New Rules Deployed

August 25th, 2023


Windows/Network Connection:

Suspicious Epmap Connection
Suspicious Dropbox API Usage
Suspicious Outbound Kerberos Connection
Suspicious Program Location with Network Connections

Windows/System or Application/Service Control Manager:

Tap Driver Installation
Invoke-Obfuscation COMPRESS OBFUSCATION – System
Invoke-Obfuscation RUNDLL LAUNCHER – System
Invoke-Obfuscation Via Stdin – System
Invoke-Obfuscation Via Use Clip – System
Invoke-Obfuscation Via Use MSHTA – System
Invoke-Obfuscation Via Use Rundll32 – System
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION – System

Driver Load:

Vulnerable Lenovo Driver Load

Azure/Azure Active Directory:

Member Added to Role – Azure AD
Member was Added to Administrative Role – Azure AD
Success Login Following Multiple Failed Login (Same User and Address) – AzureAD
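The "Success Login Following Multiple Failed Login (Same User and Address)" rule above describes a classic brute-force-then-success pattern. The following is an added illustration of that logic, written for this page and not the vendor's rule content: it walks a constructed set of sign-in events (modelled loosely on the Azure AD sign-in log fields for user, IP address and result code, where result code "0" is a success and "50126" is an invalid-credentials failure) and raises an alert when a success from a given user and address is preceded by at least a threshold number of failures inside a look-back window. The threshold of 5 failures and the 10-minute window are assumptions chosen for the example; the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real Azure AD data). Field names are simplified
# stand-ins for the sign-in log's user principal name, IP address and result type.
SAMPLE_EVENTS = [
    # alice: five failures from one address, then a success from the same address
    {"time": "2023-08-25T10:00:01Z", "user": "alice@contoso.example", "ip": "203.0.113.7", "result": "50126"},
    {"time": "2023-08-25T10:00:02Z", "user": "alice@contoso.example", "ip": "203.0.113.7", "result": "50126"},
    {"time": "2023-08-25T10:00:03Z", "user": "alice@contoso.example", "ip": "203.0.113.7", "result": "50126"},
    {"time": "2023-08-25T10:00:04Z", "user": "alice@contoso.example", "ip": "203.0.113.7", "result": "50126"},
    {"time": "2023-08-25T10:00:05Z", "user": "alice@contoso.example", "ip": "203.0.113.7", "result": "50126"},
    {"time": "2023-08-25T10:00:30Z", "user": "alice@contoso.example", "ip": "203.0.113.7", "result": "0"},
    # bob: two typos then a success; below the threshold, so no alert
    {"time": "2023-08-25T10:05:00Z", "user": "bob@contoso.example", "ip": "198.51.100.9", "result": "50126"},
    {"time": "2023-08-25T10:05:10Z", "user": "bob@contoso.example", "ip": "198.51.100.9", "result": "50126"},
    {"time": "2023-08-25T10:05:20Z", "user": "bob@contoso.example", "ip": "198.51.100.9", "result": "0"},
    # carol: six failures, but the success comes 90 minutes later, outside the window
    {"time": "2023-08-25T09:00:01Z", "user": "carol@contoso.example", "ip": "192.0.2.44", "result": "50126"},
    {"time": "2023-08-25T09:00:02Z", "user": "carol@contoso.example", "ip": "192.0.2.44", "result": "50126"},
    {"time": "2023-08-25T09:00:03Z", "user": "carol@contoso.example", "ip": "192.0.2.44", "result": "50126"},
    {"time": "2023-08-25T09:00:04Z", "user": "carol@contoso.example", "ip": "192.0.2.44", "result": "50126"},
    {"time": "2023-08-25T09:00:05Z", "user": "carol@contoso.example", "ip": "192.0.2.44", "result": "50126"},
    {"time": "2023-08-25T09:00:06Z", "user": "carol@contoso.example", "ip": "192.0.2.44", "result": "50126"},
    {"time": "2023-08-25T10:30:00Z", "user": "carol@contoso.example", "ip": "192.0.2.44", "result": "0"},
]

FAILURE_THRESHOLD = 5          # assumption: failures required before the success
LOOKBACK_WINDOW = timedelta(minutes=10)  # assumption: how far back failures count


def parse_time(value):
    """Parse the ISO-8601 UTC timestamp used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_success_after_failures(events, threshold=FAILURE_THRESHOLD, window=LOOKBACK_WINDOW):
    """Return one alert per successful sign-in that was preceded, within `window`,
    by at least `threshold` failed sign-ins from the same user and IP address."""
    # Per (user, ip) queue of recent failure timestamps, oldest first.
    failures = defaultdict(deque)
    alerts = []
    for event in sorted(events, key=lambda e: parse_time(e["time"])):
        key = (event["user"].lower(), event["ip"])
        now = parse_time(event["time"])
        recent = failures[key]
        # Expire failures that fall outside the look-back window.
        while recent and now - recent[0] > window:
            recent.popleft()
        if event["result"] == "0":
            if len(recent) >= threshold:
                alerts.append({
                    "user": key[0],
                    "ip": key[1],
                    "failures": len(recent),
                    "success_time": event["time"],
                })
            # A success resets the streak so one burst yields one alert.
            recent.clear()
        else:
            recent.append(now)
    return alerts


if __name__ == "__main__":
    for alert in detect_success_after_failures(SAMPLE_EVENTS):
        print(f"ALERT {alert['user']} from {alert['ip']}: "
              f"{alert['failures']} failures then success at {alert['success_time']}")
```

Keying on both user and address is what keeps password-spraying across many accounts, or a user failing from home and then succeeding from the office, out of this particular alert; those patterns need their own rules. The window expiry is the part to tune against real sign-in volume, since too long a window turns ordinary typo streaks into noise.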

Windows/Image Load:

Python Py2Exe Image Load
DLL Load By System Process From Suspicious Locations

Windows/Files:

UAC Bypass Using EventVwr
UAC Bypass Using .NET Code Profiler on MMC
UAC Bypass Using Consent and Comctl32 – File
Hijack Legit RDP Session to Move Laterally
Potential Privilege Escalation Attempt Via .Exe.Local Technique
Legitimate Application Dropped Executable
Legitimate Application Dropped Archive
Potential CVE-2023-36884 Exploitation Dropped File
Suspicious Outlook Macro Created
Publisher Attachment File Dropped In Suspicious Location
Suspicious File Created Via OneNote Application
LSASS Process Dump Artefact In CrashDumps Folder
WerFault LSASS Process Memory Dump

Windows/PowerShell:

Tamper Windows Defender – PSClassic
Local Firewall Rules Enumeration Via NetFirewallRule Cmdlet
Windows Mail App Mailbox Access Via PowerShell Script
Enable Windows Remote Management

Windows/Security:

Potential CVE-2023-36884 Exploitation – Share Access

Fortigate@Fortinet:

Success Login from Malicious Address – Fortigate

NetScaler@Citrix:

Success Login from Malicious Address – NetScaler

365 Defender:

Initial Access – 365 Defender
Suspicious Activity – 365 Defender
Discovery – 365 Defender
Command And Control – 365 Defender

Windows/Process Creation:

Execution via WorkFolders.exe

SecurityCenter@KasperskyLab:

Virus Found – Kaspersky Security Center
