Detects execution of 7z in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.

Read More

Detects a suspicious copy command to or from an Admin share or remote

Read More

Detects execution of WinRAR in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.

Read More

Detects a suspicious winrar execution in a folder which is not the default installation folder

Read More

Detects loading of "credui.dll" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of "CredUIPromptForCredentials" or "CredUnPackAuthenticationBufferW".

Read More

The psr.exe captures desktop screenshots and saves them on the local machine

Read More

Detects a command used by conti to exfiltrate NTDS

Read More

Detects a command used by conti to dump database

Read More

A General detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents.

Read More

Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration

Read More

Detects potentially suspicious SQL queries using SQLCmd targeting the Veeam backup databases in order to steal information.

Read More

Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database). Used to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens.

Read More

Detects audio capture via PowerShell Cmdlet.

Read More

Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27

Read More

An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities

Read More

Detects usage of 7zip utilities (7z.exe, 7za.exe and 7zr.exe) to extract password protected zip files.

Read More

Detect attacker collecting audio via SoundRecorder application.

Read More

An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities

Read More

Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions.

Read More

Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration

Read More

Detects processes loading "System.Drawing.ni.dll". This could be an indicator of potential Screen Capture.

Read More

Detects the execution of clip.exe in order to copy data to the clipboard. Adversaries may collect data stored in the clipboard from users copying information within or between applications.

Read More

Once established within a system or network, an adversary may use automated techniques for collecting internal data.

Read More

In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents.

Read More

Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc

Read More

Detects dump of credentials in VeeamBackup dbo

Read More

Detects usage of the 'Get-Clipboard' cmdlet via CLI

Read More

A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runners configurations in the environment. The self-hosted runner configuration changes once detected, it should be validated from GitHub UI because the log entry may not provide full context.

Read More

Detects usage of "rar" to add files to an archive for potential compression. An adversary may compress data (e.g. sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.

Read More

Detects execution of renamed Remote Utilities (RURAT) via Product PE header field

Read More

Detects URL pattern used by iOS Implant

Read More

Detects PowerShell scripts that contains reference to keystroke capturing functions

Read More

Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows

Read More

Detects possible collection of data from the clipboard via execution of the osascript binary

Read More

Detects delete action in the Github audit logs for codespaces, environment, project and repo.

Read More

Detects when an organization member or an outside collaborator is added to or removed from a project board or has their permission level changed or when an owner removes an outside collaborator from an organization or when two-factor authentication is required in an organization and an outside collaborator does not use 2FA or disables 2FA.

Read More

Detects BGP failures which may be indicative of brute force attacks to manipulate routing

Read More

Detects BGP failures which may be indicative of brute force attacks to manipulate routing.

Read More

Detects juniper BGP missing MD5 digest. Which may be indicative of brute force attacks to manipulate routing.

Read More

Detect usage of the "sqlite" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.

Read More

Detect usage of the "sqlite" binary to query databases in Chromium-based browsers for potential data stealing.

Read More

Once established within a system or network, an adversary may use automated techniques for collecting internal data.

Read More

Detects LDP failures which may be indicative of brute force attacks to manipulate MPLS labels

Read More

Detects attempts to record audio with arecord utility

Read More

Detects attempts to collect image data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.

Read More

Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.

Read More

Detects adversary creating screen capture of a desktop with Import Tool. Highly recommended using rule on servers, due to high usage of screenshot utilities on user workstations. ImageMagick must be installed.

Read More

Detects adversary creating screen capture of a full with xwd. Highly recommended using rule on servers, due high usage of screenshot utilities on user workstations

Read More

Collect pertinent data from the configuration files

Read More

Various protocols maybe used to put data on the device for exfil or infil

Read More

Once established within a system or network, an adversary may use automated techniques for collecting internal data.

Read More

Adversaries may log user keystrokes to intercept credentials as the user types them.

Read More

Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a users local system, such as Outlook storage or cache files.

Read More

Once established within a system or network, an adversary may use automated techniques for collecting internal data

Read More

Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations

Read More

Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration

Read More

Detects known sensitive file extensions accessed on a network share

Read More

Detects known sensitive file extensions via Zeek

Read More

Detects attempts to discover the files with setuid/setgid capability on them. That would allow adversary to escalate their privileges.

Read More

Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration

Read More

Alert on when a user has performed an eDiscovery search or exported a PST file from the search. This PST file usually has sensitive information including email body content

Read More

Alert when a user has performed an export to a search using 'New-ComplianceSearchAction' with the '-Export' flag. This detection will detect PST export even if the 'eDiscovery search or exported' alert is disabled in the O365.This rule will apply to ExchangePowerShell usage and from the cloud.

Read More

One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe

Read More

Potential adversaries accessing the microphone and webcam in an endpoint.

Read More

Detects attempts to use screencapture to collect macOS screenshots

Read More

Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.

Read More

An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.

Read More

Identifies potential full network packet capture in gcp. This feature can potentially be abused to read sensitive data from unencrypted internal traffic.

Read More

Detects Processes accessing the camera and microphone from suspicious folder

Read More