Windows/Network Connection:
Suspicious Epmap Connection
Suspicious Dropbox API Usage
Suspicious Outbound Kerberos Connection
Suspicious Program Location with Network Connections
Windows/System or Application/Service Control Manager:
Tap Driver Installation
Invoke-Obfuscation COMPRESS OBFUSCATION – System
Invoke-Obfuscation RUNDLL LAUNCHER – System
Invoke-Obfuscation Via Stdin – System
Invoke-Obfuscation Via Use Clip – System
Invoke-Obfuscation Via Use MSHTA – System
Invoke-Obfuscation Via Use Rundll32 – System
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION – System
Driver Load:
Vulnerable Lenovo Driver Load
Azure/Azure Active Directory:
Member Added to Role – Azure AD
Member was Added to Administrative Role – Azure AD
Success Login Following Multiple Failed Login (Same User and Address) – AzureAD
Windows/Image Load:
Python Py2Exe Image Load
DLL Load By System Process From Suspicious Locations
Windows/Files:
UAC Bypass Using EventVwr
UAC Bypass Using .NET Code Profiler on MMC
UAC Bypass Using Consent and Comctl32 – File
Hijack Legit RDP Session to Move Laterally
Potential Privilege Escalation Attempt Via .Exe.Local Technique
Legitimate Application Dropped Executable
Legitimate Application Dropped Archive
Potential CVE-2023-36884 Exploitation Dropped File
Suspicious Outlook Macro Created
Publisher Attachment File Dropped In Suspicious Location
Suspicious File Created Via OneNote Application
LSASS Process Dump Artefact In CrashDumps Folder
WerFault LSASS Process Memory Dump
Windows/PowerShell:
Tamper Windows Defender – PSClassic
Local Firewall Rules Enumeration Via NetFirewallRule Cmdlet
Windows Mail App Mailbox Access Via PowerShell Script
Enable Windows Remote Management
Windows/Security:
Potential CVE-2023-36884 Exploitation – Share Access
Fortigate@Fortinet:
Success Login from Malicious Address – Fortigate
NetScaler@Citrix:
Success Login from Malicious Address – NetScaler
365 Defender:
Initial Access – 365 Defender
Suspicious Activity – 365 Defender
Discovery – 365 Defender
Command And Control – 365 Defender
Windows/Process Creation:
Execution via WorkFolders.exe
SecurityCenter@KasperskyLab:
Virus Found – Kaspersky Security Center