Sigma Rules
114 rules found for "TheDFIRReport"
PowerShell Base64 Encoded Invoke Keyword
Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls
PowerShell Base64 Encoded Reflective Assembly Load
Detects base64 encoded .NET reflective loading of Assembly
Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call
Detects suspicious base64 encoded and obfuscated "LOAD" keyword used in .NET "reflection.assembly"
Obfuscated PowerShell OneLiner Execution
Detects the execution of a specific OneLiner to download and execute powershell modules in memory.
Change PowerShell Policies to an Insecure Level
Detects changing the PowerShell script execution policy to a potentially insecure level using the "-ExecutionPolicy" flag.
Suspicious Uninstall of Windows Defender Feature via PowerShell
Detects the use of PowerShell with Uninstall-WindowsFeature or Remove-WindowsFeature cmdlets to disable or remove the Windows Defender GUI feature, a common technique used by adversaries to evade defenses.
PUA - AdFind Suspicious Execution
Detects AdFind execution with common flags seen used during attacks
PUA - Advanced IP Scanner Execution
Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
PUA - DIT Snapshot Viewer
Detects the use of Ditsnap tool, an inspection tool for Active Directory database, ntds.dit.
PUA - PingCastle Execution
Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level.
PUA - PingCastle Execution From Potentially Suspicious Parent
Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level via a script located in a potentially suspicious or uncommon location.
PUA - Rclone Execution
Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc
PUA - Restic Backup Tool Execution
Detects the execution of the Restic backup tool, which can be used for data exfiltration. Threat actors may leverage Restic to back up and exfiltrate sensitive data to remote storage locations, including cloud services. If not legitimately used in the enterprise environment, its presence may indicate malicious activity.
Hiding User Account Via SpecialAccounts Registry Key - CommandLine
Detects changes to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen.
Suspicious Regsvr32 Execution From Remote Share
Detects REGSVR32.exe to execute DLL hosted on remote shares
Regsvr32 DLL Execution With Suspicious File Extension
Detects the execution of REGSVR32.exe with DLL files masquerading as other files
Suspicious Reg Add BitLocker
Detects suspicious addition to BitLocker related registry keys via the reg.exe utility
Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE
Detects the usage of "reg.exe" to add Defender folder exclusions. Qbot has been seen using this technique to add exclusions for folders within AppData and ProgramData.
Disabling Windows Defender WMI Autologger Session via Reg.exe
Detects the use of reg.exe to disable the Event Tracing for Windows (ETW) Autologger session for Windows Defender API and Audit events. By setting the 'Start' value to '0' for the 'DefenderApiLogger' or 'DefenderAuditLogger' session, an attacker can prevent these critical security events from being logged, effectively blinding monitoring tools that rely on this data. This is a powerful defense evasion technique.
RestrictedAdminMode Registry Value Tampering - ProcCreation
Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise
LSA PPL Protection Disabled Via Reg.EXE
Detects the usage of the "reg.exe" utility to disable PPL protection on the LSA process
Potential Tampering With RDP Related Registry Keys Via Reg.EXE
Detects the execution of "reg.exe" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\Control\Terminal Server' values
Suspicious Windows Defender Registry Key Tampering Via Reg.EXE
Detects the usage of "reg.exe" to tamper with different Windows Defender registry keys in order to disable some important features related to protection and detection
Remote Access Tool - AnyDesk Execution
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
Remote Access Tool - AnyDesk Silent Installation
Detects AnyDesk Remote Desktop silent installation. Which can be used by attackers to gain remote access.
Remote Access Tool - Anydesk Execution From Suspicious Folder
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
Renamed AdFind Execution
Detects the use of a renamed Adfind.exe. AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain.
Renamed AutoHotkey.EXE Execution
Detects execution of a renamed autohotkey.exe binary based on PE metadata fields
Renamed PingCastle Binary Execution
Detects the execution of a renamed "PingCastle" binary based on the PE metadata fields.
Renamed Plink Execution
Detects the execution of a renamed version of the Plink binary
Rundll32 Spawned Via Explorer.EXE
Detects execution of "rundll32.exe" with a parent process of Explorer.exe. This has been observed by variants of Raspberry Robin, as first reported by Red Canary.
Suspicious Schtasks Execution AppData Folder
Detects the creation of a schtask that executes a file from C:\Users\<USER>\AppData\Local
Disable Important Scheduled Task
Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities
Suspicious Scheduled Task Name As GUID
Detects creation of a scheduled task with a GUID like name
Potential SSH Tunnel Persistence Install Using A Scheduled Task
Detects the creation of new scheduled tasks via commandline, using Schtasks.exe. This rule detects tasks creating that call OpenSSH, which may indicate the creation of reverse SSH tunnel to the attacker's server.
Scheduled Task Executing Payload from Registry
Detects the creation of a schtasks that potentially executes a payload stored in the Windows Registry using PowerShell.
Scheduled Task Executing Encoded Payload from Registry
Detects the creation of a schtask that potentially executes a base64 encoded payload stored in the Windows Registry using PowerShell.
VeeamBackup Database Credentials Dump Via Sqlcmd.EXE
Detects dump of credentials in VeeamBackup dbo
Suspicious Copy From or To System Directory
Detects a suspicious copy operation that tries to copy a program from system (System32, SysWOW64, WinSxS) directories to another on disk. Often used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations.
LOL-Binary Copied From System Directory
Detects a suspicious copy operation that tries to copy a known LOLBIN from system (System32, SysWOW64, WinSxS) directories to another on disk in order to bypass detections based on locations.
Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1
Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2
Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3
Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4
Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
Potentially Suspicious EventLog Recon Activity Using Log Query Utilities
Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs. This technique is used by threat actors in order to extract sensitive information from events logs such as usernames, IP addresses, hostnames, etc.
Writing Of Malicious Files To The Fonts Folder
Monitors for the hiding possible malicious files in the C:\Windows\Fonts\ location. This folder doesn't require admin privillege to be written and executed from.
Base64 MZ Header In CommandLine
Detects encoded base64 MZ header in the commandline
LOLBIN Execution From Abnormal Drive
Detects LOLBINs executing from an abnormal or uncommon drive such as a mounted ISO.