GoToAssist Temporary Installation Artefact
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
Gpresult Display Group Policy Information
Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information
Gpscript Execution
Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts configured in Group Policy
Granting Of Permissions To An Account
Identifies IPs from which users grant access to other users on Azure resources and alerts when a previously unseen source IP address is used.
Greedy File Deletion Using Del
Detects execution of the "del" builtin command to remove files using a greedy/wildcard expression. This is often used by malware to delete the content of folders that perhaps contain the initial malware infection or to delete evidence.
Group Has Been Deleted Via Groupdel
Detects execution of the "groupdel" binary, which is used to delete a group. This is sometimes abused by threat actors in order to cover their tracks.
Group Membership Reconnaissance Via Whoami.EXE
Detects the execution of whoami.exe with the /group command line flag to show group membership for the current user, account type, security identifiers (SID), and attributes.
Group Policy Abuse for Privilege Addition
Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.
Guacamole Two Users Sharing Session Anomaly
Detects a suspicious session with two users present
Guest Account Enabled Via Sysadminctl
Detects attempts to enable the guest account using the sysadminctl utility
Guest User Invited By Non Approved Inviters
Detects when a user that doesn't have permissions to invite a guest user attempts to invite one.
Guest Users Invited To Tenant By Non Approved Inviters
Detects guest users being invited to tenant by non-approved inviters
GUI Input Capture - macOS
Detects attempts to use system dialog prompts to capture user credentials
Gzip Archive Decode Via PowerShell
Detects attempts to decode encoded Gzip archives via PowerShell.
Hack Tool User Agent
Detects suspicious user agent strings used by hack tools in proxy logs
HackTool - ADCSPwn Execution
Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an Active Directory network by coercing authentication from machine accounts and relaying it to the certificate service
HackTool - BabyShark Agent Default URL Pattern
Detects Baby Shark C2 Framework default communication patterns
HackTool - Bloodhound/Sharphound Execution
Detects command line parameters used by Bloodhound and Sharphound hack tools
HackTool - CACTUSTORCH Remote Thread Creation
Detects remote thread creation from CACTUSTORCH as described in references.
HackTool - Certify Execution
Detects Certify, a tool for Active Directory certificate abuse, based on PE metadata characteristics and common command line arguments.
HackTool - Certipy Execution
Detects the execution of Certipy, a tool for Active Directory Certificate Services enumeration and abuse, based on PE metadata characteristics and common command line arguments.
HackTool - CobaltStrike BOF Injection Pattern
Detects a typical pattern of a CobaltStrike BOF which injects into other processes
HackTool - CobaltStrike Malleable Profile Patterns - Proxy
Detects Cobalt Strike malleable profile patterns (URI, User-Agents, Methods).
HackTool - CoercedPotato Execution
Detects the use of CoercedPotato, a tool for privilege escalation