DNS Trace Log
Microsoft Windows@Process Creation
- Driver-DLL Installation Via Odbcconf.EXE
- New Root Certificate Installed Via CertMgr.EXE
- New Root Certificate Installed Via Certutil.EXE
- Password Protected Compressed File Extraction Via 7Zip
- Potential Qakbot Rundll32 Execution
- Potential Regsvr32 Commandline Flag Anomaly
- Potentially Suspicious Child Process Of Regsvr32
- Potentially Suspicious Regsvr32 HTTP IP Pattern
- Potentially Suspicious Regsvr32 HTTP-FTP Pattern
- Qakbot Regsvr32 Calc Pattern
- Qakbot Rundll32 Exports Execution
- Qakbot Rundll32 Fake DLL Extension Execution
- Regsvr32 DLL Execution With Suspicious File Extension
- Regsvr32 DLL Execution With Uncommon Extension
- Regsvr32 Execution From Highly Suspicious Location
- Regsvr32 Execution From Potential Suspicious Location
- Scripting-CommandLine Process Spawned Regsvr32
- Small Sieve Malware CommandLine Indicator
Microsoft Windows@System Errors
- Windows Server Shutdown Abnormal
Web Cache
- iOS Implant URL Pattern
- PwnDrp Access
- Small Sieve Malware Potential C2 Communication
- Suspicious Network Communication With IPFS
- Ursnif Malware Download URL Pattern
- Windows PowerShell User Agent
- Windows WebDAV User Agent
Web Server
- Suspicious Windows Strings In URI
Sysmon@Create Remote Thread
- CreateRemoteThread API and LoadLibrary
- Potential Credential Dumping Attempt Via PowerShell Remote Thread
- Remote Thread Creation Ttdinject.exe Proxy
- Remote Thread Creation Via PowerShell In Rundll32
Sysmon@Files
- EventLog EVTX File Deleted
- Exchange PowerShell Cmdlet History Deleted
- File Deleted Via Sysinternals SDelete
- IIS WebServer Access Logs Deleted
- PowerShell Console History Logs Deleted
- Prefetch File Deleted
- TeamViewer Log File Deleted
- Tomcat WebServer Logs Deleted
- Unusual File Deletion by Dns.exe
- Malicious PowerShell Scripts – FileCreation
- Potential Binary Or Script Dropper Via PowerShell
- Potential MOVEit Transfer Exploitation
- Potential Startup Shortcut Persistence Via PowerShell.EXE
- Potential Suspicious PowerShell Module File Created
- PowerShell Module File Created
- PowerShell Script Dropped Via PowerShell.EXE
- Rclone Config File Creation
- Small Sieve Malware File Indicator Creation
Sysmon@Image Load
Sysmon@Registry
- Small Sieve Malware Registry Persistence