Rule Library

Sigma Rules

4 rules found for "TropChaud"

3,707Total

3,116Detection

451Emerging

137Hunting

Filters

Type

Severity

Status

Product

Windows Default Domain GPO Modification via GPME

Detects the use of the Group Policy Management Editor (GPME) to modify Default Domain or Default Domain Controllers Group Policy Objects (GPOs). Adversaries may leverage GPME to make stealthy changes in these default GPOs to deploy malicious GPOs configurations across the domain without raising suspicion.

WindowsProcess Creation

TA0005 · Defense EvasionTA0004 · Privilege EscalationT1484.001 · Group Policy Modification

TropChaudSat Nov 22windows

Detectionhightest

SQLite Chromium Profile Data DB Access

Detect usage of the "sqlite" binary to query databases in Chromium-based browsers for potential data stealing.

WindowsProcess Creation

TA0006 · Credential AccessT1539 · Steal Web Session CookieT1555.003 · Credentials from Web BrowsersTA0009 · Collection+1

TropChaudMon Dec 19windows

Detectionmediumtest

Uncommon System Information Discovery Via Wmic.EXE

Detects the use of the WMI command-line (WMIC) utility to identify and display various system information, including OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS, and GPU driver products/versions. Some of these commands were used by Aurora Stealer in late 2022/early 2023.

WindowsProcess Creation

TA0007 · DiscoveryT1082 · System Information Discovery

TropChaudThu Jan 26windows

Emerging Threatmediumtest

Rhadamanthys Stealer Module Launch Via Rundll32.EXE

Detects the use of Rundll32 to launch an NSIS module that serves as the main stealer capability of Rhadamanthys infostealer, as observed in reports and samples in early 2023

WindowsProcess Creation

TA0005 · Defense EvasionT1218.011 · Rundll32detection.emerging-threats

TropChaudThu Jan 262023