Rule Library

Sigma Rules

28 rules found

3,707 Total
3,116 Detection
451 Emerging
137 Hunting

Detection / informational / test

New Github Organization Member Added

Detects when a new member is added or invited to a GitHub organization.

github / audit
TA0003 · Persistence, T1136.003 · Cloud Account
Muhammad Faisal / Sun Jan 29 / application

Detection / informational / test

New Okta User Created

Detects new user account creation

Okta / okta
TA0006 · Credential Access
Nasreddine Bencherchali (Nextron Systems) / Wed Oct 25 / identity

Detection / informational / test

System Shutdown/Reboot - Linux

Adversaries may shut down or reboot systems to interrupt access to, or aid in the destruction of, those systems.

Linux / auditd
TA0040 · Impact, T1529 · System Shutdown/Reboot
Igor Fits +1 / Thu Oct 15 / linux

Detection / informational / stable

System and Hardware Information Discovery

Detects system information discovery commands

Linux / auditd
TA0007 · Discovery, T1082 · System Information Discovery
Ömer Günal +1 / Thu Oct 08 / linux

Detection / informational / test

File and Directory Discovery - Linux

Detects usage of system utilities such as "find", "tree", "findmnt", etc., to discover files, directories and network shares.

Linux / Process Creation
TA0007 · Discovery, T1083 · File and Directory Discovery
Daniil Yugoslavskiy +2 / Mon Oct 19 / linux

Detection / informational / stable

File Deletion

Detects file deletion using the "rm", "shred" or "unlink" commands, which adversaries often use to delete files left behind by their intrusion activity.

Linux / Process Creation
TA0005 · Defense Evasion, T1070.004 · File Deletion
Ömer Günal +1 / Wed Oct 07 / linux

Detection / informational / stable

System Information Discovery

Detects system information discovery commands

Linux / Process Creation
TA0007 · Discovery, T1082 · System Information Discovery
Ömer Günal +1 / Thu Oct 08 / linux

Detection / informational / test

System Network Discovery - Linux

Detects enumeration of local network configuration

Linux / Process Creation
TA0007 · Discovery, T1016 · System Network Configuration Discovery
Ömer Günal and remotephone +1 / Tue Oct 06 / linux

Detection / informational / test

File and Directory Discovery - MacOS

Detects usage of system utilities to discover files and directories

macOS / Process Creation
TA0007 · Discovery, T1083 · File and Directory Discovery
Daniil Yugoslavskiy +1 / Mon Oct 19 / macos

Detection / informational / test

Local Groups Discovery - MacOs

Detects enumeration of local system groups

macOS / Process Creation
TA0007 · Discovery, T1069.001 · Local Groups
Ömer Günal +2 / Sun Oct 11 / macos

Detection / informational / test

Network Sniffing - MacOs

Detects the usage of tooling to sniff network traffic. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.

macOS / Process Creation
TA0007 · Discovery, TA0006 · Credential Access, T1040 · Network Sniffing
Alejandro Ortuno +1 / Wed Oct 14 / macos

Detection / informational / test

Macos Remote System Discovery

Detects the enumeration of other remote systems.

macOS / Process Creation
TA0007 · Discovery, T1018 · Remote System Discovery
Alejandro Ortuno +1 / Thu Oct 22 / macos

Detection / informational / test

System Network Discovery - macOS

Detects enumeration of local network configuration

macOS / Process Creation
TA0007 · Discovery, T1016 · System Network Configuration Discovery
remotephone +1 / Tue Oct 06 / macos

Detection / informational / test

System Network Connections Discovery - MacOs

Detects usage of system utilities to discover system network connections

macOS / Process Creation
TA0007 · Discovery, T1049 · System Network Connections Discovery
Daniil Yugoslavskiy +1 / Mon Oct 19 / macos

Detection / informational / test

System Shutdown/Reboot - MacOs

Adversaries may shut down or reboot systems to interrupt access to, or aid in the destruction of, those systems.

macOS / Process Creation
TA0040 · Impact, T1529 · System Shutdown/Reboot
Igor Fits +2 / Mon Oct 19 / macos

Detection / informational / stable

Failed Code Integrity Checks

Detects code integrity failures such as missing page hashes or corrupted drivers due to unauthorized modification. This could be a sign of tampered binaries.

Windows / security
TA0005 · Defense Evasion, T1027.001 · Binary Padding
Thomas Patzke / Tue Dec 03 / windows

Detection / informational / test

User Logoff Event

Detects user log-off activity. Can be used, for example, to correlate information during forensic investigations.

Windows / security
TA0040 · Impact, T1531 · Account Access Removal
François Hubaut / Fri Oct 14 / windows

Detection / informational / test

VSSAudit Security Event Source Registration

Detects the registration of the security event source VSSAudit. It would usually trigger when volume shadow copy operations happen.

Windows / security
TA0006 · Credential Access, T1003.002 · Security Account Manager
Roberto Rodriguez (Cyb3rWard0g) +1 / Tue Oct 20 / windows

Detection / informational / stable

Locked Workstation

Detects locked workstation session events that occur automatically after a standard period of inactivity.

Windows / security
TA0040 · Impact
Alexandr Yampolskyi +1 / Tue Mar 26 / windows

Detection / informational / stable

Windows Update Error

Detects Windows update errors including installation failures and connection issues. Defenders should observe this in case critical update KBs aren't installed.

Windows / system
TA0040 · Impact, TA0042 · Resource Development, T1584 · Compromise Infrastructure
François Hubaut / Sat Dec 04 / windows

Detection / informational / test

Windows Defender Malware Detection History Deletion

Windows Defender logs when the history of detected infections is deleted.

Windows / windefend
TA0005 · Defense Evasion
Cian Heasley / Thu Aug 13 / windows

Detection / informational / test

New PowerShell Instance Created

Detects the execution of PowerShell via the creation of a named pipe starting with PSHost

Windows / Named Pipe Created
TA0002 · Execution, T1059.001 · PowerShell
Roberto Rodriguez (Cyb3rWard0g) +1 / Thu Sep 12 / windows

Detection / informational / test

PowerShell Decompress Commands

A general detection for specific decompression commands in PowerShell logs. This could be an adversary decompressing files.

Windows / PowerShell Module
TA0005 · Defense Evasion, T1140 · Deobfuscate/Decode Files or Information
Roberto Rodriguez (Cyb3rWard0g) +1 / Sat May 02 / windows

Detection / informational / test

Suspicious High IntegrityLevel Conhost Legacy Option

ForceV1 asks for information directly from the kernel space. Conhost connects to the console application. High IntegrityLevel means the process is running with elevated privileges, such as an Administrator context.

Windows / Process Creation
TA0005 · Defense Evasion, T1202 · Indirect Command Execution
François Hubaut / Fri Dec 09 / windows

Detection / informational / test

New Application in AppCompat

A general detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint.

Windows / Registry Set
TA0002 · Execution, T1204.002 · Malicious File
Roberto Rodriguez (Cyb3rWard0g) +1 / Sat May 02 / windows

Emerging Threat / informational / test

Windows Spooler Service Suspicious Binary Load

Detects a DLL load from the Spooler Service backup folder. This behavior has been observed during exploitation of the Print Spooler vulnerabilities CVE-2021-1675 and CVE-2021-34527 (PrintNightmare).

Windows / Image Load (DLL)
TA0003 · Persistence, TA0005 · Defense Evasion, TA0004 · Privilege Escalation, T1574 · Hijack Execution Flow (+3)
FPT.EagleEye +1 / Tue Jun 29 / 2021

Threat Hunt / informational / test

Potential BOINC Software Execution (UC-Berkeley Signature)

Detects the use of software that is related to the University of California, Berkeley via metadata information. This indicates it may be related to BOINC software and can be used maliciously if unauthorized.

Windows / Process Creation
TA0002 · Execution, TA0005 · Defense Evasion, T1553 · Subvert Trust Controls, detection.threat-hunting
Matt Anderson (Huntress) / Tue Jul 23 / windows

Threat Hunt / informational / test

Suspicious Tasklist Discovery Command

Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network.

Windows / Process Creation
TA0007 · Discovery, T1057 · Process Discovery, detection.threat-hunting
François Hubaut / Sat Dec 11 / windows