EXPLORE DETECTIONS
Powerview Add-DomainObjectAcl DCSync AD Extend Right
Backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer
PowerView PowerShell Cmdlets - ScriptBlock
Detects Cmdlet names from PowerView of the PowerSploit exploitation framework.
PPL Tampering Via WerFaultSecure
Detects potential abuse of WerFaultSecure.exe to dump Protected Process Light (PPL) processes like LSASS or to freeze security solutions (EDR/antivirus). This technique is used by tools such as EDR-Freeze and WSASS to bypass PPL protections and access sensitive information or disable security software. Distinct command line patterns help identify the specific tool: - WSASS usage typically shows: "WSASS.exe WerFaultSecure.exe [PID]" in ParentCommandLine - EDR-Freeze usage typically shows: "EDR-Freeze_[version].exe [PID] [timeout]" in ParentCommandLine Legitimate debugging operations using WerFaultSecure are rare in production environments and should be investigated.
Prefetch File Deleted
Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence
Previously Installed IIS Module Was Removed
Detects the removal of a previously installed IIS module.
Primary Refresh Token Access Attempt
Indicates access attempt to the PRT resource which can be used to move laterally into an organization or perform credential theft
Print History File Contents
Detects events in which someone prints the contents of history files to the commandline or redirects it to a file for reconnaissance
PrintBrm ZIP Creation of Extraction
Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.
Private Keys Reconnaissance Via CommandLine Tools
Adversaries may search for private key certificate files on compromised systems for insecurely stored credential
Privilege Escalation via Named Pipe Impersonation
Detects a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.
Privileged Account Creation
Detects when a new admin is created.
Privileged Container Deployed
Detects the creation of a "privileged" container, an action which could be indicative of a threat actor mounting a container breakout attacks. A privileged container is a container that can access the host with all of the root capabilities of the host machine. This allows it to view, interact and modify processes, network operations, IPC calls, the file system, mount points, SELinux configurations etc. as the root user on the host. Various versions of "privileged" containers can be specified, e.g. by setting the securityContext.privileged flag in the resource specification, setting non-standard Linux capabilities, or configuring the hostNetwork/hostPID fields
Privileged User Has Been Created
Detects the addition of a new user to a privileged group such as "root" or "sudo"
Procdump Execution
Detects usage of the SysInternals Procdump utility
Process Access via TrolleyExpress Exclusion
Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory
Process Creation Using Sysnative Folder
Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)
Process Deletion of Its Own Executable
Detects the deletion of a process's executable by itself. This is usually not possible without workarounds and may be used by malware to hide its traces.
Process Discovery
Detects process discovery commands. Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network
Process Execution Error In JVM Based Application
Detects process execution related exceptions in JVM based apps, often relates to RCE
Process Execution From A Potentially Suspicious Folder
Detects a potentially suspicious execution from an uncommon folder.
Process Execution From WebDAV Share
Detects execution of processes with image paths starting with WebDAV shares (\\), which might indicate malicious file execution from remote web shares. Execution of processes from WebDAV shares can be a sign of lateral movement or exploitation attempts, especially if the process is not a known legitimate application. Exploitation Attempt of vulnerabilities like CVE-2025-33053 also involves executing processes from WebDAV paths.
Process Explorer Driver Creation By Non-Sysinternals Binary
Detects creation of the Process Explorer drivers by processes other than Process Explorer (procexp) itself. Hack tools or malware may use the Process Explorer driver to elevate privileges, drops it to disk for a few moments, runs a service using that driver and removes it afterwards.
Process Initiated Network Connection To Ngrok Domain
Detects an executable initiating a network connection to "ngrok" domains. Attackers were seen using this "ngrok" in order to store their second stage payloads and malware. While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.
Process Launched Without Image Name
Detect the use of processes with no name (".exe"), which can be used to evade Image-based detections.