Process activity - looking for exploration, collection and exfiltration activity by insider threat actors.
| Event Type | Description |
|---|---|
| Process Create - Sysmon | Anomalous application installation |
| Process Create - Sysmon | Anomalous chat client |
| Process Create - Sysmon | Anomalous FTP client |
| Process Create - Sysmon | Anomalous HTTP client |
| Process Create - Sysmon | Anomalous Network File Transfer |
| Process Create - Sysmon | Anomalous process |
| Process Create - Sysmon | Anomalous process calling database services |
| Process Create - Sysmon | Anomalous process calling file services |
| Process Create - Sysmon | Anomalous process reading listed file extensions |
| Process Create - Sysmon | Anomalous process reading listed file names |
| Process Create - Sysmon | Anomalous Process started from C:\Program Files |
| Process Create - Sysmon | Anomalous Process started from C:\Windows\ |
| Process Create - Sysmon | Anomalous RDP activity |
| Process Create - Sysmon | Anomalous SC client |
| Process Create - Sysmon | Anomalous script |
| Process Create - Sysmon | Anomalous SSH process |
| Process Create - Sysmon | Anomalous UNC connections |
| Process Create - Sysmon | Anomalous VPN activity |
| Process Create - Sysmon | CIFS activity outbound |
| Process Create - Sysmon | Clipboard activity in database client |
| Process Create - Sysmon | Clipboard activity in terminal emulator |
| Process Create - Sysmon | Device driver activity |
| Process Create - Sysmon | DLL module load by a browser |
| Process Create - Sysmon | FTP outbound |
| Process Create - Sysmon | Local database accepting connections |
| Process Create - Sysmon | Local web server accepting connections |
| Process Create - Sysmon | Network file upload |
| Process Create - Sysmon | Network file upload by a browser |
| Process Create - Sysmon | Network file upload by a email client |
| Process Create - Sysmon | Network file upload by anomalous process |
| Process Create - Sysmon | Network file upload from a UNC |
| Process Create - Sysmon | Network file upload, remote |
| Process Create - Sysmon | Non-HTTP connections outbound |
| Process Create - Sysmon | PDF editor activity |
| Process Create - Sysmon | PGP client activity |
| Process Create - Sysmon | Process started from C:\ directory |
| Process Create - Sysmon | Process started from Recycle Bin |
| Process Create - Sysmon | Process started from temp directories |
| Process Create - Sysmon | Process started from Temp directory |
| Process Create - Sysmon | Process started from UNC path |
| Process Create - Sysmon | Process started from user profile |
| Process Create - Sysmon | SC client outbound connection |
| Process Create - Sysmon | SSH outbound |
| Process Create - Sysmon | Suspicious CIFS client |
| Process Create - Sysmon | Text editor activity |
| Process Create - Sysmon | Unauthorized application |
| Process Create - Sysmon | Unauthorized chat client |
| Process Create - Sysmon | WinRAR activity |
| Process Create - Sysmon | Winzip activity |