EXPLORE DETECTIONS
.RDP File Created By Uncommon Application
Detects creation of a file with an ".rdp" extension by an application that doesn't commonly create such files.
3CX Supply Chain Attack Network Indicators
The following analytic identifies DNS queries to domains associated with the 3CX supply chain attack. It leverages the Network_Resolution datamodel to detect these suspicious domain indicators. This activity is significant because it can indicate a potential compromise stemming from the 3CX supply chain attack, which is known for distributing malicious software through trusted updates. If confirmed malicious, this activity could allow attackers to establish a foothold in the network, exfiltrate sensitive data, or further propagate malware, leading to extensive damage and data breaches.
7-ZIP used by attackers to prepare data for exfiltration
This query was originally published in the threat analytics report, "Exchange Server zero-days exploited in the wild".
7zip CommandLine To SMB Share Path
The following analytic detects the execution of 7z or 7za processes with command lines pointing to SMB network shares. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant as it may indicate an attempt to archive and exfiltrate sensitive files to a network share, a technique observed in CONTI LEAK tools. If confirmed malicious, this behavior could lead to data exfiltration, compromising sensitive information and potentially aiding further attacks.
7Zip Compressing Dump Files
Detects execution of 7z in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.
A Member Was Added to a Security-Enabled Global Group
Detects activity when a member is added to a security-enabled global group
A Member Was Removed From a Security-Enabled Global Group
Detects activity when a member is removed from a security-enabled global group
A New Trust Was Created To A Domain
Addition of domains is seldom and should be verified for legitimacy.
A Rule Has Been Deleted From The Windows Firewall Exception List
Detects when a single rules or all of the rules have been deleted from the Windows Defender Firewall
A scheduled task was created
Indicates the creation of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, move laterally, and/or escalate privileges.
A Security-Enabled Global Group Was Deleted
Detects activity when a security-enabled global group is deleted
AADInternals PowerShell Cmdlets Execution - ProccessCreation
Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.
AADInternals PowerShell Cmdlets Execution - PsScript
Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.
Abnormal Process ID or Lock File Created
Identifies the creation of a Process ID (PID), lock or reboot file created in temporary file storage paradigm (tmpfs) directory /var/run. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files.
Abnormally Large DNS Response
Specially crafted DNS requests can manipulate a known overflow vulnerability in some Windows DNS servers, resulting in Remote Code Execution (RCE) or a Denial of Service (DoS) from crashing the service.
Abusable DLL Potential Sideloading From Suspicious Location
Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations
Abuse of Service Permissions to Hide Services Via Set-Service
Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)
Abuse of Service Permissions to Hide Services Via Set-Service - PS
Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)
Abuse: Cloudflare Workers Hosted EvilTokens Domain Structure
Detects messages containing links to Cloudflare Workers domains that follow naming patterns designed to impersonate legitimate services such as Adobe, DocuSign, OneDrive, SharePoint, and voicemail systems. These domains use suspicious alphanumeric identifiers and may be used to deceive recipients into believing they are accessing trusted services.
Abused Debug Privilege by Arbitrary Parent Processes
Detection of unusual child processes by different system processes
Abusing Print Executable
Attackers can use print.exe for remote file copy
Accepted Default Telnet Port Connection
This rule detects network events that may indicate the use of Telnet traffic. Telnet is commonly used by system administrators to remotely control older or embedded systems using the command line shell. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing the traffic.
Access Control List Modification via setfacl
This rule detects Linux Access Control List (ACL) modification via the setfacl command. Attackers may use the setfacl utility to modify file and directory permissions in order to evade detection and maintain persistence on a compromised system.
Access LSASS Memory for Dump Creation
The following analytic detects attempts to dump the LSASS process memory, a common technique in credential dumping attacks. It leverages Sysmon logs, specifically EventCode 10, to identify suspicious call traces to dbgcore.dll and dbghelp.dll associated with lsass.exe. This activity is significant as it often precedes the theft of sensitive login credentials, posing a high risk of unauthorized access to systems and data. If confirmed malicious, attackers could gain access to critical credentials, enabling further compromise and lateral movement within the network.