Briefs

This rule detects suspicious sequences where a non-root user launches a high-risk parent process and then executes a common privilege elevation helper gaining an effective UID of 0 while the real UID remains non-root, potentially indicating misuse of SUID/SGID helpers or privilege escalation attempts.

Detects potential execution of Windows commands or downloaded files via the browser's dialog box, where adversaries may use phishing to instruct victims to copy and paste malicious commands for execution.

The Atypical Travel detection in Azure Identity Protection identifies potentially compromised user accounts by detecting geographically improbable sign-in activity, indicative of account compromise or misuse.

Attackers can modify PowerShell profiles to inject malicious code that executes each time PowerShell starts, establishing persistence on a Windows system.

A critical RCE vulnerability in OpenLearnX allows for sandbox escape and arbitrary command execution in versions prior to 2.0.3.

This rule detects PowerShell script block content containing PSReflect-style helper indicators, such as Add-Win32Type, New-InMemoryModule, or DllImport patterns, that may support dynamic Win32 API invocation from PowerShell.

The rule detects attempts to reset potentially privileged account passwords remotely, a tactic used by adversaries to maintain access, evade password policies, and preserve compromised credentials.

Detection of Azure Active Directory accounts that are created and deleted within a short timeframe, potentially indicating malicious activity such as privilege escalation or persistence attempts.

Detection of a user being added to a privileged role in Azure AD, potentially indicating privilege escalation or persistence by an attacker.

Detects a significant increase (10% or greater) in failed Azure AD sign-in attempts, potentially indicating brute-force attacks, credential stuffing, or other unauthorized access attempts.

Adversaries may abuse control.exe to proxy execution of malicious code by using the Control Panel process to execute payloads from unusual locations, detected by identifying suspicious keywords or paths in the process command line.

The Csc.exe (C# compiler) process is being launched by unusual parent processes or from suspicious locations, indicating potential malware execution or defense evasion.

A machine learning job has identified a user performing privileged operations in Windows from an uncommon device, indicating potential privileged access activity associated with compromised accounts or insider threats.

A machine learning job has identified a user leveraging an uncommon privilege type for privileged operations on Windows systems, potentially indicating privileged access activity and requiring investigation for privilege escalation or account manipulation.

A machine learning job detected a user performing privileged operations in Windows from an uncommon source IP, potentially indicating account compromise or privilege escalation.

The AWS root account, which grants unrestricted access to all resources within an AWS account, was used, potentially indicating unauthorized activity, privilege escalation, or a breach of security best practices.

This brief focuses on detecting malicious inbox manipulation rules set within a user's Azure environment, often indicative of account compromise or insider threats aiming to conceal illicit activities.

This brief covers a detection for suspicious script execution, such as PowerShell, WScript, or MSHTA, originating from common temporary directories, potentially indicating malware activity.

An AWS S3 bucket deletion event was detected via CloudTrail logs, potentially indicating data loss or unauthorized access attempts.

Attackers may use compression utilities like zip, tar, and gzip on Linux systems to collect and archive sensitive files containing credentials and system configurations for credential access and data exfiltration.

This rule detects network events indicating the use of Windows file sharing (SMB or CIFS) traffic to the Internet, which is commonly exploited for initial access, backdoor deployment, or data exfiltration.

Detection of newly seen removable devices via Windows registry modification events can indicate data exfiltration attempts or initial access via malicious USB drives.

MikroTik RouterOS 6.49.8 is vulnerable to an out-of-bounds read in the SCEP endpoint component, triggered by remote manipulation of the transactionID/messageType argument, potentially leading to denial of service or information disclosure.

Adversaries may use ping to delay execution of malicious commands, scripts, or binaries to evade detection, often observed during malware installation.

The following analytic detects modification of the Windows registry to disable the Run application in the Start menu by monitoring changes to the registry path '*\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun' with a value of '0x00000001', potentially hindering system cleaning and aiding malware persistence.

Adversaries may create scheduled tasks on Windows systems to establish persistence, move laterally, or escalate privileges, and this detection identifies such activity by monitoring Windows event logs for scheduled task creation events, excluding known benign tasks and those created by system accounts.

The analytic identifies the use of taskkill.exe to forcibly terminate processes, focusing on command-line executions that include specific taskkill parameters, which can indicate attempts to disable security tools or disrupt legitimate applications.

Detection of rapid creation and deletion of scheduled tasks on Windows, indicating potential malicious activity abusing the task scheduler for execution and cleanup.

The WScript or CScript Dropper technique involves using cscript.exe or wscript.exe to write malicious script files (js, jse, vba, vbe, vbs, wsf, wsh) to suspicious locations on a Windows system for later execution.

A stored XSS vulnerability in YAFNET.Core allows an attacker to inject arbitrary JavaScript into forum posts, which executes in the browsers of other users viewing the thread, potentially leading to account compromise and malware delivery.