EXPLORE DETECTIONS
Suspicious Get Local Groups Information - PowerShell
Detects the use of PowerShell modules and cmdlets to gather local group information. Adversaries may use local system permission groups to determine which groups exist and which users belong to a particular group such as the local administrators group.
Suspicious Get-ADDBAccount Usage
Detects suspicious invocation of the Get-ADDBAccount script that reads from a ntds.dit file and may be used to get access to credentials without using any credential dumpers
Suspicious Get-ADReplAccount
The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
Suspicious Get-Variable.exe Creation
Get-Variable is a valid PowerShell cmdlet WindowsApps is by default in the path where PowerShell is executed. So when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.
Suspicious GetTypeFromCLSID ShellExecute
Detects suspicious Powershell code that execute COM Objects
Suspicious Git Clone
Detects execution of "git" in order to clone a remote repository that contain suspicious keywords which might be suspicious
Suspicious Git Clone - Linux
Detects execution of "git" in order to clone a remote repository that contain suspicious keywords which might be suspicious
Suspicious GPO Discovery With Get-GPO
Detect use of Get-GPO to get one GPO or all the GPOs in a domain.
Suspicious Greedy Compression Using Rar.EXE
Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes
Suspicious Group And Account Reconnaissance Activity Using Net.EXE
Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE Check if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM)
Suspicious GrpConv Execution
Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors
Suspicious GUP Usage
Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks
Suspicious HH.EXE Execution
Detects a suspicious execution of a Microsoft HTML Help (HH.exe)
Suspicious High IntegrityLevel Conhost Legacy Option
ForceV1 asks for information directly from the kernel space. Conhost connects to the console application. High IntegrityLevel means the process is running with elevated privileges, such as an Administrator context.
Suspicious History File Operations
Detects commandline operations on shell history files
Suspicious History File Operations - Linux
Detects commandline operations on shell history files
Suspicious HWP Sub Processes
Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation
Suspicious Hyper-V Cmdlets
Adversaries may carry out malicious operations using a virtual instance to avoid detection
Suspicious IIS Module Registration
Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors
Suspicious IIS URL GlobalRules Rewrite Via AppCmd
Detects usage of "appcmd" to create new global URL rewrite rules. This behaviour has been observed being used by threat actors to add new rules so they can access their webshells.
Suspicious Inbox Forwarding
Detects when a Microsoft Cloud App Security reported suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address.
Suspicious Inbox Forwarding Identity Protection
Indicates suspicious rules such as an inbox rule that forwards a copy of all emails to an external address
Suspicious Inbox Manipulation Rules
Detects suspicious rules that delete or move messages or folders are set on a user's inbox.
Suspicious Installer Package Child Process
Detects the execution of suspicious child processes from macOS installer package parent process. This includes osascript, JXA, curl and wget amongst other interpreters