Rule Library

Sigma Rules

3,116 rules found for "sigma"

3,707 Total
3,116 Detection
451 Emerging
137 Hunting

Detection · high · test

T1047 Wmiprvse Wbemcomn DLL Hijack

Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network for a WMI DLL Hijack scenario.

Windows · security
TA0002 · Execution, T1047 · Windows Management Instrumentation, TA0008 · Lateral Movement, T1021.002 · SMB/Windows Admin Shares
Roberto Rodriguez (Cyb3rWard0g) +1 · Mon Oct 12 · windows
Detection · informational · stable

Locked Workstation

Detects locked workstation session events that occur automatically after a standard period of inactivity.

Windows · security
TA0040 · Impact
Alexandr Yampolskyi +1 · Tue Mar 26 · windows
Detection · high · test

Microsoft Defender Blocked from Loading Unsigned DLL

Detects the Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs, which may be an attempt to sideload an arbitrary DLL.

Windows · security-mitigations
TA0004 · Privilege Escalation, TA0003 · Persistence, TA0005 · Defense Evasion, T1574.001 · DLL Search Order Hijacking
Bhabesh Raj · Tue Aug 02 · windows
Detection · high · test

Unsigned Binary Loaded From Suspicious Location

Detects the Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations.

Windows · security-mitigations
TA0004 · Privilege Escalation, TA0003 · Persistence, TA0005 · Defense Evasion, T1574.001 · DLL Search Order Hijacking
Nasreddine Bencherchali (Nextron Systems) · Wed Aug 03 · windows
Detection · high · test

HybridConnectionManager Service Running

Rule to detect the Hybrid Connection Manager service running on an endpoint.

Windows · microsoft-servicebus-client
TA0003 · Persistence, T1554 · Compromise Host Software Binary
Roberto Rodriguez (Cyb3rWard0g) +1 · Mon Apr 12 · windows
Detection · medium · test

Suspicious Application Installed

Detects a suspicious application installation by looking at the shortcut added to the app resolver cache.

Windows · shell-core
TA0002 · Execution
Nasreddine Bencherchali (Nextron Systems) · Sun Aug 14 · windows
Detection · medium · test

Suspicious Rejected SMB Guest Logon From IP

Detects attempted PrintNightmare (CVE-2021-1675) remote code execution in the Windows Spooler service.

Windows · smbclient-security
TA0006 · Credential Access, T1110.001 · Password Guessing
Florian Roth (Nextron Systems) +2 · Wed Jun 30 · windows
Detection · medium · experimental

Unsigned or Unencrypted SMB Connection to Share Established

Detects SMB server connections to shares without signing or encryption enabled. This could indicate potential lateral movement activity using unsecured SMB shares.

Windows · smbserver-connectivity
TA0008 · Lateral Movement, T1021.002 · SMB/Windows Admin Shares
Mohamed Abdelghani · Sun Oct 19 · windows
Detection · high · test

Sysmon Application Crashed

Detects an application popup reporting a failure of the Sysmon service.

Windows · system
TA0005 · Defense Evasion, T1562 · Impair Defenses
Tim Shelton · Tue Apr 26 · windows
Detection · medium · test

NTLMv1 Logon Between Client and Server

Detects the reporting of NTLMv1 being used between a client and server. NTLMv1 is insecure as the underlying encryption algorithms can be brute-forced by modern hardware.

Windows · system
TA0005 · Defense Evasion, TA0008 · Lateral Movement, T1550.002 · Pass the Hash
Tim Shelton +1 · Tue Apr 26 · windows
Detection · medium · experimental

ISATAP Router Address Was Set

Detects the configuration of a new ISATAP router on a Windows host. While ISATAP is a legitimate Microsoft technology for IPv6 transition, unexpected or unauthorized ISATAP router configurations could indicate a potential IPv6 DNS Takeover attack using tools like mitm6. In such attacks, adversaries advertise themselves as DHCPv6 servers and set malicious ISATAP routers to intercept traffic. This detection should be correlated with network baselines and known legitimate ISATAP deployments in your environment.

Windows · system
TA0040 · Impact, TA0006 · Credential Access, TA0009 · Collection, TA0001 · Initial Access, +4
hamid · Sun Oct 19 · windows
Detection · low · test

Active Directory Certificate Services Denied Certificate Enrollment Request

Detects requests denied by Active Directory Certificate Services. Examples of such denials include permission issues on the certificate template or invalid signatures.

Windows · system
TA0006 · Credential Access, TA0005 · Defense Evasion, T1553.004 · Install Root Certificate
@serkinvalery · Thu Mar 07 · windows
Detection · high · test

DHCP Server Loaded the CallOut DLL

This rule detects a DHCP server loading the Callout DLL specified in the registry.

Windows · system
TA0004 · Privilege Escalation, TA0003 · Persistence, TA0005 · Defense Evasion, T1574.001 · DLL Search Order Hijacking
Dimitrios Slamaris · Mon May 15 · windows
Detection · high · test

DHCP Server Error Failed Loading the CallOut DLL

This rule detects a DHCP server error in which the Callout DLL specified in the registry could not be loaded.

Windows · system
TA0004 · Privilege Escalation, TA0003 · Persistence, TA0005 · Defense Evasion, T1574.001 · DLL Search Order Hijacking
Dimitrios Slamaris · Mon May 15 · windows
Detection · high · test

Local Privilege Escalation Indicator TabTip

Detects the invocation of TabTip via CLSID, as seen when JuicyPotatoNG is used on a system in brute-force mode.

Windows · system
TA0009 · Collection, TA0002 · Execution, TA0006 · Credential Access, T1557.001 · LLMNR/NBT-NS Poisoning and SMB Relay
Florian Roth (Nextron Systems) · Fri Oct 07 · windows
Detection · medium · test

Eventlog Cleared

One of the Windows event logs has been cleared, e.g. caused by execution of the "wevtutil cl" command.

Windows · system
TA0005 · Defense Evasion, T1070.001 · Clear Windows Event Logs, 2016-04-002 · CAR 2016-04-002
Florian Roth (Nextron Systems) · Tue Jan 10 · windows
Detection · high · test

Important Windows Eventlog Cleared

Detects the clearing of one of the Windows core event logs, e.g. caused by execution of the "wevtutil cl" command.

Windows · system
TA0005 · Defense Evasion, T1070.001 · Clear Windows Event Logs, 2016-04-002 · CAR 2016-04-002
Florian Roth (Nextron Systems) +2 · Tue May 17 · windows
Detection · medium · test

Certificate Use With No Strong Mapping

Detects a user certificate that was valid but could not be mapped to a user in a strong way (such as via explicit mapping, key trust mapping, or a SID). This could be a sign of exploitation of the elevation of privilege vulnerabilities (CVE-2022-34691, CVE-2022-26931, CVE-2022-26923) that can occur when the KDC allows certificate spoofing by not requiring a strong mapping. Events where the AccountName and the CN of the Subject do not match, or where the CN ends in a dollar sign (indicating a machine account), may indicate certificate spoofing.

Windows · system
TA0004 · Privilege Escalation
@br4dy5 · Mon Oct 09 · windows
Detection · low · test

No Suitable Encryption Key Found For Generating Kerberos Ticket

Detects errors when a target server doesn't have suitable keys for generating Kerberos tickets. This issue can occur, for example, when a service uses a user account or a computer account that is configured for DES encryption only, on a computer running Windows 7 where DES encryption for Kerberos authentication is disabled.

Windows · system
TA0006 · Credential Access, T1558.003 · Kerberoasting
@serkinvalery · Thu Mar 07 · windows
Detection · high · test

Critical Hive In Suspicious Location Access Bits Cleared

Detects events from the Kernel-General ETW provider indicating that the access bits of a hive with a system-like hive name located in the temp directory have been reset. This occurs when an application tries to access a hive that has not been recognized within the last 7 days (by default). Registry hive dumping utilities such as QuarksPwDump were seen emitting this behavior.

Windows · system
TA0006 · Credential Access, T1003.002 · Security Account Manager
Florian Roth (Nextron Systems) · Mon May 15 · windows
Detection · low · test

Volume Shadow Copy Mount

Detects a volume shadow copy mount via the Windows event log.

Windows · system
TA0006 · Credential Access, T1003.002 · Security Account Manager
Roberto Rodriguez (Cyb3rWard0g) +1 · Tue Oct 20 · windows
Detection · medium · experimental

Crash Dump Created By Operating System

Detects "BugCheck" errors indicating the system rebooted due to a crash, capturing the bugcheck code, dump file path, and report ID.

Windows · system
TA0006 · Credential Access, TA0009 · Collection, T1003.002 · Security Account Manager, T1005 · Data from Local System
Jason Mull · Mon May 12 · windows
Detection · informational · stable

Windows Update Error

Detects Windows update errors including installation failures and connection issues. Defenders should observe this in case critical update KBs aren't installed.

Windows · system
TA0040 · Impact, TA0042 · Resource Development, T1584 · Compromise Infrastructure
François Hubaut · Sat Dec 04 · windows
Detection · critical · stable

Zerologon Exploitation Using Well-known Tools

This rule is designed to detect attempts to exploit the Zerologon (CVE-2020-1472) vulnerability using the mimikatz zerologon module or other exploits from a machine with the "kali" hostname.

Windows · system
T1210 · Exploitation of Remote Services, TA0008 · Lateral Movement
Demyan Sokolin +2 · Tue Oct 13 · windows
Detection · high · test

Vulnerable Netlogon Secure Channel Connection Allowed

Detects that a vulnerable Netlogon secure channel connection was allowed, which could be an indicator of CVE-2020-1472.

Windows · system
TA0005 · Defense Evasion, TA0004 · Privilege Escalation, T1548 · Abuse Elevation Control Mechanism
NVISO · Tue Sep 15 · windows
Detection · high · test

NTFS Vulnerability Exploitation

This rule detects the exploitation of an NTFS vulnerability that was reported, without many details, via Twitter.

Windows · system
TA0040 · Impact, T1499.001 · OS Exhaustion Flood
Florian Roth (Nextron Systems) · Mon Jan 11 · windows
Detection · critical · test

CobaltStrike Service Installations - System

Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement.

Windows · system
TA0003 · Persistence, TA0002 · Execution, TA0004 · Privilege Escalation, TA0008 · Lateral Movement, +3
Florian Roth (Nextron Systems) +1 · Wed May 26 · windows
Detection · medium · stable

Windows Defender Threat Detection Service Disabled

Detects when the "Windows Defender Threat Protection" service is disabled.

Windows · system
TA0005 · Defense Evasion, T1562.001 · Disable or Modify Tools
Ján Trenčanský +1 · Tue Jul 28 · windows
Detection · high · test

smbexec.py Service Installation

Detects the use of the smbexec.py tool by detecting a specific service installation.

Windows · system
TA0008 · Lateral Movement, TA0002 · Execution, T1021.002 · SMB/Windows Admin Shares, T1569.002 · Service Execution
Omer Faruk Celik · Tue Mar 20 · windows
Detection · high · test

Invoke-Obfuscation CLIP+ Launcher - System

Detects obfuscated use of Clip.exe to execute PowerShell.

Windows · system
TA0005 · Defense Evasion, T1027 · Obfuscated Files or Information, TA0002 · Execution, T1059.001 · PowerShell
Jonathan Cheong +1 · Tue Oct 13 · windows
Detection · high · test

Invoke-Obfuscation Obfuscated IEX Invocation - System

Detects all variations of obfuscated PowerShell IEX invocation code generated by the Invoke-Obfuscation framework, from the code block linked in the references.

Windows · system
TA0005 · Defense Evasion, T1027 · Obfuscated Files or Information
Daniel Bohannon +1 · Fri Nov 08 · windows
Detection · high · test

Invoke-Obfuscation STDIN+ Launcher - System

Detects obfuscated use of stdin to execute PowerShell.

Windows · system
TA0005 · Defense Evasion, T1027 · Obfuscated Files or Information, TA0002 · Execution, T1059.001 · PowerShell
Jonathan Cheong +1 · Thu Oct 15 · windows
Detection · high · test

Invoke-Obfuscation VAR+ Launcher - System

Detects obfuscated use of environment variables to execute PowerShell.

Windows · system
TA0005 · Defense Evasion, T1027 · Obfuscated Files or Information, TA0002 · Execution, T1059.001 · PowerShell
Jonathan Cheong +1 · Thu Oct 15 · windows
Detection · medium · test

Invoke-Obfuscation COMPRESS OBFUSCATION - System

Detects obfuscated PowerShell via COMPRESS OBFUSCATION.

Windows · system
TA0005 · Defense Evasion, T1027 · Obfuscated Files or Information, TA0002 · Execution, T1059.001 · PowerShell
Timur Zinniatullin +1 · Sun Oct 18 · windows
Detection · medium · test

Invoke-Obfuscation RUNDLL LAUNCHER - System

Detects obfuscated PowerShell via RUNDLL LAUNCHER.

Windows · system
TA0005 · Defense Evasion, T1027 · Obfuscated Files or Information, TA0002 · Execution, T1059.001 · PowerShell
Timur Zinniatullin +1 · Sun Oct 18 · windows
Detection · high · test

Invoke-Obfuscation Via Stdin - System

Detects obfuscated PowerShell via stdin in scripts.

Windows · system
TA0005 · Defense Evasion, T1027 · Obfuscated Files or Information, TA0002 · Execution, T1059.001 · PowerShell
Nikita Nazarov +1 · Mon Oct 12 · windows
Detection · high · test

Invoke-Obfuscation Via Use Clip - System

Detects obfuscated PowerShell via use of Clip.exe in scripts.

Windows · system
TA0005 · Defense Evasion, T1027 · Obfuscated Files or Information, TA0002 · Execution, T1059.001 · PowerShell
Nikita Nazarov +1 · Fri Oct 09 · windows
Detection · high · test

Invoke-Obfuscation Via Use MSHTA - System

Detects obfuscated PowerShell via use of MSHTA in scripts.

Windows · system
TA0005 · Defense Evasion, T1027 · Obfuscated Files or Information, TA0002 · Execution, T1059.001 · PowerShell
Nikita Nazarov +1 · Fri Oct 09 · windows
Detection · high · test

Invoke-Obfuscation Via Use Rundll32 - System

Detects obfuscated PowerShell via use of Rundll32 in scripts.

Windows · system
TA0005 · Defense Evasion, T1027 · Obfuscated Files or Information, TA0002 · Execution, T1059.001 · PowerShell
Nikita Nazarov +1 · Fri Oct 09 · windows
Detection · high · test

Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System

Detects obfuscated PowerShell via VAR++ LAUNCHER.

Windows · system
TA0005 · Defense Evasion, T1027 · Obfuscated Files or Information, TA0002 · Execution, T1059.001 · PowerShell
Timur Zinniatullin +1 · Tue Oct 13 · windows
Detection · high · test

KrbRelayUp Service Installation

Detects service creation by the KrbRelayUp tool, used for privilege escalation in Windows domain environments where LDAP signing is not enforced (the default setting).

Windows · system
TA0003 · Persistence, TA0004 · Privilege Escalation, T1543 · Create or Modify System Process
Sittikorn S +1 · Wed May 11 · windows
Detection · high · test

Credential Dumping Tools Service Execution - System

Detects execution of well-known credential dumping tools via service execution events.

Windows · system
TA0006 · Credential Access, TA0002 · Execution, T1003.001 · LSASS Memory, T1003.002 · Security Account Manager, +5
Florian Roth (Nextron Systems) +3 · Sun Mar 05 · windows
Detection · high · test

Meterpreter or Cobalt Strike Getsystem Service Installation - System

Detects the use of the getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation.

Windows · system
TA0005 · Defense Evasion, TA0004 · Privilege Escalation, T1134.001 · Token Impersonation/Theft, T1134.002 · Create Process with Token
Teymur Kheirkhabarov +2 · Sat Oct 26 · windows
Detection · critical · test

Moriya Rootkit - System

Detects the use of the Moriya rootkit as described in Securelist's Operation TunnelSnake report.

Windows · system
TA0003 · Persistence, TA0004 · Privilege Escalation, T1543.003 · Windows Service
Bhabesh Raj · Thu May 06 · windows
Detection · high · test

PowerShell Scripts Installed as Services

Detects a PowerShell script installed as a service.

Windows · system
TA0002 · Execution, T1569.002 · Service Execution
oscd.community +1 · Tue Oct 06 · windows
Detection · medium · test

Anydesk Remote Access Software Service Installation

Detects the installation of the AnyDesk software service, which could be an indication of AnyDesk abuse if the software isn't already in use.

Windows · system
TA0003 · Persistence
Nasreddine Bencherchali (Nextron Systems) +1 · Thu Aug 11 · windows
Detection · medium · test

CSExec Service Installation

Detects CSExec service installation and execution events.

Windows · system
TA0002 · Execution, T1569.002 · Service Execution
Nasreddine Bencherchali (Nextron Systems) · Mon Aug 07 · windows
Detection · high · test

HackTool Service Registration or Execution

Detects installation or execution of services.

Windows · system
TA0002 · Execution, T1569.002 · Service Execution, S0029 · S0029
Florian Roth (Nextron Systems) · Mon Mar 21 · windows