https://detection.fyi/sigmahq/sigma/windows/file/file_event/file_event_win_arcsoc_susp_file_created/
Suspicious File Created by ArcSOC.exe | Detection.FYI
Detects instances where the ArcGIS Server process ArcSOC.exe, which hosts REST services running on an ArcGIS server, creates a file with suspicious file type, …
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_cmd_net_use_and_exec_combo/
Suspicious File Execution From Internet Hosted WebDav Share | Detection.FYI
Detects the execution of the
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_certutil_download_direct_ip/
Suspicious File Downloaded From Direct IP Via Certutil.EXE | Detection.FYI
Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_regsvr32_susp_extensions/
Regsvr32 DLL Execution With Suspicious File Extension | Detection.FYI
Detects the execution of REGSVR32.exe with DLL files masquerading as other files
https://www.cftc.gov/LearnAndProtect/RedressReparations/index.htm
File Complaint or Report Suspicious Activities | CFTC
https://detection.fyi/mbabinski/sigma-rules/2023_impacket/atexec/win_file_creation_impacket_atexec/
Impacket AtExec Suspicious Temp File Creation | Detection.FYI
Detects Atexec.py (Impacket) suspicious file creation in Windows temp directory.
https://detection.fyi/sigmahq/sigma/windows/file/file_event/file_event_win_office_publisher_files_in_susp_locations/
Publisher Attachment File Dropped In Suspicious Location | Detection.FYI
Detects creation of files with the
https://detection.fyi/sigmahq/sigma/windows/file/file_event/file_event_win_susp_wdac_policy_creation/
Potentially Suspicious WDAC Policy File Creation | Detection.FYI
Detects suspicious Windows Defender Application Control (WDAC) policy file creation from abnormal processes that could be abused by attacker to block EDR/AV …
https://detection.fyi/sigmahq/sigma/windows/builtin/security/win_security_susp_opened_encrypted_zip_filename/
Password Protected ZIP File Opened (Suspicious Filenames) | Detection.FYI
Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.
https://detection.fyi/sigmahq/sigma/emerging-threats/2023/exploits/cve-2023-38831/file_event_win_exploit_cve_2023_38331_winrar_susp_double_ext/
CVE-2023-38331 Exploitation Attempt - Suspicious Double Extension File | Detection.FYI
Detects the creation of a file with a double extension and a space by WinRAR. This could be a sign of exploitation of CVE-2023-38331
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_certutil_encode_susp_location/
File In Suspicious Location Encoded To Base64 Via Certutil.EXE | Detection.FYI
Detects the execution of certutil with the