Windows/Network Connection:
1. Communication To Ngrok.Io
2. Communication To Ngrok Tunneling Service
3. Notepad Making Network Connection
4. RDP Over Reverse SSH Tunnel
5. RDP to HTTP or HTTPS Target Ports
6. Silenttrinity Stager Msbuild Activity
7. Suspicious Office Outbound Connections
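The rule titles above name what is looked for but not how. The following is an added example (not the page's own code and not the upstream rule logic) that shows the shape such network-connection detections take when run over Sysmon Event ID 3 records. The field names (Image, Initiated, DestinationHostname, DestinationPort, ProcessId) are the real Sysmon ones; the match criteria for the three rules modelled here are my assumed approximations, and every event in the sample set is constructed, not captured.

```python
"""Toy detector for three of the Windows/Network Connection rules listed above.

Added example: the match logic is an assumption about what each rule checks,
not the published rule itself. All sample events below are constructed.
"""
import re

# ngrok tunnel endpoints live under a handful of apex domains; anchor the
# match so that look-alikes such as "notngrok.io" do not fire.
NGROK_DOMAIN_RE = re.compile(r"(^|\.)ngrok\.(io|com|app|dev)$", re.IGNORECASE)


def detect_notepad_network(evt):
    """'Notepad Making Network Connection': notepad.exe initiating an outbound
    connection. Inbound (Initiated == false) is deliberately excluded."""
    image = evt.get("Image", "").lower()
    return image.endswith("\\notepad.exe") and evt.get("Initiated") == "true"


def detect_ngrok(evt):
    """'Communication To Ngrok Tunneling Service': any process whose
    destination hostname is under an ngrok apex domain."""
    return bool(NGROK_DOMAIN_RE.search(evt.get("DestinationHostname", "")))


def detect_rdp_to_web_ports(evt):
    """'RDP to HTTP or HTTPS Target Ports': the RDP client (mstsc.exe) talking
    to 80/443 instead of 3389, a common sign of a tunnelled RDP session."""
    image = evt.get("Image", "").lower()
    return image.endswith("\\mstsc.exe") and evt.get("DestinationPort") in (80, 443)


# Rule title -> predicate over one Sysmon EID 3 event (assumed mapping).
RULES = {
    "Notepad Making Network Connection": detect_notepad_network,
    "Communication To Ngrok Tunneling Service": detect_ngrok,
    "RDP to HTTP or HTTPS Target Ports": detect_rdp_to_web_ports,
}


def run_rules(events):
    """Evaluate every rule against every network-connection event.

    Returns a list of (rule_title, ProcessId) pairs in event order; events
    that are not Sysmon Event ID 3 are skipped rather than matched."""
    hits = []
    for evt in events:
        if evt.get("EventID") != 3:
            continue
        for title, predicate in RULES.items():
            if predicate(evt):
                hits.append((title, evt["ProcessId"]))
    return hits


# Constructed sample telemetry (not real captures). Documentation range
# addresses only; hostnames are invented.
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": "C:\\Windows\\System32\\notepad.exe", "ProcessId": 4120,
     "Initiated": "true", "DestinationIp": "203.0.113.10",
     "DestinationHostname": "", "DestinationPort": 443},
    {"EventID": 3, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ProcessId": 5532, "Initiated": "true", "DestinationIp": "203.0.113.20",
     "DestinationHostname": "abcd1234.ngrok.io", "DestinationPort": 443},
    {"EventID": 3, "Image": "C:\\Windows\\System32\\mstsc.exe", "ProcessId": 6044,
     "Initiated": "true", "DestinationIp": "198.51.100.7",
     "DestinationHostname": "", "DestinationPort": 443},
    # Benign browser traffic: no rule should fire.
    {"EventID": 3, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "ProcessId": 7100, "Initiated": "true", "DestinationIp": "198.51.100.9",
     "DestinationHostname": "www.example.com", "DestinationPort": 443},
    # Inbound connection to notepad (Initiated == false): edge case, no hit.
    {"EventID": 3, "Image": "C:\\Windows\\System32\\notepad.exe", "ProcessId": 4120,
     "Initiated": "false", "DestinationIp": "192.0.2.5",
     "DestinationHostname": "", "DestinationPort": 49152},
    # Look-alike hostname: must not match the ngrok rule.
    {"EventID": 3, "Image": "C:\\Windows\\System32\\curl.exe", "ProcessId": 8001,
     "Initiated": "true", "DestinationIp": "192.0.2.9",
     "DestinationHostname": "notngrok.io", "DestinationPort": 80},
    # Process-creation event (EID 1) carries no network fields and is skipped.
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "ProcessId": 4120},
]


if __name__ == "__main__":
    for title, pid in run_rules(SAMPLE_EVENTS):
        print(f"{title}: pid {pid}")
```

The Initiated filter on the notepad rule and the anchored ngrok regex are the two places where a naive version of these checks produces false positives; the sample set includes one event for each so the behaviour is visible.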
Windows/System or Application/Service Control Manager:
8. Mesh Agent Service Installation
9. NetSupport Manager Service Install
10. PAExec Service Installation
11. Service Installation in Suspicious Folder
12. Remote Access Tool Services Have Been Installed – System
13. New PDQDeploy Service – Client Side
14. New PDQDeploy Service – Server Side
15. TacticalRMM Service Installation
16. Moriya Rootkit – System
17. Remote Utilities Host Service Install
Driver Load:
18. PUA – System Informer Driver Load
19. Vulnerable AVAST Anti Rootkit Driver Load
Azure/Azure Active Directory:
20. Owner Added to Group – Azure AD
21. Success Login from Malicious Address – Azure AD
Windows/Image Load:
22. Microsoft Excel Add-In Loaded From Uncommon Location
23. WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load
24. Potential appverifUI.DLL Sideloading
Windows/Files:
25. UAC Bypass Using NTFS Reparse Point – File
26. UAC Bypass Using MSConfig Token Modification – File
27. UAC Bypass Using IEInstal – File
28. UAC Bypass Using IDiagnostic Profile – File
29. PowerShell Profile Modification
30. Legitimate Application Dropped Script
31. SafetyKatz Default Dump Filename
32. Malicious DLL File Dropped in the Teams or OneDrive Folder
33. LSASS Memory Dump File Creation
34. EVTX Created In Uncommon Location
35. GatherNetworkInfo.VBS Reconnaissance Script Output
36. OneNote Attachment File Dropped In Suspicious Location
Web Cache:
37. Potential CVE-2023-36884 Exploitation – File Downloads
38. Potential CVE-2023-36884 Exploitation – URL Marker
39. Potential CVE-2023-36884 Exploitation Pattern
365 Defender:
40. Malware – 365 Defender
41. Execution – 365 Defender
42. New Category Alert – 365 Defender
43. Unwanted Software – 365 Defender
44. Privilege Escalation – 365 Defender
Windows/PowerShell:
45. Windows Firewall Profile Disabled
Windows/Process Creation:
46. Windows Defender Definition Files Removed
47. DNS Exfiltration and Tunneling Tools Execution
48. File Decoded From Base64-Hex Via Certutil.EXE
lambda@Amazon:
49. AWS:Lambda AWS Attached Malicious Lambda Layer