Rule Library
Sigma Rules
5 rules found for "Tony Lambert"
3,707 Total
3,116 Detection
451 Emerging
137 Hunting
Detection · high · test
Modification of ld.so.preload
Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.
Linux · auditd
TA0004 · Privilege Escalation, TA0003 · Persistence, TA0005 · Defense Evasion, T1574.006 · Dynamic Linker Hijacking
E.M. Anhaus (originally from Atomic Blue Detections) +2 · Thu Oct 24 · linux
Detection · medium · test
Domain Trust Discovery Via Dsquery
Detects execution of "dsquery.exe" for domain trust discovery
Windows · Process Creation
TA0007 · Discovery, T1482 · Domain Trust Discovery
E.M. Anhaus +3 · Thu Oct 24 · windows
Detection · high · test
LSASS Dump Keyword In CommandLine
Detects the presence of the keywords "lsass" and ".dmp" in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process.
Windows · Process Creation
TA0006 · Credential Access, T1003.001 · LSASS Memory
E.M. Anhaus +3 · Thu Oct 24 · windows
Detection · high · test
Bypass UAC via Fodhelper.exe
Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
Windows · Process Creation
TA0005 · Defense Evasion, TA0004 · Privilege Escalation, T1548.002 · Bypass User Account Control
E.M. Anhaus (originally from Atomic Blue Detections) +2 · Thu Oct 24 · windows
Detection · high · test
Bypass UAC via WSReset.exe
Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.
Windows · Process Creation
TA0004 · Privilege Escalation, TA0005 · Defense Evasion, T1548.002 · Bypass User Account Control
E.M. Anhaus (originally from Atomic Blue Detections) +3 · Thu Oct 24 · windows