Detects possible attempt to circumvent the User Account Control (UAC) by executing Windows Explorer to spawn a command line interpreter process without triggering UAC prompts.

Read More

Detecting possible successful exploitation using tools such as KrbRelayUp AD environment

Read More

'This technique is to detect exploitation chain of CVE-2021-42287 (samAccountName Spoofing) and CVE-2021-42278 (Domain Controller Impersonation). It is looking into event 4781 for evidence of a new computer account creation and account rename that matches the name of a domain controller account without ending in "$". Computer account names always end with $ and a change like this is highly unusual. Immediately after the 4781 event, a Kerberos Ticket Granting Ticket (TGT) must be requested on behalf of the newly created and renamed computer account. A computer account name event will occur before this TGT request. Putting everything together, we may use events 4781 and 4768 to look for a series of events in which the new computer account on event 4781 matches the requested account on event 4768. NOTE-- On selection2, the TargetUserName should equal to NewTargetUserName. I have left it as a placeholder but this should change dependingon the backend you are translating the query to. Splunk Example-- | eval RenamedComputerAccount = coalesce(New_Account_Name, mvindex(Account_Name,0)) | transaction RenamedComputerAccount endswith=(EventCode=4781)'

Read More

One persistence mechanism used by some variations of SmashJacker was an AppInit DLL. It would use a reg.exe command to create appropriate Windows Registry keys for persistence. Part of the RedCanary 2024 Threat Detection Report.

Read More

Detects unusual process modifying the modules.dep file. The modules.dep and modules.dep.bin files should only be modified by the depmod utility. Part of the RedCanary 2024 Threat Detection Report.

Read More

Detects app package installation processes where the app is not a Microsoft app based on the publisher ID. Part of the RedCanary 2024 Threat Detection Report.

Read More

Detects app package installation processes where legitimate software is included in an MSIX package, but a malicious PowerShell script may execute beforehand by employing the Package Support Framework (PSF). In these cases, the MSIX package includes the malicious script, which is executed as specified in an included config.json file. Part of the RedCanary 2024 Threat Detection Report.

Read More

Yellow Cockatoo Windows Startup folder for persistence. Not unique to Yellow Cockatoo, this detection opportunity is likely to identify persistence mechanisms in multiple threats. In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL. Part of the RedCanary 2024 Threat Detection Report.

Read More

Detects configuration files being written to specific directories that are searched when looking for loadable Linux Kernel Modules (LKM). Part of the RedCanary 2024 Threat Detection Report.

Read More

Detects the systemd process running commands that would load a Linux Kernel Modules. Part of the RedCanary 2024 Threat Detection Report.

Read More

Detects the systemd process loading a Linux Kernel Modules using modprobe. Part of the RedCanary 2024 Threat Detection Report.

Read More

Looks for network connections from notepad. Inspired by the 2022 Red Canary Threat Detection report.

Read More

Detects creation of a local user account using the net command with 'Admin' in the name - this technique is used by Vice Society ransomware gang to create bogus user accounts that attempt to blend in with an administrative user account naming convention.

Read More

Detects search for setuid or setgid binaries. This rule looks specifically for execution of the find binary searching for executables with the setuid or setgid bit set. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects Gamarue DLL filename in command line strings. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects instances of PowerShell accessing any other processes. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects processes running without command lines, which can indicate process injection. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects notepad making network connections, a potential process injection signal. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects exploitation attempt of vulnerability described in CVE-2021-3156. Alternative approach might be to look for flooding of auditd logs due to bruteforcing required to trigger the heap-based buffer overflow.

Read More

Detects exploitation attempt of vulnerability described in CVE-2021-3156. Alternative approach might be to look for flooding of auditd logs due to bruteforcing. required to trigger the heap-based buffer overflow.

Read More

Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE privileges

Read More

Detects failed logins with multiple disabled domain accounts from a single source system using the Kerberos protocol.

Read More

Detects suspicious failed logins with different user accounts from a single source system

Read More

Detects suspicious failed logins with different user accounts from a single source system

Read More

Detects failed logins with multiple invalid domain accounts from a single source system using the NTLM protocol.

Read More

Detects failed logins with multiple invalid domain accounts from a single source system using the Kerberos protocol.

Read More

Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.

Read More

Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation

Read More

This rule looks for Windows Installer service (msiexec.exe) spawning command line and/or powershell that spawns other processes

Read More

Detects failed logins with multiple accounts from a single process on the system.

Read More

Detects a source system failing to authenticate against a remote host with multiple users.

Read More

Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell. Script being executed gets created as a temp file in /tmp folder with a scx* prefix. Then it is invoked from the following directory /etc/opt/microsoft/scx/conf/tmpdir/. The file in that directory has the same prefix scx*. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager. Microsoft Azure, and Microsoft Operations Management Suite.

Read More

Detects a single user failing to authenticate to multiple users using explicit credentials.

Read More

Detects multiple failed logins with multiple valid domain accounts from a single source system using the Kerberos protocol.

Read More

Detects failed logins with multiple valid domain accounts from a single source system using the NTLM protocol.

Read More

Detection of child processes spawned with SYSTEM privileges by parents with non-SYSTEM privileges and Medium integrity level

Read More

Looks for process access activity where PowerShell is accessing any other processes. Inspired by the 2022 Red Canary Threat Detection report.

Read More

Looks for process execution with no command line arguments, which may indicate process injection. Inspired by the 2022 Red Canary Threat Detection report.

Read More