EXPLORE

EXPLORE DETECTIONS

🔍
3,281 detections found

IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI

Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.

Sigmahigh

Ie4uinit Lolbin Use From Invalid Path

Detect use of ie4uinit.exe to execute commands from a specially prepared ie4uinit.inf file from a directory other than the usual directories

T1218
Sigmamedium

IIS Native-Code Module Command Line Installation

Detects suspicious IIS native-code module installations via command line

T1505.003
Sigmamedium

IIS WebServer Access Logs Deleted

Detects the deletion of IIS WebServer access logs which may indicate an attempt to destroy forensic evidence

T1070
Sigmamedium

IIS WebServer Log Deletion via CommandLine Utilities

Detects attempts to delete Internet Information Services (IIS) log files via command line utilities, which is a common defense evasion technique used by attackers to cover their tracks. Threat actors often abuse vulnerabilities in web applications hosted on IIS servers to gain initial access and later delete IIS logs to evade detection.

T1070
Sigmamedium

ImagingDevices Unusual Parent/Child Processes

Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity

Sigmahigh

Impacket PsExec Execution

Detects execution of Impacket's psexec.py.

T1021.002
Sigmahigh

Import LDAP Data Interchange Format File Via Ldifde.EXE

Detects the execution of "Ldifde.exe" with the import flag "-i". The can be abused to include HTTP-based arguments which will allow the arbitrary download of files from a remote server.

T1218T1105
Sigmamedium

Import New Module Via PowerShell CommandLine

Detects usage of the "Import-Module" cmdlet in order to add new Cmdlets to the current PowerShell session

Sigmalow

Import PowerShell Modules From Suspicious Directories

Detects powershell scripts that import modules from suspicious directories

T1059.001
Sigmamedium

Import PowerShell Modules From Suspicious Directories - ProcCreation

Detects powershell scripts that import modules from suspicious directories

T1059.001
Sigmamedium

Important Scheduled Task Deleted or Disabled

Detects when adversaries try to stop system services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities

T1489
Sigmahigh

Important Scheduled Task Deleted/Disabled

Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities

T1053.005
Sigmahigh

Important Windows Event Auditing Disabled

Detects scenarios where system auditing for important events such as "Process Creation" or "Logon" events is disabled.

T1685.001
Sigmahigh

Important Windows Eventlog Cleared

Detects the clearing of one of the Windows Core Eventlogs. e.g. caused by "wevtutil cl" command execution

T1685.005
Sigmahigh

Important Windows Service Terminated Unexpectedly

Detects important or interesting Windows services that got terminated unexpectedly.

Sigmahigh

Important Windows Service Terminated With Error

Detects important or interesting Windows services that got terminated for whatever reason

Sigmahigh

Imports Registry Key From a File

Detects the import of the specified file to the registry with regedit.exe.

T1112
Sigmamedium

Imports Registry Key From an ADS

Detects the import of a alternate datastream to the registry with regedit.exe.

T1112
Sigmahigh

Impossible Travel

Identifies user activities originating from geographically distant locations within a time period shorter than the time it takes to travel from the first location to the second.

T1078
Sigmahigh

Inbox Rules Creation Or Update Activity in O365

Detects inbox rule creation or update via O365 Audit logs, a technique commonly observed in Business Email Compromise (BEC) attacks to hide emails. The usage of inbox rules can be a sign of a compromised mailbox, where an attacker is attempting to evade detections by suppressing or redirecting incoming emails. Analysts should review these rules in context, validate whether they reflect normal user behavior, and correlate with other indicators such as unusual login activity or recent mailbox rule modifications.

T1564.008T1114.003
Sigmamedium

Inbox Rules Creation Or Update Activity Via ExchangePowerShell Cmdlet

Detects inbox rule creation or update via ExchangePowerShell cmdlet, a technique commonly observed in Business Email Compromise (BEC) attacks to hide emails. The usage of inbox rules can be a sign of a compromised mailbox, where an attacker is attempting to evade detections by suppressing or redirecting incoming emails. Analysts should review these rules in context, validate whether they reflect normal user behavior, and correlate with other indicators such as unusual login activity or recent mailbox rule modifications.

T1564.008T1114.003
Sigmamedium

Increased Failed Authentications Of Any Type

Detects when sign-ins increased by 10% or greater.

T1078
Sigmamedium

Indicator Removal on Host - Clear Mac System Logs

Detects deletion of local audit logs

T1685.006
Sigmamedium
PreviousPage 42 of 137Next