Sigma Rules
32 rules found for "@sbousseaden"
CodeIntegrity - Unmet Signing Level Requirements By File Under Validation
Detects attempted file load events that did not meet the signing level requirements. It often means the file's signature is revoked or a signature with the Lifetime Signing EKU has expired. This event is best correlated with EID 3089 to determine the error of the validation.
Potential Privilege Escalation via Local Kerberos Relay over LDAP
Detects a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, and the target user SID is the built-in local Administrator account. This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined limited user to local System privileges.
RottenPotato Like Attack Pattern
Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like
Hidden Local User Creation
Detects the creation of a local hidden user account which should not happen for event ID 4720.
New or Renamed User Account with '$' Character
Detects the creation of a user with the "$" character. This can be used by attackers to hide a user or trick detection systems that lack the parsing mechanisms.
RDP over Reverse SSH Tunnel WFP
Detects svchost hosting RDP termsvcs communicating with the loopback address
Service Installed By Unusual Client - Security
Detects a service installed by a client which has PID 0 or whose parent has PID 0
Account Tampering - Suspicious Failed Logon Reasons
This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.
Suspicious Windows ANONYMOUS LOGON Local Account Created
Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. Created as an covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.
Password Protected ZIP File Opened
Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.
Password Protected ZIP File Opened (Suspicious Filenames)
Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.
Password Protected ZIP File Opened (Email Attachment)
Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.
Possible Shadow Credentials Added
Detects possible addition of shadow credentials to an active directory object.
HackTool - CACTUSTORCH Remote Thread Creation
Detects remote thread creation from CACTUSTORCH as described in references.
Suspicious Desktopimgdownldr Target File
Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension
Suspicious Renamed Comsvcs DLL Loaded By Rundll32
Detects rundll32 loading a renamed comsvcs.dll to dump process memory
Potential DLL Sideloading Of Non-Existent DLLs From System Folders
Detects loading of specific system DLL files that are usually not present on the system (or at least not in system directories) but may be loaded by legitimate processes, potentially indicating phantom DLL hijacking attempts. Phantom DLL hijacking involves placing malicious DLLs with names of non-existent system binaries in locations where legitimate applications may search for them, leading to execution of the malicious DLLs.
HackTool - EfsPotato Named Pipe Creation
Detects the pattern of a pipe name as used by the hack tool EfsPotato
Suspicious LSASS Access Via MalSecLogon
Detects suspicious access to LSASS handle via a call trace to "seclogon.dll" with a suspicious access right.
Suspicious Desktopimgdownldr Command
Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet
Suspicious ZipExec Execution
ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.
Potential Credential Dumping Via LSASS Process Clone
Detects a suspicious LSASS process process clone that could be a sign of credential dumping activity
Potential Regsvr32 Commandline Flag Anomaly
Detects a potential command line flag anomaly related to "regsvr32" in which the "/i" flag is used without the "/n" which should be uncommon.
Renamed Office Binary Execution
Detects the execution of a renamed office binary
Process Memory Dump Via Comsvcs.DLL
Detects a process memory dump via "comsvcs.dll" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)
Suspicious Splwow64 Without Params
Detects suspicious Splwow64.exe process without any command line parameters
Copy From Or To Admin Share Or Sysvol Folder
Detects a copy command or a copy utility execution to or from an Admin share or remote
Suspicious Userinit Child Process
Detects a suspicious child process of userinit
Creation of a Local Hidden User Account by Registry
Sysmon registry detection of a local hidden user account.
DLL Load via LSASS
Detects a method to load DLL via LSASS process using an undocumented Registry key
Suspicious Environment Variable Has Been Registered
Detects the creation of user-specific or system-wide environment variables via the registry. Which contains suspicious commands and strings
Suspicious Printer Driver Empty Manufacturer
Detects a suspicious printer driver installation with an empty Manufacturer value