NTFS
1. Volume Shadow Copy Mount
PowerShell Script
2. Code Executed Via Office Add-in XLL File
3. Potential Invoke-Mimikatz PowerShell Script
4. Tamper Windows Defender Remove-MpPreference – ScriptBlockLogging
5. Abuse of Service Permissions to Hide Services Via Set-Service – PS
Process Access
6. WerFault Accessing LSASS
7. LSASS Memory Dump
8. HandleKatz Duplicating LSASS Handle
9. Malware Shellcode in Verclsid Target Process
10. Potential Svchost Memory Access
11. CobaltStrike BOF Injection Pattern
12. SysmonEntry Usage
13. LSASS Access from White-Listed Processes
14. LSASS Memory Access by Tool Named Dump
15. SVCHOST Credential Dump
16. UAC Bypass Using WOW64 Logger DLL Hijack
Process Creation
17. Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution
18. Suspicious Shim Database Installation via Sdbinst.EXE
19. Dumping Process via Sqldumper.exe
20. Use of TTDInject.exe
21. Potential Download-Upload Activity Using Type Command
22. Lolbin Unregmp2.exe Use As Proxy
23. UtilityFunctions.ps1 Proxy Dll
24. Use of VisualUiaVerifyNative.exe
25. Use of VSIISExeLauncher.exe
26. Use of Wfc.exe
27. Microsoft Workflow Compiler Execution
28. Use Of The SFTP.EXE Binary As A LOLBIN
29. Suspicious Sigverif Execution
30. Use of Setres.exe
31. Lolbin Runexehelper Use As Proxy
Sysmon (Microsoft)
32. Sysmon Blocked File Shredding
33. Sysmon File Executable Creation Detected
Security
34. Suspicious LDAP-Attributes Used
35. Possible DC Shadow Attack
SentinelOne EDR (SentinelOne)
36. SentinelOne EDR – Agent Decommissioned
37. SentinelOne EDR – Infostealer
Registry Event
38. WINEKEY Registry Modification
39. Security Support Provider (SSP) Added to LSA Configuration
40. Suspicious Run Key from Download
41. DLL Load via LSASS
Network Share Object
42. Possible PetitPotam Coerce Authentication Attempt
43. Impacket PsExec Execution
44. Persistence and Execution at Scale via GPO Scheduled Task
45. DCOM InternetExplorer.Application Iertutil DLL Hijack – Security
AWS
46. AWS GuardDuty Important Change
47. AWS S3 Data Management Tampering
48. AWS:STS Suspicious SAML Activity
49. AWS:SES Identity Has Been Deleted
50. AWS:ECS Task Definition That Queries The Credential Endpoint