Sigma Rules
11 rules found for "Micah Babinski"
Suspicious External WebDAV Execution
Detects executables launched from external WebDAV shares using the WebDAV Explorer integration, commonly seen in initial access campaigns.
External Remote RDP Logon from Public IP
Detects successful logon from public IP address via RDP. This can indicate a publicly-exposed RDP port.
External Remote SMB Logon from Public IP
Detects successful logon from public IP address via SMB. This can indicate a publicly-exposed SMB port.
Suspicious File Created by ArcSOC.exe
Detects instances where the ArcGIS Server process ArcSOC.exe, which hosts REST services running on an ArcGIS server, creates a file with suspicious file type, indicating that it may be an executable, script file, or otherwise unusual.
Potential Homoglyph Attack Using Lookalike Characters in Filename
Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters. This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.
Suspicious ArcSOC.exe Child Process
Detects script interpreters, command-line tools, and similar suspicious child processes of ArcSOC.exe. ArcSOC.exe is the process name which hosts ArcGIS Server REST services. If an attacker compromises an ArcGIS Server system and uploads a malicious Server Object Extension (SOE), they can send crafted requests to the corresponding service endpoint and remotely execute code from the ArcSOC.exe process.
Suspicious Microsoft OneNote Child Process
Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file.
PUA - Potential PE Metadata Tamper Using Rcedit
Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.
Potential Homoglyph Attack Using Lookalike Characters
Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters. This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.
Potential Defense Evasion Via Right-to-Left Override
Detects the presence of the "u202+E" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence. This character is used as an obfuscation and masquerading techniques by adversaries to trick users into opening malicious files.
Potentially Suspicious WebDAV LNK Execution
Detects possible execution via LNK file accessed on a WebDAV server.