EXPLORE DETECTIONS
Python Spawning Pretty TTY on Windows
Detects python spawning a pretty tty
Python Spawning Pretty TTY Via PTY Module
Detects a python process calling to the PTY module in order to spawn a pretty tty which could be indicative of potential reverse shell activity.
Python SQL Exceptions
Generic rule for SQL exceptions in Python according to PEP 249
Python WebServer Execution - Linux
Detects the execution of Python web servers via command line interface (CLI). After gaining access to target systems, adversaries may use Python's built-in HTTP server modules to quickly establish a web server without requiring additional software. This technique is commonly used in post-exploitation scenarios as it provides a simple method for transferring files between the compromised host and attacker-controlled systems.
Query Tor Onion Address - DNS Client
Detects DNS resolution of an .onion address related to Tor routing networks
Query Usage To Exfil Data
Detects usage of "query.exe" a system binary to exfil information such as "sessions" and "processes" for later use
QuickAssist Execution
Detects the execution of Microsoft Quick Assist tool "QuickAssist.exe". This utility can be used by attackers to gain remote access.
Raccine Uninstall
Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.
Rar Usage with Password and Compression Level
Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions.
Rare Remote Thread Creation By Uncommon Source Image
Detects uncommon processes creating remote threads.
Rare Subscription-level Operations In Azure
Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.
Raw Paste Service Access
Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form
RBAC Permission Enumeration Attempt
Detects identities attempting to enumerate their Kubernetes RBAC permissions. In the early stages of a breach, attackers will aim to list the permissions they have within the compromised environment. In a Kubernetes cluster, this can be achieved by interacting with the API server, and querying the SelfSubjectAccessReview API via e.g. a "kubectl auth can-i --list" command. This will enumerate the Role-Based Access Controls (RBAC) rules defining the compromised user's authorization.
Rclone Activity via Proxy
Detects the use of rclone, a command-line program to manage files on cloud storage, via its default user-agent string
Rclone Config File Creation
Detects Rclone config files being created
RDP Connection Allowed Via Netsh.EXE
Detects usage of the netsh command to open and allow connections to port 3389 (RDP). As seen used by Sarwent Malware
RDP Enable or Disable via Win32_TerminalServiceSetting WMI Class
Detects enabling or disabling of Remote Desktop Protocol (RDP) using alternate methods such as WMIC or PowerShell. In PowerShell one-liner commands, the "SetAllowTSConnections" method of the "Win32_TerminalServiceSetting" class may be used to enable or disable RDP. In WMIC, the "rdtoggle" alias or "Win32_TerminalServiceSetting" class may be used for the same purpose.
RDP Login from Localhost
RDP login with localhost source address may be a tunnelled login
RDP Over Reverse SSH Tunnel
Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389
RDP over Reverse SSH Tunnel WFP
Detects svchost hosting RDP termsvcs communicating with the loopback address
RDP Port Forwarding Rule Added Via Netsh.EXE
Detects the execution of netsh to configure a port forwarding of port 3389 (RDP) rule
RDP Sensitive Settings Changed
Detects tampering of RDP Terminal Service/Server sensitive settings. Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc. Below is a list of registry keys/values that are monitored by this rule: - Shadow: Used to enable Remote Desktop shadowing, which allows an administrator to view or control a user's session. - DisableRemoteDesktopAntiAlias: Disables anti-aliasing for remote desktop sessions. - DisableSecuritySettings: Disables certain security settings for Remote Desktop connections. - fAllowUnsolicited: Allows unsolicited remote assistance offers. - fAllowUnsolicitedFullControl: Allows unsolicited remote assistance offers with full control. - InitialProgram: Specifies a program to run automatically when a user logs on to a remote computer. - ServiceDll: Used in RDP hijacking techniques to specify a custom DLL to be loaded by the Terminal Services service. - SecurityLayer: Specifies the security layer used for RDP connections.
RDP Sensitive Settings Changed to Zero
Detects tampering of RDP Terminal Service/Server sensitive settings. Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.
RDP to HTTP or HTTPS Target Ports
Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443