Account Management
1. Admin User Remote Logon
2. External Remote SMB Logon from Public IP
AWS
3. AWS:Glue Development Endpoint Activity
Big IP@F5
4. User Connected from two different countries – F5 Big IP
CodeIntegrity
5. CodeIntegrity – Blocked Image Load With Revoked Certificate
Create Remote Thread
6. Remote Thread Creation In Mstsc.Exe From Suspicious Location
Endpoint Protection@Symantec
7. Antivirus detection – Symantec Endpoint Protection
8. Antivirus advanced heuristic detection – Symantec Endpoint Protection
File Event
9. Adwind RAT-JRAT File Artifact
10. PCRE.NET Package Temp Files
11. Potential RipZip Attack on Startup Folder
12. Potential Winnti Dropper Activity
13. Suspicious Creation TXT File in User Desktop
Groups Monitoring
14. A Member was Removed From VIP Group
15. Interactive Login Alert – Windows
Image Load
16. VMMap Dbghelp.DLL Potential Sideloading
17. Potential AVKkid.DLL Sideloading
18. Potential EACore.DLL Sideloading
19. Potential Mfdetours.DLL Sideloading
Process Creation
20. Deleted Data Overwritten Via Cipher.EXE
21. Potential NTLM Coercion Via Certutil.EXE
22. Active Directory Structure Export Via Csvde.EXE
23. Data Copied To Clipboard Via Clip.EXE
24. Arbitrary MSI Download Via Devinit.EXE
25. Conhost.exe CommandLine Path Traversal
26. DirLister Execution
27. Suspicious HWP Sub Processes
28. Fake Instance Of Hxtsr.exe
29. Use Icacls to Hide File to Everyone
30. Disable Windows IIS HTTP Logging
31. Microsoft IIS Service Account Password Dumped
32. Suspicious IIS URL GlobalRules Rewrite Via AppCmd
33. IIS Native-Code Module Command Line Installation
34. Microsoft IIS Connection Strings Decryption
35. Suspicious IIS Module Registration
36. Suspicious SysAidServer Child
37. AspNetCompiler Execution
38. Potentially Suspicious ASP.NET Compilation Via AspNetCompiler
39. Suspicious Child Process of AspNetCompiler
40. Indirect Inline Command Execution Via Bash.EXE
41. Suspicious Child Process Of BgInfo.EXE
42. Uncommon Child Process Of BgInfo.EXE
43. Potential Process Execution Proxy Via CL_Invocation.ps1
44. LOLBIN Execution Of The FTP.EXE Binary
45. Potential Script Proxy Execution Via CL_Mutexverifiers.ps1
TMES@Trend Micro
46. TMES – Suspicious Web Reputation
47. TMES – Suspicious Phishing from One Source to Many Users
48. TMES – Suspicious Phishing or Social Engineering
Web Server
49. Potential CVE-2023-27997 Exploitation Indicators
50. JNDIExploit Pattern