Rule Library
Sigma Rules
5 rules found for "Olaf Hartong"
3,707Total
3,116Detection
451Emerging
137Hunting
Detectionhightest
HackTool - Potential CobaltStrike Process Injection
Detects a potential remote threat creation with certain characteristics which are typical for Cobalt Strike beacons
WindowsRemote Thread Creation
TA0004 · Privilege EscalationTA0005 · Defense EvasionT1055.001 · Dynamic-link Library Injection
Olaf Hartong+3Fri Nov 30windows
Detectionhightest
Suspicious DotNET CLR Usage Log Artifact
Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context.
WindowsFile Event
TA0005 · Defense EvasionT1218 · System Binary Proxy Execution
François Hubaut+3Fri Nov 18windows
Detectionhightest
Sysmon Blocked Executable
Triggers on any Sysmon "FileBlockExecutable" event, which indicates a violation of the configured block policy
Windowssysmon
TA0005 · Defense Evasion
Nasreddine Bencherchali (Nextron Systems)Tue Aug 16windows
Detectionmediumtest
Sysmon File Executable Creation Detected
Triggers on any Sysmon "FileExecutableDetected" event, which triggers every time a PE that is monitored by the config is created.
Windowssysmon
TA0005 · Defense Evasion
François HubautThu Jul 20windows
Emerging Threathightest
Potential BearLPE Exploitation
Detects potential exploitation of the BearLPE exploit using Task Scheduler ".job" import arbitrary DACL write\par
WindowsProcess Creation
TA0003 · PersistenceTA0002 · ExecutionTA0004 · Privilege EscalationT1053.005 · Scheduled Task+2
Olaf HartongWed May 222019