EXPLORE DETECTIONS
ASL AWS Network Access Control List Created with All Open Ports
The following analytic detects the creation of AWS Network Access Control Lists (ACLs) with all ports open to a specified CIDR. It leverages AWS CloudTrail events, specifically monitoring for `CreateNetworkAclEntry` or `ReplaceNetworkAclEntry` actions with rules allowing all traffic. This activity is significant because it can expose the network to unauthorized access, increasing the risk of data breaches and other malicious activities. If confirmed malicious, an attacker could exploit this misconfiguration to gain unrestricted access to the network, potentially leading to data exfiltration, service disruption, or further compromise of the AWS environment.
ASL AWS Network Access Control List Deleted
The following analytic detects the deletion of AWS Network Access Control Lists (ACLs). It leverages AWS CloudTrail logs to identify events where a user deletes a network ACL entry. This activity is significant because deleting a network ACL can remove critical access restrictions, potentially allowing unauthorized access to cloud instances. If confirmed malicious, this action could enable attackers to bypass network security controls, leading to unauthorized access, data exfiltration, or further compromise of the cloud environment.
ASL AWS New MFA Method Registered For User
The following analytic identifies the registration of a new Multi-Factor Authentication (MFA) method for an AWS account, as logged through Amazon Security Lake (ASL). It detects this activity by monitoring the `CreateVirtualMFADevice` API operation within ASL logs. This behavior is significant because adversaries who gain unauthorized access to an AWS account may register a new MFA method to maintain persistence. If confirmed malicious, this activity could allow attackers to secure their access, making it harder to detect and remove their presence from the compromised environment.
ASL AWS SAML Update identity provider
The following analytic detects updates to the SAML provider in AWS. It leverages AWS CloudTrail logs to identify the `UpdateSAMLProvider` event, analyzing fields such as `sAMLProviderArn`, `sourceIPAddress`, and `userIdentity` details. Monitoring updates to the SAML provider is crucial as it may indicate a perimeter compromise of federated credentials or unauthorized backdoor access set by an attacker. If confirmed malicious, this activity could allow attackers to manipulate identity federation, potentially leading to unauthorized access to cloud resources and sensitive data.
ASL AWS UpdateLoginProfile
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
ASLR Disabled Via Sysctl or Direct Syscall - Linux
Detects actions that disable Address Space Layout Randomization (ASLR) in Linux, including:
- Use of the `personality` syscall with the ADDR_NO_RANDOMIZE flag (0x0040000)
- Modification of the /proc/sys/kernel/randomize_va_space file
- Execution of the `sysctl` command to set `kernel.randomize_va_space=0`
Disabling ASLR is often used by attackers during exploit development or to bypass memory protection mechanisms. A successful use of these methods can reduce the effectiveness of ASLR and make memory corruption attacks more reliable.
AspNetCompiler Execution
Detects execution of "aspnet_compiler.exe", which can be abused to compile and execute C# code.
Assembly DLL Creation Via AspNetCompiler
Detects the creation of new DLL assembly files by "aspnet_compiler.exe", which could be a sign of "aspnet_compiler" abuse to proxy execution through a build provider.
Assembly Loading Via CL_LoadAssembly.ps1
Detects calls to "LoadAssemblyFromPath" or "LoadAssemblyFromNS" that are part of the "CL_LoadAssembly.ps1" script. This can be abused to load different assemblies and bypass AppLocker controls.
Assigned Sensor Update Policy
This query will output a table with all hosts and their sensor update logic / assigned sensor update policy.
At Job Created or Modified
This rule monitors for at jobs being created or renamed. Linux at jobs are scheduled tasks that system administrators use to run commands at a set time, but they may be abused by malicious actors for persistence, privilege escalation and command execution. By creating or modifying at job configurations, attackers can execute malicious commands or scripts at predefined times, ensuring their continued presence and enabling unauthorized activities.
Atbroker Registry Change
Detects creation/modification of Assistive Technology applications and persistence through the usage of 'at'.
Atera Agent Installation
Detects successful installation of the Atera Remote Monitoring & Management (RMM) agent, as recently found to be used by Conti operators.
Attachment soliciting user to enable macros
Recursively scans files and archives to detect documents that ask the user to enable macros, including if that text appears within an embedded image.
Attachment with auto-executing macro (unsolicited)
Attachment from an unsolicited sender contains a macro that will auto-execute when the file is opened. Macros are a common phishing technique used to deploy malware.
Attachment with auto-opening VBA macro (unsolicited)
Recursively scans files and archives to detect embedded VBA files with an auto-open execution routine.
Attachment with encrypted zip (unsolicited)
Recursively scans files and archives to detect encrypted zip files.
Attachment with free subdomain host URL (unsolicited)
Recursively scans files and archives to detect links to free subdomain hosts. Free subdomain hosts are commonly used to host credential phishing sites.
Attachment with high risk VBA macro (unsolicited)
Potentially malicious attachment containing a VBA macro. Oletools categorizes the macro risk as 'high'.
Attachment with macro calling executable
Recursively scans files and archives to detect embedded VBA files containing an encoded hex string that references an exe. This may be an attempt to heavily obfuscate execution through a Microsoft Office document.
Attachment with suspicious author (unsolicited)
Recursively scans files and archives to detect embedded docx files with a specific author.
Attachment with unscannable encrypted zip (unsolicited)
Recursively scans files and archives to detect embedded ZIP files that are encrypted and could not be opened/scanned.
Attachment with URL shortener (unsolicited)
Recursively scans files and archives to detect links to URL shorteners.
Attachment with VBA macros from employee impersonation (unsolicited)
Attachment contains a VBA macro from a sender your organization has never sent an email to. Sender is using a display name that matches the display name of someone in your organization. VBA macros are a common phishing technique used to deploy malware.