Detects loading of Amsi.dll by uncommon processes

Detects changes of sensitive and critical files. Monitors files that you don't expect to change without planning on Linux system.

Detects the image load of vss_ps.dll by uncommon executables

Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.

Detects file renames where the target filename uses an uncommon double extension. Could indicate potential ransomware activity renaming files and adding a custom extension to the encrypted files, such as ".jpg.crypted", ".docx.locky", etc.

Detect changes to the "LegalNoticeCaption" or "LegalNoticeText" registry values where the message set contains keywords often used in ransomware ransom messages

Detects a core dump of a crashing Nginx worker process, which could be a signal of a serious problem or exploitation attempts.

Detects the image load of VSS DLL by uncommon executables

Detects a segmentation fault error message caused by a crashing apache worker process

Detects initiated network connections to crypto mining pools

An application has been removed. Check if it is critical.

Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited. MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability. Unfortunately, that is about the only instance of CVEs being written to this log.

This the exploitation of a NTFS vulnerability as reported without many details via Twitter

Windows Update get some error Check if need a 0-days KB

Detects Silence EmpireDNSAgent as described in the Group-IP report

Detects the image load of VSS DLL by uncommon executables

Detects the stopping of a Windows service

Detects the stopping of a Windows service

Detects the stopping of a Windows service

Detects the execution of the builtin "copy" command that targets a shadow copy (sometimes used to copy registry hives that are in use)

Detects command line parameters or strings often used by crypto miners

Detects the rare use of the command line tool shutdown to logoff a user

Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil

Use of the commandline to shutdown or reboot windows

Adversaries may stop services or processes in order to conduct Data Destruction or Data Encrypted for Impact on the data stores of services like Exchange and SQL Server.

Detects the use of SDelete to erase a file not the free space

Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn't do (the renaming)

Detects usage of the "cipher" built-in utility in order to overwrite deleted data from disk. Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives

Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.

Detects the usage of schtasks with the delete flag and the asterisk symbole to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.

Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities

Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities

Detects suspicious addition to BitLocker related registry keys via the reg.exe utility

Detects deletion of files with extensions often used for backup files. Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.

Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often times used by malware or attackers as a destructive way before launching ransomware.

Detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities

Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.

A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runners configurations in the environment. The self-hosted runner configuration changes once detected, it should be validated from GitHub UI because the log entry may not provide full context.

Deletes the Windows systemstatebackup using wbadmin.exe. This technique is used by numerous ransomware families. This may only be successful on server platforms that have Windows Backup enabled.

Detects specific commands commonly used to remove or empty the syslog

Detects events in which a history file gets deleted, e.g. the ~/bash_history to remove traces of malicious activity

Detects suspicious DNS queries to Monero mining pools

Detects a command that accesses password storing registry hives via volume shadow backups

Detects suspicious log entries in Linux log files

Detects delete action in the Github audit logs for codespaces, environment, project and repo.

Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.

An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users. This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper

Ransomware create txt file in the user Desktop

Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.

Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.