Sigma Rules
7 rules found for "TheDFIRReport"
Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC
Detects the execution of the commonly used ZeroLogon PoC executable.
CVE-2021-44077 POC Default Dropped File
Detects the creation of "msiexec.exe" in the "bin" directory of ManageEngine SupportCenter Plus (related to CVE-2021-44077), for which a public POC is available (see the references section).
Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon
Detects potential initial exploitation attempts against VMware Horizon deployments running a vulnerable version of Log4j.
Potential Bumblebee Remote Thread Creation
Detects remote thread injection events based on actions observed in use by Bumblebee.
IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32
Detects RunDLL32.exe executing a single-digit DLL named "1.dll" with the export function "DllRegisterServer". This behaviour has often been seen used by malware, especially IcedID.
Potential CSharp Streamer RAT Loading .NET Executable Image
Detects the potential loading of a .NET executable image by the CSharp Streamer RAT, based on the default file name and path associated with the tool.
Grixba Malware Reconnaissance Activity
Detects execution of the Grixba reconnaissance tool based on suspicious command-line parameter combinations. This tool is used by the Play ransomware group for network enumeration, data gathering, and event log clearing.