Tag: Uncoder AI

Enhancing Cortex XQL Threat Detection with Full Summary in Uncoder AI

As attackers become more creative in bypassing traditional network defenses, analysts need fast, clear insight into the logic behind complex detection rules. That’s where Uncoder AI’s Full Summary feature becomes a game-changer—especially for teams working with Palo Alto Cortex XSIAM Query Language (XQL). In a recent use case, Uncoder AI helped threat hunters break down […]

Visualizing Malicious curl Proxy Activity in CrowdStrike with Uncoder AI

Adversaries frequently repurpose trusted tools like curl.exe to tunnel traffic through SOCKS proxies and even reach .onion domains. Whether it’s for data exfiltration or command-and-control communication, such activity often flies under the radar—unless you’re explicitly detecting for it. This is exactly what CrowdStrike Endpoint Security Query Language allows teams to do. But when logic grows […]

Detecting Covert curl Usage with Uncoder AI’s Decision Tree in Carbon Black

When attackers repurpose legitimate binaries like curl.exe to tunnel through SOCKS proxies and access .onion domains, it poses a major visibility gap for defenders. These behaviors can signal C2 activity, data staging, or use of a backdoor like Kalambur. VMware Carbon Black allows you to detect these patterns with detailed command-line monitoring, but parsing the […]

Visualizing clfs.sys Threat Activity in Microsoft Defender with Uncoder AI’s Decision Tree

Loading legitimate system drivers from illegitimate or suspicious directories is a known tactic for persistence, evasion, or execution by adversaries. One high-value target in this category is clfs.sys — a legitimate Windows driver tied to the Common Log File System. To detect this activity, Microsoft Defender for Endpoint supports advanced KQL-based detection logic. But to […]

Detecting NimScan Execution with Uncoder AI’s Decision Tree for Cortex XQL

Potentially Unwanted Applications (PUAs) like NimScan are increasingly used by adversaries during the reconnaissance phase to map open ports or identify network assets. Detecting their execution early is key—but doing so with hash-based or path-based rules in Cortex XQL can result in logic that’s functional, but hard to interpret quickly. Uncoder AI’s AI-generated Decision Tree […]

Detecting Covert TOR Access in Microsoft Sentinel with Uncoder AI’s Decision Tree

When malware like the Kalambur backdoor leverages native tools like curl.exe to route traffic through TOR, defenders need visibility at the process and command-line level. But in tools like Microsoft Sentinel, queries for such activity—written in Kusto Query Language (KQL)—can quickly grow difficult to interpret. That’s where Uncoder AI’s AI-generated Decision Tree delivers immediate value. […]

Exposing Event Log Tampering with Uncoder AI’s AI Decision Tree for Splunk Queries

One of the more advanced tactics in attacker playbooks is tampering with event log configurations to erase traces of compromise. Detecting such attempts via Windows Registry modifications is complex—often involving detailed Splunk queries that filter by registry keys and permissions. To quickly make sense of these queries, analysts are turning to Uncoder AI’s AI-generated Decision […]

CrowdStrike Child Process Detection Enhanced by Uncoder AI’s Short Summary

CrushFTP is a popular file transfer application, but in the wrong hands, it can become a stealthy foothold for lateral movement. A process like crushftpservice.exe spawning common Windows binaries such as cmd.exe, powershell.exe, or wscript.exe often signals that something deeper is at play. This is exactly the scenario where detection rules written in […]

Exposing Suspicious Scripting via CrushFTP with Uncoder AI in Microsoft Defender

File transfer services like CrushFTP are critical for business operations—but they can also be leveraged as stealthy launchpads for post-exploitation activity. When a server process such as crushftpservice.exe spawns command-line interpreters like powershell.exe, cmd.exe, or bash.exe, it may signal that an attacker is executing commands or deploying payloads under the radar. In […]

Detecting Suspicious LNK Whitespace Obfuscation in Carbon Black with Uncoder AI

In modern cyberattacks, attackers rely not only on payloads but also on clever evasion techniques. One of the most subtle methods? Whitespace padding in command-line arguments—a tactic often used to obscure malicious behavior and throw off static detection. A recent VMware Carbon Black Cloud Query leverages this concept to detect suspicious .lnk file execution chains. […]
