Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced

Read More

Detects the usage of "mstsc.exe" with the "/v" flag to initiate a connection to a remote server. Adversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.

Read More

Detect use of PDQ Deploy remote admin tool

Read More

Detects exploitation attempt of CVE-2023-46214, a remote code execution (RCE) in Splunk Enterprise through insecure XML parsing using known public proof of concept code

Read More

Detects potential exploitation of CVE-2023-46214, a remote code execution (RCE) in Splunk Enterprise through insecure XML parsing

Read More

Detects suspicious child processes of Excel which could be an indicator of lateral movement leveraging the "ActivateMicrosoftApp" Excel DCOM object.

Read More

Detects the use of smbexec.py tool by detecting a specific service installation

Read More

Detects port forwarding activity via SSH.exe

Read More

Detects a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.

Read More

Detects the reporting of NTLMv1 being used between a client and server. NTLMv1 is insecure as the underlying encryption algorithms can be brute-forced by modern hardware.

Read More

Detects signs of the WMI script host process "scrcons.exe" loading scripting DLLs which could indicates WMI ActiveScriptEventConsumers EventConsumers activity.

Read More

Detects remote PowerShell sessions

Read More

Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.

Read More

Detects log entries that appear in exploitation attempts against MS Exchange RCE CVE-2021-42321

Read More

Detects a suspicious copy command to or from an Admin share or remote

Read More

Detects the execution of the hacktool Rubeus via PE information of command line parameters

Read More

Detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022

Read More

Detects an executable in the Windows folder accessing suspicious domains

Read More

Detects a Windows command line executable started from MMC

Read More

Detects execution of Net.exe, whether suspicious or benign.

Read More

Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule

Read More

Detects the exploitation of OMIGOD (CVE-2021-38647) which allows remote execute (RCE) commands as root with just a single unauthenticated HTTP request. Verify, successful, exploitation by viewing the HTTP client (request) body to see what was passed to the server (using PCAP). Within the client body is where the code execution would occur. Additionally, check the endpoint logs to see if suspicious commands or activity occurred within the timeframe of this HTTP request.

Read More

Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible lateral movement

Read More

Detects a when net.exe is called with a password in the command line

Read More

Detects connections from routable IPs to an RDP listener - which is indicative of a publicly-accessible RDP service.

Read More

Detects remote PowerShell connections by monitoring network outbound connections to ports 5985 or 5986 from a non-network service account.

Read More

Detects remote task creation via at.exe or API interacting with ATSVC namedpipe

Read More

Detects suspicious command line in which a user gets added to the local Remote Desktop Users group

Read More

Detects suspicious "epmap" connection to a remote computer via remote procedure call (RPC)

Read More

Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.

Read More

Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.

Read More

Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.

Read More

Detects automated lateral movement by Turla group

Read More

The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA.

Read More

Detects WannaCry ransomware activity

Read More

Detects when an admin share is mounted using net.exe

Read More

Detects when an internet hosted webdav share is mounted using the "net.exe" utility

Read More

Detects when a share is mounted using the "net.exe" utility

Read More

Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited. MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability. Unfortunately, that is about the only instance of CVEs being written to this log.

Read More

Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation

Read More

Detects logons using NTLM, which could be caused by a legacy source or attackers

Read More

Detects scenarios where an attacker enables the OpenSSH server and server starts to listening on SSH socket.

Read More

Detects logon events that specify new credentials

Read More

Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.

Read More

Detects svchost hosting RDP termsvcs communicating with the loopback address

Read More

Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443

Read More

Adversaries may use to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.

Read More

Detects suspicious processes logging on with explicit credentials

Read More

Detects suspicious child processes of SysAidServer (as seen in MERCURY threat actor intrusions)

Read More

Detects logon with "Special groups" and "Special Privileges" can be thought of as Administrator groups or privileges.

Read More

Aversaries may use to interact with a remote network share using Server Message Block (SMB). This technique is used by post-exploitation frameworks.

Read More

Identifies the suspicious use of AssumeRole. Attackers could move laterally and escalate privileges.

Read More

Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.

Read More

Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.

Read More

Detects attempts to connect via DCOM Endpoints, as used by Impacket DCOMExec. This event will occur on successful or unsuccessful attempts using any of the three DCOMExec -object options.

Read More

Detects an issue in apache logs that reports threading related errors

Read More

Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement. We can also catch this by system log 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml) In some SIEM you can catch those events also in HKLM\System\ControlSet001\Services or HKLM\System\ControlSet002\Services, however, this rule is based on a regular sysmon's events.

Read More

Detects default CSExec pipe creation

Read More

Detects default RemCom pipe creation

Read More

Detects the execution of the hacktool Rubeus using specific command line flags

Read More

Look for non-system accounts SMB accessing a file with write (0x2) access mask via administrative share (i.e C$).

Read More

Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.

Read More

Detects remote RPC calls that performs remote DCOM operations. These could be abused for lateral movement via DCOM or WMI.

Read More

Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR

Read More

Detects remote RPC calls to possibly abuse remote printing service via MS-RPRN / MS-PAR

Read More

Detects remote RPC calls to modify the registry and possible execute code

Read More

Detects remote RPC calls to create or execute a scheduled task via ATSvc

Read More

Detects remote RPC calls to create or execute a scheduled task

Read More

Detects remote RPC calls to create or execute a scheduled task via SASec

Read More

Detects remote RPC calls to possibly abuse remote encryption service via MS-SRVS

Read More

Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR

Read More

Detects external diskdrives or plugged in USB devices, EventID 6416 on Windows 10 or later

Read More

Detects APT31 Judgement Panda activity as described in the Crowdstrike 2019 Global Threat Report

Read More

Detects creation of "UserInitMprLogonScript" registry value which can be used as a persistence method by malicious actors

Read More

Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class

Read More

Detects a suspicious RDP session redirect using tscon.exe

Read More

Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system

Read More

Detects remote PowerShell sessions

Read More

Detects registry key creation matching default Impacket default naming convention. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects files written to an Admin Share. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects processes executing from an Admin Share. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detect remote login by Administrator user (depending on internal pattern).

Read More

Detects the attack technique pass the hash which is used to move laterally inside the network

Read More

RDP login with localhost source address may be a tunnelled login

Read More

Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network

Read More

Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep

Read More

Detects repeated failed (outgoing) attempts to mount a hidden share

Read More

Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation

Read More

Detects remote execution via service creation on the destination host

Read More

Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations.

Read More

Detects potential SMB file creation activity associated with Impacket smbclient.py.

Read More

Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement

Read More

Detect suspicious error on protocol RDP, potential CVE-2019-0708

Read More

This rule is designed to detect attempts to exploit Zerologon (CVE-2020-1472) vulnerability using mimikatz zerologon module or other exploits from machine with "kali" hostname.

Read More

Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module

Read More

This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes

Read More

Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script

Read More

Detects suspicious UltraVNC command line flag combination that indicate a auto reconnect upon execution, e.g. startup (as seen being used by Gamaredon threat group)

Read More

Detects the creation of the default output filename used by the wmiexec tool

Read More

Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)

Read More

Detects a threat actor creating a file named wbemcomn.dll in the C:\Windows\System32\wbem\ directory over the network for a WMI DLL Hijack scenario.

Read More

Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework

Read More

Detects the execution of netsh to configure a port forwarding of port 3389 (RDP) rule

Read More

Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.

Read More

Detects the execution of Radmin which can be abused by an adversary to remotely control Windows machines

Read More

Detects a threat actor creating a file named iertutil.dll in the C:\Program Files\Internet Explorer\ directory over the network for a DCOM InternetExplorer DLL Hijack scenario.

Read More

Detects access to a protected_storage service over the network. Potential abuse of DPAPI to extract domain backup keys from Domain Controllers

Read More

Detects a threat actor creating a file named wbemcomn.dll in the C:\Windows\System32\wbem\ directory over the network and loading it for a WMI DLL Hijack scenario.

Read More

Detects a threat actor creating a file named wbemcomn.dll in the C:\Windows\System32\wbem\ directory over the network and loading it for a WMI DLL Hijack scenario.

Read More

Detects the execution of "reg.exe" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\Control\Terminal Server' values

Read More

Detects RDP session hijacking by using MSTSC shadowing

Read More

Detects suspicious Plink tunnel port forwarding to a local port

Read More

Detects access to $ADMIN share

Read More

Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement

Read More

This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)

Read More

Detects Pandemic Windows Implant

Read More

Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.

Read More

Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.

Read More

Detects the execution of reg.exe and subsequent command line arguments for enabling RDP service on the host

Read More

Detects the execution of the commonly used ZeroLogon PoC executable.

Read More

Detection of potential us of SMB to transfer DLL's into the C$ folder of hosts unique to Qbot malware for purposes of lateral movement.

Read More

Detection of potential us of SMB to transfer DLL's into the ProgramData folder of hosts for purposes of lateral movement.

Read More

Detects use of AnyDesk

Read More

Detects use of SplashTop

Read More

Detects use of SplashTop

Read More

Various protocols maybe used to put data on the device for exfil or infil

Read More

This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes

Read More

detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one

Read More

Detects blocking of process creations originating from PSExec and WMI commands

Read More

Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class over the network

Read More

Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389

Read More

Detects use of the copy utility to deploy executable files from a remote share to a temp directory, such as the procedure performed by Vice Ransomware gang.

Read More

Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe.

Read More

Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.

Read More

This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop. Often, this event can be generated by attackers when searching for available windows servers in the network.

Read More

Detects execution of Impacket's psexec.py.

Read More

Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale

Read More

Detects remote service activity via remote access to the svcctl named pipe

Read More

Detects remote task creation via at.exe or API interacting with ATSVC namedpipe

Read More

detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one

Read More

Detects the use of tools that copy files from or to remote systems

Read More

Alerts on Metasploit host's authentications on the domain.

Read More

Detects potential use of Rubeus via registered new trusted logon process

Read More

Detects the modification of PortProxy registry key which is used for port forwarding. For command execution see rule win_netsh_port_fwd.yml.

Read More

Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.

Read More

Windows Server Update Services (WSUS) is a critical component of Windows systems and is frequently configured in a way that allows an attacker to circumvent internal networking limitations. Some tools, such as SharpWSUS and WSUSpendu, support lateral movement through WSUS.This rule covers those two main tools used for that purpose.

Read More