Detects user permission data export attempt.

Read More

WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz

Read More

Detects the execution of WMIC in order to get a list of firewall, antivirus and antispywware products. Adversaries often enumerate security products installed on a system to identify security controls and potential ways to evade detection or disable protection mechanisms. This information helps them plan their next attack steps and choose appropriate techniques to bypass security measures.

Read More

Detects the execution of "sysctl" with specific arguments that have been used by threat actors and malware. It provides system hardware information. This process is primarily used to detect and avoid virtualization and analysis environments.

Read More

Detects user data export activity.

Read More

An adversary might use WMI to discover information about the system, such as the volume name, size, free space, and other disk information. This can be done using the wmic command-line utility and has been observed being used by threat actors such as Volt Typhoon.

Read More

Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff

Read More

Detects the execution of System Informer, a task manager tool to view and manipulate processes, kernel options and other low level operations

Read More

Detects the use of "ioreg" which will show I/O Kit registry information. This process is used for system information discovery. It has been observed in-the-wild by calling this process directly or using bash and grep to look for specific strings.

Read More

Detects the use of "sw_vers" for system information discovery

Read More

Detects the execution of "system_profiler" with specific "Data Types" that have been seen being used by threat actors and malware. It provides system hardware and software configuration information. This process is primarily used for system information discovery. However, "system_profiler" can also be used to determine if virtualization software is being run for defense evasion purposes.

Read More

Detects the use of the WMI command-line (WMIC) utility to identify and display various system information, including OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS, and GPU driver products/versions. Some of these commands were used by Aurora Stealer in late 2022/early 2023.

Read More

Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.

Read More

Detects scriptblock text keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.

Read More

Find information about network devices that is not stored in config files

Read More

Detects potential container discovery via listing of certain kernel features in the "/proc" virtual filesystem

Read More

Detects listing or file reading of ".dockerenv" which can be a sing of potential container discovery

Read More

Detects a set of suspicious network related commands often used in recon stages

Read More

Detects the use of grep to identify information about the operating system architecture. Often combined beforehand with the execution of "uname" or "cat /proc/cpuinfo"

Read More

Detects listing of the inodes of the "/" directory to determine if the we are running inside of a container.

Read More

Detects the use of grep to discover specific files created by the GobRAT malware

Read More

Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy

Read More

Use of hostname to get information

Read More

Detects usage of the "systeminfo" command to retrieve information

Read More

Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1

Read More

Use of reg to get MachineGuid information

Read More

Detects system information discovery commands

Read More

Detects system information discovery commands

Read More

Detects System Information Discovery commands

Read More

Detects use of driverquery to look up the installed and configured drivers as part of host discovery

Read More

Domain user and group enumeration via network reconnaissance. Seen in APT 29 and other common tactics and actors. Detects a set of RPC (remote procedure calls) used to enumerate a domain controller. The rule was created based off the datasets and hackathon from https://github.com/OTRF/detection-hackathon-apt29

Read More

Detects the suspicious command line arguments from potentially-injected versions of explorer or wermgr processes.

Read More

Detects execution of a set of builtin commands often used in recon stages by different attack groups

Read More