Process Creation:
1. Suspicious Execution of InstallUtil Without Log
2. Suspicious Execution of InstallUtil To Download
3. Potential PowerShell Execution Via DLL
4. Suspicious Debugger Registration Cmdline
5. Dotnet.exe Exec Dll and Execute Unsigned Code LOLBIN
6. Potential DLL Injection Or Execution Using Tracker.exe
7. Suspicious Msbuild Execution By Uncommon Parent Process
8. Masquerading Through Unicode Right-To-Left Override (RTLO)
9. SyncAppvPublishingServer Execute Arbitrary PowerShell Code
10. SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code
11. Regasm-Regsvcs Suspicious Execution
12. Exfiltration and Tunneling Tools Execution
13. Potential RDP Tunneling Via SSH Plink
14. Renamed Plink Execution
15. Potential RDP Tunneling Via SSH
16. Potential Maze Ransomware Activity
17. Remote PowerShell Session Host Process (WinRM)
18. Suspicious Processes Spawned by WinRM
19. Shadow Copies Creation Using Operating Systems Utilities
20. SystemStateBackup Deleted Using Wbadmin.EXE
21. Shadow Copies Deletion Using Operating Systems Utilities
22. Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE
23. Boot Configuration Tampering Via Bcdedit.EXE
24. Use of Forfiles For Execution
25. PUA – CsExec Execution
26. File Download with Headless Browser
File Event:
27. Suspicious File Event With Teams Objects
28. BloodHound Collection Files
29. Cred Dump Tools Dropped Files
30. WScript or CScript Dropper – File
31. CVE-2021-26858 Exchange Exploitation
AWS:
32. AWS EFS Fileshare Mount Modified or Deleted
33. AWS ElastiCache Security Group Modified or Deleted
Groups Monitoring:
34. VIP User Deleted – Windows
35. VIP User Disabled – Windows
36. VIP User Password Changed – Windows
37. A Member was Removed From Privileged Group
User and Group Management:
38. User Was Created With a Space On The End – Windows
39. User Was Created With Non Characters or Digits (Ghost) – Windows
40. User Was Created With Non Character or Digit on The End – Windows
SentinelOne EDR:
41. SentinelOne EDR – Added Firewall Rule
42. SentinelOne EDR – Malware
Image Load:
43. Abusable DLL Potential Sideloading From Suspicious Location
44. Potential CCleanerDU.DLL Sideloading
45. Potential CCleanerReactivator.DLL Sideloading
Pipe Created:
46. CSExec Default Named Pipe
47. RemCom Default Named Pipe
PowerShell Script:
48. Execute Invoke-command on Remote Host
49. SyncAppvPublishingServer Execution to Bypass PowerShell Restriction
50. Security Software Discovery by PowerShell