Detects download of certain file types from hosts in suspicious TLDs

Detects executable downloads from suspicious remote systems

The Reset-ComputerMachinePassword cmdlet changes the computer account password that the computers use to authenticate to the domain controllers in the domain. You can use it to reset the password of the local computer.

Detects when Okta FastPass prevents a known phishing site.

Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.

Detects suspicious child processes of the Veeam service process. This could indicate potential RCE or SQL Injection.

Detects successful logon from public IP address via RDP. This can indicate a publicly-exposed RDP port.

Detects successful logon from public IP address via SMB. This can indicate a publicly-exposed SMB port.

A login from a public IP can indicate a misconfigured firewall or network boundary.

Detects the creation of a new office macro files on the systems via an application (browser, mail client).

Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688

Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379

Detects a suspicious child process of a Microsoft HTML Help (HH.exe)

Detects a suspicious execution of a Microsoft HTML Help (HH.exe)

Detects suspicious child processes spawned from browsers. This could be a result of a potential web browser exploitation.

Detect when authentications to important application(s) only required single-factor authentication

Detects guest users being invited to tenant by non-approved inviters

Detects attempts to create and/or add an account to the admin group, thus granting admin privileges.

Detects successful authentication from potential clients using legacy authentication via user agent strings. This could be a sign of MFA bypass using a password spray attack.

Detects ScreenConnect program starts that establish a remote access to that system (not meeting, not remote support)

The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.

Detects cases in which an ISO files is opend within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web)

Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation)

Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)

Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)

Detects a suspicious program execution in Outlook temp folder

Detects suspicious processes including shells spawnd from WinRM host process

Detects suspicious shell spawn from Java utility keytool process (e.g. adselfservice plus exploitation)

Detects suspicious shell spawned from Java host process (e.g. log4j exploitation)

Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns

Detects the creation of a new office macro files on the systems

Detects the creation of a office macro file from a a suspicious process

Detects attempts to enable the guest account using the sysadminctl utility

Detects XML parsing issues, if the application expects to work with XML make sure that the parser is initialized safely.

Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)

Detects an unexpected file being modified by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)

Detects potential JNDI Injection exploitation. Often coupled with Log4Shell exploitation.

Detects potential local file read vulnerability in JVM based apps. If the exceptions are caused due to user input and contain path traversal payloads then it's a red flag.

Detects potential OGNL Injection exploitation, which may lead to RCE. OGNL is an expression language that is supported in many JVM based systems. OGNL Injection is the reason for some high profile RCE's such as Apache Struts (CVE-2017-5638) and Confluence (CVE-2022-26134)

Detects process execution related errors in NodeJS. If the exceptions are caused due to user input then they may suggest an RCE vulnerability.

Detects exceptions in velocity template renderer, this most likely happens due to dynamic rendering of user input and may lead to RCE.

Detects potential SpEL Injection exploitation, which may lead to RCE.

Detects process execution related exceptions in JVM based apps, often relates to RCE

Detects suspicious Spring framework exceptions that could indicate exploitation attempts

Detects SQL error messages that indicate probing for an injection attack

Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file.

A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runners configurations in the environment. The self-hosted runner configuration changes once detected, it should be validated from GitHub UI because the log entry may not provide full context.

This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.

Detects attempts to exploit an apache spark server via CVE-2014-6287 from a commandline perspective

Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134