Rule Library
Sigma Rules
4 rules found for "Perez Diego"
Library totals: 3,707 Total · 3,116 Detection · 451 Emerging · 137 Hunting

[Detection · level: high · status: test]
Rare Remote Thread Creation By Uncommon Source Image
Detects uncommon processes creating remote threads.
Log source: Windows · Remote Thread Creation
ATT&CK: TA0004 · Privilege Escalation; TA0005 · Defense Evasion; T1055 · Process Injection
Authors: Perez Diego +1 · Modified: Sun Oct 27 · Tags: windows

[Detection · level: medium · status: test]
Remote Thread Creation By Uncommon Source Image
Detects uncommon processes creating remote threads.
Log source: Windows · Remote Thread Creation
ATT&CK: TA0004 · Privilege Escalation; TA0005 · Defense Evasion; T1055 · Process Injection
Authors: Perez Diego +1 · Modified: Sun Oct 27 · Tags: windows

[Detection · level: high · status: test]
Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded
Detects the load of the dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecraft use the MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, the SilentTrynity C2 framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.
Log source: Windows · Image Load (DLL)
ATT&CK: TA0006 · Credential Access; T1003.001 · LSASS Memory
Authors: Perez Diego +2 · Modified: Sun Oct 27 · Tags: windows

[Detection · level: medium · status: test]
Potential Suspicious PowerShell Keywords
Detects potentially suspicious keywords that could indicate the use of a PowerShell exploitation framework.
Log source: Windows · PowerShell Script
ATT&CK: TA0002 · Execution; T1059.001 · PowerShell
Authors: Florian Roth (Nextron Systems) +2 · Modified: Mon Feb 11 · Tags: windows