https://detection.fyi/mbabinski/sigma-rules/2023_impacket/atexec/win_file_creation_impacket_atexec/
Impacket AtExec Suspicious Temp File Creation | Detection.FYI
Detects Atexec.py (Impacket) suspicious file creation in Windows temp directory.
Tags: file creation detection, suspicious, temp, fyi
https://detection.fyi/sigmahq/sigma/windows/file/file_event/file_event_win_sysinternals_psexec_service/
PsExec Service File Creation | Detection.FYI
Detects the default PsExec service filename, which indicates PsExec service installation and execution.
Tags: file creation detection, service, fyi
https://detection.fyi/sigmahq/sigma/windows/file/file_event/file_event_win_remcom_service/
RemCom Service File Creation | Detection.FYI
Detects the default RemCom service filename, which indicates RemCom service installation and execution.
Tags: file creation detection, service, fyi
https://detection.fyi/sigmahq/sigma/windows/file/file_event/file_event_win_susp_wdac_policy_creation/
Potentially Suspicious WDAC Policy File Creation | Detection.FYI
Detects suspicious Windows Defender Application Control (WDAC) policy file creation from abnormal processes that could be abused by attacker to block EDR/AV …
Tags: file creation detection, potentially suspicious, wdac, policy, fyi
https://detection.fyi/sigmahq/sigma/emerging-threats/2024/ta/forest-blizzard/file_event_win_apt_forest_blizzard_constrained_js/
Forest Blizzard APT - JavaScript Constrained File Creation | Detection.FYI
Detects the creation of JavaScript files inside of the DriverStore directory. Forest Blizzard used this to exploit the CVE-2022-38028 vulnerability in Windows …
Tags: file creation detection, forest blizzard, apt, javascript, constrained
https://detection.fyi/mbabinski/sigma-rules/2022_renamesystemutilities/file_creation_exe_in_temp_directories_4663/
File Creation of Executables in Temp Folders (Event 4663) | Detection.FYI
Detects creation of files potentially matching attempts to copy executables to temporary directories to hide usage.
Tags: file creation, detection fyi, executables, temp, folders