EXPLORE

EXPLORE DETECTIONS

🔍
3,281 detections found

Google Workspace Application Removed

Detects when an an application is removed from Google Workspace.

Sigmamedium

Google Workspace Government Attack Warning

Detects a login attempt in Google Workspace flagged as a potential attack by a government-backed threat actor

T1078
Sigmamedium

Google Workspace Granted Domain API Access

Detects when an API access service account is granted domain authority.

T1098
Sigmamedium

Google Workspace MFA Disabled

Detects when multi-factor authentication (MFA) is disabled.

Sigmamedium

Google Workspace Out Of Domain Email Forwarding

Detects automatic email forwarding to external domains in Google Workspace, which may indicate data leakage or misuse.

T1114.003
Sigmamedium

Google Workspace Role Modified or Deleted

Detects when an a role is modified or deleted in Google Workspace.

Sigmamedium

Google Workspace Role Privilege Deleted

Detects when an a role privilege is deleted in Google Workspace.

Sigmamedium

Google Workspace User Granted Admin Privileges

Detects when an Google Workspace user is granted admin privileges.

T1098
Sigmamedium

GoToAssist Temporary Installation Artefact

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

T1219.002
Sigmamedium

Gpresult Display Group Policy Information

Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information

T1615
Sigmamedium

Gpscript Execution

Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts configured in Group Policy

T1218
Sigmamedium

Granting Of Permissions To An Account

Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.

T1098.003
Sigmamedium

Greedy File Deletion Using Del

Detects execution of the "del" builtin command to remove files using greedy/wildcard expression. This is often used by malware to delete content of folders that perhaps contains the initial malware infection or to delete evidence.

T1070.004
Sigmamedium

Group Has Been Deleted Via Groupdel

Detects execution of the "groupdel" binary. Which is used to delete a group. This is sometimes abused by threat actors in order to cover their tracks

T1531
Sigmamedium

Group Membership Reconnaissance Via Whoami.EXE

Detects the execution of whoami.exe with the /group command line flag to show group membership for the current user, account type, security identifiers (SID), and attributes.

T1033
Sigmamedium

Group Policy Abuse for Privilege Addition

Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.

T1484.001
Sigmamedium

Guacamole Two Users Sharing Session Anomaly

Detects suspicious session with two users present

T1212
Sigmahigh

Guest Account Enabled Via Sysadminctl

Detects attempts to enable the guest account using the sysadminctl utility

T1078T1078.001
Sigmalow

Guest User Invited By Non Approved Inviters

Detects when a user that doesn't have permissions to invite a guest user attempts to invite one.

T1078.004
Sigmamedium

Guest Users Invited To Tenant By Non Approved Inviters

Detects guest users being invited to tenant by non-approved inviters

T1078
Sigmamedium

GUI Input Capture - macOS

Detects attempts to use system dialog prompts to capture user credentials

T1056.002
Sigmalow

Gzip Archive Decode Via PowerShell

Detects attempts of decoding encoded Gzip archives via PowerShell.

T1132.001
Sigmamedium

Hack Tool User Agent

Detects suspicious user agent strings user by hack tools in proxy logs

T1190T1110
Sigmahigh

HackTool - ADCSPwn Execution

Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service

T1557.001
Sigmahigh
PreviousPage 35 of 137Next