Rule Library
Sigma Rules
5 rules found for "Group-IB"
3,707 Total
3,116 Detection
451 Emerging
137 Hunting
Detection · high · test
Prefetch File Deleted
Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence
Windows · File Delete
TA0005 · Defense Evasion · T1070.004 · File Deletion
Cedric MAURUGEON · Wed Sep 29 · windows
Detection · critical · test
Silence.EDA Detection
Detects Silence EmpireDNSAgent as described in the Group-IB report
Windows · PowerShell Script
TA0002 · Execution · T1059.001 · PowerShell · TA0011 · Command and Control · T1071.004 · DNS · +5
Alina Stepchenkova +2 · Fri Nov 01 · windows
Detection · high · test
Shell32 DLL Execution in Suspicious Directory
Detects shell32.dll executing a DLL in a suspicious directory
Windows · Process Creation
TA0005 · Defense Evasion · TA0002 · Execution · T1218.011 · Rundll32
Christian Burkard (Nextron Systems) · Wed Nov 24 · windows
Detection · medium · test
Potentially Suspicious EventLog Recon Activity Using Log Query Utilities
Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs. This technique is used by threat actors in order to extract sensitive information from event logs such as usernames, IP addresses, hostnames, etc.
Windows · Process Creation
TA0006 · Credential Access · TA0007 · Discovery · T1552 · Unsecured Credentials · T1087 · Account Discovery
Nasreddine Bencherchali (Nextron Systems) +1 · Fri Sep 09 · windows
Detection · medium · test
Potentially Suspicious Child Process Of WinRAR.EXE
Detects potentially suspicious child processes of WinRAR.exe.
Windows · Process Creation
TA0002 · Execution · T1203 · Exploitation for Client Execution
Nasreddine Bencherchali (Nextron Systems) · Thu Aug 31 · windows