Rule Library
Sigma Rules
3 rules found for "Sami Ruohonen"
3,707 Total
3,116 Detection
451 Emerging
137 Hunting
Detection | high | test
NTFS Alternate Data Stream
Detects writing data into NTFS alternate data streams from PowerShell. Needs Script Block Logging.
Windows | PowerShell Script
TA0005 · Defense Evasion | T1564.004 · NTFS File Attributes | TA0002 · Execution | T1059.001 · PowerShell
Sami Ruohonen | Tue Jul 24 | windows
Detection | medium | test
Hiding Files with Attrib.exe
Detects usage of attrib.exe to hide files from users.
Windows | Process Creation
TA0005 · Defense Evasion | T1564.001 · Hidden Files and Directories
Sami Ruohonen | Wed Jan 16 | windows
Detection | medium | test
Suspicious XOR Encoded PowerShell Command
Detects the presence of a potentially XOR-encoded PowerShell command.
Windows | Process Creation
TA0005 · Defense Evasion | TA0002 · Execution | T1059.001 · PowerShell | T1140 · Deobfuscate/Decode Files or Information | +1
Sami Ruohonen +6 | Wed Sep 05 | windows