Detects suspicious child processes spawned by the CrushFTP service that may indicate exploitation of remote code execution vulnerabilities such as CVE-2025-31161, where attackers can achieve RCE through crafted HTTP requests. The detection focuses on commonly abused Windows executables (like powershell.exe, cmd.exe etc.) that attackers typically use post-exploitation to execute malicious commands.

Read More

These commands were used to create a WebShell by exploiting ProxyShell vulnerabilities

Read More

Detects instances where an FTP service on an OpenCanary node has had a login attempt.

Read More

Detects instances where an HTTP service on an OpenCanary node has received a GET request.

Read More

Detects instances where an HTTP service on an OpenCanary node has had login attempt via Form POST.

Read More

Detects potential exploitation attempt of CVE-2023-1389 an Unauthenticated Command Injection in TP-Link Archer AX21.

Read More

Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.

Read More

Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.

Read More

Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.

Read More

Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.

Read More

Detects exploitation activity of CVE-2023-46747 an unauthenticated remote code execution vulnerability in F5 BIG-IP.

Read More

Detects exploitation activity of CVE-2023-46747 an unauthenticated remote code execution vulnerability in F5 BIG-IP.

Read More

Detects exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via proxy logs by looking for a very long host header string.

Read More

Detects exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via webserver logs by looking for a very long host header string.

Read More

Detects potential exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via proxy logs.

Read More

Detects potential exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via webserver logs.

Read More

Detects exploitation attempt of Cleo's CVE-2024-50623 by looking for a "cmd.exe" process spawning from the Celo software suite with suspicious Powershell commandline.

Read More

Detects exploitation attempt of the OWASSRF variant targeting exchange servers using publicly available POC. It uses the OWA endpoint to access the powershell backend endpoint

Read More

Detects indicators of potential exploitation of CVE-2023-27997 in Frotigate weblogs. To avoid false positives it is best to look for successive requests to the endpoints mentioned as well as weird values of the "enc" parameter

Read More

Detects potential exploitation attempt of undocumented Windows Server Pre Auth Remote Code Execution (RCE)

Read More

Detects exploitation attempt of the OWASSRF variant targeting exchange servers It uses the OWA endpoint to access the powershell backend endpoint

Read More

Detects potential web shell execution from the ScreenConnect server process.

Read More

Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation

Read More

Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP

Read More

Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP

Read More

Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379

Read More

Detects potential initial exploitation attempts against VMware Horizon deployments running a vulnerable versions of Log4j.

Read More

Detects potential exploitation attempt of CVE-2022-22954, a remote code execution vulnerability in VMware Workspace ONE Access and Identity Manager. As reported by Morphisec, part of the attack chain, threat actors used PowerShell commands that executed as a child processes of the legitimate Tomcat "prunsrv.exe" process application.

Read More

Detects exploitation attempts of CVE-2023-43261 and information disclosure in Milesight UR5X, UR32L, UR32, UR35, UR41 before v35.3.0.7 that allows attackers to access sensitive router components in proxy logs.

Read More

Detects exploitation attempts of CVE-2023-43261 and information disclosure in Milesight UR5X, UR32L, UR32, UR35, UR41 before v35.3.0.7 that allows attackers to access sensitive router components in access logs.

Read More

Detects file indicators of potential exploitation of MOVEit CVE-2023-34362.

Read More

Detects suspicious access to URLs that was noticed in cases in which attackers exploitated the ADSelfService vulnerability CVE-2021-40539

Read More

Detects attempts to exploit an apache spark server via CVE-2014-6287 from a commandline perspective

Read More

Detects attempts to exploit an apache spark server via CVE-2014-6287 from a weblogs perspective

Read More

Detects an issue in apache logs that reports threading related errors

Read More

Detects exploitation of vulnerabilities in Arcadyan routers as reported in CVE-2021-20090 and CVE-2021-20091.

Read More

Detects attempts to exploit the Atlassian Bitbucket Command Injection CVE-2022-36804

Read More

Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134

Read More

Detects exploitation attempts on Cisco ASA FTD systems exploiting CVE-2020-3452 with a status code of 200 (sccessful exploitation)

Read More

Detects exploitation attempt against Citrix Netscaler, Application Delivery Controller (ADS) and Citrix Gateway exploiting vulnerabilities reported as CVE-2020-8193 and CVE-2020-8195

Read More

Detects CVE-2019-19781 exploitation attempt against Citrix Netscaler, Application Delivery Controller and Citrix Gateway Attack

Read More

Detects the exploitation of the Confluence vulnerability described in CVE-2019-3398

Read More

MODx manager - Local File Inclusion:Directory traversal vulnerability in manager/controllers/default/resource/tvs.php in MODx Revolution 2.0.2-pl, and possibly earlier, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the class_key parameter.

Read More

Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688

Read More

Detects CVE-2020-0688 Exploitation attempts

Read More

Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688

Read More

Detects CVE-2020-10148 SolarWinds Orion API authentication bypass attempts

Read More

Detects the exploitation attempt of the vulnerability found in F5 BIG-IP and described in CVE-2020-5902

Read More

Detects the exploitation of VSphere Remote Code Execution vulnerability as described in CVE-2021-21972

Read More

Detects the exploitation of the VMware View Planner vulnerability described in CVE-2021-21978

Read More

Detects the exploitation of Microsoft Exchange ProxyToken vulnerability as described in CVE-2021-33766

Read More

Detects an authentication bypass vulnerability affecting the REST API URLs in ADSelfService Plus (CVE-2021-40539).

Read More

Detects exploitation of flaw in path normalization in Apache HTTP server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.

Read More

Detects the exploitation of VMware Workspace ONE Access Authentication Bypass vulnerability as described in CVE-2022-31656 VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.

Read More

Detects possible exploitation of VMware Workspace ONE Access Admin Remote Code Execution vulnerability as described in CVE-2022-31659

Read More

Detects suspicious Django web application framework exceptions that could indicate exploitation attempts

Read More

Detects suspicious DNS queries to external service interaction domains often used for out-of-band interactions after successful RCE

Read More

Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process

Read More

Detects successful exploitation of Exchange vulnerability as reported in CVE-2021-28480

Read More

Detects exploitation attempts in Exchange server logs as described in blog posts reporting on HAFNIUM group activity

Read More

Detects the exploitation of the Wazuh RCE vulnerability described in CVE-2021-26814

Read More

Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189

Read More

Detects a failed logon attempt from a public IP. A login from a public IP can indicate a misconfigured firewall or network boundary.

Read More

Detects CVE-2018-13379 exploitation attempt against Fortinet SSL VPNs

Read More

Detects CVE-2021-22123 exploitation attempt against Fortinet WAFs

Read More

Detects a successful Grafana path traversal exploitation

Read More

Detects suspicious user agent strings user by hack tools in proxy logs

Read More

Detects when an account makes changes to the ingress or egress rules of a security group. This can indicate that an attacker is attempting to open up new attack vectors in the account, that they are trying to exfiltrate data over the network, or that they are trying to allow machines in that VPC/Subnet to contact a C&C server.

Read More

Detects possible Java payloads in web access logs

Read More

Detects exploitation attempt using the JNDI-Exploit-Kit

Read More

Detects changes to the security groups associated with an Elastic Load Balancer (ELB) or Application Load Balancer (ALB). This can indicate that a misconfiguration allowing more traffic into the system than required, or could indicate that an attacker is attempting to enable new connections into a VPC or subnet controlled by the account.

Read More

Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 (Log4Shell)

Read More

Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 in different header fields found in web server logs (Log4Shell)

Read More

Detects that network ACL entries have been added to a route table which could indicate that new attack vectors have been opened up in the AWS account.

Read More

Detects the addition of a new network route to a route table in AWS.

Read More

Detects the exploitation of OMIGOD (CVE-2021-38647) which allows remote execute (RCE) commands as root with just a single unauthenticated HTTP request. Verify, successful, exploitation by viewing the HTTP client (request) body to see what was passed to the server (using PCAP). Within the client body is where the code execution would occur. Additionally, check the endpoint logs to see if suspicious commands or activity occurred within the timeframe of this HTTP request.

Read More

Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell. Script being executed gets created as a temp file in /tmp folder with a scx* prefix. Then it is invoked from the following directory /etc/opt/microsoft/scx/conf/tmpdir/. The file in that directory has the same prefix scx*. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.

Read More

Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.

Read More

Detects access to a webshell dropped into a keystore folder on the WebLogic server

Read More

Detects exploitation attempts on WebLogic servers

Read More

Detects the exploitation of the WebLogic server vulnerability described in CVE-2021-2109

Read More

Detects exploitation attempt of the OWASSRF variant targeting exchange servers using publicly available POC. It uses the OWA endpoint to access the powershell backend endpoint

Read More

Detects path traversal exploitation attempts

Read More

Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084

Read More

Detects potential exploitation attempts that target the Centos Web Panel 7 Unauthenticated Remote Code Execution CVE-2022-44877

Read More

Detects exploitation attempt of the CVE-2021-27905 which affects all Apache Solr versions prior to and including 8.8.1.

Read More

Detects potential exploitation attempts of CVE-2022-21587 an arbitrary file upload vulnerability impacting Oracle E-Business Suite (EBS). CVE-2022-21587 can lead to unauthenticated remote code execution.

Read More

Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)

Read More

Detects potential exploitation attempts that target the Cacti Command Injection CVE-2022-46169

Read More

Detects potential exploitation attempt of CVE-2023-2283 an authentication bypass in libSSH. The exploitation method causes an error message stating that keys for curve25519 could not be generated. It is an error message that is a sign of an exploitation attempt. It is not a sign of a successful exploitation.

Read More

Detects the potential exploitation attempt of CVE-2023-23752 an Improper access check, in web service endpoints in Joomla

Read More

Detects a potential exploitation attempt of CVE-2023-25717 a Remote Code Execution via an unauthenticated HTTP GET Request, in Ruckus Wireless Admin

Read More

Detects potential JNDI Injection exploitation. Often coupled with Log4Shell exploitation.

Read More

Detects potential local file read vulnerability in JVM based apps. If the exceptions are caused due to user input and contain path traversal payloads then it's a red flag.

Read More

Detects potential OGNL Injection exploitation, which may lead to RCE. OGNL is an expression language that is supported in many JVM based systems. OGNL Injection is the reason for some high profile RCE's such as Apache Struts (CVE-2017-5638) and Confluence (CVE-2022-26134)

Read More

Detects exploitation attempt of the OWASSRF variant targeting exchange servers It uses the OWA endpoint to access the powershell backend endpoint

Read More

Detects process execution related errors in NodeJS. If the exceptions are caused due to user input then they may suggest an RCE vulnerability.

Read More

Detects exceptions in velocity template renderer, this most likely happens due to dynamic rendering of user input and may lead to RCE.

Read More

Detects potential SpEL Injection exploitation, which may lead to RCE.

Read More

Detects XML parsing issues, if the application expects to work with XML make sure that the parser is initialized safely.

Read More

Detects process execution related exceptions in JVM based apps, often relates to RCE

Read More

When exploiting this vulnerability with CVE-2021-26858, an SSRF attack is used to manipulate virtual directories

Read More

This rule detects exploitation attempts using Pulse Connect Secure(PCS) vulnerability (CVE-2021-22893)

Read More

Detects CVE-2019-11510 exploitation attempt - URI contains Guacamole

Read More

Generic rule for SQL exceptions in Python according to PEP 249

Read More

Detects changes to the security group entries for RDS databases. This can indicate that a misconfiguration has occurred which potentially exposes the database to the public internet, a wider audience within the VPC or that removal of valid rules has occurred which could impact the availability of the database to legitimate services and users.

Read More

Detects attempts to exploit a Rejetto HTTP File Server (HFS) via CVE-2014-6287

Read More

Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts

Read More

Detects exploitation attempts of Sitecore Experience Platform Pre-Auth RCE CVE-2021-42237 found in Report.ashx

Read More

Detects exploitation attempts of the SonicWall Jarrewrite Exploit

Read More

Detects suspicious Spring framework exceptions that could indicate exploitation attempts

Read More

Detects potential SQL injection attempts via GET requests in access logs.

Read More

When IIS uses an old .Net Framework it's possible to enumerate folders with the symbol "~"

Read More

Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.

Read More

Detects suspicious file type dropped by an Exchange component in IIS

Read More

Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation

Read More

Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts

Read More

Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts

Read More

Detects suspicious processes including shells spawnd from WinRM host process

Read More

Detects SQL error messages that indicate probing for an injection attack

Read More

Detects suspicious SQL query keywrods that are often used during recon, exfiltration or destructive activities. Such as dropping tables and selecting wildcard fields

Read More

Detects known suspicious (default) user-agents related to scanning/recon tools

Read More

Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts

Read More

Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)

Read More

Detects the exploitation of the TerraMaster TOS vulnerability described in CVE-2020-28188

Read More

Detects exploitation attempts using file upload vulnerability CVE-2021-22005 in the VMWare vCenter Server.

Read More

Detects an attempt to leverage the vulnerable servlet "mboximport" for an unauthenticated remote command injection

Read More

Detecting initial exploitation attempt against VMware Horizon deployments running vulnerable versions of Log4j.

Read More

Detects possible exploitation activity or bugs in a web application

Read More

Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell. Script being executed gets created as a temp file in /tmp folder with a scx* prefix. Then it is invoked from the following directory /etc/opt/microsoft/scx/conf/tmpdir/. The file in that directory has the same prefix scx*. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager. Microsoft Azure, and Microsoft Operations Management Suite.

Read More

Detection for Confluence server activity found on webserver logs

Read More