Rule Library
Sigma Rules
4 rules found for "@harr0ey"
Library totals: 3,707 rules (3,116 Detection, 451 Emerging, 137 Hunting)
Detection · medium · test
New Capture Session Launched Via DXCap.EXE
Detects the execution of "DXCap.EXE" with the "-c" flag, which lets a user launch an arbitrary binary or Windows package through DXCap itself. This can be abused to bypass application whitelisting.
Windows · Process Creation
TA0005 · Defense Evasion · T1218 · System Binary Proxy Execution
Beyu Denis +2 · Sat Oct 26 · windows
Detection · high · test
OpenWith.exe Executes Specified Binary
Detects OpenWith.exe being used to execute another binary.
Windows · Process Creation
TA0005 · Defense Evasion · T1218 · System Binary Proxy Execution
Beyu Denis +2 · Sat Oct 12 · windows
Detection · medium · test
Code Execution via Pcwutl.dll
Detects the launch of an executable by calling the LaunchApplication function from the pcwutl.dll library.
Windows · Process Creation
TA0005 · Defense Evasion · T1218.011 · Rundll32
Julia Fomina +1 · Mon Oct 05 · windows
Detection · high · test
UAC Bypass Using ChangePK and SLUI
Detects a UAC bypass that uses changepk.exe and slui.exe (UACMe method 61).
Windows · Process Creation
TA0005 · Defense Evasion · TA0004 · Privilege Escalation · T1548.002 · Bypass User Account Control
Christian Burkard (Nextron Systems) · Mon Aug 23 · windows
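The four rules above are all Windows process-creation detections, so their logic can be expressed as simple predicates over Sysmon Event ID 1 style fields. The block below is an added example written for this page, not the Sigma YAML from the rule library or from the rule authors: it re-states each rule's description as a Python check and runs the checks over a handful of constructed events. Two details are assumptions, because the one-line descriptions do not spell them out: OpenWith.exe is matched on its "/c" switch (the LOLBAS usage), and the ChangePK/SLUI bypass is matched as changepk.exe spawned by slui.exe at High or System integrity. The field names (Image, CommandLine, ParentImage, IntegrityLevel) follow the Sigma process_creation schema.

```python
"""Four @harr0ey process-creation rules as Python predicates over constructed events.
Added example for this page; not the Sigma YAML from the rule library."""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    # Field names follow the Sigma process_creation / Sysmon Event ID 1 schema.
    Image: str
    CommandLine: str
    ParentImage: str = ""
    IntegrityLevel: str = ""


def _ends(value: str, suffix: str) -> bool:
    # Sigma 'endswith' modifiers on Windows paths are case-insensitive.
    return value.lower().endswith(suffix.lower())


def _has_flag(cmdline: str, flag: str) -> bool:
    # Match the switch as its own whitespace-delimited token, so "-c" does not
    # fire on a longer switch such as "-capture" and "/c" does not fire on a path.
    return re.search(r"(?i)(?:^|\s)" + re.escape(flag) + r"(?:\s|$)", cmdline) is not None


def rule_dxcap(ev: ProcessEvent) -> bool:
    """New Capture Session Launched Via DXCap.EXE (T1218): DXCap.EXE run with -c."""
    return _ends(ev.Image, r"\dxcap.exe") and _has_flag(ev.CommandLine, "-c")


def rule_openwith(ev: ProcessEvent) -> bool:
    """OpenWith.exe Executes Specified Binary (T1218).
    Assumption: the LOLBAS form 'OpenWith.exe /c <target>'."""
    return _ends(ev.Image, r"\openwith.exe") and _has_flag(ev.CommandLine, "/c")


def rule_pcwutl(ev: ProcessEvent) -> bool:
    """Code Execution via Pcwutl.dll (T1218.011): rundll32 pcwutl.dll,LaunchApplication <target>."""
    cl = ev.CommandLine.lower()
    return _ends(ev.Image, r"\rundll32.exe") and "pcwutl" in cl and "launchapplication" in cl


def rule_changepk_slui(ev: ProcessEvent) -> bool:
    """UAC Bypass Using ChangePK and SLUI (T1548.002, UACMe method 61).
    Assumption: changepk.exe spawned by slui.exe while already elevated."""
    return (
        _ends(ev.Image, r"\changepk.exe")
        and _ends(ev.ParentImage, r"\slui.exe")
        and ev.IntegrityLevel in ("High", "System")
    )


RULES = {
    "New Capture Session Launched Via DXCap.EXE": rule_dxcap,
    "OpenWith.exe Executes Specified Binary": rule_openwith,
    "Code Execution via Pcwutl.dll": rule_pcwutl,
    "UAC Bypass Using ChangePK and SLUI": rule_changepk_slui,
}


def evaluate(ev: ProcessEvent) -> list:
    """Return the titles of every rule that fires on one event."""
    return [title for title, pred in RULES.items() if pred(ev)]


# Constructed sample events: four true positives followed by two benign look-alikes.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\DXCap.exe", r"DXCap.exe -c C:\Users\Public\stage2.exe",
                 r"C:\Windows\System32\cmd.exe", "Medium"),
    ProcessEvent(r"C:\Windows\System32\OpenWith.exe", r"OpenWith.exe /c C:\Users\Public\run.bat",
                 r"C:\Windows\explorer.exe", "Medium"),
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe pcwutl.dll,LaunchApplication C:\Users\Public\stage2.exe",
                 r"C:\Windows\System32\cmd.exe", "Medium"),
    ProcessEvent(r"C:\Windows\System32\changepk.exe", "changepk.exe",
                 r"C:\Windows\System32\slui.exe", "High"),
    # Ordinary rundll32 use of a control panel applet: must not match the pcwutl rule.
    ProcessEvent(r"C:\Windows\System32\rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL intl.cpl",
                 r"C:\Windows\explorer.exe", "Medium"),
    # changepk.exe opened from Explorer at Medium integrity: the product-key UI, not the bypass.
    ProcessEvent(r"C:\Windows\System32\changepk.exe", "changepk.exe",
                 r"C:\Windows\explorer.exe", "Medium"),
]


def scan(events=SAMPLE_EVENTS) -> dict:
    """Map event index -> list of firing rule titles, omitting events with no hits."""
    hits = {}
    for i, ev in enumerate(events):
        titles = evaluate(ev)
        if titles:
            hits[i] = titles
    return hits


if __name__ == "__main__":
    for idx, titles in scan().items():
        print(f"event {idx}: {SAMPLE_EVENTS[idx].CommandLine!r} -> {titles}")
```

The token-based switch matching is the part worth keeping when porting this back into a Sigma `CommandLine|contains` selection: a plain substring test for `-c` or `/c` will match unrelated switches and file paths and will inflate the medium-severity DXCap and OpenWith rules with noise.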