Sensitive File Dump Via Print.EXE:
windowsprocess_creationhigh2026-04-28
Detects the abuse of the Print.exe utility for credential harvesting which involves using Print.Exe to copy sensitive files such as ntds.dit, SAM, SECURITY, or SYSTEM from the Windows directory in order to extract credentials, locally or remotely.
Indirect Command Execution via SFTP ProxyCommand:
windowsprocess_creationmedium2026-04-27
Detects the use of SFTP.exe to execute commands indirectly via ProxyCommand parameter.
Threat actors were seen leveraging this legitimate Windows binary to bypass security controls and execute arbitrary commands while evading detection.
PUA - Memory Dump Mount Via MemProcFS:
windowsprocess_creationhigh2026-04-27
Detects execution of MemProcFS a memory forensics tool with the '-device' parameter.
MemProcFS mounts physical memory as a virtual file system, allowing direct access to process memory and system structures.
Threat actors were seen abusing this utility to mount memory dumps and then extract sensitive information from processes like LSASS or extract registry hives to obtain credentials, LSA secrets, SAM data, and cached domain credentials.
MemProcFS usage that is not part of authorized forensic analysis should be treated as suspicious and warrants further investigation.
Service Startup Type Change Via Wmic.EXE:
windowsprocess_creationmedium2026-04-27
Detects changes to service startup type to 'disabled' or 'manual' using the WMIC command-line utility.
HackTool - NetExec File Indicators:
windowsfile_eventhigh2026-04-08
Detects file creation events indicating NetExec (nxc.exe) execution on the local machine.
NetExec is a PyInstaller-bundled binary that extracts its embedded data files to a "_MEI<random>" directory
under the Temp folder upon execution. Files dropped under the "\nxc\" sub-directory of that
extraction path are unique to NetExec and serve as reliable on-disk indicators of execution.
NetExec (formerly CrackMapExec) is a widely used post-exploitation and lateral movement tool used for
Active Directory enumeration, credential harvesting, and remote code execution.
linux latest updates
Python One-Liners with Base64 Decoding - Linux:
linuxprocess_creationhigh2026-03-09
Detects the use of Python's base64 decoding functions in command line executions on Linux systems.
Malicious scripts often use python one-liners to decode and execute base64-encoded payloads, which is a common technique for obfuscation and evasion.
Linux Setuid Capability Set on a Binary via Setcap Utility:
linuxprocess_creationlow2026-01-24
Detects the use of the 'setcap' utility to set the 'setuid' capability (cap_setuid) on a binary file.
This capability allows a non privileged process to make arbitrary manipulations of user IDs (UIDs), including setting its current UID to a value that would otherwise be restricted (i.e. UID 0, the root user).
This behavior can be used by adversaries to backdoor a binary in order to escalate privileges again in the future if needed.
Linux Setgid Capability Set on a Binary via Setcap Utility:
linuxprocess_creationlow2026-01-24
Detects the use of the 'setcap' utility to set the 'setgid' capability (cap_setgid) on a binary file.
This capability allows a non privileged process to make arbitrary manipulations of group IDs (GIDs), including setting its current GID to a value that would otherwise be restricted (i.e. GID 0, the root group).
This behavior can be used by adversaries to backdoor a binary in order to escalate privileges again in the future if needed.
Script Interpreter Spawning Credential Scanner - Linux:
linuxprocess_creationhigh2025-11-25
Detects a script interpreter process (like node.js or bun) spawning a known credential scanning tool (e.g., trufflehog, gitleaks).
This behavior is indicative of an attempt to find and steal secrets, as seen in the "Shai-Hulud: The Second Coming" campaign.
Suspicious Filename with Embedded Base64 Commands:
linuxfile_eventhigh2025-11-22
Detects files with specially crafted filenames that embed Base64-encoded bash payloads designed to execute when processed by shell scripts.
These filenames exploit shell interpretation quirks to trigger hidden commands, a technique observed in VShell malware campaigns.
Other latest updates
Google Workspace Out Of Domain Email Forwarding:
gcpNULLmedium2026-04-28
Detects automatic email forwarding to external domains in Google Workspace, which may indicate data leakage or misuse.
Google Workspace Government Attack Warning:
gcpNULLmedium2026-04-28
Detects a login attempt in Google Workspace flagged as a potential attack by a government-backed threat actor
Kubernetes Potential Enumeration Activity:
kubernetesNULLmedium2026-04-28
Detects potential Kubernetes enumeration or attack activity via the audit log.
This includes the execution of common shells, utilities, or specialized tools like 'Rakkess' (access_matrix) and 'TruffleHog' via Kubernetes API requests.
Attackers use these methods to perform reconnaissance (enumeration), secret harvesting, or execute code (exec) within a cluster.
Cisco Dot1x Disabled:
ciscoNULLmedium2026-04-28
Detects the manual disablement of IEEE 802.1X (dot1x) on a Cisco network device interface.
Disabling dot1x bypasses Network Access Control (NAC) mechanisms, potentially allowing unauthorized devices to gain access to the internal network.
This activity is a common technique used by attackers or malicious insiders to establish persistence or perform lateral movement via rogue devices.
Splunk Detection rules latest updates
MacOS Keychains Dumped:
endpointEndpoint2026-04-28
Detects command-line attempts to access or dump macOS Keychain data using native utilities or direct file access.
This includes credential dumping via the `security` utility (e.g. `dump-keychain -d`), bulk certificate export using `security find-certificate`, and direct file copying of Keychain database files using utilities such as `cat`.
Keychain files are located in `~/Library/Keychains/`, `/Library/Keychains/`, and `/Network/Library/Keychains/`.
This technique is commonly associated with post-exploitation credential harvesting, where an attacker with local access seeks to escalate privileges or move laterally by obtaining stored credentials for applications, Wi-Fi networks, system services, and certificates.
Azure Active Directory High Risk Sign-in:
identityAzure Active Directory2026-04-28
The following analytic detects high-risk sign-in attempts against Azure Active Directory, identified by Azure Identity Protection. It leverages the RiskyUsers and UserRiskEvents log categories from Azure AD events ingested via EventHub. This activity is significant as it indicates potentially compromised accounts, flagged by heuristics and machine learning. If confirmed malicious, attackers could gain unauthorized access to sensitive resources, leading to data breaches or further exploitation within the environment.
Curl Execution with Percent Encoded URL:
endpointEndpoint2026-04-28
The following analytic detects the execution of the curl utility where the command line includes percent-encoded characters and explicit file output options (such as -o or --output).
It leverages process execution telemetry from Endpoint Detection and Response (EDR) data sources to identify curl commands that may be using URL encoding to obfuscate download locations or payload paths.
This behavior is notable because percent-encoded URLs are commonly used by adversaries to evade simple string-based detections, hide malicious infrastructure, or bypass network security controls.
When combined with file download behavior, this activity may indicate malware staging, payload retrieval, or secondary tool deployment.
Analysts should review the decoded URL, destination host, parent process, and downloaded file to determine whether the activity is authorized or malicious.
The analytic calculates the number of percent (%) characters in the curl command line and triggers when a threshold of three or more is met, indicating potential URL encoding.
Adjust the threshold as needed based on your environment and tuning requirements.
PowerShell PInvoke Process Injection API Chain:
endpointEndpoint2026-04-22
The following analytic detects PowerShell Script Block Logging (Event ID 4104) evidence of a complete P/Invoke process-injection API chain at either the compile phase or the execution phase.
Compile phase:
Detects inline .NET class definitions created via `Add-Type -TypeDefinition` where the embedded C# source includes `[DllImport]` declarations and full P/Invoke signatures such as `extern <ReturnType> <FunctionName>`. This reduces false positives from comments, string literals, and arbitrary text references.
Execution phase:
Detects PowerShell static method invocation patterns using `::MethodName(` syntax, anchored with execution-context indicators such as `[IntPtr]::Zero` or `Marshal]::Copy`.
Injection technique coverage:
1. Self-injection shellcode runner
- VirtualAlloc + VirtualProtect + CreateThread
2. Remote thread injection
- OpenProcess + VirtualAllocEx/VirtualAlloc + WriteProcessMemory + CreateRemoteThread
3. APC injection
- OpenProcess + VirtualAllocEx/VirtualAlloc + WriteProcessMemory + QueueUserAPC
4. Thread-context hijacking
- OpenThread + SuspendThread + GetThreadContext + WriteProcessMemory + SetThreadContext + ResumeThread
5. Process hollowing
- CreateProcess + VirtualAllocEx/VirtualAlloc + WriteProcessMemory + SetThreadContext + ResumeThread
6. Section-map injection
- NtCreateSection + NtMapViewOfSection (+ CreateRemoteThread in this analytic)
7. Reflective DLL loading
- VirtualAlloc + GetProcAddress + GetModuleHandle + VirtualProtect + CreateThread
8. DLL injection
- OpenProcess + VirtualAllocEx/VirtualAlloc + WriteProcessMemory + GetModuleHandle + GetProcAddress + CreateRemoteThread
Including the execution phase ensures coverage when an adversary loads a pre-compiled assembly from memory or disk and bypasses Add-Type entirely, since the static method call pattern is still captured in the script block regardless of how the class was originally compiled.
Wscript Or Cscript Suspicious Child Process:
endpointEndpoint2026-04-21
This analytic identifies a suspicious spawned process by WScript or CScript process. This technique was a common technique used by adversaries and malware to execute different LOLBIN, other scripts like PowerShell or spawn a suspended process to inject its code as a defense evasion. This TTP may detect some normal script that uses several application tools that are in the list of the child process it detects but a good pivot and indicator that a script may execute suspicious code.
Windows Unusual Process Load Mozilla NSS-Mozglue Module:
endpointEndpoint2026-04-21
The following analytic identifies processes loading Mozilla NSS-Mozglue libraries such as mozglue.dll and nss3.dll. It leverages Sysmon Event logs, specifically monitoring EventCode 7, which tracks image loaded events. This activity is significant because it can indicate unauthorized access or manipulation of these libraries, which are commonly used by Mozilla applications like Firefox and Thunderbird. If confirmed malicious, this could lead to data exfiltration, credential theft, or further compromise of the system.
Windows Screen Capture in TEMP folder:
endpointEndpoint2026-04-21
The following analytic detects the creation of screen capture files by the Braodo stealer malware. This stealer is known to capture screenshots of the victim's desktop as part of its data theft activities. The detection focuses on identifying unusual screen capture activity, especially when images are saved in directories often used by malware, such as temporary or hidden folders. Monitoring for these files helps to quickly identify malicious screen capture attempts, allowing security teams to respond and mitigate potential information exposure before sensitive data is compromised.
Logon Script Event Trigger Execution:
endpointEndpoint2026-04-21
The following analytic detects the modification of the UserInitMprLogonScript registry entry, which is often used by attackers to establish persistence and gain privilege escalation upon system boot. It leverages data from the Endpoint.Registry data model, focusing on changes to the specified registry path. This activity is significant because it is a common technique used by APT groups and malware to ensure their payloads execute automatically when the system starts. If confirmed malicious, this could allow attackers to maintain persistent access and potentially escalate their privileges on the compromised host.
Non Chrome Process Accessing Chrome Default Dir:
endpointEndpoint2026-04-21
The following analytic detects a non-Chrome process accessing files in the Chrome user default folder. It leverages Windows Security Event logs, specifically event code 4663, to identify unauthorized access attempts. This activity is significant because the Chrome default folder contains sensitive user data such as login credentials, browsing history, and cookies. If confirmed malicious, this behavior could indicate an attempt to exfiltrate sensitive information, often associated with RATs, trojans, and advanced persistent threats like FIN7. Such access could lead to data theft and further compromise of the affected system.
Windows Credentials from Password Stores Chrome LocalState Access:
endpointEndpoint2026-04-21
The following analytic detects non-Chrome processes accessing the Chrome "Local State" file, which contains critical settings and information. It leverages Windows Security Event logs, specifically event code 4663, to identify this behavior. This activity is significant because threat actors can exploit this file to extract the encrypted master key used for decrypting saved passwords in Chrome. If confirmed malicious, this could lead to unauthorized access to sensitive information, posing a severe security risk. Monitoring this anomaly helps identify potential threats and safeguard browser-stored data.
Windows Gather Victim Network Info Through Ip Check Web Services:
endpointEndpoint2026-04-21
The following analytic detects processes attempting to connect to known IP check web services. This behavior is identified using Sysmon EventCode 22 logs, specifically monitoring DNS queries to services like "wtfismyip.com" and "ipinfo.io". This activity is significant as it is commonly used by malware, such as Trickbot, for reconnaissance to determine the infected machine's IP address. If confirmed malicious, this could allow attackers to gather network information, aiding in further attacks or lateral movement within the network.
Windows Credential Access From Browser Password Store:
endpointEndpoint2026-04-21
The following analytic identifies a possible non-common browser process accessing its browser user data profile. This tactic/technique has been observed in various Trojan Stealers, such as SnakeKeylogger, which attempt to gather sensitive browser information and credentials as part of their exfiltration strategy. Detecting this anomaly can serve as a valuable pivot for identifying processes that access lists of browser user data profiles unexpectedly. This detection uses a lookup file `browser_app_list` that maintains a list of well known browser applications and the browser paths that are allowed to access the browser user data profiles.
Windows Credentials from Password Stores Chrome Login Data Access:
endpointEndpoint2026-04-21
The following analytic identifies non-Chrome processes accessing the Chrome user data file "login data." This file is an SQLite database containing sensitive information, including saved passwords. The detection leverages Windows Security Event logs, specifically event code 4663, to monitor access attempts. This activity is significant as it may indicate attempts by threat actors to extract and decrypt stored passwords, posing a risk to user credentials. If confirmed malicious, attackers could gain unauthorized access to sensitive accounts and escalate their privileges within the environment.
Windows Unsecured Outlook Credentials Access In Registry:
endpointEndpoint2026-04-21
The following analytic detects unauthorized access to Outlook credentials stored in the Windows registry. It leverages Windows Security Event logs, specifically EventCode 4663, to identify access attempts to registry paths associated with Outlook profiles. This activity is significant as it may indicate attempts to steal sensitive email credentials, which could lead to unauthorized access to email accounts. If confirmed malicious, this could allow attackers to exfiltrate sensitive information, impersonate users, or execute further unauthorized actions within Outlook, posing a significant security risk.
Recon Using WMI Class:
endpointEndpoint2026-04-21
The following analytic detects suspicious PowerShell activity via EventCode 4104, where WMI performs event queries to gather information on running processes or services. This detection leverages PowerShell Script Block Logging to identify specific WMI queries targeting system information classes like Win32_Bios and Win32_OperatingSystem. This activity is significant as it often indicates reconnaissance efforts by an adversary to profile the compromised machine. If confirmed malicious, the attacker could gain detailed system information, aiding in further exploitation or lateral movement within the network.
