EXPLORE

EXPLORE DETECTIONS

🔍
3,281 detections found

Kubernetes CronJob/Job Modification

Detects when a Kubernetes CronJob or Job is created or modified. A Kubernetes Job creates one or more pods to accomplish a specific task, and a CronJob creates Jobs on a recurring schedule. An adversary can take advantage of this Kubernetes object to schedule Jobs to run containers that execute malicious code within a cluster, allowing them to achieve persistence.

Sigmamedium

Kubernetes Events Deleted

Detects when events are deleted in Kubernetes. An adversary may delete Kubernetes events in an attempt to evade detection.

T1070
Sigmamedium

Kubernetes Potential Enumeration Activity

Detects potential Kubernetes enumeration or attack activity via the audit log. This includes the execution of common shells, utilities, or specialized tools like 'Rakkess' (access_matrix) and 'TruffleHog' via Kubernetes API requests. Attackers use these methods to perform reconnaissance (enumeration), secret harvesting, or execute code (exec) within a cluster.

T1609T1613
Sigmamedium

Kubernetes Rolebinding Modification

Detects when a Kubernetes Rolebinding is created or modified.

Sigmamedium

Kubernetes Secrets Enumeration

Detects enumeration of Kubernetes secrets.

T1552.007
Sigmalow

Kubernetes Secrets Modified or Deleted

Detects when Kubernetes Secrets are Modified or Deleted.

Sigmamedium

Kubernetes Unauthorized or Unauthenticated Access

Detects when a request to the Kubernetes API is rejected due to lack of authorization or due to an expired authentication token being used. This may indicate an attacker attempting to leverage credentials they have obtained.

Sigmalow

Launch Agent/Daemon Execution Via Launchctl

Detects the execution of programs as Launch Agents or Launch Daemons using launchctl on macOS.

T1569.001T1543.001T1543.004
Sigmamedium

Launch-VsDevShell.PS1 Proxy Execution

Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands.

T1216.001
Sigmamedium

Legitimate Application Dropped Archive

Detects programs on a Windows system that should not write an archive to disk

T1218
Sigmahigh

Legitimate Application Dropped Executable

Detects LOLBINs and applications that should not legitimately drop executable or executable-equivalent files to disk. This may indicate malware staging, process injection, or abuse of a trusted binary for payload delivery.

T1218
Sigmahigh

Legitimate Application Dropped Script

Detects LOLBINs and applications that should not legitimately drop script files to disk. This may indicate malware staging or abuse of a trusted binary for script-based code execution.

T1218
Sigmahigh

Legitimate Application Writing Files In Uncommon Location

Detects legitimate applications writing any type of file to uncommon or suspicious locations that are not typical for application data storage or execution. Adversaries may leverage legitimate applications (Living off the Land Binaries - LOLBins) to drop or download malicious files to uncommon locations on the system to evade detection by security solutions.

T1218T1105
Sigmahigh

Linux Base64 Encoded Pipe to Shell

Detects suspicious process command line that uses base64 encoded input for execution with a shell

T1140
Sigmamedium

Linux Base64 Encoded Shebang In CLI

Detects the presence of a base64 version of the shebang in the commandline, which could indicate a malicious payload about to be decoded

T1140
Sigmamedium

Linux Capabilities Discovery

Detects attempts to discover the files with setuid/setgid capability on them. That would allow adversary to escalate their privileges.

T1083T1548
Sigmalow

Linux Command History Tampering

Detects commands that try to clear or tamper with the Linux command history. This technique is used by threat actors in order to evade defenses and execute commands without them being recorded in files such as "bash_history" or "zsh_history".

T1070.003
Sigmahigh

Linux Crypto Mining Indicators

Detects command line parameters or strings often used by crypto miners

T1496
Sigmahigh

Linux Crypto Mining Pool Connections

Detects process connections to a Monero crypto mining pool

T1496
Sigmahigh

Linux Doas Conf File Creation

Detects the creation of doas.conf file in linux host platform.

T1548
Sigmamedium

Linux Doas Tool Execution

Detects the doas tool execution in linux host platform. This utility tool allow standard users to perform tasks as root, the same way sudo does.

T1548
Sigmalow

Linux HackTool Execution

Detects known hacktool execution based on image name.

T1587
Sigmahigh

Linux Keylogging with Pam.d

Detect attempt to enable auditing of TTY input

T1003T1056.001
Sigmahigh

Linux Logs Clearing Attempts

Detects logs clearing attempts on Linux systems via utilities such as 'rm', 'rmdir', 'shred', and 'unlink' targeting log files and directories. Adversaries often try to clear logs to cover their tracks after performing malicious activities.

T1685.006
Sigmamedium
PreviousPage 47 of 137Next