Windows Adfind Exe

Description
This search looks for the execution of adfind.exe with the command-line arguments it uses by default, specifically the filter or search functions. It also considers the arguments these require, such as objectcategory; see the readme for more details: https://www.joeware.net/freetools/tools/adfind/usage.htm. This has been seen used before by Wizard Spider, FIN6 and the actors who also launched SUNBURST. AdFind.exe is usually used as a recon tool to enumerate a domain controller.
Help
To successfully implement this search, you need to be ingesting logs with the process name, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
Search
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process=*-f* OR Processes.process=*-b*) AND (Processes.process=*objectcategory* OR Processes.process=*-gcb* OR Processes.process=*-sc*) by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_adfind_exe_filter`
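The search above matches on arguments only, not on the binary name, so a renamed AdFind is still caught, while the `*-f*` wildcard also matches unrelated switches such as `-filter`; the trailing `windows_adfind_exe_filter` macro is where a deployment tunes such matches out. The following is an added example, not code from the Splunk Security Essentials page or the security_content project: it re-implements the where clause, the `by` aggregation with count/firstTime/lastTime, and a stand-in for the filter macro in plain Python over constructed Endpoint.Processes-style events, so the rule's behaviour on edge cases can be studied offline. The field names mirror the data model fields the search groups by; the sample events and the exclusion list in the stand-in filter are constructed for this example.

```python
"""Added example, not code from the Splunk Security Essentials page or the
security_content project: the AdFind argument rule from the search above,
re-implemented in plain Python over constructed Endpoint.Processes-style
events.  Field names mirror the data model fields the search groups by; the
events and the stand-in filter's exclusion list are constructed here."""
from datetime import datetime, timezone

# Constructed sample events shaped like Endpoint.Processes rows; _time is
# Unix epoch seconds as in Splunk.  The first two rows are the same launch
# recorded twice (e.g. Sysmon EventID 1 and Security 4688 both feeding the
# data model), which is how count > 1 arises for a single process_id.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "dest": "ws01", "user": "CORP\\alice",
     "process_name": "adfind.exe", "parent_process": "cmd.exe",
     "process": "adfind.exe -f (objectcategory=person)",
     "process_id": 4120, "parent_process_id": 3300},
    {"_time": 1700000001, "dest": "ws01", "user": "CORP\\alice",
     "process_name": "adfind.exe", "parent_process": "cmd.exe",
     "process": "adfind.exe -f (objectcategory=person)",
     "process_id": 4120, "parent_process_id": 3300},
    # Renamed binary: the rule keys on arguments, not on the file name.
    {"_time": 1700000120, "dest": "ws02", "user": "CORP\\bob",
     "process_name": "find.exe", "parent_process": "powershell.exe",
     "process": "find.exe -b dc=corp,dc=local -sc trustdmp",
     "process_id": 5000, "parent_process_id": 4800},
    # -f without objectcategory/-gcb/-sc satisfies only one side of the AND.
    {"_time": 1700000180, "dest": "ws03", "user": "CORP\\carol",
     "process_name": "adfind.exe", "parent_process": "cmd.exe",
     "process": "adfind.exe -f (name=carol)",
     "process_id": 6000, "parent_process_id": 5900},
    # *-f* also matches "-filter", so this dsquery call hits the rule; the
    # filter macro is where a deployment tunes such matches out.
    {"_time": 1700000240, "dest": "ws04", "user": "CORP\\dave",
     "process_name": "dsquery.exe", "parent_process": "cmd.exe",
     "process": "dsquery * -filter (objectcategory=computer)",
     "process_id": 7000, "parent_process_id": 6900},
    {"_time": 1700000300, "dest": "ws05", "user": "CORP\\erin",
     "process_name": "notepad.exe", "parent_process": "explorer.exe",
     "process": "notepad.exe C:\\notes.txt",
     "process_id": 8000, "parent_process_id": 7900},
]

# The "by" clause of the search, after drop_dm_object_name strips "Processes.".
GROUP_BY = ("dest", "user", "process_name", "process",
            "parent_process", "process_id", "parent_process_id")

# Stand-in for the `windows_adfind_exe_filter` macro (constructed tuning).
FILTER_EXCLUDED_PROCESS_NAMES = {"dsquery.exe"}


def matches_adfind_rule(process: str) -> bool:
    """The where clause: (*-f* OR *-b*) AND (*objectcategory* OR *-gcb* OR *-sc*).
    Splunk term matching is case-insensitive, so compare in lower case."""
    p = process.lower()
    first = "-f" in p or "-b" in p
    second = "objectcategory" in p or "-gcb" in p or "-sc" in p
    return first and second


def run_detection(events):
    """tstats count min(_time) as firstTime max(_time) as lastTime ... by GROUP_BY."""
    rows = {}
    for ev in events:
        if not matches_adfind_rule(ev["process"]):
            continue
        key = tuple(ev[f] for f in GROUP_BY)
        agg = rows.setdefault(key, {"count": 0, "firstTime": ev["_time"],
                                    "lastTime": ev["_time"]})
        agg["count"] += 1
        agg["firstTime"] = min(agg["firstTime"], ev["_time"])
        agg["lastTime"] = max(agg["lastTime"], ev["_time"])
    return [dict(zip(GROUP_BY, key), **agg) for key, agg in rows.items()]


def apply_filter(rows):
    """Last stage of the pipeline: drop rows the filter macro excludes."""
    return [r for r in rows if r["process_name"] not in FILTER_EXCLUDED_PROCESS_NAMES]


def ctime(epoch: int) -> str:
    """Stand-in for `security_content_ctime`: epoch seconds to readable UTC."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    for row in apply_filter(run_detection(SAMPLE_EVENTS)):
        print(row["dest"], row["user"], row["process_name"], row["count"],
              ctime(row["firstTime"]), ctime(row["lastTime"]), sep=" | ")
```

Run as a script it prints one line per surviving group: alice's doubly-logged launch with count 2, and bob's renamed binary; carol's `-f` alone and erin's notepad never match, and dave's dsquery matches the raw rule but is removed by the stand-in filter, which is the tuning decision the real macro exists for.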