EXPLORE

EXPLORE DETECTIONS

🔍
3,281 detections found

Enumerate Credentials from Windows Credential Manager With PowerShell

Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.

T1555
Sigmamedium

Enumeration for 3rd Party Creds From CLI

Detects processes that query known 3rd party registry keys that holds credentials via commandline

T1552.002
Sigmamedium

Enumeration for Credentials in Registry

Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services

T1552.002
Sigmamedium

Equation Group Indicators

Detects suspicious shell commands used in various Equation Group scripts and tools

G0020T1059.004
Sigmahigh

Esentutl Gather Credentials

Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module pwgrab.

T1003T1003.003S0404
Sigmamedium

Esentutl Steals Browser Information

One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe

T1005
Sigmamedium

Esentutl Volume Shadow Copy Service Keys

Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\\System\\CurrentControlSet\\Services\\VSS\\Diag\\VolSnap\\Volume are captured.

T1003.002
Sigmahigh

ESXi Account Creation Via ESXCLI

Detects user account creation on ESXi system via esxcli

T1136T1059.012
Sigmamedium

ESXi Admin Permission Assigned To Account Via ESXCLI

Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account.

T1059.012T1098
Sigmahigh

ESXi Network Configuration Discovery Via ESXCLI

Detects execution of the "esxcli" command with the "network" flag in order to retrieve information about the network configuration.

T1033T1007T1059.012
Sigmamedium

ESXi Storage Information Discovery Via ESXCLI

Detects execution of the "esxcli" command with the "storage" flag in order to retrieve information about the storage status and other related information. Seen used by malware such as DarkSide and LockBit.

T1033T1007T1059.012
Sigmamedium

ESXi Syslog Configuration Change Via ESXCLI

Detects changes to the ESXi syslog configuration via "esxcli"

T1685T1690T1059.012
Sigmamedium

ESXi System Information Discovery Via ESXCLI

Detects execution of the "esxcli" command with the "system" flag in order to retrieve information about the different component of the system. Such as accounts, modules, NTP, etc.

T1033T1007T1059.012
Sigmamedium

ESXi VM Kill Via ESXCLI

Detects execution of the "esxcli" command with the "vm" and "kill" flag in order to kill/shutdown a specific VM.

T1059.012T1529
Sigmamedium

ESXi VM List Discovery Via ESXCLI

Detects execution of the "esxcli" command with the "vm" flag in order to retrieve information about the installed VMs.

T1033T1007T1059.012
Sigmamedium

ESXi VSAN Information Discovery Via ESXCLI

Detects execution of the "esxcli" command with the "vsan" flag in order to retrieve information about virtual storage. Seen used by malware such as DarkSide.

T1033T1007T1059.012
Sigmamedium

ETW Logging Disabled For rpcrt4.dll

Detects changes to the "ExtErrorInformation" key in order to disable ETW logging for rpcrt4.dll

T1112T1685
Sigmalow

ETW Logging Disabled For SCM

Detects changes to the "TracingDisabled" key in order to disable ETW logging for services.exe (SCM)

T1112T1685
Sigmalow

ETW Logging Disabled In .NET Processes - Registry

Potential adversaries stopping ETW providers recording loaded .NET assemblies.

T1112T1685
Sigmahigh

ETW Logging Disabled In .NET Processes - Sysmon Registry

Potential adversaries stopping ETW providers recording loaded .NET assemblies.

T1112T1685
Sigmahigh

ETW Logging Tamper In .NET Processes Via CommandLine

Detects changes to environment variables related to ETW logging via the CommandLine. This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.

T1685
Sigmahigh

ETW Logging/Processing Option Disabled On IIS Server

Detects changes to of the IIS server configuration in order to disable/remove the ETW logging/processing option.

T1685.001T1505.004
Sigmamedium

ETW Trace Evasion Activity

Detects command line activity that tries to clear or disable any ETW trace log which could be a sign of logging evasion.

T1070T1685
Sigmahigh

Eventlog Cleared

One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution

T1685.005
Sigmamedium
PreviousPage 28 of 137Next