EXPLORE

EXPLORE DETECTIONS

🔍
3,281 detections found

HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators

Detects the creation of file with specific names used by RemoteKrbRelay SMB Relay attack module.

T1219.002
Sigmahigh

HackTool - Rubeus Execution

Detects the execution of the hacktool Rubeus via PE information of command line parameters

T1003T1558.003T1550.003
Sigmacritical

HackTool - Rubeus Execution - ScriptBlock

Detects the execution of the hacktool Rubeus using specific command line flags

T1003T1558.003T1550.003
Sigmahigh

HackTool - SafetyKatz Dump Indicator

Detects default lsass dump filename generated by SafetyKatz.

T1003.001
Sigmahigh

HackTool - SafetyKatz Execution

Detects the execution of the hacktool SafetyKatz via PE information and default Image name

T1003.001
Sigmacritical

HackTool - SecurityXploded Execution

Detects the execution of SecurityXploded Tools

T1555
Sigmacritical

HackTool - SharpChisel Execution

Detects usage of the Sharp Chisel via the commandline arguments

T1090.001
Sigmahigh

HackTool - SharpDPAPI Execution

Detects the execution of the SharpDPAPI tool based on CommandLine flags and PE metadata. SharpDPAPI is a C# port of some DPAPI functionality from the Mimikatz project.

T1134.001T1134.003
Sigmahigh

HackTool - SharPersist Execution

Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms

T1053
Sigmahigh

HackTool - SharpEvtMute DLL Load

Detects the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool that tampers with the Windows event logs

T1685.001
Sigmahigh

HackTool - SharpEvtMute Execution

Detects the use of SharpEvtHook, a tool that tampers with the Windows event logs

T1685.001
Sigmahigh

HackTool - SharpImpersonation Execution

Detects execution of the SharpImpersonation tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively

T1134.001T1134.003
Sigmahigh

HackTool - SharpLDAPmonitor Execution

Detects execution of the SharpLDAPmonitor. Which can monitor the creation, deletion and changes to LDAP objects.

Sigmamedium

HackTool - SharpLdapWhoami Execution

Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller

T1033
Sigmahigh

HackTool - SharpMove Tool Execution

Detects the execution of SharpMove, a .NET utility performing multiple tasks such as "Task Creation", "SCM" query, VBScript execution using WMI via its PE metadata and command line options.

T1021.002
Sigmahigh

HackTool - SharpUp PrivEsc Tool Execution

Detects the use of SharpUp, a tool for local privilege escalation

T1615T1569.002T1574.005
Sigmacritical

HackTool - SharpView Execution

Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems

T1049T1069.002T1482T1135T1033
Sigmahigh

HackTool - SharpWSUS/WSUSpendu Execution

Detects the execution of SharpWSUS or WSUSpendu, utilities that allow for lateral movement through WSUS. Windows Server Update Services (WSUS) is a critical component of Windows systems and is frequently configured in a way that allows an attacker to circumvent internal networking limitations.

T1210
Sigmahigh

HackTool - SILENTTRINITY Stager DLL Load

Detects SILENTTRINITY stager dll loading activity

T1071
Sigmahigh

HackTool - SILENTTRINITY Stager Execution

Detects SILENTTRINITY stager use via PE metadata

T1071
Sigmahigh

HackTool - Sliver C2 Implant Activity Pattern

Detects process activity patterns as seen being used by Sliver C2 framework implants

T1059
Sigmacritical

HackTool - SOAPHound Execution

Detects the execution of SOAPHound, a .NET tool for collecting Active Directory data, using specific command-line arguments that may indicate an attempt to extract sensitive AD information.

T1087
Sigmahigh

HackTool - Stracciatella Execution

Detects Stracciatella which executes a Powershell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled based on PE metadata characteristics.

T1059T1685
Sigmahigh

HackTool - SysmonEnte Execution

Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon

T1685.001
Sigmahigh
PreviousPage 39 of 137Next