Sigma Rules
274 rules found for "discovery"
Shell Execution via Nice - Linux
Detects the use of the "nice" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
Pnscan Binary Data Transmission Activity
Detects command line patterns associated with the use of Pnscan for sending and receiving binary data across the network. This behavior has been identified in a Linux malware campaign targeting Docker, Apache Hadoop, Redis, and Confluence and was previously used by the threat actor known as TeamTNT
PUA - TruffleHog Execution - Linux
Detects execution of TruffleHog, a tool used to search for secrets in different platforms like Git, Jira, Slack, SharePoint, etc. that could be used maliciously. While it is a legitimate tool, intended for use in CI pipelines and security assessments, It was observed in the Shai-Hulud malware campaign targeting npm packages to steal sensitive information.
Linux Remote System Discovery
Detects the enumeration of other remote systems.
Security Software Discovery - Linux
Detects usage of system utilities (only grep and egrep for now) to discover security software
Container Residence Discovery Via Proc Virtual FS
Detects potential container discovery via listing of certain kernel features in the "/proc" virtual filesystem
Docker Container Discovery Via Dockerenv Listing
Detects listing or file reading of ".dockerenv", which can be a sign of potential container discovery
Potential Discovery Activity Using Find - Linux
Detects usage of "find" binary in a suspicious manner to perform discovery
Potential Container Discovery Via Inodes Listing
Detects listing of the inodes of the "/" directory to determine if we are running inside of a container.
Linux Network Service Scanning Tools Execution
Detects execution of network scanning and reconnaissance tools. These tools can be used, for example, for the enumeration of local or remote network services.
System Information Discovery
Detects system information discovery commands
System Network Connections Discovery - Linux
Detects usage of system utilities to discover system network connections
System Network Discovery - Linux
Detects enumeration of local network configuration
Vim GTFOBin Abuse - Linux
Detects the use of "vim" and its sibling commands to execute a shell or proxy commands. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
System Integrity Protection (SIP) Disabled
Detects the use of csrutil to disable System Integrity Protection (SIP). This technique is used in post-exploit scenarios.
System Integrity Protection (SIP) Enumeration
Detects the use of csrutil to view the System Integrity Protection (SIP) status. This technique is used in post-exploit scenarios.
File and Directory Discovery - MacOS
Detects usage of system utilities to discover files and directories
System Information Discovery Using Ioreg
Detects the use of "ioreg" which will show I/O Kit registry information. This process is used for system information discovery. It has been observed in-the-wild by calling this process directly or using bash and grep to look for specific strings.
Local System Accounts Discovery - MacOs
Detects enumeration of local system accounts on MacOS
Local Groups Discovery - MacOs
Detects enumeration of local system groups
MacOS Network Service Scanning
Detects enumeration of local or remote network services.
Network Sniffing - MacOs
Detects the usage of tooling to sniff network traffic. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Macos Remote System Discovery
Detects the enumeration of other remote systems.
Security Software Discovery - MacOs
Detects usage of system utilities (only grep for now) to discover security software
Potential Discovery Activity Using Find - MacOS
Detects usage of "find" binary in a suspicious manner to perform discovery
System Network Discovery - macOS
Detects enumeration of local network configuration
System Information Discovery Using sw_vers
Detects the use of "sw_vers" for system information discovery
System Information Discovery Via Sysctl - MacOS
Detects the execution of "sysctl" with specific arguments that have been used by threat actors and malware. It provides system hardware information. This process is primarily used to detect and avoid virtualization and analysis environments.
System Network Connections Discovery - MacOs
Detects usage of system utilities to discover system network connections
System Information Discovery Using System_Profiler
Detects the execution of "system_profiler" with specific "Data Types" that have been seen being used by threat actors and malware. It provides system hardware and software configuration information. This process is primarily used for system information discovery. However, "system_profiler" can also be used to determine if virtualization software is being run for defense evasion purposes.
Cisco Collect Data
Collect pertinent data from the configuration files
Cisco Discovery
Find information about network devices that is not stored in config files
Cisco Sniffing
Show when a monitor or a span/rspan is setup or modified
PUA - Advanced IP/Port Scanner Update Check
Detect the update check performed by Advanced IP/Port Scanner utilities.
Successful IIS Shortname Fuzzing Scan
When IIS uses an old .NET Framework, it is possible to enumerate folders using the "~" symbol
Path Traversal Exploitation Attempts
Detects path traversal exploitation attempts
Source Code Enumeration Detection by Keyword
Detects source code enumeration that uses GET requests, based on keyword searches in URL strings
Potential Active Directory Reconnaissance/Enumeration Via LDAP
Detects potential Active Directory enumeration via LDAP
Azure AD Health Monitoring Agent Registry Keys Access
This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent. This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.
Azure AD Health Service Agents Registry Keys Access
This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g. AD FS). Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation). This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent. Make sure you set the SACL to propagate to its sub-keys.
AD Privileged Users or Groups Reconnaissance
Detects privileged users or groups reconnaissance based on event ID 4661 and the SIDs of known privileged users or groups
Potential AD User Enumeration From Non-Machine Account
Detects read access to a domain user from a non-machine account
Hacktool Ruler
Detects events that are generated when using the hacktool Ruler by SensePost
Password Policy Enumerated
Detects when the password policy is enumerated.
Windows Pcap Drivers
Detects Windows Pcap driver installation based on a list of associated .sys files.
SAM Registry Hive Handle Request
Detects handles requested to SAM registry hive
SCM Database Handle Failure
Detects non-system users failing to get a handle of the SCM database.
Reconnaissance Activity
Detects activity such as "net user administrator /domain" and "net group domain admins /domain"