CSEC_PUBLIC/WELA
1
0
Fork 0
mirror of https://github.com/Yamato-Security/WELA.git synced 2025-12-06 09:12:46 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
0e21a2e0565184e17624d3e28b61f3222fd82bb7
WELA/config/security_rules.json
fukusuket 775c36e357 feat: add other log check
2025-04-14 22:34:02 +09:00

32702 lines
669 KiB
JSON
Raw Blame History

[
{
"channel": [
"Microsoft-Windows-WinRM/Operational"
],
"event_ids": [
"6"
],
"id": "4f321a68-176a-4f1d-873a-8793bc49e3b0",
"level": "informational",
"subcategory_guids": [],
"title": "Win RM Session Created"
},
{
"channel": [
"Microsoft-Windows-Partition/Diagnostic"
],
"event_ids": [
"1006"
],
"id": "a6a0d64-75d1-433a-b415-4123bab080ec",
"level": "informational",
"subcategory_guids": [],
"title": "Device Conn"
},
{
"channel": [
"Microsoft-Windows-TerminalServices-Gateway/Operational"
],
"event_ids": [
"302"
],
"id": "24a04758-729d-4c43-9bd5-cccd31db80d0",
"level": "low",
"subcategory_guids": [],
"title": "RDS GTW Logon Error"
},
{
"channel": [
"Microsoft-Windows-TerminalServices-Gateway/Operational"
],
"event_ids": [
"302"
],
"id": "27648a93-cfc0-4903-beb2-9395e784a484",
"level": "informational",
"subcategory_guids": [],
"title": "RDS GTW Logon"
},
{
"channel": [
"Microsoft-Windows-TerminalServices-Gateway/Operational"
],
"event_ids": [
"303"
],
"id": "e5f74909-58a9-45ec-b70d-21c654dca4f3",
"level": "informational",
"subcategory_guids": [],
"title": "RDS GTW Logoff"
},
{
"channel": [
"pwsh"
],
"event_ids": [
"400"
],
"id": "ac2ae63b-83e6-4d06-aeaf-07409bda92c9",
"level": "informational",
"subcategory_guids": [],
"title": "PwSh Engine Started"
},
{
"channel": [
"pwsh"
],
"event_ids": [
"400"
],
"id": "bc082394-73e6-4d00-a9af-e7b524ef5085",
"level": "medium",
"subcategory_guids": [],
"title": "PwSh 2.0 Downgrade Attack"
},
{
"channel": [
"sec"
],
"event_ids": [
"4776"
],
"id": "4fbe94b0-577a-4f77-9b13-250e27d440fa",
"level": "informational",
"subcategory_guids": [
"0CCE923F-69AE-11D9-BED3-505054503030"
],
"title": "NTLM Auth"
},
{
"channel": [
"sec"
],
"event_ids": [
"4768"
],
"id": "dee2a01e-5d7c-45b4-aec3-ad9722f2165a",
"level": "medium",
"subcategory_guids": [
"0CCE9242-69AE-11D9-BED3-505054503030"
],
"title": "Possible AS-REP Roasting (RC4 Kerberos Ticket Req)"
},
{
"channel": [
"sec"
],
"event_ids": [
"4769"
],
"id": "f19849e7-b5ba-404b-a731-9b624d7f6d19",
"level": "medium",
"subcategory_guids": [
"0CCE9240-69AE-11D9-BED3-505054503030"
],
"title": "Possible Kerberoasting (RC4 Kerberos Ticket Req)"
},
{
"channel": [
"sec"
],
"event_ids": [
"4768"
],
"id": "d9f336ea-bb16-4a35-8a9c-183216b8d59c",
"level": "informational",
"subcategory_guids": [
"0CCE9242-69AE-11D9-BED3-505054503030"
],
"title": "Kerberos TGT Requested"
},
{
"channel": [
"sec"
],
"event_ids": [
"4769"
],
"id": "da6257f3-cf49-464a-96fc-c84a7ce20636",
"level": "informational",
"subcategory_guids": [
"0CCE9240-69AE-11D9-BED3-505054503030"
],
"title": "Kerberos Service Ticket Requested"
},
{
"channel": [
"sec"
],
"event_ids": [
"1102"
],
"id": "c2f690ac-53f8-4745-8cfe-7127dda28c74",
"level": "high",
"subcategory_guids": [],
"title": "Log Cleared"
},
{
"channel": [
"sec"
],
"event_ids": [
"5379"
],
"id": "d478c070-8f84-4e65-9f45-cc432a000e93",
"level": "low",
"subcategory_guids": [],
"title": "Credential Manager Accessed"
},
{
"channel": [
"sec"
],
"event_ids": [
"5379"
],
"id": "d8e3afc5-fa0a-4063-a4af-55e014eb1936",
"level": "low",
"subcategory_guids": [],
"title": "Credential Manager Enumerated"
},
{
"channel": [
"sec"
],
"event_ids": [
"5156"
],
"id": "d0a61a11-57c9-4afc-b940-3f19b60db08e",
"level": "informational",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Net Conn"
},
{
"channel": [
"sec"
],
"event_ids": [
"5157"
],
"id": "b793a8e6-28a4-4fb8-816e-17a99e4e7b40",
"level": "informational",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Net Conn Blocked"
},
{
"channel": [
"sec"
],
"event_ids": [
"5140"
],
"id": "15d042c1-07c6-4e16-ae7d-e0e556ccd9a8",
"level": "informational",
"subcategory_guids": [
"0CCE9224-69AE-11D9-BED3-505054503030"
],
"title": "NetShare Access"
},
{
"channel": [
"sec"
],
"event_ids": [
"5145"
],
"id": "8c6ec2b2-8dad-4996-9aba-d659afc1b919",
"level": "informational",
"subcategory_guids": [
"0CCE9244-69AE-11D9-BED3-505054503030"
],
"title": "NetShare File Access"
},
{
"channel": [
"sec"
],
"event_ids": [
"4699"
],
"id": "de5ed02e-e7b5-47a0-a35c-06a907c988e4",
"level": "informational",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030",
"0CCE9227-69AE-11D9-BED3-505054503030"
],
"title": "Task Deleted"
},
{
"channel": [
"sec"
],
"event_ids": [
"4698"
],
"id": "60d768ca-33e8-4f34-b967-14fd7aa18a22",
"level": "informational",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030",
"0CCE9227-69AE-11D9-BED3-505054503030"
],
"title": "Task Created"
},
{
"channel": [
"sec"
],
"event_ids": [
"4611"
],
"id": "614c150b-905d-4071-9b8e-0425e370c493",
"level": "informational",
"subcategory_guids": [
"0CCE9211-69AE-11D9-BED3-505054503030"
],
"title": "Logon Proc Registered With LSA"
},
{
"channel": [
"sec"
],
"event_ids": [
"4697"
],
"id": "95fe88c9-5b9d-4454-97b4-957918b84208",
"level": "informational",
"subcategory_guids": [
"0CCE9211-69AE-11D9-BED3-505054503030"
],
"title": "Svc Installed"
},
{
"channel": [
"sec"
],
"event_ids": [
"4611"
],
"id": "41ca6049-dd12-462c-a772-7bba78d8e2f0",
"level": "informational",
"subcategory_guids": [
"0CCE9211-69AE-11D9-BED3-505054503030"
],
"title": "Abnormal Logon Proc Registered With LSA"
},
{
"channel": [
"sec"
],
"event_ids": [
"4825"
],
"id": "f97a152e-753c-4975-9375-19087fb66f8c",
"level": "informational",
"subcategory_guids": [],
"title": "RDP Denied"
},
{
"channel": [
"sec"
],
"event_ids": [
"5038"
],
"id": "0c871345-668e-4b71-bdad-61e42ecc31e3",
"level": "low",
"subcategory_guids": [
"0CCE9212-69AE-11D9-BED3-505054503030"
],
"title": "Code Integrity Error (Invalid Image Hash)"
},
{
"channel": [
"sec"
],
"event_ids": [
"6281"
],
"id": "d4757f63-cc0e-448e-8b5b-6cb02aeb918a",
"level": "low",
"subcategory_guids": [
"0CCE9212-69AE-11D9-BED3-505054503030"
],
"title": "Code Integrity Error (Invalid Image Page Hash)"
},
{
"channel": [
"sec"
],
"event_ids": [
"6410"
],
"id": "c2eb9d20-ef9d-4b2d-bffe-d0a5d9616f30",
"level": "low",
"subcategory_guids": [
"0CCE9212-69AE-11D9-BED3-505054503030"
],
"title": "Code Integrity Proble (Possible Modification)"
},
{
"channel": [
"sec"
],
"event_ids": [
"4674"
],
"id": "15db3cc7-30bd-47a0-bd75-66208ce8e3fe",
"level": "medium",
"subcategory_guids": [
"0CCE9229-69AE-11D9-BED3-505054503030"
],
"title": "Possible Hidden Service Created"
},
{
"channel": [
"sec"
],
"event_ids": [
"4673"
],
"id": "5b6e58ee-c231-4a54-9eee-af2577802e08",
"level": "medium",
"subcategory_guids": [
"0CCE9229-69AE-11D9-BED3-505054503030",
"0CCE9228-69AE-11D9-BED3-505054503030"
],
"title": "Process Ran With High Privilege"
},
{
"channel": [
"sec"
],
"event_ids": [
"4779"
],
"id": "f3532729-5536-42b4-ad74-d061b61a3891",
"level": "informational",
"subcategory_guids": [
"0CCE921C-69AE-11D9-BED3-505054503030"
],
"title": "RDP Session Disconnect"
},
{
"channel": [
"sec"
],
"event_ids": [
"4778"
],
"id": "db23f704-61c8-4c95-a5b7-4db61c89f41d",
"level": "informational",
"subcategory_guids": [
"0CCE921C-69AE-11D9-BED3-505054503030"
],
"title": "RDP Session Reconnect"
},
{
"channel": [
"sec"
],
"event_ids": [
"4648"
],
"id": "ffd622af-d049-449f-af5a-0492fdcc3a58",
"level": "medium",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "PW Spray"
},
{
"channel": [
"sec"
],
"event_ids": [
"4624"
],
"id": "c7b22878-e5d8-4c30-b245-e51fd354359e",
"level": "informational",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Logon (Network)"
},
{
"channel": [
"sec"
],
"event_ids": [
"4648"
],
"id": "a5b3ebf0-141a-4264-b2ff-400c0d515fca",
"level": "informational",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Explicit Logon Attempt (Noisy)"
},
{
"channel": [
"sec"
],
"event_ids": [
"4625"
],
"id": "35e8a0fc-60c2-46d7-ba39-aafb15b9854e",
"level": "medium",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030"
],
"title": "PW Guessing"
},
{
"channel": [
"sec"
],
"event_ids": [
"4625"
],
"id": "a85096da-be85-48d7-8ad5-2f957cd74daa",
"level": "low",
"subcategory_guids": [
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Logon Failure (Unknown Reason)"
},
{
"channel": [
"sec"
],
"event_ids": [
"4648"
],
"id": "7616e857-8e41-4976-bc21-811d122b9fc9",
"level": "high",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Explicit Logon Attempt (Susp Proc) - Possible Mimikatz PrivEsc"
},
{
"channel": [
"sec"
],
"event_ids": [
"4648"
],
"id": "8c1899fe-493d-4faf-aae1-0853a33a3278",
"level": "informational",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Explicit Logon Attempt"
},
{
"channel": [
"sec"
],
"event_ids": [
"4624"
],
"id": "fbbe9d3f-ed1f-49a9-9446-726e349f5fba",
"level": "informational",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Logon (CachedInteractive) *Creds in memory*"
},
{
"channel": [
"sec"
],
"event_ids": [
"4648"
],
"id": "ab1accc0-b6e2-4841-8dfb-5902581392c3",
"level": "medium",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Failed Logon - Incorrect Password"
},
{
"channel": [
"sec"
],
"event_ids": [
"4625"
],
"id": "8afa97ce-a217-4f7c-aced-3e320a57756d",
"level": "low",
"subcategory_guids": [
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Logon Failure (User Does Not Exist)"
},
{
"channel": [
"sec"
],
"event_ids": [
"4625"
],
"id": "4574194d-e7ca-4356-a95c-21b753a1787e",
"level": "medium",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030"
],
"title": "User Guessing"
},
{
"channel": [
"sec"
],
"event_ids": [
"4624"
],
"id": "b61bfa39-48ec-4bdf-9d4e-e7205f49acd2",
"level": "informational",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Logon (Unlock)"
},
{
"channel": [
"sec"
],
"event_ids": [
"4624"
],
"id": "8ad8b25f-6052-4cfd-9a50-717cb514af13",
"level": "informational",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Logon (Batch)"
},
{
"channel": [
"sec"
],
"event_ids": [
"4625"
],
"id": "b2c74582-0d44-49fe-8faa-014dcdafee62",
"level": "medium",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030"
],
"title": "Failed Logon - Non-Existent User"
},
{
"channel": [
"sec"
],
"event_ids": [
"4624"
],
"id": "7ff51227-6a10-49e6-a58b-b9f4ac32b138",
"level": "informational",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Logon (NetworkCleartext)"
},
{
"channel": [
"sec"
],
"event_ids": [
"4624"
],
"id": "e50e3952-06d9-44a8-ab07-7a41c9801d78",
"level": "informational",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Logon (CachedUnlock) *Creds in memory*"
},
{
"channel": [
"sec"
],
"event_ids": [
"4624"
],
"id": "46614e82-7926-41f9-85aa-006b98c5c2a3",
"level": "medium",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Possible Token Impersonation"
},
{
"channel": [
"sec"
],
"event_ids": [
"4624"
],
"id": "9e8b6cdb-9991-488b-a7b3-2eec7aa64679",
"level": "medium",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "NewInteractive Logon (Suspicious Process)"
},
{
"channel": [
"sec"
],
"event_ids": [
"4624"
],
"id": "d80facaa-ca97-47bb-aed2-66362416eb49",
"level": "informational",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Logon (NewCredentials) *Creds in memory*"
},
{
"channel": [
"sec"
],
"event_ids": [
"4624"
],
"id": "9fa273cc-bcb2-4789-85e3-14ca253ac7f4",
"level": "informational",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Logon (System) - Bootup"
},
{
"channel": [
"sec"
],
"event_ids": [
"4624"
],
"id": "7beb4832-f357-47a4-afd8-803d69a5c85c",
"level": "informational",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Logon (Interactive) *Creds in memory*"
},
{
"channel": [
"sec"
],
"event_ids": [
"4624"
],
"id": "84e5ff02-5f8f-48c4-a7e9-88aa1fb888f7",
"level": "informational",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Logon (Service) (Noisy)"
},
{
"channel": [
"sec"
],
"event_ids": [
"4625"
],
"id": "e87bd730-df45-4ae9-85de-6c75369c5d29",
"level": "low",
"subcategory_guids": [
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Logon Failure (Wrong Password)"
},
{
"channel": [
"sec"
],
"event_ids": [
"4624"
],
"id": "b1782e40-d247-4de1-86d1-37392cb62e3b",
"level": "informational",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Logon (Interactive) (Noisy)"
},
{
"channel": [
"sec"
],
"event_ids": [
"4624"
],
"id": "408e1304-51d7-4d3e-ab31-afd07192400b",
"level": "informational",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Logon (Service)"
},
{
"channel": [
"sec"
],
"event_ids": [
"4624"
],
"id": "0266af4f-8825-495e-959c-bff801094349",
"level": "informational",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Logon (Network) (Noisy)"
},
{
"channel": [
"sec"
],
"event_ids": [
"4624"
],
"id": "f4b46dd3-63d6-4c75-a54c-9f6bd095cd6f",
"level": "informational",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Logon (CachedRemoteInteractive) *Creds in memory*"
},
{
"channel": [
"sec"
],
"event_ids": [
"4624"
],
"id": "a4e05f05-ff88-48b9-8524-a88c1c32fe19",
"level": "informational",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Logon (RemoteInteractive (RDP)) *Creds in memory*"
},
{
"channel": [
"sec"
],
"event_ids": [
"4625"
],
"id": "5b0b75dc-9190-4047-b9a8-14164cee8a31",
"level": "medium",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030"
],
"title": "Failed Logon - Incorrect Password"
},
{
"channel": [
"sec"
],
"event_ids": [
"4647"
],
"id": "6bad16f1-02c4-4075-b414-3cd16944bc65",
"level": "informational",
"subcategory_guids": [
"0CCE9216-69AE-11D9-BED3-505054503030"
],
"title": "Logoff (User Initiated)"
},
{
"channel": [
"sec"
],
"event_ids": [
"4634"
],
"id": "84288799-8b61-4d98-bad0-4043c40cf992",
"level": "informational",
"subcategory_guids": [
"0CCE9216-69AE-11D9-BED3-505054503030"
],
"title": "Logoff (Noisy)"
},
{
"channel": [
"sec"
],
"event_ids": [
"4634"
],
"id": "7309e070-56b9-408b-a2f4-f1840f8f1ebf",
"level": "informational",
"subcategory_guids": [
"0CCE9216-69AE-11D9-BED3-505054503030"
],
"title": "Logoff"
},
{
"channel": [
"sec"
],
"event_ids": [
"4672"
],
"id": "fdd0b325-8b89-469c-8b0c-e5ddfe39b62e",
"level": "informational",
"subcategory_guids": [
"0CCE921B-69AE-11D9-BED3-505054503030"
],
"title": "Admin Logon"
},
{
"channel": [
"sec"
],
"event_ids": [
"5136"
],
"id": "22ee9fb7-64ca-4eed-92de-d1dbef1170b8",
"level": "informational",
"subcategory_guids": [
"0CCE923C-69AE-11D9-BED3-505054503030"
],
"title": "Dir Svc Obj Modified"
},
{
"channel": [
"sec"
],
"event_ids": [
"4724"
],
"id": "0b78aca4-35f0-4bec-acce-c5743ff26614",
"level": "medium",
"subcategory_guids": [
"0CCE9235-69AE-11D9-BED3-505054503030"
],
"title": "Password Reset By Admin"
},
{
"channel": [
"sec"
],
"event_ids": [
"4720"
],
"id": "13edce80-2b02-4469-8de4-a3e37271dcdb",
"level": "low",
"subcategory_guids": [
"0CCE9235-69AE-11D9-BED3-505054503030"
],
"title": "Local User Account Created"
},
{
"channel": [
"sec"
],
"event_ids": [
"4723"
],
"id": "3b3046f3-a51c-4378-b059-c716aaa865b4",
"level": "medium",
"subcategory_guids": [
"0CCE9235-69AE-11D9-BED3-505054503030"
],
"title": "User Password Changed"
},
{
"channel": [
"sec"
],
"event_ids": [
"4720"
],
"id": "70b8b1bd-c107-4b1a-8b1e-5b0f9f57930a",
"level": "high",
"subcategory_guids": [
"0CCE9235-69AE-11D9-BED3-505054503030"
],
"title": "Hidden User Account Created"
},
{
"channel": [
"sec"
],
"event_ids": [
"4728"
],
"id": "0db443ba-561c-4a04-b349-d74ce1c5fc8b",
"level": "medium",
"subcategory_guids": [
"0CCE9237-69AE-11D9-BED3-505054503030"
],
"title": "User Added To Global Security Grp"
},
{
"channel": [
"sec"
],
"event_ids": [
"4728"
],
"id": "4bb89c86-a138-42a0-baaf-fc2f777a4506",
"level": "high",
"subcategory_guids": [
"0CCE9237-69AE-11D9-BED3-505054503030"
],
"title": "User Added To Global Domain Admins Grp"
},
{
"channel": [
"sec"
],
"event_ids": [
"4732"
],
"id": "bc58e432-959f-464d-812e-d60ce5d46fa1",
"level": "high",
"subcategory_guids": [
"0CCE9237-69AE-11D9-BED3-505054503030"
],
"title": "User Added To Local Domain Admins Grp"
},
{
"channel": [
"sec"
],
"event_ids": [
"4728"
],
"id": "2f04e44e-1c79-4343-b4ab-ba670ee10aa0",
"level": "low",
"subcategory_guids": [
"0CCE9237-69AE-11D9-BED3-505054503030"
],
"title": "User Added To Non-Admin Global Grp"
},
{
"channel": [
"sec"
],
"event_ids": [
"4732"
],
"id": "611e2e76-a28f-4255-812c-eb8836b2f5bb",
"level": "high",
"subcategory_guids": [
"0CCE9237-69AE-11D9-BED3-505054503030"
],
"title": "User Added To Local Admin Grp"
},
{
"channel": [
"sec"
],
"event_ids": [
"4741"
],
"id": "42a0a842-2b82-4b2d-8e44-5580fb6c38db",
"level": "informational",
"subcategory_guids": [
"0CCE9236-69AE-11D9-BED3-505054503030"
],
"title": "Computer Account Created"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "6c34b782-a5b5-4298-80f3-1918caf1f558",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Possible LOLBIN"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "6be7f3fc-8917-11ec-a8a3-0242ac120002",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Possible RDP Hijacking"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "ac933178-c222-430d-8dcf-17b4f3a2fed8",
"level": "informational",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Proc Exec"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "75744b7f-7e4a-47fe-afbe-1ee74ec2448e",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Susp CmdLine (Possible Meterpreter getsystem)"
},
{
"channel": [
"Microsoft-Windows-TaskScheduler/Operational"
],
"event_ids": [
"106"
],
"id": "33599dfb-f3e4-4298-8d3f-59407f65f4e7",
"level": "informational",
"subcategory_guids": [],
"title": "Task Created"
},
{
"channel": [
"Microsoft-Windows-TaskScheduler/Operational"
],
"event_ids": [
"200"
],
"id": "d1923809-955b-47c4-b3e5-37c0e461919c",
"level": "informational",
"subcategory_guids": [],
"title": "Task Executed"
},
{
"channel": [
"Microsoft-Windows-TaskScheduler/Operational"
],
"event_ids": [
"141"
],
"id": "ff6ada24-c7f0-4ae5-a7a6-f20ddb7b591f",
"level": "informational",
"subcategory_guids": [],
"title": "Task Deleted"
},
{
"channel": [
"Microsoft-Windows-TaskScheduler/Operational"
],
"event_ids": [
"140"
],
"id": "aba04101-e439-4e2f-b051-4be561993c31",
"level": "informational",
"subcategory_guids": [],
"title": "Task Updated"
},
{
"channel": [
"Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
],
"event_ids": [
"25"
],
"id": "8fe4a60b-2af3-43d6-95e2-8f13caccc179",
"level": "informational",
"subcategory_guids": [],
"title": "RDP Reconnect"
},
{
"channel": [
"Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
],
"event_ids": [
"24"
],
"id": "3fc6234f-93a5-4d48-b618-30e2c69c0a86",
"level": "informational",
"subcategory_guids": [],
"title": "RDP Disconnect"
},
{
"channel": [
"Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
],
"event_ids": [
"21"
],
"id": "b107551c-409d-44b8-bb0d-3b007c269881",
"level": "informational",
"subcategory_guids": [],
"title": "RDP Logon"
},
{
"channel": [
"Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
],
"event_ids": [
"23"
],
"id": "e14a729f-f4f8-427b-a238-dfbde9c1614b",
"level": "informational",
"subcategory_guids": [],
"title": "RDP Logoff"
},
{
"channel": [
"Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
],
"event_ids": [
"22"
],
"id": "320e2cb0-a56a-476f-a299-79dc45644fee",
"level": "informational",
"subcategory_guids": [],
"title": "RDP Sess Start (Noisy)"
},
{
"channel": [
"Microsoft-Windows-WMI-Activity/Operational"
],
"event_ids": [
"5860"
],
"id": "d96164c4-9e15-4d48-964f-153ac0dab6e9",
"level": "informational",
"subcategory_guids": [],
"title": "Temporary WMI Event Consumer"
},
{
"channel": [
"Microsoft-Windows-WMI-Activity/Operational"
],
"event_ids": [
"5861"
],
"id": "ac9f0a2a-e9c5-4d19-b69e-e3d518ca6797",
"level": "informational",
"subcategory_guids": [],
"title": "Permanent WMI Event Consumer"
},
{
"channel": [
"Microsoft-Windows-WMI-Activity/Operational"
],
"event_ids": [
"5857"
],
"id": "547aec97-2635-474a-a36c-7a3a46b07fde",
"level": "informational",
"subcategory_guids": [],
"title": "WMI Provider Started"
},
{
"channel": [
"Microsoft-Windows-WMI-Activity/Operational"
],
"event_ids": [
"5861"
],
"id": "ab4852ca-3e27-4dbb-af6b-5f8458d5717a",
"level": "medium",
"subcategory_guids": [],
"title": "WMI Filter To Consumer Binding_Command Execution"
},
{
"channel": [
"Microsoft-Windows-VHDMP-Operational"
],
"event_ids": [
"12"
],
"id": "f9915ff9-17ce-4524-9851-cc4bdd9bb35e",
"level": "low",
"subcategory_guids": [],
"title": "ISO Mounted"
},
{
"channel": [
"Microsoft-Windows-VHDMP-Operational"
],
"event_ids": [
"12"
],
"id": "d00c370c-c6c2-474f-9d41-a250644852b5",
"level": "low",
"subcategory_guids": [],
"title": "VHD Mounted"
},
{
"channel": [
"Microsoft-Windows-VHDMP-Operational"
],
"event_ids": [
"12"
],
"id": "2c544083-e209-4a8d-ad28-4f1427353d2e",
"level": "low",
"subcategory_guids": [],
"title": "VHDX Mounted"
},
{
"channel": [
"Microsoft-Windows-Crypto-DPAPI/Debug"
],
"event_ids": [
"16385"
],
"id": "420d5d28-78ed-4e43-844a-94ce69db378c",
"level": "informational",
"subcategory_guids": [],
"title": "CryptoDPAPI Decrypt"
},
{
"channel": [
"Microsoft-Windows-DNS-Server/Analytical"
],
"event_ids": [
"261"
],
"id": "6db38b96-3772-4cbf-a8ad-c65d8ac5134e",
"level": "informational",
"subcategory_guids": [],
"title": "Recursive DNS Response"
},
{
"channel": [
"Microsoft-Windows-DNS-Server/Analytical"
],
"event_ids": [
"260"
],
"id": "cd6eb342-9dcd-450d-b448-bebd97cb6e89",
"level": "informational",
"subcategory_guids": [],
"title": "Recursive DNS Request"
},
{
"channel": [
"System"
],
"event_ids": [
"20001"
],
"id": "9eaea7e6-6567-4ad0-bcc9-fe568dd27909",
"level": "informational",
"subcategory_guids": [],
"title": "New Non-USB PnP Device"
},
{
"channel": [
"System"
],
"event_ids": [
"12"
],
"id": "8da41a05-364b-4e3c-95d9-397abb82eac4",
"level": "medium",
"subcategory_guids": [],
"title": "Computer Startup In Safe Mode"
},
{
"channel": [
"System"
],
"event_ids": [
"1001"
],
"id": "082fbbf5-bb05-468c-ad9c-ef2a383bb293",
"level": "medium",
"subcategory_guids": [],
"title": "BSOD"
},
{
"channel": [
"System"
],
"event_ids": [
"7045"
],
"id": "0694c340-3a46-40ac-acfc-c3444ae6572c",
"level": "high",
"subcategory_guids": [],
"title": "PSExec Lateral Movement"
},
{
"channel": [
"System"
],
"event_ids": [
"104"
],
"id": "f481a1f3-969e-4187-b3a5-b47c272bfebd",
"level": "high",
"subcategory_guids": [],
"title": "Important Log File Cleared"
},
{
"channel": [
"System"
],
"event_ids": [
"7040"
],
"id": "ab3507cf-5231-4af6-ab1d-5d3b3ad467b5",
"level": "medium",
"subcategory_guids": [],
"title": "Event Log Service Startup Type Changed To Disabled"
},
{
"channel": [
"System"
],
"event_ids": [
"7045"
],
"id": "cc429813-21db-4019-b520-2f19648e1ef1",
"level": "high",
"subcategory_guids": [],
"title": "Suspicious Service Name"
},
{
"channel": [
"System"
],
"event_ids": [
"104"
],
"id": "ed90ed4f-0d93-4f1a-99a2-4b9003b750a7",
"level": "medium",
"subcategory_guids": [],
"title": "Log File Cleared"
},
{
"channel": [
"System"
],
"event_ids": [
"20001"
],
"id": "f5c0b936-bec8-418a-a79a-89833468fea2",
"level": "informational",
"subcategory_guids": [],
"title": "New USB PnP Device"
},
{
"channel": [
"System"
],
"event_ids": [
"6009"
],
"id": "b27292f1a-18b3-4433-b340-151874a7d4e8",
"level": "informational",
"subcategory_guids": [],
"title": "Computer Startup"
},
{
"channel": [
"System"
],
"event_ids": [
"6013"
],
"id": "982fdd1f-38fe-4243-bea3-6032fc01b723",
"level": "informational",
"subcategory_guids": [],
"title": "Computer Uptime/Timezone"
},
{
"channel": [
"System"
],
"event_ids": [
"6005"
],
"id": "11dc7d25-01c9-4b07-9d91-8e07b60d8fd3",
"level": "informational",
"subcategory_guids": [],
"title": "Event Log Svc Started"
},
{
"channel": [
"System"
],
"event_ids": [
"6008"
],
"id": "517c0b15-d2bf-48a3-926c-f7b4a96dcec3",
"level": "low",
"subcategory_guids": [],
"title": "Unexpected Shutdown"
},
{
"channel": [
"System"
],
"event_ids": [
"7045"
],
"id": "76355548-fa5a-4310-9610-0de4b11f4688",
"level": "medium",
"subcategory_guids": [],
"title": "Possible Metasploit Svc Installed"
},
{
"channel": [
"System"
],
"event_ids": [
"12"
],
"id": "a225cc36-bfdc-4e7a-ad01-f544b90e2d2a",
"level": "informational",
"subcategory_guids": [],
"title": "Computer Startup"
},
{
"channel": [
"System"
],
"event_ids": [
"7034"
],
"id": "f5dc6a6d-fdf1-441a-a10c-aa10e2908aa4",
"level": "low",
"subcategory_guids": [],
"title": "Service Crashed"
},
{
"channel": [
"System"
],
"event_ids": [
"7045"
],
"id": "64c5d39d-10a7-44f4-b5d6-fd0d93d0a69f",
"level": "informational",
"subcategory_guids": [],
"title": "Svc Installed"
},
{
"channel": [
"System"
],
"event_ids": [
"7045"
],
"id": "dbbfd9f3-9508-478b-887e-03ddb9236909",
"level": "high",
"subcategory_guids": [],
"title": "Suspicious Service Path"
},
{
"channel": [
"System"
],
"event_ids": [
"7031"
],
"id": "d869bf31-92b3-4e21-a447-708f10156e7c",
"level": "low",
"subcategory_guids": [],
"title": "Service Crashed"
},
{
"channel": [
"System"
],
"event_ids": [
"6006"
],
"id": "b6d53116-36b2-4413-a99b-e6708f9c3027",
"level": "informational",
"subcategory_guids": [],
"title": "Event Log Svc Stopped"
},
{
"channel": [
"Microsoft-Windows-TerminalServices-RDPClient/Operational"
],
"event_ids": [
"1102"
],
"id": "1a850b71-6aef-4f31-a509-f31b2c778476",
"level": "informational",
"subcategory_guids": [],
"title": "RDP Attempt"
},
{
"channel": [
"Microsoft-Windows-TerminalServices-RDPClient/Operational"
],
"event_ids": [
"1024"
],
"id": "512e70f5-bf70-4de1-9375-2174999a7f8d",
"level": "informational",
"subcategory_guids": [],
"title": "RDP Conn Attempt"
},
{
"channel": [
"Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
],
"event_ids": [
"1149"
],
"id": "e91c514e-08c5-4c42-96d7-ab1f5668a2f7",
"level": "informational",
"subcategory_guids": [],
"title": "RDP Logon"
},
{
"channel": [
"Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
],
"event_ids": [
"261"
],
"id": "6dbed1df-f08a-47ab-9a58-999c0787d034",
"level": "informational",
"subcategory_guids": [],
"title": "RDP Conn (Noisy)"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4103"
],
"id": "d3fb8f7b-88b0-4ff4-bf9b-ca286ce19031",
"level": "informational",
"subcategory_guids": [],
"title": "PwSh Pipeline Exec"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "0f3b1343-65a5-4879-b512-9d61b0e4e3ba",
"level": "informational",
"subcategory_guids": [],
"title": "PwSh Scriptblock"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "73be1519-4648-4ed7-b305-605504afc242",
"level": "medium",
"subcategory_guids": [],
"title": "Potentially Malicious PwSh"
},
{
"channel": [
"Microsoft-Windows-Ntfs/Operational"
],
"event_ids": [
"4"
],
"id": "af127790-5563-473e-8d3a-43b3509572b1",
"level": "informational",
"subcategory_guids": [],
"title": "NTFS volume mounted"
},
{
"channel": [
"Microsoft-Windows-WLAN-AutoConfig"
],
"event_ids": [
"8001"
],
"id": "90dd0797-f481-453d-a97e-dd78436893f9",
"level": "informational",
"subcategory_guids": [],
"title": "Wifi AP Conn"
},
{
"channel": [
"Microsoft-Windows-Windows Defender/Operational"
],
"event_ids": [
"1116"
],
"id": "3f5005fc-e354-4b0b-b1a1-3eec1d336023",
"level": "medium",
"subcategory_guids": [],
"title": "Defender Alert (Moderate)"
},
{
"channel": [
"Microsoft-Windows-Windows Defender/Operational"
],
"event_ids": [
"1116"
],
"id": "810bfd3a-9fb3-44e0-9016-8cdf785fddbf",
"level": "critical",
"subcategory_guids": [],
"title": "Defender Alert (Severe)"
},
{
"channel": [
"Microsoft-Windows-Windows Defender/Operational"
],
"event_ids": [
"1116"
],
"id": "61056ed8-7be5-46e4-9015-c5f6bc8b93a1",
"level": "low",
"subcategory_guids": [],
"title": "Defender Alert (Low)"
},
{
"channel": [
"Microsoft-Windows-Windows Defender/Operational"
],
"event_ids": [
"1116"
],
"id": "1e11c0f0-aecd-45d8-9229-da679c0265ea",
"level": "high",
"subcategory_guids": [],
"title": "Defender Alert (High)"
},
{
"channel": [
"Application"
],
"event_ids": [
"1033",
"1022"
],
"id": "ef118d4d-ef83-40a7-bb27-2bb3945473ee",
"level": "informational",
"subcategory_guids": [],
"title": "MSI Install"
},
{
"channel": [
"OAlerts"
],
"event_ids": [
"300"
],
"id": "8cab5688-ca77-483d-a295-56dd6c1db944",
"level": "informational",
"subcategory_guids": [],
"title": "Office App PopUp"
},
{
"channel": [
"Microsoft-Windows-DriverFrameworks-UserMode/Operational"
],
"event_ids": [
"2003"
],
"id": "b39b18a5-cece-4e7d-a438-827d0b0e8a82",
"level": "informational",
"subcategory_guids": [],
"title": "USB Plugged In"
},
{
"channel": [
"Microsoft-Windows-Bits-Client/Operational"
],
"event_ids": [
"59"
],
"id": "18e6fa4a-353d-42b6-975c-bb05dbf4a004",
"level": "informational",
"subcategory_guids": [],
"title": "Bits Job Created"
},
{
"channel": [
"Microsoft-ServiceBus-Client"
],
"event_ids": [
"40302",
"40300",
"40301"
],
"id": "871bc844-4977-a864-457b-46cfba6ddb65",
"level": "high",
"subcategory_guids": [],
"title": "HybridConnectionManager Service Running"
},
{
"channel": [
"Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational"
],
"event_ids": [
"1007"
],
"id": "aec05047-d4cd-8eed-6c67-40b018f64c6e",
"level": "medium",
"subcategory_guids": [],
"title": "Certificate Exported From Local Certificate Store"
},
{
"channel": [
"Microsoft-Windows-AppLocker/MSI and Script",
"Microsoft-Windows-AppLocker/EXE and DLL",
"Microsoft-Windows-AppLocker/Packaged app-Deployment",
"Microsoft-Windows-AppLocker/Packaged app-Execution"
],
"event_ids": [
"8004",
"8025",
"8007",
"8022"
],
"id": "da0e47f5-493f-9da4-b041-8eb762761118",
"level": "medium",
"subcategory_guids": [],
"title": "File Was Not Allowed To Run"
},
{
"channel": [
"Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"
],
"event_ids": [
"2083",
"2082",
"2008",
"2003",
"2002"
],
"id": "a0062bfc-2eba-05df-e231-f4a44b1317ab",
"level": "low",
"subcategory_guids": [],
"title": "Windows Firewall Settings Have Been Changed"
},
{
"channel": [
"Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"
],
"event_ids": [
"2097",
"2004",
"2071"
],
"id": "ac6e5dab-06d1-5064-a91c-0eb6246d22bd",
"level": "medium",
"subcategory_guids": [],
"title": "New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE"
},
{
"channel": [
"Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"
],
"event_ids": [
"2071",
"2004",
"2097"
],
"id": "bf17c34a-7b9d-65a8-a143-afa9c13e1fe4",
"level": "high",
"subcategory_guids": [],
"title": "New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application"
},
{
"channel": [
"Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"
],
"event_ids": [
"2052",
"2006"
],
"id": "55827aab-4062-032f-35e7-2406dc57c35e",
"level": "medium",
"subcategory_guids": [],
"title": "A Rule Has Been Deleted From The Windows Firewall Exception List"
},
{
"channel": [
"Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"
],
"event_ids": [
"2071",
"2097",
"2004"
],
"id": "a1dbd390-a4c5-755a-1b1f-a76aabbecbbc",
"level": "medium",
"subcategory_guids": [],
"title": "Uncommon New Firewall Rule Added In Windows Firewall Exception List"
},
{
"channel": [
"Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"
],
"event_ids": [
"2032",
"2060"
],
"id": "e2592615-38d5-5099-c59f-83ab34a11d9a",
"level": "low",
"subcategory_guids": [],
"title": "Windows Defender Firewall Has Been Reset To Its Default Configuration"
},
{
"channel": [
"Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"
],
"event_ids": [
"2009"
],
"id": "33a69619-460b-90f5-19b1-2f34036caf0a",
"level": "low",
"subcategory_guids": [],
"title": "The Windows Defender Firewall Service Failed To Load Group Policy"
},
{
"channel": [
"Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"
],
"event_ids": [
"2033",
"2059"
],
"id": "3623c339-f1c5-67f2-a5a2-ddb078d75f69",
"level": "high",
"subcategory_guids": [],
"title": "All Rules Have Been Deleted From The Windows Firewall Configuration"
},
{
"channel": [
"Application"
],
"event_ids": [
"1001"
],
"id": "ea429061-e3b4-fabd-8bd6-cb98772aeeba",
"level": "high",
"subcategory_guids": [],
"title": "Microsoft Malware Protection Engine Crash - WER"
},
{
"channel": [
"Microsoft-Windows-TaskScheduler/Operational"
],
"event_ids": [
"129"
],
"id": "d5a3d13e-7db3-bcf5-824a-789488ab40fd",
"level": "medium",
"subcategory_guids": [],
"title": "Scheduled Task Executed Uncommon LOLBIN"
},
{
"channel": [
"Microsoft-Windows-TaskScheduler/Operational"
],
"event_ids": [
"129"
],
"id": "c1fd9ca2-a3f8-1adc-0f1d-1d6099f5d827",
"level": "medium",
"subcategory_guids": [],
"title": "Scheduled Task Executed From A Suspicious Location"
},
{
"channel": [
"Microsoft-Windows-TaskScheduler/Operational"
],
"event_ids": [
"141"
],
"id": "0c0e2be2-30d2-c713-0c9c-63cd9752a940",
"level": "high",
"subcategory_guids": [],
"title": "Important Scheduled Task Deleted"
},
{
"channel": [
"Microsoft-Windows-AppxPackaging/Operational"
],
"event_ids": [
"157"
],
"id": "e6dd8206-87ca-b6e9-3c8f-9e097bfc4e31",
"level": "medium",
"subcategory_guids": [],
"title": "Suspicious Digital Signature Of AppX Package"
},
{
"channel": [
"Microsoft-Windows-Windows Defender/Operational"
],
"event_ids": [
"1018",
"1115",
"1006",
"1007",
"1008",
"1010",
"1011",
"1017",
"1116",
"1012",
"1009",
"1019"
],
"id": "f3d20838-65fe-0575-52a9-fd41ce2a5fdd",
"level": "high",
"subcategory_guids": [],
"title": "Antivirus Hacktool Detection"
},
{
"channel": [
"Microsoft-Windows-Windows Defender/Operational"
],
"event_ids": [
"1115",
"1017",
"1012",
"1010",
"1018",
"1116",
"1019",
"1006",
"1009",
"1011",
"1007",
"1008"
],
"id": "22f82564-4b51-e901-bf00-ea94ff39b468",
"level": "critical",
"subcategory_guids": [],
"title": "Antivirus Ransomware Detection"
},
{
"channel": [
"Microsoft-Windows-Windows Defender/Operational"
],
"event_ids": [
"1008",
"1006",
"1116",
"1009",
"1012",
"1018",
"1010",
"1115",
"1019",
"1007",
"1011",
"1017"
],
"id": "207b56b3-b44d-dcee-c171-c8f3f4eb3cf6",
"level": "high",
"subcategory_guids": [],
"title": "Antivirus Web Shell Detection"
},
{
"channel": [
"Microsoft-Windows-Windows Defender/Operational"
],
"event_ids": [
"1006",
"1116",
"1010",
"1012",
"1007",
"1017",
"1009",
"1018",
"1115",
"1011",
"1019",
"1008"
],
"id": "a1be9170-2ada-e8bb-285c-3e1ff336189e",
"level": "high",
"subcategory_guids": [],
"title": "Antivirus Relevant File Paths Alerts"
},
{
"channel": [
"Microsoft-Windows-Windows Defender/Operational"
],
"event_ids": [
"1011",
"1012",
"1007",
"1010",
"1017",
"1116",
"1009",
"1018",
"1008",
"1019",
"1115",
"1006"
],
"id": "1868a1c5-30e8-dffd-a373-90c72ea4921a",
"level": "critical",
"subcategory_guids": [],
"title": "Antivirus Exploitation Framework Detection"
},
{
"channel": [
"Microsoft-Windows-Windows Defender/Operational"
],
"event_ids": [
"1009",
"1006",
"1007",
"1012",
"1011",
"1010",
"1017",
"1019",
"1018",
"1115",
"1116",
"1008"
],
"id": "46fc2e9f-df4e-8628-05d5-39bc97b56bab",
"level": "critical",
"subcategory_guids": [],
"title": "Antivirus Password Dumper Detection"
},
{
"channel": [
"Microsoft-Windows-CAPI2/Operational"
],
"event_ids": [
"70"
],
"id": "dadaca47-d760-88a9-fd35-cbe8a6237499",
"level": "medium",
"subcategory_guids": [],
"title": "Certificate Private Key Acquired"
},
{
"channel": [
"DNS Server"
],
"event_ids": [
"6004"
],
"id": "04768e11-3acf-895f-9193-daae77c4678f",
"level": "medium",
"subcategory_guids": [],
"title": "Failed DNS Zone Transfer"
},
{
"channel": [
"DNS Server"
],
"event_ids": [
"770",
"771",
"150"
],
"id": "40077f9e-f597-1087-0c4f-8901d1a07af4",
"level": "high",
"subcategory_guids": [],
"title": "DNS Server Error Failed Loading the ServerLevelPluginDLL"
},
{
"channel": [
"sec"
],
"event_ids": [
"5136"
],
"id": "8bcf1772-4335-28e1-e320-5ce48b15ae9f",
"level": "high",
"subcategory_guids": [
"0CCE923C-69AE-11D9-BED3-505054503030"
],
"title": "Possible Shadow Credentials Added"
},
{
"channel": [
"sec"
],
"event_ids": [
"4720",
"4781"
],
"id": "ec77919c-1169-6640-23e7-91c6f27ddc91",
"level": "medium",
"subcategory_guids": [
"0CCE9235-69AE-11D9-BED3-505054503030"
],
"title": "New or Renamed User Account with '$' Character"
},
{
"channel": [
"sec"
],
"event_ids": [
"4732"
],
"id": "6695d6a2-9365-ee87-ccdd-966b0e1cdbd4",
"level": "medium",
"subcategory_guids": [
"0CCE9237-69AE-11D9-BED3-505054503030"
],
"title": "User Added to Local Administrator Group"
},
{
"channel": [
"sec"
],
"event_ids": [
"4720"
],
"id": "23013005-3d59-4dbe-dabd-d17a54e6c6cf",
"level": "high",
"subcategory_guids": [
"0CCE9235-69AE-11D9-BED3-505054503030"
],
"title": "Hidden Local User Creation"
},
{
"channel": [
"sec"
],
"event_ids": [
"4663"
],
"id": "d1909400-93d7-de3c-ba13-153c64499c7c",
"level": "low",
"subcategory_guids": [
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Service Registry Key Read Access Request"
},
{
"channel": [
"sec"
],
"event_ids": [
"4662"
],
"id": "5c8e2537-5c7f-56d8-de80-1f0746b61067",
"level": "critical",
"subcategory_guids": [
"0CCE923B-69AE-11D9-BED3-505054503030"
],
"title": "Active Directory Replication from Non Machine Account"
},
{
"channel": [
"sec"
],
"event_ids": [
"4656",
"4663"
],
"id": "777523b0-14f8-1ca2-12c9-d668153661ff",
"level": "medium",
"subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
],
"title": "Windows Defender Exclusion Registry Key - Write Access Requested"
},
{
"channel": [
"sec"
],
"event_ids": [
"4663",
"4656"
],
"id": "63308dbe-54a4-9c70-cc90-6d15e10f3505",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
],
"title": "SysKey Registry Keys Access"
},
{
"channel": [
"sec"
],
"event_ids": [
"4649"
],
"id": "167784ae-8d7f-ca00-e9d9-586a4c8469e8",
"level": "high",
"subcategory_guids": [
"0CCE921C-69AE-11D9-BED3-505054503030"
],
"title": "Replay Attack Detected"
},
{
"channel": [
"sec"
],
"event_ids": [
"4697"
],
"id": "85e291ec-b85b-2553-1aba-03c9ad116b61",
"level": "medium",
"subcategory_guids": [
"0CCE9211-69AE-11D9-BED3-505054503030"
],
"title": "Remote Access Tool Services Have Been Installed - Security"
},
{
"channel": [
"sec"
],
"event_ids": [
"4800"
],
"id": "c4d03743-7286-15e4-d317-c86d1b5fdc09",
"level": "informational",
"subcategory_guids": [
"0CCE921C-69AE-11D9-BED3-505054503030"
],
"title": "Locked Workstation"
},
{
"channel": [
"sec"
],
"event_ids": [
"4624"
],
"id": "96896e3a-28de-da11-c7fd-0040868e3a2f",
"level": "high",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Potential Privilege Escalation via Local Kerberos Relay over LDAP"
},
{
"channel": [
"sec"
],
"event_ids": [
"4624"
],
"id": "dd648614-9dd8-fab8-92d6-be7dfa1b393c",
"level": "critical",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "DiagTrackEoP Default Login Username"
},
{
"channel": [
"sec"
],
"event_ids": [
"4624"
],
"id": "b3f33f69-1331-d3d0-eb62-81f477abad86",
"level": "high",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "RDP Login from Localhost"
},
{
"channel": [
"sec"
],
"event_ids": [
"4730",
"634"
],
"id": "ae7d8d1c-f75b-d952-e84e-a7981b861590",
"level": "low",
"subcategory_guids": [
"0CCE9237-69AE-11D9-BED3-505054503030"
],
"title": "A Security-Enabled Global Group Was Deleted"
},
{
"channel": [
"sec"
],
"event_ids": [
"4624"
],
"id": "5c67a566-7829-eb05-4a1f-0eb292ef993f",
"level": "high",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "External Remote SMB Logon from Public IP"
},
{
"channel": [
"sec"
],
"event_ids": [
"4624"
],
"id": "a1f9fad3-d563-5f3f-de09-e4ca03b97522",
"level": "high",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "RottenPotato Like Attack Pattern"
},
{
"channel": [
"sec"
],
"event_ids": [
"4624"
],
"id": "897e25ba-f935-3fd3-c6d5-f9abf379e831",
"level": "low",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Outgoing Logon with New Credentials"
},
{
"channel": [
"sec"
],
"event_ids": [
"4625"
],
"id": "232ecd79-c09d-1323-8e7e-14322b766855",
"level": "high",
"subcategory_guids": [
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Scanner PoC for CVE-2019-0708 RDP RCE Vuln"
},
{
"channel": [
"sec"
],
"event_ids": [
"4624"
],
"id": "56a1bb6f-e039-3f65-3ea0-de425cefa8a7",
"level": "medium",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "External Remote RDP Logon from Public IP"
},
{
"channel": [
"sec"
],
"event_ids": [
"4625"
],
"id": "6bcac9cb-eeee-9f45-c5c1-0daaf023ac12",
"level": "medium",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030"
],
"title": "Failed Logon From Public IP"
},
{
"channel": [
"sec"
],
"event_ids": [
"4624"
],
"id": "c310cab1-252e-1d98-6b6f-e6e60c88a374",
"level": "low",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Successful Account Login Via WMI"
},
{
"channel": [
"sec"
],
"event_ids": [
"4624"
],
"id": "059e7255-411c-1666-a2e5-2e99e294e614",
"level": "medium",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Pass the Hash Activity 2"
},
{
"channel": [
"sec"
],
"event_ids": [
"4729",
"633"
],
"id": "6e0f860b-3678-7396-a4a3-7cf55f7bb01c",
"level": "low",
"subcategory_guids": [
"0CCE9237-69AE-11D9-BED3-505054503030"
],
"title": "A Member Was Removed From a Security-Enabled Global Group"
},
{
"channel": [
"sec"
],
"event_ids": [
"4624"
],
"id": "e8c130a4-cf04-543d-919b-76947bde76b8",
"level": "medium",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Potential Access Token Abuse"
},
{
"channel": [
"sec"
],
"event_ids": [
"632",
"4728"
],
"id": "26767093-828c-2f39-bdd8-d0439e87307c",
"level": "low",
"subcategory_guids": [
"0CCE9237-69AE-11D9-BED3-505054503030"
],
"title": "A Member Was Added to a Security-Enabled Global Group"
},
{
"channel": [
"sec"
],
"event_ids": [
"4624"
],
"id": "20f4e87b-c272-42da-9a1f-ad54206e3622",
"level": "high",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Successful Overpass the Hash Attempt"
},
{
"channel": [
"sec"
],
"event_ids": [
"4624"
],
"id": "de5d0dd7-b73e-7f18-02b0-6b1acb7e9f52",
"level": "low",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Admin User Remote Logon"
},
{
"channel": [
"sec"
],
"event_ids": [
"4697"
],
"id": "e2755f38-e817-94c0-afef-acff29676b43",
"level": "high",
"subcategory_guids": [
"0CCE9211-69AE-11D9-BED3-505054503030"
],
"title": "Meterpreter or Cobalt Strike Getsystem Service Installation - Security"
},
{
"channel": [
"sec"
],
"event_ids": [
"4625",
"4624",
"4776"
],
"id": "827aa6c1-1507-3f0a-385a-ade5251bfd71",
"level": "high",
"subcategory_guids": [
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE923F-69AE-11D9-BED3-505054503030"
],
"title": "Metasploit SMB Authentication"
},
{
"channel": [
"sec"
],
"event_ids": [
"5145"
],
"id": "9a0e08fc-d50e-2539-9da0-f2b04439c414",
"level": "medium",
"subcategory_guids": [
"0CCE9244-69AE-11D9-BED3-505054503030"
],
"title": "Remote Service Activity via SVCCTL Named Pipe"
},
{
"channel": [
"sec"
],
"event_ids": [
"5136",
"5145"
],
"id": "01628b51-85e1-4088-9432-a11cba9f3ebd",
"level": "high",
"subcategory_guids": [
"0CCE923C-69AE-11D9-BED3-505054503030",
"0CCE9244-69AE-11D9-BED3-505054503030"
],
"title": "Persistence and Execution at Scale via GPO Scheduled Task"
},
{
"channel": [
"sec"
],
"event_ids": [
"4663"
],
"id": "04a055ea-ffa9-540b-e1d2-d5c1bfd5bc7b",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Teams Application Related ObjectAcess Event"
},
{
"channel": [
"sec"
],
"event_ids": [
"4697"
],
"id": "15284efb-90de-5675-59c5-433d34675e8e",
"level": "low",
"subcategory_guids": [
"0CCE9211-69AE-11D9-BED3-505054503030"
],
"title": "Tap Driver Installation - Security"
},
{
"channel": [
"sec"
],
"event_ids": [
"4616"
],
"id": "1085e6d3-6691-5713-42ba-ba8933a6b2d0",
"level": "low",
"subcategory_guids": [
"0CCE9210-69AE-11D9-BED3-505054503030",
"69979849-797A-11D9-BED3-505054503030"
],
"title": "Unauthorized System Time Modification"
},
{
"channel": [
"sec"
],
"event_ids": [
"5145"
],
"id": "192d9d70-11ad-70e5-9d6c-d32a1ec74857",
"level": "medium",
"subcategory_guids": [
"0CCE9244-69AE-11D9-BED3-505054503030"
],
"title": "Windows Network Access Suspicious desktop.ini Action"
},
{
"channel": [
"sec"
],
"event_ids": [
"5145"
],
"id": "37f5d188-182d-7a53-dca7-4bebbb6ce43e",
"level": "high",
"subcategory_guids": [
"0CCE9244-69AE-11D9-BED3-505054503030"
],
"title": "SMB Create Remote File Admin Share"
},
{
"channel": [
"sec"
],
"event_ids": [
"4697"
],
"id": "660a0229-700e-8e43-40c7-fafe60c29491",
"level": "high",
"subcategory_guids": [
"0CCE9211-69AE-11D9-BED3-505054503030"
],
"title": "Invoke-Obfuscation CLIP+ Launcher - Security"
},
{
"channel": [
"sec"
],
"event_ids": [
"4743",
"4741"
],
"id": "b607775d-e3fe-3fb8-c40e-4e52b3fbe44d",
"level": "low",
"subcategory_guids": [
"0CCE9236-69AE-11D9-BED3-505054503030"
],
"title": "Add or Remove Computer from DC"
},
{
"channel": [
"sec"
],
"event_ids": [
"5145"
],
"id": "f252afa3-fe83-562c-01c0-1334f55af84c",
"level": "high",
"subcategory_guids": [
"0CCE9244-69AE-11D9-BED3-505054503030"
],
"title": "T1047 Wmiprvse Wbemcomn DLL Hijack"
},
{
"channel": [
"sec"
],
"event_ids": [
"4663",
"4656"
],
"id": "de10da38-ee60-f6a4-7d70-4d308558158b",
"level": "critical",
"subcategory_guids": [
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030"
],
"title": "WCE wceaux.dll Access"
},
{
"channel": [
"sec"
],
"event_ids": [
"4697"
],
"id": "89d88072-7a24-8218-a044-0c071bf36bf6",
"level": "high",
"subcategory_guids": [
"0CCE9211-69AE-11D9-BED3-505054503030"
],
"title": "Invoke-Obfuscation Via Use Rundll32 - Security"
},
{
"channel": [
"sec"
],
"event_ids": [
"4662"
],
"id": "c42c534d-16ae-877f-0722-6d6914090855",
"level": "high",
"subcategory_guids": [
"0CCE923B-69AE-11D9-BED3-505054503030"
],
"title": "DPAPI Domain Backup Key Extraction"
},
{
"channel": [
"sec"
],
"event_ids": [
"4611"
],
"id": "a5498e1f-e40d-d8b1-bceb-5931f5169dbd",
"level": "high",
"subcategory_guids": [
"0CCE9211-69AE-11D9-BED3-505054503030"
],
"title": "Register new Logon Process by Rubeus"
},
{
"channel": [
"sec"
],
"event_ids": [
"4656",
"4663"
],
"id": "321196fe-fb10-6b13-c611-3dfe40baa1af",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
],
"title": "Azure AD Health Monitoring Agent Registry Keys Access"
},
{
"channel": [
"sec"
],
"event_ids": [
"4697"
],
"id": "9ab29a5b-d66d-a41e-bdaf-8c718011875c",
"level": "high",
"subcategory_guids": [
"0CCE9211-69AE-11D9-BED3-505054503030"
],
"title": "Invoke-Obfuscation Obfuscated IEX Invocation - Security"
},
{
"channel": [
"sec"
],
"event_ids": [
"4662"
],
"id": "09c08048-5eab-303f-dfe3-706a6052b6f9",
"level": "critical",
"subcategory_guids": [
"0CCE923B-69AE-11D9-BED3-505054503030"
],
"title": "AD Object WriteDAC Access"
},
{
"channel": [
"sec"
],
"event_ids": [
"4825"
],
"id": "c0c9db9a-0a47-c9fd-13fd-965eadb10a6f",
"level": "medium",
"subcategory_guids": [],
"title": "Denied Access To Remote Desktop"
},
{
"channel": [
"sec"
],
"event_ids": [
"5145"
],
"id": "85e72fe3-83af-8ed9-39d3-2883e46059f1",
"level": "high",
"subcategory_guids": [
"0CCE9244-69AE-11D9-BED3-505054503030"
],
"title": "DCOM InternetExplorer.Application Iertutil DLL Hijack - Security"
},
{
"channel": [
"sec"
],
"event_ids": [
"4656"
],
"id": "474caaa9-3115-c838-1509-59ffb6caecfc",
"level": "medium",
"subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
],
"title": "SCM Database Handle Failure"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "8948f034-2d45-47bc-c04b-14ab124247f3",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Windows Defender Exclusion List Modified"
},
{
"channel": [
"sec"
],
"event_ids": [
"4698"
],
"id": "cd7d9f05-3bf6-21f6-6686-e602ab6d72ba",
"level": "high",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030",
"0CCE9227-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Scheduled Task Creation"
},
{
"channel": [
"sec"
],
"event_ids": [
"4656"
],
"id": "d81faa44-ff28-8f61-097b-92727b8af44b",
"level": "high",
"subcategory_guids": [
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030"
],
"title": "Password Dumper Activity on LSASS"
},
{
"channel": [
"sec"
],
"event_ids": [
"4656",
"4663"
],
"id": "c7f94c63-6fb7-9686-e2c2-2298c9f56ca9",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030"
],
"title": "Potentially Suspicious AccessMask Requested From LSASS"
},
{
"channel": [
"sec"
],
"event_ids": [
"4662"
],
"id": "daad2203-665f-294c-6d2f-f9272c3214f2",
"level": "high",
"subcategory_guids": [
"0CCE923B-69AE-11D9-BED3-505054503030"
],
"title": "Mimikatz DC Sync"
},
{
"channel": [
"sec"
],
"event_ids": [
"5136"
],
"id": "6e3066ef-54e1-9d1b-5bc6-9ae6947ae271",
"level": "medium",
"subcategory_guids": [
"0CCE923C-69AE-11D9-BED3-505054503030"
],
"title": "Group Policy Abuse for Privilege Addition"
},
{
"channel": [
"sec"
],
"event_ids": [
"4697"
],
"id": "1b037a84-214e-b58a-53ae-949542063f1f",
"level": "high",
"subcategory_guids": [
"0CCE9211-69AE-11D9-BED3-505054503030"
],
"title": "Metasploit Or Impacket Service Installation Via SMB PsExec"
},
{
"channel": [
"sec"
],
"event_ids": [
"4706"
],
"id": "5a3e5a2f-bdf8-d6d0-f439-5543b54d5ba5",
"level": "medium",
"subcategory_guids": [
"0CCE9230-69AE-11D9-BED3-505054503030"
],
"title": "A New Trust Was Created To A Domain"
},
{
"channel": [
"sec"
],
"event_ids": [
"4662"
],
"id": "ec2275df-3a0a-933f-0573-490938cc47ef",
"level": "medium",
"subcategory_guids": [
"0CCE923B-69AE-11D9-BED3-505054503030"
],
"title": "WMI Persistence - Security"
},
{
"channel": [
"sec"
],
"event_ids": [
"5145"
],
"id": "d415c82b-814d-5cdc-c2f2-a138115b878e",
"level": "medium",
"subcategory_guids": [
"0CCE9244-69AE-11D9-BED3-505054503030"
],
"title": "DCERPC SMB Spoolss Named Pipe"
},
{
"channel": [
"sec"
],
"event_ids": [],
"id": "2875c85a-58eb-ca3b-80a3-4cdd8ffa41a8",
"level": "critical",
"subcategory_guids": [],
"title": "Win Susp Computer Name Containing Samtheadmin"
},
{
"channel": [
"sec"
],
"event_ids": [
"4719"
],
"id": "83d7b3c2-220e-60e8-4aad-98e206e841ba",
"level": "low",
"subcategory_guids": [
"0CCE922F-69AE-11D9-BED3-505054503030"
],
"title": "Windows Event Auditing Disabled"
},
{
"channel": [
"sec"
],
"event_ids": [
"5379"
],
"id": "77366099-d04a-214d-365c-c62c537df3ba",
"level": "high",
"subcategory_guids": [],
"title": "Password Protected ZIP File Opened (Email Attachment)"
},
{
"channel": [
"sec"
],
"event_ids": [
"517",
"1102"
],
"id": "9b14c9d8-6b61-e49f-f8a8-0836d0ad98c9",
"level": "high",
"subcategory_guids": [],
"title": "Security Eventlog Cleared"
},
{
"channel": [
"sec"
],
"event_ids": [
"4697"
],
"id": "d0c8e98d-0746-a43c-9170-c04e7f7a3867",
"level": "medium",
"subcategory_guids": [
"0CCE9211-69AE-11D9-BED3-505054503030"
],
"title": "Invoke-Obfuscation COMPRESS OBFUSCATION - Security"
},
{
"channel": [
"sec"
],
"event_ids": [
"4899",
"4898"
],
"id": "aa2d5bf7-bc73-068e-a4df-a887cc3aba2b",
"level": "high",
"subcategory_guids": [
"0CCE9221-69AE-11D9-BED3-505054503030"
],
"title": "ADCS Certificate Template Configuration Vulnerability with Risky EKU"
},
{
"channel": [
"sec"
],
"event_ids": [
"4673"
],
"id": "a25c0c49-11f8-ace9-6bbd-80cfa6e2b2d7",
"level": "medium",
"subcategory_guids": [
"0CCE9228-69AE-11D9-BED3-505054503030",
"0CCE9229-69AE-11D9-BED3-505054503030"
],
"title": "Potential Privileged System Service Operation - SeLoadDriverPrivilege"
},
{
"channel": [
"sec"
],
"event_ids": [
"5136"
],
"id": "925d441a-37b4-0afa-1d98-809b5df5fd06",
"level": "high",
"subcategory_guids": [
"0CCE923C-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious LDAP-Attributes Used"
},
{
"channel": [
"sec"
],
"event_ids": [
"4719"
],
"id": "5fa54162-0bc4-710e-5dec-7ccc99ee4d52",
"level": "high",
"subcategory_guids": [
"0CCE922F-69AE-11D9-BED3-505054503030"
],
"title": "Important Windows Event Auditing Disabled"
},
{
"channel": [
"sec"
],
"event_ids": [
"4656",
"4657",
"4663"
],
"id": "32337bc9-8e75-bdaf-eaf4-d3b19ee08a67",
"level": "medium",
"subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
],
"title": "Processes Accessing the Microphone and Webcam"
},
{
"channel": [
"sec"
],
"event_ids": [
"5145"
],
"id": "7695295d-281f-23ce-d52e-8336ebd47532",
"level": "high",
"subcategory_guids": [
"0CCE9244-69AE-11D9-BED3-505054503030"
],
"title": "Protected Storage Service Access"
},
{
"channel": [
"sec"
],
"event_ids": [
"5038",
"6281"
],
"id": "4f738466-2a14-5842-1eb3-481614770a49",
"level": "informational",
"subcategory_guids": [
"0CCE9212-69AE-11D9-BED3-505054503030"
],
"title": "Failed Code Integrity Checks"
},
{
"channel": [
"sec"
],
"event_ids": [
"4661"
],
"id": "9bcf333e-fc4c-5912-eeba-8a0cefe21be4",
"level": "medium",
"subcategory_guids": [
"0CCE9220-69AE-11D9-BED3-505054503030",
"0CCE923B-69AE-11D9-BED3-505054503030"
],
"title": "Password Policy Enumerated"
},
{
"channel": [
"sec"
],
"event_ids": [
"4697"
],
"id": "54f9b4d2-3f4a-675f-58d6-9995ae58f988",
"level": "high",
"subcategory_guids": [
"0CCE9211-69AE-11D9-BED3-505054503030"
],
"title": "HybridConnectionManager Service Installation"
},
{
"channel": [
"sec"
],
"event_ids": [
"5156"
],
"id": "cc1d9970-7c17-d738-f5cb-8fb12f02d0fd",
"level": "high",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Remote PowerShell Sessions Network Connections (WinRM)"
},
{
"channel": [
"sec"
],
"event_ids": [
"4625",
"4624",
"4776"
],
"id": "8b40829b-4556-9bec-a8ad-905688497639",
"level": "high",
"subcategory_guids": [
"0CCE923F-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030"
],
"title": "Hacktool Ruler"
},
{
"channel": [
"sec"
],
"event_ids": [
"4625",
"4776"
],
"id": "655eb351-553b-501f-186e-aa9af13ecf43",
"level": "medium",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE923F-69AE-11D9-BED3-505054503030"
],
"title": "Account Tampering - Suspicious Failed Logon Reasons"
},
{
"channel": [
"sec"
],
"event_ids": [
"5145"
],
"id": "bcc12e55-1578-5174-2a47-98a6211a1c6c",
"level": "high",
"subcategory_guids": [
"0CCE9244-69AE-11D9-BED3-505054503030"
],
"title": "Possible PetitPotam Coerce Authentication Attempt"
},
{
"channel": [
"sec"
],
"event_ids": [
"4720"
],
"id": "e5c627ea-fa27-df99-0573-e47092dc4a98",
"level": "high",
"subcategory_guids": [
"0CCE9235-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Windows ANONYMOUS LOGON Local Account Created"
},
{
"channel": [
"sec"
],
"event_ids": [
"4899",
"4898"
],
"id": "3a655a7c-a830-77ad-fc8b-f054fb713304",
"level": "low",
"subcategory_guids": [
"0CCE9221-69AE-11D9-BED3-505054503030"
],
"title": "ADCS Certificate Template Configuration Vulnerability"
},
{
"channel": [
"sec"
],
"event_ids": [
"4697"
],
"id": "fbc9679a-a1f8-33c7-5a85-c6e7a3c2363f",
"level": "high",
"subcategory_guids": [
"0CCE9211-69AE-11D9-BED3-505054503030"
],
"title": "Invoke-Obfuscation VAR+ Launcher - Security"
},
{
"channel": [
"sec"
],
"event_ids": [
"5145"
],
"id": "24e370e0-b9f0-5851-0261-f984742ff2a1",
"level": "high",
"subcategory_guids": [
"0CCE9244-69AE-11D9-BED3-505054503030"
],
"title": "Impacket PsExec Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4648"
],
"id": "250cf413-1d30-38fd-4b41-ae5a92452700",
"level": "medium",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Remote Logon with Explicit Credentials"
},
{
"channel": [
"sec"
],
"event_ids": [
"5145"
],
"id": "93fd0f77-62da-26fb-3e96-71cde45a9680",
"level": "medium",
"subcategory_guids": [
"0CCE9244-69AE-11D9-BED3-505054503030"
],
"title": "Remote Task Creation via ATSVC Named Pipe"
},
{
"channel": [
"sec"
],
"event_ids": [
"4663"
],
"id": "4faa08cb-e57e-bb07-cfc2-2153a97a99bf",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030"
],
"title": "ISO Image Mounted"
},
{
"channel": [
"sec"
],
"event_ids": [
"4697"
],
"id": "b073cf4b-ed38-0a6f-38d3-50997892d7e7",
"level": "high",
"subcategory_guids": [
"0CCE9211-69AE-11D9-BED3-505054503030"
],
"title": "Invoke-Obfuscation Via Stdin - Security"
},
{
"channel": [
"sec"
],
"event_ids": [
"4769"
],
"id": "2d20edf4-6141-35c5-e54f-3c578082d1d3",
"level": "medium",
"subcategory_guids": [
"0CCE9240-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Kerberos RC4 Ticket Encryption"
},
{
"channel": [
"sec"
],
"event_ids": [
"4661"
],
"id": "5ac4b7f8-9412-f919-220c-aa8a1867b1ef",
"level": "high",
"subcategory_guids": [
"0CCE923B-69AE-11D9-BED3-505054503030",
"0CCE9220-69AE-11D9-BED3-505054503030"
],
"title": "Reconnaissance Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4697"
],
"id": "8c3523c1-357b-5653-335a-9db3ecfcbc2a",
"level": "high",
"subcategory_guids": [
"0CCE9211-69AE-11D9-BED3-505054503030"
],
"title": "PowerShell Scripts Installed as Services - Security"
},
{
"channel": [
"sec"
],
"event_ids": [
"4697"
],
"id": "df47c51b-2738-8866-a1d7-86b96fb5b5ca",
"level": "high",
"subcategory_guids": [
"0CCE9211-69AE-11D9-BED3-505054503030"
],
"title": "Service Installed By Unusual Client - Security"
},
{
"channel": [
"sec"
],
"event_ids": [
"5145"
],
"id": "308a3356-4624-7c95-24df-cf5a02e5eb56",
"level": "high",
"subcategory_guids": [
"0CCE9244-69AE-11D9-BED3-505054503030"
],
"title": "First Time Seen Remote Named Pipe"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "107a403c-5a05-2568-95a7-a7329d714440",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "ETW Logging Disabled In .NET Processes - Registry"
},
{
"channel": [
"sec"
],
"event_ids": [
"5145"
],
"id": "426009da-814c-c1c0-cf41-6631c9ff6a8e",
"level": "high",
"subcategory_guids": [
"0CCE9244-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious PsExec Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4656"
],
"id": "d7742b08-730d-3624-df95-cc3c6eaa3a39",
"level": "high",
"subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
],
"title": "SAM Registry Hive Handle Request"
},
{
"channel": [
"sec"
],
"event_ids": [
"4697"
],
"id": "eb15263a-80e1-a789-18a9-ec45f9a6edfc",
"level": "high",
"subcategory_guids": [
"0CCE9211-69AE-11D9-BED3-505054503030"
],
"title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security"
},
{
"channel": [
"sec"
],
"event_ids": [
"5136"
],
"id": "e92d7fea-4127-4b6c-a889-3f0b89f7b567",
"level": "high",
"subcategory_guids": [
"0CCE923C-69AE-11D9-BED3-505054503030"
],
"title": "Powerview Add-DomainObjectAcl DCSync AD Extend Right"
},
{
"channel": [
"sec"
],
"event_ids": [
"5157"
],
"id": "764518e5-4160-b679-1946-cbd0e76705da",
"level": "high",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Windows Filtering Platform Blocked Connection From EDR Agent Binary"
},
{
"channel": [
"sec"
],
"event_ids": [
"4769"
],
"id": "4386b4e0-f268-42a6-b91d-e3bb768976d6",
"level": "medium",
"subcategory_guids": [
"0CCE9240-69AE-11D9-BED3-505054503030"
],
"title": "Kerberoasting Activity - Initial Query"
},
{
"channel": [
"sec"
],
"event_ids": [
"4720"
],
"id": "5ecd226b-563f-4723-7a1e-d637d81f0a1f",
"level": "low",
"subcategory_guids": [
"0CCE9235-69AE-11D9-BED3-505054503030"
],
"title": "Local User Creation"
},
{
"channel": [
"sec"
],
"event_ids": [
"4769",
"4768",
"675",
"4771"
],
"id": "978525c2-97aa-f0e4-8c11-3cf81ea3379b",
"level": "high",
"subcategory_guids": [
"0CCE9240-69AE-11D9-BED3-505054503030",
"0CCE9242-69AE-11D9-BED3-505054503030"
],
"title": "Kerberos Manipulation"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "68f0908b-8434-9199-f0a3-350c27ac97c4",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "NetNTLM Downgrade Attack"
},
{
"channel": [
"sec"
],
"event_ids": [
"6416"
],
"id": "eab514f7-3f9b-a705-4d1d-8fee3d81c4b5",
"level": "low",
"subcategory_guids": [
"0CCE9248-69AE-11D9-BED3-505054503030"
],
"title": "External Disk Drive Or USB Storage Device Was Recognized By The System"
},
{
"channel": [
"sec"
],
"event_ids": [
"5379"
],
"id": "586bcb8e-f698-f372-54cf-ff08727352e7",
"level": "high",
"subcategory_guids": [],
"title": "Password Protected ZIP File Opened (Suspicious Filenames)"
},
{
"channel": [
"sec"
],
"event_ids": [
"5136",
"5145"
],
"id": "bc613d09-5a80-cad3-6f65-c5020f960511",
"level": "medium",
"subcategory_guids": [
"0CCE9244-69AE-11D9-BED3-505054503030",
"0CCE923C-69AE-11D9-BED3-505054503030"
],
"title": "Startup/Logon Script Added to Group Policy Object"
},
{
"channel": [
"sec"
],
"event_ids": [
"4765",
"4766",
"4738"
],
"id": "5335aea0-f1b4-e120-08b6-c80fe4bf99ad",
"level": "medium",
"subcategory_guids": [
"0CCE9235-69AE-11D9-BED3-505054503030"
],
"title": "Addition of SID History to Active Directory Object"
},
{
"channel": [
"sec"
],
"event_ids": [
"4697"
],
"id": "3ae69c7e-e865-c0e2-05b7-553ab8979ac0",
"level": "high",
"subcategory_guids": [
"0CCE9211-69AE-11D9-BED3-505054503030"
],
"title": "Invoke-Obfuscation STDIN+ Launcher - Security"
},
{
"channel": [
"sec"
],
"event_ids": [
"4697"
],
"id": "633bd649-4b18-b5bd-d923-07caeccd1ee0",
"level": "high",
"subcategory_guids": [
"0CCE9211-69AE-11D9-BED3-505054503030"
],
"title": "Credential Dumping Tools Service Execution - Security"
},
{
"channel": [
"sec"
],
"event_ids": [
"5379"
],
"id": "7e1daab0-3263-403e-ec26-de48e3bf22c3",
"level": "medium",
"subcategory_guids": [],
"title": "Password Protected ZIP File Opened"
},
{
"channel": [
"sec"
],
"event_ids": [
"4738",
"5136"
],
"id": "c9123898-04d5-2d3b-5e2b-7c0c92111480",
"level": "high",
"subcategory_guids": [
"0CCE923C-69AE-11D9-BED3-505054503030",
"0CCE9235-69AE-11D9-BED3-505054503030"
],
"title": "Active Directory User Backdoors"
},
{
"channel": [
"sec"
],
"event_ids": [
"4634",
"4647"
],
"id": "73f64ce7-a76d-0208-ea75-dd26a09d719b",
"level": "informational",
"subcategory_guids": [
"0CCE9216-69AE-11D9-BED3-505054503030"
],
"title": "User Logoff Event"
},
{
"channel": [
"sec"
],
"event_ids": [
"4656",
"4663",
"4658"
],
"id": "70c3269a-a7f2-49bd-1e28-a0921f353db7",
"level": "medium",
"subcategory_guids": [
"0CCE9223-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030"
],
"title": "Potential Secure Deletion with SDelete"
},
{
"channel": [
"sec"
],
"event_ids": [
"4904",
"4905"
],
"id": "00f253a0-1035-e450-7f6e-e2291dee27ec",
"level": "informational",
"subcategory_guids": [
"0CCE922F-69AE-11D9-BED3-505054503030"
],
"title": "VSSAudit Security Event Source Registration"
},
{
"channel": [
"sec"
],
"event_ids": [
"4661"
],
"id": "93c95eee-748a-e1db-18a5-f40035167086",
"level": "high",
"subcategory_guids": [
"0CCE923B-69AE-11D9-BED3-505054503030",
"0CCE9220-69AE-11D9-BED3-505054503030"
],
"title": "AD Privileged Users or Groups Reconnaissance"
},
{
"channel": [
"sec"
],
"event_ids": [
"4738"
],
"id": "2ea71437-cb4d-5a41-2431-1773fce76de8",
"level": "high",
"subcategory_guids": [
"0CCE9235-69AE-11D9-BED3-505054503030"
],
"title": "Weak Encryption Enabled and Kerberoast"
},
{
"channel": [
"sec"
],
"event_ids": [
"4673"
],
"id": "cd93b6ed-961d-ed36-92db-bd44bccda695",
"level": "high",
"subcategory_guids": [
"0CCE9228-69AE-11D9-BED3-505054503030",
"0CCE9229-69AE-11D9-BED3-505054503030"
],
"title": "User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'"
},
{
"channel": [
"sec"
],
"event_ids": [
"4656",
"4663"
],
"id": "763d50d7-9452-0146-18a1-9ca65e3a2f73",
"level": "medium",
"subcategory_guids": [
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030"
],
"title": "Azure AD Health Service Agents Registry Keys Access"
},
{
"channel": [
"sec"
],
"event_ids": [
"5447",
"5449"
],
"id": "22d4af9f-97d9-4827-7209-c451ff7f43c6",
"level": "high",
"subcategory_guids": [
"0CCE9233-69AE-11D9-BED3-505054503030",
"0CCE9234-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - NoFilter Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"5447",
"5441"
],
"id": "4d56e133-40b5-5b28-07b5-bab0913fc338",
"level": "high",
"subcategory_guids": [
"0CCE9233-69AE-11D9-BED3-505054503030",
"0CCE9234-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - EDRSilencer Execution - Filter Added"
},
{
"channel": [
"sec"
],
"event_ids": [
"5145"
],
"id": "73d3720b-e4f3-d7e1-2a3f-8ca0a5e1fc1b",
"level": "medium",
"subcategory_guids": [
"0CCE9244-69AE-11D9-BED3-505054503030"
],
"title": "Transferring Files with Credential Data via Network Shares"
},
{
"channel": [
"sec"
],
"event_ids": [
"5156"
],
"id": "810804a5-98c3-7e56-e8ed-8a95d72ad829",
"level": "high",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "RDP over Reverse SSH Tunnel WFP"
},
{
"channel": [
"sec"
],
"event_ids": [
"4794"
],
"id": "4592ea29-1b0e-0cc3-7735-b7f264c0a5b8",
"level": "high",
"subcategory_guids": [
"0CCE9235-69AE-11D9-BED3-505054503030"
],
"title": "Password Change on Directory Service Restore Mode (DSRM) Account"
},
{
"channel": [
"sec"
],
"event_ids": [
"4674"
],
"id": "ec9c7ea2-54d7-3a55-caa8-4741f099505a",
"level": "medium",
"subcategory_guids": [
"0CCE9229-69AE-11D9-BED3-505054503030"
],
"title": "SCM Database Privileged Operation"
},
{
"channel": [
"sec"
],
"event_ids": [
"5145"
],
"id": "677980bc-7dcc-1f9a-e161-a7f310ec9652",
"level": "high",
"subcategory_guids": [
"0CCE9244-69AE-11D9-BED3-505054503030"
],
"title": "Possible Impacket SecretDump Remote Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4656",
"4663"
],
"id": "06b8bcc0-326b-518a-3868-fe0721488fb8",
"level": "medium",
"subcategory_guids": [
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "LSASS Access From Non System Account"
},
{
"channel": [
"sec"
],
"event_ids": [
"6423"
],
"id": "53f7ff98-38dd-f02c-0658-1debbf8deddc",
"level": "medium",
"subcategory_guids": [
"0CCE9248-69AE-11D9-BED3-505054503030"
],
"title": "Device Installation Blocked"
},
{
"channel": [
"sec"
],
"event_ids": [
"5145"
],
"id": "4af39497-9655-9586-817d-94f0df38913f",
"level": "medium",
"subcategory_guids": [
"0CCE9244-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Access to Sensitive File Extensions"
},
{
"channel": [
"sec"
],
"event_ids": [
"4704"
],
"id": "eaafcd7e-3303-38d1-9cff-fcfbae177f4d",
"level": "high",
"subcategory_guids": [
"0CCE9231-69AE-11D9-BED3-505054503030"
],
"title": "Enabled User Right in AD to Control User Objects"
},
{
"channel": [
"sec"
],
"event_ids": [
"4697"
],
"id": "8ec23dfa-00a7-2b09-1756-678e941d69b2",
"level": "high",
"subcategory_guids": [
"0CCE9211-69AE-11D9-BED3-505054503030"
],
"title": "Invoke-Obfuscation Via Use Clip - Security"
},
{
"channel": [
"sec"
],
"event_ids": [
"5136",
"4742"
],
"id": "c800ccd5-5818-b0f5-1a12-f9c8bc24a433",
"level": "medium",
"subcategory_guids": [
"0CCE923C-69AE-11D9-BED3-505054503030",
"0CCE9236-69AE-11D9-BED3-505054503030"
],
"title": "Possible DC Shadow Attack"
},
{
"channel": [
"sec"
],
"event_ids": [
"5156"
],
"id": "1ee90f6c-2d09-5bcf-b8fd-06fe14f86746",
"level": "medium",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Uncommon Outbound Kerberos Connection - Security"
},
{
"channel": [
"sec"
],
"event_ids": [
"4768"
],
"id": "cd01c787-aad1-bbed-5842-aa8e58410aad",
"level": "high",
"subcategory_guids": [
"0CCE9242-69AE-11D9-BED3-505054503030"
],
"title": "PetitPotam Suspicious Kerberos TGT Request"
},
{
"channel": [
"sec"
],
"event_ids": [
"5140"
],
"id": "37b219bc-37bb-1261-f179-64307c1a1829",
"level": "low",
"subcategory_guids": [
"0CCE9224-69AE-11D9-BED3-505054503030"
],
"title": "Access To ADMIN$ Network Share"
},
{
"channel": [
"sec"
],
"event_ids": [
"4697"
],
"id": "566fa294-85f7-af27-80c7-753d9941729b",
"level": "medium",
"subcategory_guids": [
"0CCE9211-69AE-11D9-BED3-505054503030"
],
"title": "Windows Pcap Drivers"
},
{
"channel": [
"sec"
],
"event_ids": [
"4692"
],
"id": "725b729a-b3ea-fb14-9cad-a4e944af8b5d",
"level": "medium",
"subcategory_guids": [
"0CCE922D-69AE-11D9-BED3-505054503030"
],
"title": "DPAPI Domain Master Key Backup Attempt"
},
{
"channel": [
"sec"
],
"event_ids": [
"4697"
],
"id": "826feb8b-536b-0302-0b4e-bd34cc5c4923",
"level": "medium",
"subcategory_guids": [
"0CCE9211-69AE-11D9-BED3-505054503030"
],
"title": "Invoke-Obfuscation RUNDLL LAUNCHER - Security"
},
{
"channel": [
"sec"
],
"event_ids": [
"4702"
],
"id": "d74b03af-7e5f-bc5b-9e84-9d44af3d61b7",
"level": "high",
"subcategory_guids": [
"0CCE9227-69AE-11D9-BED3-505054503030",
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Scheduled Task Update"
},
{
"channel": [
"sec"
],
"event_ids": [
"4699",
"4701"
],
"id": "9ce591d7-6b6d-444a-8c27-8ca626dddad3",
"level": "high",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030",
"0CCE9227-69AE-11D9-BED3-505054503030"
],
"title": "Important Scheduled Task Deleted/Disabled"
},
{
"channel": [
"sec"
],
"event_ids": [
"4662"
],
"id": "fe814c5a-505f-a313-7d8c-030187c24e8e",
"level": "medium",
"subcategory_guids": [
"0CCE923B-69AE-11D9-BED3-505054503030"
],
"title": "Potential AD User Enumeration From Non-Machine Account"
},
{
"channel": [
"sec"
],
"event_ids": [
"4697"
],
"id": "3dc2d411-4f0e-6564-d243-8351afd3d375",
"level": "high",
"subcategory_guids": [
"0CCE9211-69AE-11D9-BED3-505054503030"
],
"title": "Invoke-Obfuscation Via Use MSHTA - Security"
},
{
"channel": [
"sec"
],
"event_ids": [
"4697"
],
"id": "3d2e9eef-8851-f3ed-49e1-53e350e277cb",
"level": "high",
"subcategory_guids": [
"0CCE9211-69AE-11D9-BED3-505054503030"
],
"title": "CobaltStrike Service Installations - Security"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657",
"4663"
],
"id": "249d836c-8857-1b98-5d7b-050c2d34e275",
"level": "high",
"subcategory_guids": [
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030"
],
"title": "Sysmon Channel Reference Deletion"
},
{
"channel": [
"Microsoft-Windows-WMI-Activity/Operational"
],
"event_ids": [
"5861",
"5859"
],
"id": "efac5da1-1be2-d8d6-863e-d61125c1cbbd",
"level": "medium",
"subcategory_guids": [],
"title": "WMI Persistence"
},
{
"channel": [
"Microsoft-Windows-Bits-Client/Operational"
],
"event_ids": [
"16403"
],
"id": "b37c7d8f-22b8-a92d-1d1c-593de0fa759e",
"level": "medium",
"subcategory_guids": [],
"title": "BITS Transfer Job Downloading File Potential Suspicious Extension"
},
{
"channel": [
"Microsoft-Windows-Bits-Client/Operational"
],
"event_ids": [
"16403"
],
"id": "26844668-ef48-7a97-5687-9533e59288b7",
"level": "high",
"subcategory_guids": [],
"title": "BITS Transfer Job Download To Potential Suspicious Folder"
},
{
"channel": [
"Microsoft-Windows-Bits-Client/Operational"
],
"event_ids": [
"16403"
],
"id": "5e8a986a-7579-0482-f86e-ad63f6341cd1",
"level": "high",
"subcategory_guids": [],
"title": "BITS Transfer Job Download From Direct IP"
},
{
"channel": [
"Microsoft-Windows-Bits-Client/Operational"
],
"event_ids": [
"3"
],
"id": "f72c1543-44f6-f836-c0da-9bab33600dac",
"level": "low",
"subcategory_guids": [],
"title": "New BITS Job Created Via Bitsadmin"
},
{
"channel": [
"Microsoft-Windows-Bits-Client/Operational"
],
"event_ids": [
"3"
],
"id": "23d76ee6-e5fc-fb90-961a-4b412b97cc94",
"level": "low",
"subcategory_guids": [],
"title": "New BITS Job Created Via PowerShell"
},
{
"channel": [
"Microsoft-Windows-Bits-Client/Operational"
],
"event_ids": [
"16403"
],
"id": "8a389ad3-d0c7-ef8c-1fb3-5bb7e31bcf7f",
"level": "medium",
"subcategory_guids": [],
"title": "BITS Transfer Job With Uncommon Or Suspicious Remote TLD"
},
{
"channel": [
"Microsoft-Windows-Bits-Client/Operational"
],
"event_ids": [
"16403"
],
"id": "4f9e9e60-c580-dd4e-4f06-42a016217d0e",
"level": "high",
"subcategory_guids": [],
"title": "BITS Transfer Job Download From File Sharing Domains"
},
{
"channel": [
"Microsoft-Windows-NTLM/Operational"
],
"event_ids": [
"8002"
],
"id": "c043d322-c767-faa8-92d4-381dcc35cab3",
"level": "low",
"subcategory_guids": [],
"title": "NTLM Logon"
},
{
"channel": [
"Microsoft-Windows-NTLM/Operational"
],
"event_ids": [
"8001"
],
"id": "b416a5b9-a282-2826-bc58-8b8481d865f6",
"level": "medium",
"subcategory_guids": [],
"title": "Potential Remote Desktop Connection to Non-Domain Host"
},
{
"channel": [
"Microsoft-Windows-NTLM/Operational"
],
"event_ids": [
"8004"
],
"id": "b7a0fd59-bab8-fec2-28ad-548b2635d87f",
"level": "medium",
"subcategory_guids": [],
"title": "NTLM Brute Force"
},
{
"channel": [
"OpenSSH/Operational"
],
"event_ids": [
"4"
],
"id": "12800c31-cb60-9d63-bcc2-9ad342585c3a",
"level": "medium",
"subcategory_guids": [],
"title": "OpenSSH Server Listening On Socket"
},
{
"channel": [
"sec"
],
"event_ids": [
"529",
"4625"
],
"id": "428d3964-3241-1ceb-8f93-b31d8490c822",
"level": "medium",
"subcategory_guids": [
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Failed Logins with Different Accounts from Single Source System"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "d85240fc-d5ad-8061-a795-9eaea580fbf0",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Windows Kernel and 3rd-Party Drivers Exploits Token Stealing"
},
{
"channel": [
"sec"
],
"event_ids": [
"4776"
],
"id": "ddbbe639-21f9-7b39-ae7d-821e490d6130",
"level": "medium",
"subcategory_guids": [
"0CCE923F-69AE-11D9-BED3-505054503030"
],
"title": "Valid Users Failing to Authenticate from Single Source Using NTLM"
},
{
"channel": [
"System"
],
"event_ids": [
"7045"
],
"id": "c953a767-8b94-df03-dd53-611baad380fd",
"level": "high",
"subcategory_guids": [],
"title": "Metasploit Or Impacket Service Installation Via SMB PsExec"
},
{
"channel": [
"sec"
],
"event_ids": [
"4625"
],
"id": "84202b5b-54c1-473b-4568-e10da23b3eb8",
"level": "medium",
"subcategory_guids": [
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Multiple Users Failing to Authenticate from Single Process"
},
{
"channel": [
"sec"
],
"event_ids": [
"4625"
],
"id": "30e70d43-6368-123c-a3c8-d23309a3ff97",
"level": "medium",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030"
],
"title": "Multiple Users Remotely Failing To Authenticate From Single Source"
},
{
"channel": [
"sec"
],
"event_ids": [
"4771"
],
"id": "32ce2d24-3d1c-2f81-cddb-d64b33fe9247",
"level": "medium",
"subcategory_guids": [
"0CCE9242-69AE-11D9-BED3-505054503030"
],
"title": "Valid Users Failing to Authenticate From Single Source Using Kerberos"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "e7ce8bbd-3976-853e-eb57-e2ca8dcbf67c",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Reconnaissance Activity Using BuiltIn Commands"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "97408cc2-d2e8-83dd-1f84-93da08e9f191",
"level": "high",
"subcategory_guids": [],
"title": "Execution via CL_Mutexverifiers.ps1 (2 Lines)"
},
{
"channel": [
"sec"
],
"event_ids": [
"4663"
],
"id": "888d3e17-a1ed-6b11-895c-e1f9b96b35be",
"level": "high",
"subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Stored Credentials in Fake Files"
},
{
"channel": [
"System"
],
"event_ids": [
"7045"
],
"id": "a5f841a8-5dcb-5ee4-73ea-5331859bf763",
"level": "critical",
"subcategory_guids": [],
"title": "Malicious Service Installations"
},
{
"channel": [
"sec"
],
"event_ids": [
"5156"
],
"id": "ffaf246b-f54a-05ba-d9b0-fba6626c7822",
"level": "medium",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Enumeration via the Global Catalog"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "ca51d442-0a18-77d6-66b8-6f72ef1dc3bd",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "MSI Spawned Cmd and Powershell Spawned Processes"
},
{
"channel": [
"sec"
],
"event_ids": [
"4768"
],
"id": "74eaa0ee-05a7-86a5-a7a8-076952aa764d",
"level": "medium",
"subcategory_guids": [
"0CCE9242-69AE-11D9-BED3-505054503030"
],
"title": "Invalid Users Failing To Authenticate From Source Using Kerberos"
},
{
"channel": [
"sec"
],
"event_ids": [
"4768"
],
"id": "c6c2c3e3-44ee-516c-9e48-63b304511787",
"level": "medium",
"subcategory_guids": [
"0CCE9242-69AE-11D9-BED3-505054503030"
],
"title": "Disabled Users Failing To Authenticate From Source Using Kerberos"
},
{
"channel": [
"Microsoft-Windows-TaskScheduler/Operational"
],
"event_ids": [
"106"
],
"id": "696cf23d-d3f2-0a4d-6aff-b162d692a778",
"level": "low",
"subcategory_guids": [],
"title": "Rare Scheduled Task Creations"
},
{
"channel": [
"sec"
],
"event_ids": [
"4648"
],
"id": "27124590-ab3f-79b8-7dfa-b82820dbb1cc",
"level": "medium",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Password Spraying via Explicit Credentials"
},
{
"channel": [
"sec"
],
"event_ids": [
"4663"
],
"id": "a4504cb2-23f6-6d94-5ae6-d6013cf1d995",
"level": "medium",
"subcategory_guids": [
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Multiple File Rename Or Delete Occurred"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "13cf4134-564b-abdb-c83e-dac3ba9bac3c",
"level": "high",
"subcategory_guids": [],
"title": "Execution via CL_Invocation.ps1 (2 Lines)"
},
{
"channel": [
"sec"
],
"event_ids": [
"4624",
"4698",
"4702"
],
"id": "bc42c437-1ea8-fd0f-d964-e37a58d861fc",
"level": "medium",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030",
"0CCE9227-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Remote Schtasks Creation"
},
{
"channel": [
"sec"
],
"event_ids": [
"4698"
],
"id": "89ed0fbe-11b8-ce3c-e025-59925225ee99",
"level": "low",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030",
"0CCE9227-69AE-11D9-BED3-505054503030"
],
"title": "Rare Schtasks Creations"
},
{
"channel": [
"sec"
],
"event_ids": [
"4776"
],
"id": "203aaec0-5613-4fdc-42b3-a021d6f853dc",
"level": "medium",
"subcategory_guids": [
"0CCE923F-69AE-11D9-BED3-505054503030"
],
"title": "Failed NTLM Logins with Different Accounts from Single Source System"
},
{
"channel": [
"Microsoft-Windows-SmbClient/Security"
],
"event_ids": [
"31010"
],
"id": "624e39e1-5bc5-13fe-0b2d-5d988a416f24",
"level": "medium",
"subcategory_guids": [],
"title": "Failed Mounting of Hidden Share"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "d5482c32-a04b-a0a2-4262-064908b098a3",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "DNSCat2 Powershell Implementation Detection Via Process Creation"
},
{
"channel": [
"sec"
],
"event_ids": [
"4776"
],
"id": "bbd02091-a432-94b3-8041-9f776b681fc2",
"level": "medium",
"subcategory_guids": [
"0CCE923F-69AE-11D9-BED3-505054503030"
],
"title": "Invalid Users Failing To Authenticate From Single Source Using NTLM"
},
{
"channel": [
"System"
],
"event_ids": [
"7045"
],
"id": "e9acc9e9-8b91-7859-2d0c-446a2c40b937",
"level": "low",
"subcategory_guids": [],
"title": "Rare Service Installations"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "53facd0f-d88d-bab7-469e-a36211463245",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Quick Execution of a Series of Suspicious Commands"
},
{
"channel": [
"Microsoft-Windows-Security-Mitigations*"
],
"event_ids": [
"11",
"12"
],
"id": "838d17f1-63ba-03c4-f8ae-2bdfd74a6a08",
"level": "high",
"subcategory_guids": [],
"title": "Microsoft Defender Blocked from Loading Unsigned DLL"
},
{
"channel": [
"Microsoft-Windows-Security-Mitigations*"
],
"event_ids": [
"11",
"12"
],
"id": "15277aa1-7b5b-9e3b-cca8-52c21a36d06c",
"level": "high",
"subcategory_guids": [],
"title": "Unsigned Binary Loaded From Suspicious Location"
},
{
"channel": [
"Microsoft-Windows-Shell-Core/Operational"
],
"event_ids": [
"28115"
],
"id": "487f5b43-6155-d21c-7189-1a6108974f1b",
"level": "medium",
"subcategory_guids": [],
"title": "Suspicious Application Installed"
},
{
"channel": [
"Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
],
"event_ids": [
"21"
],
"id": "cfba8e23-d224-ff3b-7cb7-dbc6085172a0",
"level": "high",
"subcategory_guids": [],
"title": "Ngrok Usage with Remote Desktop Service"
},
{
"channel": [
"Microsoft-Windows-AppModel-Runtime/Admin"
],
"event_ids": [
"201"
],
"id": "a3ffcde3-a83d-3d16-0b83-72f4758207cd",
"level": "low",
"subcategory_guids": [],
"title": "Sysinternals Tools AppX Versions Execution"
},
{
"channel": [
"Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"
],
"event_ids": [
"2073",
"2005"
],
"id": "5d551ac6-b825-b536-7ec6-75339fc57a25",
"level": "low",
"subcategory_guids": [],
"title": "Firewall Rule Modified In The Windows Firewall Exception List"
},
{
"channel": [
"sec"
],
"event_ids": [
"4624"
],
"id": "910ec16d-6957-01b7-39a8-5e676e459cac",
"level": "medium",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Potential Remote WMI ActiveScriptEventConsumers Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4663"
],
"id": "7619b716-8052-6323-d9c7-87923ef591e6",
"level": "low",
"subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Access To Browser Credential Files By Uncommon Applications - Security"
},
{
"channel": [
"sec"
],
"event_ids": [
"4699"
],
"id": "68d6fb03-e325-2ed1-a429-abac7adf7ba3",
"level": "low",
"subcategory_guids": [
"0CCE9227-69AE-11D9-BED3-505054503030",
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Scheduled Task Deletion"
},
{
"channel": [
"pwsh"
],
"event_ids": [
"400"
],
"id": "315f165d-92fd-170d-d80b-0f16f9cf5384",
"level": "medium",
"subcategory_guids": [],
"title": "Uncommon PowerShell Hosts"
},
{
"channel": [
"pwsh"
],
"event_ids": [
"400"
],
"id": "8427e501-af53-a1ba-41a5-0b2d83e199fb",
"level": "low",
"subcategory_guids": [],
"title": "bXOR Operator Usage In PowerShell Command Line - PowerShell Classic"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "aac8a133-780e-35ed-5d52-60a568765afb",
"level": "medium",
"subcategory_guids": [],
"title": "Windows Mail App Mailbox Access Via PowerShell Script"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "87face0d-1383-7cc4-2da9-2a5da8b81325",
"level": "medium",
"subcategory_guids": [],
"title": "Potential Data Exfiltration Over SMTP Via Send-MailMessage Cmdlet"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "c0483a49-1049-db52-97c5-ed73a6063b93",
"level": "low",
"subcategory_guids": [],
"title": "Compress-Archive Cmdlet Execution"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "822b05a7-afa1-99c7-fc49-578330c9bf81",
"level": "medium",
"subcategory_guids": [],
"title": "Potential Registry Reconnaissance Via PowerShell Script"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "b3c17af7-4207-0100-fe3c-3730a1c40c82",
"level": "medium",
"subcategory_guids": [],
"title": "SMB over QUIC Via PowerShell Script"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "6e77c76e-375f-3378-fb5b-0d55e078f8ad",
"level": "low",
"subcategory_guids": [],
"title": "Use Of Remove-Item to Delete File - ScriptBlock"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "40fd8a4e-3820-0edf-530e-53785ee863e9",
"level": "low",
"subcategory_guids": [],
"title": "New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet - ScriptBlock"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "fc457d0e-1ed4-ecab-aa1f-bd5c4b53c2d9",
"level": "medium",
"subcategory_guids": [],
"title": "WinAPI Function Calls Via PowerShell Scripts"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "66cccc69-033d-56e2-a1e1-f190cc0a9ca0",
"level": "medium",
"subcategory_guids": [],
"title": "WinAPI Library Calls Via PowerShell Scripts"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4103"
],
"id": "81b7f962-1b39-9a15-eca7-f718f8e45e85",
"level": "low",
"subcategory_guids": [],
"title": "Local Firewall Rules Enumeration Via NetFirewallRule Cmdlet"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "d4bfa0d5-6f83-cac0-c838-2d05d677611f",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Microsoft Office Trusted Location Updated"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "1ce6a719-c7b0-11e7-2b9f-37facf10d1d4",
"level": "low",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Shell Context Menu Command Tampering"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "aa71f12d-30c7-985b-9784-b26e948f0f5d",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Registry Set With Crypto-Classes From The \"Cryptography\" PowerShell Namespace"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "c4b8f7e9-f874-4e2b-4320-dd805a1bbf21",
"level": "low",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Command Executed Via Run Dialog Box - Registry"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "f9252ab9-0f85-c10d-fd51-576b83182926",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Service Binary in User Controlled Folder"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "c6cda933-68be-134e-fe2e-71ee945f0f69",
"level": "low",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Scheduled Task Created - Registry"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "9d361072-2d35-e275-87b6-4915aa2beab8",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Unusually Long PowerShell CommandLine"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "e75ce043-bf1d-9f0c-e8bf-f149e9bd5283",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Regsvr32.EXE Calling of DllRegisterServer Export Function Implicitly"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "e0489e47-4c09-f300-bf19-14475e09c953",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Curl.EXE Execution With Custom UserAgent"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "2fbf12bc-cfa8-081e-6e1c-f7a08543c781",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "File or Folder Permissions Modifications"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "f2b2d6f5-92ed-d0f5-25fe-38019bd55906",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Import New Module Via PowerShell CommandLine"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "441ef2d8-5da0-7432-b390-b778f9f5c77b",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Remote Access Tool - Action1 Arbitrary Code Execution and Remote Sessions"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "f0e5d329-4070-a553-6ff1-1842415b9bc8",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Scheduled Task Creation From Potential Suspicious Parent Location"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "d11c691d-7387-9895-7369-83c0abfbfba7",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Dynamic .NET Compilation Via Csc.EXE - Hunting"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "d8d3e301-168c-b875-ade4-7962ec221634",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Suspicious Execution From GUID Like Folder Names"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "a1facc19-608b-ffb7-9591-3063f27baa01",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Elevated System Shell Spawned"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "65955846-8a6d-8beb-af3d-ad2cdaf58f82",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Diskshadow Child Process Spawned"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "28780094-1850-b624-cda8-9bec4509c976",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "EventLog Query Requests By Builtin Utilities"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "1a3d7d59-1928-edd5-afaa-ffb4018bf777",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "SC.EXE Query Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "5742c4d7-6bb8-d4c7-1abf-eedde7c178df",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "9938bbf1-ddc1-5cb0-3fc5-5f55abdba2c0",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Password Protected Compressed File Extraction Via 7Zip"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "1c28655b-a54c-2619-b61d-1b3307a9d6dd",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential CommandLine Obfuscation Using Unicode Characters"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "7b704219-d3dd-93d1-6237-a4541abf28ed",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious New Instance Of An Office COM Object"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "613ea969-381a-6723-e44f-9202a3e64638",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Tunneling Tool Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "8a9c93e5-e67a-2190-d912-b0f9a3711b17",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Cab File Extraction Via Wusa.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "7482a6b9-2304-1d3c-7835-d804bcf7672f",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "ClickOnce Deployment Execution - Dfsvc.EXE Child Process"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "0d73093a-d5b0-8bc8-7a92-c4be8f638bf7",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Diskshadow Script Mode Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "a8683f51-05f0-cb77-d513-48b731911be3",
"level": "informational",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Tasklist Discovery Command"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "592e613b-8b20-792b-c8be-b55cf0bbe6a4",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Microsoft Workflow Compiler Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "1907e117-0636-2197-9e4a-c6f58a1f30e7",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "SMB over QUIC Via Net.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "b7469b0d-0e65-e130-f73c-9b9ccd3b363b",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Remote Access Tool - Ammy Admin Agent Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "bc8a6370-9950-1a63-7ece-7feed9d18e57",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "New Self Extracting Package Created Via IExpress.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "b3580f6e-3488-e1e8-ec74-68176667ab9e",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential File Override/Append Via SET Command"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "5e3a93fe-fb7d-ad20-c7e2-e8712a13aefb",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "System Information Discovery Via Wmic.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "20c51c2f-7e3d-8f18-01f5-ef39633f31f9",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "DLL Call by Ordinal Via Rundll32.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "8a760077-f6df-d8ae-baaa-b183b988ac04",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "File Download Via Curl.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "168763f9-a5fa-29af-e778-ed5054fe3044",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "CMD Shell Output Redirect"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "fc780b12-2819-3958-745b-4cd4c6b66435",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Remote Access Tool - ScreenConnect Remote Command Execution - Hunting"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "68f79cf9-60cf-aed6-ab55-707e40c4057d",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Curl.EXE Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "9a19f541-5164-a71e-b29a-91d7d34d09e6",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "eccdceeb-5139-9a2f-8bfd-9235f5a36687",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Rundll32.EXE Calling DllRegisterServer Export Function Explicitly"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "27784707-1245-1352-019e-2ece1694aa9e",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential DLL Sideloading Activity Via ExtExport.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "b25c6710-2d0f-f815-6c97-ba13c1680f88",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "CodePage Modification Via MODE.COM"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "8a0a2c60-bc08-2e90-8f92-1da8d1f8499b",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Arbitrary Command Execution Using WSL"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "e86bcb59-4f56-b91f-1c5f-100512b9d367",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Manual Execution of Script Inside of a Compressed File"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "56ff2d1a-cadd-2622-f049-458f96d44a39",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potentially Suspicious PowerShell Child Processes"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "2f97f9ce-7a7d-959a-856a-f32ca7058c3e",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Process Terminated Via Taskkill"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "612adf3c-4f2f-852b-487d-3930de4337ed",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Execution From Webserver Root Folder"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "78135073-a4b1-9708-8e2f-dced9caf0c32",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Set Files as System Files Using Attrib.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "4519a945-f840-1570-0add-773bb923bedc",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Proxy Execution Via Explorer.EXE From Shell Process"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "e0f16539-f1cb-5cb9-0004-f3a040346952",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Net.EXE Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "c86d9b72-174d-552f-255d-2e3818a6b891",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Data Exfiltration Via Curl.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "73e99dad-5a1b-32af-36f2-0339c13763b4",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Invocation Of Crypto-Classes From The \"Cryptography\" PowerShell Namespace"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "377979aa-f6e3-79ac-c29c-43d82f8e48a7",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Password Reconnaissance Via Findstr.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"5156"
],
"id": "13790f2d-97b2-d1a0-6624-1061d7ccbb8c",
"level": "medium",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "HH.EXE Initiated HTTP Network Connection"
},
{
"channel": [
"sec"
],
"event_ids": [
"5156"
],
"id": "1062d249-f014-9faf-044e-2b75d6f9763f",
"level": "medium",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Dllhost.EXE Initiated Network Connection To Non-Local IP Address"
},
{
"channel": [
"sec"
],
"event_ids": [
"5156"
],
"id": "8696ae22-70c1-ca19-4888-66ed19ea27da",
"level": "low",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Msiexec.EXE Initiated Network Connection Over HTTP"
},
{
"channel": [
"sec"
],
"event_ids": [
"5156"
],
"id": "9e00ae65-e5aa-2c89-c7a1-7b6ee0e194f5",
"level": "low",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Network Connection Initiated By PowerShell Process"
},
{
"channel": [
"sec"
],
"event_ids": [
"5156"
],
"id": "713fd43d-88e4-6801-2eac-756d06792d4f",
"level": "medium",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Dfsvc.EXE Network Connection To Non-Local IPs"
},
{
"channel": [
"sec"
],
"event_ids": [
"5156"
],
"id": "a1027f51-4eb5-a16d-91bf-9e124bb594dd",
"level": "medium",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Network Connection Initiated From Users\\Public Folder"
},
{
"channel": [
"sec"
],
"event_ids": [
"5156"
],
"id": "4255ccee-f954-7d80-4281-d5a5fe9ea9f7",
"level": "high",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Dfsvc.EXE Initiated Network Connection Over Uncommon Port"
},
{
"channel": [
"Microsoft-Windows-WMI-Activity/Operational"
],
"event_ids": [
"5861"
],
"id": "93786e05-1808-f3b1-9841-7fee02fd7247",
"level": "high",
"subcategory_guids": [],
"title": "Suspicious Scripting in a WMI Consumer"
},
{
"channel": [
"Microsoft-Windows-WMI-Activity/Operational"
],
"event_ids": [
"5861"
],
"id": "f4e538d8-94a9-8ecc-779e-e03aa85aedb4",
"level": "high",
"subcategory_guids": [],
"title": "Suspicious Encoded Scripts in a WMI Consumer"
},
{
"channel": [
"pwsh"
],
"event_ids": [
"600"
],
"id": "3ec981cc-6521-d6a9-9630-d1df7d2090b9",
"level": "high",
"subcategory_guids": [],
"title": "Tamper Windows Defender - PSClassic"
},
{
"channel": [
"pwsh"
],
"event_ids": [
"400"
],
"id": "11151659-80c2-7657-d058-2a07c5662662",
"level": "medium",
"subcategory_guids": [],
"title": "Nslookup PowerShell Download Cradle"
},
{
"channel": [
"pwsh"
],
"event_ids": [],
"id": "29a3935d-0428-4f39-d39e-ec43c598b272",
"level": "high",
"subcategory_guids": [],
"title": "Potential RemoteFXvGPUDisablement.EXE Abuse"
},
{
"channel": [
"pwsh"
],
"event_ids": [
"400"
],
"id": "970cb6bc-a1b8-c7da-f658-ea96f2045162",
"level": "high",
"subcategory_guids": [],
"title": "Delete Volume Shadow Copies Via WMI With PowerShell"
},
{
"channel": [
"pwsh"
],
"event_ids": [
"400"
],
"id": "05ab81d4-8539-cffc-89f9-e470468bb28c",
"level": "medium",
"subcategory_guids": [],
"title": "PowerShell Downgrade Attack - PowerShell"
},
{
"channel": [
"pwsh"
],
"event_ids": [
"400"
],
"id": "19bee8fa-b4db-79ab-2c60-ea8ae4875dcc",
"level": "low",
"subcategory_guids": [],
"title": "Use Get-NetTCPConnection"
},
{
"channel": [
"pwsh"
],
"event_ids": [
"400"
],
"id": "b8c409c0-bd7a-5c05-0bae-56f88fe7b78d",
"level": "high",
"subcategory_guids": [],
"title": "PowerShell Called from an Executable Version Mismatch"
},
{
"channel": [
"pwsh"
],
"event_ids": [],
"id": "aedc0f64-b9e7-36d1-fd92-838fdf33eac3",
"level": "medium",
"subcategory_guids": [],
"title": "Suspicious Non PowerShell WSMAN COM Provider"
},
{
"channel": [
"pwsh"
],
"event_ids": [
"400"
],
"id": "d938bbb0-a745-c4fc-ce0d-eb5a006e6757",
"level": "medium",
"subcategory_guids": [],
"title": "Suspicious PowerShell Download"
},
{
"channel": [
"pwsh"
],
"event_ids": [
"400"
],
"id": "d79eda57-503a-274d-fab8-0d26ff047015",
"level": "low",
"subcategory_guids": [],
"title": "Remote PowerShell Session (PS Classic)"
},
{
"channel": [
"pwsh"
],
"event_ids": [
"400"
],
"id": "b1868902-0d34-3392-8d98-99c0919a01d4",
"level": "low",
"subcategory_guids": [],
"title": "Renamed Powershell Under Powershell Channel"
},
{
"channel": [
"pwsh"
],
"event_ids": [
"400"
],
"id": "cc575689-20fe-0dda-ed3b-93e52d0d8ef1",
"level": "medium",
"subcategory_guids": [],
"title": "Netcat The Powershell Version"
},
{
"channel": [
"pwsh"
],
"event_ids": [],
"id": "ee9681d0-6ba5-5eaf-9c8b-fe39afe542b9",
"level": "medium",
"subcategory_guids": [],
"title": "Zip A Folder With PowerShell For Staging In Temp - PowerShell"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "43541d1d-9cb1-a49f-2fb9-4121c1302705",
"level": "low",
"subcategory_guids": [],
"title": "Suspicious PowerShell Get Current User"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "f698fa3e-50d4-0a6b-4f65-9cc569e1a709",
"level": "medium",
"subcategory_guids": [],
"title": "Powershell XML Execute Command"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "40e38653-158e-78ce-f816-60a159924dc9",
"level": "high",
"subcategory_guids": [],
"title": "HackTool - WinPwn Execution - ScriptBlock"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "629a73b6-b63c-b6d1-5e2c-5d7ee3042f44",
"level": "medium",
"subcategory_guids": [],
"title": "Testing Usage of Uncommonly Used Port"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "bf9ed747-37f2-803e-2a51-91d56622d6ba",
"level": "medium",
"subcategory_guids": [],
"title": "Windows Screen Capture with CopyFromScreen"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "ebdae8b0-7b83-5602-356e-b214571cee19",
"level": "high",
"subcategory_guids": [],
"title": "Disable Powershell Command History"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "53ba1f6b-70f2-242f-1377-8dc22d806e78",
"level": "critical",
"subcategory_guids": [],
"title": "Suspicious PowerShell Mailbox Export to Share - PS"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "245734a0-22f3-d684-07a7-ed1cea011d8e",
"level": "medium",
"subcategory_guids": [],
"title": "Root Certificate Installed - PowerShell"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "43de23b6-5e9c-142a-9e42-64992bede784",
"level": "high",
"subcategory_guids": [],
"title": "Suspicious Service DACL Modification Via Set-Service Cmdlet - PS"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "77e99ce3-b834-1c0d-0fe8-ffd39f1bc29f",
"level": "high",
"subcategory_guids": [],
"title": "PowerShell Credential Prompt"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "80aaec39-a75b-8ad7-ac46-14fd5159f93f",
"level": "low",
"subcategory_guids": [],
"title": "Active Directory Group Enumeration With Get-AdGroup"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "e3888b82-f1d3-14e8-54e5-16b522dfd8a9",
"level": "medium",
"subcategory_guids": [],
"title": "Suspicious PowerShell Download - Powershell Script"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "55d8816f-49cc-7135-b3b1-63d41ce23a01",
"level": "high",
"subcategory_guids": [],
"title": "DSInternals Suspicious PowerShell Cmdlets - ScriptBlock"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "6074ad34-a80f-fdd9-5c49-e1a2fc4572c4",
"level": "high",
"subcategory_guids": [],
"title": "Tamper Windows Defender - ScriptBlockLogging"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "308e8029-d702-799b-6aea-82f749348b24",
"level": "high",
"subcategory_guids": [],
"title": "Suspicious PowerShell Invocations - Generic"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "4956629d-759b-2297-1edf-5751449384cb",
"level": "medium",
"subcategory_guids": [],
"title": "Potential Data Exfiltration Via Audio File"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "30be45df-1ada-4075-3586-5a3d6eda8cd3",
"level": "high",
"subcategory_guids": [],
"title": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "82a11bd6-070f-3229-f413-73fe2ddd7018",
"level": "high",
"subcategory_guids": [],
"title": "PowerShell Set-Acl On Windows Folder - PsScript"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "d7f88495-fd82-8062-2c13-6036a8358e39",
"level": "medium",
"subcategory_guids": [],
"title": "Automated Collection Command PowerShell"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "0b0963db-269b-9351-ab12-4aa9d1f8a105",
"level": "medium",
"subcategory_guids": [],
"title": "Modify Group Policy Settings - ScriptBlockLogging"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "72ba1398-c3d6-c1a6-9133-bc72ccaca90d",
"level": "medium",
"subcategory_guids": [],
"title": "Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "de547eac-5fa2-bf69-1a62-760251de3870",
"level": "medium",
"subcategory_guids": [],
"title": "Winlogon Helper DLL"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "0c3ed50a-e9ab-a1ab-192f-17494d3bcb53",
"level": "medium",
"subcategory_guids": [],
"title": "Access to Browser Login Data"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "802477a9-01ea-d5f8-2ff9-44285787d0f7",
"level": "high",
"subcategory_guids": [],
"title": "PowerShell Web Access Installation - PsScript"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "aa7ecfb4-5a28-3a35-0b06-35cdfed46928",
"level": "medium",
"subcategory_guids": [],
"title": "Recon Information for Export with PowerShell"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "57e275e0-10cf-be8d-39b2-027fbfeb2913",
"level": "low",
"subcategory_guids": [],
"title": "Suspicious SSL Connection"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "fd4e11cc-a1e1-264d-4545-f06b97371ed2",
"level": "high",
"subcategory_guids": [],
"title": "Invoke-Obfuscation CLIP+ Launcher - PowerShell"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "737309de-cb25-6cd6-de11-74ac6a587299",
"level": "high",
"subcategory_guids": [],
"title": "Abuse of Service Permissions to Hide Services Via Set-Service - PS"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "12b5b805-7b4b-d153-35e2-2230d216346c",
"level": "medium",
"subcategory_guids": [],
"title": "Potential Suspicious PowerShell Keywords"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "6154995f-9153-aaa3-dc51-d3062506c78a",
"level": "medium",
"subcategory_guids": [],
"title": "Potential Keylogger Activity"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "a91bd8f4-12c9-8c19-370c-2ddece54fd99",
"level": "high",
"subcategory_guids": [],
"title": "WMImplant Hack Tool"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "d7307e8a-60da-106b-aeb8-c4ebd5c1fb6d",
"level": "high",
"subcategory_guids": [],
"title": "Invoke-Obfuscation Via Use MSHTA - PowerShell"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "649adb28-28ab-34b1-166d-cfffb0245bbd",
"level": "medium",
"subcategory_guids": [],
"title": "Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "0fb43313-1253-f71b-1a13-e10e073c1627",
"level": "medium",
"subcategory_guids": [],
"title": "Get-ADUser Enumeration Using UserAccountControl Flags"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "8094e74c-0e24-f840-50c3-bfcdc98cd6a9",
"level": "medium",
"subcategory_guids": [],
"title": "Add Windows Capability Via PowerShell Script"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "e355cee1-576c-66ad-ccaf-3f4dfa5b541e",
"level": "high",
"subcategory_guids": [],
"title": "Invoke-Obfuscation Via Stdin - Powershell"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "33f62d96-55cf-87d2-e9f0-0a5fff75a278",
"level": "high",
"subcategory_guids": [],
"title": "Create Volume Shadow Copy with Powershell"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "1296d31f-9f66-0be1-424b-a641f15c4475",
"level": "high",
"subcategory_guids": [],
"title": "HackTool - Rubeus Execution - ScriptBlock"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "4502b93e-2c0d-56b8-7ce1-35523e4fb0ba",
"level": "medium",
"subcategory_guids": [],
"title": "Potential AMSI Bypass Script Using NULL Bits"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "6454f2bf-2962-a90a-eec3-6c7bef6be08e",
"level": "medium",
"subcategory_guids": [],
"title": "Suspicious IO.FileStream"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "79769f3b-efb3-9463-e114-7446d4361146",
"level": "high",
"subcategory_guids": [],
"title": "Malicious Nishang PowerShell Commandlets"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "977cdcc1-6d3a-a221-a03f-d794230e01ae",
"level": "medium",
"subcategory_guids": [],
"title": "Powershell Create Scheduled Task"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "6ab29276-37b6-8501-afb8-33126a6a9918",
"level": "medium",
"subcategory_guids": [],
"title": "SyncAppvPublishingServer Execution to Bypass Powershell Restriction"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "129010c2-32d8-8ae8-d3a5-cdd24744231e",
"level": "medium",
"subcategory_guids": [],
"title": "Enumerate Credentials from Windows Credential Manager With PowerShell"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "1dc5f777-bb62-c024-3838-e53492b5e574",
"level": "high",
"subcategory_guids": [],
"title": "Powershell DNSExfiltration"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "369a4eed-03b4-7aea-6309-c6d7173b0567",
"level": "medium",
"subcategory_guids": [],
"title": "User Discovery And Export Via Get-ADUser Cmdlet - PowerShell"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "33811b3f-3506-6bff-bb4a-4250e7714358",
"level": "high",
"subcategory_guids": [],
"title": "Invoke-Obfuscation Via Use Clip - Powershell"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "13a97026-d21c-5c67-761d-537efe8f3fe7",
"level": "medium",
"subcategory_guids": [],
"title": "Powershell Directory Enumeration"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "efbceae5-07cf-4b09-fc03-df062b971e10",
"level": "medium",
"subcategory_guids": [],
"title": "Change User Agents with WebRequest"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "b5223513-5e9d-2c11-1cf7-d980bfed58f5",
"level": "medium",
"subcategory_guids": [],
"title": "Enable Windows Remote Management"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "9134b08c-39fa-8211-b3f5-5bd1839b9540",
"level": "medium",
"subcategory_guids": [],
"title": "Suspicious GetTypeFromCLSID ShellExecute"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "cb989f20-ebb9-8b1b-a5d6-f98b3929346c",
"level": "high",
"subcategory_guids": [],
"title": "Disable-WindowsOptionalFeature Command PowerShell"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "c0fcc261-538c-247d-21ff-05b6d2cbdf07",
"level": "medium",
"subcategory_guids": [],
"title": "Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "7778d03c-e7bd-53bb-1f84-6557e3ecf12d",
"level": "medium",
"subcategory_guids": [],
"title": "Zip A Folder With PowerShell For Staging In Temp - PowerShell Script"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "a427508a-2c94-8fdb-863f-555304b70605",
"level": "low",
"subcategory_guids": [],
"title": "Replace Desktop Wallpaper by Powershell"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "a91de133-e7bc-3e22-d4ec-af1bfe620409",
"level": "medium",
"subcategory_guids": [],
"title": "PowerShell WMI Win32_Product Install MSI"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "c9aa7755-6950-a83c-72f5-53d0eab019eb",
"level": "medium",
"subcategory_guids": [],
"title": "Powershell Keylogging"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "00ba998e-b435-22a6-2dbf-e85e1918b8a7",
"level": "medium",
"subcategory_guids": [],
"title": "Powershell Local Email Collection"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "8acde15f-c52f-455b-127c-8de1892767e5",
"level": "medium",
"subcategory_guids": [],
"title": "Suspicious X509Enrollment - Ps Script"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "0a3956ee-9813-55f3-ca74-4d00e9df5262",
"level": "medium",
"subcategory_guids": [],
"title": "Import PowerShell Modules From Suspicious Directories"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "a4545017-4d6d-c3bd-7fec-62214f01e6b2",
"level": "high",
"subcategory_guids": [],
"title": "Invoke-Obfuscation STDIN+ Launcher - Powershell"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "70b65468-d1e8-0a6b-78c3-a458a95e477b",
"level": "high",
"subcategory_guids": [],
"title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "f9889db2-6490-a082-33a3-1b46dff5e2f1",
"level": "medium",
"subcategory_guids": [],
"title": "Extracting Information with PowerShell"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "abc8469f-9601-7199-13b7-9620478f5335",
"level": "medium",
"subcategory_guids": [],
"title": "Detected Windows Software Discovery - PowerShell"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "c6dce605-3bb0-c881-1c5c-f3e4e9d62577",
"level": "medium",
"subcategory_guids": [],
"title": "Suspicious Start-Process PassThru"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "4dc42aa9-1963-4ee8-e6ed-021575365449",
"level": "low",
"subcategory_guids": [],
"title": "PowerShell Script With File Upload Capabilities"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "b0c6066e-a243-d2f6-c744-990ed060759c",
"level": "high",
"subcategory_guids": [],
"title": "Potential Invoke-Mimikatz PowerShell Script"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "0e7ff574-cd58-3250-821d-47fedcc03db6",
"level": "low",
"subcategory_guids": [],
"title": "Suspicious Process Discovery With Get-Process"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "247b332c-8cf3-11c1-bf63-2693c99a6082",
"level": "high",
"subcategory_guids": [],
"title": "Malicious PowerShell Commandlets - ScriptBlock"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "8c8871af-c2f2-4671-9f1d-d6c3e90b7c42",
"level": "medium",
"subcategory_guids": [],
"title": "Potential COM Objects Download Cradles Usage - PS Script"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "a4fa5d2e-a803-b311-5ff7-669ada2d36eb",
"level": "medium",
"subcategory_guids": [],
"title": "Suspicious Invoke-Item From Mount-DiskImage"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "088701bf-4758-9a2a-76c0-2e148a7e122c",
"level": "high",
"subcategory_guids": [],
"title": "Request A Single Ticket via PowerShell"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "5ac6d31e-76f4-b5ee-831e-7d076ff2dca6",
"level": "high",
"subcategory_guids": [],
"title": "Veeam Backup Servers Credential Dumping Script Execution"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "c9326131-769a-8ba4-03f2-7d17f9847a50",
"level": "medium",
"subcategory_guids": [],
"title": "Potential Suspicious Windows Feature Enabled"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "cc813de1-cf1f-dd91-bcfb-3821610d9dfc",
"level": "high",
"subcategory_guids": [],
"title": "PowerView PowerShell Cmdlets - ScriptBlock"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "e84977df-6377-368d-ed22-e05ee31e9947",
"level": "high",
"subcategory_guids": [],
"title": "Malicious ShellIntel PowerShell Commandlets"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "a86c5f75-859a-89ac-20a4-ad3be80336c9",
"level": "medium",
"subcategory_guids": [],
"title": "Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "9a9b4924-bf93-774d-4bee-a2d13260663c",
"level": "high",
"subcategory_guids": [],
"title": "Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "f1a1daa1-2c4e-6354-e062-1f80427eafc3",
"level": "medium",
"subcategory_guids": [],
"title": "PowerShell Remote Session Creation"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "b3cb91b9-f3a8-1486-c398-1ea1e5183b3c",
"level": "low",
"subcategory_guids": [],
"title": "Suspicious Get Information for SMB Share"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "d72c1916-ab63-11e1-1916-5e8b3822f133",
"level": "medium",
"subcategory_guids": [],
"title": "DirectorySearcher Powershell Exploitation"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "cde108d4-944b-2594-02b8-61f2852260a1",
"level": "high",
"subcategory_guids": [],
"title": "PowerShell ADRecon Execution"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "231be74a-ed58-7e55-d906-23131f589913",
"level": "low",
"subcategory_guids": [],
"title": "Suspicious Get Local Groups Information - PowerShell"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "3c8ea56a-ad16-8598-c24e-3fdd6b345dda",
"level": "low",
"subcategory_guids": [],
"title": "Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "a8e07a3d-571c-0d25-729b-fa16be9ea6c5",
"level": "medium",
"subcategory_guids": [],
"title": "Suspicious Eventlog Clear"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "714c75ab-6bed-7c9d-462b-f7f9252e47e5",
"level": "high",
"subcategory_guids": [],
"title": "PSAsyncShell - Asynchronous TCP Reverse Shell"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "71d6a25b-6fe6-37e2-40bc-c4de171fbbc9",
"level": "critical",
"subcategory_guids": [],
"title": "Silence.EDA Detection"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "77af6d22-9887-7943-53f1-6a849e2e892d",
"level": "high",
"subcategory_guids": [],
"title": "Powershell Token Obfuscation - Powershell"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "f5ce4704-7343-4e6a-f741-f53b6d412d1f",
"level": "high",
"subcategory_guids": [],
"title": "Code Executed Via Office Add-in XLL File"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "edeeb148-ce01-b5b8-a531-3b364b7fd191",
"level": "high",
"subcategory_guids": [],
"title": "Potential WinAPI Calls Via PowerShell Scripts"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "97e928f0-6985-66cd-fd2d-3783904a3c7c",
"level": "high",
"subcategory_guids": [],
"title": "Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "6dcad107-58f0-d885-7198-fe78bda1ff4b",
"level": "high",
"subcategory_guids": [],
"title": "Powershell Add Name Resolution Policy Table Rule"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "329df23d-a366-2e13-47f7-3c67cfb56f75",
"level": "high",
"subcategory_guids": [],
"title": "Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "baee41a3-2063-6125-778e-0d9710474c06",
"level": "high",
"subcategory_guids": [],
"title": "Delete Volume Shadow Copies via WMI with PowerShell - PS Script"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "f1205c3a-b112-f060-2b3e-b43fd3460482",
"level": "high",
"subcategory_guids": [],
"title": "Disable of ETW Trace - Powershell"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "516b2199-36c5-1a0d-13f4-87bcb22bc2bf",
"level": "medium",
"subcategory_guids": [],
"title": "Suspicious PowerShell Mailbox SMTP Forward Rule"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "389e5737-c793-4d03-4191-fe78d2cc1dcb",
"level": "low",
"subcategory_guids": [],
"title": "Automated Collection Bookmarks Using Get-ChildItem PowerShell"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "9d0ff6ee-9967-a757-d8dc-cf3f3b3546b1",
"level": "medium",
"subcategory_guids": [],
"title": "Suspicious New-PSDrive to Admin Share"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "61d6fe12-d403-c9b3-bc3f-fb10de58a4c3",
"level": "high",
"subcategory_guids": [],
"title": "AADInternals PowerShell Cmdlets Execution - PsScript"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "d2c72fb1-8ebf-d5d3-1e88-80f15ba1079a",
"level": "medium",
"subcategory_guids": [],
"title": "Suspicious PowerShell WindowStyle Option"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "36e3fc18-c21d-b046-86b0-9f14ccbb975e",
"level": "medium",
"subcategory_guids": [],
"title": "Clear PowerShell History - PowerShell"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "3bef19ed-f703-65eb-ab07-eebb20abdd4e",
"level": "medium",
"subcategory_guids": [],
"title": "PowerShell Hotfix Enumeration"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "94272bf4-116b-5204-4be6-69b2d5648fa4",
"level": "medium",
"subcategory_guids": [],
"title": "Suspicious Hyper-V Cmdlets"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "33a52335-678e-da31-eb46-d7cfc302cb3e",
"level": "medium",
"subcategory_guids": [],
"title": "Remove Account From Domain Admin Group"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "b32352bf-5bcb-d3c9-a9eb-4bbf8ed85654",
"level": "medium",
"subcategory_guids": [],
"title": "Powershell Timestomp"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "43254631-95ca-6c3c-11bc-16c19f09e819",
"level": "low",
"subcategory_guids": [],
"title": "Suspicious GPO Discovery With Get-GPO"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "5ab8284b-d017-c68c-31ff-6c9b51010284",
"level": "low",
"subcategory_guids": [],
"title": "Potential PowerShell Obfuscation Using Character Join"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "527063ac-15f7-52e7-7ced-4348087aaec7",
"level": "medium",
"subcategory_guids": [],
"title": "Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "77515874-226e-d597-815a-9962d2951358",
"level": "high",
"subcategory_guids": [],
"title": "PowerShell Get-Process LSASS in ScriptBlock"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "2e7d9c7a-fab3-d015-8552-39acf165059c",
"level": "medium",
"subcategory_guids": [],
"title": "Security Software Discovery Via Powershell Script"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "0357e3d7-f8fe-0601-0902-364f4cdbed81",
"level": "medium",
"subcategory_guids": [],
"title": "Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "f279fcb8-4560-0d0c-3bee-043b32f9b3fb",
"level": "high",
"subcategory_guids": [],
"title": "Live Memory Dump Using Powershell"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "ec4cdf41-f053-d3af-6a68-973d32bacdff",
"level": "medium",
"subcategory_guids": [],
"title": "Powershell LocalAccount Manipulation"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "aa566d46-235a-b467-88ed-434788883da2",
"level": "medium",
"subcategory_guids": [],
"title": "Potential Persistence Via PowerShell User Profile Using Add-Content"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "2b77aa85-451b-f506-eda5-71bef0c2bfa6",
"level": "low",
"subcategory_guids": [],
"title": "Potential PowerShell Obfuscation Using Alias Cmdlets"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "2843f0fc-1a75-2140-6c4c-f5c296073941",
"level": "medium",
"subcategory_guids": [],
"title": "Manipulation of User Computer or Group Security Principals Across AD"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "2182e106-ae16-770c-3022-a67abacb10d0",
"level": "medium",
"subcategory_guids": [],
"title": "PowerShell Deleted Mounted Share"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "f0174af7-3de1-3209-5f81-f96ff9d1f5c6",
"level": "medium",
"subcategory_guids": [],
"title": "Suspicious TCP Tunnel Via PowerShell Script"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "00b36dc9-4f98-0596-4487-6aabd187344b",
"level": "high",
"subcategory_guids": [],
"title": "Invoke-Obfuscation Via Use Rundll32 - PowerShell"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "a47e2fc3-e3e3-9763-7cb2-d19df00ad719",
"level": "low",
"subcategory_guids": [],
"title": "Suspicious Mount-DiskImage"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "b935d5dd-d5e5-51df-9c4f-dc30aec0a6e6",
"level": "medium",
"subcategory_guids": [],
"title": "Windows Firewall Profile Disabled"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "53f26dda-d088-32eb-a704-03c3b6986b49",
"level": "medium",
"subcategory_guids": [],
"title": "PowerShell Script With File Hostname Resolving Capabilities"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "98d89b85-61ea-f78b-d1fa-cd52182b6b28",
"level": "medium",
"subcategory_guids": [],
"title": "Registry-Free Process Scope COR_PROFILER"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "addd9852-1b8e-322b-77eb-4a749ba8dca6",
"level": "medium",
"subcategory_guids": [],
"title": "Windows Defender Exclusions Added - PowerShell"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "6535a2a7-e5ce-2a80-726d-8eb3b016084d",
"level": "medium",
"subcategory_guids": [],
"title": "Powershell WMI Persistence"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "7f3d30e6-1565-4e09-7b13-5d7c5b8b0947",
"level": "high",
"subcategory_guids": [],
"title": "PowerShell ShellCode"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "3586407d-f3a3-bb2d-8467-0956e15af381",
"level": "low",
"subcategory_guids": [],
"title": "PowerShell Script Change Permission Via Set-Acl - PsScript"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "777d9383-7a6f-f82a-d22e-2f05f433bc9b",
"level": "medium",
"subcategory_guids": [],
"title": "PowerShell Write-EventLog Usage"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "e5a59479-4ded-f6c3-ab4d-8d464128fbb2",
"level": "medium",
"subcategory_guids": [],
"title": "Change PowerShell Policies to an Insecure Level - PowerShell"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "a57f49ff-b916-4527-881f-bef76dc42248",
"level": "medium",
"subcategory_guids": [],
"title": "Powershell MsXml COM Object"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "8655ba53-c937-dbcf-91c5-3125219b9497",
"level": "high",
"subcategory_guids": [],
"title": "Suspicious PowerShell Invocations - Specific"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "b16a0b26-d586-4ff7-f200-20927037e55f",
"level": "high",
"subcategory_guids": [],
"title": "Powershell Install a DLL in System Directory"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "a547df68-c62d-4415-9a62-cbe68f006b9e",
"level": "medium",
"subcategory_guids": [],
"title": "Powershell Store File In Alternate Data Stream"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "647d9a85-b4af-a355-a79e-5ad4afa553bd",
"level": "medium",
"subcategory_guids": [],
"title": "PowerShell ICMP Exfiltration"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "8dd08d08-a638-c74c-8e7a-07d55d3b3318",
"level": "high",
"subcategory_guids": [],
"title": "PowerShell PSAttack"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "297f849b-2dff-ce76-be52-6f50e2f5d205",
"level": "medium",
"subcategory_guids": [],
"title": "Troubleshooting Pack Cmdlet Execution"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "e701b235-4663-b82b-8611-b51a0706589b",
"level": "high",
"subcategory_guids": [],
"title": "NTFS Alternate Data Stream"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "80fe1b47-6d38-9fc5-9535-6afd04b55a15",
"level": "medium",
"subcategory_guids": [],
"title": "Potential Active Directory Enumeration Using AD Module - PsScript"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "58f5980d-d851-77b4-2f1f-945eb2d3e430",
"level": "medium",
"subcategory_guids": [],
"title": "Certificate Exported Via PowerShell - ScriptBlock"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "246287be-b277-41bc-b620-83f82d6006d3",
"level": "medium",
"subcategory_guids": [],
"title": "Powershell Sensitive File Discovery"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "654b7573-5b04-0352-d832-f32c333f4a56",
"level": "medium",
"subcategory_guids": [],
"title": "Powershell Detect Virtualization Environment"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "956b0dfd-4aba-c0c7-7608-c7889eea8a67",
"level": "low",
"subcategory_guids": [],
"title": "AD Groups Or Users Enumeration Using PowerShell - ScriptBlock"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "f9203bdd-ca24-aced-1e79-b9cfd7936099",
"level": "low",
"subcategory_guids": [],
"title": "Suspicious Connection to Remote Account"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "c4a3b240-b0c5-3eed-9e95-d3db01157764",
"level": "medium",
"subcategory_guids": [],
"title": "Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "b56d246e-e1d8-6f33-6e90-65864d130915",
"level": "medium",
"subcategory_guids": [],
"title": "Suspicious Unblock-File"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "b49ece4c-cd58-540c-62a8-d4189dc45f3e",
"level": "medium",
"subcategory_guids": [],
"title": "PowerShell Create Local User"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "57b18282-5df7-0636-ee86-75ccdbe55519",
"level": "medium",
"subcategory_guids": [],
"title": "Powershell Execute Batch Script"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "4ee64eb7-79b5-d7d2-9ba7-89616409e7d0",
"level": "medium",
"subcategory_guids": [],
"title": "Potential In-Memory Execution Using Reflection.Assembly"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "a4603d3c-bb7c-8db0-3d8a-23f265190006",
"level": "medium",
"subcategory_guids": [],
"title": "Execute Invoke-command on Remote Host"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "1bc61c35-56bd-6b9c-12fc-5513d8aa80d2",
"level": "high",
"subcategory_guids": [],
"title": "Invoke-Obfuscation VAR+ Launcher - PowerShell"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "0f434135-833f-9c32-7048-ab3c6264d3d2",
"level": "medium",
"subcategory_guids": [],
"title": "Suspicious FromBase64String Usage On Gzip Archive - Ps Script"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "e59d0c87-f426-154d-9744-50e5cb987c9f",
"level": "medium",
"subcategory_guids": [],
"title": "Suspicious Get-ADReplAccount"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "12bd77fd-a44d-6373-2156-4c29b22d9c85",
"level": "low",
"subcategory_guids": [],
"title": "Powershell Suspicious Win32_PnPEntity"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "b38a93d1-2bd3-6583-6617-1f4bdccf8589",
"level": "high",
"subcategory_guids": [],
"title": "AMSI Bypass Pattern Assembly GetType"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "437f4723-94d2-dfdf-cd3b-9cf2e0af0fba",
"level": "medium",
"subcategory_guids": [],
"title": "WMIC Unquoted Services Path Lookup - PowerShell"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "00f90856-99dc-9ecd-31ca-0d93b7577bac",
"level": "low",
"subcategory_guids": [],
"title": "Active Directory Computers Enumeration With Get-AdComputer"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "4397a007-0c10-834b-0796-7b4b1b931b03",
"level": "medium",
"subcategory_guids": [],
"title": "Malicious PowerShell Keywords"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "eddbf1d6-60c9-96f5-4cdf-f0947b3aad8f",
"level": "medium",
"subcategory_guids": [],
"title": "Usage Of Web Request Commands And Cmdlets - ScriptBlock"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "437d2bdc-4ee9-913b-42df-e947c8193f88",
"level": "medium",
"subcategory_guids": [],
"title": "Dump Credentials from Windows Credential Manager With PowerShell"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "ce3cad3a-afec-9acc-c763-9b4cb0fd5ece",
"level": "medium",
"subcategory_guids": [],
"title": "Service Registry Permissions Weakness Check"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "b46c37cc-554c-aab3-0744-26f3a5ace219",
"level": "high",
"subcategory_guids": [],
"title": "Potential Persistence Via Security Descriptors - ScriptBlock"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "1a8e1936-4b07-2bb2-ef3a-2cdf7d294a56",
"level": "high",
"subcategory_guids": [],
"title": "Clearing Windows Console History"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4103"
],
"id": "61ec8448-ba5d-0b4f-8089-eb047d43a2ec",
"level": "high",
"subcategory_guids": [],
"title": "Invoke-Obfuscation VAR+ Launcher - PowerShell Module"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4103"
],
"id": "b21405ff-2071-082b-067f-fa116d28a858",
"level": "high",
"subcategory_guids": [],
"title": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4103"
],
"id": "31981511-e5c7-fa6d-65dd-422e26ba8f0d",
"level": "medium",
"subcategory_guids": [],
"title": "Suspicious Computer Machine Password by PowerShell"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4103"
],
"id": "3a7c8368-70ba-0539-d7a9-662a59306969",
"level": "medium",
"subcategory_guids": [],
"title": "Suspicious PowerShell Download - PoshModule"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4103"
],
"id": "36554b35-d185-3e51-6b7f-9b61726b8d3a",
"level": "high",
"subcategory_guids": [],
"title": "Malicious PowerShell Commandlets - PoshModule"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4103"
],
"id": "da4a803e-e609-d187-675c-d7e7f0083763",
"level": "high",
"subcategory_guids": [],
"title": "Suspicious PowerShell Invocations - Specific - PowerShell Module"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4103"
],
"id": "8485a923-ab47-503c-8823-f930f71f83a1",
"level": "low",
"subcategory_guids": [],
"title": "Use Get-NetTCPConnection - PowerShell Module"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4103"
],
"id": "e4ba78e1-d659-9152-8504-cae6d6c7372e",
"level": "informational",
"subcategory_guids": [],
"title": "PowerShell Decompress Commands"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4103"
],
"id": "c2325f35-edc7-9b45-d0bc-548ab4074e0a",
"level": "high",
"subcategory_guids": [],
"title": "Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4103"
],
"id": "118c017d-54bd-d0a7-e24e-74482fd67b54",
"level": "critical",
"subcategory_guids": [],
"title": "Bad Opsec Powershell Code Artifacts"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4103"
],
"id": "f3c1031c-796c-6c50-7af9-c490e09550f6",
"level": "low",
"subcategory_guids": [],
"title": "AD Groups Or Users Enumeration Using PowerShell - PoshModule"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4103"
],
"id": "d1ec8808-93c9-9dcb-b4b8-b20791287ee2",
"level": "high",
"subcategory_guids": [],
"title": "Invoke-Obfuscation Via Use Clip - PowerShell Module"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4103"
],
"id": "5dea4020-38c8-b6d5-ebdb-2a7cfa20044e",
"level": "medium",
"subcategory_guids": [],
"title": "Clear PowerShell History - PowerShell Module"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4103"
],
"id": "acb9f9fe-df3e-be2a-239f-51b194099630",
"level": "high",
"subcategory_guids": [],
"title": "Invoke-Obfuscation Via Use Rundll32 - PowerShell Module"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4103"
],
"id": "a0ecd6f3-309d-3ad0-2231-421f98a89f32",
"level": "high",
"subcategory_guids": [],
"title": "HackTool - Evil-WinRm Execution - PowerShell Module"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4103"
],
"id": "a707acca-c4f5-6929-a1fc-0908ab087be0",
"level": "medium",
"subcategory_guids": [],
"title": "Zip A Folder With PowerShell For Staging In Temp - PowerShell Module"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4103"
],
"id": "567da8d6-9387-9852-16ed-a336bfaad91e",
"level": "medium",
"subcategory_guids": [],
"title": "Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4103"
],
"id": "8ed7f4b3-91aa-4c85-95e8-a361f9004b2e",
"level": "medium",
"subcategory_guids": [],
"title": "PowerShell Get Clipboard"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4103"
],
"id": "93fea8ea-89ab-d08a-3904-a6949999010c",
"level": "medium",
"subcategory_guids": [],
"title": "Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4103"
],
"id": "043fe2ff-2844-9176-3d40-aa3bf3e794a6",
"level": "medium",
"subcategory_guids": [],
"title": "Potential Active Directory Enumeration Using AD Module - PsModule"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4103"
],
"id": "a1d89efd-6d69-416b-3004-ec9c460a863d",
"level": "low",
"subcategory_guids": [],
"title": "Suspicious Get Information for SMB Share - PowerShell Module"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4103"
],
"id": "d8bf9898-a71e-347a-25d6-1fde2e2925e6",
"level": "high",
"subcategory_guids": [],
"title": "Remote PowerShell Session (PS Module)"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4103"
],
"id": "6ead282b-ed6b-7f68-1ed2-b8f5fb092b4e",
"level": "high",
"subcategory_guids": [],
"title": "Invoke-Obfuscation Via Use MSHTA - PowerShell Module"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4103"
],
"id": "85b06a92-2ad6-ef34-57c3-fac694f74095",
"level": "high",
"subcategory_guids": [],
"title": "Suspicious Get-ADDBAccount Usage"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4103"
],
"id": "b7826f95-a54d-d6e4-d4e0-38998c4eb8d7",
"level": "medium",
"subcategory_guids": [],
"title": "Alternate PowerShell Hosts - PowerShell Module"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4103"
],
"id": "c539a450-9d59-8ac3-1709-f3b5f2e5a989",
"level": "high",
"subcategory_guids": [],
"title": "Invoke-Obfuscation STDIN+ Launcher - PowerShell Module"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4103"
],
"id": "58925ff0-2936-8ebd-4c28-8fdbb8ac19a8",
"level": "high",
"subcategory_guids": [],
"title": "Invoke-Obfuscation Via Stdin - PowerShell Module"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4103"
],
"id": "9863342f-1e0e-72c5-8faa-674337cd6d2b",
"level": "medium",
"subcategory_guids": [],
"title": "SyncAppvPublishingServer Bypass Powershell Restriction - PS Module"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4103"
],
"id": "e27c3517-69ca-c8c3-fc57-c4baba10867f",
"level": "high",
"subcategory_guids": [],
"title": "Suspicious PowerShell Invocations - Generic - PowerShell Module"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4103"
],
"id": "7a595cb6-87c9-7d42-5bf9-f404e939d500",
"level": "high",
"subcategory_guids": [],
"title": "Invoke-Obfuscation CLIP+ Launcher - PowerShell Module"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4103"
],
"id": "300dbe85-b7a0-be0b-aa57-321c1ee97848",
"level": "low",
"subcategory_guids": [],
"title": "Suspicious Get Local Groups Information"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4103"
],
"id": "a26b0227-f81e-097b-19ba-ffbb04417ccc",
"level": "high",
"subcategory_guids": [],
"title": "Malicious PowerShell Scripts - PoshModule"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4103"
],
"id": "b2064db0-e465-72c2-edcc-57cfd9676207",
"level": "high",
"subcategory_guids": [],
"title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module"
},
{
"channel": [
"System"
],
"event_ids": [
"50",
"56"
],
"id": "19979e7a-7d1e-a8e3-2a9e-9b3ac0059fa7",
"level": "medium",
"subcategory_guids": [],
"title": "Potential RDP Exploit CVE-2019-0708"
},
{
"channel": [
"System"
],
"event_ids": [
"16991",
"16990"
],
"id": "7ef3c84f-fc5f-e0e6-b94d-07dbb0c946eb",
"level": "medium",
"subcategory_guids": [],
"title": "Potential CVE-2021-42287 Exploitation Attempt"
},
{
"channel": [
"System"
],
"event_ids": [
"7045"
],
"id": "e0aa759a-fa97-fb3b-1b02-82aa44f8c068",
"level": "high",
"subcategory_guids": [],
"title": "Invoke-Obfuscation Via Use MSHTA - System"
},
{
"channel": [
"System"
],
"event_ids": [
"7036"
],
"id": "07c5c883-1da4-d066-f69b-6caadbd1d6f9",
"level": "medium",
"subcategory_guids": [],
"title": "Windows Defender Threat Detection Service Disabled"
},
{
"channel": [
"System"
],
"event_ids": [
"7045"
],
"id": "87d5cdc0-24c5-8411-1230-d717dd6a47e8",
"level": "medium",
"subcategory_guids": [],
"title": "Anydesk Remote Access Software Service Installation"
},
{
"channel": [
"System"
],
"event_ids": [
"7045"
],
"id": "4de4ea24-8c0c-75ed-78c3-bf620ec06fd5",
"level": "medium",
"subcategory_guids": [],
"title": "Uncommon Service Installation Image Path"
},
{
"channel": [
"System"
],
"event_ids": [
"7045"
],
"id": "51ba8477-86a4-6ff0-35fa-7b7f1b1e3f83",
"level": "critical",
"subcategory_guids": [],
"title": "CobaltStrike Service Installations - System"
},
{
"channel": [
"System"
],
"event_ids": [
"7045"
],
"id": "686d9481-474f-2b85-7c51-e69967c1afcc",
"level": "medium",
"subcategory_guids": [],
"title": "Invoke-Obfuscation RUNDLL LAUNCHER - System"
},
{
"channel": [
"System"
],
"event_ids": [
"7045"
],
"id": "97bd461f-b35e-a243-c697-06cc0539d7e3",
"level": "medium",
"subcategory_guids": [],
"title": "Remote Utilities Host Service Install"
},
{
"channel": [
"System"
],
"event_ids": [
"7045"
],
"id": "1ae1cb63-2c82-d95d-a200-533f229715b2",
"level": "medium",
"subcategory_guids": [],
"title": "RemCom Service Installation"
},
{
"channel": [
"System"
],
"event_ids": [
"7045"
],
"id": "60ddd708-71a3-e524-27b1-4cdeda02ce46",
"level": "medium",
"subcategory_guids": [],
"title": "Service Installation in Suspicious Folder"
},
{
"channel": [
"System"
],
"event_ids": [
"7045"
],
"id": "cd204548-409b-e025-4fde-4a8fb1fe5332",
"level": "medium",
"subcategory_guids": [],
"title": "Mesh Agent Service Installation"
},
{
"channel": [
"System"
],
"event_ids": [
"7045"
],
"id": "cb7a40d5-f1de-9dd4-465d-eada7e316d8f",
"level": "medium",
"subcategory_guids": [],
"title": "PsExec Service Installation"
},
{
"channel": [
"System"
],
"event_ids": [
"7045"
],
"id": "e38955da-ce8e-7137-94e5-7890c0bab131",
"level": "high",
"subcategory_guids": [],
"title": "Sliver C2 Default Service Installation"
},
{
"channel": [
"System"
],
"event_ids": [
"7045"
],
"id": "778c7f2b-32f5-e591-5c4a-01e47388475c",
"level": "high",
"subcategory_guids": [],
"title": "Suspicious Service Installation Script"
},
{
"channel": [
"System"
],
"event_ids": [
"7045"
],
"id": "9e870183-fbbc-e736-c380-d20bd74d7dbe",
"level": "high",
"subcategory_guids": [],
"title": "ProcessHacker Privilege Elevation"
},
{
"channel": [
"System"
],
"event_ids": [
"7045"
],
"id": "6218888e-3b1f-f6be-b9f8-9fd758caa380",
"level": "high",
"subcategory_guids": [],
"title": "RTCore Suspicious Service Installation"
},
{
"channel": [
"System"
],
"event_ids": [
"7045"
],
"id": "6623b0c3-f904-2d2e-9c24-4cbb81bf55aa",
"level": "medium",
"subcategory_guids": [],
"title": "Invoke-Obfuscation COMPRESS OBFUSCATION - System"
},
{
"channel": [
"System"
],
"event_ids": [
"7045"
],
"id": "4639745f-a91a-d296-8935-4c694a97f938",
"level": "high",
"subcategory_guids": [],
"title": "Meterpreter or Cobalt Strike Getsystem Service Installation - System"
},
{
"channel": [
"System"
],
"event_ids": [
"7023"
],
"id": "bf2272c8-bc92-d925-4fb6-aeb1fe9283aa",
"level": "high",
"subcategory_guids": [],
"title": "Important Windows Service Terminated With Error"
},
{
"channel": [
"System"
],
"event_ids": [
"7045"
],
"id": "be1b026a-db82-4f10-0739-68c60f1261c9",
"level": "high",
"subcategory_guids": [],
"title": "PowerShell Scripts Installed as Services"
},
{
"channel": [
"System"
],
"event_ids": [
"7045"
],
"id": "81562732-3278-cd48-1db2-581bc7158b6e",
"level": "high",
"subcategory_guids": [],
"title": "Credential Dumping Tools Service Execution - System"
},
{
"channel": [
"System"
],
"event_ids": [
"7045"
],
"id": "1702910b-83b9-ce95-4ae8-2405c2e9faf7",
"level": "high",
"subcategory_guids": [],
"title": "Service Installation with Suspicious Folder Pattern"
},
{
"channel": [
"System"
],
"event_ids": [
"7045"
],
"id": "ebfad3e2-5025-b233-20ef-71fc2ada8fe7",
"level": "high",
"subcategory_guids": [],
"title": "Suspicious Service Installation"
},
{
"channel": [
"System"
],
"event_ids": [
"7045"
],
"id": "414e0fbd-67a8-17e4-371e-4f9f6a8799d0",
"level": "high",
"subcategory_guids": [],
"title": "Invoke-Obfuscation CLIP+ Launcher - System"
},
{
"channel": [
"System"
],
"event_ids": [
"7045",
"7036"
],
"id": "fde28f27-a4fa-d3a4-a714-0ef2dfacb36c",
"level": "high",
"subcategory_guids": [],
"title": "HackTool Service Registration or Execution"
},
{
"channel": [
"System"
],
"event_ids": [
"7045"
],
"id": "8682ea60-89d6-e616-7cdd-410a05ed1611",
"level": "medium",
"subcategory_guids": [],
"title": "New PDQDeploy Service - Server Side"
},
{
"channel": [
"System"
],
"event_ids": [
"7045"
],
"id": "19b4e2a1-4499-8c65-e93a-5f675df202d8",
"level": "medium",
"subcategory_guids": [],
"title": "PAExec Service Installation"
},
{
"channel": [
"System"
],
"event_ids": [
"7045"
],
"id": "7ca6e518-decb-de46-861e-5673c026b257",
"level": "critical",
"subcategory_guids": [],
"title": "Moriya Rootkit - System"
},
{
"channel": [
"System"
],
"event_ids": [
"7045"
],
"id": "6cda0359-f921-911b-a724-cc2f00d661f8",
"level": "medium",
"subcategory_guids": [],
"title": "Tap Driver Installation"
},
{
"channel": [
"System"
],
"event_ids": [
"7045"
],
"id": "f5581097-47d5-fd2b-1a94-37dd36318706",
"level": "high",
"subcategory_guids": [],
"title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System"
},
{
"channel": [
"System"
],
"event_ids": [
"7045"
],
"id": "97b97d4d-e03c-ace5-3215-fa2f51ec5fd5",
"level": "high",
"subcategory_guids": [],
"title": "Service Installed By Unusual Client - System"
},
{
"channel": [
"System"
],
"event_ids": [
"7045"
],
"id": "c5b232f5-bd0a-c0ea-585f-c54fbe370580",
"level": "medium",
"subcategory_guids": [],
"title": "New PDQDeploy Service - Client Side"
},
{
"channel": [
"System"
],
"event_ids": [
"7045"
],
"id": "8aef41c8-fc2b-f490-5a9b-a683fe107829",
"level": "high",
"subcategory_guids": [],
"title": "Invoke-Obfuscation Via Stdin - System"
},
{
"channel": [
"System"
],
"event_ids": [
"7045"
],
"id": "9d5e9ea9-180b-0d92-6e5a-645275e94267",
"level": "high",
"subcategory_guids": [],
"title": "Invoke-Obfuscation STDIN+ Launcher - System"
},
{
"channel": [
"System"
],
"event_ids": [
"7045"
],
"id": "8623dcbf-e828-afb3-eb29-42cade82b39a",
"level": "high",
"subcategory_guids": [],
"title": "KrbRelayUp Service Installation"
},
{
"channel": [
"System"
],
"event_ids": [
"7045"
],
"id": "384155f0-8906-ff64-5188-211c9a98274e",
"level": "high",
"subcategory_guids": [],
"title": "smbexec.py Service Installation"
},
{
"channel": [
"System"
],
"event_ids": [
"7034"
],
"id": "d3c329c7-54bd-4896-cc7d-e04077eba081",
"level": "high",
"subcategory_guids": [],
"title": "Important Windows Service Terminated Unexpectedly"
},
{
"channel": [
"System"
],
"event_ids": [
"7045"
],
"id": "af2b45c1-ed61-0866-791a-13ae39ff80c3",
"level": "high",
"subcategory_guids": [],
"title": "Invoke-Obfuscation Obfuscated IEX Invocation - System"
},
{
"channel": [
"System"
],
"event_ids": [
"7045"
],
"id": "e92121bb-a1c1-5d5a-6abb-3a25fe37fb41",
"level": "high",
"subcategory_guids": [],
"title": "Invoke-Obfuscation Via Use Clip - System"
},
{
"channel": [
"System"
],
"event_ids": [
"7045"
],
"id": "19adbb05-25d8-44fe-3721-1590be735426",
"level": "high",
"subcategory_guids": [],
"title": "Invoke-Obfuscation VAR+ Launcher - System"
},
{
"channel": [
"System"
],
"event_ids": [
"7045"
],
"id": "a36af175-0d96-acc8-c2f7-f5bb57c974fe",
"level": "medium",
"subcategory_guids": [],
"title": "TacticalRMM Service Installation"
},
{
"channel": [
"System"
],
"event_ids": [
"7045"
],
"id": "f1988b01-7f12-1851-58b5-8a4d63743183",
"level": "high",
"subcategory_guids": [],
"title": "Invoke-Obfuscation Via Use Rundll32 - System"
},
{
"channel": [
"System"
],
"event_ids": [
"7045"
],
"id": "ee415dc3-b7c0-9568-e6dd-878777ff237a",
"level": "medium",
"subcategory_guids": [],
"title": "NetSupport Manager Service Install"
},
{
"channel": [
"System"
],
"event_ids": [
"7023"
],
"id": "c002ec31-f147-d591-b2f2-253774fd4248",
"level": "low",
"subcategory_guids": [],
"title": "Windows Service Terminated With Error"
},
{
"channel": [
"System"
],
"event_ids": [
"7045",
"7036"
],
"id": "cd1c0081-d0c8-369f-2ed1-dcc058b08b9c",
"level": "medium",
"subcategory_guids": [],
"title": "Remote Access Tool Services Have Been Installed - System"
},
{
"channel": [
"System"
],
"event_ids": [
"7045"
],
"id": "efef064b-d350-a96b-fe1e-ef4cfe657066",
"level": "medium",
"subcategory_guids": [],
"title": "CSExec Service Installation"
},
{
"channel": [
"Application"
],
"event_ids": [
"1511"
],
"id": "17e91768-3a0f-6d5f-bc0d-7f2d22391909",
"level": "low",
"subcategory_guids": [],
"title": "Suspicious Usage of CVE_2021_34484 or CVE 2022_21919"
},
{
"channel": [
"System"
],
"event_ids": [
"213",
"16",
"24",
"217",
"20"
],
"id": "8f9f7490-f99e-ff64-4b60-ac3f06a2262b",
"level": "informational",
"subcategory_guids": [],
"title": "Windows Update Error"
},
{
"channel": [
"System"
],
"event_ids": [
"104"
],
"id": "30966a3a-2224-0e1a-d28d-c0f7e84cfed3",
"level": "high",
"subcategory_guids": [],
"title": "Important Windows Eventlog Cleared"
},
{
"channel": [
"System"
],
"event_ids": [
"104"
],
"id": "8617b59c-812e-c88e-0bd4-5267e0e825f0",
"level": "medium",
"subcategory_guids": [],
"title": "Eventlog Cleared"
},
{
"channel": [
"System"
],
"event_ids": [
"98"
],
"id": "15b42b84-becb-a48c-8971-28895065fbd3",
"level": "low",
"subcategory_guids": [],
"title": "Volume Shadow Copy Mount"
},
{
"channel": [
"System"
],
"event_ids": [
"5723",
"5805"
],
"id": "4d943318-24e9-7318-6951-fdf8cb235652",
"level": "critical",
"subcategory_guids": [],
"title": "Zerologon Exploitation Using Well-known Tools"
},
{
"channel": [
"System"
],
"event_ids": [
"5829"
],
"id": "a82f6b3b-324f-7234-9092-289117234d31",
"level": "high",
"subcategory_guids": [],
"title": "Vulnerable Netlogon Secure Channel Connection Allowed"
},
{
"channel": [
"System"
],
"event_ids": [
"16",
"27"
],
"id": "e10c99fe-7559-5ae3-9c5c-9fd0a70bd4a6",
"level": "low",
"subcategory_guids": [],
"title": "No Suitable Encryption Key Found For Generating Kerberos Ticket"
},
{
"channel": [
"System"
],
"event_ids": [
"42"
],
"id": "87515290-bf9f-09a4-af0e-bac22cb017f6",
"level": "high",
"subcategory_guids": [],
"title": "KDC RC4-HMAC Downgrade CVE-2022-37966"
},
{
"channel": [
"System"
],
"event_ids": [
"39",
"41"
],
"id": "470e08fc-0b52-8769-10d3-5b5c1920327e",
"level": "medium",
"subcategory_guids": [],
"title": "Certificate Use With No Strong Mapping"
},
{
"channel": [
"System"
],
"event_ids": [
"10001"
],
"id": "cd12f5c0-9798-3928-58bf-34b2816ea898",
"level": "high",
"subcategory_guids": [],
"title": "Local Privilege Escalation Indicator TabTip"
},
{
"channel": [
"System"
],
"event_ids": [
"53"
],
"id": "817138f1-cfd3-c653-7392-a3c61051a8d3",
"level": "low",
"subcategory_guids": [],
"title": "Active Directory Certificate Services Denied Certificate Enrollment Request"
},
{
"channel": [
"System"
],
"event_ids": [
"16"
],
"id": "625954f8-9cc1-bc90-d5bd-4d1d82849d37",
"level": "high",
"subcategory_guids": [],
"title": "Critical Hive In Suspicious Location Access Bits Cleared"
},
{
"channel": [
"System"
],
"event_ids": [
"6038",
"6039"
],
"id": "cb063566-b04b-c7e4-316b-c69075ed08f5",
"level": "medium",
"subcategory_guids": [],
"title": "NTLMv1 Logon Between Client and Server"
},
{
"channel": [
"System"
],
"event_ids": [
"1034",
"1032",
"1031"
],
"id": "a6878a7f-9fcd-9b29-ba67-ca05b11dc4aa",
"level": "high",
"subcategory_guids": [],
"title": "DHCP Server Error Failed Loading the CallOut DLL"
},
{
"channel": [
"System"
],
"event_ids": [
"1033"
],
"id": "87ade82b-7e03-f378-c163-59adb06640ae",
"level": "high",
"subcategory_guids": [],
"title": "DHCP Server Loaded the CallOut DLL"
},
{
"channel": [
"System"
],
"event_ids": [
"55"
],
"id": "73b6342c-c17a-d447-2fd3-119ed3cf61ca",
"level": "high",
"subcategory_guids": [],
"title": "NTFS Vulnerability Exploitation"
},
{
"channel": [
"System"
],
"event_ids": [
"26"
],
"id": "e064a7a6-e709-1464-34e4-626106c91d98",
"level": "high",
"subcategory_guids": [],
"title": "Sysmon Application Crashed"
},
{
"channel": [
"MSExchange Management"
],
"event_ids": [],
"id": "9c8f1614-f386-ea28-e870-75e3daf99adc",
"level": "critical",
"subcategory_guids": [],
"title": "Certificate Request Export to Exchange Webserver"
},
{
"channel": [
"MSExchange Management"
],
"event_ids": [],
"id": "31aa27f1-7ac6-a316-2786-b13400c130f5",
"level": "medium",
"subcategory_guids": [],
"title": "MSExchange Transport Agent Installation - Builtin"
},
{
"channel": [
"MSExchange Management"
],
"event_ids": [],
"id": "30eb1897-ab7e-5cc9-6f83-cd5abd8ee0dc",
"level": "high",
"subcategory_guids": [],
"title": "Exchange Set OabVirtualDirectory ExternalUrl Property"
},
{
"channel": [
"MSExchange Management"
],
"event_ids": [
"6"
],
"id": "29ec9279-2899-b0a0-0b41-6bf40cdda885",
"level": "high",
"subcategory_guids": [],
"title": "Failed MSExchange Transport Agent Installation"
},
{
"channel": [
"MSExchange Management"
],
"event_ids": [],
"id": "47e67dfc-354a-0989-f6b1-f3f888a31278",
"level": "high",
"subcategory_guids": [],
"title": "Remove Exported Mailbox from Exchange Webserver"
},
{
"channel": [
"MSExchange Management"
],
"event_ids": [],
"id": "469804e4-bb11-7cb1-96ce-f7687daa98a0",
"level": "critical",
"subcategory_guids": [],
"title": "ProxyLogon MSExchange OabVirtualDirectory"
},
{
"channel": [
"MSExchange Management"
],
"event_ids": [],
"id": "684f5f59-5de0-7d7a-e983-1e2758d383d6",
"level": "critical",
"subcategory_guids": [],
"title": "Mailbox Export to Exchange Webserver"
},
{
"channel": [
"Microsoft-Windows-SmbClient/Security"
],
"event_ids": [
"31017"
],
"id": "610c6a10-ca67-69c5-0f6d-761487fb3b37",
"level": "medium",
"subcategory_guids": [],
"title": "Suspicious Rejected SMB Guest Logon From IP"
},
{
"channel": [
"Microsoft-Windows-Windows Defender/Operational"
],
"event_ids": [
"5007"
],
"id": "2b57cd91-079d-5f13-07f4-82d7435acd38",
"level": "high",
"subcategory_guids": [],
"title": "Windows Defender Exploit Guard Tamper"
},
{
"channel": [
"Microsoft-Windows-Windows Defender/Operational"
],
"event_ids": [
"1009"
],
"id": "77f49adb-372a-8c7c-0bee-7e361b09b30e",
"level": "high",
"subcategory_guids": [],
"title": "Win Defender Restored Quarantine File"
},
{
"channel": [
"Microsoft-Windows-Windows Defender/Operational"
],
"event_ids": [
"1121"
],
"id": "c73d596d-c719-ab68-1753-6aa80ff340d7",
"level": "high",
"subcategory_guids": [],
"title": "PSExec and WMI Process Creations Block"
},
{
"channel": [
"Microsoft-Windows-Windows Defender/Operational"
],
"event_ids": [
"5013"
],
"id": "f0a75367-1237-98a3-79c3-c4e7e4f5bacc",
"level": "high",
"subcategory_guids": [],
"title": "Microsoft Defender Tamper Protection Trigger"
},
{
"channel": [
"Microsoft-Windows-Windows Defender/Operational"
],
"event_ids": [
"5101"
],
"id": "5a62f5a9-71eb-a0e2-496d-e062350225df",
"level": "high",
"subcategory_guids": [],
"title": "Windows Defender Grace Period Expired"
},
{
"channel": [
"Microsoft-Windows-Windows Defender/Operational"
],
"event_ids": [
"1117",
"1006",
"1116",
"1015"
],
"id": "c70d7033-8146-fe73-8430-90b23c296f9d",
"level": "high",
"subcategory_guids": [],
"title": "Windows Defender Threat Detected"
},
{
"channel": [
"Microsoft-Windows-Windows Defender/Operational"
],
"event_ids": [
"1116"
],
"id": "4947e388-9eb4-8e77-4de7-17accc04246e",
"level": "high",
"subcategory_guids": [],
"title": "Windows Defender AMSI Trigger Detected"
},
{
"channel": [
"Microsoft-Windows-Windows Defender/Operational"
],
"event_ids": [
"5001"
],
"id": "e6c2628d-e4dc-0b32-e087-1c205385af72",
"level": "high",
"subcategory_guids": [],
"title": "Windows Defender Real-time Protection Disabled"
},
{
"channel": [
"Microsoft-Windows-Windows Defender/Operational"
],
"event_ids": [
"1121"
],
"id": "db45bac6-e4cf-df15-bb73-abdc2bb5b466",
"level": "high",
"subcategory_guids": [],
"title": "LSASS Access Detected via Attack Surface Reduction"
},
{
"channel": [
"Microsoft-Windows-Windows Defender/Operational"
],
"event_ids": [
"3002",
"3007"
],
"id": "73176728-033d-ef77-a174-554a0bf61f94",
"level": "medium",
"subcategory_guids": [],
"title": "Windows Defender Real-Time Protection Failure/Restart"
},
{
"channel": [
"Microsoft-Windows-Windows Defender/Operational"
],
"event_ids": [
"1013"
],
"id": "e9310b5d-113f-86dc-a3e0-3ed5cefa6088",
"level": "informational",
"subcategory_guids": [],
"title": "Windows Defender Malware Detection History Deletion"
},
{
"channel": [
"Microsoft-Windows-Windows Defender/Operational"
],
"event_ids": [
"5007"
],
"id": "f8be1673-da49-5b78-517b-16094864fab7",
"level": "low",
"subcategory_guids": [],
"title": "Windows Defender Submit Sample Feature Disabled"
},
{
"channel": [
"Microsoft-Windows-Windows Defender/Operational"
],
"event_ids": [
"5007"
],
"id": "36d5c11e-504a-a3a6-2704-4d6f5f35be41",
"level": "high",
"subcategory_guids": [],
"title": "Windows Defender Configuration Changes"
},
{
"channel": [
"Microsoft-Windows-Windows Defender/Operational"
],
"event_ids": [
"5012"
],
"id": "a325b024-9641-6ee4-56c1-20eb9fc4324a",
"level": "high",
"subcategory_guids": [],
"title": "Windows Defender Virus Scanning Feature Disabled"
},
{
"channel": [
"Microsoft-Windows-Windows Defender/Operational"
],
"event_ids": [
"5007"
],
"id": "13020ca6-8f32-26e1-25d6-1f727e58de89",
"level": "medium",
"subcategory_guids": [],
"title": "Windows Defender Exclusions Added"
},
{
"channel": [
"Microsoft-Windows-Windows Defender/Operational"
],
"event_ids": [
"5010"
],
"id": "ac622fde-5d5a-e064-bfd2-55cbb5f1eacb",
"level": "high",
"subcategory_guids": [],
"title": "Windows Defender Malware And PUA Scanning Disabled"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "b6f9cd8c-4abc-cbc8-159c-654b64f77695",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "e4a61ceb-0bbe-6cab-3249-6c48c6ef7320",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "COM Hijack via Sdclt"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "c561b602-ffb8-a69c-10ef-7c35000d7bca",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Potential AutoLogger Sessions Tampering"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "1bb96a94-8ab5-69b5-8366-2ab8e23877f2",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "New BgInfo.EXE Custom DB Path Registry Configuration"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "d3c2b07c-075b-b06e-926a-3c74236f7b42",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Potential PSFactoryBuffer COM Hijacking"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "d3e621d9-17c0-c31c-1daf-8247438baa83",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "New BgInfo.EXE Custom VBScript Registry Configuration"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "dcbfe53c-e933-cfb7-d9ce-8f03726f9637",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Potential Ransomware Activity Using LegalNotice Message"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "8f22d1f4-6491-fcf7-858d-c2e73bcb8c48",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Hide Schedule Task Via Index Value Tamper"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "6c5c8d47-3184-6c84-8736-f426d0e50839",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Bypass UAC Using DelegateExecute"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "5726e5a8-ce24-8360-cfb3-731d16ed8aca",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Scripted Diagnostics Turn Off Check Enabled - Registry"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "59f5abe2-1a9e-45ca-21d7-c1494694129e",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Keyboard Layout Load"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "c1daf9d0-4faf-5cf7-ee69-08dbaf545e0b",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Add DisallowRun Execution to Registry"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "7e39f9c6-fca2-d20b-c975-48062f7ac3e0",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Potential Persistence Using DebugPath"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "658b7369-eb29-2ab2-5a37-830bffa14b06",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Potential Persistence Via Shim Database In Uncommon Location"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "43beb49f-0ccb-ecd4-f361-bcb66b1170f4",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Driver Added To Disallowed Images In HVCI - Registry"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "96a90fb0-3747-35a8-d9c5-dcc7d373c57c",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Change User Account Associated with the FAX Service"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "f3359b54-f4f9-b8da-0ddb-ef16968c70e7",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Outlook EnableUnsafeClientMailRules Setting Enabled - Registry"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "59a208e8-d58f-efd0-e693-48703d554101",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Environment Variable Has Been Registered"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "b7f195d8-0147-8ddd-90c3-3e8e75037660",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Session Manager Autorun Keys Modification"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "90a9c79a-934b-1610-6e9c-d088885d656f",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Python Function Execution Security Warning Disabled In Excel - Registry"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "a2a9ea74-be61-a011-3676-5bdd9cdae0a4",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Wdigest Enable UseLogonCredential"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "7f5a4070-c4d2-ba36-ab1f-378da90ddf45",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Windows Defender Service Disabled - Registry"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "c1e78049-d5f0-8a11-39dd-10110524f89f",
"level": "low",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "ETW Logging Disabled For rpcrt4.dll"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "6b966f00-7138-0a2d-0f30-029d3bed3524",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Bypass UAC Using Event Viewer"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "595fb3ac-f3e2-e83b-fe23-f4a160b15c17",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Path In Keyboard Layout IME File Registry Value"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "b0b20369-6a44-df4d-5671-a85b5eb960dd",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Activate Suppression of Windows Security Center Notifications"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "e70cde78-b476-8726-75d1-073aeabb4e1d",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Enable Local Manifest Installation With Winget"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "068836cf-abab-c1b2-804b-c9f34e4445aa",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Antivirus Filter Driver Disallowed On Dev Drive - Registry"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "8d3cb1da-3cc0-2448-a467-9b5a2bd3c4c0",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Potential Attachment Manager Settings Associations Tamper"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "e95c5cb7-fd08-cb3b-14e8-d0a4287e6f68",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Registry Hide Function from User"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "f27c3f9d-33e2-2ee6-64f7-a34b895b6379",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "COM Object Hijacking Via Modification Of Default System CLSID Default Value"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "536c7bf1-8834-bffb-665e-b945d9a1894b",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Potential Persistence Via AppCompat RegisterAppRestart Layer"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "2946c058-5b67-3779-9a29-6cd622926e09",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Disable Administrative Share Creation at Startup"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "5cfed8dd-d873-5012-6a54-f3136099d818",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Registry Disable System Restore"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "3b708c9b-48bd-96e8-a680-84e819fcd228",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Hypervisor Enforced Code Integrity Disabled"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "c08df57b-ce0c-de04-72c1-3319cfdc5a37",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "New BgInfo.EXE Custom WMI Query Registry Configuration"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "4c6aafd5-b32d-12d2-ecc7-0138f21e65e8",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Internet Explorer Autorun Keys Modification"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "0e75b3d7-d3d3-d9fa-4d60-a1254f59e47d",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Potential Persistence Via Outlook Today Page"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "94a78414-5302-4e88-7c59-1d5d0de11a5f",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "CurrentControlSet Autorun Keys Modification"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "6191bb45-e2d4-dc12-74c9-be6994d84572",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Potential Persistence Via Netsh Helper DLL - Registry"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "007fb76c-92e3-5bfa-4f46-d6179811290f",
"level": "low",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "MaxMpxCt Registry Value Changed"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "b845b5d0-c25c-d832-f891-58b8224599ee",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "ETW Logging Disabled In .NET Processes - Sysmon Registry"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "dee5910c-4bd3-fb48-fdbf-2d813d23aefb",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "UAC Bypass via Event Viewer"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "ea79a782-319f-b5bd-9293-cab2134f5c43",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Macro Enabled In A Potentially Suspicious Document"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "010beef6-dccd-7edc-c751-9236ab787158",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "0a89f91f-0278-2cf2-d4ad-c958bc125ad3",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "COM Hijacking via TreatAs"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "c22014de-7963-a2c6-ead7-9fded54d54f0",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Uncommon Microsoft Office Trusted Location Added"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "e262d6ab-07ec-712b-78c5-696f002dc7f0",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Wow6432Node CurrentVersion Autorun Keys Modification"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "55790e96-f1bd-5804-59c2-7cd806625025",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Usage of Renamed Sysinternals Tools - RegistrySet"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "57fba93d-7938-c3fd-109b-6d1fb6037e2c",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "New Netsh Helper DLL Registered From A Suspicious Location"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "a6f5fcfd-58a6-fb93-b548-3772adf366b9",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Potential Persistence Via MyComputer Registry Keys"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "6665e720-ff59-40c7-6fc2-63c2990aef5f",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "UAC Disabled"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "e2bf2ad9-465c-3b63-7970-fd222ffa3708",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "CurrentVersion NT Autorun Keys Modification"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "e06345ae-614b-8ef6-d336-a5ed3b2dc71b",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "WinSock2 Autorun Keys Modification"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "95ba330a-4c5b-ff06-beae-5b424cdd506f",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Windows Recall Feature Enabled - Registry"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "989dffb4-2561-5f0b-079e-74bfe39a050a",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Potential PowerShell Execution Policy Tampering"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "5631054a-458c-6998-d637-e2d4f239ed07",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Potential Persistence Via Excel Add-in - Registry"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "60953210-fd32-ddac-1118-a569c8452fd3",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Service Installed"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "7b78e30a-de66-08da-7417-5b735a074ba2",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Disabled Windows Defender Eventlog"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "027f1f5f-4aa7-ac2c-d8c2-084da4eaee3d",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Execution DLL of Choice Using WAB.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "debedc1b-8c7d-7257-67d1-a047bde616a4",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "RDP Sensitive Settings Changed to Zero"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "8785a0bb-8ec2-c019-4196-7d4d2fb47bd7",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Potential SentinelOne Shell Context Menu Scan Command Tampering"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "08ad005b-9676-0872-2751-56c87d6c1385",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Periodic Backup For System Registry Hives Enabled"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "49b76666-4660-3762-b2ea-818e190edd5d",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Potential Persistence Via Custom Protocol Handler"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "b0acca11-04f4-7e88-5dd9-fc299b3716e8",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Default RDP Port Changed to Non Standard Port"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "5b59bbe4-226f-1215-bff7-8c5a79430936",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "RestrictedAdminMode Registry Value Tampering"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "bc03960b-bb9d-b48c-e6cd-73b6e8d17d74",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Potential Persistence Via Shim Database Modification"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "14e19d39-b1be-4903-56be-684b57d45e16",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Disable Windows Defender Functionalities Via Registry Keys"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "effced04-aa28-c07f-9aa5-41cdded8bb61",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Potential WerFault ReflectDebugger Registry Value Abuse"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "8a91b3b9-6d62-e700-63e7-73170f5b0bbc",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Outlook Security Settings Updated - Registry"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "9f3a2bef-c9ee-ce47-c8eb-d746addb05ac",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Potential Persistence Via Visual Studio Tools for Office"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "e368acaa-a5b7-0fab-0997-8f0f1db5f99a",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Potentially Suspicious Desktop Background Change Via Registry"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "4936b46c-badc-cb8a-54d4-3d0b9502aa8a",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "UAC Notification Disabled"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "16505b6b-b744-b451-e1cc-2bf1ecc9e7df",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Winlogon Notify Key Logon Persistence"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "42144fcb-9adc-b4dc-e024-4bdf3311c757",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Sysmon Driver Altitude Change"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "69cb5d0b-48e9-4795-d7bf-3b3051750973",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Change Winevt Channel Access Permission Via Registry"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "7d12e91a-b670-4461-8bdc-aff5b37eda63",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "ServiceDll Hijack"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "a4cae50c-cac3-7292-659e-cf9ca88c8ba8",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Classes Autorun Keys Modification"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "e182da19-f29b-2327-f6f0-f71d15ff8dd5",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Wow6432Node Windows NT CurrentVersion Autorun Keys Modification"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "d5d54339-c5a4-2889-7da2-66fd42b16ef0",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Trust Access Disable For VBApplications"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "b0ac9712-6658-cdfd-92d7-8aa07fcdf31c",
"level": "low",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "PowerShell Script Execution Policy Enabled"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "d61e6c48-1d69-1942-c9e5-4244f12fc88e",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Potentially Suspicious ODBC Driver Registered"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "25d40765-aae0-421b-3a7e-00cff494680f",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Office Macros Warning Disabled"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "f8423558-5803-e6d5-bd1e-0094253e8d41",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Potential Persistence Via GlobalFlags"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "6d5ef37b-2d6d-8ef5-a641-57161c232686",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Disable Windows Event Logging Via Registry"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "2c5460e8-fa5b-2a17-1e53-f6f3789de52d",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Registry Persistence via Explorer Run Key"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "844e4a35-c606-6b5d-8390-52c55b9f09b5",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Persistence Via Disk Cleanup Handler - Autorun"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "f06899a3-2598-48df-bd36-4c846265e174",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Application Allowed Through Exploit Guard"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "bc9f1068-0677-5580-301a-add396842846",
"level": "informational",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "New Application in AppCompat"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "a6cf9f0e-8857-2bf6-bf8f-ebe833b09125",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "ScreenSaver Registry Key Set"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "4b44d428-f676-8642-3d97-3eb23a44d818",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Enabling COR Profiler Environment Variables"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "49f0ef07-1fcf-1ac7-54ee-8cfbb34caf06",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "New TimeProviders Registered With Uncommon DLL Name"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "e0f39f6d-5bc7-83ca-9a1f-4e67316af212",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Potential Persistence Via TypedPaths"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "0fbb75e3-4f11-c091-e62d-0159f224a0af",
"level": "low",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Modification of IE Registry Settings"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "d84ec9a7-296b-e4d1-d97c-daa11eee226b",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Disable Windows Firewall by Registry"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "7d02b772-7006-ba16-2b13-60db59dcfa00",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Running Chrome VPN Extensions via the Registry 2 VPN Extension"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "2c7799c7-bf70-0033-f2e0-e2ae59d4385b",
"level": "low",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "ETW Logging Disabled For SCM"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "092b0638-9aaa-3ecd-820c-9e873b647497",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Common Autorun Keys Modification"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "af6d5933-a155-f3c7-bdb6-c2b98b515cc7",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Windows Event Log Access Tampering Via Registry"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "88665d21-f330-6799-62f0-724746a160d7",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Registry Modification to Hidden File Extension"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "3649e76a-4f74-b4bf-7b6e-511fc789a746",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Enable LM Hash Storage"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "9f96ee4d-d1e8-d5d0-e2d8-8fce145b8006",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Add Debugger Entry To Hangs Key For Persistence"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "dfa1b70c-248b-d9ac-0b47-fbce1fe26a10",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Potential EventLog File Location Tampering"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "5c6e4e04-c3a5-0b21-f966-97441d749d47",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Lolbas OneDriveStandaloneUpdater.exe Proxy Download"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "0ea81575-bcbc-e0f8-6604-6236751cb5db",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Potential Persistence Via AutodialDLL"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "75c0a3fc-9821-e555-9c15-d7829e36ed2e",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Disable Windows Security Center Notifications"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "6f4258c6-a880-1da0-7c68-c7e19ed0c795",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Potential Credential Dumping Attempt Using New NetworkProvider - REG"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "d22a2c0b-fd48-300f-ba44-d6881df81aab",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Potentially Suspicious Command Executed Via Run Dialog Box - Registry"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "04c29127-1ef3-f2f5-5b26-645eb052c42d",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Directory Service Restore Mode(DSRM) Registry Value Tampering"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "24cd048b-21d4-3957-a68d-e073a077e305",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "RDP Sensitive Settings Changed"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "35a986a0-86d6-9685-21af-3277c6172094",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Potential Persistence Via DLLPathOverride"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "5e4e8480-72ed-5e37-7cfe-93d7cfd37974",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Blue Mockingbird - Registry"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "22ff751c-b2ff-1cd8-3e5b-3bd123b3a93e",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Potential CobaltStrike Service Installations - Registry"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "7bb576ef-cc9a-5126-c758-aa8d24f0edda",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Potential Persistence Via Scrobj.dll COM Hijacking"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "9f6b7775-4d86-0f98-45b5-2cfac0e410e7",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "NET NGenAssemblyUsageLog Registry Key Tamper"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "891340b3-d63e-73d0-742f-b481f911074c",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "PowerShell as a Service in Registry"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "ac73de31-10d9-b1f0-6a99-7f5449fef005",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Disable PUA Protection on Windows Defender"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "edcac99a-55ef-aa9c-92a3-d9c9d7e1e46e",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "VBScript Payload Stored in Registry"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "6b3466e8-35d1-e288-b322-0873400febd7",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Internet Explorer DisableFirstRunCustomize Enabled"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "6728497e-f64d-54b9-cebf-4f2234da439a",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Disable Privacy Settings Experience in Registry"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "22adc86b-0198-3dfd-0cc2-f686d342be66",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "DNS-over-HTTPS Enabled by Registry"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "9023759d-f7e3-127f-82b8-e618efea5217",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Hypervisor Enforced Paging Translation Disabled"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "4320bfce-fa0f-05d4-9e60-55d3f27794d8",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "PowerShell Logging Disabled Via Registry Key Tampering"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "f1d2e557-5935-d1b7-cc8a-48563f722f9c",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Old TLS1.0/TLS1.1 Protocol Version Enabled"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "ba919d03-0c34-c3c3-272c-ec0656c3d10c",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Modify User Shell Folders Startup Value"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "7ee582b4-6e4c-aa81-c848-34f91ae9302d",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Hiding User Account Via SpecialAccounts Registry Key"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "ae407430-a207-5af9-e0ad-439b41b90e3a",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Outlook Macro Execution Without Warning Setting Enabled"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "4d50dc2c-f2bf-a039-820d-65c415ab31ee",
"level": "low",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Winget Admin Settings Modification"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "fe333043-ad46-425d-1661-2d2a65e25177",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Potential Persistence Via Outlook Home Page"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "addf4ebc-b3ab-c6ab-98ba-db37848a8ee2",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Potential Persistence Via App Paths Default Property"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "dacb1ee4-05cc-995a-adee-964a19774888",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Uncommon Extension In Keyboard Layout IME File Registry Value"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "b8f4d6cb-7db9-474a-2da3-8465b2f9b699",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Microsoft Office Protected View Disabled"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "2c97b46f-dbd7-bf78-71c0-86ed4a55c654",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "New RUN Key Pointing to Suspicious Folder"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "ebfabc1f-964a-69f3-60d7-e027eaaf1022",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Disable Internal Tools or Feature in Registry"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "ea43cb8f-21a1-38f6-1d50-bbcb754a91f6",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Tamper With Sophos AV Registry Keys"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "a41b0618-1e99-30df-5b32-d040dd4ca439",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Add Port Monitor Persistence in Registry"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "b04c5cc0-6866-8748-e7a7-d69ff8d55935",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Change the Fax Dll"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "717a326e-aa46-b2cd-4db7-1e0be4003fb9",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Lsass Full Dump Request Via DumpType Registry Settings"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "742762c2-287c-4b94-5f99-ae234cdd3d2c",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "CrashControl CrashDump Disabled"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "60c54878-2012-57de-2333-6d23649b0e92",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "CurrentVersion Autorun Keys Modification"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "886d79ab-1307-d072-9729-18305985ebad",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Powershell In Registry Run Keys"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "8a77badb-a001-0da9-9213-ba6efbd70a95",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Allow RDP Remote Assistance Feature"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "a1e4b72a-2af2-0002-fb44-971730e2befa",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Disable Exploit Guard Network Protection on Windows Defender"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "7c631357-74f2-6fac-f215-06a5d2c1e99b",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Potential Persistence Via CHM Helper DLL"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "4475b3bd-9b24-b189-1118-871c5fe3fe17",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "UAC Secure Desktop Prompt Disabled"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "42974e40-8ef8-03fa-d9ca-4d3522a5b239",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "UAC Bypass Using Windows Media Player - Registry"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "e249ebd9-4719-fbd6-ad42-802038c12f87",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Potential Persistence Via LSA Extensions"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "21c41e20-e274-bd0e-e22d-072fc5e0962d",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Printer Driver Empty Manufacturer"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "5a289d79-b7ce-fff7-d06d-771cffd14775",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Disable Tamper Protection on Windows Defender"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "6e7e4fc7-4279-156d-6a7b-f6c593f51098",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Persistence Via Hhctrl.ocx"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "8c9b2605-a3a3-f822-afa4-e8d7abdf70e3",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Scheduled TaskCache Change by Uncommon Program"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "ed9f6502-6cf6-8a06-be4a-10027cabb474",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Service Binary in Suspicious Folder"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "b9c795cf-be1f-5020-c75e-f51c56483739",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Bypass UAC Using SilentCleanup Task"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "fbab75d9-3bd2-3705-4511-3e0cf5a10fe4",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Potential Attachment Manager Settings Attachments Tamper"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "cddc552b-0261-3637-470e-9296ae9dd79f",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Potential PendingFileRenameOperations Tampering"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "3728b695-0511-c1dd-81df-030fda358222",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Register New IFiltre For Persistence"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "8365c772-65e3-7f23-1606-2a2ecbd20235",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "New Root or CA or AuthRoot Certificate to Store"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "0b5acb16-e364-ec25-c330-4c4868819d39",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Disable Microsoft Defender Firewall via Registry"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "f3d16bf4-2de2-b0e3-b8dc-37b2ca82c1cf",
"level": "low",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "New ODBC Driver Registered"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "8b15d432-7c88-1622-8af2-9ab6b7134bdf",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Add Debugger Entry To AeDebug For Persistence"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "790cbe25-2aac-45a7-48c4-234b2a622f06",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Custom File Open Handler Executes PowerShell"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "48421345-c746-0b27-ad78-2d4de6169565",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Disable Macro Runtime Scan Scope"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "8db93e70-1420-c43f-ea06-00a6fc42449f",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "DHCP Callout DLL Installation"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "cb43927e-70c4-47e4-6121-af9fb00a6a77",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Office Autorun Keys Modification"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "fbdc5117-68bf-93e5-9ab3-03ea072e0d36",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Potential AMSI COM Server Hijacking"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "239ba06d-b7b1-2237-ec7e-0f41d80ff78b",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Registry Explorer Policy Modification"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "8f6d136c-f1db-74c5-9845-308043bbbaea",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Winlogon AllowMultipleTSSessions Enable"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "98109d4e-3967-7837-46d2-9fdaface4ac0",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Shim Database Patching Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "50b1dd22-8438-5c33-c5f2-00496987423b",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Wow6432Node Classes Autorun Keys Modification"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "406b79d8-988c-0ef9-5702-7aa379ce70e2",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Potential Persistence Via Event Viewer Events.asp"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "c5041759-c026-94ae-a6d4-6e6bfbfa3d0c",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "UAC Bypass Abusing Winsat Path Parsing - Registry"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "672c20dd-b3a3-85e6-ece5-2b1010734c41",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "System Scripts Autorun Keys Modification"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "9651c944-f6ad-6a83-4ff8-76f682bce13e",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Blackbyte Ransomware Registry"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "2f221db9-1924-551f-ad98-7f01d47c6c7e",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "40faa526-8b40-5332-0b76-013443d7e0ee",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Enable Microsoft Dynamic Data Exchange"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "6dbd4cbc-13d1-1d53-1ce4-5ad27813a654",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "ClickOnce Trust Prompt Tampering"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "0399e65b-992d-24c3-dc62-0b2904dda8f1",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Displaying Hidden Files Feature Disabled"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "15d9849f-4559-6cb8-b45b-663e3ddd9cc5",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Persistence Via New SIP Provider"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "4e584b07-47af-0e21-5779-6585650ca16e",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Registry Persistence via Service in Safe Mode"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "ac9276b0-7220-7600-35b6-e24d01034d45",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Potential Persistence Via Mpnotify"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "c2ff02fd-f4fe-2876-15ee-2a3d914b1a9f",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "IE Change Domain Zone"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "4e8bf251-fcde-0996-45f9-62335b5e5d8b",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "UAC Bypass via Sdclt"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "c86baf10-abab-0f8f-88a2-e51640a26b5c",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Windows Defender Exclusions Added - Registry"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "e4a5e8fc-9e86-a5c9-b9f4-41288262dd40",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Potential Registry Persistence Attempt Via Windows Telemetry"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "8ce03c3b-7a99-449f-6af3-9f5f4685385b",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Potential Registry Persistence Attempt Via DbgManagedDebugger"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "eea69d1c-b62d-d58f-4ee3-82f9053a20ea",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Potential Signing Bypass Via Windows Developer Features - Registry"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "1c9de880-3d26-4614-f41f-a4d975e609ff",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "New DNS ServerLevelPluginDll Installed"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "b0fb77bd-c468-c8dd-1a84-96bf79d003a7",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "New File Association Using Exefile"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "08427b1c-3ceb-9aa5-7d8d-84dfc1531fb8",
"level": "low",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "PUA - Sysinternal Tool Execution - Registry"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "61bb2824-c37f-f432-0767-9a80d45583aa",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Potential NetWire RAT Activity - Registry"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "6b4b0ded-e40c-4d49-68f0-b78339d9587e",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Potential COM Object Hijacking Via TreatAs Subkey - Registry"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "d8884952-23ce-8a65-d998-cb775a119c95",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Potential Persistence Via New AMSI Providers - Registry"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "cab7e60f-55aa-b72e-1943-4d3980028a43",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "PUA - Sysinternals Tools Execution - Registry"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "c6a4d8a3-8e7d-30b4-a6f0-aee8a87463bf",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Potential Persistence Via Logon Scripts - Registry"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "6a724c01-e3a5-3f08-0a26-a25aab47a2d1",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Execution Of Renamed Sysinternals Tools - Registry"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "e3adf6e1-6fbf-d4fe-ee8f-a000db6d64c8",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Potential Persistence Via Disk Cleanup Handler - Registry"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "0af15a7d-56b4-6742-50d9-011df5f8449e",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "New DLL Added to AppCertDlls Registry Key"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "5e3a86ef-f4fb-dd10-9bc7-e7c2d0a15e70",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "New DLL Added to AppInit_DLLs Registry Key"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "e45e543e-8d13-302c-2825-398896bd0bf8",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Narrator's Feedback-Hub Persistence"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "c28049f8-7766-14aa-616f-a8628ee679bd",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "WINEKEY Registry Modification"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "3b19eda3-3430-8cdc-686c-e0d94a32427d",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Office Application Startup - Office Test"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "33feb9a9-afd4-3403-46c9-13a7b4a62b80",
"level": "critical",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "PrinterNightmare Mimikatz Driver Name"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "95ca0984-3622-ee0b-d0b7-4bf861f58030",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "UAC Bypass Via Wsreset"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "255a8d48-2f51-b8e1-ed5c-4063555a7569",
"level": "critical",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Sticky Key Like Backdoor Usage - Registry"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "f90321bd-3a7e-2f0a-220f-49096e6b8ef5",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "DLL Load via LSASS"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "f81b1344-1639-27dc-c1e1-577c4e6c8e19",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Run Key from Download"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "36ef53bd-ce38-b8b6-b163-c7ff42107ecb",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Disable Security Events Logging Adding Reg Key MiniNt"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "52da4b83-76bb-1c03-3d3d-d2767a05c186",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Potential Qakbot Registry Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "139f52db-35af-c5f8-bbf8-22a2094dfea6",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Camera and Microphone Access"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "a2b70475-be0a-993d-b01f-8ecf4bbd7576",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Security Support Provider (SSP) Added to LSA Configuration"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "8538e021-b60d-b297-e8e1-e9020ae98f78",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "CMSTP Execution Registry Event"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "b2a0af70-a308-0185-6128-c2e37db1ebf2",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Windows Registry Trust Record Modification"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "930cd1b8-c592-1982-65c9-cf7fecc0adf7",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "New PortProxy Registry Entry Added"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "60c241e3-567b-86bb-ae42-0e0b650b51ec",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Wdigest CredGuard Registry Modification"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "5c5490c6-68eb-786c-e6b0-12374dce833f",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Atbroker Registry Change"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "3387665f-9c44-56db-5cb9-a35e48689376",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "NetNTLM Downgrade Attack - Registry"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "447c311d-5d73-52c3-d10c-a1205258cf04",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Creation of a Local Hidden User Account by Registry"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "f00c4059-0241-7fee-4186-e8d0b5741cba",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Run Once Task Configuration in Registry"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "a250ceb5-fda2-758b-e33b-594cb197d8ca",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "RedMimicry Winnti Playbook Registry Manipulation"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "f6fed793-a359-2cae-0383-6ec6a9aee77b",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Esentutl Volume Shadow Copy Service Keys"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "092a900e-c6b2-7064-f7b5-699f1b3be49d",
"level": "critical",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Windows Credential Editor Registry"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "a36fab91-8874-79c8-32cb-b2a0117d5a0b",
"level": "critical",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Pandemic Registry Key"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "f5a1f729-ff8c-577e-2d33-a209e00bf7f3",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Path To Screensaver Binary Modified"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "153b0ce0-9f0b-f10f-7d6e-3a23dea83494",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "0a77c311-af5b-b0e4-4d1d-e87ede81b2c7",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "HybridConnectionManager Service Installation - Registry"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657",
"12",
"13"
],
"id": "46595663-e666-c413-ccf4-028a618ca712",
"level": "critical",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Registry Entries For Azorult Malware"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "1617c214-9562-4819-58cd-ffa7929cf167",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Registry Persistence Mechanisms in Recycle Bin"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "b1bd0320-da55-2715-927f-f70a3cb846fa",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Shell Open Registry Keys Manipulation"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "c42f7ed2-10ea-21b4-bcc5-6978cbf4ca0d",
"level": "critical",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Potential Credential Dumping Via LSASS SilentProcessExit Technique"
},
{
"channel": [
"sec"
],
"event_ids": [
"528",
"4624",
"4625",
"529"
],
"id": "7298c707-7564-3229-7c76-ec514847d8c2",
"level": "medium",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030"
],
"title": "Interactive Logon to Server Systems"
},
{
"channel": [
"sec"
],
"event_ids": [
"5145"
],
"id": "e9f405d3-e7ea-9adf-2f31-9ab2a7a90f5a",
"level": "medium",
"subcategory_guids": [
"0CCE9244-69AE-11D9-BED3-505054503030"
],
"title": "Remote Registry Management Using Reg Utility"
},
{
"channel": [
"sec"
],
"event_ids": [
"4624",
"4625"
],
"id": "35890fd4-9ed3-b244-0eff-91fe61e52f8b",
"level": "medium",
"subcategory_guids": [
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Potential Pass the Hash Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4742"
],
"id": "7d4b25c3-0cef-1638-1d47-bb18acda0e6c",
"level": "high",
"subcategory_guids": [
"0CCE9236-69AE-11D9-BED3-505054503030"
],
"title": "Potential Zerologon (CVE-2020-1472) Exploitation"
},
{
"channel": [
"sec"
],
"event_ids": [
"4964",
"4672"
],
"id": "b3d10465-f171-0ef7-d28e-8ef2f9409cf1",
"level": "low",
"subcategory_guids": [
"0CCE921B-69AE-11D9-BED3-505054503030"
],
"title": "User with Privileges Logon"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "a0611cee-4fe8-b36f-b9a7-8c31f5d9977b",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Userdomain Variable Enumeration"
},
{
"channel": [
"sec"
],
"event_ids": [
"5156"
],
"id": "8b0f1458-5a23-5950-ebc7-f8d7a562dc06",
"level": "high",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "New RDP Connection Initiated From Domain Controller"
},
{
"channel": [
"Microsoft-Windows-DNS Client Events/Operational"
],
"event_ids": [
"3008"
],
"id": "e1b0fd63-1017-1597-ec08-3f9e1021e564",
"level": "high",
"subcategory_guids": [],
"title": "Query Tor Onion Address - DNS Client"
},
{
"channel": [
"Microsoft-Windows-DNS Client Events/Operational"
],
"event_ids": [
"3008"
],
"id": "9b3ffe56-a479-9b35-d590-9b94c2f7fa35",
"level": "medium",
"subcategory_guids": [],
"title": "DNS Query To Put.io - DNS Client"
},
{
"channel": [
"Microsoft-Windows-DNS Client Events/Operational"
],
"event_ids": [
"3008"
],
"id": "2abf05fa-98f2-d00b-6a6a-12d07e55233e",
"level": "high",
"subcategory_guids": [],
"title": "DNS Query for Anonfiles.com Domain - DNS Client"
},
{
"channel": [
"Microsoft-Windows-DNS Client Events/Operational"
],
"event_ids": [
"3008"
],
"id": "f0b3a5e9-e4ee-ed23-3b27-4dd30c5974c8",
"level": "critical",
"subcategory_guids": [],
"title": "Suspicious Cobalt Strike DNS Beaconing - DNS Client"
},
{
"channel": [
"Microsoft-Windows-DNS Client Events/Operational"
],
"event_ids": [
"3008"
],
"id": "ec3b018a-d4dd-2d51-4a63-50d078f737dd",
"level": "low",
"subcategory_guids": [],
"title": "DNS Query To Ufile.io - DNS Client"
},
{
"channel": [
"Microsoft-Windows-DNS Client Events/Operational"
],
"event_ids": [
"3008"
],
"id": "14b17417-8ae7-ff8e-fe36-28aaa337ccd5",
"level": "medium",
"subcategory_guids": [],
"title": "DNS Query To MEGA Hosting Website - DNS Client"
},
{
"channel": [
"Application"
],
"event_ids": [
"1000"
],
"id": "24cdd840-5da1-6c12-5b58-4da49cc4b11a",
"level": "high",
"subcategory_guids": [],
"title": "Microsoft Malware Protection Engine Crash"
},
{
"channel": [
"Application"
],
"event_ids": [
"1000"
],
"id": "fcc29ed2-c7fa-1b44-6db4-de352c7cf1b8",
"level": "high",
"subcategory_guids": [],
"title": "Potential Credential Dumping Via WER - Application"
},
{
"channel": [
"Application"
],
"event_ids": [
"1"
],
"id": "f1c99d55-8f38-1ae5-19b6-71d4124f4c46",
"level": "critical",
"subcategory_guids": [],
"title": "Audit CVE Event"
},
{
"channel": [
"Application"
],
"event_ids": [],
"id": "b0f698cd-af36-2a37-ce9f-2ab614a8b808",
"level": "high",
"subcategory_guids": [],
"title": "Relevant Anti-Virus Signature Keywords In Application Log"
},
{
"channel": [
"Application"
],
"event_ids": [
"867",
"868",
"866",
"882",
"865"
],
"id": "2ebb1619-89c0-1a11-2b58-53ef8c2cb863",
"level": "high",
"subcategory_guids": [],
"title": "Restricted Software Access By SRP"
},
{
"channel": [
"Application"
],
"event_ids": [
"1033"
],
"id": "655bf214-78ac-5d4f-27ac-4e0ede9b68a5",
"level": "high",
"subcategory_guids": [],
"title": "Atera Agent Installation"
},
{
"channel": [
"Application"
],
"event_ids": [
"11724",
"1034"
],
"id": "33c276a1-2475-2f1f-aa3d-ec5d61dbe94c",
"level": "low",
"subcategory_guids": [],
"title": "Application Uninstalled"
},
{
"channel": [
"Application"
],
"event_ids": [
"1042",
"1040"
],
"id": "96acd930-342e-66ca-9855-1285ba8a40ed",
"level": "medium",
"subcategory_guids": [],
"title": "MSI Installation From Suspicious Locations"
},
{
"channel": [
"Application"
],
"event_ids": [
"1040",
"1042"
],
"id": "1af7877b-8512-f49c-c11e-a048888c68fa",
"level": "medium",
"subcategory_guids": [],
"title": "MSI Installation From Web"
},
{
"channel": [
"Application"
],
"event_ids": [
"15457"
],
"id": "11635209-eef1-b93a-98bf-33b80e5065a1",
"level": "high",
"subcategory_guids": [],
"title": "MSSQL XPCmdshell Option Change"
},
{
"channel": [
"Application"
],
"event_ids": [
"33205"
],
"id": "e485c12e-8840-1b24-61f7-697e480d63b1",
"level": "high",
"subcategory_guids": [],
"title": "MSSQL Disable Audit Settings"
},
{
"channel": [
"Application"
],
"event_ids": [
"33205"
],
"id": "d17d99ad-18e9-67e1-6163-054f210fee16",
"level": "high",
"subcategory_guids": [],
"title": "MSSQL Add Account To Sysadmin Role"
},
{
"channel": [
"Application"
],
"event_ids": [
"18456"
],
"id": "03e217c6-de25-3afa-3833-6c534a6576f0",
"level": "low",
"subcategory_guids": [],
"title": "MSSQL Server Failed Logon"
},
{
"channel": [
"Application"
],
"event_ids": [
"18456"
],
"id": "2aec0e1c-e7f6-3837-d7f2-ee1c5cac7032",
"level": "medium",
"subcategory_guids": [],
"title": "MSSQL Server Failed Logon From External Network"
},
{
"channel": [
"Application"
],
"event_ids": [
"33205"
],
"id": "824a7eb7-81e3-6b27-2ede-6fd2d58348b4",
"level": "high",
"subcategory_guids": [],
"title": "MSSQL SPProcoption Set"
},
{
"channel": [
"Application"
],
"event_ids": [
"33205"
],
"id": "bc1445fe-1749-b913-f147-64575e1d9ac1",
"level": "high",
"subcategory_guids": [],
"title": "MSSQL XPCmdshell Suspicious Execution"
},
{
"channel": [
"Application"
],
"event_ids": [
"325"
],
"id": "a050e701-373d-fc52-c345-8fbf933e1b82",
"level": "medium",
"subcategory_guids": [],
"title": "Dump Ntds.dit To Suspicious Location"
},
{
"channel": [
"Application"
],
"event_ids": [
"326",
"327",
"216",
"325"
],
"id": "b8d0d560-906d-670f-cd10-32ed9179f21a",
"level": "medium",
"subcategory_guids": [],
"title": "Ntdsutil Abuse"
},
{
"channel": [
"Application"
],
"event_ids": [
"524"
],
"id": "9abb29b7-6fca-9563-2f87-11926d64e17d",
"level": "medium",
"subcategory_guids": [],
"title": "Backup Catalog Deleted"
},
{
"channel": [
"Application"
],
"event_ids": [
"200"
],
"id": "8df2af03-bf29-1ee2-5e6e-476326c561d7",
"level": "low",
"subcategory_guids": [],
"title": "Remote Access Tool - ScreenConnect Command Execution"
},
{
"channel": [
"Application"
],
"event_ids": [
"201"
],
"id": "98bb59e9-ce78-f18f-8355-8a6750afb314",
"level": "low",
"subcategory_guids": [],
"title": "Remote Access Tool - ScreenConnect File Transfer"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "7eddf245-1436-4062-e0cb-f656cda705b9",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "QuickAssist Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "9e12c2cd-fa32-33a2-e894-455cfcbb3680",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Powershell Token Obfuscation - Process Creation"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "21d20eb3-388b-e372-90f5-c3da2c00dc9f",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Windows Defender Tampering Via Wmic.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "d9100b89-baa5-8f0b-5a28-90217fe41a0f",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Greedy Compression Using Rar.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "8d0b4349-4a33-f9c1-b911-e922e9ed2f63",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - Wmiexec Default Powershell Command"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "6f1c48cf-ca24-9def-3a7c-bd81baec1f58",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "UAC Bypass Using ChangePK and SLUI"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "06d1ba8b-f692-36bb-8b57-6c340c87d71b",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential PsExec Remote Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "7e7e5959-545c-8b4a-b17b-3ab2d88b6129",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "835eeb0d-312a-9bdf-62f1-ae4e172e57cb",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Arbitrary Command Execution Using Msdt.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "8f1f0cfc-418f-58d0-6c0a-aa9299b3d5e5",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Ping Hex IP"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "6be0f4bd-c96b-6215-65ad-e38299aa0561",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Process Creation Using Sysnative Folder"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "042378e6-098f-7fa7-3390-6dea36ffe86a",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Explorer Process Tree Break"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "54783800-bea8-9a66-c11d-9aab8da467eb",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Shell32 DLL Execution in Suspicious Directory"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "c5a82926-ad38-8cac-850a-dcc4d26f5660",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Child Process Of BgInfo.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "4aed73e4-2a5e-b456-3e10-0b58348a0620",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Compress Data and Lock With Password for Exfiltration With WINZIP"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "86bcf883-2f53-b6b7-c766-0240f0ce79cf",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Use of TTDInject.exe"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "f57205aa-67a6-4a69-582c-08eb0b786b58",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PowerShell Download Pattern"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "3e293b2c-b40f-53b9-4e78-e7ad13badd8a",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Conhost Spawned By Uncommon Parent Process"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "1ba53115-a14d-1c17-6fc0-2239bc5c4ed6",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Msxsl.EXE Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "5464890a-e53b-c991-756a-8ac37655adca",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Execution of Powershell with Base64"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "d3b62eee-982b-e3f3-e106-d83048e4cf0d",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - Pypykatz Credentials Dumping Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "415d9b8e-8ea7-ce1d-44e5-f124d411e636",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Devtoolslauncher.exe Executes Specified Binary"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "2eed1cc9-eaed-d468-3184-02f80bf78c3d",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Veeam Backup Database Suspicious Query"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "62b1b4bc-937a-d9ed-a691-7887aae49630",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Driver/DLL Installation Via Odbcconf.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "27cc5ada-12cd-ee4a-3260-a00437b0ac13",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "UAC Bypass Using IEInstal - Process"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "59996aa8-9ca2-1ef7-5102-ad18e12d4402",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Provisioning Registry Key Abuse For Binary Proxy Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "a5a31ba8-6ecb-ba33-f271-5a50afc76d9b",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "679db9c2-6669-dc7b-3b9c-a20f4d600b28",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential RDP Session Hijacking Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "e5fef5f3-db95-fac1-d6a8-ebe5cea61016",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Child Process Of SQL Server"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "c53a6656-ecdc-89f8-742f-0455f2ed3c64",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Stop Windows Service Via PowerShell Stop-Service"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "7c4af673-03d0-fd2c-2562-41ee96b4d36e",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PowerShell Download and Execution Cradles"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "ced3b93a-d1cc-dab7-fe8c-be95fd649ff3",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Code Execution via Pcwutl.dll"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "dc6be7ef-4455-6b20-2304-ef99f8413cbf",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Windows Service Tampering"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "5ee853eb-9d4f-e140-fd4d-c6c6e65e27bf",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Add Windows Capability Via PowerShell Cmdlet"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "4329e2b7-363d-b9dc-cbd5-6bbcc79a1b5b",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Php Inline Command Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "21709122-92d3-408a-ce43-7f0ab256c315",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - Koadic Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "bc7f261d-3cfe-72c9-521d-d3cd1a0032bf",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Windows Internet Hosted WebDav Share Mount Via Net.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "ac47d4f8-20cb-1fa8-ac93-07a08745efe7",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "fdd2fe27-5f29-7b4f-0381-22bac2ea7c0a",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Mstsc.EXE Execution From Uncommon Parent"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "82652023-b2bf-3126-09bb-f4495914f471",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "File Download Via Bitsadmin To A Suspicious Target Folder"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "bee3c5b9-5fce-49e8-2301-d000d81eba6e",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "ImagingDevices Unusual Parent/Child Processes"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "e56b0b7d-eb03-5756-d3c4-1b29390fa86e",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Application Whitelisting Bypass via Dnx.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "7ff57038-20dd-b144-f4f9-fe2fb075e004",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Suspicious Mofcomp Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "ec0626ac-00c0-7cf3-223c-20d71ccd38c0",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Cookies Session Hijacking"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "153a349d-2f66-9cce-ff30-aebbad4e103b",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Import LDAP Data Interchange Format File Via Ldifde.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "0fd941d7-3dec-afd3-d991-d693f0a6dff8",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Change PowerShell Policies to an Insecure Level"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "1441d7b2-4429-f275-3f6d-ba7c9718c13b",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Configuration And Service Reconnaissance Via Reg.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "46903700-a139-8e57-f71a-3b0e0c0b1fb5",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Csc.EXE Execution Form Potentially Suspicious Parent"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "d60bae71-ab70-95e8-ce1c-c0226f62a597",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - SharPersist Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "53c6b925-8f6a-b834-1463-b4dade337d85",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Non Interactive PowerShell Process Spawned"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "4015c0bf-a80a-7b4f-cff2-cb50ea14b40f",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Memory Dumping Activity Via LiveKD"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "7b1d6a26-339a-db21-8b7d-55f848967cdd",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential DLL File Download Via PowerShell Invoke-WebRequest"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "85360622-4657-c400-b38e-9dc13bdb53f6",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious File Download From File Sharing Domain Via Wget.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "f2a1b260-bd4a-52e8-6aea-b4ce040025e5",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "File Download Using Notepad++ GUP Utility"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "ece63b49-157b-d1fb-61c5-0cf5c0182409",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PowerShell Base64 Encoded WMI Classes"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "d2fc7f9b-7773-8c83-5bf3-d977a655e6e0",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Taskmgr as LOCAL_SYSTEM"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "a6b2ba82-448c-971d-4112-1464c1588d84",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Allow Service Access Using Security Descriptor Tampering Via Sc.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "a453a0f3-e93d-a242-f111-8c1267906414",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious PowerShell Parent Process"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "f2200f88-34e8-ad86-b006-fc01b177fad9",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Uncommon Link.EXE Parent Process"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "a45e9350-b577-e20b-ed84-113a3b5c3e3a",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Xwizard.EXE Execution From Non-Default Location"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "132686cd-ea41-e5c8-8c22-5211ea3bfb5d",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Remote Access Tool - NetSupport Execution From Unusual Location"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "cf789cc6-bba4-88f6-106b-660f61364506",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "e3cb371f-ecf2-9b45-e6ff-67bb63f48a48",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Remote CHM File Download/Execution Via HH.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "5139400c-0a53-d802-9187-cd5a90a2b9d5",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Uncommon AddinUtil.EXE CommandLine Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "40c1ee69-dcc9-b5a4-614c-60aa83c693d0",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - SysmonEOP Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "c1477cd5-ccf1-5649-1688-b3fc9ce45594",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "ETW Trace Evasion Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "d671a75d-7b95-f624-cf04-8c7814fca3aa",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Import PowerShell Modules From Suspicious Directories - ProcCreation"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "0bcdf0e5-9683-7f59-4ca8-8903a6ca8c0d",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Sensitive File Recovery From Backup Via Wbadmin.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "e78082d8-696f-c684-d72a-e1b29ffbcc74",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Java Running with Remote Debugging"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "fb7a3239-94db-7a87-e1de-97016c713f32",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "UAC Bypass Using Event Viewer RecentViews"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "711f2e81-bb48-8eaf-84ad-7a331ee0cd95",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Response File Execution Via Odbcconf.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "da22844e-bd3b-4e67-433c-ff26e343600e",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Arbitrary Code Execution Via Node.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "c043e0b2-a5f8-ebe1-e99b-54303aa6f2ad",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential MsiExec Masquerading"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "62995636-6f75-677a-428e-531368fbda08",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "CobaltStrike Load by Rundll32"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "03f7ca7a-c93c-f02e-e9b4-d9b00a382023",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Operator Bloopers Cobalt Strike Commands"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "43286cfb-09a6-4e2e-a895-f3c073eeb9f1",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Service DACL Modification Via Set-Service Cmdlet"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "5705250b-888d-01e5-36cf-4302564a99bf",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "LSASS Process Reconnaissance Via Findstr.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "aa8af443-e70d-a6a2-5903-1c62f232c0ed",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Run Once Task Execution as Configured in Registry"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "b2e90afd-fc69-1c5c-0457-d908fe3c4335",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potentially Suspicious Child Process of KeyScrambler.exe"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "56fda9b4-d3c0-2709-26ea-b109bdafb5c2",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Msiexec Quiet Installation"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "f7b452f3-c372-03f2-644e-7be14a8e5b73",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "WhoAmI as Parameter"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "ee690e64-5c3d-8ec8-e9eb-fd7af8b36bf0",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Service StartupType Change Via Sc.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "55a1a7a8-02ee-7df8-a5e6-387dda75fc16",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Indirect Command Execution From Script File Via Bash.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "b78e620c-3115-0c6d-ea3e-4ad5d55c1217",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Whoami.EXE Execution From Privileged Process"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "83e16972-fa32-9c0e-e39d-25254c56a9ff",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Serv-U Process Pattern"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "3e94a11b-52b5-7f93-d623-5ba15ab8f4aa",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Uncommon Child Process Of AddinUtil.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "f95fb96e-dacc-23fa-9a80-f509e7973c9f",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Verclsid.exe Runs COM Object"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "088e72dd-07b4-8c9a-4e3a-f8b72d98def0",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Remote PowerShell Session Host Process (WinRM)"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "09a60700-1c45-a4bf-7b17-5d1e036f4b78",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PUA - NSudo Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "f7214fe4-985b-b820-4816-01cc5cd40601",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - SafetyKatz Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "852227cc-1888-1ad5-93f1-633e3dc46869",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PUA - System Informer Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "a6320654-afe9-8fa6-7fdc-3270c5a552d2",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Renamed ProcDump Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "04c281fd-ba4b-8255-087a-ace794d28c8e",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential RDP Tunneling Via SSH"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "d9505c25-324b-3a98-4f63-55ba6b677e07",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Meterpreter/CobaltStrike Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "5a52bc92-7713-3fca-6d54-f03845a88c47",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Whoami.EXE Execution Anomaly"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "be45d499-4cd7-c4a6-727e-e52c6770468e",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Active Directory Structure Export Via Csvde.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "fc42ea9c-4c0d-4a66-b3b7-34b2a831f588",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Userinit Child Process"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "f671b855-3ea9-045a-c84d-36fc3884e2c7",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Tasks Folder Evasion"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "e8fdfc6d-5256-c3f4-7858-a45724bce385",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Invoke-Obfuscation Via Stdin"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "f3baa8fc-8db9-1300-7b37-53785ce88ee9",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Sensitive File Dump Via Wbadmin.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "4308f710-0e58-712f-6781-9323b7dc779e",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Insecure Transfer Via Curl.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "a7926fae-e53c-6ad5-0a66-a32cbf78f1bf",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "6edef6e7-c67d-20e2-44cd-62afc03872c2",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Dosfuscation Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "655cb0fd-79c4-949b-b842-e1fcf2e1e527",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Csi.exe Usage"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "4ca79cb2-f424-4b29-861c-91cc27599d11",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Taskkill Symantec Endpoint Protection"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "99b507ef-fee7-2f19-767e-66439dad9d9f",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Cabinet File Execution Via Msdt.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "14fd1424-cb14-6945-1567-9017b4b23da5",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Invoke-Obfuscation Via Use MSHTA"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "e51338a7-866e-5cc3-f8f9-7b12fc3aa56b",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Exchange PowerShell Snap-Ins Usage"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "176cddad-09e5-95d1-e061-52b79cdbd6b7",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - Potential Impacket Lateral Movement Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "2eaa1baa-a2c9-b59b-efa8-825ca75ad2d8",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential RDP Tunneling Via Plink"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "9443f6eb-9423-8b8f-335d-61cab9a1d680",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "01184351-0c59-01e2-23f8-68eb74e51558",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Key Manager Access"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "23c16dc8-5f28-940b-9094-092e89b8727f",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Download From File-Sharing Website Via Bitsadmin"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "06d89cd2-498f-efd1-2df7-79500d0e99e0",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "RDP Connection Allowed Via Netsh.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "5385a182-a453-d329-5d89-d768e2b73e28",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Execution Of Non-Existing File"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "80fc60a3-3570-d8c6-9ee9-d527bfd15b84",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Uncommon System Information Discovery Via Wmic.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "48279b22-db22-17e5-5146-824c1f8d07db",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Arbitrary File Download Via Squirrel.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "5dd528dc-d144-18ab-88ff-fca3158b68c5",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Certificate Exported Via Certutil.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "956c7de5-3b88-83e6-b1c1-c1d194e166d8",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - Windows Credential Editor (WCE) Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "9030c2bf-bf5b-cbfb-9cfc-e37534d2031a",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "New Service Creation Using Sc.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "a20a870a-fc43-6932-6410-116f3d5e0221",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potentially Suspicious Child Process Of VsCode"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "e9c3cf8c-ba2f-d937-b4c5-8f5e3f692a11",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Where Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "241ae810-4742-fb7e-24a5-9fe5b120827a",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PUA - AdFind Suspicious Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "c60e39f2-5135-0c04-8c79-a2730ff4a37a",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PowerShell Web Access Feature Enabled Via DISM"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "88ecfa5d-38dc-041a-fc73-6a0436a3d27f",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "fb3e5ab0-ed05-d894-23b3-a28ca8b237ba",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PowerShell Base64 Encoded FromBase64String Cmdlet"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "f82366e8-2ece-fea5-4f56-18d49f3c6aef",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - RemoteKrbRelay Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "c888539c-8fb0-45df-4874-934d5b1edf1c",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PUA - Advanced IP Scanner Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "c2caccdd-305a-c468-590f-90ca119d0475",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Use NTFS Short Name in Command Line"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "5e80556b-2efe-2558-9119-c09636c4c9e4",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious X509Enrollment - Process Creation"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "bbc6093d-c0e1-e946-62dd-d27307534a1f",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Harvesting Of Wifi Credentials Via Netsh.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "9e0f0c37-ffdb-1903-192f-5f8056bd407a",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Whoami.EXE Execution With Output Option"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "98622a71-2d8e-2959-2a0c-8caffeacea13",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "bddf8e50-854c-b536-b42e-72e80d7115da",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Change Default File Association To Executable Via Assoc"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "b7987e8f-8f8a-20ea-821c-fa454516f624",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Malicious Windows Script Components File Execution by TAEF Detection"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "2660fe06-fcf6-19f2-3233-b50236d5ff13",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Boot Configuration Tampering Via Bcdedit.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "6c78dafc-594b-ab99-d6da-cafcb37ab087",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "DriverQuery.EXE Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "fbf93b53-f074-9501-418b-f1d43360e2cb",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Lolbin Unregmp2.exe Use As Proxy"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "90bfcc44-6d97-c258-a28e-a17300913661",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Security Tools Keyword Lookup Via Findstr.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "47705ba8-0a49-a7e0-328a-4001dcc919a4",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "UAC Bypass Using MSConfig Token Modification - Process"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "c6bdb310-216f-075c-19c4-3873b8a1a516",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Tampering With Security Products Via WMIC"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "ba17b43d-ff78-598e-3e48-6f7f77abce52",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "f84fbf6b-fa1f-71fb-e2ca-4f67b2451fe6",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "WebDav Client Execution Via Rundll32.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "2e35d215-673f-ecff-67ad-c9fc3e4ffb87",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "File Deletion Via Del"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "7aaa460d-7613-e1bd-01a0-3c17a897a9d2",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Discovery Activity Via Dnscmd.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "ae6cf4fd-c5fb-db3d-3aec-31478d51a921",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Sdiagnhost Calling Suspicious Child Process"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "02c0a52b-6536-ca47-ce99-cea982b9008a",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - winPEAS Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "4acb4c4c-6e64-9353-58fa-113832d88626",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "JScript Compiler Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "e9206567-a61e-a398-07ce-db2684eef47d",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "SQL Client Tools PowerShell Session Detection"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "5a867cd0-5780-c09f-9e82-86aaaca431f5",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - SharpLdapWhoami Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "dd4ac92f-1ad9-9f2e-e7b1-574030f25c36",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Arbitrary File Download Via MSPUB.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "d14c21ed-9fb4-dd37-d9a0-df7cd5f8092b",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PUA - SoftPerfect Netscan Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "296d5364-4c6f-d2ea-601c-12477b9e4053",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - CrackMapExec PowerShell Obfuscation"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "8dd79010-f068-2bb3-d92f-2545a02ba504",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "New Root Certificate Installed Via Certutil.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "70d8280e-179e-392c-fb0d-96528c5d36cc",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Execution of Hostname"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "5f94c12e-15a0-28ec-cd81-8049ae6c625d",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Audit Policy Tampering Via Auditpol"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "f57937ba-e844-d5ff-1b06-4ca216d0b747",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Abuse of Service Permissions to Hide Services Via Set-Service"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "1f7c1ba3-2f41-4b49-17f6-5a4719527d57",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Disabled Volume Snapshots"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "039cf906-44b1-1f3a-cc07-9f2cf592d320",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Reg Add BitLocker"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "e05fd36e-2242-ac32-2c73-8e345a62cc85",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Uncommon Child Process Spawned By Odbcconf.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "e57cc75a-d93a-26d1-615c-9a093649f70a",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Disabled IE Security Features"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "ff27f8e8-0d0c-7ee1-fc19-a2d8cd69186a",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - Certify Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "6fb2f8df-d6fd-c7e4-80e4-ba8fc1466ccc",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Manipulation Of Default Accounts Via Net.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "bd94e379-d774-a7fa-3d0c-ce6765196ac0",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Filter Driver Unloaded Via Fltmc.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "0df72588-414b-1bc3-7b9d-ea4a01af56db",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Powershell Executed From Headless ConHost Process"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "31616502-c261-6b78-a809-4408f88bc4fb",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Gzip Archive Decode Via PowerShell"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "3870935a-4632-088f-5f37-1baf2d7d56fe",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious WindowsTerminal Child Processes"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "812c76e3-a745-515e-484b-d64d6f64c779",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "WMI Backdoor Exchange Transport Agent"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "4b892866-fe93-c61b-f506-c8fd8948a868",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Persistence Via Netsh Helper DLL"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "28c8ac5c-4774-b281-e7e4-3445164e0180",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious File Encoded To Base64 Via Certutil.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "1ec0b8fb-050d-074d-7209-6c4c724f24cb",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Remote Access Tool - AnyDesk Silent Installation"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "4c9296a3-a93c-d142-7e16-69111f075e7f",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Service DACL Abuse To Hide Services Via Sc.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "de7bed2f-8da9-bfd3-f7af-a1a8e5ff462d",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Regsvr32 DLL Execution With Suspicious File Extension"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "16e1adf7-4ed1-54b8-0031-41fd83c53349",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Remote Access Tool - ScreenConnect Installation Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "41405b7a-f9bc-bce2-50ed-abfca5390f19",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Scheduled Task Creation Involving Temp Folder"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "ee05c67c-d79d-1e0c-e803-8cac4c11384d",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Process Memory Dump via RdrLeakDiag.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "775d4bc1-d404-6927-6dc7-c22d00029c37",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Parent Double Extension File Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "2c104dbe-603a-a438-f3a4-85ff1018ffc1",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Base64 MZ Header In CommandLine"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "4ab524c0-380a-d654-f00f-0309d495eae1",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - ADCSPwn Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "1eb3ba13-9019-0f5c-55d6-f83e89f4a2ea",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious RDP Redirect Using TSCON"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "a7c815fc-1c17-fb9b-3993-9508f7fe6f3f",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - SharpMove Tool Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "1a42614f-8e9e-d03e-5c6e-b4003ed85cf7",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Arbitrary File Download Via PresentationHost.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "b089b249-149b-dfae-0fa9-53aef8435346",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Mstsc.EXE Execution With Local RDP File"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "ef5024d5-3303-f180-2b6c-186303099c26",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Binary Proxy Execution Via VSDiagnostics.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "18739cbf-55f7-1dda-7985-1f08fc87ea5f",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PUA - Seatbelt Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "52b94cb0-304c-59f3-ca56-497db104688c",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "VolumeShadowCopy Symlink Creation Via Mklink"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "d7bb3d76-50b6-1c43-cbaf-4f1600e03c9c",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "c321b26c-a257-c5cc-1fb8-5496e91a7381",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Visual Basic Command Line Compiler Usage"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "79562785-6cc3-acf1-853a-e4758e918d32",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Start of NT Virtual DOS Machine"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "a6a65b53-c476-cb1e-8267-5383b33c0dc1",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Odbcconf.EXE Suspicious DLL Location"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "0d101a61-8aa2-979a-93db-fff8ad1a96aa",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "DLL Execution Via Register-cimprovider.exe"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "d6ede5f4-8daa-4a92-6e5f-9cd3ca86089c",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Rundll32 Execution With Uncommon DLL Extension"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "d873d8e0-160c-2599-93cf-2700ca72b2d2",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PUA - Ngrok Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "7c5a0957-44c3-19d6-fbb2-bf2ea7ba0a36",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "BitLockerTogo.EXE Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "55da7839-272c-d651-9349-c6e62c955734",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Sysinternals PsService Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "097acc6f-8384-1ffd-c4af-993cdf49dff6",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Malicious PowerShell Commandlets - ProcessCreation"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "6fed31ac-e26c-8668-fed8-9145c0f0cb2b",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential ReflectDebugger Content Execution Via WerFault.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "5e22c0e7-bde8-560d-0187-ee4134940af6",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential MSTSC Shadowing Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "a649199e-56ae-51bf-53e5-69e87b06e563",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - RedMimicry Winnti Playbook Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "c77efdd5-f664-66dc-23fb-73ab8e695b53",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Process Reconnaissance Via Wmic.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "ff580d50-30ff-1e98-ec8c-c70512d70b55",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "09d5f483-1225-411f-dfcc-1fa1550bd9a6",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious DumpMinitool Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "614f34c3-e108-8880-5b20-f3df7e3ccd9e",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Audit Policy Tampering Via NT Resource Kit Auditpol"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "b9112bca-62a9-013b-2fba-56019745171c",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Visual Studio Code Tunnel Service Installation"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "a49d1313-b65e-0401-130b-8e929805577f",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potentially Suspicious Regsvr32 HTTP IP Pattern"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "fa60721b-3812-856b-d15f-7c528214d125",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Execution via stordiag.exe"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "430ca46d-025b-b3cc-6fac-e01c57fee153",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Imports Registry Key From an ADS"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "ebcee1df-9cac-a989-982c-08e181e9d5a8",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "ConvertTo-SecureString Cmdlet Usage Via CommandLine"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "b74fe142-8535-448b-b2ff-c6de4a5a5133",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Execution of Shutdown"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "04aeef7e-daa9-3212-481e-808d0386c3a2",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PowerShell Get-Clipboard Cmdlet Via CLI"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "31ca06b4-e4e7-1456-557e-809415680296",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Remotely Hosted HTA File Executed Via Mshta.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "7f54442b-227f-edd9-29d8-f6dc27ca512e",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Uncommon Sigverif.EXE Child Process"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "c095d894-f021-b42f-054d-9727ada91e6a",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PowerShell DownloadFile"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "1d0387b6-6de7-eb5c-ffe9-ee892ff26f07",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "File Decoded From Base64/Hex Via Certutil.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "b7049a0d-bb27-adf6-2c62-501b4398af4d",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Obfuscated Ordinal Call Via Rundll32"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "1bc24d28-b7b8-e116-11bd-46368cdb03ac",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Windows Hotfix Updates Reconnaissance Via Wmic.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "75a96fdd-ec6a-1351-5cf2-00b8606831fe",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - CoercedPotato Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "45b0c0bb-7d7a-7e71-e757-cdd2508c0105",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PUA - Nmap/Zenmap Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "bf24bd95-9545-2701-9d44-5f8a6769a3bb",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Response File Execution Via Odbcconf.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "8974c35e-3161-6538-c0ef-b12e467718a7",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Chromium Browser Instance Executed With Custom Extension"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "7cd5f138-8005-2cb8-cb41-d6b0365b8e5f",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Enumeration for 3rd Party Creds From CLI"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "e0c7a46a-e1c5-f3fd-6202-5fcf88ffeb16",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious File Downloaded From Direct IP Via Certutil.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "9dd8cfb3-e15d-dfe4-ac54-004a540f3279",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Procdump Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "9fc52937-cf49-786a-b1b0-3dfe6dd280ec",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Share And Session Enumeration Using Net.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "09815188-8262-0a9b-c00c-460108a51499",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "70d8efc3-4098-d71c-be3c-59f75ccb6019",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Local Accounts Discovery"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "19090407-d63d-5d05-f03e-f254980d972c",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious WmiPrvSE Child Process"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "612594ec-e080-cbd7-b223-76411581dea7",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Invoke-Obfuscation VAR+ Launcher"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "5f6038bc-96f3-de3a-2b59-fb22aefe871a",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - Empire PowerShell Launch Parameters"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "d14f893b-1931-f274-ce30-147d8cca81fb",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "693a4b33-a1e3-3dbb-ecc3-19d6fbc9601a",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Email Exifiltration Via Powershell"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "5df3c3b4-3daf-3385-fdf0-4b5612003633",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Extrac32 Alternate Data Stream Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "813c544e-381d-625e-3470-9a243b7ce88e",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Use Short Name Path in Image"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "2cc522c8-300b-2344-e384-3db7df590412",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Command Line Path Traversal Evasion Attempt"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "afdc65aa-8680-da5e-c417-fc0432a76cd1",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Advpack Call Via Rundll32.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "2bd79a93-cca3-3280-f400-f38c499e263e",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "a7e6a51e-0f36-3f14-8b9b-12110ce23ff3",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Root Certificate Installed From Susp Locations"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "d68e9dcc-21b3-418c-4d05-669b4d9c0511",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Exports Critical Registry Keys To a File"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "686228e1-28f8-b922-43d9-3b2fb663b67e",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Rundll32 Execution Without Parameters"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "73a60f51-08e7-e491-9edb-b2f38dcaa09c",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Curl Web Request With Potential Custom User-Agent"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "db43d94f-ee5a-913b-3a86-2e1cb07e39a4",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - F-Secure C3 Load by Rundll32"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "6e3409a5-e74b-e405-2f94-d7be95561e7e",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "File Encryption/Decryption Via Gpg4win From Suspicious Locations"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "6855348e-9e88-3b8c-cd96-7a09bd19a04d",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Register_App.Vbs LOLScript Abuse"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "6408b665-07d6-1525-496f-24511bfff69c",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - KrbRelayUp Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "256784a9-8cdb-2cfd-8363-95ac15a61e9c",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Unusual Child Process of dns.exe"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "30f60c05-7105-c523-3ab6-698b29aebbce",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "LOLBAS Data Exfiltration by DataSvcUtil.exe"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "04dd1706-97cc-c1bf-45db-6a9786736ab4",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential File Download Via MS-AppInstaller Protocol Handler"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "e669c0f5-387a-753e-708c-1ab656e547cf",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "New Virtual Smart Card Created Via TpmVscMgr.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "637e9594-8499-4a83-1fec-53dd2ff90147",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Curl Download And Execute Combination"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "4f8de5d6-a332-76fb-d759-219688d83254",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Application Removed Via Wmic.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "9d637e7d-578d-a370-8149-78de1277654c",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Discovery of a System Time"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "8a1ff7a8-dc08-8d51-6f44-ebf8369d583a",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Cmd.EXE Missing Space Characters Execution Anomaly"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "fae361cc-c4b0-0935-1b15-79113e3f6198",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "UAC Bypass Using Consent and Comctl32 - Process"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "40dc8b10-369e-d60a-531b-a6d6de0bad18",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious JavaScript Execution Via Mshta.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "1e5c4cf4-c566-7068-d0ce-7a2eeabfc733",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Finger.EXE Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "6b615673-d368-2deb-8281-a7ff75887a8c",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PowerShell Execution With Potential Decryption Capabilities"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "0fe943e0-d659-589c-d734-689f0f7de8e7",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Powershell Defender Disable Scan Feature"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "024e903d-9124-23ff-2ce8-f59651a961ea",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential SMB Relay Attack Tool Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "e1344b7a-c6ce-4117-4e54-c1865cba57df",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Uninstall Sysinternals Sysmon"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "4ed666e7-e78b-4b16-c4bd-1612077f0065",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "File Download From IP URL Via Curl.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "c70669f8-ed0f-df3b-f2a4-6e8605285bb1",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "New DLL Registered Via Odbcconf.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "7a110d73-1faa-19d5-10aa-bd44ad1e783f",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Uncommon Child Process Of BgInfo.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "2a048dab-1493-f4cf-68dc-2fc90db2a471",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious ZipExec Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "db4d52b7-af14-c61b-c1e1-5b52f036b5e0",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potentially Suspicious Electron Application CommandLine"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "12bc26c7-41c4-101d-3d26-8419d0725870",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Wusa.EXE Executed By Parent Process Located In Suspicious Location"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "7d9d897f-58c0-2dae-d6f2-410c0f0f5e07",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Shim Database Persistence via Sdbinst.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "c9ee66ac-639b-5403-8384-6c70ecdcddc1",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Privilege Escalation via Service Permissions Weakness"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "d8582a0e-2c3c-6716-d6d8-a79c4ce5ff75",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "0ce3d50b-989b-895d-96cd-f820e09f2e18",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious SYSTEM User Process Creation"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "1c7255e9-5677-0dce-20d7-83f42f4a517c",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Perl Inline Command Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "4e18ea92-76c9-f5f4-1980-ea4c976954af",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "65dc2fc6-8f96-eccf-0cba-714a1f3af110",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Invoke-WebRequest Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "031e5974-b1b0-7293-81e5-57a3c3009f63",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "File Encoded To Base64 Via Certutil.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "afe56692-d76f-5259-cd59-c1032f5cf01b",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious ShellExec_RunDLL Call Via Ordinal"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "835ff144-018a-4ec5-3788-ea773f0fd869",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PUA - DIT Snapshot Viewer"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "6068456f-1654-f0e0-1573-add14847b216",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Indirect Inline Command Execution Via Bash.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "f4e44868-e934-1170-ff1e-dc154741e18b",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Always Install Elevated Windows Installer"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "6646eced-c21d-4c5f-dae2-0a7a43be1d5c",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Copy From Or To Admin Share Or Sysvol Folder"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "e5dce32e-6986-6417-4a01-aea6093f1e87",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PrintBrm ZIP Creation of Extraction"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "34fbd3e7-f286-812f-f5a0-61d77817a0b4",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Download Via Certutil.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "f0e123c3-0e38-7799-a7bb-c5682449e2e8",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "InfDefaultInstall.exe .inf Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "bf39ad4c-8a90-0e00-7076-2436ebb83b41",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "DeviceCredentialDeployment Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "a7aba663-3da2-bc96-f8c3-acd95b2b3052",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "OneNote.EXE Execution of Malicious Embedded Scripts"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "b9b053da-68a6-d372-9780-828406597122",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential SquiblyTwo Technique Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "3037cec2-08d0-f4a4-91c3-668db3535704",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Windows Share Mount Via Net.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "37b23b1a-fcb3-7612-9af9-bcb48f1877d7",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Remote File Download Via Findstr.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "9a0eb817-c07f-1061-89e6-3f30825c8e37",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Credential Dumping Via LSASS Process Clone"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "58180213-29ed-6aa8-7558-806ba2830b7f",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Nslookup PowerShell Download Cradle - ProcessCreation"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "3efca659-a57d-a642-952a-5f476a210a07",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potentially Suspicious Ping/Copy Command Combination"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "ea83af54-6f44-4f59-df6c-6d8669775fcd",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Arbitrary Shell Command Execution Via Settingcontent-Ms"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "2d61b1f3-942f-cd54-c470-efc9dad10255",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "ETW Logging Tamper In .NET Processes Via CommandLine"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "802f2f6f-fab8-e8d2-bb45-6ad7a2f8f4a7",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "DllUnregisterServer Function Call Via Msiexec.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "ba8fde0b-93d2-2680-ea4d-b260729bf75e",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "All Backups Deleted Via Wbadmin.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "07d9d3ee-e3e8-9005-68ba-2e1c50fd018b",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Registry Modification Via Regini.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "24c9aace-94e9-d8a7-f3fc-58eaff2eefea",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "File With Suspicious Extension Downloaded Via Bitsadmin"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "6e250513-0f66-ed08-f2e8-81c7884c15a3",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious DLL Loaded via CertOC.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "27d72949-e67d-d712-e695-b0f3fe1d1428",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "bbfa2296-5f8e-96c6-f1fd-0e0bcda268dc",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "50bb828c-a04e-d207-bb34-71d9f1144a73",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Computer System Reconnaissance Via Wmic.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "532fbfdd-28df-ea62-93c5-a2d9f558f9d7",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - Default PowerSploit/Empire Scheduled Task Creation"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "2c2b3870-6e31-b098-9771-e14231da412e",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Tamper Windows Defender Remove-MpPreference"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "2510ad44-2338-340a-8439-d99181aef4f2",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "555c9e0e-bd1c-accd-f824-11a77ca76819",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Diantz Alternate Data Stream Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "a564e04a-c562-3596-74f2-efb859c61856",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Adplus.EXE Abuse"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "5656cdf4-b7e5-dbcf-3fc4-2d935d5999cd",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Obfuscated PowerShell OneLiner Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "6770bbc3-76b1-d22f-6192-d180542dc2a2",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "New User Created Via Net.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "57e2b3e2-fb28-0497-4729-aa536a2a5089",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "MMC20 Lateral Movement"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "bc230d45-327b-2042-de48-73c5a52eb131",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Add Insecure Download Source To Winget"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "9550441e-5f01-6f0a-60db-abd27009e95d",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "DumpStack.log Defender Evasion"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "40457d53-1448-2b59-d171-3ec4d0c7e8b6",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Deleted Data Overwritten Via Cipher.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "233231d1-9636-f53b-5bc9-0b43d4d9a539",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Group And Account Reconnaissance Activity Using Net.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "08cdc165-8915-fdf4-625a-7c4f625d5efe",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Persistence Via TypedPaths - CommandLine"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "97051c88-88d9-2462-99f0-99115c8013c9",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potentially Suspicious Child Process Of DiskShadow.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "0cad8839-9b0c-0a2c-8b61-c2b539604a10",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Shadow Copies Deletion Using Operating Systems Utilities"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "31a31ff3-32c0-0f43-bbec-b089825d4c52",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Binary Impersonating Sysinternals Tools"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "e11f3d67-9772-748c-2a6a-e825964efe89",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - XORDump Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "7c9f3379-969f-2e9a-5a03-cc75e44fffd0",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Command Patterns In Scheduled Task Creation"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "962dcd71-b0d7-ad49-1fe6-2966daf7a411",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Script Interpreter Execution From Suspicious Folder"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "ee28ff63-eaf6-56ee-7406-da65896bc0e5",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Use Short Name Path in Command Line"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "b331fafb-1ddd-52ca-9bc6-1ef1b08828b0",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "File Download Via Windows Defender MpCmpRun.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "9c2f40db-46e4-85f0-3104-427e61b344a1",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Program Names"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "033b2a23-2b9c-4ad7-db96-f2f2a509169c",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Exports Registry Key To a File"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "04f5d1ee-1b2f-dc73-a3fd-a7277cb56195",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Renamed Rundll32 Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "6375eb27-4436-c582-1f6d-066ebfb78131",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Execute From Alternate Data Streams"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "a14e43f1-2c46-bf33-4ae5-b72dec4e8f0f",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Assembly Loading Via CL_LoadAssembly.ps1"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "49f7221b-6487-9808-ded9-4019dfe83e80",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - Impersonate Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "06860765-c664-13b1-1bba-4ae0606ad697",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "New Generic Credentials Added Via Cmdkey.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "cb9078dd-dd0d-01f3-eee3-a3dfddf5858e",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Execution Location Of Wermgr.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "912e3077-a6e6-c6a3-649e-01cf0d496eb3",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Uncommon Extension Shim Database Installation Via Sdbinst.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "61e02907-aae8-db6e-46be-fbbed3a0a0d3",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PUA - NirCmd Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "570163b5-0034-92d2-919d-b0027cb8ee68",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "MsiExec Web Install"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "94ae2cf8-1a32-d069-3ee0-eaae5f14745e",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PktMon.EXE Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "687991ec-6a52-9d7a-a775-7e80204757b3",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "2c25a504-0f86-ca3f-43e0-5a40240a81fd",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "OpenWith.exe Executes Specified Binary"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "7d26daa9-542e-73b8-57cf-fd0cd8794d26",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Disable Important Scheduled Task"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "4dbb6aeb-a6f4-b360-d399-0b08844976b6",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Kavremover Dropped Binary LOLBIN Usage"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "a404c83b-51de-a308-f6fc-659d55a00b6c",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious File Download From IP Via Curl.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "5f7d7535-bf69-3a27-8300-415e9b0ed170",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Windows Kernel Debugger Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "095ae799-3f3b-554f-3c83-f8d48e711e72",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Processes Spawned by Java.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "d5a94ccf-58fd-7481-3683-e59fbf33e8c1",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Uncommon Assistive Technology Applications Execution Via AtBroker.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "17babac2-1f37-4875-6354-a2ba383af162",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Local Groups Reconnaissance Via Wmic.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "e5c800a5-3e9b-b168-6ef9-6f47f8a19124",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - SharpLDAPmonitor Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "33667ca9-e2d9-2762-b163-7e71780bc3b1",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Process Memory Dump Via Dotnet-Dump"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "18f506e1-2726-f3fa-8429-f7b06ce69825",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Script Execution From Temp Folder"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "7987377e-ddde-302c-5a17-7723837a1d38",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - SharpWSUS/WSUSpendu Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "057c8ea6-1759-bf0b-4271-d71dfc700239",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Uncommon Svchost Parent Process"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "b7f2ba3f-b64d-9b62-1e90-ebefd17f3b94",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "b5028244-965b-dd46-d698-f480c7c963e5",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Chopper Webshell Process Pattern"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "e8e1c7ac-50e7-03e1-c3d6-e1192efc4260",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Remote Access Tool - ScreenConnect Server Web Shell Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "9db1274b-d76a-ecf1-8433-113dd1782631",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Capture Credentials with Rpcping.exe"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "3681f000-5b6c-d6a6-3a0f-8240c1325dc3",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "ShimCache Flush"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "5b3bdcfc-fce3-bba8-39c8-ba8a4776d99e",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PowerShell Base64 Encoded Reflective Assembly Load"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "26773337-b821-6c5b-2c1f-2e6cca581b84",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "WmiPrvSE Spawned A Process"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "18dfc536-9538-c1a3-545c-82b5c749672c",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - PurpleSharp Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "61dd8b58-6c93-639f-6342-1ba077ce0f45",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Persistence Via Sticky Key Backdoor"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "912866aa-0cd5-dcb6-e1d4-a0b6cbbdc575",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PUA - DefenderCheck Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "60b34e33-95fe-6beb-2917-eb4309e6dcd8",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious RASdial Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "7ba37b73-d32a-9fdc-27f1-372220985b67",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potentially Suspicious ASP.NET Compilation Via AspNetCompiler"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "deb3c0f1-0961-ecf5-5c89-8c7640d2b22f",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Powercfg Execution To Change Lock Screen Timeout"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "3dce4add-2a09-340f-3b2e-5d79b18a4adb",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Password Spraying Attempt Using Dsacls.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "adc0be0e-1fd7-a7d2-38cd-74c936dcd78f",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Driver/DLL Installation Via Odbcconf.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "93586827-5f54-fc91-0b2f-338fd5365694",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "7Zip Compressing Dump Files"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "f4b28578-b356-1cbb-4554-acd9a8b62c9b",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Indirect Command Execution By Program Compatibility Wizard"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "fb65baaf-fbef-b775-a0f1-03268c7e5fa5",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Msiexec Quiet Install From Remote Location"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "e43a9b6c-3df8-4f97-b870-474e24033f49",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PUA - 3Proxy Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "9c5b92ea-7921-f006-6f7b-a5f9ce49a774",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Arbitrary File Download Via Cmdl32.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "69ecc75a-13a3-371f-01a6-fcb003da67b4",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Portable Gpg.EXE Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "2a6f617c-481d-6799-1fd1-f7e0a24d76bf",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - PowerTool Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "e2ad4178-62be-451e-624c-06ea47918a7a",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Dllhost.EXE Execution Anomaly"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "091f16dc-7243-8589-626d-3f1fa16f326b",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Findstr Launching .lnk File"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "3d04a8d4-c258-0c3b-8665-5803d5ceba7f",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "SyncAppvPublishingServer Execute Arbitrary PowerShell Code"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "7a1b8071-8f13-c99a-439b-e2769871d008",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Microsoft Office Child Process"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "234669a1-2f84-3670-fbb6-7636e8b78731",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "File Download with Headless Browser"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "12b4859c-0eeb-091f-3b96-09ffcd5e9a9a",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - Covenant PowerShell Launcher"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "bb0ae7bd-c963-0404-061e-ae3c6b866830",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspect Svchost Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "f3a177b8-4d9d-843b-e8b0-8a6dac39b8ae",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PUA- IOX Tunneling Tool Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "5ede905b-ba07-4607-d2f1-ae3b552a752f",
"level": "informational",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious High IntegrityLevel Conhost Legacy Option"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "3b83d907-4a3c-e167-7892-6f19c85d3edd",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Audio Capture via PowerShell"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "fc4ecc21-82a9-f983-5331-c9e94cfc7cfd",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Cloudflared Tunnel Connections Cleanup"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "3ea85a25-dba7-a10e-8a48-9aa4dc65abb9",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PUA - Advanced Port Scanner Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "57428c1a-2716-80c7-6059-bb8408c50569",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Rebuild Performance Counter Values Via Lodctr.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "5557e23a-e632-646a-e8ae-d0a476f8cea4",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Invoke-Obfuscation Via Use Clip"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "f9b2ffc9-5ec5-9898-b546-301c85fa3892",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Active Directory Database Snapshot Via ADExplorer"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "fa02ff62-1ebd-d56a-ffa0-8accc97eeec4",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Remote Access Tool - ScreenConnect Remote Command Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "6c6e8f1c-70aa-c21c-7860-3cd72022adb7",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Renamed AutoIt Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "a81385de-1365-3d8d-2778-5d914a66d61e",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potentially Over Permissive Permissions Granted Using Dsacls.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "735b333c-168f-1517-ce6e-44604578243f",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Use of Wfc.exe"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "3c178fa3-3914-652f-7007-f1d6f385c2ed",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Remote Code Execute via Winrm.vbs"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "4f66eca2-1272-c8d1-d056-e903294b1046",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Whoami Utility Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "69775960-6b6d-e4c6-a758-e539859c34d4",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Remote Access Tool - RURAT Execution From Unusual Location"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "af675749-89e4-ecbe-08aa-846a61be3500",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Firewall Configuration Discovery Via Netsh.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "9bfa1ffb-5b30-0951-fa5a-9746a98f1a6a",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Sysinternals PsSuspend Suspicious Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "6a04614f-59c7-e8c1-6a54-5cc3b4eb1810",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Data Stealing Via Chromium Headless Debugging"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "28b7f50a-c189-4a2f-314e-b19aa4b63468",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "SQLite Firefox Profile Data DB Access"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "3fc98f17-3322-83c7-6332-d7813d88d4f1",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Hiding Files with Attrib.exe"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "df2b1ca6-a4d3-e875-ca48-ed65bd486a5f",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "New Remote Desktop Connection Initiated Via Mstsc.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "e6f654c0-1d07-0204-f77c-f791d88e44d0",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious UltraVNC Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "0d996232-49fa-9bae-0ee6-ad86ec993064",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Scan Loop Network"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "aac97665-0e43-e14b-bc3c-bbefd72790dd",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Execute MSDT Via Answer File"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "39a37f01-5f47-60db-1809-3aef76fc537a",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - Impacket Tools Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "26132f4c-3dfc-593f-2d62-2e8ff59e0720",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Arbitrary Command Execution Via FTP.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "140c6c67-8cac-1d16-5654-bf2221dc7542",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Forfiles Command Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "9040711a-5958-aed6-ca57-ab80997eb33c",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potentially Suspicious JWT Token Search Via CLI"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "e2ba6258-28e5-71a1-3cb2-d13b881841dc",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potentially Suspicious Desktop Background Change Using Reg.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "cb760152-8522-8711-dfe0-de3bafb00e2e",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Rundll32 Spawned Via Explorer.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "ab4d23c2-9f69-e6fd-d546-041e823f0147",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "RestrictedAdminMode Registry Value Tampering - ProcCreation"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "a3af3078-fe5d-0755-0f26-3833f03a1a6a",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Query Usage To Exfil Data"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "2dadd86d-ec91-774c-96a2-b80b47515d60",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "New Kernel Driver Via SC.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "ebccbc0b-0513-7912-7679-1ff5d676842e",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious File Download From File Sharing Domain Via Curl.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "ebd8be0a-94fe-a103-a2bd-e48cc9af988d",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PowerShell Script Change Permission Via Set-Acl"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "15f30e45-8a75-9af7-3703-c6af70b3d9f5",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "DSInternals Suspicious PowerShell Cmdlets"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "f539aaee-c369-f209-b744-3e1b8b37c936",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "File Decryption Using Gpg4win"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "a81ad1b6-b20d-14f9-7c3a-e41f81fd519f",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Reconnaissance Activity Via GatherNetworkInfo.VBS"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "de663faa-aac0-dab6-a4b3-8d8c8a00ef96",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PUA - Chisel Tunneling Tool Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "cb1cfe0e-5561-53fd-9c94-ab43c3826cf5",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious CodePage Switch Via CHCP"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "9990ea1d-fc80-2490-3c4f-8237e8bfbc7f",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious AddinUtil.EXE CommandLine Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "f5338a44-bd1b-81a7-3b76-7e2efbe1ce0d",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - Inveigh Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "598ec0b9-1b1e-4814-86ae-15ef649eb159",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Copy From VolumeShadowCopy Via Cmd.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "54b11eae-5cc5-72a8-7b50-b842a057933e",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Mshtml.DLL RunHTMLApplication Suspicious Usage"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "e6b6d67d-434b-039b-029d-55391089a033",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Bypass UAC via CMSTP"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "8bb8dbbf-4781-7bf2-3340-f3b39cc8501a",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Remote XSL Execution Via Msxsl.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "15e3c45c-06b7-5da5-4bc0-66cf00fcc185",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Shell Process Spawned by Java.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "e394e239-a5c1-5879-edab-2c697795ff9e",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Invoke-Obfuscation Obfuscated IEX Invocation"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "51e070ce-c40e-99ba-6652-7a5ac4f85fea",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "412f66af-4b64-0d69-8b91-9fa5161724cd",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Control Panel Items"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "56a9069d-21e3-4b02-f132-6a4e930a4432",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - TruffleSnout Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "42b13785-107e-7eb5-074f-9d1ca751c065",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Elevated System Shell Spawned From Uncommon Parent Location"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "67e63fd2-26a0-1961-477b-8f6b517ae20b",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Binary Proxy Execution Via Cdb.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "740e34bc-7ca6-ebba-db66-9b466f9c7558",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Compressed File Extraction Via Tar.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "ae9cee89-1554-68ec-26d5-616c9e234796",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "DLL Sideloading by VMware Xfer Utility"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "54a21dac-be5a-04d2-da18-4bdd55216fa0",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "CodePage Modification Via MODE.COM To Russian Language"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "a7ed3875-d941-ac17-9f8a-7828f6a11738",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious HWP Sub Processes"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "0114b671-6245-50f6-97b3-693945ab45cc",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Malicious Base64 Encoded PowerShell Keywords in Command Lines"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "94e6ca30-ee68-9136-837c-513d6086ce6c",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Credential Dumping Attempt Using New NetworkProvider - CLI"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "432d294d-a306-5b48-a105-306e9dfd78cf",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Interactive AT Job"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "0ea4a0ee-5c69-9f71-3691-d203eb76c9fc",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "New Root Certificate Installed Via CertMgr.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "3098e48f-fecd-881b-462e-38104798a111",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Schtasks From Suspicious Folders"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "a40c99d5-1323-f65d-73d1-ca673940b7b2",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - PCHunter Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "be78b4b9-f54e-84e0-b62f-872d92b15df9",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - LaZagne Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "cda8f35e-7183-91df-da4b-c9598a42fd3b",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious AgentExecutor PowerShell Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "f9884b6b-0ac3-139d-1ebe-a5587c9a51fd",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential LethalHTA Technique Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "7aeff814-b27b-e580-603c-4c71d478a677",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Delete Important Scheduled Task"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "7f7e34fc-8a05-170b-7892-a5b0aefe2983",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Cscript/Wscript Uncommon Script Extension Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "814014e5-bfa2-e72a-4f31-6155fab87672",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious PowerShell IEX Execution Patterns"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "9295c6c5-8012-1bb1-6460-1440670cc734",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Webshell Tool Reconnaissance Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "a7598bcd-02ee-2b0a-092f-27aeb1e15e94",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Wab Execution From Non Default Location"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "f54d52ff-5047-da16-21d1-67d79aacd624",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Disable Windows Defender AV Security Monitoring"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "f0f9d4eb-6b2b-b7dd-4bba-a3e2739203f4",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Regsvr32 Execution From Highly Suspicious Location"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "01ee4326-bf63-03dc-3a07-97129ea929cb",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Mshta.EXE Execution Patterns"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "c78a9b49-3e9d-b00c-9e65-90d9f30bbe50",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential CobaltStrike Process Patterns"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "4304f0ae-3682-de08-b8f4-d768ac9cb749",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Execution of Systeminfo"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "42dffab1-87eb-35dd-8aad-81c3744a89ed",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Encoded PowerShell Patterns In CommandLine"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "300b2c4e-03e9-b2ee-c6c3-9c87971d4bf2",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Child Process of AspNetCompiler"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "fc5c47f8-9b56-8d98-de6d-cd2b31c648f1",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Encoded PowerShell Command Line"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "0b0db942-3c12-3469-b96f-420423d80dbb",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Regsvr32 Commandline Flag Anomaly"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "dd05faca-794f-ae1f-a880-bb0237d1443f",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "User Added to Local Administrators Group"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "844df162-c07b-4b60-29d1-adf324d785f5",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Script Proxy Execution Via CL_Mutexverifiers.ps1"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "6e8f01f5-1282-1217-9c7a-9b84824e30a7",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Abusing Print Executable"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "685a2b5a-0d1d-e78a-174a-b35f1069684b",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "AADInternals PowerShell Cmdlets Execution - ProccessCreation"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "b85ec837-2a0a-7e8d-e3cb-a5f960e625e5",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "4c2ffc3b-017b-451b-81bb-1739d5d5b1d8",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "User Added to Remote Desktop Users Group"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "57b77c31-00b9-0cc8-2bba-b8620f34a730",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Scheduled Task Creation via Masqueraded XML File"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "42949869-416c-aa49-476a-3f2a4b57aa8c",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Logged-On User Password Change Via Ksetup.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "0e51a9f2-52ef-1f9a-cd41-f229ac148283",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Registry Modification From ADS Via Regini.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "f8095356-407c-fb04-afa9-b637495e8d2b",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potentially Suspicious Cabinet File Expansion"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "3425d55a-86e5-737e-7213-a8a416faeb89",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "CMSTP Execution Process Creation"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "864f6704-33c0-cdec-c3fa-ae453ca199c1",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Copy From or To System Directory"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "469a9d6a-0e9f-492d-9e3a-e0f35762874e",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Browser Data Stealing"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "1e03e881-94a8-1c6c-d90d-47c97d22bb89",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Ping/Del Command Combination"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "c03c42ba-1e4e-45c3-c0ba-c8d38b077ee7",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Base64 Encoded PowerShell Command Detected"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "bd0d2f25-0055-04fe-5229-5ddc996bcdaa",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Sensitive File Access Via Volume Shadow Copy Backup"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "58f6b474-361b-17a1-718b-461048f72ee2",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Persistence Attempt Via Existing Service Tampering"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "70e8ecd5-c850-e676-1c25-2bdb4f5ef98c",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Windows Admin Share Mount Via Net.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "c4306817-4a47-606b-e363-d48b4d305f82",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious IIS Module Registration"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "af422edd-75d2-0585-95bf-c4e72291a69e",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "File Download Via Bitsadmin To An Uncommon Target Folder"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "f4d831e1-972e-94c7-61af-2c756813c8af",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Remote File Download Via Desktopimgdownldr Utility"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "0d0facfd-ddef-e44b-f118-c42aff14db7a",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PowerShell Base64 Encoded Invoke Keyword"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "64533e2e-fc62-38e3-32ed-413f474d82c7",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potentially Suspicious Child Process Of Regsvr32"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "5ccc4b5a-ddf6-63e0-3b00-82be3eb56506",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - Empire PowerShell UAC Bypass"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "c4a80f4d-4976-2f43-f3ef-3feed52e43dd",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Execution From Outlook Temporary Folder"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "1c799762-beac-3409-8ab4-09485fc2ca91",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Remote Access Tool - MeshAgent Command Execution via MeshCentral"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "891ece81-d720-ce9c-fe02-6e491c7adb14",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Command Line Execution with Suspicious URL and AppData Strings"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "01ee1af2-8f96-35c2-ce46-97013e496a07",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Query of MachineGUID"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "17d5818d-8b83-0d06-600a-d4adc1b2f136",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Wab/Wabmig Unusual Parent Or Child Processes"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "9974aa8a-7f9d-e45d-d1f2-353a893b2572",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Remote Access Tool - Anydesk Execution From Suspicious Folder"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "4aab609a-ee21-b8ac-c046-68400df5cd4e",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Execution of Shutdown to Log Out"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "98e8d981-f4c4-0375-e252-80c62c6ff415",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Use of VSIISExeLauncher.exe"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "c9e0d554-2be2-3ae9-6b9c-e80fde3df203",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious TSCON Start as SYSTEM"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "705fa07c-8ce4-2fcc-9d33-de2ac20c6369",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "ManageEngine Endpoint Central Dctask64.EXE Potential Abuse"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "4f9a9515-6240-4eb8-beb5-f86cb1f08036",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Group Membership Reconnaissance Via Whoami.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "926d4093-40e5-c7e0-f87e-01b94cbb63a7",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Workstation Locking via Rundll32"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "dfd2290c-5c82-62f3-7643-4df329d43ce1",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "52ddd559-9234-130a-cd5d-8be4384d1224",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - GMER Rootkit Detector and Remover Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "67db6bcf-cb5b-3e0b-2ba8-4afd9e5ca3a8",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "File Download From IP Based URL Via CertOC.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "58d3ef60-05d8-9a87-7fde-3bd696dba247",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Powershell Inline Execution From A File"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "a4a76a8b-fc4f-2887-8edc-9a4d71e5c86b",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - CrackMapExec Execution Patterns"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "20f83d4c-6338-a0c0-b882-c4c1997c025f",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious PowerShell Download and Execute Pattern"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "1cc14403-ea65-fe73-9eab-a49768dbd354",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "CreateDump Process Dump"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "1cd7857a-df64-5472-b57d-5938f87f3e5c",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Child Process Of Veeam Dabatase"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "f94fdc78-2a2f-b107-8abe-c68c288a8e0c",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Remote Child Process From Outlook"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "d90fcd50-5835-4b80-6d1a-c708404a142c",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "XSL Script Execution Via WMIC.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "a138f860-6c01-6ff3-2c12-046799df8672",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Electron Application Child Processes"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "9d1b91e6-c352-6742-5913-b8046ff77518",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Bypass UAC via WSReset.exe"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "a0d3fa7f-7155-4aef-0428-ccfae2e54d9f",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Greedy File Deletion Using Del"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "452b2159-5e6e-c494-63b9-b385d6195f58",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Double Extension File Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "310bf792-4e0d-b9ba-7dea-7512f8953921",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Enable LM Hash Storage - ProcCreation"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "0fea9c26-5302-3b51-7884-b9ed47e74157",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Cloudflared Tunnel Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "08a52423-1768-5eb8-726f-bfae99db5f64",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "UAC Bypass Using PkgMgr and DISM"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "7d442414-1318-9f2d-6f0c-65ff86c357de",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Defense Evasion Via Right-to-Left Override"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "36f17029-664a-9448-86bb-81a24da07e7e",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Uncommon Child Process Of Conhost.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "5485eaef-6cb2-5361-f012-c32a0798ac29",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious PowerShell Mailbox Export to Share"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "2f7ca8a6-7f75-cecd-494a-76a83910eac9",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potentially Suspicious Regsvr32 HTTP/FTP Pattern"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "d5e7858d-f6fa-9fe9-e747-ff3a3312244e",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Windows Defender Definition Files Removed"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "5ea0b54f-98b4-7cc7-6c38-01a53470b4e4",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "C# IL Code Compilation Via Ilasm.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "1bd2b1a4-7ec2-8aac-b8fa-fa17526df88a",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Start Windows Service Via Net.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "953dba36-324e-646a-d6e5-ef62aedd2205",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potentially Suspicious DLL Registered Via Odbcconf.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "6b789465-3c6e-9af1-e00a-929db8f324d1",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Schtasks Execution AppData Folder"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "bc5fbebe-3d3b-0833-ff7d-34a3c035c017",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Regsvr32 Execution From Potential Suspicious Location"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "77495bbc-a90d-6112-a1bf-c357d3b901fd",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "LOLBIN Execution From Abnormal Drive"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "0cc20ab0-4c30-c947-6985-884817d59f4a",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Set Suspicious Files as System Files Using Attrib.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "a5621ded-7646-ab81-f618-d9132148ad46",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Diskshadow Script Mode - Uncommon Script Extension Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "9a2b890c-d67f-9cbf-6350-4365c0828269",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Arbitrary File Download Via IMEWDBLD.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "a84f4bc1-ba9a-517d-9339-0a232578cf27",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "65188275-2c87-e92b-f463-550b550ef7f5",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Python Inline Command Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "49da8649-c56c-f962-aade-f62bb1cd465c",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Hidden Powershell in Link File Pattern"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "42e5d701-5c5b-c050-7996-f166b0907531",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Diskshadow Script Mode - Execution From Potential Suspicious Location"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "62e77033-e379-af4f-5bc4-a7f722328265",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential NTLM Coercion Via Certutil.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "b775be60-00d5-cb10-a24f-ba7f10563dcb",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Recon Activity Via Nltest.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "0d186f78-d83c-0c4b-100c-cbdc93891947",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential SPN Enumeration Via Setspn.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "1a00950e-36a2-0312-33ae-1d272dc02169",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Computer Discovery And Export Via Get-ADComputer Cmdlet"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "cb0503aa-0857-ee4c-cde4-211dcf7917f8",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HH.EXE Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "16ff576e-457b-7067-2eac-58bb28e7a9dd",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Arbitrary File Download Using Office Application"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "ccbdac70-917f-7393-ee60-cc1586b03137",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious New Service Creation"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "9a71e218-8397-8c6b-22e0-fc805c7e6571",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Service Path Modification"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "5c7dd694-d4dd-a0a8-ea44-8357ca998b69",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Use of FSharp Interpreters"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "982b7732-cb4f-a678-742f-12975f002ced",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Firewall Rule Update Via Netsh.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "874b58be-13ea-f81c-3413-0356498356e2",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Script Event Consumer Spawning Process"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "69f1f3b5-0009-eed3-f99e-e0db531c168b",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HTML Help HH.EXE Suspicious Child Process"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "e96c2fac-d250-ed6f-8382-328d4faa876d",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PUA - CsExec Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "24b74db7-6d52-4791-9c5a-8e5de42df8f2",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Computer Password Change Via Ksetup.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "de9e4f46-8404-a8bb-7f5a-78bc21b25a9e",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Uncommon FileSystem Load Attempt By Format.com"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "b8f11c05-4178-dd22-a155-a560b4974008",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Download from Office Domain"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "90622c98-76d8-785d-1539-e8120fa53bc6",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Esentutl Gather Credentials"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "ec21a11c-311b-e205-6bb5-57d26e408fcb",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious PowerShell Encoded Command Patterns"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "ebef59bf-5a12-af67-8a95-a282ae4bdaf6",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Audio Capture via SoundRecorder"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "85c1b693-1ea8-0d6c-249a-3a2bffdd4bb4",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Obfuscated IP Via CLI"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "897d8214-575a-533d-6b1e-a21219da4532",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Regedit as Trusted Installer"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "fa8c67ae-ace2-9a11-43d7-c5b5954ce489",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Child Process Of Manage Engine ServiceDesk"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "5a05c10d-f2a5-f434-4d63-63cd535745b6",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "09c3b6b8-4904-bec5-4fc1-d69447e6ff3b",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "New Process Created Via Taskmgr.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "0a1228c0-6754-8156-d07f-6aa2daece740",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Gpscript Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "02224309-c907-6de7-60e0-09470aa6d721",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Replace.exe Usage"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "63a8494a-3c4b-3902-2efc-f0ed49065b75",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Sdclt Child Processes"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "be670d5c-31eb-7391-4d2e-d122c89cd5bb",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - Rubeus Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "bedacc2c-35b3-fa81-61dc-a81f0369247e",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "c2ba2ab9-14d6-22d6-50e6-def8d485c093",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Browser Execution In Headless Mode"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "bb8639b3-534e-d193-84ff-570b4a6eb383",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Chromium Browser Instance Executed With Custom Extension"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "5054d08a-687f-e98a-b2ca-ebbe7e3035b0",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Debugger Registration Cmdline"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "a69dee50-f5d1-178f-3794-9e06d089fc93",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Redirection to Local Admin Share"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "5a3de052-774a-c805-ef2c-a9b71abecc0a",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "New Firewall Rule Added Via Netsh.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "245dab46-e862-0264-ae5c-a935a1f94160",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Data Exfiltration Activity Via CommandLine Tools"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "d39155d0-4154-66c0-1d94-6c61d77f27e7",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Execution of InstallUtil Without Log"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "1245d006-c502-7e4c-66d3-55cfd5aa5fc4",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Browser Started with Remote Debugging"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "48f9e545-da57-e944-30a6-d6ed66b4f001",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Weak or Abused Passwords In CLI"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "9221ea23-8f7a-5f6e-cde6-763911fe289d",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Persistence Attempt Via Run Keys Using Reg.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "550c629f-0dc6-83a7-efce-0afef9c45e4c",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Detection of PowerShell Execution via Sqlps.exe"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "f880519f-4419-7762-c6d0-7676fd2192a9",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "System Disk And Volume Reconnaissance Via Wmic.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "f97091ca-49b9-ea39-1091-bc06ed73b48f",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Privilege Escalation via Named Pipe Impersonation"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "471f9aca-34da-a143-18bc-d54d121778dd",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "DLL Loaded via CertOC.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "a0fca779-5f2b-605b-e4a3-04829ce8bca5",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Sysprep on AppData Folder"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "b192c555-7ec6-6836-9df6-a81347c77e35",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - Quarks PwDump Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "9137ba87-68d5-272d-9ada-3803321cb4c4",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Direct Autorun Keys Modification"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "7371bd41-e687-4fb7-9c66-a38b83560275",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential COM Objects Download Cradles Usage - Process Creation"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "e0e9ccfe-20b3-2dca-ffe5-0e6c86ad22bc",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential PowerShell Obfuscation Via WCHAR"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "1a6983b5-f09c-767b-3ebe-349e7cde3c8e",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Extrac32 Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "0922802a-a57f-bd7e-c635-64ffdf4824e9",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious File Execution From Internet Hosted WebDav Share"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "9936b6f6-994d-8664-d072-7e6900571270",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Dumping of Sensitive Hives Via Reg.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "bc5cba6d-bdf9-70db-83d3-ffea696528e5",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "c4597337-053d-373e-4faa-cc0e1796fde6",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Renamed Cloudflared.EXE Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "c9b38950-be40-a8b2-9d01-5912034351f3",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Add Potential Suspicious New Download Source To Winget"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "2dca5a53-e0e7-287d-3c41-45e454bceadc",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Visual Studio Code Tunnel Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "33f733e0-fb92-860f-da22-47ee0186c951",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Enumerate All Information With Whoami.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "6ffb15be-b4f1-f105-4d90-0797b05c1838",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "TrustedPath UAC Bypass Pattern"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "145ace9e-159a-7105-5f01-b8880c351067",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Service Reconnaissance Via Wmic.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "1ee586c3-86e8-4b2c-b33f-80c524292d5e",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Uninstall Crowdstrike Falcon Sensor"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "b3e6207b-ca8e-5b69-8194-cd66e4bdfc3e",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Cloudflared Quick Tunnel Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "133b31a6-d87d-34ee-0699-ac8c9dce764b",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Windows Backup Deleted Via Wbadmin.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "c4e3bdbb-aa79-5067-6b21-87a8fa83ae97",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Reg Add Suspicious Paths"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "470da37d-268f-d626-f90a-04ef23655a27",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Scheduled Task Name As GUID"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "c9722d26-25e3-6e45-3950-85182a7a1b35",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Microsoft IIS Connection Strings Decryption"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "1c5c23b8-d4a3-0d4b-6116-74f8ddd96546",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious PowerShell Invocations - Specific - ProcessCreation"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "c918e9f3-229d-19b9-a50f-408e5811b033",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - CreateMiniDump Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "e16f3826-f705-a1c0-36a7-5d8d869e3ca9",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Time Travel Debugging Utility Usage"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "1ff691f3-1574-b038-89dd-518a27855b80",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Imports Registry Key From a File"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "c73c2af1-f71f-fcf6-7d69-8930f2b95d96",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Rundll32 Invoking Inline VBScript"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "9acd90a3-770d-023f-0b71-92c461984dcc",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Spool Service Child Process"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "962de487-869e-eec3-a641-839d9af9c49d",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Deletion of Volume Shadow Copies via WMI with PowerShell"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "c3cf2db9-adff-41bb-ab07-0ed4770b5b47",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Schtasks Schedule Type With High Privileges"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "3682c181-3b54-0cf3-cfdb-1d800bb7b125",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Disable Windows IIS HTTP Logging"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "0521efb1-8519-4e3b-16a4-d3b360abc475",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Fsutil Drive Enumeration"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "88689b5a-5cf9-4b6b-f596-66cc471db969",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Visual Studio Code Tunnel Shell Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "fbb20f1c-c29f-e4fb-e289-3fd4de5feda4",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "User Discovery And Export Via Get-ADUser Cmdlet"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "36fe1761-03ba-cf23-48dc-4de20028381f",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Service Started/Stopped Via Wmic.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "eac79e1c-5b45-db94-6b62-f7581c5ed0cb",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Download From Direct IP Via Bitsadmin"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "1ee3a188-7a90-b357-3e25-dd202515f11d",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Permission Check Via Accesschk.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "9acd1f19-c194-7c55-3130-8479b170af87",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Calculator Usage"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "86b3dc5a-8aaa-c378-77ea-e9d3d850d487",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Rundll32 Execution With DLL Stored In ADS"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "80e2dcdb-b882-51ac-b1e2-8440243a0492",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Directory Removal Via Rmdir"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "7a530794-a84d-d066-45bb-1d94d7f2dfc0",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "File Download Via Bitsadmin"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "acf0cb14-e141-75f6-8a56-a843022146d1",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential WinAPI Calls Via CommandLine"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "3be2ca2a-e70a-49c3-7d32-ac25c979e199",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Windows Recall Feature Enabled Via Reg.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "a2325ec9-0dd9-e21d-c39b-3e8dc0f36213",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potentially Suspicious WebDAV LNK Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "f7115cfd-3899-16ef-c89b-2db0aa711a9c",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Process Masquerading As SvcHost.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "e690ad80-ba5d-6c78-f689-97c9bdad6517",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Phishing Pattern ISO in Archive"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "468cc04c-7017-cf17-29f4-4d2845397d91",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Screen Capture Activity Via Psr.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "66a0246c-c8ba-1f83-d729-7de76ec64ee7",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potentially Suspicious Child Process Of ClickOnce Application"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "afee1b7e-2430-1880-34e2-eb2ae5bf07ff",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Install New Package Via Winget Local Manifest"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "e20cb030-7e44-e3e0-0314-4f07eae201d0",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Dynamic .NET Compilation Via Csc.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "c757a371-d2db-6f87-21a1-9951c4a5e35a",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Cloudflared Portable Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "ce29d50b-8a96-dc9b-96a1-3acbb2b68039",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Outlook Child Process"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "f35bf333-81f6-500b-dc59-92da984b5ea2",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Certreq Command to Download"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "fd5780a1-437f-d735-9ec2-8ed852b7c70f",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Credential Dumping Via WER"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "17bc9aa9-eb49-a701-4cab-cbcaea111644",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Renamed AdFind Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "b99e1330-4add-8df6-a3ab-1425cde93e31",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Automated Collection Command Prompt"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "909ad08b-a33e-57b8-8a0e-98a42a566b03",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Certificate Exported Via PowerShell"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "4295ffa5-ee9c-252b-51b9-150363e6906b",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Renamed Visual Studio Code Tunnel Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "5159a920-5ab6-272b-4cd3-a3ea17a108ea",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "File Encryption Using Gpg4win"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "40795b72-f1da-c1a0-035c-56ecfca25ca3",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Detected Windows Software Discovery"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "b1d59fa0-c42c-0efd-027d-d7721d153420",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Insecure Proxy/DOH Transfer Via Curl.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "b1b4e91a-f98e-efe3-e440-4baf203a621a",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Suspicious Activity Using SeCEdit"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "3559f022-c7da-a217-5e49-9934bcf0b06b",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Service Registry Key Deleted Via Reg.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "0052946a-1593-6881-f638-b14ac2efcff8",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PUA - Wsudo Suspicious Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "4b713aaa-d275-9bdc-3492-6a1d3582348c",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Dropper Script Execution Via WScript/CScript"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "03483409-2c67-3117-debd-eaa756713643",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Schtasks Schedule Types"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "be028779-def3-3fc8-e466-1ed868806e63",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - LocalPotato Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "52926c4e-2c91-7854-02bb-6edbfebd425e",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Homoglyph Attack Using Lookalike Characters"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "c9a20835-ce7c-8118-9269-64b5a5e8cbb5",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Program Executed Using Proxy/Local Command Via SSH.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "0331991b-8942-aa87-70c4-84360f95b7ce",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Wlrmdr.EXE Uncommon Argument Or Child Process"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "0005a605-5e4a-5704-75bf-485dbd31aa9a",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Domain Trust Discovery Via Dsquery"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "687367a8-d423-cb00-4753-adfcbf3ef580",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Modification Of Scheduled Tasks"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "315b342a-decc-2f38-398f-41e5c8fdb4ed",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "User Added To Highly Privileged Group"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "a860f5c4-f0f1-4566-1d72-4ff887bc2538",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PUA - Nimgrab Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "adbf9c6f-f765-81c9-b566-460d75f15e4a",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Psexec Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "ae7a6aa8-b9bd-4f34-f72a-5e9d33e9098c",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "NtdllPipe Like Activity Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "88058179-1331-afd7-eaea-6a77664d95dc",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Notepad Password Files Discovery"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "7ec29146-f989-0673-b4a4-9bcc03b31194",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Remote Access Tool - AnyDesk Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "d2f4e6f8-8091-3df9-bc05-f48b7a951ac8",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Invoke-Obfuscation CLIP+ Launcher"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "62ed175b-c554-0c7c-9804-0a1628688796",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Malicious PE Execution by Microsoft Visual Studio Debugger"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "cb8f70fe-80c4-48c0-0473-656666b52064",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Shells Spawn by Java Utility Keytool"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "c57b53ed-b127-34e4-6906-e0e36b11d5ed",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potentially Suspicious Child Process Of WinRAR.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "378bed70-399f-408f-0667-aa91c755a606",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Wscript Shell Run In CommandLine"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "584c503a-bcee-ab44-f773-dea130827275",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential AMSI Bypass Via .NET Reflection"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "011b5544-f9c6-7b7c-5114-f1cbce8b511a",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Rundll32 Execution Without CommandLine Parameters"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "77f6e2f1-7fec-6f30-aa0e-cec73ad32fc1",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - Hydra Password Bruteforce Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "82fb76c3-b42b-096c-0e6c-8733e1993492",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious PowerShell Invocation From Script Engines"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "63efb70a-b106-3e6a-fe1d-b3c49558ebd0",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential CommandLine Path Traversal Via Cmd.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "b4e3c1f6-6ba1-48f2-3b3a-a5183ddadbb3",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - EDRSilencer Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "6c75d760-680d-9c24-79e3-123491563466",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Desktopimgdownldr Command"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "cd36cd3c-17cb-d0c6-1e77-c74a5a6e96fe",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potentially Suspicious Execution From Parent Process In Public Folder"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "0c52293c-57fb-c251-5f09-4da3e0776891",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Msiexec Execute Arbitrary DLL"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "560853ca-0b24-2e95-ff72-810e13f675fa",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "UAC Bypass Using NTFS Reparse Point - Process"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "5161ecbd-ced9-5f55-3dba-cfb5e38cf9d1",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "VMToolsd Suspicious Child Process"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "c748889d-9dac-b46a-4f1b-812efb97e670",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Service StartupType Change Via PowerShell Set-Service"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "4b8c4cc7-a599-dafe-263f-ff5cb96a6967",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Persistence Via Logon Scripts - CommandLine"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "11009f2c-2e92-f0a7-40e3-76f389110133",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Mpclient.DLL Sideloading Via Defender Binaries"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "44150656-1e8d-43ca-eebd-2f773849d62a",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential PowerShell Execution Policy Tampering - ProcCreation"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "00ca290b-102c-83b3-ff90-2781c070cf8e",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Amazon SSM Agent Hijacking"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "0ac56170-1ec2-0fcb-1654-0178ffa1487b",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Local File Read Using Curl.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "b580d34f-60c7-757b-d2d5-f622237ad56f",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - SharpChisel Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "7d08c255-caa9-d1ce-ba23-4030c6718e0b",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Network Sniffing Activity Using Network Tools"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "0e017e81-3278-cb76-d706-690f05a18a0e",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Powershell ReverseShell Connection"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "683820e7-ec9c-fd2b-4e30-d67656765081",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Suspicious Windows Feature Enabled - ProcCreation"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "e09795ef-2d7f-3f65-8286-c3267b89622e",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Curl.EXE Download"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "afc0e7da-4e96-1953-3fa3-8e9112c06c1c",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Recon Command Output Piped To Findstr.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "403a879a-c765-af55-2a45-cce39e1f5cdb",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PowerShell Script Run in AppData"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "ded5cb8d-2fb5-7bbb-b00c-0009dc64f546",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Process Launched Without Image Name"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "991e932e-5798-025f-120d-6f19994ad2a4",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - CrackMapExec Process Patterns"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "63b59ec7-e487-aef1-5cca-722ee215db7f",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Password Provided In Command Line Of Net.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "b4f46720-2a2a-38d0-a77b-cd70dfbd3151",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Windows Trace ETW Session Tamper Via Logman.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "f8039355-05ea-ab7a-159d-51b07b17da1e",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "c4d044b3-d308-8957-f679-6b4a595d47a7",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Binary In User Directory Spawned From Office Application"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "86d129d1-cd78-4f07-9be8-edf76d9e2131",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - PPID Spoofing SelectMyParent Tool Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "549eb2a1-da80-3ed5-9385-6358ef00fe24",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - SharpImpersonation Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "c7c4727f-4a16-4625-f1f0-4d6a7b7eb808",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Data Export From MSSQL Table Via BCP.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "115e60c2-cee5-d274-5b18-9313cca77106",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Esentutl Steals Browser Information"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "68ad4ec6-5204-d63f-155f-0ad495ef92b3",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PUA - Fast Reverse Proxy (FRP) Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "e3c946f5-fbf9-ed84-e993-6f80a6467aae",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "AgentExecutor PowerShell Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "fd14e822-33da-bc04-253d-2c8cc8659a30",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Deny Service Access Using Security Descriptor Tampering Via Sc.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "7516a7b1-84de-fe17-e375-6395aa84f270",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious HH.EXE Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "351d47d4-a048-9463-4aea-54964c77adee",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "RDP Port Forwarding Rule Added Via Netsh.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "9a2d19cf-4378-c7a2-7a77-b268c7875c7c",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "MpiExec Lolbin"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "693159ba-e2b9-cb03-30d0-5234a23b26d7",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "5c3a9984-9934-58ca-15e5-cc96b8da7455",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - SOAPHound Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "8a9278f4-40c8-30f3-c1ab-7dc224491477",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Findstr GPP Passwords"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "a42438c9-7c08-7a7e-2791-43440efb6047",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Execution of Sysinternals Tools"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "1e2a7e53-8c4f-8c72-f7cc-26dca620d1c8",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Process Start Locations"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "90b43135-d789-00ee-977c-ed235554c372",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Obfuscated PowerShell Code"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "aa1b5f1a-0f18-adfb-7274-ca82c7711c36",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Data Copied To Clipboard Via Clip.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "82956673-bd55-9f29-96a4-e5bdd4083071",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious IIS URL GlobalRules Rewrite Via AppCmd"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "cf0e4cea-8b93-73a0-c4f6-1d496da38fea",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "MMC Spawning Windows Shell"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "cee773e9-972f-17a6-5cec-90899c703f16",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Arbitrary File Download Via MSOHTMED.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "eae2fe25-e367-9c8d-111c-fe4507f8e1be",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Compressed File Creation Via Tar.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "e44a6a45-107b-0cdb-3b8a-61b2e33d55d7",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "DNS Exfiltration and Tunneling Tools Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "d6747b91-0f0d-b0e6-e128-10f8dd2feb2e",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "b0b6f0e2-8ed1-fa15-6ebb-cf992c0fd7ea",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - Mimikatz Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "ba78b609-b5f0-41e2-1081-e3424cdfe02d",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Launch-VsDevShell.PS1 Proxy Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "32f1537a-1af8-ef18-4ff0-71b68b6b84ec",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Remote Desktop Tunneling"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "476ef906-3f50-4b93-19a2-cf02ea63f392",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Uncommon One Time Only Scheduled Task At 00:00"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "627c728d-1a1a-0871-ead7-d1537f0a152b",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Schtasks Creation Or Modification With SYSTEM Privileges"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "a4547750-0b4d-019c-4808-0da01680cddb",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Driver Install by pnputil.exe"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "7a6b455d-a8d7-2cba-6d4e-05d8c6c9278c",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "REGISTER_APP.VBS Proxy Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "a296b8da-2f61-8a80-7fa6-f2063c0b5969",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Ie4uinit Lolbin Use From Invalid Path"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "b229510a-6249-effe-47a7-1453bddf03a7",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "AddinUtil.EXE Execution From Uncommon Directory"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "e1b669ee-98b7-25ba-818f-8198fdb19b0d",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "1704d7d3-0c6c-8a4d-b02a-55dd951e5f61",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential PowerShell Downgrade Attack"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "ae801fc7-f16f-247e-f3da-918f64136e9d",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "File Download via CertOC.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "57fc2f43-fec9-1e23-2c1e-a5bddad94af2",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Netsh Allow Group Policy on Microsoft Defender Firewall"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "96951861-e068-11a1-bdd8-1fdc951102b8",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Usage Of Web Request Commands And Cmdlets"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "2b62781d-0af4-f828-f915-7b0039020526",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Remote Access Tool - Simple Help Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "a4c2d962-184c-6b0f-6155-edee8fac04c8",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Tampering With RDP Related Registry Keys Via Reg.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "905bbb47-6ae3-1ee8-e0d8-092361cf61e7",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Scheduled Task Executing Encoded Payload from Registry"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "6cbe870d-ed2f-e585-6d9e-201323d379a7",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Service Security Descriptor Tampering Via Sc.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "53138fa3-42f4-bab3-4939-cdc55f014842",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Detect Virtualbox Driver Installation OR Starting Of VMs"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "d1521b48-cb82-dd9a-0d90-4e3a69b29fb2",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potentially Suspicious Command Targeting Teams Sensitive Files"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "fbee28d8-8e92-176d-b6bc-0532d9a98eac",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Process Memory Dump Via Comsvcs.DLL"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "5fc3dbcc-6777-a314-9939-6cb33e4afe74",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - Htran/NATBypass Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "b23c27a3-ce02-1abb-0aa3-f1376bd9d0bd",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - UACMe Akagi Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "f4b9cf98-c3c6-4a42-a20e-6728d79f8fec",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Firewall Rule Deleted Via Netsh.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "5400e5cd-e82b-a457-8209-7ea3515c05e4",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PowerShell SAM Copy"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "79657164-232b-d42a-7eab-1d9b88196e7a",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Bad Opsec Defaults Sacrificial Processes With Improper Arguments"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "7fd1971c-8117-58b7-9bfd-d42cda435945",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious NTLM Authentication on the Printer Spooler Service"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "775ae677-184d-c90f-016f-f337fd79aa75",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious RunAs-Like Flag Combination"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "c2a0770d-11ab-758f-a9ed-de4bbee89af7",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Persistence Via Microsoft Compatibility Appraiser"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "0e292cea-6680-a95e-46e2-4b938a65597e",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Windows Defender Registry Key Tampering Via Reg.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "3679f255-d90a-49da-389c-bb16db65853c",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Always Install Elevated MSI Spawned Cmd And Powershell"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "0c504797-106a-bd3f-6172-cebfb63391b1",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "101d5724-f172-6946-1713-7b535e7c5af9",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Process Execution From Fake Recycle.Bin Folder"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "ed8f1915-a7b9-2b25-cfbe-702f1a275a5d",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Writing Of Malicious Files To The Fonts Folder"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "06305885-4321-1104-1a1d-5f6dcddf76af",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Process Access via TrolleyExpress Exclusion"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "b881e130-b2f3-59a2-f31f-1ab4f003c199",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Mstsc.EXE Execution With Local RDP File"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "b68cfad0-0e22-e824-aed8-8c1c3d1accdc",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Use of Remote.exe"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "063b6d5e-3f4e-c3a0-f506-0f8296b9eec4",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PsExec Service Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "8750a67b-7c72-11af-21f3-3e37ed642ab4",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "New Network Trace Capture Started Via Netsh.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "bfa46528-db30-f4b6-d9b2-afca48a92538",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Reg Add Open Command"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "24194c4a-9136-8ccc-cb24-c32ee6a83d2f",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PsExec/PAExec Escalation to LOCAL SYSTEM"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "7d6acc1b-aef6-8fb8-8b37-50e258273f6a",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Net WebClient Casing Anomalies"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "8f07f78d-22f4-9cc9-b3fb-8d8c7b056395",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential PowerShell Command Line Obfuscation"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "8d2051ab-4ac8-617f-7be7-3a2c8e1a8aa8",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Uncommon Userinit Child Process"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "95c13570-33d5-adaa-36e9-f489d326fd40",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Security Privileges Enumeration Via Whoami.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "9ea6664e-70c1-5f36-42c2-1fdb75330fb7",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potentially Suspicious CMD Shell Output Redirect"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "c4cc0668-2b35-4884-9119-8a558a544a6d",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Sysinternals PsSuspend Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "ac40503f-520c-79c6-d0e8-3a32c8cec7eb",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Hardware Model Reconnaissance Via Wmic.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "3135cfd1-5a2f-468b-9cf2-fbf03902985f",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Fake Instance Of Hxtsr.EXE Executed"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "8b3afca9-f927-14ee-58f5-238c5f845d71",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Fsutil Suspicious Invocation"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "49fe14e0-e6d2-95cc-58a2-431e7dd03cf5",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Active Directory Structure Export Via Ldifde.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "e88b49c4-9d10-2b2d-da20-8934c2de27db",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PUA - Adidnsdump Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "3a1e9d54-cfc2-0052-abc5-2271eee0dd8c",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Process Created Via Wmic.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "4c7b96eb-1897-7935-762d-58700203bb94",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Winrar Compressing Dump Files"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "183b6ab0-741c-5a2c-a72d-660f201d5710",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Windows Defender AV Bypass Via Dump64.EXE Rename"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "e922cc27-53d4-6ba7-9673-6c91fc2bc3ca",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PUA - NimScan Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "af00bb3c-d23f-1210-525a-d8eaf94dd907",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Windows Credential Manager Access via VaultCmd"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "602c5e30-f2c0-b275-aab7-2e95c70b2883",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Ruby Inline Command Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "e51a363c-2979-56e7-4526-c49be62e6062",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Add SafeBoot Keys Via Reg Utility"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "8578ef59-9a77-e58f-416e-a109c066b60e",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "LOL-Binary Copied From System Directory"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "f5d5ba97-4424-eaa9-ead1-528529dbee28",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "UAC Bypass WSReset"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "13ca85ff-edb5-1f6f-fc72-7387eced96e9",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potentially Suspicious Rundll32.EXE Execution of UDL File"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "b37bf4b0-3cd7-a1dd-ca56-4af874660093",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Network Command"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "a56ae12f-67c8-f625-2279-f5290ba86fa9",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Signing Bypass Via Windows Developer Features"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "5e078b34-047a-505f-5c16-344bc38300ff",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "System Network Connections Discovery Via Net.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "5bc86f64-e263-f14b-6525-bacad0b088ad",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "MSExchange Transport Agent Installation"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "9eaaf7c3-c142-31ba-f615-52ed6de31344",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious SYSVOL Domain Group Policy Access"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "125653c0-b2ab-c23a-d7aa-6a45f2add313",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "055ae5db-808f-a1cc-57ac-99f0fadbab7f",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Sysmon Configuration Update"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "6b74eb79-fb17-b0d5-5a82-d54803b88ead",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Kernel Dump Using Dtrace"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "457a72af-e7d7-48c0-0f9f-cd793a1a2584",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "SQLite Chromium Profile Data DB Access"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "e644857f-3d08-b5e8-61be-9e01a3706716",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - WinPwn Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "f52ac08e-65ef-a059-20d3-1eca726c6659",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Invoke-Obfuscation COMPRESS OBFUSCATION"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "96fd693f-cd31-d232-84e6-212a9dd1c530",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "File Download From Browser Process Via Inline URL"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "589134cd-5a71-4868-1ad1-623db28a1d75",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential ShellDispatch.DLL Functionality Abuse"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "c94695cb-a047-b9fd-ad81-7c51224d6fd0",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Execute Pcwrun.EXE To Leverage Follina"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "ecd9d96b-cb0c-0ae0-cdc4-1614f22b8e06",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potentially Suspicious Usage Of Qemu"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "2f54a1b2-dad9-be0e-bdd0-a299137396ac",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "115267f9-0227-94b2-f6ef-56939bd2c693",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Stop Windows Service Via Sc.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "e53219c7-ae63-0b28-f372-3dc6d8b00829",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PowerShell Base64 Encoded IEX Cmdlet"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "e9360920-9296-fc5f-1231-e443387e7381",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - KrbRelay Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "1f5db239-6608-ab63-3f89-95375c7872fc",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Control Panel DLL Load"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "7466d932-270d-a4c2-5851-05e1557ee730",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "XBAP Execution From Uncommon Locations Via PresentationHost.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "f096d3e4-a0dc-1035-8028-34c72c5504c6",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PUA - NPS Tunneling Tool Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "aed91788-6fab-61d2-104a-3a1ea483f8fd",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Application Terminated Via Wmic.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "b6a72c86-b6bb-0d2a-1470-ab688583f615",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Compress Data and Lock With Password for Exfiltration With 7-ZIP"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "9b584978-0d93-f10c-988d-ff3657f59e09",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - DInjector PowerShell Cradle Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "9d6f9951-dc6f-66b5-290e-ff79c75550f6",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Rundll32 Activity Invoking Sys File"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "389f8439-d42b-53a1-cb96-9387255a319f",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Execute Code with Pester.bat as Parent"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "ae6951e9-b0dd-cdaa-48f1-9c0ec91d0faf",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Remote Access Tool - AnyDesk Piped Password Via CLI"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "77303e46-58e3-05a8-24a1-2274aa37201c",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Dropping Of Password Filter DLL"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "9fac7dce-b844-3db0-da6c-98df4b015954",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PUA - Crassus Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "6b7e9ce2-c343-23e5-2bf3-223f82753b6f",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Rundll32 UNC Path Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "e768da19-d0fa-86b7-d2c1-93535bdac05e",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Modify Group Policy Settings"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "956a39b3-a319-4b78-6305-a216732d379e",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Arbitrary File Download Via ConfigSecurityPolicy.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "8356394a-a08b-72f9-f2f5-217abc6c1976",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "37366c60-8aea-e3e5-bae7-3c24e54f629b",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - Bloodhound/Sharphound Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "bde2aa8e-57e6-7c83-466b-dfdcf1a7de29",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Scheduled Task Executing Payload from Registry"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "3223b8fb-0180-c340-24b5-fc4699287906",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "0b1811c8-8c1e-c6bb-1af2-2fe3b42a6b56",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PowerShell Web Download"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "cf674881-75bf-1708-a3d3-daf22e485a07",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Network Reconnaissance Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "d9d5da14-1719-381f-170e-e347318f764f",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Outlook EnableUnsafeClientMailRules Setting Enabled"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "1f76708c-e9a2-3032-ae39-9025038a90c4",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - SharpView Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "3644cb9d-2e13-2dcc-497a-9eb0710ac9b8",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Privilege Escalation Using Symlink Between Osk and Cmd"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "16277ba9-49fc-5f62-bf22-e5c2952e32ea",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "DLL Execution via Rasautou.exe"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "e653c5ce-5d53-8f18-097d-affbeeb0425a",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - SharpDPAPI Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "a9dad077-e2f9-a739-8ac0-eb0e6dcbdebb",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Process Execution From A Potentially Suspicious Folder"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "1fb003fd-3505-dd3d-39c9-067a836b7257",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Process Patterns NTDS.DIT Exfil"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "e20075e6-6784-9276-2205-4f452684a4cc",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "AspNetCompiler Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "f483b0b8-2606-8691-2edb-5c64c3a7347e",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PUA - Netcat Suspicious Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "b206cc55-bd72-1034-393c-cb8b9e643aa0",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Renamed CreateDump Utility Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "39bd9b2b-7c43-e7a8-e882-3de14365ae19",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Arbitrary MSI Download Via Devinit.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "6ed0a1fe-48ad-ebd5-4596-bd6f5005bbe0",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Python Function Execution Security Warning Disabled In Excel"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "4083d5ce-5bfd-6eca-7ad7-6ab633bbc01f",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Service Binary Directory"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "8ba4f215-e4a8-8858-ae46-4785a18094c6",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Security Service Disabled Via Reg.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "b0fec5a0-3b3f-9e6c-b5b1-bdabd28f18ee",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Rar Usage with Password and Compression Level"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "7d84c2d9-4528-bdae-4cc2-945948102cbd",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Processes Spawned by WinRM"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "91dc62f7-9e6b-59c0-27d2-ccac03bed57c",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Non-privileged Usage of Reg or Powershell"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "49fcee15-4a91-2599-357b-6a1abe3d7cf4",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious MSHTA Child Process"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "5ced154c-67dd-89a9-5337-0da89bcd4cdc",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Privilege Escalation To LOCAL SYSTEM"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "db8f163e-5399-d993-524b-d1c4ad63c442",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential DLL Injection Via AccCheckConsole"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "5b838545-abaf-44b0-643d-b363389ecb5e",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Regsvr32 Execution From Remote Share"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "0931c657-0f5b-cc80-ce24-bb4f81b15b02",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Regsvr32 DLL Execution With Uncommon Extension"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "f477a622-8a8a-8528-fd42-9362defe645e",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Mavinject Inject DLL Into Running Process"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "fb0cc82e-63f9-6098-cd32-7f78429aeb7a",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "File Download Via InstallUtil.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "b9675cf5-52dc-a941-e484-247f3640e055",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Windows Shell/Scripting Processes Spawning Suspicious Programs"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "fbf11b3a-b52f-1a2a-a481-d059609954fa",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PUA - WebBrowserPassView Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "1c39c2aa-7a13-2826-f8c5-48a453dfd562",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Copying Sensitive Files with Credential Data"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "35f42a49-bad0-2ba7-87b0-62e78681838e",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Delete All Scheduled Tasks"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "bb3d59c6-7ec7-685a-4ae1-f39045534f39",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Uncommon Child Processes Of SndVol.exe"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "9a8e6f2d-2a56-788b-343a-a50584a15079",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - SharpUp PrivEsc Tool Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "a641f121-9379-33a5-1c52-cda13641658a",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "MSHTA Suspicious Execution 01"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "d8a821b1-813e-ed4c-5b7d-a4bf59182a64",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - SharpEvtMute Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "36d25ea3-c267-467d-2607-8791f67b7e4e",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Recon Activity Using DriverQuery.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "b77adf00-db71-5767-769e-2ba7c942d820",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Lolbin Runexehelper Use As Proxy"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "b6abae48-2937-b8aa-70ef-ae27212059c5",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Monitoring For Persistence Via BITS"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "45f32609-3f8a-58cd-cf4b-13e480be32b3",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious XOR Encoded PowerShell Command"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "d4107fed-b19a-c873-993e-db24e6528e9f",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious FromBase64String Usage On Gzip Archive - Process Creation"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "ac70393b-10a3-1934-e063-2bff18e8a37c",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PUA - PingCastle Execution From Potentially Suspicious Parent"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "dff28edb-8cbf-0aa6-a92e-123f013ce755",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "System File Execution Location Anomaly"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "4657b559-a0fa-d23b-e35c-9cde37b20f8c",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Diantz Download and Compress Into a CAB File"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "3d30b2bb-135f-d972-364f-9e41f8aa609b",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Arbitrary Binary Execution Using GUP Utility"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "61427f33-35de-ec51-6afd-e44b8ccf9023",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential SysInternals ProcDump Evasion"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "9bce1ab7-f1d3-6e4c-e5ae-6cdb2b974218",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Tap Installer Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "0a237495-b305-87bb-8e26-417ba98a4546",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Sticky Key Like Backdoor Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "d6a5fc1c-e0e9-bcc2-daed-22823802b707",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Run PowerShell Script from ADS"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "04ee126c-89e1-9dfa-1863-5f42fde61c35",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Recursive Takeown"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "3acb1e73-2bdc-efdf-3865-3967cf6ce445",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "a3eb659a-2a75-984c-1dd1-a034449b5d3a",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Splwow64 Without Params"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "5202675a-41e6-e644-d9e9-47e5f945d40a",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "File Recovery From Backup Via Wbadmin.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "ef92722b-fb96-33d7-d77b-f6770ac84d0f",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Tor Client/Browser Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "47beff1b-e312-3476-6c22-0805b517fa1f",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Binary Proxy Execution Via Dotnet-Trace.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "b3de6fc6-2aa5-32aa-2172-7e989f524bb1",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Invoke-WebRequest Execution With DirectIP"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "228eaacb-c113-c297-5804-6247ce9a2393",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Firewall Disabled via Netsh.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "3ff6fb4d-1767-844e-dbf0-3bfa8dd55d56",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "UAC Bypass Using Windows Media Player - Process"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "3412c13e-f0d6-c967-da33-0c43c8817356",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Sysmon Driver Unloaded Via Fltmc.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "767261e0-460c-37f0-aadd-2d3d361db835",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "DirLister Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "af3979fb-2ecb-3ae6-3f48-ca04d867be13",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Windows Update Agent Empty Cmdline"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "7ebc545f-8b8d-1d34-7a2e-99467ab1008d",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Suspicious Registry File Imported Via Reg.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "7fe031ee-5c6c-0eea-fe28-fb72cbbe1aed",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "a23f9412-323f-fd1c-1c72-ac38fdedc079",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "New ActiveScriptEventConsumer Created Via Wmic.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "cf1c2cd4-ba84-1a2d-fdbf-f970eacc2ed9",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Windows Processes Suspicious Parent Directory"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "27bbbc51-2674-7c64-0d12-3844deb6cb4b",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious MSDT Parent Process"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "b38e988d-9ea4-447b-cc36-a30c9c3801e1",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Microsoft OneNote Child Process"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "d6d1a63b-5f0f-795e-fe18-4c2e1784568d",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Arbitrary File Download Via MSEDGE_PROXY.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "70fe889c-0d1e-71e8-542d-a7ca05a0fef6",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Cscript/Wscript Potentially Suspicious Child Process"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "77f78d0c-79a5-d749-2130-9bea40bef10a",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Commandline Obfuscation Using Escape Characters"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "b7adfc19-5e32-e2d7-a70c-a28e9a844564",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "File Download And Execution Via IEExec.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "0c6e9a79-2e34-53ee-92c8-a3b0e05011d0",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PUA - PingCastle Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "737bbf5e-7b83-3600-ebcc-76fd8f9c65ef",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Use Icacls to Hide File to Everyone"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "b2376187-e8e7-aeeb-fb7e-7636ad9dadc9",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - Hashcat Password Cracker Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "39720fd3-7163-2a97-3e2d-287a6b761820",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - Jlaive In-Memory Assembly Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "0e524b9d-1e47-2065-5827-2b8d0125307c",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious WMIC Execution Via Office Process"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "892fa867-a4bc-7858-dc5f-0f959244b3ca",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Microsoft IIS Service Account Password Dumped"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "7e75fbd5-4501-e7c8-deb1-b24ea8448793",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Fsutil Behavior Set SymlinkEvaluation"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "55f4543b-1bd2-73c3-dbda-2fed3f373efa",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "WMIC Remote Command Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "4b8e07ad-57d3-608d-6f9e-31047dfeb0de",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "2c256f43-053a-3f93-b183-27b3a5d312ed",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "UAC Bypass Using DismHost"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "7badcd39-a428-768b-6bd0-e5db3b7fa90e",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Proxy Execution Via Wuauclt.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "3b38d2cf-7ccd-53a3-5491-424880982502",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Uncommon Child Process Of Appvlp.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "cfe8471d-2e7f-9e55-aa92-3b117789d6a6",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "New Port Forwarding Rule Added Via Netsh.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "4033fb39-b0df-89aa-584b-12d73c5e5bd6",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Files Added To An Archive Using Rar.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "c9c7afb7-56ad-a3b2-ad8a-727beaa81d41",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PUA - RunXCmd Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "efdfbdd6-7e24-de87-fab4-a6218c8d0740",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - Certipy Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "e0a1f78a-c161-fbe3-4ec6-e151177ec4f1",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Obfuscated IP Download Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "512d7248-20c4-a7bb-650b-19b15c46e2a2",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious VBoxDrvInst.exe Parameters"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "54947316-2baa-1515-3a10-8569020a445a",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potentially Suspicious GoogleUpdate Child Process"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "4e16e266-e27d-ab29-fd78-e04352a8aee7",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Python Spawning Pretty TTY on Windows"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "55fe02b2-c0a4-cac3-dc5e-e79d58f78620",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - Sliver C2 Implant Activity Pattern"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "325e649b-61c6-7c91-88ba-f2873675b355",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Provlaunch.EXE Child Process"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "a9d391c2-0efd-3d38-0c33-49f93ab68df6",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - Stracciatella Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "f8836306-dba7-b71c-033f-6a42b39ae975",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "UAC Bypass Tools Using ComputerDefaults"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "d8e1c729-6e00-4d1f-0af5-f58bd233d23a",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Add New Download Source To Winget"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "62ff6ff0-2ab6-4498-2d8a-7aaf4d8bdbb1",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Mftrace.EXE Abuse"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "65769ded-2258-284c-b61d-e79567f5efc0",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Child Process Of Wermgr.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "7fba96c8-5c12-aafa-9f68-5c0c7fd6e592",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "DumpMinitool Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "2116c0b4-e272-0fc0-40da-107d4cbaa911",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Use of VisualUiaVerifyNative.exe"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "bec3410f-d2b7-364a-dc0a-bef9eda222a0",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential DLL Sideloading Via DeviceEnroller.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "a6a22651-ffaa-7713-8313-46ce8a85ad64",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "LSA PPL Protection Disabled Via Reg.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "35e14148-f5cd-9d4d-90bb-e63d555a1a02",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Manage-bde.wsf Abuse To Proxy Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "91d53283-959d-c486-79b7-288d5aa3be9c",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Uncommon Child Process Of Defaultpack.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "8f82ce6b-dc46-1b1e-3024-baa24253e735",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential DLL Injection Or Execution Using Tracker.exe"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "1f2eb669-e0a1-6d98-cf43-82b1f083fb23",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Shadow Copies Creation Using Operating Systems Utilities"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "ac2323f5-a7b6-baa6-4cb6-1df6089d834d",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PUA - Process Hacker Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "75a50ccd-ba64-66cd-de19-003e2f044761",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Interesting Service Enumeration Via Sc.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "915fc7ae-b034-c5e8-9b05-e19566db49fb",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Usage Of ShellExec_RunDLL"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "6b169ef1-e760-a417-0794-dc36e56ea984",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Vsls-Agent Command With AgentExtensionPath Load"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "e9ec99cd-f425-c533-3e51-bf39335dbe29",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - HandleKatz LSASS Dumper Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "bb4392f4-17a5-e69c-88cd-53551c758da9",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious File Download From IP Via Wget.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "1a4e84c2-b143-1ac5-61c9-00faf74cb62a",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Msbuild Execution By Uncommon Parent Process"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "c833260b-e625-9fc5-e600-302e176fb76e",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potentially Suspicious EventLog Recon Activity Using Log Query Utilities"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "756c6a71-c6c7-f447-b851-823221c5d2fc",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potentially Suspicious Rundll32 Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "b5e72364-d1d6-72a1-ec13-abf98d0aaa74",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Nltest.EXE Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "7799eb33-05b6-9a35-9e50-e2da961e40bb",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Chromium Browser Headless Execution To Mockbin Like Site"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "1f7106cd-f5e2-0696-4238-9f85251a052c",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Insensitive Subfolder Search Via Findstr.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "a2c55c02-a430-f460-3ee3-924318d48700",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Use of W32tm as Timer"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "98aa5a08-85d3-1d55-d8be-07f7570e76ad",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential PowerShell Obfuscation Via Reversed Commands"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "a405c36d-82ac-5145-4a6a-8451f4ed7205",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Rundll32 Registered COM Objects"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "274285c4-15a3-9ee1-1a76-fa05fa2b17e1",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Bypass UAC via Fodhelper.exe"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "850febcc-7dad-d3e9-05e3-1c69b3ba2db3",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Use of Pcalua For Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "b408292c-4fa0-410a-a192-4228c81af02e",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Explorer NOUACCHECK Flag"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "16b983b0-2a6e-197e-d708-3468b8785eb6",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential LSASS Process Dump Via Procdump"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "8d302e8b-d95c-0027-59e0-a3c179726623",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Powershell Base64 Encoded MpPreference Cmdlet"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "cac49200-88c2-7917-c315-8a2e0981b42a",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "New Process Created Via Wmic.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "74925938-de32-0417-5a62-b63a5d0dd01a",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Node Process Executions"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "33de75b5-e77d-234d-db45-228cb5921cdd",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Use of Scriptrunner.exe"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "c7a2ef80-f915-79f0-1ce3-bf61d570a990",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Operator Bloopers Cobalt Strike Modules"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "97bbdb27-032d-af8b-7a1a-2e826f3f9b02",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "New Service Creation Using PowerShell"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "112d0b77-1699-f5e9-45f6-7e80e17de0a0",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Run PowerShell Script from Redirected Input Stream"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "b176b53d-4619-d65f-baf1-b3a4f1ec0b12",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Pubprn.vbs Proxy Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "4411c966-d5e0-1715-f458-2221d89b7eee",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Abused Debug Privilege by Arbitrary Parent Processes"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "c7b9e6e8-4212-b14e-b622-503d7c760107",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Scheduled Task Creation Via Schtasks.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "e90d5723-9e13-61f4-569b-d8b4ac050c09",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Unquoted Service Path Reconnaissance Via Wmic.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "aab62ba9-1795-b6b5-47f8-75e49b89b59d",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Dism Remove Online Package"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "b89edd67-19bc-8e17-7967-2c47614dadee",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Webshell Detection With Command Line Keywords"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "2c2fe733-6ef3-9d44-210c-fb4011ee1944",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious File Download From IP Via Wget.EXE - Paths"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "0cb1943b-75df-d254-4a36-58c1dc6a3f97",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - SecurityXploded Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "722c7611-6b69-b8f2-4972-c405ba40d9a7",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Uncommon Child Process Of Setres.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "48e84a4f-20a1-de9f-6a28-37b0494dedfc",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "LSASS Dump Keyword In CommandLine"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "68ab3429-7cf4-3d41-5a38-9474fcad4f66",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Download/Upload Activity Using Type Command"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "974ebcbe-549c-386f-ffce-c5c6e2fbe2d8",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Raccine Uninstall"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "87226774-feb7-cb9f-bb57-e19cc4fbfb1a",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "WMI Persistence - Script Event Consumer"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "d0de4ba1-77ce-d47b-23ee-62cdcbc849a6",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Suspicious Browser Launch From Document Reader Process"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "9f52bf0b-cd07-33a3-f9c1-6cf08889812a",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Port Forwarding Activity Via SSH.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "5cf7d531-3e77-6eb0-d0e7-497c9a6520f2",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Write Protect For Storage Disabled"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "144c93b7-e660-277e-cd3c-0141893803ea",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "IIS Native-Code Module Command Line Installation"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "40508368-741e-4fc4-bc48-e76128b330d2",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "File Download Using ProtocolHandler.exe"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "5f438a3c-3bd7-d256-61ad-9ae6334543ec",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious CustomShellHost Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "0f054564-5b4b-f7e3-ffa7-a1afda6c3715",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Loaded Module Enumeration Via Tasklist.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "d7156c2d-f3d8-5088-3d92-b5b7ee49cb65",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious ScreenSave Change by Reg.exe"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "9069f74a-131e-643b-86fc-0f23d29805d7",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "SafeBoot Registry Key Deleted Via Reg.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "481a16ec-1b88-6a7a-78b7-eedff1d69951",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "WSL Child Process Anomaly"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "9b9bf6cd-1e4c-25a1-5857-4e6793b53d32",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential AMSI Bypass Using NULL Bits"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "a407b6c9-ae1a-6fb2-a44d-24de12a2e2f7",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PUA - AdvancedRun Suspicious Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "e158c0fd-66a1-71d4-8c4c-0728569ed574",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "UtilityFunctions.ps1 Proxy Dll"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "a0d8ce28-b409-13a0-c884-65166e1aa672",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Stop Windows Service Via Net.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "3e89a33f-127c-1329-d332-0d836db05ad7",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PUA - CleanWipe Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "9229b93f-725b-ba48-a5e2-fd3ba4c5751b",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "COM Object Execution via Xwizard.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "94528740-76e2-5bfd-e3d5-a6fc1aea5bcd",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Use of OpenConsole"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "be9b6aa2-633a-7833-43a7-f807dc2aa023",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potentially Suspicious Event Viewer Child Process"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "773a2339-22b1-7f0c-c821-a5831b6a43cc",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potentially Suspicious Office Document Executed From Trusted Location"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "f93df83e-4e70-cffa-f5d8-2b7c77d7bb45",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Runscripthelper.exe"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "91a429e4-2bb4-05ef-b164-545b86f9ba8e",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Winrar Execution in Non-Standard Folder"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "a3bc9093-f23e-f622-8deb-a18609cc33d8",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - CrackMapExec Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "bb0b061c-443d-7026-485e-32bd309fb7d9",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Windows Firewall Disabled via PowerShell"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "101b11d6-0200-6a9a-daea-aaebf8b49bca",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potentially Suspicious Windows App Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "974c3659-4c63-c8c0-e3e1-1cedf5c38b24",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Read Contents From Stdin Via Cmd.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "fdb2c7f2-63dc-72cd-5261-f3ab65d5d157",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potentially Suspicious Call To Win32_NTEventlogFile Class"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "676111e7-0d6f-b5f4-e267-6399b5052fdc",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Eventlog Clearing or Configuration Change Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "3c74726b-21b2-7edc-9091-a8cb4cd92eb0",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Changing Existing Service ImagePath Value Via Reg.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "86e778e7-ed84-5e14-0732-2e352101ac62",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Rundll32 InstallScreenSaver Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "6acffd8c-96c9-9d3b-9d69-0e0f332209c3",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Process Proxy Execution Via Squirrel.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "c3538d2c-107c-a590-509c-957631b1eaf2",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Crypto Mining Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "9a714c62-1669-9a37-eb23-3aca9c2ca26e",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "VeeamBackup Database Credentials Dump Via Sqlcmd.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "84707330-6ce4-b159-4432-712646f49a7b",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Arbitrary File Download Via GfxDownloadWrapper.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "cc44ef1f-3f00-4bc6-c537-2858c567e845",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Execution of Powershell Script in Public Folder"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "401fb350-d891-c9ac-1ba7-13d9cce53c20",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PowerShell Set-Acl On Windows Folder"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "89dbe2e8-d793-a90f-ede7-4e29c886f987",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Active Directory Database Snapshot Via ADExplorer"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "4bfb861e-7df2-1670-f8ba-15b3d32325bf",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Product Class Reconnaissance Via Wmic.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "ae65ef8c-318b-89f9-30d3-1f3bcfab81e9",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Possible Privilege Escalation via Weak Service Permissions"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "1f9094b1-f522-539a-f715-fd13acf3cd22",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "UEFI Persistence Via Wpbbin - ProcessCreation"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "bf85cbac-5a6f-8e8c-535a-0c786ee46919",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious GrpConv Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "6608cba0-3816-77a3-31ab-3b70c790f18c",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Private Keys Reconnaissance Via CommandLine Tools"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "6ea28a10-22c9-94e3-ecf6-cd29b8bc75bd",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Remote Access Tool - Team Viewer Session Started On Windows Host"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "52aeb4d7-4368-4da4-c717-f3b016a01d64",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential PowerShell Execution Via DLL"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "2211d14a-9a4c-d937-2a25-6428d586be6c",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Use Of The SFTP.EXE Binary As A LOLBIN"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "26de0206-5a40-c902-6fcf-8ab280a45735",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potentially Suspicious Execution Of PDQDeployRunner"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "f9558484-5f9f-17f3-06a0-774afccc35e1",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Execute Code with Pester.bat"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "73845b5a-3c6f-eabe-4bcd-e9581c82d899",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Unsigned AppX Installation Attempt Using Add-AppxPackage"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "0b1a8cb5-34ab-b019-66ad-98f7c43bb8ff",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Invoke-Obfuscation STDIN+ Launcher"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "f57976f9-310f-c36f-c17a-0efb253e7f94",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Execution via WorkFolders.exe"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "74dee6c8-810b-ae34-e12e-ab1a91355d18",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Rundll32 Execution With Image Extension"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "6cf859b8-6805-3164-4f58-acb0feb11cbf",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Permission Misconfiguration Reconnaissance Via Findstr.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "8b1a1dbd-8084-e219-f9ee-15c286aab6c9",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Process Execution Proxy Via CL_Invocation.ps1"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "5bdc7357-a9e6-95bc-a7cd-c6e0022b3299",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Process By Web Server Process"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "37cf7844-0508-0f79-123b-7bb4a92b5bf3",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Kernel Memory Dump Via LiveKD"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "0ac2cb1c-3284-c46e-dd61-1fd81302ad3c",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PowerShell Get-Process LSASS"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "9fc9be53-5de8-99c5-66a1-0045cf52ff03",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Enumeration for Credentials in Registry"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "87086e53-d522-cb93-c0a0-04cd9f2e91d3",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Git Clone"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "c063426c-1b9b-025d-71cc-5097a233285d",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Execution of Suspicious File Type Extension"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "370b959a-526f-4355-c41d-8388206d423a",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Unusual Parent Process For Cmd.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "2138917f-b5cd-6181-bcf6-8039bc43c6a2",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Powershell Defender Exclusion"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "5c8771ec-db48-4d8e-8701-02680fde2531",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Gpresult Display Group Policy Information"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "cec3aeb1-8e95-5fa2-4566-9463115e48b2",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious GUP Usage"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "541e3fb5-f235-d13c-cd97-2e31f774193b",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential UAC Bypass Via Sdclt.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "37ebc902-d86f-808a-3790-0d2051db2e46",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "617ab1b8-544d-3774-60f6-7fcbd7612a8f",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Active Directory Enumeration Using AD Module - ProcCreation"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "1adbdfce-5fe9-9717-cc78-42b380893e97",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Change Default File Association Via Assoc"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "0e400d25-3298-763d-1813-3fe64dbdb2b0",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Provlaunch.EXE Binary Proxy Execution Abuse"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "c0cc4271-ed56-6236-e21a-e9db92f30d97",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Execute Files with Msdeploy.exe"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "f4ef60dd-b493-97a1-92db-e8a8146be6a4",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Scripting/CommandLine Process Spawned Regsvr32"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "9ee3416d-660e-2be4-06ed-73f1dce70009",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Webshell Hacking Activity Patterns"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "f0dcd1c8-56d8-8dd0-b4d1-4e8b9a04a6c6",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious PowerShell Parameter Substring"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "09f25420-43e9-2a11-7301-c1c851349604",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "File In Suspicious Location Encoded To Base64 Via Certutil.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "314ca2e6-e324-0e58-b1e7-2d38858b534a",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Hiding User Account Via SpecialAccounts Registry Key - CommandLine"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "11f0b956-1d1f-35ac-0745-953256f95462",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "New User Created Via Net.EXE With Never Expire Option"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "38362740-fe8e-6e9d-79ad-a290fe8d5190",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Dumping Process via Sqldumper.exe"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "226527e7-8837-a785-775d-0dfb86e3fa27",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Process Parents"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "66033013-9870-9cb6-fd4b-54502ef0aa79",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PsExec Service Child Process Execution as LOCAL SYSTEM"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "502f2034-8929-9fd1-10fc-732a817671b7",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "New Capture Session Launched Via DXCap.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "0aae20f4-4b90-f3db-47a1-d0032e30ccfd",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Recon Information for Export with Command Prompt"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "9493969e-1bc7-42fc-ede3-cbd493d3e20a",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - WinRM Access Via Evil-WinRM"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "c50000d8-b326-29d3-f4c2-7f15bb158633",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Use NTFS Short Name in Image"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "65bb4129-82c6-f4f5-d2e1-7089e8799d2e",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Unmount Share Via Net.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "d2fa11c1-82e2-42db-8f24-39f38b6ea6ba",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "File And SubFolder Enumeration Via Dir Command"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "22cc197f-f74f-a4e3-7021-a3b56dee5864",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Product Reconnaissance Via Wmic.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "3d973370-afd2-629f-985f-7e5ba8e42f71",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PUA - NirCmd Execution As LOCAL SYSTEM"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "ae609e1c-eb91-f3a5-50b2-e6d70abc4c8b",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PUA - Potential PE Metadata Tamper Using Rcedit"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "22698f6a-6197-0acb-d0f8-39939e9af18f",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Use of PsLogList"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "a2dbf468-e91d-96e1-aaa1-d7a9e2cfb209",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PUA - Rclone Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "eacb8d30-18b2-df70-fb8e-b5b8bb773983",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Arbitrary DLL Load Using Winword"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "01fbd572-ed21-128f-a6f8-33d5cd9c5dd4",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Turla Group Commands May 2020"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "43b8a8bc-fb6b-2385-d4a0-7efb8523c625",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Turla Group Lateral Movement"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "d0fd7844-3a95-dea8-af80-626b8fcf4e3f",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "ZxShell Malware"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "8093c636-02d2-54cd-0170-9c7037dadfda",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Sysmon as Execution Parent"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "04ed5400-e750-0076-db95-3a48baa00f30",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential CVE-2022-29072 Exploitation Attempt"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "c673198f-36bd-eaf8-5986-f439d6b8c2a8",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "9754f622-65d5-8c9b-7762-f074e2d502ed",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Set Value of MSDT in Registry (CVE-2022-30190)"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "a34c1c69-20be-c05f-9985-e8dfdd6387df",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential CVE-2023-21554 QueueJumper Exploitation"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "aadf7b08-beb0-7b83-9155-bc9cf4ea77be",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Serpent Backdoor Payload Execution Via Scheduled Task"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "2a9fb7e5-5c2d-b57d-62d3-17245085abdc",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Hermetic Wiper TG Process Patterns"
},
{
"channel": [
"Application"
],
"event_ids": [
"8128"
],
"id": "e177969a-73cc-a32c-b948-cb580287057a",
"level": "high",
"subcategory_guids": [],
"title": "MSSQL Extended Stored Procedure Backdoor Maggie"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "f0eeba30-c955-c5ae-d78a-83e0f3a115ea",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Raspberry Robin Initial Execution From External Drive"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "228eed07-6e91-fd77-f72d-32e28f0a3739",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Raspberry Robin Dot Ending File"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "d14ca8ab-730c-d8b6-195c-9cd426d66a34",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Raspberry Robin Subsequent Execution of Commands"
},
{
"channel": [
"sec"
],
"event_ids": [
"4656",
"4663",
"5145"
],
"id": "21ead34c-d2d4-2799-6318-2ff9e4aa9222",
"level": "high",
"subcategory_guids": [
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9244-69AE-11D9-BED3-505054503030"
],
"title": "BlueSky Ransomware Artefacts"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "b5aa09e0-6b91-0111-57d5-0c7dd40b2208",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Emotet Loader Execution Via .LNK File"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "48adf0e2-62e3-9147-1be4-087852d3a4a5",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "MERCURY APT Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "08d5c383-090f-b317-6fdd-e815d17f2ab6",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential ACTINIUM Persistence Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "073e0fdf-35a4-362b-a1c6-2b1b41c71231",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Kalambur Backdoor Curl TOR SOCKS Proxy Execution"
},
{
"channel": [
"Application"
],
"event_ids": [
"1000"
],
"id": "1117f6c7-1c68-9c6e-c3e8-191e9d687387",
"level": "high",
"subcategory_guids": [],
"title": "CVE-2024-49113 Exploitation Attempt - LDAP Nightmare"
},
{
"channel": [
"sec"
],
"event_ids": [
"4728",
"4754",
"4737",
"4756",
"4755",
"4727",
"4731"
],
"id": "2a451b93-9890-5cfe-38aa-1dc4f8f0fe0a",
"level": "high",
"subcategory_guids": [
"0CCE9237-69AE-11D9-BED3-505054503030"
],
"title": "Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "15644804-cc2a-8565-e214-eefd44105fed",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Exploitation of CVE-2024-37085 - Suspicious Creation Of ESX Admins Group"
},
{
"channel": [
"sec"
],
"event_ids": [
"4663"
],
"id": "74d067bc-3f42-3855-c13d-771d589cf11c",
"level": "critical",
"subcategory_guids": [
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030"
],
"title": "CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security"
},
{
"channel": [
"sec"
],
"event_ids": [
"4663"
],
"id": "82b185f4-cdcb-ba23-9fdb-dbc1a732e1a7",
"level": "medium",
"subcategory_guids": [
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
],
"title": "ScreenConnect User Database Modification - Security"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "9dedfbb8-2cd0-ec0a-0822-0dee15d8a397",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Lummac Stealer Activity - Execution Of More.com And Vbc.exe"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "4f676138-05ac-facf-8305-99c355044751",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Kapeka Backdoor Autorun Persistence"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "48e70678-2188-d6d9-11d7-598823558254",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Kapeka Backdoor Configuration Persistence"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "1dec77f2-6e9b-fc57-6fb4-0cca63a6f812",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Kapeka Backdoor Persistence Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4698"
],
"id": "fa0084fc-2105-cdc9-c7c1-1752bbb2e4d2",
"level": "high",
"subcategory_guids": [
"0CCE9227-69AE-11D9-BED3-505054503030",
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Kapeka Backdoor Scheduled Task Creation"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "dd06aed2-9af7-db27-2695-f750b4a2aeb8",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Kapeka Backdoor Execution Via RunDLL32.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "e46b4e96-6396-bb54-0d11-e1aada87c21e",
"level": "low",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Potential Raspberry Robin Registry Set Internet Settings ZoneMap"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "4f3b55b9-3f7f-11c9-08ec-023ffed290a0",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Raspberry Robin CPL Execution Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "396c509f-60dd-659f-6cd4-7e6e45322d5e",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Potential KamiKakaBot Activity - Winlogon Shell Persistence"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "1fc29c50-4d7c-1839-46c5-1d5346ece8fa",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential KamiKakaBot Activity - Shutdown Schedule Task Creation"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "ee52db74-7cf0-30dd-3b79-d7de7002360a",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential KamiKakaBot Activity - Lure Document Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "bdf164e3-a724-140c-60ba-88a87f1416e4",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Forest Blizzard APT - Process Creation Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "30840c08-9ef9-b60c-581d-256b0a2f8041",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Forest Blizzard APT - Custom Protocol Handler DLL Registry Set"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "b08e9928-878e-3e97-524a-036710d6f3f9",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Forest Blizzard APT - Custom Protocol Handler Creation"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "288761b1-1985-c83b-bafb-51f20cffc924",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential APT FIN7 Exploitation Activity"
},
{
"channel": [
"Application"
],
"event_ids": [
"1000"
],
"id": "f33feae7-db95-01a2-c35f-a6361e690ebb",
"level": "medium",
"subcategory_guids": [],
"title": "CVE-2023-40477 Potential Exploitation - WinRAR Application Crash"
},
{
"channel": [
"Application"
],
"event_ids": [
"2027"
],
"id": "0bcc2c11-231f-f491-7985-3571fee7f2c5",
"level": "high",
"subcategory_guids": [],
"title": "MSMQ Corrupted Packet Encountered"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "1afd58da-cc18-91ca-c728-f9ead1f47317",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process"
},
{
"channel": [
"sec"
],
"event_ids": [
"5140"
],
"id": "5a3b13ed-8700-5d72-5592-4dbeacbeeb64",
"level": "high",
"subcategory_guids": [
"0CCE9224-69AE-11D9-BED3-505054503030"
],
"title": "Potential CVE-2023-36884 Exploitation - Share Access"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "b7a9b3d7-4d7a-c3f3-3d76-9b3c30db223c",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "d2c33d76-7b09-c3b4-a954-ffd2e0da3cc8",
"level": "low",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Outlook Task/Note Reminder Received"
},
{
"channel": [
"sec"
],
"event_ids": [
"4663",
"4656"
],
"id": "1aeb71a3-31b4-1a5e-85d8-1631c3a73d43",
"level": "critical",
"subcategory_guids": [
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "CVE-2023-23397 Exploitation Attempt"
},
{
"channel": [
"Microsoft-Windows-SmbClient/Connectivity"
],
"event_ids": [
"30806",
"30803",
"30804"
],
"id": "de290ecb-3279-dd5b-2f6c-7d3f22a752d8",
"level": "medium",
"subcategory_guids": [],
"title": "Potential CVE-2023-23397 Exploitation Attempt - SMB"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "7a1d5134-71db-5e78-20af-387288b261fe",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Qakbot Regsvr32 Calc Pattern"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "c5241d42-29a7-201c-7ad6-96648cc368c3",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Qakbot Uninstaller Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "15f0b692-9547-f109-f9cc-ac165a71dfdb",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Qakbot Rundll32 Exports Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "4cbce5db-f238-eaa5-7272-ed7b8122ded6",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Qakbot Rundll32 Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "28b6ad8c-6543-08dc-cc45-4088c5d03882",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Qakbot Rundll32 Fake DLL Extension Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "7d4d1b66-641e-c78a-a574-37e2658d3b05",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Griffon Malware Attack Pattern"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "76838840-9141-18d6-5182-11d8297d9574",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Rorschach Ransomware Execution Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "aaa26b8b-7089-ddc7-6b3d-b0786555177e",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Injected Browser Process Spawning Rundll32 - GuLoader Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "d1c9a56f-847c-149d-8e33-f2f0cc9d0780",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Potential COLDSTEEL RAT Windows User Creation"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "71791144-4c24-e133-0435-de80fac210a6",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "COLDSTEEL RAT Anonymous User Process Execution"
},
{
"channel": [
"System"
],
"event_ids": [
"7045"
],
"id": "d8f1ace1-c01b-3f95-34ed-993d29f876f5",
"level": "high",
"subcategory_guids": [],
"title": "COLDSTEEL Persistence Service Creation"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "cbb04740-ed1c-9f93-63da-7f0564a3b403",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "COLDSTEEL RAT Service Persistence Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "e1154da5-5e71-c3d4-e8b6-f6a18c1eaf54",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Ursnif Redirection Of Discovery Commands"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "2ea44b75-58f5-f91b-6aa1-6ff2c71bbb5a",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "DarkGate - User Created Via Net.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "2d2fc033-17e9-53b1-ea07-7d2dde3b2a54",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "DarkGate - Autoit3.EXE Execution Parameters"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "2386a20f-b877-d41b-4f24-5561a8b788d2",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "4d7c1d43-5e75-8d5e-69ed-1a208dd23249",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Pikabot Discovery Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "36b7b5cb-6442-2a32-49bd-894a5b3ece4e",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Pikabot Hollowing Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "465c812b-bb1a-4652-0a2a-5e9216ae9b5b",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Pikabot Fake DLL Extension Execution Via Rundll32.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "3a5c167a-3ba9-e261-65fb-e6f832c0b3f2",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Rhadamanthys Stealer Module Launch Via Rundll32.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "2d1ec565-2a6e-eb8c-5e3e-454aa8a32614",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Potential Encrypted Registry Blob Related To SNAKE Malware"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "4597ab1c-27ca-a1fa-2aec-793a9478be04",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential SNAKE Malware Installation CLI Arguments Indicator"
},
{
"channel": [
"System"
],
"event_ids": [
"7045"
],
"id": "abdb2e55-7d24-7f3d-6091-2b42abca2e67",
"level": "critical",
"subcategory_guids": [],
"title": "SNAKE Malware Service Persistence"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "4b4e4330-74b5-c191-3016-18ec0b0e8c15",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential SNAKE Malware Installation Binary Indicator"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "d5f802ef-a213-5704-405c-10cefe798d45",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential SNAKE Malware Persistence Service Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "58f3d2fb-ee2d-19e8-3792-abdf0eca4067",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "SNAKE Malware Covert Store Registry Key"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "28ffa72a-4fdf-40aa-4912-e53083a61f96",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "2e4649c0-d69b-e162-9c39-4d98600de98a",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Diamond Sleet APT Process Activity Indicators"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "0a08328e-c93e-0397-cb8e-61d93af17c09",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Diamond Sleet APT Scheduled Task Creation - Registry"
},
{
"channel": [
"sec"
],
"event_ids": [
"4698"
],
"id": "05731ce3-cfda-dbba-3792-c17794a22cf7",
"level": "critical",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030",
"0CCE9227-69AE-11D9-BED3-505054503030"
],
"title": "Diamond Sleet APT Scheduled Task Creation"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "d2624d20-f715-94ca-56f5-47923dc797a2",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential APT Mustang Panda Activity Against Australian Gov"
},
{
"channel": [
"Microsoft-Windows-TaskScheduler/Operational"
],
"event_ids": [
"141",
"140",
"129"
],
"id": "51850e92-9de2-230e-98f6-5775d63df091",
"level": "high",
"subcategory_guids": [],
"title": "Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler"
},
{
"channel": [
"sec"
],
"event_ids": [
"4702",
"4699",
"4698"
],
"id": "ae16af08-e56e-414a-ceba-cb62e9f3a2ef",
"level": "high",
"subcategory_guids": [
"0CCE9227-69AE-11D9-BED3-505054503030",
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "2a5d2c0f-578d-a591-f955-6a96069d7d9d",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PaperCut MF/NG Potential Exploitation"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "ebb92368-23b5-851f-104d-95a89838d948",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PaperCut MF/NG Exploitation Related Indicators"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "dc315390-7011-bb4e-751f-f08ecd3ca85d",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential APT FIN7 Reconnaissance/POWERTRASH Related Activity"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "b8581aed-5481-addc-116b-c0b8384cecfc",
"level": "high",
"subcategory_guids": [],
"title": "Potential POWERTRASH Script Execution"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "384a6ce5-d681-2e87-6a43-6e1a0eb0f316",
"level": "high",
"subcategory_guids": [],
"title": "Potential APT FIN7 POWERHOLD Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "bc808841-697e-7b11-dc93-e0c729b17e87",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Mint Sandstorm - Log4J Wstomcat Process Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "16662367-d8c5-c609-8ef7-131dda0a9ae9",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Mint Sandstorm - ManageEngine Suspicious Process Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "4e26299f-1fd3-fa5e-1aad-a0c22275e7ae",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Mint Sandstorm - AsperaFaspex Suspicious Process Execution"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "017266c4-7b12-7c2b-d2b3-0b8ffe973af8",
"level": "high",
"subcategory_guids": [],
"title": "Lace Tempest PowerShell Evidence Eraser"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "9cf64f9c-ca0e-07b8-3d01-106dac73ef8b",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Lace Tempest Cobalt Strike Download"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "d7cc678c-bf6e-c88c-9c51-68ac731baa8b",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Lace Tempest Malware Loader Execution"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "47fec53e-ab09-f2b7-fc9a-c7364aefc12f",
"level": "high",
"subcategory_guids": [],
"title": "Lace Tempest PowerShell Launcher"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "dfd05613-5afb-ff48-86b9-082194e9ae79",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Compromised 3CXDesktopApp Update Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "35f3ea40-3ec2-86b1-9633-0a8230a46fc6",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Compromised 3CXDesktopApp Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "55dc8b32-c836-8c99-848d-630c50764aeb",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Suspicious Child Process Of 3CXDesktopApp"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "ad6cf96f-fa18-2ab2-281f-bbffecb4ab3a",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Peach Sandstorm APT Process Activity Indicators"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "a13f506e-fac9-0e14-f1b5-1cfbe9c57e46",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Exploit for CVE-2015-1641"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "9e9587ab-f1e4-6415-6bc7-bd47066924ba",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Droppers Exploiting CVE-2017-11882"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "6beb9c36-3f8a-5de4-1979-7e2b1f7e6f27",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Exploit for CVE-2017-0261"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "cfbcf9de-6e1d-7197-68f5-3fc5226b6373",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Exploit for CVE-2017-8759"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "57e6d496-927a-453c-36cf-2fece4eb81ae",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential PlugX Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "d37941e8-2688-f070-4a3d-ac1b76dec8d2",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Adwind RAT / JRAT"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "56fadac1-9828-3743-02f7-df46e4e5a2b5",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "WannaCry Ransomware Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "f9a894d9-db42-b853-3caf-28fdb62fad98",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "NotPetya Ransomware Activity"
},
{
"channel": [
"System"
],
"event_ids": [
"7045"
],
"id": "c1362f8e-594e-72a7-d9a9-6fe6c74334ef",
"level": "high",
"subcategory_guids": [],
"title": "StoneDrill Service Install"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "016f9629-14c0-6760-6a57-2964982c53c5",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Fireball Archer Install"
},
{
"channel": [
"sec"
],
"event_ids": [
"4697"
],
"id": "8428d90d-a928-f70a-c46e-f08457d6b01f",
"level": "critical",
"subcategory_guids": [
"0CCE9211-69AE-11D9-BED3-505054503030"
],
"title": "CosmicDuke Service Installation"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "3f54c5d2-0fd9-2b17-f9e5-c2fa4ca101d7",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Ps.exe Renamed SysInternals Tool"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "b0e856a7-d88c-046d-8874-70a60f6bd627",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential APT10 Cloud Hopper Activity"
},
{
"channel": [
"System"
],
"event_ids": [
"7045"
],
"id": "665e3be1-3ec1-2e79-bd0f-dca344762794",
"level": "high",
"subcategory_guids": [],
"title": "Turla Service Install"
},
{
"channel": [
"System"
],
"event_ids": [
"7045"
],
"id": "75a0da35-0e7f-e313-f974-d812b44295a4",
"level": "critical",
"subcategory_guids": [],
"title": "Turla PNG Dropper Service"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "c451e783-f3fc-738b-e5fb-e40879c5804a",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Lazarus System Binary Masquerading"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "def2ec32-0d35-d282-5265-940ec8847ce0",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential BearLPE Exploitation"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "7ff9b9f2-a79d-029b-9d23-1335adb7098c",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Exploiting CVE-2019-1388"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "178d305a-d6f0-baf2-b49b-89ffaddc2ca1",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential QBot Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "588be409-8e98-409a-a4ef-4cccc7b7e865",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Formbook Process Creation"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "9dc3524d-8444-15f1-bde6-e060f0050e94",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "LockerGoga Ransomware Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "4adab006-3d6b-cf15-fdcc-f081f50e87f5",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Potential Ursnif Malware Activity - Registry"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "c368d44f-914c-dda1-79ca-a54a155c8491",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Baby Shark Malware Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "39724b62-2e68-3ffc-c675-c018f6c9ce11",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Dtrack RAT Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "14cb4558-9252-130c-f8d4-6662b6f951ef",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Snatch Ransomware Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "d7037073-136c-baf0-a9d7-cb2c03fcd245",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Ryuk Ransomware Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "e23a9ec2-a8a3-badf-e230-fcbe8cf7f86e",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Dridex Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "399756bd-2003-82b3-c6c6-ab44d1516146",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Emotet Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "26d86e32-1dec-3706-ae72-6314e702cb7e",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Equation Group DLL_U Export Function Load"
},
{
"channel": [
"sec"
],
"event_ids": [
"4799"
],
"id": "c9b5cb6f-906f-3a15-b77e-1b634b1d4e55",
"level": "high",
"subcategory_guids": [
"0CCE9237-69AE-11D9-BED3-505054503030"
],
"title": "Operation Wocao Activity - Security"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "5a419751-992b-77c8-867f-49e5097ecddd",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Operation Wocao Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "5951b1c5-52a0-6011-73e8-d5feb1c407fb",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Mustang Panda Dropper"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "95e7263a-c0ff-b3c4-7947-3f452d58d181",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "APT31 Judgement Panda Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "c3a27568-59dc-1d9d-e90f-dd041655ebdf",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "88973540-d514-9331-f28d-73a9e8f21ac1",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential EmpireMonkey Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "3743899d-8da9-a497-6649-9838de358f7e",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Russian APT Credential Theft Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "4a49be77-9768-f48f-06ff-6670c49744f2",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious RazerInstaller Explorer Subprocess"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "e40fd714-eaab-3ce4-3a3d-de697f78ed6a",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Serv-U Exploitation CVE-2021-35211 by DEV-0322"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "88ad8420-1fd5-6e62-470b-6eaad464d86d",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "a4072638-9c3a-3307-e4f9-458edbb60efb",
"level": "critical",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "CVE-2021-31979 CVE-2021-33771 Exploits"
},
{
"channel": [
"System"
],
"event_ids": [
"38",
"37",
"36",
"35"
],
"id": "8a194220-2afd-d5a9-0644-0a2d76019999",
"level": "medium",
"subcategory_guids": [],
"title": "Potential CVE-2021-42278 Exploitation Attempt"
},
{
"channel": [
"Microsoft-Windows-Windows Defender/Operational"
],
"event_ids": [
"1011",
"1116",
"1012",
"1006",
"1017",
"1007",
"1008",
"1018",
"1019",
"1009",
"1010",
"1115"
],
"id": "aef0711e-c055-e870-92bc-ea130059eed1",
"level": "critical",
"subcategory_guids": [],
"title": "Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection"
},
{
"channel": [
"Microsoft-Windows-PrintService/Operational"
],
"event_ids": [
"316"
],
"id": "ae207e8e-3dfd-bd05-1161-e0472778f2be",
"level": "critical",
"subcategory_guids": [],
"title": "CVE-2021-1675 Print Spooler Exploitation"
},
{
"channel": [
"sec"
],
"event_ids": [
"5145"
],
"id": "52b5923e-1ef2-aaad-5513-3c830f3c5850",
"level": "critical",
"subcategory_guids": [
"0CCE9244-69AE-11D9-BED3-505054503030"
],
"title": "CVE-2021-1675 Print Spooler Exploitation IPC Access"
},
{
"channel": [
"Microsoft-Windows-PrintService/Admin"
],
"event_ids": [
"808"
],
"id": "5c10c39e-b9f6-d321-3598-62095b34b663",
"level": "high",
"subcategory_guids": [],
"title": "Possible CVE-2021-1675 Print Spooler Exploitation"
},
{
"channel": [
"Application"
],
"event_ids": [
"1033"
],
"id": "8e38887f-8e20-477d-26c1-0862951ae91b",
"level": "high",
"subcategory_guids": [],
"title": "LPE InstallerFileTakeOver PoC CVE-2021-41379"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "963ed93f-0486-5cc3-afc2-caa06ef8b627",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential CVE-2021-41379 Exploitation Attempt"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "00676efc-2e92-d9a5-446a-9ba1c79c4e85",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Exploitation Attempt From Office Application"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "8e5b10ed-ce69-5075-d3d8-fbb3de65ff2f",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential CVE-2021-40444 Exploitation Attempt"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "ccdd2798-8320-c919-4e0d-210c344a3f2e",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential CVE-2021-26857 Exploitation Attempt"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "4084760d-7ac7-aa67-d486-64383ae4b98e",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential SystemNightmare Exploitation Attempt"
},
{
"channel": [
"MSExchange Management"
],
"event_ids": [
"6",
"8"
],
"id": "429ee035-2f74-8a92-ad19-a448e450bb5e",
"level": "high",
"subcategory_guids": [],
"title": "Possible Exploitation of Exchange RCE CVE-2021-42321"
},
{
"channel": [
"sec"
],
"event_ids": [
"4781"
],
"id": "17662114-5bee-2566-359c-68d830193830",
"level": "high",
"subcategory_guids": [
"0CCE9235-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Computer Account Name Change CVE-2021-42287"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "8c7a964a-71e9-b30a-6637-7a43c307510a",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "29b10082-a29d-5f77-a7da-8ef6d105ab32",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "DarkSide Ransomware Pattern"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "0704ac61-5014-80cc-4899-419448a02edf",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Goofy Guineapig Backdoor Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "f4ecb52a-58a8-1b58-2edc-0d083d0df505",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Goofy Guineapig GoolgeUpdate Process Anomaly"
},
{
"channel": [
"System"
],
"event_ids": [
"7045"
],
"id": "0375abd6-f86e-a665-27a0-501b2a1621a8",
"level": "critical",
"subcategory_guids": [],
"title": "Goofy Guineapig Backdoor Service Creation"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "8376c984-b3da-370c-ff20-3c9c0dc9f18e",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Small Sieve Malware Registry Persistence"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "d0813182-98c0-431d-4f35-12d9dc087b3b",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Small Sieve Malware CommandLine Indicator"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "35938479-283e-16c7-ff2a-78b5f267f8f6",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Devil Bait Malware Reconnaissance"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "de11bbb4-9429-4ee9-9039-d71a174c512e",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential BlackByte Ransomware Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "2efc692b-49f5-1d23-c6ca-3e4e63d3026c",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Pingback Backdoor Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "0f5f5afd-9d5f-a6e0-5374-15a232233275",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Conti Ransomware Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "cff3f656-4a93-c909-b0a0-0cbc53341fe8",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Conti Volume Shadow Listing"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "ba261ff0-33d7-32ab-4a68-618467284009",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Conti Ransomware Database Dumping Activity Via SQLCmd"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "458bad33-8cea-bc4b-b0f7-24a975aae847",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Conti NTDS Exfiltration Command"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "be68dda9-dcd8-3f19-1263-fb0ec5c4f624",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HAFNIUM Exchange Exploitation Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "a8018a36-765e-3a40-8a76-cc0bc318f8d6",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "REvil Kaseya Incident Malware Patterns"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "9c814658-2890-e222-15ec-41330fd1fad0",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "SOURGUM Actor Behaviours"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "f1b3071f-b77b-96a1-d05e-bd72395cb10c",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Exploited CVE-2020-10189 Zoho ManageEngine"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "c0043e8b-196f-b024-cb7f-b2a96354e011",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious PrinterPorts Creation (CVE-2020-1048)"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "630f16a8-0e53-642e-ff10-1e8fdeb631b8",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry"
},
{
"channel": [
"Application"
],
"event_ids": [
"4"
],
"id": "b1a2ae27-889c-aa26-1bd3-21f277008048",
"level": "high",
"subcategory_guids": [],
"title": "CVE-2020-0688 Exploitation via Eventlog"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "2160db68-9836-29f5-6e25-0d0c4c7b2f55",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "6f871e64-9f5d-28c7-fbcd-63ebfc7df770",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "DNS RCE CVE-2020-1350"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "f6378d07-9103-4e8d-742c-4c622112632a",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Blue Mockingbird"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "e3ea1348-79be-c569-ad0a-4aadcc5cc216",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Maze Ransomware Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "761c2906-a130-f6d9-4b0f-4935ac76ab80",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Ke3chang/TidePool Malware Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "0b8e16f0-ba71-e4bd-3716-69afe0091614",
"level": "critical",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "FlowCloud Registry Markers"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "aeae16e2-a1e2-dc9e-0228-60755dd9c6b7",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Emotet Rundll32 Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "dbe85609-2e67-6297-cb1d-faed3bebc059",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "EvilNum APT Golden Chickens Deployment Via OCX Files"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "66a8b7b5-8783-4815-24bb-0ad1640f23f3",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Greenbug Espionage Group Indicators"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "3f469afc-3a19-1d2e-3bb7-e4d0e8354880",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Winnti Malware HK University Campaign"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "a972ef92-1911-1a94-01aa-d73223ffb539",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Winnti Pipemon Characteristics"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "09b9f622-28c3-d403-0447-f3858c57995e",
"level": "critical",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Leviathan Registry Key Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "2e608159-dacf-a4b9-091f-28534c9424d3",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Lazarus Group Activity"
},
{
"channel": [
"Microsoft-Windows-DNS-Server/Analytical"
],
"event_ids": [
"257"
],
"id": "c8e0edae-2335-591c-7057-1ac58f03e06c",
"level": "high",
"subcategory_guids": [],
"title": "GALLIUM Artefacts - Builtin"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "c95593ac-8717-262b-cedb-792a55e2bd26",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious VBScript UN2452 Pattern"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "4a5b4327-68a3-c67b-3a03-2e238380c196",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "UNC2452 Process Creation Patterns"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "bd234da4-9181-62b1-7db3-48a5f00642b0",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "UNC2452 PowerShell Pattern"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "d560b276-ce03-f4a8-6672-12ce7b5c62b9",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "TAIDOOR RAT DLL Load"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "9a9b4771-3b2e-300a-c13e-e54163eef05a",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Elise Backdoor Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "be49803e-4da4-cf35-ee6c-374478bf4232",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "APT27 - Emissary Panda Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "0f27e458-cb56-857e-1e9a-630975f5984a",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential MuddyWater APT Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "e014543f-e989-3ed6-8927-b5f70f0fb598",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Defrag Deactivation"
},
{
"channel": [
"sec"
],
"event_ids": [
"4701"
],
"id": "e4c7a334-7ecb-ef93-85dd-49185891fb7a",
"level": "medium",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030",
"0CCE9227-69AE-11D9-BED3-505054503030"
],
"title": "Defrag Deactivation - Security"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "8b5c9860-1038-cd29-e1fe-e5ebcf52d6f0",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Sofacy Trojan Loader Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "a9a106d5-22d5-d9b2-c10f-60f4cd7e055d",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "APT29 2018 Phishing Campaign CommandLine Indicators"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "91264309-c919-28fd-5fff-f994208d1f34",
"level": "critical",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "OceanLotus Registry Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "cf360c1a-7d6f-5e83-28e6-2a8388debb83",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "TropicTrooper Campaign November 2018"
},
{
"channel": [
"sec"
],
"event_ids": [
"4698"
],
"id": "798c8f65-068a-0a31-009f-12739f547a2d",
"level": "critical",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030",
"0CCE9227-69AE-11D9-BED3-505054503030"
],
"title": "OilRig APT Schedule Task Persistence - Security"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "e3b2e8dd-18aa-f9bc-9af7-bc31d7717574",
"level": "critical",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "OilRig APT Registry Persistence"
},
{
"channel": [
"System"
],
"event_ids": [
"7045"
],
"id": "afa88090-3c0b-17fc-7061-2259abc82d2b",
"level": "critical",
"subcategory_guids": [],
"title": "OilRig APT Schedule Task Persistence - System"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "18831824-9288-e5da-ec10-093f213d54b3",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "OilRig APT Activity"
},
{
"channel": [
"Microsoft-Windows-DriverFrameworks-UserMode/Operational"
],
"event_ids": [
"2100",
"2102",
"2003"
],
"id": "12717514-9380-dabc-12b9-113f524ec3ac",
"level": "low",
"subcategory_guids": [],
"title": "USB Device Plugged"
},
{
"channel": [
"Microsoft-Windows-AppXDeploymentServer/Operational"
],
"event_ids": [
"412"
],
"id": "a902397c-6118-0a8f-7fab-3f8142297d80",
"level": "medium",
"subcategory_guids": [],
"title": "Deployment AppX Package Was Blocked By AppLocker"
},
{
"channel": [
"Microsoft-Windows-AppXDeploymentServer/Operational"
],
"event_ids": [
"854"
],
"id": "5bb0ef8b-3b9d-8a3c-30c2-0a787e54184a",
"level": "high",
"subcategory_guids": [],
"title": "Suspicious AppX Package Locations"
},
{
"channel": [
"Microsoft-Windows-AppXDeploymentServer/Operational"
],
"event_ids": [
"442",
"453",
"454",
"441"
],
"id": "c01e61dd-7cb7-acd0-c6e5-bda4c93b330c",
"level": "medium",
"subcategory_guids": [],
"title": "Deployment Of The AppX Package Was Blocked By The Policy"
},
{
"channel": [
"Microsoft-Windows-AppXDeploymentServer/Operational"
],
"event_ids": [
"854"
],
"id": "7de9c1d0-7b8e-8196-8137-8dcc13c6e960",
"level": "high",
"subcategory_guids": [],
"title": "Suspicious Remote AppX Package Locations"
},
{
"channel": [
"Microsoft-Windows-AppXDeploymentServer/Operational"
],
"event_ids": [
"854"
],
"id": "a3dbb89a-aebc-03c7-295b-ad18d5c7924b",
"level": "medium",
"subcategory_guids": [],
"title": "Uncommon AppX Package Locations"
},
{
"channel": [
"Microsoft-Windows-AppXDeploymentServer/Operational"
],
"event_ids": [
"400",
"401"
],
"id": "8f46b318-b8a3-d268-911f-318d0b43c0f9",
"level": "medium",
"subcategory_guids": [],
"title": "Potential Malicious AppX Package Installation Attempts"
},
{
"channel": [
"Microsoft-Windows-AppXDeploymentServer/Operational"
],
"event_ids": [
"401"
],
"id": "5cfde458-a9e1-f4b7-92cd-959ead47bdd3",
"level": "medium",
"subcategory_guids": [],
"title": "Suspicious AppX Package Installation Attempt"
},
{
"channel": [
"Microsoft-Windows-LSA/Operational"
],
"event_ids": [
"300"
],
"id": "7536b3d3-6765-4433-9269-2d460cb10adf",
"level": "medium",
"subcategory_guids": [],
"title": "Standard User In High Privileged Group"
},
{
"channel": [
"sec"
],
"event_ids": [
"5156"
],
"id": "41d54b25-deb6-4ea3-fbac-3f5b6e200939",
"level": "high",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Outbound Network Connection Initiated By Cmstp.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"5156"
],
"id": "b2c34a06-251e-87ee-2d3e-fae878185d34",
"level": "medium",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Uncommon Connection to Active Directory Web Services"
},
{
"channel": [
"sec"
],
"event_ids": [
"5156"
],
"id": "bc5e54c2-1b8d-cb27-3079-f47318f4ccc7",
"level": "high",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Uncommon Network Connection Initiated By Certutil.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"5156"
],
"id": "510d0486-0545-9178-93cb-5f5a8c75930b",
"level": "medium",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Wordpad Outbound Connections"
},
{
"channel": [
"sec"
],
"event_ids": [
"5156"
],
"id": "8d993d6b-e44b-0df0-91c0-6093975b69f8",
"level": "high",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Network Connection Initiated By AddinUtil.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"5156"
],
"id": "e02f9ef8-2edb-79a4-0626-b506436d7ebe",
"level": "high",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Outbound RDP Connections Over Non-Standard Tools"
},
{
"channel": [
"sec"
],
"event_ids": [
"5156"
],
"id": "7c743e5c-7a9d-ba96-9ada-1d17687e2a6d",
"level": "medium",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Uncommon Outbound Kerberos Connection"
},
{
"channel": [
"sec"
],
"event_ids": [
"5156"
],
"id": "7e448677-939e-f6d0-e901-91843a3888d7",
"level": "medium",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Local Network Connection Initiated By Script Interpreter"
},
{
"channel": [
"sec"
],
"event_ids": [
"5156"
],
"id": "5049ed9f-e700-a499-9498-5e648851d2ad",
"level": "high",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "RDP to HTTP or HTTPS Target Ports"
},
{
"channel": [
"sec"
],
"event_ids": [
"5156"
],
"id": "7ac85830-5907-5206-2d25-490b3ace5587",
"level": "high",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Potentially Suspicious Malware Callback Communication"
},
{
"channel": [
"sec"
],
"event_ids": [
"5156"
],
"id": "141fe5f1-4de3-21fd-1b09-8d53f1019340",
"level": "high",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Network Connection Initiated By Eqnedt32.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"5156"
],
"id": "a0e133b9-f055-5011-01e6-75ed480ad2da",
"level": "medium",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "RegAsm.EXE Initiating Network Connection To Public IP"
},
{
"channel": [
"sec"
],
"event_ids": [
"5156"
],
"id": "cb64ddfa-8325-dc30-db3f-e546a9b1eba5",
"level": "medium",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Python Initiated Connection"
},
{
"channel": [
"sec"
],
"event_ids": [
"5156"
],
"id": "8cf1b63a-f161-0e51-a9d2-cc697d06a5a4",
"level": "medium",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Office Application Initiated Network Connection Over Uncommon Ports"
},
{
"channel": [
"sec"
],
"event_ids": [
"5156"
],
"id": "1ba0b3d6-e0f7-98e9-4611-b307922a0766",
"level": "high",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location"
},
{
"channel": [
"sec"
],
"event_ids": [
"5156"
],
"id": "0f4d93f0-a1eb-e6cb-7d79-f38cc95a9a55",
"level": "high",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Network Connection Initiated By IMEWDBLD.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"5156"
],
"id": "94af51b6-e4c1-f780-3f48-90c3d7e35ea4",
"level": "medium",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Outbound SMTP Connections"
},
{
"channel": [
"sec"
],
"event_ids": [
"5156"
],
"id": "7983db98-5767-b29d-2652-a01fd3e751ad",
"level": "medium",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Communication To Uncommon Destination Ports"
},
{
"channel": [
"sec"
],
"event_ids": [
"5156"
],
"id": "3c6c2271-decf-a5c0-b983-edaa9cf7077d",
"level": "medium",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Outbound Network Connection To Public IP Via Winlogon"
},
{
"channel": [
"sec"
],
"event_ids": [
"5156"
],
"id": "e6f76f81-e758-4001-122c-58a3ceef02f9",
"level": "high",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Network Connection Initiated Via Notepad.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"5156"
],
"id": "fa5330d2-19f1-4167-52a0-fb622b6425f8",
"level": "high",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Outbound Network Connection Initiated By Microsoft Dialer"
},
{
"channel": [
"sec"
],
"event_ids": [
"5156"
],
"id": "e2d0c6fb-f0de-9cce-076d-f755f6ae4956",
"level": "medium",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Microsoft Sync Center Suspicious Network Connections"
},
{
"channel": [
"sec"
],
"event_ids": [
"5156"
],
"id": "4a7137e3-d863-49dd-6199-5ca7722de62e",
"level": "medium",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Rundll32 Internet Connection"
},
{
"channel": [
"sec"
],
"event_ids": [
"5156"
],
"id": "1487f05c-b749-4322-d657-d20a2eea7e47",
"level": "high",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Outbound Network Connection Initiated By Script Interpreter"
},
{
"channel": [
"sec"
],
"event_ids": [
"5156"
],
"id": "6814d247-c70b-e49e-6553-149fc21c3a81",
"level": "medium",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Network Connection Initiated By Regsvr32.EXE"
},
{
"channel": [
"sec"
],
"event_ids": [
"5156"
],
"id": "34ba9d0c-a415-a91a-013b-30158906f18c",
"level": "high",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder"
},
{
"channel": [
"sec"
],
"event_ids": [
"5156"
],
"id": "5a099129-36a4-b13b-5345-9f37b231fb5c",
"level": "medium",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Remote Access Tool - AnyDesk Incoming Connection"
},
{
"channel": [
"sec"
],
"event_ids": [
"5156"
],
"id": "81ca22c3-fdfd-6c3a-051f-dc404488536c",
"level": "high",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "RDP Over Reverse SSH Tunnel"
},
{
"channel": [
"sec"
],
"event_ids": [
"5156"
],
"id": "7c154a7f-01a0-3b2e-927d-32c452139322",
"level": "medium",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Office Application Initiated Network Connection To Non-Local IP"
},
{
"channel": [
"sec"
],
"event_ids": [
"5156"
],
"id": "f96b2d35-57da-bef8-3624-73634617eac6",
"level": "high",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Silenttrinity Stager Msbuild Activity"
},
{
"channel": [
"Microsoft-Windows-CodeIntegrity/Operational"
],
"event_ids": [
"3023"
],
"id": "3838c754-9c4c-f500-6c7d-4c73b29717a9",
"level": "high",
"subcategory_guids": [],
"title": "CodeIntegrity - Blocked Driver Load With Revoked Certificate"
},
{
"channel": [
"Microsoft-Windows-CodeIntegrity/Operational"
],
"event_ids": [
"3104"
],
"id": "c2644e00-b2a8-1e98-7dfc-bbef3a929767",
"level": "high",
"subcategory_guids": [],
"title": "CodeIntegrity - Disallowed File For Protected Processes Has Been Blocked"
},
{
"channel": [
"Microsoft-Windows-CodeIntegrity/Operational"
],
"event_ids": [
"3036"
],
"id": "6f9f7b5c-f44b-fe0a-bcb2-ff4a09bd4ccf",
"level": "high",
"subcategory_guids": [],
"title": "CodeIntegrity - Blocked Image Load With Revoked Certificate"
},
{
"channel": [
"Microsoft-Windows-CodeIntegrity/Operational"
],
"event_ids": [
"3033",
"3034"
],
"id": "f45ca591-7575-818e-9a07-7493461a33c3",
"level": "low",
"subcategory_guids": [],
"title": "CodeIntegrity - Unmet Signing Level Requirements By File Under Validation"
},
{
"channel": [
"Microsoft-Windows-CodeIntegrity/Operational"
],
"event_ids": [
"3037"
],
"id": "d6ea0e4a-9918-a082-1c5d-bd5d2a4f0b76",
"level": "high",
"subcategory_guids": [],
"title": "CodeIntegrity - Unsigned Image Loaded"
},
{
"channel": [
"Microsoft-Windows-CodeIntegrity/Operational"
],
"event_ids": [
"3035",
"3032"
],
"id": "4d4c3fb7-504c-7089-2bb3-26781191b7eb",
"level": "high",
"subcategory_guids": [],
"title": "CodeIntegrity - Revoked Image Loaded"
},
{
"channel": [
"Microsoft-Windows-CodeIntegrity/Operational"
],
"event_ids": [
"3022",
"3021"
],
"id": "4764bb53-3383-ae11-5351-b67f0001d2a5",
"level": "high",
"subcategory_guids": [],
"title": "CodeIntegrity - Revoked Kernel Driver Loaded"
},
{
"channel": [
"Microsoft-Windows-CodeIntegrity/Operational"
],
"event_ids": [
"3083",
"3082"
],
"id": "b1f60092-6ced-8775-b5dd-ac15a042e292",
"level": "high",
"subcategory_guids": [],
"title": "CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module"
},
{
"channel": [
"Microsoft-Windows-CodeIntegrity/Operational"
],
"event_ids": [
"3001"
],
"id": "23f17a2b-73ca-e465-e823-bb1d47543f6d",
"level": "high",
"subcategory_guids": [],
"title": "CodeIntegrity - Unsigned Kernel Module Loaded"
},
{
"channel": [
"Microsoft-Windows-CodeIntegrity/Operational"
],
"event_ids": [
"3077"
],
"id": "a4736e84-f507-2e6b-bc7a-573328447cbf",
"level": "high",
"subcategory_guids": [],
"title": "CodeIntegrity - Blocked Image/Driver Load For Policy Violation"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "6c99d057-c73c-6771-1c7f-a352debc5b84",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Hurricane Panda Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "1b78376c-c1d2-a830-93b1-5dee98965490",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "User Account Hidden By Registry"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "a1901cc9-34ea-0ae3-68a7-07397e0d8338",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Windows Update Client LOLBIN"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "0fce2028-5a0d-536d-eafa-a00a85f184be",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "New Lolbin Process by Office Applications"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "6ddd7376-3f18-f83d-1e75-58189e39abf1",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Stop Or Remove Antivirus Service"
},
{
"channel": [
"sec"
],
"event_ids": [
"5156"
],
"id": "58a2d80c-c77b-324c-640d-c97cf5fcbefa",
"level": "high",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Epmap Connection"
},
{
"channel": [
"sec"
],
"event_ids": [
"634",
"4730",
"4729",
"4728",
"633",
"632"
],
"id": "506379d9-8545-c010-e9a3-693119ab9261",
"level": "low",
"subcategory_guids": [
"0CCE9237-69AE-11D9-BED3-505054503030"
],
"title": "Group Modification Logging"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "62e3a364-8fcf-5d67-d080-27c37fade654",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "SyncAppvPublishingServer Execution to Bypass Powershell Restriction"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [],
"id": "12f93a4e-cd0e-18d7-6969-b345ecc8d40a",
"level": "medium",
"subcategory_guids": [],
"title": "Suspicious PowerShell Download"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "13aab741-9ea4-27bf-57c1-aac004da4b9f",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Base64 Encoded Listing of Shadowcopy"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "83f40f59-3ad9-6e41-f40d-b0c6cba08720",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Cmd Execution via WMI"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "dc28bbe4-14ec-d765-8514-2ff2ff532e24",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Bitstransfer via PowerShell"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "b7e3098a-6c20-c6d3-df75-9b07536b3310",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Activity Related to NTDS.dit Domain Hash Retrieval"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "70824154-ca31-ca8f-0cc1-045e5d217a3a",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Cmd Stream Redirection"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "62997599-6864-08ee-302c-90c1649f5e1a",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Indirect Command Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "4bea8156-6003-3037-62a5-4be1429183b9",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Indirect Command Exectuion via Forfiles"
},
{
"channel": [
"sec"
],
"event_ids": [
"4689"
],
"id": "83c2f19e-f588-1826-fc7d-cf7f4db7031a",
"level": "high",
"subcategory_guids": [
"0CCE922C-69AE-11D9-BED3-505054503030"
],
"title": "Correct Execution of Nltest.exe"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "300c09ba-ba6b-5fea-7022-567fa5593c41",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Invoke-Obfuscation Via Use Rundll32"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "ae18b229-740e-17c7-63f2-b15422d6271e",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Rundll32 Script in CommandLine"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "9ec2c364-89c8-b572-4a96-ddc786444ecf",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PowerShell AMSI Bypass Pattern"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "02e5fd82-2643-35a3-b104-51f4ef19c215",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PsExec Tool Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "79c252ba-3759-a153-7242-9f3de6ec7ba4",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Nslookup PwSh Download Cradle"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "9fcbb5dc-f858-0445-bcf4-ade441a89dc3",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "CrackMapExecWin"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "9482abf0-5008-838f-0912-a85e0c7792a7",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "SilentProcessExit Monitor Registration"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "7c470022-ced9-05c4-b9fc-5aff8e5f4dce",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Abusing Windows Telemetry For Persistence - Registry"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "dc86094c-5f6f-895a-e92a-8b82229db6b7",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious File Download Using Office Application"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "7b159be0-8034-a6cb-dcb7-f6fbcf9b2680",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Ryuk Ransomware Command Line Activity"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "5eb9df17-06bd-e2fe-8871-13bd6bd36406",
"level": "high",
"subcategory_guids": [],
"title": "PrintNightmare Powershell Exploitation"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "8994ee03-9478-bde3-ab3d-3abafad0bfd1",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Rundll32 JS RunHTMLApplication Pattern"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "86c08df9-01b6-6556-09cc-9ac6feb774e8",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Monitoring Wuauclt.exe For Lolbas Execution Of DLL"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "79389718-9e14-e5e9-1cc7-2c027078bf22",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Potential Persistence Via COM Hijacking From Suspicious Locations"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "5294a012-1f07-fe01-599b-94cf8adf630e",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Execute MSDT.EXE Using Diagcab File"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "ea79a782-319f-b5bd-9293-cab2134f5c43",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Office Security Settings Changed"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "ec8ef858-1a44-a7b3-821d-a85f6cdaa1c9",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Application Whitelisting Bypass via DLL Loaded by odbcconf.exe"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4103"
],
"id": "65efb931-2d64-dea1-b559-544498a9b6f8",
"level": "medium",
"subcategory_guids": [],
"title": "Netcat The Powershell Version - PowerShell Module"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "6e17c2a5-a828-97d2-c2f4-223c82264f3c",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Possible Applocker Bypass"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "4d7489b1-282a-3c79-a3fe-e852cdea4515",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Process Memory Dumped Via RdrLeakDiag.EXE"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "6587075c-6239-f6e1-4717-4b7972b1c086",
"level": "high",
"subcategory_guids": [],
"title": "Execution via CL_Invocation.ps1 - Powershell"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "5e1aa8a2-0c7e-a580-4093-894302350358",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Stop Windows Service"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "1b8fce80-846c-a731-f21e-d6a2823fe38c",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "MavInject Process Injection"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "105c3740-9666-1fe5-4e4f-e9e8bdf29dc1",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "WMI Reconnaissance List Remote Services"
},
{
"channel": [
"System"
],
"event_ids": [
"16"
],
"id": "f224a2b6-2db1-a1a2-42d4-25df0c460915",
"level": "high",
"subcategory_guids": [],
"title": "SAM Dump to AppData"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "f427b1c7-bbad-7bd6-bb0f-65b6170a3cb5",
"level": "high",
"subcategory_guids": [],
"title": "Execution via CL_Mutexverifiers.ps1"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "540f0d7f-8d92-2c4b-ce07-2be23d582ede",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Certutil Command Usage"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "830423bc-69e4-b19b-5474-414e4ab0c365",
"level": "low",
"subcategory_guids": [],
"title": "Suspicious Get-WmiObject"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "1b8521f9-1e64-123d-b6f0-d133e0b6f34c",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Regsvr32 Anomaly"
},
{
"channel": [
"System"
],
"event_ids": [
"7045"
],
"id": "22b90bac-a283-6153-761c-7b6059f8f250",
"level": "high",
"subcategory_guids": [],
"title": "New Service Uses Double Ampersand in Path"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "0dc4e02b-cd15-c6bf-f6ef-134ff49fa620",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "PsExec Service Start"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [],
"id": "391b98f2-3f42-0d06-a295-18a2aa29d39a",
"level": "high",
"subcategory_guids": [],
"title": "Suspicious PowerShell Invocations - Generic"
},
{
"channel": [
"sec"
],
"event_ids": [
"1102"
],
"id": "23f0b75b-66c0-4895-ae63-4243fa898109",
"level": "medium",
"subcategory_guids": [],
"title": "Security Event Log Cleared"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "63c2d41b-b587-6c55-c256-9c0bb392f0a9",
"level": "medium",
"subcategory_guids": [],
"title": "Accessing Encrypted Credentials from Google Chrome Login Database"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "0557765a-6dad-b15a-5cf0-d92eef2b33ab",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Run from a Zip File"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "c4c78b6f-2ead-8d39-dc1b-9ab4e88fc5b6",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Characters in CommandLine"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "f58bcb01-a76b-cc94-f698-29be1afd376b",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "WMI Remote Command Execution"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "113fcff8-c64d-8743-88b7-9ff2539cde7d",
"level": "low",
"subcategory_guids": [],
"title": "Powershell File and Directory Discovery"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "2b349adb-9984-0950-4917-0629c50ff73b",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Invoke-Obfuscation RUNDLL LAUNCHER"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "f9252ab9-0f85-c10d-fd51-576b83182926",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Service Binary in Uncommon Folder"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "c155c295-ca75-0671-80f9-2910740dabe7",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Lazarus Loaders"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "f378e980-dd67-4968-9df5-2ac09c718d4d",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Root Certificate Installed"
},
{
"channel": [
"sec"
],
"event_ids": [
"4660"
],
"id": "7bd85790-c82a-56af-7127-f257e5ef6c6f",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030"
],
"title": "Windows Defender Exclusion Deleted"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "20f7b927-82bf-9d38-6573-0ed63831fdc5",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Potential Persistence Via COM Search Order Hijacking"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "a08aa16a-ae4f-9e1e-7a2d-3ad02f750ff0",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Sysinternals SDelete Registry Keys"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "c21b19ea-3369-9fab-3ca6-767d24c85595",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Esentutl Use"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "74dda95a-b492-e2ee-4a33-b22a41a1cb57",
"level": "high",
"subcategory_guids": [],
"title": "AzureHound PowerShell Commands"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "22061fc3-84a3-c190-7b04-d735915a8912",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Read and Execute a File Via Cmd.exe"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "72d5e2d6-b55d-f6aa-2db3-4a5fd0d1dd98",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Excel Proxy Executing Regsvr32 With Payload"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "a6124306-bb3c-9e0e-a088-a4dee392c1ee",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Bitsadmin Job via PowerShell"
},
{
"channel": [
"Microsoft-Windows-Windows Defender/Operational"
],
"event_ids": [
"5012",
"5001",
"5010",
"5101"
],
"id": "7424bd72-6b38-f5a1-7f25-4665452ec72b",
"level": "high",
"subcategory_guids": [],
"title": "Windows Defender Threat Detection Disabled"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "10aa2f9c-45d9-5c31-ffa2-06fc745b7e33",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Trickbot Malware Reconnaissance Activity"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "124493b3-4f31-c0bb-dbe9-97f0666635ba",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Visual Basic Script Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "f4ff3d8e-34aa-51f7-6a8e-5081ec934b65",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Registry Dump of SAM Creds and Secrets"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "cb56735d-37c1-c9ff-010a-4f31ee20e531",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Add Scheduled Task From User AppData Temp"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "13dc41d6-0489-5505-887a-c3bc11ddec90",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "RClone Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "405d20b3-771f-a808-6794-c0aae7cf9cf6",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential Xor Encoded PowerShell Command"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "0f27e458-cb56-857e-1e9a-630975f5984a",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "DNS Tunnel Technique from MuddyWater"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "f3c0ce89-d7e4-b1be-b79d-265254701fe6",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "New Service Creation"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "5ffab4e3-fa0b-4adc-c733-2754d5d2e20a",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Office Applications Spawning Wmi Cli Alternate"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [],
"id": "349e3bb4-b72b-193d-810e-7d9c145b863e",
"level": "medium",
"subcategory_guids": [],
"title": "SyncAppvPublishingServer Execution to Bypass Powershell Restriction"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "a3b6ca34-23c2-eedd-8733-1294655ca76a",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Malicious Base64 Encoded Powershell Invoke Cmdlets"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [
"4104"
],
"id": "47d13687-edae-dafa-bdab-416474c95f53",
"level": "critical",
"subcategory_guids": [],
"title": "Dnscat Execution"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "4973dea2-3985-affa-babc-f0c00821d2a1",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Credential Acquisition via Registry Hive Dumping"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "528921e1-f356-7cca-49a4-c5e1402eb356",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Lazarus Activity Apr21"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "b8939982-1774-1f45-f838-7bf9ac9be3c2",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Autorun Keys Modification"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "2d9870fb-01d3-f66f-b058-9bd90d56418d",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential PowerShell Base64 Encoded Shellcode"
},
{
"channel": [
"pwsh",
"pwsh"
],
"event_ids": [],
"id": "3db961f4-6217-4957-b717-e5955c82d6e5",
"level": "high",
"subcategory_guids": [],
"title": "Suspicious PowerShell Invocations - Specific"
},
{
"channel": [
"sec"
],
"event_ids": [
"4674"
],
"id": "6683ccd7-da7a-b988-1683-7f7a1bf72bf6",
"level": "low",
"subcategory_guids": [
"0CCE9229-69AE-11D9-BED3-505054503030"
],
"title": "Lateral Movement Indicator ConDrv"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "9586750a-6351-1543-241d-6d76087e4b01",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Run Whoami as SYSTEM"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "9b2384e8-4067-f192-274f-73d711fc193f",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Excel Proxy Executing Regsvr32 With Payload Alternate"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "9f2a9424-8e85-d783-1735-f72375b3b6d8",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "APT29"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "d5dc5032-aa74-54e8-76e0-3d264adc2ea0",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Domain Trust Discovery"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "0bca1760-51b3-cdf0-9756-923f2be12c94",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "WMI Execution Via Office Process"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "5f55c592-7555-3ca2-5d49-f1b7b74454ab",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Wscript Execution from Non C Drive"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "24e2ce91-6438-41b5-d23e-48e775ae72bd",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Process Start From Suspicious Folder"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "84bff3a1-2282-883e-eaff-6e74ffbf1e5f",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Execution of Sc to Delete AV Services"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "f7b13249-d828-2008-3a24-1364b5609ab5",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Abusing Findstr for Defense Evasion"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "0a67f769-527a-e79d-fa05-a4bbdcd6fcc4",
"level": "critical",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "TA505 Dropper Load Pattern"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "af42e8c8-7702-f542-d278-68bf89a26251",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Winword.exe Loads Suspicious DLL"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "807db7b2-c1e5-520b-2e63-7b2c400be00d",
"level": "high",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Execution via MSSQL Xp_cmdshell Stored Procedure"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "6c44673b-8c80-9ce9-718d-46f34b17ffcc",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Adwind RAT / JRAT - Registry"
},
{
"channel": [
"sec"
],
"event_ids": [
"4688"
],
"id": "6dd18e44-e4a2-1c08-3d0e-f4dc7e2fa9cc",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Squirrel Lolbin"
},
{
"channel": [
"sec"
],
"event_ids": [
"4657"
],
"id": "d226853e-3dbf-ce71-60c1-5458858abbbc",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Disable Microsoft Office Security Features"
},
{
"channel": [
"Microsoft-Windows-Diagnosis-Scripted/Operational"
],
"event_ids": [
"101"
],
"id": "b0e8486c-73f6-e1ba-9684-acba841c2719",
"level": "high",
"subcategory_guids": [],
"title": "Loading Diagcab Package From Remote Path"
}
]
Reference in New Issue View Git Blame Copy Permalink