HackTool - HollowReaper Execution:
windowsprocess_creationhigh2025-07-01
Detects usage of HollowReaper, a process hollowing shellcode launcher used for stealth payload execution through process hollowing.
It replaces the memory of a legitimate process with custom shellcode, allowing the attacker to execute payloads under the guise of trusted binaries.
HackTool - Doppelanger LSASS Dumper Execution:
windowsprocess_creationhigh2025-07-01
Detects the execution of the Doppelanger hacktool which is used to dump LSASS memory via process cloning while evading common detection methods
FileFix - Suspicious Child Process from Browser File Upload Abuse:
windowsprocess_creationhigh2025-06-26
Detects potentially suspicious subprocesses such as LOLBINs spawned by web browsers. This activity could be associated with the "FileFix" social engineering technique,
where users are tricked into launching the file explorer via a browser-based phishing page and pasting malicious commands into the address bar.
The technique abuses clipboard manipulation and disguises command execution as benign file path access, resulting in covert execution of system utilities.
Trusted Path Bypass via Windows Directory Spoofing:
windowsimage_loadhigh2025-06-17
Detects DLLs loading from a spoofed Windows directory path with an extra space (e.g "C:\Windows \System32") which can bypass Windows trusted path verification.
This technique tricks Windows into treating the path as trusted, allowing malicious DLLs to load with high integrity privileges bypassing UAC.
Suspicious Download and Execute Pattern via Curl/Wget:
linuxprocess_creationhigh2025-06-17
Detects suspicious use of command-line tools such as curl or wget to download remote
content - particularly scripts - into temporary directories (e.g., /dev/shm, /tmp), followed by
immediate execution, indicating potential malicious activity. This pattern is commonly used
by malicious scripts, stagers, or downloaders in fileless or multi-stage Linux attacks.
Special File Creation via Mknod Syscall:
linuxNULLlow2025-05-31
Detects usage of the `mknod` syscall to create special files (e.g., character or block devices).
Attackers or malware might use `mknod` to create fake devices, interact with kernel interfaces,
or establish covert channels in Linux systems.
Monitoring the use of `mknod` is important because this syscall is rarely used by legitimate applications,
and it can be abused to bypass file system restrictions or create backdoors.
System Info Discovery via Sysinfo Syscall:
linuxNULLlow2025-05-30
Detects use of the sysinfo system call in Linux, which provides a snapshot of key system statistics such as uptime, load averages, memory usage, and the number of running processes.
Malware or reconnaissance tools might leverage sysinfo to fingerprint the system - gathering data to determine if it's a viable target.
Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall:
linuxNULLmedium2025-05-27
Detects the use of the `syslog` syscall with action code 5 (SYSLOG_ACTION_CLEAR),
(4 is SYSLOG_ACTION_READ_CLEAR and 6 is SYSLOG_ACTION_CONSOLE_OFF) which clears the kernel
ring buffer (dmesg logs). This can be used by attackers to hide traces after exploitation
or privilege escalation. A common technique is running `dmesg -c`, which triggers this syscall internally.
Disable ASLR Via Personality Syscall - Linux:
linuxNULLlow2025-05-26
Detects the use of the `personality` syscall with the ADDR_NO_RANDOMIZE flag (0x0040000),
which disables Address Space Layout Randomization (ASLR) in Linux. This is often used by attackers
exploit development, or to bypass memory protection mechanisms.
A successful use of this flag can reduce the effectiveness of ASLR and make memory corruption
attacks more reliable.
Other latest updates
Remote Access Tool - Renamed MeshAgent Execution - MacOS:
macosprocess_creationhigh2025-05-19
Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent.
RMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management.
However, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems.
Remote Access Tool - Potential MeshAgent Execution - MacOS:
macosprocess_creationmedium2025-05-19
Detects potential execution of MeshAgent which is a tool used for remote access.
Historical data shows that threat actors rename MeshAgent binary to evade detection.
Matching command lines with the '--meshServiceName' argument can indicate that the MeshAgent is being used for remote access.
HTTP Request to Low Reputation TLD or Suspicious File Extension:
zeekNULLmedium2025-02-26
Detects HTTP requests to low reputation TLDs (e.g. .xyz, .top, .ru) or ending in suspicious file extensions (.exe, .dll, .hta), which may indicate malicious activity.
Azure Login Bypassing Conditional Access Policies:
m365NULLhigh2025-01-08
Detects a successful login to the Microsoft Intune Company Portal which could allow bypassing Conditional Access Policies and InTune device trust using a tool like TokenSmith.
AWS Key Pair Import Activity:
awsNULLmedium2024-12-19
Detects the import of SSH key pairs into AWS EC2, which may indicate an attacker attempting to gain unauthorized access to instances. This activity could lead to initial access, persistence, or privilege escalation, potentially compromising sensitive data and operations.
Splunk Detection rules latest updates
Windows Data Destruction Recursive Exec Files Deletion:
endpointEndpoint2025-06-27
The following analytic identifies a suspicious process that is recursively deleting executable files on a compromised host. It leverages Sysmon Event Codes 23 and 26 to detect this activity by monitoring for a high volume of deletions or overwrites of files with extensions like .exe, .sys, and .dll. This behavior is significant as it is commonly associated with destructive malware such as CaddyWiper, DoubleZero, and SwiftSlicer, which aim to make file recovery impossible. If confirmed malicious, this activity could lead to significant data loss and system instability, severely impacting business operations.
Windows Raw Access To Disk Volume Partition:
endpointEndpoint2025-06-27
The following analytic detects suspicious raw access reads to the device disk partition of a host machine. It leverages Sysmon EventCode 9 logs to identify processes attempting to read or write to the boot sector, excluding legitimate system processes. This activity is significant as it is commonly associated with destructive actions by adversaries, such as wiping, encrypting, or overwriting the boot sector, as seen in attacks involving malware like HermeticWiper. If confirmed malicious, this behavior could lead to severe impacts, including system inoperability, data loss, or compromised boot integrity.
Windows Raw Access To Master Boot Record Drive:
endpointEndpoint2025-06-27
The following analytic detects suspicious raw access reads to the drive containing the Master Boot Record (MBR). It leverages Sysmon EventCode 9 to identify processes attempting to read or write to the MBR sector, excluding legitimate system processes. This activity is significant because adversaries often target the MBR to wipe, encrypt, or overwrite it as part of their impact payload. If confirmed malicious, this could lead to system instability, data loss, or a complete system compromise, severely impacting the organization's operations.
Linux Auditd Add User Account Type:
endpointEndpoint2025-06-26
The following analytic detects the suspicious add user account type. This behavior is critical for a SOC to monitor because it may indicate attempts to gain unauthorized access or maintain control over a system. Such actions could be signs of malicious activity. If confirmed, this could lead to serious consequences, including a compromised system, unauthorized access to sensitive data, or even a wider breach affecting the entire network. Detecting and responding to these signs early is essential to prevent potential security incidents.
Potential password in username:
accessEndpoint2025-06-26
The following analytic identifies instances where users may have mistakenly entered their passwords in the username field during authentication attempts. It detects this by analyzing failed authentication events with usernames longer than 7 characters and high Shannon entropy, followed by a successful authentication from the same source to the same destination. This activity is significant as it can indicate potential security risks, such as password exposure. If confirmed malicious, attackers could exploit this to gain unauthorized access, leading to potential data breaches or further compromise of the system.
PowerShell Invoke WmiExec Usage:
endpointEndpoint2025-06-24
The following analytic detects the execution of the Invoke-WMIExec utility within PowerShell Script Block Logging (EventCode 4104). This detection leverages PowerShell script block logs to identify instances where the Invoke-WMIExec command is used. Monitoring this activity is crucial as it indicates potential lateral movement using WMI commands with NTLMv2 pass-the-hash authentication. If confirmed malicious, this activity could allow an attacker to execute commands remotely on target systems, potentially leading to further compromise and lateral spread within the network.
GetNetTcpconnection with PowerShell Script Block:
endpointEndpoint2025-06-24
The following analytic detects the execution of the `Get-NetTcpconnection` PowerShell cmdlet using PowerShell Script Block Logging (EventCode=4104). This cmdlet lists network connections on a system, which adversaries may use for situational awareness and Active Directory discovery. Monitoring this activity is crucial as it can indicate reconnaissance efforts by an attacker. If confirmed malicious, this behavior could allow an attacker to map the network, identify critical systems, and plan further attacks, potentially leading to data exfiltration or lateral movement within the network.
Disabled Kerberos Pre-Authentication Discovery With Get-ADUser:
endpointEndpoint2025-06-24
The following analytic detects the execution of the `Get-ADUser` PowerShell cmdlet with parameters indicating a search for domain accounts with Kerberos Pre-Authentication disabled. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this specific activity. This behavior is significant because discovering accounts with Kerberos Pre-Authentication disabled can allow adversaries to perform offline password cracking. If confirmed malicious, this activity could lead to unauthorized access to user accounts, potentially compromising sensitive information and escalating privileges within the network.
GetDomainGroup with PowerShell Script Block:
endpointEndpoint2025-06-24
The following analytic detects the execution of the `Get-DomainGroup` cmdlet using PowerShell Script Block Logging (EventCode=4104). This cmdlet, part of the PowerView tool, is used to enumerate domain groups within a Windows domain. The detection leverages script block text to identify this specific command. Monitoring this activity is crucial as it may indicate an adversary or Red Team performing reconnaissance to gain situational awareness and map out Active Directory structures. If confirmed malicious, this activity could lead to further exploitation, including privilege escalation and lateral movement within the network.
Windows Powershell Import Applocker Policy:
endpointEndpoint2025-06-24
The following analytic detects the import of Windows PowerShell Applocker cmdlets, specifically identifying the use of "Import-Module Applocker" and "Set-AppLockerPolicy" with an XML policy. It leverages PowerShell Script Block Logging (EventCode 4104) to capture and analyze script block text. This activity is significant as it may indicate an attempt to enforce restrictive Applocker policies, potentially used by malware like Azorult to disable antivirus products. If confirmed malicious, this could allow an attacker to bypass security controls, leading to further system compromise and persistence.
Elevated Group Discovery with PowerView:
endpointEndpoint2025-06-24
The following analytic detects the execution of the `Get-DomainGroupMember` cmdlet from PowerView, identified through PowerShell Script Block Logging (EventCode=4104). This cmdlet is used to enumerate members of elevated domain groups such as Domain Admins and Enterprise Admins. Monitoring this activity is crucial as it indicates potential reconnaissance efforts by adversaries to identify high-privileged users within the domain. If confirmed malicious, this activity could lead to targeted attacks on privileged accounts, facilitating further compromise and lateral movement within the network.
Windows PowerSploit GPP Discovery:
endpointEndpoint2025-06-24
The following analytic detects the execution of the Get-GPPPassword PowerShell cmdlet, which is used to search for unsecured credentials in Group Policy Preferences (GPP). This detection leverages PowerShell Script Block Logging to identify specific script block text associated with this cmdlet. Monitoring this activity is crucial as it can indicate an attempt to retrieve and decrypt stored credentials from SYSVOL, potentially leading to unauthorized access. If confirmed malicious, this activity could allow an attacker to escalate privileges or move laterally within the network by exploiting exposed credentials.
Recon Using WMI Class:
endpointEndpoint2025-06-24
The following analytic detects suspicious PowerShell activity via EventCode 4104, where WMI performs event queries to gather information on running processes or services. This detection leverages PowerShell Script Block Logging to identify specific WMI queries targeting system information classes like Win32_Bios and Win32_OperatingSystem. This activity is significant as it often indicates reconnaissance efforts by an adversary to profile the compromised machine. If confirmed malicious, the attacker could gain detailed system information, aiding in further exploitation or lateral movement within the network.
Domain Group Discovery with Adsisearcher:
endpointEndpoint2025-06-24
The following analytic detects the use of the `[Adsisearcher]` type accelerator in PowerShell to query Active Directory for domain groups. It leverages PowerShell Script Block Logging (EventCode=4104) to identify specific script blocks containing `[adsisearcher]` and group-related queries. This activity is significant as it may indicate an attempt by adversaries or Red Teams to enumerate domain groups for situational awareness and Active Directory discovery. If confirmed malicious, this behavior could lead to further reconnaissance, privilege escalation, or lateral movement within the network.
Kubernetes Anomalous Inbound Network Activity from Process:
networkKubernetes2025-06-24
The following analytic identifies anomalous inbound network traffic volumes from processes within containerized workloads. It leverages Network Performance Monitoring metrics collected via an OTEL collector and pulled from Splunk Observability Cloud. The detection compares recent metrics (tcp.bytes, tcp.new_sockets, tcp.packets, udp.bytes, udp.packets) over the last hour with the average over the past 30 days. This activity is significant as it may indicate unauthorized data reception, potential breaches, vulnerability exploitation, or malware propagation. If confirmed malicious, it could lead to command and control installation, data integrity damage, container escape, and further environment compromise.
