EXPLORE

EXPLORE DETECTIONS

🔍
3,281 detections found

Network Sniffing - Linux

Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.

T1040
Sigmalow

Network Sniffing - MacOs

Detects the usage of tooling to sniff network traffic. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.

T1040
Sigmainformational

New Agent Skills Installation Attempt Via Node.EXE

Detects the attempt to install new skills for AI agents using the "npx skills" command. Agent skills enhance AI agents with new capabilities, but attackers may abuse this mechanism to inject malicious commands executed by the agent on behalf of the user. The "npx skills" command can install skills for various agents (e.g., Claude Code, Cursor, and others). Analysts should review any installed skills to verify their legitimacy. Note: Tune this rule based on whether AI agent tooling is allowed in your environment. In environments where such tooling is authorized, this detection may reflect normal activity and the alert level should be adjusted accordingly. In environments where AI agent tooling is not permitted, this activity is likely suspicious and may require immediate investigation.

T1059.007
Sigmamedium

New Application in AppCompat

A General detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint.

T1204.002
Sigmainformational

New AWS Lambda Function URL Configuration Created

Detects when a user creates a Lambda function URL configuration, which could be used to expose the function to the internet and potentially allow unauthorized access to the function's IAM role for AWS API calls. This could give an adversary access to the privileges associated with the Lambda service role that is attached to that function.

Sigmamedium

New BgInfo.EXE Custom DB Path Registry Configuration

Detects setting of a new registry database value related to BgInfo configuration. Attackers can for example set this value to save the results of the commands executed by BgInfo in order to exfiltrate information.

T1112
Sigmamedium

New BgInfo.EXE Custom VBScript Registry Configuration

Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom VBScript via "BgInfo.exe"

T1112
Sigmamedium

New BgInfo.EXE Custom WMI Query Registry Configuration

Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom WMI query via "BgInfo.exe"

T1112
Sigmamedium

New BITS Job Created Via Bitsadmin

Detects the creation of a new bits job by Bitsadmin

T1197
Sigmalow

New BITS Job Created Via PowerShell

Detects the creation of a new bits job by PowerShell

T1197
Sigmalow

New CA Policy by Non-approved Actor

Monitor and alert on conditional access changes.

T1548
Sigmamedium

New Capture Session Launched Via DXCap.EXE

Detects the execution of "DXCap.EXE" with the "-c" flag, which allows a user to launch any arbitrary binary or windows package through DXCap itself. This can be abused to potentially bypass application whitelisting.

T1218
Sigmamedium

New Connection Initiated To Potential Dead Drop Resolver Domain

Detects an executable, which is not an internet browser or known application, initiating network connections to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks. In this context attackers leverage known websites such as "facebook", "youtube", etc. In order to pass through undetected.

T1102T1102.001
Sigmahigh

New Country

Detects sign-ins from new countries. The detection considers past activity locations to determine new and infrequent locations.

T1078
Sigmahigh

New Cron File Created

Detects the creation of cron files in Cron directories, which could indicate potential persistence mechanisms being established by an attacker. Note that not all cron file creations are malicious - legitimate system administration activities and software installations may also create cron files. This detection should be investigated in context, considering factors such as the user creating the file, the timing of creation, and the contents of the cron job. Focus investigation on unexpected cron files created by non-administrative users or during suspicious timeframes. Additionally, it is recommended to review the contents of the newly created cron files to assess their intent. Furthermore, it is suggested to baseline normal cron file creation and apply additional filters to reduce false positives based on the specific environment.

T1053.003
Sigmalow

New Custom Shim Database Created

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.

T1547.009
Sigmamedium

New DLL Added to AppCertDlls Registry Key

Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.

T1546.009
Sigmamedium

New DLL Added to AppInit_DLLs Registry Key

DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll

T1546.010
Sigmamedium

New DLL Registered Via Odbcconf.EXE

Detects execution of "odbcconf" with "REGSVR" in order to register a new DLL (equivalent to running regsvr32). Attackers abuse this to install and run malicious DLLs.

T1218.008
Sigmamedium

New DMSA Service Account Created in Specific OUs

Detects the creation of a dMSASvc account using the New-ADServiceAccount cmdlet in certain OUs. The fact that the Cmdlet is used to create a dMSASvc account in a specific OU is highly suspicious. It is a pattern trying to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025. On top of that, if the user that is creating the dMSASvc account is not a legitimate administrator or does not have the necessary permissions, it is a strong signal of an attempted or successful abuse of the BaDSuccessor vulnerability for privilege escalation within the Windows Server 2025 Active Directory environment.

T1078.002T1098
Sigmamedium

New DNS ServerLevelPluginDll Installed

Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)

T1574.001T1112
Sigmahigh

New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE

Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)

T1574.001T1112
Sigmahigh

New Federated Domain Added

Detects the addition of a new Federated Domain.

T1484.002
Sigmamedium

New Federated Domain Added - Exchange

Detects the addition of a new Federated Domain.

T1136.003
Sigmamedium
PreviousPage 56 of 137Next