Sigma Rules
25 rules found for "Joseliyo Sanchez"
Potentially Suspicious Shell Script Creation in Profile Folder
Detects the creation of shell scripts under the "profile.d" path.
Wget Creating Files in Tmp Directory
Detects the use of wget to download content in a temporary directory such as "/tmp" or "/var/tmp"
Copy Passwd Or Shadow From TMP Path
Detects when the file "passwd" or "shadow" is copied from a tmp path
Crontab Enumeration
Detects usage of crontab to list the tasks of the user
Ufw Force Stop Using Ufw-Init
Detects attempts to force stop the ufw using ufw-init
OS Architecture Discovery Via Grep
Detects the use of grep to identify information about the operating system architecture. Often combined beforehand with the execution of "uname" or "cat /proc/cpuinfo"
Flush Iptables Ufw Chain
Detects the use of iptables to flush all firewall rules, tables and chains and allow all network traffic
Potential GobRAT File Discovery Via Grep
Detects the use of grep to discover specific files created by the GobRAT malware
Mount Execution With Hidepid Parameter
Detects execution of the "mount" command with the "hidepid" parameter to hide processes from other users on the system
Suspicious Nohup Execution
Detects execution of binaries located in potentially suspicious locations via "nohup"
Potentially Suspicious Execution From Tmp Folder
Detects a potentially suspicious execution of a process located in the '/tmp/' folder
Shell Execution Of Process Located In Tmp Directory
Detects execution of shells from a parent process located in a temporary (/tmp) directory
Execution Of Script Located In Potentially Suspicious Directory
Detects executions of scripts located in potentially suspicious locations such as "/tmp" via a shell such as "bash", "sh", etc.
Touch Suspicious Service File
Detects usage of the "touch" process on a service file.
Download File To Potentially Suspicious Directory Via Wget
Detects the use of wget to download content to a suspicious directory
System Integrity Protection (SIP) Disabled
Detects the use of csrutil to disable System Integrity Protection (SIP). This technique is used in post-exploit scenarios.
System Integrity Protection (SIP) Enumeration
Detects the use of csrutil to view the System Integrity Protection (SIP) status. This technique is used in post-exploit scenarios.
System Information Discovery Using Ioreg
Detects the use of "ioreg" which will show I/O Kit registry information. This process is used for system information discovery. It has been observed in-the-wild by calling this process directly or using bash and grep to look for specific strings.
System Information Discovery Using sw_vers
Detects the use of "sw_vers" for system information discovery
Potential Base64 Decoded From Images
Detects the use of tail to extract bytes at an offset from an image and then decode the base64 value to create a new file with the decoded content. The detected execution is a bash one-liner.
Self Extraction Directive File Created In Potentially Suspicious Location
Detects the creation of Self Extraction Directive files (.sed) in a potentially suspicious location. These files are used by the "iexpress.exe" utility in order to create self extracting packages. Attackers were seen abusing this utility and creating PE files with embedded ".sed" entries.
Potentially Suspicious Self Extraction Directive File Created
Detects the creation of a binary file with the ".sed" extension. The ".sed" extension stands for Self Extraction Directive files. These files are used by the "iexpress.exe" utility in order to create self extracting packages. Attackers were seen abusing this utility and creating PE files with embedded ".sed" entries. Usually ".sed" files are simple ini files and not PE binaries.
Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location
Detects the use of iexpress.exe to create binaries via Self Extraction Directive (SED) files located in potentially suspicious locations. This behavior has been observed in-the-wild by different threat actors.
CodePage Modification Via MODE.COM To Russian Language
Detects a CodePage modification using the "mode.com" utility to the Russian language. This behavior has been used by threat actors behind Dharma ransomware.
Suspicious Usage of For Loop with Recursive Directory Search in CMD
Detects suspicious usage of the cmd.exe 'for /f' loop combined with the 'tokens=' parameter and a recursive directory listing. This pattern may indicate an attempt to discover and execute system binaries dynamically, for example powershell, a technique sometimes used by attackers to evade detection. This behavior has been observed in various malicious lnk files.