Sigma Rules
1,701 rules found
Potential Qakbot Rundll32 Execution
Detects specific process tree behavior of a "rundll32" execution often linked with potential Qakbot activity.
Qakbot Uninstaller Execution
Detects the execution of the Qakbot uninstaller file mentioned in the USAO-CDCA document on the disruption of the Qakbot malware and botnet
SNAKE Malware WerFault Persistence File Creation
Detects the creation of a file named "WerFault.exe" in the WinSxS directory by a non-system process, which can be indicative of potential SNAKE malware activity
Potential SNAKE Malware Installation CLI Arguments Indicator
Detects a specific command line arguments sequence seen used by SNAKE malware during its installation as described by CISA in their report
Potential SNAKE Malware Installation Binary Indicator
Detects a specific binary name seen used by SNAKE malware during its installation as described by CISA in their report
Potential SNAKE Malware Persistence Service Execution
Detects a specific child/parent process relationship indicative of a "WerFault" process running from the "WinSxS" as a service. This could be indicative of potential SNAKE malware activity as reported by CISA.
SNAKE Malware Covert Store Registry Key
Detects any registry event that targets the key 'SECURITY\Policy\Secrets\n' which is a key related to SNAKE malware as described by CISA
Ursnif Redirection Of Discovery Commands
Detects the redirection of Ursnif discovery commands as part of the initial execution of the malware.
Potential Compromised 3CXDesktopApp Beaconing Activity - DNS
Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise
Potential Compromised 3CXDesktopApp Beaconing Activity - Netcon
Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise
Potential Compromised 3CXDesktopApp Execution
Detects execution of known compromised version of 3CXDesktopApp
Potential Suspicious Child Process Of 3CXDesktopApp
Detects potentially suspicious child processes of "3CXDesktopApp.exe", which could be related to the 3CXDesktopApp supply chain compromise
Potential Compromised 3CXDesktopApp Update Activity
Detects the 3CXDesktopApp updater downloading a known compromised version of the 3CXDesktopApp software
Potential Compromised 3CXDesktopApp Beaconing Activity - Proxy
Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise
Potential Compromised 3CXDesktopApp ICO C2 File Download
Detects potential malicious .ICO file downloads from a compromised 3CXDesktopApp via web requests to the malicious GitHub repository
Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor
Hunts for known SVR-specific scheduled task names
Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler
Hunts for known SVR-specific scheduled task names
Diamond Sleet APT DNS Communication Indicators
Detects DNS queries related to Diamond Sleet APT activity
Diamond Sleet APT File Creation Indicators
Detects file creation activity that is related to Diamond Sleet APT activity
Diamond Sleet APT DLL Sideloading Indicators
Detects DLL sideloading activity seen used by Diamond Sleet APT
Diamond Sleet APT Process Activity Indicators
Detects process creation activity indicators related to Diamond Sleet APT
Diamond Sleet APT Scheduled Task Creation - Registry
Detects a registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of the TeamCity CVE-2023-42793 vulnerability
Potential Operation Triangulation C2 Beaconing Activity - DNS
Detects potential beaconing activity to domains used in 0day attacks on iOS devices and revealed by Kaspersky and the FSB
Potential Operation Triangulation C2 Beaconing Activity - Proxy
Detects potential beaconing activity to domains used in 0day attacks on iOS devices and revealed by Kaspersky and the FSB
Potential APT FIN7 Related PowerShell Script Created
Detects PowerShell script file creation with specific name or suffix which was seen being used often by FIN7 PowerShell scripts
Potential APT FIN7 POWERHOLD Execution
Detects execution of the POWERHOLD script seen used by FIN7 as reported by WithSecureLabs
Potential POWERTRASH Script Execution
Detects potential execution of the PowerShell script POWERTRASH
Potential APT FIN7 Reconnaissance/POWERTRASH Related Activity
Detects specific command line execution used by FIN7 as reported by WithSecureLabs for reconnaissance and POWERTRASH execution
Lace Tempest File Indicators
Detects PowerShell script file creation with specific names or suffixes which were seen being used often in PowerShell scripts by FIN7
Lace Tempest PowerShell Evidence Eraser
Detects a PowerShell script used by Lace Tempest APT to erase evidence from victim servers by exploiting CVE-2023-47246 as reported by SysAid Team
Lace Tempest PowerShell Launcher
Detects a PowerShell script used by Lace Tempest APT to launch their malware loader by exploiting CVE-2023-47246 as reported by SysAid Team
Lace Tempest Cobalt Strike Download
Detects specific command line execution used by Lace Tempest to download Cobalt Strike as reported by SysAid Team
Lace Tempest Malware Loader Execution
Detects execution of a specific binary based on filename and hash used by Lace Tempest to load additional malware as reported by SysAid Team
Lazarus APT DLL Sideloading Activity
Detects sideloading of trojanized DLLs used in Lazarus APT campaign in the case of a Spanish aerospace company
Mint Sandstorm - Log4J Wstomcat Process Execution
Detects Log4J Wstomcat process execution as seen in Mint Sandstorm activity
Potential APT Mustang Panda Activity Against Australian Gov
Detects specific command line execution used by Mustang Panda in a targeted attack against the Australian government as reported by Lab52
Onyx Sleet APT File Creation Indicators
Detects file creation activity that is related to Onyx Sleet APT activity
PaperCut MF/NG Exploitation Related Indicators
Detects exploitation indicators related to PaperCut MF/NG Exploitation
PaperCut MF/NG Potential Exploitation
Detects suspicious child processes of "pc-app.exe", which could indicate potential exploitation of PaperCut
Peach Sandstorm APT Process Activity Indicators
Detects process creation activity related to Peach Sandstorm APT
UNC4841 - Email Exfiltration File Pattern
Detects filename pattern of email related data used by UNC4841 for staging and exfiltration
UNC4841 - Barracuda ESG Exploitation Indicators
Detects file indicators as seen used by UNC4841 during their Barracuda ESG zero day exploitation.
UNC4841 - SSL Certificate Exfiltration Via Openssl
Detects the execution of "openssl" to connect to an IP address. This technique was used by UNC4841 to exfiltrate SSL certificates and as a C2 channel with named pipes. Investigate commands executed in the temporal vicinity of this command.
UNC4841 - Download Compressed Files From Temp.sh Using Wget
Detects execution of "wget" to download ".zip" or ".rar" files from "temp.sh", as seen used by UNC4841 during their Barracuda ESG zero-day exploitation.
UNC4841 - Download Tar File From Untrusted Direct IP Via Wget
Detects execution of "wget" to download a "tar" file from an IP address that doesn't have a trusted certificate, as seen used by UNC4841 during their Barracuda ESG zero-day exploitation.
CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection
Detects potential exploitation of CVE-2024-1709, an unauthenticated command injection in Progress Kemp LoadMaster. It looks for GET requests to the '/access/set' API with the parameters 'param=enableapi' and 'value=1', as well as an "Authorization" header whose base64-encoded value contains an uncommon character.
Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process
Detects a potentially suspicious child process of the SSH daemon (sshd) running as a specific execution user. This could be a sign of potential exploitation of CVE-2024-3094.
Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection
Detects potential exploitation attempts of CVE-2024-3400 - an OS command injection in Palo Alto GlobalProtect. This detection looks for suspicious strings that indicate a potential directory traversal attempt or command injection.