Vendor
medium
advisory
Potential Evasion via Windows Filtering Platform Blocking Security Software
2 rules 2 TTPsAdversaries may add malicious Windows Filtering Platform (WFP) rules to prevent endpoint security solutions from sending telemetry data, impairing defenses, which this rule detects by identifying multiple WFP block events where the process name is associated with endpoint security software.
Windows Filtering Platform +2
defense-evasion
windows-filtering-platform
endpoint-security
2r
2t
high
advisory
Komari Agent Abused as SYSTEM-Level Backdoor
2 rules 4 TTPs 2 IOCsThreat actors are abusing the Komari monitoring agent, a project hosted on GitHub, as a SYSTEM-level backdoor following initial access through compromised VPN credentials and lateral movement via Impacket.
Defender +2
komari
backdoor
nssm
github
rat
reverse shell
2r
4t
2i
medium
advisory
LSASS Loading Suspicious DLL
2 rules 2 TTPs 9 IOCsDetection of LSASS loading an unsigned or untrusted DLL, which can indicate credential access attempts by malicious actors targeting sensitive information stored in the LSASS process.
Windows
credential-access
lsass
dll-injection
2r
2t
9i