Phoenix
Sigma IntelligenceBeta
Rule Library

Sigma Rules

12 rules found for "Ilyas Ochkov"

3,707Total
3,116Detection
451Emerging
137Hunting
Detectioncriticaltest

Webshell Remote Command Execution

Detects possible command execution by web application/web shell

Linuxauditd
TA0003 · PersistenceT1505.003 · Web Shell
Ilyas Ochkov+2Sat Oct 12linux
Detectionmediumtest

New or Renamed User Account with '$' Character

Detects the creation of a user with the "$" character. This can be used by attackers to hide a user or trick detection systems that lack the parsing mechanisms.

Windowssecurity
TA0005 · Defense EvasionT1036 · Masquerading
Ilyas Ochkov+1Fri Oct 25windows
Detectionmediumtest

Possible DC Shadow Attack

Detects DCShadow via create new SPN

Windowssecurity
TA0006 · Credential AccessTA0005 · Defense Evasionattack.t1207
Ilyas Ochkov+3Fri Oct 25windows
Detectionhightest

Register new Logon Process by Rubeus

Detects potential use of Rubeus via registered new trusted logon process

Windowssecurity
TA0008 · Lateral MovementTA0004 · Privilege EscalationTA0006 · Credential AccessT1558.003 · Kerberoasting
Roberto Rodriguez (Cyb3rWard0g)+2Thu Oct 24windows
Detectionmediumtest

Uncommon Outbound Kerberos Connection - Security

Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.

Windowssecurity
TA0008 · Lateral MovementTA0006 · Credential AccessT1558.003 · Kerberoasting
Ilyas Ochkov+1Thu Oct 24windows
Detectionhightest

User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'

The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA.

Windowssecurity
TA0006 · Credential AccessTA0008 · Lateral MovementTA0004 · Privilege EscalationT1558.003 · Kerberoasting
Roberto Rodriguez (Cyb3rWard0g)+2Thu Oct 24windows
Detectionmediumtest

Uncommon Outbound Kerberos Connection

Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.

WindowsNetwork Connection
TA0005 · Defense EvasionTA0006 · Credential AccessT1558 · Steal or Forge Kerberos TicketsTA0008 · Lateral Movement+1
Ilyas Ochkov+1Thu Oct 24windows
Detectionmediumtest

Clear PowerShell History - PowerShell Module

Detects keywords that could indicate clearing PowerShell history

WindowsPowerShell Module
TA0005 · Defense EvasionT1070.003 · Clear Command History
Ilyas Ochkov+3Fri Oct 25windows
Detectionmediumtest

Clear PowerShell History - PowerShell

Detects keywords that could indicate clearing PowerShell history

WindowsPowerShell Script
TA0005 · Defense EvasionT1070.003 · Clear Command History
Ilyas Ochkov+3Tue Jan 25windows
Detectionhightest

Disable Security Events Logging Adding Reg Key MiniNt

Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stop writing events.

WindowsRegistry Event
TA0003 · PersistenceTA0005 · Defense EvasionT1562.002 · Disable Windows Event LoggingT1112 · Modify Registry+1
Ilyas Ochkov+1Fri Oct 25windows
Detectionmediumtest

New DLL Added to AppCertDlls Registry Key

Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.

WindowsRegistry Event
TA0004 · Privilege EscalationTA0003 · PersistenceT1546.009 · AppCert DLLs
Ilyas Ochkov+1Fri Oct 25windows
Detectionmediumtest

New DLL Added to AppInit_DLLs Registry Key

DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll

WindowsRegistry Event
TA0004 · Privilege EscalationTA0003 · PersistenceT1546.010 · AppInit DLLs
Ilyas Ochkov+2Fri Oct 25windows