Vendor

ManageEngine

4 briefs RSS

Persistence via Scheduled Job Creation

This detection rule identifies attempts to establish persistence on Windows systems by creating scheduled jobs in the Windows Tasks directory, excluding known legitimate jobs.

Microsoft Defender XDR +5 persistence windows

2r 1t Jan 9, 2024

medium advisory

Potential Defense Evasion via Filter Manager (fltMC.exe)

2 rules 1 TTP

Adversaries may abuse the Filter Manager Control Program (fltMC.exe) to unload filter drivers, thereby evading security software defenses such as malware detection and file system monitoring.

Defender XDR +3 defense-evasion filter-driver fltMC.exe windows

2r 1t Jan 3, 2024

medium advisory

Multiple Remote Management Tool Vendors on Same Host

2 rules

This rule identifies Windows hosts where two or more distinct remote monitoring and management (RMM) or remote-access tool vendors are observed starting processes within the same eight-minute window, potentially indicating compromise, shadow IT, or attacker staging of redundant access.

AeroAdmin +60 remote-access-tool command-and-control rmm windows

2r Jan 3, 2024

medium advisory

Multiple Remote Management Tool Vendors on Same Host

3 rules

This detection identifies a Windows host where two or more distinct remote monitoring and management (RMM) or remote-access tool vendors are observed starting processes within the same eight-minute window, potentially indicating compromise, shadow IT, or attacker staging of redundant access.

AeroAdmin +55 command-and-control rmm windows threat-detection

3r Jan 2, 2024