New Deployed Rules

September 1st, 2023


Process Creation

   1. Suspicious Ping-Copy Command Combination
   2. LSASS Process Reconnaissance Via Findstr.EXE
   3. Firewall Rule Update Via Netsh.EXE
   4. Scheduled Task Executing Payload from Registry
   5. Potentially Suspicious Call To Win32_NTEventlogFile Class
   6. Suspicious Process Execution From Fake Recycle.Bin Folder
   7. Rebuild Performance Counter Values Via Lodctr.EXE
   8. Potential ShellDispatch.DLL Functionality Abuse
   9. New Virtual Smart Card Created Via TpmVscMgr.EXE
   10. Potential ReflectDebugger Content Execution Via WerFault.EXE
   11. Insecure Transfer Via Curl.EXE
   12. Potentially Suspicious Office Document Executed From Trusted Location
   13. PowerShell Execution With Potential Decryption Capabilities
   14. VMToolsd Suspicious Child Process
   15. SMB over QUIC Via Net.EXE
   16. HH.EXE Execution
   17. Remote CHM File Download-Execution Via HH.EXE
   18. HTML Help HH.EXE Suspicious Child Process
   19. Suspicious HH.EXE Execution
   20. Suspicious Shells Spawn by Java Utility Keytool
   21. Potentially Suspicious PowerShell Child Processes
   22. Renamed Mavinject.EXE Execution
   23. Rundll32 JS RunHTMLApplication Pattern
   24. Mshtml DLL RunHTMLApplication Abuse
   25. Suspicious Rundll32 Script in CommandLine

   26. root connection with SSH – Unix
   27. Privileged Account Locked Out – Unix

365 Defender

   28. Exfiltration – 365 Defender
   29. Exploit – 365 Defender
   30. Persistence – 365 Defender
   31. Defender 365 Alerts

URI: Security

   32. Security Event Log Cleared
   33. CobaltStrike Service Installations – Security
   34. HybridConnectionManager Service Installation

PowerShell Module

   35. SyncAppvPublishingServer Bypass Powershell Restriction – PS Module
   36. Remote PowerShell Session (PS Module)

PowerShell Script

   37. Potentially Suspicious Call To Win32_NTEventlogFile Class – PSScript
   38. SMB over QUIC Via PowerShell Script

Network Share Object

   39. Suspicious PsExec Execution
   40. T1047 Wmiprvse Wbemcomn DLL Hijack
   41. SMB Create Remote File Admin Share

File Event

   42. Suspicious File Creation Activity From Fake Recycle.Bin Folder
   43. Windows Terminal Profile Settings Modification By Uncommon Process
   44. Creation Exe for Service with Unquoted Path
   45. New Shim Database Created in the Default Directory
   46. CSExec Service File Creation
   47. RemCom Service File Creation
   48. Suspicious Binary Writes Via AnyDesk

Account Management

   49. Login with WMI
   50. Successful Overpass the Hash Attempt
