EXPLORE DETECTIONS
Silence.EDA Detection
Detects Silence EmpireDNSAgent (EDA) as described in the Group-IB report.
Silenttrinity Stager Msbuild Activity
Detects possible remote connections to a Silenttrinity C2 server.
Sliver C2 Default Service Installation
Detects a known malicious service installation that appears when a Sliver implant executes the PsExec command.
SMB Create Remote File Admin Share
Looks for non-system accounts accessing a file over SMB with the write (0x2) access mask via an administrative share (e.g. C$).
SMB over QUIC Via Net.EXE
Detects the mounting of Windows SMB shares over QUIC, which can be an unexpected event in some enterprise environments.
SMB over QUIC Via PowerShell Script
Detects the mounting of Windows SMB shares over QUIC, which can be an unexpected event in some enterprise environments.
SMB Spoolss Named Pipe Usage
Detects use of the spoolss named pipe over SMB. This can be used to coerce NTLM authentication from any machine that has the Print Spooler service enabled.
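The two SMB detections above (admin-share file write and spoolss named pipe access) both key on Windows Security event 5145. The following added example, which is not part of this page or of the rules it lists, evaluates both over a few constructed 5145 records. The event field names follow the Windows event schema; the records, account names and IP addresses are made up. Where the original admin-share rule matches the access mask 0x2 exactly, this example tests the write bit, so masks that combine it with other rights also match.

```python
import re

# Constructed sample records in the shape of Windows Security event 5145
# ("A network share object was checked to see whether client can be granted
# desired access"). Field names follow the event schema; values are made up.
SAMPLE_5145 = [
    {"EventID": 5145, "SubjectUserName": "jdoe", "IpAddress": "10.0.0.5",
     "ShareName": "\\\\*\\C$", "RelativeTargetName": "Windows\\Temp\\svc.exe",
     "AccessMask": "0x2"},
    {"EventID": 5145, "SubjectUserName": "WKS02$", "IpAddress": "10.0.0.7",
     "ShareName": "\\\\*\\ADMIN$", "RelativeTargetName": "update.exe",
     "AccessMask": "0x2"},
    {"EventID": 5145, "SubjectUserName": "jdoe", "IpAddress": "10.0.0.5",
     "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "spoolss",
     "AccessMask": "0x12019f"},
    {"EventID": 5145, "SubjectUserName": "jdoe", "IpAddress": "10.0.0.5",
     "ShareName": "\\\\*\\C$", "RelativeTargetName": "Users\\jdoe\\notes.txt",
     "AccessMask": "0x80"},
]

# Administrative shares: a drive-letter share (C$, D$, ...) or ADMIN$.
# IPC$ is deliberately excluded; it carries named pipes, not files.
ADMIN_SHARE_RE = re.compile(r"\\\\\*\\(?:[A-Z]\$|ADMIN\$)$", re.IGNORECASE)
FILE_WRITE_DATA = 0x2  # bit 1 of the access mask


def is_system_account(user: str) -> bool:
    """Machine accounts end in '$'; the built-in service identities are named."""
    return user.endswith("$") or user.upper() in {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}


def admin_share_write(ev: dict) -> bool:
    """SMB Create Remote File Admin Share: non-system account, admin share, write access.
    Generalisation: tests the write bit instead of requiring AccessMask == 0x2."""
    if ev.get("EventID") != 5145 or not ADMIN_SHARE_RE.search(ev.get("ShareName", "")):
        return False
    try:
        mask = int(ev.get("AccessMask", "0"), 16)
    except ValueError:
        return False
    return bool(mask & FILE_WRITE_DATA) and not is_system_account(ev.get("SubjectUserName", ""))


def spoolss_pipe_access(ev: dict) -> bool:
    """SMB Spoolss Named Pipe Usage: the spoolss pipe opened over IPC$."""
    return (ev.get("EventID") == 5145
            and ev.get("ShareName", "").upper().endswith("\\IPC$")
            and ev.get("RelativeTargetName", "").lower() == "spoolss")


def evaluate(events):
    """Return (rule title, subject account, source IP) for every matching record."""
    hits = []
    for ev in events:
        if admin_share_write(ev):
            hits.append(("SMB Create Remote File Admin Share", ev["SubjectUserName"], ev["IpAddress"]))
        if spoolss_pipe_access(ev):
            hits.append(("SMB Spoolss Named Pipe Usage", ev["SubjectUserName"], ev["IpAddress"]))
    return hits


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_5145):
        print(*hit, sep=" | ")
```

Of the four constructed records, only the first (a user writing to C$) and the third (the same user opening spoolss on IPC$) match; the machine-account write to ADMIN$ and the read-attributes access (0x80) to C$ do not.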
smbexec.py Service Installation
Detects use of the smbexec.py tool by its characteristic service installation.
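Both the Sliver and the smbexec.py detections above key on Windows System event 7045 (a service was installed). The following added example, not part of this page or of either tool, evaluates both over constructed 7045 records. The smbexec.py strings (service name BTOBTO, a command line writing to \\127.0.0.1\C$\__output via execute.bat) reproduce impacket's defaults; the Sliver pattern (a service named "Sliver-" plus ten random alphanumerics, running a binary with a ten-character random name) is assumed here from Sliver's psexec defaults, and the other service records are made up.

```python
import re

# Constructed sample records in the shape of Windows System event 7045
# ("A service was installed in the system"). Values are made up, except the
# smbexec.py service name and command line, which reproduce impacket's defaults.
SAMPLE_7045 = [
    {"EventID": 7045, "ServiceName": "BTOBTO", "StartType": "demand start",
     "AccountName": "LocalSystem",
     "ImagePath": "%COMSPEC% /Q /c echo cd ^> \\\\127.0.0.1\\C$\\__output 2^>^&1 > "
                  "%TEMP%\\execute.bat & %COMSPEC% /Q /c %TEMP%\\execute.bat & del %TEMP%\\execute.bat"},
    {"EventID": 7045, "ServiceName": "Sliver-Ab3dE9xYz1", "StartType": "demand start",
     "AccountName": "LocalSystem", "ImagePath": "C:\\Windows\\Temp\\Kq8ZmPp2Lw.exe"},
    {"EventID": 7045, "ServiceName": "PSEXESVC", "StartType": "demand start",
     "AccountName": "LocalSystem", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"EventID": 7045, "ServiceName": "VendorUpdater", "StartType": "auto start",
     "AccountName": "LocalSystem", "ImagePath": "\"C:\\Program Files\\Vendor\\updater.exe\" -svc"},
]

# Assumed Sliver psexec defaults: "Sliver-" + 10 random alphanumerics as the
# service name, and a 10-character random binary name as the image path.
SLIVER_NAME_RE = re.compile(r"^Sliver-[A-Za-z0-9]{10}$")
SLIVER_PATH_RE = re.compile(r"\\[A-Za-z0-9]{10}\.exe$")


def is_smbexec_install(ev: dict) -> bool:
    """smbexec.py Service Installation: default service name, or the default
    command line that redirects output through \\127.0.0.1\C$\__output."""
    if ev.get("EventID") != 7045:
        return False
    path = ev.get("ImagePath", "")
    return ev.get("ServiceName") == "BTOBTO" or ("__output" in path and "execute.bat" in path)


def is_sliver_install(ev: dict) -> bool:
    """Sliver C2 Default Service Installation: both the name and the path pattern must match."""
    return (ev.get("EventID") == 7045
            and bool(SLIVER_NAME_RE.match(ev.get("ServiceName", "")))
            and bool(SLIVER_PATH_RE.search(ev.get("ImagePath", ""))))


def evaluate(events):
    """Return (rule title, service name) for every matching 7045 record."""
    hits = []
    for ev in events:
        if is_smbexec_install(ev):
            hits.append(("smbexec.py Service Installation", ev["ServiceName"]))
        if is_sliver_install(ev):
            hits.append(("Sliver C2 Default Service Installation", ev["ServiceName"]))
    return hits


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_7045):
        print(*hit, sep=" | ")
```

The PSEXESVC and vendor records are included to show that the two rules are specific to their tools: Sysinternals PsExec installs a service too, but neither pattern matches it. Operators can rename both tools' defaults, so these rules catch default usage only.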
Source Code Enumeration Detection by Keyword
Detects source code enumeration via GET requests by keyword searches in URL strings.
Space After Filename - macOS
Detects attempts to masquerade as legitimate files by adding a space to the end of the filename.
Special File Creation via Mknod Syscall
Detects usage of the `mknod` syscall to create special files (e.g., character or block devices). Attackers or malware might use `mknod` to create fake devices, interact with kernel interfaces, or establish covert channels in Linux systems. Monitoring the use of `mknod` is important because this syscall is rarely used by legitimate applications, and it can be abused to bypass file system restrictions or create backdoors.
Split A File Into Pieces
Detects use of the "split" command to split files into parts, possibly in preparation for transfer.
Split A File Into Pieces - Linux
Detects use of the "split" command to split files into parts, possibly in preparation for transfer.
Spring Framework Exceptions
Detects suspicious Spring framework exceptions that could indicate exploitation attempts
SQL Client Tools PowerShell Session Detection
This rule detects execution of PowerShell code through the sqltoolsps.exe utility, which ships with Microsoft SQL Server Management Studio. Script blocks are not logged in this case, so the utility can be used to bypass protections that rely on script block log analysis.
SQL Injection Strings In URI
Detects potential SQL injection attempts via GET requests in access logs.
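Both web-log rules above (source code enumeration by keyword and SQL injection strings in the URI) are keyword searches over the request URI of GET requests in access logs. The following added example, not part of this page or of the rules, parses combined-format access log lines, URL-decodes the URI twice before matching (attackers double-encode to evade naive string matching) and reports hits for both rules. The log lines are constructed, and the keyword lists are illustrative assumptions; the rules' own keyword lists are not reproduced here.

```python
import re
from urllib.parse import unquote_plus

# Constructed combined-format access log lines (made up for this example;
# 203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges).
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [10/Jan/2024:13:55:36 +0000] "GET /.git/config HTTP/1.1" 200 312 "-" "curl/8.4.0"',
    '203.0.113.7 - - [10/Jan/2024:13:55:40 +0000] "GET /products?id=1%27%20UNION%20SELECT%20username,password%20FROM%20users-- HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2024:13:55:44 +0000] "GET /search?q=test%2527%2520OR%25201%253D1-- HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2024:13:55:49 +0000] "GET /api/item?id=5%20AND%20sleep(5) HTTP/1.1" 200 41 "-" "python-requests/2.31"',
    '198.51.100.2 - - [10/Jan/2024:13:56:01 +0000] "GET /products?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [10/Jan/2024:13:56:05 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

# Combined log format: client, ident, user, [timestamp], "METHOD URI PROTO", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Illustrative keyword lists (assumptions for this example, not the rules' own lists).
SOURCE_KEYWORDS = [".git/", ".svn/", ".hg/", ".bzr/", "/.env"]
SQLI_KEYWORDS = ["union select", "' or 1=1", "or 1=1--", "=select", "=union",
                 "sleep(", "benchmark(", "waitfor delay"]


def parse_line(line: str):
    """Return the named fields of a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def normalise_uri(uri: str) -> str:
    """Decode twice and lower-case so double-encoded payloads (%2527 -> %27 -> ') are matched."""
    return unquote_plus(unquote_plus(uri)).lower()


def matched_keywords(uri: str, keywords):
    return [k for k in keywords if k in uri]


def evaluate(lines):
    """Run both keyword rules over GET requests; one hit per rule per line."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        uri = normalise_uri(rec["uri"])
        for kw in matched_keywords(uri, SOURCE_KEYWORDS):
            hits.append({"rule": "Source Code Enumeration Detection by Keyword",
                         "ip": rec["ip"], "keyword": kw, "uri": rec["uri"]})
        sqli = matched_keywords(uri, SQLI_KEYWORDS)
        if sqli:
            hits.append({"rule": "SQL Injection Strings In URI",
                         "ip": rec["ip"], "keyword": sqli[0], "uri": rec["uri"]})
    return hits


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_ACCESS_LOG):
        print(hit["ip"], hit["rule"], repr(hit["keyword"]), hit["uri"], sep=" | ")
```

Of the six constructed lines, the first matches the source enumeration rule and the next three match the SQL injection rule; the plain product lookup and the POST request produce no hits. The double decoding is what makes the third line (`%2527` for a single quote) match at all.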
SQLite Chromium Profile Data DB Access
Detects usage of the "sqlite" binary to query databases of Chromium-based browsers for potential data theft.
SQLite Firefox Profile Data DB Access
Detects usage of the "sqlite" binary to query databases of Firefox and other Gecko-based browsers for potential data theft.
Stale Accounts In A Privileged Role
Identifies accounts in a privileged role that have not signed in during the past n days.
Standard User In High Privileged Group
Detects logons by standard users that are members of high-privileged groups such as the Administrators group.
Start of NT Virtual DOS Machine
Ntvdm.exe allows the execution of 16-bit Windows applications on 32-bit Windows operating systems, as well as the execution of both 16-bit and 32-bit DOS applications.
Start Windows Service Via Net.EXE
Detects the usage of the "net.exe" command to start a service using the "start" flag
Startup Folder File Write
A general detection for files being created in the Windows Startup directory, which can be an indicator of persistence.
Startup Item File Created - MacOS
Detects the creation of a startup item plist file, which is executed automatically at boot initialization and can be used by adversaries to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order of all startup items.