Rule Library
Sigma Rules
5 rules found for "James Pemberton"
3,707 Total
3,116 Detection
451 Emerging
137 Hunting
Detection · medium · test
Potential Remote Desktop Connection to Non-Domain Host
Detects logons using NTLM to hosts that are potentially not part of the domain.
Windows · ntlm
TA0011 · Command and Control, attack.t1219.002
James Pemberton · Fri May 22 · windows
Detection · high · test
Suspicious Windows ANONYMOUS LOGON Local Account Created
Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. Created as a covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.
Windows · security
TA0003 · Persistence, T1136.001 · Local Account, T1136.002 · Domain Account
James Pemberton · Thu Oct 31 · windows
Detection · medium · test
Usage Of Web Request Commands And Cmdlets - ScriptBlock
Detects the use of various web request commands with command-line tools and Windows PowerShell cmdlets (including aliases) via PowerShell scriptblock logs.
Windows · PowerShell Script
TA0002 · Execution, T1059.001 · PowerShell
James Pemberton · Thu Oct 24 · windows
Detection · medium · test
Potential Defense Evasion Via Binary Rename
Detects the execution of a renamed binary often used by attackers or malware, leveraging the new Sysmon OriginalFileName datapoint.
Windows · Process Creation
TA0005 · Defense Evasion, T1036.003 · Rename System Utilities
Matthew Green +4 · Sat Jun 15 · windows
Detection · medium · test
Usage Of Web Request Commands And Cmdlets
Detects the use of various web request commands with command-line tools and Windows PowerShell cmdlets (including aliases) via CommandLine.
Windows · Process Creation
TA0002 · Execution, T1059.001 · PowerShell
James Pemberton +4 · Thu Oct 24 · windows