attack.t1082

Redirect Output in CommandLine
level
status experimental

Use of “>” to redirect command output in the command line

Cisco Discovery
level
status test

Finds information about network devices that is not stored in config files

System Information Discovery
level
status stable

Detects system information discovery commands

System Information Discovery
level
status experimental

Detects System Information Discovery commands

Suspicious Query of MachineGUID
level
status experimental

Use of reg to get MachineGuid information
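The rule above flags reg.exe reading the MachineGuid value. As an added illustration (not the Sigma project's code), the block below implements the same selection logic as a small matcher and runs it over constructed process-creation events. The selection criteria (Image ending in \reg.exe, CommandLine containing both SOFTWARE\Microsoft\Cryptography and MachineGuid, case-insensitive) and all event records are assumptions made for the example.

```python
"""Toy matcher for a Sigma-style 'Suspicious Query of MachineGUID' rule.

Added example; it is not the Sigma project's own code. The rule fields and the
sample events below are constructed for illustration.
"""
from typing import Dict, List

# Assumed selection, written the way a Sigma process_creation rule expresses it:
# Image ends with "\reg.exe" and CommandLine contains both markers. Sigma string
# modifiers are case-insensitive, so matching is done on casefolded text.
RULE = {
    "title": "Suspicious Query of MachineGUID",
    "image_endswith": r"\reg.exe",
    "cmdline_contains_all": [r"SOFTWARE\Microsoft\Cryptography", "MachineGuid"],
}

# Constructed process-creation events (not real telemetry).
EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg query HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid"},
    {"EventID": "2", "Image": r"C:\WINDOWS\SYSTEM32\REG.EXE",
     "CommandLine": r'REG QUERY "hklm\software\microsoft\cryptography" /v machineguid'},
    {"EventID": "3", "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion /v ProductName"},
    {"EventID": "4", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c reg query HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid"},
    {"EventID": "5", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -c (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Cryptography).MachineGuid"},
]


def matches(event: Dict[str, str], rule: Dict = RULE) -> bool:
    """Return True when the event satisfies every condition of the selection."""
    image = event.get("Image", "").casefold()
    cmdline = event.get("CommandLine", "").casefold()
    if not image.endswith(rule["image_endswith"].casefold()):
        return False
    return all(marker.casefold() in cmdline for marker in rule["cmdline_contains_all"])


def matching_event_ids(events: List[Dict[str, str]], rule: Dict = RULE) -> List[str]:
    """Run the selection over a list of events and return the IDs that fire."""
    return [ev["EventID"] for ev in events if matches(ev, rule)]


if __name__ == "__main__":
    for ev in EVENTS:
        verdict = "ALERT" if matches(ev) else "ok"
        print(f"{verdict:5} EventID={ev['EventID']} {ev['CommandLine']}")
```

Events 1 and 2 fire; event 3 reads a different key, and events 4 and 5 show the rule's scope: the cmd.exe wrapper is not matched itself (the reg.exe child it spawns produces its own event that is), and a PowerShell registry read uses a different image and is not covered by a reg.exe-only selection.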

Network Reconnaissance Activity
level
status experimental

Detects a set of suspicious network related commands often used in recon stages

Domain User Enumeration Network Recon 01
level
status experimental

Domain user and group enumeration via network reconnaissance, as seen with APT29 and other actors. Detects a set of RPC (remote procedure call) operations used to enumerate a domain controller. The rule was created based on the datasets and hackathon from https://github.com/OTRF/detection-hackathon-apt29
