attack.collection

Esentutl Steals Browser Information
level
status experimental

One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge using the built-in utility esentutl.exe.

Windows Screen Capture with CopyFromScreen
level
status experimental

Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations.

VeeamBackup Database Credentials Dump
level
status experimental

Detects a dump of credentials from the VeeamBackup dbo database.

Linux Capabilities Discovery
level
status experimental

Detects attempts to discover files with setuid/setgid capabilities set on them. This would allow an adversary to escalate their privileges.

Clipboard Collection with Xclip Tool
level
status experimental

Detects attempts to collect data stored in the clipboard from users with the xclip tool. Xclip has to be installed. Using this rule on servers is highly recommended, due to the high usage of clipboard utilities on user workstations.

Screen Capture with Import Tool
level
status experimental

Detects an adversary creating a screen capture of a desktop with the Import tool. Using this rule on servers is highly recommended, due to the high usage of screenshot utilities on user workstations. ImageMagick must be installed.

Screen Capture with Xwd
level
status experimental

Detects an adversary creating a screen capture of the full screen with xwd. Using this rule on servers is highly recommended, due to the high usage of screenshot utilities on user workstations.

Conti Backup Database
level
status experimental

Detects a command used by Conti to dump a database.

Conti Volume Shadow Listing
level
status experimental

Detects a command used by Conti to exfiltrate NTDS.

Google Full Network Traffic Packet Capture
level
status experimental

Identifies potential full network packet capture in GCP. This feature can potentially be abused to read sensitive data from unencrypted internal traffic.

WinDivert Driver Load
level
status experimental

Detects the load of the WinDivert driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows.

Powershell Keylogging
level
status experimental

Adversaries may log user keystrokes to intercept credentials as the user types them.

Recon Information for Export with Command Prompt
level
status experimental

Once established within a system or network, an adversary may use automated techniques for collecting internal data.

Recon Information for Export with PowerShell
level
status experimental

Once established within a system or network, an adversary may use automated techniques for collecting internal data.

Automated Collection Command Prompt
level
status experimental

Once established within a system or network, an adversary may use automated techniques for collecting internal data.

Automated Collection Command PowerShell
level
status experimental

Once established within a system or network, an adversary may use automated techniques for collecting internal data.

Compress Data and Lock With Password for Exfiltration With 7-ZIP
level
status experimental

An adversary may compress or encrypt data that is collected prior to exfiltration using third-party utilities.

Compress Data and Lock With Password for Exfiltration With WINZIP
level
status experimental

An adversary may compress or encrypt data that is collected prior to exfiltration using third-party utilities.

Use of CLIP
level
status experimental

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

Powershell Local Email Collection
level
status experimental

Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files.

Zip A Folder With PowerShell For Staging In Temp
level
status experimental

Uses living-off-the-land tools to zip a file and stage it in the Windows temporary folder for later exfiltration.

Mavinject Inject DLL Into Running Process
level
status experimental

Injects an arbitrary DLL into a running process specified by process ID. Requires Windows 10.

Copy from Admin Share
level
status test

Detects a suspicious copy command to or from an Admin share.

Cisco Stage Data
level
status test

Various protocols may be used to put data on the device for exfiltration or infiltration.

Cisco Collect Data
level
status test

Collects pertinent data from the configuration files.

Audio Capture via SoundRecorder
level
status test

Detects an attacker collecting audio via the SoundRecorder application.

Audio Capture via PowerShell
level
status test

Detects audio capture via PowerShell Cmdlet.

Data Compressed - rar.exe
level
status test

An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.

Psr.exe Capture Screenshots
level
status test

psr.exe captures desktop screenshots and saves them on the local machine.

Suspicious Compression Tool Parameters
level
status test

Detects suspicious command line arguments of common data compression tools.

iOS Implant URL Pattern
level
status test

Detects the URL pattern used by the iOS Implant.

Suspicious System.Drawing Load
level
status experimental

A general detection for processes loading System.Drawing.ni.dll. This could be an indicator of potential screen capture.

Suspicious Camera and Microphone Access
level
status experimental

Detects processes accessing the camera and microphone from a suspicious folder.

Suspicious Access to Sensitive File Extensions
level
status experimental

Detects known sensitive file extensions accessed on a network share.

Screen Capture - macOS
level
status test

Detects attempts to use screencapture to collect macOS screenshots.

Rar with Password or Compression Level
level
status experimental

Detects the use of rar.exe on the command line to create an archive with password protection or with a specific compression level. This is fairly indicative of malicious activity.

Processes Accessing the Microphone and Webcam
level
status test

Detects potential adversaries accessing the microphone and webcam on an endpoint.

Exchange PowerShell Snap-Ins Used by HAFNIUM
level
status experimental

Detects adding and using Exchange PowerShell snap-ins to export mailbox data, as used by HAFNIUM.

Clipboard Collection of Image Data with Xclip Tool
level
status experimental

Detects attempts to collect image data stored in the clipboard from users with the xclip tool. Xclip has to be installed. Using this rule on servers is highly recommended, due to the high usage of clipboard utilities on user workstations.

AWS EC2 VM Export Failure
level
status experimental

An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.

Audio Capture
level
status experimental

Detects attempts to record audio with the arecord utility.

ADFS Database Named Pipe Connection
level
status experimental

Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database). This is used to access information such as the AD FS configuration settings, which contain sensitive information used to sign SAML tokens.
