New Deployed Rules

November 2nd, 2023

  • Process Creation
    Suspicious Execution Location Of Wermgr.EXE
    Potential CVE-2023-36874 Exploitation – Fake Wermgr Execution
    Network Reconnaissance Activity
    Node Process Executions
    Nslookup PowerShell Download Cradle – Process Creation
    Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)
    Harvesting Of Wifi Credentials Via Netsh.EXE
    New Port Forwarding Rule Added Via Netsh.EXE
    New Network Trace Capture Started Via Netsh.EXE
    Firewall Rule Deleted Via Netsh.EXE
    Potential Recon Activity Via Nltest.EXE
    Potential Arbitrary Code Execution Via Node.EXE
    Wscript Shell Run In CommandLine
    Suspicious Cabinet File Execution Via Msdt.EXE
    Perl Inline Command Execution
    Php Inline Command Execution
    Ping Hex IP
    PktMon.EXE Execution
    Suspicious Plink Port Forwarding
    Psr.exe Capture Screenshots
    Use of FSharp Interpreters
    GfxDownloadWrapper.exe Downloads File from Suspicious URL
    Ie4uinit Lolbin Use From Invalid Path
    Ilasm Lolbin Use Compile C-Sharp
    JSC Convert Javascript To Executable
    Launch-VsDevShell.PS1 Proxy Execution
    Execute Files with Msdeploy.exe
    Replace.exe Usage
    Suspicious Runscripthelper.exe
    Use of Scriptrunner.exe
    Lolbin Defaultpack.exe Use As Proxy
    DeviceCredentialDeployment Execution

  • Proxy
    Telegram API Access
    Rclone Activity via Proxy

  • Registry Set
    Potential Persistence Via Shim Database In Uncommon Location
    Suspicious Shim Database Patching Activity
    Potential Persistence Via Shim Database Modification
    Potential Registry Persistence Attempt Via Windows Telemetry
    Potential Provisioning Registry Key Abuse For Binary Proxy Execution – REG
    New BgInfo.EXE Custom DB Path Registry Configuration
    New BgInfo.EXE Custom VBScript Registry Configuration
    New BgInfo.EXE Custom WMI Query Registry Configuration

  • Security
    Activity By User Without any Characters or Digits
    Addition of Domain Trusts
    Suspicious Windows ANONYMOUS LOGON Local Account Created
    Possible Shadow Credentials Added
    Powerview Add-DomainObjectAcl DCSync AD Extend Right
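
To make the kind of logic behind the Process Creation rules above concrete, the following is an added example, written for this page and not the vendor's rule bodies or code from the original post. It approximates four of the listed rules (New Port Forwarding Rule Added Via Netsh.EXE, Suspicious Execution Location Of Wermgr.EXE, Nslookup PowerShell Download Cradle, Ping Hex IP) and runs them over constructed Sysmon-style process-creation events. The event field names, the list of directories treated as legitimate for wermgr.exe, the command-line patterns and the sample events are all assumptions made for the example.

```python
"""Approximate detection logic for a few of the listed process-creation rules.

Illustrative code added for this page; not the vendor's rules. The event
shape (Sysmon EventID 1 style field names), the allowed wermgr.exe paths,
the matched command-line patterns and the sample events are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal process-creation record (field names modelled on Sysmon EventID 1)."""
    image: str
    command_line: str
    parent_image: str = ""


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows (or forward-slash) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Directories where wermgr.exe legitimately lives (assumption for this example).
WERMGR_ALLOWED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
)

# A ping target written as a hexadecimal integer, e.g. "ping 0x7f000001".
HEX_IP = re.compile(r"(?:^|\s)0x[0-9a-f]{1,8}(?:\s|$)", re.IGNORECASE)


def rule_netsh_portproxy_add(ev: ProcessEvent) -> bool:
    """netsh.exe adding a portproxy entry (approximation of the netsh port-forwarding rule)."""
    cl = ev.command_line.lower()
    return _basename(ev.image) == "netsh.exe" and "portproxy" in cl and " add " in f" {cl} "


def rule_wermgr_uncommon_location(ev: ProcessEvent) -> bool:
    """wermgr.exe running from outside its expected system directories."""
    img = ev.image.lower()
    return _basename(img) == "wermgr.exe" and not img.startswith(WERMGR_ALLOWED_DIRS)


def rule_nslookup_powershell_cradle(ev: ProcessEvent) -> bool:
    """PowerShell spawning nslookup with a TXT query (payload staged in DNS TXT records)."""
    cl = ev.command_line.lower()
    return (
        _basename(ev.parent_image) in ("powershell.exe", "pwsh.exe")
        and _basename(ev.image) == "nslookup.exe"
        and any(tok in cl for tok in ("-q=txt", "-querytype=txt", "-type=txt"))
    )


def rule_ping_hex_ip(ev: ProcessEvent) -> bool:
    """ping.exe invoked with a hex-encoded IP address."""
    return _basename(ev.image) == "ping.exe" and bool(HEX_IP.search(ev.command_line))


# Rule names taken from the list above; bodies are this example's approximations.
RULES = {
    "New Port Forwarding Rule Added Via Netsh.EXE": rule_netsh_portproxy_add,
    "Suspicious Execution Location Of Wermgr.EXE": rule_wermgr_uncommon_location,
    "Nslookup PowerShell Download Cradle - Process Creation": rule_nslookup_powershell_cradle,
    "Ping Hex IP": rule_ping_hex_ip,
}


def evaluate(events):
    """Return {rule name: [indices of matching events]} for every rule."""
    return {name: [i for i, ev in enumerate(events) if fn(ev)] for name, fn in RULES.items()}


# Constructed sample events (not real telemetry): each rule has one hit and one benign look-alike.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\netsh.exe",
                 "netsh interface portproxy add v4tov4 listenport=8443 connectaddress=10.0.0.5 connectport=3389", CMD),
    ProcessEvent(r"C:\Windows\System32\netsh.exe", "netsh interface portproxy show all", CMD),
    ProcessEvent(r"C:\Users\Public\wermgr.exe", "wermgr.exe -upload", r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\wermgr.exe", "wermgr.exe -upload", r"C:\Windows\System32\svchost.exe"),
    ProcessEvent(r"C:\Windows\System32\nslookup.exe", "nslookup -q=txt payload.example.com", PS),
    ProcessEvent(r"C:\Windows\System32\nslookup.exe", "nslookup -q=txt example.com", CMD),
    ProcessEvent(r"C:\Windows\System32\PING.EXE", "ping 0x7f000001", CMD),
    ProcessEvent(r"C:\Windows\System32\PING.EXE", "ping 127.0.0.1", CMD),
]

if __name__ == "__main__":
    for name, hits in evaluate(SAMPLE_EVENTS).items():
        print(f"{name}: events {hits}")
```

Each rule keys on the image name plus one command-line or path property, which is what makes the benign look-alikes (a `portproxy show`, wermgr.exe from System32, nslookup spawned by cmd.exe, a dotted-decimal ping) fall through. When adapting logic like this, the wermgr.exe directory allowlist and the nslookup parent-process list are the tuning points most likely to need adjustment for a given environment.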
