EXPLORE DETECTIONS
DumpStack.log Defender Evasion
Detects the use of the filename DumpStack.log to evade Microsoft Defender
Dynamic .NET Compilation Via Csc.EXE
Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.
Dynamic .NET Compilation Via Csc.EXE - Hunting
Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.
Dynamic CSharp Compile Artefact
When C# is compiled dynamically, a .cmdline file will be created as a part of the process. Certain processes are not typically observed compiling C# code, but can do so without touching disk. This can be used to unpack a payload for execution
Elevated System Shell Spawned
Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges. Use this rule to hunt for potential suspicious processes.
Elevated System Shell Spawned From Uncommon Parent Location
Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges from a uncommon parent location.
Email Exifiltration Via Powershell
Detects email exfiltration via powershell cmdlets
Enable BPF Kprobes Tracing
Detects common command used to enable bpf kprobes tracing
Enable LM Hash Storage
Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes. By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
Enable LM Hash Storage - ProcCreation
Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes. By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
Enable Local Manifest Installation With Winget
Detects changes to the AppInstaller (winget) policy. Specifically the activation of the local manifest installation, which allows a user to install new packages via custom manifests.
Enable Microsoft Dynamic Data Exchange
Enable Dynamic Data Exchange protocol (DDE) in all supported editions of Microsoft Word or Excel.
Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback
Detects enabling of the "AllowAnonymousCallback" registry value, which allows a remote connection between computers that do not have a trust relationship.
Enable Windows Remote Management
Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
Enabled User Right in AD to Control User Objects
Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.
Enabling COR Profiler Environment Variables
Detects .NET Framework CLR and .NET Core CLR "cor_enable_profiling" and "cor_profiler" variables being set and configured.
End User Consent
Detects when an end user consents to an application
End User Consent Blocked
Detects when end user consent is blocked due to risk-based consent.
Enumerate All Information With Whoami.EXE
Detects the execution of "whoami.exe" with the "/all" flag
Enumerate Credentials from Windows Credential Manager With PowerShell
Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.
Enumeration for 3rd Party Creds From CLI
Detects processes that query known 3rd party registry keys that holds credentials via commandline
Enumeration for Credentials in Registry
Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services
Equation Group Indicators
Detects suspicious shell commands used in various Equation Group scripts and tools
Esentutl Gather Credentials
Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module pwgrab.