CylanceMDR

protection enhancements

Rule Name

: "Bcdedit Safeboot Modified"

MITRE Techniques

: T1562, T1562.009

Description

: This detection rule identifies instances where the bcdedit command is executed with the safeboot argument. BCDEdit is a command-line tool used for managing Boot Configuration Data (BCD). Attackers may use the safeboot argument to reboot a system into Safe Mode to potentially disable security controls such as antivirus or endpoint detection tools, which might not operate in Safe Mode.

Rule Type

: Advanced Detection

Platform

:

Windows

Additional Reference

: MITRE

Date added

: March 2025

Rule Name

: "Dsquery Command Execution"

MITRE Techniques

: T1087, T1087.002, T1482, T1082, T1018

Description

: This rule detects usage of the dsquery command. This command line utility can be used to query Active Directory (AD) from the host.

Rule Type

: Advanced Detection

Platform

:

Windows

Additional Reference

: MITRE

Date added

: March 2025

Rule Name

: "Suspicious Cryptographic Activity"

MITRE Techniques

: T1027, T1055, T1486, T1573, T1573.001

Description

: This rule detects suspicious process launches involving cryptographic operations, such as AES, commonly abused by SolarMarker and Luma malware.

Rule Type

: Advanced Detection

Platform

:

Windows

Additional Reference

: Squiblydoo

Date added

: March 2025

Rule Name

: "Credential Dumping via gsecdump"

MITRE Techniques

: T1003, T1003.001, T1003.002, T1003.004

Description

: This rule detects the execution of gsecdump, a tool used for credential dumping on Windows systems. Credential dumping involves extracting password hashes, plaintext passwords, or other authentication tokens from the operating system. The execution of gsecdump can target various credential storage locations including the Local Security Authority Subsystem Service (LSASS) and the Security Accounts Manager (SAM) database. False positives are less likely with this rule.

Rule Type

: Advanced Detection

Platform

:

Windows

Additional Reference

: MITRE and Red Canary

Date added

: February 2025

Rule Name

: "Base64 Encoded PowerShell Execution of Bitstransfer"

MITRE Techniques

: T1059, T1059.001, T1105, T1071, T1197

Description

: This rule detects the execution of a base64 encoded Bitstransfer download via PowerShell. Adversaries will obfuscate PowerShell Bitstransfer download commands to download malicious payloads and evade detection. False positives though unlikely can be occur from legitimate system admin tools and scripts.

Rule Type

: Advanced Detection

Platform

:

Windows

Additional Reference

: Medium

Date added

: February 2025

Rule Name

: "Base64 Encoded PowerShell Execution of .NET Webclient"

MITRE Techniques

: T1059, T1059.001, T1105, T1071

Description

: This rule detects the use of a base64 encoded invocation of the System.Net.Webclient class via PowerShell. Adversaries will use System.Net.Webclient to download malicious payloads. False positives, though unlikely, can occur from legitimate system admin tools and scripts.

Rule Type

: Advanced Detection

Platform

:

Windows

Additional Reference

: Medium

Date added

: February 2025

Rule Name

: "Base64 Encoded PowerShell Execution of Invoke-Restmethod"

MITRE Techniques

: T1059, T1059.001, T1105, T1071

Description

: This rule detects the execution of a base64 encoded Invoke-Restmethod command via PowerShell. Adversaries will use Invoke-Restmethod to download malicious payloads. False positives though unlikely can occur from legitimate system admin tools and scripts.

Rule Type

: Advanced Detection

Platform

:

Windows

Additional Reference

: Medium

Date added

: February 2025

Rule Name

: "Base64 Encoded PowerShell Execution of Invoke-Webrequest"

MITRE Techniques

: T1059, T1059.001, T1105, T1071

Description

: This rule detects the execution of a base64 encoded Invoke-Webrequest command via PowerShell. Adversaries will use Invoke-Webrequest to download malicious payloads. False positives though unlikely can occur from legitimate system admin tools and scripts.

Rule Type

: Advanced Detection

Platform

:

Windows

Additional Reference

: Medium

Date added

: February 2025

Rule Name

: "Comprehensive UAC Bypass Detection"

MITRE Techniques

: T1548, T1548.002, T1112, T1059, T1059.001

Description

: This rule detects UAC bypass attempts through registry modifications and PowerShell commands. It combines monitoring for specific registry keys, DelegateExecute, and PowerShell-based manipulations.

Rule Type

: Advanced Detection

Platform

:

Windows

Additional References

: Splunk and Sevagas

Date added

: January 2025

Rule Name

: "AMSI Bypass PowerShell Command Execution"

MITRE Techniques

: T1059, T1059.001, T1562, T1562.001

Description

: This rule detects AMSI bypass through PowerShell by setting amsiInitFailed to true or by removing the registry key in HKLM\Software\Microsoft\AMSI. The Windows Anti-malware Scan Interface (AMSI) is a versatile interface standard that allows applications and services to integrate with any anti-malware product that's present on a device. AMSI provides enhanced malware protection for your end-users and their data, applications, and workloads. Adversaries disable AMSI to avoid possible detection of their malware, tools, and activities. False positives are not likely.

Rule Type

: Advanced Detection

Platform

:

Windows

Additional Reference

: Red Canary (AMSI InitFailed)  and Red Canary (Remove AMSI Provider Reg Key)

Date added

: January 2025