Sigma Rules
6 rules found for "Omar Khaled"
Hidden Flag Set On File/Directory Via Chflags - MacOS
Detects the execution of the "chflags" utility with the "hidden" flag, in order to hide files on MacOS. When a file or directory has this hidden flag set, it becomes invisible to the default file listing commands and in graphical file browsers.
Disk Image Creation Via Hdiutil - MacOS
Detects the execution of the hdiutil utility in order to create a disk image.
Disk Image Mounting Via Hdiutil - MacOS
Detects the execution of the hdiutil utility in order to mount disk images.
DNS Query To Put.io - DNS Client
Detects DNS queries for subdomains related to "Put.io" sharing website.
Data Export From MSSQL Table Via BCP.EXE
Detects the execution of the BCP utility in order to export data from the database. Attackers were seen saving their malware to a database column or table and then later extracting it via "bcp.exe" into a file.
Driver Added To Disallowed Images In HVCI - Registry
Detects changes to the "HVCIDisallowedImages" registry value to potentially add a driver to the list, in order to prevent it from loading.