New-Scale Security Operations PlatformNew-Scale Security Operations Platform Release Notes

Threat Unix Commands – This context table is populated with a list of default Unix commands that are often used by attackers.

Host To IP Excluded Hosts – This context table is empty by default but can be populated with a list of domain controllers or other host servers that you want to exclude from host to IP mapping enrichment procedures. You can populate this context table manually or via an automated process as part of a Log Stream early access opportunity.

Cntx-PC-Critical-Crit – Process is a known critical command: True\False

Cntx-PC-Critical-Parent-Crit – Parent process is a known critical command: True\False

NumDCP-FWrite-AuditRule-U-DE – An abnormal number of unique endpoints where this user modified the audit.rules file in Unix system.

Fact-Web-TI-IOC – An HTTP communication attempt has been made to a known malicious URL. These events may include both failed and successful traffic.

Fact-Web-TI-RepDom – An HTTP communication attempt has been made to a bad reputation domain. These events may include both failed and successful traffic.

Fact-Web-TI-MalDom – An HTTP communication attempt has been made to a malicious site category. These events may include both failed and successful traffic.

Prof-CA-DA-O-U – This is the first time this user has successfully attached a volume to an instance.

Prof-CA-DC-FromSnapshot-O-U – This is the first time this user has successfully created a volume from a snapshot.

NumCP-PC-CritCmdC-O – An abnormal number of critical command executions have been observed for the organization.

Prof-CA-IPM-AddMember-O-U – This is the first time a user has successfully modified the attributes of a compute image in AWS and shared it with a user/group.

Prof-Login-E-U-SZ – This is the first time a successful login has been observed from this network zone for the this user.

Prof-BPM-U-PBPolicy-O-U – This is the first time this user has successful edited the IAM policy of a bucket in AWS. IAM bucket policies determine the access users and other identities have to the files and objects inside the storage bucket.

Prof-CPM-Resource-U-R – This is the first time an IAM policy of a resource in this directory has been successfully modified by this user in GCP. IAM policies determine the roles and permissions granted to users on a resource.

Prof-CA-IC-O-U – This is the first time this user has successfully created an image for compute instances.

Prof-Web-WebDom-O-Tld – This is the first time a successful HTTP communication to this top level domain has been observed for the organization.

Prof-Login-E-O-SZ – This is the first time a successful login has been observed from this network zone for the organization.

Prof-Login-E-DZ-SZ – This is the first time a successful login has been observed from this source network zone to this destination network zone.

Prof-Login-Plt-U-Plt – This is the first time this user has attempted to log into this platform. These events do not include endpoint events and may include both failed and successful logins.

Prof-DB-E-UDBN-SZ – This is the first time a successful database event in this database has been observed for this user from this network zone.

Prof-CPM-DestUT-U-DestUT – This is the first time a member with this user type was successfully granted IAM permissions in a GCP policy. IAM policies determine the roles and permissions granted to users on a resource.

Prof-BPM-U-PBACL-O-U – This is the first time this user has successful  edited the ACL policy of a bucket in AWS.

Prof-Login-E-UD-DZ – This is the first time a user in this department attempted to log into this network zone. These events may include both failed and successful logins.

Prof-Login-E-SE-DZ – This is the first time a user on this endpoint successful logged into this network zone.

Prof-DB-E-UDBN-SIP – This is the first time a database event in this database has been observed for this user from this IP address.

Prof-CPM-Resource-O-R – This is the first time an IAM policy of a resource in this directory has been successfully modified in GCP. IAM policies determine the roles and permissions granted to users on a resource.

Prof-CPM-DestD-U-DestD – This is the first time a user from this domain was successfully granted IAM permissions in a GCP policy. IAM policies determine the roles and permissions granted to users on a resource.

Prof-Login-E-DE-SZ – This is the first time a successful login has been observed from this network zone to the this endpoint.

Prof-CA-IC-Publisher-O-Publisher – This is the first time this image publisher has been observed in a successful virtual machine image creation for the organization.

Prof-CPM-URevertAWS-O-U – This is the first time this user has successfully changed the default policy version of a policy in AWS. Policies in AWS are the documents that dictate what permissions are granted to identities and resources.

Prof-Login-E-U-DZ – This is the first time this user successfully logged into this network zone.

Prof-DB-E-UDBN-SE – This is the first time a successful database event in this database has been observed for this user from this endpoint.

Prof-Web-WebDom-O-U-WebDomIP – This is the first time an HTTP communication attempt directly to an IP address has been observed for this user. These events may include both failed and successful traffic.

Fact-Web-ShellUserAgent – An HTTP communication attempt has been made with a user-agent associated with a command shell. These events may include both failed and successful traffic.

Fact-EA-KerberosNotPreAuth – A user has successfully authenticated against an endpoint via Kerberos authentication with preauthentication 0.

Prof-PC-PN-PltUD-PN – This is the first time this process has been executed in this platform for users in this department. This feature only models processes from - Windows and Unix commands, pentest tools, system enumeration, account enumeration and network sniffers.

Prof-PC-PN-PltSZ-PN – This is the first time this process has been executed in this platform from this network zone. This feature only models processes from - Windows and Unix commands, pentest tools, system enumeration, account enumeration and network sniffers.

Prof-PC-PN-DE-PN – This is the first time this process has been executed on this endpoint. This feature only models processes from - Windows and Unix commands, pentest tools, system enumeration, account enumeration and network sniffers.

Prof-PC-PN-Plt-PN – This is the first time this process has been executed in this platform. This feature only models processes from - Windows and Unix commands, pentest tools, system enumeration, account enumeration and network sniffers.

Prof-PC-PN-PltU-PN – This is the first time this process has been executed in this platform for this user. This feature only models processes from - Windows and Unix commands, pentest tools, system enumeration, account enumeration and network sniffers.

Fact-CPM-PCrit-GCPAdmin – A cloud resource policy in GCP has been successfully modified and included critical administrative permissions. IAM policies determine the roles and permissions granted to users on a resource.

Fact-Web-TITOR-Dom – An HTTP communication attempt has been made to a known TOR web proxy domain. These events may include both failed and successful traffic.

Prof-PC-PPN-PPN-PN – This is the first time this child process has been observed for this matured parent process.

Prof-PC-PPN-PN-PPN – This is the first time this parent process has been observed for this matured child process.

Prof-Login-EmD-Plt-EmD – This is the first time this email domain has been used to successfully log into this platform.

Prof-CA-SPM-AddMember-O-U – This is the first time this user has successfully modified the attributes of a compute snapshot in AWS and shared it with a user/group.

Prof-CA-SC-O-U – This is the first time this user has successfully created a snapshot of a compute instance.

Prof-Web-TI-U-WebDom-Malicious – This is the first time an HTTP communication attempt to this malicious web domain has been observed for this user. These events may include both failed and successful traffic.

Prof-DB-U-DBN-UD – This is the first time a database event in this database has been observed for a user in this department. A database event consists of any event or operation performed on a database. These events may include both failed and successful operations.

Prof-BC-U-O-U – This is the first time this user has successfully created a cloud storage bucket.

Prof-DBQ-RS-SZ-RS – An abnormal successful database query response size has been observed for this source network zone.

Fact-BPM-Public-Policy – The IAM policy or the ACL of an AWS bucket has been successfully modified to make it public to all users.

Fact-BPM-Public-AccessBlock – The public access block of a bucket or an account in AWS has been successfully modified to remove public access prevention. This activity enables the bucket or the entire account to become public to all users.

Fact-CPM-PCrit-AWSAdmin – A policy with critical administrative permissions was created or attached to an identity in AWS. Policies in AWS are the documents that dictates what permissions are granted to identities and resources.

Fact-CPM-PCrit-GCPPublic – A policy has been successfully modified to allow public access to a GCP resource. This activity should be noted since public resources can be read or downloaded by everyone.

Fact-Web-TITOR-Url – An HTTP communication attempt has been made to a URL containing '/tor/server'. These events may include both failed and successful traffic.

Fact-Web-TIPhish-PhishDom – An HTTP communication attempt has been made to a phishing associated domain. These events may include both failed and successful traffic.

Fact-Web-TIRansomware – An HTTP communication attempt has been made to a ransomware associated domain. These events may include both failed and successful traffic.

NumDCP-CA-DAC-U-Disks – An abnormal number of volumes were observed attached to instances for this user.

Prof-CA-IKM-KeyCreateGCP-O-U – This is the first time this user added or modified an SSH key of an instance in GCP. These events may include both failed and successful modifications.

Fact-CA-IPM-PublicAWS – A compute image resource in AWS has been made public, granting access to all users.

Prof-DBQ-RS-U-RS – An abnormal successful database query response size has been observed in this database for this user.

NumDCP-Login-DZC-UD-DZ – An abnormal number of unique destination network zones have been observed in login events for users in this department. These events may include both failed and successful logins.

NumDCP-Login-DZC-U-DZ – An abnormal number of unique destination network zones have been observed in login events for this user. These events may include both failed and successful logins.

NumSP-DBQ-RS-U-RS – An abnormal database query response size has been observed for this user. These events may include both failed and successful queries.

NumCP-DB-DBOpC-U – An abnormal number of database operation events were observed for this user - this can include both unique and non-unique operations. A database operation consists of any action in a database query (i.e. SELECT, DROP, UPDATE, etc...). These events may include both failed and successful operations.

Prof-DB-U-DBN-U – This is the first time a database event in this database has been observed for this user. A database event consists of any event or operation performed on a database. These events may include both failed and successful operations.

Prof-CA-IRC-O-U – This is the first time this user executed a remote command on an instance. These events may include both failed and successful executions.

Prof-AuditPolicyMod-U-O-U – This is the first time this user has performed an audit policy modification. These events may include both failed and successful modifications.

Prof-CPM-UAttachAWS-O-U – This is the first time this user attached a policy to an identity (user, group and role) in AWS. Policies in AWS are the documents that dictate what permissions are granted to identities and resources. These events may include both failed and successful attachments.

Prof-Web-BinURL-O-U – This is the first time an executable file was downloaded during an HTTP session for this user.

Prof-CPM-UCreate-O-U – This is the first time this user created or modified an IAM policy on this cloud platform. IAM policies determine the roles and permissions granted to users on a resource. These events may include both failed and successful creations\modifications.

Prof-BPM-Public-O-U – This is the first time this user has attempte to modify the IAM policy or the ACL of an AWS bucket to make it public to all users. These events may include both failed and successful modifications.

Prof-AuditPolicyMod-E-O-SE – This is the first time an audit policy modification has been observed from this endpoint. These events may include both failed and successful modifications.

NumSP-Web-Bytes-U-BytesInPost – An abnormal amount of bytes have been uploaded to the web with POST requests for this user.

NumSP-Web-Bytes-U-BytesStorageIn – An abnormal amount of bytes have been downloaded from file sharing websites for this user.

Cntx-Web-WDCrit-FS – Web domain is a file sharing domain: True\False

NumSP-Network-BytesIn-SZ-Bytes – An abnormal amount of bytes have been sent in inbound communication from this network zone.

NumSP-SADLP-Bytes-U-Bytes – An abnormal amount of outgoing bytes have been recorded in DLP alerts for this user.

NumSP-Network-BytesOut-SZ-Bytes – An abnormal amount of bytes have been sent in outbound communication from this network zone.

NumCP-FDnld-EC-UD – An abnormal amount of file download events have been observed for users in this department.

NumCP-Git-EC-U – An abnormal amount of GitHub API access events have been observed for this user.

NumDC-Git-RepoC-U-Object – An abnormal number of unique repository endpoints where secrets are generally stored, which may indicate unauthorized enumeration or insider reconnaissance activity. Repository name is parsed into the object field which is being counted here.

NumCP-FDnld-EC-O – An abnormal amount of file download events have been observed for the organization.

NumSP-NetworkF-BytesOut-SE-Bytes – An abnormal amount of bytes have failed to be sent in outbound communication from this endpoint.

NumSP-Network-BytesOut-SE-Bytes – An abnormal amount of bytes have been sent in outbound communication from this endpoint.

NumCP-AI-U-Guardrail-Block – An abnormal amount of AI guardrail violations have been observed for a user.

NumDCP-SADLP-ProtoC-U-Proto – An abnormal number of unique protocols have been observed in DLP alerts for this user.

NumCP-FDnld-EC-U – An abnormal amount of file download events have been observed for this user.

Fact-FWrite-2018APT – The 'ds7002.lnk', which is related to a known attack, was written to.

Fact-Login-PenTT – A domain associated with known hacking tools has been observed in a login event.

Prof-ShA-SZ-SN – This is the first time this network share has been successfully accessed from this network zone.

Cntx-PCplink-Exfil – Process is 'plink.exe': True\False

Cntx-ShA-AdminShare – Share is an admin share: True\False

Fact-AI-Guardrail-Block – An AI guardrail violation has been observed.

Cntx-EL-UCrit-ADomain – User is a domain account: True\False

Cntx-AuditPolicyMod-ECrit – Endpoint is critical: True\False

Cntx-PCquser-ADisc – Local accounts enumerated using quser.exe: True\False

Cntx-PC-Critical-Sniffer – Process is a sniffing tool: True\False

Cntx-Login-LType – Login type

Cntx-PCwmic-ADisc – Local accounts enumerated using wmic.exe in on endpoint: True\False

Cntx-PC-Critical-Parent-Shell – Parent process is a shell process

Cntx-ELF-LF-BadCred – Login failed due to bad credentials: True\False

Cntx-PC-Critical-Parent-Pentest – Parent process is a known pentesting tool

Cntx-FRead-Repo – File is located in a repository: True\False

Prof-SADLP-Tld-Proto-Tld – This is the first time a DLP alert triggered on this domain for this protocol.

Cntx-VPNln-UCrit-Vendor – User is a vendor: True\False

Cntx-EL-UCrit-UPriv – User is privileged: True\False

Cntx-GMA-GCrit-Admin – Security group is privileged: True\False

Cntx-Network-Protocol – Network protocol

Prof-SA-PN-U-PN – This is the first time an alert triggered on this process for this user.

Cntx-PC-Critical-Parent-SystemEnum – Parent process is a system enumeration tool: True\False

Cntx-PCapplocker-UAC – Process is a known Applocker bypass process: True\False

Cntx-PCwhoami-ADisc – Local accounts enumerated using whoami.exe on endpoint: True\False

Cntx-PC-Critical-CredEnum – Process is a credential enumeration tool: True\False

Cntx-GA-TI-SIP – Source IP is marked by threat intelligence: True\False

Cntx-EL-UCrit-Exec – User is an executive: True\False

Cntx-GA-TIRansomware-SIP – Source IP is marked as a ransomware by threat intelligence: True\False

Cntx-GA-TIRansomware-DIP – Destination IP is marked as a ransomware by threat intelligence: True\False

Cntx-LogCl-ECrit-CS – Endpoint is critical: True\False

Prof-GA-Country-SZ-DCountry – This is the first time an activity has been observed to this country for this network zone, determined by geolocation lookup.

Cntx-NetworkF-ATF – Network activity failed: True\False

Cntx-PC-FC-SusDir – Process executed from a known suspicious folder: True\False

Cntx-Web-WDCrit-IP – Web domain is an IP address: True\False

Cntx-UCreate-UCrit – User is local: True\False

Cntx-PC-Critical-Parent-Webserver – Parent process is a web server process: True\False

Cntx-EL-ECrit-CS – Destination endpoint is critical: True\False

Cntx-PCwsmprovhost-RP-PN – Process is 'wsmprovhost.exe': True\False

Prof-AI-UD-Guardrail-Block – This is the first time a user in this department has triggered an AI guardrail violation.

Cntx-PC-Critical-Pentest – Process is a known pentesting tool

Prof-SA-PN-UD-PN – This is the first time an alert triggered on this process for users in this department.

Prof-GA-Country-DZ-SCountry – This is the first time an activity has been observed from this country to this network zone, determined by geolocation lookup.

Cntx-FA-FCrit-SrcExecutable – Source file is an executable: True\False

Prof-Auth-U-Okta-AnonVPN – This is the first time an Okta user has used an anonymous VPN to authenticate.

Cntx-GA-TI-DIP – Destination IP is marked by threat intelligence: True\False

Cntx-PC-Critical-Parent-CredEnum – Parent process is a credential enumeration tool: True\False

Cntx-PC-ECrit-Server – Endpoint is a server: True\False

Cntx-USwtch-UCrit – User is privileged: True\False

Cntx-GA-SA – User is a service account: True\False

Cntx-EL-ECrit-DC – Destination endpoint is a Domain Controller: True\False

Cntx-PLA-Outcome – Physical access failed: True\False

Cntx-GMA-ULocal – User is local: True\False

Cntx-ShA-NamedPipe – Share is a known named pipe: True\False

Cntx-PC-FC-PDir – Process executed from a temporary directory: True\False

Cntx-FUSB-Outlook – File has a .pst/.ost extension: True\False

Cntx-Web-UCrit-Exec – User is an executive: True\False

Cntx-PC-Critical-SystemEnum – Process is a system enumeration tool: True\False

Cntx-ShA-PrivU – User is privileged: True\False

Cntx-Web-ECrit-DC – Endpoint is a Domain Controller: True\False

Cntx-PC-Critical-Parent-MSOffice – Parent process is a Microsoft Office process: True\False

Prof-GA-Country-O-DCountry – This is the first time an activity has been observed to this country, determined by geolocation lookup.

Prof-PCIOC-IOCPenT-U-PenT – This is the first time a process execution of a known pentesting tool has been observed for this user.

Cntx-GA-UDisabled – User owns a disabled account: True\False

Cntx-EL-ET-Wrkstn – Destination endpoint is a workstation: True\False

Cntx-PCqwinsta-ADisc – Local accounts enumerated using qwinsta.exe on endpoint: True\False

Cntx-Web-UCrit-Priv – User is privileged: True\False

Prof-Network-SEPN-DE – This is the first time this process has accessed this destination endpoint from this source endpoint.

Cntx-GMA-SelfAdd – User added themselves to a security group: True\False

Cntx-GA-AF – Activity failed: True\False

Prof-SADLP-Proto-U-Proto – This is the first time a DLP alert triggered on this protocol for this user.

Cntx-VPNln-UCrit-Exec – User is an executive: True\False

Cntx-EL-UCrit-SA – User is a service account: True\False

Cntx-PC-Critical-Shell – Process is a shell process

Prof-AI-O-Guardrail-Block – This is the first time a user in the organization has triggered an AI guardrail violation.

Cntx-EMS-Outcome – Email sent outcome

Cntx-VPNln-UCrit-SA – User is a service account: True\False

Cntx-PC-ECrit-CS – Endpoint is critical or a Domain Controller: True\False

Cntx-VPNln-UCrit-Contractor – User is a contractor : True\False

Cntx-USwtch-DUCrit – Dest user is privileged: True\False

Cntx-PCwsmprovhost-RP-PPN – Parent process is 'wsmprovhost.exe': True\False

Prof-AI-U-Guardrail-Block – This is the first time this user has triggered an AI guardrail violation.

Fact-PCwindump-NetSniff – The WinDump process (a process dumping tool) has been executed. This sigma rule is authored by Timur Zinniatullin, oscd.community, Nasreddine Bencherchali (Nextron Systems) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_network_sniffing.yml

Fact-PCcmdkey-UDisc – The CMDKey (Credential Manager Command Line) process has been used to enumerate cached credentials. This sigma rule is authored by jmallette, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml

Fact-PCesentutl-CDbC – The Esentutl (Extensible Storage Engine Utility) process has been used to copy files with credentials data. This sigma rule is authored by Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_copying_sensitive_files_with_credential_data.yml

Fact-PCstunnel-Exfil – The 'stunnel.exe' (a data exfiltration tool) process has been executed. This sigma rule is authored by Daniil Yugoslavskiy, oscd.community and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_exfiltration_and_tunneling_tools_execution.yml

Fact-PCcsi-AP – The CSI (C# Interactive Console) process has been spawned by the PowerShell process. This sigma rule is authored by Michael R. (@nahamike01) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_use_of_csharp_console.yml

Fact-PCnwp-NWP – A Windows system process has been executed from a folder it shouldn't normally execute from. This sigma rule is authored by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml

Fact-PCpwrshell-SCC – The PowerShell process has been used to create a shadow copy. This sigma rule is authored by Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_shadow_copies_creation.yml

Fact-PCcsws-AP – A Windows Script Host process ('cscript.exe' or 'wscript.exe') has been spawned by the RegSvr (Register Server) process. This sigma rule is authored by Florian Roth (Nextron Systems), oscd.community, Tim Shelton and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_regsvr32_anomalies.yml

Fact-PCbcdedit-DisRec – The BCDEdit (Boot Configuration Data Edit) process has been used to disable Windows recovery mode. This sigma rule is authored by E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_bcdedit_boot_conf_tamper.yml

Fact-SEPwrshell-EnumNetworkAdapter – A PowerShell script that enumerate network adapters using wmi object has been executed.

Fact-RA-WDigest – The WDigest authentication protocol, which uses clear-text credential caching, has been enabled via the registry.

Fact-PCforfiles-IC – The 'forfiles.exe' process has spawned a child process. This sigma rule is authored by E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_forfiles.yml

Fact-PCpcalua-IC – The PCALUA (Program Compatibility Assistant Service) process has been used to execute an indirect command. This sigma rule is authored by E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/deprecated/windows/proc_creation_win_indirect_cmd.yml

Fact-PCjava-JavaRD – The Java process has been executed with remote debugging allowed for more than just the localhost. This sigma rule is authored by Florian Roth (Nextron Systems) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_vul_java_remote_debugging.yml

Fact-PCnltest-DomDisc – The NLTest (Network Location Test) process has been used to discover domain trusts. This sigma rule is authored by E.M. Anhaus, Tony Lambert, oscd.community, omkar72 and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery.yml

Fact-PCwsreset-UAC – The WSReset (Windows Store Reset) process has spawned a child process that it shouldn't normally spawn. This sigma rule is authored by E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, Florian Roth and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml

Fact-PCSplashtop-InstalledAgent – The Splashtop remote desktop access agent has been installed.

Fact-PCcsws-SExec-PP – The 'wscript.exe' or 'cscript.exe' processes (Windows Script Host) were used to execute a script from the user directory or the program data directory. This sigma rule is authored by Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_malware_script_dropper.yml

Fact-PC-MshtaScriptExecution – The MsHTA (Microsoft HTML Application) process has been used to execute a script code.

Fact-FCopy-Outlook-FExt – A file ending in a '.pst'/'.ost' extension has been copied.

Fact-PCsharphound-BloodHound – The 'sharphound.exe' (a network domain enumeration tool) process has been executed.

Fact-PCTeamViewer-StartedService – The TeamViewer remote desktop access service has been started.

Fact-PCscrcons-WMI – The 'scrcons.exe' process (WMI script event consumer) has been executed. This sigma rule is authored by Thomas Patzke and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmi_persistence_script_event_consumer.yml

Fact-PCsocat-Exfil – The 'socat.exe' (a data exfiltration tool) process has been executed. This sigma rule is authored by Daniil Yugoslavskiy, oscd.community and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_exfiltration_and_tunneling_tools_execution.yml

Fact-ELF-SA – A service account failed to log into an endpoint using an interactive Windows logon type. A service account is a user account that belongs to an application rather than an end user.

Fact-PCtaskmgr-SysPerm – The task manager process has been executed by the system user. This sigma rule is authored by Florian Roth (Nextron Systems) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_taskmgr_localsystem.yml

Fact-PCschtasks-TM – The SchTasks (Scheduled Tasks) process has been used to modify the user account configuration of a scheduled task.

Fact-PCschtasks-TC – The SchTasks (Scheduled Tasks) process has been spawned by a command associated with the 'PowerSploit' or 'Empire' attack tools. This sigma rule is authored by Markus Neis, @Karneades and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_powersploit_empire_default_schtasks.yml

Fact-PCGoToMyPC-StartedService – The GoToMyPC remote desktop access service has been started.

Fact-EMS-Competition – An email has been sent to an email domain belonging to a competitor.

Fact-PCmklink-SCA – The 'mklink.exe' process has been used to create a symbolic link to a shadow copy. This sigma rule is authored by Teymur Kheirkhabarov, oscd.community and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_shadow_copies_access_symlink.yml

Fact-PCbcdedit-ESP – The BCDEdit (Boot Configuration Data Edit) process has been used to enable test signing.

Fact-PCpwrshell-AD – The PowerShell process has executed a 'ps1' script from the AppData folder. This sigma rule is authored by Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_ps_appdata.yml

Fact-PCAnyDesk-InstalledAgent – The AnyDesk remote desktop access service has been installed.

Fact-PCwhoami-SysPerm – The 'whoami.exe' process has been executed by the system user.

Fact-PC-SysP – The 'rundll32.exe' process has been used to execute a command associated with CVE-2023-23397.

Fact-PCfsutil-JDel – The FSUtil (File System Utility) process has been used to create or delete a journal. This sigma rule is authored by Ecco, E.M. Anhaus, oscd.community and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_fsutil_usage.yml

Fact-PCappcmd-ModIns – The 'appcmd.exe' (IIS Application Command Line) process has been used to install an IIS native-code module.

Fact-PCcsc-AP – The CSC (C# Compiler) process has been spawned by a command line executable or a Microsoft Office process. This sigma rule is authored by Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml

Fact-PCping-HexEn – The 'ping.exe' process has been used to ping a hex encoded IP address. This sigma rule is authored by Florian Roth (Nextron Systems) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_ping_hex_ip.yml

Fact-PCpwrshell-HidExec – The PowerShell process has been executed with a hidden or non-interactive console window. This sigma rule is authored by Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_parameter_variation.yml

Fact-PCoffice-Regsvr32 – A Microsoft Office process has spawned the RegSvr (Registration Service) process. This sigma rule is authored by Florian Roth (Nextron Systems), oscd.community, Tim Shelton and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_regsvr32_anomalies.yml

Fact-PCAnyDesk-StartedAgent – The AnyDesk remote desktop access service has been started.

Fact-PCpwrshell-ELT – The PowerShell process has been used to clear or delete an event log. This sigma rule is authored by Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105 and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml

Fact-PCpwrshell-En-SuspEnc – The PowerShell process has been used to execute a command associated with the ChromeLoader malware. This sigma rule is authored by Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_cmd.yml

Fact-PCrundll32-ProcMemDump-1 – The 'rundll32.exe' process has been used to dump process memory using the 'minidump' exported function in 'comsvcs.dll'. This sigma rule is authored by Florian Roth (Nextron Systems), Modexp, Nasreddine Bencherchali (Nextron Systems) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml

Fact-PCDotNet-CommandLine – This .NET supporting process was created with an URL in the commandline.

Fact-GA-TITOR – An IP address associated with TOR has been observed.

Fact-UModify-UACPreAuthDisable – UAC pre-authentication has been disabled for a user account.

Fact-PCLogMeIn-InstalledAgent – The LogMeIn remote desktop access agent has been installed.

Fact-PCLsass-Lsass – The WERFault (Windows Error Reporting Fault) process has been used to dump the LSASS process. This sigma rule is authored by sigma and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lsass_dump.yml

Fact-PCpsr-Screenshot – The PSR (Problem Steps Recorder) process has been used to take a screenshot. This is a benign event that is still useful to keep track of. This sigma rule is authored by Beyu Denis, oscd.community and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_psr_capture_screenshots.yml

Fact-U-PrivMM – A non-privileged user has been observed accessing an attribute of a privileged directory service user account.

Fact-PCcsws-SExec – The 'wscript.exe' or 'cscript.exe' processes (Windows Script Host) have been used to execute a VBScript shell. These programs can be used to aid in fileless malware execution, a technique that can help evade detection. This sigma rule is authored by Florian Roth (Nextron Systems) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_apt_cloudhopper.yml

Fact-PCsdbinst-SI – The SDBInst (Application Compatibility Database Installer) process has been used to register a shim database. This event is notable as shims can be used to intercept API calls and load malicious DLLs enabling an attacker to run malicious software. This sigma rule is authored by Markus Neis and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sdbinst_shim_persistence.yml

Fact-PCappcmd-IIS – The 'appcmd.exe' (IIS Application Command Line) process has been used to disable IIS HTTP logging .

Fact-PCrundll32-Cpl – The Windows control panel process has spawned the 'rundll32.exe' process. This sigma rule is authored by Florian Roth (Nextron Systems) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_control_dll_load.yml

Fact-PCschtasks-DA – The SchTasks (Scheduled Tasks) process has been used to deactivate a scheduled defragmentation task. This sigma rule is authored by Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_apt_slingshot.yml

Fact-PCwmic-SCD – The WMIC (WMI Command Line) process has been used to delete a shadow copy. This sigma rule is authored by Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml

Fact-PCcmstp-UAC – The CMSTP (Connection Manager Profile Installer) has been used to silently install a service profile for all users on an endpoint. This sigma rule is authored by E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml

Fact-PCLogMeIn-InstalledService – The LogMeIn remote desktop access service has been installed.

Fact-PCbitsadmin-AbP – The 'bitsadmin.exe' process has been spawned by a command line executable. This sigma rule is authored by Florian Roth (Nextron Systems), Tim Shelton and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_susp_program.yml

Fact-FRead-Lssas – A process has directly read from the memory space of 'lsass.exe'.

Fact-PCsvchost-DCOMLaunch – Remote DCOM activation under DcomLaunch service.

Fact-PCdir-UDisc – The 'dir.exe' process has been used to list users by enumerating the users folder.

Fact-PCbginfo-VBExec – The BgInfo (Background Information) process has used a .bgi file to bypass application whitelisting. This is notable as this method allows blindly trusted signed binaries to write code which can be leveraged to run malicious actions. This sigma rule is authored by Beyu Denis, oscd.community and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_bginfo.yml

Fact-PCnwp-NWP-PPP – A Windows system process has been spawned by a parent process that's in a folder it shouldn't normally execute from. This sigma rule is authored by vburov and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_proc_wrong_parent.yml

Fact-PCsc-SvcMod-Ingt – The SC (Service Controller) process has been used to change a service binary path or failure command configuration with medium integrity level executed. This sigma rule is authored by Teymur Kheirkhabarov and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml

Fact-PCiexplorer-IHttp – The 'consent.exe' (Windows UAC consent dialogue) process has spawned the 'iexplorer.exe' (Internet Explorer) process with system permissions. This sigma rule is authored by Florian Roth (Nextron Systems) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2019_1388.yml

Fact-PCsc-SuspSP – The SC (Service Controller) process has been executed with suspicious command line parameters.

Fact-PCsr-AC – The Sound Recorder process was used to record external audio. This sigma rule is authored by E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_soundrecorder_audio_capture.yml

Fact-PCcertutil-AP – The CertUtil (Certification Utility) process has been spawned by a command line executable. This sigma rule is authored by Florian Roth (Nextron Systems), Tim Shelton and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_susp_program.yml

Fact-MPermMod-UCrit – A user has modified the mailbox permissions of an executive user.

Fact-PCbitsadmin-FDnld – The BITSAdmin (Background Intelligent Transfer Service Admin) process has been used to download a file. This sigma rule is authored by Michael Haag, FPT.EagleEye and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml

Fact-DllLoadWmiprvse-Exe – The 'wmiprvse.exe' (WMI Provider Service) process has been observed loading a 'cmd.exe' or a 'powershell.exe' image.

Fact-PCcdb-DSE – The CDB (Console Debugger) process has been used to execute a script. This sigma rule is authored by Beyu Denis, oscd.community, Nasreddine Bencherchali and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_cdb.yml

Fact-PCrundll32-PwrshellDll-PPN – The PowerShell process has been used to spawn 'rundll32.exe' and execute a DLL from a temporary folder.

Fact-PCwmic-SCC – The WMIC (WMI Command Line) process has been used to create a shadow copy. This sigma rule is authored by Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_shadow_copies_creation.yml

Fact-PCassoc-FAssocCh – The Assoc (File Association) process has been used to change the association of an extension to execution. This sigma rule is authored by Nasreddine Bencherchali (Nextron Systems) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_change_default_file_association.yml

Fact-PCpwrshell-Base64En-Hidden – The PowerShell has been used to execute a known malicious encoded command. This sigma rule is authored by John Lambert (rule) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_hidden_b64_cmd.yml

Fact-PCIOC-Mimikatz – The PowerShell process has been used to execute a Mimikatz command.

Fact-PCsetspn-SPNDisc – The 'setspn.exe' process has been used to query service principal names. This sigma rule is authored by Markus Neis, keepwatch and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_setspn_spn_enumeration.yml

Fact-PC-RemoteExecAdminShare – A remote process has been executed and redirected to an admin share. This activity can be related to the execution of Impacket.

Fact-PCfltmc-SysmonDU – The FltMC (Filter Manager Control) process has been used to unload the Sysmon driver. This sigma rule is authored by Kirill Kiryanov, oscd.community and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysmon_driver_unload.yml

Fact-PC-TsconRDPRedirection – The 'tscon.exe' has been used to redirect RDP traffic.

Fact-PCLsass-ProcDumpLsass – The 'procdump.exe' process has been used to dump the LSASS process. This sigma rule is authored by Florian Roth (Nextron Systems) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_procdump_lsass.yml

Fact-PCwbadmin-CD – The WBAdmin (Windows Backup Admin) process has been used to delete a backup catalog.

Fact-PCcertutil-SuspCmd – The CertUtil (Certification Utility) process has been executed with suspicious command line parameters. This sigma rule is authored by Florian Roth (Nextron Systems), juju4, keepwatch and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_certutil_decode.yml, https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_certutil_download.yml, https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_certutil_encode.yml.

Fact-PCdllhost-UACCOM – The 'dllhost.exe' process has been used to bypass UAC using COM objects. This sigma rule is authored by Nik Seetharaman, Christian Burkard (Nextron Systems) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmstp_com_object_access.yml

Fact-PCreg-WDigest – The 'reg.exe' has been used to enable WDigest authentication through the registry.

Fact-PCGoToMyPC-InstalledAgent – The GoToMyPC remote desktop access agent has been installed.

Fact-PCdns-SIGRed – The DNS process has spawned a child process that it shouldn't normally spawn.

Fact-PCmshta-JsExec – The MsHTA (Microsoft HTML Application) process has been used to execute javascript. This sigma rule is authored by E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_mshta_javascript.yml

Fact-DNS-DomQ-Sunburst – A DNS query has been observed requesting a domain associated with the SUNBURST malware.

Fact-PCSplashtop-InstalledService – The Splashtop remote desktop access service has been installed.

Fact-PCGoToMyPC-InstalledService – The GoToMyPC remote desktop access service has been installed.

Fact-PChh-HtmlExec – The HH (HTML Help) process has loaded a '.chm' (Compiled HTML) file. This sigma rule is authored by E.M. Anhaus (originally from Atomic Blue Detections, Dan Beavin), oscd.community and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hh_chm_execution.yml

Fact-PCcontrol-CPLFExec – The Windows control panel process has loaded control panel items outside of the folders they are loaded from by default. This sigma rule is authored by Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_control_panel_item.yml

Fact-EMS-SrcCode – An email containing a source code file attachment has been sent.

Fact-PC-TempF-Outlook – A process have been executed from an Outlook temporary folder. This sigma rule is authored by Florian Roth (Nextron Systems) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_office_outlook_execution_from_temp.yml

Fact-PCIOC-Mimikatz-PN – The Mimikatz process has been executed.

Fact-FCopy-Outlook-FDir – A file from the Outlook folder has been copied to a non-Outlook folder.

Fact-PCicacls-FPermMod-Everyone – The ICACLs (Integrity Control Access Control Lists) process has been used to grant global permissions on a file.

Fact-PCcopy-TFE – The 'copy.exe' process has been used to perform task folder evasion. This sigma rule is authored by Sreeman and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_task_folder_evasion.yml

Fact-LogCl-LogClear-AT – An audit log has been cleared.

Fact-PCiodine-PExec – The 'iodine.exe' (a DNS tunneling tool) process has been executed. This sigma rule is authored by Daniil Yugoslavskiy, oscd.community and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_dns_exfiltration_tools_execution.yml

Fact-PCntdsutil-NTDS – The 'ntdsutil.exe' (NT Directory Service Utility) process has been executed. This sigma rule is authored by Thomas Patzke and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_ntdsutil_usage.yml

Fact-PCtshark-NetSniff – The TShark process (a network sniffing tool) has been executed. This sigma rule is authored by Timur Zinniatullin, oscd.community, Nasreddine Bencherchali (Nextron Systems) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_network_sniffing.yml

Fact-PCat-IJob – The 'at.exe' process has been used to execute an interactive scheduled task. This sigma rule is authored by E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community, and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_at_interactive_execution.yml

Fact-PCgup-AF – The Notepad++ updater has been executed from a folder it shouldn't normally execute from. This sigma rule is authored by Florian Roth (Nextron Systems) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_gup.yml

Fact-PCvssadmin-SCD – The VSSAdmin (Volume Shadow Copy Service Admin) process has been used to delete a shadow copy. This sigma rule is authored by Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml

Fact-PCrundll32-PwrshellDll-PCL – The 'rundll32.exe' process has been used to execute a PowerShell command. This sigma rule is authored by Markus Neis, Nasreddine Bencherchali and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_dll_execution.yml

Fact-PCdctask64-Zoho – The ZOHO 'dctask64.exe' process has been used to perform process injection. This sigma rule is authored by Florian Roth (Nextron Systems) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_dctask64_proc_inject.yml

Fact-PCTeamViewer-InstalledService – The TeamViewer remote desktop access service has been installed.

Fact-PCregsvr32-SuspExec – The RegSvr (Registration Service) process has been used to download/install/register a new DLL that is hosted on web, on this endpoint. This sigma rule is authored by Florian Roth (Nextron Systems), oscd.community, Tim Shelton and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_regsvr32_anomalies.yml

Fact-WinSC-SuspSC-Param – A service has been created with suspicious execution command parameters.

Fact-PCrundll32-ADllLoad-Susp – The 'rundll32.exe' process has executed an exported module function using an ordinal number. This sigma rule is authored by Florian Roth (Nextron Systems) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_by_ordinal.yml

Fact-PCLogMeIn-StartedService – The LogMeIn remote desktop access service has been started.

Fact-PCnetsh-FD – The NetSh (Network Shell) process has been used to disable the Windows firewall. This sigma rule is authored by Fatih Sirin and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_netsh_fw_disable.yml

Fact-PCbcdedit-DisRec-BootSP – The BCDEdit (Boot Configuration Data Edit) process has been used to Windows error recovery. This sigma rule is authored by E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_bcdedit_boot_conf_tamper.yml

Fact-PCSplashtop-StartedService – The Splashtop remote desktop access service has been started.

Fact-PCIOC-Archer – The 'rundll32.exe' process has executed a command associated with the Archer malware service. This sigma rule is authored by Florian Roth (Nextron Systems) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_malware_fireball.yml

Fact-PCecho-TFE – The 'echo.exe' process has been used to perform task folder evasion. This sigma rule is authored by Sreeman and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_task_folder_evasion.yml

Fact-WebMtgM-RmPwd – A meeting has been modified to remove the meeting password.

Fact-PCwmic-WebExec – The WMIC (WMI Command Line) process has been used to invoke a remote XSL script. This sigma rule is authored by Markus Neis, Florian Roth and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml

Fact-EMRC-FwR-ExtDom – An inbox rule has been configured to forward emails to an email address that's in a different domain than the rule's creator.

Fact-PCpwrshell-Base64En – The PowerShell process has been used to decode a Base64 string using 'frombase64string'. This sigma rule is authored by Florian Roth (Nextron Systems) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_frombase64string.yml

Fact-PCTeamViewer-InstalledAgent – The TeamViewer remote desktop access agent has been installed.

Fact-PCmsiexec-WebExec – The MsiExec process (Windows Installer) has been used to execute a remote script using a web addresses parameter. This sigma rule is authored by Florian Roth (Nextron Systems) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_msiexec_web_install.yml

Fact-PCcrackmapexec-CrackMapExecWin – The 'crackmapexec.exe' (a penetration testing tool) process has been executed. This sigma rule is authored by Markus Neis and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_apt_dragonfly.yml

Fact-PCpwrshell-AC – The PowerShell process has been used to record external audio. This sigma rule is authored by E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community, Nasreddine Bencherchali (Nextron Systems) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_audio_capture.yml

Fact-PCsc-SvcMod-PCL – The SC (Service Controller) process has been used to configure a PowerShell service. This sigma rule is authored by Victor Sergeev, oscd.community, Nasreddine Bencherchali (Nextron Systems) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_service_path_modification.yml

Fact-PCwmiprvse-FireEye – The WMIPrvSe (WMI Provider Host) process has been used to execute a command associated with FireEye Pentesting.

Fact-SA-ET-RN – A correlation rule has been triggered

Fact-PCeqnedt32-EE – The 'eqnedt32.exe' (EquationEditor) process has been executed. This is a known built in tool used by attackers due to its ability for exploitation. This sigma rule is authored by Florian Roth (Nextron Systems) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_11882.yml

Fact-PCrundll32-Meterpreter – The 'rundll32.exe' process has been used to execute a known Meterpreter/Cobalt Strike module. This sigma rule is authored by Teymur Kheirkhabarov, Ecco, Florian Roth and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml

Fact-FWrite-DExt – A file with an '.exe' extension following a non-executable extension was written to. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_double_extension.yml

Fact-PCpwrshell-BitsJob – The PowerShell process has been used to execute a BITS (Background Intelligent Transfer Service) transfer. This sigma rule is authored by Endgame, JHasenbusch (ported to sigma for oscd.community) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules-deprecated/windows/proc_creation_win_powershell_bitsjob.yml

Fact-PCpwrshell-ADS – The PowerShell process has been used to execute a PowerShell script from an ADS (Alternate Data Stream). This sigma rule is authored by Sergey Soldatov, Kaspersky Lab, oscd.community and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_run_script_from_ads.yml

Fact-WinSC-SuspSC-Temp – A service has been created from a temporary internet files directory.

Fact-PCpassworddump-SecurityXploded – The 'passworddump.exe' process (a password dumping tool from the 'SecurityXploded' toolkit) has been executed. This sigma rule is authored by Florian Roth (Nextron Systems) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_secutyxploded.yml

Fact-STC-SP – A scheduled task has been configured to execute the PowerShell process.

Fact-PCrundll32-ADllLoad-Trojan – The 'rundll32.exe' process has loaded a module from the AppData folder. This sigma rule is authored by Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_apt_sofacy.yml

Fact-PCmwc-mstsc – The MSTSC (Microsoft Terminal Services Client) process has been used to shadow an existing remote desktop session. This sigma rule is authored by Florian Roth (Nextron Systems) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_mstsc_rdp_hijack_shadowing.yml

Fact-PCdevtool-BinExec – The DevToolsLauncher process has deployed a process. This sigma rule is authored by Beyu Denis, oscd.community (rule), @_felamos (idea) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_devtoolslauncher.yml

Fact-PChttptunnel-ExfilTExec – The 'httptunnel.exe' (a data exfiltration tool) process has been executed. This sigma rule is authored by Daniil Yugoslavskiy, oscd.community and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_exfiltration_and_tunneling_tools_execution.yml

Fact-PCsvchost-NoArg – The SvcHost (Service Host) process has been executed without any command line arguments. This sigma rule is authored by David Burkett, @signalblur and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_svchost_execution_with_no_cli_flags.yml

Fact-PCcreateminidump-ProcMemDump – The CreateMiniDump process (a memory dumping tool) has been executed. This tool is used to dump the LSASS process memory for credential extraction on the attacker's machine. This sigma rule is authored by Florian Roth (Nextron Systems) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_createminidump.yml

Fact-PCnetsniff-SniffT – A network sniffing tool has been executed.

Fact-PCtakeown-FO – The 'takeown.exe' process has been used to take ownership of a file or a folder.

Fact-PCtype-TFE – The 'type.exe' process has been used to perform task folder evasion. This sigma rule is authored by Sreeman and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_task_folder_evasion.yml

Fact-PCreg-AutorunMod – The 'reg.exe' process has been used to modify an AutoRun registry key. This sigma rule is authored by Victor Sergeev, Daniil Yugoslavskiy, oscd.community and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_direct_asep_registry_keys_modification.yml

Fact-PCpwrshell-AMSI – The PowerShell process has been used to disable AMSI (Anti Malware Scan Interface) Scanning using AmsiInitFailed. This sigma rule is authored by Markus Neis, @Kostastsale and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yml

Fact-PCIOC-ZxShell – The 'rundll32.exe' process has been used to execute a known 'ZxShell' backdooring software module. This sigma rule is authored by Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2014/TA/Axiom/proc_creation_win_apt_zxshell.yml

Fact-PCecho-EchoP – The 'echo.exe' process has been used to execute a command associated with Meterpreter and Cobalt Strike’s GetSystem system privilege escalation function.

Fact-PCreg-SRH – The 'reg.exe' process has been used to dump the security/sam/system registry hives. This sigma rule is authored by Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community, frack113 and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_dumping_sensitive_hives.yml

Fact-PCdnscat-DNSExfil – The DNScat (a DNS tunneling tool) process has been executed. This sigma rule is authored by Daniil Yugoslavskiy, oscd.community and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_dns_exfiltration_tools_execution.yml

Fact-PCmwc-PExec – The Microsoft Workflow Compiler process has been executed. Microsoft Workflow Compiler may permit the execution of arbitrary unsigned code. This sigma rule is authored by Nik Seetharaman, frack113 and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_workflow_compiler.yml

Fact-PCopenwith-Exec – The OpenWith process has been used to execute a program. This sigma rule is authored by Beyu Denis, oscd.community (rule), @harr0ey (idea) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_openwith.yml

Fact-PCpwrshell-Empire – The PowerShell process has been used to execute a command associated with an Empire module.

Fact-PCbcdedit-BootEM – The BCDEdit (Boot Configuration Data Edit) process has been used to delete or import boot entry data. This sigma rule is authored by @neu5ro and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_bcdedit_susp_execution.yml

Fact-PCfodhelper-UAC – The 'fodhelper.exe' has spawned a child process. This sigma rule is authored by E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_uac_bypass_fodhelper.yml

Fact-PCwmic-ELT – The WMIC (WMI Command Line) process has been used to clear or delete an event log. This sigma rule is authored by Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105 and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml

Fact-PC-DExt – A process with an '.exe' extension following a non-executable extension has been executed. This sigma rule is authored by Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_double_extension.yml

NumCP-SEPwrshell-CmdInvC-O-InvC – An abnormal number of PowerShell command invocations have been observed for the organization.

NumCP-RegD-EC-DE – An abnormal number of registry deletion events have been observed on this device.

NumSP-EMR-Bytes-DU-Bytes – An abnormal amount of bytes have been received in incoming emails for this user.

NumCP-ELF-EC-U-RDP – An abnormal number of failed RDP (remote desktop protocol) logins to this endpoint have been observed for this user.

NumCP-AppAuthF-EC-U – An abnormal number of application authentication failures have been observed for this user.

NumSP-DNSReq-Bytes-O-Bytes – An abnormal amount of bytes were sent in DNS queries from endpoints in the organization.

NumCP-PC-InsmodCmdC-DE – An abnormal number of 'insmod' (Install Module) process executions have been observed on this endpoint.

NumCP-PC-ChownCount-U – An abnormal number of 'chown' (Change Owner) process executions have been observed for this user.

NumCP-PC-KextloadCmdC-U – An abnormal number of 'kextload' (Kernel Extention Load) process executions have been observed for this user.

NumSP-FRead-FS-SA-Bytes – An abnormal amount of file bytes have been read in this storage account for this user.

NumSP-Web-Bytes-UD-BytesStorageOut – An abnormal amount of bytes have been uploaded to file sharing websites for users in this department.

NumCP-FDel-LogFileCount-U – An abnormal number of log file deletion events have been observed for this user.

NumDCP-FRead-EC-UP-FP – An abnormal number of unique files have been read in this platform for this user.

NumCP-AppLF-EC-U – An abnormal number of application login failures have been observed for this user.

NumSP-Web-Bytes-O-BytesStorageOut – An abnormal amount of bytes have been uploaded to file sharing websites for the organization.

NumSP-DNSReq-Bytes-SE-Bytes – An abnormal amount of bytes were sent in DNS queries from this endpoint.

NumDCP-FRead-EC-B-FP – An abnormal number of unique files have been read in this bucket for this user.

NumCP-WebF-EC-U-Id – An abnormal number of failed HTTP events have been observed for this user.

NumCP-PC-SudoCount-U – An abnormal number of 'sudo' (Superuser Do) process executions have been observed for this user.

NumSP-VPNOut-Bytes-U-Bytes – An abnormal amount of bytes have been uploaded in VPN session for this user.

NumCP-PCpwrshell-EC-U – An abnormal number of PowerShell process executions have been observed for this user.

NumCP-DNSResp-NXC-O-NX – An abnormal number of DNS queries to NX domains have been observed for the organization.

NumDCP-FRead-FS-U-DE – An abnormal number of unique destination endpoints have been observed in file read events for this user.

NumSP-FRead-FS-B-Bytes – An abnormal amount of file bytes have been read in this bucket for this user.

NumDCP-PCCEnum-TC-U-CEnum – An abnormal number of unique credential enumeration tools have been executed for this user.

NumDCP-FRead-EC-SA-FP – An abnormal number of unique files have been read in this storage account for this user.

NumCP-PwdChkout-EC-U-SC – An abnormal number of password retrievals have been observed for this user.

NumCP-PC-ModprobeCmdC-U – An abnormal number of 'modprobe' (Module Probe, a kernel module managment tool) process executions have been observed for this user.

NumCP-DSOW-EC-O – An abnormal number of directory service write events have been observed for the organization. Directory services typically manage various types of objects to organize and administer resources within a network environment.

NumDCP-RegW-RPC-ServicesStop-DE-RP – An abnormal number of unique services have been stoped by modifying the registry on this endpoint.

NumCP-DNSResp-NXC-SE-NX – An abnormal number of DNS queries to NX domains from this endpoint have been observed.

NumCP-RegD-Services-EC-U – An abnormal number of unique service configurations have been deleted from the registry for this user.

NumSP-EMS-Bytes-U-Bytes – An abnormal amount of bytes have been sent in outgoing emails for this user.

NumCP-DSOW-EC-U – An abnormal number of directory service events have been observed for this user. Directory services typically manage various types of objects to organize and administer resources within a network environment.

NumDCP-RegW-RPC-ServicesStop-U-RP – An abnormal number of unique services have been stoped by modifying the registry for this user.

NumSP-FUSB-Bytes-U-Bytes – An abnormal amount of file bytes have been written to peripheral storage devices for this user.

NumCP-DL-EC-SE – An abnormal number of kernel module or drivers have been loaded on this endpoint.

NumCP-RegD-EC-U – An abnormal number of registry deletion events have been observed for this user.

NumSP-DNSReq-Bytes-SZ-Bytes – An abnormal amount of bytes were sent in DNS queries from this network zone.

NumDCP-SA-ANC-UD-AN – An abnormal number of unique alerts have triggered for users in this department.

NumCP-VPNlnF-EC-U – An abnormal number of vpn login failures have been observed for this user.

NumCP-PCpwrshell-EC-UD – An abnormal number of PowerShell process executions have been observed for users in this department.

NumCP-FUpld-EC-U – An abnormal amount of file upload events have been observed for this user.

NumCP-DL-EC-UPlt – An abnormal number of kernel module or drivers have been loaded for this user.

NumSP-FRead-FS-UP-Bytes – An abnormal amount of file bytes have been read in this platform for this user.

NumCP-ELF-EC-U-SE – An abnormal number of failed endpoint logins from this endpoint have been observed for this user.

NumDCP-ELF-SEC-DE-SE – An abnormal number of unique endpoints have been observed failing to log into this endpoint.

NumCP-EMS-EC-U-Id – An abnormal number of outgoing emails have been observed for this user.

NumDCP-RegR-RPC-Cert-U-RP – An abnormal number of unique certificates and private keys related registry values have been read by this user.

NumCP-SEPwrshell-WebReq-O-WebReq – An abnormal number of PowerShell web requests have been observed for the organization.

NumCP-RuleDel-EC-U – An abnormal number of security rules deletion events have been observed for this user.

NumDCP-GA-OpC-UPlt-FOp – An abnormal number of unique failed operations have been observed in this platform for this user.

NumSP-Web-Bytes-U-BytesStorageOut – An abnormal amount of bytes have been uploaded to file sharing websites for this user.

NumCP-FUpld-EC-O – An abnormal amount of file upload events have been observed for the organization.

NumDCP-FDel-U-DE – An abnormal number of unique remote destination endpoints have been observed in file deletion events on this endpoint for this user.

NumDCP-SA-ANC-SE-AN – An abnormal number of unique alerts have triggered from this endpoint.

NumCP-RegD-Services-EC-DE – An abnormal number of unique service configurations have been deleted from the registry on this device.

NumDCP-PCHEnum-TC-U-HEnum – An abnormal number of unique host enumeration tools have been executed for this user.

NumDCP-PwdChkout-SVC-U-SV – An abnormal number of unique safes have been observed in passwords retrieval events for this user.

NumDCP-PLA-LocC-U-LocDoor – An abnormal number of unique doors have been observed in physical access events for this user.

NumDCP-EL-DEC-O-DE – An abnormal number of unique destination endpoints have been observed in endpoint login events for the organization. These events may include interactive Window logins and other (interactive or not) OS logins, both failed as successful.

NumDCP-WebF-WebDomC-U-WebDom – An abnormal number of unique domains have been observed in failed HTTP events for this user.

NumCP-FUpld-EC-UD – An abnormal amount of file upload events have been observed for users in this department.

NumCP-PwdChkout-EC-UD-SC – An abnormal number of password retrievals have been observed for users in this department.

NumSP-Network-BytesOut-SEDP-Bytes – An abnormal amount of bytes have been sent using SSH, Telnet, SMTP, DNS, FTP, HTTP or HTTPS protocols in outbound communication from this endpoint to this port.

NumCP-FDel-EC-U – An abnormal number of file deletion events have been observed for this user.

NumDCP-PLA-LocC-U-LocCity – An abnormal number of unique cities have been observed in physical access events for this user.

NumCP-WebReqF-EC-U-Id – An abnormal number of failed HTTP requests have been observed for this user.

NumCP-MPermMod-EC-U – An abnormal number of mailbox permission modifications have been observed for this user.

NumCP-Auth-MfaEC-U – An abnormal number of Multi-Factor Authentication (MFA) authentication events for this user have been observed. These events may include both failed and successful authentications to an MFA service.

NumCP-PrivUse-EC-U-APC – An abnormal number of administrative privilege access events have been observed for this user.

NumDC-ShA-ShareC-U-DS – An abnormal number of unique network shares have been accessed for this user.

NumCP-EScrn-EC-U – An abnormal number of screenshot events have been observed for this user.

NumCP-ELF-EC-U-DZ – An abnormal number of failed logins to endpoints in this network zone have been observed for this user.

NumCP-PC-DirSearchCount-U – An abnormal number of unix file search process executions have been observed for this user.

NumDCP-Auth-TgsEC-U-Sn – An abnormal number of Ticket Granting Services (TGS) were observed for this user. In Kerberos authentication, a Ticket Granting Ticket (TGT) is a user authentication token issued by the Key Distribution Center (KDC) to be used to request from the Ticket Granting Service (TGS) access tokens for specific resources/systems joined to the domain. This event is notable since it may indicate use of stolen credentials.

NumCP-EMR-EC-DU – An abnormal number of incoming emails have been observed for this user.

NumCP-UPwdMod-O – An abnormal amount of password reset events were observed for this user.

NumDCP-EL-DEC-SE-DE – An abnormal number of unique destination endpoints have been observed in successful endpoint login events from this endpoint. These events may include interactive Window logins and other (interactive or not) OS logins.

NumDCP-Network-DIPC-SE-DIP – An abnormal number of unique destination IPs have been accessed from this source endpoint.

NumCP-PC-ChmodCount-U – An abnormal number of 'chmod' (Change Mode) process executions have been observed for this user.

NumCP-PwdChkout-EC-O-SC – An abnormal number of password retrievals have been observed for the organization.

NumDCP-FWrite-EC-U-FP – An abnormal number of unique files have been written for this user.

NumDCP-SA-ANC-U-AN – An abnormal number of unique alerts have triggered for this user.

NumCP-ELF-EC-U-DE – An abnormal number of failed endpoint logins to this endpoint have been observed for this user.

NumCP-PC-ModprobeCmdC-DE – An abnormal number of 'modprobe' (Module Probe, a kernel module managment tool) process executions have been observed on this endpoint.

NumCP-PCpwrshell-EC-O – An abnormal number of PowerShell process executions have been observed for the organization.

NumDCP-FUSB-FPC-U-FP – An abnormal number of unique files has been written to peripheral storage devices for this user.

NumDC-RA-U-RAC – An abnormal number of role-assume requests have been observed for this user. These events can include both successful and failed assumed roles.

NumDCP-EL-DEC-U-DE – An abnormal number of unique destination endpoints have been observed in endpoint login events for this user. These events may include interactive Window logins and other (interactive or not) OS logins, both failed as successful.

NumCP-PC-InsmodCmdC-U – An abnormal number of 'insmod' (Install Module) process executions have been observed for this user.

NumCP-DSOW-EC-UD – An abnormal number of directory service write events have been observed for users in this department. Directory services typically manage various types of objects to organize and administer resources within a network environment.

Prof-GA-E-U-SE – This is the first time an activity from this endpoint has been observed for this user.

Prof-ELF-E-U-DE – This is the first time this user has failed to log into this endpoint. The user might have logged in successfully before, but this is the first time a failed login event was observed on the endpoint.

Fact-CA-Startup-StartupScriptAWS – A startup script was added or modified in an instance in AWS.

Fact-CA-SPM-PublicAWS – A compute snapshot resource in AWS has been made public, granting access to all users.

Fact-CA-Startup-StartupScriptGCP – A startup or shutdown script have been added or modified in a instance in GCP.

Cntx-PC-Critical-Parent-CritWindows – Parent process is a known critical Windows command: True\False

Cntx-PC-Critical-CritWindows – Process is a known critical Windows command: True\False