
New Deployed Rules
NTFS:
1. Volume Shadow Copy Mount PowerShell Script
2. Code Executed Via Office Add-in XLL File
3. Potential Invoke-Mimikatz PowerShell Script
4. Tamper Windows Defender
MSMQ:
1. MSMQ Corrupted Packet Encountered
Network Share Object:
2. Protected Storage Service Access
3. Possible Impacket SecretDump Remote Activity
Process Access:
Process Creation:
1. Suspicious Execution of InstallUtil Without Log
2. Suspicious Execution of InstallUtil To Download
3. Potential PowerShell Execution Via DLL
4. Suspicious
Process Creation:
1. Suspicious Ping-Copy Command Combination
2. LSASS Process Reconnaissance Via Findstr.EXE
3. Firewall Rule Update Via Netsh.EXE
4. Scheduled Task Executing Payload from Registry
5. Potentially Suspicious Call
Windows/Network Connection:
1. Suspicious Epmap Connection
2. Suspicious Dropbox API Usage
3. Suspicious Outbound Kerberos Connection
4. Suspicious Program Location with Network Connections
Windows/System or Application/Service Control Manager:
1. Tap Driver Installation
2. Invoke-Obfuscation COMPRESS
Windows/Network Connection:
1. Communication To Ngrok.Io
2. Communication To Ngrok Tunneling Service
3. Notepad Making Network Connection
4. RDP Over Reverse SSH Tunnel
5. RDP to HTTP or HTTPS Target
Welcome to our monthly rules update! We take great pleasure in presenting the most recent rules we created last month to boost your SIEM's capabilities.
One-day SIEM integration