Sigma Rules
9 rules found for "juju4"
Suspicious SQL Query
Detects suspicious SQL query keywords that are often used during recon, exfiltration or destructive activities, such as dropping tables and selecting wildcard fields.
Admin User Remote Logon
Detects remote logon by an Administrator user (depending on the internal pattern).
Suspicious RASdial Activity
Detects suspicious process related to rasdial.exe
Suspicious Process Start Locations
Detects suspicious process run from unusual locations
Potentially Suspicious Rundll32 Activity
Detects suspicious execution of rundll32, with specific calls to some DLLs with known LOLBIN functionalities
Potential Commandline Obfuscation Using Escape Characters
Detects potential commandline obfuscation using known escape characters
Potential RDP Session Hijacking Activity
Detects potential RDP Session Hijacking activity on Windows systems
New Process Created Via Wmic.EXE
Detects new process creation using WMIC via the "process call create" flag
Potential Product Class Reconnaissance Via Wmic.EXE
Detects the execution of WMIC in order to get a list of firewall, antivirus and antispyware products. Adversaries often enumerate security products installed on a system to identify security controls and potential ways to evade detection or disable protection mechanisms. This information helps them plan their next attack steps and choose appropriate techniques to bypass security measures.