Rule Library

Sigma Rules

6 rules found for "Wojciech Lesicki"

3,707Total
3,116Detection
451Emerging
137Hunting
Detectionhightest

CobaltStrike Service Installations - Security

Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement

Windowssecurity
TA0003 · PersistenceTA0002 · ExecutionTA0004 · Privilege EscalationTA0008 · Lateral Movement+3
Florian Roth (Nextron Systems)+1Wed May 26windows
Detectioncriticaltest

CobaltStrike Service Installations - System

Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement

Windowssystem
TA0003 · PersistenceTA0002 · ExecutionTA0004 · Privilege EscalationTA0008 · Lateral Movement+3
Florian Roth (Nextron Systems)+1Wed May 26windows
Detectionhightest

Suspicious DotNET CLR Usage Log Artifact

Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context.

WindowsFile Event
TA0005 · Defense EvasionT1218 · System Binary Proxy Execution
François Hubaut+3Fri Nov 18windows
Detectioncriticaltest

CobaltStrike Named Pipe

Detects the creation of a named pipe as used by CobaltStrike

WindowsNamed Pipe Created
TA0005 · Defense EvasionTA0004 · Privilege EscalationT1055 · Process Injection
Florian Roth (Nextron Systems)+1Tue May 25windows
Detectionhightest

CobaltStrike Load by Rundll32

Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line.

WindowsProcess Creation
TA0005 · Defense EvasionT1218.011 · Rundll32
Wojciech LesickiTue Jun 01windows
Detectionhightest

Potential CobaltStrike Service Installations - Registry

Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.

WindowsRegistry Set
TA0003 · PersistenceTA0002 · ExecutionTA0004 · Privilege EscalationTA0008 · Lateral Movement+3
Wojciech LesickiTue Jun 29windows