EXPLORE DETECTIONS
Add Insecure Download Source To Winget
Detects usage of winget to add a new insecure (http) download source. Winget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos)
Add New Download Source To Winget
Detects usage of winget to add new additional download sources
Add or Remove Computer from DC
Detects the creation or removal of a computer. Can be used to detect attacks such as DCShadow via the creation of a new SPN.
Add or Set Windows Defender Exclusion
The following analytic detects the use of commands to add or set exclusions in Windows Defender. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving "Add-MpPreference" or "Set-MpPreference" with exclusion parameters. This activity is significant because adversaries often use it to bypass Windows Defender, allowing malicious code to execute undetected. If confirmed malicious, this behavior could enable attackers to evade antivirus detection, maintain persistence, and execute further malicious activities without interference from Windows Defender.
Add Port Monitor Persistence in Registry
Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.
Add Potential Suspicious New Download Source To Winget
Detects usage of winget to add new potentially suspicious download sources
Add SafeBoot Keys Via Reg Utility
Detects execution of "reg.exe" commands with the "add" or "copy" flags on safe boot registry keys. Often used by attacker to allow the ransomware to work in safe mode as some security products do not
Add uncommon credential type to application [Nobelium]
The query looks for users or service principals that attached an uncommon credential type to application.
Add Windows Capability Via PowerShell Cmdlet
Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others.
Add Windows Capability Via PowerShell Script
Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others.
Added Credentials to Existing Application
Detects when a new credential is added to an existing application. Any additional credentials added outside of expected processes could be a malicious actor using those credentials.
Added Owner To Application
Detects when a new owner is added to an application. This gives that account privileges to make modifications and configuration changes to the application.
Adding Hidden File Attribute via Attrib
Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection.
AddinUtil.EXE Execution From Uncommon Directory
Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) from a non-standard directory.
Addition of SID History to Active Directory Object
An attacker can use the SID history attribute to gain additional privileges.
ADExplorer Writing Complete AD Snapshot Into .dat File
Detects the dual use tool ADExplorer writing a complete AD snapshot into a .dat file. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.
AdFind Command Activity
This rule detects the Active Directory query tool, AdFind.exe. AdFind has legitimate purposes, but it is frequently leveraged by threat actors to perform post-exploitation Active Directory reconnaissance. The AdFind tool has been observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule requires Sysmon.
ADFS Database Named Pipe Connection By Uncommon Tool
Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database). Used to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens.
Admin User Remote Logon
Detect remote login by Administrator user (depending on internal pattern).
Administrator Privileges Assigned to an Okta Group
Detects when an administrator role is assigned to an Okta group. An adversary may attempt to assign administrator privileges to an Okta group in order to assign additional permissions to compromised user accounts and maintain access to their target organization.
AdminSDHolder Backdoor
Detects modifications in the AdminSDHolder object. Attackers can abuse the SDProp process to implement a persistent backdoor in Active Directory. SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, regaining their Administrative Privileges.
AdminSDHolder SDProp Exclusion Added
Identifies a modification on the dsHeuristics attribute on the bit that holds the configuration of groups excluded from the SDProp process. The SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, meaning that groups excluded will remain unchanged. Attackers can abuse this misconfiguration to maintain long-term access to privileged accounts in these groups.
Adobe branded PDF file linking to a password-protected file from untrusted sender
Detects pdf files with links to a remotely hosted password-protected file. This is a common technique abused by Phishing actors as well as Malware actors (IcedID, Remcos, Async Rat)
Adobe ColdFusion Access Control Bypass
The following analytic detects potential exploitation attempts against Adobe ColdFusion vulnerabilities CVE-2023-29298 and CVE-2023-26360. It monitors requests to specific ColdFusion Administrator endpoints, especially those with an unexpected additional forward slash, using the Web datamodel. This activity is significant for a SOC as it indicates attempts to bypass access controls, which can lead to unauthorized access to ColdFusion administration endpoints. If confirmed malicious, this could result in data theft, brute force attacks, or further exploitation of other vulnerabilities, posing a serious security risk to the environment.