May 6, 2026

    April 2026 Product Releases

    This month's releases include new detections across macOS, Windows, Microsoft 365, and Linux to help identify supply chain attack techniques, credential reconnaissance, remote access tool abuse, and AI agent exploitation. Highlights include detections for malicious npm postinstall hooks, Fscan network scanning, ClickFix campaign activity, and the widely exploited OpenClaw AI agent. We also improved detection accuracy and reduced false positives across several existing rules, and we delivered targeted bug fixes to the MSP Portal, ConnectWise PSA integration, and agent isolation workflows. Lastly, we added more granular control to the M365 ITDR with separate disable user and revoke session response actions.

    Detection Updates

    Log Type Details
    macOS
    NEW - macOS: Node.js Process Spawning osascript via nohup

    This new detection rule identifies nohup being used to launch osascript in a detached context, a technique malicious node package manager (npm) post-install hooks use to escape the process tree and establish persistence.

    Default state: Enabled
    macOS
    NEW - macOS: osascript Spawning Curl to Download Remote Payload

    This new detection rule identifies osascript spawning a shell that invokes curl to download a remote payload, a technique seen in the recent Axios npm supply chain compromise.

    Default state: Enabled
    macOS
    NEW - macOS: Suspicious Binary Execution from Library Caches

    This new detection rule identifies commands referencing a binary masquerading as a system process in /Library/Caches/, a technique used by the Axios supply chain RAT to blend in with legitimate macOS system activity.

    Default state: Enabled
    Microsoft 365
    NEW - Microsoft 365: External Account Accessing Personal SharePoint Site

    This new detection rule identifies file operations on personal SharePoint sites by external or guest accounts, which may indicate unauthorized access to sensitive user files.

    Default state: Disabled
    Windows
    NEW - Cmdkey Credential Listing Reconnaissance

    This new detection rule monitors for cmdkey executions that include stored credentials, which may indicate credential reconnaissance during post-compromise activity.

    Default state: Enabled
    Windows
    NEW - Fscan Network Scanning Tool Execution

    This new detection rule identifies execution of Fscan, which is an open-source offensive network scanning tool frequently used by threat actors for post-exploitation reconnaissance and lateral movement discovery.

    Default state: Enabled
    Windows
    NEW - NT Path Prefix: Shell Execution of Executable

    This new detection rule identifies command interpreters executing files via NT path prefixes (e.g., \??\, \\?\, or \\.\), a technique attackers use to bypass security tools that rely on standard path-based detection rules.

    Default state: Enabled
    Windows
    NEW - PowerShell Remove and Insert Method Obfuscation

    This new detection rule identifies PowerShell scripts containing heavy string method obfuscation, where strings are constructed character-by-character through chained .Remove() and .Insert() method calls to evade static string-based detections.

    Default state: Enabled
    Windows
    NEW - Recursive where.EXE Command Wildcard Executable Resolution

    This new detection rule identifies the use of where /r with wildcards to recursively search Windows system directories for executable files, a technique observed in ClickFix campaigns to resolve binary paths without using their literal names.

    Default state: Enabled
    Windows
    NEW - Remote Access Tool: Net Monitor for Employees

    This new detection rule monitors for execution of Net Monitor for Employees software and related msiexec commands, which may indicate unauthorized remote access tool installation.

    Default state: Enabled
    Windows
    NEW - Remote Access Tool: SimpleHelp

    This new detection rule identifies process creation events for SimpleHelp remote access software. While legitimate, SimpleHelp has been exploited by threat actors to maintain unauthorized access to compromised systems.

    Default state: Disabled
    Windows
    NEW - Runas Binary Usage

    This new detection rule identifies use of the runas utility to execute commands under a different user context, a technique associated with privilege escalation during post-compromise activity.

    Default state: Disabled
    Windows
    NEW - Unicode Path Masquerading in Trusted Directory

    This new detection rule identifies process execution from paths containing Unicode characters that visually mimic trusted Windows directory names, a technique used to bypass EDR solutions that allow-list processes from trusted directories.

    Default state: Enabled
    Windows
    NEW - Whoami All Execution

    This new detection rule identifies execution of whoami /all, a discovery command used to enumerate user identity, privileges, and group memberships, commonly observed during post-exploitation reconnaissance.

    Default state: Disabled
    Windows / macOS / Linux
    NEW - OpenClaw AI Agent Process Execution

    This new detection rule identifies process creation events for OpenClaw (formerly Clawdbot, Moltbot), an AI agent that grants full OS-level shell access and has been widely exploited via malicious skills and exposed gateways.

    Default state: Disabled
    Windows / macOS / Linux
    NEW - OpenClaw Installation or Persistence Artifact

    This new detection rule identifies OpenClaw installation commands and persistence artifacts including systemd services, macOS launch agents, and configuration directory files that indicate the AI agent has been installed on a system.

    Default state: Enabled
    Fortigate
    UPDATE - Fortigate: Successful Admin Login from External IP Address

    We improved detection logic to reduce false positives in certain FortiGate management login scenarios.
    HTTP Access / Windows
    UPDATE - ConnectWise ScreenConnect CVE Detections (CVE-2024-1708, CVE-2024-1709)

    We rewrote the analysis text for all three ConnectWise ScreenConnect CVE detections with improved investigation guidance, CVE context, and better field coverage in matched evidence.
    Sophos Central
    UPDATE - Sophos Central: Threat Event

    We refined detection logic to reduce false positives from routine Sophos protection activity.
    Windows
    UPDATE - Decimal Character Encoded Command

    We expanded detection coverage to identify additional PowerShell obfuscation variants used by threat actors to evade detection.
    Windows
    UPDATE - Potential EDR-Freeze Isolation Pattern

    We improved query performance and refined detection logic to reduce false positives.
    Windows
    UPDATE - Reconnaissance via Net Commands

    We refined detection logic to reduce false positives from legitimate administrative tool activity.
    Windows
    UPDATE - Webshells by File Write

    We refined detection logic to reduce false positives from legitimate application activity.
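
    As an added illustration (not Blumira's rule logic), the Python below applies three of the Windows detections above, NT path prefix execution via a shell, Unicode masquerading of a trusted directory, and chained .Remove()/.Insert() obfuscation, to constructed process-creation events. The interpreter list, trusted-directory list, confusable table and call-count threshold are assumptions chosen for the example.

```python
import re
import unicodedata

# Constructed sample events (image path, command line) as an EDR would record them; illustrative inputs only.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\cmd.exe", r"cmd.exe /c \??\C:\Users\Public\update.exe"),
    ("C:\\Wind\u043ews\\System32\\svchost.exe", "svchost.exe -k netsvcs"),  # Cyrillic 'о' in "Windows"
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell -c \"$s=''.Insert(0,'a').Insert(1,'b').Remove(0,1).Insert(0,'c').Insert(2,'d')\""),
    (r"C:\Windows\System32\notepad.exe", "notepad.exe report.txt"),
]

# Assumed lists and thresholds for illustration; a production rule would tune them.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
NT_PREFIX = re.compile(r"\\\?\?\\|\\\\\?\\|\\\\\.\\")  # matches \??\  \\?\  \\.\
METHOD_CALL = re.compile(r"\.(?:Remove|Insert)\(", re.IGNORECASE)
OBFUSCATION_THRESHOLD = 4
# Small Cyrillic-to-Latin confusable map; a real rule would use a full confusables list.
CONFUSABLES = str.maketrans({"\u043e": "o", "\u0430": "a", "\u0435": "e",
                             "\u0441": "c", "\u0440": "p", "\u0445": "x"})

def fold(text):
    """Normalise compatibility forms, fold confusables and lowercase for comparison."""
    return unicodedata.normalize("NFKC", text).translate(CONFUSABLES).lower()

def masquerades_trusted_dir(image):
    """True only when non-ASCII characters make the directory prefix *look* trusted."""
    for trusted in TRUSTED_DIRS:
        prefix = image[:len(trusted)]
        if not prefix.isascii() and fold(prefix) == trusted:
            return True
    return False

def evaluate(image, cmdline):
    """Return the names of the release-note rules this event would match."""
    hits = []
    name = image.rsplit("\\", 1)[-1].lower()
    if name in INTERPRETERS and NT_PREFIX.search(cmdline):
        hits.append("NT Path Prefix: Shell Execution of Executable")
    if masquerades_trusted_dir(image):
        hits.append("Unicode Path Masquerading in Trusted Directory")
    if name in {"powershell.exe", "pwsh.exe"} and \
            len(METHOD_CALL.findall(cmdline)) >= OBFUSCATION_THRESHOLD:
        hits.append("PowerShell Remove and Insert Method Obfuscation")
    return hits

if __name__ == "__main__":
    for image, cmdline in SAMPLE_EVENTS:
        print(f"{image} -> {evaluate(image, cmdline) or 'no match'}")
```

    A legitimate ASCII path under C:\Windows is never flagged by the masquerading check, and a non-ASCII character outside the trusted prefix (for example in a vendor folder name) does not trigger it either.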

    Bug Fixes and Improvements

    Bug Fixes 

    • MSP Portal - Admin Bulk Action Scope: We fixed a security issue where "Bulk Actions > Add Administrator role to all" in the MSP Portal was incorrectly applying to admins scoped to unrelated sub-accounts, not just users of the current sub-account.
    • ConnectWise PSA Integration - Note and Status Sync: We fixed an issue where the CW PSA integration would create tickets but fail to sync notes or status updates for some MSP customers.
    • Workflows with Blocklist - Steps Disappearing: We fixed an issue where workflow steps for "Connection from Public IP" findings tied to the blocklist would disappear when the finding was resolved, affecting customers without automated blocking enabled.
    • Agent Isolation - Offline State: We fixed a condition where Blumira-isolated endpoints could get stuck in an offline state that required a full reboot to restore connectivity.

    Improvements 

    • M365 ITDR - Granular Disable and Revoke Actions: Based on user feedback, the M365 ITDR "Disable user and revoke sessions" response button now offers three distinct options: "Disable & Revoke Sessions" (combined, unchanged), "Disable User" only, and "Revoke Sessions" only. Responders can now trigger these actions independently.

    March 2026 Release Notes

    In case you missed the March updates, you can find and review those notes here.

    Eric Pitt

    Eric is a Product Marketing Manager at Blumira focusing on customer research and positioning to continuously improve the Blumira platform.
