Phoenix
Sigma IntelligenceBeta
Rule Library

Sigma Rules

17 rules found for "E.M. Anhaus"

3,707Total
3,116Detection
451Emerging
137Hunting
Detectionhightest

Modification of ld.so.preload

Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.

Linuxauditd
TA0004 · Privilege EscalationTA0003 · PersistenceTA0005 · Defense EvasionT1574.006 · Dynamic Linker Hijacking
E.M. Anhaus (originally from Atomic Blue Detections+2Thu Oct 24linux
Detectionhightest

Interactive AT Job

Detects an interactive AT job, which may be used as a form of privilege escalation.

WindowsProcess Creation
TA0003 · PersistenceTA0002 · ExecutionTA0004 · Privilege EscalationT1053.002 · At
E.M. Anhaus (originally from Atomic Blue Detections+2Thu Oct 24windows
Detectionhighstable

Boot Configuration Tampering Via Bcdedit.EXE

Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often times used by malware or attackers as a destructive way before launching ransomware.

WindowsProcess Creation
TA0040 · ImpactT1490 · Inhibit System Recovery
E.M. Anhaus (originally from Atomic Blue Detections+2Thu Oct 24windows
Detectionmediumtest

Domain Trust Discovery Via Dsquery

Detects execution of "dsquery.exe" for domain trust discovery

WindowsProcess Creation
TA0007 · DiscoveryT1482 · Domain Trust Discovery
E.M. Anhaus+3Thu Oct 24windows
Detectionmediumtest

Forfiles Command Execution

Detects the execution of "forfiles" with the "/c" flag. While this is an expected behavior of the tool, it can be abused in order to proxy execution through it with any binary. Can be used to bypass application whitelisting.

WindowsProcess Creation
TA0002 · ExecutionT1059 · Command and Scripting Interpreter
Tim Rauch+4Tue Jun 14windows
Detectionhighstable

Fsutil Suspicious Invocation

Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc). Might be used by ransomwares during the attack (seen by NotPetya and others).

WindowsProcess Creation
TA0005 · Defense EvasionTA0040 · ImpactT1070 · Indicator RemovalT1485 · Data Destruction
Ecco+2Thu Sep 26windows
Detectionlowtest

HH.EXE Execution

Detects the execution of "hh.exe" to open ".chm" files.

WindowsProcess Creation
TA0005 · Defense EvasionT1218.001 · Compiled HTML File
E.M. Anhaus (originally from Atomic Blue Detections+2Thu Oct 24windows
Detectionmediumtest

Use of Pcalua For Execution

Detects execition of commands and binaries from the context of The program compatibility assistant (Pcalua.exe). This can be used as a LOLBIN in order to bypass application whitelisting.

WindowsProcess Creation
TA0002 · ExecutionT1059 · Command and Scripting Interpreter
Nasreddine Bencherchali (Nextron Systems)+3Tue Jun 14windows
Detectionhightest

Suspicious JavaScript Execution Via Mshta.EXE

Detects execution of javascript code using "mshta.exe".

WindowsProcess Creation
TA0005 · Defense EvasionT1218.005 · Mshta
E.M. Anhaus (originally from Atomic Blue Detections+2Thu Oct 24windows
Detectionmediumtest

Audio Capture via PowerShell

Detects audio capture via PowerShell Cmdlet.

WindowsProcess Creation
TA0009 · CollectionT1123 · Audio Capture
E.M. Anhaus (originally from Atomic Blue Detections+3Thu Oct 24windows
Detectionlowtest

Files Added To An Archive Using Rar.EXE

Detects usage of "rar" to add files to an archive for potential compression. An adversary may compress data (e.g. sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.

WindowsProcess Creation
TA0009 · CollectionT1560.001 · Archive via Utility
Timur Zinniatullin+2Mon Oct 21windows
Detectionlowtest

Discovery of a System Time

Identifies use of various commands to query a systems time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.

WindowsProcess Creation
TA0007 · DiscoveryT1124 · System Time Discovery
E.M. Anhaus (originally from Atomic Blue Detections+2Thu Oct 24windows
Detectionmediumtest

Audio Capture via SoundRecorder

Detect attacker collecting audio via SoundRecorder application.

WindowsProcess Creation
TA0009 · CollectionT1123 · Audio Capture
E.M. Anhaus (originally from Atomic Blue Detections+2Thu Oct 24windows
Detectionhightest

LSASS Dump Keyword In CommandLine

Detects the presence of the keywords "lsass" and ".dmp" in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process.

WindowsProcess Creation
TA0006 · Credential AccessT1003.001 · LSASS Memory
E.M. Anhaus+3Thu Oct 24windows
Detectionhightest

Bypass UAC via CMSTP

Detect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files

WindowsProcess Creation
TA0004 · Privilege EscalationTA0005 · Defense EvasionT1548.002 · Bypass User Account ControlT1218.003 · CMSTP
E.M. Anhaus (originally from Atomic Blue Detections+2Thu Oct 24windows
Detectionhightest

Bypass UAC via Fodhelper.exe

Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.

WindowsProcess Creation
TA0005 · Defense EvasionTA0004 · Privilege EscalationT1548.002 · Bypass User Account Control
E.M. Anhaus (originally from Atomic Blue Detections+2Thu Oct 24windows
Detectionhightest

Bypass UAC via WSReset.exe

Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.

WindowsProcess Creation
TA0004 · Privilege EscalationTA0005 · Defense EvasionT1548.002 · Bypass User Account Control
E.M. Anhaus (originally from Atomic Blue Detections+3Thu Oct 24windows