EXPLORE

EXPLORE DETECTIONS

🔍
3,281 detections found

Invoke-Obfuscation Via Use Rundll32 - PowerShell Module

Detects Obfuscated Powershell via use Rundll32 in Scripts

T1027T1059.001
Sigmahigh

Invoke-Obfuscation Via Use Rundll32 - Security

Detects Obfuscated Powershell via use Rundll32 in Scripts

T1027T1059.001
Sigmahigh

Invoke-Obfuscation Via Use Rundll32 - System

Detects Obfuscated Powershell via use Rundll32 in Scripts

T1027T1059.001
Sigmahigh

ISATAP Router Address Was Set

Detects the configuration of a new ISATAP router on a Windows host. While ISATAP is a legitimate Microsoft technology for IPv6 transition, unexpected or unauthorized ISATAP router configurations could indicate a potential IPv6 DNS Takeover attack using tools like mitm6. In such attacks, adversaries advertise themselves as DHCPv6 servers and set malicious ISATAP routers to intercept traffic. This detection should be correlated with network baselines and known legitimate ISATAP deployments in your environment.

T1557T1565.002
Sigmamedium

ISO File Created Within Temp Folders

Detects the creation of a ISO file in the Outlook temp folder or in the Appdata temp folder. Typical of Qakbot TTP from end-July 2022.

T1566.001
Sigmahigh

ISO Image Mounted

Detects the mount of an ISO image on an endpoint

T1566.001
Sigmamedium

ISO or Image Mount Indicator in Recent Files

Detects the creation of recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks. This can be a false positive on server systems but on workstations users should rarely mount .iso or .img files.

T1566.001
Sigmamedium

JAMF MDM Execution

Detects execution of the "jamf" binary to create user accounts and run commands. For example, the binary can be abused by attackers on the system in order to bypass security controls or remove application control polices.

Sigmalow

JAMF MDM Potential Suspicious Child Process

Detects potential suspicious child processes of "jamf". Could be a sign of potential abuse of Jamf as a C2 server as seen by Typhon MythicAgent.

Sigmamedium

Java Payload Strings

Detects possible Java payloads in web access logs

T1190
Sigmahigh

Java Running with Remote Debugging

Detects a JAVA process running with remote debugging allowing more than just localhost to connect

T1203
Sigmamedium

JexBoss Command Sequence

Detects suspicious command sequence that JexBoss

T1059.004
Sigmahigh

JNDIExploit Pattern

Detects exploitation attempt using the JNDI-Exploit-Kit

T1190
Sigmahigh

JScript Compiler Execution

Detects the execution of the "jsc.exe" (JScript Compiler). Attacker might abuse this in order to compile JScript files on the fly and bypassing application whitelisting.

T1127
Sigmalow

Juniper BGP Missing MD5

Detects juniper BGP missing MD5 digest. Which may be indicative of brute force attacks to manipulate routing.

T1078T1110T1557
Sigmalow

JXA In-memory Execution Via OSAScript

Detects possible malicious execution of JXA in-memory via OSAScript

T1059.002T1059.007
Sigmahigh

Kaspersky Endpoint Security Stopped Via CommandLine - Linux

Detects execution of the Kaspersky init.d stop script on Linux systems either directly or via systemctl. This activity may indicate a manual interruption of the antivirus service by an administrator, or it could be a sign of potential tampering or evasion attempts by malicious actors.

T1685
Sigmahigh

Kavremover Dropped Binary LOLBIN Usage

Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.

T1127
Sigmahigh

Kerberoasting Activity - Initial Query

This rule will collect the data needed to start looking into possible kerberoasting activity. Further analysis or computation within the query is needed focusing on requests from one specific host/IP towards multiple service names within a time period of 5 seconds. You can then set a threshold for the number of requests and time between the requests to turn this into an alert.

T1558.003
Sigmamedium

Kerberos Manipulation

Detects failed Kerberos TGT issue operation. This can be a sign of manipulations of TGT messages by an attacker.

T1212
Sigmahigh

Kerberos Network Traffic RC4 Ticket Encryption

Detects kerberos TGS request using RC4 encryption which may be indicative of kerberoasting

T1558.003
Sigmamedium

Kernel Memory Dump Via LiveKD

Detects execution of LiveKD with the "-m" flag to potentially dump the kernel memory

Sigmahigh

KrbRelayUp Service Installation

Detects service creation from KrbRelayUp tool used for privilege escalation in Windows domain environments where LDAP signing is not enforced (the default settings)

T1543
Sigmahigh

Kubernetes Admission Controller Modification

Detects when a modification (create, update or replace) action is taken that affects mutating or validating webhook configurations, as they can be used by an adversary to achieve persistence or exfiltrate access credentials.

T1078T1552T1552.007
Sigmamedium
PreviousPage 46 of 137Next