Rule Library
Sigma Rules
6 rules found for "Tom Ueltschi"
3,707 Total
3,116 Detection
451 Emerging
137 Hunting
Detection · high · test
Adwind RAT / JRAT File Artifact
Detects javaw.exe in AppData folder as used by Adwind / JRAT
Windows · File Event
TA0002 · Execution | T1059.005 · Visual Basic | T1059.007 · JavaScript
Florian Roth (Nextron Systems) +3 · Fri Nov 10 · windows
Detection · medium · test
Potentially Suspicious GrantedAccess Flags On LSASS
Detects process access requests to LSASS process with potentially suspicious access flags
Windows · Process Access
TA0006 · Credential Access | T1003.001 · LSASS Memory | S0002 · Mimikatz
Florian Roth (Nextron Systems) +9 · Mon Nov 22 · windows
Detection · high · test
Potential Persistence Via Logon Scripts - CommandLine
Detects the addition of a new LogonScript to the registry value "UserInitMprLogonScript" for potential persistence
Windows · Process Creation
TA0004 · Privilege Escalation | TA0003 · Persistence | T1037.001 · Logon Script (Windows)
Tom Ueltschi · Sat Jan 12 · windows
Detection · high · test
Uncommon Userinit Child Process
Detects uncommon "userinit.exe" child processes, which could be a sign of uncommon shells or login scripts used for persistence.
Windows · Process Creation
TA0004 · Privilege Escalation | T1037.001 · Logon Script (Windows) | TA0003 · Persistence
Tom Ueltschi +1 · Sat Jan 12 · windows
Detection · medium · test
Potential Persistence Via Logon Scripts - Registry
Detects creation of "UserInitMprLogonScript" registry value which can be used as a persistence method by malicious actors
Windows · Registry Set
TA0004 · Privilege Escalation | T1037.001 · Logon Script (Windows) | TA0003 · Persistence | TA0008 · Lateral Movement
Tom Ueltschi · Sat Jan 12 · windows
Detection · medium · test
WMI Event Subscription
Detects creation of WMI event subscription persistence method
Windows · WMI Event
TA0004 · Privilege Escalation | TA0003 · Persistence | T1546.003 · Windows Management Instrumentation Event Subscription
Tom Ueltschi · Sat Jan 12 · windows