Rule Library

Sigma Rules

3,116 rules found

3,707 Total
3,116 Detection
451 Emerging
137 Hunting
Detection · medium · test

DNS TOR Proxies

Identifies IPs performing DNS lookups associated with common Tor proxies.

Zeek (Bro) · dns
TA0010 · Exfiltration | T1048 · Exfiltration Over Alternative Protocol
Saw Winn Naung +1 · Sun Aug 15 · network
Detection · medium · test

Executable from Webdav

Detects executable access via webdav6. Can be seen in APT 29 activity, such as in the emulated APT 29 hackathon https://github.com/OTRF/detection-hackathon-apt29/

Zeek (Bro) · http
TA0011 · Command and Control | T1105 · Ingress Tool Transfer
SOC Prime +1 · Fri May 01 · network
Detection · medium · experimental

HTTP Request to Low Reputation TLD or Suspicious File Extension

Detects HTTP requests to low reputation TLDs (e.g. .xyz, .top, .ru) or ending in suspicious file extensions (.exe, .dll, .hta), which may indicate malicious activity.

Zeek (Bro) · http
TA0001 · Initial Access | TA0011 · Command and Control
@signalblur +1 · Wed Feb 26 · network
Detection · low · test

WebDav Put Request

A general detection for a WebDAV user agent being used to PUT files on a WebDAV network share. This could be an indicator of exfiltration.

Zeek (Bro) · http
TA0010 · Exfiltration | T1048.003 · Exfiltration Over Unencrypted Non-C2 Protocol
Roberto Rodriguez (Cyb3rWard0g) +1 · Sat May 02 · network
Detection · high · test

Publicly Accessible RDP Service

Detects connections from routable IPs to an RDP listener, which is indicative of a publicly accessible RDP service.

Zeek (Bro) · rdp
TA0008 · Lateral Movement | T1021.001 · Remote Desktop Protocol
Josh Brower · Sat Aug 22 · network
Detection · medium · test

Remote Task Creation via ATSVC Named Pipe - Zeek

Detects remote task creation via at.exe or an API interacting with the ATSVC named pipe.

Zeek (Bro) · smb_files
TA0004 · Privilege Escalation | TA0002 · Execution | TA0008 · Lateral Movement | TA0003 · Persistence +3
Samir Bousseaden · Fri Apr 03 · network
Detection · high · test

Possible Impacket SecretDump Remote Activity - Zeek

Detects AD credential dumping using the Impacket secretdump hacktool (HKTL). Based on the Sigma rule rules/windows/builtin/win_impacket_secretdump.yml.

Zeek (Bro) · smb_files
TA0006 · Credential Access | T1003.002 · Security Account Manager | T1003.004 · LSA Secrets | T1003.003 · NTDS
Samir Bousseaden · Thu Mar 19 · network
Detection · high · test

First Time Seen Remote Named Pipe - Zeek

This detection excludes known named pipes accessible remotely and notifies on newly observed ones; it may help to detect lateral movement and remote execution using named pipes.

Zeek (Bro) · smb_files
TA0008 · Lateral Movement | T1021.002 · SMB/Windows Admin Shares
Samir Bousseaden +1 · Thu Apr 02 · network
Detection · high · test

Suspicious PsExec Execution - Zeek

Detects execution of PsExec or PAExec with a renamed service name. This rule helps to filter out the noise if PsExec is used for legitimate purposes, or if an attacker uses a PsExec client other than the Sysinternals one.

Zeek (Bro) · smb_files
TA0008 · Lateral Movement | T1021.002 · SMB/Windows Admin Shares
Samir Bousseaden +1 · Thu Apr 02 · network
Detection · medium · test

Suspicious Access to Sensitive File Extensions - Zeek

Detects known sensitive file extensions via Zeek

Zeek (Bro) · smb_files
TA0009 · Collection
Samir Bousseaden · Thu Apr 02 · network
Detection · medium · test

Transferring Files with Credential Data via Network Shares - Zeek

Transferring files with well-known filenames (sensitive files with credential data) using network shares

Zeek (Bro) · smb_files
TA0006 · Credential Access | T1003.002 · Security Account Manager | T1003.001 · LSASS Memory | T1003.003 · NTDS
@neu5ron +2 · Thu Apr 02 · network
Detection · medium · test

Kerberos Network Traffic RC4 Ticket Encryption

Detects Kerberos TGS requests using RC4 encryption, which may be indicative of Kerberoasting.

Zeek (Bro) · kerberos
TA0006 · Credential Access | T1558.003 · Kerberoasting
sigma · Wed Feb 12 · network
Detection · high · test

Apache Segmentation Fault

Detects a segmentation fault error message caused by a crashing Apache worker process.

apache
TA0040 · Impact | T1499.004 · Application or System Exploitation
Florian Roth (Nextron Systems) · Tue Feb 28 · web
Detection · medium · test

Apache Threading Error

Detects an issue in Apache logs that reports threading-related errors.

apache
TA0001 · Initial Access | TA0008 · Lateral Movement | T1190 · Exploit Public-Facing Application | T1210 · Exploitation of Remote Services
Florian Roth (Nextron Systems) · Tue Jan 22 · web
Detection · high · test

Nginx Core Dump

Detects a core dump of a crashing Nginx worker process, which could be a signal of a serious problem or exploitation attempts.

nginx
TA0040 · Impact | T1499.004 · Application or System Exploitation
Florian Roth (Nextron Systems) · Mon May 31 · web
Detection · medium · test

Download from Suspicious Dyndns Hosts

Detects download of certain file types from hosts with dynamic DNS names (selected list)

Proxy Log
TA0005 · Defense Evasion | TA0011 · Command and Control | T1105 · Ingress Tool Transfer | T1568 · Dynamic Resolution
Florian Roth (Nextron Systems) · Wed Nov 08 · web
Detection · low · test

Download From Suspicious TLD - Blacklist

Detects download of certain file types from hosts in suspicious TLDs

Proxy Log
TA0001 · Initial Access | T1566 · Phishing | TA0002 · Execution | T1203 · Exploitation for Client Execution +1
Florian Roth (Nextron Systems) · Tue Nov 07 · web
Detection · low · test

Download From Suspicious TLD - Whitelist

Detects executable downloads from suspicious remote systems

Proxy Log
TA0001 · Initial Access | T1566 · Phishing | TA0002 · Execution | T1203 · Exploitation for Client Execution +1
Florian Roth (Nextron Systems) · Mon Mar 13 · web
Detection · high · test

Windows WebDAV User Agent

Detects a WebDAV download cradle.

Proxy Log
TA0011 · Command and Control | T1071.001 · Web Protocols
Florian Roth (Nextron Systems) · Fri Apr 06 · web
Detection · medium · test

F5 BIG-IP iControl Rest API Command Execution - Proxy

Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP

Proxy Log
TA0001 · Initial Access | T1190 · Exploit Public-Facing Application
Nasreddine Bencherchali (Nextron Systems) +1 · Wed Nov 08 · web
Detection · medium · experimental

Potential Hello-World Scraper Botnet Activity

Detects network traffic potentially associated with a scraper botnet variant that uses the "Hello-World/1.0" user-agent string.

Proxy Log
TA0043 · Reconnaissance | T1595 · Active Scanning
Joseph A. M. · Sat Aug 02 · web
Detection · critical · test

HackTool - BabyShark Agent Default URL Pattern

Detects Baby Shark C2 Framework default communication patterns

Proxy Log
TA0011 · Command and Control | T1071.001 · Web Protocols
Florian Roth (Nextron Systems) · Wed Jun 09 · web
Detection · high · test

HackTool - CobaltStrike Malleable Profile Patterns - Proxy

Detects Cobalt Strike malleable profile patterns (URI, User-Agents, Methods).

Proxy Log
TA0005 · Defense Evasion | TA0011 · Command and Control | T1071.001 · Web Protocols
Markus Neis +1 · Thu Feb 15 · web
Detection · high · test

HackTool - Empire UserAgent URI Combo

Detects user agent and URI paths used by Empire agents

Proxy Log
TA0005 · Defense Evasion | TA0011 · Command and Control | T1071.001 · Web Protocols
Florian Roth (Nextron Systems) · Mon Jul 13 · web
Detection · medium · test

PUA - Advanced IP/Port Scanner Update Check

Detects the update check performed by Advanced IP/Port Scanner utilities.

Proxy Log
TA0007 · Discovery | TA0043 · Reconnaissance | T1590 · Gather Victim Network Information
Axel Olsson · Sun Aug 14 · web
Detection · critical · test

PwnDrp Access

Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity

Proxy Log
TA0011 · Command and Control | T1071.001 · Web Protocols | T1102.001 · Dead Drop Resolver | T1102.003 · One-Way Communication
Florian Roth (Nextron Systems) · Wed Apr 15 · web
Detection · high · test

Raw Paste Service Access

Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form

Proxy Log
TA0011 · Command and Control | T1071.001 · Web Protocols | T1102.001 · Dead Drop Resolver | T1102.003 · One-Way Communication +1
Florian Roth (Nextron Systems) · Thu Dec 05 · web
Detection · high · test

Flash Player Update from Suspicious Location

Detects a Flash Player update from an unofficial location

Proxy Log
TA0001 · Initial Access | T1189 · Drive-by Compromise | TA0002 · Execution | T1204.002 · Malicious File +2
Florian Roth (Nextron Systems) · Wed Oct 25 · web
Detection · low · test

Suspicious Network Communication With IPFS

Detects connections to the InterPlanetary File System (IPFS) containing a user's email address, which mirrors behaviours observed in recent phishing campaigns leveraging IPFS to host credential-harvesting web pages.

Proxy Log
TA0009 · Collection | TA0006 · Credential Access | T1056 · Input Capture
Gavin Knapp · Thu Mar 16 · web
Detection · medium · test

Telegram API Access

Detects suspicious requests to Telegram API without the usual Telegram User-Agent

Proxy Log
TA0005 · Defense Evasion | TA0011 · Command and Control | T1071.001 · Web Protocols | T1102.002 · Bidirectional Communication
Florian Roth (Nextron Systems) · Tue Jun 05 · web
Detection · high · test

APT User Agent

Detects suspicious user agent strings used in APT malware in proxy logs

Proxy Log
TA0011 · Command and Control | T1071.001 · Web Protocols
Florian Roth (Nextron Systems) +1 · Tue Nov 12 · web
Detection · medium · test

Suspicious Base64 Encoded User-Agent

Detects suspicious encoded User-Agent strings, as seen used by some malware.

Proxy Log
TA0011 · Command and Control | T1071.001 · Web Protocols
Nasreddine Bencherchali (Nextron Systems) · Thu May 04 · web
Detection · high · test

Bitsadmin to Uncommon IP Server Address

Detects Bitsadmin connections to IP addresses instead of FQDNs

Proxy Log
TA0011 · Command and Control | T1071.001 · Web Protocols | TA0005 · Defense Evasion | TA0003 · Persistence +2
Florian Roth (Nextron Systems) · Fri Jun 10 · web
Detection · high · test

Bitsadmin to Uncommon TLD

Detects Bitsadmin connections to domains with uncommon TLDs

Proxy Log
TA0011 · Command and Control | T1071.001 · Web Protocols | TA0005 · Defense Evasion | TA0003 · Persistence +2
Florian Roth (Nextron Systems) +1 · Thu Mar 07 · web
Detection · high · test

Crypto Miner User Agent

Detects suspicious user agent strings used by crypto miners in proxy logs

Proxy Log
TA0011 · Command and Control | T1071.001 · Web Protocols
Florian Roth (Nextron Systems) · Mon Oct 21 · web
Detection · medium · test

HTTP Request With Empty User Agent

Detects potentially suspicious empty user agent strings in proxy logs. Could potentially indicate an uncommon request method.

Proxy Log
TA0005 · Defense Evasion | TA0011 · Command and Control | T1071.001 · Web Protocols
Florian Roth (Nextron Systems) · Sat Jul 08 · web
Detection · high · test

Exploit Framework User Agent

Detects suspicious user agent strings used by exploit / pentest frameworks like Metasploit in proxy logs

Proxy Log
TA0011 · Command and Control | T1071.001 · Web Protocols
Florian Roth (Nextron Systems) · Sat Jul 08 · web
Detection · high · test

Hack Tool User Agent

Detects suspicious user agent strings used by hack tools in proxy logs

Proxy Log
TA0001 · Initial Access | T1190 · Exploit Public-Facing Application | TA0006 · Credential Access | T1110 · Brute Force
Florian Roth (Nextron Systems) · Sat Jul 08 · web
Detection · high · test

Malware User Agent

Detects suspicious user agent strings used by malware in proxy logs

Proxy Log
TA0011 · Command and Control | T1071.001 · Web Protocols
Florian Roth (Nextron Systems) +2 · Sat Jul 08 · web
Detection · medium · test

Windows PowerShell User Agent

Detects Windows PowerShell Web Access

Proxy Log
TA0005 · Defense Evasion | TA0011 · Command and Control | T1071.001 · Web Protocols
Florian Roth (Nextron Systems) · Mon Mar 13 · web
Detection · medium · test

Rclone Activity via Proxy

Detects the use of rclone, a command-line program to manage files on cloud storage, via its default user-agent string

Proxy Log
TA0010 · Exfiltration | T1567.002 · Exfiltration to Cloud Storage
Janantha Marasinghe · Tue Oct 18 · web
Detection · high · test

Suspicious User Agent

Detects suspicious malformed user agent strings in proxy logs

Proxy Log
TA0011 · Command and Control | T1071.001 · Web Protocols
Florian Roth (Nextron Systems) · Sat Jul 08 · web
Detection · medium · test

Potential Base64 Encoded User-Agent

Detects User Agent strings that end with an equal sign, which can be a sign of base64 encoding.

Proxy Log
TA0011 · Command and Control | T1071.001 · Web Protocols
Florian Roth (Nextron Systems) +1 · Fri Jul 08 · web
Detection · high · test

Suspicious External WebDAV Execution

Detects executables launched from external WebDAV shares using the WebDAV Explorer integration, commonly seen in initial access campaigns.

Proxy Log
TA0001 · Initial Access | TA0042 · Resource Development | T1584 · Compromise Infrastructure | T1566 · Phishing
Ahmed Farouk · Fri May 10 · web
Detection · medium · test

F5 BIG-IP iControl Rest API Command Execution - Webserver

Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP

Web Server Log
TA0002 · Execution | T1190 · Exploit Public-Facing Application | TA0001 · Initial Access
Nasreddine Bencherchali (Nextron Systems) +1 · Wed Nov 08 · web
Detection · medium · test

Successful IIS Shortname Fuzzing Scan

When IIS uses an old .NET Framework, it is possible to enumerate folders with the symbol "~".

Web Server Log
TA0001 · Initial Access | T1190 · Exploit Public-Facing Application
François Hubaut · Wed Oct 06 · web
Detection · high · test

Java Payload Strings

Detects possible Java payloads in web access logs

Web Server Log
cve.2022-26134 | cve.2021-26084 | TA0001 · Initial Access | T1190 · Exploit Public-Facing Application
François Hubaut +2 · Sat Jun 04 · web
Detection · high · test

JNDIExploit Pattern

Detects exploitation attempt using the JNDI-Exploit-Kit

Web Server Log
TA0001 · Initial Access | T1190 · Exploit Public-Facing Application
Florian Roth (Nextron Systems) · Sun Dec 12 · web