EXPLORE DETECTIONS
HKTL - SharpSuccessor Privilege Escalation Tool Execution
Detects the execution of SharpSuccessor, a tool used to exploit the BadSuccessor attack for privilege escalation in WinServer 2025 Active Directory environments. Successful usage of this tool can let attackers gain domain admin privileges by exploiting the BadSuccessor vulnerability.
HTML File Opened From Download Folder
Detects a web browser process opening an HTML file from a user's Downloads folder. This behavior could be associated with phishing attacks where threat actors send HTML attachments to users. When a user opens such an attachment, it can lead to the execution of malicious scripts or the download of malware. During investigation, analyze the HTML file for embedded scripts or links, check for any subsequent downloads or process executions, and investigate the source of the email or message containing the attachment.
HTML Help HH.EXE Suspicious Child Process
Detects a suspicious child process of a Microsoft HTML Help (HH.exe)
HTTP Logging Disabled On IIS Server
Detects changes to the IIS server configuration in order to disable HTTP logging for successful requests.
HTTP Request to Low Reputation TLD or Suspicious File Extension
Detects HTTP requests to low reputation TLDs (e.g. .xyz, .top, .ru) or ending in suspicious file extensions (.exe, .dll, .hta), which may indicate malicious activity.
HTTP Request With Empty User Agent
Detects potentially suspicious empty user agent strings in proxy logs. Could potentially indicate an uncommon request method.
Huawei BGP Authentication Failures
Detects BGP failures which may be indicative of brute force attacks to manipulate routing.
HybridConnectionManager Service Installation
Rule to detect the Hybrid Connection Manager service installation.
HybridConnectionManager Service Installation - Registry
Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from an Azure function.
HybridConnectionManager Service Running
Rule to detect the Hybrid Connection Manager service running on an endpoint.
Hypervisor Enforced Paging Translation Disabled
Detects changes to the "DisableHypervisorEnforcedPagingTranslation" registry value where it is set to "1" in order to disable the Hypervisor Enforced Paging Translation feature.
Hypervisor-protected Code Integrity (HVCI) Related Registry Tampering Via CommandLine
Detects the tampering of Hypervisor-protected Code Integrity (HVCI) related registry values via command line tool reg.exe. HVCI uses virtualization-based security to protect code integrity by ensuring that only trusted code can run in kernel mode. Adversaries may tamper with HVCI to load malicious or unsigned drivers, which can be used to escalate privileges, maintain persistence, or evade security mechanisms.
IE Change Domain Zone
Hides the file extension through modification of the registry
IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols
Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.
IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI
Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.
Ie4uinit Lolbin Use From Invalid Path
Detects use of ie4uinit.exe to execute commands from a specially prepared ie4uinit.inf file located in a directory other than the usual directories.
IIS Native-Code Module Command Line Installation
Detects suspicious IIS native-code module installations via command line
IIS WebServer Access Logs Deleted
Detects the deletion of IIS WebServer access logs which may indicate an attempt to destroy forensic evidence
IIS WebServer Log Deletion via CommandLine Utilities
Detects attempts to delete Internet Information Services (IIS) log files via command line utilities, which is a common defense evasion technique used by attackers to cover their tracks. Threat actors often abuse vulnerabilities in web applications hosted on IIS servers to gain initial access and later delete IIS logs to evade detection.
ImagingDevices Unusual Parent/Child Processes
Detects unusual parent or child processes of the ImagingDevices.exe (Windows Contacts) process, as seen being used with Bumblebee activity.
Impacket PsExec Execution
Detects execution of Impacket's psexec.py.
Import LDAP Data Interchange Format File Via Ldifde.EXE
Detects the execution of "Ldifde.exe" with the import flag "-i". This can be abused to include HTTP-based arguments which allow the arbitrary download of files from a remote server.
Import New Module Via PowerShell CommandLine
Detects usage of the "Import-Module" cmdlet in order to add new Cmdlets to the current PowerShell session
Import PowerShell Modules From Suspicious Directories
Detects PowerShell scripts that import modules from suspicious directories.