Rule Library

Sigma Rules

4 rules found for "JHasenbusch"

3,707Total

3,116Detection

451Emerging

137Hunting

Filters

Type

Severity

Status

Product

Category

Detectionmediumtest

New User Created Via Net.EXE

Identifies the creation of local users via the net.exe command.

WindowsProcess Creation

TA0003 · PersistenceT1136.001 · Local Account

Endgame+1Tue Oct 30windows

Detectionlowstable

Share And Session Enumeration Using Net.EXE

Detects attempts to enumerate file shares, printer shares and sessions using "net.exe" with the "view" flag.

WindowsProcess Creation

TA0007 · DiscoveryT1018 · Remote System Discovery

Endgame+1Tue Oct 30windows

Detectionhightest

Dumping of Sensitive Hives Via Reg.EXE

Detects the usage of "reg.exe" in order to dump sensitive registry hives. This includes SAM, SYSTEM and SECURITY hives.

WindowsProcess Creation

TA0006 · Credential AccessT1003.002 · Security Account ManagerT1003.004 · LSA SecretsT1003.005 · Cached Domain Credentials+1

Teymur Kheirkhabarov+5Tue Oct 22windows

Detectionmediumtest

Usage Of Web Request Commands And Cmdlets

Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine

WindowsProcess Creation

TA0002 · ExecutionT1059.001 · PowerShell

James Pemberton+4Thu Oct 24windows