Fact-Login-PenTT – A domain associated with known hacking tools has been observed in a login event.
NumDCP-FRead-EC-SA-FP – An abnormal number of unique files have been read in this storage account for this user.
Prof-USwtch-U-U-DU – This is the first time this user has performed an account switch to this account.
NumCP-ELF-EC-U-SE – An abnormal number of failed endpoint logins from this endpoint have been observed for this user.
Prof-GA-PrivU-PltOp-PrivU – This is the first time this successful operation has been performed on this platform by a non-privileged user. Operations can include function types, APIs, application activities and more.
Fact-PCpcalua-IC – The PCALUA (Program Compatibility Assistant Service) process has been used to execute an indirect command. This sigma rule is authored by E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/deprecated/windows/proc_creation_win_indirect_cmd.yml
NumDCP-EL-DEC-SE-DE – An abnormal number of unique destination endpoints have been observed in successful endpoint login events from this endpoint. These events may include interactive Window logins and other (interactive or not) OS logins.
NumDCP-EL-DEC-O-DE – An abnormal number of unique destination endpoints have been observed in endpoint login events for the organization. These events may include interactive Window logins and other (interactive or not) OS logins, both failed as successful.
Fact-PCbcdedit-BootEM – bcdedit.exe usage (e.g., delete, deletevalue, import, safeboot, network) tied to boot configuration tampering which may indicate attempts to damage the system or maintain persistence. This sigma rule is authored by @neu5ron. The content of this repository is released under the [Detection Rule License (DRL) 1.1](https://github.com/SigmaHQ/Detection-Rule-License). Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_bcdedit_susp_execution.yml
NumDCP-GA-OpC-UPlt-FOp – An abnormal number of unique failed operations have been observed in this platform for this user.
Prof-RA-R-U-RA – This is the first time this user assumed this role.
Fact-PCrundll32-PwrshellDll-PCL – rundll32.exe to execute PowerShell related code through DLL loading techniques. This sigma rule is authored by Markus Neis, Nasreddine Bencherchali (Nextron Systems). The content of this repository is released under the [Detection Rule License (DRL) 1.1](https://github.com/SigmaHQ/Detection-Rule-License). Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_powershell_execution_via_dll.yml
Prof-GA-Mime-O-Mime – This is the first time this MIME type has been observed for the organization. These events do not include network or endpoint platforms.
Fact-PCbitsadmin-FDnld – The BITSAdmin (Background Intelligent Transfer Service Admin) process has been used to download a file. This sigma rule is authored by Michael Haag, FPT.EagleEye and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml
Prof-RegW-CORPROFILER-O-U – This is the first time this user has modified or created a registry value for an environment variable associated with the COR_PROFILER.
Prof-GA-RGN-O-RGN – This is the first time this cloud region has been observed for the organization.
Fact-PCmwc-PExec – The Microsoft Workflow Compiler process has been executed. Microsoft Workflow Compiler may permit the execution of arbitrary unsigned code. This sigma rule is authored by Nik Seetharaman, frack113 and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_workflow_compiler.yml
Fact-RegW-ControlPanel – A control panel item has been registered by writing to a registry key/value under HKCU\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls.
Fact-ELF-SA – A service account failed to log into an endpoint using an interactive Windows logon type. A service account is a user account that belongs to an application rather than an end user.
Fact-PCcertutil-SuspCmd – The CertUtil (Certification Utility) process has been executed with suspicious command line parameters. This sigma rule is authored by Florian Roth (Nextron Systems), juju4, keepwatch and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_certutil_decode.yml, https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_certutil_download.yml, https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_certutil_encode.yml.
Fact-PCwmic-ELT – The WMIC (WMI Command Line) process has been used to clear or delete an event log. This sigma rule is authored by Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105 and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml
Prof-GMA-U-O-UD – This is the first time a user has been added to a group by a user in this department.
Prof-PLA-Loc-U-LocCity – This is the first time this user has physically accessed a building in this city.
Prof-UPwdMod-U-O-U – This is the first time this user has modified the password of another user account.
Fact-PCdevtool-BinExec – The DevToolsLauncher process has deployed a process. This sigma rule is authored by Beyu Denis, oscd.community (rule), @_felamos (idea) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_devtoolslauncher.yml
Fact-PCcertutil-AP – The CertUtil (Certification Utility) process has been spawned by a command line executable. This sigma rule is authored by Florian Roth (Nextron Systems), Tim Shelton and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_susp_program.yml
Fact-PCpwrshell-Base64En-Hidden – The PowerShell has been used to execute a known malicious encoded command. This sigma rule is authored by John Lambert (rule) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_hidden_b64_cmd.yml
Prof-RegW-U-DetailsLen – An abnormal registry details length has been observed for this user.
Fact-PCrundll32-ADllLoad-Susp – The 'rundll32.exe' process has executed an exported module function using an ordinal number. This sigma rule is authored by Florian Roth (Nextron Systems) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_by_ordinal.yml
Fact-PCcsc-AP – The CSC (C# Compiler) process has been spawned by a command line executable or a Microsoft Office process. This sigma rule is authored by Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml
Fact-PChh-HtmlExec – The HH (HTML Help) process has loaded a '.chm' (Compiled HTML) file. This sigma rule is authored by E.M. Anhaus (originally from Atomic Blue Detections, Dan Beavin), oscd.community and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hh_chm_execution.yml
Prof-GA-Plt-UD-Plt – This is the first activity observed on this platform for users in this department.
NumDCP-Login-DZC-U-DZ – An abnormal number of unique destination network zones have been observed in login events for this user. These events may include both failed and successful logins.
Prof-Login-E-UD-DZ – This is the first time a user in this department successfully logged into this network zone.
Prof-FDel-UnixLogFiles-O-U – This is the first time a log file deletion has been observed for this user in Unix systems.
Fact-PCsc-SvcMod-Ingt – The SC (Service Controller) process has been used to change a service binary path or failure command configuration with medium integrity level executed. This sigma rule is authored by Teymur Kheirkhabarov and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml
Prof-RegW-EnvVarPath-O-U – This is the first time this user has modified the PATH environment variable by writing to the registry value 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Path'.
Prof-PCnet-U-O-U-netlocalgroup – This is the first time a user account has been added to a group using 'net.exe' for this user.
Prof-RegW-Services-O-UD – This is the first time users in this department have modified or created a service by writing a registry key\value under the key 'HKLM\SYSTEM\CurrentControlSet\Services'.
Fact-RegD-RDPCon – The RDP connection history has been cleared via the registry.
Prof-PC-CmdArgs-Msbuild-O-XMLParam – This is the first time the 'msbuild.exe' process has been used to build a project with this xml file.
Fact-PCpwrshell-ADS – The PowerShell process has been used to execute a PowerShell script from an ADS (Alternate Data Stream). This sigma rule is authored by Sergey Soldatov, Kaspersky Lab, oscd.community and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_run_script_from_ads.yml
Prof-PC-PN-Pdir – This is the first time a process execution has been observed from this directory for this process.
Prof-PCpwrshell-En-O-PP – This is the first time a process execution of PowerShell with an encrypted command has been observed for this parent process.
Fact-PCwevtutil-EventTracingClear – The WEvtUtil (Windows Event Utility) process has been used to clear an ETW (Event Tracing for Windows). This sigma rule is authored by @neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_etw_trace_evasion.yml
Fact-PCpwrshell-BitsJob – The PowerShell process has been used to execute a BITS (Background Intelligent Transfer Service) transfer. This sigma rule is authored by Endgame, JHasenbusch (ported to sigma for oscd.community) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules-deprecated/windows/proc_creation_win_powershell_bitsjob.yml
NumDCP-EL-DEC-U-DE – An abnormal number of unique destination endpoints have been observed in endpoint login events for this user. These events may include interactive Window logins and other (interactive or not) OS logins, both failed as successful.
Prof-RegW-Services-O-U – This is the first time this user has modified or created a service by writing a registry key\value under the key 'HKLM\SYSTEM\CurrentControlSet\Services'.
Prof-PCnet-U-O-U-netuser – This is the first time a user account has been enabled or disabled using 'net.exe' for this user.
Fact-PCcmstp-UAC – The CMSTP (Connection Manager Profile Installer) has been used to silently install a service profile for all users on an endpoint. This sigma rule is authored by E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml
Prof-PC-O-Pdir – This is the first time a process execution has been observed from this directory.
Fact-PC-DExt – A process with an '.exe' extension following a non-executable extension has been executed. This sigma rule is authored by Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_double_extension.yml
Prof-PLA-Loc-U-LocDoor – This is the first time this user has physically accessed this door.
Prof-PC-CmdArgs-InstallUtil-O-DLLParam – This is the first time the 'installutil.exe' process has been executed with this DLL file as a parameter.
Prof-Login-E-DE-SZ – This is the first time a successful login has been observed from this network zone to this endpoint.
Prof-FDel-U-O-U-LogFile – This is the first time a log file has been deleted by this user.
Fact-PCrundll32-PwrshellDll-PPN – The PowerShell process has been used to spawn 'rundll32.exe' and execute a DLL from a temporary folder.
Prof-Login-E-U-DZ – This is the first time this user successfully logged into this network zone.
Fact-PC-ClearComHistory – This can help the attacker ot evade detection.
Prof-Login-E-DZ-SZ – This is the first time a successful login has been observed from this source network zone to this destination network zone.
Fact-PCcdb-DSE – The CDB (Console Debugger) process has been used to execute a script. This sigma rule is authored by Beyu Denis, oscd.community, Nasreddine Bencherchali and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_cdb.yml
Prof-GA-RGN-U-RGN – This is the first time this cloud region has been observed for this user.
Prof-PC-CmdArgs-Msbuild-O-CsprojParam – This is the first time the 'msbuild.exe' process has been used to build this C# project.
Prof-GMA-GN-O-GN – This is the first time a user has been added to this group.
Prof-Login-E-U-SZ – This is the first time a successful login has been observed from this network zone for the this user.
Prof-GMA-U-O-U – This is the first time a user has been added to a group by this user.
NumDCP-FRead-EC-B-FP – An abnormal number of unique files have been read in this bucket for this user.
Prof-LogCl-E-O-DE – An abnormal number of unique files have been read in this bucket for this user.
Fact-LogCl-LogClear-AT – An audit log has been cleared.
Fact-PCrundll32-ProcMemDump-1 – The 'rundll32.exe' process has been used to dump process memory using the 'minidump' exported function in 'comsvcs.dll'. This sigma rule is authored by Florian Roth (Nextron Systems), Modexp, Nasreddine Bencherchali (Nextron Systems) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml
Fact-PCIOC-ZxShell – The 'rundll32.exe' process has been used to execute a known 'ZxShell' backdooring software module. This sigma rule is authored by Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2014/TA/Axiom/proc_creation_win_apt_zxshell.yml
Prof-LogCl-U-O-U – This is the first time an audit log has been cleared by this user.
Prof-Login-EmD-Plt-EmD – This is the first time this email domain has been used to successfully log into this platform.
NumCP-Auth-MfaEC-U – An abnormal number of Multi-Factor Authentication (MFA) authentication events for this user have been observed. These events may include both failed and successful authentications to an MFA service.
NumCP-ELF-EC-U-DZ – An abnormal number of failed logins to endpoints in this network zone have been observed for this user.
Fact-PC-SysP – The 'rundll32.exe' process has been used to execute a command associated with CVE-2023-23397.
Fact-PCnwp-NWP – A Windows system process has been executed from a folder it shouldn't normally execute from. This sigma rule is authored by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml
Fact-PC-TFE-Write – The Tasks folder in system32 and syswow64 are globally writable paths that can be abused using shell built-ins such as 'copy', 'echo', 'type', 'file createnew' to stage or execute payloads. This sigma rule is authored by Sreeman. The content of this repository is released under the [Detection Rule License (DRL) 1.1](https://github.com/SigmaHQ/Detection-Rule-License). Reference: https://github.com/SigmaHQ/sigma/blob/799acec38b9e0696cc1d5767a9416033f620aca0/rules/windows/process_creation/proc_creation_win_susp_task_folder_evasion.yml
Fact-GA-TITOR – An IP address associated with TOR has been observed.
Fact-Fwrite-HiddenFile – Creating a file that starts with ".". File that starts with "." is a hidden file. An attacker can create hidden file to evade detection.
Fact-PC-MshtaScriptExecution – The MsHTA (Microsoft HTML Application) process has been used to execute a script code.
Fact-PCdctask64-Zoho – The ZOHO 'dctask64.exe' process has been used to perform process injection. This sigma rule is authored by Florian Roth (Nextron Systems) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_dctask64_proc_inject.yml
NumCP-FDel-EC-U – An abnormal number of file deletion events have been observed for this user.
Fact-PCcsi-AP – PowerShell starting the C# Interactive Console (csi.exe), which may be used to execute code in an unusual or hidden way. This sigma rule is authored by Michael R. (@nahamike01). The content of this repository is released under the [Detection Rule License (DRL) 1.1](https://github.com/SigmaHQ/Detection-Rule-License). Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_use_of_csharp_console.yml
NumSP-FRead-FS-SA-Bytes – An abnormal amount of file bytes have been read in this storage account for this user.
Prof-Login-E-SE-DZ – This is the first time a user on this endpoint successfully logged into this network zone.
Fact-PCmsiexec-WebExec – The MsiExec process (Windows Installer) has been used to execute a remote script using a web addresses parameter. This sigma rule is authored by Florian Roth (Nextron Systems) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_msiexec_web_install.yml
Prof-PC-CmdArgs-Regsvr32-O-SCTParam – This is the first time the 'regsvr32.exe' process has been executed with this SCT file as a parameter.
Fact-PCDotNet-CommandLine – This .NET supporting process was created with an URL in the commandline.
Fact-PCpwrshell-ELT – The PowerShell process has been used to clear or delete an event log. This sigma rule is authored by Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105 and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml
Prof-PCMsbuild-E-O-DE – This is the first time the 'msbuild.exe' process has been used to build and execute a project on this endpoint.
Fact-PCsvchost-NoArg – The SvcHost (Service Host) process has been executed without any command line arguments. This sigma rule is authored by David Burkett, @signalblur and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_svchost_execution_with_no_cli_flags.yml
Fact-PCrundll32-Meterpreter – The 'rundll32.exe' process has been used to execute a known Meterpreter/Cobalt Strike module. This sigma rule is authored by Teymur Kheirkhabarov, Ecco, Florian Roth and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml
Fact-PCgup-AF – The Notepad++ updater has been executed from a folder it shouldn't normally execute from. This sigma rule is authored by Florian Roth (Nextron Systems) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_gup.yml
Fact-PCping-HexEn – The 'ping.exe' process has been used to ping a hex encoded IP address. This sigma rule is authored by Florian Roth (Nextron Systems) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_ping_hex_ip.yml
NumDCP-FDel-U-DE – An abnormal number of unique remote destination endpoints have been observed in file deletion events on this endpoint for this user.
Prof-EL-EDC-U-SZ – This is the first time an endpoint login event to a domain controller has been observed originating from this network zone for this user. These events may include both failed and successful logins.
Prof-Login-E-O-SZ – This is the first time a successful login has been observed from this network zone for the organization.
Fact-PCmshta-JsExec – The MsHTA (Microsoft HTML Application) process has been used to execute javascript. This sigma rule is authored by E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_mshta_javascript.yml
Fact-PC-Shell-Base64 – Identifies base64 being decoded and passed to a Linux shell
Cntx-GA-SuspCountry – The source country is suspicious: True\False
Fact-PC-Chflags-HiddenFile – The "setfile" unix process can be used to make files hidden by modifying their attributes, making sure they remain undetected by users. An attacker can create hidden file to evade detection.
Fact-PCtaskmgr-SysPerm – The task manager process has been executed by the system user. This sigma rule is authored by Florian Roth (Nextron Systems) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_taskmgr_localsystem.yml
Fact-FWrite-EtcLldSo – The /etc/ld.so.preload file, if present, allows users to add additional shared libraries that will be loaded before the standard libraries. This can be useful for various purposes, such as implementing custom libraries, applying system-wide modifications, or debugging and profiling applications. Attackers could use this file to force the loading of their own malicious libraries, enabling them to modify system behavior, escalate privileges, or intercept sensitive data.
Prof-GA-Plt-U-Plt – This is the first activity observed on this platform for this user.
NumCP-ELF-EC-U-DE – An abnormal number of failed endpoint logins to this endpoint have been observed for this user.
Prof-EL-E-U-SC – This is the first time this user has successfully logged into an endpoint from this country, determined by geolocation lookup.
Prof-PC-CmdArgs-InstallUtil-O-EXEParam – This is the first time the 'installutil.exe' process has been executed with this EXE file as a parameter.
Fact-PCecho-EchoP – The 'echo.exe' process has been used to execute a command associated with Meterpreter and Cobalt Strike's GetSystem system privilege escalation function.
Prof-AuditPolicyMod-E-O-SE – This is the first time an audit policy modification has been observed from this endpoint. These events may include both failed and successful modifications.
Prof-GMA-OU-GN-UOU – This is the first time a user in this OU has been added to this group.
Fact-PCbginfo-VBExec – The BgInfo (Background Information) process has used a .bgi file to bypass application whitelisting. This is notable as this method allows blindly trusted signed binaries to write code which can be leveraged to run malicious actions. This sigma rule is authored by Beyu Denis, oscd.community and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_bginfo.yml
Prof-ULck-U-O-U – This is the first time this user has locked a user account.
Fact-PCopenwith-Exec – The OpenWith process has been used to execute a program. This sigma rule is authored by Beyu Denis, oscd.community (rule), @harr0ey (idea) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_openwith.yml
Fact-PCcontrol-CPLFExec – The Windows control panel process has loaded control panel items outside of the folders they are loaded from by default. This sigma rule is authored by Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_control_panel_item.yml
Fact-PCdllhost-UACCOM – The 'dllhost.exe' process has been used to bypass UAC using COM objects. This sigma rule is authored by Nik Seetharaman, Christian Burkard (Nextron Systems) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmstp_com_object_access.yml
Fact-PCpwrshell-En-SuspEnc – The PowerShell process has been used to execute a command associated with the ChromeLoader malware. This sigma rule is authored by Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_cmd.yml
Fact-PCfsutil-JDel – The FSUtil (File System Utility) process has been used to create or delete a journal. This sigma rule is authored by Ecco, E.M. Anhaus, oscd.community and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_fsutil_usage.yml
Fact-PCnwp-NWP-PPP – A Windows system process has been spawned by a parent process that's in a folder it shouldn't normally execute from. This sigma rule is authored by vburov and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_proc_wrong_parent.yml
NumCP-FDel-UnixLogFilesC-U – An abnormal number of log files have been deleted by this user in Unix systems.
Fact-PCforfiles-IC – The 'forfiles.exe' process has spawned a child process. This sigma rule is authored by E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_forfiles.yml
NumDCP-Login-DZC-UD-DZ – An abnormal number of unique destination network zones have been observed in login events for users in this department. These events may include both failed and successful logins.
Fact-PCpwrshell-Base64En – The PowerShell process has been used to decode a Base64 string using 'frombase64string'. This sigma rule is authored by Florian Roth (Nextron Systems) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_frombase64string.yml
Prof-Web-WebDom-O-Tld – This is the first time a successful HTTP communication to this top level domain has been observed for the organization.
NumSP-FRead-FS-B-Bytes – An abnormal amount of file bytes have been read in this bucket for this user.
Fact-EL-UnauthorizedWindowsRDP – An unauthorized user has attempted and failed a Remote Desktop Protocol (RDP) login to a Windows endpoint.
Prof-PLA-Loc-U-LocBldg – This is the first time this user has physically accessed this building.
Prof-Login-Plt-U-Plt – This is the first time this user has attempted to log into this platform. These events do not include endpoint events and may include both failed and successful logins.
Prof-AuditPolicyMod-U-O-U – This is the first time this user has performed an audit policy modification. These events may include both failed and successful modifications.
NumDCP-PLA-LocC-U-LocCity – An abnormal number of unique cities have been observed in physical access events for this user.
Fact-PCbitsadmin-AbP – The 'bitsadmin.exe' process has been spawned by a command line executable. This sigma rule is authored by Florian Roth (Nextron Systems), Tim Shelton and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_susp_program.yml
Fact-PCrundll32-ADllLoad-Trojan – The 'rundll32.exe' process has loaded a module from the AppData folder. This sigma rule is authored by Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_apt_sofacy.yml
Prof-GA-Op-Plt-Op – This is the first time this operation has been observed for this platform. Operations can include function types, APIs, application activities and more.
Prof-GA-E-Plt-SZ – This is the first time an activity from this network zone has been observed for this platform.
NumDCP-PLA-LocC-U-LocDoor – An abnormal number of unique doors have been observed in physical access events for this user.
Fact-FWrite-DExt – A file with an '.exe' extension following a non-executable extension was written to. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_double_extension.yml
Fact-PCrundll32-Cpl – The Windows control panel process has spawned the 'rundll32.exe' process. This sigma rule is authored by Florian Roth (Nextron Systems) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_control_dll_load.yml
Fact-PCIOC-Archer – The 'rundll32.exe' process has executed a command associated with the Archer malware service. This sigma rule is authored by Florian Roth (Nextron Systems) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_malware_fireball.yml
Prof-PCpwrshell-En-O-U – This is the first time a process execution of a PowerShell process with an encrypted command has been observed for this user.
Fact-WebMtgM-RmPwd – A meeting has been modified to remove the meeting password.