EXPLORE DETECTIONS
Google Workspace Password Policy Modified
Detects when a Google Workspace password policy is modified. An adversary may attempt to modify a password policy in order to weaken an organization’s security controls.
Google Workspace Restrictions for Marketplace Modified to Allow Any App
Detects when the Google Marketplace restrictions are changed to allow any application for users in Google Workspace. Malicious APKs created by adversaries may be uploaded to the Google marketplace but not installed on devices managed within Google Workspace. Administrators should set restrictions to not allow any application from the marketplace for security reasons. Adversaries may enable any app to be installed and executed on mobile devices within a Google Workspace environment prior to distributing the malicious APK to the end user.
Google Workspace Role Modified
Detects when a custom admin role or its permissions are modified. An adversary may modify a custom admin role in order to elevate the permissions of other user accounts and persist in their target’s environment.
Google Workspace Suspended User Account Renewed
Detects when a previously suspended user's account is renewed in Google Workspace. An adversary may renew a suspended user account to maintain access to the Google Workspace organization with a valid account.
Google Workspace User Organizational Unit Changed
Users in Google Workspace are typically assigned a specific organizational unit that grants them permissions to certain services and roles that are inherited from this organizational unit. Adversaries may compromise a valid account and change which organizational account the user belongs to which then could allow them to inherit permissions to applications and resources inaccessible prior to.
Group Policy Abuse for Privilege Addition
Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.
Group Policy Discovery via Microsoft GPResult Utility
Detects the usage of gpresult.exe to query group policy objects. Attackers may query group policy objects during the reconnaissance phase after compromising a system to gain a better understanding of the active directory environment and possible methods to escalate privileges or move laterally.
GRUB Configuration File Creation
This rule detects the creation of GRUB configuration files on Linux systems. The GRUB configuration file is used to configure the boot loader, which is responsible for loading the operating system. Attackers may create malicious GRUB configuration files to execute arbitrary code or escalate privileges during the boot process, which can be leveraged to maintain persistence on the system.
GRUB Configuration Generation through Built-in Utilities
This rule detects the generation of a new GRUB configuration file using built-in Linux commands. The GRUB configuration file is used to configure the GRUB bootloader, which is responsible for loading the Linux kernel and initramfs image during the boot process. Attackers may use these built-in utilities to generate a new GRUB configuration file that includes malicious kernel parameters or boot options, which can be leveraged to maintain persistence on the system.
Halfbaked Command and Control Beacon
Halfbaked is a malware family used to establish persistence in a contested network. This rule detects a network activity algorithm leveraged by Halfbaked implant beacons for command and control.
Hidden Directory Creation via Unusual Parent
This rule detects the creation of a hidden directory via an unusual parent executable. Hidden directories are directories that are not visible to the user by default. They are often used by attackers to hide malicious files or tools.
Hidden Files and Directories via Hidden Flag
Identify activity related where adversaries can add the 'hidden' flag to files to hide them from the user in an attempt to evade detection. This behavior is often observed in attempts to conceal malicious files or maintain persistence on a compromised system.
High Command Line Entropy Detected for Privileged Commands
A machine learning job has identified an unusually high median command line entropy for privileged commands executed by a user, suggesting possible privileged access activity through command lines. High entropy often indicates that the commands may be obfuscated or deliberately complex, which can be a sign of suspicious or unauthorized use of privileged access.
High Mean of Process Arguments in an RDP Session
A machine learning job has detected unusually high number of process arguments in an RDP session. Executing sophisticated attacks such as lateral movement can involve the use of complex commands, obfuscation mechanisms, redirection and piping, which in turn increases the number of arguments in a command.
High Mean of RDP Session Duration
A machine learning job has detected unusually high mean of RDP session duration. Long RDP sessions can be used to evade detection mechanisms via session persistence, and might be used to perform tasks such as lateral movement, that might require uninterrupted access to a compromised machine.
High Number of Cloned GitHub Repos From PAT
Detects a high number of unique private repo clone events originating from a single personal access token within a short time period.
High Number of Closed Pull Requests by User
Detects a high number of closed pull requests by a single user within a short time frame. Adversaries may close multiple pull requests to disrupt development workflows or hide malicious changes.
High Number of Egress Network Connections from Unusual Executable
This rule detects a high number of egress network connections from an unusual executable on a Linux system. This could indicate a command and control (C2) communication attempt, a brute force attack via a malware infection, or other malicious activity. ESQL rules have limited fields available in its alert documents. Make sure to review the original documents to aid in the investigation of this alert.
High Number of Okta User Password Reset or Unlock Attempts
Identifies a high number of Okta user password reset or account unlock attempts. An adversary may attempt to obtain unauthorized access to Okta user accounts using these methods and attempt to blend in with normal activity in their target's environment and evade detection.
High Number of Process and/or Service Terminations
This rule identifies a high number (10) of process terminations (stop, delete, or suspend) from the same host within a short time period.
High Number of Process Terminations
This rule identifies a high number (10) of process terminations via pkill from the same host within a short time period.
High Number of Protected Branch Force Pushes by User
Detects a high number of force push actions to protected branches by a single user within a short time frame. Adversaries may perform force pushes to overwrite commit history on protected branches, potentially leading to data loss or disruption of development workflows.
High Variance in RDP Session Duration
A machine learning job has detected unusually high variance of RDP session duration. Long RDP sessions can be used to evade detection mechanisms via session persistence, and might be used to perform tasks such as lateral movement, that might require uninterrupted access to a compromised machine.
Host Detected with Suspicious Windows Process(es)
A machine learning job combination has identified a host with one or more suspicious Windows processes that exhibit unusually high malicious probability scores.These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same host name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.