New Deployed Rules

September 14th, 2023


MSMQ:

   1. MSMQ Corrupted Packet Encountered

Network Share Object:

   2. Protected Storage Service Access
   3. Possible Impacket SecretDump Remote Activity

Process Access:

   4. Suspicious LSASS Access Via MalSecLogon
   5. Mimikatz through Windows Remote Management

Registry Event:

   6. Sticky Key Like Backdoor Usage – Registry
   7. SNAKE Malware Covert Store Registry Key

Sysmon@Microsoft:

   8. Multiple System Processes on same Host – Sysmon
   9. Sysmon Configuration Change

Process Creation:

   10. New DLL Registered Via Odbcconf.EXE
   11. Suspicious Response File Execution Via Odbcconf.EXE
   12. Response File Execution Via Odbcconf.EXE
   13. Potential Privilege Escalation via Unquoted Service
   14. Persistence Via TypedPaths – CommandLine
   15. Direct Autorun Keys Modification
   16. Renamed Sysinternals Sdelete Execution
   17. Potential File Overwrite Via Sysinternals SDelete
   18. Potential Cookies Session Hijacking
   19. Curl Web Request With Potential Custom User-Agent
   20. Insecure Proxy-DOH Transfer Via Curl.EXE
   21. Local File Read Using Curl.EXE
   22. Suspicious Download From File-Sharing Website Via Bitsadmin
   23. Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE
   24. Suspicious File Download From IP Via Curl.EXE
   25. Suspicious File Download From File Sharing Domain Via Curl.EXE
   26. Suspicious File Download From IP Via Wget.EXE
   27. Suspicious File Download From File Sharing Domain Via Wget.EXE
   28. Potential Amazon SSM Agent Hijacking
   29. Execution via stordiag.exe
   30. Start of NT Virtual DOS Machine
   31. UAC Bypass via Event Viewer
   32. Suspicious Eventlog Clear or Configuration Change
   33. Suspicious Use of PsLogList
   34. HackTool – SharpEvtMute Execution
   35. Potential Mftrace.EXE Abuse
   36. Pass the Hash Activity 2
   37. RDP Login from Localhost
   38. Remote WMI ActiveScriptEventConsumers
   39. WinAPI Library Calls Via PowerShell Scripts
   40. PowerShell ShellCode
   41. Potential Persistence Via Security Descriptors – ScriptBlock

Account Management:

   42. PowerShell ShellCode
   43. Potential Persistence Via Security Descriptors – ScriptBlock
   44. Raw Paste Service Access
   45. Flash Player Update from Suspicious Location
   46. Windows Defender Suspicious Configuration Changes
   47. Microsoft Defender Tamper Protection Trigger
   48. Wireless Activity on Windows Server
   49. Incoming Mail from Suspicious Mail Address

Threat Intelligence:

   50. TMES – User Login
   51. TMES – Suspicious Phishing from Many Sources to One User
