EXPLORE DETECTIONS
Dbghelp/Dbgcore DLL Loaded By Uncommon/Suspicious Process
Detects the load of dbghelp/dbgcore DLL by a potentially uncommon or potentially suspicious process. The Dbghelp and Dbgcore DLLs export functions that allow for the dump of process memory. Tools like ProcessHacker, Task Manager and some attacker tradecraft use the MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine. Keep in mind that many legitimate Windows processes and services might load the aforementioned DLLs for debugging or other related purposes. Investigate the CommandLine and the Image location of the process loading the DLL.
DCERPC SMB Spoolss Named Pipe
Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.
DCOM InternetExplorer.Application Iertutil DLL Hijack - Security
Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program Files\Internet Explorer\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.
DD File Overwrite
Detects potential overwriting and deletion of a file using DD.
Decode Base64 Encoded Text
Detects usage of base64 utility to decode arbitrary base64-encoded text
Decode Base64 Encoded Text -MacOs
Detects usage of base64 utility to decode arbitrary base64-encoded text
Default Cobalt Strike Certificate
Detects the presence of default Cobalt Strike certificate in the HTTPS traffic
Default RDP Port Changed to Non Standard Port
Detects changes to the default RDP port. Remote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).
Delegated Permissions Granted For All Users
Detects when highly privileged delegated permissions are granted on behalf of all users
Delete All Scheduled Tasks
Detects the usage of schtasks with the delete flag and the asterisk symbol to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.
Delete Defender Scan ShellEx Context Menu Registry Key
Detects deletion of registry key that adds 'Scan with Defender' option in context menu. Attackers may use this to make it harder for users to scan files that are suspicious.
Delete Important Scheduled Task
Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities
Delete Volume Shadow Copies Via WMI With PowerShell
Shadow Copies deletion using operating systems utilities via PowerShell
Deleted Data Overwritten Via Cipher.EXE
Detects usage of the "cipher" built-in utility in order to overwrite deleted data from disk. Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives
Deletion of Volume Shadow Copies via WMI with PowerShell
Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil
Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script
Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil
Denied Access To Remote Desktop
This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop. Often, this event can be generated by attackers when searching for available windows servers in the network.
Deny Service Access Using Security Descriptor Tampering Via Sc.EXE
Detects suspicious DACL modifications to deny access to a service that affects critical trustees. This can be used to hide services or make them unstoppable.
Deployment AppX Package Was Blocked By AppLocker
Detects an appx package deployment that was blocked by AppLocker policy.
Deployment Deleted From Kubernetes Cluster
Detects the removal of a deployment from a Kubernetes cluster. This could indicate disruptive activity aiming to impact business operations.
Deployment Of The AppX Package Was Blocked By The Policy
Detects an appx package deployment that was blocked by the local computer policy. The following events indicate that an AppX package deployment was blocked by a policy: - Event ID 441: The package deployment operation is blocked by the "Allow deployment operations in special profiles" policy - Event ID 442: Deployments to non-system volumes are blocked by the "Disable deployment of Windows Store apps to non-system volumes" policy." - Event ID 453: Package blocked by a platform policy. - Event ID 454: Package blocked by a platform policy.
Desktop.INI Created by Uncommon Process
Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
Detected Windows Software Discovery
Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
Detected Windows Software Discovery - PowerShell
Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.