Hunt for web browser downloaded files: Sysmon: 15 (FileCreateStreamHash)
event.code:15 AND file.name:*filename.extensionWe can tie this to FileCreate events: Sysmon: 11
event.code:11 AND file.name:*filename.extensionWe can inspect network connections with: Sysmon: 3 (NetworkConnection)
event.code:3 AND host.hostname:MS01We if identified request resolve to a domain name
source.ip:<IP> AND dns.question.name:*Add relevant fields as columns
Check process creation events from identified executable/docs: Sysmon: 1
event.code:1 AND process.parent.name:"process.EXE"Pivot from discovered IOCs
event.code:1 AND process.parent.command_line:*script.bat*Inspect discovered process
process.pid:"1337" and process.name:"powershell.exe"Failed and successful logins from specific host
(event.code:4624 OR event.code:4625) AND winlog.event_data.LogonType:3 AND source.ip:<SOURCEIP>Search for registry persistence /UAC bypass
event.code:13 AND registry.path: (HKU\\*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\* OR HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\*)