EXPLORE DETECTIONS
Service Security Descriptor Tampering Via Sc.EXE
Detects the sc.exe utility adding a new service with special permissions that hide that service.
Service Started/Stopped Via Wmic.EXE
Detects usage of wmic to start or stop a service
Service StartupType Change Via PowerShell Set-Service
Detects the use of the PowerShell "Set-Service" cmdlet to change the startup type of a service to "disabled" or "manual"
Service StartupType Change Via Sc.EXE
Detects the use of "sc.exe" to change the startup type of a service to "disabled" or "demand"
ServiceDll Hijack
Detects changes to the "ServiceDLL" value related to a service in the registry. This is often used as a method of persistence.
SES Identity Has Been Deleted
Detects an instance of an SES identity being deleted via the "DeleteIdentity" event. This may be an indicator of an adversary removing the account that carried out suspicious or malicious activities
Session Manager Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
Set Files as System Files Using Attrib.EXE
Detects the execution of "attrib" with the "+s" flag to mark files as system files
Set Suspicious Files as System Files Using Attrib.EXE
Detects the usage of attrib with the "+s" option to set scripts or executables located in suspicious locations as system files, hiding them from users and preventing deletion with ordinary user rights. The rule limits the search to specific extensions and directories to avoid false positives
Setuid and Setgid
Detects suspicious changes of file privileges with the chown and chmod commands
Setup16.EXE Execution With Custom .Lst File
Detects the execution of "Setup16.EXE", an old installation utility, with a custom ".lst" file. These ".lst" files can contain references to external programs that "Setup16.EXE" will execute. Attackers and adversaries might leverage this as a living-off-the-land utility.
Shadow Copies Creation Using Operating Systems Utilities
Detects shadow copy creation using operating system utilities, a possible sign of credential access
Shadow Copies Deletion Using Operating Systems Utilities
Detects shadow copy deletion using operating system utilities
Share And Session Enumeration Using Net.EXE
Detects attempts to enumerate file shares, printer shares and sessions using "net.exe" with the "view" flag.
SharpHound Recon Account Discovery
Detects remote RPC calls used by SharpHound to map remote connections and local group membership.
SharpHound Recon Sessions
Detects remote RPC calls used by SharpHound to map remote connections and local group membership.
Shell Context Menu Command Tampering
Detects changes to shell context menu commands. Use this rule to hunt for potential anomalies and suspicious shell commands.
Shell Execution GCC - Linux
Detects the use of the "gcc" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
Shell Execution Of Process Located In Tmp Directory
Detects execution of shells from a parent process located in a temporary (/tmp) directory
Shell Execution via Find - Linux
Detects the use of the find command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or an exploitation attempt.
Shell Execution via Flock - Linux
Detects the use of the "flock" command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
Shell Execution via Git - Linux
Detects the use of the "git" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
Shell Execution via Nice - Linux
Detects the use of the "nice" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
Shell Execution via Rsync - Linux
Detects the use of the "rsync" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.