July 15, 2025 – Content Update
We are committed to continuously strengthening security operations for our customers through our innovative DARC Vault fortnightly releases. Just like Microsoft’s Patch Tuesday, the DARC Vault serves as a reliable source for enhanced security content, enabling our users to stay ahead of evolving threats.
Each fortnight, we deliver the latest Out-Of-The-Box (OOTB) content that not only introduces brand-new capabilities but also enhances existing detections. This fortnight, we are excited to announce a significant update focused on Windows and Linux.
Below is a summary of the new additions and improvements:
Summary of Fortnightly Improvements
| Content Type | Action | Count |
| --- | --- | --- |
| Detections | New | 14 |
| Detections | Enhanced | – |
| Dashboards | New | – |
| Reports | New | – |
New Detections
| # | Name | Description |
| --- | --- | --- |
| 1 | Application Installation Detected on Linux System | This use case detects application installation activity on Linux systems by monitoring commands commonly used for software installation and package management. Detecting these events helps identify unauthorized software installations or potential misuse of privileged commands. |
| 2 | Potential Modification of Key Configuration Files | This use case detects potential modifications to critical configuration files on Linux systems, such as /etc/passwd, /etc/shadow, or /etc/ssh/sshd_config. These files govern user authentication, access control, and secure remote access, and any unauthorized change to them could indicate malicious activity. |
| 3 | Binary File Modification Detected in System Paths | This use case detects suspicious changes to binary files in critical directories on Linux systems, such as /bin, /usr/bin, /sbin, or /usr/sbin. These directories contain essential executables, and unauthorized changes could indicate malicious activity, such as attempts to replace legitimate binaries with malicious versions. |
| 4 | Cron Job Modification Detected | This use case monitors modifications to cron jobs, a common persistence mechanism, so that unauthorized changes to scheduled commands can be identified and reviewed. |
| 5 | Application Modification Activity Detected on Linux | This use case detects modification activity related to applications on Linux systems, including updates, upgrades, package removals, and configuration changes. Detecting such modifications is important for identifying unauthorized or suspicious changes to applications, which could indicate a potential compromise or a misconfiguration. |
| 6 | Application Removal Detected on Linux System | This use case detects application deletion activity on Linux systems, focusing on commands related to package removal, file deletion, and uninstallation. Identifying such events is essential for detecting unauthorized or malicious software removal, which could indicate an attempt to erase traces of a compromise. |
| 7 | Forest Blizzard – Suspicious File Creation | This detection identifies suspicious file creation events in the C:\ProgramData directory, where files with uncommon or potentially malicious extensions (e.g., .save, .bat, .dll) are created under folders impersonating legitimate software vendors such as Microsoft, Adobe, Intel, or antivirus vendors. This activity aligns with known tactics used by the Forest Blizzard (APT28) group to establish persistence or stage payloads for execution. |
| 8 | Kalambur RDP Detected | This detection monitors for suspicious process creation events involving curl.exe together with SOCKS proxy usage, a pattern associated with Kalambur RDP activity. |
| 9 | Application Installation Detected on Windows System | This use case detects the installation of applications on Windows systems. It focuses on common installation commands and methods, including MSI installations, PowerShell scripts, and package managers such as Chocolatey (choco) and Windows Package Manager (winget). Detecting unauthorized or unexpected application installations is important for identifying potential security risks or unauthorized software on the system. |
| 10 | Forest Blizzard – Process Creation Activity | This detection identifies suspicious use of schtasks.exe to create or delete scheduled tasks associated with Forest Blizzard (APT28) activity. The group is known to use scheduled tasks with obfuscated names and paths to maintain persistence or execute malicious scripts, often involving servtask.bat, execute.bat, or doit.bat. |
| 11 | Application Modification Activity Detected on Windows | This use case detects application modifications on Windows systems by monitoring processes related to installation, update, or patching activity. Detecting such modifications helps identify unauthorized or suspicious changes to installed applications or software packages. |
| 12 | Application Removal Detected on Windows System | This use case detects the removal of applications on Windows systems by monitoring uninstall commands, file deletions, and registry modifications. Detecting application removal helps identify unauthorized software removal or potential tampering with critical system applications. |
| 13 | Suspicious CrushFTP Child Process | This detection identifies suspicious child processes spawned by the CrushFTP service on Windows systems. After exploiting CrushFTP, attackers commonly execute arbitrary commands by spawning shell interpreters (e.g., bash, cmd, PowerShell) from the CrushFTP service process. |
| 14 | Forest Blizzard JS File Creation | This detection identifies suspicious JavaScript file creation in the Windows DriverStore FileRepository directory, a technique reportedly used by Forest Blizzard (APT28) for post-compromise persistence or further payload execution. |
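To make the logic behind these descriptions concrete, the following Python snippet re-implements four of the detections listed above (#2, #7, #10 and #13) as plain predicate functions and runs them over a handful of constructed sample events. This is an added illustration written for this page, not DARC Vault's own rule content or query language. The event schema (event_type, image, parent_image, command_line, target_path, host), the assumption that the CrushFTP service runs as an image whose name contains "crushftp", and the antivirus vendor names beyond Microsoft, Adobe and Intel are all assumptions that would need to be mapped onto your own Sysmon or auditd normalisation.

```python
"""Illustrative re-implementations of four detections from the table above,
run over constructed sample events.

Added example, not DARC Vault rule logic. The event schema (event_type,
image, parent_image, command_line, target_path, host) is an assumption."""
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]


def _basename(path: str) -> str:
    """Last component of a Windows or POSIX path, lower-cased."""
    return re.split(r"[\\/]", path)[-1].lower()


# Rule 7: Forest Blizzard - suspicious file creation under C:\ProgramData.
# Vendor names other than microsoft/adobe/intel are an assumed placeholder list.
VENDOR_FOLDERS = ("microsoft", "adobe", "intel", "avast", "kaspersky", "eset")
SUSPICIOUS_EXT = (".save", ".bat", ".dll")
PROGRAMDATA_RE = re.compile(r"^c:\\programdata\\([^\\]+)\\.+$", re.I)


def forest_blizzard_file_creation(ev: Event) -> bool:
    if ev.get("event_type") != "file_create":
        return False
    path = ev.get("target_path", "")
    m = PROGRAMDATA_RE.match(path)
    if not m:
        return False
    top_folder = m.group(1).lower()          # folder directly under ProgramData
    name = _basename(path)
    ext = name[name.rfind("."):] if "." in name else ""
    return ext in SUSPICIOUS_EXT and any(v in top_folder for v in VENDOR_FOLDERS)


# Rule 10: Forest Blizzard - schtasks.exe creating/deleting tasks that reference
# the script names from the description. A /delete only matches when the task
# name itself carries one of those names, since /delete takes no /tr argument.
SCHTASKS_SCRIPTS = ("servtask.bat", "execute.bat", "doit.bat")


def forest_blizzard_schtasks(ev: Event) -> bool:
    if ev.get("event_type") != "process_create":
        return False
    if _basename(ev.get("image", "")) != "schtasks.exe":
        return False
    cmd = ev.get("command_line", "").lower()
    action = "/create" in cmd or "/delete" in cmd
    return action and any(s in cmd for s in SCHTASKS_SCRIPTS)


# Rule 13: shell interpreter spawned by the CrushFTP service process.
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe", "bash.exe")


def crushftp_child_process(ev: Event) -> bool:
    if ev.get("event_type") != "process_create":
        return False
    parent = _basename(ev.get("parent_image", ""))   # assumed: contains "crushftp"
    return "crushftp" in parent and _basename(ev.get("image", "")) in SHELLS


# Rule 2: writes to critical Linux configuration files. Editors and `sed -i`
# usually write a temp file and rename it over the target, so rename
# destinations must be checked as well as direct writes.
CRITICAL_FILES = {"/etc/passwd", "/etc/shadow", "/etc/ssh/sshd_config"}


def key_config_modification(ev: Event) -> bool:
    return (ev.get("event_type") in ("file_write", "file_rename")
            and ev.get("target_path") in CRITICAL_FILES)


RULES: Dict[str, Callable[[Event], bool]] = {
    "Forest Blizzard - Suspicious File Creation": forest_blizzard_file_creation,
    "Forest Blizzard - Process Creation Activity": forest_blizzard_schtasks,
    "Suspicious CrushFTP Child Process": crushftp_child_process,
    "Potential Modification of Key Configuration Files": key_config_modification,
}


def run_rules(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (event id, rule name) for every rule that fires on every event."""
    return [(ev["id"], name) for ev in events for name, rule in RULES.items() if rule(ev)]


# Constructed sample events (not real telemetry): three true positives, one
# benign ProgramData write, one benign cmd.exe launch and one benign config write.
SAMPLE_EVENTS: List[Event] = [
    {"id": "1", "host": "WS01", "event_type": "file_create",
     "target_path": r"C:\ProgramData\Microsoft\servtask.bat"},
    {"id": "2", "host": "WS01", "event_type": "file_create",
     "target_path": r"C:\ProgramData\Microsoft\Windows\Caches\cache.dat"},
    {"id": "3", "host": "WS01", "event_type": "process_create",
     "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks /create /tn "Update" /tr "C:\ProgramData\Microsoft\servtask.bat" /sc minute /mo 5'},
    {"id": "4", "host": "FTP01", "event_type": "process_create",
     "parent_image": r"C:\Program Files\CrushFTP11\CrushFTP.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c whoami"},
    {"id": "5", "host": "FTP01", "event_type": "process_create",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe"},
    {"id": "6", "host": "lnx01", "event_type": "file_rename", "target_path": "/etc/passwd"},
    {"id": "7", "host": "lnx01", "event_type": "file_write", "target_path": "/etc/hostname"},
]

if __name__ == "__main__":
    for event_id, rule_name in run_rules(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule_name}")
```

Running it reports hits only for events 1, 3, 4 and 6. The two design points worth carrying into a real rule are visible in the code: the ProgramData rule keys on the folder directly under C:\ProgramData together with the file extension, so a benign cache file in a Microsoft folder does not fire, and the configuration-file rule watches rename destinations as well as writes, because most editors replace /etc/passwd atomically rather than writing it in place.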
