New Deployed Rules

October 5th, 2023

Account Management
   1. Admin User Remote Logon 
   2. External Remote SMB Logon from Public IP

   3. AWS:Glue Development Endpoint Activity

Big IP@F5
   4. User Connected from two different countries – F5 Big IP

   5. CodeIntegrity – Blocked Image Load With Revoked Certificate

Create Remote Thread
   6. Remote Thread Creation In Mstsc.Exe From Suspicious Location

Endpoint Protection@Symantec
   7. Antivirus detection – Symantec Endpoint Protection
   8. Antivirus advanced heuristic detection – Symantec Endpoint Protection

File Event
   9. Adwind RAT-JRAT File Artifact
   10. PCRE.NET Package Temp Files
   11. Potential RipZip Attack on Startup Folder
   12. Potential Winnti Dropper Activity
   13. Suspicious Creation TXT File in User Desktop

Groups Monitoring
   14. A Member was Removed From VIP Group
   15. Interactive Login Alert – Windows

Image Load
   16. VMMap Dbghelp.DLL Potential Sideloading
   17. Potential AVKkid.DLL Sideloading
   18. Potential EACore.DLL Sideloading
   19. Potential Mfdetours.DLL Sideloading

Process Creation
   20. Deleted Data Overwritten Via Cipher.EXE
   21. Potential NTLM Coercion Via Certutil.EXE
   22. Active Directory Structure Export Via Csvde.EXE
   23. Data Copied To Clipboard Via Clip.EXE
   24. Arbitrary MSI Download Via Devinit.EXE
   25. Conhost.exe CommandLine Path Traversal
   26. DirLister Execution
   27. Suspicious HWP Sub Processes
   28. Fake Instance Of Hxtsr.exe
   29. Use Icacls to Hide File to Everyone
   30. Disable Windows IIS HTTP Logging
   31. Microsoft IIS Service Account Password Dumped
   32. Suspicious IIS URL GlobalRules Rewrite Via AppCmd
   33. IIS Native-Code Module Command Line Installation
   34. Microsoft IIS Connection Strings Decryption
   35. Suspicious IIS Module Registration
   36. Suspicious SysAidServer Child
   37. AspNetCompiler Execution
   38. Potentially Suspicious ASP.NET Compilation Via AspNetCompiler
   39. Suspicious Child Process of AspNetCompiler
   40. Indirect Inline Command Execution Via Bash.EXE
   41. Suspicious Child Process Of BgInfo.EXE
   42. Uncommon Child Process Of BgInfo.EXE
   43. Potential Process Execution Proxy Via CL_Invocation.ps1
   44. LOLBIN Execution Of The FTP.EXE Binary
   45. Potential Script Proxy Execution Via CL_Mutexverifiers.ps1

TMES@Trend Micro
   46. TMES – Suspicious Web Reputation
   47. TMES – Suspicious Phishing from One Source to Many Users
   48. TMES – Suspicious Phishing or Social Engineering

Web Server
   49. Potential CVE-2023-27997 Exploitation Indicators
   50. JNDIExploit Pattern
