EXPLORE DETECTIONS

3,252 detections found
NTFS Vulnerability Exploitation

Detects the exploitation of an NTFS vulnerability, reported without many details via Twitter.

T1499.001
Sigma | high

NTLM Brute Force

Detects common NTLM brute force device names

T1110
Sigma | medium

NTLM Logon

Detects logons using NTLM, which could be caused by a legacy source or attackers

T1550.002
Sigma | low

NTLMv1 Logon Between Client and Server

Detects the reporting of NTLMv1 being used between a client and server. NTLMv1 is insecure as the underlying encryption algorithms can be brute-forced by modern hardware.

T1550.002
Sigma | medium

Number Of Resource Creation Or Deployment Activities

Detects the number of VM creations or deployment activities occurring in Azure via the azureactivity log.

T1098
Sigma | medium

Obfuscated IP Download Activity

Detects use of an encoded/obfuscated version of an IP address (hex, octal, etc.) in a URL combined with a download command.

Sigma | medium

Obfuscated IP Via CLI

Detects usage of an encoded/obfuscated version of an IP address (hex, octal, etc.) via command line

Sigma | medium

Obfuscated PowerShell MSI Install via WindowsInstaller COM

Detects the execution of obfuscated PowerShell commands that attempt to install MSI packages via the Windows Installer COM object (`WindowsInstaller.Installer`). The technique involves manipulating strings to hide functionality, such as constructing class names using string insertion (e.g., 'indowsInstaller.Installer'.Insert(0,'W')) and correcting malformed URLs (e.g., converting 'htps://' to 'https://') at runtime. This behavior is commonly associated with malware loaders or droppers that aim to bypass static detection by hiding intent in runtime-generated strings and using legitimate tools for code execution. The use of `InstallProduct` and COM object creation, particularly combined with hidden window execution and suppressed UI, indicates an attempt to install software (likely malicious) without user interaction.

T1027.010, T1218.007, T1059.001
Sigma | high

Obfuscated PowerShell OneLiner Execution

Detects the execution of a specific one-liner that downloads and executes PowerShell modules in memory.

T1059.001, T1562.001
Sigma | high

Octopus Scanner Malware

Detects Octopus Scanner Malware.

T1195, T1195.001
Sigma | high

Odbcconf.EXE Suspicious DLL Location

Detects execution of "odbcconf" where the path of the DLL being registered is located in a potentially suspicious location.

T1218.008
Sigma | high

Office Application Initiated Network Connection Over Uncommon Ports

Detects an Office suite application (Word, Excel, PowerPoint, Outlook) communicating with target systems over uncommon ports.

Sigma | medium

Office Application Initiated Network Connection To Non-Local IP

Detects an Office application (Word, Excel, PowerPoint) that initiates a network connection to a non-private IP address. This rule aims to detect traffic similar to that seen in the exploitation of CVE-2021-42292. This rule will require an initial baseline and tuning specific to your organization.

T1203
Sigma | medium

Office Application Startup - Office Test

Detects the addition of the Office Test registry key, which allows a user to specify an arbitrary DLL that will be executed every time an Office application is started.

T1137.002
Sigma | medium

Office Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

T1547.001
Sigma | medium

Office Macro File Creation

Detects the creation of new Office macro files on the system.

T1566.001
Sigma | low

Office Macro File Creation From Suspicious Process

Detects the creation of an Office macro file from a suspicious process.

T1566.001
Sigma | high

Office Macro File Download

Detects the creation of a new office macro files on the system via an application (browser, mail client). This can help identify potential malicious activity, such as the download of macro-enabled documents that could be used for exploitation.

T1566.001
Sigma | low

Office Macros Warning Disabled

Detects registry changes to Microsoft Office "VBAWarning" to a value of "1" which enables the execution of all macros, whether signed or unsigned.

T1112
Sigma | high

Okta Admin Functions Access Through Proxy

Detects access to Okta admin functions through proxy.

Sigma | medium

Okta Admin Role Assigned to an User or Group

Detects when the Administrator role is assigned to a user or group.

T1098.003
Sigma | medium

Okta Admin Role Assignment Created

Detects when a new admin role assignment is created, which could be a sign of privilege escalation or persistence.

Sigma | medium

Okta API Token Created

Detects when an API token is created.

Sigma | medium

Okta API Token Revoked

Detects when an API token is revoked.

Sigma | medium

Page 59 of 136