EXPLORE

EXPLORE DETECTIONS

🔍
3,281 detections found

Exports Critical Registry Keys To a File

Detects the export of a crital Registry key to a file.

T1012
Sigmahigh

Exports Registry Key To a File

Detects the export of the target Registry key to a file.

T1012
Sigmalow

Exports Registry Key To an Alternate Data Stream

Exports the target Registry key and hides it in the specified alternate data stream.

T1564.004
Sigmahigh

External Disk Drive Or USB Storage Device Was Recognized By The System

Detects external disk drives or plugged-in USB devices.

T1091T1200
Sigmalow

External Remote RDP Logon from Public IP

Detects successful logon from public IP address via RDP. This can indicate a publicly-exposed RDP port.

T1133T1078T1110
Sigmamedium

External Remote SMB Logon from Public IP

Detects successful logon from public IP address via SMB. This can indicate a publicly-exposed SMB port.

T1133T1078T1110
Sigmahigh

Extracting Information with PowerShell

Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.

T1552.001
Sigmamedium

F5 BIG-IP iControl Rest API Command Execution - Proxy

Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP

T1190
Sigmamedium

F5 BIG-IP iControl Rest API Command Execution - Webserver

Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP

T1190
Sigmamedium

Failed Authentications From Countries You Do Not Operate Out Of

Detect failed authentications from countries you do not operate out of.

T1078.004T1110
Sigmalow

Failed Code Integrity Checks

Detects code integrity failures such as missing page hashes or corrupted drivers due unauthorized modification. This could be a sign of tampered binaries.

T1027.001
Sigmainformational

Failed DNS Zone Transfer

Detects when a DNS zone transfer failed.

T1590.002
Sigmamedium

Failed Event Log Clear Via WMI NTEventLogFile ClearEventLog

Detects failed attempts to clear Windows event logs via the WMI NTEventLogFile ClearEventLog method. Event 5858 in the WMI-Activity operational log is an error event, meaning it is only generated when the WMI operation encounters an error (e.g. access denied, provider failure). It could be an indication of an attacker attempting to clear event logs via WMI, but failing due to insufficient privileges or other issues. Successful clearing operations will NOT produce this event; for those, correlate with Security event 1102 or System event 104.

T1685.005
Sigmamedium

Failed Logon From Public IP

Detects a failed logon attempt from a public IP. A login from a public IP can indicate a misconfigured firewall or network boundary.

T1078T1190T1133
Sigmamedium

Failed MSExchange Transport Agent Installation

Detects a failed installation of a Exchange Transport Agent

T1505.002
Sigmahigh

Fax Service DLL Search Order Hijack

The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.

T1574.001
Sigmahigh

File Access Of Signal Desktop Sensitive Data

Detects access to Signal Desktop's sensitive data files: db.sqlite and config.json. The db.sqlite file in Signal Desktop stores all locally saved messages in an encrypted SQLite database, while the config.json contains the decryption key needed to access that data. Since the key is stored in plain text, a threat actor who gains access to both files can decrypt and read sensitive messages without needing the users credentials. Currently the rule only covers the default Signal installation path in AppData\Roaming. Signal Portable installations may use different paths based on user configuration. Additional paths can be added to the selection as needed.

T1003
Sigmamedium

File and Directory Discovery - Linux

Detects usage of system utilities such as "find", "tree", "findmnt", etc, to discover files, directories and network shares.

T1083
Sigmainformational

File and Directory Discovery - MacOS

Detects usage of system utilities to discover files and directories

T1083
Sigmainformational

File And SubFolder Enumeration Via Dir Command

Detects usage of the "dir" command part of Windows CMD with the "/S" command line flag in order to enumerate files in a specified directory and all subdirectories.

T1217
Sigmalow

File Creation Date Changed to Another Year

Detects when the file creation time is changed to a year before 2020. Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system. Note that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity. In order to use this rule in production, it is recommended first baseline normal behavior in your environment and then tune the rule accordingly. Hunting Recommendation: Focus on files with creation times set to years significantly before the current date, especially those in user-writable directories. Correlate with process execution logs to identify the source of the modification and investigate any unsigned or suspicious binaries involved.

T1070.006
Sigmalow

File Creation In Suspicious Directory By Msdt.EXE

Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities

T1547.001
Sigmahigh

File Decoded From Base64/Hex Via Certutil.EXE

Detects the execution of certutil with either the "decode" or "decodehex" flags to decode base64 or hex encoded files. This can be abused by attackers to decode an encoded payload before execution

T1027
Sigmahigh

File Decryption Using Gpg4win

Detects usage of Gpg4win to decrypt files

Sigmamedium
PreviousPage 30 of 137Next