Detection rules for tracked tradecraft

Detects a process opening the Security Account Manager (SAM) hive through a Volume Shadow Copy path. This is the heart of BlueHammer (CVE-2026-32201) and the post-BlueHammer Defender LPE drops (RedSun, UnDefend, YellowKey, GreenPlasma) released by the "Chaotic Eclipse / Nightmare-Eclipse" persona in April-May 2026: the exploit baits Windows Defender into creating a VSS snapshot and exposing it before acquiring exclusive control, then reads `\Device\HarddiskVolumeShadowCopyN\Windows\System32\config\SAM` from a low-privilege context to lift the local Administrator NTLM hash. The same primitive is generalisable to any SAM-via-VSS credential-dumping technique (T1003.002 + T1006), regardless of the bug feeding into it. Filter on subject: only lsass.exe, services.exe, and signed Microsoft Defender / backup binaries have a legitimate reason to read the SAM hive out of a shadow copy. Anything else firing this rule is high-signal.

Detects EventID 4624 (logon type 10, RemoteInteractive) where the source workstation is internal but not one of the org's allow-listed administrator jump hosts. State-sponsored intrusion sets (APT29, APT40) routinely use legitimate RDP after credential theft instead of dropping additional tooling. Tune the allowlist to your environment's actual admin source set.

Detects sequential invocation of native Windows discovery binaries — the living-off-the-land pattern characteristic of Volt Typhoon (CISA AA24-038A). Volt Typhoon avoids dropping tooling and instead chains netsh / wmic / ldifde / ntdsutil to enumerate the environment.

Detects an interactive Azure AD sign-in where Microsoft Identity Protection flagged the IP as anonymous/Tor and the session risk is high. APT29 (Midnight Blizzard) has repeatedly used residential proxies and anonymizers for password-spray and OAuth-token replay; APT33 (Peach Sandstorm) ran large-scale password-spray against tenants with similar telemetry.

Detects "Update application – Certificates and secrets management" audit events that add credentials to an existing service principal or application. This is the persistence pattern Microsoft documented after the 2024 Midnight Blizzard intrusion into their corporate tenant (APT29 / NOBELIUM). Investigation is warranted whenever a newly added credential is followed by Graph API consumption from a new IP.

Detects a burst of EventID 4625 failed logons (LogonType 3 or 10) from a single external IP, followed within minutes by a successful EventID 4624 from the same IP. APT28 (Forest Blizzard) and Akira affiliates both rely on internet-exposed RDP / VPN as the initial-access foothold.

Detects user-agents and request paths characteristic of mass-exploit campaigns against internet-exposed appliances. The MOVEit CVE-2023-34362 (Cl0p) and Fortinet / Ivanti zero-day campaigns (APT40, Akira) all left recognizable user-agent + path fingerprints in WAF and proxy logs.

Detects mshta.exe spawning powershell.exe or cmd.exe as a child process — a long-running MuddyWater (MERCURY / Mango Sandstorm) initial-execution pattern observed in CISA AA22-055A and follow-on reporting. Legitimate mshta usage almost never chains into a scripting interpreter.

Detects a single process renaming a high count of files in a short window to extensions associated with cataloged ransomware brands. Designed as a last-line behavioral detection — if this fires, encryption is already underway and isolation is the response.

Detects the canonical pre-encryption pattern: deletion of Volume Shadow Copies via vssadmin.exe, wmic shadowcopy delete, or a diskshadow script. Every cataloged ransomware brand (LockBit, ALPHV/BlackCat, Akira, Play, Cl0p) executes this step before encryption to prevent rollback.

Detects the request signature emitted by NoName057(16)'s DDoSia client — short randomized paths, no Referer, missing or rotating User-Agent — hitting a single host above a per-source rate threshold. Useful as an early warning when DDoSia adds your domain to its target list (published in their public Telegram channel) before bot volume saturates upstream defenses.

Detects an Okta admin event that resets a user's MFA factor (admin.user .mfa.factor.reset_all) immediately followed by an interactive sign-in from a country the user has not signed in from in the last 30 days. This is the core Scattered Spider tradecraft (UNC3944 / Octo Tempest) documented in CISA AA23-320A. Help-desk staff are voice-phished into performing the reset, then the operator signs in within minutes.

Detects DNS resolution of cloud-storage and paste-service domains commonly used as ransomware exfiltration channels (mega.nz, anonfiles, transfer.sh, bashupload, gofile, etc.), combined with a session whose egress byte count exceeds a tunable threshold. The MOVEit-era Cl0p campaign and most Akira affiliate operations exfiltrate via these paths before encrypting.