https://detection.fyi/sigmahq/sigma/windows/network_connection/net_connection_win_regsvr32_network_activity/
Network Connection Initiated By Regsvr32.EXE | Detection.FYI
Detects a network connection initiated by
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_msra_process_injection/
Potential Process Injection Via Msra.EXE | Detection.FYI
Detects potential process injection via Microsoft Remote Assistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned …
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll/
New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE | Detection.FYI
Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server …
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_appvlp_uncommon_child_process/
Uncommon Child Process Of Appvlp.EXE | Detection.FYI
Detects uncommon child processes of Appvlp.EXE. Appvlp, or the Application Virtualization Utility, is included with Microsoft Office. Attackers are able to abuse …
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr/
New DLL Registered Via Odbcconf.EXE | Detection.FYI
Detects execution of
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_bcp_export_data/
Data Export From MSSQL Table Via BCP.EXE | Detection.FYI
Detects the execution of the BCP utility in order to export data from the database. Attackers were seen saving their malware to a database column or table and …
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_presentationhost_download/
Arbitrary File Download Via PresentationHost.EXE | Detection.FYI
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_net_start_service/
Start Windows Service Via Net.EXE | Detection.FYI
Detects the usage of the
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_wmic_recon_group/
Local Groups Reconnaissance Via Wmic.EXE | Detection.FYI
Detects the execution of
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_cmd_copy_dmp_from_share/
Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE | Detection.FYI
Detects usage of the copy builtin cmd command to copy files with the
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_lodctr_performance_counter_tampering/
Rebuild Performance Counter Values Via Lodctr.EXE | Detection.FYI
Detects the execution of
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_certutil_encode/
File Encoded To Base64 Via Certutil.EXE | Detection.FYI
Detects the execution of certutil with the
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_sc_sdset_hide_sevices/
Service DACL Abuse To Hide Services Via Sc.EXE | Detection.FYI
Detects usage of the
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data/
Deleted Data Overwritten Via Cipher.EXE | Detection.FYI
Detects usage of the
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_netsh_fw_rules_discovery/
Firewall Configuration Discovery Via Netsh.EXE | Detection.FYI
Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
https://detection.fyi/sigmahq/sigma/windows/file/file_event/file_event_win_arcsoc_susp_file_created/
Suspicious File Created by ArcSOC.exe | Detection.FYI
Detects instances where the ArcGIS Server process ArcSOC.exe, which hosts REST services running on an ArcGIS server, creates a file with suspicious file type, …
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_cmd_stdin_redirect/
Read Contents From Stdin Via Cmd.EXE | Detection.FYI
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_whoami_all_execution/
Enumerate All Information With Whoami.EXE | Detection.FYI
Detects the execution of
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_reg_windows_defender_tamper/
Suspicious Windows Defender Registry Key Tampering Via Reg.EXE | Detection.FYI
Detects the usage of
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_setspn_spn_enumeration/
Potential SPN Enumeration Via Setspn.EXE | Detection.FYI
Detects service principal name (SPN) enumeration used for Kerberoasting
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_certutil_encode_susp_location/
File In Suspicious Location Encoded To Base64 Via Certutil.EXE | Detection.FYI
Detects the execution of certutil with the
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_certutil_download_direct_ip/
Suspicious File Downloaded From Direct IP Via Certutil.EXE | Detection.FYI
Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_pua_adfind_enumeration/
PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE | Detection.FYI
Detects active directory enumeration activity using known AdFind CLI flags
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_wmic_recon_product_class/
Potential Product Class Reconnaissance Via Wmic.EXE | Detection.FYI
Detects the execution of WMIC in order to get a list of firewall, antivirus and antispyware products. Adversaries often enumerate security products installed …
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_reg_enable_windows_recall/
Windows Recall Feature Enabled Via Reg.EXE | Detection.FYI
Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing …
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_odbcconf_response_file/
Response File Execution Via Odbcconf.EXE | Detection.FYI
Detects execution of
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_addinutil_uncommon_dir_exec/
AddinUtil.EXE Execution From Uncommon Directory | Detection.FYI
Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) from a non-standard directory.
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_mstsc_run_local_rpd_file_susp_parent/
Mstsc.EXE Execution From Uncommon Parent | Detection.FYI
Detects potential RDP connection via Mstsc using a local
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_sigverif_uncommon_child_process/
Uncommon Sigverif.EXE Child Process | Detection.FYI
Detects uncommon child processes spawning from
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_mftrace_child_process/
Potential Mftrace.EXE Abuse | Detection.FYI
Detects child processes of the
https://detection.fyi/sigmahq/sigma/emerging-threats/2023/exploits/cve-2023-36874/file_event_win_exploit_cve_2023_36874_wermgr_creation/
Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation | Detection.FYI
Detects the creation of a file named
https://detection.fyi/sigmahq/sigma/windows/powershell/powershell_module/posh_pm_remotefxvgpudisablement_abuse/
Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module | Detection.FYI
Detects PowerShell module creation where the module Contents are set to
https://detection.fyi/sigmahq/sigma/windows/file/file_event/file_event_win_werfault_dll_hijacking/
Creation of WerFault.exe/Wer.dll in Unusual Folder | Detection.FYI
Detects the creation of a file named
https://detection.fyi/mbabinski/sigma-rules/2024_redcanary_threatdetectionreport/threat_gamarue_rundll32_cmdline/
Gamarue Rundll32.exe Long Commandlines | Detection.FYI
Fortunately for defenders, Gamarue is detectable with endpoint telemetry. The majority of Gamarue activity we see involves rundll32.exe executing with unusual …
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_wlrmdr_uncommon_child_process/
Wlrmdr.EXE Uncommon Argument Or Child Process | Detection.FYI
Detects the execution of
https://detection.fyi/sigmahq/sigma/windows/image_load/image_load_scrcons_wmi_scripteventconsumer/
WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load | Detection.FYI
Detects signs of the WMI script host process