Rule Library
Sigma Rules
4 rules found for "Tuan Le (NCSGroup)"
3,707 Total
3,116 Detection
451 Emerging
137 Hunting
Detection · medium · test
Group Has Been Deleted Via Groupdel
Detects execution of the "groupdel" binary, which is used to delete a group. This is sometimes abused by threat actors in order to cover their tracks.
Linux · Process Creation
TA0040 · Impact · T1531 · Account Access Removal
Tuan Le (NCSGroup) · Mon Dec 26 · linux
Detection · low · test
Linux Package Uninstall
Detects Linux package removal using built-in tools such as "yum", "apt", "apt-get" or "dpkg".
Linux · Process Creation
TA0005 · Defense Evasion · T1070 · Indicator Removal
Tuan Le (NCSGroup) +1 · Thu Mar 09 · linux
Detection · medium · test
User Has Been Deleted Via Userdel
Detects execution of the "userdel" binary, which is used to delete a user account and related files. This is sometimes abused by threat actors in order to cover their tracks.
Linux · Process Creation
TA0040 · Impact · T1531 · Account Access Removal
Tuan Le (NCSGroup) · Mon Dec 26 · linux
Detection · medium · test
Potential Suspicious PowerShell Keywords
Detects potentially suspicious keywords that could indicate the use of a PowerShell exploitation framework
Windows · PowerShell Script
TA0002 · Execution · T1059.001 · PowerShell
Florian Roth (Nextron Systems) +2 · Mon Feb 11 · windows