Rule Library

Sigma Rules

1,398 rules found

Library totals: 3,707 total · 3,116 Detection · 451 Emerging · 137 Hunting
Detection · Level: high · Status: test

Hacktool Execution - PE Metadata

Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed

Windows · Process Creation
TA0006 · Credential Access; TA0042 · Resource Development; T1588.002 · Tool; T1003 · OS Credential Dumping
Florian Roth (Nextron Systems) · Wed Apr 27 · windows
Detection · Level: high · Status: test

HackTool - GMER Rootkit Detector and Remover Execution

Detects the execution of the GMER tool based on image and hash fields.

Windows · Process Creation
TA0005 · Defense Evasion
Nasreddine Bencherchali (Nextron Systems) · Wed Oct 05 · windows
Detection · Level: high · Status: test

HackTool - HandleKatz LSASS Dumper Execution

Detects the use of HandleKatz, a tool that demonstrates the use of cloned handles to LSASS in order to create an obfuscated memory dump of that process

Windows · Process Creation
TA0006 · Credential Access; T1003.001 · LSASS Memory
Florian Roth (Nextron Systems) · Thu Aug 18 · windows
Detection · Level: high · Status: test

HackTool - Hashcat Password Cracker Execution

Detects execution of Hashcat.exe with a SAM file extracted from the Windows registry and a password list to crack against

Windows · Process Creation
TA0006 · Credential Access; T1110.002 · Password Cracking
François Hubaut · Mon Dec 27 · windows
Detection · Level: high · Status: experimental

HackTool - HollowReaper Execution

Detects usage of HollowReaper, a process hollowing shellcode launcher used for stealth payload execution through process hollowing. It replaces the memory of a legitimate process with custom shellcode, allowing the attacker to execute payloads under the guise of trusted binaries.

Windows · Process Creation
TA0004 · Privilege Escalation; TA0005 · Defense Evasion; T1055.012 · Process Hollowing
Swachchhanda Shrawan Poudel (Nextron Systems) · Tue Jul 01 · windows
Detection · Level: high · Status: test

HackTool - Htran/NATBypass Execution

Detects executable names or flags used by Htran or Htran-like tools (e.g. NATBypass)

Windows · Process Creation
TA0011 · Command and Control; T1090 · Proxy; S0040 · S0040
Florian Roth (Nextron Systems) · Tue Dec 27 · windows
Detection · Level: high · Status: test

HackTool - Hydra Password Bruteforce Execution

Detects command line parameters used by the Hydra password guessing hack tool

Windows · Process Creation
TA0006 · Credential Access; T1110 · Brute Force; T1110.001 · Password Guessing
Vasiliy Burov · Mon Oct 05 · windows
Detection · Level: high · Status: stable

HackTool - Potential Impacket Lateral Movement Activity

Detects wmiexec/dcomexec/atexec/smbexec from the Impacket framework

Windows · Process Creation
TA0002 · Execution; T1047 · Windows Management Instrumentation; TA0008 · Lateral Movement; T1021.003 · Distributed Component Object Model
Ecco (+3) · Tue Sep 03 · windows
Detection · Level: high · Status: test

HackTool - Impacket Tools Execution

Detects the execution of different compiled Windows binaries of the Impacket toolset (based on their names or parts of their names, which could lead to false positives)

Windows · Process Creation
TA0009 · Collection; TA0002 · Execution; TA0006 · Credential Access; T1557.001 · LLMNR/NBT-NS Poisoning and SMB Relay
Florian Roth (Nextron Systems) · Sat Jul 24 · windows
Detection · Level: medium · Status: test

HackTool - Impersonate Execution

Detects execution of the Impersonate tool, which can be used to manipulate tokens on Windows computers remotely (PsExec/WmiExec) or interactively

Windows · Process Creation
TA0004 · Privilege Escalation; TA0005 · Defense Evasion; T1134.001 · Token Impersonation/Theft; T1134.003 · Make and Impersonate Token
Sai Prashanth Pulisetti · Wed Dec 21 · windows
Detection · Level: critical · Status: test

HackTool - Inveigh Execution

Detects the use of Inveigh, a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool

Windows · Process Creation
TA0006 · Credential Access; T1003.001 · LSASS Memory
Nasreddine Bencherchali (Nextron Systems) · Mon Oct 24 · windows
Detection · Level: high · Status: test

Invoke-Obfuscation CLIP+ Launcher

Detects obfuscated use of Clip.exe to execute PowerShell

Windows · Process Creation
TA0005 · Defense Evasion; T1027 · Obfuscated Files or Information; TA0002 · Execution; T1059.001 · PowerShell
Jonathan Cheong (+1) · Tue Oct 13 · windows
Detection · Level: high · Status: test

Invoke-Obfuscation Obfuscated IEX Invocation

Detects all variations of obfuscated PowerShell IEX invocation code generated by the Invoke-Obfuscation framework from the following code block

Windows · Process Creation
TA0005 · Defense Evasion; T1027 · Obfuscated Files or Information; TA0002 · Execution; T1059.001 · PowerShell
Daniel Bohannon ( / ) (+1) · Fri Nov 08 · windows
Detection · Level: high · Status: test

Invoke-Obfuscation STDIN+ Launcher

Detects obfuscated use of stdin to execute PowerShell

Windows · Process Creation
TA0005 · Defense Evasion; T1027 · Obfuscated Files or Information; TA0002 · Execution; T1059.001 · PowerShell
Jonathan Cheong (+1) · Thu Oct 15 · windows
Detection · Level: high · Status: test

Invoke-Obfuscation VAR+ Launcher

Detects obfuscated use of environment variables to execute PowerShell

Windows · Process Creation
TA0005 · Defense Evasion; T1027 · Obfuscated Files or Information; TA0002 · Execution; T1059.001 · PowerShell
Jonathan Cheong (+1) · Thu Oct 15 · windows
Detection · Level: medium · Status: test

Invoke-Obfuscation COMPRESS OBFUSCATION

Detects obfuscated PowerShell via COMPRESS OBFUSCATION

Windows · Process Creation
TA0005 · Defense Evasion; T1027 · Obfuscated Files or Information; TA0002 · Execution; T1059.001 · PowerShell
Timur Zinniatullin (+1) · Sun Oct 18 · windows
Detection · Level: high · Status: test

Invoke-Obfuscation Via Stdin

Detects obfuscated PowerShell via stdin in scripts

Windows · Process Creation
TA0005 · Defense Evasion; T1027 · Obfuscated Files or Information; TA0002 · Execution; T1059.001 · PowerShell
Nikita Nazarov (+1) · Mon Oct 12 · windows
Detection · Level: high · Status: test

Invoke-Obfuscation Via Use Clip

Detects obfuscated PowerShell via use of Clip.exe in scripts

Windows · Process Creation
TA0005 · Defense Evasion; T1027 · Obfuscated Files or Information; TA0002 · Execution; T1059.001 · PowerShell
Nikita Nazarov (+1) · Fri Oct 09 · windows
Detection · Level: high · Status: test

Invoke-Obfuscation Via Use MSHTA

Detects obfuscated PowerShell via use of MSHTA in scripts

Windows · Process Creation
TA0005 · Defense Evasion; T1027 · Obfuscated Files or Information; TA0002 · Execution; T1059.001 · PowerShell
Nikita Nazarov (+1) · Thu Oct 08 · windows
Detection · Level: high · Status: test

Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION

Detects obfuscated PowerShell via the VAR++ LAUNCHER

Windows · Process Creation
TA0005 · Defense Evasion; T1027 · Obfuscated Files or Information; TA0002 · Execution; T1059.001 · PowerShell
Timur Zinniatullin (+1) · Tue Oct 13 · windows
Detection · Level: medium · Status: test

HackTool - Jlaive In-Memory Assembly Execution

Detects the use of Jlaive to execute assemblies in a copied PowerShell

Windows · Process Creation
TA0002 · Execution; T1059.003 · Windows Command Shell
Jose Luis Sanchez Martinez · Tue May 24 · windows
Detection · Level: high · Status: test

HackTool - Koadic Execution

Detects command line parameters used by the Koadic hack tool

Windows · Process Creation
TA0002 · Execution; T1059.003 · Windows Command Shell; T1059.005 · Visual Basic; T1059.007 · JavaScript
wagga (+2) · Sun Jan 12 · windows
Detection · Level: high · Status: test

HackTool - KrbRelay Execution

Detects the use of KrbRelay, a Kerberos relaying tool

Windows · Process Creation
TA0006 · Credential Access; T1558.003 · Kerberoasting
Florian Roth (Nextron Systems) · Wed Apr 27 · windows
Detection · Level: high · Status: test

HackTool - KrbRelayUp Execution

Detects KrbRelayUp, which is used to perform a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced

Windows · Process Creation
TA0005 · Defense Evasion; TA0006 · Credential Access; T1558.003 · Kerberoasting; TA0008 · Lateral Movement (+1 more)
Florian Roth (Nextron Systems) · Tue Apr 26 · windows
Detection · Level: high · Status: test

HackTool - RemoteKrbRelay Execution

Detects the use of RemoteKrbRelay, a Kerberos relaying tool, via command line flags and PE metadata.

Windows · Process Creation
TA0006 · Credential Access; T1558.003 · Kerberoasting
Nasreddine Bencherchali (Nextron Systems) · Thu Jun 27 · windows
Detection · Level: medium · Status: experimental

HackTool - LaZagne Execution

Detects the execution of LaZagne, a utility used to retrieve multiple types of passwords stored on a local computer. LaZagne has been leveraged multiple times by threat actors in order to dump credentials.

Windows · Process Creation
TA0006 · Credential Access
Nasreddine Bencherchali (Nextron Systems) (+1) · Mon Jun 24 · windows
Detection · Level: high · Status: test

HackTool - LocalPotato Execution

Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples

Windows · Process Creation
TA0005 · Defense Evasion; TA0004 · Privilege Escalation; cve.2023-21746
Nasreddine Bencherchali (Nextron Systems) · Tue Feb 14 · windows
Detection · Level: high · Status: test

Potential Meterpreter/CobaltStrike Activity

Detects the use of the Meterpreter/Cobalt Strike getsystem command by detecting a specific service starting

Windows · Process Creation
TA0005 · Defense Evasion; TA0004 · Privilege Escalation; T1134.001 · Token Impersonation/Theft; T1134.002 · Create Process with Token
Teymur Kheirkhabarov (+2) · Sat Oct 26 · windows
Detection · Level: high · Status: test

HackTool - Mimikatz Execution

Detects well-known Mimikatz command line arguments

Windows · Process Creation
TA0006 · Credential Access; T1003.001 · LSASS Memory; T1003.002 · Security Account Manager; T1003.004 · LSA Secrets (+2 more)
Teymur Kheirkhabarov (+3) · Tue Oct 22 · windows
Detection · Level: high · Status: test

HackTool - PCHunter Execution

Detects suspicious use of PCHunter, a tool like Process Hacker used to view and manipulate processes, kernel options and other low-level settings

Windows · Process Creation
TA0002 · Execution; TA0007 · Discovery; T1082 · System Information Discovery; T1057 · Process Discovery (+3 more)
Florian Roth (Nextron Systems) (+1) · Mon Oct 10 · windows
Detection · Level: high · Status: test

HackTool - Default PowerSploit/Empire Scheduled Task Creation

Detects the creation of a scheduled task via the PowerSploit or Empire default configuration.

Windows · Process Creation
TA0002 · Execution; TA0003 · Persistence; TA0004 · Privilege Escalation; S0111 · schtasks (+5 more)
Markus Neis · Tue Mar 06 · windows
Detection · Level: high · Status: test

HackTool - PowerTool Execution

Detects the execution of the tool PowerTool, which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files

Windows · Process Creation
TA0005 · Defense Evasion; T1562.001 · Disable or Modify Tools
Nasreddine Bencherchali (Nextron Systems) · Tue Nov 29 · windows
Detection · Level: critical · Status: test

HackTool - PurpleSharp Execution

Detects the execution of the PurpleSharp adversary simulation tool

Windows · Process Creation
T1587 · Develop Capabilities; TA0042 · Resource Development
Florian Roth (Nextron Systems) · Fri Jun 18 · windows
Detection · Level: high · Status: test

HackTool - Pypykatz Credentials Dumping Activity

Detects the usage of "pypykatz" to obtain stored credentials. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through the Windows registry, where the SAM database is stored

Windows · Process Creation
TA0006 · Credential Access; T1003.002 · Security Account Manager
François Hubaut · Wed Jan 05 · windows
Detection · Level: high · Status: test

HackTool - Quarks PwDump Execution

Detects usage of the Quarks PwDump tool via command line arguments

Windows · Process Creation
TA0006 · Credential Access; T1003.002 · Security Account Manager
Nasreddine Bencherchali (Nextron Systems) · Mon Sep 05 · windows
Detection · Level: high · Status: test

HackTool - RedMimicry Winnti Playbook Execution

Detects actions caused by the RedMimicry Winnti playbook, an automated breach emulation utility

Windows · Process Creation
TA0002 · Execution; TA0005 · Defense Evasion; T1106 · Native API; T1059.003 · Windows Command Shell (+1 more)
Alexander Rausch · Wed Jun 24 · windows
Detection · Level: critical · Status: test

Potential SMB Relay Attack Tool Execution

Detects different hacktools used for relay attacks on Windows for privilege escalation

Windows · Process Creation
TA0009 · Collection; TA0002 · Execution; TA0006 · Credential Access; T1557.001 · LLMNR/NBT-NS Poisoning and SMB Relay
Florian Roth (Nextron Systems) · Sat Jul 24 · windows
Detection · Level: critical · Status: stable

HackTool - Rubeus Execution

Detects the execution of the hacktool Rubeus via PE information or command line parameters

Windows · Process Creation
TA0005 · Defense Evasion; TA0006 · Credential Access; T1003 · OS Credential Dumping; T1558.003 · Kerberoasting (+2 more)
Florian Roth (Nextron Systems) · Wed Dec 19 · windows
Detection · Level: critical · Status: test

HackTool - SafetyKatz Execution

Detects the execution of the hacktool SafetyKatz via PE information and its default image name

Windows · Process Creation
TA0006 · Credential Access; T1003.001 · LSASS Memory
Nasreddine Bencherchali (Nextron Systems) · Thu Oct 20 · windows
Detection · Level: critical · Status: stable

HackTool - SecurityXploded Execution

Detects the execution of SecurityXploded Tools

Windows · Process Creation
TA0006 · Credential Access; T1555 · Credentials from Password Stores
Florian Roth (Nextron Systems) · Wed Dec 19 · windows
Detection · Level: high · Status: test

HackTool - PPID Spoofing SelectMyParent Tool Execution

Detects the use of parent process ID spoofing tools such as Didier Stevens' SelectMyParent tool

Windows · Process Creation
TA0004 · Privilege Escalation; TA0005 · Defense Evasion; T1134.004 · Parent PID Spoofing
Florian Roth (Nextron Systems) · Sat Jul 23 · windows
Detection · Level: high · Status: test

HackTool - SharPersist Execution

Detects the execution of the hacktool SharPersist, which is used to deploy various kinds of persistence mechanisms

Windows · Process Creation
TA0004 · Privilege Escalation; TA0002 · Execution; TA0003 · Persistence; T1053 · Scheduled Task/Job
Florian Roth (Nextron Systems) · Thu Sep 15 · windows
Detection · Level: high · Status: test

HackTool - SharpEvtMute Execution

Detects the use of SharpEvtHook, a tool that tampers with the Windows event logs

Windows · Process Creation
TA0005 · Defense Evasion; T1562.002 · Disable Windows Event Logging
Florian Roth (Nextron Systems) · Wed Sep 07 · windows
Detection · Level: high · Status: test

HackTool - SharpLdapWhoami Execution

Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller

Windows · Process Creation
TA0007 · Discovery; T1033 · System Owner/User Discovery; 2016-03-001 · CAR 2016-03-001
Florian Roth (Nextron Systems) · Mon Aug 29 · windows
Detection · Level: high · Status: test

HackTool - SharpMove Tool Execution

Detects the execution of SharpMove, a .NET utility performing multiple tasks such as "Task Creation", "SCM" query and VBScript execution using WMI, via its PE metadata and command line options.

Windows · Process Creation
TA0008 · Lateral Movement; T1021.002 · SMB/Windows Admin Shares
Luca Di Bartolomeo (CrimpSec) · Mon Jan 29 · windows
Detection · Level: high · Status: experimental

HKTL - SharpSuccessor Privilege Escalation Tool Execution

Detects the execution of SharpSuccessor, a tool used to exploit the BadSuccessor attack for privilege escalation in Windows Server 2025 Active Directory environments. Successful usage of this tool can let attackers gain domain admin privileges by exploiting the BadSuccessor vulnerability.

Windows · Process Creation
TA0004 · Privilege Escalation; T1068 · Exploitation for Privilege Escalation
Swachchhanda Shrawan Poudel (Nextron Systems) · Fri Jun 06 · windows
Detection · Level: critical · Status: test

HackTool - SharpUp PrivEsc Tool Execution

Detects the use of SharpUp, a tool for local privilege escalation

Windows · Process Creation
TA0003 · Persistence; TA0005 · Defense Evasion; TA0004 · Privilege Escalation; TA0007 · Discovery (+4 more)
Florian Roth (Nextron Systems) · Sat Aug 20 · windows
Detection · Level: high · Status: test

HackTool - SharpView Execution

Detects the execution of SharpView. Adversaries may look for details about the network configuration and settings of systems they access, or through information discovery of remote systems

Windows · Process Creation
TA0007 · Discovery; T1049 · System Network Connections Discovery; T1069.002 · Domain Groups; T1482 · Domain Trust Discovery (+2 more)
François Hubaut · Fri Dec 10 · windows