EXPLORE

EXPLORE DETECTIONS

🔍
3,281 detections found

File Deleted Via Sysinternals SDelete

Detects the deletion of files by the Sysinternals SDelete utility. It looks for the common name pattern used to rename files.

T1070.004
Sigmamedium

File Deletion

Detects file deletion using "rm", "shred" or "unlink" commands which are used often by adversaries to delete files left behind by the actions of their intrusion activity

T1070.004
Sigmainformational

File Deletion Via Del

Detects execution of the builtin "del"/"erase" commands in order to delete files. Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.

T1070.004
Sigmalow

File Download And Execution Via IEExec.EXE

Detects execution of the IEExec utility to download and execute files

T1105
Sigmahigh

File Download From Browser Process Via Inline URL

Detects execution of a browser process with a URL argument pointing to a file with a potentially interesting extension. This can be abused to download arbitrary files or to hide from the user for example by launching the browser in a minimized state.

T1105
Sigmamedium

File Download From IP Based URL Via CertOC.EXE

Detects when a user downloads a file from an IP based URL using CertOC.exe

T1105
Sigmahigh

File Download From IP URL Via Curl.EXE

Detects file downloads directly from IP address URL using curl.exe

Sigmamedium

File Download Using Notepad++ GUP Utility

Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.

T1105
Sigmahigh

File Download Using ProtocolHandler.exe

Detects usage of "ProtocolHandler" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)

T1218
Sigmamedium

File Download Via Bitsadmin

Detects usage of bitsadmin downloading a file

T1197S0190T1036.003T1105
Sigmamedium

File Download Via Bitsadmin To A Suspicious Target Folder

Detects usage of bitsadmin downloading a file to a suspicious target folder

T1197S0190T1036.003T1105
Sigmahigh

File Download via CertOC.EXE

Detects when a user downloads a file by using CertOC.exe

T1105
Sigmamedium

File Download Via Curl.EXE

Detects file download using curl.exe

T1105
Sigmamedium

File Download Via InstallUtil.EXE

Detects use of .NET InstallUtil.exe in order to download arbitrary files. The files will be written to "%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\"

T1218
Sigmamedium

File Download Via Nscurl - MacOS

Detects the execution of the nscurl utility in order to download files.

T1105
Sigmamedium

File Download Via Windows Defender MpCmpRun.EXE

Detects the use of Windows Defender MpCmdRun.EXE to download files

T1218T1105
Sigmahigh

File Download with Headless Browser

Detects execution of chromium based browser in headless mode using the "dump-dom" command line to download files

T1105T1564.003
Sigmahigh

File Encoded To Base64 Via Certutil.EXE

Detects the execution of certutil with the "encode" flag to encode a file to base64. This can be abused by threat actors and attackers for data exfiltration

T1027
Sigmamedium

File Encryption Using Gpg4win

Detects usage of Gpg4win to encrypt files

Sigmamedium

File Encryption/Decryption Via Gpg4win From Suspicious Locations

Detects usage of Gpg4win to encrypt/decrypt files located in potentially suspicious locations.

Sigmahigh

File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell

Detects the initial execution of "cmd.exe" which spawns "explorer.exe" with the appropriate command line arguments for opening the "My Computer" folder.

T1135
Sigmahigh

File In Suspicious Location Encoded To Base64 Via Certutil.EXE

Detects the execution of certutil with the "encode" flag to encode a file to base64 where the files are located in potentially suspicious locations

T1027
Sigmahigh

File or Folder Permissions Change

Detects file and folder permission changes.

T1222.002
Sigmalow

File or Folder Permissions Modifications

Detects a file or folder's permissions being modified or tampered with.

T1222.001
Sigmamedium
PreviousPage 31 of 137Next