Phoenix
Sigma IntelligenceBeta
Rule Library

Sigma Rules

11 rules found for "omkar72"

3,707Total
3,116Detection
451Emerging
137Hunting
Detectionhightest

Suspicious DotNET CLR Usage Log Artifact

Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context.

WindowsFile Event
TA0005 · Defense EvasionT1218 · System Binary Proxy Execution
François Hubaut+3Fri Nov 18windows
Detectionhightest

DotNet CLR DLL Loaded By Scripting Applications

Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution.

WindowsImage Load (DLL)
TA0005 · Defense EvasionTA0002 · ExecutionTA0004 · Privilege EscalationT1055 · Process Injection
omkar72+1Wed Oct 14windows
Detectionmediumtest

Uncommon Child Process Of Conhost.EXE

Detects uncommon "conhost" child processes. This could be a sign of "conhost" usage as a LOLBIN or potential process injection activity.

WindowsProcess Creation
TA0005 · Defense EvasionT1202 · Indirect Command Execution
omkar72Sun Oct 25windows
Detectionmediumtest

Domain Trust Discovery Via Dsquery

Detects execution of "dsquery.exe" for domain trust discovery

WindowsProcess Creation
TA0007 · DiscoveryT1482 · Domain Trust Discovery
E.M. Anhaus+3Thu Oct 24windows
Detectionhightest

Finger.EXE Execution

Detects execution of the "finger.exe" utility. Finger.EXE or "TCPIP Finger Command" is an old utility that is still present on modern Windows installation. It Displays information about users on a specified remote computer (typically a UNIX computer) that is running the finger service or daemon. Due to the old nature of this utility and the rareness of machines having the finger service. Any execution of "finger.exe" can be considered "suspicious" and worth investigating.

WindowsProcess Creation
TA0011 · Command and ControlT1105 · Ingress Tool Transfer
Florian Roth (Nextron Systems)+2Wed Feb 24windows
Detectionmediumtest

New Port Forwarding Rule Added Via Netsh.EXE

Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule

WindowsProcess Creation
TA0008 · Lateral MovementTA0005 · Defense EvasionTA0011 · Command and ControlT1090 · Proxy
Florian Roth (Nextron Systems)+3Tue Jan 29windows
Detectionmediumtest

Suspicious Group And Account Reconnaissance Activity Using Net.EXE

Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE Check if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM)

WindowsProcess Creation
TA0007 · DiscoveryT1087.001 · Local AccountT1087.002 · Domain Account
Florian Roth (Nextron Systems)+2Wed Jan 16windows
Detectionhightest

PUA - AdFind Suspicious Execution

Detects AdFind execution with common flags seen used during attacks

WindowsProcess Creation
TA0007 · DiscoveryT1018 · Remote System DiscoveryT1087.002 · Domain AccountT1482 · Domain Trust Discovery+2
Janantha Marasinghe+3Tue Feb 02windows
Detectionmediumtest

Psexec Execution

Detects user accept agreement execution in psexec commandline

WindowsProcess Creation
TA0002 · ExecutionTA0008 · Lateral MovementT1569 · System ServicesT1021 · Remote Services
omkar72Fri Oct 30windows
Detectionmediumtest

Office Application Startup - Office Test

Detects the addition of office test registry that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started

WindowsRegistry Event
TA0003 · PersistenceT1137.002 · Office Test
omkar72Sun Oct 25windows
Detectionhightest

WINEKEY Registry Modification

Detects potential malicious modification of run keys by winekey or team9 backdoor

WindowsRegistry Event
TA0004 · Privilege EscalationTA0003 · PersistenceT1547 · Boot or Logon Autostart Execution
omkar72Fri Oct 30windows