Rule Library
Sigma Rules
6 rules found for "NVISO"
3,707 Total
3,116 Detection
451 Emerging
137 Hunting
Detection · medium · test
Failed Logon From Public IP
Detects a failed logon attempt from a public IP. A login from a public IP can indicate a misconfigured firewall or network boundary.
Windows · security
TA0004 · Privilege Escalation, TA0005 · Defense Evasion, TA0001 · Initial Access, TA0003 · Persistence, +3 more
NVISO · Wed May 06 · windows
Detection · high · test
Vulnerable Netlogon Secure Channel Connection Allowed
Detects that a vulnerable Netlogon secure channel connection was allowed, which could be an indicator of CVE-2020-1472.
Windows · system
TA0005 · Defense Evasion, TA0004 · Privilege Escalation, T1548 · Abuse Elevation Control Mechanism
NVISO · Tue Sep 15 · windows
Detection · high · test
Octopus Scanner Malware
Detects Octopus Scanner Malware.
Windows · File Event
TA0001 · Initial Access, T1195 · Supply Chain Compromise, T1195.001 · Compromise Software Dependencies and Development Tools
NVISO · Tue Jun 09 · windows
Detection · high · test
Potential Persistence Via Microsoft Office Add-In
Detects potential persistence activity via startup add-ins that load when Microsoft Office starts (.wll/.xll files are simply .dll files built for Word or Excel).
Windows · File Event
TA0003 · Persistence, T1137.006 · Add-ins
NVISO · Mon May 11 · windows
Detection · high · test
Fax Service DLL Search Order Hijack
The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.
Windows · Image Load (DLL)
TA0004 · Privilege Escalation, TA0003 · Persistence, TA0005 · Defense Evasion, T1574.001 · DLL Search Order Hijacking
NVISO · Mon May 04 · windows
Detection · high · test
WMImplant Hack Tool
Detects command-line parameters used by WMImplant.
Windows · PowerShell Script
TA0002 · Execution, T1047 · Windows Management Instrumentation, T1059.001 · PowerShell
NVISO · Thu Mar 26 · windows