EXPLORE DETECTIONS
HackTool - SharpEvtMute Execution
Detects the use of SharpEvtHook, a tool that tampers with the Windows event logs
HackTool - SharpImpersonation Execution
Detects execution of the SharpImpersonation tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively
HackTool - SharpLDAPmonitor Execution
Detects execution of the SharpLDAPmonitor. Which can monitor the creation, deletion and changes to LDAP objects.
HackTool - SharpLdapWhoami Execution
Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller
HackTool - SharpMove Tool Execution
Detects the execution of SharpMove, a .NET utility performing multiple tasks such as "Task Creation", "SCM" query, VBScript execution using WMI via its PE metadata and command line options.
HackTool - SharpUp PrivEsc Tool Execution
Detects the use of SharpUp, a tool for local privilege escalation
HackTool - SharpView Execution
Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
HackTool - SharpWSUS/WSUSpendu Execution
Detects the execution of SharpWSUS or WSUSpendu, utilities that allow for lateral movement through WSUS. Windows Server Update Services (WSUS) is a critical component of Windows systems and is frequently configured in a way that allows an attacker to circumvent internal networking limitations.
HackTool - SILENTTRINITY Stager DLL Load
Detects SILENTTRINITY stager dll loading activity
HackTool - SILENTTRINITY Stager Execution
Detects SILENTTRINITY stager use via PE metadata
HackTool - Sliver C2 Implant Activity Pattern
Detects process activity patterns as seen being used by Sliver C2 framework implants
HackTool - SOAPHound Execution
Detects the execution of SOAPHound, a .NET tool for collecting Active Directory data, using specific command-line arguments that may indicate an attempt to extract sensitive AD information.
HackTool - Stracciatella Execution
Detects Stracciatella which executes a Powershell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled based on PE metadata characteristics.
HackTool - SysmonEnte Execution
Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon
HackTool - SysmonEOP Execution
Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120
HackTool - TruffleSnout Execution
Detects the use of TruffleSnout.exe an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low noise enumeration.
HackTool - Typical HiveNightmare SAM File Export
Detects files written by the different tools that exploit HiveNightmare
HackTool - UACMe Akagi Execution
Detects the execution of UACMe, a tool used for UAC bypasses, via default PE metadata
HackTool - Windows Credential Editor (WCE) Execution
Detects the use of Windows Credential Editor (WCE), a popular post-exploitation tool used to extract plaintext passwords, hash, PIN code and Kerberos tickets from memory. It is often used by threat actors for credential dumping and lateral movement within compromised networks.
HackTool - winPEAS Execution
WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz
HackTool - WinPwn Execution
Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
HackTool - WinPwn Execution - ScriptBlock
Detects scriptblock text keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
HackTool - WinRM Access Via Evil-WinRM
Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
HackTool - Wmiexec Default Powershell Command
Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script