Welcome to our monthly rules update!
We take great pleasure in presenting the rules we created last month to boost your SIEM's capabilities. Depending on your monitoring products, these rules have been deployed in your system to offer you top-notch security and detection. These new rules join an extensive collection of over 1500 rules that can be integrated into your ArcSight in a matter of minutes.
Rule Customization
We’ve simplified the process of adapting SIEM rules to suit your organization’s unique needs by allowing you to customize the rules directly from our App.
For MSSPs or companies that manage a SIEM across multiple entities, we created rules that identify the same attack vector across multiple entities.
Cross Platform
- Cross Platform: Windows – APT
- Cross Platform: Windows – Process Access
- Cross Platform: Windows – Process Creation
- Cross Platform: PowerShell Script
- Cross Platform: Sysmon – Create Remote Thread
- Cross Platform: Sysmon – Create Stream Hash
- Cross Platform: Sysmon – Files
- Cross Platform: Sysmon – Image Load
- Cross Platform: Sysmon – Registry
Web Cache
- Download from Suspicious Dyndns Hosts
- Goofy Guineapig Backdoor Potential C2 Communication
- Java Class Proxy Download
- Potential Base64 Encoded User-Agent
- Suspicious Base64 Encoded User-Agent
Web Server
- Path Traversal Exploitation Attempts
- Potential CVE-2023-23752 Exploitation Attempt
- Source Code Enumeration Detection by Keyword
- Successful IIS Shortname Fuzzing Scan
- Suspicious User-Agents Related To Recon Tools
- Web Server: Java Payload Strings
New Anti Virus@Check Point
- Protection – CheckPoint New Anti Virus
CMS@FireEye
- Documents With Network Activity-FireEye
- HTML Redirector As Email Attachment-FireEye
- IPS Event-FireEye
- Riskware Docx-FireEye
- Riskware Encrypted PDF-FireEye
- Shortened Link In Email-FireEye
Fortigate@Fortinet
- Fortigate Audit – Super admin entered VDOM
- Multiple VPN Failed Login – Fortigate
- Multiple VPN Failed Login by the same User – Fortigate
Database Security@McAfee
- Database Security – Expose database tables
ePolicy Orchestrator@McAfee
- ePolicy Orchestrator – Generate SCP Bypass Key
Network Security Manager@McAfee
- TCP Sweep – Network Security Manager
DNS Trace Log@Microsoft
- Cobalt Strike DNS Beaconing
- DNS Query to External Service Interaction Domains
- Monero Crypto Coin Mining Pool Lookup
- Wannacry Killswitch Domain
Windows WindowsUpdateClient@Microsoft
- Windows Update Error
Microsoft Windows@Microsoft
- DiagTrackEoP Default Login Username
- Goofy Guineapig Backdoor Service Creation
- Important Windows Service Terminated Unexpectedly
- Important Windows Service Terminated With Error
- Malicious Service Installations
- Windows Service Terminated With Error
Microsoft Windows@Microsoft/Process Creation
- Arbitrary MSI Download Via Devinit.EXE
- Cloudflared Tunnel Connections Cleanup
- Cloudflared Tunnel Execution
- COLDSTEEL RAT Anonymous User Process Execution
- COLDSTEEL RAT Cleanup Command Execution
- COLDSTEEL RAT Service Persistence Execution
- Computer Password Change Via Ksetup.EXE
- DumpMinitool Execution
- HackTool – Certify Execution
- HackTool – Covenant PowerShell Launcher
- HackTool – Rubeus Execution
- HackTool – Stracciatella Execution
- HackTool – winPEAS Execution
- Logged-On User Password Change Via Ksetup.EXE
- Odbcconf.EXE Suspicious DLL Location
- PaperCut MFNG Exploitation Related Indicators
- PaperCut MFNG Potential Exploitation
- Persistence Via Sticky Key Backdoor
- Potential APT FIN7 Reconnaissance/POWERTRASH Related Activity
- Potential Arbitrary File Download Via MSEdge.EXE
- Potential Exploitation Attempt Of Undocumented Windows Server RCE
- Potential Goofy Guineapig Backdoor Activity
- Potential Goofy Guineapig GoogleUpdate Process Anomaly
- Potential Obfuscated Ordinal Call Via Rundll32
- Potential Password Reconnaissance Via Findstr.EXE
- Potentially Suspicious DLL Registered Via Odbcconf.EXE
- Potentially Suspicious GoogleUpdate Child Process
- PowerShell Download and Execution Cradles
- PUA – Crassus Execution
- Read Contents From Stdin Via Cmd.EXE
- Regsvr32 Anomaly
- Regsvr32 Command Line Without DLL
- Regsvr32 Flags Anomaly
- Regsvr32 Spawning Explorer
- Remote CHM File Download/Execution Via HH.EXE
- Rorschach Ransomware Execution Activity
- Suspicious Advpack Call Via Rundll32.EXE
- Suspicious Child Process Of Veeam Database
- Suspicious Chromium Browser Instance Executed With Custom Extensions
- Suspicious Driver/DLL Installation Via Odbcconf.EXE
- Suspicious DumpMinitool Execution
- Suspicious File Download From File Sharing Domain Via Curl.EXE
- Suspicious HH.EXE Execution
- Suspicious Registration via cscript.exe
- Suspicious Regsvr32 Execution From Remote Share
- Suspicious Regsvr32 Execution With Image Extension
- Uncommon Child Process Spawned By Odbcconf.EXE
- Veeam Backup Database Suspicious Query
- Veeam Backup Database Credentials Dump Via Sqlcmd.EXE
- Visual Studio NodejsTools PressAnyKey Renamed Execution
- Windows Kernel Debugger Execution
- Windows Shell/Scripting Processes Spawning Suspicious Programs
PowerShell@Microsoft/PowerShell Script
- Active Directory Group Enumeration With Get-AdGroup
- Add Windows Capability Via PowerShell Script
- AMSI Bypass Pattern Assembly GetType
- Disable Powershell Command History
- Dnscat Execution
- HackTool – Rubeus Execution – ScriptBlock
- Invoke-Obfuscation Via Stdin – Powershell
- Live Memory Dump Using Powershell
- Potential Active Directory Enumeration Using AD Module – PsScript
- Potential AMSI Bypass Using NULL Bits – ScriptBlockLogging
- Potential In-Memory Execution Using Reflection.Assembly
- Potential POWERTRASH Script Execution
- Potential RemoteFXvGPUDisablement.EXE Abuse – PowerShell ScriptBlock
- PowerShell ADRecon Execution
- PowerShell Create Local User
- PowerShell Credential Prompt
- PowerShell PSAttack
- PowerShell Script With File Hostname Resolving Capabilities
- Powershell Suspicious Win32_PnPEntity
- PSAsyncShell – Asynchronous TCP Reverse Shell
- Suspicious GPO Discovery With Get-GPO
- Suspicious PowerShell Mailbox SMTP Forward Rule
- Unsigned AppX Installation Attempt Using Add-AppxPackage – PsScript
- Veeam Backup Servers Credential Dumping Script Execution
SecurityComplianceCenter@Microsoft
- Office365: Activity from Anonymous IP Addresses
- Office365: Activity from Infrequent Country
- Office365: Activity from Suspicious IP Addresses
- Office365: Activity Performed by Terminated User
- Office365: Creation of Forwarding-Redirect Rule
- Office365: Data Exfiltration to Unsanctioned Apps
- Office365: eDiscovery search or exported
- Office365: Impossible Travel Activity
- Office365: Logon from a Risky IP Address
- Office365: Potential Ransomware Activity
- Office365: PST Export Alert Using New-ComplianceSearchAction
- Office365: Suspicious inbox forwarding
- Office365: Suspicious OAuth App File Download Activities
- Office365: Unusual Volume of File Deletion
- Office365: User Restricted from Sending Email
SQL Server@Microsoft
- MSSQL: Multiple Failed Logins to SQL Server
Sysmon@Microsoft/Create Remote Thread
- HackTool – CACTUSTORCH Remote Thread Creation
- HackTool – Potential CobaltStrike Process Injection
- Remote Thread Created In KeePass.EXE
- Remote Thread Creation In Uncommon Target Image
Sysmon@Microsoft/Create Stream Hash
- Potential Suspicious Winget Package Installation
- Potentially Suspicious File Download From ZIP TLD
Sysmon@Microsoft/Files
- Goofy Guineapig Backdoor IOC
- HackTool – Dumpert Process Dumper Default File
- LiveKD Driver Creation
- LiveKD Driver Creation By Uncommon Process
- LiveKD Kernel Memory Dump File Created
- NTDS.DIT Created
- Potential APT FIN7 Related PowerShell Script Created
- Potential COLDSTEEL Persistence Service DLL Creation
- Potential COLDSTEEL RAT File Indicators
- PowerShell Module File Created By Non-PowerShell Process
- Process Explorer Driver Creation By Non-Sysinternals Binary
- Process Monitor Driver Creation By Non-Sysinternals Binary
- RDP File Creation From Suspicious Application
- SNAKE Malware Kernel Driver File Indicator
- SNAKE Malware WerFault Persistence File Creation
- Suspicious File Created In PerfLogs
- WinSxS Executable File Creation By Non-System Process
Sysmon@Microsoft/Image Load
- Active Directory Parsing DLL Loaded Via Office Application
- Potential DLL Sideloading Of DBGCORE.DLL
- Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE
- Potential Goopdate.DLL Sideloading
- Potential Libvlc.DLL Sideloading
- Potential SolidPDFCreator.DLL Sideloading
- UAC Bypass With Fake DLL
Sysmon@Microsoft/Network Connection
- Microsoft Binary Suspicious Communication Endpoint
Sysmon@Microsoft/Pipe Created
- ADFS Database Named Pipe Connection
Sysmon@Microsoft/Registry
- Folder Removed From Exploit Guard ProtectedFolders List – Registry
- Removal Of AMSI Provider Registry Keys
- Removal Of Index Value to Hide Schedule Task – Registry
- Removal Of SD Value to Hide Schedule Task – Registry
- Terminal Server Client Connection History Cleared – Registry
- CMSTP Execution Registry Event
- Creation of a Local Hidden User Account by Registry
- Disable Security Events Logging Adding Reg Key MiniNt
- Esentutl Volume Shadow Copy Service Keys
- FlowCloud Malware
- HybridConnectionManager Service Installation – Registry
- Leviathan Registry Key Activity
- NetNTLM Downgrade Attack – Registry
- OceanLotus Registry Activity
- OilRig APT Registry Persistence
- Pandemic Registry Key
- Registry Entries For Azorult Malware
- UAC Bypass Via Wsreset
- Wdigest CredGuard Registry Modification
- Windows Credential Editor Registry
- Enable Local Manifest Installation With Winget
- New ODBC Driver Registered
- Outlook TaskNote Reminder Received
- Potential Encrypted Registry Blob Related To SNAKE Malware
- Potentially Suspicious ODBC Driver Registered
- Winget Admin Settings Modification
System or Application Event@Microsoft
- Certificate Private Key Acquired
Windows Defender Antivirus@Microsoft
- PSExec and WMI Process Creations Block
IAM@OKTA
- OKTA: FastPass Phishing Detection
PenTera@Pcysys
- Pentera Tag (Add Pentera Tag to scanned hosts)
Portnox
- Device Received Voucher – Portnox
- Limited Authentication – Portnox
- New Endpoint – Portnox
- Duplicate IP – Portnox
- Duplicate MAC – Portnox
- Multiple MACs on Same Port – Portnox
- Service in Monitor Mode – Portnox
- Set Port Location – Portnox
- Portnox – User Login to Console
- Raspberry Pi Foundation – Portnox
- Rogue Device – Portnox
- Unauthorized Hub – Portnox
TSOC@TrapX
- TrapX – Connection Event
- TrapX – Scan Event
Deep Discovery Analyzer@Trend Micro
- TrendMicro DDA: High Risk by Sandbox