EXPLORE

EXPLORE DETECTIONS

🔍
3,281 detections found

Hidden Flag Set On File/Directory Via Chflags - MacOS

Detects the execution of the "chflags" utility with the "hidden" flag, in order to hide files on MacOS. When a file or directory has this hidden flag set, it becomes invisible to the default file listing commands and in graphical file browsers.

T1218T1564.004T1552.001T1105
Sigmamedium

Hidden Local User Creation

Detects the creation of a local hidden user account which should not happen for event ID 4720.

T1136.001
Sigmahigh

Hidden Powershell in Link File Pattern

Detects events that appear when a user click on a link file with a powershell command in it

T1059.001
Sigmamedium

Hidden User Creation

Detects creation of a hidden user account on macOS (UserID < 500) or with IsHidden option

T1564.002
Sigmamedium

Hide Schedule Task Via Index Value Tamper

Detects when the "index" value of a scheduled task is modified from the registry Which effectively hides it from any tooling such as "schtasks /query" (Read the referenced link for more information about the effects of this technique)

T1685
Sigmahigh

Hiding Files with Attrib.exe

Detects usage of attrib.exe to hide files from users.

T1564.001
Sigmamedium

Hiding User Account Via SpecialAccounts Registry Key

Detects modifications to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen.

T1564.002
Sigmahigh

Hiding User Account Via SpecialAccounts Registry Key - CommandLine

Detects changes to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen.

T1564.002
Sigmamedium

Hijack Legit RDP Session to Move Laterally

Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder

T1219.002
Sigmahigh

History File Deletion

Detects events in which a history file gets deleted, e.g. the ~/bash_history to remove traces of malicious activity

T1565.001
Sigmahigh

HKTL - SharpSuccessor Privilege Escalation Tool Execution

Detects the execution of SharpSuccessor, a tool used to exploit the BadSuccessor attack for privilege escalation in WinServer 2025 Active Directory environments. Successful usage of this tool can let the attackers gain the domain admin privileges by exploiting the BadSuccessor vulnerability.

T1068
Sigmahigh

HTML File Opened From Download Folder

Detects web browser process opening an HTML file from a user's Downloads folder. This behavior is could be associated with phishing attacks where threat actors send HTML attachments to users. When a user opens such an attachment, it can lead to the execution of malicious scripts or the download of malware. During investigation, analyze the HTML file for embedded scripts or links, check for any subsequent downloads or process executions, and investigate the source of the email or message containing the attachment.

T1598.002T1566.001
Sigmalow

HTML Help HH.EXE Suspicious Child Process

Detects a suspicious child process of a Microsoft HTML Help (HH.exe)

T1047T1059.001T1059.003T1059.005T1059.007+6
Sigmahigh

HTTP Logging Disabled On IIS Server

Detects changes to of the IIS server configuration in order to disable HTTP logging for successful requests.

T1685.001T1505.004
Sigmahigh

HTTP Request to Low Reputation TLD or Suspicious File Extension

Detects HTTP requests to low reputation TLDs (e.g. .xyz, .top, .ru) or ending in suspicious file extensions (.exe, .dll, .hta), which may indicate malicious activity.

Sigmamedium

HTTP Request With Empty User Agent

Detects a potentially suspicious empty user agent strings in proxy log. Could potentially indicate an uncommon request method.

T1071.001
Sigmamedium

Huawei BGP Authentication Failures

Detects BGP failures which may be indicative of brute force attacks to manipulate routing.

T1078T1110T1557
Sigmalow

HybridConnectionManager Service Installation

Rule to detect the Hybrid Connection Manager service installation.

T1554
Sigmahigh

HybridConnectionManager Service Installation - Registry

Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function.

T1608
Sigmahigh

HybridConnectionManager Service Running

Rule to detect the Hybrid Connection Manager service running on an endpoint.

T1554
Sigmahigh

Hypervisor Enforced Paging Translation Disabled

Detects changes to the "DisableHypervisorEnforcedPagingTranslation" registry value. Where the it is set to "1" in order to disable the Hypervisor Enforced Paging Translation feature.

T1685
Sigmahigh

Hypervisor-protected Code Integrity (HVCI) Related Registry Tampering Via CommandLine

Detects the tampering of Hypervisor-protected Code Integrity (HVCI) related registry values via command line tool reg.exe. HVCI uses virtualization-based security to protect code integrity by ensuring that only trusted code can run in kernel mode. Adversaries may tamper with HVCI to load malicious or unsigned drivers, which can be used to escalate privileges, maintain persistence, or evade security mechanisms.

T1685
Sigmahigh

IE Change Domain Zone

Hides the file extension through modification of the registry

T1137
Sigmamedium

IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols

Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.

Sigmahigh
PreviousPage 41 of 137Next