Logins at unusual hours, at unusual frequency, or accessing unusual data or systems
Users changing or escalating privileges for critical systems
Discover malware communicating with external attackers
Insertion of USB thumb drives, use of personal email services, unauthorized cloud storage or excessive printing
Suspicious anomaly detection on multiple servers and endpoints
Obtain sensitive information used in fraud and impersonation
Identifying unusual traffic from organizational devices that an attacker might leverage to carry out an attack
Detecting emails forwarded or sent to entities other than the stated recipient
Attackers attempting to escalate privileges or access other IT systems on their way to a lucrative target
Monitor off-hours logins to an F5 SSL-VPN by accounts identified as VIP users
Detects malware downloaded from a suspicious URL (used by Lazarus)
Privileged user account was breached
Wiper variant found in c:\windows\system32 after adding GOV Intel IOCs to monitoring
Phorpiex Breakdown Malware – Blocked by EDR (File path: C:\WINDOWS\system32\)
ntds.dit file was created in the C:\windows\temp directory
Suspicious communication from a suspicious source to an internal asset
The event log was cleared, including the audit log
Protection disabled, antivirus removed, or a change in threat update status
Regular DNS requests to known bad domains indicate a compromised system communicating with a C2 server
Ivanti Alert on Exploit Signature Detection (CVE-2023-32560)
Suspicious communication from a suspicious source via port 8443
Detects suspicious hacking-related Windows command-line commands
Empower your organization's cyber defense with CIEMPLE – revolutionizing incident management and cybersecurity readiness effortlessly.
Address : Aluf 3
Email : info@cimplesoc.com
Phone : 0549992221