Sigma Rules
6 rules found for "Antonlovesdnb"
Potential PetitPotam Attack Via EFS RPC Calls
Detects usage of the Windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack referred to as PetitPotam. This RPC function should rarely, if ever, be used, so any usage of it is uncommon enough to warrant further investigation to determine whether it is legitimate. View surrounding logs (within a few minutes before and after) from the source IP. Logs from the source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc.
DotNET Assembly DLL Loaded Via Office Application
Detects any assembly DLL being loaded by an Office Product
CLR DLL Loaded Via Office Applications
Detects CLR DLL being loaded by an Office Product
GAC DLL Loaded Via Office Applications
Detects any GAC DLL being loaded by an Office Product
VBA DLL Loaded Via Office Application
Detects VB DLLs loaded by an Office application, which could indicate the presence of VBA macros.
Windows Registry Trust Record Modification
Alerts on trust record modification within the registry, indicating usage of macros