Sigma Rules
13 rules found for "Sander Wiebing"
Exports Registry Key To an Alternate Data Stream
Exports the target Registry key and hides it in the specified alternate data stream.
Files With System Process Name In Unsuspected Locations
Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.). It is highly recommended to perform an initial baseline before using this rule in production.
New Firewall Rule Added Via Netsh.EXE
Detects the addition of a new rule to the Windows firewall via netsh
Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE
Detects Netsh command execution that whitelists a program located in a suspicious location in the Windows Firewall
RDP Connection Allowed Via Netsh.EXE
Detects usage of the netsh command to open and allow connections to port 3389 (RDP). As seen used by Sarwent Malware
Exports Critical Registry Keys To a File
Detects the export of a crital Registry key to a file.
Exports Registry Key To a File
Detects the export of the target Registry key to a file.
Imports Registry Key From a File
Detects the import of the specified file to the registry with regedit.exe.
Imports Registry Key From an ADS
Detects the import of a alternate datastream to the registry with regedit.exe.
Suspicious Registry Modification From ADS Via Regini.EXE
Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.
Registry Modification Via Regini.EXE
Detects the execution of regini.exe which can be used to modify registry keys, the changes are imported from one or more text files.
Suspicious File Characteristics Due to Missing Fields
Detects Executables in the Downloads folder without FileVersion,Description,Product,Company likely created with py2exe
New RUN Key Pointing to Suspicious Folder
Detects suspicious new RUN key element pointing to an executable in a suspicious folder