EXPLORE DETECTIONS
LiveKD Driver Creation By Uncommon Process
Detects the creation of the LiveKD driver by a process image other than "livekd.exe".
LiveKD Kernel Memory Dump File Created
Detects the creation of a file that has the same name as the default LiveKD kernel memory dump.
Load Of RstrtMgr.DLL By A Suspicious Process
Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. It could also be used for anti-analysis purposes by shut downing specific processes.
Load Of RstrtMgr.DLL By An Uncommon Process
Detects the load of RstrtMgr DLL (Restart Manager) by an uncommon process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. It could also be used for anti-analysis purposes by shut downing specific processes.
LoadBalancer Security Group Modification
Detects changes to the security groups associated with an Elastic Load Balancer (ELB) or Application Load Balancer (ALB). This can indicate that a misconfiguration allowing more traffic into the system than required, or could indicate that an attacker is attempting to enable new connections into a VPC or subnet controlled by the account.
Loaded Module Enumeration Via Tasklist.EXE
Detects the enumeration of a specific DLL or EXE being used by a binary via "tasklist.exe". This is often used by attackers in order to find the specific process identifier (PID) that is using the DLL in question. In order to dump the process memory or perform other nefarious actions.
Loading Diagcab Package From Remote Path
Detects loading of diagcab packages from a remote path, as seen in DogWalk vulnerability
Loading of Kernel Module via Insmod
Detects loading of kernel modules with insmod command. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. Adversaries may use LKMs to obtain persistence within the system or elevate the privileges.
Local Accounts Discovery
Local accounts, System Owner/User discovery using operating systems utilities
Local File Read Using Curl.EXE
Detects execution of "curl.exe" with the "file://" protocol handler in order to read local files.
Local Firewall Rules Enumeration Via NetFirewallRule Cmdlet
Detects execution of "Get-NetFirewallRule" or "Show-NetFirewallRule" to enumerate the local firewall rules on a host.
Local Groups Discovery - Linux
Detects enumeration of local system groups. Adversaries may attempt to find local system groups and permission settings
Local Groups Discovery - MacOs
Detects enumeration of local system groups
Local Groups Reconnaissance Via Wmic.EXE
Detects the execution of "wmic" with the "group" flag. Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
Local Network Connection Initiated By Script Interpreter
Detects a script interpreter (Wscript/Cscript) initiating a local network connection to download or execute a script hosted on a shared folder.
Local Privilege Escalation Indicator TabTip
Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode
Local System Accounts Discovery - Linux
Detects enumeration of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
Local System Accounts Discovery - MacOs
Detects enumeration of local systeam accounts on MacOS
Local User Creation
Detects local user creation on Windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your Windows server logs and not on your DC logs.
Locked Workstation
Detects locked workstation session events that occur automatically after a standard period of inactivity.
Logged-On User Password Change Via Ksetup.EXE
Detects password change for the logged-on user's via "ksetup.exe"
Logging Configuration Changes on Linux Host
Detect changes of syslog daemons configuration files
Login to Disabled Account
Detect failed attempts to sign in to disabled accounts.
Logon from a Risky IP Address
Detects when a Microsoft Cloud App Security reported when a user signs into your sanctioned apps from a risky IP address.