Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.

Read More

Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.

Read More

Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.

Read More

Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.

Read More

Detects exploitation activity of CVE-2023-46747 an unauthenticated remote code execution vulnerability in F5 BIG-IP.

Read More

Detects exploitation activity of CVE-2023-46747 an unauthenticated remote code execution vulnerability in F5 BIG-IP.

Read More

Detects exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via proxy logs by looking for a very long host header string.

Read More

Detects exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via webserver logs by looking for a very long host header string.

Read More

Detects potential exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via proxy logs.

Read More

Detects potential exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via webserver logs.

Read More

Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP

Read More

Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379

Read More

Detecting exploitation indicators of CVE-2023-20198 a privilege escalation vulnerability in Cisco IOS XE Software Web UI.

Read More

Detects potential initial exploitation attempts against VMware Horizon deployments running a vulnerable versions of Log4j.

Read More

Detects potential exploitation attempt of CVE-2022-22954, a remote code execution vulnerability in VMware Workspace ONE Access and Identity Manager. As reported by Morphisec, part of the attack chain, threat actors used PowerShell commands that executed as a child processes of the legitimate Tomcat "prunsrv.exe" process application.

Read More

Detects exploitation attempts of CVE-2023-43261 and information disclosure in Milesight UR5X, UR32L, UR32, UR35, UR41 before v35.3.0.7 that allows attackers to access sensitive router components in proxy logs.

Read More

Detects exploitation attempts of CVE-2023-43261 and information disclosure in Milesight UR5X, UR32L, UR32, UR35, UR41 before v35.3.0.7 that allows attackers to access sensitive router components in access logs.

Read More

Detects file indicators of potential exploitation of MOVEit CVE-2023-34362.

Read More

Detects when an account is disabled or blocked for sign in but tried to log in

Read More

This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.

Read More

Identifies that users were active from an IP address that has been identified as an anonymous proxy IP address.

Read More

Detects suspicious access to URLs that was noticed in cases in which attackers exploitated the ADSelfService vulnerability CVE-2021-40539

Read More

Detects attempts to exploit an apache spark server via CVE-2014-6287 from a commandline perspective

Read More

Detects attempts to exploit an apache spark server via CVE-2014-6287 from a weblogs perspective

Read More

Detects an issue in apache logs that reports threading related errors

Read More

Device code flow is an OAuth 2.0 protocol flow specifically for input constrained devices and is not used in all environments. If this type of flow is seen in the environment and not being used in an input constrained device scenario, further investigation is warranted. This can be a misconfigured application or potentially something malicious.

Read More

Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly. The application then uses those credentials to authenticate the user against the identity provider.

Read More

The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.

Read More

Detects exploitation of vulnerabilities in Arcadyan routers as reported in CVE-2021-20090 and CVE-2021-20091.

Read More

Detects attempts to exploit the Atlassian Bitbucket Command Injection CVE-2022-36804

Read More

Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134

Read More

Identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior.

Read More

Detect when authentications to important application(s) only required single-factor authentication

Read More

Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.

Read More

Detect when users are authenticating without MFA being required.

Read More

Indicates user activity that is unusual for the user or consistent with known attack patterns.

Read More

Identifies when an user or application modified the federation settings on the domain.

Read More

Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.

Read More

Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.

Read More

Detects when there is a interruption in the authentication process.

Read More

Detects exploitation attempts on Cisco ASA FTD systems exploiting CVE-2020-3452 with a status code of 200 (sccessful exploitation)

Read More

Detects BGP failures which may be indicative of brute force attacks to manipulate routing

Read More

Detects when a successful MFA authentication occurs due to the use of a bypass code. A bypass code is a temporary passcode created by an administrator for a specific user to access a Duo-protected application. These are generally used as "backup codes," so that enrolled users who are having problems with their mobile devices (e.g., mobile service is disrupted, the device is lost or stolen, etc.) or who temporarily can't use their enrolled devices (on a plane without mobile data services) can still access their Duo-protected systems.

Read More

Detects LDP failures which may be indicative of brute force attacks to manipulate MPLS labels

Read More

Detects exploitation attempt against Citrix Netscaler, Application Delivery Controller (ADS) and Citrix Gateway exploiting vulnerabilities reported as CVE-2020-8193 and CVE-2020-8195

Read More

Detects CVE-2019-19781 exploitation attempt against Citrix Netscaler, Application Delivery Controller and Citrix Gateway Attack

Read More

Detects the exploitation of the Confluence vulnerability described in CVE-2019-3398

Read More

Detects XSS attempts injected via GET requests in access logs

Read More

MODx manager - Local File Inclusion:Directory traversal vulnerability in manager/controllers/default/resource/tvs.php in MODx Revolution 2.0.2-pl, and possibly earlier, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the class_key parameter.

Read More

Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688

Read More

Detects CVE-2020-0688 Exploitation attempts

Read More

Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688

Read More

Detects CVE-2020-10148 SolarWinds Orion API authentication bypass attempts

Read More

Detects the exploitation attempt of the vulnerability found in F5 BIG-IP and described in CVE-2020-5902

Read More

Detects the exploitation of VSphere Remote Code Execution vulnerability as described in CVE-2021-21972

Read More

Detects the exploitation of the VMware View Planner vulnerability described in CVE-2021-21978

Read More

Detects the exploitation of Microsoft Exchange ProxyToken vulnerability as described in CVE-2021-33766

Read More

Detects an authentication bypass vulnerability affecting the REST API URLs in ADSelfService Plus (CVE-2021-40539).

Read More

Detects exploitation of flaw in path normalization in Apache HTTP server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.

Read More

Detects the exploitation of VMware Workspace ONE Access Authentication Bypass vulnerability as described in CVE-2022-31656 VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.

Read More

Detects possible exploitation of VMware Workspace ONE Access Admin Remote Code Execution vulnerability as described in CVE-2022-31659

Read More

Detects potential exploitation attempt of CVE-2023-1389 an Unauthenticated Command Injection in TP-Link Archer AX21.

Read More

Detects outlook initiating connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation.

Read More

Detects potential exploitation of CVE-2024-1709 an unauthenticated command injection in Progress Kemp LoadMaster. It looks for GET requests to '/access/set' API with the parameters 'param=enableapi' and 'value=1' as well as an "Authorization" header with a base64 encoded value with an uncommon character.

Read More

This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708. This requires an Advanced Auditing policy to log a successful Windows Event ID 4663 events and with a SACL set on the directory.

Read More

Detects GET requests to '/SetupWizard.aspx/[anythinghere]' that indicate exploitation of the ScreenConnect vulnerability CVE-2024-1709.

Read More

Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts. Sigma detects default credentials usage. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management.

Read More

Detects an installation of a device that is forbidden by the system policy

Read More

Detects the execution of the hdiutil utility in order to mount disk images.

Read More

Detects suspicious Django web application framework exceptions that could indicate exploitation attempts

Read More

Detects suspicious DNS queries to external service interaction domains often used for out-of-band interactions after successful RCE

Read More

Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process

Read More

Detects download of certain file types from hosts in suspicious TLDs

Read More

Detects executable downloads from suspicious remote systems

Read More

Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe

Read More

Detects successful exploitation of Exchange vulnerability as reported in CVE-2021-28480

Read More

Detects exploitation attempts in Exchange server logs as described in blog posts reporting on HAFNIUM group activity

Read More

Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262

Read More

Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759

Read More

Detects exploitation indicators of CVE-2022-42475 a heap-based buffer overflow in sslvpnd.

Read More

Detects the exploitation of the Wazuh RCE vulnerability described in CVE-2021-26814

Read More

Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189

Read More

Detects external disk drives or plugged-in USB devices.

Read More

Detects successful logon from public IP address via RDP. This can indicate a publicly-exposed RDP port.

Read More

Detects successful logon from public IP address via SMB. This can indicate a publicly-exposed SMB port.

Read More

Detect failed authentications from countries you do not operate out of.

Read More

Detects a failed logon attempt from a public IP. A login from a public IP can indicate a misconfigured firewall or network boundary.

Read More

Detects a flashplayer update from an unofficial location

Read More

Detects CVE-2018-13379 exploitation attempt against Fortinet SSL VPNs

Read More

Detects CVE-2021-22123 exploitation attempt against Fortinet WAFs

Read More

Detects when a user creates action secret for the organization, environment, codespaces or repository.

Read More

A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runners configurations in the environment. The self-hosted runner configuration changes once detected, it should be validated from GitHub UI because the log entry may not provide full context.

Read More

Detects a successful Grafana path traversal exploitation

Read More

Detects attempts to enable the guest account using the sysadminctl utility

Read More

Detects guest users being invited to tenant by non-approved inviters

Read More

Detects suspicious user agent strings user by hack tools in proxy logs

Read More

Detects a suspicious child process of a Microsoft HTML Help (HH.exe)

Read More

Detects BGP failures which may be indicative of brute force attacks to manipulate routing.

Read More

Identifies user activities originating from geographically distant locations within a time period shorter than the time it takes to travel from the first location to the second.

Read More

Detects when an account makes changes to the ingress or egress rules of a security group. This can indicate that an attacker is attempting to open up new attack vectors in the account, that they are trying to exfiltrate data over the network, or that they are trying to allow machines in that VPC/Subnet to contact a C&C server.

Read More

Detects the creation of a ISO file in the Outlook temp folder or in the Appdata temp folder. Typical of Qakbot TTP from end-July 2022.

Read More

Detects the mount of an ISO image on an endpoint

Read More

Detects the creation of recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks. This can be a false positive on server systems but on workstations users should rarely mount .iso or .img files.

Read More

Detects possible Java payloads in web access logs

Read More

Detects exploitation attempt using the JNDI-Exploit-Kit

Read More

Detects juniper BGP missing MD5 digest. Which may be indicative of brute force attacks to manipulate routing.

Read More

Detects changes to the security groups associated with an Elastic Load Balancer (ELB) or Application Load Balancer (ALB). This can indicate that a misconfiguration allowing more traffic into the system than required, or could indicate that an attacker is attempting to enable new connections into a VPC or subnet controlled by the account.

Read More

Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 (Log4Shell)

Read More

Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 in different header fields found in web server logs (Log4Shell)

Read More

Detect failed attempts to sign in to disabled accounts.

Read More

Detects when a Microsoft Cloud App Security reported when a user signs into your sanctioned apps from a risky IP address.

Read More

Detects when a Microsoft Cloud App Security reported a risky sign-in attempt due to a login associated with an impossible travel.

Read More

Detects when a Security Compliance Center reported a user who exceeded sending limits of the service policies and because of this has been restricted from sending email.

Read More

User has indicated they haven't instigated the MFA prompt and could indicate an attacker has the password for the account.

Read More

Identifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can't pass the MFA challenge.

Read More

Detects sign-ins from new countries. The detection considers past activity locations to determine new and infrequent locations.

Read More

Detects that network ACL entries have been added to a route table which could indicate that new attack vectors have been opened up in the AWS account.

Read More

Detects the addition of a new network route to a route table in AWS.

Read More

Detects the creation of a new office macro files on the systems

Read More

Detects the creation of a office macro file from a a suspicious process

Read More

Detects the creation of a new office macro files on the systems via an application (browser, mail client).

Read More

Detects when Okta FastPass prevents a known phishing site.

Read More

Detects when Okta identifies new activity in the Admin Console.

Read More

Detects the exploitation of OMIGOD (CVE-2021-38647) which allows remote execute (RCE) commands as root with just a single unauthenticated HTTP request. Verify, successful, exploitation by viewing the HTTP client (request) body to see what was passed to the server (using PCAP). Within the client body is where the code execution would occur. Additionally, check the endpoint logs to see if suspicious commands or activity occurred within the timeframe of this HTTP request.

Read More

Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell. Script being executed gets created as a temp file in /tmp folder with a scx* prefix. Then it is invoked from the following directory /etc/opt/microsoft/scx/conf/tmpdir/. The file in that directory has the same prefix scx*. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.

Read More

Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.

Read More

Detects instances where an FTP service on an OpenCanary node has had a login attempt.

Read More

Detects instances where an HTTP service on an OpenCanary node has received a GET request.

Read More

Detects instances where an HTTP service on an OpenCanary node has had login attempt via Form POST.

Read More

Detects instances where an HTTPPROXY service on an OpenCanary node has had an attempt to proxy another page.

Read More

Detects instances where an SSH service on an OpenCanary node has had a login attempt.

Read More

Detects instances where an SSH service on an OpenCanary node has had a connection attempt.

Read More

Detects instances where a Telnet service on an OpenCanary node has had a login attempt.

Read More

Detects access to a webshell dropped into a keystore folder on the WebLogic server

Read More

Detects exploitation attempts on WebLogic servers

Read More

Detects the exploitation of the WebLogic server vulnerability described in CVE-2021-2109

Read More

Dependabot performs a scan to detect insecure dependencies, and sends Dependabot alerts. This rule detects when an organization owner disables Dependabot alerts private repositories or Dependabot security updates for all repositories.

Read More

Detects exploitation attempt of the OWASSRF variant targeting exchange servers using publicly available POC. It uses the OWA endpoint to access the powershell backend endpoint

Read More

Detects exploitation attempt of the OWASSRF variant targeting exchange servers using publicly available POC. It uses the OWA endpoint to access the powershell backend endpoint

Read More

Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.

Read More

Detects a when net.exe is called with a password in the command line

Read More

Detects path traversal exploitation attempts

Read More

Detects cases in which an ISO files is opend within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web)

Read More

Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084

Read More

Detects potential exploitation attempts that target the Centos Web Panel 7 Unauthenticated Remote Code Execution CVE-2022-44877

Read More

Detects exploitation attempt of the CVE-2021-27905 which affects all Apache Solr versions prior to and including 8.8.1.

Read More

Detects potential exploitation attempts of CVE-2022-21587 an arbitrary file upload vulnerability impacting Oracle E-Business Suite (EBS). CVE-2022-21587 can lead to unauthenticated remote code execution.

Read More

Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)

Read More

Detects potential exploitation attempts that target the Cacti Command Injection CVE-2022-46169

Read More

Detects potential exploitation attempt of CVE-2023-2283 an authentication bypass in libSSH. The exploitation method causes an error message stating that keys for curve25519 could not be generated. It is an error message that is a sign of an exploitation attempt. It is not a sign of a successful exploitation.

Read More

Detects the potential exploitation attempt of CVE-2023-23752 an Improper access check, in web service endpoints in Joomla

Read More

Detects a potential exploitation attempt of CVE-2023-25157 a SQL injection in GeoServer

Read More

Detects a potential exploitation attempt of CVE-2023-25717 a Remote Code Execution via an unauthenticated HTTP GET Request, in Ruckus Wireless Admin

Read More

Detects indicators of potential exploitation of CVE-2023-27997 in Frotigate weblogs. To avoid false positives it is best to look for successive requests to the endpoints mentioned as well as weird values of the "enc" parameter

Read More

Detects potential exploitation attempts of CVE-2024-3400 - an OS command injection in Palo Alto GlobalProtect. This detection looks for suspicious strings that indicate a potential directory traversal attempt or command injection.

Read More

Detects potential exploitation attempt of undocumented Windows Server Pre Auth Remote Code Execution (RCE)

Read More

Detects attempts to create a DLL file to a known desktop application dependencies folder such as Slack, Teams or OneDrive and by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking.

Read More

Detects potential JNDI Injection exploitation. Often coupled with Log4Shell exploitation.

Read More

Detects potential local file read vulnerability in JVM based apps. If the exceptions are caused due to user input and contain path traversal payloads then it's a red flag.

Read More

Detects successful authentication from potential clients using legacy authentication via user agent strings. This could be a sign of MFA bypass using a password spray attack.

Read More

Detects potential OGNL Injection exploitation, which may lead to RCE. OGNL is an expression language that is supported in many JVM based systems. OGNL Injection is the reason for some high profile RCE's such as Apache Struts (CVE-2017-5638) and Confluence (CVE-2022-26134)

Read More

Detects exploitation attempt of the OWASSRF variant targeting exchange servers It uses the OWA endpoint to access the powershell backend endpoint

Read More

Detects exploitation attempt of the OWASSRF variant targeting exchange servers It uses the OWA endpoint to access the powershell backend endpoint

Read More

Detects process execution related errors in NodeJS. If the exceptions are caused due to user input then they may suggest an RCE vulnerability.

Read More

Detects exceptions in velocity template renderer, this most likely happens due to dynamic rendering of user input and may lead to RCE.

Read More

Detects potential SpEL Injection exploitation, which may lead to RCE.

Read More

Detects XML parsing issues, if the application expects to work with XML make sure that the parser is initialized safely.

Read More

Detects process execution related exceptions in JVM based apps, often relates to RCE

Read More

When exploiting this vulnerability with CVE-2021-26858, an SSRF attack is used to manipulate virtual directories

Read More

This rule detects exploitation attempts using Pulse Connect Secure(PCS) vulnerability (CVE-2021-22893)

Read More

Detects CVE-2019-11510 exploitation attempt - URI contains Guacamole

Read More

Generic rule for SQL exceptions in Python according to PEP 249

Read More

Detects changes to the security group entries for RDS databases. This can indicate that a misconfiguration has occurred which potentially exposes the database to the public internet, a wider audience within the VPC or that removal of valid rules has occurred which could impact the availability of the database to legitimate services and users.

Read More

Detects attempts to exploit a Rejetto HTTP File Server (HFS) via CVE-2014-6287

Read More

Detects the execution of an AnyDesk binary with a version prior to 8.0.8. Prior to version 8.0.8, the Anydesk application used a signing certificate that got compromised by threat actors. Use this rule to detect instances of older versions of Anydesk using the compromised certificate This is recommended in order to avoid attackers leveraging the certificate and signing their binaries to bypass detections.

Read More

Detects ScreenConnect program starts that establish a remote access to a system.

Read More

Detects potential web shell execution from the ScreenConnect server process.

Read More

Detects the command line executed when TeamViewer starts a session started by a remote host. Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.

Read More

Detects the command line executed when TeamViewer starts a session started by a remote host. Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.

Read More

Detects the command line executed when TeamViewer starts a session started by a remote host. Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.

Read More

Detects attempts to enable the root account via "dsenableroot"

Read More

Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts

Read More

Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation)

Read More

Define a baseline threshold for failed sign-ins due to Conditional Access failures

Read More

Detects exploitation attempts of Sitecore Experience Platform Pre-Auth RCE CVE-2021-42237 found in Report.ashx

Read More

Detects exploitation attempts of the SonicWall Jarrewrite Exploit

Read More

Detects suspicious Spring framework exceptions that could indicate exploitation attempts

Read More

Detects potential SQL injection attempts via GET requests in access logs.

Read More

Detect successful authentications from countries you do not operate out of.

Read More

Detects URP patterns and status codes that indicate a successful ProxyShell exploitation attack against Exchange servers

Read More

When IIS uses an old .Net Framework it's possible to enumerate folders with the symbol "~"

Read More

Indicates anomalous behavior based on suspicious sign-in activity across multiple tenants from different countries in the same browser

Read More

Detects suspicious child processes spawned from browsers. This could be a result of a potential web browser exploitation.

Read More

Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.

Read More

Detects suspicious child processes of the Veeam service process. This could indicate potential RCE or SQL Injection.

Read More

The Reset-ComputerMachinePassword cmdlet changes the computer account password that the computers use to authenticate to the domain controllers in the domain. You can use it to reset the password of the local computer.

Read More

Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns

Read More

Detects a suspicious program execution in Outlook temp folder

Read More

Detects when the macOS Script Editor utility spawns an unusual child process.

Read More

Detects executables launched from external WebDAV shares using the WebDAV Explorer integration, commonly seen in initial access campaigns.

Read More

Detects suspicious file type dropped by an Exchange component in IIS

Read More

Detects a suspicious execution of a Microsoft HTML Help (HH.exe)

Read More

Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation

Read More

Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file.

Read More

Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation

Read More