WScript or CScript Dropper - File:
windows | file_event | high | 2022-01-10
Detects a file ending in jse, vbe, js, vba, or vbs written by cscript.exe or wscript.exe
Application URI Configuration Changes:
azure | NULL | high | 2022-06-02
Detects when a configuration change is made to an application's URI.
URIs for domain names that no longer exist (dangling URIs), URIs not using HTTPS, wildcards at the end of the domain, URIs that are not unique to that app, or URIs that point to domains you do not control should be investigated.
Suspicious Curl File Upload - Linux:
linux | process_creation | medium | 2022-09-15
Detects a suspicious curl process start that adds a file to a web request
Password Protected ZIP File Opened:
windows | NULL | medium | 2022-05-09
Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.
Suspicious Download from Office Domain:
windows | process_creation | high | 2021-12-27
Detects suspicious ways to download files from Microsoft domains that are used to store attachments in emails or OneNote documents
Linux Doas Conf File Creation:
linux | file_event | medium | 2022-01-20
Detects the creation of a doas.conf file on a Linux host.
Detection of PowerShell Execution via Sqlps.exe:
windows | process_creation | medium | 2020-10-10
This rule detects execution of PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with MSSQL Server.
Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of those logs.