EXPLORE DETECTIONS
Time Travel Debugging Utility Usage - Image
Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
Tomcat WebServer Logs Deleted
Detects the deletion of tomcat WebServer logs which may indicate an attempt to destroy forensic evidence
Too Many Global Admins
Identifies an event where there are too many accounts assigned the Global Administrator role.
Tor Client/Browser Execution
Detects the use of Tor or Tor-Browser to connect to onion routing networks
Touch Suspicious Service File
Detects usage of the "touch" process on a service file.
Transferring Files with Credential Data via Network Shares
Transferring files with well-known filenames (sensitive files with credential data) using network shares
Transferring Files with Credential Data via Network Shares - Zeek
Transferring files with well-known filenames (sensitive files with credential data) using network shares
Triple Cross eBPF Rootkit Default LockFile
Detects the creation of the file "rootlog" which is used by the TripleCross rootkit as a way to check if the backdoor is already running.
Triple Cross eBPF Rootkit Default Persistence
Detects the creation of "ebpfbackdoor" files in both the "cron.d" and "sudoers.d" directories, both of which are related to the TripleCross persistence method
Triple Cross eBPF Rootkit Execve Hijack
Detects execution of the file "execve_hijack" which is used by the Triple Cross rootkit as a way to elevate privileges
Triple Cross eBPF Rootkit Install Commands
Detects default install commands of the Triple Cross eBPF rootkit based on the "deployer.sh" script
Troubleshooting Pack Cmdlet Execution
Detects execution of "TroubleshootingPack" cmdlets to leverage CVE-2022-30190, or actions similar to the "msdt" LOLBin (as described in LOLBAS)
Trust Access Disable For VBApplications
Detects registry changes to Microsoft Office "AccessVBOM" to a value of "1" which disables trust access for VBA on the victim machine and lets attackers execute malicious macros without any Microsoft Office warnings.
Trusted Path Bypass via Windows Directory Spoofing
Detects DLLs loading from a spoofed Windows directory path with an extra space (e.g. "C:\Windows \System32") which can bypass Windows trusted path verification. This technique tricks Windows into treating the path as trusted, allowing malicious DLLs to load with high integrity privileges, bypassing UAC.
TrustedPath UAC Bypass Pattern
Detects indicators of a UAC bypass method by mocking directories
Tunneling Tool Execution
Detects the execution of well known tools that can be abused for data exfiltration and tunneling.
UAC Bypass Abusing Winsat Path Parsing - File
Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
UAC Bypass Abusing Winsat Path Parsing - Process
Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
UAC Bypass Abusing Winsat Path Parsing - Registry
Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
UAC Bypass Tools Using ComputerDefaults
Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)
UAC Bypass Using .NET Code Profiler on MMC
Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)
UAC Bypass Using ChangePK and SLUI
Detects a UAC bypass that uses changepk.exe and slui.exe (UACMe 61)
UAC Bypass Using Consent and Comctl32 - File
Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)
UAC Bypass Using Consent and Comctl32 - Process
Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)