EXPLORE

EXPLORE DETECTIONS

🔍
3,281 detections found

Malicious Named Pipe Created

Detects the creation of a named pipe seen used by known APTs or malware.

T1055
Sigmacritical

Malicious Nishang PowerShell Commandlets

Detects Commandlet names and arguments from the Nishang exploitation framework

T1059.001
Sigmahigh

Malicious PE Execution by Microsoft Visual Studio Debugger

There is an option for a MS VS Just-In-Time Debugger "vsjitdebugger.exe" to launch specified executable and attach a debugger. This option may be used adversaries to execute malicious code by signed verified binary. The debugger is installed alongside with Microsoft Visual Studio package.

T1218
Sigmamedium

Malicious PowerShell Commandlets - PoshModule

Detects Commandlet names from well-known PowerShell exploitation frameworks

T1482T1087T1087.001T1087.002T1069.001+3
Sigmahigh

Malicious PowerShell Commandlets - ProcessCreation

Detects Commandlet names from well-known PowerShell exploitation frameworks

T1482T1087T1087.001T1087.002T1069.001+3
Sigmahigh

Malicious PowerShell Commandlets - ScriptBlock

Detects Commandlet names from well-known PowerShell exploitation frameworks

T1482T1087T1087.001T1087.002T1069.001+3
Sigmahigh

Malicious PowerShell Keywords

Detects keywords from well-known PowerShell exploitation frameworks

T1059.001
Sigmamedium

Malicious PowerShell Scripts - FileCreation

Detects the creation of known offensive powershell scripts used for exploitation

T1059.001
Sigmahigh

Malicious PowerShell Scripts - PoshModule

Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance

T1059.001
Sigmahigh

Malicious ShellIntel PowerShell Commandlets

Detects Commandlet names from ShellIntel exploitation scripts.

T1059.001
Sigmahigh

Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure

Detects when an instance identity has taken an action that isn't inside SSM. This can indicate that a compromised EC2 instance is being used as a pivot point.

T1078T1078.002
Sigmahigh

Malicious Windows Script Components File Execution by TAEF Detection

Windows Test Authoring and Execution Framework (TAEF) framework allows you to run automation by executing tests files written on different languages (C, C#, Microsoft COM Scripting interfaces Adversaries may execute malicious code (such as WSC file with VBScript, dll and so on) directly by running te.exe

T1218
Sigmalow

Malware User Agent

Detects suspicious user agent strings used by malware in proxy logs

T1071.001
Sigmahigh

ManageEngine Endpoint Central Dctask64.EXE Potential Abuse

Detects the execution of "dctask64.exe", a signed binary by ZOHO Corporation part of ManageEngine Endpoint Central. This binary can be abused for DLL injection, arbitrary command and process execution.

T1055.001
Sigmahigh

Manipulation of User Computer or Group Security Principals Across AD

Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain..

T1136.002
Sigmamedium

Manual Execution of Script Inside of a Compressed File

This is a threat-hunting query to collect information related to the interactive execution of a script from inside a compressed file (zip/rar). Windows will automatically run the script using scripting interpreters such as wscript and cscript binaries. From the query below, the child process is the script interpreter that will execute the script. The script extension is also a set of standard extensions that Windows OS recognizes. Selections 1-3 contain three different execution scenarios. 1. Compressed file opened using 7zip. 2. Compressed file opened using WinRar. 3. Compressed file opened using native windows File Explorer capabilities. When the malicious script is double-clicked, it will be extracted to the respected directories as signified by the CommandLine on each of the three Selections. It will then be executed using the relevant script interpreter."

T1059
Sigmamedium

Mask System Power Settings Via Systemctl

Detects the use of systemctl mask to disable system power management targets such as suspend, hibernate, or hybrid sleep. Adversaries may mask these targets to prevent a system from entering sleep or shutdown states, ensuring their malicious processes remain active and uninterrupted. This behavior can be associated with persistence or defense evasion, as it impairs normal system power operations to maintain long-term access or avoid termination of malicious activity.

T1653
Sigmahigh

Masquerading as Linux Crond Process

Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.

T1036.003
Sigmamedium

Mavinject Inject DLL Into Running Process

Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag

T1055.001T1218.013
Sigmahigh

MaxMpxCt Registry Value Changed

Detects changes to the "MaxMpxCt" registry value. MaxMpxCt specifies the maximum outstanding network requests for the server per client, which is used when negotiating a Server Message Block (SMB) connection with a client. Note if the value is set beyond 125 older Windows 9x clients will fail to negotiate. Ransomware threat actors and operators (specifically BlackCat) were seen increasing this value in order to handle a higher volume of traffic.

T1070.005
Sigmalow

Measurable Increase Of Successful Authentications

Detects when successful sign-ins increased by 10% or greater.

T1078
Sigmalow

Mesh Agent Service Installation

Detects a Mesh Agent service installation. Mesh Agent is used to remotely manage computers

T1219.002
Sigmamedium

Metasploit Or Impacket Service Installation Via SMB PsExec

Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation

T1021.002T1570T1569.002
Sigmahigh

Metasploit SMB Authentication

Alerts on Metasploit host's authentications on the domain.

T1021.002
Sigmahigh
PreviousPage 51 of 137Next