New Deployed Rules

October 26th, 2023

  • Account Management
    Outgoing Logon with New Credentials
    RottenPotato Like Attack Pattern
    Scanner PoC for CVE-2019-0708 RDP RCE Vuln

  • File Event
    WebDAV Temporary Local File Creation
    SCR File Write Event

  • Image Load
    Microsoft Office DLL Sideload

  • Kernel-General
    QuarksPwDump Clearing Access History

  • Network Share Object
    Remote Task Creation via ATSVC Named Pipe
    Remote Service Activity via SVCCTL Named Pipe
    Transferring Files with Credential Data via Network Shares
    First Time Seen Remote Named Pipe

  • PowerShell Script
    PowerShell Write-EventLog Usage
    Zip A Folder With PowerShell For Staging In Temp – PowerShell Script
    Powershell Timestomp
    Access to Browser Login Data
    Enumerate Credentials from Windows Credential Manager With PowerShell
    PowerShell ICMP Exfiltration
    Suspicious PowerShell Download – PowerShell Script
    PowerShell Execute Batch Script
    Remote PowerShell Session (PS Classic)

  • Priority Audit@Priority
    Priority: Login Outside Working Hours

  • Process Creation
    Suspicious Advpack Call Via Rundll32.EXE
    Suspicious Call by Ordinal
    Suspicious Rundll32 Invoking Inline VBScript
    Rundll32 InstallScreenSaver Execution
    Suspicious Rundll32 Without Any CommandLine Params
    Suspicious Key Manager Access
    Suspicious NTLM Authentication on the Printer Spooler Service
    Potential Obfuscated Ordinal Call Via Rundll32
    Rundll32 With Suspicious Parent Process
    Rundll32 Registered COM Objects
    Suspicious Rundll32 Setupapi.dll Activity
    Shell32 DLL Execution in Suspicious Directory
    RunDLL32 Spawning Explorer
    Suspicious Control Panel DLL Load
    Suspicious Rundll32 Execution With Image Extension
    Suspicious Usage Of ShellExec_RunDLL
    Suspicious Rundll32 Activity Invoking Sys File
    Rundll32 UNC Path Execution
    Suspicious Workstation Locking via Rundll32
    WebDav Client Execution
    Rundll32 Execution Without Parameters
    Run Once Task Execution as Configured in Registry
    Phishing Pattern ISO in Archive
    Rar Usage with Password and Compression Level
    Winrar Execution in Non-Standard Folder
    Potentially Suspicious WebDAV LNK Execution
    Indirect Command Execution From Script File Via Bash.EXE
    WSL Child Process Anomaly
    Potential Defense Evasion Via Rename Of Highly Relevant Binaries
    Suspicious Child Process Of Wermgr.EXE
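The list above gives rule names only. As an added illustration (not the deployed rule definitions and not the vendor's code), the following Python applies simplified approximations of a few of the named Process Creation and Network Share Object checks to constructed events: the rundll32 heuristics (no parameters, export called by ordinal, DLL loaded from a UNC path, ShellExec_RunDLL, an image-extension "DLL", explorer spawned by rundll32) and the event 5145 named-pipe and credential-file checks. The matching patterns approximate what the SigmaHQ community rules of the same names look for; the baseline pipe set, the credential file list and every event below are assumptions made for the example.

```python
"""Simplified detections for a few of the rule names listed above.

Added example only: the patterns approximate the SigmaHQ rules with these
names, they are not the deployed rule logic, and all events are constructed.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Sysmon event 1 / Security 4688 style process-creation record."""
    image: str
    command_line: str
    parent_image: str = ""


@dataclass
class ShareEvent:
    """Security event 5145 (detailed file share access) record."""
    share_name: str
    relative_target_name: str
    source_address: str


# Assumed baseline of pipes normally seen on IPC$ (the Sigma rule's filter list).
BASELINE_PIPES = {"atsvc", "samr", "lsarpc", "winreg", "netlogon", "srvsvc",
                  "wkssvc", "browser", "netdfs", "svcctl", "spoolss", "ntsvcs",
                  "eventlog", "protected_storage"}
# Assumed file names that indicate credential material crossing a share.
CREDENTIAL_FILES = {"ntds.dit", "lsass.dmp", "mimikatz.log", "mimidrv.sys"}
IMAGE_EXTENSIONS = (".png", ".jpg", ".jpeg", ".gif", ".bmp", ".ico")


def image_name(path: str) -> str:
    return ntpath.basename(path).lower()


def check_process(ev: ProcessEvent) -> list:
    """Names of the rundll32-related rules this process event would trigger."""
    hits = []
    cl = ev.command_line.strip()
    if image_name(ev.image) == "rundll32.exe":
        # Nothing but the binary itself (optionally quoted / full path).
        if re.fullmatch(r'"?(?:[a-z]:\\[^"]*\\)?rundll32(?:\.exe)?"?', cl, re.I):
            hits.append("Rundll32 Execution Without Parameters")
        # Export referenced by ordinal, e.g. payload.dll,#2
        if re.search(r",\s*#\d+", cl):
            hits.append("Suspicious Call by Ordinal")
        # DLL loaded from a UNC path: rundll32 \\host\share\x.dll,Entry
        if re.search(r"\s\\\\[^\\\s]+\\", cl):
            hits.append("Rundll32 UNC Path Execution")
        if "shellexec_rundll" in cl.lower():
            hits.append("Suspicious Usage Of ShellExec_RunDLL")
        # First argument (the "DLL") carries an image-file extension.
        m = re.search(r'rundll32(?:\.exe)?"?\s+"?([^\s",]+)', cl, re.I)
        if m and m.group(1).lower().endswith(IMAGE_EXTENSIONS):
            hits.append("Suspicious Rundll32 Execution With Image Extension")
    if image_name(ev.image) == "explorer.exe" and image_name(ev.parent_image) == "rundll32.exe":
        hits.append("RunDLL32 Spawning Explorer")
    return hits


def check_share(ev: ShareEvent) -> list:
    """Names of the network-share rules this 5145 event would trigger."""
    hits = []
    target = ev.relative_target_name.lower()
    if ev.share_name.lower().endswith("ipc$"):
        if target == "atsvc":
            hits.append("Remote Task Creation via ATSVC Named Pipe")
        if target == "svcctl":
            hits.append("Remote Service Activity via SVCCTL Named Pipe")
        if target not in BASELINE_PIPES:
            hits.append("First Time Seen Remote Named Pipe")
    if ntpath.basename(target) in CREDENTIAL_FILES:
        hits.append("Transferring Files with Credential Data via Network Shares")
    return hits


def scan(process_events, share_events) -> list:
    """Run every check over both event streams; returns (rule, context) pairs."""
    findings = []
    for ev in process_events:
        findings += [(rule, ev.command_line) for rule in check_process(ev)]
    for ev in share_events:
        ctx = f"{ev.source_address} -> {ev.share_name}\\{ev.relative_target_name}"
        findings += [(rule, ctx) for rule in check_share(ev)]
    return findings


RUNDLL = r"C:\Windows\System32\rundll32.exe"
# Constructed sample telemetry (not real logs).
SAMPLE_PROCESS_EVENTS = [
    ProcessEvent(RUNDLL, "rundll32.exe"),
    ProcessEvent(RUNDLL, r"rundll32.exe C:\Users\Public\payload.dll,#2"),
    ProcessEvent(RUNDLL, r"rundll32.exe \\10.0.0.5\share\load.dll,Start"),
    ProcessEvent(RUNDLL, "rundll32.exe shell32.dll,ShellExec_RunDLL cmd.exe /c whoami"),
    ProcessEvent(RUNDLL, r"rundll32.exe C:\Users\Public\cat.png,EntryPoint"),
    ProcessEvent(r"C:\Windows\explorer.exe", "explorer.exe", parent_image=RUNDLL),
    ProcessEvent(RUNDLL, r'rundll32.exe shell32.dll,Control_RunDLL "C:\Windows\System32\intl.cpl"'),
]
SAMPLE_SHARE_EVENTS = [
    ShareEvent(r"\\*\IPC$", "atsvc", "10.0.0.9"),
    ShareEvent(r"\\*\IPC$", "svcctl", "10.0.0.9"),
    ShareEvent(r"\\*\IPC$", "psexesvc", "10.0.0.9"),
    ShareEvent(r"\\*\C$", r"Windows\Temp\lsass.dmp", "10.0.0.9"),
    ShareEvent(r"\\*\IPC$", "srvsvc", "10.0.0.12"),
]

if __name__ == "__main__":
    for rule, ctx in scan(SAMPLE_PROCESS_EVENTS, SAMPLE_SHARE_EVENTS):
        print(f"[{rule}] {ctx}")
```

The benign Control_RunDLL launch and the srvsvc pipe access produce no findings, which is the point of keeping the "without parameters" check a full match and of baselining expected pipes rather than alerting on every IPC$ access.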
