EXPLORE

EXPLORE DETECTIONS

🔍
3,281 detections found

Cisco Dot1x Disabled

Detects the manual disablement of IEEE 802.1X (dot1x) on a Cisco network device interface. Disabling dot1x bypasses Network Access Control (NAC) mechanisms, potentially allowing unauthorized devices to gain access to the internal network. This activity is a common technique used by attackers or malicious insiders to establish persistence or perform lateral movement via rogue devices.

T1685T1556.004
Sigmamedium

Cisco Duo Successful MFA Authentication Via Bypass Code

Detects when a successful MFA authentication occurs due to the use of a bypass code. A bypass code is a temporary passcode created by an administrator for a specific user to access a Duo-protected application. These are generally used as "backup codes," so that enrolled users who are having problems with their mobile devices (e.g., mobile service is disrupted, the device is lost or stolen, etc.) or who temporarily can't use their enrolled devices (on a plane without mobile data services) can still access their Duo-protected systems.

Sigmamedium

Cisco File Deletion

See what files are being deleted from flash file systems

T1070.004T1561.001T1561.002
Sigmamedium

Cisco LDP Authentication Failures

Detects LDP failures which may be indicative of brute force attacks to manipulate MPLS labels

T1078T1110T1557
Sigmalow

Cisco Local Accounts

Find local accounts being created or modified as well as remote authentication configurations

T1136.001T1098
Sigmahigh

Cisco Modify Configuration

Modifications to a config that will serve an adversary's impacts or persistence

T1490T1505T1565.002T1053
Sigmamedium

Cisco Show Commands Input

See what commands are being input into the device by other people, full credentials can be in the history

T1552.003
Sigmamedium

Cisco Sniffing

Show when a monitor or a span/rspan is setup or modified

T1040
Sigmamedium

Cisco Stage Data

Various protocols maybe used to put data on the device for exfil or infil

T1074T1105T1560.001
Sigmalow

Classes Autorun Keys Modification

Detects modification of Windows Registry Classes keys used for persistence. Adversaries modify these autostart extensibility points (ASEP) to execute malicious code when file types are opened or actions are performed. Various legitimate software also uses these keys. Currently, this rule only filters out known legitimate software paths, thus it is recommended to review and tune filters for your environment to reduce false positives before deploying to production.

T1547.001
Sigmamedium

Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall

Detects the use of the `syslog` syscall with action code 5 (SYSLOG_ACTION_CLEAR), (4 is SYSLOG_ACTION_READ_CLEAR and 6 is SYSLOG_ACTION_CONSOLE_OFF) which clears the kernel ring buffer (dmesg logs). This can be used by attackers to hide traces after exploitation or privilege escalation. A common technique is running `dmesg -c`, which triggers this syscall internally.

T1685.006
Sigmamedium

Clear PowerShell History - PowerShell

Detects keywords that could indicate clearing PowerShell history

T1070.003
Sigmamedium

Clear PowerShell History - PowerShell Module

Detects keywords that could indicate clearing PowerShell history

T1070.003
Sigmamedium

Clearing Windows Console History

Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.

T1070T1070.003
Sigmahigh

Cleartext Protocol Usage

Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. Ensure that an encryption is used for all sensitive information in transit. Ensure that an encrypted channels is used for all administrative account access.

Sigmalow

Clfs.SYS Loaded By Process Located In a Potential Suspicious Location

Detects Clfs.sys being loaded by a process running from a potentially suspicious location. Clfs.sys is loaded as part of many CVEs exploits that targets Common Log File.

T1059
Sigmamedium

ClickOnce Deployment Execution - Dfsvc.EXE Child Process

Detects child processes of "dfsvc" which indicates a ClickOnce deployment execution.

Sigmamedium

ClickOnce Trust Prompt Tampering

Detects changes to the ClickOnce trust prompt registry key in order to enable an installation from different locations such as the Internet.

T1112
Sigmamedium

Clipboard Access Via OSAScript

Detects access to clipboard content via osascript, which may be used for data collection but also occurs in legitimate clipboard utilities and automation scripts

T1115T1059.002
Sigmamedium

Clipboard Collection of Image Data with Xclip Tool

Detects attempts to collect image data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.

T1115
Sigmalow

Clipboard Collection with Xclip Tool

Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.

T1115
Sigmalow

Clipboard Collection with Xclip Tool - Auditd

Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.

T1115
Sigmalow

Clipboard Data Collection Via Pbpaste

Detects execution of the "pbpaste" utility, which retrieves the contents of the clipboard (a.k.a. pasteboard) and writes them to the standard output (stdout). The utility is often used for creating new files with the clipboard content or for piping clipboard contents to other commands. It can also be used in shell scripts that may require clipboard content as input. Attackers can abuse this utility in order to collect data from the user clipboard, which may contain passwords or sensitive information. Use this rule to hunt for potential abuse of the utility by looking at the parent process and any potentially suspicious command line content.

T1115
Sigmamedium

Cloudflared Portable Execution

Detects the execution of the "cloudflared" binary from a non standard location.

T1090.001
Sigmamedium
PreviousPage 15 of 137Next