https://detection.fyi/joesecurity/sigma-rules/officeproductdropsexecutableatsuspiciouslocation/
Office product drops executable at suspicious location | Detection.FYI
Office product drops executable at suspicious location
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location/
Wab Execution From Non Default Location | Detection.FYI
Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non-default locations, as seen with Bumblebee activity
https://detection.fyi/sigmahq/sigma/windows/file/file_event/file_event_win_office_publisher_files_in_susp_locations/
Publisher Attachment File Dropped In Suspicious Location | Detection.FYI
Detects creation of files with the
https://detection.fyi/sigmahq/sigma/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_in_uncommon_location/
Legitimate Application Writing Files In Uncommon Location | Detection.FYI
Detects legitimate applications writing any type of file to uncommon or suspicious locations that are not typical for application data storage or execution. …
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_certutil_encode_susp_location/
File In Suspicious Location Encoded To Base64 Via Certutil.EXE | Detection.FYI
Detects the execution of certutil with the