Detects modification of autostart extensibility point (ASEP) in registry.

Read More

Detects modification of autostart extensibility point (ASEP) in registry.

Read More

Detects potential exploitation of remote code execution vulnerability CVE-2025-33053 which involves unauthorized code execution via WebDAV through external control of file names or paths. The exploit abuses legitimate utilities like iediagcmd.exe or CustomShellHost.exe by manipulating their working directories to point to attacker-controlled WebDAV servers, causing them to execute malicious executables (like route.exe) from the WebDAV path instead of legitimate system binaries through Process.Start() search order manipulation.

Read More

Detects potential exploitation of remote code execution vulnerability CVE-2025-33053 by monitoring suspicious image loads from WebDAV paths. The exploit involves malicious executables from attacker-controlled WebDAV servers loading the Windows system DLLs like gdi32.dll, netapi32.dll, etc.

Read More

Detects potential exploitation of remote code execution vulnerability CVE-2025-33053 by looking for process access that involves legitimate Windows executables (iediagcmd.exe, CustomShellHost.exe) accessing suspicious executables hosted on WebDAV shares. This indicates an attacker may be exploiting Process.Start() search order manipulation to execute malicious code from attacker-controlled WebDAV servers instead of legitimate system binaries. The vulnerability allows unauthorized code execution through external control of file names or paths via WebDAV.

Read More

Detects a highly relevant Antivirus alert that reports an exploitation framework. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.

Read More

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Read More

Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators

Read More

Detects a DNS query by a non browser process on the system to "azurewebsites.net". The latter was often used by threat actors as a malware hosting and exfiltration site.

Read More

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Read More

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Read More

Detects the presence and execution of Inveigh via dropped artefacts

Read More

Detects the creation of file with specific names used by RemoteKrbRelay SMB Relay attack module.

Read More

Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder

Read More

TeamViewer_Desktop.exe is create during install

Read More

Detects a Mesh Agent service installation. Mesh Agent is used to remotely manage computers

Read More

Detects potential RDP connection via Mstsc using a local ".rdp" file

Read More

Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.

Read More

Detects potential CSharp Streamer RAT loading .NET executable image by using the default file name and path associated with the tool.

Read More

Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.

Read More

Detects logons using NTLM to hosts that are potentially not part of the domain.

Read More

Detects a DNS query initiated from a "wscript" process for domains matching a specific pattern that was seen being used by SocGholish for its Command and Control traffic

Read More

Detects the execution of Microsoft Quick Assist tool "QuickAssist.exe". This utility can be used by attackers to gain remote access.

Read More

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Read More

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Read More

Detects incoming connections to AnyDesk. This could indicate a potential remote attacker trying to connect to a listening instance of AnyDesk and use it as potential command and control channel.

Read More

Detects piping the password to an anydesk instance via CMD and the '--set-password' flag.

Read More

Detects AnyDesk Remote Desktop silent installation. Which can be used by attackers to gain remote access.

Read More

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Read More

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Read More

Detects the use of MeshAgent to execute commands on the target host, particularly when threat actors might abuse it to execute commands directly. MeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.

Read More

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Read More

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Read More

Detects potentially suspicious child processes launched via the ScreenConnect client service.

Read More

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Read More

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Read More

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Read More

Detects AnyDesk writing binary files to disk other than "gcapi.dll". According to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll, which is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)

Read More

Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations.

Read More

Detects a tscon.exe start as LOCAL SYSTEM

Read More

Detects a TacticalRMM service installation. Tactical RMM is a remote monitoring & management tool.

Read More

Detects DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an image that isn't named TeamViewer (sometimes used by threat actors for obfuscation)

Read More

Detects the creation of log files during a TeamViewer remote session

Read More

An adversary may use legitimate desktop support and remote access software,to establish an interactive command and control channel to target systems within networks

Read More

Detects the execution of SharpSuccessor, a tool used to exploit the BadSuccessor attack for privilege escalation in WinServer 2025 Active Directory environments. Successful usage of this tool can let the attackers gain the domain admin privileges by exploiting the BadSuccessor vulnerability.

Read More

Detects Commandlet names from well-known PowerShell exploitation frameworks

Read More

Detects the creation of known offensive powershell scripts used for exploitation

Read More

Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance

Read More

Detects attempts to query system information directly from the Windows Registry.

Read More

Detects DNS queries to domains commonly used by threat actors to host malware payloads or redirect through URL shorteners. These include platforms like Cloudflare Workers, TryCloudflare, InfinityFree, and URL shorteners such as tinyurl and lihi.cc. Such DNS activity can indicate potential delivery or command-and-control communication attempts.

Read More

Detects the suspicious file that is created from PoC code against Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare), CVE-2021-1675 .

Read More

Detects suspicious user agent string of APT40 Dropbox tool

Read More

Detects HTTP request used by Chafer malware to receive data from its C2.

Read More

Detects Turla ComRAT network communication.

Read More

Detects changes to the "Ports" registry key with data that includes a Windows path or a file with a suspicious extension. This could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability.

Read More

Detects FlowCloud malware registry markers from threat group TA410. The malware stores its configuration in the registry alongside drivers utilized by the malware's keylogger components.

Read More

Detects Ursnif C2 traffic.

Read More

Detects download of Ursnif malware done by dropper documents.

Read More

Detects execution of mshta.exe with file types that looks like they do not typically represent HTA (HTML Application) content, such as .png, .jpg, .zip, .pdf, and others, which are often polyglots. MSHTA is a legitimate Windows utility for executing HTML Applications containing VBScript or JScript. Threat actors often abuse this lolbin utility to download and execute malicious scripts disguised as benign files or hosted under misleading extensions to evade detection.

Read More

Detects potential Java webshell uploads via HTTP requests with Content-Type 'application/octet-stream' and Java file extensions. This behavior might indicate exploitation of vulnerabilities like CVE-2025-31324, which allows remote code execution through webshells in SAP NetViewer.

Read More

Detects potential command execution via webshell in SAP NetViewer through JSP files with cmd parameter. This rule is created to detect exploitation of vulnerabilities like CVE-2025-31324, which allows remote code execution via a webshell.

Read More

Detects the execution of "RegAsm.exe" without a commandline flag or file, which might indicate potential process injection activity. Usually "RegAsm.exe" should point to a dedicated DLL file or call the help with the "/?" flag.

Read More

Detects the usage of "reg.exe" to tamper with different Windows Defender registry keys in order to disable some important features related to protection and detection

Read More

Detects the invocation of MS SQL transactions that are destructive towards table or database data, such as "DROP TABLE" or "DROP DATABASE".

Read More

Detects the execution of the LaZagne. A utility used to retrieve multiple types of passwords stored on a local computer. LaZagne has been leveraged multiple times by threat actors in order to dump credentials.

Read More

Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)

Read More

Detects use of the sysinfo system call in Linux, which provides a snapshot of key system statistics such as uptime, load averages, memory usage, and the number of running processes. Malware or reconnaissance tools might leverage sysinfo to fingerprint the system - gathering data to determine if it's a viable target.

Read More

Detects potential commandline obfuscation using unicode characters. Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.

Read More

Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns

Read More

Detects dropped files with double extensions, which is often used by malware as a method to abuse the fact that Windows hide default extensions by default.

Read More

Detects usage of the mknod syscall to create special files (e.g., character or block devices). Attackers or malware might use mknod to create fake devices, interact with kernel interfaces, or establish covert channels in Linux systems. Monitoring the use of mknod is important because this syscall is rarely used by legitimate applications, and it can be abused to bypass file system restrictions or create backdoors.

Read More

Detects attempts to record audio using the arecord and ecasound utilities.

Read More

Detects the use of the syslog syscall with action code 5 (SYSLOG_ACTION_CLEAR), (4 is SYSLOG_ACTION_READ_CLEAR and 6 is SYSLOG_ACTION_CONSOLE_OFF) which clears the kernel ring buffer (dmesg logs). This can be used by attackers to hide traces after exploitation or privilege escalation. A common technique is running dmesg -c, which triggers this syscall internally.

Read More

Detects the use of the personality syscall with the ADDR_NO_RANDOMIZE flag (0x0040000), which disables Address Space Layout Randomization (ASLR) in Linux. This is often used by attackers exploit development, or to bypass memory protection mechanisms. A successful use of this flag can reduce the effectiveness of ASLR and make memory corruption attacks more reliable.

Read More

Detects possible command execution by web application/web shell

Read More

Detects the execution of host or user discovery utilities such as "whoami", "hostname", "id", etc. Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Read More

Detects enumeration of local system groups. Adversaries may attempt to find local system groups and permission settings

Read More

Detects the execution of a text-based file access or inspection utilities to read the content of /etc/sudoers in order to potentially list all users that have sudo rights.

Read More

Detects the execution of certutil with either the "decode" or "decodehex" flags to decode base64 or hex encoded files. This can be abused by attackers to decode an encoded payload before execution

Read More

Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) from a non-standard directory.

Read More

Detects execution of "aspnet_compiler.exe" which can be abused to compile and execute C# code.

Read More

Detects potential DLL sideloading of "mscorsvc.dll".

Read More

Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.).

Read More

Detects execution of "aspnet_compiler.exe" with potentially suspicious paths for compilation.

Read More

Detects loading of essential DLLs used by PowerShell by non-PowerShell process. Detects behavior similar to meterpreter's "load powershell" extension.

Read More

Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.

Read More

Detects suspicious encoded character syntax often used for defense evasion

Read More

Detects a highly relevant Antivirus alert that reports ransomware. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.

Read More

Detects the deletion of an AWS SAML provider, potentially indicating malicious intent to disrupt administrative or security team access. An attacker can remove the SAML provider for the information security team or a team of system administrators, to make it difficult for them to work and investigate at the time of the attack and after it.

Read More

Detects usage of the "FromBase64String" function in the commandline which is used to decode a base64 encoded string

Read More

Detects SSH user login access failures. Please note that this rule can be noisy and is recommended to use with correlation based on "author.name" field.

Read More

Detects creation of a container with a hostPath mount. A hostPath volume mounts a directory or a file from the node to the container. Attackers who have permissions to create a new pod in the cluster may create one with a writable hostPath volume and chroot to escape to the underlying node.

Read More

Detects when a process tries to access the memory of svchost to potentially dump credentials.

Read More

Detects the execution of the BCP utility in order to export data from the database. Attackers were seen saving their malware to a database column or table and then later extracting it via "bcp.exe" into a file.

Read More

Detects the removal of a deployment from a Kubernetes cluster. This could indicate disruptive activity aiming to impact business operations.

Read More

Detects DNS queries initiated by "QuickAssist.exe" to Microsoft Quick Assist primary endpoint that is used to establish a session.

Read More

Detects file names with specific patterns seen generated and used by tools such as Mimikatz and DSInternals related to exported or stolen DPAPI backup keys and certificates.

Read More

Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP

Read More

Detects when the policy allowing forks of private and internal repositories is changed (enabled or cleared).

Read More

Detects when a repository or an organization is being transferred to another location.

Read More

Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)

Read More

Detects the process injection of a LittleCorporal generated Maldoc.

Read More

Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed

Read More

Detects the enumeration and query of interesting and in some cases sensitive services on the system via "sc.exe". Attackers often try to enumerate the services currently running on a system in order to find different attack vectors.

Read More

Detects enumeration of Kubernetes secrets.

Read More

Detects usage of a PowerShell command to dump the live memory of a Windows machine

Read More

Detects the enumeration of a specific DLL or EXE being used by a binary via "tasklist.exe". This is often used by attackers in order to find the specific process identifier (PID) that is using the DLL in question. In order to dump the process memory or perform other nefarious actions.

Read More

Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe

Read More

Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud

Read More

Detects Octopus Scanner Malware.

Read More

Detects instances where an FTP service on an OpenCanary node has had a login attempt.

Read More

Detect when System Manager successfully executes commands against an instance.

Read More

Detects attempts to execute remote commands, within a Pod's container using e.g. the "kubectl exec" command.

Read More

Detects attempts to inject a sidecar container into a running deployment. A sidecar container is an additional container within a pod, that resides alongside the main container. One way to add containers to running resources like Deployments/DeamonSets/StatefulSets, is via a "kubectl patch" operation. By injecting a new container within a legitimate pod, an attacker can run their code and hide their activity, instead of running their own separated pod in the cluster.

Read More

Detects the registration of a new ODBC driver where the driver is located in a potentially suspicious location

Read More

Detects the installation and configuration of PowerShell Web Access, which could be used for remote access and potential abuse

Read More

Detects the creation of a "privileged" container, an action which could be indicative of a threat actor mounting a container breakout attacks. A privileged container is a container that can access the host with all of the root capabilities of the host machine. This allows it to view, interact and modify processes, network operations, IPC calls, the file system, mount points, SELinux configurations etc. as the root user on the host. Various versions of "privileged" containers can be specified, e.g. by setting the securityContext.privileged flag in the resource specification, setting non-standard Linux capabilities, or configuring the hostNetwork/hostPID fields

Read More

Detects user accept agreement execution in psexec commandline

Read More

Detect the update check performed by Advanced IP/Port Scanner utilities.

Read More

Detects Crassus, a Windows privilege escalation discovery tool, based on PE metadata characteristics.

Read More

Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.

Read More

Detects identities attempting to enumerate their Kubernetes RBAC permissions. In the early stages of a breach, attackers will aim to list the permissions they have within the compromised environment. In a Kubernetes cluster, this can be achieved by interacting with the API server, and querying the SelfSubjectAccessReview API via e.g. a "kubectl auth can-i --list" command. This will enumerate the Role-Based Access Controls (RBAC) rules defining the compromised user's authorization.

Read More

Detects service installation of different remote access tools software. These software are often abused by threat actors to perform

Read More

Detects remote RPC calls that performs remote DCOM operations. These could be abused for lateral movement via DCOM or WMI.

Read More

Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session).

Read More

Detects remote RPC calls to modify the registry and possible execute code

Read More

Detects remote RPC calls to create or execute a scheduled task via ATSvc

Read More

Detects remote RPC calls to create or execute a scheduled task via SASec

Read More

Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR

Read More

Detects a renamed Powershell execution, which is a common technique used to circumvent security controls and bypass detection logic that's dependent on process names and process paths.

Read More

Detects rundll32 execution where the DLL is located on a remote location (share)

Read More

Detects suspicious change of file privileges with chown and chmod commands

Read More

Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents

Read More

Detects executables launched from external WebDAV shares using the WebDAV Explorer integration, commonly seen in initial access campaigns.

Read More

Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation

Read More

Detects the creation of the default output filename used by the wmiexec tool

Read More

Monitors for the hiding possible malicious files in the C:\Windows\Fonts\ location. This folder doesn't require admin privillege to be written and executed from.

Read More

Detects the execution of obfuscated PowerShell commands that attempt to install MSI packages via the Windows Installer COM object (WindowsInstaller.Installer). The technique involves manipulating strings to hide functionality, such as constructing class names using string insertion (e.g., 'indowsInstaller.Installer'.Insert(0,'W')) and correcting malformed URLs (e.g., converting 'htps://' to 'https://') at runtime. This behavior is commonly associated with malware loaders or droppers that aim to bypass static detection by hiding intent in runtime-generated strings and using legitimate tools for code execution. The use of InstallProduct and COM object creation, particularly combined with hidden window execution and suppressed UI, indicates an attempt to install software (likely malicious) without user interaction.

Read More

Detects exploitation of vulnerabilities in Arcadyan routers as reported in CVE-2021-20090 and CVE-2021-20091.

Read More

Detects S3 browser utility creating Inline IAM policy containing default S3 bucket name placeholder value of "".

Read More

Detects when a Container Registry is created or deleted.

Read More

Detects when a Azure Kubernetes Cluster is created or deleted.

Read More

Identifies when a Azure Kubernetes network policy is modified or deleted.

Read More

Detects the creation or patching of potential malicious RoleBinding/ClusterRoleBinding.

Read More

Identifies when a Kubernetes account access a sensitive objects such as configmaps or secrets.

Read More

Identifies when ClusterRoles/Roles are being modified or deleted.

Read More

Identifies when a service account is modified or deleted.

Read More

Detects buffer overflow attempts in Unix system log files

Read More

Detects setting proxy configuration

Read More

Detects potentially suspicious child processes of Wscript/Cscript. These include processes such as rundll32 with uncommon exports or PowerShell spawning rundll32 or regsvr32. Malware such as Pikabot and Qakbot were seen using similar techniques as well as many others.

Read More

Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum

Read More

Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum

Read More

Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module pwgrab.

Read More

Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.

Read More

Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems

Read More

Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon

Read More

Detects the use of TruffleSnout.exe an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low noise enumeration.

Read More

Detects scenarios where system auditing for important events such as "Process Creation" or "Logon" events is disabled.

Read More

Detects installation of a remote msi file from web.

Read More

Detects corrupted packets sent to the MSMQ service. Could potentially be a sign of CVE-2023-21554 exploitation

Read More

This rule detects the execution of the extended storage procedure backdoor named Maggie in the context of Microsoft SQL server

Read More

Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations.

Read More

Detects when an Okta end-user reports activity by their account as being potentially suspicious.

Read More

Detects suspicious child processes of "pc-app.exe". Which could indicate potential exploitation of PaperCut

Read More

Detect suspicious Kerberos TGT requests. Once an attacer obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes. One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus. This request will generate a 4768 event with some unusual fields depending on the environment. This analytic will require tuning, we recommend filtering Account_Name to the Domain Controller computer accounts.

Read More

Detects the execution of "gpg.exe" from uncommon location. Often used by ransomware and loaders to decrypt/encrypt data.

Read More

Detects remote RPC calls to MS-DRSR from non DC hosts, which could indicate DCSync / DCShadow attacks.

Read More

Detects log entries that appear in exploitation attempts against MS Exchange RCE CVE-2021-42321

Read More

Detects (failed) outbound connection attempts to internet facing SMB servers. This could be a sign of potential exploitation attempts of CVE-2023-23397.

Read More

Detects connections from routable IPs to an RDP listener. Which is indicative of a publicly-accessible RDP service.

Read More

Detects remote RPC calls to read information about scheduled tasks via SASec

Read More

Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR

Read More

Detects remote RPC calls to get event log information via EVEN or EVEN6

Read More

Detects the use of tools that copy files from or to remote systems

Read More

Detects remote RPC calls to possibly abuse remote printing service via MS-RPRN / MS-PAR

Read More

Detects remote RPC calls to collect information

Read More

Detects remote RPC calls to create or execute a scheduled task

Read More

Detects remote RPC calls to read information about scheduled tasks via AtScv

Read More

Detects remote RPC calls to read information about scheduled tasks

Read More

Detects remote RPC calls to possibly abuse remote encryption service via MS-SRVS

Read More

Detects remote RPC calls useb by SharpHound to map remote connections and local group membership.

Read More

Detects remote RPC calls useb by SharpHound to map remote connections and local group membership.

Read More

Detects space after filename

Read More

Ntvdm.exe allows the execution of 16-bit Windows applications on 32-bit Windows operating systems, as well as the execution of both 16-bit and 32-bit DOS applications

Read More

Detects suspicious log entries in Linux log files

Read More

Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)

Read More

Detects unexpected command shell execution (cmd.exe) from w3wp.exe when tied to CentreStack's portal.config, indicating potential exploitation (e.g., CVE-2025-30406)

Read More

Detects a named pipe used by Turla group samples

Read More

Detects uncommon network connections to the Active Directory Web Services (ADWS) from processes not typically associated with ADWS management.

Read More

Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool

Read More

Modifications to a config that will serve an adversary's impacts or persistence

Read More

Detects file access requests to crypto currency files by uncommon processes. Could indicate potential attempt of crypto currency wallet stealing.

Read More

Detects file access requests to potentially sensitive files hosted on the Windows Sysvol share.

Read More

Detects file access requests to the Windows Credential History File by an uncommon application. This can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::credhist" function

Read More

Detects file access requests to the the Windows Data Protection API Master keys by an uncommon application. This can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::masterkey" function

Read More

Detects the execution of "BitLockerToGo.EXE". BitLocker To Go is BitLocker Drive Encryption on removable data drives. This feature includes the encryption of, USB flash drives, SD cards, External hard disk drives, Other drives that are formatted by using the NTFS, FAT16, FAT32, or exFAT file system. This is a rarely used application and usage of it at all is worth investigating. Malware such as Lumma stealer has been seen using this process as a target for process hollowing.

Read More

Detects suspicious processes based on name and location that access the windows credential manager and vault. Which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::cred" function

Read More

Detects changes to "DsrmAdminLogonBehavior" registry value. During a Domain Controller (DC) promotion, administrators create a Directory Services Restore Mode (DSRM) local administrator account with a password that rarely changes. The DSRM account is an “Administrator” account that logs in with the DSRM mode when the server is booting up to restore AD backups or recover the server from a failure. Attackers could abuse DSRM account to maintain their persistence and access to the organization's Active Directory. If the "DsrmAdminLogonBehavior" value is set to "0", the administrator account can only be used if the DC starts in DSRM. If the "DsrmAdminLogonBehavior" value is set to "1", the administrator account can only be used if the local AD DS service is stopped. If the "DsrmAdminLogonBehavior" value is set to "2", the administrator account can always be used.

Read More

Detects the creation of specific files inside of ProgramData directory. These files were seen being created by Forest Blizzard as described by MSFT.

Read More

Detects if the secret scanning feature is disabled for an enterprise or repository.

Read More

Detects when changes are made to the SSH certificate configuration of the organization.

Read More

Detects when a modification (create, update or replace) action is taken that affects mutating or validating webhook configurations, as they can be used by an adversary to achieve persistence or exfiltrate access credentials.

Read More

Detects when a Kubernetes CronJob or Job is created or modified. A Kubernetes Job creates one or more pods to accomplish a specific task, and a CronJob creates Jobs on a recurring schedule. An adversary can take advantage of this Kubernetes object to schedule Jobs to run containers that execute malicious code within a cluster, allowing them to achieve persistence.

Read More

Detects when a Kubernetes Rolebinding is created or modified.

Read More

Detects when Kubernetes Secrets are Modified or Deleted.

Read More

Detects when an instance identity has taken an action that isn't inside SSM. This can indicate that a compromised EC2 instance is being used as a pivot point.

Read More

Detects file access attempts to sensitive Microsoft teams files (leveldb, cookies) by an uncommon process.

Read More

Detects an initiated network connection by a non browser process on the system to "azurewebsites.net". The latter was often used by threat actors as a malware hosting and exfiltration site.

Read More

Detects the creation of a file with the ".pdf" extension by the "RegEdit.exe" process. This indicates that a user is trying to print/save a registry key as a PDF in order to potentially extract sensitive information and bypass defenses.

Read More

Detects potential APT FIN7 exploitation activity as reported by Google. In order to obtain initial access, FIN7 used compromised Remote Desktop Protocol (RDP) credentials to login to a target server and initiate specific Windows process chains.

Read More