EXPLORE

EXPLORE DETECTIONS

🔍
9,403 detections found

Abusable DLL Potential Sideloading From Suspicious Location

Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations

T1059
Sigmahigh

Abuse of Service Permissions to Hide Services Via Set-Service

Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)

T1574.011
Sigmahigh

Abuse of Service Permissions to Hide Services Via Set-Service - PS

Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)

T1574.011
Sigmahigh

Abuse: Cloudflare Workers Hosted EvilTokens Domain Structure

Detects messages containing links to Cloudflare Workers domains that follow naming patterns designed to impersonate legitimate services such as Adobe, DocuSign, OneDrive, SharePoint, and voicemail systems. These domains use suspicious alphanumeric identifiers and may be used to deceive recipients into believing they are accessing trusted services.

T1566T1566.001T1566.002T1598T1598.003+2
Sublimehigh

Abuse: Robinhood injected content

Detects messages from Robinhood with injected HTML into one of the list fields, often the 'Device' field.

T1566T1566.001T1566.002T1598T1598.003
Sublimemedium

Abused Debug Privilege by Arbitrary Parent Processes

Detection of unusual child processes by different system processes

T1548
Sigmahigh

Abusing Print Executable

Attackers can use print.exe for remote file copy

T1218
Sigmamedium

Accepted Default Telnet Port Connection

This rule detects network events that may indicate the use of Telnet traffic. Telnet is commonly used by system administrators to remotely control older or embedded systems using the command line shell. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing the traffic.

T1071T1021T1133T1190
Elasticmedium

Access Control List Modification via setfacl

This rule detects Linux Access Control List (ACL) modification via the setfacl command. Attackers may use the setfacl utility to modify file and directory permissions in order to evade detection and maintain persistence on a compromised system.

T1222T1222.002
Elasticlow

Access LSASS Memory for Dump Creation

The following analytic detects attempts to dump the LSASS process memory, a common technique in credential dumping attacks. It leverages Sysmon logs, specifically EventCode 10, to identify suspicious call traces to dbgcore.dll and dbghelp.dll associated with lsass.exe. This activity is significant as it often precedes the theft of sensitive login credentials, posing a high risk of unauthorized access to systems and data. If confirmed malicious, attackers could gain access to critical credentials, enabling further compromise and lateral movement within the network.

Splunk

Access of Sudoers File Content

Detects the execution of a text-based file access or inspection utilities to read the content of /etc/sudoers in order to potentially list all users that have sudo rights.

T1592.004
Sigmamedium

Access Review On Role Assignable Group AutoDeleted

This happens when a role such as identity Governance Admin Tries to do an access review on a role assignable group.

KQL

Access To .Reg/.Hive Files By Uncommon Applications

Detects file access requests to files ending with either the ".hive"/".reg" extension, usually associated with Windows Registry backups.

T1112
Sigmalow

Access to a Sensitive LDAP Attribute

Identify access to sensitive Active Directory object attributes that contains credentials and decryption keys such as unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens.

T1003T1552T1552.004T1649T1078+2
Elasticmedium

Access To ADMIN$ Network Share

Detects access to ADMIN$ network share

T1021.002
Sigmalow

Access To Browser Credential Files By Uncommon Applications

Detects file access requests to browser credential stores by uncommon processes. Could indicate potential attempt of credential stealing. Requires heavy baselining before usage

T1003
Sigmalow

Access To Browser Credential Files By Uncommon Applications - Security

Detects file access requests to browser credential stores by uncommon processes. Could indicate potential attempt of credential stealing This rule requires heavy baselining before usage.

T1555.003
Sigmalow

Access to Browser Login Data

Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store.

T1555.003
Sigmamedium

Access To Chromium Browsers Sensitive Files By Uncommon Applications

Detects file access requests to chromium based browser sensitive files by uncommon processes. Could indicate potential attempt of stealing sensitive information.

T1003
Sigmalow

Access To Crypto Currency Wallets By Uncommon Applications

Detects file access requests to crypto currency files by uncommon processes. Could indicate potential attempt of crypto currency wallet stealing.

T1003
Sigmamedium

Access To Potentially Sensitive Sysvol Files By Uncommon Applications

Detects file access requests to potentially sensitive files hosted on the Windows Sysvol share.

T1552.006
Sigmamedium

Access To Sysvol Policies Share By Uncommon Process

Detects file access requests to the Windows Sysvol Policies Share by uncommon processes

T1552.006
Sigmamedium

Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint

The following analytic identifies access to the /api/v1/configuration/users/user-roles/user-role/rest-userrole1/web/web-bookmarks/bookmark endpoint, which is associated with CVE-2023-46805 and CVE-2024-21887 vulnerabilities. It detects this activity by monitoring for GET requests that receive a 403 Forbidden response with an empty body. This behavior is significant as it indicates potential exploitation attempts against Ivanti Connect Secure systems. If confirmed malicious, attackers could exploit these vulnerabilities to gain unauthorized access or control over the affected systems, leading to potential data breaches or system compromise.

Splunk

Access To Windows Credential History File By Uncommon Applications

Detects file access requests to the Windows Credential History File by an uncommon application. This can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::credhist" function

T1555.004
Sigmamedium
PreviousPage 2 of 392Next