Azure VM Extension CRUD from Unusual Source ASN
2 rules, 2 TTPs
Threat actors are performing create, read, update, or delete (CRUD) operations against Azure VM or VM Scale Set extensions (e.g., CustomScript, DSC) from an anomalous source Autonomous System (AS) number, enabling high-privilege code execution and persistence on guest operating systems (SYSTEM on Windows, root on Linux) by abusing compromised Azure identities.
Kubernetes and Cloud Credential Path Access via Process Arguments
3 rules, 2 TTPs
This rule detects Linux process executions that access high-value Kubernetes service-account material, kubeconfig or node PKI paths, or common cloud credential files, potentially indicating credential theft within in-cluster and hybrid environments.
Azure VM Extension Deployment by Interactive User
2 rules, 3 TTPs
Successful deployment of a high-risk Azure Virtual Machine extension by an interactive user principal can lead to arbitrary code execution, backdoor account creation, credential harvesting, and persistence on Azure-hosted virtual machines.
Active Directory Lateral Movement Identified via Splunk Correlation
2 rules, 1 TTP
This correlation identifies potential lateral movement within an Active Directory environment by correlating multiple analytics from the Active Directory Lateral Movement analytic story within a specified time frame; such activity can lead to privilege escalation, access to sensitive information, and persistence within the environment.
Potential Privilege Escalation via unshare and UID Change
2 rules, 2 TTPs
This rule detects potential privilege escalation attempts on Linux systems by monitoring the use of `unshare` with user namespace-related arguments followed by a UID change to root, indicating a transition to root and a potential local privilege escalation.
Wiz Runtime Sensor Provides Threat Detection for Google Cloud Run Containers
3 rules, 1 TTP
Wiz's Runtime Sensor for Google Cloud Run Containers offers real-time threat detection and response for serverless container workloads by monitoring process execution, system calls, and runtime behavior to detect unauthorized activity, correlate events into consolidated threats, and enable automated responses.
Microsoft Graph Multi-Category Reconnaissance Burst
2 rules, 2 TTPs
The rule detects Microsoft Graph activity from delegated user tokens where a single user session and source IP rapidly touches multiple high-value Graph paths indicative of reconnaissance, suggesting a broad enumeration playbook.
Leveraging Linux Cgroups for Threat Detection and Investigation
2 rules
This brief outlines how Linux cgroups, a kernel feature for resource management, can be repurposed to provide valuable telemetry for detecting malicious processes, particularly in systemd, Docker, and Kubernetes environments, aiding in investigations of server compromises.
Suspicious Kerberos Authentication Ticket Request
2 rules, 2 TTPs
This rule detects suspicious Kerberos authentication ticket requests by correlating network connections to the standard Kerberos port (88) from a source machine with a Kerberos authentication ticket request recorded on the target domain controller, which could indicate lateral movement or credential access attempts within a Windows domain.
Volume Shadow Copy Deletion via WMIC
3 rules, 2 TTPs
The rule detects the use of wmic.exe for shadow copy deletion on Windows endpoints, a common tactic used in ransomware or other destructive attacks to inhibit system recovery.
Potential Pass-the-Hash (PtH) Attempt Detection
2 rules, 1 TTP
This rule detects potential Pass-the-Hash (PtH) attempts in Windows environments by monitoring successful authentications with specific user IDs (S-1-5-21-* or S-1-12-1-*) and the `seclogo` logon process, where attackers use stolen password hashes to authenticate and move laterally across systems without needing plaintext passwords.
Potential Computer Account NTLM Relay Activity
2 rules, 2 TTPs
Detection of potential NTLM relay attacks targeting computer accounts by identifying authentication events originating from hosts other than the account's owner, indicating possible credential theft and misuse.
Expanding Detection Beyond Endpoints to Counter Evolving Threats
3 rules, 6 TTPs
Threat actors are rapidly exfiltrating data by exploiting blind spots created by an over-reliance on endpoint data, necessitating a comprehensive security approach that incorporates cloud, identity, and network telemetry for effective threat detection and response.
Multiple Rare Elastic Defend Behavior Rules Triggered on Single Host
2 rules, 8 TTPs
This rule identifies hosts triggering multiple distinct, globally rare Elastic Defend behavior rules, increasing the likelihood of detecting compromised hosts while reducing false positives.
Multiple External EDR Alerts by Host
3 rules, 3 TTPs
This rule detects multiple external EDR alerts on the same host, indicating a potential compromise. It analyzes alert data from various EDR solutions such as CrowdStrike, SentinelOne, and M365 Defender to identify hosts triggering multiple alerts, enabling prioritization of investigation and response.
Self-Hosted Email Threat Detection Tool
2 rules
A user created a self-hosted email threat detection tool, named VerdictMail, employing IMAP IDLE for real-time monitoring and multi-stage enrichment via SPF, DKIM, DMARC, DNSBL, WHOIS, URLhaus, and VirusTotal, coupled with an LLM for threat assessment.
Multiple Alerts in Different ATT&CK Tactics by Host
3 rules, 3 TTPs
This rule uses alert data to identify hosts with multiple alerts across different ATT&CK tactics, indicating a higher likelihood of compromise and enabling analysts to prioritize triage and response based on accumulated risk score.
Multiple Alerts Involving a User Detection
2 rules, 3 TTPs
This rule identifies when multiple different alerts involving the same user are triggered, which could indicate a compromised user account and requires further investigation.
Spike in Number of Processes in an RDP Session
2 rules, 2 TTPs
A machine learning job has detected an unusually high number of processes started within a single Remote Desktop Protocol (RDP) session, potentially indicating lateral movement activity.
Okta Security Threat Detected
2 rules, 1 TTP
This alert detects when Okta's ThreatInsight identifies a security threat within an Okta environment, potentially indicating command and control activity.
Detection of Command and Control Activity via Commonly Abused Web Services
2 rules, 2 TTPs
This rule detects command and control activity using common web services by identifying Windows hosts making DNS requests to a list of commonly abused web services from processes outside of known program locations, potentially indicating adversaries attempting to blend malicious traffic with legitimate network activity.
Unusual Time or Day for an RDP Session Detected by Machine Learning
2 rules, 2 TTPs
A machine learning job detected an RDP session initiated at an unusual time or day, potentially indicating lateral movement activity within a network.
Execution of Persistent Suspicious Programs via Run Keys
2 rules, 8 TTPs
This analytic identifies suspicious programs such as script interpreters, rundll32, or MSBuild being executed shortly after user logon, indicating potential persistence mechanisms abusing the registry Run keys.
Kubernetes Pod Exec with Curl or Wget to HTTPS
2 rules, 2 TTPs
This rule detects Kubernetes pod exec API calls using curl or wget to fetch HTTPS URLs, potentially indicating malicious activity such as staging tools or exfiltrating data.
Suspicious Whoami Process Activity
2 rules, 2 TTPs
This rule detects suspicious use of whoami.exe to display user, group, and privilege information for the user who is currently logged on to the local system, potentially indicating post-compromise discovery activity.
Newly Observed High Severity Detection Alert in Elastic SIEM
3 rules
This rule detects newly observed, low-frequency, high-severity Elastic SIEM detection alerts affecting a single agent, helping prioritize triage and response by highlighting alerts tied to specific detection rules that have not been seen previously for the host.
Multiple Alerts in Same ATT&CK Tactic by Host
2 rules, 4 TTPs
This rule correlates multiple security alerts associated with the same ATT&CK tactic on a single host within a defined time window, helping to identify hosts exhibiting concentrated malicious behavior indicative of an active intrusion or post-compromise activity. It focuses on the Credential Access, Defense Evasion, Execution, and Command and Control tactics.
Kubernetes Rapid Secret GET Activity Against Multiple Objects
2 rules, 1 TTP
Detects an unusual volume of Kubernetes API get requests against multiple distinct Secret objects from the same client fingerprint, potentially indicating credential access or in-cluster reconnaissance.
IOBit Unlocker Extension DLL Registration via Regsvr32
2 rules, 1 TTP
The IOBit Unlocker extension DLL, part of a Windows utility that unlocks files or folders by terminating the processes holding them, is being registered via regsvr32.exe; this capability could be abused for malicious purposes.
Execution of a Downloaded Windows Script
3 rules, 7 TTPs
This rule identifies the creation and subsequent execution of a Windows script downloaded from the internet, a technique used by adversaries for initial access and execution on Windows systems.
Suspicious RDP Client Image Load
2 rules, 1 TTP
The rule detects suspicious loading of the Remote Desktop Services ActiveX Client (mstscax.dll) from unusual locations, potentially indicating RDP lateral movement on Windows systems.
Multiple Remote Management Tool Vendors on Same Host
3 rules
This detection identifies a Windows host where two or more distinct remote monitoring and management (RMM) or remote-access tool vendors are observed starting processes within the same eight-minute window, potentially indicating compromise, shadow IT, or attacker staging of redundant access.
High Variance in RDP Session Duration Detected via Machine Learning
2 rules, 2 TTPs
A machine learning job has detected unusually high variance in RDP session duration, potentially indicating lateral movement and session persistence by threat actors.