New Deployed Rules

September 28th, 2023


SentinelOne EDR
   1. User Deleted
   2. User Logged In to Management Console

Process Creation
   3. Use of Remote.exe
   4. Use of Pcalua For Execution
   5. Process Memory Dump Via Dotnet-Dump
   6. Detect Virtualbox Driver Installation OR Starting Of VMs
   7. Suspicious VBoxDrvInst.exe Parameters
   8. Uninstall Crowdstrike Falcon Sensor
   9. Suspicious Download Via Certutil.EXE
   10. Bypass UAC via Fodhelper.exe
   11. Chopper Webshell Process Pattern
   12. Install New Package Via Winget Local Manifest
   13. Winrar Compressing Dump Files
   14. Potential SNAKE Malware Installation Binary Indicator
   15. Potential SNAKE Malware Persistence Service Execution
   16. Rhadamanthys Stealer Module Launch Via Rundll32.EXE
   17. File Decryption Using Gpg4win
   18. File Encryption Using Gpg4win
   19. Portable Gpg.EXE Execution
   20. Potential Mpclient.DLL Sideloading Via Defender Binaries
   21. Potential Provlaunch.EXE Binary Proxy Execution Abuse
   22. Suspicious Provlaunch.EXE Child Process
   23. Potential Provisioning Registry Key Abuse For Binary Proxy Execution
   24. Renamed Gpg.EXE Execution
   25. Potential Binary Proxy Execution Via VSDiagnostics.EXE
   26. Tor Client-Browser Execution
   27. DLL Loaded via CertOC.EXE
   28. Suspicious DLL Loaded via CertOC.EXE

AWS
   29. KMS CMK Disabled Or Scheduled For Deletion
   30. Redshift Persistence Redshift Instance Creation

Azure
   31. Success Login from Unauthorized Country – Azure AD

Big IP (F5)
   32. User Connected by VPN from Unauthorized Country
   33. User Connected by VPN Outside Working Hours

EventLog
   34. Event Log Cleared

File Event
   35. CVE-2021-44077 POC Default Dropped File
   36. CVE-2022-24527 Microsoft Connected Cache LPE
   37. DLL Search Order Hijacking Via Additional Space in Path
   38. Suspicious ASPX File Drop by Exchange
   39. Typical HiveNightmare SAM File Export
   40. Octopus Scanner Malware

Fortigate (Fortinet)
   41. User Removed from Admin Group

GCP
   42. Full Network Traffic Packet Capture
   43. VPN Tunnel Modified or Deleted

Groups Monitoring
   44. Privileged Group was Deleted
   45. A Member was Added into a Monitoring Group

Proxy
   46. Search-ms and WebDAV Suspicious Indicators in URL
   47. Devil Bait Potential C2 Communication Traffic

Pulse Connect Secure (Pulse Secure)
   48. Multiple Failed User Login

Registry Event
   49. Office Application Startup – Office Test
   50. Windows Registry Trust Record Modification
   51. Registry Persistence Mechanisms in Recycle Bin

