Phoenix
Sigma IntelligenceBeta
Rule Library

Sigma Rules

352 rules found for "oscd.community"

3,707Total
3,116Detection
451Emerging
137Hunting
Detectionmediumtest

Disable Security Tools

Detects disabling security tools

macOSProcess Creation
TA0005 · Defense EvasionT1562.001 · Disable or Modify Tools
Daniil Yugoslavskiy+1Mon Oct 19macos
Detectioninformationaltest

File and Directory Discovery - MacOS

Detects usage of system utilities to discover files and directories

macOSProcess Creation
TA0007 · DiscoveryT1083 · File and Directory Discovery
Daniil Yugoslavskiy+1Mon Oct 19macos
Detectionhightest

Credentials In Files

Detecting attempts to extract passwords with grep and laZagne

macOSProcess Creation
TA0006 · Credential AccessT1552.001 · Credentials In Files
Igor Fits+2Mon Oct 19macos
Detectionlowtest

GUI Input Capture - macOS

Detects attempts to use system dialog prompts to capture user credentials

macOSProcess Creation
TA0009 · CollectionTA0006 · Credential AccessT1056.002 · GUI Input Capture
remotephone+1Tue Oct 13macos
Detectionlowtest

Local System Accounts Discovery - MacOs

Detects enumeration of local systeam accounts on MacOS

macOSProcess Creation
TA0007 · DiscoveryT1087.001 · Local Account
Alejandro Ortuno+1Thu Oct 08macos
Detectioninformationaltest

Local Groups Discovery - MacOs

Detects enumeration of local system groups

macOSProcess Creation
TA0007 · DiscoveryT1069.001 · Local Groups
Ömer Günal+2Sun Oct 11macos
Detectionlowtest

MacOS Network Service Scanning

Detects enumeration of local or remote network services.

macOSProcess Creation
TA0007 · DiscoveryT1046 · Network Service Discovery
Alejandro Ortuno+1Wed Oct 21macos
Detectioninformationaltest

Network Sniffing - MacOs

Detects the usage of tooling to sniff network traffic. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.

macOSProcess Creation
TA0007 · DiscoveryTA0006 · Credential AccessT1040 · Network Sniffing
Alejandro Ortuno+1Wed Oct 14macos
Detectioninformationaltest

Macos Remote System Discovery

Detects the enumeration of other remote systems.

macOSProcess Creation
TA0007 · DiscoveryT1018 · Remote System Discovery
Alejandro Ortuno+1Thu Oct 22macos
Detectionmediumtest

Scheduled Cron Task/Job - MacOs

Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.

macOSProcess Creation
TA0002 · ExecutionTA0003 · PersistenceTA0004 · Privilege EscalationT1053.003 · Cron
Alejandro Ortuno+1Tue Oct 06macos
Detectionlowtest

Screen Capture - macOS

Detects attempts to use screencapture to collect macOS screenshots

macOSProcess Creation
TA0009 · CollectionT1113 · Screen Capture
remotephone+1Tue Oct 13macos
Detectionmediumtest

Security Software Discovery - MacOs

Detects usage of system utilities (only grep for now) to discover security software discovery

macOSProcess Creation
TA0007 · DiscoveryT1518.001 · Security Software Discovery
Daniil Yugoslavskiy+1Mon Oct 19macos
Detectionlowtest

Split A File Into Pieces

Detection use of the command "split" to split files into parts and possible transfer.

macOSProcess Creation
TA0010 · ExfiltrationT1030 · Data Transfer Size Limits
Igor Fits+2Thu Oct 15macos
Detectionmediumtest

Suspicious History File Operations

Detects commandline operations on shell history files

macOSProcess Creation
TA0006 · Credential AccessT1552.003 · Bash History
Mikhail Larin+1Sat Oct 17macos
Detectioninformationaltest

System Network Discovery - macOS

Detects enumeration of local network configuration

macOSProcess Creation
TA0007 · DiscoveryT1016 · System Network Configuration Discovery
remotephone+1Tue Oct 06macos
Detectioninformationaltest

System Network Connections Discovery - MacOs

Detects usage of system utilities to discover system network connections

macOSProcess Creation
TA0007 · DiscoveryT1049 · System Network Connections Discovery
Daniil Yugoslavskiy+1Mon Oct 19macos
Detectioninformationaltest

System Shutdown/Reboot - MacOs

Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.

macOSProcess Creation
TA0040 · ImpactT1529 · System Shutdown/Reboot
Igor Fits+2Mon Oct 19macos
Detectionlowtest

Gatekeeper Bypass via Xattr

Detects macOS Gatekeeper bypass via xattr utility

macOSProcess Creation
TA0005 · Defense EvasionT1553.001 · Gatekeeper Bypass
Daniil Yugoslavskiy+1Mon Oct 19macos
Detectionmediumtest

Transferring Files with Credential Data via Network Shares - Zeek

Transferring files with well-known filenames (sensitive files with credential data) using network shares

Zeek (Bro)smb_files
TA0006 · Credential AccessT1003.002 · Security Account ManagerT1003.001 · LSASS MemoryT1003.003 · NTDS
@neu5ron+2Thu Apr 02network
Detectionhightest

Powerview Add-DomainObjectAcl DCSync AD Extend Right

Backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer

Windowssecurity
TA0004 · Privilege EscalationTA0003 · PersistenceT1098 · Account Manipulation
Samir Bousseaden+4Wed Apr 03windows
Detectionhightest

Invoke-Obfuscation CLIP+ Launcher - Security

Detects Obfuscated use of Clip.exe to execute PowerShell

Windowssecurity
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Jonathan Cheong+1Tue Oct 13windows
Detectionhightest

Invoke-Obfuscation Obfuscated IEX Invocation - Security

Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references

Windowssecurity
TA0005 · Defense EvasionT1027 · Obfuscated Files or Information
Daniel Bohannon ( / )+1Fri Nov 08windows
Detectionhightest

Invoke-Obfuscation STDIN+ Launcher - Security

Detects Obfuscated use of stdin to execute PowerShell

Windowssecurity
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Jonathan Cheong+1Thu Oct 15windows
Detectionhightest

Invoke-Obfuscation VAR+ Launcher - Security

Detects Obfuscated use of Environment Variables to execute PowerShell

Windowssecurity
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Jonathan Cheong+1Thu Oct 15windows
Detectionmediumtest

Invoke-Obfuscation COMPRESS OBFUSCATION - Security

Detects Obfuscated Powershell via COMPRESS OBFUSCATION

Windowssecurity
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Timur Zinniatullin+1Sun Oct 18windows
Detectionmediumtest

Invoke-Obfuscation RUNDLL LAUNCHER - Security

Detects Obfuscated Powershell via RUNDLL LAUNCHER

Windowssecurity
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Timur Zinniatullin+1Sun Oct 18windows
Detectionhightest

Invoke-Obfuscation Via Stdin - Security

Detects Obfuscated Powershell via Stdin in Scripts

Windowssecurity
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Nikita Nazarov+1Mon Oct 12windows
Detectionhightest

Invoke-Obfuscation Via Use Clip - Security

Detects Obfuscated Powershell via use Clip.exe in Scripts

Windowssecurity
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Nikita Nazarov+1Fri Oct 09windows
Detectionhightest

Invoke-Obfuscation Via Use MSHTA - Security

Detects Obfuscated Powershell via use MSHTA in Scripts

Windowssecurity
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Nikita Nazarov+1Fri Oct 09windows
Detectionhightest

Invoke-Obfuscation Via Use Rundll32 - Security

Detects Obfuscated Powershell via use Rundll32 in Scripts

Windowssecurity
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Nikita Nazarov+1Fri Oct 09windows
Detectionhightest

Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security

Detects Obfuscated Powershell via VAR++ LAUNCHER

Windowssecurity
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Timur Zinniatullin+1Tue Oct 13windows
Detectionhightest

Credential Dumping Tools Service Execution - Security

Detects well-known credential dumping tools execution via service execution events

Windowssecurity
TA0006 · Credential AccessTA0002 · ExecutionT1003.001 · LSASS MemoryT1003.002 · Security Account Manager+5
Florian Roth (Nextron Systems)+3Sun Mar 05windows
Detectionmediumtest

New or Renamed User Account with '$' Character

Detects the creation of a user with the "$" character. This can be used by attackers to hide a user or trick detection systems that lack the parsing mechanisms.

Windowssecurity
TA0005 · Defense EvasionT1036 · Masquerading
Ilyas Ochkov+1Fri Oct 25windows
Detectionmediumtest

Possible DC Shadow Attack

Detects DCShadow via create new SPN

Windowssecurity
TA0006 · Credential AccessTA0005 · Defense Evasionattack.t1207
Ilyas Ochkov+3Fri Oct 25windows
Detectionhightest

PowerShell Scripts Installed as Services - Security

Detects powershell script installed as a Service

Windowssecurity
TA0002 · ExecutionT1569.002 · Service Execution
oscd.community+1Tue Oct 06windows
Detectionhightest

Register new Logon Process by Rubeus

Detects potential use of Rubeus via registered new trusted logon process

Windowssecurity
TA0008 · Lateral MovementTA0004 · Privilege EscalationTA0006 · Credential AccessT1558.003 · Kerberoasting
Roberto Rodriguez (Cyb3rWard0g)+2Thu Oct 24windows
Detectionmediumtest

Suspicious Remote Logon with Explicit Credentials

Detects suspicious processes logging on with explicit credentials

Windowssecurity
TA0004 · Privilege EscalationTA0003 · PersistenceTA0001 · Initial AccessTA0005 · Defense Evasion+2
oscd.community+3Mon Oct 05windows
Detectionmediumtest

Potentially Suspicious AccessMask Requested From LSASS

Detects process handle on LSASS process with certain access mask

Windowssecurity
TA0006 · Credential Access2019-04-004 · CAR 2019-04-004T1003.001 · LSASS Memory
Roberto Rodriguez (Cyb3rWard0g)+5Fri Nov 01windows
Detectionhightest

Reconnaissance Activity

Detects activity as "net user administrator /domain" and "net group domain admins /domain"

Windowssecurity
TA0007 · DiscoveryT1087.002 · Domain AccountT1069.002 · Domain GroupsS0039 · S0039
Florian Roth (Nextron Systems)+3Tue Mar 07windows
Detectionmediumtest

Uncommon Outbound Kerberos Connection - Security

Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.

Windowssecurity
TA0008 · Lateral MovementTA0006 · Credential AccessT1558.003 · Kerberoasting
Ilyas Ochkov+1Thu Oct 24windows
Detectionlowtest

Tap Driver Installation - Security

Detects the installation of a well-known TAP driver service. This could be a sign of potential preparation for data exfiltration using tunnelling techniques.

Windowssecurity
TA0010 · ExfiltrationT1048 · Exfiltration Over Alternative Protocol
Daniil Yugoslavskiy+2Thu Oct 24windows
Detectionmediumtest

Transferring Files with Credential Data via Network Shares

Transferring files with well-known filenames (sensitive files with credential data) using network shares

Windowssecurity
TA0006 · Credential AccessT1003.002 · Security Account ManagerT1003.001 · LSASS MemoryT1003.003 · NTDS
Teymur Kheirkhabarov+1Tue Oct 22windows
Detectionhightest

User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'

The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA.

Windowssecurity
TA0006 · Credential AccessTA0008 · Lateral MovementTA0004 · Privilege EscalationT1558.003 · Kerberoasting
Roberto Rodriguez (Cyb3rWard0g)+2Thu Oct 24windows
Detectionmediumtest

WMI Persistence - Security

Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.

Windowssecurity
TA0003 · PersistenceTA0004 · Privilege EscalationT1546.003 · Windows Management Instrumentation Event Subscription
Florian Roth (Nextron Systems)+2Tue Aug 22windows
Detectioncriticalstable

Zerologon Exploitation Using Well-known Tools

This rule is designed to detect attempts to exploit Zerologon (CVE-2020-1472) vulnerability using mimikatz zerologon module or other exploits from machine with "kali" hostname.

Windowssystem
T1210 · Exploitation of Remote ServicesTA0008 · Lateral Movement
Demyan Sokolin+2Tue Oct 13windows
Detectionhightest

Invoke-Obfuscation CLIP+ Launcher - System

Detects Obfuscated use of Clip.exe to execute PowerShell

Windowssystem
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Jonathan Cheong+1Tue Oct 13windows
Detectionhightest

Invoke-Obfuscation Obfuscated IEX Invocation - System

Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references

Windowssystem
TA0005 · Defense EvasionT1027 · Obfuscated Files or Information
Daniel Bohannon ( / )+1Fri Nov 08windows
Detectionhightest

Invoke-Obfuscation STDIN+ Launcher - System

Detects Obfuscated use of stdin to execute PowerShell

Windowssystem
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Jonathan Cheong+1Thu Oct 15windows
1238