Robuta

Results (all from Detection.FYI):

Impacket AtExec Suspicious Temp File Creation
https://detection.fyi/mbabinski/sigma-rules/2023_impacket/atexec/win_file_creation_impacket_atexec/
Detects Atexec.py (Impacket) suspicious file creation in the Windows temp directory.

PsExec Service File Creation
https://detection.fyi/sigmahq/sigma/windows/file/file_event/file_event_win_sysinternals_psexec_service/
Detects the default PsExec service filename, which indicates PsExec service installation and execution.

Suspicious FromBase64String Usage On Gzip Archive - Process Creation
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_powershell_frombase64string_archive/
Detects attempts to decode a base64-encoded Gzip archive via PowerShell. This technique is often used to load malicious content into memory afterward.

RemCom Service File Creation
https://detection.fyi/sigmahq/sigma/windows/file/file_event/file_event_win_remcom_service/
Detects the default RemCom service filename, which indicates RemCom service installation and execution.

Potentially Suspicious WDAC Policy File Creation
https://detection.fyi/sigmahq/sigma/windows/file/file_event/file_event_win_susp_wdac_policy_creation/
Detects suspicious Windows Defender Application Control (WDAC) policy file creation from abnormal processes, which could be abused by an attacker to block EDR/AV …

Forest Blizzard APT - JavaScript Constrained File Creation
https://detection.fyi/sigmahq/sigma/emerging-threats/2024/ta/forest-blizzard/file_event_win_apt_forest_blizzard_constrained_js/
Detects the creation of JavaScript files inside the DriverStore directory. Forest Blizzard used this to exploit the CVE-2022-38028 vulnerability in Windows …

Potential SAP NetWeaver Webshell Creation
https://detection.fyi/sigmahq/sigma/emerging-threats/2025/exploits/cve-2025-31324/file_event_win_sap_netweaver_webshell_creation/
Detects the creation of suspicious files (jsp, java, class) in SAP NetWeaver directories, which may indicate exploitation attempts of vulnerabilities such as …

Potential COM Objects Download Cradles Usage - Process Creation
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_powershell_download_com_cradles/
Detects usage of COM objects, referenced by CLSID, that can be abused to download files in PowerShell.

Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation
https://detection.fyi/sigmahq/sigma/emerging-threats/2023/exploits/cve-2023-36874/file_event_win_exploit_cve_2023_36874_wermgr_creation/
Detects the creation of a file named …

Creation Of Non-Existent System DLL
https://detection.fyi/sigmahq/sigma/windows/file/file_event/file_event_win_create_non_existent_dlls/
Detects creation of specific system DLL files that are usually not present on the system (or at least not in system directories) but may be loaded by …

Creation Of An User Account
https://detection.fyi/sigmahq/sigma/linux/auditd/syscall/lnx_auditd_create_account/
Detects the creation of a new user account. Such accounts may be used for persistence that does not require persistent remote access tools to be deployed on the …

File Creation of Executables in Temp Folders (Event 4663)
https://detection.fyi/mbabinski/sigma-rules/2022_renamesystemutilities/file_creation_exe_in_temp_directories_4663/
Detects creation of files potentially matching attempts to copy executables to temporary directories to hide their usage.

Assembly DLL Creation Via AspNetCompiler
https://detection.fyi/sigmahq/sigma/windows/file/file_event/file_event_win_aspnet_temp_files/
Detects the creation of new DLL assembly files by …

Number Of Resource Creation Or Deployment Activities
https://detection.fyi/sigmahq/sigma/cloud/azure/activity_logs/azure_creating_number_of_resources_detection/
Detects a number of VM creation or deployment activities occurring in Azure, via the azureactivity log.

Scheduled Task Creation with Curl and PowerShell Execution Combo
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_schtasks_curl_and_powershell_combo/
Detects the creation of a scheduled task using schtasks.exe, potentially in combination with curl for downloading payloads and PowerShell for executing them. …

Remote Thread Creation By Uncommon Source Image
https://detection.fyi/sigmahq/sigma/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_source_image/
Detects uncommon processes creating remote threads.

Disable Administrative Share Creation at Startup
https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_disable_administrative_share/
Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk …

Suspicious PrinterPorts Creation (CVE-2020-1048)
https://detection.fyi/sigmahq/sigma/emerging-threats/2020/exploits/cve-2020-1048/proc_creation_win_exploit_cve_2020_1048/
Detects commands that add a new printer port pointing to a suspicious file.

Creation of WerFault.exe/Wer.dll in Unusual Folder
https://detection.fyi/sigmahq/sigma/windows/file/file_event/file_event_win_werfault_dll_hijacking/
Detects the creation of a file named …

Sysmon File Executable Creation Detected
https://detection.fyi/sigmahq/sigma/windows/sysmon/sysmon_file_executable_detected/
Triggers on any Sysmon-detected …

Suspicious Creation TXT File in User Desktop
https://detection.fyi/sigmahq/sigma/windows/file/file_event/file_event_win_susp_desktop_txt/
Ransomware creates a txt file on the user's Desktop.

Potential SAP NetWeaver Webshell Creation - Linux
https://detection.fyi/sigmahq/sigma/emerging-threats/2025/exploits/cve-2025-31324/file_event_lnx_sap_netweaver_webshell_creation/
Detects the creation of suspicious files (jsp, java, class) in SAP NetWeaver directories, which may indicate exploitation attempts of vulnerabilities such as …

Creation of a Local Hidden User Account by Registry
https://detection.fyi/sigmahq/sigma/windows/registry/registry_event/registry_event_add_local_hidden_user/
Sysmon registry detection of a local hidden user account.
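As an added example (not code from Detection.FYI, SigmaHQ, or any of the rule authors listed above), the block below encodes five of the detections in this list as Sigma-style AND selections and runs them over constructed Sysmon-like events. The concrete patterns are my assumptions derived from the rule descriptions: PSEXESVC.exe as PsExec's default service binary, RemComSvc.exe as RemCom's, a .tmp file under Windows\Temp for atexec.py output, the SAM Users\Names key with a trailing "$" for a hidden account, and the literal "H4sI" (base64 of the gzip magic bytes 1f 8b 08) for the Gzip-archive rule. The sample events are constructed, not real telemetry.

```python
"""Mini Sigma-style matcher over constructed Sysmon-like events (added example)."""
import base64
import gzip

# Each rule: title, the event category it applies to, and a list of
# (field, operator, value) conditions that must ALL match (Sigma "selection").
# Sigma string matching is case-insensitive by default; we mirror that below.
RULES = [
    {"title": "PsExec Service File Creation", "category": "file_event",
     # assumption: PsExec drops its service binary as PSEXESVC.exe
     "all": [("TargetFilename", "endswith", "\\PSEXESVC.exe")]},
    {"title": "RemCom Service File Creation", "category": "file_event",
     # assumption: RemCom drops its service binary as RemComSvc.exe
     "all": [("TargetFilename", "endswith", "\\RemComSvc.exe")]},
    {"title": "Impacket AtExec Suspicious Temp File Creation", "category": "file_event",
     # assumption: atexec.py writes command output to a .tmp file in Windows\Temp
     "all": [("TargetFilename", "contains", "\\Windows\\Temp\\"),
             ("TargetFilename", "endswith", ".tmp")]},
    {"title": "Suspicious FromBase64String Usage On Gzip Archive - Process Creation",
     "category": "process_creation",
     # 'H4sI' is the base64 encoding of the gzip header bytes 1f 8b 08
     "all": [("CommandLine", "contains", "FromBase64String"),
             ("CommandLine", "contains", "H4sI")]},
    {"title": "Creation of a Local Hidden User Account by Registry", "category": "registry_event",
     # assumption: hidden local accounts are named with a trailing '$' under SAM\...\Users\Names
     "all": [("TargetObject", "contains", "\\SAM\\SAM\\Domains\\Account\\Users\\Names\\"),
             ("TargetObject", "endswith", "$")]},
]

# Constructed sample events (not real telemetry). Events 6 and 7 are benign controls:
# a normal document write, and base64 decoding that is not a gzip archive.
SAMPLE_EVENTS = [
    {"id": 1, "category": "file_event", "Image": "C:\\Windows\\System32\\services.exe",
     "TargetFilename": "C:\\Windows\\PSEXESVC.exe"},
    {"id": 2, "category": "file_event", "Image": "C:\\Windows\\System32\\services.exe",
     "TargetFilename": "C:\\Windows\\RemComSvc.exe"},
    {"id": 3, "category": "file_event", "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "C:\\Windows\\Temp\\abcdefgh.tmp"},
    {"id": 4, "category": "process_creation",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     # constructed cradle; the base64 payload is truncated on purpose
     "CommandLine": ("powershell -nop -w hidden -c \"IEX (New-Object IO.StreamReader("
                     "(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream("
                     ",[Convert]::FromBase64String('H4sIAAAAAAAAA...'))),"
                     "[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()\"")},
    {"id": 5, "category": "registry_event", "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\support$"},
    {"id": 6, "category": "file_event", "Image": "C:\\Program Files\\Notepad++\\notepad++.exe",
     "TargetFilename": "C:\\Users\\alice\\Documents\\notes.txt"},
    {"id": 7, "category": "process_creation",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -c \"[Convert]::FromBase64String('SGVsbG8=')\""},
]


def _matches(event: dict, rule: dict) -> bool:
    """True when the event is in the rule's category and every condition holds."""
    if event.get("category") != rule["category"]:
        return False
    for field, op, value in rule["all"]:
        actual = str(event.get(field, "")).lower()
        needle = value.lower()
        if op == "contains":
            if needle not in actual:
                return False
        elif op == "endswith":
            if not actual.endswith(needle):
                return False
        else:
            raise ValueError(f"unsupported operator: {op}")
    return True


def run_rules(events, rules=RULES):
    """Return (event id, rule title) pairs for every rule that fires on each event."""
    return [(ev["id"], rule["title"]) for ev in events for rule in rules if _matches(ev, rule)]


def gzip_base64_prefix(payload: bytes = b"Write-Host 'hi'") -> str:
    """Show why the Gzip rule keys on 'H4sI': every gzip stream starts with 1f 8b 08,
    and those three bytes always base64-encode to the same four characters."""
    return base64.b64encode(gzip.compress(payload)).decode()[:4]


if __name__ == "__main__":
    for event_id, title in run_rules(SAMPLE_EVENTS):
        print(f"event {event_id}: {title}")
    print("gzip base64 prefix:", gzip_base64_prefix())
```

The controls matter as much as the hits: event 7 decodes base64 but carries no gzip header, so the Gzip rule stays quiet, and the AtExec rule ignores event 1 because the PsExec binary is not under Windows\Temp. When porting real Sigma rules, keep the same discipline and check each rule against a benign event that shares one of its conditions.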