Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120)

Read More

Detects the creation of a file with a double extension and a space by WinRAR. This could be a sign of exploitation of CVE-2023-38331

Read More

Detects exploitation attempt of CVE-2023-38331 (WinRAR before v6.23), where an attacker can leverage WinRAR to execute arbitrary commands and binaries.

Read More

Detects the creation of ".rev" files by WinRAR. Could be indicative of potential exploitation of CVE-2023-40477. Look for a suspicious execution shortly after creation or a WinRAR application crash.

Read More

Detects a crash of "WinRAR.exe" where the version is lower than 6.23. This could indicate potential exploitation of CVE-2023-40477

Read More

Detects DLL hijacking technique used by NOBELIUM in their FoggyWeb backdoor. Which loads a malicious version of the expected "version.dll" dll

Read More

Detects RunDLL32.exe executing a single digit DLL named "1.dll" with the export function "DllRegisterServer". This behaviour was often seen used by malware and especially IcedID

Read More

Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report

Read More

Detects the execution of a renamed "cmd", "powershell" or "powershell_ise" binary. Attackers were seen using these binaries in a renamed form as "wermgr.exe" in exploitation of CVE-2023-36874

Read More

Detects the creation of a file named "wermgr.exe" being created in an uncommon directory. This could be a sign of potential exploitation of CVE-2023-36874.

Read More

Detects the creation of a "Report.wer" file in an uncommon folder structure. This could be a sign of potential exploitation of CVE-2023-36874.

Read More

Detects the execution of the Qakbot uninstaller file mentioned in the USAO-CDCA document on the disruption of the Qakbot malware and botnet

Read More

Detects suspicious access to URLs that was noticed in cases in which attackers exploitated the ADSelfService vulnerability CVE-2021-40539

Read More

Detects get requests to specific files used during the exploitation of MOVEit CVE-2023-34362

Read More

Detects command line patterns used by BlackByte ransomware in different operations

Read More

Detects potential exploitation attempt of undocumented Windows Server Pre Auth Remote Code Execution (RCE)

Read More

When exploiting this vulnerability with CVE-2021-26858, an SSRF attack is used to manipulate virtual directories

Read More

Detects the renaming of an existing computer account to a account name that doesn't contain a $ symbol as seen in attacks against CVE-2021-42287

Read More

Detects potential C2 communication related to Devil Bait malware

Read More

Detects potential exploitation of CVE-2023-21554 (dubbed QueueJumper)

Read More

Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum

Read More

Detects changes to the registry values related to outlook that indicates that a reminder was triggered for a Note or Task item. This could be a sign of exploitation of CVE-2023-23397. Further investigation is required to determine the success of an exploitation.

Read More

Detects creation of a new user profile with a specific username, seen being used by some variants of the COLDSTEEL RAT.

Read More

Detects the creation of a registry value in the ".wav\OpenWithProgIds" key with an uncommon name. This could be related to SNAKE Malware as reported by CISA

Read More

Detects registry value with specific intentional typo and strings seen used by the Small Sieve malware

Read More

Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report

Read More

Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and Windows eventlogs are cleared using wevtutil

Read More

Detects javaw.exe in AppData folder as used by Adwind / JRAT

Read More

Detects attempts to exploit an apache spark server via CVE-2014-6287 from a weblogs perspective

Read More

Detects an image load pattern as seen when a tool named PRIVATELOG is used and rarely observed under legitimate circumstances

Read More

Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27

Read More

Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant

Read More

Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant

Read More

Detects APT31 Judgement Panda activity as described in the Crowdstrike 2019 Global Threat Report

Read More

Detects exploitation of vulnerabilities in Arcadyan routers as reported in CVE-2021-20090 and CVE-2021-20091.

Read More

Detects attempts to exploit the Atlassian Bitbucket Command Injection CVE-2022-36804

Read More

Attempts to detect system changes made by Blue Mockingbird

Read More

Detects exploitation attempts on Cisco ASA FTD systems exploiting CVE-2020-3452 with a status code of 200 (sccessful exploitation)

Read More

Detects exploitation attempt against Citrix Netscaler, Application Delivery Controller (ADS) and Citrix Gateway exploiting vulnerabilities reported as CVE-2020-8193 and CVE-2020-8195

Read More

Detects CVE-2019-19781 exploitation attempt against Citrix Netscaler, Application Delivery Controller and Citrix Gateway Attack

Read More

Detects the creation of new services potentially related to COLDSTEEL RAT

Read More

Detects the creation of a process executing as user called "ANONYMOUS" seen used by the "MileStone2016" variant of COLDSTEEL

Read More

Detects the creation of a "rundll32" process from the ColdSteel persistence service to initiate the cleanup command by calling one of its own exports. This functionality is not present in "MileStone2017" and some "MileStone2016" samples

Read More

Detects the creation of an "svchost" process with specific command line flags, that were seen present and used by ColdSteel RAT

Read More

Detects the exploitation of the Confluence vulnerability described in CVE-2019-3398

Read More

Detects a command used by conti to exfiltrate NTDS

Read More

Detects a command used by conti to find volume shadow backups

Read More

MODx manager - Local File Inclusion:Directory traversal vulnerability in manager/controllers/default/resource/tvs.php in MODx Revolution 2.0.2-pl, and possibly earlier, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the class_key parameter.

Read More

Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688

Read More

Detects CVE-2020-0688 Exploitation attempts

Read More

Detects CVE-2020-10148 SolarWinds Orion API authentication bypass attempts

Read More

Detects the exploitation attempt of the vulnerability found in F5 BIG-IP and described in CVE-2020-5902

Read More

Detects driver load events print service operational log that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675

Read More

Detects remote printer driver load from Detailed File Share in Security logs that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527

Read More

Detects the exploitation of VSphere Remote Code Execution vulnerability as described in CVE-2021-21972

Read More

Detects the exploitation of the VMware View Planner vulnerability described in CVE-2021-21978

Read More

Detects the exploitation of Microsoft Exchange ProxyToken vulnerability as described in CVE-2021-33766

Read More

Detects an authentication bypass vulnerability affecting the REST API URLs in ADSelfService Plus (CVE-2021-40539).

Read More

Detects exploitation of flaw in path normalization in Apache HTTP server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.

Read More

Detects the exploitation of VMware Workspace ONE Access Authentication Bypass vulnerability as described in CVE-2022-31656 VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.

Read More

Detects possible exploitation of VMware Workspace ONE Access Admin Remote Code Execution vulnerability as described in CVE-2022-31659

Read More

Detects outlook initiating connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation.

Read More

Detects DarkSide Ransomware and helpers

Read More

Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group

Read More

Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group

Read More

Detects access to DEWMODE webshell as described in FIREEYE report

Read More

Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process

Read More

Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe

Read More

Detects Elise backdoor activity used by APT32

Read More

Detects a specific export function name used by one of EquationGroup tools

Read More

Detects Golden Chickens deployment method as used by Evilnum and described in ESET July 2020 report

Read More

Detects successful exploitation of Exchange vulnerability as reported in CVE-2021-28480

Read More

Detects exploitation attempts in Exchange server logs as described in blog posts reporting on HAFNIUM group activity

Read More

Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641

Read More

Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262

Read More

Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759

Read More

Detects the exploitation of the Wazuh RCE vulnerability described in CVE-2021-26814

Read More

Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189

Read More

Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM

Read More

Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378

Read More

Detects Archer malware invocation via rundll32

Read More

Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.

Read More

Detects CVE-2018-13379 exploitation attempt against Fortinet SSL VPNs

Read More

Detects CVE-2021-22123 exploitation attempt against Fortinet WAFs

Read More

Detects artifacts associated with GALLIUM cyber espionage group as reported by Microsoft Threat Intelligence Center in the December 2019 report.

Read More

Detects malicious indicators seen used by the Goofy Guineapig malware

Read More

Detects potential C2 communication related to Goofy Guineapig backdoor

Read More

Detects service creation persistence used by the Goofy Guineapig backdoor

Read More

Detects a successful Grafana path traversal exploitation

Read More

Detects tools and process executions used by Greenbug in their May 2020 campaign as reported by Symantec

Read More

Detects process execution patterns related to Griffon malware as reported by Kaspersky

Read More

Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers

Read More

Detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022

Read More

Detects different process execution behaviors as described in various threat reports on Lazarus group activity

Read More

Detects binaries used by the Lazarus group which use system names but are executed and launched from non-default location

Read More

Detects LockerGoga ransomware activity via specific command line.

Read More

Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 (Log4Shell)

Read More

Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 in different header fields found in web server logs (Log4Shell)

Read More

Detects DLL load activity of known compromised DLLs used in by the compromised 3CXDesktopApp

Read More

Detects suspicious command line patterns seen being used by MERCURY APT

Read More

Detects suspicious execution from AsperaFaspex as seen used by Mint Sandstorm

Read More

Detects Log4J Wstomcat process execution as seen in Mint Sandstorm activity

Read More

Detects suspicious execution from ManageEngine as seen used by Mint Sandstorm

Read More

Detects the creation of a file named "MoriyaStreamWatchmen.sys" in a specific location. This filename was reported to be related to the Moriya rootkit as described in the securelist's Operation TunnelSnake report.

Read More

Detects specific process parameters as used by Mustang Panda droppers

Read More

Detects OilRig activity as reported by Nyotron in their March 2018 report

Read More

Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report

Read More

Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report

Read More

Detects activity mentioned in Operation Wocao report

Read More

Detects activity mentioned in Operation Wocao report

Read More

Detects access to a webshell dropped into a keystore folder on the WebLogic server

Read More

Detects exploitation attempts on WebLogic servers

Read More

Detects the exploitation of the WebLogic server vulnerability described in CVE-2021-2109

Read More

Detects exploitation attempt of the OWASSRF variant targeting exchange servers using publicly available POC. It uses the OWA endpoint to access the powershell backend endpoint

Read More

Detects exploitation indicators related to PaperCut MF/NG Exploitation

Read More

Detects suspicious child processes of "pc-app.exe". Which could indicate potential exploitation of PaperCut

Read More

Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report

Read More

Detects events of driver load errors in print service logs that could be a sign of successful exploitation attempts of print spooler vulnerability CVE-2021-1675

Read More

Detects specific process parameters as used by ACTINIUM scheduled task persistence creation.

Read More

Detects execution of the POWERHOLD script seen used by FIN7 as reported by WithSecureLabs

Read More

Detects specific command line execution used by FIN7 as reported by WithSecureLabs for reconnaissance and POWERTRASH execution

Read More

Detects PowerShell script file creation with specific name or suffix which was seen being used often by FIN7 PowerShell scripts

Read More

Detects specific command line execution used by Mustang Panda in a targeted attack against the Australian government as reported by Lab52

Read More

Detects potential BlueMushroom DLL loading activity via regsvr32 from AppData Local

Read More

Detects potential process and execution activity related to APT10 Cloud Hopper operation

Read More

Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084

Read More

Detects activity that could be related to Baby Shark malware

Read More

Detects potential exploitation of the BearLPE exploit using Task Scheduler ".job" import arbitrary DACL write\par

Read More

Detects remote thread injection events based on action seen used by bumblebee

Read More

Detects potential exploitation attempts that target the Centos Web Panel 7 Unauthenticated Remote Code Execution CVE-2022-44877

Read More

Detects the creation of a file in a specific location and with a specific name related to COLDSTEEL RAT

Read More

Detects a suspicious DLL load by an "svchost" process based on location and name that might be related to ColdSteel RAT. This DLL location and name has been seen used by ColdSteel as the service DLL for its persistence mechanism

Read More

Detects the creation of a file named "dllhost.exe" in the "C:\users\public\Documents" directory. Seen being used by the COLDSTEEL RAT in some of its variants.

Read More

Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise

Read More

Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise

Read More

Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise

Read More

Detects execution of known compromised version of 3CXDesktopApp

Read More

Detects potential malicious .ICO files download from a compromised 3CXDesktopApp via web requests to the the malicious Github repository

Read More

Detects the 3CXDesktopApp updater downloading a known compromised version of the 3CXDesktopApp software

Read More

Detects a specific command used by the Conti ransomware group

Read More

Detects a command used by conti to dump database

Read More

Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for | abnormal subprocesses spawning by Exchange Server's Unified Messaging service

Read More

Detects exploitation attempt of the CVE-2021-27905 which affects all Apache Solr versions prior to and including 8.8.1.

Read More

Detects potential exploitation of CVE-2021-40444 via suspicious process patterns seen in in-the-wild exploitations

Read More

Detects potential exploitation attempts of CVE-2021-41379 (InstallerFileTakeOver), a local privilege escalation (LPE) vulnerability where the attacker spawns a "cmd.exe" process as a child of Microsoft Edge elevation service "elevation_service" with "LOCAL_SYSTEM" rights

Read More

The attacker creates a computer object using those permissions with a password known to her. After that she clears the attribute ServicePrincipalName on the computer object. Because she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.

Read More

Detects potential exploitation attempts of CVE-2022-21587 an arbitrary file upload vulnerability impacting Oracle E-Business Suite (EBS). CVE-2022-21587 can lead to unauthenticated remote code execution.

Read More

Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)

Read More

Detects potential exploitation attempts of CVE-2022-29072, a 7-Zip privilege escalation and command execution vulnerability. 7-Zip version 21.07 and earlier on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow. The command runs in a child process under the 7zFM.exe process.

Read More

Detects potential exploitation attempts that target the Cacti Command Injection CVE-2022-46169

Read More

Detects potential exploitation attempt of CVE-2023-2283 an authentication bypass in libSSH. The exploitation method causes an error message stating that keys for curve25519 could not be generated. It is an error message that is a sign of an exploitation attempt. It is not a sign of a successful exploitation.

Read More

Detects (failed) outbound connection attempts to internet facing SMB servers. This could be a sign of potential exploitation attempts of CVE-2023-23397.

Read More

Detects the potential exploitation attempt of CVE-2023-23752 an Improper access check, in web service endpoints in Joomla

Read More

Detects a potential exploitation attempt of CVE-2023-25157 a SQL injection in GeoServer

Read More

Detects a potential exploitation attempt of CVE-2023-25717 a Remote Code Execution via an unauthenticated HTTP GET Request, in Ruckus Wireless Admin

Read More

Detects specific process behavior observed with Devil Bait samples

Read More

Detects the creation of ".xml" and ".txt" files in folders of the "\AppData\Roaming\Microsoft" directory by uncommon processes. This behavior was seen common across different Devil Bait samples and stages as described by the NCSC

Read More

Detects potential Dridex acitvity via specific process patterns

Read More

Detects potential Dtrack RAT activity via specific process patterns

Read More

Detects all Emotet like process executions that are not covered by the more generic rules

Read More

Detecting Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL

Read More

Detects potential EmpireMonkey APT activity

Read More

Detects Office applications executing a child process that includes directory traversal patterns. This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE)

Read More

Detects a specific broken command that was used by Goofy-Guineapig as described by the NCSC report.

Read More

Detects "GoogleUpdate.exe" spawning a new instance of itself in an uncommon location as seen used by the Goofy Guineapig backdoor

Read More

Detects registry modifications potentially related to the Ke3chang/TidePool malware as seen in campaigns running in 2019 and 2020

Read More

Detects specific process characteristics of Maze ransomware word document droppers

Read More

Detects file indicators of potential exploitation of MOVEit CVE-2023-34362.

Read More

Detects potential Muddywater APT activity

Read More

Detects potential beaconing activity to domains used in 0day attacks on iOS devices and revealed by Kaspersky and the FSB

Read More

Detects potential beaconing activity to domains used in 0day attacks on iOS devices and revealed by Kaspersky and the FSB

Read More

Detects exploitation attempt of the OWASSRF variant targeting exchange servers It uses the OWA endpoint to access the powershell backend endpoint

Read More

Detects the execution of an executable that is typically used by PlugX for DLL side loading starting from an uncommon location

Read More

Detects potential execution of the PowerShell script POWERTRASH

Read More

Detects specific process tree behavior of a "rundll32" execution often linked with potential Qakbot activity.

Read More

Detects potential QBot activity by looking for process executions used previously by QBot

Read More

Detects commandline containing reference to files ending with a "." This scheme has been seen used by raspberry-robin

Read More

Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike

Read More

Detects Ryuk ransomware activity

Read More

Detects a specific binary name seen used by SNAKE malware during its installation as described by CISA in their report

Read More

Detects a specific command line arguments sequence seen used by SNAKE malware during its installation as described by CISA in their report

Read More

Detects a specific child/parent process relationship indicative of a "WerFault" process running from the "WinSxS" as a service. This could be indicative of potential SNAKE malware activity as reported by CISA.

Read More

Detects specific process characteristics of Snatch ransomware word document droppers

Read More

Detects potential suspicious child processes of "3CXDesktopApp.exe". Which could be related to the 3CXDesktopApp supply chain compromise

Read More

Detects an exploitation attempt of SystemNightmare in order to obtain a shell as LOCAL_SYSTEM

Read More

Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report

Read More

This rule detects exploitation attempts using Pulse Connect Secure(PCS) vulnerability (CVE-2021-22893)

Read More

Detects CVE-2019-11510 exploitation attempt - URI contains Guacamole

Read More

Detects a specific command line of "regsvr32" where the "calc" keyword is used in conjunction with the "/s" flag. This behavior is often seen used by Qakbot

Read More

Detects specific process tree behavior of a "rundll32" execution with exports linked with Qakbot activity.

Read More

Detects specific process tree behavior of a "rundll32" execution where the DLL doesn't have the ".dll" extension. This is often linked with potential Qakbot activity.

Read More

Detects attempts to exploit a Rejetto HTTP File Server (HFS) via CVE-2014-6287

Read More

Detects process command line patterns and locations used by REvil group in Kaseya incident (can also match on other malware)

Read More

Detects the use of Rundll32 to launch an NSIS module that serves as the main stealer capability of Rhadamanthys infostealer, as observed in reports and samples in early 2023

Read More

Detects Rorschach ransomware execution activity

Read More

Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322

Read More

Detects exploitation attempts of Sitecore Experience Platform Pre-Auth RCE CVE-2021-42237 found in Report.ashx

Read More

Detects specific command line argument being passed to a binary as seen being used by the malware Small Sieve.

Read More

Detects filename indicators that contain a specific typo seen used by the Small Sieve malware.

Read More

Detects potential C2 communication related to Small Sieve malware

Read More

Detects any registry event that targets the key 'SECURITY\Policy\Secrets\n' which is a key related to SNAKE malware as described by CISA

Read More

Detects filename indicators associated with the SNAKE malware as reported by CISA in their report

Read More

Detects SNAKE malware kernel driver file indicator

Read More

Detects the creation of a service named "WerFaultSvc" which seems to be used by the SNAKE malware as a persistence mechanism as described by CISA in their report

Read More

Detects the creation of a file named "WerFault.exe" in the WinSxS directory by a non-system process, which can be indicative of potential SNAKE malware activity

Read More