Grouped by Detection Method
- mstsc.exe from an unexpected source user
- wscript.exe
- cscript.exe
- bitsadmin.exe
- Unexpected Process Names with network activity
- Processes Matching or Similar to System Processes in Unexpected Directories
- Newly observed Process
- Newly observed Port
- Newly observed Source Port
- Newly observed Source Port Name
- Newly observed Destination Port
- Newly observed Destnation Port Name
- Processes with Random Names
- Source System, Destination System, Protocol=UDP where Source System Count exceeds threshold
- Source System, Destination System, Protocol=UDP where Destination System Count exceeds threshold
- Source System, Protocol=TCP where Count exceeds threshold
- Destination System, Protocol=TCP where Count exceeds threshold
- Bytes In Total, Bytes Out Total, Bytes In/Out Ratio where Bytes In/Out Ratio exceeds threshold
- Connection Length where Connection Length exceeds threshold
- Sysmon Event ID 3