Rule Library

Sigma Rules

19 rules found for "Bhabesh Raj"

Detection, high, test

Default Cobalt Strike Certificate

Detects the presence of the default Cobalt Strike certificate in HTTPS traffic

Zeek (Bro), x509
TA0011 · Command and Control, S0154 · Cobalt Strike
Bhabesh Raj, Wed Jun 23, network
Detection, high, test

Atera Agent Installation

Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators

Windows, application
TA0011 · Command and Control, attack.t1219.002
Bhabesh Raj, Wed Sep 01, windows
Detection, high, test

Impacket PsExec Execution

Detects execution of Impacket's psexec.py.

Windows, security
TA0008 · Lateral Movement, T1021.002 · SMB/Windows Admin Shares
Bhabesh Raj, Mon Dec 14, windows
Detection, high, test

Microsoft Defender Blocked from Loading Unsigned DLL

Detects the Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs, which may be an attempt to sideload an arbitrary DLL

Windows, security-mitigations
TA0004 · Privilege Escalation, TA0003 · Persistence, TA0005 · Defense Evasion, T1574.001 · DLL Search Order Hijacking
Bhabesh Raj, Tue Aug 02, windows
Detection, critical, test

Moriya Rootkit - System

Detects the use of the Moriya rootkit as described in Securelist's Operation TunnelSnake report

Windows, system
TA0003 · Persistence, TA0004 · Privilege Escalation, T1543.003 · Windows Service
Bhabesh Raj, Thu May 06, windows
Detection, high, test

PSExec and WMI Process Creations Block

Detects blocking of process creations originating from PSExec and WMI commands

Windows, windefend
TA0002 · Execution, TA0008 · Lateral Movement, T1047 · Windows Management Instrumentation, T1569.002 · Service Execution
Bhabesh Raj, Tue Jul 14, windows
Detection, high, stable

Windows Defender AMSI Trigger Detected

Detects triggering of AMSI by Windows Defender.

Windows, windefend
TA0002 · Execution, T1059 · Command and Scripting Interpreter
Bhabesh Raj, Mon Sep 14, windows
Detection, high, stable

Microsoft Defender Tamper Protection Trigger

Detects blocked attempts to change any of Defender's settings such as "Real Time Monitoring" and "Behavior Monitoring"

Windows, windefend
TA0005 · Defense Evasion, T1562.001 · Disable or Modify Tools
Bhabesh Raj +1, Mon Jul 05, windows
Detection, high, test

Potential Mpclient.DLL Sideloading

Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.

Windows, Image Load (DLL)
TA0004 · Privilege Escalation, TA0003 · Persistence, TA0005 · Defense Evasion, T1574.001 · DLL Search Order Hijacking
Bhabesh Raj, Tue Aug 02, windows
Detection, high, test

PowerShell ADRecon Execution

Detects execution of ADRecon.ps1 for AD reconnaissance, which has been reported to be actively used by FIN7

Windows, PowerShell Script
TA0007 · Discovery, TA0002 · Execution, T1059.001 · PowerShell
Bhabesh Raj, Fri Jul 16, windows
Detection, high, test

PowerView PowerShell Cmdlets - ScriptBlock

Detects Cmdlet names from PowerView of the PowerSploit exploitation framework.

Windows, PowerShell Script
TA0002 · Execution, T1059.001 · PowerShell
Bhabesh Raj, Tue May 18, windows
Detection, high, test

HackTool - HandleKatz Duplicating LSASS Handle

Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles

Windows, Process Access
TA0002 · Execution, T1106 · Native API, TA0005 · Defense Evasion, T1003.001 · LSASS Memory, +1
Bhabesh Raj, Mon Jun 27, windows
Detection, high, stable

Credential Dumping Activity By Python Based Tool

Detects LSASS process access for potential credential dumping by a Python-like tool such as LaZagne or Pypykatz.

Windows, Process Access
TA0006 · Credential Access, T1003.001 · LSASS Memory, S0349 · S0349
Bhabesh Raj +1, Mon Nov 27, windows
Detection, medium, test

Potentially Suspicious Cabinet File Expansion

Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. seen in Iranian MeteorExpress related attacks

Windows, Process Creation
TA0005 · Defense Evasion, T1218 · System Binary Proxy Execution
Bhabesh Raj +1, Fri Jul 30, windows
Detection, high, test

Potential Mpclient.DLL Sideloading Via Defender Binaries

Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.

Windows, Process Creation
TA0004 · Privilege Escalation, TA0003 · Persistence, TA0005 · Defense Evasion, T1574.001 · DLL Search Order Hijacking
Bhabesh Raj, Mon Aug 01, windows
Detection, high, test

PUA - Rclone Execution

Detects execution of the RClone utility for exfiltration as used by various ransomware strains such as REvil, Conti, FiveHands, etc.

Windows, Process Creation
TA0010 · Exfiltration, T1567.002 · Exfiltration to Cloud Storage
Bhabesh Raj +2, Mon May 10, windows
Detection, high, test

Suspicious UltraVNC Execution

Detects a suspicious UltraVNC command line flag combination that indicates an auto reconnect upon execution, e.g. at startup (as seen being used by the Gamaredon threat group)

Windows, Process Creation
TA0008 · Lateral Movement, G0047 · G0047, T1021.005 · VNC
Bhabesh Raj, Fri Mar 04, windows
Detection, high, test

VMToolsd Suspicious Child Process

Detects suspicious child process creations of the VMware Tools process which may indicate persistence setup

Windows, Process Creation
TA0002 · Execution, TA0003 · Persistence, T1059 · Command and Scripting Interpreter
bohops +1, Fri Oct 08, windows
Detection, medium, test

Potential Persistence Via Visual Studio Tools for Office

Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.

Windows, Registry Set
T1137.006 · Add-ins, TA0003 · Persistence
Bhabesh Raj, Sun Jan 10, windows