Rule Library

Sigma Rules

171 rules found

3,707 Total
3,116 Detection
451 Emerging
137 Hunting
Detection · critical · test

Hacktool Execution - Imphash

Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed

Windows · Process Creation
TA0006 · Credential Access; TA0042 · Resource Development; T1588.002 · Tool; T1003 · OS Credential Dumping
Florian Roth (Nextron Systems) · Fri Mar 04 · windows
Detection · critical · test

HackTool - Inveigh Execution

Detects the use of Inveigh, a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool

Windows · Process Creation
TA0006 · Credential Access; T1003.001 · LSASS Memory
Nasreddine Bencherchali (Nextron Systems) · Mon Oct 24 · windows
Detection · critical · test

HackTool - PurpleSharp Execution

Detects the execution of the PurpleSharp adversary simulation tool

Windows · Process Creation
T1587 · Develop Capabilities; TA0042 · Resource Development
Florian Roth (Nextron Systems) · Fri Jun 18 · windows
Detection · critical · test

Potential SMB Relay Attack Tool Execution

Detects different hacktools used for relay attacks on Windows for privilege escalation

Windows · Process Creation
TA0009 · Collection; TA0002 · Execution; TA0006 · Credential Access; T1557.001 · LLMNR/NBT-NS Poisoning and SMB Relay
Florian Roth (Nextron Systems) · Sat Jul 24 · windows
Detection · critical · stable

HackTool - Rubeus Execution

Detects the execution of the hacktool Rubeus via PE information or command line parameters

Windows · Process Creation
TA0005 · Defense Evasion; TA0006 · Credential Access; T1003 · OS Credential Dumping; T1558.003 · Kerberoasting; +2
Florian Roth (Nextron Systems) · Wed Dec 19 · windows
Detection · critical · test

HackTool - SafetyKatz Execution

Detects the execution of the hacktool SafetyKatz via PE information and default Image name

Windows · Process Creation
TA0006 · Credential Access; T1003.001 · LSASS Memory
Nasreddine Bencherchali (Nextron Systems) · Thu Oct 20 · windows
Detection · critical · stable

HackTool - SecurityXploded Execution

Detects the execution of SecurityXploded Tools

Windows · Process Creation
TA0006 · Credential Access; T1555 · Credentials from Password Stores
Florian Roth (Nextron Systems) · Wed Dec 19 · windows
Detection · critical · test

HackTool - SharpUp PrivEsc Tool Execution

Detects the use of SharpUp, a tool for local privilege escalation

Windows · Process Creation
TA0003 · Persistence; TA0005 · Defense Evasion; TA0004 · Privilege Escalation; TA0007 · Discovery; +4
Florian Roth (Nextron Systems) · Sat Aug 20 · windows
Detection · critical · test

HackTool - Sliver C2 Implant Activity Pattern

Detects process activity patterns as seen being used by Sliver C2 framework implants

Windows · Process Creation
TA0002 · Execution; T1059 · Command and Scripting Interpreter
Nasreddine Bencherchali (Nextron Systems) +1 · Thu Aug 25 · windows
Detection · critical · test

HackTool - SysmonEOP Execution

Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120

Windows · Process Creation
cve.2022-41120; T1068 · Exploitation for Privilege Escalation; TA0004 · Privilege Escalation
Florian Roth (Nextron Systems) · Sun Dec 04 · windows
Detection · critical · test

HackTool - Windows Credential Editor (WCE) Execution

Detects the use of Windows Credential Editor (WCE), a popular post-exploitation tool used to extract plaintext passwords, hashes, PIN codes and Kerberos tickets from memory. It is often used by threat actors for credential dumping and lateral movement within compromised networks.

Windows · Process Creation
TA0006 · Credential Access; T1003.001 · LSASS Memory; S0005 · S0005
Florian Roth (Nextron Systems) · Tue Dec 31 · windows
Detection · critical · test

Potential Credential Dumping Via LSASS Process Clone

Detects a suspicious LSASS process clone that could be a sign of credential dumping activity

Windows · Process Creation
TA0006 · Credential Access; T1003 · OS Credential Dumping; T1003.001 · LSASS Memory
Florian Roth (Nextron Systems) +1 · Sat Nov 27 · windows
Detection · critical · test

Suspicious Child Process Of Veeam Database

Detects suspicious child processes of the Veeam service process. This could indicate potential RCE or SQL injection.

Windows · Process Creation
TA0001 · Initial Access; TA0003 · Persistence; TA0004 · Privilege Escalation
Nasreddine Bencherchali (Nextron Systems) · Thu May 04 · windows
Detection · critical · test

Suspicious PowerShell Mailbox Export to Share

Detects usage of the PowerShell New-MailboxExportRequest cmdlet to export a mailbox to a remote or local share, as used in ProxyShell exploitation

Windows · Process Creation
TA0010 · Exfiltration
Florian Roth (Nextron Systems) · Sat Aug 07 · windows
Detection · critical · test

Renamed Whoami Execution

Detects the execution of whoami that has been renamed to a different name to avoid detection

Windows · Process Creation
TA0007 · Discovery; T1033 · System Owner/User Discovery; 2016-03-001 · CAR 2016-03-001
Florian Roth (Nextron Systems) · Thu Aug 12 · windows
Detection · critical · test

DumpStack.log Defender Evasion

Detects the use of the filename DumpStack.log to evade Microsoft Defender

Windows · Process Creation
TA0005 · Defense Evasion
Florian Roth (Nextron Systems) · Thu Jan 06 · windows
Detection · critical · test

TrustedPath UAC Bypass Pattern

Detects indicators of a UAC bypass method by mocking directories

Windows · Process Creation
TA0004 · Privilege Escalation; TA0005 · Defense Evasion; T1548.002 · Bypass User Account Control
Florian Roth (Nextron Systems) · Fri Aug 27 · windows
Detection · critical · test

WMI Backdoor Exchange Transport Agent

Detects a WMI backdoor in Exchange Transport Agents via WMI event filters

Windows · Process Creation
TA0004 · Privilege Escalation; TA0003 · Persistence; T1546.003 · Windows Management Instrumentation Event Subscription
Florian Roth (Nextron Systems) · Fri Oct 11 · windows
Detection · critical · test

Windows Credential Editor Registry

Detects the use of Windows Credential Editor (WCE)

Windows · Registry Event
TA0006 · Credential Access; T1003.001 · LSASS Memory; S0005 · S0005
Florian Roth (Nextron Systems) · Tue Dec 31 · windows
Detection · critical · test

Registry Entries For Azorult Malware

Detects the presence of a registry key created during Azorult execution

Windows · Registry Event
TA0005 · Defense Evasion; TA0003 · Persistence; TA0002 · Execution; T1112 · Modify Registry
Trent Liffick · Fri May 08 · windows
Detection · critical · test

Potential Credential Dumping Via LSASS SilentProcessExit Technique

Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process

Windows · Registry Event
TA0006 · Credential Access; T1003.001 · LSASS Memory
Florian Roth (Nextron Systems) · Fri Feb 26 · windows
Detection · critical · test

Sticky Key Like Backdoor Usage - Registry

Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen

Windows · Registry Event
TA0004 · Privilege Escalation; TA0003 · Persistence; T1546.008 · Accessibility Features; 2014-11-003 · CAR 2014-11-003; +1
Florian Roth (Nextron Systems) +2 · Thu Mar 15 · windows
Emerging Threat · critical · test

CVE-2010-5278 Exploitation Attempt

MODx manager - Local File Inclusion: Directory traversal vulnerability in manager/controllers/default/resource/tvs.php in MODx Revolution 2.0.2-pl, and possibly earlier, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the class_key parameter.

Web Server Log
TA0001 · Initial Access; T1190 · Exploit Public-Facing Application; cve.2010-5278; detection.emerging-threats
Subhash Popuri · Wed Aug 25 · 2010
Emerging Threat · critical · test

ZxShell Malware

Detects a ZxShell start by the called and well-known function name

Windows · Process Creation
TA0002 · Execution; T1059.003 · Windows Command Shell; TA0005 · Defense Evasion; T1218.011 · Rundll32; +3
Florian Roth (Nextron Systems) +2 · Thu Jul 20 · 2014
Emerging Threat · critical · test

Turla Group Lateral Movement

Detects automated lateral movement by Turla group

Windows · Process Creation
G0010 · G0010; TA0002 · Execution; T1059 · Command and Scripting Interpreter; TA0008 · Lateral Movement; +5
Markus Neis · Tue Nov 07 · 2014
Emerging Threat · critical · test

Turla Group Commands May 2020

Detects commands used by Turla group as reported by ESET in May 2020

Windows · Process Creation
TA0004 · Privilege Escalation; TA0003 · Persistence; TA0005 · Defense Evasion; G0010 · G0010; +5
Florian Roth (Nextron Systems) · Tue May 26 · 2014
Emerging Threat · critical · stable

Exploit for CVE-2015-1641

Detects Winword starting the uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641

Windows · Process Creation
TA0005 · Defense Evasion; T1036.005 · Match Legitimate Name or Location; cve.2015-1641; detection.emerging-threats
Florian Roth (Nextron Systems) · Thu Feb 22 · 2015
Emerging Threat · critical · stable

Droppers Exploiting CVE-2017-11882

Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe

Windows · Process Creation
TA0002 · Execution; T1203 · Exploitation for Client Execution; T1204.002 · Malicious File; TA0001 · Initial Access; +3
Florian Roth (Nextron Systems) · Thu Nov 23 · 2017
Emerging Threat · critical · test

Exploit for CVE-2017-8759

Detects Winword starting the uncommon sub process csc.exe as used in exploits for CVE-2017-8759

Windows · Process Creation
TA0002 · Execution; T1203 · Exploitation for Client Execution; T1204.002 · Malicious File; TA0001 · Initial Access; +3
Florian Roth (Nextron Systems) · Fri Sep 15 · 2017
Emerging Threat · critical · test

CosmicDuke Service Installation

Detects the installation of a service named "javamtsup" on the system. The CosmicDuke info stealer uses Windows services typically named "javamtsup" for persistence.

Windows · security
TA0004 · Privilege Escalation; TA0002 · Execution; TA0003 · Persistence; T1543.003 · Windows Service; +2
Florian Roth (Nextron Systems) +2 · Mon Mar 27 · 2017
Emerging Threat · critical · test

NotPetya Ransomware Activity

Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and Windows event logs are cleared using wevtutil

Windows · Process Creation
TA0005 · Defense Evasion; T1218.011 · Rundll32; T1070.001 · Clear Windows Event Logs; TA0006 · Credential Access; +3
Florian Roth (Nextron Systems) +1 · Wed Jan 16 · 2017
Emerging Threat · critical · test

WannaCry Ransomware Activity

Detects WannaCry ransomware activity

Windows · Process Creation
TA0008 · Lateral Movement; T1210 · Exploitation of Remote Services; TA0007 · Discovery; T1083 · File and Directory Discovery; +6
Florian Roth (Nextron Systems) +3 · Wed Jan 16 · 2017

Pandemic Registry Key

Detects Pandemic Windows Implant

WindowsRegistry Event
TA0011 · Command and ControlT1105 · Ingress Tool Transferdetection.emerging-threats
Florian Roth (Nextron Systems)Thu Jun 012017
Emerging Threatcriticaltest

Turla Group Named Pipes

Detects a named pipe used by Turla group samples

WindowsNamed Pipe Created
G0010 · G0010TA0002 · ExecutionT1106 · Native APIdetection.emerging-threats
Markus NeisMon Nov 062017
Emerging Threatcriticaltest

Turla PNG Dropper Service

This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018

Windowssystem
TA0004 · Privilege EscalationTA0003 · PersistenceG0010 · G0010T1543.003 · Windows Service+1
Florian Roth (Nextron Systems)Fri Nov 232017
Emerging Threatcriticaltest

Fortinet CVE-2018-13379 Exploitation

Detects CVE-2018-13379 exploitation attempt against Fortinet SSL VPNs

Web Server Log
TA0001 · Initial AccessT1190 · Exploit Public-Facing Applicationcve.2018-13379detection.emerging-threats
Bhabesh RajTue Dec 082018
Emerging Threatcriticaltest

Oracle WebLogic Exploit

Detects access to a webshell dropped into a keystore folder on the WebLogic server

Web Server Log
T1190 · Exploit Public-Facing ApplicationTA0001 · Initial AccessTA0003 · PersistenceT1505.003 · Web Shell+2
Florian Roth (Nextron Systems)Sun Jul 222018
Emerging Threatcriticaltest

Elise Backdoor Activity

Detects Elise backdoor activity used by APT32

Windows · Process Creation
G0030 · G0030; G0050 · APT32; S0081 · S0081; TA0002 · Execution; +2
Florian Roth (Nextron Systems) +1 · Wed Jan 31 · 2018
Emerging Threat · critical · test

APT27 - Emissary Panda Activity

Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27

Windows · Process Creation
TA0004 · Privilege Escalation; TA0003 · Persistence; TA0005 · Defense Evasion; T1574.001 · DLL Search Order Hijacking; +2
Florian Roth (Nextron Systems) · Mon Sep 03 · 2018
Emerging Threat · critical · stable

APT29 2018 Phishing Campaign File Indicators

Detects indicators of the APT 29 (Cozy Bear) phishing campaign as reported by Mandiant

Windows · File Event
TA0005 · Defense Evasion; T1218.011 · Rundll32; detection.emerging-threats
@41thexplorer · Tue Nov 20 · 2018
Emerging Threat · critical · stable

APT29 2018 Phishing Campaign CommandLine Indicators

Detects indicators of the APT 29 (Cozy Bear) phishing campaign as reported by Mandiant

Windows · Process Creation
TA0005 · Defense Evasion; TA0002 · Execution; T1218.011 · Rundll32; detection.emerging-threats
Florian Roth (Nextron Systems) · Tue Nov 20 · 2018
Emerging Threat · critical · test

OceanLotus Registry Activity

Detects registry keys created in OceanLotus (also known as APT32) attacks

Windows · Registry Event
TA0003 · Persistence; TA0005 · Defense Evasion; T1112 · Modify Registry; detection.emerging-threats
megan201296 +1 · Sun Apr 14 · 2018
Emerging Threat · critical · test

OilRig APT Activity

Detects OilRig activity as reported by Nyotron in their March 2018 report

Windows · Process Creation
TA0004 · Privilege Escalation; TA0002 · Execution; TA0003 · Persistence; G0049 · G0049; +8
Florian Roth (Nextron Systems) +4 · Fri Mar 23 · 2018
Emerging Threat · critical · test

OilRig APT Registry Persistence

Detects OilRig registry persistence as reported by Nyotron in their March 2018 report

Windows · Registry Event
TA0004 · Privilege Escalation; TA0002 · Execution; TA0003 · Persistence; G0049 · G0049; +8
Florian Roth (Nextron Systems) +4 · Fri Mar 23 · 2018
Emerging Threat · critical · test

OilRig APT Schedule Task Persistence - Security

Detects OilRig scheduled task persistence as reported by Nyotron in their March 2018 report

Windows · security
TA0004 · Privilege Escalation; TA0002 · Execution; TA0003 · Persistence; G0049 · G0049; +8
Florian Roth (Nextron Systems) +4 · Fri Mar 23 · 2018
Emerging Threat · critical · test

OilRig APT Schedule Task Persistence - System

Detects OilRig scheduled task persistence as reported by Nyotron in their March 2018 report

Windows · system
TA0004 · Privilege Escalation; TA0002 · Execution; TA0003 · Persistence; G0049 · G0049; +8
Florian Roth (Nextron Systems) +4 · Fri Mar 23 · 2018
Emerging Threat · critical · test

Pulse Secure Attack CVE-2019-11510

Detects a CVE-2019-11510 exploitation attempt - URI contains Guacamole

Web Server Log
TA0001 · Initial Access; T1190 · Exploit Public-Facing Application; cve.2019-11510; detection.emerging-threats
Florian Roth (Nextron Systems) · Mon Nov 18 · 2019
Emerging Threat · critical · stable

Exploiting CVE-2019-1388

Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM

Windows · Process Creation
TA0004 · Privilege Escalation; T1068 · Exploitation for Privilege Escalation; cve.2019-1388; detection.emerging-threats
Florian Roth (Nextron Systems) · Wed Nov 20 · 2019