EXPLORE DETECTIONS
Unexpected Child Process of macOS Screensaver Engine
Identifies when a child process is spawned by the screensaver engine process, which is consistent with an attacker's malicious payload being executed after the screensaver activated on the endpoint. An adversary can maintain persistence on a macOS endpoint by creating a malicious screensaver (.saver) file and configuring the screensaver plist file to execute code each time the screensaver is activated.
Unix Socket Connection
This rule monitors for inter-process communication via Unix sockets. Adversaries may attempt to communicate with local Unix sockets to enumerate application details, find vulnerabilities/configuration mistakes and potentially escalate privileges or set up malicious communication channels via Unix sockets for inter-process communication to attempt to evade detection.
Unknown Execution of Binary with RWX Memory Region
Monitors for the execution of a previously unknown unix binary with read, write and execute memory region permissions. The mprotect() system call is used to change the access protections on a region of memory that has already been allocated. This syscall allows a process to modify the permissions of pages in its virtual address space, enabling or disabling permissions such as read, write, and execute for those pages. RWX permissions on memory is in many cases overly permissive, and should be analyzed thoroughly.
Unsigned DLL loaded by DNS Service
Identifies unusual DLLs loaded by the DNS Server process, potentially indicating the abuse of the ServerLevelPluginDll functionality. This can lead to privilege escalation and remote code execution with SYSTEM privileges.
Unsigned DLL Loaded by Svchost
Identifies an unsigned library created in the last 5 minutes and subsequently loaded by a shared windows service (svchost). Adversaries may use this technique to maintain persistence or run with System privileges.
Unsigned DLL Side-Loading from a Suspicious Folder
Identifies a Windows trusted program running from locations often abused by adversaries to masquerade as a trusted program and loading a recently dropped DLL. This behavior may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of a signed processes.
Untrusted DLL Loaded by Azure AD Sync Service
Identifies the load of a DLL without a valid code signature by the Azure AD Sync process, which may indicate an attempt to persist or collect sensitive credentials passing through the Azure AD synchronization server.
Untrusted Driver Loaded
Identifies attempt to load an untrusted driver. Adversaries may modify code signing policies to enable execution of unsigned or self-signed code.
Unusual AWS Command for a User
A machine learning job detected an AWS API command that, while not inherently suspicious or abnormal, is being made by a user context that does not normally use the command. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfiltrate data.
Unusual AWS S3 Object Encryption with SSE-C
Identifies when AWS S3 objects stored in a bucket are encrypted using Server-Side Encryption with Customer-Provided Keys (SSE-C). Adversaries with compromised AWS credentials can encrypt objects in an S3 bucket using their own encryption keys, rendering the objects unreadable or recoverable without the key. This can be used as a form of ransomware to extort the bucket owner for the decryption key. This is a New Terms rule that flags when this behavior is observed for the first time user and target bucket name.
Unusual Azure Activity Logs Event for a User
A machine learning job detected Azure Activity Logs activity that, while not inherently suspicious or abnormal, is sourcing from user context that does not normally use the event action. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfiltrate data.
Unusual Base64 Encoding/Decoding Activity
This rule leverages ESQL to detect unusual base64 encoding/decoding activity on Linux systems. Attackers may use base64 encoding/decoding to obfuscate data, such as command and control traffic or payloads, to evade detection by host- or network-based security controls. ESQL rules have limited fields available in its alert documents. Make sure to review the original documents to aid in the investigation of this alert.
Unusual Child Process from a System Virtual Process
Identifies a suspicious child process of the Windows virtual system process, which could indicate code injection.
Unusual Child Process of dns.exe
Identifies an unexpected process spawning from dns.exe, the process responsible for Windows DNS server services, which may indicate activity related to remote code execution or other forms of exploitation.
Unusual Child Processes of RunDLL32
Identifies child processes of unusual instances of RunDLL32 where the command line parameters were suspicious. Misuse of RunDLL32 could indicate malicious activity.
Unusual City For a GCP Event
A machine learning job detected GCP Audit event activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (city) that is unusual for the event action. This can be the result of compromised credentials or keys being used by a threat actor in a different geography than the authorized user(s).
Unusual City For an AWS Command
A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (city) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography than the authorized user(s).
Unusual City for an Azure Activity Logs Event
A machine learning job detected Azure Activity Logs activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (city) that is unusual for the event action. This can be the result of compromised credentials or keys being used by a threat actor in a different geography than the authorized user(s).
Unusual Command Execution from Web Server Parent
This rule detects potential command execution from a web server parent process on a Linux host. Adversaries may attempt to execute commands from a web server parent process to blend in with normal web server activity and evade detection. This behavior is commonly observed in web shell attacks where adversaries exploit web server vulnerabilities to execute arbitrary commands on the host. The detection rule identifies unusual command execution from web server parent processes, which may indicate a compromised host or an ongoing attack. ESQL rules have limited fields available in its alert documents. Make sure to review the original documents to aid in the investigation of this alert.
Unusual Country For a GCP Event
A machine learning job detected GCP Audit event activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (country) that is unusual for the event action. This can be the result of compromised credentials or keys being used by a threat actor in a different geography than the authorized user(s).
Unusual Country For an AWS Command
A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (country) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography than the authorized user(s).
Unusual Country for an Azure Activity Logs Event
A machine learning job detected Azure Activity Logs activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (country) that is unusual for the event action. This can be the result of compromised credentials or keys being used by a threat actor in a different geography than the authorized user(s).
Unusual D-Bus Daemon Child Process
This rule detects when an unusual child process is spawned from the `dbus-daemon` parent process. The `dbus-daemon` process is a message bus system that provides a way for applications to talk to each other. Attackers may abuse this process to execute malicious code or escalate privileges.
Unusual Discovery Signal Alert with Unusual Process Command Line
This rule leverages alert data from various Discovery building block rules to alert on signals with unusual unique host.id, user.id and process.command_line entries.