Phoenix
Sigma IntelligenceBeta
Rule Library

Sigma Rules

67 rules found for "Tim Shelton"

3,707Total
3,116Detection
451Emerging
137Hunting
Detectionmediumtest

Common Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

WindowsRegistry Set
TA0004 · Privilege EscalationTA0003 · PersistenceT1547.001 · Registry Run Keys / Startup Folder
Victor Sergeev+7Fri Oct 25windows
Detectionmediumtest

CurrentControlSet Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

WindowsRegistry Set
TA0004 · Privilege EscalationTA0003 · PersistenceT1547.001 · Registry Run Keys / Startup Folder
Victor Sergeev+6Fri Oct 25windows
Detectionmediumtest

CurrentVersion Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

WindowsRegistry Set
TA0004 · Privilege EscalationTA0003 · PersistenceT1547.001 · Registry Run Keys / Startup Folder
Victor Sergeev+6Fri Oct 25windows
Detectionmediumtest

CurrentVersion NT Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

WindowsRegistry Set
TA0004 · Privilege EscalationTA0003 · PersistenceT1547.001 · Registry Run Keys / Startup Folder
Victor Sergeev+6Fri Oct 25windows
Detectionmediumtest

Internet Explorer Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

WindowsRegistry Set
TA0004 · Privilege EscalationTA0003 · PersistenceT1547.001 · Registry Run Keys / Startup Folder
Victor Sergeev+6Fri Oct 25windows
Detectionmediumtest

Office Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

WindowsRegistry Set
TA0004 · Privilege EscalationTA0003 · PersistenceT1547.001 · Registry Run Keys / Startup Folder
Victor Sergeev+6Fri Oct 25windows
Detectionmediumtest

Session Manager Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

WindowsRegistry Set
TA0004 · Privilege EscalationTA0003 · PersistenceT1547.001 · Registry Run Keys / Startup FolderT1546.009 · AppCert DLLs
Victor Sergeev+6Fri Oct 25windows
Detectionmediumtest

System Scripts Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

WindowsRegistry Set
TA0004 · Privilege EscalationTA0003 · PersistenceT1547.001 · Registry Run Keys / Startup Folder
Victor Sergeev+6Fri Oct 25windows
Detectionmediumtest

WinSock2 Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

WindowsRegistry Set
TA0004 · Privilege EscalationTA0003 · PersistenceT1547.001 · Registry Run Keys / Startup Folder
Victor Sergeev+6Fri Oct 25windows
Detectionmediumtest

Wow6432Node CurrentVersion Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

WindowsRegistry Set
TA0004 · Privilege EscalationTA0003 · PersistenceT1547.001 · Registry Run Keys / Startup Folder
Victor Sergeev+6Fri Oct 25windows
Detectionmediumtest

Wow6432Node Classes Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

WindowsRegistry Set
TA0004 · Privilege EscalationTA0003 · PersistenceT1547.001 · Registry Run Keys / Startup Folder
Victor Sergeev+6Fri Oct 25windows
Detectionmediumtest

Wow6432Node Windows NT CurrentVersion Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

WindowsRegistry Set
TA0004 · Privilege EscalationTA0003 · PersistenceT1547.001 · Registry Run Keys / Startup Folder
Victor Sergeev+6Fri Oct 25windows
Emerging Threatmediumtest

Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32

Detects potential BlueMushroom DLL loading activity via regsvr32 from AppData Local

WindowsProcess Creation
TA0005 · Defense EvasionT1218.010 · Regsvr32detection.emerging-threats
Florian Roth (Nextron Systems)+2Wed Oct 022019
Emerging Threatcriticaltest

CVE-2020-10148 SolarWinds Orion API Auth Bypass

Detects CVE-2020-10148 SolarWinds Orion API authentication bypass attempts

Web Server Log
TA0001 · Initial AccessT1190 · Exploit Public-Facing Applicationcve.2020-10148detection.emerging-threats
Bhabesh Raj+1Sun Dec 272020
Emerging Threatcriticalstable

Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection

Detects the suspicious file that is created from PoC code against Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare), CVE-2021-1675 .

Antivirus Alert
TA0005 · Defense EvasionTA0004 · Privilege EscalationT1055 · Process Injectiondetection.emerging-threats+2
Sittikorn S+2Thu Jul 012021
Emerging Threathightest

Possible CVE-2021-1675 Print Spooler Exploitation

Detects events of driver load errors in print service logs that could be a sign of successful exploitation attempts of print spooler vulnerability CVE-2021-1675

Windowsprintservice-admin
TA0002 · ExecutionT1569 · System Servicescve.2021-1675detection.emerging-threats
Florian Roth (Nextron Systems)+3Wed Jun 302021
Emerging Threathightest

Suspicious Sysmon as Execution Parent

Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120)

WindowsProcess Creation
TA0004 · Privilege EscalationT1068 · Exploitation for Privilege Escalationcve.2022-41120detection.emerging-threats
Florian Roth (Nextron Systems)+1Thu Nov 102022
Threat Huntlowtest

Scheduled Task Deletion

Detects scheduled task deletion events. Scheduled tasks are likely to be deleted if not used for persistence. Malicious Software often creates tasks directly under the root node e.g. \TASKNAME

Windowssecurity
TA0002 · ExecutionTA0004 · Privilege EscalationTA0003 · Persistence2013-08-001 · CAR 2013-08-001+2
David Strassegger+1Fri Jan 22windows
Threat Huntmediumtest

Potentially Suspicious PowerShell Child Processes

Detects potentially suspicious child processes spawned by PowerShell. Use this rule to hunt for potential anomalies initiating from PowerShell scripts and commands.

WindowsProcess Creation
TA0002 · ExecutionT1059.001 · PowerShelldetection.threat-hunting
Florian Roth (Nextron Systems)+1Tue Apr 26windows
12