EXPLORE

EXPLORE DETECTIONS

🔍
3,281 detections found

Antivirus - Relevant File Paths Alerts Signature

Detects an Antivirus alert in a highly relevant file path or with a relevant file name. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.

T1588
Sigmahigh

Antivirus - Remote Access Tools Signature

Detects a highly relevant Antivirus alert that reports a remote access tool. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.

T1203T1219.002
Sigmacritical

Antivirus - Web Shell Detection Signature

Detects a highly relevant Antivirus alert that reports a web shell. It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big WebShell repository from e.g. github and checking the matches. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.

T1505.003
Sigmahigh

Antivirus Filter Driver Disallowed On Dev Drive - Registry

Detects activity that indicates a user disabling the ability for Antivirus mini filter to inspect a "Dev Drive".

T1685
Sigmahigh

Anydesk Remote Access Software Service Installation

Detects the installation of the anydesk software service. Which could be an indication of anydesk abuse if you the software isn't already used.

Sigmamedium

Anydesk Temporary Artefact

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

T1219.002
Sigmamedium

Apache Segmentation Fault

Detects a segmentation fault error message caused by a crashing apache worker process

T1499.004
Sigmahigh

Apache Threading Error

Detects an issue in apache logs that reports threading related errors

T1190T1210
Sigmamedium

App Assigned To Azure RBAC/Microsoft Entra Role

Detects when an app is assigned Azure AD roles, such as global administrator, or Azure RBAC roles, such as subscription owner.

T1098.003
Sigmamedium

App Granted Microsoft Permissions

Detects when an application is granted delegated or app role permissions for Microsoft Graph, Exchange, Sharepoint, or Azure AD

T1528
Sigmahigh

App Granted Privileged Delegated Or App Permissions

Detects when administrator grants either application permissions (app roles) or highly privileged delegated permissions

T1098.003
Sigmahigh

Application AppID Uri Configuration Changes

Detects when a configuration change is made to an applications AppID URI.

T1552T1078.004
Sigmahigh

Application Removed Via Wmic.EXE

Detects the removal or uninstallation of an application via "Wmic.EXE".

T1047
Sigmamedium

Application Termination Attempt via Wmic.EXE

Detects an attempt to terminate a process via "wmic" with the "call terminate" flag. Adversaries may use wmic to terminate security products or other applications on the compromised host. This event is triggered on on attempt and process creation can be either successful or unsuccessful.

T1047
Sigmamedium

Application Uninstalled

An application has been removed. Check if it is critical.

T1489
Sigmalow

Application URI Configuration Changes

Detects when a configuration change is made to an applications URI. URIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are no unique to that app, or URIs that point to domains you do not control should be investigated.

T1528T1078.004
Sigmahigh

Application Using Device Code Authentication Flow

Device code flow is an OAuth 2.0 protocol flow specifically for input constrained devices and is not used in all environments. If this type of flow is seen in the environment and not being used in an input constrained device scenario, further investigation is warranted. This can be a misconfigured application or potentially something malicious.

T1078
Sigmamedium

Applications That Are Using ROPC Authentication Flow

Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly. The application then uses those credentials to authenticate the user against the identity provider.

T1078
Sigmamedium

AppLocker Application Would Have Been Blocked

Detects when AppLocker "Audit only" enforcement mode reports that an Application, DLL, Script, MSI, or Packaged-App would have been blocked if AppLocker "Enforce rules" enforcement mode was enabled.

T1204.002T1059.001T1059.003T1059.005T1059.006+1
Sigmamedium

AppLocker Prevented Application or Script from Running

Detects when AppLocker prevents the execution of an Application, DLL, Script, MSI, or Packaged-App from running.

T1204.002T1059.001T1059.003T1059.005T1059.006+1
Sigmamedium

AppX Located in Known Staging Directory Added to Deployment Pipeline

Detects an appx package that was added to the pipeline of the "to be processed" packages that is located in a known folder often used as a staging directory.

Sigmahigh

AppX Located in Uncommon Directory Added to Deployment Pipeline

Detects an appx package that was added to the pipeline of the "to be processed" packages that is located in uncommon locations.

Sigmamedium

AppX Package Deployment Failed Due to Signing Requirements

Detects an appx package deployment / installation with the error code "0x80073cff" which indicates that the package didn't meet the signing requirements.

Sigmamedium

AppX Package Installation Attempts Via AppInstaller.EXE

Detects DNS queries made by "AppInstaller.EXE". The AppInstaller is the default handler for the "ms-appinstaller" URI. It attempts to load/install a package from the referenced URL

T1105
Sigmamedium
PreviousPage 5 of 137Next