Phoenix
Sigma IntelligenceBeta
Rule Library

Sigma Rules

7 rules found for "Agro"

3,707Total
3,116Detection
451Emerging
137Hunting
Detectionmediumtest

Group Has Been Deleted Via Groupdel

Detects execution of the "groupdel" binary. Which is used to delete a group. This is sometimes abused by threat actors in order to cover their tracks

LinuxProcess Creation
TA0040 · ImpactT1531 · Account Access Removal
Tuan Le (NCSGroup)Mon Dec 26linux
Detectionmediumtest

Extracting Information with PowerShell

Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.

WindowsPowerShell Script
TA0006 · Credential AccessT1552.001 · Credentials In Files
François HubautSun Dec 19windows
Detectionmediumtest

Detection of PowerShell Execution via Sqlps.exe

This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.

WindowsProcess Creation
TA0002 · ExecutionT1059.001 · PowerShellTA0005 · Defense EvasionT1127 · Trusted Developer Utilities Proxy Execution
Agro oscd.communitySat Oct 10windows
Detectionmediumtest

SQL Client Tools PowerShell Session Detection

This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.

WindowsProcess Creation
TA0002 · ExecutionT1059.001 · PowerShellTA0005 · Defense EvasionT1127 · Trusted Developer Utilities Proxy Execution
Agro oscd.communitlyTue Oct 13windows
Detectionlowtest

Malicious Windows Script Components File Execution by TAEF Detection

Windows Test Authoring and Execution Framework (TAEF) framework allows you to run automation by executing tests files written on different languages (C, C#, Microsoft COM Scripting interfaces Adversaries may execute malicious code (such as WSC file with VBScript, dll and so on) directly by running te.exe

WindowsProcess Creation
TA0005 · Defense EvasionT1218 · System Binary Proxy Execution
Agro oscd.communityTue Oct 13windows
Detectionmediumtest

Malicious PE Execution by Microsoft Visual Studio Debugger

There is an option for a MS VS Just-In-Time Debugger "vsjitdebugger.exe" to launch specified executable and attach a debugger. This option may be used adversaries to execute malicious code by signed verified binary. The debugger is installed alongside with Microsoft Visual Studio package.

WindowsProcess Creation
T1218 · System Binary Proxy ExecutionTA0005 · Defense Evasion
Agro+2Wed Oct 14windows
Detectionhightest

Potential PSFactoryBuffer COM Hijacking

Detects changes to the PSFactory COM InProcServer32 registry. This technique was used by RomCom to create persistence storing a malicious DLL.

WindowsRegistry Set
TA0004 · Privilege EscalationTA0003 · PersistenceT1546.015 · Component Object Model Hijacking
BlackBerry Threat Research and Intelligence TeamWed Jun 07windows