Detects the recovery of files from backups via "wbadmin.exe". Attackers can restore sensitive files such as NTDS.DIT or Registry Hives from backups in order to potentially extract credentials.

Read More

Detects the addition of a new file or path exclusion to MacOS Time Machine via the "tmutil" utility. An adversary could exclude a path from Time Machine backups to prevent certain files from being backed up.

Read More

Detects deletion attempts of MacOS Time Machine backups via the native backup utility "tmutil". An adversary may perform this action before launching a ransonware attack to prevent the victim from restoring their files.

Read More

Detects disabling of Time Machine (Apple's automated backup utility software) via the native macOS backup utility "tmutil". An attacker can use this to prevent backups from occurring.

Read More

Detects deletion of files with extensions often used for backup files. Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.

Read More

Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.

Read More

Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.

Read More

Detects instances where an NTP service on an OpenCanary node has had a NTP monlist request.

Read More

Detects command line patterns used by BlackByte ransomware in different operations

Read More

Detects the image load of VSS DLL by uncommon executables

Read More

Detects exploitation attempt of CVE-2024-49113 known as LDAP Nightmare, based on "Application Error" log where the faulting application is "lsass.exe" and the faulting module is "WLDAP32.dll".

Read More

Detects files that have extensions commonly seen while SDelete is used to wipe files.

Read More

Detects suspicious DNS queries to Monero mining pools

Read More

Detects the execution of "reg.exe" to alter registry keys that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image.

Read More

Detects registry value settings that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image.

Read More

Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. It could also be used for anti-analysis purposes by shut downing specific processes.

Read More

Detects the load of RstrtMgr DLL (Restart Manager) by an uncommon process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. It could also be used for anti-analysis purposes by shut downing specific processes.

Read More

Detects the execution of "gpg.exe" from uncommon location. Often used by ransomware and loaders to decrypt/encrypt data.

Read More

Detects powershell process used to find and shut down local Hyper-V VMs using the Stop-VM cmdlet, as documented in the 2024 Morphisec report on Cicada3301 ransomware.

Read More

Detects the use of the iisreset.exe utility to stop IIS web services. This is used to prevent users from accessing IIS web resources, thereby releasing/preventing locks which could inhibit ransomware-related encryption.

Read More

Detects when S3 bucket versioning is disabled. Threat actors use this technique during AWS ransomware incidents prior to deleting S3 objects.

Read More

Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities

Read More

Detects when a Microsoft Cloud App Security reported for users whose account were terminated in Azure AD, but still perform activities in other platforms such as AWS or Salesforce. This is especially relevant for users who use another account to manage resources, since these accounts are often not terminated when a user leaves the company.

Read More

Detects the deletion of all backups or system state backups via "wbadmin.exe". This technique is used by numerous ransomware families and actors. This may only be successful on server platforms that have Windows Backup enabled.

Read More

Detects a segmentation fault error message caused by a crashing apache worker process

Read More

An application has been removed. Check if it is critical.

Read More

Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited. MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability. Unfortunately, that is about the only instance of CVEs being written to this log.

Read More

Identifies disabling of default Amazon Elastic Block Store (EBS) encryption in the current region. Disabling default encryption does not change the encryption status of your existing volumes.

Read More

Detects when a EFS Fileshare is modified or deleted. You can't delete a file system that is in use. If the file system has any mount targets, the adversary must first delete them, so deletion of a mount will occur before deletion of a fileshare.

Read More

Detects when a EFS Fileshare Mount is modified or deleted. An adversary breaking any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts.

Read More

Identifies when an EKS cluster is created or deleted.

Read More

Identifies when an ElastiCache security group has been modified or deleted.

Read More

Identifies when a application credential is modified.

Read More

Identifies when a application is deleted in Azure.

Read More

Identifies when a application gateway is modified or deleted.

Read More

Identifies when a application security group is modified or deleted.

Read More

Detects when a Container Registry is created or deleted.

Read More

Identifies when a device in azure is no longer managed or compliant

Read More

Identifies when a device or device configuration in azure is modified or deleted.

Read More

Identifies when DNS zone is modified or deleted.

Read More

Identifies when a firewall is created, modified, or deleted.

Read More

Identifies when Rule Collections (Application, NAT, and Network) is being modified or deleted.

Read More

Identifies when a Firewall Rule Configuration is Modified or Deleted.

Read More

Identifies when a key vault is modified or deleted.

Read More

Identifies when a Keyvault Key is modified or deleted in Azure.

Read More

Identifies when secrets are modified or deleted in Azure.

Read More

Detects when a Azure Kubernetes Cluster is created or deleted.

Read More

Identifies when a Azure Kubernetes network policy is modified or deleted.

Read More

Identifies the deletion of Azure Kubernetes Pods.

Read More

Detects the creation or patching of potential malicious RoleBinding/ClusterRoleBinding.

Read More

Identifies when a Kubernetes account access a sensitive objects such as configmaps or secrets.

Read More

Identifies when ClusterRoles/Roles are being modified or deleted.

Read More

Identifies when a service account is modified or deleted.

Read More

Identifies when a Firewall Policy is Modified or Deleted.

Read More

Identifies when a network security configuration is modified or deleted.

Read More

Identifies when a Point-to-site VPN is Modified or Deleted.

Read More

Identifies when a suppression rule is created in Azure. Adversary's could attempt this to evade detection.

Read More

Identifies when a virtual network device is being modified or deleted. This can be a network interface, network virtual appliance, virtual hub, or virtual router.

Read More

Identifies when a Virtual Network is modified or deleted in Azure.

Read More

Identifies when a VPN connection is modified or deleted.

Read More

Detect access to files and shares with names and extensions used by BlueSky ransomware which could indicate a current or previous encryption attempt.

Read More

Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often times used by malware or attackers as a destructive way before launching ransomware.

Read More

Detect a system being shutdown or put into different boot mode

Read More

See what files are being deleted from flash file systems

Read More

Modifications to a config that will serve an adversary's impacts or persistence

Read More

Detects specific commands commonly used to remove or empty the syslog

Read More

Detects the execution of the builtin "copy" command that targets a shadow copy (sometimes used to copy registry hives that are in use)

Read More

Detects potential overwriting and deletion of a file using DD.

Read More

Detects the usage of schtasks with the delete flag and the asterisk symbol to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.

Read More

Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities

Read More

Shadow Copies deletion using operating systems utilities via PowerShell

Read More

Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil

Read More

Detects usage of the "cipher" built-in utility in order to overwrite deleted data from disk. Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives

Read More

Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil

Read More

Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil

Read More

Identifies clients that may be performing DNS lookups associated with common currency mining pools.

Read More

Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc). Might be used by ransomwares during the attack (seen by NotPetya and others).

Read More

Detects delete action in the Github audit logs for codespaces, environment, project and repo.

Read More

A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runners configurations in the environment. The self-hosted runner configuration changes once detected, it should be validated from GitHub UI because the log entry may not provide full context.

Read More

Identifies when a DNS Zone is modified or deleted in Google Cloud.

Read More

Identifies when sensitive information is re-identified in google Cloud.

Read More

Identifies when a service account is disabled or deleted in Google Cloud.

Read More

Identifies when a service account is modified in Google Cloud.

Read More

Detect when a Cloud SQL DB has been modified or deleted.

Read More

Detects when storage bucket is modified or deleted in Google Cloud.

Read More

Identifies when a VPN Tunnel Modified or Deleted in Google Cloud.

Read More

Detects when an an application is removed from Google Workspace.

Read More

Detects when multi-factor authentication (MFA) is disabled.

Read More

Detects when an a role is modified or deleted in Google Workspace.

Read More

Detects when an a role privilege is deleted in Google Workspace.

Read More

Detects execution of the "groupdel" binary. Which is used to delete a group. This is sometimes abused by threat actors in order to cover their tracks

Read More

Detects events in which a history file gets deleted, e.g. the ~/bash_history to remove traces of malicious activity

Read More

Detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities

Read More

Detects command line parameters or strings often used by crypto miners

Read More

Detects process connections to a Monero crypto mining pool

Read More

Detects locked workstation session events that occur automatically after a standard period of inactivity.

Read More

Detects LockerGoga ransomware activity via specific command line.

Read More

Detects when a Microsoft Cloud App Security reported when a user uploads files to the cloud that might be infected with ransomware.

Read More

Detects when a Microsoft Cloud App Security reported a user has deleted a unusual a large volume of files.

Read More

Detects initiated network connections to crypto mining pools

Read More

Detects the addition of new root, CA or AuthRoot certificates to the Windows registry

Read More

Detects a core dump of a crashing Nginx worker process, which could be a signal of a serious problem or exploitation attempts.

Read More

This the exploitation of a NTFS vulnerability as reported without many details via Twitter

Read More

Detects when a API Token is revoked.

Read More

Detects when an application is modified or deleted.

Read More

Detects when an application Sign-on Policy is modified or deleted.

Read More

Detects when an Network Zone is Deactivated or Deleted.

Read More

Detects when an Okta policy is modified or deleted.

Read More

Detects when an Policy Rule is Modified or Deleted.

Read More

Detects when unauthorized access to app occurs.

Read More

Detects when an user account is locked out.

Read More

Detects when an user account is locked or suspended.

Read More

Detects when an user assumed another user account.

Read More

Detects overwriting (effectively wiping/deleting) of a file.

Read More

Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.

Read More

Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.

Read More

Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.

Read More

Detects a specific command used by the Conti ransomware group

Read More

Detects command line parameters or strings often used by crypto miners

Read More

Detects potential Dtrack RAT activity via specific process patterns

Read More

Detects the use of SDelete to erase a file not the free space

Read More

Detects specific process characteristics of Maze ransomware word document droppers

Read More

Detect changes to the "LegalNoticeCaption" or "LegalNoticeText" registry values where the message set contains keywords often used in ransomware ransom messages

Read More

Detects changes of sensitive and critical files. Monitors files that you don't expect to change without planning on Linux system.

Read More

Detects powershell scripts that adds a Name Resolution Policy Table (NRPT) rule for the specified namespace. This will bypass the default DNS server and uses a specified server for answering the query.

Read More

Detects the modification of the registry to disable a system restore on the computer

Read More

Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.

Read More

Detects the execution of a renamed "gpg.exe". Often used by ransomware and loaders to decrypt/encrypt data.

Read More

Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn't do (the renaming)

Read More

An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users. This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper

Read More

Detects a command that accesses the VolumeShadowCopy in order to extract sensitive files such as the Security or SAM registry hives or the AD database (ntds.dit)

Read More

Detects Silence EmpireDNSAgent as described in the Group-IP report

Read More

Detects the stopping of a Windows service via the "net" utility.

Read More

Detects the stopping of a Windows service via the PowerShell Cmdlet "Stop-Service"

Read More

Detects the stopping of a Windows service via the "sc.exe" utility

Read More

Detects file renames where the target filename uses an uncommon double extension. Could indicate potential ransomware activity renaming files and adding a custom extension to the encrypted files, such as ".jpg.crypted", ".docx.locky", etc.

Read More

Ransomware create txt file in the user Desktop

Read More

Use of the commandline to shutdown or reboot windows

Read More

Detects the rare use of the command line tool shutdown to logoff a user

Read More

Detects suspicious log entries in Linux log files

Read More

Detects when a user manipulates with Firmward Password on MacOS. NOTE - this command has been disabled on silicon-based apple computers.

Read More

Detects suspicious addition to BitLocker related registry keys via the reg.exe utility

Read More

Detects the image load of vss_ps.dll by uncommon executables

Read More

Detects the image load of VSS DLL by uncommon executables

Read More

Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.

Read More

Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.

Read More

Detects execution of the "userdel" binary. Which is used to delete a user account and related files. This is sometimes abused by threat actors in order to cover their tracks

Read More

Detects a user log-off activity. Could be used for example to correlate information during forensic investigations

Read More

Detects WannaCry ransomware activity

Read More

Detects the deletion of backups or system state backups via "wbadmin.exe". This technique is used by numerous ransomware families and actors. This may only be successful on server platforms that have Windows Backup enabled.

Read More

Detects Windows update errors including installation failures and connection issues. Defenders should observe this in case critical update KBs aren't installed.

Read More

It’s not uncommon for ransomware operators to leverage WMI to delete volume shadows, significantly complicating the process for recovering access to encrypted systems and files. If you want to detect ransomware using WMI to delete shadow copies, consider looking for wmic.exe execution with command lines including shadowcopy or delete. Part of the RedCanary 2024 Threat Detection Report.

Read More

Detects multiple blocks by the mod_security module (Web Application Firewall)

Read More

Detects multiple file rename or delete events occurrence within a specified period of time by a same user (these events may signalize about ransomware activity).

Read More

Detects creation of potentially-encrypted files by Vice Society ransomeware. As this is based only on file extensions, the analyst should investigate surrounding activity to validate that this is not part of a benign applicatoin.

Read More

Detects registry modifications occuring in tandem with disruption of boot processes with bcdedit (or as a method to evade detection)

Read More

Detects the use of bcdedit to disrupt normal boot processes.

Read More

Detects adversaries using WMI to delete shadow copies. Inspired by the 2022 Red Canary Threat Detection report.

Read More