New Deployed Rules

September 7th, 2023


Process Creation:

   1. Suspicious Execution of InstallUtil Without Log
   2. Suspicious Execution of InstallUtil To Download
   3. Potential PowerShell Execution Via DLL
   4. Suspicious Debugger Registration Cmdline
   5. Dotnet.exe Exec Dll and Execute Unsigned Code LOLBIN
   6. Potential DLL Injection Or Execution Using Tracker.exe
   7. Suspicious Msbuild Execution By Uncommon Parent Process
   8. Masquerading Through Unicode Right-To-Left Override (RTLO)
   9. SyncAppvPublishingServer Execute Arbitrary PowerShell Code
   10. SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code
   11. Regasm-Regsvcs Suspicious Execution
   12. Exfiltration and Tunneling Tools Execution
   13. Potential RDP Tunneling Via SSH Plink
   14. Renamed Plink Execution
   15. Potential RDP Tunneling Via SSH
   16. Potential Maze Ransomware Activity
   17. Remote PowerShell Session Host Process (WinRM)
   18. Suspicious Processes Spawned by WinRM
   19. Shadow Copies Creation Using Operating Systems Utilities
   20. SystemStateBackup Deleted Using Wbadmin.EXE
   21. Shadow Copies Deletion Using Operating Systems Utilities
   22. Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE
   23. Boot Configuration Tampering Via Bcdedit.EXE
   24. Use of Forfiles For Execution
   25. PUA – CsExec Execution
   26. File Download with Headless Browser

File Event:

   27. Suspicious File Event With Teams Objects
   28. BloodHound Collection Files
   29. Cred Dump Tools Dropped Files
   30. WScript or CScript Dropper – File
   31. CVE-2021-26858 Exchange Exploitation


   32. AWS EFS Fileshare Mount Modified or Deleted
   33. AWS ElastiCache Security Group Modified or Deleted

Groups Monitoring:

   34. VIP User Deleted – Windows
   35. VIP User Disabled – Windows
   36. VIP User Password Changed – Windows
   37. A Member was Removed From Privileged Group

User and Group Management:

   38. User Was Created With a Space On The End – Windows
   39. User Was Created With Non Charecters or Digits (Ghost) – Windows
   40. User Was Created With Non Charecter or Digit on The End – Windows

SentinelOne EDR@SentinelOne:

   41. SentinelOne EDR – Added Firewall Rule
   42. SentinelOne EDR – Malware

Image Load:

   43. Abusable DLL Potential Sideloading From Suspicious Location
   44. Potential CCleanerDU.DLL Sideloading
   45. Potential CCleanerReactivator.DLL Sideloading

Pipe Created:

   46. CSExec Default Named Pipe
   47. RemCom Default Named Pipe

PowerShell Script:

   48. Execute Invoke-command on Remote Host
   49. SyncAppvPublishingServer Execution to Bypass PowerShell Restriction
   50. Security Software Discovery by PowerShell

More to explorer

New Deployed Rules

Process CreationSuspicious Execution Location Of Wermgr.EXEPotential CVE-2023-36874 Exploitation – Fake Wermgr ExecutionNetwork Reconnaissance ActivityNode Process ExecutionsNslookup PowerShell Download Cradle – Process CreationSuspicious

New Deployed Rules

Account ManagementOutgoing Logon with New CredentialsRottenPotato Like Attack PatternScanner PoC for CVE-2019-0708 RDP RCE Vuln File EventWebDAV Temporary Local File CreationSCR File

New Deployed Rules

Process CreationMMC20 Lateral Movement Process CreationMMC Spawning Windows Shell Process CreationPotential Arbitrary Command Execution Using Msdt.EXE Process CreationSuspicious MSDT Parent Process Process

Sign up for our newsletter

Time to market

One-day SIEM integration