Sigma Rules
21 rules found for "SCYTHE"
Potential Bucket Enumeration on AWS
Looks for potential enumeration of AWS buckets via ListBuckets.
Nohup Execution
Detects usage of nohup which could be leveraged by an attacker to keep a process running or break out from restricted environments
Chmod Suspicious Directory
Detects chmod targeting files in abnormal directory paths.
SCR File Write Event
Detects the creation of screensaver files (.scr) outside of system folders. Attackers may execute an application as an ".SCR" file using "rundll32.exe desk.cpl,InstallScreenSaver" for example.
Potential Startup Shortcut Persistence Via PowerShell.EXE
Detects PowerShell writing startup shortcuts. This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence. Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats. In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL"
VHD Image Download Via Browser
Detects creation of ".vhd"/".vhdx" files by browser processes. Malware can use mountable Virtual Hard Disk ".vhd" files to encapsulate payloads and evade security controls.
Office Application Initiated Network Connection To Non-Local IP
Detects an office application (Word, Excel, PowerPoint) that initiate a network connection to a non-private IP addresses. This rule aims to detect traffic similar to one seen exploited in CVE-2021-42292. This rule will require an initial baseline and tuning that is specific to your organization.
Outbound Network Connection To Public IP Via Winlogon
Detects a "winlogon.exe" process that initiate network communications with public IP addresses
Use of FSharp Interpreters
Detects the execution of FSharp Interpreters "FsiAnyCpu.exe" and "FSi.exe" Both can be used for AWL bypass and to execute F# code via scripts or inline.
Fsutil Drive Enumeration
Attackers may leverage fsutil to enumerated connected drives.
Use of Remote.exe
Remote.exe is part of WinDbg in the Windows SDK and can be used for AWL bypass and running remote files.
Use of VisualUiaVerifyNative.exe
VisualUiaVerifyNative.exe is a Windows SDK that can be used for AWL bypass and is listed in Microsoft's recommended block rules.
Use of Wfc.exe
The Workflow Command-line Compiler can be used for AWL bypass and is listed in Microsoft's recommended block rules.
Firewall Configuration Discovery Via Netsh.EXE
Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
Suspicious Microsoft Office Child Process
Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)
System Language Discovery via Reg.Exe
Detects the usage of Reg.Exe to query system language settings. Attackers may discover the system language to determine the geographic location of victims, customize payloads for specific regions, or avoid targeting certain locales to evade detection.
Rundll32 InstallScreenSaver Execution
An attacker may execute an application as a SCR File using rundll32.exe desk.cpl,InstallScreenSaver
LOLBIN Execution From Abnormal Drive
Detects LOLBINs executing from an abnormal or uncommon drive such as a mounted ISO.
Suspicious Network Command
Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
Potential Process Hollowing Activity
Detects when a memory process image does not match the disk image, indicative of process hollowing.
Scripted Diagnostics Turn Off Check Enabled - Registry
Detects enabling TurnOffCheck which can be used to bypass defense of MSDT Follina vulnerability