EXPLORE DETECTIONS
Network Sniffing - Linux
Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Network Sniffing - MacOs
Detects the usage of tooling to sniff network traffic. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
New Agent Skills Installation Attempt Via Node.EXE
Detects the attempt to install new skills for AI agents using the "npx skills" command. Agent skills enhance AI agents with new capabilities, but attackers may abuse this mechanism to inject malicious commands executed by the agent on behalf of the user. The "npx skills" command can install skills for various agents (e.g., Claude Code, Cursor, and others). Analysts should review any installed skills to verify their legitimacy. Note: Tune this rule based on whether AI agent tooling is allowed in your environment. In environments where such tooling is authorized, this detection may reflect normal activity and the alert level should be adjusted accordingly. In environments where AI agent tooling is not permitted, this activity is likely suspicious and may require immediate investigation.
New Application in AppCompat
A General detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint.
New AWS Lambda Function URL Configuration Created
Detects when a user creates a Lambda function URL configuration, which could be used to expose the function to the internet and potentially allow unauthorized access to the function's IAM role for AWS API calls. This could give an adversary access to the privileges associated with the Lambda service role that is attached to that function.
New BgInfo.EXE Custom DB Path Registry Configuration
Detects setting of a new registry database value related to BgInfo configuration. Attackers can for example set this value to save the results of the commands executed by BgInfo in order to exfiltrate information.
New BgInfo.EXE Custom VBScript Registry Configuration
Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom VBScript via "BgInfo.exe"
New BgInfo.EXE Custom WMI Query Registry Configuration
Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom WMI query via "BgInfo.exe"
New BITS Job Created Via Bitsadmin
Detects the creation of a new bits job by Bitsadmin
New BITS Job Created Via PowerShell
Detects the creation of a new bits job by PowerShell
New CA Policy by Non-approved Actor
Monitor and alert on conditional access changes.
New Capture Session Launched Via DXCap.EXE
Detects the execution of "DXCap.EXE" with the "-c" flag, which allows a user to launch any arbitrary binary or windows package through DXCap itself. This can be abused to potentially bypass application whitelisting.
New Connection Initiated To Potential Dead Drop Resolver Domain
Detects an executable, which is not an internet browser or known application, initiating network connections to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks. In this context attackers leverage known websites such as "facebook", "youtube", etc. In order to pass through undetected.
New Country
Detects sign-ins from new countries. The detection considers past activity locations to determine new and infrequent locations.
New Cron File Created
Detects the creation of cron files in Cron directories, which could indicate potential persistence mechanisms being established by an attacker. Note that not all cron file creations are malicious - legitimate system administration activities and software installations may also create cron files. This detection should be investigated in context, considering factors such as the user creating the file, the timing of creation, and the contents of the cron job. Focus investigation on unexpected cron files created by non-administrative users or during suspicious timeframes. Additionally, it is recommended to review the contents of the newly created cron files to assess their intent. Furthermore, it is suggested to baseline normal cron file creation and apply additional filters to reduce false positives based on the specific environment.
New Custom Shim Database Created
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.
New DLL Added to AppCertDlls Registry Key
Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.
New DLL Added to AppInit_DLLs Registry Key
DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll
New DLL Registered Via Odbcconf.EXE
Detects execution of "odbcconf" with "REGSVR" in order to register a new DLL (equivalent to running regsvr32). Attackers abuse this to install and run malicious DLLs.
New DMSA Service Account Created in Specific OUs
Detects the creation of a dMSASvc account using the New-ADServiceAccount cmdlet in certain OUs. The fact that the Cmdlet is used to create a dMSASvc account in a specific OU is highly suspicious. It is a pattern trying to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025. On top of that, if the user that is creating the dMSASvc account is not a legitimate administrator or does not have the necessary permissions, it is a strong signal of an attempted or successful abuse of the BaDSuccessor vulnerability for privilege escalation within the Windows Server 2025 Active Directory environment.
New DNS ServerLevelPluginDll Installed
Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)
New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE
Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)
New Federated Domain Added
Detects the addition of a new Federated Domain.
New Federated Domain Added - Exchange
Detects the addition of a new Federated Domain.