EXPLORE DETECTIONS
JexBoss Command Sequence
Detects suspicious command sequence that JexBoss
JNDIExploit Pattern
Detects exploitation attempt using the JNDI-Exploit-Kit
JScript Compiler Execution
Detects the execution of "jsc.exe" (the JScript Compiler). Attackers might abuse this to compile JScript files on the fly and bypass application whitelisting.
Juniper BGP Missing MD5
Detects Juniper BGP configurations missing an MD5 digest, which may be indicative of brute-force attacks to manipulate routing.
JXA In-memory Execution Via OSAScript
Detects possible malicious execution of JXA in-memory via OSAScript
Kaspersky Endpoint Security Stopped Via CommandLine - Linux
Detects execution of the Kaspersky init.d stop script on Linux systems either directly or via systemctl. This activity may indicate a manual interruption of the antivirus service by an administrator, or it could be a sign of potential tampering or evasion attempts by malicious actors.
Kavremover Dropped Binary LOLBIN Usage
Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.
Kerberoasting Activity - Initial Query
This rule will collect the data needed to start looking into possible kerberoasting activity. Further analysis or computation within the query is needed focusing on requests from one specific host/IP towards multiple service names within a time period of 5 seconds. You can then set a threshold for the number of requests and time between the requests to turn this into an alert.
Kerberos Manipulation
Detects failed Kerberos TGT issue operation. This can be a sign of manipulations of TGT messages by an attacker.
Kerberos Network Traffic RC4 Ticket Encryption
Detects Kerberos TGS requests using RC4 encryption, which may be indicative of Kerberoasting.
Kernel Memory Dump Via LiveKD
Detects execution of LiveKD with the "-m" flag to potentially dump the kernel memory
KrbRelayUp Service Installation
Detects service creation by the KrbRelayUp tool, used for privilege escalation in Windows domain environments where LDAP signing is not enforced (the default setting).
Kubernetes Admission Controller Modification
Detects when a modification (create, update or replace) action is taken that affects mutating or validating webhook configurations, as they can be used by an adversary to achieve persistence or exfiltrate access credentials.
Kubernetes CronJob/Job Modification
Detects when a Kubernetes CronJob or Job is created or modified. A Kubernetes Job creates one or more pods to accomplish a specific task, and a CronJob creates Jobs on a recurring schedule. An adversary can take advantage of this Kubernetes object to schedule Jobs to run containers that execute malicious code within a cluster, allowing them to achieve persistence.
Kubernetes Events Deleted
Detects when events are deleted in Kubernetes. An adversary may delete Kubernetes events in an attempt to evade detection.
Kubernetes Rolebinding Modification
Detects when a Kubernetes Rolebinding is created or modified.
Kubernetes Secrets Enumeration
Detects enumeration of Kubernetes secrets.
Kubernetes Secrets Modified or Deleted
Detects when Kubernetes Secrets are modified or deleted.
Kubernetes Unauthorized or Unauthenticated Access
Detects when a request to the Kubernetes API is rejected due to lack of authorization or due to an expired authentication token being used. This may indicate an attacker attempting to leverage credentials they have obtained.
Launch Agent/Daemon Execution Via Launchctl
Detects the execution of programs as Launch Agents or Launch Daemons using launchctl on macOS.
Launch-VsDevShell.PS1 Proxy Execution
Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands.
Legitimate Application Dropped Archive
Detects programs on a Windows system that should not write an archive to disk
Legitimate Application Dropped Executable
Detects programs on a Windows system that should not write executables to disk
Legitimate Application Dropped Script
Detects programs on a Windows system that should not write scripts to disk