Sigma Rules
477 rules found for "François Hubaut"
Suspicious Query of MachineGUID
Use of reg to get MachineGuid information
Modify Group Policy Settings
Detect malicious GPO modifications can be used to implement many other malicious behaviors.
Suspicious ScreenSave Change by Reg.exe
Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension
Changing Existing Service ImagePath Value Via Reg.EXE
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
Reg Add Suspicious Paths
Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys
RegAsm.EXE Execution Without CommandLine Flags or Files
Detects the execution of "RegAsm.exe" without a commandline flag or file, which might indicate potential process injection activity. Usually "RegAsm.exe" should point to a dedicated DLL file or call the help with the "/?" flag.
Regsvr32 DLL Execution With Suspicious File Extension
Detects the execution of REGSVR32.exe with DLL files masquerading as other files
Remote Access Tool - AnyDesk Execution
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
Remote Access Tool - GoToAssist Execution
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
Remote Access Tool - LogMeIn Execution
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
Remote Access Tool - NetSupport Execution
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
Remote Access Tool - ScreenConnect Execution
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
Remote Access Tool - UltraViewer Execution
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
Potential Defense Evasion Via Rename Of Highly Relevant Binaries
Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
Renamed Gpg.EXE Execution
Detects the execution of a renamed "gpg.exe". Often used by ransomware and loaders to decrypt/encrypt data.
Renamed Mavinject.EXE Execution
Detects the execution of a renamed version of the "Mavinject" process. Which can be abused to perform process injection using the "/INJECTRUNNING" flag
Mshtml.DLL RunHTMLApplication Suspicious Usage
Detects execution of commands that leverage the "mshtml.dll" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, http...)
Rundll32 Registered COM Objects
load malicious registered COM objects
Suspicious Workstation Locking via Rundll32
Detects a suspicious call to the user32.dll function that locks the user workstation
Disable Important Scheduled Task
Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities
Setup16.EXE Execution With Custom .Lst File
Detects the execution of "Setup16.EXE" and old installation utility with a custom ".lst" file. These ".lst" file can contain references to external program that "Setup16.EXE" will execute. Attackers and adversaries might leverage this as a living of the land utility.
Suspicious Execution of Shutdown
Use of the commandline to shutdown or reboot windows
Suspicious Execution of Shutdown to Log Out
Detects the rare use of the command line tool shutdown to logoff a user
VeeamBackup Database Credentials Dump Via Sqlcmd.EXE
Detects dump of credentials in VeeamBackup dbo
SQLite Firefox Profile Data DB Access
Detect usage of the "sqlite" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.
Program Executed Using Proxy/Local Command Via SSH.EXE
Detect usage of the "ssh.exe" binary as a proxy to launch other programs.
Start of NT Virtual DOS Machine
Ntvdm.exe allows the execution of 16-bit Windows applications on 32-bit Windows operating systems, as well as the execution of both 16-bit and 32-bit DOS applications
Execute From Alternate Data Streams
Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection
Automated Collection Command Prompt
Once established within a system or network, an adversary may use automated techniques for collecting internal data.
Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image
Detects potential commandline obfuscation using unicode characters. Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
Suspicious Parent Double Extension File Execution
Detect execution of suspicious double extension files in ParentCommandLine
Potentially Suspicious Electron Application CommandLine
Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). This could be a sign of abuse to proxy execution through a signed binary.
Elevated System Shell Spawned From Uncommon Parent Location
Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges from a uncommon parent location.
Hidden Powershell in Link File Pattern
Detects events that appear when a user click on a link file with a powershell command in it
Suspicious Network Command
Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
Suspicious Scan Loop Network
Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system
Use Short Name Path in Image
Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image detection
Use NTFS Short Name in Command Line
Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection
Use NTFS Short Name in Image
Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image based detection
Private Keys Reconnaissance Via CommandLine Tools
Adversaries may search for private key certificate files on compromised systems for insecurely stored credential
Recon Information for Export with Command Prompt
Once established within a system or network, an adversary may use automated techniques for collecting internal data.
Registry Modification of MS-settings Protocol Handler
Detects registry modifications to the 'ms-settings' protocol handler, which is frequently targeted for UAC bypass or persistence. Attackers can modify this registry to execute malicious code with elevated privileges by hijacking the command execution path.
Suspicious Windows Service Tampering
Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts
Potential File Overwrite Via Sysinternals SDelete
Detects the use of SDelete to erase a file not the free space
Uninstall Sysinternals Sysmon
Detects the removal of Sysmon, which could be a potential attempt at defense evasion
Potential Binary Impersonating Sysinternals Tools
Detects binaries that use the same name as legitimate sysinternals tools to evade detection. This rule looks for the execution of binaries that are named similarly to Sysinternals tools. Adversary may rename their malicious tools as legitimate Sysinternals tools to evade detection.
Suspicious Execution of Systeminfo
Detects usage of the "systeminfo" command to retrieve information
Suspicious Recursive Takeown
Adversaries can interact with the DACLs using built-in Windows commands takeown which can grant adversaries higher permissions on specific files and folders