EXPLORE DETECTIONS
HackTool - SysmonEOP Execution
Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120
HackTool - TruffleSnout Execution
Detects the use of TruffleSnout.exe an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low noise enumeration.
HackTool - Typical HiveNightmare SAM File Export
Detects files written by the different tools that exploit HiveNightmare
HackTool - UACMe Akagi Execution
Detects the execution of UACMe, a tool used for UAC bypasses, via default PE metadata
HackTool - Windows Credential Editor (WCE) Execution
Detects the use of Windows Credential Editor (WCE), a popular post-exploitation tool used to extract plaintext passwords, hash, PIN code and Kerberos tickets from memory. It is often used by threat actors for credential dumping and lateral movement within compromised networks.
HackTool - winPEAS Execution
WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz
HackTool - WinPwn Execution
Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
HackTool - WinPwn Execution - ScriptBlock
Detects scriptblock text keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
HackTool - WinRM Access Via Evil-WinRM
Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
HackTool - Wmiexec Default Powershell Command
Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script
HackTool - WSASS Execution
Detects execution of WSASS, a tool used to dump LSASS memory on Windows systems by leveraging WER's (Windows Error Reporting) WerFaultSecure.EXE to bypass PPL (Protected Process Light) protections.
HackTool - XORDump Execution
Detects suspicious use of XORDump process memory dumping utility
Hacktool Execution - Imphash
Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed
Hacktool Execution - PE Metadata
Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed
HackTool Named File Stream Created
Detects the creation of a named file stream with the imphash of a well-known hack tool
Hacktool Ruler
This events that are generated when using the hacktool Ruler by Sensepost
HackTool Service Registration or Execution
Detects installation or execution of services
Hardware Model Reconnaissance Via Wmic.EXE
Detects the execution of WMIC with the "csproduct" which is used to obtain information such as hardware models and vendor information
Harvesting Of Wifi Credentials Via Netsh.EXE
Detect the harvesting of wifi credentials using netsh.exe
Headless Process Launched Via Conhost.EXE
Detects the launch of a child process via "conhost.exe" with the "--headless" flag. The "--headless" flag hides the windows from the user upon execution.
HH.EXE Execution
Detects the execution of "hh.exe" to open ".chm" files.
HH.EXE Initiated HTTP Network Connection
Detects a network connection initiated by the "hh.exe" process to HTTP destination ports, which could indicate the execution/download of remotely hosted .chm files.
Hidden Executable In NTFS Alternate Data Stream
Detects the creation of an ADS (Alternate Data Stream) that contains an executable by looking at a non-empty Imphash
Hidden Files and Directories
Detects adversary creating hidden file or directory, by detecting directories or files with . as the first character