EXPLORE DETECTIONS
HackTool - NPPSpy Hacktool Usage
Detects the use of NPPSpy hacktool that stores cleartext passwords of users that logged in to a local file
HackTool - PCHunter Execution
Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff
HackTool - Potential CobaltStrike Process Injection
Detects a potential remote threat creation with certain characteristics which are typical for Cobalt Strike beacons
HackTool - Potential Impacket Lateral Movement Activity
Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework
HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-Secretsdump
Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.
HackTool - PowerTool Execution
Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files
HackTool - Powerup Write Hijack DLL
Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation. In it's default mode, it builds a self deleting .bat file which executes malicious command. The detection rule relies on creation of the malicious bat file (debug.bat by default).
HackTool - PPID Spoofing SelectMyParent Tool Execution
Detects the use of parent process ID spoofing tools like Didier Stevens tool SelectMyParent
HackTool - PurpleSharp Execution
Detects the execution of the PurpleSharp adversary simulation tool
HackTool - Pypykatz Credentials Dumping Activity
Detects the usage of "pypykatz" to obtain stored credentials. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through Windows registry where the SAM database is stored
HackTool - Quarks PwDump Execution
Detects usage of the Quarks PwDump tool via commandline arguments
HackTool - QuarksPwDump Dump File
Detects a dump file written by QuarksPwDump password dumper
HackTool - RedMimicry Winnti Playbook Execution
Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility
HackTool - RemoteKrbRelay Execution
Detects the use of RemoteKrbRelay, a Kerberos relaying tool via CommandLine flags and PE metadata.
HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators
Detects the creation of file with specific names used by RemoteKrbRelay SMB Relay attack module.
HackTool - Rubeus Execution
Detects the execution of the hacktool Rubeus via PE information of command line parameters
HackTool - Rubeus Execution - ScriptBlock
Detects the execution of the hacktool Rubeus using specific command line flags
HackTool - SafetyKatz Dump Indicator
Detects default lsass dump filename generated by SafetyKatz.
HackTool - SafetyKatz Execution
Detects the execution of the hacktool SafetyKatz via PE information and default Image name
HackTool - SecurityXploded Execution
Detects the execution of SecurityXploded Tools
HackTool - SharpChisel Execution
Detects usage of the Sharp Chisel via the commandline arguments
HackTool - SharpDPAPI Execution
Detects the execution of the SharpDPAPI tool based on CommandLine flags and PE metadata. SharpDPAPI is a C# port of some DPAPI functionality from the Mimikatz project.
HackTool - SharPersist Execution
Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms
HackTool - SharpEvtMute DLL Load
Detects the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool that tampers with the Windows event logs