Sigma Rules
44 rules found for "Jonhnathan Ribeiro"
Reconnaissance Activity
Detects activity as "net user administrator /domain" and "net group domain admins /domain"
Adwind RAT / JRAT File Artifact
Detects javaw.exe in AppData folder as used by Adwind / JRAT
Clear PowerShell History - PowerShell Module
Detects keywords that could indicate clearing PowerShell history
Suspicious PowerShell Invocations - Specific - PowerShell Module
Detects suspicious PowerShell invocation command parameters
Clear PowerShell History - PowerShell
Detects keywords that could indicate clearing PowerShell history
Suspicious PowerShell Invocations - Specific
Detects suspicious PowerShell invocation command parameters
Credential Dumping Activity By Python Based Tool
Detects LSASS process access for potential credential dumping by a Python-like tool such as LaZagne or Pypykatz.
File Decoded From Base64/Hex Via Certutil.EXE
Detects the execution of certutil with either the "decode" or "decodehex" flags to decode base64 or hex encoded files. This can be abused by attackers to decode an encoded payload before execution
Suspicious Download Via Certutil.EXE
Detects the execution of certutil with certain flags that allow the utility to download files.
File Encoded To Base64 Via Certutil.EXE
Detects the execution of certutil with the "encode" flag to encode a file to base64. This can be abused by threat actors and attackers for data exfiltration
Certificate Exported Via Certutil.EXE
Detects the execution of the certutil with the "exportPFX" flag which allows the utility to export certificates.
Suspicious CodePage Switch Via CHCP
Detects a code page switch in command line or batch scripts to a rare language
Command Line Execution with Suspicious URL and AppData Strings
Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)
Sticky Key Like Backdoor Execution
Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
HackTool - Covenant PowerShell Launcher
Detects suspicious command lines used in Covenant luanchers
HackTool - Potential Impacket Lateral Movement Activity
Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework
HackTool - Koadic Execution
Detects command line parameters used by Koadic hack tool
Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE
Detects Netsh command execution that whitelists a program located in a suspicious location in the Windows Firewall
Suspicious Encoded PowerShell Command Line
Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)
PowerShell Download Pattern
Detects a Powershell process that contains download commands in its command line string
PowerShell Script Run in AppData
Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder
Suspicious Debugger Registration Cmdline
Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).
Suspicious Process Start Locations
Detects suspicious process run from unusual locations
Potentially Suspicious Rundll32 Activity
Detects suspicious execution of rundll32, with specific calls to some DLLs with known LOLBIN functionalities
Deny Service Access Using Security Descriptor Tampering Via Sc.EXE
Detects suspicious DACL modifications to deny access to a service that affects critical trustees. This can be used to hide services or make them unstoppable.
Arbitrary File Download Via Squirrel.EXE
Detects the usage of the "Squirrel.exe" to download arbitrary files. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)
Process Proxy Execution Via Squirrel.EXE
Detects the usage of the "Squirrel.exe" binary to execute arbitrary processes. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)
ETW Trace Evasion Activity
Detects command line activity that tries to clear or disable any ETW trace log which could be a sign of logging evasion.
Suspicious SYSVOL Domain Group Policy Access
Detects Access to Domain Group Policies stored in SYSVOL
Webshell Detection With Command Line Keywords
Detects certain command line parameters often used during reconnaissance activity via web shells
Sticky Key Like Backdoor Usage - Registry
Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
Potential Persistence Via GlobalFlags
Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys
Suspicious Scripting in a WMI Consumer
Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers
ZxShell Malware
Detects a ZxShell start by the called and well-known function name
Adwind RAT / JRAT
Detects javaw.exe in AppData folder as used by Adwind / JRAT
WannaCry Ransomware Activity
Detects WannaCry ransomware activity
Sofacy Trojan Loader Activity
Detects Trojan loader activity as used by APT28
OceanLotus Registry Activity
Detects registry keys created in OceanLotus (also known as APT32) attacks
OilRig APT Activity
Detects OilRig activity as reported by Nyotron in their March 2018 report
OilRig APT Registry Persistence
Detects OilRig registry persistence as reported by Nyotron in their March 2018 report
OilRig APT Schedule Task Persistence - Security
Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report
OilRig APT Schedule Task Persistence - System
Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report
Exploiting SetupComplete.cmd CVE-2019-1378
Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378
Formbook Process Creation
Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.