Detect when System Manager successfully executes commands against an instance.

Read More

Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs. This technique is used by threat actors in order to extract sensitive information from events logs such as usernames, IP addresses, hostnames, etc.

Read More

Detects the creation of a file named "WerFault.exe" or "wer.dll" in an uncommon folder, which could be a sign of WerFault DLL hijacking.

Read More

Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.). It is highly recommended to perform an initial baseline before using this rule in production.

Read More

Detects raw disk access using uncommon tools or tools that are located in suspicious locations (heavy filtering is required), which could indicate possible defense evasion attempts

Read More

Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.).

Read More

Detects the image load of VSS DLL by uncommon executables

Read More

Detects suspicious Windows Defender Application Control (WDAC) policy file creation from abnormal processes that could be abused by attacker to block EDR/AV components while allowing their own malicious code to run on the system.

Read More

A General detection for files being created in the Windows startup directory. This could be an indicator of persistence.

Read More

Detect scenarios where a potentially unauthorized application or user is modifying the system time.

Read More

Detects an appx package added the pipeline of the "to be processed" packages which is located in uncommon locations

Read More

Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the /FORMAT argument switch to download and execute an XSL file (i.e js, vbs, etc).

Read More

Detects the load of RstrtMgr DLL (Restart Manager) by an uncommon process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. It could also be used for anti-analysis purposes by shut downing specific processes.

Read More

Detects uncommon processes creating remote threads.

Read More

Detects modification of autostart extensibility point (ASEP) in registry.

Read More

Detects loading of "credui.dll" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of "CredUIPromptForCredentials" or "CredUnPackAuthenticationBufferW".

Read More

Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.

Read More

Detects the execution of a renamed office binary

Read More

Detects attempts to use system dialog prompts to capture user credentials

Read More

Detects actions that disable Address Space Layout Randomization (ASLR) in Linux, including:

• Use of the personality syscall with the ADDR_NO_RANDOMIZE flag (0x0040000)
• Modification of the /proc/sys/kernel/randomize_va_space file
• Execution of the sysctl command to set kernel.randomize_va_space=0 Disabling ASLR is often used by attackers during exploit development or to bypass memory protection mechanisms. A successful use of these methods can reduce the effectiveness of ASLR and make memory corruption attacks more reliable.

Read More

Detects attempts to record audio using the arecord and ecasound utilities.

Read More

Detect changes in auditd configuration files

Read More

Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.

Read More

detects BPFDoor .lock and .pid files access in temporary file storage facility

Read More

All TCP traffic on particular port from attacker is routed to different port. ex. '/sbin/iptables -t nat -D PREROUTING -p tcp -s 192.168.1.1 --dport 22 -j REDIRECT --to-ports 42392' The traffic looks like encrypted SSH communications going to TCP port 22, but in reality is being directed to the shell port once it hits the iptables rule for the attacker host only.

Read More

Detects the use of the syslog syscall with action code 5 (SYSLOG_ACTION_CLEAR), (4 is SYSLOG_ACTION_READ_CLEAR and 6 is SYSLOG_ACTION_CONSOLE_OFF) which clears the kernel ring buffer (dmesg logs). This can be used by attackers to hide traces after exploitation or privilege escalation. A common technique is running dmesg -c, which triggers this syscall internally.

Read More

Detects attempts to collect image data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.

Read More

Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.

Read More

Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.

Read More

Detecting attempts to extract passwords with grep

Read More

An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.

Read More

Detects attempts to post the file with the usage of wget utility. The adversary can bypass the permission restriction with the misconfigured sudo permission for wget utility which could allow them to read files like /etc/shadow.

Read More

Detects disabling of system firewalls which could be used by adversaries to bypass controls that limit usage of the network.

Read More

Detects file and folder permission changes.

Read More

Detect file time attribute change to hide new or changes to existing files.

Read More

Detects adversary creating hidden file or directory, by detecting directories or files with . as the first character

Read More

Detects attempts to discover the files with setuid/setgid capability on them. That would allow adversary to escalate their privileges.

Read More

Detects enumeration of local or remote network services.

Read More

Detects loading of kernel modules with insmod command. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. Adversaries may use LKMs to obtain persistence within the system or elevate the privileges.

Read More

Detect changes of syslog daemons configuration files

Read More

Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.

Read More

Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.

Read More

Detects the removal of system firewall rules. Adversaries may only delete or modify a specific system firewall rule to bypass controls limiting network usage or access. Detection rules that match only on the disabling of firewalls will miss this.

Read More

Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.

Read More

Detects overwriting (effectively wiping/deleting) of a file.

Read More

Detects command line parameter very often used with coin miners

Read More

Detects the potential abuse of the Linux Magic SysRq (System Request) key by adversaries with root or sufficient privileges to silently manipulate or destabilize a system. By writing to /proc/sysrq-trigger, they can crash the system, kill processes, or disrupt forensic analysis—all while bypassing standard logging. Though intended for recovery and debugging, SysRq can be misused as a stealthy post-exploitation tool. It is controlled via /proc/sys/kernel/sysrq or permanently through /etc/sysctl.conf.

Read More

Detects program executions in suspicious non-program folders related to malware or hacking activity

Read More

Detects removing immutable file attribute.

Read More

Detects adversary creating screen capture of a desktop with Import Tool. Highly recommended using rule on servers, due to high usage of screenshot utilities on user workstations. ImageMagick must be installed.

Read More

Detects adversary creating screen capture of a full with xwd. Highly recommended using rule on servers, due high usage of screenshot utilities on user workstations

Read More

Detects the start, reload or restart of a service.

Read More

Detects usage of the mknod syscall to create special files (e.g., character or block devices). Attackers or malware might use mknod to create fake devices, interact with kernel interfaces, or establish covert channels in Linux systems. Monitoring the use of mknod is important because this syscall is rarely used by legitimate applications, and it can be abused to bypass file system restrictions or create backdoors.

Read More

Detection use of the command "split" to split files into parts and possible transfer.

Read More

Detects extraction of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information.

Read More

Detects embedding of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information.

Read More

Detects appending of zip file to image

Read More

Detects extracting of zip file from image file

Read More

Detects relevant commands often related to malware or hacking activity

Read More

Detects commandline operations on shell history files

Read More

Detects system information discovery commands

Read More

Detects use of the sysinfo system call in Linux, which provides a snapshot of key system statistics such as uptime, load averages, memory usage, and the number of running processes. Malware or reconnaissance tools might leverage sysinfo to fingerprint the system - gathering data to determine if it's a viable target.

Read More

Detects the execution of host or user discovery utilities such as "whoami", "hostname", "id", etc. Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Read More

Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.

Read More

Detects a creation of systemd services which could be used by adversaries to execute malicious code.

Read More

Detect unix shell configuration modification. Adversaries may establish persistence through executing malicious commands triggered when a new shell is opened.

Read More

Detects calls to hidden files or files located in hidden directories in NIX systems.

Read More

Detects possible command execution by web application/web shell

Read More

Detects GitHub self-hosted runners executing workflows on local infrastructure that could be abused for persistence and code execution. Shai-Hulud is an npm supply chain worm targeting CI/CD environments. It installs runners on compromised systems to maintain access after credential theft, leveraging their access to secrets and internal networks.

Read More

Detects the execution of certutil with certain flags that allow the utility to download files.

Read More

Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.

Read More

Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites.

Read More

Detects successful deletion or disabling of an AWS GuardDuty detector, possibly by an attacker trying to avoid detection of its malicious activities. Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost. Verify with the user identity that this activity is legitimate.

Read More

Detects a suspicious copy operation that tries to copy a known LOLBIN from system (System32, SysWOW64, WinSxS) directories to another on disk in order to bypass detections based on locations.

Read More

Detects a suspicious copy operation that tries to copy a program from system (System32, SysWOW64, WinSxS) directories to another on disk. Often used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations.

Read More

Detects the execution of renamed schtasks.exe binary, which is a legitimate Windows utility used for scheduling tasks. One of the very common persistence techniques is schedule malicious tasks using schtasks.exe. Since, it is heavily abused, it is also heavily monitored by security products. To evade detection, threat actors may rename the schtasks.exe binary to schedule their malicious tasks.

Read More

Detects DNS queries made by the finger utility, which can be abused by threat actors to retrieve remote commands for execution on Windows devices. In one ClickFix malware campaign, adversaries leveraged the finger protocol to fetch commands from a remote server. Since the finger utility is not commonly used in modern Windows environments, its presence already raises suspicion. Investigating such DNS queries can also help identify potential malicious infrastructure used by threat actors for command and control (C2) communication.

Read More

Detects commonly-used chained commands and strings in the most recent 'url' value of the 'TypedPaths' key, which could be indicative of a user being targeted by the FileFix technique.

Read More

Detects execution of the "finger.exe" utility. Finger.EXE or "TCPIP Finger Command" is an old utility that is still present on modern Windows installation. It Displays information about users on a specified remote computer (typically a UNIX computer) that is running the finger service or daemon. Due to the old nature of this utility and the rareness of machines having the finger service. Any execution of "finger.exe" can be considered "suspicious" and worth investigating.

Read More

Detects network connections via finger.exe, which can be abused by threat actors to retrieve remote commands for execution on Windows devices. In one ClickFix malware campaign, adversaries leveraged the finger protocol to fetch commands from a remote server. Since the finger utility is not commonly used in modern Windows environments, its presence already raises suspicion. Investigating such network connections can also help identify potential malicious infrastructure used by threat actors

Read More

Detects potential ClickFix malware execution patterns by monitoring registry modifications in RunMRU keys containing HTTP/HTTPS links. ClickFix is known to be distributed through phishing campaigns and uses techniques like clipboard hijacking and fake CAPTCHA pages. Through the fakecaptcha pages, the adversary tricks users into opening the Run dialog box and pasting clipboard-hijacked content, such as one-liners that execute remotely hosted malicious files or scripts.

Read More

Detects process creation with suspicious whitespace padding followed by a '#' character, which may indicate ClickFix or FileFix techniques used to conceal malicious commands from visual inspection. ClickFix and FileFix are social engineering attack techniques where adversaries distribute phishing documents or malicious links that deceive users into opening the Windows Run dialog box or File Explorer search bar. The victims are then instructed to paste commands from their clipboard, which contain extensive whitespace padding using various Unicode space characters to push the actual malicious command far to the right, effectively hiding it from immediate view.

Read More

Detects suspicious FileFix execution patterns where users are tricked into running malicious commands through browser file upload dialog manipulation. This attack typically begins when users visit malicious websites impersonating legitimate services or news platforms, which may display fake CAPTCHA challenges or direct instructions to open file explorer and paste clipboard content. The clipboard content usually contains commands that download and execute malware, such as information stealing tools.

Read More

Detects execution of the Grixba reconnaissance tool based on suspicious command-line parameter combinations. This tool is used by the Play ransomware group for network enumeration, data gathering, and event log clearing.

Read More

Detects suspicious DNS queries to external service interaction domains often used for out-of-band interactions after successful RCE

Read More

Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.

Read More

Detects execution of "reg.exe" commands with the "add" or "copy" flags on safe boot registry keys. Often used by attacker to allow the ransomware to work in safe mode as some security products do not

Read More

Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.

Read More

Detect enable rdp feature to allow specific user to rdp connect on the targeted machine

Read More

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Read More

Bypasses User Account Control using a fileless method

Read More

Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification

Read More

Detects the setting of the environement variable "windir" to a non default value. Attackers often abuse this variable in order to trigger a UAC bypass via the "SilentCleanup" task. The SilentCleanup task located in %windir%\system32\cleanmgr.exe is an auto-elevated task that can be abused to elevate any file with administrator privileges without prompting UAC.

Read More

Detects the execution of the certutil with the "exportPFX" flag which allows the utility to export certificates.

Read More

Detects file association changes using the builtin "assoc" command. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.

Read More

Detects the execution of a Chromium based browser process with the "headless" flag and a URL pointing to the mockbin.org service (which can be used to exfiltrate data).

Read More

Detects a Chromium based browser process with the 'load-extension' flag to start a instance with a custom extension

Read More

Detects use of chcp to look up the system locale value as part of host discovery

Read More

Sysmon registry detection of a local hidden user account.

Read More

Detects the creation of system DLLs that are usually not present on the system (or at least not in system directories). Usually this technique is used to achieve DLL hijacking.

Read More

Files with well-known filenames (parts of credential dump software or files produced by them) creation

Read More

Detects the execution of clip.exe in order to copy data to the clipboard. Adversaries may collect data stored in the clipboard from users copying information within or between applications.

Read More

Detects changes to the default RDP port. Remote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).

Read More

Detects usage of the "cipher" built-in utility in order to overwrite deleted data from disk. Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives

Read More

Detects execution of the builtin "rmdir" command in order to delete directories. Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.

Read More

Detect the usage of "DirLister.exe" a utility for quickly listing folder or drive contents. It was seen used by BlackCat ransomware to create a list of accessible directories and files.

Read More

Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system

Read More

Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage

Read More

Detect set UseActionCenterExperience to 0 to disable the Windows security center notification

Read More

Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images

Read More

Detects execution of "dsquery.exe" for domain trust discovery

Read More

Detect usage of the "driverquery" utility. Which can be used to perform reconnaissance on installed drivers

Read More

Detects the creation of new files with the ".evtx" extension in non-common or non-standard location. This could indicate tampering with default EVTX locations in order to evade security controls or simply exfiltration of event log to search for sensitive information within. Note that backup software and legitimate administrator might perform similar actions during troubleshooting.

Read More

Detects usage of the "dir" command part of Windows CMD with the "/S" command line flag in order to enumerate files in a specified directory and all subdirectories.

Read More

Detects the execution of certutil with either the "decode" or "decodehex" flags to decode base64 or hex encoded files. This can be abused by attackers to decode an encoded payload before execution

Read More

Detects execution of a browser process with a URL argument pointing to a file with a potentially interesting extension. This can be abused to download arbitrary files or to hide from the user for example by launching the browser in a minimized state.

Read More

Detects execution of chromium based browser in headless mode using the "dump-dom" command line to download files

Read More

Detects the execution of certutil with the "encode" flag to encode a file to base64. This can be abused by threat actors and attackers for data exfiltration

Read More

Detects the initial execution of "cmd.exe" which spawns "explorer.exe" with the appropriate command line arguments for opening the "My Computer" folder.

Read More

Detects the execution of certutil with the "encode" flag to encode a file to base64 where the files are located in potentially suspicious locations

Read More

Detects the creation of a file with the ".dll" extension that has the name of a System DLL in uncommon or unsuspected locations. (Outisde of "System32", "SysWOW64", etc.). It is highly recommended to perform an initial baseline before using this rule in production.

Read More

Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt.

Read More

Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information

Read More

Detects the execution of "hh.exe" to open ".chm" files.

Read More

Detects modifications to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen.

Read More

Detects changes to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen.

Read More

Detects changes to the HypervisorEnforcedCodeIntegrity registry key and the "Enabled" value being set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker to load unsigned and untrusted code to be run in the kernel

Read More

Hides the file extension through modification of the registry

Read More

Detects the creation of an "lsass.dmp" file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager.

Read More

Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID

Read More

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.

Read More

Detects usage of "cmdkey.exe" to add generic credentials. As an example, this can be used before connecting to an RDP session via command line interface.

Read More

Detects execution of "certutil" with the "addstore" flag in order to install a new certificate on the system. Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.

Read More

Detects usage of findstr with the "EVERYONE" or "BUILTIN" keywords. This was seen being used in combination with "icacls" and other utilities to spot misconfigured files or folders permissions.

Read More

Detects COM object hijacking via TreatAs subkey

Read More

Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.

Read More

Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.

Read More

Detects possible NTLM coercion via certutil using the 'syncwithWU' flag

Read More

Detects suspicious command line reg.exe tool adding key to RUN key in Registry

Read More

Detects creation of "UserInitMprLogonScript" registry value which can be used as a persistence method by malicious actors

Read More

Detects when an attacker adds a new AMSI provider via the Windows Registry to bypass AMSI (Antimalware Scan Interface) protections. Attackers may add custom AMSI providers to persist on the system and evade detection by security software that relies on AMSI for scanning scripts and other content. This technique is often used in conjunction with fileless malware and script-based attacks to maintain persistence while avoiding detection.

Read More

Detects the creation of a symbolic link between "cmd.exe" and the accessibility on-screen keyboard binary (osk.exe) using "mklink". This technique provides an elevated command prompt to the user from the login screen without the need to log in.

Read More

Detect usage of the "driverquery" utility to perform reconnaissance on installed drivers

Read More

Detects usage of cmdkey to look for cached credentials on the system

Read More

Detects the creation of a file with the ".dmp"/".hdmp" extension by a shell or scripting application such as "cmd", "powershell", etc. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determine the source of the crash.

Read More

Detects the use of powershell commands from headless ConHost window. The "--headless" flag hides the windows from the user upon execution.

Read More

Detects changes to the registry for the currently logged-in user. In order to disable PowerShell module logging, script block logging or transcription and script execution logging

Read More

Detects AdFind execution with common flags seen used during attacks

Read More

Detects execution of Adfind.exe utility, which can be used for reconnaissance in an Active Directory environment

Read More

Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.

Read More

Detects the use of Advanced Port Scanner.

Read More

Detects the execution of AdvancedRun utility

Read More

Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts

Read More

Detects active directory enumeration activity using known AdFind CLI flags

Read More

Detects the execution of a Sysinternals Tool via the creation of the "accepteula" registry key

Read More

Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. (part of the Sysinternals suite) via the creation of the "accepteula" registry key.

Read More

Detects the execution of a potential recon command where the results are piped to "findstr". This is meant to trigger on inline calls of "cmd.exe" via the "/c" or "/k" for example. Attackers often time use this technique to extract specific information they require in their reconnaissance phase.

Read More

Detects the modification of the registry to allow a driver or service to persist in Safe Mode.

Read More

Detects the deletion of AMSI provider registry key entries in HKLM\Software\Microsoft\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.

Read More

Detects when the "index" value of a scheduled task is removed or deleted from the registry. Which effectively hides it from any tooling such as "schtasks /query"

Read More

Remove SD (Security Descriptor) value in \Schedule\TaskCache\Tree registry hive to hide schedule task. This technique is used by Tarrask malware

Read More

Detects the use of a renamed Adfind.exe. AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain.

Read More

Detects the execution of a renamed "CURL.exe" binary based on the PE metadata fields

Read More

Detects the execution of a renamed "ftp.exe" binary based on the PE metadata fields

Read More

Detects the execution of a renamed "Msdt.exe" binary

Read More

Detects attempts to delete the RunMRU registry key, which stores the history of commands executed via the run dialog. In the clickfix techniques, the phishing lures instruct users to open a run dialog through (Win + R) and execute malicious commands. Adversaries may delete this key to cover their tracks after executing commands.

Read More

Detects execution of "findstr" to search for common names of security tools. Attackers often pipe the results of recon commands such as "tasklist" or "whoami" to "findstr" in order to filter out the results. This detection focuses on the keywords that the attacker might use as a filter.

Read More

Detects the stopping of a Windows service via the "sc.exe" utility

Read More

Detects the creation of a file with a suspicious extension in the public folder, which could indicate potential malicious activity.

Read More

Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start an instance with a custom extension

Read More

Detects a code page switch in command line or batch scripts to a rare language

Read More

Detects a suspicious curl process start on Windows and outputs the requested document to a local file

Read More

Detects the creation of the "accepteula" key related to the Sysinternals tools being created from executables with the wrong name (e.g. a renamed Sysinternals tool)

Read More

Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware

Read More

Detects the execution of certutil with the "encode" flag to encode a file to base64 where the extensions of the file is suspicious

Read More

Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1

Read More

Detects the creation of files with an "LNK" as a second extension. This is sometimes used by malware as a method to abuse the fact that Windows hides the "LNK" extension by default.

Read More

Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or someone trying manipulate the configuration

Read More

Detects attempts to query system information directly from the Windows Registry.

Read More

Detects the use of Tor or Tor-Browser to connect to onion routing networks

Read More

Detects instances where the ArcGIS Server process ArcSOC.exe, which hosts REST services running on an ArcGIS server, creates files with suspicious file types, indicating that they may be executables, script files, or otherwise unusual.

Read More

This rule detects script interpreters, command-line tools, and similar suspicious child processes of ArcSOC.exe. ArcSOC.exe is the process name which hosts ArcGIS Server REST services. If an attacker compromises an ArcGIS Server system and uploads a malicious Server Object Extension (SOE), they can send crafted requests to the corresponding service endpoint and remotely execute code from the ArcSOC.exe process.

Read More

Detects listing of the inodes of the "/" directory to determine if the we are running inside of a container.

Read More

Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often times used by malware or attackers as a destructive way before launching ransomware.

Read More

Detects an interactive AT job, which may be used as a form of privilege escalation.

Read More

Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence. The disk cleanup manager is part of the operating system. It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI. Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications. Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler. Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.

Read More

Detects the loading of unsigned .node files. Adversaries may abuse a lack of .node integrity checking to execute arbitrary code inside of trusted applications such as Slack. .node files are native add-ons for Electron-based applications, which are commonly used for desktop applications like Slack, Discord, and Visual Studio Code. This technique has been observed in the DripLoader malware, which uses unsigned .node files to load malicious native code into Electron applications.

Read More

Detects files with specially crafted filenames that embed Base64-encoded bash payloads designed to execute when processed by shell scripts. These filenames exploit shell interpretation quirks to trigger hidden commands, a technique observed in VShell malware campaigns.

Read More

Detection of unusual child processes by different system processes

Read More

Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.

Read More

Detects Windows Installer service (msiexec.exe) spawning "cmd" or "powershell"

Read More

Detects suspicious user agent strings used in APT malware in proxy logs

Read More

The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.

Read More

Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment. Also with this alert, you can detect a flow of AWS keys in your org.

Read More

Detects the modification of the findings on SecurityHub.

Read More

Detects Bitsadmin connections to domains with uncommon TLDs

Read More

Detect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files

Read More

Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.

Read More

Detects exploitation attempts on Cisco ASA FTD systems exploiting CVE-2020-3452 with a status code of 200 (sccessful exploitation)

Read More

Detects BGP failures which may be indicative of brute force attacks to manipulate routing

Read More

Detect a system being shutdown or put into different boot mode

Read More

Turn off logging locally or remote

Read More

See what files are being deleted from flash file systems

Read More

Detects LDP failures which may be indicative of brute force attacks to manipulate MPLS labels

Read More

Find local accounts being created or modified as well as remote authentication configurations

Read More

Modifications to a config that will serve an adversary's impacts or persistence

Read More

See what commands are being input into the device by other people, full credentials can be in the history

Read More

Show when a monitor or a span/rspan is setup or modified

Read More

Various protocols maybe used to put data on the device for exfil or infil

Read More

Detects exploitation attempt against Citrix Netscaler, Application Delivery Controller (ADS) and Citrix Gateway exploiting vulnerabilities reported as CVE-2020-8193 and CVE-2020-8195

Read More

Detects CVE-2019-19781 exploitation attempt against Citrix Netscaler, Application Delivery Controller and Citrix Gateway Attack

Read More