
November 2nd, 2023

Process Creation:
1. Suspicious Execution Location Of Wermgr.EXE
2. Potential CVE-2023-36874 Exploitation – Fake Wermgr Execution
3. Network Reconnaissance Activity
4. Node Process Executions
5. Nslookup PowerShell Download Cradle – Process Creation
6. Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)
7. Harvesting Of Wifi Credentials Via Netsh.EXE
8. New Port Forwarding Rule Added Via Netsh.EXE
9. New

October 26th, 2023

Account Management:
1. Outgoing Logon with New Credentials
2. RottenPotato Like Attack Pattern
3. Scanner PoC for CVE-2019-0708 RDP RCE Vuln
File Event:
4. WebDAV Temporary Local File Creation
5. SCR File Write Event
Image Load:
6. Microsoft Office DLL Sideload
Kernel-General:
7. QuarksPwDump Clearing Access History
Network Share Object:
8. Remote Task Creation via ATSVC

September 20th, 2023

Process Creation:
1. MMC20 Lateral Movement
2. MMC Spawning Windows Shell
3. Potential Arbitrary Command Execution Using Msdt.EXE
4. Suspicious MSDT Parent Process
5. Remotely Hosted HTA File Executed Via Mshta.EXE
6. Suspicious JavaScript Execution Via Mshta.EXE
7. Potential LethalHTA Technique Execution

October 12th, 2023

Account Management:
1. External Remote RDP Logon from Public IP
2. KrbRelayUp Attack Pattern
File Event:
3. Suspicious Get-Variable.exe Creation
4. File Creation In Suspicious Directory By Msdt.EXE
5. NTDS Exfiltration Filename Patterns
Groups Monitoring:
6. A Member was Added into a VIP Group
7. A Member was Removed From Monitoring Group
Image Load:
8. Potential

October 5th, 2023

Account Management:
1. Admin User Remote Logon
2. External Remote SMB Logon from Public IP
AWS:
3. AWS:Glue Development Endpoint Activity
Big IP@F5:
4. User Connected from two different countries – F5 Big IP
CodeIntegrity:
5. CodeIntegrity – Blocked Image

September 28th, 2023

SentinelOne EDR:
1. User Deleted
2. User Logged In to Management Console
Process Creation:
3. Use of Remote.exe
4. Use of Pcalua For Execution
5. Process Memory Dump Via Dotnet-Dump
6. Detect Virtualbox Driver Installation OR Starting Of

September 21st, 2023

NTFS:
1. Volume Shadow Copy Mount
PowerShell Script:
2. Code Executed Via Office Add-in XLL File
3. Potential Invoke-Mimikatz PowerShell Script
4. Tamper Windows Defender Remove-MpPreference – ScriptBlockLogging
5. Abuse of Service Permissions to Hide Services Via Set-Service – PS

September 14th, 2023

MSMQ:
1. MSMQ Corrupted Packet Encountered
Network Share Object:
2. Protected Storage Service Access
3. Possible Impacket SecretDump Remote Activity
Process Access:
4. Suspicious LSASS Access Via MalSecLogon
5. Mimikatz through Windows Remote Management
Registry Event:

Seeking how to transform your MSP to MSSP but don’t know how to make your offerings relevant and valuable to the cyber threats out there? CyRay offers a unique value proposition that enables MSPs to transform into MSSPs in just

September 7th, 2023

Process Creation:
1. Suspicious Execution of InstallUtil Without Log
2. Suspicious Execution of InstallUtil To Download
3. Potential PowerShell Execution Via DLL
4. Suspicious Debugger Registration Cmdline
5. Dotnet.exe Exec Dll and Execute Unsigned Code LOLBIN
6. Potential DLL

September 1st, 2023

Process Creation:
1. Suspicious Ping-Copy Command Combination
2. LSASS Process Reconnaissance Via Findstr.EXE
3. Firewall Rule Update Via Netsh.EXE
4. Scheduled Task Executing Payload from Registry
5. Potentially Suspicious Call To Win32_NTEventlogFile Class
6. Suspicious Process Execution From Fake Recycle.Bin Folder
7. Rebuild Performance Counter Values Via

Managed Service Providers (MSPs) are increasingly looking to bolster their capabilities to meet the rising demands of clients. The transition into Managed Security Service Providers (MSSPs) has emerged as a powerful way to achieve this evolution. This shift not only

August 25th, 2023

Windows/Network Connection:
1. Suspicious Epmap Connection
2. Suspicious Dropbox API Usage
3. Suspicious Outbound Kerberos Connection
4. Suspicious Program Location with Network Connections
Windows/System or Application/Service Control Manager:
5. Tap Driver Installation
6. Invoke-Obfuscation COMPRESS OBFUSCATION – System
7. Invoke-Obfuscation RUNDLL LAUNCHER – System
8. Invoke-Obfuscation Via Stdin – System
9. Invoke-Obfuscation Via Use Clip –

August 18th, 2023

Windows/Network Connection:
1. Communication To Ngrok.Io
2. Communication To Ngrok Tunneling Service
3. Notepad Making Network Connection
4. RDP Over Reverse SSH Tunnel
5. RDP to HTTP or HTTPS Target Ports
6. Silenttrinity Stager Msbuild Activity
7. Suspicious Office Outbound Connections
Windows/System or Application/Service Control Manager:
8.

Introducing Mobula CyRay’s groundbreaking service, “SAP Monitoring” – a cutting-edge solution designed to ensure the utmost security and operational efficiency of your SAP infrastructure. Leveraging state-of-the-art technologies and intelligent algorithms, SAP Monitoring offers comprehensive oversight and detection capabilities for all

August 11th, 2023

Windows/Network Connection:
Windows/System or Application/Service Control Manager:
Driver Load:
Azure/Azure Active Directory:
Windows/Image Load:
Windows/Files:
Fortigate@Fortinet:
Windows/Process Creation:
Windows/PowerShell:
365 Defender:
Web Cache:
Pulse Connect Secure@Pulse Secure:
Windows/Registry:

Introducing “Priority Monitoring (ERP),” an ingenious Mobula CyRay Service designed to revolutionize the way we safeguard and manage our customers’ critical infrastructure. This innovative solution takes priority monitoring to new heights, ensuring the seamless operation of priority servers and services

Security Operation Center. You can imagine the SOC as a physical room where the network traffic is continually monitored with alerts and visualised information that could be used to respond to a potential cyber-incident. The SOC platform interacts directly with

Security Information and Event Management. Events are described as any activity on the network performed by event sources, such as routers, switches, applications, or anything that communicates across the network. SIEM software is designed to scan all events on the

To ensure the best SIEM (Security Information and Event Management) service, there are several key factors to consider. Here are some of the important aspects to look for: 1. Log Collection and Aggregation: A robust SIEM service should have the

In the realm of cybersecurity, the saying “It’s good to be the king” takes on a whole new meaning. While traditional kingdoms have only one king, the modern digital landscape presents a different scenario. In the intricate world of technical

The 8 leading factors to consider when choosing your MSSP. A Managed Security Service Provider (MSSP) is a company that offers a range of cybersecurity services to organizations. These services include monitoring, detection, and management of network security,

Introduction: As organizations increasingly adopt cloud technologies like Google Cloud Platform (GCP), the need for robust security and monitoring solutions becomes paramount. CyRay, a cutting-edge cybersecurity platform, offers a comprehensive suite of capabilities that enables efficient and effective monitoring of

Mobula Keep-Alive is an essential service designed to ensure the seamless operation of SIEM (Security Information and Event Management) connectors and the overall functionality of the Mobula Platform. With its advanced monitoring capabilities, Mobula Keep-Alive constantly assesses the status of

Introduction In the ever-evolving landscape of cybersecurity, businesses face increasing challenges in protecting their valuable data and digital assets. As threats become more sophisticated and diverse, organizations must adopt proactive strategies to stay one step ahead of potential breaches. In

As companies increasingly rely on technology for their day-to-day operations, the amount of data generated has grown exponentially. This data is critical for maintaining the company’s infrastructure’s security and detecting potential security breaches. However, this data is only valuable if

Mobula GitHub Monitoring is a comprehensive security service designed to monitor the GitHub environment and ensure the safety and integrity of your code repositories. With advanced features and vigilant monitoring capabilities, Mobula GitHub Monitoring offers a proactive approach to identifying

The Security Threat: Mail impersonation is among the most prevalent and successful cyber attacks in today’s digital landscape. This type of attack can be classified into two main categories: phishing and mail impersonation. Phishing attacks aim to steal credentials by

Introduction Among the multitudes of log sources that are essential for monitoring a company, Windows Event Forwarding (WEF) unequivocally claims the top spot. With the ability to gather thousands of types of events from every computer within an organization, WEF

DNS Trace Log
Microsoft Windows@Process Creation
Microsoft Windows@System Errors
Web Cache
Web Server
Sysmon@Create Remote Thread
Sysmon@Files
Sysmon@Image Load
Sysmon@Registry

Don’t know what it is? Read here to learn: When the organization’s network is not being filtered and monitored using the organization’s firewall, that exposes the organization to a significant security risk. In most organizations the firewall is used as

If you didn’t read about it yet, here are some important details to know: Recently, a new top-level domain (TLD) called .zip was introduced by Google. While the creation of new TLDs can bring exciting opportunities, it also opens the door

Welcome to our monthly rules update! We take great pleasure in presenting the most recent rules we created last month to boost your SIEM’s capabilities. Depending on your monitoring products, these rules have been deployed in your system to offer

When dealing with timestamps in SIEM logs, it is crucial to understand the origin and context of each specific timestamp. In SIEM events, multiple timestamps can be encountered, including: 1. End Time – The moment when the event indeed took

Introduction: Security Information and Event Management (SIEM) systems play a crucial role in organizations’ cybersecurity efforts. They collect, analyze, and correlate logs from various sources to detect and respond to security incidents. In this article, we’ll explore the process of
