Rule Library

Sigma Rules

12 rules found for "wagga"

3,707Total

3,116Detection

451Emerging

137Hunting

Filters

Type

Severity

Status

Product

Category

Detectionhightest

Possible Impacket SecretDump Remote Activity

Detect AD credential dumping using impacket secretdump HKTL

Windowssecurity

TA0006 · Credential AccessT1003.002 · Security Account ManagerT1003.004 · LSA SecretsT1003.003 · NTDS

Samir Bousseaden+1Wed Apr 03windows

Detectionhightest

NetNTLM Downgrade Attack

Detects NetNTLM downgrade attack

Windowssecurity

TA0003 · PersistenceTA0005 · Defense EvasionT1562.001 · Disable or Modify ToolsT1112 · Modify Registry

Florian Roth (Nextron Systems)+1Tue Mar 20windows

Detectioncriticaltest

Potential DCOM InternetExplorer.Application DLL Hijack

Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class over the network

WindowsFile Event

TA0008 · Lateral MovementT1021.002 · SMB/Windows Admin SharesT1021.003 · Distributed Component Object Model

Roberto Rodriguez (Cyb3rWard0g)+2Mon Oct 12windows

Detectioncriticaltest

Potential DCOM InternetExplorer.Application DLL Hijack - Image Load

Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class

WindowsImage Load (DLL)

TA0008 · Lateral MovementT1021.002 · SMB/Windows Admin SharesT1021.003 · Distributed Component Object Model

Roberto Rodriguez (Cyb3rWard0g)+2Mon Oct 12windows

Detectionhightest

HackTool - Koadic Execution

Detects command line parameters used by Koadic hack tool

WindowsProcess Creation

TA0002 · ExecutionT1059.003 · Windows Command ShellT1059.005 · Visual BasicT1059.007 · JavaScript

wagga+2Sun Jan 12windows

Detectionhightest

Suspicious Child Process Of SQL Server

Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.

WindowsProcess Creation

T1505.003 · Web ShellT1190 · Exploit Public-Facing ApplicationTA0001 · Initial AccessTA0003 · Persistence+1

FPT.EagleEye Team+1Fri Dec 11windows

Detectionmediumtest

Windows Admin Share Mount Via Net.EXE

Detects when an admin share is mounted using net.exe

WindowsProcess Creation

TA0008 · Lateral MovementT1021.002 · SMB/Windows Admin Shares

oscd.community+3Mon Oct 05windows

Detectionhighstable

Potential Powershell ReverseShell Connection

Detects usage of the "TcpClient" class. Which can be abused to establish remote connections and reverse-shells. As seen used by the Nishang "Invoke-PowerShellTcpOneLine" reverse shell and other.

WindowsProcess Creation

TA0002 · ExecutionT1059.001 · PowerShell

FPT.EagleEye+2Wed Mar 03windows

Detectionhightest

NetNTLM Downgrade Attack - Registry

Detects NetNTLM downgrade attack

WindowsRegistry Event

TA0003 · PersistenceTA0005 · Defense EvasionT1562.001 · Disable or Modify ToolsT1112 · Modify Registry

Florian Roth (Nextron Systems)+2Tue Mar 20windows

Detectionmediumtest

Common Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

WindowsRegistry Set

TA0004 · Privilege EscalationTA0003 · PersistenceT1547.001 · Registry Run Keys / Startup Folder

Victor Sergeev+7Fri Oct 25windows

Emerging Threathightest

CVE-2020-0688 Exploitation via Eventlog

Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688

Windowsapplication

TA0001 · Initial AccessT1190 · Exploit Public-Facing Applicationcve.2020-0688detection.emerging-threats

Florian Roth (Nextron Systems)+1Sat Feb 292020

Emerging Threatcriticaltest

Lazarus Group Activity

Detects different process execution behaviors as described in various threat reports on Lazarus group activity

WindowsProcess Creation

G0032 · Lazarus GroupTA0002 · ExecutionT1059 · Command and Scripting Interpreterdetection.emerging-threats

Florian Roth (Nextron Systems)+1Wed Dec 232020