Rule Library

Sigma Rules

4 rules found for "Swisscom"

3,707Total

3,116Detection

451Emerging

137Hunting

Filters

Type

Severity

Status

Product

MMC Spawning Windows Shell

Detects a Windows command line executable started from MMC

WindowsProcess Creation

TA0008 · Lateral MovementT1021.003 · Distributed Component Object Model

Karneades+1Mon Aug 05windows

Detectionhightest

MSHTA Execution with Suspicious File Extensions

Detects execution of mshta.exe with file types that looks like they do not typically represent HTA (HTML Application) content, such as .png, .jpg, .zip, .pdf, and others, which are often polyglots. MSHTA is a legitimate Windows utility for executing HTML Applications containing VBScript or JScript. Threat actors often abuse this lolbin utility to download and execute malicious scripts disguised as benign files or hosted under misleading extensions to evade detection.

WindowsProcess Creation

TA0005 · Defense EvasionT1140 · Deobfuscate/Decode Files or InformationT1218.005 · MshtaTA0002 · Execution+2

Diego Perez+3Fri Feb 22windows

Detectionhightest

Renamed Jusched.EXE Execution

Detects the execution of a renamed "jusched.exe" as seen used by the cobalt group

WindowsProcess Creation

TA0002 · ExecutionTA0005 · Defense EvasionT1036.003 · Rename System Utilities

Markus Neis+1Tue Jun 04windows

Detectionhightest

Potential Renamed Rundll32 Execution

Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. This could mean that the 'rundll32' utility has been renamed in order to avoid detection

WindowsProcess Creation

TA0002 · Execution

Nasreddine Bencherchali (Nextron Systems)Mon Aug 22windows