61612 (?i)lsass\.exe B3-01 [PROD] Sysmon: LSASS process access detected (event 10) soc_prod,b3,credential_access,lsass, T1003.001
61603 (?i)select|union|insert|drop|exec B3-02 [PROD] Sysmon: SQL keyword in process command line (event 1) soc_prod,b3,webapp,sqli, T1190
61613 \.(?:php|aspx|asp|jsp)$ B3-03 [PROD] Sysmon: web script file created (possible webshell, event 11) soc_prod,b3,webapp,webshell, T1505.003
61603 (?i)msiexec (?i)/x|/uninstall B3-04 [PROD] Sysmon: msiexec uninstall detected (event 1) soc_prod,b3,defense_evasion, T1562.001
61612 (?i)Taskmgr\.exe (?i)lsass\.exe B3-05 [PROD] Sysmon: LSASS dump via Task Manager (event 10) soc_prod,b3,credential_access,lsass, T1003.001
61603 (?i)certutil\.exe B3-06 [PROD] Sysmon: certutil.exe execution detected (event 1) soc_prod,b3,download, T1105