Robuta

Search results for "execution" on Detection.FYI (Sigma rule index). Each entry gives the rule title, its URL, and the rule's description as indexed (several descriptions are truncated in the index).

PUA - WebBrowserPassView Execution | Detection.FYI
  https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_pua_webbrowserpassview/
  Detects the execution of WebBrowserPassView.exe, a password recovery tool that reveals the passwords stored by the following Web browsers, Internet Explorer …

AgentExecutor PowerShell Execution | Detection.FYI
  https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_agentexecutor_potential_abuse/
  Detects execution of the AgentExecutor.exe binary, which can be abused as a LOLBIN to execute PowerShell scripts with the ExecutionPolicy

Windows Kernel Debugger Execution | Detection.FYI
  https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_kd_execution/
  Detects execution of the Windows Kernel Debugger

HackTool - Hydra Password Bruteforce Execution | Detection.FYI
  https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_hktl_hydra/
  Detects command line parameters used by the Hydra password guessing hack tool

Remote Access Tool - LogMeIn Execution | Detection.FYI
  https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_remote_access_tools_logmein/
  An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an …

HackTool - Certipy Execution | Detection.FYI
  https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_hktl_certipy/
  Detects Certipy execution, a tool for Active Directory Certificate Services enumeration and abuse, based on PE metadata characteristics and common command line …

Remote Access Tool - NetSupport Execution | Detection.FYI
  https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_remote_access_tools_netsupport/
  An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an …

Renamed ZOHO Dctask64 Execution | Detection.FYI
  https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_renamed_dctask64/

Renamed CreateDump Utility Execution | Detection.FYI
  https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_renamed_createdump/
  Detects uses of a renamed legitimate createdump.exe LOLBIN utility to dump process memory

MSSQL XPCmdshell Suspicious Execution | Detection.FYI
  https://detection.fyi/sigmahq/sigma/windows/builtin/application/mssqlserver/win_mssql_xp_cmdshell_audit_log/
  Detects when the MSSQL

Potential Qakbot Rundll32 Execution | Detection.FYI
  https://detection.fyi/sigmahq/sigma/emerging-threats/2023/malware/qakbot/proc_creation_win_malware_qakbot_rundll32_execution/
  Detects specific process tree behavior of a

Lace Tempest Malware Loader Execution | Detection.FYI
  https://detection.fyi/sigmahq/sigma/emerging-threats/2023/ta/lace-tempest/proc_creation_win_apt_lace_tempest_loader_execution/
  Detects execution of a specific binary, based on filename and hash, used by Lace Tempest to load additional malware, as reported by the SysAid team

attack.execution | Detection.FYI (tag page)
  https://detection.fyi/tags/attack.execution/

Ruby Inline Command Execution | Detection.FYI
  https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_ruby_inline_command_execution/
  Detects execution of ruby using the command

Renamed NetSupport RAT Execution | Detection.FYI
  https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_renamed_netsupport_rat/
  Detects the execution of a renamed

PUA - Fast Reverse Proxy (FRP) Execution | Detection.FYI
  https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_pua_frp/
  Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.

DeviceCredentialDeployment Execution | Detection.FYI
  https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_device_credential_deployment/
  Detects the execution of DeviceCredentialDeployment to hide a process from view.

PUA - Adidnsdump Execution | Detection.FYI
  https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_python_adidnsdump/
  This tool enables enumeration and exporting of all DNS records in the zone for recon purposes on internal networks. Python 3 and python.exe must be installed, …

HackTool - HollowReaper Execution | Detection.FYI
  https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_hktl_hollowreaper/
  Detects usage of HollowReaper, a process hollowing shellcode launcher used for stealth payload execution through process hollowing. It replaces the memory of a …

Remote Access Tool - ScreenConnect Command Execution | Detection.FYI
  https://detection.fyi/sigmahq/sigma/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_command_exec/
  Detects command execution via ScreenConnect RMM

HackTool - SharpChisel Execution | Detection.FYI
  https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_hktl_sharp_chisel/
  Detects usage of SharpChisel via the command line arguments

Cloudflared Portable Execution | Detection.FYI
  https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_cloudflared_portable_execution/
  Detects the execution of the

Perl Inline Command Execution | Detection.FYI
  https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_perl_inline_command_execution/
  Detects execution of perl using the command

Veeam Backup Servers Credential Dumping Script Execution | Detection.FYI
  https://detection.fyi/sigmahq/sigma/windows/powershell/powershell_script/posh_ps_veeam_credential_dumping_script/
  Detects execution of a PowerShell script that contains calls to the

Remote Access Tool - ScreenConnect Execution | Detection.FYI
  https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect/
  An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an …

Suspicious Execution of Hostname | Detection.FYI
  https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_hostname_execution/
  Use of hostname to get information

AddinUtil.EXE Execution From Uncommon Directory | Detection.FYI
  https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_addinutil_uncommon_dir_exec/
  Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) from a non-standard directory.

Wab Execution From Non Default Location | Detection.FYI
  https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location/
  Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non-default locations, as seen with Bumblebee activity

Mstsc.EXE Execution From Uncommon Parent | Detection.FYI
  https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_mstsc_run_local_rpd_file_susp_parent/
  Detects potential RDP connection via Mstsc using a local

PUA - TruffleHog Execution - Linux | Detection.FYI
  https://detection.fyi/sigmahq/sigma/linux/process_creation/proc_creation_lnx_pua_trufflehog/
  Detects execution of TruffleHog, a tool used to search for secrets in different platforms like Git, Jira, Slack, SharePoint, etc. that could be used …

Raspberry Robin subsequent execution of commands | Detection.FYI
  https://detection.fyi/tsale/sigma_rules/malware/proc_creation_windows_raspberry_robin_mal-exec/
  Detects Raspberry Robin subsequent execution of commands from commands

Chromium Browser Headless Execution To Mockbin Like Site | Detection.FYI
  https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse/
  Detects the execution of a Chromium based browser process with the

Suspicious FileFix Execution Pattern | Detection.FYI
  https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_susp_filefix_execution_pattern/
  Detects suspicious FileFix execution patterns where users are tricked into running malicious commands through browser file upload dialog manipulation. This …

Python WebServer Execution - Linux | Detection.FYI
  https://detection.fyi/sigmahq/sigma/linux/process_creation/proc_creation_lnx_python_http_server_execution/
  Detects the execution of Python web servers via the command line interface (CLI). After gaining access to target systems, adversaries may use Python's built-in …

Raspberry Robin Initial Execution From External Drive | Detection.FYI
  https://detection.fyi/sigmahq/sigma/emerging-threats/2022/malware/raspberry-robin/proc_creation_win_malware_raspberry_robin_external_drive_exec/
  Detects the initial execution of the Raspberry Robin malware from an external drive using

Scheduled Task Creation with Curl and PowerShell Execution Combo | Detection.FYI
  https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_schtasks_curl_and_powershell_combo/
  Detects the creation of a scheduled task using schtasks.exe, potentially in combination with curl for downloading payloads and PowerShell for executing them. …

Potential Dropper Script Execution Via WScript/CScript | Detection.FYI
  https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_wscript_cscript_dropper/
  Detects wscript/cscript executions of scripts located in user directories

IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32 | Detection.FYI
  https://detection.fyi/sigmahq/sigma/emerging-threats/2023/malware/icedid/proc_creation_win_malware_icedid_rundll32_dllregisterserver/
  Detects RunDLL32.exe executing a single digit DLL named

Suspicious File Execution From Internet Hosted WebDav Share | Detection.FYI
  https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_cmd_net_use_and_exec_combo/
  Detects the execution of the

Suspicious Execution of InstallUtil Without Log | Detection.FYI
  https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_instalutil_no_log_execution/
  Uses the .NET InstallUtil.exe application in order to execute an image without logging

Process Execution from Admin Share (RedCanary Threat Detection Report) | Detection.FYI
  https://detection.fyi/mbabinski/sigma-rules/2023_redcanary_threatdetectionreport/technique_smb_win_admin_shares_process_execution/
  Detects processes executing from an Admin Share. Part of the RedCanary 2023 Threat Detection Report.

Regsvr32 DLL Execution With Suspicious File Extension | Detection.FYI
  https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_regsvr32_susp_extensions/
  Detects the execution of REGSVR32.exe with DLL files masquerading as other files

Response File Execution Via Odbcconf.EXE | Detection.FYI
  https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_odbcconf_response_file/
  Detects execution of
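Most of the rules listed above are Sigma process_creation rules: a selection map over fields such as Image, CommandLine and ParentImage, plus a condition that combines selections and filters. The following Python script is an added example written for this page, not code from SigmaHQ or Detection.FYI. It implements a small subset of Sigma matching (the contains/startswith/endswith/all modifiers and "and"/"not" conditions) and runs a constructed rule, approximating the intent of the "Regsvr32 DLL Execution With Suspicious File Extension" entry, over constructed process-creation events. The rule's field values, the msiexec parent filter and the sample events are assumptions for illustration, not the SigmaHQ rule text.

```python
"""Minimal Sigma-style process_creation matcher (added example, not SigmaHQ code).

Supports only a subset of Sigma: string fields with the contains/startswith/
endswith/all modifiers, and conditions of the form "a and not b and c".
"""
from __future__ import annotations

from typing import Any

# Constructed rule approximating the listed "Regsvr32 DLL Execution With
# Suspicious File Extension" rule: regsvr32.exe loading a file whose extension
# claims it is not a DLL. Values and the installer filter are assumptions.
RULE: dict[str, Any] = {
    "title": "Regsvr32 DLL Execution With Suspicious File Extension (approximation)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\regsvr32.exe",
            "CommandLine|contains": [".jpg", ".png", ".gif", ".txt", ".dat"],
        },
        "filter_installer": {"ParentImage|endswith": "\\msiexec.exe"},
        "condition": "selection and not filter_installer",
    },
}

# Sigma string matching is case-insensitive; values are lowercased before comparison.
_OPS = {
    "contains": lambda value, pat: pat in value,
    "startswith": lambda value, pat: value.startswith(pat),
    "endswith": lambda value, pat: value.endswith(pat),
    "equals": lambda value, pat: value == pat,
}


def field_matches(event: dict[str, Any], key: str, patterns: Any) -> bool:
    """Evaluate one 'Field|modifier|...' entry against an event.

    A list of patterns is an OR unless the 'all' modifier is present.
    """
    field, *mods = key.split("|")
    value = event.get(field)
    if value is None:
        return False
    op = next((m for m in mods if m in _OPS), "equals")
    pats = patterns if isinstance(patterns, list) else [patterns]
    hits = [_OPS[op](str(value).lower(), str(p).lower()) for p in pats]
    return all(hits) if "all" in mods else any(hits)


def selection_matches(event: dict[str, Any], selection: dict[str, Any]) -> bool:
    """A selection map is an AND over all of its field entries."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def condition_holds(event: dict[str, Any], detection: dict[str, Any]) -> bool:
    """Evaluate a condition limited to 'and'-joined, optionally negated names."""
    for term in detection["condition"].split(" and "):
        term = term.strip()
        negate = term.startswith("not ")
        name = term[4:].strip() if negate else term
        matched = selection_matches(event, detection[name])
        if matched == negate:  # a positive term missed, or a negated term hit
            return False
    return True


def run_rule(rule: dict[str, Any], events: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Return the events on which the rule fires."""
    return [e for e in events if condition_holds(e, rule["detection"])]


# Constructed process_creation events (Sysmon-style field names), not real telemetry.
EVENTS: list[dict[str, Any]] = [
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Users\bob\AppData\Local\Temp\invoice.jpg",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},           # should fire
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Program Files\Vendor\plugin.dll",
     "ParentImage": r"C:\Windows\explorer.exe"},                   # benign DLL
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Temp\setup.dat",
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},           # excluded by filter
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Temp\x.jpg,Start"},          # wrong Image
]

if __name__ == "__main__":
    for hit in run_rule(RULE, EVENTS):
        print(f"[{RULE['title']}] {hit['CommandLine']}")
```

Running the script prints only the first event: the plugin.dll load has no masquerading extension, the setup.dat load is suppressed by the parent filter, and the rundll32 event fails the Image selection. Real Sigma conditions also support "or", parentheses and "1 of"/"all of" quantifiers, which a production evaluator (or a Sigma backend converting to a SIEM query) must handle.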