Rule Library
Sigma Rules
4 rules found for "Scoubi"
3,707 Total
3,116 Detection
451 Emerging
137 Hunting
Detection | medium | test
New Outlook Macro Created
Detects the creation of a macro file for Outlook.
Windows | File Event
TA0004 · Privilege Escalation | TA0003 · Persistence | TA0011 · Command and Control | T1137 · Office Application Startup | +2
@scoubimtl | Mon Apr 05 | windows
Detection | medium | test
Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream
Detects the creation of a hidden file or folder with the "::$index_allocation" stream, which can be used as a technique to prevent access to folders and files from tooling such as "explorer.exe" and "powershell.exe".
Windows | File Event
TA0005 · Defense Evasion | T1564.004 · NTFS File Attributes
Scoubi | Mon Oct 09 | windows
Detection | medium | test
Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI
Detects a command line containing a reference to the "::$index_allocation" stream, which can be used as a technique to prevent access to folders or files from tooling such as "explorer.exe" or "powershell.exe".
Windows | Process Creation
TA0005 · Defense Evasion | T1564.004 · NTFS File Attributes
Nasreddine Bencherchali (Nextron Systems) +1 | Mon Oct 09 | windows
Detection | high | test
Outlook Macro Execution Without Warning Setting Enabled
Detects the modification of the Outlook security setting to allow unprompted execution of macros.
Windows | Registry Set
TA0004 · Privilege Escalation | TA0003 · Persistence | TA0011 · Command and Control | T1137 · Office Application Startup | +2
@scoubimtl | Mon Apr 05 | windows