Sigma Rules
9 rules found for "Conti"
Elise Backdoor Activity
Detects Elise backdoor activity used by APT32
Potential EmpireMonkey Activity
Detects potential EmpireMonkey APT activity
Conti Volume Shadow Listing
Detects a command used by conti to find volume shadow backups
Conti NTDS Exfiltration Command
Detects a command used by conti to exfiltrate NTDS
Potential Conti Ransomware Activity
Detects a specific command used by the Conti ransomware group
Potential Conti Ransomware Database Dumping Activity Via SQLCmd
Detects a command used by conti to dump database
Griffon Malware Attack Pattern
Detects process execution patterns related to Griffon malware as reported by Kaspersky
TeamPCP LiteLLM Supply Chain Attack Persistence Indicators
Detects the creation of specific persistence files as observed in the LiteLLM PyPI supply chain attack. In March 2026, a supply chain attack was discovered involving the popular open-source LLM framework LiteLLM by Threat Actor TeamPCP. The malicious package harvests every credential on the system, encrypts and exfiltrates them, and installs a persistent C2 backdoor.
LiteLLM / TeamPCP Supply Chain Attack Indicators
Detects process executions related to the backdoored versions of LiteLLM (v1.82.7 or v1.82.8). In March 2026, a supply chain attack was discovered involving the popular open-source LLM framework LiteLLM by Threat Actor TeamPCP. The malicious package harvests every credential on the system, encrypts and exfiltrates them, and installs a persistent C2 backdoor.