Navigation :
Release Notes
User Guides
Data Onboarding Guides
Features
SSE Content
- AWS Cloud Provisioning From Previously Unseen City
- AWS Cloud Provisioning From Previously Unseen Country
- AWS Cloud Provisioning From Previously Unseen IP Address
- AWS Cloud Provisioning From Previously Unseen Region
- AWS Cross Account Activity From Previously Unseen Account
- AWS Detect Attach To Role Policy
- AWS Detect Permanent Key Creation
- AWS Detect Role Creation
- AWS Detect Sts Assume Role Abuse
- AWS Detect Sts Get Session Token Abuse
- AWS Detect Users Creating Keys With Encrypt Policy Without MFA
- AWS Detect Users With Kms Keys Performing Encryption S3
- AWS EKS Kubernetes Cluster Sensitive Object Access
- AWS Network Access Control List Created With All Open Ports
- AWS Network Access Control List Deleted
- AWS Saml Access By Provider User And Principal
- AWS Saml Update Identity Provider
- Abnormally High AWS Instances Launched By User
- Abnormally High AWS Instances Launched By User - MLTK
- Abnormally High AWS Instances Launched by User
- Abnormally High AWS Instances Terminated By User
- Abnormally High AWS Instances Terminated By User - MLTK
- Abnormally High Number Of Cloud Infrastructure API Calls
- Abnormally High Number Of Cloud Instances Destroyed
- Abnormally High Number Of Cloud Instances Launched
- Abnormally High Number Of Cloud Security Group API Calls
- Abnormally High Number of Endpoint Changes By User
- Abnormally High Number of HTTP Method Events By Src
- Access LSASS Memory For Dump Creation
- Access to In-Scope Unencrypted Resources
- Access to In-scope Resources
- Account Compromise with Suspicious Internal Activity
- Account Compromised followed by Exfiltration
- Account Deleted
- Activity from Expired User Identity
- Activity from Expired User Identity - on Category
- Aggregate Risky Events
- Amazon EKS Kubernetes Cluster Scan Detection
- Amazon EKS Kubernetes Pod Scan Detection
- Anomalous Audit Trail Activity Detected
- Anomalous New Listening Port
- Anomalous New Process
- Anomalous New Service
- Any Powershell Downloadfile
- Any Powershell Downloadstring
- Asset Ownership Unspecified
- Attempt To Add Certificate To Untrusted Store
- Attempt To Set Default PowerShell Execution Policy To Unrestricted or Bypass
- Attempt To Set Default Powershell Execution Policy To Unrestricted Or Bypass
- Attempt To Stop Security Service
- Attempted Credential Dump From Registry Via Reg Exe
- Attempted Credential Dump From Registry Via Reg.exe
- Auditing Overview of Data Processing Systems (Glass Table)
- Authentication Against a New Domain Controller
- Basic Brute Force Detection
- Basic Dynamic DNS Detection
- Basic Malware Outbreak
- Basic Scanning
- Basic TOR Traffic Detection
- Batch File Write To System32
- Bcdedit Failure Recovery Modification
- Blacklisted Application
- Blacklisted Domain
- Blacklisted IP Address
- Brute Force
- Brute Force Access Behavior Detected
- Brute Force Access Behavior Detected - Against Category
- Brute Force Access Behavior Detected Over One Day
- Brute Force Access Behavior Detected Over One Day - Against Category
- Brute Force Attack
- Building a Departmental Peer Group
- COVID-19 Indicator Check
- Certutil Exe Certificate Extraction
- Child Processes Of Spoolsv Exe
- Child Processes of Spoolsv.exe
- Cleartext Password At Rest Detected
- Clients Connecting To Multiple DNS Servers
- Cloud API Calls From Previously Unseen User Roles
- Cloud APIs Called More Often Than Usual Per User
- Cloud Compute Instance Created By Previously Unseen User
- Cloud Compute Instance Created In Previously Unused Region
- Cloud Compute Instance Created With Previously Unseen Image
- Cloud Compute Instance Created With Previously Unseen Instance Type
- Cloud Compute Instance Started In Previously Unused Region
- Cloud Instance Modified By Previously Unseen User
- Cloud Network Access Control List Deleted
- Cloud Provisioning Activity From Previously Unseen City
- Cloud Provisioning Activity From Previously Unseen Country
- Cloud Provisioning Activity From Previously Unseen IP Address
- Cloud Provisioning Activity From Previously Unseen Region
- Cloud Provisioning Activity from Unusual Country
- Cloud Provisioning Activity from Unusual IP
- Cobalt Strike Named Pipes
- Common Filename Launched from New Path
- Common Ransomware Extensions
- Common Ransomware Notes
- Completely Inactive Account
- Compromised Account
- Compromised Web Server
- Concentration of Attacker Tools by Filename
- Concentration of Attacker Tools by SHA1 Hash
- Concentration of Discovery Tools by Filename
- Concentration of Discovery Tools by SHA1 Hash
- Concurrent Login Attempts Detected
- Connection to New Domain
- Create Local Admin Accounts Using Net Exe
- Create Or Delete Windows Shares Using Net Exe
- Create Remote Thread Into LSASS
- Create local admin accounts using net.exe
- Create or delete hidden shares using net.exe
- Create or delete windows shares using net.exe
- Creation Of LSASS Dump With Taskmgr
- Creation Of Shadow Copy
- Creation Of Shadow Copy With Wmic And Powershell
- Credential Dumping Via Copy Command From Shadow Copy
- Credential Dumping Via Symlink To Shadow Copy
- Credentials In File Detected
- Critical Severity Intrusion
- DNS Query Length Outliers - MLTK
- DNS Query Length With High Standard Deviation
- DNS Query Requests Resolved By Unauthorized DNS Servers
- DNS Record Changed
- Data Exfiltration after Account Takeover, High
- Data Exfiltration after Account Takeover, Medium
- Data Exfiltration after Data Staging
- Data Exfiltration by suspicious user or device
- Data Staging
- Default Account Activity Detected
- Default Account At Rest Detected
- Deleting Shadow Copies
- Detect API Activity From Users Without MFA
- Detect AWS API Activities From Unapproved Accounts
- Detect AWS Console Login By New User
- Detect AWS Console Login By User From New City
- Detect AWS Console Login By User From New Country
- Detect AWS Console Login By User From New Region
- Detect Activity Related To Pass The Hash Attacks
- Detect Arp Poisoning
- Detect Attackers Scanning For Vulnerable Jboss Servers
- Detect Baron Samedit Cve-2021-3156
- Detect Baron Samedit Cve-2021-3156 Segfault
- Detect Baron Samedit Cve-2021-3156 Via Osquery
- Detect Computer Changed With Anonymous Account
- Detect Credential Dumping Through LSASS Access
- Detect Credit Card Numbers using Luhn Algorithm
- Detect DNS Requests To Phishing Sites Leveraging Evilginx2
- Detect Excessive Account Lockouts From Endpoint
- Detect Excessive User Account Lockouts
- Detect F5 Tmui RCE Cve-2020-5902
- Detect GCP Storage Access From A New IP
- Detect Hosts Connecting To Dynamic Domain Providers
- Detect Html Help Renamed
- Detect Html Help Spawn Child Process
- Detect Html Help Url In Command Line
- Detect Html Help Using Infotech Storage Handlers
- Detect Ipv6 Network Infrastructure Threats
- Detect Journal Clearing
- Detect Large Outbound ICMP Packets
- Detect Lateral Movement With WMI
- Detect Log Clearing With wevtutil
- Detect Long DNS TXT Record Response
- Detect Long DNS Txt Record Response
- Detect Malicious Requests To Exploit Jboss Servers
- Detect Many Unauthorized Access Attempts
- Detect Mimikatz Using Loaded Images
- Detect Mimikatz Via PowerShell And EventCode 4663
- Detect Mimikatz Via Powershell And Eventcode 4703
- Detect Mshta Exe Running Scripts In Command-Line Arguments
- Detect Mshta Inline Hta Execution
- Detect Mshta Renamed
- Detect Mshta Url In Command Line
- Detect New API Calls From User Roles
- Detect New Local Admin Account
- Detect New Login Attempts To Routers
- Detect New Open GCP Storage Buckets
- Detect New Open S3 Buckets
- Detect New Open S3 Buckets Over AWS Cli
- Detect New User AWS Console Login
- Detect New User AWS Console Login - Dm
- Detect Oulook Exe Writing A Zip File
- Detect Oulook exe writing a zip file
- Detect Outbound SMB Traffic
- Detect Path Interception By Creation Of Program Exe
- Detect Path Interception By Creation Of program.exe
- Detect Port Security Violation
- Detect Processes Used For System Network Configuration Discovery
- Detect Prohibited Applications Spawning Cmd Exe
- Detect Prohibited Applications Spawning cmd.exe
- Detect Psexec With Accepteula Flag
- Detect Rare Executables
- Detect Regasm Spawning A Process
- Detect Regasm With Network Connection
- Detect Regasm With No Command Line Arguments
- Detect Regsvcs Spawning A Process
- Detect Regsvcs With Network Connection
- Detect Regsvcs With No Command Line Arguments
- Detect Regsvr32 Application Control Bypass
- Detect Rogue DHCP Server
- Detect Rundll32 Application Control Bypass - Advpack
- Detect Rundll32 Application Control Bypass - Setupapi
- Detect Rundll32 Application Control Bypass - Syssetup
- Detect Rundll32 Inline Hta Execution
- Detect S3 Access From A New IP
- Detect Snicat Sni Exfiltration
- Detect Software Download To Network Device
- Detect Spike In AWS API Activity
- Detect Spike In AWS Security Hub Alerts For EC2 Instance
- Detect Spike In AWS Security Hub Alerts For User
- Detect Spike In Blocked Outbound Traffic From Your AWS
- Detect Spike In Network ACL Activity
- Detect Spike In S3 Bucket Deletion
- Detect Spike In Security Group Activity
- Detect Traffic Mirroring
- Detect USB Device Insertion
- Detect Unauthorized Assets By MAC Address
- Detect Use Of Cmd Exe To Launch Script Interpreters
- Detect Use of cmd.exe to Launch Script Interpreters
- Detect Web Traffic To Dynamic Domain Providers
- Detect Windows DNS Sigred Via Splunk Stream
- Detect Windows DNS Sigred Via Zeek
- Detect Zerologon Via Zeek
- Detect attackers scanning for vulnerable JBoss servers
- Detect mshta exe running scripts in command-line arguments
- Detection Of DNS Tunnels
- Detection Of Tools Built By Nirsoft
- Disabled Update Service
- Disabling Remote User Account Control
- Download from Internal Server
- Dump LSASS Via Comsvcs DLL
- Dump LSASS Via Procdump
- Dump LSASS Via Procdump Rename
- EC2 Instance Isolation
- EC2 Instance Modified With Previously Unseen User
- EC2 Instance Started In Previously Unseen Region
- EC2 Instance Started With Previously Unseen AMI
- EC2 Instance Started With Previously Unseen Instance Type
- EC2 Instance Started With Previously Unseen User
- Email Attachments With Lots Of Spaces
- Email Files Written Outside Of The Outlook Directory
- Email Servers Sending High Volume Traffic To Hosts
- Emails from Outside the Organization with Company Domains
- Emails with Lookalike Domains
- Endpoint Uncleaned Malware Detection
- Eventvwr Uac Bypass
- Excessive Box Downloads
- Excessive DNS Failures
- Excessive DNS Queries
- Excessive Data Printed
- Excessive Data Transmission
- Excessive Downloads via VPN
- Excessive Failed Logins
- Excessive HTTP Failure Responses
- Execution Of File With Multiple Extensions
- Execution Of File With Spaces Before Extension
- Exfiltration
- Exfiltration after Account Compromise
- Exfiltration after Infection
- Exfiltration after Suspicious Internal Activity
- Expected Host Not Reporting
- Expected Host Not Reporting - in Category
- Extended Period Without Successful Netbackup Backups
- External Alarm Activity
- External Website Attack
- Failed Access by Disabled Badge
- Failed Badge Accesses on Multiple Doors
- Fake Windows Processes
- Familiar Filename Launched with New Path on Host
- File With Samsam Extension
- Find Processes with Renamed Executables
- Find Unusually Long CLI Commands
- First Time Access to Jump Server for Peer Group
- First Time Accessing an Internal Git Repository
- First Time Accessing an Internal Git Repository Not Viewed by Peers
- First Time Logon to New Server
- First Time Seen Child Process Of Zoom
- First Time Seen Child Process of Zoom
- First Time Seen Command Line Argument
- First Time Seen Running Windows Service
- First Time USB Usage
- Flight Risk Emailing
- Flight Risk Printing
- Flight Risk User
- Flight Risk Web Browsing
- Fodhelper Uac Bypass
- GCP Detect Accounts With High Risk Roles By Project
- GCP Detect Gcploit Framework
- GCP Detect High Risk Permissions By Resource And Account
- GCP Detect Oauth Token Abuse
- GCP GCR Container Uploaded
- GCP Kubernetes Cluster Pod Scan Detection
- GCP Kubernetes Cluster Scan Detection
- Geographically Improbable Access Detected
- Geographically Improbable Access Detected against Category
- Geographically Improbable Access Detected for Privileged Accounts
- Healthcare Worker Opening More Patient Records Than Usual
- Hiding Files And Directories With Attrib Exe
- Hiding Files And Directories With Attrib.exe
- High Number Of Infected Hosts
- High Number Of Login Failures From A Single Source
- High Number of Hosts Not Updating Malware Signatures
- High Or Critical Priority Host With Malware Detected
- High Process Count
- High Volume Email Activity to Non-corporate Domains by User
- High Volume of Traffic from High or Critical Host Observed
- High or Critical Priority Individual Logging into Infected Machine
- Host Sending Excessive Email
- Host With A Recurring Malware Infection
- Host With High Number Of Listening ports
- Host With High Number Of Services
- Host With Multiple Infections
- Host With Old Infection Or Potential Re-Infection
- Hosts Receiving High Volume Of Network Traffic From Email Server
- Hosts Sending To More Destinations Than Normal
- Hosts Where Security Sources Go Quiet
- Hosts with Varied and Future Timestamps
- Hunting COVID Themed Attacks With IOCs
- IP Investigate and Report
- Identify New User Accounts
- Image From New Repository Detected
- In-Scope Device with Outdated Anti-Malware Found
- In-Scope System with Windows Update Disabled
- Inactive Account Activity Detected
- Increase in # of Hosts Logged into
- Increase in Pages Printed
- Increase in Source Code (Git) Downloads
- Increase in Windows Privilege Escalations
- Infected Host
- Infection followed by Exfiltration
- Insecure Or Cleartext Authentication Detected
- Instance Created by Unusual User
- Instance Modified by Unusual User
- Integrating Threat Indicators with MISP and Splunk Enterprise Security
- Investigate GDPR Breaches Using ES
- Kerberoasting Spn Request With RC4 Encryption
- Kerberoasting spn request with RC4 encryption
- Kubernetes AWS Detect Most Active Service Accounts By Pod
- Kubernetes AWS Detect Rbac Authorization By Account
- Kubernetes AWS Detect Sensitive Role Access
- Kubernetes AWS Detect Service Accounts Forbidden Failure Access
- Kubernetes AWS Detect Suspicious Kubectl Calls
- Kubernetes Azure Detect Most Active Service Accounts By Pod Namespace
- Kubernetes Azure Detect Rbac Authorization By Account
- Kubernetes Azure Detect Sensitive Object Access
- Kubernetes Azure Detect Sensitive Role Access
- Kubernetes Azure Detect Service Accounts Forbidden Failure Access
- Kubernetes Azure Detect Suspicious Kubectl Calls
- Kubernetes Azure Pod Scan Fingerprint
- Kubernetes Azure Scan Fingerprint
- Kubernetes GCP Detect Most Active Service Accounts By Pod
- Kubernetes GCP Detect Rbac Authorizations By Account
- Kubernetes GCP Detect Sensitive Object Access
- Kubernetes GCP Detect Sensitive Role Access
- Kubernetes GCP Detect Service Accounts Forbidden Failure Access
- Kubernetes GCP Detect Suspicious Kubectl Calls
- Land Speed Violation
- Large Volume Of DNS Any Queries
- Large Web Upload
- Lateral Movement
- Local Account Creation
- Machine Generated Beacon
- Macos - Re-Opened Applications
- Malicious AD Activity
- Malicious Command Line Executions
- Malicious Insider Containment
- Malicious PowerShell Process With Obfuscation Techniques
- Malicious Powershell Process - Connect To Internet With Hidden Window
- Malicious Powershell Process - Encoded Command
- Malicious Powershell Process - Execution Policy Bypass
- Malicious Powershell Process - Multiple Suspicious Command-Line Arguments
- Malicious Powershell Process With Obfuscation Techniques
- Malicious URI with Potential Malware
- Malware
- Malware Investigation
- Many USB File Copies for User
- Monitor AutoRun Registry Keys
- Monitor DNS For Brand Abuse
- Monitor Email For Brand Abuse
- Monitor Registry Keys For Print Monitors
- Monitor Successful Backups
- Monitor Successful Windows Updates
- Monitor Unsuccessful Backups
- Monitor Unsuccessful Windows Updates
- Monitor Web Traffic For Brand Abuse
- Multiple Account Deletion by an Administrator
- Multiple Account Disabled by an Administrator
- Multiple Account Passwords changed by an Administrator
- Multiple Authentication Failures
- Multiple Authentications
- Multiple Badge Accesses
- Multiple Box login errors
- Multiple Box logins
- Multiple Box operations
- Multiple External Alarms
- Multiple Failed Badge Access Attempts
- Multiple Infections on Host
- Multiple Login Errors
- Multiple Logins
- Multiple Okta Users With Invalid Credentails From The Same IP
- Multiple Okta Users With Invalid Credentials From The Same IP
- Multiple Outgoing Connections
- Multiple Primary Functions Detected
- Multiple failed badge attempts and unusual badge access time
- Network Change Detected
- Network Device Rebooted
- Network Protocol Violation
- New AD Domain Detected
- New Application Accessing Salesforce.com API
- New Cloud API Call Per Peer Group
- New Cloud Provider for User
- New Connection to In-Scope Device
- New Container Uploaded To AWS Ecr
- New Data Exfil DLP Alerts for User
- New High Risk Event Types for Salesforce.com User
- New IaaS API Call Per User
- New Interactive Logon from a Service Account
- New Local Admin Account
- New Logon Type for User
- New Parent Process for cmd.exe or regedit.exe
- New RunAs Host / Privileged Account Combination
- New Service Paths for Host
- New Suspicious Executable Launch for User
- New Suspicious cmd.exe / regedit.exe / powershell.exe Service Launch
- New Tables Queried by Salesforce.com Peer Group
- New Tables Queried by Salesforce.com User
- New User Account Created On Multiple Hosts
- New User Taking Privileged Actions
- Nishang Powershelltcponeline
- Nltest Domain Trust Discovery
- No Windows Updates In A Time Frame
- Non-Privileged Users taking Privileged Actions
- Ntdsutil Export Ntds
- O365 Add App Role Assignment Grant User
- O365 Added Service Principal
- O365 Bypass MFA Via Trusted IP
- O365 Disable MFA
- O365 Excessive Authentication Failures Alert
- O365 Excessive Sso Logon Errors
- O365 New Federated Domain Added
- O365 Pst Export Alert
- O365 Suspicious Admin Email Forwarding
- O365 Suspicious Rights Delegation
- O365 Suspicious User Email Forwarding
- Okta Account Lockout Events
- Okta Failed Sso Attempts
- Okta User Logins From Multiple Cities
- Old Passwords in Use
- Open Redirect In Splunk Web
- Osquery Pack - Coldroot Detection
- Outbreak Detected
- Outdated Malware Definitions
- Overwriting Accessibility Binaries
- Period with Unusual Windows Security Event Sequences
- Personally Identifiable Information Detected
- Phishing Investigation and Response
- Possible Phishing Attempt
- Potential Day Trading
- Potential Flight Risk Exfiltration
- Potential Flight Risk Staging
- Potential Gap in Data
- Potential Phishing Attack
- Potential Webshell Activity
- Privilege Escalation after Powershell Activity
- Process Creating Lnk File In Suspicious Location
- Process Execution Via WMI
- Processes Created By Netsh
- Processes Launching Netsh
- Processes Tapping Keyboard Events
- Processes launching netsh
- Processes with High Entropy Names
- Processes with Lookalike (typo) Filenames
- Prohibited Network Traffic Allowed
- Prohibited Port Activity Detected
- Prohibited Process Detected
- Prohibited Service Detected
- Prohibited Software On Endpoint
- Prompt and Block Domain
- Protocol Or Port Mismatch
- Protocols Passing Authentication In Cleartext
- Public Cloud Storage (Bucket)
- Public facing Website Attack
- Pull List of Privileged Users
- RFC1918 IP Not in CMDB
- Ransomware Extensions
- Ransomware Investigate and Contain
- Ransomware Note Files
- Ransomware Vulnerabilities
- Recurring Infection on Host
- Reg Exe Manipulating Windows Services Registry Keys
- Reg Exe Used To Hide Files Directories Via Registry Keys
- Reg.exe Manipulating Windows Services Registry Keys
- Reg.exe used to hide files/directories via registry keys
- Registry Keys For Creating Shim Databases
- Registry Keys Used For Persistence
- Registry Keys Used For Privilege Escalation
- Remote Account Takeover
- Remote Desktop Network Bruteforce
- Remote Desktop Network Traffic
- Remote Desktop Process Running On System
- Remote PowerShell Launches
- Remote Process Instantiation Via WMI
- Remote Registry Key Modifications
- Remote WMI Command Attempt
- Risky Events from Privileged Users
- Rundll Loading DLL By Ordinal
- Ryuk Test Files Detected
- Ryuk Wake On Lan Command
- SMB Traffic Allowed
- SMB Traffic Spike
- SMB Traffic Spike - MLTK
- SQL Injection with Long URLs
- Same Error On Many Servers Detected
- Samsam Test File Write
- Sc Exe Manipulating Windows Services
- Sc.exe Manipulating Windows Services
- Scanning Activity
- Scheduled Task Deleted Or Created Via Cmd
- Scheduled Task Name Used By Dragonfly Threat Actors
- Scheduled Tasks Used In Badrabbit Ransomware
- Schtasks Scheduling Job On Remote System
- Schtasks Used For Forcing A Reboot
- Script Execution Via WMI
- Sensitive Kubernetes Mount Pod Detected
- Service Account Login
- Shim Database File Creation
- Shim Database Installation With Suspicious Parameters
- Short Lived Admin Accounts
- Short Lived Windows Accounts
- Short-lived Account Detected
- Significant Increase in Interactive Logons
- Significant Increase in Interactively Logged On Users
- Single Letter Process On Endpoint
- Sources Sending Many DNS Requests
- Sources Sending a High Volume of DNS Traffic
- Spectre And Meltdown Vulnerable Systems
- Spike In File Writes
- Spike in Downloaded Documents Per User from Salesforce.com
- Spike in Exported Records from Salesforce.com
- Spike in Password Reset Emails
- Spike in SMB Traffic
- Splunk Enterprise Information Disclosure
- Sql Injection With Long Urls
- Stale Account Usage
- Substantial Increase In Events
- Substantial Increase In Port Activity
- Successful Login of Account for Former Employee
- Sunburst Correlation DLL And Network Event
- Supernova Webshell
- Suspicious Account Activity
- Suspicious Account Lockout
- Suspicious Activity After Intrusion
- Suspicious Badge Activity
- Suspicious Behavior
- Suspicious Box Usage
- Suspicious Changes To File Associations
- Suspicious Container Image Name
- Suspicious Curl Network Connection
- Suspicious Data Collection
- Suspicious Data Movement
- Suspicious Dllhost No Command Line Arguments
- Suspicious Domain Communication
- Suspicious Domain Communication followed by Malware Activity
- Suspicious Domain Name
- Suspicious Email - UBA Anomaly
- Suspicious Email Attachment Extensions
- Suspicious External Alarm Activity
- Suspicious File Write
- Suspicious Gpupdate No Command Line Arguments
- Suspicious HTTP Redirects
- Suspicious HTTP Redirects followed by Suspected Infection
- Suspicious IP Address Communication
- Suspicious Java Classes
- Suspicious Lnk File Launching A Process
- Suspicious Microsoft Workflow Compiler Rename
- Suspicious Microsoft Workflow Compiler Usage
- Suspicious Msbuild Path
- Suspicious Msbuild Rename
- Suspicious Msbuild Spawn
- Suspicious Mshta Child Process
- Suspicious Mshta Spawn
- Suspicious Network Connection
- Suspicious Network Exploration
- Suspicious New Access
- Suspicious Plistbuddy Usage
- Suspicious Plistbuddy Usage Via Osquery
- Suspicious Powershell Activity
- Suspicious Privilege Escalation
- Suspicious Reg Exe Process
- Suspicious Reg.exe Process
- Suspicious Regsvr32 Register Suspicious Path
- Suspicious Rundll32 Dllregisterserver
- Suspicious Rundll32 No Command Line Arguments
- Suspicious Rundll32 Rename
- Suspicious Rundll32 Startw
- Suspicious Scheduled Task From Public Directory
- Suspicious Searchprotocolhost No Command Line Arguments
- Suspicious Sqlite3 Lsquarantine Behavior
- Suspicious URL Communications and Redirects
- Suspicious Wevtutil Usage
- Suspicious Writes To System Volume Information
- Suspicious Writes To Windows Recycle Bin
- System Information Discovery Detection
- System Processes Run From Unexpected Locations
- Threat Activity Detected
- Threat Hunting
- Tor Traffic
- USB storage attached an unusually high number of times
- Unauthorized Connection Through Firewall
- Uncommon Processes On Endpoint
- Unified Messaging Service Spawning A Process
- Unload Sysmon Filter Driver
- Unrouteable Activity Detected
- Unsigned Image Loaded By LSASS
- Unsuccessful Netbackup Backups
- Untriaged Notable Events
- Unusual Activity Time
- Unusual Badge Reader Access
- Unusual Child Process for spoolsv.exe or connhost.exe
- Unusual Cloud Regions
- Unusual Cloud Storage Deletions
- Unusual Cloud Storage Downloads
- Unusual External Alarm
- Unusual File Extension
- Unusual Geolocation of Communication Destination
- Unusual Machine Access
- Unusual Network Activity
- Unusual Number of Modifications to Cloud ACLs
- Unusual Printer Usage
- Unusual Time of Badge Access
- Unusual USB Activity
- Unusual USB Device Plugged In
- Unusual VPN Login Geolocation
- Unusual Volume of Network Activity
- Unusual Web Browser
- Unusual Windows Security Event (Unusual - Event Code, Process, Directory, LoginType, ReturnCode, Domain)
- Unusually Long Command Line
- Unusually Long Command Line - MLTK
- Unusually Long Content-Type Length
- Unusually Long VPN Session
- User Finding Project Code Names from Many Departments
- User Has Access to In-Scope Splunk Indexes They Should Not
- User Logged into In-Scope System They Should Not Have
- User Login to Unauthorized Geo
- User Login with Local Credentials
- User with Increase in Outgoing Email
- User with Many DLP Events
- Usn Journal Deletion
- Vulnerability Scanner Detected (by events)
- Vulnerability Scanner Detected (by targets)
- W3Wp Spawning Shell
- WMI Permanent Event Subscription
- WMI Permanent Event Subscription - Sysmon
- WMI Temporary Event Subscription
- Watchlisted Event Observed
- Watering Hole Infection
- Wbadmin Delete System Backups
- Web Browsing to Unauthorized Sites
- Web Fraud - Account Harvesting
- Web Fraud - Anomalous User Clickspeed
- Web Fraud - Password Sharing Across Accounts
- Web Servers Executing Suspicious Processes
- Web Site Compromised (Webshell)
- Web Uploads to Non-corporate Sites by Users
- Windows Adfind Exe
- Windows Connhost Exe Started Forcefully
- Windows Disableantispyware Registry
- Windows Event Log Cleared
- Windows Event Log Clearing Events
- Windows Hosts File Modification
- Windows Security Account Manager Stopped
Technical Detail
Developing on SSE
Installation Documentation Windows Adfind Exe Description This search looks for the execution of adfind.exe with command-line arguments that it uses by default. Specifically the filter or search functions. It also considers the arguments necessary like objectcategory, see readme for more details: https://www.joeware.net/freetools/tools/adfind/usage.htm. This has been seen used before by Wizard Spider, FIN6 and actors whom also launched SUNBURST. AdFind.exe is usually used a recon tool to enumare a domain controller.
Windows Adfind Exe Help
To successfully implement this search, you need to be ingesting logs with the process name, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
| tstats `security_content_summariesonly` count min (_time) as firstTime max (_time) as lastTime from datamodel =Endpoint.Processes where (Processes.process=*-f* OR Processes.process=*-b*) AND (Processes.process=*objectcategory* OR Processes.process=*-gcb* OR Processes.process=*-sc*) by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_adfind_exe_filter` Open in Search