EXPLORE

EXPLORE DETECTIONS

🔍
3,281 detections found

Meterpreter or Cobalt Strike Getsystem Service Installation - Security

Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation

T1134.001T1134.002
Sigmahigh

Meterpreter or Cobalt Strike Getsystem Service Installation - System

Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation

T1134.001T1134.002
Sigmahigh

Microsoft 365 - Impossible Travel Activity

Detects when a Microsoft Cloud App Security reported a risky sign-in attempt due to a login associated with an impossible travel.

T1078
Sigmamedium

Microsoft 365 - Potential Ransomware Activity

Detects when a Microsoft Cloud App Security reported when a user uploads files to the cloud that might be infected with ransomware.

T1486
Sigmamedium

Microsoft 365 - Unusual Volume of File Deletion

Detects when a Microsoft Cloud App Security reported a user has deleted a unusual a large volume of files.

T1485
Sigmamedium

Microsoft 365 - User Restricted from Sending Email

Detects when a Security Compliance Center reported a user who exceeded sending limits of the service policies and because of this has been restricted from sending email.

T1199
Sigmamedium

Microsoft Defender Blocked from Loading Unsigned DLL

Detects Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs which may be an attempt to sideload arbitrary DLL

T1574.001
Sigmahigh

Microsoft Defender Tamper Protection Trigger

Detects blocked attempts to change any of Defender's settings such as "Real Time Monitoring" and "Behavior Monitoring"

T1685
Sigmahigh

Microsoft Excel Add-In Loaded

Detects Microsoft Excel loading an Add-In (.xll) file

T1204.002
Sigmalow

Microsoft Excel Add-In Loaded From Uncommon Location

Detects Microsoft Excel loading an Add-In (.xll) file from an uncommon location

T1204.002
Sigmamedium

Microsoft IIS Connection Strings Decryption

Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.

T1003
Sigmahigh

Microsoft IIS Service Account Password Dumped

Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords

T1003
Sigmahigh

Microsoft Malware Protection Engine Crash

This rule detects a suspicious crash of the Microsoft Malware Protection Engine

T1211T1685
Sigmahigh

Microsoft Malware Protection Engine Crash - WER

This rule detects a suspicious crash of the Microsoft Malware Protection Engine

T1211T1685
Sigmahigh

Microsoft Office DLL Sideload

Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location

T1574.001
Sigmahigh

Microsoft Office Protected View Disabled

Detects changes to Microsoft Office protected view registry keys with which the attacker disables this feature.

T1685
Sigmahigh

Microsoft Office Trusted Location Updated

Detects changes to the registry keys related to "Trusted Location" of Microsoft Office. Attackers might add additional trusted locations to avoid macro security restrictions.

T1112
Sigmamedium

Microsoft Sync Center Suspicious Network Connections

Detects suspicious connections from Microsoft Sync Center to non-private IPs.

T1055T1218
Sigmamedium

Microsoft Teams Sensitive File Access By Uncommon Applications

Detects file access attempts to sensitive Microsoft teams files (leveldb, cookies) by an uncommon process.

T1528
Sigmamedium

Microsoft VBA For Outlook Addin Loaded Via Outlook

Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process

T1204.002
Sigmamedium

Microsoft Word Add-In Loaded

Detects Microsoft Word loading an Add-In (.wll) file which can be used by threat actors for initial access or persistence.

T1204.002
Sigmalow

Microsoft Workflow Compiler Execution

Detects the execution of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.

T1127T1218
Sigmamedium

Mimikatz DC Sync

Detects Mimikatz DC sync security events

S0002T1003.006
Sigmahigh

Mimikatz Use

This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)

S0002T1003.002T1003.004T1003.001T1003.006
Sigmahigh
PreviousPage 52 of 137Next