Rule Library

Sigma Rules

8 rules found for "Zach Mathis"

3,707Total

3,116Detection

451Emerging

137Hunting

Filters

Type

Severity

Status

Product

Audit CVE Event

Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited. MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability. Unfortunately, that is about the only instance of CVEs being written to this log.

Windowsapplication

TA0002 · ExecutionT1203 · Exploitation for Client ExecutionTA0004 · Privilege EscalationT1068 · Exploitation for Privilege Escalation+8

Florian Roth (Nextron Systems)+1Wed Jan 15windows

Detectionmediumtest

Certificate Private Key Acquired

Detects when an application acquires a certificate private key

Windowscapi2

TA0006 · Credential AccessT1649 · Steal or Forge Authentication Certificates

Zach MathisSat May 13windows

Detectionmediumtest

Certificate Exported From Local Certificate Store

Detects when an application exports a certificate (and potentially the private key as well) from the local Windows certificate store.

Windowscertificateservicesclient-lifecycle-system

TA0006 · Credential AccessT1649 · Steal or Forge Authentication Certificates

Zach MathisSat May 13windows

Detectionmediumtest

Failed DNS Zone Transfer

Detects when a DNS zone transfer failed.

Windowsdns-server

TA0043 · ReconnaissanceT1590.002 · DNS

Zach MathisWed May 24windows

Detectionmediumtest

Potential Access Token Abuse

Detects potential token impersonation and theft. Example, when using "DuplicateToken(Ex)" and "ImpersonateLoggedOnUser" with the "LOGON32_LOGON_NEW_CREDENTIALS flag".

Windowssecurity

TA0005 · Defense EvasionTA0004 · Privilege EscalationT1134.001 · Token Impersonation/Theftstp.4u

Michaela Adams+1Sun Nov 06windows

Detectionmediumtest