Sigma Rules
14 rules found for "Beyu Denis"
Webshell Remote Command Execution
Detects possible command execution by a web application or web shell
Potential Webshell Creation On Static Website
Detects the creation of files with certain extensions on a static web site. This can be indicative of potential uploads of a web shell.
Uncommon Child Process Of BgInfo.EXE
Detects uncommon child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript
Potential Binary Proxy Execution Via Cdb.EXE
Detects usage of "cdb.exe" to launch arbitrary processes or commands from a debugger script file
Potential Application Whitelisting Bypass via Dnx.EXE
Detects the execution of Dnx.EXE. The Dnx utility allows for the execution of C# code. Attackers might abuse this in order to bypass application whitelisting.
Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
Detects execution of arbitrary DLLs or unsigned code via ".csproj" files using Dotnet.EXE.
New Capture Session Launched Via DXCap.EXE
Detects the execution of "DXCap.EXE" with the "-c" flag, which allows a user to launch any arbitrary binary or Windows package through DXCap itself. This can be abused to potentially bypass application whitelisting.
Devtoolslauncher.exe Executes Specified Binary
Devtoolslauncher.exe executes another binary
Execute Files with Msdeploy.exe
Detects file execution using the msdeploy.exe lolbin
OpenWith.exe Executes Specified Binary
OpenWith.exe executes another binary
New DLL Registered Via Odbcconf.EXE
Detects execution of "odbcconf" with "REGSVR" in order to register a new DLL (equivalent to running regsvr32). Attackers abuse this to install and run malicious DLLs.
Response File Execution Via Odbcconf.EXE
Detects execution of "odbcconf" with the "-f" flag in order to load a response file which might contain a malicious action.
Potential Arbitrary File Download Using Office Application
Detects potential arbitrary file download using a Microsoft Office application
Screen Capture Activity Via Psr.EXE
Detects execution of Windows Problem Steps Recorder (psr.exe), a utility used to record the user screen and clicks.