Endpoint

Threat actors are actively leveraging Microsoft's ClickOnce technology, a legitimate application deployment mechanism, to distribute and execute malware by exploiting its user-friendly deployment process that bypasses administrative privilege requirements.

Threat actors are performing create, read, update, or delete (CRUD) operations against Azure VM or VM Scale Set extensions (e.g., CustomScript, DSC) from an anomalous source Autonomous System (AS) number, enabling high-privilege code execution and persistence on guest operating systems (SYSTEM on Windows, root on Linux) by abusing compromised Azure identities.

Identifies suspicious command executions via a web server on Linux systems, potentially indicating a vulnerability exploitation or remote shell access for persistence.

This rule detects the abuse of Azure Virtual Machine Run Command to execute scripts remotely, correlating Azure Activity Log events with endpoint process starts, identifying instances where adversaries use Run Command to run scripts as SYSTEM or root.

This rule identifies suspicious process start events where the parent process matches Azure Virtual Machine Run Command execution patterns on Windows (PowerShell with `-ExecutionPolicy Unrestricted` and `script?.ps1`) or Linux (waagent running `script.sh` under `/var/lib/waagent/run-command/`), exposing on-guest payloads.

Detection of expand.exe being used to extract Microsoft Cabinet (CAB) archives, specifically when extracting to C:\ProgramData or similar staging locations, potentially indicating ingress tool transfer and payload staging by threat actors like APT37.

The analytic identifies potential threats related to the theft or forgery of authentication certificates by detecting when five or more analytics from the Windows Certificate Services story trigger within a specified timeframe, indicating an ongoing attack aimed at compromising authentication mechanisms that could grant unauthorized access to sensitive systems and data.

This rule detects the execution of macOS built-in commands such as `defaults`, `mkpassdb`, and `dscl` used by adversaries to dump user account hashes for credential access and lateral movement.

This rule identifies suspicious child processes of Microsoft Office applications on macOS, which often result from exploitation or malicious macros, by detecting unexpected processes like curl, bash, osascript, and python spawned by Office apps, while filtering out false positives related to product version discovery, error reporting, and legitimate software.

This rule detects multiple external EDR alerts on the same host, indicating a potential compromise, by analyzing alert data from various EDR solutions like CrowdStrike, SentinelOne, and M365 Defender to identify hosts triggering multiple alerts, enabling prioritization of investigation and response.

Detection of PowerShell commands to import AppLocker policy via Import-Module Applocker and Set-AppLockerPolicy, potentially used to enforce restrictive policies or disable security products like antivirus.

This detection identifies PowerShell scripts that directly call the TabExpansion internal function, which is uncommon and may indicate malicious activity, such as TabShell, potentially bypassing sandboxes by loading PowerShell functions via directory traversal.

Attackers modify Windows Registry keys associated with Windows Defender to disable real-time behavior monitoring, a common tactic used by malware to evade detection and persist on compromised systems.

The analytic detects the execution of msiexec.exe with an HTTP or HTTPS URL, which indicates an attempt to download and execute potentially malicious software from a remote server, leading to potential unauthorized code execution, system compromise, or malware deployment.

A machine learning job has detected high bytes of data written to an external device, potentially indicating illicit data copying or transfer activities leading to data exfiltration over a physical medium such as USB.

A PowerShell command attempting to remove the Windows Defender directory is detected via PowerShell Script Block Logging, potentially indicating an attacker's attempt to disable endpoint protection for further malicious activities.

The analytic detects the use of `dism.exe` to remove Windows Defender, potentially allowing adversaries to evade detection and carry out further malicious actions.

Detection of Windows Firewall rule deletion events (Event ID 4948) indicating potential attacker attempts to bypass security controls or malware disabling protections for persistence and command-and-control.

An attacker modifies the Windows Defender ThreatSeverityDefaultAction registry setting to weaken defenses, potentially leading to unaddressed threats and system compromise.

The following analytic detects modifications to the Windows registry that disable the Windows Defender real-time signature delivery feature, preventing timely malware definition updates and potentially leading to system compromise.

Adversaries modify Windows Defender exclusion registry entries to bypass antivirus and execute malicious code undetected, potentially leading to persistence and further malicious activities.

Adversaries use Add-MpPreference or Set-MpPreference commands to add exclusions in Windows Defender, allowing malicious code to execute undetected, and this activity can be detected via Endpoint Detection and Response (EDR) agents.

Adversaries tamper with Windows Defender's Attack Surface Reduction (ASR) rules or threat default actions using Add-MpPreference or Set-MpPreference commands, aiming to bypass the security tool for undetected malicious code execution.

Adversaries may attempt to disable or modify security tools to evade detection; this analytic identifies the execution of `auditpol.exe` with the `/set` and `/exclude` command-line arguments to exclude specific users' events from audit logs, potentially evading detection and enabling further malicious activities.

An attacker attempts to stop security services on a Windows endpoint using sc.exe, net.exe, or PowerShell Stop-Service cmdlet to weaken defenses for further malicious activity.

This analytic detects unexpected shutdowns of the Linux auditd daemon, potentially indicating attempts to disable security monitoring and evade detection by attackers.

The use of Microsoft Workflow Compiler (microsoft.workflow.compiler.exe), a rarely utilized executable typically found in C:\Windows\Microsoft.NET\Framework64\v4.0.30319, can indicate malicious intent such as code execution or persistence mechanisms, potentially leading to unauthorized access.

Attackers are using PowerShell commands with specific Set-MpPreference parameters to disable Windows Defender's real-time behavior monitoring, a common tactic for malware to evade detection and persist on compromised systems.

Detects the suspicious spawning of MSBuild.exe by Windows Script Host processes (cscript.exe or wscript.exe), a behavior often associated with malware executing malicious MSBuild processes via scripts.

The execution of MpCmdRun.exe with the '-RemoveDefinitions' argument, used to remove definitions from the Windows Malware Protection Engine, can indicate potential malware activity or attempts to bypass security measures.

Detection of abnormal Linux audit daemon (auditd) termination via DAEMON_ABORT events, indicating potential auditing subsystem failure due to resource exhaustion, corruption, or malicious interference.

Detection of Windows Firewall being disabled via the `netsh` command, potentially exposing the system to external threats and unauthorized communication.

Detection of failed file download attempts on ESXi hosts, potentially indicating unauthorized or malicious activity such as installing or updating components, including VIBs or scripts.

The creation of an XLL file outside of typical locations can indicate an attempt to abuse Excel COM objects to load and execute a malicious XLL payload, often used in spearphishing attacks to achieve remote code execution.

This detection identifies delete events on CrowdStrike registry keys, which typically occur during agent uninstallation, so any unplanned or unexpected removal of these keys should be investigated for malicious activity such as defense evasion or exploits like CVE-2022-44721.

This analytic detects the use of `wmic.exe` with the `delete` command to terminate a process by specifying its executable path, often used to disable security tools or critical processes during the setup of malicious activities like cryptocurrency mining.

This analytic detects the execution of attacker tools used for unauthorized access, network scanning, privilege escalation, password dumping, or data exfiltration, based on process activity data from EDR agents and focusing on known attacker tool names.

The Netspy network scanner, a tool for internal network discovery, is executed on a Windows endpoint to enumerate active hosts and services, potentially for reconnaissance purposes.

The sfc.exe utility is used with the "-u" parameter to uninstall Cisco Secure Endpoint components, potentially disabling endpoint protection and facilitating further exploitation.

The sfc.exe utility is being used with the '-unblock' parameter, a feature within Cisco Secure Endpoint, to remove system blocks imposed by the endpoint protection, potentially indicating an attempt to bypass security measures and execute blocked malicious payloads.

An attacker attempts to disable the Immunet Protect service of Cisco Secure Endpoint by leveraging the `sfc.exe` utility with the `-k` parameter, potentially blinding the EDR for further compromise.

A machine learning job detected a suspicious Windows process, predicted to be malicious by the ProblemChild supervised ML model and found to be unusual within the user's context, potentially indicating defense evasion techniques like masquerading or the use of LOLbins.

The redirection of standard output to /dev/null on Linux systems, particularly when observed in conjunction with other suspicious activities, can indicate attempts to hide malicious command execution, as seen in malware like Cyclops Blink, potentially leading to unauthorized system modifications and persistent access.

The analytic identifies the use of taskkill.exe to forcibly terminate processes, focusing on command-line executions that include specific taskkill parameters, which can indicate attempts to disable security tools or disrupt legitimate applications.

Detection of modifications to the Windows registry that change the Windows Defender Quick Scan Interval, potentially impairing its ability to detect malware promptly.