splunk/security_content v5.24.0

on GitHub

🚀 Key Highlights

• Cisco SD-WAN Analytics: Expanded coverage for Cisco SD-WAN environments with new analytics targeting exploitation and anomalous traffic patterns, including detections for Cisco SD-WAN Arbitrary File Overwrite Exploitation Activity and Cisco SD-WAN Uncommon User-Agent Multi-URI Activity, improving visibility into potential exploitation attempts and suspicious HTTP behaviors indicative of adversary interaction with SD-WAN infrastructure.
• BlankGrabber Stealer and Muddy Water Analytics: Expanded detection coverage for BlankGrabber, a Windows-based information stealer used to harvest browser credentials, cryptocurrency wallets, and authentication tokens, by tagging existing analytics and introducing new detections focused on browser data access, suspicious registry queries, WMI reconnaissance, and defense evasion behaviors such as PowerShell exclusion tampering. This update enhances visibility into credential harvesting, data staging, and stealthy exfiltration activity commonly associated with phishing-delivered stealers and cracked software infections, helping defenders detect and respond to early-stage compromise before widespread account takeover or financial theft occurs.
• Lotus Blossom (Chrysalis Backdoor) Supply Chain Attack: Added new detection coverage for the Lotus Blossom (Billbug) APT group's Chrysalis backdoor campaign, which leveraged a Notepad++ supply chain compromise (June–December 2025) to target government, financial, and IT sectors. This release introduces detections for Bitdefender DLL sideloading abuse, BluetoothService-based persistence, and TinyCC shellcode execution, along with tagging existing analytics for system and user discovery behaviors observed across multiple infection chains. These updates improve visibility into stealthy execution, persistence mechanisms, and post-compromise reconnaissance associated with sophisticated supply chain intrusions and staged payload delivery.
• Standardized Risk Scoring Across Detections: Implemented consistent risk scoring across all analytics by assigning a score of 50 for TTP detections and 20 for anomaly-based detections, improving prioritization, correlation, and alert triage across detection workflows.

New Analytic Story - [4]

• BlankGrabber Stealer
• Lotus Blossom Chrysalis Backdoor
• MuddyWater
• QuietVault

Updated Analytic Story - [1]

• Cisco Catalyst SD-WAN Analytics

New Analytics - [14]

• Cisco SD-WAN - Arbitrary File Overwrite Exploitation Activity
• Cisco SD-WAN - Uncommon User-Agent Multi-URI Activity
• Linux Auditd AI CLI Permission Override Activated
• Linux Docker Root Directory Mount
• Linux Docker Shell Execution
• Windows Bluetooth Service Installed From Uncommon Location
• Windows Excel Spawning Microsoft Project Application
• Windows Hosts File Access
• Windows MpCmdRun RemoveDefinitions Execution
• Windows Product Key Registry Query
• Windows Rundll32 Execution With Log.DLL
• Windows TinyCC Shellcode Execution
• Windows WMI Reconnaissance Class Query
• Windows WinRAR Launched Outside Default Installation Directory

Updated Analytics - [1655]

• 3CX Supply Chain Attack Network Indicators
• ASL AWS Concurrent Sessions From Different Ips
• ASL AWS Create Policy Version to allow all resources
• ASL AWS Credential Access GetPasswordData
• ASL AWS Credential Access RDS Password reset
• ASL AWS Defense Evasion Delete CloudWatch Log Group
• ASL AWS Defense Evasion Delete Cloudtrail
• ASL AWS Defense Evasion Stop Logging Cloudtrail
• ASL AWS Defense Evasion Update Cloudtrail
• ASL AWS Detect Users creating keys with encrypt policy without MFA
• ASL AWS Disable Bucket Versioning
• ASL AWS EC2 Snapshot Shared Externally
• ASL AWS ECR Container Upload Outside Business Hours
• ASL AWS ECR Container Upload Unknown User
• ASL AWS IAM AccessDenied Discovery Events
• ASL AWS IAM Assume Role Policy Brute Force
• ASL AWS IAM Failure Group Deletion
• ASL AWS Multi-Factor Authentication Disabled
• ASL AWS Network Access Control List Created with All Open Ports
• ASL AWS Network Access Control List Deleted
• ASL AWS New MFA Method Registered For User
• ASL AWS SAML Update identity provider
• ASL AWS UpdateLoginProfile
• AWS AMI Attribute Modification for Exfiltration
• AWS Bedrock Delete GuardRails
• AWS Bedrock Delete Knowledge Base
• AWS Bedrock Delete Model Invocation Logging Configuration
• AWS Bedrock High Number List Foundation Model Failures
• AWS Bedrock Invoke Model Access Denied
• AWS Concurrent Sessions From Different Ips
• AWS Console Login Failed During MFA Challenge
• AWS Create Policy Version to allow all resources
• AWS CreateLoginProfile
• AWS Credential Access Failed Login
• AWS Credential Access GetPasswordData
• AWS Credential Access RDS Password reset
• AWS Defense Evasion Delete CloudWatch Log Group
• AWS Defense Evasion Delete Cloudtrail
• AWS Defense Evasion Impair Security Services
• AWS Defense Evasion Stop Logging Cloudtrail
• AWS Defense Evasion Update Cloudtrail
• AWS Detect Users creating keys with encrypt policy without MFA
• AWS Detect Users with KMS keys performing encryption S3
• AWS Disable Bucket Versioning
• AWS EC2 Snapshot Shared Externally
• AWS ECR Container Scanning Findings High
• AWS ECR Container Scanning Findings Low Informational Unknown
• AWS ECR Container Scanning Findings Medium
• AWS ECR Container Upload Outside Business Hours
• AWS ECR Container Upload Unknown User
• AWS Excessive Security Scanning
• AWS Exfiltration via Anomalous GetObject API Activity
• AWS Exfiltration via Batch Service
• AWS Exfiltration via Bucket Replication
• AWS Exfiltration via DataSync Task
• AWS Exfiltration via EC2 Snapshot
• AWS High Number Of Failed Authentications For User
• AWS High Number Of Failed Authentications From Ip
• AWS IAM AccessDenied Discovery Events
• AWS IAM Assume Role Policy Brute Force
• AWS IAM Failure Group Deletion
• AWS Multi-Factor Authentication Disabled
• AWS Multiple Failed MFA Requests For User
• AWS Multiple Users Failing To Authenticate From Ip
• AWS Network Access Control List Created with All Open Ports
• AWS Network Access Control List Deleted
• AWS New MFA Method Registered For User
• AWS SAML Update identity provider
• AWS SetDefaultPolicyVersion
• AWS Successful Console Authentication From Multiple IPs
• AWS Successful Single-Factor Authentication
• AWS Unusual Number of Failed Authentications From Ip
• AWS UpdateLoginProfile
• Access LSASS Memory for Dump Creation
• Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint
• Active Setup Registry Autostart
• Add DefaultUser And Password In Registry
• Add or Set Windows Defender Exclusion
• Adobe ColdFusion Access Control Bypass
• Adobe ColdFusion Unauthenticated Arbitrary File Read
• AdsiSearcher Account Discovery
• Advanced IP or Port Scanner Execution
• Allow File And Printing Sharing In Firewall
• Allow Inbound Traffic By Firewall Rule Registry
• Allow Inbound Traffic In Firewall Rule
• Allow Network Discovery In Firewall
• Allow Operation with Consent Admin
• Anomalous usage of 7zip
• Attacker Tools On Endpoint
• Attempt To Add Certificate To Untrusted Store
• Auto Admin Logon Registry Entry
• Azure AD Admin Consent Bypassed by Service Principal
• Azure AD Application Administrator Role Assigned
• Azure AD Authentication Failed During MFA Challenge
• Azure AD AzureHound UserAgent Detected
• Azure AD Block User Consent For Risky Apps Disabled
• Azure AD Concurrent Sessions From Different Ips
• Azure AD Device Code Authentication
• Azure AD External Guest User Invited
• Azure AD FullAccessAsApp Permission Assigned
• Azure AD Global Administrator Role Assigned
• Azure AD High Number Of Failed Authentications For User
• Azure AD High Number Of Failed Authentications From Ip
• Azure AD Multi-Factor Authentication Disabled
• Azure AD Multiple AppIDs and UserAgents Authentication Spike
• Azure AD Multiple Denied MFA Requests For User
• Azure AD Multiple Failed MFA Requests For User
• Azure AD Multiple Service Principals Created by SP
• Azure AD Multiple Service Principals Created by User
• Azure AD Multiple Users Failing To Authenticate From Ip
• Azure AD New Custom Domain Added
• Azure AD New Federated Domain Added
• Azure AD New MFA Method Registered For User
• Azure AD New MFA Method Registered
• Azure AD OAuth Application Consent Granted By User
• Azure AD PIM Role Assigned
• Azure AD PIM Role Assignment Activated
• Azure AD Privileged Authentication Administrator Role Assigned
• Azure AD Privileged Graph API Permission Assigned
• Azure AD Privileged Role Assigned to Service Principal
• Azure AD Privileged Role Assigned
• Azure AD Service Principal Authentication
• Azure AD Service Principal Created
• Azure AD Service Principal Enumeration
• Azure AD Service Principal New Client Credentials
• Azure AD Service Principal Owner Added
• Azure AD Service Principal Privilege Escalation
• Azure AD Successful Authentication From Different Ips
• Azure AD Successful PowerShell Authentication
• Azure AD Successful Single-Factor Authentication
• Azure AD Tenant Wide Admin Consent Granted
• Azure AD Unusual Number of Failed Authentications From Ip
• Azure AD User Consent Blocked for Risky Application
• Azure AD User Consent Denied for OAuth Application
• Azure AD User Enabled And Password Reset
• Azure AD User ImmutableId Attribute Updated
• Azure Active Directory High Risk Sign-in
• Azure Automation Account Created
• Azure Automation Runbook Created
• Azure Runbook Webhook Created
• BCDEdit Failure Recovery Modification
• BITS Job Persistence
• BITSAdmin Download File
• Batch File Write to System32
• Bcdedit Command Back To Normal Mode Boot
• CHCP Command Execution
• CMD Echo Pipe - Escalation
• CMLUA Or CMSTPLUA UAC Bypass
• CertUtil With Decode Argument
• Certutil exe certificate extraction
• Change To Safe Mode With Network Config
• Check Elevated CMD using whoami
• Circle CI Disable Security Job
• Cisco AI Defense Security Alerts by Application Name
• Cisco ASA - AAA Policy Tampering
• Cisco ASA - Device File Copy Activity
• Cisco ASA - Device File Copy to Remote Location
• Cisco ASA - Logging Disabled via CLI
• Cisco ASA - Logging Filters Configuration Tampering
• Cisco ASA - Logging Message Suppression
• Cisco ASA - New Local User Account Created
• Cisco ASA - Packet Capture Activity
• Cisco ASA - Reconnaissance Command Activity
• Cisco ASA - User Account Deleted From Local Database
• Cisco ASA - User Account Lockout Threshold Exceeded
• Cisco ASA - User Privilege Level Change
• Cisco Duo Admin Login Unusual Browser
• Cisco Duo Admin Login Unusual Country
• Cisco Duo Admin Login Unusual Os
• Cisco Duo Bulk Policy Deletion
• Cisco Duo Bypass Code Generation
• Cisco Duo Policy Allow Devices Without Screen Lock
• Cisco Duo Policy Allow Network Bypass 2FA
• Cisco Duo Policy Allow Old Flash
• Cisco Duo Policy Allow Old Java
• Cisco Duo Policy Allow Tampered Devices
• Cisco Duo Policy Bypass 2FA
• Cisco Duo Policy Deny Access
• Cisco Duo Policy Skip 2FA for Other Countries
• Cisco Duo Set User Status to Bypass 2FA
• Cisco IOS Suspicious Privileged Account Creation
• Cisco IOS XE Implant Access
• Cisco Isovalent - Access To Cloud Metadata Service
• Cisco Isovalent - Cron Job Creation
• Cisco Isovalent - Curl Execution With Insecure Flags
• Cisco Isovalent - Late Process Execution
• Cisco Isovalent - Non Allowlisted Image Use
• Cisco Isovalent - Nsenter Usage in Kubernetes Pod
• Cisco Isovalent - Pods Running Offensive Tools
• Cisco Isovalent - Potential Escape to Host
• Cisco Isovalent - Shell Execution
• Cisco NVM - Curl Execution With Insecure Flags
• Cisco NVM - Installation of Typosquatted Python Package
• Cisco NVM - MSHTML or MSHTA Network Execution Without URL in CLI
• Cisco NVM - Non-Network Binary Making Network Connection
• Cisco NVM - Outbound Connection to Suspicious Port
• Cisco NVM - Rclone Execution With Network Activity
• Cisco NVM - Rundll32 Abuse of MSHTML.DLL for Payload Download
• Cisco NVM - Susp Script From Archive Triggering Network Activity
• Cisco NVM - Suspicious Download From File Sharing Website
• Cisco NVM - Suspicious File Download via Headless Browser
• Cisco NVM - Suspicious Network Connection From Process With No Args
• Cisco NVM - Suspicious Network Connection Initiated via MsXsl
• Cisco NVM - Suspicious Network Connection to IP Lookup Service API
• Cisco NVM - Webserver Download From File Sharing Website
• Cisco Network Interface Modifications
• Cisco SD-WAN - Low Frequency Rogue Peer
• Cisco SD-WAN - Peering Activity
• Cisco SNMP Community String Configuration Changes
• Cisco Secure Firewall - Binary File Type Download
• Cisco Secure Firewall - Bits Network Activity
• Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint
• Cisco Secure Firewall - Blocked Connection
• Cisco Secure Firewall - Citrix NetScaler Memory Overread Attempt
• Cisco Secure Firewall - Communication Over Suspicious Ports
• Cisco Secure Firewall - Connection to File Sharing Domain
• Cisco Secure Firewall - File Download Over Uncommon Port
• Cisco Secure Firewall - High EVE Threat Confidence
• Cisco Secure Firewall - High Priority Intrusion Classification
• Cisco Secure Firewall - High Volume of Intrusion Events Per Host
• Cisco Secure Firewall - Intrusion Events by Threat Activity
• Cisco Secure Firewall - Lumma Stealer Activity
• Cisco Secure Firewall - Lumma Stealer Download Attempt
• Cisco Secure Firewall - Lumma Stealer Outbound Connection Attempt
• Cisco Secure Firewall - Malware File Downloaded
• Cisco Secure Firewall - Oracle E-Business Suite Correlation
• Cisco Secure Firewall - Oracle E-Business Suite Exploitation
• Cisco Secure Firewall - Potential Data Exfiltration
• Cisco Secure Firewall - Privileged Command Execution via HTTP
• Cisco Secure Firewall - React Server Components RCE Attempt
• Cisco Secure Firewall - Remote Access Software Usage Traffic
• Cisco Secure Firewall - Repeated Blocked Connections
• Cisco Secure Firewall - Repeated Malware Downloads
• Cisco Secure Firewall - SSH Connection to Non-Standard Port
• Cisco Secure Firewall - SSH Connection to sshd_operns
• Cisco Secure Firewall - Snort Rule Triggered Across Multiple Hosts
• Cisco Secure Firewall - Static Tundra Smart Install Abuse
• Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity
• Cisco Secure Firewall - Wget or Curl Download
• Cisco Smart Install Oversized Packet Detection
• Cisco Smart Install Port Discovery and Status
• Cisco TFTP Server Configuration for Data Exfiltration
• Citrix ADC and Gateway CitrixBleed 2 Memory Disclosure
• Citrix ADC and Gateway Unauthorized Data Disclosure
• Clear Unallocated Sector Using Cipher App
• Clop Common Exec Parameter
• Clop Ransomware Known Service Name
• Cloud API Calls From Previously Unseen User Roles
• Cloud Compute Instance Created By Previously Unseen User
• Cloud Compute Instance Created In Previously Unused Region
• Cloud Compute Instance Created With Previously Unseen Image
• Cloud Compute Instance Created With Previously Unseen Instance Type
• Cloud Instance Modified By Previously Unseen User
• Cloud Provisioning Activity From Previously Unseen City
• Cloud Provisioning Activity From Previously Unseen Country
• Cloud Provisioning Activity From Previously Unseen IP Address
• Cloud Provisioning Activity From Previously Unseen Region
• Cloud Security Groups Modifications by User
• Common Ransomware Extensions
• Confluence CVE-2023-22515 Trigger Vulnerability
• Confluence Data Center and Server Privilege Escalation
• Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527
• Confluence Unauthenticated Remote Code Execution CVE-2022-26134
• ConnectWise ScreenConnect Authentication Bypass
• ConnectWise ScreenConnect Path Traversal Windows SACL
• ConnectWise ScreenConnect Path Traversal
• Conti Common Exec parameter
• Control Loading from World Writable Directory
• Create Remote Thread In Shell Application
• Create Remote Thread into LSASS
• Create or delete windows shares using net exe
• Creation of Shadow Copy with wmic and powershell
• Creation of Shadow Copy
• Creation of lsass Dump with Taskmgr
• Credential Dumping via Copy Command from Shadow Copy
• Credential Dumping via Symlink to Shadow Copy
• CrowdStrike Falcon Stream Alerts
• Crowdstrike Admin Weak Password Policy
• Crowdstrike Admin With Duplicate Password
• Crowdstrike High Identity Risk Severity
• Crowdstrike Medium Identity Risk Severity
• Crowdstrike Medium Severity Alert
• Crowdstrike Multiple LOW Severity Alerts
• Crowdstrike Privilege Escalation For Non-Admin User
• Crowdstrike User Weak Password Policy
• Crowdstrike User with Duplicate Password
• CrushFTP Authentication Bypass Exploitation
• CrushFTP Max Simultaneous Users From IP
• CrushFTP Server Side Template Injection
• Curl Execution with Percent Encoded URL
• DLLHost with no Command Line Arguments with Network
• DNS Exfiltration Using Nslookup App
• DNS Kerberos Coercion
• DNS Query Length With High Standard Deviation
• DSQuery Domain Discovery
• Delete ShadowCopy With PowerShell
• Deleting Shadow Copies
• Detect AzureHound Command-Line Arguments
• Detect AzureHound File Modifications
• Detect Certify Command Line Arguments
• Detect Certify With PowerShell Script Block Logging
• Detect Certipy File Modifications
• Detect Copy of ShadowCopy with Script Block Logging
• Detect Credential Dumping through LSASS access
• Detect Empire with PowerShell Script Block Logging
• Detect Excessive Account Lockouts From Endpoint
• Detect Excessive User Account Lockouts
• Detect Exchange Web Shell
• Detect HTML Help Spawn Child Process
• Detect HTML Help URL in Command Line
• Detect HTML Help Using InfoTech Storage Handlers
• Detect Large ICMP Traffic
• Detect MSHTA Url in Command Line
• Detect Mimikatz With PowerShell Script Block Logging
• Detect New Local Admin account
• Detect New Open S3 Buckets over AWS CLI
• Detect New Open S3 buckets
• Detect Outbound SMB Traffic
• Detect Outlook exe writing a zip file
• Detect Password Spray Attack Behavior From Source
• Detect Password Spray Attack Behavior On User
• Detect Password Spray Attempts
• Detect Path Interception By Creation Of program exe
• Detect PsExec With accepteula Flag
• Detect RClone Command-Line Usage
• Detect RTLO In File Name
• Detect RTLO In Process
• Detect Rare Executables
• Detect Regasm Spawning a Process
• Detect Regasm with Network Connection
• Detect Regasm with no Command Line Arguments
• Detect Regsvcs Spawning a Process
• Detect Regsvcs with Network Connection
• Detect Regsvcs with No Command Line Arguments
• Detect Regsvr32 Application Control Bypass
• Detect Remote Access Software Usage DNS
• Detect Remote Access Software Usage FileInfo
• Detect Remote Access Software Usage File
• Detect Remote Access Software Usage Process
• Detect Remote Access Software Usage Registry
• Detect Remote Access Software Usage Traffic
• Detect Remote Access Software Usage URL
• Detect Rundll32 Inline HTA Execution
• Detect SharpHound Command-Line Arguments
• Detect SharpHound File Modifications
• Detect SharpHound Usage
• Detect Spike in AWS Security Hub Alerts for EC2 Instance
• Detect Use of cmd exe to Launch Script Interpreters
• Detect WMI Event Subscription Persistence
• Detect hosts connecting to dynamic domain providers
• Detect mshta inline hta execution
• Disable AMSI Through Registry
• Disable Defender AntiVirus Registry
• Disable Defender BlockAtFirstSeen Feature
• Disable Defender Enhanced Notification
• Disable Defender MpEngine Registry
• Disable Defender Spynet Reporting
• Disable Defender Submit Samples Consent Feature
• Disable ETW Through Registry
• Disable Logs Using WevtUtil
• Disable Registry Tool
• Disable Schedule Task
• Disable Security Logs Using MiniNt Registry
• Disable Show Hidden Files
• Disable UAC Remote Restriction
• Disable Windows App Hotkeys
• Disable Windows Behavior Monitoring
• Disable Windows SmartScreen Protection
• Disabled Kerberos Pre-Authentication Discovery With Get-ADUser
• Disabled Kerberos Pre-Authentication Discovery With PowerView
• Disabling CMD Application
• Disabling ControlPanel
• Disabling Defender Services
• Disabling Firewall with Netsh
• Disabling FolderOptions Windows Feature
• Disabling NoRun Windows App
• Disabling Remote User Account Control
• Disabling SystemRestore In Registry
• Disabling Task Manager
• Disabling Windows Local Security Authority Defences via Registry
• Domain Account Discovery with Dsquery
• Domain Account Discovery with Wmic
• Domain Controller Discovery with Nltest
• Domain Group Discovery With Dsquery
• Domain Group Discovery with Adsisearcher
• Download Files Using Telegram
• Dump LSASS via comsvcs DLL
• Dump LSASS via procdump
• ESXi Account Modified
• ESXi Audit Tampering
• ESXi Bulk VM Termination
• ESXi Download Errors
• ESXi Encryption Settings Modified
• ESXi External Root Login Activity
• ESXi Firewall Disabled
• ESXi Lockdown Mode Disabled
• ESXi Loghost Config Tampering
• ESXi Malicious VIB Forced Install
• ESXi Reverse Shell Patterns
• ESXi SSH Brute Force
• ESXi SSH Enabled
• ESXi Sensitive Files Accessed
• ESXi Shared or Stolen Root Account
• ESXi Shell Access Enabled
• ESXi Syslog Config Change
• ESXi System Clock Manipulation
• ESXi System Information Discovery
• ESXi User Granted Admin Role
• ESXi VIB Acceptance Level Tampering
• ESXi VM Discovery
• ESXi VM Exported via Remote Tool
• ETW Registry Disabled
• Elevated Group Discovery With Wmic
• Enable RDP In Other Port Number
• Enable WDigest UseLogonCredential Registry
• Enumerate Users Local Group Using Telegram
• Eventvwr UAC Bypass
• Excessive Attempt To Disable Services
• Excessive File Deletion In WinDefender Folder
• Excessive Usage Of Cacls App
• Excessive Usage Of SC Service Utility
• Excessive Usage Of Taskkill
• Excessive Usage of NSLOOKUP App
• Excessive distinct processes from Windows Temp
• Excessive number of service control start as disabled
• Excessive number of taskhost processes
• Exchange PowerShell Module Usage
• Executable File Written in Administrative SMB Share
• Executables Or Script Creation In Suspicious Path
• Executables Or Script Creation In Temp Path
• Execute Javascript With Jscript COM CLSID
• Execution of File with Multiple Extensions
• Exploit Public Facing Application via Apache Commons Text
• Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952
• F5 BIG-IP iControl REST Vulnerability CVE-2022-1388
• F5 TMUI Authentication Bypass
• File Download or Read to Pipe Execution
• File with Samsam Extension
• Firewall Allowed Program Enable
• FodHelper UAC Bypass
• Fortinet Appliance Auth bypass
• Fsutil Zeroing File
• GCP Authentication Failed During MFA Challenge
• GCP Multi-Factor Authentication Disabled
• GCP Multiple Failed MFA Requests For User
• GCP Multiple Users Failing To Authenticate From Ip
• GCP Successful Single-Factor Authentication
• GCP Unusual Number of Failed Authentications From Ip
• GPUpdate with no Command Line Arguments with Network
• GSuite Email Suspicious Attachment
• Get ADUserResultantPasswordPolicy with Powershell Script Block
• Get ADUserResultantPasswordPolicy with Powershell
• Get DomainPolicy with Powershell Script Block
• Get DomainPolicy with Powershell
• Get DomainUser with PowerShell Script Block
• Get DomainUser with PowerShell
• Get-DomainTrust with PowerShell Script Block
• Get-DomainTrust with PowerShell
• Get-ForestTrust with PowerShell Script Block
• Get-ForestTrust with PowerShell
• GetDomainComputer with PowerShell Script Block
• GetDomainComputer with PowerShell
• GetDomainController with PowerShell Script Block
• GetDomainGroup with PowerShell Script Block
• GetDomainGroup with PowerShell
• GetWmiObject DS User with PowerShell Script Block
• GetWmiObject DS User with PowerShell
• GetWmiObject Ds Computer with PowerShell Script Block
• GetWmiObject Ds Computer with PowerShell
• GetWmiObject Ds Group with PowerShell Script Block
• GetWmiObject Ds Group with PowerShell
• GitHub Enterprise Delete Branch Ruleset
• GitHub Enterprise Disable 2FA Requirement
• GitHub Enterprise Disable Audit Log Event Stream
• GitHub Enterprise Disable Classic Branch Protection Rule
• GitHub Enterprise Disable Dependabot
• GitHub Enterprise Disable IP Allow List
• GitHub Enterprise Modify Audit Log Event Stream
• GitHub Enterprise Pause Audit Log Event Stream
• GitHub Enterprise Register Self Hosted Runner
• GitHub Enterprise Remove Organization
• GitHub Enterprise Repository Archived
• GitHub Enterprise Repository Deleted
• GitHub Organizations Delete Branch Ruleset
• GitHub Organizations Disable 2FA Requirement
• GitHub Organizations Disable Classic Branch Protection Rule
• GitHub Organizations Disable Dependabot
• GitHub Organizations Repository Archived
• GitHub Organizations Repository Deleted
• Gsuite Email Suspicious Subject With Attachment
• Gsuite Email With Known Abuse Web Service Link
• HTTP C2 Framework User Agent
• HTTP Duplicated Header
• HTTP Malware User Agent
• HTTP PUA User Agent
• HTTP Possible Request Smuggling
• HTTP RMM User Agent
• HTTP Rapid POST with Mixed Status Codes
• HTTP Request to Reserved Name on IIS Server
• HTTP Scripting Tool User Agent
• Headless Browser Mockbin or Mocky Request
• Headless Browser Usage
• Hide User Account From Sign-In Screen
• Hiding Files And Directories With Attrib exe
• High Frequency Copy Of Files In Network Share
• High Number of Login Failures from a single source
• High Process Termination Frequency
• High Volume of Bytes Out to Url
• ICACLS Grant Command
• Icacls Deny Command
• Impacket Lateral Movement Commandline Parameters
• Impacket Lateral Movement WMIExec Commandline Parameters
• Impacket Lateral Movement smbexec CommandLine Parameters
• Interactive Session on Remote Endpoint with PowerShell
• Internal Horizontal Port Scan NMAP Top 20
• Internal Horizontal Port Scan
• Internal Vertical Port Scan
• Ivanti Connect Secure Command Injection Attempts
• Ivanti Connect Secure SSRF in SAML Component
• Ivanti Connect Secure System Information Access via Auth Bypass
• Ivanti EPM SQL Injection Remote Code Execution
• Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078
• Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082
• Ivanti Sentry Authentication Bypass
• Ivanti VTM New Account Creation
• Java Class File download by Java User Agent
• Java Writing JSP File
• Jenkins Arbitrary File Read CVE-2024-23897
• JetBrains TeamCity Authentication Bypass CVE-2024-27198
• JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198
• JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199
• JetBrains TeamCity RCE Attempt
• Jscript Execution Using Cscript App
• Juniper Networks Remote Code Execution Exploit Detection
• Kerberoasting spn request with RC4 encryption
• Kerberos Pre-Authentication Flag Disabled in UserAccountControl
• Kerberos Pre-Authentication Flag Disabled with PowerShell
• Kerberos Service Ticket Request Using RC4 Encryption
• Kerberos TGT Request Using RC4 Encryption
• Kerberos User Enumeration
• Kubernetes Abuse of Secret by Unusual Location
• Kubernetes Abuse of Secret by Unusual User Agent
• Kubernetes Abuse of Secret by Unusual User Group
• Kubernetes Abuse of Secret by Unusual User Name
• Kubernetes Access Scanning
• Kubernetes Create or Update Privileged Pod
• Kubernetes Cron Job Creation
• Kubernetes DaemonSet Deployed
• Kubernetes Falco Shell Spawned
• Kubernetes Nginx Ingress LFI
• Kubernetes Nginx Ingress RFI
• Kubernetes Node Port Creation
• Kubernetes Pod Created in Default Namespace
• Kubernetes Pod With Host Network Attachment
• Kubernetes Scanner Image Pulling
• Kubernetes Scanning by Unauthenticated IP Address
• Kubernetes Suspicious Image Pulling
• Kubernetes Unauthorized Access
• LOLBAS With Network Traffic
• Linux APT Privilege Escalation
• Linux AWK Privilege Escalation
• Linux Account Manipulation Of SSH Config and Keys
• Linux Add Files In Known Crontab Directories
• Linux At Allow Config File Creation
• Linux At Application Execution
• Linux Auditd Add User Account Type
• Linux Auditd Add User Account
• Linux Auditd At Application Execution
• Linux Auditd Auditd Daemon Abort
• Linux Auditd Auditd Daemon Shutdown
• Linux Auditd Auditd Daemon Start
• Linux Auditd Auditd Service Stop
• Linux Auditd Base64 Decode Files
• Linux Auditd Change File Owner To Root
• Linux Auditd Clipboard Data Copy
• Linux Auditd Data Destruction Command
• Linux Auditd Data Transfer Size Limits Via Split Syscall
• Linux Auditd Data Transfer Size Limits Via Split
• Linux Auditd Database File And Directory Discovery
• Linux Auditd Dd File Overwrite
• Linux Auditd Disable Or Modify System Firewall
• Linux Auditd Doas Conf File Creation
• Linux Auditd Doas Tool Execution
• Linux Auditd Edit Cron Table Parameter
• Linux Auditd File And Directory Discovery
• Linux Auditd File Permission Modification Via Chmod
• Linux Auditd File Permissions Modification Via Chattr
• Linux Auditd Find Credentials From Password Managers
• Linux Auditd Find Credentials From Password Stores
• Linux Auditd Find Ssh Private Keys
• Linux Auditd Hardware Addition Swapoff
• Linux Auditd Hidden Files And Directories Creation
• Linux Auditd Insert Kernel Module Using Insmod Utility
• Linux Auditd Install Kernel Module Using Modprobe Utility
• Linux Auditd Kernel Module Enumeration
• Linux Auditd Kernel Module Using Rmmod Utility
• Linux Auditd Nopasswd Entry In Sudoers File
• Linux Auditd Osquery Service Stop
• Linux Auditd Possible Access Or Modification Of Sshd Config File
• Linux Auditd Possible Access To Credential Files
• Linux Auditd Possible Access To Sudoers File
• Linux Auditd Preload Hijack Library Calls
• Linux Auditd Preload Hijack Via Preload File
• Linux Auditd Private Keys and Certificate Enumeration
• Linux Auditd Service Restarted
• Linux Auditd Service Started
• Linux Auditd Setuid Using Chmod Utility
• Linux Auditd Setuid Using Setcap Utility
• Linux Auditd Shred Overwrite Command
• Linux Auditd Sudo Or Su Execution
• Linux Auditd Sysmon Service Stop
• Linux Auditd System Network Configuration Discovery
• Linux Auditd Unix Shell Configuration Modification
• Linux Auditd Unload Module Via Modprobe
• Linux Auditd Virtual Disk File And Directory Discovery
• Linux Auditd Whoami User Discovery
• Linux Busybox Privilege Escalation
• Linux Change File Owner To Root
• Linux Clipboard Data Copy
• Linux Composer Privilege Escalation
• Linux Cpulimit Privilege Escalation
• Linux Csvtool Privilege Escalation
• Linux Curl Upload File
• Linux DD File Overwrite
• Linux Data Destruction Command
• Linux Decode Base64 to Shell
• Linux Deleting Critical Directory Using RM Command
• Linux Deletion Of Cron Jobs
• Linux Deletion Of Init Daemon Script
• Linux Deletion Of Services
• Linux Deletion of SSL Certificate
• Linux Disable Services
• Linux Doas Conf File Creation
• Linux Doas Tool Execution
• Linux Emacs Privilege Escalation
• Linux File Created In Kernel Driver Directory
• Linux File Creation In Init Boot Directory
• Linux File Creation In Profile Directory
• Linux Find Privilege Escalation
• Linux GDB Privilege Escalation
• Linux GNU Awk Privilege Escalation
• Linux Gdrive Binary Activity
• Linux Gem Privilege Escalation
• Linux Hardware Addition SwapOff
• Linux High Frequency Of File Deletion In Boot Folder
• Linux High Frequency Of File Deletion In Etc Folder
• Linux Indicator Removal Clear Cache
• Linux Indicator Removal Service File Deletion
• Linux Ingress Tool Transfer with Curl
• Linux Insert Kernel Module Using Insmod Utility
• Linux Install Kernel Module Using Modprobe Utility
• Linux Iptables Firewall Modification
• Linux Kernel Module Enumeration
• Linux Magic SysRq Key Abuse
• Linux Make Privilege Escalation
• Linux Medusa Rootkit
• Linux MySQL Privilege Escalation
• Linux NOPASSWD Entry In Sudoers File
• Linux Ngrok Reverse Proxy Usage
• Linux Node Privilege Escalation
• Linux Obfuscated Files or Information Base64 Decode
• Linux Octave Privilege Escalation
• Linux OpenVPN Privilege Escalation
• Linux PHP Privilege Escalation
• Linux Possible Access Or Modification Of sshd Config File
• Linux Possible Access To Credential Files
• Linux Possible Access To Sudoers File
• Linux Possible Append Command To At Allow Config File
• Linux Possible Append Command To Profile Config File
• Linux Possible Ssh Key File Creation
• Linux Preload Hijack Library Calls
• Linux Proxy Socks Curl
• Linux Puppet Privilege Escalation
• Linux RPM Privilege Escalation
• Linux Ruby Privilege Escalation
• Linux SSH Authorized Keys Modification
• Linux SSH Remote Services Script Execute
• Linux Service File Created In Systemd Directory
• Linux Service Restarted
• Linux Service Started Or Enabled
• Linux Setuid Using Chmod Utility
• Linux Setuid Using Setcap Utility
• Linux Shred Overwrite Command
• Linux Sqlite3 Privilege Escalation
• Linux Stdout Redirection To Dev Null File
• Linux Stop Services
• Linux Sudoers Tmp File Creation
• Linux Suspicious React or Next.js Child Process
• Linux System Network Discovery
• Linux System Reboot Via System Request Key
• Linux Telnet Authentication Bypass
• Linux Unix Shell Enable All SysRq Functions
• Linux Visudo Utility Execution
• Linux c89 Privilege Escalation
• Linux c99 Privilege Escalation
• Linux pkexec Privilege Escalation
• Loading Of Dynwrapx Module
• Log4Shell JNDI Payload Injection Attempt
• Log4Shell JNDI Payload Injection with Outbound Connection
• Logon Script Event Trigger Execution
• M365 Copilot Application Usage Pattern Anomalies
• M365 Copilot Failed Authentication Patterns
• M365 Copilot Non Compliant Devices Accessing M365 Copilot
• M365 Copilot Session Origin Anomalies
• MCP Prompt Injection
• MS Scripting Process Loading Ldap Module
• MS Scripting Process Loading WMI Module
• MSBuild Suspicious Spawned By Script Process
• MacOS AMOS Stealer - Virtual Machine Check Activity
• MacOS LOLbin
• MacOS plutil
• Mailsniper Invoke functions
• Malicious InProcServer32 Modification
• Malicious PowerShell Process - Execution Policy Bypass
• Malicious PowerShell Process With Obfuscation Techniques
• Malicious Powershell Executed As A Service
• Microsoft Defender ATP Alerts
• Microsoft Defender Incident Alerts
• Microsoft SharePoint Server Elevation of Privilege
• Mimikatz PassTheTicket CommandLine Parameters
• Mmc LOLBAS Execution Process Spawn
• Modification Of Wallpaper
• Modify ACL permission To Files Or Folder
• Monitor Registry Keys for Print Monitors
• Mshta spawning Rundll32 OR Regsvr32 Process
• Msmpeng Application DLL Side Loading
• Multiple Archive Files Http Post Traffic
• NET Profiler UAC bypass
• NLTest Domain Trust Discovery
• Nginx ConnectWise ScreenConnect Authentication Bypass
• Ngrok Reverse Proxy on Network
• Nishang PowershellTCPOneLine
• Non Chrome Process Accessing Chrome Default Dir
• Non Firefox Process Access Firefox Profile Dir
• Notepad with no Command Line Arguments
• Ntdsutil Export NTDS
• O365 Add App Role Assignment Grant User
• O365 Added Service Principal
• O365 Admin Consent Bypassed by Service Principal
• O365 Advanced Audit Disabled
• O365 Application Available To Other Tenants
• O365 Application Registration Owner Added
• O365 ApplicationImpersonation Role Assigned
• O365 BEC Email Hiding Rule Created
• O365 Block User Consent For Risky Apps Disabled
• O365 Bypass MFA via Trusted IP
• O365 Compliance Content Search Exported
• O365 Compliance Content Search Started
• O365 Concurrent Sessions From Different Ips
• O365 Cross-Tenant Access Change
• O365 DLP Rule Triggered
• O365 Disable MFA
• O365 Elevated Mailbox Permission Assigned
• O365 Email Access By Security Administrator
• O365 Email Hard Delete Excessive Volume
• O365 Email New Inbox Rule Created
• O365 Email Password and Payroll Compromise Behavior
• O365 Email Receive and Hard Delete Takeover Behavior
• O365 Email Reported By Admin Found Malicious
• O365 Email Reported By User Found Malicious
• O365 Email Security Feature Changed
• O365 Email Send Attachments Excessive Volume
• O365 Email Send and Hard Delete Exfiltration Behavior
• O365 Email Send and Hard Delete Suspicious Behavior
• O365 Email Suspicious Behavior Alert
• O365 Email Suspicious Search Behavior
• O365 Email Transport Rule Changed
• O365 Excessive Authentication Failures Alert
• O365 Excessive SSO logon errors
• O365 Exfiltration via File Access
• O365 Exfiltration via File Download
• O365 Exfiltration via File Sync Download
• O365 External Guest User Invited
• O365 External Identity Policy Changed
• O365 File Permissioned Application Consent Granted by User
• O365 FullAccessAsApp Permission Assigned
• O365 High Number Of Failed Authentications for User
• O365 High Privilege Role Granted
• O365 Mail Permissioned Application Consent Granted by User
• O365 Mailbox Email Forwarding Enabled
• O365 Mailbox Folder Read Permission Assigned
• O365 Mailbox Folder Read Permission Granted
• O365 Mailbox Inbox Folder Shared with All Users
• O365 Mailbox Read Access Granted to Application
• O365 Multiple AppIDs and UserAgents Authentication Spike
• O365 Multiple Failed MFA Requests For User
• O365 Multiple Mailboxes Accessed via API
• O365 Multiple OS Vendors Authenticating From User
• O365 Multiple Service Principals Created by SP
• O365 Multiple Service Principals Created by User
• O365 Multiple Users Failing To Authenticate From Ip
• O365 New Email Forwarding Rule Created
• O365 New Email Forwarding Rule Enabled
• O365 New Federated Domain Added
• O365 New Forwarding Mailflow Rule Created
• O365 New MFA Method Registered
• O365 OAuth App Mailbox Access via EWS
• O365 OAuth App Mailbox Access via Graph API
• O365 PST export alert
• O365 Privileged Graph API Permission Assigned
• O365 Privileged Role Assigned To Service Principal
• O365 Privileged Role Assigned
• O365 Safe Links Detection
• O365 Security And Compliance Alert Triggered
• O365 Service Principal New Client Credentials
• O365 Service Principal Privilege Escalation
• O365 SharePoint Allowed Domains Policy Changed
• O365 SharePoint Malware Detection
• O365 SharePoint Suspicious Search Behavior
• O365 Tenant Wide Admin Consent Granted
• O365 Threat Intelligence Suspicious Email Delivered
• O365 Threat Intelligence Suspicious File Detected
• O365 User Consent Blocked for Risky Application
• O365 User Consent Denied for OAuth Application
• O365 ZAP Activity Detection
• Okta Authentication Failed During MFA Challenge
• Okta IDP Lifecycle Modifications
• Okta Mismatch Between Source and Response for Verify Push Request
• Okta Multi-Factor Authentication Disabled
• Okta Multiple Accounts Locked Out
• Okta Multiple Failed MFA Requests For User
• Okta Multiple Users Failing To Authenticate From Ip
• Okta New API Token Created
• Okta New Device Enrolled on Account
• Okta Successful Single Factor Authentication
• Okta Suspicious Activity Reported
• Okta Suspicious Use of a Session Cookie
• Okta ThreatInsight Threat Detected
• Okta Unauthorized Access to Application
• Okta User Logins from Multiple Cities
• Outbound Network Connection from Java Using Default Ports
• Overwriting Accessibility Binaries
• PaperCut NG Remote Web Access Attempt
• Permission Modification using Takeown App
• PetitPotam Network Share Access Request
• PetitPotam Suspicious Kerberos TGT Request
• Ping Sleep Batch Command
• PingID Mismatch Auth Source and Verification Response
• PingID Multiple Failed MFA Requests For User
• PingID New MFA Method After Credential Reset
• PingID New MFA Method Registered For User
• Plain HTTP POST Exfiltrated Data
• Possible Lateral Movement PowerShell Spawn
• Potential System Network Configuration Discovery Activity
• Potential Telegram API Request Via CommandLine
• PowerShell 4104 Hunting
• PowerShell Domain Enumeration
• PowerShell Enable PowerShell Remoting
• PowerShell Invoke CIMMethod CIMSession
• PowerShell Invoke WmiExec Usage
• PowerShell Loading DotNET into Memory via Reflection
• PowerShell Script Block With URL Chain
• PowerShell Start or Stop Service
• PowerShell Start-BitsTransfer
• PowerShell WebRequest Using Memory Stream
• Powershell COM Hijacking InprocServer32 Modification
• Powershell Creating Thread Mutex
• Powershell Disable Security Monitoring
• Powershell Enable SMB1Protocol Feature
• Powershell Execute COM Object
• Powershell Fileless Process Injection via GetProcAddress
• Powershell Fileless Script Contains Base64 Encoded Content
• Powershell Load Module in Meterpreter
• Powershell Processing Stream Of Data
• Powershell Remote Services Add TrustedHost
• Powershell Remote Thread To Known Windows Process
• Powershell Remove Windows Defender Directory
• Powershell Using memory As Backing Store
• Powershell Windows Defender Exclusion Commands
• Prevent Automatic Repair Mode using Bcdedit
• Print Processor Registry Autostart
• Print Spooler Adding A Printer Driver
• Print Spooler Failed to Load a Plug-in
• Process Creating LNK file in Suspicious Location
• Process Deleting Its Process File Path
• Process Execution via WMI
• Process Kill Base On File Path
• Processes launching netsh
• Prohibited Network Traffic Allowed
• Protocol or Port Mismatch
• Protocols passing authentication in cleartext
• Ransomware Notes bulk creation
• Recon AVProduct Through Pwh or WMI
• Recon Using WMI Class
• Recursive Delete of Directory In Batch CMD
• Reg exe Manipulating Windows Services Registry Keys
• Registry Keys Used For Persistence
• Registry Keys Used For Privilege Escalation
• Registry Keys for Creating SHIM Databases
• Regsvr32 Silent and Install Param Dll Loading
• Regsvr32 with Known Silent Switch Cmdline
• Remcos RAT File Creation in Remcos Folder
• Remcos client registry install entry
• Remote Desktop Network Traffic
• Remote Process Instantiation via DCOM and PowerShell Script Block
• Remote Process Instantiation via DCOM and PowerShell
• Remote Process Instantiation via WMI and PowerShell Script Block
• Remote Process Instantiation via WMI and PowerShell
• Remote Process Instantiation via WMI
• Remote Process Instantiation via WinRM and PowerShell Script Block
• Remote Process Instantiation via WinRM and PowerShell
• Remote Process Instantiation via WinRM and Winrs
• Remote System Discovery with Adsisearcher
• Remote System Discovery with Dsquery
• Remote System Discovery with Wmic
• Remote WMI Command Attempt
• Resize ShadowStorage volume
• Revil Common Exec Parameter
• Revil Registry Entry
• Rubeus Command Line Parameters
• Rubeus Kerberos Ticket Exports Through Winlogon Access
• RunDLL Loading DLL By Ordinal
• Rundll32 Control RunDLL World Writable Directory
• Rundll32 Create Remote Thread To A Process
• Rundll32 CreateRemoteThread In Browser
• Rundll32 DNSQuery
• Rundll32 LockWorkStation
• Rundll32 Process Creating Exe Dll Files
• Rundll32 Shimcache Flush
• Rundll32 with no Command Line Arguments with Network
• Ryuk Test Files Detected
• Ryuk Wake on LAN Command
• SLUI RunAs Elevated
• SLUI Spawning a Process
• Samsam Test File Write
• Sc exe Manipulating Windows Services
• SchCache Change By App Connect And Create ADSI Object
• Schedule Task with HTTP Command Arguments
• Schedule Task with Rundll32 Command Trigger
• Scheduled Task Creation on Remote Endpoint using At
• Scheduled Task Deleted Or Created via CMD
• Scheduled Task Initiation on Remote Endpoint
• Schtasks Run Task On Demand
• Schtasks scheduling job on remote system
• Schtasks used for forcing a reboot
• Screensaver Event Trigger Execution
• Script Execution via WMI
• Sdclt UAC Bypass
• Sdelete Application Execution
• SearchProtocolHost with no Command Line with Network
• SecretDumps Offline NTDS Dumping Tool
• ServicePrincipalNames Discovery with PowerShell
• ServicePrincipalNames Discovery with SetSPN
• Services Escalate Exe
• Services LOLBAS Execution Process Spawn
• Set Default PowerShell Execution Policy To Unrestricted or Bypass
• Shai-Hulud 2 Exfiltration Artifact Files
• Shai-Hulud Workflow File Creation or Modification
• Shim Database File Creation
• Shim Database Installation With Suspicious Parameters
• Short Lived Scheduled Task
• Short Lived Windows Accounts
• SilentCleanup UAC Bypass
• Single Letter Process On Endpoint

... truncated

Macros Added - [1]

• cisco_sd_wan_service_proxy_access

Lookups Added - [1]

• browser_process_and_path

Deprecated/removed detections tables

List of removed detections in ESCU version 5.24.0

List of detections scheduled for removal in ESCU version 5.26.0