...

SecOpsWinWmiExecVbsScript

SecOpsWinWmiprvseSpawningProcess

SecOpsWinLockoutsEndpoint

SecOpsWinExcessiveUserInteractiveLogin

SecOpsWinAnonymousAccountCreated

SecOpsWinBackupCatalogDeleted

SecOpsWinDisableAntispywareRegistry

SecOpsWinLocalSystemExecuteWhoami

SecOpsWinLsassKeyModification

SecOpsWinLsassMemDump

SecOpsWinRegUtilityHiveExport

SecOpsWinRegistryQuery

SecOpsWinRemoteSystemDiscovery

SecOpsWinScheduledTaskCreation

SecOpsWinUserAddedToLocalSecurityEnabledGroup

SecOpsWinWmiLaunchingShell

SecOpsWinWmiProcessCallCreate

SecOpsWinWmiScriptExecution

SecOpsWinADDomainEnumeration

SecOpsWinAttemptToAddCertificateToStore

SecOpsWinDisableUac

SecOpsWinMsiExecInstallWeb

SecOpsWinSchtasksForcedReboot

SecOpsWinSchtasksRemoteSystem

SecOpsWinWifiCredHarvestNetsh

SecOpsWinAdminShareSuspiciousUse

SecOpsWinNetworkShareCreated

SecOpsWinExternalSMBTrafficDetected

SecOpsAPT29byGoogleUpdateServiceInstall

SecOpsWinAuditLogCleared

SecOpsLocalUserCreation

SecOpsWinAdminRemoteLogon

SecOpsWinAtsvcRemoteExecution

SecOpsWinAuthLocalInteractiveLogin

SecOpsWinCmstpNetworkConnectionDetected

SecOpsWinCritServiceStopped

SecOpsWinDcShadowDetected

SecOpsWinDomainTrustActivity

SecOpsWinExcessiveKerberosSPNDowngrade

SecOpsWinExternalDeviceInstallationDenied

SecOpsWinNetShareScan

SecOpsWinNetShareSweep

SecOpsWinPermissionGroupDiscovery

SecOpsWinPowershellProcessDiscovery

SecOpsWinSmbAccessTempDirectory

SecOpsWinSpoolsvExeAbnormalProcessSpawn

SecOpsWinSuspiciousExternalDeviceInstallation

SecOpsWinUserAddedPrivlegedSecGroup

SecOpsWinUserCreationAbnormalNamingConvention

SecOpsADAccountNoExpires

SecOpsWinUserAddedSelfToSecGroup

SecOpsWinSamStopped

SecOpsWinSysInternalsActivityDetected

SecOpsWinSysTimeDiscovery

SecOpsWinRunasCommandExecution

SecOpsWinDefenderDownloadActivity

SecOpsWinShadowCopyDetected

SecOpsWinGoldenSamlCertificateExport

SecOpsWinDnsExeParentProcess

SecOpsWinFakeProcesses

SecOpsWinMemoryCorruptionVulnerability

SecOpsWinMimikatzLsadump

SecOpsWinFsutilDeleteChangeJournal

SecOpsWinRegistryModificationGlobalFolderOptions

SecOpsWinRegistryModificationRunKeyAdded

SecOpsWinRegistryModificationStoreLogonCred

SecOpsWinRegistryModificationNewTrustedSite

SecOpsWinRegistryModificationIExplorerSecZone

SecOpsWinPowershellSetExecutionPolicyBypass

SecOpsBlackByteRansomwareRegistryChanges

SecOpsBlackByteRansomwareRegChangesPowershell

SecOpsWinRegistryModificationDisableRegistryTool

SecOpsWinRegistryModificationDisableCMDApp

SecOpsWinRegistryModificationDisableTaskmgr

SecOpsWinRegistryModificationDisableNotificationCenter

SecOpsWinRegistryModificationDisableShutdownButton

SecOpsWinRegistryModificationDisableLogOffButton

SecOpsWinRegistryModificationDisableChangePasswdFeature

SecOpsMaliciousServiceInstallations

SecOpsWinRegistryModificationDisableLockWSFeature

SecOpsWinRegistryModificationNoDesktopGroupPolicy

SecOpsIntegrityProblem

SecOpsWinRegistryModificationActivateNoRunGroupPolicy

SecOpsWinRegistryModificationNoFindGroupPolicyFeature

SecOpsWinActivateNoControlPanelGroupPolicyFeature

SecOpsWinActivateNoFileMenuGroupPolicyFeature

SecOpsWinActivateNoCloseGroupPolicyFeature

SecOpsWinActivateNoSetTaskbarGroupPolicyFeature

SecOpsWinActivateNoTrayContextMenuGroupPolicyFeature

SecOpsWinRegistryModificationHideClockGroupPolicyFeature

SecOpsWinRegistryModificationHideSCAHealth

SecOpsStoneDrillServiceInstall

SecOpsWinRegistryModificationHideSCANetwork

SecOpsWinRegistryModificationHideSCAPower

SecOpsWinActivateNoPropertiesMyDocumentsGroupPolicyFeature

SecOpsWinRegistryModificationHideSCAVolume

SecOpsWinRegistryModificationPowershellLoggingDisabled

SecOpsWinAddRegistryValueToLoadSrvcInSafeModeWONetwork

SecOpsWinCredentialDumpingNppspy

SecOpsWinModifyShowCompressColorAndInfoTipRegistry

SecOpsWinAddRegistryValueToLoadSrvcInSafeModeWithNetwork

SecOpsAppInitDLLsLoaded

SecOpsBypassUserAccountControl

SecOpsDLLWithNonUsualPath

SecOpsHAFNIUMUmServiceSuspiciousFileTargetingExchangeServers

SecOpsMaliciousPowerShellCommandletNames

SecOpsMaliciousPowerShellPrebuiltCommandlet

SecOpsPassTheHashActivityLoginBehaviour

SecOpsRevilKaseyaRegistryKey

SecOpsRareServiceInstalls

SecOpsSIGRedExploitMicrosoftWindowsDNS

SecOpsSuspiciousBehaviorAppInitDLL

SecOpsSuspiciousWMIExecution

SecOpsTurlaPNGDropperService

SecOpsTurlaServiceInstall

SecOpsWinUserCredentialDumpRegistry

SecOpsLOLBASCertreq

SecOpsLOLBASDatasvcutil

SecOpsWinWebclientClassUse

SecOpsWinInvokewebrequestUse

SecOpsWinTFTPExecution

SecOpsWinIcmpExfiltration

SecOpsLolbinBitsadminTransfer

SecOpsLolbinCertreq

SecOpsLolbinCertutil

SecOpsLolbinConfigsecuritypolicy

SecOpsLolbinDatasvcutil

SecOpsLolbinMshta

SecOpsWinCurl

SecOpsWinFTPScriptExecution

SecOpsWinSensitiveFiles

SecOpsWinServiceCreatedNonStandardPath

SecOpsWinSuspiciousWritesToRecycleBin

SecOpsWINWmiMOFProcessExecution

SecOpsWinWMIPermanentEventSubscription

SecOpsWinWmiTemporaryEventSubscription

SecOpsWinAutomatedCollectionCmd

SecOpsWinCompressEncryptData

SecOpsWinPotentialPassTheHash

SecOpsWinAutomatedCollectionPowershell

SecOpsWinPowershellKeyloggin

SecOpsWinIISWebRootProcessExecution

SecOpsWinMapSmbShare

SecOpsWinNewPsDrive

SecOpsWinRcloneExecution

SecOpsWinSmtpExfiltration

SecOpsWinAttackerToolsOnEndpoint

SecOpsWinAppInstallerExecution

SecOpsWinWMIReconRunningProcessOrSrvcs

SecOpsLolbinCertocexecution

SecOpsWinSysInfoGatheringUsingDxdiag

SecOpsWinGatherVictimIdentitySAMInfo

SecOpsWinKerberosUserEnumeration

SecOpsWermgrConnectingToIPCheckWebServices

SecOpsWinOfficeBrowserLaunchingShell

SecOpsResetPasswordAttempt

SecOpsAccountsCreatedRemovedWithinFourHours

SecOpsADPasswdNoExpires

SecOpsBlackKingdomWebshellInstalation

SecOpsBlankPasswordAsk

SecOpsChangesAccessibilityBinaries

SecOpsDeletingMassAmountOfFiles

SecOpsFailLogOn

SecOpsFsutilSuspiciousInvocation

SecOpsGenericRansomwareBehaviorIpScanner

SecOpsMultipleMachineAccessedbyUser

SecOpsNewAccountCreated

SecOpsNtds.ditDomainHashExtractionActivity

SecOpsPersistenceAndExecutionViaGPOScheduledTask

SecOpsPsExecToolExecution

SecOpsRansomwareBehaviorMaze

SecOpsRansomwareBehaviorNotPetya

SecOpsRansomwareBehaviorRyuk

SecOpsSecurityEnabledLocalGroupChanged

SecOpsSeveralPasswordChanges

SecOpsShadowCopiesDeletion

SecOpsStopSqlServicesRunning

SecOpsSuspiciousEventlogClearUsingWevtutil

SecOpsUserAccountChanged

SecOpsWannaCryBehavior

Prerequisites

To use this alert pack, you must have the following data sources available on your domain:

...