EXPLORE

EXPLORE DETECTIONS

🔍
3,281 detections found

Critical Hive In Suspicious Location Access Bits Cleared

Detects events from the Kernel-General ETW indicating that the access bits of a hive with a system like hive name located in the temp directory have been reset. This occurs when an application tries to access a hive and the hive has not be recognized since the last 7 days (by default). Registry hive dumping utilities such as QuarksPwDump were seen emitting this behavior.

T1003.002
Sigmahigh

Crontab Enumeration

Detects usage of crontab to list the tasks of the user

T1007
Sigmalow

Cross Site Scripting Strings

Detects XSS attempts injected via GET requests in access logs

T1189
Sigmahigh

Crypto Miner User Agent

Detects suspicious user agent strings used by crypto miners in proxy logs

T1071.001
Sigmahigh

Csc.EXE Execution Form Potentially Suspicious Parent

Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery.

T1059.005T1059.007T1218.005T1027.004
Sigmahigh

Cscript/Wscript Potentially Suspicious Child Process

Detects potentially suspicious child processes of Wscript/Cscript. These include processes such as rundll32 with uncommon exports or PowerShell spawning rundll32 or regsvr32. Malware such as Pikabot and Qakbot were seen using similar techniques as well as many others.

Sigmamedium

Cscript/Wscript Uncommon Script Extension Execution

Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) extension

T1059.005T1059.007
Sigmahigh

CSExec Service File Creation

Detects default CSExec service filename which indicates CSExec service installation and execution

T1569.002S0029
Sigmamedium

CSExec Service Installation

Detects CSExec service installation and execution events

T1569.002
Sigmamedium

Curl Download And Execute Combination

Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.

T1218T1105
Sigmahigh

Curl File Upload To File Sharing Websites

Detects usage of curl to upload files to known file sharing domains, which may indicate data exfiltration.

T1567.002
Sigmahigh

Curl Usage on Linux

Detects a curl process start on linux, which indicates a file download from a remote location or a simple web request to a remote server

T1105
Sigmalow

Curl Web Request With Potential Custom User-Agent

Detects execution of "curl.exe" with a potential custom "User-Agent". Attackers can leverage this to download or exfiltrate data via "curl" to a domain that only accept specific "User-Agent" strings

Sigmamedium

Curl.EXE Execution

Detects a curl process start on Windows, which could indicates a file download from a remote location or a simple web request to a remote server

T1105
Sigmalow

Curl.EXE Execution With Custom UserAgent

Detects execution of curl.exe with custom useragent options

T1071.001
Sigmamedium

CurrentControlSet Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

T1547.001
Sigmamedium

CurrentVersion Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

T1547.001
Sigmamedium

CurrentVersion NT Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

T1547.001
Sigmamedium

Custom File Open Handler Executes PowerShell

Detects the abuse of custom file open handler, executing powershell

T1202
Sigmahigh

Data Compressed

An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.

T1560.001
Sigmalow

Data Copied To Clipboard Via Clip.EXE

Detects the execution of clip.exe in order to copy data to the clipboard. Adversaries may collect data stored in the clipboard from users copying information within or between applications.

T1115
Sigmalow

Data Exfiltration to Unsanctioned Apps

Detects when a Microsoft Cloud App Security reported when a user or IP address uses an app that is not sanctioned to perform an activity that resembles an attempt to exfiltrate information from your organization.

T1537
Sigmamedium

Data Exfiltration with Wget

Detects attempts to post the file with the usage of wget utility. The adversary can bypass the permission restriction with the misconfigured sudo permission for wget utility which could allow them to read files like /etc/shadow.

T1048.003
Sigmamedium

Data Export From MSSQL Table Via BCP.EXE

Detects the execution of the BCP utility in order to export data from the database. Attackers were seen saving their malware to a database column or table and then later extracting it via "bcp.exe" into a file.

T1048
Sigmamedium
PreviousPage 20 of 137Next