EXPLORE DETECTIONS

3,252 detections found

Password Policy Enumerated

Detects when the password policy is enumerated.

T1201
Sigma · medium

Password Protected Compressed File Extraction Via 7Zip

Detects usage of the 7-Zip utilities (7z.exe, 7za.exe and 7zr.exe) to extract password-protected archives such as ZIP files.

T1560.001
Sigma · low
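The rule above is described only in prose, so here is an added example (written for this page, not the SigmaHQ rule itself) that applies the described logic to constructed process-creation events: the image must be one of the three 7-Zip binaries, the first argument must be an extraction command (`x` or `e`), and a `-p<password>` switch must be present. The events and the exact matching conditions are this example's assumptions; the real rule may differ in its field choices and filters.

```python
import ntpath
import shlex

# Constructed sample process-creation events (Sysmon Event ID 1 style fields);
# these are made up for the example, not real telemetry.
SEVENZIP_EVENTS = [
    {"Image": r"C:\Program Files\7-Zip\7z.exe",
     "CommandLine": r'"C:\Program Files\7-Zip\7z.exe" x -pInfected123 C:\Users\bob\Downloads\invoice.zip -oC:\Users\bob\AppData\Local\Temp'},
    {"Image": r"C:\Tools\7za.exe",
     "CommandLine": r'7za.exe e "-pSpring 2024" archive.7z'},
    {"Image": r"C:\Program Files\7-Zip\7z.exe",
     "CommandLine": r'7z.exe a -pS3cret backup.7z C:\data'},  # creating an archive, not extracting
    {"Image": r"C:\Program Files\7-Zip\7z.exe",
     "CommandLine": r'7z.exe x update.zip'},                  # extraction without a password
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c 7z.exe x -pfoo a.zip'},     # parent shell; the 7z child is its own event
]

SEVENZIP_IMAGES = {"7z.exe", "7za.exe", "7zr.exe"}
EXTRACT_COMMANDS = {"x", "e"}   # x = extract with paths, e = extract flat; a/l/t/u are not extraction


def split_windows_cmdline(cmdline):
    """Split a Windows command line on whitespace, keeping backslashes literal
    and treating "quoted args" as one token (surrounding quotes stripped)."""
    return [tok.strip('"') for tok in shlex.split(cmdline, posix=False)]


def detect_7zip_password_extraction(event):
    """Return a hit dict if the event is a 7-Zip extraction carrying a -p<password> switch, else None."""
    image = ntpath.basename(event.get("Image", "")).lower()
    if image not in SEVENZIP_IMAGES:
        return None
    args = split_windows_cmdline(event.get("CommandLine", ""))
    if len(args) < 2 or args[1].lower() not in EXTRACT_COMMANDS:
        return None
    # 7-Zip takes the password glued to the switch (-pSecret); a bare -p prompts interactively.
    password_switches = [a for a in args[2:] if a.lower().startswith("-p")]
    if not password_switches:
        return None
    positional = [a for a in args[2:] if not a.startswith("-")]
    return {
        "rule": "Password Protected Compressed File Extraction Via 7Zip",
        "level": "low",
        "image": image,
        "archive": positional[0] if positional else None,
        "password_on_cmdline": any(len(a) > 2 for a in password_switches),
    }


def run_7zip_rule(events):
    """Evaluate every event and return only the hits, in input order."""
    return [hit for hit in map(detect_7zip_password_extraction, events) if hit]


if __name__ == "__main__":
    for hit in run_7zip_rule(SEVENZIP_EVENTS):
        print(hit)
```

The level is low for a reason: administrators and backup jobs extract password-protected archives too. The hit gains weight when the archive path sits under a user's Downloads or a mail client's temp folder, which is what the "Password Protected ZIP File Opened" rules on this page key on.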

Password Protected ZIP File Opened

Detects the extraction of password-protected ZIP archives. See the filename variable for more details on which file has been opened.

T1027
Sigma · medium

Password Protected ZIP File Opened (Email Attachment)

Detects the extraction of password-protected ZIP archives delivered as email attachments. See the filename variable for more details on which file has been opened.

T1027, T1566.001
Sigma · high

Password Protected ZIP File Opened (Suspicious Filenames)

Detects the extraction of password-protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.

T1027, T1105, T1036
Sigma · high

Password Provided In Command Line Of Net.EXE

Detects when net.exe is called with a password on the command line.

T1021.002, T1078
Sigma · medium
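As an added example (this page's own text does not carry the rule body, and this is not the SigmaHQ implementation), the following evaluates the `net use` form of the rule over constructed process-creation events: whatever positional argument is left after the device name and the UNC path is the clear-text password. Scoping to the `use` subcommand, the simplified device-name pattern, and the sample events are assumptions of this example; `net user <name> <password> /add` also carries a password but belongs to an account-creation rule, so it is treated as a non-match here.

```python
import ntpath
import re
import shlex

# Constructed sample process-creation events (Sysmon Event ID 1 style fields); made up, not real telemetry.
NET_EVENTS = [
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net use \\fileserver01\C$ /user:CORP\svc_backup Winter2024!"},
    {"Image": r"C:\Windows\System32\net1.exe",
     "CommandLine": r'net1 use Z: \\fileserver01\share "P@ss word" /user:bob /persistent:no'},
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net use \\fileserver01\share /user:CORP\alice *"},  # '*' makes net prompt for the password
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net use Z: /delete"},                               # no credentials at all
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net user svc_deploy Summer2024! /add"},              # a password, but account creation: different rule
]

NET_IMAGES = {"net.exe", "net1.exe"}
# Device names 'net use' accepts positionally: drive letters and LPTn:/COMn: ports (simplified for the example).
DEVICE_RE = re.compile(r"^([A-Za-z]|LPT\d|COM\d):$", re.IGNORECASE)


def split_windows_cmdline(cmdline):
    """Windows-style split: backslashes stay literal, "quoted args" become one token without the quotes."""
    return [tok.strip('"') for tok in shlex.split(cmdline, posix=False)]


def detect_net_use_password(event):
    """Return a hit if this is 'net use' with a clear-text password as a positional argument, else None."""
    image = ntpath.basename(event.get("Image", "")).lower()
    if image not in NET_IMAGES:
        return None
    args = split_windows_cmdline(event.get("CommandLine", ""))
    if len(args) < 2 or args[1].lower() != "use":
        return None
    switches = [a for a in args[2:] if a.startswith("/")]
    positional = [a for a in args[2:] if not a.startswith("/")]
    # Syntax: net use [devicename | *] [\\server\share [password | *]] [/user:...]
    # Anything positional that is neither a device nor a UNC path nor the '*' prompt marker is the password.
    secrets = [a for a in positional
               if not (DEVICE_RE.match(a) or a.startswith("\\\\") or a == "*")]
    if not secrets:
        return None
    user = next((s.split(":", 1)[1] for s in switches if s.lower().startswith("/user:")), None)
    share = next((a for a in positional if a.startswith("\\\\")), None)
    return {
        "rule": "Password Provided In Command Line Of Net.EXE",
        "level": "medium",
        "image": image,
        "user": user,
        "share": share,
        # Attach a redacted command line to the alert so the secret is not copied into the SIEM in clear text.
        "command_line": event["CommandLine"].replace(secrets[0], "<redacted>"),
    }


def run_net_rule(events):
    return [hit for hit in map(detect_net_use_password, events) if hit]


if __name__ == "__main__":
    for hit in run_net_rule(NET_EVENTS):
        print(hit)
```

Two practical notes: the password is already sitting in the raw process-creation log (Sysmon or 4688 with command-line auditing), so redaction at alert time limits spread rather than preventing it; and net.exe hands most subcommands to net1.exe, so expect the same command line twice, once per image, and dedupe on the parent/child relationship.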

Password Reset By User Account

Detects when a user has reset their password in Azure AD.

T1078.004
Sigma · medium

Password Set to Never Expire via WMI

Detects the use of wmic.exe to modify user account settings and explicitly disable password expiration.

T1047, T1098
Sigma · medium

Password Spray Activity

Indicates that a password spray attack has been successfully performed.

T1110
Sigma · high

Path To Screensaver Binary Modified

Detects modification of the registry value that holds the path to the binary used as the screensaver.

T1546.002
Sigma · medium

Path Traversal Exploitation Attempts

Detects path traversal exploitation attempts.

T1190
Sigma · medium

Payload Decoded and Decrypted via Built-in Utilities

Detects when a built-in utility is used to decode and decrypt a payload after a macOS disk image (DMG) is executed. Malware authors may attempt to evade detection and trick users into executing malicious code by encoding and encrypting their payload and placing it in a disk image file. This behavior is consistent with adware or malware families such as Bundlore and Shlayer.

T1059, T1204, T1140, S0482, S0402
Sigma · medium

PCRE.NET Package Image Load

Detects processes loading modules related to the PCRE.NET package.

T1059
Sigma · high

PCRE.NET Package Temp Files

Detects processes creating temp files related to the PCRE.NET package.

T1059
Sigma · high

PDF File Created By RegEdit.EXE

Detects the creation of a file with the ".pdf" extension by the "RegEdit.exe" process. This indicates that a user is trying to print/save a registry key as a PDF in order to potentially extract sensitive information and bypass defenses.

Sigma · high

PDQ Deploy Remote Administration Tool Execution

Detects use of the PDQ Deploy remote administration tool.

T1072
Sigma · medium

Periodic Backup For System Registry Hives Enabled

Detects the enabling of the "EnablePeriodicBackup" registry value. Once enabled, the OS backs up the system registry hives on restart to the "C:\Windows\System32\config\RegBack" folder, and Windows creates a "RegIdleBackup" scheduled task to manage subsequent backups. Registry backup used to be default behavior on Windows and was disabled as of Windows 10, version 1803.

T1113
Sigma · medium

Perl Inline Command Execution

Detects execution of perl with the "-e" or "-E" flag. This could be used to launch a reverse shell or execute Perl code supplied inline on the command line.

T1059
Sigma · medium

Permission Check Via Accesschk.EXE

Detects usage of the "Accesschk" utility, an access and privilege audit tool from Sysinternals that is often abused by attackers to check process privileges.

T1069.001
Sigma · medium

Permission Misconfiguration Reconnaissance Via Findstr.EXE

Detects usage of findstr with the "EVERYONE" or "BUILTIN" keywords. This has been seen in combination with "icacls" and other utilities to spot misconfigured file or folder permissions.

T1552.006
Sigma · medium

Persistence and Execution at Scale via GPO Scheduled Task

Detects lateral movement via a GPO-deployed scheduled task, commonly used to deploy ransomware at scale.

T1053.005
Sigma · high

Persistence Via Cron Files

Detects creation of a cron file, or of files in cron directories, which could indicate persistence.

T1053.003
Sigma · medium

Persistence Via Disk Cleanup Handler - Autorun

Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun. The disk cleanup manager is part of the operating system. It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI. Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications. Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler. Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.

Sigma · medium
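Three rules on this page ("Path To Screensaver Binary Modified", "Periodic Backup For System Registry Hives Enabled" and the Disk Cleanup handler autorun rule above) all key on a registry value being set, so here is one added example (written for this page, not the SigmaHQ rules) that runs all three over constructed Sysmon Event ID 13 (SetValue) records. Assumptions of the example: the value paths as documented by Microsoft, Sysmon's "DWORD (0x00000001)" rendering of numeric values, and the filter that treats a `.scr` under `C:\Windows\System32\` as a stock screensaver. The sample events are made up.

```python
import re

# Constructed Sysmon Event ID 13 (RegistryEvent - SetValue) samples; made up for the example, not real telemetry.
REG_EVENTS = [
    {"EventType": "SetValue",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Session Manager\Configuration Manager\EnablePeriodicBackup",
     "Details": "DWORD (0x00000001)"},
    {"EventType": "SetValue",
     "TargetObject": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001\Control Panel\Desktop\SCRNSAVE.EXE",
     "Details": r"C:\Users\bob\AppData\Roaming\updater.scr"},
    {"EventType": "SetValue",
     "TargetObject": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001\Control Panel\Desktop\SCRNSAVE.EXE",
     "Details": r"C:\Windows\System32\Bubbles.scr"},          # a stock screensaver: not suspicious
    {"EventType": "SetValue",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Updater Cache\Autorun",
     "Details": "DWORD (0x00000001)"},
    {"EventType": "SetValue",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Session Manager\Configuration Manager\EnablePeriodicBackup",
     "Details": "DWORD (0x00000000)"},                          # explicitly disabled: no hit
    {"EventType": "SetValue",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},  # other rules' business
]

DWORD_RE = re.compile(r"^DWORD \(0x([0-9A-Fa-f]{8})\)$")


def dword_value(details):
    """Parse Sysmon's 'DWORD (0x00000001)' rendering; None if the written value is not a DWORD."""
    m = DWORD_RE.match(details or "")
    return int(m.group(1), 16) if m else None


def is_nonzero_dword(details):
    v = dword_value(details)
    return v is not None and v != 0


def is_unusual_screensaver(details):
    # Example assumption: stock screensavers are .scr files under System32; anything else deserves a look.
    path = (details or "").strip('"').lower()
    return not (path.startswith("c:\\windows\\system32\\") and path.endswith(".scr"))


# Each rule: a predicate on the lower-cased TargetObject plus a predicate on the Details that were written.
REGISTRY_RULES = [
    {"rule": "Periodic Backup For System Registry Hives Enabled", "level": "medium",
     "key": lambda k: k.endswith(r"\control\session manager\configuration manager\enableperiodicbackup"),
     "details": is_nonzero_dword},
    {"rule": "Path To Screensaver Binary Modified", "level": "medium",
     "key": lambda k: k.endswith(r"\control panel\desktop\scrnsave.exe"),
     "details": is_unusual_screensaver},
    {"rule": "Persistence Via Disk Cleanup Handler - Autorun", "level": "medium",
     "key": lambda k: "\\explorer\\volumecaches\\" in k and k.endswith("\\autorun"),
     "details": is_nonzero_dword},
]


def evaluate_registry_event(event):
    """Return the names of the rules a single SetValue event triggers."""
    if event.get("EventType") != "SetValue":
        return []
    key = event.get("TargetObject", "").lower()
    details = event.get("Details")
    return [r["rule"] for r in REGISTRY_RULES if r["key"](key) and r["details"](details)]


def run_registry_rules(events):
    """Evaluate all events; returns (rule name, TargetObject) pairs in input order."""
    return [(rule, ev["TargetObject"]) for ev in events for rule in evaluate_registry_event(ev)]


if __name__ == "__main__":
    for rule, target in run_registry_rules(REG_EVENTS):
        print(f"{rule}: {target}")
```

Matching on the lower-cased key suffix rather than the full path keeps the rules working whether the telemetry renders the hive as `HKLM`/`HKU` or as `\REGISTRY\MACHINE`, and checking the DWORD value rather than just the key name is what separates "enabled" from an administrator switching the backup off.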

Persistence Via Hhctrl.ocx

Detects when an attacker modifies the registry value of "hhctrl" to point to a custom binary.

Sigma · high

Page 63 of 136