EXPLORE

EXPLORE DETECTIONS

🔍
3,281 detections found

HackTool - SysmonEOP Execution

Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120

T1068
Sigmacritical

HackTool - TruffleSnout Execution

Detects the use of TruffleSnout.exe an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low noise enumeration.

T1482
Sigmahigh

HackTool - Typical HiveNightmare SAM File Export

Detects files written by the different tools that exploit HiveNightmare

T1552.001
Sigmahigh

HackTool - UACMe Akagi Execution

Detects the execution of UACMe, a tool used for UAC bypasses, via default PE metadata

T1548.002
Sigmahigh

HackTool - Windows Credential Editor (WCE) Execution

Detects the use of Windows Credential Editor (WCE), a popular post-exploitation tool used to extract plaintext passwords, hash, PIN code and Kerberos tickets from memory. It is often used by threat actors for credential dumping and lateral movement within compromised networks.

T1003.001S0005
Sigmacritical

HackTool - winPEAS Execution

WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz

T1082T1087T1046
Sigmahigh

HackTool - WinPwn Execution

Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.

T1046T1082T1106T1518T1548.002+3
Sigmahigh

HackTool - WinPwn Execution - ScriptBlock

Detects scriptblock text keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.

T1046T1082T1106T1518T1548.002+3
Sigmahigh

HackTool - WinRM Access Via Evil-WinRM

Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.

T1021.006
Sigmamedium

HackTool - Wmiexec Default Powershell Command

Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script

Sigmahigh

HackTool - WSASS Execution

Detects execution of WSASS, a tool used to dump LSASS memory on Windows systems by leveraging WER's (Windows Error Reporting) WerFaultSecure.EXE to bypass PPL (Protected Process Light) protections.

T1003.001
Sigmahigh

HackTool - XORDump Execution

Detects suspicious use of XORDump process memory dumping utility

T1036T1003.001
Sigmahigh

Hacktool Execution - Imphash

Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed

T1588.002T1003
Sigmacritical

Hacktool Execution - PE Metadata

Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed

T1588.002T1003
Sigmahigh

HackTool Named File Stream Created

Detects the creation of a named file stream with the imphash of a well-known hack tool

S0139T1564.004
Sigmahigh

Hacktool Ruler

This events that are generated when using the hacktool Ruler by Sensepost

T1087T1114T1059T1550.002
Sigmahigh

HackTool Service Registration or Execution

Detects installation or execution of services

T1569.002S0029
Sigmahigh

Hardware Model Reconnaissance Via Wmic.EXE

Detects the execution of WMIC with the "csproduct" which is used to obtain information such as hardware models and vendor information

T1047
Sigmamedium

Harvesting Of Wifi Credentials Via Netsh.EXE

Detect the harvesting of wifi credentials using netsh.exe

T1040
Sigmamedium

Headless Process Launched Via Conhost.EXE

Detects the launch of a child process via "conhost.exe" with the "--headless" flag. The "--headless" flag hides the windows from the user upon execution.

T1059.001T1059.003
Sigmamedium

HH.EXE Execution

Detects the execution of "hh.exe" to open ".chm" files.

T1218.001
Sigmalow

HH.EXE Initiated HTTP Network Connection

Detects a network connection initiated by the "hh.exe" process to HTTP destination ports, which could indicate the execution/download of remotely hosted .chm files.

T1218.001
Sigmamedium

Hidden Executable In NTFS Alternate Data Stream

Detects the creation of an ADS (Alternate Data Stream) that contains an executable by looking at a non-empty Imphash

S0139T1564.004
Sigmamedium

Hidden Files and Directories

Detects adversary creating hidden file or directory, by detecting directories or files with . as the first character

T1564.001
Sigmalow
PreviousPage 40 of 137Next