
EXPLORE DETECTIONS

3,256 detections found

Renamed NirCmd.EXE Execution

Detects the execution of a renamed "NirCmd.exe" binary based on the PE metadata fields.

T1059, T1202
Sigma (high)

Renamed Office Binary Execution

Detects the execution of a renamed office binary

T1036.003
Sigma (high)

Renamed PAExec Execution

Detects execution of a renamed version of PAExec, which is often used by attackers.

T1202
Sigma (high)

Renamed PingCastle Binary Execution

Detects the execution of a renamed "PingCastle" binary based on the PE metadata fields.

T1059, T1202
Sigma (high)

Renamed Plink Execution

Detects the execution of a renamed version of the Plink binary

T1036
Sigma (high)

Renamed Powershell Under Powershell Channel

Detects a renamed Powershell execution, which is a common technique used to circumvent security controls and bypass detection logic that's dependent on process names and process paths.

T1059.001, T1036.003
Sigma (low)

Renamed ProcDump Execution

Detects the execution of a renamed ProcDump executable. This is often done by attackers or malware in order to evade defensive mechanisms.

T1036.003
Sigma (high)

Renamed PsExec Service Execution

Detects the suspicious launch of a renamed version of the PSEXESVC service, which is not often done by legitimate administrators.

Sigma (high)

Renamed Remote Utilities RAT (RURAT) Execution

Detects execution of a renamed Remote Utilities (RURAT) binary via the Product PE header field.

S0592
Sigma (medium)

Renamed Schtasks Execution

Detects the execution of a renamed schtasks.exe binary, a legitimate Windows utility used for scheduling tasks. Scheduling malicious tasks with schtasks.exe is one of the most common persistence techniques. Because it is heavily abused, it is also heavily monitored by security products, so threat actors may rename the schtasks.exe binary to schedule their malicious tasks without being detected.

T1036.003, T1053.005
Sigma (high)

Renamed SysInternals DebugView Execution

Detects suspicious execution of a renamed SysInternals DebugView binary.

T1588.002
Sigma (high)

Renamed Sysinternals Sdelete Execution

Detects the use of a renamed SysInternals Sdelete binary; renaming the tool is not something a legitimate administrator would normally do.

T1485
Sigma (high)

Renamed Visual Studio Code Tunnel Execution

Detects renamed Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel.

T1071.001, T1219
Sigma (high)

Renamed Vmnat.exe Execution

Detects a renamed vmnat.exe or a portable version of it that can be used for DLL side-loading.

T1574.001
Sigma (high)

Renamed VsCode Code Tunnel Execution - File Indicator

Detects the creation of a file named "code_tunnel.json" by an "Image" or "Process" other than VsCode, which indicates execution and usage of the VsCode tunneling utility.

Sigma (high)

Renamed Whoami Execution

Detects the execution of whoami that has been renamed to a different name to avoid detection.

T1033
Sigma (critical)

Renamed ZOHO Dctask64 Execution

Detects a renamed "dctask64.exe" execution, a binary signed by ZOHO Corporation that is part of ManageEngine Endpoint Central. This binary can be abused for DLL injection and arbitrary command and process execution.

T1036, T1055.001, T1202, T1218
Sigma (high)

Replace Desktop Wallpaper by Powershell

An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users. This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper.

T1491.001
Sigma (low)

Replace.exe Usage

Detects the use of Replace.exe, which can be used to replace a file with another file.

T1105
Sigma (medium)

Replay Attack Detected

Detects a possible Kerberos replay attack on the domain controllers when a "KRB_AP_ERR_REPEAT" Kerberos response is sent to the client.

T1558
Sigma (high)

Response File Execution Via Odbcconf.EXE

Detects execution of "odbcconf" with the "-f" flag in order to load a response file which might contain a malicious action.

T1218.008
Sigma (medium)

Restore Public AWS RDS Instance

Detects the restoration of a new publicly accessible database instance from a snapshot. It may be part of a data exfiltration attempt.

T1020
Sigma (high)

Restricted Software Access By SRP

Detects access to applications that was blocked by a Software Restriction Policies (SRP) policy.

T1072
Sigma (high)

RestrictedAdminMode Registry Value Tampering

Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system you connect to using Remote Desktop. This prevents your credentials from being harvested during the initial connection process if the remote server has been compromised.

T1112
Sigma (high)