Phoenix
Sigma IntelligenceBeta
Rule Library

Sigma Rules

334 rules found

3,707Total
3,116Detection
451Emerging
137Hunting
Detectionlowtest

System Integrity Protection (SIP) Enumeration

Detects the use of csrutil to view the Configure System Integrity Protection (SIP) status. This technique is used in post-exploit scenarios.

macOSProcess Creation
TA0007 · DiscoveryT1518.001 · Security Software Discovery
Joseliyo SanchezTue Jan 02macos
Detectionlowtest

GUI Input Capture - macOS

Detects attempts to use system dialog prompts to capture user credentials

macOSProcess Creation
TA0009 · CollectionTA0006 · Credential AccessT1056.002 · GUI Input Capture
remotephone+1Tue Oct 13macos
Detectionlowtest

JAMF MDM Execution

Detects execution of the "jamf" binary to create user accounts and run commands. For example, the binary can be abused by attackers on the system in order to bypass security controls or remove application control polices.

macOSProcess Creation
TA0002 · Execution
Jay PanditTue Aug 22macos
Detectionlowtest

Local System Accounts Discovery - MacOs

Detects enumeration of local systeam accounts on MacOS

macOSProcess Creation
TA0007 · DiscoveryT1087.001 · Local Account
Alejandro Ortuno+1Thu Oct 08macos
Detectionlowtest

MacOS Network Service Scanning

Detects enumeration of local or remote network services.

macOSProcess Creation
TA0007 · DiscoveryT1046 · Network Service Discovery
Alejandro Ortuno+1Wed Oct 21macos
Detectionlowtest

Remote Access Tool - Team Viewer Session Started On MacOS Host

Detects the command line executed when TeamViewer starts a session started by a remote host. Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.

macOSProcess Creation
TA0003 · PersistenceTA0001 · Initial AccessT1133 · External Remote Services
Josh Nickels+1Mon Mar 11macos
Detectionlowtest

Screen Capture - macOS

Detects attempts to use screencapture to collect macOS screenshots

macOSProcess Creation
TA0009 · CollectionT1113 · Screen Capture
remotephone+1Tue Oct 13macos
Detectionlowtest

Space After Filename - macOS

Detects attempts to masquerade as legitimate files by adding a space to the end of the filename.

macOSProcess Creation
TA0005 · Defense EvasionT1036.006 · Space after Filename
remotephoneSat Nov 20macos
Detectionlowtest

Split A File Into Pieces

Detection use of the command "split" to split files into parts and possible transfer.

macOSProcess Creation
TA0010 · ExfiltrationT1030 · Data Transfer Size Limits
Igor Fits+2Thu Oct 15macos
Detectionlowtest

Guest Account Enabled Via Sysadminctl

Detects attempts to enable the guest account using the sysadminctl utility

macOSProcess Creation
TA0004 · Privilege EscalationTA0003 · PersistenceTA0005 · Defense EvasionTA0001 · Initial Access+2
Sohan G (D4rkCiph3r)Sat Feb 18macos
Detectionlowtest

Gatekeeper Bypass via Xattr

Detects macOS Gatekeeper bypass via xattr utility

macOSProcess Creation
TA0005 · Defense EvasionT1553.001 · Gatekeeper Bypass
Daniil Yugoslavskiy+1Mon Oct 19macos
Detectionlowtest

Cisco Collect Data

Collect pertinent data from the configuration files

Ciscoaaa
TA0007 · DiscoveryTA0006 · Credential AccessTA0009 · CollectionT1087.001 · Local Account+2
Austin ClarkSun Aug 11network
Detectionlowtest

Cisco Discovery

Find information about network devices that is not stored in config files

Ciscoaaa
TA0007 · DiscoveryT1083 · File and Directory DiscoveryT1201 · Password Policy DiscoveryT1057 · Process Discovery+6
Austin ClarkMon Aug 12network
Detectionlowtest

Cisco Stage Data

Various protocols maybe used to put data on the device for exfil or infil

Ciscoaaa
TA0009 · CollectionTA0008 · Lateral MovementTA0011 · Command and ControlTA0010 · Exfiltration+3
Austin ClarkMon Aug 12network
Detectionlowtest

Cisco BGP Authentication Failures

Detects BGP failures which may be indicative of brute force attacks to manipulate routing

Ciscobgp
TA0001 · Initial AccessTA0003 · PersistenceTA0004 · Privilege EscalationTA0005 · Defense Evasion+5
Tim BrownMon Jan 09network
Detectionlowtest

Cisco LDP Authentication Failures

Detects LDP failures which may be indicative of brute force attacks to manipulate MPLS labels

Ciscoldp
TA0001 · Initial AccessTA0003 · PersistenceTA0004 · Privilege EscalationTA0005 · Defense Evasion+5
Tim BrownMon Jan 09network
Detectionlowstable

Cleartext Protocol Usage

Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. Ensure that an encryption is used for all sensitive information in transit. Ensure that an encrypted channels is used for all administrative account access.

Firewall
TA0006 · Credential Access
Alexandr Yampolskyi+2Tue Mar 26network
Detectionlowtest

Huawei BGP Authentication Failures

Detects BGP failures which may be indicative of brute force attacks to manipulate routing.

huaweibgp
TA0001 · Initial AccessTA0003 · PersistenceTA0004 · Privilege EscalationTA0005 · Defense Evasion+5
Tim BrownMon Jan 09network
Detectionlowtest

Juniper BGP Missing MD5

Detects juniper BGP missing MD5 digest. Which may be indicative of brute force attacks to manipulate routing.

Juniperbgp
TA0001 · Initial AccessTA0003 · PersistenceTA0004 · Privilege EscalationTA0005 · Defense Evasion+5
Tim BrownMon Jan 09network
Detectionlowtest

DNS Events Related To Mining Pools

Identifies clients that may be performing DNS lookups associated with common currency mining pools.

Zeek (Bro)dns
TA0002 · ExecutionT1569.002 · Service ExecutionTA0040 · ImpactT1496 · Resource Hijacking
Saw Winn Naung+1Thu Aug 19network
Detectionlowtest

New Kind of Network (NKN) Detection

NKN is a networking service using blockchain technology to support a decentralized network of peers. While there are legitimate uses for it, it can also be used as a C2 channel. This rule looks for a DNS request to the ma>

Zeek (Bro)dns
TA0011 · Command and Control
Michael PorteraThu Apr 21network
Detectionlowtest

WebDav Put Request

A General detection for WebDav user-agent being used to PUT files on a WebDav network share. This could be an indicator of exfiltration.

Zeek (Bro)http
TA0010 · ExfiltrationT1048.003 · Exfiltration Over Unencrypted Non-C2 Protocol
Roberto Rodriguez (Cyb3rWard0g)+1Sat May 02network
Detectionlowtest

Download From Suspicious TLD - Blacklist

Detects download of certain file types from hosts in suspicious TLDs

Proxy Log
TA0001 · Initial AccessT1566 · PhishingTA0002 · ExecutionT1203 · Exploitation for Client Execution+1
Florian Roth (Nextron Systems)Tue Nov 07web
Detectionlowtest

Download From Suspicious TLD - Whitelist

Detects executable downloads from suspicious remote systems

Proxy Log
TA0001 · Initial AccessT1566 · PhishingTA0002 · ExecutionT1203 · Exploitation for Client Execution+1
Florian Roth (Nextron Systems)Mon Mar 13web
Detectionlowtest

Suspicious Network Communication With IPFS

Detects connections to interplanetary file system (IPFS) containing a user's email address which mirrors behaviours observed in recent phishing campaigns leveraging IPFS to host credential harvesting webpages.

Proxy Log
TA0009 · CollectionTA0006 · Credential AccessT1056 · Input Capture
Gavin KnappThu Mar 16web
Detectionlowtest

Application Uninstalled

An application has been removed. Check if it is critical.

Windowsapplication
TA0040 · ImpactT1489 · Service Stop
François HubautFri Jan 28windows
Detectionlowtest

MSSQL Server Failed Logon

Detects failed logon attempts from clients to MSSQL server.

Windowsapplication
TA0006 · Credential AccessT1110 · Brute Force
Nasreddine Bencherchali (Nextron Systems)+1Wed Oct 11windows
Detectionlowtest

Remote Access Tool - ScreenConnect Command Execution

Detects command execution via ScreenConnect RMM

Windowsapplication
TA0002 · ExecutionT1059.003 · Windows Command Shell
Ali AlwashaliTue Oct 10windows
Detectionlowtest

Remote Access Tool - ScreenConnect File Transfer

Detects file being transferred via ScreenConnect RMM

Windowsapplication
TA0002 · ExecutionT1059.003 · Windows Command Shell
Ali AlwashaliTue Oct 10windows
Detectionlowtest

Sysinternals Tools AppX Versions Execution

Detects execution of Sysinternals tools via an AppX package. Attackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths.

Windowsappmodel-runtime
TA0005 · Defense EvasionTA0002 · Execution
Nasreddine Bencherchali (Nextron Systems)Mon Jan 16windows
Detectionlowtest

New BITS Job Created Via Bitsadmin

Detects the creation of a new bits job by Bitsadmin

Windowsbits-client
TA0005 · Defense EvasionTA0003 · PersistenceT1197 · BITS Jobs
François HubautTue Mar 01windows
Detectionlowtest

New BITS Job Created Via PowerShell

Detects the creation of a new bits job by PowerShell

Windowsbits-client
TA0005 · Defense EvasionTA0003 · PersistenceT1197 · BITS Jobs
François HubautTue Mar 01windows
Detectionlowexperimental

CodeIntegrity - Unmet Signing Level Requirements By File Under Validation

Detects attempted file load events that did not meet the signing level requirements. It often means the file's signature is revoked or a signature with the Lifetime Signing EKU has expired. This event is best correlated with EID 3089 to determine the error of the validation.

Windowscodeintegrity-operational
TA0002 · Execution
Florian Roth (Nextron Systems)+1Thu Jan 20windows
Detectionlowtest

DNS Query To Ufile.io - DNS Client

Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration

Windowsdns-client
TA0010 · ExfiltrationT1567.002 · Exfiltration to Cloud Storage
Nasreddine Bencherchali (Nextron Systems)Mon Jan 16windows
Detectionlowtest

USB Device Plugged

Detects plugged/unplugged USB devices

Windowsdriver-framework
TA0001 · Initial AccessT1200 · Hardware Additions
Florian Roth (Nextron Systems)Thu Nov 09windows
Detectionlowtest

The Windows Defender Firewall Service Failed To Load Group Policy

Detects activity when The Windows Defender Firewall service failed to load Group Policy

Windowsfirewall-as
TA0005 · Defense EvasionT1562.004 · Disable or Modify System Firewall
François HubautSat Feb 19windows
Detectionlowtest

Windows Defender Firewall Has Been Reset To Its Default Configuration

Detects activity when Windows Defender Firewall has been reset to its default configuration

Windowsfirewall-as
TA0005 · Defense EvasionT1562.004 · Disable or Modify System Firewall
François HubautSat Feb 19windows
Detectionlowtest

Windows Firewall Settings Have Been Changed

Detects activity when the settings of the Windows firewall have been changed

Windowsfirewall-as
TA0005 · Defense EvasionT1562.004 · Disable or Modify System Firewall
François Hubaut+1Sat Feb 19windows
Detectionlowtest

Previously Installed IIS Module Was Removed

Detects the removal of a previously installed IIS module.

Windowsiis-configuration
TA0005 · Defense EvasionTA0003 · PersistenceT1562.002 · Disable Windows Event LoggingT1505.004 · IIS Components
Nasreddine Bencherchali (Nextron Systems)Sun Oct 06windows
Detectionlowtest

NTLM Logon

Detects logons using NTLM, which could be caused by a legacy source or attackers

Windowsntlm
TA0005 · Defense EvasionTA0008 · Lateral MovementT1550.002 · Pass the Hash
Florian Roth (Nextron Systems)Fri Jun 08windows
Detectionlowtest

Admin User Remote Logon

Detect remote login by Administrator user (depending on internal pattern).

Windowssecurity
TA0004 · Privilege EscalationTA0003 · PersistenceTA0005 · Defense EvasionTA0008 · Lateral Movement+5
juju4Sun Oct 29windows
Detectionlowstable

A Member Was Added to a Security-Enabled Global Group

Detects activity when a member is added to a security-enabled global group

Windowssecurity
TA0004 · Privilege EscalationTA0003 · PersistenceT1098 · Account Manipulation
Alexandr Yampolskyi+1Wed Apr 26windows
Detectionlowstable

A Member Was Removed From a Security-Enabled Global Group

Detects activity when a member is removed from a security-enabled global group

Windowssecurity
TA0004 · Privilege EscalationTA0003 · PersistenceT1098 · Account Manipulation
Alexandr Yampolskyi+1Wed Apr 26windows
Detectionlowstable

A Security-Enabled Global Group Was Deleted

Detects activity when a security-enabled global group is deleted

Windowssecurity
TA0004 · Privilege EscalationTA0003 · PersistenceT1098 · Account Manipulation
Alexandr Yampolskyi+1Wed Apr 26windows
Detectionlowtest

Outgoing Logon with New Credentials

Detects logon events that specify new credentials

Windowssecurity
TA0005 · Defense EvasionTA0008 · Lateral MovementT1550 · Use Alternate Authentication Material
Max Altgelt (Nextron Systems)Wed Apr 06windows
Detectionlowstable

Successful Account Login Via WMI

Detects successful logon attempts performed with WMI

Windowssecurity
TA0002 · ExecutionT1047 · Windows Management Instrumentation
Thomas PatzkeWed Dec 04windows
Detectionlowtest

ADCS Certificate Template Configuration Vulnerability

Detects certificate creation with template allowing risk permission subject

Windowssecurity
TA0004 · Privilege EscalationTA0006 · Credential Access
Orlinum+1Wed Nov 17windows
Detectionlowtest

Add or Remove Computer from DC

Detects the creation or removal of a computer. Can be used to detect attacks such as DCShadow via the creation of a new SPN.

Windowssecurity
TA0005 · Defense Evasionattack.t1207
François HubautFri Oct 14windows
1234567