EXPLORE

EXPLORE DETECTIONS

🔍
3,281 detections found

DMP/HDMP File Creation

Detects the creation of a file with the ".dmp"/".hdmp" extension. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determine the source of the crash.

Sigmalow

DMSA Link Attributes Modified

Detects modification of dMSA link attributes (msDS-ManagedAccountPrecededByLink) via PowerShell scripts. This command line pattern could be an indicator an attempt to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025.

T1078.002T1098
Sigmalow

DMSA Service Account Created in Specific OUs - PowerShell

Detects the creation of a dMSA service account using the New-ADServiceAccount cmdlet in certain OUs. The fact that the cmdlet is used to create a dMSASvc account in a specific OU is highly suspicious. It is a pattern trying to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025. On top of that, if the user that is creating the dMSASvc account is not a legitimate administrator or does not have the necessary permissions, it is a strong signal of an attempted or successful abuse of the BaDSuccessor vulnerability for privilege escalation within the Windows Server 2025 Active Directory environment.

T1078.002T1098
Sigmamedium

DNS Events Related To Mining Pools

Identifies clients that may be performing DNS lookups associated with common currency mining pools.

T1569.002T1496
Sigmalow

DNS Exfiltration and Tunneling Tools Execution

Well-known DNS Exfiltration tools execution

T1048.001T1071.004T1132.001
Sigmahigh

DNS HybridConnectionManager Service Bus

Detects Azure Hybrid Connection Manager services querying the Azure service bus service

T1554
Sigmahigh

DNS Query by Finger Utility

Detects DNS queries made by the finger utility, which can be abused by threat actors to retrieve remote commands for execution on Windows devices. In one ClickFix malware campaign, adversaries leveraged the finger protocol to fetch commands from a remote server. Since the finger utility is not commonly used in modern Windows environments, its presence already raises suspicion. Investigating such DNS queries can also help identify potential malicious infrastructure used by threat actors for command and control (C2) communication.

T1071.004T1059.003
Sigmahigh

DNS Query for Anonfiles.com Domain - DNS Client

Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes

T1567.002
Sigmahigh

DNS Query for Anonfiles.com Domain - Sysmon

Detects DNS queries for "anonfiles.com", which is an anonymous file upload platform often used for malicious purposes

T1567.002
Sigmahigh

DNS Query Request By QuickAssist.EXE

Detects DNS queries initiated by "QuickAssist.exe" to Microsoft Quick Assist primary endpoint that is used to establish a session.

T1071.001T1210
Sigmalow

DNS Query Request By Regsvr32.EXE

Detects DNS queries initiated by "Regsvr32.exe"

T1559.001T1218.010
Sigmamedium

DNS Query Request To OneLaunch Update Service

Detects DNS query requests to "update.onelaunch.com". This domain is associated with the OneLaunch adware application. When the OneLaunch application is installed it will attempt to get updates from this domain.

T1056
Sigmalow

DNS Query To AzureWebsites.NET By Non-Browser Process

Detects a DNS query by a non browser process on the system to "azurewebsites.net". The latter was often used by threat actors as a malware hosting and exfiltration site.

T1219.002
Sigmamedium

DNS Query To Common Malware Hosting and Shortener Services

Detects DNS queries to domains commonly used by threat actors to host malware payloads or redirect through URL shorteners. These include platforms like Cloudflare Workers, TryCloudflare, InfinityFree, and URL shorteners such as tinyurl and lihi.cc. Such DNS activity can indicate potential delivery or command-and-control communication attempts.

T1071.004
Sigmamedium

DNS Query To Devtunnels Domain

Detects DNS query requests to Devtunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.

T1071.001T1572
Sigmamedium

DNS Query to External Service Interaction Domains

Detects suspicious DNS queries to external service interaction domains often used for out-of-band interactions after successful RCE

T1190T1595.002
Sigmahigh

DNS Query To MEGA Hosting Website

Detects DNS queries for subdomains related to MEGA sharing website

T1567.002
Sigmamedium

DNS Query To MEGA Hosting Website - DNS Client

Detects DNS queries for subdomains related to MEGA sharing website

T1567.002
Sigmamedium

DNS Query To Put.io - DNS Client

Detects DNS queries for subdomains related to "Put.io" sharing website.

Sigmamedium

DNS Query To Remote Access Software Domain From Non-Browser App

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

T1219.002
Sigmamedium

DNS Query To Ufile.io

Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration

T1567.002
Sigmalow

DNS Query To Ufile.io - DNS Client

Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration

T1567.002
Sigmalow

DNS Query To Visual Studio Code Tunnels Domain

Detects DNS query requests to Visual Studio Code tunnel domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.

T1071.001
Sigmamedium

DNS Query Tor .Onion Address - Sysmon

Detects DNS queries to an ".onion" address related to Tor routing networks

T1090.003
Sigmahigh
PreviousPage 25 of 137Next