EXPLORE DETECTIONS
Adobe ColdFusion Unauthenticated Arbitrary File Read
The following analytic detects potential exploitation of the Adobe ColdFusion vulnerability, CVE-2023-26360, which allows unauthenticated arbitrary file read. It monitors POST requests to the "/cf_scripts/scripts/ajax/ckeditor/*" endpoint using the Web datamodel. This activity can be significant due to the vulnerability's high CVSS score of 9.8, indicating severe risk. If confirmed malicious, it could lead to unauthorized data access, further attacks, or severe operational disruptions.
ADS Zone.Identifier Deleted By Uncommon Application
Detects the deletion of the "Zone.Identifier" ADS by an uncommon process. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps.
ADSI-Cache File Creation By Uncommon Tool
Detects the creation of an "Active Directory Schema Cache File" (.sch) file by an uncommon tool.
AdsiSearcher Account Discovery
The following analytic detects the use of the `[Adsisearcher]` type accelerator in PowerShell to query Active Directory for domain users. It leverages PowerShell Script Block Logging (EventCode=4104) to identify script blocks containing `[adsisearcher]`, `objectcategory=user`, and `.findAll()`. This activity is significant as it may indicate an attempt by adversaries or Red Teams to enumerate domain users for situational awareness and Active Directory discovery. If confirmed malicious, this could lead to further reconnaissance, privilege escalation, or lateral movement within the network.
Advance Fee Fraud (AFF) from freemail provider or suspicious TLD
Advance Fee Fraud (AFF) is a type of BEC/Fraud involving upfront fees for promised future returns, such as lottery scams, inheritance payouts, and investment opportunities. This rule identifies messages from freemail domains or suspicious TLDs, including those with suspicious reply-to addresses. It utilizes Natural Language Understanding to detect AFF language in message contents.
Advanced IP or Port Scanner Execution
The following analytic detects the execution of network scanning utilities such as Advanced IP Scanner or Advanced Port Scanner. These legitimate administrative tools are often leveraged by threat actors and ransomware operators during the discovery phase to enumerate active hosts and open ports within a target environment. Detection is based on process creation telemetry referencing known executable names, original file names, or specific command-line parameters such as "/portable" and "/lng" that are characteristic of these tools. If confirmed malicious, this activity may indicate internal reconnaissance aimed at identifying reachable systems or services prior to lateral movement or further post-compromise actions.
Advanced IP Scanner - File Event
Detects the use of Advanced IP Scanner. It appears to be a popular tool among ransomware groups.
Adversary Behavior - Detected - Elastic Endgame
Elastic Endgame detected an Adversary Behavior. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.
Adwind RAT / JRAT File Artifact
Detects javaw.exe in the AppData folder, as used by Adwind / JRAT.
Agent Spoofing - Multiple Hosts Using Same Agent
Detects when multiple hosts are using the same agent ID. This could occur in the event of an agent being taken over and used to inject illegitimate documents into an instance in an attempt to spoof events, masking actual activity in order to evade detection.
AgentExecutor PowerShell Execution
Detects execution of the AgentExecutor.exe binary, which can be abused as a LOLBIN to execute PowerShell scripts with the ExecutionPolicy "Bypass", or to execute any binary named "powershell.exe" located in the path provided by the 6th positional argument.
Alerts From Multiple Integrations by Destination Address
This rule uses alert data to determine when multiple alerts from different integrations with unique event categories and involving the same destination.ip are triggered. Analysts can use this to prioritize triage and response, as these IP addresses are more likely to be related to a compromise.
Alerts From Multiple Integrations by Source Address
This rule uses alert data to determine when multiple alerts from different integrations with unique event categories and involving the same source.ip are triggered. Analysts can use this to prioritize triage and response, as these IP addresses are more likely to be related to a compromise.
Alerts From Multiple Integrations by User Name
This rule uses alert data to determine when multiple alerts from different integrations with unique event categories and involving the same user.name are triggered. Analysts can use this to prioritize triage and response, as these users are more likely to be compromised.
Alerts in Different ATT&CK Tactics by Host
This rule uses alert data to determine when multiple alerts in different phases of an attack involving the same host are triggered and where the accumulated risk score is higher than a defined threshold. Analysts can use this to prioritize triage and response, as these hosts are more likely to be compromised.
All Backups Deleted Via Wbadmin.EXE
Detects the deletion of all backups or system state backups via "wbadmin.exe". This technique is used by numerous ransomware families and actors. This may only be successful on server platforms that have Windows Backup enabled.
All Rules Have Been Deleted From The Windows Firewall Configuration
Detects when all rules have been deleted from the Windows Defender Firewall configuration.
Allow File And Printing Sharing In Firewall
The following analytic detects the modification of firewall settings to allow file and printer sharing. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving 'netsh' commands that enable file and printer sharing. This activity is significant because it can indicate an attempt by ransomware to discover and encrypt files on additional machines connected to the compromised host. If confirmed malicious, this could lead to widespread file encryption across the network, significantly increasing the impact of a ransomware attack.
Allow Inbound Traffic By Firewall Rule Registry
The following analytic detects suspicious modifications to firewall rule registry settings that allow inbound traffic on specific ports with a public profile. It leverages data from the Endpoint.Registry data model, focusing on registry paths and values indicative of such changes. This activity is significant as it may indicate an adversary attempting to grant remote access to a machine by modifying firewall rules. If confirmed malicious, this could enable unauthorized remote access, potentially leading to further exploitation, data exfiltration, or lateral movement within the network.
Allow Inbound Traffic In Firewall Rule
The following analytic detects a suspicious PowerShell command that allows inbound traffic to a specific local port within the public profile. It leverages PowerShell script block logging (EventCode 4104) to identify commands containing keywords like "firewall," "Inbound," "Allow," and "-LocalPort." This activity is significant because it may indicate an attacker attempting to establish remote access by modifying firewall rules. If confirmed malicious, this could allow unauthorized access to the machine, potentially leading to further exploitation and data exfiltration.
Allow Network Discovery In Firewall
The following analytic detects a suspicious modification to the firewall to allow network discovery on a machine. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving the 'netsh' command to enable network discovery. This activity is significant because it is commonly used by ransomware, such as REvil and RedDot, to discover and compromise additional machines on the network. If confirmed malicious, this could lead to widespread file encryption across multiple hosts, significantly amplifying the impact of the ransomware attack.
Allow Operation with Consent Admin
The following analytic detects a registry modification that allows the 'Consent Admin' to perform operations requiring elevation without user consent or credentials. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the 'ConsentPromptBehaviorAdmin' value within the Windows Policies System registry path. This activity is significant as it indicates a potential privilege escalation attempt, which could allow an attacker to execute high-privilege tasks without user approval. If confirmed malicious, this could lead to unauthorized administrative access and control over the compromised machine, posing a severe security risk.
Allow RDP Remote Assistance Feature
Detects enabling of the RDP Remote Assistance feature to allow a specific user to connect via RDP to the targeted machine.
Allow Service Access Using Security Descriptor Tampering Via Sc.EXE
Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs.