- Generate ad_users.csv
- Generate ldap_assets.csv
- Generate cmdb_ci_list_lookup.csv
- Domain Admins Report
- Protected Group Monitoring
- 3LOSH IoC
- AD Account Deletion
- AD Database Dump
- AD Database Read
- AD integrated DNS zone export
- AD Password Policy Change
- AD Password Policy Modified
- AWS AssumeRoot API operation
- Account Discovery Using DIR, WHOAMI, and NET
- Account Lockout in Administrator Groups
- AppLocker Audit
- Anonymous Authentication Attempt from Foreign IP
- Authentication Against a New Domain Controller
- Authentication from Foreign IP
- VPN Web Traffic from Foreign IP
- BadRabbit IoC
- Basic Brute Force Detection
- Basic Scanning
- LoLBin execution
- Non-Chrome process accessing Chrome registry
- Chrome spawned from user profile
- Clear-text password search
- ClickFix detection
- dllFake IoC
- Internal Proxies Creation
- CVE-2023-23397 Outlook SMB
- Cloudflared/Tailscaled tunnel detection
- Cobalt Strike IOC
- cmd.exe/powershell.exe auto-start
- Credential Manager/SAM Dump
- DCSync detection
- Defender Incident
- Defender traffic blocked by Windows Firewall
- Domain Administrator enabled/disabled
- Deprioritise Windows Defender
- Disable Microsoft Defender
- Disable Microsoft Defender (Powershell Script)
- Disable Microsoft Defender (Registry)
- EvilProxy IoC
- Excessive AWS WAF Blocked Events
- Excessive Account Lockout
- Excessive Blocked Websites
- Excessive RDP
- File hiding using attrib.exe observed
- FileFix detection
- Gootloader IOC
- Headless Browser
- ie4uinit.exe/msxsl.exe abuse
- Impacket detection
- InnoDownloadPlugin user-agent observed
- Kerberos Certificate Spoofing
- Kerberos TGT request without password
- Kerberos Pre-Authentication Flag Disabled in UserAccountControl
- Kerberos TGT request with weak encryption
- Kerberos service ticket request with weak encryption
- Kernel driver service was installed
- LSASS.exe Read
- LSASS.exe driver loading
- Large Powershell Module
- LockBit 3.0
- Logon from External Network
- Logon with NewCredentials type
- Malicious Host Threat Intelligence
- Microsoft Public Symbol download
- Monthly Inactive Accounts Report
- Multiple Account Passwords changed by an Administrator
- Named pipe usage
- New Interactive Logon from a Service Account
- New Network Share detected
- NodeJS spawning cmd.exe
- OneNote IOC
- Open Port 53
- Plaintext credential
- Possible ShareFinder/Netscan/Sharphound/CobaltStrike Usage
- PowerShell Web Downloads
- PowerShell Web Downloads (Operational)
- Protected Group Monitoring
- Privileged Group Monitoring
- Privileged Service with SeDebugPrivilege was called
- Qbot IoC
- Rclone/Restic Exfiltration
- Reboot to safe mode
- Regasm.exe execution
- Regsvcs.exe process injection
- Remote Desktop tool installation/execution
- Remote Desktop tool auto-start
- Remote Desktop tool scheduled task
- RestartManager abuse
- Restricted Admin Mode Detection
- Root certificate installation
- Rundll32 Dumping LSASS Memory
- Rundll32 Scheduled Task
- SIDHistory compromise
- SQL Server spawning Cmd.exe
- Splunk Events Deletion
- SafeDllSearchMode is modified
- Suspicious Logon/Logoff Events
- Suspicious Netscaler CLI
- Suspicious Network Settings
- Suspicious WMI
- UPnP enablement
- Unauthorised Reverse Proxy Tunnel
- Unauthorised Computer Account Creation
- Unusual Scheduled Task
- Unusual User Agent
- Unusual printui.exe path
- User Login with Local Credentials
- VSCode tunnel
- Veeam credential extraction
- Volt Typhoon IOC
- Volume Shadow Copy
- Volume Shadow Delete
- Windows Event Log Clearing Events
- Windows Recovery Environment disabled
- Windows System Event Log Clearing Events
- Windows Firewall Modification
- Windows JScript execution
- Windows Sandbox execution
- Windows Script Executed from ZIP
- WinRAR Spawning Shell Application