Detects when a DNS zone transfer failed.
Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dll" DLL, which is often used by attackers to perform AD enumeration.
Detects DNS queries for IP lookup services such as "api.ipify.org" originating from a non-browser process.
Detects AADInternals cmdlet execution. AADInternals is a tool for administering Azure AD and Office 365 that can be abused by threat actors to attack Azure AD or Office 365.
Detects execution of "git" to clone a remote repository whose URL contains suspicious keywords.
Detects the execution of "cat /etc/sudoers" to list all users that have sudo rights.
Detects suspicious DNS queries to external service interaction domains, often used for out-of-band interactions after a successful RCE.
Detects events with patterns found in commands used for reconnaissance on Linux systems.
Detects events in which someone prints the contents of history files to the command line or redirects them to a file for reconnaissance.
Detects exploitation attempts using public exploit code for CVE-2018-15473.
Detects suspicious commands that use /dev/tcp.