EXPLORE DETECTIONS
Alternate PowerShell Hosts - PowerShell Module
Detects PowerShell running inside a host other than powershell.exe, using PowerShell module logging; such alternate hosts can bypass detections that only look for powershell.exe
Alternate PowerShell Hosts Pipe
Detects PowerShell running inside a host other than powershell.exe, using named pipe creation events; such alternate hosts can bypass detections that only look for powershell.exe
Always Install Elevated MSI Spawned Cmd And Powershell
Detects the Windows Installer service (msiexec.exe) spawning "cmd" or "powershell", which under the AlwaysInstallElevated policy runs with SYSTEM privileges
Always Install Elevated Windows Installer
Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege
AMSI Bypass Pattern Assembly GetType
Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts
AMSI Disabled via Registry Modification
Detects attempts to disable AMSI (Anti-Malware Scan Interface) by modifying the AmsiEnable registry value. Anti-Malware Scan Interface (AMSI) is a security feature in Windows that allows applications and services to integrate with anti-malware products for enhanced protection against malicious content. Adversaries may attempt to disable AMSI to evade detection by security software, allowing them to execute malicious scripts or code without being scanned.
Amsi.DLL Loaded Via LOLBIN Process
Detects loading of "Amsi.dll" by a living-off-the-land (LOLBIN) process. This could be an indication of a "PowerShell without PowerShell" attack
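To show how three of the entries above (Alternate PowerShell Hosts Pipe, Always Install Elevated MSI Spawned Cmd And Powershell, and AMSI Disabled via Registry Modification) translate into matching logic, here is an added example that is not part of this catalog or of the Sigma project. It runs simplified versions of those rules over a handful of constructed Sysmon-style events (pipe creation, process creation, registry value set). The field names follow Sysmon's naming, the event records and SIDs are made up for the demo, the filter lists are reduced compared to the real rules, and the exclusion of pwsh.exe as a legitimate host is an assumption.

```python
"""Simplified detection pass over constructed Sysmon-style events.

Added example; not the catalog's or Sigma's own code. Events are
constructed inline and the matching logic is a reduced form of the
three rules named in the lead-in.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple

Event = Dict[str, object]


@dataclass
class Rule:
    title: str
    event_id: int                  # Sysmon EventID the rule applies to
    match: Callable[[Event], bool]


def _endswith_any(value: str, suffixes: Iterable[str]) -> bool:
    """Case-insensitive 'endswith' over several candidate suffixes."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


# Images that legitimately own a PSHost pipe (pwsh.exe is an assumption).
POWERSHELL_HOSTS = ("\\powershell.exe", "\\powershell_ise.exe", "\\pwsh.exe")


def alternate_ps_host_pipe(ev: Event) -> bool:
    # Every PowerShell host creates a named pipe \PSHost.<...>; a pipe with
    # that prefix owned by a non-PowerShell image means PowerShell is being
    # hosted elsewhere (Sysmon EventID 17, pipe created).
    return (str(ev.get("PipeName", "")).startswith("\\PSHost")
            and not _endswith_any(str(ev.get("Image", "")), POWERSHELL_HOSTS))


def msiexec_spawned_shell(ev: Event) -> bool:
    # Process creation (EventID 1) where the Windows Installer service is the
    # parent of cmd.exe or powershell.exe.
    return (_endswith_any(str(ev.get("ParentImage", "")), ("\\msiexec.exe",))
            and _endswith_any(str(ev.get("Image", "")),
                              ("\\cmd.exe", "\\powershell.exe")))


def amsi_disabled_via_registry(ev: Event) -> bool:
    # Registry value set (EventID 13): AmsiEnable written as DWORD 0 under
    # ...\Microsoft\Windows Script\Settings disables AMSI for script hosts.
    return (_endswith_any(str(ev.get("TargetObject", "")),
                          ("\\Microsoft\\Windows Script\\Settings\\AmsiEnable",))
            and ev.get("Details", "") == "DWORD (0x00000000)")


RULES = [
    Rule("Alternate PowerShell Hosts Pipe", 17, alternate_ps_host_pipe),
    Rule("Always Install Elevated MSI Spawned Cmd And Powershell", 1, msiexec_spawned_shell),
    Rule("AMSI Disabled via Registry Modification", 13, amsi_disabled_via_registry),
]


def run_detections(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, rule title) for every rule that fires."""
    hits = []
    for idx, ev in enumerate(events):
        for rule in RULES:
            if ev.get("EventID") == rule.event_id and rule.match(ev):
                hits.append((idx, rule.title))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 17, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "PipeName": "\\PSHost.133503117000000000.4120.DefaultAppDomain.powershell"},   # benign
    {"EventID": 17, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe",
     "PipeName": "\\PSHost.133503117100000000.5284.DefaultAppDomain.updater"},      # alternate host
    {"EventID": 1, "ParentImage": "C:\\Windows\\System32\\msiexec.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"},  # MSI -> cmd
    {"EventID": 1, "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"},           # benign
    {"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001"
                                    "\\SOFTWARE\\Microsoft\\Windows Script\\Settings\\AmsiEnable",
     "Details": "DWORD (0x00000000)"},                                               # AMSI off
    {"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001"
                                    "\\SOFTWARE\\Microsoft\\Windows Script\\Settings\\AmsiEnable",
     "Details": "DWORD (0x00000001)"},                                               # AMSI on
    {"EventID": 17, "Image": "C:\\Windows\\System32\\cmd.exe",
     "PipeName": "\\mojo.5312.8832.1234567890"},                                     # unrelated pipe
]


if __name__ == "__main__":
    for idx, title in run_detections(SAMPLE_EVENTS):
        print(f"event {idx}: {title}")
```

Only events 1, 2 and 4 fire. The two AmsiEnable events differ only in the written value, which is why the rule keys on the Details field and not just on the key path; the real rules carry longer exclusion lists (for example, additional legitimate parent processes), so treat this as the shape of the logic rather than a drop-in replacement.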
Anomalous Token
Indicates that there are abnormal characteristics in the token, such as an unusual token lifetime or a token that is replayed from an unfamiliar location.
Anomalous User Activity
Indicates that there are anomalous patterns of behavior like suspicious changes to the directory.
Anonymous IP Address
Indicates sign-ins from an anonymous IP address, for example, using an anonymous browser or VPN.
Antivirus Exploitation Framework Detection
Detects a highly relevant Antivirus alert that reports an exploitation framework. Do not dismiss this event just because the AV blocked the malware; investigate how it got there in the first place.
Antivirus Filter Driver Disallowed On Dev Drive - Registry
Detects activity that indicates a user disabling the ability for Antivirus mini filter to inspect a "Dev Drive".
Antivirus Hacktool Detection
Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool. Do not dismiss this event just because the AV blocked the malware; investigate how it got there in the first place.
Antivirus Password Dumper Detection
Detects a highly relevant Antivirus alert that reports a password dumper. Do not dismiss this event just because the AV blocked the malware; investigate how it got there in the first place.
Antivirus Ransomware Detection
Detects a highly relevant Antivirus alert that reports ransomware. Do not dismiss this event just because the AV blocked the malware; investigate how it got there in the first place.
Antivirus Relevant File Paths Alerts
Detects an Antivirus alert in a highly relevant file path or with a relevant file name. Do not dismiss this event just because the AV blocked the malware; investigate how it got there in the first place.
Antivirus Web Shell Detection
Detects a highly relevant Antivirus alert that reports a web shell. It is highly recommended to tune this rule to the specific detection names used by your antivirus solution, for example by downloading a large web shell repository from GitHub and checking which signatures match. Do not dismiss this event just because the AV blocked the malware; investigate how it got there in the first place.
Anydesk Remote Access Software Service Installation
Detects the installation of the AnyDesk software service, which could indicate AnyDesk abuse if the software is not already in use in your environment.
Anydesk Temporary Artefact
An adversary may use legitimate desktop support and remote access software, such as TeamViewer, Go2Assist, LogMeIn, Ammyy Admin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and TeamViewer are used frequently by adversaries when compared with other legitimate software. (Citation: Symantec Living off the Land)
Apache Segmentation Fault
Detects a segmentation fault error message caused by a crashing apache worker process
Apache Threading Error
Detects an issue in Apache logs that reports threading-related errors
App Assigned To Azure RBAC/Microsoft Entra Role
Detects when an app is assigned Azure AD roles, such as global administrator, or Azure RBAC roles, such as subscription owner.
App Granted Microsoft Permissions
Detects when an application is granted delegated or app role permissions for Microsoft Graph, Exchange, SharePoint, or Azure AD
App Granted Privileged Delegated Or App Permissions
Detects when an administrator grants either application permissions (app roles) or highly privileged delegated permissions