EXPLORE
Sign In

EXPLORE DETECTIONS

🔍
All SourcesSigmaSplunk ESCUElasticKQLSublimeCrowdStrike
3,252 detections found

Esentutl Steals Browser Information

One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe

T1005
Sigmamedium

Esentutl Volume Shadow Copy Service Keys

Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\\System\\CurrentControlSet\\Services\\VSS\\Diag\\VolSnap\\Volume are captured.

T1003.002
Sigmahigh

ESXi Account Creation Via ESXCLI

Detects user account creation on ESXi system via esxcli

T1136T1059.012
Sigmamedium

ESXi Admin Permission Assigned To Account Via ESXCLI

Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account.

T1059.012T1098
Sigmahigh

ESXi Network Configuration Discovery Via ESXCLI

Detects execution of the "esxcli" command with the "network" flag in order to retrieve information about the network configuration.

T1033T1007T1059.012
Sigmamedium

ESXi Storage Information Discovery Via ESXCLI

Detects execution of the "esxcli" command with the "storage" flag in order to retrieve information about the storage status and other related information. Seen used by malware such as DarkSide and LockBit.

T1033T1007T1059.012
Sigmamedium

ESXi Syslog Configuration Change Via ESXCLI

Detects changes to the ESXi syslog configuration via "esxcli"

T1562.001T1562.003T1059.012
Sigmamedium

ESXi System Information Discovery Via ESXCLI

Detects execution of the "esxcli" command with the "system" flag in order to retrieve information about the different component of the system. Such as accounts, modules, NTP, etc.

T1033T1007T1059.012
Sigmamedium

ESXi VM Kill Via ESXCLI

Detects execution of the "esxcli" command with the "vm" and "kill" flag in order to kill/shutdown a specific VM.

T1059.012T1529
Sigmamedium

ESXi VM List Discovery Via ESXCLI

Detects execution of the "esxcli" command with the "vm" flag in order to retrieve information about the installed VMs.

T1033T1007T1059.012
Sigmamedium

ESXi VSAN Information Discovery Via ESXCLI

Detects execution of the "esxcli" command with the "vsan" flag in order to retrieve information about virtual storage. Seen used by malware such as DarkSide.

T1033T1007T1059.012
Sigmamedium

ETW Logging Disabled For rpcrt4.dll

Detects changes to the "ExtErrorInformation" key in order to disable ETW logging for rpcrt4.dll

T1112T1562
Sigmalow

ETW Logging Disabled For SCM

Detects changes to the "TracingDisabled" key in order to disable ETW logging for services.exe (SCM)

T1112T1562
Sigmalow

ETW Logging Disabled In .NET Processes - Registry

Potential adversaries stopping ETW providers recording loaded .NET assemblies.

T1112T1562
Sigmahigh

ETW Logging Disabled In .NET Processes - Sysmon Registry

Potential adversaries stopping ETW providers recording loaded .NET assemblies.

T1112T1562
Sigmahigh

ETW Logging Tamper In .NET Processes Via CommandLine

Detects changes to environment variables related to ETW logging via the CommandLine. This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.

T1562
Sigmahigh

ETW Logging/Processing Option Disabled On IIS Server

Detects changes to of the IIS server configuration in order to disable/remove the ETW logging/processing option.

T1562.002T1505.004
Sigmamedium

ETW Trace Evasion Activity

Detects command line activity that tries to clear or disable any ETW trace log which could be a sign of logging evasion.

T1070T1562.006
Sigmahigh

Eventlog Cleared

One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution

T1070.001
Sigmamedium

EventLog EVTX File Deleted

Detects the deletion of the event log files which may indicate an attempt to destroy forensic evidence

T1070
Sigmamedium

EventLog Query Requests By Builtin Utilities

Detect attempts to query the contents of the event log using command line utilities. Attackers use this technique in order to look for sensitive information in the logs such as passwords, usernames, IPs, etc.

T1552
Sigmamedium

EVTX Created In Uncommon Location

Detects the creation of new files with the ".evtx" extension in non-common or non-standard location. This could indicate tampering with default EVTX locations in order to evade security controls or simply exfiltration of event log to search for sensitive information within. Note that backup software and legitimate administrator might perform similar actions during troubleshooting.

T1562.002
Sigmamedium

Exchange PowerShell Cmdlet History Deleted

Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence

T1070
Sigmahigh

Exchange PowerShell Snap-Ins Usage

Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27

T1059.001T1114
Sigmahigh
PreviousPage 28 of 136Next