New Deployed Rules

September 28th, 2023


SentinelOne EDR
   1. User Deleted
   2. User Logged In to Management Console

Process Creation
   3. Use of Remote.exe
   4. Use of Pcalua For Execution
   5. Process Memory Dump Via Dotnet-Dump
   6. Detect Virtualbox Driver Installation OR Starting Of VMs
   7. Suspicious VBoxDrvInst.exe Parameters
   8. Uninstall Crowdstrike Falcon Sensor
   9. Suspicious Download Via Certutil.EXE
   10. Bypass UAC via Fodhelper.exe
   11. Chopper Webshell Process Pattern
   12. Install New Package Via Winget Local Manifest
   13. Winrar Compressing Dump Files
   14. Potential SNAKE Malware Installation Binary Indicator
   15. Potential SNAKE Malware Persistence Service Execution
   16. Rhadamanthys Stealer Module Launch Via Rundll32.EXE
   17. File Decryption Using Gpg4win
   18. File Encryption Using Gpg4win
   19. Portable Gpg.EXE Execution
   20. Potential Mpclient.DLL Sideloading Via Defender Binaries
   21. Potential Provlaunch.EXE Binary Proxy Execution Abuse
   22. Suspicious Provlaunch.EXE Child Process
   23. Potential Provisioning Registry Key Abuse For Binary Proxy Execution
   24. Renamed Gpg.EXE Execution
   25. Potential Binary Proxy Execution Via VSDiagnostics.EXE
   26. Tor Client-Browser Execution
   27. DLL Loaded via CertOC.EXE
   28. Suspicious DLL Loaded via CertOC.EXE

   29. KMS CMK Disabled Or Scheduled For Deletion
   30. Redshift Persistence Redshift Instance Creation

   31. Success Login from Unauthorized Country – Azure AD

Big IP (F5)
   32. User Connected by VPN from Unauthorized Country
   33. User Connected by VPN Outside Working Hours

   34. Event Log Cleared

File Event
   35. CVE-2021-44077 POC Default Dropped File
   36. CVE-2022-24527 Microsoft Connected Cache LPE
   37. DLL Search Order Hijacking Via Additional Space in Path
   38. Suspicious ASPX File Drop by Exchange
   39. Typical HiveNightmare SAM File Export
   40. Octopus Scanner Malware

Fortigate (Fortinet)
   41. User Removed from Admin Group

   42. Full Network Traffic Packet Capture
   43. VPN Tunnel Modified or Deleted

Groups Monitoring
   44. Privileged Group was Deleted
   45. A Member was Added into a Monitoring Group

   46. Search-ms and WebDAV Suspicious Indicators in URL
   47. Devil Bait Potential C2 Communication Traffic

Pulse Connect Secure (Pulse Secure)
   48. Multiple Failed User Login

Registry Event
   49. Office Application Startup – Office Test
   50. Windows Registry Trust Record Modification
   51. Registry Persistence Mechanisms in Recycle Bin

More to explorer

New Deployed Rules

Process CreationSuspicious Execution Location Of Wermgr.EXEPotential CVE-2023-36874 Exploitation – Fake Wermgr ExecutionNetwork Reconnaissance ActivityNode Process ExecutionsNslookup PowerShell Download Cradle – Process CreationSuspicious

New Deployed Rules

Account ManagementOutgoing Logon with New CredentialsRottenPotato Like Attack PatternScanner PoC for CVE-2019-0708 RDP RCE Vuln File EventWebDAV Temporary Local File CreationSCR File

New Deployed Rules

Process CreationMMC20 Lateral Movement Process CreationMMC Spawning Windows Shell Process CreationPotential Arbitrary Command Execution Using Msdt.EXE Process CreationSuspicious MSDT Parent Process Process

Sign up for our newsletter

Time to market

One-day SIEM integration