Phoenix
Sigma IntelligenceBeta
Rule Library

Sigma Rules

6 rules found for "James Pemberton"

3,707Total
3,116Detection
451Emerging
137Hunting
Detectionmediumtest

Potential Remote Desktop Connection to Non-Domain Host

Detects logons using NTLM to hosts that are potentially not part of the domain.

Windowsntlm
TA0011 · Command and Controlattack.t1219.002
James PembertonFri May 22windows
Detectionhightest

Suspicious Windows ANONYMOUS LOGON Local Account Created

Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. Created as an covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.

Windowssecurity
TA0003 · PersistenceT1136.001 · Local AccountT1136.002 · Domain Account
James PembertonThu Oct 31windows
Detectionmediumtest

Usage Of Web Request Commands And Cmdlets - ScriptBlock

Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell scriptblock logs

WindowsPowerShell Script
TA0002 · ExecutionT1059.001 · PowerShell
James PembertonThu Oct 24windows
Detectionmediumtest

Potential Defense Evasion Via Binary Rename

Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.

WindowsProcess Creation
TA0005 · Defense EvasionT1036.003 · Rename System Utilities
Matthew Green+4Sat Jun 15windows
Detectionmediumtest

Usage Of Web Request Commands And Cmdlets

Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine

WindowsProcess Creation
TA0002 · ExecutionT1059.001 · PowerShell
James Pemberton+4Thu Oct 24windows
Threat Huntlowtest

Net.EXE Execution

Detects execution of "Net.EXE".

WindowsProcess Creation
TA0007 · DiscoveryT1007 · System Service DiscoveryT1049 · System Network Connections DiscoveryT1018 · Remote System Discovery+10
Michael Haag+2Wed Jan 16windows