Sign up for our newsletter
- Rules
November 2nd, 2023
Process CreationSuspicious Execution Location Of Wermgr.EXEPotential CVE-2023-36874 Exploitation – Fake Wermgr ExecutionNetwork Reconnaissance ActivityNode Process ExecutionsNslookup PowerShell Download Cradle – Process CreationSuspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)Harvesting Of Wifi Credentials Via Netsh.EXENew Port Forwarding Rule Added Via Netsh.EXXNew
- Rules
October 26th, 2023
Account ManagementOutgoing Logon with New CredentialsRottenPotato Like Attack PatternScanner PoC for CVE-2019-0708 RDP RCE Vuln File EventWebDAV Temporary Local File CreationSCR File Write Event Image LoadMicrosoft Office DLL Sideload Kernel-GeneralQuarksPwDump Clearing Access History Network Share ObjectRemote Task Creation via ATSVC
- Rules
September 20th, 2023
Process CreationMMC20 Lateral Movement Process CreationMMC Spawning Windows Shell Process CreationPotential Arbitrary Command Execution Using Msdt.EXE Process CreationSuspicious MSDT Parent Process Process CreationRemotely Hosted HTA File Executed Via Mshta.EXE Process CreationSuspicious JavaScript Execution Via Mshta.EXE Process CreationPotential LethalHTA Technique Execution
- Rules
October 12th, 2023
Account ManagementExternal Remote RDP Logon from Public IPKrbRelayUp Attack Pattern File EventSuspicious Get-Variable.exe CreationFile Creation In Suspicious Directory By Msdt.EXENTDS Exfiltration Filename Patterns Groups MonitoringA Member was Added into a VIP GroupA Member was Removed From Monitoring Group Image LoadPotential
- Rules
October 5th, 2023
Acount Management 1. Admin User Remote Logon 2. External Remote SMB Logon from Public IP AWS 3. AWS:Glue Development Endpoint Activity Big IP@F5 4. User Connected from two different countries – F5 Big IP CodeIntegrity 5. CodeIntegrity – Blocked Image
- Rules
September 28th, 2023
SentinelOne EDR 1. User Deleted 2. User Logged In to Management Console Process Creation 3. Use of Remote.exe 4. Use of Pcalua For Execution 5. Process Memory Dump Via Dotnet-Dump 6. Detect Virtualbox Driver Installation OR Starting Of
- Rules
September 21st, 2023
NTFS: 1. Volume Shadow Copy Mount PowerShell Script 2. Code Executed Via Office Add-in XLL File 3. Potential Invoke-Mimikatz PowerShell Script 4. Tamper Windows Defender Remove-MpPreference – ScriptBlockLogging 5. Abuse of Service Permissions to Hide Services Via Set-Service – PS
- Rules
September 14th, 2023
MSMQ: 1. MSMQ Corrupted Packet Encountered Network Share Object: 2. Protected Storage Service Access 3. Possible Impacket SecretDump Remote Activity Process Access: 4. Suspicious LSASS Access Via MalSecLogon 5. Mimikatz through Windows Remote Management Registry Event:
- MSP to MSSP
Seeking how to transform your MSP to MSSP but don’t know how to make your offerings relevant and valuable to the cyber threats out there? CyRay offers a unique value proposition that enables MSPs to transform into MSSPs in just
- Rules
September 7th, 2023
Process Creation: 1. Suspicious Execution of InstallUtil Without Log 2. Suspicious Execution of InstallUtil To Download 3. Potential PowerShell Execution Via DLL 4. Suspicious Debugger Registration Cmdline 5. Dotnet.exe Exec Dll and Execute Unsigned Code LOLBIN 6. Potential DLL
- Rules
September 1st, 2023
Process Creation Suspicious Ping-Copy Command Combination LSASS Process Reconnaissance Via Findstr.EXE Firewall Rule Update Via Netsh.EXE Scheduled Task Executing Payload from Registry Potentially Suspicious Call To Win32_NTEventlogFile Class Suspicious Process Execution From Fake Recycle.Bin Folder Rebuild Performance Counter Values Via
- MSP to MSSP
Managed Service Providers (MSPs) are increasingly looking to bolster their capabilities to meet the rising demands of clients. The transition into Managed Security Service Providers (MSSPs) has emerged as a powerful way to achieve this evolution. This shift not only
- Rules
August 25th, 2023
Windows/Network Connection: Suspicious Epmap ConnectionSuspicious Dropbox API UsageSuspicious Outbound Kerberos ConnectionSuspicious Program Location with Network Connections Windows/System or Application/Service Control Manager: Tap Driver InstallationInvoke-Obfuscation COMPRESS OBFUSCATION – SystemInvoke-Obfuscation RUNDLL LAUNCHER – SystemInvoke-Obfuscation Via Stdin – SystemInvoke-Obfuscation Via Use Clip –
- Rules
August 18th, 2023
Windows/Network Connection: Communication To Ngrok.Io Communication To Ngrok Tunneling Service Notepad Making Network Connection RDP Over Reverse SSH Tunnel RDP to HTTP or HTTPS Target Ports Silenttrinity Stager Msbuild Activity Suspicious Office Outbound Connections Windows/System or Application/Service Control Manager: 8.
- Best practices
Introducing Mobula CyRay’s groundbreaking service, “SAP Monitoring” – a cutting-edge solution designed to ensure the utmost security and operational efficiency of your SAP infrastructure. Leveraging state-of-the-art technologies and intelligent algorithms, SAP Monitoring offers comprehensive oversight and detection capabilities for all
- Rules
August 11th, 2023
Windows/Network Connection: Windows/System or Application/Service Control Manager: Drive Load: Azure/Azure Active Directory: Windows/Image Load: Windows/Files: Fortigate@Fortinet: Windows/Process Creation: Windows/PowerShell: 365 Defender: Web Cache: Pulse Connect Secure@Pulse Secure: Windows/Registry:
- Best practices
Introducing “Priority Monitoring (ERP),” an ingenious Mobula CyRay Service designed to revolutionize the way we safeguard and manage our customers’ critical infrastructure. This innovative solution takes priority monitoring to new heights, ensuring the seamless operation of priority servers and services
- Knowledge
Security Operation Center You can imagine the SOC as a physical room where the network traffic is continually monitored with alerts and visualised information that could be used to respond to a potential cyber-incident. The SOC platform interacts directly with
- Knowledge, SIEM system
Security Information and Event Management. Events are described as any activity on the network performed by event sources, such as routers, switches, applications, or anything that communicates across the network. SIEM software is designed to scan all events on the
- SIEM system
To ensure the best SIEM (Security Information and Event Management) service, there are several key factors to consider. Here are some of the important aspects to look for: 1. Log Collection and Aggregation: A robust SIEM service should have the
- Article, Knowledge
In the realm of cybersecurity, the saying “It’s good to be the king” takes on a whole new meaning. While traditional kingdoms have only one king, the modern digital landscape presents a different scenario. In the intricate world of technical
- Knowledge
The 8 leading factors to consider when choosing your MSSP A Managed Security Service Provider (MSSP) is a company that offers a range of cybersecurity services to organizations. These services include monitoring, detection, and management of network security,
- Article, Best practices
Introduction: As organizations increasingly adopt cloud technologies like Google Cloud Platform (GCP), the need for robust security and monitoring solutions becomes paramount. CyRay, a cutting-edge cybersecurity platform, offers a comprehensive suite of capabilities that enables efficient and effective monitoring of
- Article, Best practices
Mobula Keep-Alive is an essential service designed to ensure the seamless operation of SIEM (Security Information and Event Management) connectors and the overall functionality of the Mobula Platform. With its advanced monitoring capabilities, Mobula Keep-Alive constantly assesses the status of
- Article, Knowledge
Introduction In the ever-evolving landscape of cybersecurity, businesses face increasing challenges in protecting their valuable data and digital assets. As threats become more sophisticated and diverse, organizations must adopt proactive strategies to stay one step ahead of potential breaches. In
- Article
As companies increasingly rely on technology for their day-to-day operations, the amount of data generated has grown exponentially. This data is critical for maintaining the company’s infrastructure’s security and detecting potential security breaches. However, this data is only valuable if
- Best practices, SIEM system
Mobula GitHub Monitoring is a comprehensive security service designed to monitor the GitHub environment and ensure the safety and integrity of your code repositories. With advanced features and vigilant monitoring capabilities, Mobula GitHub Monitoring offers a proactive approach to identifying
- Knowledge
The Security Threat: Mail impersonation is among the most prevalent and successful cyber attacks in today’s digital landscape. This type of attack can be classified into two main categories: phishing and mail impersonation. Phishing attacks aim to steal credentials by
- Article
Introduction Among the multitudes of log sources that are essential for monitoring a company, Windows Event Forwarding (WEF) unequivocally claims the top spot. With the ability to gather thousands of types of events from every computer within an organization, WEF
- Rules
DNS Trace Log Microsoft Windows@Process Creation Microsoft Windows@System Errors Web Cache Web Server Sysmon@Create Remote Thread Sysmon@Files Sysmon@Image Load Sysmon@Registry
- Use cases
Don’t know what it is? Read here to learn: When the organization’s network is not being filtered and monitored using the organization’s firewall, that exposes the organization to a significant security risk. In most organizations the firewall is used as
- Uncategorized
If you didn’t read about it yet, here are some important details to know:Recently, a new top-level domain (TLD) called .zip was introduced by Google. While the creation of new TLDs can bring exciting opportunities, it also opens the door
- Rules
Welcome you to our monthly rules update!We take great pleasure in presenting the most recent rules we created last month to boost your SIEM’s capabilities. Depending on your monitoring products, these rules have been deployed in your system to offer
- Best practices
When dealing with timestamps in SIEM logs, it is crucial to understand the origin and context of each specific timestamp. In SIEM events, multiple timestamps can be encountered, including: 1. End Time – The moment when the event indeed took
- Arcsight, Best practices, SIEM system
Introduction: Security Information and Event Management (SIEM) systems play a crucial role in organizations’ cybersecurity efforts. They collect, analyze, and correlate logs from various sources to detect and respond to security incidents. In this article, we’ll explore the process of
