EXPLORE

EXPLORE DETECTIONS

🔍
3,281 detections found

HackTool - BabyShark Agent Default URL Pattern

Detects Baby Shark C2 Framework default communication patterns

T1071.001
Sigmacritical

HackTool - Bloodhound/Sharphound Execution

Detects command line parameters used by Bloodhound and Sharphound hack tools

T1087.001T1087.002T1482T1069.001T1069.002+1
Sigmahigh

HackTool - CACTUSTORCH Remote Thread Creation

Detects remote thread creation from CACTUSTORCH as described in references.

T1055.012T1059.005T1059.007T1218.005
Sigmahigh

HackTool - Certify Execution

Detects Certify a tool for Active Directory certificate abuse based on PE metadata characteristics and common command line arguments.

T1649
Sigmahigh

HackTool - Certipy Execution

Detects Certipy execution, a tool for Active Directory Certificate Services enumeration and abuse based on PE metadata characteristics and common command line arguments.

T1649
Sigmahigh

HackTool - CobaltStrike BOF Injection Pattern

Detects a typical pattern of a CobaltStrike BOF which inject into other processes

T1106T1685
Sigmahigh

HackTool - CobaltStrike Malleable Profile Patterns - Proxy

Detects cobalt strike malleable profiles patterns (URI, User-Agents, Methods).

T1071.001
Sigmahigh

HackTool - CoercedPotato Execution

Detects the use of CoercedPotato, a tool for privilege escalation

T1055
Sigmahigh

HackTool - CoercedPotato Named Pipe Creation

Detects the pattern of a pipe name as used by the hack tool CoercedPotato

T1055
Sigmahigh

HackTool - Covenant PowerShell Launcher

Detects suspicious command lines used in Covenant luanchers

T1059.001T1564.003
Sigmahigh

HackTool - CrackMapExec Execution

This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.

T1047T1053T1059.003T1059.001T1110+1
Sigmahigh

HackTool - CrackMapExec Execution Patterns

Detects various execution patterns of the CrackMapExec pentesting framework

T1047T1053T1059.003T1059.001S0106
Sigmahigh

HackTool - CrackMapExec File Indicators

Detects file creation events with filename patterns used by CrackMapExec.

T1003.001
Sigmahigh

HackTool - CrackMapExec PowerShell Obfuscation

The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.

T1059.001T1027.005
Sigmahigh

HackTool - CrackMapExec Process Patterns

Detects suspicious process patterns found in logs when CrackMapExec is used

T1003.001
Sigmahigh

HackTool - CreateMiniDump Execution

Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine

T1003.001
Sigmahigh

HackTool - Credential Dumping Tools Named Pipe Created

Detects well-known credential dumping tools execution via specific named pipe creation

T1003.001T1003.002T1003.004T1003.005
Sigmacritical

HackTool - Default PowerSploit/Empire Scheduled Task Creation

Detects the creation of a schtask via PowerSploit or Empire Default Configuration.

S0111G0022G0060T1053.005T1059.001
Sigmahigh

HackTool - DiagTrackEoP Default Named Pipe

Detects creation of default named pipe used by the DiagTrackEoP POC, a tool that abuses "SeImpersonate" privilege.

Sigmacritical

HackTool - DInjector PowerShell Cradle Execution

Detects the use of the Dinject PowerShell cradle based on the specific flags

T1055
Sigmacritical

HackTool - Doppelanger LSASS Dumper Execution

Detects the execution of the Doppelanger hacktool which is used to dump LSASS memory via process cloning while evading common detection methods

T1003.001
Sigmahigh

HackTool - Dumpert Process Dumper Default File

Detects the creation of the default dump file used by Outflank Dumpert tool. A process dumper, which dumps the lsass process memory

T1003.001
Sigmacritical

HackTool - Dumpert Process Dumper Execution

Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory

T1003.001
Sigmacritical

Hacktool - EDR-Freeze Execution

Detects execution of EDR-Freeze, a tool that exploits the MiniDumpWriteDump function and WerFaultSecure.exe to suspend EDR and Antivirus processes on Windows. EDR-Freeze leverages a race-condition attack to put security processes into a dormant state by suspending WerFaultSecure at the moment it freezes the target process. This technique does not require kernel-level exploits or BYOVD, but instead abuses user-mode functionality to temporarily disable monitoring by EDR or Antimalware solutions.

T1685
Sigmahigh
PreviousPage 36 of 137Next