https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_sysinternals_tools_masquerading/
Potential Binary Impersonating Sysinternals Tools | Detection.FYI
Detects binaries that use the same name as legitimate sysinternals tools to evade detection. This rule looks for the execution of binaries that are named …
https://detection.fyi/sigmahq/sigma/macos/process_creation/proc_creation_macos_disable_security_tools/
Disable Security Tools | Detection.FYI
Detects disabling security tools
https://detection.fyi/sigmahq/sigma/windows/network_connection/net_connection_win_rdp_outbound_over_non_standard_tools/
Outbound RDP Connections Over Non-Standard Tools | Detection.FYI
Detects Non-Standard tools initiating a connection over port 3389 indicating possible lateral movement. An initial baseline is required before using this …
https://detection.fyi/sigmahq/sigma/web/webserver_generic/web_susp_useragents/
Suspicious User-Agents Related To Recon Tools | Detection.FYI
Detects known suspicious (default) user-agents related to scanning/recon tools
https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_persistence_office_vsto/
Potential Persistence Via Visual Studio Tools for Office | Detection.FYI
Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_mssql_sqltoolsps_susp_execution/
SQL Client Tools PowerShell Session Detection | Detection.FYI
This rule detects execution of PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the …