Deployed Rules Of The Week

DNS Trace Log

  1. DNS Trace Log

Microsoft Windows@Process Creation

  1. Driver-DLL Installation Via Odbcconf.EXE
  2. New Root Certificate Installed Via CertMgr.EXE
  3. New Root Certificate Installed Via Certutil.EXE
  4. Password Protected Compressed File Extraction Via 7Zip
  5. Potential Qakbot Rundll32 Execution
  6. Potential Regsvr32 Commandline Flag Anomaly
  7. Potentially Suspicious Child Process Of Regsvr32
  8. Potentially Suspicious Regsvr32 HTTP IP Pattern
  9. Potentially Suspicious Regsvr32 HTTP-FTP Pattern
  10. Qakbot Regsvr32 Calc Pattern
  11. Qakbot Rundll32 Exports Execution
  12. Qakbot Rundll32 Fake DLL Extension Execution
  13. Regsvr32 DLL Execution With Suspicious File Extension
  14. Regsvr32 DLL Execution With Uncommon Extension
  15. Regsvr32 Execution From Highly Suspicious Location
  16. Regsvr32 Execution From Potential Suspicious Location
  17. Scripting-CommandLine Process Spawned Regsvr32
  18. Small Sieve Malware CommandLine Indicator

Microsoft Windows@System Errors

  1. Windows Server Shutdown Abnormal

Web Cache

  1. iOS Implant URL Pattern
  2. PwnDrp Access
  3. Small Sieve Malware Potential C2 Communication
  4. Suspicious Network Communication With IPFS
  5. Ursnif Malware Download URL Pattern
  6. Windows PowerShell User Agent
  7. Windows WebDAV User Agent

Web Server

  1. Suspicious Windows Strings In URI

Sysmon@Create Remote Thread

  1. CreateRemoteThread API and LoadLibrary
  2. Potential Credential Dumping Attempt Via PowerShell Remote Thread
  3. Remote Thread Creation Ttdinject.exe Proxy
  4. Remote Thread Creation Via PowerShell In Rundll32

Sysmon@Files

  1. EventLog EVTX File Deleted
  2. Exchange PowerShell Cmdlet History Deleted
  3. File Deleted Via Sysinternals SDelete
  4. IIS WebServer Access Logs Deleted
  5. PowerShell Console History Logs Deleted
  6. Prefetch File Deleted
  7. TeamViewer Log File Deleted
  8. Tomcat WebServer Logs Deleted
  9. Unusual File Deletion by Dns.exe
  10. Malicious PowerShell Scripts – FileCreation
  11. Potential Binary Or Script Dropper Via PowerShell
  12. Potential MOVEit Transfer Exploitation
  13. Potential Startup Shortcut Persistence Via PowerShell.EXE
  14. Potential Suspicious PowerShell Module File Created
  15. PowerShell Module File Created
  16. PowerShell Script Dropped Via PowerShell.EXE
  17. Rclone Config File Creation
  18. Small Sieve Malware File Indicator Creation

Sysmon@Image Load

  1. Sysmon@Image Load

Sysmon@Registry

  1. Small Sieve Malware Registry Persistence
