Rule Library

Sigma Rules

13 rules found for "Endgame)"

3,707 Total · 3,116 Detection · 451 Emerging · 137 Hunting
Detection · high · test

Interactive AT Job

Detects an interactive AT job, which may be used as a form of privilege escalation.

Windows · Process Creation
TA0003 · Persistence; TA0002 · Execution; TA0004 · Privilege Escalation; T1053.002 · At
E.M. Anhaus (originally from Atomic Blue Detections +2 · Thu Oct 24 · windows
Detection · high · stable

Boot Configuration Tampering Via Bcdedit.EXE

Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often used by malware or attackers as a destructive step before launching ransomware.

Windows · Process Creation
TA0040 · Impact; T1490 · Inhibit System Recovery
E.M. Anhaus (originally from Atomic Blue Detections +2 · Thu Oct 24 · windows
Detection · medium · test

Forfiles Command Execution

Detects the execution of "forfiles" with the "/c" flag. While this is an expected behavior of the tool, it can be abused in order to proxy execution of any binary through it. It can be used to bypass application whitelisting.

Windows · Process Creation
TA0002 · Execution; T1059 · Command and Scripting Interpreter
Tim Rauch +4 · Tue Jun 14 · windows
Detection · medium · test

Use of Pcalua For Execution

Detects execution of commands and binaries from the context of the Program Compatibility Assistant (Pcalua.exe). This can be used as a LOLBIN in order to bypass application whitelisting.

Windows · Process Creation
TA0002 · Execution; T1059 · Command and Scripting Interpreter
Nasreddine Bencherchali (Nextron Systems) +3 · Tue Jun 14 · windows
Detection · high · test

Suspicious JavaScript Execution Via Mshta.EXE

Detects execution of JavaScript code using "mshta.exe".

Windows · Process Creation
TA0005 · Defense Evasion; T1218.005 · Mshta
E.M. Anhaus (originally from Atomic Blue Detections +2 · Thu Oct 24 · windows
Detection · medium · test

New User Created Via Net.EXE

Identifies the creation of local users via the net.exe command.

Windows · Process Creation
TA0003 · Persistence; T1136.001 · Local Account
Endgame +1 · Tue Oct 30 · windows
Detection · low · stable

Share And Session Enumeration Using Net.EXE

Detects attempts to enumerate file shares, printer shares and sessions using "net.exe" with the "view" flag.

Windows · Process Creation
TA0007 · Discovery; T1018 · Remote System Discovery
Endgame +1 · Tue Oct 30 · windows
Detection · medium · test

Audio Capture via PowerShell

Detects audio capture via a PowerShell cmdlet.

Windows · Process Creation
TA0009 · Collection; T1123 · Audio Capture
E.M. Anhaus (originally from Atomic Blue Detections +3 · Thu Oct 24 · windows
Detection · high · test

Dumping of Sensitive Hives Via Reg.EXE

Detects the usage of "reg.exe" in order to dump sensitive registry hives. This includes SAM, SYSTEM and SECURITY hives.

Windows · Process Creation
TA0006 · Credential Access; T1003.002 · Security Account Manager; T1003.004 · LSA Secrets; T1003.005 · Cached Domain Credentials +1
Teymur Kheirkhabarov +5 · Tue Oct 22 · windows
Detection · low · test

Discovery of a System Time

Identifies use of various commands to query a system's time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.

Windows · Process Creation
TA0007 · Discovery; T1124 · System Time Discovery
E.M. Anhaus (originally from Atomic Blue Detections +2 · Thu Oct 24 · windows
Detection · medium · test

Audio Capture via SoundRecorder

Detects an attacker collecting audio via the SoundRecorder application.

Windows · Process Creation
TA0009 · Collection; T1123 · Audio Capture
E.M. Anhaus (originally from Atomic Blue Detections +2 · Thu Oct 24 · windows
Detection · medium · test

Usage Of Web Request Commands And Cmdlets

Detects the use of various web request commands with command-line tools and Windows PowerShell cmdlets (including aliases) via CommandLine.

Windows · Process Creation
TA0002 · Execution; T1059.001 · PowerShell
James Pemberton +4 · Thu Oct 24 · windows
Detection · high · test

Bypass UAC via CMSTP

Detects command-line usage of the Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files.

Windows · Process Creation
TA0004 · Privilege Escalation; TA0005 · Defense Evasion; T1548.002 · Bypass User Account Control; T1218.003 · CMSTP
E.M. Anhaus (originally from Atomic Blue Detections +2 · Thu Oct 24 · windows