Rule Library
Sigma Rules
2 rules found for "@sam0x90"
Type: Detection · Level: high · Status: test
ISO File Created Within Temp Folders
Detects the creation of an ISO file in the Outlook temp folder or in the AppData temp folder. Typical of Qakbot TTPs from end-July 2022.
Log source: Windows · File Event
TA0001 · Initial Access; T1566.001 · Spearphishing Attachment
Author: @sam0x90 · Sat Jul 30 · windows
Type: Detection · Level: medium · Status: test
Esentutl Gather Credentials
Conti recommended to its affiliates that they use esentutl to access a dumped NTDS file. Trickbot also uses this utility to get MS Edge information via its pwgrab module.
Log source: Windows · Process Creation
TA0006 · Credential Access; T1003 · OS Credential Dumping; T1003.003 · NTDS; S0404
Author: @sam0x90 · Fri Aug 06 · windows