Windows Recovery Environment Disabled Via Reagentc:
windows | process_creation | medium | 2025-07-31
Detects attempts to disable the Windows Recovery Environment using ReAgentc.
ReAgentc.exe is a command-line tool in Windows used to manage the Windows Recovery Environment (WinRE).
It allows users to enable, disable, and configure WinRE, which is used for troubleshooting and repairing common boot issues.
Password Set to Never Expire via WMI:
windows | process_creation | medium | 2025-07-30
Detects the use of wmic.exe to modify user account settings and explicitly disable password expiration.
Potential JLI.dll Side-Loading:
windows | image_load | high | 2025-07-25
Detects potential DLL side-loading of jli.dll.
JLI.dll has been observed being side-loaded by Java processes by various threat actors, including APT41, XWorm,
and others, in order to load malicious payloads in the context of legitimate Java processes.
Suspicious File Write to SharePoint Layouts Directory:
windows | file_event | high | 2025-07-24
Detects suspicious file writes to the SharePoint layouts directory, which could indicate webshell activity or post-exploitation.
This behavior has been observed in the exploitation of SharePoint vulnerabilities such as CVE-2025-49704, CVE-2025-49706 or CVE-2025-53770.
Suspicious File Created in Outlook Temporary Directory:
windows | file_event | high | 2025-07-22
Detects the creation of files with suspicious file extensions in the temporary directory that Outlook uses when opening attachments.
This can be used to detect spear-phishing campaigns that use suspicious files as attachments, which may contain malicious code.
Linux latest updates
Suspicious Download and Execute Pattern via Curl/Wget:
linux | process_creation | high | 2025-06-17
Detects suspicious use of command-line tools such as curl or wget to download remote
content - particularly scripts - into temporary directories (e.g., /dev/shm, /tmp), followed by
immediate execution, indicating potential malicious activity. This pattern is commonly used
by malicious scripts, stagers, or downloaders in fileless or multi-stage Linux attacks.
Special File Creation via Mknod Syscall:
linux | NULL | low | 2025-05-31
Detects usage of the `mknod` syscall to create special files (e.g., character or block devices).
Attackers or malware might use `mknod` to create fake devices, interact with kernel interfaces,
or establish covert channels in Linux systems.
Monitoring the use of `mknod` is important because this syscall is rarely used by legitimate applications,
and it can be abused to bypass file system restrictions or create backdoors.
System Info Discovery via Sysinfo Syscall:
linux | NULL | low | 2025-05-30
Detects use of the sysinfo system call in Linux, which provides a snapshot of key system statistics such as uptime, load averages, memory usage, and the number of running processes.
Malware or reconnaissance tools might leverage sysinfo to fingerprint the system - gathering data to determine if it's a viable target.
Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall:
linux | NULL | medium | 2025-05-27
Detects the use of the `syslog` syscall with action code 5 (SYSLOG_ACTION_CLEAR), which clears the kernel
ring buffer (dmesg logs); the related action codes are 4 (SYSLOG_ACTION_READ_CLEAR) and 6 (SYSLOG_ACTION_CONSOLE_OFF).
This can be used by attackers to hide traces after exploitation or privilege escalation.
A common technique is running `dmesg -c`, which triggers this syscall internally.
Disable ASLR Via Personality Syscall - Linux:
linux | NULL | low | 2025-05-26
Detects the use of the `personality` syscall with the ADDR_NO_RANDOMIZE flag (0x0040000),
which disables Address Space Layout Randomization (ASLR) in Linux. This is often used by attackers,
in exploit development, or to bypass memory protection mechanisms.
A successful use of this flag can reduce the effectiveness of ASLR and make memory corruption
attacks more reliable.
Other latest updates
Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing - Network:
zeek | NULL | high | 2025-06-20
Detects DNS queries containing patterns associated with Kerberos coercion attacks via DNS object spoofing.
The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure.
Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts.
It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records
to spoof Service Principal Names (SPNs) and redirect authentication requests like CVE-2025-33073.
Remote Access Tool - Renamed MeshAgent Execution - MacOS:
macos | process_creation | high | 2025-05-19
Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent.
RMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management.
However, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems.
Remote Access Tool - Potential MeshAgent Execution - MacOS:
macos | process_creation | medium | 2025-05-19
Detects potential execution of MeshAgent, a tool used for remote access.
Historical data shows that threat actors rename the MeshAgent binary to evade detection.
Matching command lines containing the '--meshServiceName' argument can indicate that MeshAgent is being used for remote access.
HTTP Request to Low Reputation TLD or Suspicious File Extension:
zeek | NULL | medium | 2025-02-26
Detects HTTP requests to low reputation TLDs (e.g. .xyz, .top, .ru) or ending in suspicious file extensions (.exe, .dll, .hta), which may indicate malicious activity.
Azure Login Bypassing Conditional Access Policies:
m365 | NULL | high | 2025-01-08
Detects a successful login to the Microsoft Intune Company Portal, which could allow bypassing Conditional Access Policies and Intune device trust using a tool like TokenSmith.
Splunk Detection rules latest updates
Windows InstallUtil URL in Command Line:
endpoint | Endpoint | 2025-09-09
The following analytic detects the use of Windows InstallUtil.exe with an HTTP or HTTPS URL in the command line. This is identified through Endpoint Detection and Response (EDR) telemetry, focusing on command-line executions containing URLs. This activity is significant as it may indicate an attempt to download and execute malicious code, potentially bypassing application control mechanisms. If confirmed malicious, this could lead to unauthorized code execution, privilege escalation, or persistent access within the environment. Analysts should review the parent process, network connections, file modifications, and related processes for further investigation.
Windows MSIExec Remote Download:
endpoint | Endpoint | 2025-09-09
The following analytic detects the use of msiexec.exe with an HTTP or
HTTPS URL in the command line, indicating a remote file download attempt. This detection
leverages data from Endpoint Detection and Response (EDR) agents, focusing on process
execution logs that include command-line details. This activity is significant as
it may indicate an attempt to download and execute potentially malicious software
from a remote server. If confirmed malicious, this could lead to unauthorized code
execution, system compromise, or further malware deployment within the network.
Cisco NVM - Suspicious Network Connection to IP Lookup Service API:
endpoint | Endpoint | 2025-09-09
This analytic identifies non-browser processes reaching out to public IP lookup or geolocation services,
such as `ipinfo.io`, `icanhazip.com`, `ip-api.com`, and others.
These domains are commonly used by legitimate tools, but their usage outside of browsers may indicate
network reconnaissance, virtual machine detection, or staging by malware.
This activity is observed in post-exploitation frameworks, stealer malware, and advanced threat actor campaigns.
The detection relies on Cisco Network Visibility Module (NVM) telemetry and excludes known browser
processes to reduce noise.
Cisco NVM - Suspicious Network Connection Initiated via MsXsl:
endpoint | Endpoint | 2025-09-09
This analytic identifies the use of `msxsl.exe` initiating a network connection to a non-private IP address.
Although `msxsl.exe` is a legitimate Microsoft utility used to apply XSLT transformations, adversaries can abuse it
to execute arbitrary code or load external resources in an evasive manner.
This detection leverages Cisco NVM telemetry to identify potentially malicious use of `msxsl.exe` making network connections
that may indicate command and control (C2) or data exfiltration activity.
Cisco NVM - Webserver Download From File Sharing Website:
endpoint | Endpoint | 2025-09-09
This analytic detects unexpected outbound network connections initiated by known webserver processes such as `httpd.exe`, `nginx.exe`, or `tomcat.exe` to common file sharing or public content hosting services like GitHub, Discord CDN, Transfer.sh, or Pastebin.
Webservers are rarely expected to perform outbound downloads, especially to dynamic or anonymous file hosting domains. This behavior is often associated with server compromise,
where an attacker uses a reverse shell, webshell, or injected task to fetch malware or tools post-exploitation.
The detection leverages Cisco Network Visibility Module flow data, enriched with process context, to identify this highly suspicious behavior.
Windows File Download Via PowerShell:
endpoint | Endpoint | 2025-09-09
The following analytic detects the use of PowerShell's download methods such as
"DownloadString" and "DownloadData" from the WebClient class, or Invoke-WebRequest
and its aliases "IWR" or "Curl".
It leverages data from Endpoint Detection and Response (EDR) agents, focusing on
process execution logs that include command-line details.
This activity can be significant, as such methods and functions are commonly used in malicious
PowerShell scripts to fetch and execute remote code.
If confirmed malicious, this behavior could allow an attacker to download and run
arbitrary code, potentially leading to unauthorized access, data exfiltration,
or further compromise of the affected system.
Windows InstallUtil Remote Network Connection:
endpoint | Endpoint | 2025-09-09
The following analytic detects the Windows InstallUtil.exe binary making a remote network connection. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and network telemetry. This activity is significant because InstallUtil.exe can be exploited to download and execute malicious code, bypassing application control mechanisms. If confirmed malicious, an attacker could achieve code execution, potentially leading to further system compromise, data exfiltration, or lateral movement within the network. Analysts should review the parent process, network connections, and any associated file modifications to determine the legitimacy of this activity.
Cisco NVM - Suspicious Network Connection From Process With No Args:
endpoint | Endpoint | 2025-09-09
This analytic detects system binaries that are commonly abused in process injection techniques but are observed without any command-line arguments.
It leverages Cisco Network Visibility Module (NVM) flow data and process arguments
to identify outbound connections initiated by curl where TLS checks were explicitly disabled.
Binaries such as `rundll32.exe`, `regsvr32.exe`, `dllhost.exe`, `svchost.exe`, and others are legitimate Windows processes that are often injected into by malware or post-exploitation frameworks (e.g., Cobalt Strike) to hide execution.
When these processes are seen initiating a network connection with an empty or missing command line, it can indicate
potential injection and communication with a command and control server.
Cisco Smart Install Oversized Packet Detection:
network | Network | 2025-09-09
This analytic detects oversized Cisco Smart Install (SMI) protocol messages by inspecting traffic to TCP port 4786
within the Network_Traffic data model. Abnormally large SMI payloads have been associated with exploitation and
protocol abuse (e.g., CVE-2018-0171; activity reported by the "Static Tundra" threat actor). Monitoring message
sizes over time can help identify possible attempts at remote code execution, denial of service, or reconnaissance
against Cisco devices exposing Smart Install.
Cisco NVM - Rclone Execution With Network Activity:
endpoint | Endpoint | 2025-09-09
This detection identifies execution of the file synchronization utility "rclone".
It leverages Cisco Network Visibility Module logs, specifically flow data in order to capture process executions
initiating network connections.
While rclone is a legitimate command-line tool for syncing data to cloud storage providers, it has been widely abused by threat actors for data exfiltration.
This analytic inspects the process name and arguments for rclone and flags the use of suspicious flags.
If matched, this could indicate malicious usage for stealthy data exfiltration or cloud abuse.
Cisco NVM - Susp Script From Archive Triggering Network Activity:
endpoint | Endpoint | 2025-09-09
This analytic detects script execution (`wscript.exe` or `cscript.exe`) triggered from compressed files opened directly using
`explorer.exe`, `winrar.exe`, or `7zFM.exe`.
When a user double-clicks a ".js" file from within one of these compressed files, it is extracted temporarily into a folder in the temp directory that carries certain markers.
It leverages Cisco Network Visibility Module (NVM) flow data in order to look for a specific parent/child relationship and an initiated network connection.
This behavior is exploited by threat actors such as Scarlet Goldfinch to deliver and run malicious scripts as an initial access technique.
Windows Outlook Macro Created by Suspicious Process:
endpoint | Endpoint | 2025-09-09
The following analytic detects the creation of an Outlook Macro (VbaProject.OTM) by a suspicious process. This file is normally created when you create a macro from within Outlook. If this file is created by a process other than Outlook.exe, it may have been maliciously created. This detection leverages data from the Filesystem data model, specifically looking for the file creation event for VbaProject.OTM. This activity is significant as it is commonly associated with some malware infections, indicating potential malicious intent to harvest email information.
Detect RClone Command-Line Usage:
endpoint | Endpoint | 2025-09-09
The following analytic detects the usage of `rclone.exe` with specific command-line arguments indicative of file transfer activities. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process details. This activity is significant as `rclone.exe` is often used by adversaries for data exfiltration, especially during ransomware attacks. If confirmed malicious, this behavior could lead to unauthorized data transfer, resulting in data breaches and potential loss of sensitive information. Immediate isolation of the affected endpoint and further investigation are recommended.
Cisco NVM - Rundll32 Abuse of MSHTML.DLL for Payload Download:
endpoint | Endpoint | 2025-09-09
This analytic detects suspicious use of `rundll32.exe` in combination with `mshtml.dll` and the export `RunHTMLApplication`.
This behavior is often observed in malware to execute JavaScript or VBScript in memory, enabling payload staging,
bypassing script execution policies, and avoiding the use of the "mshta.exe" binary.
The detection leverages Cisco Network Visibility Module telemetry, which offers network flow activity
along with process information such as command-line arguments.
If confirmed malicious, this activity may indicate initial access or payload download.
WMIC XSL Execution via URL:
endpoint | Endpoint | 2025-09-09
The following analytic detects `wmic.exe` loading a remote XSL script
via a URL. This detection leverages Endpoint Detection and Response (EDR) data,
focusing on command-line executions that include HTTP/HTTPS URLs and the /FORMAT
switch. This activity is significant as it indicates a potential application control
bypass, allowing adversaries to execute JScript or VBScript within an XSL file.
If confirmed malicious, this technique can enable attackers to execute arbitrary
code, escalate privileges, or maintain persistence using a trusted Windows tool,
posing a severe threat to the environment.