Briefs

Adversaries disable crucial scheduled tasks, such as those related to BitLocker, Windows Defender, System Restore and Windows Update, using schtasks.exe to disrupt services and potentially facilitate data destruction or ransomware deployment.

Detection of successful Azure AD authentications to critical applications that only required single-factor authentication, potentially indicating a security lapse or policy violation leading to unauthorized access.

Detection of a temporary access pass (TAP) being added to an Azure AD account, which could indicate potential privilege escalation, initial access, persistence, or stealth activity.

This rule identifies the use of bcdedit.exe to modify boot configuration data, which may be indicative of a destructive attack or ransomware activity aimed at inhibiting system recovery by disabling error recovery or ignoring boot failures.

This brief outlines detection strategies for adversaries leveraging Invoke-Obfuscation techniques within PowerShell scripts executed via standard input, a method commonly used to evade traditional detection mechanisms.

This alert identifies when an application is deleted within an Azure environment, which could indicate malicious activity or unintended misconfiguration leading to service disruption.

Detects PowerShell being used to download executable files from untrusted remote destinations, a common technique for attackers to introduce tooling or malware into a compromised environment.

This analytic detects non-Firefox processes accessing the Firefox profile directory, potentially indicating malware attempting to harvest sensitive user data like login credentials, browsing history, and cookies.

Detects suspicious command execution via WMI on a Windows host, potentially indicating lateral movement by an adversary using cmd.exe to execute commands remotely.

An adversary may attempt to bypass AMSI by creating a rogue AMSI DLL in an unusual location to evade detection.

Detects suspicious processes spawned by WScript or CScript, a common technique used by adversaries to execute LOLBINs, PowerShell, or inject code into suspended processes for defense evasion.

This rule detects suspicious execution of system enumeration commands by the Windows Management Instrumentation Provider Service (WMIPrvSE), indicating potential reconnaissance or malicious activity on Windows systems.

This rule detects attempts to execute content from remote WebDAV shares, where attackers may abuse WebDAV paths, public tunnels, or host@port UNC paths to execute tools or scripts, reducing local staging on the victim's file system.

This threat brief covers the detection of suspicious processes modifying sensitive files on Linux systems, potentially indicating malicious attempts to persist, escalate privileges, or disrupt system operations.

The analytic detects the execution of msiexec.exe with an HTTP or HTTPS URL, which indicates an attempt to download and execute potentially malicious software from a remote server, leading to potential unauthorized code execution, system compromise, or malware deployment.

Detects suspicious process access events where the call trace does not originate from known Windows system DLLs, indicating potential defense evasion by bypassing hooked APIs via direct syscalls.

Detection of network connections initiated by unusual Windows system binaries, often leveraged by adversaries to proxy execution of malicious code and evade detection, indicating potential defense evasion and command and control activity.

An Elastic machine learning rule detects unusual remote file transfers with rare extensions, potentially indicating lateral movement activity on a host and suggesting adversaries bypassing security measures.

Attackers may use auditpol.exe with the /restore argument to replace the existing audit policy with a malicious one, disabling auditing to evade detection, potentially leading to full machine compromise or lateral movement.

Attackers may disable AutoLogger sessions by modifying specific registry values to evade detection and prevent security monitoring of early boot activities and system events, a technique observed in intrusions involving IcedID and XingLocker ransomware.

Adversaries may delete Windows backup catalogs and system state backups using wbadmin.exe to inhibit system recovery, often as part of ransomware or other destructive attacks.

Detects the execution of a binary from archive-related paths within a user's Temp directory, potentially indicating attempts to bypass Mark-of-the-Web (MOTW) or exploit vulnerabilities like CVE-2025-0411.

Detects modifications to a Windows computer account's User Account Control flags, specifically the `SERVER_TRUST_ACCOUNT` flag, potentially indicating unauthorized domain controller promotion or privilege escalation within Active Directory.

Attackers modify Windows Registry keys associated with Windows Defender to disable real-time behavior monitoring, a common tactic used by malware to evade detection and persist on compromised systems.

Detection of attempts to mount the EFI volume on Windows systems using mountvol.exe, potentially leading to system compromise.

Attackers modify the Windows registry to disable the Folder Options feature, preventing users from showing hidden files and file extensions, commonly used by malware to conceal malicious files and deceive users with fake file extensions.

Adversaries may modify service security descriptors to deny access to specific groups, potentially escalating privileges and hindering security services, by using sc.exe to set new deny ACEs (Access Control Entries) on Windows services.

Detection of command-line tools executing from the IIS installation directory on Windows systems, potentially indicating exploitation of IIS-reliant software like Microsoft Exchange.

Detects the creation of Windows theme files in unusual locations, such as Desktop, Documents, Downloads, or Temp directories, which can be indicative of remote code execution or NTLM coercion attacks.

Detection of choice.exe used in batch files for time-based evasion, a technique observed in SnakeKeylogger malware, indicating potential stealthy code execution and persistence.