Sigma Rules
28 rules found for "Thomas Patzke"
Django Framework Exceptions
Detects suspicious Django web application framework exceptions that could indicate exploitation attempts
Python SQL Exceptions
Generic rule for SQL exceptions in Python according to PEP 249
Ruby on Rails Framework Exceptions
Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts
Spring Framework Exceptions
Detects suspicious Spring framework exceptions that could indicate exploitation attempts
RDP Login from Localhost
RDP login with localhost source address may be a tunnelled login
Successful Account Login Via WMI
Detects successful logon attempts performed with WMI
Failed Code Integrity Checks
Detects code integrity failures such as missing page hashes or corrupted drivers due to unauthorized modification. This could be a sign of tampered binaries.
WCE wceaux.dll Access
Detects wceaux.dll access during WCE pass-the-hash remote command execution on the source host
Potential Secure Deletion with SDelete
Detects files that have extensions commonly seen while SDelete is used to wipe files.
A New Trust Was Created To A Domain
Addition of domain trusts is rare and should be verified for legitimacy.
Addition of SID History to Active Directory Object
An attacker can use the SID history attribute to gain additional privileges.
Password Change on Directory Service Restore Mode (DSRM) Account
Detects potential attempts made to set the Directory Services Restore Mode administrator password. The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password in order to obtain persistence.
PsExec Service Installation
Detects PsExec service installation and execution events
HackTool - CACTUSTORCH Remote Thread Creation
Detects remote thread creation from CACTUSTORCH as described in references.
Password Dumper Remote Thread in LSASS
Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events.
Suspicious DNS Query for IP Lookup Service APIs
Detects DNS queries for IP lookup services such as "api.ipify.org" originating from a non-browser process.
ADExplorer Writing Complete AD Snapshot Into .dat File
Detects the dual-use tool ADExplorer writing a complete AD snapshot into a .dat file. This can be used by attackers to extract data for BloodHound, usernames for password spraying, or metadata for social engineering. The snapshot doesn't contain password hashes, but there have been cases where administrators put passwords in the comment field.
PsExec Service File Creation
Detects default PsExec service filename which indicates PsExec service installation and execution
WMI Persistence - Script Event Consumer File Write
Detects file writes of WMI script event consumer
WMI Persistence - Command Line Event Consumer
Detects WMI command line event consumers
Potentially Suspicious GrantedAccess Flags On LSASS
Detects process access requests to LSASS process with potentially suspicious access flags
HackTool - CrackMapExec Execution Patterns
Detects various execution patterns of the CrackMapExec pentesting framework
HackTool - CrackMapExec PowerShell Obfuscation
The CrackMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.
Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)
Suspicious Spool Service Child Process
Detects suspicious print spool service (spoolsv.exe) child processes.
PsExec Service Execution
Detects launch of the PSEXESVC service, which means that this system was the target of a PsExec remote execution
Suspicious Process By Web Server Process
Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation
WMI Persistence - Script Event Consumer
Detects WMI script event consumers