EXPLORE DETECTIONS
Antivirus Relevant File Paths Alerts
Detects an Antivirus alert in a highly relevant file path or with a relevant file name. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
Antivirus Web Shell Detection
Detects a highly relevant Antivirus alert that reports a web shell. It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big WebShell repository from e.g. github and checking the matches. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
Anydesk Remote Access Software Service Installation
Detects the installation of the anydesk software service. Which could be an indication of anydesk abuse if you the software isn't already used.
Anydesk Temporary Artefact
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
Apache Segmentation Fault
Detects a segmentation fault error message caused by a crashing apache worker process
Apache Threading Error
Detects an issue in apache logs that reports threading related errors
App Assigned To Azure RBAC/Microsoft Entra Role
Detects when an app is assigned Azure AD roles, such as global administrator, or Azure RBAC roles, such as subscription owner.
App Granted Microsoft Permissions
Detects when an application is granted delegated or app role permissions for Microsoft Graph, Exchange, Sharepoint, or Azure AD
App Granted Privileged Delegated Or App Permissions
Detects when administrator grants either application permissions (app roles) or highly privileged delegated permissions
Application AppID Uri Configuration Changes
Detects when a configuration change is made to an applications AppID URI.
Application Removed Via Wmic.EXE
Detects the removal or uninstallation of an application via "Wmic.EXE".
Application Terminated Via Wmic.EXE
Detects calls to the "terminate" function via wmic in order to kill an application
Application Uninstalled
An application has been removed. Check if it is critical.
Application URI Configuration Changes
Detects when a configuration change is made to an applications URI. URIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are no unique to that app, or URIs that point to domains you do not control should be investigated.
Application Using Device Code Authentication Flow
Device code flow is an OAuth 2.0 protocol flow specifically for input constrained devices and is not used in all environments. If this type of flow is seen in the environment and not being used in an input constrained device scenario, further investigation is warranted. This can be a misconfigured application or potentially something malicious.
Applications That Are Using ROPC Authentication Flow
Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly. The application then uses those credentials to authenticate the user against the identity provider.
AppLocker Prevented Application or Script from Running
Detects when AppLocker prevents the execution of an Application, DLL, Script, MSI, or Packaged-App from running.
AppX Located in Known Staging Directory Added to Deployment Pipeline
Detects an appx package that was added to the pipeline of the "to be processed" packages that is located in a known folder often used as a staging directory.
AppX Located in Uncommon Directory Added to Deployment Pipeline
Detects an appx package that was added to the pipeline of the "to be processed" packages that is located in uncommon locations.
AppX Package Deployment Failed Due to Signing Requirements
Detects an appx package deployment / installation with the error code "0x80073cff" which indicates that the package didn't meet the signing requirements.
AppX Package Installation Attempts Via AppInstaller.EXE
Detects DNS queries made by "AppInstaller.EXE". The AppInstaller is the default handler for the "ms-appinstaller" URI. It attempts to load/install a package from the referenced URL
APT User Agent
Detects suspicious user agent strings used in APT malware in proxy logs
Arbitrary Binary Execution Using GUP Utility
Detects execution of the Notepad++ updater (gup) to launch other commands or executables
Arbitrary Command Execution Using WSL
Detects potential abuse of Windows Subsystem for Linux (WSL) binary as a Living of the Land binary in order to execute arbitrary Linux or Windows commands.