EXPLORE DETECTIONS
HackTool - Generic Process Access
Detects process access requests from hacktool processes based on their default image name
HackTool - GMER Rootkit Detector and Remover Execution
Detects the execution GMER tool based on image and hash fields.
HackTool - HandleKatz Duplicating LSASS Handle
Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles
HackTool - HandleKatz LSASS Dumper Execution
Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same
HackTool - Hashcat Password Cracker Execution
Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against
HackTool - HollowReaper Execution
Detects usage of HollowReaper, a process hollowing shellcode launcher used for stealth payload execution through process hollowing. It replaces the memory of a legitimate process with custom shellcode, allowing the attacker to execute payloads under the guise of trusted binaries.
HackTool - Htran/NATBypass Execution
Detects executable names or flags used by Htran or Htran-like tools (e.g. NATBypass)
HackTool - Hydra Password Bruteforce Execution
Detects command line parameters used by Hydra password guessing hack tool
HackTool - Impacket File Indicators
Detects file creation events with filename patterns used by Impacket.
HackTool - Impacket Tools Execution
Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)
HackTool - Impersonate Execution
Detects execution of the Impersonate tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively
HackTool - Inveigh Execution
Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool
HackTool - Inveigh Execution Artefacts
Detects the presence and execution of Inveigh via dropped artefacts
HackTool - Jlaive In-Memory Assembly Execution
Detects the use of Jlaive to execute assemblies in a copied PowerShell
HackTool - Koadic Execution
Detects command line parameters used by Koadic hack tool
HackTool - Koh Default Named Pipe
Detects creation of default named pipes used by the Koh tool
HackTool - KrbRelay Execution
Detects the use of KrbRelay, a Kerberos relaying tool
HackTool - KrbRelayUp Execution
Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced
HackTool - LaZagne Execution
Detects the execution of the LaZagne. A utility used to retrieve multiple types of passwords stored on a local computer. LaZagne has been leveraged multiple times by threat actors in order to dump credentials.
HackTool - LittleCorporal Generated Maldoc Injection
Detects the process injection of a LittleCorporal generated Maldoc.
HackTool - LocalPotato Execution
Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples
HackTool - Mimikatz Execution
Detection well-known mimikatz command line arguments
HackTool - Mimikatz Kirbi File Creation
Detects the creation of files created by mimikatz such as ".kirbi", "mimilsa.log", etc.
HackTool - NoFilter Execution
Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation via hardcoded policy name indicators