Rule Library

Sigma Rules

477 rules found for "François Hubaut"

3,707 Total
3,116 Detection
451 Emerging
137 Hunting
Emerging Threat · high · test

Operation Wocao Activity - Security

Detects activity mentioned in the Operation Wocao report

Windows · security
TA0004 · Privilege Escalation | TA0003 · Persistence | TA0007 · Discovery | T1012 · Query Registry | +7
Florian Roth (Nextron Systems) +1 · Fri Dec 20 2019
Emerging Threat · critical · test

ProxyLogon Reset Virtual Directories Based On IIS Log

Detects, in IIS logs, the reset of Exchange virtual directories performed during ProxyLogon exploitation. The chain starts with an SSRF (CVE-2021-26855) and continues with the post-authentication arbitrary file write CVE-2021-26858, in which virtual directories are manipulated and reset through the Exchange Control Panel in order to write a web shell to disk; this rule looks for those reset requests.

Web Server Log
cve.2021-26858 | detection.emerging-threats | TA0001 · Initial Access | T1190 · Exploit Public-Facing Application
François Hubaut · Tue Aug 10 2021
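Added example, not the Sigma rule's own logic: a small Python scanner that parses IIS W3C log lines and flags the ECP SetObject requests that reset a virtual directory. The endpoint and the query shape ("schema=Reset...VirtualDirectory") are assumptions drawn from the description above, and the log lines are constructed rather than captured.

```python
"""Added example: hunt IIS W3C logs for the Exchange virtual-directory reset
that ProxyLogon exploitation performs. Not the Sigma rule's own logic.

Assumptions (labelled): the reset arrives as a POST to the ECP DDI SetObject
endpoint whose query names a "Reset...VirtualDirectory" schema. The log
lines are constructed, not captured from a real server."""
import re
from dataclasses import dataclass

# Constructed sample: a '#Fields:' header followed by four entries, two of
# which are resets from an external address.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-03-03 10:15:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 10.0.0.20 Mozilla/5.0 200
2021-03-03 10:15:07 10.0.0.5 POST /ecp/DDI/DDIService.svc/SetObject msExchEcpCanary=abc&schema=ResetOABVirtualDirectory 443 - 203.0.113.7 python-requests/2.25 200
2021-03-03 10:15:09 10.0.0.5 POST /ecp/DDI/DDIService.svc/SetObject schema=OABVirtualDirectory&msExchEcpCanary=abc 443 EXCH\\admin 10.0.0.21 Mozilla/5.0 200
2021-03-03 10:16:00 10.0.0.5 POST /ecp/DDI/DDIService.svc/SetObject SCHEMA=ResetVirtualDirectory&x=1 443 - 203.0.113.7 python-requests/2.25 200
"""

ECP_SETOBJECT = "/ecp/ddi/ddiservice.svc/setobject"  # assumed endpoint, compared lower-cased
RESET_VDIR = re.compile(r"schema=reset\w*virtualdirectory", re.IGNORECASE)  # assumed query shape


@dataclass
class Hit:
    when: str
    client_ip: str
    query: str


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the last '#Fields:' header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before any #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip it rather than abort the whole hunt
        yield dict(zip(fields, values))


def find_vdir_resets(text):
    """Return the POST requests that reset an Exchange virtual directory via ECP."""
    hits = []
    for rec in parse_w3c(text):
        if rec["cs-method"].upper() != "POST":
            continue
        if rec["cs-uri-stem"].lower() != ECP_SETOBJECT:
            continue
        if RESET_VDIR.search(rec["cs-uri-query"]):
            hits.append(Hit(f'{rec["date"]} {rec["time"]}', rec["c-ip"], rec["cs-uri-query"]))
    return hits


if __name__ == "__main__":
    for hit in find_vdir_resets(SAMPLE_IIS_LOG):
        print(f"{hit.when} {hit.client_ip} {hit.query}")
```

The non-reset SetObject call from the internal admin is deliberately left out of the results; on a hit, pivot on the client address and look for the file write that follows the reset.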
Emerging Threat · critical · test

CVE-2021-31979 CVE-2021-33771 Exploits

Detects patterns observed in the exploitation of the Windows vulnerabilities CVE-2021-31979 and CVE-2021-33771 and in the DevilsTongue malware used by the threat group Sourgum

Windows · Registry Set
TA0001 · Initial Access | TA0002 · Execution | TA0006 · Credential Access | T1566 · Phishing | +4
Sittikorn S +1 · Fri Jul 16 2021
Emerging Threat · medium · test

Potential CVE-2021-42278 Exploitation Attempt

Detects a potential CVE-2021-42278 (sAMAccountName spoofing) exploitation attempt. An attacker who is allowed to create computer objects (by default, ordinary domain users may create up to MachineAccountQuota = 10 of them) creates a computer account with a password they know and then clears its servicePrincipalName attribute. Because they created the object (CREATOR OWNER), they are granted additional rights on it and can change many of its attributes, including renaming its sAMAccountName to that of a domain controller without the trailing "$".

Windows · system
TA0006 · Credential Access | T1558.003 · Kerberoasting | cve.2021-42278 | detection.emerging-threats
François Hubaut · Wed Dec 15 2021
Emerging Threat · medium · test

Potential CVE-2021-42287 Exploitation Attempt

Detects a potential CVE-2021-42287 (KDC confusion) exploitation attempt, the second half of the chain that starts with CVE-2021-42278. The preparation is the same: the attacker creates a computer object with a password they know, clears its servicePrincipalName attribute and, as CREATOR OWNER, is granted additional rights that allow them to change many of the object's attributes. Once the account has been renamed, the KDC can be tricked into issuing tickets for the spoofed domain controller name.

Windows · system
TA0006 · Credential Access | T1558.003 · Kerberoasting | detection.emerging-threats | cve.2021-42287
François Hubaut · Wed Dec 15 2021
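Added example covering both the CVE-2021-42278 and CVE-2021-42287 entries above, and not the Sigma rules' own logic: a Python correlation over Windows Security events 4741 (computer account created) and 4742 (computer account changed) that scores the preparation both descriptions share, a fresh machine account whose SPNs are cleared and whose sAMAccountName loses its "$". The event field names, the "" / "-" convention for cleared versus unchanged attributes, the DOMAIN_CONTROLLERS inventory and the sample events are all assumptions.

```python
"""Added example: correlate Windows Security events 4741 (computer account
created) and 4742 (computer account changed) to spot the set-up shared by
CVE-2021-42278 and CVE-2021-42287: a freshly created machine account whose
SPNs are cleared and whose sAMAccountName loses its '$'. Not the Sigma rules'
own logic.

Assumptions (labelled): events arrive as dicts with the field names below;
a normaliser writes "" for an attribute that was cleared and "-" for one
that did not change; DOMAIN_CONTROLLERS comes from inventory. The sample
events are constructed."""
from collections import defaultdict

DOMAIN_CONTROLLERS = {"DC01", "DC02"}  # assumed inventory, names without '$'

# Constructed sample: jdoe creates WKS-LAB42$, clears its SPNs and renames it
# to DC01; svc_join creates a machine account and leaves it alone.
SAMPLE_EVENTS = [
    {"EventID": 4741, "Time": "2021-12-15T09:00:00", "SubjectUserName": "jdoe",
     "TargetUserName": "WKS-LAB42$", "ServicePrincipalNames": "HOST/WKS-LAB42"},
    {"EventID": 4742, "Time": "2021-12-15T09:00:05", "SubjectUserName": "jdoe",
     "TargetUserName": "WKS-LAB42$", "ServicePrincipalNames": "", "SamAccountName": "-"},
    {"EventID": 4742, "Time": "2021-12-15T09:00:07", "SubjectUserName": "jdoe",
     "TargetUserName": "WKS-LAB42$", "ServicePrincipalNames": "-", "SamAccountName": "DC01"},
    {"EventID": 4741, "Time": "2021-12-15T09:30:00", "SubjectUserName": "svc_join",
     "TargetUserName": "WKS-0099$", "ServicePrincipalNames": "HOST/WKS-0099"},
]


def find_nopac_setup(events, dcs=DOMAIN_CONTROLLERS):
    """Return one finding per computer account showing the noPac preparation."""
    by_account = defaultdict(list)
    for e in sorted(events, key=lambda e: e["Time"]):
        by_account[e["TargetUserName"]].append(e)

    findings = []
    for account, evs in by_account.items():
        creator = next((e["SubjectUserName"] for e in evs if e["EventID"] == 4741), None)
        spn_cleared = any(e["EventID"] == 4742 and e.get("ServicePrincipalNames") == ""
                          for e in evs)
        renames = [e["SamAccountName"] for e in evs
                   if e["EventID"] == 4742 and e.get("SamAccountName", "-") != "-"]
        # Machine accounts keep a trailing '$'; a rename that drops it is the tell,
        # and a dollar-less name matching a DC is the CVE-2021-42278 spoof itself.
        dollarless = [n for n in renames if not n.endswith("$")]
        spoofs_dc = [n for n in dollarless if n.upper() in dcs]
        if spn_cleared and spoofs_dc:
            level = "high"
        elif spn_cleared and dollarless:
            level = "medium"
        else:
            continue
        findings.append({"account": account, "created_by": creator,
                         "new_names": renames, "level": level})
    return findings


if __name__ == "__main__":
    for f in find_nopac_setup(SAMPLE_EVENTS):
        print(f"[{f['level']}] {f['account']} created by {f['created_by']} "
              f"renamed to {f['new_names']}")
```

The example reads the Security log rather than whatever log source the two rules themselves use; the "medium" tier exists because a computer account renamed to any dollar-less name is already abnormal even when the name does not match a known domain controller.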
Emerging Threat · high · test

Blackbyte Ransomware Registry

Detects specific Windows registry modifications made by BlackByte ransomware variants. BlackByte sets three different registry values to escalate privileges and set the stage for lateral movement and encryption. This rule triggers when any one of those three values is set to DWORD 1; all three should be investigated together as part of a larger BlackByte detection and response effort.

Windows · Registry Set
TA0003 · Persistence | TA0005 · Defense Evasion | T1112 · Modify Registry | detection.emerging-threats
François Hubaut · Mon Jan 24 2021
Emerging Threat · critical · test

Potential Conti Ransomware Activity

Detects a specific command used by the Conti ransomware group

Windows · Process Creation
TA0040 · Impact | S0575 · Conti | T1486 · Data Encrypted for Impact | detection.emerging-threats
François Hubaut · Tue Oct 12 2021
Emerging Threat · high · test

Potential Conti Ransomware Database Dumping Activity Via SQLCmd

Detects a command used by Conti to dump databases via sqlcmd

Windows · Process Creation
TA0009 · Collection | T1005 · Data from Local System | detection.emerging-threats
François Hubaut · Mon Aug 16 2021
Emerging Threat · high · test

Potential CVE-2022-29072 Exploitation Attempt

Detects potential exploitation attempts of CVE-2022-29072, a reported 7-Zip privilege escalation and command execution vulnerability. 7-Zip 21.07 and earlier on Windows was reported to allow privilege escalation and command execution when a file with the .7z extension is dragged to the Help > Contents area, attributed to a misconfiguration of 7z.dll and a heap overflow. The command runs in a child process under the 7zFM.exe process, which is what this rule looks for. Note that the CVE entry is marked as disputed, so treat a hit as a hunting lead rather than as confirmed exploitation.

Windows · Process Creation
TA0002 · Execution | cve.2022-29072 | detection.emerging-threats
François Hubaut · Sun Apr 17 2022
Emerging Threat · high · test

Potential Exploitation of CVE-2024-37085 - Suspicious Creation Of ESX Admins Group

Detects execution of the "net.exe" command to add a group named "ESX Admins". This could indicate a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on a domain-joined ESXi hypervisor: VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named "ESX Admins" to have full administrative access by default.

Windows · Process Creation
TA0002 · Execution | cve.2024-37085 | detection.emerging-threats
François Hubaut · Mon Jul 29 2024
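Added example, not the Sigma rule's own logic: Python detection over process-creation events for the "ESX Admins" group creation described above. It tolerates net1.exe, a renamed net binary (via OriginalFileName), quoting, case and whitespace variations, and deliberately ignores plain queries, deletions and "net localgroup". The event field names and the sample events are assumptions.

```python
"""Added example: flag process-creation events in which net.exe / net1.exe
creates a domain group called "ESX Admins" (the CVE-2024-37085 set-up
described above). Not the Sigma rule's own logic.

Assumptions (labelled): events are dicts with "Image", "CommandLine" and
optionally "OriginalFileName"; the sample events are constructed. Only
"net group ... /add" is matched; "net localgroup" and plain queries of the
group are deliberately ignored."""
import re

# "group" must be its own token (start, whitespace or quote before it), so
# "localgroup" does not match; quotes around the group name are optional.
GROUP_ESX_ADMINS = re.compile(
    r'(?:^|[\s"])group\s+"?\s*esx\s+admins\s*"?(?P<rest>.*)$', re.IGNORECASE)


def is_esx_admins_group_add(cmdline: str) -> bool:
    """True when the command line adds a domain group named 'ESX Admins'."""
    collapsed = " ".join(cmdline.split())  # normalise tabs and repeated spaces
    m = GROUP_ESX_ADMINS.search(collapsed)
    return bool(m) and "/add" in m.group("rest").lower()


def looks_like_net(event) -> bool:
    """net.exe or net1.exe by path, or a renamed copy betrayed by OriginalFileName."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith(("\\net.exe", "\\net1.exe")) or original in ("net.exe", "net1.exe")


def hunt(events):
    """Return the events whose command line adds the ESX Admins group."""
    return [e for e in events
            if looks_like_net(e) and is_esx_admins_group_add(e.get("CommandLine", ""))]


# Constructed sample events (no real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": 'net group "ESX Admins" /add /domain'},                    # hit
    {"Image": r"C:\Windows\System32\net1.exe",
     "CommandLine": r'C:\Windows\System32\net1.exe  group  ESX Admins /ADD'},  # hit: net1, no quotes
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": '"net.exe" group "esx admins" /add'},                      # hit: quoted, lower case
    {"Image": r"C:\Temp\n.exe", "OriginalFileName": "net1.exe",
     "CommandLine": 'n.exe group "ESX Admins" /add /domain'},                  # hit: renamed binary
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": 'net group "ESX Admins"'},                                 # query only
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": 'net group "ESX Admins" /delete'},                         # removal
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": 'net localgroup "ESX Admins" /add'},                       # local, not domain
]

if __name__ == "__main__":
    for e in hunt(SAMPLE_EVENTS):
        print("ESX Admins group creation:", e["CommandLine"])
```

Because any member of a domain group with this name gets full ESXi admin rights, a confirmed hit should be followed by checking group membership in AD and the hypervisor's current admin group setting, not just the creating host.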
Threat Hunt · low · test

Firewall Rule Modified In The Windows Firewall Exception List

Detects when a rule has been modified in the Windows firewall exception list

Windows · firewall-as
TA0005 · Defense Evasion | T1562.004 · Disable or Modify System Firewall | detection.threat-hunting
François Hubaut · Sat Feb 19 · windows
Threat Hunt · low · test

Access To Browser Credential Files By Uncommon Applications

Detects file access requests to browser credential stores by uncommon processes. Could indicate a credential-theft attempt. Requires heavy baselining before use.

Windows · file_access
T1003 · OS Credential Dumping | TA0006 · Credential Access | detection.threat-hunting
François Hubaut +1 · Sat Apr 09 · windows
Threat Hunt · low · test

Access To Windows Outlook Mail Files By Uncommon Applications

Detects file access requests to Windows Outlook Mail files by uncommon processes. Could indicate an attempt to steal or tamper with stored email. Requires heavy baselining before use.

Windows · file_access
T1070.008 · Clear Mailbox Data | TA0005 · Defense Evasion | detection.threat-hunting
François Hubaut · Fri May 10 · windows
Threat Hunt · medium · test

Access To Sysvol Policies Share By Uncommon Process

Detects file access requests to the Windows Sysvol Policies share by uncommon processes

Windows · file_access
TA0006 · Credential Access | T1552.006 · Group Policy Preferences | detection.threat-hunting
François Hubaut · Thu Dec 21 · windows
Threat Hunt · low · test

Access To .Reg/.Hive Files By Uncommon Applications

Detects file access requests to files ending with the ".hive" or ".reg" extension, usually associated with Windows Registry backups.

Windows · file_access
T1112 · Modify Registry | TA0005 · Defense Evasion | TA0003 · Persistence | detection.threat-hunting
François Hubaut · Fri Sep 15 · windows
Threat Hunt · low · test

Unattend.XML File Access Attempt

Detects attempts to access the "unattend.xml" file, in which credentials may be stored. This file is used during the unattended Windows installation process.

Windows · file_access
TA0006 · Credential Access | T1552.001 · Credentials In Files | detection.threat-hunting
François Hubaut · Mon Jul 22 · windows
Threat Hunt · low · test

File Creation Date Changed to Another Year

Detects when a file's creation time is changed to a year before 2020. Attackers may change the creation time of a backdoor to make it look like it was installed with the operating system. Note that many processes legitimately change the creation time of a file; a hit does not necessarily indicate malicious activity. In order to use this rule in production, it is recommended to first baseline normal behaviour in your environment and then tune the rule accordingly.

Hunting recommendation: focus on files with creation times set to years significantly before the current date, especially those in user-writable directories. Correlate with process execution logs to identify the source of the modification and investigate any unsigned or suspicious binaries involved.

Windows · File Change
T1070.006 · Timestomp | TA0005 · Defense Evasion | detection.threat-hunting
François Hubaut +1 · Fri Aug 12 · windows
Threat Hunt · low · test

ADS Zone.Identifier Deleted

Detects the deletion of the "Zone.Identifier" alternate data stream (the Mark-of-the-Web). Attackers can leverage this to bypass security restrictions that rely on the ADS, such as those applied by Microsoft Office apps.

Windows · File Delete
TA0005 · Defense Evasion | T1070.004 · File Deletion | detection.threat-hunting
François Hubaut · Mon Sep 04 · windows
Threat Hunt · low · test

Creation of an Executable by an Executable

Detects the creation of an executable by another executable.

Windows · File Event
TA0042 · Resource Development | T1587.001 · Malware | detection.threat-hunting
François Hubaut · Wed Mar 09 · windows
Threat Hunt · medium · test

Non-DLL Extension File Renamed With DLL Extension

Detects rename operations of files with non-DLL extensions to files with a DLL extension. This is often performed by malware in order to avoid initial detections based on extensions.

Windows · File Rename
TA0005 · Defense Evasion | T1036.008 · Masquerade File Type | detection.threat-hunting
François Hubaut · Sat Feb 19 · windows
Threat Hunt · low · test

Amsi.DLL Load By Uncommon Process

Detects loading of Amsi.dll by uncommon processes

Windows · Image Load (DLL)
TA0005 · Defense Evasion | TA0040 · Impact | T1490 · Inhibit System Recovery | detection.threat-hunting
François Hubaut · Sun Mar 12 · windows
Threat Hunt · low · test

Msiexec.EXE Initiated Network Connection Over HTTP

Detects a network connection initiated by an "Msiexec.exe" process over port 80 or 443. Adversaries might abuse "msiexec.exe" to install and execute remotely hosted packages. Use this rule to hunt for potentially anomalous or suspicious communications.

Windows · Network Connection
TA0005 · Defense Evasion | T1218.007 · Msiexec | detection.threat-hunting
François Hubaut · Sun Jan 16 · windows
Threat Hunt · medium · test

Windows Mail App Mailbox Access Via PowerShell Script

Detects PowerShell scripts that try to access the default Windows Mail app mailbox. This indicates manipulation of or access to the stored emails of a user; for example, an attacker could use it to exfiltrate or delete the content of the emails.

Windows · PowerShell Script
TA0005 · Defense Evasion | T1070.008 · Clear Mailbox Data | detection.threat-hunting
François Hubaut · Sat Jul 08 · windows
Threat Hunt · low · test

New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet - ScriptBlock

Detects PowerShell scripts that call the "New-NetFirewallRule" cmdlet in order to add a new firewall rule with an "Allow" action.

Windows · PowerShell Script
TA0005 · Defense Evasion | T1562.004 · Disable or Modify System Firewall | detection.threat-hunting
François Hubaut · Fri May 10 · windows
Threat Hunt · medium · test

SMB over QUIC Via PowerShell Script

Detects the mounting of Windows SMB shares over QUIC, which can be an unexpected event in some enterprise environments

Windows · PowerShell Script
TA0008 · Lateral Movement | T1570 · Lateral Tool Transfer | detection.threat-hunting
François Hubaut · Fri Jul 21 · windows
Threat Hunt · medium · test

Potential Registry Reconnaissance Via PowerShell Script

Detects PowerShell scripts with potential registry reconnaissance capabilities. Adversaries may interact with the Windows registry to gather information about system credentials, configuration and installed software.

Windows · PowerShell Script
TA0007 · Discovery | T1012 · Query Registry | T1007 · System Service Discovery | detection.threat-hunting
François Hubaut · Sun Jul 02 · windows
Threat Hunt · low · test

Use Of Remove-Item to Delete File - ScriptBlock

Detects the PowerShell "Remove-Item" cmdlet used with "-Path" and "-Recurse" to delete a file or a folder.

Windows · PowerShell Script
TA0005 · Defense Evasion | T1070.004 · File Deletion | detection.threat-hunting
François Hubaut · Sat Jan 15 · windows
Threat Hunt · medium · test

Potential Data Exfiltration Over SMTP Via Send-MailMessage Cmdlet

Detects the execution of a PowerShell script that calls the "Send-MailMessage" cmdlet together with the "-Attachments" flag. This could be a sign of data exfiltration via email. Adversaries may steal data by exfiltrating it over an unencrypted network protocol other than that of the existing command and control channel; the data may also be sent to a network location other than the main command and control server.

Windows · PowerShell Script
TA0010 · Exfiltration | T1048.003 · Exfiltration Over Unencrypted Non-C2 Protocol | detection.threat-hunting
François Hubaut · Mon Sep 26 · windows
Threat Hunt · medium · test

Powershell Token Obfuscation - Powershell

Detects the TOKEN OBFUSCATION technique from Invoke-Obfuscation in PowerShell scripts. Use this rule as a threat-hunting baseline to find obfuscated scripts in your environment. Once tested and tuned, consider deploying a production detection rule based on this hunting rule.

Windows · PowerShell Script
TA0005 · Defense Evasion | T1027.009 · Embedded Payloads | detection.threat-hunting
François Hubaut · Tue Dec 27 · windows
Threat Hunt · low · test

Set Files as System Files Using Attrib.EXE

Detects the execution of "attrib" with the "+s" flag to mark files as system files

Windows · Process Creation
TA0005 · Defense Evasion | T1564.001 · Hidden Files and Directories | detection.threat-hunting
François Hubaut · Fri Feb 04 · windows
Threat Hunt · low · test

CMD Shell Output Redirect

Detects the use of the redirection character ">" to redirect information on the command line. This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for later exfiltration.

Windows · Process Creation
TA0007 · Discovery | T1082 · System Information Discovery | detection.threat-hunting
François Hubaut · Sat Jan 22 · windows
Threat Hunt · medium · test

Curl.EXE Execution With Custom UserAgent

Detects execution of curl.exe with a custom User-Agent option

Windows · Process Creation
TA0011 · Command and Control | T1071.001 · Web Protocols | detection.threat-hunting
François Hubaut · Sun Jan 23 · windows
Threat Hunt · medium · test

Potential DLL Sideloading Activity Via ExtExport.EXE

Detects the execution of "Extexport.exe", a utility that is part of the Internet Explorer browser and is used to export and import settings and data, particularly when switching between Internet Explorer and other web browsers such as Firefox. It allows users to transfer bookmarks, browsing history and other preferences from Internet Explorer to Firefox or vice versa. It can be abused to side-load an arbitrary DLL: if a folder is provided on the command line, it loads any DLL from that folder named "mozcrt19.dll", "mozsqlite3.dll" or "sqlite.dll", and arbitrary DLLs can also be loaded if a specific number of flags is provided.

Windows · Process Creation
TA0005 · Defense Evasion | T1218 · System Binary Proxy Execution | detection.threat-hunting
François Hubaut +1 · Fri Nov 26 · windows
Threat Hunt · medium · test

Microsoft Workflow Compiler Execution

Detects the execution of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.

Windows · Process Creation
TA0005 · Defense Evasion | TA0002 · Execution | T1127 · Trusted Developer Utilities Proxy Execution | T1218 · System Binary Proxy Execution | +1
Nik Seetharaman +1 · Wed Jan 16 · windows
Threat Hunt · medium · test

SMB over QUIC Via Net.EXE

Detects the mounting of Windows SMB shares over QUIC, which can be an unexpected event in some enterprise environments.

Windows · Process Creation
TA0008 · Lateral Movement | T1570 · Lateral Tool Transfer | detection.threat-hunting
François Hubaut · Fri Jul 21 · windows
Threat Hunt · low · test

New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet

Detects calls to the "New-NetFirewallRule" cmdlet from PowerShell in order to add a new firewall rule with an "Allow" action.

Windows · Process Creation
TA0005 · Defense Evasion | T1562.004 · Disable or Modify System Firewall | detection.threat-hunting
François Hubaut · Fri May 03 · windows
Threat Hunt · low · test

SC.EXE Query Execution

Detects execution of "sc.exe" to query information about registered services on the system

Windows · Process Creation
TA0007 · Discovery | T1007 · System Service Discovery | detection.threat-hunting
François Hubaut · Mon Dec 06 · windows
Threat Hunt · medium · test

Potential CommandLine Obfuscation Using Unicode Characters

Detects potential command-line obfuscation using Unicode characters. Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.

Windows · Process Creation
TA0005 · Defense Evasion | T1027 · Obfuscated Files or Information | detection.threat-hunting
François Hubaut +1 · Sat Jan 15 · windows
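Added example, not the Sigma rule's own logic: Python that classifies the non-ASCII characters in a command line (format characters such as zero-width spaces, compatibility characters that NFKC folds back to ASCII, and everything else) and returns a normalised form so that plain string matching on "powershell" works again. The sample command lines are constructed.

```python
"""Added example: spot command lines that hide a well-known binary behind
Unicode look-alikes (full-width letters, zero-width characters) and recover
the plain-ASCII form so that ordinary string matching works again. Not the
Sigma rule's own logic; the sample command lines are constructed."""
import unicodedata


def analyze_cmdline(cmdline: str) -> dict:
    """Classify the non-ASCII characters in a command line and normalise it."""
    # Format characters (category Cf): zero-width space/joiner, BOM, bidi marks.
    fmt = [c for c in cmdline if unicodedata.category(c) == "Cf"]
    # Compatibility characters that NFKC folds to plain ASCII, e.g. 'ｐ' -> 'p'.
    compat = [c for c in cmdline
              if ord(c) > 127 and unicodedata.category(c) != "Cf"
              and unicodedata.normalize("NFKC", c).isascii()]
    # Everything else non-ASCII (accented letters, CJK ...) is usually a legitimate
    # path or user name and is reported but not treated as obfuscation.
    other = [c for c in cmdline if ord(c) > 127 and c not in fmt and c not in compat]
    normalized = "".join(c for c in unicodedata.normalize("NFKC", cmdline)
                         if unicodedata.category(c) != "Cf")
    return {
        "normalized": normalized,
        "format_chars": len(fmt),
        "compat_chars": len(compat),
        "other_non_ascii": len(other),
        "suspicious": bool(fmt or compat),
    }


def hunt(cmdlines):
    """Return (original, normalised) pairs for the command lines worth a look."""
    out = []
    for c in cmdlines:
        r = analyze_cmdline(c)
        if r["suspicious"]:
            out.append((c, r["normalized"]))
    return out


# Constructed samples: two obfuscated launches, one benign accented path, one plain.
SAMPLE_CMDLINES = [
    "ｐｏｗｅｒｓｈｅｌｌ.ｅｘｅ -nop -w hidden -enc AAAA",   # full-width letters
    "pow\u200bershell -c whoami",                     # zero-width space inside the name
    "notepad.exe C:\\Users\\josé\\résumé.txt",       # accented letters, benign
    "cmd /c dir",
]

if __name__ == "__main__":
    for raw, norm in hunt(SAMPLE_CMDLINES):
        print(f"{raw!r} -> {norm!r}")
```

Feed the "normalized" string, not the raw one, into any downstream keyword rule; the raw line is what the adversary wrote to defeat exactly that matching.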
Threat Hunt · medium · test

Elevated System Shell Spawned

Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges. Use this rule to hunt for potentially suspicious processes.

Windows · Process Creation
TA0004 · Privilege Escalation | TA0005 · Defense Evasion | TA0002 · Execution | T1059 · Command and Scripting Interpreter | +1
Nasreddine Bencherchali (Nextron Systems) +1 · Thu Nov 23 · windows
Threat Hunt · medium · test

Use Short Name Path in Command Line

Detects the use of short-name paths (8.3 format) in command lines, which can be used to obfuscate paths or access restricted locations. Windows creates short 8.3 file names (like PROGRA~1) for compatibility with MS-DOS-based or 16-bit Windows programs. When investigating, examine:
- commands using short paths to access sensitive directories or files
- web servers on Windows (especially Apache) where short file names could bypass security controls
- correlation with other suspicious behaviours
- the baseline of short-name usage in your environment, looking for deviations

Windows · Process Creation
TA0005 · Defense Evasion | T1564.004 · NTFS File Attributes | detection.threat-hunting
François Hubaut +1 · Sun Aug 07 · windows
Threat Hunt · low · experimental

Potential Executable Run Itself As Sacrificial Process

Detects when an executable launches an identical instance of itself, a behavior often used to create a suspended "sacrificial" process for code injection or evasion. Investigate for indicators such as the process being started in suspended mode, rapid parent termination, memory manipulation (e.g. WriteProcessMemory, CreateRemoteThread), or unsigned binaries. Review command-line arguments, process ancestry and network activity to confirm whether this is legitimate behavior or process injection.

Windows · Process Creation
TA0005 · Defense Evasion | TA0004 · Privilege Escalation | T1055 · Process Injection | detection.threat-hunting
François Hubaut · Fri Oct 17 · windows
Threat Hunt · low · test

Process Terminated Via Taskkill

Detects execution of "taskkill.exe" in order to stop a service or a process. Look for suspicious parents executing this command in order to hunt for potential malicious activity. Attackers might leverage this in order to conduct data destruction or data encryption for impact on the data stores of services like Exchange and SQL Server.

Windows · Process Creation
TA0040 · Impact | T1489 · Service Stop | detection.threat-hunting
François Hubaut +2 · Sun Dec 26 · windows
Threat Hunt · informational · test

Suspicious Tasklist Discovery Command

Detects "tasklist" discovery commands. Adversaries may attempt to get information about running processes on a system; the information obtained could be used to gain an understanding of common software/applications running on systems within the network.

Windows · Process Creation
TA0007 · Discovery | T1057 · Process Discovery | detection.threat-hunting
François Hubaut · Sat Dec 11 · windows
Threat Hunt · medium · experimental

FTP Connection Open Attempt Via Winscp CLI

Detects the execution of WinSCP with the "-command" and "open" flags in order to open an FTP connection. Akira ransomware was seen using this technique in order to exfiltrate data.

Windows · Process Creation
TA0010 · Exfiltration | T1048 · Exfiltration Over Alternative Protocol | detection.threat-hunting
François Hubaut · Sun Oct 12 · windows
Threat Hunt · medium · experimental

Winscp Execution From Non Standard Folder

Detects the execution of WinSCP from a non-standard folder. This could indicate the use of WinSCP portable.

Windows · Process Creation
TA0010 · Exfiltration | T1048 · Exfiltration Over Alternative Protocol | detection.threat-hunting
François Hubaut · Sun Oct 12 · windows