Process Creation
- Suspicious Ping-Copy Command Combination
- LSASS Process Reconnaissance Via Findstr.EXE
- Firewall Rule Update Via Netsh.EXE
- Scheduled Task Executing Payload from Registry
- Potentially Suspicious Call To Win32_NTEventlogFile Class
- Suspicious Process Execution From Fake Recycle.Bin Folder
- Rebuild Performance Counter Values Via Lodctr.EXE
- Potential ShellDispatch.DLL Functionality Abuse
- New Virtual Smart Card Created Via TpmVscMgr.EXE
- Potential ReflectDebugger Content Execution Via WerFault.EXE
- Insecure Transfer Via Curl.EXE
- Potentially Suspicious Office Document Executed From Trusted Location
- PowerShell Execution With Potential Decryption Capabilities
- VMToolsd Suspicious Child Process
- SMB over QUIC Via Net.EXE
- HH.EXE Execution
- Remote CHM File Download-Execution Via HH.EXE
- HTML Help HH.EXE Suspicious Child Process
- Suspicious HH.EXE Execution
- Suspicious Shells Spawn by Java Utility Keytool
- Potentially Suspicious PowerShell Child Processes
- Renamed Mavinject.EXE Execution
- Rundll32 JS RunHTMLApplication Pattern
- Mshtml DLL RunHTMLApplication Abuse
- Suspicious Rundll32 Script in CommandLine
Unix
27. root connection with SSH – Unix
28. Privileged Account Locked Out – Unix
365 Defender
29. Exfiltration – 365 Defender
30. Exploit – 365 Defender
31. Persistence – 365 Defender
32. Defender 365 Alerts
Security
33. Security Event Log Cleared
34. CobaltStrike Service Installations – Security
35. HybridConnectionManager Service Installation
PowerShell Module
36. SyncAppvPublishingServer Bypass Powershell Restriction – PS Module
37. Remote PowerShell Session (PS Module)
PowerShell Script
38. Potentially Suspicious Call To Win32_NTEventlogFile Class – PSScript
39. SMB over QUIC Via PowerShell Script
Network Share Object
40. Suspicious PsExec Execution
41. T1047 Wmiprvse Wbemcomn DLL Hijack
42. SMB Create Remote File Admin Share
File Event
43. Suspicious File Creation Activity From Fake Recycle.Bin Folder
44. Windows Terminal Profile Settings Modification By Uncommon Process
45. Creation Exe for Service with Unquoted Path
46. New Shim Database Created in the Default Directory
47. CSExec Service File Creation
48. RemCom Service File Creation
49. Suspicious Binary Writes Via AnyDesk
Account Management
50. Login with WMI
51. Successful Overpass the Hash Attempt