Rule Library

Sigma Rules

9 rules found for "Mikhail Larin"

3,707 Total
3,116 Detection
451 Emerging
137 Hunting
Detection · medium · test

Suspicious History File Operations - Linux

Detects command-line operations on shell history files

Linux · auditd
TA0006 · Credential Access · T1552.003 · Bash History
Mikhail Larin +1 · Sat Oct 17 · linux
Detection · high · test

Auditing Configuration Changes on Linux Host

Detects changes to auditd configuration files

Linux · auditd
TA0005 · Defense Evasion · T1562.006 · Indicator Blocking
Mikhail Larin +1 · Fri Oct 25 · linux
Detection · high · test

Logging Configuration Changes on Linux Host

Detects changes to syslog daemon configuration files

Linux · auditd
TA0005 · Defense Evasion · T1562.006 · Indicator Blocking
Mikhail Larin +1 · Fri Oct 25 · linux
Detection · high · test

Binary Padding - MacOS

Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detects the use of dd and truncate to append junk data to a file.

macOS · Process Creation
TA0005 · Defense Evasion · T1027.001 · Binary Padding
Igor Fits +2 · Mon Oct 19 · macos
Detection · medium · test

File Time Attribute Change

Detects file time attribute changes used to hide new files or changes to existing files

macOS · Process Creation
TA0005 · Defense Evasion · T1070.006 · Timestomp
Igor Fits +2 · Mon Oct 19 · macos
Detection · high · test

Credentials In Files

Detects attempts to extract passwords with grep and LaZagne

macOS · Process Creation
TA0006 · Credential Access · T1552.001 · Credentials In Files
Igor Fits +2 · Mon Oct 19 · macos
Detection · low · test

Split A File Into Pieces

Detects use of the "split" command to split files into parts for possible transfer.

macOS · Process Creation
TA0010 · Exfiltration · T1030 · Data Transfer Size Limits
Igor Fits +2 · Thu Oct 15 · macos
Detection · medium · test

Suspicious History File Operations

Detects command-line operations on shell history files

macOS · Process Creation
TA0006 · Credential Access · T1552.003 · Bash History
Mikhail Larin +1 · Sat Oct 17 · macos
Detection · informational · test

System Shutdown/Reboot - MacOS

Adversaries may shut down or reboot systems to interrupt access to, or aid in the destruction of, those systems.

macOS · Process Creation
TA0040 · Impact · T1529 · System Shutdown/Reboot
Igor Fits +2 · Mon Oct 19 · macos