Detects Commandlet names from well-known PowerShell exploitation frameworks

Read More

Detects Commandlet names from well-known PowerShell exploitation frameworks

Read More

Detects the use of a renamed Adfind.exe. AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain.

Read More

Detects potential Active Directory enumeration via LDAP

Read More

Detects default file names outputted by the BloodHound collection tool SharpHound

Read More

Detects DNS server discovery via LDAP query requests from uncommon applications

Read More

Detects execution of "dsquery.exe" for domain trust discovery

Read More

Detects command line parameters used by Bloodhound and Sharphound hack tools

Read More

Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems

Read More

Detects the use of TruffleSnout.exe an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low noise enumeration.

Read More

Detects Commandlet names from well-known PowerShell exploitation frameworks

Read More

Detects nltest commands that can be used for information discovery

Read More

Detects nltest commands that can be used for information discovery

Read More

Detects AdFind execution with common flags seen used during attacks

Read More

AdFind has been seen in numerous intrusions. The threat actor(s) ran these commands.

Read More

Left unchecked, SocGholish may lead to domain discovery. This type of behavior is often a precursor to ransomware activity, and should be quickly quelled to prevent further progression of the threat. Part of the RedCanary 2024 Threat Detection Report.

Read More

Detects domain trust enumeration with nltest.exe, a procedure associated with SocGholish. Part of the RedCanary 2023 Threat Detection Report.

Read More