New Deployed Rules

September 20th, 2023

  • Process Creation
    MMC20 Lateral Movement
    MMC Spawning Windows Shell
    Potential Arbitrary Command Execution Using Msdt.EXE
    Suspicious MSDT Parent Process
    Remotely Hosted HTA File Executed Via Mshta.EXE
    Suspicious JavaScript Execution Via Mshta.EXE
    Potential LethalHTA Technique Execution
    MSHTA Suspicious Execution 01
    Potential MsiExec Masquerading
    Potential Process Injection Via Msra.EXE
    Potential MSTSC Shadowing Activity
    Suspicious Child Process Of SQL Server
    Potential Persistence Via Netsh Helper DLL
    RDP Port Forwarding Rule Added Via Netsh.EXE
    UEFI Persistence Via Wpbbin – ProcessCreation
    Wusa Extracting Cab Files From Suspicious Paths
    Potential Unquoted Service Path Reconnaissance Via Wmic.EXE
    Potential Windows Defender Tampering Via Wmic.EXE
    New ActiveScriptEventConsumer Created Via Wmic.EXE
    Suspicious UltraVNC Execution
    Bypass UAC via WSReset.exe
    Suspicious Command With Teams Objects Paths
    Taskkill Symantec Endpoint Protection
    ETW Logging Tamper In .NET Processes
    Port Forwarding Attempt Via SSH
    Potential Rundll32 Execution With DLL Stored In ADS

  • SentinelOne EDR@SentinelOne
    SentinelOne EDR – User Role Added
    SentinelOne EDR – Virus

  • Service Control Manager
    CSExec Service Installation
    RemCom Service Installation
    PsExec Service Installation

  • Windows Defender Antivirus@Microsoft
    Windows Defender Threat Detection Disabled
    Win Defender Restored Quarantine File
    Windows Defender Threat Detected
    Windows Defender Exploit Guard Tamper

  • SolidCore@McAfee
    SolidCore – Application in List was Installed
    SolidCore – Application Control Boot

  • Network Share Object
    Windows Network Access Suspicious desktop.ini Action
    Suspicious Access to Sensitive File Extensions

  • PowerShell Script
    Suspicious Service DACL Modification Via Set-Service Cmdlet – PS
    Suspicious Get Information for SMB Share
    Suspicious PowerShell WindowStyle Option

  • File Event
    Potential CVE-2023-36874 Exploitation – Uncommon Report.Wer Location
    Potential CVE-2023-36874 Exploitation – Fake Wermgr.Exe Creation

  • Image Load
    Potential Mpclient.DLL Sideloading
    Unsigned Mfdetours.DLL Sideloading

  • Security
    Tap Driver Installation – Security
    Activity By User With Space On the End
    Hacktool Ruler
