EXPLORE DETECTIONS
Polkit Policy Creation
This rule monitors for the creation of Polkit policy files on Linux systems. Polkit policy files are used to define the permissions for system-wide services and applications. The creation of new Polkit policy files may indicate an attempt to modify the authentication process, which could be used for persistence by an adversary.
Polkit Version Discovery
This rule detects Polkit version discovery activity on Linux systems. Polkit version discovery can be an indication of an attacker attempting to exploit misconfigurations or vulnerabilities in the Polkit service.
Port Forwarding Rule Addition
Identifies the creation of a new port forwarding rule. An adversary may abuse this technique to bypass network segmentation restrictions.
Possible FIN7 DGA Command and Control Behavior
This rule detects a known command and control pattern in network events. The FIN7 threat group is known to use this command and control technique, while maintaining persistence in their target's network.
Possible Okta DoS Attack
Detects possible Denial of Service (DoS) attacks against an Okta organization. An adversary may attempt to disrupt an organization's business operations by performing a DoS attack against its Okta service.
Potential Abuse of Resources by High Token Count and Large Response Sizes
Detects potential resource exhaustion or data breach attempts by monitoring for users who consistently generate high input token counts, submit numerous requests, and receive large responses. This behavior could indicate an attempt to overload the system or extract an unusually large amount of data, possibly revealing sensitive information or causing service disruptions.
Potential Account Takeover - Logon from New Source IP
Identifies a user account that normally logs in with high volume from one source IP suddenly logging in from a different source IP. This pattern (one IP with many successful logons, another IP with very few) may indicate account takeover or use of stolen credentials from a new location.
Potential Account Takeover - Mixed Logon Types
Identifies a user account (often a service account) that normally logs in with high volume using one logon type suddenly showing successful logons using a different logon type with low count. This pattern may indicate account takeover or use of stolen credentials from a new context (e.g. interactive or network logon where only batch/service was expected).
Potential Active Directory Replication Account Backdoor
Identifies the modification of the nTSecurityDescriptor attribute in a domain object with rights related to DCSync to a user/computer account. Attackers can use this backdoor to re-obtain access to hashes of any user/computer.
Potential ADIDNS Poisoning via Wildcard Record Creation
Active Directory Integrated DNS (ADIDNS) is one of the core components of AD DS, leveraging AD's access control and replication to maintain domain consistency. It stores DNS zones as AD objects, a feature that, while robust, introduces some security issues, such as wildcard records, mainly because of the default permission (Any authenticated users) to create DNS-named records. Attackers can create wildcard records to redirect traffic that doesn't explicitly match records contained in the zone, becoming the Man-in-the-Middle and being able to abuse DNS similarly to LLMNR/NBNS spoofing.
Potential Admin Group Account Addition
Identifies attempts to add an account to the admin group via the command line. This could be an indication of privilege escalation activity.
Potential Antimalware Scan Interface Bypass via PowerShell
Detects PowerShell scripts that references Antimalware Scan Interface (AMSI) bypass classes, methods, or known bypass strings. Attackers attempt AMSI bypass to disable scanning and run malicious PowerShell content undetected.
Potential Application Shimming via Sdbinst
The Application Shim was created to allow for backward compatibility of software as the operating system codebase changes over time. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.
Potential AWS S3 Bucket Ransomware Note Uploaded
Identifies potential ransomware note being uploaded to an AWS S3 bucket. This rule detects the PutObject S3 API call with an object name commonly associated with ransomware notes. The keywords detected here rarely overlap with common file names and have been attributed to ransomware notes with high-confidence. Adversaries with access to a misconfigured S3 bucket may retrieve, delete, and replace objects with ransom notes to extort victims.
Potential Azure OpenAI Model Theft
Monitors for suspicious activities that may indicate theft or unauthorized duplication of machine learning (ML) models, such as unauthorized API calls, atypical access patterns, or large data transfers that are unusual during model interactions.
Potential Backdoor Execution Through PAM_EXEC
This rule detects SSH session ID change followed by a suspicious SSHD child process, this may indicate the successful execution of a potentially malicious process through the Pluggable Authentication Module (PAM) utility. PAM is a framework used by Linux systems to authenticate users. Adversaries may create malicious PAM modules that grant them persistence onto the target every time a user logs in by executing a backdoor script or command.
Potential Buffer Overflow Attack Detected
Detects potential buffer overflow attacks by querying the "Segfault Detected" pre-built rule signal index, through a threshold rule, with a minimum number of 100 segfault alerts in a short timespan. A large amount of segfaults in a short time interval could indicate application exploitation attempts.
Potential Chroot Container Escape via Mount
Monitors for the execution of a file system mount followed by a chroot execution. Given enough permissions, a user within a container is capable of mounting the root file system of the host, and leveraging chroot to escape its containarized environment. This behavior pattern is very uncommon and should be investigated.
Potential Cluster Enumeration via jq Detected via Defend for Containers
This rule detects the enumeration of the cluster by the "jq" command inside a container. The "jq" command is used to parse JSON data, and may be used by an adversary to gain information about the cluster and the services running inside it. This behavior is uncommon for interactive shells within a container, and is commonly leveraged by attackers to help parse cluster information in a more readable format, or set the output as environment variables.
Potential Code Execution via Postgresql
This rule monitors for suspicious activities that may indicate an attacker attempting to execute arbitrary code within a PostgreSQL environment. Attackers can execute code via PostgreSQL as a result of gaining unauthorized access to a public facing PostgreSQL database or exploiting vulnerabilities, such as remote command execution and SQL injection attacks, which can result in unauthorized access and malicious actions, and facilitate post-exploitation activities for unauthorized access and malicious actions.
Potential Command and Control via Internet Explorer
Identifies instances of Internet Explorer (iexplore.exe) being started via the Component Object Model (COM) making unusual network connections. Adversaries could abuse Internet Explorer via COM to avoid suspicious processes making network connections and bypass host-based firewall restrictions.
Potential Command Shell via NetCat
Identifies potential attempt to execute via a reverse shell using the netcat utility to execute Windows commands using the default interpreters like Cmd.exe and Powershell.
Potential Computer Account NTLM Relay Activity
Identifies potential relay activities against a Computer account by identifying authentication events using the computer account coming from from hosts other than the server that owns the account. Attackers may relay the computer account hash after capturing it using forced authentication.
Potential Cookies Theft via Browser Debugging
Identifies the execution of a Chromium based browser with the debugging process argument, which may indicate an attempt to steal authentication cookies. An adversary may steal web application or service session cookies and use them to gain access web applications or Internet services as an authenticated user without needing credentials.