EXPLORE DETECTIONS

1,653 detections found

Suspicious Shell Execution via Velociraptor

Detects shell executions (cmd, PowerShell, rundll32) spawned by Velociraptor. Threat actors have been observed installing Velociraptor to execute shell commands on compromised systems, blending in with legitimate system processes.

T1219, T1219.002, T1218, T1218.011, T1059, +2
Elastic | medium

Suspicious SIP Check by macOS Application

Detects the unusual use of csrutil by a macOS application to check System Integrity Protection (SIP) status. While not malicious in itself, this activity is highly indicative of malware verifying it is not running in a virtual machine or protected environment prior to executing its payload.

T1082, T1497, T1497.001
Elastic | medium

Suspicious SolarWinds Child Process

A suspicious SolarWinds child process was detected, which may indicate an attempt to execute malicious programs.

T1106, T1195, T1195.002
Elastic | medium

Suspicious SolarWinds Web Help Desk Java Module Load or Child Process

Identifies the SolarWinds Web Help Desk Java process loading an untrusted or remote native module (DLL). This behavior is uncommon for the Web Help Desk server and may indicate successful exploitation of deserialization vulnerabilities (CVE-2025-40536, CVE-2025-40551), which allow attackers to load malicious SQLite extensions and achieve remote code execution.

T1190, T1218, T1218.011, T1059, T1059.001, +2
Elastic | high

Suspicious Startup Shell Folder Modification

Identifies suspicious startup shell folder modifications to change the default Startup directory in order to bypass detections monitoring file creation in the Windows Startup folder.

T1547, T1547.001, T1112
Elastic | high

Suspicious StartupItem Plist Creation

Detects the creation or modification of a StartupParameters.plist file, indicating the presence of a StartupItem on the system. StartupItems have been deprecated on modern macOS systems (post-Mavericks) in favor of Launch Daemons but still function. Creation of a StartupItem should be treated as highly suspicious, as legitimate applications no longer use this method for persistence.

T1037, T1037.005
Elastic | high

Suspicious Symbolic Link Created

Identifies the creation of a symbolic link to a suspicious file or location. A symbolic link is a reference to a file or directory that acts as a pointer or shortcut, allowing users to access the target file or directory from a different location in the file system. An attacker can potentially leverage symbolic links for privilege escalation by tricking a privileged process into following the symbolic link to a sensitive file, giving the attacker access to data or capabilities they would not normally have.

T1548, T1574, T1003, T1003.008
Elastic | low

Suspicious System Commands Executed by Previously Unknown Executable

This rule monitors for the execution of several commonly used system commands executed by a previously unknown executable located in commonly abused directories. An alert from this rule can indicate the presence of potentially malicious activity, such as the execution of unauthorized or suspicious processes attempting to run malicious code. Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the system and its data from potential compromise.

T1059, T1059.004, T1016, T1033, T1049, +3
Elastic | low

Suspicious TCC Access Granted for User Folders

Detects when TCC access is granted for multiple user folders like Desktop, Downloads and Documents in quick succession. Many information stealers require TCC permissions to access these locations and will prompt users to grant access for data exfiltration.

T1548, T1548.006, T1005
Elastic | high

Suspicious Termination of ESXI Process

Identifies instances where VMware processes, such as "vmware-vmx" or "vmx," are terminated on a Linux system by a "kill" command. The rule monitors for the "end" event type, which signifies the termination of a process. The presence of a "kill" command as the parent process for terminating VMware processes may indicate that a threat actor is attempting to interfere with the virtualized environment on the targeted system.

T1489
Elastic | high

Suspicious Usage of bpf_probe_write_user Helper

This rule monitors the syslog log file for messages related to instances of a program using the "bpf_probe_write_user" helper. The "bpf_probe_write_user" helper is used to write data to user space from a BPF program. Unauthorized use of this helper can be indicative of an eBPF rootkit or other malicious activity.

T1547, T1547.006, T1014
Elastic | high

Suspicious Utility Launched via ProxyChains

This rule monitors for the execution of suspicious Linux tools through ProxyChains. ProxyChains is a command-line tool that routes network connections through intermediary proxies, enhancing anonymity and enabling access to restricted resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade detection, and perform malicious activities through a chain of proxy servers, potentially masking their identity and intentions.

T1090, T1090.003, T1572
Elastic | medium

Suspicious Web Browser Sensitive File Access

Identifies the access or file open of web browser sensitive files by an untrusted/unsigned process or osascript. Adversaries may acquire credentials from web browsers by reading files specific to the target browser.

T1539, T1555, T1555.003, T1005
Elastic | high

Suspicious WerFault Child Process

A suspicious WerFault child process was detected, which may indicate an attempt to run via the SilentProcessExit registry key manipulation. Verify process details such as command line, network connections and file writes.

T1036, T1546, T1546.012
Elastic | medium

Suspicious which Enumeration

This rule monitors for the usage of the which command with an unusual number of process arguments. Attackers may leverage the which command to enumerate the system for useful installed utilities that may be used after compromising a system to escalate privileges or move laterally across the network.

T1082, T1083, T1518
Elastic | low

Suspicious Windows Command Shell Arguments

Identifies the execution of the Windows Command Shell process (cmd.exe) with suspicious argument values. This behavior is often observed during malware installation.

T1059, T1059.003, T1105, T1027, T1218, +2
Elastic | high

Suspicious Windows Powershell Arguments

Identifies the execution of PowerShell with suspicious argument values. This behavior is often observed during malware installation leveraging PowerShell.

T1059, T1059.001, T1105, T1027, T1027.010, +1
Elastic | medium

Suspicious WMI Event Subscription Created

Detects the creation of a WMI Event Subscription. Attackers can abuse this mechanism for persistence or to elevate to SYSTEM privileges.

T1546, T1546.003
Elastic | medium

Suspicious WMI Image Load from MS Office

Identifies a suspicious image load (wmiutils.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where child processes are spawned via Windows Management Instrumentation (WMI). This technique can be used to execute code and evade traditional parent/child processes spawned from Microsoft Office products.

T1047
Elastic | low

Suspicious WMIC XSL Script Execution

Identifies WMIC allowlist bypass techniques by alerting on suspicious execution of scripts. When WMIC loads scripting libraries it may be indicative of an allowlist bypass.

T1218, T1220, T1047
Elastic | medium

Suspicious Write Attempt to AppArmor Policy Management Files

Detects processes attempting to write to AppArmor policy management pseudo-files located under "/sys/kernel/security/apparmor/". These special kernel interfaces are used to load, replace, or remove AppArmor profiles (".load", ".replace", ".remove"). In normal environments, AppArmor policy management is typically performed by administrative tools such as "apparmor_parser" during system initialization or package installation. Direct interaction with these pseudo-files from shell utilities, interpreters, or scripting environments is uncommon and may indicate attempts to modify security policy at runtime. Adversaries may abuse these interfaces to weaken or disable AppArmor protections, introduce malicious profiles, or exploit vulnerabilities in the AppArmor policy parser as part of local privilege escalation chains.

T1562, T1562.001
Elastic | medium

Suspicious Zoom Child Process

A suspicious Zoom child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and associated file signature details as well.

T1036, T1055, T1059, T1059.001, T1059.003, +1
Elastic | medium

Svchost spawning Cmd

Identifies a suspicious parent-child process relationship in which cmd.exe descends from svchost.exe.

T1059, T1569, T1569.002
Elastic | low

Symbolic Link to Shadow Copy Created

Identifies the creation of symbolic links to a shadow copy. Symbolic links can be used to access files in the shadow copy, including sensitive files such as ntds.dit, System Boot Key and browser offline credentials.

T1003, T1003.002, T1003.003, T1006
Elastic | medium

Page 60 of 69