Rule Library
Sigma Rules
2 rules found for "Ahmed Farouk"
3,707 Total
3,116 Detection
451 Emerging
137 Hunting
Detection · high · test
Suspicious External WebDAV Execution
Detects executables launched from external WebDAV shares using the WebDAV Explorer integration, commonly seen in initial access campaigns.
Proxy Log
TA0001 · Initial Access, TA0042 · Resource Development, T1584 · Compromise Infrastructure, T1566 · Phishing
Ahmed Farouk · Fri May 10 · web
Detection · high · test
Potentially Suspicious Command Executed Via Run Dialog Box - Registry
Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key. This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.
Windows · Registry Set
TA0002 · Execution, T1059.001 · PowerShell
Ahmed Farouk +1 · Fri Nov 01 · windows