How RansomHub Ransomware Uses EDRKillShifter to Disable EDR and Antivirus Protections

    Date: 09/25/2024

    Severity: Medium

    Summary

    RansomHub is recognized for its affiliate model and for employing techniques that disable or terminate endpoint detection and response (EDR) systems, allowing it to evade detection and maintain a foothold in compromised environments. Recently, our threat hunting team uncovered RansomHub's latest evasion method: the integration of EDRKillShifter into its attack chain. This discovery enabled us to investigate a recent incident using telemetry data from Trend Micro's Vision One.

    Indicators of Compromise (IOC) List

    URL/Domain

    http://82.147.85.52/Loader.exe

    Hash


    Commandlines

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    userdomainname like "http://82.147.85.52/Loader.exe" or url like "http://82.147.85.52/Loader.exe"

    Detection Query 2

    sha1hash IN ("de1241a592760cc1d850be8f41beebcd460b66ec","86cdb729094c013e411ac9b4c72485a55a629e5d","3b035da6c69f9b05868ffe55d7a267d098c6f290","77daf77d9d2a08cc22981c004689b870f74544b5","e187d58f59e0444f7ef9ddefec88d2b11b96e734","e38082ae727aeaef4f241a1920150fdf6f149106","bcdb721d5be41a9d61bee20a458ae748e023238f","8de2d38d33294586b4758599fdf65f1a265e013b","2d3a95e91449a366ccf56177a4542cc439635768","6764ddb2e5b18bf5d0c621f3078d7ac72865c1c3","189c638388acd0189fe164cf81e455e41d9629d6")

    Detection Query 3

    (resourcename in ("Windows Security") AND eventtype = "4688") AND winmessage IN ("HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers","HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers /f","HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default /va /f","muxencode","Windows.Globalization/Analytic","Windows PowerShell","Windows Networking Vpn Plugin Platform/OperationalVerbose","Windows Networking Vpn Plugin Platform/Operational","WMPSyncEngine","WMPSetup","WINDOWS_wmvdecod_CHANNEL","WINDOWS_WMPHOTO_CHANNEL","WINDOWS_VC1ENC_CHANNEL","WINDOWS_MSMPEG2VDEC_CHANNEL","WINDOWS_MP4SDECD_CHANNEL","WINDOWS_MFH264Enc_CHANNEL","WINDOWS_KS_CHANNEL","UIManager_Channel","TimeBroker","TabletPC_InputPanel_Channel/IHM","TabletPC_InputPanel_Channel","SystemEventsBroker","System","SmbWmiAnalytic","Setup","Security","SMSApi","RTWorkQueueTheading","RTWorkQueueExtended","Physical_Keyboard_Manager_Channel","PICAgentLog","OSK_SoftKeyboard_Channel","Network Isolation Operational","Navigator","NIS-Driver-WFP/Diagnostic","Microsoft-WindowsPhone-LocationServiceProvider/Debug","Microsoft-Windows-stobject/Diagnostic","Microsoft-Windows-osk/Diagnostic","Microsoft-Windows-ntshrui-perf","Microsoft-Windows-ntshrui","Microsoft-Windows-mobsync/Diagnostic","Microsoft-Windows-glcnd/Diagnostic","Microsoft-Windows-glcnd/Debug","Microsoft-Windows-glcnd/Admin","Microsoft-Windows-XAudio2/Performance","Microsoft-Windows-XAudio2/Debug","Microsoft-Windows-XAML/Default","Microsoft-Windows-XAML-Diagnostics/Default","Microsoft-Windows-Workplace Join/Admin","Microsoft-Windows-Wordpad/Diagnostic","Microsoft-Windows-Wordpad/Debug","Microsoft-Windows-Wordpad/Admin","Microsoft-Windows-Wired-AutoConfig/Operational","Microsoft-Windows-Wired-AutoConfig/Diagnostic","Microsoft-Windows-Winsrv/Analytic","Microsoft-Windows-Winsock-WS2HELP/Operational","Microsoft-Windows-Winsock-NameResolution/Operational","Microsoft-Windows-Winsock-AFD/Operational","Microsoft-Windows-Winlogon/Operational","Microsoft-Windows-Winlogon/Diagnostic","Microsoft-Windows-Wininit/Diagnostic","Microsoft-Windows-WindowsUpdateClient/Operational","Microsoft-Windows-WindowsUpdateClient/Analytic","Microsoft-Windows-WindowsUIImmersive/Operational","Microsoft-Windows-WindowsUIImmersive/Diagnostic","Microsoft-Windows-WindowsSystemAssessmentTool/Tracing","Microsoft-Windows-WindowsSystemAssessmentTool/Operational","Microsoft-Windows-WindowsColorSystem/Operational","Microsoft-Windows-WindowsColorSystem/Debug","Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose","Microsoft-Windows-Windows Firewall With Advanced Security/Firewall","Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose","Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity","Microsoft-Windows-Windows Defender/WHC","Microsoft-Windows-Windows Defender/Operational","Microsoft-Windows-Windeploy/Analytic","Microsoft-Windows-WinURLMon/Analytic","Microsoft-Windows-WinRM/Operational","Microsoft-Windows-WinRM/Debug","Microsoft-Windows-WinRM/Analytic","Microsoft-Windows-WinNat/Trace","Microsoft-Windows-WinNat/Oper","Microsoft-Windows-WinMDE/MDE","Microsoft-Windows-WinINet/WebSocket","Microsoft-Windows-WinINet/UsageLog","Microsoft-Windows-WinINet/Analytic","Microsoft-Windows-WinINet-Config/ProxyConfigChanged","Microsoft-Windows-WinINet-Capture/Analytic","Microsoft-Windows-WinHttp/Diagnostic","Microsoft-Windows-WinHTTP-NDF/Diagnostic","Microsoft-Windows-Win32k/UIPI","Microsoft-Windows-Win32k/Tracing","Microsoft-Windows-Win32k/Render","Microsoft-Windows-Win32k/Power","Microsoft-Windows-Win32k/Operational","Microsoft-Windows-Win32k/Messages","Microsoft-Windows-Win32k/Contention","Microsoft-Windows-Win32k/Concurrency","Microsoft-Windows-Websocket-Protocol-Component/Tracing","Microsoft-Windows-WebcamProvider/Analytic","Microsoft-Windows-WebServices/Tracing","Microsoft-Windows-WebIO/Diagnostic","Microsoft-Windows-WebIO-NDF/Diagnostic","Microsoft-Windows-WebAuth/Operational","Microsoft-Windows-Wcmsvc/Operational","Microsoft-Windows-Wcmsvc/Diagnostic","Microsoft-Windows-WWAN-NDISUIO-EVENTS/Diagnostic","Microsoft-Windows-WUSA/Debug","Microsoft-Windows-WPD-MTPUS/Analytic","Microsoft-Windows-WPD-MTPIP/Analytic","Microsoft-Windows-WPD-MTPClassDriver/Operational","Microsoft-Windows-WPD-MTPClassDriver/Analytic","Microsoft-Windows-WPD-MTPBT/Analytic","Microsoft-Windows-WPD-CompositeClassDriver/Operational","Microsoft-Windows-WPD-CompositeClassDriver/Analytic","Microsoft-Windows-WPD-ClassInstaller/Operational","Microsoft-Windows-WPD-ClassInstaller/Analytic","Microsoft-Windows-WPD-API/Analytic","Microsoft-Windows-WMPDMCUI/Diagnostic","Microsoft-Windows-WMI-Activity/Trace","Microsoft-Windows-WMI-Activity/Operational","Microsoft-Windows-WMI-Activity/Debug","Microsoft-Windows-WLANConnectionFlow/Diagnostic","Microsoft-Windows-WLAN-MediaManager/Diagnostic","Microsoft-Windows-WFP/Operational","Microsoft-Windows-WFP/Analytic","Microsoft-Windows-WEPHOSTSVC/Operational","Microsoft-Windows-WCNWiz/Analytic","Microsoft-Windows-WCN-Config-Registrar/Diagnostic","Microsoft-Windows-WABSyncProvider/Analytic","Microsoft-Windows-VolumeSnapshot-Driver/Operational","Microsoft-Windows-VolumeSnapshot-Driver/Analytic","Microsoft-Windows-VolumeControl/Performance","Microsoft-Windows-Volume/Diagnostic","Microsoft-Windows-VerifyHardwareSecurity/Operational","Microsoft-Windows-VerifyHardwareSecurity/Admin","Microsoft-Windows-VPN/Operational","Microsoft-Windows-VPN-Client/Operational","Microsoft-Windows-VHDMP-Operational","Microsoft-Windows-VHDMP-Analytic","Microsoft-Windows-VDRVROOT/Operational","Microsoft-Windows-VAN/Diagnostic","Microsoft-Windows-UxTheme/Diagnostic","Microsoft-Windows-UxInit/Diagnostic","Microsoft-Windows-UserPnp/SchedulerOperations","Microsoft-Windows-UserPnp/Performance","Microsoft-Windows-UserPnp/DeviceMetadata/Debug","Microsoft-Windows-UserPnp/DeviceInstall","Microsoft-Windows-UserPnp/ActionCenter","Microsoft-Windows-UserModePowerService/Diagnostic","Microsoft-Windows-UserAccountControl/Diagnostic","Microsoft-Windows-User-Loader/Operational","Microsoft-Windows-User-Loader/Analytic","Microsoft-Windows-User Profile Service/Operational","Microsoft-Windows-User Profile Service/Diagnostic","Microsoft-Windows-User Device Registration/Debug","Microsoft-Windows-User Device Registration/Admin","Microsoft-Windows-User Control Panel/Operational","Microsoft-Windows-User Control Panel/Diagnostic","Microsoft-Windows-User Control Panel Usage/Diagnostic","Microsoft-Windows-User Control Panel Performance/Diagnostic","Microsoft-Windows-Usbstor/Analytic","Microsoft-Windows-UniversalTelemetryClient/Operational","Microsoft-Windows-USB-USBXHCI-Analytic","Microsoft-Windows-USB-USBPORT/Diagnostic","Microsoft-Windows-USB-USBHUB3-Analytic","Microsoft-Windows-USB-USBHUB/Diagnostic","Microsoft-Windows-USB-UCX-Analytic","Microsoft-Windows-UIRibbon/Diagnostic","Microsoft-Windows-UIAutomationCore/Perf","Microsoft-Windows-UIAutomationCore/Diagnostic","Microsoft-Windows-UIAutomationCore/Debug","Microsoft-Windows-UIAnimation/Diagnostic","Microsoft-Windows-UI-Shell/Diagnostic","Microsoft-Windows-UAC/Operational","Microsoft-Windows-UAC-FileVirtualization/Operational","Microsoft-Windows-TunnelDriver","Microsoft-Windows-Threat-Intelligence/Analytic","Microsoft-Windows-ThemeUI/Diagnostic","Microsoft-Windows-ThemeCPL/Diagnostic","Microsoft-Windows-Tethering-Manager/Analytic","Microsoft-Windows-TerminalServices-SessionBroker-Client/Operational","Microsoft-Windows-TerminalServices-SessionBroker-Client/Debug","Microsoft-Windows-TerminalServices-SessionBroker-Client/Analytic","Microsoft-Windows-TerminalServices-SessionBroker-Client/Admin","Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational","Microsoft-Windows-TerminalServices-ServerUSBDevices/Debug","Microsoft-Windows-TerminalServices-ServerUSBDevices/Analytic","Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin","Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational","Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug","Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic","Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin","Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback","Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture","Microsoft-Windows-TerminalServices-RDPClient/Operational","Microsoft-Windows-TerminalServices-RDPClient/Debug","Microsoft-Windows-TerminalServices-RDPClient/Analytic","Microsoft-Windows-TerminalServices-Printer
s/Operational","Microsoft-Windows-TerminalServices-Printers/Debug","Microsoft-Windows-TerminalServices-Printers/Analytic","Microsoft-Windows-TerminalServices-Printers/Admin","Microsoft-Windows-TerminalServices-PnPDevices/Operational","Microsoft-Windows-TerminalServices-PnPDevices/Debug","Microsoft-Windows-TerminalServices-PnPDevices/Analytic","Microsoft-Windows-TerminalServices-PnPDevices/Admin","Microsoft-Windows-TerminalServices-MediaRedirection/Analytic","Microsoft-Windows-TerminalServices-LocalSessionManager/Operational","Microsoft-Windows-TerminalServices-LocalSessionManager/Debug","Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic","Microsoft-Windows-TerminalServices-LocalSessionManager/Admin","Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational","Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug","Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic","Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin","Microsoft-Windows-TaskbarCPL/Diagnostic","Microsoft-Windows-TaskScheduler/Operational","Microsoft-Windows-TaskScheduler/Maintenance","Microsoft-Windows-TaskScheduler/Diagnostic","Microsoft-Windows-TaskScheduler/Debug","Microsoft-Windows-TZUtil/Operational","Microsoft-Windows-TZSync/Operational","Microsoft-Windows-TZSync/Analytic","Microsoft-Windows-TWinUI/Operational","Microsoft-Windows-TWinUI/Diagnostic","Microsoft-Windows-TWinAPI/Diagnostic","Microsoft-Windows-TTS/Diagnostic","Microsoft-Windows-TSF-msutb/Diagnostic","Microsoft-Windows-TSF-msutb/Debug","Microsoft-Windows-TSF-msctf/Diagnostic","Microsoft-Windows-TSF-msctf/Debug","Microsoft-Windows-TCPIP/Operational","Microsoft-Windows-TCPIP/Diagnostic","Microsoft-Windows-SystemSettingsThreshold/Operational","Microsoft-Windows-SystemSettingsThreshold/Diagnostic","Microsoft-Windows-SystemSettingsThreshold/Debug","Microsoft-Windows-System-Profile-HardwareId/Diagnostic","Microsoft-Windows-Sysprep/Analytic","Microsoft-Windows-Superfetch/StoreLog","Microsoft-Windows-S
uperfetch/PfApLog","Microsoft-Windows-Superfetch/Main","Microsoft-Windows-Subsys-SMSS/Operational","Microsoft-Windows-Subsys-Csr/Operational","Microsoft-Windows-Store/Operational","Microsoft-Windows-StorageSpaces-SpaceManager/Operational","Microsoft-Windows-StorageSpaces-SpaceManager/Diagnostic","Microsoft-Windows-StorageSpaces-ManagementAgent/WHC","Microsoft-Windows-StorageSpaces-Driver/Performance","Microsoft-Windows-StorageSpaces-Driver/Operational","Microsoft-Windows-StorageSpaces-Driver/Diagnostic","Microsoft-Windows-StorageManagement/Operational","Microsoft-Windows-StorageManagement/Debug","Microsoft-Windows-Storage-Tiering/Admin","Microsoft-Windows-Storage-Tiering-IoHeat/Heat","Microsoft-Windows-Storage-Storport/Operational","Microsoft-Windows-Storage-Storport/Diagnose","Microsoft-Windows-Storage-Storport/Debug","Microsoft-Windows-Storage-Storport/Analytic","Microsoft-Windows-Storage-Storport/Admin","Microsoft-Windows-Storage-Disk/Operational","Microsoft-Windows-Storage-Disk/Diagnose","Microsoft-Windows-Storage-Disk/Debug","Microsoft-Windows-Storage-Disk/Analytic","Microsoft-Windows-Storage-Disk/Admin","Microsoft-Windows-Storage-ClassPnP/Operational","Microsoft-Windows-Storage-ClassPnP/Diagnose","Microsoft-Windows-Storage-ClassPnP/Debug","Microsoft-Windows-Storage-ClassPnP/Analytic","Microsoft-Windows-Storage-ClassPnP/Admin","Microsoft-Windows-Storage-ATAPort/Operational","Microsoft-Windows-Storage-ATAPort/Diagnose","Microsoft-Windows-Storage-ATAPort/Debug","Microsoft-Windows-Storage-ATAPort/Analytic","Microsoft-Windows-Storage-ATAPort/Admin","Microsoft-Windows-StorPort/Operational","Microsoft-Windows-StorDiag/Operational","Microsoft-Windows-StateRepository/Restricted","Microsoft-Windows-StateRepository/Operational","Microsoft-Windows-StateRepository/Diagnostic","Microsoft-Windows-StateRepository/Debug","Microsoft-Windows-SrumTelemetry","Microsoft-Windows-Spellchecking-Host/Analytic","Microsoft-Windows-SpellChecker/Analytic","Microsoft-Windows-Spell-Checking/
Analytic","Microsoft-Windows-Speech-UserExperience/Diagnostic","Microsoft-Windows-SmbClient/Security","Microsoft-Windows-SmbClient/Diagnostic","Microsoft-Windows-SmbClient/Connectivity","Microsoft-Windows-SmartCard-TPM-VCard-Module/Operational","Microsoft-Windows-SmartCard-TPM-VCard-Module/Admin","Microsoft-Windows-SmartCard-DeviceEnum/Operational","Microsoft-Windows-SmartCard-Audit/Authentication","Microsoft-Windows-SleepStudy/Diagnostic","Microsoft-Windows-SilProvider/Operational","Microsoft-Windows-SilProvider/Debug","Microsoft-Windows-Shsvcs/Diagnostic","Microsoft-Windows-Shell-ZipFolder/Diagnostic","Microsoft-Windows-Shell-Shwebsvc","Microsoft-Windows-Shell-Search-UriHandler","Microsoft-Windows-Shell-OpenWith/Diagnostic","Microsoft-Windows-Shell-LockScreenContent/Diagnostic","Microsoft-Windows-Shell-DefaultPrograms/Diagnostic","Microsoft-Windows-Shell-Core/Operational","Microsoft-Windows-Shell-Core/LogonTasksChannel","Microsoft-Windows-Shell-Core/Diagnostic","Microsoft-Windows-Shell-Core/AppDefaults","Microsoft-Windows-Shell-Core/ActionCenter","Microsoft-Windows-Shell-ConnectedAccountState/ActionCenter","Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic","Microsoft-Windows-Shell-AuthUI-LogonUI/Diagnostic","Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic","Microsoft-Windows-Shell-AuthUI-CredentialProviderUser/Diagnostic","Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic","Microsoft-Windows-Shell-AuthUI-Common/Diagnostic","Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic","Microsoft-Windows-Shell-AppWizCpl/Diagnostic","Microsoft-Windows-SetupUGC/Analytic","Microsoft-Windows-SetupQueue/Analytic","Microsoft-Windows-SetupPlatform/Analytic","Microsoft-Windows-SetupCl/Analytic","Microsoft-Windows-Setup/Analytic","Microsoft-Windows-SettingSync/VerboseDebug","Microsoft-Windows-SettingSync/Operational","Microsoft-Windows-SettingSync/Debug","Microsoft-Windows-SettingSync/Analytic","Microsoft-Windows-SettingSync-Azure/Operational","Microsoft-Windows-SettingSync-Azure/De
bug","Microsoft-Windows-Servicing/Debug","Microsoft-Windows-Services/Diagnostic","Microsoft-Windows-Services-Svchost/Diagnostic","Microsoft-Windows-ServiceReportingApi/Debug","Microsoft-Windows-ServerManager-MultiMachine/Operational","Microsoft-Windows-ServerManager-MultiMachine/Debug","Microsoft-Windows-ServerManager-MultiMachine/Admin","Microsoft-Windows-ServerManager-MgmtProvider/Operational","Microsoft-Windows-ServerManager-MgmtProvider/Debug","Microsoft-Windows-ServerManager-DeploymentProvider/Operational","Microsoft-Windows-ServerManager-DeploymentProvider/Debug","Microsoft-Windows-ServerManager-ConfigureSMRemoting/Operational","Microsoft-Windows-ServerManager-ConfigureSMRemoting/Debug","Microsoft-Windows-ServerEssentials-Deployment/Deploy","Microsoft-Windows-Serial-ClassExtension/Analytic","Microsoft-Windows-Serial-ClassExtension-V2/Analytic","Microsoft-Windows-Sensors/Performance","Microsoft-Windows-Sensors/Debug","Microsoft-Windows-Sens/Debug","Microsoft-Windows-SendTo/Diagnostic","Microsoft-Windows-Security-Vault/Performance","Microsoft-Windows-Security-UserConsentVerifier/Audit","Microsoft-Windows-Security-SPP/Perf","Microsoft-Windows-Security-SPP-UX/Analytic","Microsoft-Windows-Security-SPP-UX-Notifications/ActionCenter","Microsoft-Windows-Security-SPP-UX-GenuineCenter-Logging/Operational","Microsoft-Windows-Security-SPP-UX-GC/Analytic","Microsoft-Windows-Security-Netlogon/Operational","Microsoft-Windows-Security-Mitigations/UserMode","Microsoft-Windows-Security-Mitigations/KernelMode","Microsoft-Windows-Security-IdentityStore/Performance","Microsoft-Windows-Security-IdentityListener/Operational","Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Performance","Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Operational","Microsoft-Windows-Security-EnterpriseData-FileRevocationManager/Operational","Microsoft-Windows-Security-Audit-Configuration-Client/Operational","Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic","Micros
oft-Windows-SearchUI/Operational","Microsoft-Windows-SearchUI/Diagnostic","Microsoft-Windows-Search-ProtocolHandlers/Diagnostic","Microsoft-Windows-Search-Core/Diagnostic","Microsoft-Windows-Sdstor/Analytic","Microsoft-Windows-Sdbus/Debug","Microsoft-Windows-Sdbus/Analytic","Microsoft-Windows-ScmDisk0101/Operational","Microsoft-Windows-ScmDisk0101/Diagnostic","Microsoft-Windows-ScmDisk0101/Analytic","Microsoft-Windows-ScmBus/Operational","Microsoft-Windows-ScmBus/Diagnose","Microsoft-Windows-ScmBus/Certification","Microsoft-Windows-ScmBus/Analytic","Microsoft-Windows-Schannel-Events/Perf","Microsoft-Windows-SPB-HIDI2C/Analytic","Microsoft-Windows-SPB-ClassExtension/Analytic","Microsoft-Windows-SMBWitnessClient/Informational","Microsoft-Windows-SMBWitnessClient/Admin","Microsoft-Windows-SMBServer/Security","Microsoft-Windows-SMBServer/Performance","Microsoft-Windows-SMBServer/Operational","Microsoft-Windows-SMBServer/Diagnostic","Microsoft-Windows-SMBServer/Connectivity","Microsoft-Windows-SMBServer/Audit","Microsoft-Windows-SMBServer/Analytic","Microsoft-Windows-SMBDirect/Netmon","Microsoft-Windows-SMBDirect/Debug","Microsoft-Windows-SMBDirect/Admin","Microsoft-Windows-SMBClient/Operational","Microsoft-Windows-SMBClient/ObjectStateDiagnostic","Microsoft-Windows-SMBClient/HelperClassDiagnostic","Microsoft-Windows-SMBClient/Analytic","Microsoft-Windows-SDDC-Management/Operational","Microsoft-Windows-SDDC-Management/Admin","Microsoft-Windows-Runtime/Error","Microsoft-Windows-Runtime/CreateInstance","Microsoft-Windows-Runtime-Windows-Media/WinRTTranscode","Microsoft-Windows-Runtime-Windows-Media/WinRTMediaStreamSource","Microsoft-Windows-Runtime-Windows-Media/WinRTCaptureEngine","Microsoft-Windows-Runtime-WebAPI/Tracing","Microsoft-Windows-Runtime-Web-Http/Tracing","Microsoft-Windows-Runtime-Networking/Tracing","Microsoft-Windows-Runtime-Networking-BackgroundTransfer/Tracing","Microsoft-Windows-Runtime-Graphics/Analytic","Microsoft-Windows-RestartManager/Operational","M
icrosoft-Windows-ResourcePublication/Tracing","Microsoft-Windows-Resource-Exhaustion-Resolver/Operational","Microsoft-Windows-Resource-Exhaustion-Detector/Operational","Microsoft-Windows-ResetEng-Trace/Diagnostic","Microsoft-Windows-Remotefs-Rdbss/Operational","Microsoft-Windows-Remotefs-Rdbss/Diagnostic","Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational","Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-User-Mode-Transport/Debug","Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-Kernel-Mode-Transport/Debug","Microsoft-Windows-RemoteDesktopServices-RemoteFX-Synth3dvsc/Admin","Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational","Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Debug","Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin","Microsoft-Windows-RemoteApp and Desktop Connections/Operational","Microsoft-Windows-RemoteApp and Desktop Connections/Admin","Microsoft-Windows-Regsvr32/Operational","Microsoft-Windows-ReadyBoost/Operational","Microsoft-Windows-ReadyBoost/Analytic","Microsoft-Windows-ReFS/Operational","Microsoft-Windows-RasAgileVpn/Operational","Microsoft-Windows-RasAgileVpn/Debug","Microsoft-Windows-Ras-NdisWanPacketCapture/Diagnostic","Microsoft-Windows-RadioManager/Analytic","Microsoft-Windows-RRAS/Operational","Microsoft-Windows-RRAS/Debug","Microsoft-Windows-RPC/EEInfo","Microsoft-Windows-RPC/Debug","Microsoft-Windows-RPC-Proxy/Debug","Microsoft-Windows-QoS-qWAVE/Debug","Microsoft-Windows-QoS-Pacer/Diagnostic","Microsoft-Windows-PushNotification-Platform/Operational","Microsoft-Windows-PushNotification-Platform/Debug","Microsoft-Windows-PushNotification-Platform/Admin","Microsoft-Windows-PushNotification-InProc/Debug","Microsoft-Windows-PushNotification-Developer/Debug","Microsoft-Windows-Proximity-Common/Performance","Microsoft-Windows-Proximity-Common/Informational","Microsoft-Windows-Proximity-Common/Diagnostic","Microsoft-Windows-Program-Compatibility-Assistant/CompatAfterUpgrade","Microsoft-Windows-P
rogram-Compatibility-Assistant/Analytic","Microsoft-Windows-ProcessStateManager/Diagnostic","Microsoft-Windows-PrintService/Operational","Microsoft-Windows-PrintService/Debug","Microsoft-Windows-PrintService/Admin","Microsoft-Windows-PrintService-USBMon/Debug","Microsoft-Windows-PrintDialogs3D/Analytic","Microsoft-Windows-PrintDialogs/Analytic","Microsoft-Windows-PrintBRM/Admin","Microsoft-Windows-PrimaryNetworkIcon/Performance","Microsoft-Windows-PowerShell/Operational","Microsoft-Windows-PowerShell/Debug","Microsoft-Windows-PowerShell/Analytic","Microsoft-Windows-PowerShell/Admin","Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational","Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Debug","Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Analytic","Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic","Microsoft-Windows-PowerCpl/Diagnostic","Microsoft-Windows-PowerCfg/Diagnostic","Microsoft-Windows-Power-Meter-Polling/Diagnostic","Microsoft-Windows-PortableDeviceSyncProvider/Analytic","Microsoft-Windows-PortableDeviceStatusProvider/Analytic","Microsoft-Windows-Policy/Operational","Microsoft-Windows-Policy/Analytic","Microsoft-Windows-PlayToManager/Analytic","Microsoft-Windows-PhotoAcq/Analytic","Microsoft-Windows-PerceptionSensorDataService/Operational","Microsoft-Windows-PerceptionRuntime/Operational","Microsoft-Windows-Partition/Diagnostic","Microsoft-Windows-Partition/Analytic","Microsoft-Windows-PackageStateRoaming/Operational","Microsoft-Windows-PackageStateRoaming/Debug","Microsoft-Windows-PackageStateRoaming/Analytic","Microsoft-Windows-PCI/Diagnostic","Microsoft-Windows-OtpCredentialProvider/Operational","Microsoft-Windows-OobeLdr/Analytic","Microsoft-Windows-OneX/Operational","Microsoft-Windows-OneX/Diagnostic","Microsoft-Windows-OneBackup/Debug","Microsoft-Windows-OfflineFiles/SyncLog","Microsoft-Windows-OfflineFiles/Operational","Microsoft-Windows-OfflineFiles/Deb
ug","Microsoft-Windows-OfflineFiles/Analytic","Microsoft-Windows-OOBE-Machine-Plugins/Diagnostic","Microsoft-Windows-OOBE-Machine-Plugins-Wireless/Diagnostic","Microsoft-Windows-OOBE-Machine-DUI/Operational","Microsoft-Windows-OOBE-Machine-DUI/Diagnostic","Microsoft-Windows-OOBE-Machine-Core/Diagnostic","Microsoft-Windows-OOBE-FirstLogonAnim/Diagnostic")

    Detection Query 4

    (technologygroup = "EDR" ) AND winmessage IN ("HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers","HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers /f","HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default /va /f","muxencode","Windows.Globalization/Analytic","Windows PowerShell","Windows Networking Vpn Plugin Platform/OperationalVerbose","Windows Networking Vpn Plugin Platform/Operational","WMPSyncEngine","WMPSetup","WINDOWS_wmvdecod_CHANNEL","WINDOWS_WMPHOTO_CHANNEL","WINDOWS_VC1ENC_CHANNEL","WINDOWS_MSMPEG2VDEC_CHANNEL","WINDOWS_MP4SDECD_CHANNEL","WINDOWS_MFH264Enc_CHANNEL","WINDOWS_KS_CHANNEL","UIManager_Channel","TimeBroker","TabletPC_InputPanel_Channel/IHM","TabletPC_InputPanel_Channel","SystemEventsBroker","System","SmbWmiAnalytic","Setup","Security","SMSApi","RTWorkQueueTheading","RTWorkQueueExtended","Physical_Keyboard_Manager_Channel","PICAgentLog","OSK_SoftKeyboard_Channel","Network Isolation Operational","Navigator","NIS-Driver-WFP/Diagnostic","Microsoft-WindowsPhone-LocationServiceProvider/Debug","Microsoft-Windows-stobject/Diagnostic","Microsoft-Windows-osk/Diagnostic","Microsoft-Windows-ntshrui-perf","Microsoft-Windows-ntshrui","Microsoft-Windows-mobsync/Diagnostic","Microsoft-Windows-glcnd/Diagnostic","Microsoft-Windows-glcnd/Debug","Microsoft-Windows-glcnd/Admin","Microsoft-Windows-XAudio2/Performance","Microsoft-Windows-XAudio2/Debug","Microsoft-Windows-XAML/Default","Microsoft-Windows-XAML-Diagnostics/Default","Microsoft-Windows-Workplace Join/Admin","Microsoft-Windows-Wordpad/Diagnostic","Microsoft-Windows-Wordpad/Debug","Microsoft-Windows-Wordpad/Admin","Microsoft-Windows-Wired-AutoConfig/Operational","Microsoft-Windows-Wired-AutoConfig/Diagnostic","Microsoft-Windows-Winsrv/Analytic","Microsoft-Windows-Winsock-WS2HELP/Operational","Microsoft-Windows-Winsock-NameResolution/Operational","Microsoft-Windows-Winsock-AFD/Operational","Microsoft-Windows-Winlogon/Operational","Microsoft-Windows-Winlogon/Diagnostic","Microsoft-Windows-Wininit/Diagnostic","Microsoft-Windows-WindowsUpdateClient/Operational","Microsoft-Windows-WindowsUpdateClient/Analytic","Microsoft-Windows-WindowsUIImmersive/Operational","Microsoft-Windows-WindowsUIImmersive/Diagnostic","Microsoft-Windows-WindowsSystemAssessmentTool/Tracing","Microsoft-Windows-WindowsSystemAssessmentTool/Operational","Microsoft-Windows-WindowsColorSystem/Operational","Microsoft-Windows-WindowsColorSystem/Debug","Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose","Microsoft-Windows-Windows Firewall With Advanced Security/Firewall","Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose","Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity","Microsoft-Windows-Windows Defender/WHC","Microsoft-Windows-Windows Defender/Operational","Microsoft-Windows-Windeploy/Analytic","Microsoft-Windows-WinURLMon/Analytic","Microsoft-Windows-WinRM/Operational","Microsoft-Windows-WinRM/Debug","Microsoft-Windows-WinRM/Analytic","Microsoft-Windows-WinNat/Trace","Microsoft-Windows-WinNat/Oper","Microsoft-Windows-WinMDE/MDE","Microsoft-Windows-WinINet/WebSocket","Microsoft-Windows-WinINet/UsageLog","Microsoft-Windows-WinINet/Analytic","Microsoft-Windows-WinINet-Config/ProxyConfigChanged","Microsoft-Windows-WinINet-Capture/Analytic","Microsoft-Windows-WinHttp/Diagnostic","Microsoft-Windows-WinHTTP-NDF/Diagnostic","Microsoft-Windows-Win32k/UIPI","Microsoft-Windows-Win32k/Tracing","Microsoft-Windows-Win32k/Render","Microsoft-Windows-Win32k/Power","Microsoft-Windows-Win32k/Operational","Microsoft-Windows-Win32k/Messages","Microsoft-Windows-Win32k/Contention","Microsoft-Windows-Win32k/Concurrency","Microsoft-Windows-Websocket-Protocol-Component/Tracing","Microsoft-Windows-WebcamProvider/Analytic","Microsoft-Windows-WebServices/Tracing","Microsoft-Windows-WebIO/Diagnostic","Microsoft-Windows-WebIO-NDF/Diagnostic","Microsoft-Windows-WebAuth/Operational","Microsoft-Windows-Wcmsvc/Operational","Microsoft-Windows-Wcmsvc/Diagnostic","Microsoft-Windows-WWAN-NDISUIO-EVENTS/Diagnostic","Microsoft-Windows-WUSA/Debug","Microsoft-Windows-WPD-MTPUS/Analytic","Microsoft-Windows-WPD-MTPIP/Analytic","Microsoft-Windows-WPD-MTPClassDriver/Operational","Microsoft-Windows-WPD-MTPClassDriver/Analytic","Microsoft-Windows-WPD-MTPBT/Analytic","Microsoft-Windows-WPD-CompositeClassDriver/Operational","Microsoft-Windows-WPD-CompositeClassDriver/Analytic","Microsoft-Windows-WPD-ClassInstaller/Operational","Microsoft-Windows-WPD-ClassInstaller/Analytic","Microsoft-Windows-WPD-API/Analytic","Microsoft-Windows-WMPDMCUI/Diagnostic","Microsoft-Windows-WMI-Activity/Trace","Microsoft-Windows-WMI-Activity/Operational","Microsoft-Windows-WMI-Activity/Debug","Microsoft-Windows-WLANConnectionFlow/Diagnostic","Microsoft-Windows-WLAN-MediaManager/Diagnostic","Microsoft-Windows-WFP/Operational","Microsoft-Windows-WFP/Analytic","Microsoft-Windows-WEPHOSTSVC/Operational","Microsoft-Windows-WCNWiz/Analytic","Microsoft-Windows-WCN-Config-Registrar/Diagnostic","Microsoft-Windows-WABSyncProvider/Analytic","Microsoft-Windows-VolumeSnapshot-Driver/Operational","Microsoft-Windows-VolumeSnapshot-Driver/Analytic","Microsoft-Windows-VolumeControl/Performance","Microsoft-Windows-Volume/Diagnostic","Microsoft-Windows-VerifyHardwareSecurity/Operational","Microsoft-Windows-VerifyHardwareSecurity/Admin","Microsoft-Windows-VPN/Operational","Microsoft-Windows-VPN-Client/Operational","Microsoft-Windows-VHDMP-Operational","Microsoft-Windows-VHDMP-Analytic","Microsoft-Windows-VDRVROOT/Operational","Microsoft-Windows-VAN/Diagnostic","Microsoft-Windows-UxTheme/Diagnostic","Microsoft-Windows-UxInit/Diagnostic","Microsoft-Windows-UserPnp/SchedulerOperations","Microsoft-Windows-UserPnp/Performance","Microsoft-Windows-UserPnp/DeviceMetadata/Debug","Microsoft-Windows-UserPnp/DeviceInstall","Microsoft-Windows-UserPnp/ActionCenter","Microsoft-Windows-UserModePowerService/Diagnostic","Microsoft-Windows-UserAccountControl/Diagnostic","Microsoft-Windows-User-Loader/Operational","Microsoft-Windows-User-Loader/Analytic","Microsoft-Windows-User Profile Service/Operational","Microsoft-Windows-User Profile Service/Diagnostic","Microsoft-Windows-User Device Registration/Debug","Microsoft-Windows-User Device Registration/Admin","Microsoft-Windows-User Control Panel/Operational","Microsoft-Windows-User Control Panel/Diagnostic","Microsoft-Windows-User Control Panel Usage/Diagnostic","Microsoft-Windows-User Control Panel Performance/Diagnostic","Microsoft-Windows-Usbstor/Analytic","Microsoft-Windows-UniversalTelemetryClient/Operational","Microsoft-Windows-USB-USBXHCI-Analytic","Microsoft-Windows-USB-USBPORT/Diagnostic","Microsoft-Windows-USB-USBHUB3-Analytic","Microsoft-Windows-USB-USBHUB/Diagnostic","Microsoft-Windows-USB-UCX-Analytic","Microsoft-Windows-UIRibbon/Diagnostic","Microsoft-Windows-UIAutomationCore/Perf","Microsoft-Windows-UIAutomationCore/Diagnostic","Microsoft-Windows-UIAutomationCore/Debug","Microsoft-Windows-UIAnimation/Diagnostic","Microsoft-Windows-UI-Shell/Diagnostic","Microsoft-Windows-UAC/Operational","Microsoft-Windows-UAC-FileVirtualization/Operational","Microsoft-Windows-TunnelDriver","Microsoft-Windows-Threat-Intelligence/Analytic","Microsoft-Windows-ThemeUI/Diagnostic","Microsoft-Windows-ThemeCPL/Diagnostic","Microsoft-Windows-Tethering-Manager/Analytic","Microsoft-Windows-TerminalServices-SessionBroker-Client/Operational","Microsoft-Windows-TerminalServices-SessionBroker-Client/Debug","Microsoft-Windows-TerminalServices-SessionBroker-Client/Analytic","Microsoft-Windows-TerminalServices-SessionBroker-Client/Admin","Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational","Microsoft-Windows-TerminalServices-ServerUSBDevices/Debug","Microsoft-Windows-TerminalServices-ServerUSBDevices/Analytic","Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin","Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational","Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug","Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic","Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin","Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback","Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture","Microsoft-Windows-TerminalServices-RDPClient/Operational","Microsoft-Windows-TerminalServices-RDPClient/Debug","Microsoft-Windows-TerminalServices-RDPClient/Analytic","Microsoft-Windows-TerminalServices-Printers/Operational","Microsoft-Windows-TerminalServices-Printers/Debug","Microsoft-Windows-TerminalServices-Printers/Analytic","Microsoft-Windows-TerminalServices-Printers/Admin","Microsoft-Windows-TerminalServices-PnPDevices/Operational","Microsoft-Windows-TerminalServices-PnPDevices/Debug","Microsoft-Windows-TerminalServices-PnPDevices/Analytic","Microsoft-Windows-TerminalServices-PnPDevices/Admin","Microsoft-Windows-TerminalServices-MediaRedirection/Analytic","Microsoft-Windows-TerminalServices-LocalSessionManager/Operational","Microsoft-Windows-TerminalServices-LocalSessionManager/Debug","Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic","Microsoft-Windows-TerminalServices-LocalSessionManager/Admin","Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational","Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug","Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic","Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin","Microsoft-Windows-TaskbarCPL/Diagnostic","Microsoft-Windows-TaskScheduler/Operational","Microsoft-Windows-TaskScheduler/Maintenance","Microsoft-Windows-TaskScheduler/Diagnostic","Microsoft-Windows-TaskScheduler/Debug","Microsoft-Windows-TZUtil/Operational","Microsoft-Windows-TZSync/Operational","Microsoft-Windows-TZSync/Analytic","Microsoft-Windows-TWinUI/Operational","Microsoft-Windows-TWinUI/Diagnostic","Microsoft-Windows-TWinAPI/Diagnostic","Microsoft-Windows-TTS/Diagnostic","Microsoft-Windows-TSF-msutb/Diagnostic","Microsoft-Windows-TSF-msutb/Debug","Microsoft-Windows-TSF-msctf/Diagnostic","Microsoft-Windows-TSF-msctf/Debug","Microsoft-Windows-TCPIP/Operational","Microsoft-Windows-TCPIP/Diagnostic","Microsoft-Windows-SystemSettingsThreshold/Operational","Microsoft-Windows-SystemSettingsThreshold/Diagnostic","Microsoft-Windows-SystemSettingsThreshold/Debug","Microsoft-Windows-System-Profile-HardwareId/Diagnostic","Microsoft-Windows-Sysprep/Analytic","Microsoft-Windows-Superfetch/StoreLog","Microsoft-Windows-Superfetch/PfApLog","Microsoft-Windows-Superfetch/Main","Microsoft-Windows-Subsys-SMSS/Operational","Microsoft-Windows-Subsys-Csr/Operational","Microsoft-Windows-Store/Operational","Microsoft-Windows-StorageSpaces-SpaceManager/Operational","Microsoft-Windows-StorageSpaces-SpaceManager/Diagnostic","Microsoft-Windows-StorageSpaces-ManagementAgent/WHC","Microsoft-Windows-StorageSpaces-Driver/Performance","Microsoft-Windows-StorageSpaces-Driver/Operational","Microsoft-Windows-StorageSpaces-Driver/Diagnostic","Microsoft-Windows-StorageManagement/Operational","Microsoft-Windows-StorageManagement/Debug","Microsoft-Windows-Storage-Tiering/Admin","Microsoft-Windows-Storage-Tiering-IoHeat/Heat","Microsoft-Windows-Storage-Storport/Operational","Microsoft-Windows-Storage-Storport/Diagnose","Microsoft-Windows-Storage-Storport/Debug","Microsoft-Windows-Storage-Storport/Analytic","Microsoft-Windows-Storage-Storport/Admin","Microsoft-Windows-Storage-Disk/Operational","Microsoft-Windows-Storage-Disk/Diagnose","Microsoft-Windows-Storage-Disk/Debug","Microsoft-Windows-Storage-Disk/Analytic","Microsoft-Windows-Storage-Disk/Admin","Microsoft-Windows-Storage-ClassPnP/Operational","Microsoft-Windows-Storage-ClassPnP/Diagnose","Microsoft-Windows-Storage-ClassPnP/Debug","Microsoft-Windows-Storage-ClassPnP/Analytic","Microsoft-Windows-Storage-ClassPnP/Admin","Microsoft-Windows-Storage-ATAPort/Operational","Microsoft-Windows-Storage-ATAPort/Diagnose","Microsoft-Windows-Storage-ATAPort/Debug","Microsoft-Windows-Storage-ATAPort/Analytic","Microsoft-Windows-Storage-ATAPort/Admin","Microsoft-Windows-StorPort/Operational","Microsoft-Windows-StorDiag/Operational","Microsoft-Windows-StateRepository/Restricted","Microsoft-Windows-StateRepository/Operational","Microsoft-Windows-StateRepository/Diagnostic","Microsoft-Windows-StateRepository/Debug","Microsoft-Windows-SrumTelemetry","Microsoft-Windows-Spellchecking-Host/Analytic","Microsoft-Windows-SpellChecker/Analytic","Microsoft-Windows-Spell-Checking/Analytic","Microsoft-Windows-Speech-UserExperience/Diagnostic","Microsoft-Windows-SmbClient/Security","Microsoft-Windows-SmbClient/Diagnostic","Microsoft-Windows-SmbClient/Connectivity","Microsoft-Windows-SmartCard-TPM-VCard-Module/Operational","Microsoft-Windows-SmartCard-TPM-VCard-Module/Admin","Microsoft-Windows-SmartCard-DeviceEnum/Operational","Microsoft-Windows-SmartCard-Audit/Authentication","Microsoft-Windows-SleepStudy/Diagnostic","Microsoft-Windows-SilProvider/Operational","Microsoft-Windows-SilProvider/Debug","Microsoft-Windows-Shsvcs/Diagnostic","Microsoft-Windows-Shell-ZipFolder/Diagnostic","Microsoft-Windows-Shell-Shwebsvc","Microsoft-Windows-Shell-Search-UriHandler","Microsoft-Windows-Shell-OpenWith/Diagnostic","Microsoft-Windows-Shell-LockScreenContent/Diagnostic","Microsoft-Windows-Shell-DefaultPrograms/Diagnostic","Microsoft-Windows-Shell-Core/Operational","Microsoft-Windows-Shell-Core/LogonTasksChannel","Microsoft-Windows-Shell-Core/Diagnostic","Microsoft-Windows-Shell-Core/AppDefaults","Microsoft-Windows-Shell-Core/ActionCenter","Microsoft-Windows-Shell-ConnectedAccountState/ActionCenter","Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic","Microsoft-Windows-Shell-AuthUI-LogonUI/Diagnostic","Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic","Microsoft-Windows-Shell-AuthUI-CredentialProviderUser/Diagnostic","Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic","Microsoft-Windows-Shell-AuthUI-Common/Diagnostic","Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic","Microsoft-Windows-Shell-AppWizCpl/Diagnostic","Microsoft-Windows-SetupUGC/Analytic","Microsoft-Windows-SetupQueue/Analytic","Microsoft-Windows-SetupPlatform/Analytic","Microsoft-Windows-SetupCl/Analytic","Microsoft-Windows-Setup/Analytic","Microsoft-Windows-SettingSync/VerboseDebug","Microsoft-Windows-SettingSync/Operational","Microsoft-Windows-SettingSync/Debug","Microsoft-Windows-SettingSync/Analytic","Microsoft-Windows-SettingSync-Azure/Operational","Microsoft-Windows-SettingSync-Azure/Debug","Microsoft-Windows-Servicing/Debug","Microsoft-Windows-Services/Diagnostic","Microsoft-Windows-Services-Svchost/Diagnostic","Microsoft-Windows-ServiceReportingApi/Debug","Microsoft-Windows-ServerManager-MultiMachine/Operational","Microsoft-Windows-ServerManager-MultiMachine/Debug","Microsoft-Windows-ServerManager-MultiMachine/Admin","Microsoft-Windows-ServerManager-MgmtProvider/Operational","Microsoft-Windows-ServerManager-MgmtProvider/Debug","Microsoft-Windows-ServerManager-DeploymentProvider/Operational","Microsoft-Windows-ServerManager-DeploymentProvider/Debug","Microsoft-Windows-ServerManager-ConfigureSMRemoting/Operational","Microsoft-Windows-ServerManager-ConfigureSMRemoting/Debug","Microsoft-Windows-ServerEssentials-Deployment/Deploy","Microsoft-Windows-Serial-ClassExtension/Analytic","Microsoft-Windows-Serial-ClassExtension-V2/Analytic","Microsoft-Windows-Sensors/Performance","Microsoft-Windows-Sensors/Debug","Microsoft-Windows-Sens/Debug","Microsoft-Windows-SendTo/Diagnostic","Microsoft-Windows-Security-Vault/Performance","Microsoft-Windows-Security-UserConsentVerifier/Audit","Microsoft-Windows-Security-SPP/Perf","Microsoft-Windows-Security-SPP-UX/Analytic","Microsoft-Windows-Security-SPP-UX-Notifications/ActionCenter","Microsoft-Windows-Security-SPP-UX-GenuineCenter-Logging/Operational","Microsoft-Windows-Security-SPP-UX-GC/Analytic","Microsoft-Windows-Security-Netlogon/Operational","Microsoft-Windows-Security-Mitigations/UserMode","Microsoft-Windows-Security-Mitigations/KernelMode","Microsoft-Windows-Security-IdentityStore/Performance","Microsoft-Windows-Security-IdentityListener/Operational","Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Performance","Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Operational","Microsoft-Windows-Security-EnterpriseData-FileRevocationManager/Operational","Microsoft-Windows-Security-Audit-Configuration-Client/Operational","Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic","Micros
oft-Windows-SearchUI/Operational","Microsoft-Windows-SearchUI/Diagnostic","Microsoft-Windows-Search-ProtocolHandlers/Diagnostic","Microsoft-Windows-Search-Core/Diagnostic","Microsoft-Windows-Sdstor/Analytic","Microsoft-Windows-Sdbus/Debug","Microsoft-Windows-Sdbus/Analytic","Microsoft-Windows-ScmDisk0101/Operational","Microsoft-Windows-ScmDisk0101/Diagnostic","Microsoft-Windows-ScmDisk0101/Analytic","Microsoft-Windows-ScmBus/Operational","Microsoft-Windows-ScmBus/Diagnose","Microsoft-Windows-ScmBus/Certification","Microsoft-Windows-ScmBus/Analytic","Microsoft-Windows-Schannel-Events/Perf","Microsoft-Windows-SPB-HIDI2C/Analytic","Microsoft-Windows-SPB-ClassExtension/Analytic","Microsoft-Windows-SMBWitnessClient/Informational","Microsoft-Windows-SMBWitnessClient/Admin","Microsoft-Windows-SMBServer/Security","Microsoft-Windows-SMBServer/Performance","Microsoft-Windows-SMBServer/Operational","Microsoft-Windows-SMBServer/Diagnostic","Microsoft-Windows-SMBServer/Connectivity","Microsoft-Windows-SMBServer/Audit","Microsoft-Windows-SMBServer/Analytic","Microsoft-Windows-SMBDirect/Netmon","Microsoft-Windows-SMBDirect/Debug","Microsoft-Windows-SMBDirect/Admin","Microsoft-Windows-SMBClient/Operational","Microsoft-Windows-SMBClient/ObjectStateDiagnostic","Microsoft-Windows-SMBClient/HelperClassDiagnostic","Microsoft-Windows-SMBClient/Analytic","Microsoft-Windows-SDDC-Management/Operational","Microsoft-Windows-SDDC-Management/Admin","Microsoft-Windows-Runtime/Error","Microsoft-Windows-Runtime/CreateInstance","Microsoft-Windows-Runtime-Windows-Media/WinRTTranscode","Microsoft-Windows-Runtime-Windows-Media/WinRTMediaStreamSource","Microsoft-Windows-Runtime-Windows-Media/WinRTCaptureEngine","Microsoft-Windows-Runtime-WebAPI/Tracing","Microsoft-Windows-Runtime-Web-Http/Tracing","Microsoft-Windows-Runtime-Networking/Tracing","Microsoft-Windows-Runtime-Networking-BackgroundTransfer/Tracing","Microsoft-Windows-Runtime-Graphics/Analytic","Microsoft-Windows-RestartManager/Operational","M
icrosoft-Windows-ResourcePublication/Tracing","Microsoft-Windows-Resource-Exhaustion-Resolver/Operational","Microsoft-Windows-Resource-Exhaustion-Detector/Operational","Microsoft-Windows-ResetEng-Trace/Diagnostic","Microsoft-Windows-Remotefs-Rdbss/Operational","Microsoft-Windows-Remotefs-Rdbss/Diagnostic","Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational","Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-User-Mode-Transport/Debug","Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-Kernel-Mode-Transport/Debug","Microsoft-Windows-RemoteDesktopServices-RemoteFX-Synth3dvsc/Admin","Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational","Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Debug","Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin","Microsoft-Windows-RemoteApp and Desktop Connections/Operational","Microsoft-Windows-RemoteApp and Desktop Connections/Admin","Microsoft-Windows-Regsvr32/Operational","Microsoft-Windows-ReadyBoost/Operational","Microsoft-Windows-ReadyBoost/Analytic","Microsoft-Windows-ReFS/Operational","Microsoft-Windows-RasAgileVpn/Operational","Microsoft-Windows-RasAgileVpn/Debug","Microsoft-Windows-Ras-NdisWanPacketCapture/Diagnostic","Microsoft-Windows-RadioManager/Analytic","Microsoft-Windows-RRAS/Operational","Microsoft-Windows-RRAS/Debug","Microsoft-Windows-RPC/EEInfo","Microsoft-Windows-RPC/Debug","Microsoft-Windows-RPC-Proxy/Debug","Microsoft-Windows-QoS-qWAVE/Debug","Microsoft-Windows-QoS-Pacer/Diagnostic","Microsoft-Windows-PushNotification-Platform/Operational","Microsoft-Windows-PushNotification-Platform/Debug","Microsoft-Windows-PushNotification-Platform/Admin","Microsoft-Windows-PushNotification-InProc/Debug","Microsoft-Windows-PushNotification-Developer/Debug","Microsoft-Windows-Proximity-Common/Performance","Microsoft-Windows-Proximity-Common/Informational","Microsoft-Windows-Proximity-Common/Diagnostic","Microsoft-Windows-Program-Compatibility-Assistant/CompatAfterUpgrade","Microsoft-Windows-P
rogram-Compatibility-Assistant/Analytic","Microsoft-Windows-ProcessStateManager/Diagnostic","Microsoft-Windows-PrintService/Operational","Microsoft-Windows-PrintService/Debug","Microsoft-Windows-PrintService/Admin","Microsoft-Windows-PrintService-USBMon/Debug","Microsoft-Windows-PrintDialogs3D/Analytic","Microsoft-Windows-PrintDialogs/Analytic","Microsoft-Windows-PrintBRM/Admin","Microsoft-Windows-PrimaryNetworkIcon/Performance","Microsoft-Windows-PowerShell/Operational","Microsoft-Windows-PowerShell/Debug","Microsoft-Windows-PowerShell/Analytic","Microsoft-Windows-PowerShell/Admin","Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational","Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Debug","Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Analytic","Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic","Microsoft-Windows-PowerCpl/Diagnostic","Microsoft-Windows-PowerCfg/Diagnostic","Microsoft-Windows-Power-Meter-Polling/Diagnostic","Microsoft-Windows-PortableDeviceSyncProvider/Analytic","Microsoft-Windows-PortableDeviceStatusProvider/Analytic","Microsoft-Windows-Policy/Operational","Microsoft-Windows-Policy/Analytic","Microsoft-Windows-PlayToManager/Analytic","Microsoft-Windows-PhotoAcq/Analytic","Microsoft-Windows-PerceptionSensorDataService/Operational","Microsoft-Windows-PerceptionRuntime/Operational","Microsoft-Windows-Partition/Diagnostic","Microsoft-Windows-Partition/Analytic","Microsoft-Windows-PackageStateRoaming/Operational","Microsoft-Windows-PackageStateRoaming/Debug","Microsoft-Windows-PackageStateRoaming/Analytic","Microsoft-Windows-PCI/Diagnostic","Microsoft-Windows-OtpCredentialProvider/Operational","Microsoft-Windows-OobeLdr/Analytic","Microsoft-Windows-OneX/Operational","Microsoft-Windows-OneX/Diagnostic","Microsoft-Windows-OneBackup/Debug","Microsoft-Windows-OfflineFiles/SyncLog","Microsoft-Windows-OfflineFiles/Operational","Microsoft-Windows-OfflineFiles/Deb
ug","Microsoft-Windows-OfflineFiles/Analytic","Microsoft-Windows-OOBE-Machine-Plugins/Diagnostic","Microsoft-Windows-OOBE-Machine-Plugins-Wireless/Diagnostic","Microsoft-Windows-OOBE-Machine-DUI/Operational","Microsoft-Windows-OOBE-Machine-DUI/Diagnostic","Microsoft-Windows-OOBE-Machine-Core/Diagnostic","Microsoft-Windows-OOBE-FirstLogonAnim/Diagnostic")


    Reference: 

    https://www.trendmicro.com/en_us/research/24/i/how-ransomhub-ransomware-uses-edrkillshifter-to-disable-edr-and-.html


    Tags

    Malware, Ransomware
