EXPLORE DETECTIONS
Mstsc.EXE Execution From Uncommon Parent
Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations.
Mstsc.EXE Execution With Local RDP File
Detects potential RDP connection via Mstsc using a local ".rdp" file
Msxsl.EXE Execution
Detects the execution of the MSXSL utility. This can be used to execute Extensible Stylesheet Language (XSL) files. These files are commonly used to describe the processing and rendering of data within XML files. Adversaries can abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.
Multi Factor Authentication Disabled For User Account
Detects changes to the "StrongAuthenticationRequirement" value, where the state is set to "0" or "Disabled". Threat actors were seen disabling multi factor authentication for users in order to maintain or achieve access to the account. Also see in SIM Swap attacks.
Multifactor Authentication Denied
User has indicated they haven't instigated the MFA prompt and could indicate an attacker has the password for the account.
Multifactor Authentication Interrupted
Identifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can't pass the MFA challenge.
Named Pipe Created Via Mkfifo
Detects the creation of a new named pipe using the "mkfifo" utility
Narrator's Feedback-Hub Persistence
Detects abusing Windows 10 Narrator's Feedback-Hub
NET NGenAssemblyUsageLog Registry Key Tamper
Detects changes to the NGenAssemblyUsageLog registry key. .NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section). By simplify specifying an arbitrary value (e.g. fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.
Net WebClient Casing Anomalies
Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. nEt.WEbCliEnT) string as used in obfuscation techniques
Net.EXE Execution
Detects execution of "Net.EXE".
Netcat The Powershell Version
Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network
NetNTLM Downgrade Attack
Detects NetNTLM downgrade attack
NetNTLM Downgrade Attack - Registry
Detects NetNTLM downgrade attack
Netsh Allow Group Policy on Microsoft Defender Firewall
Adversaries may modify system firewalls in order to bypass controls limiting network usage
NetSupport Manager Service Install
Detects NetSupport Manager service installation on the target system.
Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder
Detects executables located in potentially suspicious directories initiating network connections towards file sharing domains.
Network Communication Initiated To Portmap.IO Domain
Detects an executable accessing the portmap.io domain, which could be a sign of forbidden C2 traffic or data exfiltration by malicious actors
Network Communication With Crypto Mining Pool
Detects initiated network connections to crypto mining pools
Network Connection Initiated By AddinUtil.EXE
Detects a network connection initiated by the Add-In deployment cache updating utility "AddInutil.exe". This could indicate a potential command and control communication as this tool doesn't usually initiate network activity.
Network Connection Initiated By Eqnedt32.EXE
Detects network connections from the Equation Editor process "eqnedt32.exe".
Network Connection Initiated By IMEWDBLD.EXE
Detects a network connection initiated by IMEWDBLD.EXE. This might indicate potential abuse of the utility as a LOLBIN in order to download arbitrary files or additional payloads.
Network Connection Initiated By PowerShell Process
Detects a network connection that was initiated from a PowerShell process. Often times malicious powershell scripts download additional payloads or communicate back to command and control channels via uncommon ports or IPs. Use this rule as a basis for hunting for anomalies.
Network Connection Initiated By Regsvr32.EXE
Detects a network connection initiated by "Regsvr32.exe"