Sigma Rules
9 rules found
Hidden Executable In NTFS Alternate Data Stream
Detects the creation of an ADS (Alternate Data Stream) that contains an executable by looking at a non-empty Imphash
Creation Of a Suspicious ADS File Outside a Browser Download
Detects the creation of a suspicious ADS (Alternate Data Stream) file by software other than browsers
Suspicious File Download From File Sharing Websites - File Stream
Detects the download of a suspicious file type from a well-known file and paste sharing domain
Unusual File Download From File Sharing Websites - File Stream
Detects the download of a suspicious file type from a well-known file and paste sharing domain
HackTool Named File Stream Created
Detects the creation of a named file stream with the imphash of a well-known hack tool
Exports Registry Key To an Alternate Data Stream
Exports the target Registry key and hides it in the specified alternate data stream.
Unusual File Download from Direct IP Address
Detects the download of a suspicious file type from URLs with IP
Potential Suspicious Winget Package Installation
Detects potential suspicious winget package installation from a suspicious source.
Potentially Suspicious File Download From ZIP TLD
Detects the download of a file with a potentially suspicious extension from a .zip top-level domain.