EXPLORE DETECTIONS
Antivirus Hacktool Detection
Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool. This event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place.
Antivirus Password Dumper Detection
Detects a highly relevant Antivirus alert that reports a password dumper. This event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place.
Antivirus Ransomware Detection
Detects a highly relevant Antivirus alert that reports ransomware. This event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place.
Antivirus Relevant File Paths Alerts
Detects an Antivirus alert in a highly relevant file path or with a relevant file name. This event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place.
Antivirus Web Shell Detection
Detects a highly relevant Antivirus alert that reports a web shell. It's highly recommended to tune this rule to the specific strings used by your antivirus solution by downloading a large web shell repository from e.g. GitHub and checking the matches. This event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place.
Anydesk Remote Access Software Service Installation
Detects the installation of the AnyDesk software service, which could be an indication of AnyDesk abuse if the software isn't already in use in the environment.
Anydesk Temporary Artefact
An adversary may use legitimate desktop support and remote access software, such as TeamViewer, Go2Assist, LogMeIn, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and TeamViewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
Apache Segmentation Fault
Detects a segmentation fault error message caused by a crashing Apache worker process.
Apache Threading Error
Detects an entry in Apache logs that reports threading-related errors.
App Assigned To Azure RBAC/Microsoft Entra Role
Detects when an app is assigned Azure AD roles, such as global administrator, or Azure RBAC roles, such as subscription owner.
App Granted Microsoft Permissions
Detects when an application is granted delegated or app role permissions for Microsoft Graph, Exchange, SharePoint, or Azure AD.
App Granted Privileged Delegated Or App Permissions
Detects when an administrator grants either application permissions (app roles) or highly privileged delegated permissions.
AppArmor Policy Interface Access
Identifies access to AppArmor kernel policy control interfaces through the .load, .replace, or .remove files under /sys/kernel/security/apparmor/. These special files are used to load, modify, or remove AppArmor profiles and are rarely accessed during normal system activity outside of policy administration. Reads or writes to these interfaces may indicate legitimate security configuration changes, but can also reflect defense evasion, unauthorized policy tampering, or the installation of attacker-controlled profiles. This detection is especially valuable on systems where AppArmor policy changes are uncommon or tightly controlled.
AppArmor Policy Violation Detected
Identifies events where the AppArmor security module blocked or restricted an operation due to a policy violation. AppArmor enforces mandatory access control policies that limit how processes interact with system resources such as files, network sockets, and capabilities. When a process attempts an action that is not permitted by the active profile, the kernel generates a policy violation event. While these events can occur during normal operation or misconfiguration, they may also indicate attempted privilege escalation, restricted file access, or malicious activity being prevented by the system's security policy.
AppArmor Profile Compilation via apparmor_parser
Detects the execution of "apparmor_parser" using the "-o" option to write a compiled AppArmor profile to an output file. This functionality is normally used by system administration tools or package installation scripts when building or loading AppArmor policies. In adversarial scenarios, attackers may use "apparmor_parser" to compile custom AppArmor profiles that can later be loaded into the kernel through AppArmor policy management interfaces. Malicious profiles may weaken security controls, alter the behavior of privileged programs, or assist in exploitation chains involving AppArmor policy manipulation.
AppArmor service stopped
This query was originally published in the threat analytics report, *Sysrv botnet evolution*.
Apple Script Execution followed by Network Connection
Detects execution via the Apple script interpreter (osascript) followed by a network connection from the same process within a short time period. Adversaries may use malicious scripts for execution and command and control.
Apple Scripting Execution with Administrator Privileges
Identifies execution of the Apple script interpreter (osascript) without a password prompt and with administrator privileges.
Apple state-sponsored attack warning
Detects legitimate Apple threat notifications warning users about potential state-sponsored mercenary attacks targeting their iPhone. These notifications contain specific language about targeted attacks and Apple's confidence level in the warning.
Application Added to Google Workspace Domain
Detects when a Google marketplace application is added to the Google Workspace domain. An adversary may add a malicious application to an organization’s Google Workspace domain in order to maintain a presence in their target’s organization and steal data.
Application AppID Uri Configuration Changes
Detects when a configuration change is made to an application's AppID URI.
Application Removed from Blocklist in Google Workspace
Google Workspace administrators may be aware of malicious applications within the Google marketplace and block these applications for user security purposes. An adversary with administrative privileges may remove such an application from the explicit block list to allow distribution of the application amongst users. This may also indicate the unauthorized use of an application that had previously been blocked by a user with admin privileges.
Application Removed Via Wmic.EXE
Detects the removal or uninstallation of an application via "Wmic.EXE".
Application Terminated Via Wmic.EXE
Detects calls to the "terminate" function via wmic in order to kill an application.