EXPLORE DETECTIONS
Browser Process Spawned from an Unusual Parent
Identifies instances where an unusual process spawns a chrome browser child process. This behavior could be related to malware stealing browser information.
Bypass UAC via Event Viewer
Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with elevated permissions.
Chkconfig Service Add
Detects the use of the chkconfig binary to manually add a service for management by chkconfig. Threat actors may utilize this technique to maintain persistence on a system. When a new service is added, chkconfig ensures that the service has either a start or a kill entry in every runlevel and when the system is rebooted the service file added will run providing long-term persistence.
Chroot Execution Detected via Defend for Containers
This rule detects when chroot is executed inside a container. Chroot is a Linux utility that allows a user to run a command in a different directory. This can be used to escape a container and gain access to the host system.
Clearing Windows Console History
Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.
Clearing Windows Event Logs
Identifies attempts to clear or disable Windows event log stores using Windows wevetutil command. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.
Cloud Credential Search Detected via Defend for Containers
This rule detects the use of system search utilities like grep and find to search for AWS credentials inside a container. Unauthorized access to these sensitive files could lead to further compromise of the container environment or facilitate a container breakout to the underlying cloud environment.
Cobalt Strike Command and Control Beacon
Cobalt Strike is a threat emulation platform commonly modified and used by adversaries to conduct network attack and exploitation campaigns. This rule detects a network activity algorithm leveraged by Cobalt Strike implant beacons for command and control.
Code Signing Policy Modification Through Built-in tools
Identifies attempts to disable/modify the code signing policy through system native utilities. Code signing provides authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code.
Code Signing Policy Modification Through Registry
Identifies attempts to disable the code signing policy through the registry. Code signing provides authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code.
Command and Scripting Interpreter via Windows Scripts
Identifies PowerShell.exe or Cmd.exe execution spawning from Windows Script Host processes Wscript.exe.
Command Execution via ForFiles
Detects attempts to execute a command via the forfiles Windows utility. Adversaries may use this utility to proxy execution via a trusted parent process.
Command Execution via SolarWinds Process
A suspicious SolarWinds child process (Cmd.exe or Powershell.exe) was detected.
Command Line Obfuscation via Whitespace Padding
Identifies process execution events where the command line value contains a long sequence of whitespace characters or multiple occurrences of contiguous whitespace. Attackers may attempt to evade signature-based detections by padding their malicious command with unnecessary whitespace characters. These observations should be investigated for malicious behavior.
Command Obfuscation via Unicode Modifier Letters
Identifies the presence of unicode modifier letters in the process command_line. Adversaries sometimes replace ASCII characters with visually similar Unicode modifier letters or combining marks to evade simple string-based detections.
Command Shell Activity Started via RunDLL32
Identifies command shell activity started via RunDLL32, which is commonly abused by attackers to host malicious code.
Component Object Model Hijacking
Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects.
Conhost Spawned By Suspicious Parent Process
Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection.
Connection to Common Large Language Model Endpoints
Identifies DNS queries to known Large Language Model domains by unsigned binaries or common Windows scripting utilities. Malwares may leverage the capabilities of LLM to perform actions in the affected system in a dynamic way.
Connection to Commonly Abused Free SSL Certificate Providers
Identifies unusual processes connecting to domains using known free SSL certificates. Adversaries may employ a known encryption algorithm to conceal command and control traffic.
Connection to Commonly Abused Web Services
Adversaries may implement command and control (C2) communications that use common web services to hide their activity. This attack technique is typically targeted at an organization and uses web services common to the victim network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they have most likely been used before compromise, which helps malicious traffic blend in.
Connection to External Network via Telnet
Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to publicly routable IP addresses.
Connection to Internal Network via Telnet
Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to non-publicly routable IP addresses.
Container Management Utility Execution Detected via Defend for Containers
This rule detects when a container management binary is run from inside a container. These binaries are critical components of many containerized environments, and their presence and execution in unauthorized containers could indicate compromise or a misconfiguration.