New Deployed Rules

Process Creation: Suspicious Execution Location Of Wermgr.EXE; Potential CVE-2023-36874 Exploitation – Fake Wermgr Execution; Network Reconnaissance Activity; Node Process Executions; Nslookup PowerShell Download Cradle – Process Creation; Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe); Harvesting Of Wifi Credentials Via Netsh.EXE; New Port Forwarding Rule Added Via Netsh.EXE; New Network Trace Capture Started Via Netsh.EXE; Firewall Rule Deleted Via Netsh.EXE; Potential Recon Activity Via Nltest.EXE; Potential Arbitrary […]

New Deployed Rules

Account Management: Outgoing Logon with New Credentials; RottenPotato Like Attack Pattern; Scanner PoC for CVE-2019-0708 RDP RCE Vuln
File Event: WebDAV Temporary Local File Creation; SCR File Write Event
Image Load: Microsoft Office DLL Sideload
Kernel-General: QuarksPwDump Clearing Access History
Network Share Object: Remote Task Creation via ATSVC Named Pipe; Remote Service Activity via SVCCTL Named Pipe; Transferring Files with Credential Data via Network Shares; First […]

New Deployed Rules

Account Management: External Remote RDP Logon from Public IP; KrbRelayUp Attack Pattern
File Event: Suspicious Get-Variable.exe Creation; File Creation In Suspicious Directory By Msdt.EXE; NTDS Exfiltration Filename Patterns
Groups Monitoring: A Member was Added into a VIP Group; A Member was Removed From Monitoring Group
Image Load: Potential Vivaldi_elf.DLL Sideloading
Network Share Object: DCERPC SMB Spoolss Named Pipe; CVE-2021-1675 Print Spooler Exploitation IPC Access
Process […]

New Deployed Rules

Account Management: 1. Admin User Remote Logon 2. External Remote SMB Logon from Public IP
AWS: 3. AWS:Glue Development Endpoint Activity
Big IP@F5: 4. User Connected from two different countries – F5 Big IP
CodeIntegrity: 5. CodeIntegrity – Blocked Image Load With Revoked Certificate
Create Remote Thread: 6. Remote Thread Creation In Mstsc.Exe From Suspicious […]

New Deployed Rules

SentinelOne EDR: 1. User Deleted 2. User Logged In to Management Console
Process Creation: 3. Use of Remote.exe 4. Use of Pcalua For Execution 5. Process Memory Dump Via Dotnet-Dump 6. Detect Virtualbox Driver Installation OR Starting Of VMs 7. Suspicious VBoxDrvInst.exe Parameters 8. Uninstall Crowdstrike Falcon Sensor 9. Suspicious Download Via Certutil.EXE […]

New Deployed Rules

NTFS: 1. Volume Shadow Copy Mount
PowerShell Script: 2. Code Executed Via Office Add-in XLL File 3. Potential Invoke-Mimikatz PowerShell Script 4. Tamper Windows Defender Remove-MpPreference – ScriptBlockLogging 5. Abuse of Service Permissions to Hide Services Via Set-Service – PS
Process Access: 6. WerFault Accessing LSASS 7. LSASS Memory Dump 8. HandleKatz Duplicating LSASS Handle […]

New Deployed Rules

MSMQ: 1. MSMQ Corrupted Packet Encountered
Network Share Object: 2. Protected Storage Service Access 3. Possible Impacket SecretDump Remote Activity
Process Access: 4. Suspicious LSASS Access Via MalSecLogon 5. Mimikatz through Windows Remote Management
Registry Event: 6. Sticky Key Like Backdoor Usage – Registry 7. SNAKE Malware Covert Store Registry Key […]

New Deployed Rules

Process Creation: 1. Suspicious Execution of InstallUtil Without Log 2. Suspicious Execution of InstallUtil To Download 3. Potential PowerShell Execution Via DLL 4. Suspicious Debugger Registration Cmdline 5. Dotnet.exe Exec Dll and Execute Unsigned Code LOLBIN 6. Potential DLL Injection Or Execution Using Tracker.exe 7. Suspicious Msbuild Execution By Uncommon Parent Process 8. Masquerading […]

Does Your CEO Moonlight as a Hacker?

Introduction: While we’re conditioned to scan the periphery for threats, sometimes the most unexpected activities occur right at the heart of our organizations. Envision this: your CEO, who typically stays miles away from the nitty-gritty of IT, launching PowerShell or tinkering with an intricate script. It poses the question – would your Security Operations Center (SOC) […]

New Deployed Rules

Process Creation: Suspicious Ping-Copy Command Combination; LSASS Process Reconnaissance Via Findstr.EXE; Firewall Rule Update Via Netsh.EXE; Scheduled Task Executing Payload from Registry; Potentially Suspicious Call To Win32_NTEventlogFile Class; Suspicious Process Execution From Fake Recycle.Bin Folder; Rebuild Performance Counter Values Via Lodctr.EXE; Potential ShellDispatch.DLL Functionality Abuse; New Virtual Smart Card Created Via TpmVscMgr.EXE; Potential ReflectDebugger Content […]

New Rules Deployed

Windows/Network Connection: Suspicious Epmap Connection; Suspicious Dropbox API Usage; Suspicious Outbound Kerberos Connection; Suspicious Program Location with Network Connections
Windows/System or Application/Service Control Manager: Tap Driver Installation; Invoke-Obfuscation COMPRESS OBFUSCATION – System; Invoke-Obfuscation RUNDLL LAUNCHER – System; Invoke-Obfuscation Via Stdin – System; Invoke-Obfuscation Via Use Clip – System; Invoke-Obfuscation Via Use MSHTA – System; Invoke-Obfuscation Via Use Rundll32 – System; Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION – […]

The Subtle Threat of Usernames with a Trailing Space

In the meticulous arena of cybersecurity, the devil is often in the details. A single character, or even the absence of one, can sometimes be the chink in your armor that adversaries seek. Among such deceptively simple techniques is the creation of a username with a space at the end. A tactic that might seem […]

Wirelessly Connecting to Windows Server

Introduction: Imagine your trusty Windows Server, typically bound by its Ethernet cables, suddenly embracing the wireless age. Intriguing, isn’t it? While a bold and unconventional move, it offers a novel lens through which modern SOC managers and CISOs can view potential vulnerabilities. Let’s delve into the succinct how-to, and then tackle the looming shadow – […]

New Rules Deployed

Windows/Network Connection: 1. Communication To Ngrok.Io 2. Communication To Ngrok Tunneling Service 3. Notepad Making Network Connection 4. RDP Over Reverse SSH Tunnel 5. RDP to HTTP or HTTPS Target Ports 6. Silenttrinity Stager Msbuild Activity 7. Suspicious Office Outbound Connections
Windows/System or Application/Service Control Manager: 8. Mesh Agent Service Installation 9. NetSupport Manager Service Install 10. PAExec Service Installation 11. Service […]

SQL Server Monitoring Essentials

In the vast expanse of a corporation’s digital assets, the Microsoft SQL server often stands as its crown jewel, safeguarding valuable data crucial to business operations. Strangely though, while companies spend large sums on front-end security, SQL servers are sometimes left in the shadows, with their innate monitoring tools overlooked. By default, SQL servers possess […]

The User Who Woke Up From a Coma

Imagine this: An old toy, forgotten and covered with dust, suddenly starts moving on its own after years of inactivity. Creepy, right? This eeriness is not limited to the world of fictional horror movies. In the digital realm, a similar unsettling scenario occurs when a user account, dormant for an extended period, suddenly springs back […]

New Rules Deployed

Rule categories covered: Windows/Network Connection; Windows/System or Application/Service Control Manager; Drive Load; Azure/Azure Active Directory; Windows/Image Load; Windows/Files; Fortigate@Fortinet; Windows/Process Creation; Windows/PowerShell; 365 Defender; Web Cache; Pulse Connect Secure@Pulse Secure; Windows/Registry

Detect Event Log Deletions (Windows)

In the world of cybersecurity, event logs form the cornerstone of threat detection within SIEM (Security Information and Event Management) systems. But how effectively does your Security Operations Center (SOC) identify tampered event logs? This article explores SOC testing within your existing SIEM or during a POC (Proof of Concept). Understanding Conventional Practices: The conventional […]

Access to stored credentials

The aim of this test is to verify that your Security Operations Center (SOC) can effectively detect the “cmdkey /list” command execution. This command is used on Windows systems to list stored credentials and could be exploited by malicious actors to gather sensitive information. Detecting this command allows your SOC to respond promptly to suspicious […]

“Is it Really Good to be the King when it comes to Cybersecurity?”

In the realm of cybersecurity, the saying “It’s good to be the king” takes on a whole new meaning. While traditional kingdoms have only one king, the modern digital landscape presents a different scenario. In the intricate world of technical systems, there isn’t just a single ruling entity, but rather multiple administrators or power users […]

Time to market

One-day SIEM integration