Phoenix
Sigma IntelligenceBeta
Rule Library

Sigma Rules

104 rules found

3,707Total
3,116Detection
451Emerging
137Hunting
Detectionhighstable

Password Dumper Remote Thread in LSASS

Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events.

WindowsRemote Thread Creation
TA0006 · Credential AccessS0005 · S0005T1003.001 · LSASS Memory
Thomas PatzkeSun Feb 19windows
Detectionhighstable

Suspicious Unsigned Thor Scanner Execution

Detects loading and execution of an unsigned thor scanner binary.

WindowsImage Load (DLL)
TA0004 · Privilege EscalationTA0003 · PersistenceTA0005 · Defense EvasionT1574.001 · DLL Search Order Hijacking
Nasreddine Bencherchali (Nextron Systems)Sun Oct 29windows
Detectionhighstable

Network Communication With Crypto Mining Pool

Detects initiated network connections to crypto mining pools

WindowsNetwork Connection
TA0040 · ImpactT1496 · Resource Hijacking
Florian Roth (Nextron Systems)+1Tue Oct 26windows
Detectionhighstable

Delete Volume Shadow Copies Via WMI With PowerShell

Shadow Copies deletion using operating systems utilities via PowerShell

WindowsPowerShell Classic
TA0040 · ImpactT1490 · Inhibit System Recovery
François HubautThu Jun 03windows
Detectionhighstable

CMSTP Execution Process Access

Detects various indicators of Microsoft Connection Manager Profile Installer execution

WindowsProcess Access
TA0005 · Defense EvasionT1218.003 · CMSTPTA0002 · ExecutionT1559.001 · Component Object Model+3
Nik SeetharamanMon Jul 16windows
Detectionhighstable

Credential Dumping Activity By Python Based Tool

Detects LSASS process access for potential credential dumping by a Python-like tool such as LaZagne or Pypykatz.

WindowsProcess Access
TA0006 · Credential AccessT1003.001 · LSASS MemoryS0349 · S0349
Bhabesh Raj+1Mon Nov 27windows
Detectionhighstable

Remote LSASS Process Access Through Windows Remote Management

Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz.

WindowsProcess Access
TA0006 · Credential AccessTA0002 · ExecutionT1003.001 · LSASS MemoryT1059.001 · PowerShell+3
Patryk Prauze - ING TechMon May 20windows
Detectionhighstable

Boot Configuration Tampering Via Bcdedit.EXE

Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often times used by malware or attackers as a destructive way before launching ransomware.

WindowsProcess Creation
TA0040 · ImpactT1490 · Inhibit System Recovery
E.M. Anhaus (originally from Atomic Blue Detections+2Thu Oct 24windows
Detectionhighstable

VolumeShadowCopy Symlink Creation Via Mklink

Shadow Copies storage symbolic link creation using operating systems utilities

WindowsProcess Creation
TA0006 · Credential AccessT1003.002 · Security Account ManagerT1003.003 · NTDS
Teymur Kheirkhabarov+1Tue Oct 22windows
Detectionhighstable

CMSTP Execution Process Creation

Detects various indicators of Microsoft Connection Manager Profile Installer execution

WindowsProcess Creation
TA0005 · Defense EvasionTA0002 · ExecutionT1218.003 · CMSTPG0069 · G0069+1
Nik SeetharamanMon Jul 16windows
Detectionhighstable

Fsutil Suspicious Invocation

Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc). Might be used by ransomwares during the attack (seen by NotPetya and others).

WindowsProcess Creation
TA0005 · Defense EvasionTA0040 · ImpactT1070 · Indicator RemovalT1485 · Data Destruction
Ecco+2Thu Sep 26windows
Detectionhighstable

HackTool - CrackMapExec Execution Patterns

Detects various execution patterns of the CrackMapExec pentesting framework

WindowsProcess Creation
TA0004 · Privilege EscalationTA0003 · PersistenceTA0002 · ExecutionT1047 · Windows Management Instrumentation+4
Thomas PatzkeFri May 22windows
Detectioncriticalstable

HackTool - Empire PowerShell UAC Bypass

Detects some Empire PowerShell UAC bypass methods

WindowsProcess Creation
TA0005 · Defense EvasionTA0004 · Privilege EscalationT1548.002 · Bypass User Account Control2019-04-001 · CAR 2019-04-001
EccoFri Aug 30windows
Detectionhighstable

HackTool - Potential Impacket Lateral Movement Activity

Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework

WindowsProcess Creation
TA0002 · ExecutionT1047 · Windows Management InstrumentationTA0008 · Lateral MovementT1021.003 · Distributed Component Object Model
Ecco+3Tue Sep 03windows
Detectioncriticalstable

HackTool - Rubeus Execution

Detects the execution of the hacktool Rubeus via PE information of command line parameters

WindowsProcess Creation
TA0005 · Defense EvasionTA0006 · Credential AccessT1003 · OS Credential DumpingT1558.003 · Kerberoasting+2
Florian Roth (Nextron Systems)Wed Dec 19windows
Detectioncriticalstable

HackTool - SecurityXploded Execution

Detects the execution of SecurityXploded Tools

WindowsProcess Creation
TA0006 · Credential AccessT1555 · Credentials from Password Stores
Florian Roth (Nextron Systems)Wed Dec 19windows
Detectionlowstable

Share And Session Enumeration Using Net.EXE

Detects attempts to enumerate file shares, printer shares and sessions using "net.exe" with the "view" flag.

WindowsProcess Creation
TA0007 · DiscoveryT1018 · Remote System Discovery
Endgame+1Tue Oct 30windows
Detectionhighstable

Potential Powershell ReverseShell Connection

Detects usage of the "TcpClient" class. Which can be abused to establish remote connections and reverse-shells. As seen used by the Nishang "Invoke-PowerShellTcpOneLine" reverse shell and other.

WindowsProcess Creation
TA0002 · ExecutionT1059.001 · PowerShell
FPT.EagleEye+2Wed Mar 03windows
Detectionhighstable

ShimCache Flush

Detects actions that clear the local ShimCache and remove forensic evidence

WindowsProcess Creation
TA0003 · PersistenceTA0005 · Defense EvasionT1112 · Modify Registry
Florian Roth (Nextron Systems)Mon Feb 01windows
Detectionhighstable

Potential Crypto Mining Activity

Detects command line parameters or strings often used by crypto miners

WindowsProcess Creation
TA0040 · ImpactT1496 · Resource Hijacking
Florian Roth (Nextron Systems)Tue Oct 26windows
Detectionhighstable

Suspicious Double Extension File Execution

Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns

WindowsProcess Creation
TA0001 · Initial AccessT1566.001 · Spearphishing Attachment
Florian Roth (Nextron Systems)+2Wed Jun 26windows
Detectionhighstable

Suspicious Eventlog Clearing or Configuration Change Activity

Detects the clearing or configuration tampering of EventLog using utilities such as "wevtutil", "powershell" and "wmic". This technique were seen used by threat actors and ransomware strains in order to evade defenses.

WindowsProcess Creation
TA0005 · Defense EvasionT1070.001 · Clear Windows Event LogsT1562.002 · Disable Windows Event Logging2016-04-002 · CAR 2016-04-002
Ecco+4Thu Sep 26windows
Detectionhighstable

Shadow Copies Deletion Using Operating Systems Utilities

Shadow Copies deletion using operating systems utilities

WindowsProcess Creation
TA0005 · Defense EvasionTA0040 · ImpactT1070 · Indicator RemovalT1490 · Inhibit System Recovery
Florian Roth (Nextron Systems)+5Tue Oct 22windows
Detectionhighstable

Potential LSASS Process Dump Via Procdump

Detects potential credential harvesting attempts through LSASS memory dumps using ProcDump. This rule identifies suspicious command-line patterns that combine memory dump flags (-ma, -mm, -mp) with LSASS-related process markers. LSASS (Local Security Authority Subsystem Service) contains sensitive authentication data including plaintext passwords, NTLM hashes, and Kerberos tickets in memory. Attackers commonly dump LSASS memory to extract credentials for lateral movement and privilege escalation.

WindowsProcess Creation
TA0005 · Defense EvasionT1036 · MasqueradingTA0006 · Credential AccessT1003.001 · LSASS Memory+1
Florian Roth (Nextron Systems)Tue Oct 30windows
Detectionhighstable

CMSTP UAC Bypass via COM Object Access

Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)

WindowsProcess Creation
TA0002 · ExecutionTA0005 · Defense EvasionTA0004 · Privilege EscalationT1548.002 · Bypass User Account Control+3
Nik Seetharaman+1Wed Jul 31windows
Detectionmediumstable

WmiPrvSE Spawned A Process

Detects WmiPrvSE spawning a process

WindowsProcess Creation
TA0002 · ExecutionT1047 · Windows Management Instrumentation
Roberto Rodriguez (Cyb3rWard0g)Thu Aug 15windows
Detectionmediumstable

Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell

Detects Powershell as a child of the WmiPrvSE process. Which could be a sign of lateral movement via WMI.

WindowsProcess Creation
TA0002 · ExecutionT1047 · Windows Management InstrumentationT1059.001 · PowerShell
Markus NeisWed Apr 03windows
Detectionhighstable

CMSTP Execution Registry Event

Detects various indicators of Microsoft Connection Manager Profile Installer execution

WindowsRegistry Event
TA0005 · Defense EvasionTA0002 · ExecutionT1218.003 · CMSTPG0069 · G0069+1
Nik SeetharamanMon Jul 16windows
Detectionmediumstable

UAC Disabled

Detects when an attacker tries to disable User Account Control (UAC) by setting the registry value "EnableLUA" to 0.

WindowsRegistry Set
TA0004 · Privilege EscalationTA0005 · Defense EvasionT1548.002 · Bypass User Account Control
François HubautWed Jan 05windows
Emerging Threatcriticalstable

Exploit for CVE-2015-1641

Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641

WindowsProcess Creation
TA0005 · Defense EvasionT1036.005 · Match Legitimate Name or Locationcve.2015-1641detection.emerging-threats
Florian Roth (Nextron Systems)Thu Feb 222015
Emerging Threatcriticalstable

Droppers Exploiting CVE-2017-11882

Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe

WindowsProcess Creation
TA0002 · ExecutionT1203 · Exploitation for Client ExecutionT1204.002 · Malicious FileTA0001 · Initial Access+3
Florian Roth (Nextron Systems)Thu Nov 232017
Emerging Threatcriticalstable

APT29 2018 Phishing Campaign File Indicators

Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant

WindowsFile Event
TA0005 · Defense EvasionT1218.011 · Rundll32detection.emerging-threats
@41thexplorerTue Nov 202018
Emerging Threatcriticalstable

APT29 2018 Phishing Campaign CommandLine Indicators

Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant

WindowsProcess Creation
TA0005 · Defense EvasionTA0002 · ExecutionT1218.011 · Rundll32detection.emerging-threats
Florian Roth (Nextron Systems)Tue Nov 202018
Emerging Threathighstable

TropicTrooper Campaign November 2018

Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia

WindowsProcess Creation
TA0002 · ExecutionT1059.001 · PowerShelldetection.emerging-threats
@41thexplorer+1Tue Nov 122018
Emerging Threatcriticalstable

Exploiting CVE-2019-1388

Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM

WindowsProcess Creation
TA0004 · Privilege EscalationT1068 · Exploitation for Privilege Escalationcve.2019-1388detection.emerging-threats
Florian Roth (Nextron Systems)Wed Nov 202019
Emerging Threatcriticalstable

Potential Dridex Activity

Detects potential Dridex acitvity via specific process patterns

WindowsProcess Creation
TA0005 · Defense EvasionTA0004 · Privilege EscalationT1055 · Process InjectionTA0007 · Discovery+3
Florian Roth (Nextron Systems)+2Thu Jan 102019
Emerging Threatcriticalstable

Potential Dtrack RAT Activity

Detects potential Dtrack RAT activity via specific process patterns

WindowsProcess Creation
TA0040 · ImpactT1490 · Inhibit System Recoverydetection.emerging-threats
Florian Roth (Nextron Systems)+1Wed Oct 302019
Emerging Threathighstable

Potential Emotet Activity

Detects all Emotet like process executions that are not covered by the more generic rules

WindowsProcess Creation
TA0002 · ExecutionT1059.001 · PowerShellTA0005 · Defense EvasionT1027 · Obfuscated Files or Information+1
Florian Roth (Nextron Systems)Mon Sep 302019
Emerging Threatcriticalstable

LockerGoga Ransomware Activity

Detects LockerGoga ransomware activity via specific command line.

WindowsProcess Creation
TA0040 · ImpactT1486 · Data Encrypted for Impactdetection.emerging-threats
Vasiliy Burov+1Sun Oct 182019
Emerging Threatcriticalstable

Potential QBot Activity

Detects potential QBot activity by looking for process executions used previously by QBot

WindowsProcess Creation
TA0002 · ExecutionT1059.005 · Visual Basicdetection.emerging-threats
Florian Roth (Nextron Systems)Tue Oct 012019
Emerging Threathighstable

Potential Ryuk Ransomware Activity

Detects Ryuk ransomware activity

WindowsProcess Creation
TA0004 · Privilege EscalationTA0003 · PersistenceT1547.001 · Registry Run Keys / Startup Folderdetection.emerging-threats
Florian Roth (Nextron Systems)+2Mon Dec 162019
Emerging Threathighstable

Potential Snatch Ransomware Activity

Detects specific process characteristics of Snatch ransomware word document droppers

WindowsProcess Creation
TA0002 · ExecutionT1204 · User Executiondetection.emerging-threats
Florian Roth (Nextron Systems)Wed Aug 262019
Emerging Threatcriticalstable

Ursnif Malware C2 URL Pattern

Detects Ursnif C2 traffic.

Proxy Log
TA0001 · Initial AccessT1566.001 · Spearphishing AttachmentTA0002 · ExecutionT1204.002 · Malicious File+3
Thomas PatzkeThu Dec 192019
Emerging Threathighstable

Ursnif Malware Download URL Pattern

Detects download of Ursnif malware done by dropper documents.

Proxy Log
TA0011 · Command and ControlT1071.001 · Web Protocolsdetection.emerging-threats
Thomas PatzkeThu Dec 192019
Emerging Threatcriticalstable

Potential Russian APT Credential Theft Activity

Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike

WindowsProcess Creation
TA0006 · Credential AccessT1552.001 · Credentials In FilesT1003.003 · NTDSdetection.emerging-threats
Florian Roth (Nextron Systems)Thu Feb 212019
Emerging Threatcriticalstable

Equation Group DLL_U Export Function Load

Detects a specific export function name used by one of EquationGroup tools

WindowsProcess Creation
G0020 · G0020TA0005 · Defense EvasionT1218.011 · Rundll32detection.emerging-threats
Florian Roth (Nextron Systems)Mon Mar 042019
Emerging Threathighstable

Trickbot Malware Activity

Detects Trickbot malware process tree pattern in which "rundll32.exe" is a parent of "wermgr.exe"

WindowsProcess Creation
TA0002 · ExecutionT1559 · Inter-Process Communicationdetection.emerging-threats
Florian Roth (Nextron Systems)Thu Nov 262020
Emerging Threatcriticalstable

Winnti Pipemon Characteristics

Detects specific process characteristics of Winnti Pipemon malware reported by ESET

WindowsProcess Creation
TA0004 · Privilege EscalationTA0003 · PersistenceTA0005 · Defense EvasionT1574.001 · DLL Search Order Hijacking+2
Florian Roth (Nextron Systems)+1Thu Jul 302020
123