EXPLORE DETECTIONS
Invoke-Obfuscation Via Use Rundll32 - PowerShell Module
Detects Obfuscated Powershell via use Rundll32 in Scripts
Invoke-Obfuscation Via Use Rundll32 - Security
Detects Obfuscated Powershell via use Rundll32 in Scripts
Invoke-Obfuscation Via Use Rundll32 - System
Detects Obfuscated Powershell via use Rundll32 in Scripts
ISATAP Router Address Was Set
Detects the configuration of a new ISATAP router on a Windows host. While ISATAP is a legitimate Microsoft technology for IPv6 transition, unexpected or unauthorized ISATAP router configurations could indicate a potential IPv6 DNS Takeover attack using tools like mitm6. In such attacks, adversaries advertise themselves as DHCPv6 servers and set malicious ISATAP routers to intercept traffic. This detection should be correlated with network baselines and known legitimate ISATAP deployments in your environment.
ISO File Created Within Temp Folders
Detects the creation of a ISO file in the Outlook temp folder or in the Appdata temp folder. Typical of Qakbot TTP from end-July 2022.
ISO Image Mounted
Detects the mount of an ISO image on an endpoint
ISO or Image Mount Indicator in Recent Files
Detects the creation of recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks. This can be a false positive on server systems but on workstations users should rarely mount .iso or .img files.
JAMF MDM Execution
Detects execution of the "jamf" binary to create user accounts and run commands. For example, the binary can be abused by attackers on the system in order to bypass security controls or remove application control polices.
JAMF MDM Potential Suspicious Child Process
Detects potential suspicious child processes of "jamf". Could be a sign of potential abuse of Jamf as a C2 server as seen by Typhon MythicAgent.
Java Payload Strings
Detects possible Java payloads in web access logs
Java Running with Remote Debugging
Detects a JAVA process running with remote debugging allowing more than just localhost to connect
JexBoss Command Sequence
Detects suspicious command sequence that JexBoss
JNDIExploit Pattern
Detects exploitation attempt using the JNDI-Exploit-Kit
JScript Compiler Execution
Detects the execution of the "jsc.exe" (JScript Compiler). Attacker might abuse this in order to compile JScript files on the fly and bypassing application whitelisting.
Juniper BGP Missing MD5
Detects juniper BGP missing MD5 digest. Which may be indicative of brute force attacks to manipulate routing.
JXA In-memory Execution Via OSAScript
Detects possible malicious execution of JXA in-memory via OSAScript
Kaspersky Endpoint Security Stopped Via CommandLine - Linux
Detects execution of the Kaspersky init.d stop script on Linux systems either directly or via systemctl. This activity may indicate a manual interruption of the antivirus service by an administrator, or it could be a sign of potential tampering or evasion attempts by malicious actors.
Kavremover Dropped Binary LOLBIN Usage
Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.
Kerberoasting Activity - Initial Query
This rule will collect the data needed to start looking into possible kerberoasting activity. Further analysis or computation within the query is needed focusing on requests from one specific host/IP towards multiple service names within a time period of 5 seconds. You can then set a threshold for the number of requests and time between the requests to turn this into an alert.
Kerberos Manipulation
Detects failed Kerberos TGT issue operation. This can be a sign of manipulations of TGT messages by an attacker.
Kerberos Network Traffic RC4 Ticket Encryption
Detects kerberos TGS request using RC4 encryption which may be indicative of kerberoasting
Kernel Memory Dump Via LiveKD
Detects execution of LiveKD with the "-m" flag to potentially dump the kernel memory
KrbRelayUp Service Installation
Detects service creation from KrbRelayUp tool used for privilege escalation in Windows domain environments where LDAP signing is not enforced (the default settings)
Kubernetes Admission Controller Modification
Detects when a modification (create, update or replace) action is taken that affects mutating or validating webhook configurations, as they can be used by an adversary to achieve persistence or exfiltrate access credentials.