Detects user account creation on ESXi system via esxcli

Read More

Detects when an app is assigned Azure AD roles, such as global administrator, or Azure RBAC roles, such as subscription owner.

Read More

Detects a highly relevant Antivirus alert that reports a web shell. It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big WebShell repository from e.g. github and checking the matches. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.

Read More

Detects the setting of the REGISTERAPPRESTART compatibility layer on an application. This compatibility layer allows an application to register for restart using the "RegisterApplicationRestart" API. This can be potentially abused as a persistence mechanism.

Read More

Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc). Process Hacker is a tool to view and manipulate processes, kernel options and other low level options. Threat actors abused older vulnerable versions to manipulate system processes.

Read More

Hunts for known SVR-specific scheduled task names

Read More

Hunts for known SVR-specific scheduled task names

Read More

Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware

Read More

Detects process execution from a fake recycle bin folder, often used to avoid security solution.

Read More

Detects BITS transfer job downloading files from a file sharing domain.

Read More

Detects potential COM object hijacking via modification of default system CLSID.

Read More

Detects the addition of a new module to an IIS server.

Read More

Detects the removal of a previously installed IIS module.

Read More

Detects a Chromium based browser process with the 'load-extension' flag to start a instance with a custom extension

Read More

Detects changes to the Netsh registry key to add a new DLL value that is located on a suspicious location. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper

Read More

Detects changes to the Netsh registry key to add a new DLL value. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper

Read More

Detects service installation of different remote access tools software. These software are often abused by threat actors to perform

Read More

Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start an instance with a custom extension

Read More

Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence.

Read More

Detect DLL deletions from Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675

Read More

Detect DLL Load from Spooler Service backup folder

Read More

Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale

Read More

Detects the use of DISM to enable the PowerShell Web Access feature, which could be used for remote access and potential abuse

Read More

Detects the installation and configuration of PowerShell Web Access, which could be used for remote access and potential abuse

Read More

Detects incoming connections to AnyDesk. This could indicate a potential remote attacker trying to connect to a listening instance of AnyDesk and use it as potential command and control channel.

Read More

Detects execution of ChromeLoader malware via a registered scheduled task

Read More

Detects creation of local users via the net.exe command with the name of "DarkGate"

Read More

Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability

Read More

Detects suspicious ".hta" file creation in the startup folder by Foxit Reader. This can be an indication of CVE-2023-27363 exploitation.

Read More

Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc. by a non-PowerShell process

Read More

Detects the creation or update of a scheduled task to run with "NT AUTHORITY\SYSTEM" privileges

Read More

Detects post exploitation execution technique of the Serpent backdoor. According to Proofpoint, one of the commands that the backdoor ran was via creating a temporary scheduled task using an unusual method. It creates a fictitious windows event and a trigger in which once the event is created, it executes the payload.

Read More

Detects usage of bitsadmin downloading a file from a suspicious domain

Read More

Detects changes and updates to the user risk and MFA registration policy. Attackers can modified the policies to Bypass MFA, weaken security thresholds, facilitate further attacks, maintain persistence.

Read More

Detects changes to the "StrongAuthenticationRequirement" value, where the state is set to "0" or "Disabled". Threat actors were seen disabling multi factor authentication for users in order to maintain or achieve access to the account. Also see in SIM Swap attacks.

Read More

Detects activity when a member is added to a security-enabled global group

Read More

Detects activity when a member is removed from a security-enabled global group

Read More

Addition of domains is seldom and should be verified for legitimacy.

Read More

Detects activity when a security-enabled global group is deleted

Read More

Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)

Read More

Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)

Read More

This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.

Read More

Identifies that users were active from an IP address that has been identified as an anonymous proxy IP address.

Read More

Detects when an attacker adds a new "Debugger" value to the "AeDebug" key in order to achieve persistence which will get invoked when an application crashes

Read More

Detects when an attacker adds a new "Debugger" value to the "Hangs" key in order to achieve persistence which will get invoked when an application crashes

Read More

Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.

Read More

Detects when a new credential is added to an existing application. Any additional credentials added outside of expected processes could be a malicious actor using those credentials.

Read More

An attacker can use the SID history attribute to gain additional privileges.

Read More

Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs.

Read More

Indicates that there are anomalous patterns of behavior like suspicious changes to the directory.

Read More

Detects the installation of the anydesk software service. Which could be an indication of anydesk abuse if you the software isn't already used.

Read More

Detects when administrator grants either application permissions (app roles) or highly privileged delegated permissions

Read More

Detects when a configuration change is made to an applications AppID URI.

Read More

Detects when a configuration change is made to an applications URI. URIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are no unique to that app, or URIs that point to domains you do not control should be investigated.

Read More

Device code flow is an OAuth 2.0 protocol flow specifically for input constrained devices and is not used in all environments. If this type of flow is seen in the environment and not being used in an input constrained device scenario, further investigation is warranted. This can be a misconfigured application or potentially something malicious.

Read More

Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly. The application then uses those credentials to authenticate the user against the identity provider.

Read More

Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking

Read More

Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'

Read More

Identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior.

Read More

Detects when an Elastic Container Service (ECS) Task Definition includes a command to query the credential endpoint. This can indicate a potential adversary adding a backdoor to establish persistence or escalate privileges.

Read More

Detects when an ElastiCache security group has been created.

Read More

Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment. Also with this alert, you can detect a flow of AWS keys in your org.

Read More

Detects S3 Browser utility performing reconnaissance looking for existing IAM Users without a LoginProfile defined then (when found) creating a LoginProfile.

Read More

Detects S3 browser utility creating Inline IAM policy containing default S3 bucket name placeholder value of "".

Read More

Detects S3 Browser utility creating IAM User or AccessKey.

Read More

Detects a change in the AWS Identity Center (FKA AWS SSO) identity provider. A change in identity provider allows an attacker to establish persistent access or escalate privileges via user impersonation.

Read More

Detects when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.

Read More

Detects when a request has been made to transfer a Route 53 domain to another AWS account.

Read More

Detects activity when someone is changing passwords on behalf of other users. An attacker with the "iam:UpdateLoginProfile" permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup.

Read More

Indicates user activity that is unusual for the user or consistent with known attack patterns.

Read More

Identifies when an admission controller is executed in Azure Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.

Read More

Identifies when a Azure Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. An Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.

Read More

Detects global permissions change activity.

Read More

Detects a BITS transfer job downloading file(s) from a direct IP address.

Read More

Detects new BITS transfer job where the LocalName/Saved file is stored in a potentially suspicious location

Read More

Detects new BITS transfer job saving local files with potential suspicious extensions

Read More

Detects a suspicious download using the BITS client from a FQDN that is unusual. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.

Read More

Detects Bitsadmin connections to IP addresses instead of FQDN names

Read More

Detects Bitsadmin connections to domains with uncommon TLDs

Read More

Detects when a user is removed from a privileged role. Bulk changes should be investigated.

Read More

Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification

Read More

Monitor and alert on conditional access changes where non approved actor removed CA Policy.

Read More

Monitor and alert on conditional access changes. Is Initiated by (actor) approved to make changes? Review Modified Properties and compare "old" vs "new" value.

Read More

Detects a write of an Exchange CSR to an untypical directory or with aspx name suffix which can be used to place a webshell

Read More

Detects when certificate based authentication has been enabled in an Azure Active Directory tenant.

Read More

Detects when a program changes the default file association of any extension to an executable. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.

Read More

Detects file association changes using the builtin "assoc" command. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.

Read More

Change to authentication method could be an indicator of an attacker adding an auth method to the account so they can have continued access.

Read More

Detects when changes are made to PIM roles

Read More

Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services

Read More

Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells

Read More

Detects BGP failures which may be indicative of brute force attacks to manipulate routing

Read More

Detects LDP failures which may be indicative of brute force attacks to manipulate MPLS labels

Read More

Find local accounts being created or modified as well as remote authentication configurations

Read More

Modifications to a config that will serve an adversary's impacts or persistence

Read More

Detects modification of autostart extensibility point (ASEP) in registry.

Read More

Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs

Read More

Detects the ld.so preload persistence file. See man ld.so for more information.

Read More

Detects the creation of new services potentially related to COLDSTEEL RAT

Read More

Detects the creation of a process executing as user called "ANONYMOUS" seen used by the "MileStone2016" variant of COLDSTEEL

Read More

Detects the creation of a "rundll32" process from the ColdSteel persistence service to initiate the cleanup command by calling one of its own exports. This functionality is not present in "MileStone2017" and some "MileStone2016" samples

Read More

Detects the creation of an "svchost" process with specific command line flags, that were seen present and used by ColdSteel RAT

Read More

Detect modification of TreatAs key to enable "rundll32.exe -sta" command

Read More

Detects modification of autostart extensibility point (ASEP) in registry.

Read More

Detects programs that connect to uncommon destination ports

Read More

Detects the malicious use of a control panel item

Read More

Detects the installation of a service named "javamtsup" on the system. The CosmicDuke info stealer uses Windows services typically named "javamtsup" for persistence.

Read More

Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.

Read More

Sysmon registry detection of a local hidden user account.

Read More

Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.

Read More

Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.

Read More

Detects WerFault copoed to a suspicious folder, which could be a sign of WerFault DLL hijacking

Read More

Detects the creation of system DLLs that are usually not present on the system (or at least not in system directories). Usually this technique is used to achieve DLL hijacking.

Read More

Detects modification of autostart extensibility point (ASEP) in registry.

Read More

Detects modification of autostart extensibility point (ASEP) in registry.

Read More

Detects modification of autostart extensibility point (ASEP) in registry.

Read More

Detects changes to the "Ports" registry key with data that includes a Windows path or a file with a suspicious extension. This could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability.

Read More

Detects an authentication bypass vulnerability affecting the REST API URLs in ADSelfService Plus (CVE-2021-40539).

Read More

This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708.

Read More

This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708. This requires an Advanced Auditing policy to log a successful Windows Event ID 4663 events and with a SACL set on the directory.

Read More

Detects GET requests to '/SetupWizard.aspx/[anythinghere]' that indicate exploitation of the ScreenConnect vulnerability CVE-2024-1709.

Read More

Detects changes to the default RDP port. Remote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).

Read More

Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group

Read More

Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group

Read More

Detects suspicious DACL modifications to deny access to a service that affects critical trustees. This can be used to hide services or make them unstoppable.

Read More

Detects access to DEWMODE webshell as described in FIREEYE report

Read More

Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.

Read More

Detects changes to "DsrmAdminLogonBehavior" registry value. During a Domain Controller (DC) promotion, administrators create a Directory Services Restore Mode (DSRM) local administrator account with a password that rarely changes. The DSRM account is an “Administrator” account that logs in with the DSRM mode when the server is booting up to restore AD backups or recover the server from a failure. Attackers could abuse DSRM account to maintain their persistence and access to the organization's Active Directory. If the "DsrmAdminLogonBehavior" value is set to "0", the administrator account can only be used if the DC starts in DSRM. If the "DsrmAdminLogonBehavior" value is set to "1", the administrator account can only be used if the local AD DS service is stopped. If the "DsrmAdminLogonBehavior" value is set to "2", the administrator account can always be used.

Read More

Detection for when multi factor authentication has been disabled, which might indicate a malicious activity to bypass authentication mechanisms.

Read More

Detects disabling of Multi Factor Authentication.

Read More

Detects a method to load DLL via LSASS process using an undocumented Registry key

Read More

Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...) but with a space in order to trick DLL load search order and perform a "DLL Search Order Hijacking" attack

Read More

Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary in combination with the "PhoneDeepLink" flag tries to load this DLL. Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter

Read More

Detects Azure Hybrid Connection Manager services querying the Azure service bus service

Read More

Detects a driver load from a temporary directory

Read More

Detects changes to the AppInstaller (winget) policy. Specifically the activation of the local manifest installation, which allows a user to install new packages via custom manifests.

Read More

Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.

Read More

Detects .NET Framework CLR and .NET Core CLR "cor_enable_profiling" and "cor_profiler" variables being set and configured.

Read More

Rule to detect an adversary setting OabVirtualDirectory External URL property to a script in Exchange Management log

Read More

Detects a failed logon attempt from a public IP. A login from a public IP can indicate a misconfigured firewall or network boundary.

Read More

Detects a failed installation of a Exchange Transport Agent

Read More

The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.

Read More

Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities

Read More

Detects usage of bitsadmin downloading a file

Read More

Detects usage of bitsadmin downloading a file to a suspicious target folder

Read More

Detects usage of bitsadmin downloading a file to uncommon target folder

Read More

Detects usage of bitsadmin downloading a file with a suspicious extension

Read More

Detects FlowCloud malware registry markers from threat group TA410. The malware stores its configuration in the registry alongside drivers utilized by the malware's keylogger components.

Read More

Detects the setting of a custom protocol handler with the name "rogue". Seen being created by Forest Blizzard APT as reported by MSFT.

Read More

Detects the setting of the DLL that handles the custom protocol handler. Seen being created by Forest Blizzard APT as reported by MSFT.

Read More

Detects when an access policy that is applied to a GCP cloud resource is deleted. An adversary would be able to remove access policies to gain access to a GCP cloud resource.

Read More

Detects when the policy allowing forks of private and internal repositories is changed (enabled or cleared).

Read More

Detects when a user disables a critical security feature for an organization.

Read More

Detects when a user creates action secret for the organization, environment, codespaces or repository.

Read More

Detects when an organization member or an outside collaborator is added to or removed from a project board or has their permission level changed or when an owner removes an outside collaborator from an organization or when two-factor authentication is required in an organization and an outside collaborator does not use 2FA or disables 2FA.

Read More

Detects when a repository or an organization is being transferred to another location.

Read More

A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runners configurations in the environment. The self-hosted runner configuration changes once detected, it should be validated from GitHub UI because the log entry may not provide full context.

Read More

Detects when changes are made to the SSH certificate configuration of the organization.

Read More

Detects service creation persistence used by the Goofy Guineapig backdoor

Read More

Identifies when an admission controller is executed in GCP Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.

Read More

Identifies when a Google Cloud Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. An Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.

Read More

Detects when an access level is changed for a Google workspace application. An access level is part of BeyondCorp Enterprise which is Google Workspace's way of enforcing Zero Trust model. An adversary would be able to remove access levels to gain easier access to Google workspace resources.

Read More

Detects when an API access service account is granted domain authority.

Read More

Detects when an Google Workspace user is granted admin privileges.

Read More

Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.

Read More

Detects when a user that doesn't have permissions to invite a guest user attempts to invite one.

Read More

This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.

Read More

Detects the creation of a schtask via PowerSploit or Empire Default Configuration.

Read More

Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation. In it's default mode, it builds a self deleting .bat file which executes malicious command. The detection rule relies on creation of the malicious bat file (debug.bat by default).

Read More

Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms

Read More

Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers

Read More

Detects the creation of a local hidden user account which should not happen for event ID 4720.

Read More

Detects BGP failures which may be indicative of brute force attacks to manipulate routing.

Read More

Rule to detect the Hybrid Connection Manager service installation.

Read More

Rule to detect the Hybrid Connection Manager service running on an endpoint.

Read More

Hides the file extension through modification of the registry

Read More

Detects suspicious IIS native-code module installations via command line

Read More

Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities

Read More

Identifies user activities originating from geographically distant locations within a time period shorter than the time it takes to travel from the first location to the second.

Read More

Detects modification of autostart extensibility point (ASEP) in registry.

Read More

Identifies when an organization doesn't have the proper license for PIM and is out of compliance.

Read More

Detects juniper BGP missing MD5 digest. Which may be indicative of brute force attacks to manipulate routing.

Read More

Detects the setting of a new value in the Autorun key that is used by the Kapeka backdoor for persistence.

Read More

Detects registry set activity of a value called "Seed" stored in the "\Cryptography\Providers" registry key. The Kapeka backdoor leverages this location to register a new SIP provider for backdoor configuration persistence.

Read More

Detects Kapeka backdoor persistence activity. Depending on the process privileges, the Kapeka dropper then sets persistence for the backdoor either as a scheduled task (if admin or SYSTEM) or autorun registry (if not). For the scheduled task, it creates a scheduled task called "Sens Api" via schtasks command, which is set to run upon system startup as SYSTEM. To establish persistence through the autorun utility, it adds an autorun entry called "Sens Api" under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run via the "reg add" command. Both persistence mechanisms are set to launch the binary by calling rundll32 and passing the backdoor's first export ordinal (#1) without any additional argument.

Read More

Detects Kapeka backdoor scheduled task creation based on attributes such as paths, commands line flags, etc.

Read More

Detects when a modification (create, update or replace) action is taken that affects mutating or validating webhook configurations, as they can be used by an adversary to achieve persistence or exfiltrate access credentials.

Read More

Detects when a Kubernetes CronJob or Job is created or modified. A Kubernetes Job creates one or more pods to accomplish a specific task, and a CronJob creates Jobs on a recurring schedule. An adversary can take advantage of this Kubernetes object to schedule Jobs to run containers that execute malicious code within a cluster, allowing them to achieve persistence.

Read More

Detects the execution of programs as Launch Agents or Launch Daemons using launchctl on macOS.

Read More

Detects registry key used by Leviathan APT in Malaysian focused campaign

Read More

Detects suspicious sub processes of web server processes

Read More

Detects loading of kernel modules with insmod command. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. Adversaries may use LKMs to obtain persistence within the system or elevate the privileges.

Read More

Detects local user creation on Windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your Windows server logs and not on your DC logs.

Read More

Detects additions to the Emond Launch Daemon that adversaries may use to gain persistence and elevate privileges.

Read More

Detects a successful export of an Exchange mailbox to untypical directory or with aspx name suffix which can be used to place a webshell or the needed role assignment for it

Read More

Detects creation of a malicious DLL file in the location where the OneDrive or Team applications Upon execution of the Teams or OneDrive application, the dropped malicious DLL file ("iphlpapi.dll") is sideloaded

Read More

Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain..

Read More

Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location

Read More

Windows DCE-RPC functions which indicate a persistence techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.

Read More

Detect modification of the startup key to a path where a payload could be stored to be launched during startup

Read More

Detects suspicious modification of crontab file.

Read More

Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report

Read More

Detects the creation of a file named "MoriyaStreamWatchmen.sys" in a specific location. This filename was reported to be related to the Moriya rootkit as described in the securelist's Operation TunnelSnake report.

Read More

Detects get requests to specific files used during the exploitation of MOVEit CVE-2023-34362

Read More

Detects the Installation of a Exchange Transport Agent

Read More

Detects the Installation of a Exchange Transport Agent

Read More

Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role

Read More

This rule detects the execution of the extended storage procedure backdoor named Maggie in the context of Microsoft SQL server

Read More