Rule Library

Sigma Rules

10 rules found for "Tom Ueltschi"

3,707Total

3,116Detection

451Emerging

137Hunting

Filters

Type

Severity

Status

Product

Category

Detectionhightest

Adwind RAT / JRAT File Artifact

Detects javaw.exe in AppData folder as used by Adwind / JRAT

WindowsFile Event

TA0002 · ExecutionT1059.005 · Visual BasicT1059.007 · JavaScript

Florian Roth (Nextron Systems)+3Fri Nov 10windows

Detectionmediumtest

Potentially Suspicious GrantedAccess Flags On LSASS

Detects process access requests to LSASS process with potentially suspicious access flags

WindowsProcess Access

TA0006 · Credential AccessT1003.001 · LSASS MemoryS0002 · Mimikatz

Florian Roth (Nextron Systems)+9Mon Nov 22windows

Detectionhightest

Potential Persistence Via Logon Scripts - CommandLine

Detects the addition of a new LogonScript to the registry value "UserInitMprLogonScript" for potential persistence

WindowsProcess Creation

TA0004 · Privilege EscalationTA0003 · PersistenceT1037.001 · Logon Script (Windows)

Tom UeltschiSat Jan 12windows

Detectionhightest

Uncommon Userinit Child Process

Detects uncommon "userinit.exe" child processes, which could be a sign of uncommon shells or login scripts used for persistence.

WindowsProcess Creation

TA0004 · Privilege EscalationT1037.001 · Logon Script (Windows)TA0003 · Persistence

Tom Ueltschi+1Sat Jan 12windows

Detectionmediumtest

Potential Persistence Via Logon Scripts - Registry

Detects creation of "UserInitMprLogonScript" registry value which can be used as a persistence method by malicious actors

WindowsRegistry Set

TA0004 · Privilege EscalationT1037.001 · Logon Script (Windows)TA0003 · PersistenceTA0008 · Lateral Movement

Tom UeltschiSat Jan 12windows

Detectionmediumtest

WMI Event Subscription

Detects creation of WMI event subscription persistence method

WindowsWMI Event

TA0004 · Privilege EscalationTA0003 · PersistenceT1546.003 · Windows Management Instrumentation Event Subscription

Tom UeltschiSat Jan 12windows

Emerging Threathightest

Adwind RAT / JRAT

Detects javaw.exe in AppData folder as used by Adwind / JRAT

WindowsProcess Creation

TA0002 · ExecutionT1059.005 · Visual BasicT1059.007 · JavaScriptdetection.emerging-threats

Florian Roth (Nextron Systems)+3Fri Nov 102017

Emerging Threatcriticaltest

NotPetya Ransomware Activity

Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and Windows eventlogs are cleared using wevtutil

WindowsProcess Creation

TA0005 · Defense EvasionT1218.011 · Rundll32T1070.001 · Clear Windows Event LogsTA0006 · Credential Access+3

Florian Roth (Nextron Systems)+1Wed Jan 162017

Threat Huntmediumtest

LSASS Access From Program In Potentially Suspicious Folder

Detects process access to LSASS memory with suspicious access flags and from a potentially suspicious folder

WindowsProcess Access

TA0006 · Credential AccessT1003.001 · LSASS MemoryS0002 · Mimikatzdetection.threat-hunting

Florian Roth (Nextron Systems)Sat Nov 27windows

Threat Huntmediumtest

Uncommon GrantedAccess Flags On LSASS

Detects process access to LSASS memory with uncommon access flags 0x410 and 0x01410

WindowsProcess Access

TA0006 · Credential AccessT1003.001 · LSASS MemoryS0002 · Mimikatzdetection.threat-hunting

Florian Roth (Nextron Systems)Sun Mar 13windows