Rule Library
Sigma Rules
5 rules found for "Cian Heasley"
Library totals: 3,707 total · 3,116 Detection · 451 Emerging · 137 Hunting
Detection · Level: high · Status: test
Webshell ReGeorg Detection Via Web Logs
Certain strings in the uri_query field, when combined with a null referer and a null user agent, can indicate activity associated with the ReGeorg webshell.
Log source: Web Server Log
TA0003 · Persistence · T1505.003 · Web Shell
Cian Heasley · Tue Aug 04 · web
Detection · Level: medium · Status: test
Windows Pcap Drivers
Detects Windows Pcap driver installation based on a list of associated .sys files.
Log source: Windows · security
TA0007 · Discovery · TA0006 · Credential Access · T1040 · Network Sniffing
Cian Heasley · Wed Jun 10 · windows
Detection · Level: informational · Status: test
Windows Defender Malware Detection History Deletion
Windows Defender logs when the history of detected infections is deleted.
Log source: Windows · windefend
TA0005 · Defense Evasion
Cian Heasley · Thu Aug 13 · windows
Detection · Level: medium · Status: test
PUA - Mouse Lock Execution
Kaspersky's 2020 Incident Response Analyst Report lists the legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents.
Log source: Windows · Process Creation
TA0006 · Credential Access · TA0009 · Collection · T1056.002 · GUI Input Capture
Cian Heasley · Thu Aug 13 · windows
Detection · Level: high · Status: test
Webshell Tool Reconnaissance Activity
Detects processes spawned from web servers (PHP, Tomcat, IIS, etc.) that perform reconnaissance, checking for the existence of popular scripting tools (perl, python, wget) on the system via their help commands.
Log source: Windows · Process Creation
TA0003 · Persistence · T1505.003 · Web Shell
Cian Heasley +1 · Wed Jul 22 · windows