HKTL - SharpSuccessor Privilege Escalation Tool Execution:
windows | process_creation | high | 2025-06-06
Detects the execution of SharpSuccessor, a tool used to exploit the BadSuccessor attack for privilege escalation in Windows Server 2025 Active Directory environments.
Successful use of this tool can let attackers gain domain admin privileges by exploiting the BadSuccessor vulnerability.
RegAsm.EXE Execution Without CommandLine Flags or Files:
windows | process_creation | low | 2025-06-04
Detects the execution of "RegAsm.exe" without a commandline flag or file, which might indicate potential process injection activity.
Usually "RegAsm.exe" should point to a dedicated DLL file or call the help with the "/?" flag.
MSSQL Destructive Query:
windows | NULL | medium | 2025-06-04
Detects the invocation of MS SQL transactions that are destructive towards table or database data, such as "DROP TABLE" or "DROP DATABASE".
DNS Query To Common Malware Hosting and Shortener Services:
windows | dns_query | medium | 2025-06-02
Detects DNS queries to domains commonly used by threat actors to host malware payloads or redirect through URL shorteners.
These include platforms like Cloudflare Workers, TryCloudflare, InfinityFree, and URL shorteners such as tinyurl and lihi.cc.
Such DNS activity can indicate potential delivery or command-and-control communication attempts.
linux latest updates
Special File Creation via Mknod Syscall:
linux | NULL | low | 2025-05-31
Detects usage of the `mknod` syscall to create special files (e.g., character or block devices).
Attackers or malware might use `mknod` to create fake devices, interact with kernel interfaces,
or establish covert channels in Linux systems.
Monitoring the use of `mknod` is important because this syscall is rarely used by legitimate applications,
and it can be abused to bypass file system restrictions or create backdoors.
System Info Discovery via Sysinfo Syscall:
linux | NULL | low | 2025-05-30
Detects use of the sysinfo system call in Linux, which provides a snapshot of key system statistics such as uptime, load averages, memory usage, and the number of running processes.
Malware or reconnaissance tools might leverage sysinfo to fingerprint the system - gathering data to determine if it's a viable target.
Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall:
linux | NULL | medium | 2025-05-27
Detects the use of the `syslog` syscall with action code 5 (SYSLOG_ACTION_CLEAR), which clears the kernel ring buffer (dmesg logs); the related action codes 4 (SYSLOG_ACTION_READ_CLEAR) and 6 (SYSLOG_ACTION_CONSOLE_OFF) are also covered. Attackers can use this to hide traces after exploitation or privilege escalation. A common technique is running `dmesg -c`, which triggers this syscall internally.
Disable ASLR Via Personality Syscall - Linux:
linux | NULL | low | 2025-05-26
Detects the use of the `personality` syscall with the ADDR_NO_RANDOMIZE flag (0x0040000), which disables Address Space Layout Randomization (ASLR) in Linux. This is often used by attackers for exploit development or to bypass memory protection mechanisms. A successful use of this flag reduces the effectiveness of ASLR and makes memory corruption attacks more reliable.
Potential Abuse of Linux Magic System Request Key:
linux | NULL | medium | 2025-05-23
Detects the potential abuse of the Linux Magic SysRq (System Request) key by adversaries with root or sufficient privileges
to silently manipulate or destabilize a system. By writing to /proc/sysrq-trigger, they can crash the system, kill processes,
or disrupt forensic analysis—all while bypassing standard logging. Though intended for recovery and debugging, SysRq can be
misused as a stealthy post-exploitation tool. It is controlled via /proc/sys/kernel/sysrq or permanently through /etc/sysctl.conf.
Other latest updates
HTTP Request to Low Reputation TLD or Suspicious File Extension:
zeek | NULL | medium | 2025-02-26
Detects HTTP requests to low reputation TLDs (e.g. .xyz, .top, .ru) or ending in suspicious file extensions (.exe, .dll, .hta), which may indicate malicious activity.
Azure Login Bypassing Conditional Access Policies:
m365 | NULL | high | 2025-01-08
Detects a successful login to the Microsoft Intune Company Portal, which could allow bypassing Conditional Access Policies and Intune device trust using a tool like TokenSmith.
New AWS Lambda Function URL Configuration Created:
aws | NULL | medium | 2024-12-19
Detects when a user creates a Lambda function URL configuration, which could be used to expose the function to the internet and potentially allow unauthorized access to the function's IAM role for AWS API calls.
This could give an adversary access to the privileges associated with the Lambda service role that is attached to that function.
AWS SAML Provider Deletion Activity:
aws | NULL | medium | 2024-12-19
Detects the deletion of an AWS SAML provider, potentially indicating malicious intent to disrupt administrative or security team access.
An attacker can remove the SAML provider used by the information security team or by system administrators, making it difficult for them to work and to investigate both during the attack and afterwards.
AWS Key Pair Import Activity:
aws | NULL | medium | 2024-12-19
Detects the import of SSH key pairs into AWS EC2, which may indicate an attacker attempting to gain unauthorized access to instances. This activity could lead to initial access, persistence, or privilege escalation, potentially compromising sensitive data and operations.
Splunk Detection rules latest updates
Cobalt Strike Named Pipes:
endpoint | Endpoint | 2025-06-17
The following analytic detects the use of default or publicly known named pipes associated with Cobalt Strike. It leverages Sysmon EventID 17 and 18 to identify specific named pipes commonly used by Cobalt Strike's Artifact Kit and Malleable C2 Profiles. This activity is significant because Cobalt Strike is a popular tool for adversaries to conduct post-exploitation tasks, and identifying its named pipes can reveal potential malicious activity. If confirmed malicious, this could indicate an active Cobalt Strike beacon, leading to unauthorized access, data exfiltration, or further lateral movement within the network.
Network Traffic to Active Directory Web Services Protocol:
endpoint | Network | 2025-06-17
The following analytic identifies network traffic directed to the Active Directory Web Services Protocol (ADWS) on port 9389. It leverages network traffic logs, focusing on source and destination IP addresses, application names, and destination ports. This activity is significant as ADWS is used to manage Active Directory, and unauthorized access could indicate malicious intent. If confirmed malicious, an attacker could manipulate Active Directory, potentially leading to privilege escalation, unauthorized access, or persistent control over the environment.
Modify ACL permission To Files Or Folder:
endpoint | Endpoint | 2025-06-17
The following analytic detects the modification of ACL permissions on files or folders, making them accessible to everyone or to the SYSTEM account. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on processes like "cacls.exe," "icacls.exe," and "xcacls.exe" with specific command-line arguments. This activity is significant as it may indicate an adversary attempting to evade ACLs or access protected files. If confirmed malicious, this could allow unauthorized access to sensitive data, potentially leading to data breaches or further system compromise.
Excessive Usage Of Cacls App:
endpoint | Endpoint | 2025-06-17
The following analytic identifies excessive usage of `cacls.exe`, `xcacls.exe`, or `icacls.exe` to change file or folder permissions. It looks for 10 or more executions of the aforementioned processes within the span of 1 minute. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it may indicate an adversary attempting to restrict access to malware components or artifacts on a compromised system. If confirmed malicious, this behavior could prevent users from deleting or accessing critical files, aiding in the persistence and concealment of malicious activities.
ICACLS Grant Command:
endpoint | Endpoint | 2025-06-17
The following analytic detects the use of the ICACLS command to grant additional access permissions to files or directories. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific process names and command-line arguments. This activity is significant because it is commonly used by Advanced Persistent Threats (APTs) and coinminer scripts to evade detection and maintain control over compromised systems. If confirmed malicious, this behavior could allow attackers to manipulate file permissions, potentially leading to unauthorized access, data exfiltration, or further system compromise.
Suspicious Copy on System32:
endpoint | Endpoint | 2025-06-17
The following analytic detects potentially suspicious file copy operations that use the System32 or SysWow64 directories as the source, which is often indicative of malicious activity. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on activity initiated by command-line tools like cmd.exe or PowerShell. This behavior is significant as it may indicate an attempt to evade defenses by copying an existing binary from the system directory and renaming it. If confirmed malicious, this activity could allow an attacker to execute code undetected, potentially leading to system compromise or further lateral movement within the network.
Icacls Deny Command:
endpoint | Endpoint | 2025-06-17
The following analytic detects instances where an adversary modifies the security permissions of a file or directory using commands like "icacls.exe", "cacls.exe", or "xcacls.exe" with deny options. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it is commonly used by Advanced Persistent Threats (APTs) and coinminer scripts to evade detection and impede access to critical files. If confirmed malicious, this could allow attackers to maintain persistence and hinder incident response efforts.
Gsuite Suspicious Shared File Name:
endpoint | GSuite | 2025-06-17
The following analytic detects shared files in Google Drive with suspicious filenames commonly used in spear phishing campaigns. It leverages GSuite Drive logs to identify documents with titles that include keywords like "dhl," "ups," "invoice," and "shipment." This activity is significant because such filenames are often used to lure users into opening malicious documents or clicking harmful links. If confirmed malicious, this activity could lead to unauthorized access, data theft, or further compromise of the user's system.
Prohibited Network Traffic Allowed:
network | Endpoint | 2025-06-17
The following analytic detects instances where network traffic, identified by port and transport layer protocol as prohibited in the "lookup_interesting_ports" table, is allowed. It uses the Network_Traffic data model to cross-reference traffic data against predefined security policies. This activity is significant for a SOC as it highlights potential misconfigurations or policy violations that could lead to unauthorized access or data exfiltration. If confirmed malicious, this could allow attackers to bypass network defenses, leading to potential data breaches and compromising the organization's security posture.
Windows AD Suspicious GPO Modification:
endpoint | Endpoint | 2025-06-16
This analytic looks for the creation of a potentially harmful GPO, which could lead to persistence or code execution on remote hosts. Note that this analytic looks for the absence of the corresponding 5136 events, which is evidence of the GPOs being manually edited (using a tool like PowerView) or of potentially missing logs.
Detect Renamed WinRAR:
endpoint | Endpoint | 2025-06-16
The following analytic identifies instances where `WinRAR.exe` has been renamed and executed. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and original file names within the Endpoint data model. This activity is significant because renaming executables is a common tactic used by attackers to evade detection. If confirmed malicious, this could indicate an attempt to bypass security controls, potentially leading to unauthorized data extraction or further system compromise.
Windows MOVEit Transfer Writing ASPX:
endpoint | Endpoint | 2025-06-16
The following analytic detects the creation of new ASPX files in the MOVEit Transfer application's "wwwroot" directory. It leverages endpoint data on process and filesystem activity to identify processes responsible for creating these files. This activity is significant as it may indicate exploitation of a critical zero-day vulnerability in MOVEit Transfer, used by threat actors to install malicious ASPX files. If confirmed malicious, this could lead to exfiltration of sensitive data, including user credentials and file metadata, posing a severe risk to the organization's security.
Detect Outbound SMB Traffic:
network | Endpoint | 2025-06-10
The following analytic detects outbound SMB (Server Message Block) connections from internal hosts to external servers. It identifies this activity by monitoring network traffic for SMB requests directed towards the Internet, which are unusual for standard operations. This detection is significant for a SOC as it can indicate an attacker's attempt to retrieve credential hashes through compromised servers, a key step in lateral movement and privilege escalation. If confirmed malicious, this activity could lead to unauthorized access to sensitive data and potential full system compromise.
Print Processor Registry Autostart:
endpoint | Endpoint | 2025-06-10
The following analytic detects suspicious modifications or new entries in the Print Processor registry path. It leverages registry activity data from the Endpoint data model to identify changes in the specified registry path. This activity is significant because the Print Processor registry is known to be exploited by APT groups like Turla for persistence and privilege escalation. If confirmed malicious, this could allow an attacker to execute a malicious DLL payload by restarting the spoolsv.exe process, leading to potential control over the compromised machine.