Sigma Rules
431 rules found for "François Hubaut"
Greedy File Deletion Using Del
Detects execution of the "del" builtin command to remove files using greedy/wildcard expression. This is often used by malware to delete content of folders that perhaps contains the initial malware infection or to delete evidence.
File And SubFolder Enumeration Via Dir Command
Detects usage of the "dir" command part of Windows CMD with the "/S" command line flag in order to enumerate files in a specified directory and all subdirectories.
Potential Dosfuscation Activity
Detects possible payload obfuscation via the commandline
Potential Privilege Escalation Using Symlink Between Osk and Cmd
Detects the creation of a symbolic link between "cmd.exe" and the accessibility on-screen keyboard binary (osk.exe) using "mklink". This technique provides an elevated command prompt to the user from the login screen without the need to log in.
Directory Removal Via Rmdir
Detects execution of the builtin "rmdir" command in order to delete directories. Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Read Contents From Stdin Via Cmd.EXE
Detect the use of "<" to read and potentially execute a file via cmd.exe
New Generic Credentials Added Via Cmdkey.EXE
Detects usage of "cmdkey.exe" to add generic credentials. As an example, this can be used before connecting to an RDP session via command line interface.
Potential Arbitrary File Download Via Cmdl32.EXE
Detects execution of Cmdl32 with the "/vpn" and "/lan" flags. Attackers can abuse this utility in order to download arbitrary files via a configuration file. Inspect the location and the content of the file passed as an argument in order to determine if it is suspicious.
Arbitrary File Download Via ConfigSecurityPolicy.EXE
Detects the execution of "ConfigSecurityPolicy.EXE", a binary part of Windows Defender used to manage settings in Windows Defender. Users can configure different pilot collections for each of the co-management workloads. It can be abused by attackers in order to upload or download files.
Suspicious High IntegrityLevel Conhost Legacy Option
ForceV1 asks for information directly from the kernel space. Conhost connects to the console application. High IntegrityLevel means the process is running with elevated privileges, such as an Administrator context.
Uncommon Child Process Of Defaultpack.EXE
Detects uncommon child processes of "DefaultPack.EXE" binary as a proxy to launch other programs
DirLister Execution
Detect the usage of "DirLister.exe" a utility for quickly listing folder or drive contents. It was seen used by BlackCat ransomware to create a list of accessible directories and files.
Dism Remove Online Package
Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
Esentutl Steals Browser Information
One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe
Findstr GPP Passwords
Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt.
Recon Command Output Piped To Findstr.EXE
Detects the execution of a potential recon command where the results are piped to "findstr". This is meant to trigger on inline calls of "cmd.exe" via the "/c" or "/k" for example. Attackers often time use this technique to extract specific information they require in their reconnaissance phase.
Security Tools Keyword Lookup Via Findstr.EXE
Detects execution of "findstr" to search for common names of security tools. Attackers often pipe the results of recon commands such as "tasklist" or "whoami" to "findstr" in order to filter out the results. This detection focuses on the keywords that the attacker might use as a filter.
Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE
Detects usage of "findstr" with the argument "385201". Which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the name is changed).
Potentially Suspicious NTFS Symlink Behavior Modification
Detects the modification of NTFS symbolic link behavior using fsutil, which could be used to enable remote to local or remote to remote symlinks for potential attacks.
Portable Gpg.EXE Execution
Detects the execution of "gpg.exe" from uncommon location. Often used by ransomware and loaders to decrypt/encrypt data.
Gpresult Display Group Policy Information
Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information
HackTool - WinRM Access Via Evil-WinRM
Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
HackTool - Hashcat Password Cracker Execution
Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against
HackTool - Pypykatz Credentials Dumping Activity
Detects the usage of "pypykatz" to obtain stored credentials. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through Windows registry where the SAM database is stored
HackTool - SharpView Execution
Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
HackTool - TruffleSnout Execution
Detects the use of TruffleSnout.exe an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low noise enumeration.
Suspicious ZipExec Execution
ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.
Suspicious Execution of Hostname
Use of hostname to get information
Use Icacls to Hide File to Everyone
Detect use of icacls to deny access for everyone in Users folder sometimes used to hide malicious files
Disable Windows IIS HTTP Logging
Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)
C# IL Code Compilation Via Ilasm.EXE
Detects the use of "Ilasm.EXE" in order to compile C# intermediate (IL) code to EXE or DLL.
InfDefaultInstall.exe .inf Execution
Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.
Suspicious Execution of InstallUtil Without Log
Uses the .NET InstallUtil.exe application in order to execute image without log
JScript Compiler Execution
Detects the execution of the "jsc.exe" (JScript Compiler). Attacker might abuse this in order to compile JScript files on the fly and bypassing application whitelisting.
Suspicious Diantz Alternate Data Stream Execution
Compress target file into a cab file stored in the Alternate Data Stream (ADS) of the target file.
Suspicious Diantz Download and Compress Into a CAB File
Download and compress a remote file and store it in a cab file on local machine.
Suspicious Extrac32 Execution
Download or Copy file with Extrac32
Suspicious Extrac32 Alternate Data Stream Execution
Extract data from cab file and hide it in an alternate data stream
Gpscript Execution
Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts configured in Group Policy
Ie4uinit Lolbin Use From Invalid Path
Detect use of ie4uinit.exe to execute commands from a specially prepared ie4uinit.inf file from a directory other than the usual directories
Mavinject Inject DLL Into Running Process
Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag
Execute Code with Pester.bat as Parent
Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)
PrintBrm ZIP Creation of Extraction
Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.
Pubprn.vbs Proxy Execution
Detects the use of the 'Pubprn.vbs' Microsoft signed script to execute commands.
Replace.exe Usage
Detects the use of Replace.exe which can be used to replace file with another file
Lolbin Runexehelper Use As Proxy
Detect usage of the "runexehelper.exe" binary as a proxy to launch other programs
SyncAppvPublishingServer Execute Arbitrary PowerShell Code
Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe.
SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code
Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs