attack.defense-impairment on Detection.FYI

A Rule Has Been Deleted From The Windows Firewall Exception List

Tue, 28 Apr 2026 23:20:23 +0000

Detects when a single rules or all of the rules have been deleted from the Windows Defender Firewall

Activate Suppression of Windows Security Center Notifications

Tue, 28 Apr 2026 23:20:23 +0000

Detect set Notification_Suppress to 1 to disable the Windows security center notification

Active Directory Certificate Services Denied Certificate Enrollment Request

Tue, 28 Apr 2026 23:20:23 +0000

Detects denied requests by Active Directory Certificate Services. Example of these requests denial include issues with permissions on the certificate template or invalid signatures.

AD Object WriteDAC Access

Tue, 28 Apr 2026 23:20:23 +0000

Detects WRITE_DAC access to a domain object

Add DisallowRun Execution to Registry

Tue, 28 Apr 2026 23:20:23 +0000

Detect set DisallowRun to 1 to prevent user running specific computer program

Add or Remove Computer from DC

Tue, 28 Apr 2026 23:20:23 +0000

Detects the creation or removal of a computer. Can be used to detect attacks such as DCShadow via the creation of a new SPN.

Add SafeBoot Keys Via Reg Utility

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of "reg.exe" commands with the "add" or "copy" flags on safe boot registry keys. Often used by attacker to allow the ransomware to work in safe mode as some security products do not

All Rules Have Been Deleted From The Windows Firewall Configuration

Tue, 28 Apr 2026 23:20:23 +0000

Detects when a all the rules have been deleted from the Windows Defender Firewall configuration

Allow RDP Remote Assistance Feature

Tue, 28 Apr 2026 23:20:23 +0000

Detect enable rdp feature to allow specific user to rdp connect on the targeted machine

AMSI Bypass Pattern Assembly GetType

Tue, 28 Apr 2026 23:20:23 +0000

Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts

AMSI Disabled via Registry Modification

Tue, 28 Apr 2026 23:20:23 +0000

Detects attempts to disable AMSI (Anti-Malware Scan Interface) by modifying the AmsiEnable registry value. Anti-Malware Scan Interface (AMSI) is a security feature in Windows that allows applications and services to integrate with anti-malware products for enhanced protection against malicious content. Adversaries may attempt to disable AMSI to evade detection by security software, allowing them to execute malicious scripts or code without being scanned.

Amsi.DLL Loaded Via LOLBIN Process

Tue, 28 Apr 2026 23:20:23 +0000

Detects loading of "Amsi.dll" by a living of the land process. This could be an indication of a "PowerShell without PowerShell" attack

Antivirus Filter Driver Disallowed On Dev Drive - Registry

Tue, 28 Apr 2026 23:20:23 +0000

Detects activity that indicates a user disabling the ability for Antivirus mini filter to inspect a "Dev Drive".

ASLR Disabled Via Sysctl or Direct Syscall - Linux

Tue, 28 Apr 2026 23:20:23 +0000

Detects actions that disable Address Space Layout Randomization (ASLR) in Linux, including: - Use of the `personality` syscall with the ADDR_NO_RANDOMIZE flag (0x0040000) - Modification of the /proc/sys/kernel/randomize_va_space file - Execution of the `sysctl` command to set `kernel.randomize_va_space=0` Disabling ASLR is often used by attackers during exploit development or to bypass memory protection mechanisms. A successful use of these methods can reduce the effectiveness of ASLR and make memory corruption attacks more reliable.

Audit Policy Tampering Via Auditpol

Tue, 28 Apr 2026 23:20:23 +0000

Threat actors can use auditpol binary to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.

Audit Policy Tampering Via NT Resource Kit Auditpol

Tue, 28 Apr 2026 23:20:23 +0000

Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.

Audit Rules Deleted Via Auditctl

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of 'auditctl' with the '-D' command line parameter, which deletes all configured audit rules and watches on Linux systems. This technique is commonly used by attackers to disable audit logging and cover their tracks by removing monitoring capabilities. Removal of audit rules can significantly impair detection of malicious activities on the affected system.

Auditing Configuration Changes on Linux Host

Tue, 28 Apr 2026 23:20:23 +0000

Detect changes in auditd configuration files

AWS CloudTrail Important Change

Tue, 28 Apr 2026 23:20:23 +0000

Detects disabling, deleting and updating of a Trail

AWS Config Disabling Channel/Recorder

Tue, 28 Apr 2026 23:20:23 +0000

Detects AWS Config Service disabling

AWS GuardDuty Detector Deleted Or Updated

Tue, 28 Apr 2026 23:20:23 +0000

Detects successful deletion or disabling of an AWS GuardDuty detector, possibly by an attacker trying to avoid detection of its malicious activities. Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost. Verify with the user identity that this activity is legitimate.

AWS GuardDuty Important Change

Tue, 28 Apr 2026 23:20:23 +0000

Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs.

AWS Identity Center Identity Provider Change

Tue, 28 Apr 2026 23:20:23 +0000

Detects a change in the AWS Identity Center (FKA AWS SSO) identity provider. A change in identity provider allows an attacker to establish persistent access or escalate privileges via user impersonation.

AWS SecurityHub Findings Evasion

Tue, 28 Apr 2026 23:20:23 +0000

Detects the modification of the findings on SecurityHub.

Azure Active Directory Hybrid Health AD FS New Server

Tue, 28 Apr 2026 23:20:23 +0000

This detection uses azureactivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service. A threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server. This can be done programmatically via HTTP requests to Azure.

Azure Active Directory Hybrid Health AD FS Service Delete

Tue, 28 Apr 2026 23:20:23 +0000

This detection uses azureactivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant. A threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs. The health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.

Azure AD Only Single Factor Authentication Required

Tue, 28 Apr 2026 23:20:23 +0000

Detect when users are authenticating without MFA being required.

Azure Firewall Modified or Deleted

Tue, 28 Apr 2026 23:20:23 +0000

Identifies when a firewall is created, modified, or deleted.

Azure Firewall Rule Collection Modified or Deleted

Tue, 28 Apr 2026 23:20:23 +0000

Identifies when Rule Collections (Application, NAT, and Network) is being modified or deleted.

Azure Kubernetes Events Deleted

Tue, 28 Apr 2026 23:20:23 +0000

Detects when Events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.

Azure Network Firewall Policy Modified or Deleted

Tue, 28 Apr 2026 23:20:23 +0000

Identifies when a Firewall Policy is Modified or Deleted.

Bitbucket Audit Log Configuration Updated

Tue, 28 Apr 2026 23:20:23 +0000

Detects changes to the bitbucket audit log configuration.

Bitbucket Global Secret Scanning Rule Deleted

Tue, 28 Apr 2026 23:20:23 +0000

Detects Bitbucket global secret scanning rule deletion activity.

Bitbucket Global SSH Settings Changed

Tue, 28 Apr 2026 23:20:23 +0000

Detects Bitbucket global SSH access configuration changes.

Bitbucket Project Secret Scanning Allowlist Added

Tue, 28 Apr 2026 23:20:23 +0000

Detects when a secret scanning allowlist rule is added for projects.

Bitbucket Secret Scanning Exempt Repository Added

Tue, 28 Apr 2026 23:20:23 +0000

Detects when a repository is exempted from secret scanning feature.

Bitbucket Secret Scanning Rule Deleted

Tue, 28 Apr 2026 23:20:23 +0000

Detects when secret scanning rule is deleted for the project or repository.

Blackbyte Ransomware Registry

Tue, 28 Apr 2026 23:20:23 +0000

Detects specific windows registry modifications made by BlackByte ransomware variants. BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption. This rule triggers when any of the following registry keys are set to DWORD 1, however all three should be investigated as part of a larger BlackByte ransomware detection and response effort.

Blue Mockingbird

Tue, 28 Apr 2026 23:20:23 +0000

Attempts to detect system changes made by Blue Mockingbird

Blue Mockingbird - Registry

Tue, 28 Apr 2026 23:20:23 +0000

Attempts to detect system changes made by Blue Mockingbird

Bpfdoor TCP Ports Redirect

Tue, 28 Apr 2026 23:20:23 +0000

All TCP traffic on particular port from attacker is routed to different port. ex. '/sbin/iptables -t nat -D PREROUTING -p tcp -s 192.168.1.1 --dport 22 -j REDIRECT --to-ports 42392' The traffic looks like encrypted SSH communications going to TCP port 22, but in reality is being directed to the shell port once it hits the iptables rule for the attacker host only.

CA Policy Removed by Non Approved Actor

Tue, 28 Apr 2026 23:20:23 +0000

Monitor and alert on conditional access changes where non approved actor removed CA Policy.

CA Policy Updated by Non Approved Actor

Tue, 28 Apr 2026 23:20:23 +0000

Monitor and alert on conditional access changes. Is Initiated by (actor) approved to make changes? Review Modified Properties and compare "old" vs "new" value.

Certificate-Based Authentication Enabled

Tue, 28 Apr 2026 23:20:23 +0000

Detects when certificate based authentication has been enabled in an Azure Active Directory tenant.

Change the Fax Dll

Tue, 28 Apr 2026 23:20:23 +0000

Detect possible persistence using Fax DLL load when service restart

Change to Authentication Method

Tue, 28 Apr 2026 23:20:23 +0000

Change to authentication method could be an indicator of an attacker adding an auth method to the account so they can have continued access.

Change User Account Associated with the FAX Service

Tue, 28 Apr 2026 23:20:23 +0000

Detect change of the user account associated with the FAX service to avoid the escalation problem.

Change Winevt Channel Access Permission Via Registry

Tue, 28 Apr 2026 23:20:23 +0000

Detects tampering with the "ChannelAccess" registry key in order to change access to Windows event channel.

Changes to Device Registration Policy

Tue, 28 Apr 2026 23:20:23 +0000

Monitor and alert for changes to the device registration policy.

Chmod Targeting Sensitive Directories

Tue, 28 Apr 2026 23:20:23 +0000

Detects chmod targeting files in sensitive directory paths on Linux systems. Attackers may use chmod to change permissions of files in these directories to maintain persistence, escalate privileges, or disrupt system operations.

Cisco Crypto Commands

Tue, 28 Apr 2026 23:20:23 +0000

Show when private keys are being exported from the device, or when new certificates are installed

Cisco Disabling Logging

Tue, 28 Apr 2026 23:20:23 +0000

Turn off logging locally or remote

Cisco Dot1x Disabled

Tue, 28 Apr 2026 23:20:23 +0000

Detects the manual disablement of IEEE 802.1X (dot1x) on a Cisco network device interface. Disabling dot1x bypasses Network Access Control (NAC) mechanisms, potentially allowing unauthorized devices to gain access to the internal network. This activity is a common technique used by attackers or malicious insiders to establish persistence or perform lateral movement via rogue devices.

Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall

Tue, 28 Apr 2026 23:20:23 +0000

Detects the use of the `syslog` syscall with action code 5 (SYSLOG_ACTION_CLEAR), (4 is SYSLOG_ACTION_READ_CLEAR and 6 is SYSLOG_ACTION_CONSOLE_OFF) which clears the kernel ring buffer (dmesg logs). This can be used by attackers to hide traces after exploitation or privilege escalation. A common technique is running `dmesg -c`, which triggers this syscall internally.

ClickOnce Trust Prompt Tampering

Tue, 28 Apr 2026 23:20:23 +0000

Detects changes to the ClickOnce trust prompt registry key in order to enable an installation from different locations such as the Internet.

CrashControl CrashDump Disabled

Tue, 28 Apr 2026 23:20:23 +0000

Detects disabling the CrashDump per registry (as used by HermeticWiper)

CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry

Tue, 28 Apr 2026 23:20:23 +0000

Detects changes to the "Ports" registry key with data that includes a Windows path or a file with a suspicious extension. This could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability.

Delete Defender Scan ShellEx Context Menu Registry Key

Tue, 28 Apr 2026 23:20:23 +0000

Detects deletion of registry key that adds 'Scan with Defender' option in context menu. Attackers may use this to make it harder for users to scan files that are suspicious.

Deployment Of The AppX Package Was Blocked By The Policy

Tue, 28 Apr 2026 23:20:23 +0000

Detects an appx package deployment that was blocked by the local computer policy. The following events indicate that an AppX package deployment was blocked by a policy: - Event ID 441: The package deployment operation is blocked by the "Allow deployment operations in special profiles" policy - Event ID 442: Deployments to non-system volumes are blocked by the "Disable deployment of Windows Store apps to non-system volumes" policy." - Event ID 453: Package blocked by a platform policy. - Event ID 454: Package blocked by a platform policy.

Devcon Execution Disabling VMware VMCI Device

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of devcon.exe with commands that disable the VMware Virtual Machine Communication Interface (VMCI) device. This can be legitimate during VMware Tools troubleshooting or driver conflicts, but may also indicate malware attempting to hijack communication with the hardware via the VMCI device. This has been used to facilitate VMware ESXi vulnerability exploits to escape VMs and execute code on the ESXi host.

DHCP Callout DLL Installation

Tue, 28 Apr 2026 23:20:23 +0000

Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)

Diamond Sleet APT Scheduled Task Creation - Registry

Tue, 28 Apr 2026 23:20:23 +0000

Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability

Directory Service Restore Mode(DSRM) Registry Value Tampering

Tue, 28 Apr 2026 23:20:23 +0000

Detects changes to "DsrmAdminLogonBehavior" registry value. During a Domain Controller (DC) promotion, administrators create a Directory Services Restore Mode (DSRM) local administrator account with a password that rarely changes. The DSRM account is an “Administrator” account that logs in with the DSRM mode when the server is booting up to restore AD backups or recover the server from a failure. Attackers could abuse DSRM account to maintain their persistence and access to the organization's Active Directory. If the "DsrmAdminLogonBehavior" value is set to "0", the administrator account can only be used if the DC starts in DSRM. If the "DsrmAdminLogonBehavior" value is set to "1", the administrator account can only be used if the local AD DS service is stopped. If the "DsrmAdminLogonBehavior" value is set to "2", the administrator account can always be used.

Disable Exploit Guard Network Protection on Windows Defender

Tue, 28 Apr 2026 23:20:23 +0000

Detects disabling Windows Defender Exploit Guard Network Protection

Disable Internal Tools or Feature in Registry

Tue, 28 Apr 2026 23:20:23 +0000

Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)

Disable Macro Runtime Scan Scope

Tue, 28 Apr 2026 23:20:23 +0000

Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros

Disable Microsoft Defender Firewall via Registry

Tue, 28 Apr 2026 23:20:23 +0000

Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage

Disable of ETW Trace - Powershell

Tue, 28 Apr 2026 23:20:23 +0000

Detects usage of powershell cmdlets to disable or remove ETW trace sessions

Disable Or Stop Services

Tue, 28 Apr 2026 23:20:23 +0000

Detects the usage of utilities such as 'systemctl', 'service'...etc to stop or disable tools and services on Linux systems. Attackers may stop or disable security tools and services to evade detection, maintain persistence, or disrupt system operations.

Disable Privacy Settings Experience in Registry

Tue, 28 Apr 2026 23:20:23 +0000

Detects registry modifications that disable Privacy Settings Experience

Disable PUA Protection on Windows Defender

Tue, 28 Apr 2026 23:20:23 +0000

Detects disabling Windows Defender PUA protection

Disable Security Events Logging Adding Reg Key MiniNt

Tue, 28 Apr 2026 23:20:23 +0000

Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stop writing events.

Disable Security Tools

Tue, 28 Apr 2026 23:20:23 +0000

Detects disabling security tools

Disable System Firewall

Tue, 28 Apr 2026 23:20:23 +0000

Detects disabling of system firewalls which could be used by adversaries to bypass controls that limit usage of the network.

Disable Tamper Protection on Windows Defender

Tue, 28 Apr 2026 23:20:23 +0000

Detects disabling Windows Defender Tamper Protection

Disable Windows Defender AV Security Monitoring

Tue, 28 Apr 2026 23:20:23 +0000

Detects attackers attempting to disable Windows Defender using Powershell

Disable Windows Defender Functionalities Via Registry Keys

Tue, 28 Apr 2026 23:20:23 +0000

Detects when attackers or tools disable Windows Defender functionalities via the Windows registry

Disable Windows Event Logging Via Registry

Tue, 28 Apr 2026 23:20:23 +0000

Detects tampering with the "Enabled" registry key in order to disable Windows logging of a Windows event channel

Disable Windows Firewall by Registry

Tue, 28 Apr 2026 23:20:23 +0000

Detect set EnableFirewall to 0 to disable the Windows firewall

Disable Windows IIS HTTP Logging

Tue, 28 Apr 2026 23:20:23 +0000

Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)

Disable Windows Security Center Notifications

Tue, 28 Apr 2026 23:20:23 +0000

Detect set UseActionCenterExperience to 0 to disable the Windows security center notification

Disable-WindowsOptionalFeature Command PowerShell

Tue, 28 Apr 2026 23:20:23 +0000

Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images

Disabled IE Security Features

Tue, 28 Apr 2026 23:20:23 +0000

Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features

Disabled MFA to Bypass Authentication Mechanisms

Tue, 28 Apr 2026 23:20:23 +0000

Detection for when multi factor authentication has been disabled, which might indicate a malicious activity to bypass authentication mechanisms.

Disabled Volume Snapshots

Tue, 28 Apr 2026 23:20:23 +0000

Detects commands that temporarily turn off Volume Snapshots

Disabled Windows Defender Eventlog

Tue, 28 Apr 2026 23:20:23 +0000

Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections

Disabling Multi Factor Authentication

Tue, 28 Apr 2026 23:20:23 +0000

Detects disabling of Multi Factor Authentication.

Disabling Security Tools

Tue, 28 Apr 2026 23:20:23 +0000

Detects disabling security tools

Disabling Security Tools - Builtin

Tue, 28 Apr 2026 23:20:23 +0000

Detects disabling security tools

Disabling Windows Defender WMI Autologger Session via Reg.exe

Tue, 28 Apr 2026 23:20:23 +0000

Detects the use of reg.exe to disable the Event Tracing for Windows (ETW) Autologger session for Windows Defender API and Audit events. By setting the 'Start' value to '0' for the 'DefenderApiLogger' or 'DefenderAuditLogger' session, an attacker can prevent these critical security events from being logged, effectively blinding monitoring tools that rely on this data. This is a powerful defense evasion technique.

Dism Remove Online Package

Tue, 28 Apr 2026 23:20:23 +0000

Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images

DNS-over-HTTPS Enabled by Registry

Tue, 28 Apr 2026 23:20:23 +0000

Detects when a user enables DNS-over-HTTPS. This can be used to hide internet activity or be used to hide the process of exfiltrating data. With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.

Dropping Of Password Filter DLL

Tue, 28 Apr 2026 23:20:23 +0000

Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS

DumpStack.log Defender Evasion

Tue, 28 Apr 2026 23:20:23 +0000

Detects the use of the filename DumpStack.log to evade Microsoft Defender

Enable LM Hash Storage

Tue, 28 Apr 2026 23:20:23 +0000

Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes. By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.

Enable LM Hash Storage - ProcCreation

Tue, 28 Apr 2026 23:20:23 +0000

Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback

Tue, 28 Apr 2026 23:20:23 +0000

Detects enabling of the "AllowAnonymousCallback" registry value, which allows a remote connection between computers that do not have a trust relationship.

ESXi Syslog Configuration Change Via ESXCLI

Tue, 28 Apr 2026 23:20:23 +0000

Detects changes to the ESXi syslog configuration via "esxcli"

ETW Logging Disabled For rpcrt4.dll

Tue, 28 Apr 2026 23:20:23 +0000

Detects changes to the "ExtErrorInformation" key in order to disable ETW logging for rpcrt4.dll

ETW Logging Disabled For SCM

Tue, 28 Apr 2026 23:20:23 +0000

Detects changes to the "TracingDisabled" key in order to disable ETW logging for services.exe (SCM)

ETW Logging Disabled In .NET Processes - Registry

Tue, 28 Apr 2026 23:20:23 +0000

Potential adversaries stopping ETW providers recording loaded .NET assemblies.

ETW Logging Disabled In .NET Processes - Sysmon Registry

Tue, 28 Apr 2026 23:20:23 +0000

Potential adversaries stopping ETW providers recording loaded .NET assemblies.

ETW Logging Tamper In .NET Processes Via CommandLine

Tue, 28 Apr 2026 23:20:23 +0000

Detects changes to environment variables related to ETW logging via the CommandLine. This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.

ETW Logging/Processing Option Disabled On IIS Server

Tue, 28 Apr 2026 23:20:23 +0000

Detects changes to of the IIS server configuration in order to disable/remove the ETW logging/processing option.

ETW Trace Evasion Activity

Tue, 28 Apr 2026 23:20:23 +0000

Detects command line activity that tries to clear or disable any ETW trace log which could be a sign of logging evasion.

Eventlog Cleared

Tue, 28 Apr 2026 23:20:23 +0000

One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution

EVTX Created In Uncommon Location

Tue, 28 Apr 2026 23:20:23 +0000

Detects the creation of new files with the ".evtx" extension in non-common or non-standard location. This could indicate tampering with default EVTX locations in order to evade security controls or simply exfiltration of event log to search for sensitive information within. Note that backup software and legitimate administrator might perform similar actions during troubleshooting.

File or Folder Permissions Change

Tue, 28 Apr 2026 23:20:23 +0000

Detects file and folder permission changes.

Filter Driver Unloaded Via Fltmc.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detect filter driver unloading activity via fltmc.exe

Firewall Disabled via Netsh.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects netsh commands that turns off the Windows firewall

Firewall Rule Deleted Via Netsh.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects the removal of a port or application rule in the Windows Firewall configuration using netsh

Firewall Rule Update Via Netsh.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of netsh with the "advfirewall" and the "set" option in order to set new values for properties of a existing rule

FlowCloud Registry Markers

Tue, 28 Apr 2026 23:20:23 +0000

Detects FlowCloud malware registry markers from threat group TA410. The malware stores its configuration in the registry alongside drivers utilized by the malware's keylogger components.

Flush Iptables Ufw Chain

Tue, 28 Apr 2026 23:20:23 +0000

Detect use of iptables to flush all firewall rules, tables and chains and allow all network traffic

Folder Removed From Exploit Guard ProtectedFolders List - Registry

Tue, 28 Apr 2026 23:20:23 +0000

Detects the removal of folders from the "ProtectedFolders" list of of exploit guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder

Forest Blizzard APT - File Creation Activity

Tue, 28 Apr 2026 23:20:23 +0000

Detects the creation of specific files inside of ProgramData directory. These files were seen being created by Forest Blizzard as described by MSFT.

Forest Blizzard APT - JavaScript Constrained File Creation

Tue, 28 Apr 2026 23:20:23 +0000

Detects the creation of JavaScript files inside of the DriverStore directory. Forest Blizzard used this to exploit the CVE-2022-38028 vulnerability in Windows Print Spooler service by modifying a JavaScript constraints file and executing it with SYSTEM-level permissions.

FortiGate - Firewall Address Object Added

Tue, 28 Apr 2026 23:20:23 +0000

Detects the addition of firewall address objects on a Fortinet FortiGate Firewall.

FortiGate - New Firewall Policy Added

Tue, 28 Apr 2026 23:20:23 +0000

Detects the addition of a new firewall policy on a Fortinet FortiGate Firewall.

Gatekeeper Bypass via Xattr

Tue, 28 Apr 2026 23:20:23 +0000

Detects macOS Gatekeeper bypass via xattr utility

Github High Risk Configuration Disabled

Tue, 28 Apr 2026 23:20:23 +0000

Detects when a user disables a critical security feature for an organization.

Github Push Protection Bypass Detected

Tue, 28 Apr 2026 23:20:23 +0000

Detects when a user bypasses the push protection on a secret detected by secret scanning.

Github Push Protection Disabled

Tue, 28 Apr 2026 23:20:23 +0000

Detects if the push protection feature is disabled for an organization, enterprise, repositories or custom pattern rules.

GitHub Repository Archive Status Changed

Tue, 28 Apr 2026 23:20:23 +0000

Detects when a GitHub repository is archived or unarchived, which may indicate unauthorized changes to repository status.

Github Secret Scanning Feature Disabled

Tue, 28 Apr 2026 23:20:23 +0000

Detects if the secret scanning feature is disabled for an enterprise or repository.

Google Cloud Firewall Modified or Deleted

Tue, 28 Apr 2026 23:20:23 +0000

Detects when a firewall rule is modified or deleted in Google Cloud Platform (GCP).

Group Policy Abuse for Privilege Addition

Tue, 28 Apr 2026 23:20:23 +0000

Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.

HackTool - CobaltStrike BOF Injection Pattern

Tue, 28 Apr 2026 23:20:23 +0000

Detects a typical pattern of a CobaltStrike BOF which inject into other processes

Hacktool - EDR-Freeze Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of EDR-Freeze, a tool that exploits the MiniDumpWriteDump function and WerFaultSecure.exe to suspend EDR and Antivirus processes on Windows. EDR-Freeze leverages a race-condition attack to put security processes into a dormant state by suspending WerFaultSecure at the moment it freezes the target process. This technique does not require kernel-level exploits or BYOVD, but instead abuses user-mode functionality to temporarily disable monitoring by EDR or Antimalware solutions.

HackTool - EDRSilencer Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of EDRSilencer, a tool that leverages Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server based on PE metadata information.

HackTool - EDRSilencer Execution - Filter Added

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of EDRSilencer, a tool that abuses the Windows Filtering Platform (WFP) to block the outbound traffic of running EDR agents based on specific hardcoded filter names.

HackTool - PowerTool Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files

HackTool - SharpEvtMute DLL Load

Tue, 28 Apr 2026 23:20:23 +0000

Detects the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool that tampers with the Windows event logs

HackTool - SharpEvtMute Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects the use of SharpEvtHook, a tool that tampers with the Windows event logs

HackTool - Stracciatella Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects Stracciatella which executes a Powershell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled based on PE metadata characteristics.

HackTool - SysmonEnte Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon

Hide Schedule Task Via Index Value Tamper

Tue, 28 Apr 2026 23:20:23 +0000

Detects when the "index" value of a scheduled task is modified from the registry Which effectively hides it from any tooling such as "schtasks /query" (Read the referenced link for more information about the effects of this technique)

HTTP Logging Disabled On IIS Server

Tue, 28 Apr 2026 23:20:23 +0000

Detects changes to of the IIS server configuration in order to disable HTTP logging for successful requests.

Hypervisor Enforced Paging Translation Disabled

Tue, 28 Apr 2026 23:20:23 +0000

Detects changes to the "DisableHypervisorEnforcedPagingTranslation" registry value. Where the it is set to "1" in order to disable the Hypervisor Enforced Paging Translation feature.

Hypervisor-protected Code Integrity (HVCI) Related Registry Tampering Via CommandLine

Tue, 28 Apr 2026 23:20:23 +0000

Detects the tampering of Hypervisor-protected Code Integrity (HVCI) related registry values via command line tool reg.exe. HVCI uses virtualization-based security to protect code integrity by ensuring that only trusted code can run in kernel mode. Adversaries may tamper with HVCI to load malicious or unsigned drivers, which can be used to escalate privileges, maintain persistence, or evade security mechanisms.

Important Windows Event Auditing Disabled

Tue, 28 Apr 2026 23:20:23 +0000

Detects scenarios where system auditing for important events such as "Process Creation" or "Logon" events is disabled.

Important Windows Eventlog Cleared

Tue, 28 Apr 2026 23:20:23 +0000

Detects the clearing of one of the Windows Core Eventlogs. e.g. caused by "wevtutil cl" command execution

Imports Registry Key From a File

Tue, 28 Apr 2026 23:20:23 +0000

Detects the import of the specified file to the registry with regedit.exe.

Imports Registry Key From an ADS

Tue, 28 Apr 2026 23:20:23 +0000

Detects the import of a alternate datastream to the registry with regedit.exe.

Indicator Removal on Host - Clear Mac System Logs

Tue, 28 Apr 2026 23:20:23 +0000

Detects deletion of local audit logs

Install Root Certificate

Tue, 28 Apr 2026 23:20:23 +0000

Detects installation of new certificate on the system which attackers may use to avoid warnings when connecting to controlled web servers or C2s

Internet Explorer DisableFirstRunCustomize Enabled

Tue, 28 Apr 2026 23:20:23 +0000

Detects changes to the Internet Explorer "DisableFirstRunCustomize" value, which prevents Internet Explorer from running the first run wizard the first time a user starts the browser after installing Internet Explorer or Windows.

Kapeka Backdoor Configuration Persistence

Tue, 28 Apr 2026 23:20:23 +0000

Detects registry set activity of a value called "Seed" stored in the "\Cryptography\Providers\" registry key. The Kapeka backdoor leverages this location to register a new SIP provider for backdoor configuration persistence.

Kaspersky Endpoint Security Stopped Via CommandLine - Linux

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of the Kaspersky init.d stop script on Linux systems either directly or via systemctl. This activity may indicate a manual interruption of the antivirus service by an administrator, or it could be a sign of potential tampering or evasion attempts by malicious actors.

Linux Logs Clearing Attempts

Tue, 28 Apr 2026 23:20:23 +0000

Detects logs clearing attempts on Linux systems via utilities such as 'rm', 'rmdir', 'shred', and 'unlink' targeting log files and directories. Adversaries often try to clear logs to cover their tracks after performing malicious activities.

Load Of RstrtMgr.DLL By A Suspicious Process

Tue, 28 Apr 2026 23:20:23 +0000

Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. It could also be used for anti-analysis purposes by shut downing specific processes.

Load Of RstrtMgr.DLL By An Uncommon Process

Tue, 28 Apr 2026 23:20:23 +0000

Detects the load of RstrtMgr DLL (Restart Manager) by an uncommon process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. It could also be used for anti-analysis purposes by shut downing specific processes.

Logging Configuration Changes on Linux Host

Tue, 28 Apr 2026 23:20:23 +0000

Detect changes of syslog daemons configuration files

LSA PPL Protection Setting Modification via CommandLine

Tue, 28 Apr 2026 23:20:23 +0000

Detects modification of LSA PPL protection settings via CommandLine. It may indicate an attempt to disable protection and enable credential dumping tools to access LSASS process memory.

Macro Enabled In A Potentially Suspicious Document

Tue, 28 Apr 2026 23:20:23 +0000

Detects registry changes to Office trust records where the path is located in a potentially suspicious location

Microsoft Defender Tamper Protection Trigger

Tue, 28 Apr 2026 23:20:23 +0000

Detects blocked attempts to change any of Defender's settings such as "Real Time Monitoring" and "Behavior Monitoring"

Microsoft Malware Protection Engine Crash

Tue, 28 Apr 2026 23:20:23 +0000

This rule detects a suspicious crash of the Microsoft Malware Protection Engine

Microsoft Malware Protection Engine Crash - WER

Tue, 28 Apr 2026 23:20:23 +0000

This rule detects a suspicious crash of the Microsoft Malware Protection Engine

Microsoft Office Protected View Disabled

Tue, 28 Apr 2026 23:20:23 +0000

Detects changes to Microsoft Office protected view registry keys with which the attacker disables this feature.

Modification of IE Registry Settings

Tue, 28 Apr 2026 23:20:23 +0000

Detects modification of the registry settings used for Internet Explorer and other Windows components that use these settings. An attacker can abuse this registry key to add a domain to the trusted sites Zone or insert JavaScript for persistence

Modify Group Policy Settings

Tue, 28 Apr 2026 23:20:23 +0000

Detect malicious GPO modifications can be used to implement many other malicious behaviors.

Modify Group Policy Settings - ScriptBlockLogging

Tue, 28 Apr 2026 23:20:23 +0000

Detect malicious GPO modifications can be used to implement many other malicious behaviors.

Modify System Firewall

Tue, 28 Apr 2026 23:20:23 +0000

Detects the removal of system firewall rules. Adversaries may only delete or modify a specific system firewall rule to bypass controls limiting network usage or access. Detection rules that match only on the disabling of firewalls will miss this.

MSSQL Disable Audit Settings

Tue, 28 Apr 2026 23:20:23 +0000

Detects when an attacker calls the "ALTER SERVER AUDIT" or "DROP SERVER AUDIT" transaction in order to delete or disable audit logs on the server

NET NGenAssemblyUsageLog Registry Key Tamper

Tue, 28 Apr 2026 23:20:23 +0000

Detects changes to the NGenAssemblyUsageLog registry key. .NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section). By simplify specifying an arbitrary value (e.g. fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.

NetNTLM Downgrade Attack

Tue, 28 Apr 2026 23:20:23 +0000

Detects NetNTLM downgrade attack

NetNTLM Downgrade Attack - Registry

Tue, 28 Apr 2026 23:20:23 +0000

Detects NetNTLM downgrade attack

Netsh Allow Group Policy on Microsoft Defender Firewall

Tue, 28 Apr 2026 23:20:23 +0000

Adversaries may modify system firewalls in order to bypass controls limiting network usage

New BgInfo.EXE Custom DB Path Registry Configuration

Tue, 28 Apr 2026 23:20:23 +0000

Detects setting of a new registry database value related to BgInfo configuration. Attackers can for example set this value to save the results of the commands executed by BgInfo in order to exfiltrate information.

New BgInfo.EXE Custom VBScript Registry Configuration

Tue, 28 Apr 2026 23:20:23 +0000

Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom VBScript via "BgInfo.exe"

New BgInfo.EXE Custom WMI Query Registry Configuration

Tue, 28 Apr 2026 23:20:23 +0000

Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom WMI query via "BgInfo.exe"

New DNS ServerLevelPluginDll Installed

Tue, 28 Apr 2026 23:20:23 +0000

Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)

New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)

New Federated Domain Added

Tue, 28 Apr 2026 23:20:23 +0000

Detects the addition of a new Federated Domain.

New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application

Tue, 28 Apr 2026 23:20:23 +0000

Detects the addition of a new rule to the Windows Firewall exception list for an application located in a potentially suspicious location.

New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects the addition of a new "Allow" firewall rule by the WMI process (WmiPrvSE.EXE). This can occur if an attacker leverages PowerShell cmdlets such as "New-NetFirewallRule", or directly uses WMI CIM classes such as "MSFT_NetFirewallRule".

New Firewall Rule Added Via Netsh.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects the addition of a new rule to the Windows firewall via netsh

New Module Module Added To IIS Server

Tue, 28 Apr 2026 23:20:23 +0000

Detects the addition of a new module to an IIS server.

New Network ACL Entry Added

Tue, 28 Apr 2026 23:20:23 +0000

Detects that network ACL entries have been added to a route table which could indicate that new attack vectors have been opened up in the AWS account.

New Network Route Added

Tue, 28 Apr 2026 23:20:23 +0000

Detects the addition of a new network route to a route table in AWS.

New Root Certificate Authority Added

Tue, 28 Apr 2026 23:20:23 +0000

Detects newly added root certificate authority to an AzureAD tenant to support certificate based authentication.

New Root Certificate Installed Via CertMgr.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of "certmgr" with the "add" flag in order to install a new certificate on the system. Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.

New Root Certificate Installed Via Certutil.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of "certutil" with the "addstore" flag in order to install a new certificate on the system. Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.

Non-privileged Usage of Reg or Powershell

Tue, 28 Apr 2026 23:20:23 +0000

Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry

NotPetya Ransomware Activity

Tue, 28 Apr 2026 23:20:23 +0000

Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and Windows eventlogs are cleared using wevtutil

NtdllPipe Like Activity Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects command that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection. As seen being used in the POC NtdllPipe

Obfuscated PowerShell OneLiner Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of a specific OneLiner to download and execute powershell modules in memory.

OceanLotus Registry Activity

Tue, 28 Apr 2026 23:20:23 +0000

Detects registry keys created in OceanLotus (also known as APT32) attacks

Office Macros Warning Disabled

Tue, 28 Apr 2026 23:20:23 +0000

Detects registry changes to Microsoft Office "VBAWarning" to a value of "1" which enables the execution of all macros, whether signed or unsigned.

OilRig APT Activity

Tue, 28 Apr 2026 23:20:23 +0000

Detects OilRig activity as reported by Nyotron in their March 2018 report

OilRig APT Registry Persistence

Tue, 28 Apr 2026 23:20:23 +0000

Detects OilRig registry persistence as reported by Nyotron in their March 2018 report

OilRig APT Schedule Task Persistence - Security

Tue, 28 Apr 2026 23:20:23 +0000

Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report

OilRig APT Schedule Task Persistence - System

Tue, 28 Apr 2026 23:20:23 +0000

Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report

Okta MFA Reset or Deactivated

Tue, 28 Apr 2026 23:20:23 +0000

Detects when an attempt at deactivating or resetting MFA.

Okta User Session Start Via An Anonymising Proxy Service

Tue, 28 Apr 2026 23:20:23 +0000

Detects when an Okta user session starts where the user is behind an anonymising proxy service.

Outlook EnableUnsafeClientMailRules Setting Enabled - Registry

Tue, 28 Apr 2026 23:20:23 +0000

Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros

Persistence Via New SIP Provider

Tue, 28 Apr 2026 23:20:23 +0000

Detects when an attacker register a new SIP provider for persistence and defense evasion

Possible DC Shadow Attack

Tue, 28 Apr 2026 23:20:23 +0000

Detects DCShadow via create new SPN

Possible Shadow Credentials Added

Tue, 28 Apr 2026 23:20:23 +0000

Detects possible addition of shadow credentials to an active directory object.

Potential AMSI Bypass Script Using NULL Bits

Tue, 28 Apr 2026 23:20:23 +0000

Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities

Potential AMSI Bypass Using NULL Bits

Tue, 28 Apr 2026 23:20:23 +0000

Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities

Potential AMSI Bypass Via .NET Reflection

Tue, 28 Apr 2026 23:20:23 +0000

Detects Request to "amsiInitFailed" that can be used to disable AMSI Scanning

Potential AMSI COM Server Hijacking

Tue, 28 Apr 2026 23:20:23 +0000

Detects changes to the AMSI come server registry key in order disable AMSI scanning functionalities. When AMSI attempts to starts its COM component, it will query its registered CLSID and return a non-existent COM server. This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless

Potential Attachment Manager Settings Associations Tamper

Tue, 28 Apr 2026 23:20:23 +0000

Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)

Potential Attachment Manager Settings Attachments Tamper

Tue, 28 Apr 2026 23:20:23 +0000

Detects tampering with attachment manager settings policies attachments (See reference for more information)

Potential AutoLogger Sessions Tampering

Tue, 28 Apr 2026 23:20:23 +0000

Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging. The AutoLogger event tracing session records events up that occur early in the operating system boot process. Applications and device drivers can use the AutoLogger session to capture traces before the user logs in, and also used by security solutions as telemetry source. Adversaries may disable these sessions to evade detection and prevent security monitoring of early boot activities and system events.

Potential EventLog File Location Tampering

Tue, 28 Apr 2026 23:20:23 +0000

Detects tampering with EventLog service "file" key. In order to change the default location of an Evtx file. This technique is used to tamper with log collection and alerting

Potential Ke3chang/TidePool Malware Activity

Tue, 28 Apr 2026 23:20:23 +0000

Detects registry modifications potentially related to the Ke3chang/TidePool malware as seen in campaigns running in 2019 and 2020

Potential NetWire RAT Activity - Registry

Tue, 28 Apr 2026 23:20:23 +0000

Detects registry keys related to NetWire RAT

Potential Persistence Via Custom Protocol Handler

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential persistence activity via the registering of a new custom protocole handlers. While legitimate applications register protocole handlers often times during installation. And attacker can abuse this by setting a custom handler to be used as a persistence mechanism.

Potential Persistence Via Event Viewer Events.asp

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential registry persistence technique using the Event Viewer "Events.asp" technique

Potential Persistence Via Outlook Home Page

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential persistence activity via outlook home page. An attacker can set a home page to achieve code execution and persistence by editing the WebView registry keys.

Potential Persistence Via Outlook Today Page

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential persistence activity via outlook today page. An attacker can set a custom page to execute arbitrary code and link to it via the registry values "URL" and "UserDefinedUrl".

Potential Persistence Via Security Descriptors - ScriptBlock

Tue, 28 Apr 2026 23:20:23 +0000

Detects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor. As seen used in the DAMP project.

Potential PowerShell Execution Policy Tampering

Tue, 28 Apr 2026 23:20:23 +0000

Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution

Potential PowerShell Execution Policy Tampering - ProcCreation

Tue, 28 Apr 2026 23:20:23 +0000

Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine

Potential Privileged System Service Operation - SeLoadDriverPrivilege

Tue, 28 Apr 2026 23:20:23 +0000

Detects the usage of the 'SeLoadDriverPrivilege' privilege. This privilege is required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. If you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers. This will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools. So you have to work with a whitelist to find the bad stuff.

Potential Qakbot Registry Activity

Tue, 28 Apr 2026 23:20:23 +0000

Detects a registry key used by IceID in a campaign that distributes malicious OneNote files

Potential Raspberry Robin Registry Set Internet Settings ZoneMap

Tue, 28 Apr 2026 23:20:23 +0000

Detects registry modifications related to the proxy configuration of the system, potentially associated with the Raspberry Robin malware, as seen in campaigns running in Q1 2024. Raspberry Robin may alter proxy settings to circumvent security measures, ensuring unhindered connection with Command and Control servers for maintaining control over compromised systems if there are any proxy settings that are blocking connections.

Potential Secure Deletion with SDelete

Tue, 28 Apr 2026 23:20:23 +0000

Detects files that have extensions commonly seen while SDelete is used to wipe files.

Potential Suspicious Activity Using SeCEdit

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy

Potential Suspicious Registry File Imported Via Reg.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects the import of '.reg' files from suspicious paths using the 'reg.exe' utility

Potential Tampering With RDP Related Registry Keys Via Reg.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of "reg.exe" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\Control\Terminal Server' values

Potential Tampering With Security Products Via WMIC

Tue, 28 Apr 2026 23:20:23 +0000

Detects uninstallation or termination of security products using the WMIC utility

Potential Ursnif Malware Activity - Registry

Tue, 28 Apr 2026 23:20:23 +0000

Detects registry keys related to Ursnif malware.

Potential Windows Defender Tampering Via Wmic.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential tampering with Windows Defender settings such as adding exclusion using wmic

Potentially Suspicious Call To Win32_NTEventlogFile Class

Tue, 28 Apr 2026 23:20:23 +0000

Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script

Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript

Tue, 28 Apr 2026 23:20:23 +0000

Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script

Potentially Suspicious Desktop Background Change Using Reg.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of "reg.exe" to alter registry keys that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image.

Potentially Suspicious Desktop Background Change Via Registry

Tue, 28 Apr 2026 23:20:23 +0000

Detects registry value settings that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image.

Potentially Suspicious NTFS Symlink Behavior Modification

Tue, 28 Apr 2026 23:20:23 +0000

Detects the modification of NTFS symbolic link behavior using fsutil, which could be used to enable remote to local or remote to remote symlinks for potential attacks.

Potentially Suspicious WDAC Policy File Creation

Tue, 28 Apr 2026 23:20:23 +0000

Detects suspicious Windows Defender Application Control (WDAC) policy file creation from abnormal processes that could be abused by attacker to block EDR/AV components while allowing their own malicious code to run on the system.

Powershell Base64 Encoded MpPreference Cmdlet

Tue, 28 Apr 2026 23:20:23 +0000

Detects base64 encoded "MpPreference" PowerShell cmdlet code that tries to modifies or tamper with Windows Defender AV

Powershell Defender Disable Scan Feature

Tue, 28 Apr 2026 23:20:23 +0000

Detects requests to disable Microsoft Defender features using PowerShell commands

Powershell Defender Exclusion

Tue, 28 Apr 2026 23:20:23 +0000

Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets

PowerShell Defender Threat Severity Default Action Set to 'Allow' or 'NoAction'

Tue, 28 Apr 2026 23:20:23 +0000

Detects the use of PowerShell to execute the 'Set-MpPreference' cmdlet to configure Windows Defender's threat severity default action to 'Allow' (value '6') or 'NoAction' (value '9'). This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level. An attacker might use this technique via the command line to bypass defenses before executing payloads.

Powershell Install a DLL in System Directory

Tue, 28 Apr 2026 23:20:23 +0000

Uses PowerShell to install/copy a file into a system directory such as "System32" or "SysWOW64"

PowerShell Logging Disabled Via Registry Key Tampering

Tue, 28 Apr 2026 23:20:23 +0000

Detects changes to the registry for the currently logged-in user. In order to disable PowerShell module logging, script block logging or transcription and script execution logging

PowerShell Script Change Permission Via Set-Acl - PsScript

Tue, 28 Apr 2026 23:20:23 +0000

Detects PowerShell scripts set ACL to of a file or a folder

PowerShell Set-Acl On Windows Folder - PsScript

Tue, 28 Apr 2026 23:20:23 +0000

Detects PowerShell scripts to set the ACL to a file in the Windows folder

PowerShell Write-EventLog Usage

Tue, 28 Apr 2026 23:20:23 +0000

Detects usage of the "Write-EventLog" cmdlet with 'RawData' flag. The cmdlet can be levreage to write malicious payloads to the EventLog and then retrieve them later for later use

PPL Tampering Via WerFaultSecure

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential abuse of WerFaultSecure.exe to dump Protected Process Light (PPL) processes like LSASS or to freeze security solutions (EDR/antivirus). This technique is used by tools such as EDR-Freeze and WSASS to bypass PPL protections and access sensitive information or disable security software. Distinct command line patterns help identify the specific tool: - WSASS usage typically shows: "WSASS.exe WerFaultSecure.exe [PID]" in ParentCommandLine - EDR-Freeze usage typically shows: "EDR-Freeze_[version].exe [PID] [timeout]" in ParentCommandLine Legitimate debugging operations using WerFaultSecure are rare in production environments and should be investigated.

Previously Installed IIS Module Was Removed

Tue, 28 Apr 2026 23:20:23 +0000

Detects the removal of a previously installed IIS module.

PUA - CleanWipe Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects the use of CleanWipe a tool usually used to delete Symantec antivirus.

Python Function Execution Security Warning Disabled In Excel

Tue, 28 Apr 2026 23:20:23 +0000

Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed. Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.

Python Function Execution Security Warning Disabled In Excel - Registry

Tue, 28 Apr 2026 23:20:23 +0000

Raccine Uninstall

Tue, 28 Apr 2026 23:20:23 +0000

Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.

RDP Connection Allowed Via Netsh.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects usage of the netsh command to open and allow connections to port 3389 (RDP). As seen used by Sarwent Malware

RDP Sensitive Settings Changed

Tue, 28 Apr 2026 23:20:23 +0000

Detects tampering of RDP Terminal Service/Server sensitive settings. Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc. Below is a list of registry keys/values that are monitored by this rule: - Shadow: Used to enable Remote Desktop shadowing, which allows an administrator to view or control a user's session. - DisableRemoteDesktopAntiAlias: Disables anti-aliasing for remote desktop sessions. - DisableSecuritySettings: Disables certain security settings for Remote Desktop connections. - fAllowUnsolicited: Allows unsolicited remote assistance offers. - fAllowUnsolicitedFullControl: Allows unsolicited remote assistance offers with full control. - InitialProgram: Specifies a program to run automatically when a user logs on to a remote computer. - ServiceDll: Used in RDP hijacking techniques to specify a custom DLL to be loaded by the Terminal Services service. - SecurityLayer: Specifies the security layer used for RDP connections.

RDP Sensitive Settings Changed to Zero

Tue, 28 Apr 2026 23:20:23 +0000

Detects tampering of RDP Terminal Service/Server sensitive settings. Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.

RedMimicry Winnti Playbook Registry Manipulation

Tue, 28 Apr 2026 23:20:23 +0000

Detects actions caused by the RedMimicry Winnti playbook

RedSun - Named Pipe Created

Tue, 28 Apr 2026 23:20:23 +0000

Detects the creation of a named pipe with the hardcoded name "REDSUN". The RedSun exploit tool uses a pipe with this name for synchronisation and command communication between its components during the Cloud Files API + oplock-based AV bypass and privilege escalation chain. RedSun creates the pipe as \\??\pipe\REDSUN. The pipe server listens for the token-duplicated elevated process to connect and respond, completing the privilege escalation from user to SYSTEM. Presence of this pipe name indicates active or recent RedSun execution.

RedSun - TieringEngineService.exe Detected as EICAR Test File

Tue, 28 Apr 2026 23:20:23 +0000

Detects Windows Defender (EventID 1119 - Remediation Action Failed) flagging TieringEngineService.exe dropped in a characteristic RS-{GUID} temporary directory, or the RedSun.exe process itself being present. This covers the staging pattern used by RedSun, a Cloud Files API and opportunistic lock (oplock) based AV bypass/privilege escalation tool. RedSun works as follows: 1. Registers a Cloud Files sync root and creates a Cloud Files placeholder for TieringEngineService.exe under %TEMP%\RS-{GUID}\ 2. The placeholder file carries EICAR test file content (Virus:DOS/EICAR_Test_File) to reliably trigger a Defender scan and remediation attempt 3. Requests a batch oplock (FSCTL_REQUEST_BATCH_OPLOCK) on the placeholder file 4. When Defender attempts to scan/quarantine the file, the oplock triggers - holding the file open 5. During the oplock break window, RedSun swaps the mount point (junction) to redirect \\?\C:\Windows\System32 to the attacker-controlled temp path 6. This races the AV/OS into executing the malicious TieringEngineService.exe with elevated privileges

Reg Add Suspicious Paths

Tue, 28 Apr 2026 23:20:23 +0000

Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys

Registry Entries For Azorult Malware

Tue, 28 Apr 2026 23:20:23 +0000

Detects the presence of a registry key created during Azorult execution

Registry Explorer Policy Modification

Tue, 28 Apr 2026 23:20:23 +0000

Detects registry modifications that disable internal tools or functions in explorer (malware like Agent Tesla uses this technique)

Registry Hide Function from User

Tue, 28 Apr 2026 23:20:23 +0000

Detects registry modifications that hide internal tools or functions from the user (malware like Agent Tesla, Hermetic Wiper uses this technique)

Registry Manipulation via WMI Stdregprov

Tue, 28 Apr 2026 23:20:23 +0000

Detects the usage of wmic.exe to manipulate Windows registry via the WMI StdRegProv class. This behaviour could be potentially suspicious because it uses an alternative method to modify registry keys instead of legitimate registry tools like reg.exe or regedit.exe. Attackers specifically choose this technique to evade detection and bypass security monitoring focused on traditional registry modification commands.

Registry Modification Attempt Via VBScript

Tue, 28 Apr 2026 23:20:23 +0000

Detects attempts to modify the registry using VBScript's CreateObject("Wscript.shell") and RegWrite methods via common LOLBINs. It could be an attempt to modify the registry for persistence without using straightforward methods like regedit.exe, reg.exe, or PowerShell. Threat Actors may use this technique to evade detection by security solutions that monitor for direct registry modifications through traditional tools.

Registry Modification Attempt Via VBScript - PowerShell

Tue, 28 Apr 2026 23:20:23 +0000

Detects attempts to modify the registry using VBScript's CreateObject("Wscript.shell") and RegWrite methods embedded within PowerShell scripts or commands. Threat actors commonly embed VBScript code within PowerShell to perform registry modifications, attempting to evade detection that monitors for direct registry access through traditional tools. This technique can be used for persistence, defense evasion, and privilege escalation by modifying registry keys without using regedit.exe, reg.exe, or PowerShell's native registry cmdlets.

Registry Modification for OCI DLL Redirection

Tue, 28 Apr 2026 23:20:23 +0000

Detects registry modifications related to 'OracleOciLib' and 'OracleOciLibPath' under 'MSDTC' settings. Threat actors may modify these registry keys to redirect the loading of 'oci.dll' to a malicious DLL, facilitating phantom DLL hijacking via the MSDTC service.

Registry Modification of MS-settings Protocol Handler

Tue, 28 Apr 2026 23:20:23 +0000

Detects registry modifications to the 'ms-settings' protocol handler, which is frequently targeted for UAC bypass or persistence. Attackers can modify this registry to execute malicious code with elevated privileges by hijacking the command execution path.

Registry Modification Via Regini.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of regini.exe which can be used to modify registry keys, the changes are imported from one or more text files.

Registry Tampering by Potentially Suspicious Processes

Tue, 28 Apr 2026 23:20:23 +0000

Detects suspicious registry modifications made by suspicious processes such as script engine processes such as WScript, or CScript etc. These processes are rarely used for legitimate registry modifications, and their activity may indicate an attempt to modify the registry without using standard tools like regedit.exe or reg.exe, potentially for evasion and persistence.

Remote Registry Lateral Movement

Tue, 28 Apr 2026 23:20:23 +0000

Detects remote RPC calls to modify the registry and possible execute code

Removal Of AMSI Provider Registry Keys

Tue, 28 Apr 2026 23:20:23 +0000

Detects the deletion of AMSI provider registry key entries in HKLM\Software\Microsoft\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.

Removal Of Index Value to Hide Schedule Task - Registry

Tue, 28 Apr 2026 23:20:23 +0000

Detects when the "index" value of a scheduled task is removed or deleted from the registry. Which effectively hides it from any tooling such as "schtasks /query"

Removal of Potential COM Hijacking Registry Keys

Tue, 28 Apr 2026 23:20:23 +0000

Detects any deletion of entries in ".*\shell\open\command" registry keys. These registry keys might have been used for COM hijacking activities by a threat actor or an attacker and the deletion could indicate steps to remove its tracks.

Removal Of SD Value to Hide Schedule Task - Registry

Tue, 28 Apr 2026 23:20:23 +0000

Remove SD (Security Descriptor) value in \Schedule\TaskCache\Tree registry hive to hide schedule task. This technique is used by Tarrask malware

Remove Immutable File Attribute

Tue, 28 Apr 2026 23:20:23 +0000

Detects usage of the 'chattr' utility to remove immutable file attribute.

Remove Immutable File Attribute - Auditd

Tue, 28 Apr 2026 23:20:23 +0000

Detects removing immutable file attribute.

Renamed BOINC Client Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of a renamed BOINC binary.

RestrictedAdminMode Registry Value Tampering

Tue, 28 Apr 2026 23:20:23 +0000

Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise

RestrictedAdminMode Registry Value Tampering - ProcCreation

Tue, 28 Apr 2026 23:20:23 +0000

Root Certificate Installed - PowerShell

Tue, 28 Apr 2026 23:20:23 +0000

Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.

Root Certificate Installed From Susp Locations

Tue, 28 Apr 2026 23:20:23 +0000

Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.

Run Once Task Configuration in Registry

Tue, 28 Apr 2026 23:20:23 +0000

Rule to detect the configuration of Run Once registry key. Configured payload can be run by runonce.exe /AlternateShellStartup

Run Once Task Execution as Configured in Registry

Tue, 28 Apr 2026 23:20:23 +0000

This rule detects the execution of Run Once task as configured in the registry

SafeBoot Registry Key Deleted Via Reg.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of "reg.exe" commands with the "delete" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products

ScreenConnect User Database Modification - Security

Tue, 28 Apr 2026 23:20:23 +0000

This detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server. This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions. This requires an Advanced Auditing policy to log a successful Windows Event ID 4663 events and with a SACL set on the directory.

Scripted Diagnostics Turn Off Check Enabled - Registry

Tue, 28 Apr 2026 23:20:23 +0000

Detects enabling TurnOffCheck which can be used to bypass defense of MSDT Follina vulnerability

Security Event Logging Disabled via MiniNt Registry Key - Process

Tue, 28 Apr 2026 23:20:23 +0000

Detects attempts to disable security event logging by adding the `MiniNt` registry key. This key is used to disable the Windows Event Log service, which collects and stores event logs from the operating system and applications. Adversaries may want to disable this service to prevent logging of security events that could be used to detect their activities.

Security Event Logging Disabled via MiniNt Registry Key - Registry Set

Tue, 28 Apr 2026 23:20:23 +0000

Detects the addition of the 'MiniNt' key to the registry. Upon a reboot, Windows Event Log service will stop writing events. Windows Event Log is a service that collects and stores event logs from the operating system and applications. It is an important component of Windows security and auditing. Adversary may want to disable this service to disable logging of security events which could be used to detect their activities.

Security Eventlog Cleared

Tue, 28 Apr 2026 23:20:23 +0000

One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution

Security Service Disabled Via Reg.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of "reg.exe" to disable security services such as Windows Defender.

Service Binary in Suspicious Folder

Tue, 28 Apr 2026 23:20:23 +0000

Detect the creation of a service with a service binary located in a suspicious directory

Service Registry Key Deleted Via Reg.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of "reg.exe" commands with the "delete" flag on services registry key. Often used by attacker to remove AV software services

Service Startup Type Change Via Wmic.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects changes to service startup type to 'disabled' or 'manual' using the WMIC command-line utility.

Service StartupType Change Via PowerShell Set-Service

Tue, 28 Apr 2026 23:20:23 +0000

Detects the use of the PowerShell "Set-Service" cmdlet to change the startup type of a service to "disabled" or "manual"

Service StartupType Change Via Sc.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detect the use of "sc.exe" to change the startup type of a service to "disabled" or "demand"

ShimCache Flush

Tue, 28 Apr 2026 23:20:23 +0000

Detects actions that clear the local ShimCache and remove forensic evidence

Startup/Logon Script Added to Group Policy Object

Tue, 28 Apr 2026 23:20:23 +0000

Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.

Suspicious Application Allowed Through Exploit Guard

Tue, 28 Apr 2026 23:20:23 +0000

Detects applications being added to the "allowed applications" list of exploit guard in order to bypass controlled folder settings

Suspicious Eventlog Clear

Tue, 28 Apr 2026 23:20:23 +0000

Detects usage of known powershell cmdlets such as "Clear-EventLog" to clear the Windows event logs

Suspicious Eventlog Clearing or Configuration Change Activity

Tue, 28 Apr 2026 23:20:23 +0000

Detects the clearing or configuration tampering of EventLog using utilities such as "wevtutil", "powershell" and "wmic". This technique were seen used by threat actors and ransomware strains in order to evade defenses.

Suspicious Execution via macOS Script Editor

Tue, 28 Apr 2026 23:20:23 +0000

Detects when the macOS Script Editor utility spawns an unusual child process.

Suspicious Invoke-Item From Mount-DiskImage

Tue, 28 Apr 2026 23:20:23 +0000

Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.

Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location

Tue, 28 Apr 2026 23:20:23 +0000

Detects loading of dbgcore.dll or dbghelp.dll from uncommon locations such as user directories. These DLLs contain the MiniDumpWriteDump function, which can be abused for credential dumping purposes or in some cases for evading EDR/AV detection by suspending processes.

Suspicious Mount-DiskImage

Tue, 28 Apr 2026 23:20:23 +0000

Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.

Suspicious Package Installed - Linux

Tue, 28 Apr 2026 23:20:23 +0000

Detects installation of suspicious packages using system installation utilities

Suspicious Path In Keyboard Layout IME File Registry Value

Tue, 28 Apr 2026 23:20:23 +0000

Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message. Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path. IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.

Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze

Tue, 28 Apr 2026 23:20:23 +0000

Detects process access events where WerFaultSecure accesses MsMpEng.exe with dbgcore.dll or dbghelp.dll in the call trace, indicating potential EDR freeze techniques. This technique leverages WerFaultSecure.exe running as a Protected Process Light (PPL) with WinTCB protection level to call MiniDumpWriteDump and suspend EDR/AV processes, allowing malicious activity to execute undetected during the suspension period.

Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs

Tue, 28 Apr 2026 23:20:23 +0000

Detects suspicious process access to LSASS.exe from processes located in uncommon locations with dbgcore.dll or dbghelp.dll in the call trace. These DLLs contain functions like MiniDumpWriteDump that can be abused for credential dumping purposes. While modern tools like Mimikatz have moved to using ntdll.dll, dbgcore.dll and dbghelp.dll are still used by basic credential dumping utilities and legacy tools for LSASS memory access and process suspension techniques.

Suspicious PROCEXP152.sys File Created In TMP

Tue, 28 Apr 2026 23:20:23 +0000

Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder. This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.

Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects Netsh command execution that whitelists a program located in a suspicious location in the Windows Firewall

Suspicious RazerInstaller Explorer Subprocess

Tue, 28 Apr 2026 23:20:23 +0000

Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM

Suspicious Recursive Takeown

Tue, 28 Apr 2026 23:20:23 +0000

Adversaries can interact with the DACLs using built-in Windows commands takeown which can grant adversaries higher permissions on specific files and folders

Suspicious Registry Modification From ADS Via Regini.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.

Suspicious Service Installed

Tue, 28 Apr 2026 23:20:23 +0000

Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders. Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)

Suspicious Svchost Process Access

Tue, 28 Apr 2026 23:20:23 +0000

Detects suspicious access to the "svchost" process such as that used by Invoke-Phantom to kill the thread of the Windows event logging service.

Suspicious Unblock-File

Tue, 28 Apr 2026 23:20:23 +0000

Remove the Zone.Identifier alternate data stream which identifies the file as downloaded from the internet.

Suspicious Uninstall of Windows Defender Feature via PowerShell

Tue, 28 Apr 2026 23:20:23 +0000

Detects the use of PowerShell with Uninstall-WindowsFeature or Remove-WindowsFeature cmdlets to disable or remove the Windows Defender GUI feature, a common technique used by adversaries to evade defenses.

Suspicious VBoxDrvInst.exe Parameters

Tue, 28 Apr 2026 23:20:23 +0000

Detect VBoxDrvInst.exe run with parameters allowing processing INF file. This allows to create values in the registry and install drivers. For example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys

Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects the usage of "reg.exe" to add Defender folder exclusions. Qbot has been seen using this technique to add exclusions for folders within AppData and ProgramData.

Suspicious Windows Defender Registry Key Tampering Via Reg.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects the usage of "reg.exe" to tamper with different Windows Defender registry keys in order to disable some important features related to protection and detection

Suspicious Windows Service Tampering

Tue, 28 Apr 2026 23:20:23 +0000

Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts

Suspicious Windows Trace ETW Session Tamper Via Logman.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of "logman" utility in order to disable or delete Windows trace sessions

Suspicious X509Enrollment - Process Creation

Tue, 28 Apr 2026 23:20:23 +0000

Detect use of X509Enrollment

Suspicious X509Enrollment - Ps Script

Tue, 28 Apr 2026 23:20:23 +0000

Detect use of X509Enrollment

Sysinternals PsSuspend Suspicious Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects suspicious execution of Sysinternals PsSuspend, where the utility is used to suspend critical processes such as AV or EDR to bypass defenses

Syslog Clearing or Removal Via System Utilities

Tue, 28 Apr 2026 23:20:23 +0000

Detects specific commands commonly used to remove or empty the syslog. Which is a technique often used by attacker as a method to hide their tracks

Sysmon Application Crashed

Tue, 28 Apr 2026 23:20:23 +0000

Detects application popup reporting a failure of the Sysmon service

Sysmon Blocked Executable

Tue, 28 Apr 2026 23:20:23 +0000

Triggers on any Sysmon "FileBlockExecutable" event, which indicates a violation of the configured block policy

Sysmon Blocked File Shredding

Tue, 28 Apr 2026 23:20:23 +0000

Triggers on any Sysmon "FileBlockShredding" event, which indicates a violation of the configured shredding policy.

Sysmon Channel Reference Deletion

Tue, 28 Apr 2026 23:20:23 +0000

Potential threat actor tampering with Sysmon manifest and eventually disabling it

Sysmon Configuration Change

Tue, 28 Apr 2026 23:20:23 +0000

Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or someone trying manipulate the configuration

Sysmon Configuration Update

Tue, 28 Apr 2026 23:20:23 +0000

Detects updates to Sysmon's configuration. Attackers might update or replace the Sysmon configuration with a bare bone one to avoid monitoring without shutting down the service completely

Sysmon Driver Altitude Change

Tue, 28 Apr 2026 23:20:23 +0000

Detects changes in Sysmon driver altitude value. If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.

Sysmon Driver Unloaded Via Fltmc.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects possible Sysmon filter driver unloaded via fltmc.exe

Sysmon File Executable Creation Detected

Tue, 28 Apr 2026 23:20:23 +0000

Triggers on any Sysmon "FileExecutableDetected" event, which triggers every time a PE that is monitored by the config is created.

Tamper Windows Defender - PSClassic

Tue, 28 Apr 2026 23:20:23 +0000

Attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.

Tamper Windows Defender - ScriptBlockLogging

Tue, 28 Apr 2026 23:20:23 +0000

Detects PowerShell scripts attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.

Tamper Windows Defender Remove-MpPreference

Tue, 28 Apr 2026 23:20:23 +0000

Detects attempts to remove Windows Defender configurations using the 'MpPreference' cmdlet

Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging

Tue, 28 Apr 2026 23:20:23 +0000

Detects attempts to remove Windows Defender configuration using the 'MpPreference' cmdlet

Tamper With Sophos AV Registry Keys

Tue, 28 Apr 2026 23:20:23 +0000

Detects tamper attempts to sophos av functionality via registry key modification

Taskkill Symantec Endpoint Protection

Tue, 28 Apr 2026 23:20:23 +0000

Detects one of the possible scenarios for disabling Symantec Endpoint Protection. Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism. As a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.

Terminal Server Client Connection History Cleared - Registry

Tue, 28 Apr 2026 23:20:23 +0000

Detects the deletion of registry keys containing the MSTSC connection history

The Windows Defender Firewall Service Failed To Load Group Policy

Tue, 28 Apr 2026 23:20:23 +0000

Detects activity when The Windows Defender Firewall service failed to load Group Policy

Trust Access Disable For VBApplications

Tue, 28 Apr 2026 23:20:23 +0000

Detects registry changes to Microsoft Office "AccessVBOM" to a value of "1" which disables trust access for VBA on the victim machine and lets attackers execute malicious macros without any Microsoft Office warnings.

Ufw Force Stop Using Ufw-Init

Tue, 28 Apr 2026 23:20:23 +0000

Detects attempts to force stop the ufw using ufw-init

Uncommon Extension In Keyboard Layout IME File Registry Value

Tue, 28 Apr 2026 23:20:23 +0000

Uncommon Microsoft Office Trusted Location Added

Tue, 28 Apr 2026 23:20:23 +0000

Detects changes to registry keys related to "Trusted Location" of Microsoft Office where the path is set to something uncommon. Attackers might add additional trusted locations to avoid macro security restrictions.

Uncommon New Firewall Rule Added In Windows Firewall Exception List

Tue, 28 Apr 2026 23:20:23 +0000

Detects when a rule has been added to the Windows Firewall exception list

Uninstall Crowdstrike Falcon Sensor

Tue, 28 Apr 2026 23:20:23 +0000

Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon

Uninstall Sysinternals Sysmon

Tue, 28 Apr 2026 23:20:23 +0000

Detects the removal of Sysmon, which could be a potential attempt at defense evasion

User Added To Group With CA Policy Modification Access

Tue, 28 Apr 2026 23:20:23 +0000

Monitor and alert on group membership additions of groups that have CA policy modification access

User Removed From Group With CA Policy Modification Access

Tue, 28 Apr 2026 23:20:23 +0000

Monitor and alert on group membership removal of groups that have CA policy modification access

User Shell Folders Registry Modification via CommandLine

Tue, 28 Apr 2026 23:20:23 +0000

Detects modifications to User Shell Folders registry values via reg.exe or PowerShell, which could indicate persistence attempts. Attackers may modify User Shell Folders registry values to point to malicious executables or scripts that will be executed during startup. This technique is often used to maintain persistence on a compromised system by ensuring that malicious payloads are executed automatically.

Vulnerable Driver Blocklist Registry Tampering Via CommandLine

Tue, 28 Apr 2026 23:20:23 +0000

Detects tampering of the Vulnerable Driver Blocklist registry via command line tools such as PowerShell or REG.EXE. The Vulnerable Driver Blocklist is a security feature that helps prevent the loading of known vulnerable drivers. Disabling this feature may indicate an attempt to bypass security controls, often targeted by threat actors to facilitate the installation of malicious or vulnerable drivers, particularly in scenarios involving Endpoint Detection and Response

WannaCry Ransomware Activity

Tue, 28 Apr 2026 23:20:23 +0000

Detects WannaCry ransomware activity

Wdigest CredGuard Registry Modification

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential malicious modification of the property value of IsCredGuardEnabled from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to disable Cred Guard on a system. This is usually used with UseLogonCredential to manipulate the caching credentials.

Wdigest Enable UseLogonCredential

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials

Weak Encryption Enabled and Kerberoast

Tue, 28 Apr 2026 23:20:23 +0000

Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.

WFP Filter Added via Registry

Tue, 28 Apr 2026 23:20:23 +0000

Detects registry modifications that add Windows Filtering Platform (WFP) filters, which may be used to block security tools and EDR agents from reporting events.

Win Defender Restored Quarantine File

Tue, 28 Apr 2026 23:20:23 +0000

Detects the restoration of files from the defender quarantine

WinDivert Driver Load

Tue, 28 Apr 2026 23:20:23 +0000

Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows

Windows AMSI Related Registry Tampering Via CommandLine

Tue, 28 Apr 2026 23:20:23 +0000

Detects tampering of AMSI (Anti-Malware Scan Interface) related registry values via command line tools such as reg.exe or PowerShell. AMSI provides a generic interface for applications and services to integrate with antimalware products. Adversaries may disable AMSI to evade detection of malicious scripts and code execution.

Windows AppX Deployment Full Trust Package Installation

Tue, 28 Apr 2026 23:20:23 +0000

Detects the installation of MSIX/AppX packages with full trust privileges which run with elevated privileges outside normal AppX container restrictions

Windows AppX Deployment Unsigned Package Installation

Tue, 28 Apr 2026 23:20:23 +0000

Detects attempts to install unsigned MSIX/AppX packages using the -AllowUnsigned parameter via AppXDeployment-Server events

Windows Credential Guard Disabled - Registry

Tue, 28 Apr 2026 23:20:23 +0000

Detects attempts to disable Windows Credential Guard by setting registry values to 0. Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Adversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation.

Windows Credential Guard Registry Tampering Via CommandLine

Tue, 28 Apr 2026 23:20:23 +0000

Detects attempts to add, modify, or delete Windows Credential Guard related registry keys or values via command line tools such as Reg.exe or PowerShell. Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Adversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation. The rule matches suspicious command lines that target DeviceGuard or LSA registry paths and manipulate keys like EnableVirtualizationBasedSecurity, RequirePlatformSecurityFeatures, or LsaCfgFlags. Such activity may indicate an attempt to disable or tamper with Credential Guard, potentially exposing sensitive credentials for misuse.

Windows Credential Guard Related Registry Value Deleted - Registry

Tue, 28 Apr 2026 23:20:23 +0000

Detects attempts to disable Windows Credential Guard by deleting registry values. Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Adversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation.

Windows Default Domain GPO Modification

Tue, 28 Apr 2026 23:20:23 +0000

Detects modifications to Default Domain or Default Domain Controllers Group Policy Objects (GPOs). Adversaries may modify these default GPOs to deploy malicious configurations across the domain.

Windows Default Domain GPO Modification via GPME

Tue, 28 Apr 2026 23:20:23 +0000

Detects the use of the Group Policy Management Editor (GPME) to modify Default Domain or Default Domain Controllers Group Policy Objects (GPOs). Adversaries may leverage GPME to make stealthy changes in these default GPOs to deploy malicious GPOs configurations across the domain without raising suspicion.

Windows Defender Configuration Changes

Tue, 28 Apr 2026 23:20:23 +0000

Detects suspicious changes to the Windows Defender configuration

Windows Defender Context Menu Removed

Tue, 28 Apr 2026 23:20:23 +0000

Detects the use of reg.exe or PowerShell to delete the Windows Defender context menu handler registry keys. This action removes the "Scan with Microsoft Defender" option from the right-click menu for files, directories, and drives. Attackers may use this technique to hinder manual, on-demand scans and reduce the visibility of the security product.

Windows Defender Definition Files Removed

Tue, 28 Apr 2026 23:20:23 +0000

Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files

Windows Defender Exclusion List Modified

Tue, 28 Apr 2026 23:20:23 +0000

Detects modifications to the Windows Defender exclusion registry key. This could indicate a potentially suspicious or even malicious activity by an attacker trying to add a new exclusion in order to bypass security.

Windows Defender Exclusion Registry Key - Write Access Requested

Tue, 28 Apr 2026 23:20:23 +0000

Detects write access requests to the Windows Defender exclusions registry keys. This could be an indication of an attacker trying to request a handle or access the object to write new exclusions in order to bypass security.

Windows Defender Exclusions Added

Tue, 28 Apr 2026 23:20:23 +0000

Detects the Setting of Windows Defender Exclusions

Windows Defender Exclusions Added - PowerShell

Tue, 28 Apr 2026 23:20:23 +0000

Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions

Windows Defender Exclusions Added - Registry

Tue, 28 Apr 2026 23:20:23 +0000

Detects the Setting of Windows Defender Exclusions

Windows Defender Exploit Guard Tamper

Tue, 28 Apr 2026 23:20:23 +0000

Detects when someone is adding or removing applications or folders from exploit guard "ProtectedFolders" or "AllowedApplications"

Windows Defender Firewall Has Been Reset To Its Default Configuration

Tue, 28 Apr 2026 23:20:23 +0000

Detects activity when Windows Defender Firewall has been reset to its default configuration

Windows Defender Grace Period Expired

Tue, 28 Apr 2026 23:20:23 +0000

Detects the expiration of the grace period of Windows Defender. This means protection against viruses, spyware, and other potentially unwanted software is disabled.

Windows Defender Malware And PUA Scanning Disabled

Tue, 28 Apr 2026 23:20:23 +0000

Detects disabling of the Windows Defender feature of scanning for malware and other potentially unwanted software

Windows Defender Malware Detection History Deletion

Tue, 28 Apr 2026 23:20:23 +0000

Windows Defender logs when the history of detected infections is deleted.

Windows Defender Real-time Protection Disabled

Tue, 28 Apr 2026 23:20:23 +0000

Detects disabling of Windows Defender Real-time Protection. As this event doesn't contain a lot of information on who initiated this action you might want to reduce it to a "medium" level if this occurs too many times in your environment

Windows Defender Real-Time Protection Failure/Restart

Tue, 28 Apr 2026 23:20:23 +0000

Detects issues with Windows Defender Real-Time Protection features

Windows Defender Service Disabled - Registry

Tue, 28 Apr 2026 23:20:23 +0000

Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry

Windows Defender Submit Sample Feature Disabled

Tue, 28 Apr 2026 23:20:23 +0000

Detects disabling of the "Automatic Sample Submission" feature of Windows Defender.

Windows Defender Threat Detection Service Disabled

Tue, 28 Apr 2026 23:20:23 +0000

Detects when the "Windows Defender Threat Protection" service is disabled.

Windows Defender Threat Severity Default Action Modified

Tue, 28 Apr 2026 23:20:23 +0000

Detects modifications or creations of Windows Defender's default threat action settings based on severity to 'allow' or take 'no action'. This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level, allowing malicious software to run unimpeded. An attacker might use this technique to bypass defenses before executing payloads.

Windows Defender Virus Scanning Feature Disabled

Tue, 28 Apr 2026 23:20:23 +0000

Detects disabling of the Windows Defender virus scanning feature

Windows Event Auditing Disabled

Tue, 28 Apr 2026 23:20:23 +0000

Detects scenarios where system auditing (i.e.: Windows event log auditing) is disabled. This may be used in a scenario where an entity would want to bypass local logging to evade detection when Windows event logging is enabled and reviewed. Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc". Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications - however, it is recommended to perform these modifications in Active Directory anyways.

Windows Event Log Access Tampering Via Registry

Tue, 28 Apr 2026 23:20:23 +0000

Detects changes to the Windows EventLog channel permission values. It focuses on changes to the Security Descriptor Definition Language (SDDL) string, as modifications to these values can restrict access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify a event log channel. Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as "Get-EventLog" or "wevtutil".

Windows EventLog Autologger Session Registry Modification Via CommandLine

Tue, 28 Apr 2026 23:20:23 +0000

Detects attempts to disable Windows EventLog autologger sessions via registry modification. The AutoLogger event tracing session records events that occur early in the operating system boot process. Applications and device drivers can use the AutoLogger session to capture traces before the user logs in. Adversaries may disable these sessions to evade detection and prevent security monitoring of early boot activities and system events.

Windows Filtering Platform Blocked Connection From EDR Agent Binary

Tue, 28 Apr 2026 23:20:23 +0000

Detects a Windows Filtering Platform (WFP) blocked connection event involving common Endpoint Detection and Response (EDR) agents. Adversaries may use WFP filters to prevent Endpoint Detection and Response (EDR) agents from reporting security events.

Windows Firewall Disabled via PowerShell

Tue, 28 Apr 2026 23:20:23 +0000

Detects attempts to disable the Windows Firewall using PowerShell

Windows Firewall Profile Disabled

Tue, 28 Apr 2026 23:20:23 +0000

Detects when a user disables the Windows Firewall via a Profile to help evade defense.

Windows Firewall Settings Have Been Changed

Tue, 28 Apr 2026 23:20:23 +0000

Detects activity when the settings of the Windows firewall have been changed

Windows Hypervisor Enforced Code Integrity Disabled

Tue, 28 Apr 2026 23:20:23 +0000

Detects changes to the HypervisorEnforcedCodeIntegrity registry key and the "Enabled" value being set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker to load unsigned and untrusted code to be run in the kernel

Windows MSIX Package Support Framework AI_STUBS Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of Advanced Installer MSIX Package Support Framework (PSF) components, specifically AI_STUBS executables with original filename 'popupwrapper.exe'. This activity may indicate malicious MSIX packages build with Advanced Installer leveraging the Package Support Framework to bypass application control restrictions.

Windows Vulnerable Driver Blocklist Disabled

Tue, 28 Apr 2026 23:20:23 +0000

Detects when the Windows Vulnerable Driver Blocklist is set to disabled. This setting is crucial for preventing the loading of known vulnerable drivers, and its modification may indicate an attempt to bypass security controls. It is often targeted by threat actors to facilitate the installation of malicious or vulnerable drivers, particularly in scenarios involving Endpoint Detection and Response (EDR) bypass techniques. This rule applies to systems that support the Vulnerable Driver Blocklist feature, including Windows 10 version 1903 and later, and Windows Server 2022 and later. Note that this change will require a reboot to take effect, and this rule only detects the registry modification action.

Winget Admin Settings Modification

Tue, 28 Apr 2026 23:20:23 +0000

Detects changes to the AppInstaller (winget) admin settings. Such as enabling local manifest installations or disabling installer hash checks

Winlogon AllowMultipleTSSessions Enable

Tue, 28 Apr 2026 23:20:23 +0000

Detects when the 'AllowMultipleTSSessions' value is enabled. Which allows for multiple Remote Desktop connection sessions to be opened at once. This is often used by attacker as a way to connect to an RDP session without disconnecting the other users

Write Protect For Storage Disabled

Tue, 28 Apr 2026 23:20:23 +0000

Detects applications trying to modify the registry in order to disable any write-protect property for storage devices. This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.