EXPLORE DETECTIONS
Operator Bloopers Cobalt Strike Commands
Detects use of Cobalt Strike commands accidentally entered in the CMD shell
Operator Bloopers Cobalt Strike Modules
Detects Cobalt Strike module/commands accidentally entered in CMD shell
OS Architecture Discovery Via Grep
Detects the use of grep to identify information about the operating system architecture. Often combined beforehand with the execution of "uname" or "cat /proc/cpuinfo"
Osacompile Execution By Potentially Suspicious Applet/Osascript
Detects potential suspicious applet or osascript executing "osacompile".
OSACompile Run-Only Execution
Detects potential suspicious run-only executions compiled using OSACompile
Outbound Network Connection Initiated By Cmstp.EXE
Detects a network connection initiated by Cmstp.EXE Its uncommon for "cmstp.exe" to initiate an outbound network connection. Investigate the source of such requests to determine if they are malicious.
Outbound Network Connection Initiated By Microsoft Dialer
Detects outbound network connection initiated by Microsoft Dialer. The Microsoft Dialer, also known as Phone Dialer, is a built-in utility application included in various versions of the Microsoft Windows operating system. Its primary function is to provide users with a graphical interface for managing phone calls via a modem or a phone line connected to the computer. This is an outdated process in the current conext of it's usage and is a common target for info stealers for process injection, and is used to make C2 connections, common example is "Rhadamanthys"
Outbound Network Connection Initiated By Script Interpreter
Detects a script interpreter wscript/cscript opening a network connection to a non-local network. Adversaries may use script to download malicious payloads.
Outbound Network Connection To Public IP Via Winlogon
Detects a "winlogon.exe" process that initiate network communications with public IP addresses
Outbound RDP Connections Over Non-Standard Tools
Detects Non-Standard tools initiating a connection over port 3389 indicating possible lateral movement. An initial baseline is required before using this utility to exclude third party RDP tooling that you might use.
Outdated Dependency Or Vulnerability Alert Disabled
Dependabot performs a scan to detect insecure dependencies, and sends Dependabot alerts. This rule detects when an organization owner disables Dependabot alerts private repositories or Dependabot security updates for all repositories.
Outgoing Logon with New Credentials
Detects logon events that specify new credentials
Outlook EnableUnsafeClientMailRules Setting Enabled
Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros
Outlook EnableUnsafeClientMailRules Setting Enabled - Registry
Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros
Outlook Macro Execution Without Warning Setting Enabled
Detects the modification of Outlook security setting to allow unprompted execution of macros.
Outlook Security Settings Updated - Registry
Detects changes to the registry values related to outlook security settings
Overwriting the File with Dev Zero or Null
Detects overwriting (effectively wiping/deleting) of a file.
PAExec Service Installation
Detects PAExec service installation
Pass the Hash Activity 2
Detects the attack technique pass the hash which is used to move laterally inside the network
Password Change on Directory Service Restore Mode (DSRM) Account
Detects potential attempts made to set the Directory Services Restore Mode administrator password. The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password in order to obtain persistence.
Password Dumper Activity on LSASS
Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN
Password Dumper Remote Thread in LSASS
Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events.
Password Policy Discovery - Linux
Detects password policy discovery commands
Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy
Detetcts PowerShell activity in which Get-Addefaultdomainpasswordpolicy is used to get the default password policy for an Active Directory domain.