EXPLORE

EXPLORE DETECTIONS

🔍
3,281 detections found

Indirect Command Execution By Program Compatibility Wizard

Detect indirect command execution via Program Compatibility Assistant pcwrun.exe

T1218
Sigmalow

Indirect Command Execution From Script File Via Bash.EXE

Detects execution of Microsoft bash launcher without any flags to execute the content of a bash script directly. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.

T1202
Sigmamedium

Indirect Command Execution via SFTP ProxyCommand

Detects the use of SFTP.exe to execute commands indirectly via ProxyCommand parameter. Threat actors were seen leveraging this legitimate Windows binary to bypass security controls and execute arbitrary commands while evading detection.

T1202
Sigmamedium

Indirect Inline Command Execution Via Bash.EXE

Detects execution of Microsoft bash launcher with the "-c" flag. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.

T1202
Sigmamedium

InfDefaultInstall.exe .inf Execution

Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.

T1218
Sigmamedium

Ingress/Egress Security Group Modification

Detects when an account makes changes to the ingress or egress rules of a security group. This can indicate that an attacker is attempting to open up new attack vectors in the account, that they are trying to exfiltrate data over the network, or that they are trying to allow machines in that VPC/Subnet to contact a C&C server.

T1190
Sigmamedium

Inline Python Execution - Spawn Shell Via OS System Library

Detects execution of inline Python code via the "-c" in order to call the "system" function from the "os" library, and spawn a shell.

T1059
Sigmahigh

Insecure Proxy/DOH Transfer Via Curl.EXE

Detects execution of "curl.exe" with the "insecure" flag over proxy or DOH.

Sigmamedium

Insecure Transfer Via Curl.EXE

Detects execution of "curl.exe" with the "--insecure" flag.

Sigmamedium

Insensitive Subfolder Search Via Findstr.EXE

Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.

T1218T1564.004T1552.001T1105
Sigmalow

Install New Package Via Winget Local Manifest

Detects usage of winget to install applications via manifest file. Adversaries can abuse winget to download payloads remotely and execute them. The manifest option enables you to install an application by passing in a YAML file directly to the client. Winget can be used to download and install exe, msi or msix files later.

T1059
Sigmamedium

Install Root Certificate

Detects installation of new certificate on the system which attackers may use to avoid warnings when connecting to controlled web servers or C2s

T1553.004
Sigmalow

Installation of TeamViewer Desktop

TeamViewer_Desktop.exe is create during install

T1219.002
Sigmamedium

Installation of WSL Kali-Linux

Detects installation of Kali Linux distribution through Windows Subsystem for Linux (WSL). Attackers may use Kali Linux WSL to leverage its penetration testing tools and capabilities for malicious purposes.

T1059
Sigmahigh

Interactive AT Job

Detects an interactive AT job, which may be used as a form of privilege escalation.

T1053.002
Sigmahigh

Interactive Bash Suspicious Children

Detects suspicious interactive bash as a parent to rather uncommon child processes

T1059.004T1036
Sigmamedium

Interesting Service Enumeration Via Sc.EXE

Detects the enumeration and query of interesting and in some cases sensitive services on the system via "sc.exe". Attackers often try to enumerate the services currently running on a system in order to find different attack vectors.

T1003
Sigmalow

Internet Explorer Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

T1547.001
Sigmamedium

Internet Explorer DisableFirstRunCustomize Enabled

Detects changes to the Internet Explorer "DisableFirstRunCustomize" value, which prevents Internet Explorer from running the first run wizard the first time a user starts the browser after installing Internet Explorer or Windows.

Sigmamedium

Invalid PIM License

Identifies when an organization doesn't have the proper license for PIM and is out of compliance.

T1078
Sigmahigh

Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)

Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)

T1003.003
Sigmamedium

Invocation Of Crypto-Classes From The "Cryptography" PowerShell Namespace

Detects the invocation of PowerShell commands with references to classes from the "System.Security.Cryptography" namespace. The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly encryption and decryption. These can be used for example in decrypting malicious payload for defense evasion.

T1059.001T1027.010
Sigmamedium

Invoke-Obfuscation CLIP+ Launcher

Detects Obfuscated use of Clip.exe to execute PowerShell

T1027T1059.001
Sigmahigh

Invoke-Obfuscation CLIP+ Launcher - PowerShell

Detects Obfuscated use of Clip.exe to execute PowerShell

T1027T1059.001
Sigmahigh
PreviousPage 43 of 137Next