Rule Library

Sigma Rules

10 rules found for "Arnim Rupp"

3,707 Total · 3,116 Detection · 451 Emerging · 137 Hunting
Detection · critical · stable

Antivirus Exploitation Framework Detection

Detects a highly relevant antivirus alert that reports an exploitation framework. This event must not be ignored just because the AV has blocked the malware; investigate how it got onto the host in the first place.

Antivirus Alert
TA0002 · Execution · T1203 · Exploitation for Client Execution · TA0011 · Command and Control · attack.t1219.002
Florian Roth (Nextron Systems) +1 · Sun Sep 09 · category
Detection · high · stable

Antivirus Hacktool Detection

Detects a highly relevant antivirus alert that reports a hack tool or other attack tool. This event must not be ignored just because the AV has blocked the malware; investigate how it got onto the host in the first place.

Antivirus Alert
TA0002 · Execution · T1204 · User Execution
Florian Roth (Nextron Systems) +1 · Mon Aug 16 · category
Detection · critical · stable

Antivirus Password Dumper Detection

Detects a highly relevant antivirus alert that reports a password dumper. This event must not be ignored just because the AV has blocked the malware; investigate how it got onto the host in the first place.

Antivirus Alert
TA0006 · Credential Access · T1003 · OS Credential Dumping · T1558 · Steal or Forge Kerberos Tickets · T1003.001 · LSASS Memory +1
Florian Roth (Nextron Systems) +1 · Sun Sep 09 · category
Detection · critical · test

Antivirus Ransomware Detection

Detects a highly relevant antivirus alert that reports ransomware. This event must not be ignored just because the AV has blocked the malware; investigate how it got onto the host in the first place.

Antivirus Alert
T1486 · Data Encrypted for Impact · TA0040 · Impact
Florian Roth (Nextron Systems) +1 · Thu May 12 · category
Detection · high · test

Antivirus Relevant File Paths Alerts

Detects an antivirus alert in a highly relevant file path or with a relevant file name. This event must not be ignored just because the AV has blocked the malware; investigate how it got onto the host in the first place.

Antivirus Alert
TA0042 · Resource Development · T1588 · Obtain Capabilities
Florian Roth (Nextron Systems) +1 · Sun Sep 09 · category
Detection · high · test

Antivirus Web Shell Detection

Detects a highly relevant antivirus alert that reports a web shell. It is highly recommended to tune this rule to the specific signature strings used by your antivirus solution, e.g. by downloading a large web shell repository from GitHub and checking which signature names your AV reports on it. This event must not be ignored just because the AV has blocked the malware; investigate how it got onto the host in the first place.

Antivirus Alert
TA0003 · Persistence · T1505.003 · Web Shell
Florian Roth (Nextron Systems) +1 · Sun Sep 09 · category
Detection · high · test

Relevant Anti-Virus Signature Keywords In Application Log

Detects potentially highly relevant antivirus events in the application log based on known virus signature names and malware keywords.

Windows · application
TA0042 · Resource Development · T1588 · Obtain Capabilities
Florian Roth (Nextron Systems) +1 · Sun Feb 19 · windows
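The antivirus rules above all share one shape: a case-insensitive substring match on the vendor's signature name or on the alerted file path, evaluated regardless of whether the AV blocked the file. The following Python is an added illustration of that logic over constructed alert records; it is not the Sigma rules themselves. The keyword lists, the severity levels and the field names (Signature, Filename, Action) are assumptions that must be tuned to the vendor's naming scheme, as the web shell rule description recommends.

```python
"""Keyword-based triage of antivirus alerts, in the spirit of the
"Antivirus ... Detection" Sigma rules listed above.

Added illustration, not the Sigma rules themselves: the keyword lists,
the severity levels and the event field names (Signature, Filename,
Action) are assumptions and must be tuned to the vendor's naming scheme.
"""

# Assumed rule set. "Field|contains" mirrors Sigma's contains modifier:
# every needle is matched case-insensitively as a substring.
AV_RULES = {
    "Antivirus Exploitation Framework Detection": {
        "level": "critical",
        "Signature|contains": ["Metasploit", "Meterpreter", "CobaltStrike",
                               "Cobalt Strike", "PowerSploit"],
    },
    "Antivirus Hacktool Detection": {
        "level": "high",
        "Signature|contains": ["HackTool", "HKTL"],
    },
    "Antivirus Password Dumper Detection": {
        "level": "critical",
        "Signature|contains": ["Mimikatz", "PwDump", "LaZagne", "Pypykatz"],
    },
    "Antivirus Web Shell Detection": {
        # Vendor names for web shells vary widely; this list is a
        # placeholder to be tuned against a web shell corpus.
        "level": "high",
        "Signature|contains": ["WebShell", "Chopper", "PHP/Shell", "ASP/Shell"],
    },
    "Antivirus Relevant File Paths Alerts": {
        "level": "high",
        "Filename|contains": ["\\inetpub\\wwwroot\\", "\\htdocs\\",
                              "\\Windows\\Temp\\", "\\Users\\Public\\"],
    },
}

LEVEL_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def _contains_any(value: str, needles: list) -> bool:
    folded = value.casefold()
    return any(needle.casefold() in folded for needle in needles)


def match_rules(event: dict, rules: dict = AV_RULES) -> list:
    """Return the names of all rules that fire on one alert event.

    The alert's Action (Blocked/Quarantined/Cleaned) is deliberately not
    consulted: an exploitation framework that the AV blocked still means
    an attacker was able to drop it on the host.
    """
    hits = []
    for name, rule in rules.items():
        for key, needles in rule.items():
            if key == "level":
                continue
            field, _, modifier = key.partition("|")
            if modifier != "contains":
                raise ValueError(f"unsupported modifier {modifier!r} in {name}")
            if _contains_any(str(event.get(field, "")), needles):
                hits.append(name)
                break  # one firing selection per rule is enough
    return hits


def triage(events: list, rules: dict = AV_RULES) -> list:
    """Flatten all hits to (level, rule, signature), most severe first."""
    rows = [
        (rules[name]["level"], name, event.get("Signature", ""))
        for event in events
        for name in match_rules(event, rules)
    ]
    return sorted(rows, key=lambda row: LEVEL_RANK.get(row[0], 99))


# Constructed sample alerts, normalised to the assumed field names.
SAMPLE_ALERTS = [
    {"Signature": "HackTool:Win32/Mimikatz!ml",
     "Filename": "C:\\Users\\Public\\m.exe", "Action": "Quarantined"},
    {"Signature": "Trojan:Win32/Meterpreter.A",
     "Filename": "C:\\Windows\\Temp\\upd.exe", "Action": "Blocked"},
    {"Signature": "Backdoor:PHP/Chopper.A",
     "Filename": "C:\\inetpub\\wwwroot\\upload\\a.aspx", "Action": "Cleaned"},
    {"Signature": "PUA:Win32/Presenoker",
     "Filename": "C:\\Users\\bob\\Downloads\\setup.exe", "Action": "Blocked"},
]

if __name__ == "__main__":
    for level, rule, signature in triage(SAMPLE_ALERTS):
        print(f"[{level:8}] {rule}: {signature}")
```

The quarantined Mimikatz alert fires three rules at once while the generic PUA alert fires none, which is the intended split: the rules are meant to pull a handful of alerts out of the daily AV noise, and tuning consists of adding your vendor's actual signature strings to the lists rather than loosening the match.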
Detection · medium · experimental

ADExplorer Writing Complete AD Snapshot Into .dat File

Detects the dual-use tool ADExplorer writing a complete AD snapshot into a .dat file. Attackers can use such a snapshot to extract data for BloodHound, collect usernames for password spraying, or mine the metadata for social engineering. The snapshot does not contain password hashes, but there have been cases where administrators put passwords in the comment field.

Windows · File Event
TA0007 · Discovery · T1087.002 · Domain Account · T1069.002 · Domain Groups · T1482 · Domain Trust Discovery
Arnim Rupp (Nextron Systems) +1 · Wed Jul 09 · windows
Emerging Threat · critical · test

Citrix Netscaler Attack CVE-2019-19781

Detects CVE-2019-19781 exploitation attempts against Citrix NetScaler, Application Delivery Controller and Citrix Gateway.

Web Server Log
TA0001 · Initial Access · T1190 · Exploit Public-Facing Application · cve.2019-19781 · detection.emerging-threats
Arnim Rupp +1 · Thu Jan 02 · 2019
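As an added example of running a web-server-log rule of this kind over sample lines (this is not the Sigma rule's own logic): the publicly reported CVE-2019-19781 exploitation pattern reaches the appliance's `/vpns/` tree through a `/../` traversal (for instance `/vpn/../vpns/cfg/smb.conf`), so the check below requires both substrings in the request URI. The combined log format, the percent-decoding step and the sample lines are assumptions constructed for illustration.

```python
"""Scan web server access log lines for CVE-2019-19781 exploitation
attempts against Citrix ADC / Gateway.

Added illustration, not the Sigma rule itself. Assumptions: the log is in
Apache/NGINX combined format, and the indicator is the publicly reported
traversal pattern in which "/../" is used to reach the "/vpns/" tree
(e.g. /vpn/../vpns/cfg/smb.conf). Both conditions must hold.
"""
import re
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def decode_uri(uri: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) so %2e%2e and %252e%252e
    are seen as '..'. Do NOT normalise the path (posixpath.normpath)
    before matching: that would collapse /vpn/../vpns/ to /vpns/ and
    erase the very traversal the rule looks for."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def is_cve_2019_19781_attempt(uri: str) -> bool:
    """Sigma-style check: the request URI contains both '/vpns/' and '/../'."""
    path = decode_uri(uri).lower()
    return "/vpns/" in path and "/../" in path


def scan_access_log(lines) -> list:
    """Return (client ip, raw uri, status) for every line that matches."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: count these separately in production
        if is_cve_2019_19781_attempt(m["uri"]):
            hits.append((m["ip"], m["uri"], int(m["status"])))
    return hits


# Constructed sample log (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2020:12:00:01 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 83
203.0.113.5 - - [10/Jan/2020:12:00:02 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 7
203.0.113.9 - - [10/Jan/2020:12:00:03 +0000] "GET /vpn/%2e%2e/vpns/cfg/smb.conf HTTP/1.1" 200 83
198.51.100.2 - - [10/Jan/2020:12:00:04 +0000] "GET /vpn/index.html HTTP/1.1" 200 1234
198.51.100.3 - - [10/Jan/2020:12:00:05 +0000] "GET /vpns/portal/scripts/newbm.pl HTTP/1.1" 403 0
""".splitlines()

if __name__ == "__main__":
    for ip, uri, status in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {status} {uri}")
```

Two details matter in practice. A literal `contains '/../'` check on the raw URI misses the `%2e%2e` variant, so decode before matching; and a 200 response to the traversal request is a stronger signal than a blocked one, so keep the status code in the hit record. The direct `/vpns/...` request without a traversal is not flagged, because the rule requires both indicators.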
Emerging Threat · high · test

Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process

Detects a potentially suspicious child process of the SSH daemon (sshd) running under a specific execution user. This could be a sign of exploitation of CVE-2024-3094.

Linux · Process Creation
TA0002 · Execution · cve.2024-3094 · detection.emerging-threats
Arnim Rupp +2 · Mon Apr 01 · 2024