EXPLORE DETECTIONS
Windows Firewall Profile Disabled
Detects when a user disables the Windows Firewall via a Profile to help evade defense.
Windows Firewall Settings Have Been Changed
Detects activity when the settings of the Windows firewall have been changed
Windows Hotfix Updates Reconnaissance Via Wmic.EXE
Detects the execution of wmic with the "qfe" flag in order to obtain information about installed hotfix updates on the system. This is often used by pentester and attacker enumeration scripts
Windows Hypervisor Enforced Code Integrity Disabled
Detects changes to the HypervisorEnforcedCodeIntegrity registry key and the "Enabled" value being set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker to load unsigned and untrusted code to be run in the kernel
Windows Internet Hosted WebDav Share Mount Via Net.EXE
Detects when an internet hosted webdav share is mounted using the "net.exe" utility
Windows Kernel Debugger Execution
Detects execution of the Windows Kernel Debugger "kd.exe".
Windows LAPS Credential Dump From Entra ID
Detects when an account dumps the LAPS password from Entra ID.
Windows Mail App Mailbox Access Via PowerShell Script
Detects PowerShell scripts that try to access the default Windows MailApp MailBox. This indicates manipulation of or access to the stored emails of a user. E.g. this could be used by an attacker to exfiltrate or delete the content of the emails.
Windows MSIX Package Support Framework AI_STUBS Execution
Detects execution of Advanced Installer MSIX Package Support Framework (PSF) components, specifically AI_STUBS executables with original filename 'popupwrapper.exe'. This activity may indicate malicious MSIX packages build with Advanced Installer leveraging the Package Support Framework to bypass application control restrictions.
Windows Network Access Suspicious desktop.ini Action
Detects unusual processes accessing desktop.ini remotely over network share, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
Windows Pcap Drivers
Detects Windows Pcap driver installation based on a list of associated .sys files.
Windows PowerShell User Agent
Detects Windows PowerShell Web Access
Windows Processes Suspicious Parent Directory
Detect suspicious parent processes of well-known Windows processes
Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted
Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" registry value. Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
Windows Recall Feature Enabled - Registry
Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by setting the value of "DisableAIDataAnalysis" to "0". Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
Windows Recall Feature Enabled Via Reg.EXE
Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" value, or setting it to 0. Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
Windows Recovery Environment Disabled Via Reagentc
Detects attempts to disable windows recovery environment using Reagentc. ReAgentc.exe is a command-line tool in Windows used to manage the Windows Recovery Environment (WinRE). It allows users to enable, disable, and configure WinRE, which is used for troubleshooting and repairing common boot issues.
Windows Registry Trust Record Modification
Alerts on trust record modification within the registry, indicating usage of macros
Windows Screen Capture with CopyFromScreen
Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations
Windows Service Terminated With Error
Detects Windows services that got terminated for whatever reason
Windows Share Mount Via Net.EXE
Detects when a share is mounted using the "net.exe" utility
Windows Shell/Scripting Application File Write to Suspicious Folder
Detects Windows shells and scripting applications that write files to suspicious folders
Windows Shell/Scripting Processes Spawning Suspicious Programs
Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.
Windows Terminal Profile Settings Modification By Uncommon Process
Detects the creation or modification of the Windows Terminal Profile settings file "settings.json" by an uncommon process.