EXPLORE

EXPLORE DETECTIONS

🔍
3,281 detections found

MITRE BZAR Indicators for Execution

Windows DCE-RPC functions which indicate an execution techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE

T1047T1053.002T1569.002
Sigmamedium

MITRE BZAR Indicators for Persistence

Windows DCE-RPC functions which indicate a persistence techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.

T1547.004
Sigmamedium

MMC Executing Files with Reversed Extensions Using RTLO Abuse

Detects malicious behavior where the MMC utility (`mmc.exe`) executes files with reversed extensions caused by Right-to-Left Override (RLO) abuse, disguising them as document formats.

T1204.002T1218.014T1036.002
Sigmahigh

MMC Loading Script Engines DLLs

Detects when the Microsoft Management Console (MMC) loads the DLL libraries like vbscript, jscript etc which might indicate an attempt to execute malicious scripts within a trusted system process for bypassing application whitelisting or defense evasion.

T1059.005T1218.014
Sigmamedium

MMC Spawning Windows Shell

Detects a Windows command line executable started from MMC

T1021.003
Sigmahigh

MMC20 Lateral Movement

Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe

T1021.003
Sigmahigh

Modification of IE Registry Settings

Detects modification of the registry settings used for Internet Explorer and other Windows components that use these settings. An attacker can abuse this registry key to add a domain to the trusted sites Zone or insert JavaScript for persistence

T1112
Sigmalow

Modification of ld.so.preload

Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.

T1574.006
Sigmahigh

Modification or Deletion of an AWS RDS Cluster

Detects modifications to an RDS cluster or its deletion, which may indicate potential data exfiltration attempts, unauthorized access, or exposure of sensitive information.

T1020
Sigmahigh

Modify Group Policy Settings

Detect malicious GPO modifications can be used to implement many other malicious behaviors.

T1484.001
Sigmamedium

Modify Group Policy Settings - ScriptBlockLogging

Detect malicious GPO modifications can be used to implement many other malicious behaviors.

T1484.001
Sigmamedium

Modify System Firewall

Detects the removal of system firewall rules. Adversaries may only delete or modify a specific system firewall rule to bypass controls limiting network usage or access. Detection rules that match only on the disabling of firewalls will miss this.

T1686
Sigmamedium

Modify User Shell Folders Startup Value

Detect modification of the User Shell Folders registry values for Startup or Common Startup which could indicate persistence attempts. Attackers may modify User Shell Folders registry keys to point to malicious executables or scripts that will be executed during startup. This technique is often used to maintain persistence on a compromised system by ensuring that the malicious payload is executed automatically.

T1547.001
Sigmahigh

Modifying Crontab

Detects suspicious modification of crontab file.

T1053.003
Sigmamedium

Monero Crypto Coin Mining Pool Lookup

Detects suspicious DNS queries to Monero mining pools

T1496T1567
Sigmahigh

Monitoring For Persistence Via BITS

BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished. When the job runs on the system the command specified in the BITS job will be executed. This can be abused by actors to create a backdoor within the system and for persistence. It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded.

T1197
Sigmamedium

Moriya Rootkit - System

Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report

T1543.003
Sigmacritical

Mount Execution With Hidepid Parameter

Detects execution of the "mount" command with "hidepid" parameter to make invisible processes to other users from the system

T1564
Sigmamedium

MpiExec Lolbin

Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary

T1218
Sigmahigh

MSDT Execution Via Answer File

Detects execution of "msdt.exe" using an answer file which is simulating the legitimate way of calling msdt via "pcwrun.exe" (For example from the compatibility tab).

T1218
Sigmahigh

MSExchange Transport Agent Installation

Detects the Installation of a Exchange Transport Agent

T1505.002
Sigmamedium

MSExchange Transport Agent Installation - Builtin

Detects the Installation of a Exchange Transport Agent

T1505.002
Sigmamedium

MSHTA Execution with Suspicious File Extensions

Detects execution of mshta.exe with file types that looks like they do not typically represent HTA (HTML Application) content, such as .png, .jpg, .zip, .pdf, and others, which are often polyglots. MSHTA is a legitimate Windows utility for executing HTML Applications containing VBScript or JScript. Threat actors often abuse this lolbin utility to download and execute malicious scripts disguised as benign files or hosted under misleading extensions to evade detection.

T1140T1218.005T1059.007
Sigmahigh

Mshtml.DLL RunHTMLApplication Suspicious Usage

Detects execution of commands that leverage the "mshtml.dll" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, http...)

Sigmahigh
PreviousPage 53 of 137Next