EXPLORE

EXPLORE DETECTIONS

🔍
3,281 detections found

HackTool - EDRSilencer Execution

Detects the execution of EDRSilencer, a tool that leverages Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server based on PE metadata information.

T1685
Sigmahigh

HackTool - EDRSilencer Execution - Filter Added

Detects execution of EDRSilencer, a tool that abuses the Windows Filtering Platform (WFP) to block the outbound traffic of running EDR agents based on specific hardcoded filter names.

T1685
Sigmahigh

HackTool - EfsPotato Named Pipe Creation

Detects the pattern of a pipe name as used by the hack tool EfsPotato

T1055
Sigmahigh

HackTool - Empire PowerShell Launch Parameters

Detects suspicious powershell command line parameters used in Empire

T1059.001
Sigmahigh

HackTool - Empire PowerShell UAC Bypass

Detects some Empire PowerShell UAC bypass methods

T1548.002
Sigmacritical

HackTool - Empire UserAgent URI Combo

Detects user agent and URI paths used by empire agents

T1071.001
Sigmahigh

HackTool - Evil-WinRm Execution - PowerShell Module

Detects the execution of Evil-WinRM via PowerShell Module logs by leveraging the hardcoded strings inside the utility.

Sigmahigh

HackTool - F-Secure C3 Load by Rundll32

F-Secure C3 produces DLLs with a default exported StartNodeRelay function.

T1218.011
Sigmacritical

HackTool - Generic Process Access

Detects process access requests from hacktool processes based on their default image name

T1003.001S0002
Sigmahigh

HackTool - GMER Rootkit Detector and Remover Execution

Detects the execution GMER tool based on image and hash fields.

Sigmahigh

HackTool - HandleKatz Duplicating LSASS Handle

Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles

T1106T1003.001
Sigmahigh

HackTool - HandleKatz LSASS Dumper Execution

Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same

T1003.001
Sigmahigh

HackTool - Hashcat Password Cracker Execution

Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against

T1110.002
Sigmahigh

HackTool - HollowReaper Execution

Detects usage of HollowReaper, a process hollowing shellcode launcher used for stealth payload execution through process hollowing. It replaces the memory of a legitimate process with custom shellcode, allowing the attacker to execute payloads under the guise of trusted binaries.

T1055.012
Sigmahigh

HackTool - Htran/NATBypass Execution

Detects executable names or flags used by Htran or Htran-like tools (e.g. NATBypass)

T1090S0040
Sigmahigh

HackTool - Hydra Password Bruteforce Execution

Detects command line parameters used by Hydra password guessing hack tool

T1110T1110.001
Sigmahigh

HackTool - Impacket File Indicators

Detects file creation events with filename patterns used by Impacket.

T1003.001
Sigmahigh

HackTool - Impacket Tools Execution

Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)

T1557.001
Sigmahigh

HackTool - Impersonate Execution

Detects execution of the Impersonate tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively

T1134.001T1134.003
Sigmamedium

HackTool - Inveigh Execution

Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool

T1003.001
Sigmacritical

HackTool - Inveigh Execution Artefacts

Detects the presence and execution of Inveigh via dropped artefacts

T1219.002
Sigmacritical

HackTool - Jlaive In-Memory Assembly Execution

Detects the use of Jlaive to execute assemblies in a copied PowerShell

T1059.003
Sigmamedium

HackTool - Koadic Execution

Detects command line parameters used by Koadic hack tool

T1059.003T1059.005T1059.007
Sigmahigh

HackTool - Koh Default Named Pipe

Detects creation of default named pipes used by the Koh tool

T1528T1134.001
Sigmacritical
PreviousPage 37 of 137Next