New Deployed Rules

September 21st, 2023


   1. Volume Shadow Copy Mount

PowerShell Script
   2. Code Executed Via Office Add-in XLL File
   3. Potential Invoke-Mimikatz PowerShell Script
   4. Tamper Windows Defender Remove-MpPreference – ScriptBlockLogging
   5. Abuse of Service Permissions to Hide Services Via Set-Service – PS

Process Access
   6. WerFault Accessing LSASS
   7. LSASS Memory Dump
   8. HandleKatz Duplicating LSASS Handle
   9. Malware Shellcode in Verclsid Target Process
   10. Potential Svchost Memory Access
   11. CobaltStrike BOF Injection Pattern
   12. SysmonEntry Usage
   13. LSASS Access from White-Listed Processes
   14. LSASS Memory Access by Tool Named Dump
   15. SVCHOST Credential Dump
   16. UAC Bypass Using WOW64 Logger DLL Hijack

Process Creation
   17. Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution
   18. Suspicious Shim Database Installation via Sdbinst.EXE
   19. Dumping Process via Sqldumper.exe
   20. Use of TTDInject.exe
   21. Potential Download-Upload Activity Using Type Command
   22. Lolbin Unregmp2.exe Use As Proxy
   23. UtilityFunctions.ps1 Proxy Dll
   24. Use of VisualUiaVerifyNative.exe
   25. Use of VSIISExeLauncher.exe
   26. Use of Wfc.exe
   27. Microsoft Workflow Compiler Execution
   28. Use Of The SFTP.EXE Binary As A LOLBIN
   29. Suspicious Sigverif Execution
   30. Use of Setres.exe
   31. Lolbin Runexehelper Use As Proxy

   32. Sysmon Blocked File Shredding
   33. Sysmon File Executable Creation Detected

   34. Suspicious LDAP-Attributes Used
   35. Possible DC Shadow Attack

SentinelOne EDR@SentinelOne
   36. SentinelOne EDR – Agent Decommissioned
   37. SentinelOne EDR – Infostealer

Registry Event
   38. WINEKEY Registry Modification
   39. Security Support Provider (SSP) Added to LSA Configuration
   40. Suspicious Run Key from Download
   41. DLL Load via LSASS

Network Share Object
   42. Possible PetitPotam Coerce Authentication Attempt
   43. Impacket PsExec Execution
   44. Persistence and Execution at Scale via GPO Scheduled Task
   45. DCOM InternetExplorer.Application Iertutil DLL Hijack – Security

   46. AWS GuardDuty Important Change
   47. AWS S3 Data Management Tampering
   48. AWS:STS Suspicious SAML Activity
   49. AWS:SES Identity Has Been Deleted
   50. AWS:ECS Task Definition That Queries The Credential Endpoint

More to explorer

New Deployed Rules

Process CreationSuspicious Execution Location Of Wermgr.EXEPotential CVE-2023-36874 Exploitation – Fake Wermgr ExecutionNetwork Reconnaissance ActivityNode Process ExecutionsNslookup PowerShell Download Cradle – Process CreationSuspicious

New Deployed Rules

Account ManagementOutgoing Logon with New CredentialsRottenPotato Like Attack PatternScanner PoC for CVE-2019-0708 RDP RCE Vuln File EventWebDAV Temporary Local File CreationSCR File

New Deployed Rules

Process CreationMMC20 Lateral Movement Process CreationMMC Spawning Windows Shell Process CreationPotential Arbitrary Command Execution Using Msdt.EXE Process CreationSuspicious MSDT Parent Process Process

Sign up for our newsletter

Time to market

One-day SIEM integration