Anomaly

Detection of processes loading Mozilla NSS/Mozglue libraries (mozglue.dll, nss3.dll) outside of known Mozilla applications, potentially indicating malware or unauthorized activity.

This detection identifies instances where a Windows Firewall rule has been modified, potentially indicating an attempt to weaken security policies and allow malicious traffic or prevent legitimate communications.

Detection of abnormal Linux audit daemon (auditd) termination via DAEMON_ABORT events, indicating potential auditing subsystem failure due to resource exhaustion, corruption, or malicious interference.

An IP allow list was disabled in GitHub Enterprise, potentially allowing unauthorized access from untrusted networks and exposing sensitive code repositories.

Detection of failed file download attempts on ESXi hosts, potentially indicating unauthorized or malicious activity such as installing or updating components, including VIBs or scripts.

The redirection of standard output to /dev/null on Linux systems, particularly when observed in conjunction with other suspicious activities, can indicate attempts to hide malicious command execution, as seen in malware like Cyclops Blink, potentially leading to unauthorized system modifications and persistent access.

Detection of Linux audit daemon (auditd) re-initialization events, which can indicate attempts to re-enable audit logging after evasion or restarts with modified rule sets.