Rule Library
Sigma Rules
2 rules found for "Ahmed Nosir"
3,707 Total · 3,116 Detection · 451 Emerging · 137 Hunting
Detection · medium · experimental
DNS Query To Common Malware Hosting and Shortener Services
Detects DNS queries to domains commonly used by threat actors to host malware payloads or redirect through URL shorteners. These include platforms like Cloudflare Workers, TryCloudflare, InfinityFree, and URL shorteners such as tinyurl and lihi.cc. Such DNS activity can indicate potential delivery or command-and-control communication attempts.
Windows · DNS Query
TA0011 · Command and Control, T1071.004 · DNS
Ahmed Nosir · Mon Jun 02 · windows
Detection · medium · experimental
Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server
Detects TacticalRMM agent installations where the --api, --auth, and related flags are used on the command line. These parameters configure the agent to connect to a specific RMM server with authentication, client ID, and site ID. This technique could indicate a threat actor attempting to silently register the agent with attacker-controlled RMM infrastructure.
Windows · Process Creation
TA0011 · Command and Control, T1219 · Remote Access Software, T1105 · Ingress Tool Transfer
Ahmed Nosir · Thu May 29 · windows