Phoenix
Sigma IntelligenceBeta
Rule Library

Sigma Rules

8 rules found for "Bartlomiej Czyz"

3,707Total
3,116Detection
451Emerging
137Hunting
Detectionhightest

Metasploit Or Impacket Service Installation Via SMB PsExec

Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation

Windowssecurity
TA0008 · Lateral MovementT1021.002 · SMB/Windows Admin SharesT1570 · Lateral Tool TransferTA0002 · Execution+1
Bartlomiej Czyz+1Thu Jan 21windows
Detectionmediumtest

PowerShell ICMP Exfiltration

Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.

WindowsPowerShell Script
TA0010 · ExfiltrationT1048.003 · Exfiltration Over Unencrypted Non-C2 Protocol
Bartlomiej Czyz+1Sat Oct 10windows
Detectionhightest

Malicious PowerShell Commandlets - ScriptBlock

Detects Commandlet names from well-known PowerShell exploitation frameworks

WindowsPowerShell Script
TA0002 · ExecutionTA0007 · DiscoveryT1482 · Domain Trust DiscoveryT1087 · Account Discovery+6
Sean Metcalf+10Sun Mar 05windows
Detectionhightest

Rundll32 Execution Without Parameters

Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module

WindowsProcess Creation
TA0008 · Lateral MovementT1021.002 · SMB/Windows Admin SharesT1570 · Lateral Tool TransferTA0002 · Execution+1
Bartlomiej Czyz+1Sun Jan 31windows
Detectionmediumtest

Path To Screensaver Binary Modified

Detects value modification of registry key containing path to binary used as screensaver.

WindowsRegistry Event
TA0003 · PersistenceTA0004 · Privilege EscalationT1546.002 · Screensaver
Bartlomiej Czyz+1Sun Oct 11windows
Emerging Threathightest

Lazarus System Binary Masquerading

Detects binaries used by the Lazarus group which use system names but are executed and launched from non-default location

WindowsProcess Creation
TA0005 · Defense EvasionT1036.005 · Match Legitimate Name or Locationdetection.emerging-threats
Trent Liffick+1Wed Jun 032017
Emerging Threatmediumtest

Defrag Deactivation

Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group

WindowsProcess Creation
TA0004 · Privilege EscalationTA0002 · ExecutionTA0003 · PersistenceT1053.005 · Scheduled Task+2
Florian Roth (Nextron Systems)+1Mon Mar 042018
Emerging Threatmediumtest

Defrag Deactivation - Security

Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group

Windowssecurity
TA0004 · Privilege EscalationTA0002 · ExecutionTA0003 · PersistenceT1053 · Scheduled Task/Job+2
Florian Roth (Nextron Systems)+1Mon Mar 042018