Detects DNS queries for IP lookup services such as "api.ipify.org" originating from a non browser process.

Read More

Detects external IP address lookups by non-browser processes via services such as "api.ipify.org". This could be indicative of potential post compromise internet test activity.

Read More

Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'

Read More

Detects BGP failures which may be indicative of brute force attacks to manipulate routing

Read More

Detects LDP failures which may be indicative of brute force attacks to manipulate MPLS labels

Read More

Detects possible collection of data from the clipboard via execution of the osascript binary

Read More

Detects when the file "passwd" or "shadow" is copied from tmp path

Read More

Detects an appx package deployment that was blocked by AppLocker policy

Read More

Detects an appx package deployment that was blocked by the local computer policy

Read More

Detect the usage of "DirLister.exe" a utility for quickly listing folder or drive contents. It was seen used by BlackCat ransomware to create a list of accessible directories and files.

Read More

Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)

Read More

Detect activation of DisableRestrictedAdmin to disable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise

Read More

Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes

Read More

Detects DNS queries for "anonfiles.com", which is an anonymous file upload platform often used for malicious purposes

Read More

Detects common command used to enable bpf kprobes tracing

Read More

Detects a suspicious execution from an uncommon folder

Read More

Detect use of iptables to flush all firewall rules, tables and chains and allow all network traffic

Read More

A symbolic link is a type of file that contains a reference to another file. This is probably done to make sure that the ransomware is able to follow shortcuts on the machine in order to find the original file to encrypt

Read More

Detects delete action in the Github audit logs for codespaces, environment, project and repo.

Read More

Detects when a user disables a critical security feature for an organization.

Read More

Detects when a user creates action secret for the organization, environment, codespaces or repository.

Read More

Detects when an organization member or an outside collaborator is added to or removed from a project board or has their permission level changed or when an owner removes an outside collaborator from an organization or when two-factor authentication is required in an organization and an outside collaborator does not use 2FA or disables 2FA.

Read More

A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runners configurations in the environment. The self-hosted runner configuration changes once detected, it should be validated from GitHub UI because the log entry may not provide full context.

Read More

Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same

Read More

Detects executable names or flags used by Htran or Htran-like tools (e.g. NATBypass)

Read More

Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool

Read More

Detects the use of KrbRelay, a Kerberos relaying tool

Read More

Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced

Read More

Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files

Read More

Detects the execution of the hacktool SafetyKatz via PE information and default Image name

Read More

Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms

Read More

Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller

Read More

Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120

Read More

Detects BGP failures which may be indicative of brute force attacks to manipulate routing.

Read More

Detects powershell scripts that import modules from suspicious directories

Read More

Detects powershell scripts that import modules from suspicious directories

Read More

Detects possible Java payloads in web access logs

Read More

Detects juniper BGP missing MD5 digest. Which may be indicative of brute force attacks to manipulate routing.

Read More

Detects possible malicious execution of JXA in-memory via OSAScript

Read More

Detect usage of the "ssh.exe" binary as a proxy to launch other programs

Read More

Detects Commandlet names and arguments from the Nishang exploitation framework

Read More

Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance

Read More

Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords

Read More

Detects execution of the "mount" command with "hidepid" parameter to make invisible processes to other users from the system

Read More

Detects usage of cmdkey to add generic credentials. As an example, this has to be used before connecting to an RDP session via command line interface.

Read More

Detects when a new member is added or invited to a github organization.

Read More

Detects the usage of "mstsc.exe" with the "/v" flag to initiate a connection to a remote server. Adversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.

Read More

Detects exploitation of Nimbuspwn privilege escalation vulnerability (CVE-2022-29799 and CVE-2022-29800)

Read More

Detects nltest commands that can be used for information discovery

Read More

Detects when a new admin role assignment is created. Which could be a sign of privilege escalation or persistence

Read More

Detects use of Cobalt Strike commands accidentally entered in the CMD shell

Read More

Detects Cobalt Strike module/commands accidentally entered in CMD shell

Read More

Detects potential suspicious run-only executions compiled using OSACompile

Read More

Dependabot performs a scan to detect insecure dependencies, and sends Dependabot alerts. This rule detects when an organization owner disables Dependabot alerts private repositories or Dependabot security updates for all repositories.

Read More

Detect use of PDQ Deploy remote admin tool

Read More

Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.

Read More

Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.

Read More

Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.

Read More

Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc

Read More

Detects potential exploitation attempts that target the Centos Web Panel 7 Unauthenticated Remote Code Execution CVE-2022-44877

Read More

Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it

Read More

Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)

Read More

Detects potential exfiltration attempt via audio file using PowerShell

Read More

Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones used to host the DNS records for a particular domain.

Read More

Detects DLL sideloading of system dlls that are not present on the system by default. Usually to achieve techniques such as UAC bypass and privilege escalation

Read More

Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that does not exist. This non-existent DLL file is named "ShellChromeAPI.dll". Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter

Read More

Detects Office applications executing a child process that includes directory traversal patterns. This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE)

Read More

Detects potential exploitation attempt of undocumented Windows Server Pre Auth Remote Code Execution (RCE)

Read More

Detects potential installation or installation attempts of known malicious appx packages

Read More

Detects possible password spraying attempts using Dsacls

Read More

Detect changes to the "PendingFileRenameOperations" registry key from uncommon or suspicious images lcoations to stage currently used files for rename after reboot.

Read More

Detects suspicious powershell execution via a schedule task where the command ends with an suspicious flags to hide the powershell instance instead of executeing scripts or commands. This could be a sign of persistence via PowerShell "Get-Variable" technique as seen being used in Colibri Loader

Read More

Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine

Read More

Detects Set-Alias or New-Alias cmdlet usage. Which can be use as a mean to obfuscate PowerShell scripts

Read More

Detects specific techniques often seen used inside of PowerShell scripts to obfscuate Alias creation

Read More

Detects potential process injection via Microsoft Remote Asssistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. It has been a target used by many threat actors and used for discovery and persistence tactics

Read More

Execution of ssh.exe to perform data exfiltration and tunneling through RDP

Read More

Detects nltest commands that can be used for information discovery

Read More

Detects usage of cmdkey to look for cached credentials on the system

Read More

Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. This could mean that the 'rundll32' utility has been renamed in order to avoid detection

Read More

Detects when a user enable developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.

Read More

Detects the presence of "bpf_probe_write_user" BPF helper-generated warning messages. Which could be a sign of suspicious eBPF activity on the system.

Read More

Detects potential access to svchost process memory such as that used by Invoke-Phantom to kill the winRM Windows event logging service.

Read More

Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec

Read More

Detects usage of Dsacls to grant over permissive permissions

Read More

Detects base64 encoded "MpPreference" PowerShell cmdlet code that tries to modifies or tamper with Windows Defender AV

Read More

Detects calls to base64 encoded WMI class such as "Win32_Shadowcopy", "Win32_ScheduledJob", etc.

Read More

Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code

Read More

Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.

Read More

Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.

Read More

Detects the use of NPS, a port forwarding and intranet penetration proxy server

Read More

Detects the execution of the PUA/Recon tool Seatbelt via PE information of command line parameters

Read More

Detects potential PwnKit exploitation CVE-2021-4034 in auth logs

Read More

Detects usage of "query.exe" a system binary to exfil information such as "sessions" and "processes" for later use

Read More

Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)

Read More

Detects the execution of a renamed version of the "Mavinject" process. Which can be abused to perform process injection using the "/INJECTRUNNING" flag

Read More

Detects the execution of a renamed "Msdt.exe" binary

Read More

Detects the execution of a renamed "client32.exe" (NetSupport RAT) via Imphash, Product and OriginalFileName strings

Read More

Detects the execution of a renamed version of the Plink binary

Read More

Detects execution of renamed Remote Utilities (RURAT) via Product PE header field

Read More

Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn't do (the renaming)

Read More

Detects renamed vmnat.exe or portable version that can be used for DLL side-loading

Read More

Detects restricted access to applications by the Software Restriction Policies (SRP) policy

Read More

Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.

Read More

Detects execution of "reg.exe" commands with the "delete" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products

Read More

Detects execution of "reg.exe" commands with the "delete" flag on services registry key. Often used by attacker to remove AV software services

Read More

Detect usage of the "sqlite" binary to query databases in Chromium-based browsers for potential data stealing.

Read More

Detect usage of the "sqlite" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.

Read More

Detects an appx package installation with the error code "0x80073cff" which indicates that the package didn't meet the signing requirements and could be suspicious

Read More

Detects an appx package added the pipeline of the "to be processed" packages which is located in suspicious locations

Read More

Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)

Read More

Detects execution of AppX packages with known suspicious or malicious signature

Read More

Detects execution of "git" in order to clone a remote repository that contain suspicious keywords which might be suspicious

Read More

Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed

Read More

Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed

Read More

Detects usage of "appcmd" to create new global URL rewrite rules. This behaviour has been observed being used by threat actors to add new rules so they can access their webshells.

Read More

Detects suspicious child processes spawning from microsoft office suite applications such as word or excel. This could indicates malicious macro execution

Read More

Detects an svchost process spawning an instance of an office application. This happens when the initial word application creates an instance of one of the Office COM objects such as 'Word.Application', 'Excel.Application', etc. This can be used by malicious actors to create malicious Office documents with macros on the fly. (See vba2clr project in the references)

Read More

Detects suspicious PowerShell download command

Read More

Detects suspicious process related to rundll32 based on arguments

Read More

Detects suspicious shell spawn from Java utility keytool process (e.g. adselfservice plus exploitation)

Read More

Detects risky authencaition from a non AD registered device without MFA being required.

Read More

Detects when a file with a suspicious extension is created in the startup folder

Read More

Detects suspicious command with /dev/tcp

Read More

Detects usage of the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery or delete events logs

Read More

Detects the usage of "reg.exe" to add Defender folder exclusions. Qbot has been seen using this technique to add exclusions for folders within AppData and ProgramData.

Read More

Detects activity when The Windows Defender Firewall service failed to load Group Policy

Read More

Detects usage of the "touch" process in service file.

Read More

Detects attempts to force stop the ufw using ufw-init

Read More

Detects an appx package added the pipeline of the "to be processed" packages which is located in uncommon locations

Read More

Detects scheduled task creation events that include suspicious actions, and is run once at 00:00

Read More

Detects usage of the "Add-AppxPackage" or it's alias "Add-AppPackage" to install unsigned AppX packages

Read More

Detects usage of the "Add-AppxPackage" or it's alias "Add-AppPackage" to install unsigned AppX packages

Read More

Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell scriptblock logs

Read More

Detects the creation or modification of a vscode related powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence

Read More

Detects Log4J Wstomcat process execution as seen in Mint Sandstorm activity

Read More

Detects the execution of fsutil.exe to enable a Dev Drive with an argument that disables the AV on the created drive. This technique is available starting with Windows 11.

Read More

Detects changes to the Netsh registry key to add a new DLL value that is located on a suspicious location. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper

Read More

Detects the execution of netsh with "add helper" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.

Read More

Detects changes to the Netsh registry key to add a new DLL value. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper

Read More

Detects exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via proxy logs by looking for a very long host header string.

Read More

Detects exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via webserver logs by looking for a very long host header string.

Read More

Detects potential exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via proxy logs.

Read More

Detects potential exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via webserver logs.

Read More

Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. It could also be used for anti-analysis purposes by shut downing specific processes.

Read More

Detects the load of RstrtMgr DLL (Restart Manager) by an uncommon process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. It could also be used for anti-analysis purposes by shut downing specific processes.

Read More

Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message. Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path. IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.

Read More

Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message. Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path. IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.

Read More

Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility by a parent process that is located in a suspicious location.

Read More

Detects usage of the "wusa.exe" (Windows Update Standalone Installer) utility to extract cab using the "/extract" argument from suspicious paths

Read More

Detects a Chromium based browser process with the 'load-extension' flag to start a instance with a custom extension

Read More

Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start an instance with a custom extension

Read More

Detects exploitation attempts in Exchange server logs as described in blog posts reporting on HAFNIUM group activity

Read More

Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers

Read More

Detects sideloading of trojanized DLLs used in Lazarus APT campaign in the case of a Spanish aerospace company

Read More

Detects execution of the POWERHOLD script seen used by FIN7 as reported by WithSecureLabs

Read More

Detects specific command line execution used by FIN7 as reported by WithSecureLabs for reconnaissance and POWERTRASH execution

Read More

Detects PowerShell script file creation with specific name or suffix which was seen being used often by FIN7 PowerShell scripts

Read More

Detects specific command line execution used by Mustang Panda in a targeted attack against the Australian government as reported by Lab52

Read More

Detects potential beaconing activity to domains used in 0day attacks on iOS devices and revealed by Kaspersky and the FSB

Read More

Detects potential beaconing activity to domains used in 0day attacks on iOS devices and revealed by Kaspersky and the FSB

Read More

Detects potential execution of the PowerShell script POWERTRASH

Read More

Detects a WMI modules being loaded by an uncommon process

Read More

Detects exploitation attempt of CVE-2023-46214, a remote code execution (RCE) in Splunk Enterprise through insecure XML parsing using known public proof of concept code

Read More

Detects potential exploitation of CVE-2023-46214, a remote code execution (RCE) in Splunk Enterprise through insecure XML parsing

Read More

Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles

Read More

Detects potential token impersonation and theft. Example, when using "DuplicateToken(Ex)" and "ImpersonateLoggedOnUser" with the "LOGON32_LOGON_NEW_CREDENTIALS flag".

Read More

Detects AdFind execution with common flags seen used during attacks

Read More

Detects the creation of scheduled tasks in user session

Read More

Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services

Read More

Detects .NET Framework CLR and .NET Core CLR "cor_enable_profiling" and "cor_profiler" variables being set and configured.

Read More

Detects the execution of rundll32 with a command line that doesn't contain a .dll file

Read More

Detects DNS query requests to Devtunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.

Read More

Detects DNS query requests to Visual Studio Code tunnel domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.

Read More

Detects network connections to Devtunnels domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.

Read More

Detects network connections to Visual Studio Code tunnel domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.

Read More

Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)

Read More

Detects execution of different log query utilities to search and dump the content of specific event logs or look for specific event IDs.

Read More

Detects an executable accessing ngrok domains, which could be a sign of forbidden data exfiltration by malicious actors

Read More

Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making network connections. One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule.

Read More

Detects attackers using tooling with bad opsec defaults. E.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run. One trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.

Read More

Detects the creation of new files with the ".evtx" extension in non-common locations. Which could indicate tampering with default evtx locations in order to evade security controls

Read More

Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt.

Read More

Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack

Read More

Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.

Read More

Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID

Read More

Detects usage of findstr with the "EVERYONE" or "BUILTIN" keywords. This is seen being used in combination with "icacls" to look for misconfigured files or folders permissions

Read More

Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution.

Read More

Detects the excution of a potential recon command where the results are piped to "findstr". This is meant to trigger on inline calls of "cmd.exe" via the "/c" or "/k" for example. Attackers often time use this to extract specific information they require in their chain.

Read More

Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry.

Read More

Detects uncommon processes creating remote threads

Read More

Detects the execution of a renamed office binary

Read More

Detects execution of "findstr" to search for common names of security tools. Attackers often pipe the results of recon commands such as "tasklist" or "whoami" to "findstr" in order to filter out the results. This detection focuses on the keywords that the attacker might use as a filter.

Read More

Detects file renames where the target filename uses an uncommon double extension. Could indicate potential ransomware activity renaming files and adding a custom extension to the encrypted files, such as ".jpg.crypted", ".docx.locky", etc.

Read More

Detects installation of a potentially suspicious new shim with an uncommon extension using sdbinst.exe. Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims

Read More

Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags

Read More

Detects usage of "findstr" with the argument "385201". Which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the name is changed).

Read More

Detects uncommon "userinit.exe" child processes, which could be a sign of uncommon shells or login scripts used for persistence.

Read More

Detects when a Windows Defender exclusion has been deleted. This could indicate an attacker trying to delete their tracks by removing the added exclusions

Read More

Detects modifications to the Windows Defender exclusion registry key. This could indicate a potentially suspicious or even malicious activity by an attacker trying to add a new exclusion in order to bypass security.

Read More

Detects write access requests to the Windows Defender exclusions registry keys. This could be an indication of an attacker trying to request a handle or access the object to write new exclusions in order to bypass security.

Read More

Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.

Read More

Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.

Read More

Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.

Read More

Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.

Read More

Detects exploitation attempts of CVE-2023-43261 and information disclosure in Milesight UR5X, UR32L, UR32, UR35, UR41 before v35.3.0.7 that allows attackers to access sensitive router components in proxy logs.

Read More

Detects exploitation attempts of CVE-2023-43261 and information disclosure in Milesight UR5X, UR32L, UR32, UR35, UR41 before v35.3.0.7 that allows attackers to access sensitive router components in access logs.

Read More

Detects DNS queries made by "AppInstaller.EXE". The AppInstaller is the default handler for the "ms-appinstaller" URI. It attempts to load/install a package from the referenced URL

Read More

Detects usage of "IMEWDBLD.exe" to download arbitrary files

Read More

Detects usage of "msedge_proxy.exe" to download arbitrary files

Read More

Detects usage of "MSOHTMED" to download arbitrary files

Read More