Detects suspicious child processes of the Veeam service process. This could indicate potential RCE or SQL Injection.

Detects file download using curl.exe

Detects potentially suspicious SQL queries using SQLCmd targeting the Veeam backup databases in order to steal information.

Detects execution of a PowerShell script that contains calls to the "Veeam.Backup" class, in order to dump stored credentials.

Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters. This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.

Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters. This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.

Detects potential DLL sideloading of "SolidPDFCreator.dll"

Detects a core dump of a crashing Nginx worker process, which could be a signal of a serious problem or exploitation attempts.

Detects the use of the WMI command-line (WMIC) utility to identify and display various system information, including OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS, and GPU driver products/versions. Some of these commands were used by Aurora Stealer in late 2022/early 2023.

Adversaries may search for private key certificate files on compromised systems for insecurely stored credential

Detects uncommon processes creating remote threads

Detects creation of the Process Explorer drivers by processes other than Process Explorer (procexp) itself. Hack tools or malware may use the Process Explorer driver to elevate privileges, drops it to disk for a few moments, runs a service using that driver and removes it afterwards.

Detects creation of the Process Monitor driver by processes other than Process Monitor (procmon) itself.

Detects remote thread creation from CACTUSTORCH as described in references.

Detects a potential remote threat creation with certain characteristics which are typical for Cobalt Strike beacons

Detects creation of files with specific name patterns seen used in various tools that export the NTDS.DIT for exfiltration.

Detects creation of a file named "ntds.dit" (Active Directory Database)

Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon process or a process located in a suspicious directory

Detects remote thread creation by PowerShell processes into "lsass.exe"

Detects DLL sideloading of "dbgcore.dll"

Detects DLL sideloading of "dbghelp.dll"

Detects remote thread creation in "KeePass.exe" which could indicates potential password dumping activity

Detects uncommon target processes for remote thread creation

Detects the creation of a remote thread from a Powershell process to another process

Detects the creation of a remote thread from a Powershell process in a rundll32 process

Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context.

Detects suspicious file based on their extension being created in "C:\PerfLogs". Note that this directory mostly contains ".etl" files

Detects creation of ".vhd"/".vhdx" files by browser processes. Malware can use mountable Virtual Hard Disk ".vhd" files to encapsulate payloads and evade security controls.

Detects issues with Windows Defender Real-Time Protection features

Detects the creation of a file on disk that has an imphash of a well-known hack tool

Detects use of chcp to look up the system locale value as part of host discovery

Detect standard users login that are part of high privileged groups such as the Administrator group

Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools

Detects suspicious encoded User-Agent strings, as seen used by some malware.

Detects the image load of VSS DLL by uncommon executables

Detects a non-browser process interacting with the Google API which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet)

Detects a suspicious curl process start the adds a file to a web request

Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start a instance with custom extensions

Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.

Detects activity when a member is added to a security-enabled global group

Detects activity when a member is removed from a security-enabled global group

Detects activity when a security-enabled global group is deleted

Detect remote login by Administrator user (depending on internal pattern).

Detects the default "UserName" used by the DiagTrackEoP POC

Detects successful logon from public IP address via RDP. This can indicate a publicly-exposed RDP port.

Detects successful logon from public IP address via SMB. This can indicate a publicly-exposed SMB port.

A login from a public IP can indicate a misconfigured firewall or network boundary.

Detects the creation of a local hidden user account which should not happen for event ID 4720.

Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation

Detects logon events that have characteristics of events generated during an attack with KrbRelayUp and the like