EXPLORE DETECTIONS

3,252 detections found

Devtoolslauncher.exe Executes Specified Binary

Detects Devtoolslauncher.exe being used to execute another binary.

T1218
Sigma (high)

Dfsvc.EXE Initiated Network Connection Over Uncommon Port

Detects an initiated network connection over uncommon ports from "dfsvc.exe", a utility used to handle ClickOnce applications.

T1203
Sigma (high)

Dfsvc.EXE Network Connection To Non-Local IPs

Detects network connections to non-local IPs from "dfsvc.exe", a utility used to handle ClickOnce applications.

T1203
Sigma (medium)

DHCP Callout DLL Installation

Detects the installation of a Callout DLL via the CalloutDlls and CalloutEnabled registry parameters, which can be used to execute code in the context of the DHCP server (a restart is required).

T1574.001, T1112
Sigma (high)

DHCP Server Error Failed Loading the CallOut DLL

This rule detects a DHCP server error in which a Callout DLL specified in the registry could not be loaded.

T1574.001
Sigma (high)

DHCP Server Loaded the CallOut DLL

This rule detects a DHCP server loading a Callout DLL specified in the registry.

T1574.001
Sigma (high)

Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE

Detects both the CVE-2022-30190 (Follina) and DogWalk vulnerabilities, which exploit the msdt.exe binary to load the "sdiageng.dll" library.

T1202
Sigma (high)

DiagTrackEoP Default Login Username

Detects the default "UserName" used by the DiagTrackEoP POC.

Sigma (critical)

Direct Autorun Keys Modification

Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.

T1547.001
Sigma (medium)

Directory Removal Via Rmdir

Detects execution of the built-in "rmdir" command to delete directories. Adversaries may delete files left behind by their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces indicating what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.

T1070.004
Sigma (low)

Directory Service Restore Mode (DSRM) Registry Value Tampering

Detects changes to the "DsrmAdminLogonBehavior" registry value. During a Domain Controller (DC) promotion, administrators create a Directory Services Restore Mode (DSRM) local administrator account with a password that rarely changes. The DSRM account is an "Administrator" account that logs in when the server boots into DSRM mode to restore AD backups or recover the server from a failure. Attackers could abuse the DSRM account to maintain persistence and access to the organization's Active Directory. If "DsrmAdminLogonBehavior" is set to "0", the account can only be used if the DC starts in DSRM. If it is set to "1", the account can only be used if the local AD DS service is stopped. If it is set to "2", the account can always be used.

T1556
Sigma (high)

DirectorySearcher Powershell Exploitation

Detects use of DirectorySearcher in PowerShell to enumerate Active Directory for computers joined to the domain.

T1018
Sigma (medium)

DirLister Execution

Detects the usage of "DirLister.exe", a utility for quickly listing folder or drive contents. It was seen used by BlackCat ransomware to create a list of accessible directories and files.

T1083
Sigma (low)

Disable Administrative Share Creation at Startup

Detects disabling of administrative share creation at startup. Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system.

T1070.005
Sigma (medium)

Disable Exploit Guard Network Protection on Windows Defender

Detects disabling of Windows Defender Exploit Guard Network Protection.

T1562.001
Sigma (medium)

Disable Important Scheduled Task

Detects adversaries stopping services or processes by disabling their respective scheduled tasks in order to conduct data-destructive activities.

T1489
Sigma (high)

Disable Internal Tools or Feature in Registry

Detects registry modifications that change features of internal Windows tools (malware such as Agent Tesla uses this technique).

T1112
Sigma (medium)

Disable Macro Runtime Scan Scope

Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros.

Sigma (high)

Disable Microsoft Defender Firewall via Registry

Detects disabling of the Microsoft Defender Firewall via the registry. Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage.

T1562.004
Sigma (medium)

Disabling of ETW Trace - PowerShell

Detects usage of PowerShell cmdlets to disable or remove ETW trace sessions.

T1070, T1562.006
Sigma (high)

Disable Or Stop Services

Detects the usage of utilities such as 'systemctl' or 'service' to stop or disable tools and services.

Sigma (medium)

Disable PowerShell Command History

Detects scripts or commands that disable the PowerShell command history by removing the psreadline module.

T1070.003
Sigma (high)

Disable Privacy Settings Experience in Registry

Detects registry modifications that disable the Privacy Settings Experience.

T1562.001
Sigma (medium)

Disable PUA Protection on Windows Defender

Detects disabling of Windows Defender PUA protection.

T1562.001
Sigma (high)

Page 22 of 136