New Detection Rules Feed

Suspicious Microsoft OAuth Flow via Auth Broker to DRS elastic-siem New rule STIX2

This rule detects a potential OAuth phishing attack in Microsoft Entra ID. It identifies scenarios where two successful sign-in events share the same user principal and session ID but originate from different IP addresses within a five-minute window. The detection logic specifically targets OAuth flows where the client application is the Microsoft Authentication Broker (MAB) and the resource is the Device Registration Service (DRS), a pattern highly indicative of an attacker using a stolen authorization code to gain access. Relevant MITRE ATT&CK tactics: TA0001, TA0006 Relevant MITRE ATT&CK techniques: T1566, T1566.002, T1528

initial-access credential-access cloud-security malicious-activity TA0001 TA0006 T1566 T1566.002 T1528

Potential Kerberos Coercion via DNS-Based SPN Spoofing elastic-siem New rule STIX2

This rule detects the creation of a DNS record containing a specific base64-encoded pattern (`UWhRCA...BAAAA`), which corresponds to a marshaled `CREDENTIAL_TARGET_INFORMATION` structure. This activity is indicative of Kerberos coercion attacks that leverage DNS-based SPN spoofing. Adversaries use this technique to force systems to authenticate to attacker-controlled hosts, enabling reflective Kerberos relay attacks to gain privileged access, potentially as `NT AUTHORITY\SYSTEM`. Relevant MITRE ATT&CK tactics: TA0006 Relevant MITRE ATT&CK techniques: T1557, T1557.001, T1187

credential-access endpoint-security malicious-activity TA0006 T1557 T1557.001 T1187

Potential Kerberos SPN Spoofing via Suspicious DNS Query elastic-siem New rule STIX2

This rule identifies DNS queries on Windows systems containing a specific Base64-encoded pattern (`*UWhRC*BAAAA*`). This pattern is indicative of a marshaled CREDENTIAL_TARGET_INFORMATION structure, which is a key component in Kerberos coercion attacks. Adversaries exploit this by creating malicious DNS records to spoof a Service Principal Name (SPN), tricking a victim system into authenticating to an attacker-controlled host. This technique facilitates credential theft, often through NTLM reflection. Relevant MITRE ATT&CK tactics: TA0006 Relevant MITRE ATT&CK techniques: T1557, T1557.001, T1187

credential-access malicious-activity endpoint-security TA0006 T1557 T1557.001 T1187

Windows DNS Query Request To TinyUrl splunk New rule STIX2

This Splunk analytic detects DNS queries to `tinyurl.com` originating from processes running in potentially suspicious Windows directories, such as `AppData` or `Temp`. The rule leverages Sysmon Event ID 22 (DNS Query) to identify this behavior. Threat actors frequently use URL shorteners like TinyURL to obfuscate malicious destinations for command-and-control (C2) infrastructure or malware payloads, making DNS requests from non-browser applications in these locations highly suspicious. Relevant MITRE ATT&CK tactics: TA0011 Relevant MITRE ATT&CK techniques: T1105, T1071, T1102

command-and-control execution endpoint-security TA0011 T1105 T1071 T1102

Windows Chromium Browser with Custom User Data Directory splunk New rule STIX2

This detection identifies the launch of a Chromium-based browser (Chrome, Edge, Brave, etc.) with the '--user-data-dir' command-line argument. This parameter specifies a custom user profile directory. While it has legitimate uses for testing or profile separation, threat actors and malware leverage it to create isolated browser environments for stealthy operations, credential harvesting, or evading detection by storing artifacts in non-standard locations. Relevant MITRE ATT&CK tactics: TA0005, TA0006 Relevant MITRE ATT&CK techniques: T1497, T1564.004

defense-evasion credential-access malicious-activity endpoint-security TA0005 TA0006 T1497 T1564.004

Windows Disable Internet Explorer Addons splunk New rule STIX2

This rule detects the execution of Internet Explorer (iexplore.exe) with the -extoff flag, which disables all browser extensions. This behavior is often exploited by attackers to conduct operations that could evade security plugins like antivirus extensions or toolbars. The use of the -extoff flag, especially when initiated by applications like Office, PowerShell, or scheduled tasks, is informal and could signify potential phishing or command-and-control activities. Relevant MITRE ATT&CK tactics: TA0011, TA0005 Relevant MITRE ATT&CK techniques: T1176.001, T1071.001, T1070.004

malicious-activity command-and-control defense-evasion discovery TA0011 TA0005 T1176.001 T1071.001 T1070.004

Windows Chromium Browser No Security Sandbox Process splunk New rule STIX2

This rule detects the execution of a Chromium-based browser process with the `--no-sandbox` command-line flag. This flag disables the browser's security sandbox, a critical defense mechanism that isolates browser processes from the underlying operating system. Threat actors commonly use this technique to facilitate malicious code execution, escape browser isolation for credential theft, or enable UI spoofing, often as part of a malware dropper or loader. Relevant MITRE ATT&CK tactics: TA0005 Relevant MITRE ATT&CK techniques: T1497, T1497.001

malicious-activity defense-evasion endpoint-security TA0005 T1497 T1497.001

AWS CloudTrail Log Evasion elastic-siem New rule STIX2

This rule identifies attempts to evade AWS CloudTrail logging for IAM policy actions. An adversary can pad an IAM policy document with excessive whitespace, causing it to exceed CloudTrail's logging size limits. This results in the policy details being omitted from the log, replaced by a "requestParameters too large" message. The detection logic specifically targets successful IAM events in CloudTrail logs where the `request_parameters` field indicates that details were omitted for this reason, effectively detecting efforts to obscure unauthorized policy modifications. Relevant MITRE ATT&CK tactics: TA0005 Relevant MITRE ATT&CK techniques: T1562, T1562.008

cloud-security defense-evasion TA0005 T1562 T1562.008

External Attack Surface Monitoring (EASM) KQL kql New rule STIX2

This KQL query identifies internet-facing devices by querying the ExposureGraphNodes table for devices or virtual machines flagged as internet-facing. It then cross-references these devices with DeviceNetworkEvents from the last 30 days to find listening connections, excluding localhost. The query ultimately summarizes the number of unique exposed listening ports per device, providing a measure of the external attack surface for the MDE device fleet. Relevant MITRE ATT&CK tactics: TA0043 Relevant MITRE ATT&CK techniques: T1595, T1046

discovery network-security cloud-security TA0043 T1595 T1046

Kubeconfig File Creation or Modification elastic-siem New rule STIX2

This rule detects the creation or modification of common Kubernetes configuration files (kubeconfig) on Linux systems. The detection logic, implemented in EQL, monitors specific file paths like `/root/.kube/config` and `/etc/kubernetes/*.conf` while excluding legitimate activities from processes such as `kubeadm` and `kubelet`. Such file activity may indicate an attacker's attempt to gain unauthorized access, move laterally within a Kubernetes cluster, or evade defenses by using alternate authentication materials. Relevant MITRE ATT&CK tactics: TA0008, TA0005, TA0001, TA0006 Relevant MITRE ATT&CK techniques: T1550, T1078, T1552.007

lateral-movement defense-evasion initial-access cloud-security endpoint-security TA0008 TA0005 TA0001 TA0006 T1550 T1078 T1552.007