Sigma Rules
87 rules found for "Ecco"
Suspicious Plink Port Forwarding
Detects suspicious Plink tunnel port forwarding to a local port
Potential AMSI Bypass Via .NET Reflection
Detects Request to "amsiInitFailed" that can be used to disable AMSI Scanning
PowerShell MSI Install via WindowsInstaller COM From Remote Location
Detects the execution of PowerShell commands that attempt to install MSI packages via the Windows Installer COM object (`WindowsInstaller.Installer`) hosted remotely. This could be indication of malicious software deployment or lateral movement attempts using Windows Installer functionality. And the usage of WindowsInstaller COM object rather than msiexec could be an attempt to bypass the detection.
Exchange PowerShell Snap-Ins Usage
Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27
Potential Defense Evasion Via Binary Rename
Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
Renamed Cloudflared.EXE Execution
Detects the execution of a renamed "cloudflared" binary.
Potentially Suspicious Rundll32.EXE Execution of UDL File
Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file. Threat actors can abuse this technique as a phishing vector to capture authentication credentials or other sensitive data.
Suspicious WebDav Client Execution Via Rundll32.EXE
Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397
Potential Persistence Via Microsoft Compatibility Appraiser
Detects manual execution of the "Microsoft Compatibility Appraiser" task via schtasks. In order to trigger persistence stored in the "\AppCompatFlags\TelemetryController" registry key.
Suspicious Eventlog Clearing or Configuration Change Activity
Detects the clearing or configuration tampering of EventLog using utilities such as "wevtutil", "powershell" and "wmic". This technique were seen used by threat actors and ransomware strains in order to evade defenses.
Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI
Detects command line containing reference to the "::$index_allocation" stream, which can be used as a technique to prevent access to folders or files from tooling such as "explorer.exe" or "powershell.exe"
LOLBIN Execution From Abnormal Drive
Detects LOLBINs executing from an abnormal or uncommon drive such as a mounted ISO.
Suspicious Service Binary Directory
Detects a service binary running in a suspicious directory
Active Directory Database Snapshot Via ADExplorer
Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.
Suspicious Active Directory Database Snapshot Via ADExplorer
Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database to a suspicious directory. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.
Psexec Execution
Detects user accept agreement execution in psexec commandline
Potential PsExec Remote Execution
Detects potential psexec command that initiate execution on a remote systems via common commandline flags used by the utility
Sysprep on AppData Folder
Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)
Registry Manipulation via WMI Stdregprov
Detects the usage of wmic.exe to manipulate Windows registry via the WMI StdRegProv class. This behaviour could be potentially suspicious because it uses an alternative method to modify registry keys instead of legitimate registry tools like reg.exe or regedit.exe. Attackers specifically choose this technique to evade detection and bypass security monitoring focused on traditional registry modification commands.
DLL Load via LSASS
Detects a method to load DLL via LSASS process using an undocumented Registry key
AMSI Disabled via Registry Modification
Detects attempts to disable AMSI (Anti-Malware Scan Interface) by modifying the AmsiEnable registry value. Anti-Malware Scan Interface (AMSI) is a security feature in Windows that allows applications and services to integrate with anti-malware products for enhanced protection against malicious content. Adversaries may attempt to disable AMSI to evade detection by security software, allowing them to execute malicious scripts or code without being scanned.
ETW Logging Disabled In .NET Processes - Sysmon Registry
Potential adversaries stopping ETW providers recording loaded .NET assemblies.
Outlook Macro Execution Without Warning Setting Enabled
Detects the modification of Outlook security setting to allow unprompted execution of macros.
MaxMpxCt Registry Value Changed
Detects changes to the "MaxMpxCt" registry value. MaxMpxCt specifies the maximum outstanding network requests for the server per client, which is used when negotiating a Server Message Block (SMB) connection with a client. Note if the value is set beyond 125 older Windows 9x clients will fail to negotiate. Ransomware threat actors and operators (specifically BlackCat) were seen increasing this value in order to handle a higher volume of traffic.
Potential Persistence Via Outlook Home Page
Detects potential persistence activity via outlook home page. An attacker can set a home page to achieve code execution and persistence by editing the WebView registry keys.
Potential Persistence Via Outlook Today Page
Detects potential persistence activity via outlook today page. An attacker can set a custom page to execute arbitrary code and link to it via the registry values "URL" and "UserDefinedUrl".
Potential Registry Persistence Attempt Via Windows Telemetry
Detects potential persistence behavior using the windows telemetry registry key. Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. The problem is, it will run any arbitrary command without restriction of location or type.
Rejetto HTTP File Server RCE
Detects attempts to exploit a Rejetto HTTP File Server (HFS) via CVE-2014-6287
CVE-2020-0688 Exchange Exploitation via Web Log
Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688
CVE-2020-0688 Exploitation via Eventlog
Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688
HAFNIUM Exchange Exploitation Activity
Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers
REvil Kaseya Incident Malware Patterns
Detects process command line patterns and locations used by REvil group in Kaseya incident (can also match on other malware)
Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution
Detects potential exploitation attempt of CVE-2022-22954, a remote code execution vulnerability in VMware Workspace ONE Access and Identity Manager. As reported by Morphisec, part of the attack chain, threat actors used PowerShell commands that executed as a child processes of the legitimate Tomcat "prunsrv.exe" process application.
CVE-2023-23397 Exploitation Attempt
Detects outlook initiating connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation.
Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXE
Detects the execution of "csc.exe" via "w3wp.exe" process. MOVEit affected hosts execute "csc.exe" via the "w3wp.exe" process to dynamically compile malicious DLL files. MOVEit is affected by a critical vulnerability. Exploited hosts show evidence of dynamically compiling a DLL and writing it under C:\\Windows\\Microsoft\.NET\\Framework64\\v4\.0\.30319\\Temporary ASP\.NET Files\\root\\([a-z0-9]{5,12})\\([a-z0-9]{5,12})\\App_Web_[a-z0-9]{5,12}\.dll. Hunting Opportunity Events from IIS dynamically compiling binaries via the csc.exe on behalf of the MOVEit application, especially since May 27th should be investigated.
Dbghelp/Dbgcore DLL Loaded By Uncommon/Suspicious Process
Detects the load of dbghelp/dbgcore DLL by a potentially uncommon or potentially suspicious process. The Dbghelp and Dbgcore DLLs export functions that allow for the dump of process memory. Tools like ProcessHacker, Task Manager and some attacker tradecraft use the MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine. Keep in mind that many legitimate Windows processes and services might load the aforementioned DLLs for debugging or other related purposes. Investigate the CommandLine and the Image location of the process loading the DLL.
SMB over QUIC Via PowerShell Script
Detects the mounting of Windows SMB shares over QUIC, which can be an unexpected event in some enterprise environments
Dynamic .NET Compilation Via Csc.EXE - Hunting
Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.
SMB over QUIC Via Net.EXE
Detects the mounting of Windows SMB shares over QUIC, which can be an unexpected event in some enterprise environments.