EXPLORE DETECTIONS
Azure Virtual Network Device Modified or Deleted
Identifies when a virtual network device is being modified or deleted. This can be a network interface, network virtual appliance, virtual hub, or virtual router.
Azure Virtual Network Modified or Deleted
Identifies when a Virtual Network is modified or deleted in Azure.
Azure VPN Connection Modified or Deleted
Identifies when a VPN connection is modified or deleted.
BaaUpdate.exe Suspicious DLL Load
Detects BitLocker Access Agent Update Utility (baaupdate.exe) loading DLLs from suspicious locations that are publicly writable which could indicate an attempt to lateral movement via BitLocker DCOM & COM Hijacking. This technique abuses COM Classes configured as INTERACTIVE USER to spawn processes in the context of the logged-on user's session. Specifically, it targets the BDEUILauncher Class (CLSID ab93b6f1-be76-4185-a488-a9001b105b94) which can launch BaaUpdate.exe, which is vulnerable to COM Hijacking when started with input parameters. This allows attackers to execute code in the user's context without needing to steal credentials or use additional techniques to compromise the account.
Backup Catalog Deleted
Detects backup catalog deletions
Backup Files Deleted
Detects deletion of files with extensions often used for backup files. Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.
Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Detects attackers using tooling with bad opsec defaults. E.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run. One trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.
Bad Opsec Powershell Code Artifacts
focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads that often undergo minimal changes by attackers due to bad opsec.
Base64 Encoded PowerShell Command Detected
Detects usage of the "FromBase64String" function in the commandline which is used to decode a base64 encoded string
Base64 MZ Header In CommandLine
Detects encoded base64 MZ header in the commandline
Bash Interactive Shell
Detects execution of the bash shell with the interactive flag "-i".
Binary Padding - Linux
Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.
Binary Padding - MacOS
Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.
Binary Proxy Execution Via Dotnet-Trace.EXE
Detects commandline arguments for executing a child process via dotnet-trace.exe
Bitbucket Audit Log Configuration Updated
Detects changes to the bitbucket audit log configuration.
Bitbucket Full Data Export Triggered
Detects when full data export is attempted.
Bitbucket Global Permission Changed
Detects global permissions change activity.
Bitbucket Global Secret Scanning Rule Deleted
Detects Bitbucket global secret scanning rule deletion activity.
Bitbucket Global SSH Settings Changed
Detects Bitbucket global SSH access configuration changes.
Bitbucket Project Secret Scanning Allowlist Added
Detects when a secret scanning allowlist rule is added for projects.
Bitbucket Secret Scanning Exempt Repository Added
Detects when a repository is exempted from secret scanning feature.
Bitbucket Secret Scanning Rule Deleted
Detects when secret scanning rule is deleted for the project or repository.
Bitbucket Unauthorized Access To A Resource
Detects unauthorized access attempts to a resource.
Bitbucket Unauthorized Full Data Export Triggered
Detects when full data export is attempted an unauthorized user.