Phoenix
Sigma IntelligenceBeta
Rule Library

Sigma Rules

4 rules found for "Sai Prashanth Pulisetti"

3,707Total
3,116Detection
451Emerging
137Hunting
Detectionmediumtest

Nslookup PowerShell Download Cradle

Detects a powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records.

WindowsPowerShell Classic
TA0002 · ExecutionT1059.001 · PowerShell
Sai Prashanth Pulisetti+1Sat Dec 10windows
Detectionmediumtest

HackTool - Impersonate Execution

Detects execution of the Impersonate tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively

WindowsProcess Creation
TA0004 · Privilege EscalationTA0005 · Defense EvasionT1134.001 · Token Impersonation/TheftT1134.003 · Make and Impersonate Token
Sai Prashanth PulisettiWed Dec 21windows
Detectionhightest

HackTool - SharpImpersonation Execution

Detects execution of the SharpImpersonation tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively

WindowsProcess Creation
TA0004 · Privilege EscalationTA0005 · Defense EvasionT1134.001 · Token Impersonation/TheftT1134.003 · Make and Impersonate Token
Sai Prashanth Pulisetti+1Tue Dec 27windows
Detectionmediumtest

Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate

Detects the execution of an AnyDesk binary with a version prior to 8.0.8. Prior to version 8.0.8, the Anydesk application used a signing certificate that got compromised by threat actors. Use this rule to detect instances of older versions of Anydesk using the compromised certificate This is recommended in order to avoid attackers leveraging the certificate and signing their binaries to bypass detections.

WindowsProcess Creation
TA0002 · ExecutionTA0001 · Initial Access
Sai Prashanth Pulisetti+1Thu Feb 08windows