New Rules Deployed

August 18th, 2023


Windows/Network Connection:

  1. Communication To Ngrok.Io
  2. Communication To Ngrok Tunneling Service
  3. Notepad Making Network Connection
  4. RDP Over Reverse SSH Tunnel
  5. RDP to HTTP or HTTPS Target Ports
  6. Silenttrinity Stager Msbuild Activity
  7. Suspicious Office Outbound Connections


Windows/System or Application/Service Control Manager:

  8. Mesh Agent Service Installation
  9. NetSupport Manager Service Install
  10. PAExec Service Installation
  11. Service Installation in Suspicious Folder
  12. Remote Access Tool Services Have Been Installed – System
  13. New PDQDeploy Service – Client Side
  14. New PDQDeploy Service – Server Side
  15. TacticalRMM Service Installation
  16. Moriya Rootkit – System
  17. Remote Utilities Host Service Install


Driver Load:

  18. PUA – System Informer Driver Load
  19. Vulnerable AVAST Anti Rootkit Driver Load


Azure/Azure Active Directory:

  20. Owner Added to Group – Azure AD
  21. Success Login from Malicious Address – Azure AD


Windows/Image Load:

  22. Microsoft Excel Add-In Loaded From Uncommon Location
  23. WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load
  24. Potential appverifUI.DLL Sideloading


Windows/Files:

  25. UAC Bypass Using NTFS Reparse Point – File
  26. UAC Bypass Using MSConfig Token Modification – File
  27. UAC Bypass Using IEInstal – File
  28. UAC Bypass Using IDiagnostic Profile – File
  29. PowerShell Profile Modification
  30. Legitimate Application Dropped Script
  31. SafetyKatz Default Dump Filename
  32. Malicious DLL File Dropped in the Teams or OneDrive Folder
  33. LSASS Memory Dump File Creation
  34. EVTX Created In Uncommon Location
  35. GatherNetworkInfo.VBS Reconnaissance Script Output
  36. OneNote Attachment File Dropped In Suspicious Location


Web Cache:

  37. Potential CVE-2023-36884 Exploitation – File Downloads
  38. Potential CVE-2023-36884 Exploitation – URL Marker
  39. Potential CVE-2023-36884 Exploitation Pattern


365 Defender:

  40. Malware – 365 Defender
  41. Execution – 365 Defender
  42. New Category Alert – 365 Defender
  43. Unwanted Software – 365 Defender
  44. Privilege Escalation – 365 Defender


Windows/PowerShell:

  45. Windows Firewall Profile Disabled


Windows/Process Creation:

  46. Windows Defender Definition Files Removed
  47. DNS Exfiltration and Tunneling Tools Execution
  48. File Decoded From Base64-Hex Via Certutil.EXE


lambda@Amazon:

  49. AWS:Lambda AWS Attached Malicious Lambda Layer
