Sigma Rules
274 rules found for "discovery"
SysKey Registry Keys Access
Detects handle requests and access operations to specific registry keys to calculate the SysKey
DNS Server Discovery Via LDAP Query
Detects DNS server discovery via LDAP query requests from uncommon applications
Suspicious File Access to Browser Credential Storage
Detects file access to browser credential storage paths by non-browser processes, which may indicate credential access attempts. Adversaries may attempt to access browser credential storage to extract sensitive information such as usernames and passwords or cookies. This behavior is often commonly observed in credential stealing malware.
Advanced IP Scanner - File Event
Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
BloodHound Collection Files
Detects default file names outputted by the BloodHound collection tool SharpHound
Potential Initial Access via DLL Search Order Hijacking
Detects attempts to create a DLL file to a known desktop application dependencies folder such as Slack, Teams or OneDrive and by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking.
GatherNetworkInfo.VBS Reconnaissance Script Output
Detects creation of files which are the results of executing the built-in reconnaissance script "C:\Windows\System32\gatherNetworkInfo.vbs".
ADExplorer Writing Complete AD Snapshot Into .dat File
Detects the dual use tool ADExplorer writing a complete AD snapshot into a .dat file. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.
Uncommon Connection to Active Directory Web Services
Detects uncommon network connections to the Active Directory Web Services (ADWS) from processes not typically associated with ADWS management.
Suspicious Network Connection to IP Lookup Service APIs
Detects external IP address lookups by non-browser processes via services such as "api.ipify.org". This could be indicative of potential post compromise internet test activity.
Python Initiated Connection
Detects a Python process initiating a network connection. While this often relates to package installation, it can also indicate a potential malicious script communicating with a C&C server.
Use Get-NetTCPConnection
Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
Potential Active Directory Enumeration Using AD Module - PsModule
Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.
Malicious PowerShell Commandlets - PoshModule
Detects Commandlet names from well-known PowerShell exploitation frameworks
AD Groups Or Users Enumeration Using PowerShell - PoshModule
Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
Use Get-NetTCPConnection - PowerShell Module
Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
Suspicious Get Local Groups Information
Detects the use of PowerShell modules and cmdlets to gather local group information. Adversaries may use local system permission groups to determine which groups exist and which users belong to a particular group such as the local administrators group.
Suspicious Get Information for SMB Share - PowerShell Module
Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
AADInternals PowerShell Cmdlets Execution - PsScript
Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.
Potential Active Directory Enumeration Using AD Module - PsScript
Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.
PowerShell ADRecon Execution
Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7
Get-ADUser Enumeration Using UserAccountControl Flags
Detects AS-REP roasting is an attack that is often-overlooked. It is not very common as you have to explicitly set accounts that do not require pre-authentication.
Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell
Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
Powershell Detect Virtualization Environment
Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox
DirectorySearcher Powershell Exploitation
Enumerates Active Directory to determine computers that are joined to the domain
Active Directory Computers Enumeration With Get-AdComputer
Detects usage of the "Get-AdComputer" to enumerate Computers or properties within Active Directory.
Active Directory Group Enumeration With Get-AdGroup
Detects usage of the "Get-AdGroup" cmdlet to enumerate Groups within Active Directory
Automated Collection Bookmarks Using Get-ChildItem PowerShell
Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.
Security Software Discovery Via Powershell Script
Detects calls to "get-process" where the output is piped to a "where-object" filter to search for security solution processes. Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus
HackTool - WinPwn Execution - ScriptBlock
Detects scriptblock text keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
PowerShell Hotfix Enumeration
Detects call to "Win32_QuickFixEngineering" in order to enumerate installed hotfixes often used in "enum" scripts by attackers
Malicious PowerShell Commandlets - ScriptBlock
Detects Commandlet names from well-known PowerShell exploitation frameworks
Powershell MsXml COM Object
Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code
Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock
Detects the execution of powershell scripts with calls to the "Start-NetEventSession" cmdlet. Which allows an attacker to start event and packet capture for a network event session. Adversaries may attempt to capture network to gather information over the course of an operation. Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol.
Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock
Detects the use of the "Get-ADComputer" cmdlet in order to identify systems which are configured for unconstrained delegation.
Powershell Sensitive File Discovery
Detect adversaries enumerate sensitive files
Detected Windows Software Discovery - PowerShell
Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
AD Groups Or Users Enumeration Using PowerShell - ScriptBlock
Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
Powershell Directory Enumeration
Detects technique used by MAZE ransomware to enumerate directories using Powershell
Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy
Detetcts PowerShell activity in which Get-Addefaultdomainpasswordpolicy is used to get the default password policy for an Active Directory domain.
Suspicious PowerShell Get Current User
Detects the use of PowerShell to identify the current logged user.
Suspicious GPO Discovery With Get-GPO
Detect use of Get-GPO to get one GPO or all the GPOs in a domain.
Suspicious Process Discovery With Get-Process
Get the processes that are running on the local computer.
Suspicious Get Local Groups Information - PowerShell
Detects the use of PowerShell modules and cmdlets to gather local group information. Adversaries may use local system permission groups to determine which groups exist and which users belong to a particular group such as the local administrators group.
Suspicious Get Information for SMB Share
Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Powershell Suspicious Win32_PnPEntity
Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.
User Discovery And Export Via Get-ADUser Cmdlet - PowerShell
Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file
Powershell XML Execute Command
Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code