Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.

Read More

Detects exploitation attempt of CVE-2023-46214, a remote code execution (RCE) in Splunk Enterprise through insecure XML parsing using known public proof of concept code

Read More

Detects potential exploitation of CVE-2023-46214, a remote code execution (RCE) in Splunk Enterprise through insecure XML parsing

Read More

Detects suspicious child processes of Excel which could be an indicator of lateral movement leveraging the "ActivateMicrosoftApp" Excel DCOM object.

Read More

Detect suspicious error on protocol RDP, potential CVE-2019-0708

Read More

Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep

Read More

Detects creation of a lightly-renamed PSExec file in C:\Users\Public, as observed in the Cicada3301 Ransomware report from MorphiSec.

Read More

Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale

Read More

Detects the execution of the commonly used ZeroLogon PoC executable.

Read More

Detects the execution of SharpWSUS or WSUSpendu, utilities that allow for lateral movement through WSUS. Windows Server Update Services (WSUS) is a critical component of Windows systems and is frequently configured in a way that allows an attacker to circumvent internal networking limitations.

Read More

Detects access to ADMIN$ network share

Read More

Detect remote login by Administrator user (depending on internal pattern).

Read More

Detects an issue in apache logs that reports threading related errors

Read More

Detects APT31 Judgement Panda activity as described in the Crowdstrike 2019 Global Threat Report

Read More

Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited. MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability. Unfortunately, that is about the only instance of CVEs being written to this log.

Read More

Detects potentially suspicious events involving "GetSigninToken". An adversary using the "aws_consoler" tool can leverage this console API to create temporary federated credential that help obfuscate which AWS credential is compromised (the original access key) and enables the adversary to pivot from the AWS CLI to console sessions without the need for MFA using the new access key issued in this request.

Read More

Identifies the suspicious use of AssumeRole. Attackers could move laterally and escalate privileges.

Read More

Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.

Read More

Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.

Read More

Detects Bitbucket global SSH access configuration changes.

Read More

Various protocols maybe used to put data on the device for exfil or infil

Read More

Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement

Read More

Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement

Read More

Detects a copy command or a copy utility execution to or from an Admin share or remote

Read More

Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.

Read More

Detects a threat actor creating a file named iertutil.dll in the C:\Program Files\Internet Explorer\ directory over the network for a DCOM InternetExplorer DLL Hijack scenario.

Read More

This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop. Often, this event can be generated by attackers when searching for available windows servers in the network.

Read More

Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.

Read More

Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.

Read More

Detects external disk drives or plugged-in USB devices.

Read More

This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes

Read More

This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes

Read More

Detects the execution of Evil-WinRM via PowerShell Module logs by leveraging the hardcoded strings inside the utility.

Read More

Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced

Read More

Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework

Read More

Detects the execution of the hacktool Rubeus via PE information of command line parameters

Read More

Detects the execution of the hacktool Rubeus using specific command line flags

Read More

Detects the execution of SharpMove, a .NET utility performing multiple tasks such as "Task Creation", "SCM" query, VBScript execution using WMI via its PE metadata and command line options.

Read More

Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.

Read More

Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script

Read More

Detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022

Read More

Detects execution of Impacket's psexec.py.

Read More

Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation

Read More

Alerts on Metasploit host's authentications on the domain.

Read More

This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)

Read More

Detects a Windows command line executable started from MMC

Read More

Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations.

Read More

Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule

Read More

Detects the modification of the PortProxy registry key which is used for port forwarding.

Read More

Detects the usage of "mstsc.exe" with the "/v" flag to initiate a connection to a remote server. Adversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.

Read More

Detects logons using NTLM, which could be caused by a legacy source or attackers

Read More

Detects the reporting of NTLMv1 being used between a client and server. NTLMv1 is insecure as the underlying encryption algorithms can be brute-forced by modern hardware.

Read More

Detects the exploitation of OMIGOD (CVE-2021-38647) which allows remote execute (RCE) commands as root with just a single unauthenticated HTTP request. Verify, successful, exploitation by viewing the HTTP client (request) body to see what was passed to the server (using PCAP). Within the client body is where the code execution would occur. Additionally, check the endpoint logs to see if suspicious commands or activity occurred within the timeframe of this HTTP request.

Read More

Detects instances where an SMB service on an OpenCanary node has had a file open request.

Read More

Detects instances where an SNMP service on an OpenCanary node has had an OID request.

Read More

Detects instances where an SSH service on an OpenCanary node has had a login attempt.

Read More

Detects instances where an SSH service on an OpenCanary node has had a connection attempt.

Read More

Detects instances where a VNC service on an OpenCanary node has had a connection attempt.

Read More

Detects scenarios where an attacker enables the OpenSSH server and server starts to listening on SSH socket.

Read More

Detects Non-Standard tools initiating a connection over port 3389 indicating possible lateral movement. An initial baseline is required before using this utility to exclude third party RDP tooling that you might use.

Read More

Detects logon events that specify new credentials

Read More

Detects the attack technique pass the hash which is used to move laterally inside the network

Read More

Detects a when net.exe is called with a password in the command line

Read More

Detect use of PDQ Deploy remote admin tool

Read More

Detects port forwarding activity via SSH.exe

Read More

Detects log entries that appear in exploitation attempts against MS Exchange RCE CVE-2021-42321

Read More

Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.

Read More

Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class over the network

Read More

Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class

Read More

Detects RDP session hijacking by using MSTSC shadowing

Read More

Detects creation of "UserInitMprLogonScript" registry value which can be used as a persistence method by malicious actors

Read More

Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.

Read More

Detects a process that initiated a network connection over ports 5985 or 5986 from a non-network service account. This could potentially indicates a remote PowerShell connection.

Read More

Detects the execution of "reg.exe" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\Control\Terminal Server' values

Read More

Detects a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.

Read More

Detects access to a protected_storage service over the network. Potential abuse of DPAPI to extract domain backup keys from Domain Controllers

Read More

Detects blocking of process creations originating from PSExec and WMI commands

Read More

Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system

Read More

Detects default CSExec pipe creation

Read More

Detects the execution of Radmin which can be abused by an adversary to remotely control Windows machines

Read More

Detects default RemCom pipe creation

Read More

Detects connections from routable IPs to an RDP listener. Which is indicative of a publicly-accessible RDP service.

Read More

RDP login with localhost source address may be a tunnelled login

Read More

Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389

Read More

Detects svchost hosting RDP termsvcs communicating with the loopback address

Read More

Detects the execution of netsh to configure a port forwarding of port 3389 (RDP) rule

Read More

Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443

Read More

Detects potential use of Rubeus via registered new trusted logon process

Read More

Detects remote RPC calls that performs remote DCOM operations. These could be abused for lateral movement via DCOM or WMI.

Read More

Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR

Read More

Detects the use of tools that copy files from or to remote systems

Read More

Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz.

Read More

Detects remote PowerShell sessions

Read More

Detects remote PowerShell sessions

Read More

Detects remote RPC calls to possibly abuse remote printing service via MS-RPRN / MS-PAR

Read More

Detects remote RPC calls to modify the registry and possible execute code

Read More

Detects remote RPC calls to create or execute a scheduled task via ATSvc

Read More

Detects remote RPC calls to create or execute a scheduled task

Read More

Detects remote RPC calls to create or execute a scheduled task via SASec

Read More

Detects remote RPC calls to possibly abuse remote encryption service via MS-SRVS

Read More

Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR

Read More

Detects remote service activity via remote access to the svcctl named pipe

Read More

Detects remote task creation via at.exe or API interacting with ATSVC namedpipe

Read More

Detects remote task creation via at.exe or API interacting with ATSVC namedpipe

Read More

Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module

Read More

Look for non-system accounts SMB accessing a file with write (0x2) access mask via administrative share (i.e C$).

Read More

Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.

Read More

Detects the use of smbexec.py tool by detecting a specific service installation

Read More

Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.

Read More

Adversaries may use to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.

Read More

Detects suspicious Plink tunnel port forwarding to a local port

Read More

detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one

Read More

detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one

Read More

Detects a suspicious RDP session redirect using tscon.exe

Read More

Detects suspicious processes logging on with explicit credentials

Read More

Detects suspicious child processes of SysAidServer (as seen in MERCURY threat actor intrusions)

Read More

Detects suspicious UltraVNC command line flag combination that indicate a auto reconnect upon execution, e.g. startup (as seen being used by Gamaredon threat group)

Read More

Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.

Read More

Detects a threat actor creating a file named wbemcomn.dll in the C:\Windows\System32\wbem\ directory over the network for a WMI DLL Hijack scenario.

Read More

Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)

Read More

Detects automated lateral movement by Turla group

Read More

Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.

Read More

Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.

Read More

Detects addition of users to the local Remote Desktop Users group via "Net" or "Add-LocalGroupMember".

Read More

The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA.

Read More

Detects WannaCry ransomware activity

Read More

Detects when an admin share is mounted using net.exe

Read More

Detects when an internet hosted webdav share is mounted using the "net.exe" utility

Read More

Detects when a share is mounted using the "net.exe" utility

Read More

Detects signs of the WMI script host process "scrcons.exe" loading scripting DLLs which could indicates WMI ActiveScriptEventConsumers EventConsumers activity.

Read More

Detects the creation of the default output filename used by the wmiexec tool

Read More

Detects a threat actor creating a file named wbemcomn.dll in the C:\Windows\System32\wbem\ directory over the network and loading it for a WMI DLL Hijack scenario.

Read More

Detects a threat actor creating a file named wbemcomn.dll in the C:\Windows\System32\wbem\ directory over the network and loading it for a WMI DLL Hijack scenario.

Read More

Aversaries may use to interact with a remote network share using Server Message Block (SMB). This technique is used by post-exploitation frameworks.

Read More

This rule is designed to detect attempts to exploit Zerologon (CVE-2020-1472) vulnerability using mimikatz zerologon module or other exploits from machine with "kali" hostname.

Read More