OpenEDR Spawning Command Shell:
windowsprocess_creationmedium2026-02-19
Detects the OpenEDR ssh-shellhost.exe spawning a command shell (cmd.exe) or PowerShell with PTY (pseudo-terminal) capabilities.
This may indicate remote command execution through OpenEDR's remote management features, which could be legitimate administrative activity or potential abuse of the remote access tool.
Threat actors may leverage OpenEDR's remote shell capabilities to execute commands on compromised systems, facilitating lateral movement or other command-and-control operations.
Potentially Suspicious File Creation by OpenEDR's ITSMService:
windowsfile_eventmedium2026-02-19
Detects the creation of potentially suspicious files by OpenEDR's ITSMService process.
The ITSMService is responsible for remote management operations and can create files on the system through the Process Explorer or file management features.
While legitimate for IT operations, creation of executable or script files could indicate unauthorized file uploads, data staging, or malicious file deployment.
Uncommon File Created by Notepad++ Updater Gup.EXE:
windowsfile_eventhigh2026-02-03
Detects when the Notepad++ updater (gup.exe) creates files in suspicious or uncommon locations.
This could indicate potential exploitation of the updater component to deliver unwanted malware or unwarranted files.
Suspicious Child Process of Notepad++ Updater - GUP.Exe:
windowsprocess_creationhigh2026-02-03
Detects suspicious child process creation by the Notepad++ updater process (gup.exe).
This could indicate potential exploitation of the updater component to deliver unwanted malware.
Notepad++ Updater DNS Query to Uncommon Domains:
windowsdns_querymedium2026-02-02
Detects when the Notepad++ updater (gup.exe) makes DNS queries to domains that are not part of the known legitimate update infrastructure.
This could indicate potential exploitation of the updater mechanism or suspicious network activity that warrants further investigation.
linux latest updates
Linux Setuid Capability Set on a Binary via Setcap Utility:
linuxprocess_creationlow2026-01-24
Detects the use of the 'setcap' utility to set the 'setuid' capability (cap_setuid) on a binary file.
This capability allows a non privileged process to make arbitrary manipulations of user IDs (UIDs), including setting its current UID to a value that would otherwise be restricted (i.e. UID 0, the root user).
This behavior can be used by adversaries to backdoor a binary in order to escalate privileges again in the future if needed.
Linux Setgid Capability Set on a Binary via Setcap Utility:
linuxprocess_creationlow2026-01-24
Detects the use of the 'setcap' utility to set the 'setgid' capability (cap_setgid) on a binary file.
This capability allows a non privileged process to make arbitrary manipulations of group IDs (GIDs), including setting its current GID to a value that would otherwise be restricted (i.e. GID 0, the root group).
This behavior can be used by adversaries to backdoor a binary in order to escalate privileges again in the future if needed.
Script Interpreter Spawning Credential Scanner - Linux:
linuxprocess_creationhigh2025-11-25
Detects a script interpreter process (like node.js or bun) spawning a known credential scanning tool (e.g., trufflehog, gitleaks).
This behavior is indicative of an attempt to find and steal secrets, as seen in the "Shai-Hulud: The Second Coming" campaign.
Suspicious Filename with Embedded Base64 Commands:
linuxfile_eventhigh2025-11-22
Detects files with specially crafted filenames that embed Base64-encoded bash payloads designed to execute when processed by shell scripts.
These filenames exploit shell interpretation quirks to trigger hidden commands, a technique observed in VShell malware campaigns.
Kaspersky Endpoint Security Stopped Via CommandLine - Linux:
linuxprocess_creationhigh2025-10-18
Detects execution of the Kaspersky init.d stop script on Linux systems either directly or via systemctl.
This activity may indicate a manual interruption of the antivirus service by an administrator, or it could be a sign of potential tampering or evasion attempts by malicious actors.
Other latest updates
AWS GuardDuty Detector Deleted Or Updated:
awsNULLhigh2025-11-27
Detects successful deletion or disabling of an AWS GuardDuty detector, possibly by an attacker trying to avoid detection of its malicious activities.
Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost.
Verify with the user identity that this activity is legitimate.
FortiGate - New VPN SSL Web Portal Added:
fortigateNULLmedium2025-11-01
Detects the addition of a VPN SSL Web Portal on a Fortinet FortiGate Firewall.
This behavior was observed in pair with modification of VPN SSL settings.
FortiGate - User Group Modified:
fortigateNULLmedium2025-11-01
Detects the modification of a user group on a Fortinet FortiGate Firewall.
The group could be used to grant VPN access to a network.
Splunk Detection rules latest updates
MacOS LOLbin:
endpointEndpoint2026-04-13
The following analytic detects multiple executions of Living off the Land (LOLbin) binaries on macOS within a short period.
It leverages osquery to monitor process events and identifies commands such as "find", "crontab", "screencapture", "openssl", "curl", "wget", "killall", and "funzip". This activity is significant as LOLbins are often used by attackers to perform malicious actions while evading detection.
If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or persist within the environment, posing a significant security risk.
MacOS plutil:
endpointEndpoint2026-04-13
The following analytic detects the usage of the `plutil` command to modify plist files on macOS systems. It leverages osquery to monitor process events, specifically looking for executions of `/usr/bin/plutil`. This activity is significant because adversaries can use `plutil` to alter plist files, potentially adding malicious binaries or command-line arguments that execute upon user logon or system startup. If confirmed malicious, this could allow attackers to achieve persistence, execute arbitrary code, or escalate privileges, posing a significant threat to the system's security.
Suspicious PlistBuddy Usage via OSquery:
endpointEndpoint2026-04-13
The following analytic detects the use of the PlistBuddy utility on macOS to create or modify property list (.plist) files. It leverages OSQuery to monitor process events, specifically looking for commands that interact with LaunchAgents and set properties like RunAtLoad. This activity is significant because PlistBuddy can be used to establish persistence mechanisms, as seen in malware like Silver Sparrow. If confirmed malicious, this could allow an attacker to maintain persistence, execute arbitrary commands, and potentially escalate privileges on the compromised system.
MacOS AMOS Stealer - Virtual Machine Check Activity:
endpointEndpoint2026-04-13
The following analytic detects AMOS Stealer VM check activity on macOS. It leverages osquery to monitor process events and identifies the execution of the "osascript" command along with specific commandline strings.
This activity is significant as AMOS stealer was seen using this pattern in order to check if the host is a Virtual Machine or not.
If confirmed malicious, this behavior indicate that the host is already infected by the AMOS stealer, which could allow attackers to execute arbitrary code, escalate privileges, steal information, or persist within the environment, posing a significant security risk.
Processes Tapping Keyboard Events:
threatEndpoint2026-04-13
The following analytic detects processes on macOS systems that are tapping keyboard events, potentially monitoring all keystrokes made by a user. It leverages data from osquery results within the Alerts data model, focusing on specific process names and command lines. This activity is significant as it is a common technique used by Remote Access Trojans (RATs) to log keystrokes, posing a serious security risk. If confirmed malicious, this could lead to unauthorized access to sensitive information, including passwords and personal data, compromising the integrity and confidentiality of the system.
Microsoft Defender Incident Alerts:
endpointEndpoint2026-04-08
The following analytic is to leverage alerts from Microsoft Defender O365 Incidents. This query aggregates and summarizes all alerts from Microsoft Defender O365 Incidents, providing details such as the destination, file name, severity, process command line, ip address, registry key, signature, description, unique id, and timestamps. This detection is not intended to detect new activity from raw data, but leverages Microsoft provided alerts to be correlated with other data as part of risk based alerting. The data contained in the alert is mapped not only to the risk object, but also the threat object. This detection filters out evidence that has a verdict of clean from Microsoft. It dynamically maps the MITRE technique at search time to auto populate the annotation field with the value provided in the alert. It also uses a static mapping to set the risk score based on the severity of the alert.
Microsoft Defender ATP Alerts:
endpointEndpoint2026-04-08
The following analytic is to leverage alerts from Microsoft Defender ATP Alerts. This query aggregates and summarizes all alerts from Microsoft Defender ATP Alerts, providing details such as the source, file name, severity, process command line, ip address, registry key, signature, description, unique id, and timestamps. This detection is not intended to detect new activity from raw data, but leverages Microsoft provided alerts to be correlated with other data as part of risk based alerting. The data contained in the alert is mapped not only to the risk object, but also the threat object. This detection filters out evidence that has a verdict of clean from Microsoft. It dynamically maps the MITRE technique at search time to auto populate the annotation field with the value provided in the alert. It also uses a dynamic mapping to set the risk score in Enterprise Security based on the severity of the alert.
Windows Curl Upload to Remote Destination:
endpointEndpoint2026-03-31
The following analytic detects the use of Windows Curl.exe to upload a file to a remote destination. It identifies command-line arguments such as `-T`, `--upload-file`, `-d`, `--data`, and `-F` in process execution logs. This activity is significant because adversaries may use Curl to exfiltrate data or upload malicious payloads. If confirmed malicious, this could lead to data breaches or further compromise of the system. Analysts should review parallel processes and network logs to determine if the upload was successful and isolate the endpoint if necessary.
Linux Ingress Tool Transfer Hunting:
endpointEndpoint2026-03-31
The following analytic detects the use of 'curl' and 'wget' commands within a Linux environment. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, user information, and command-line executions. This activity is significant as 'curl' and 'wget' are commonly used for downloading files, which can indicate potential ingress of malicious tools. If confirmed malicious, this activity could lead to unauthorized code execution, data exfiltration, or further compromise of the system. Monitoring and tuning this detection helps identify and differentiate between normal and potentially harmful usage.
Wscript Or Cscript Suspicious Child Process:
endpointEndpoint2026-03-31
This analytic identifies a suspicious spawned process by WScript or CScript process. This technique was a common technique used by adversaries and malware to execute different LOLBIN, other scripts like PowerShell or spawn a suspended process to inject its code as a defense evasion. This TTP may detect some normal script that uses several application tools that are in the list of the child process it detects but a good pivot and indicator that a script may execute suspicious code.
Linux Auditd File Permission Modification Via Chmod:
endpointEndpoint2026-03-31
The following analytic detects suspicious file permission modifications using the `chmod` command, which may indicate an attacker attempting to alter access controls on critical files or directories. Such modifications can be used to grant unauthorized users elevated privileges or to conceal malicious activities by restricting legitimate access. By monitoring for unusual or unauthorized `chmod` usage, this analytic helps identify potential security breaches, allowing security teams to respond promptly to prevent privilege escalation, data tampering, or other unauthorized actions on the system.
Windows Suspicious VMWare Tools Child Process:
endpointEndpoint2026-03-31
The following analytic identifies child processes spawned by vmtoolsd.exe, the VMWare Tools service in Windows, which typically runs with SYSTEM privileges. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process relationships. Monitoring this activity is crucial as it can indicate exploitation attempts, such as CVE-2023-20867. If confirmed malicious, attackers could gain SYSTEM-level access, allowing them to execute arbitrary code, escalate privileges, and potentially compromise the entire system.
Recon Using WMI Class:
endpointEndpoint2026-03-31
The following analytic detects suspicious PowerShell activity via EventCode 4104, where WMI performs event queries to gather information on running processes or services. This detection leverages PowerShell Script Block Logging to identify specific WMI queries targeting system information classes like Win32_Bios and Win32_OperatingSystem. This activity is significant as it often indicates reconnaissance efforts by an adversary to profile the compromised machine. If confirmed malicious, the attacker could gain detailed system information, aiding in further exploitation or lateral movement within the network.
Windows Process Execution From ProgramData:
endpointEndpoint2026-03-31
The following analytic identifies processes running from file paths within
the ProgramData directory, a common location abused by adversaries for executing
malicious code while evading detection. Threat actors often drop and execute payloads
from this directory to bypass security controls, as it typically has write permissions
for standard users. While this behavior can indicate malware execution or persistence
techniques, it is important to note that some legitimate software, installers, and
update mechanisms also run from ProgramData, leading to potential false positives.
Security teams should validate detections by correlating with other indicators,
such as unusual parent processes, unsigned binaries, or anomalous network activity.
Linux Auditd Possible Access To Credential Files:
endpointEndpoint2026-03-31
The following analytic detects attempts to access or dump the contents of /etc/passwd and /etc/shadow files on Linux systems. It leverages data from Linux Auditd, focusing on processes like 'cat', 'nano', 'vim', and 'vi' accessing these files. This activity is significant as it may indicate credential dumping, a technique used by adversaries to gain persistence or escalate privileges. If confirmed malicious, privileges. If confirmed malicious, attackers could obtain hashed passwords for offline cracking, leading to unauthorized access and potential system compromise.
