New Deployed Rules

October 12th, 2023

  • Account Management
    External Remote RDP Logon from Public IP
    KrbRelayUp Attack Pattern

  • File Event
    Suspicious Get-Variable.exe Creation
    File Creation In Suspicious Directory By Msdt.EXE
    NTDS Exfiltration Filename Patterns

  • Groups Monitoring
    A Member was Added into a VIP Group
    A Member was Removed From Monitoring Group

  • Image Load
    Potential Vivaldi_elf.DLL Sideloading

  • Network Share Object
    DCERPC SMB Spoolss Named Pipe
    CVE-2021-1675 Print Spooler Exploitation IPC Access

  • Process Creation
    Assembly Loading Via CL_LoadAssembly.ps1
    7Zip Compressing Dump Files
    Potential Adplus.EXE Abuse
    Interactive AT Job
    Set Suspicious Files as System Files Using Attrib.EXE
    Audit Policy Tampering Via NT Resource Kit Auditpol
    Audit Policy Tampering Via Auditpol
    Suspicious Download From Direct IP Via Bitsadmin
    File With Suspicious Extension Downloaded Via Bitsadmin
    File Download Via Bitsadmin To A Suspicious Target Folder
    Potential Data Stealing Via Chromium Headless Debugging
    Control Panel Items
    CreateDump Process Dump
    Suspicious Use of CSharp Interactive Console
    Dllhost.EXE Execution Anomaly
    New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE
    Potential Recon Activity Using DriverQuery.EXE
    Suspicious Kernel Dump Using Dtrace
    Suspicious DumpMinitool Execution
    Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE
    Finger.exe Suspicious Invocation
    Sysmon Driver Unloaded Via Fltmc.EXE
    Filter Driver Unloaded Via Fltmc.EXE
    Fsutil Suspicious Invocation
    Sensitive Registry Access via Volume Shadow Copy
    WScript or CScript Dropper

  • Proxy
    Turla ComRAT

  • Registry Event
    PortProxy Registry Key
    RedMimicry Winnti Playbook Registry Manipulation

  • Registry Set
    UAC Bypass via Event Viewer – Registry Set
    Disabled Windows Defender Eventlog
    Potential EventLog File Location Tampering

  • Security
    Credential Dumping Tools Service Execution – Security
    Invoke-Obfuscation CLIP+ Launcher – Security
    PowerShell Scripts Installed as Services – Security

  • SolidCore@McAfee
    SolidCore – Any Software Installation
    SolidCore – Deny Execution or Modification Of File

  • Sysmon@Microsoft
    Sysmon Blocked Executable
    Sysmon Configuration Modification

  • Windows Defender Antivirus@Microsoft
    Windows Defender AMSI Trigger Detected
