Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy

Read More

Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability

Read More

Detects usage of command line tools such as "kill", "pkill" or "killall" to terminate or signal a running process.

Read More

Detects attempts to disable the Windows Firewall using PowerShell

Read More

Detects when Events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.

Read More

Detects application popup reporting a failure of the Sysmon service

Read More

Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions

Read More

Looks for changes to registry to disable any write-protect property for storage devices. This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.

Read More

Detects the modification of the findings on SecurityHub.

Read More

Detects when a firewall rule is modified or deleted in Google Cloud Platform (GCP).

Read More

Detects changes to the "ExtErrorInformation" key in order to disable ETW logging for rpcrt4.dll

Read More

Detects changes to the "TracingDisabled" key in order to disable ETW logging for services.exe (SCM)

Read More

Potential adversaries stopping ETW providers recording loaded .NET assemblies.

Read More

Detects when the "index" value of a scheduled task is modified from the registry Which effectively hides it from any tooling such as "schtasks /query" (Read the referenced link for more information about the effects of this technique)

Read More

Detect filter driver unloading activity via fltmc.exe

Read More

Detects changes to environment variables related to ETW logging. This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.

Read More

Detects possible Sysmon filter driver unloaded via fltmc.exe

Read More

Detects when the "index" value of a scheduled task is removed or deleted from the registry. Which effectively hides it from any tooling such as "schtasks /query"

Read More

Remove SD (Security Descriptor) value in \Schedule\TaskCache\Tree registry hive to hide schedule task. This technique is used by Tarrask malware

Read More

Detects registry addition for LanmanServer MaxMpxCt. BlackCat does this to increase the number of outstanding requests allowed, such as SMB requests to distribute ransomware through an environment.

Read More

Detects registry value set to change MaxMpxCt settings. BlackCat does this to increase the number of outstanding requests allowed, such as SMB requests to distribute ransomware through an environment.

Read More

Detects powershell scripts attempting to disable MS Defender components using Set-MpPreference as performed by Vice Society ransomware gang. This includes additional techniques to evade existing rules by feeding in a proxy value of $true using a powershell boolean expression like (0 -eq $false).

Read More

Potential adversaries stopping ETW providers recording loaded .NET assemblies.

Read More

Detects registry modifications to change MaxMpxCt settings. BlackCat does this to increase the number of outstanding requests allowed, such as SMB requests to distribute ransomware through an environment.

Read More

Detects use of the reg utility to tamper with MS Defender protections.

Read More

Looks for instances of powershell being used to disable or impair Windows Defender functionality. Inspired by the 2022 Red Canary Threat Detection report.

Read More

Looks for instances of powershell being used to modify or degrade Windows Defender functionality. Inspired by the 2022 Red Canary Threat Detection report.

Read More