Detection Ideas
All detection suggestions across threat briefs. Library-matched detections have ready-to-deploy Vega rules.
Detect browser redirects from ad networks to exploit kits or malware delivery pages
Detect SEO-poisoned results by monitoring for sponsored ad clicks leading to newly registered or typosquatted domains
Detect clipboard-to-terminal paste operations containing encoded or obfuscated commands
Track user clicks on URLs that redirect through multiple domains before payload delivery
Flag suspicious PowerShell execution — encoded commands, download cradles, or AMSI bypass
Detect AppleScript execution spawned by non-standard parent processes
Alert on command-line arguments using character substitution, escape sequences, or encoding
Flag mshta.exe executing content from remote URLs or with obfuscated arguments
Alert on processes accessing browser credential stores, cookies, or session databases
Detect extraction of web session cookies from browser processes or profile directories
Detect file downloads via certutil, bitsadmin, curl, or PowerShell from external URLs
Monitor for C2 communication over HTTP/HTTPS to uncommon or newly registered domains
Detect impersonation of trusted entities in communications or account registrations
Flag processes decoding or deobfuscating data using certutil, base64, or XOR operations
Detect reconnaissance phishing emails that solicit credentials or technical information without delivering payloads
Alert on reported vishing attempts impersonating IT help desks — correlate with subsequent password resets
Detect phishing attempts via email link analysis and sender reputation scoring
Monitor third-party vendor access for unusual activity patterns or access outside normal business hours
Detect logins from valid accounts originating from unusual locations, devices, or at abnormal times
Alert on domain account usage from unexpected hosts or concurrent sessions in different geolocations
Monitor for user-initiated execution of untrusted content from email or web downloads
Monitor for new MFA device registrations, especially shortly after password resets or from untrusted devices
Detect forged SAML tokens or web credentials used from IPs not associated with the identity provider
Alert on creation of new accounts, especially those immediately granted privileged roles
Monitor for modifications to domain trust relationships or federation configurations in identity providers
Detect rapid MFA push notification generation — high-frequency prompts indicate push bombing attacks
Alert on processes reading credential files, environment variables, or configuration stores
Monitor for unauthorized access to SSH keys, certificates, and private key material
Monitor for installation or execution of remote access tools not approved in your environment
Detect traffic routing through proxy services, VPNs, or residential proxy networks not sanctioned by the organization
Monitor access to cloud service dashboards from unusual IPs or newly provisioned accounts
Alert on creation of new cloud compute instances, especially in regions not typically used by the organization
Detect lateral movement via cloud services — unusual API calls or console logins across accounts
Monitor for enumeration of Active Directory, DNS, or cloud resource inventory from non-admin workstations
Detect broad file system enumeration or searching across SharePoint, code repos, and internal wikis
Alert on bulk extraction of browser bookmarks, history, or saved passwords from endpoints
Monitor for mass download or enumeration of SharePoint documents and site collections
Detect cloning or bulk access to internal code repositories from unfamiliar hosts or service accounts
Alert on creation of staging directories or archives consolidating data before exfiltration
Monitor for unusual access patterns to cloud storage — bulk downloads, new access keys, or cross-account access
Detect mass email exports, mailbox delegation changes, or forwarding rules to external addresses
Monitor for large outbound data transfers to web services such as MEGA, Dropbox, or cloud storage APIs
Alert on uploads to cloud storage services from servers or workstations that typically do not perform such transfers
Detect mass file encryption patterns — high-frequency file writes with entropy changes
Alert on unauthorized financial transactions or changes to payment configurations
Detect tampered release artifacts, force-pushed tags, or unauthorized package publications in CI/CD
Detect data exfiltration to code repositories via automated commits or release uploads
Identify suspicious archive creation before potential exfiltration
Detect executables masquerading as legitimate system files in non-standard directories
Detect reflective DLL injection or in-memory assembly loading without disk writes
Monitor cmd.exe for obfuscated commands or unusual parent-child process chains
Alert on deletion of log files, scripts, or artifacts immediately after execution
Alert on remote WMI execution or WMI event subscriptions from non-admin accounts
Detect DNS queries to algorithmically generated domain names
Alert when users execute files downloaded from the internet lacking Mark-of-the-Web
Monitor for sandbox evasion checks — VM detection, timing analysis, environment fingerprinting
Monitor signed Windows binaries used to proxy execution of untrusted code (LOLBins)
Alert on execution that checks for specific environment conditions before proceeding
Monitor for tampering with security tools — service stops, driver unloads, or config changes
Flag heavily obfuscated scripts or binaries with high entropy content
Detect encrypted C2 channels using non-standard certificates or pinned connections
Detect payloads hidden in image files via steganography — look for image downloads followed by script execution
Flag network traffic using protocol impersonation to disguise C2 communications
Detect malware resolving C2 addresses from public web services (pastebins, calendars, DNS TXT)
Alert on credential dumping via LSASS access, SAM registry reads, or DCSync
Monitor critical registry modifications that weaken security controls
Detect deletion of volume shadow copies or disabling of backup services
Flag enumeration of domain accounts, groups, or trust relationships
Monitor public-facing services for exploitation patterns — unusual POST bodies, deserialization payloads
Flag outbound data transfers to webhook endpoints from servers or CI runners
Detect traffic routing through multiple proxy hops or anonymization networks
Baseline normal scripting interpreter usage and alert on deviations
Monitor software supply chain for unauthorized modifications to build pipelines or package registries
Monitor for services created or modified to execute payloads
Detect clearing of Windows Event Logs or selective event deletion
Detect enumeration of attached peripheral devices or removable media
Alert on ESXi administrative commands executed outside of normal change windows
Detect Python scripts executing from non-standard locations or with network activity
Monitor for creation of scheduled tasks or cron jobs by non-administrative users
Monitor for files that bypass Mark-of-the-Web protections via container formats or ADS manipulation
Flag suspicious links in messages that impersonate legitimate services or internal tools
Scan inbound emails for malicious attachments using sandboxing and content analysis
Monitor for JavaScript execution outside of browsers, particularly via wscript or cscript
Detect compiled HTML files (.chm) executing scripts or spawning child processes