EXPLORE DETECTIONS
HackTool - WSASS Execution
Detects execution of WSASS, a tool used to dump LSASS memory on Windows systems by leveraging WER's (Windows Error Reporting) WerFaultSecure.EXE to bypass PPL (Protected Process Light) protections.
HackTool - XORDump Execution
Detects suspicious use of XORDump process memory dumping utility
Hacktool Execution - Imphash
Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed
Hacktool Execution - PE Metadata
Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed
HackTool Named File Stream Created
Detects the creation of a named file stream with the imphash of a well-known hack tool
Hacktool Ruler
This events that are generated when using the hacktool Ruler by Sensepost
HackTool Service Registration or Execution
Detects installation or execution of services
Hardware Model Reconnaissance Via Wmic.EXE
Detects the execution of WMIC with the "csproduct" which is used to obtain information such as hardware models and vendor information
Harvesting Of Wifi Credentials Via Netsh.EXE
Detect the harvesting of wifi credentials using netsh.exe
Headless Process Launched Via Conhost.EXE
Detects the launch of a child process via "conhost.exe" with the "--headless" flag. The "--headless" flag hides the windows from the user upon execution.
HH.EXE Execution
Detects the execution of "hh.exe" to open ".chm" files.
HH.EXE Initiated HTTP Network Connection
Detects a network connection initiated by the "hh.exe" process to HTTP destination ports, which could indicate the execution/download of remotely hosted .chm files.
Hidden Executable In NTFS Alternate Data Stream
Detects the creation of an ADS (Alternate Data Stream) that contains an executable by looking at a non-empty Imphash
Hidden Files and Directories
Detects adversary creating hidden file or directory, by detecting directories or files with . as the first character
Hidden Flag Set On File/Directory Via Chflags - MacOS
Detects the execution of the "chflags" utility with the "hidden" flag, in order to hide files on MacOS. When a file or directory has this hidden flag set, it becomes invisible to the default file listing commands and in graphical file browsers.
Hidden Local User Creation
Detects the creation of a local hidden user account which should not happen for event ID 4720.
Hidden Powershell in Link File Pattern
Detects events that appear when a user click on a link file with a powershell command in it
Hidden User Creation
Detects creation of a hidden user account on macOS (UserID < 500) or with IsHidden option
Hide Schedule Task Via Index Value Tamper
Detects when the "index" value of a scheduled task is modified from the registry Which effectively hides it from any tooling such as "schtasks /query" (Read the referenced link for more information about the effects of this technique)
Hiding Files with Attrib.exe
Detects usage of attrib.exe to hide files from users.
Hiding User Account Via SpecialAccounts Registry Key
Detects modifications to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen.
Hiding User Account Via SpecialAccounts Registry Key - CommandLine
Detects changes to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen.
Hijack Legit RDP Session to Move Laterally
Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder
History File Deletion
Detects events in which a history file gets deleted, e.g. the ~/bash_history to remove traces of malicious activity