Sigma Rules
1,398 rules found
LockerGoga Ransomware Activity
Detects LockerGoga ransomware activity via specific command line.
Potential QBot Activity
Detects potential QBot activity by looking for process executions used previously by QBot
Potential Ryuk Ransomware Activity
Detects Ryuk ransomware activity
Potential Snatch Ransomware Activity
Detects specific process characteristics of Snatch ransomware word document droppers
Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32
Detects potential BlueMushroom DLL loading activity via regsvr32 from AppData Local
APT31 Judgement Panda Activity
Detects APT31 Judgement Panda activity as described in the Crowdstrike 2019 Global Threat Report
Potential Russian APT Credential Theft Activity
Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike
Potential EmpireMonkey Activity
Detects potential EmpireMonkey APT activity
Equation Group DLL_U Export Function Load
Detects a specific export function name used by one of EquationGroup tools
Mustang Panda Dropper
Detects specific process parameters as used by Mustang Panda droppers
Operation Wocao Activity
Detects activity mentioned in Operation Wocao report
Exploited CVE-2020-10189 Zoho ManageEngine
Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189
Suspicious PrinterPorts Creation (CVE-2020-1048)
Detects new commands that add new printer port which point to suspicious file
DNS RCE CVE-2020-1350
Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process
Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC
Detects the execution of the commonly used ZeroLogon PoC executable.
Blue Mockingbird
Attempts to detect system changes made by Blue Mockingbird
Potential Emotet Rundll32 Execution
Detecting Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL
Potential Ke3chang/TidePool Malware Activity
Detects registry modifications potentially related to the Ke3chang/TidePool malware as seen in campaigns running in 2019 and 2020
Potential Maze Ransomware Activity
Detects specific process characteristics of Maze ransomware word document droppers
Trickbot Malware Activity
Detects Trickbot malware process tree pattern in which "rundll32.exe" is a parent of "wermgr.exe"
EvilNum APT Golden Chickens Deployment Via OCX Files
Detects Golden Chickens deployment method as used by Evilnum and described in ESET July 2020 report
GALLIUM IOCs
Detects artifacts associated with GALLIUM cyber espionage group as reported by Microsoft Threat Intelligence Center in the December 2019 report.
Greenbug Espionage Group Indicators
Detects tools and process executions used by Greenbug in their May 2020 campaign as reported by Symantec
Lazarus Group Activity
Detects different process execution behaviors as described in various threat reports on Lazarus group activity
UNC2452 Process Creation Patterns
Detects a specific process creation patterns as seen used by UNC2452 and provided by Microsoft as Microsoft Defender ATP queries
UNC2452 PowerShell Pattern
Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports
Suspicious VBScript UN2452 Pattern
Detects suspicious inline VBScript keywords as used by UNC2452
TAIDOOR RAT DLL Load
Detects specific process characteristics of Chinese TAIDOOR RAT malware load
Winnti Malware HK University Campaign
Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities
Winnti Pipemon Characteristics
Detects specific process characteristics of Winnti Pipemon malware reported by ESET
Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt
Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084
Potential CVE-2021-26857 Exploitation Attempt
Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for | abnormal subprocesses spawning by Exchange Server's Unified Messaging service
Serv-U Exploitation CVE-2021-35211 by DEV-0322
Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322
Potential CVE-2021-40444 Exploitation Attempt
Detects potential exploitation of CVE-2021-40444 via suspicious process patterns seen in in-the-wild exploitations
Potential Exploitation Attempt From Office Application
Detects Office applications executing a child process that includes directory traversal patterns. This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE)
Potential CVE-2021-41379 Exploitation Attempt
Detects potential exploitation attempts of CVE-2021-41379 (InstallerFileTakeOver), a local privilege escalation (LPE) vulnerability where the attacker spawns a "cmd.exe" process as a child of Microsoft Edge elevation service "elevation_service" with "LOCAL_SYSTEM" rights
Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon
Detects potential initial exploitation attempts against VMware Horizon deployments running a vulnerable versions of Log4j.
Suspicious RazerInstaller Explorer Subprocess
Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM
Potential SystemNightmare Exploitation Attempt
Detects an exploitation attempt of SystemNightmare in order to obtain a shell as LOCAL_SYSTEM
Potential BlackByte Ransomware Activity
Detects command line patterns used by BlackByte ransomware in different operations
Conti Volume Shadow Listing
Detects a command used by conti to find volume shadow backups
Conti NTDS Exfiltration Command
Detects a command used by conti to exfiltrate NTDS
Potential Conti Ransomware Activity
Detects a specific command used by the Conti ransomware group
Potential Conti Ransomware Database Dumping Activity Via SQLCmd
Detects a command used by conti to dump database
DarkSide Ransomware Pattern
Detects DarkSide Ransomware and helpers
Potential Devil Bait Malware Reconnaissance
Detects specific process behavior observed with Devil Bait samples
Potential Goofy Guineapig Backdoor Activity
Detects a specific broken command that was used by Goofy-Guineapig as described by the NCSC report.
Potential Goofy Guineapig GoolgeUpdate Process Anomaly
Detects "GoogleUpdate.exe" spawning a new instance of itself in an uncommon location as seen used by the Goofy Guineapig backdoor