Rule Library

Sigma Rules

171 rules found

3,707 Total · 3,116 Detection · 451 Emerging · 137 Hunting
Sudo Privilege Escalation CVE-2019-14287 - Builtin
Emerging Threat · critical · test
Detects users trying to exploit the sudo vulnerability reported in CVE-2019-14287
Log source: Linux / sudo
Tags: TA0005 · Defense Evasion, TA0004 · Privilege Escalation, T1068 · Exploitation for Privilege Escalation, T1548.003 · Sudo and Sudo Caching (+2)
Author: Florian Roth (Nextron Systems) · Tue Oct 15 2019

Citrix Netscaler Attack CVE-2019-19781
Emerging Threat · critical · test
Detects CVE-2019-19781 exploitation attempts against Citrix Netscaler, Application Delivery Controller and Citrix Gateway
Log source: Web Server Log
Tags: TA0001 · Initial Access, T1190 · Exploit Public-Facing Application, cve.2019-19781, detection.emerging-threats
Author: Arnim Rupp +1 · Thu Jan 02 2019

Confluence Exploitation CVE-2019-3398
Emerging Threat · critical · test
Detects the exploitation of the Confluence vulnerability described in CVE-2019-3398
Log source: Web Server Log
Tags: TA0001 · Initial Access, T1190 · Exploit Public-Facing Application, cve.2019-3398, detection.emerging-threats
Author: Florian Roth (Nextron Systems) · Tue May 26 2019

Potential Dridex Activity
Emerging Threat · critical · stable
Detects potential Dridex activity via specific process patterns
Log source: Windows / Process Creation
Tags: TA0005 · Defense Evasion, TA0004 · Privilege Escalation, T1055 · Process Injection, TA0007 · Discovery (+3)
Author: Florian Roth (Nextron Systems) +2 · Thu Jan 10 2019

Potential Dtrack RAT Activity
Emerging Threat · critical · stable
Detects potential Dtrack RAT activity via specific process patterns
Log source: Windows / Process Creation
Tags: TA0040 · Impact, T1490 · Inhibit System Recovery, detection.emerging-threats
Author: Florian Roth (Nextron Systems) +1 · Wed Oct 30 2019

LockerGoga Ransomware Activity
Emerging Threat · critical · stable
Detects LockerGoga ransomware activity via a specific command line.
Log source: Windows / Process Creation
Tags: TA0040 · Impact, T1486 · Data Encrypted for Impact, detection.emerging-threats
Author: Vasiliy Burov +1 · Sun Oct 18 2019

Potential QBot Activity
Emerging Threat · critical · stable
Detects potential QBot activity by looking for process executions previously used by QBot
Log source: Windows / Process Creation
Tags: TA0002 · Execution, T1059.005 · Visual Basic, detection.emerging-threats
Author: Florian Roth (Nextron Systems) · Tue Oct 01 2019

Ursnif Malware C2 URL Pattern
Emerging Threat · critical · stable
Detects Ursnif C2 traffic.
Log source: Proxy Log
Tags: TA0001 · Initial Access, T1566.001 · Spearphishing Attachment, TA0002 · Execution, T1204.002 · Malicious File (+3)
Author: Thomas Patzke · Thu Dec 19 2019

APT31 Judgement Panda Activity
Emerging Threat · critical · test
Detects APT31 Judgement Panda activity as described in the Crowdstrike 2019 Global Threat Report
Log source: Windows / Process Creation
Tags: TA0009 · Collection, TA0008 · Lateral Movement, TA0006 · Credential Access, G0128 · GOLD SOUTHFIELD (+3)
Author: Florian Roth (Nextron Systems) · Thu Feb 21 2019

Potential Russian APT Credential Theft Activity
Emerging Threat · critical · stable
Detects Russian group activity as described in the Global Threat Report 2019 by Crowdstrike
Log source: Windows / Process Creation
Tags: TA0006 · Credential Access, T1552.001 · Credentials In Files, T1003.003 · NTDS, detection.emerging-threats
Author: Florian Roth (Nextron Systems) · Thu Feb 21 2019

Equation Group DLL_U Export Function Load
Emerging Threat · critical · stable
Detects a specific export function name used by one of the EquationGroup tools
Log source: Windows / Process Creation
Tags: G0020 · G0020, TA0005 · Defense Evasion, T1218.011 · Rundll32, detection.emerging-threats
Author: Florian Roth (Nextron Systems) · Mon Mar 04 2019

CVE-2020-0688 Exchange Exploitation via Web Log
Emerging Threat · critical · test
Detects the exploitation of the Microsoft Exchange vulnerability described in CVE-2020-0688
Log source: Web Server Log
Tags: TA0001 · Initial Access, T1190 · Exploit Public-Facing Application, cve.2020-0688, detection.emerging-threats
Author: Florian Roth (Nextron Systems) · Sat Feb 29 2020

CVE-2020-10148 SolarWinds Orion API Auth Bypass
Emerging Threat · critical · test
Detects CVE-2020-10148 SolarWinds Orion API authentication bypass attempts
Log source: Web Server Log
Tags: TA0001 · Initial Access, T1190 · Exploit Public-Facing Application, cve.2020-10148, detection.emerging-threats
Author: Bhabesh Raj +1 · Sun Dec 27 2020

DNS RCE CVE-2020-1350
Emerging Threat · critical · test
Detects exploitation of the DNS RCE bug reported in CVE-2020-1350 by detecting a suspicious sub-process
Log source: Windows / Process Creation
Tags: TA0001 · Initial Access, T1190 · Exploit Public-Facing Application, TA0002 · Execution, T1569.002 · Service Execution (+2)
Author: Florian Roth (Nextron Systems) · Wed Jul 15 2020

CVE-2020-5902 F5 BIG-IP Exploitation Attempt
Emerging Threat · critical · test
Detects exploitation attempts of the vulnerability found in F5 BIG-IP and described in CVE-2020-5902
Log source: Web Server Log
Tags: TA0001 · Initial Access, T1190 · Exploit Public-Facing Application, cve.2020-5902, detection.emerging-threats
Author: Florian Roth (Nextron Systems) · Sun Jul 05 2020

Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195
Emerging Threat · critical · test
Detects exploitation attempts against Citrix Netscaler, Application Delivery Controller (ADS) and Citrix Gateway exploiting the vulnerabilities reported as CVE-2020-8193 and CVE-2020-8195
Log source: Web Server Log
Tags: TA0001 · Initial Access, T1190 · Exploit Public-Facing Application, cve.2020-8193, cve.2020-8195 (+1)
Author: Florian Roth (Nextron Systems) · Fri Jul 10 2020

Potential Emotet Rundll32 Execution
Emerging Threat · critical · test
Detects Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL
Log source: Windows / Process Creation
Tags: TA0005 · Defense Evasion, T1218.011 · Rundll32, detection.emerging-threats
Author: FPT.EagleEye · Fri Dec 25 2020

FlowCloud Registry Markers
Emerging Threat · critical · test
Detects FlowCloud malware registry markers from threat group TA410. The malware stores its configuration in the registry alongside drivers utilized by the malware's keylogger components.
Log source: Windows / Registry Event
Tags: TA0005 · Defense Evasion, TA0003 · Persistence, T1112 · Modify Registry, detection.emerging-threats
Author: NVISO · Tue Jun 09 2020

Potential Maze Ransomware Activity
Emerging Threat · critical · test
Detects specific process characteristics of Maze ransomware Word document droppers
Log source: Windows / Process Creation
Tags: TA0002 · Execution, T1204.002 · Malicious File, T1047 · Windows Management Instrumentation, TA0040 · Impact (+2)
Author: Florian Roth (Nextron Systems) · Fri May 08 2020

EvilNum APT Golden Chickens Deployment Via OCX Files
Emerging Threat · critical · test
Detects the Golden Chickens deployment method as used by Evilnum and described in the ESET July 2020 report
Log source: Windows / Process Creation
Tags: TA0005 · Defense Evasion, T1218.011 · Rundll32, detection.emerging-threats
Author: Florian Roth (Nextron Systems) · Fri Jul 10 2020

Greenbug Espionage Group Indicators
Emerging Threat · critical · test
Detects tools and process executions used by Greenbug in their May 2020 campaign as reported by Symantec
Log source: Windows / Process Creation
Tags: G0049 · G0049, TA0002 · Execution, T1059.001 · PowerShell, TA0011 · Command and Control (+4)
Author: Florian Roth (Nextron Systems) · Wed May 20 2020

Lazarus Group Activity
Emerging Threat · critical · test
Detects different process execution behaviors as described in various threat reports on Lazarus group activity
Log source: Windows / Process Creation
Tags: G0032 · Lazarus Group, TA0002 · Execution, T1059 · Command and Scripting Interpreter, detection.emerging-threats
Author: Florian Roth (Nextron Systems) +1 · Wed Dec 23 2020

Leviathan Registry Key Activity
Emerging Threat · critical · test
Detects a registry key used by the Leviathan APT in a Malaysia-focused campaign
Log source: Windows / Registry Event
Tags: TA0004 · Privilege Escalation, TA0003 · Persistence, T1547.001 · Registry Run Keys / Startup Folder, detection.emerging-threats
Author: Aidan Bracher · Tue Jul 07 2020

UNC2452 PowerShell Pattern
Emerging Threat · critical · test
Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports
Log source: Windows / Process Creation
Tags: TA0002 · Execution, T1059.001 · PowerShell, T1047 · Windows Management Instrumentation, detection.emerging-threats
Author: Florian Roth (Nextron Systems) · Wed Jan 20 2020

Solarwinds SUPERNOVA Webshell Access
Emerging Threat · critical · test
Detects access to the SUPERNOVA webshell as described in the Guidepoint report
Log source: Web Server Log
Tags: TA0003 · Persistence, T1505.003 · Web Shell, detection.emerging-threats
Author: Florian Roth (Nextron Systems) · Thu Dec 17 2020

Winnti Malware HK University Campaign
Emerging Threat · critical · test
Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Hong Kong universities
Log source: Windows / Process Creation
Tags: TA0004 · Privilege Escalation, TA0003 · Persistence, TA0005 · Defense Evasion, T1574.001 · DLL Search Order Hijacking (+2)
Author: Florian Roth (Nextron Systems) +1 · Sat Feb 01 2020

Winnti Pipemon Characteristics
Emerging Threat · critical · stable
Detects specific process characteristics of the Winnti Pipemon malware reported by ESET
Log source: Windows / Process Creation
Tags: TA0004 · Privilege Escalation, TA0003 · Persistence, TA0005 · Defense Evasion, T1574.001 · DLL Search Order Hijacking (+2)
Author: Florian Roth (Nextron Systems) +1 · Thu Jul 30 2020

Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection
Emerging Threat · critical · stable
Detects the suspicious file that is created from PoC code against the Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare), CVE-2021-1675.
Log source: Antivirus Alert
Tags: TA0005 · Defense Evasion, TA0004 · Privilege Escalation, T1055 · Process Injection, detection.emerging-threats (+2)
Author: Sittikorn S +2 · Thu Jul 01 2021

CVE-2021-1675 Print Spooler Exploitation Filename Pattern
Emerging Threat · critical · test
Detects the default filename used in PoC code against the print spooler vulnerability CVE-2021-1675
Log source: Windows / File Event
Tags: TA0002 · Execution, TA0004 · Privilege Escalation, TA0042 · Resource Development, T1587 · Develop Capabilities (+2)
Author: Florian Roth (Nextron Systems) · Tue Jun 29 2021

PrinterNightmare Mimikatz Driver Name
Emerging Threat · critical · test
Detects the static QMS 810 and mimikatz driver names used by Mimikatz when exploiting CVE-2021-1675 and CVE-2021-34527
Log source: Windows / Registry Event
Tags: TA0002 · Execution, T1204 · User Execution, cve.2021-1675, cve.2021-34527 (+1)
Author: Markus Neis +1 · Sun Jul 04 2021

CVE-2021-1675 Print Spooler Exploitation
Emerging Threat · critical · test
Detects driver load events in the print service operational log that are a sign of successful exploitation attempts against the print spooler vulnerability CVE-2021-1675
Log source: Windows / printservice-operational
Tags: TA0002 · Execution, T1569 · System Services, cve.2021-1675, detection.emerging-threats
Author: Florian Roth (Nextron Systems) · Thu Jul 01 2021

CVE-2021-1675 Print Spooler Exploitation IPC Access
Emerging Threat · critical · test
Detects remote printer driver loads from Detailed File Share events in the Security log that are a sign of successful exploitation attempts against the print spooler vulnerabilities CVE-2021-1675 and CVE-2021-34527
Log source: Windows / security
Tags: TA0002 · Execution, T1569 · System Services, cve.2021-1675, cve.2021-34527 (+1)
Author: INIT_6 · Fri Jul 02 2021

Arcadyan Router Exploitations
Emerging Threat · critical · test
Detects exploitation of vulnerabilities in Arcadyan routers as reported in CVE-2021-20090 and CVE-2021-20091.
Log source: Web Server Log
Tags: TA0001 · Initial Access, T1190 · Exploit Public-Facing Application, cve.2021-20090, cve.2021-20091 (+1)
Author: Bhabesh Raj · Tue Aug 24 2021

Oracle WebLogic Exploit CVE-2021-2109
Emerging Threat · critical · test
Detects the exploitation of the WebLogic server vulnerability described in CVE-2021-2109
Log source: Web Server Log
Tags: T1190 · Exploit Public-Facing Application, TA0001 · Initial Access, cve.2021-2109, detection.emerging-threats
Author: Bhabesh Raj · Wed Jan 20 2021

Fortinet CVE-2021-22123 Exploitation
Emerging Threat · critical · test
Detects CVE-2021-22123 exploitation attempts against Fortinet WAFs
Log source: Web Server Log
Tags: TA0001 · Initial Access, T1190 · Exploit Public-Facing Application, cve.2021-22123, detection.emerging-threats
Author: Bhabesh Raj +1 · Thu Aug 19 2021

ProxyLogon Reset Virtual Directories Based On IIS Log
Emerging Threat · critical · test
When exploiting this vulnerability with CVE-2021-26858, an SSRF attack is used to manipulate virtual directories
Log source: Web Server Log
Tags: cve.2021-26858, detection.emerging-threats, TA0001 · Initial Access, T1190 · Exploit Public-Facing Application
Author: François Hubaut · Tue Aug 10 2021

Exchange Exploitation CVE-2021-28480
Emerging Threat · critical · test
Detects successful exploitation of the Exchange vulnerability reported in CVE-2021-28480
Log source: Web Server Log
Tags: TA0001 · Initial Access, T1190 · Exploit Public-Facing Application, cve.2021-28480, detection.emerging-threats
Author: Florian Roth (Nextron Systems) · Fri May 14 2021

CVE-2021-33766 Exchange ProxyToken Exploitation
Emerging Threat · critical · test
Detects the exploitation of the Microsoft Exchange ProxyToken vulnerability as described in CVE-2021-33766
Log source: Web Server Log
Tags: TA0001 · Initial Access, T1190 · Exploit Public-Facing Application, cve.2021-33766, detection.emerging-threats
Author: Florian Roth (Nextron Systems) +2 · Mon Aug 30 2021

CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum
Emerging Threat · critical · test
Detects patterns noticed in the exploitation of the Windows CVE-2021-31979 and CVE-2021-33771 vulnerabilities and the DevilsTongue malware by threat group Sourgum
Log source: Windows / File Event
Tags: TA0001 · Initial Access, TA0002 · Execution, TA0006 · Credential Access, T1566 · Phishing (+4)
Author: Sittikorn S · Fri Jul 16 2021

CVE-2021-31979 CVE-2021-33771 Exploits
Emerging Threat · critical · test
Detects patterns noticed in the exploitation of the Windows CVE-2021-31979 and CVE-2021-33771 vulnerabilities and the DevilsTongue malware by threat group Sourgum
Log source: Windows / Registry Set
Tags: TA0001 · Initial Access, TA0002 · Execution, TA0006 · Credential Access, T1566 · Phishing (+4)
Author: Sittikorn S +1 · Fri Jul 16 2021

Serv-U Exploitation CVE-2021-35211 by DEV-0322
Emerging Threat · critical · test
Detects patterns noticed in the exploitation of the Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322
Log source: Windows / Process Creation
Tags: TA0003 · Persistence, T1136.001 · Local Account, cve.2021-35211, detection.emerging-threats
Author: Florian Roth (Nextron Systems) · Wed Jul 14 2021

CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit
Emerging Threat · critical · test
Detects exploitation of an authentication bypass vulnerability affecting the REST API URLs in ADSelfService Plus (CVE-2021-40539).
Log source: Web Server Log
Tags: TA0001 · Initial Access, T1190 · Exploit Public-Facing Application, TA0003 · Persistence, T1505.003 · Web Shell (+2)
Author: Sittikorn S +1 · Fri Sep 10 2021

InstallerFileTakeOver LPE CVE-2021-41379 File Create Event
Emerging Threat · critical · test
Detects signs of the exploitation of LPE CVE-2021-41379, namely an msiexec process that creates an elevation_service.exe file
Log source: Windows / File Event
Tags: TA0004 · Privilege Escalation, T1068 · Exploitation for Privilege Escalation, detection.emerging-threats
Author: Florian Roth (Nextron Systems) · Mon Nov 22 2021

Potential CVE-2021-41379 Exploitation Attempt
Emerging Threat · critical · test
Detects potential exploitation attempts of CVE-2021-41379 (InstallerFileTakeOver), a local privilege escalation (LPE) vulnerability where the attacker spawns a "cmd.exe" process as a child of the Microsoft Edge elevation service "elevation_service" with "LOCAL_SYSTEM" rights
Log source: Windows / Process Creation
Tags: TA0004 · Privilege Escalation, T1068 · Exploitation for Privilege Escalation, cve.2021-41379, detection.emerging-threats
Author: Florian Roth (Nextron Systems) · Mon Nov 22 2021

Grafana Path Traversal Exploitation CVE-2021-43798
Emerging Threat · critical · test
Detects a successful Grafana path traversal exploitation
Log source: Web Server Log
Tags: TA0001 · Initial Access, T1190 · Exploit Public-Facing Application, cve.2021-43798, detection.emerging-threats
Author: Florian Roth (Nextron Systems) · Wed Dec 08 2021

Successful Exchange ProxyShell Attack
Emerging Threat · critical · test
Detects URL patterns and status codes that indicate a successful ProxyShell exploitation attack against Exchange servers
Log source: Web Server Log
Tags: TA0001 · Initial Access, detection.emerging-threats
Author: Florian Roth (Nextron Systems) +1 · Mon Aug 09 2021

Potential SystemNightmare Exploitation Attempt
Emerging Threat · critical · test
Detects an exploitation attempt of SystemNightmare in order to obtain a shell as LOCAL_SYSTEM
Log source: Windows / Process Creation
Tags: TA0004 · Privilege Escalation, T1068 · Exploitation for Privilege Escalation, detection.emerging-threats
Author: Florian Roth (Nextron Systems) · Wed Aug 11 2021

Potential Conti Ransomware Activity
Emerging Threat · critical · test
Detects a specific command used by the Conti ransomware group
Log source: Windows / Process Creation
Tags: TA0040 · Impact, S0575 · S0575, T1486 · Data Encrypted for Impact, detection.emerging-threats
Author: François Hubaut · Tue Oct 12 2021