EXPLORE

EXPLORE DETECTIONS

🔍
3,281 detections found

EventLog EVTX File Deleted

Detects the deletion of the event log files which may indicate an attempt to destroy forensic evidence

T1070
Sigmamedium

EventLog Query Requests By Builtin Utilities

Detect attempts to query the contents of the event log using command line utilities. Attackers use this technique in order to look for sensitive information in the logs such as passwords, usernames, IPs, etc.

T1552
Sigmamedium

EVTX Created In Uncommon Location

Detects the creation of new files with the ".evtx" extension in non-common or non-standard location. This could indicate tampering with default EVTX locations in order to evade security controls or simply exfiltration of event log to search for sensitive information within. Note that backup software and legitimate administrator might perform similar actions during troubleshooting.

T1685.001
Sigmamedium

Exchange PowerShell Cmdlet History Deleted

Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence

T1070
Sigmahigh

Exchange PowerShell Snap-Ins Usage

Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27

T1059.001T1114
Sigmahigh

Exchange Set OabVirtualDirectory ExternalUrl Property

Rule to detect an adversary setting OabVirtualDirectory External URL property to a script in Exchange Management log

T1505.003
Sigmahigh

Executable from Webdav

Detects executable access via webdav6. Can be seen in APT 29 such as from the emulated APT 29 hackathon https://github.com/OTRF/detection-hackathon-apt29/

T1105
Sigmamedium

Execute Code with Pester.bat

Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)

T1059.001T1216
Sigmamedium

Execute Code with Pester.bat as Parent

Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)

T1059.001T1216
Sigmamedium

Execute Files with Msdeploy.exe

Detects file execution using the msdeploy.exe lolbin

T1218
Sigmamedium

Execute From Alternate Data Streams

Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection

T1564.004
Sigmamedium

Execute Invoke-command on Remote Host

Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.

T1021.006
Sigmamedium

Execute Pcwrun.EXE To Leverage Follina

Detects indirect command execution via Program Compatibility Assistant "pcwrun.exe" leveraging the follina (CVE-2022-30190) vulnerability

T1218
Sigmahigh

Execution DLL of Choice Using WAB.EXE

This rule detects that the path to the DLL written in the registry is different from the default one. Launched WAB.exe tries to load the DLL from Registry.

T1218
Sigmahigh

Execution From Webserver Root Folder

Detects a program executing from a web server root folder. Use this rule to hunt for potential interesting activity such as webshell or backdoors

T1505.003
Sigmamedium

Execution Of Non-Existing File

Detects process creation events where the Image field lacks an absolute path, which occurs when the backing file no longer exists on disk at the time of logging - commonly caused by Process Ghosting or other unorthodox process creation techniques.

T1055
Sigmahigh

Execution of Powershell Script in Public Folder

This rule detects execution of PowerShell scripts located in the "C:\Users\Public" folder

T1059.001
Sigmahigh

Execution Of Script Located In Potentially Suspicious Directory

Detects executions of scripts located in potentially suspicious locations such as "/tmp" via a shell such as "bash", "sh", etc.

Sigmamedium

Execution of Suspicious File Type Extension

Detects whether the image specified in a process creation event doesn't refer to an ".exe" (or other known executable extension) file. This can be caused by process ghosting or other unorthodox methods to start a process. This rule might require some initial baselining to align with some third party tooling in the user environment.

Sigmamedium

Execution via stordiag.exe

Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe

T1218
Sigmahigh

Execution via WorkFolders.exe

Detects using WorkFolders.exe to execute an arbitrary control.exe

T1218
Sigmahigh

Exploit Framework User Agent

Detects suspicious user agent strings used by exploit / pentest frameworks like Metasploit in proxy logs

T1071.001
Sigmahigh

Explorer NOUACCHECK Flag

Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks

T1548.002
Sigmahigh

Explorer Process Tree Break

Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries, which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from "svchost"

T1036
Sigmamedium
PreviousPage 29 of 137Next