Sigma Rules
6 rules found for "Furkan CALISKAN"
Control Panel Items
Detects the malicious use of a control panel item
Remote File Download Via Findstr.EXE
Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry.
Insensitive Subfolder Search Via Findstr.EXE
Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.
Abusing Print Executable
Attackers can use print.exe for remote file copy
PUA - DIT Snapshot Viewer
Detects the use of Ditsnap tool, an inspection tool for Active Directory database, ntds.dit.
Potential Proxy Execution Via Explorer.EXE From Shell Process
Detects the creation of a child "explorer.exe" process from a shell like process such as "cmd.exe" or "powershell.exe". Attackers can use "explorer.exe" for evading defense mechanisms by proxying the execution through the latter. While this is often a legitimate action, this rule can be use to hunt for anomalies. Muddy Waters threat actor was seeing using this technique.