Home/Maze/Sigma rules
Sigma

Sigma rules for Maze

1 rules · scoped to tool · back to Maze
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.

Detection rules

1 of 1
direct medium
Powershell Directory Enumeration
Detects technique used by MAZE ransomware to enumerate directories using Powershell
status test author frack113 id 162e69a7-7981-4344-84a9-0f1c9a217a52 license Sigma · DRL-1.1
view Sigma YAML 
title: Powershell Directory Enumeration
id: 162e69a7-7981-4344-84a9-0f1c9a217a52
status: test
description: Detects technique used by MAZE ransomware to enumerate directories using Powershell
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md
    - https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents
author: frack113
date: 2022-03-17
tags:
    - attack.discovery
    - attack.t1083
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - foreach
            - Get-ChildItem
            - '-Path '
            - '-ErrorAction '
            - SilentlyContinue
            - 'Out-File '
            - '-append'
    condition: selection
falsepositives:
    - Legitimate PowerShell scripts
level: medium
Showing 1-1 of 1
Prev 1 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin