New Deployed Rules

September 14th, 2023


MSMQ:

   1. MSMQ Corrupted Packet Encountered

Network Share Object:

   2. Protected Storage Service Access
   3. Possible Impacket SecretDump Remote Activity

Process Access:

   4. Suspicious LSASS Access Via MalSecLogon
   5. Mimikatz through Windows Remote Management

Registry Event:

   6. Sticky Key Like Backdoor Usage – Registry
   7. SNAKE Malware Covert Store Registry Key

Sysmon@Microsoft:

   8. Multiple System Processes on same Host – Sysmon
   9. Sysmon Configuration Change

Process Creation:

   10. New DLL Registered Via Odbcconf.EXE
   11. Suspicious Response File Execution Via Odbcconf.EXE
   12. Response File Execution Via Odbcconf.EXE
   13. Potential Privilege Escalation via Unquoted Service
   14. Persistence Via TypedPaths – CommandLine
   15. Direct Autorun Keys Modification
   16. Renamed Sysinternals Sdelete Execution
   17. Potential File Overwrite Via Sysinternals SDelete
   18. Potential Cookies Session Hijacking
   19. Curl Web Request With Potential Custom User-Agent
   20. Insecure Proxy-DOH Transfer Via Curl.EXE
   21. Local File Read Using Curl.EXE
   22. Suspicious Download From File-Sharing Website Via Bitsadmin
   23. Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE
   24. Suspicious File Download From IP Via Curl.EXE
   25. Suspicious File Download From File Sharing Domain Via Curl.EXE
   26. Suspicious File Download From IP Via Wget.EXE
   27. Suspicious File Download From File Sharing Domain Via Wget.EXE
   28. Potential Amazon SSM Agent Hijacking
   29. Execution via stordiag.exe
   30. Start of NT Virtual DOS Machine
   31. UAC Bypass via Event Viewer
   32. Suspicious Eventlog Clear or Configuration Change
   33. Suspicious Use of PsLogList
   34. HackTool – SharpEvtMute Execution
   35. Potential Mftrace.EXE Abuse
   36. Pass the Hash Activity 2
   37. RDP Login from Localhost
   38. Remote WMI ActiveScriptEventConsumers
   39. WinAPI Library Calls Via PowerShell Scripts
   40. PowerShell ShellCode
   41. Potential Persistence Via Security Descriptors – ScriptBlock

Account Management:

   42. PowerShell ShellCode
   43. Potential Persistence Via Security Descriptors – ScriptBlock
   44. Raw Paste Service Access
   45. Flash Player Update from Suspicious Location
   46. Windows Defender Suspicious Configuration Changes
   47. Microsoft Defender Tamper Protection Trigger
   48. Wireless Activity on Windows Server
   49. Incoming Mail from Suspicious Mail Address

Threat Intelligence:

   50. TMES – User Login
   51. TMES – Suspicious Phishing from Many Sources to One User
