EXPLORE DETECTIONS
Potential Homoglyph Attack Using Lookalike Characters
Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters. This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.
Potential Homoglyph Attack Using Lookalike Characters in Filename
Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters. This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.
Potential In-Memory Download And Compile Of Payloads
Detects potential in-memory downloading and compiling of applets using curl and osacompile as seen used by XCSSET malware
Potential In-Memory Execution Using Reflection.Assembly
Detects usage of "Reflection.Assembly" load functions to dynamically load assemblies in memory
Potential Initial Access via DLL Search Order Hijacking
Detects attempts to create a DLL file to a known desktop application dependencies folder such as Slack, Teams or OneDrive and by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking.
Potential Invoke-Mimikatz PowerShell Script
Detects Invoke-Mimikatz PowerShell script and alike. Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.
Potential Iviewers.DLL Sideloading
Detects potential DLL sideloading of "iviewers.dll" (OLE/COM Object Interface Viewer)
Potential JLI.dll Side-Loading
Detects potential DLL side-loading of jli.dll. JLI.dll has been observed being side-loaded by Java processes by various threat actors, including APT41, XWorm, and others in order to load malicious payloads in context of legitimate Java processes.
Potential JNDI Injection Exploitation In JVM Based Application
Detects potential JNDI Injection exploitation. Often coupled with Log4Shell exploitation.
Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation
Detects modifications to DNS records in Active Directory where the Distinguished Name (DN) contains a base64-encoded blob matching the pattern "1UWhRCAAAAA...BAAAA". This pattern corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure, commonly used in Kerberos coercion attacks. Adversaries may exploit this to coerce victim systems into authenticating to attacker-controlled hosts by spoofing SPNs via DNS. It is one of the strong indicators of a Kerberos coercion attack,. where adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests like CVE-2025-33073. Please investigate the user account that made the changes, as it is likely a low-privileged account that has been compromised.
Potential Keylogger Activity
Detects PowerShell scripts that contains reference to keystroke capturing functions
Potential Lateral Movement via Windows Remote Shell
Detects a child process spawned by 'winrshost.exe', which suggests remote command execution through Windows Remote Shell (WinRs) and may indicate potential lateral movement activity.
Potential LethalHTA Technique Execution
Detects potential LethalHTA technique where the "mshta.exe" is spawned by an "svchost.exe" process
Potential Libvlc.DLL Sideloading
Detects potential DLL sideloading of "libvlc.dll", a DLL that is legitimately used by "VLC.exe"
Potential Linux Amazon SSM Agent Hijacking
Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.
Potential Linux Process Code Injection Via DD Utility
Detects the injection of code by overwriting the memory map of a Linux process using the "dd" Linux command.
Potential Local File Read Vulnerability In JVM Based Application
Detects potential local file read vulnerability in JVM based apps. If the exceptions are caused due to user input and contain path traversal payloads then it's a red flag.
Potential LSASS Process Dump Via Procdump
Detects potential credential harvesting attempts through LSASS memory dumps using ProcDump. This rule identifies suspicious command-line patterns that combine memory dump flags (-ma, -mm, -mp) with LSASS-related process markers. LSASS (Local Security Authority Subsystem Service) contains sensitive authentication data including plaintext passwords, NTLM hashes, and Kerberos tickets in memory. Attackers commonly dump LSASS memory to extract credentials for lateral movement and privilege escalation.
Potential Malicious AppX Package Installation Attempts
Detects potential installation or installation attempts of known malicious appx packages
Potential Malicious Usage of CloudTrail System Manager
Detect when System Manager successfully executes commands against an instance.
Potential Manage-bde.wsf Abuse To Proxy Execution
Detects potential abuse of the "manage-bde.wsf" script as a LOLBIN to proxy execution
Potential Memory Dumping Activity Via LiveKD
Detects execution of LiveKD based on PE metadata or image name
Potential Meterpreter/CobaltStrike Activity
Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting
Potential MFA Bypass Using Legacy Client Authentication
Detects successful authentication from potential clients using legacy authentication via user agent strings. This could be a sign of MFA bypass using a password spray attack.