3,252 detections found

Invoke-Obfuscation Via Stdin - Security

Detects Obfuscated Powershell via Stdin in Scripts

Techniques: T1027, T1059.001
Source: Sigma | Level: high

Invoke-Obfuscation Via Stdin - System

Detects Obfuscated Powershell via Stdin in Scripts

Techniques: T1027, T1059.001
Source: Sigma | Level: high

Invoke-Obfuscation Via Use Clip

Detects Obfuscated Powershell via use of Clip.exe in Scripts

Techniques: T1027, T1059.001
Source: Sigma | Level: high

Invoke-Obfuscation Via Use Clip - Powershell

Detects Obfuscated Powershell via use of Clip.exe in Scripts

Techniques: T1027, T1059.001
Source: Sigma | Level: high

Invoke-Obfuscation Via Use Clip - PowerShell Module

Detects Obfuscated Powershell via use of Clip.exe in Scripts

Techniques: T1027, T1059.001
Source: Sigma | Level: high

Invoke-Obfuscation Via Use Clip - Security

Detects Obfuscated Powershell via use of Clip.exe in Scripts

Techniques: T1027, T1059.001
Source: Sigma | Level: high

Invoke-Obfuscation Via Use Clip - System

Detects Obfuscated Powershell via use of Clip.exe in Scripts

Techniques: T1027, T1059.001
Source: Sigma | Level: high

Invoke-Obfuscation Via Use MSHTA

Detects Obfuscated Powershell via use of MSHTA in Scripts

Techniques: T1027, T1059.001
Source: Sigma | Level: high

Invoke-Obfuscation Via Use MSHTA - PowerShell

Detects Obfuscated Powershell via use of MSHTA in Scripts

Techniques: T1027, T1059.001
Source: Sigma | Level: high

Invoke-Obfuscation Via Use MSHTA - PowerShell Module

Detects Obfuscated Powershell via use of MSHTA in Scripts

Techniques: T1027, T1059.001
Source: Sigma | Level: high

Invoke-Obfuscation Via Use MSHTA - Security

Detects Obfuscated Powershell via use of MSHTA in Scripts

Techniques: T1027, T1059.001
Source: Sigma | Level: high

Invoke-Obfuscation Via Use MSHTA - System

Detects Obfuscated Powershell via use of MSHTA in Scripts

Techniques: T1027, T1059.001
Source: Sigma | Level: high

Invoke-Obfuscation Via Use Rundll32 - PowerShell

Detects Obfuscated Powershell via use of Rundll32 in Scripts

Techniques: T1027, T1059.001
Source: Sigma | Level: high

Invoke-Obfuscation Via Use Rundll32 - PowerShell Module

Detects Obfuscated Powershell via use of Rundll32 in Scripts

Techniques: T1027, T1059.001
Source: Sigma | Level: high

Invoke-Obfuscation Via Use Rundll32 - Security

Detects Obfuscated Powershell via use of Rundll32 in Scripts

Techniques: T1027, T1059.001
Source: Sigma | Level: high

Invoke-Obfuscation Via Use Rundll32 - System

Detects Obfuscated Powershell via use of Rundll32 in Scripts

Techniques: T1027, T1059.001
Source: Sigma | Level: high

ISATAP Router Address Was Set

Detects the configuration of a new ISATAP router on a Windows host. While ISATAP is a legitimate Microsoft technology for IPv6 transition, unexpected or unauthorized ISATAP router configurations could indicate a potential IPv6 DNS Takeover attack using tools like mitm6. In such attacks, adversaries advertise themselves as DHCPv6 servers and set malicious ISATAP routers to intercept traffic. This detection should be correlated with network baselines and known legitimate ISATAP deployments in your environment.

Techniques: T1557, T1565.002
Source: Sigma | Level: medium

ISO File Created Within Temp Folders

Detects the creation of an ISO file in the Outlook temp folder or in the AppData temp folder. Typical of Qakbot TTPs from end-July 2022.

Techniques: T1566.001
Source: Sigma | Level: high

ISO Image Mounted

Detects the mount of an ISO image on an endpoint

Techniques: T1566.001
Source: Sigma | Level: medium

ISO or Image Mount Indicator in Recent Files

Detects the creation of a recent-items file that points to an .ISO, .IMG, .VHD or .VHDX file, as often used in phishing attacks. This can be a false positive on server systems, but on workstations users should rarely mount .iso or .img files.

Techniques: T1566.001
Source: Sigma | Level: medium

JAMF MDM Execution

Detects execution of the "jamf" binary to create user accounts and run commands. For example, the binary can be abused by attackers on the system in order to bypass security controls or remove application control policies.

Source: Sigma | Level: low

JAMF MDM Potential Suspicious Child Process

Detects potentially suspicious child processes of "jamf". Could be a sign of abuse of Jamf as a C2 server, as seen with the Typhon Mythic agent.

Source: Sigma | Level: medium

Java Payload Strings

Detects possible Java payloads in web access logs

Techniques: T1190
Source: Sigma | Level: high

Java Running with Remote Debugging

Detects a Java process running with remote debugging enabled in a way that allows more than just localhost to connect

Techniques: T1203
Source: Sigma | Level: medium

Page 45 of 136