EXPLORE DETECTIONS
Local Groups Discovery - Linux
Detects enumeration of local system groups. Adversaries may attempt to find local system groups and permission settings
Local Groups Discovery - MacOs
Detects enumeration of local system groups
Local Groups Reconnaissance Via Wmic.EXE
Detects the execution of "wmic" with the "group" flag. Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
Local Network Connection Initiated By Script Interpreter
Detects a script interpreter (Wscript/Cscript) initiating a local network connection to download or execute a script hosted on a shared folder.
Local Privilege Escalation Indicator TabTip
Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode
Local System Accounts Discovery - Linux
Detects enumeration of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
Local System Accounts Discovery - MacOs
Detects enumeration of local system accounts on MacOS systems. This can be used by attackers to identify accounts for lateral movement or privilege escalation.
Local User Creation
Detects local user creation on Windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your Windows server logs and not on your DC logs.
Locked Workstation
Detects locked workstation session events that occur automatically after a standard period of inactivity.
Logged-On User Password Change Via Ksetup.EXE
Detects password change for the logged-on user's via "ksetup.exe"
Logging Configuration Changes on Linux Host
Detect changes of syslog daemons configuration files
Login to Disabled Account
Detect failed attempts to sign in to disabled accounts.
Logon from a Risky IP Address
Detects when a Microsoft Cloud App Security reported when a user signs into your sanctioned apps from a risky IP address.
LOL-Binary Copied From System Directory
Detects a suspicious copy operation that tries to copy a known LOLBIN from system (System32, SysWOW64, WinSxS) directories to another on disk in order to bypass detections based on locations.
LOLBAS Data Exfiltration by DataSvcUtil.exe
Detects when a user performs data exfiltration by using DataSvcUtil.exe
Lolbas OneDriveStandaloneUpdater.exe Proxy Download
Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any anomalous executables with suspicious arguments. The downloaded file will be in C:\Users\redacted\AppData\Local\Microsoft\OneDrive\StandaloneUpdaterreSignInSettingsConfig.json
LOLBIN Execution From Abnormal Drive
Detects LOLBINs executing from an abnormal or uncommon drive such as a mounted ISO.
Lolbin Runexehelper Use As Proxy
Detect usage of the "runexehelper.exe" binary as a proxy to launch other programs
Lolbin Unregmp2.exe Use As Proxy
Detect usage of the "unregmp2.exe" binary as a proxy to launch a custom version of "wmpnscfg.exe"
Low Reputation Effective Top-Level Domain (eTLD)
Detects DNS queries to domains within known low reputation eTLDs. This rule uses AlphaSOC's threat intelligence data and is updated on a monthly basis.
LSA PPL Protection Setting Modification via CommandLine
Detects modification of LSA PPL protection settings via CommandLine. It may indicate an attempt to disable protection and enable credential dumping tools to access LSASS process memory.
LSASS Access Detected via Attack Surface Reduction
Detects Access to LSASS Process
LSASS Access From Non System Account
Detects potential mimikatz-like tools accessing LSASS from non system account
LSASS Access From Potentially White-Listed Processes
Detects a possible process memory dump that uses a white-listed filename like TrolleyExpress.exe as a way to dump the LSASS process memory without Microsoft Defender interference