Sigma Rules
477 rules found for "François Hubaut"
Disable Internal Tools or Feature in Registry
Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)
Disable Privacy Settings Experience in Registry
Detects registry modifications that disable Privacy Settings Experience
Disable Windows Security Center Notifications
Detect set UseActionCenterExperience to 0 to disable the Windows security center notification
Registry Disable System Restore
Detects the modification of the registry to disable a system restore on the computer
Windows Defender Service Disabled - Registry
Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry
Disable Windows Firewall by Registry
Detect set EnableFirewall to 0 to disable the Windows firewall
Disable Windows Event Logging Via Registry
Detects tampering with the "Enabled" registry key in order to disable Windows logging of a Windows event channel
Add DisallowRun Execution to Registry
Detect set DisallowRun to 1 to prevent user running specific computer program
Change User Account Associated with the FAX Service
Detect change of the user account associated with the FAX service to avoid the escalation problem.
Change the Fax Dll
Detect possible persistence using Fax DLL load when service restart
Registry Modification to Hidden File Extension
Hides the file extension through modification of the registry
Displaying Hidden Files Feature Disabled
Detects modifications to the "Hidden" and "ShowSuperHidden" explorer registry values in order to disable showing of hidden files and system files. This technique is abused by several malware families to hide their files from normal users.
Registry Hide Function from User
Detects registry modifications that hide internal tools or functions from the user (malware like Agent Tesla, Hermetic Wiper uses this technique)
New Root or CA or AuthRoot Certificate to Store
Detects the addition of new root, CA or AuthRoot certificates to the Windows registry
Potential Ransomware Activity Using LegalNotice Message
Detect changes to the "LegalNoticeCaption" or "LegalNoticeText" registry values where the message set contains keywords often used in ransomware ransom messages
Lolbas OneDriveStandaloneUpdater.exe Proxy Download
Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any anomalous executables with suspicious arguments. The downloaded file will be in C:\Users\redacted\AppData\Local\Microsoft\OneDrive\StandaloneUpdaterreSignInSettingsConfig.json
RestrictedAdminMode Registry Value Tampering
Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise
NET NGenAssemblyUsageLog Registry Key Tamper
Detects changes to the NGenAssemblyUsageLog registry key. .NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section). By simplify specifying an arbitrary value (e.g. fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.
Microsoft Office Protected View Disabled
Detects changes to Microsoft Office protected view registry keys with which the attacker disables this feature.
Enable Microsoft Dynamic Data Exchange
Enable Dynamic Data Exchange protocol (DDE) in all supported editions of Microsoft Word or Excel.
Outlook Security Settings Updated - Registry
Detects changes to the registry values related to outlook security settings
Potential Persistence Using DebugPath
Detects potential persistence using Appx DebugPath
Modification of IE Registry Settings
Detects modification of the registry settings used for Internet Explorer and other Windows components that use these settings. An attacker can abuse this registry key to add a domain to the trusted sites Zone or insert JavaScript for persistence
Potential Persistence Via Scrobj.dll COM Hijacking
Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute
Potential Persistence Via Shim Database Modification
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time
Potential Persistence Via Excel Add-in - Registry
Detect potential persistence via the creation of an excel add-in (XLL) file to make it run automatically when Excel is started.
Suspicious PowerShell In Registry Run Keys
Detects potential PowerShell commands or code within registry run keys
PowerShell Logging Disabled Via Registry Key Tampering
Detects changes to the registry for the currently logged-in user. In order to disable PowerShell module logging, script block logging or transcription and script execution logging
ServiceDll Hijack
Detects changes to the "ServiceDLL" value related to a service in the registry. This is often used as a method of persistence.
Registry Explorer Policy Modification
Detects registry modifications that disable internal tools or functions in explorer (malware like Agent Tesla uses this technique)
Hiding User Account Via SpecialAccounts Registry Key
Detects modifications to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen.
Activate Suppression of Windows Security Center Notifications
Detect set Notification_Suppress to 1 to disable the Windows security center notification
Potential PendingFileRenameOperations Tampering
Detect changes to the "PendingFileRenameOperations" registry key from uncommon or suspicious images locations to stage currently used files for rename or deletion after reboot.
Modify User Shell Folders Startup Value
Detect modification of the User Shell Folders registry values for Startup or Common Startup which could indicate persistence attempts. Attackers may modify User Shell Folders registry keys to point to malicious executables or scripts that will be executed during startup. This technique is often used to maintain persistence on a compromised system by ensuring that the malicious payload is executed automatically.
WFP Filter Added via Registry
Detects registry modifications that add Windows Filtering Platform (WFP) filters, which may be used to block security tools and EDR agents from reporting events.
New TimeProviders Registered With Uncommon DLL Name
Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider. Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains.
COM Hijacking via TreatAs
Detect modification of TreatAs key to enable "rundll32.exe -sta" command
UAC Disabled
Detects when an attacker tries to disable User Account Control (UAC) by setting the registry value "EnableLUA" to 0.
UAC Notification Disabled
Detects when an attacker tries to disable User Account Control (UAC) notification by tampering with the "UACDisableNotify" value. UAC is a critical security feature in Windows that prevents unauthorized changes to the operating system. It prompts the user for permission or an administrator password before allowing actions that could affect the system's operation or change settings that affect other users. When "UACDisableNotify" is set to 1, UAC prompts are suppressed.
UAC Secure Desktop Prompt Disabled
Detects when an attacker tries to change User Account Control (UAC) elevation request destination via the "PromptOnSecureDesktop" value. The "PromptOnSecureDesktop" setting specifically determines whether UAC prompts are displayed on the secure desktop. The secure desktop is a separate desktop environment that's isolated from other processes running on the system. It's designed to prevent malicious software from intercepting or tampering with UAC prompts. When "PromptOnSecureDesktop" is set to 0, UAC prompts are displayed on the user's current desktop instead of the secure desktop. This reduces the level of security because it potentially exposes the prompts to manipulation by malicious software.
Disable Windows Defender Functionalities Via Registry Keys
Detects when attackers or tools disable Windows Defender functionalities via the Windows registry
Winlogon Notify Key Logon Persistence
Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.
Sysmon Configuration Change
Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or someone trying manipulate the configuration
Sysmon Configuration Error
Detects when an adversary is trying to hide it's action from Sysmon logging based on error messages
Sysmon Configuration Modification
Detects when an attacker tries to hide from Sysmon by disabling or stopping it
Sysmon Blocked File Shredding
Triggers on any Sysmon "FileBlockShredding" event, which indicates a violation of the configured shredding policy.
Sysmon File Executable Creation Detected
Triggers on any Sysmon "FileExecutableDetected" event, which triggers every time a PE that is monitored by the config is created.
Operation Wocao Activity
Detects activity mentioned in Operation Wocao report