EXPLORE

EXPLORE DETECTIONS

🔍
3,281 detections found

MSI Installation From Suspicious Locations

Detects MSI package installation from suspicious locations

Sigmamedium

MSI Installation From Web

Detects installation of a remote msi file from web.

T1218T1218.007
Sigmamedium

Msiexec Quiet Installation

Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)

T1218.007
Sigmamedium

MsiExec Web Install

Detects suspicious msiexec process starts with web addresses as parameter

T1218.007T1105
Sigmamedium

Msiexec.EXE Initiated Network Connection Over HTTP

Detects a network connection initiated by an "Msiexec.exe" process over port 80 or 443. Adversaries might abuse "msiexec.exe" to install and execute remotely hosted packages. Use this rule to hunt for potentially anomalous or suspicious communications.

T1218.007
Sigmalow

MSSQL Add Account To Sysadmin Role

Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role

Sigmahigh

MSSQL Destructive Query

Detects the invocation of MS SQL transactions that are destructive towards table or database data, such as "DROP TABLE" or "DROP DATABASE".

T1485
Sigmamedium

MSSQL Disable Audit Settings

Detects when an attacker calls the "ALTER SERVER AUDIT" or "DROP SERVER AUDIT" transaction in order to delete or disable audit logs on the server

Sigmahigh

MSSQL Server Failed Logon

Detects failed logon attempts from clients to MSSQL server.

T1110
Sigmalow

MSSQL Server Failed Logon From External Network

Detects failed logon attempts from clients with external network IP to an MSSQL server. This can be a sign of a bruteforce attack.

T1110
Sigmamedium

MSSQL SPProcoption Set

Detects when the a stored procedure is set or cleared for automatic execution in MSSQL. A stored procedure that is set to automatic execution runs every time an instance of SQL Server is started

Sigmahigh

MSSQL XPCmdshell Option Change

Detects when the MSSQL "xp_cmdshell" stored procedure setting is changed.

Sigmahigh

MSSQL XPCmdshell Suspicious Execution

Detects when the MSSQL "xp_cmdshell" stored procedure is used to execute commands

Sigmahigh

Mstsc.EXE Execution From Uncommon Parent

Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations.

Sigmahigh

Mstsc.EXE Execution With Local RDP File

Detects potential RDP connection via Mstsc using a local ".rdp" file

T1219.002
Sigmalow

Msxsl.EXE Execution

Detects the execution of the MSXSL utility. This can be used to execute Extensible Stylesheet Language (XSL) files. These files are commonly used to describe the processing and rendering of data within XML files. Adversaries can abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.

T1220
Sigmamedium

Multi Factor Authentication Disabled For User Account

Detects changes to the "StrongAuthenticationRequirement" value, where the state is set to "0" or "Disabled". Threat actors were seen disabling multi factor authentication for users in order to maintain or achieve access to the account. Also see in SIM Swap attacks.

Sigmamedium

Multifactor Authentication Denied

User has indicated they haven't instigated the MFA prompt and could indicate an attacker has the password for the account.

T1078.004T1110T1621
Sigmamedium

Multifactor Authentication Interrupted

Identifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can't pass the MFA challenge.

T1078.004T1110T1621
Sigmamedium

Named Pipe Created Via Mkfifo

Detects the creation of a new named pipe using the "mkfifo" utility

Sigmalow

Narrator's Feedback-Hub Persistence

Detects abusing Windows 10 Narrator's Feedback-Hub

T1547.001
Sigmahigh

NET NGenAssemblyUsageLog Registry Key Tamper

Detects changes to the NGenAssemblyUsageLog registry key. .NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section). By simplify specifying an arbitrary value (e.g. fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.

T1112
Sigmahigh

Net WebClient Casing Anomalies

Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. nEt.WEbCliEnT) string as used in obfuscation techniques

T1059.001
Sigmahigh

Net.EXE Execution

Detects execution of "Net.EXE".

T1007T1049T1018T1135T1201+6
Sigmalow
PreviousPage 54 of 137Next