Sigma Rules
52 rules found for "Huntress"
Axios NPM Compromise Malicious C2 Domain DNS Query
Detects DNS queries for the malicious C2 domain associated with the plain-crypto-js/Axios npm package supply chain compromise. On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency (plain-crypto-js@4.2.1) that executed a postinstall script as a cross-platform RAT dropper. This detection detects endpoints attempting to resolve the attacker's C2 domain (sfrclak.com) used for command and control communication.
Potential BOINC Software Execution (UC-Berkeley Signature)
Detects the use of software that is related to the University of California, Berkeley via metadata information. This indicates it may be related to BOINC software and can be used maliciously if unauthorized.
Headless Process Launched Via Conhost.EXE
Detects the launch of a child process via "conhost.exe" with the "--headless" flag. The "--headless" flag hides the windows from the user upon execution.
Remote Access Tool - ScreenConnect Remote Command Execution - Hunting
Detects remote binary or command execution via the ScreenConnect Service. Use this rule in order to hunt for potentially anomalous executions originating from ScreenConnect