EXPLORE

EXPLORE DETECTIONS

🔍
3,281 detections found

Local Groups Discovery - Linux

Detects enumeration of local system groups. Adversaries may attempt to find local system groups and permission settings

T1069.001
Sigmalow

Local Groups Discovery - MacOs

Detects enumeration of local system groups

T1069.001
Sigmainformational

Local Groups Reconnaissance Via Wmic.EXE

Detects the execution of "wmic" with the "group" flag. Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.

T1069.001
Sigmalow

Local Network Connection Initiated By Script Interpreter

Detects a script interpreter (Wscript/Cscript) initiating a local network connection to download or execute a script hosted on a shared folder.

T1105
Sigmamedium

Local Privilege Escalation Indicator TabTip

Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode

T1557.001
Sigmahigh

Local System Accounts Discovery - Linux

Detects enumeration of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.

T1087.001
Sigmalow

Local System Accounts Discovery - MacOs

Detects enumeration of local system accounts on MacOS systems. This can be used by attackers to identify accounts for lateral movement or privilege escalation.

T1087.001
Sigmalow

Local User Creation

Detects local user creation on Windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your Windows server logs and not on your DC logs.

T1136.001
Sigmalow

Locked Workstation

Detects locked workstation session events that occur automatically after a standard period of inactivity.

Sigmainformational

Logged-On User Password Change Via Ksetup.EXE

Detects password change for the logged-on user's via "ksetup.exe"

Sigmamedium

Logging Configuration Changes on Linux Host

Detect changes of syslog daemons configuration files

T1685
Sigmahigh

Login to Disabled Account

Detect failed attempts to sign in to disabled accounts.

T1078.004
Sigmamedium

Logon from a Risky IP Address

Detects when a Microsoft Cloud App Security reported when a user signs into your sanctioned apps from a risky IP address.

T1078
Sigmamedium

LOL-Binary Copied From System Directory

Detects a suspicious copy operation that tries to copy a known LOLBIN from system (System32, SysWOW64, WinSxS) directories to another on disk in order to bypass detections based on locations.

T1036.003
Sigmahigh

LOLBAS Data Exfiltration by DataSvcUtil.exe

Detects when a user performs data exfiltration by using DataSvcUtil.exe

T1567
Sigmamedium

Lolbas OneDriveStandaloneUpdater.exe Proxy Download

Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any anomalous executables with suspicious arguments. The downloaded file will be in C:\Users\redacted\AppData\Local\Microsoft\OneDrive\StandaloneUpdaterreSignInSettingsConfig.json

T1105
Sigmahigh

LOLBIN Execution From Abnormal Drive

Detects LOLBINs executing from an abnormal or uncommon drive such as a mounted ISO.

Sigmamedium

Lolbin Runexehelper Use As Proxy

Detect usage of the "runexehelper.exe" binary as a proxy to launch other programs

T1218
Sigmamedium

Lolbin Unregmp2.exe Use As Proxy

Detect usage of the "unregmp2.exe" binary as a proxy to launch a custom version of "wmpnscfg.exe"

T1218
Sigmamedium

Low Reputation Effective Top-Level Domain (eTLD)

Detects DNS queries to domains within known low reputation eTLDs. This rule uses AlphaSOC's threat intelligence data and is updated on a monthly basis.

T1071.004
Sigmamedium

LSA PPL Protection Setting Modification via CommandLine

Detects modification of LSA PPL protection settings via CommandLine. It may indicate an attempt to disable protection and enable credential dumping tools to access LSASS process memory.

T1689
Sigmamedium

LSASS Access Detected via Attack Surface Reduction

Detects Access to LSASS Process

T1003.001
Sigmahigh

LSASS Access From Non System Account

Detects potential mimikatz-like tools accessing LSASS from non system account

T1003.001
Sigmamedium

LSASS Access From Potentially White-Listed Processes

Detects a possible process memory dump that uses a white-listed filename like TrolleyExpress.exe as a way to dump the LSASS process memory without Microsoft Defender interference

T1003.001S0002
Sigmahigh
PreviousPage 49 of 137Next