EXPLORE DETECTIONS

3,270 detections found

Suspicious Non-Browser Network Communication With Google API

Detects a non-browser process interacting with the Google API which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet)

T1102
Sigma | medium

Suspicious Non-Browser Network Communication With Telegram API

Detects a non-browser process interacting with the Telegram API, which could indicate use of a covert C2

T1102, T1567, T1105
Sigma | medium

Suspicious NTLM Authentication on the Printer Spooler Service

Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service

T1212
Sigma | high

Suspicious OAuth App File Download Activities

Detects when Microsoft Cloud App Security reports that an app downloaded multiple files from Microsoft SharePoint or Microsoft OneDrive in a manner that is unusual for the user.

Sigma | medium

Suspicious Obfuscated PowerShell Code

Detects suspicious UTF-16 and base64-encoded, often obfuscated PowerShell code of the kind commonly seen in command lines

Sigma | high

Suspicious OpenSSH Daemon Error

Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error which could be caused by exploitation attempts

T1190
Sigma | medium

Suspicious Outbound SMTP Connections

Adversaries may steal data by exfiltrating it over an unencrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.

T1048.003
Sigma | medium

Suspicious Outlook Child Process

Detects a suspicious process spawning from an Outlook process.

T1204.002
Sigma | high

Suspicious Outlook Macro Created

Detects the creation of a macro file for Outlook.

T1137, T1008, T1546
Sigma | high

Suspicious Package Installed - Linux

Detects installation of suspicious packages using system installation utilities

T1553.004
Sigma | medium

Suspicious Parent Double Extension File Execution

Detects execution of suspicious double-extension files in the ParentCommandLine

T1036.007
Sigma | high

Suspicious Path In Keyboard Layout IME File Registry Value

Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message. Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path. IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.

T1562.001
Sigma | high

Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script

Detects execution of "VMwareToolBoxCmd.exe" with the "script" and "set" flags to set up a script located in a potentially suspicious location to run on a specific VM state change

T1059
Sigma | high

Suspicious Ping/Del Command Combination

Detects a method often used by ransomware that combines "ping" to wait a couple of seconds with "del" to delete the file in question. It is used, for example, to hide the file responsible for the initial infection.

T1070.004
Sigma | high

Suspicious Plink Port Forwarding

Detects suspicious Plink tunnel port forwarding to a local port

T1572, T1021.001
Sigma | high

Suspicious Powercfg Execution To Change Lock Screen Timeout

Detects suspicious execution of 'Powercfg.exe' to change the lock screen timeout

Sigma | medium

Suspicious PowerShell Download - PoshModule

Detects suspicious PowerShell download command

T1059.001
Sigma | medium

Suspicious PowerShell Download - Powershell Script

Detects suspicious PowerShell download command

T1059.001
Sigma | medium

Suspicious PowerShell Download and Execute Pattern

Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend matches the strings case-insensitively)

T1059.001
Sigma | high

Suspicious PowerShell Encoded Command Patterns

Detects PowerShell command line patterns in combination with encoded commands that often appear in malware infection chains

T1059.001
Sigma | high

Suspicious PowerShell Get Current User

Detects the use of PowerShell to identify the currently logged-on user.

T1033
Sigma | low

Suspicious PowerShell IEX Execution Patterns

Detects suspicious ways to run Invoke-Expression using the IEX alias

T1059.001
Sigma | high

Suspicious PowerShell In Registry Run Keys

Detects potential PowerShell commands or code within registry run keys

T1547.001
Sigma | medium

Suspicious PowerShell Invocation From Script Engines

Detects suspicious PowerShell invocations from interpreters or unusual programs

T1059.001
Sigma | medium

Page 113 of 137