Sigma Rules
46 rules found for "Daniil Yugoslavskiy"
Decode Base64 Encoded Text
Detects usage of base64 utility to decode arbitrary base64-encoded text
File and Directory Discovery - Linux
Detects usage of system utilities such as "find", "tree", "findmnt", etc, to discover files, directories and network shares.
Security Software Discovery - Linux
Detects usage of system utilities (only grep and egrep for now) to discover security software discovery
System Network Connections Discovery - Linux
Detects usage of system utilities to discover system network connections
Decode Base64 Encoded Text -MacOs
Detects usage of base64 utility to decode arbitrary base64-encoded text
Hidden User Creation
Detects creation of a hidden user account on macOS (UserID < 500) or with IsHidden option
Disable Security Tools
Detects disabling security tools
File and Directory Discovery - MacOS
Detects usage of system utilities to discover files and directories
Security Software Discovery - MacOs
Detects usage of system utilities (only grep for now) to discover security software discovery
System Network Connections Discovery - MacOs
Detects usage of system utilities to discover system network connections
Gatekeeper Bypass via Xattr
Detects macOS Gatekeeper bypass via xattr utility
Credential Dumping Tools Service Execution - Security
Detects well-known credential dumping tools execution via service execution events
Tap Driver Installation - Security
Detects the installation of a well-known TAP driver service. This could be a sign of potential preparation for data exfiltration using tunnelling techniques.
Credential Dumping Tools Service Execution - System
Detects well-known credential dumping tools execution via service execution events
Tap Driver Installation
Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques
Clear PowerShell History - PowerShell Module
Detects keywords that could indicate clearing PowerShell history
Clear PowerShell History - PowerShell
Detects keywords that could indicate clearing PowerShell history
DNS Exfiltration and Tunneling Tools Execution
Well-known DNS Exfiltration tools execution
Copying Sensitive Files with Credential Data
Files with well-known filenames (sensitive files with credential data) copying
Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE
Detects Netsh command execution that whitelists a program located in a suspicious location in the Windows Firewall
Start Windows Service Via Net.EXE
Detects the usage of the "net.exe" command to start a service using the "start" flag
New DLL Registered Via Odbcconf.EXE
Detects execution of "odbcconf" with "REGSVR" in order to register a new DLL (equivalent to running regsvr32). Attackers abuse this to install and run malicious DLLs.
Response File Execution Via Odbcconf.EXE
Detects execution of "odbcconf" with the "-f" flag in order to load a response file which might contain a malicious action.
Suspicious Encoded PowerShell Command Line
Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)
New Service Creation Using PowerShell
Detects the creation of a new service using powershell.
Direct Autorun Keys Modification
Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.
Dumping of Sensitive Hives Via Reg.EXE
Detects the usage of "reg.exe" in order to dump sensitive registry hives. This includes SAM, SYSTEM and SECURITY hives.
New Service Creation Using Sc.EXE
Detects the creation of a new service using the "sc.exe" utility.
Suspicious Eventlog Clearing or Configuration Change Activity
Detects the clearing or configuration tampering of EventLog using utilities such as "wevtutil", "powershell" and "wmic". This technique were seen used by threat actors and ransomware strains in order to evade defenses.
Local Accounts Discovery
Local accounts, System Owner/User discovery using operating systems utilities
Shadow Copies Creation Using Operating Systems Utilities
Shadow Copies creation using operating systems utilities, possible credential access
Shadow Copies Deletion Using Operating Systems Utilities
Shadow Copies deletion using operating systems utilities
Tap Installer Execution
Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques
Classes Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
Common Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
CurrentControlSet Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
CurrentVersion Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
CurrentVersion NT Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
Internet Explorer Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
Office Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
Session Manager Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
System Scripts Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
WinSock2 Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
Wow6432Node CurrentVersion Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
Wow6432Node Classes Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
Wow6432Node Windows NT CurrentVersion Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.