EXPLORE

EXPLORE DETECTIONS

🔍
3,281 detections found

HackTool - KrbRelay Execution

Detects the use of KrbRelay, a Kerberos relaying tool

T1558.003
Sigmahigh

HackTool - KrbRelayUp Execution

Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced

T1558.003T1550.003
Sigmahigh

HackTool - LaZagne Execution

Detects the execution of the LaZagne. A utility used to retrieve multiple types of passwords stored on a local computer. LaZagne has been leveraged multiple times by threat actors in order to dump credentials.

Sigmamedium

HackTool - LittleCorporal Generated Maldoc Injection

Detects the process injection of a LittleCorporal generated Maldoc.

T1204.002T1055.003
Sigmahigh

HackTool - LocalPotato Execution

Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples

Sigmahigh

HackTool - Mimikatz Execution

Detection well-known mimikatz command line arguments

T1003.001T1003.002T1003.004T1003.005T1003.006
Sigmahigh

HackTool - Mimikatz Kirbi File Creation

Detects the creation of files created by mimikatz such as ".kirbi", "mimilsa.log", etc.

T1558
Sigmacritical

HackTool - NetExec Execution

Detects execution of the hacktool NetExec. NetExec (formerly CrackMapExec) is a widely used post-exploitation tool designed for Active Directory penetration testing and network enumeration In enterprise environments, the use of NetExec is considered suspicious or potentially malicious because it enables attackers to enumerate hosts, exploit network services, and move laterally across systems. Threat actors and red teams commonly use NetExec to identify vulnerable systems, harvest credentials, and execute commands remotely.

T1018T1021
Sigmahigh

HackTool - NetExec File Indicators

Detects file creation events indicating NetExec (nxc.exe) execution on the local machine. NetExec is a PyInstaller-bundled binary that extracts its embedded data files to a "_MEI<random>" directory under the Temp folder upon execution. Files dropped under the "\nxc\" sub-directory of that extraction path are unique to NetExec and serve as reliable on-disk indicators of execution. NetExec (formerly CrackMapExec) is a widely used post-exploitation and lateral movement tool used for Active Directory enumeration, credential harvesting, and remote code execution.

T1021.002T1059.005
Sigmahigh

HackTool - NoFilter Execution

Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation via hardcoded policy name indicators

T1134T1134.001
Sigmahigh

HackTool - NPPSpy Hacktool Usage

Detects the use of NPPSpy hacktool that stores cleartext passwords of users that logged in to a local file

Sigmahigh

HackTool - PCHunter Execution

Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff

T1082T1057T1012T1083T1007
Sigmahigh

HackTool - Potential CobaltStrike Process Injection

Detects a potential remote threat creation with certain characteristics which are typical for Cobalt Strike beacons

T1055.001
Sigmahigh

HackTool - Potential Impacket Lateral Movement Activity

Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework

T1047T1021.003
Sigmahigh

HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-Secretsdump

Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.

T1003
Sigmahigh

HackTool - PowerTool Execution

Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files

T1685
Sigmahigh

HackTool - Powerup Write Hijack DLL

Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation. In it's default mode, it builds a self deleting .bat file which executes malicious command. The detection rule relies on creation of the malicious bat file (debug.bat by default).

T1574.001
Sigmahigh

HackTool - PPID Spoofing SelectMyParent Tool Execution

Detects the use of parent process ID spoofing tools like Didier Stevens tool SelectMyParent

T1134.004
Sigmahigh

HackTool - PurpleSharp Execution

Detects the execution of the PurpleSharp adversary simulation tool

T1587
Sigmacritical

HackTool - Pypykatz Credentials Dumping Activity

Detects the usage of "pypykatz" to obtain stored credentials. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through Windows registry where the SAM database is stored

T1003.002
Sigmahigh

HackTool - Quarks PwDump Execution

Detects usage of the Quarks PwDump tool via commandline arguments

T1003.002
Sigmahigh

HackTool - QuarksPwDump Dump File

Detects a dump file written by QuarksPwDump password dumper

T1003.002
Sigmacritical

HackTool - RedMimicry Winnti Playbook Execution

Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility

T1106T1059.003T1218.011
Sigmahigh

HackTool - RemoteKrbRelay Execution

Detects the use of RemoteKrbRelay, a Kerberos relaying tool via CommandLine flags and PE metadata.

T1558.003
Sigmahigh
PreviousPage 38 of 137Next