EXPLORE

EXPLORE DETECTIONS

🔍
3,281 detections found

LSASS Access From Program In Potentially Suspicious Folder

Detects process access to LSASS memory with suspicious access flags and from a potentially suspicious folder

T1003.001S0002
Sigmamedium

LSASS Dump Keyword In CommandLine

Detects the presence of the keywords "lsass" and ".dmp" in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process.

T1003.001
Sigmahigh

Lsass Full Dump Request Via DumpType Registry Settings

Detects the setting of the "DumpType" registry value to "2" which stands for a "Full Dump". Technique such as LSASS Shtinkering requires this value to be "2" in order to dump LSASS.

T1003.001
Sigmahigh

LSASS Memory Access by Tool With Dump Keyword In Name

Detects LSASS process access requests from a source process with the "dump" keyword in its image name.

T1003.001S0002
Sigmahigh

Lsass Memory Dump via Comsvcs DLL

Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.

T1003.001
Sigmahigh

LSASS Process Crashed - Application

Detects Windows error reporting events where the process that crashed is LSASS (Local Security Authority Subsystem Service). This could be the cause of a provoked crash by techniques such as Lsass-Shtinkering to dump credentials.

T1003.001
Sigmahigh

LSASS Process Dump Artefact In CrashDumps Folder

Detects the presence of an LSASS dump file in the "CrashDumps" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.

T1003.001
Sigmahigh

LSASS Process Memory Dump Creation Via Taskmgr.EXE

Detects the creation of an "lsass.dmp" file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager.

T1003.001
Sigmahigh

LSASS Process Memory Dump Files

Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials.

T1003.001
Sigmahigh

LSASS Process Reconnaissance Via Findstr.EXE

Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID

T1552.006
Sigmahigh

MacOS Emond Launch Daemon

Detects additions to the Emond Launch Daemon that adversaries may use to gain persistence and elevate privileges.

T1546.014
Sigmamedium

MacOS Network Service Scanning

Detects enumeration of local or remote network services.

T1046
Sigmalow

Macos Remote System Discovery

Detects the enumeration of other remote systems.

T1018
Sigmainformational

MacOS Scripting Interpreter AppleScript

Detects execution of AppleScript of the macOS scripting language AppleScript.

T1059.002
Sigmamedium

Macro Enabled In A Potentially Suspicious Document

Detects registry changes to Office trust records where the path is located in a potentially suspicious location

T1112
Sigmahigh

Mail Forwarding/Redirecting Activity In O365

Detects email forwarding or redirecting activity in O365 Audit logs.

T1114.003T1564.008T1020
Sigmamedium

Mail Forwarding/Redirecting Activity Via ExchangePowerShell Cmdlet

Detects email forwarding or redirecting activity via ExchangePowerShell Cmdlet

T1114.003T1564.008T1020
Sigmamedium

Mailbox Export to Exchange Webserver

Detects a successful export of an Exchange mailbox to untypical directory or with aspx name suffix which can be used to place a webshell or the needed role assignment for it

T1505.003
Sigmacritical

Malicious Base64 Encoded PowerShell Keywords in Command Lines

Detects base64 encoded strings used in hidden malicious PowerShell command lines

T1059.001
Sigmahigh

Malicious DLL File Dropped in the Teams or OneDrive Folder

Detects creation of a malicious DLL file in the location where the OneDrive or Team applications Upon execution of the Teams or OneDrive application, the dropped malicious DLL file ("iphlpapi.dll") is sideloaded

T1574.001
Sigmahigh

Malicious Driver Load

Detects loading of known malicious drivers via their hash.

T1543.003T1068
Sigmahigh

Malicious Driver Load By Name

Detects loading of known malicious drivers via the file name of the drivers.

T1543.003T1068
Sigmamedium

Malicious IP Address Sign-In Failure Rate

Indicates sign-in from a malicious IP address based on high failure rates.

T1090
Sigmahigh

Malicious IP Address Sign-In Suspicious

Indicates sign-in from a malicious IP address known to be malicious at time of sign-in.

T1090
Sigmahigh
PreviousPage 50 of 137Next