EXPLORE DETECTIONS
Change PowerShell Policies to an Insecure Level
Detects changing the PowerShell script execution policy to a potentially insecure level using the "-ExecutionPolicy" flag.
Change PowerShell Policies to an Insecure Level - PowerShell
Detects changing the PowerShell script execution policy to a potentially insecure level using the "Set-ExecutionPolicy" cmdlet.
Change the Fax Dll
Detect possible persistence using Fax DLL load when service restart
Change to Authentication Method
Change to authentication method could be an indicator of an attacker adding an auth method to the account so they can have continued access.
Change User Account Associated with the FAX Service
Detect change of the user account associated with the FAX service to avoid the escalation problem.
Change User Agents with WebRequest
Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Change Winevt Channel Access Permission Via Registry
Detects tampering with the "ChannelAccess" registry key in order to change access to Windows event channel.
Changes to Device Registration Policy
Monitor and alert for changes to the device registration policy.
Changes To PIM Settings
Detects when changes are made to PIM roles
Changing Existing Service ImagePath Value Via Reg.EXE
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
Chmod Targeting Sensitive Directories
Detects chmod targeting files in sensitive directory paths on Linux systems. Attackers may use chmod to change permissions of files in these directories to maintain persistence, escalate privileges, or disrupt system operations.
Chopper Webshell Process Pattern
Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells
Chromium Browser Headless Execution To Mockbin Like Site
Detects the execution of a Chromium based browser process with the "headless" flag and a URL pointing to the mockbin.org service (which can be used to exfiltrate data).
Chromium Browser Instance Executed With Custom Extension
Detects a Chromium based browser process with the 'load-extension' flag to start a instance with a custom extension
Cisco BGP Authentication Failures
Detects BGP failures which may be indicative of brute force attacks to manipulate routing
Cisco Clear Logs
Clear command history in network OS which is used for defense evasion
Cisco Collect Data
Collect pertinent data from the configuration files
Cisco Crypto Commands
Show when private keys are being exported from the device, or when new certificates are installed
Cisco Denial of Service
Detect a system being shutdown or put into different boot mode
Cisco Disabling Logging
Turn off logging locally or remote
Cisco Discovery
Find information about network devices that is not stored in config files
Cisco Dot1x Disabled
Detects the manual disablement of IEEE 802.1X (dot1x) on a Cisco network device interface. Disabling dot1x bypasses Network Access Control (NAC) mechanisms, potentially allowing unauthorized devices to gain access to the internal network. This activity is a common technique used by attackers or malicious insiders to establish persistence or perform lateral movement via rogue devices.
Cisco Duo Successful MFA Authentication Via Bypass Code
Detects when a successful MFA authentication occurs due to the use of a bypass code. A bypass code is a temporary passcode created by an administrator for a specific user to access a Duo-protected application. These are generally used as "backup codes," so that enrolled users who are having problems with their mobile devices (e.g., mobile service is disrupted, the device is lost or stolen, etc.) or who temporarily can't use their enrolled devices (on a plane without mobile data services) can still access their Duo-protected systems.
Cisco File Deletion
See what files are being deleted from flash file systems