OpenEDR Spawning Command Shell:
windowsprocess_creationmedium2026-02-19
Detects the OpenEDR ssh-shellhost.exe spawning a command shell (cmd.exe) or PowerShell with PTY (pseudo-terminal) capabilities.
This may indicate remote command execution through OpenEDR's remote management features, which could be legitimate administrative activity or potential abuse of the remote access tool.
Threat actors may leverage OpenEDR's remote shell capabilities to execute commands on compromised systems, facilitating lateral movement or other command-and-control operations.
Potentially Suspicious File Creation by OpenEDR's ITSMService:
windowsfile_eventmedium2026-02-19
Detects the creation of potentially suspicious files by OpenEDR's ITSMService process.
The ITSMService is responsible for remote management operations and can create files on the system through the Process Explorer or file management features.
While legitimate for IT operations, creation of executable or script files could indicate unauthorized file uploads, data staging, or malicious file deployment.
Uncommon File Created by Notepad++ Updater Gup.EXE:
windowsfile_eventhigh2026-02-03
Detects when the Notepad++ updater (gup.exe) creates files in suspicious or uncommon locations.
This could indicate potential exploitation of the updater component to deliver unwanted malware or unwarranted files.
Suspicious Child Process of Notepad++ Updater - GUP.Exe:
windowsprocess_creationhigh2026-02-03
Detects suspicious child process creation by the Notepad++ updater process (gup.exe).
This could indicate potential exploitation of the updater component to deliver unwanted malware.
Notepad++ Updater DNS Query to Uncommon Domains:
windowsdns_querymedium2026-02-02
Detects when the Notepad++ updater (gup.exe) makes DNS queries to domains that are not part of the known legitimate update infrastructure.
This could indicate potential exploitation of the updater mechanism or suspicious network activity that warrants further investigation.
linux latest updates
Linux Setuid Capability Set on a Binary via Setcap Utility:
linuxprocess_creationlow2026-01-24
Detects the use of the 'setcap' utility to set the 'setuid' capability (cap_setuid) on a binary file.
This capability allows a non privileged process to make arbitrary manipulations of user IDs (UIDs), including setting its current UID to a value that would otherwise be restricted (i.e. UID 0, the root user).
This behavior can be used by adversaries to backdoor a binary in order to escalate privileges again in the future if needed.
Linux Setgid Capability Set on a Binary via Setcap Utility:
linuxprocess_creationlow2026-01-24
Detects the use of the 'setcap' utility to set the 'setgid' capability (cap_setgid) on a binary file.
This capability allows a non privileged process to make arbitrary manipulations of group IDs (GIDs), including setting its current GID to a value that would otherwise be restricted (i.e. GID 0, the root group).
This behavior can be used by adversaries to backdoor a binary in order to escalate privileges again in the future if needed.
Suspicious Filename with Embedded Base64 Commands:
linuxfile_eventhigh2025-11-22
Detects files with specially crafted filenames that embed Base64-encoded bash payloads designed to execute when processed by shell scripts.
These filenames exploit shell interpretation quirks to trigger hidden commands, a technique observed in VShell malware campaigns.
Kaspersky Endpoint Security Stopped Via CommandLine - Linux:
linuxprocess_creationhigh2025-10-18
Detects execution of the Kaspersky init.d stop script on Linux systems either directly or via systemctl.
This activity may indicate a manual interruption of the antivirus service by an administrator, or it could be a sign of potential tampering or evasion attempts by malicious actors.
Python WebServer Execution - Linux:
linuxprocess_creationmedium2025-10-17
Detects the execution of Python web servers via command line interface (CLI).
After gaining access to target systems, adversaries may use Python's built-in HTTP server modules to quickly establish a web server without requiring additional software.
This technique is commonly used in post-exploitation scenarios as it provides a simple method for transferring files between the compromised host and attacker-controlled systems.
Other latest updates
AWS GuardDuty Detector Deleted Or Updated:
awsNULLhigh2025-11-27
Detects successful deletion or disabling of an AWS GuardDuty detector, possibly by an attacker trying to avoid detection of its malicious activities.
Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost.
Verify with the user identity that this activity is legitimate.
FortiGate - New VPN SSL Web Portal Added:
fortigateNULLmedium2025-11-01
Detects the addition of a VPN SSL Web Portal on a Fortinet FortiGate Firewall.
This behavior was observed in pair with modification of VPN SSL settings.
FortiGate - User Group Modified:
fortigateNULLmedium2025-11-01
Detects the modification of a user group on a Fortinet FortiGate Firewall.
The group could be used to grant VPN access to a network.
Splunk Detection rules latest updates
Possible Lateral Movement PowerShell Spawn:
endpointEndpoint2026-03-26
The following analytic detects the spawning of a PowerShell process as a child or grandchild of commonly abused processes like services.exe, wmiprvse.exe, svchost.exe, wsmprovhost.exe, and mmc.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process names, as well as command-line executions. This activity is significant as it often indicates lateral movement or remote code execution attempts by adversaries. If confirmed malicious, this behavior could allow attackers to execute code remotely, escalate privileges, or persist within the environment.
Disable Schedule Task:
endpointEndpoint2026-03-26
The following analytic detects the execution of a command to disable an existing scheduled task using 'schtasks.exe' with the '/change' and '/disable' parameters. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. Disabling scheduled tasks is significant as it is a common tactic used by adversaries, including malware like IcedID, to disable security applications and evade detection. If confirmed malicious, this activity could allow attackers to persist undetected, disable critical security defenses, and further compromise the targeted host.
Processes launching netsh:
endpointEndpoint2026-03-26
The following analytic identifies processes launching netsh.exe, a command-line utility used to modify network configurations. It detects this activity by analyzing data from Endpoint Detection and Response (EDR) agents, focusing on process GUIDs, names, parent processes, and command-line executions. This behavior is significant because netsh.exe can be exploited to execute malicious helper DLLs, serving as a persistence mechanism. If confirmed malicious, an attacker could gain persistent access, modify network settings, and potentially escalate privileges, posing a severe threat to the network's integrity and security.
Sc exe Manipulating Windows Services:
endpointEndpoint2026-03-26
The following analytic detects the creation or modification of Windows services using the sc.exe command. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because manipulating Windows services can be a method for attackers to establish persistence, escalate privileges, or execute arbitrary code. If confirmed malicious, this behavior could allow an attacker to maintain long-term access, disrupt services, or gain control over critical system functions, posing a severe threat to the environment.
Detect Rundll32 Inline HTA Execution:
endpointEndpoint2026-03-26
The following analytic detects the execution of "rundll32.exe" with inline protocol handlers such as "JavaScript", "VBScript", and "About". This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on command-line arguments. This activity is significant as it is often associated with fileless malware or application whitelisting bypass techniques. If confirmed malicious, this could allow an attacker to execute arbitrary code, bypass security controls, and maintain persistence within the environment.
Anomalous usage of 7zip:
endpointEndpoint2026-03-26
The following analytic detects the execution of 7z.exe, a 7-Zip utility, spawned from rundll32.exe or dllhost.exe. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on process names and parent processes. This activity is significant as it may indicate an adversary attempting to use 7-Zip for data exfiltration, often by renaming the executable to evade detection. If confirmed malicious, this could lead to unauthorized data archiving and exfiltration, compromising sensitive information and potentially leading to further system exploitation.
Windows Information Discovery Fsutil:
endpointEndpoint2026-03-26
The following analytic identifies the execution of the Windows built-in tool FSUTIL with the "FSINFO" or "Volume" parameters, in order to discover file system and disk information.
This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details.
Monitoring this activity is significant because FSUTIL can be abused by adversaries to gather detailed information about the file system, aiding in further exploitation.
If confirmed malicious, this activity could enable attackers to map the file system, identify valuable data, and plan subsequent actions such as privilege escalation or persistence.
Scheduled Task Deleted Or Created via CMD:
endpointEndpoint2026-03-26
The following analytic detects the creation or deletion of scheduled tasks via schtasks.exe when invoked with create or delete flags, specifically focusing on those executions where the process includes additional parameters such as /tr, /sc, or /ru. The detection uses Endpoint Detection and Response (EDR) telemetry mapped to the Endpoint data model, and filters out events originating from trusted system paths like C:\Windows\System32 or C:\Program Files. It further narrows results to cases where schtasks.exe is launched by potentially suspicious parent processes such as cmd.exe, wscript.exe, or cscript.exe, and excludes service accounts. This behavior may indicate adversary efforts to gain persistence or evade detection by manipulating scheduled tasks using scripts or command shells. If confirmed malicious, such activity could lead to unauthorized code execution or the removal of monitoring mechanisms on endpoints.
Windows Service Create Kernel Mode Driver:
endpointEndpoint2026-03-26
The following analytic identifies the creation of a new kernel mode driver using the sc.exe command. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. The activity is significant because adding a kernel driver is uncommon in regular operations and can indicate an attempt to gain low-level access to the system. If confirmed malicious, this could allow an attacker to execute code with high privileges, potentially compromising the entire system and evading traditional security measures.
Windows Account Access Removal via Logoff Exec:
endpointEndpoint2026-03-26
The following analytic detects the process of logging off a user through the use of the quser and logoff commands. By monitoring for these commands, the analytic identifies actions where a user session is forcibly terminated, which could be part of an administrative task or a potentially unauthorized access attempt. This detection helps identify potential misuse or malicious activity where a user’s access is revoked without proper authorization, providing insight into potential security incidents involving account management or session manipulation.
Windows Delete or Modify System Firewall:
endpointEndpoint2026-03-26
The following analytic identifies 'netsh' processes that delete or modify firewall configurations. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions containing specific keywords. This activity is significant because it can indicate malware, such as NJRAT, attempting to alter firewall settings to evade detection or remove traces. If confirmed malicious, this behavior could allow an attacker to disable security measures, facilitating further compromise and persistence within the network.
Windows Net System Service Discovery:
endpointEndpoint2026-03-26
The following analytic detects the enumeration of Windows services using the net start command, which is a built-in utility that lists all running services on a system. Adversaries, system administrators, or automated tools may use this command to gain situational awareness of what services are active, identify potential security software, or discover opportunities for privilege escalation and lateral movement. The execution of net start is often associated with reconnaissance activity during the early stages of an intrusion, as attackers attempt to map out the system’s defense mechanisms and operational services. By monitoring process execution for instances of cmd.exe /c net start or similar command-line usage, defenders can detect potentially suspicious activity. Correlating this behavior with other reconnaissance commands, such as tasklist or sc query, strengthens detection fidelity. While net start is not inherently malicious, unusual or repeated use in non-administrative contexts should be flagged for further investigation.
Attempt To Add Certificate To Untrusted Store:
endpointEndpoint2026-03-26
The following analytic detects attempts to add a certificate to the untrusted
certificate store using the 'certutil -addstore' command.
It leverages process activity and command-line arguments from Endpoint Detection and Response (EDR) logs mapped to the Splunk `Processes` data model.
This activity is significant as it may indicate an attacker trying to disable security tools to gain unauthorized access.
If confirmed malicious, this could lead to the compromise of system security, allowing attackers
to bypass defenses and potentially escalate privileges or persist in the environment.
Conti Common Exec parameter:
endpointEndpoint2026-03-26
The following analytic detects the execution of suspicious command-line arguments commonly associated with Conti ransomware, specifically targeting local drives and network shares for encryption. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it indicates a potential ransomware attack, which can lead to widespread data encryption and operational disruption. If confirmed malicious, the impact could be severe, resulting in data loss, system downtime, and potential ransom demands.
Windows Rundll32 WebDAV Request:
endpointEndpoint2026-03-24
The following analytic identifies the execution of rundll32.exe with command-line arguments loading davclnt.dll and the davsetcookie function to access a remote WebDAV instance. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it may indicate an attempt to exploit CVE-2023-23397, a known vulnerability. If confirmed malicious, this could allow an attacker to execute remote code or exfiltrate data, posing a severe threat to the environment.
