Sigma Rules
64 rules found
Remote Schedule Task Recon via ITaskSchedulerService
Detects remote RPC calls to read information about scheduled tasks
Remote Printing Abuse for Lateral Movement
Detects remote RPC calls to possibly abuse remote printing service via MS-RPRN / MS-PAR
Remote DCOM/WMI Lateral Movement
Detects remote RPC calls that perform remote DCOM operations. These could be abused for lateral movement via DCOM or WMI.
Remote Registry Lateral Movement
Detects remote RPC calls that modify the registry and could be used to execute code
Remote Registry Recon
Detects remote RPC calls that read the registry to collect information about the host
Remote Server Service Abuse
Detects remote RPC calls to possibly abuse the Server Service via MS-SRVS
Remote Server Service Abuse for Lateral Movement
Detects remote RPC calls to possibly abuse the Encrypting File System service via MS-EFSR
Remote Schedule Task Lateral Movement via SASec
Detects remote RPC calls to create or execute a scheduled task via SASec
Recon Activity via SASec
Detects remote RPC calls to read information about scheduled tasks via SASec
SharpHound Recon Account Discovery
Detects remote RPC calls used by SharpHound to enumerate accounts and local group membership.
SharpHound Recon Sessions
Detects remote RPC calls used by SharpHound to map remote sessions.
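The RPC rules listed above are keyed on the UUID of the RPC interface being called and, where the title separates lateral movement from recon, on the operation number within that interface. The following Python is an added example, not any of the listed rules and not RPC Firewall's own code: the interface UUIDs and the ITaskSchedulerService opnums are taken from the Microsoft MS-TSCH, MS-RPRN, MS-PAR, MS-SRVS, MS-RRP, MS-EFSR, MS-SAMR and MS-DCOM specifications, while the event dictionary, its field names (`interface_uuid`, `opnum`, `client_ip`) and the sample events are constructed for illustration.

```python
"""Constructed illustration of classifying remote RPC calls by interface UUID
and opnum, in the spirit of the rules listed above. Not the Sigma rules
themselves; event format and sample events are made up."""

# Interface UUID (lowercase) -> (protocol, interface), per the MS-* specifications.
INTERFACES = {
    "86d35949-83c9-4044-b424-db363231fd0c": ("MS-TSCH", "ITaskSchedulerService"),
    "378e52b0-c0a9-11cf-822d-00aa0051e40f": ("MS-TSCH", "SASec"),
    "1ff70682-0a51-30e8-076d-740be8cee98b": ("MS-TSCH", "ATSvc"),
    "12345678-1234-abcd-ef00-0123456789ab": ("MS-RPRN", "Print System Remote Protocol"),
    "76f03f96-cdfd-44fc-a22c-64950a001209": ("MS-PAR", "Print System Asynchronous Remote Protocol"),
    "4b324fc8-1670-01d3-1278-5a47bf6ee188": ("MS-SRVS", "Server Service"),
    "338cd001-2244-31f1-aaaa-900038001003": ("MS-RRP", "Remote Registry"),
    "c681d488-d850-11d0-8c52-00c04fd90f7e": ("MS-EFSR", "EFS via \\pipe\\lsarpc"),
    "df1941c5-fe89-4e79-bf10-463657acf44d": ("MS-EFSR", "EFS via \\pipe\\efsrpc"),
    "12345778-1234-abcd-ef00-0123456789ac": ("MS-SAMR", "Security Account Manager"),
    "000001a0-0000-0000-c000-000000000046": ("MS-DCOM", "IRemoteSCMActivator"),
    "4d9f4ab8-7d1c-11cf-861e-0020af6e7c57": ("MS-DCOM", "IActivation"),
}

# ITaskSchedulerService opnums that create, change or run tasks (lateral
# movement) versus opnums that only read them (recon), per MS-TSCH.
TSCH_WRITE_OPNUMS = {
    1: "SchRpcRegisterTask", 3: "SchRpcCreateFolder", 4: "SchRpcSetSecurity",
    12: "SchRpcRun", 13: "SchRpcDelete", 14: "SchRpcRename", 19: "SchRpcEnableTask",
}
TSCH_READ_OPNUMS = {
    2: "SchRpcRetrieveTask", 6: "SchRpcEnumFolders", 7: "SchRpcEnumTasks",
    17: "SchRpcGetTaskInfo",
}

LOOPBACK = {"127.0.0.1", "::1"}


def classify(event):
    """Map one constructed event {"interface_uuid", "opnum", "client_ip"} to
    (protocol, interface, verdict), or None when the call is local or hits an
    interface none of the rules care about. Only the scheduler interface is
    split by opnum here; the other interfaces are flagged by UUID alone, which
    is also how the coarser rules in the listing work."""
    if event.get("client_ip") in LOOPBACK:
        return None  # the rules are about *remote* callers
    uuid = event["interface_uuid"].lower()
    if uuid not in INTERFACES:
        return None
    proto, iface = INTERFACES[uuid]
    opnum = event.get("opnum")
    if iface == "ITaskSchedulerService":
        if opnum in TSCH_WRITE_OPNUMS:
            verdict = "lateral movement (%s)" % TSCH_WRITE_OPNUMS[opnum]
        elif opnum in TSCH_READ_OPNUMS:
            verdict = "recon (%s)" % TSCH_READ_OPNUMS[opnum]
        else:
            verdict = "unclassified opnum %s" % opnum
    else:
        verdict = "remote call to %s %s" % (proto, iface)
    return proto, iface, verdict


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"interface_uuid": "86D35949-83C9-4044-B424-DB363231FD0C", "opnum": 1, "client_ip": "10.0.0.9"},
    {"interface_uuid": "86d35949-83c9-4044-b424-db363231fd0c", "opnum": 7, "client_ip": "10.0.0.9"},
    {"interface_uuid": "4b324fc8-1670-01d3-1278-5a47bf6ee188", "opnum": 15, "client_ip": "10.0.0.9"},
    {"interface_uuid": "4b324fc8-1670-01d3-1278-5a47bf6ee188", "opnum": 15, "client_ip": "127.0.0.1"},
    {"interface_uuid": "00000000-0000-0000-0000-000000000000", "opnum": 0, "client_ip": "10.0.0.9"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["client_ip"], ev["opnum"], classify(ev))
```

Matching on the interface UUID alone is deliberately noisy for MS-SRVS and MS-RRP, since legitimate administration uses them constantly; in practice the verdict is narrowed with the opnum, the calling account and an allowlist of management hosts, which is why the listing separates "recon" from "lateral movement" variants of the same interface.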
Ruby on Rails Framework Exceptions
Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts
Spring Framework Exceptions
Detects suspicious Spring framework exceptions that could indicate exploitation attempts
Potential SpEL Injection In Spring Framework
Detects potential SpEL Injection exploitation, which may lead to RCE.
Suspicious SQL Error Messages
Detects SQL error messages that indicate probing for a SQL injection vulnerability
Potential Server Side Template Injection In Velocity
Detects exceptions from the Velocity template renderer. These most likely result from rendering user input as a template dynamically, which may lead to RCE.
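The web-application rules listed above (SQL error messages, Spring and SpEL exceptions, Velocity exceptions) are keyword matches over web server and application log lines. The Python below is an added example of that approach, not any of the listed rules and not code from the Sigma project: the signature strings are well-known database error messages and the Spring/Velocity exception class names, chosen here as illustrations rather than copied from the rules, and the log lines are constructed.

```python
"""Constructed illustration of keyword-based matching over web and application
logs, in the spirit of the SQL error / Spring / Velocity rules above. Not the
Sigma rules themselves; signature lists are illustrative and the log lines are
made up."""

# Illustrative rule name -> substrings that indicate probing or a failed payload.
SIGNATURES = {
    "Suspicious SQL Error Messages": [
        "You have an error in your SQL syntax",                 # MySQL / MariaDB
        "Unclosed quotation mark after the character string",  # Microsoft SQL Server
        "quoted string not properly terminated",               # Oracle ORA-01756
        "syntax error at or near",                             # PostgreSQL
    ],
    "Potential SpEL Injection In Spring Framework": [
        "T(java.lang.Runtime)",          # SpEL type reference used to reach exec()
        "T(java.lang.ProcessBuilder)",
        "org.springframework.expression.spel.SpelEvaluationException",
        "org.springframework.expression.spel.SpelParseException",
    ],
    "Potential Server Side Template Injection In Velocity": [
        "org.apache.velocity.exception.ParseErrorException",
        "org.apache.velocity.exception.MethodInvocationException",
        "org.apache.velocity.exception.ResourceNotFoundException",
    ],
}

# Pre-lowercase once; matching is case-insensitive like Sigma keyword lists.
_LOWERED = {name: [n.lower() for n in needles] for name, needles in SIGNATURES.items()}


def match_line(line):
    """Return the names of every signature group that fires on one log line.
    A single line can trigger several rules, e.g. a SpEL payload in the request
    plus the resulting Spring exception."""
    low = line.lower()
    return [name for name, needles in _LOWERED.items() if any(n in low for n in needles)]


def scan(lines):
    """Run every group over an iterable of log lines; return (index, hits)
    for lines with at least one hit, in log order."""
    results = []
    for i, line in enumerate(lines):
        hits = match_line(line)
        if hits:
            results.append((i, hits))
    return results


# Constructed sample lines (not real traffic): an access log, an error log
# and an application log interleaved as a SIEM would see them.
SAMPLE_LOG = [
    "10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] \"GET /item?id=1 HTTP/1.1\" 200 512",
    "10.0.0.5 - - [12/Mar/2024:10:01:05 +0000] \"GET /item?id=1' HTTP/1.1\" 500 1203 "
    "\"You have an error in your SQL syntax; check the manual\"",
    "ERROR o.s.w.s.DispatcherServlet - org.springframework.expression.spel."
    "SpelEvaluationException: EL1008E: Property or field 'x' cannot be found",
    "ERROR render failed: org.apache.velocity.exception.ParseErrorException: "
    "Encountered \"#\" at line 1, column 12",
    "10.0.0.7 - - [12/Mar/2024:10:02:00 +0000] \"GET /search?q=T(java.lang.Runtime)"
    ".getRuntime() HTTP/1.1\" 200 88",
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_LOG):
        print(index, hits, SAMPLE_LOG[index][:70])
```

Two caveats a practitioner would want: the error-message group only fires when the application echoes database errors to a log or response, so it misses blind injection entirely, and the SpEL payload strings catch the obvious `T(...)` form but not encoded or concatenated variants, which is why the listed rules are labelled "potential" and are meant to prompt a look at the surrounding requests rather than to stand alone.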