EXPLORE

EXPLORE DETECTIONS

🔍
3,281 detections found

Dump Credentials from Windows Credential Manager With PowerShell

Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.

T1555
Sigmamedium

Dump Ntds.dit To Suspicious Location

Detects potential abuse of ntdsutil to dump ntds.dit database to a suspicious location

Sigmamedium

Dumping of Sensitive Hives Via Reg.EXE

Detects the usage of "reg.exe" in order to dump sensitive registry hives. This includes SAM, SYSTEM and SECURITY hives.

T1003.002T1003.004T1003.005
Sigmahigh

Dumping Process via Sqldumper.exe

Detects process dump via legitimate sqldumper.exe binary

T1003.001
Sigmamedium

DumpMinitool Execution

Detects the use of "DumpMinitool.exe" a tool that allows the dump of process memory via the use of the "MiniDumpWriteDump"

T1036T1003.001
Sigmamedium

DumpStack.log Defender Evasion

Detects the use of the filename DumpStack.log to evade Microsoft Defender

Sigmacritical

Dynamic .NET Compilation Via Csc.EXE

Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.

T1027.004
Sigmamedium

Dynamic .NET Compilation Via Csc.EXE - Hunting

Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.

T1027.004
Sigmamedium

Dynamic CSharp Compile Artefact

When C# is compiled dynamically, a .cmdline file will be created as a part of the process. Certain processes are not typically observed compiling C# code, but can do so without touching disk. This can be used to unpack a payload for execution

T1027.004
Sigmalow

Elevated System Shell Spawned

Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges. Use this rule to hunt for potential suspicious processes.

T1059
Sigmamedium

Elevated System Shell Spawned From Uncommon Parent Location

Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges from a uncommon parent location.

T1059
Sigmamedium

Email Exifiltration Via Powershell

Detects email exfiltration via powershell cmdlets

Sigmahigh

Enable BPF Kprobes Tracing

Detects common command used to enable bpf kprobes tracing

Sigmamedium

Enable LM Hash Storage

Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes. By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.

T1112
Sigmahigh

Enable LM Hash Storage - ProcCreation

Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes. By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.

T1112
Sigmahigh

Enable Local Manifest Installation With Winget

Detects changes to the AppInstaller (winget) policy. Specifically the activation of the local manifest installation, which allows a user to install new packages via custom manifests.

Sigmamedium

Enable Microsoft Dynamic Data Exchange

Enable Dynamic Data Exchange protocol (DDE) in all supported editions of Microsoft Word or Excel.

T1559.002
Sigmamedium

Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback

Detects enabling of the "AllowAnonymousCallback" registry value, which allows a remote connection between computers that do not have a trust relationship.

T1685
Sigmamedium

Enable Windows Remote Management

Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.

T1021.006
Sigmamedium

Enabled User Right in AD to Control User Objects

Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.

T1098
Sigmahigh

Enabling COR Profiler Environment Variables

Detects .NET Framework CLR and .NET Core CLR "cor_enable_profiling" and "cor_profiler" variables being set and configured.

T1574.012
Sigmamedium

End User Consent

Detects when an end user consents to an application

T1528
Sigmalow

End User Consent Blocked

Detects when end user consent is blocked due to risk-based consent.

T1528
Sigmamedium

Enumerate All Information With Whoami.EXE

Detects the execution of "whoami.exe" with the "/all" flag

T1033
Sigmamedium
PreviousPage 27 of 137Next