Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
Process creation and related events
| Attribute | Value |
|---|---|
| Category | MDE |
| Basic Logs Eligible | ✓ Yes (source) |
| Supports Transformations | ✓ Yes (source) |
| Ingestion API Supported | ✗ No |
| Azure Monitor Tables Reference | View Documentation |
| Defender XDR Advanced Hunting Schema | View Documentation |
Source: Azure Monitor documentation
| Column Name | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account |
| AccountDomain | string | Domain of the account. |
| AccountName | string | User name of the account. |
| AccountObjectId | string | Unique identifier for the account in Azure AD. |
| AccountSid | string | Security Identifier (SID) of the account. |
| AccountUpn | string | User principal name (UPN) of the account. |
| ActionType | string | Type of activity that triggered the event. |
| AdditionalFields | dynamic | Additional information about the entity or event. |
| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity. |
| CreatedProcessSessionId | long | Windows session ID of the created process. |
| DeviceId | string | Unique identifier for the device in the service. |
| DeviceName | string | Fully qualified domain name (FQDN) of the device. |
| FileName | string | Name of the file that the recorded action was applied to. |
| FileSize | long | Size of the file in bytes. |
| FolderPath | string | Folder containing the file that the recorded action was applied to. |
| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event. |
| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event. |
| InitiatingProcessAccountObjectId | string | Azure AD object ID of the user account that ran the process responsible for the event. |
| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event. |
| InitiatingProcessAccountUpn | string | User principal name (UPN) of the account that ran the process responsible for the event. |
| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event. |
| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started. |
| InitiatingProcessFileName | string | Name of the process that initiated the event. |
| InitiatingProcessFileSize | long | The size of the file (bytes) that ran the process responsible for the event. |
| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event. |
| InitiatingProcessId | long | Process ID (PID) of the process that initiated the event. |
| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources.. |
| InitiatingProcessLogonId | long | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts.. |
| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event. |
| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started. |
| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event. |
| InitiatingProcessParentId | long | Process ID (PID) of the parent process that spawned the process responsible for the event. |
| InitiatingProcessRemoteSessionDeviceName | string | Device name of the remote device from which the initiating process's RDP session was initiated. |
| InitiatingProcessRemoteSessionIP | string | IP address of the remote device from which the initiating process's RDP session was initiated. |
| InitiatingProcessSessionId | long | Windows session ID of the initiating process. |
| InitiatingProcessSHA1 | string | SHA-1 hash of the process (image file) that initiated the event. |
| InitiatingProcessSHA256 | string | SHA-256 hash of the process (image file) that initiated the event. In some cases this column may not be populated - please use the InitiatingProcessSHA1 column instead. |
| InitiatingProcessSignatureStatus | string | Information about the signature status of the process (image file) that initiated the event. |
| InitiatingProcessSignerType | string | Type of file signer of the process (image file) that initiated the event. |
| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event. |
| InitiatingProcessUniqueId | string | Unique identifier of the initiating process; this is equal to the Process Start Key in Windows devices. |
| InitiatingProcessVersionInfoCompanyName | string | The company name in version information (image file) responsible for the event. |
| InitiatingProcessVersionInfoFileDescription | string | The description in version information (image file) responsible for the event. |
| InitiatingProcessVersionInfoInternalFileName | string | The internal file name in version information (image file) responsible for the event. |
| InitiatingProcessVersionInfoOriginalFileName | string | The original file name in version information (image file) responsible for the event. |
| InitiatingProcessVersionInfoProductName | string | The product name in version information (image file) responsible for the event. |
| InitiatingProcessVersionInfoProductVersion | string | The product version in version information (image file) responsible for the event. |
| IsInitiatingProcessRemoteSession | bool | Indicates whether the initiating process was run under a remote desktop protocol (RDP) session (true) or locally (false). |
| IsProcessRemoteSession | bool | Indicates whether the created process was run under a remote desktop protocol (RDP) session (true) or locally (false). |
| LogonId | long | Identifier for a logon session. This identifier is unique on the same machine only between restarts. |
| MachineGroup | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine. |
| MD5 | string | MD5 hash of the file that the recorded action was applied to. |
| ProcessCommandLine | string | Command line used to create the new process. |
| ProcessCreationTime | datetime | Date and time the process was created. |
| ProcessId | long | Process ID (PID) of the newly created process. |
| ProcessIntegrityLevel | string | Integrity level of the newly created process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet downloaded. These integrity levels influence permissions to resources.. |
| ProcessRemoteSessionDeviceName | string | Device name of the remote device from which the created process's RDP session was initiated. |
| ProcessRemoteSessionIP | string | IP address of the remote device from which the created process's RDP session was initiated. |
| ProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process. |
| ProcessUniqueId | string | Unique identifier of the process; this is equal to the Process Start Key in Windows devices. |
| ProcessVersionInfoCompanyName | string | Company name from the version information of the newly created process. |
| ProcessVersionInfoFileDescription | string | Description from the version information of the newly created process. |
| ProcessVersionInfoInternalFileName | string | Internal file name from the version information of the newly created process. |
| ProcessVersionInfoOriginalFileName | string | Original file name from the version information of the newly created process. |
| ProcessVersionInfoProductName | string | Product name from the version information of the newly created process. |
| ProcessVersionInfoProductVersion | string | Product version from the version information of the newly created process. |
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns.. |
| SHA1 | string | SHA-1 hash of the file that the recorded action was applied to. |
| SHA256 | string | SHA-256 of the file that the recorded action was applied to. |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| TenantId | string | The Log Analytics workspace ID |
| TimeGenerated | datetime | Date and time the event was recorded by the MDE agent on the endpoint. |
| Type | string | The name of the table |
This table is used by the following solutions:
This table is ingested by the following connectors:
| Connector | Selection Criteria |
|---|---|
| Microsoft Defender XDR |
In solution Attacker Tools Threat Protection Essentials:
| Analytic Rule | Selection Criteria |
|---|---|
| Probable AdFind Recon Tool Usage |
In solution Dev 0270 Detection and Hunting:
| Analytic Rule | Selection Criteria |
|---|---|
| DEV-0270 New User Creation | |
| Dev-0270 Malicious Powershell usage | |
| Dev-0270 Registry IOC - September 2022 | |
| Dev-0270 WMIC Discovery |
In solution FalconFriday:
| Analytic Rule | Selection Criteria |
|---|---|
| Access Token Manipulation - Create Process with Token | |
| DCOM Lateral Movement | ActionType != "ListeningConnectionCreated"InitiatingProcessParentFileName == "svchost.exe" |
| Detecting UAC bypass - ChangePK and SLUI registry tampering | InitiatingProcessFileName == "changepk.exe"InitiatingProcessParentFileName == "slui.exe"ProcessIntegrityLevel == "High" |
| Detecting UAC bypass - elevated COM interface | InitiatingProcessCommandLine has_any "E9495B87-D950-4AB5-87A5-FF6D70BF3E90"InitiatingProcessFileName == "dllhost.exe"ProcessIntegrityLevel == "High" |
| Detecting UAC bypass - modify Windows Store settings | InitiatingProcessFileName == "wsreset.exe"ProcessIntegrityLevel == "High" |
| Disable or Modify Windows Defender | InitiatingProcessVersionInfoProductName != "Android Studio" |
| Ingress Tool Transfer - Certutil | ProcessCommandLine has "certutil" |
| Match Legitimate Name or Location - 2 | |
| Oracle suspicious command execution | InitiatingProcessFileName == "oracle.exe" |
| Remote Desktop Protocol - SharpRDP | ActionType == "LogonSuccess" |
| Rename System Utilities | |
| SMB/Windows Admin Shares | ActionType == "InboundConnectionAccepted"ProcessCommandLine != "msiexec.exe /V" |
| Suspicious parentprocess relationship - Office child processes. | |
| Trusted Developer Utilities Proxy Execution | FolderPath startswith "C:\\Program Files (x86)\\Microsoft Visual Studio"InitiatingProcessFileName in "WDExpress.exe,devenv.exe"InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft Visual Studio"ProcessCommandLine has_any "/exe"ProcessCommandLine has_any "out" |
In solution Microsoft Defender XDR:
| Analytic Rule | Selection Criteria |
|---|---|
| Account Creation | InitiatingProcessFileName == "net.exe"ProcessCommandLine !contains "/add"ProcessCommandLine !contains "/domain" |
| Bitsadmin Activity | ProcessCommandLine has "/Upload"ProcessCommandLine has_any "/Transfer" |
| Clearing of forensic evidence from event logs using wevtutil | ProcessCommandLine has "CL"ProcessCommandLine has "WEVTUTIL" |
| Deletion of data on multiple drives using cipher exe | ProcessCommandLine has "/w" |
| Detect Suspicious Commands Initiated by Webserver Processes | InitiatingProcessFileName in "beasvc.exe,httpd.exe,w3wp.exe"InitiatingProcessFileName startswith "tomcat"InitiatingProcessParentFileName in "beasvc.exe,httpd.exe,w3wp.exe"InitiatingProcessParentFileName startswith "tomcat"ProcessCommandLine contains "%temp%"ProcessCommandLine has "certutil"ProcessCommandLine has "ipconfig"ProcessCommandLine has "ping"ProcessCommandLine has "systeminfo"ProcessCommandLine has "timeout"ProcessCommandLine has "wget"ProcessCommandLine has "whoami" |
| Disabling Security Services via Registry | |
| Doppelpaymer Stop Services | InitiatingProcessFileName startswith "psexe"ProcessCommandLine has "msexchange"ProcessCommandLine has "sql"ProcessCommandLine has "stop-service" |
| DopplePaymer Procdump | ProcessCommandLine contains "-ma"ProcessCommandLine has "-accepteula"ProcessCommandLine has "lsass" |
| Execution of software vulnerable to webp buffer overflow of CVE-2023-4863 | |
| Java Executing cmd to run Powershell | InitiatingProcessFileName == "java.exe" |
| LSASS Credential Dumping with Procdump | ProcessCommandLine contains "-ma"ProcessCommandLine has "-accepteula"ProcessCommandLine has "lsass"ProcessCommandLine has "lsass.exe" |
| LaZagne Credential Theft | |
| Office Apps Launching Wscipt | InitiatingProcessFileName in "excel.exe,outlook.exe,winword.exe"ProcessCommandLine has ".jse" |
| Potential Build Process Compromise - MDE | |
| Qakbot Campaign Self Deletion | InitiatingProcessCommandLine has "-n 6"InitiatingProcessCommandLine has "127.0.0.1"InitiatingProcessCommandLine has "calc.exe"InitiatingProcessFileName == "cmd.exe" |
| Qakbot Discovery Activies | InitiatingProcessCommandLine endswith "127.0.0.1"InitiatingProcessCommandLine has "-a"InitiatingProcessCommandLine has "-nao"InitiatingProcessCommandLine has "-t"InitiatingProcessCommandLine has "/all"InitiatingProcessFileName in "explorer.exe,mobsync.exe" |
| Rare Process as a Service | |
| Regsvr32 Rundll32 with Anomalous Parent Process | |
| Shadow Copy Deletions | |
| Stopping multiple processes using taskkill |
In solution Zinc Open Source:
| Analytic Rule | Selection Criteria |
|---|---|
| Zinc Actor IOCs files - October 2022 | |
| [Deprecated] - Zinc Actor IOCs domains hashes IPs and useragent - October 2022 |
In solution Cyware: ProcessCommandLine has "powershell.exe"
| Hunting Query |
|---|
| Detecting Suspicious PowerShell Command Executions |
In solution Endpoint Threat Protection Essentials:
| Hunting Query | Selection Criteria |
|---|---|
| Backup Deletion | |
| Potential Microsoft Security Services Tampering | InitiatingProcessCommandLine has "$true"InitiatingProcessCommandLine has "/IM"InitiatingProcessCommandLine has "Set-MpPreference"InitiatingProcessCommandLine has "Start"InitiatingProcessCommandLine has "config"InitiatingProcessParentFileName != "cscript.exe" |
| Rare Windows Firewall Rule updates using Netsh | InitiatingProcessCommandLine has_all "advfirewall"InitiatingProcessFileName == "netsh.exe" |
| Unicode Obfuscation in Command Line |
In solution Legacy IOC based Threat Protection:
| Hunting Query | Selection Criteria |
|---|---|
| Dev-0056 Command Line Activity November 2021 | |
| Dev-0322 Command Line Activity November 2021 | InitiatingProcessCommandLine matchesregex "save HKLM\\SYSTEM [^ ]*_System.HIV"ProcessCommandLine matchesregex "cmd.exe /c"ProcessCommandLine matchesregex "save HKLM\\SYSTEM [^ ]*_System.HIV" |
| Dev-0322 File Drop Activity November 2021 | |
| Nylon Typhoon Command Line Activity November 2021 | |
| SolarWinds Inventory |
In solution Microsoft Defender XDR:
| Hunting Query | Selection Criteria |
|---|---|
| Account Creation | InitiatingProcessFileName == "net.exe"ProcessCommandLine !contains "/add"ProcessCommandLine !contains "/domain" |
| Anomalous Payload Delivered from ISO files | ActionType == "BrowserLaunchedToOpenUrl" |
| Bitsadmin Activity | ProcessCommandLine has "/Upload"ProcessCommandLine has_any "/Transfer" |
| Check for multiple signs of Ransomware Activity | ProcessCommandLine has "cl"ProcessCommandLine has "config"ProcessCommandLine has "delete"ProcessCommandLine has "deletejournal"ProcessCommandLine has "disabled"ProcessCommandLine has "sc"ProcessCommandLine has "shadowcopy delete"ProcessCommandLine has "usn"ProcessCommandLine has "wbadmin"ProcessCommandLine has "wevtutil"ProcessCommandLine has "wmic" |
| Clear System Logs | ProcessCommandLine has "deletejournal"ProcessCommandLine has "usn" |
| Clearing of forensic evidence from event logs using wevtutil | ProcessCommandLine has "CL"ProcessCommandLine has "WEVTUTIL" |
| Credential Harvesting Using LaZagne | ProcessCommandLine has "hklm"ProcessCommandLine has "sam"ProcessCommandLine has "save" |
| DLLHost.exe WMIC domain discovery | InitiatingProcessCommandLine == "dllhost.exe"InitiatingProcessFileName == "dllhost.exe"ProcessCommandLine has "wmic computersystem get domain" |
| Deletion of data on multiple drives using cipher exe | ProcessCommandLine has "/w" |
| Detect MaiSniper | |
| Detect Malicious use of Msiexec Mimikatz | InitiatingProcessFileName == "msiexec.exe"ProcessCommandLine contains "privilege::"ProcessCommandLine contains "token::"ProcessCommandLine has "sekurlsa" |
| Detect Suspicious Commands Initiated by Webserver Processes | InitiatingProcessFileName in "beasvc.exe,httpd.exe,w3wp.exe"InitiatingProcessFileName startswith "tomcat"InitiatingProcessParentFileName in "beasvc.exe,httpd.exe,w3wp.exe"InitiatingProcessParentFileName startswith "tomcat"ProcessCommandLine contains "%temp%"ProcessCommandLine has "certutil"ProcessCommandLine has "ipconfig"ProcessCommandLine has "ping"ProcessCommandLine has "systeminfo"ProcessCommandLine has "timeout"ProcessCommandLine has "wget"ProcessCommandLine has "whoami" |
| Detect Suspicious Mshta Usage | InitiatingProcessCommandLine contains "<script>"InitiatingProcessFileName == "mshta.exe" |
| Disabling Services via Registry | |
| Doppelpaymer Stop Services | InitiatingProcessFileName startswith "psexe"ProcessCommandLine has "msexchange"ProcessCommandLine has "sql"ProcessCommandLine has "stop-service" |
| DopplePaymer Procdump | ProcessCommandLine contains "-ma"ProcessCommandLine has "-accepteula"ProcessCommandLine has "lsass" |
| Enumeration of Users & Groups for Lateral Movement | ProcessCommandLine !contains "/add"ProcessCommandLine !contains "\\"ProcessCommandLine contains "/do"ProcessCommandLine contains "/domain"ProcessCommandLine contains "group"ProcessCommandLine contains "user" |
| Imminent Ransomware | |
| Java Executing cmd to run Powershell | InitiatingProcessFileName == "java.exe" |
| Judgement Panda Exfil Activity | |
| LaZagne Credential Theft | |
| MITRE - Suspicious Events | |
| Malicious Use of MSBuild as LOLBin | InitiatingProcessFileName == "wmiprvse.exe"ProcessCommandLine has "programdata" |
| Office Apps Launching Wscipt | InitiatingProcessFileName in "excel.exe,outlook.exe,winword.exe"ProcessCommandLine has ".jse" |
| Possible Teams phishing activity | |
| PowerShell Downloads | ProcessCommandLine has "DownloadFile"ProcessCommandLine has "IEX"ProcessCommandLine has "Invoke-Shellcode"ProcessCommandLine has "Invoke-WebRequest"ProcessCommandLine has "Net.WebClient"ProcessCommandLine has "Start-BitsTransfer"ProcessCommandLine has "http"ProcessCommandLine has "mpcmdrun.exe" |
| PowerShell adding exclusion path for Microsoft Defender of ProgramData | |
| Qakbot Campaign Self Deletion | InitiatingProcessCommandLine has "-n 6"InitiatingProcessCommandLine has "127.0.0.1"InitiatingProcessCommandLine has "calc.exe"InitiatingProcessFileName == "cmd.exe" |
| Qakbot Discovery Activies | InitiatingProcessCommandLine endswith "127.0.0.1"InitiatingProcessCommandLine has "-a"InitiatingProcessCommandLine has "-nao"InitiatingProcessCommandLine has "-t"InitiatingProcessCommandLine has "/all"InitiatingProcessFileName in "explorer.exe,mobsync.exe" |
| Qakbot Reconnaissance Activities | ProcessCommandLine has_any "whoami /all" |
| Rare Process as a Service | |
| Regsvr32 Rundll32 with Anomalous Parent Process | |
| Shadow Copy Deletions | |
| Spoolsv Spawning Rundll32 | InitiatingProcessCommandLine endswith "rundll32.exe"InitiatingProcessFileName == "rundll32.exe"InitiatingProcessParentFileName has "spoolsv.exe" |
| Stopping multiple processes using taskkill | |
| Suspicious Tomcat Confluence Process Launch | InitiatingProcessCommandLine has "confluence" |
| Turning off services using sc exe | ProcessCommandLine has "config"ProcessCommandLine has "disabled"ProcessCommandLine has "sc" |
| Webserver Executing Suspicious Applications | InitiatingProcessFileName in "httpd.exe,w3wp.exe" |
In solution MicrosoftDefenderForEndpoint:
| Hunting Query | Selection Criteria |
|---|---|
| Probable AdFind Recon Tool Usage |
Standalone Content: InitiatingProcessFileName == "solarwinds.businesslayerhost.exe"
| Hunting Query |
|---|
| SUNBURST suspicious SolarWinds child processes |
GitHub Only:
| Hunting Query | Selection Criteria |
|---|---|
| Detect Malicious use of MSIExec | ProcessCommandLine has "http"ProcessCommandLine has "return" |
| Hunt for RMM tool execution following Teams messages | |
| LSASS Credential Dumping with Procdump | ProcessCommandLine contains "-ma"ProcessCommandLine has "-accepteula"ProcessCommandLine has "lsass"ProcessCommandLine has "lsass.exe" |
In solution HIPAA Compliance: ProcessCommandLine has "Set-MpPreference"
| Workbook |
|---|
| HIPAACompliance |
In solution Lumen Defender Threat Feed:
| Workbook | Selection Criteria |
|---|---|
| Lumen-Threat-Feed-Overview |
In solution MaturityModelForEventLogManagementM2131: ActionType in "Add member to role,Add user,InteractiveLogon,RemoteInteractiveLogon,Reset user password,ResourceAccess,Sign-in,Update user"
| Workbook |
|---|
| MaturityModelForEventLogManagement_M2131 |
In solution Microsoft Defender XDR:
| Workbook | Selection Criteria |
|---|---|
| MicrosoftDefenderForEndPoint |
| Parser | Schema | Product | Selection Criteria |
|---|---|---|---|
| ASimProcessEventMicrosoft365D | ProcessEvent | Microsoft 365 Defender for endpoint |
References by type: 0 connectors, 57 content items, 0 ASIM parsers, 0 other parsers.
| Selection Criteria | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
ProcessCommandLine contains "-ma"ProcessCommandLine has "-accepteula"ProcessCommandLine has "lsass" |
- | 2 | - | - | 2 |
ProcessCommandLine contains "-ma"ProcessCommandLine has "-accepteula"ProcessCommandLine has "lsass"ProcessCommandLine has "lsass.exe" |
- | 2 | - | - | 2 |
InitiatingProcessFileName startswith "psexe"ProcessCommandLine has "msexchange"ProcessCommandLine has "sql"ProcessCommandLine has "stop-service" |
- | 2 | - | - | 2 |
InitiatingProcessCommandLine has "-n 6"InitiatingProcessCommandLine has "127.0.0.1"InitiatingProcessCommandLine has "calc.exe"InitiatingProcessFileName == "cmd.exe" |
- | 2 | - | - | 2 |
InitiatingProcessFileName in "beasvc.exe,httpd.exe,w3wp.exe"InitiatingProcessFileName startswith "tomcat"InitiatingProcessParentFileName in "beasvc.exe,httpd.exe,w3wp.exe"InitiatingProcessParentFileName startswith "tomcat"ProcessCommandLine contains "%temp%"ProcessCommandLine has "certutil"ProcessCommandLine has "ipconfig"ProcessCommandLine has "ping"ProcessCommandLine has "systeminfo"ProcessCommandLine has "timeout"ProcessCommandLine has "wget"ProcessCommandLine has "whoami" |
- | 2 | - | - | 2 |
ProcessCommandLine has "/Upload"ProcessCommandLine has_any "/Transfer" |
- | 2 | - | - | 2 |
InitiatingProcessFileName in "excel.exe,outlook.exe,winword.exe"ProcessCommandLine has ".jse" |
- | 2 | - | - | 2 |
InitiatingProcessFileName == "net.exe"ProcessCommandLine !contains "/add"ProcessCommandLine !contains "/domain" |
- | 2 | - | - | 2 |
ProcessCommandLine has "/w" |
- | 2 | - | - | 2 |
ProcessCommandLine has "CL"ProcessCommandLine has "WEVTUTIL" |
- | 2 | - | - | 2 |
InitiatingProcessCommandLine endswith "127.0.0.1"InitiatingProcessCommandLine has "-a"InitiatingProcessCommandLine has "-nao"InitiatingProcessCommandLine has "-t"InitiatingProcessCommandLine has "/all"InitiatingProcessFileName in "explorer.exe,mobsync.exe" |
- | 2 | - | - | 2 |
InitiatingProcessFileName == "java.exe" |
- | 2 | - | - | 2 |
ProcessCommandLine has "certutil" |
- | 1 | - | - | 1 |
ActionType != "ListeningConnectionCreated"InitiatingProcessParentFileName == "svchost.exe" |
- | 1 | - | - | 1 |
InitiatingProcessVersionInfoProductName != "Android Studio" |
- | 1 | - | - | 1 |
InitiatingProcessFileName == "oracle.exe" |
- | 1 | - | - | 1 |
ActionType == "LogonSuccess" |
- | 1 | - | - | 1 |
ActionType == "InboundConnectionAccepted"ProcessCommandLine != "msiexec.exe /V" |
- | 1 | - | - | 1 |
FolderPath startswith "C:\\Program Files (x86)\\Microsoft Visual Studio"InitiatingProcessFileName in "WDExpress.exe,devenv.exe"InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft Visual Studio"ProcessCommandLine has_any "/exe"ProcessCommandLine has_any "out" |
- | 1 | - | - | 1 |
InitiatingProcessCommandLine has_any "E9495B87-D950-4AB5-87A5-FF6D70BF3E90"InitiatingProcessFileName == "dllhost.exe"ProcessIntegrityLevel == "High" |
- | 1 | - | - | 1 |
InitiatingProcessFileName == "wsreset.exe"ProcessIntegrityLevel == "High" |
- | 1 | - | - | 1 |
InitiatingProcessFileName == "changepk.exe"InitiatingProcessParentFileName == "slui.exe"ProcessIntegrityLevel == "High" |
- | 1 | - | - | 1 |
ProcessCommandLine has "powershell.exe" |
- | 1 | - | - | 1 |
InitiatingProcessCommandLine has "$true"InitiatingProcessCommandLine has "/IM"InitiatingProcessCommandLine has "Set-MpPreference"InitiatingProcessCommandLine has "Start"InitiatingProcessCommandLine has "config"InitiatingProcessParentFileName != "cscript.exe" |
- | 1 | - | - | 1 |
InitiatingProcessCommandLine has_all "advfirewall"InitiatingProcessFileName == "netsh.exe" |
- | 1 | - | - | 1 |
InitiatingProcessCommandLine matchesregex "save HKLM\\SYSTEM [^ ]*_System.HIV"ProcessCommandLine matchesregex "cmd.exe /c"ProcessCommandLine matchesregex "save HKLM\\SYSTEM [^ ]*_System.HIV" |
- | 1 | - | - | 1 |
ProcessCommandLine has "hklm"ProcessCommandLine has "sam"ProcessCommandLine has "save" |
- | 1 | - | - | 1 |
ProcessCommandLine has "deletejournal"ProcessCommandLine has "usn" |
- | 1 | - | - | 1 |
ProcessCommandLine !contains "/add"ProcessCommandLine !contains "\\"ProcessCommandLine contains "/do"ProcessCommandLine contains "/domain"ProcessCommandLine contains "group"ProcessCommandLine contains "user" |
- | 1 | - | - | 1 |
ActionType == "BrowserLaunchedToOpenUrl" |
- | 1 | - | - | 1 |
ProcessCommandLine has "http"ProcessCommandLine has "return" |
- | 1 | - | - | 1 |
InitiatingProcessFileName == "msiexec.exe"ProcessCommandLine contains "privilege::"ProcessCommandLine contains "token::"ProcessCommandLine has "sekurlsa" |
- | 1 | - | - | 1 |
ProcessCommandLine has "DownloadFile"ProcessCommandLine has "IEX"ProcessCommandLine has "Invoke-Shellcode"ProcessCommandLine has "Invoke-WebRequest"ProcessCommandLine has "Net.WebClient"ProcessCommandLine has "Start-BitsTransfer"ProcessCommandLine has "http"ProcessCommandLine has "mpcmdrun.exe" |
- | 1 | - | - | 1 |
InitiatingProcessFileName in "httpd.exe,w3wp.exe" |
- | 1 | - | - | 1 |
InitiatingProcessCommandLine contains "<script>"InitiatingProcessFileName == "mshta.exe" |
- | 1 | - | - | 1 |
InitiatingProcessCommandLine has "confluence" |
- | 1 | - | - | 1 |
ProcessCommandLine has "cl"ProcessCommandLine has "config"ProcessCommandLine has "delete"ProcessCommandLine has "deletejournal"ProcessCommandLine has "disabled"ProcessCommandLine has "sc"ProcessCommandLine has "shadowcopy delete"ProcessCommandLine has "usn"ProcessCommandLine has "wbadmin"ProcessCommandLine has "wevtutil"ProcessCommandLine has "wmic" |
- | 1 | - | - | 1 |
ProcessCommandLine has "config"ProcessCommandLine has "disabled"ProcessCommandLine has "sc" |
- | 1 | - | - | 1 |
InitiatingProcessCommandLine == "dllhost.exe"InitiatingProcessFileName == "dllhost.exe"ProcessCommandLine has "wmic computersystem get domain" |
- | 1 | - | - | 1 |
InitiatingProcessCommandLine endswith "rundll32.exe"InitiatingProcessFileName == "rundll32.exe"InitiatingProcessParentFileName has "spoolsv.exe" |
- | 1 | - | - | 1 |
InitiatingProcessFileName == "wmiprvse.exe"ProcessCommandLine has "programdata" |
- | 1 | - | - | 1 |
ProcessCommandLine has_any "whoami /all" |
- | 1 | - | - | 1 |
InitiatingProcessFileName == "solarwinds.businesslayerhost.exe" |
- | 1 | - | - | 1 |
ProcessCommandLine has "Set-MpPreference" |
- | 1 | - | - | 1 |
ActionType in "Add member to role,Add user,InteractiveLogon,RemoteInteractiveLogon,Reset user password,ResourceAccess,Sign-in,Update user" |
- | 1 | - | - | 1 |
| Total | 0 | 57 | 0 | 0 | 57 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
!= ListeningConnectionCreated |
- | 1 | - | - | 1 |
LogonSuccess |
- | 1 | - | - | 1 |
InboundConnectionAccepted |
- | 1 | - | - | 1 |
BrowserLaunchedToOpenUrl |
- | 1 | - | - | 1 |
Add member to role |
- | 1 | - | - | 1 |
Add user |
- | 1 | - | - | 1 |
InteractiveLogon |
- | 1 | - | - | 1 |
RemoteInteractiveLogon |
- | 1 | - | - | 1 |
Reset user password |
- | 1 | - | - | 1 |
ResourceAccess |
- | 1 | - | - | 1 |
Sign-in |
- | 1 | - | - | 1 |
Update user |
- | 1 | - | - | 1 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
startswith C:\\Program Files (x86)\\Microsoft Visual Studio |
- | 1 | - | - | 1 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
has -n 6 |
- | 2 | - | - | 2 |
has 127.0.0.1 |
- | 2 | - | - | 2 |
has calc.exe |
- | 2 | - | - | 2 |
endswith 127.0.0.1 |
- | 2 | - | - | 2 |
has -a |
- | 2 | - | - | 2 |
has -nao |
- | 2 | - | - | 2 |
has -t |
- | 2 | - | - | 2 |
has /all |
- | 2 | - | - | 2 |
has_any E9495B87-D950-4AB5-87A5-FF6D70BF3E90 |
- | 1 | - | - | 1 |
has $true |
- | 1 | - | - | 1 |
has /IM |
- | 1 | - | - | 1 |
has Set-MpPreference |
- | 1 | - | - | 1 |
has Start |
- | 1 | - | - | 1 |
has config |
- | 1 | - | - | 1 |
has_all advfirewall |
- | 1 | - | - | 1 |
contains <script> |
- | 1 | - | - | 1 |
has confluence |
- | 1 | - | - | 1 |
dllhost.exe |
- | 1 | - | - | 1 |
endswith rundll32.exe |
- | 1 | - | - | 1 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
httpd.exe |
- | 3 | - | - | 3 |
w3wp.exe |
- | 3 | - | - | 3 |
dllhost.exe |
- | 2 | - | - | 2 |
startswith psexe |
- | 2 | - | - | 2 |
cmd.exe |
- | 2 | - | - | 2 |
beasvc.exe |
- | 2 | - | - | 2 |
startswith tomcat |
- | 2 | - | - | 2 |
excel.exe |
- | 2 | - | - | 2 |
outlook.exe |
- | 2 | - | - | 2 |
winword.exe |
- | 2 | - | - | 2 |
net.exe |
- | 2 | - | - | 2 |
explorer.exe |
- | 2 | - | - | 2 |
mobsync.exe |
- | 2 | - | - | 2 |
java.exe |
- | 2 | - | - | 2 |
oracle.exe |
- | 1 | - | - | 1 |
WDExpress.exe |
- | 1 | - | - | 1 |
devenv.exe |
- | 1 | - | - | 1 |
wsreset.exe |
- | 1 | - | - | 1 |
changepk.exe |
- | 1 | - | - | 1 |
netsh.exe |
- | 1 | - | - | 1 |
msiexec.exe |
- | 1 | - | - | 1 |
mshta.exe |
- | 1 | - | - | 1 |
rundll32.exe |
- | 1 | - | - | 1 |
wmiprvse.exe |
- | 1 | - | - | 1 |
solarwinds.businesslayerhost.exe |
- | 1 | - | - | 1 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
startswith C:\\Program Files (x86)\\Microsoft Visual Studio |
- | 1 | - | - | 1 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
beasvc.exe |
- | 2 | - | - | 2 |
httpd.exe |
- | 2 | - | - | 2 |
w3wp.exe |
- | 2 | - | - | 2 |
startswith tomcat |
- | 2 | - | - | 2 |
svchost.exe |
- | 1 | - | - | 1 |
slui.exe |
- | 1 | - | - | 1 |
!= cscript.exe |
- | 1 | - | - | 1 |
has spoolsv.exe |
- | 1 | - | - | 1 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
!= Android Studio |
- | 1 | - | - | 1 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
contains -ma |
- | 4 | - | - | 4 |
has -accepteula |
- | 4 | - | - | 4 |
has lsass |
- | 4 | - | - | 4 |
has certutil |
- | 3 | - | - | 3 |
!contains /add |
- | 3 | - | - | 3 |
has lsass.exe |
- | 2 | - | - | 2 |
has msexchange |
- | 2 | - | - | 2 |
has sql |
- | 2 | - | - | 2 |
has stop-service |
- | 2 | - | - | 2 |
contains %temp% |
- | 2 | - | - | 2 |
has ipconfig |
- | 2 | - | - | 2 |
has ping |
- | 2 | - | - | 2 |
has systeminfo |
- | 2 | - | - | 2 |
has timeout |
- | 2 | - | - | 2 |
has wget |
- | 2 | - | - | 2 |
has whoami |
- | 2 | - | - | 2 |
has /Upload |
- | 2 | - | - | 2 |
has_any /Transfer |
- | 2 | - | - | 2 |
has .jse |
- | 2 | - | - | 2 |
!contains /domain |
- | 2 | - | - | 2 |
has /w |
- | 2 | - | - | 2 |
has CL |
- | 2 | - | - | 2 |
has WEVTUTIL |
- | 2 | - | - | 2 |
has deletejournal |
- | 2 | - | - | 2 |
has usn |
- | 2 | - | - | 2 |
has http |
- | 2 | - | - | 2 |
has config |
- | 2 | - | - | 2 |
has disabled |
- | 2 | - | - | 2 |
has sc |
- | 2 | - | - | 2 |
!= msiexec.exe /V |
- | 1 | - | - | 1 |
has_any /exe |
- | 1 | - | - | 1 |
has_any out |
- | 1 | - | - | 1 |
has powershell.exe |
- | 1 | - | - | 1 |
has hklm |
- | 1 | - | - | 1 |
has sam |
- | 1 | - | - | 1 |
has save |
- | 1 | - | - | 1 |
!contains \\ |
- | 1 | - | - | 1 |
contains /do |
- | 1 | - | - | 1 |
contains /domain |
- | 1 | - | - | 1 |
contains group |
- | 1 | - | - | 1 |
contains user |
- | 1 | - | - | 1 |
has return |
- | 1 | - | - | 1 |
contains privilege:: |
- | 1 | - | - | 1 |
contains token:: |
- | 1 | - | - | 1 |
has sekurlsa |
- | 1 | - | - | 1 |
has DownloadFile |
- | 1 | - | - | 1 |
has IEX |
- | 1 | - | - | 1 |
has Invoke-Shellcode |
- | 1 | - | - | 1 |
has Invoke-WebRequest |
- | 1 | - | - | 1 |
has Net.WebClient |
- | 1 | - | - | 1 |
has Start-BitsTransfer |
- | 1 | - | - | 1 |
has mpcmdrun.exe |
- | 1 | - | - | 1 |
has cl |
- | 1 | - | - | 1 |
has delete |
- | 1 | - | - | 1 |
has shadowcopy delete |
- | 1 | - | - | 1 |
has wbadmin |
- | 1 | - | - | 1 |
has wevtutil |
- | 1 | - | - | 1 |
has wmic |
- | 1 | - | - | 1 |
has wmic computersystem get domain |
- | 1 | - | - | 1 |
has programdata |
- | 1 | - | - | 1 |
has_any whoami /all |
- | 1 | - | - | 1 |
has Set-MpPreference |
- | 1 | - | - | 1 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
High |
- | 3 | - | - | 3 |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊