Phoenix
Sigma IntelligenceBeta
Rule Library

Sigma Rules

3,332 rules found

3,707Total
3,116Detection
451Emerging
137Hunting
Detectionhightest

ProcessHacker Privilege Elevation

Detects a ProcessHacker tool that elevated privileges to a very high level

Windowssystem
TA0003 · PersistenceTA0002 · ExecutionTA0004 · Privilege EscalationT1543.003 · Windows Service+1
Florian Roth (Nextron Systems)Thu May 27windows
Detectionmediumtest

RemCom Service Installation

Detects RemCom service installation and execution events

Windowssystem
TA0002 · ExecutionT1569.002 · Service Execution
Nasreddine Bencherchali (Nextron Systems)Mon Aug 07windows
Detectionmediumtest

Remote Access Tool Services Have Been Installed - System

Detects service installation of different remote access tools software. These software are often abused by threat actors to perform

Windowssystem
TA0004 · Privilege EscalationTA0003 · PersistenceTA0002 · ExecutionT1543.003 · Windows Service+1
Connor Martin+1Fri Dec 23windows
Detectionmediumtest

Remote Utilities Host Service Install

Detects Remote Utilities Host service installation on the target system.

Windowssystem
TA0003 · Persistence
Nasreddine Bencherchali (Nextron Systems)Mon Oct 31windows
Detectionhightest

Sliver C2 Default Service Installation

Detects known malicious service installation that appear in cases in which a Sliver implants execute the PsExec commands

Windowssystem
TA0003 · PersistenceTA0002 · ExecutionTA0004 · Privilege EscalationT1543.003 · Windows Service+1
Florian Roth (Nextron Systems)+1Thu Aug 25windows
Detectionhightest

Service Installed By Unusual Client - System

Detects a service installed by a client which has PID 0 or whose parent has PID 0

Windowssystem
TA0003 · PersistenceTA0004 · Privilege EscalationT1543 · Create or Modify System Process
Tim Rauch+1Thu Sep 15windows
Detectionhightest

Suspicious Service Installation

Detects suspicious service installation commands

Windowssystem
TA0003 · PersistenceTA0004 · Privilege Escalation2013-09-005 · CAR 2013-09-005T1543.003 · Windows Service
Martin Mueller+1Fri Mar 18windows
Detectionmediumtest

PsExec Service Installation

Detects PsExec service installation and execution events

Windowssystem
TA0002 · ExecutionT1569.002 · Service ExecutionS0029 · S0029
Thomas PatzkeMon Jun 12windows
Detectionmediumtest

TacticalRMM Service Installation

Detects a TacticalRMM service installation. Tactical RMM is a remote monitoring & management tool.

Windowssystem
TA0011 · Command and Controlattack.t1219.002
Nasreddine Bencherchali (Nextron Systems)Mon Nov 28windows
Detectionmediumtest

Tap Driver Installation

Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques

Windowssystem
TA0010 · ExfiltrationT1048 · Exfiltration Over Alternative Protocol
Daniil Yugoslavskiy+2Thu Oct 24windows
Detectionmediumtest

Uncommon Service Installation Image Path

Detects uncommon service installation commands by looking at suspicious or uncommon image path values containing references to encoded powershell commands, temporary paths, etc.

Windowssystem
TA0003 · PersistenceTA0004 · Privilege Escalation2013-09-005 · CAR 2013-09-005T1543.003 · Windows Service
Florian Roth (Nextron Systems)Fri Mar 18windows
Detectionlowtest

Windows Service Terminated With Error

Detects Windows services that got terminated for whatever reason

Windowssystem
TA0005 · Defense Evasion
Nasreddine Bencherchali (Nextron Systems)Fri Apr 14windows
Detectionhightest

Important Windows Service Terminated With Error

Detects important or interesting Windows services that got terminated for whatever reason

Windowssystem
TA0005 · Defense Evasion
Nasreddine Bencherchali (Nextron Systems)Fri Apr 14windows
Detectionhightest

Important Windows Service Terminated Unexpectedly

Detects important or interesting Windows services that got terminated unexpectedly.

Windowssystem
TA0005 · Defense Evasion
Nasreddine Bencherchali (Nextron Systems)Fri Apr 14windows
Detectionhightest

RTCore Suspicious Service Installation

Detects the installation of RTCore service. Which could be an indication of Micro-Star MSI Afterburner vulnerable driver abuse

Windowssystem
TA0003 · Persistence
Nasreddine Bencherchali (Nextron Systems)Tue Aug 30windows
Detectionmediumtest

Service Installation in Suspicious Folder

Detects service installation in suspicious folder appdata

Windowssystem
TA0003 · PersistenceTA0004 · Privilege Escalation2013-09-005 · CAR 2013-09-005T1543.003 · Windows Service
Martin MuellerFri Mar 18windows
Detectionhightest

Service Installation with Suspicious Folder Pattern

Detects service installation with suspicious folder patterns

Windowssystem
TA0003 · PersistenceTA0004 · Privilege Escalation2013-09-005 · CAR 2013-09-005T1543.003 · Windows Service
Martin MuellerFri Mar 18windows
Detectionhightest

Suspicious Service Installation Script

Detects suspicious service installation scripts

Windowssystem
TA0003 · PersistenceTA0004 · Privilege Escalation2013-09-005 · CAR 2013-09-005T1543.003 · Windows Service
Martin MuellerFri Mar 18windows
Detectionmediumtest

Scheduled Task Executed From A Suspicious Location

Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task

Windowstaskscheduler
TA0004 · Privilege EscalationTA0002 · ExecutionTA0003 · PersistenceT1053.005 · Scheduled Task
Nasreddine Bencherchali (Nextron Systems)Mon Dec 05windows
Detectionmediumtest

Scheduled Task Executed Uncommon LOLBIN

Detects the execution of Scheduled Tasks where the program being run is located in a suspicious location or where it is an unusual program to be run from a Scheduled Task

Windowstaskscheduler
TA0004 · Privilege EscalationTA0002 · ExecutionTA0003 · PersistenceT1053.005 · Scheduled Task
Nasreddine Bencherchali (Nextron Systems)Mon Dec 05windows
Detectionhightest

Important Scheduled Task Deleted

Detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities

Windowstaskscheduler
TA0040 · ImpactT1489 · Service Stop
François HubautFri Jan 13windows
Detectionhightest

Ngrok Usage with Remote Desktop Service

Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour

Windowsterminalservices-localsessionmanager
TA0011 · Command and ControlT1090 · Proxy
Florian Roth (Nextron Systems)Fri Apr 29windows
Detectionhightest

Mimikatz Use

This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)

Windows
S0002 · MimikatzTA0008 · Lateral MovementTA0006 · Credential Access2013-07-001 · CAR 2013-07-001+5
Florian Roth (Nextron Systems)+1Tue Jan 10windows
Detectionhightest

LSASS Access Detected via Attack Surface Reduction

Detects Access to LSASS Process

Windowswindefend
TA0006 · Credential AccessT1003.001 · LSASS Memory
Markus NeisSun Aug 26windows
Detectionhightest

PSExec and WMI Process Creations Block

Detects blocking of process creations originating from PSExec and WMI commands

Windowswindefend
TA0002 · ExecutionTA0008 · Lateral MovementT1047 · Windows Management InstrumentationT1569.002 · Service Execution
Bhabesh RajTue Jul 14windows
Detectionhightest

Windows Defender Exploit Guard Tamper

Detects when someone is adding or removing applications or folders from exploit guard "ProtectedFolders" or "AllowedApplications"

Windowswindefend
TA0005 · Defense EvasionT1562.001 · Disable or Modify Tools
Nasreddine Bencherchali (Nextron Systems)Fri Aug 05windows
Detectioninformationaltest

Windows Defender Malware Detection History Deletion

Windows Defender logs when the history of detected infections is deleted.

Windowswindefend
TA0005 · Defense Evasion
Cian HeasleyThu Aug 13windows
Detectionhightest

Win Defender Restored Quarantine File

Detects the restoration of files from the defender quarantine

Windowswindefend
TA0005 · Defense EvasionT1562.001 · Disable or Modify Tools
Nasreddine Bencherchali (Nextron Systems)Tue Dec 06windows
Detectionmediumtest

WMI Persistence

Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.

Windowswmi
TA0003 · PersistenceTA0004 · Privilege EscalationT1546.003 · Windows Management Instrumentation Event Subscription
Florian Roth (Nextron Systems)+2Tue Aug 22windows
Detectionhightest

HackTool - CACTUSTORCH Remote Thread Creation

Detects remote thread creation from CACTUSTORCH as described in references.

WindowsRemote Thread Creation
TA0004 · Privilege EscalationTA0005 · Defense EvasionTA0002 · ExecutionT1055.012 · Process Hollowing+3
Thomas PatzkeFri Feb 01windows
Detectionhightest

HackTool - Potential CobaltStrike Process Injection

Detects a potential remote threat creation with certain characteristics which are typical for Cobalt Strike beacons

WindowsRemote Thread Creation
TA0004 · Privilege EscalationTA0005 · Defense EvasionT1055.001 · Dynamic-link Library Injection
Olaf Hartong+3Fri Nov 30windows
Detectionhightest

Remote Thread Created In KeePass.EXE

Detects remote thread creation in "KeePass.exe" which could indicates potential password dumping activity

WindowsRemote Thread Creation
TA0006 · Credential AccessT1555.005 · Password Managers
Timon HackenjosFri Apr 22windows
Detectionhightest

Remote Thread Creation In Mstsc.Exe From Suspicious Location

Detects remote thread creation in the "mstsc.exe" process by a process located in a potentially suspicious location. This technique is often used by attackers in order to hook some APIs used by DLLs loaded by "mstsc.exe" during RDP authentications in order to steal credentials.

WindowsRemote Thread Creation
TA0006 · Credential Access
Nasreddine Bencherchali (Nextron Systems)Fri Jul 28windows
Detectionhightest

Potential Credential Dumping Attempt Via PowerShell Remote Thread

Detects remote thread creation by PowerShell processes into "lsass.exe"

WindowsRemote Thread Creation
TA0006 · Credential AccessT1003.001 · LSASS Memory
oscd.community+1Tue Oct 06windows
Detectionmediumtest

Remote Thread Creation Via PowerShell In Uncommon Target

Detects the creation of a remote thread from a Powershell process in an uncommon target process

WindowsRemote Thread Creation
TA0005 · Defense EvasionTA0002 · ExecutionT1218.011 · Rundll32T1059.001 · PowerShell
Florian Roth (Nextron Systems)Mon Jun 25windows
Detectionhightest

Rare Remote Thread Creation By Uncommon Source Image

Detects uncommon processes creating remote threads.

WindowsRemote Thread Creation
TA0004 · Privilege EscalationTA0005 · Defense EvasionT1055 · Process Injection
Perez Diego+1Sun Oct 27windows
Detectionmediumtest

Remote Thread Creation By Uncommon Source Image

Detects uncommon processes creating remote threads.

WindowsRemote Thread Creation
TA0004 · Privilege EscalationTA0005 · Defense EvasionT1055 · Process Injection
Perez Diego+1Sun Oct 27windows
Detectionmediumtest

Remote Thread Creation In Uncommon Target Image

Detects uncommon target processes for remote thread creation

WindowsRemote Thread Creation
TA0005 · Defense EvasionTA0004 · Privilege EscalationT1055.003 · Thread Execution Hijacking
Florian Roth (Nextron Systems)Wed Mar 16windows
Detectionhightest

Remote Thread Creation Ttdinject.exe Proxy

Detects a remote thread creation of Ttdinject.exe used as proxy

WindowsRemote Thread Creation
TA0005 · Defense EvasionT1127 · Trusted Developer Utilities Proxy Execution
François HubautMon May 16windows
Detectionmediumtest

Hidden Executable In NTFS Alternate Data Stream

Detects the creation of an ADS (Alternate Data Stream) that contains an executable by looking at a non-empty Imphash

WindowsAlternate Data Stream
TA0005 · Defense EvasionS0139 · S0139T1564.004 · NTFS File Attributes
Florian Roth (Nextron Systems)Sun Jun 03windows
Detectionmediumtest

Creation Of a Suspicious ADS File Outside a Browser Download

Detects the creation of a suspicious ADS (Alternate Data Stream) file by software other than browsers

WindowsAlternate Data Stream
TA0005 · Defense Evasion
François HubautSat Oct 22windows
Detectionhightest

Suspicious File Download From File Sharing Websites - File Stream

Detects the download of suspicious file type from a well-known file and paste sharing domain

WindowsAlternate Data Stream
TA0005 · Defense EvasionS0139 · S0139T1564.004 · NTFS File Attributes
Florian Roth (Nextron Systems)Wed Aug 24windows
Detectionmediumtest

Unusual File Download From File Sharing Websites - File Stream

Detects the download of suspicious file type from a well-known file and paste sharing domain

WindowsAlternate Data Stream
TA0005 · Defense EvasionS0139 · S0139T1564.004 · NTFS File Attributes
Florian Roth (Nextron Systems)Wed Aug 24windows
Detectionhightest

HackTool Named File Stream Created

Detects the creation of a named file stream with the imphash of a well-known hack tool

WindowsAlternate Data Stream
TA0005 · Defense EvasionS0139 · S0139T1564.004 · NTFS File Attributes
Florian Roth (Nextron Systems)Wed Aug 24windows
Detectionhightest

Exports Registry Key To an Alternate Data Stream

Exports the target Registry key and hides it in the specified alternate data stream.

WindowsAlternate Data Stream
TA0005 · Defense EvasionT1564.004 · NTFS File Attributes
Oddvar Moe+2Wed Oct 07windows
Detectionhightest

Unusual File Download from Direct IP Address

Detects the download of suspicious file type from URLs with IP

WindowsAlternate Data Stream
TA0005 · Defense EvasionT1564.004 · NTFS File Attributes
Nasreddine Bencherchali (Nextron Systems)+1Wed Sep 07windows
Detectionhightest

Potential Suspicious Winget Package Installation

Detects potential suspicious winget package installation from a suspicious source.

WindowsAlternate Data Stream
TA0005 · Defense EvasionTA0003 · Persistence
Nasreddine Bencherchali (Nextron Systems)Tue Apr 18windows
Detectionhightest

Potentially Suspicious File Download From ZIP TLD

Detects the download of a file with a potentially suspicious extension from a .zip top level domain.

WindowsAlternate Data Stream
TA0005 · Defense Evasion
Florian Roth (Nextron Systems)Thu May 18windows
119202170