Data Source: Elastic Endgame
https://detection.fyi/tags/data-source-elastic-endgame/

PUA - WebBrowserPassView Execution
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_pua_webbrowserpassview/
Detects the execution of WebBrowserPassView.exe. A password recovery tool that reveals the passwords stored by the following Web browsers, Internet Explorer …

Failed Logon From Public IP
https://detection.fyi/sigmahq/sigma/windows/builtin/security/account_management/win_security_susp_failed_logon_source/
Detects a failed logon attempt from a public IP. A login from a public IP can indicate a misconfigured firewall or network boundary.

Bitbucket User Login Failure
https://detection.fyi/sigmahq/sigma/application/bitbucket/audit/bitbucket_audit_user_login_failure_detected/
Detects user authentication failure events. Please note that this rule can be noisy and it is recommended to use with correlation based on …

Scheduled Cron Task/Job - MacOs
https://detection.fyi/sigmahq/sigma/macos/process_creation/proc_creation_macos_schedule_task_job_cron/
Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs...

RunDLL32 Spawning Explorer
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_rundll32_spawn_explorer/
Detects RunDLL32.exe spawning explorer.exe as child, which is very uncommon, often observes Gamarue spawning the explorer.exe process in an unusual way

Suspicious Speech Runtime Binary Child Process
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_speechruntime_child_process/
Detects suspicious Speech Runtime Binary Execution by monitoring its child processes. Child processes spawned by SpeechRuntime.exe could indicate an attempt...

AgentExecutor PowerShell Execution
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_agentexecutor_potential_abuse/
Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy

Potential Suspicious Windows Feature Enabled - ProcCreation
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature/
Detects usage of the built-in PowerShell cmdlet

Network Connection Initiated By Regsvr32.EXE
https://detection.fyi/sigmahq/sigma/windows/network_connection/net_connection_win_regsvr32_network_activity/
Detects a network connection initiated by

Registry Persistence via Service in Safe Mode
https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode/
Detects the modification of the registry to allow a driver or service to persist in Safe Mode.

Windows Kernel Debugger Execution
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_kd_execution/
Detects execution of the Windows Kernel Debugger

Wmic Launch regsvr32
https://detection.fyi/joesecurity/sigma-rules/wmiclaunchregsvr32/
Wmic launch regsvr32

ProxyLogon Reset Virtual Directories Based On IIS Log
https://detection.fyi/sigmahq/sigma/emerging-threats/2021/exploits/cve-2021-26858/web_cve_2021_26858_iis_rce/
When exploiting this vulnerability with CVE-2021-26858, an SSRF attack is used to manipulate virtual directories

Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module
https://detection.fyi/sigmahq/sigma/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex/
Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference...

HackTool - Hydra Password Bruteforce Execution
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_hktl_hydra/
Detects command line parameters used by Hydra password guessing hack tool

Potential ShellDispatch.DLL Functionality Abuse
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_rundll32_shelldispatch_potential_abuse/

Sysmon Blocked File Shredding
https://detection.fyi/sigmahq/sigma/windows/sysmon/sysmon_file_block_shredding/
Triggers on any Sysmon

Creation Of Non-Existent System DLL
https://detection.fyi/sigmahq/sigma/windows/file/file_event/file_event_win_create_non_existent_dlls/
Detects creation of specific system DLL files that are usually not present on the system (or at least not in system directories) but may be loaded by …

ISATAP Router Address Was Set
https://detection.fyi/sigmahq/sigma/windows/builtin/system/microsoft_windows_iphlpsvc/win_system_isatap_router_address_set/
Detects the configuration of a new ISATAP router on a Windows host. While ISATAP is a legitimate Microsoft technology for IPv6 transition, unexpected or …

ESXi Admin Permission Assigned To Account Via ESXCLI
https://detection.fyi/sigmahq/sigma/linux/process_creation/proc_creation_lnx_esxcli_permission_change_admin/
Detects execution of the

attack.t1553
https://detection.fyi/tags/attack.t1553/

VsCode Powershell Profile Modification
https://detection.fyi/sigmahq/sigma/windows/file/file_event/file_event_win_susp_vscode_powershell_profile/
Detects the creation or modification of a vscode related powershell profile which could indicate suspicious activity as the profile can be used as a mean of …

attack.t1587
https://detection.fyi/tags/attack.t1587/

attack.t1203
https://detection.fyi/tags/attack.t1203/

Exploitation of CVE-2021-26814 in Wazuh
https://detection.fyi/sigmahq/sigma/emerging-threats/2021/exploits/cve-2021-26814/web_cve_2021_26814_wzuh_rce/
Detects the exploitation of the Wazuh RCE vulnerability described in CVE-2021-26814

attack.t1176
https://detection.fyi/tags/attack.t1176/

PCRE.NET Package Temp Files
https://detection.fyi/sigmahq/sigma/windows/file/file_event/file_event_win_pcre_net_temp_file/
Detects processes creating temp files related to PCRE.NET package

Potential Commandline Obfuscation Using Escape Characters
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_susp_cli_obfuscation_escape_char/
Detects potential commandline obfuscation using known escape characters

attack.lateral_movement
https://detection.fyi/tags/attack.lateral_movement/

Potential Process Injection Via Msra.EXE
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_msra_process_injection/
Detects potential process injection via Microsoft Remote Assistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned …

attack.discovery
https://detection.fyi/tags/attack.discovery/

New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll/
Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server …

Remote Access Tool - LogMeIn Execution
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_remote_access_tools_logmein/
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an …

Potentially Suspicious EventLog Recon Activity Using Log Query Utilities
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_susp_eventlog_content_recon/
Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs. This …

Potential Devil Bait Malware Reconnaissance
https://detection.fyi/sigmahq/sigma/emerging-threats/2021/malware/devil-bait/proc_creation_win_malware_devil_bait_output_redirect/
Detects specific process behavior observed with Devil Bait samples

SyncAppvPublishingServer Bypass Powershell Restriction - PS Module
https://detection.fyi/sigmahq/sigma/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe/
Detects SyncAppvPublishingServer process execution which is usually utilized by adversaries to bypass PowerShell execution restrictions.

Uncommon Child Process Of Appvlp.EXE
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_appvlp_uncommon_child_process/
Detects uncommon child processes of Appvlp.EXE. Appvlp, or the Application Virtualization Utility, is included with Microsoft Office. Attackers are able to abuse …

Impacket AtExec Suspicious Temp File Creation
https://detection.fyi/mbabinski/sigma-rules/2023_impacket/atexec/win_file_creation_impacket_atexec/
Detects Atexec.py (Impacket) suspicious file creation in Windows temp directory.

Creation Of An User Account
https://detection.fyi/sigmahq/sigma/linux/auditd/syscall/lnx_auditd_create_account/
Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the …

CVE-2024-1708 - ScreenConnect Path Traversal Exploitation
https://detection.fyi/sigmahq/sigma/emerging-threats/2024/exploits/cve-2024-1708/file_event_win_exploit_cve_2024_1708_screenconnect/
This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions...

File Creation of Executables in Temp Folders (Event 4663)
https://detection.fyi/mbabinski/sigma-rules/2022_renamesystemutilities/file_creation_exe_in_temp_directories_4663/
Detects creation of files potentially matching attempts to copy executables to temporary directories to hide usage.

attack.t1562
https://detection.fyi/tags/attack.t1562/

attack.t1003
https://detection.fyi/tags/attack.t1003/

car.2022-03-001
https://detection.fyi/tags/car.2022-03-001/

Potential CVE-2021-26857 Exploitation Attempt
https://detection.fyi/sigmahq/sigma/emerging-threats/2021/exploits/cve-2021-26857/proc_creation_win_exploit_cve_2021_26857_msexchange/
Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for abnormal subprocesses spawning by Exchange Server's …

New DLL Registered Via Odbcconf.EXE
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr/
Detects execution of

Potential Binary Impersonating Sysinternals Tools
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_sysinternals_tools_masquerading/
Detects binaries that use the same name as legitimate sysinternals tools to evade detection. This rule looks for the execution of binaries that are named …

attack.t1490
https://detection.fyi/tags/attack.t1490/

Potentially Suspicious Usage Of Qemu
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_qemu_suspicious_execution/
Detects potentially suspicious execution of the Qemu utility in a Windows environment. Threat actors have leveraged this utility and this technique for …

attack.t1110
https://detection.fyi/tags/attack.t1110/

Azure Virtual Network Device Modified or Deleted
https://detection.fyi/sigmahq/sigma/cloud/azure/activity_logs/azure_network_virtual_device_modified_or_deleted/
Identifies when a virtual network device is being modified or deleted. This can be a network interface, network virtual appliance, virtual hub, or virtual …

Suspicious Execution of Hostname
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_hostname_execution/
Use of hostname to get information

Office product drops executable at suspicious location
https://detection.fyi/joesecurity/sigma-rules/officeproductdropsexecutableatsuspiciouslocation/
Office product drops executable at suspicious location

AddinUtil.EXE Execution From Uncommon Directory
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_addinutil_uncommon_dir_exec/
Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) from a non-standard directory.

Meterpreter or Cobalt Strike Getsystem Service Installation - Security
https://detection.fyi/sigmahq/sigma/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install/
Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation

PsExec Service File Creation
https://detection.fyi/sigmahq/sigma/windows/file/file_event/file_event_win_sysinternals_psexec_service/
Detects default PsExec service filename which indicates PsExec service installation and execution

attack.t1055.003
https://detection.fyi/tags/attack.t1055.003/

Defrag Deactivation
https://detection.fyi/sigmahq/sigma/emerging-threats/2018/ta/slingshot/proc_creation_win_apt_slingshot/
Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group

attack.t1543.003
https://detection.fyi/tags/attack.t1543.003/

Clearing Windows Console History
https://detection.fyi/sigmahq/sigma/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history/
Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken...

Credential Manager Access By Uncommon Applications
https://detection.fyi/sigmahq/sigma/windows/file/file_access/file_access_win_susp_credential_manager_access/
Detects suspicious processes based on name and location that access the windows credential manager and vault, which can be a sign of credential stealing. …

Wab Execution From Non Default Location
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location/
Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity

Windows Defender Grace Period Expired
https://detection.fyi/sigmahq/sigma/windows/builtin/windefend/win_defender_antimalware_platform_expired/
Detects the expiration of the grace period of Windows Defender. This means protection against viruses, spyware, and other potentially unwanted software is …

HackTool - Dumpert Process Dumper Default File
https://detection.fyi/sigmahq/sigma/windows/file/file_event/file_event_win_hktl_dumpert/
Detects the creation of the default dump file used by Outflank Dumpert tool. A process dumper, which dumps the lsass process memory

CVE-2021-21978 Exploitation Attempt
https://detection.fyi/sigmahq/sigma/emerging-threats/2021/exploits/cve-2021-21978/web_cve_2021_21978_vmware_view_planner_exploit/
Detects the exploitation of the VMware View Planner vulnerability described in CVE-2021-21978

Unsigned AppX Installation Attempt Using Add-AppxPackage
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages/
Detects usage of the

Potentially Suspicious Named Pipe Created Via Mkfifo
https://detection.fyi/sigmahq/sigma/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation_susp_location/
Detects the creation of a new named pipe using the

Potentially Suspicious Child Processes Spawned by ConHost
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_conhost_susp_winshell_child_process/
Detects suspicious child processes related to Windows Shell utilities spawned by conhost.exe, which could indicate malicious activity using trusted system …

Suspicious MSHTA Child Process
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_mshta_susp_child_processes/
Detects a suspicious process spawning from an

Data Export From MSSQL Table Via BCP.EXE
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_bcp_export_data/
Detects the execution of the BCP utility in order to export data from the database. Attackers were seen saving their malware to a database column or table and …

attack.t1546.008
https://detection.fyi/tags/attack.t1546.008/

attack.t1027
https://detection.fyi/tags/attack.t1027/

Azure Owner Removed From Application or Service Principal
https://detection.fyi/sigmahq/sigma/cloud/azure/activity_logs/azure_owner_removed_from_application_or_service_principal/
Identifies when an owner was removed from an application or service principal in Azure.

Suspicious Process Injection to RegAsm
https://detection.fyi/mbabinski/sigma-rules/2023_onenote_malware/win_proc_creation_regasm_process_injection/
Detects potential process injection of RegAsm.exe as indicated by lack of command-line arguments. This was observed in a recent campaign to distribute AsyncRAT...

Pingback Backdoor File Indicators
https://detection.fyi/sigmahq/sigma/emerging-threats/2021/malware/pingback/file_event_win_malware_pingback_backdoor/
Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report

Security Eventlog Cleared
https://detection.fyi/sigmahq/sigma/windows/builtin/security/win_security_audit_log_cleared/
One of the Windows Eventlogs has been cleared. e.g. caused by

Suspicious X509Enrollment - Ps Script
https://detection.fyi/sigmahq/sigma/windows/powershell/powershell_script/posh_ps_x509enrollment/
Detect use of X509Enrollment

attack.t1003.001
https://detection.fyi/tags/attack.t1003.001/

Okta FastPass Phishing Detection
https://detection.fyi/sigmahq/sigma/identity/okta/okta_fastpass_phishing_detection/
Detects when Okta FastPass prevents a known phishing site.

Suspicious PowerShell Invocations - Specific - ProcessCreation
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_powershell_invocation_specific/
Detects suspicious PowerShell invocation command parameters

Arbitrary File Download Via PresentationHost.EXE
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_presentationhost_download/

attack.command-and-control
https://detection.fyi/tags/attack.command-and-control/

UAC Secure Desktop Prompt Disabled
https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_uac_disable_secure_desktop_prompt/
Detects when an attacker tries to change User Account Control (UAC) elevation request destination via the

Mstsc.EXE Execution From Uncommon Parent
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_mstsc_run_local_rpd_file_susp_parent/
Detects potential RDP connection via Mstsc using a local

HackTool - SafetyKatz Dump Indicator
https://detection.fyi/sigmahq/sigma/windows/file/file_event/file_event_win_hktl_safetykatz/
Detects default lsass dump filename generated by SafetyKatz.

Executable from Webdav
https://detection.fyi/sigmahq/sigma/network/zeek/zeek_http_executable_download_from_webdav/
Detects executable access via webdav6. Can be seen in APT 29 such as from the emulated APT 29 hackathon https://github.com/OTRF/detection-hackathon-apt29/

Scheduled Task Executing Encoded Payload from Registry
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_schtasks_reg_loader_encoded/
Detects the creation of a schtask that potentially executes a base64 encoded payload stored in the Windows Registry using PowerShell.

Potential Persistence Via Visual Studio Tools for Office
https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_persistence_office_vsto/
Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.

Start Windows Service Via Net.EXE
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_net_start_service/
Detects the usage of the

CVE-2021-22205
https://detection.fyi/loginsoft-research/detection-rules/active-exploits/cve-2021-22205/
Detection of CVE-2021-22205 observed from our Honeypots

Assembly DLL Creation Via AspNetCompiler
https://detection.fyi/sigmahq/sigma/windows/file/file_event/file_event_win_aspnet_temp_files/
Detects the creation of new DLL assembly files by

attack.t1053.005
https://detection.fyi/tags/attack.t1053.005/

Remote AppX Package Downloaded from File Sharing or CDN Domain
https://detection.fyi/sigmahq/sigma/windows/builtin/appxdeployment_server/win_appxdeployment_server_appx_downloaded_from_file_sharing_domains/
Detects an appx package that was added to the pipeline of the

Wannacry Killswitch Domain
https://detection.fyi/sigmahq/sigma/network/dns/net_dns_wannacry_killswitch_domain/
Detects wannacry killswitch domain dns queries

Local Groups Reconnaissance Via Wmic.EXE
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_wmic_recon_group/
Detects the execution of

Potential SmadHook.DLL Sideloading
https://detection.fyi/sigmahq/sigma/windows/image_load/image_load_side_load_smadhook/
Detects potential DLL sideloading of

Disable Security Tools
https://detection.fyi/sigmahq/sigma/macos/process_creation/proc_creation_macos_disable_security_tools/
Detects disabling security tools

Suspicious FromBase64String Usage On Gzip Archive - Process Creation
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_powershell_frombase64string_archive/
Detects attempts of decoding a base64 Gzip archive via PowerShell. This technique is often used as a method to load malicious content into memory afterward.

Query Tor Onion Address - DNS Client
https://detection.fyi/sigmahq/sigma/windows/builtin/dns_client/win_dns_client_tor_onion/
Detects DNS resolution of an .onion address related to Tor routing networks