Sigma Rules
431 rules found for "François Hubaut"
Use of TTDInject.exe
Detects the executiob of TTDInject.exe, which is used by Windows 10 v1809 and newer to debug time travel (underlying call of tttracer.exe)
Lolbin Unregmp2.exe Use As Proxy
Detect usage of the "unregmp2.exe" binary as a proxy to launch a custom version of "wmpnscfg.exe"
UtilityFunctions.ps1 Proxy Dll
Detects the use of a Microsoft signed script executing a managed DLL with PowerShell.
Windows Defender Definition Files Removed
Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files
Suspicious Msbuild Execution By Uncommon Parent Process
Detects suspicious execution of 'Msbuild.exe' by a uncommon parent process
Suspicious Cabinet File Execution Via Msdt.EXE
Detects execution of msdt.exe using the "cab" flag which could indicates suspicious diagcab files with embedded answer files leveraging CVE-2022-30190
DllUnregisterServer Function Call Via Msiexec.EXE
Detects MsiExec loading a DLL and calling its DllUnregisterServer function
Suspicious MsiExec Embedding Parent
Adversaries may abuse msiexec.exe to proxy the execution of malicious payloads
Suspicious Msiexec Execute Arbitrary DLL
Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)
Msiexec Quiet Installation
Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)
New Remote Desktop Connection Initiated Via Mstsc.EXE
Detects the usage of "mstsc.exe" with the "/v" flag to initiate a connection to a remote server. Adversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
System Network Connections Discovery Via Net.EXE
Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
Firewall Rule Deleted Via Netsh.EXE
Detects the removal of a port or application rule in the Windows Firewall configuration using netsh
Netsh Allow Group Policy on Microsoft Defender Firewall
Adversaries may modify system firewalls in order to bypass controls limiting network usage
Firewall Configuration Discovery Via Netsh.EXE
Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution
Detects execution of Windows Defender "OfflineScannerShell.exe" from its non standard directory. The "OfflineScannerShell.exe" binary is vulnerable to DLL side loading and will load any DLL named "mpclient.dll" from the current working directory.
PDQ Deploy Remote Adminstartion Tool Execution
Detect use of PDQ Deploy remote admin tool
PktMon.EXE Execution
Detects execution of PktMon, a tool that captures network packets.
Suspicious Powercfg Execution To Change Lock Screen Timeout
Detects suspicious execution of 'Powercfg.exe' to change lock screen timeout
Potential Active Directory Enumeration Using AD Module - ProcCreation
Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.
Assembly Loading Via CL_LoadAssembly.ps1
Detects calls to "LoadAssemblyFromPath" or "LoadAssemblyFromNS" that are part of the "CL_LoadAssembly.ps1" script. This can be abused to load different assemblies and bypass App locker controls.
Potential Script Proxy Execution Via CL_Mutexverifiers.ps1
Detects the use of the Microsoft signed script "CL_mutexverifiers" to proxy the execution of additional PowerShell script commands
Disable Windows Defender AV Security Monitoring
Detects attackers attempting to disable Windows Defender using Powershell
Potential COM Objects Download Cradles Usage - Process Creation
Detects usage of COM objects that can be abused to download files in PowerShell by CLSID
Suspicious Execution of Powershell with Base64
Commandline to launch powershell with a base64 payload
Powershell Inline Execution From A File
Detects inline execution of PowerShell code from a file
Suspicious FromBase64String Usage On Gzip Archive - Process Creation
Detects attempts of decoding a base64 Gzip archive via PowerShell. This technique is often used as a method to load malicious content into memory afterward.
RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses
Detects calls to the AtomicTestHarnesses "Invoke-ATHRemoteFXvGPUDisablementCommand" which is designed to abuse the "RemoteFXvGPUDisablement.exe" binary to run custom PowerShell code via module load-order hijacking.
Change PowerShell Policies to an Insecure Level
Detects changing the PowerShell script execution policy to a potentially insecure level using the "-ExecutionPolicy" flag.
Powershell Token Obfuscation - Process Creation
Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation
Suspicious X509Enrollment - Process Creation
Detect use of X509Enrollment
Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet
Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
File Download Using ProtocolHandler.exe
Detects usage of "ProtocolHandler" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE
Detects active directory enumeration activity using known AdFind CLI flags
PUA - Fast Reverse Proxy (FRP) Execution
Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.
PUA - Netcat Suspicious Execution
Detects execution of Netcat. Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network
PUA - Nimgrab Execution
Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.
PUA - Nmap/Zenmap Execution
Detects usage of namp/zenmap. Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation
PUA - PingCastle Execution
Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level.
PUA - Radmin Viewer Utility Execution
Detects the execution of Radmin which can be abused by an adversary to remotely control Windows machines
PUA - WebBrowserPassView Execution
Detects the execution of WebBrowserPassView.exe. A password recovery tool that reveals the passwords stored by the following Web browsers, Internet Explorer (Version 4.0 - 11.0), Mozilla Firefox (All Versions), Google Chrome, Safari, and Opera
PUA - Adidnsdump Execution
This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks Python 3 and python.exe must be installed, Usee to Query/modify DNS records for Active Directory integrated DNS via LDAP
Suspicious Reg Add BitLocker
Detects suspicious addition to BitLocker related registry keys via the reg.exe utility
Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE
Detects the usage of "reg.exe" to add Defender folder exclusions. Qbot has been seen using this technique to add exclusions for folders within AppData and ProgramData.
Dumping of Sensitive Hives Via Reg.EXE
Detects the usage of "reg.exe" in order to dump sensitive registry hives. This includes SAM, SYSTEM and SECURITY hives.
Enumeration for Credentials in Registry
Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services
Potential Suspicious Registry File Imported Via Reg.EXE
Detects the import of '.reg' files from suspicious paths using the 'reg.exe' utility
RestrictedAdminMode Registry Value Tampering - ProcCreation
Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise