Threat Feed

Product

Splunk Enterprise Security

263 briefs
high advisory

Windows AD Domain Root ACL Deletion

The analytic detects ACL deletion on the domain root object in Active Directory by monitoring Windows Event Log Security event ID 5136, identifying significant AD changes with potentially high impact.

Splunk Enterprise +3 active-directory acl privilege-escalation persistence windows
2r 2t
medium advisory

Detect Large ICMP Traffic

This analytic identifies ICMP traffic to external IP addresses with total bytes greater than 1,000 bytes, leveraging the Network_Traffic data model to detect potential information smuggling, covert communication, or command-and-control (C2) activities.

Palo Alto Network Traffic +4 network command-and-control icmp
2r 1t
high advisory

Windows SQL Server xp_cmdshell Configuration Change Detected

Detection of changes to the xp_cmdshell configuration in SQL Server, a feature often abused by attackers for privilege escalation and lateral movement by enabling execution of operating system commands.

SQL Server +3 sql_server xp_cmdshell privilege_escalation lateral_movement windows
2r 1t
high advisory

SQL Server Critical Procedures Enabled Leading to Potential Code Execution or Reconnaissance

Modification of critical SQL Server configuration options, such as 'Ad Hoc Distributed Queries', 'external scripts enabled', 'Ole Automation Procedures', 'clr enabled', and 'clr strict security', can enable attackers to perform Active Directory reconnaissance and execute arbitrary code on the database host.

SQL Server +3 sql-server code-execution reconnaissance windows
2r 2t
medium threat

Windows Cabinet File Extraction via Expand.exe

Detection of expand.exe being used to extract Microsoft Cabinet (CAB) archives, specifically when extracting to C:\ProgramData or similar staging locations, potentially indicating ingress tool transfer and payload staging by threat actors like APT37.

Splunk Enterprise +2 APT37 cabinet_extraction expand.exe windows endpoint
2r 2t
high advisory

SLUI RunAs Elevated Privilege Escalation

Detection of the Microsoft Software Licensing User Interface Tool (`slui.exe`) being executed with elevated privileges using the `-verb runas` parameter, indicating a potential privilege escalation attempt.

Splunk Enterprise Security +2 privilege-escalation defense-evasion windows
2r 1t
medium advisory

ESXi External Root Login Detection

This detection identifies instances where the ESXi UI is accessed using the root account instead of a delegated administrative user, which bypasses role-based access controls and may indicate risky behavior or unauthorized activity.

ESXi +3 vmware root_login privilege_escalation
2r 1t
high advisory

Windows AD CS ESC1 Certificate Authentication Abuse

This analytic detects the issuance of a suspicious certificate with a Subject Alternative Name (SAN) using Active Directory Certificate Services (AD CS) and its immediate use for authentication, indicating potential exploitation of improperly configured certificate templates for privilege escalation.

Active Directory Certificate Services +3 adcs certificate_abuse privilege_escalation windows
2r 2t
high advisory

Windows Privilege Escalation via Suspicious Process Elevation

This analytic detects when a process running with low or medium integrity spawns an elevated process with high or system integrity in suspicious locations, potentially indicating successful privilege escalation by a threat actor.

Splunk Enterprise +2 privilege-escalation windows
2r 3t
high advisory

Windows AD ServicePrincipalName Added To Domain Account

This Splunk analytic detects the addition of a Service Principal Name (SPN) to a domain account by monitoring Windows Event Code 5136 and changes to the servicePrincipalName attribute, potentially indicating Kerberoasting attempts leading to unauthorized access.

Splunk Enterprise +2 kerberoasting active_directory spn persistence
2r 1t
high advisory

Windows AD sIDHistory Attribute Modification Detection

This analytic detects changes to the sIDHistory attribute of user or computer objects within the same domain using Windows Security Event Codes 4738 and 4742, which can be abused by adversaries to gain unauthorized access, maintain persistence, or escalate privileges by inheriting permissions from another account.

Splunk Enterprise +2 sidhistory active-directory privilege-escalation persistence windows
2r 2t
medium advisory

Windows AD Object Owner Updated

This Splunk search detects when the owner of an Active Directory object is updated, potentially granting full control privileges and enabling object hiding, focusing on Windows Event Log ID 5136, and includes lookups for SID resolution.

Splunk Enterprise +3 active-directory privilege-escalation persistence
2r 2t
high advisory

Windows AD Hidden Organizational Unit Creation

This analytic detects when an ACL is applied to an organizational unit (OU) to deny listing the objects residing in it; this activity, combined with modifying the owner of the OU, can hide Active Directory objects, even from domain administrators.

Splunk Enterprise +2 active-directory persistence privilege-escalation windows t1222.001 t1484
2r 2t
high advisory

Windows AD Domain Root ACL Modification

Modification of Access Control Lists (ACLs) on the Active Directory domain root object can grant attackers persistent and escalated privileges.

Splunk Enterprise +3 active-directory persistence privilege-escalation
2r 2t
high advisory

Windows AD Domain Replication ACL Addition

This analytic detects the addition of permissions required for a DCSync attack, specifically DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, and DS-Replication-Get-Changes-In-Filtered-Set, leveraging Windows Security Event Log 5136 to identify when these permissions are granted, which indicates potential preparation for replicating AD objects and exfiltrating sensitive data.

Active Directory +3 attack.persistence attack.privilege_escalation attack.t1484 windows active-directory
2r 2t
high advisory

Windows AD DCShadow Privilege Escalation via ACL Modification

This detection identifies an Active Directory access-control list (ACL) modification event, which applies the minimum required extended rights to perform the DCShadow attack by modifying permissions on the domainDNS object.

Active Directory +3 dcshadow active_directory acl privilege_escalation persistence
2r 3t
high advisory

Active Directory User ACL Modification with Dangerous Permissions

Detection of Active Directory user object ACL modifications that grant dangerous permissions, such as full control or the ability to modify permissions, potentially indicating privilege escalation or malicious activity.

Active Directory +3 active-directory privilege-escalation acl windows
2r 2t
high advisory

Prohibited Network Traffic Allowed

This analytic detects instances where prohibited network traffic is allowed, highlighting potential misconfigurations or policy violations that could lead to unauthorized access or data exfiltration, ultimately allowing attackers to bypass network defenses.

Secure Firewall Threat Defense +3 network policy-violation firewall traffic-monitoring
2r 1t
medium advisory

Unauthorized Asset Detection via DHCP Request Analysis

This analytic identifies potentially unauthorized devices attempting to connect to an organization's network by inspecting DHCP request packets and comparing MAC addresses against a list of known authorized devices.

Splunk Enterprise +2 asset-tracking unauthorized-access network
2r 1t
high advisory

Azure AD User ImmutableId Attribute Modification for Persistence

The following analytic identifies modifications to the SourceAnchor (ImmutableId) attribute for an Azure Active Directory user, which is a step in setting up an Azure AD identity federation backdoor that allows an attacker to impersonate any user and bypass MFA.

Splunk Enterprise +3 azuread persistence identityfederation backdoor cloud
2r 1t
medium advisory

Monitor Email for Brand Abuse via Domain Permutations

This analytic identifies emails claiming to originate from domains similar to those being monitored for abuse by cross-referencing sender addresses with a lookup table of domain permutations, indicating potential phishing or brand impersonation.

Splunk Enterprise +2 brand-abuse email phishing impersonation
2r 1t
high advisory

Cisco Privileged Account Creation with Suspicious SSH Activity

This analytic detects a correlation between privileged account creation on Cisco IOS devices and subsequent inbound SSH connections to non-standard ports or sshd_operns, indicating persistence establishment following initial compromise.

IOS +4 network persistence initial-access
3r 2t
high advisory

Windows Post Exploitation Risk Behavior Detection

This analytic identifies potential post-exploitation behaviors on a Windows system by monitoring multiple risk events and their associated MITRE ATT&CK tactics, indicating potential malicious actions following an initial compromise.

Splunk Enterprise +2 post-exploitation windows splunk
2r 8t
medium advisory

Windows Registry Modification Risk Behavior Detection

This analytic identifies instances where three or more distinct registry modification events associated with MITRE ATT&CK Technique T1112 are detected, leveraging Splunk's Risk data model to detect persistence, hiding malicious configurations, or erasing forensic evidence.

Splunk Enterprise +2 registry persistence defense-evasion windows
2r 2t
high advisory

Steal or Forge Authentication Certificates Behavior Identified

The analytic identifies potential threats related to the theft or forgery of authentication certificates by detecting when five or more analytics from the Windows Certificate Services story trigger within a specified timeframe, indicating an ongoing attack aimed at compromising authentication mechanisms that could grant unauthorized access to sensitive systems and data.

Splunk Enterprise +2 credential-access t1649 endpoint
1r 1t
medium advisory

Living Off The Land Activity Detection

This correlation search identifies multiple risk events associated with 'Living Off The Land' activity, leveraging the Risk data model to aggregate events, focusing on systems with a high count of distinct sources, potentially enabling attackers to execute code, escalate privileges, or persist within the environment using trusted system utilities.

Splunk Enterprise +2 living-off-the-land persistence privilege-escalation execution
2r 5t
high advisory

Linux Persistence and Privilege Escalation Risk Behavior Detected

A Splunk correlation search identifies potential Linux persistence and privilege escalation activities based on risk scores and event counts from various Linux-related data sources, highlighting behaviors that could allow an attacker to maintain access or gain elevated privileges on a Linux system.

Splunk Enterprise +2 persistence privilege-escalation linux
2r 2t
high advisory

Active Directory Privilege Escalation Identified via Correlated Risk Events

This correlation analytic identifies potential privilege escalation activities within an organization's Active Directory (AD) environment by correlating multiple analytics from the Active Directory Privilege Escalation analytic story within a specified time frame, helping identify coordinated attempts to gain elevated privileges which could lead to unauthorized access to sensitive systems and data.

Splunk Enterprise +2 active-directory privilege-escalation
2r 1t
high advisory

Active Directory Lateral Movement Identified via Splunk Correlation

This correlation identifies potential lateral movement activities within an Active Directory environment by correlating multiple analytics from the Active Directory Lateral Movement analytic story within a specified time frame, potentially leading to privilege escalation, access to sensitive information, and persistence within the environment.

Splunk Enterprise +2 lateral-movement threat-detection active-directory
2r 1t
high advisory

High-Risk Repository Activity in DevSecOps Environments

This analytic identifies high-risk activities within repositories by correlating repository data with risk scores in DevSecOps environments, focusing on scores above 100 and sources with more than three occurrences to highlight potential vulnerabilities leading to data breaches or infrastructure compromise.

Splunk Enterprise +3 devsecops risk-analysis splunk
2r 1t
high advisory

AWS S3 Exfiltration Behavior Identified

This analytic identifies potential AWS S3 exfiltration behavior by correlating multiple risk events related to Collection and Exfiltration techniques, leveraging AWS sources and focusing on instances where multiple unique analytics and distinct MITRE ATT&CK IDs are triggered for a specific risk object.

S3 +3 cloud exfiltration aws
2r 1t
high advisory

Okta User Risk Threshold Exceeded via Aggregated Suspicious Activities

This correlation identifies when a user exceeds a risk threshold based on multiple suspicious Okta activities by aggregating risk events from 'Suspicious Okta Activity,' 'Okta Account Takeover,' and 'Okta MFA Exhaustion' analytic stories, highlighting potentially compromised user accounts exhibiting multiple TTPs that could lead to unauthorized access, privilege escalation, or persistence.

Okta +3 account-takeover risk-framework
2r 2t
medium advisory

Monitor Web Traffic For Brand Abuse

This analytic identifies web requests to domains that closely resemble a monitored brand's domain, indicating potential brand abuse indicative of phishing or malware distribution attempts.

Splunk Enterprise +2 brand-abuse phishing network
2r 1t
high advisory

O365 BEC Email Hiding Rule Creation

This analytic detects the creation of suspicious mailbox rules in Office 365, a common Business Email Compromise (BEC) technique for hiding emails, by identifying rules with short or nonsensical names that mark emails as read or move them to specific folders.

Office 365 +4 bec o365 email mailboxrule splunk threat-hunting
2r 1t
medium threat

Cisco Secure Firewall - High Volume of Intrusion Events Per Host

This analytic detects internal systems generating an unusually high volume of intrusion detections within a 30-minute window using Cisco Secure Firewall Threat Defense logs, identifying hosts triggering more than 15 Snort-based signatures, which may indicate suspicious activity like malware execution, command-and-control communication, vulnerability scanning, or lateral movement.

exploited Secure Firewall Threat Defense +3 network intrusion_detection anomaly_detection
2r 3t
high advisory

Windows EFI Bootloader File Modification Detection

A process writing to critical EFI bootloader files (bootmgfw.efi or bootx64.efi) within the \EFI\Boot\ directory may indicate a bootkit installation, malicious code persistence at the firmware level, or tampering with the system boot process.

Splunk Enterprise +2 bootkit persistence efi bootloader windows
2r 1t 1c
high advisory

Windows MSI Rollback Script Deletion by Non-Msiexec Process

Detection of a rollback script (.rbs) file deletion under C:\Config.Msi by a non-msiexec.exe process, indicating a potential MSI rollback privilege escalation attack.

Splunk Enterprise +2 privilege-escalation rollback windows
2r 2t 1c
high advisory

Crowdstrike RTR Script Execution via PowerShell

Detection of PowerShell execution initiated via Crowdstrike Real Time Response (RTR) 'runscript' command, potentially indicating malicious actors leveraging compromised Crowdstrike Dashboard access to execute commands on remote hosts using encoded commands.

Splunk Enterprise +3 living-off-the-land rtr script-execution
2r 1t
high advisory

Detecting Windows Remote Image Loading for Malicious Activities

This analytic detects instances where a process loads a file from a remote share path, potentially indicating execution, defense evasion, or lateral movement by attackers loading code from attacker-controlled infrastructure.

Windows +3 remote-image-load defense-evasion lateral-movement sysmon
2r 5t
medium advisory

GitHub Enterprise Audit Log Streaming Paused

Detection of a user pausing audit log event streaming in GitHub Enterprise, potentially indicating an attempt to evade detection by disabling the audit trail.

GitHub Enterprise +3 github audit-log defense-evasion
2r 2t
medium advisory

IIS HTTP Logging Disabled via AppCmd.exe

Detection of adversaries disabling HTTP logging on IIS servers using AppCmd.exe, potentially evading detection by removing evidence of their actions.

IIS +3 httplogging appcmd defense-evasion persistence windows
2r 2t
high advisory

Suspicious MSBuild Spawned by WMI Provider Process

The analytic identifies instances where wmiprvse.exe spawns msbuild.exe, an unusual process relationship indicative of potential COM object misuse and unauthorized code execution on Windows systems.

Splunk Enterprise +3 living-off-the-land defense-evasion msbuild
2r 1t
high advisory

PowerShell P/Invoke Process Injection API Chain Detection

This analytic detects PowerShell code that uses P/Invoke to call Windows API functions associated with process injection, such as VirtualAlloc, WriteProcessMemory, and CreateRemoteThread, indicating potential malicious activity.

PowerShell +3 process-injection pinvoke defense-evasion
2r 8t
high advisory

Detection of Event Log Disabling via WevtUtil

Detection of the 'wevtutil.exe' command-line utility being used to disable event logs, a common tactic employed by ransomware actors to evade detection and hinder forensic analysis on compromised Windows systems.

Splunk Enterprise +2 defense-evasion ransomware windows wevtutil
2r 1t
high threat

Detect PowerShell AppLocker Policy Import Activity

Detection of PowerShell commands to import AppLocker policy via Import-Module Applocker and Set-AppLockerPolicy, potentially used to enforce restrictive policies or disable security products like antivirus.

Splunk Enterprise +2 Azorult applocker powershell defense-evasion endpoint
2r 1t
medium advisory

Cisco ASA Logging Message Suppression

Detection of 'no logging message' command usage on Cisco ASA devices, potentially indicating an adversary suppressing security-critical log events to evade detection.

ASA +3 defense-evasion impair-defenses network
2r 1t
high advisory

Detection of Windows Defender Service Disabling via Registry Modification

This brief covers the detection of adversaries disabling Windows Defender services by modifying specific registry keys to set the 'Start' value to '0x00000004', indicating an attempt to evade detection and maintain persistence.

Windows Defender +3 defense-evasion persistence windows registry-abuse
2r
high advisory

Windows Defender SpyNet Reporting Disabled via Registry Modification

Attackers disable Windows Defender SpyNet reporting by modifying specific registry keys, preventing telemetry data from being sent and allowing malicious activities to go undetected.

Splunk Enterprise +3 windows registry_modification defender_evasion
2r
high advisory

Windows Registry Modification to Disable Show Hidden Files

This analytic detects modifications to the Windows registry that disable the display of hidden files, a technique commonly used by malware to evade detection and conceal malicious activities.

Splunk Enterprise +2 defense-evasion registry-modification windows
2r 2t
high advisory

Windows Registry Modification to Disable Registry Tools

This analytic detects modifications to the Windows registry, specifically targeting the 'DisableRegistryTools' key, which is a common tactic used by malware for persistence and defense evasion by preventing the removal of malicious entries.

Windows +3 defense-evasion registry-modification persistence
2r 2t
high advisory

O365 Advanced Audit Disabled

Detection of O365 advanced audit being disabled for a specific user, potentially allowing attackers to operate with reduced risk of detection, leading to unauthorized data access, data exfiltration, or account compromise.

Office 365 +3 cloud o365 audit defense-evasion persistence
2r 1t
medium advisory

Windows Downdate Attack Registry Modification

The Windows Downdate attack involves modifying specific registry keys to force a Windows downgrade, enabling exploitation of older, vulnerable versions, which this detection identifies through monitoring for the creation or modification of the pending.xml file in unusual locations.

Splunk Enterprise +2 defense-evasion privilege-escalation windows registry-modification
2r 1t
high advisory

Suspicious PowerShell Script Using Cryptography Namespace

The analytic detects suspicious PowerShell script execution involving the cryptography namespace (excluding SHA and MD5) via EventCode 4104, often associated with malware that decrypts or decodes additional malicious payloads leading to further code execution, privilege escalation, or persistence.

Splunk Enterprise +2 powershell cryptography malware asyncrat xworm vip keylogger
2r 1t
medium advisory

Suspicious PowerShell TabExpansion Direct Call

This detection identifies PowerShell scripts that directly call the TabExpansion internal function, which is uncommon and may indicate malicious activity, such as TabShell, potentially bypassing sandboxes by loading PowerShell functions via directory traversal.

Splunk Enterprise +2 powershell tabexpansion bypass endpoint
2r 2t
high advisory

Non-Firefox Process Accessing Firefox Profile Directory

This analytic detects non-Firefox processes accessing the Firefox profile directory, potentially indicating malware attempting to harvest sensitive user data like login credentials, browsing history, and cookies.

Firefox +3 credential-access malware
2r 1t
medium advisory

Windows Time-Based Evasion via Choice Exec

Detection of choice.exe used in batch files for time-based evasion, a technique observed in SnakeKeylogger malware, indicating potential stealthy code execution and persistence.

Windows +3 time-based-evasion malware persistence defense-evasion
2r 1t
medium threat

Windows Theme File Creation in Unusual Location

Detects the creation of Windows theme files in unusual locations, such as Desktop, Documents, Downloads, or Temp directories, which can be indicative of remote code execution or NTLM coercion attacks.

exploited Splunk Enterprise +2 windows theme-file code-execution credential-theft
2r 3t
high advisory

Windows Shell Execution from IIS Installation Directory

Detection of command-line tools executing from the IIS installation directory on Windows systems, potentially indicating exploitation of IIS-reliant software like Microsoft Exchange.

Exchange Server +3 iis web-shell command-execution windows
2r 2t
high advisory

Windows Service Security Descriptor Tampering via sc.exe

Adversaries may use sc.exe to set new deny ACEs (Access Control Entries) in the security descriptors of Windows services, denying access to specific groups; this can hinder security services and support privilege escalation.

Splunk Enterprise +2 defense-evasion privilege-escalation windows
2r 2t
medium advisory

Windows Folder Options Disabled via Registry Modification

Attackers modify the Windows registry to disable the Folder Options feature, preventing users from showing hidden files and file extensions, commonly used by malware to conceal malicious files and deceive users with fake file extensions.

Splunk Enterprise +3 defense-evasion registry-modification windows
2r
high advisory

Windows EFI Volume Mount Attempt via Mountvol

Detection of attempts to mount the EFI volume on Windows systems using mountvol.exe, potentially leading to system compromise.

Splunk Enterprise +2 efi mountvol windows persistence defense-evasion
2r 3t
high advisory

Windows Defender Real-Time Behavior Monitoring Disabled via Registry Modification

Attackers modify Windows Registry keys associated with Windows Defender to disable real-time behavior monitoring, a common tactic used by malware to evade detection and persist on compromised systems.

Windows Defender +3 defense-evasion endpoint registry-modification
2r
high advisory

Windows Computer Account Changed to Domain Controller

Detects modifications to a Windows computer account's User Account Control flags, specifically the `SERVER_TRUST_ACCOUNT` flag, potentially indicating unauthorized domain controller promotion or privilege escalation within Active Directory.

Splunk Enterprise +3 active-directory privilege-escalation persistence windows
2r 2t
high advisory

Windows Binary Execution from Archive-Related Paths

Detects the execution of a binary from archive-related paths within a user's Temp directory, potentially indicating attempts to bypass Mark-of-the-Web (MOTW) or exploit vulnerabilities like CVE-2025-0411.

Splunk Enterprise +2 binary-execution archive-bypass motw-bypass
2r 1t 1c
high advisory

Windows Audit Policy Restored via Auditpol.exe

Attackers may use auditpol.exe with the /restore argument to replace the existing audit policy with a malicious one, disabling auditing to evade detection, potentially leading to full machine compromise or lateral movement.

Splunk Enterprise +2 auditpol audit-policy defense-evasion windows
2r 1t
high advisory

Suspicious MSIExec Remote Download

The analytic detects the execution of msiexec.exe with an HTTP or HTTPS URL, which indicates an attempt to download and execute potentially malicious software from a remote server, leading to potential unauthorized code execution, system compromise, or malware deployment.

Splunk Enterprise +3 endpoint msiexec remote-download windows
2r 2t
high advisory

Suspicious Child Processes Spawned by WScript or CScript

Detects suspicious processes spawned by WScript or CScript, a common technique used by adversaries to execute LOLBINs, PowerShell, or inject code into suspended processes for defense evasion.

Splunk Enterprise +2 wscript cscript lolbin malware defense-evasion
2r 3t
medium advisory

Detect Windows Entra User Management Via Azure CLI

This analytic detects the usage of the Azure CLI to interact with user accounts, such as creating or deleting a user, potentially indicating malicious activity aimed at maintaining persistence and evading detection within an Entra ID environment.

Azure CLI +3 azure entra-id user-management persistence windows
2r 3t
medium advisory

Attrib.exe Used to Hide Files and Directories

Detection of attrib.exe being used with the +h flag to hide files and directories on Windows systems, a technique used by attackers for defense evasion and persistence.

Splunk Enterprise +2 defense-evasion persistence windows
2r 1t
high advisory

Windows Eventlog Cleared Via Wevtutil

Adversaries may clear Windows event logs using `wevtutil.exe` to remove evidence of their activity and hinder forensic investigations.

Splunk Enterprise +2 defense-evasion windows event-logs
2r 1t
high advisory

Windows Defender Controlled Folder Access Disabled via Registry Modification

An attacker modifies the Windows registry to disable Windows Defender Controlled Folder Access, a defense evasion technique that weakens protections against unauthorized access and ransomware.

Splunk Enterprise +3 defense-evasion registry-modification windows-defender
2r 1t
medium advisory

MSIExec Spawning Discovery Commands

Detection of msiexec.exe spawning discovery commands indicating potential reconnaissance activity by attackers for system information gathering and lateral movement.

Splunk Enterprise +2 msiexec discovery windows
2r 1t
high advisory

Suspicious PowerShell Command Removing Windows Defender Directory

A PowerShell command attempting to remove the Windows Defender directory is detected via PowerShell Script Block Logging, potentially indicating an attacker's attempt to disable endpoint protection for further malicious activities.

Windows Defender +3 powershell defense-evasion windows-defender endpoint
2r 1t
high advisory

Windows DISM Used to Remove Windows Defender

The analytic detects the use of `dism.exe` to remove Windows Defender, potentially allowing adversaries to evade detection and carry out further malicious actions.

Windows Defender +3 defense-evasion endpoint windows
2r 1t
high threat

Suspicious Process Accessing Browser Password Store

Detection of non-browser processes accessing browser user data folders, a tactic used by malware such as Snake Keylogger to steal credentials and sensitive information.

Splunk Enterprise +2 Snake Keylogger credential-access stealer windows
2r 1t
high advisory

ETW Registry Disabled via Registry Modification

Attackers may disable Event Tracing for Windows (ETW) for the .NET Framework by modifying the ETWEnabled registry value, allowing them to evade endpoint detection and response (EDR) tools and hide malicious activity.

.NETFramework +3 etw registry defense-evasion windows t1127 t1685
2r 1t
medium advisory

WinPEAS PowerShell Script Execution Detection

This brief documents the detection of WinPEAS PowerShell script execution on Windows systems by identifying specific function names used within the script; WinPEAS is a tool commonly used to enumerate privilege escalation paths.

Splunk Enterprise +2 privilege-escalation post-exploitation windows
2r 8t
medium advisory

Windows Software Discovery via PowerShell Registry Queries

Attackers use PowerShell to query the Windows registry's Uninstall key to discover installed software and identify potential vulnerabilities for exploitation.

Splunk Enterprise +2 software-discovery powershell registry reconnaissance
2r 3t
high advisory

Windows Service Disabled Detection

Detection of a Windows service being disabled via Event ID 7040, a common tactic used by adversaries to evade defenses and maintain control over compromised systems.

Splunk Enterprise +2 defense-evasion service-disabled windows
2r 1t
high advisory

Windows Remote Desktop Network Bruteforce Attempt

This detection identifies potential RDP brute force attacks by monitoring network traffic for RDP application activity and flagging source IPs that have made more than 10 connection attempts to the same RDP port on a host within a one-hour window.

Secure Access Firewall +3 rdp bruteforce credential-access windows network
2r 1t
high advisory

Windows Registry Modification to Disable Task Manager

Attackers modify the Windows registry to disable Task Manager, preventing users from terminating malicious processes and allowing persistence.

Splunk Enterprise +3 defense-evasion privilege-escalation registry-modification
2r
high advisory

Windows Registry Deletion of Scheduled Task Security Descriptor

Attackers may delete a scheduled task's Security Descriptor (SD) from the registry to remove evidence of the task for defense evasion.

Splunk Enterprise +2 defense-evasion persistence windows
2r 1t
high advisory

Windows PowerShell Used to Disable HTTP Logging

Adversaries may use PowerShell with specific commands to disable HTTP logging on Windows systems to evade detection and hinder forensic investigations.

Splunk Enterprise +2 powershell defense-evasion iis
2r 1t
high advisory

Windows Potato Privilege Escalation Tool Execution

Detects the execution of known Potato-family privilege escalation tools on Windows systems, which are used to escalate privileges from restricted contexts to SYSTEM by exploiting Windows token impersonation and privilege abuse.

Splunk Enterprise +2 privilege-escalation windows
2r 1t
medium advisory

Windows Netsh Tool Used for Firewall Discovery

The analytic detects the execution of the Windows built-in tool netsh.exe to display the state, configuration, and profile of the host firewall, potentially leading to unauthorized network access or data exfiltration.

Splunk Enterprise +2 discovery windows netsh firewall
2r 1t
medium advisory

Windows Guest Account Enabled via net.exe

The Windows guest account, typically restricted, can be enabled via `net.exe` for malicious activities like malware installation or data theft, potentially indicating persistence, defense evasion, privilege escalation or initial access.

Splunk Enterprise +2 guest-account persistence windows
2r 1t
medium advisory

Windows Firewall Rule Modification Detection

This detection identifies instances where a Windows Firewall rule has been modified, potentially indicating an attempt to weaken security policies and allow malicious traffic or prevent legitimate communications.

Windows +3 firewall anomaly
2r
medium advisory

Windows Firewall Rule Deletion Detection

Detection of Windows Firewall rule deletion events (Event ID 4948), indicating potential attacker attempts to bypass security controls or malware disabling protections for persistence and command-and-control.

Windows +3 firewall endpoint
2r 1t
medium advisory

Windows Firewall Rule Added via Event ID 4946

This detection identifies instances where a Windows Firewall rule is added by monitoring Event ID 4946 in the Windows Security Event Log, potentially indicating unauthorized changes or malicious activity such as attackers allowing traffic for backdoors or persistence mechanisms.

Splunk Enterprise +2 firewall persistence windows
2r
high advisory

Windows Firewall Modification with Suspicious Process Path

This analytic detects suspicious modifications to system firewall rules to allow execution of applications from notable and potentially malicious file paths, indicating an attempt to bypass firewall restrictions for malicious code execution.

Splunk Enterprise +2 firewall defense-evasion windows
2r
high advisory

Windows Files and Dirs Access Rights Modification via Icacls

Detection of icacls.exe, cacls.exe, or xcacls.exe being used to modify file or directory permissions, often used by APTs and coinminers for defense evasion and persistence.

Splunk Enterprise +2 defense-evasion persistence windows access-control
2r 1t
high advisory

Windows EventLog Security Descriptor Tampering

This analytic detects suspicious modifications to the EventLog security descriptor registry value, specifically the 'CustomSD' value, within the registry path 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\<Channel>\CustomSD', which can be used for defense evasion by attackers.

Sysmon +3 defense-evasion eventlog registry tampering
2r 1t
high advisory

Windows Event Logging Service Shutdown Detection

Detection of the Windows Event Log service shutdown, indicated by Event ID 1100, which can signify attempts to evade detection by disabling logging.

Splunk Enterprise +3 defense-evasion windows event-logging
2r 1t
high advisory

Windows Defender Web Content Evaluation Disabled via Registry Modification

An attacker modifies the Windows registry to disable Windows Defender web content evaluation, potentially allowing malicious web content to bypass security checks and compromise the system.

Windows Defender +3 defense-evasion registry-modification windows
2r
medium advisory

Windows Defender Tracing Level Modification

The following analytic detects modifications to the Windows registry specifically targeting the 'WppTracingLevel' setting within Windows Defender, potentially impairing its diagnostic capabilities and allowing attackers to evade detection.

Windows Defender +3 defense-evasion registry-modification windows
2r
medium advisory

Windows Defender Throttle Rate Modification

An attacker modifies the Windows Defender ThrottleDetectionEventsRate registry setting to reduce the frequency of logged detection events, potentially evading detection.

Splunk Enterprise +2 windows defender registry defense-evasion
2r 1t
high advisory

Windows Defender Threat Action Modification via Registry

An attacker modifies the Windows Defender ThreatSeverityDefaultAction registry setting to weaken defenses, potentially leading to unaddressed threats and system compromise.

Windows Defender +3 windows endpoint registry defense-evasion
2r
high advisory

Windows Defender SmartScreen Prompt Override via Registry Modification

Attackers modify the Windows registry to disable SmartScreen prompt overrides, potentially allowing users to bypass security warnings and execute harmful content, leading to system compromise.

Edge +3 defense-evasion registry-modification smartscreen
2r
high advisory

Windows Defender SmartScreen App Install Control Disabled via Registry Modification

Attackers modify the Windows Registry to disable Windows Defender SmartScreen App Install Control, potentially allowing the installation of malicious web-based applications without restrictions, leading to system compromise and sensitive information exposure.

Splunk Enterprise +3 defense-evasion registry-abuse windows
2r
medium advisory

Windows Defender Signature Retirement Disabled via Registry Modification

An attacker disables Windows Defender's signature retirement feature by modifying a registry key, potentially reducing its effectiveness in detecting threats by allowing older, less relevant signatures to persist.

Windows Defender +3 defense-evasion windows-registry windows-defender
2r 1t
medium advisory

Windows Defender Scan On Update Disabled via Registry Modification

An attacker modifies the Windows registry to disable the Windows Defender Scan On Update feature, potentially evading detection and establishing persistence.

Windows Defender +3 defense-evasion registry-modification windows-defender
2r 1t
high advisory

Windows Defender Real-time Signature Delivery Disabled via Registry Modification

The following analytic detects modifications to the Windows registry that disable the Windows Defender real-time signature delivery feature, preventing timely malware definition updates and potentially leading to system compromise.

Splunk Enterprise +3 defense-evasion windows-defender registry-modification endpoint
2r 1t
high advisory

Windows Defender Protocol Recognition Disabled via Registry Modification

An attacker modifies the Windows Registry to disable Windows Defender protocol recognition, hindering its ability to detect and respond to malware, potentially leading to successful data exfiltration or system compromise.

Windows Defender +3 defense-evasion windows registry-modification
2r 1t
high advisory

Windows Defender Profile Registry Key Deletion

Detection of Windows Defender profile registry key deletion, indicating potential defense evasion by malware or threat actors aiming to disable security controls.

Windows Defender +3 defense-evasion registry-abuse windows
2r 1t
high advisory

Windows Defender Phishing Filter Override via Registry Modification

The analytic detects modifications to the Windows registry that disable the Windows Defender phishing filter, potentially allowing attackers to deceive users into visiting malicious websites without browser warnings.

Microsoft Edge +3 defense-evasion windows registry-abuse
2r 1t
high advisory

Windows Defender Logging Disabled via Registry Modification

Attackers may disable Windows Defender logging by modifying specific registry keys to evade detection and conceal malicious activities.

Windows Defender +3 defense-evasion registry-modification windows
2r 1t
high advisory

Windows Defender Infection Reporting Disabled via Registry Modification

Attackers modify the Windows registry to disable Windows Defender's infection reporting, preventing detailed threat information from reaching Microsoft and potentially allowing malware to evade detection.

Windows Defender +3 defense-evasion registry-modification windows
2r
high advisory

Windows Defender File Hash Computation Disabled via Registry Modification

Attackers may disable Windows Defender's ability to compute file hashes by modifying the EnableFileHashComputation registry value, impairing its malware detection capabilities.

Windows Defender +3 defense-evasion registry-modification windows-defender
2r 1t
high advisory

Windows Defender Exclusion Registry Modification

Adversaries modify Windows Defender exclusion registry entries to bypass antivirus and execute malicious code undetected, potentially leading to persistence and further malicious activities.

Windows Defender +3 windows endpoint registry defender exclusion defense-evasion malware
2r 1t
high advisory

Windows Defender Exclusion Added or Modified via Command Line

Adversaries use Add-MpPreference or Set-MpPreference commands to add exclusions in Windows Defender, allowing malicious code to execute undetected, and this activity can be detected via Endpoint Detection and Response (EDR) agents.

Windows Defender +3 windowsdefender exclusion defense-evasion endpoint
2r
high advisory

Windows Defender Enhanced Notification Disabled via Registry Modification

An attacker modifies the Windows Registry to disable Windows Defender's Enhanced Notification feature, preventing users from receiving security alerts and potentially allowing malicious activities to go unnoticed, ultimately enabling persistence and evasion.

Windows Defender +3 registry-modification windows-defender persistence evasion
2r 1t
high threat

Windows Defender Disabled via Registry Modification

An attacker modifies the Windows Registry key 'DisableAntiSpyware' to disable Windows Defender, a technique commonly associated with Ryuk ransomware to evade defenses.

Windows Defender +3 Ryuk defense-evasion registry-modification ransomware windows
2r 1t
high threat

Windows Defender BlockAtFirstSeen Feature Disabled via Registry Modification

An attacker modifies the Windows Registry to disable the Windows Defender BlockAtFirstSeen feature, potentially allowing malware to bypass initial detection and increasing the risk of system compromise.

exploited Windows Defender +3 registry_modification defender blockatfirstseen
2r
high advisory

Windows Defender ASR or Threat Configuration Tampering

Adversaries tamper with Windows Defender's Attack Surface Reduction (ASR) rules or threat default actions using Add-MpPreference or Set-MpPreference commands, aiming to bypass the security tool for undetected malicious code execution.

Windows Defender +3 defense-evasion windows-defender endpoint
2r 1t
high advisory

Windows Defender Application Guard Auditing Disabled via Registry Modification

Attackers modify the Windows Registry to disable auditing for Windows Defender Application Guard, hindering security monitoring and enabling malicious activity to go unnoticed.

Windows Defender +3 defense-evasion registry-modification windows
2r 1t
high advisory

Windows Defender Antivirus Disabled via Registry Modification

Attackers modify Windows Defender registry settings to disable antivirus and antispyware protections, evading detection and maintaining persistence.

Windows Defender +3 defense-evasion registry-modification antivirus
2r 1t
high advisory

Windows Control Panel Disabled via Registry Modification

This analytic detects registry modifications that disable the Control Panel on Windows systems by monitoring changes to the registry path '*\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel' with a value of '0x00000001', which is commonly used by malware to prevent users from accessing the Control Panel and hindering remediation efforts.

Splunk Enterprise +2 defense-evasion registry-modification windows
2r 2t
high advisory

Windows AutoLogger Session Disabled via Registry Modification

An attacker disables Windows AutoLogger sessions by modifying specific registry values to evade defenses and blind EDR and log ingest tools.

Splunk Enterprise +3 defense-evasion windows registry-abuse
2r 1t
medium advisory

Windows Auditpol ResourceSACL Clearing for Defense Evasion

Adversaries may clear the global object access auditing policy using `auditpol.exe` with the `/resourceSACL` flag and either `/clear` or `/remove` arguments to evade detection by removing audit configurations.

Splunk Enterprise +3 defense-evasion windows
2r
high advisory

Windows Audit Policy Exclusion via Auditpol

Adversaries may attempt to disable or modify security tools to evade detection; this analytic identifies the execution of `auditpol.exe` with the `/set` and `/exclude` command-line arguments to exclude specific users' events from audit logs, potentially evading detection and enabling further malicious activities.

Splunk Enterprise +2 defense-evasion endpoint windows
2r 1t
high advisory

Windows Audit Policy Disabled via Legacy Auditpol

Adversaries may disable Windows audit policies using the legacy auditpol.exe utility to evade detection by limiting the data available for security monitoring and incident response.

Windows +3 auditpol defense-evasion
2r 1t
high advisory

Windows Audit Policy Disabled

Detection of disabled important audit policies via Windows EventCode 4719, indicating potential attacker attempts to evade detection on a compromised domain controller, leading to data theft, privilege escalation, and network compromise.

Splunk Enterprise +2 audit-policy defense-evasion windows
3r
high threat

Windows Audit Policy Cleared via Auditpol

The execution of `auditpol.exe` with the `/clear` or `/remove` command-line arguments indicates potential defense evasion by adversaries or Red Teams, aiming to limit data that can be leveraged for detections and audits, potentially leading to full machine compromise or lateral movement.

Windows +3 defense-evasion audit-tampering
2r 1t
medium advisory

Windows Application Hotkey Disablement via Registry Modification

Attackers disable Windows application hotkeys by modifying specific registry entries to hinder incident response and evade detection.

Splunk Enterprise +2 registry-modification defense-evasion persistence hotkey-disablement
2r 1t
high advisory

Windows AppCertDLL Registry Modification via Command Line

Attackers modify the AppCertDLL registry key via command-line utilities to load malicious DLLs during system startup, achieving persistence and privilege escalation.

Splunk Enterprise +2 persistence privilege-escalation windows
2r 2t
medium advisory

Windows AD GPO Disabled

Detection of Active Directory Group Policy being disabled using the Group Policy Management Console, potentially indicating malicious attempts to weaken security controls.

Splunk Enterprise +3 active_directory group_policy persistence
3r 1t
high advisory

Windows AD Domain Controller Audit Policy Disabled

Detection of disabled audit policies on a Windows domain controller by monitoring Windows Security Event Logs for EventCode 4719, indicative of an attacker attempting to evade detection and potentially leading to data theft, privilege escalation, and full network compromise.

Windows Event Log Security +3 defense-evasion windows
2r 1t
high advisory

Windows .Key File Creation in Root Directory

This search detects the creation of a .key file in the root directory of the system drive, an activity associated with ransomware execution before file encryption.

Splunk Enterprise +2 ransomware file_creation windows
2r 1t
high advisory

Unexpected Linux Auditd Daemon Shutdown

This analytic detects unexpected shutdowns of the Linux auditd daemon, potentially indicating attempts to disable security monitoring and evade detection by attackers.

Splunk Enterprise +3 auditd linux defense-evasion endpoint
3r 1t
high advisory

Unauthorized Access to Chrome Local State File

Detection of non-Chrome processes accessing the Chrome 'Local State' file, potentially leading to extraction of the master key used for decrypting saved passwords.

Chrome +3 credential-access password-stealing
2r 1t
high threat

Suspicious WMIC Application Uninstallation

This analytic identifies the use of the WMIC command-line tool to uninstall applications non-interactively, a technique used to evade detection by removing security software, as observed in IcedID campaigns.

Splunk Enterprise +2 IcedID defense-evasion application-uninstall wmic
2r
high advisory

Suspicious Process Terminating LSASS Process

Detection of a process attempting to terminate the Lsass.exe process, indicating a potential attempt to perform credential dumping, privilege escalation, or evasion of security policies.

Splunk Enterprise +2 lsass process-termination windows
2r
high advisory

Suspicious Process Execution from Unusual File Paths

Attackers may execute malicious code from unusual file paths such as Windows fonts or debug directories to evade defenses and gain unauthorized access, as detected by endpoint detection and response (EDR) agents.

Splunk Enterprise +2 defense-evasion persistence windows
2r 2t
medium advisory

Suspicious PowerShell Module DLL Creation

The creation of a DLL file within PowerShell module directories can indicate malicious PowerShell activity, such as installing new modules or attempts at ScriptBlock smuggling, and this activity is detected using Sysmon Event ID 11.

Splunk Enterprise +2 powershell module dll filecreation scriptblocksmuggling
2r 3t
high advisory

Suspicious MSBuild Execution from Non-Standard Path

Detection of msbuild.exe execution from a non-standard path, indicating potential attempts to evade detection and execute malicious code.

Splunk Enterprise +2 msbuild lolbas living-off-the-land defense-evasion
3r 2t
medium advisory

Suspicious Microsoft Workflow Compiler Usage

The use of Microsoft Workflow Compiler (microsoft.workflow.compiler.exe), a rarely utilized executable typically found in C:\Windows\Microsoft.NET\Framework64\v4.0.30319, can indicate malicious intent such as code execution or persistence mechanisms, potentially leading to unauthorized access.

Splunk Enterprise +2 living-off-the-land proxy-execution endpoint
2r 1t
high advisory

Suspicious Microsoft Workflow Compiler Rename

Detection of the renaming of microsoft.workflow.compiler.exe, a technique used by attackers to evade security controls and potentially execute arbitrary code for privilege escalation or persistence.

Splunk Enterprise +3 lolbin defense-evasion living-off-the-land masquerading
3r 2t
high advisory

Suspicious Firewall Modification to Allow Network Discovery

Detection of 'netsh' command execution to enable network discovery in the firewall, a technique commonly used by ransomware such as REvil and RedDot to discover and compromise additional machines on the network.

Splunk Enterprise +3 ransomware lateral-movement windows
2r
high advisory

Suspicious AppLocker XML Policy Import via PowerShell

Detection of PowerShell commands used to import AppLocker XML policies, potentially indicating an attempt to bypass security controls, as observed with Azorult malware.

Splunk Enterprise +2 applocker defense-evasion powershell
2r
medium advisory

Schtasks Run Task On Demand

Detection of on-demand execution of Windows Scheduled Tasks via the schtasks.exe command-line utility, a common technique for persistence and lateral movement.

Splunk Enterprise +2 schtasks scheduled-task persistence execution
2r 1t
high threat

Scheduled Task Disablement via Schtasks.exe

Detection of the use of schtasks.exe to disable scheduled tasks, a common tactic used by adversaries like IcedID to disable security applications and evade detection, potentially leading to persistence and further system compromise.

Splunk Enterprise +2 IcedID persistence defense_evasion windows
2r
medium advisory

Scheduled Task Creation via Group Policy Object

Detects the creation of scheduled tasks within a Group Policy Object (GPO) by monitoring for the creation of the ScheduledTasks.xml file in the SYSVOL share, potentially indicating malicious persistence.

Splunk Enterprise +3 scheduled-task gpo persistence windows
2r 2t
high threat

Regsvr32 Silent and Install Parameter DLL Loading

Detection of regsvr32.exe being used with the silent and DLL install parameter to load a DLL, a technique used by RATs like Remcos and njRAT to execute arbitrary code.

Splunk Enterprise +2 Remcos +1 lolbin dll-loading regsvr32
2r 2t
high advisory

Raccine Scheduled Task Deletion via Schtasks

Detection of adversaries deleting the Raccine Rules Updater scheduled task via `schtasks.exe` to disable the ransomware protection tool, potentially leading to data encryption and loss.

Splunk Enterprise +2 raccine ransomware defense-evasion scheduled-task windows
2r
medium advisory

Potential Cloudflared Network Tunnel Detection

This brief detects network connection events associated with the Cloudflared tool, which creates tunnels by establishing outbound connections to Cloudflare Edge Servers and can be used for unauthorized access or exfiltration.

Cloudflared +3 reverse-proxy tunneling network-tunnel
2r 1t
high advisory

Potential Abuse of Cloudflare Tunnels via Cloudflared

Attackers are increasingly abusing Cloudflare tunnels, created via the cloudflared client, for establishing stealthy command and control channels and evading network defenses by proxying traffic through Cloudflare's infrastructure.

Cloudflared +3 cloudflare reverse-proxy tunnel command-and-control
2r 2t
high advisory

Outlook Dialogs Disabled by Unusual Process

The detection identifies the modification of the Windows Registry key 'PONT_STRING' under Outlook Options by a process other than Outlook.exe, potentially indicating malware activity such as NotDoor.

Outlook +3 registry_modification malware notdoor
2r 1t
high advisory

Outbound SMB Traffic Detection

This analytic detects outbound SMB connections from internal hosts to external servers, potentially indicating lateral movement and credential theft attempts.

Secure Firewall Threat Defense +4 network smb lateral-movement privilege-escalation
2r 1t
medium advisory

OneDrive Share Mounted via Net Utility for Potential Data Exfiltration

Adversaries may mount OneDrive shares as network drives using net.exe or net1.exe to stage, access, or exfiltrate data through cloud-hosted WebDAV paths, potentially bypassing traditional file share monitoring.

OneDrive +3 data-exfiltration net.exe
2r 1t
high advisory

O365 Security Feature Modification

Attackers modify or disable Office 365 advanced security settings, such as AntiPhish, SafeLink, SafeAttachment, or Malware policies, to evade detection and operate with reduced risk within the target tenant.

Office 365 +3 o365 email_security defense_evasion persistence
2r 1t
high advisory

O365 MFA Bypassed via Trusted IP Addition

An attacker modifies trusted IP settings in Office 365 to bypass multi-factor authentication (MFA), potentially leading to unauthorized access and data compromise.

Office 365 +3 mfa_bypass o365 defense_evasion
2r 1t
high advisory

NorthStar C2 Agent Execution Detection

This brief details detection strategies for execution of the NorthStar C2 agent, an open-source command and control framework used for penetration testing and red teaming, on Windows endpoints.

Splunk Enterprise +2 command-and-control red-teaming penetration-testing windows
2r 3t 2i
high advisory

Non-Chrome Process Accessing Chrome Login Data

This analytic identifies non-Chrome processes accessing the Chrome user data file 'login data', which is an SQLite database containing sensitive information like saved passwords, potentially leading to credential theft.

Chrome +3 credential-access password-stealing windows
2r 1t
high advisory

Network Connections from Processes in Suspicious Windows Directories

Detection of network connections originating from processes running within suspicious Windows directories, indicating potential malware execution and command-and-control activity.

Splunk Enterprise +2 network_connection windows suspicious_location
2r 1t
medium threat

Mustang Panda USB-Borne Tool Execution

This brief details detection of executables associated with Mustang Panda being launched from non-standard locations, potentially indicating compromise via USB or other removable media.

Splunk Enterprise +2 Mustang Panda mustang-panda usb-attack dll-sideloading
2r 3t
high threat

MuddyWater PowGoop Beacon Decoding Detection

This detection identifies a DLL decoding and executing the PowGoop config.txt payload, indicating a stage in the MuddyWater infection chain where an obfuscated PowerShell beacon is unwrapped and live C2 communication starts.

Splunk Enterprise +3 MuddyWater powgoop dll-sideloading powershell c2 beacon
2r 4t
high advisory

MSBuild Executed by Scripting Host

Detects the suspicious spawning of MSBuild.exe by Windows Script Host processes (cscript.exe or wscript.exe), a behavior often associated with malware executing malicious MSBuild processes via scripts.

Splunk Enterprise +2 msbuild scripting defense-evasion endpoint
2r 1t
high advisory

MpCmdRun Execution with RemoveDefinitions Argument

The execution of MpCmdRun.exe with the '-RemoveDefinitions' argument, used to remove definitions from the Windows Malware Protection Engine, can indicate potential malware activity or attempts to bypass security measures.

Windows Malware Protection Engine +3 defense-evasion endpoint mpcmdrun malware
2r
medium advisory

Microsoft 365 Risk-Based Step-Up Consent Disabled

The Microsoft 365 'risk-based step-up consent' security setting is disabled by an adversary to allow users to grant consent to malicious applications, potentially leading to unauthorized access and data breaches.

Splunk Enterprise +4 azuread o365 oauth risk-based consent defense-evasion
2r 1t
critical advisory

Metasploit Exploitation via Malicious Confluence Plugin

A Metasploit module exploits Atlassian Confluence servers by deploying a malicious Java plugin that downloads Meterpreter, granting the attacker full control over the compromised system.

Confluence Data Center +4 confluence metasploit meterpreter plugin exploitation attack
2r 3t
high advisory

Linux Defense Impairment via Process Termination

Detection of 'pkill' command execution on Linux systems, a technique used by threat actors to disable security defenses or terminate critical processes, potentially leading to data corruption or destruction.

Splunk Enterprise +2 defense-evasion process-termination linux
2r
medium advisory

Linux Auditd Daemon Abort Detection

Detection of abnormal Linux audit daemon (auditd) termination via DAEMON_ABORT events, indicating potential auditing subsystem failure due to resource exhaustion, corruption, or malicious interference.

Splunk Enterprise +3 auditd linux anomaly endpoint
2r 1t
medium advisory

IOBit Unlocker Extension DLL Registration via Regsvr32

The IOBit Unlocker Extension DLL is registered via regsvr32.exe; IOBit Unlocker is a Windows utility that unlocks files or folders by terminating the processes locking them, and it could be abused for malicious purposes.

Unlocker Extension +3 iobit unlocker regsvr32 dll windows threat-detection
2r 1t
high advisory

Hiding User Account from Sign-In Screen via Registry Modification

An attacker modifies the Windows registry to hide a user account from the login screen, potentially establishing a hidden admin account for persistence and evading detection.

Splunk Enterprise +2 persistence defense-evasion windows
2r
medium advisory

GitHub Organizations Branch Ruleset Deletion

Detection of GitHub Organizations branch ruleset deletions, which could indicate attempts to bypass code review requirements and introduce unauthorized code changes.

github.com +4 github supply-chain branch-protection
2r 2t
medium advisory

GitHub Organizations 2FA Disabled

The disabling of two-factor authentication (2FA) in GitHub Organizations is detected through audit log monitoring, potentially indicating an attacker's attempt to weaken account security and facilitate unauthorized access.

github.com +3 github 2fa security_controls supply_chain
3r 3t
medium advisory

GitHub Enterprise IP Allow List Disabled

An IP allow list was disabled in GitHub Enterprise, potentially allowing unauthorized access from untrusted networks and exposing sensitive code repositories.

GitHub Enterprise +3 github cloud ip-allow-list bypass security-control anomaly
2r 1t
high advisory

GitHub Enterprise Audit Log Event Stream Modification

An attacker modifies or disables audit log event streaming in GitHub Enterprise to evade detection by preventing security monitoring platforms from receiving audit events.

Splunk Enterprise +3 github audit-log defense-evasion supply-chain
2r 1t
high advisory

GitHub Enterprise 2FA Requirement Disabled

The disabling of two-factor authentication (2FA) in GitHub Enterprise, detected via audit logs, weakens account security and increases the risk of account takeover and supply chain compromise.

GitHub Enterprise +3 github 2fa defense-evasion
2r 1t
medium advisory

GitHub Dependabot Disabling Detection

A user disables Dependabot security features within a GitHub repository, potentially enabling attackers to exploit unpatched vulnerabilities in dependencies.

Splunk Enterprise +3 github supply-chain dependabot
2r 2t
medium advisory

GitHub Classic Branch Protection Rule Disabled

This analytic detects when classic branch protection rules are disabled in GitHub Organizations, potentially allowing malicious actors to bypass code review and security controls.

github.com +4 github branch-protection supply-chain
2r 2t
high advisory

Get-Variable.exe Hijacking for Persistence

Attackers can establish persistence by placing a malicious Get-Variable.exe in the WindowsApps folder, hijacking the legitimate PowerShell cmdlet and executing upon PowerShell window initialization, as seen with the Colibri malware.

Splunk Enterprise +2 persistence powershell windowsapps colibri
2r 1t
medium threat

Flax Typhoon Masquerading SoftEther VPN as Legitimate Windows Binaries

The Flax Typhoon group uses SoftEther VPN, masquerading the VPN client as legitimate Windows binaries like conhost.exe and dllhost.exe, to obfuscate their network activity within compromised Taiwanese organizations.

SoftEther VPN +3 Flax Typhoon +1 flax-typhoon defense-evasion lateral-movement vpn process-masquerading
2r 2t
high advisory

Firewall Modification for File and Printer Sharing

This analytic detects the modification of Windows Firewall settings to enable file and printer sharing, a common technique used by ransomware to facilitate lateral movement and broader network encryption.

Splunk Enterprise +3 ransomware lateral-movement windows
2r 1t
high advisory

Firewall Allowed Program Enable

Detection of firewall rule modification to allow specific application execution, potentially bypassing restrictions and enabling unauthorized network communication.

Splunk Enterprise +2 firewall defense-evasion windows
3r
high advisory

Execution of SymbolicLink-Testing-Tools Utility for Privilege Escalation

This detection identifies the execution of utilities from the `symboliclink-testing-tools` toolkit, which attackers can use to exploit Windows symbolic link vulnerabilities and achieve local privilege escalation from a standard user to SYSTEM.

Splunk Enterprise +2 privilege-escalation symbolic-link windows
2r 2t
high advisory

Excessive Windows Service Disabling Events

An adversary may disable critical Windows services to evade defenses or disrupt system operations, detected by monitoring for an excessive number of service-disabled events on a single host.

Splunk Enterprise +2 defense-evasion service-disabling windows
2r 1t
high advisory

Excessive Taskkill Usage for Defense Evasion

Adversaries use taskkill.exe to disable security tools, and this detection identifies instances where taskkill.exe is executed excessively within a short timeframe, indicative of malicious activity aimed at defense evasion.

Splunk Enterprise +2 defense-evasion process-termination windows
2r 1t
high advisory

Excessive Service Control Start as Disabled

Detection of an excessive number of `sc.exe` processes launched with the `start= disabled` argument, indicating potential attempts to disable critical services and impair system defenses.

Splunk Enterprise +2 defense-evasion windows
2r 1t
high advisory

ESXi VIB Acceptance Level Tampering Detection

This detection identifies changes to the VIB (vSphere Installation Bundle) acceptance level on an ESXi host, potentially allowing the installation of unsigned or unverified software and lowering the system's integrity enforcement.

ESXi +3 vmware vib tampering post-compromise ransomware
2r
high advisory

ESXi Syslog Configuration Changes via esxcli

Detection of ESXi syslog configuration changes made via the esxcli command, potentially indicating an attempt to disrupt logging and evade detection.

ESXi +3 syslog vmware defense-evasion t1562.003 t1690 black-basta
2r 1t
high advisory

ESXi Firewall Disabled Detection

This detection identifies when the ESXi firewall is disabled or set to permissive mode, potentially exposing the host to unauthorized access and network-based attacks, often preceding lateral movement, data exfiltration, or malware installation.

ESXi +3 firewall lateral_movement data_exfiltration ransomware attack.defense_evasion
2r
high advisory

ESXi Encryption Settings Modification

Detection of modifications to ESXi host encryption settings, such as disabling secure boot or executable verification, which may indicate attempts to weaken hypervisor integrity and allow unauthorized code execution.

ESXi +3 encryption vmware hypervisor attack.persistence
2r
medium advisory

ESXi Download Error Detection

Detection of failed file download attempts on ESXi hosts, potentially indicating unauthorized or malicious activity such as installing or updating components, including VIBs or scripts.

ESXi +3 vmware syslog anomaly T1601.001 T1685 ESXi Post Compromise Black Basta Ransomware Infrastructure +1
2r 2t
high advisory

ESXi Audit Tampering Detection

This detection identifies the use of `esxcli system auditrecords` commands to tamper with logging on an ESXi host, potentially evading detection and hindering forensic analysis.

ESXi +3 vmware audit-tampering defense-evasion
2r 1t
high advisory

Detects Windows XLL File Creation Outside of Typical Location

The creation of an XLL file outside of typical locations can indicate an attempt to abuse Excel COM objects to load and execute a malicious XLL payload, often used in spearphishing attacks to achieve remote code execution.

Excel +3 xll file_creation endpoint
2r 2t
high threat

Detection of Suspicious Cisco Configuration Changes via Archive Logging

This analytic detects suspicious configuration changes on Cisco devices by analyzing archive logs for activities such as backdoor account creation, SNMP community string modifications, and TFTP server configurations, potentially indicating attacker presence and lateral movement.

IOS +3 Static Tundra cisco network-security configuration-change
3r 2t 1c
medium advisory

Detection of PuTTY Suite Utility Execution

This analytic detects the execution of programs associated with the PuTTY SSH client suite, including putty.exe, pscp.exe, plink.exe, psftp.exe, and puttygen.exe, which can be used to establish unauthorized remote connections, transfer files, or execute commands on remote systems potentially leading to network compromise.

Splunk Enterprise +2 putty lateral-movement command-and-control windows
3r 2t
high threat

Detection of Processes Launching netsh.exe for Malicious Purposes

Detection of netsh.exe execution by unusual processes indicative of potential malicious activity, including persistence and network configuration changes by threat actors.

exploited Splunk Enterprise +3 netsh living-off-the-land persistence network-configuration
2r
high advisory

Detection of Process Termination via File Path Using WMIC

This analytic detects the use of `wmic.exe` with the `delete` command to terminate a process by specifying its executable path, often used to disable security tools or critical processes during the setup of malicious activities like cryptocurrency mining.

Splunk Enterprise +2 process-termination wmic cryptocurrency-mining endpoint
2r
high advisory

Detection of ETW Disabling via Registry Modification

Attackers may disable Event Tracing for Windows (ETW) by modifying specific registry keys to evade detection and hinder security monitoring, potentially leading to further system compromise.

.NETFramework +3 defense-evasion registry-modification etw ransomware windows
2r
high advisory

Detection of Default Cobalt Strike PowerShell Beacon

This brief outlines detection strategies for default Cobalt Strike PowerShell beacons, which are used for command and control, by identifying specific function and variable names within PowerShell script block logs.

Splunk Enterprise +2 cobaltstrike powershell beacon commandandcontrol windows
2r 2t
high advisory

Detection of Attacker Tools on Endpoints

This analytic detects the execution of attacker tools used for unauthorized access, network scanning, privilege escalation, password dumping, or data exfiltration, based on process activity data from EDR agents and focusing on known attacker tool names.

Splunk Enterprise +3 attacker-tool endpoint privilege-escalation data-exfiltration
2r 3t
high advisory

Detecting Windows LAPS Password Gathering via PowerShell

This brief outlines detection strategies for adversaries attempting to retrieve LAPS passwords using PowerShell and the 'ms-Mcs-AdmPwd' property, potentially leading to lateral movement and privilege escalation within a Windows domain.

Splunk Enterprise +3 laps credential-access powershell windows
2r 2t
medium advisory

Detecting Spikes in Active Directory Object Modifications

This detection identifies a spike in Active Directory group or object modifications, potentially indicating unauthorized access, defense impairment, or persistence establishment by threat actors.

Splunk Enterprise +2 active-directory persistence privilege-escalation windows
2r 1t
high advisory

Detecting Disabling of Windows Defender Sample Submission

An attacker modifies the Windows registry to disable the Windows Defender Submit Samples Consent feature, preventing the submission of suspicious files for analysis, and potentially evading detection.

Splunk Enterprise +3 defense-evasion registry-modification windows-defender
2r
medium advisory

Detect Windows Netspy Network Scanner Execution

The Netspy network scanner, a tool for internal network discovery, is executed on a Windows endpoint to enumerate active hosts and services, potentially for reconnaissance purposes.

Splunk Enterprise +2 network-discovery windows endpoint
2r 2t
high advisory

Detect Windows Downdate Registry Activity

This detection identifies registry modifications associated with the Windows Downdate attack, specifically focusing on pending.xml file modifications outside standard locations, which could force a Windows downgrade for exploitation.

Splunk Enterprise +2 windows-downgrade registry-modification defense-evasion persistence
2r 2t
high advisory

Cobalt Strike PowerShell Loader Detection

This brief details a detection for a PowerShell loader pattern commonly used with Cobalt Strike to decompress and execute payloads, often observed in scripted web delivery attacks.

Splunk Enterprise +2 cobaltstrike powershell malware windows
2r 2t
high advisory

Cisco Secure Endpoint Uninstallation via SFC Utility

The sfc.exe utility is used with the "-u" parameter to uninstall Cisco Secure Endpoint components, potentially disabling endpoint protection and facilitating further exploitation.

Secure Endpoint +3 security-solution-tampering endpoint windows
2r
high advisory

Cisco Secure Endpoint Tampering via SFC Utility

The sfc.exe utility is being used with the '-unblock' parameter, a feature within Cisco Secure Endpoint, to remove system blocks imposed by the endpoint protection, potentially indicating an attempt to bypass security measures and execute blocked malicious payloads.

Secure Endpoint +3 defense-evasion endpoint cisco
2r
medium advisory

Cisco ASA Logging Filters Configuration Tampering

Tampering with logging filter configurations on Cisco ASA devices can allow attackers to evade detection by reducing logging levels or disabling specific log categories.

ASA +3 cisco logging evasion
2r 1t
high advisory

AWS Security Services Configuration Deletion

Detection of deletion of critical AWS Security Services configurations like CloudWatch alarms, GuardDuty detectors, and Web Application Firewall rules to evade detection, potentially leading to data breaches and unauthorized access.

CloudWatch +5 aws cloudtrail defense-evasion security-service
2r 1t
high advisory

AWS Network ACL Deletion Detected

Detection of AWS Network Access Control List (ACL) deletion via CloudTrail logs, indicating potential unauthorized access or data exfiltration.

AWS CloudTrail +3 cloud aws network-acl privilege-escalation
2r
high advisory

AWS CloudWatch Log Group Deletion for Defense Evasion

Detection of AWS CloudWatch log group deletions via CloudTrail logs, excluding console-based actions, indicating potential defense evasion by attackers attempting to hide their tracks.

Splunk Enterprise +3 aws cloudwatch defense-evasion
2r 1t
medium advisory

AWS CloudTrail Update for Defense Evasion

Attackers may attempt to evade detection by altering CloudTrail logging configurations, such as changing multi-regional logging to a single region, which impairs the logging of their activities and hinders incident response.

CloudTrail +4 aws defense-evasion cloud
2r 1t
high advisory

AWS CloudTrail Logging Stopped for Defense Evasion

Detection of AWS CloudTrail `StopLogging` events indicating potential defense evasion by adversaries attempting to operate undetected within a compromised AWS environment by halting the logging of their malicious activities.

CloudTrail +4 aws defense-evasion cloud
2r 1t 1i
high advisory

AWS CloudTrail Logging Stopped for Defense Evasion

Detection of AWS CloudTrail StopLogging events indicates a potential defense evasion attempt by an attacker to operate stealthily within a compromised AWS environment and hinder incident response.

Splunk Enterprise +3 aws cloudtrail defense-evasion aws-account
2r 1t
high advisory

AWS CloudTrail Logging Evasion via UpdateTrail

Attackers modify AWS CloudTrail settings using UpdateTrail events to evade detection by disabling or limiting logging, as indicated by non-console user agents.

AWS CloudTrail +3 aws cloudtrail defense-evasion logging
2r 1t
high advisory

AWS Bedrock Model Invocation Logging Deletion Attempt

Detection of attempts to delete AWS Bedrock model invocation logging configurations, potentially indicating an adversary trying to remove audit trails of model interactions after credential compromise, to hide malicious AI model usage.

CloudTrail +3 aws bedrock logging defense-evasion
2r 1t
high advisory

AppLocker Registry Modification to Deny Security Software Execution

Attackers can modify the Windows registry via AppLocker to block the execution of security software, potentially disabling defenses and allowing further malicious activities.

Splunk Enterprise +2 applocker defense-evasion registry-modification
2r
high advisory

AMSI Disablement via Registry Modification

Attackers disable the Antimalware Scan Interface (AMSI) by modifying the Windows registry value 'AmsiEnable' to '0x00000000' to evade detection, commonly employed by ransomware, RATs, and APTs.

Windows +3 amsi defense-evasion registry-modification ransomware
2r
high advisory

AMSI Bypass via PowerShell Reflection

Detection of AMSI (Antimalware Scan Interface) tampering via PowerShell reflection, utilizing PowerShell Script Block Logging (EventCode=4104) to identify commands manipulating `system.management.automation.amsi`, potentially leading to undetected malicious code execution and system compromise.

Splunk Enterprise +2 amsi-bypass powershell reflection defense-evasion
2r 1t
medium advisory

Active Directory Group Policy Deletion Detected

Detection of Active Directory Group Policy deletion using event ID 5136, indicating potential malicious activity or misconfiguration.

Splunk Enterprise +2 active-directory group-policy gpo deletion t1484.001
2r 2t
high advisory

Abuse of dnscmd.exe to Modify DNS ServerLevelPluginDLL

Attackers can use dnscmd.exe with administrative privileges to configure the Microsoft DNS ServerLevelPluginDll setting, allowing them to load arbitrary DLLs and execute code within the DNS service context for persistence and privilege escalation.

Splunk Enterprise +3 persistence privilege-escalation windows
2r 1t
medium advisory

Windows Universal Data Link File Creation Detection

The creation of Universal Data Link (UDL) files on Windows systems can indicate a phishing technique where attackers bypass email filters and capture user credentials by tricking victims into testing a connection to a malicious server.

Splunk Enterprise +2 phishing credential-theft windows
2r 2t
high advisory

Windows File Association Modification via Ftype Command

Adversaries can use the `ftype` command to modify Windows file associations, potentially redirecting legitimate file execution to malicious payloads for persistence, execution, and defense evasion.

Splunk Enterprise +2 file-association persistence execution windows
2r 3t
high advisory

Windows Event Log Cleared

Detection of cleared Windows event logs (Security Event ID 1102 or System log event 104) indicates potential defense evasion and obfuscation by threat actors attempting to remove evidence of their activities.

Splunk Enterprise +2 defense-evasion impact windows
2r 1t
high advisory

Windows Defender Health Check Interval Modification

This analytic detects modifications to the Windows registry, specifically targeting the `ServiceKeepAlive` value, to impair Windows Defender's ability to perform timely health checks, potentially leading to a vulnerable system state.

Splunk Enterprise +3 windows registry defender defense-evasion threat
2r
high advisory

Suspicious QEMU Execution on Windows

Detects the execution of QEMU with the -nographic flag and an image file on Windows systems, a technique used for persistence and initial access by installing a rogue Linux virtual machine.

Splunk Enterprise +3 qemu virtualization persistence linux windows
2r 2t
high advisory

Suspicious DNS Queries to Telegram API by Non-Telegram Processes

Detection of a process making DNS queries to the Telegram API domain, which is indicative of malware utilizing Telegram bots for command and control (C2) communications.

Splunk Enterprise +2 telegram command-and-control dns windows
2r 2t 1i
medium advisory

Spike in Active Directory User Modification Activity

Detects an increase in modifications to AD user objects, which may indicate unauthorized access, impaired defenses, or persistence establishment.

Splunk Enterprise +2 account-manipulation persistence windows
2r 1t
high advisory

PowerShell Execution via Environment Variables

Adversaries use PowerShell to execute malicious code stored in environment variables, leveraging Invoke-Expression or its aliases to bypass static analysis and execute payloads dynamically, as seen in malware loaders and stagers like the VIP Keylogger.

Splunk Enterprise +2 powershell environment-variable invoke-expression execution
2r 1t
high threat

Non-Chrome Process Accessing Chrome Default Directory

Detection of non-Chrome processes accessing the Chrome user data directory, potentially indicating credential theft or data exfiltration attempts by malware such as RATs or APT groups.

Splunk Enterprise +2 FIN7 +2 credential-access threat-type windows
2r 1t
high advisory

Microsoft Devtunnels Execution for Covert Communication

The execution of Microsoft devtunnels.exe can be abused by attackers to expose compromised systems to the internet, establish covert communication channels, and bypass network security measures, facilitating data exfiltration or command-and-control.

Visual Studio +3 devtunnels reverse-proxy command-and-control defense-evasion windows
2r 1t
high advisory

Logon Script Registry Modification for Persistence and Privilege Escalation

This brief details the detection of UserInitMprLogonScript registry entry modifications, a technique employed by threat actors for persistence and privilege escalation by ensuring payloads execute automatically at system startup.

Splunk Enterprise +2 persistence privilege-escalation windows
2r 2t
medium advisory

Linux Stdout Redirection to /dev/null Indicates Potential Malware Activity

The redirection of standard output to /dev/null on Linux systems, particularly when observed in conjunction with other suspicious activities, can indicate attempts to hide malicious command execution, as seen in malware like Cyclops Blink, potentially leading to unauthorized system modifications and persistent access.

Splunk Enterprise +2 linux malware cyclopsblink anomaly endpoint
2r
high advisory

Linux Auditd Detects Firewall Modification or Disabling

The analytic detects suspicious disabling or modification of the system firewall on Linux systems, which can indicate unauthorized access or attempts to maintain control over a system by disabling host protections.

Splunk Enterprise +3 defense-evasion persistence privilege-escalation firewall
3r 1t
high advisory

Disabling CMD Application via Registry Modification

Attackers modify the Windows registry to disable the command prompt (cmd.exe), hindering incident response and potentially maintaining persistence.

Splunk Enterprise +2 registry-modification defense-evasion windows
2r 1t
high threat

Detection of Taskkill Command to Terminate Browser Processes

This analytic detects the use of the taskkill command to terminate known browser processes, a technique employed by malware such as Braodo stealer to steal credentials by forcefully closing browsers like Chrome, Edge, and Firefox to unlock files containing sensitive information.

Splunk Enterprise +2 Braodo Stealer credential-theft malware windows
2r
high threat

Braodo Stealer Screen Capture in TEMP Directory

This analytic detects the creation of screen capture files in the TEMP directory, specifically targeting activity associated with the Braodo stealer malware, which captures screenshots of the victim's desktop as part of its data theft activities.

Splunk Enterprise +2 Braodo Stealer stealc-stealer crypto-stealer braodo-stealer apt37 hellcat-ransomware vip-keylogger screen-capture malware
2r 1t
high advisory

AWS S3 Bucket Lifecycle Rule Abuse for Log Deletion

Attackers may abuse the AWS S3 PutBucketLifecycle API to rapidly delete CloudTrail logs by setting short expiration periods on S3 buckets, hindering incident response and forensic investigations.

CloudTrail +3 aws defense-evasion
2r 1t
high advisory

AWS Network ACL Created with All Ports Open

The analytic detects the creation or replacement of AWS Network Access Control Lists (ACLs) with rules that allow all traffic from a specified CIDR block, potentially exposing the network to unauthorized access and increasing the risk of data breaches.

CloudTrail +5 aws network-acl misconfiguration cloud security-group
2r
high advisory

AWS CloudTrail Log Deletion for Defense Evasion

An adversary may delete AWS CloudTrail logs to evade detection and operate stealthily within a compromised environment, using the `DeleteTrail` event while excluding actions from the AWS console.

AWS CloudTrail +3 aws cloudtrail defense-evasion
2r 1t
high advisory

Windows Taskkill Used for Defense Evasion

The analytic identifies the use of taskkill.exe to forcibly terminate processes, focusing on command-line executions that include specific taskkill parameters, which can indicate attempts to disable security tools or disrupt legitimate applications.

Splunk Enterprise +2 defense-evasion endpoint taskkill
3r
medium advisory

Windows Registry Modification to Disable Run Application

This analytic detects modification of the Windows registry to disable the Run application in the Start menu by monitoring changes to the registry path '*\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun' with a value of '0x00000001', potentially hindering system cleaning and aiding malware persistence.

Splunk Enterprise +2 defense-evasion registry-modification windows
2r 1t
high advisory

Windows HVCI Disabled via Registry Modification

Detection of Hypervisor-protected Code Integrity (HVCI) being disabled by modifying specific Windows registry keys, potentially allowing the execution of malicious kernel-mode code.

Splunk Enterprise +2 defense-evasion registry-modification windows
2r 1t 1c
medium advisory

Windows Defender SmartScreen Level Downgrade to 'Warn'

This analytic detects modifications to the Windows Registry to set Windows Defender SmartScreen level to 'Warn', which can reduce user suspicion and increase the risk of malware execution.

Splunk Enterprise +3 defense-evasion registry-modification windows
2r 1t
medium advisory

Windows Defender Quick Scan Interval Modification

Detection of modifications to the Windows registry that change the Windows Defender Quick Scan Interval, potentially impairing its ability to detect malware promptly.

Splunk Enterprise +3 defense-evasion windows-registry windows-defender endpoint
2r 1t
medium advisory

Windows Defender PUA Protection Disabled via Registry Modification

An attacker modifies the Windows Registry to disable Windows Defender Potentially Unwanted Application (PUA) protection, increasing the risk of malware installation and system compromise.

Windows Defender +3 defense-evasion windows registry-modification
2r
high advisory

Windows Defender Firewall and Network Protection Disabled via Registry Modification

An attacker modifies the Windows registry to disable the Windows Defender Firewall and Network Protection settings, potentially weakening the system's security posture and increasing vulnerability to further attacks.

Windows Defender Security Center +3 defense-evasion registry-modification windows
2r 1t
medium advisory

Windows Command Obfuscation via Environment Variable Substrings

Attackers obfuscate commands in Windows by dynamically constructing them using substrings extracted from environment variables, a technique observed in malware families such as Cobalt Strike and Meterpreter.

Splunk Enterprise +2 command-obfuscation defense-evasion windows
2r 1t
high threat

Windows Audit Policy Security Descriptor Tampering via Auditpol

Detection of `auditpol.exe` execution with arguments to modify the audit policy security descriptor, indicative of defense evasion by adversaries aiming to limit audit logging.

Splunk Enterprise +2 auditpol security descriptor defense evasion windows
2r 1t
high advisory

Sysmon Driver Unload via fltMC.exe

Detection of the Sysmon filter driver being unloaded via `fltMC.exe`, which can blind security monitoring and allow malicious actions to go undetected.

Splunk Enterprise +3 defense-evasion impair-defenses windows
2r 1t
high advisory

Suspicious Wevtutil Usage for Clearing Windows Event Logs

Detection of wevtutil.exe being used with parameters to clear event logs, indicating potential attempts to evade detection and hinder forensic investigations by adversaries.

Splunk Enterprise +2 defense-evasion windows log-manipulation
2r
high advisory

Suspicious PowerShell Reconnaissance via WMI Queries

Detection of suspicious PowerShell activity using Windows Management Instrumentation (WMI) to gather system information, indicative of reconnaissance efforts by adversaries potentially leading to further exploitation or lateral movement.

Splunk Enterprise +2 powershell wmi reconnaissance lateral_movement windows
2r 2t
high advisory

Suspicious MSBuild Rename

The analytic detects the execution of renamed instances of msbuild.exe, a legitimate tool abused by attackers to execute malicious code while evading detection, potentially leading to system compromise, data exfiltration, or lateral movement.

Splunk Enterprise +2 lolbin msbuild defense-evasion windows
2r 2t
high advisory

Registry Modification to Disable .NET ETW Logging

Attackers may modify the Windows registry to disable ETW logging for the .NET Framework, hindering endpoint detection and response capabilities.

Splunk Enterprise +2 defense-evasion registry-modification etw
2r 1t
high advisory

PowerShell Windows Defender Exclusion Commands

Detection of PowerShell commands, specifically `Add-MpPreference` or `Set-MpPreference`, used to create Windows Defender exclusions, enabling attackers to bypass antivirus defenses and execute malicious code undetected.

Windows Defender +3 defense-evasion powershell windows-defender
2r 1t
medium advisory

Microsoft Devtunnels Image Load Detection

This detection identifies potential misuse of Microsoft Devtunnels within Visual Studio by detecting image load events, indicating that an attacker could expose a compromised system or service to the internet for covert communication and data exfiltration.

Visual Studio +3 devtunnels reverse-proxy command-and-control data-exfiltration windows
2r 2t
high advisory

Malicious MSC File Creation in Mock Trusted Directory

The creation of MSC files within a 'C:\Windows \System32' directory can be exploited to execute malicious files due to path parsing vulnerabilities in Windows, potentially leading to privilege escalation, persistence, and defense evasion.

Splunk Enterprise +2 defense-evasion privilege-escalation persistence windows
2r 3t
medium advisory

Linux Auditd Daemon (Re)Initialization Detection

Detection of Linux audit daemon (auditd) re-initialization events, which can indicate attempts to re-enable audit logging after evasion or restarts with modified rule sets.

Splunk Enterprise +4 linux auditd anomaly
3r 1t
medium advisory

GitHub Enterprise Classic Branch Protection Rule Disabled

Detection of disabled classic branch protection rules in GitHub Enterprise, indicating potential bypass of code review and security controls, leading to unauthorized code changes and supply chain compromise.

GitHub Enterprise +4 github branch_protection supply_chain
3r 2t
high advisory

ESXi Loghost Configuration Tampering

An attacker modifies the ESXi host's syslog configuration to disrupt log forwarding, potentially evading detection and hindering incident response.

ESXi +3 syslog loghost tampering defense-evasion
2r 1t
high advisory

ESXi Lockdown Mode Disabled

The disabling of Lockdown Mode on an ESXi host may indicate a threat actor attempting to weaken host security controls to enable broader remote access for data exfiltration, lateral movement, or VM tampering.

ESXi +3 vmware lockdown_mode security_controls
2r
medium advisory

Detection of Level RMM Watchdog Task Creation

Detects the creation of the 'Level Watchdog' scheduled task, which indicates installation of the Level remote management tool, highlighting the potential abuse of legitimate RMM tools for persistence and execution by threat actors on Windows systems.

Level remote management tool +3 rmm remote-access persistence
2r 2t
medium advisory

Detection of Level RMM PowerShell Script Installer

This brief details the detection of the Level remote management tool PowerShell installer on Windows endpoints; although Level is a legitimate IT tool, threat actors can abuse it to maintain persistence and execute commands.

Splunk Enterprise +2 remote-management powershell rmm
2r 1t 1i
high threat

AWS S3 Bucket Lifecycle Rule for Rapid Log Deletion

An attacker modifies an AWS S3 bucket lifecycle policy to rapidly expire CloudTrail logs, hindering incident response and forensic analysis.

exploited CloudTrail +4 aws defense_evasion s3
2r 1t
medium advisory

AWS Network Access Control List Deletion Detected

Detection of AWS Network Access Control List (ACL) deletion using AWS CloudTrail logs, which can remove critical access restrictions, potentially allowing unauthorized access to cloud instances and leading to data exfiltration or further compromise.

Splunk Enterprise +3 cloud aws network
2r 1t
high advisory

AWS Network Access Control List Created with All Open Ports

The analytic detects the creation of AWS Network Access Control Lists (ACLs) with all ports open to a specified CIDR by monitoring `CreateNetworkAclEntry` or `ReplaceNetworkAclEntry` actions with rules allowing all traffic, potentially leading to unauthorized network access.

Splunk Enterprise +3 cloud aws network-acl misconfiguration
2r
high advisory

AWS Bedrock GuardRails Deletion Attempt

Detection of AWS Bedrock Guardrails deletion. Guardrails are security controls that prevent harmful AI outputs, so their deletion could indicate an adversary attempting to remove safety measures after credential compromise to enable malicious model outputs.

Bedrock +4 aws cloudtrail defense-evasion
2r 1t
medium advisory

Large ICMP Traffic Detection

This analytic identifies excessive ICMP traffic to external IP addresses exceeding 1,000 bytes, potentially indicating command and control activity, data exfiltration, or covert communication channels.

Splunk Enterprise +4 network-traffic command-and-control data-exfiltration
2r 1t
high advisory

Detection of IIS HTTP Logging Disabled via AppCmd.exe

This analytic detects the use of AppCmd.exe to disable HTTP logging on IIS servers, allowing adversaries to evade detection by removing evidence of their actions.

Splunk Enterprise +3 iis logging defense-evasion windows
2r 2t