EXPLORE DETECTIONS

3,252 detections found

Potential Attachment Manager Settings Attachments Tamper

Detects tampering with attachment manager settings policies attachments (See reference for more information)

Sigma | Level: high

Potential AutoLogger Sessions Tampering

Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging

Sigma | Level: high

Potential AVKkid.DLL Sideloading

Detects potential DLL sideloading of "AVKkid.dll"

T1574.001
Sigma | Level: medium

Potential Azure Browser SSO Abuse

Detects abuse of Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and the user logs in with their Azure AD account) in order to perform SSO authentication in the browser. An attacker can use this to authenticate to Azure AD in a browser as that user.

T1574.001
Sigma | Level: low

Potential Base64 Decoded From Images

Detects the use of tail to extract bytes at an offset from an image and then decode the base64 value to create a new file with the decoded content. The detected execution is a bash one-liner.

T1140
Sigma | Level: high

Potential Base64 Encoded User-Agent

Detects User Agent strings that end with an equal sign, which can be a sign of base64 encoding.

T1071.001
Sigma | Level: medium

Potential Binary Impersonating Sysinternals Tools

Detects the execution of binaries that use the same name as, or a name similar to, legitimate Sysinternals tools. Adversaries may rename their malicious tools after legitimate Sysinternals tools to evade detection.

T1218, T1202, T1036.005
Sigma | Level: medium

Potential Binary Or Script Dropper Via PowerShell

Detects PowerShell creating a binary executable or a script file.

Sigma | Level: medium

Potential Binary Proxy Execution Via Cdb.EXE

Detects usage of "cdb.exe" to launch arbitrary processes or commands from a debugger script file

T1106, T1218, T1127
Sigma | Level: medium

Potential Binary Proxy Execution Via VSDiagnostics.EXE

Detects execution of "VSDiagnostics.exe" with the "start" command in order to launch and proxy arbitrary binaries.

T1218
Sigma | Level: medium

Potential BOINC Software Execution (UC-Berkeley Signature)

Detects, via binary metadata, the execution of software associated with the University of California, Berkeley. This indicates the software may be BOINC, which can be abused if it runs without authorization.

T1553
Sigma | Level: informational

Potential Browser Data Stealing

Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store.

T1555.003
Sigma | Level: medium

Potential Bucket Enumeration on AWS

Looks for potential enumeration of AWS buckets via ListBuckets.

T1580, T1619
Sigma | Level: low

Potential CCleanerDU.DLL Sideloading

Detects potential DLL sideloading of "CCleanerDU.dll"

T1574.001
Sigma | Level: medium

Potential CCleanerReactivator.DLL Sideloading

Detects potential DLL sideloading of "CCleanerReactivator.dll"

T1574.001
Sigma | Level: medium

Potential Chrome Frame Helper DLL Sideloading

Detects potential DLL sideloading of "chrome_frame_helper.dll"

T1574.001
Sigma | Level: medium

Potential ClickFix Execution Pattern - Registry

Detects potential ClickFix malware execution patterns by monitoring registry modifications to RunMRU keys that contain HTTP/HTTPS links. ClickFix is known to be distributed through phishing campaigns and uses techniques such as clipboard hijacking and fake CAPTCHA pages. Through the fake CAPTCHA pages, the adversary tricks users into opening the Run dialog box and pasting clipboard-hijacked content, such as one-liners that execute remotely hosted malicious files or scripts.

T1204.001
Sigma | Level: high

Potential CobaltStrike Process Patterns

Detects potential process patterns related to Cobalt Strike beacon activity

T1059
Sigma | Level: high

Potential CobaltStrike Service Installations - Registry

Detects known malicious service installations that appear in cases where a Cobalt Strike beacon elevates privileges or performs lateral movement.

T1021.002, T1543.003, T1569.002
Sigma | Level: high

Potential COM Object Hijacking Via TreatAs Subkey - Registry

Detects COM object hijacking via TreatAs subkey

T1546.015
Sigma | Level: medium

Potential COM Objects Download Cradles Usage - Process Creation

Detects usage of COM objects that can be abused to download files in PowerShell by CLSID

T1105
Sigma | Level: medium

Potential COM Objects Download Cradles Usage - PS Script

Detects usage of COM objects that can be abused to download files in PowerShell by CLSID

T1105
Sigma | Level: medium

Potential Command Line Path Traversal Evasion Attempt

Detects potential evasion or obfuscation attempts that use bogus path traversal in the command line

T1036
Sigma | Level: medium

Potential Commandline Obfuscation Using Escape Characters

Detects potential command line obfuscation using known escape characters

T1140
Sigma | Level: medium

Page 66 of 136