EXPLORE

EXPLORE DETECTIONS

🔍
3,281 detections found

Forfiles Command Execution

Detects the execution of "forfiles" with the "/c" flag. While this is an expected behavior of the tool, it can be abused in order to proxy execution through it with any binary. Can be used to bypass application whitelisting.

T1059
Sigmamedium

Forfiles.EXE Child Process Masquerading

Detects the execution of "forfiles" from a non-default location, in order to potentially spawn a custom "cmd.exe" from the current working directory.

T1036
Sigmahigh

FortiGate - Firewall Address Object Added

Detects the addition of firewall address objects on a Fortinet FortiGate Firewall.

T1686.002
Sigmamedium

FortiGate - New Administrator Account Created

Detects the creation of an administrator account on a Fortinet FortiGate Firewall.

T1136.001
Sigmamedium

FortiGate - New Firewall Policy Added

Detects the addition of a new firewall policy on a Fortinet FortiGate Firewall.

T1686.002
Sigmamedium

FortiGate - New Local User Created

Detects the creation of a new local user on a Fortinet FortiGate Firewall. The new local user could be used for VPN connections.

T1136.001
Sigmamedium

FortiGate - New VPN SSL Web Portal Added

Detects the addition of a VPN SSL Web Portal on a Fortinet FortiGate Firewall. This behavior was observed in pair with modification of VPN SSL settings.

T1133
Sigmamedium

FortiGate - User Group Modified

Detects the modification of a user group on a Fortinet FortiGate Firewall. The group could be used to grant VPN access to a network.

Sigmamedium

FortiGate - VPN SSL Settings Modified

Detects the modification of VPN SSL Settings (for example, the modification of authentication rules). This behavior was observed in pair with the addition of a VPN SSL Web Portal.

T1133
Sigmamedium

Fsutil Drive Enumeration

Attackers may leverage fsutil to enumerated connected drives.

T1120
Sigmalow

Fsutil Suspicious Invocation

Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc). Might be used by ransomwares during the attack (seen by NotPetya and others).

T1070T1485
Sigmahigh

FTP Connection Open Attempt Via Winscp CLI

Detects the execution of Winscp with the "-command" and the "open" flags in order to open an FTP connection. Akira ransomware was seen using this technique in order to exfiltrate data.

T1048
Sigmamedium

Function Call From Undocumented COM Interface EditionUpgradeManager

Detects function calls from the EditionUpgradeManager COM interface. Which is an interface that is not used by standard executables.

T1548.002
Sigmamedium

GAC DLL Loaded Via Office Applications

Detects any GAC DLL being loaded by an Office Product

T1204.002
Sigmahigh

Gatekeeper Bypass via Xattr

Detects macOS Gatekeeper bypass via xattr utility

T1553.001
Sigmalow

GatherNetworkInfo.VBS Reconnaissance Script Output

Detects creation of files which are the results of executing the built-in reconnaissance script "C:\Windows\System32\gatherNetworkInfo.vbs".

Sigmamedium

GCP Access Policy Deleted

Detects when an access policy that is applied to a GCP cloud resource is deleted. An adversary would be able to remove access policies to gain access to a GCP cloud resource.

T1098
Sigmamedium

GCP Break-glass Container Workload Deployed

Detects the deployment of workloads that are deployed by using the break-glass flag to override Binary Authorization controls.

T1548
Sigmamedium

Get-ADUser Enumeration Using UserAccountControl Flags

Detects AS-REP roasting is an attack that is often-overlooked. It is not very common as you have to explicitly set accounts that do not require pre-authentication.

T1033
Sigmamedium

Github Delete Action Invoked

Detects delete action in the Github audit logs for codespaces, environment, project and repo.

T1213.003
Sigmamedium

Github Fork Private Repositories Setting Enabled/Cleared

Detects when the policy allowing forks of private and internal repositories is changed (enabled or cleared).

T1020T1537
Sigmamedium

Github High Risk Configuration Disabled

Detects when a user disables a critical security feature for an organization.

T1556
Sigmahigh

Github New Secret Created

Detects when a user creates action secret for the organization, environment, codespaces or repository.

T1078.004
Sigmalow

Github Outside Collaborator Detected

Detects when an organization member or an outside collaborator is added to or removed from a project board or has their permission level changed or when an owner removes an outside collaborator from an organization or when two-factor authentication is required in an organization and an outside collaborator does not use 2FA or disables 2FA.

T1098.001T1098.003T1213.003
Sigmamedium
PreviousPage 33 of 137Next