Detecting initial exploitation attempt against VMware Horizon deployments running vulnerable versions of Log4j.

Read More

While JavaScript is everywhere on the web, it is rather unusual for the browser to download a JavaScript file and execute it via the Windows Script Host (wscript.exe). When this downloaded script starts communicating with devices outside of your network, things get even more suspicious. That said, this detection analytic may be noisy in some environments, so be prepared to identify what scripts are normally run in this way to tune out the noise. Part of the RedCanary 2024 Threat Detection Report.

Read More

Detects creation of files potentially associated with QakBot initial infection, documented by Adithya Chandra and Sushant Kumar Arya of Trellix in August 2022.

Read More

Detects URL pattern used by search(-ms)/WebDAV initial access campaign.

Read More

Detects the creation of WebDAV temporary files with suspicious extensions

Read More

Detects .lnk files created by Powershell in the startup folder. Associated with (but not unique to) Yellow Cockatoo, AKA Solarmarker/Jupyter Stealer. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects suspicious Powershell script load contents associated with Yellow Cockatoo, AKA Solarmarker/Jupyter Stealer. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects failed logins with multiple disabled domain accounts from a single source system using the Kerberos protocol.

Read More

Detects failed logins with multiple invalid domain accounts from a single source system using the NTLM protocol.

Read More

Detects failed logins with multiple invalid domain accounts from a single source system using the Kerberos protocol.

Read More

Detects possible exploitation activity or bugs in a web application

Read More

Detects failed logins with multiple accounts from a single process on the system.

Read More

Detects a source system failing to authenticate against a remote host with multiple users.

Read More

Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell. Script being executed gets created as a temp file in /tmp folder with a scx* prefix. Then it is invoked from the following directory /etc/opt/microsoft/scx/conf/tmpdir/. The file in that directory has the same prefix scx*. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager. Microsoft Azure, and Microsoft Operations Management Suite.

Read More

Detects a single user failing to authenticate to multiple users using explicit credentials.

Read More

Detects several different DNS-answers by one domain with IPs from internal and external networks. Normally, DNS-answer contain TTL >100. (DNS-record will saved in host cache for a while TTL).

Read More

Detects multiple failed logins with multiple valid domain accounts from a single source system using the Kerberos protocol.

Read More

Detects failed logins with multiple valid domain accounts from a single source system using the NTLM protocol.

Read More

Detects successful logon from public IP address via RDP, SMB, etc. This can indicate a publicly-exposed RDP or SMB port.

Read More

Detects the mount of ISO images on an endpoint

Read More

Detects creation of files potentially associated with QakBot initial infection, documented by Adithya Chandra and Sushant Kumar Arya of Trellix in August 2022.

Read More