Rule Library

Sigma Rules

4 rules found for "Stephen Lincoln (AttackIQ)"

3,707Total
3,116Detection
451Emerging
137Hunting
Detectionmediumtest

System Information Discovery Using System_Profiler

Detects the execution of "system_profiler" with specific "Data Types" that have been seen being used by threat actors and malware. It provides system hardware and software configuration information. This process is primarily used for system information discovery. However, "system_profiler" can also be used to determine if virtualization software is being run for defense evasion purposes.

macOSProcess Creation
TA0007 · DiscoveryTA0005 · Defense EvasionT1082 · System Information DiscoveryT1497.001 · System Checks
Stephen Lincoln (AttackIQ)Tue Jan 02macos
Detectionmediumtest

Potentially Suspicious Desktop Background Change Using Reg.EXE

Detects the execution of "reg.exe" to alter registry keys that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image.

WindowsProcess Creation
TA0003 · PersistenceTA0005 · Defense EvasionTA0040 · ImpactT1112 · Modify Registry+1
Stephen Lincoln (AttackIQ)Thu Dec 21windows
Detectionmediumtest

System Disk And Volume Reconnaissance Via Wmic.EXE

An adversary might use WMI to discover information about the system, such as the volume name, size, free space, and other disk information. This can be done using the 'wmic' command-line utility and has been observed being used by threat actors such as Volt Typhoon.

WindowsProcess Creation
TA0002 · ExecutionTA0007 · DiscoveryT1047 · Windows Management InstrumentationT1082 · System Information Discovery
Stephen Lincoln (AttackIQ)Fri Feb 02windows
Detectionmediumtest

Potentially Suspicious Desktop Background Change Via Registry

Detects registry value settings that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image.

WindowsRegistry Set
TA0003 · PersistenceTA0005 · Defense EvasionTA0040 · ImpactT1112 · Modify Registry+1
Nasreddine Bencherchali (Nextron Systems)+1Thu Dec 21windows