SSE Content
SSE has 800+ detections. Consult the list below for the full set of content.
7Zip Commandline To SMB Share Path
AWS Create Policy Version To Allow All Resources
AWS Createaccesskey
AWS Createloginprofile
AWS Cross Account Activity From Previously Unseen Account
AWS Detect Attach To Role Policy
AWS Detect Permanent Key Creation
AWS Detect Role Creation
AWS Detect Sts Assume Role Abuse
AWS Detect Sts Get Session Token Abuse
AWS Detect Users Creating Keys With Encrypt Policy Without MFA
AWS Detect Users With Kms Keys Performing Encryption S3
AWS Ecr Container Scanning Findings High
AWS Ecr Container Scanning Findings Low Informational Unknown
AWS Ecr Container Scanning Findings Medium
AWS Ecr Container Upload Outside Business Hours
AWS Ecr Container Upload Unknown User
AWS Excessive Security Scanning
AWS Iam Accessdenied Discovery Events
AWS Iam Assume Role Policy Brute Force
AWS Iam Delete Policy
AWS Iam Failure Group Deletion
AWS Iam Successful Group Deletion
AWS Network Access Control List Created With All Open Ports
AWS Network Access Control List Deleted
AWS Saml Access By Provider User And Principal
AWS Saml Update Identity Provider
AWS Setdefaultpolicyversion
AWS Updateloginprofile
Abnormally High Number Of Cloud Infrastructure API Calls
Abnormally High Number Of Cloud Instances Destroyed
Abnormally High Number Of Cloud Instances Launched
Abnormally High Number Of Cloud Security Group API Calls
Abnormally High Number of Endpoint Changes By User
Abnormally High Number of HTTP Method Events By Src
Access LSASS Memory For Dump Creation
Access to In-Scope Unencrypted Resources
Access to In-scope Resources
Account Compromise with Suspicious Internal Activity
Account Compromised followed by Exfiltration
Account Deleted
Account Discovery With Net App
Activity from Expired User Identity
Activity from Expired User Identity - on Category
Add Defaultuser And Password In Registry
Adsisearcher Account Discovery
Aggregate Risky Events
Allow File And Printing Sharing In Firewall
Allow Inbound Traffic By Firewall Rule Registry
Allow Inbound Traffic In Firewall Rule
Allow Network Discovery In Firewall
Allow Operation With Consent Admin
Amazon EKS Kubernetes Cluster Scan Detection
Amazon EKS Kubernetes Pod Scan Detection
Anomalous Audit Trail Activity Detected
Anomalous New Listening Port
Anomalous New Process
Anomalous New Service
Anomalous Usage Of 7Zip
Any Powershell Downloadfile
Any Powershell Downloadstring
Asset Ownership Unspecified
Attacker Tools On Endpoint
Attempt To Add Certificate To Untrusted Store
Attempt To Stop Security Service
Attempted Credential Dump From Registry Via Reg Exe
Auditing Overview of Data Processing Systems (Glass Table)
Authentication Against a New Domain Controller
Auto Admin Logon Registry Entry
Basic Brute Force Detection
Basic Dynamic DNS Detection
Basic Malware Outbreak
Basic Scanning
Basic TOR Traffic Detection
Batch File Write To System32
Bcdedit Command Back To Normal Mode Boot
Bcdedit Failure Recovery Modification
Bits Job Persistence
Bitsadmin Download File
Blacklisted Application
Blacklisted Domain
Blacklisted IP Address
Brute Force
Brute Force Access Behavior Detected
Brute Force Access Behavior Detected - Against Category
Brute Force Access Behavior Detected Over One Day
Brute Force Access Behavior Detected Over One Day - Against Category
Brute Force Attack
Building a Departmental Peer Group
COVID-19 Indicator Check
Certutil Download With Urlcache And Split Arguments
Certutil Download With Verifyctl And Split Arguments
Certutil Exe Certificate Extraction
Certutil With Decode Argument
Change To Safe Mode With Network Config
Chcp Command Execution
Check Elevated Cmd Using Whoami
Child Processes Of Spoolsv Exe
Circle Ci Disable Security Job
Circle Ci Disable Security Step
Clear Unallocated Sector Using Cipher App
Cleartext Password At Rest Detected
Clop Common Exec Parameter
Clop Ransomware Known Service Name
Cloud API Calls From Previously Unseen User Roles
Cloud APIs Called More Often Than Usual Per User
Cloud Compute Instance Created By Previously Unseen User
Cloud Compute Instance Created In Previously Unused Region
Cloud Compute Instance Created With Previously Unseen Image
Cloud Compute Instance Created With Previously Unseen Instance Type
Cloud Instance Modified By Previously Unseen User
Cloud Provisioning Activity From Previously Unseen City
Cloud Provisioning Activity From Previously Unseen Country
Cloud Provisioning Activity From Previously Unseen IP Address
Cloud Provisioning Activity From Previously Unseen Region
Cloud Provisioning Activity from Unusual Country
Cloud Provisioning Activity from Unusual IP
Cmd Echo Pipe - Escalation
Cmdline Tool Not Executed In Cmd Shell
Cmlua Or Cmstplua Uac Bypass
Cobalt Strike Named Pipes
Common Filename Launched from New Path
Common Ransomware Extensions
Common Ransomware Notes
Completely Inactive Account
Compromised Account
Compromised Web Server
Concentration of Attacker Tools by Filename
Concentration of Attacker Tools by SHA1 Hash
Concentration of Discovery Tools by Filename
Concentration of Discovery Tools by SHA1 Hash
Concurrent Login Attempts Detected
Connection to New Domain
Conti Common Exec Parameter
Control Loading From World Writable Directory
Correlation By Repository And Risk
Correlation By User And Risk
Create Local Admin Accounts Using Net Exe
Create Or Delete Windows Shares Using Net Exe
Create Remote Thread In Shell Application
Create Remote Thread Into LSASS
Create Service In Suspicious File Path
Creation Of LSASS Dump With Taskmgr
Creation Of Shadow Copy
Creation Of Shadow Copy With Wmic And Powershell
Credential Dumping Via Copy Command From Shadow Copy
Credential Dumping Via Symlink To Shadow Copy
Credentials In File Detected
DNS Exfiltration Using Nslookup App
DNS Query Length Outliers - MLTK
DNS Query Length With High Standard Deviation
Data Exfiltration after Account Takeover, High
Data Exfiltration after Account Takeover, Medium
Data Exfiltration after Data Staging
Data Exfiltration by suspicious user or device
Data Staging
Default Account Activity Detected
Default Account At Rest Detected
Delete Shadowcopy With Powershell
Deleting Of Net Users
Deleting Shadow Copies
Detect AWS Console Login By New User
Detect AWS Console Login By User From New City
Detect AWS Console Login By User From New Country
Detect AWS Console Login By User From New Region
Detect Activity Related To Pass The Hash Attacks
Detect Arp Poisoning
Detect Attackers Scanning For Vulnerable Jboss Servers
Detect Azurehound Command-Line Arguments
Detect Azurehound File Modifications
Detect Baron Samedit Cve-2021-3156
Detect Baron Samedit Cve-2021-3156 Segfault
Detect Baron Samedit Cve-2021-3156 Via Osquery
Detect Computer Changed With Anonymous Account
Detect Copy Of Shadowcopy With Script Block Logging
Detect Credential Dumping Through LSASS Access
Detect Credit Card Numbers using Luhn Algorithm
Detect Empire With Powershell Script Block Logging
Detect Excessive Account Lockouts From Endpoint
Detect Excessive User Account Lockouts
Detect Exchange Web Shell
Detect F5 Tmui RCE Cve-2020-5902
Detect GCP Storage Access From A New IP
Detect Hosts Connecting To Dynamic Domain Providers
Detect Html Help Renamed
Detect Html Help Spawn Child Process
Detect Html Help Url In Command Line
Detect Html Help Using Infotech Storage Handlers
Detect Ipv6 Network Infrastructure Threats
Detect Journal Clearing
Detect Large Outbound ICMP Packets
Detect Lateral Movement With WMI
Detect Log Clearing With wevtutil
Detect Malicious Requests To Exploit Jboss Servers
Detect Many Unauthorized Access Attempts
Detect Mimikatz Using Loaded Images
Detect Mimikatz With Powershell Script Block Logging
Detect Mshta Inline Hta Execution
Detect Mshta Renamed
Detect Mshta Url In Command Line
Detect New Local Admin Account
Detect New Login Attempts To Routers
Detect New Open GCP Storage Buckets
Detect New Open S3 Buckets
Detect New Open S3 Buckets Over AWS Cli
Detect Outbound SMB Traffic
Detect Outlook Exe Writing A Zip File
Detect Path Interception By Creation Of Program Exe
Detect Port Security Violation
Detect Processes Used For System Network Configuration Discovery
Detect Prohibited Applications Spawning Cmd Exe
Detect Psexec With Accepteula Flag
Detect Rare Executables
Detect Rclone Command-Line Usage
Detect Regasm Spawning A Process
Detect Regasm With Network Connection
Detect Regasm With No Command Line Arguments
Detect Regsvcs Spawning A Process
Detect Regsvcs With Network Connection
Detect Regsvcs With No Command Line Arguments
Detect Regsvr32 Application Control Bypass
Detect Renamed 7-Zip
Detect Renamed Psexec
Detect Renamed Rclone
Detect Renamed Winrar
Detect Rogue DHCP Server
Detect Rundll32 Application Control Bypass - Advpack
Detect Rundll32 Application Control Bypass - Setupapi
Detect Rundll32 Application Control Bypass - Syssetup
Detect Rundll32 Inline Hta Execution
Detect S3 Access From A New IP
Detect Shared EC2 Snapshot
Detect Sharphound Command-Line Arguments
Detect Sharphound File Modifications
Detect Sharphound Usage
Detect Snicat Sni Exfiltration
Detect Software Download To Network Device
Detect Spike In AWS Security Hub Alerts For EC2 Instance
Detect Spike In AWS Security Hub Alerts For User
Detect Spike In Blocked Outbound Traffic From Your AWS
Detect Spike In S3 Bucket Deletion
Detect Traffic Mirroring
Detect Unauthorized Assets By MAC Address
Detect Use Of Cmd Exe To Launch Script Interpreters
Detect WMI Event Subscription Persistence
Detect Windows DNS Sigred Via Splunk Stream
Detect Windows DNS Sigred Via Zeek
Detect Zerologon Via Zeek
Detection Of Tools Built By Nirsoft
Disable Amsi Through Registry
Disable Etw Through Registry
Disable Logs Using Wevtutil
Disable Registry Tool
Disable Show Hidden Files
Disable Windows App Hotkeys
Disable Windows Behavior Monitoring
Disable Windows Smartscreen Protection
Disabled Update Service
Disabling Cmd Application
Disabling Controlpanel
Disabling Firewall With Netsh
Disabling Folderoptions Windows Feature
Disabling Net User Account
Disabling Norun Windows App
Disabling Remote User Account Control
Disabling Systemrestore In Registry
Disabling Task Manager
Dllhost With No Command Line Arguments With Network
Domain Account Discovery With Dsquery
Domain Account Discovery With Net App
Domain Account Discovery With Wmic
Domain Controller Discovery With Nltest
Domain Controller Discovery With Wmic
Domain Group Discovery With Adsisearcher
Domain Group Discovery With Dsquery
Domain Group Discovery With Net
Domain Group Discovery With Wmic
Download Files Using Telegram
Download from Internal Server
Drop Icedid License Dat
Dsquery Domain Discovery
Dump LSASS Via Comsvcs DLL
Dump LSASS Via Procdump
EC2 Instance Isolation
Elevated Group Discovery With Net
Elevated Group Discovery With Powerview
Elevated Group Discovery With Wmic
Email Attachments With Lots Of Spaces
Email Files Written Outside Of The Outlook Directory
Email Servers Sending High Volume Traffic To Hosts
Emails from Outside the Organization with Company Domains
Emails with Lookalike Domains
Enable Rdp In Other Port Number
Endpoint Uncleaned Malware Detection
Enumerate Users Local Group Using Telegram
Esentutl Sam Copy
Eventvwr Uac Bypass
Excel Spawning Powershell
Excel Spawning Windows Script Host
Excessive Attempt To Disable Services
Excessive Box Downloads
Excessive DNS Queries
Excessive Data Printed
Excessive Data Transmission
Excessive Downloads via VPN
Excessive Failed Logins
Excessive HTTP Failure Responses
Excessive Number Of Distinct Processes Created In Windows Temp Folder
Excessive Number Of Service Control Start As Disabled
Excessive Number Of Taskhost Processes
Excessive Service Stop Attempt
Excessive Usage Of Cacls App
Excessive Usage Of Net App
Excessive Usage Of Nslookup App
Excessive Usage Of Sc Service Utility
Excessive Usage Of Taskkill
Exchange Powershell Abuse Via Ssrf
Exchange Powershell Module Usage
Executables Or Script Creation In Suspicious Path
Execute Javascript With Jscript Com Clsid
Execution Of File With Multiple Extensions
Exfiltration
Exfiltration after Account Compromise
Exfiltration after Infection
Exfiltration after Suspicious Internal Activity
Expected Host Not Reporting
Expected Host Not Reporting - in Category
External Alarm Activity
External Website Attack
Extraction Of Registry Hives
Failed Access by Disabled Badge
Failed Badge Accesses on Multiple Doors
Fake Windows Processes
Familiar Filename Launched with New Path on Host
File With Samsam Extension
Find Processes with Renamed Executables
Find Unusually Long CLI Commands
First Time Access to Jump Server for Peer Group
First Time Accessing an Internal Git Repository
First Time Accessing an Internal Git Repository Not Viewed by Peers
First Time Logon to New Server
First Time Seen Child Process Of Zoom
First Time Seen Running Windows Service
First Time USB Usage
Flight Risk Emailing
Flight Risk Printing
Flight Risk User
Flight Risk Web Browsing
Fodhelper Uac Bypass
Fsutil Zeroing File
GCP Detect Gcploit Framework
GCP Kubernetes Cluster Pod Scan Detection
Geographically Improbable Access (Physical access and VPN)
Geographically Improbable Access Detected
Geographically Improbable Access Detected against Category
Geographically Improbable Access Detected for Privileged Accounts
Get Addefaultdomainpasswordpolicy With Powershell
Get Addefaultdomainpasswordpolicy With Powershell Script Block
Get Aduser With Powershell
Get Aduser With Powershell Script Block
Get Aduserresultantpasswordpolicy With Powershell
Get Aduserresultantpasswordpolicy With Powershell Script Block
Get Domainpolicy With Powershell
Get Domainpolicy With Powershell Script Block
Get Domainuser With Powershell
Get Domainuser With Powershell Script Block
Get Wmiobject Group Discovery
Get Wmiobject Group Discovery With Script Block Logging
Get-Domaintrust With Powershell
Get-Domaintrust With Powershell Script Block
Get-Foresttrust With Powershell
Get-Foresttrust With Powershell Script Block
Getadcomputer With Powershell
Getadcomputer With Powershell Script Block
Getadgroup With Powershell
Getadgroup With Powershell Script Block
Getcurrent User With Powershell
Getcurrent User With Powershell Script Block
Getdomaincomputer With Powershell
Getdomaincomputer With Powershell Script Block
Getdomaincontroller With Powershell
Getdomaincontroller With Powershell Script Block
Getdomaingroup With Powershell
Getdomaingroup With Powershell Script Block
Getlocaluser With Powershell
Getlocaluser With Powershell Script Block
Getnettcpconnection With Powershell
Getnettcpconnection With Powershell Script Block
Getwmiobject Ds Computer With Powershell
Getwmiobject Ds Computer With Powershell Script Block
Getwmiobject Ds Group With Powershell
Getwmiobject Ds Group With Powershell Script Block
Getwmiobject Ds User With Powershell
Getwmiobject Ds User With Powershell Script Block
Getwmiobject User Account With Powershell
Getwmiobject User Account With Powershell Script Block
Github Commit Changes In Master
Github Commit In Develop
Github Dependabot Alert
Github Pull Request From Unknown User
Gpupdate With No Command Line Arguments With Network
Gsuite Drive Share In External Email
Gsuite Email Suspicious Attachment
Gsuite Email Suspicious Subject With Attachment
Gsuite Email With Known Abuse Web Service Link
Gsuite Outbound Email With Attachment To External Domain
Gsuite Suspicious Shared File Name
Healthcare Worker Opening More Patient Records Than Usual
Hide User Account From Sign-In Screen
Hiding Files And Directories With Attrib Exe
High File Deletion Frequency
High Number Of Infected Hosts
High Number Of Login Failures From A Single Source
High Number of Hosts Not Updating Malware Signatures
High Or Critical Priority Host With Malware Detected
High Process Count
High Process Termination Frequency
High Volume Email Activity to Non-corporate Domains by User
High Volume of Traffic from High or Critical Host Observed
High or Critical Priority Individual Logging into Infected Machine
High or critical risk NGFW application activity detected
Host Sending Excessive Email
Host With A Recurring Malware Infection
Host With High Number Of Listening ports
Host With High Number Of Services
Host With Multiple Infections
Host With Old Infection Or Potential Re-Infection
Hosts Receiving High Volume Of Network Traffic From Email Server
Hosts Sending To More Destinations Than Normal
Hosts Where Security Sources Go Quiet
Hosts with Varied and Future Timestamps
Hunting COVID Themed Attacks With IOCs
IP Investigate and Report
Icacls Deny Command
Icacls Grant Command
Icedid Exfiltrated Archived File Creation
Image From New Repository Detected
In-Scope Device with Outdated Anti-Malware Found
In-Scope System with Windows Update Disabled
Inactive Account Activity Detected
Increase in # of Hosts Logged into
Increase in Pages Printed
Increase in Source Code (Git) Downloads
Increase in Windows Privilege Escalations
Infected Host
Infection followed by Exfiltration
Insecure Or Cleartext Authentication Detected
Instance Created by Unusual User
Instance Modified by Unusual User
Integrating Threat Indicators with MISP and Splunk Enterprise Security
Investigate GDPR Breaches Using ES
Jscript Execution Using Cscript App
Kerberoasting Spn Request With RC4 Encryption
Known Services Killed By Ransomware
Kubernetes AWS Detect Suspicious Kubectl Calls
Kubernetes Nginx Ingress Lfi
Kubernetes Nginx Ingress Rfi
Kubernetes Scanner Image Pulling
Land Speed Violation
Large Volume Of DNS Any Queries
Large Web Upload
Lateral Movement
Local Account Creation
Local Account Discovery With Net
Local Account Discovery With Wmic
Machine Generated Beacon
Macos - Re-Opened Applications
Mailsniper Invoke Functions
Malicious AD Activity
Malicious Command Line Executions
Malicious Insider Containment
Malicious Powershell Executed As A Service
Malicious Powershell Process - Connect To Internet With Hidden Window
Malicious Powershell Process - Encoded Command
Malicious Powershell Process - Execution Policy Bypass
Malicious Powershell Process With Obfuscation Techniques
Malicious URI with Potential Malware
Malware
Malware Investigation
Many USB File Copies for User
Modification Of Wallpaper
Modify ACL Permission To Files Or Folder
Monitor AutoRun Registry Keys
Monitor Email For Brand Abuse
Monitor Registry Keys For Print Monitors
Monitor Successful Backups
Monitor Successful Windows Updates
Monitor Unsuccessful Backups
Monitor Unsuccessful Windows Updates
Monitor Web Traffic For Brand Abuse
Ms Scripting Process Loading Ldap Module
Ms Scripting Process Loading WMI Module
Mshta Spawning Rundll32 Or Regsvr32 Process
Mshtml Module Load In Office Product
Msmpeng Application DLL Side Loading
Multiple Account Deletion by an Administrator
Multiple Account Disabled by an Administrator
Multiple Account Passwords changed by an Administrator
Multiple Archive Files Http Post Traffic
Multiple Authentication Failures
Multiple Authentications
Multiple Badge Accesses
Multiple Box login errors
Multiple Box logins
Multiple Box operations
Multiple Disabled Users Failing To Authenticate From Host Using Kerberos
Multiple External Alarms
Multiple Failed Badge Access Attempts
Multiple Infections on Host
Multiple Invalid Users Failing To Authenticate From Host Using Kerberos
Multiple Invalid Users Failing To Authenticate From Host Using Ntlm
Multiple Login Errors
Multiple Logins
Multiple Okta Users With Invalid Credentials From The Same IP
Multiple Outgoing Connections
Multiple Primary Functions Detected
Multiple Users Attempting To Authenticate Using Explicit Credentials
Multiple Users Failing To Authenticate From Host Using Kerberos
Multiple Users Failing To Authenticate From Host Using Ntlm
Multiple Users Failing To Authenticate From Process
Multiple Users Remotely Failing To Authenticate From Host
Multiple failed badge attempts and unusual badge access time
Net Localgroup Discovery
Net Profiler Uac Bypass
Network Change Detected
Network Connection Discovery With Arp
Network Connection Discovery With Net
Network Connection Discovery With Netstat
Network Device Rebooted
Network Protocol Violation
New AD Domain Detected
New Application Accessing Salesforce.com API
New Cloud API Call Per Peer Group
New Cloud Provider for User
New Connection to In-Scope Device
New Container Uploaded To AWS Ecr
New Data Exfil DLP Alerts for User
New High Risk Event Types for Salesforce.com User
New IaaS API Call Per User
New Interactive Logon from a Service Account
New Local Admin Account
New Logon Type for User
New Parent Process for cmd.exe or regedit.exe
New RunAs Host / Privileged Account Combination
New Service Paths for Host
New Suspicious Executable Launch for User
New Suspicious cmd.exe / regedit.exe / powershell.exe Service Launch
New Tables Queried by Salesforce.com Peer Group
New Tables Queried by Salesforce.com User
New User Account Created On Multiple Hosts
New User Taking Privileged Actions
Nishang Powershelltcponeline
Nltest Domain Trust Discovery
No Windows Updates In A Time Frame
Non Chrome Process Accessing Chrome Default Dir
Non Firefox Process Access Firefox Profile Dir
Non-Privileged Users taking Privileged Actions
Ntdsutil Export Ntds
O365 Add App Role Assignment Grant User
O365 Added Service Principal
O365 Bypass MFA Via Trusted IP
O365 Disable MFA
O365 Excessive Authentication Failures Alert
O365 Excessive Sso Logon Errors
O365 New Federated Domain Added
O365 Pst Export Alert
O365 Suspicious Admin Email Forwarding
O365 Suspicious Rights Delegation
O365 Suspicious User Email Forwarding
Office Application Drop Executable
Office Application Spawn Regsvr32 Process
Office Application Spawn Rundll32 Process
Office Document Creating Schedule Task
Office Document Executing Macro Code
Office Document Spawned Child Process To Download
Office Product Spawn Cmd Process
Office Product Spawning Bitsadmin
Office Product Spawning Certutil
Office Product Spawning Mshta
Office Product Spawning Rundll32 With No DLL
Office Product Spawning Wmic
Office Product Writing Cab Or Inf
Office Spawning Control
Okta Account Lockout Events
Okta Failed Sso Attempts
Okta User Logins From Multiple Cities
Old Passwords in Use
Outbreak Detected
Outdated Malware Definitions
Overwriting Accessibility Binaries
Password Policy Discovery With Net
Period with Unusual Windows Security Event Sequences
Permission Modification Using Takeown App
Personally Identifiable Information Detected
Petitpotam Network Share Access Request
Petitpotam Suspicious Kerberos Tgt Request
Phishing Investigation and Response
Plain Http Post Exfiltrated Data
Possible Phishing Attempt
Potential Day Trading
Potential Flight Risk Exfiltration
Potential Flight Risk Staging
Potential Gap in Data
Potential Phishing Attack
Potential Webshell Activity
Powershell 4104 Hunting
Powershell Creating Thread Mutex
Powershell Disable Security Monitoring
Powershell Domain Enumeration
Powershell Enable Smb1Protocol Feature
Powershell Execute Com Object
Powershell Fileless Process Injection Via Getprocaddress
Powershell Fileless Script Contains Base64 Encoded Content
Powershell Get Localgroup Discovery
Powershell Get Localgroup Discovery With Script Block Logging
Powershell Loading Dotnet Into Memory Via System Reflection Assembly
Powershell Processing Stream Of Data
Powershell Remote Thread To Known Windows Process
Powershell Start-Bitstransfer
Powershell Using Memory As Backing Store
Prevent Automatic Repair Mode Using Bcdedit
Print Spooler Adding A Printer Driver
Print Spooler Failed To Load A Plug-In
Privilege Escalation after Powershell Activity
Process Creating Lnk File In Suspicious Location
Process Deleting Its Process File Path
Process Execution Via WMI
Process Kill Base On File Path
Processes Launching Netsh
Processes Tapping Keyboard Events
Processes with High Entropy Names
Processes with Lookalike (typo) Filenames
Prohibited Network Traffic Allowed
Prohibited Port Activity Detected
Prohibited Process Detected
Prohibited Service Detected
Prompt and Block Domain
Protocol Or Port Mismatch
Protocols Passing Authentication In Cleartext
Public Cloud Storage (Bucket)
Public facing Website Attack
Pull List of Privileged Users
RFC1918 IP Not in CMDB
Ransomware Extensions
Ransomware Investigate and Contain
Ransomware Note Files
Ransomware Notes Bulk Creation
Ransomware Vulnerabilities
Recon Avproduct Through Pwh Or WMI
Recon Using WMI Class
Recurring Infection on Host
Recursive Delete Of Directory In Batch Cmd
Reg Exe Manipulating Windows Services Registry Keys
Registry Keys For Creating Shim Databases
Registry Keys Used For Persistence
Registry Keys Used For Privilege Escalation
Remcos Rat File Creation In Remcos Folder
Remote Account Takeover
Remote Desktop Network Bruteforce
Remote Desktop Network Traffic
Remote Desktop Process Running On System
Remote PowerShell Launches
Remote Process Instantiation Via WMI
Remote System Discovery With Adsisearcher
Remote System Discovery With Dsquery
Remote System Discovery With Net
Remote System Discovery With Wmic
Remote WMI Command Attempt
Resize Shadowstorage Volume
Revil Common Exec Parameter
Revil Registry Entry
Risky Events from Privileged Users
Rundll Loading DLL By Ordinal
Rundll32 Control Rundll Hunt
Rundll32 Control Rundll World Writable Directory
Rundll32 Create Remote Thread To A Process
Rundll32 Createremotethread In Browser
Rundll32 Dnsquery
Rundll32 Process Creating Exe DLL Files
Rundll32 With No Command Line Arguments With Network
Ryuk Test Files Detected
Ryuk Wake On Lan Command
SFDC Suspicious volume of records accessed
SMB Traffic Allowed
SMB Traffic Spike
SMB Traffic Spike - MLTK
Sam Database File Access Attempt
Same Error On Many Servers Detected
Samsam Test File Write
Sc Exe Manipulating Windows Services
Scanning Activity
Schcache Change By App Connect And Create Adsi Object
Schedule Task With Http Command Arguments
Schedule Task With Rundll32 Command Trigger
Scheduled Task Deleted Or Created Via Cmd
Schtasks Run Task On Demand
Schtasks Scheduling Job On Remote System
Schtasks Used For Forcing A Reboot
Script Execution Via WMI
Sdclt Uac Bypass
Searchprotocolhost With No Command Line With Network
Secretdumps Offline Ntds Dumping Tool
Sensitive Kubernetes Mount Pod Detected
Service Account Login
Services Escalate Exe
Set Default Powershell Execution Policy To Unrestricted Or Bypass
Shim Database File Creation
Shim Database Installation With Suspicious Parameters
Short Lived Admin Accounts
Short Lived Windows Accounts
Short-lived Account Detected
Significant Increase in Interactive Logons
Significant Increase in Interactively Logged On Users
Silentcleanup Uac Bypass
Single Letter Process On Endpoint
Slui Runas Elevated
Slui Spawning A Process
Sources Sending Many DNS Requests
Sources Sending a High Volume of DNS Traffic
Spike In File Writes
Spike in Downloaded Documents Per User from Salesforce.com
Spike in Exported Records from Salesforce.com
Spike in Password Reset Emails
Spike in SMB Traffic
Spoolsv Spawning Rundll32
Spoolsv Suspicious Loaded Modules
Spoolsv Suspicious Process Access
Spoolsv Writing A DLL
Spoolsv Writing A DLL - Sysmon
Sql Injection With Long Urls
Sqlite Module In Temp Folder
Stale Account Usage
Start Up During Safe Mode Boot
Substantial Increase In Events
Substantial Increase In Port Activity
Successful Login of Account for Former Employee
Sunburst Correlation DLL And Network Event
Supernova Webshell
Suspicious Account Activity
Suspicious Account Lockout
Suspicious Activity After Intrusion
Suspicious Badge Activity
Suspicious Behavior
Suspicious Box Usage
Suspicious Container Image Name
Suspicious Curl Network Connection
Suspicious Data Collection
Suspicious Data Movement
Suspicious Dllhost No Command Line Arguments
Suspicious Domain Communication
Suspicious Domain Communication followed by Malware Activity
Suspicious Domain Name
Suspicious Driver Loaded Path
Suspicious Email - UBA Anomaly
Suspicious Email Attachment Extensions
Suspicious Event Log Service Behavior
Suspicious External Alarm Activity
Suspicious Gpupdate No Command Line Arguments
Suspicious HTTP Redirects
Suspicious HTTP Redirects followed by Suspected Infection
Suspicious IP Address Communication
Suspicious Icedid Regsvr32 Cmdline
Suspicious Icedid Rundll32 Cmdline
Suspicious Image Creation In Appdata Folder
Suspicious Java Classes
Suspicious Microsoft Workflow Compiler Rename
Suspicious Microsoft Workflow Compiler Usage
Suspicious Msbuild Path
Suspicious Msbuild Rename
Suspicious Msbuild Spawn
Suspicious Mshta Child Process
Suspicious Mshta Spawn
Suspicious Network Connection
Suspicious Network Exploration
Suspicious New Access
Suspicious Plistbuddy Usage
Suspicious Plistbuddy Usage Via Osquery
Suspicious Powershell Activity
Suspicious Privilege Escalation
Suspicious Process File Path
Suspicious Reg Exe Process
Suspicious Regsvr32 Register Suspicious Path
Suspicious Rundll32 Dllregisterserver
Suspicious Rundll32 No Command Line Arguments
Suspicious Rundll32 Plugininit
Suspicious Rundll32 Rename
Suspicious Rundll32 Startw
Suspicious Scheduled Task From Public Directory
Suspicious Searchprotocolhost No Command Line Arguments
Suspicious Sqlite3 Lsquarantine Behavior
Suspicious URL Communications and Redirects
Suspicious Wav File In Appdata Folder
Suspicious Wevtutil Usage
Suspicious Writes To Windows Recycle Bin
System Information Discovery Detection
System Processes Run From Unexpected Locations
System User Discovery With Query
System User Discovery With Whoami
Threat Activity Detected
Threat Hunting
Tor Traffic
Trickbot Named Pipe
USB storage attached an unusually high number of times
Uac Bypass Mmc Load Unsigned DLL
Uac Bypass With Colorui Com Object
Unauthorized Connection Through Firewall
Unified Messaging Service Spawning A Process
Uninstall App Using Msiexec
Unload Sysmon Filter Driver
Unloading Amsi Via Reflection
Unrouteable Activity Detected
Untriaged Notable Events
Unusual Activity Time
Unusual Badge Reader Access
Unusual Child Process for spoolsv.exe or connhost.exe
Unusual Cloud Regions
Unusual Cloud Storage Deletions
Unusual Cloud Storage Downloads
Unusual External Alarm
Unusual File Extension
Unusual Geolocation of Communication Destination
Unusual Machine Access
Unusual Network Activity
Unusual Number of Modifications to Cloud ACLs
Unusual Printer Usage
Unusual Time of Badge Access
Unusual USB Activity
Unusual USB Device Plugged In
Unusual VPN Login Geolocation
Unusual Volume of Network Activity
Unusual Web Browser
Unusual Windows Security Event (Unusual - Event Code, Process, Directory, LoginType, ReturnCode, Domain)
Unusually Long Command Line
Unusually Long Command Line - MLTK
Unusually Long Content-Type Length
Unusually Long VPN Session
User Discovery With Env Vars Powershell
User Discovery With Env Vars Powershell Script Block
User Finding Project Code Names from Many Departments
User Has Access to In-Scope Splunk Indexes They Should Not
User Logged into In-Scope System They Should Not Have
User Login to Unauthorized Geo
User Login with Local Credentials
User with Increase in Outgoing Email
User with Many DLP Events
Usn Journal Deletion
Vulnerability Scanner Detected (by events)
Vulnerability Scanner Detected (by targets)
W3Wp Spawning Shell
WMI Permanent Event Subscription
WMI Permanent Event Subscription - Sysmon
WMI Recon Running Process Or Services
WMI Temporary Event Subscription
Watchlisted Event Observed
Watering Hole Infection
Wbadmin Delete System Backups
Wbemprox Com Object Execution
Web Browsing to Unauthorized Sites
Web Servers Executing Suspicious Processes
Web Site Compromised (Webshell)
Web Uploads to Non-corporate Sites by Users
Wermgr Process Connecting To IP Check Web Services
Wermgr Process Create Executable File
Wermgr Process Spawned Cmd Or Powershell Process
Windows Adfind Exe
Windows Disableantispyware Registry
Windows Event Log Cleared
Windows Event Log Clearing Events
Windows Security Account Manager Stopped
Winevent Scheduled Task Created To Spawn Shell
Winevent Scheduled Task Created Within Public Path
Winrm Spawning A Process
Winword Spawning Cmd
Winword Spawning Powershell
Winword Spawning Windows Script Host
Wmic Group Discovery
Write Executable In SMB Share
Wsreset Uac Bypass
Xmrig Driver Loaded
Xsl Script Execution With Wmic