attack.t1082

Suspicious Command Arguments from Explorer or Wermgr

Sep 1, 2023 · attack.discovery attack.t1082 ·
Share on:

Detects the suspicious command line arguments from potentially-injected versions of explorer or wermgr processes.

Read More
HackTool - PCHunter Execution

Aug 28, 2023 · attack.execution attack.discovery attack.t1082 attack.t1057 attack.t1012 attack.t1083 attack.t1007 ·
Share on:

Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff

Read More
PUA - System Informer Execution

Aug 28, 2023 · attack.persistence attack.privilege_escalation attack.discovery attack.defense_evasion attack.t1082 attack.t1564 attack.t1543 ·
Share on:

Detects the execution of System Informer, a task manager tool to view and manipulate processes, kernel options and other low level operations

Read More
Suspicious Kernel Dump Using Dtrace

Aug 28, 2023 · attack.discovery attack.t1082 ·
Share on:

Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1

Read More
Container Residence Discovery Via Proc Virtual FS

Aug 24, 2023 · attack.discovery attack.t1082 ·
Share on:

Detects potential container discovery via listing of certain kernel features in the "/proc" virtual filesystem

Read More
Docker Container Discovery Via Dockerenv Listing

Aug 24, 2023 · attack.discovery attack.t1082 ·
Share on:

Detects listing or file reading of ".dockerenv" which can be a sing of potential container discovery

Read More
Potential Container Discovery Via Inodes Listing

Aug 24, 2023 · attack.discovery attack.t1082 ·
Share on:

Detects listing of the inodes of the "/" directory to determin if the we are running inside of a container.

Read More
OS Architecture Discovery Via Grep

Jun 2, 2023 · attack.discovery attack.t1082 ·
Share on:

Detects the use of grep to identify information about the operating system architecture. Often combined beforehand with the execution of "uname" or "cat /proc/cpuinfo"

Read More
Potential GobRAT File Discovery Via Grep

Jun 2, 2023 · attack.discovery attack.t1082 ·
Share on:

Detects the use of grep to discover specific files created by the GobRAT malware

Read More
Potential System Information Discovery Via Wmic.EXE

May 5, 2023 · attack.discovery attack.t1082 ·
Share on:

Detects the use of the WMI command-line (WMIC) utility to identify and display various system information, including OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS, and GPU driver products/versions. Some of these commands were used by Aurora Stealer in late 2022/early 2023.

Read More
Domain User Enumeration Network Recon 01

Apr 21, 2023 · attack.discovery attack.t1087.002 attack.t1082 ·
Share on:

Domain user and group enumeration via network reconnaissance. Seen in APT 29 and other common tactics and actors. Detects a set of RPC (remote procedure calls) used to enumerate a domain controller. The rule was created based off the datasets and hackathon from https://github.com/OTRF/detection-hackathon-apt29

Read More
Reconnaissance Activity Using BuiltIn Commands

Apr 21, 2023 · attack.discovery attack.t1087 attack.t1082 car.2016-03-001 ·
Share on:

Detects execution of a set of builtin commands often used in recon stages by different attack groups

Read More
System Information Discovery - Auditd

Mar 27, 2023 · attack.discovery attack.t1082 ·
Share on:

Detects System Information Discovery commands

Read More
HackTool - winPEAS Execution

Mar 23, 2023 · attack.privilege_escalation attack.t1082 attack.t1087 attack.t1046 ·
Share on:

WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz

Read More
CMD Shell Output Redirect

Mar 7, 2023 · attack.discovery attack.t1082 ·
Share on:

Detects the use of the redirection character ">" to redicrect information in commandline

Read More
Potential Suspicious Activity Using SeCEdit

Mar 5, 2023 · attack.discovery attack.persistence attack.defense_evasion attack.credential_access attack.privilege_escalation attack.t1562.002 attack.t1547.001 attack.t1505.005 attack.t1556.002 attack.t1562 attack.t1574.007 attack.t1564.002 attack.t1546.008 attack.t1546.007 attack.t1547.014 attack.t1547.010 attack.t1547.002 attack.t1557 attack.t1082 ·
Share on:

Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy

Read More
Suspicious Execution of Hostname

Mar 5, 2023 · attack.discovery attack.t1082 ·
Share on:

Use of hostname to get information

Read More
Network Reconnaissance Activity

Mar 2, 2023 · attack.discovery attack.t1087 attack.t1082 car.2016-03-001 ·
Share on:

Detects a set of suspicious network related commands often used in recon stages

Read More
Suspicious Execution of Systeminfo

Mar 2, 2023 · attack.discovery attack.t1082 ·
Share on:

Detects usage of the "systeminfo" command to retrieve information

Read More
Suspicious Query of MachineGUID

Mar 2, 2023 · attack.discovery attack.t1082 ·
Share on:

Use of reg to get MachineGuid information

Read More
Driverquery Lookup

Jan 9, 2023 · attack.discovery attack.t1082 ·
Share on:

Detects use of driverquery to look up the installed and configured drivers as part of host discovery

Read More
Cisco Discovery

Jan 4, 2023 · attack.discovery attack.t1083 attack.t1201 attack.t1057 attack.t1018 attack.t1082 attack.t1016 attack.t1049 attack.t1033 attack.t1124 ·
Share on:

Find information about network devices that is not stored in config files

Read More
System and Hardware Information Discovery

Nov 27, 2022 · attack.discovery attack.t1082 ·
Share on:

Detects system information discovery commands

Read More
System Information Discovery

Oct 25, 2022 · attack.discovery attack.t1082 ·
Share on:

Detects system information discovery commands

Read More