Sigma Templates

A selection of Sigma rules to use as guides or templates when writing your own. The first two entries are shown with their full rule body; the remaining entries list rule titles only.

  • Detection of Sysinternals Usage

title: Detection of Sysinternals Usage
description: Detects the usage of Sysinternals tools by looking for the EULA-acceptance switch on the command line
tags:
    - attack.t1588.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: ' -accepteula'
    condition: selection
falsepositives:
    - Legitimate use of Sysinternals tools

Sigma string matching is case-insensitive, so '-AcceptEula' is caught as well. Two gaps to keep in mind: Sysinternals tools also accept the switch in the form '/accepteula', which this pattern does not cover, and the switch is not needed at all once the EULA has been accepted for that tool in the registry, so the rule only sees first-run (or scripted) usage that passes the dash form.
  • LSASS Dump Detection

title: LSASS Dump Detection
description: Detects creation of an LSASS memory dump file using operating system utilities
tags:
    - attack.credential_access
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains: 'lsass'
        TargetFilename|endswith: 'dmp'
    condition: selection
fields:
    - ComputerName
    - TargetFilename
falsepositives:
    - Admin activity
level: high

Both keys inside selection must match the same event (the keys of a Sigma selection map are ANDed), so a file such as lsass_notes.txt is not flagged, while LSASS.DMP is, because matching is case-insensitive. The rule only sees dumps whose file name still contains 'lsass'; a dump written under another name (the usual attacker habit) needs a process-based rule instead, such as the Sysinternals rule above when ProcDump is used.
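To see what the two selections above actually match, here is a small evaluator run over constructed sample events. This is an added example, not code from the page or from the Sigma project: it implements only the Sigma semantics these two rules use (a selection that is a map of field to value, keys ANDed, the 'contains' and 'endswith' modifiers, case-insensitive matching) and assumes Sysmon-style field names (CommandLine, TargetFilename) with the logsource category and product carried as keys on each event. The sample events and the event 'id' key are constructed for the example.

```python
"""Minimal evaluator for the two Sigma selections shown on this page.

Added example, not from the page or SigmaHQ. It covers only the subset of
Sigma used by the rules above: map selections (keys ANDed), the 'contains'
and 'endswith' modifiers, and Sigma's default case-insensitive matching.
"""

# Rules transcribed from the page; 'title' taken from the bullet headings.
RULES = [
    {
        "title": "Detection of Sysinternals Usage",
        "logsource": {"category": "process_creation", "product": "windows"},
        "selection": {"CommandLine|contains": " -accepteula"},
    },
    {
        "title": "LSASS Dump Detection",
        "logsource": {"category": "file_event", "product": "windows"},
        "selection": {
            "TargetFilename|contains": "lsass",
            "TargetFilename|endswith": "dmp",
        },
    },
]

# Constructed sample events (Sysmon-style field names); not real telemetry.
# 'category'/'product' stand in for the log source the event came from.
EVENTS = [
    {"id": 1, "category": "process_creation", "product": "windows",
     "Image": r"C:\Tools\procdump.exe",
     "CommandLine": r"procdump.exe -accepteula -ma lsass.exe C:\Windows\Temp\lsass.dmp"},
    {"id": 2, "category": "file_event", "product": "windows",
     "Image": r"C:\Tools\procdump.exe",
     "TargetFilename": r"C:\Windows\Temp\lsass.dmp"},
    # Upper-case name: still matches because Sigma matching is case-insensitive.
    {"id": 3, "category": "file_event", "product": "windows",
     "Image": r"C:\Windows\System32\taskmgr.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\LSASS.DMP"},
    # Slash form of the switch: NOT caught by ' -accepteula' (the gap noted above).
    {"id": 4, "category": "process_creation", "product": "windows",
     "Image": r"C:\Tools\PsExec.exe",
     "CommandLine": r"PsExec.exe /accepteula \\fileserver cmd.exe"},
    # Contains 'lsass' but does not end with 'dmp': the AND of both keys fails.
    {"id": 5, "category": "file_event", "product": "windows",
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\bob\Documents\lsass_notes.txt"},
]


def match_value(actual: str, modifier: str, expected: str) -> bool:
    """Apply one Sigma string modifier; comparison is case-insensitive as in Sigma."""
    a, e = actual.lower(), expected.lower()
    if modifier == "contains":
        return e in a
    if modifier == "endswith":
        return a.endswith(e)
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "":          # no modifier: exact (case-insensitive) equality
        return a == e
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(event: dict, selection: dict) -> bool:
    """A map selection is true only when every 'field|modifier' entry matches (AND)."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        actual = event.get(field)
        if actual is None or not match_value(str(actual), modifier, expected):
            return False
    return True


def logsource_matches(event: dict, logsource: dict) -> bool:
    """Only events from the rule's log source are evaluated against its selection."""
    return all(event.get(k) == v for k, v in logsource.items())


def evaluate(rules: list, events: list) -> dict:
    """Return {event id: [titles of rules that fired]}.

    Both rules use 'condition: selection', so firing is just the selection result.
    """
    hits = {}
    for ev in events:
        hits[ev["id"]] = [
            r["title"] for r in rules
            if logsource_matches(ev, r["logsource"]) and selection_matches(ev, r["selection"])
        ]
    return hits


if __name__ == "__main__":
    for event_id, titles in evaluate(RULES, EVENTS).items():
        print(event_id, titles or "-")
```

Events 1, 2 and 3 fire (the last one only because of case-insensitive matching); event 4 shows the '/accepteula' gap and event 5 shows that a selection map requires every key to match.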
  • Suspicious Add Scheduled Task From User AppData Temp

  • Disable UAC Using Registry

  • Windows Defender Service Disabled

  • PowerShell Get-Clipboard Cmdlet Via CLI

  • User Account Hidden By Registry
