October 28, 2025 – Content Update
We are committed to continuously strengthening security operations for our customers through our innovative DARC Vault monthly releases. Much like Microsoft’s Patch Tuesday, the DARC Vault acts as a consistent and reliable source of enhanced security content, empowering users to stay ahead of evolving threats with fresh detections every month.
Each month, we deliver the latest Out-Of-The-Box (OOTB) content that not only introduces brand-new capabilities but also enhances existing detections. This fortnight, we are excited to announce a significant update focused on Windows, Linux, Azure, and General Threat Hunting.
Below is a summary of the new additions and improvements:
Summary of Fortnightly Improvements
| Content Type | Actions | Count |
|---|---|---|
| Detections | New | 59 |
| | Enhanced | – |
| Dashboards | New | – |
| Reports | New | – |
New Detections
| # | Name | Description |
|---|---|---|
| 1 | SSH Enable on ESXi Host via VIM-CMD | SSH enabled on ESXi Host via VIM-CMD command execution. |
| 2 | Potential Hex-Encoded Payload Execution via Command Line | Potential Hex-Encoded Payload Execution via Command Line detected and under investigation. |
| 3 | Suspicious Process Spawned by kthreadd | Suspicious Process Spawned by kthreadd under investigation. |
| 4 | Binary File Modification Detected in System Paths | Investigating suspicious binary file changes involving critical commands. |
| 5 | Unusual LD_PRELOAD/LD_LIBRARY_PATH Command Line Arguments | Detects unusual LD_PRELOAD or LD_LIBRARY_PATH command line arguments in executed processes. |
| 6 | Suspicious SSH Daemon Remote Port Forwarding Detected | Suspicious SSH Daemon Remote Port Forwarding detected on various platforms. |
| 7 | Potential Data Exfiltration Through Curl | Potential data exfiltration via curl command with specific flags and patterns. |
| 8 | Hex Encoding-Decoding Activity | This detection rule identifies activities where hex encoding/decoding tools like hexdump, od, or xxd are used. These tools are commonly utilized to analyze or modify binary data, and in some cases could indicate malicious actions such as the preparation of obfuscated data for exfiltration. |
| 9 | Suspicious SUDO PASSWD Command Execution | Investigating suspicious SUDO PASSWD command execution on various platforms. |
| 10 | DNS Queries to trycloudflare with Fast-Flux Patterns | DNS Queries to trycloudflare with Fast-Flux Patterns under investigation. |
| 11 | High-Risk Domain TLDs Threat Intelligence Monitoring | High-Risk Domain TLDs Threat Intelligence Monitoring under investigation. Monitoring domains with risky TLDs. |
| 12 | Detection of Android Banking Malware Anatsa C2 Communications | Detection of Android Banking Malware Anatsa C2 Communications under investigation. |
| 13 | Detection of CVE-2025-53770 Exploitation Attempt – POST to ToolPane aspx | Detection of CVE-2025-53770 Exploitation Attempt – POST to ToolPane aspx under investigation. |
| 14 | Detect Access and Modification of BitLocker CLSID Key | Detect access and modification of BitLocker CLSID Key in Windows registry. |
| 15 | Windows System Shutdown or Unexpected Shutdown by Non-System Users | Investigating unexpected Windows system shutdowns by non-system users. |
| 16 | Scheduled Task Deletion – Updater | Scheduled Task Deletion – Updater under investigation. Detects deletion of scheduled tasks named ‘Updater’. |
| 17 | Rhadamanthys – Suspicious Dropper File Creation | Rhadamanthys – Suspicious Dropper File Creation under investigation. |
| 18 | Potential Host Escape via Cgroup Release Agent-CVE_2022_0492 | Investigating potential host escape via Cgroup release agent (CVE-2022-0492). |
| 19 | Creation or Access of spinstall0 aspx Web Shell | Detection of CVE-2025-53770 Exploitation Attempt – Creation or Access of spinstall0 aspx Web Shell under investigation. |
| 20 | Executable File Creation with Multiple Extensions | Executable File Creation with Multiple Extensions under investigation. |
| 21 | Detection of Windows Defender Driver Unloading | Detection of Windows Defender Driver Unloading under investigation. |
| 22 | Suspicious DLL Loads for BOF Dynamic API Resolution | Suspicious DLL Loads for BOF Dynamic API Resolution under investigation. |
| 23 | Windows Gather Victim Network Info Through IP Check Web Services | Windows Gather Victim Network Info Through IP Check Web Services under investigation. |
| 24 | Remote File Download via PowerShell | Detects potentially malicious remote file download activity executed via PowerShell |
| 25 | Program Files Directory Masquerading | Program Files Directory Masquerading under investigation. This attack involves hiding malicious files in legitimate directories. |
| 26 | Suspicious Browser Child Process Creation | Suspicious Browser Child Process Creation under investigation. |
| 27 | Suspicious Userinit Child Process | Investigating suspicious child processes of userinit.exe excluding known safe processes. |
| 28 | PHP Execution from Non-Standard Path | Detects PHP execution from non-standard paths to identify potential masquerading attacks. |
| 29 | Suspicious LSASS Access via Direct Syscalls – SysWhispers Behavior | Suspicious LSASS Access via Direct Syscalls – SysWhispers Behavior under investigation. |
| 30 | Potential PrintNightmare Exploitation via Spoolsv Access | Potential PrintNightmare Exploitation via Spoolsv Access under investigation. |
| 31 | Detect Credential Dumping through LSASS access | This detection identifies suspicious access to the LSASS (Local Security Authority Subsystem Service) process, which is commonly targeted by attackers to extract credentials stored in memory. Unauthorized access to LSASS is a key indicator of credential dumping attempts using tools like Mimikatz, procdump, and others. |
| 32 | Cryptocurrency Miner Process Execution | Cryptocurrency Miner Process Execution detected via process creation and command line patterns. |
| 33 | Proxy Execution via Console Window Host | Investigating Proxy Execution via Console Window Host on Windows platforms. |
| 34 | Unusual Web Config File Access | Investigating unusual access to web config files. |
| 35 | Suspicious WMI Event Subscription Created | Suspicious WMI Event Subscription Created under investigation. Detects malicious WMI event subscriptions. |
| 36 | Script Execution via Microsoft HTML Application | Script Execution via Microsoft HTML Application under investigation. |
| 37 | Hidden PowerShell Execution with Suspicious Flags | Hidden PowerShell Execution with Suspicious Flags detected. Investigating potential malicious activity. |
| 38 | Suspicious Process Access via Direct Syscalls – SysWhispers Behavior | Suspicious Process Access via Direct Syscalls – SysWhispers Behavior under investigation. |
| 39 | Suspicious Remote Process Access by BOF | Suspicious Remote Process Access by BOF under investigation. |
| 40 | LittleCorporal Maldoc Injection | LittleCorporal Maldoc Injection involves process injection via Office apps and memory manipulation. |
| 41 | Potential File Transfer via Curl | Potential File Transfer via Curl under investigation. Detects suspicious curl usage. |
| 42 | Renamed Automation Script Interpreter | Renamed Automation Script Interpreter under investigation. |
| 43 | Credential Dumping Activity By Python Based Tool | Credential Dumping Activity By Python Based Tool under investigation. |
| 44 | UAC Bypass via WOW64 Logger DLL Hijack | UAC Bypass via WOW64 Logger DLL Hijack under investigation. |
| 45 | Suspicious Svchost Process Access via MSBuild | Suspicious Svchost Process Access via MSBuild under investigation. |
| 46 | Potential CobaltStrike BOF Injection via CallTrace Pattern | Potential CobaltStrike BOF Injection via CallTrace Pattern under investigation. |
| 47 | Application Installation Detected on Windows System | Investigating application installations on Windows using specific command patterns. |
| 48 | Potential Suspicious Mofcomp Execution | Potential Suspicious Mofcomp Execution under investigation. |
| 49 | Suspicious Scripting in a WMI Consumer | Suspicious scripting in WMI Consumer detected. Investigating potential malicious scripting activities. |
| 50 | Execution via Windows Command Debugging Utility | Investigating execution via Windows Command Debugging Utility using cdb.exe. |
| 51 | Detection of Remote Registry Service Enablement | Detection of Remote Registry Service Enablement under investigation. |
| 52 | Persistence via WMI Standard Registry Provider | Investigating persistence via WMI Standard Registry Provider. |
| 53 | Code Signing Policy Modification Through Registry | Investigating Code Signing Policy Modification through registry changes. |
| 54 | PowerShell Script Block Logging Disabled | Investigating PowerShell Script Block Logging Disabled attack on Windows systems. |
| 55 | Suspicious Certificate Authentication | Investigating suspicious certificate authentication using Kerberos ticket requests. |
| 56 | High Volume Cloud Storage Uploads Monitoring | Monitoring high volume cloud storage uploads excluding OneDrive. |
| 57 | Azure Key Vault Modified | This detection identifies modifications to an Azure Key Vault, such as changes to access policies, network settings, or other configurations. Azure Key Vault is used to store sensitive information like encryption keys, secrets, and certificates. Unauthorized modifications may indicate an attempt to weaken security controls, exfiltrate sensitive data, or establish persistence. Analysts should verify if the change was expected, review the associated user or service principal, and check for privilege escalation or unauthorized access. |
| 58 | Successful User Removed from Windows Group | Successful User Removed from Windows Group under investigation. |
| 59 | Office 365 Successful Logins Outside of Expected Geolocations | Office 365 Successful Logins Outside of Expected Geolocations under investigation. |
