RestrictedAdminMode Registry Value Tampering - ProcCreation
Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. This prevents your credentials from being harvested during the initial connection process if the remote server has been compromised.
Roles Activated Too Frequently
Identifies when the same privileged role has multiple activations by the same user.
Roles Activation Doesn't Require MFA
Identifies when a privileged role can be activated without performing MFA.
Roles Are Not Being Used
Identifies when a user has been assigned a privileged role and is not using that role.
Roles Assigned Outside PIM
Identifies when a privileged role assignment has taken place outside of PIM, which may indicate an attack.
Root Account Enable Via Dsenableroot
Detects attempts to enable the root account via "dsenableroot"
Root Certificate Installed - PowerShell
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
Root Certificate Installed From Susp Locations
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
RottenPotato Like Attack Pattern
Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like
RTCore Suspicious Service Installation
Detects the installation of the RTCore service, which could be an indication of Micro-Star MSI Afterburner vulnerable driver abuse
Ruby Inline Command Execution
Detects execution of ruby using the "-e" flag. This could be used as a way to launch a reverse shell or execute live ruby code.
Ruby on Rails Framework Exceptions
Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts
Run Once Task Configuration in Registry
Rule to detect the configuration of the Run Once registry key. The configured payload can be run by runonce.exe /AlternateShellStartup
Run Once Task Execution as Configured in Registry
This rule detects the execution of a Run Once task as configured in the registry
Run PowerShell Script from ADS
Detects PowerShell script execution from Alternate Data Stream (ADS)
Run PowerShell Script from Redirected Input Stream
Detects PowerShell script execution via input stream redirect
Rundll32 Execution With Uncommon DLL Extension
Detects the execution of rundll32 with a command line that doesn't contain a common extension
Rundll32 Execution Without CommandLine Parameters
Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity
Rundll32 Execution Without Parameters
Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module
Rundll32 InstallScreenSaver Execution
An attacker may execute an application as an SCR file using rundll32.exe desk.cpl,InstallScreenSaver
Rundll32 Internet Connection
Detects a rundll32 that communicates with public IP addresses
Rundll32 Registered COM Objects
Detects attempts to use rundll32 to load malicious registered COM objects
Rundll32 Spawned Via Explorer.EXE
Detects execution of "rundll32.exe" with a parent process of Explorer.exe. This has been observed by variants of Raspberry Robin, as first reported by Red Canary.
RunDLL32 Spawning Explorer
Detects RunDLL32.exe spawning explorer.exe as a child process, which is very uncommon; Gamarue has often been observed spawning the explorer.exe process in this unusual way