EXPLORE

EXPLORE DETECTIONS

🔍
3,281 detections found

Netcat The Powershell Version

Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network

T1095T1059.001
Sigmamedium

NetNTLM Downgrade Attack

Detects NetNTLM downgrade attack

T1685T1112
Sigmahigh

NetNTLM Downgrade Attack - Registry

Detects NetNTLM downgrade attack

T1685T1112
Sigmahigh

Netsh Allow Group Policy on Microsoft Defender Firewall

Adversaries may modify system firewalls in order to bypass controls limiting network usage

T1686.003
Sigmamedium

NetSupport Manager Service Install

Detects NetSupport Manager service installation on the target system.

Sigmamedium

Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder

Detects executables located in potentially suspicious directories initiating network connections towards file sharing domains.

T1105
Sigmahigh

Network Communication Initiated To Portmap.IO Domain

Detects an executable accessing the portmap.io domain, which could be a sign of forbidden C2 traffic or data exfiltration by malicious actors

T1041T1090.002
Sigmamedium

Network Communication With Crypto Mining Pool

Detects initiated network connections to crypto mining pools

T1496
Sigmahigh

Network Connection Initiated By AddinUtil.EXE

Detects a network connection initiated by the Add-In deployment cache updating utility "AddInutil.exe". This could indicate a potential command and control communication as this tool doesn't usually initiate network activity.

T1218
Sigmahigh

Network Connection Initiated By Eqnedt32.EXE

Detects network connections from the Equation Editor process "eqnedt32.exe".

T1203
Sigmahigh

Network Connection Initiated By IMEWDBLD.EXE

Detects a network connection initiated by IMEWDBLD.EXE. This might indicate potential abuse of the utility as a LOLBIN in order to download arbitrary files or additional payloads.

T1105
Sigmahigh

Network Connection Initiated By PowerShell Process

Detects a network connection that was initiated from a PowerShell process. Often times malicious powershell scripts download additional payloads or communicate back to command and control channels via uncommon ports or IPs. Use this rule as a basis for hunting for anomalies.

T1059.001
Sigmalow

Network Connection Initiated By Regsvr32.EXE

Detects a network connection initiated by "Regsvr32.exe"

T1559.001T1218.010
Sigmamedium

Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location

Detects a network connection initiated by programs or processes running from suspicious or uncommon files system locations.

T1105
Sigmahigh

Network Connection Initiated From Users\Public Folder

Detects a network connection initiated from a process located in the "C:\Users\Public" folder. Attacker are known to drop their malicious payloads and malware in this directory as its writable by everyone. Use this rule to hunt for potential suspicious or uncommon activity in your environement.

T1105
Sigmamedium

Network Connection Initiated To AzureWebsites.NET By Non-Browser Process

Detects an initiated network connection by a non browser process on the system to "azurewebsites.net". The latter was often used by threat actors as a malware hosting and exfiltration site.

T1102T1102.001
Sigmamedium

Network Connection Initiated To BTunnels Domains

Detects network connections to BTunnels domains initiated by a process on the system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.

T1567T1572
Sigmamedium

Network Connection Initiated To Cloudflared Tunnels Domains

Detects network connections to Cloudflared tunnels domains initiated by a process on the system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.

T1567T1572
Sigmamedium

Network Connection Initiated To DevTunnels Domain

Detects network connections to Devtunnels domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.

T1567.001T1572
Sigmamedium

Network Connection Initiated To Mega.nz

Detects a network connection initiated by a binary to "api.mega.co.nz". Attackers were seen abusing file sharing websites similar to "mega.nz" in order to upload/download additional payloads.

T1567.002
Sigmalow

Network Connection Initiated To Visual Studio Code Tunnels Domain

Detects network connections to Visual Studio Code tunnel domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.

T1567T1572
Sigmamedium

Network Connection Initiated via Finger.EXE

Detects network connections via finger.exe, which can be abused by threat actors to retrieve remote commands for execution on Windows devices. In one ClickFix malware campaign, adversaries leveraged the finger protocol to fetch commands from a remote server. Since the finger utility is not commonly used in modern Windows environments, its presence already raises suspicion. Investigating such network connections can also help identify potential malicious infrastructure used by threat actors

T1071.004T1059.003
Sigmahigh

Network Connection Initiated Via Notepad.EXE

Detects a network connection that is initiated by the "notepad.exe" process. This might be a sign of process injection from a beacon process or something similar. Notepad rarely initiates a network communication except when printing documents for example.

T1055
Sigmahigh

Network Reconnaissance Activity

Detects a set of suspicious network related commands often used in recon stages

T1087T1082
Sigmahigh
PreviousPage 55 of 137Next