Sigma Rules
22 rules found for "Oddvar Moe"
Exports Registry Key To an Alternate Data Stream
Exports the target Registry key and hides it in the specified alternate data stream.
DNS Query Request By Regsvr32.EXE
Detects DNS queries initiated by "Regsvr32.exe"
Network Connection Initiated By Regsvr32.EXE
Detects a network connection initiated by "Regsvr32.exe"
Suspicious Child Process Of BgInfo.EXE
Detects suspicious child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript
Uncommon Child Process Of BgInfo.EXE
Detects uncommon child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript
Potential CommandLine Path Traversal Via Cmd.EXE
Detects potential path traversal attempt via cmd.exe. Could indicate possible command/argument confusion/hijacking
Remote File Download Via Findstr.EXE
Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry.
Insensitive Subfolder Search Via Findstr.EXE
Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.
Computer Password Change Via Ksetup.EXE
Detects password change for the computer's domain account or host principal via "ksetup.exe"
Gpscript Execution
Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts configured in Group Policy
Execute Code with Pester.bat as Parent
Detects code execution via Pester.bat (Pester - PowerShell module for testing)
Execute Code with Pester.bat
Detects code execution via Pester.bat (Pester - PowerShell module for testing)
Abusing Print Executable
Attackers can use print.exe for remote file copy
Exports Critical Registry Keys To a File
Detects the export of a critical Registry key to a file.
Exports Registry Key To a File
Detects the export of the target Registry key to a file.
Imports Registry Key From a File
Detects the import of the specified file to the registry with regedit.exe.
Imports Registry Key From an ADS
Detects the import of an alternate data stream to the registry with regedit.exe.
Potential Credential Dumping Via LSASS SilentProcessExit Technique
Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process
CurrentVersion Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
Wow6432Node CurrentVersion Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
Potential Persistence Using DebugPath
Detects potential persistence using Appx DebugPath
Potential Persistence Via GlobalFlags
Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys