Identifying unauthorized access to sensitive data—especially passwords—remains a critical concern for cybersecurity teams. When such access happens through legitimate tools like Notepad, visibility becomes a challenge. But with Uncoder AI’s Full Summary feature, security analysts can immediately understand the logic behind detection rules targeting exactly that type of threat. Explore Uncoder AI In a recent […]
Monitoring remote file transfer utilities like rsync is essential in detecting stealthy lateral movement or data exfiltration across Unix-based environments. But not all rsync usage is equal. In some cases, it can silently launch shell processes under the hood—making threat detection harder for defenders. That’s where Uncoder AI’s Full Summary becomes invaluable. When used alongside […]
As attackers become more creative in bypassing traditional network defenses, analysts need fast, clear insight into the logic behind complex detection rules. That’s where Uncoder AI’s Full Summary feature becomes a game-changer—especially for teams working with Palo Alto Cortex XSIAM Query Language (XQL). In a recent use case, Uncoder AI helped threat hunters break down […]
Adversaries frequently repurpose trusted tools like curl.exe to tunnel traffic through SOCKS proxies and even reach .onion domains. Whether it’s for data exfiltration or command-and-control communication, such activity often flies under the radar—unless you’re explicitly detecting for it. This is exactly what CrowdStrike Endpoint Security Query Language allows teams to do. But when logic grows […]
When attackers repurpose legitimate binaries like curl.exe to tunnel through SOCKS proxies and access .onion domains, it poses a major visibility gap for defenders. These behaviors can signal C2 activity, data staging, or use of a backdoor like Kalambur. VMware Carbon Black allows you to detect these patterns with detailed command-line monitoring, but parsing the […]
Loading legitimate system drivers from illegitimate or suspicious directories is a known tactic for persistence, evasion, or execution by adversaries. One high-value target in this category is clfs.sys — a legitimate Windows driver tied to the Common Log File System. To detect this activity, Microsoft Defender for Endpoint supports advanced KQL-based detection logic. But to […]
Potentially Unwanted Applications (PUAs) like NimScan are increasingly used by adversaries during the reconnaissance phase to map open ports or identify network assets. Detecting their execution early is key—but doing so with hash-based or path-based rules in Cortex XQL can result in logic that’s functional, but hard to interpret quickly. Uncoder AI’s AI-generated Decision Tree […]
When malware like the Kalambur backdoor leverages native tools like curl.exe to route traffic through TOR, defenders need visibility at the process and command-line level. But in tools like Microsoft Sentinel, queries for such activity—written in Kusto Query Language (KQL)—can quickly grow difficult to interpret. That’s where Uncoder AI’s AI-generated Decision Tree delivers immediate value. […]
One of the more advanced tactics in attacker playbooks is tampering with event log configurations to erase traces of compromise. Detecting such attempts via Windows Registry modifications is complex—often involving detailed Splunk queries that filter by registry keys and permissions. To quickly make sense of these queries, analysts are turning to Uncoder AI’s AI-generated Decision […]
CrushFTP is a popular file transfer application, but in the wrong hands, it can become a stealthy foothold for lateral movement. A process like crushftpservice.exe spawning common Windows binaries such as cmd.exe , powershell.exe , or wscript.exe often signals that something deeper is at play. This is exactly the scenario where detection rules written in […]