EXPLORE DETECTIONS
HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators
Detects the creation of file with specific names used by RemoteKrbRelay SMB Relay attack module.
HackTool - Rubeus Execution
Detects the execution of the hacktool Rubeus via PE information of command line parameters
HackTool - Rubeus Execution - ScriptBlock
Detects the execution of the hacktool Rubeus using specific command line flags
HackTool - SafetyKatz Dump Indicator
Detects default lsass dump filename generated by SafetyKatz.
HackTool - SafetyKatz Execution
Detects the execution of the hacktool SafetyKatz via PE information and default Image name
HackTool - SecurityXploded Execution
Detects the execution of SecurityXploded Tools
HackTool - SharpChisel Execution
Detects usage of the Sharp Chisel via the commandline arguments
HackTool - SharpDPAPI Execution
Detects the execution of the SharpDPAPI tool based on CommandLine flags and PE metadata. SharpDPAPI is a C# port of some DPAPI functionality from the Mimikatz project.
HackTool - SharPersist Execution
Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms
HackTool - SharpEvtMute DLL Load
Detects the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool that tampers with the Windows event logs
HackTool - SharpEvtMute Execution
Detects the use of SharpEvtHook, a tool that tampers with the Windows event logs
HackTool - SharpImpersonation Execution
Detects execution of the SharpImpersonation tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively
HackTool - SharpLDAPmonitor Execution
Detects execution of the SharpLDAPmonitor. Which can monitor the creation, deletion and changes to LDAP objects.
HackTool - SharpLdapWhoami Execution
Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller
HackTool - SharpMove Tool Execution
Detects the execution of SharpMove, a .NET utility performing multiple tasks such as "Task Creation", "SCM" query, VBScript execution using WMI via its PE metadata and command line options.
HackTool - SharpUp PrivEsc Tool Execution
Detects the use of SharpUp, a tool for local privilege escalation
HackTool - SharpView Execution
Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
HackTool - SharpWSUS/WSUSpendu Execution
Detects the execution of SharpWSUS or WSUSpendu, utilities that allow for lateral movement through WSUS. Windows Server Update Services (WSUS) is a critical component of Windows systems and is frequently configured in a way that allows an attacker to circumvent internal networking limitations.
HackTool - SILENTTRINITY Stager DLL Load
Detects SILENTTRINITY stager dll loading activity
HackTool - SILENTTRINITY Stager Execution
Detects SILENTTRINITY stager use via PE metadata
HackTool - Sliver C2 Implant Activity Pattern
Detects process activity patterns as seen being used by Sliver C2 framework implants
HackTool - SOAPHound Execution
Detects the execution of SOAPHound, a .NET tool for collecting Active Directory data, using specific command-line arguments that may indicate an attempt to extract sensitive AD information.
HackTool - Stracciatella Execution
Detects Stracciatella which executes a Powershell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled based on PE metadata characteristics.
HackTool - SysmonEnte Execution
Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon