references_c.md

File metadata and controls

420 lines (259 loc) · 19.6 KB

# Sigma rule references as PDF

## cisco_bgp_md5_auth_failed

Title : Cisco BGP Authentication Failures

Rule id : 56fa3cd6-f8d6-4520-a8c7-607292971886

| Url | Pdf |
| --- | --- |

## cisco_cli_clear_logs

Title : Cisco Clear Logs

Rule id : ceb407f6-8277-439b-951f-e4210e3ed956

| Url | Pdf |
| --- | --- |
| https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/command/reference/sysmgmt/n5k-sysmgmt-cr/n5k-sm_cmds_c.html | pdf/fd2e0d84bbbd0bacd0af5d3f4369c9a95009fc244b39f6b4d23fb35714f9393f.pdf |
| https://www.cisco.com/c/en/us/td/docs/ios/12_2sr/12_2sra/feature/guide/srmgtint.html#wp1127609 | pdf/b2f737d59476648a8e657ba36f83025cb79474a137565a42a66e58bd717bce2f.pdf |

## cisco_cli_collect_data

Title : Cisco Collect Data

Rule id : cd072b25-a418-4f98-8ebc-5093fb38fe1a

| Url | Pdf |
| --- | --- |
| https://blog.router-switch.com/2013/11/show-running-config/ | pdf/fc80f594ccdc3de6bd767dd4d911da54fa694810c09d848d7b00b83f3c41291b.pdf |
| https://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/cmdrefs/show_startup-config.htm | pdf/52d6662e94997494993d1e6136763282eb062955dfd3c46d207a0bfecf017e88.pdf |
| https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/15-sy/config-mgmt-15-sy-book/cm-config-diff.html | pdf/6152f31ce310819cd21b2ea4d42cd722f8c76d5861b9414838cdb75a0a2916a3.pdf |

## cisco_cli_crypto_actions

Title : Cisco Crypto Commands

Rule id : 1f978c6a-4415-47fb-aca5-736a44d7ca3d

| Url | Pdf |
| --- | --- |
| https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-a1-cr-book_chapter_0111.html | pdf/2641cfe9dd79570c6b15bd5b7635c21893faf35bba956d38d8c89ba642fc19dc.pdf |

## cisco_cli_disable_logging

Title : Cisco Disabling Logging

Rule id : 9e8f6035-88bf-4a63-96b6-b17c0508257e

| Url | Pdf |
| --- | --- |

## cisco_cli_discovery

Title : Cisco Discovery

Rule id : 9705a6a1-6db6-4a16-a987-15b7151e299b

| Url | Pdf |
| --- | --- |
| https://www.cisco.com/c/en/us/td/docs/server_nw_virtual/2-5_release/command_reference/show.html | pdf/e814ad3b206561fd7a83f7d90d7abeb09e47d31cbc918482948acf28cc92814a.pdf |

## cisco_cli_dos

Title : Cisco Denial of Service

Rule id : d94a35f0-7a29-45f6-90a0-80df6159967c

| Url | Pdf |
| --- | --- |

## cisco_cli_file_deletion

Title : Cisco File Deletion

Rule id : 71d65515-c436-43c0-841b-236b1f32c21e

| Url | Pdf |
| --- | --- |

## cisco_cli_input_capture

Title : Cisco Show Commands Input

Rule id : b094d9fb-b1ad-4650-9f1a-fb7be9f1d34b

| Url | Pdf |
| --- | --- |

## cisco_cli_local_accounts

Title : Cisco Local Accounts

Rule id : 6d844f0f-1c18-41af-8f19-33e7654edfc3

| Url | Pdf |
| --- | --- |

## cisco_cli_modify_config

Title : Cisco Modify Configuration

Rule id : 671ffc77-50a7-464f-9e3d-9ea2b493b26b

| Url | Pdf |
| --- | --- |

## cisco_cli_moving_data

Title : Cisco Stage Data

Rule id : 5e51acb2-bcbe-435b-99c6-0e3cd5e2aa59

| Url | Pdf |
| --- | --- |

## cisco_cli_net_sniff

Title : Cisco Sniffing

Rule id : b9e1f193-d236-4451-aaae-2f3d2102120d

| Url | Pdf |
| --- | --- |

## cisco_duo_mfa_bypass_via_bypass_code

Title : Cisco Duo Successful MFA Authentication Via Bypass Code

Rule id : 6f7e1c10-2dc9-4312-adb6-9574ff09a5c8

| Url | Pdf |
| --- | --- |
| https://duo.com/docs/adminapi#logs | pdf/e9fa29243ac7e31302ebdeb0c02007f0bacdd60ac78bee2b0a0fa36774298f6c.pdf |
| https://help.duo.com/s/article/6327?language=en_US | pdf/0c2ad247512bd8c99455c6f11f080a0723ea1cc019bbaede75bb56ad819be196.pdf |

## cisco_ldp_md5_auth_failed

Title : Cisco LDP Authentication Failures

Rule id : 50e606bf-04ce-4ca7-9d54-3449494bbd4b

| Url | Pdf |
| --- | --- |

## cisco_syslog_cve_2023_20198_ios_xe_web_ui

Title : Exploitation Indicators Of CVE-2023-20198

Rule id : 2ece8816-b7a0-4d9b-b0e8-ae7ad18bc02b

| Url | Pdf |
| --- | --- |
| https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z | pdf/f27edf2c09f5986e0abefbe8400ab06f9aac229fc21bb4f5b7890aa7b9512df5.pdf |
| https://www.thestack.technology/security-experts-call-for-incident-response-exercises-after-mass-cisco-device-exploitation/ | pdf/ecc84b6f86e95d313eb8abefea60d2a2a98e9e1895b90f2f415c92b57f63c38e.pdf |

## create_remote_thread_win_hktl_cactustorch

Title : HackTool - CACTUSTORCH Remote Thread Creation

Rule id : 2e4e488a-6164-4811-9ea1-f960c7359c40

| Url | Pdf |
| --- | --- |
| https://twitter.com/SBousseaden/status/1090588499517079552 | pdf/8b5aebd509125c347b8323fbac8484d7f505f651138bdf689b2a5082a1a2ae1d.pdf |
| https://github.com/mdsecactivebreach/CACTUSTORCH | pdf/0a21cd1920ff1ed1e073490994446b41b189878823e39752d57770a4329df9bc.pdf |

## create_remote_thread_win_hktl_cobaltstrike

Title : HackTool - Potential CobaltStrike Process Injection

Rule id : 6309645e-122d-4c5b-bb2b-22e4f9c2fa42

| Url | Pdf |
| --- | --- |
| https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f | pdf/8d16458990c1a6fd7381a37b54cef6ca52339d751a38a6556305ac1a41d164f7.pdf |
| https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/ | pdf/4146cd917c2fea3104a8a3140688747de2bd6c52e33b0b544a105127c71912b9.pdf |

## create_remote_thread_win_keepass

Title : Remote Thread Created In KeePass.EXE

Rule id : 77564cc2-7382-438b-a7f6-395c2ae53b9a

| Url | Pdf |
| --- | --- |
| https://www.cisa.gov/uscert/ncas/alerts/aa20-259a | pdf/6ffc4d590403c41270e532f4d79e9eaf4b9b708b2d9e3592347814dc82b0bca7.pdf |
| https://github.com/denandz/KeeFarce | pdf/ca84632fc84be4c1bc181a1cac578405e29a779f350bf7a69fd9447aae67d968.pdf |
| https://github.com/GhostPack/KeeThief | pdf/51851a547210b93333de6e62f4a4faa096bcfd26296035b4d07a602041477a02.pdf |

## create_remote_thread_win_loadlibrary

Title : CreateRemoteThread API and LoadLibrary

Rule id : 052ec6f6-1adc-41e6-907a-f1c813478bee

| Url | Pdf |
| --- | --- |
| https://threathunterplaybook.com/hunts/windows/180719-DLLProcessInjectionCreateRemoteThread/notebook.html | pdf/f990bd14d8e1df0fb3fb4a16af53282199dec47e4b04efb6d10226a327585660.pdf |

## create_remote_thread_win_malware_bumblebee

Title : Potential Bumblebee Remote Thread Creation

Rule id : 994cac2b-92c2-44bf-8853-14f6ca39fbda

| Url | Pdf |
| --- | --- |
| https://thedfirreport.com/2022/09/26/bumblebee-round-two/ | pdf/6674231aab57d99d2c26780e67629657f514caf056d1782dac35cf6c7f57ecb2.pdf |

## create_remote_thread_win_mstsc_susp_location

Title : Remote Thread Creation In Mstsc.Exe From Suspicious Location

Rule id : c0aac16a-b1e7-4330-bab0-3c27bb4987c7

| Url | Pdf |
| --- | --- |
| https://github.com/S12cybersecurity/RDPCredentialStealer/blob/1b8947cdd065a06c1b62e80967d3c7af895fcfed/APIHookInjectorBin/APIHookInjectorBin/Inject.h#L25 | pdf/b7970cf3fb66e8f0fa7a86bec408f3afbdb6da2a20e3ae7fb7f88d3f4600661f.pdf |

## create_remote_thread_win_powershell_generic

Title : Remote Thread Creation Via PowerShell

Rule id : eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50

| Url | Pdf |
| --- | --- |
| https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse | pdf/0d238d8b4247a38432961d12fba04155db8526642f40d0aaf0c796cd13b85d64.pdf |

## create_remote_thread_win_powershell_lsass

Title : Potential Credential Dumping Attempt Via PowerShell Remote Thread

Rule id : fb656378-f909-47c1-8747-278bf09f4f4f

| Url | Pdf |
| --- | --- |
| https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse | pdf/0d238d8b4247a38432961d12fba04155db8526642f40d0aaf0c796cd13b85d64.pdf |

## create_remote_thread_win_powershell_susp_targets

Title : Remote Thread Creation Via PowerShell In Uncommon Target

Rule id : 99b97608-3e21-4bfe-8217-2a127c396a0e

| Url | Pdf |
| --- | --- |
| https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html | pdf/0290911ac17eb6b9bd95ab228ba6632f060feb233a6322645c959855d26a36cc.pdf |

## create_remote_thread_win_susp_password_dumper_lsass

Title : Password Dumper Remote Thread in LSASS

Rule id : f239b326-2f41-4d6b-9dfa-c846a60ef505

| Url | Pdf |
| --- | --- |
| https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm | pdf/65622f579a7ec399cc204cf80ad30e60fdc23aa12b3f3646010bc5e1e49b5094.pdf |

## create_remote_thread_win_susp_relevant_source_image

Title : Rare Remote Thread Creation By Uncommon Source Image

Rule id : 02d1d718-dd13-41af-989d-ea85c7fab93f

| Url | Pdf |
| --- | --- |
| https://lolbas-project.github.io | pdf/6ff4a3dea600d4a3da5e72f9a5ca22e3fb6d24b13a99840e90c5cec369c5bc39.pdf |

## create_remote_thread_win_susp_target_shell_application

Title : Remote Thread Created In Shell Application

Rule id : a9d4d3fa-8fc0-41bc-80b1-30b9fda79d6f

| Url | Pdf |
| --- | --- |
| https://research.splunk.com/endpoint/10399c1e-f51e-11eb-b920-acde48001122/ | pdf/ff3f5e5d3ae88c2f840a40f2ce699185d11421687f9ad2d1cbb6bc2dd035a922.pdf |
| https://www.binarydefense.com/resources/blog/icedid-gziploader-analysis/ | pdf/2ad2461657a65ef7bf8a7251834165c94c9609ef2d25605333a27d4f4ac8ed24.pdf |

## create_remote_thread_win_susp_uncommon_source_image

Title : Remote Thread Creation By Uncommon Source Image

Rule id : 66d31e5f-52d6-40a4-9615-002d3789a119

| Url | Pdf |
| --- | --- |
| https://lolbas-project.github.io | pdf/6ff4a3dea600d4a3da5e72f9a5ca22e3fb6d24b13a99840e90c5cec369c5bc39.pdf |

## create_remote_thread_win_susp_uncommon_target_image

Title : Remote Thread Creation In Uncommon Target Image

Rule id : a1a144b7-5c9b-4853-a559-2172be8d4a03

| Url | Pdf |
| --- | --- |
| https://web.archive.org/web/20220319032520/https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection | pdf/3fb8384904d680203c2ba66a8992f034dd1d591648318746ca7eb535049c1582.pdf |

## create_remote_thread_win_ttdinjec

Title : Remote Thread Creation Ttdinject.exe Proxy

Rule id : c15e99a3-c474-48ab-b9a7-84549a7a9d16

| Url | Pdf |
| --- | --- |
| https://lolbas-project.github.io/lolbas/Binaries/Ttdinject/ | pdf/f9f1c4bf6e5102389ff665c836c199c0ecf2607de83c7fb52b58e76dea2e3eb4.pdf |

## create_stream_hash_ads_executable

Title : Hidden Executable In NTFS Alternate Data Stream

Rule id : b69888d4-380c-45ce-9cf9-d9ce46e67821

| Url | Pdf |
| --- | --- |
| https://twitter.com/0xrawsec/status/1002478725605273600?s=21 | pdf/7da8166b7ec1e054fbea3243ce3fd1743acae7ed60d63c406a01aa3761da5090.pdf |

## create_stream_hash_creation_internet_file

Title : Creation Of a Suspicious ADS File Outside a Browser Download

Rule id : 573df571-a223-43bc-846e-3f98da481eca

| Url | Pdf |
| --- | --- |
| https://www.bleepingcomputer.com/news/security/exploited-windows-zero-day-lets-javascript-files-bypass-security-warnings/ | pdf/82ea96d29c33a92ab114b5ab47b1edb14a601f315b19c1627490a373a722e626.pdf |

## create_stream_hash_file_sharing_domains_download_susp_extension

Title : Suspicious File Download From File Sharing Websites - File Stream

Rule id : 52182dfb-afb7-41db-b4bc-5336cb29b464

| Url | Pdf |
| --- | --- |
| https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015 | pdf/cbeebfc6ef40af2e88674d6814de2c52bc2eed2a2f9b933b1384974641ea320a.pdf |
| https://www.cisa.gov/uscert/ncas/alerts/aa22-321a | pdf/0267dbd14be7701b36d26ba060a471f44cedb5048b0cca702e5f9ed5459ca738.pdf |
| https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/ | pdf/a39c35af1f8028121f6bcd5b8ac6c878f4bcffd5a041681cc201d3b19ff1a4cc.pdf |
| https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/ | pdf/2114e893697f5a54dd1ea3bfbf2e64adb250a41c185768b836ba10b882e4c914.pdf |

## create_stream_hash_file_sharing_domains_download_unusual_extension

Title : Unusual File Download From File Sharing Websites - File Stream

Rule id : ae02ed70-11aa-4a22-b397-c0d0e8f6ea99

| Url | Pdf |
| --- | --- |
| https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015 | pdf/cbeebfc6ef40af2e88674d6814de2c52bc2eed2a2f9b933b1384974641ea320a.pdf |
| https://www.cisa.gov/uscert/ncas/alerts/aa22-321a | pdf/0267dbd14be7701b36d26ba060a471f44cedb5048b0cca702e5f9ed5459ca738.pdf |
| https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/ | pdf/2114e893697f5a54dd1ea3bfbf2e64adb250a41c185768b836ba10b882e4c914.pdf |

## create_stream_hash_hktl_generic_download

Title : HackTool Named File Stream Created

Rule id : 19b041f6-e583-40dc-b842-d6fa8011493f

| Url | Pdf |
| --- | --- |
| https://github.com/gentilkiwi/mimikatz | pdf/931e1d77d626a3d42c3417b8436f778e03d9de01a10ce60f523c3a872c9de8eb.pdf |
| https://github.com/topotam/PetitPotam | pdf/01fb36616b16be1471e08d97d485d8c7f8fb699e75b818601e3027570eb2a0b3.pdf |
| https://github.com/ohpe/juicy-potato | pdf/a4477b226749ed74e75b1a1cbd4eccbabede8c1f29a6e63fcadb5db64f63497a.pdf |
| https://github.com/antonioCoco/RoguePotato | pdf/9383153978c06d9d7c558c6e3522f2d167165f32208ca9623a8af401afd00d65.pdf |
| https://www.tarasco.org/security/pwdump_7/ | pdf/ea118bfb227f688e29f80db3c5d427388b7718a41e64db24a79236ce5bf4f355.pdf |
| https://github.com/fortra/nanodump | pdf/a8cc04ce234c7ee73fc306179e10a3ea5a891d0c0e6a21f736434c1e1b0030e2.pdf |
| https://github.com/codewhitesec/HandleKatz | pdf/01327cc10ea6a6f29439cf162b3a3c9a537a18fe8d8145bd1db510db1de00450.pdf |
| https://github.com/xuanxuan0/DripLoader | pdf/c024ed96513c6ce5a4097e17a3fe70940ea41036357ee46fa0287eaf26196121.pdf |
| https://github.com/hfiref0x/UACME | pdf/d83252bc27a4be387e3207cef6aa3e0a7433677c314506a6cdd0ad98d290043e.pdf |
| https://github.com/outflanknl/Dumpert | pdf/d028574bba29d066cf4ddb010321ff1595768b8df629cd86679aff1d0f8e1980.pdf |
| https://github.com/wavestone-cdt/EDRSandblast | pdf/bb2b58ea6a16fd8d488d3137310c10bfa309fe1aca46b9da58cadf128ea56402.pdf |

## create_stream_hash_regedit_export_to_ads

Title : Exports Registry Key To an Alternate Data Stream

Rule id : 0d7a9363-af70-4e7b-a3b7-1a176b7fbe84

| Url | Pdf |
| --- | --- |
| https://lolbas-project.github.io/lolbas/Binaries/Regedit/ | pdf/e8f472f7f8cb0076a5b9101b6f3292848f62b25dd147441e73dea5fb7add0859.pdf |
| https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f | pdf/e815e27473c7c680dcee4f45ba1fc8f1528f0e828e840ed3ed2af8c7551b45da.pdf |

## create_stream_hash_susp_ip_domains

Title : Unusual File Download from Direct IP Address

Rule id : 025bd229-fd1f-4fdb-97ab-20006e1a5368

| Url | Pdf |
| --- | --- |
| https://github.com/trustedsec/SysmonCommunityGuide/blob/adcdfee20999f422b974c8d4149bf4c361237db7/chapters/file-stream-creation-hash.md | pdf/fb6b85d18d6a12e538d01b318bb7ad1120723eb965af10d631a1c13d6011b77e.pdf |
| https://labs.withsecure.com/publications/detecting-onenote-abuse | pdf/87714e974170bb2e20943b631aec432662309e7ef635cf36fc6d7c777cb404d4.pdf |

## create_stream_hash_winget_susp_package_source

Title : Potential Suspicious Winget Package Installation

Rule id : a3f5c081-e75b-43a0-9f5b-51f26fe5dba2

| Url | Pdf |
| --- | --- |
| https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget | pdf/934415afe6db703b32a687956220823295c5dedc50d1636b0392ead165642170.pdf |

## create_stream_hash_zip_tld_download

Title : Potentially Suspicious File Download From ZIP TLD

Rule id : 0bb4bbeb-fe52-4044-b40c-430a04577ebe

| Url | Pdf |
| --- | --- |
| https://twitter.com/cyb3rops/status/1659175181695287297 | pdf/508eafb18133e8e95931826cc3499ae9c15953ef5ff257e08dec0f02fbac1132.pdf |
| https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/ | pdf/a39c35af1f8028121f6bcd5b8ac6c878f4bcffd5a041681cc201d3b19ff1a4cc.pdf |