EXPLORE DETECTIONS
Screensaver Plist File Modified by Unexpected Process
Identifies when a screensaver plist file is modified by an unexpected process. An adversary can maintain persistence on a macOS endpoint by creating a malicious screensaver (.saver) file and configuring the screensaver plist file to execute code each time the screensaver is activated.
Script Execution via Microsoft HTML Application
Identifies the execution of scripts via HTML applications using Windows utilities rundll32.exe or mshta.exe. Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed binaries.
Script Interpreter Connection to Non-Standard Port
Detects the execution of a script interpreter followed by an outbound network connection to a raw IP address on a non-standard port. Many initial access scripts and malware implants connect directly to C2 or payload servers using non-standard ports to avoid detection.
Searching for Saved Credentials via VaultCmd
Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation for lateral movement.
Security File Access via Common Utilities
This rule detects sensitive security file access via common utilities on Linux systems. Adversaries may attempt to read from sensitive files using common utilities to gather information about the system and its security configuration.
Security Software Discovery via Grep
Identifies the use of the grep command to discover known third-party macOS and Linux security tools, such as antivirus or host firewall details.
SeDebugPrivilege Enabled by a Suspicious Process
Identifies a process running with a non-SYSTEM account that enables the SeDebugPrivilege privilege. Adversaries may enable this privilege to debug and modify other processes, typically reserved for system-level tasks, to escalate privileges and bypass access controls.
SELinux Configuration Creation or Renaming
This rule detects the creation or renaming of the SELinux configuration file. SELinux is a security module that provides access control security policies. Modifications to the SELinux configuration file may indicate an attempt to impair defenses by disabling or modifying security tools.
Sensitive Audit Policy Sub-Category Disabled
Identifies attempts to disable auditing for some security-sensitive audit policy sub-categories. This is often done by attackers in an attempt to evade detection and forensics on a system.
Sensitive File Access followed by Compression
Detects when a sensitive file is accessed followed by the immediate creation of a compressed file in a suspicious location. This activity can indicate an attempt to collect sensitive local data and stage it for exfiltration.
Sensitive File Compression Detected via Defend for Containers
Identifies the use of a compression utility to collect known files containing sensitive information, such as credentials and system configurations inside a container.
Sensitive Files Compression
Identifies the use of a compression utility to collect known files containing sensitive information, such as credentials and system configurations.
Sensitive Files Compression Inside A Container
Identifies the use of a compression utility to collect known files containing sensitive information, such as credentials and system configurations inside a container.
Sensitive Keys Or Passwords Search Detected via Defend for Containers
This rule detects the use of system search utilities like grep and find to search for private SSH keys or passwords inside a container. Unauthorized access to these sensitive files could lead to further compromise of the container environment or facilitate a container breakout to the underlying host machine.
Sensitive Keys Or Passwords Searched For Inside A Container
This rule detects the use of system search utilities like grep and find to search for private SSH keys or passwords inside a container. Unauthorized access to these sensitive files could lead to further compromise of the container environment or facilitate a container breakout to the underlying host machine.
Sensitive Privilege SeEnableDelegationPrivilege assigned to a User
Identifies the assignment of the SeEnableDelegationPrivilege sensitive "user right" to a user. The SeEnableDelegationPrivilege "user right" enables computer and user accounts to be trusted for delegation. Attackers can abuse this right to compromise Active Directory accounts and elevate their privileges.
Sensitive Registry Hive Access via RegBack
Identifies attempts to access, from the registry backup folder (RegBack), sensitive registry hives that contain credentials.
SentinelOne Alert External Alerts
Generates a detection alert for each SentinelOne alert written to the configured indices. Enabling this rule allows you to immediately begin investigating SentinelOne alerts in the app.
SentinelOne Threat External Alerts
Generates a detection alert for each SentinelOne threat written to the configured indices. Enabling this rule allows you to immediately begin investigating SentinelOne threat alerts in the app.
Service Account Namespace Read Detected via Defend for Containers
This rule detects the reading of the service account namespace file inside a container. The service account namespace file is used to identify the namespace of the container in which it is running, and may be used by an adversary to get a better understanding of the container and the services running inside it.
Service Account Token or Certificate Access Followed by Kubernetes API Request
This rule leverages a combination of Defend for Containers and Kubernetes audit logs to detect access to the service account token or certificate followed by the execution of a direct interactive Kubernetes API request. An adversary may need to access the service account token or certificate to gain access to the Kubernetes API server or other resources within the cluster. These requests are often used to enumerate the Kubernetes API server or other resources within the cluster, and may indicate an attempt to move laterally within the cluster.
Service Account Token or Certificate Read Detected via Defend for Containers
This rule detects the reading of the service account token or certificate inside a container. The service account token or certificate is used to authenticate the container to the Kubernetes API server, and may be used by an adversary to gain access to the Kubernetes API server or other resources within the cluster. These files are a common target for adversaries to gain access to the cluster.
Service Command Lateral Movement
Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.
Service Control Spawned via Script Interpreter
Identifies Service Control (sc.exe) spawning from script interpreter processes to create, modify, or start services. This can potentially indicate an attempt to elevate privileges or maintain persistence.