EXPLORE DETECTIONS
Removal Of Index Value to Hide Schedule Task - Registry
Detects when the "index" value of a scheduled task is removed or deleted from the registry. Which effectively hides it from any tooling such as "schtasks /query"
Removal of Potential COM Hijacking Registry Keys
Detects any deletion of entries in ".*\shell\open\command" registry keys. These registry keys might have been used for COM hijacking activities by a threat actor or an attacker and the deletion could indicate steps to remove its tracks.
Removal Of SD Value to Hide Schedule Task - Registry
Remove SD (Security Descriptor) value in \Schedule\TaskCache\Tree registry hive to hide schedule task. This technique is used by Tarrask malware
Remove Account From Domain Admin Group
Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.
Remove Exported Mailbox from Exchange Webserver
Detects removal of an exported Exchange mailbox which could be to cover tracks from ProxyShell exploit
Remove Immutable File Attribute
Detects usage of the 'chattr' utility to remove immutable file attribute.
Remove Immutable File Attribute - Auditd
Detects removing immutable file attribute.
Remove Scheduled Cron Task/Job
Detects usage of the 'crontab' utility to remove the current crontab. This is a common occurrence where cryptocurrency miners compete against each other by removing traces of other miners to hijack the maximum amount of resources possible
Renamed AdFind Execution
Detects the use of a renamed Adfind.exe. AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain.
Renamed AutoHotkey.EXE Execution
Detects execution of a renamed autohotkey.exe binary based on PE metadata fields
Renamed AutoIt Execution
Detects the execution of a renamed AutoIt2.exe or AutoIt3.exe. AutoIt is a scripting language and automation tool for Windows systems. While primarily used for legitimate automation tasks, it can be misused in cyber attacks. Attackers can leverage AutoIt to create and distribute malware, including keyloggers, spyware, and botnets. A renamed AutoIt executable is particularly suspicious.
Renamed BOINC Client Execution
Detects the execution of a renamed BOINC binary.
Renamed BrowserCore.EXE Execution
Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)
Renamed Cloudflared.EXE Execution
Detects the execution of a renamed "cloudflared" binary.
Renamed CreateDump Utility Execution
Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory
Renamed CURL.EXE Execution
Detects the execution of a renamed "CURL.exe" binary based on the PE metadata fields
Renamed FTP.EXE Execution
Detects the execution of a renamed "ftp.exe" binary based on the PE metadata fields
Renamed Gpg.EXE Execution
Detects the execution of a renamed "gpg.exe". Often used by ransomware and loaders to decrypt/encrypt data.
Renamed Jusched.EXE Execution
Detects the execution of a renamed "jusched.exe" as seen used by the cobalt group
Renamed Mavinject.EXE Execution
Detects the execution of a renamed version of the "Mavinject" process. Which can be abused to perform process injection using the "/INJECTRUNNING" flag
Renamed MegaSync Execution
Detects the execution of a renamed MegaSync.exe as seen used by ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.
Renamed Microsoft Teams Execution
Detects the execution of a renamed Microsoft Teams binary.
Renamed Msdt.EXE Execution
Detects the execution of a renamed "Msdt.exe" binary
Renamed NetSupport RAT Execution
Detects the execution of a renamed "client32.exe" (NetSupport RAT) via Imphash, Product and OriginalFileName strings