Rule Library

Sigma Rules

9 rules found for "Natalia Shornikova"

3,707Total
3,116Detection
451Emerging
137Hunting
Detectionhightest

PowerShell Scripts Installed as Services - Security

Detects powershell script installed as a Service

Windowssecurity
TA0002 · ExecutionT1569.002 · Service Execution
oscd.community+1Tue Oct 06windows
Detectionhightest

PowerShell Scripts Installed as Services

Detects powershell script installed as a Service

Windowssystem
TA0002 · ExecutionT1569.002 · Service Execution
oscd.community+1Tue Oct 06windows
Detectionhightest

Potential Credential Dumping Attempt Via PowerShell Remote Thread

Detects remote thread creation by PowerShell processes into "lsass.exe"

WindowsRemote Thread Creation
TA0006 · Credential AccessT1003.001 · LSASS Memory
oscd.community+1Tue Oct 06windows
Detectionmediumtest

PowerShell Core DLL Loaded By Non PowerShell Process

Detects loading of essential DLLs used by PowerShell by non-PowerShell process. Detects behavior similar to meterpreter's "load powershell" extension.

WindowsImage Load (DLL)
T1059.001 · PowerShellTA0002 · Execution
Tom Kern+5Thu Nov 14windows
Detectionhightest

Potential Manage-bde.wsf Abuse To Proxy Execution

Detects potential abuse of the "manage-bde.wsf" script as a LOLBIN to proxy execution

WindowsProcess Creation
TA0005 · Defense EvasionT1216 · System Script Proxy Execution
oscd.community+2Tue Oct 13windows
Detectionmediumtest

Potential Process Execution Proxy Via CL_Invocation.ps1

Detects calls to "SyncInvoke" that is part of the "CL_Invocation.ps1" script to proxy execution using "System.Diagnostics.Process"

WindowsProcess Creation
TA0005 · Defense EvasionT1216 · System Script Proxy Execution
Nasreddine Bencherchali (Nextron Systems)+2Wed Oct 14windows
Detectionmediumtest

Potential Script Proxy Execution Via CL_Mutexverifiers.ps1

Detects the use of the Microsoft signed script "CL_mutexverifiers" to proxy the execution of additional PowerShell script commands

WindowsProcess Creation
TA0005 · Defense EvasionT1216 · System Script Proxy Execution
Nasreddine Bencherchali (Nextron Systems)+3Sat May 21windows
Detectionhightest

PowerShell as a Service in Registry

Detects that a powershell code is written to the registry as a service.

WindowsRegistry Set
TA0002 · ExecutionT1569.002 · Service Execution
oscd.community+1Tue Oct 06windows
Detectionhightest

Execution DLL of Choice Using WAB.EXE

This rule detects that the path to the DLL written in the registry is different from the default one. Launched WAB.exe tries to load the DLL from Registry.

WindowsRegistry Set
TA0005 · Defense EvasionT1218 · System Binary Proxy Execution
oscd.community+1Tue Oct 13windows