Rule Library
Sigma Rules
5 rules found for "Trent Liffick"
3,707 Total
3,116 Detection
451 Emerging
137 Hunting
Detection, medium, test
Findstr Launching .lnk File
Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack
Windows, Process Creation
TA0005 · Defense Evasion, T1036 · Masquerading, T1202 · Indirect Command Execution, T1027.003 · Steganography
Trent Liffick, Fri May 01, windows
Detection, critical, test
Registry Entries For Azorult Malware
Detects the presence of a registry key created during Azorult execution
Windows, Registry Event
TA0005 · Defense Evasion, TA0003 · Persistence, TA0002 · Execution, T1112 · Modify Registry
Trent Liffick, Fri May 08, windows
Detection, medium, test
Windows Registry Trust Record Modification
Alerts on trust record modification within the registry, indicating usage of macros
Windows, Registry Event
TA0001 · Initial Access, T1566.001 · Spearphishing Attachment
Antonlovesdnb +1, Wed Feb 19, windows
Detection, high, test
Trust Access Disable For VBApplications
Detects registry changes to Microsoft Office "AccessVBOM" to a value of "1" which disables trust access for VBA on the victim machine and lets attackers execute malicious macros without any Microsoft Office warnings.
Windows, Registry Set
TA0003 · Persistence, TA0005 · Defense Evasion, T1112 · Modify Registry
Trent Liffick +1, Fri May 22, windows
Detection, high, test
Office Macros Warning Disabled
Detects registry changes to Microsoft Office "VBAWarning" to a value of "1" which enables the execution of all macros, whether signed or unsigned.
Windows, Registry Set
TA0003 · Persistence, TA0005 · Defense Evasion, T1112 · Modify Registry
Trent Liffick +1, Fri May 22, windows