Rule Library
Sigma Rules
5 rules found for "GossiTheDog"
3,707Total
3,116Detection
451Emerging
137Hunting
Detectioncriticaltest
Certificate Request Export to Exchange Webserver
Detects a write of an Exchange CSR to an untypical directory or with aspx name suffix which can be used to place a webshell
Windowsmsexchange-management
TA0003 · PersistenceT1505.003 · Web Shell
Max Altgelt (Nextron Systems)Mon Aug 23windows
Detectionhightest
HackTool - Typical HiveNightmare SAM File Export
Detects files written by the different tools that exploit HiveNightmare
WindowsFile Event
TA0006 · Credential AccessT1552.001 · Credentials In Filescve.2021-36934
Florian Roth (Nextron Systems)Fri Jul 23windows
Detectionmediumtest
Suspicious Cabinet File Execution Via Msdt.EXE
Detects execution of msdt.exe using the "cab" flag which could indicates suspicious diagcab files with embedded answer files leveraging CVE-2022-30190
WindowsProcess Creation
TA0005 · Defense EvasionT1202 · Indirect Command Execution
Nasreddine Bencherchali (Nextron Systems)+2Tue Jun 21windows
Emerging Threatcriticaltest
Exchange Exploitation CVE-2021-28480
Detects successful exploitation of Exchange vulnerability as reported in CVE-2021-28480
Web Server Log
TA0001 · Initial AccessT1190 · Exploit Public-Facing Applicationcve.2021-28480detection.emerging-threats
Florian Roth (Nextron Systems)Fri May 142021
Emerging Threatcriticaltest
Potential SystemNightmare Exploitation Attempt
Detects an exploitation attempt of SystemNightmare in order to obtain a shell as LOCAL_SYSTEM
WindowsProcess Creation
TA0004 · Privilege EscalationT1068 · Exploitation for Privilege Escalationdetection.emerging-threats
Florian Roth (Nextron Systems)Wed Aug 112021