Content Release Notes
2025.10.20
Summary of Changes
Totals: 42 added / 112 modified
Intelligence: 0 added / 0 modified
Detections: 38 added / 109 modified
Threats: 0 added / 0 modified
Attack Scripts: 4 added / 2 modified
Collections: 0 added / 1 modified
Content Added
SnapAttack Subscribers (subscribers only)
- Application Whitelisting Bypass Attempt via Rundll32
- Suspicious Sudo Parameter
- Suspicious Staging of Alternate System Files
- Suspicious GCC Invocation Building Init Shared Object
- Possible CVE-2025-10035 Exploitation
Atomic Red Team
- At - Schedule a job via kubectl in a Pod
- Curl Insecure Connection from a Pod
- Create a Linux user via kubectl in a Pod
- Simulate npm package installation on a Linux system
Microsoft Sentinel
- RSA ID Plus - Locked Administrator Account Detected
- VMware ESXi - SSH Enable on ESXi Host
- S3 Object Exfiltration from Anonymous User
- EC2 Startup Shell Script Changed
- SAP ETD - Synch investigations
Sigma Community Rules
- Suspicious BitLocker Access Agent Update Utility Execution
- AWS IAM User with Console Access Login Without MFA
- BaaUpdate.exe Suspicious DLL Load
- WinRAR Creating Files in Startup Locations
- IIS WebServer Log Deletion via CommandLine Utilities
Splunk
- M365 Copilot Jailbreak Attempts
- M365 Copilot Impersonation Jailbreak Attack
- Ollama Abnormal Network Connectivity
- M365 Copilot Agentic Jailbreak Attack
- Ollama Excessive API Requests
- M365 Copilot Failed Authentication Patterns
- Ollama Possible API Endpoint Scan Reconnaissance
- M365 Copilot Application Usage Pattern Anomalies
- M365 Copilot Non Compliant Devices Accessing M365 Copilot
- Windows Change File Association Command To Notepad
- Windows Application Whitelisting Bypass Attempt via Rundll32
- Ollama Suspicious Prompt Injection Jailbreak
- Ollama Possible RCE via Model Loading
- Windows Cabinet File Extraction Via Expand
- M365 Copilot Information Extraction Jailbreak Attack
- Ollama Possible Model Exfiltration Data Leakage
- Ollama Abnormal Service Crash Availability Attack
- Web or Application Server Spawning a Shell
- Windows Symlink Evaluation Change via Fsutil
- M365 Copilot Session Origin Anomalies
- Ollama Possible Memory Exhaustion Resource Abuse
- Windows Set Network Profile Category to Private via Registry
- Windows Visual Basic Commandline Compiler DNSQuery
Content Updated
SnapAttack Subscribers (subscribers only)
SnapAttack Community
Atomic Red Team
Microsoft Sentinel
Sigma Community Rules
- PUA - TruffleHog Execution
- Non-Standard Nsswitch.Conf Creation - Potential CVE-2025-32463 Exploitation
- Shai-Hulud NPM Attack GitHub Activity
- Linux Sudo Chroot Execution
- Shai-Hulud NPM Package Malicious Exfiltration via Curl
- Shai-Hulud Malicious GitHub Workflow Creation
- PUA - TruffleHog Execution - Linux
- Potential CVE-2023-23397 Exploitation Attempt - SMB
- WannaCry Ransomware Activity
- Rare Remote Thread Creation By Uncommon Source Image
- Suspicious C2 Activities
- Firewall Configuration Discovery Via Netsh.EXE
- Office Application Initiated Network Connection To Non-Local IP
- Ping Hex IP
- CurrentVersion Autorun Keys Modification
- Uncommon AppX Package Locations
- Modify System Firewall
- WinRAR Execution in Non-Standard Folder
- Suspicious Process Suspension via WERFaultSecure through EDR-Freeze
- Office Application Initiated Network Connection Over Uncommon Ports
- Suspicious Access to Sensitive File Extensions
- Suspicious Volume Shadow Copy Vssapi.dll Load
- Alternate PowerShell Hosts - PowerShell Module
- Office Autorun Keys Modification
- Suspicious Userinit Child Process
- Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load
- Suspicious Access to Sensitive File Extensions - Zeek
- File With Uncommon Extension Created By An Office Application
- Potentially Suspicious Desktop Background Change Via Registry
- Account Tampering - Suspicious Failed Logon Reasons
- SMB Create Remote File Admin Share
- CurrentVersion NT Autorun Keys Modification
- Suspicious WSMAN Provider Image Loads
- Startup Folder File Write
- Program Executed Using Proxy/Local Command Via SSH.EXE
- System File Execution Location Anomaly
- Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
- Windows Binaries Write Suspicious Extensions
- Files With System Process Name In Unsuspected Locations
- Process Creation Using Sysnative Folder
- Potential JLI.dll Side-Loading
- File And SubFolder Enumeration Via Dir Command
- PowerShell Module File Created By Non-PowerShell Process
- Potential Goopdate.DLL Sideloading
- Potential Persistence Via Visual Studio Tools for Office
- Filter Driver Unloaded Via Fltmc.EXE
- Potential PendingFileRenameOperations Tampering
- Suspicious Copy From or To System Directory
- Use Short Name Path in Command Line
- Potential Antivirus Software DLL Sideloading
- Direct Autorun Keys Modification
- Potential Suspicious Browser Launch From Document Reader Process
- Removal of Potential COM Hijacking Registry Keys
- Recon Command Output Piped To Findstr.EXE
- Potential Persistence Via Netsh Helper DLL - Registry
- Change PowerShell Policies to an Insecure Level
- Verclsid.exe Runs COM Object
- Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE
- Amsi.DLL Loaded Via LOLBIN Process
- Process Proxy Execution Via Squirrel.EXE
- HackTool - LaZagne Execution
- Service Binary in Suspicious Folder
- PowerShell Core DLL Loaded By Non PowerShell Process
- Registry Persistence via Service in Safe Mode
- Firewall Rule Deleted Via Netsh.EXE
- Potentially Suspicious Windows App Activity
- File Download with Headless Browser
- Wow6432Node CurrentVersion Autorun Keys Modification
- New RUN Key Pointing to Suspicious Folder
- Potential DLL Sideloading Of DBGHELP.DLL
- Potential AutoLogger Sessions Tampering
- Uncommon New Firewall Rule Added In Windows Firewall Exception List
- Powershell Create Scheduled Task
- Removal Of AMSI Provider Registry Keys
- Internet Explorer DisableFirstRunCustomize Enabled
- Potential Privileged System Service Operation - SeLoadDriverPrivilege
- Unsigned DLL Loaded by Windows Utility
- Suspicious Eventlog Clear
- Python Inline Command Execution
- Alternate PowerShell Hosts Pipe
- PSScriptPolicyTest Creation By Uncommon Process
- Delete Defender Scan ShellEx Context Menu Registry Key
- Potential DLL Sideloading Of DBGCORE.DLL
- New Kernel Driver Via SC.EXE
- PowerShell Deleted Mounted Share
- Suspicious Msiexec Quiet Install From Remote Location
- Browser Execution In Headless Mode
- IIS WebServer Access Logs Deleted
Splunk
- Linux Java Spawning Shell
- Common Ransomware Extensions
- Windows Renamed Powershell Execution
- Attempt To Add Certificate To Untrusted Store
- Windows Java Spawning Shells
- Windows AutoIt3 Execution
- Windows Information Discovery Fsutil
- USN Journal Deletion
- Add or Set Windows Defender Exclusion
- Windows Curl Download to Suspicious Path
- Windows Remote Management Execute Shell
- Windows Certutil Root Certificate Addition
- Windows Scheduled Task Created Via XML
- Windows Archived Collected Data In TEMP Folder
- Windows Rundll32 Apply User Settings Changes
- WinEvent Scheduled Task Created Within Public Path
- Windows AD Self DACL Assignment
- Windows Executable in Loaded Modules
2025.10.06
Summary of Changes
Totals: 141 added / 67 modified
Intelligence: 0 added / 0 modified
Detections: 134 added / 65 modified
Threats: 0 added / 0 modified
Attack Scripts: 7 added / 1 modified
Collections: 0 added / 1 modified
Content Added
SnapAttack Subscribers (subscribers only)
Atomic Red Team
- Disable ASLR Via sysctl parameters - Linux
- Windows - Display a simulated ransom note via Notepad (non-destructive)
- Abuse of linux magic system request key for Send a SIGTERM to all processes
- Freeze PPL-protected process with EDR-Freeze
- Identifying Network Shares - Linux
- Replace AtBroker.exe (App Switcher binary) with cmd.exe
- Expand CAB with expand.exe
Chronicle Detection Rules
Microsoft Sentinel
- BloodHound Attack Path Finding - Non-Tier Zero Entra User Synced to Tier Zero AD User
- BloodHound Attack Path Finding - Owner Role on Tier Zero Resource
- BloodHound Attack Path Finding - Large Default Groups With Resource-Based Constrained Delegation Privileges
- BloodHound Attack Path Finding - Large Default Groups in SQL Admins Groups
- BloodHound Attack Path Finding - Non-Tier Zero Principal Trusted for Unconstrained Delegation
- BloodHound Attack Path Finding - Large Default Groups With WriteServicePrincipalName Privileges
- BloodHound Attack Path Finding - Non-Tier Zero Principal Can Grant Tier Zero App Roles
- BloodHound Attack Path Finding - Large Default Groups in PS Remote Users Groups
- BloodHound Attack Path Finding - Limited Ownership Privileges on Tier Zero Objects
- BloodHound Attack Path Finding - Large Default Groups With Add Member Privileges
- BloodHound Attack Path Finding - Large Default Groups With WriteDacl Privilege
- BloodHound Attack Path Finding - Legacy SID History on Tier Zero Objects
- BloodHound Attack Path Finding - Large Default Groups With ForceChangePassword Privileges
- BloodHound Attack Path Finding - WriteServicePrincipalName Privileges on Tier Zero Objects
- BloodHound Attack Path Finding - Tier Zero Computer Vulnerable to Coercion-Based NTLM Relay to LDAP Attack
- BloodHound Attack Path Finding - App Admin Control of Tier Zero Principal
- BloodHound Attack Path Finding - Website Contributor Role on Tier Zero Resource
- BloodHound Attack Path Finding - Add Resource-Based Constrained Delegation Privileges on Tier Zero Computers
- BloodHound Attack Path Finding - Key Vault Contributor Role on Tier Zero Resource
- BloodHound Attack Path Finding - AKS Contributor Role on Tier Zero Managed Cluster
- BloodHound Attack Path Finding - WriteGpLink Privileges on Tier Zero Objects
- BloodHound Attack Path Finding - Non-Tier Zero Principal Can Grant Tier Zero Entra ID Role
- BloodHound Attack Path Finding - Non-Tier Zero Computer Hosting EnterpriseCA Trusted for NT Authentication
- BloodHound Attack Path Finding - Large Default Groups in DCOM Users Groups
- BloodHound Attack Path Finding - VM Admin Login Role on Tier Zero System
- BloodHound Attack Path Finding - Avere Contributor Role on Tier Zero Virtual Machine
- BloodHound Attack Path Finding - Large Default Groups With WriteOwnerLimitedRights Privileges
- BloodHound Attack Path Finding - Write Account Restrictions Privileges on Tier Zero Objects
- BloodHound Attack Path Finding - Read GMSA Password Privileges on Tier Zero Objects
- BloodHound Attack Path Finding - Command Execution on Tier Zero Virtual Machine
- BloodHound Attack Path Finding - Large Default Groups With Add Self Privileges
- BloodHound Attack Path Finding - Ownership of Tier Zero Principal
- BloodHound Attack Path Finding - Large Default Groups With Ownership Privileges
- BloodHound Attack Path Finding - Kerberos Delegation on Tier Zero Objects
- BloodHound Attack Path Finding - Constrained Delegation on Tier Zero Computers
- BloodHound Attack Path Finding - Non-Tier Zero Principals With ADCS ESC3 Privileges
- BloodHound Attack Path Finding - Tier Zero Service Principal Control via MS Graph App Role
- BloodHound Attack Path Finding - Tier Zero Computer Vulnerable to Coercion-Based NTLM Relay to ADCS (ESC8) Attack
- BloodHound Attack Path Finding - Large Default Groups With WriteAccountRestrictions Privileges
- BloodHound Attack Path Finding - Non-Tier Zero Principals With ADCS ESC9 Scenario A Privileges
- BloodHound Attack Path Finding - Contributor Role on Tier Zero Automation Account
- BloodHound Attack Path Finding - PS Remote Users on Tier Zero Computers
- BloodHound Attack Path Finding - ReadLapsPassword Privileges on Tier Zero Objects
- BloodHound Attack Path Finding - Tier Zero Group Control via MS Graph App Role
- BloodHound Attack Path Finding - Large Default Groups With GenericAll Privileges
- BloodHound Attack Path Finding - Non Tier Zero Principals With ADCS ESC13 Privileges Against Tier Zero Group
- BloodHound Attack Path Finding - Logic App Contributor Role on Tier Zero Logic App
- BloodHound Attack Path Finding - RDP Users on Tier Zero Computers
- BloodHound Attack Path Finding - AddSelf Privilege on Tier Zero Security Groups
- BloodHound Attack Path Finding - Add Secret to Tier Zero Principal
- BloodHound Attack Path Finding - AddOwner Role on Tier Zero Resource
- BloodHound Attack Path Finding - GenericWrite Privileges on Tier Zero Objects
- BloodHound Attack Path Finding - Large Default Groups With WriteGpLink Privilege
- BloodHound Attack Path Finding - Large Default Group With SyncLapsPassword Privileges
- BloodHound Attack Path Finding - SQL Admin Users on Tier Zero Computers
- BloodHound Attack Path Finding - AllExtended Privileges on Tier Zero Objects
- BloodHound Attack Path Finding - Kerberoastable User Accounts
- BloodHound Attack Path Finding - Add Member Privileges on Tier Zero Security Groups
- BloodHound Attack Path Finding - Logons From Tier Zero Users
- BloodHound Attack Path Finding - SyncLapsPassword Privileges on Tier Zero Objects
- BloodHound Attack Path Finding - Get Secrets on Tier Zero Key Vault
- BloodHound Attack Path Finding - Non-Tier Zero Principals With ADCS ESC9 Scenario B Privileges
- BloodHound Attack Path Finding - GenericAll Privileges on Tier Zero Objects
- BloodHound Attack Path Finding - Computers Vulnerable to Coercion-Based NTLM Relay to SMB Attack
- BloodHound Attack Path Finding - Get Certificates on Tier Zero Key Vault
- BloodHound Attack Path Finding - Non Tier Zero Principals With ADCS ESC1 Privileges
- BloodHound Attack Path Finding - Get Keys on Tier Zero Key Vault
- BloodHound Attack Path Finding - Large Default Groups With Read GMSA Password Privileges
- BloodHound Attack Path Finding - WriteDacl Privileges on Tier Zero Objects
- BloodHound Attack Path Finding - Large Default Groups With Limited Ownership Privileges
- BloodHound Attack Path Finding - Non-Tier Zero Principals With ADCS ESC6 Scenario A Privileges
- BloodHound Attack Path Finding - Large Default Groups With WriteOwner Privileges
- BloodHound Attack Path Finding - Large Default Groups With Read LAPS Password Privileges
- BloodHound Attack Path Finding - Add Owner to Tier Zero Object via MS Graph App Role
- BloodHound Attack Path Finding - Non-Tier Zero Principals With ADCS ESC4 Privileges
- BloodHound Attack Path Finding - Add Key Credential Link Privileges on Tier Zero Objects
- BloodHound Attack Path Finding - Large Default Groups in Local Administrator Groups
- BloodHound Attack Path Finding - User Access Admin Role on Tier Zero Resource
- BloodHound Attack Path Finding - Non-Tier Zero AD User Synced to Tier Zero Entra User
- BloodHound Attack Path Finding - Non-Tier Zero Principals With ADCS ESC6 Scenario B Privileges
- BloodHound Attack Path Finding - Large Default Groups With RDP Access
- BloodHound Attack Path Finding - Large Default Groups With All Extended Privileges
- BloodHound Attack Path Finding - Tier Zero SMSA Installed on Non-Tier Zero Computer
- BloodHound Attack Path Finding - Contributor Role on Tier Zero Resource
- BloodHound Attack Path Finding - Non-Tier Zero Principals With ADCS ESC10 Scenario B Privileges
- BloodHound Attack Path Finding - Large Default Groups With GenericWrite Privileges
- BloodHound Attack Path Finding - Reset a Tier Zero User's Password
- BloodHound Attack Path Finding - AS-REP Roastable User Accounts
- BloodHound Attack Path Finding - Non Tier Zero Principals With ADCS ESC10 Scenario A Privileges
- BloodHound Attack Path Finding - Non Tier Zero Resource Assigned to Tier Zero Service Principal
- BloodHound Attack Path Finding - WriteOwner Privileges on Tier Zero Objects
- BloodHound Attack Path Finding - Cloud App Admin Over Tier Zero Principal
- BloodHound Attack Path Finding - DCOM Users on Tier Zero Computers
- BloodHound Attack Path Finding - Tier Zero Computer Vulnerable to Coercion-Based NTLM Relay to LDAPS Attack
- BloodHound Attack Path Finding - ForceChangePassword Privileges on Tier Zero Objects
- BloodHound Attack Path Finding - VM Contributor Role on Tier Zero System
- BloodHound Attack Path Finding - Ownership Privileges on Tier Zero Objects
- BloodHound Attack Path Finding - Large Default Groups With Add Key Credential Link Privileges
- BloodHound Attack Path Finding - Admins on Tier Zero Computers
- BloodHound Attack Path Finding - WriteOwnerLimitedRights Privileges on Tier Zero Objects
- BloodHound Attack Path Finding - Add Members to Tier Zero Group
- BloodHound Attack Path Finding - Non-Tier Zero Principals With DCSync Privileges
Sigma Community Rules
- Scheduled Task Creation with Curl and PowerShell Execution Combo
- Scheduled Task Creation Masquerading as System Processes
- Potentially Suspicious Child Processes Spawned by ConHost
- MMC Executing Files with Reversed Extensions Using RTLO Abuse
- MMC Loading Script Engines DLLs
- Security Event Logging Disabled via MiniNt Registry Key - Registry Set
- Security Event Logging Disabled via MiniNt Registry Key - Process
- Potentially Suspicious Inline JavaScript Execution via NodeJS Binary
- Suspicious Child Process of SAP NetWeaver - Linux
- Potential SAP NetWeaver Webshell Creation
- Potential SAP NetWeaver Webshell Creation - Linux
- NodeJS Execution of JavaScript File
- Potential Hello-World Scraper Botnet Activity
- MacOS FileGrabber Infostealer
- Suspicious Uninstall of Windows Defender Feature via PowerShell
- Suspicious Child Process of SAP NetWeaver
- Suspicious Process Suspension via WERFaultSecure through EDR-Freeze
- WDAC Policy File Creation In CodeIntegrity Folder
- Low Reputation Effective Top-Level Domain (eTLD)
- FunkLocker Ransomware File Creation
- Potential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309)
- Potential PowerShell Console History Access Attempt via History File
- Suspicious Creation of .library-ms File — Potential CVE-2025-24054 Exploit
- Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server
- Suspicious Velociraptor Child Process
- Potential ClickFix Execution Pattern - Registry
- Registry Manipulation via WMI Stdregprov
Splunk
Content Updated
SnapAttack Community
Atomic Red Team
Microsoft Sentinel
- Detect port misuse by anomaly based detection (ASIM Network Session schema)
- Anomaly found in Network Session Traffic (ASIM Network Session schema)
- GSA - Detect Abnormal Deny Rate for Source to Destination IP
- GSA - Detect Protocol Changes for Destination Ports
- Snowflake - Possible privileges discovery activity
- Snowflake - Multiple login failures from single IP
- Snowflake - Abnormal query process time
- Snowflake - Unusual query
- Snowflake - Possible data destruction
- Snowflake - User granted admin privileges
- Snowflake - Multiple failed queries
- Snowflake - Possible discovery activity
- Snowflake - Multiple login failures by user
- Snowflake - Query on sensitive or restricted table
- Malware attachment delivered
- Malware Link Clicked
- High Number of Urgent Vulnerabilities Detected
- New High Severity Vulnerability Detected Across Multiple Hosts
Sigma Community Rules
- Hacktool Ruler
- Potential File Extension Spoofing Using Right-to-Left Override
- Potential Defense Evasion Via Right-to-Left Override
- Uncommon Child Process Of Conhost.EXE
- Setup16.EXE Execution With Custom .Lst File
- HackTool - LaZagne Execution
- UNC4841 - Barracuda ESG Exploitation Indicators
- Potentially Suspicious Azure Front Door Connection
- Query Tor Onion Address - DNS Client
- Suspicious Get Local Groups Information - PowerShell
- Python Image Load By Non-Python Process
- DNS Query Tor .Onion Address - Sysmon
- HackTool - CoercedPotato Execution
- Disable Security Events Logging Adding Reg Key MiniNt
- DNS TOR Proxies
- Suspicious Get Local Groups Information
- Potential Python DLL SideLoading
- Suspicious ShellExec_RunDLL Call Via Ordinal
- BITS Transfer Job Download From File Sharing Domains
- Certificate Use With No Strong Mapping
- Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE
- Suspicious File Download From File Sharing Websites - File Stream
- New Service Creation Using Sc.EXE
- Regsvr32 DLL Execution With Suspicious File Extension
- Potential Persistence Via Notepad++ Plugins
- ETW Logging/Processing Option Disabled On IIS Server
- RestrictedAdminMode Registry Value Tampering - ProcCreation
- Previously Installed IIS Module Was Removed
- Suspicious File Download From File Sharing Domain Via Curl.EXE
- Potential PsExec Remote Execution
- Command Executed Via Run Dialog Box - Registry
- HTTP Logging Disabled On IIS Server
- KDC RC4-HMAC Downgrade CVE-2022-37966
- Suspicious Windows Service Tampering
- New Module Added To IIS Server
- Potential Defense Evasion Via Raw Disk Access By Uncommon Tools
- Visual Studio Code Tunnel Execution
- Renamed Visual Studio Code Tunnel Execution
- Unusual File Download From File Sharing Websites - File Stream
- Suspicious File Download From File Sharing Domain Via Wget.EXE
- Potentially Suspicious Execution From Tmp Folder
- Access To Browser Credential Files By Uncommon Applications - Security
- No Suitable Encryption Key Found For Generating Kerberos Ticket
Splunk
- Azure AD Multi-Source Failed Authentications Spike
- Internal Vertical Port Scan
- Windows Driver Load Non-Standard Path
- Cisco Secure Firewall - Intrusion Events by Threat Activity
2025.09.22
Summary of Changes
Totals: 202 added / 19 modified
Intelligence: 0 added / 0 modified
Detections: 197 added / 18 modified
Threats: 4 added / 0 modified
Attack Scripts: 0 added / 0 modified
Collections: 1 added / 1 modified
Content Added
SnapAttack Subscribers (subscribers only)
- Linux EFI Bootloader Created
- Linux EFI Bootloader File Deletion
- Possible Bootloader Modifications
- CVE-2024-7344 - Linux Bootloader Modifications
- Possible Bootloader Modification
- Suspicious File in EFI Volume
- Possible Bootkit Manipulation
- CVE-2024-7344
- Outlook Dialogs Disabled from Unusual Process
- NotDoor Malware
- HTTP Request Smuggling
- Hunt - Possibly Malicious User Agents
- Rapid POST with Mixed Response
- HTTP Request Smuggling
- Duplicated HTTP Headers
- Unusual HTTP Method
- Possible Request Smuggling with Zero Content-Length
- Possible CL-TE or TE-CL Request Smuggling
- AutomaticDestinations File Deletion
- RDP Server Registry Deletion
- RDP Client Launched with Admin Session
- RDP Cache File Deletion
- RDP Bitmap Cache File Creation
Atomic Red Team
Microsoft Sentinel
- Lumen TI IPAddress in SecurityEvents
- Lumen TI IPAddress in OfficeActivity
- Lumen TI IPAddress in DeviceEvents
- Lumen TI domain in DnsEvents
- Lumen TI IPAddress indicator in CommonSecurityLog
- Lumen TI IPAddress in SigninLogs
- Lumen TI IPAddress in WindowsEvents
- Lumen TI IPAddress in IdentityLogonEvents
- Lumen TI IPAddress in CommonSecurityLog
- Contrast ADR - Security Incident Alert
- Contrast ADR - EDR Alert Correlation
- Contrast ADR - Exploited Attack in Production
- Contrast ADR - Exploited Attack Event
- Contrast ADR - WAF Alert Correlation
- Contrast ADR - DLP SQL Injection Correlation
- Backup Repository Deleted
- Failover Plan Failed
- Configuration Backup Job Settings Updated
- Failover Plan Started
- Objects Added to Malware Detection Exclusions
- Protection Group Deleted
- Objects for Protection Group Deleted
- Configuration Backup Failed
- WAN Accelerator Deleted
- Recovery Token Deleted
- Tape Server Deleted
- Failover Plan Stopped
- Veeam ONE Unusual Job Duration (Veeam Backup for Microsoft 365)
- Storage Deleted
- Archive Repository Deleted
- Global Network Traffic Rules Deleted
- Storage Settings Updated
- Adding User or Group Failed
- External Repository Settings Updated
- Veeam ONE VM with No Replica (Hyper-V)
- Subtenant Deleted
- Veeam ONE Possible Ransomware Activity (vSphere)
- Tape Erase Job Started
- Protection Group Settings Updated
- SureBackup Job Failed
- Credential Record Deleted
- Malware Detection Session Finished
- Host Deleted
- Veeam ONE Application with No Recent Data Backup Sessions
- License Limit Exceeded
- KMS Server Settings Updated
- Veeam ONE Backup Server Security and Compliance State
- Malware Event Detected
- Tape Media Vault Deleted
- User or Group Added
- Cloud Gateway Deleted
- Veeam ONE VM with No Replica
- Cloud Gateway Pool Settings Updated
- Veeam ONE Job Disabled (Veeam Backup for Microsoft 365)
- Virtual Lab Settings Updated
- License Grace Period Started
- Service Provider Updated
- Failover Plan Settings Updated
- File Server Settings Updated
- Object Storage Settings Updated
- Multi-Factor Authentication for User Disabled
- Tenant Replica Started
- Veeam ONE Malware Detection Change Tracking
- Global VM Exclusions Added
- Veeam ONE Unusual Job Duration
- Encryption Password Deleted
- Malware Detection Settings Updated
- Virtual Lab Deleted
- Coveware Security Finding Detected
- User or Group Deleted
- Multi-Factor Authentication Disabled
- Malware Activity Detected
- Job Deleted
- Four-Eyes Authorization Request Created
- Scale-Out Backup Repository Deleted
- Four-Eyes Authorization Disabled
- Objects for Job Deleted
- Multi-Factor Authentication User Locked
- License Support Expired
- License Removed
- Four-Eyes Authorization Request Rejected
- Tenant Password Changed
- Service Provider Deleted
- File Server Deleted
- License Support Expiring
- Invalid Code for Multi-Factor Authentication Entered
- Backup Proxy Deleted
- Failover Plan Deleted
- Global VM Exclusions Deleted
- Multi-Factor Authentication Token Revoked
- Hypervisor Host Deleted
- Object Storage Deleted
- Attempt to Update Security Object Failed
- Tenant Quota Deleted
- Veeam ONE Job Disabled
- SSH Credentials Changed
- Restore Point Marked as Clean
- Job No Longer Used as Second Destination
- NDMP Server Deleted
- Object Marked as Clean
- File Share Deleted
- KMS Key Rotation Job Finished
- Veeam ONE Computer with No Backup
- Tape Library Deleted
- Four-Eyes Authorization Request Expired
- Veeam ONE VM with No Backup
- Backup Repository Settings Updated
- External Repository Deleted
- Application Group Settings Updated
- KMS Server Deleted
- Veeam ONE Suspicious Incremental Backup Size
- Scale-Out Backup Repository Settings Updated
- Encryption Password Added
- Best Practice Compliance Check Not Passed
- Encryption Password Changed
- General Settings Updated
- Detaching Backups Started
- Veeam ONE Immutability State
- Archive Repository Settings Updated
- License Expiring
- Host Settings Updated
- Hypervisor Host Settings Updated
- Objects Deleted from Malware Detection Exclusions
- Configuration Backup Job Failed
- Global VM Exclusions Changed
- Tape Media Pool Deleted
- Cloud Replica Permanent Failover Performed by Tenant
- Tenant State Changed
- Tape Medium Deleted
- License Expired
- Cloud Gateway Pool Deleted
- Credential Record Updated
- Application Group Deleted
- Attempt to Delete Backup Failed
- Veeam ONE Possible Ransomware Activity (Hyper-V)
- Preferred Networks Deleted
- Subtenant Updated
- Objects for Protection Group Changed
- Tenant Quota Changed
- Restore Point Marked as Infected
- Veeam ONE VM with No Backup (Hyper-V)
- Cloud Gateway Settings Updated
- Malware Detection Exclusions List Updated
- WAN Accelerator Settings Updated
- Veeam ONE Backup Copy RPO
- Tenant Replica Stopped
- Veeam ONE Immutability Change Tracking
- Connection to Backup Repository Lost
- AWS Security Hub - Detect IAM Policies allowing full administrative privileges
- AWS Security Hub - Detect IAM root user Access Key existence
- AWS Security Hub - Detect EC2 Security groups allowing unrestricted high-risk ports
- AWS Security Hub - Detect SQS Queue policy allowing public access
- AWS Security Hub - Detect CloudTrail trails lacking KMS encryption
- AWS Security Hub - Detect SSM documents public sharing enabled
- AWS Security Hub - CloudTrail trails without log file validation
- AWS Security Hub - IAM users with console password and no MFA
- AWS Security Hub - Detect SQS Queue lacking encryption at rest
- AWS Security Hub - EC2 instances with public IPv4 address
- AWS Security Hub - Detect root user lacking MFA
Splunk
- Windows Outlook Dialogs Disabled from Unusual Process
- Windows Outlook LoadMacroProviderOnBoot Persistence
- Windows Outlook Macro Created by Suspicious Process
- Windows Outlook Macro Security Modified
- Windows Wmic Network Discovery
- Windows Wmic DiskDrive Discovery
- Windows Set Private Network Profile via Registry
- Windows Wmic Systeminfo Discovery
- Windows Net System Service Discovery
- Windows File Collection Via Copy Utilities
- Windows Certutil Root Certificate Addition
- Windows Wmic Memory Chip Discovery
- Windows Wmic CPU Discovery
- Windows AI Platform DNS Query
- Linux Magic SysRq Key Abuse
- Windows SpeechRuntime Suspicious Child Process
- Windows SpeechRuntime COM Hijacking DLL Load
- Windows Excel ActiveMicrosoftApp Child Process
- Windows DLL Module Loaded in Temp Dir
Content Updated
SnapAttack Subscribers (subscribers only)
SnapAttack Community
Microsoft Sentinel
Splunk
- Linux Auditd Service Started
- Windows InstallUtil URL in Command Line
- Windows MSIExec Remote Download
- Cisco NVM - Suspicious File Download via Headless Browser
- Cisco NVM - Outbound Connection to Suspicious Port
- WMIC XSL Execution via URL
- Detect RClone Command-Line Usage
- Cisco NVM - Suspicious Network Connection From Process With No Args
- Windows Curl Download to Suspicious Path
- Cisco NVM - MSHTML or MSHTA Network Execution Without URL in CLI
- Windows InstallUtil Remote Network Connection
- Cisco NVM - Suspicious Network Connection to IP Lookup Service API
- Cisco NVM - Curl Execution With Insecure Flags
- Cisco NVM - Non-Network Binary Making Network Connection
- Cisco Smart Install Oversized Packet Detection
2025.09.08
Summary of Changes
Totals: 6 added / 281 modified
Intelligence: 0 added / 0 modified
Detections: 5 added / 268 modified
Threats: 0 added / 1 modified
Attack Scripts: 1 added / 10 modified
Collections: 0 added / 2 modified
Content Added
SnapAttack Subscribers (subscribers only)
- PowerShell Script From WindowsApps Directory
- PowerShell MSIX Package Installation
- Default RDP File Unhidden
- Default RDP File Deleted
- Default RDP File Created
Atomic Red Team
Content Updated
SnapAttack Subscribers (subscribers only)
- NotDoor Malware
- HTTP Request Smuggling
- Hunt - Possibly Malicious User Agents
- Possible CL-TE or TE-CL Request Smuggling
- Rapid POST with Mixed Response
- HTTP Request Smuggling
- Duplicated HTTP Headers
- Unusual HTTP Method
- Possible Request Smuggling with Zero Content-Length
- AutomaticDestinations File Deletion
- RDP Server Registry Deletion
- RDP Client Launched with Admin Session
- RDP Cache File Deletion
- RDP Bitmap Cache File Creation
SnapAttack Community
Atomic Red Team
- WinPwn - winPEAS
- WinPwn - itm4nprivesc
- WinPwn - PowerSharpPack - Seatbelt
- WinPwn - Powersploits privesc checks
- WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors
- WinPwn - General privesc checks
- WinPwn - PowerSharpPack - Watson searching for missing windows patches
- WinPwn - GeneralRecon
- WinPwn - Morerecon
- WinPwn - RBCD-Check
LOLDrivers
- Vulnerable Driver Load Despite HVCI (sha1)
- Malicious Driver Load Despite HVCI (md5)
- Vulnerable Driver Load By Name
- Malicious Driver Load (md5)
- Malicious Driver Load By Name
- Vulnerable Driver Load Despite HVCI (sha256)
- Malicious Driver Load Despite HVCI (sha256)
- Malicious Driver Load Despite HVCI (sha1)
- Malicious Driver Load (sha256)
- Malicious Driver Load (sha1)
- Vulnerable Driver Load (sha1)
- Vulnerable Driver Load Despite HVCI (md5)
- Vulnerable Driver Load (md5)
- Vulnerable Driver Load (sha256)
Microsoft Sentinel
- Backup Repository Deleted
- Failover Plan Failed
- Configuration Backup Job Settings Updated
- Failover Plan Started
- Objects Added to Malware Detection Exclusions
- Protection Group Deleted
- Objects for Protection Group Deleted
- Configuration Backup Failed
- WAN Accelerator Deleted
- Recovery Token Deleted
- Tape Server Deleted
- Failover Plan Stopped
- Veeam ONE Unusual Job Duration (Veeam Backup for Microsoft 365)
- Storage Deleted
- Archive Repository Deleted
- Global Network Traffic Rules Deleted
- Storage Settings Updated
- Adding User or Group Failed
- External Repository Settings Updated
- Veeam ONE VM with No Replica (Hyper-V)
- Subtenant Deleted
- Veeam ONE Possible Ransomware Activity (vSphere)
- Tape Erase Job Started
- Protection Group Settings Updated
- SureBackup Job Failed
- Credential Record Deleted
- Malware Detection Session Finished
- Host Deleted
- Veeam ONE Application with No Recent Data Backup Sessions
- License Limit Exceeded
- KMS Server Settings Updated
- Veeam ONE Backup Server Security and Compliance State
- Malware Event Detected
- Tape Media Vault Deleted
- User or Group Added
- Cloud Gateway Deleted
- Veeam ONE VM with No Replica
- Cloud Gateway Pool Settings Updated
- Veeam ONE Job Disabled (Veeam Backup for Microsoft 365)
- Virtual Lab Settings Updated
- License Grace Period Started
- Service Provider Updated
- Failover Plan Settings Updated
- File Server Settings Updated
- Object Storage Settings Updated
- Multi-Factor Authentication for User Disabled
- Tenant Replica Started
- Veeam ONE Malware Detection Change Tracking
- Global VM Exclusions Added
- Veeam ONE Unusual Job Duration
- Encryption Password Deleted
- Malware Detection Settings Updated
- Virtual Lab Deleted
- Coveware Security Finding Detected
- User or Group Deleted
- Multi-Factor Authentication Disabled
- Malware Activity Detected
- Job Deleted
- Four-Eyes Authorization Request Created
- Scale-Out Backup Repository Deleted
- Four-Eyes Authorization Disabled
- Objects for Job Deleted
- Multi-Factor Authentication User Locked
- License Support Expired
- License Removed
- Four-Eyes Authorization Request Rejected
- Tenant Password Changed
- Service Provider Deleted
- File Server Deleted
- License Support Expiring
- Invalid Code for Multi-Factor Authentication Entered
- Backup Proxy Deleted
- Failover Plan Deleted
- Global VM Exclusions Deleted
- Multi-Factor Authentication Token Revoked
- Hypervisor Host Deleted
- Object Storage Deleted
- Attempt to Update Security Object Failed
- Tenant Quota Deleted
- Veeam ONE Job Disabled
- SSH Credentials Changed
- Restore Point Marked as Clean
- Job No Longer Used as Second Destination
- NDMP Server Deleted
- Object Marked as Clean
- File Share Deleted
- KMS Key Rotation Job Finished
- Veeam ONE Computer with No Backup
- Tape Library Deleted
- Four-Eyes Authorization Request Expired
- Veeam ONE VM with No Backup
- Backup Repository Settings Updated
- External Repository Deleted
- Application Group Settings Updated
- KMS Server Deleted
- Veeam ONE Suspicious Incremental Backup Size
- Scale-Out Backup Repository Settings Updated
- Encryption Password Added
- Best Practice Compliance Check Not Passed
- Encryption Password Changed
- General Settings Updated
- Detaching Backups Started
- Veeam ONE Immutability State
- Archive Repository Settings Updated
- License Expiring
- Host Settings Updated
- Hypervisor Host Settings Updated
- Objects Deleted from Malware Detection Exclusions
- Configuration Backup Job Failed
- Global VM Exclusions Changed
- Tape Media Pool Deleted
- Cloud Replica Permanent Failover Performed by Tenant
- Tenant State Changed
- Tape Medium Deleted
- License Expired
- Cloud Gateway Pool Deleted
- Credential Record Updated
- Application Group Deleted
- Attempt to Delete Backup Failed
- Veeam ONE Possible Ransomware Activity (Hyper-V)
- Preferred Networks Deleted
- Subtenant Updated
- Objects for Protection Group Changed
- Tenant Quota Changed
- Restore Point Marked as Infected
- Veeam ONE VM with No Backup (Hyper-V)
- Cloud Gateway Settings Updated
- Malware Detection Exclusions List Updated
- WAN Accelerator Settings Updated
- Veeam ONE Backup Copy RPO
- Tenant Replica Stopped
- Veeam ONE Immutability Change Tracking
- Connection to Backup Repository Lost
- AWS Security Hub - Detect IAM Policies allowing full administrative privileges
- AWS Security Hub - Detect IAM root user Access Key existence
- AWS Security Hub - Detect EC2 Security groups allowing unrestricted high-risk ports
- AWS Security Hub - Detect SQS Queue policy allowing public access
- AWS Security Hub - Detect CloudTrail trails lacking KMS encryption
- AWS Security Hub - Detect SSM documents public sharing enabled
- AWS Security Hub - CloudTrail trails without log file validation
- AWS Security Hub - IAM users with console password and no MFA
- AWS Security Hub - Detect SQS Queue lacking encryption at rest
- AWS Security Hub - EC2 instances with public IPv4 address
- AWS Security Hub - Detect root user lacking MFA
- Abnormal Port to Protocol
Sigma Community Rules
- IIS Native-Code Module Command Line Installation
- Windows Recovery Environment Disabled Via Reagentc
- Potential Execution of Sysinternals Tools
- Suspicious Msiexec Quiet Install From Remote Location
- Potentially Suspicious Ping/Copy Command Combination
- Uninstall Sysinternals Sysmon
- Potential Arbitrary Command Execution Using Msdt.EXE
- Diskshadow Script Mode Execution
- Diskshadow Script Mode - Uncommon Script Extension Execution
- New Root Certificate Installed Via Certutil.EXE
- File And SubFolder Enumeration Via Dir Command
- File In Suspicious Location Encoded To Base64 Via Certutil.EXE
- Explorer Process Tree Break
- Esentutl Steals Browser Information
- Forfiles Command Execution
- Msiexec Quiet Installation
- Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location
- Console CodePage Lookup Via CHCP
- Capture Credentials with Rpcping.exe
- Suspicious Msiexec Execute Arbitrary DLL
- Suspicious File Encoded To Base64 Via Certutil.EXE
- PsExec/PAExec Escalation to LOCAL SYSTEM
- New Generic Credentials Added Via Cmdkey.EXE
- LSASS Process Reconnaissance Via Findstr.EXE
- Capabilities Discovery - Linux
- Copying Sensitive Files with Credential Data
- Potential Privilege Escalation To LOCAL SYSTEM
- Suspicious DLL Loaded via CertOC.EXE
- Process Terminated Via Taskkill
- Imports Registry Key From an ADS
- File Deletion Via Del
- Loaded Module Enumeration Via Tasklist.EXE
- Remote File Download Via Findstr.EXE
- Suspicious Use of PsLogList
- Curl Download And Execute Combination
- Potential Regsvr32 Commandline Flag Anomaly
- Suspicious Service Installation Script
- Enumerate All Information With Whoami.EXE
- File Decoded From Base64/Hex Via Certutil.EXE
- Suspicious Ping/Del Command Combination
- Suspicious Cabinet File Execution Via Msdt.EXE
- Suspicious Response File Execution Via Odbcconf.EXE
- DLL Loaded via CertOC.EXE
- Changing Existing Service ImagePath Value Via Reg.EXE
- Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE
- File Encoded To Base64 Via Certutil.EXE
- Raspberry Robin Subsequent Execution of Commands
- Port Forwarding Activity Via SSH.EXE
- Raspberry Robin Initial Execution From External Drive
- Diskshadow Script Mode - Execution From Potential Suspicious Location
- Exports Critical Registry Keys To a File
- Insensitive Subfolder Search Via Findstr.EXE
- Wlrmdr.EXE Uncommon Argument Or Child Process
- DllUnregisterServer Function Call Via Msiexec.EXE
- Process Memory Dump via RdrLeakDiag.EXE
- Potentially Suspicious Cabinet File Expansion
- System Information Discovery via Registry Queries
- Kernel Memory Dump Via LiveKD
- New Remote Desktop Connection Initiated Via Mstsc.EXE
- Qakbot Regsvr32 Calc Pattern
- Renamed ProcDump Execution
- XSL Script Execution Via WMIC.EXE
- Exports Registry Key To a File
- Rebuild Performance Counter Values Via Lodctr.EXE
- Certificate Exported Via Certutil.EXE
- Lolbin Unregmp2.exe Use As Proxy
- Sysmon Configuration Update
- Response File Execution Via Odbcconf.EXE
- Potential Arbitrary Command Execution Via FTP.EXE
- Imports Registry Key From a File
- Replace.exe Usage
- Potential LSASS Process Dump Via Procdump
Splunk
- Windows Wmic Network Discovery
- Windows Wmic DiskDrive Discovery
- Windows Set Private Network Profile via Registry
- Windows Wmic Systeminfo Discovery
- Windows Net System Service Discovery
- Windows File Collection Via Copy Utilities
- Windows Certutil Root Certificate Addition
- Windows Wmic Memory Chip Discovery
- Windows Wmic CPU Discovery
- Windows AI Platform DNS Query
- Azure Automation Runbook Created
- Azure Runbook Webhook Created
- Azure Automation Account Created
- Linux Magic SysRq Key Abuse
- Windows SQL Server Configuration Option Hunt
- Windows SQL Server xp_cmdshell Config Change
- Windows SQL Server Critical Procedures Enabled
- Windows SpeechRuntime Suspicious Child Process
- Windows SpeechRuntime COM Hijacking DLL Load
- AWS Defense Evasion Impair Security Services
- Windows Excel ActiveMicrosoftApp Child Process
- Windows DLL Module Loaded in Temp Dir
- Windows Rundll32 Load DLL in Temp Dir
- Disabling Windows Local Security Authority Defences via Registry
- Windows WMI Process And Service List
2025.08.25
Summary of Changes
Totals: 115 added / 62 modified
Intelligence: 0 added / 0 modified
Detections: 111 added / 59 modified
Threats: 1 added / 0 modified
Attack Scripts: 3 added / 2 modified
Collections: 0 added / 1 modified
Content Added
SnapAttack Subscribers (subscribers only)
- Possible SpeechRuntime Lateral Movement
- Suspicious Child of SpeechRuntime
- SpeechRuntimeMove DCOM Trigger Lateral Movement
Atomic Red Team
- Masquerading cmd.exe as VEDetector.exe
- Replace DisplaySwitch.exe (Display Switcher binary) with cmd.exe
- Copy and Compress AppData Folder
Microsoft Sentinel
- Keeper Security - User MFA Changed
- Keeper Security - Password Changed
- CYFIRMA - High severity File Hash Indicators with Monitor Action and Malware
- CYFIRMA - Medium severity TOR Node Network Indicators - Monitor Recommended Rule
- CYFIRMA - High severity Command & Control Network Indicators with Monitor Recommendation Rule
- CYFIRMA - Medium severity Malicious Phishing Network Indicators - Block Recommended Rule
- CYFIRMA - Customer Accounts Leaks Detection Rule
- CYFIRMA - Data Breach and Web Monitoring - Ransomware Exposure Detected Rule
- CYFIRMA - High severity TOR Node Network Indicators - Monitor Recommended Rule
- CYFIRMA - Medium severity Command & Control Network Indicators with Monitor Recommendation Rule
- CYFIRMA - Medium severity Malicious Network Indicators Associated with Malware - Block Recommended Rule
- CYFIRMA - Medium severity Trojan Network Indicators - Block Recommended Rule
- CYFIRMA - High severity Trojan File Hash Indicators with Monitor Action Rule
- CYFIRMA - Attack Surface - Weak Certificate Exposure - Medium Rule
- CYFIRMA - High severity Trojan File Hash Indicators with Block Action Rule
- CYFIRMA - Medium severity Command & Control Network Indicators with Block Recommendation Rule
- CYFIRMA - Medium Severity Attack Surface based Vulnerabilities Rule
- CYFIRMA - High severity File Hash Indicators with Block Action Rule
- CYFIRMA - Attack Surface - Open Ports High Rule
- CYFIRMA - Attack Surface - Domain/IP Vulnerability Exposure High Rule
- CYFIRMA - High severity File Hash Indicators with Monitor Action Rule
- CYFIRMA - High severity Malicious Phishing Network Indicators - Block Recommended Rule
- CYFIRMA - Public Accounts Leaks Detection Rule
- CYFIRMA - Data Breach and Web Monitoring - Phishing Campaign Detection Rule
- CYFIRMA - Medium severity File Hash Indicators with Block Action Rule
- CYFIRMA - Medium severity Trojan File Hash Indicators with Monitor Action Rule
- CYFIRMA - Brand Intelligence - Social Media Handle Impersonation Detected High Rule
- CYFIRMA - High Severity Asset based Vulnerabilities Rule Alert
- CYFIRMA - Social and Public Exposure - Exposure of PII/CII in Public Domain Rule
- CYFIRMA - Brand Intelligence - Social Media Handle Impersonation Detected Medium Rule
- CYFIRMA - Social and Public Exposure - Source Code Exposure on Public Repositories Rule
- CYFIRMA - High Severity Attack Surface based Vulnerabilities Rule Alert
- CYFIRMA - Medium severity Malicious Network Indicators with Monitor Action Rule
- CYFIRMA - Brand Intelligence - Domain Impersonation High Rule
- CYFIRMA - High severity Malicious Network Indicators with Block Action Rule
- CYFIRMA - High severity Command & Control Network Indicators with Block Recommendation Rule
- CYFIRMA - Social and Public Exposure - Confidential Files Information Exposure Rule
- CYFIRMA - Data Breach and Web Monitoring - Dark Web High Rule
- CYFIRMA - Attack Surface - Domain/IP Vulnerability Exposure Medium Rule
- CYFIRMA - Social and Public Exposure - Exposure of PII/CII in Public Domain Rule
- CYFIRMA - Medium severity File Hash Indicators with Monitor Action and Malware
- CYFIRMA - Compromised Employees Detection Rule
- CYFIRMA - Medium severity File Hash Indicators with Monitor Action Rule
- CYFIRMA - Medium severity Trojan Network Indicators - Monitor Recommended Rule
- CYFIRMA - Medium severity Malicious Phishing Network Indicators - Monitor Recommended Rule
- CYFIRMA - Brand Intelligence - Product/Solution High Rule
- CYFIRMA - High severity Malicious Network Indicators with Monitor Action Rule
- CYFIRMA - Attack Surface - Malicious Domain/IP Reputation High Rule
- CYFIRMA - Attack Surface - Configuration Medium Rule
- CYFIRMA - Attack Surface - Weak Certificate Exposure - High Rule
- CYFIRMA - Social and Public Exposure - Source Code Exposure on Public Repositories Rule
- CYFIRMA - High severity Malicious Network Indicators Associated with Malware - Block Recommended Rule
- CYFIRMA - Medium severity Malicious Network Indicators with Block Action Rule
- CYFIRMA - Data Breach and Web Monitoring - Dark Web Medium Rule
- CYFIRMA - Brand Intelligence - Executive/People Impersonation High Rule
- CYFIRMA - Data Breach and Web Monitoring - Phishing Campaign Detection Rule
- CYFIRMA - Medium severity File Hash Indicators with Block Action and Malware
- CYFIRMA - Data Breach and Web Monitoring - Ransomware Exposure Detected Rule
- CYFIRMA - Medium Severity Asset based Vulnerabilities Rule Alert
- CYFIRMA - Attack Surface - Malicious Domain/IP Reputation Medium Rule
- CYFIRMA - High severity Malicious Phishing Network Indicators - Monitor Recommended Rule
- CYFIRMA - Attack Surface - Cloud Weakness High Rule
- CYFIRMA - Medium severity Malicious Network Indicators Associated with Malware - Monitor Recommended Rule
- CYFIRMA - High severity Trojan Network Indicators - Block Recommended Rule
- CYFIRMA - High severity Trojan Network Indicators - Monitor Recommended Rule
- CYFIRMA - Attack Surface - Cloud Weakness Medium Rule
- CYFIRMA - Social and Public Exposure - Confidential Files Information Exposure Rule
- CYFIRMA - Medium severity TOR Node Network Indicators - Block Recommended Rule
- CYFIRMA - Attack Surface - Open Ports Medium Rule
- CYFIRMA - Attack Surface - Configuration High Rule
- CYFIRMA - High severity File Hash Indicators with Block Action and Malware
- CYFIRMA - Brand Intelligence - Executive/People Impersonation Medium Rule
- CYFIRMA - High severity TOR Node Network Indicators - Block Recommended Rule
- CYFIRMA - Brand Intelligence - Product/Solution Medium Rule
- CYFIRMA - High severity Malicious Network Indicators Associated with Malware - Monitor Recommended Rule
- CYFIRMA - Medium severity Trojan File Hash Indicators with Block Action Rule
- CYFIRMA - Brand Intelligence - Domain Impersonation Medium Rule
Sigma Community Rules
Splunk
- Cisco Configuration Archive Logging Analysis
- Cisco Network Interface Modifications
- Cisco Smart Install Port Discovery and Status
- Cisco Secure Firewall - Static Tundra Smart Install Abuse
- Cisco SNMP Community String Configuration Changes
- Cisco TFTP Server Configuration for Data Exfiltration
- Cisco Smart Install Oversized Packet Detection
- Cisco IOS Suspicious Privileged Account Creation
- Windows RDP Server Registry Entry Created
- Windows RDP Bitmap Cache File Creation
- Windows RDP Client Launched with Admin Session
- Windows Advanced Installer MSIX with AI_STUBS Execution
- Windows RDP Server Registry Deletion
- Windows Default RDP File Creation
- Windows Default Rdp File Unhidden
- Windows PowerShell Script From WindowsApps Directory
- Windows Default Rdp File Deletion
- Windows Rdp AutomaticDestinations Deletion
- Windows RDP Cache File Deletion
- Windows Developer-Signed MSIX Package Installation
- Windows AppX Deployment Unsigned Package Installation
- Windows MSIX Package Interaction
- Windows AppX Deployment Full Trust Package Installation
- Windows PowerShell MSIX Package Installation
- Windows RDP Login Session Was Established
- Windows AppX Deployment Package Installation Success
- Windows Suspicious VMWare Tools Child Process
- Linux Medusa Rootkit
- Windows Gdrive Binary Activity
- Linux Gdrive Binary Activity
Content Updated
SnapAttack Community
Atomic Red Team
- abuse of linux magic system request key for reboot
- Execute a process from a directory masquerading as the current parent directory
LOLDrivers
- Malicious Driver Load (sha1)
- Malicious Driver Load (md5)
- Malicious Driver Load Despite HVCI (md5)
- Malicious Driver Load By Name
- Vulnerable Driver Load By Name
- Malicious Driver Load Despite HVCI (sha256)
- Vulnerable Driver Load Despite HVCI (sha256)
- Malicious Driver Load Despite HVCI (sha1)
- Vulnerable Driver Load (sha256)
- Vulnerable Driver Load (md5)
- Malicious Driver Load (sha256)
- Vulnerable Driver Load (sha1)
- Vulnerable Driver Load Despite HVCI (sha1)
- Vulnerable Driver Load Despite HVCI (md5)
Microsoft Sentinel
Sigma Community Rules
- Potential WerFault ReflectDebugger Registry Value Abuse
- DNS Query To Devtunnels Domain
- Suspicious Windows Defender Registry Key Tampering Via Reg.EXE
- New BgInfo.EXE Custom VBScript Registry Configuration
- Active Directory Database Snapshot Via ADExplorer
- New BgInfo.EXE Custom WMI Query Registry Configuration
- New Federated Domain Added
- New Network Route Added
- Windows Binaries Write Suspicious Extensions
- AWS CloudTrail Important Change
- Create Volume Shadow Copy with Powershell
- Potential PendingFileRenameOperations Tampering
- New Network ACL Entry Added
- Browser Execution In Headless Mode
- Hiding User Account Via SpecialAccounts Registry Key
- Disabling Multi Factor Authentication
- Cloudflared Tunnels Related DNS Requests
- New BgInfo.EXE Custom DB Path Registry Configuration
- Virtualbox Driver Installation or Starting of VMs
- Suspicious Active Directory Database Snapshot Via ADExplorer
- File Download with Headless Browser
- Potential Bucket Enumeration on AWS
- Potential Data Stealing Via Chromium Headless Debugging
- Suspicious Inbox Forwarding Identity Protection
- AWS Config Disabling Channel/Recorder
- File or Folder Permissions Modifications
- Registry Set With Crypto-Classes From The "Cryptography" PowerShell Namespace
- Suspicious Chromium Browser Instance Executed With Custom Extension
- ADExplorer Writing Complete AD Snapshot Into .dat File
- Powershell Executed From Headless ConHost Process
- Chromium Browser Instance Executed With Custom Extension
- Remote Access Tool - MeshAgent Command Execution via MeshCentral
- Startup/Logon Script Added to Group Policy Object
- Network Connection Initiated To BTunnels Domains
Splunk
- Cisco Secure Firewall - Intrusion Events by Threat Activity
- Windows Phishing Recent ISO Exec Registry
- Splunk AppDynamics Secure Application Alerts
- Remcos client registry install entry
- Windows Impair Defense Override Win Defender Phishing Filter
- Windows Rundll32 Load DLL in Temp Dir
- Windows Audit Policy Auditing Option Modified - Registry
- Windows AD Replication Request Initiated from Unsanctioned Location
- Windows AD Replication Request Initiated by User Account
2025.08.11
Summary of Changes
Totals: 217 added / 67 modified
Intelligence: 0 added / 0 modified
Detections: 217 added / 66 modified
Threats: 0 added / 0 modified
Attack Scripts: 0 added / 0 modified
Collections: 0 added / 1 modified
Content Added
SnapAttack Subscribers (subscribers only)
- Unusual Process Load Mozilla NSS-Mozglue Module
- Unusual Intelliform Storage Registry Access
- Medusa Rootkit
- Unusual FileZilla XML Config Access
- SharePoint ToolPane Endpoint Exploitation Attempt
- SharePoint Spinstall0 Webshell File Creation
- SharePoint Spinstall0 GET Request
- Potential CitrixBleed 2 Memory Disclosure
Microsoft Sentinel
- Rubrik Critical Anomaly
- Rubrik Threat Monitoring
- Digital Content Theft (High)
- Suspicious Email (Low)
- User Credentials Web App (High)
- Phish Redirector (Low)
- Targeted Malware (Low)
- Employee Credentials 3Rd Party (Informational)
- Attack Indication (Low)
- Data Leakage (Low)
- Trap 10 (Informational)
- Pharming (Medium)
- Unauthorized Association (Informational)
- Spam (Informational)
- Leaked Credential (Low)
- Breached Credential (Low)
- Exposed Email Address (Informational)
- Doorway Page (Medium)
- Domain Infringement (Informational)
- Employee Credentials Internal (Informational)
- Money Mule Account (High)
- Spam (Low)
- Phishing (Medium)
- Unauthorized Association (Medium)
- Leaked Credential (Medium)
- Malware (Informational)
- Malware (High)
- Compromised Cards (Medium)
- Vishing (High)
- User Credentials Mobile App (Low)
- Attack Indication (High)
- Subdomain Infringement (Low)
- Malicious Ip (Informational)
- User Credentials Web App (Informational)
- Employee Credentials Internal (Medium)
- Data Leakage (High)
- Survey Scam (High)
- Brand Harassment (High)
- Spam (Medium)
- Dark Web (Medium)
- Employee Credentials 3Rd Party (High)
- Brand Harassment (Medium)
- Social Engineering Vulnerability (Informational)
- Malicious Redirector (Low)
- Employee Credentials Internal (High)
- Brand Abuse (Low)
- Compromised Cards (Informational)
- Pharming (Informational)
- Data Leakage (Informational)
- Apt (Low)
- Code Repo (Informational)
- Exposed Email Address (Medium)
- Hacker Chatter (Informational)
- Data Leakage (Medium)
- Compromised Cards (Low)
- Pharming (Low)
- Brand Harassment (Low)
- Vip Credential (High)
- Vip Credential (Low)
- Vishing (Low)
- Code Repository (Low)
- Trap 10 (High)
- Phishing (Low)
- Inaccurate Content (High)
- Trap 10 (Medium)
- Suspicious Email (Informational)
- Subdomain Infringement (Informational)
- Malicious Redirector (High)
- Suspicious Mobile App (Medium)
- Code Repository (High)
- Exposed Misconfiguration (Informational)
- Suspicious Email (High)
- Smshing (High)
- Malicious Ip (Medium)
- Executive Leaks (High)
- Smshing (Medium)
- Social Engineering Vulnerability (High)
- Apt (High)
- Malicious Domain (Medium)
- Leaked Credential (Informational)
- Breached Credential (High)
- Hacker Chatter (High)
- Employee Credentials 3Rd Party (Medium)
- Brand Abuse (High)
- Attack Indication (Medium)
- Baiting News Site (Medium)
- Subdomain Infringement (High)
- Executive Leaks (Medium)
- Baiting News Site (Low)
- Vishing (Medium)
- Spam (High)
- Malware (Low)
- Phishing (Informational)
- Money Mule Account (Medium)
- Domain Infringement (High)
- Subdomain Infringement (Medium)
- Unauthorized Association (Low)
- Dark Web (Informational)
- Unauthorized Job Posting (Low)
- User Credentials Mobile App (Informational)
- Doorway Page (Informational)
- Baiting News Site (High)
- Phish Redirector (High)
- Breached Credential (Medium)
- Cyber Evil Twin Site (Low)
- Suspicious Documents (Medium)
- Malicious Redirector (Informational)
- Social Engineering Vulnerability (Medium)
- Employee Credentials Internal (Low)
- Suspicious Email (Medium)
- Apt (Informational)
- Targeted Malware (Informational)
- Domain Infringement (Low)
- User Credentials Mobile App (High)
- Suspicious Documents (Low)
- Compromised Cards (High)
- Exposed Misconfiguration (High)
- Auto Generated Page (Informational)
- User Credentials Web App (Low)
- Code Repo (High)
- Suspicious Documents (High)
- Domain Infringement (Medium)
- Dark Web (Low)
- Code Repository (Medium)
- Smshing (Low)
- Vip Credential (Medium)
- Malicious Domain (High)
- Survey Scam (Low)
- Inaccurate Content (Informational)
- Malicious Ip (High)
- Apt (Medium)
- Suspicious Documents (Informational)
- Phish Redirector (Informational)
- Targeted Malware (Medium)
- Targeted Malware (High)
- Suspicious Mobile App (Low)
- Unauthorized Job Posting (Informational)
- Dark Web (High)
- Exposed Email Address (Low)
- Social Engineering Vulnerability (Low)
- Survey Scam (Informational)
- Employee Credentials 3Rd Party (Low)
- Vip Credential (Informational)
- Executive Leaks (Low)
- Auto Generated Page (Medium)
- Pharming (High)
- Malicious Domain (Low)
- Malicious Domain (Informational)
- Code Repo (Medium)
- Money Mule Account (Informational)
- Smshing (Informational)
- Phish Redirector (Medium)
- Unauthorized Job Posting (High)
- Executive Leaks (Informational)
- Inaccurate Content (Medium)
- Vishing (Informational)
- Money Mule Account (Low)
- Doorway Page (Low)
- User Credentials Mobile App (Medium)
- Unauthorized Association (High)
- Brand Abuse (Medium)
- Hacker Chatter (Medium)
- Cyber Evil Twin Site (High)
- Hacker Chatter (Low)
- Brand Harassment (Informational)
- Code Repo (Low)
- Inaccurate Content (Low)
- Exposed Misconfiguration (Low)
- Brand Abuse (Informational)
- Cyber Evil Twin Site (Informational)
- Unauthorized Job Posting (Medium)
- Digital Content Theft (Informational)
- Attack Indication (Informational)
- User Credentials Web App (Medium)
- Survey Scam (Medium)
- Auto Generated Page (High)
- Digital Content Theft (Medium)
- Malware (Medium)
- Malicious Ip (Low)
- Trap 10 (Low)
- Digital Content Theft (Low)
- Doorway Page (High)
- Malicious Redirector (Medium)
- Breached Credential (Informational)
- Cyber Evil Twin Site (Medium)
- Baiting News Site (Informational)
- Exposed Misconfiguration (Medium)
- User IAM Enumeration
- Unauthorized EC2 Instance Setup Attempt
- Anvilogic Alert
- Conditional Access - Dynamic Group Exclusion Changes
- Conditional Access - A Conditional Access Device platforms condition has changed (the Device platforms condition can be spoofed)
- Conditional Access - A Conditional Access policy was deleted
- Conditional Access - A Conditional Access app exclusion has changed
- Conditional Access - A Conditional Access policy was put into report-only mode
- Conditional Access - A Conditional Access policy was disabled
- Conditional Access - A Conditional Access user/group/role exclusion has changed
- Conditional Access - A new Conditional Access policy was created
- Conditional Access - A Conditional Access policy was updated
Sigma Community Rules
- Password Set to Never Expire via WMI
- Suspicious File Created in Outlook Temporary Directory
- Suspicious File Write to SharePoint Layouts Directory
- Windows Defender Context Menu Removed
- Windows Defender Threat Severity Default Action Modified
- PowerShell Defender Threat Severity Default Action Set to 'Allow' or 'NoAction'
- Delete Defender Scan ShellEx Context Menu Registry Key
- Disabling Windows Defender WMI Autologger Session via Reg.exe
Splunk
Content Updated
SnapAttack Community
Chronicle Detection Rules
Microsoft Sentinel
- Leaked Credential
- Subdomain Infringement
- Brand Impersonation - HIGH
- Suspicious Mobile App High
- Header: X-Frame-Options Missing - Low
- Executive Impersonation
- Domain Infringement
- Exposed Email Address
- Header: X-Frame-Options Missing - Informational
- SPF Policy Set to Soft Fail
- SPF Not Configured
- Phishing
- Auto Generated Page
- Brand Abuse
- Suspicious Mobile App INFO
- Brand Impersonation - INFO
- Compromised Cards
- Code Repository
- Cisco Cloud Security - 'Blocked' User-Agents.
- Cisco Cloud Security - High values of Uploaded Data
- Cisco Cloud Security - Anomalous FQDNs for domain
- Creation of Access Key for IAM User
- Cisco Cloud Security - Request Allowed to harmful/malicious URI category
- Cisco Cloud Security - Crypto Miner User-Agent Detected
- Cisco Cloud Security - DNS requests to unreliable categories.
- Cisco Cloud Security - URI contains IP address
- Cisco Cloud Security - Possible data exfiltration
- Cisco Cloud Security - DNS Errors.
- Cisco Cloud Security - Empty User Agent Detected
- Cisco Cloud Security - Rare User Agent Detected
- Cisco Cloud Security - Hack Tool User-Agent Detected
- Cisco Cloud Security - Proxy 'Allowed' to unreliable categories.
- Cisco Cloud Security - Higher values of count of the Same BytesIn size
- Cisco Cloud Security - Windows PowerShell User-Agent Detected
- Cisco Cloud Security - Request to blocklisted file type
- Cisco Cloud Security - Possible connection to C2.
- Cisco Cloud Security - Connection to Unpopular Website Detected
- Cisco Cloud Security - Requests to uncategorized resources
- Cisco Cloud Security - Connection to non-corporate private network
- Microsoft Entra ID UserAgent OS Mismatch
- Changes to Amazon VPC settings
Sigma Community Rules
- Windows Event Log Access Tampering Via Registry
- Suspicious Dropbox API Usage
- Network Connection Initiated To Mega.nz
- Network Connection Initiated To DevTunnels Domain
- Network Connection Initiated To Visual Studio Code Tunnels Domain
- Network Connection Initiated To Cloudflared Tunnels Domains
- Suspicious Non-Browser Network Communication With Telegram API
- Network Connection Initiated To BTunnels Domains
- Process Initiated Network Connection To Ngrok Domain
- Suspicious Double Extension Files
- Potential SharePoint ToolShell CVE-2025-53770 Exploitation - File Create
- Usage Of Web Request Commands And Cmdlets - ScriptBlock
- Suspicious Invoke-WebRequest Execution
- Usage Of Web Request Commands And Cmdlets
- PowerShell Script With File Upload Capabilities
- Potential Data Exfiltration Activity Via CommandLine Tools
- Suspicious Invoke-WebRequest Execution With DirectIP
- Change User Agents with WebRequest
- Potential DLL File Download Via PowerShell Invoke-WebRequest
- PowerShell Download and Execution Cradles
- Suspicious PowerShell In Registry Run Keys
- Obfuscated IP Download Activity
Splunk
2025.07.28
Summary of Changes
Totals: 61 added / 29 modified
Intelligence: 0 added / 0 modified
Detections: 56 added / 26 modified
Threats: 0 added / 0 modified
Attack Scripts: 3 added / 2 modified
Collections: 2 added / 1 modified
Content Added
SnapAttack Subscribers (subscribers only)
SnapAttack Community
Atomic Red Team
- Decrypt Eicar File and Write to File
- ClickFix Campaign - Abuse RunMRU to Launch mshta via PowerShell
- T1027.013 Encrypted/Encoded File
Chronicle Detection Rules
- Ttp Windows W3Wp Launching Encoded Powershell
- Ttp Windows Suspicious Filewrites To Sharepoint Layouts
- Ttp Sharepoint Cve 2025 49706 Exploitation
- Ttp Windows Sharepoint Cve 2025 53770 Webshell Attempted
- Ttp Windows Sharepoint Cve 2025 53770 Webshell Succeeded
- Ttp Windows Potential Sharpyshell Webshell Execution
Microsoft Sentinel
Sigma Community Rules
- SharePoint ToolShell CVE-2025-53770 Exploitation - Web IIS
- Potential SharePoint ToolShell CVE-2025-53770 Exploitation Indicators
- Potential SharePoint ToolShell CVE-2025-53770 Exploitation - File Create
- Potential SSH Tunnel Persistence Install Using A Scheduled Task
- ADExplorer Writing Complete AD Snapshot Into .dat File
Splunk
- Cisco Duo Admin Login Unusual Browser
- Cisco Duo Policy Allow Old Java
- Cisco Duo Policy Bypass 2FA
- Windows SharePoint Spinstall0 Webshell File Creation
- Cisco Duo Bulk Policy Deletion
- Cisco Duo Policy Allow Devices Without Screen Lock
- Cisco Duo Bypass Code Generation
- Cisco Duo Policy Allow Old Flash
- Windows SharePoint ToolPane Endpoint Exploitation Attempt
- Cisco Duo Policy Allow Tampered Devices
- Cisco Duo Policy Allow Network Bypass 2FA
- Cisco Duo Admin Login Unusual Country
- Cisco Duo Policy Deny Access
- Cisco Duo Set User Status to Bypass 2FA
- Cisco Duo Admin Login Unusual Os
- Cisco Duo Policy Skip 2FA for Other Countries
- Windows SharePoint Spinstall0 GET Request
- Windows Unusual Process Load Mozilla NSS-Mozglue Module
- Windows Unusual FileZilla XML Config Access
- Windows Unusual Intelliform Storage Registry Access
- ESXi Reverse Shell Patterns
- ESXi Syslog Config Change
- ESXi Audit Tampering
- ESXi Sensitive Files Accessed
- ESXi System Clock Manipulation
- ESXi Loghost Config Tampering
- ESXi SSH Enabled
- ESXi Account Modified
- ESXi System Information Discovery
- ESXi Encryption Settings Modified
- Cisco Secure Firewall - Citrix NetScaler Memory Overread Attempt
- ESXi Download Errors
- Citrix ADC and Gateway CitrixBleed 2 Memory Disclosure
- ESXi SSH Brute Force
- ESXi Shared or Stolen Root Account
- ESXi User Granted Admin Role
- ESXi External Root Login Activity
- ESXi VM Exported via Remote Tool
- ESXi Firewall Disabled
- ESXi VIB Acceptance Level Tampering
- ESXi Shell Access Enabled
- ESXi Lockdown Mode Disabled
Content Updated
SnapAttack Subscribers (subscribers only)
SnapAttack Community
Atomic Red Team
- HKCU - Policy Settings Explorer Run Key
- Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012)
Microsoft Sentinel
- TI map IP entity to DNS Events (ASIM DNS schema)
- TI map Domain entity to Web Session Events (ASIM Web Session schema)
- TI map IP entity to Web Session Events (ASIM Web Session schema)
- New User Assigned to Privileged Role
- Multiple admin membership removals from newly created admin.
- New External User Granted Admin Role
- Threat Essentials - Multiple admin membership removals from newly created admin.
- NRT User added to Microsoft Entra ID Privileged Groups
- NRT Privileged Role Assigned Outside PIM
- Threat Essentials - NRT User added to Microsoft Entra ID Privileged Groups
- User Assigned New Privileged Role
- Power Platform - Account added to privileged Microsoft Entra roles
- User added to Microsoft Entra ID Privileged Groups
Sigma Community Rules
- Added Credentials to Existing Application
- Potential Defense Evasion Via Binary Rename
- Unsigned DLL Loaded by Windows Utility
- Suspicious Volume Shadow Copy VSS_PS.dll Load
- Active Directory Database Snapshot Via ADExplorer
- System File Execution Location Anomaly
- Transferring Files with Credential Data via Network Shares
- Suspicious Active Directory Database Snapshot Via ADExplorer
- Removal of Potential COM Hijacking Registry Keys
- COM Hijacking via TreatAs
Splunk
2025.07.14
Summary of Changes
Totals: 35 added / 164 modified
Intelligence: 0 added / 0 modified
Detections: 35 added / 161 modified
Threats: 0 added / 0 modified
Attack Scripts: 0 added / 2 modified
Collections: 0 added / 1 modified
Content Added
SnapAttack Subscribers (subscribers only)
- Auditd Daemon Abort
- Suspicious Network Connection Initiated via MsXsl
- Non-Network Binary Making Network Connection
- MSHTML or MSHTA Without URL in CLI
- Bulk System Reconnaissance
- Linux FTP Activity
Microsoft Sentinel
Sigma Community Rules
- Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing
- FileFix - Command Evidence in TypedPaths from Browser File Upload Abuse
- Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation
- Attempts of Kerberos Coercion Via DNS SPN Spoofing
- Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing - Network
- Proxy Execution via Vshadow
- HackTool - Doppelanger LSASS Dumper Execution
- HackTool - HollowReaper Execution
- Potential Notepad++ CVE-2025-49144 Exploitation
Splunk
- Cisco NVM - Non-Network Binary Making Network Connection
- Cisco NVM - Suspicious File Download via Headless Browser
- Cisco NVM - Suspicious Download From File Sharing Website
- Cisco NVM - Suspicious Network Connection to IP Lookup Service API
- Cisco NVM - Rundll32 Abuse of MSHTML.DLL for Payload Download
- Cisco NVM - Suspicious Network Connection From Process With No Args
- Cisco NVM - Webserver Download From File Sharing Website
- Windows File Download Via PowerShell
- Cisco NVM - Outbound Connection to Suspicious Port
- Cisco NVM - Curl Execution With Insecure Flags
- Cisco NVM - Rclone Execution With Network Activity
- CrowdStrike Falcon Stream Alerts
- Cisco NVM - Susp Script From Archive Triggering Network Activity
- Cisco NVM - MSHTML or MSHTA Network Execution Without URL in CLI
- Cisco NVM - Installation of Typosquatted Python Package
- Cisco NVM - Suspicious Network Connection Initiated via MsXsl
- Linux Auditd Auditd Daemon Abort
- Linux Auditd Auditd Daemon Shutdown
- Linux Auditd Auditd Daemon Start
Content Updated
SnapAttack Subscribers (subscribers only)
SnapAttack Community
Atomic Red Team
- Azure - Functions code upload - Functions code injection via File Share modification to retrieve the Functions identity access token
- Azure - Functions code upload - Functions code injection via Blob upload
LOLDrivers
- Vulnerable Driver Load (sha256)
- Malicious Driver Load By Name
- Malicious Driver Load (sha1)
- Vulnerable Driver Load By Name
- Malicious Driver Load Despite HVCI (md5)
- Vulnerable Driver Load Despite HVCI (sha1)
- Malicious Driver Load Despite HVCI (sha256)
- Vulnerable Driver Load (md5)
- Malicious Driver Load (md5)
- Malicious Driver Load Despite HVCI (sha1)
- Vulnerable Driver Load Despite HVCI (md5)
- Vulnerable Driver Load Despite HVCI (sha256)
- Vulnerable Driver Load (sha1)
- Malicious Driver Load (sha256)
Microsoft Sentinel
- User added to Microsoft Entra ID Privileged Groups
- NRT User added to Microsoft Entra ID Privileged Groups
- TI Map IP Entity to CommonSecurityLog
- TI map IP entity to AzureFirewall
- TI map Domain entity to Dns Events (ASIM DNS Schema)
- TI Map IP Entity to Duo Security
- TI map Domain entity to EmailEvents
- TI map Domain entity to Cloud App Events
- TI map IP entity to Cloud App Events
- TI map File Hash to DeviceFileEvents Event
- TI Map URL Entity to EmailUrlInfo
- TI map Email entity to SecurityEvent
- TI map IP entity to Web Session Events (ASIM Web Session schema)
- TI map Email entity to OfficeActivity
- TI map Email entity to EmailEvents
- TI Map URL Entity to PaloAlto Data
- TI Map IP Entity to VMConnection
- TI map IP entity to AppServiceHTTPLogs
- TI map Email entity to SecurityAlert
- TI Map URL Entity to AuditLogs
- TI map Domain entity to DnsEvents
- TI map IP entity to GitHub_CL
- TI Map IP Entity to DnsEvents
- TI Map IP Entity to AzureActivity
- TI map IP entity to OfficeActivity
- TI map IP entity to Azure Key Vault logs
- TI Map IP Entity to Azure SQL Security Audit Events
- TI map IP entity to AWSCloudTrail
- TI Map Domain Entity to DeviceNetworkEvents
- TI Map URL Entity to SecurityAlert Data
- TI Map URL Entity to Syslog Data
- TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)
- TI map Email entity to AzureActivity
- TI Map IP Entity to SigninLogs
- TI map Domain entity to PaloAlto CommonSecurityLog
- TI map IP entity to Workday(ASimAuditEventLogs)
- TI map Email entity to Cloud App Events
- TI map Domain entity to SecurityAlert
- TI map Domain entity to EmailUrlInfo
- TI map Domain entity to Syslog
- TI Map IP Entity to DeviceNetworkEvents
- TI map Email entity to SigninLogs
- TI Map URL Entity to DeviceNetworkEvents
- TI map IP entity to Network Session Events (ASIM Network Session schema)
- TI map File Hash to Security Event
- TI map IP entity to DNS Events (ASIM DNS schema)
- TI map Domain entity to Web Session Events (ASIM Web Session schema)
- TI map File Hash to CommonSecurityLog Event
- TI map Domain entity to PaloAlto
- TI map Email entity to PaloAlto CommonSecurityLog
- TI map URL entity to Cloud App Events
- TI Map URL Entity to UrlClickEvents
- TI Map IP Entity to W3CIISLog
- NRT Authentication Methods Changed for VIP Users
- TI Map IP Entity to CommonSecurityLog
Sigma Community Rules
- Remote Thread Creation In Uncommon Target Image
- Scheduled TaskCache Change by Uncommon Program
- Remote Thread Creation By Uncommon Source Image
- Potential Binary Or Script Dropper Via PowerShell
- Suspicious Sysmon as Execution Parent
- Remote Thread Created In Shell Application
- Use Short Name Path in Command Line
- CurrentVersion NT Autorun Keys Modification
- Modification of IE Registry Settings
- Rare Remote Thread Creation By Uncommon Source Image
- Suspicious Userinit Child Process
- Potential Active Directory Reconnaissance/Enumeration Via LDAP
- ADS Zone.Identifier Deleted By Uncommon Application
- Malicious PowerShell Commandlets - ProcessCreation
- Malicious PowerShell Scripts - PoshModule
- Potential AS-REP Roasting via Kerberos TGT Requests
- Malicious PowerShell Commandlets - ScriptBlock
- Malicious PowerShell Commandlets - PoshModule
- Malicious PowerShell Scripts - FileCreation
- Suspicious SignIns From A Non Registered Device
- Program Executed Using Proxy/Local Command Via SSH.EXE
- Uncommon New Firewall Rule Added In Windows Firewall Exception List
- Emotet Loader Execution Via .LNK File
- Suspicious Download From File-Sharing Website Via Bitsadmin
- Manual Execution of Script Inside of a Compressed File
- Disk Image Creation Via Hdiutil - MacOS
- Driver Added To Disallowed Images In HVCI - Registry
- Shell Invocation via Env Command - Linux
- Shell Execution via Nice - Linux
- Bad Opsec Defaults Sacrificial Processes With Improper Arguments
- Hiding User Account Via SpecialAccounts Registry Key - CommandLine
- Shell Execution via Git - Linux
- File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell
- Shell Execution via Flock - Linux
- Process Deletion of Its Own Executable
- Disk Image Mounting Via Hdiutil - MacOS
- Suspicious Remote AppX Package Locations
- Shell Invocation Via Ssh - Linux
- Potential File Override/Append Via SET Command
- FakeUpdates/SocGholish Activity
- Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE
- Multi Factor Authentication Disabled For User Account
- Group Policy Abuse for Privilege Addition
- Suspicious Child Process Of Wermgr.EXE
- Inline Python Execution - Spawn Shell Via OS System Library
- Antivirus Filter Driver Disallowed On Dev Drive - Registry
- Potentially Suspicious EventLog Recon Activity Using Log Query Utilities
- FileFix - Suspicious Child Process from Browser File Upload Abuse
- Task Scheduler DLL Loaded By Application Located In Potentially Suspicious Location
- HackTool - SharpWSUS/WSUSpendu Execution
- COM Object Hijacking Via Modification Of Default System CLSID Default Value
- Shell Execution via Find - Linux
- Suspicious Process Masquerading As SvcHost.EXE
- DNS Query To Put.io - DNS Client
- Suspicious Invocation of Shell via AWK - Linux
- Shell Execution GCC - Linux
- User Risk and MFA Registration Policy Updated
- Wusa.EXE Executed By Parent Process Located In Suspicious Location
- Capsh Shell Invocation - Linux
- Hidden Flag Set On File/Directory Via Chflags - MacOS
- Potentially Suspicious Rundll32.EXE Execution of UDL File
- Data Export From MSSQL Table Via BCP.EXE
Splunk
- Cisco Secure Firewall - Connection to File Sharing Domain
- Cisco Secure Firewall - Bits Network Activity
- Cisco Secure Firewall - Repeated Blocked Connections
- Cisco Secure Firewall - Wget or Curl Download
- Cisco Secure Firewall - Blocked Connection
- WMIC XSL Execution via URL
- Windows Ingress Tool Transfer Using Explorer
- Windows Office Product Spawned Child Process For Download
- Detect RClone Command-Line Usage
- DLLHost with no Command Line Arguments with Network
- Attacker Tools On Endpoint
- Cisco Secure Firewall - Repeated Malware Downloads
- Windows Curl Download to Suspicious Path
- Windows InstallUtil URL in Command Line
- Windows MSIExec Remote Download
- Windows InstallUtil Remote Network Connection
- Cisco Secure Firewall - Intrusion Events by Threat Activity
- Linux Auditd Possible Access Or Modification Of Sshd Config File
- Linux Auditd Doas Conf File Creation
- Linux Auditd Stop Services
- Linux Auditd Possible Access To Sudoers File
- Linux Auditd Add User Account Type
- Linux Auditd Osquery Service Stop
- Linux Auditd Disable Or Modify System Firewall
- Linux Auditd Preload Hijack Via Preload File
- Linux Auditd Sysmon Service Stop
- Linux Auditd Auditd Service Stop
- Linux Auditd Unix Shell Configuration Modification
- Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File
2025.06.30
Summary of Changes
Totals: 55 added / 139 modified
Intelligence: 0 added / 0 modified
Detections: 55 added / 135 modified
Threats: 0 added / 0 modified
Attack Scripts: 0 added / 3 modified
Collections: 0 added / 1 modified
Content Added
SnapAttack Subscribers (subscribers only)
- Disable Internet Explorer Addons
- Chromium Browser with Custom User Data Directory
- Chromium Browser No Security Sandbox Process
- Windows Firewall Rule Deletion
- Windows Firewall Rule Added
- ConsoleHost History File Deletion
- Tomcat Session File Upload Attempt
- Tomcat Session Deserialization Attempt
- PowerShell Invoke-RestMethod IP Information Collection
- MSC EvilTwin Directory Path Manipulation
- AWS Bedrock Invoke Model Access Denied
- AWS Bedrock Delete Model Invocation Logging Configuration
- AWS Bedrock Delete Knowledge Base
- AWS Bedrock Delete GuardRails
- EventLog Recon Activity Using Log Query Utilities
- SAP NetWeaver Visual Composer Exploitation Attempt
- Renamed Powershell Execution
Chronicle Detection Rules
- Currentcontrolset Autorun Keys Modification
- Direct Autorun Keys Modification
- New Run Key Pointing To Suspicious Folder
- Shimcache Flush
- Disable Internal Tools Or Feature In Registry
- Rdp Sensitive Settings Changed
- Suspicious Powershell In Registry Run Keys
- Blackbyte Ransomware Registry
- Rdp Sensitive Settings Changed To Zero
- Currentversion Autorun Keys Modification
- Potential Suspicious Activity Using Secedit
- Wdigest Enable Uselogoncredential
- Session Manager Autorun Keys Modification
- Reg Add Suspicious Paths
- Modify User Shell Folders Startup Value
- Default Rdp Port Changed To Non Standard Port
- Restrictedadminmode Registry Value Tampering
Microsoft Sentinel
- SAP ETD - Execution of Sensitive Function Module
- SAP LogServ - HANA DB - Deactivation of Audit Trail
- SAP LogServ - HANA DB - Audit Trail Policy Changes
- SAP LogServ - HANA DB - User Admin actions
- SAP LogServ - HANA DB - Assign Admin Authorizations
Sigma Community Rules
- FileFix - Suspicious Child Process from Browser File Upload Abuse
- Suspicious Download and Execute Pattern via Curl/Wget
- PowerShell MSI Install via WindowsInstaller COM From Remote Location
- Remote Access Tool - Renamed MeshAgent Execution - MacOS
- Remote Access Tool - Potential MeshAgent Execution - MacOS
- Remote Access Tool - Renamed MeshAgent Execution - Windows
- Remote Access Tool - Potential MeshAgent Execution - Windows
- Trusted Path Bypass via Windows Directory Spoofing
Splunk
- Windows Chromium Browser No Security Sandbox Process
- Windows Chromium Browser with Custom User Data Directory
- Windows DNS Query Request To TinyUrl
- Okta Non-Standard VPN Usage
- Zoom Rare Video Devices
- Zoom Rare Audio Devices
- Zoom High Video Latency
- Zoom Rare Input Devices
Content Updated
SnapAttack Subscribers (subscribers only)
SnapAttack Community
Atomic Red Team
- Azure - Enumerate Azure Blobs with MicroBurst
- Modify Fax service to run PowerShell
- Elevated group enumeration using net group (Domain)
Microsoft Sentinel
- SAP ETD - Login from unexpected network
- Infoblox - SOC Insight Detected - API Source
- Detect port misuse by static threshold (ASIM Network Session schema)
- Detect port misuse by anomaly based detection (ASIM Network Session schema)
- Anomaly found in Network Session Traffic (ASIM Network Session schema)
- RecordedFuture Threat Hunting IP All Actors
- RecordedFuture Threat Hunting Hash All Actors
- RecordedFuture Threat Hunting URL All Actors
- RecordedFuture Threat Hunting Domain All Actors
Sigma Community Rules
- Hidden Files and Directories
- Commands to Clear or Remove the Syslog
- TrustedPath UAC Bypass Pattern
- Remote Access Tool - MeshAgent Command Execution via MeshCentral
- Remote Thread Created In Shell Application
- Uncommon AppX Package Locations
- Remote Thread Creation By Uncommon Source Image
- Rare Remote Thread Creation By Uncommon Source Image
- CurrentVersion Autorun Keys Modification
- Common Autorun Keys Modification
Splunk
- Kubernetes newly seen UDP edge
- Kubernetes Anomalous Traffic on Network Edge
- Azure AD Service Principal Enumeration
- Azure AD Service Principal Privilege Escalation
- Kubernetes newly seen TCP edge
- Windows Exchange Autodiscover SSRF Abuse
- Azure AD AzureHound UserAgent Detected
- Windows Admon Group Policy Object Created
- Windows IIS Components Get-WebGlobalModule Module Query
- Kubernetes Anomalous Outbound Network Activity from Process
- Kubernetes Anomalous Inbound Network Activity from Process
- Windows Admon Default Group Policy Object Modified
- GitHub Organizations Disable Classic Branch Protection Rule
- GitHub Organizations Repository Archived
- AWS Exfiltration via Anomalous GetObject API Activity
- GitHub Organizations Repository Deleted
- GitHub Organizations Disable 2FA Requirement
- GitHub Organizations Delete Branch Ruleset
- GitHub Organizations Disable Dependabot
- Windows Archive Collected Data via Powershell
- Windows Exfiltration Over C2 Via Powershell UploadString
- Recon Using WMI Class
- Windows Account Discovery for Sam Account Name
- Windows Powershell History File Deletion
- Detect Copy of ShadowCopy with Script Block Logging
- Windows File Share Discovery With Powerview
- GetWmiObject User Account with PowerShell Script Block
- Powershell Remote Services Add TrustedHost
- Remote Process Instantiation via DCOM and PowerShell Script Block
- GetWmiObject Ds Group with PowerShell Script Block
- Powershell Fileless Script Contains Base64 Encoded Content
- Windows PowerView AD Access Control List Enumeration
- PowerShell Domain Enumeration
- Windows PowerShell Get CIMInstance Remote Computer
- GetDomainController with PowerShell Script Block
- Powershell Remove Windows Defender Directory
- Windows Powershell Cryptography Namespace
- Get-DomainTrust with PowerShell Script Block
- Windows PowerShell IIS Components WebGlobalModule Usage
- PowerShell Start or Stop Service
- GetAdComputer with PowerShell Script Block
- Windows PowerShell WMI Win32 ScheduledJob
- Windows Screen Capture Via Powershell
- PowerShell Invoke WmiExec Usage
- PowerShell Invoke CIMMethod CIMSession
- Windows Exfiltration Over C2 Via Invoke RestMethod
- WMI Recon Running Process Or Services
- PowerShell 4104 Hunting
- Windows PowerShell Export PfxCertificate
- Remote Process Instantiation via WMI and PowerShell Script Block
- Windows Enable PowerShell Web Access
- GetCurrent User with PowerShell Script Block
- Powershell Processing Stream Of Data
- Detect Certify With PowerShell Script Block Logging
- Detect Empire with PowerShell Script Block Logging
- Powershell Get LocalGroup Discovery with Script Block Logging
- Elevated Group Discovery with PowerView
- Domain Group Discovery with Adsisearcher
- Windows PowerShell Export Certificate
- Detect Mimikatz With PowerShell Script Block Logging
- Windows PowerShell ScheduleTask
- Powershell Using memory As Backing Store
- GetDomainGroup with PowerShell Script Block
- Interactive Session on Remote Endpoint with PowerShell
- GetAdGroup with PowerShell Script Block
- Remote Process Instantiation via WinRM and PowerShell Script Block
- Powershell Fileless Process Injection via GetProcAddress
- Disabled Kerberos Pre-Authentication Discovery With PowerView
- GetWmiObject Ds Computer with PowerShell Script Block
- Disabled Kerberos Pre-Authentication Discovery With Get-ADUser
- Recon AVProduct Through Pwh or WMI
- Windows Gather Victim Host Information Camera
- Windows Domain Account Discovery Via Get-NetComputer
- PowerShell Enable PowerShell Remoting
- Exchange PowerShell Module Usage
- PowerShell Loading DotNET into Memory via Reflection
- Windows PowerShell Disable HTTP Logging
- Get WMIObject Group Discovery with Script Block Logging
- Windows PowerShell Add Module to Global Assembly Cache
- Windows Powershell Import Applocker Policy
- Get-ForestTrust with PowerShell Script Block
- User Discovery With Env Vars PowerShell Script Block
- ServicePrincipalNames Discovery with PowerShell
- Unloading AMSI via Reflection
- Windows PowerShell Invoke-RestMethod IP Information Collection
- Powershell Creating Thread Mutex
- GetLocalUser with PowerShell Script Block
- GetNetTcpconnection with PowerShell Script Block
- Windows ClipBoard Data via Get-ClipBoard
- Remote System Discovery with Adsisearcher
- Kerberos Pre-Authentication Flag Disabled with PowerShell
- Windows Account Discovery With NetUser PreauthNotRequire
- Windows Account Discovery for None Disable User Account
- Windows PowerSploit GPP Discovery
- GetDomainComputer with PowerShell Script Block
- Network Traffic to Active Directory Web Services Protocol
- Microsoft Intune Mobile Apps
- Gsuite Drive Share In External Email
- Excessive Usage Of Cacls App
- Gsuite Suspicious Shared File Name
- Gdrive suspicious file sharing
- Windows Rundll32 WebDav With Network Connection
- ICACLS Grant Command
- Windows WinLogon with Public Network Connection
- Icacls Deny Command
- Modify ACL permission To Files Or Folder
- DLLHost with no Command Line Arguments with Network
- Suspicious Copy on System32
- Detect Renamed WinRAR
- Windows MOVEit Transfer Writing ASPX
- Detect Outbound SMB Traffic
- Windows Files and Dirs Access Rights Modification Via Icacls
- Cobalt Strike Named Pipes
- Windows Hidden Schedule Task Settings
- Non Chrome Process Accessing Chrome Default Dir
2025.06.16
Summary of Changes
Totals: 56 added / 292 modified
Intelligence: 0 added / 0 modified
Detections: 56 added / 291 modified
Threats: 0 added / 0 modified
Attack Scripts: 0 added / 0 modified
Collections: 0 added / 1 modified
Content Added
SnapAttack Subscribers (subscribers only)
- PowerShell FakeCAPTCHA Clipboard Execution
- Cleartext Authentication Protocol Usage
- AWS Defense Evasion Impair Security Services
Chronicle Detection Rules
- Lsass Memory Access By Tool Dump Keyword Name
- Credential Dumping Attempt Via Werfault
- Potential Credential Dumping Activity Via Lsass
- Base64 Encoded Powershell Command Detected
- Finger Exe Execution
- File Download Via Windows Defender Mpcmdrun Exe
- Create Dump Process Dump
- Hacktool Sharp Successor Execution
- Printbrm Zip Creation Or Extraction
- Convertto Securestring Cmdlet Usage Via Commandline
- Lsass Process Memory Dump File Creation Taskmgr
- Potential Lsass Process Dump Via Procdump
- Hacktool Generic Process Access
- Suspicious Invoke Webrequest Execution
- Potential Tampering With Rdp Related Registry Keys Via Reg Exe
- Hacktool Dumpert Process Dumper Default File
- New User Created Via Net Exe
- Pua Nimgrab Execution
- Suspicious Certreq Command To Download
- Lsass Memory Dump Comsvcs Dll
- Hacktool Dumpert Process Dumper Exec
- Powershell Downloadfile
- Hacktool Mimikatz Execution
- Process Memory Dump Via Rdrleakdiag
- Suspicious Download Via Certutil Exe
- Lsass Process Memory Dump File Creation
- Suspicious Curl Exe Download
- Cred Dump Tools Dropped Files
- Potential Cred Dumping Via Lsass Silentprocessexit Technique
- Renamed Createdump Utility Execution
- Potential Remote Powershell Session Initiated
- File Download Using Notepad Plus Plus Gup Utility
- Local Accounts Discovery
- Powershell Web Download
- Suspicious File Downloaded From File Sharing Website Via Certutil Exe
- Lsass Dump Keyword Command Line
- Copy From Or To Admin Share Or Sysvol Folder
- Process Memory Dump Via Comsvcs Dll
Sigma Community Rules
- Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Process Access
- Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Image Load
- Process Execution From WebDAV Share
- Potential Exploitation of RCE Vulnerability CVE-2025-33053
- DNS Query To Common Malware Hosting and Shortener Services
- System Information Discovery via Registry Queries
- HKTL - SharpSuccessor Privilege Escalation Tool Execution
- BITS Client BitsProxy DLL Loaded By Uncommon Process
- Potential Java WebShell Upload in SAP NetViewer Server
- Potential SAP NetViewer Webshell Command Execution
- MSSQL Destructive Query
- RegAsm.EXE Execution Without CommandLine Flags or Files
- System Info Discovery via Sysinfo Syscall
- Special File Creation via Mknod Syscall
- Obfuscated PowerShell MSI Install via WindowsInstaller COM
Content Updated
SnapAttack Community
Chronicle Detection Rules
- Win Short Term Account Use
- Mitre Attack T1021 002 Windows Admin Share With Asset Entity
- Mitre Attack T1021 002 Windows Admin Share Basic
- Google Safebrowsing File Process Creation
- Network Connection First Seen In Past Day
- Gcti Remote Access Tools
- Ip Target Prevalence
- Rw Utilities Associated With Ntdsdit T1003 003
- Vt Relationships File Contacts Ip
- High Risk User Download Executable From Macro
- Vt Relationships File Downloaded From Url
- Win Repeatedauthfailure Thensuccess T1110 001 User Asset Entity
- Recon Environment Enumeration System Cisa Report
- Recon Environment Enumeration Network Cisa Report
- Vt Relationships File Downloaded From Ip
- Gcti Tor Exit Nodes
- Process Launch Vt Enrichment
- Whois Expired Domain Accessed
- O365 Add User To Admin Role
- Recon Environment Enumeration Active Directory Cisa Report
- Hash Prevalence
- Vt Relationships File Contacts Tor Ip
- Vt Relationships File Contacts Domain
- Safebrowsing Process Creation Hashes Seen More Than 7 Days
- Wmic Ntds Dit T1003 003 Cisa Report
- Mitre Attack T1140 Encoded Powershell Command
- Google Safebrowsing File Contacts Tor Exit Node
- Ioc Ip Target
- Mitre Attack T1570 Suspicious Command Psexec
- Recon Successful Logon Enumeration Powershell T1033 Cisa Report
- Rw Mimikatz T1003
- Impacket Wmiexec Cisa Report
- Rw Windows Password Spray T1110 003
- Port Proxy Forwarding T1090 Cisa Report
- Ioc Sha256 Hash
- Google Safebrowsing With Prevalence
- Ioc Hash Prevalence
- Windows Event Log Cleared
- Ioc Sha256 Hash Vt
- Whois Recently Created Domain Access
- Network Http Low Prevalence Domain Access
- Vt Relationships File Executes File
- Win Repeatedauthfailure Thensuccess T1110 001
- Adfs Dkm Key Access
- Geoip User Login From Multiple States Or Countries
- Recon Suspicious Commands Cisa Report
- Ioc Domain Internal Policy
- Ioc Domain C2
- Whoami Execution
- Logins From Terminated Employees
- Mitre Attack T1053 005 Windows Creation Of Scheduled Task
- Gcti Benign Binaries Contacts Tor Exit Node
- Whois Expired Domain Executable Downloaded
- O365 Adpowershell App Login Subsequent Activity
- Mitre Attack T1021 002 Windows Admin Share With User Enrichment
- Recon Credential Theft Cisa Report
- Mitre Attack T1021 002 Windows Admin Share With User Entity
Sigma Community Rules
- Remote Access Tool - AnyDesk Silent Installation
- Remote Access Tool - AnyDesk Incoming Connection
- Potential Amazon SSM Agent Hijacking
- Remote Access Tool - GoToAssist Execution
- Potential SocGholish Second Stage C2 DNS Query
- GoToAssist Temporary Installation Artefact
- Hijack Legit RDP Session to Move Laterally
- Remote Access Tool - NetSupport Execution
- Installation of TeamViewer Desktop
- Potential CSharp Streamer RAT Loading .NET Executable Image
- QuickAssist Execution
- Use of UltraVNC Remote Access Software
- Potential Linux Amazon SSM Agent Hijacking
- Atera Agent Installation
- TeamViewer Remote Session
- DNS Query To Remote Access Software Domain From Non-Browser App
- Remote Access Tool - UltraViewer Execution
- Remote Access Tool - Anydesk Execution From Suspicious Folder
- Remote Access Tool - MeshAgent Command Execution via MeshCentral
- Suspicious Mstsc.EXE Execution With Local RDP File
- Remote Access Tool - ScreenConnect Execution
- Anydesk Temporary Artefact
- Potential Remote Desktop Connection to Non-Domain Host
- Remote Access Tool - Action1 Arbitrary Code Execution and Remote Sessions
- TacticalRMM Service Installation
- Antivirus Exploitation Framework Detection
- Mstsc.EXE Execution With Local RDP File
- HackTool - Inveigh Execution Artefacts
- Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution
- Suspicious Binary Writes Via AnyDesk
- DNS Query To AzureWebsites.NET By Non-Browser Process
- TeamViewer Domain Query By Non-TeamViewer Application
- HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators
- Mesh Agent Service Installation
- Remote Access Tool - Simple Help Execution
- Remote Access Tool - AnyDesk Piped Password Via CLI
- Suspicious TSCON Start as SYSTEM
- Remote Access Tool - LogMeIn Execution
- ScreenConnect Temporary Installation Artefact
- Remote Access Tool - AnyDesk Execution
- Task Scheduler DLL Loaded By Application Located In Potentially Suspicious Location
- CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry
- APT40 Dropbox Tool User Agent
- New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet
- LSASS Access From Program In Potentially Suspicious Folder
- Ursnif Malware C2 URL Pattern
- Headless Process Launched Via Conhost.EXE
- Potential BOINC Software Execution (UC-Berkeley Signature)
- Ursnif Malware Download URL Pattern
- Malicious PowerShell Scripts - FileCreation
- Chafer Malware URL Pattern
- FlowCloud Registry Markers
- Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection
- Dfsvc.EXE Initiated Network Connection Over Uncommon Port
- ComRAT Network Communication
- Malicious PowerShell Commandlets - PoshModule
- Malicious PowerShell Scripts - PoshModule
- Suspicious Windows Defender Registry Key Tampering Via Reg.EXE
- Disable Internal Tools or Feature in Registry
- HackTool - LaZagne Execution
- MSHTA Execution with Suspicious File Extensions
- System Owner or User Discovery - Linux
- Suspicious Double Extension File Execution
- Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall
- Suspicious Double Extension Files
- Local Groups Discovery - Linux
- Webshell Remote Command Execution
- Disable ASLR Via Personality Syscall - Linux
- Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image
- Audio Capture
- Access of Sudoers File Content
- Remote DCOM/WMI Lateral Movement
- F5 BIG-IP iControl Rest API Command Execution - Webserver
- Remote Access Tool Services Have Been Installed - Security
- Potentially Suspicious ASP.NET Compilation Via AspNetCompiler
- PowerShell Web Access Installation - PsScript
- Deployment Deleted From Kubernetes Cluster
- DNS Query Request By QuickAssist.EXE
- PUA - Crassus Execution
- Suspicious External WebDAV Execution
- Credential Dumping Attempt Via Svchost
- Base64 Encoded PowerShell Command Detected
- DPAPI Backup Keys And Certificate Export Activity IOC
- Suspicious Download from Office Domain
- Rare Subscription-level Operations In Azure
- Remote Server Service Abuse for Lateral Movement
- Creation of an Executable by an Executable
- MMC20 Lateral Movement
- PowerShell Core DLL Loaded By Non PowerShell Process
- Renamed Powershell Under Powershell Channel
- Kubernetes Secrets Enumeration
- AspNetCompiler Execution
- Remote Schedule Task Lateral Movement via ATSvc
- Container With A hostPath Mount Created
- Github Repository/Organization Transferred
- AddinUtil.EXE Execution From Uncommon Directory
- Suspicious WSMAN Provider Image Loads
- Privileged Container Deployed
- Amsi.DLL Load By Uncommon Process
- Potential System DLL Sideloading From Non System Locations
- Antivirus Ransomware Detection
- Potential PowerShell Obfuscation Via WCHAR/CHAR
- Writing Of Malicious Files To The Fonts Folder
- Potential Remote Command Execution In Pod Container
- AWS SAML Provider Deletion Activity
- Remote Registry Lateral Movement
- Setuid and Setgid
- Potential Sidecar Injection Into Running Deployment
- Remote Schedule Task Lateral Movement via SASec
- HackTool - Impacket Tools Execution
- Data Export From MSSQL Table Via BCP.EXE
- HackTool - LittleCorporal Generated Maldoc Injection
- WMI Module Loaded By Uncommon Process
- Potential DLL Sideloading Of MsCorSvc.DLL
- Octopus Scanner Malware
- Live Memory Dump Using Powershell
- Suspicious Process By Web Server Process
- Rundll32 UNC Path Execution
- Potential Malicious Usage of CloudTrail System Manager
- OpenCanary - FTP Login Attempt
- Github Fork Private Repositories Setting Enabled/Cleared
- Bitbucket User Login Failure Via SSH
- File Decoded From Base64/Hex Via Certutil.EXE
- Loaded Module Enumeration Via Tasklist.EXE
- Interesting Service Enumeration Via Sc.EXE
- Hacktool Execution - Imphash
- Potentially Suspicious ODBC Driver Registered
- Wmiexec Default Output File
- PUA - Advanced IP/Port Scanner Update Check
- Psexec Execution
- Node Process Executions
- RBAC Permission Enumeration Attempt
- Remote PowerShell Session Host Process (WinRM)
- Portable Gpg.EXE Execution
- Remote Schedule Task Recon via ITaskSchedulerService
- Uncommon Connection to Active Directory Web Services
- Azure Kubernetes Sensitive Role Access
- HackTool - TruffleSnout Execution
- HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-Secretsdump
- Important Windows Event Auditing Disabled
- Buffer Overflow Attempts
- Cisco Modify Configuration
- MSI Installation From Web
- PetitPotam Suspicious Kerberos TGT Request
- Azure Container Registry Created or Deleted
- Okta Suspicious Activity Reported by End-user
- Start of NT Virtual DOS Machine
- Recon Activity via SASec
- Remote Encrypting File System Abuse
- Azure Kubernetes Network Policy Change
- Remote Event Log Recon
- Remote Printing Abuse for Lateral Movement
- Publicly Accessible RDP Service
- Azure Kubernetes Secret or Config Object Access
- Connection Proxy
- Turla Group Named Pipes
- PaperCut MF/NG Potential Exploitation
- Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted
- Suspicious Log Entries
- Possible DCSync Attack
- Mstsc.EXE Execution From Uncommon Parent
- Remote Registry Recon
- Space After Filename
- HackTool - SharpView Execution
- AWS IAM S3Browser Templated S3 Bucket Policy Creation
- Remote File Copy
- Azure Kubernetes Cluster Created or Deleted
- Win Susp Computer Name Containing Samtheadmin
- Suspicious Microsoft Office Child Process
- Potential CVE-2021-26084 Exploitation Attempt
- SharpHound Recon Sessions
- SharpHound Recon Account Discovery
- HackTool - SysmonEnte Execution
- Remote Server Service Abuse
- MSSQL Extended Stored Procedure Backdoor Maggie
- Potential CVE-2023-23397 Exploitation Attempt - SMB
- Cscript/Wscript Potentially Suspicious Child Process
- Esentutl Gather Credentials
- Azure Kubernetes Service Account Modified or Deleted
- Remote Schedule Task Recon via AtScv
- Remote Schedule Task Lateral Movement via ITaskSchedulerService
- Potential DLL Sideloading Of DbgModel.DLL
- Potential Raspberry Robin Aclui Dll SideLoading
- Kubernetes CronJob/Job Modification
- PDF File Created By RegEdit.EXE
- Remote Thread Creation By Uncommon Source Image
- BitLockerTogo.EXE Execution
- Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure
- Potential Exploitation of CVE-2024-37085 - Suspicious Creation Of ESX Admins Group
- Rare Remote Thread Creation By Uncommon Source Image
- Access To Windows Credential History File By Uncommon Applications
- Process Launched Without Image Name
- Microsoft Word Add-In Loaded
- Kubernetes Rolebinding Modification
- Potential Raspberry Robin Registry Set Internet Settings ZoneMap
- Renamed Microsoft Teams Execution
- Forest Blizzard APT - File Creation Activity
- Clipboard Data Collection Via Pbpaste
- Kubernetes Admission Controller Modification
- Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group Activity
- Potential APT FIN7 Exploitation Activity
- Network Connection Initiated To AzureWebsites.NET By Non-Browser Process
- Microsoft Teams Sensitive File Access By Uncommon Applications
- Access To Potentially Sensitive Sysvol Files By Uncommon Applications
- Remote Thread Created In Shell Application
- Credential Manager Access By Uncommon Applications
- Access To Chromium Browsers Sensitive Files By Uncommon Applications
- Potential DLL Sideloading Of MpSvc.DLL
- Access To .Reg/.Hive Files By Uncommon Applications
- Github Secret Scanning Feature Disabled
- Access To Windows Outlook Mail Files By Uncommon Applications
- Access To Crypto Currency Wallets By Uncommon Applications
- Remote Thread Creation In Uncommon Target Image
- Remote Access Tool - Cmd.EXE Execution via AnyViewer
- Access To Browser Credential Files By Uncommon Applications
- Powershell Executed From Headless ConHost Process
- Renamed BOINC Client Execution
- Kubernetes Secrets Modified or Deleted
- Remote Access Tool - Ammy Admin Agent Execution
- Access To Windows DPAPI Master Keys By Uncommon Applications
- Unattend.XML File Access Attempt
- Github SSH Certificate Configuration Changed
- System File Execution Location Anomaly
- Directory Service Restore Mode(DSRM) Registry Value Tampering
Splunk
- Protocols passing authentication in cleartext
- O365 Concurrent Sessions From Different Ips
- Protocol or Port Mismatch
- Detect Outbound SMB Traffic
- TOR Traffic
- Detect Outbound LDAP Traffic
- Windows Sensitive Registry Hive Dump Via CommandLine
- Internal Horizontal Port Scan
- Internal Vertical Port Scan
- Internal Horizontal Port Scan NMAP Top 20
2025.06.02
Summary of Changes
Totals: 24 added / 96 modified
Intelligence: 0 added / 0 modified
Detections: 24 added / 95 modified
Threats: 0 added / 0 modified
Attack Scripts: 0 added / 0 modified
Collections: 0 added / 1 modified
Content Added
Chronicle Detection Rules
Sigma Community Rules
- Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall
- Potential Abuse of Linux Magic System Request Key
- Disable ASLR Via Personality Syscall - Linux
- HackTool - Impacket File Indicators
- Suspicious Deno File Written from Remote Source
- Suspicious File Access to Browser Credential Storage
- Registry Export of Third-Party Credentials
- DNS Query To Katz Stealer Domains
- Katz Stealer DLL Loaded
- DNS Query To Katz Stealer Domains - Network
- Katz Stealer Suspicious User-Agent
- Potential AS-REP Roasting via Kerberos TGT Requests
- Crash Dump Created By Operating System
- PUA - AdFind.EXE Execution
- Potential Exploitation of CVE-2025-4427/4428 Ivanti EPMM Pre-Auth RCE
Splunk
- Windows PowerShell FakeCAPTCHA Clipboard Execution
- Cisco Secure Firewall - High Priority Intrusion Classification
- Cisco Secure Firewall - Intrusion Events by Threat Activity
- Cisco Secure Firewall - Lumma Stealer Activity
- Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity
- Cisco Secure Firewall - Lumma Stealer Download Attempt
- Cisco Secure Firewall - Lumma Stealer Outbound Connection Attempt
Content Updated
SnapAttack Community
Sigma Community Rules
- MSSQL Server Failed Logon From External Network
- Enumeration for 3rd Party Creds From CLI
- ESXi VM List Discovery Via ESXCLI
- Audio Capture
- ESXi Network Configuration Discovery Via ESXCLI
- ESXi VSAN Information Discovery Via ESXCLI
- ESXi Account Creation Via ESXCLI
- ESXi VM Kill Via ESXCLI
- ESXi Admin Permission Assigned To Account Via ESXCLI
- ESXi System Information Discovery Via ESXCLI
- ESXi Syslog Configuration Change Via ESXCLI
- ESXi Storage Information Discovery Via ESXCLI
- Data Compressed
- Hidden Flag Set On File/Directory Via Chflags - MacOS
- Suspicious Windows Service Tampering
- Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script
- DNS Query Request By QuickAssist.EXE
- Powershell Executed From Headless ConHost Process
- Periodic Backup For System Registry Hives Enabled
- Renamed AdFind Execution
- MSSQL Server Failed Logon
- Kapeka Backdoor Loaded Via Rundll32.EXE
- Creation Of Pod In System Namespace
- Blue Mockingbird - Registry
- Potential Kapeka Decrypted Backdoor Indicator
- Potentially Suspicious Rundll32.EXE Execution of UDL File
- Atera Agent Installation
- Potential Malicious Usage of CloudTrail System Manager
- Browser Started with Remote Debugging
- Potential SMB Relay Attack Tool Execution
- Kapeka Backdoor Autorun Persistence
- Suspicious Remote Child Process From Outlook
- DSInternals Suspicious PowerShell Cmdlets
- Remote Access Tool Services Have Been Installed - System
- Renamed BrowserCore.EXE Execution
- Possible DC Shadow Attack
- HTTP Logging Disabled On IIS Server
- Kapeka Backdoor Scheduled Task Creation
- Hypervisor Enforced Paging Translation Disabled
- OpenCanary - HTTPPROXY Login Attempt
- HackTool - SharpDPAPI Execution
- Active Directory Certificate Services Denied Certificate Enrollment Request
- HackTool - CrackMapExec File Indicators
- Outlook EnableUnsafeClientMailRules Setting Enabled
- Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process
- Local Privilege Escalation Indicator TabTip
- Disk Image Mounting Via Hdiutil - MacOS
- CrashControl CrashDump Disabled
- Kapeka Backdoor Execution Via RunDLL32.EXE
- DPAPI Backup Keys And Certificate Export Activity IOC
- Communication To LocaltoNet Tunneling Service Initiated
- Hacktool Ruler
- Potential Data Stealing Via Chromium Headless Debugging
- Suspicious Curl File Upload - Linux
- Hiding User Account Via SpecialAccounts Registry Key - CommandLine
- Connection Proxy
- Silenttrinity Stager Msbuild Activity
- HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators
- Kapeka Backdoor Persistence Activity
- Potential CSharp Streamer RAT Loading .NET Executable Image
- Okta New Admin Console Behaviours
- PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE
- Insensitive Subfolder Search Via Findstr.EXE
- Suspicious SQL Query
- DSInternals Suspicious PowerShell Cmdlets - ScriptBlock
- Kapeka Backdoor Configuration Persistence
- Potential Discovery Activity Via Dnscmd.EXE
- HackTool - RemoteKrbRelay Execution
- Potential Windows Defender Tampering Via Wmic.EXE
- Hypervisor Enforced Code Integrity Disabled
- Windows Event Log Access Tampering Via Registry
- Kubernetes Events Deleted
- Windows LAPS Credential Dump From Entra ID
- CVE-2023-1389 Potential Exploitation Attempt - Unauthenticated Command Injection In TP-Link Archer AX21
- Potential PetitPotam Attack Via EFS RPC Calls
- Uncommon Outbound Kerberos Connection - Security
- Mount Execution With Hidepid Parameter
- Remote File Download Via Findstr.EXE
- New Kubernetes Service Account Created
- Communication To LocaltoNet Tunneling Service Initiated - Linux
- Registry Entries For Azorult Malware
- Outbound Network Connection Initiated By Microsoft Dialer
- Suspicious Use of CSharp Interactive Console
- ETW Logging/Processing Option Disabled On IIS Server
- DNS Query To AzureWebsites.NET By Non-Browser Process
- Hacktool Execution - PE Metadata
- Office Application Initiated Network Connection Over Uncommon Ports
- Admin User Remote Logon
- COM Object Hijacking Via Modification Of Default System CLSID Default Value
- Recon Command Output Piped To Findstr.EXE
Splunk
- Windows Renamed Powershell Execution
- Windows Process Commandline Discovery
- Schtasks scheduling job on remote system
- Ping Sleep Batch Command
- Windows MSIExec DLLRegisterServer
2025.05.19
Summary of Changes
Totals: 7 added / 148 modified
Intelligence: 0 added / 0 modified
Detections: 7 added / 147 modified
Threats: 0 added / 0 modified
Attack Scripts: 0 added / 0 modified
Collections: 0 added / 1 modified
Content Added
Chronicle Detection Rules
Microsoft Sentinel
Sigma Community Rules
Splunk
- Windows Renamed Powershell Execution
- First Time Seen Child Process of Zoom
- MacOS AMOS Stealer - Virtual Machine Check Activity
- Windows AD Replication Request Initiated from Unsanctioned Location
Content Updated
SnapAttack Community
LOLDrivers
- Malicious Driver Load By Name
- Vulnerable Driver Load (sha1)
- Malicious Driver Load Despite HVCI (sha256)
- Malicious Driver Load Despite HVCI (sha1)
- Vulnerable Driver Load (sha256)
- Vulnerable Driver Load (md5)
- Malicious Driver Load (sha1)
- Malicious Driver Load (md5)
- Vulnerable Driver Load Despite HVCI (sha1)
- Vulnerable Driver Load Despite HVCI (sha256)
- Malicious Driver Load Despite HVCI (md5)
- Vulnerable Driver Load By Name
- Vulnerable Driver Load Despite HVCI (md5)
- Malicious Driver Load (sha256)
Microsoft Sentinel
- Multiple Teams deleted by a single user
- Files uploaded to teams and access summary
- Mail redirect via ExO transport rule
- Anomalous access to other users' mailboxes
- SharePointFileOperation via clientIP with previously unseen user agents
- SharePointFileOperation via devices with previously unseen user agents
- User made Owner of multiple teams
- Office Mail Forwarding - Hunting Version
- Bots added to multiple teams
- Exes with double file extension and access summary
- External user from a new organisation added to Teams
- Windows Reserved Filenames staged on Office file services
- Previously unseen bot or application added to Teams
- New Windows Reserved Filenames staged on Office file services
- User added to Teams and immediately uploads file
- Multiple users email forwarded to same destination
- PowerShell or non-browser mailbox login activity
- New Admin account activity seen which was not seen historically
- External user added and removed in a short timeframe
- SharePointFileOperation via previously unseen IPs
- Non-owner mailbox login activity
- TI map Domain entity to Dns Events (ASIM DNS Schema)
- TI map IP entity to Web Session Events (ASIM Web Session schema)
Sigma Community Rules
- VMMap Unsigned Dbghelp.DLL Potential Sideloading
- DLL Names Used By SVR For GraphicalProton Backdoor
- Potential ShellDispatch.DLL Sideloading
- Potential Antivirus Software DLL Sideloading
- Potential Python DLL SideLoading
- Potential DLL Sideloading Via JsSchHlp
- Potential Wazuh Security Platform DLL Sideloading
- Potential PlugX Activity
- UAC Bypass With Fake DLL
- Potential SolidPDFCreator.DLL Sideloading
- Diamond Sleet APT DLL Sideloading Indicators
- Suspicious Unsigned Thor Scanner Execution
- Potential RjvPlatform.DLL Sideloading From Non-Default Location
- Potential Vivaldi_elf.DLL Sideloading
- Microsoft Defender Blocked from Loading Unsigned DLL
- Malicious DLL File Dropped in the Teams or OneDrive Folder
- Potential CCleanerReactivator.DLL Sideloading
- New DNS ServerLevelPluginDll Installed
- Potential DLL Sideloading Of DBGHELP.DLL
- Third Party Software DLL Sideloading
- DHCP Server Error Failed Loading the CallOut DLL
- DNS Server Error Failed Loading the ServerLevelPluginDLL
- Renamed Vmnat.exe Execution
- Tasks Folder Evasion
- Potential WWlib.DLL Sideloading
- Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE
- Potential EACore.DLL Sideloading
- New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE
- Potential Mpclient.DLL Sideloading
- Aruba Network Service Potential DLL Sideloading
- VMMap Signed Dbghelp.DLL Potential Sideloading
- Potential DLL Sideloading Of Non-Existent DLLs From System Folders
- Potential AVKkid.DLL Sideloading
- Potential DLL Sideloading Via VMware Xfer
- DHCP Callout DLL Installation
- APT27 - Emissary Panda Activity
- Potential 7za.DLL Sideloading
- Potential Iviewers.DLL Sideloading
- Unsigned Module Loaded by ClickOnce Application
- Potential DLL Sideloading Via DeviceEnroller.EXE
- Potential Edputil.DLL Sideloading
- Potential Chrome Frame Helper DLL Sideloading
- Microsoft Office DLL Sideload
- Potential Mfdetours.DLL Sideloading
- DHCP Server Loaded the CallOut DLL
- Unsigned Mfdetours.DLL Sideloading
- Potential Rcdll.DLL Sideloading
- Potential Raspberry Robin Aclui Dll SideLoading
- Potential Goopdate.DLL Sideloading
- Potential Mpclient.DLL Sideloading Via Defender Binaries
- Potential System DLL Sideloading From Non System Locations
- Lazarus APT DLL Sideloading Activity
- Potential DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE
- VMGuestLib DLL Sideload
- Unsigned Binary Loaded From Suspicious Location
- Potential DLL Sideloading Of MpSvc.DLL
- Potential RoboForm.DLL Sideloading
- DLL Sideloading by VMware Xfer Utility
- Potential DLL Sideloading Of MsCorSvc.DLL
- Potential Libvlc.DLL Sideloading
- Potential RjvPlatform.DLL Sideloading From Default Location
- Potential CCleanerDU.DLL Sideloading
- Potential DLL Sideloading Via comctl32.dll
- Winnti Malware HK University Campaign
- Potential Azure Browser SSO Abuse
- Potential DLL Sideloading Via ClassicExplorer32.dll
- Fax Service DLL Search Order Hijack
- Winnti Pipemon Characteristics
- Potential appverifUI.DLL Sideloading
- Xwizard.EXE Execution From Non-Default Location
- DLL Search Order Hijacking Via Additional Space in Path
- Potentially Suspicious Child Process of KeyScrambler.exe
- Creation Of Non-Existent System DLL
- Potential SmadHook.DLL Sideloading
- Suspicious GUP Usage
- DLL Sideloading Of ShellChromeAPI.DLL
- Potential DLL Sideloading Of DbgModel.DLL
- Potential DLL Sideloading Of DBGCORE.DLL
- Potential Waveedit.DLL Sideloading
- Suspicious Powershell In Registry Run Keys
- Suspicious Run Key from Download
- Potential Persistence Attempt Via Run Keys Using Reg.EXE
- Potentially Suspicious WDAC Policy File Creation
- New RUN Key Pointing to Suspicious Folder
- Suspicious PowerShell Invocations - Specific
- Direct Autorun Keys Modification
- Suspicious PowerShell Invocations - Specific - PowerShell Module
Splunk
- Suspicious mshta child process
- Executables Or Script Creation In Temp Path
- CMD Carry Out String Command Parameter
- Windows Cmdline Tool Execution From Non-Shell Process
- Executables Or Script Creation In Suspicious Path
- Windows Replication Through Removable Media
- PowerShell Loading DotNET into Memory via Reflection
- SAP NetWeaver Visual Composer Exploitation Attempt
- Windows Eventlog Cleared Via Wevtutil
- Windows EventLog Recon Activity Using Log Query Utilities
- Fsutil Zeroing File
- Windows File Download Via CertUtil
- MacOS - Re-opened Applications
- Linux Auditd System Network Configuration Discovery
- Linux Auditd Data Transfer Size Limits Via Split Syscall
- Linux Auditd Kernel Module Enumeration
- Linux Auditd Whoami User Discovery
- Linux Auditd At Application Execution
- Linux Auditd Doas Tool Execution
- Linux Auditd Insert Kernel Module Using Insmod Utility
- Linux Auditd Kernel Module Using Rmmod Utility
- Linux Auditd Edit Cron Table Parameter
- Linux Auditd Install Kernel Module Using Modprobe Utility
2025.05.05
Summary of Changes
Totals: 16 added / 136 modified
Intelligence: 0 added / 0 modified
Detections: 12 added / 131 modified
Threats: 0 added / 0 modified
Attack Scripts: 4 added / 4 modified
Collections: 0 added / 1 modified
Content Added
Atomic Red Team
- Block Cybersecurity communication by leveraging Windows Name Resolution Policy Table
- Azure - Create Snapshot from Managed Disk
- AWS - Create Snapshot from EBS Volume
- GCP - Create Snapshot from Persistent Disk
Chronicle Detection Rules
- Hacktool Ironsharp Pack Execution
- Win Pua Detection Of Uncommon Rmm
- Hacktool Winpeas Execution Patterns
- Hacktool Purpleknight Execution
- Win Susp Or Malicious Service Created
Splunk
- Windows Eventlog Cleared Via Wevtutil
- Windows File Download Via CertUtil
- Windows EventLog Recon Activity Using Log Query Utilities
- SAP NetWeaver Visual Composer Exploitation Attempt
- Detect Outlook exe writing a zip file
- Windows MSC EvilTwin Directory Path Manipulation
- Windows PowerShell Invoke-RestMethod IP Information Collection
Content Updated
SnapAttack Subscribers (subscribers only)
SnapAttack Community
Atomic Red Team
- DLL Side-Loading using the dotnet startup hook environment variable
- DLL Search Order Hijacking, DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE
- DLL Side-Loading using the Notepad++ GUP.exe binary
- New-Inbox Rule to Hide E-mail in M365
Microsoft Sentinel
- TI map IP entity to Azure Key Vault logs
- TI Map IP Entity to DnsEvents
- TI Map IP Entity to Azure SQL Security Audit Events
- TI Map URL Entity to SecurityAlert Data
- TI map Domain entity to Cloud App Events
- TI map Email entity to Cloud App Events
- TI map IP entity to AppServiceHTTPLogs
- TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)
- TI map Email entity to SecurityEvent
- TI map IP entity to AzureFirewall
- TI Map IP Entity to Duo Security
- TI map Email entity to AzureActivity
- TI Map Domain Entity to DeviceNetworkEvents
- TI map URL entity to Cloud App Events
- TI map IP entity to Workday(ASimAuditEventLogs)
- TI Map URL Entity to UrlClickEvents
- TI map IP entity to OfficeActivity
- TI map Email entity to EmailEvents
- TI Map IP Entity to SigninLogs
- TI Map IP Entity to AzureActivity
- TI map IP entity to Cloud App Events
- TI map Domain entity to Dns Events (ASIM DNS Schema)
- TI Map IP Entity to VMConnection
- TI map Email entity to OfficeActivity
- TI Map IP Entity to DeviceNetworkEvents
- TI map Email entity to SigninLogs
- TI Map IP Entity to W3CIISLog
- TI map IP entity to AWSCloudTrail
- TI Map URL Entity to DeviceNetworkEvents
- TI Map IP Entity to CommonSecurityLog
- TI map IP entity to GitHub_CL
- TI map File Hash to CommonSecurityLog Event
- TI map Domain entity to Syslog
- TI map Domain entity to DnsEvents
- TI map Email entity to PaloAlto CommonSecurityLog
- TI map Domain entity to Web Session Events (ASIM Web Session schema)
- TI map Email entity to SecurityAlert
- TI map File Hash to Security Event
- Semperis DSP Operations Critical Notifications
- Samsung Knox - Application Privilege Escalation or Change Events
- Samsung Knox - Password Lockout Events
- Samsung Knox - Security Log Full Events
- Samsung Knox - Peripheral Access Detection with Camera Events
- Samsung Knox - Suspicious URL Accessed Events
- Samsung Knox - Peripheral Access Detection with Mic Events
Sigma Community Rules
- Chopper Webshell Process Pattern
- Suspicious DumpMinitool Execution
- HackTool - XORDump Execution
- Bitbucket User Permissions Export Attempt
- SharpHound Recon Sessions
- HackTool - winPEAS Execution
- Exports Critical Registry Keys To a File
- DumpMinitool Execution
- HackTool - HandleKatz Duplicating LSASS Handle
- Webshell Hacking Activity Patterns
- Webshell Detection With Command Line Keywords
- Procdump Execution
- Exports Registry Key To a File
- CreateDump Process Dump
- HackTool - SharpUp PrivEsc Tool Execution
- Potential SysInternals ProcDump Evasion
- Renamed CreateDump Utility Execution
Splunk
- Detection of tools built by NirSoft
- Windows User Execution Malicious URL Shortcut File
- CHCP Command Execution
- Windows Process With NamedPipe CommandLine
- Suspicious wevtutil Usage
- Protocols passing authentication in cleartext
- System Processes Run From Unexpected Locations
- Check Elevated CMD using whoami
- Windows Query Registry Browser List Application
- Excessive number of taskhost processes
- Windows AdFind Exe
- Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint
- Cisco Secure Firewall - High Volume of Intrusion Events Per Host
- Cisco Secure Firewall - Potential Data Exfiltration
- Cisco Secure Firewall - File Download Over Uncommon Port
- Cisco Secure Firewall - Bits Network Activity
- CrushFTP Authentication Bypass Exploitation
- Cisco Secure Firewall - Wget or Curl Download
- Cisco Secure Firewall - Communication Over Suspicious Ports
- Cisco Secure Firewall - Binary File Type Download
- CrushFTP Max Simultaneous Users From IP
- Cisco Secure Firewall - Blocked Connection
- Cisco Secure Firewall - Possibly Compromised Host
- Cisco Secure Firewall - Malware File Downloaded
- Cisco Secure Firewall - Repeated Malware Downloads
- Cisco Secure Firewall - Snort Rule Triggered Across Multiple Hosts
- Cisco Secure Firewall - Rare Snort Rule Triggered
- Cisco Secure Firewall - Repeated Blocked Connections
- Windows Shell Process from CrushFTP
- Cisco Secure Firewall - Connection to File Sharing Domain
- Cisco Secure Firewall - High EVE Threat Confidence
- Windows WMIC Shadowcopy Delete
- AWS Bedrock Delete Knowledge Base
- AWS Bedrock Invoke Model Access Denied
- AWS Bedrock High Number List Foundation Model Failures
- AWS Bedrock Delete Model Invocation Logging Configuration
- AWS Bedrock Delete GuardRails
- DLLHost with no Command Line Arguments with Network
- Windows Masquerading Explorer As Child Process
- Outbound Network Connection from Java Using Default Ports
- Windows Office Product Dropped Cab or Inf File
- Windows HTTP Network Communication From MSIExec
- Windows InstallUtil Remote Network Connection
- Windows DLL Side-Loading Process Child Of Calc
- Suspicious WAV file in Appdata Folder
- Windows WinLogon with Public Network Connection
- GPUpdate with no Command Line Arguments with Network
- Msmpeng Application DLL Side Loading
- Suspicious Image Creation In Appdata Folder
- Windows Deleted Registry By A Non Critical Process File Path
- Spoolsv Writing a DLL
- Java Writing JSP File
- Suspicious writes to windows Recycle Bin
- Unknown Process Using The Kerberos Protocol
- Windows InstallUtil Uninstall Option with Network
- SearchProtocolHost with no Command Line with Network
- Windows Phishing Outlook Drop Dll In FORM Dir
- Windows Office Product Dropped Uncommon File
- Rundll32 with no Command Line Arguments with Network
- Windows Defacement Modify Transcodedwallpaper File
- MSI Module Loaded by Non-System Binary
- Windows Unsigned DLL Side-Loading
- Windows Unsigned DLL Side-Loading In Same Process Path
- Windows DLL Side-Loading In Calc
- Windows Unsigned MS DLL Side-Loading
- Windows SqlWriter SQLDumper DLL Sideload
- Windows Known GraphicalProton Loaded Modules
2025.04.21
Summary of Changes
Totals: 36 added / 148 modified
Intelligence: 0 added / 0 modified
Detections: 30 added / 144 modified
Threats: 0 added / 0 modified
Attack Scripts: 6 added / 3 modified
Collections: 0 added / 1 modified
Content Added
Atomic Red Team
- Azure - Functions code upload - Functions code injection via File Share modification to retrieve the Functions identity access token
- Azure - Enumerate Storage Account Objects via Shared Key authorization using Azure CLI
- Azure - Dump Azure Storage Account Objects via Azure CLI
- Azure - Functions code upload - Functions code injection via Blob upload
- Replace Magnify.exe (Magnifier binary) with cmd.exe
- Replace Narrator.exe (Narrator binary) with cmd.exe
Sigma Community Rules
- Suspicious CrushFTP Child Process
- Suspicious Process Spawned by CentreStack Portal AppPool
- Suspicious LNK Command-Line Padding with Whitespace Characters
- Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock
Splunk
- Windows WMIC Shadowcopy Delete
- CrushFTP Max Simultaneous Users From IP
- Windows Shell Process from CrushFTP
- CrushFTP Authentication Bypass Exploitation
- AWS Bedrock High Number List Foundation Model Failures
- AWS Bedrock Delete GuardRails
- AWS Bedrock Delete Model Invocation Logging Configuration
- AWS Bedrock Delete Knowledge Base
- AWS Bedrock Invoke Model Access Denied
- Cisco Secure Firewall - Malware File Downloaded
- Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint
- Cisco Secure Firewall - Snort Rule Triggered Across Multiple Hosts
- Cisco Secure Firewall - File Download Over Uncommon Port
- Cisco Secure Firewall - Wget or Curl Download
- Cisco Secure Firewall - Connection to File Sharing Domain
- Cisco Secure Firewall - Blocked Connection
- Cisco Secure Firewall - High Volume of Intrusion Events Per Host
- Cisco Secure Firewall - High EVE Threat Confidence
- Cisco Secure Firewall - Potential Data Exfiltration
- Cisco Secure Firewall - Possibly Compromised Host
- Cisco Secure Firewall - Communication Over Suspicious Ports
- Cisco Secure Firewall - Rare Snort Rule Triggered
- Cisco Secure Firewall - Repeated Blocked Connections
- Cisco Secure Firewall - Repeated Malware Downloads
- Cisco Secure Firewall - Binary File Type Download
- Cisco Secure Firewall - Bits Network Activity
Content Updated
SnapAttack Subscribers (subscribers only)
SnapAttack Community
Atomic Red Team
- Mshta Executes Remote HTML Application (HTA)
- Use PsExec to execute a command on a remote host
- Install root CA on Debian/Ubuntu
Microsoft Sentinel
- Network Port Sweep from External Network (ASIM Network Session schema)
- TI map IP entity to Web Session Events (ASIM Web Session schema)
- SAP ETD - Login from unexpected network
- SAP ETD - Synch alerts
- Azure DevOps Agent Pool Created Then Deleted
- Azure DevOps Retention Reduced
- Azure DevOps - Build Deleted After Pipeline Modification
- NRT Azure DevOps Audit Stream Disabled
- Azure DevOps - New Package Feed Created
- Azure DevOps - New Release Pipeline Created
- Azure DevOps - New PAT Operation
- Azure DevOps- Guest users access enabled
- Azure DevOps Pipeline modified by a new user
- New PA, PCA, or PCAS added to Azure DevOps
- Azure DevOps Display Name Changes
- Azure DevOps- Project visibility changed to public
- Azure DevOps- Public project enabled by admin
- Azure DevOps - Build Check Deleted
- Azure DevOps - New Agent Pool Created
- Azure DevOps Pull Request Policy Bypassing - Historic allow list
- Dataverse - Audit logging disabled
- Azure DevOps Audit Detection for known malicious tooling
- Azure DevOps Audit Stream Disabled
- Azure DevOps Variable Secret Not Secured
- New Agent Added to Pool by New User or Added to a New OS Type
- Azure DevOps Build Variable Modified by New User
- Azure DevOps Pipeline Created and Deleted on the Same Day
- Azure DevOps- Microsoft Entra ID Protection Conditional Access Disabled
- Azure DevOps Service Connection Abuse
- Azure DevOps Administrator Group Monitoring
- Azure DevOps Personal Access Token (PAT) misuse
- Azure DevOps Service Connection Addition/Abuse - Historic allow list
- Azure DevOps PAT used with Browser
- Azure DevOps New Extension Added
- Azure DevOps- Additional Org Admin added
- Azure DevOps - Variable Created and Deleted
- Azure DevOps- Public project created
- External Upstream Source Added to Azure DevOps Feed
- Azure DevOps - Internal Upstream Package Feed Added
- Azure DevOps - New Release Approver
- Azure DevOps Pull Request Policy Bypassing
- Anomalous sign-in location by user account and authenticating application
Sigma Community Rules
- Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC
- Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1
- Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4
- Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2
- Hiding User Account Via SpecialAccounts Registry Key - CommandLine
- Obfuscated PowerShell OneLiner Execution
- Scheduled Task Executing Encoded Payload from Registry
- Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3
- Potential Tampering With RDP Related Registry Keys Via Reg.EXE
- LSASS Process Reconnaissance Via Findstr.EXE
- Potential Suspicious Browser Launch From Document Reader Process
- Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted
- File Download Via Nscurl - MacOS
- Time Machine Backup Disabled Via Tmutil - MacOS
- New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE
- DarkGate - Drop DarkGate Loader In C:\Temp Directory
- Windows Recall Feature Enabled Via Reg.EXE
- Potentially Suspicious Malware Callback Communication - Linux
- Windows Recall Feature Enabled - Registry
- Potential Binary Impersonating Sysinternals Tools
- Sensitive File Dump Via Wbadmin.EXE
- New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet - ScriptBlock
- Uncommon File Creation By Mysql Daemon Process
- Network Connection Initiated To Cloudflared Tunnels Domains
- Potential Product Class Reconnaissance Via Wmic.EXE
- Potentially Suspicious Child Process of KeyScrambler.exe
- System Information Discovery Via Sysctl - MacOS
- Network Communication Initiated To Portmap.IO Domain
- New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application
- Launch Agent/Daemon Execution Via Launchctl
- Uncommon Process Access Rights For Target Image
- Suspicious Eventlog Clear
- Sensitive File Recovery From Backup Via Wbadmin.EXE
- Potentially Suspicious Usage Of Qemu
- UAC Secure Desktop Prompt Disabled
- Potential Adplus.EXE Abuse
- File Recovery From Backup Via Wbadmin.EXE
- Suspicious Eventlog Clearing or Configuration Change Activity
- Suspicious External WebDAV Execution
- Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock
- Time Machine Backup Deletion Attempt Via Tmutil - MacOS
- Potential Browser Data Stealing
- New File Exclusion Added To Time Machine Via Tmutil - MacOS
- UAC Notification Disabled
- Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location
- Potential CVE-2023-23397 Exploitation Attempt - SMB
- AWS New Lambda Layer Attached
- Potential Binary Or Script Dropper Via PowerShell
- Whoami.EXE Execution Anomaly
- Python Initiated Connection
- Potential WinAPI Calls Via CommandLine
- Conhost Spawned By Uncommon Parent Process
- Elevated System Shell Spawned From Uncommon Parent Location
- Buffer Overflow Attempts
- Elevated System Shell Spawned
- Windows Processes Suspicious Parent Directory
Splunk
- Windows Registry Payload Injection
- Windows RunMRU Command Execution
- Windows Explorer LNK Exploit Process Launch With Padding
- Detect Large ICMP Traffic
- Tomcat Session File Upload Attempt
- Windows MSTSC RDP Commandline
- Windows Remote Host Computer Management Access
- Web Servers Executing Suspicious Processes
- 3CX Supply Chain Attack Network Indicators
- Tomcat Session Deserialization Attempt
- Detect HTML Help Spawn Child Process
- Windows SSH Proxy Command
- Windows Explorer.exe Spawning PowerShell or Cmd
- Wermgr Process Connecting To IP Check Web Services
- Windows ConsoleHost History File Deletion
- Windows Process Injection into Commonly Abused Processes
- Windows Gather Victim Network Info Through Ip Check Web Services
- Windows Multi hop Proxy TOR Website Query
- Rundll32 DNSQuery
- Suspicious Process With Discord DNS Query
- Windows DNS Query Request by Telegram Bot API
- Windows Spearphishing Attachment Connect To None MS Office Domain
- Windows Abused Web Services
- Suspicious Process DNS Query Known Abuse Web Services
- Windows AD Self DACL Assignment
- Windows AD Dangerous Group ACL Modification
- Windows AD Suspicious Attribute Modification
- Windows AD GPO Deleted
- Windows AD add Self to Group
- Windows Firewall Rule Added
- Windows AD Dangerous User ACL Modification
- Windows AD Dangerous Deny ACL Modification
- Windows AD Hidden OU Creation
- Windows AD DCShadow Privileges ACL Addition
- Windows Powershell History File Deletion
- Windows Firewall Rule Modification
- Windows AD Object Owner Updated
- Windows AD Domain Root ACL Deletion
- Windows AD Suspicious GPO Modification
- Windows AD GPO Disabled
- Windows Firewall Rule Deletion
- Windows AD Domain Root ACL Modification
- Windows Increase in User Modification Activity
- Windows AD GPO New CSE Addition
- Windows Increase in Group or Object Modification Activity
2025.04.07
Summary of Changes
Totals: 143 added / 1197 modified
Intelligence: 0 added / 0 modified
Detections: 142 added / 1196 modified
Threats: 1 added / 0 modified
Attack Scripts: 0 added / 0 modified
Collections: 0 added / 1 modified
Content Added
SnapAttack Subscribers (subscribers only)
Chronicle Detection Rules
- O365 Onedrive Anonymous File Accessed
- Gcp Kms Decryption By Unexpected Service Account
- Gcp Identity Low And Medium Severity Alert Escalation
Leonidas
- Get GuardDuty Detector
- Delete login profile for existing user
- Cloudtrail change destination bucket
- Cloudtrail delete trail
- Cloudtrail remove SNS topic
- Add a policy to a group
- Add an entity to an IAM role assumption policy
- Create service account
- Change default policy version
- Create Secret in Secrets Manager
- Cloudtrail disable global event logging
- Add an IAM User to a Group
- Add an existing role to a new EC2 instance
- Exec into Container
- Privileged Container
- Add a policy to a role
- Add an IAM User
- Access Application Credentials from ConfigMaps
- Access Secret in Secrets Manager
- Create Policy
- Delete Secret in Secrets Manager
- Delete IAM Role
- Cloudtrail disable multi-region logging
- Add a policy to a user
- Change Password for Current User
- Enumerate WAF Rules
- Delete service account
- List Secrets in Secrets Manager
- Enumerate IAM groups
- Enumerate VPC Flow Logs
- Access Secrets from API Server
- STS Get Caller Identity
- Delete deployment
- Enumerate nodes
- Delete Events
- Add API key to existing IAM user
- Delete IAM group
- Enumerate IAM Permissions with GetAccountAuthorizationDetails
- Cloudtrail disable log file validation
- Add new guardduty ip set
- Create login profile for existing user
- Modify Lambda Function Code
- Writeable hostPath Mount
- List GuardDuty Detectors
- Create New Policy Version
- Application Credentials from Environment Variables
- Update Inline Policy for User
- Update login profile for existing user
- Delete pod
- Cloudtrail alter encryption configuration
- Create pod
- Enumerate IAM users
- Enumerate Cloudtrails for a Given Region
- Pod Name Similarity
- Attach a Malicious Lambda Layer
- Enumerate pods
- Create IAM group
- List Own Permissions
- Access Secrets from Pod
- Update guardduty ip set
- Sidecar Injection
- Delete IAM Policy
- Delete IAM user
- Delete AWS Config Rule
Microsoft Sentinel
- TI map Domain entity to Web Session Events (ASIM Web Session schema)
- TI map Email entity to EmailEvents
- TI Map File Entity to Security Event
- TI map File Hash to CommonSecurityLog Event
- TI Map URL Entity to EmailUrlInfo
- TI map Domain entity to PaloAlto
- TI Map File Entity to Syslog Event
- TI Map URL Entity to OfficeActivity Data [Deprecated]
- TI map Email entity to SecurityAlert
- TI map Email entity to SecurityEvent
- TI map Email entity to AzureActivity
- TI Map URL Entity to AuditLogs
- TI map Email entity to SigninLogs
- TI map Domain entity to Dns Events (ASIM DNS Schema)
- TI Map URL Entity to UrlClickEvents
- TI Map URL Entity to PaloAlto Data
- TI map Domain entity to Syslog
- TI map IP entity to AWSCloudTrail
- TI map File Hash to Security Event
- TI map IP entity to DNS Events (ASIM DNS schema)
- Preview - TI map Domain entity to Cloud App Events
- TI map IP entity to GitHub_CL
- TI map File Hash to DeviceFileEvents Event
- TI Map IP Entity to SigninLogs
- TI Map IP Entity to W3CIISLog
- TI Map IP Entity to VMConnection
- TI Map Domain Entity to DeviceNetworkEvents
- TI map IP entity to Network Session Events (ASIM Network Session schema)
- TI Map File Entity to VMConnection Event
- TI map Domain entity to PaloAlto CommonSecurityLog
- TI map IP entity to Web Session Events (ASIM Web Session schema)
- TI map Domain entity to EmailEvents
- TI map IP entity to Azure Key Vault logs
- TI map Domain entity to EmailUrlInfo
- TI Map IP Entity to Duo Security
- TI Map IP Entity to Azure SQL Security Audit Events
- TI map IP entity to AzureFirewall
- TI Map File Entity to OfficeActivity Event
- TI map Email entity to OfficeActivity
- TI Map URL Entity to DeviceNetworkEvents
- TI Map URL Entity to Syslog Data
- TI map IP entity to AppServiceHTTPLogs
- Preview - TI map File Hash entity to Cloud App Events
- TI Map URL Entity to SecurityAlert Data
- TI map IP entity to OfficeActivity
- TI map Email entity to PaloAlto CommonSecurityLog
- Preview - TI map URL entity to Cloud App Events
- TI Map IP Entity to DeviceNetworkEvents
- TI Map IP Entity to CommonSecurityLog
- TI Map IP Entity to DnsEvents
- TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)
- TI Map IP Entity to AzureActivity
- TI Map File Entity to WireData Event
- TI map IP entity to Workday(ASimAuditEventLogs)
- TI map Domain entity to DnsEvents
- Preview - TI map Email entity to Cloud App Events
- Preview - TI map IP entity to Cloud App Events
- TI map Domain entity to SecurityAlert
Splunk
- Windows MSTSC RDP Commandline
- Windows Remote Host Computer Management Access
- Windows ConsoleHost History File Deletion
- Windows Firewall Rule Modification
- Windows Firewall Rule Added
- Windows Powershell History File Deletion
- Windows Firewall Rule Deletion
- IcedID Exfiltrated Archived File Creation
- Excessive Usage of NSLOOKUP App
- Excessive Usage Of SC Service Utility
- Tomcat Session File Upload Attempt
- Windows Explorer.exe Spawning PowerShell or Cmd
- Windows Explorer LNK Exploit Process Launch With Padding
- Tomcat Session Deserialization Attempt
- Windows SSH Proxy Command
- Detect Large ICMP Traffic
- Windows Process Injection into Commonly Abused Processes
Content Updated
SnapAttack Subscribers (subscribers only)
SnapAttack Community
Chronicle Detection Rules
- O365 Login Activity To Azure Ad Powershell App
- Entra Id Expired Refresh Token Use
- Entra Id Add User To Admin Role
- O365 File Download
- O365 Onedrive Anonymous Link Accessed
- Entra Id Secret Added To App
- O365 Admin Login Activity To Uncommon Mscloud Apps
- Entra Id Admin Login Activity To Uncommon Mscloud Apps
- O365 Persistent Login Activity To Azure Adpowershell App
- O365 Recently Created Entra Id User Assigned Roles
- Entra Id Add User Outside Pim
- O365 Logging Enabled
- O365 Entra Id Client Secret Add Update Delete In App
- O365 Onedrive Anonymous Filedownload
- O365 Logging Disabled
- Entra Id Conditional Access Policy Modification
- Entra Id Login Activity To Uncommon Mscloud Apps
- Entra Id Recently Created User Assigned Entra Id Roles
- O365 Onedrive Anonymous Link Created Updated
- O365 Login Activity To Uncommon Mscloud Apps
LOLDrivers
- Malicious Driver Load By Name
- Vulnerable Driver Load (sha1)
- Malicious Driver Load (md5)
- Vulnerable Driver Load (md5)
- Malicious Driver Load Despite HVCI (sha1)
- Malicious Driver Load (sha256)
- Vulnerable Driver Load Despite HVCI (md5)
- Malicious Driver Load Despite HVCI (md5)
- Malicious Driver Load (sha1)
- Vulnerable Driver Load Despite HVCI (sha1)
- Vulnerable Driver Load By Name
- Vulnerable Driver Load (sha256)
- Malicious Driver Load Despite HVCI (sha256)
- Vulnerable Driver Load Despite HVCI (sha256)
Microsoft Sentinel
- Generate alerts based on ExtraHop detections recommended for triage
- Jamf Protect - Alerts
- Jamf Protect - Unified Logs
- Jamf Protect - Network Threats
- User Sign in from different countries
- Potential Password Spray Attack
Splunk
- Ransomware Notes bulk creation
- WMIC XSL Execution via URL
- Windows Modify Registry DisAllow Windows App
- Linux OpenVPN Privilege Escalation
- Linux Possible Append Command To At Allow Config File
- Linux Iptables Firewall Modification
- Linux GDB Privilege Escalation
- Windows Impair Defense Define Win Defender Threat Action
- Windows MSIExec Spawn Discovery Command
- Windows Information Discovery Fsutil
- Windows Privilege Escalation User Process Spawn System Process
- Windows Impair Defense Deny Security Software With Applocker
- Windows MsiExec HideWindow Rundll32 Execution
- Linux System Network Discovery
- Windows Screen Capture in TEMP folder
- Remote System Discovery with Dsquery
- Windows Impair Defense Disable PUA Protection
- Suspicious mshta child process
- Rundll32 Shimcache Flush
- SLUI RunAs Elevated
- Suspicious MSBuild Rename
- Unknown Process Using The Kerberos Protocol
- Windows Steal Authentication Certificates Export PfxCertificate
- Windows Debugger Tool Execution
- Potential System Network Configuration Discovery Activity
- Windows Disable Notification Center
- Windows DISM Remove Defender
- Screensaver Event Trigger Execution
- Registry Keys for Creating SHIM Databases
- Network Connection Discovery With Arp
- DSQuery Domain Discovery
- Linux Deletion Of Cron Jobs
- PowerShell Start-BitsTransfer
- Windows Snake Malware File Modification Crmlog
- Windows Known Abused DLL Created
- Suspicious Rundll32 no Command Line Arguments
- Windows Proxy Via Registry
- Okta Multiple Users Failing To Authenticate From Ip
- Disable AMSI Through Registry
- WBAdmin Delete System Backups
- Windows Office Product Spawned Control
- Disabling Windows Local Security Authority Defences via Registry
- Detect MSHTA Url in Command Line
- Windows Disable or Modify Tools Via Taskkill
- Windows Impair Defense Disable Defender Protocol Recognition
- Detect Renamed RClone
- Windows Modify Registry ValleyRat PWN Reg Entry
- Windows Global Object Access Audit List Cleared Via Auditpol
- Windows Process Injection In Non-Service SearchIndexer
- Unload Sysmon Filter Driver
- Linux APT Privilege Escalation
- Detect HTML Help URL in Command Line
- Windows Change Default File Association For No File Ext
- Windows Curl Upload to Remote Destination
- LOLBAS With Network Traffic
- Disable ETW Through Registry
- Remote Desktop Network Traffic
- Malicious PowerShell Process With Obfuscation Techniques
- Linux Deletion Of Init Daemon Script
- Disable Defender Submit Samples Consent Feature
- GetDomainGroup with PowerShell
- Linux At Allow Config File Creation
- Hunting 3CXDesktopApp Software
- Internal Vertical Port Scan
- Windows Impair Defenses Disable Win Defender Auto Logging
- Windows Schtasks Create Run As System
- Suspicious SearchProtocolHost no Command Line Arguments
- Windows Cisco Secure Endpoint Uninstall Immunet Service Via Sfc
- Spoolsv Spawning Rundll32
- Windows Modify Registry DontShowUI
- Linux Service File Created In Systemd Directory
- Windows Remote Service Rdpwinst Tool Execution
- Linux Possible Cronjob Modification With Editor
- Windows System Remote Discovery With Query
- Windows Masquerading Explorer As Child Process
- Windows WMI Process And Service List
- Suspicious Rundll32 StartW
- Linux NOPASSWD Entry In Sudoers File
- Windows SubInAcl Execution
- Remote Process Instantiation via WMI
- Windows Archive Collected Data via Rar
- Windows Deleted Registry By A Non Critical Process File Path
- NET Profiler UAC bypass
- Revil Common Exec Parameter
- Windows Scheduled Task with Highest Privileges
- Suspicious microsoft workflow compiler usage
- Linux Account Manipulation Of SSH Config and Keys
- Okta Suspicious Use of a Session Cookie
- Windows Impair Defense Change Win Defender Tracing Level
- Linux Composer Privilege Escalation
- Windows Registry SIP Provider Modification
- Windows Defacement Modify Transcodedwallpaper File
- 7zip CommandLine To SMB Share Path
- Add or Set Windows Defender Exclusion
- Windows Security Account Manager Stopped
- Create or delete windows shares using net exe
- Suspicious IcedID Rundll32 Cmdline
- Windows System User Privilege Discovery
- Linux Obfuscated Files or Information Base64 Decode
- Windows System File on Disk
- Linux Shred Overwrite Command
- Detect RClone Command-Line Usage
- GetNetTcpconnection with PowerShell
- Get ADDefaultDomainPasswordPolicy with Powershell
- Detect hosts connecting to dynamic domain providers
- Windows Mimikatz Binary Execution
- System User Discovery With Query
- Windows Service Stop By Deletion
- Windows Indicator Removal Via Rmdir
- Samsam Test File Write
- Windows Audit Policy Disabled via Legacy Auditpol
- WSReset UAC Bypass
- Windows DisableAntiSpyware Registry
- Disable Defender BlockAtFirstSeen Feature
- Executables Or Script Creation In Temp Path
- Windows BitLocker Suspicious Command Usage
- Windows Ingress Tool Transfer Using Explorer
- Disabling Defender Services
- Windows System Reboot CommandLine
- Windows Diskshadow Proxy Execution
- Windows Office Product Spawned Child Process For Download
- Linux Cpulimit Privilege Escalation
- Windows AdFind Exe
- Detect Regasm with no Command Line Arguments
- Windows Service Create with Tscon
- Remcos RAT File Creation in Remcos Folder
- Windows Password Managers Discovery
- Disable Show Hidden Files
- Windows Rundll32 Apply User Settings Changes
- Excessive number of taskhost processes
- Network Discovery Using Route Windows App
- Linux Curl Upload File
- Windows Impair Defense Disable Win Defender Network Protection
- Windows Modify Registry Disable WinDefender Notifications
- Linux Possible Access To Sudoers File
- Windows Impair Defense Disable Win Defender Compute File Hashes
- Recursive Delete of Directory In Batch CMD
- Suspicious Curl Network Connection
- Process Kill Base On File Path
- Linux File Created In Kernel Driver Directory
- Windows Modify Registry MaxConnectionPerServer
- Windows Indirect Command Execution Via pcalua
- Windows Modify Registry Regedit Silent Reg Import
- Windows Java Spawning Shells
- Windows Modify Registry UpdateServiceUrlAlternate
- Windows Remote Access Software Hunt
- Windows Remote Assistance Spawning Process
- Detect PsExec With accepteula Flag
- Detect Rundll32 Application Control Bypass - syssetup
- Windows User Disabled Via Net
- Windows New Service Security Descriptor Set Via Sc.EXE
- Suspicious Reg exe Process
- Windows MSIExec DLLRegisterServer
- Windows Disable Shutdown Button Through Registry
- Impacket Lateral Movement smbexec CommandLine Parameters
- CHCP Command Execution
- Windows Command Shell DCRat ForkBomb Payload
- Windows Outlook WebView Registry Modification
- Windows Modify Registry Disable Restricted Admin
- Windows System Time Discovery W32tm Delay
- Linux Busybox Privilege Escalation
- GPUpdate with no Command Line Arguments with Network
- Windows Snake Malware Registry Modification wav OpenWithProgIds
- Detect Rundll32 Application Control Bypass - advpack
- System Info Gathering Using Dxdiag Application
- Windows Modify Registry to Add or Modify Firewall Rule
- Get ADUserResultantPasswordPolicy with Powershell
- Rundll32 LockWorkStation
- Windows Modify Registry Disable Windows Security Center Notif
- Windows CertUtil Download With URL Argument
- Web Servers Executing Suspicious Processes
- Detect Regasm Spawning a Process
- Linux MySQL Privilege Escalation
- Windows User Deletion Via Net
- Windows Remote Services Allow Remote Assistance
- Windows Process With NetExec Command Line Parameters
- Windows Odbcconf Hunting
- Monitor Registry Keys for Print Monitors
- Linux Setuid Using Chmod Utility
- Process Execution via WMI
- 3CX Supply Chain Attack Network Indicators
- Ntdsutil Export NTDS
- Get-DomainTrust with PowerShell
- Linux System Reboot Via System Request Key
- Windows Audit Policy Disabled via Auditpol
- Windows Office Product Spawned MSDT
- Windows Group Discovery Via Net
- Windows Privilege Escalation Suspicious Process Elevation
- Linux Decode Base64 to Shell
- Windows Impair Defense Disable Win Defender Gen reports
- Linux Stop Services
- Linux PHP Privilege Escalation
- Detect Password Spray Attack Behavior On User
- Linux GNU Awk Privilege Escalation
- Windows Service Initiation on Remote Endpoint
- Windows Office Product Spawned Rundll32 With No DLL
- Windows Autostart Execution LSASS Driver Registry Modification
- Domain Account Discovery with Dsquery
- Windows Disable LogOff Button Through Registry
- Detection of tools built by NirSoft
- Windows Process Execution in Temp Dir
- Uninstall App Using MsiExec
- Prevent Automatic Repair Mode using Bcdedit
- Linux Sudoers Tmp File Creation
- Windows Registry Entries Exported Via Reg
- Unusually Long Command Line
- Windows Credentials from Password Stores Creation
- Batch File Write to System32
- Network Traffic to Active Directory Web Services Protocol
- Dump LSASS via procdump
- Windows Modify Show Compress Color And Info Tip Registry
- Linux c89 Privilege Escalation
- Add DefaultUser And Password In Registry
- Windows Steal Authentication Certificates CertUtil Backup
- Windows Mshta Execution In Registry
- WinRAR Spawning Shell Application
- Windows Curl Download to Suspicious Path
- Enable RDP In Other Port Number
- Windows Modify Registry DisableSecuritySettings
- Ping Sleep Batch Command
- Windows DNS Gather Network Info
- Disable Security Logs Using MiniNt Registry
- Windows Binary Proxy Execution Mavinject DLL Injection
- Windows System Discovery Using Qwinsta
- Linux apt-get Privilege Escalation
- Executables Or Script Creation In Suspicious Path
- Get-ForestTrust with PowerShell
- Windows Process With NamedPipe CommandLine
- Windows Remote Services Allow Rdp In Firewall
- Disable Defender Enhanced Notification
- Rundll32 Control RunDLL Hunt
- Windows Impair Defense Change Win Defender Health Check Intervals
- Winhlp32 Spawning a Process
- Linux Csvtool Privilege Escalation
- Windows Disable Windows Group Policy Features Through Registry
- Logon Script Event Trigger Execution
- Suspicious MSBuild Spawn
- Windows Boot or Logon Autostart Execution In Startup Folder
- Windows LSA Secrets NoLMhash Registry
- System User Discovery With Whoami
- GetWmiObject Ds Group with PowerShell
- Linux Kernel Module Enumeration
- Windows IIS Components Add New Module
- Windows Modify Registry ProxyEnable
- Linux Preload Hijack Library Calls
- Detect Exchange Web Shell
- Linux Possible Append Command To Profile Config File
- Windows RDP File Execution
- Windows Mimikatz Crypto Export File Extensions
- Domain Account Discovery with Wmic
- Active Setup Registry Autostart
- Detect Renamed 7-Zip
- Rubeus Command Line Parameters
- Windows Time Based Evasion
- Windows Modify Registry LongPathsEnabled
- Schtasks scheduling job on remote system
- Remote Process Instantiation via WinRM and PowerShell
- Detect Rundll32 Inline HTA Execution
- Windows Command and Scripting Interpreter Path Traversal Exec
- Linux DD File Overwrite
- Windows NirSoft Utilities
- Certutil exe certificate extraction
- Windows Excessive Service Stop Attempt
- Spoolsv Writing a DLL
- Okta Suspicious Activity Reported
- Notepad with no Command Line Arguments
- Regsvr32 with Known Silent Switch Cmdline
- Linux Possible Access To Credential Files
- Windows Impair Defenses Disable Auto Logger Session
- Windows System Network Config Discovery Display DNS
- Windows Phishing PDF File Executes URL Link
- Jscript Execution Using Cscript App
- Detect suspicious processnames using pretrained model in DSDL
- Potential Telegram API Request Via CommandLine
- Internal Horizontal Port Scan NMAP Top 20
- Windows Suspect Process With Authentication Traffic
- CertUtil Download With URLCache and Split Arguments
- Disable Windows App Hotkeys
- Windows MOF Event Triggered Execution via WMI
- Domain Controller Discovery with Wmic
- Windows Cached Domain Credentials Reg Query
- Linux Change File Owner To Root
- Windows Registry Payload Injection
- Windows Cmdline Tool Execution From Non-Shell Process
- Suspicious microsoft workflow compiler rename
- Fsutil Zeroing File
- Linux Ingress Tool Transfer with Curl
- Windows Office Product Spawned Uncommon Process
- Windows Findstr GPP Discovery
- Windows LOLBAS Executed As Renamed File
- Get DomainUser with PowerShell
- Clop Common Exec Parameter
- Malicious PowerShell Process - Execution Policy Bypass
- Check Elevated CMD using whoami
- Okta Multiple Accounts Locked Out
- Windows Default Group Policy Object Modified with GPME
- Linux Indicator Removal Clear Cache
- Dump LSASS via comsvcs DLL
- Remcos client registry install entry
- Okta New API Token Created
- Wsmprovhost LOLBAS Execution Process Spawn
- Windows Office Product Dropped Cab or Inf File
- Windows Files and Dirs Access Rights Modification Via Icacls
- Detect RTLO In File Name
- Windows Impair Defense Add Xml Applocker Rules
- Windows MSIExec Unregister DLLRegisterServer
- Execution of File with Multiple Extensions
- Linux Clipboard Data Copy
- Windows Disable Memory Crash Dump
- Windows InstallUtil Remote Network Connection
- Detect RTLO In Process
- Linux Doas Tool Execution
- Suspicious mshta spawn
- Windows Archived Collected Data In TEMP Folder
- Runas Execution in CommandLine
- Linux High Frequency Of File Deletion In Etc Folder
- Schtasks Run Task On Demand
- Windows System Shutdown CommandLine
- Windows ConHost with Headless Argument
- Windows File and Directory Enable ReadOnly Permissions
- Excessive distinct processes from Windows Temp
- Excessive Usage Of Taskkill
- Powershell Disable Security Monitoring
- Scheduled Task Creation on Remote Endpoint using At
- Wmic NonInteractive App Uninstallation
- Bcdedit Command Back To Normal Mode Boot
- Windows Credentials in Registry Reg Query
- Regsvr32 Silent and Install Param Dll Loading
- Windows Time Based Evasion via Choice Exec
- Windows Hide Notification Features Through Registry
- Windows Remote Services Rdp Enable
- Windows Masquerading Msdtc Process
- Detect SharpHound File Modifications
- Windows Registry BootExecute Modification
- Disabling ControlPanel
- Windows Audit Policy Excluded Category via Auditpol
- GetCurrent User with PowerShell
- Linux SSH Authorized Keys Modification
- Windows COM Hijacking InprocServer32 Modification
- Registry Keys Used For Privilege Escalation
- Creation of Shadow Copy with wmic and powershell
- Linux Deletion Of Services
- System Processes Run From Unexpected Locations
- Windows InstallUtil URL in Command Line
- Windows Steal Authentication Certificates Export Certificate
- Ryuk Test Files Detected
- FodHelper UAC Bypass
- Windows Suspicious Child Process Spawned From WebServer
- Windows Unusual SysWOW64 Process Run System32 Executable
- Email files written outside of the Outlook directory
- Windows Service Create Kernel Mode Driver
- Suspicious Rundll32 dllregisterserver
- Reg exe Manipulating Windows Services Registry Keys
- Remote Process Instantiation via DCOM and PowerShell
- Linux Service Started Or Enabled
- Windows Njrat Fileless Storage via Registry
- Windows Registry Delete Task SD
- Linux Java Spawning Shell
- ICACLS Grant Command
- Windows File Without Extension In Critical Folder
- Allow File And Printing Sharing In Firewall
- Local Account Discovery With Wmic
- Get WMIObject Group Discovery
- Windows Compatibility Telemetry Suspicious Child Process
- Detect Certify Command Line Arguments
- Windows Registry Dotnet ETW Disabled Via ENV Variable
- Windows Attempt To Stop Security Service
- Suspicious Image Creation In Appdata Folder
- Windows RunMRU Command Execution
- Okta ThreatInsight Threat Detected
- Attacker Tools On Endpoint
- Detect Password Spray Attempts
- Domain Group Discovery With Dsquery
- Okta Unauthorized Access to Application
- Windows Network Share Interaction Via Net
- Windows Modify Registry NoChangingWallPaper
- Windows DiskCryptor Usage
- Shim Database File Creation
- Malicious PowerShell Process - Encoded Command
- Okta Successful Single Factor Authentication
- Windows Indirect Command Execution Via Series Of Forfiles
- Windows Defender Exclusion Registry Entry
- Windows Remote Desktop Network Bruteforce Attempt
- Linux Sqlite3 Privilege Escalation
- Windows Modify Registry Tamper Protection
- Windows Server Software Component GACUtil Install to GAC
- Remote Desktop Process Running On System
- Disable Logs Using WevtUtil
- Wmiprsve LOLBAS Execution Process Spawn
- Linux RPM Privilege Escalation
- Windows LOLBAS Executed Outside Expected Path
- Process Creating LNK file in Suspicious Location
- Windows Registry Certificate Added
- Windows System LogOff Commandline
- Windows Parent PID Spoofing with Explorer
- Permission Modification using Takeown App
- Windows System Binary Proxy Execution Compiled HTML File Decompile
- Linux Stdout Redirection To Dev Null File
- Windows Modify Registry EnableLinkedConnections
- Windows Audit Policy Restored via Auditpol
- Ryuk Wake on LAN Command
- Excessive Attempt To Disable Services
- Linux Doas Conf File Creation
- Windows Powershell RemoteSigned File
- Windows Sqlservr Spawning Shell
- WinRM Spawning a Process
- Linux Possible Ssh Key File Creation
- Windows Impair Defense Change Win Defender Throttle Rate
- Time Provider Persistence Registry
- Windows SOAPHound Binary Execution
- Windows Service Execution RemCom
- Windows System User Discovery Via Quser
- SilentCleanup UAC Bypass
- Modify ACL permission To Files Or Folder
- Windows Credentials from Web Browsers Saved in TEMP Folder
- Linux Ingress Tool Transfer Hunting
- TOR Traffic
- Common Ransomware Notes
- Windows Cisco Secure Endpoint Stop Immunet Service Via Sfc
- DNS Query Length With High Standard Deviation
- Windows Modify System Firewall with Notable Process Path
- GetWmiObject DS User with PowerShell
- Detect Rare Executables
- Windows NirSoft AdvancedRun
- Windows AD DSRM Account Changes
- Java Writing JSP File
- Linux At Application Execution
- Verclsid CLSID Execution
- Resize ShadowStorage volume
- Domain Group Discovery With Wmic
- Linux Edit Cron Table Parameter
- Windows PowerShell Process With Malicious String
- Windows Admin Permission Discovery
- GetAdComputer with PowerShell
- Vbscript Execution Using Wscript App
- Linux Add Files In Known Crontab Directories
- Windows DISM Install PowerShell Web Access
- Suspicious Scheduled Task from Public Directory
- Windows Replication Through Removable Media
- Suspicious Rundll32 PluginInit
- Windows Modify Registry Auto Minor Updates
- Windows Remote Create Service
- Windows InstallUtil Uninstall Option with Network
- Allow Network Discovery In Firewall
- PowerShell - Connect To Internet With Hidden Window
- Windows DLL Side-Loading Process Child Of Calc
- Icacls Deny Command
- Detect Renamed WinRAR
- Detect Regsvr32 Application Control Bypass
- Windows Modify Registry Disable RDP
- Windows Impair Defenses Disable HVCI
- Windows File and Directory Permissions Enable Inheritance
- Script Execution via WMI
- Okta Multiple Failed MFA Requests For User
- Linux Make Privilege Escalation
- Suspicious Linux Discovery Commands
- W3WP Spawning Shell
- Windows Create Local Administrator Account Via Net
- Scheduled Task Deleted Or Created via CMD
- Windows Excessive Usage Of Net App
- ConnectWise ScreenConnect Path Traversal
- Windows Remote Access Software RMS Registry
- Malicious InProcServer32 Modification
- Windows Modify Registry Suppress Win Defender Notif
- Detect HTML Help Using InfoTech Storage Handlers
- BITSAdmin Download File
- Detect HTML Help Renamed
- Windows Modify Registry wuStatusServer
- Detect AzureHound File Modifications
- Windows Modify Registry Qakbot Binary Data Registry
- Suspicious Copy on System32
- File with Samsam Extension
- Suspicious wevtutil Usage
- Linux Node Privilege Escalation
- Allow Inbound Traffic By Firewall Rule Registry
- Linux Data Destruction Command
- Detect Rundll32 Application Control Bypass - setupapi
- Windows Impair Defense Configure App Install Control
- Linux File Creation In Profile Directory
- Disabling Firewall with Netsh
- Windows Impair Defense Disable Defender Firewall And Network
- Suspicious Process Executed From Container File
- Scheduled Task Initiation on Remote Endpoint
- Windows New Deny Permission Set On Service SD Via Sc.EXE
- Windows ScManager Security Descriptor Tampering Via Sc.EXE
- Network Connection Discovery With Netstat
- Common Ransomware Extensions
- Windows MSIExec Spawn WinDBG
- Windows Phishing Recent ISO Exec Registry
- Firewall Allowed Program Enable
- CSC Net On The Fly Compilation
- SearchProtocolHost with no Command Line with Network
- Allow Operation with Consent Admin
- Windows Audit Policy Security Descriptor Tampering via Auditpol
- Rundll32 Control RunDLL World Writable Directory
- GetDomainComputer with PowerShell
- Enable WDigest UseLogonCredential Registry
- Windows USBSTOR Registry Key Modification
- Windows Process Commandline Discovery
- Possible Lateral Movement PowerShell Spawn
- Disabling SystemRestore In Registry
- Disable Registry Tool
- Windows Password Policy Discovery with Net
- Windows Regsvr32 Renamed Binary
- Windows Service Stop Attempt
- GetLocalUser with PowerShell
- Windows Impair Defense Disable Controlled Folder Access
- Windows Registry Entries Restored Via Reg
- Linux Find Privilege Escalation
- Hide User Account From Sign-In Screen
- Windows Impair Defense Delete Win Defender Profile Registry
- Windows System Network Connections Discovery Netsh
- Windows Credential Dumping LSASS Memory Createdump
- Detect mshta renamed
- Hiding Files And Directories With Attrib exe
- Windows Impair Defense Override SmartScreen Prompt
- Windows Security Support Provider Reg Query
- Windows Audit Policy Cleared via Auditpol
- Windows Scheduled Task Service Spawned Shell
- Detect mshta inline hta execution
- Overwriting Accessibility Binaries
- Registry Keys Used For Persistence
- Linux Docker Privilege Escalation
- Credential Dumping via Symlink to Shadow Copy
- CMD Echo Pipe - Escalation
- Detect Regsvcs with No Command Line Arguments
- Windows UAC Bypass Suspicious Escalation Behavior
- Windows Odbcconf Load DLL
- Nishang PowershellTCPOneLine
- System Information Discovery Detection
- MSBuild Suspicious Spawned By Script Process
- Windows Impair Defense Disable Win Defender Report Infection
- Detect Prohibited Applications Spawning cmd exe
- Windows Modify Registry Do Not Connect To Win Update
- Any Powershell DownloadFile
- Windows Process Executed From Removable Media
- Windows Sensitive Group Discovery With Net
- Suspicious Regsvr32 Register Suspicious Path
- Windows System Discovery Using ldap Nslookup
- Linux c99 Privilege Escalation
- Windows Service Creation on Remote Endpoint
- Windows BitLockerToGo Process Execution
- Windows Service Creation Using Registry Entry
- Windows Office Product Dropped Uncommon File
- Linux Proxy Socks Curl
- Windows Impair Defense Disable Win Defender App Guard
- Detect Password Spray Attack Behavior From Source
- Linux Possible Access Or Modification Of sshd Config File
- Remote WMI Command Attempt
- BITS Job Persistence
- Headless Browser Mockbin or Mocky Request
- Windows Protocol Tunneling with Plink
- Disable Defender AntiVirus Registry
- Disabling FolderOptions Windows Feature
- Windows Steal or Forge Kerberos Tickets Klist
- Windows HTTP Network Communication From MSIExec
- Windows InstallUtil in Non Standard Path
- Windows Bypass UAC via Pkgmgr Tool
- Msmpeng Application DLL Side Loading
- Linux Visudo Utility Execution
- Windows Apache Benchmark Binary
- Detect Use of cmd exe to Launch Script Interpreters
- GetWmiObject Ds Computer with PowerShell
- Ngrok Reverse Proxy on Network
- XSL Script Execution With WMIC
- Windows Credentials from Password Stores Query
- Sdelete Application Execution
- Wscript Or Cscript Suspicious Child Process
- Get DomainPolicy with Powershell
- Detect SharpHound Usage
- Process Writing DynamicWrapperX
- Windows Network Connection Discovery Via Net
- Windows Modify Registry With MD5 Reg Key Name
- Windows Rasautou DLL Execution
- CertUtil Download With VerifyCtl and Split Arguments
- BCDEdit Failure Recovery Modification
- Impacket Lateral Movement Commandline Parameters
- Windows Modify Registry USeWuServer
- Linux pkexec Privilege Escalation
- Linux Ngrok Reverse Proxy Usage
- Windows DotNet Binary in Non Standard Path
- Windows Disable Windows Event Logging Disable HTTP Logging
- Windows Enable Win32 ScheduledJob via Registry
- Windows Alternate DataStream - Process Execution
- Schtasks used for forcing a reboot
- Credential Dumping via Copy Command from Shadow Copy
- Detect Renamed PSExec
- ETW Registry Disabled
- Linux Gem Privilege Escalation
- Windows Cisco Secure Endpoint Unblock File Via Sfc
- Curl Download and Bash Execution
- Windows WinDBG Spawning AutoIt3
- Esentutl SAM Copy
- GetWmiObject User Account with PowerShell
- Detect Outbound SMB Traffic
- Disable Windows Behavior Monitoring
- Windows Sensitive Registry Hive Dump Via CommandLine
- Domain Controller Discovery with Nltest
- Detect Outbound LDAP Traffic
- DNS Exfiltration Using Nslookup App
- Windows Delete or Modify System Firewall
- Set Default PowerShell Execution Policy To Unrestricted or Bypass
- Linux Insert Kernel Module Using Insmod Utility
- Detect Regsvcs Spawning a Process
- Windows Service Deletion In Registry
- Revil Registry Entry
- Windows Modify Registry Utilize ProgIDs
- Linux Indicator Removal Service File Deletion
- Wermgr Process Spawned CMD Or Powershell Process
- Linux Unix Shell Enable All SysRq Functions
- USN Journal Deletion
- Windows Impair Defense Disable Win Defender Scan On Update
- Windows WMI Process Call Create
- CMD Carry Out String Command Parameter
- Auto Admin Logon Registry Entry
- Windows Modify Registry AuthenticationLevelOverride
- Windows Impair Defense Disable Win Defender Signature Retirement
- Windows Indirect Command Execution Via forfiles
- Windows Ldifde Directory Object Behavior
- Mimikatz PassTheTicket CommandLine Parameters
- Disabling CMD Application
- Linux Common Process For Elevation Control
- DLLHost with no Command Line Arguments with Network
- Windows Modify Registry Disable Toast Notifications
- Suspicious GPUpdate no Command Line Arguments
- Linux Setuid Using Setcap Utility
- User Discovery With Env Vars PowerShell
- Windows Detect Network Scanner Behavior
- Windows MSIExec Remote Download
- Rundll32 with no Command Line Arguments with Network
- Windows Modify Registry Configure BitLocker
- Wget Download and Bash Execution
- Headless Browser Usage
- Suspicious WAV file in Appdata Folder
- Windows Impair Defenses Disable AV AutoStart via Registry
- Windows Spearphishing Attachment Onenote Spawn Mshta
- SLUI Spawning a Process
- Detect AzureHound Command-Line Arguments
- Remote System Discovery with Wmic
- Windows Registry Modification for Safe Mode Persistence
- Windows Phishing Outlook Drop Dll In FORM Dir
- Print Processor Registry Autostart
- Windows SQL Spawning CertUtil
- Disabling Task Manager
- Remote Process Instantiation via WinRM and Winrs
- Windows Modify Registry No Auto Reboot With Logon User
- Attempt To Add Certificate To Untrusted Store
- Eventvwr UAC Bypass
- Anomalous usage of 7zip
- Detect Path Interception By Creation Of program exe
- Windows List ENV Variables Via SET Command From Uncommon Parent
- Windows New Custom Security Descriptor Set On EventLog Channel
- Any Powershell DownloadString
- Windows Impair Defense Overide Win Defender Phishing Filter
- Windows UAC Bypass Suspicious Child Process
- Wmic Group Discovery
- Windows New EventLog ChannelAccess Registry Value Set
- Windows System Script Proxy Execution Syncappvpublishingserver
- Linux Hardware Addition SwapOff
- Windows ESX Admins Group Creation via Net
- Linux AWK Privilege Escalation
- Windows WinLogon with Public Network Connection
- Possible Browser Pass View Parameter
- Windows Impair Defense Delete Win Defender Context Menu
- Windows Impair Defense Change Win Defender Quick Scan Interval
- Windows Impair Defense Disable Web Evaluation
- Detect DNS Query to Decommissioned S3 Bucket
- Windows Modify Registry No Auto Update
- Windows Scheduled Task Created Via XML
- Detect HTML Help Spawn Child Process
- Windows InProcServer32 New Outlook Form
- Windows Odbcconf Load Response File
- Windows Proxy Via Netsh
- Windows Execute Arbitrary Commands with MSDT
- PowerShell Get LocalGroup Discovery
- Deleting Shadow Copies
- Windows Modify Registry Disabling WER Settings
- Windows Modify Registry on Smart Card Group Policy
- CertUtil With Decode Argument
- Windows AutoIt3 Execution
- Windows Disable Change Password Through Registry
- Control Loading from World Writable Directory
- Windows Command and Scripting Interpreter Hunting Path Traversal
- Linux Puppet Privilege Escalation
- Windows Modify Registry ProxyServer
- Windows Audit Policy Auditing Option Modified - Registry
- Okta Multi-Factor Authentication Disabled
- Mmc LOLBAS Execution Process Spawn
- Impacket Lateral Movement WMIExec Commandline Parameters
- Suspicious msbuild path
- Get ADUser with PowerShell
- Disabling NoRun Windows App
- Windows Modify Registry DisableRemoteDesktopAntiAlias
- Excessive Usage Of Cacls App
- Windows Process Injection Wermgr Child Process
- Conti Common Exec parameter
- Linux SSH Remote Services Script Execute
- Windows User Execution Malicious URL Shortcut File
- GetAdGroup with PowerShell
- Linux File Creation In Init Boot Directory
- Windows Disable or Stop Browser Process
- Disable UAC Remote Restriction
- Excessive number of service control start as disabled
- Linux Sudo OR Su Execution
- Services Escalate Exe
- Linux Kworker Process In Writable Process Path
- Linux Impair Defenses Process Kill
- Sdclt UAC Bypass
- Windows User Discovery Via Net
- Disable Windows SmartScreen Protection
- Windows Modify Registry Default Icon Setting
- Windows Credentials from Password Stores Chrome Copied in TEMP Dir
- Processes launching netsh
- Windows SnappyBee Create Test Registry
- Linux Install Kernel Module Using Modprobe Utility
- Shim Database Installation With Suspicious Parameters
- Windows Process Execution From ProgramData
- Remote Process Instantiation via WMI and PowerShell
- Disable Schedule Task
- Detect SharpHound Command-Line Arguments
- Child Processes of Spoolsv exe
- ServicePrincipalNames Discovery with SetSPN
- RunDLL Loading DLL By Ordinal
- Windows Compatibility Telemetry Tampering Through Registry
- Windows InstallUtil Uninstall Option
- Suspicious writes to windows Recycle Bin
- Windows Set Account Password Policy To Unlimited Via Net
- Single Letter Process On Endpoint
- Windows File and Directory Permissions Remove Inheritance
- Linux High Frequency Of File Deletion In Boot Folder
- Linux Add User Account
- Linux Ruby Privilege Escalation
- Unusually Long Command Line - MLTK
- Windows Snake Malware Kernel Driver Comadmin
- Windows Suspicious Process File Path
- Linux Deletion of SSL Certificate
- Windows DLL Search Order Hijacking with iscsicpl
- Detect Certipy File Modifications
- Disable Defender MpEngine Registry
- Suspicious DLLHost no Command Line Arguments
- Linux Emacs Privilege Escalation
- Windows Modify Registry Disable Win Defender Raw Write Notif
- Windows Rundll32 WebDAV Request
- Windows Identify Protocol Handlers
- Svchost LOLBAS Execution Process Spawn
- Windows Impair Defense Set Win Defender Smart Screen Level To Warn
- Services LOLBAS Execution Process Spawn
- Linux Disable Services
- Clear Unallocated Sector Using Cipher App
- Linux Octave Privilege Escalation
- Windows Ngrok Reverse Proxy Usage
- Windows Credentials from Password Stores Deletion
- Windows Svchost.exe Parent Process Anomaly
- Disable Defender Spynet Reporting
- NLTest Domain Trust Discovery
- Linux Deleting Critical Directory Using RM Command
- Sc exe Manipulating Windows Services
- Windows Impair Defense Disable Realtime Signature Delivery
- Windows Private Keys Discovery
- Internal Horizontal Port Scan
- SecretDumps Offline NTDS Dumping Tool
- Elevated Group Discovery With Wmic
- Windows Audit Policy Auditing Option Disabled via Auditpol
- Windows PaperCut NG Spawn Shell
- Windows WPDBusEnum Registry Key Modification
- Windows CAB File on Disk
- GetDomainController with PowerShell
- Linux Adding Crontab Using List Parameter
- Execute Javascript With Jscript COM CLSID
- Linux Service Restarted
- Disabling Remote User Account Control
- Potentially malicious code on commandline
- Mshta spawning Rundll32 OR Regsvr32 Process
- Suspicious SQLite3 LSQuarantine Behavior
- Change To Safe Mode With Network Config
- Windows Account Access Removal via Logoff Exec
- Linux Possible Append Cronjob Entry on Existing Cronjob File
- Windows Modify Registry ValleyRAT C2 Config
- Creation of Shadow Copy
- Windows Modify Registry WuServer
- Outbound Network Connection from Java Using Default Ports
- Okta New Device Enrolled on Account
- Windows Remote Management Execute Shell
- Windows ISO LNK File Creation
- Windows Disable Lock Workstation Feature Through Registry
- Windows Modify Registry Auto Update Notif
- Windows Raccine Scheduled Task Deletion
- Windows InstallUtil Credential Theft
- Windows Hijack Execution Flow Version Dll Side Load
- Create Remote Thread into LSASS
- Windows Raw Access To Master Boot Record Drive
- Windows MSHTA Writing to World Writable Path
- Windows Scheduled Task DLL Module Loaded
- Windows Obfuscated Files or Information via RAR SFX
- Windows Hunting System Account Targeting Lsass
- Windows Non-System Account Targeting Lsass
- Windows SqlWriter SQLDumper DLL Sideload
- Access LSASS Memory for Dump Creation
- Trickbot Named Pipe
- Windows Credentials Access via VaultCli Module
- Windows Unsigned DLL Side-Loading
- Windows File Transfer Protocol In Non-Common Process Path
- MS Scripting Process Loading WMI Module
- Powershell Remote Thread To Known Windows Process
- Windows App Layer Protocol Qakbot NamedPipe
- Sunburst Correlation DLL and Network Event
- Rundll32 CreateRemoteThread In Browser
- Sqlite Module In Temp Folder
- Suspicious Process With Discord DNS Query
- Windows BitLockerToGo with Network Activity
- Windows DNS Query Request by Telegram Bot API
- Windows Executable in Loaded Modules
- Windows Possible Credential Dumping
- SchCache Change By App Connect And Create ADSI Object
- MS Scripting Process Loading Ldap Module
- Download Files Using Telegram
- Windows Input Capture Using Credential UI Dll
- Windows WMI Impersonate Token
- Process Deleting Its Process File Path
- Wermgr Process Create Executable File
- Rundll32 Process Creating Exe Dll Files
- Windows Mail Protocol In Non-Common Process Path
- UAC Bypass With Colorui COM Object
- Detect Regasm with Network Connection
- Modification Of Wallpaper
- XMRIG Driver Loaded
- Windows Processes Killed By Industroyer2 Malware
- Detect WMI Event Subscription Persistence
- Rundll32 DNSQuery
- WMI Permanent Event Subscription - Sysmon
- Windows Access Token Manipulation Winlogon Duplicate Token Handle
- Windows Process Injection Of Wermgr to Known Browser
- Wbemprox COM Object Execution
- Windows Modify Registry Delete Firewall Rules
- UAC Bypass MMC Load Unsigned Dll
- Spoolsv Suspicious Process Access
- CMLUA Or CMSTPLUA UAC Bypass
- Spoolsv Writing a DLL - Sysmon
- High Process Termination Frequency
- Windows Gather Victim Identity SAM Info
- Wermgr Process Connecting To IP Check Web Services
- Spoolsv Suspicious Loaded Modules
- Windows Privilege Escalation System Process Without System Parent
- Windows Remote Access Software BRC4 Loaded Dll
- Windows Abused Web Services
- Windows Office Product Loading VBE7 DLL
- Windows DLL Side-Loading In Calc
- Windows Data Destruction Recursive Exec Files Deletion
- Windows Known GraphicalProton Loaded Modules
- Rubeus Kerberos Ticket Exports Through Winlogon Access
- MSI Module Loaded by Non-System Binary
- Windows App Layer Protocol Wermgr Connect To NamedPipe
- Windows Vulnerable 3CX Software
- Windows Drivers Loaded by Signature
- Detect Regsvcs with Network Connection
- Windows Access Token Winlogon Duplicate Handle In Uncommon Path
- Windows Office Product Loaded MSHTML Module
- Windows Terminating Lsass Process
- Create Remote Thread In Shell Application
- Windows Unsigned DLL Side-Loading In Same Process Path
- Loading Of Dynwrapx Module
- Suspicious Process DNS Query Known Abuse Web Services
- Windows Process Injection With Public Source Path
- Windows Unsigned MS DLL Side-Loading
- Windows Multi hop Proxy TOR Website Query
- Windows Alternate DataStream - Executable Content
- Creation of lsass Dump with Taskmgr
- Windows Mark Of The Web Bypass
- Windows Known Abused DLL Loaded Suspiciously
- Windows Vulnerable Driver Loaded
- Windows Process Injection Remote Thread
- Windows Alternate DataStream - Base64 Content
- Windows Process Injection into Notepad
- Cobalt Strike Named Pipes
- Windows Gather Victim Network Info Through Ip Check Web Services
- Windows Raw Access To Disk Volume Partition
- Rundll32 Create Remote Thread To A Process
- Detect Credential Dumping through LSASS access
- Windows Spearphishing Attachment Connect To None MS Office Domain
- Windows Suspicious Driver Loaded Path
- Excessive File Deletion In WinDefender Folder
- Windows High File Deletion Frequency
- Windows Application Layer Protocol RMS Radmin Tool Namedpipe
- Windows Office Product Loading Taskschd DLL
- Windows DLL Search Order Hijacking Hunt with Sysmon
- AWS Unusual Number of Failed Authentications From Ip
- GetDomainController with PowerShell Script Block
- Windows Rapid Authentication On Multiple Hosts
- Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos
- Windows Unusual Count Of Users Failed To Auth Using Kerberos
- Elevated Group Discovery with PowerView
- Windows Multiple Users Remotely Failed To Authenticate From Host
- Windows Powershell Cryptography Namespace
- Get ADUserResultantPasswordPolicy with Powershell Script Block
- Powershell Execute COM Object
- Powershell Fileless Process Injection via GetProcAddress
- Windows PowerShell Add Module to Global Assembly Cache
- Mailsniper Invoke functions
- Powershell COM Hijacking InprocServer32 Modification
- Windows Root Domain linked policies Discovery
- Powershell Processing Stream Of Data
- Detect Empire with PowerShell Script Block Logging
- Windows PowerShell Export Certificate
- Powershell Remote Services Add TrustedHost
- Allow Inbound Traffic In Firewall Rule
- Windows AD AdminSDHolder ACL Modified
- Windows Linked Policies In ADSI Discovery
- Windows Get-AdComputer Unconstrained Delegation Discovery
- Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos
- Windows AD DCShadow Privileges ACL Addition
- Powershell Creating Thread Mutex
- Executable File Written in Administrative SMB Share
- Windows Forest Discovery with GetForestDomain
- Windows Increase in User Modification Activity
- Windows AD Same Domain SID History Addition
- PowerShell Enable PowerShell Remoting
- Domain Group Discovery with Adsisearcher
- Windows Unusual Count Of Users Failed To Authenticate From Process
- Windows PowerShell ScheduleTask
- Disabled Kerberos Pre-Authentication Discovery With PowerView
- Windows File Share Discovery With Powerview
- Windows Account Discovery for None Disable User Account
- Windows Kerberos Local Successful Logon
- Windows AD GPO New CSE Addition
- Windows AD Hidden OU Creation
- Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM
- Windows Domain Account Discovery Via Get-NetComputer
- Windows Multiple Invalid Users Fail To Authenticate Using Kerberos
- Windows ESX Admins Group Creation via PowerShell
- Windows PowerView AD Access Control List Enumeration
- Windows Domain Admin Impersonation Indicator
- Windows PowerView Constrained Delegation Discovery
- Recon AVProduct Through Pwh or WMI
- Windows Account Discovery for Sam Account Name
- Get ADUser with PowerShell Script Block
- GetNetTcpconnection with PowerShell Script Block
- Windows Find Domain Organizational Units with GetDomainOU
- Windows PowerShell Get CIMInstance Remote Computer
- PowerShell Domain Enumeration
- Windows Powershell Logoff User via Quser
- Powershell Remove Windows Defender Directory
- Kerberos User Enumeration
- Powershell Windows Defender Exclusion Commands
- GetWmiObject Ds Group with PowerShell Script Block
- Windows AD GPO Disabled
- Remote Process Instantiation via WinRM and PowerShell Script Block
- Windows AD Replication Request Initiated by User Account
- Get-ForestTrust with PowerShell Script Block
- Windows Group Policy Object Created
- Windows PowerView Kerberos Service Ticket Request
- PowerShell Invoke CIMMethod CIMSession
- Windows Enable PowerShell Web Access
- Windows AD Domain Root ACL Deletion
- Windows Administrative Shares Accessed On Multiple Hosts
- Windows PowerShell Script Block With Malicious String
- Windows AD Cross Domain SID History Addition
- Windows AD Suspicious Attribute Modification
- Windows Local Administrator Credential Stuffing
- Remote Process Instantiation via WMI and PowerShell Script Block
- Windows PowerShell IIS Components WebGlobalModule Usage
- Windows PowerView SPN Discovery
- Powershell Get LocalGroup Discovery with Script Block Logging
- Powershell Fileless Script Contains Base64 Encoded Content
- Windows PowerShell Export PfxCertificate
- Windows Unusual Count Of Users Failed To Authenticate Using NTLM
- Windows AD Self DACL Assignment
- Windows Multiple Users Failed To Authenticate From Host Using NTLM
- GetAdGroup with PowerShell Script Block
- Windows PowerShell Disable HTTP Logging
- Detect Mimikatz With PowerShell Script Block Logging
- Windows Event Log Cleared
- Windows Account Discovery With NetUser PreauthNotRequire
- Powershell Using memory As Backing Store
- Windows AD Short Lived Domain Account ServicePrincipalName
- GetWmiObject DS User with PowerShell Script Block
- Windows Exfiltration Over C2 Via Invoke RestMethod
- Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos
- Remote Process Instantiation via DCOM and PowerShell Script Block
- Powershell Enable SMB1Protocol Feature
- GetWmiObject Ds Computer with PowerShell Script Block
- Windows PowerSploit GPP Discovery
- GetLocalUser with PowerShell Script Block
- PowerShell Loading DotNET into Memory via Reflection
- Windows Unusual Count Of Users Remotely Failed To Auth From Host
- Detect Certify With PowerShell Script Block Logging
- Unusual Number of Kerberos Service Tickets Requested
- Get DomainUser with PowerShell Script Block
- Recon Using WMI Class
- GetCurrent User with PowerShell Script Block
- Get ADDefaultDomainPasswordPolicy with Powershell Script Block
- Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials
- Windows AD Short Lived Domain Controller SPN Attribute
- Windows Multiple Accounts Deleted
- Get DomainPolicy with Powershell Script Block
- Kerberos Pre-Authentication Flag Disabled with PowerShell
- Windows AD Domain Root ACL Modification
- PowerShell Invoke WmiExec Usage
- GetAdComputer with PowerShell Script Block
- Windows Get Local Admin with FindLocalAdminAccess
- Windows Multiple Account Passwords Changed
- Windows Increase in Group or Object Modification Activity
- Windows Access Token Manipulation SeDebugPrivilege
- PowerShell WebRequest Using Memory Stream
- Interactive Session on Remote Endpoint with PowerShell
- GetDomainGroup with PowerShell Script Block
- Windows Screen Capture Via Powershell
- Exchange PowerShell Module Usage
- WMI Recon Running Process Or Services
- Windows Event Logging Service Has Shutdown
- Windows AD Short Lived Server Object
- Delete ShadowCopy With PowerShell
- Windows AD GPO Deleted
- Powershell Load Module in Meterpreter
- Windows ClipBoard Data via Get-ClipBoard
- Remote System Discovery with Adsisearcher
- Windows Archive Collected Data via Powershell
- Windows Powershell Import Applocker Policy
- Windows PowerView Unconstrained Delegation Discovery
- Windows Multiple Accounts Disabled
- Windows AD Dangerous Group ACL Modification
- Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials
- Windows Large Number of Computer Service Tickets Requested
- Windows PowerShell WMI Win32 ScheduledJob
- Windows Default Group Policy Object Modified
- AdsiSearcher Account Discovery
- Windows AD Suspicious GPO Modification
- Windows Exfiltration Over C2 Via Powershell UploadString
- Windows AD add Self to Group
- Get WMIObject Group Discovery with Script Block Logging
- Unloading AMSI via Reflection
- Windows Multiple Users Failed To Authenticate From Process
- Windows Gather Victim Host Information Camera
- Windows AD Object Owner Updated
- Windows AD Dangerous User ACL Modification
- Disabled Kerberos Pre-Authentication Discovery With Get-ADUser
- User Discovery With Env Vars PowerShell Script Block
- GetDomainComputer with PowerShell Script Block
- Get-DomainTrust with PowerShell Script Block
- Windows Multiple Invalid Users Failed To Authenticate Using NTLM
- PowerShell Script Block With URL Chain
- Detect Copy of ShadowCopy with Script Block Logging
- Windows Find Interesting ACL with FindInterestingDomainAcl
- PowerShell Start or Stop Service
- Windows AD Domain Replication ACL Addition
- ServicePrincipalNames Discovery with PowerShell
- GetWmiObject User Account with PowerShell Script Block
- Windows Multiple Users Failed To Authenticate Using Kerberos
- Windows AD Dangerous Deny ACL Modification
- Windows Service Created with Suspicious Service Name
- Cisco AI Defense Security Alerts by Application Name
- O365 Mailbox Email Forwarding Enabled
- O365 Email Send and Hard Delete Exfiltration Behavior
- O365 Multiple Service Principals Created by SP
- O365 Multiple Mailboxes Accessed via API
- O365 User Consent Denied for OAuth Application
- O365 Tenant Wide Admin Consent Granted
- O365 SharePoint Allowed Domains Policy Changed
- O365 Mailbox Folder Read Permission Granted
- O365 Privileged Graph API Permission Assigned
- O365 Email New Inbox Rule Created
- O365 Multiple AppIDs and UserAgents Authentication Spike
- O365 Application Registration Owner Added
- O365 Elevated Mailbox Permission Assigned
- O365 Privileged Role Assigned To Service Principal
- O365 Multi-Source Failed Authentications Spike
- O365 Email Receive and Hard Delete Takeover Behavior
- O365 Multiple Service Principals Created by User
- O365 PST export alert
- O365 Multiple Users Failing To Authenticate From Ip
- O365 Service Principal New Client Credentials
- O365 External Guest User Invited
- O365 Mailbox Inbox Folder Shared with All Users
- O365 User Consent Blocked for Risky Application
- O365 Compliance Content Search Started
- Windows SQLCMD Execution
- O365 Email Send and Hard Delete Suspicious Behavior
- O365 Email Password and Payroll Compromise Behavior
- O365 DLP Rule Triggered
- O365 Service Principal Privilege Escalation
- O365 Email Reported By Admin Found Malicious
- O365 External Identity Policy Changed
- O365 Threat Intelligence Suspicious File Detected
- O365 Mail Permissioned Application Consent Granted by User
- O365 Advanced Audit Disabled
- O365 ApplicationImpersonation Role Assigned
- O365 High Privilege Role Granted
- O365 Admin Consent Bypassed by Service Principal
- O365 Email Security Feature Changed
- O365 FullAccessAsApp Permission Assigned
- O365 New Email Forwarding Rule Created
- O365 Safe Links Detection
- O365 Excessive SSO logon errors
- O365 Email Hard Delete Excessive Volume
- O365 Excessive Authentication Failures Alert
- O365 Multiple Failed MFA Requests For User
- O365 New Federated Domain Added
- O365 New Forwarding Mailflow Rule Created
- O365 File Permissioned Application Consent Granted by User
- O365 Email Send Attachments Excessive Volume
- O365 Threat Intelligence Suspicious Email Delivered
- O365 Block User Consent For Risky Apps Disabled
- O365 Add App Role Assignment Grant User
- High Number of Login Failures from a single source
- O365 Disable MFA
- O365 Privileged Role Assigned
- O365 Security And Compliance Alert Triggered
- O365 OAuth App Mailbox Access via Graph API
- O365 Mailbox Folder Read Permission Assigned
- O365 High Number Of Failed Authentications for User
- O365 Email Suspicious Search Behavior
- O365 Cross-Tenant Access Change
- O365 Mailbox Read Access Granted to Application
- O365 SharePoint Malware Detection
- O365 Email Reported By User Found Malicious
- O365 Email Transport Rule Changed
- O365 Added Service Principal
- O365 Email Suspicious Behavior Alert
- O365 Bypass MFA via Trusted IP
- O365 Concurrent Sessions From Different Ips
- O365 Compliance Content Search Exported
- O365 New MFA Method Registered
- O365 Email Access By Security Administrator
- O365 New Email Forwarding Rule Enabled
- O365 Application Available To Other Tenants
- O365 Multiple OS Vendors Authenticating From User
- O365 ZAP Activity Detection
- O365 OAuth App Mailbox Access via EWS
- Windows Anonymous Pipe Activity
- GitHub Enterprise Modify Audit Log Event Stream
- GitHub Enterprise Register Self Hosted Runner
- GitHub Organizations Disable Dependabot
- GitHub Enterprise Disable 2FA Requirement
- GitHub Enterprise Disable Dependabot
- GitHub Enterprise Pause Audit Log Event Stream
- GitHub Organizations Repository Archived
- GitHub Enterprise Delete Branch Ruleset
- GitHub Enterprise Remove Organization
- GitHub Enterprise Repository Deleted
- GitHub Enterprise Repository Archived
- GitHub Organizations Repository Deleted
- GitHub Enterprise Disable IP Allow List
- GitHub Organizations Disable 2FA Requirement
- GitHub Enterprise Disable Classic Branch Protection Rule
- GitHub Organizations Disable Classic Branch Protection Rule
- GitHub Organizations Delete Branch Ruleset
- GitHub Enterprise Disable Audit Log Event Stream
- Windows SQL Server Startup Procedure
- Windows Scheduled Task with Suspicious Name
- Windows SQL Server Configuration Option Hunt
- Windows SQL Server Critical Procedures Enabled
- Windows SQL Server xp_cmdshell Config Change
- Windows PowerShell Invoke-Sqlcmd Execution
- Windows Scheduled Task with Suspicious Command
- Windows SQL Server Extended Procedure DLL Loading Hunt
2025.03.24
Summary of Changes
Totals: 49 added / 219 modified
Intelligence: 0 added / 0 modified
Detections: 44 added / 212 modified
Threats: 1 added / 0 modified
Attack Scripts: 4 added / 6 modified
Collections: 0 added / 1 modified
Content Added
SnapAttack Subscribers (subscribers only)
- Explorer.exe Spawning Powershell or Cmd
- ZDI-CAN-25373
- cmd.exe or powershell.exe execution from LNK files
Atomic Red Team
- Replace utilman.exe (Ease of Access Binary) with cmd.exe
- Download a file with OneDrive Standalone Updater
- Microsoft Dev tunnels (Linux/macOS)
- Port Scan using nmap (Port range)
Chronicle Detection Rules
Microsoft Sentinel
- Create alerts based on recommended detections from ExtraHop
- Guardian- Malicious URL Policy Violation Detection
- Guardian- Security Integrity Checks Prompt Injection Policy Violation Detection
- Guardian- URL Detection Policy Violation Detection
- Guardian- Privacy Protection PII Policy Violation Detection
- Guardian- Not Safe For Work Policy Violation Detection
- Guardian- Block Competitor Policy Violation Detection
- Guardian- Input Output Relevance Policy Violation Detection
- Guardian- Special PII Detection Policy Violation Detection
- Guardian- Gender Bias Policy Violation Detection
- Guardian- Content Access Control Blocked List Policy Violation Detection
- Guardian- Regex Policy Violation Detection
- Guardian- Invisible Text Policy Violation Detection
- Guardian- Code Detection Policy Violation Detection
- Guardian- Token Limit Policy Violation Detection
- Guardian- Racial Bias Policy Violation Detection
- Guardian- Ban Topic Policy Violation Detection
- Guardian- URL Reachability Policy Violation Detection
- Guardian- Language Detection Policy Violation Detection
- Guardian- Secrets Policy Violation Detection
- Guardian- Content Access Control Allowed List Policy Violation Detection
- Guardian- BII Detection Policy Violation Detection
- Guardian- Same Input/Output Language Detection Policy Violation Detection
- Guardian- Blocks specific strings of text Policy Violation Detection
- Guardian- Additional check JSON Policy Violation Detection
- Guardian- No LLM Output Policy Violation Detection
- Guardian- Content Safety Toxicity Policy Violation Detection.
- Guardian- Content Safety Profanity Policy Violation Detection
- Guardian- Sentiment Policy Violation Detection
- Guardian- Input Rate Limiter Policy Violation Detection
Splunk
- O365 Email Suspicious Search Behavior
- Executables Or Script Creation In Temp Path
- Windows Svchost.exe Parent Process Anomaly
- Windows Process Execution From ProgramData
- Windows SnappyBee Create Test Registry
- Windows Unusual SysWOW64 Process Run System32 Executable
- AWS Credential Access Failed Login
- Windows Anonymous Pipe Activity
- Windows Scheduled Task with Suspicious Command
- Windows Scheduled Task with Suspicious Name
The DFIR Report
Content Updated
SnapAttack Community
Atomic Red Team
- Windows pull file using sftp.exe
- Store file in Alternate Data Stream (ADS)
- Create Hidden Directory via $index_allocation
- Create ADS PowerShell
- ScreenConnect Application Download and Install on Windows
- Alternate Data Streams (ADS)
Chronicle Detection Rules
- Github Repository Deploy Key Created Or Modified
- Github User Blocked From Accessing Organization Repositories
- Github Personal Access Token Auto Approve Policy Modified
- Github User Unblocked From Accessing Organization Repositories
- Github Enterprise Audit Log Stream Modified
- Github Dependabot Vulnerability Alerts Disabled
- Github High Number Of Non Public Github Repositories Cloned
- Github Repository Visibility Changed To Public
- Github Repository Branch Protection Rules Disabled
- Github Personal Access Token Created From Tor Ip Address
- Github High Number Of Non Public Github Repositories Downloaded
- Github Enterprise Or Organization Recovery Codes Activity
- Github Access Granted To Personal Access Token Followed By High Number Of Cloned Non Public Repositories
- Github Oauth Application Access Restrictions Disabled
- Github Two Factor Authentication Requirement Disabled
- Github Outgoing Repository Transfer Initiated
- Github Enterprise Audit Log Stream Destroyed
- Github Organization Removed From Enterprise
- Github Secret Scanning Alert
- Github Secret Scanning Disabled Or Bypassed
- Github Sso Configuration Modified
- Github Enterprise Deleted
- Github Repository Archived Or Deleted
- Github Application Installed
- Github Invitation Sent To Non Company Email Domain
Microsoft Sentinel
Sigma Community Rules
Splunk
- AWS Defense Evasion Delete Cloudtrail
- AWS CreateAccessKey
- AWS Credential Access GetPasswordData
- AWS Defense Evasion PutBucketLifecycle
- AWS Credential Access RDS Password reset
- AWS Create Policy Version to allow all resources
- AWS Multiple Users Failing To Authenticate From Ip
- AWS Detect Users creating keys with encrypt policy without MFA
- AWS Defense Evasion Impair Security Services
- AWS Password Policy Changes
- AWS Excessive Security Scanning
- AWS ECR Container Upload Outside Business Hours
- AWS SAML Update identity provider
- AWS Lambda UpdateFunctionCode
- AWS Multi-Factor Authentication Disabled
- AWS CreateLoginProfile
- AWS ECR Container Scanning Findings Low Informational Unknown
- AWS High Number Of Failed Authentications For User
- AWS IAM Assume Role Policy Brute Force
- AWS Exfiltration via DataSync Task
- AWS Successful Single-Factor Authentication
- AWS Exfiltration via Anomalous GetObject API Activity
- AWS Exfiltration via Bucket Replication
- AWS ECR Container Scanning Findings Medium
- AWS Defense Evasion Delete CloudWatch Log Group
- AWS UpdateLoginProfile
- AWS Exfiltration via Batch Service
- AWS IAM AccessDenied Discovery Events
- AWS IAM Failure Group Deletion
- AWS Network Access Control List Deleted
- AWS High Number Of Failed Authentications From Ip
- AWS EC2 Snapshot Shared Externally
- AWS IAM Successful Group Deletion
- AWS Exfiltration via EC2 Snapshot
- AWS Successful Console Authentication From Multiple IPs
- AWS New MFA Method Registered For User
- AWS Concurrent Sessions From Different Ips
- AWS Disable Bucket Versioning
- AWS ECR Container Upload Unknown User
- AWS Detect Users with KMS keys performing encryption S3
- AWS Defense Evasion Stop Logging Cloudtrail
- AWS Multiple Failed MFA Requests For User
- AWS IAM Delete Policy
- AWS AMI Attribute Modification for Exfiltration
- AWS ECR Container Scanning Findings High
- AWS SetDefaultPolicyVersion
- AWS Console Login Failed During MFA Challenge
- AWS Network Access Control List Created with All Open Ports
- AWS Defense Evasion Update Cloudtrail
- O365 SharePoint Suspicious Search Behavior
- ASL AWS Multi-Factor Authentication Disabled
- AWS Unusual Number of Failed Authentications From Ip
- Azure AD Privileged Role Assigned to Service Principal
- ASL AWS IAM AccessDenied Discovery Events
- Azure AD FullAccessAsApp Permission Assigned
- Azure AD Multiple Denied MFA Requests For User
- Azure Automation Runbook Created
- Azure AD Multiple AppIDs and UserAgents Authentication Spike
- Azure AD User Enabled And Password Reset
- Azure AD Multi-Factor Authentication Disabled
- Azure Automation Account Created
- ASL AWS Create Access Key
- Azure AD User Consent Blocked for Risky Application
- Azure AD Unusual Number of Failed Authentications From Ip
- ASL AWS Defense Evasion Delete Cloudtrail
- Azure AD Successful PowerShell Authentication
- ASL AWS Network Access Control List Deleted
- ASL AWS Defense Evasion PutBucketLifecycle
- ASL AWS SAML Update identity provider
- Azure Active Directory High Risk Sign-in
- Azure AD Service Principal New Client Credentials
- ASL AWS Defense Evasion Stop Logging Cloudtrail
- Azure AD Service Principal Owner Added
- ASL AWS UpdateLoginProfile
- ASL AWS IAM Failure Group Deletion
- ASL AWS EC2 Snapshot Shared Externally
- ASL AWS Credential Access GetPasswordData
- ASL AWS Defense Evasion Delete CloudWatch Log Group
- Azure AD Block User Consent For Risky Apps Disabled
- Azure AD Successful Single-Factor Authentication
- Azure AD Service Principal Enumeration
- ASL AWS Disable Bucket Versioning
- ASL AWS IAM Delete Policy
- Azure AD External Guest User Invited
- Azure AD Service Principal Authentication
- ASL AWS Defense Evasion Update Cloudtrail
- Azure Runbook Webhook Created
- Azure AD Global Administrator Role Assigned
- Azure AD Device Code Authentication
- Azure AD New Custom Domain Added
- ASL AWS Credential Access RDS Password reset
- ASL AWS IAM Assume Role Policy Brute Force
- ASL AWS ECR Container Upload Outside Business Hours
- Azure AD Admin Consent Bypassed by Service Principal
- Azure AD New Federated Domain Added
- Azure AD High Number Of Failed Authentications From Ip
- Azure AD Multiple Service Principals Created by SP
- Azure AD Privileged Graph API Permission Assigned
- Azure AD New MFA Method Registered
- Azure AD Multiple Service Principals Created by User
- Azure AD PIM Role Assignment Activated
- Azure AD Application Administrator Role Assigned
- Azure AD Concurrent Sessions From Different Ips
- ASL AWS Defense Evasion Impair Security Services
- Azure AD Service Principal Privilege Escalation
- Executables Or Script Creation In Suspicious Path
- Azure AD Privileged Role Assigned
- Azure AD Multiple Users Failing To Authenticate From Ip
- ASL AWS Network Access Control List Created with All Open Ports
- ASL AWS IAM Successful Group Deletion
- Azure AD Authentication Failed During MFA Challenge
- Azure AD AzureHound UserAgent Detected
- ASL AWS Detect Users creating keys with encrypt policy without MFA
- Azure AD PIM Role Assigned
- Azure AD Multi-Source Failed Authentications Spike
- Azure AD New MFA Method Registered For User
- Azure AD Privileged Authentication Administrator Role Assigned
- ASL AWS Concurrent Sessions From Different Ips
- Azure AD OAuth Application Consent Granted By User
- Azure AD Multiple Failed MFA Requests For User
- ASL AWS Create Policy Version to allow all resources
- ASL AWS New MFA Method Registered For User
- Azure AD Service Principal Created
- Azure AD High Number Of Failed Authentications For User
- Azure AD Tenant Wide Admin Consent Granted
- Azure AD User ImmutableId Attribute Updated
- Azure AD Successful Authentication From Different Ips
- Azure AD User Consent Denied for OAuth Application
- ASL AWS ECR Container Upload Unknown User
- Windows Unsigned DLL Side-Loading In Same Process Path
The DFIR Report
- Enabling restricted admin mode
- Mshta Executing from Registry
- SplashTop Network
- Suspicious Commands by SQL Server
- Enable WDigest using PowerShell
- Lazagne dumping credentials
- Custom Cobalt Strike Command Execution
- Invoke-ShareFinder Module Load Detection
- Operator Bring Your Own Tools
- Renamed Autohotkey Binary
- FlawedGrace spawning threat injection target
- SplashTop Process
- Deleting Windows Defender scheduled tasks
- Execution of ZeroLogon PoC executable
- Enable WDigest using PowerShell (ps_module)
- Invoke-ShareFinder Script Block Execution
- QBot scheduled task REGSVR32 with C$ image path
- Viewing remote directories
- Conhost Suspicious Command Execution
- Potential Qbot SMB DLL Lateral Movement
- Bumblebee WmiPrvSE execution pattern
- Mimikatz Command Line With Ticket Export
- SSH over port 443 with known Server and Client Strings
- Enabling RDP service via reg.exe command execution
- QBot process creation from scheduled task REGSVR32 (regsvr32.exe), -s flag and SYSTEM in the command line
- Hiding local user accounts
- Exchange WebShell Creation
- JavaScript Execution Using MSDOS 8.3 File Notation
- AnyDesk Network
- Potential SMB DLL Lateral Movement
- Default Account Usage
- Rclone SMB Share Exfiltration
- Nullsoft Scriptable Installer Script (NSIS) execution
- Emotet Child Process Spawn Pattern
- NetScan Share Enumeration Write Access Check
- CHCP CodePage Locale Lookup
- PSEXEC Custom Named Service Binary
- Uninstall Windows Feature - Defender
- Suspicious Scheduled Task Creation to execute LOLbins
- MOFComp Execution
- Nslookup Local
- Operator Bloopers Cobalt Strike Modules
- Nullsoft Scriptable Installer Script (NSIS) file creation
- AdFind Discovery
- Data Exfiltration via AWS CLI
- System Time Lookup
- Webshell Usage with ManageEngine Product
- List remote processes using tasklist
- Ursnif Loader
- AteraAgent malicious installations
- Driverquery Lookup
- Scheduled task executing powershell encoded payload from registry
- WinEvent Security Query
- NIM Pass The Hash Tooling Detection
2025.03.10
Summary of Changes
Totals: 41 added / 1973 modified
Intelligence: 0 added / 0 modified
Detections: 38 added / 1960 modified
Threats: 1 added / 0 modified
Attack Scripts: 2 added / 12 modified
Collections: 0 added / 1 modified
Content Added
SnapAttack Subscribers (subscribers only)
- Suspicious Child of Regsvr32
- Mavinject Process Injection via RemoteThread
- Mustang Panda Process Injection via MAVInject
Atomic Red Team
Sigma Community Rules
- HTTP Request to Low Reputation TLD or Suspicious File Extension
- Notepad Password Files Discovery
- Potential CVE-2024-35250 Exploitation Activity
Splunk
- Windows SQLCMD Execution
- O365 Email Send Attachments Excessive Volume
- Windows Sqlservr Spawning Shell
- O365 Email Hard Delete Excessive Volume
- O365 Email Password and Payroll Compromise Behavior
- O365 Email Send and Hard Delete Suspicious Behavior
- O365 Email Receive and Hard Delete Takeover Behavior
- O365 Email New Inbox Rule Created
- O365 Email Send and Hard Delete Exfiltration Behavior
- Windows PowerShell Invoke-Sqlcmd Execution
- Windows SQL Server Configuration Option Hunt
- Windows SQL Server Startup Procedure
- Windows SQL Server xp_cmdshell Config Change
- Windows SQL Server Critical Procedures Enabled
- Windows SQL Server Extended Procedure DLL Loading Hunt
- GitHub Enterprise Disable Classic Branch Protection Rule
- GitHub Enterprise Repository Archived
- GitHub Enterprise Disable Dependabot
- GitHub Enterprise Repository Deleted
- GitHub Organizations Disable Dependabot
- GitHub Enterprise Disable Audit Log Event Stream
- GitHub Enterprise Register Self Hosted Runner
- GitHub Enterprise Pause Audit Log Event Stream
- GitHub Enterprise Remove Organization
- GitHub Enterprise Modify Audit Log Event Stream
- GitHub Organizations Repository Deleted
- GitHub Enterprise Disable 2FA Requirement
- GitHub Enterprise Disable IP Allow List
- GitHub Organizations Delete Branch Ruleset
- GitHub Enterprise Delete Branch Ruleset
- GitHub Organizations Repository Archived
- GitHub Organizations Disable 2FA Requirement
- GitHub Organizations Disable Classic Branch Protection Rule
Content Updated
SnapAttack Community
Atomic Red Team
- Disable iptables
- Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted
- Delete log files via cat utility by appending /dev/null or /dev/zero (freebsd)
- Network Share Discovery command prompt
- View available share drives
- Network Share Discovery via dir command
- Network Share Discovery PowerShell
- Compressing data using tarfile in Python (FreeBSD/Linux)
- Check internet connection using ping freebsd, linux or macos
- Run Chrome-password Collector
- Mount an ISO image and run executable from the ISO
- Akira Ransomware drop Files with .akira Extension and Ransomnote
Chronicle Detection Rules
LOLDrivers
- Vulnerable Driver Load Despite HVCI (md5)
- Vulnerable Driver Load (md5)
- Vulnerable Driver Load Despite HVCI (sha1)
- Malicious Driver Load (sha1)
- Malicious Driver Load Despite HVCI (sha1)
- Malicious Driver Load (sha256)
- Vulnerable Driver Load Despite HVCI (sha256)
- Malicious Driver Load Despite HVCI (md5)
- Vulnerable Driver Load (sha256)
- Malicious Driver Load Despite HVCI (sha256)
- Malicious Driver Load (md5)
- Vulnerable Driver Load (sha1)
- Malicious Driver Load By Name
- Vulnerable Driver Load By Name
Microsoft Sentinel
- Commvault Cloud Alert
- Samsung Knox Peripheral Access Detection with Mic
- Samsung Knox Password Lockout
- Samsung Knox Suspicious URL Accessed Events
- Samsung Knox Security Log Full
- Samsung Knox Peripheral Access Detection with Camera
- Samsung Knox Application Privilege Escalation or Change
- Decoy User Account Authentication Attempt
- SUPERNOVA webshell
- Download of New File Using Curl
- Inactive or new account signins
- Detect CoreBackUp Deletion Activity from related Security Alerts
- Unfamiliar Signin Correlation with AzurePortal Signin Attempts and AuditLogs
- User removed from SQL Server SecurityAdmin Group
- Palo Alto - potential beaconing detected
- Azure secure score role overlap
- Log4j vulnerability exploit aka Log4Shell IP IOC
- Host Exporting Mailbox and Removing Export (Normalized Process Events)
- Creation of expensive computes in Azure
- Failed logon attempts in authpriv
- Privileged role attached to Instance
- Create API Token (Okta)
- Admin privilege granted (Okta)
- Connection from external IP to OMI related Ports
- Failed Logon Attempts on SQL Server
- Azure WAF Log4j CVE-2021-44228 hunting
- Service principal not using client credentials
- Rare domains seen in Cloud Logs
- Windows Print Spooler Service Suspicious File Creation
- Azure secure score role overlap
- Azure secure score integrated apps
- Mass secret retrieval from Azure Key Vault
- Sonrai Ticket Snoozed
- Failed sign-ins into LastPass due to MFA
- Potential IIS code injection attempt
- Detect Disabled Account Sign-in Attempts by Account Name
- High Urgency IONIX Action Items
- Potential IIS brute force
- Microsoft Entra ID Rare UserAgent App Sign-in
- Office365 Sharepoint File transfer above threshold
- Editing Linux scheduled tasks through Crontab
- Suspicious AWS console logins by credential access alerts
- Detect requests for an uncommon resources on the web (ASIM Web Session)
- Vectra AI Detect - Suspected Compromised Account
- Abnormal Deny Rate for Source IP
- Storage Alerts Correlation with CommonSecurityLogs & AuditLogs
- New onmicrosoft domain added to tenant
- Rare Windows Firewall Rule updates using Netsh
- Disable or Modify Windows Defender
- Abnormally Large JPEG Filed Downloaded from New Source
- Service principal not using client credentials
- SMB/Windows Admin Shares
- GSA - Detect Source IP Scanning Multiple Open Ports
- Office365 Sharepoint File transfer Folders above threshold
- Azure storage key enumeration
- VIP account more than 6 failed logons in 10
- Excessive number of failed connections from a single source (ASIM Network Session schema)
- VMware SD-WAN Edge - IDS/IPS Alert triggered (Syslog)
- Malicious Inbox Rule
- Dev-0322 Command Line Activity November 2021
- Rare Process as a Service
- Third party integrated apps
- Suspicious command line tokens in LolBins or LolScripts
- Azure Secure Score Self Service Password Reset
- Successful AWS Console Login from IP Address Observed Conducting Password Spray
- User Role altered on SQL Server
- Azure secure score block legacy authentication
- NRT Squid proxy events related to mining pools
- Low & slow password attempts with volatile IP addresses
- Ingress Tool Transfer - Certutil
- Port Sweep
- Registry Persistence via AppInit DLLs Modification
- Response rows stateful anomaly on database
- Sonrai Ticket Escalation Executed
- User password reset(Okta)
- Component Object Model Hijacking - Vault7 trick
- Detect Potential kerberoast Activities
- DNS lookups for commonly abused TLDs
- SUNSPOT malware hashes
- Azure Secure Score Self Service Password Reset
- Abnormal Port to Protocol
- High count download from a SAP Privileged account
- Possible exploitation of Apache log4j component detected
- GSA Enriched Office 365 - Windows Reserved Filenames Staged on Office File Services
- GSA - Detect Abnormal Deny Rate for Source to Destination IP
- GSA Enriched Office 365 - Files uploaded to teams and access summary
- Invited Guest User but not redeemed Invite for longer period.
- Summary of user logons by logon type
- Possible Webshell usage attempt related to SpringShell(CVE-2022-22965)
- Identify SysAid Server web shell creation
- User removed from SQL Server Roles
- Sonrai Ticket Updated
- SFTP File transfer folder count above threshold
- Successful Signin From Non-Compliant Device
- Suspicious Data Access to S3 Bucket from Unknown IP
- List all the VScode Extensions which are installed on a user system
- Malicious Connection to LDAP port for CVE-2021-44228 vulnerability
- Anomalous Microsoft Entra ID Account Manipulation
- GitHub Signin Burst from Multiple Locations
- Suspicious access of BEC related documents in AWS S3 buckets
- Azure secure score user risk policy
- Changes made to AWS CloudTrail logs
- Azure DevOps Variable Secret Not Secured
- Azure secure score MFA registration V2
- Sonrai Ticket Reopened
- Suspicious credential token access of valid IAM Roles
- Linux security related process termination activity detected
- Progress MOVEIt File transfer folder count above threshold
- Unusual Volume of Password Updated or Removed
- Registry Persistence via AppCert DLL Modification
- AV detections related to Tarrask malware
- Initiate impersonation session (Okta)
- Vectra AI Detect - Suspected Compromised Host
- Office Policy Tampering
- Successful logon from IP and failure from a different IP
- SCX Execute RunAs Providers
- Rare Audit activity initiated by User
- Possible SpringShell Exploitation Attempt (CVE-2022-22965)
- Azure WAF matching for Log4j vuln(CVE-2021-44228)
- Bitsadmin Activity
- Dev-0322 Command Line Activity November 2021 (ASIM Version)
- VMware SD-WAN Edge - Network Anomaly Detection - Potential Fragmentation Attack
- Scheduled Task Hide
- Exploit and Pentest Framework User Agent
- Anomalous sign-in location by user account and authenticating application - with sign-in details
- CloudNGFW By Palo Alto Networks - Threat signatures from Unusual IP addresses
- GSA Enriched Office 365 - Office Policy Tampering
- AV detections related to Zinc actors
- Azure secure score PW age policy new
- Azure DevOps New Extension Added
- Process executed from binary hidden in Base64 encoded file
- AV detections related to Ukraine threats
- Anomalous Microsoft Entra ID apps based on authentication location
- GitLab - Personal Access Tokens creation over time
- Permutations on logon attempts by UserPrincipalNames indicating potential brute force
- Anomalous sign-in location by user account and authenticating application
- IAM Privilege Escalation by Instance Profile attachment
- NRT Creation of expensive computes in Azure
- Azure secure score PW age policy new
- SSH - Potential Brute Force
- Shadow Copy Deletions
- Failed Login Attempt by Expired account
- Port Scan
- Potential Exploitation of MS-RPRN printer bug
- Sonrai Ticket Risk Accepted
- Anomalous Azure Operation Hunting Model
- Rename System Utilities
- Changes to AWS Elastic Load Balancer security groups
- Changes to AWS Security Group ingress and egress settings
- External Upstream Source Added to Azure DevOps Feed
- Masquerading files
- Host Exporting Mailbox and Removing Export
- User agent search for log4j exploitation attempt
- Suspicious access of BEC related documents
- Password Spraying
- Tracking Password Changes
- SFTP File transfer above threshold
- Administrators Authenticating to Another Microsoft Entra ID Tenant
- New User created on SQL Server
- Login attempt by Blocked MFA user
- GSA Enriched Office 365 - Office Mail Forwarding - Hunting Version
- Azure DevOps Pipeline modified by a new user
- [Deprecated] Explicit MFA Deny
- Suspected Brute force attack Investigation
- Potential SSH Tunnel to AAD Connect Host
- Windows Binaries Executed from Non-Default Directory
- Large Scale Malware Deployment via GPO Scheduled Task Modification
- GSA Enriched Office 365 - Non-owner mailbox login activity
- GSA Enriched Office 365 - Multiple Users Email Forwarded to Same Destination
- User Added to Admin Role
- Credential added after admin consented to Application
- Azure DevOps PAT used with Browser
- Changes to Amazon VPC settings
- Potential Impacket Execution
- Multiple Sources Affected by the Same TI Destination
- Vectra AI Detect - Detections with High Severity
- Exes with double file extension and access summary
- Squid proxy events related to mining pools
- Azure Resources Assigned Public IP Addresses
- Progress MOVEIt File transfer above threshold
- Storage Account Key Enumeration
- Remote Scheduled Task Creation or Update using ATSVC Named Pipe
- Squid commonly abused TLDs
- Dormant Service Principal Update Creds and Logs In
- Tampering to AWS CloudTrail logs
- DCOM Lateral Movement
- Remote Task Creation/Update using Schtasks Process
- Azure secure score one admin
- Possible Phishing with CSL and Network Sessions
- Azure secure score block legacy authentication
- Azure DevOps Pipeline Created and Deleted on the Same Day
- Microsoft Entra ID Local Device Join Information and Transport Key Registry Keys Access
- Azure secure score sign in risk policy
- Dataverse - Honeypot instance activity
- Azure secure score sign in risk policy
- External IP address in Command Line
- Windows Binaries Lolbins Renamed
- Rare firewall rule changes using netsh
- Azure secure score admin MFA V2
- Account Elevated to New Role
- Multiple Explicit Credential Usage - 4648 events
- Commands executed by WMI on new hosts - potential Impacket
- Rare MFA Operations (Okta)
- Logins originating from VPS Providers
- Potential beaconing activity (ASIM Network Session schema)
- Cobalt Strike DNS Beaconing
- VMware SD-WAN Edge - Network Anomaly Detection - RPF Check Failure
- Multiple users email forwarded to same destination
- Possible command injection attempts against Azure Integration Runtimes
- Office ASR rule triggered from browser spawned office process.
- Sign-ins from Nord VPN Providers
- Web Shell Activity
- Dev-0322 File Drop Activity November 2021 (ASIM Version)
- Monitor AWS Credential abuse or hijacking
- The download of potentially risky files from the Discord Content Delivery Network (CDN) (ASIM Web Session)
- Vectra AI Detect - Suspicious Behaviors by Category
- Webshell Detection
- URI requests from single client
- Successful Sign-In From Non-Compliant Device with bulk download activity
- Beacon Traffic Based on Common User Agents Visiting Limited Number of Domains
- SQL Alert Correlation with CommonSecurityLogs and AuditLogs
- Vulnerable Machines related to log4j CVE-2021-44228
- Sonrai Ticket Assigned
- Access Token Manipulation - Create Process with Token
- Sonrai Ticket Escalation Executed
- Malicious BEC Inbox Rule
- Multiple admin membership removals from newly created admin.
- Changes made to AWS IAM policy
- Rare Custom Script Extension
- Dev-0056 Command Line Activity November 2021 (ASIM Version)
- Dev-0322 File Drop Activity November 2021
- VMware SD-WAN Edge - IDS/IPS Alert triggered (Search API)
- Establishing internal proxies
- GSA Enriched Office 365 - PowerShell or non-browser mailbox login activity
- Full Admin policy created and then attached to Roles, Users or Groups
- New Sonrai Ticket
- MFA Rejected by User
- Storage Alert Correlation with CommonSecurityLogs and StorageLogs
- New Agent Added to Pool by New User or Added to a New OS Type
- Changes to internet facing AWS RDS Database instances
- Threat Essentials - Multiple admin membership removals from newly created admin.
- MFA Fatigue (OKTA)
- Rare process running on a Linux host
- Starting or Stopping HealthService to Avoid Detection
- Unicode Obfuscation in Command Line
- Remote Task Creation/Update using Schtasks Process
- GSA Enriched Office 365 - Multiple Users Email Forwarded to Same Destination
- Azure secure score user risk policy
- Users Authenticating to Other Microsoft Entra ID Tenants
- Sonrai Ticket Closed
- SonicWall - Capture ATP Malicious File Detection
- New PA, PCA, or PCAS added to Azure DevOps
- Users Opening and Reading the Local Device Identity Key
- Fake computer account authentication attempt
- Execution of File with One Character in the Name
- AV detections related to SpringShell Vulnerability
- SAP ETD - Login from unexpected network
- VMware SD-WAN Edge - IDS/IPS Signature Update Failed
- TI Map File Entity to WireData Event
- Uncommon processes - bottom 5% (Normalized Process Events)
- TI Map File Entity to VMConnection Event
- TI Map File Entity to Syslog Event
- First Time Source IP to Destination Using Port
- Uncommon processes - bottom 5%
- TI Map File Entity to Security Event
- TI Map File Entity to OfficeActivity Event
- Forescout-DNS_Sniff_Event_Monitor
Sigma Community Rules
- Nslookup PowerShell Download Cradle
- Service Reload or Start - Linux
- Malicious PowerShell Commandlets - ProcessCreation
- Malicious PowerShell Scripts - PoshModule
- PUA - SoftPerfect Netscan Execution
- Cisco Duo Successful MFA Authentication Via Bypass Code
- Remote Access Tool - AnyDesk Execution
- New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet
- Python Path Configuration File Creation - Windows
- Remote Access Tool - Anydesk Execution From Suspicious Folder
- Python Path Configuration File Creation - MacOS
- Python Path Configuration File Creation - Linux
- Forest Blizzard APT - Custom Protocol Handler DLL Registry Set
- Malicious PowerShell Commandlets - PoshModule
- Pnscan Binary Data Transmission Activity
- ADS Zone.Identifier Deleted By Uncommon Application
- Forest Blizzard APT - JavaScript Constrained File Creation
- Suspicious Binary Writes Via AnyDesk
- Malicious PowerShell Scripts - FileCreation
- RegAsm.EXE Initiating Network Connection To Public IP
- Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection
- Remote Access Tool - AnyDesk Incoming Connection
- Anydesk Remote Access Software Service Installation
- Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - File Creation
- Potential DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE
- Forest Blizzard APT - Custom Protocol Handler Creation
- Kubernetes Unauthorized or Unauthenticated Access
- Outbound Network Connection Initiated By Microsoft Dialer
- File Deleted Via Sysinternals SDelete
- Backup Files Deleted
- Potential Obfuscated Ordinal Call Via Rundll32
- Process Memory Dump Via Comsvcs.DLL
Splunk
- Windows Process With NetExec Command Line Parameters
- Windows Command and Scripting Interpreter Path Traversal Exec
- Linux Auditd Shred Overwrite Command
- Linux Auditd Doas Conf File Creation
- Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File
- Linux Auditd Find Ssh Private Keys
- Linux Auditd Preload Hijack Via Preload File
- Linux Auditd Data Transfer Size Limits Via Split Syscall
- Linux Auditd Find Credentials From Password Stores
- Linux Auditd Possible Access To Credential Files
- Linux Auditd Kernel Module Using Rmmod Utility
- Linux Auditd Install Kernel Module Using Modprobe Utility
- Linux Auditd At Application Execution
- Linux Auditd Setuid Using Setcap Utility
- Linux Auditd Unload Module Via Modprobe
- Linux Auditd Hardware Addition Swapoff
- Linux Auditd Add User Account Type
- Linux Auditd Possible Access To Sudoers File
- Linux Auditd Add User Account
- Linux Auditd Virtual Disk File And Directory Discovery
- Linux Auditd Dd File Overwrite
- Linux Auditd Doas Tool Execution
- Linux Auditd Find Credentials From Password Managers
- Linux Auditd Edit Cron Table Parameter
- Linux Auditd Database File And Directory Discovery
- Linux Auditd Stop Services
- Linux Auditd System Network Configuration Discovery
- Linux Auditd Setuid Using Chmod Utility
- Linux Auditd Private Keys and Certificate Enumeration
- Linux Auditd Data Destruction Command
- Linux Auditd Insert Kernel Module Using Insmod Utility
- Linux Auditd Preload Hijack Library Calls
- Linux Auditd Hidden Files And Directories Creation
- Linux Auditd File Permission Modification Via Chmod
- Linux Auditd Kernel Module Enumeration
- Linux Auditd Osquery Service Stop
- Linux Auditd Sysmon Service Stop
- Linux Auditd File And Directory Discovery
- Linux Auditd Unix Shell Configuration Modification
- Linux Auditd Disable Or Modify System Firewall
- Linux Auditd Auditd Service Stop
- Linux Auditd Service Restarted
- Linux Auditd Service Started
- Linux Auditd Possible Access Or Modification Of Sshd Config File
- Linux Auditd File Permissions Modification Via Chattr
- Linux Auditd Change File Owner To Root
- Linux Auditd Data Transfer Size Limits Via Split
- Linux Auditd Clipboard Data Copy
- Linux Auditd Sudo Or Su Execution
- Linux Auditd Base64 Decode Files
- Linux Auditd Nopasswd Entry In Sudoers File
- Linux Auditd Whoami User Discovery
- Windows Impair Defense Disable Realtime Signature Delivery
- Windows Diskshadow Proxy Execution
- Windows Command and Scripting Interpreter Hunting Path Traversal
- Gsuite Email With Known Abuse Web Service Link
- Suspicious Java Classes
- Windows Detect Network Scanner Behavior
- Linux System Network Discovery
- Windows Indirect Command Execution Via Series Of Forfiles
- Suspicious Reg exe Process
- Detect Regasm Spawning a Process
- Windows Impair Defenses Disable Win Defender Auto Logging
- Windows Set Account Password Policy To Unlimited Via Net
- Windows AD Replication Service Traffic
- Windows ISO LNK File Creation
- Batch File Write to System32
- Adobe ColdFusion Unauthenticated Arbitrary File Read
- Citrix ShareFile Exploitation CVE-2023-24489
- Windows Disable Shutdown Button Through Registry
- Windows Modify Registry Tamper Protection
- Linux Decode Base64 to Shell
- Disable Windows SmartScreen Protection
- Spoolsv Writing a DLL
- Wmic Group Discovery
- Suspicious microsoft workflow compiler usage
- Windows Office Product Spawned Uncommon Process
- O365 Concurrent Sessions From Different Ips
- Cloud Compute Instance Created With Previously Unseen Instance Type
- O365 Service Principal Privilege Escalation
- Juniper Networks Remote Code Execution Exploit Detection
- Detect HTML Help Renamed
- Linux At Application Execution
- Windows Privilege Escalation Suspicious Process Elevation
- Windows InProcServer32 New Outlook Form
- Windows Service Execution RemCom
- Nishang PowershellTCPOneLine
- Dump LSASS via comsvcs DLL
- Windows Indirect Command Execution Via pcalua
- Windows Unusual NTLM Authentication Destinations By Source
- Windows Execute Arbitrary Commands with MSDT
- Windows Impair Defense Override SmartScreen Prompt
- Windows BootLoader Inventory
- DNS Exfiltration Using Nslookup App
- Windows InstallUtil Uninstall Option
- Wermgr Process Spawned CMD Or Powershell Process
- Suspicious Copy on System32
- Suspicious wevtutil Usage
- Windows Group Discovery Via Net
- Windows Registry BootExecute Modification
- Windows Rundll32 Apply User Settings Changes
- Windows LSA Secrets NoLMhash Registry
- Modify ACL permission To Files Or Folder
- NLTest Domain Trust Discovery
- Detect Use of cmd exe to Launch Script Interpreters
- Windows Modify Registry Disable Toast Notifications
- Linux PHP Privilege Escalation
- O365 Mailbox Email Forwarding Enabled
- Get ADUserResultantPasswordPolicy with Powershell
- Domain Group Discovery With Wmic
- Notepad with no Command Line Arguments
- O365 Multiple Users Failing To Authenticate From Ip
- Detect PsExec With accepteula Flag
- CMD Echo Pipe - Escalation
- Linux Adding Crontab Using List Parameter
- Windows Impair Defense Disable Win Defender Signature Retirement
- O365 Compliance Content Search Exported
- Remote Process Instantiation via WinRM and PowerShell
- Windows Odbcconf Hunting
- Windows Modify Registry MaxConnectionPerServer
- Windows Service Stop Attempt
- Windows BitLocker Suspicious Command Usage
- BITS Job Persistence
- GCP Authentication Failed During MFA Challenge
- Windows New Custom Security Descriptor Set On EventLog Channel
- Windows Credentials from Password Stores Chrome Copied in TEMP Dir
- Windows Impair Defenses Disable AV AutoStart via Registry
- Windows Cisco Secure Endpoint Uninstall Immunet Service Via Sfc
- Microsoft Intune Manual Device Management
- Windows Powershell RemoteSigned File
- Azure AD Admin Consent Bypassed by Service Principal
- Windows System Network Connections Discovery Netsh
- Windows InstallUtil Remote Network Connection
- Microsoft Intune Device Health Scripts
- Detect Password Spray Attack Behavior On User
- Windows Ingress Tool Transfer Using Explorer
- Suspicious Rundll32 PluginInit
- Windows InstallUtil URL in Command Line
- Linux Hardware Addition SwapOff
- Windows System Binary Proxy Execution Compiled HTML File Decompile
- Potential System Network Configuration Discovery Activity
- GetWmiObject User Account with PowerShell
- WSReset UAC Bypass
- Windows Modify Registry AuthenticationLevelOverride
- F5 BIG-IP iControl REST Vulnerability CVE-2022-1388
- Scheduled Task Initiation on Remote Endpoint
- Windows MSIExec Spawn Discovery Command
- Windows Global Object Access Audit List Cleared Via Auditpol
- Windows UAC Bypass Suspicious Escalation Behavior
- O365 Mail Permissioned Application Consent Granted by User
- O365 Tenant Wide Admin Consent Granted
- Windows Audit Policy Security Descriptor Tampering via Auditpol
- Windows WMI Process Call Create
- Impacket Lateral Movement WMIExec Commandline Parameters
- Recursive Delete of Directory In Batch CMD
- Network Traffic to Active Directory Web Services Protocol
- Windows Impair Defenses Disable Auto Logger Session
- Malicious PowerShell Process - Encoded Command
- Windows WMI Process And Service List
- Detect Rare Executables
- ASL AWS Defense Evasion Stop Logging Cloudtrail
- Detect Outbound LDAP Traffic
- Regsvr32 with Known Silent Switch Cmdline
- Windows Indirect Command Execution Via forfiles
- Okta ThreatInsight Threat Detected
- Wmic NonInteractive App Uninstallation
- Windows Disable Windows Event Logging Disable HTTP Logging
- Windows Apache Benchmark Binary
- Azure AD Service Principal Enumeration
- ASL AWS Credential Access RDS Password reset
- Impacket Lateral Movement Commandline Parameters
- Bcdedit Command Back To Normal Mode Boot
- Detect RTLO In Process
- Attempt To Add Certificate To Untrusted Store
- Svchost LOLBAS Execution Process Spawn
- Gdrive suspicious file sharing
- Azure AD Multiple Service Principals Created by User
- Disabling Task Manager
- O365 New Forwarding Mailflow Rule Created
- Windows Sensitive Registry Hive Dump Via CommandLine
- Windows System Shutdown CommandLine
- Vbscript Execution Using Wscript App
- Windows Remote Assistance Spawning Process
- Excessive Usage Of Cacls App
- Gsuite Suspicious Shared File Name
- Linux Setuid Using Chmod Utility
- RunDLL Loading DLL By Ordinal
- Zscaler Exploit Threat Blocked
- Detect Certify Command Line Arguments
- Windows Registry Certificate Added
- Windows Impair Defense Disable Controlled Folder Access
- Windows Defender ASR Audit Events
- Detect Baron Samedit CVE-2021-3156 Segfault
- O365 Bypass MFA via Trusted IP
- Windows RDP File Execution
- Windows Delete or Modify System Firewall
- Azure AD Successful Authentication From Different Ips
- Windows System LogOff Commandline