Rule Library
Sigma Rules
5 rules found for "Ali Alwashali"
3,707 Total
3,116 Detection
451 Emerging
137 Hunting
Detection · low · test
Remote Access Tool - ScreenConnect Command Execution
Detects command execution via ScreenConnect RMM
Windows · application
TA0002 · Execution, T1059.003 · Windows Command Shell
Ali Alwashali · Tue Oct 10 · windows
Detection · low · test
Remote Access Tool - ScreenConnect File Transfer
Detects a file being transferred via ScreenConnect RMM
Windows · application
TA0002 · Execution, T1059.003 · Windows Command Shell
Ali Alwashali · Tue Oct 10 · windows
Detection · low · test
Remote Access Tool - ScreenConnect Temporary File
Detects the creation of files in a specific location by ScreenConnect RMM. ScreenConnect has a feature to remotely execute binaries on a target machine. These binaries will be dropped to ":\Users\<username>\Documents\ConnectWiseControl\Temp\" before execution.
Windows · File Event
TA0002 · Execution, T1059.003 · Windows Command Shell
Ali Alwashali · Tue Oct 10 · windows
Detection · high · test
Disable Powershell Command History
Detects scripts or commands that disable the PowerShell command history by removing the PSReadLine module
Windows · PowerShell Script
TA0005 · Defense Evasion, T1070.003 · Clear Command History
Ali Alwashali · Sun Aug 21 · windows
Detection · low · test
Remote Access Tool - ScreenConnect Remote Command Execution
Detects the execution of a system command via the ScreenConnect RMM service.
Windows · Process Creation
TA0002 · Execution, T1059.003 · Windows Command Shell
Ali Alwashali · Tue Oct 10 · windows