Detects DNS queries initiated by "QuickAssist.exe" to Microsoft Quick Assist primary endpoint that is used to establish a session.

Read More

Detects the execution of the commonly used ZeroLogon PoC executable.

Read More

Detects the execution of the commonly used ZeroLogon PoC executable.

Read More

Detects exploitation attempt of CVE-2023-46214, a remote code execution (RCE) in Splunk Enterprise through insecure XML parsing using known public proof of concept code

Read More

Detects potential exploitation of CVE-2023-46214, a remote code execution (RCE) in Splunk Enterprise through insecure XML parsing

Read More

Detect suspicious error on protocol RDP, potential CVE-2019-0708

Read More

Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep

Read More

Detects the execution of SharpWSUS or WSUSpendu, utilities that allow for lateral movement through WSUS. Windows Server Update Services (WSUS) is a critical component of Windows systems and is frequently configured in a way that allows an attacker to circumvent internal networking limitations.

Read More

Detects an issue in apache logs that reports threading related errors

Read More

Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited. MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability. Unfortunately, that is about the only instance of CVEs being written to this log.

Read More

Detects the exploitation of OMIGOD (CVE-2021-38647) which allows remote execute (RCE) commands as root with just a single unauthenticated HTTP request. Verify, successful, exploitation by viewing the HTTP client (request) body to see what was passed to the server (using PCAP). Within the client body is where the code execution would occur. Additionally, check the endpoint logs to see if suspicious commands or activity occurred within the timeframe of this HTTP request.

Read More

Detects log entries that appear in exploitation attempts against MS Exchange RCE CVE-2021-42321

Read More

Detects suspicious child processes of SysAidServer (as seen in MERCURY threat actor intrusions)

Read More

Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)

Read More

Detects WannaCry ransomware activity

Read More

This rule is designed to detect attempts to exploit Zerologon (CVE-2020-1472) vulnerability using mimikatz zerologon module or other exploits from machine with "kali" hostname.

Read More

Windows Server Update Services (WSUS) is a critical component of Windows systems and is frequently configured in a way that allows an attacker to circumvent internal networking limitations. Some tools, such as SharpWSUS and WSUSpendu, support lateral movement through WSUS.This rule covers those two main tools used for that purpose.

Read More

Detects the execution of the commonly used ZeroLogon PoC executable.

Read More