@MHaggis commented Sep 18, 2025

Tagged analytics

detections/endpoint/bitsadmin_download_file.yml — GhostRedirector IIS Module and Rungan Backdoor
detections/endpoint/certutil_with_decode_argument.yml — GhostRedirector IIS Module and Rungan Backdoor
detections/endpoint/cisco_nvm___webserver_download_from_file_sharing_website.yml — GhostRedirector IIS Module and Rungan Backdoor
detections/endpoint/detect_exchange_web_shell.yml — GhostRedirector IIS Module and Rungan Backdoor
detections/endpoint/detect_remote_access_software_usage_file.yml — GhostRedirector IIS Module and Rungan Backdoor
detections/endpoint/detect_remote_access_software_usage_process.yml — GhostRedirector IIS Module and Rungan Backdoor
detections/endpoint/executables_or_script_creation_in_suspicious_path.yml — GhostRedirector IIS Module and Rungan Backdoor
detections/endpoint/headless_browser_mockbin_or_mocky_request.yml — GhostRedirector IIS Module and Rungan Backdoor
detections/web/ivanti_epm_sql_injection_remote_code_execution.yml — GhostRedirector IIS Module and Rungan Backdoor
detections/endpoint/lolbas_with_network_traffic.yml — GhostRedirector IIS Module and Rungan Backdoor
detections/endpoint/malicious_powershell_process___encoded_command.yml — GhostRedirector IIS Module and Rungan Backdoor
detections/endpoint/malicious_powershell_process_with_obfuscation_techniques.yml — GhostRedirector IIS Module and Rungan Backdoor
detections/endpoint/powershell_4104_hunting.yml — GhostRedirector IIS Module and Rungan Backdoor
detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml — GhostRedirector IIS Module and Rungan Backdoor
detections/endpoint/short_lived_windows_accounts.yml — GhostRedirector IIS Module and Rungan Backdoor
detections/web/sql_injection_with_long_urls.yml — GhostRedirector IIS Module and Rungan Backdoor
detections/web/supernova_webshell.yml — GhostRedirector IIS Module and Rungan Backdoor
detections/endpoint/suspicious_curl_network_connection.yml — GhostRedirector IIS Module and Rungan Backdoor
detections/endpoint/suspicious_process_executed_from_container_file.yml — GhostRedirector IIS Module and Rungan Backdoor
detections/endpoint/w3wp_spawning_shell.yml — GhostRedirector IIS Module and Rungan Backdoor
detections/web/web_remote_shellservlet_access.yml — GhostRedirector IIS Module and Rungan Backdoor
detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml — GhostRedirector IIS Module and Rungan Backdoor
detections/endpoint/windows_create_local_account.yml — GhostRedirector IIS Module and Rungan Backdoor
detections/endpoint/windows_create_local_administrator_account_via_net.yml — GhostRedirector IIS Module and Rungan Backdoor
detections/endpoint/windows_curl_download_to_suspicious_path.yml — GhostRedirector IIS Module and Rungan Backdoor
detections/endpoint/windows_file_download_via_powershell.yml — GhostRedirector IIS Module and Rungan Backdoor
detections/endpoint/windows_http_network_communication_from_msiexec.yml — GhostRedirector IIS Module and Rungan Backdoor
detections/endpoint/windows_iis_components_add_new_module.yml — GhostRedirector IIS Module and Rungan Backdoor
detections/endpoint/windows_iis_components_get_webglobalmodule_module_query.yml — GhostRedirector IIS Module and Rungan Backdoor
detections/endpoint/windows_iis_components_new_module_added.yml — GhostRedirector IIS Module and Rungan Backdoor
detections/endpoint/windows_modify_registry_disable_restricted_admin.yml — GhostRedirector IIS Module and Rungan Backdoor
detections/endpoint/windows_obfuscated_files_or_information_via_rar_sfx.yml — GhostRedirector IIS Module and Rungan Backdoor
detections/endpoint/windows_powershell_iis_components_webglobalmodule_usage.yml — GhostRedirector IIS Module and Rungan Backdoor
detections/endpoint/windows_powershell_invoke_sqlcmd_execution.yml — GhostRedirector IIS Module and Rungan Backdoor
detections/endpoint/windows_privilege_escalation_suspicious_process_elevation.yml — GhostRedirector IIS Module and Rungan Backdoor
detections/endpoint/windows_privilege_escalation_user_process_spawn_system_process.yml — GhostRedirector IIS Module and Rungan Backdoor
detections/endpoint/windows_process_execution_from_programdata.yml — GhostRedirector IIS Module and Rungan Backdoor
detections/endpoint/windows_sql_server_xp_cmdshell_config_change.yml — GhostRedirector IIS Module and Rungan Backdoor
detections/endpoint/windows_sqlcmd_execution.yml — GhostRedirector IIS Module and Rungan Backdoor
detections/endpoint/windows_suspicious_child_process_spawned_from_webserver.yml — GhostRedirector IIS Module and Rungan Backdoor
detections/endpoint/windows_suspicious_process_file_path.yml — GhostRedirector IIS Module and Rungan Backdoor

New Story

stories/ghostredirector_iis_module_and_rungan_backdoor.yml — GhostRedirector IIS Module and Rungan Backdoor

@nasbench added this to the v5.15.0 milestone Sep 22, 2025
@patel-bhavin modified the milestones: v5.15.0, v5.16.0 Sep 25, 2025
@patel-bhavin merged commit 3514a3e into develop Sep 29, 2025
4 checks passed
@patel-bhavin deleted the GhostRedirector branch September 29, 2025 19:02