EXPLORE DETECTIONS
Antivirus - Relevant File Paths Alerts Signature
Detects an Antivirus alert in a highly relevant file path or with a relevant file name. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
Antivirus - Remote Access Tools Signature
Detects a highly relevant Antivirus alert that reports a remote access tool. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
Antivirus - Web Shell Detection Signature
Detects a highly relevant Antivirus alert that reports a web shell. It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big WebShell repository from e.g. github and checking the matches. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
Antivirus Filter Driver Disallowed On Dev Drive - Registry
Detects activity that indicates a user disabling the ability for Antivirus mini filter to inspect a "Dev Drive".
Anydesk Remote Access Software Service Installation
Detects the installation of the anydesk software service. Which could be an indication of anydesk abuse if you the software isn't already used.
Anydesk Temporary Artefact
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
Apache Segmentation Fault
Detects a segmentation fault error message caused by a crashing apache worker process
Apache Threading Error
Detects an issue in apache logs that reports threading related errors
App Assigned To Azure RBAC/Microsoft Entra Role
Detects when an app is assigned Azure AD roles, such as global administrator, or Azure RBAC roles, such as subscription owner.
App Granted Microsoft Permissions
Detects when an application is granted delegated or app role permissions for Microsoft Graph, Exchange, Sharepoint, or Azure AD
App Granted Privileged Delegated Or App Permissions
Detects when administrator grants either application permissions (app roles) or highly privileged delegated permissions
Application AppID Uri Configuration Changes
Detects when a configuration change is made to an applications AppID URI.
Application Removed Via Wmic.EXE
Detects the removal or uninstallation of an application via "Wmic.EXE".
Application Termination Attempt via Wmic.EXE
Detects an attempt to terminate a process via "wmic" with the "call terminate" flag. Adversaries may use wmic to terminate security products or other applications on the compromised host. This event is triggered on on attempt and process creation can be either successful or unsuccessful.
Application Uninstalled
An application has been removed. Check if it is critical.
Application URI Configuration Changes
Detects when a configuration change is made to an applications URI. URIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are no unique to that app, or URIs that point to domains you do not control should be investigated.
Application Using Device Code Authentication Flow
Device code flow is an OAuth 2.0 protocol flow specifically for input constrained devices and is not used in all environments. If this type of flow is seen in the environment and not being used in an input constrained device scenario, further investigation is warranted. This can be a misconfigured application or potentially something malicious.
Applications That Are Using ROPC Authentication Flow
Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly. The application then uses those credentials to authenticate the user against the identity provider.
AppLocker Application Would Have Been Blocked
Detects when AppLocker "Audit only" enforcement mode reports that an Application, DLL, Script, MSI, or Packaged-App would have been blocked if AppLocker "Enforce rules" enforcement mode was enabled.
AppLocker Prevented Application or Script from Running
Detects when AppLocker prevents the execution of an Application, DLL, Script, MSI, or Packaged-App from running.
AppX Located in Known Staging Directory Added to Deployment Pipeline
Detects an appx package that was added to the pipeline of the "to be processed" packages that is located in a known folder often used as a staging directory.
AppX Located in Uncommon Directory Added to Deployment Pipeline
Detects an appx package that was added to the pipeline of the "to be processed" packages that is located in uncommon locations.
AppX Package Deployment Failed Due to Signing Requirements
Detects an appx package deployment / installation with the error code "0x80073cff" which indicates that the package didn't meet the signing requirements.
AppX Package Installation Attempts Via AppInstaller.EXE
Detects DNS queries made by "AppInstaller.EXE". The AppInstaller is the default handler for the "ms-appinstaller" URI. It attempts to load/install a package from the referenced URL