https://detection.fyi/sigmahq/sigma/emerging-threats/2020/ta/lazarus/proc_creation_win_apt_lazarus_group_activity/
Lazarus Group Activity | Detection.FYI
Detects different process execution behaviors as described in various threat reports on Lazarus group activity
https://detection.fyi/sigmahq/sigma/emerging-threats/2017/malware/plugx/proc_creation_win_malware_plugx_susp_exe_locations/
Potential PlugX Activity | Detection.FYI
Detects the execution of an executable that is typically used by PlugX for DLL side loading starting from an uncommon location
https://detection.fyi/sigmahq/sigma/cloud/aws/cloudtrail/aws_passed_role_to_glue_development_endpoint/
AWS Glue Development Endpoint Activity | Detection.FYI
Detects possible suspicious glue development endpoint activity.
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_rasdial_execution/
Suspicious RASdial Activity | Detection.FYI
Detects suspicious process related to rasdial.exe
https://detection.fyi/sigmahq/sigma/emerging-threats/2021/malware/conti/proc_creation_win_malware_conti_ransomware_commands/
Potential Conti Ransomware Activity | Detection.FYI
Detects a specific command used by the Conti ransomware group
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_susp_crypto_mining_monero/
Potential Crypto Mining Activity | Detection.FYI
Detects command line parameters or strings often used by crypto miners
https://detection.fyi/sigmahq/sigma/emerging-threats/2018/ta/apt32-oceanlotus/registry_event_apt_oceanlotus_registry/
OceanLotus Registry Activity | Detection.FYI
Detects registry keys created in OceanLotus (also known as APT32) attacks
https://detection.fyi/sigmahq/sigma/cloud/aws/cloudtrail/aws_ec2_import_key_pair_activity/
AWS Key Pair Import Activity | Detection.FYI
Detects the import of SSH key pairs into AWS EC2, which may indicate an attacker attempting to gain unauthorized access to instances. This activity could lead …
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_susp_eventlog_content_recon/
Potentially Suspicious EventLog Recon Activity Using Log Query Utilities | Detection.FYI
Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs. This …
https://detection.fyi/sigmahq/sigma/emerging-threats/2023/ta/equationgroup/proxy_apt_equation_group_triangulation_c2_coms/
Potential Operation Triangulation C2 Beaconing Activity - Proxy | Detection.FYI
Detects potential beaconing activity to domains used in 0day attacks on iOS devices and revealed by Kaspersky and the FSB
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_susp_gather_network_info_execution/
Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS | Detection.FYI
Detects execution of the built-in script located in
https://detection.fyi/loginsoft-research/detection-rules/threat-detection/cve-2022-26134/cve-2022-26134_confluence_exploit_activity_webserver/
Confluence Exploit Activity on Webserver Logs | Detection.FYI
Detection for Confluence server activity found on webserver logs
https://detection.fyi/sigmahq/sigma/web/proxy_generic/proxy_ua_rclone/
Rclone Activity via Proxy | Detection.FYI
Detects the use of rclone, a command-line program to manage files on cloud storage, via its default user-agent string
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_hktl_sliver_c2_execution_pattern/
HackTool - Sliver C2 Implant Activity Pattern | Detection.FYI
Detects process activity patterns as seen being used by Sliver C2 framework implants
https://detection.fyi/sigmahq/sigma/emerging-threats/2023/exploits/cve-2023-46747/web_cve_2023_46747_f5_remote_code_execution/
CVE-2023-46747 Exploitation Activity - Webserver | Detection.FYI
Detects exploitation activity of CVE-2023-46747, an unauthenticated remote code execution vulnerability in F5 BIG-IP.
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_secedit_execution/
Potential Suspicious Activity Using SeCEdit | Detection.FYI
Detects potentially suspicious behaviour using secedit.exe, such as exporting or modifying the security policy.
https://detection.fyi/sigmahq/sigma/windows/file/file_event/file_event_win_susp_dpapi_backup_and_cert_export_ioc/
DPAPI Backup Keys And Certificate Export Activity IOC | Detection.FYI
Detects file names with specific patterns seen generated and used by tools such as Mimikatz and DSInternals related to exported or stolen DPAPI backup keys and...
https://detection.fyi/sigmahq/sigma/windows/builtin/security/win_security_susp_lsass_dump/
Password Dumper Activity on LSASS | Detection.FYI
Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN
https://detection.fyi/sigmahq/sigma/windows/image_load/image_load_scrcons_wmi_scripteventconsumer/
WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load | Detection.FYI
Detects signs of the WMI script host process
https://detection.fyi/sigmahq/sigma/emerging-threats/2025/exploits/cve-2025-59287/win_wsus_exploit_cve_2025_59287/
Exploitation Activity of CVE-2025-59287 - WSUS Deserialization | Detection.FYI
Detects cast exceptions in Windows Server Update Services (WSUS) application logs that highly indicate exploitation attempts of CVE-2025-59287, a …