Rule Library
Sigma Rules
5 rules found for "Anton Kutepov"
3,707 Total · 3,116 Detection · 451 Emerging · 137 Hunting
Detection · high · test
Using SettingSyncHost.exe as LOLBin
Detects the use of SettingSyncHost.exe to run a hijacked binary
Windows · Process Creation
TA0004 · Privilege Escalation; TA0003 · Persistence; TA0002 · Execution; TA0005 · Defense Evasion (+1)
Anton Kutepov (+1) · Wed Feb 05 · windows
Detection · high · test
Suspicious Encoded PowerShell Command Line
Detects suspicious PowerShell process starts with base64-encoded commands (e.g. Emotet)
Windows · Process Creation
TA0002 · Execution; T1059.001 · PowerShell
Florian Roth (Nextron Systems) (+5) · Mon Sep 03 · windows
Detection · high · test
Run PowerShell Script from Redirected Input Stream
Detects PowerShell script execution via input stream redirect
Windows · Process Creation
TA0005 · Defense Evasion; TA0002 · Execution; T1059 · Command and Scripting Interpreter
Moriarty Meng (+2) · Sat Oct 17 · windows
Detection · high · test
System File Execution Location Anomaly
Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location.
Windows · Process Creation
TA0005 · Defense Evasion; T1036 · Masquerading
Florian Roth (Nextron Systems) (+4) · Mon Nov 27 · windows
Detection · high · test
Webshell Detection With Command Line Keywords
Detects certain command line parameters often used during reconnaissance activity via web shells
Windows · Process Creation
TA0003 · Persistence; TA0007 · Discovery; T1505.003 · Web Shell; T1018 · Remote System Discovery (+2)
Florian Roth (Nextron Systems) (+5) · Sun Jan 01 · windows