EXPLORE

EXPLORE DETECTIONS

🔍
3,281 detections found

Discovery of a System Time

Identifies use of various commands to query a systems time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.

T1124
Sigmalow

Discovery Using AzureHound

Detects AzureHound (A BloodHound data collector for Microsoft Azure) activity via the default User-Agent that is used during its operation after successful authentication.

T1087.004T1526
Sigmahigh

Disk Image Creation Via Hdiutil - MacOS

Detects the execution of the hdiutil utility in order to create a disk image.

Sigmamedium

Disk Image Mounting Via Hdiutil - MacOS

Detects the execution of the hdiutil utility in order to mount disk images.

T1566.001T1560.001
Sigmamedium

Diskshadow Child Process Spawned

Detects any child process spawning from "Diskshadow.exe". This could be due to executing Diskshadow in interpreter mode or script mode and using the "exec" flag to launch other applications.

T1218
Sigmamedium

Diskshadow Script Mode - Execution From Potential Suspicious Location

Detects execution of "Diskshadow.exe" in script mode using the "/s" flag where the script is located in a potentially suspicious location.

T1218
Sigmamedium

Diskshadow Script Mode - Uncommon Script Extension Execution

Detects execution of "Diskshadow.exe" in script mode to execute an script with a potentially uncommon extension. Initial baselining of the allowed extension list is required.

T1218
Sigmamedium

Diskshadow Script Mode Execution

Detects execution of "Diskshadow.exe" in script mode using the "/s" flag. Attackers often abuse "diskshadow" to execute scripts that deleted the shadow copies on the systems. Investigate the content of the scripts and its location.

T1218
Sigmamedium

Dism Remove Online Package

Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images

T1685
Sigmamedium

Displaying Hidden Files Feature Disabled

Detects modifications to the "Hidden" and "ShowSuperHidden" explorer registry values in order to disable showing of hidden files and system files. This technique is abused by several malware families to hide their files from normal users.

T1564.001
Sigmamedium

Django Framework Exceptions

Detects suspicious Django web application framework exceptions that could indicate exploitation attempts

T1190
Sigmamedium

DLL Call by Ordinal Via Rundll32.EXE

Detects calls of DLLs exports by ordinal numbers via rundll32.dll.

T1218.011
Sigmamedium

DLL Execution via Rasautou.exe

Detects using Rasautou.exe for loading arbitrary .DLL specified in -d option and executes the export specified in -p.

T1218
Sigmamedium

DLL Execution Via Register-cimprovider.exe

Detects using register-cimprovider.exe to execute arbitrary dll file.

T1574
Sigmamedium

DLL Load By System Process From Suspicious Locations

Detects when a system process (i.e. located in system32, syswow64, etc.) loads a DLL from a suspicious location or a location with permissive permissions such as "C:\Users\Public"

T1070
Sigmamedium

DLL Load via LSASS

Detects a method to load DLL via LSASS process using an undocumented Registry key

T1547.008
Sigmahigh

DLL Loaded From Suspicious Location Via Cmspt.EXE

Detects cmstp loading "dll" or "ocx" files from suspicious locations

T1218.003
Sigmahigh

DLL Loaded via CertOC.EXE

Detects when a user installs certificates by using CertOC.exe to loads the target DLL file.

T1218
Sigmamedium

DLL Search Order Hijackig Via Additional Space in Path

Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...) but with a space in order to trick DLL load search order and perform a "DLL Search Order Hijacking" attack

T1574.001
Sigmahigh

DLL Sideloading by VMware Xfer Utility

Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL

T1574.001
Sigmahigh

DLL Sideloading Of ShellChromeAPI.DLL

Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary in combination with the "PhoneDeepLink" flag tries to load this DLL. Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter

T1574.001
Sigmahigh

Dllhost.EXE Execution Anomaly

Detects a "dllhost" process spawning with no commandline arguments which is very rare to happen and could indicate process injection activity or malware mimicking similar system processes.

T1055
Sigmahigh

Dllhost.EXE Initiated Network Connection To Non-Local IP Address

Detects Dllhost.EXE initiating a network connection to a non-local IP address. Aside from Microsoft own IP range that needs to be excluded. Network communication from Dllhost will depend entirely on the hosted DLL. An initial baseline is recommended before deployment.

T1218T1559.001
Sigmamedium

DllUnregisterServer Function Call Via Msiexec.EXE

Detects MsiExec loading a DLL and calling its DllUnregisterServer function

T1218.007
Sigmamedium
PreviousPage 24 of 137Next