Sigma Rules
10 rules found for "elhoim"
Win Susp Computer Name Containing Samtheadmin
Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool
Created Files by Microsoft Sync Center
This rule detects suspicious files created by Microsoft Sync Center (mobsync)
Suspicious Files in Default GPO Folder
Detects the creation of copy of suspicious files (EXE/DLL) to the default GPO storage folder
Microsoft Sync Center Suspicious Network Connections
Detects suspicious connections from Microsoft Sync Center to non-private IPs.
Malicious Named Pipe Created
Detects the creation of a named pipe seen used by known APTs or malware.
Tamper Windows Defender - ScriptBlockLogging
Detects PowerShell scripts attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.
Potentially Suspicious Child Process Of Regsvr32
Detects potentially suspicious child processes of "regsvr32.exe".
Security Service Disabled Via Reg.EXE
Detects execution of "reg.exe" to disable security services such as Windows Defender.
Renamed Vmnat.exe Execution
Detects renamed vmnat.exe or portable version that can be used for DLL side-loading
RunDLL32 Spawning Explorer
Detects RunDLL32.exe spawning explorer.exe as child, which is very uncommon, often observes Gamarue spawning the explorer.exe process in an unusual way