EXPLORE DETECTIONS
Suspicious Activity Reported by Okta User
Detects when a user reports suspicious activity for their Okta account. These events should be investigated, as they can help security teams identify when an adversary is attempting to gain access to their network.
Suspicious Antimalware Scan Interface DLL
Identifies the creation of the Antimalware Scan Interface (AMSI) DLL in an unusual location. This may indicate an attempt to bypass AMSI by loading a rogue AMSI module instead of the legit one.
Suspicious Apple Mail Rule Plist Modification
Detects suspicious creation or modification of the Apple Mail SyncedRules plist file by a non-Mail application. An adversary could establish persistence by creating or modifying an Apple Mail rule to point to a script file on disk, which will execute when an email matching the trigger is received.
Suspicious APT Package Manager Execution
Detects suspicious process events executed by the APT package manager, potentially indicating persistence through an APT backdoor. In Linux, APT (Advanced Package Tool) is a command-line utility used for handling packages on Debian-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor APT to gain persistence by injecting malicious code into scripts that APT runs, thereby ensuring continued unauthorized access or control each time APT is used for package management.
Suspicious APT Package Manager Network Connection
Detects suspicious network events executed by the APT package manager, potentially indicating persistence through an APT backdoor. In Linux, APT (Advanced Package Tool) is a command-line utility used for handling packages on Debian-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor APT to gain persistence by injecting malicious code into scripts that APT runs, thereby ensuring continued unauthorized access or control each time APT is used for package management.
Suspicious Automator Workflows Execution
Identifies the execution of the Automator Workflows process followed by a network connection from it's XPC service. Adversaries may drop a custom workflow template that hosts malicious JavaScript for Automation (JXA) code as an alternative to using osascript.
Suspicious AWS S3 Connection via Script Interpreter
Detects when a script interpreter (osascript, Node.js, Python) with minimal arguments makes an outbound connection to AWS S3 or CloudFront domains. Threat actors have used S3 buckets for both command and control and data exfiltration. Script interpreters connecting to cloud storage should be investigated for potential malicious activity.
Suspicious Browser Child Process
Identifies the execution of a suspicious browser child process. Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation.
Suspicious Calendar File Modification
Identifies suspicious modifications of the calendar file by an unusual process. Adversaries may create a custom calendar notification procedure to execute a malicious program at a recurring interval to establish persistence.
Suspicious CertUtil Commands
Identifies suspicious commands being used with certutil.exe. CertUtil is a native Windows component which is part of Certificate Services. CertUtil is often abused by attackers to live off the land for stealthier command and control or data exfiltration.
Suspicious Child Execution via Web Server
Identifies suspicious child processes executed via a web server, which may suggest a vulnerability and remote shell access. Attackers may exploit a vulnerability in a web application to execute commands via a web server, or place a backdoor file that can be abused to gain code execution as a mechanism for persistence.
Suspicious Child Process of Adobe Acrobat Reader Update Service
Detects attempts to exploit privilege escalation vulnerabilities related to the Adobe Acrobat Reader PrivilegedHelperTool responsible for installing updates. For more information, refer to CVE-2020-9615, CVE-2020-9614 and CVE-2020-9613 and verify that the impacted system is patched.
Suspicious Cmd Execution via WMI
Identifies suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement.
Suspicious Command Prompt Network Connection
Identifies a network connection by the command prompt (cmd.exe) when it is executed with specific arguments, such as a script or a URL, or when it is spawned by Microsoft Office applications. Adversaries often abuse cmd.exe to download malicious payloads or establish command and control channels from a remote source.
Suspicious Communication App Child Process
Identifies suspicious child processes of communications apps, which can indicate a potential masquerading as the communication app or the exploitation of a vulnerability on the application causing it to execute code.
Suspicious Content Extracted or Decompressed via Funzip
Identifies when suspicious content is extracted from a file and subsequently decompressed using the funzip utility. Malware may execute the tail utility using the "-c" option to read a sequence of bytes from the end of a file. The output from tail can be piped to funzip in order to decompress malicious code before it is executed. This behavior is consistent with malware families such as Bundlore.
Suspicious CronTab Creation or Modification
Identifies attempts to create or modify a crontab via a process that is not crontab (i.e python, osascript, etc.). This activity should not be highly prevalent and could indicate the use of cron as a persistence mechanism by a threat actor.
Suspicious Curl from macOS Application
Detects the use of curl by a macOS application binary to connect to a raw IP URI and download a second stage payload. Threat actors often utilize a benign looking or legitimate application as a first stage dropper. Curl is commonly used as it doesn't enforce Gatekeeper checks.
Suspicious Curl to Google App Script Endpoint
Detects the use of curl to a Google Script endpoint for the purpose of downloading a second stage payload or tool. Threat actors utilize exposed Google Script endpoints to host payloads as Google URLs are generally whitelisted and bypass security controls.
Suspicious Curl to Jamf Endpoint
Detects curl requests to JAMF Pro endpoints from suspicious processes like unsigned binaries or scripting interpreters. This indicates potential abuse of stolen JAMF credentials for lateral movement in enterprise macOS environments.
Suspicious Data Encryption via OpenSSL Utility
Identifies when the openssl command-line utility is used to encrypt multiple files on a host within a short time window. Adversaries may encrypt data on a single or multiple systems in order to disrupt the availability of their target's data and may attempt to hold the organization's data to ransom for the purposes of extortion.
Suspicious DLL Loaded for Persistence or Privilege Escalation
Identifies the loading of a non Microsoft signed DLL that is missing on a default Windows install (phantom DLL) or one that can be loaded from a different location by a native Windows process. This may be abused to persist or elevate privileges via privileged file write vulnerabilities.
Suspicious Dynamic Linker Discovery via od
Monitors for dynamic linker discovery via the od utility. od (octal dump) is a command-line utility in Unix operating systems used for displaying data in various formats, including octal, hexadecimal, decimal, and ASCII, primarily used for examining and debugging binary files or data streams. Attackers can leverage od to analyze the dynamic linker by identifying injection points and craft exploits based on the observed behaviors and structures within these files.
Suspicious Echo or Printf Execution Detected via Defend for Containers
This rule detects the execution of the echo/printf command to write data to potential persistence files, decode base64/32/16 and hex content or establish connections to a potential C2. The echo/printf commands are used to display a line of text or write data to a file. Threat actors may abuse the echo/printf commands to write data to files or file descriptors that are executed (by other processes or services) to establish persistence or escalate privileges.