EXPLORE DETECTIONS
Forfiles Command Execution
Detects the execution of "forfiles" with the "/c" flag. While this is an expected behavior of the tool, it can be abused in order to proxy execution through it with any binary. Can be used to bypass application whitelisting.
Forfiles.EXE Child Process Masquerading
Detects the execution of "forfiles" from a non-default location, in order to potentially spawn a custom "cmd.exe" from the current working directory.
FortiGate - Firewall Address Object Added
Detects the addition of firewall address objects on a Fortinet FortiGate Firewall.
FortiGate - New Administrator Account Created
Detects the creation of an administrator account on a Fortinet FortiGate Firewall.
FortiGate - New Firewall Policy Added
Detects the addition of a new firewall policy on a Fortinet FortiGate Firewall.
FortiGate - New Local User Created
Detects the creation of a new local user on a Fortinet FortiGate Firewall. The new local user could be used for VPN connections.
FortiGate - New VPN SSL Web Portal Added
Detects the addition of a VPN SSL Web Portal on a Fortinet FortiGate Firewall. This behavior was observed in pair with modification of VPN SSL settings.
FortiGate - User Group Modified
Detects the modification of a user group on a Fortinet FortiGate Firewall. The group could be used to grant VPN access to a network.
FortiGate - VPN SSL Settings Modified
Detects the modification of VPN SSL Settings (for example, the modification of authentication rules). This behavior was observed in pair with the addition of a VPN SSL Web Portal.
Fsutil Drive Enumeration
Attackers may leverage fsutil to enumerated connected drives.
Fsutil Suspicious Invocation
Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc). Might be used by ransomwares during the attack (seen by NotPetya and others).
FTP Connection Open Attempt Via Winscp CLI
Detects the execution of Winscp with the "-command" and the "open" flags in order to open an FTP connection. Akira ransomware was seen using this technique in order to exfiltrate data.
Function Call From Undocumented COM Interface EditionUpgradeManager
Detects function calls from the EditionUpgradeManager COM interface. Which is an interface that is not used by standard executables.
GAC DLL Loaded Via Office Applications
Detects any GAC DLL being loaded by an Office Product
Gatekeeper Bypass via Xattr
Detects macOS Gatekeeper bypass via xattr utility
GatherNetworkInfo.VBS Reconnaissance Script Output
Detects creation of files which are the results of executing the built-in reconnaissance script "C:\Windows\System32\gatherNetworkInfo.vbs".
GCP Access Policy Deleted
Detects when an access policy that is applied to a GCP cloud resource is deleted. An adversary would be able to remove access policies to gain access to a GCP cloud resource.
GCP Break-glass Container Workload Deployed
Detects the deployment of workloads that are deployed by using the break-glass flag to override Binary Authorization controls.
Get-ADUser Enumeration Using UserAccountControl Flags
Detects AS-REP roasting is an attack that is often-overlooked. It is not very common as you have to explicitly set accounts that do not require pre-authentication.
Github Delete Action Invoked
Detects delete action in the Github audit logs for codespaces, environment, project and repo.
Github Fork Private Repositories Setting Enabled/Cleared
Detects when the policy allowing forks of private and internal repositories is changed (enabled or cleared).
Github High Risk Configuration Disabled
Detects when a user disables a critical security feature for an organization.
Github New Secret Created
Detects when a user creates action secret for the organization, environment, codespaces or repository.
Github Outside Collaborator Detected
Detects when an organization member or an outside collaborator is added to or removed from a project board or has their permission level changed or when an owner removes an outside collaborator from an organization or when two-factor authentication is required in an organization and an outside collaborator does not use 2FA or disables 2FA.