Detection.FYI
  • Suspicious DNS Query for IP Lookup Service APIs

    Dec 1, 2023 · attack.reconnaissance attack.t1590

    Detects DNS queries for IP lookup services such as "api.ipify.org" originating from a non-browser process.

  • Suspicious Network Connection to IP Lookup Service APIs

    Dec 1, 2023 · attack.discovery attack.t1016

    Detects external IP address lookups by non-browser processes via services such as "api.ipify.org". This could be indicative of potential post-compromise internet test activity.

  • Atbroker Registry Change

    Dec 1, 2023 · attack.defense_evasion attack.t1218 attack.persistence attack.t1547

    Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'

  • Cisco BGP Authentication Failures

    Dec 1, 2023 · attack.initial_access attack.persistence attack.privilege_escalation attack.defense_evasion attack.credential_access attack.collection attack.t1078 attack.t1110 attack.t1557

    Detects BGP failures which may be indicative of brute force attacks to manipulate routing

  • Cisco LDP Authentication Failures

    Dec 1, 2023 · attack.initial_access attack.persistence attack.privilege_escalation attack.defense_evasion attack.credential_access attack.collection attack.t1078 attack.t1110 attack.t1557

    Detects LDP failures which may be indicative of brute force attacks to manipulate MPLS labels

  • Clipboard Data Collection Via OSAScript

    Dec 1, 2023 · attack.collection attack.execution attack.t1115 attack.t1059.002

    Detects possible collection of data from the clipboard via execution of the osascript binary

  • Copy Passwd Or Shadow From TMP Path

    Dec 1, 2023 · attack.credential_access attack.t1552.001

    Detects when the file "passwd" or "shadow" is copied from a tmp path

  • Deployment AppX Package Was Blocked By AppLocker

    Dec 1, 2023 · attack.defense_evasion

    Detects an appx package deployment that was blocked by AppLocker policy

  • Deployment Of The AppX Package Was Blocked By The Policy

    Dec 1, 2023 · attack.defense_evasion

    Detects an appx package deployment that was blocked by the local computer policy

  • DirLister Execution

    Dec 1, 2023 · attack.discovery attack.t1083

    Detects the usage of "DirLister.exe", a utility for quickly listing folder or drive contents. It was seen used by BlackCat ransomware to create a list of accessible directories and files.

  • Disable Windows IIS HTTP Logging

    Dec 1, 2023 · attack.defense_evasion attack.t1562.002

    Detects disabling of HTTP logging on a Windows IIS web server, as seen used by Threat Group 3390 (Bronze Union)

  • Disabled RestrictedAdminMode For RDS - ProcCreation

    Dec 1, 2023 · attack.defense_evasion attack.t1112

    Detects activation of DisableRestrictedAdmin to disable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. This prevents your credentials from being harvested during the initial connection process if the remote server has been compromised.

  • DNS Query for Anonfiles.com Domain - DNS Client

    Dec 1, 2023 · attack.exfiltration attack.t1567.002

    Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes

  • DNS Query for Anonfiles.com Domain - Sysmon

    Dec 1, 2023 · attack.exfiltration attack.t1567.002

    Detects DNS queries for "anonfiles.com", which is an anonymous file upload platform often used for malicious purposes

  • Enable BPF Kprobes Tracing

    Dec 1, 2023 · attack.execution attack.defense_evasion

    Detects a common command used to enable BPF kprobes tracing

  • Execution from Suspicious Folder

    Dec 1, 2023 · attack.defense_evasion attack.t1036

    Detects a suspicious execution from an uncommon folder

  • Flush Iptables Ufw Chain

    Dec 1, 2023 · attack.defense_evasion attack.t1562.004

    Detects use of iptables to flush all firewall rules, tables and chains and allow all network traffic

  • Fsutil Behavior Set SymlinkEvaluation

    Dec 1, 2023 · attack.execution attack.t1059

    A symbolic link is a type of file that contains a reference to another file. This is probably done to make sure that the ransomware is able to follow shortcuts on the machine in order to find the original file to encrypt

  • Github Delete Action Invoked

    Dec 1, 2023 · attack.impact attack.collection attack.t1213.003

    Detects delete action in the Github audit logs for codespaces, environment, project and repo.

  • Github High Risk Configuration Disabled

    Dec 1, 2023 · attack.credential_access attack.defense_evasion attack.persistence attack.t1556

    Detects when a user disables a critical security feature for an organization.

  • Github New Secret Created

    Dec 1, 2023 · attack.defense_evasion attack.persistence attack.privilege_escalation attack.initial_access attack.t1078.004

    Detects when a user creates an action secret for the organization, environment, codespaces or repository.

  • Github Outside Collaborator Detected

    Dec 1, 2023 · attack.persistence attack.collection attack.t1098.001 attack.t1098.003 attack.t1213.003

    Detects when an organization member or an outside collaborator is added to or removed from a project board or has their permission level changed, when an owner removes an outside collaborator from an organization, or when two-factor authentication is required in an organization and an outside collaborator does not use 2FA or disables 2FA.

  • Github Self Hosted Runner Changes Detected

    Dec 1, 2023 · attack.impact attack.discovery attack.collection attack.defense_evasion attack.persistence attack.privilege_escalation attack.initial_access attack.t1526 attack.t1213.003 attack.t1078.004

    A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runner configurations in the environment. Once such a change is detected, it should be validated in the GitHub UI because the log entry may not provide full context.

  • HackTool - HandleKatz LSASS Dumper Execution

    Dec 1, 2023 · attack.credential_access attack.t1003.001

    Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same

  • HackTool - Htran/NATBypass Execution

    Dec 1, 2023 · attack.command_and_control attack.t1090 attack.s0040

    Detects executable names or flags used by Htran or Htran-like tools (e.g. NATBypass)

  • HackTool - Inveigh Execution

    Dec 1, 2023 · attack.credential_access attack.t1003.001

    Detects the use of Inveigh, a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool

  • HackTool - KrbRelay Execution

    Dec 1, 2023 · attack.credential_access attack.t1558.003

    Detects the use of KrbRelay, a Kerberos relaying tool

  • HackTool - KrbRelayUp Execution

    Dec 1, 2023 · attack.credential_access attack.t1558.003 attack.lateral_movement attack.t1550.003

    Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced

  • HackTool - PowerTool Execution

    Dec 1, 2023 · attack.defense_evasion attack.t1562.001

    Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files

  • HackTool - SafetyKatz Execution

    Dec 1, 2023 · attack.credential_access attack.t1003.001

    Detects the execution of the hacktool SafetyKatz via PE information and default Image name

  • HackTool - SharPersist Execution

    Dec 1, 2023 · attack.persistence attack.t1053

    Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms

  • HackTool - SharpLdapWhoami Execution

    Dec 1, 2023 · attack.discovery attack.t1033 car.2016-03-001

    Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller

  • HackTool - SysmonEOP Execution

    Dec 1, 2023 · cve.2022.41120 attack.t1068 attack.privilege_escalation

    Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120

  • Huawei BGP Authentication Failures

    Dec 1, 2023 · attack.initial_access attack.persistence attack.privilege_escalation attack.defense_evasion attack.credential_access attack.collection attack.t1078 attack.t1110 attack.t1557

    Detects BGP failures which may be indicative of brute force attacks to manipulate routing.

  • Import PowerShell Modules From Suspicious Directories

    Dec 1, 2023 · attack.execution attack.t1059.001

    Detects PowerShell scripts that import modules from suspicious directories

  • Import PowerShell Modules From Suspicious Directories - ProcCreation

    Dec 1, 2023 · attack.execution attack.t1059.001

    Detects PowerShell scripts that import modules from suspicious directories

  • Java Payload Strings

    Dec 1, 2023 · cve.2022.26134 cve.2021.26084 attack.initial_access attack.t1190

    Detects possible Java payloads in web access logs

  • Juniper BGP Missing MD5

    Dec 1, 2023 · attack.initial_access attack.persistence attack.privilege_escalation attack.defense_evasion attack.credential_access attack.collection attack.t1078 attack.t1110 attack.t1557

    Detects Juniper BGP missing MD5 digest, which may be indicative of brute force attacks to manipulate routing.

  • JXA In-memory Execution Via OSAScript

    Dec 1, 2023 · attack.t1059.002 attack.t1059.007 attack.execution

    Detects possible malicious execution of JXA in-memory via OSAScript

  • Lolbin Ssh.exe Use As Proxy

    Dec 1, 2023 · attack.defense_evasion attack.t1202

    Detects usage of the "ssh.exe" binary as a proxy to launch other programs

  • Malicious Nishang PowerShell Commandlets

    Dec 1, 2023 · attack.execution attack.t1059.001

    Detects Commandlet names and arguments from the Nishang exploitation framework

  • Malicious PowerShell Scripts - PoshModule

    Dec 1, 2023 · attack.execution attack.t1059.001

    Detects the execution of known offensive PowerShell scripts used for exploitation or reconnaissance

  • Microsoft IIS Service Account Password Dumped

    Dec 1, 2023 · attack.credential_access attack.t1003

    Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords

  • Mount Execution With Hidepid Parameter

    Dec 1, 2023 · attack.credential_access attack.t1564

    Detects execution of the "mount" command with the "hidepid" parameter to make processes invisible to other users on the system

  • New Generic Credentials Added Via Cmdkey.EXE

    Dec 1, 2023 · attack.credential_access attack.t1003.005

    Detects usage of cmdkey to add generic credentials. For example, this has to be used before connecting to an RDP session via the command line interface.

  • New Github Organization Member Added

    Dec 1, 2023 · attack.persistence attack.t1136.003

    Detects when a new member is added or invited to a GitHub organization.

  • New Remote Desktop Connection Initiated Via Mstsc.EXE

    Dec 1, 2023 · attack.lateral_movement attack.t1021.001

    Detects the usage of "mstsc.exe" with the "/v" flag to initiate a connection to a remote server. Adversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.

  • Nimbuspwn Exploitation

    Dec 1, 2023 · attack.privilege_escalation attack.t1068

    Detects exploitation of Nimbuspwn privilege escalation vulnerability (CVE-2022-29799 and CVE-2022-29800)

  • Nltest.EXE Execution

    Dec 1, 2023 · attack.discovery attack.t1016 attack.t1018 attack.t1482

    Detects nltest commands that can be used for information discovery

  • Okta Admin Role Assignment Created

    Dec 1, 2023 · attack.persistence

    Detects when a new admin role assignment is created, which could be a sign of privilege escalation or persistence

  • Operator Bloopers Cobalt Strike Commands

    Dec 1, 2023 · attack.execution attack.t1059.003 stp.1u

    Detects use of Cobalt Strike commands accidentally entered in the CMD shell

  • Operator Bloopers Cobalt Strike Modules

    Dec 1, 2023 · attack.execution attack.t1059.003

    Detects Cobalt Strike module/commands accidentally entered in the CMD shell

  • OSACompile Run-Only Execution

    Dec 1, 2023 · attack.t1059.002 attack.execution

    Detects potential suspicious run-only executions compiled using OSACompile

  • Outdated Dependency Or Vulnerability Alert Disabled

    Dec 1, 2023 · attack.initial_access attack.t1195.001

    Dependabot performs a scan to detect insecure dependencies, and sends Dependabot alerts. This rule detects when an organization owner disables Dependabot alerts for private repositories or Dependabot security updates for all repositories.

  • PDQ Deploy Remote Administration Tool Execution

    Dec 1, 2023 · attack.execution attack.lateral_movement attack.t1072

    Detects use of the PDQ Deploy remote admin tool


    Read More
  • Potential Active Directory Enumeration Using AD Module - ProcCreation

    Dec 1, 2023 · attack.reconnaissance attack.discovery attack.impact

    Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL, which is often used by attackers to perform AD enumeration.

  • Potential Active Directory Enumeration Using AD Module - PsModule

    Dec 1, 2023 · attack.reconnaissance attack.discovery attack.impact

    Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL, which is often used by attackers to perform AD enumeration.

  • Potential Active Directory Enumeration Using AD Module - PsScript

    Dec 1, 2023 · attack.reconnaissance attack.discovery attack.impact

    Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL, which is often used by attackers to perform AD enumeration.

  • Potential Arbitrary Code Execution Via Node.EXE

    Dec 1, 2023 · attack.defense_evasion attack.t1127

    Detects the execution of node.exe, which is shipped with multiple software products such as VMware and Adobe, in order to execute arbitrary code, for example to establish a reverse shell as seen in Log4j attacks.

  • Potential Centos Web Panel Exploitation Attempt - CVE-2022-44877

    Dec 1, 2023 · attack.initial_access attack.t1190 cve.2022.44877 detection.emerging_threats

    Detects potential exploitation attempts that target the Centos Web Panel 7 Unauthenticated Remote Code Execution CVE-2022-44877

  • Potential Credential Dumping Attempt Using New NetworkProvider - CLI

    Dec 1, 2023 · attack.credential_access attack.t1003

    Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it

  • Potential CVE-2022-26809 Exploitation Attempt

    Dec 1, 2023 · attack.initial_access attack.t1190 attack.execution attack.t1569.002 cve.2022.26809 detection.emerging_threats

    Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)

  • Potential Data Exfiltration Via Audio File

    Dec 1, 2023 · attack.exfiltration

    Detects potential exfiltration attempt via audio file using PowerShell

  • Potential Discovery Activity Via Dnscmd.EXE

    Dec 1, 2023 · attack.discovery attack.execution attack.t1543.003

    Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones are used to host the DNS records for a particular domain.

  • Potential DLL Sideloading Of Non-Existent DLLs From System Folders

    Dec 1, 2023 · attack.defense_evasion attack.persistence attack.privilege_escalation attack.t1574.001 attack.t1574.002

    Detects DLL sideloading of system DLLs that are not present on the system by default. This is usually done to achieve techniques such as UAC bypass and privilege escalation

  • Potential DLL Sideloading Via DeviceEnroller.EXE

    Dec 1, 2023 · attack.defense_evasion attack.t1574.002

    Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that does not exist. This non-existent DLL file is named "ShellChromeAPI.dll". Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter

  • Potential Exploitation Attempt From Office Application

    Dec 1, 2023 · attack.execution attack.defense_evasion cve.2021.40444 detection.emerging_threats

    Detects Office applications executing a child process that includes directory traversal patterns. This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE)

  • Potential Exploitation Attempt Of Undocumented WindowsServer RCE

    Dec 1, 2023 · detection.emerging_threats attack.initial_access attack.t1190

    Detects potential exploitation attempt of undocumented Windows Server Pre Auth Remote Code Execution (RCE)

  • Potential Malicious AppX Package Installation Attempts

    Dec 1, 2023 · attack.defense_evasion

    Detects potential installation or installation attempts of known malicious appx packages

  • Potential Password Spraying Attempt Using Dsacls.EXE

    Dec 1, 2023 · attack.execution attack.t1218

    Detects possible password spraying attempts using Dsacls

  • Potential PendingFileRenameOperations Tamper

    Dec 1, 2023 · attack.defense_evasion attack.t1036.003

    Detects changes to the "PendingFileRenameOperations" registry key from uncommon or suspicious image locations to stage currently used files for rename after reboot.

  • Potential Persistence Via Powershell Search Order Hijacking - Task

    Dec 1, 2023 · attack.execution attack.persistence attack.t1053.005 attack.t1059.001

    Detects suspicious PowerShell execution via a scheduled task where the command ends with suspicious flags to hide the PowerShell instance instead of executing scripts or commands. This could be a sign of persistence via the PowerShell "Get-Variable" technique as seen being used in Colibri Loader

  • Potential PowerShell Execution Policy Tampering - ProcCreation

    Dec 1, 2023 · attack.defense_evasion

    Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine

  • Potential PowerShell Obfuscation Using Alias Cmdlets

    Dec 1, 2023 · attack.defense_evasion attack.execution attack.t1027 attack.t1059.001

    Detects Set-Alias or New-Alias cmdlet usage, which can be used as a means to obfuscate PowerShell scripts

  • Potential PowerShell Obfuscation Using Character Join

    Dec 1, 2023 · attack.defense_evasion attack.execution attack.t1027 attack.t1059.001

    Detects specific techniques often seen used inside of PowerShell scripts to obfuscate Alias creation

  • Potential Process Injection Via Msra.EXE

    Dec 1, 2023 · attack.defense_evasion attack.t1055

    Detects potential process injection via Microsoft Remote Assistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. It has been a target used by many threat actors and used for discovery and persistence tactics

  • Potential RDP Tunneling Via SSH

    Dec 1, 2023 · attack.command_and_control attack.t1572

    Detects execution of ssh.exe to perform data exfiltration and tunneling through RDP

  • Potential Recon Activity Via Nltest.EXE

    Dec 1, 2023 · attack.discovery attack.t1016 attack.t1482

    Detects nltest commands that can be used for information discovery

  • Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE

    Dec 1, 2023 · attack.credential_access attack.t1003.005

    Detects usage of cmdkey to look for cached credentials on the system

  • Potential Renamed Rundll32 Execution

    Dec 1, 2023 · attack.execution

    Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. This could mean that the 'rundll32' utility has been renamed in order to avoid detection

  • Potential Signing Bypass Via Windows Developer Features

    Dec 1, 2023 · attack.defense_evasion

    Detects when a user enables developer features such as "Developer Mode" or "Application Sideloading", which allow the user to install untrusted packages.

  • Potential Suspicious BPF Activity - Linux

    Dec 1, 2023 · attack.persistence attack.defense_evasion

    Detects the presence of "bpf_probe_write_user" BPF helper-generated warning messages, which could be a sign of suspicious eBPF activity on the system.

  • Potential Svchost Memory Access

    Dec 1, 2023 · attack.defense_evasion attack.t1562.002

    Detects potential access to svchost process memory such as that used by Invoke-Phantom to kill the winRM Windows event logging service.

  • Potential WinAPI Calls Via CommandLine

    Dec 1, 2023 · attack.execution attack.t1106

    Detects the use of WinAPI functions via the command line, as seen used by threat actors via the tool winapiexec

  • Potentially Over Permissive Permissions Granted Using Dsacls.EXE

    Dec 1, 2023 · attack.execution attack.t1218

    Detects usage of Dsacls to grant over-permissive permissions

  • Powershell Base64 Encoded MpPreference Cmdlet

    Dec 1, 2023 · attack.defense_evasion attack.t1562.001

    Detects base64 encoded "MpPreference" PowerShell cmdlet code that tries to modify or tamper with Windows Defender AV

  • PowerShell Base64 Encoded WMI Classes

    Dec 1, 2023 · attack.execution attack.t1059.001 attack.defense_evasion attack.t1027

    Detects calls to base64 encoded WMI class such as "Win32_Shadowcopy", "Win32_ScheduledJob", etc.

  • Powershell XML Execute Command

    Dec 1, 2023 · attack.execution attack.t1059.001

    Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code

  • PUA - DefenderCheck Execution

    Dec 1, 2023 · attack.defense_evasion attack.t1027.005

    Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.

  • PUA - Fast Reverse Proxy (FRP) Execution

    Dec 1, 2023 · attack.command_and_control attack.t1090

    Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.

  • PUA - NPS Tunneling Tool Execution

    Dec 1, 2023 · attack.command_and_control attack.t1090

    Detects the use of NPS, a port forwarding and intranet penetration proxy server

  • PUA - Seatbelt Execution

    Dec 1, 2023 · attack.discovery attack.t1526 attack.t1087 attack.t1083

    Detects the execution of the PUA/Recon tool Seatbelt via PE information or command line parameters

  • PwnKit Local Privilege Escalation

    Dec 1, 2023 · attack.privilege_escalation attack.t1548.001

    Detects potential PwnKit exploitation CVE-2021-4034 in auth logs

  • Query Usage To Exfil Data

    Dec 1, 2023 · attack.execution

    Detects usage of "query.exe", a system binary, to exfiltrate information such as "sessions" and "processes" for later use

  • Renamed BrowserCore.EXE Execution

    Dec 1, 2023 · attack.t1528 attack.t1036.003

    Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)

  • Renamed Mavinject.EXE Execution

    Dec 1, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1055.001 attack.t1218.013

    Detects the execution of a renamed version of the "Mavinject" process, which can be abused to perform process injection using the "/INJECTRUNNING" flag

  • Renamed Msdt.EXE Execution

    Dec 1, 2023 · attack.defense_evasion attack.t1036.003

    Detects the execution of a renamed "Msdt.exe" binary

  • Renamed NetSupport RAT Execution

    Dec 1, 2023 · attack.defense_evasion

    Detects the execution of a renamed "client32.exe" (NetSupport RAT) via Imphash, Product and OriginalFileName strings

  • Renamed Plink Execution

    Dec 1, 2023 · attack.defense_evasion attack.t1036

    Detects the execution of a renamed version of the Plink binary

  • Renamed Remote Utilities RAT (RURAT) Execution

    Dec 1, 2023 · attack.defense_evasion attack.collection attack.command_and_control attack.discovery attack.s0592

    Detects execution of renamed Remote Utilities (RURAT) via Product PE header field

  • Renamed Sysinternals Sdelete Execution

    Dec 1, 2023 · attack.impact attack.t1485

    Detects the use of a renamed Sysinternals Sdelete binary; renaming it is something an administrator would not normally do

  • Renamed Vmnat.exe Execution

    Dec 1, 2023 · attack.defense_evasion attack.t1574.002

    Detects a renamed vmnat.exe, or a portable version of it, that can be used for DLL side-loading

  • Restricted Software Access By SRP

    Dec 1, 2023 · attack.defense_evasion attack.t1072

    Detects restricted access to applications by the Software Restriction Policies (SRP) policy

  • Root Certificate Installed From Susp Locations

    Dec 1, 2023 · attack.defense_evasion attack.t1553.004

    Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.

  • SafeBoot Registry Key Deleted Via Reg.EXE

    Dec 1, 2023 · attack.defense_evasion attack.t1562.001

    Detects execution of "reg.exe" commands with the "delete" flag on safe boot registry keys. Often used by attackers to prevent safe boot execution of security products

  • Service Registry Key Deleted Via Reg.EXE

    Dec 1, 2023 · attack.defense_evasion attack.t1562.001

    Detects execution of "reg.exe" commands with the "delete" flag on service registry keys. Often used by attackers to remove AV software services

  • SQLite Chromium Profile Data DB Access

    Dec 1, 2023 · attack.credential_access attack.t1539 attack.t1555.003 attack.collection attack.t1005

    Detects usage of the "sqlite" binary to query databases in Chromium-based browsers for potential data stealing.

  • SQLite Firefox Profile Data DB Access

    Dec 1, 2023 · attack.credential_access attack.t1539 attack.collection attack.t1005

    Detects usage of the "sqlite" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.

  • Suspicious AppX Package Installation Attempt

    Dec 1, 2023 · attack.defense_evasion

    Detects an appx package installation with the error code "0x80073cff", which indicates that the package didn't meet the signing requirements and could be suspicious

  • Suspicious AppX Package Locations

    Dec 1, 2023 · attack.defense_evasion

    Detects an appx package added to the pipeline of "to be processed" packages that is located in a suspicious location

  • Suspicious Binary In User Directory Spawned From Office Application

    Dec 1, 2023 · attack.execution attack.t1204.002 attack.g0046 car.2013-05-002

    Detects an executable in a user's directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)

  • Suspicious Digital Signature Of AppX Package

    Dec 1, 2023 · attack.defense_evasion attack.execution

    Detects execution of AppX packages with a known suspicious or malicious signature

  • Suspicious Git Clone

    Dec 1, 2023 · attack.reconnaissance attack.t1593.003

    Detects execution of "git" to clone a remote repository whose name contains suspicious keywords

  • Suspicious Hacktool Execution - Imphash

    Dec 1, 2023 · attack.credential_access attack.t1588.002 attack.t1003

    Detects the execution of various Windows-based hacktools via their import hash (imphash), even if the files have been renamed

  • Suspicious Hacktool Execution - PE Metadata

    Dec 1, 2023 · attack.credential_access attack.t1588.002 attack.t1003

    Detects the execution of various Windows-based hacktools via PE metadata (company, product, etc.), even if the files have been renamed

  • Suspicious IIS URL GlobalRules Rewrite Via AppCmd

    Dec 1, 2023 · attack.defense_evasion

    Detects usage of "appcmd" to create new global URL rewrite rules. This behaviour has been observed being used by threat actors to add new rules so they can access their webshells.

  • Suspicious Microsoft Office Child Process - MacOS

    Dec 1, 2023 · attack.execution attack.persistence attack.t1059.002 attack.t1137.002 attack.t1204.002

    Detects suspicious child processes spawning from Microsoft Office suite applications such as Word or Excel. This could indicate malicious macro execution

  • Suspicious New Instance Of An Office COM Object

    Dec 1, 2023 · attack.execution attack.defense_evasion

    Detects an svchost process spawning an instance of an Office application. This happens when the initial Word application creates an instance of one of the Office COM objects such as 'Word.Application', 'Excel.Application', etc. This can be used by malicious actors to create malicious Office documents with macros on the fly. (See the vba2clr project in the references)

  • Suspicious PowerShell Download - PoshModule

    Dec 1, 2023 · attack.execution attack.t1059.001

    Detects suspicious PowerShell download command

  • Suspicious Rundll32 Script in CommandLine

    Dec 1, 2023 · attack.defense_evasion attack.t1218.011

    Detects a suspicious rundll32 process based on its arguments

  • Suspicious Shells Spawn by Java Utility Keytool

    Dec 1, 2023 · attack.initial_access attack.persistence attack.privilege_escalation

    Detects a suspicious shell spawned from the Java keytool utility process (e.g. ADSelfService Plus exploitation)

  • Suspicious SignIns From A Non Registered Device

    Dec 1, 2023 · attack.defense_evasion attack.t1078

    Detects risky authentication from a non-AD-registered device without MFA being required.

  • Suspicious Startup Folder Persistence

    Dec 1, 2023 · attack.persistence attack.t1547.001

    Detects when a file with a suspicious extension is created in the startup folder

  • Suspicious Use of /dev/tcp

    Dec 1, 2023 · attack.reconnaissance

    Detects suspicious commands using /dev/tcp

  • Suspicious Use of PsLogList

    Dec 1, 2023 · attack.discovery attack.t1087 attack.t1087.001 attack.t1087.002

    Detects usage of the PsLogList utility to dump event logs in order to extract admin accounts and perform account discovery, or to delete event logs

  • Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE

    Dec 1, 2023 · attack.defense_evasion attack.t1562.001

    Detects the usage of "reg.exe" to add Defender folder exclusions. Qbot has been seen using this technique to add exclusions for folders within AppData and ProgramData.

  • The Windows Defender Firewall Service Failed To Load Group Policy

    Dec 1, 2023 · attack.defense_evasion attack.t1562.004

    Detects when the Windows Defender Firewall service fails to load Group Policy

  • Touch Suspicious Service File

    Dec 1, 2023 · attack.defense_evasion attack.t1070.006

    Detects usage of the "touch" process on a service file.

  • Ufw Force Stop Using Ufw-Init

    Dec 1, 2023 · attack.defense_evasion attack.t1562.004

    Detects attempts to force-stop ufw using ufw-init

  • Uncommon AppX Package Locations

    Dec 1, 2023 · attack.defense_evasion

    Detects an appx package added to the pipeline of "to be processed" packages that is located in an uncommon location

  • Uncommon One Time Only Scheduled Task At 00:00

    Dec 1, 2023 · attack.execution attack.persistence attack.privilege_escalation attack.t1053.005

    Detects scheduled task creation events that include suspicious actions and are run only once at 00:00

  • Unsigned AppX Installation Attempt Using Add-AppxPackage

    Dec 1, 2023 · attack.persistence attack.defense_evasion

    Detects usage of the "Add-AppxPackage" cmdlet or its alias "Add-AppPackage" to install unsigned AppX packages

  • Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript

    Dec 1, 2023 · attack.persistence attack.defense_evasion

    Detects usage of the "Add-AppxPackage" cmdlet or its alias "Add-AppPackage" to install unsigned AppX packages

  • Usage Of Web Request Commands And Cmdlets - ScriptBlock

    Dec 1, 2023 · attack.execution attack.t1059.001

    Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell scriptblock logs

  • VsCode Powershell Profile Modification

    Dec 1, 2023 · attack.persistence attack.privilege_escalation attack.t1546.013

    Detects the creation or modification of a VSCode-related PowerShell profile, which could indicate suspicious activity as the profile can be used as a means of persistence

  • Mint Sandstorm - Log4J Wstomcat Process Execution

    Nov 29, 2023 · attack.execution detection.emerging_threats

    Detects Log4J Wstomcat process execution as seen in Mint Sandstorm activity

  • Enabling Dev Drive With Disabled AV

    Nov 29, 2023 · attack.defense.evasion attack.T1562.001

    Detects the execution of fsutil.exe to enable a Dev Drive with an argument that disables the AV on the created drive. This technique is available starting with Windows 11.

  • New Netsh Helper DLL Registered From A Suspicious Location

    Nov 28, 2023 · attack.persistence attack.t1546.007

    Detects changes to the Netsh registry key to add a new DLL value that is located in a suspicious location. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper

  • Potential Persistence Via Netsh Helper DLL

    Nov 28, 2023 · attack.privilege_escalation attack.persistence attack.t1546.007 attack.s0108

    Detects the execution of netsh with "add helper" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.

  • Potential Persistence Via Netsh Helper DLL - Registry

    Nov 28, 2023 · attack.persistence attack.t1546.007

    Detects changes to the Netsh registry key to add a new DLL value. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper

  • CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy

    Nov 28, 2023 · detection.emerging_threats attack.initial_access attack.t1190 cve.2023.4966

    Detects an exploitation attempt of CVE-2023-4966, a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability, via proxy logs by looking for a very long Host header string.

  • CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver

    Nov 28, 2023 · detection.emerging_threats attack.initial_access attack.t1190 cve.2023.4966

    Detects an exploitation attempt of CVE-2023-4966, a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability, via webserver logs by looking for a very long Host header string.

  • CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy

    Nov 28, 2023 · detection.emerging_threats attack.initial_access attack.t1190 cve.2023.4966

    Detects a potential exploitation attempt of CVE-2023-4966, a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability, via proxy logs.

  • CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver

    Nov 28, 2023 · detection.emerging_threats attack.initial_access attack.t1190 cve.2023.4966

    Detects a potential exploitation attempt of CVE-2023-4966, a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability, via webserver logs.

  • Load Of RstrtMgr.DLL By A Suspicious Process

    Nov 28, 2023 · attack.impact attack.defense_evasion attack.t1486 attack.t1562.001

    Detects the load of the RstrtMgr DLL (Restart Manager) by a suspicious process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking files (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. It could also be used for anti-analysis purposes by shutting down specific processes.

  • Load Of RstrtMgr.DLL By An Uncommon Process

    Nov 28, 2023 · attack.impact attack.defense_evasion attack.t1486 attack.t1562.001

    Detects the load of the RstrtMgr DLL (Restart Manager) by an uncommon process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking files (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. It could also be used for anti-analysis purposes by shutting down specific processes.

  • Suspicious Path In Keyboard Layout IME File Registry Value

    Nov 28, 2023 · attack.defense_evasion attack.t1562.001

    Detects usage of the Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message. Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path. IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.

  • Uncommon Extension In Keyboard Layout IME File Registry Value

    Nov 28, 2023 · attack.defense_evasion attack.t1562.001

    Detects usage of the Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message. Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path. IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.

  • Wusa.EXE Executed By Parent Process Located In Suspicious Location

    Nov 28, 2023 · attack.execution

    Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility by a parent process that is located in a suspicious location.

  • Wusa.EXE Extracting Cab Files From Suspicious Paths

    Nov 28, 2023 · attack.execution

    Detects usage of the "wusa.exe" (Windows Update Standalone Installer) utility to extract cab files, using the "/extract" argument, from suspicious paths

  • Chromium Browser Instance Executed With Custom Extension

    Nov 28, 2023 · attack.persistence attack.t1176

    Detects a Chromium based browser process with the 'load-extension' flag to start an instance with a custom extension

  • Suspicious Chromium Browser Instance Executed With Custom Extension

    Nov 28, 2023 · attack.persistence attack.t1176

    Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start an instance with a custom extension

  • Exchange Exploitation Used by HAFNIUM

    Nov 28, 2023 · attack.initial_access attack.t1190 attack.g0125 detection.emerging_threats

    Detects exploitation attempts in Exchange server logs as described in blog posts reporting on HAFNIUM group activity

  • HAFNIUM Exchange Exploitation Activity

    Nov 28, 2023 · attack.persistence attack.t1546 attack.t1053 attack.g0125 detection.emerging_threats

    Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers

  • Lazarus APT DLL Sideloading Activity

    Nov 28, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1574.001 attack.t1574.002 attack.g0032 detection.emerging_threats

    Detects sideloading of trojanized DLLs used in the Lazarus APT campaign against a Spanish aerospace company

  • Potential APT FIN7 POWERHOLD Execution

    Nov 28, 2023 · attack.execution attack.t1059.001 attack.g0046 detection.emerging_threats

    Detects execution of the POWERHOLD script seen used by FIN7 as reported by WithSecureLabs

  • Potential APT FIN7 Reconnaissance/POWERTRASH Related Activity

    Nov 28, 2023 · attack.execution attack.g0046 detection.emerging_threats

    Detects specific command line execution used by FIN7 as reported by WithSecureLabs for reconnaissance and POWERTRASH execution

  • Potential APT FIN7 Related PowerShell Script Created

    Nov 28, 2023 · attack.execution attack.g0046 detection.emerging_threats

    Detects PowerShell script file creation with a specific name or suffix that has often been seen used by FIN7 PowerShell scripts

  • Potential APT Mustang Panda Activity Against Australian Gov

    Nov 28, 2023 · attack.execution attack.g0129 detection.emerging_threats

    Detects specific command line execution used by Mustang Panda in a targeted attack against the Australian government as reported by Lab52

  • Potential Operation Triangulation C2 Beaconing Activity - DNS

    Nov 28, 2023 · attack.command_and_control attack.g0020 detection.emerging_threats

    Detects potential beaconing activity to domains used in 0day attacks on iOS devices and revealed by Kaspersky and the FSB

  • Potential Operation Triangulation C2 Beaconing Activity - Proxy

    Nov 28, 2023 · attack.command_and_control attack.g0020 detection.emerging_threats

    Detects potential beaconing activity to domains used in 0day attacks on iOS devices and revealed by Kaspersky and the FSB

  • Potential POWERTRASH Script Execution

    Nov 28, 2023 · attack.execution attack.t1059.001 attack.g0046 detection.emerging_threats

    Detects potential execution of the PowerShell script POWERTRASH

  • WMI Module Loaded By Non Uncommon Process

    Nov 27, 2023 · attack.execution attack.t1047

    Detects WMI modules being loaded by an uncommon process

  • Exploitation Attempt Of CVE-2023-46214 Using Public POC Code

    Nov 27, 2023 · cve.2023.46214 detection.emerging_threats attack.lateral_movement attack.t1210

    Detects an exploitation attempt of CVE-2023-46214, a remote code execution (RCE) vulnerability in Splunk Enterprise caused by insecure XML parsing, using known public proof-of-concept code

  • Potential CVE-2023-46214 Exploitation Attempt

    Nov 27, 2023 · attack.lateral_movement attack.t1210 cve.2023.46214 detection.emerging_threats

    Detects potential exploitation of CVE-2023-46214, a remote code execution (RCE) vulnerability in Splunk Enterprise caused by insecure XML parsing

  • CobaltStrike Named Pipe Patterns

    Nov 27, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1055 stp.1k

    Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles

  • Potential Access Token Abuse

    Nov 27, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1134.001 stp.4u

    Detects potential token impersonation and theft, for example when using "DuplicateToken(Ex)" and "ImpersonateLoggedOnUser" with the "LOGON32_LOGON_NEW_CREDENTIALS" flag.

  • PUA - AdFind Suspicious Execution

    Nov 27, 2023 · attack.discovery attack.t1018 attack.t1087.002 attack.t1482 attack.t1069.002 stp.1u

    Detects AdFind execution with common flags seen used during attacks

  • Scheduled Task Creation

    Nov 27, 2023 · attack.execution attack.persistence attack.privilege_escalation attack.t1053.005 attack.s0111 car.2013-08-001 stp.1u

    Detects the creation of scheduled tasks in a user session

  • Service Registry Permissions Weakness Check

    Nov 27, 2023 · attack.persistence attack.t1574.011 stp.2a

    Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions of Registry keys to redirect from the originally specified executable to one that they control, in order to launch their own code at service start. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services

  • Enabling COR Profiler Environment Variables

    Nov 27, 2023 · attack.persistence attack.privilege_escalation attack.defense_evasion attack.t1574.012

    Detects .NET Framework CLR and .NET Core CLR "cor_enable_profiling" and "cor_profiler" variables being set and configured.

  • Rundll32 Execution Without DLL File

    Nov 20, 2023 · attack.defense_evasion attack.t1218.011

    Detects the execution of rundll32 with a command line that doesn't contain a .dll file

  • DNS Query To Devtunnels Domain

    Nov 20, 2023 · attack.command_and_control attack.t1071.001

    Detects DNS query requests to Devtunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.

  • DNS Query To Visual Studio Code Tunnels Domain

    Nov 20, 2023 · attack.command_and_control attack.t1071.001

    Detects DNS query requests to Visual Studio Code tunnel domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.

  • Network Connection Initiated To DevTunnels Domain

    Nov 20, 2023 · attack.exfiltration attack.t1567.001

    Detects network connections to Devtunnels domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.

  • Network Connection Initiated To Visual Studio Code Tunnels Domain

    Nov 20, 2023 · attack.exfiltration attack.t1567.001

    Detects network connections to Visual Studio Code tunnel domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.

  • Disable Internal Tools or Feature in Registry

    Nov 20, 2023 · attack.defense_evasion attack.t1112

    Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)

  • Potentially Suspicious EventLog Recon Activity Using Log Query Utilities

    Nov 20, 2023 · attack.credential_access attack.discovery attack.t1552

    Detects execution of different log query utilities to search and dump the content of specific event logs or look for specific event IDs.

  • Communication To Ngrok Domains

    Nov 17, 2023 · attack.exfiltration attack.t1567.001

    Detects an executable accessing ngrok domains, which could be a sign of forbidden data exfiltration by malicious actors

  • Potentially Suspicious Wuauclt Network Connection

    Nov 17, 2023 · attack.defense_evasion attack.t1218

    Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making network connections. One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule.

  • Bad Opsec Defaults Sacrificial Processes With Improper Arguments

    Nov 15, 2023 · attack.defense_evasion attack.t1218.011

    Detects attackers using tooling with bad opsec defaults. E.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run. One trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.

  • EVTX Created In Uncommon Location

    Nov 15, 2023 · attack.defense_evasion attack.t1562.002

    Detects the creation of new files with the ".evtx" extension in uncommon locations, which could indicate tampering with default evtx locations in order to evade security controls

  • Findstr GPP Passwords

    Nov 15, 2023 · attack.credential_access attack.t1552.006

    Looks for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt.

  • Findstr Launching .lnk File

    Nov 15, 2023 · attack.defense_evasion attack.t1036 attack.t1202 attack.t1027.003

    Detects usage of findstr to identify and execute a .lnk file as seen within the HHS redirect attack

  • Insensitive Subfolder Search Via Findstr.EXE

    Nov 15, 2023 · attack.defense_evasion attack.t1218 attack.t1564.004 attack.t1552.001 attack.t1105

    Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.

  • LSASS Process Reconnaissance Via Findstr.EXE

    Nov 15, 2023 · attack.credential_access attack.t1552.006

    Detects findstr commands that include the keyword lsass, which indicates recon activity for the LSASS process PID

  • Permission Misconfiguration Reconnaissance Via Findstr.EXE

    Nov 15, 2023 · attack.credential_access attack.t1552.006

    Detects usage of findstr with the "EVERYONE" or "BUILTIN" keywords. This is seen being used in combination with "icacls" to look for misconfigured file or folder permissions

  • Proxy Execution Via Wuauclt.EXE

    Nov 15, 2023 · attack.defense_evasion attack.t1218 attack.execution

    Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution.

  • Recon Command Output Piped To Findstr.EXE

    Nov 15, 2023 · attack.discovery attack.t1057

    Detects the execution of a potential recon command where the results are piped to "findstr". This is meant to trigger on inline calls of "cmd.exe" via the "/c" or "/k" flags, for example. Attackers often use this to extract specific information they require in their chain.

  • Remote File Download Via Findstr.EXE

    calendar Nov 15, 2023 · attack.defense_evasion attack.t1218 attack.t1564.004 attack.t1552.001 attack.t1105  ·
    Share on: twitter facebook linkedin copy

    Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry.

  • Remote Thread Creation By Uncommon Source Image

    calendar Nov 15, 2023 · attack.privilege_escalation attack.defense_evasion attack.t1055  ·

    Detects uncommon processes creating remote threads

  • Renamed Office Binary Execution

    calendar Nov 15, 2023 · attack.defense_evasion  ·

    Detects the execution of a renamed office binary

  • Security Tools Keyword Lookup Via Findstr.EXE

    calendar Nov 15, 2023 · attack.discovery attack.t1518.001  ·

    Detects execution of "findstr" to search for common names of security tools. Attackers often pipe the results of recon commands such as "tasklist" or "whoami" to "findstr" in order to filter out the results. This detection focuses on the keywords that the attacker might use as a filter.

  • Suspicious Appended Extension

    calendar Nov 15, 2023 · attack.impact attack.t1486  ·

    Detects file renames where the target filename uses an uncommon double extension. Could indicate potential ransomware activity renaming files and adding a custom extension to the encrypted files, such as ".jpg.crypted", ".docx.locky", etc.

  • Suspicious Shim Database Installation via Sdbinst.EXE

    calendar Nov 15, 2023 · attack.persistence attack.privilege_escalation attack.t1546.011  ·

    Detects installation of a potentially suspicious new shim with an uncommon extension using sdbinst.exe. Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims

  • Suspicious Windows Update Agent Empty Cmdline

    calendar Nov 15, 2023 · attack.defense_evasion attack.t1036  ·

    Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags

  • Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE

    calendar Nov 15, 2023 · attack.discovery attack.t1518.001  ·

    Detects usage of "findstr" with the argument "385201", which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the service name is changed).

  • Uncommon Userinit Child Process

    calendar Nov 15, 2023 · attack.t1037.001 attack.persistence  ·

    Detects uncommon "userinit.exe" child processes, which could be a sign of uncommon shells or login scripts used for persistence.

  • Windows Defender Exclusion Deleted

    calendar Nov 15, 2023 · attack.defense_evasion attack.t1562.001  ·

    Detects when a Windows Defender exclusion has been deleted. This could indicate an attacker trying to cover their tracks by removing previously added exclusions

  • Windows Defender Exclusion List Modified

    calendar Nov 15, 2023 · attack.defense_evasion attack.t1562.001  ·

    Detects modifications to the Windows Defender exclusion registry key. This could indicate potentially suspicious or even malicious activity by an attacker trying to add a new exclusion in order to bypass security.

  • Windows Defender Exclusion Registry Key - Write Access Requested

    calendar Nov 15, 2023 · attack.defense_evasion attack.t1562.001  ·

    Detects write access requests to the Windows Defender exclusions registry keys. This could be an indication of an attacker trying to request a handle or access the object to write new exclusions in order to bypass security.

  • CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)

    calendar Nov 15, 2023 · detection.emerging_threats attack.execution attack.t1059 attack.initial_access attack.t1190 cve.2023.22518  ·

    Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.

  • CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)

    calendar Nov 15, 2023 · detection.emerging_threats attack.execution attack.t1059 attack.initial_access attack.t1190 cve.2023.22518  ·

    Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.

  • CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Proxy)

    calendar Nov 15, 2023 · detection.emerging_threats attack.initial_access attack.t1190 cve.2023.22518  ·

    Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.

  • CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Webserver)

    calendar Nov 15, 2023 · detection.emerging_threats attack.initial_access attack.t1190 cve.2023.22518  ·

    Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.

  • Potential Information Disclosure CVE-2023-43261 Exploitation - Proxy

    calendar Nov 15, 2023 · attack.initial_access attack.t1190 cve.2023.43621 detection.emerging_threats  ·

    Detects, in proxy logs, exploitation attempts of CVE-2023-43261, an information disclosure vulnerability in Milesight UR5X, UR32L, UR32, UR35 and UR41 before v35.3.0.7 that allows attackers to access sensitive router components.

  • Potential Information Disclosure CVE-2023-43261 Exploitation - Web

    calendar Nov 15, 2023 · attack.initial_access attack.t1190 cve.2023.43621 detection.emerging_threats  ·

    Detects, in web server access logs, exploitation attempts of CVE-2023-43261, an information disclosure vulnerability in Milesight UR5X, UR32L, UR32, UR35 and UR41 before v35.3.0.7 that allows attackers to access sensitive router components.

  • AppX Package Installation Attempts Via AppInstaller.EXE

    calendar Nov 14, 2023 · attack.command_and_control attack.t1105  ·

    Detects DNS queries made by "AppInstaller.EXE". The AppInstaller is the default handler for the "ms-appinstaller" URI. It attempts to load/install a package from the referenced URL

  • Arbitrary File Download Via IMEWDBLD.EXE

    calendar Nov 14, 2023 · attack.defense_evasion attack.execution attack.t1218  ·

    Detects usage of "IMEWDBLD.exe" to download arbitrary files

  • Arbitrary File Download Via MSEDGE_PROXY.EXE

    calendar Nov 14, 2023 · attack.defense_evasion attack.execution attack.t1218  ·

    Detects usage of "msedge_proxy.exe" to download arbitrary files

  • Arbitrary File Download Via MSOHTMED.EXE

    calendar Nov 14, 2023 · attack.defense_evasion attack.execution attack.t1218  ·

    Detects usage of "MSOHTMED" to download arbitrary files

  • Arbitrary File Download Via MSPUB.EXE

    calendar Nov 14, 2023 · attack.defense_evasion attack.execution attack.t1218  ·

    Detects usage of "MSPUB" (Microsoft Publisher) to download arbitrary files

  • Arbitrary File Download Via PresentationHost.EXE

    calendar Nov 14, 2023 · attack.defense_evasion attack.execution attack.t1218  ·

    Detects usage of "PresentationHost", a utility that runs ".xbap" (Browser Application) files, to download arbitrary files

  • Arbitrary File Download Via Squirrel.EXE

    calendar Nov 14, 2023 · attack.defense_evasion attack.execution attack.t1218  ·

    Detects the usage of "Squirrel.exe" to download arbitrary files. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)

  • File Download And Execution Via IEExec.EXE

    calendar Nov 14, 2023 · attack.command_and_control attack.t1105  ·

    Detects execution of the IEExec utility to download and execute files

  • File Download From Browser Process Via Inline URL

    calendar Nov 14, 2023 · attack.command_and_control attack.t1105  ·

    Detects execution of a browser process with a URL argument pointing to a file with a potentially interesting extension. This can be abused to download arbitrary files or to hide from the user for example by launching the browser in a minimized state.

  • File Download Using ProtocolHandler.exe

    calendar Nov 14, 2023 · attack.defense_evasion attack.t1218  ·

    Detects usage of "ProtocolHandler" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)

  • File Download Via InstallUtil.EXE

    calendar Nov 14, 2023 · attack.defense_evasion attack.t1218  ·

    Detects use of .NET InstallUtil.exe in order to download arbitrary files. The files will be written to "%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE"

  • File Download Via Windows Defender MpCmdRun.EXE

    calendar Nov 14, 2023 · attack.defense_evasion attack.t1218 attack.command_and_control attack.t1105  ·

    Detects the use of Windows Defender MpCmdRun.EXE to download files

  • Msxsl.EXE Execution

    calendar Nov 14, 2023 · attack.defense_evasion attack.t1220  ·

    Detects the execution of the MSXSL utility. This can be used to execute Extensible Stylesheet Language (XSL) files. These files are commonly used to describe the processing and rendering of data within XML files. Adversaries can abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.

  • Network Connection Initiated By IMEWDBLD.EXE

    calendar Nov 14, 2023 · attack.command_and_control attack.t1105  ·

    Detects network connections initiated by IMEWDBLD. This might indicate potential abuse to download arbitrary files via this utility

  • Potential File Download Via MS-AppInstaller Protocol Handler

    calendar Nov 14, 2023 · attack.defense_evasion attack.execution attack.t1218  ·

    Detects usage of the "ms-appinstaller" protocol handler via command line to potentially download arbitrary files via AppInstaller.EXE. The downloaded files are temporarily stored in ":\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\<RANDOM-8-CHAR-DIRECTORY>"

  • Potentially Suspicious Electron Application CommandLine

    calendar Nov 14, 2023 · attack.execution  ·

    Detects a potentially suspicious command line of Electron apps (Teams, Discord, Slack, etc.). This could be a sign of abuse to proxy execution through a signed binary.

  • Process Proxy Execution Via Squirrel.EXE

    calendar Nov 14, 2023 · attack.defense_evasion attack.execution attack.t1218  ·

    Detects the usage of the "Squirrel.exe" binary to execute arbitrary processes. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)

  • Remote XSL Execution Via Msxsl.EXE

    calendar Nov 14, 2023 · attack.defense_evasion attack.t1220  ·

    Detects the execution of the "msxsl" binary with an "http" keyword in the command line. This might indicate a potential remote execution of XSL files.

  • Suspicious Calculator Usage

    calendar Nov 14, 2023 · attack.defense_evasion attack.t1036  ·

    Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion.

  • Uncommon Child Process Of Appvlp.EXE

    calendar Nov 14, 2023 · attack.t1218 attack.defense_evasion attack.execution  ·

    Detects uncommon child processes of Appvlp.EXE. Appvlp, the Application Virtualization Utility, is included with Microsoft Office. Attackers are able to abuse "AppVLP" to execute shell commands. Normally, this binary is used for Application Virtualization, but it can also be abused to circumvent the ASR file path rule folder or to mark a file as a system file.

  • XBAP Execution From Uncommon Locations Via PresentationHost.EXE

    calendar Nov 14, 2023 · attack.defense_evasion attack.execution attack.t1218  ·

    Detects the execution of ".xbap" (Browser Application) files via PresentationHost.EXE from an uncommon location. PresentationHost can be abused to run malicious ".xbap" files and bypass application whitelisting (AWL)

  • XSL Script Execution Via WMIC.EXE

    calendar Nov 14, 2023 · attack.defense_evasion attack.t1220  ·

    Detects the execution of WMIC with the "format" flag to potentially load XSL files. Adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files.

  • CobaltStrike Malleable Amazon Browsing Traffic Profile

    calendar Nov 14, 2023 · attack.defense_evasion attack.command_and_control attack.t1071.001  ·

    Detects the Cobalt Strike Malleable C2 "Amazon" browsing traffic profile

  • Confluence Exploitation CVE-2019-3398

    calendar Nov 14, 2023 · attack.initial_access attack.t1190 cve.2019.3398 detection.emerging_threats  ·

    Detects the exploitation of the Confluence vulnerability described in CVE-2019-3398

  • CVE-2021-21972 VSphere Exploitation

    calendar Nov 14, 2023 · attack.initial_access attack.t1190 cve.2021.21972 detection.emerging_threats  ·

    Detects the exploitation of VSphere Remote Code Execution vulnerability as described in CVE-2021-21972

  • CVE-2021-21978 Exploitation Attempt

    calendar Nov 14, 2023 · attack.initial_access attack.t1190 cve.2021.21978 detection.emerging_threats  ·

    Detects the exploitation of the VMware View Planner vulnerability described in CVE-2021-21978

  • CVE-2021-33766 Exchange ProxyToken Exploitation

    calendar Nov 14, 2023 · attack.initial_access attack.t1190 cve.2021.33766 detection.emerging_threats  ·

    Detects the exploitation of Microsoft Exchange ProxyToken vulnerability as described in CVE-2021-33766

  • CVE-2023-46747 Exploitation Activity - Proxy

    calendar Nov 14, 2023 · attack.initial_access attack.t1190 detection.emerging_threats cve.2023.46747  ·

    Detects exploitation activity of CVE-2023-46747, an unauthenticated remote code execution vulnerability in F5 BIG-IP.

  • CVE-2023-46747 Exploitation Activity - Webserver

    calendar Nov 14, 2023 · attack.initial_access attack.t1190 detection.emerging_threats cve.2023.46747  ·

    Detects exploitation activity of CVE-2023-46747, an unauthenticated remote code execution vulnerability in F5 BIG-IP.

  • Empire UserAgent URI Combo

    calendar Nov 14, 2023 · attack.defense_evasion attack.command_and_control attack.t1071.001  ·

    Detects user agent and URI paths used by Empire agents

  • Exchange Exploitation CVE-2021-28480

    calendar Nov 14, 2023 · attack.initial_access attack.t1190 cve.2021.28480 detection.emerging_threats  ·

    Detects successful exploitation of Exchange vulnerability as reported in CVE-2021-28480

  • F5 BIG-IP iControl Rest API Command Execution - Proxy

    calendar Nov 14, 2023 · attack.initial_access attack.t1190  ·

    Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP

  • F5 BIG-IP iControl Rest API Command Execution - Webserver

    calendar Nov 14, 2023 · attack.execution attack.t1190  ·

    Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP

  • Potential CVE-2022-21587 Exploitation Attempt

    calendar Nov 14, 2023 · attack.initial_access attack.t1190 cve.2022.21587 detection.emerging_threats  ·

    Detects potential exploitation attempts of CVE-2022-21587, an arbitrary file upload vulnerability impacting Oracle E-Business Suite (EBS). CVE-2022-21587 can lead to unauthenticated remote code execution.

  • Potential OWASSRF Exploitation Attempt - Proxy

    calendar Nov 14, 2023 · attack.initial_access attack.t1190  ·

    Detects exploitation attempts of the OWASSRF variant targeting Exchange servers. It uses the OWA endpoint to access the PowerShell backend endpoint.

  • Potential OWASSRF Exploitation Attempt - Webserver

    calendar Nov 14, 2023 · attack.initial_access attack.t1190 detection.emerging_threats  ·

    Detects exploitation attempts of the OWASSRF variant targeting Exchange servers. It uses the OWA endpoint to access the PowerShell backend endpoint.

  • ProxyLogon Reset Virtual Directories Based On IIS Log

    calendar Nov 14, 2023 · cve.2021.26858 detection.emerging_threats attack.initial_access attack.t1190  ·

    Detects, in IIS logs, the manipulation of virtual directories via SSRF that occurs when CVE-2021-26858 (ProxyLogon) is exploited

  • Zimbra Collaboration Suite Email Server Unauthenticated RCE

    calendar Nov 14, 2023 · attack.initial_access attack.t1190 cve.2022.27925 detection.emerging_threats  ·

    Detects an attempt to leverage the vulnerable servlet "mboximport" for an unauthenticated remote command injection

  • Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp

    calendar Nov 14, 2023 · attack.t1021.003 attack.lateral_movement  ·

    Detects suspicious child processes of Excel which could be an indicator of lateral movement leveraging the "ActivateMicrosoftApp" Excel DCOM object.

  • APT User Agent

    calendar Nov 13, 2023 · attack.command_and_control attack.t1071.001  ·

    Detects suspicious user agent strings used in APT malware in proxy logs

  • Suspicious Process By Web Server Process

    calendar Nov 11, 2023 · attack.persistence attack.t1505.003 attack.t1190  ·

    Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation

  • Files With System Process Name In Unsuspected Locations

    calendar Nov 10, 2023 · attack.defense_evasion attack.t1036.005  ·

    Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).

  • ISO Image Mounted

    calendar Nov 10, 2023 · attack.initial_access attack.t1566.001  ·

    Detects the mount of an ISO image on an endpoint

  • NotPetya Ransomware Activity

    calendar Nov 10, 2023 · attack.defense_evasion attack.t1218.011 attack.t1070.001 attack.credential_access attack.t1003.001 car.2016-04-002 detection.emerging_threats  ·

    Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and Windows eventlogs are cleared using wevtutil

  • Portable Gpg.EXE Execution

    calendar Nov 10, 2023 · attack.impact attack.t1486  ·

    Detects the execution of "gpg.exe" from an uncommon location. Often used by ransomware and loaders to decrypt/encrypt data.

  • Potential NT API Stub Patching

    calendar Nov 10, 2023 · attack.defense_evasion attack.t1562.002  ·

    Detects potential NT API stub patching as seen used by the project PatchingAPI

  • Remote Thread Creation Via PowerShell In Potentially Suspicious Target

    calendar Nov 10, 2023 · attack.defense_evasion attack.execution attack.t1218.011 attack.t1059.001  ·

    Detects the creation of a remote thread from a Powershell process in a potentially suspicious target process

  • Suspicious Whoami.EXE Execution

    calendar Nov 10, 2023 · attack.discovery attack.t1033 car.2016-03-001  ·

    Detects the execution of "whoami.exe" with the "/all" flag or with redirection options to export the results to a file for later use.

  • Suspicious WmiPrvSE Child Process

    calendar Nov 10, 2023 · attack.execution attack.defense_evasion attack.t1047 attack.t1204.002 attack.t1218.010  ·

    Detects suspicious and uncommon child processes of WmiPrvSE

  • smbexec.py Service Installation

    calendar Nov 10, 2023 · attack.lateral_movement attack.execution attack.t1021.002 attack.t1569.002  ·

    Detects the use of the smbexec.py tool by detecting a specific service installation

  • Chopper Webshell Process Pattern

    calendar Nov 10, 2023 · attack.persistence attack.t1505.003 attack.t1018 attack.t1033 attack.t1087  ·

    Detects patterns found in process executions caused by China Chopper-like tiny (ASPX) web shells

  • Lace Tempest Cobalt Strike Download

    calendar Nov 10, 2023 · attack.execution detection.emerging_threats  ·

    Detects specific command line execution used by Lace Tempest to download Cobalt Strike as reported by SysAid Team

  • Lace Tempest File Indicators

    calendar Nov 10, 2023 · attack.execution detection.emerging_threats  ·

    Detects PowerShell script file creation with specific names or suffixes which were often seen being used in PowerShell scripts by FIN7

  • Lace Tempest Malware Loader Execution

    calendar Nov 10, 2023 · attack.execution detection.emerging_threats  ·

    Detects execution of a specific binary based on filename and hash used by Lace Tempest to load additional malware as reported by SysAid Team

  • Lace Tempest PowerShell Evidence Eraser

    calendar Nov 10, 2023 · attack.execution attack.t1059.001 detection.emerging_threats  ·

    Detects a PowerShell script used by Lace Tempest APT to erase evidence from victim servers by exploiting CVE-2023-47246 as reported by SysAid Team

  • Lace Tempest PowerShell Launcher

    calendar Nov 10, 2023 · attack.execution attack.t1059.001 detection.emerging_threats  ·

    Detects a PowerShell script used by Lace Tempest APT to launch their malware loader by exploiting CVE-2023-47246 as reported by SysAid Team

  • Shell Process Spawned by Java.EXE

    calendar Nov 10, 2023 · attack.initial_access attack.persistence attack.privilege_escalation  ·

    Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation)

  • Suspicious Processes Spawned by Java.EXE

    calendar Nov 10, 2023 · attack.initial_access attack.persistence attack.privilege_escalation  ·

    Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j)

  • Webshell Detection With Command Line Keywords

    calendar Nov 10, 2023 · attack.persistence attack.t1505.003 attack.t1018 attack.t1033 attack.t1087  ·

    Detects certain command line parameters often used during reconnaissance activity via web shells

  • Webshell Hacking Activity Patterns

    calendar Nov 10, 2023 · attack.persistence attack.t1505.003 attack.t1018 attack.t1033 attack.t1087  ·

    Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system

  • Webshell Tool Reconnaissance Activity

    calendar Nov 10, 2023 · attack.persistence attack.t1505.003  ·

    Detects processes spawned from web servers (PHP, Tomcat, IIS, etc.) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands

  • Execute Code with Pester.bat

    calendar Nov 9, 2023 · attack.execution attack.t1059.001 attack.defense_evasion attack.t1216  ·

    Detects code execution via Pester.bat (Pester is a PowerShell module for testing)

  • Office Application Startup - Office Test

    calendar Nov 8, 2023 · attack.persistence attack.t1137.002  ·

    Detects the addition of the Office Test registry key, which allows a user to specify an arbitrary DLL that will be executed every time an Office application is started

  • Potential AD User Enumeration From Non-Machine Account

    calendar Nov 8, 2023 · attack.discovery attack.t1087.002  ·

    Detects read access to a domain user from a non-machine account

  • Csc.EXE Execution From Potentially Suspicious Parent

    calendar Nov 6, 2023 · attack.execution attack.t1059.005 attack.t1059.007 attack.defense_evasion attack.t1218.005 attack.t1027.004  ·

    Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery.

  • Dynamic .NET Compilation Via Csc.EXE

    calendar Nov 6, 2023 · attack.defense_evasion attack.t1027.004  ·

    Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.

  • Malware User Agent

    calendar Nov 6, 2023 · attack.command_and_control attack.t1071.001  ·

    Detects suspicious user agent strings used by malware in proxy logs

  • Obfuscated IP Download Activity

    calendar Nov 6, 2023 · attack.discovery  ·

    Detects use of an encoded/obfuscated version of an IP address (hex, octal, etc.) in a URL combined with a download command

  • Obfuscated IP Via CLI

    calendar Nov 6, 2023 · attack.discovery  ·

    Detects usage of an encoded/obfuscated version of an IP address (hex, octal, etc.) via command line

  • Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback

    calendar Nov 6, 2023 · attack.defense_evasion attack.t1562.001  ·

    Detects enabling of the "AllowAnonymousCallback" registry value, which allows a remote connection between computers that do not have a trust relationship.

  • HackTool - CrackMapExec Execution Patterns

    calendar Nov 6, 2023 · attack.execution attack.t1047 attack.t1053 attack.t1059.003 attack.t1059.001 attack.s0106  ·

    Detects various execution patterns of the CrackMapExec pentesting framework

  • Port Forwarding Activity Via SSH.EXE

    calendar Nov 6, 2023 · attack.command_and_control attack.lateral_movement attack.t1572 attack.t1021.001 attack.t1021.004  ·

    Detects port forwarding activity via SSH.exe

  • Potentially Suspicious Cabinet File Expansion

    calendar Nov 6, 2023 · attack.execution attack.t1218  ·

    Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. seen in Iranian MeteorExpress related attacks

  • Suspicious File Creation Activity From Fake Recycle.Bin Folder

    calendar Nov 6, 2023 · attack.persistence attack.defense_evasion  ·

    Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware

  • Suspicious Process Execution From Fake Recycle.Bin Folder

    calendar Nov 6, 2023 · attack.persistence attack.defense_evasion  ·

    Detects process execution from a fake recycle bin folder, often used to evade security solutions.

  • Weak or Abused Passwords In CLI

    calendar Nov 6, 2023 · attack.defense_evasion attack.execution  ·

    Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI. An example would be a threat actor creating a new user via the net command and providing the password inline

  • Potential Pikabot C2 Activity - Suspicious Process Created By Rundll32.EXE

    Nov 6, 2023 · attack.command_and_control attack.t1573 detection.emerging_threats

    Detects the execution of rundll32 that leads to an external network connection. The malware Pikabot has been seen to use this technique to initiate C2-communication through hard-coded Windows binaries.

  • Potential Pikabot Discovery Activity - Suspicious Process Created By Rundll32.EXE

    Nov 6, 2023 · attack.discovery attack.t1016 attack.t1049 attack.t1087 detection.emerging_threats

    Detects the execution of rundll32 that leads to system discovery activity, such as network, user and domain group information. The malware Pikabot has been seen to use this technique as part of its C2-botnet registration, with a short collection time frame (less than 1 minute).

  • Potential Pikabot Hollowing Activity - Suspicious Process Created By Rundll32.EXE

    Nov 6, 2023 · attack.defense_evasion attack.t1055.012 detection.emerging_threats

    Detects the execution of rundll32 that leads to the invocation of legitimate Windows binaries. The malware Pikabot has been seen to use this technique for process hollowing through hard-coded Windows binaries

  • Disabled AV On Dev Drive via Registry

    Nov 5, 2023 · attack.defense.evasion attack.T1562.001

    Detects the registry change that enables a Dev Drive without allowing AV to access the created drive. This technique is available starting with Windows 11.

  • Potential Active Directory Reconnaissance/Enumeration Via LDAP

    Nov 3, 2023 · attack.discovery attack.t1069.002 attack.t1087.002 attack.t1482

    Detects potential Active Directory enumeration via LDAP

  • Suspicious Non-Browser Network Communication With Google API

    Nov 3, 2023 · attack.command_and_control attack.t1102

    Detects a non-browser process interacting with the Google API which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet)

  • Uncommon PowerShell Hosts

    Nov 3, 2023 · attack.execution attack.t1059.001

    Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe

  • AADInternals PowerShell Cmdlets Execution - ProcessCreation

    Nov 2, 2023 · attack.execution attack.reconnaissance attack.discovery attack.credential_access attack.impact

    Detects AADInternals cmdlet execution. AADInternals is a tool for administering Azure AD and Office 365, which can be abused by threat actors to attack Azure AD or Office 365.

  • AADInternals PowerShell Cmdlets Execution - PsScript

    Nov 2, 2023 · attack.execution attack.reconnaissance attack.discovery attack.credential_access attack.impact

    Detects AADInternals cmdlet execution. AADInternals is a tool for administering Azure AD and Office 365, which can be abused by threat actors to attack Azure AD or Office 365.

  • AgentExecutor PowerShell Execution

    Nov 2, 2023 · attack.defense_evasion attack.t1218

    Detects execution of the AgentExecutor.exe binary, which can be abused as a LOLBIN to execute PowerShell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by the 6th positional argument

  • Apache Spark Shell Command Injection - Weblogs

    Nov 2, 2023 · attack.initial_access attack.t1190 cve.2022.33891 detection.emerging_threats

    Detects attempts to exploit an Apache Spark server via CVE-2014-6287 from a weblogs perspective

  • Apt GTFOBin Abuse - Linux

    Nov 2, 2023 · attack.discovery attack.t1083

    Detects usage of "apt" and "apt-get" as a GTFOBin to proxy command and binary execution

  • Atlassian Bitbucket Command Injection Via Archive API

    Nov 2, 2023 · attack.initial_access attack.t1190 cve.2022.36804 detection.emerging_threats

    Detects attempts to exploit the Atlassian Bitbucket Command Injection CVE-2022-36804

  • Browser Started with Remote Debugging

    Nov 2, 2023 · attack.credential_access attack.t1185

    Detects browsers starting with the remote debugging flags, a technique often used to perform browser injection attacks

  • Capabilities Discovery - Linux

    Nov 2, 2023 · attack.discovery attack.t1083

    Detects usage of the "getcap" binary. This is often used during recon activity to determine potential binaries that can be abused as GTFOBins or otherwise.

  • Change PowerShell Policies to an Insecure Level - PowerShell

    Nov 2, 2023 · attack.execution attack.t1059.001

    Detects use of Set-ExecutionPolicy to set insecure policies

  • Change the Fax Dll

    Nov 2, 2023 · attack.defense_evasion attack.t1112

    Detects possible persistence via a Fax DLL that is loaded when the service restarts

  • Change User Account Associated with the FAX Service

    Nov 2, 2023 · attack.defense_evasion attack.t1112

    Detects a change of the user account associated with the FAX service, made to avoid the escalation problem.

  • Change User Agents with WebRequest

    Nov 2, 2023 · attack.command_and_control attack.t1071.001

    Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

  • CVE-2021-41773 Exploitation Attempt

    Nov 2, 2023 · attack.initial_access attack.t1190 cve.2021.41773 detection.emerging_threats

    Detects exploitation of a flaw in path normalization in Apache HTTP server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied", these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.

  • CVE-2022-31656 VMware Workspace ONE Access Auth Bypass

    Nov 2, 2023 · attack.initial_access attack.t1190 cve.2022.31656 detection.emerging_threats

    Detects the exploitation of the VMware Workspace ONE Access Authentication Bypass vulnerability as described in CVE-2022-31656. VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.

  • CVE-2022-31659 VMware Workspace ONE Access RCE

    Nov 2, 2023 · attack.initial_access attack.t1190 cve.2022.31659 detection.emerging_threats

    Detects possible exploitation of VMware Workspace ONE Access Admin Remote Code Execution vulnerability as described in CVE-2022-31659

  • Deletion of Volume Shadow Copies via WMI with PowerShell

    Nov 2, 2023 · attack.impact attack.t1490

    Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil

  • Exchange PowerShell Cmdlet History Deleted

    Nov 2, 2023 · attack.defense_evasion attack.t1070

    Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence

  • Group Has Been Deleted Via Groupdel

    Nov 2, 2023 · attack.impact attack.t1531

    Detects execution of the "groupdel" binary, which is used to delete a group. This is sometimes abused by threat actors in order to cover their tracks

  • ImagingDevices Unusual Parent/Child Processes

    Nov 2, 2023 · attack.defense_evasion attack.execution

    Detects unusual parent or child processes of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity

  • Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell

    Nov 2, 2023 · attack.defense_evasion attack.t1027 attack.execution attack.t1059.001

    Detects all variations of obfuscated PowerShell IEX invocation code generated by the Invoke-Obfuscation framework from the following code block —

  • Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module

    Nov 2, 2023 · attack.defense_evasion attack.t1027 attack.execution attack.t1059.001

    Detects all variations of obfuscated PowerShell IEX invocation code generated by the Invoke-Obfuscation framework from the code block cited in the reference section below

  • Invoke-Obfuscation Via Use MSHTA - PowerShell Module

    Nov 2, 2023 · attack.defense_evasion attack.t1027 attack.execution attack.t1059.001

    Detects obfuscated PowerShell via use of MSHTA in scripts

  • Linux Webshell Indicators

    Nov 2, 2023 · attack.persistence attack.t1505.003

    Detects suspicious sub processes of web server processes

  • Log4j RCE CVE-2021-44228 in Fields

    Nov 2, 2023 · attack.initial_access attack.t1190 cve.2021.44228 detection.emerging_threats

    Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 in different header fields found in web server logs (Log4Shell)

  • Lolbin Defaultpack.exe Use As Proxy

    Nov 2, 2023 · attack.t1218 attack.defense_evasion attack.execution

    Detects usage of the "defaultpack.exe" binary as a proxy to launch other programs

  • Lolbin Runexehelper Use As Proxy

    Nov 2, 2023 · attack.defense_evasion attack.t1218

    Detects usage of the "runexehelper.exe" binary as a proxy to launch other programs

  • Lolbin Unregmp2.exe Use As Proxy

    Nov 2, 2023 · attack.defense_evasion attack.t1218

    Detects usage of the "unregmp2.exe" binary as a proxy to launch a custom version of "wmpnscfg.exe"

  • Microsoft IIS Connection Strings Decryption

    Nov 2, 2023 · attack.credential_access attack.t1003

    Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or similar can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password, using the aspnet_regiis command.

  • Net WebClient Casing Anomalies

    Nov 2, 2023 · attack.execution attack.t1059.001

    Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. nEt.WEbCliEnT) string as used in obfuscation techniques

  • OWASSRF Exploitation Attempt Using Public POC - Proxy

    Nov 2, 2023 · attack.initial_access attack.t1190

    Detects exploitation attempts of the OWASSRF variant targeting Exchange servers using the publicly available POC. It uses the OWA endpoint to access the PowerShell backend endpoint

  • OWASSRF Exploitation Attempt Using Public POC - Webserver

    Nov 2, 2023 · attack.initial_access attack.t1190 detection.emerging_threats

    Detects exploitation attempts of the OWASSRF variant targeting Exchange servers using the publicly available POC. It uses the OWA endpoint to access the PowerShell backend endpoint

  • Perl Inline Command Execution

    Nov 2, 2023 · attack.execution attack.t1059

    Detects execution of perl using the "-e"/"-E" flags. This could be used as a way to launch a reverse shell or execute live Perl code.

  • Persistence Via Sudoers Files

    Nov 2, 2023 · attack.persistence attack.t1053.003

    Detects creation of a sudoers file or of files in the "sudoers.d" directory, which can be used as a potential method to persist privileges for a specific user.

  • Php Inline Command Execution

    Nov 2, 2023 · attack.execution attack.t1059

    Detects execution of php using the "-r" flag. This could be used as a way to launch a reverse shell or execute live PHP code.

  • Potential COM Objects Download Cradles Usage - Process Creation

    Nov 2, 2023 · attack.command_and_control attack.t1105

    Detects usage of COM objects that can be abused to download files in PowerShell by CLSID

  • Potential COM Objects Download Cradles Usage - PS Script

    Nov 2, 2023 · attack.command_and_control attack.t1105

    Detects usage of COM objects that can be abused to download files in PowerShell by CLSID

  • Potential CVE-2022-46169 Exploitation Attempt

    Nov 2, 2023 · attack.initial_access attack.t1190 cve.2022.46169 detection.emerging_threats

    Detects potential exploitation attempts that target the Cacti Command Injection CVE-2022-46169

  • Potential Data Stealing Via Chromium Headless Debugging

    Nov 2, 2023 · attack.credential_access attack.t1185

    Detects Chromium-based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control

  • Potential Discovery Activity Using Find - Linux

    Nov 2, 2023 · attack.discovery attack.t1083

    Detects usage of the "find" binary in a suspicious manner to perform discovery

  • Potential Discovery Activity Using Find - MacOS

    Nov 2, 2023 · attack.discovery attack.t1083

    Detects usage of the "find" binary in a suspicious manner to perform discovery

  • Potential DLL Sideloading Using Coregen.exe

    Nov 2, 2023 · attack.defense_evasion attack.t1218 attack.t1055

    Detects usage of the "coregen.exe" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs.

  • Potential In-Memory Execution Using Reflection.Assembly

    Nov 2, 2023 · attack.defense_evasion attack.t1620

    Detects usage of "Reflection.Assembly" load functions to dynamically load assemblies in memory

  • Potential Keylogger Activity

    Nov 2, 2023 · attack.collection attack.credential_access attack.t1056.001

    Detects PowerShell scripts that contain references to keystroke capturing functions

  • Potential Persistence Via Notepad++ Plugins

    Nov 2, 2023 · attack.persistence

    Detects creation of new ".dll" files inside the plugins directory of a Notepad++ installation by a process other than "gup.exe", which could indicate possible persistence

  • Potential Persistence Via Security Descriptors - ScriptBlock

    Nov 2, 2023 · attack.persistence attack.defense_evasion attack.privilege_escalation

    Detects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor, as seen used in the DAMP project.

  • Potential RDP Session Hijacking Activity

    Nov 2, 2023 · attack.execution

    Detects potential RDP Session Hijacking activity on Windows systems

  • Potential Remote Credential Dumping Activity

    Nov 2, 2023 · attack.credential_access attack.t1003

    Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.

  • Potential RipZip Attack on Startup Folder

    Nov 2, 2023 · attack.persistence attack.t1547

    Detects a phishing attack which expands a ZIP file containing a malicious shortcut. If the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder. Additionally, the file name of the malicious shortcut in the Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D}, meaning the folder shortcut operation.

  • Potential SAM Database Dump

    Nov 2, 2023 · attack.credential_access attack.t1003.002

    Detects the creation of files that look like exports of the local SAM (Security Account Manager)

  • Potential Suspicious Activity Using SeCEdit

    Nov 2, 2023 · attack.discovery attack.persistence attack.defense_evasion attack.credential_access attack.privilege_escalation attack.t1562.002 attack.t1547.001 attack.t1505.005 attack.t1556.002 attack.t1562 attack.t1574.007 attack.t1564.002 attack.t1546.008 attack.t1546.007 attack.t1547.014 attack.t1547.010 attack.t1547.002 attack.t1557 attack.t1082

    Detects potentially suspicious behaviour using secedit.exe, such as exporting or modifying the security policy

  • Potential Suspicious Windows Feature Enabled

    Nov 2, 2023 · attack.defense_evasion

    Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images

  • Potential Suspicious Windows Feature Enabled - ProcCreation

    Nov 2, 2023 · attack.defense_evasion

    Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images

  • PowerShell Get Clipboard

    Nov 2, 2023 · attack.collection attack.t1115

    A general detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents.

  • Powershell Inline Execution From A File

    Nov 2, 2023 · attack.execution attack.t1059.001

    Detects inline execution of PowerShell code from a file

  • PowerShell Remote Session Creation

    Nov 2, 2023 · attack.execution attack.t1059.001

    Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system

  • Powershell Token Obfuscation - Process Creation

    Nov 2, 2023 · attack.defense_evasion attack.t1027.009

    Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation

  • PowerShell Web Download

    Nov 2, 2023 · attack.command_and_control attack.execution attack.t1059.001 attack.t1105

    Detects suspicious ways to download files or content using PowerShell

  • Privilege Escalation via Named Pipe Impersonation

    Nov 2, 2023 · attack.lateral_movement attack.t1021

    Detects a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.

  • Rejetto HTTP File Server RCE

    Nov 2, 2023 · attack.initial_access attack.t1190 attack.t1505.003 cve.2014.6287 detection.emerging_threats

    Detects attempts to exploit a Rejetto HTTP File Server (HFS) via CVE-2014-6287

  • Ruby Inline Command Execution

    Nov 2, 2023 · attack.execution attack.t1059

    Detects execution of ruby using the "-e" flag. This could be used as a way to launch a reverse shell or execute live Ruby code.

  • Service Installed By Unusual Client - Security

    Nov 2, 2023 · attack.privilege_escalation attack.t1543

    Detects a service installed by a client which has PID 0 or whose parent has PID 0

  • Service Installed By Unusual Client - System

    Nov 2, 2023 · attack.privilege_escalation attack.t1543

    Detects a service installed by a client which has PID 0 or whose parent has PID 0

  • SES Identity Has Been Deleted

    Nov 2, 2023 · attack.defense_evasion attack.t1070

    Detects an instance of an SES identity being deleted via the "DeleteIdentity" event. This may be an indicator of an adversary removing the account that carried out suspicious or malicious activities

  • Suspicious AgentExecutor PowerShell Execution

    Nov 2, 2023 · attack.defense_evasion attack.t1218