- CurrentVersion Autorun Keys Modification
- COM Hijacking via TreatAs
- Potential Registry Persistence Attempt Via DbgManagedDebugger
- Potential Attachment Manager Settings Attachments Tamper
- Enabling COR Profiler Environment Variables
- System Scripts Autorun Keys Modification
- Outlook Security Settings Updated - Registry
- Wow6432Node CurrentVersion Autorun Keys Modification
- Execution DLL of Choice Using WAB.EXE
- Suspicious Application Allowed Through Exploit Guard
- Potential Persistence Via Custom Protocol Handler
- Add Debugger Entry To AeDebug For Persistence
- Potentially Suspicious Desktop Background Change Via Registry
- Potential PendingFileRenameOperations Tampering
- Potential Persistence Via GlobalFlags
- Potential Attachment Manager Settings Associations Tamper
- Hiding User Account Via SpecialAccounts Registry Key
- Registry Persistence via Explorer Run Key
- Potential CobaltStrike Service Installations - Registry
- RestrictedAdminMode Registry Value Tampering
- Lsass Full Dump Request Via DumpType Registry Settings
- Hypervisor Enforced Paging Translation Disabled
- Wdigest Enable UseLogonCredential
- DHCP Callout DLL Installation
- Potential Persistence Via Outlook Today Page
- New Application in AppCompat
- New BgInfo.EXE Custom DB Path Registry Configuration
- Disabled Windows Defender Eventlog
- Disable Tamper Protection on Windows Defender
- Potential Credential Dumping Attempt Using New NetworkProvider - REG
- Potential Persistence Via AppCompat RegisterAppRestart Layer
- Internet Explorer Autorun Keys Modification
- Change User Account Associated with the FAX Service
- Disable PUA Protection on Windows Defender
- Potential PSFactoryBuffer COM Hijacking
- Suspicious Path In Keyboard Layout IME File Registry Value
- Blackbyte Ransomware Registry
- Potential Persistence Via DLLPathOverride
- Scheduled TaskCache Change by Uncommon Program
- Potential Persistence Via Shim Database Modification
- Potential Ransomware Activity Using LegalNotice Message
- Potential Persistence Via Netsh Helper DLL - Registry
- Suspicious Powershell In Registry Run Keys
- COM Object Hijacking Via Modification Of Default System CLSID Default Value
- Change Winevt Channel Access Permission Via Registry
- Outlook Macro Execution Without Warning Setting Enabled
- Enable LM Hash Storage
- Office Macros Warning Disabled
- Blue Mockingbird - Registry
- Bypass UAC Using DelegateExecute
- Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting
- Disable Exploit Guard Network Protection on Windows Defender
- Change the Fax Dll
- Internet Explorer DisableFirstRunCustomize Enabled
- Old TLS1.0/TLS1.1 Protocol Version Enabled
- Register New IFilter For Persistence
- IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols
- Suspicious Service Installed
- PowerShell Logging Disabled Via Registry Key Tampering
- Potential Persistence Via Event Viewer Events.asp
- Periodic Backup For System Registry Hives Enabled
- Potential Persistence Via Scrobj.dll COM Hijacking
- Running Chrome VPN Extensions via the Registry 2 VPN Extension
- New File Association Using Exefile
- Potential EventLog File Location Tampering
- UAC Bypass via Event Viewer
- ETW Logging Disabled In .NET Processes - Sysmon Registry
- Potential Persistence Via Excel Add-in - Registry
- Potential Persistence Via MyComputer Registry Keys
- New Root or CA or AuthRoot Certificate to Store
- Potential Persistence Via CHM Helper DLL
- New Netsh Helper DLL Registered From A Suspicious Location
- Potential Persistence Via COM Search Order Hijacking
- Suspicious Keyboard Layout Load
- Sysmon Driver Altitude Change
- Allow RDP Remote Assistance Feature
- Potential Persistence Via LSA Extensions
- RDP Sensitive Settings Changed
- Registry Disable System Restore
- VBScript Payload Stored in Registry
- New TimeProviders Registered With Uncommon DLL Name
- Office Autorun Keys Modification
- Hypervisor Enforced Code Integrity Disabled
- Disable Windows Defender Functionalities Via Registry Keys
- Bypass UAC Using SilentCleanup Task
- Classes Autorun Keys Modification
- Potential SentinelOne Shell Context Menu Scan Command Tampering
- Potential AutoLogger Sessions Tampering
- Registry Modification to Hidden File Extension
- Winget Admin Settings Modification
- CurrentVersion NT Autorun Keys Modification
- Potential Persistence Via Shim Database In Uncommon Location
- ServiceDll Hijack
- WinSock2 Autorun Keys Modification
- Add Port Monitor Persistence in Registry
- Persistence Via Disk Cleanup Handler - Autorun
- DNS-over-HTTPS Enabled by Registry
- Scripted Diagnostics Turn Off Check Enabled - Registry
- Activate Suppression of Windows Security Center Notifications
- Persistence Via Hhctrl.ocx
- New BgInfo.EXE Custom VBScript Registry Configuration
- CurrentControlSet Autorun Keys Modification
- CrashControl CrashDump Disabled
- New BgInfo.EXE Custom WMI Query Registry Configuration
- Trust Access Disable For VBApplications
- Potential Registry Persistence Attempt Via Windows Telemetry
- Potential Persistence Via App Paths Default Property
- RDP Sensitive Settings Changed to Zero
- Macro Enabled In A Potentially Suspicious Document
- Bypass UAC Using Event Viewer
- Potential Persistence Via Mpnotify
- Potentially Suspicious ODBC Driver Registered
- Potential Persistence Via Visual Studio Tools for Office
- Uncommon Microsoft Office Trusted Location Added
- Modify User Shell Folders Startup Value
- Disable Administrative Share Creation at Startup
- MaxMpxCt Registry Value Changed
- New ODBC Driver Registered
- Wow6432Node Classes Autorun Keys Modification
- Uncommon Extension In Keyboard Layout IME File Registry Value
- Persistence Via New SIP Provider
- Potential Persistence Via AutodialDLL
- Custom File Open Handler Executes PowerShell
- ClickOnce Trust Prompt Tampering
- Windows Recall Feature Enabled - Registry
- COM Hijack via Sdclt
- Service Binary in Suspicious Folder
- Suspicious Printer Driver Empty Manufacturer
- Potential PowerShell Execution Policy Tampering
- UAC Bypass via Sdclt
- New RUN Key Pointing to Suspicious Folder
- Potential AMSI COM Server Hijacking
- Windows Defender Exclusions Added - Registry
- Potential Persistence Via Outlook Home Page
- ETW Logging Disabled For rpcrt4.dll
- UAC Bypass Using Windows Media Player - Registry
- Potential Persistence Using DebugPath
- Windows Defender Service Disabled - Registry
- PowerShell Script Execution Policy Enabled
- UAC Notification Disabled
- Add DisallowRun Execution to Registry
- Disable Macro Runtime Scan Scope
- Registry Hide Function from User
- Outlook EnableUnsafeClientMailRules Setting Enabled - Registry
- Potential Persistence Via TypedPaths
- PowerShell as a Service in Registry
- Usage of Renamed Sysinternals Tools - RegistrySet
- IE Change Domain Zone
- Tamper With Sophos AV Registry Keys
- Disable Windows Event Logging Via Registry
- Potential WerFault ReflectDebugger Registry Value Abuse
- Winlogon AllowMultipleTSSessions Enable
- Registry Persistence via Service in Safe Mode
- ScreenSaver Registry Key Set
- ETW Logging Disabled For SCM
- Potential Signing Bypass Via Windows Developer Features - Registry
- Disable Internal Tools or Feature in Registry
- UAC Bypass Abusing Winsat Path Parsing - Registry
- Disable Windows Security Center Notifications
- Disable Privacy Settings Experience in Registry
- Hide Schedule Task Via Index Value Tamper
- Suspicious Shim Database Patching Activity
- Lolbas OneDriveStandaloneUpdater.exe Proxy Download
- Wow6432Node Windows NT CurrentVersion Autorun Keys Modification
- UAC Secure Desktop Prompt Disabled
- Common Autorun Keys Modification
- Session Manager Autorun Keys Modification
- Displaying Hidden Files Feature Disabled
- Directory Service Restore Mode (DSRM) Registry Value Tampering
- Microsoft Office Protected View Disabled
- Winlogon Notify Key Logon Persistence
- Enable Local Manifest Installation With Winget
- Suspicious Environment Variable Has Been Registered
- Disable Windows Firewall by Registry
- Default RDP Port Changed to Non Standard Port
- NET NGenAssemblyUsageLog Registry Key Tamper
- Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG
- UAC Disabled
- Add Debugger Entry To Hangs Key For Persistence
- New DNS ServerLevelPluginDll Installed
- Registry Explorer Policy Modification
- Modification of IE Registry Settings
- Disable Microsoft Defender Firewall via Registry
- Enable Microsoft Dynamic Data Exchange
- Folder Removed From Exploit Guard ProtectedFolders List - Registry
- Removal Of SD Value to Hide Schedule Task - Registry
- Terminal Server Client Connection History Cleared - Registry
- Removal of Potential COM Hijacking Registry Keys
- Removal Of AMSI Provider Registry Keys
- Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted
- Removal Of Index Value to Hide Schedule Task - Registry
- Atbroker Registry Change
- New PortProxy Registry Entry Added
- New DLL Added to AppCertDlls Registry Key
- Windows Registry Trust Record Modification
- PrinterNightmare Mimikatz Driver Name
- Registry Persistence Mechanisms in Recycle Bin
- Shell Open Registry Keys Manipulation
- Run Once Task Configuration in Registry
- Narrator's Feedback-Hub Persistence
- Creation of a Local Hidden User Account by Registry
- UAC Bypass Via Wsreset
- New DLL Added to AppInit_DLLs Registry Key
- Esentutl Volume Shadow Copy Service Keys
- Registry Entries For Azorult Malware
- Potential Qakbot Registry Activity
- Windows Credential Editor Registry
- Path To Screensaver Binary Modified
- Disable Security Events Logging Adding Reg Key MiniNt
- Office Application Startup - Office Test
- Suspicious Run Key from Download
- HybridConnectionManager Service Installation - Registry
- Security Support Provider (SSP) Added to LSA Configuration
- Potential Credential Dumping Via LSASS SilentProcessExit Technique
- Suspicious Camera and Microphone Access
- Wdigest CredGuard Registry Modification
- RedMimicry Winnti Playbook Registry Manipulation
- Pandemic Registry Key
- Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback
- Sticky Key Like Backdoor Usage - Registry
- DLL Load via LSASS
- NetNTLM Downgrade Attack - Registry
- WINEKEY Registry Modification
- CMSTP Execution Registry Event
- PUA - Sysinternals Tools Execution - Registry
- Suspicious Execution Of Renamed Sysinternals Tools - Registry
- Potential NetWire RAT Activity - Registry
- Potential COM Object Hijacking Via TreatAs Subkey - Registry
- PUA - Sysinternal Tool Execution - Registry
- Potential Persistence Via New AMSI Providers - Registry
- Potential Persistence Via Disk Cleanup Handler - Registry
- Potential Persistence Via Logon Scripts - Registry
- Vulnerable WinRing0 Driver Load
- Driver Load From A Temporary Directory
- PUA - Process Hacker Driver Load
- PUA - System Informer Driver Load
- Malicious Driver Load By Name
- Vulnerable Driver Load
- Vulnerable Driver Load By Name
- Malicious Driver Load
- Vulnerable HackSys Extreme Vulnerable Driver Load
- WinDivert Driver Load
- Suspicious Cobalt Strike DNS Beaconing - Sysmon
- Cloudflared Tunnels Related DNS Requests
- DNS Query To AzureWebsites.NET By Non-Browser Process
- AppX Package Installation Attempts Via AppInstaller.EXE
- Suspicious DNS Query for IP Lookup Service APIs
- TeamViewer Domain Query By Non-TeamViewer Application
- DNS Server Discovery Via LDAP Query
- DNS Query To Devtunnels Domain
- DNS HybridConnectionManager Service Bus
- DNS Query Tor .Onion Address - Sysmon
- DNS Query To Ufile.io
- DNS Query for Anonfiles.com Domain - Sysmon
- DNS Query To MEGA Hosting Website
- DNS Query To Visual Studio Code Tunnels Domain
- DNS Query Request To OneLaunch Update Service
- DNS Query Request By Regsvr32.EXE
- DNS Query To Remote Access Software Domain From Non-Browser App
- Malicious Named Pipe Created
- CobaltStrike Named Pipe Patterns
- PUA - RemCom Default Named Pipe
- ADFS Database Named Pipe Connection By Uncommon Tool
- CobaltStrike Named Pipe Pattern Regex
- PUA - PAExec Default Named Pipe
- PUA - CSExec Default Named Pipe
- HackTool - CoercedPotato Named Pipe Creation
- HackTool - EfsPotato Named Pipe Creation
- HackTool - DiagTrackEoP Default Named Pipe
- HackTool - Koh Default Named Pipe
- CobaltStrike Named Pipe
- Alternate PowerShell Hosts Pipe
- PsExec Tool Execution From Suspicious Locations - PipeName
- WMI Event Consumer Created Named Pipe
- HackTool - Credential Dumping Tools Named Pipe Created
- New PowerShell Instance Created
- Sysmon Configuration Modification
- Sysmon Configuration Change
- Sysmon Blocked File Shredding
- Sysmon Configuration Error
- Sysmon File Executable Creation Detected
- Sysmon Blocked Executable
- Remote Thread Creation By Uncommon Source Image
- Remote Thread Created In KeePass.EXE
- Remote Thread Created In Shell Application
- Remote Thread Creation Via PowerShell In Uncommon Target
- HackTool - CACTUSTORCH Remote Thread Creation
- HackTool - Potential CobaltStrike Process Injection
- Password Dumper Remote Thread in LSASS
- Remote Thread Creation In Mstsc.Exe From Suspicious Location
- Remote Thread Creation Ttdinject.exe Proxy
- Potential Credential Dumping Attempt Via PowerShell Remote Thread
- Remote Thread Creation In Uncommon Target Image
- Rare Remote Thread Creation By Uncommon Source Image
- HackTool - QuarksPwDump Dump File
- LiveKD Driver Creation By Uncommon Process
- New Outlook Macro Created
- Suspicious Executable File Creation
- Office Macro File Creation From Suspicious Process
- File Creation In Suspicious Directory By Msdt.EXE
- Potentially Suspicious DMP/HDMP File Creation
- UAC Bypass Using IDiagnostic Profile - File
- Assembly DLL Creation Via AspNetCompiler
- AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File
- Suspicious Desktopimgdownldr Target File
- Installation of TeamViewer Desktop
- HackTool - SafetyKatz Dump Indicator
- RDP File Creation From Suspicious Application
- UAC Bypass Using Windows Media Player - File
- Suspicious Interactive PowerShell as SYSTEM
- Legitimate Application Dropped Archive
- PowerShell Module File Created
- UAC Bypass Abusing Winsat Path Parsing - File
- Suspicious ASPX File Drop by Exchange
- Self Extraction Directive File Created In Potentially Suspicious Location
- Suspicious PROCEXP152.sys File Created In TMP
- Suspicious Binary Writes Via AnyDesk
- WinSxS Executable File Creation By Non-System Process
- Suspicious File Creation In Uncommon AppData Folder
- DLL Search Order Hijacking Via Additional Space in Path
- Advanced IP Scanner - File Event
- VHD Image Download Via Browser
- LiveKD Kernel Memory Dump File Created
- Suspicious Screensaver Binary File Creation
- Creation of a Diagcab
- GatherNetworkInfo.VBS Reconnaissance Script Output
- RemCom Service File Creation
- Anydesk Temporary Artefact
- Suspicious Creation with Colorcpl
- HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators
- Process Monitor Driver Creation By Non-Sysinternals Binary
- Potential Persistence Via Microsoft Office Startup Folder
- Process Explorer Driver Creation By Non-Sysinternals Binary
- Creation of an WerFault.exe in Unusual Folder
- WMI Persistence - Script Event Consumer File Write
- Suspicious Startup Folder Persistence
- Startup Folder File Write
- PsExec Service File Creation
- Potential Persistence Via Microsoft Office Add-In
- OneNote Attachment File Dropped In Suspicious Location
- Suspicious DotNET CLR Usage Log Artifact
- NTDS.DIT Created
- PSScriptPolicyTest Creation By Uncommon Process
- Potential Winnti Dropper Activity
- UEFI Persistence Via Wpbbin - FileCreation
- PDF File Created By RegEdit.EXE
- PowerShell Module File Created By Non-PowerShell Process
- PCRE.NET Package Temp Files
- Potential DCOM InternetExplorer.Application DLL Hijack
- Adwind RAT / JRAT File Artifact
- TeamViewer Remote Session
- Malicious DLL File Dropped in the Teams or OneDrive Folder
- Potential Homoglyph Attack Using Lookalike Characters in Filename
- WerFault LSASS Process Memory Dump
- Legitimate Application Dropped Executable
- NTDS.DIT Creation By Uncommon Process
- Writing Local Admin Share
- Suspicious MSExchangeMailboxReplication ASPX Write
- Files With System Process Name In Unsuspected Locations
- HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-Secretsdump
- UAC Bypass Using IEInstal - File
- Publisher Attachment File Dropped In Suspicious Location
- Potential Binary Or Script Dropper Via PowerShell
- Windows Shell/Scripting Application File Write to Suspicious Folder
- Uncommon File Created In Office Startup Folder
- DPAPI Backup Keys And Certificate Export Activity IOC
- HackTool - Mimikatz Kirbi File Creation
- Potential Persistence Via Notepad++ Plugins
- Malicious PowerShell Scripts - FileCreation
- Dynamic CSharp Compile Artefact
- LSASS Process Memory Dump Creation Via Taskmgr.EXE
- PSEXEC Remote Execution File Artefact
- LSASS Process Memory Dump Files
- UAC Bypass Using NTFS Reparse Point - File
- Suspicious Scheduled Task Write to System32 Tasks
- ISO or Image Mount Indicator in Recent Files
- Creation Exe for Service with Unquoted Path
- Windows Terminal Profile Settings Modification By Uncommon Process
- Suspicious Files in Default GPO Folder
- SCR File Write Event
- Wmiprvse Wbemcomn DLL Hijack - File
- PowerShell Script Dropped Via PowerShell.EXE
- Potential Suspicious PowerShell Module File Created
- Potential Webshell Creation On Static Website
- UAC Bypass Using EventVwr
- Suspicious desktop.ini Action
- ScreenConnect Temporary Installation Artefact
- PowerShell Profile Modification
- Potential Persistence Via Outlook Form
- Rclone Config File Creation
- Potential RipZip Attack on Startup Folder
- CSExec Service File Creation
- Suspicious PFX File Creation
- UAC Bypass Using MSConfig Token Modification - File
- Octopus Scanner Malware
- Hijack Legit RDP Session to Move Laterally
- Files With System DLL Name In Unsuspected Locations
- Renamed VsCode Code Tunnel Execution - File Indicator
- Windows Binaries Write Suspicious Extensions
- New Custom Shim Database Created
- UAC Bypass Using Consent and Comctl32 - File
- Potential Startup Shortcut Persistence Via PowerShell.EXE
- Cred Dump Tools Dropped Files
- HackTool - Inveigh Execution Artefacts
- Legitimate Application Dropped Script
- Potential Persistence Attempt Via ErrorHandler.Cmd
- Suspicious LNK Double Extension File Created
- NTDS.DIT Creation By Uncommon Parent Process
- File With Uncommon Extension Created By An Office Application
- Created Files by Microsoft Sync Center
- HackTool - CrackMapExec File Indicators
- Uncommon File Creation By Mysql Daemon Process
- HackTool - Typical HiveNightmare SAM File Export
- Suspicious Outlook Macro Created
- UAC Bypass Using .NET Code Profiler on MMC
- Suspicious File Creation Activity From Fake Recycle.Bin Folder
- LSASS Process Dump Artefact In CrashDumps Folder
- Wmiexec Default Output File
- ISO File Created Within Temp Folders
- Drop Binaries Into Spool Drivers Color Folder
- Suspicious File Drop by Exchange
- LiveKD Driver Creation
- HackTool - Dumpert Process Dumper Default File
- ADSI-Cache File Creation By Uncommon Tool
- Office Macro File Creation
- Potential Privilege Escalation Attempt Via .Exe.Local Technique
- Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream
- Suspicious Get-Variable.exe Creation
- WScript or CScript Dropper - File
- Suspicious Double Extension Files
- Potential Initial Access via DLL Search Order Hijacking
- Suspicious File Created Via OneNote Application
- Office Macro File Download
- HackTool - Powerup Write Hijack DLL
- Visual Studio Code Tunnel Remote File Creation
- EVTX Created In Uncommon Location
- VsCode Powershell Profile Modification
- BloodHound Collection Files
- HackTool - NPPSpy Hacktool Usage
- Suspicious Creation TXT File in User Desktop
- GoToAssist Temporary Installation Artefact
- Creation Of Non-Existent System DLL
- Suspicious File Created In PerfLogs
- Remote Access Tool - ScreenConnect Temporary File
- NTDS Exfiltration Filename Patterns
- Potential SAM Database Dump
- Suspicious Appended Extension
- Access To Windows DPAPI Master Keys By Uncommon Applications
- Credential Manager Access By Uncommon Applications
- Access To Potentially Sensitive Sysvol Files By Uncommon Applications
- Access To Crypto Currency Wallets By Uncommon Applications
- Microsoft Teams Sensitive File Access By Uncommon Applications
- Access To Windows Credential History File By Uncommon Applications
- File Creation Date Changed to Another Year
- Unusual File Modification by dns.exe
- Prefetch File Deleted
- Backup Files Deleted
- Unusual File Deletion by Dns.exe
- IIS WebServer Access Logs Deleted
- ADS Zone.Identifier Deleted By Uncommon Application
- Exchange PowerShell Cmdlet History Deleted
- Potential PrintNightmare Exploitation Attempt
- TeamViewer Log File Deleted
- EventLog EVTX File Deleted
- Tomcat WebServer Logs Deleted
- File Deleted Via Sysinternals SDelete
- PowerShell Console History Logs Deleted
- Potentially Suspicious Self Extraction Directive File Created
- DLL Execution Via Register-cimprovider.exe
- Windows Kernel Debugger Execution
- Windows Internet Hosted WebDav Share Mount Via Net.EXE
- Uninstall Crowdstrike Falcon Sensor
- Powershell Defender Disable Scan Feature
- UAC Bypass Using ChangePK and SLUI
- UtilityFunctions.ps1 Proxy Dll
- Process Creation Using Sysnative Folder
- New Generic Credentials Added Via Cmdkey.EXE
- Sysmon Driver Unloaded Via Fltmc.EXE
- Suspicious Greedy Compression Using Rar.EXE
- PUA - Wsudo Suspicious Execution
- Esentutl Steals Browser Information
- PUA - AdvancedRun Execution
- LSASS Process Reconnaissance Via Findstr.EXE
- Suspicious Splwow64 Without Params
- Potential Arbitrary Command Execution Using Msdt.EXE
- Suspicious Key Manager Access
- HackTool - Rubeus Execution
- Uncommon System Information Discovery Via Wmic.EXE
- Diskshadow Script Mode - Uncommon Script Extension Execution
- Suspicious RDP Redirect Using TSCON
- Suspicious Redirection to Local Admin Share
- Rar Usage with Password and Compression Level
- Add Windows Capability Via PowerShell Cmdlet
- Suspicious Certreq Command to Download
- Potential SPN Enumeration Via Setspn.EXE
- Suspicious Windows Update Agent Empty Cmdline
- New Kernel Driver Via SC.EXE
- Unmount Share Via Net.EXE
- Console CodePage Lookup Via CHCP
- HackTool - EDRSilencer Execution
- Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location
- RDP Connection Allowed Via Netsh.EXE
- HTML Help HH.EXE Suspicious Child Process
- Computer Discovery And Export Via Get-ADComputer Cmdlet
- Suspicious MSHTA Child Process
- Potential DLL Sideloading Via DeviceEnroller.EXE
- Visual Studio Code Tunnel Service Installation
- Renamed PingCastle Binary Execution
- Fsutil Drive Enumeration
- HackTool - Bloodhound/Sharphound Execution
- PUA - Seatbelt Execution
- Screen Capture Activity Via Psr.EXE
- System Network Connections Discovery Via Net.EXE
- Remote Access Tool - ScreenConnect Execution
- New Process Created Via Taskmgr.EXE
- Potential Fake Instance Of Hxtsr.EXE Executed
- HackTool - SharPersist Execution
- Suspicious RunAs-Like Flag Combination
- Suspicious Process Patterns NTDS.DIT Exfil
- User Added to Local Administrators Group
- Renamed Sysinternals Sdelete Execution
- Potentially Suspicious Usage Of Qemu
- Abuse of Service Permissions to Hide Services Via Set-Service
- Proxy Execution Via Wuauclt.EXE
- Port Forwarding Activity Via SSH.EXE
- Chopper Webshell Process Pattern
- Suspicious SYSTEM User Process Creation
- New Remote Desktop Connection Initiated Via Mstsc.EXE
- Use of Scriptrunner.exe
- Suspect Svchost Activity
- Suspicious Mstsc.EXE Execution With Local RDP File
- New Port Forwarding Rule Added Via Netsh.EXE
- Suspicious Rundll32 Invoking Inline VBScript
- Remote PowerShell Session Host Process (WinRM)
- HackTool - Empire PowerShell Launch Parameters
- Terminal Service Process Spawn
- HackTool - Certipy Execution
- Suspicious UltraVNC Execution
- Lolbin Unregmp2.exe Use As Proxy
- Cloudflared Tunnel Execution
- Findstr GPP Passwords
- PowerShell DownloadFile
- Renamed Remote Utilities RAT (RURAT) Execution
- WhoAmI as Parameter
- Explorer NOUACCHECK Flag
- HackTool - Sliver C2 Implant Activity Pattern
- Using SettingSyncHost.exe as LOLBin
- Suspicious PowerShell IEX Execution Patterns
- Suspicious WMIC Execution Via Office Process
- Windows Shell/Scripting Processes Spawning Suspicious Programs
- Potentially Suspicious WebDAV LNK Execution
- Msxsl.EXE Execution
- Wab Execution From Non Default Location
- New ActiveScriptEventConsumer Created Via Wmic.EXE
- Potential Commandline Obfuscation Using Escape Characters
- File Download And Execution Via IEExec.EXE
- Sdclt Child Processes
- Wusa.EXE Extracting Cab Files From Suspicious Paths
- Rundll32 Spawned Via Explorer.EXE
- Suspicious Reg Add BitLocker
- Suspicious ZipExec Execution
- Rundll32 Execution Without Parameters
- Potential Signing Bypass Via Windows Developer Features
- Suspicious Child Process Of Manage Engine ServiceDesk
- User Added To Highly Privileged Group
- HackTool - LocalPotato Execution
- Greedy File Deletion Using Del
- Suspicious PowerShell Encoded Command Patterns
- UAC Bypass Using NTFS Reparse Point - Process
- Renamed BrowserCore.EXE Execution
- Potential Network Sniffing Activity Using Network Tools
- UEFI Persistence Via Wpbbin - ProcessCreation
- Malicious Base64 Encoded PowerShell Keywords in Command Lines
- Psexec Execution
- Interesting Service Enumeration Via Sc.EXE
- Chromium Browser Instance Executed With Custom Extension
- Suspicious Service DACL Modification Via Set-Service Cmdlet
- PUA - NPS Tunneling Tool Execution
- Indirect Command Execution From Script File Via Bash.EXE
- Remote Access Tool - Anydesk Execution From Suspicious Folder
- Suspicious Processes Spawned by WinRM
- Suspicious Windows Defender Registry Key Tampering Via Reg.EXE
- Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet
- Potential Data Exfiltration Activity Via CommandLine Tools
- ManageEngine Endpoint Central Dctask64.EXE Potential Abuse
- Remote Access Tool - RURAT Execution From Unusual Location
- Use of FSharp Interpreters
- SQLite Chromium Profile Data DB Access
- Potentially Suspicious ASP.NET Compilation Via AspNetCompiler
- HackTool - XORDump Execution
- Suspicious WebDav Client Execution Via Rundll32.EXE
- TrustedPath UAC Bypass Pattern
- Renamed Msdt.EXE Execution
- Process Access via TrolleyExpress Exclusion
- Potential Product Reconnaissance Via Wmic.EXE
- Suspicious Download Via Certutil.EXE
- Suspicious Modification Of Scheduled Tasks
- Sensitive File Dump Via Wbadmin.EXE
- Odbcconf.EXE Suspicious DLL Location
- Replace.exe Usage
- Microsoft IIS Service Account Password Dumped
- Suspicious Copy From or To System Directory
- MsiExec Web Install
- Suspicious GUP Usage
- Security Privileges Enumeration Via Whoami.EXE
- Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)
- Weak or Abused Passwords In CLI
- Suspicious PowerShell Download and Execute Pattern
- Change Default File Association Via Assoc
- Suspicious Rundll32 Execution With Image Extension
- Query Usage To Exfil Data
- PowerShell Download and Execution Cradles
- Potential Execution of Sysinternals Tools
- Suspicious WindowsTerminal Child Processes
- Service StartupType Change Via PowerShell Set-Service
- Suspicious Download from Office Domain
- Response File Execution Via Odbcconf.EXE
- Service Started/Stopped Via Wmic.EXE
- PowerShell Execution With Potential Decryption Capabilities
- HackTool - TruffleSnout Execution
- UAC Bypass Tools Using ComputerDefaults
- Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution
- PowerShell Set-Acl On Windows Folder
- Execute Code with Pester.bat as Parent
- Non-privileged Usage of Reg or Powershell
- Powershell Inline Execution From A File
- Non Interactive PowerShell Process Spawned
- Nltest.EXE Execution
- New User Created Via Net.EXE
- File Download Via Bitsadmin To An Uncommon Target Folder
- Exchange PowerShell Snap-Ins Usage
- Harvesting Of Wifi Credentials Via Netsh.EXE
- HackTool - KrbRelay Execution
- Application Whitelisting Bypass via Dxcap.exe
- UAC Bypass Using PkgMgr and DISM
- Local File Read Using Curl.EXE
- Active Directory Database Snapshot Via ADExplorer
- Powershell Token Obfuscation - Process Creation
- Disable Important Scheduled Task
- New Service Creation Using PowerShell
- Potential Persistence Via Logon Scripts - CommandLine
- Suspicious NTLM Authentication on the Printer Spooler Service
- Invoke-Obfuscation Via Stdin
- Suspicious Child Process of AspNetCompiler
- Potential MSTSC Shadowing Activity
- Suspicious PowerShell Parameter Substring
- Service StartupType Change Via Sc.EXE
- SQL Client Tools PowerShell Session Detection
- Active Directory Structure Export Via Csvde.EXE
- Suspicious Manipulation Of Default Accounts Via Net.EXE
- Hardware Model Reconnaissance Via Wmic.EXE
- Remote Access Tool - UltraViewer Execution
- Use of OpenConsole
- Curl Web Request With Potential Custom User-Agent
- NtdllPipe Like Activity Execution
- Suspicious File Encoded To Base64 Via Certutil.EXE
- Potential SysInternals ProcDump Evasion
- Taskmgr as LOCAL_SYSTEM
- Windows Credential Manager Access via VaultCmd
- Firewall Rule Deleted Via Netsh.EXE
- Suspicious Extrac32 Alternate Data Stream Execution
- Suspicious Execution of Powershell with Base64
- Potential File Download Via MS-AppInstaller Protocol Handler
- Suspicious Electron Application Child Processes
- Suspicious Script Execution From Temp Folder
- Use Short Name Path in Command Line
- HackTool - SafetyKatz Execution
- Suspicious Process Masquerading As SvcHost.EXE
- Computer Password Change Via Ksetup.EXE
- Suspicious Windows Service Tampering
- Suspicious Child Process Of Wermgr.EXE
- Powershell Defender Exclusion
- HackTool - ADCSPwn Execution
- Potentially Suspicious Execution Of PDQDeployRunner
- Sysinternals PsSuspend Execution
- Suspicious Service Path Modification
- Renamed Vmnat.exe Execution
- PowerShell Get-Clipboard Cmdlet Via CLI
- Potential COM Objects Download Cradles Usage - Process Creation
- Suspicious Process By Web Server Process
- Suspicious Schtasks Schedule Types
- Delete All Scheduled Tasks
- BitLockerTogo.EXE Execution
- Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
- Potential Tampering With Security Products Via WMIC
- Potential Suspicious Activity Using SeCEdit
- Arbitrary File Download Via Squirrel.EXE
- Suspicious Driver/DLL Installation Via Odbcconf.EXE
- Suspicious Execution of Systeminfo
- Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
- SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code
- Use of Remote.exe
- Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution
- Renamed Plink Execution
- Wscript Shell Run In CommandLine
- Uncommon Userinit Child Process
- PUA - PingCastle Execution From Potentially Suspicious Parent
- Suspicious Chromium Browser Instance Executed With Custom Extension
- HackTool - Potential Impacket Lateral Movement Activity
- Regsvr32 Execution From Potential Suspicious Location
- LSASS Dump Keyword In CommandLine
- Abusing Print Executable
- HackTool - SharpUp PrivEsc Tool Execution
- Php Inline Command Execution
- Suspicious File Download From IP Via Wget.EXE
- Suspicious Driver Install by pnputil.exe
- IIS Native-Code Module Command Line Installation
- Use of UltraVNC Remote Access Software
- Enumerate All Information With Whoami.EXE
- Potential Arbitrary Command Execution Via FTP.EXE
- Sensitive File Access Via Volume Shadow Copy Backup
- Potential LethalHTA Technique Execution
- Potentially Suspicious Office Document Executed From Trusted Location
- Remote Access Tool - AnyDesk Execution
- Potentially Suspicious Windows App Activity
- Potential Commandline Obfuscation Using Unicode Characters
- REGISTER_APP.VBS Proxy Execution
- Suspicious Where Execution
- Potential Windows Defender Tampering Via Wmic.EXE
- Firewall Disabled via Netsh.EXE
- PUA - Crassus Execution
- Potential Data Stealing Via Chromium Headless Debugging
- Remote Access Tool - ScreenConnect Installation Execution
- PowerShell Get-Process LSASS
- Suspicious Sigverif Execution
- Registry Modification Via Regini.EXE
- Suspicious Provlaunch.EXE Child Process
- Suspicious PowerShell Invocation From Script Engines
- File Download From IP URL Via Curl.EXE
- MpiExec Lolbin
- Install New Package Via Winget Local Manifest
- Suspicious Shells Spawn by Java Utility Keytool
- Suspicious IIS URL GlobalRules Rewrite Via AppCmd
- PowerShell Base64 Encoded Reflective Assembly Load
- HackTool - Certify Execution
- Suspicious Child Process Of BgInfo.EXE
- Wlrmdr.EXE Uncommon Argument Or Child Process
- Suspicious File Execution From Internet Hosted WebDav Share
- Tor Client/Browser Execution
- Audit Policy Tampering Via Auditpol
- Potential Provlaunch.EXE Binary Proxy Execution Abuse
- Copy From Or To Admin Share Or Sysvol Folder
- Gpscript Execution
- New DLL Registered Via Odbcconf.EXE
- Certificate Exported Via Certutil.EXE
- File Encryption Using Gpg4win
- Sensitive File Recovery From Backup Via Wbadmin.EXE
- Root Certificate Installed From Susp Locations
- WmiPrvSE Spawned A Process
- Rundll32 Execution With Uncommon DLL Extension
- Uncommon Assistive Technology Applications Execution Via AtBroker.EXE
- UAC Bypass Using Disk Cleanup
- AddinUtil.EXE Execution From Uncommon Directory
- Hidden Powershell in Link File Pattern
- HackTool - RedMimicry Winnti Playbook Execution
- PowerShell Web Download
- Potential Command Line Path Traversal Evasion Attempt
- Interactive AT Job
- PUA - DefenderCheck Execution
- Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell
- User Discovery And Export Via Get-ADUser Cmdlet
- Filter Driver Unloaded Via Fltmc.EXE
- Powershell Executed From Headless ConHost Process
- Renamed Whoami Execution
- HackTool - WinPwn Execution
- Suspicious Child Process Created as System
- Suspicious MSDT Parent Process
- Use Icacls to Hide File to Everyone
- HackTool - winPEAS Execution
- Arbitrary Binary Execution Using GUP Utility
- Suspicious Powercfg Execution To Change Lock Screen Timeout
- Gzip Archive Decode Via PowerShell
- Suspicious GrpConv Execution
- File Download From Browser Process Via Inline URL
- Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution
- Potentially Suspicious Ping/Copy Command Combination
- Potential Configuration And Service Reconnaissance Via Reg.EXE
- Renamed AdFind Execution
- Procdump Execution
- Potential Suspicious Registry File Imported Via Reg.EXE
- Windows Hotfix Updates Reconnaissance Via Wmic.EXE
- Potential RDP Tunneling Via Plink
- Renamed Cloudflared.EXE Execution
- Potential Adplus.EXE Abuse
- PrintBrm ZIP Creation or Extraction
- File Decryption Using Gpg4win
- Remote Access Tool - LogMeIn Execution
- Potential Mftrace.EXE Abuse
- Sticky Key Like Backdoor Execution
- Potential Credential Dumping Attempt Using New NetworkProvider - CLI
- Potential Discovery Activity Via Dnscmd.EXE
- Potential Renamed Rundll32 Execution
- File Download Via InstallUtil.EXE
- Logged-On User Password Change Via Ksetup.EXE
- Potential Browser Data Stealing
- RDP Port Forwarding Rule Added Via Netsh.EXE
- Disable Windows Defender AV Security Monitoring
- LSA PPL Protection Disabled Via Reg.EXE
- Sysinternals PsSuspend Suspicious Execution
- AspNetCompiler Execution
- Devtoolslauncher.exe Executes Specified Binary
- UAC Bypass via Windows Firewall Snap-In Hijack
- Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate
- Csc.EXE Execution From Potentially Suspicious Parent
- HackTool - SharpMove Tool Execution
- Potentially Suspicious Desktop Background Change Using Reg.EXE
- Use of VisualUiaVerifyNative.exe
- PsExec Service Child Process Execution as LOCAL SYSTEM
- Computer System Reconnaissance Via Wmic.EXE
- HackTool - Impersonate Execution
- Microsoft Workflow Compiler Execution
- Potential Process Execution Proxy Via CL_Invocation.ps1
- Sysinternals PsService Execution
- Potentially Suspicious Child Process Of ClickOnce Application
- Lolbin Ssh.exe Use As Proxy
- Suspicious Execution of Shutdown
- Potentially Suspicious Child Process Of DiskShadow.EXE
- Application Terminated Via Wmic.EXE
- PUA - Nimgrab Execution
- HackTool - WinRM Access Via Evil-WinRM
- HackTool - Hashcat Password Cracker Execution
- Forfiles.EXE Child Process Masquerading
- Permission Misconfiguration Reconnaissance Via Findstr.EXE
- Arbitrary MSI Download Via Devinit.EXE
- Read Contents From Stdin Via Cmd.EXE
- Potential Password Spraying Attempt Using Dsacls.EXE
- Use of Pcalua For Execution
- Potential CobaltStrike Process Patterns
- Suspicious Use of PsLogList
- Suspicious DLL Loaded via CertOC.EXE
- Add Insecure Download Source To Winget
- Use Of The SFTP.EXE Binary As A LOLBIN
- Renamed Mavinject.EXE Execution
- Remote Access Tool - Team Viewer Session Started On Windows Host
- Renamed CreateDump Utility Execution
- Wusa Extracting Cab Files
- Potential Credential Dumping Via LSASS Process Clone
- CMSTP Execution Process Creation
- Suspicious Recursive Takeown
- Process Execution From A Potentially Suspicious Folder
- Execution Of Non-Existing File
- PowerShell Base64 Encoded WMI Classes
- PUA - NirCmd Execution
- Potentially Suspicious Call To Win32_NTEventlogFile Class
- Operator Bloopers Cobalt Strike Modules
- Wab/Wabmig Unusual Parent Or Child Processes
- UAC Bypass Using Windows Media Player - Process
- Bypass UAC via CMSTP
- Dllhost.EXE Execution Anomaly
- Suspicious Command Patterns In Scheduled Task Creation
- Execute Files with Msdeploy.exe
- Recon Command Output Piped To Findstr.EXE
- Suspicious Child Process Of SQL Server
- Potential Suspicious Mofcomp Execution
- UAC Bypass Using IEInstal - Process
- Uncommon Child Process Of Appvlp.EXE
- Suspicious Microsoft Office Child Process
- Cloudflared Tunnel Connections Cleanup
- Arbitrary File Download Via IMEWDBLD.EXE
- Potential Encoded PowerShell Patterns In CommandLine
- Suspicious Msbuild Execution By Uncommon Parent Process
- Indirect Inline Command Execution Via Bash.EXE
- Suspicious Parent Double Extension File Execution
- Firewall Rule Update Via Netsh.EXE
- CobaltStrike Load by Rundll32
- Copying Sensitive Files with Credential Data
- WMIC Remote Command Execution
- Potential Defense Evasion Via Right-to-Left Override
- Suspicious Control Panel DLL Load
- Remote Access Tool - GoToAssist Execution
- Potential Product Class Reconnaissance Via Wmic.EXE
- Scheduled Task Executing Encoded Payload from Registry
- HackTool - CrackMapExec Execution Patterns
- Potentially Suspicious Regsvr32 HTTP IP Pattern
- PUA - SoftPerfect Netscan Execution
- PUA - System Informer Execution
- Suspicious Obfuscated PowerShell Code
- Winrar Compressing Dump Files
- File Download Via Bitsadmin
- Windows Firewall Disabled via PowerShell
- Potential PowerShell Downgrade Attack
- Invoke-Obfuscation Via Use Clip
- Service Reconnaissance Via Wmic.EXE
- Suspicious Extexport Execution
- Execute Code with Pester.bat
- PUA - RunXCmd Execution
- Suspicious File Download From IP Via Wget.EXE - Paths
- PowerShell Base64 Encoded FromBase64String Cmdlet
- Change Default File Association To Executable Via Assoc
- Suspicious WmiPrvSE Child Process
- Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE
- Remote Code Execute via Winrm.vbs
- Potential Credential Dumping Via WER
- Start of NT Virtual DOS Machine
- Invoke-Obfuscation Obfuscated IEX Invocation
- Uncommon Extension Shim Database Installation Via Sdbinst.EXE
- Suspicious SYSVOL Domain Group Policy Access
- Suspicious Diantz Alternate Data Stream Execution
- Suspicious Encoded PowerShell Command Line
- Potential PowerShell Obfuscation Via Reversed Commands
- Uncommon Child Process Of BgInfo.EXE
- Certificate Exported Via PowerShell
- Net WebClient Casing Anomalies
- Reg Add Suspicious Paths
- Set Suspicious Files as System Files Using Attrib.EXE
- Suspicious PowerShell Mailbox Export to Share
- Scripting/CommandLine Process Spawned Regsvr32
- Rundll32 InstallScreenSaver Execution
- Arbitrary File Download Via ConfigSecurityPolicy.EXE
- Suspicious Download From Direct IP Via Bitsadmin
- WMI Backdoor Exchange Transport Agent
- Suspicious Workstation Locking via Rundll32
- Suspicious Download From File-Sharing Website Via Bitsadmin
- Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension
- JScript Compiler Execution
- Share And Session Enumeration Using Net.EXE
- Network Reconnaissance Activity
- Suspicious Microsoft OneNote Child Process
- Always Install Elevated Windows Installer
- Regedit as Trusted Installer
- Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp
- DLL Loaded via CertOC.EXE
- Uncommon Link.EXE Parent Process
- Rundll32 UNC Path Execution
- PUA - DIT Snapshot Viewer
- Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE
- Raccine Uninstall
- Elevated System Shell Spawned From Uncommon Parent Location
- Explorer Process Tree Break
- Compressed File Extraction Via Tar.EXE
- Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE
- Potential WinAPI Calls Via CommandLine
- Potentially Suspicious CMD Shell Output Redirect
- Whoami.EXE Execution Anomaly
- Mavinject Inject DLL Into Running Process
- New Virtual Smart Card Created Via TpmVscMgr.EXE
- UAC Bypass WSReset
- DumpStack.log Defender Evasion
- Files Added To An Archive Using Rar.EXE
- Potential RDP Session Hijacking Activity
- LOLBIN Execution From Abnormal Drive
- Potential MsiExec Masquerading
- VMToolsd Suspicious Child Process
- Uncommon Child Process Spawned By Odbcconf.EXE
- HackTool - UACMe Akagi Execution
- Run Once Task Execution as Configured in Registry
- Suspicious Remote Child Process From Outlook
- Potentially Suspicious Child Process Of Regsvr32
- Java Running with Remote Debugging
- UAC Bypass via ICMLuaUtil
- Potential Obfuscated Ordinal Call Via Rundll32
- HackTool - DInjector PowerShell Cradle Execution
- AgentExecutor PowerShell Execution
- PUA - 3Proxy Execution
- Shell32 DLL Execution in Suspicious Directory
- DumpMinitool Execution
- Hiding Files with Attrib.exe
- Suspicious X509Enrollment - Process Creation
- Sdiagnhost Calling Suspicious Child Process
- Suspicious Scheduled Task Creation via Masqueraded XML File
- DriverQuery.EXE Execution
- Suspicious Network Command
- Taskkill Symantec Endpoint Protection
- Remote Access Tool - AnyDesk Piped Password Via CLI
- PUA - WebBrowserPassView Execution
- HackTool - LaZagne Execution
- Script Event Consumer Spawning Process
- Use of Wfc.exe
- Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet
- Delete Important Scheduled Task
- HackTool - Jlaive In-Memory Assembly Execution
- Suspicious JavaScript Execution Via Mshta.EXE
- Firewall Configuration Discovery Via Netsh.EXE
- Suspicious Ping/Del Command Combination
- Windows Defender Definition Files Removed
- Potential Privilege Escalation Using Symlink Between Osk and Cmd
- Password Provided In Command Line Of Net.EXE
- HackTool - CrackMapExec Execution
- Suspicious Reg Add Open Command
- RunDLL32 Spawning Explorer
- All Backups Deleted Via Wbadmin.EXE
- PUA - Advanced Port Scanner Execution
- HackTool - SecurityXploded Execution
- Browser Started with Remote Debugging
- Renamed Microsoft Teams Execution
- Renamed MegaSync Execution
- Renamed AutoIt Execution
- Potential Memory Dumping Activity Via LiveKD
- Suspicious MsiExec Embedding Parent
- Kavremover Dropped Binary LOLBIN Usage
- Renamed NetSupport RAT Execution
- PUA - Netcat Suspicious Execution
- MMC20 Lateral Movement
- Start Windows Service Via Net.EXE
- Shadow Copies Creation Using Operating Systems Utilities
- DLL Sideloading by VMware Xfer Utility
- SQLite Firefox Profile Data DB Access
- Conhost.exe CommandLine Path Traversal
- Renamed ZOHO Dctask64 Execution
- Suspicious HWP Sub Processes
- Process Memory Dump via RdrLeakDiag.EXE
- PUA - IOX Tunneling Tool Execution
- Xwizard.EXE Execution From Non-Default Location
- Active Directory Structure Export Via Ldifde.EXE
- Add SafeBoot Keys Via Reg Utility
- File Download Using ProtocolHandler.exe
- Mshtml.DLL RunHTMLApplication Suspicious Usage
- Ping Hex IP
- Suspicious Response File Execution Via Odbcconf.EXE
- Uncommon Child Processes Of SndVol.exe
- Potentially Suspicious Command Targeting Teams Sensitive Files
- Arbitrary File Download Via MSEDGE_PROXY.EXE
- Uncommon Child Process Of AddinUtil.EXE
- Rebuild Performance Counter Values Via Lodctr.EXE
- Potential Persistence Attempt Via Run Keys Using Reg.EXE
- Driver/DLL Installation Via Odbcconf.EXE
- Potentially Suspicious Rundll32 Activity
- Uncommon Svchost Parent Process
- Suspicious Query of MachineGUID
- Persistence Via Sticky Key Backdoor
- VeeamBackup Database Credentials Dump Via Sqlcmd.EXE
- Potentially Suspicious GoogleUpdate Child Process
- Add Potential Suspicious New Download Source To Winget
- Suspicious Eventlog Clearing or Configuration Change Activity
- Webshell Tool Reconnaissance Activity
- Schtasks From Suspicious Folders
- Suspicious Advpack Call Via Rundll32.EXE
- HackTool - Quarks PwDump Execution
- PowerShell Base64 Encoded Invoke Keyword
- Insensitive Subfolder Search Via Findstr.EXE
- Enumeration for Credentials in Registry
- Finger.EXE Execution
- Launch-VsDevShell.PS1 Proxy Execution
- PUA - CsExec Execution
- Potential AMSI Bypass Via .NET Reflection
- Invoke-Obfuscation VAR+ Launcher
- Wusa.EXE Executed By Parent Process Located In Suspicious Location
- PUA - CleanWipe Execution
- Hacktool Execution - Imphash
- HackTool - SharpChisel Execution
- Suspicious Use of CSharp Interactive Console
- Rundll32 Execution Without CommandLine Parameters
- Suspicious IIS Module Registration
- Uncommon AddinUtil.EXE CommandLine Execution
- Service Security Descriptor Tampering Via Sc.EXE
- Python Inline Command Execution
- Remote Access Tool - ScreenConnect Remote Command Execution
- Suspicious Invoke-WebRequest Execution
- Execute Pcwrun.EXE To Leverage Follina
- HackTool - SharpLDAPmonitor Execution
- Cloudflared Quick Tunnel Execution
- HackTool - Default PowerSploit/Empire Scheduled Task Creation
- Discovery of a System Time
- PowerShell Download Pattern
- File Download From IP Based URL Via CertOC.EXE
- PUA - Adidnsdump Execution
- Suspicious Csi.exe Usage
- Dism Remove Online Package
- HackTool - Stracciatella Execution
- Potential Unquoted Service Path Reconnaissance Via Wmic.EXE
- Winrar Execution in Non-Standard Folder
- HackTool - Koadic Execution
- Potential Binary Proxy Execution Via Cdb.EXE
- Potential Windows Defender AV Bypass Via Dump64.EXE Rename
- Suspicious Regsvr32 Execution From Remote Share
- HackTool - Inveigh Execution
- Suspicious Process Parents
- Regsvr32 DLL Execution With Uncommon Extension
- Potentially Suspicious Cabinet File Expansion
- Perl Inline Command Execution
- Domain Trust Discovery Via Dsquery
- Potentially Suspicious Child Process of KeyScrambler.exe
- HackTool - CrackMapExec PowerShell Obfuscation
- Time Travel Debugging Utility Usage
- Potential LSASS Process Dump Via Procdump
- Potential Remote Desktop Tunneling
- Tasks Folder Evasion
- Suspicious Service Binary Directory
- AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl
- Add New Download Source To Winget
- HackTool - Wmiexec Default Powershell Command
- Potential Tampering With RDP Related Registry Keys Via Reg.EXE
- Potential Arbitrary Code Execution Via Node.EXE
- Suspicious File Download From IP Via Curl.EXE
- Potential Amazon SSM Agent Hijacking
- Visual Studio Code Tunnel Execution
- Renamed PsExec Service Execution
- Stop Windows Service Via PowerShell Stop-Service
- Malicious PowerShell Commandlets - ProcessCreation
- Webshell Detection With Command Line Keywords
- Arbitrary Command Execution Using WSL
- Potential Suspicious Browser Launch From Document Reader Process
- COM Object Execution via Xwizard.EXE
- HackTool - Windows Credential Editor (WCE) Execution
- Suspicious Desktopimgdownldr Command
- File Download Via Windows Defender MpCmpRun.EXE
- New User Created Via Net.EXE With Never Expire Option
- MSExchange Transport Agent Installation
- HackTool - CrackMapExec Process Patterns
- Powershell Base64 Encoded MpPreference Cmdlet
- HackTool - SharpLdapWhoami Execution
- Potentially Suspicious Execution From Parent Process In Public Folder
- Abused Debug Privilege by Arbitrary Parent Processes
- Cloudflared Portable Execution
- Node Process Executions
- Python Spawning Pretty TTY on Windows
- UAC Bypass Using Consent and Comctl32 - Process
- Writing Of Malicious Files To The Fonts Folder
- Malicious PE Execution by Microsoft Visual Studio Debugger
- Audio Capture via SoundRecorder
- Insecure Transfer Via Curl.EXE
- Suspicious AgentExecutor PowerShell Execution
- Suspicious SysAidServer Child
- Suspicious Double Extension File Execution
- Visual Studio NodejsTools PressAnyKey Renamed Execution
- File In Suspicious Location Encoded To Base64 Via Certutil.EXE
- Whoami.EXE Execution With Output Option
- File Encryption/Decryption Via Gpg4win From Suspicious Locations
- Visual Basic Command Line Compiler Usage
- Potential SMB Relay Attack Tool Execution
- XBAP Execution From Uncommon Locations Via PresentationHost.EXE
- Renamed Jusched.EXE Execution
- PUA - Advanced IP Scanner Execution
- LOL-Binary Copied From System Directory
- Potential Script Proxy Execution Via CL_Mutexverifiers.ps1
- Suspicious AddinUtil.EXE CommandLine Execution
- PDQ Deploy Remote Administration Tool Execution
- Potentially Suspicious Child Process Of WinRAR.EXE
- Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call
- Potential Active Directory Enumeration Using AD Module - ProcCreation
- Windows Binary Executed From WSL
- Arbitrary File Download Via PresentationHost.EXE
- PUA - Ngrok Execution
- Renamed SysInternals DebugView Execution
- Suspicious Msiexec Execute Arbitrary DLL
- WMI Persistence - Script Event Consumer
- RestrictedAdminMode Registry Value Tampering - ProcCreation
- Possible Privilege Escalation via Weak Service Permissions
- Allow Service Access Using Security Descriptor Tampering Via Sc.EXE
- Potential Process Injection Via Msra.EXE
- Control Panel Items
- Script Interpreter Execution From Suspicious Folder
- Conhost Spawned By Uncommon Parent Process
- DeviceCredentialDeployment Execution
- Suspicious Process Created Via Wmic.EXE
- Always Install Elevated MSI Spawned Cmd And Powershell
- HackTool - Empire PowerShell UAC Bypass
- HackTool - CreateMiniDump Execution
- File Encoded To Base64 Via Certutil.EXE
- Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE
- CMSTP UAC Bypass via COM Object Access
- Potential Reconnaissance Activity Via GatherNetworkInfo.VBS
- Potential Dosfuscation Activity
- Shadow Copies Deletion Using Operating Systems Utilities
- Suspicious Invoke-WebRequest Execution With DirectIP
- Renamed Visual Studio Code Tunnel Execution
- Invoke-Obfuscation STDIN+ Launcher
- New Root Certificate Installed Via Certutil.EXE
- Potential Binary Impersonating Sysinternals Tools
- PUA - Radmin Viewer Utility Execution
- Verclsid.exe Runs COM Object
- Change PowerShell Policies to an Insecure Level
- Use NTFS Short Name in Command Line
- Scheduled Task Creation Via Schtasks.EXE
- UAC Bypass Abusing Winsat Path Parsing - Process
- Schtasks Creation Or Modification With SYSTEM Privileges
- Potential Cookies Session Hijacking
- Potential RDP Tunneling Via SSH
- Suspicious Kernel Dump Using Dtrace
- File Decoded From Base64/Hex Via Certutil.EXE
- Gpresult Display Group Policy Information
- Potential PsExec Remote Execution
- Suspicious Execution of InstallUtil Without Log
- IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI
- Suspicious Mshta.EXE Execution Patterns
- DLL Execution via Rasautou.exe
- HackTool - SharpDPAPI Execution
- Potentially Suspicious Child Process Of VsCode
- HackTool - PPID Spoofing SelectMyParent Tool Execution
- Suspicious FromBase64String Usage On Gzip Archive - Process Creation
- ETW Logging Tamper In .NET Processes Via CommandLine
- Suspicious Child Process Of Veeam Database
- MSHTA Suspicious Execution 01
- Potentially Suspicious EventLog Recon Activity Using Log Query Utilities
- Potential Persistence Via Powershell Search Order Hijacking - Task
- New Firewall Rule Added Via Netsh.EXE
- Suspicious Binary In User Directory Spawned From Office Application
- Nslookup PowerShell Download Cradle - ProcessCreation
- Suspicious Git Clone
- Service DACL Abuse To Hide Services Via Sc.EXE
- Persistence Via TypedPaths - CommandLine
- Process Proxy Execution Via Squirrel.EXE
- File Download Via Bitsadmin To A Suspicious Target Folder
- Service Registry Key Deleted Via Reg.EXE
- Suspicious Userinit Child Process
- Bad Opsec Defaults Sacrificial Processes With Improper Arguments
- HackTool - GMER Rootkit Detector and Remover Execution
- Suspicious Program Names
- Suspicious High IntegrityLevel Conhost Legacy Option
- Disable Windows IIS HTTP Logging
- Potentially Suspicious Event Viewer Child Process
- Indirect Command Execution By Program Compatibility Wizard
- Invoke-Obfuscation CLIP+ Launcher
- Suspicious Execution Location Of Wermgr.EXE
- Suspicious File Download From File Sharing Domain Via Curl.EXE
- HackTool - Dumpert Process Dumper Execution
- HackTool - Hydra Password Bruteforce Execution
- Potential Dropper Script Execution Via WScript/CScript
- InfDefaultInstall.exe .inf Execution
- ImagingDevices Unusual Parent/Child Processes
- New Network Trace Capture Started Via Netsh.EXE
- Ruby Inline Command Execution
- Suspicious RASdial Activity
- Execution of Suspicious File Type Extension
- Mstsc.EXE Execution With Local RDP File
- Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI
- Data Copied To Clipboard Via Clip.EXE
- Suspicious Diantz Download and Compress Into a CAB File
- File Download with Headless Browser
- HackTool - SysmonEOP Execution
- Suspicious Vsls-Agent Command With AgentExtensionPath Load
- Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
- Bypass UAC via WSReset.exe
- Compress Data and Lock With Password for Exfiltration With WINZIP
- Suspicious Usage Of ShellExec_RunDLL
- Run PowerShell Script from ADS
- Changing Existing Service ImagePath Value Via Reg.EXE
- Potential AMSI Bypass Using NULL Bits
- UAC Bypass Using Event Viewer RecentViews
- Renamed NirCmd.EXE Execution
- Netsh Allow Group Policy on Microsoft Defender Firewall
- HackTool - SharpEvtMute Execution
- Suspicious Rundll32 Activity Invoking Sys File
- AADInternals PowerShell Cmdlets Execution - ProcessCreation
- HackTool - HandleKatz LSASS Dumper Execution
- Suspicious Process Execution From Fake Recycle.Bin Folder
- ConvertTo-SecureString Cmdlet Usage Via CommandLine
- Veeam Backup Database Suspicious Query
- Unusual Child Process of dns.exe
- SafeBoot Registry Key Deleted Via Reg.EXE
- PowerShell Script Change Permission Via Set-Acl
- PUA - NirCmd Execution As LOCAL SYSTEM
- Execution via WorkFolders.exe
- Binary Proxy Execution Via Dotnet-Trace.EXE
- Arbitrary File Download Via GfxDownloadWrapper.EXE
- Recon Information for Export with Command Prompt
- Mstsc.EXE Execution From Uncommon Parent