EXPLORE

EXPLORE DETECTIONS

🔍
3,281 detections found

File Recovery From Backup Via Wbadmin.EXE

Detects the recovery of files from backups via "wbadmin.exe". Attackers can restore sensitive files such as NTDS.DIT or Registry Hives from backups in order to potentially extract credentials.

T1490
Sigmamedium

File Time Attribute Change

Detect file time attribute change to hide new or changes to existing files

T1070.006
Sigmamedium

File Time Attribute Change - Linux

Detect file time attribute change to hide new or changes to existing files.

T1070.006
Sigmamedium

File With Suspicious Extension Downloaded Via Bitsadmin

Detects usage of bitsadmin downloading a file with a suspicious extension

T1197S0190T1036.003T1105
Sigmahigh

File With Uncommon Extension Created By An Office Application

Detects the creation of files with an executable or script extension by an Office application.

T1204.002
Sigmahigh

FileFix - Command Evidence in TypedPaths

Detects commonly-used chained commands and strings in the most recent 'url' value of the 'TypedPaths' key, which could be indicative of a user being targeted by the FileFix technique.

T1204.004
Sigmahigh

Files Added To An Archive Using Rar.EXE

Detects usage of "rar" to add files to an archive for potential compression. An adversary may compress data (e.g. sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.

T1560.001
Sigmalow

Files With System DLL Name In Unsuspected Locations

Detects the creation of a file with the ".dll" extension that has the name of a System DLL in uncommon or unsuspected locations. (Outisde of "System32", "SysWOW64", etc.). It is highly recommended to perform an initial baseline before using this rule in production.

T1036.005
Sigmamedium

Files With System Process Name In Unsuspected Locations

Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.). It is highly recommended to perform an initial baseline before using this rule in production.

T1036.005
Sigmamedium

Filter Driver Unloaded Via Fltmc.EXE

Detect filter driver unloading activity via fltmc.exe

T1070T1685T1685.001
Sigmamedium

Findstr GPP Passwords

Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt.

T1552.006
Sigmahigh

Findstr Launching .lnk File

Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack

T1036T1202T1027.003
Sigmamedium

Finger.EXE Execution

Detects execution of the "finger.exe" utility. Finger.EXE or "TCPIP Finger Command" is an old utility that is still present on modern Windows installation. It Displays information about users on a specified remote computer (typically a UNIX computer) that is running the finger service or daemon. Due to the old nature of this utility and the rareness of machines having the finger service. Any execution of "finger.exe" can be considered "suspicious" and worth investigating.

T1105
Sigmahigh

Firewall Configuration Discovery Via Netsh.EXE

Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems

T1016
Sigmalow

Firewall Disabled via Netsh.EXE

Detects netsh commands that turns off the Windows firewall

T1686.003S0108
Sigmamedium

Firewall Rule Deleted Via Netsh.EXE

Detects the removal of a port or application rule in the Windows Firewall configuration using netsh

T1686.003
Sigmamedium

Firewall Rule Modified In The Windows Firewall Exception List

Detects when a rule has been modified in the Windows firewall exception list

T1686.003
Sigmalow

Firewall Rule Update Via Netsh.EXE

Detects execution of netsh with the "advfirewall" and the "set" option in order to set new values for properties of a existing rule

Sigmamedium

First Time Seen Remote Named Pipe

This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes

T1021.002
Sigmahigh

First Time Seen Remote Named Pipe - Zeek

This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes

T1021.002
Sigmahigh

Flash Player Update from Suspicious Location

Detects a flashplayer update from an unofficial location

T1189T1204.002T1036.005
Sigmahigh

Flush Iptables Ufw Chain

Detect use of iptables to flush all firewall rules, tables and chains and allow all network traffic

T1686
Sigmamedium

Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet

Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.

T1074.001
Sigmamedium

Folder Removed From Exploit Guard ProtectedFolders List - Registry

Detects the removal of folders from the "ProtectedFolders" list of of exploit guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder

T1685
Sigmahigh
PreviousPage 32 of 137Next