Renamed Schtasks Execution:
windowsprocess_creationhigh2025-11-27
Detects the execution of renamed schtasks.exe binary, which is a legitimate Windows utility used for scheduling tasks.
One of the very common persistence techniques is schedule malicious tasks using schtasks.exe.
Since, it is heavily abused, it is also heavily monitored by security products. To evade detection, threat actors may rename the schtasks.exe binary to schedule their malicious tasks.
Suspicious FileFix Execution Pattern:
windowsprocess_creationhigh2025-11-24
Detects suspicious FileFix execution patterns where users are tricked into running malicious commands through browser file upload dialog manipulation.
This attack typically begins when users visit malicious websites impersonating legitimate services or news platforms,
which may display fake CAPTCHA challenges or direct instructions to open file explorer and paste clipboard content.
The clipboard content usually contains commands that download and execute malware, such as information stealing tools.
HackTool - WSASS Execution:
windowsprocess_creationhigh2025-11-23
Detects execution of WSASS, a tool used to dump LSASS memory on Windows systems by leveraging WER's
(Windows Error Reporting) WerFaultSecure.EXE to bypass PPL (Protected Process Light) protections.
Unsigned .node File Loaded:
windowsimage_loadmedium2025-11-22
Detects the loading of unsigned .node files.
Adversaries may abuse a lack of .node integrity checking to execute arbitrary code inside of trusted applications such as Slack.
.node files are native add-ons for Electron-based applications, which are commonly used for desktop applications like Slack, Discord, and Visual Studio Code.
This technique has been observed in the DripLoader malware, which uses unsigned .node files to load malicious native code into Electron applications.
Windows Default Domain GPO Modification via GPME:
windowsprocess_creationmedium2025-11-22
Detects the use of the Group Policy Management Editor (GPME) to modify Default Domain or Default Domain Controllers Group Policy Objects (GPOs).
Adversaries may leverage GPME to make stealthy changes in these default GPOs to deploy malicious GPOs configurations across the domain without raising suspicion.
linux latest updates
Suspicious Filename with Embedded Base64 Commands:
linuxfile_eventhigh2025-11-22
Detects files with specially crafted filenames that embed Base64-encoded bash payloads designed to execute when processed by shell scripts.
These filenames exploit shell interpretation quirks to trigger hidden commands, a technique observed in VShell malware campaigns.
Kaspersky Endpoint Security Stopped Via CommandLine - Linux:
linuxprocess_creationhigh2025-10-18
Detects execution of the Kaspersky init.d stop script on Linux systems either directly or via systemctl.
This activity may indicate a manual interruption of the antivirus service by an administrator, or it could be a sign of potential tampering or evasion attempts by malicious actors.
Mask System Power Settings Via Systemctl:
linuxprocess_creationhigh2025-10-17
Detects the use of systemctl mask to disable system power management targets such as suspend, hibernate, or hybrid sleep.
Adversaries may mask these targets to prevent a system from entering sleep or shutdown states, ensuring their malicious processes remain active and uninterrupted.
This behavior can be associated with persistence or defense evasion, as it impairs normal system power operations to maintain long-term access or avoid termination of malicious activity.
Audit Rules Deleted Via Auditctl:
linuxprocess_creationhigh2025-10-17
Detects the execution of 'auditctl' with the '-D' command line parameter, which deletes all configured audit rules and watches on Linux systems.
This technique is commonly used by attackers to disable audit logging and cover their tracks by removing monitoring capabilities.
Removal of audit rules can significantly impair detection of malicious activities on the affected system.
Python WebServer Execution - Linux:
linuxprocess_creationmedium2025-10-17
Detects the execution of Python web servers via command line interface (CLI).
After gaining access to target systems, adversaries may use Python's built-in HTTP server modules to quickly establish a web server without requiring additional software.
This technique is commonly used in post-exploitation scenarios as it provides a simple method for transferring files between the compromised host and attacker-controlled systems.
Other latest updates
AWS GuardDuty Detector Deleted Or Updated:
awsNULLhigh2025-11-27
Detects successful deletion or disabling of an AWS GuardDuty detector, possibly by an attacker trying to avoid detection of its malicious activities.
Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost.
Verify with the user identity that this activity is legitimate.
FortiGate - New VPN SSL Web Portal Added:
fortigateNULLmedium2025-11-01
Detects the addition of a VPN SSL Web Portal on a Fortinet FortiGate Firewall.
This behavior was observed in pair with modification of VPN SSL settings.
FortiGate - User Group Modified:
fortigateNULLmedium2025-11-01
Detects the modification of a user group on a Fortinet FortiGate Firewall.
The group could be used to grant VPN access to a network.
Splunk Detection rules latest updates
Windows Curl Download to Suspicious Path:
endpointEndpoint2025-11-25
The following analytic detects the use of Windows Curl.exe to download
a file to a suspicious location, such as AppData, ProgramData, or Public directories.
It leverages data from Endpoint Detection and Response (EDR) agents, focusing on
command-line executions that include the -O or --output options. This activity is
significant because downloading files to these locations can indicate an attempt
to bypass security controls or establish persistence. If confirmed malicious, this
behavior could lead to unauthorized code execution, data exfiltration, or further
compromise of the system.
GitHub Workflow File Creation or Modification:
endpointEndpoint2025-11-25
The following analytic hunts for any creations or modifications to GitHub Actions workflow YAML files across the organization's Linux or Windows endpoints.
This hunting query tracks all workflow file activity under .github/workflows directories to help defenders establish baselines of legitimate CI/CD workflow creation patterns, identify unusual or unauthorized changes, and detect anomalies that may indicate supply chain compromise.
GitHub Actions workflows execute with privileged access to secrets and deployment credentials, making them high-value targets for attackers.
By monitoring workflow file modifications over time, defenders can identify suspicious patterns such as unexpected workflow creation on developer workstations, modifications outside normal change windows, or activity in repositories that don't typically contain workflows.
This data is essential for detecting supply chain attacks like Shai-Hulud that inject malicious workflows across multiple repositories.
GitHub Enterprise Register Self Hosted Runner:
networkGitHub2025-11-25
The following analytic identifies when a self-hosted runner is created in GitHub Enterprise. The detection monitors GitHub Enterprise audit logs for actions related to creating new self-hosted runners at the organization or enterprise level. his behavior warrants monitoring because self-hosted runners execute workflow jobs on customer-controlled infrastructure, which could be exploited by attackers to execute malicious code, access sensitive data, or pivot to other systems. While self-hosted runners are a legitimate feature, their creation should be carefully controlled as compromised runners pose significant security risks. The impact includes potential remote code execution, data exfiltration, and lateral movement within the environment if a runner is compromised. SOC teams should investigate unexpected runner creation events to verify they are authorized and properly secured, especially if created by unfamiliar users or in unusual contexts.
Windows Curl Upload to Remote Destination:
endpointEndpoint2025-11-25
The following analytic detects the use of Windows Curl.exe to upload a file to a remote destination. It identifies command-line arguments such as `-T`, `--upload-file`, `-d`, `--data`, and `-F` in process execution logs. This activity is significant because adversaries may use Curl to exfiltrate data or upload malicious payloads. If confirmed malicious, this could lead to data breaches or further compromise of the system. Analysts should review parallel processes and network logs to determine if the upload was successful and isolate the endpoint if necessary.
Shai-Hulud Workflow File Creation or Modification:
endpointEndpoint2025-11-25
Detects creation or deletion of malicious GitHub Actions workflow files associated with
Shai-Hulud worm variants on Linux or Windows endpoints. This includes the original shai-hulud-workflow.yml,
the 2.0 backdoor discussion.yaml (enables command injection via GitHub Discussions on self-hosted
runners named SHA1HULUD), and the secrets exfiltration workflow formatter_*.yml pattern. These
files are used to exfiltrate credentials and propagate across repositories.
Windows File Download Via PowerShell:
endpointEndpoint2025-11-25
The following analytic detects the use of PowerShell's download methods such as
"DownloadString" and "DownloadData" from the WebClient class or Invoke-WebRequest
and it's aliases "IWR" or "Curl".
It leverages data from Endpoint Detection and Response (EDR) agents, focusing on
process execution logs that include command-line details.
This activity can be significant such methods and functions are commonly used in malicious
PowerShell scripts to fetch and execute remote code.
If confirmed malicious, this behavior could allow an attacker to download and run
arbitrary code, potentially leading to unauthorized access, data exfiltration,
or further compromise of the affected system.
Shai-Hulud 2 Exfiltration Artifact Files:
endpointEndpoint2025-11-25
Detects creation of exfiltration artifact files associated with Shai-Hulud 2.0 npm supply
chain malware. The malware creates cloud.json, contents.json, environment.json, truffleSecrets.json,
and actionsSecrets.json files containing harvested credentials from AWS, Azure, GCP, GitHub secrets,
and environment variables. These files are staged before being pushed to attacker-controlled repositories.
File Download or Read to Pipe Execution:
endpointEndpoint2025-11-25
The following analytic detects the use of download or file reading utilities from Windows, Linux or MacOS to download or read the contents of a file from a remote or local source and pipe it directly to a shell for execution.
This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions.
This activity is significant as it is commonly associated with malicious actions like coinminers and exploits such as CVE-2021-44228 in Log4j.
If confirmed malicious, this behavior could allow attackers to execute arbitrary code, potentially leading to system compromise and unauthorized access to sensitive data.
Windows Modify Registry to Add or Modify Firewall Rule:
endpointEndpoint2025-11-20
The following analytic detects a potential addition or modification of firewall rules, signaling possible configuration changes or security policy adjustments. It tracks commands such as netsh advfirewall firewall add rule and netsh advfirewall firewall set rule, which may indicate attempts to alter network access controls. Monitoring these actions ensures the integrity of firewall settings and helps prevent unauthorized network access.
LOLBAS With Network Traffic:
networkEndpoint2025-11-20
The following analytic identifies the use of Living Off the Land Binaries and Scripts (LOLBAS) with network traffic. It leverages data from the Network Traffic data model to detect when native Windows binaries, often abused by adversaries, initiate network connections. This activity is significant as LOLBAS are frequently used to download malicious payloads, enabling lateral movement, command-and-control, or data exfiltration. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a severe threat to organizational security.
Windows NetSupport RMM DLL Loaded By Uncommon Process:
endpointEndpoint2025-11-20
The following analytic detects the loading of specific dynamic-link libraries (DLLs) associated with the NetSupport Remote Manager (RMM) tool by any process on a Windows system.
Modules such as CryptPak.dll, HTCTL32.DLL, IPCTL32.DLL, keyshowhook.dll, pcicapi.DLL, PCICL32.DLL, and TCCTL32.DLL, are integral to NetSupport's functionality.
This detection is particularly valuable when these modules are loaded by processes running from unusual directories (e.g., Downloads, ProgramData, or user-specific folders) rather than the legitimate Program Files installation path, or by executables that have been renamed but retain the internal "client32" identifier.
This helps to identify instances where the legitimate NetSupport tool is being misused by adversaries as a Remote Access Trojan (RAT).
Windows Modify Registry Delete Firewall Rules:
endpointEndpoint2025-11-20
The following analytic detects a potential deletion of firewall rules, indicating a possible security breach or unauthorized access attempt. It identifies actions where firewall rules are removed using commands like netsh advfirewall firewall delete rule, which can expose the network to external threats by disabling critical security measures. Monitoring these activities helps maintain network integrity and prevent malicious attacks.
Windows File and Directory Permissions Enable Inheritance:
endpointEndpoint2025-11-20
The following analytic detects the enabling of permission inheritance using ICACLS. This analytic identifies instances where ICACLS commands are used to enable permission inheritance on files or directories. The /inheritance:e flag, which restores inherited permissions from a parent directory, is monitored to detect changes that might reapply broader access control settings. Enabling inheritance can indicate legitimate administrative actions but may also signal attempts to override restrictive custom permissions, potentially exposing sensitive files to unauthorized access.
Windows File and Directory Enable ReadOnly Permissions:
endpointEndpoint2025-11-20
The following analytic detects instances where file or folder permissions are modified to grant read-only access. Such changes are characterized by the presence of read-related permissions (e.g., R, REA, RA, RD) and the absence of write (W) or execute (E) permissions. Monitoring these events is crucial for tracking access control changes that could be intentional for restricting access or indicative of malicious behavior. Alerts generated by this detection help ensure that legitimate security measures are enforced while unauthorized changes are promptly investigated.
Windows Credentials from Password Stores Deletion:
endpointEndpoint2025-11-20
The following analytic detects the execution of the Windows OS tool cmdkey.exe with the /delete parameter. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. The activity is significant because cmdkey.exe can be used by attackers to delete stored credentials, potentially leading to privilege escalation and persistence. If confirmed malicious, this behavior could allow attackers to remove stored user credentials, hindering incident response efforts and enabling further unauthorized access to the compromised system.
