Rule Library
Sigma Rules
2 rules found for "Ilya Krestinichev"
3,707 Total · 3,116 Detection · 451 Emerging · 137 Hunting
Detection · Level: high · Status: test
Suspicious Ping/Del Command Combination
Detects a method often used by ransomware, which combines "ping" to wait a couple of seconds and then "del" to delete the file in question. It's used, for example, to hide the file responsible for the initial infection.
Windows · Process Creation
TA0005 · Defense Evasion · T1070.004 · File Deletion
Ilya Krestinichev · Thu Nov 03 · windows
Detection · Level: high · Status: test
Taskkill Symantec Endpoint Protection
Detects one of the possible scenarios for disabling Symantec Endpoint Protection. Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism. As a result, the NT AUTHORITY/SYSTEM user can execute the command "taskkill /im ccSvcHst.exe /f" several times, thereby killing the process belonging to the service and thus shutting down the service.
Windows · Process Creation
TA0005 · Defense Evasion · T1562.001 · Disable or Modify Tools
Ilya Krestinichev +1 · Tue Sep 13 · windows