Sigma Rules
888 rules found for "persistence"
OilRig APT Activity
Detects OilRig activity as reported by Nyotron in their March 2018 report
OilRig APT Registry Persistence
Detects OilRig registry persistence as reported by Nyotron in their March 2018 report
OilRig APT Schedule Task Persistence - Security
Detects OilRig scheduled task persistence as reported by Nyotron in their March 2018 report
OilRig APT Schedule Task Persistence - System
Detects OilRig scheduled task persistence as reported by Nyotron in their March 2018 report
Defrag Deactivation
Detects the deactivation and disabling of the scheduled defragmentation task, as seen used by the Slingshot APT group
Defrag Deactivation - Security
Detects the deactivation and disabling of the scheduled defragmentation task, as seen used by the Slingshot APT group
Potential BearLPE Exploitation
Detects potential exploitation of the BearLPE exploit using Task Scheduler ".job" import arbitrary DACL write
Exploiting SetupComplete.cmd CVE-2019-1378
Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378
Potential Ryuk Ransomware Activity
Detects Ryuk ransomware activity
Potential Ursnif Malware Activity - Registry
Detects registry keys related to Ursnif malware.
Operation Wocao Activity
Detects activity mentioned in Operation Wocao report
Operation Wocao Activity - Security
Detects activity mentioned in Operation Wocao report
Suspicious PrinterPorts Creation (CVE-2020-1048)
Detects commands that add a new printer port pointing to a suspicious file
CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry
Detects changes to the "Ports" registry key with data that includes a Windows path or a file with a suspicious extension. This could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability.
Blue Mockingbird
Attempts to detect system changes made by Blue Mockingbird
Blue Mockingbird - Registry
Attempts to detect system changes made by Blue Mockingbird
FlowCloud Registry Markers
Detects FlowCloud malware registry markers from threat group TA410. The malware stores its configuration in the registry alongside drivers utilized by the malware's keylogger components.
Leviathan Registry Key Activity
Detects a registry key used by the Leviathan APT in a Malaysia-focused campaign
Suspicious VBScript UNC2452 Pattern
Detects suspicious inline VBScript keywords as used by UNC2452
Solarwinds SUPERNOVA Webshell Access
Detects access to SUPERNOVA webshell as described in Guidepoint report
Winnti Malware HK University Campaign
Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Hong Kong universities
Winnti Pipemon Characteristics
Detects specific process characteristics of Winnti Pipemon malware reported by ESET
Potential PrintNightmare Exploitation Attempt
Detects DLL deletions from the Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675
Windows Spooler Service Suspicious Binary Load
Detects DLL loads from the Spooler Service backup folder. This behavior has been observed during the exploitation of the Print Spooler vulnerabilities CVE-2021-1675 and CVE-2021-34527 (PrintNightmare).
Serv-U Exploitation CVE-2021-35211 by DEV-0322
Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322
CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit
Detects an authentication bypass vulnerability affecting the REST API URLs in ADSelfService Plus (CVE-2021-40539).
Suspicious Computer Account Name Change CVE-2021-42287
Detects the renaming of an existing computer account to an account name that doesn't contain a $ symbol, as seen in attacks against CVE-2021-42287
Blackbyte Ransomware Registry
Detects specific Windows registry modifications made by BlackByte ransomware variants. BlackByte sets three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption. This rule triggers when any of the following registry keys are set to DWORD 1; however, all three should be investigated as part of a larger BlackByte ransomware detection and response effort.
Goofy Guineapig Backdoor Service Creation
Detects service creation persistence used by the Goofy Guineapig backdoor
Moriya Rootkit File Created
Detects the creation of a file named "MoriyaStreamWatchmen.sys" in a specific location. This filename was reported to be related to the Moriya rootkit as described in Securelist's Operation TunnelSnake report.
Potential NetWire RAT Activity - Registry
Detects registry keys related to NetWire RAT
Pingback Backdoor File Indicators
Detects the use of the Pingback backdoor, which creates an ICMP tunnel for C2, as described in the Trustwave report
Pingback Backdoor DLL Loading Activity
Detects the use of the Pingback backdoor, which creates an ICMP tunnel for C2, as described in the Trustwave report
Pingback Backdoor Activity
Detects the use of the Pingback backdoor, which creates an ICMP tunnel for C2, as described in the Trustwave report
Small Sieve Malware CommandLine Indicator
Detects a specific command line argument being passed to a binary, as seen used by the Small Sieve malware.
Small Sieve Malware Registry Persistence
Detects a registry value with a specific intentional typo and strings seen used by the Small Sieve malware
HAFNIUM Exchange Exploitation Activity
Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers
SOURGUM Actor Behaviours
Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM
DEWMODE Webshell Access
Detects access to the DEWMODE webshell as described in the FireEye report
ChromeLoader Malware Execution
Detects execution of ChromeLoader malware via a registered scheduled task
Serpent Backdoor Payload Execution Via Scheduled Task
Detects a post-exploitation execution technique of the Serpent backdoor. According to Proofpoint, one of the commands the backdoor ran was executed by creating a temporary scheduled task using an unusual method: it creates a fictitious Windows event and a trigger so that, once the event is created, the payload is executed.
MSSQL Extended Stored Procedure Backdoor Maggie
This rule detects the execution of the extended stored procedure backdoor named Maggie in the context of Microsoft SQL Server
Potential ACTINIUM Persistence Activity
Detects specific process parameters as used by ACTINIUM scheduled task persistence creation.
Outlook Task/Note Reminder Received
Detects changes to the registry values related to Outlook that indicate a reminder was triggered for a Note or Task item. This could be a sign of exploitation of CVE-2023-23397. Further investigation is required to determine whether the exploitation succeeded.
Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader
Detects suspicious ".hta" file creation in the startup folder by Foxit Reader. This can be an indication of CVE-2023-27363 exploitation.
MOVEit CVE-2023-34362 Exploitation Attempt - Potential Web Shell Request
Detects GET requests to specific files used during the exploitation of MOVEit CVE-2023-34362
Potential CVE-2023-36884 Exploitation Dropped File
Detects a specific file being created in the recent folder of Office. These files have been seen being dropped during potential exploitation of CVE-2023-36884
Potential COLDSTEEL RAT File Indicators
Detects the creation of a file named "dllhost.exe" in the "C:\users\public\Documents\" directory, as seen used by the COLDSTEEL RAT in some of its variants.