EXPLORE DETECTIONS
New Virtual Smart Card Created Via TpmVscMgr.EXE
Detects execution of "Tpmvscmgr.exe" to create a new virtual smart card.
New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet
Detects calls to the "New-NetFirewallRule" cmdlet from PowerShell in order to add a new firewall rule with an "Allow" action.
New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet - ScriptBlock
Detects when a PowerShell script contains calls to the "New-NetFirewallRule" cmdlet in order to add a new firewall rule with an "Allow" action.
Nginx Core Dump
Detects a core dump of a crashing Nginx worker process, which could be a signal of a serious problem or exploitation attempts.
Ngrok Usage with Remote Desktop Service
Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour.
Nltest.EXE Execution
Detects nltest commands that can be used for information discovery.
No Suitable Encryption Key Found For Generating Kerberos Ticket
Detects errors when a target server doesn't have suitable keys for generating Kerberos tickets. This issue can occur, for example, when a service uses a user account or a computer account that is configured for only DES encryption on a computer that is running Windows 7, which has DES encryption for Kerberos authentication disabled.
Node Process Executions
Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud.
NodeJS Execution of JavaScript File
Detects execution of JavaScript or JSC files using the Node.js binary node.exe, which could be potentially suspicious. Node.js is a popular open-source JavaScript runtime that runs code outside browsers and is widely used for both frontend and backend development. Adversaries have been observed abusing Node.js to disguise malware as legitimate processes, evade security defenses, and maintain persistence within target systems. Because Node.js is commonly used, this rule may generate false positives in some environments. However, if such activity is unusual in your environment, it is highly suspicious and warrants immediate investigation.
Nohup Execution
Detects usage of nohup, which could be leveraged by an attacker to keep a process running or break out from restricted environments.
Non Interactive PowerShell Process Spawned
Detects non-interactive PowerShell activity by looking at the "powershell" process with a non-user GUI process such as "explorer.exe" as a parent.
Non-DLL Extension File Renamed With DLL Extension
Detects rename operations of files with non-DLL extensions to files with a DLL extension. This is often performed by malware in order to avoid initial detections based on extensions.
Non-privileged Usage of Reg or Powershell
Detects usage of reg or PowerShell by non-privileged users to modify service configuration in the registry.
Notepad Password Files Discovery
Detects the execution of Notepad to open a file that has the string "password" which may indicate unauthorized access to credentials or suspicious activity.
Notepad++ Updater DNS Query to Uncommon Domains
Detects when the Notepad++ updater (gup.exe) makes DNS queries to domains that are not part of the known legitimate update infrastructure. This could indicate potential exploitation of the updater mechanism or suspicious network activity that warrants further investigation.
Nslookup PowerShell Download Cradle
Detects a PowerShell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records.
Nslookup PowerShell Download Cradle - ProcessCreation
Detects a suspicious PowerShell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records.
NtdllPipe Like Activity Execution
Detects commands that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection, as seen being used in the NtdllPipe POC.
NTDS Exfiltration Filename Patterns
Detects creation of files with specific name patterns seen used in various tools that export the NTDS.DIT for exfiltration.
NTDS.DIT Created
Detects creation of a file named "ntds.dit" (Active Directory Database).
NTDS.DIT Creation By Uncommon Parent Process
Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon parent process or directory.
NTDS.DIT Creation By Uncommon Process
Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon process or a process located in a suspicious directory.
Ntdsutil Abuse
Detects potential abuse of ntdsutil to dump the ntds.dit database.
NTFS Alternate Data Stream
Detects writing data into NTFS alternate data streams from PowerShell. Needs Script Block Logging.