https://detection.fyi/sigmahq/sigma/identity/okta/okta_user_session_start_via_anonymised_proxy/
Okta User Session Start Via An Anonymising Proxy Service | Detection.FYI
Detects when an Okta user session starts where the user is behind an anonymising proxy service.
https://detection.fyi/sigmahq/sigma/windows/builtin/terminalservices/win_terminalservices_rdp_ngrok/
Ngrok Usage with Remote Desktop Service | Detection.FYI
Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour.
https://detection.fyi/sigmahq/sigma/emerging-threats/2017/ta/turla/win_system_apt_turla_service_png/
Turla PNG Dropper Service | Detection.FYI
Detects malicious services mentioned in the Turla PNG dropper report published by NCC Group in November 2018.
https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode/
Registry Persistence via Service in Safe Mode | Detection.FYI
Detects the modification of the registry to allow a driver or service to persist in Safe Mode.
https://detection.fyi/sigmahq/sigma/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install/
Meterpreter or Cobalt Strike Getsystem Service Installation - Security | Detection.FYI
Detects the use of the getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation.
https://detection.fyi/sigmahq/sigma/windows/file/file_event/file_event_win_sysinternals_psexec_service/
PsExec Service File Creation | Detection.FYI
Detects the default PsExec service filename, which indicates PsExec service installation and execution.