EXPLORE DETECTIONS
Shadow Copies Deletion Using Operating Systems Utilities
Shadow Copies deletion using operating systems utilities
Share And Session Enumeration Using Net.EXE
Detects attempts to enumerate file shares, printer shares and sessions using "net.exe" with the "view" flag.
SharpHound Recon Account Discovery
Detects remote RPC calls useb by SharpHound to map remote connections and local group membership.
SharpHound Recon Sessions
Detects remote RPC calls useb by SharpHound to map remote connections and local group membership.
Shell Context Menu Command Tampering
Detects changes to shell context menu commands. Use this rule to hunt for potential anomalies and suspicious shell commands.
Shell Execution GCC - Linux
Detects the use of the "gcc" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
Shell Execution Of Process Located In Tmp Directory
Detects execution of shells from a parent process located in a temporary (/tmp) directory
Shell Execution via Find - Linux
Detects the use of the find command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or exploitation attempt.
Shell Execution via Flock - Linux
Detects the use of the "flock" command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
Shell Execution via Git - Linux
Detects the use of the "git" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
Shell Execution via Nice - Linux
Detects the use of the "nice" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
Shell Execution via Rsync - Linux
Detects the use of the "rsync" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
Shell Invocation via Apt - Linux
Detects the use of the "apt" and "apt-get" commands to execute a shell or proxy commands. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
Shell Invocation via Env Command - Linux
Detects the use of the env command to invoke a shell. This may indicate an attempt to bypass restricted environments, escalate privileges, or execute arbitrary commands.
Shell Invocation Via Ssh - Linux
Detects the use of the "ssh" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
Shell Open Registry Keys Manipulation
Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)
Shell Process Spawned by Java.EXE
Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation)
Shell32 DLL Execution in Suspicious Directory
Detects shell32.dll executing a DLL in a suspicious directory
Shellshock Expression
Detects shellshock expressions in log files
ShimCache Flush
Detects actions that clear the local ShimCache and remove forensic evidence
Sign-in Failure Due to Conditional Access Requirements Not Met
Define a baseline threshold for failed sign-ins due to Conditional Access failures
Sign-In From Malware Infected IP
Indicates sign-ins from IP addresses infected with malware that is known to actively communicate with a bot server.
Sign-ins by Unknown Devices
Monitor and alert for Sign-ins by unknown devices from non-Trusted locations.
Sign-ins from Non-Compliant Devices
Monitor and alert for sign-ins where the device was non-compliant.