attack.t1106 | Detection.FYI

HackTool - HandleKatz Duplicating LSASS Handle

Apr 25, 2025 · attack.execution attack.t1106 attack.defense-evasion attack.t1003.001 attack.credential-access ·
Share on:

Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles

Read More
Potential WinAPI Calls Via CommandLine

Apr 7, 2025 · attack.execution attack.t1106 ·
Share on:

Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec

Read More
Potential Direct Syscall of NtOpenProcess

Nov 1, 2024 · attack.execution attack.t1106 ·
Share on:

Detects potential calls to NtOpenProcess directly from NTDLL.

Read More
HackTool - WinPwn Execution

Oct 1, 2024 · attack.credential-access attack.defense-evasion attack.discovery attack.execution attack.privilege-escalation attack.t1046 attack.t1082 attack.t1106 attack.t1518 attack.t1548.002 attack.t1552.001 attack.t1555 attack.t1555.003 ·
Share on:

Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.

Read More
HackTool - WinPwn Execution - ScriptBlock

Oct 1, 2024 · attack.credential-access attack.defense-evasion attack.discovery attack.execution attack.privilege-escalation attack.t1046 attack.t1082 attack.t1106 attack.t1518 attack.t1548.002 attack.t1552.001 attack.t1555 attack.t1555.003 ·
Share on:

Detects scriptblock text keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.

Read More
BPFDoor Abnormal Process ID or Lock File Accessed

Aug 12, 2024 · attack.execution attack.t1106 attack.t1059 ·
Share on:

detects BPFDoor .lock and .pid files access in temporary file storage facility

Read More
HackTool - CobaltStrike BOF Injection Pattern

Aug 12, 2024 · attack.execution attack.t1106 attack.defense-evasion attack.t1562.001 ·
Share on:

Detects a typical pattern of a CobaltStrike BOF which inject into other processes

Read More
HackTool - RedMimicry Winnti Playbook Execution

Aug 12, 2024 · attack.execution attack.defense-evasion attack.t1106 attack.t1059.003 attack.t1218.011 ·
Share on:

Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility

Read More
Potential Binary Proxy Execution Via Cdb.EXE

Aug 12, 2024 · attack.execution attack.t1106 attack.defense-evasion attack.t1218 attack.t1127 ·
Share on:

Detects usage of "cdb.exe" to launch arbitrary processes or commands from a debugger script file

Read More
Potential WinAPI Calls Via PowerShell Scripts

Aug 12, 2024 · attack.execution attack.t1059.001 attack.t1106 ·
Share on:

Detects use of WinAPI functions in PowerShell scripts

Read More
Suspicious Mshta.EXE Execution Patterns

Aug 12, 2024 · attack.execution attack.t1106 ·
Share on:

Detects suspicious mshta process execution patterns

Read More
Turla Group Named Pipes

Aug 12, 2024 · attack.g0010 attack.execution attack.t1106 detection.emerging-threats ·
Share on:

Detects a named pipe used by Turla group samples

Read More
Nullsoft Scriptable Installer Script (NSIS) execution

Aug 2, 2024 · attack.execution attack.t1106 dist.public ·
Share on:

Detects the loading of the NSIS System plugin library, indicative of an NSIS script execution.

Read More
Nullsoft Scriptable Installer Script (NSIS) file creation

Aug 2, 2024 · attack.execution attack.t1106 dist.public ·
Share on:

Detects the creation of the NSIS System plugin library, indicative of an NSIS script execution.

Read More