Sigma Rules
13 rules found for "E.M. Anhaus (originally from Atomic Blue Detections"
Modification of ld.so.preload
Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.
Interactive AT Job
Detects an interactive AT job, which may be used as a form of privilege escalation.
Boot Configuration Tampering Via Bcdedit.EXE
Detects the use of the bcdedit command to tamper with the boot configuration data. Malware and attackers often do this as a destructive step (disabling recovery and boot-failure handling) before launching ransomware.
Forfiles Command Execution
Detects the execution of "forfiles" with the "/c" flag. While this is an expected behavior of the tool, it can be abused in order to proxy execution through it with any binary. Can be used to bypass application whitelisting.
HH.EXE Execution
Detects the execution of "hh.exe" to open ".chm" files.
Use of Pcalua For Execution
Detects execution of commands and binaries from the context of the Program Compatibility Assistant (Pcalua.exe). This can be used as a LOLBIN in order to bypass application whitelisting.
Suspicious JavaScript Execution Via Mshta.EXE
Detects execution of javascript code using "mshta.exe".
Audio Capture via PowerShell
Detects audio capture via PowerShell Cmdlet.
Discovery of a System Time
Identifies use of various commands to query a system's time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.
Audio Capture via SoundRecorder
Detects an attacker collecting audio via the SoundRecorder application.
Bypass UAC via CMSTP
Detects command-line usage of the Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files.
Bypass UAC via Fodhelper.exe
Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
Bypass UAC via WSReset.exe
Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.
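The descriptions above state each rule's condition only in prose. The following Python is an added illustration (not the published Sigma detection blocks, and not code from the rule author) that turns several of those conditions into a small evaluator and runs it over constructed sample telemetry. Field names follow the Sigma logsource conventions (process_creation: Image, CommandLine; file_event: TargetFilename; registry_event: TargetObject). The concrete command-line fragments and the ms-settings registry path used for the Fodhelper case are the well-known invocations these descriptions allude to, but they are assumptions here, not the rules' actual selection lists.

```python
"""Toy evaluator for the detection conditions described in this listing.

Added illustration only; the match conditions are assumptions modelled on the
rule descriptions, not the published Sigma selections. Field names follow the
Sigma logsource conventions: process_creation (Image, CommandLine),
file_event (TargetFilename), registry_event (TargetObject).
"""
import re
from typing import Callable, Dict, List

Event = Dict[str, str]


def _image_is(ev: Event, *names: str) -> bool:
    """True when Image ends with one of the given file names (case-insensitive)."""
    image = ev.get("Image", "").lower()
    return any(image.endswith("\\" + n) for n in names)


def _cmd(ev: Event) -> str:
    return ev.get("CommandLine", "").lower()


# Rule title -> condition. Substrings are assumed typical invocations.
RULES: Dict[str, Callable[[Event], bool]] = {
    "Modification of ld.so.preload":
        lambda ev: ev.get("TargetFilename", "") == "/etc/ld.so.preload",
    "Interactive AT Job":
        lambda ev: _image_is(ev, "at.exe") and "interactive" in _cmd(ev),
    "Boot Configuration Tampering Via Bcdedit.EXE":
        lambda ev: _image_is(ev, "bcdedit.exe")
        and ("bootstatuspolicy ignoreallfailures" in _cmd(ev)
             or "recoveryenabled no" in _cmd(ev)),
    "Forfiles Command Execution":
        lambda ev: _image_is(ev, "forfiles.exe")
        and re.search(r"(^|\s)/c(\s|$)", _cmd(ev)) is not None,
    "HH.EXE Execution":
        lambda ev: _image_is(ev, "hh.exe") and ".chm" in _cmd(ev),
    "Use of Pcalua For Execution":
        lambda ev: _image_is(ev, "pcalua.exe") and " -a" in _cmd(ev),
    "Suspicious JavaScript Execution Via Mshta.EXE":
        lambda ev: _image_is(ev, "mshta.exe") and "javascript:" in _cmd(ev),
    "Discovery of a System Time":
        lambda ev: (_image_is(ev, "cmd.exe")
                    and re.search(r"\btime\s+/t\b", _cmd(ev)) is not None)
        or (_image_is(ev, "w32tm.exe") and "/tz" in _cmd(ev))
        or (_image_is(ev, "net.exe", "net1.exe")
            and re.search(r"\btime\b", _cmd(ev)) is not None),
    "Bypass UAC via CMSTP":
        lambda ev: _image_is(ev, "cmstp.exe") and ".inf" in _cmd(ev)
        and ("/s" in _cmd(ev) or "/ni" in _cmd(ev)),
    # Assumption: Fodhelper bypass is modelled as a write under the per-user
    # ms-settings handler key that fodhelper.exe consults.
    "Bypass UAC via Fodhelper.exe":
        lambda ev: "\\software\\classes\\ms-settings\\shell\\open\\command"
        in ev.get("TargetObject", "").lower(),
}


def evaluate(ev: Event) -> List[str]:
    """Return the titles of every rule whose condition matches the event."""
    return [title for title, cond in RULES.items() if cond(ev)]


# Constructed sample telemetry (not captured from a real host).
SAMPLE_EVENTS: List[Event] = [
    {"Image": r"C:\Windows\System32\forfiles.exe",
     "CommandLine": r'forfiles /p C:\Windows\System32 /m notepad.exe /c "cmd /c calc.exe"'},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": 'mshta javascript:close(new ActiveXObject("WScript.Shell").Run("calc.exe"))'},
    {"Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled No"},
    {"Image": r"C:\Windows\System32\cmstp.exe",
     "CommandLine": r"cmstp.exe /ni /s C:\Users\Public\profile.inf"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c time /t"},
    {"EventType": "SetValue",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Classes\ms-settings\shell\open\command\DelegateExecute"},
    {"TargetFilename": "/etc/ld.so.preload"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},  # benign
]


def run_samples() -> Dict[int, List[str]]:
    """Evaluate every sample event; index -> list of matching rule titles."""
    return {i: evaluate(ev) for i, ev in enumerate(SAMPLE_EVENTS)}


if __name__ == "__main__":
    for idx, hits in run_samples().items():
        print(idx, hits or "-")
```

The substring conditions are deliberately loose to mirror the descriptions; a production rule would also constrain fields such as ParentImage or the registry EventType, and the time-discovery case in particular is noisy on its own and is useful mainly as a correlation input.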