Rule Library

Sigma Rules

2 rules found for "@sam0x90"

3,707Total

3,116Detection

451Emerging

137Hunting

Filters

Type

Severity

Status

Product

ISO File Created Within Temp Folders

Detects the creation of a ISO file in the Outlook temp folder or in the Appdata temp folder. Typical of Qakbot TTP from end-July 2022.

WindowsFile Event

TA0001 · Initial AccessT1566.001 · Spearphishing Attachment

@sam0x90Sat Jul 30windows

Detectionmediumtest

Esentutl Gather Credentials

Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module pwgrab.

WindowsProcess Creation

TA0006 · Credential AccessT1003 · OS Credential DumpingT1003.003 · NTDSS0404 · S0404

sam0x90Fri Aug 06windows