Detection.FYI
  • HackTool - WinPwn Execution

    Dec 4, 2023 · attack.credential_access attack.defense_evasion attack.discovery attack.execution attack.privilege_escalation attack.t1046 attack.t1082 attack.t1106 attack.t1518 attack.t1548.002 attack.t1552.001 attack.t1555 attack.t1555.003

    Detects command-line keywords indicative of potential usage of the tool WinPwn, a tool for Windows and Active Directory reconnaissance and exploitation.

  • HackTool - WinPwn Execution - ScriptBlock

    Dec 4, 2023 · attack.credential_access attack.defense_evasion attack.discovery attack.execution attack.privilege_escalation attack.t1046 attack.t1082 attack.t1106 attack.t1518 attack.t1548.002 attack.t1552.001 attack.t1555 attack.t1555.003

    Detects ScriptBlock text keywords indicative of potential usage of the tool WinPwn, a tool for Windows and Active Directory reconnaissance and exploitation.

  • Function Call From Undocumented COM Interface EditionUpgradeManager

    Dec 4, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1548.002

    Detects function calls from the EditionUpgradeManager COM interface, an interface that is not used by standard executables.

  • HackTool - winPEAS Execution

    Dec 4, 2023 · attack.privilege_escalation attack.t1082 attack.t1087 attack.t1046

    WinPEAS is a script that searches for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz.

  • Malware Shellcode in Verclsid Target Process

    Dec 4, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1055 detection.emerging_threats

    Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro.

  • Potential Process Hollowing Activity

    Dec 4, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1055.012

    Detects when a memory process image does not match the disk image, indicative of process hollowing.

  • Potential Shellcode Injection

    Dec 4, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1055

    Detects potential shellcode injection used by tools such as Metasploit's migrate and Empire's psinject.

  • Cisco BGP Authentication Failures

    Dec 1, 2023 · attack.initial_access attack.persistence attack.privilege_escalation attack.defense_evasion attack.credential_access attack.collection attack.t1078 attack.t1110 attack.t1557

    Detects BGP failures which may be indicative of brute force attacks to manipulate routing.

  • Cisco LDP Authentication Failures

    Dec 1, 2023 · attack.initial_access attack.persistence attack.privilege_escalation attack.defense_evasion attack.credential_access attack.collection attack.t1078 attack.t1110 attack.t1557

    Detects LDP failures which may be indicative of brute force attacks to manipulate MPLS labels.

  • Github New Secret Created

    Dec 1, 2023 · attack.defense_evasion attack.persistence attack.privilege_escalation attack.initial_access attack.t1078.004

    Detects when a user creates an Actions secret for the organization, environment, codespaces or repository.

  • Github Self Hosted Runner Changes Detected

    Dec 1, 2023 · attack.impact attack.discovery attack.collection attack.defense_evasion attack.persistence attack.privilege_escalation attack.initial_access attack.t1526 attack.t1213.003 attack.t1078.004

    A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runner configurations in the environment. Once detected, a self-hosted runner configuration change should be validated from the GitHub UI because the log entry may not provide full context.

  • HackTool - SysmonEOP Execution

    Dec 1, 2023 · cve.2022.41120 attack.t1068 attack.privilege_escalation

    Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120.

  • Huawei BGP Authentication Failures

    Dec 1, 2023 · attack.initial_access attack.persistence attack.privilege_escalation attack.defense_evasion attack.credential_access attack.collection attack.t1078 attack.t1110 attack.t1557

    Detects BGP failures which may be indicative of brute force attacks to manipulate routing.

  • Juniper BGP Missing MD5

    Dec 1, 2023 · attack.initial_access attack.persistence attack.privilege_escalation attack.defense_evasion attack.credential_access attack.collection attack.t1078 attack.t1110 attack.t1557

    Detects Juniper BGP missing an MD5 digest, which may be indicative of brute force attacks to manipulate routing.

  • Nimbuspwn Exploitation

    Dec 1, 2023 · attack.privilege_escalation attack.t1068

    Detects exploitation of the Nimbuspwn privilege escalation vulnerability (CVE-2022-29799 and CVE-2022-29800).

  • Potential DLL Sideloading Of Non-Existent DLLs From System Folders

    Dec 1, 2023 · attack.defense_evasion attack.persistence attack.privilege_escalation attack.t1574.001 attack.t1574.002

    Detects DLL sideloading of system DLLs that are not present on the system by default, usually to achieve techniques such as UAC bypass and privilege escalation.

  • PwnKit Local Privilege Escalation

    Dec 1, 2023 · attack.privilege_escalation attack.t1548.001

    Detects potential PwnKit exploitation (CVE-2021-4034) in auth logs.

  • Renamed Mavinject.EXE Execution

    Dec 1, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1055.001 attack.t1218.013

    Detects the execution of a renamed version of the "Mavinject" process, which can be abused to perform process injection using the "/INJECTRUNNING" flag.

  • Suspicious Shells Spawn by Java Utility Keytool

    Dec 1, 2023 · attack.initial_access attack.persistence attack.privilege_escalation

    Detects a suspicious shell spawned from the Java utility keytool process (e.g. ADSelfService Plus exploitation).

  • Uncommon One Time Only Scheduled Task At 00:00

    Dec 1, 2023 · attack.execution attack.persistence attack.privilege_escalation attack.t1053.005

    Detects scheduled task creation events that include suspicious actions and are run once at 00:00.

  • VsCode Powershell Profile Modification

    Dec 1, 2023 · attack.persistence attack.privilege_escalation attack.t1546.013

    Detects the creation or modification of a VSCode-related PowerShell profile, which could indicate suspicious activity as the profile can be used as a means of persistence.

  • Potential Persistence Via Netsh Helper DLL

    Nov 28, 2023 · attack.privilege_escalation attack.persistence attack.t1546.007 attack.s0108

    Detects the execution of netsh with the "add helper" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.

  • Lazarus APT DLL Sideloading Activity

    Nov 28, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1574.001 attack.t1574.002 attack.g0032 detection.emerging_threats

    Detects sideloading of trojanized DLLs used in the Lazarus APT campaign in the case of a Spanish aerospace company.

  • CobaltStrike Named Pipe Patterns

    Nov 27, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1055 stp.1k

    Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles.

  • Potential Access Token Abuse

    Nov 27, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1134.001 stp.4u

    Detects potential token impersonation and theft, for example when using "DuplicateToken(Ex)" and "ImpersonateLoggedOnUser" with the "LOGON32_LOGON_NEW_CREDENTIALS" flag.

  • Scheduled Task Creation

    Nov 27, 2023 · attack.execution attack.persistence attack.privilege_escalation attack.t1053.005 attack.s0111 car.2013-08-001 stp.1u

    Detects the creation of scheduled tasks in a user session.

  • Enabling COR Profiler Environment Variables

    Nov 27, 2023 · attack.persistence attack.privilege_escalation attack.defense_evasion attack.t1574.012

    Detects the .NET Framework CLR and .NET Core CLR "cor_enable_profiling" and "cor_profiler" variables being set and configured.

  • Remote Thread Creation By Uncommon Source Image

    Nov 15, 2023 · attack.privilege_escalation attack.defense_evasion attack.t1055

    Detects uncommon processes creating remote threads.

  • Suspicious Shim Database Installation via Sdbinst.EXE

    Nov 15, 2023 · attack.persistence attack.privilege_escalation attack.t1546.011

    Detects installation of a potentially suspicious new shim with an uncommon extension using sdbinst.exe. Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.

  • Shell Process Spawned by Java.EXE

    Nov 10, 2023 · attack.initial_access attack.persistence attack.privilege_escalation

    Detects a shell spawned from a Java host process, which could be a sign of exploitation (e.g. log4j exploitation).

  • Suspicious Processes Spawned by Java.EXE

    Nov 10, 2023 · attack.initial_access attack.persistence attack.privilege_escalation

    Detects suspicious processes spawned from a Java host process, which could be a sign of exploitation (e.g. log4j).

  • Potential Persistence Via Security Descriptors - ScriptBlock

    Nov 2, 2023 · attack.persistence attack.defense_evasion attack.privilege_escalation

    Detects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor, as seen in the DAMP project.

  • Potential Suspicious Activity Using SeCEdit

    Nov 2, 2023 · attack.discovery attack.persistence attack.defense_evasion attack.credential_access attack.privilege_escalation attack.t1562.002 attack.t1547.001 attack.t1505.005 attack.t1556.002 attack.t1562 attack.t1574.007 attack.t1564.002 attack.t1546.008 attack.t1546.007 attack.t1547.014 attack.t1547.010 attack.t1547.002 attack.t1557 attack.t1082

    Detects potentially suspicious behaviour using secedit.exe, such as exporting or modifying the security policy.

  • Service Installed By Unusual Client - Security

    Nov 2, 2023 · attack.privilege_escalation attack.t1543

    Detects a service installed by a client which has PID 0 or whose parent has PID 0.

  • Service Installed By Unusual Client - System

    Nov 2, 2023 · attack.privilege_escalation attack.t1543

    Detects a service installed by a client which has PID 0 or whose parent has PID 0.

  • Suspicious SQL Query

    Nov 2, 2023 · attack.exfiltration attack.initial_access attack.privilege_escalation attack.t1190 attack.t1505.001

    Detects suspicious SQL query keywords that are often used during recon, exfiltration or destructive activities, such as dropping tables and selecting wildcard fields.

  • Win Susp Computer Name Containing Samtheadmin

    Nov 2, 2023 · cve.2021.42278 cve.2021.42287 attack.persistence attack.privilege_escalation attack.t1078

    Detects the suspicious computer name samtheadmin-{1..100}$ generated by a hacktool.

  • App Role Added

    Oct 28, 2023 · attack.persistence attack.privilege_escalation attack.t1098.003

    Detects when an app is assigned Azure AD roles, such as global administrator, or Azure RBAC roles, such as subscription owner.

  • Impossible Travel

    Oct 28, 2023 · attack.t1078 attack.persistence attack.defense_evasion attack.privilege_escalation attack.initial_access

    Identifies user activities originating from geographically distant locations within a time period shorter than the time it takes to travel from the first location to the second.

  • WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load

    Oct 28, 2023 · attack.lateral_movement attack.privilege_escalation attack.persistence attack.t1546.003

    Detects signs of the WMI script host process "scrcons.exe" loading scripting DLLs, which could indicate WMI ActiveScriptEventConsumers activity.

  • Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection

    Oct 28, 2023 · attack.privilege_escalation attack.t1055

    Detects the suspicious file that is created from PoC code against the Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare) and CVE-2021-1675.

  • PowerShell Profile Modification

    Oct 28, 2023 · attack.persistence attack.privilege_escalation attack.t1546.013

    Detects the creation or modification of a PowerShell profile, which could indicate suspicious activity as the profile can be used as a means of persistence.

  • Suspicious Sysmon as Execution Parent

    Oct 28, 2023 · attack.privilege_escalation attack.t1068 cve.2022.41120 detection.emerging_threats

    Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120).

  • Diamond Sleet APT Scheduled Task Creation

    Oct 28, 2023 · attack.execution attack.privilege_escalation attack.persistence attack.t1053.005 detection.emerging_threats

    Detects a registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of the TeamCity CVE-2023-42793 vulnerability.

  • Potential System DLL Sideloading From Non System Locations

    Oct 28, 2023 · attack.defense_evasion attack.persistence attack.privilege_escalation attack.t1574.001 attack.t1574.002

    Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.).

  • CVE-2021-1675 Print Spooler Exploitation Filename Pattern

    Oct 26, 2023 · attack.execution attack.privilege_escalation attack.resource_development attack.t1587 cve.2021.1675 detection.emerging_threats

    Detects the default filename used in PoC code against the print spooler vulnerability CVE-2021-1675.

  • CVE-2022-24527 Microsoft Connected Cache LPE

    Oct 26, 2023 · attack.privilege_escalation attack.t1059.001 cve.2022.24527 detection.emerging_threats

    Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache.

  • Exploitation Indicators Of CVE-2023-20198

    Oct 26, 2023 · attack.privilege_escalation attack.initial_access detection.emerging_threats

    Detects exploitation indicators of CVE-2023-20198, a privilege escalation vulnerability in the Cisco IOS XE Software Web UI.

  • InstallerFileTakeOver LPE CVE-2021-41379 File Create Event

    Oct 26, 2023 · attack.privilege_escalation attack.t1068 detection.emerging_threats

    Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file.

  • Remote Thread Creation In Uncommon Target Image

    Oct 23, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1055.003

    Detects uncommon target processes for remote thread creation.

  • Abused Debug Privilege by Arbitrary Parent Processes

    Oct 18, 2023 · attack.privilege_escalation attack.t1548

    Detection of unusual child processes by different system processes.

  • Always Install Elevated MSI Spawned Cmd And Powershell

    Oct 18, 2023 · attack.privilege_escalation attack.t1548.002

    Detects the Windows Installer service (msiexec.exe) spawning "cmd" or "powershell".

  • AWS Glue Development Endpoint Activity

    Oct 18, 2023 · attack.privilege_escalation

    Detects possibly suspicious AWS Glue development endpoint activity.

  • Azure Kubernetes CronJob

    Oct 18, 2023 · attack.persistence attack.t1053.003 attack.privilege_escalation attack.execution

    Identifies when an Azure Kubernetes CronJob runs in Azure Cloud. A Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. A Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. A Kubernetes CronJob is used to schedule Jobs. An adversary may use a Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.

  • Creation Of Non-Existent System DLL

    Oct 18, 2023 · attack.defense_evasion attack.persistence attack.privilege_escalation attack.t1574.001 attack.t1574.002

    Detects the creation of system DLLs that are not present on the system, usually to achieve DLL hijacking.

  • DotNet CLR DLL Loaded By Scripting Applications

    Oct 18, 2023 · attack.execution attack.privilege_escalation attack.t1055

    Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potentially suspicious execution.

  • Elevated System Shell Spawned

    Oct 18, 2023 · attack.privilege_escalation attack.defense_evasion attack.execution attack.t1059

    Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges.

  • HackTool - CoercedPotato Execution

    Oct 18, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1055

    Detects the use of CoercedPotato, a tool for privilege escalation.

  • HackTool - SharpImpersonation Execution

    Oct 18, 2023 · attack.privilege_escalation attack.defense_evasion attack.t1134.001 attack.t1134.003

    Detects execution of the SharpImpersonation tool, which can be used to manipulate tokens on a Windows computer remotely (PsExec/WmiExec) or interactively.

  • HackTool - SharpUp PrivEsc Tool Execution

    Oct 18, 2023 · attack.privilege_escalation attack.t1615 attack.t1569.002 attack.t1574.005

    Detects the use of SharpUp, a tool for local privilege escalation.

  • HackTool - UACMe Akagi Execution

    Oct 18, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1548.002

    Detects the execution of UACMe, a tool used for UAC bypasses, via default PE metadata.

  • Malicious Named Pipe Created

    Oct 18, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1055

    Detects the creation of a named pipe seen used by known APTs or malware.

  • Meterpreter or Cobalt Strike Getsystem Service Installation - Security

    Oct 18, 2023 · attack.privilege_escalation attack.t1134.001 attack.t1134.002

    Detects the use of the Meterpreter/Cobalt Strike getsystem command by detecting a specific service installation.

  • Meterpreter or Cobalt Strike Getsystem Service Installation - System

    Oct 18, 2023 · attack.privilege_escalation attack.t1134.001 attack.t1134.002

    Detects the use of the Meterpreter/Cobalt Strike getsystem command by detecting a specific service installation.

  • New PDQDeploy Service - Server Side

    Oct 18, 2023 · attack.privilege_escalation attack.t1543.003

    Detects a PDQDeploy service installation, which indicates that PDQDeploy was installed on the machine. PDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines.

  • OMIGOD HTTP No Authentication RCE

    Oct 18, 2023 · attack.privilege_escalation attack.initial_access attack.execution attack.lateral_movement attack.t1068 attack.t1190 attack.t1203 attack.t1021.006 attack.t1210

    Detects the exploitation of OMIGOD (CVE-2021-38647), which allows remote command execution (RCE) as root with just a single unauthenticated HTTP request. Verify successful exploitation by viewing the HTTP client (request) body to see what was passed to the server (using PCAP). Within the client body is where the code execution would occur. Additionally, check the endpoint logs to see if suspicious commands or activity occurred within the timeframe of this HTTP request.

  • Password Provided In Command Line Of Net.EXE

    Oct 18, 2023 · attack.defense_evasion attack.initial_access attack.persistence attack.privilege_escalation attack.lateral_movement attack.t1021.002 attack.t1078

    Detects when net.exe is called with a password in the command line.

  • Potential Azure Browser SSO Abuse

    Oct 18, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1574.002

    Detects abuse of Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser. An attacker can use this to authenticate to Azure AD in a browser as that user.

  • Potential CVE-2021-41379 Exploitation Attempt

    Oct 18, 2023 · attack.privilege_escalation attack.t1068 cve.2021.41379 detection.emerging_threats

    Detects potential exploitation attempts of CVE-2021-41379 (InstallerFileTakeOver), a local privilege escalation (LPE) vulnerability where the attacker spawns a "cmd.exe" process as a child of the Microsoft Edge elevation service "elevation_service" with "LOCAL_SYSTEM" rights.

  • Potential ShellDispatch.DLL Sideloading

    Oct 18, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1574.001 attack.t1574.002

    Detects potential DLL sideloading of "ShellDispatch.dll".

  • Potential WWlib.DLL Sideloading

    Oct 18, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1574.001 attack.t1574.002

    Detects potential DLL sideloading of "wwlib.dll".

  • Powershell WMI Persistence

    Oct 18, 2023 · attack.privilege_escalation attack.t1546.003

    Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription.

  • PUA - AdvancedRun Execution

    Oct 18, 2023 · attack.execution attack.defense_evasion attack.privilege_escalation attack.t1564.003 attack.t1134.002 attack.t1059.003

    Detects the execution of the AdvancedRun utility.

  • PUA - AdvancedRun Suspicious Execution

    Oct 18, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1134.002

    Detects the execution of the AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts.

  • PUA - Process Hacker Execution

    Oct 18, 2023 · attack.defense_evasion attack.discovery attack.persistence attack.privilege_escalation attack.t1622 attack.t1564 attack.t1543

    Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc.). Process Hacker is a tool to view and manipulate processes, kernel options and other low-level options. Threat actors regularly abuse it to manipulate system processes.

  • PUA - System Informer Execution

    Oct 18, 2023 · attack.persistence attack.privilege_escalation attack.discovery attack.defense_evasion attack.t1082 attack.t1564 attack.t1543

    Detects the execution of System Informer, a task manager tool to view and manipulate processes, kernel options and other low-level operations.

  • RottenPotato Like Attack Pattern

    Oct 18, 2023 · attack.privilege_escalation attack.credential_access attack.t1557.001

    Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like.

  • Suspect Svchost Activity

    Oct 18, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1055

    It is extremely abnormal for svchost.exe to spawn without any CLI arguments; this is normally observed when a malicious process spawns the process and injects code into the process memory space.

  • Suspicious SYSTEM User Process Creation

    Oct 18, 2023 · attack.credential_access attack.defense_evasion attack.privilege_escalation attack.t1134 attack.t1003 attack.t1027

    Detects a suspicious process creation as the SYSTEM user (suspicious program or command line parameter).

  • Third Party Software DLL Sideloading

    Oct 18, 2023 · attack.defense_evasion attack.persistence attack.privilege_escalation attack.t1574.001 attack.t1574.002

    Detects DLL sideloading of DLLs that are part of third party software (Zoom, Discord, etc.).

  • UAC Bypass via Event Viewer

    Oct 18, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1548.002 car.2019-04-001

    Detects a UAC bypass method using the Windows Event Viewer.

  • User Added To Admin Group Via Dscl

    Oct 18, 2023 · attack.initial_access attack.privilege_escalation attack.t1078.003

    Detects attempts to create and add an account to the admin group via "dscl".

  • User Added To Admin Group Via DseditGroup

    Oct 18, 2023 · attack.initial_access attack.privilege_escalation attack.t1078.003

    Detects attempts to create and/or add an account to the admin group, thus granting admin privileges.

  • User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'

    Oct 18, 2023 · attack.lateral_movement attack.privilege_escalation attack.t1558.003

    The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. A failure here is possibly Rubeus trying to get a handle to LSA.

  • Vulnerable HackSys Extreme Vulnerable Driver Load

    Oct 18, 2023 · attack.privilege_escalation attack.t1543.003

    Detects the load of the HackSys Extreme Vulnerable Driver, an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at kernel level, which is often abused by threat actors.

  • WMI Persistence

    Oct 18, 2023 · attack.persistence attack.privilege_escalation attack.t1546.003

    Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.

  • Abuse of Service Permissions to Hide Services Via Set-Service

    Oct 17, 2023 · attack.persistence attack.defense_evasion attack.privilege_escalation attack.t1574.011

    Detects usage of the "Set-Service" PowerShell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service", etc. (works only in PowerShell 7).

  • Abuse of Service Permissions to Hide Services Via Set-Service - PS

    Oct 17, 2023 · attack.persistence attack.defense_evasion attack.privilege_escalation attack.t1574.011

    Detects usage of the "Set-Service" PowerShell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service", etc. (Works only in PowerShell 7.)

  • Account Tampering - Suspicious Failed Logon Reasons

    Oct 17, 2023 · attack.persistence attack.defense_evasion attack.privilege_escalation attack.initial_access attack.t1078

    This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.

  • Application AppID Uri Configuration Changes

    Oct 17, 2023 · attack.persistence attack.credential_access attack.privilege_escalation attack.t1552 attack.t1078.004

    Detects when a configuration change is made to an application's AppID URI.

  • Application URI Configuration Changes

    Oct 17, 2023 · attack.t1528 attack.t1078.004 attack.persistence attack.credential_access attack.privilege_escalation

    Detects when a configuration change is made to an application's URI. URIs for domain names that no longer exist (dangling URIs), URIs not using HTTPS, wildcards at the end of the domain, URIs that are not unique to that app, or URIs that point to domains you do not control should be investigated.

  • Application Using Device Code Authentication Flow

    Oct 17, 2023 · attack.t1078 attack.defense_evasion attack.persistence attack.privilege_escalation attack.initial_access

    Device code flow is an OAuth 2.0 protocol flow specifically for input constrained devices and is not used in all environments. If this type of flow is seen in the environment and not being used in an input constrained device scenario, further investigation is warranted. This can be a misconfigured application or potentially something malicious.

  • Applications That Are Using ROPC Authentication Flow

    Oct 17, 2023 · attack.t1078 attack.defense_evasion attack.persistence attack.privilege_escalation attack.initial_access

    Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly. The application then uses those credentials to authenticate the user against the identity provider.

  • Audit CVE Event

    Oct 17, 2023 · attack.execution attack.t1203 attack.privilege_escalation attack.t1068 attack.defense_evasion attack.t1211 attack.credential_access attack.t1212 attack.lateral_movement attack.t1210 attack.impact attack.t1499.004

    Detects events generated by user-mode applications when they call the CveEventWrite API upon an attempt to exploit a known vulnerability. MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability). Unfortunately, that is about the only instance of CVEs being written to this log.

  • Changes to Device Registration Policy

    Oct 17, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1484

    Monitor and alert for changes to the device registration policy.

  • Changes To PIM Settings

    Oct 17, 2023 · attack.privilege_escalation attack.persistence attack.t1078.004

    Detects when changes are made to PIM roles.

  • DiagTrackEoP Default Login Username

    Oct 17, 2023 · attack.privilege_escalation

    Detects the default "UserName" used by the DiagTrackEoP POC.

  • DLL Search Order Hijacking Via Additional Space in Path

    Oct 17, 2023 · attack.persistence attack.privilege_escalation attack.defense_evasion attack.t1574.002

    Detects when an attacker creates a folder structure similar to Windows system folders (such as Windows, Program Files, ...) but with an additional space, in order to trick the DLL load search order and perform a "DLL Search Order Hijacking" attack.

  • DLL Sideloading Of ShellChromeAPI.DLL

    Oct 17, 2023 · attack.defense_evasion attack.persistence attack.privilege_escalation attack.t1574.001 attack.t1574.002

    Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary, which in combination with the "PhoneDeepLink" flag tries to load this DLL. Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter.

  • KDC RC4-HMAC Downgrade CVE-2022-37966

    Oct 17, 2023 · attack.privilege_escalation

    Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation.

  • KrbRelayUp Attack Pattern

    Oct 17, 2023 · attack.privilege_escalation attack.credential_access

    Detects logon events that have characteristics of events generated during an attack with KrbRelayUp and the like.

  • KrbRelayUp Service Installation

    Oct 17, 2023 · attack.privilege_escalation attack.t1543

    Detects service creation by the KrbRelayUp tool, used for privilege escalation in Windows domain environments where LDAP signing is not enforced (the default setting).

  • Malicious DLL File Dropped in the Teams or OneDrive Folder

    Oct 17, 2023 · attack.persistence attack.privilege_escalation attack.defense_evasion attack.t1574.002

    Detects creation of a malicious DLL file in the location where the OneDrive or Teams applications are installed. Upon execution of the Teams or OneDrive application, the dropped malicious DLL file ("iphlpapi.dll") is sideloaded.

  • Mavinject Inject DLL Into Running Process

    Oct 17, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1055.001 attack.t1218.013

    Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag.

  • Modify Group Policy Settings

    Oct 17, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1484.001

    Detects malicious GPO modifications, which can be used to implement many other malicious behaviors.

  • Modify Group Policy Settings - ScriptBlockLogging

    Oct 17, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1484.001

    Detects malicious GPO modifications, which can be used to implement many other malicious behaviors.

  • Moriya Rootkit - System

    Oct 17, 2023 · attack.persistence attack.privilege_escalation attack.t1543.003

    Detects the use of the Moriya rootkit as described in Securelist's Operation TunnelSnake report.

  • New Kernel Driver Via SC.EXE

    Oct 17, 2023 · attack.persistence attack.privilege_escalation attack.t1543.003

    Detects creation of a new service (kernel driver) with the type "kernel".

  • New PDQDeploy Service - Client Side

    Oct 17, 2023 · attack.privilege_escalation attack.t1543.003

    Detects PDQDeploy service installation on the target system. When a package is deployed via PDQDeploy it installs a remote service on the target machine with the name "PDQDeployRunner-X", where "X" is an integer starting from 1.

  • OMIGOD SCX RunAsProvider ExecuteScript

    Oct 17, 2023 · attack.privilege_escalation attack.initial_access attack.execution attack.t1068 attack.t1190 attack.t1203

    Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell. The script being executed is created as a temp file in the /tmp folder with an scx* prefix. It is then invoked from the directory /etc/opt/microsoft/scx/conf/tmpdir/; the file in that directory has the same scx* prefix. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.

  • OMIGOD SCX RunAsProvider ExecuteShellCommand

    Oct 17, 2023 · attack.privilege_escalation attack.initial_access attack.execution attack.t1068 attack.t1190 attack.t1203

    Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.

  • OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd

    Oct 17, 2023 · attack.privilege_escalation attack.initial_access attack.execution attack.t1068 attack.t1190 attack.t1203

    Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.

  • PIM Alert Setting Changes To Disabled

    Oct 17, 2023 · attack.persistence attack.privilege_escalation attack.t1078

    Detects when PIM alerts are set to disabled.

  • PIM Approvals And Deny Elevation

    Oct 17, 2023 · attack.privilege_escalation attack.t1078.004

    Detects when a PIM elevation is approved or denied. Approvals or denials outside of normal operations should be investigated.

  • Potential DLL Sideloading Via ClassicExplorer32.dll

    Oct 17, 2023 · attack.defense_evasion attack.persistence attack.privilege_escalation attack.t1574.001 attack.t1574.002

    Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software.

  • Potential DLL Sideloading Via comctl32.dll

    Oct 17, 2023 · attack.defense_evasion attack.persistence attack.privilege_escalation attack.t1574.001 attack.t1574.002

    Detects potential DLL sideloading using comctl32.dll to obtain system privileges.

  • Potential DLL Sideloading Via JsSchHlp

    Oct 17, 2023 · attack.defense_evasion attack.persistence attack.privilege_escalation attack.t1574.001 attack.t1574.002

    Detects potential DLL sideloading using the JUSTSYSTEMS Japanese word processor.

  • Potential Privilege Escalation Attempt Via .Exe.Local Technique

    Oct 17, 2023 · attack.defense_evasion attack.persistence attack.privilege_escalation

    Detects a potential privilege escalation attempt via the creation of a "*.Exe.Local" folder inside the "System32" directory in order to sideload "comctl32.dll".

  • Potential Privilege Escalation Using Symlink Between Osk and Cmd

    Oct 17, 2023 · attack.privilege_escalation attack.persistence attack.t1546.008

    Detects the creation of a symbolic link between "cmd.exe" and the accessibility on-screen keyboard binary (osk.exe) using "mklink". This technique provides an elevated command prompt to the user from the login screen without the need to log in.

  • Privileged Account Creation

    Oct 17, 2023 · attack.persistence attack.privilege_escalation attack.t1078.004

    Detects when a new admin is created.

  • Service DACL Abuse To Hide Services Via Sc.EXE

    Oct 17, 2023 · attack.persistence attack.defense_evasion attack.privilege_escalation attack.t1574.011

    Detects usage of the "sc.exe" utility to add a new service with special permissions, as seen used by threat actors, which make the service hidden and unremovable.

  • Service Installation in Suspicious Folder

    Oct 17, 2023 · attack.persistence attack.privilege_escalation car.2013-09-005 attack.t1543.003

    Detects service installation in the suspicious folder AppData.

  • Sliver C2 Default Service Installation

    Oct 17, 2023 · attack.execution attack.privilege_escalation attack.t1543.003 attack.t1569.002

    Detects known malicious service installations that appear in cases in which Sliver implants execute the PsExec commands.

  • Sticky Key Like Backdoor Usage - Registry

    Oct 17, 2023 · attack.privilege_escalation attack.persistence attack.t1546.008 car.2014-11-003 car.2014-11-008

    Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen.

  • Sudo Privilege Escalation CVE-2019-14287

    Oct 17, 2023 · attack.privilege_escalation attack.t1068 attack.t1548.003 cve.2019.14287

    Detects users trying to exploit the sudo vulnerability reported in CVE-2019-14287.

  • Sudo Privilege Escalation CVE-2019-14287 - Builtin

    Oct 17, 2023 · attack.privilege_escalation attack.t1068 attack.t1548.003 cve.2019.14287

    Detects users trying to exploit the sudo vulnerability reported in CVE-2019-14287.

  • Suspicious GetTypeFromCLSID ShellExecute

    Oct 17, 2023 · attack.privilege_escalation attack.persistence attack.t1546.015

    Detects suspicious PowerShell code that executes COM objects.

  • Suspicious New Service Creation

    Oct 17, 2023 · attack.persistence attack.privilege_escalation attack.t1543.003

    Detects creation of a new service via the "sc" command or the PowerShell "New-Service" cmdlet with suspicious binary paths.

  • Suspicious Processes Spawned by WinRM

    Oct 17, 2023 · attack.t1190 attack.initial_access attack.persistence attack.privilege_escalation

    Detects suspicious processes, including shells, spawned from the WinRM host process.

  • Suspicious RunAs-Like Flag Combination

    Oct 17, 2023 · attack.privilege_escalation

    Detects suspicious command line flags that let the user set a target user and command, as e.g. seen in PsExec-like tools.

  • Suspicious Scheduled Task Creation

    Oct 17, 2023 · attack.execution attack.privilege_escalation attack.persistence attack.t1053.005

    Detects suspicious scheduled task creation events, based on attributes such as paths, command line flags, etc.

  • Suspicious Scheduled Task Update

    Oct 17, 2023 · attack.execution attack.privilege_escalation attack.persistence attack.t1053.005

    Detects scheduled task update events that contain suspicious keywords.

  • Suspicious ScreenSave Change by Reg.exe

    Oct 17, 2023 · attack.privilege_escalation attack.t1546.002

    Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.

  • Suspicious Service DACL Modification Via Set-Service Cmdlet - PS

    Oct 17, 2023 · attack.persistence attack.defense_evasion attack.privilege_escalation attack.t1574.011

    Detects usage of the "Set-Service" PowerShell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service", etc. (Works only in PowerShell 7.)

  • Suspicious Service Installation Script

    Oct 17, 2023 · attack.persistence attack.privilege_escalation car.2013-09-005 attack.t1543.003

    Detects suspicious service installation scripts.

  • Triple Cross eBPF Rootkit Execve Hijack

    Oct 17, 2023 · attack.defense_evasion attack.privilege_escalation

    Detects execution of the file "execve_hijack", which is used by the Triple Cross rootkit as a way to elevate privileges.

  • UAC Bypass Using EventVwr

    Oct 17, 2023 · attack.defense_evasion attack.privilege_escalation

    Detects the pattern of a UAC bypass using Windows Event Viewer.

  • UAC Bypass Using IDiagnostic Profile

    Oct 17, 2023 · attack.execution attack.defense_evasion attack.privilege_escalation attack.t1548.002

    Detects the "IDiagnosticProfileUAC" UAC bypass technique.

  • UAC Bypass Using IDiagnostic Profile - File

    Oct 17, 2023 · attack.execution attack.defense_evasion attack.privilege_escalation attack.t1548.002

    Detects the creation of a file by "dllhost.exe" in the System32 directory as part of the "IDiagnosticProfileUAC" UAC bypass technique.

  • UAC Bypass Using Iscsicpl - ImageLoad

    Oct 17, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1548.002

    Detects the "iscsicpl.exe" UAC bypass technique, which leverages DLL search order hijacking to load a custom DLL from temp or any user-controlled location in the user's %PATH%.

  • UAC Bypass via ICMLuaUtil

    Oct 17, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1548.002

    Detects the pattern of a UAC bypass using the ICMLuaUtil elevated COM interface.

  • UAC Bypass via Windows Firewall Snap-In Hijack

    Oct 17, 2023 · attack.privilege_escalation attack.t1548

    Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in.

  • User Added To Privilege Role

    Oct 17, 2023 · attack.privilege_escalation attack.defense_evasion attack.t1078.004

    Detects when a user is added to a privileged role.

  • User Added To Root/Sudoers Group Using Usermod

    Oct 17, 2023 · attack.privilege_escalation attack.persistence

    Detects usage of the "usermod" binary to add users to the root or sudoers groups.

  • User State Changed From Guest To Member

    Oct 17, 2023 · attack.privilege_escalation attack.initial_access attack.t1078.004

    Detects the change of user type from "Guest" to "Member" for potential elevation of privilege.

  • Users Added to Global or Device Admin Roles

    Oct 17, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1078.004

    Monitor and alert for users added to device admin roles.

  • VMGuestLib DLL Sideload

    Oct 17, 2023 · attack.defense_evasion attack.persistence attack.privilege_escalation attack.t1574.001 attack.t1574.002

    Detects DLL sideloading of VMGuestLib.dll by the WmiApSrv service.

  • Vulnerable WinRing0 Driver Load

    Oct 17, 2023 · attack.privilege_escalation attack.t1543.003

    Detects the load of a signed WinRing0 driver, often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation.

  • Windows Spooler Service Suspicious Binary Load

    Oct 17, 2023 · attack.persistence attack.defense_evasion attack.privilege_escalation attack.t1574 cve.2021.1675 cve.2021.34527

    Detects DLL loads from the Spooler Service backup folder.

  • App Granted Privileged Delegated Or App Permissions

    Oct 12, 2023 · attack.persistence attack.privilege_escalation attack.t1098.003

    Detects when an administrator grants either application permissions (app roles) or highly privileged delegated permissions.

  • AWS Attached Malicious Lambda Layer

    Oct 12, 2023 · attack.privilege_escalation

    Detects when a user attaches a Lambda layer to an existing function to override a library that is in use by the function, where their malicious code could utilize the function's IAM role for AWS API calls. This would give an adversary access to the privileges associated with the Lambda service role that is attached to that function.

  • AWS Root Credentials

    Oct 12, 2023 · attack.privilege_escalation attack.t1078.004

    Detects AWS root account usage.

  • AWS STS AssumeRole Misuse

    Oct 12, 2023 · attack.lateral_movement attack.privilege_escalation attack.t1548 attack.t1550 attack.t1550.001

    Identifies the suspicious use of AssumeRole. Attackers could move laterally and escalate privileges.

  • AWS STS GetSessionToken Misuse

    Oct 12, 2023 · attack.lateral_movement attack.privilege_escalation attack.t1548 attack.t1550 attack.t1550.001

    Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.

  • AWS Suspicious SAML Activity

    Oct 12, 2023 · attack.initial_access attack.t1078 attack.lateral_movement attack.t1548 attack.privilege_escalation attack.t1550 attack.t1550.001

    Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.

  • Google Cloud Kubernetes CronJob

    Oct 12, 2023 · attack.persistence attack.privilege_escalation attack.execution

    Identifies when a Google Cloud Kubernetes CronJob runs in Azure Cloud. A Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Jobs can be used to run containers that perform finite tasks for batch jobs. A Kubernetes CronJob is used to schedule Jobs. An adversary may use a Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.

  • User Added to an Administrator's Azure AD Role

    Oct 12, 2023 · attack.persistence attack.privilege_escalation attack.t1098.003 attack.t1078

    User Added to an Administrator's Azure AD Role.

  • HackTool - CoercedPotato Named Pipe Creation

    Oct 12, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1055

    Detects the pattern of a pipe name as used by the hack tool CoercedPotato.

  • HackTool - EfsPotato Named Pipe Creation

    Oct 12, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1055

    Detects the pattern of a pipe name as used by the hack tool EfsPotato.

  • Certificate Use With No Strong Mapping

    Oct 11, 2023 · attack.privilege_escalation

    Detects a user certificate that was valid but could not be mapped to a user in a strong way (such as via explicit mapping, key trust mapping, or a SID). This could be a sign of exploitation of the elevation of privilege vulnerabilities (CVE-2022-34691, CVE-2022-26931, CVE-2022-26923) that can occur when the KDC allows certificate spoofing by not requiring a strong mapping. Events where the AccountName and CN of the Subject do not match, or where the CN ends in a dollar sign indicating a machine, may indicate certificate spoofing.

  • COM Hijack via Sdclt

    Oct 4, 2023 · attack.privilege_escalation attack.t1546 attack.t1548

    Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'.

  • Malicious Driver Load

    Oct 4, 2023 · attack.privilege_escalation attack.t1543.003 attack.t1068

    Detects the load of known malicious drivers by hash value.

  • Malicious Driver Load By Name

    Oct 4, 2023 · attack.privilege_escalation attack.t1543.003 attack.t1068

    Detects the load of known malicious drivers via their names only.

  • Potentially Suspicious Event Viewer Child Process

    Oct 4, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1548.002 car.2019-04-001

    Detects uncommon or suspicious child processes of "eventvwr.exe", which might indicate a UAC bypass attempt.

  • Vulnerable Driver Load

    Oct 4, 2023 · attack.privilege_escalation attack.t1543.003 attack.t1068

    Detects the load of known vulnerable drivers by hash value.

  • Vulnerable Driver Load By Name

    Oct 4, 2023 · attack.privilege_escalation attack.t1543.003 attack.t1068

    Detects the load of known vulnerable drivers via their names only.

  • Service Registry Key Read Access Request

    Sep 29, 2023 · attack.defense_evasion attack.persistence attack.privilege_escalation attack.t1574.011

    Detects "read access" requests on the services registry key. Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts.

  • Invalid PIM License

    Sep 14, 2023 · attack.t1078 attack.persistence attack.privilege_escalation

    Identifies when an organization doesn't have the proper license for PIM and is out of compliance.

  • Roles Activated Too Frequently

    Sep 14, 2023 · attack.t1078 attack.persistence attack.privilege_escalation

    Identifies when the same privilege role has multiple activations by the same user.

  • Roles Activation Doesn't Require MFA

    Sep 14, 2023 · attack.t1078 attack.persistence attack.privilege_escalation

    Identifies when a privilege role can be activated without performing MFA.

  • Roles Are Not Being Used

    Sep 14, 2023 · attack.t1078 attack.persistence attack.privilege_escalation

    Identifies when a user has been assigned a privilege role and is not using that role.

  • Roles Assigned Outside PIM

    Sep 14, 2023 · attack.t1078 attack.persistence attack.privilege_escalation

    Identifies when a privilege role assignment has taken place outside of PIM and may indicate an attack.

  • Stale Accounts In A Privileged Role

    Sep 14, 2023 · attack.t1078 attack.persistence attack.privilege_escalation

    Identifies when an account hasn't signed in during the past n number of days.

  • Too Many Global Admins

    Sep 14, 2023 · attack.t1078 attack.persistence attack.privilege_escalation

    Identifies an event where there are too many accounts assigned the Global Administrator role.

  • Azure AD Threat Intelligence

    Sep 11, 2023 · attack.t1078 attack.persistence attack.defense_evasion attack.privilege_escalation attack.initial_access

    Indicates user activity that is unusual for the user or consistent with known attack patterns.

  • VMMap Signed Dbghelp.DLL Potential Sideloading

    Sep 7, 2023 · attack.defense_evasion attack.persistence attack.privilege_escalation attack.t1574.001 attack.t1574.002

    Detects potential DLL sideloading of a signed dbghelp.dll by the Sysinternals VMMap.

  • VMMap Unsigned Dbghelp.DLL Potential Sideloading

    Sep 7, 2023 · attack.defense_evasion attack.persistence attack.privilege_escalation attack.t1574.001 attack.t1574.002

    Detects potential DLL sideloading of an unsigned dbghelp.dll by the Sysinternals VMMap.

  • Activity From Anonymous IP Address

    Sep 6, 2023 · attack.t1078 attack.persistence attack.defense_evasion attack.privilege_escalation attack.initial_access

    Identifies that users were active from an IP address that has been identified as an anonymous proxy IP address.

  • Atypical Travel

    calendar Sep 6, 2023 · attack.t1078 attack.persistence attack.defense_evasion attack.privilege_escalation attack.initial_access  ·
    Share on: twitter facebook linkedin copy

    Identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior.


    Read More
  • New Country

    calendar Sep 6, 2023 · attack.t1078 attack.persistence attack.defense_evasion attack.privilege_escalation attack.initial_access  ·
    Share on: twitter facebook linkedin copy

    Detects sign-ins from new countries. The detection considers past activity locations to determine new and infrequent locations.


    Read More
  • Suspicious Browser Activity

    calendar Sep 6, 2023 · attack.t1078 attack.persistence attack.defense_evasion attack.privilege_escalation attack.initial_access  ·
    Share on: twitter facebook linkedin copy

    Indicates anomalous behavior based on suspicious sign-in activity across multiple tenants from different countries in the same browser


    Read More
  • Unfamiliar Sign-In Properties

    calendar Sep 6, 2023 · attack.t1078 attack.persistence attack.defense_evasion attack.privilege_escalation attack.initial_access  ·
    Share on: twitter facebook linkedin copy

    Detects sign-in with properties that are unfamiliar to the user. The detection considers past sign-in history to look for anomalous sign-ins.


    Read More
  • Network Connections Where There Should Not Be (Notepad)

    Sep 1, 2023 · attack.privilege_escalation attack.t1055

    Looks for network connections from Notepad. Inspired by the 2022 Red Canary Threat Detection Report.

  • Suspicious 'Admin' Local User Creation with Net Command

    Sep 1, 2023 · attack.persistence attack.privilege_escalation attack.t1136.001 attack.t1136 attack.t1078 attack.t1078.003

    Detects creation of a local user account using the net command with 'Admin' in the name. This technique is used by the Vice Society ransomware gang to create bogus user accounts that attempt to blend in with an administrative user account naming convention.

  • HackTool - CrackMapExec Execution

    Aug 28, 2023 · attack.execution attack.persistence attack.privilege_escalation attack.credential_access attack.discovery attack.t1047 attack.t1053 attack.t1059.003 attack.t1059.001 attack.t1110 attack.t1201

    This rule detects common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.

  • Suspicious Child Process Of Wermgr.EXE

    Aug 28, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1055 attack.t1036

    Detects suspicious child processes of the Windows Error Reporting manager (wermgr.exe).

  • User Added To Admin Group Via Sysadminctl

    Aug 22, 2023 · attack.initial_access attack.privilege_escalation attack.t1078.003

    Detects attempts to create an account and add it to the admin group via "sysadminctl".

  • Potential CVE-2023-21554 QueueJumper Exploitation

    Aug 18, 2023 · attack.privilege_escalation attack.execution cve.2023.21554 detection.emerging_threats

    Detects potential exploitation of CVE-2023-21554 (dubbed QueueJumper).

  • Unsigned Mfdetours.DLL Sideloading

    Aug 18, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1574.001 attack.t1574.002

    Detects DLL sideloading of an unsigned "mfdetours.dll". Executing "mftrace.exe" can be abused to attach to an arbitrary process and force it to load any DLL named "mfdetours.dll" from the current directory of execution.

  • Bypass UAC Using DelegateExecute

    Aug 17, 2023 · attack.privilege_escalation attack.defense_evasion attack.t1548.002

    Detects a User Account Control (UAC) bypass that uses a fileless method.

  • Bypass UAC Using SilentCleanup Task

    Aug 17, 2023 · attack.privilege_escalation attack.defense_evasion attack.t1548.002

    There is an auto-elevated scheduled task called SilentCleanup that runs %windir%\system32\cleanmgr.exe. This can be abused to run any file with Administrator privileges without prompting UAC.

  • CobaltStrike Service Installations in Registry

    Aug 17, 2023 · attack.execution attack.privilege_escalation attack.lateral_movement attack.t1021.002 attack.t1543.003 attack.t1569.002

    Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or moves laterally. This can also be caught via System log event 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml). In some SIEMs those events can also be caught under HKLM\System\ControlSet001\Services or HKLM\System\ControlSet002\Services; however, this rule is based on regular Sysmon events.

  • Disable UAC Using Registry

    Aug 17, 2023 · attack.privilege_escalation attack.defense_evasion attack.t1548.002

    Detects when an attacker tries to disable User Account Control (UAC) by changing its registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA from 1 to 0.

  • Modify User Shell Folders Startup Value

    Aug 17, 2023 · attack.persistence attack.privilege_escalation attack.t1547.001

    Detects modification of the Startup key to a path where a payload could be stored to be launched during startup.

  • ServiceDll Hijack

    Aug 17, 2023 · attack.persistence attack.privilege_escalation attack.t1543.003

    Detects changes to the "ServiceDLL" value related to a service in the registry. This is often used as a method of persistence.

  • Set TimeProviders DllName

    Aug 17, 2023 · attack.persistence attack.privilege_escalation attack.t1547.003

    Detects processes setting a new DLL in the DllName value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider. Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains.

  • Suspicious Printer Driver Empty Manufacturer

    Aug 17, 2023 · attack.privilege_escalation attack.t1574 cve.2021.1675

    Detects a suspicious printer driver installation with an empty Manufacturer value.

  • UAC Bypass Abusing Winsat Path Parsing - Registry

    Aug 17, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1548.002

    Detects the pattern of a UAC bypass using a path parsing issue in winsat.exe (UACMe 52).

  • UAC Bypass Using Windows Media Player - Registry

    Aug 17, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1548.002

    Detects the pattern of a UAC bypass using Windows Media Player osksupport.dll (UACMe 32).

  • UAC Bypass via Sdclt

    Aug 17, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1548.002 car.2019-04-001

    Detects the pattern of a UAC bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53).

  • CobaltStrike Named Pipe

    Aug 7, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1055

    Detects the creation of a named pipe as used by CobaltStrike.

  • CobaltStrike Named Pipe Pattern Regex

    Aug 7, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1055

    Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles.

  • HackTool - DiagTrackEoP Default Named Pipe

    Aug 7, 2023 · attack.privilege_escalation

    Detects creation of the default named pipe used by the DiagTrackEoP POC, a tool that abuses the "SeImpersonate" privilege.

  • HackTool - Koh Default Named Pipe

    Aug 7, 2023 · attack.privilege_escalation attack.credential_access attack.t1528 attack.t1134.001

    Detects creation of the default named pipes used by the Koh tool.

  • Potential AVKkid.DLL Sideloading

    Aug 3, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1574.001 attack.t1574.002

    Detects potential DLL sideloading of "AVKkid.dll".

  • Potential EACore.DLL Sideloading

    Aug 3, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1574.001 attack.t1574.002

    Detects potential DLL sideloading of "EACore.dll".

  • Potential Mfdetours.DLL Sideloading

    Aug 3, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1574.001 attack.t1574.002

    Detects potential DLL sideloading of "mfdetours.dll". "mftrace.exe" can be abused to attach to an arbitrary process and force it to load any DLL named "mfdetours.dll" from the current directory of execution.

  • Potential Vivaldi_elf.DLL Sideloading

    Aug 3, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1574.001 attack.t1574.002

    Detects potential DLL sideloading of "vivaldi_elf.dll".

  • Potential Shim Database Persistence via Sdbinst.EXE

    Aug 1, 2023 · attack.persistence attack.privilege_escalation attack.t1546.011

    Detects installation of a new shim using sdbinst.exe. Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.

  • Potential CCleanerDU.DLL Sideloading

    Jul 24, 2023 · attack.defense_evasion attack.persistence attack.privilege_escalation attack.t1574.001 attack.t1574.002

    Detects potential DLL sideloading of "CCleanerDU.dll".

  • Potential CCleanerReactivator.DLL Sideloading

    Jul 20, 2023 · attack.defense_evasion attack.persistence attack.privilege_escalation attack.t1574.001 attack.t1574.002

    Detects potential DLL sideloading of "CCleanerReactivator.dll".

  • Explorer UAC Bypass Via /NOUACCHECK Parameter

    Jul 17, 2023 · attack.privilege_escalation attack.T1548.002

    Detects a possible attempt to circumvent User Account Control (UAC) by executing Windows Explorer to spawn a command line interpreter process without triggering UAC prompts.

  • Potential appverifUI.DLL Sideloading

    Jul 13, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1574.001 attack.t1574.002

    Detects potential DLL sideloading of "appverifUI.dll".

  • UAC Bypass Via Wsreset

    Jun 21, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1548.002

    Detects an unfixed UAC bypass method on Windows 10 that abuses WSReset.exe, a file associated with the Windows Store. It will run a binary referenced from a low-privilege registry location.

  • APT PRIVATELOG Image Load Pattern

    Jun 20, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1055 detection.emerging_threats

    Detects an image load pattern as seen when a tool named PRIVATELOG is used, which is rarely observed under legitimate circumstances.

  • Exploiting CVE-2019-1388

    Jun 20, 2023 · attack.privilege_escalation attack.t1068 cve.2019.1388 detection.emerging_threats

    Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM.

  • Exploiting SetupComplete.cmd CVE-2019-1378

    Jun 20, 2023 · attack.privilege_escalation attack.t1068 attack.execution attack.t1059.003 attack.t1574 cve.2019.1378 detection.emerging_threats

    Detects an exploitation attempt of the privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378.

  • Moriya Rootkit File Created

    Jun 20, 2023 · attack.persistence attack.privilege_escalation attack.t1543.003 detection.emerging_threats

    Detects the creation of a file named "MoriyaStreamWatchmen.sys" in a specific location. This filename was reported to be related to the Moriya rootkit as described in Securelist's Operation TunnelSnake report.

  • Potential BearLPE Exploitation

    Jun 20, 2023 · attack.privilege_escalation attack.t1053.005 car.2013-08-001 detection.emerging_threats

    Detects potential exploitation of the BearLPE exploit using the Task Scheduler ".job" import arbitrary DACL write.

  • Potential Dridex Activity

    Jun 20, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1055 attack.discovery attack.t1135 attack.t1033 detection.emerging_threats

    Detects potential Dridex activity via specific process patterns.

  • Potential SystemNightmare Exploitation Attempt

    Jun 20, 2023 · attack.privilege_escalation attack.t1068 detection.emerging_threats

    Detects an exploitation attempt of SystemNightmare in order to obtain a shell as LOCAL_SYSTEM.

  • SOURGUM Actor Behaviours

    Jun 20, 2023 · attack.t1546 attack.t1546.015 attack.persistence attack.privilege_escalation detection.emerging_threats

    Detects suspicious behaviours related to an actor tracked by Microsoft as SOURGUM.

  • Suspicious RazerInstaller Explorer Subprocess

    Jun 20, 2023 · attack.privilege_escalation attack.t1553 detection.emerging_threats

    Detects an explorer.exe subprocess of the RazerInstaller software, which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM.

  • Potential Waveedit.DLL Sideloading

    Jun 15, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1574.001 attack.t1574.002

    Detects potential DLL sideloading of "waveedit.dll", which is part of the Nero WaveEditor audio editing software.

  • CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module

    Jun 14, 2023 · attack.privilege_escalation

    Detects loaded kernel modules that did not meet the WHQL signing requirements.

  • CodeIntegrity - Blocked Driver Load With Revoked Certificate

    Jun 13, 2023 · attack.privilege_escalation attack.t1543

    Detects blocked load attempts of revoked drivers.

  • CodeIntegrity - Blocked Image Load With Revoked Certificate

    Jun 13, 2023 · attack.privilege_escalation

    Detects image load events blocked by Code Integrity because of revoked certificates.

  • CodeIntegrity - Disallowed File For Protected Processes Has Been Blocked

    Jun 13, 2023 · attack.privilege_escalation

    Detects block events for files that are disallowed by Code Integrity for protected processes.

  • CodeIntegrity - Revoked Image Loaded

    Jun 13, 2023 · attack.privilege_escalation

    Detects image load events reported by Code Integrity for images with revoked certificates.

  • CodeIntegrity - Revoked Kernel Driver Loaded

    Jun 13, 2023 · attack.privilege_escalation

    Detects the load of a revoked kernel driver.

  • CodeIntegrity - Unsigned Image Loaded

    Jun 13, 2023 · attack.privilege_escalation

    Detects an unsigned image loaded on the system.

  • CodeIntegrity - Unsigned Kernel Module Loaded

    Jun 13, 2023 · attack.privilege_escalation

    Detects the presence of a loaded unsigned kernel module on the system.

  • Potential Edputil.DLL Sideloading

    Jun 11, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1574.001 attack.t1574.002

    Detects potential DLL sideloading of "edputil.dll".

  • Potential 7za.DLL Sideloading

    Jun 11, 2023 · attack.defense_evasion attack.persistence attack.privilege_escalation attack.t1574.001 attack.t1574.002

    Detects potential DLL sideloading of "7za.dll".

  • Potential RjvPlatform.DLL Sideloading From Default Location

    Jun 11, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1574.001 attack.t1574.002

    Detects loading of "RjvPlatform.dll" by the "SystemResetPlatform.exe" binary, which can be abused as a method of DLL sideloading since the "$SysReset" directory isn't created by default.

  • Potential RjvPlatform.DLL Sideloading From Non-Default Location

    Jun 11, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1574.001 attack.t1574.002

    Detects potential DLL sideloading of "RjvPlatform.dll" by a "SystemResetPlatform.exe" located in a non-default location.

  • CodeIntegrity - Blocked Image/Driver Load For Policy Violation

    Jun 9, 2023 · attack.privilege_escalation attack.t1543

    Detects blocked load events that did not meet the Authenticode signing level requirements or violated the code integrity policy.

  • Potential Persistence Via GlobalFlags

    Jun 5, 2023 · attack.privilege_escalation attack.persistence attack.defense_evasion attack.t1546.012 car.2013-01-002

    Detects a registry persistence technique using the GlobalFlags and SilentProcessExit keys.

  • Potential SmadHook.DLL Sideloading

    Jun 2, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1574.001 attack.t1574.002

    Detects potential DLL sideloading of "SmadHook.dll", a DLL used by SmadAV antivirus.

  • Potential Goopdate.DLL Sideloading

    May 20, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1574.001 attack.t1574.002

    Detects potential DLL sideloading of "goopdate.dll", a DLL used by googleupdate.exe.

  • LiveKD Driver Creation

    May 17, 2023 · attack.defense_evasion attack.privilege_escalation

    Detects the creation of the LiveKD driver, which is used for live kernel debugging.

  • LiveKD Driver Creation By Uncommon Process

    May 17, 2023 · attack.defense_evasion attack.privilege_escalation

    Detects the creation of the LiveKD driver by a process image other than "livekd.exe".

  • LiveKD Kernel Memory Dump File Created

    May 17, 2023 · attack.defense_evasion attack.privilege_escalation

    Detects the creation of a file that has the same name as the default LiveKD kernel memory dump.

  • Windows Kernel Debugger Execution

    May 17, 2023 · attack.defense_evasion attack.privilege_escalation

    Detects execution of the Windows Kernel Debugger "kd.exe".

  • Potential RoboForm.DLL Sideloading

    May 15, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1574.001 attack.t1574.002

    Detects potential DLL sideloading of "roboform.dll", a DLL used by RoboForm Password Manager.

  • Potential Chrome Frame Helper DLL Sideloading

    May 15, 2023 · attack.defense_evasion attack.persistence attack.privilege_escalation attack.t1574.001 attack.t1574.002

    Detects potential DLL sideloading of "chrome_frame_helper.dll".

  • Potential Wazuh Security Platform DLL Sideloading

    May 15, 2023 · attack.defense_evasion attack.persistence attack.privilege_escalation attack.t1574.001 attack.t1574.002

    Detects potential DLL sideloading of DLLs that are part of the Wazuh security platform.

  • PSEXEC Remote Execution File Artefact

    May 15, 2023 · attack.lateral_movement attack.privilege_escalation attack.execution attack.persistence attack.t1136.002 attack.t1543.003 attack.t1570 attack.s0029

    Detects creation of the PsExec key file, which is created any time a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system.

  • PUA - Process Hacker Driver Load

    May 15, 2023 · attack.privilege_escalation cve.2021.21551 attack.t1543

    Detects the driver load of the Process Hacker tool.

  • PUA - System Informer Driver Load

    May 15, 2023 · attack.privilege_escalation attack.t1543

    Detects the driver load of the System Informer tool.

  • Find Binary Searching for Executables with Setuid or Setguid Bit (RedCanary Threat Detection Report)

    May 10, 2023 · attack.privilege_escalation attack.t1548.001

    Detects searches for setuid or setgid binaries. This rule looks specifically for execution of the find binary searching for executables with the setuid or setgid bit set. Part of the RedCanary 2023 Threat Detection Report.

  • Potential Gamarue DLL Filename (RedCanary Threat Detection Report)

    May 10, 2023 · attack.privilege_escalation attack.t1055.001

    Detects the Gamarue DLL filename in command line strings. Part of the RedCanary 2023 Threat Detection Report.

  • Powershell Injecting Into Anything (RedCanary Threat Detection Report)

    May 10, 2023 · attack.privilege_escalation attack.t1055

    Detects instances of PowerShell accessing any other process. Part of the RedCanary 2023 Threat Detection Report.

  • Process Executing Sans Command Line (RedCanary Threat Detection Report)

    May 10, 2023 · attack.privilege_escalation attack.t1055

    Detects processes running without command lines, which can indicate process injection. Part of the RedCanary 2023 Threat Detection Report.

  • Suspicious Network Connections (RedCanary Threat Detection Report)

    May 10, 2023 · attack.privilege_escalation attack.t1055

    Detects Notepad making network connections, a potential process injection signal. Part of the RedCanary 2023 Threat Detection Report.

  • Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE

    May 9, 2023 · attack.defense_evasion attack.persistence attack.privilege_escalation attack.t1574.001 attack.t1574.002

    Detects potential DLL sideloading of "libcurl.dll" by the "gup.exe" process from an uncommon location.

  • Potential Persistence Via PowerShell User Profile Using Add-Content

    May 9, 2023 · attack.persistence attack.privilege_escalation attack.t1546.013

    Detects calls to the "Add-Content" cmdlet that modify the content of the PowerShell user profile, potentially adding suspicious commands for persistence.

  • Suspicious Child Process Of SQL Server

    May 9, 2023 · attack.t1505.003 attack.t1190 attack.initial_access attack.persistence attack.privilege_escalation

    Detects suspicious child processes of the SQL Server process. This could indicate potential RCE or SQL injection.

  • Suspicious Child Process Of Veeam Database

    May 9, 2023 · attack.initial_access attack.persistence attack.privilege_escalation

    Detects suspicious child processes of the Veeam service process. This could indicate potential RCE or SQL injection.

  • Potential SolidPDFCreator.DLL Sideloading

    May 8, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1574.001 attack.t1574.002

    Detects potential DLL sideloading of "SolidPDFCreator.dll".

  • Process Explorer Driver Creation By Non-Sysinternals Binary

    May 5, 2023 · attack.persistence attack.privilege_escalation attack.t1068

    Detects creation of the Process Explorer drivers by processes other than Process Explorer (procexp) itself. Hack tools or malware may use the Process Explorer driver to elevate privileges: they drop it to disk for a few moments, run a service using that driver and remove it afterwards.

  • Process Monitor Driver Creation By Non-Sysinternals Binary

    May 5, 2023 · attack.persistence attack.privilege_escalation attack.t1068

    Detects creation of the Process Monitor driver by processes other than Process Monitor (procmon) itself.

  • Potential DLL Sideloading Of DBGCORE.DLL

    May 5, 2023 · attack.defense_evasion attack.persistence attack.privilege_escalation attack.t1574.001 attack.t1574.002

    Detects DLL sideloading of "dbgcore.dll".

  • Potential DLL Sideloading Of DBGHELP.DLL

    May 5, 2023 · attack.defense_evasion attack.persistence attack.privilege_escalation attack.t1574.001 attack.t1574.002

    Detects DLL sideloading of "dbghelp.dll".

  • Standard User In High Privileged Group

    May 5, 2023 · attack.credential_access attack.privilege_escalation

    Detects logins of standard users that are members of highly privileged groups such as the Administrators group.

  • Remote WMI ActiveScriptEventConsumers

    May 2, 2023 · attack.lateral_movement attack.privilege_escalation attack.persistence attack.t1546.003

    Detects potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network.

  • CVE-2021-3156 Exploitation Attempt

    calendar Apr 21, 2023 · attack.privilege_escalation attack.t1068 cve.2021.3156  ·
    Share on: twitter facebook linkedin copy

    Detects exploitation attempt of vulnerability described in CVE-2021-3156. Alternative approach might be to look for flooding of auditd logs due to bruteforcing required to trigger the heap-based buffer overflow.


    Read More
  • CVE-2021-3156 Exploitation Attempt Bruteforcing

    calendar Apr 21, 2023 · attack.privilege_escalation attack.t1068 cve.2021.3156  ·
    Share on: twitter facebook linkedin copy

    Detects exploitation attempt of vulnerability described in CVE-2021-3156. Alternative approach might be to look for flooding of auditd logs due to bruteforcing. required to trigger the heap-based buffer overflow.


    Read More
  • Detection of Possible Rotten Potato

    calendar Apr 21, 2023 · attack.privilege_escalation attack.t1134 attack.t1134.002  ·
    Share on: twitter facebook linkedin copy

    Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE privileges


    Read More
  • Disabled Users Failing To Authenticate From Source Using Kerberos

    calendar Apr 21, 2023 · attack.t1110.003 attack.initial_access attack.privilege_escalation  ·
    Share on: twitter facebook linkedin copy

    Detects failed logins with multiple disabled domain accounts from a single source system using the Kerberos protocol.


    Read More
  • Failed Logins with Different Accounts from Single Source System

    calendar Apr 21, 2023 · attack.persistence attack.privilege_escalation attack.t1078  ·
    Share on: twitter facebook linkedin copy

    Detects suspicious failed logins with different user accounts from a single source system


    Read More
  • Failed NTLM Logins with Different Accounts from Single Source System

    calendar Apr 21, 2023 · attack.persistence attack.privilege_escalation attack.t1078  ·
    Share on: twitter facebook linkedin copy

    Detects suspicious failed logins with different user accounts from a single source system


    Read More
  • Invalid Users Failing To Authenticate From Single Source Using NTLM

    calendar Apr 21, 2023 · attack.t1110.003 attack.initial_access attack.privilege_escalation  ·
    Share on: twitter facebook linkedin copy

    Detects failed logins with multiple invalid domain accounts from a single source system using the NTLM protocol.


    Read More
  • Invalid Users Failing To Authenticate From Source Using Kerberos

    Apr 21, 2023 · attack.t1110.003 attack.initial_access attack.privilege_escalation

    Detects failed logins with multiple invalid domain accounts from a single source system using the Kerberos protocol.

  • Malicious Service Installations

    Apr 21, 2023 · attack.persistence attack.privilege_escalation attack.t1003 attack.t1035 attack.t1050 car.2013-09-005 attack.t1543.003 attack.t1569.002

    Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.

  • Meterpreter or Cobalt Strike Getsystem Service Installation

    Apr 21, 2023 · attack.privilege_escalation attack.t1134.001 attack.t1134.002

    Detects the use of the getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation

  • MSI Spawned Cmd and Powershell Spawned Processes

    Apr 21, 2023 · attack.privilege_escalation attack.t1548.002

    This rule looks for the Windows Installer service (msiexec.exe) spawning a command line and/or PowerShell process that in turn spawns other processes

  • Multiple Users Failing to Authenticate from Single Process

    Apr 21, 2023 · attack.t1110.003 attack.initial_access attack.privilege_escalation

    Detects failed logins with multiple accounts from a single process on the system.

  • Multiple Users Remotely Failing To Authenticate From Single Source

    Apr 21, 2023 · attack.t1110.003 attack.initial_access attack.privilege_escalation

    Detects a source system failing to authenticate against a remote host with multiple users.

  • OMIGOD SCX RunAsProvider ExecuteScript

    Apr 21, 2023 · attack.privilege_escalation attack.initial_access attack.execution attack.t1068 attack.t1190 attack.t1203

    Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell. The script being executed gets created as a temp file in the /tmp folder with an scx* prefix. It is then invoked from the directory /etc/opt/microsoft/scx/conf/tmpdir/, where the file has the same scx* prefix. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.

  • Password Spraying via Explicit Credentials

    Apr 21, 2023 · attack.t1110.003 attack.initial_access attack.privilege_escalation

    Detects a single user failing to authenticate to multiple users using explicit credentials.

  • Valid Users Failing to Authenticate From Single Source Using Kerberos

    Apr 21, 2023 · attack.t1110.003 attack.initial_access attack.privilege_escalation

    Detects multiple failed logins with multiple valid domain accounts from a single source system using the Kerberos protocol.

  • Valid Users Failing to Authenticate from Single Source Using NTLM

    Apr 21, 2023 · attack.t1110.003 attack.initial_access attack.privilege_escalation

    Detects failed logins with multiple valid domain accounts from a single source system using the NTLM protocol.

  • Windows Kernel and 3rd-Party Drivers Exploits Token Stealing

    Apr 21, 2023 · attack.privilege_escalation attack.t1068

    Detection of child processes spawned with SYSTEM privileges by parents with non-SYSTEM privileges and Medium integrity level

  • Potential Libvlc.DLL Sideloading

    Apr 17, 2023 · attack.defense_evasion attack.persistence attack.privilege_escalation attack.t1574.001 attack.t1574.002

    Detects potential DLL sideloading of "libvlc.dll", a DLL that is legitimately used by "VLC.exe"

  • CobaltStrike Service Installations - System

    Apr 14, 2023 · attack.execution attack.privilege_escalation attack.lateral_movement attack.t1021.002 attack.t1543.003 attack.t1569.002

    Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement

  • ProcessHacker Privilege Elevation

    Apr 14, 2023 · attack.execution attack.privilege_escalation attack.t1543.003 attack.t1569.002

    Detects a ProcessHacker tool that elevated privileges to a very high level

  • Service Installation with Suspicious Folder Pattern

    Apr 14, 2023 · attack.persistence attack.privilege_escalation car.2013-09-005 attack.t1543.003

    Detects service installation with suspicious folder patterns

  • Vulnerable Netlogon Secure Channel Connection Allowed

    Apr 14, 2023 · attack.privilege_escalation attack.t1548

    Detects that a vulnerable Netlogon secure channel connection was allowed, which could be an indicator of CVE-2020-1472.

  • Potential Iviewers.DLL Sideloading

    Apr 12, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1574.001 attack.t1574.002

    Detects potential DLL sideloading of "iviewers.dll" (OLE/COM Object Interface Viewer)

  • Potential Rcdll.DLL Sideloading

    Apr 12, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1574.001 attack.t1574.002

    Detects potential DLL sideloading of rcdll.dll

  • CMSTP UAC Bypass via COM Object Access

    Apr 11, 2023 · attack.execution attack.defense_evasion attack.privilege_escalation attack.t1548.002 attack.t1218.003 attack.g0069 car.2019-04-001

    Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)

  • Always Install Elevated Windows Installer

    Apr 3, 2023 · attack.privilege_escalation attack.t1548.002

    Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privileges

  • Aruba Network Service Potential DLL Sideloading

    Mar 15, 2023 · attack.privilege_escalation attack.persistence attack.t1574.001 attack.t1574.002

    Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking

  • Microsoft Office DLL Sideload

    Mar 15, 2023 · attack.defense_evasion attack.persistence attack.privilege_escalation attack.t1574.001 attack.t1574.002

    Detects DLL sideloading of DLLs that are part of Microsoft Office from a non-standard location

  • Important Scheduled Task Deleted/Disabled

    Mar 14, 2023 · attack.execution attack.privilege_escalation attack.persistence attack.t1053.005

    Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities

  • Potential Antivirus Software DLL Sideloading

    Mar 13, 2023 · attack.defense_evasion attack.persistence attack.privilege_escalation attack.t1574.001 attack.t1574.002

    Detects potential DLL sideloading of DLLs that are part of antivirus software such as McAfee, Symantec, etc.

  • Interactive AT Job

    Mar 10, 2023 · attack.privilege_escalation attack.t1053.002

    Detects an interactive AT job, which may be used as a form of privilege escalation.

  • Sticky Key Like Backdoor Execution

    Mar 7, 2023 · attack.privilege_escalation attack.persistence attack.t1546.008 car.2014-11-003 car.2014-11-008

    Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen

  • HackTool - Default PowerSploit/Empire Scheduled Task Creation

    Mar 7, 2023 · attack.execution attack.persistence attack.privilege_escalation attack.s0111 attack.g0022 attack.g0060 car.2013-08-001 attack.t1053.005 attack.t1059.001

    Detects the creation of a schtask via PowerSploit or Empire Default Configuration.

  • Persistence Via Sticky Key Backdoor

    Mar 7, 2023 · attack.t1546.008 attack.privilege_escalation

    By replacing the sticky keys executable with the local admin's CMD executable, an attacker is able to access a privileged Windows console session without authenticating to the system. When the sticky keys are "activated" the privileged shell is launched.

  • Potential Meterpreter/CobaltStrike Activity

    Mar 5, 2023 · attack.privilege_escalation attack.t1134.001 attack.t1134.002

    Detects the use of the getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting

  • Potential Privilege Escalation via Service Permissions Weakness

    Mar 5, 2023 · attack.privilege_escalation attack.t1574.011

    Detects modification of service configuration (ImagePath, FailureCommand and ServiceDLL) in the registry by processes with Medium integrity level

  • Suspicious Child Process Created as System

    Mar 5, 2023 · attack.privilege_escalation attack.t1134.002

    Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE accounts

  • Suspicious Debugger Registration Cmdline

    Mar 5, 2023 · attack.persistence attack.privilege_escalation attack.t1546.008

    Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).

  • Suspicious NTLM Authentication on the Printer Spooler Service

    Mar 2, 2023 · attack.privilege_escalation attack.credential_access attack.t1212

    Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service

  • Security Privileges Enumeration Via Whoami.EXE

    Feb 28, 2023 · attack.privilege_escalation attack.discovery attack.t1033

    Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt.

  • Service Security Descriptor Tampering Via Sc.EXE

    Feb 28, 2023 · attack.persistence attack.defense_evasion attack.privilege_escalation attack.t1574.011

    Detection of the sc.exe utility adding a new service with special permissions that hide that service.

  • Suspicious Whoami.EXE Execution From Privileged Process

    Feb 28, 2023 · attack.privilege_escalation attack.discovery attack.t1033

    Detects the execution of "whoami.exe" by privileged accounts that are often abused by threat actors

  • User Added to Local Administrators

    Feb 27, 2023 · attack.privilege_escalation attack.t1078 attack.persistence attack.t1098

    This rule triggers on user accounts that are added to the local Administrators group, which could be legitimate activity or a sign of privilege escalation activity

  • HackTool - Empire PowerShell UAC Bypass

    Feb 21, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1548.002 car.2019-04-001

    Detects some Empire PowerShell UAC bypass methods

  • New Service Creation Using PowerShell

    Feb 21, 2023 · attack.persistence attack.privilege_escalation attack.t1543.003

    Detects the creation of a new service using PowerShell.

  • New Service Creation Using Sc.EXE

    Feb 21, 2023 · attack.persistence attack.privilege_escalation attack.t1543.003

    Detects the creation of a new service using the "sc.exe" utility.

  • Regedit as Trusted Installer

    Feb 21, 2023 · attack.privilege_escalation attack.t1548

    Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe

  • Suspicious Service Path Modification

    Feb 21, 2023 · attack.persistence attack.privilege_escalation attack.t1543.003

    Detects service path modification via the "sc" binary to a suspicious command or path

  • Potential PrintNightmare Exploitation Attempt

    Feb 20, 2023 · attack.persistence attack.defense_evasion attack.privilege_escalation attack.t1574 cve.2021.1675

    Detects DLL deletions from the Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675

  • Powerup Write Hijack DLL

    Feb 17, 2023 · attack.persistence attack.privilege_escalation attack.defense_evasion attack.t1574.001

    The Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation. In its default mode, it builds a self-deleting .bat file which executes a malicious command. The detection rule relies on the creation of the malicious bat file (debug.bat by default).

  • HackTool - LocalPotato Execution

    Feb 14, 2023 · attack.defense_evasion attack.privilege_escalation cve.2023.21746

    Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples

  • Possible Privilege Escalation via Weak Service Permissions

    Feb 14, 2023 · attack.persistence attack.defense_evasion attack.privilege_escalation attack.t1574.011

    Detection of the sc.exe utility being spawned by a user with Medium integrity level to change a service's ImagePath or FailureCommand

  • Potential UAC Bypass Via Sdclt.EXE

    Feb 14, 2023 · attack.privilege_escalation attack.defense_evasion attack.t1548.002

    A general detection for sdclt being spawned as an elevated process. This could be an indicator of sdclt being used for UAC bypass techniques.

  • PUA - Wsudo Suspicious Execution

    Feb 13, 2023 · attack.execution attack.privilege_escalation attack.t1059

    Detects usage of wsudo (Windows Sudo Utility), a tool that lets the user execute programs with different permissions (System, Trusted Installer, Administrator, etc.)

  • UAC Bypass Tools Using ComputerDefaults

    Feb 13, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1548.002

    Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)

  • UAC Bypass Using Event Viewer RecentViews

    Feb 13, 2023 · attack.defense_evasion attack.privilege_escalation

    Detects the pattern of UAC Bypass using Event Viewer RecentViews

  • Rundll32 Registered COM Objects

    Feb 9, 2023 · attack.privilege_escalation attack.persistence attack.t1546.015

    Detects rundll32 being used to load malicious registered COM objects

  • HackTool - Impersonate Execution

    Feb 8, 2023 · attack.privilege_escalation attack.defense_evasion attack.t1134.001 attack.t1134.003

    Detects execution of the Impersonate tool, which can be used to manipulate tokens on Windows computers remotely (PsExec/WmiExec) or interactively

  • SCM Database Privileged Operation

    Feb 7, 2023 · attack.privilege_escalation attack.t1548

    Detects non-system users performing privileged operations on the SCM database

  • Sdclt Child Processes

    Feb 7, 2023 · attack.privilege_escalation attack.t1548.002

    A general detection for sdclt spawning new processes. This could be an indicator of sdclt being used for UAC bypass techniques.

  • Buffer Overflow Attempts

    Feb 1, 2023 · attack.t1068 attack.privilege_escalation

    Detects buffer overflow attempts in Unix system log files

  • CobaltStrike Service Installations - Security

    Feb 1, 2023 · attack.execution attack.privilege_escalation attack.lateral_movement attack.t1021.002 attack.t1543.003 attack.t1569.002

    Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement

  • Code Injection by ld.so Preload

    Feb 1, 2023 · attack.persistence attack.privilege_escalation attack.t1574.006

    Detects the ld.so preload persistence file. See man ld.so for more information.

  • Malicious Service Installations

    Feb 1, 2023 · attack.persistence attack.privilege_escalation attack.t1003 car.2013-09-005 attack.t1543.003 attack.t1569.002

    Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.

  • Possible Coin Miner CPU Priority Param

    Feb 1, 2023 · attack.privilege_escalation attack.t1068

    Detects a command line parameter very often used with coin miners

  • PowerShell ShellCode

    Feb 1, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1055 attack.execution attack.t1059.001

    Detects Base64-encoded shellcode

  • Shell Open Registry Keys Manipulation

    Feb 1, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1548.002 attack.t1546.001

    Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)

  • Suspicious Driver Load from Temp

    Feb 1, 2023 · attack.persistence attack.privilege_escalation attack.t1543.003

    Detects a driver load from a temporary directory

  • UAC Bypass Abusing Winsat Path Parsing - File

    Feb 1, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1548.002

    Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)

  • UAC Bypass Abusing Winsat Path Parsing - Process

    Feb 1, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1548.002

    Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)

  • UAC Bypass Using .NET Code Profiler on MMC

    Feb 1, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1548.002

    Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)

  • UAC Bypass Using ChangePK and SLUI

    Feb 1, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1548.002