EXPLORE

EXPLORE DETECTIONS

🔍
3,281 detections found

Compress Data and Lock With Password for Exfiltration With WINZIP

An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities

T1560.001
Sigmamedium

Compress-Archive Cmdlet Execution

Detects PowerShell scripts that make use of the "Compress-Archive" cmdlet in order to compress folders and files. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.

T1560
Sigmalow

Compressed File Creation Via Tar.EXE

Detects execution of "tar.exe" in order to create a compressed file. Adversaries may abuse various utilities to compress or encrypt data before exfiltration.

T1560T1560.001
Sigmalow

Compressed File Extraction Via Tar.EXE

Detects execution of "tar.exe" in order to extract compressed file. Adversaries may abuse various utilities in order to decompress data to avoid detection.

T1560T1560.001
Sigmalow

Computer Discovery And Export Via Get-ADComputer Cmdlet

Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file

T1033
Sigmamedium

Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell

Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file

T1033
Sigmamedium

Computer Password Change Via Ksetup.EXE

Detects password change for the computer's domain account or host principal via "ksetup.exe"

Sigmamedium

Computer System Reconnaissance Via Wmic.EXE

Detects execution of wmic utility with the "computersystem" flag in order to obtain information about the machine such as the domain, username, model, etc.

T1047
Sigmamedium

Conhost Spawned By Uncommon Parent Process

Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity.

T1059
Sigmamedium

Conhost.exe CommandLine Path Traversal

detects the usage of path traversal in conhost.exe indicating possible command/argument confusion/hijacking

T1059.003
Sigmahigh

Connection Proxy

Detects setting proxy configuration

T1090
Sigmalow

Console CodePage Lookup Via CHCP

Detects use of chcp to look up the system locale value as part of host discovery

T1614.001
Sigmamedium

Container Residence Discovery Via Proc Virtual FS

Detects potential container discovery via listing of certain kernel features in the "/proc" virtual filesystem

T1082
Sigmalow

Container With A hostPath Mount Created

Detects creation of a container with a hostPath mount. A hostPath volume mounts a directory or a file from the node to the container. Attackers who have permissions to create a new pod in the cluster may create one with a writable hostPath volume and chroot to escape to the underlying node.

T1611
Sigmalow

Control Panel Items

Detects the malicious use of a control panel item

T1218.002T1546
Sigmahigh

ConvertTo-SecureString Cmdlet Usage Via CommandLine

Detects usage of the "ConvertTo-SecureString" cmdlet via the commandline. Which is fairly uncommon and could indicate potential suspicious activity

T1027T1059.001
Sigmamedium

Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE

Detects usage of the copy builtin cmd command to copy files with the ".dmp"/".dump" extension from a remote share

Sigmahigh

Copy From Or To Admin Share Or Sysvol Folder

Detects a copy command or a copy utility execution to or from an Admin share or remote

T1039T1048T1021.002
Sigmamedium

Copy From VolumeShadowCopy Via Cmd.EXE

Detects the execution of the builtin "copy" command that targets a shadow copy (sometimes used to copy registry hives that are in use)

T1490
Sigmahigh

Copy Passwd Or Shadow From TMP Path

Detects when the file "passwd" or "shadow" is copied from tmp path

T1552.001
Sigmahigh

Copying Sensitive Files with Credential Data

Files with well-known filenames (sensitive files with credential data) copying

T1003.002T1003.003S0404
Sigmahigh

Crash Dump Created By Operating System

Detects "BugCheck" errors indicating the system rebooted due to a crash, capturing the bugcheck code, dump file path, and report ID.

T1003.002T1005
Sigmamedium

CrashControl CrashDump Disabled

Detects disabling the CrashDump per registry (as used by HermeticWiper)

T1564T1112
Sigmamedium

Create Volume Shadow Copy with Powershell

Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information

T1003.003
Sigmahigh
PreviousPage 18 of 137Next