EXPLORE DETECTIONS
Certificate Exported From Local Certificate Store
Detects when an application exports a certificate (and potentially the private key as well) from the local Windows certificate store.
Certificate Exported Via Certutil.EXE
Detects the execution of the certutil with the "exportPFX" flag which allows the utility to export certificates.
Certificate Exported Via PowerShell
Detects calls to cmdlets that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.
Certificate Exported Via PowerShell - ScriptBlock
Detects calls to cmdlets inside of PowerShell scripts that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.
Certificate Private Key Acquired
Detects when an application acquires a certificate private key
Certificate Request Export to Exchange Webserver
Detects a write of an Exchange CSR to an untypical directory or with aspx name suffix which can be used to place a webshell
Certificate Use With No Strong Mapping
Detects a user certificate that was valid but could not be mapped to a user in a strong way (such as via explicit mapping, key trust mapping, or a SID) This could be a sign of exploitation of the elevation of privilege vulnerabilities (CVE-2022-34691, CVE-2022-26931, CVE-2022-26923) that can occur when the KDC allows certificate spoofing by not requiring a strong mapping. Events where the AccountName and CN of the Subject do not match, or where the CN ends in a dollar sign indicating a machine, may indicate certificate spoofing.
Certificate-Based Authentication Enabled
Detects when certificate based authentication has been enabled in an Azure Active Directory tenant.
Change Default File Association To Executable Via Assoc
Detects when a program changes the default file association of any extension to an executable. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
Change Default File Association Via Assoc
Detects file association changes using the builtin "assoc" command. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
Change PowerShell Policies to an Insecure Level
Detects changing the PowerShell script execution policy to a potentially insecure level using the "-ExecutionPolicy" flag.
Change PowerShell Policies to an Insecure Level - PowerShell
Detects changing the PowerShell script execution policy to a potentially insecure level using the "Set-ExecutionPolicy" cmdlet.
Change the Fax Dll
Detect possible persistence using Fax DLL load when service restart
Change to Authentication Method
Change to authentication method could be an indicator of an attacker adding an auth method to the account so they can have continued access.
Change User Account Associated with the FAX Service
Detect change of the user account associated with the FAX service to avoid the escalation problem.
Change User Agents with WebRequest
Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Change Winevt Channel Access Permission Via Registry
Detects tampering with the "ChannelAccess" registry key in order to change access to Windows event channel.
Changes to Device Registration Policy
Monitor and alert for changes to the device registration policy.
Changes To PIM Settings
Detects when changes are made to PIM roles
Changing Existing Service ImagePath Value Via Reg.EXE
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
Chmod Suspicious Directory
Detects chmod targeting files in abnormal directory paths.
Chopper Webshell Process Pattern
Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells
Chromium Browser Headless Execution To Mockbin Like Site
Detects the execution of a Chromium based browser process with the "headless" flag and a URL pointing to the mockbin.org service (which can be used to exfiltrate data).
Chromium Browser Instance Executed With Custom Extension
Detects a Chromium based browser process with the 'load-extension' flag to start a instance with a custom extension