August 20, 2025 – Content Update

We are committed to continuously strengthening security operations for our customers through our innovative DARC Vault monthly releases. Much like Microsoft’s Patch Tuesday, the DARC Vault acts as a consistent and reliable source of enhanced security content, empowering users to stay ahead of evolving threats with fresh detections every month.
Each month, we deliver the latest Out-Of-The-Box (OOTB) content that not only introduces brand-new capabilities but also enhances existing detections. This fortnight, we are excited to announce a significant update focused on Windows, Linux, MSSQL, and Active Directory.

Below is a summary of the new additions and improvements:

Summary of Fortnightly Improvements

Content Type | Actions  | Count
Detections   | New      | 27
Detections   | Enhanced |
Dashboards   | New      |
Reports      | New      | 2

New Detections

1. Potential Command Execution via MSSQL xp_cmdshell: Detects potential execution of the `xp_cmdshell` stored procedure in MSSQL, which allows operating system commands to be run directly from SQL queries. This functionality is often abused by attackers for command execution or lateral movement.
2. Failed MSSQL Logon Attempt from Public IP: Detects multiple failed MSSQL login attempts originating from a public IP address within a short period, which may indicate brute-force attempts or external reconnaissance.
3. MSSQL xp_cmdshell Configuration Change Detected: Detects a potential configuration change to the `xp_cmdshell` feature in MSSQL, which enables or disables command shell execution from within SQL queries. Attackers may enable this feature to escalate privileges or execute system commands.
4. MSSQL User Account Added to Sysadmin Role: Detects when a user account is added to the `sysadmin` server role in MSSQL. Attackers may abuse this action to escalate privileges and gain administrative access to the database server.
5. Stored Procedure Set to Auto-Execute on SQL Startup: Detects the use of `sp_procoption` in MSSQL, which configures a stored procedure to execute automatically every time SQL Server starts. Attackers may abuse this feature to maintain persistence within the database environment.
6. Failed Login Attempt by User to MSSQL Server: Detects multiple consecutive failed login attempts by a user account to the MSSQL server, which may indicate brute-force attempts or misuse of credentials.
7. DROP or ALTER Command Executed on MSSQL DB: Detects potential data destruction or unauthorized schema modifications in MSSQL by monitoring for execution of `DROP`, `TRUNCATE`, or `ALTER` commands against tables or databases. If misused, these commands can lead to data loss or compromise the integrity of the database environment.
8. Audit Log Tampering using ALTER or DROP in MSSQL: Detects potential tampering with MSSQL audit logs through the execution of `ALTER` or `DROP` statements targeting server audits. Attackers may alter or remove audit records to hide unauthorized activity.
9. Communication To Ngrok Tunneling Service: Flags network connections to the Ngrok tunneling service for investigation.
10. Linux Reverse Shell Indicator: Flags indicators of a Linux reverse shell for investigation as unauthorized network connections.
11. Communication To LocaltoNet Tunneling Service Initiated: Flags communication to the LocaltoNet tunneling service for investigation.
12. Katz Stealer DLL Loaded: Flags the loading of a Katz Stealer DLL for investigation; detects malicious DLLs loaded into processes.
13. DNS Query To Katz Stealer Domains: Flags DNS queries to Katz Stealer domains for investigation.
14. Network Query To Katz Stealer Domains: Flags network queries to Katz Stealer domains for investigation.
15. HKTL – SharpSuccessor Privilege Escalation Tool Execution: Detects the execution of SharpSuccessor, a tool used to exploit the BadSuccessor vulnerability for local privilege escalation in Windows Server 2025 Active Directory environments. This tool allows an attacker to impersonate other users and potentially gain domain admin privileges by abusing specific AD mechanisms.
16. Manual Memory Dumping via Proc Filesystem: Flags manual memory dumping via the proc filesystem for investigation.
17. Suspicious Kernel Feature Activity: Detects suspicious kernel feature activity via process execution and command-line patterns.
18. Suspicious Driver Creation Outside Standard Paths: Detects the creation of `.sys` driver files outside of standard Windows driver directories, which may indicate malicious or unauthorized driver installation.
19. Potential Malicious DNS Query Indicating Kerberos Coercion Detected: Flags potentially malicious DNS queries indicating Kerberos coercion for investigation.
20. Attempts of Kerberos Coercion Via DNS SPN Spoofing: Detects suspicious process creation patterns associated with Kerberos coercion techniques that leverage DNS SPN spoofing to trigger authentication attempts.
21. Known Vulnerable Driver Load Attempt Detected: Detects attempts to load known vulnerable drivers.
22. Potential Driver Load with Suspicious Signature Status Detected: Flags potential driver loads with a suspicious signature status for investigation.
23. Potential Malicious Modification of AD Certificate Services Detected: Flags potentially malicious modification of AD Certificate Services for investigation.
24. Potential Kernel-Mode Driver Installation Detected: Flags potential kernel-mode driver installation for investigation.
25. Kerberos Coercion Attempt via Encoded SPN on DnsNode: Flags Kerberos coercion attempts via an encoded SPN on DnsNode for investigation.
26. Potential Self-Signed Root Certificate Installation Detected: Flags potential installation of a self-signed root certificate for investigation.
27. Azure External Guest User Invitation: Flags successful invitations of external guest users in Azure for investigation.

New Reports

1. Active Directory Policy Changes
2. Active Directory Security Insights