Title : Access To Chromium Browsers Sensitive Files By Uncommon Applications
Rule id : c5f37810-a85f-4186-81e9-33f23abb4141
Title : Access To Browser Credential Files By Uncommon Applications
Rule id : 91cb43db-302a-47e3-b3c8-7ede481e27bf
Title : Access To Windows Outlook Mail Files By Uncommon Applications
Rule id : fc3e237f-2fef-406c-b90d-b3ae7e02fa8f
Title : Credential Manager Access By Uncommon Applications
Rule id : 407aecb1-e762-4acf-8c7b-d087bcff3bb6
Title : Access To Windows Credential History File By Uncommon Applications
Rule id : 7a2a22ea-a203-4cd3-9abf-20eb1c5c6cd2
Title : Access To Crypto Currency Wallets By Uncommon Applications
Rule id : f41b0311-44f9-44f0-816d-dd45e39d4bc8
Title : Access To Windows DPAPI Master Keys By Uncommon Applications
Rule id : 46612ae6-86be-4802-bc07-39b59feb1309
Title : Access To Sysvol Policies Share By Uncommon Process
Rule id : 8344c19f-a023-45ff-ad63-a01c5396aea0
Url : https://github.com/vletoux/pingcastle
Pdf : pdf/07f58edf3b3f99eb1be2d6008ce4ea1b9950671a87f06c9d04cd39fea03c2a80.pdf
Title : Access To Potentially Sensitive Sysvol Files By Uncommon Applications
Rule id : d51694fe-484a-46ac-92d6-969e76d60d10
Url : https://github.com/vletoux/pingcastle
Pdf : pdf/07f58edf3b3f99eb1be2d6008ce4ea1b9950671a87f06c9d04cd39fea03c2a80.pdf
Title : Access To .Reg/.Hive Files By Uncommon Applications
Rule id : 337a31c6-46c4-46be-886a-260d7aa78cac
Url : https://github.com/tccontre/Reg-Restore-Persistence-Mole
Pdf : pdf/0971a077a83b9756335c592532101ff05083fa81d6be4d96ba3202747ac692c4.pdf
Title : Unattend.XML File Access Attempt
Rule id : 76a26006-0942-430b-8249-bd51d448f8e5
Title : Microsoft Teams Sensitive File Access By Uncommon Applications
Rule id : 65744385-8541-44a6-8630-ffc824d7d4cc
Title : File Creation Date Changed to Another Year
Rule id : 558eebe5-f2ba-4104-b339-36f7902bcc1a
Url : https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html
Pdf : pdf/a4ae2565fb7c169a136f004beee98a312636102e637ec201c2a5bba590b3627b.pdf
Title : Unusual File Modification by dns.exe
Rule id : 9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3
Url : https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html
Pdf : pdf/c321effd3d12ede1cd28e4d41a8622a63364af11360a5a7002bf7d7fb8d9443c.pdf
Title : Potential PrintNightmare Exploitation Attempt
Rule id : 5b2bbc47-dead-4ef7-8908-0cf73fcbecbf
Title : Backup Files Deleted
Rule id : 06125661-3814-4e03-bfa2-1e4411c60ac3
Title : EventLog EVTX File Deleted
Rule id : 63c779ba-f638-40a0-a593-ddd45e8b1ddc
Title : Exchange PowerShell Cmdlet History Deleted
Rule id : a55349d8-9588-4c5a-8e3b-1925fe2a4ffe
Url : https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
Pdf : pdf/590410e47cb1aaf28145535d3c3a8e1ee48e946daf2b6849ba223ff7a71aefc1.pdf
Title : IIS WebServer Access Logs Deleted
Rule id : 3eb8c339-a765-48cc-a150-4364c04652bf
Url : https://www.elastic.co/guide/en/security/current/webserver-access-logs-deleted.html
Pdf : pdf/e797f1e60f7e9c0b5b71f02aeeb952fd1cb8650731448e3d7333ec86b4126825.pdf
Title : Process Deletion of Its Own Executable
Rule id : f01d1f70-cd41-42ec-9c0b-26dd9c22bf29
Url : https://github.com/joaoviictorti/RustRedOps/tree/ce04369a246006d399e8c61d9fe0e6b34f988a49/Self_Deletion
Pdf : pdf/84a14949cf6001d9b2651e6448d0d56ea4fc6f053e1b5bad1f53f32506a3963d.pdf
Title : PowerShell Console History Logs Deleted
Rule id : ff301988-c231-4bd0-834c-ac9d73b86586
Title : Prefetch File Deleted
Rule id : 0a1f9d29-6465-4776-b091-7f43b26e4c89
Url : https://www.group-ib.com/blog/hunting-for-ttps-with-prefetch-files/
Pdf : pdf/d104e01312f8def72d1753af481457705160f2e0c44e85f5267c41d422c3b245.pdf
Title : TeamViewer Log File Deleted
Rule id : b1decb61-ed83-4339-8e95-53ea51901720
Title : Tomcat WebServer Logs Deleted
Rule id : 270185ff-5f50-4d6d-a27f-24c3b8c9fef8
Url : https://linuxhint.com/view-tomcat-logs-windows/
Pdf : pdf/8f6167d923e90c5fe848ccd145e10ab842d5e578710b267f3ad9ccd8490e5f2f.pdf
Title : File Deleted Via Sysinternals SDelete
Rule id : 6ddab845-b1b8-49c2-bbf7-1a11967f64bc
Title : Unusual File Deletion by Dns.exe
Rule id : 8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0
Url : https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html
Pdf : pdf/c321effd3d12ede1cd28e4d41a8622a63364af11360a5a7002bf7d7fb8d9443c.pdf
Title : ADS Zone.Identifier Deleted
Rule id : 7eac0a16-5832-4e81-865f-0268a6d19e4b
Url : https://securityliterate.com/how-malware-abuses-the-zone-identifier-to-circumvent-detection-and-analysis/
Pdf : pdf/5c59b23b3e9dd12497c219ddd92785098caf845185a9069bafdddebf92ddf7f9.pdf
Title : ADS Zone.Identifier Deleted By Uncommon Application
Rule id : 3109530e-ab47-4cc6-a953-cac5ebcc93ae
Url : https://securityliterate.com/how-malware-abuses-the-zone-identifier-to-circumvent-detection-and-analysis/
Pdf : pdf/5c59b23b3e9dd12497c219ddd92785098caf845185a9069bafdddebf92ddf7f9.pdf
Title : UNC4841 - Email Exfiltration File Pattern
Rule id : 0785f462-60b0-4031-9ff4-b4f3a0ba589a
Url : https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
Pdf : pdf/8d54089d8a14d4fb5c7cbd501bdd4c6c5737ab923ec110e44d3e59f9b58986b5.pdf
Title : UNC4841 - Barracuda ESG Exploitation Indicators
Rule id : 5627c337-a9b2-407a-a82d-5fd97035ff39
Url : https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
Pdf : pdf/8d54089d8a14d4fb5c7cbd501bdd4c6c5737ab923ec110e44d3e59f9b58986b5.pdf
Title : Linux Doas Conf File Creation
Rule id : 00eee2a5-fdb0-4746-a21d-e43fbdea5681
Title : Persistence Via Cron Files
Rule id : 6c4e2f43-d94d-4ead-b64d-97e53fa2bd05
Title : Persistence Via Sudoers Files
Rule id : ddb26b76-4447-4807-871f-1b035b2bfa5d
Url : https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh
Pdf : pdf/c52ab80b8482636c8d5824eedd164438dd188eff2f790d6f821fca8c2880dba4.pdf
Title : Python Path Configuration File Creation - Linux
Rule id : fb96c26c-9f85-4ae7-af0d-ed1ed1f1f5ce
Title : Potentially Suspicious Shell Script Creation in Profile Folder
Rule id : 13f08f54-e705-4498-91fd-cce9d9cee9f1
Title : Triple Cross eBPF Rootkit Default LockFile
Rule id : c0239255-822c-4630-b7f1-35362bcb8f44
Url : https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L33
Pdf : pdf/a8313aa6cf90eb426067d1bc971374f244afbc04b4de4ac38ca0abfc2978a75c.pdf
Title : Triple Cross eBPF Rootkit Default Persistence
Rule id : 1a2ea919-d11d-4d1e-8535-06cda13be20f
Url : https://github.com/h3xduck/TripleCross/blob/12629558b8b0a27a5488a0b98f1ea7042e76f8ab/apps/deployer.sh
Pdf : pdf/d49b145979b007a628e1ef443dc18c81df6b9cc88671742e9466baed293dd57d.pdf
Title : Wget Creating Files in Tmp Directory
Rule id : 35a05c60-9012-49b6-a11f-6bab741c9f74
Title : MacOS Emond Launch Daemon
Rule id : 23c43900-e732-45a4-8354-63e4a6c187ce
Title : Python Path Configuration File Creation - MacOS
Rule id : 4f394635-13ef-4599-b677-3353e0f84f55
Title : Startup Item File Created - MacOS
Rule id : dfe8b941-4e54-4242-b674-6b613d521962
Title : Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - File Creation
Rule id : bcd95697-e3e7-4c6f-8584-8e3503e6929f
Title : ADSI-Cache File Creation By Uncommon Tool
Rule id : 75bf09fa-1dd7-4d18-9af9-dd9e492562eb
Title : Advanced IP Scanner - File Event
Rule id : fed85bf9-e075-4280-9159-fbe8a023d6fa
Title : Anydesk Temporary Artefact
Rule id : 0b9ad457-2554-44c1-82c2-d56a99c42377
Title : Suspicious Binary Writes Via AnyDesk
Rule id : 2d367498-5112-4ae5-a06a-96e7bc33a211
Url : https://redcanary.com/blog/misbehaving-rats/
Pdf : pdf/bce413b780067c758ce583c9a290eec4ec40f7c2be878de4d59e49b359dfc164.pdf
Title : APT29 2018 Phishing Campaign File Indicators
Rule id : 3a3f81ca-652c-482b-adeb-b1c804727f74
Title : Diamond Sleet APT File Creation Indicators
Rule id : e1212b32-55ff-4dfb-a595-62b572248056
Title : Potential APT FIN7 Related PowerShell Script Created
Rule id : a88d9f45-ec8a-4b0e-85ee-c9f6a65e9128
Url : https://labs.withsecure.com/publications/fin7-target-veeam-servers
Pdf : pdf/bcf09078cb6247a3ea928d485651fa6eb873bd5ff379fe4aa907c61f6f3096aa.pdf
Title : Forest Blizzard APT - File Creation Activity
Rule id : b92d1d19-f5c9-4ed6-bbd5-7476709dc389
Title : Forest Blizzard APT - JavaScript Constrained File Creation
Rule id : ec7c4e9b-9bc9-47c7-a32f-b53b598da642
Title : Lace Tempest File Indicators
Rule id : e94486ea-2650-4548-bf25-88cbd0bb32d7
Url : https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
Pdf : pdf/2686c4b92c4166bd9d0af2e977485a734a145b4a254e438474766688aeb1eb00.pdf
Title : Onyx Sleet APT File Creation Indicators
Rule id : 2fef4fd9-7206-40d1-b4f5-ad6441d0cd9b
Title : ScreenConnect - SlashAndGrab Exploitation Indicators
Rule id : 05164d17-8e11-4d7d-973e-9e4962436b87
Url : https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
Pdf : pdf/db10fe51c56a21d1a65679761189968503094fc31c28113aaa26bd6b44436bc2.pdf
Title : Assembly DLL Creation Via AspNetCompiler
Rule id : 4c7f49ee-2638-43bb-b85b-ce676c30b260
Title : BloodHound Collection Files
Rule id : 02773bed-83bf-469f-b7ff-e676e7d78bab
Url : https://academy.hackthebox.com/course/preview/active-directory-bloodhound/bloodhound--data-collection
Pdf : pdf/4c02b65fb5d63a4320bbc961d6c17bee2bb48540bb5765394771305c414cbfb4.pdf
Title : EVTX Created In Uncommon Location
Rule id : 65236ec7-ace0-4f0c-82fd-737b04fd4dcb
Url : https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key
Pdf : pdf/ff925c3afeeb4892dc84ea766b7c4cfc72d57349a76bbd7088cceb33c39308c4.pdf
Title : Creation Of Non-Existent System DLL
Rule id : df6ecb8b-7822-4f4b-b412-08f524b4576c
Title : New Custom Shim Database Created
Rule id : ee63c85c-6d51-4d12-ad09-04e25877a947
Title : Suspicious Screensaver Binary File Creation
Rule id : 97aa2e88-555c-450d-85a6-229bcd87efb8
Title : Files With System DLL Name In Unsuspected Locations
Rule id : 13c02350-4177-4e45-ac17-cf7ca628ff5e
Title : Files With System Process Name In Unsuspected Locations
Rule id : d5866ddf-ce8f-4aea-b28e-d96485a20d3d
Title : Creation Exe for Service with Unquoted Path
Rule id : 8c3c76ca-8f8b-4b1d-aaf3-81aebcd367c9
Title : Cred Dump Tools Dropped Files
Rule id : 8fbf3271-1ef6-4e94-8210-03c2317947f6
Url : https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
Pdf : pdf/52e26c81a11e8750dcb450054f7519ab7fa64b2a0e94d3c66075f12ea424e9d0.pdf
Title : WScript or CScript Dropper - File
Rule id : 002bdb95-0cf1-46a6-9e08-d38c128a6127
Title : CSExec Service File Creation
Rule id : f0e2b768-5220-47dd-b891-d57b96fc0ec1
Url : https://github.com/malcomvetter/CSExec
Pdf : pdf/594bb84da93ca89f381037918ee9911b09388de75cbb80c7e2296250f0634dc6.pdf
Title : Dynamic CSharp Compile Artefact
Rule id : e4a74e34-ecde-4aab-b2fb-9112dd01aed0
Title : CVE-2021-1675 Print Spooler Exploitation Filename Pattern
Rule id : 2131cfb3-8c12-45e8-8fa0-31f5924e9f07
Title : CVE-2021-26858 Exchange Exploitation
Rule id : b06335b3-55ac-4b41-937e-16b7f5d57dfd
Url : https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
Pdf : pdf/e389ec84e6194a795049c83849c056aed872ecedd4e19c9624d6092c9fa68421.pdf
Title : CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum
Rule id : ad7085ac-92e4-4b76-8ce2-276d2c0e68ef
Title : InstallerFileTakeOver LPE CVE-2021-41379 File Create Event
Rule id : 3be82d5d-09fe-4d6a-a275-0d40d234d324
Title : CVE-2021-44077 POC Default Dropped File
Rule id : 7b501acf-fa98-4272-aa39-194f82edc8a3
Title : CVE-2022-24527 Microsoft Connected Cache LPE
Rule id : e0a41412-c69a-446f-8e6e-0e6d7483dad7
Url : https://www.rapid7.com/blog/post/2022/04/12/cve-2022-24527-microsoft-connected-cache-local-privilege-escalation-fixed/
Pdf : pdf/97408688e0e85bf1df6151bcaadf69135ac9681e20965104cc75a4ec18af5724.pdf
Title : Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader
Rule id : 9cae055f-e1d2-4f81-b8a5-1986a68cdd84
Title : Potential DCOM InternetExplorer.Application DLL Hijack
Rule id : 2f7979ae-f82b-45af-ac1d-2b10e93b0baa
Url : https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html
Pdf : pdf/ba965214af2505144a26f6c901814ff29d26160ee8671d7a6cfe913b06bcc0e8.pdf
Title : DLL Search Order Hijacking Via Additional Space in Path
Rule id : b6f91281-20aa-446a-b986-38a92813a18f
Title : DMP/HDMP File Creation
Rule id : 3a525307-d100-48ae-b3b9-0964699d7f97
Url : https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps
Pdf : pdf/1aa9daa30ea513bc970ddf5693962cf0da290329074712bf3f95a4fe80909c29.pdf
Title : Potentially Suspicious DMP/HDMP File Creation
Rule id : aba15bdd-657f-422a-bab3-ac2d2a0d6f1c
Url : https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps
Pdf : pdf/1aa9daa30ea513bc970ddf5693962cf0da290329074712bf3f95a4fe80909c29.pdf
Title : Potential Persistence Attempt Via ErrorHandler.Cmd
Rule id : 15904280-565c-4b73-9303-3291f964e7f9
Title : Suspicious ASPX File Drop by Exchange
Rule id : bd1212e5-78da-431e-95fa-c58e3237a8e6
Title : Suspicious File Drop by Exchange
Rule id : 6b269392-9eba-40b5-acb6-55c882b20ba6
Title : Suspicious Word Cab File Write CVE-2021-40444
Rule id : 60c0a111-787a-4e8a-9262-ee485f3ef9d5
Title : Potential MOVEit Transfer CVE-2023-34362 Exploitation - File Activity
Rule id : c3b2a774-3152-4989-83c1-7afc48fd1599
Title : Potential CVE-2023-36874 Exploitation - Uncommon Report.Wer Location
Rule id : 92389a99-5215-43b0-a09f-e334453b2ed3
Title : Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation
Rule id : ad0960eb-0015-4d16-be13-b3d9f18f1342
Title : Potential CVE-2023-36884 Exploitation Dropped File
Rule id : 8023d3a2-dcdc-44da-8fa9-5c7906e55b38
Title : CVE-2023-38331 Exploitation Attempt - Suspicious Double Extension File
Rule id : e4556676-fc5c-4e95-8c39-5ef27791541f
Title : CVE-2023-40477 Potential Exploitation - .REV File Creation
Rule id : c3bd6c55-d495-4c34-918e-e03e8828c074
Title : CVE-2024-1708 - ScreenConnect Path Traversal Exploitation
Rule id : 44d7af7e-88e6-4490-be11-55f7ff4d9fc1
Title : ScreenConnect User Database Modification
Rule id : 1a821580-588b-4323-9422-660f7e131020
Title : GoToAssist Temporary Installation Artefact
Rule id : 5d756aee-ad3e-4306-ad95-cb1abec48de2
Title : HackTool - CrackMapExec File Indicators
Rule id : 736ffa74-5f6f-44ca-94ef-1c0df4f51d2a
Url : https://github.com/byt3bl33d3r/CrackMapExec/
Pdf : pdf/7efced8a1ecea416b4c288d32f93eff6343643d68c5f2def8dd9180eaf0a19b7.pdf
Title : HackTool - Dumpert Process Dumper Default File
Rule id : 93d94efc-d7ad-4161-ad7d-1638c4f908d8
Title : HackTool - Typical HiveNightmare SAM File Export
Rule id : 6ea858a8-ba71-4a12-b2cc-5d83312404c7
Title : HackTool - Inveigh Execution Artefacts
Rule id : bb09dd3e-2b78-4819-8e35-a7c1b874e449
Title : HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators
Rule id : 3ab79e90-9fab-4cdf-a7b2-6522bc742adb
Title : HackTool - Mimikatz Kirbi File Creation
Rule id : 9e099d99-44c2-42b6-a6d8-54c3545cab29
Title : HackTool - NPPSpy Hacktool Usage
Rule id : cad1fe90-2406-44dc-bd03-59d0b58fe722
Title : HackTool - Powerup Write Hijack DLL
Rule id : 602a1f13-c640-4d73-b053-be9a2fa58b96
Url : https://powersploit.readthedocs.io/en/latest/Privesc/Write-HijackDll/
Pdf : pdf/44163eb48d2a27f40771286f5fd8f781e7c79cccd3e511fc3ec2305732b15ae4.pdf
Title : HackTool - QuarksPwDump Dump File
Rule id : 847def9e-924d-4e90-b7c4-5f581395a2b4
Url : https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm
Pdf : pdf/6c34b6d03ae45484d4f9d935c2f85fc177ad955f3e3a3dd8c7c38319aeef9d89.pdf
Title : HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-Secretsdump
Rule id : 6e2a900a-ced9-4e4a-a9c2-13e706f9518a
Title : HackTool - SafetyKatz Dump Indicator
Rule id : e074832a-eada-4fd7-94a1-10642b130e16
Title : Potential Initial Access via DLL Search Order Hijacking
Rule id : dbbd9f66-2ed3-4ca2-98a4-6ea985dd1a1c
Title : Installation of TeamViewer Desktop
Rule id : 9711de76-5d4f-4c50-a94f-21e4e8f8384d
Title : Malicious DLL File Dropped in the Teams or OneDrive Folder
Rule id : 1908fcc1-1b92-4272-8214-0fbaf2fa5163
Url : https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/
Pdf : pdf/735597318502c4a2b6debe84fb5a9b2e7241da1ae1a97309964cdc5369557f64.pdf
Title : ISO File Created Within Temp Folders
Rule id : 2f9356ae-bf43-41b8-b858-4496d83b2acb
Title : ISO or Image Mount Indicator in Recent Files
Rule id : 4358e5a5-7542-4dcb-b9f3-87667371839b
Title : GatherNetworkInfo.VBS Reconnaissance Script Output
Rule id : f92a6f1e-a512-4a15-9735-da09e78d7273
Title : LSASS Process Memory Dump Files
Rule id : a5a2d357-1ab8-4675-a967-ef9990a59391
Title : LSASS Process Dump Artefact In CrashDumps Folder
Rule id : 6902955a-01b7-432c-b32a-6f5f81d8f625
Url : https://github.com/deepinstinct/Lsass-Shtinkering
Pdf : pdf/7768bb500b70ef47545f6a638926e96ceb4a2d12afc15bf3a337fd90f415ee37.pdf
Title : WerFault LSASS Process Memory Dump
Rule id : c3e76af5-4ce0-4a14-9c9a-25ceb8fda182
Url : https://github.com/helpsystems/nanodump
Pdf : pdf/ced65711fc744dd736ce6abf2bf660e58fb543503f1551af81143afe2eb1187e.pdf
Title : Adwind RAT / JRAT File Artifact
Rule id : 0bcfabcb-7929-47f4-93d6-b33fb67d34d1
Title : Octopus Scanner Malware
Rule id : 805c55d9-31e6-4846-9878-c34c75054fe9
Url : https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain
Pdf : pdf/613e0e9f8d65589d1cf0c37aa73218509f4d2d34e68a2e388a543b018b059d7d.pdf
Title : Potential COLDSTEEL RAT File Indicators
Rule id : c708a93f-46b4-4674-a5b8-54aa6219c5fa
Title : Potential COLDSTEEL Persistence Service DLL Creation
Rule id : 1fea93a2-1524-4a3c-9828-3aa0c2414e27
Title : DarkGate - Autoit3.EXE File Creation By Uncommon Process
Rule id : 1a433e1d-03d2-47a6-8063-ece992cf4e73
Title : DarkGate - Drop DarkGate Loader In C:\Temp Directory
Rule id : df49c691-8026-48dd-94d3-4ba6a79102a8
Title : Potential Devil Bait Related Indicator
Rule id : 93d5f1b4-36df-45ed-8680-f66f242b8415
Title : Goofy Guineapig Backdoor IOC
Rule id : f0bafe60-1240-4798-9e60-4364b97e6bad
Title : Potential Kapeka Decrypted Backdoor Indicator
Rule id : 20228d05-dd68-435d-8b4e-e7e64938880c
Title : Pingback Backdoor File Indicators
Rule id : 2bd63d53-84d4-4210-80ff-bf0658f1bf78
Title : Small Sieve Malware File Indicator Creation
Rule id : 39466c42-c189-476a-989f-8cdb135c163a
Title : SNAKE Malware Kernel Driver File Indicator
Rule id : d6d9d23f-69c1-41b5-8305-fa8250bd027f
Title : SNAKE Malware Installer Name Indicators
Rule id : 99eccc2b-7182-442f-8806-b76cc36d866b
Title : SNAKE Malware WerFault Persistence File Creation
Rule id : 64827580-e4c3-4c64-97eb-c72325d45399
Title : Moriya Rootkit File Created
Rule id : a1507d71-0b60-44f6-b17c-bf53220fdd88
Url : https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831
Pdf : pdf/9b9d2e14613770cf3e9d3f40ac11d4517088422df28270a909bafcc9a25564f0.pdf
Title : File Creation In Suspicious Directory By Msdt.EXE
Rule id : 318557a5-150c-4c8d-b70e-a9910e199857
Title : Uncommon File Creation By Mysql Daemon Process
Rule id : c61daa90-3c1e-4f18-af62-8f288b5c9aaf
Title : Suspicious DotNET CLR Usage Log Artifact
Rule id : e0b06658-7d1d-4cd3-bf15-03467507ff7c
Title : Suspicious File Creation In Uncommon AppData Folder
Rule id : d7b50671-d1ad-4871-aa60-5aa5b331fe04
Title : SCR File Write Event
Rule id : c048f047-7e2a-4888-b302-55f509d4a91d
Url : https://lolbas-project.github.io/lolbas/Libraries/Desk/
Pdf : pdf/f4ed3bcb211e08c6a74d4dba0d182705987952b850465fee104d6181f3043e1b.pdf
Title : Potential Persistence Via Notepad++ Plugins
Rule id : 54127bd4-f541-4ac3-afdb-ea073f63f692
Url : https://pentestlab.blog/2022/02/14/persistence-notepad-plugins/
Pdf : pdf/6138b83ca9e2ec6e699c450193486274b5c0051bfc11f4d95d300721a26622a2.pdf
Title : NTDS.DIT Created
Rule id : 0b8baa3f-575c-46ee-8715-d6f28cc7d33c
Title : NTDS.DIT Creation By Uncommon Parent Process
Rule id : 4e7050dd-e548-483f-b7d6-527ab4fa784d
Title : NTDS.DIT Creation By Uncommon Process
Rule id : 11b1ed55-154d-4e82-8ad7-83739298f720
Title : NTDS Exfiltration Filename Patterns
Rule id : 3a8da4e0-36c1-40d2-8b29-b3e890d5172a
Title : Potential Persistence Via Microsoft Office Add-In
Rule id : 8e1cb247-6cf6-42fa-b440-3f27d57e9936
Title : Office Macro File Creation
Rule id : 91174a41-dc8f-401b-be89-7bfc140612a0
Title : Office Macro File Download
Rule id : 0e29e3a7-1ad8-40aa-b691-9f82ecd33d66
Title : Office Macro File Creation From Suspicious Process
Rule id : b1c50487-1967-4315-a026-6491686d860e
Title : OneNote Attachment File Dropped In Suspicious Location
Rule id : 7fd164ba-126a-4d9c-9392-0d4f7c243df0
Title : Suspicious File Created Via OneNote Application
Rule id : fcc6d700-68d9-4241-9a1a-06874d621b06
Title : New Outlook Macro Created
Rule id : 8c31f563-f9a7-450c-bfa8-35f8f32f1f61
Url : https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
Pdf : pdf/8c183e4ae347735fd20dad82d1c7e9eb6fdc434e9b393b4a035bd51d7506bc23.pdf
Title : Potential Persistence Via Outlook Form
Rule id : c3edc6a5-d9d4-48d8-930e-aab518390917
Title : .RDP File Created by Outlook Process
Rule id : f748c45a-f8d3-4e6f-b617-fe176f695b8f
Title : Suspicious Outlook Macro Created
Rule id : 117d3d3a-755c-4a61-b23e-9171146d094c
Title : Publisher Attachment File Dropped In Suspicious Location
Rule id : 3d2a2d59-929c-4b78-8c1a-145dfe9e07b1
Url : https://twitter.com/EmericNasi/status/1623224526220804098
Pdf : pdf/27d8a973a35f31191997cbbb8c509353b3279d1a7b52f5c4f2c8dbd84dac431d.pdf
Title : Potential Persistence Via Microsoft Office Startup Folder
Rule id : 0e20c89d-2264-44ae-8238-aeeaba609ece
Title : File With Uncommon Extension Created By An Office Application
Rule id : c7a74c80-ba5a-486e-9974-ab9e682bc5e4
Title : Uncommon File Created In Office Startup Folder
Rule id : a10a2c40-2c4d-49f8-b557-1a946bc55d9d
Title : PCRE.NET Package Temp Files
Rule id : 6e90ae7a-7cd3-473f-a035-4ebb72d961da
Title : Suspicious File Created In PerfLogs
Rule id : bbb7e38c-0b41-4a11-b306-d2a457b7ac2b
Url : https://labs.withsecure.com/publications/fin7-target-veeam-servers
Pdf : pdf/bcf09078cb6247a3ea928d485651fa6eb873bd5ff379fe4aa907c61f6f3096aa.pdf
Title : Potential Binary Or Script Dropper Via PowerShell
Rule id : 7047d730-036f-4f40-b9d8-1c63e36d5e62
Url : https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
Pdf : pdf/e68de0b6374b2210244a6dac81211af1d15578900fe92e36b23b8911084ec116.pdf
Title : PowerShell Script Dropped Via PowerShell.EXE
Rule id : 576426ad-0131-4001-ae01-be175da0c108
Url : https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
Pdf : pdf/e68de0b6374b2210244a6dac81211af1d15578900fe92e36b23b8911084ec116.pdf
Title : Malicious PowerShell Scripts - FileCreation
Rule id : f331aa1f-8c53-4fc3-b083-cc159bc971cb
Title : PowerShell Module File Created
Rule id : e36941d0-c0f0-443f-bc6f-cb2952eb69ea
Title : Potential Suspicious PowerShell Module File Created
Rule id : e8a52bbd-bced-459f-bd93-64db45ce7657
Title : PowerShell Module File Created By Non-PowerShell Process
Rule id : e3845023-ca9a-4024-b2b2-5422156d5527
Title : Potential Startup Shortcut Persistence Via PowerShell.EXE
Rule id : 92fa78e7-4d39-45f1-91a3-8b23f3f1088d
Title : PSScriptPolicyTest Creation By Uncommon Process
Rule id : 1027d292-dd87-4a1a-8701-2abe04d7783c
Url : https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/
Pdf : pdf/66f2ab6c9bc31a74087d677bbc3a0f0dd16b92f244d3e7c010cd9f1555c3f38e.pdf
Title : Python Path Configuration File Creation - Windows
Rule id : e3652ba3-0ad8-4010-a957-b7ba369e7bac
Title : Rclone Config File Creation
Rule id : 34986307-b7f4-49be-92f3-e7a4d01ac5db
Url : https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
Pdf : pdf/a20c1c3dd10d17d9a76ee91daaedab58a8b41d895dfc96c69b77a640f3a888b3.pdf
Title : .RDP File Created By Uncommon Application
Rule id : fccfb43e-09a7-4bd2-8b37-a5a7df33386d
Title : Potential Winnti Dropper Activity
Rule id : 130c9e58-28ac-4f83-8574-0a4cc913b97e
Url : https://redmimicry.com/posts/redmimicry-winnti/#dropper
Pdf : pdf/a9563c86d5c976775e4dad8d9bd8d5bcc5bb0ff6294f6c1e36f7bc892ce3a04f.pdf
Title : PDF File Created By RegEdit.EXE
Rule id : 145095eb-e273-443b-83d0-f9b519b7867b
Url : https://sensepost.com/blog/2024/dumping-lsa-secrets-a-story-about-task-decorrelation/
Pdf : pdf/99562dc885df22a21b7f1cbcb7172c23da2fceb6b5c2a79d25a59ffa7b2f1835.pdf
Title : RemCom Service File Creation
Rule id : 7eff1a7f-dd45-4c20-877a-f21e342a7611
Url : https://github.com/kavika13/RemCom/
Pdf : pdf/4f00392024468ab4135cede5fa28aef297f5258c1947b1644f0ddd47f37926a2.pdf
Title : ScreenConnect Temporary Installation Artefact
Rule id : fec96f39-988b-4586-b746-b93d59fd1922
Title : Remote Access Tool - ScreenConnect Temporary File
Rule id : 0afecb6e-6223-4a82-99fb-bf5b981e92a5
Url : SigmaHQ/sigma#4467
Pdf : pdf/059cd9eb70fefa147d3c1e2faf25caf4d562495a48da6bf4de2837c7502ac548.pdf
Title : Potential RipZip Attack on Startup Folder
Rule id : a6976974-ea6f-4e97-818e-ea08625c52cb
Url : https://twitter.com/jonasLyk/status/1549338335243534336?t=CrmPocBGLbDyE4p6zTX1cg&s=19
Pdf : pdf/0db5c661d7b87039ff34be84f56ea5a49f928a9c0ab39a64c02c1dbdf30a6c4c.pdf
Title : Potential SAM Database Dump
Rule id : 4e87b8e2-2ee9-4b2a-a715-4727d297ece0
Title : Scheduled Task Created - FileCreation
Rule id : a762e74f-4dce-477c-b023-4ed81df600f9
Title : Self Extraction Directive File Created In Potentially Suspicious Location
Rule id : 760e75d8-c3b5-409b-a9bf-6130b4c4603f
Title : Windows Shell/Scripting Application File Write to Suspicious Folder
Rule id : 1277f594-a7d1-4f28-a2d3-73af5cbeab43
Title : Windows Binaries Write Suspicious Extensions
Rule id : b8fd0e93-ff58-4cbd-8f48-1c114e342e62
Title : Startup Folder File Write
Rule id : 2aa0a6b4-a865-495b-ab51-c28249537b75
Title : Creation of an Executable by an Executable
Rule id : 297afac9-5d02-4138-8c58-b977bac60556
Title : Suspicious Creation with Colorcpl
Rule id : e15b518d-b4ce-4410-a9cd-501f23ce4a18
Url : https://twitter.com/eral4m/status/1480468728324231172?s=20
Pdf : pdf/7b094f46661774f07922a70f300122852b4f9d4ac5257e4bc74051898005ae54.pdf
Title : Created Files by Microsoft Sync Center
Rule id : 409f8a98-4496-4aaa-818a-c931c0a8b832
Url : https://redcanary.com/blog/intelligence-insights-november-2021/
Pdf : pdf/3c7a07a61c263df2a4c2fdc639cc0f72e052d3c61d08141b26e42f1361ca7d9b.pdf
Title : Suspicious Files in Default GPO Folder
Rule id : 5f87308a-0a5b-4623-ae15-d8fa1809bc60
Url : https://redcanary.com/blog/intelligence-insights-november-2021/
Pdf : pdf/3c7a07a61c263df2a4c2fdc639cc0f72e052d3c61d08141b26e42f1361ca7d9b.pdf
Title : Suspicious desktop.ini Action
Rule id : 81315b50-6b60-4d8f-9928-3466e1022515
Url : https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/
Pdf : pdf/c3db1bdf5748426cff03dbf7eca96f4fcac51d0894ecc7d2234225a9660e3cdf.pdf
Title : Suspicious Creation TXT File in User Desktop
Rule id : caf02a0a-1e1c-4552-9b48-5e070bd88d11
Title : Suspicious Desktopimgdownldr Target File
Rule id : fc4f4817-0c53-4683-a4ee-b17a64bc1039
Title : Creation of a Diagcab
Rule id : 3d0ed417-3d94-4963-a562-4a92c940656a
Url : https://threadreaderapp.com/thread/1533879688141086720.html
Pdf : pdf/0c2cb880bc6fd69df538f033671cb534d93417edb085c7ff8f588bda5baa3084.pdf
Title : Suspicious Double Extension Files
Rule id : b4926b47-a9d7-434c-b3a0-adc3fa0bd13e
Title : DPAPI Backup Keys And Certificate Export Activity IOC
Rule id : 7892ec59-c5bb-496d-8968-e5d210ca3ac4
Title : Suspicious MSExchangeMailboxReplication ASPX Write
Rule id : 7280c9f3-a5af-45d0-916a-bc01cb4151c9
Url : https://redcanary.com/blog/blackbyte-ransomware/
Pdf : pdf/10e22a00a87210c9408d2d71d5b9e9edd453474d1a6f03489ae2a410620a1986.pdf
Title : Suspicious Executable File Creation
Rule id : 74babdd6-a758-4549-9632-26535279e654
Title : Suspicious Get-Variable.exe Creation
Rule id : 0c3fac91-5627-46e8-a6a8-a0d7b9b8ae1b
Title : Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream
Rule id : a8f866e1-bdd4-425e-a27a-37619238d9c7
Title : Potential Homoglyph Attack Using Lookalike Characters in Filename
Rule id : 4f1707b1-b50b-45b4-b5a2-3978b5a5d0d6
Title : Legitimate Application Dropped Archive
Rule id : 654fcc6d-840d-4844-9b07-2c3300e54a26
Title : Legitimate Application Dropped Executable
Rule id : f0540f7e-2db3-4432-b9e0-3965486744bc
Title : Legitimate Application Dropped Script
Rule id : 7d604714-e071-49ff-8726-edeb95a70679
Title : Suspicious LNK Double Extension File Created
Rule id : 3215aa19-f060-4332-86d5-5602511f3ca8
Title : Suspicious PFX File Creation
Rule id : dca1b3e8-e043-4ec8-85d7-867f334b5724
Title : PowerShell Profile Modification
Rule id : b5b78988-486d-4a80-b991-930eff3ff8bf
Title : Suspicious PROCEXP152.sys File Created In TMP
Rule id : 3da70954-0f2c-4103-adff-b7440368f50e
Url : https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
Pdf : pdf/39f9e06b249cba1b01c10d09b9aa36e2e83dfa8dafeb31b1df72a64a6ecd9afb.pdf
Title : Suspicious File Creation Activity From Fake Recycle.Bin Folder
Rule id : cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca
Title : Drop Binaries Into Spool Drivers Color Folder
Rule id : ce7066a6-508a-42d3-995b-2952c65dc2ce
Title : Suspicious Startup Folder Persistence
Rule id : 28208707-fe31-437f-9a7f-4b1108b94d2e
Url : https://github.com/last-byte/PersistenceSniper
Pdf : pdf/9894989623f57f0f9b9c1615be3ada4dbea3df0ce4c14683f2a141140b1a19c7.pdf
Title : Suspicious Interactive PowerShell as SYSTEM
Rule id : 5b40a734-99b6-4b98-a1d0-1cea51a08ab2
Url : https://jpcertcc.github.io/ToolAnalysisResultSheet/details/PowerSploit_Invoke-Mimikatz.htm
Pdf : pdf/94cc46fa857a50cb4ed48f675e2bc82d49db279b37d2417dab7ea3a4027c2f83.pdf
Title : Suspicious Scheduled Task Write to System32 Tasks
Rule id : 80e1f67a-4596-4351-98f5-a9c3efabac95
Title : TeamViewer Remote Session
Rule id : 162ab1e4-6874-4564-853c-53ec3ab8be01
Url : https://www.teamviewer.com/en-us/
Pdf : pdf/f573fa89a04980cfcad07e9e53abe622d4a65577b1f7beb0719069824a851467.pdf
Title : VsCode Powershell Profile Modification
Rule id : 3a9fa2ec-30bc-4ebd-b49e-7c9cff225502
Url : https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-7.2
Pdf : pdf/19cabaec8c205116f651ab50f986d1418e9d55d60e1714d3366592d49715c6be.pdf
Title : Windows Terminal Profile Settings Modification By Uncommon Process
Rule id : 9b64de98-9db3-4033-bd7a-f51430105f00
Title : WinSxS Executable File Creation By Non-System Process
Rule id : 34746e8c-5fb8-415a-b135-0abc167e912a
Title : LiveKD Kernel Memory Dump File Created
Rule id : 814ddeca-3d31-4265-8e07-8cc54fb44903
Title : LiveKD Driver Creation
Rule id : 16fe46bb-4f64-46aa-817d-ff7bec4a2352
Title : LiveKD Driver Creation By Uncommon Process
Rule id : 059c5af9-5131-4d8d-92b2-de4ad6146712
Title : Process Explorer Driver Creation By Non-Sysinternals Binary
Rule id : de46c52b-0bf8-4936-a327-aace94f94ac6
Title : Process Monitor Driver Creation By Non-Sysinternals Binary
Rule id : a05baa88-e922-4001-bc4d-8738135f27de
Title : PsExec Service File Creation
Rule id : 259e5a6a-b8d2-4c38-86e2-26c5e651361d
Title : PSEXEC Remote Execution File Artefact
Rule id : 304afd73-55a5-4bb9-8c21-0b1fc84ea9e4
Title : Potential Privilege Escalation Attempt Via .Exe.Local Technique
Rule id : 07a99744-56ac-40d2-97b7-2095967b0e03
Title : LSASS Process Memory Dump Creation Via Taskmgr.EXE
Rule id : 69ca12af-119d-44ed-b50f-a47af0ebc364
Title : Hijack Legit RDP Session to Move Laterally
Rule id : 52753ea4-b3a0-4365-910d-36cff487b789
Title : UAC Bypass Using Consent and Comctl32 - File
Rule id : 62ed5b55-f991-406a-85d9-e8e8fdf18789
Url | |
---|---|
https://github.com/hfiref0x/UACME | pdf/d83252bc27a4be387e3207cef6aa3e0a7433677c314506a6cdd0ad98d290043e.pdf |
Title : UAC Bypass Using .NET Code Profiler on MMC
Rule id : 93a19907-d4f9-4deb-9f91-aac4692776a6
Url | |
---|---|
https://github.com/hfiref0x/UACME | pdf/d83252bc27a4be387e3207cef6aa3e0a7433677c314506a6cdd0ad98d290043e.pdf |
Title : UAC Bypass Using EventVwr
Rule id : 63e4f530-65dc-49cc-8f80-ccfa95c69d43
Title : UAC Bypass Using IDiagnostic Profile - File
Rule id : 48ea844d-19b1-4642-944e-fe39c2cc1fec
Url | |
---|---|
https://github.com/Wh04m1001/IDiagnosticProfileUAC | pdf/a6c3acd751f5259ad360bd5a21657c38841fb9c8950b510090a16f1927fd89a9.pdf |
Title : UAC Bypass Using IEInstal - File
Rule id : bdd8157d-8e85-4397-bb82-f06cc9c71dbb
Url | |
---|---|
https://github.com/hfiref0x/UACME | pdf/d83252bc27a4be387e3207cef6aa3e0a7433677c314506a6cdd0ad98d290043e.pdf |
Title : UAC Bypass Using MSConfig Token Modification - File
Rule id : 41bb431f-56d8-4691-bb56-ed34e390906f
Url | |
---|---|
https://github.com/hfiref0x/UACME | pdf/d83252bc27a4be387e3207cef6aa3e0a7433677c314506a6cdd0ad98d290043e.pdf |
Title : UAC Bypass Using NTFS Reparse Point - File
Rule id : 7fff6773-2baa-46de-a24a-b6eec1aba2d1
Url | |
---|---|
https://github.com/hfiref0x/UACME | pdf/d83252bc27a4be387e3207cef6aa3e0a7433677c314506a6cdd0ad98d290043e.pdf |
Title : UAC Bypass Abusing Winsat Path Parsing - File
Rule id : 155dbf56-e0a4-4dd0-8905-8a98705045e8
Url | |
---|---|
https://github.com/hfiref0x/UACME | pdf/d83252bc27a4be387e3207cef6aa3e0a7433677c314506a6cdd0ad98d290043e.pdf |
Title : UAC Bypass Using Windows Media Player - File
Rule id : 68578b43-65df-4f81-9a9b-92f32711a951
Url | |
---|---|
https://github.com/hfiref0x/UACME | pdf/d83252bc27a4be387e3207cef6aa3e0a7433677c314506a6cdd0ad98d290043e.pdf |
Title : VHD Image Download Via Browser
Rule id : 8468111a-ef07-4654-903b-b863a80bbc95
Title : VsCode Code Tunnel Execution File Indicator
Rule id : 9661ec9d-4439-4a7a-abed-d9be4ca43b6d
Title : Visual Studio Code Tunnel Remote File Creation
Rule id : 56e05d41-ce99-4ecd-912d-93f019ee0b71
Title : Renamed VsCode Code Tunnel Execution - File Indicator
Rule id : d102b8f5-61dc-4e68-bd83-9a3187c67377
Title : WebDAV Temporary Local File Creation
Rule id : 4c55738d-72d8-490e-a2db-7969654e375f
Title : Potential Webshell Creation On Static Website
Rule id : 39f1f9f2-9636-45de-98f6-a4046aa8e4b9
Title : Creation of an WerFault.exe in Unusual Folder
Rule id : 28a452f3-786c-4fd8-b8f2-bddbe9d616d1
Url | |
---|---|
https://www.bleepingcomputer.com/news/security/hackers-are-now-hiding-malware-in-windows-event-logs/ | pdf/98ee9591f3f9db5d2cb8dc74cc4dab135feac15681f271898370ad313a6cce46.pdf |
Title : AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File
Rule id : d353dac0-1b41-46c2-820c-d7d2561fc6ed
Title : WMI Persistence - Script Event Consumer File Write
Rule id : 33f41cdd-35ac-4ba8-814b-c6a4244a1ad4
Url | |
---|---|
https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/ | pdf/004ad9fb23567ac10f1e6fb8d05c093085a2265e916adb38e141b21aab7a1f43.pdf |
Title : Wmiexec Default Output File
Rule id : 8d5aca11-22b3-4f22-b7ba-90e60533e1fb
Title : Wmiprvse Wbemcomn DLL Hijack - File
Rule id : 614a7e17-5643-4d89-b6fe-f9df1a79641c
Url | |
---|---|
https://threathunterplaybook.com/hunts/windows/201009-RemoteWMIWbemcomnDLLHijack/notebook.html | pdf/48fa2f0c27fb84efdab4a9f87c0c08dc3bbcbeed8ccb2e3cb0c99392188266c3.pdf |
Title : UEFI Persistence Via Wpbbin - FileCreation
Rule id : e94b9ddc-eec5-4bb8-8a58-b9dc5f4e185f
Title : Writing Local Admin Share
Rule id : 4aafb0fa-bff5-4b9d-b99e-8093e659c65f
Title : Potentially Suspicious Self Extraction Directive File Created
Rule id : ab90dab8-c7da-4010-9193-563528cfa347
Title : Non-DLL Extension File Renamed With DLL Extension
Rule id : bbfd974c-248e-4435-8de6-1e938c79c5c1
Title : Suspicious Appended Extension
Rule id : e3f673b3-65d1-4d80-9146-466f8b63fa99
Title : Exploitation Indicator Of CVE-2022-42475
Rule id : 293ccb8c-bed8-4868-8296-bef30e303b7e