EXPLORE DETECTIONS
Critical Hive In Suspicious Location Access Bits Cleared
Detects events from the Kernel-General ETW indicating that the access bits of a hive with a system like hive name located in the temp directory have been reset. This occurs when an application tries to access a hive and the hive has not be recognized since the last 7 days (by default). Registry hive dumping utilities such as QuarksPwDump were seen emitting this behavior.
Crontab Enumeration
Detects usage of crontab to list the tasks of the user
Cross Site Scripting Strings
Detects XSS attempts injected via GET requests in access logs
Crypto Miner User Agent
Detects suspicious user agent strings used by crypto miners in proxy logs
Csc.EXE Execution Form Potentially Suspicious Parent
Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery.
Cscript/Wscript Potentially Suspicious Child Process
Detects potentially suspicious child processes of Wscript/Cscript. These include processes such as rundll32 with uncommon exports or PowerShell spawning rundll32 or regsvr32. Malware such as Pikabot and Qakbot were seen using similar techniques as well as many others.
Cscript/Wscript Uncommon Script Extension Execution
Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) extension
CSExec Service File Creation
Detects default CSExec service filename which indicates CSExec service installation and execution
CSExec Service Installation
Detects CSExec service installation and execution events
Curl Download And Execute Combination
Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.
Curl File Upload To File Sharing Websites
Detects usage of curl to upload files to known file sharing domains, which may indicate data exfiltration.
Curl Usage on Linux
Detects a curl process start on linux, which indicates a file download from a remote location or a simple web request to a remote server
Curl Web Request With Potential Custom User-Agent
Detects execution of "curl.exe" with a potential custom "User-Agent". Attackers can leverage this to download or exfiltrate data via "curl" to a domain that only accept specific "User-Agent" strings
Curl.EXE Execution
Detects a curl process start on Windows, which could indicates a file download from a remote location or a simple web request to a remote server
Curl.EXE Execution With Custom UserAgent
Detects execution of curl.exe with custom useragent options
CurrentControlSet Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
CurrentVersion Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
CurrentVersion NT Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
Custom File Open Handler Executes PowerShell
Detects the abuse of custom file open handler, executing powershell
Data Compressed
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
Data Copied To Clipboard Via Clip.EXE
Detects the execution of clip.exe in order to copy data to the clipboard. Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Data Exfiltration to Unsanctioned Apps
Detects when a Microsoft Cloud App Security reported when a user or IP address uses an app that is not sanctioned to perform an activity that resembles an attempt to exfiltrate information from your organization.
Data Exfiltration with Wget
Detects attempts to post the file with the usage of wget utility. The adversary can bypass the permission restriction with the misconfigured sudo permission for wget utility which could allow them to read files like /etc/shadow.
Data Export From MSSQL Table Via BCP.EXE
Detects the execution of the BCP utility in order to export data from the database. Attackers were seen saving their malware to a database column or table and then later extracting it via "bcp.exe" into a file.