Sigma Rules
91 rules found for "attack.T1036"
Creation Of Pod In System Namespace
Detects deployments of pods within the kube-system namespace, which could be intended to imitate system pods. System pods, created by controllers such as Deployments or DaemonSets have random suffixes in their names. Attackers can use this fact and name their backdoor pods as if they were created by these controllers to avoid detection. Deployment of such a backdoor container e.g. named kube-proxy-bv61v, could be attempted in the kube-system namespace alongside the other administrative containers.
Masquerading as Linux Crond Process
Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.
Potentially Suspicious Execution From Tmp Folder
Detects a potentially suspicious execution of a process located in the '/tmp/' folder
Interactive Bash Suspicious Children
Detects suspicious interactive bash as a parent to rather uncommon child processes
Remote Access Tool - Renamed MeshAgent Execution - MacOS
Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent. RMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management. However, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems.
Space After Filename - macOS
Detects attempts to masquerade as legitimate files by adding a space to the end of the filename.
Flash Player Update from Suspicious Location
Detects a flashplayer update from an unofficial location
New or Renamed User Account with '$' Character
Detects the creation of a user with the "$" character. This can be used by attackers to hide a user or trick detection systems that lack the parsing mechanisms.
Password Protected ZIP File Opened (Suspicious Filenames)
Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.
Files With System DLL Name In Unsuspected Locations
Detects the creation of a file with the ".dll" extension that has the name of a System DLL in uncommon or unsuspected locations. (Outisde of "System32", "SysWOW64", etc.). It is highly recommended to perform an initial baseline before using this rule in production.
Files With System Process Name In Unsuspected Locations
Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.). It is highly recommended to perform an initial baseline before using this rule in production.
Windows Binaries Write Suspicious Extensions
Detects Windows executables that write files with suspicious extensions
Suspicious Files in Default GPO Folder
Detects the creation of copy of suspicious files (EXE/DLL) to the default GPO storage folder
Suspicious Double Extension Files
Detects dropped files with double extensions, which is often used by malware as a method to abuse the fact that Windows hide default extensions by default.
Potential Homoglyph Attack Using Lookalike Characters in Filename
Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters. This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.
Suspicious LNK Double Extension File Created
Detects the creation of files with an "LNK" as a second extension. This is sometimes used by malware as a method to abuse the fact that Windows hides the "LNK" extension by default.
Potential File Extension Spoofing Using Right-to-Left Override
Detects suspicious filenames that contain a right-to-left override character and a potentially spoofed file extensions.
Unsigned .node File Loaded
Detects the loading of unsigned .node files. Adversaries may abuse a lack of .node integrity checking to execute arbitrary code inside of trusted applications such as Slack. .node files are native add-ons for Electron-based applications, which are commonly used for desktop applications like Slack, Discord, and Visual Studio Code. This technique has been observed in the DripLoader malware, which uses unsigned .node files to load malicious native code into Electron applications.
Renamed Powershell Under Powershell Channel
Detects a renamed Powershell execution, which is a common technique used to circumvent security controls and bypass detection logic that's dependent on process names and process paths.
Suspicious Start-Process PassThru
Powershell use PassThru option to start in background
File Download Via Bitsadmin
Detects usage of bitsadmin downloading a file
Suspicious Download From Direct IP Via Bitsadmin
Detects usage of bitsadmin downloading a file using an URL that contains an IP
Suspicious Download From File-Sharing Website Via Bitsadmin
Detects usage of bitsadmin downloading a file from a suspicious domain
File With Suspicious Extension Downloaded Via Bitsadmin
Detects usage of bitsadmin downloading a file with a suspicious extension
File Download Via Bitsadmin To A Suspicious Target Folder
Detects usage of bitsadmin downloading a file to a suspicious target folder
Suspicious Calculator Usage
Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion.
Suspicious CodePage Switch Via CHCP
Detects a code page switch in command line or batch scripts to a rare language
CreateDump Process Dump
Detects uses of the createdump.exe LOLOBIN utility to dump process memory
DumpMinitool Execution
Detects the use of "DumpMinitool.exe" a tool that allows the dump of process memory via the use of the "MiniDumpWriteDump"
Suspicious DumpMinitool Execution
Detects suspicious ways to use the "DumpMinitool.exe" binary
Explorer Process Tree Break
Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries, which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from "svchost"
Findstr Launching .lnk File
Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack
Forfiles.EXE Child Process Masquerading
Detects the execution of "forfiles" from a non-default location, in order to potentially spawn a custom "cmd.exe" from the current working directory.
HackTool - XORDump Execution
Detects suspicious use of XORDump process memory dumping utility
Potential Fake Instance Of Hxtsr.EXE Executed
HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications. HxTsr.exe is part of Outlook apps, because it resides in a hidden "WindowsApps" subfolder of "C:\Program Files". Any instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe
MMC Executing Files with Reversed Extensions Using RTLO Abuse
Detects malicious behavior where the MMC utility (`mmc.exe`) executes files with reversed extensions caused by Right-to-Left Override (RLO) abuse, disguising them as document formats.
CodePage Modification Via MODE.COM To Russian Language
Detects a CodePage modification using the "mode.com" utility to Russian language. This behavior has been used by threat actors behind Dharma ransomware.
Suspicious MSDT Parent Process
Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation
Potential MsiExec Masquerading
Detects the execution of msiexec.exe from an uncommon directory
PUA - Potential PE Metadata Tamper Using Rcedit
Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.
Remote Access Tool - Renamed MeshAgent Execution - Windows
Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent. RMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management. However, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems.
Potential Defense Evasion Via Binary Rename
Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
Potential Defense Evasion Via Rename Of Highly Relevant Binaries
Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
Renamed BrowserCore.EXE Execution
Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)
Renamed CreateDump Utility Execution
Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory
Renamed ZOHO Dctask64 Execution
Detects a renamed "dctask64.exe" execution, a signed binary by ZOHO Corporation part of ManageEngine Endpoint Central. This binary can be abused for DLL injection, arbitrary command and process execution.
Renamed Jusched.EXE Execution
Detects the execution of a renamed "jusched.exe" as seen used by the cobalt group
Renamed Msdt.EXE Execution
Detects the execution of a renamed "Msdt.exe" binary