Rule Library
Sigma Rules
5 rules found for "Bartlomiej Czyz"
3,707Total
3,116Detection
451Emerging
137Hunting
Detectionhightest
Metasploit Or Impacket Service Installation Via SMB PsExec
Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation
Windowssecurity
TA0008 · Lateral MovementT1021.002 · SMB/Windows Admin SharesT1570 · Lateral Tool TransferTA0002 · Execution+1
Bartlomiej Czyz+1Thu Jan 21windows
Detectionmediumtest
PowerShell ICMP Exfiltration
Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
WindowsPowerShell Script
TA0010 · ExfiltrationT1048.003 · Exfiltration Over Unencrypted Non-C2 Protocol
Bartlomiej Czyz+1Sat Oct 10windows
Detectionhightest
Malicious PowerShell Commandlets - ScriptBlock
Detects Commandlet names from well-known PowerShell exploitation frameworks
WindowsPowerShell Script
TA0002 · ExecutionTA0007 · DiscoveryT1482 · Domain Trust DiscoveryT1087 · Account Discovery+6
Sean Metcalf+10Sun Mar 05windows
Detectionhightest
Rundll32 Execution Without Parameters
Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module
WindowsProcess Creation
TA0008 · Lateral MovementT1021.002 · SMB/Windows Admin SharesT1570 · Lateral Tool TransferTA0002 · Execution+1
Bartlomiej Czyz+1Sun Jan 31windows
Detectionmediumtest
Path To Screensaver Binary Modified
Detects value modification of registry key containing path to binary used as screensaver.
WindowsRegistry Event
TA0003 · PersistenceTA0004 · Privilege EscalationT1546.002 · Screensaver
Bartlomiej Czyz+1Sun Oct 11windows