Sigma Rules
477 rules found for "François Hubaut"
Use of UltraVNC Remote Access Software
An adversary may use legitimate desktop support and remote access software,to establish an interactive command and control channel to target systems within networks
Uninstall Crowdstrike Falcon Sensor
Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon
Windows Credential Manager Access via VaultCmd
List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe
Use of W32tm as Timer
When configured with suitable command line arguments, w32tm can act as a delay mechanism
All Backups Deleted Via Wbadmin.EXE
Detects the deletion of all backups or system state backups via "wbadmin.exe". This technique is used by numerous ransomware families and actors. This may only be successful on server platforms that have Windows Backup enabled.
Windows Backup Deleted Via Wbadmin.EXE
Detects the deletion of backups or system state backups via "wbadmin.exe". This technique is used by numerous ransomware families and actors. This may only be successful on server platforms that have Windows Backup enabled.
Sensitive File Dump Via Wbadmin.EXE
Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive. Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information.
File Recovery From Backup Via Wbadmin.EXE
Detects the recovery of files from backups via "wbadmin.exe". Attackers can restore sensitive files such as NTDS.DIT or Registry Hives from backups in order to potentially extract credentials.
Sensitive File Recovery From Backup Via Wbadmin.EXE
Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive. Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information.
Suspicious Where Execution
Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.
Install New Package Via Winget Local Manifest
Detects usage of winget to install applications via manifest file. Adversaries can abuse winget to download payloads remotely and execute them. The manifest option enables you to install an application by passing in a YAML file directly to the client. Winget can be used to download and install exe, msi or msix files later.
Compress Data and Lock With Password for Exfiltration With WINZIP
An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities
Wlrmdr.EXE Uncommon Argument Or Child Process
Detects the execution of "Wlrmdr.exe" with the "-u" command line flag which allows anything passed to it to be an argument of the ShellExecute API, which would allow an attacker to execute arbitrary binaries. This detection also focuses on any uncommon child processes spawned from "Wlrmdr.exe" as a supplement for those that posses "ParentImage" telemetry.
Potential Windows Defender Tampering Via Wmic.EXE
Detects potential tampering with Windows Defender settings such as adding exclusion using wmic
Local Groups Reconnaissance Via Wmic.EXE
Detects the execution of "wmic" with the "group" flag. Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
Process Reconnaissance Via Wmic.EXE
Detects the execution of "wmic" with the "process" flag, which adversary might use to list processes running on the compromised host or list installed software hotfixes and patches.
Service Reconnaissance Via Wmic.EXE
An adversary might use WMI to check if a certain remote service is running on a remote device. When the test completes, a service information will be displayed on the screen if it exists. A common feedback message is that "No instance(s) Available" if the service queried is not running. A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the provided remote host is unreachable
WMIC Remote Command Execution
Detects the execution of WMIC to query information on a remote system
Application Removed Via Wmic.EXE
Detects the removal or uninstallation of an application via "Wmic.EXE".
Removal Of AMSI Provider Registry Keys
Detects the deletion of AMSI provider registry key entries in HKLM\Software\Microsoft\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.
Registry Persistence Mechanisms in Recycle Bin
Detects persistence registry keys for Recycle Bin
Registry Persistence via Service in Safe Mode
Detects the modification of the registry to allow a driver or service to persist in Safe Mode.
Add Port Monitor Persistence in Registry
Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.
Allow RDP Remote Assistance Feature
Detect enable rdp feature to allow specific user to rdp connect on the targeted machine
Classes Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
Common Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
CurrentControlSet Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
CurrentVersion Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
CurrentVersion NT Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
Internet Explorer Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
Office Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
Session Manager Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
System Scripts Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
WinSock2 Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
Wow6432Node CurrentVersion Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
Wow6432Node Classes Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
Wow6432Node Windows NT CurrentVersion Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
Bypass UAC Using DelegateExecute
Bypasses User Account Control using a fileless method
Bypass UAC Using Event Viewer
Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification
Bypass UAC Using SilentCleanup Task
Detects the setting of the environement variable "windir" to a non default value. Attackers often abuse this variable in order to trigger a UAC bypass via the "SilentCleanup" task. The SilentCleanup task located in %windir%\system32\cleanmgr.exe is an auto-elevated task that can be abused to elevate any file with administrator privileges without prompting UAC.
Default RDP Port Changed to Non Standard Port
Detects changes to the default RDP port. Remote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).
IE Change Domain Zone
Hides the file extension through modification of the registry
Change Winevt Channel Access Permission Via Registry
Detects tampering with the "ChannelAccess" registry key in order to change access to Windows event channel.
Running Chrome VPN Extensions via the Registry 2 VPN Extension
Running Chrome VPN Extensions via the Registry install 2 vpn extension
Service Binary in Suspicious Folder
Detect the creation of a service with a service binary located in a suspicious directory
Potential Registry Persistence Attempt Via DbgManagedDebugger
Detects the addition of the "Debugger" value to the "DbgManagedDebugger" key in order to achieve persistence. Which will get invoked when an application crashes
Disable Administrative Share Creation at Startup
Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system
Disable Microsoft Defender Firewall via Registry
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage