Detects changes to the ESXi syslog configuration via "esxcli"

Read More

Detects suspicious filenames that contain a right-to-left override character and a potentially spoofed file extensions.

Read More

Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. seen in Iranian MeteorExpress related attacks

Read More

Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)

Read More

Detects the creation of files with the ".rdp" extensions in the temporary directory that Outlook uses when opening attachments. This can be used to detect spear-phishing campaigns that use RDP files as attachments.

Read More

Detects creation of a file with an ".rdp" extension by an application that doesn't commonly create such files.

Read More

Detects commandline arguments for executing a child process via dotnet-trace.exe

Read More

Hunts known SVR-specific DLL names.

Read More

Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes. By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.

Read More

Detects the execution of "forfiles" from a non-default location, in order to potentially spawn a custom "cmd.exe" from the current working directory.

Read More

Detects the execution of EDRSilencer, a tool that leverages Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server based on PE metadata information.

Read More

Detects the pattern of a pipe name as used by the hack tool EfsPotato

Read More

Detects the creation of a named file stream with the imphash of a well-known hack tool

Read More

Detects the use of tail to extract bytes at an offset from an image and then decode the base64 value to create a new file with the decoded content. The detected execution is a bash one-liner.

Read More

Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution

Read More

Detects the execution of "reg.exe" to alter registry keys that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image.

Read More

Detects registry value settings that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image.

Read More

Detects the creation of the "PSScriptPolicyTest" PowerShell script by an uncommon process. This file is usually generated by Microsoft Powershell to test against Applocker.

Read More

Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc). Process Hacker is a tool to view and manipulate processes, kernel options and other low level options. Threat actors abused older vulnerable versions to manipulate system processes.

Read More

Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware

Read More

Detects process execution from a fake recycle bin folder, often used to avoid security solution.

Read More

Detects a network connection initiated by "wordpad.exe" over uncommon destination ports. This might indicate potential process injection activity from a beacon or similar mechanisms.

Read More

Detects the execution of "system_profiler" with specific "Data Types" that have been seen being used by threat actors and malware. It provides system hardware and software configuration information. This process is primarily used for system information discovery. However, "system_profiler" can also be used to determine if virtualization software is being run for defense evasion purposes.

Read More

Attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.

Read More

Detects PowerShell scripts attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.

Read More

Detects uncommon "conhost" child processes. This could be a sign of "conhost" usage as a LOLBIN or potential process injection activity.

Read More

Detects BITS transfer job downloading files from a file sharing domain.

Read More

Detects the download of suspicious file type from a well-known file and paste sharing domain

Read More

Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts

Read More

Detects the download of suspicious file type from a well-known file and paste sharing domain

Read More

Detects when attackers or tools disable Windows Defender functionalities via the Windows registry

Read More

Detects potential DLL sideloading of Python DLL files.

Read More

Detects changes to of the IIS server configuration in order to disable/remove the ETW logging/processing option.

Read More

Detects changes to of the IIS server configuration in order to disable HTTP logging for successful requests.

Read More

Detects the addition of a new module to an IIS server.

Read More

Detects the removal of a previously installed IIS module.

Read More

Detects usage of winget to add new potentially suspicious download sources

Read More

Detects usage of "IMEWDBLD.exe" to download arbitrary files

Read More

Detects usage of "msedge_proxy.exe" to download arbitrary files

Read More

Detects the usage of the "Squirrel.exe" to download arbitrary files. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)

Read More

Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)

Read More

Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges from a uncommon parent location.

Read More

One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution

Read More

Detects whether the image specified in a process creation event doesn't refer to an ".exe" (or other known executable extension) file. This can be caused by process ghosting or other unorthodox methods to start a process. This rule might require some initial baselining to align with some third party tooling in the user environment.

Read More

Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.

Read More

Detects scriptblock text keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.

Read More

Detects the clearing of one of the Windows Core Eventlogs. e.g. caused by "wevtutil cl" command execution

Read More

Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. It could also be used for anti-analysis purposes by shut downing specific processes.

Read More

Detects the load of RstrtMgr DLL (Restart Manager) by an uncommon process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. It could also be used for anti-analysis purposes by shut downing specific processes.

Read More

Detects usage of the "ms-appinstaller" protocol handler via command line to potentially download arbitrary files via AppInstaller.EXE The downloaded files are temporarly stored in ":\Users%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache<RANDOM-8-CHAR-DIRECTORY>"

Read More

Detects the injection of code by overwriting the memory map of a Linux process using the "dd" Linux command.

Read More

Detects when a memory process image does not match the disk image, indicative of process hollowing.

Read More

Detects the usage of the "Squirrel.exe" binary to execute arbitrary processes. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)

Read More

Detects the creation of a remote thread from a Powershell process in an uncommon target process

Read More

Detects the execution of the "msxsl" binary with an "http" keyword in the command line. This might indicate a potential remote execution of XSL files.

Read More

Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message. Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path. IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.

Read More

Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message. Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path. IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.

Read More

Detects write access requests to the Windows Defender exclusions registry keys. This could be an indication of an attacker trying to request a handle or access the object to write new exclusions in order to bypass security.

Read More

Detects disabling of Windows Defender Real-time Protection. As this event doesn't contain a lot of information on who initiated this action you might want to reduce it to a "medium" level if this occurs too many times in your environment

Read More

Detects the use of the Dinject PowerShell cradle based on the specific flags

Read More

Detect DLL deletions from Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675

Read More

Detect DLL Load from Spooler Service backup folder

Read More

Detects powershell process used to find and shut down local Hyper-V VMs using the Stop-VM cmdlet, as documented in the 2024 Morphisec report on Cicada3301 ransomware.

Read More

Detects the use of the iisreset.exe utility to stop IIS web services. This is used to prevent users from accessing IIS web resources, thereby releasing/preventing locks which could inhibit ransomware-related encryption.

Read More

Detects potential commandline obfuscation using unicode characters. Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.

Read More

Detects the presence of the "u202+E" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence. This is used as an obfuscation and masquerading techniques.

Read More

Detects the deletion of a process's executable by itself. This is usually not possible without workarounds and may be used by malware to hide its traces.

Read More

Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images

Read More

Detects DLL sideloading activity seen used by Diamond Sleet APT

Read More

Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability

Read More

Detects enabling of the "AllowAnonymousCallback" registry value, which allows a remote connection between computers that do not have a trust relationship.

Read More

Detects the pattern of a pipe name as used by the hack tool CoercedPotato

Read More

Detects the execution of installed GuLoader malware on the host. GuLoader is initiating network connections via the rundll32.exe process that is spawned via a browser parent(injected) process.

Read More

Detects sideloading of trojanized DLLs used in Lazarus APT campaign in the case of a Spanish aerospace company

Read More

Detects the execution of a specific OneLiner to download and execute powershell modules in memory.

Read More

Detects the execution of malicious OneNote documents that contain embedded scripts. When a user clicks on a OneNote attachment and then on the malicious link inside the ".one" file, it exports and executes the malicious embedded script from specific directories.

Read More

Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.

Read More

Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.

Read More

Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.

Read More

Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.

Read More

Detects the creation of hidden file/folder with the "::$index_allocation" stream. Which can be used as a technique to prevent access to folder and files from tooling such as "explorer.exe" and "powershell.exe"

Read More

Detects command line containing reference to the "::$index_allocation" stream, which can be used as a technique to prevent access to folders or files from tooling such as "explorer.exe" or "powershell.exe"

Read More

Detects uncommon or suspicious child processes spawning from a VsCode "code.exe" process. This could indicate an attempt of persistence via VsCode tasks or terminal profiles.

Read More

Detects the execution of an Office application that points to a document that is located in a trusted location. Attackers often used this to avoid macro security and execute their malicious code.

Read More

Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed. Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.

Read More

Detects the execution of a renamed "CURL.exe" binary based on the PE metadata fields

Read More

Detects the creation of files with an "LNK" as a second extension. This is sometimes used by malware as a method to abuse the fact that Windows hides the "LNK" extension by default.

Read More

Detects when a single rules or all of the rules have been deleted from the Windows Defender Firewall

Read More

Detects an appx package added the pipeline of the "to be processed" packages which is located in uncommon locations

Read More

Detects when a rule has been added to the Windows Firewall exception list

Read More

Detects activity that indicates a user disabling the ability for Antivirus mini filter to inspect a "Dev Drive".

Read More

Detects modifications to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen.

Read More

Detects Request to "amsiInitFailed" that can be used to disable AMSI Scanning

Read More

Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed. Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.

Read More

Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise

Read More

Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise

Read More

Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)

Read More

Detects attackers using tooling with bad opsec defaults. E.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run. One trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.

Read More

Detects the execution of Xwizard tool with the "RunWizard" flag and a GUID like argument. This utility can be abused in order to run custom COM object created in the registry.

Read More

Detects the execution of "DXCap.EXE" with the "-c" flag, which allows a user to launch any arbitrary binary or windows package through DXCap itself. This can be abused to potentially bypass application whitelisting.

Read More

Detect usage of the "coregen.exe" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs.

Read More

Detect usage of the "ssh.exe" binary as a proxy to launch other programs.

Read More

Detects suspicious Windows Error Reporting manager (wermgr.exe) child process

Read More

Detects uncommon child processes spawning from "sigverif.exe", which could indicate potential abuse of the latter as a living of the land binary in order to proxy execution.

Read More

Detects the execution of Windows binaries from within a WSL instance. This could be used to masquerade parent-child relationships

Read More

Detects the execution of Xwizard tool from a non-default directory. When executed from a non-default directory, this utility can be abused in order to side load a custom version of "xwizards.dll".

Read More

Detects usage of bitsadmin downloading a file from a suspicious domain

Read More

Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites.

Read More

Detects an appx package added to the pipeline of the "to be processed" packages which was downloaded from a suspicious domain.

Read More

Detects changes to the "HVCIDisallowedImages" registry value to potentially add a driver to the list, in order to prevent it from loading.

Read More

Detects the execution of the "chflags" utility with the "hidden" flag, in order to hide files on MacOS. When a file or directory has this hidden flag set, it becomes invisible to the default file listing commands and in graphical file browsers.

Read More

Detects execution of "Diskshadow.exe" in script mode using the "/s" flag where the script is located in a potentially suspicious location.

Read More

Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation

Read More

Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)

Read More

Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)

Read More

Attackers can use print.exe for remote file copy

Read More

Detects when an account was created and deleted in a short period of time.

Read More

This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.

Read More

Detect set Notification_Suppress to 1 to disable the Windows security center notification

Read More

Identifies that users were active from an IP address that has been identified as an anonymous proxy IP address.

Read More

Detects WRITE_DAC access to a domain object

Read More

Detect set DisallowRun to 1 to prevent user running specific computer program

Read More

Detects usage of winget to add a new insecure (http) download source. Winget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos)

Read More

Detects usage of winget to add new additional download sources

Read More

Detects the creation or removal of a computer. Can be used to detect attacks such as DCShadow via the creation of a new SPN.

Read More

Detects execution of "reg.exe" commands with the "add" or "copy" flags on safe boot registry keys. Often used by attacker to allow the ransomware to work in safe mode as some security products do not

Read More

Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) from a non-standard directory.

Read More

Detects the deletion of the "Zone.Identifier" ADS by an uncommon process. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps.

Read More

Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument

Read More

Detects when a all the rules have been deleted from the Windows Defender Firewall configuration

Read More

Detect enable rdp feature to allow specific user to rdp connect on the targeted machine

Read More

Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts

Read More

Detects loading of "Amsi.dll" by a living of the land process. This could be an indication of a "PowerShell without PowerShell" attack

Read More

Device code flow is an OAuth 2.0 protocol flow specifically for input constrained devices and is not used in all environments. If this type of flow is seen in the environment and not being used in an input constrained device scenario, further investigation is warranted. This can be a misconfigured application or potentially something malicious.

Read More

Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly. The application then uses those credentials to authenticate the user against the identity provider.

Read More

Detects an image load pattern as seen when a tool named PRIVATELOG is used and rarely observed under legitimate circumstances

Read More

Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27

Read More

Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant

Read More

Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant

Read More

Detects execution of arbitrary DLLs or unsigned code via a ".csproj" files via Dotnet.EXE.

Read More

Detects usage of "MSOHTMED" to download arbitrary files

Read More

Detects usage of "MSPUB" (Microsoft Publisher) to download arbitrary files

Read More

Detects usage of "PresentationHost" which is a utility that runs ".xbap" (Browser Applications) files to download arbitrary files

Read More

Detects a certain command line flag combination used by "devinit.exe", which can be abused as a LOLBIN to download arbitrary MSI packages on a Windows system

Read More

Detects execution of "aspnet_compiler.exe" which can be abused to compile and execute C# code.

Read More

Detects calls to "LoadAssemblyFromPath" or "LoadAssemblyFromNS" that are part of the "CL_LoadAssembly.ps1" script. This can be abused to load different assemblies and bypass App locker controls.

Read More

Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'

Read More

Identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior.

Read More

Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited. MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability. Unfortunately, that is about the only instance of CVEs being written to this log.

Read More

Threat actors can use auditpol binary to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.

Read More

Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.

Read More

Detect changes in auditd configuration files

Read More

Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)

Read More

Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)

Read More

Detects disabling, deleting and updating of a Trail

Read More

Detects AWS Config Service disabling

Read More

Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs.

Read More

Detects the modification of the findings on SecurityHub.

Read More

This detection uses azureactivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service. A threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server. This can be done programmatically via HTTP requests to Azure.

Read More

This detection uses azureactivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant. A threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs. The health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.

Read More

Indicates user activity that is unusual for the user or consistent with known attack patterns.

Read More

Identifies when a application is deleted in Azure.

Read More

Identifies when a firewall is created, modified, or deleted.

Read More

Identifies when Rule Collections (Application, NAT, and Network) is being modified or deleted.

Read More

Detects when Events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.

Read More

Identifies when a Firewall Policy is Modified or Deleted.

Read More

Identifies when a owner is was removed from a application or service principal in Azure.

Read More

Identifies when a service principal is created in Azure.

Read More

Identifies when a service principal was removed in Azure.

Read More

Detects backup catalog deletions

Read More

Detects usage of the "FromBase64String" function in the commandline which is used to decode a base64 encoded string

Read More

Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.

Read More

Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.

Read More

Detects changes to the bitbucket audit log configuration.

Read More

Detects Bitbucket global secret scanning rule deletion activity.

Read More

Detects Bitbucket global SSH access configuration changes.

Read More

Detects when a secret scanning allowlist rule is added for projects.

Read More

Detects when a repository is exempted from secret scanning feature.

Read More

Detects when secret scanning rule is deleted for the project or repository.

Read More

Detects user authentication failure events. Please note that this rule can be noisy and it is recommended to use with correlation based on "author.name" field.

Read More

Monitor and alert for Bitlocker key retrieval.

Read More

Detects the execution of "BitLockerToGo.EXE". BitLocker To Go is BitLocker Drive Encryption on removable data drives. This feature includes the encryption of, USB flash drives, SD cards, External hard disk drives, Other drives that are formatted by using the NTFS, FAT16, FAT32, or exFAT file system. This is a rarely used application and usage of it at all is worth investigating. Malware such as Lumma stealer has been seen using this process as a target for process hollowing.

Read More

Detects a BITS transfer job downloading file(s) from a direct IP address.

Read More

Detects new BITS transfer job where the LocalName/Saved file is stored in a potentially suspicious location

Read More

Detects new BITS transfer job saving local files with potential suspicious extensions

Read More

Detects a suspicious download using the BITS client from a FQDN that is unusual. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.

Read More

Detects Bitsadmin connections to IP addresses instead of FQDN names

Read More

Detects Bitsadmin connections to domains with uncommon TLDs

Read More

BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption

Read More

All TCP traffic on particular port from attacker is routed to different port. ex. '/sbin/iptables -t nat -D PREROUTING -p tcp -s 192.168.1.1 --dport 22 -j REDIRECT --to-ports 42392' The traffic looks like encrypted SSH communications going to TCP port 22, but in reality is being directed to the shell port once it hits the iptables rule for the attacker host only.

Read More

Bypasses User Account Control using a fileless method

Read More

Detects the setting of the environement variable "windir" to a non default value. Attackers often abuse this variable in order to trigger a UAC bypass via the "SilentCleanup" task. The SilentCleanup task located in %windir%\system32\cleanmgr.exe is an auto-elevated task that can be abused to elevate any file with administrator privileges without prompting UAC.

Read More

Detect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files

Read More

Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.

Read More

Detects the use of "Ilasm.EXE" in order to compile C# intermediate (IL) code to EXE or DLL.

Read More

Monitor and alert on conditional access changes where non approved actor removed CA Policy.

Read More

Monitor and alert on conditional access changes. Is Initiated by (actor) approved to make changes? Review Modified Properties and compare "old" vs "new" value.

Read More

Detects the execution of the certutil with the "exportPFX" flag which allows the utility to export certificates.

Read More

Detect possible persistence using Fax DLL load when service restart

Read More

Change to authentication method could be an indicator of an attacker adding an auth method to the account so they can have continued access.

Read More

Detect change of the user account associated with the FAX service to avoid the escalation problem.

Read More

Detects tampering with the "ChannelAccess" registry key in order to change access to Windows event channel.

Read More

Monitor and alert for changes to the device registration policy.

Read More

Detects chmod targeting files in abnormal directory paths.

Read More

Detects BGP failures which may be indicative of brute force attacks to manipulate routing

Read More

Clear command history in network OS which is used for defense evasion

Read More

Show when private keys are being exported from the device, or when new certificates are installed

Read More

Turn off logging locally or remote

Read More

Detects when a successful MFA authentication occurs due to the use of a bypass code. A bypass code is a temporary passcode created by an administrator for a specific user to access a Duo-protected application. These are generally used as "backup codes," so that enrolled users who are having problems with their mobile devices (e.g., mobile service is disrupted, the device is lost or stolen, etc.) or who temporarily can't use their enrolled devices (on a plane without mobile data services) can still access their Duo-protected systems.

Read More

See what files are being deleted from flash file systems

Read More