EXPLORE DETECTIONS
PsExec Tool Execution From Suspicious Locations - PipeName
Detects PsExec default pipe creation where the image executed is located in a suspicious location, which could indicate that the tool is being used in an attack.
PsExec/PAExec Escalation to LOCAL SYSTEM
Detects suspicious command-line flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights.
PSScriptPolicyTest Creation By Uncommon Process
Detects the creation of the "PSScriptPolicyTest" PowerShell script by an uncommon process. This file is usually generated by Microsoft PowerShell to test against AppLocker.
PST Export Alert Using eDiscovery Alert
Alerts when a user has performed an eDiscovery search or exported a PST file from the search. This PST file usually contains sensitive information, including email body content.
PST Export Alert Using New-ComplianceSearchAction
Alerts when a user has performed an export of a search using 'New-ComplianceSearchAction' with the '-Export' flag. This detection will catch PST exports even if the 'eDiscovery search or exported' alert is disabled in O365. This rule applies to ExchangePowerShell usage and from the cloud.
PUA - 3Proxy Execution
Detects the use of 3proxy, a tiny free proxy server
PUA - AdFind Suspicious Execution
Detects AdFind execution with common flags seen used during attacks
PUA - AdFind.EXE Execution
Detects execution of Adfind.exe utility, which can be used for reconnaissance in an Active Directory environment
PUA - Adidnsdump Execution
This tool enables enumeration and export of all DNS records in the zone for reconnaissance of internal networks. Python 3 and python.exe must be installed. It is used to query/modify DNS records for Active Directory-integrated DNS via LDAP.
PUA - Advanced IP Scanner Execution
Detects the use of Advanced IP Scanner. It appears to be a popular tool among ransomware groups.
PUA - Advanced IP/Port Scanner Update Check
Detects the update check performed by the Advanced IP/Port Scanner utilities.
PUA - Advanced Port Scanner Execution
Detects the use of Advanced Port Scanner.
PUA - AdvancedRun Execution
Detects the execution of AdvancedRun utility
PUA - AdvancedRun Suspicious Execution
Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts
PUA - AWS TruffleHog Execution
Detects the execution of TruffleHog, a popular open-source tool used for scanning repositories for secrets and sensitive information, within an AWS environment. It has been reported to be used by threat actors for credential harvesting. All detections should be investigated to determine if the usage is authorized by security teams or potentially malicious.
PUA - Chisel Tunneling Tool Execution
Detects usage of the Chisel tunneling tool via its command-line arguments.
PUA - CleanWipe Execution
Detects the use of CleanWipe, a tool usually used to remove Symantec antivirus products.
PUA - Crassus Execution
Detects Crassus, a Windows privilege escalation discovery tool, based on PE metadata characteristics.
PUA - CSExec Default Named Pipe
Detects default CSExec pipe creation
PUA - CsExec Execution
Detects the use of the lesser-known remote execution tool CsExec, a PsExec alternative.
PUA - DefenderCheck Execution
Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. It can be used to figure out the strings/byte sequences that Microsoft Defender uses to detect a tool, and is thus used for AV evasion.
PUA - DIT Snapshot Viewer
Detects the use of the Ditsnap tool, an inspection tool for the Active Directory database, ntds.dit.
PUA - Fast Reverse Proxy (FRP) Execution
Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.
PUA - Kernel Driver Utility (KDU) Execution
Detects execution of the Kernel Driver Utility (KDU) tool. KDU can be used to bypass driver signature enforcement and load unsigned or malicious drivers into the Windows kernel, potentially allowing privilege escalation, persistence, or evasion of security controls.