EXPLORE DETECTIONS
Cisco Modify Configuration
Detects modifications to a device configuration that could serve an adversary's impact or persistence goals.
Cisco Show Commands Input
Shows what commands are being entered on the device by other users; full credentials can appear in the command history.
Cisco Sniffing
Shows when a monitor session or a SPAN/RSPAN session is set up or modified.
Cisco Stage Data
Various protocols may be used to stage data on the device for exfiltration or infiltration.
Classes Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
Clear Linux Logs
Detects attempts to clear logs on the system. Adversaries may clear system logs to hide evidence of an intrusion.
Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall
Detects the use of the `syslog` syscall with action code 5 (SYSLOG_ACTION_CLEAR), which clears the kernel ring buffer (dmesg logs); the related action codes are 4 (SYSLOG_ACTION_READ_CLEAR) and 6 (SYSLOG_ACTION_CONSOLE_OFF). This can be used by attackers to hide traces after exploitation or privilege escalation. A common technique is running `dmesg -c`, which triggers this syscall internally.
Clear PowerShell History - PowerShell
Detects keywords that could indicate clearing PowerShell history
Clear PowerShell History - PowerShell Module
Detects keywords that could indicate clearing PowerShell history
Clearing Windows Console History
Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.
Cleartext Protocol Usage
Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. Ensure that encryption is used for all sensitive information in transit. Ensure that an encrypted channel is used for all administrative account access.
Clfs.SYS Loaded By Process Located In a Potential Suspicious Location
Detects Clfs.sys being loaded by a process running from a potentially suspicious location. Clfs.sys is loaded as part of many CVE exploits that target the Common Log File System (CLFS) driver.
ClickOnce Deployment Execution - Dfsvc.EXE Child Process
Detects child processes of "dfsvc" which indicates a ClickOnce deployment execution.
ClickOnce Trust Prompt Tampering
Detects changes to the ClickOnce trust prompt registry key in order to enable an installation from different locations such as the Internet.
Clipboard Collection of Image Data with Xclip Tool
Detects attempts to collect image data stored in the clipboard using the xclip tool. xclip has to be installed. It is highly recommended to use this rule on servers, since clipboard utilities are heavily used on user workstations.
Clipboard Collection with Xclip Tool
Detects attempts to collect data stored in the clipboard using the xclip tool. xclip has to be installed. It is highly recommended to use this rule on servers, since clipboard utilities are heavily used on user workstations.
Clipboard Collection with Xclip Tool - Auditd
Detects attempts to collect data stored in the clipboard using the xclip tool, based on auditd events. xclip has to be installed. It is highly recommended to use this rule on servers, since clipboard utilities are heavily used on user workstations.
Clipboard Data Collection Via OSAScript
Detects possible collection of data from the clipboard via execution of the osascript binary.
Clipboard Data Collection Via Pbpaste
Detects execution of the "pbpaste" utility, which retrieves the contents of the clipboard (a.k.a. pasteboard) and writes them to the standard output (stdout). The utility is often used for creating new files with the clipboard content or for piping clipboard contents to other commands. It can also be used in shell scripts that may require clipboard content as input. Attackers can abuse this utility in order to collect data from the user clipboard, which may contain passwords or sensitive information. Use this rule to hunt for potential abuse of the utility by looking at the parent process and any potentially suspicious command line content.
Cloudflared Portable Execution
Detects the execution of the "cloudflared" binary from a non-standard location.
Cloudflared Quick Tunnel Execution
Detects creation of an ad-hoc Cloudflare Quick Tunnel, which can be used to tunnel local services such as HTTP, RDP, SSH and SMB. The free TryCloudflare Quick Tunnel will generate a random subdomain on trycloudflare[.]com, following a call to api[.]trycloudflare[.]com. The tool has been observed in use by threat groups including Akira ransomware.
Cloudflared Tunnel Connections Cleanup
Detects execution of the "cloudflared" tool with the tunnel "cleanup" flag, which is used to clean up tunnel connections.
Cloudflared Tunnel Execution
Detects execution of the "cloudflared" tool to connect back to a tunnel. This has been seen used by threat actors to maintain persistence and remote access to compromised networks.
Cloudflared Tunnels Related DNS Requests
Detects DNS requests to Cloudflared tunnel domains. Attackers can abuse this feature to establish a reverse shell or persistence on a machine.