Rule Library
Sigma Rules
2 rules found for "Jason Rathbun (Blackpoint Cyber)"
3,707 Total
3,116 Detection
451 Emerging
137 Hunting
Detection · high · test
Remote Access Tool - ScreenConnect Server Web Shell Execution
Detects potential web shell execution from the ScreenConnect server process.
Windows · Process Creation
TA0001 · Initial Access; T1190 · Exploit Public-Facing Application
Jason Rathbun (Blackpoint Cyber) · Mon Feb 26 · windows
Emerging Threat · high · experimental
Suspicious Process Spawned by CentreStack Portal AppPool
Detects unexpected command shell execution (cmd.exe) from w3wp.exe when tied to CentreStack's portal.config, indicating potential exploitation (e.g., CVE-2025-30406).
Windows · Process Creation
TA0003 · Persistence; TA0002 · Execution; T1059.003 · Windows Command Shell; T1505.003 · Web Shell; +2
Jason Rathbun (Blackpoint Cyber) · Thu Apr 17 · 2025