Phoenix
Sigma IntelligenceBeta
Rule Library

Sigma Rules

380 rules found for "oscd.community"

3,707Total
3,116Detection
451Emerging
137Hunting
Detectionhightest

Invoke-Obfuscation VAR+ Launcher - System

Detects Obfuscated use of Environment Variables to execute PowerShell

Windowssystem
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Jonathan Cheong+1Thu Oct 15windows
Detectionmediumtest

Invoke-Obfuscation COMPRESS OBFUSCATION - System

Detects Obfuscated Powershell via COMPRESS OBFUSCATION

Windowssystem
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Timur Zinniatullin+1Sun Oct 18windows
Detectionmediumtest

Invoke-Obfuscation RUNDLL LAUNCHER - System

Detects Obfuscated Powershell via RUNDLL LAUNCHER

Windowssystem
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Timur Zinniatullin+1Sun Oct 18windows
Detectionhightest

Invoke-Obfuscation Via Stdin - System

Detects Obfuscated Powershell via Stdin in Scripts

Windowssystem
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Nikita Nazarov+1Mon Oct 12windows
Detectionhightest

Invoke-Obfuscation Via Use Clip - System

Detects Obfuscated Powershell via use Clip.exe in Scripts

Windowssystem
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Nikita Nazarov+1Fri Oct 09windows
Detectionhightest

Invoke-Obfuscation Via Use MSHTA - System

Detects Obfuscated Powershell via use MSHTA in Scripts

Windowssystem
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Nikita Nazarov+1Fri Oct 09windows
Detectionhightest

Invoke-Obfuscation Via Use Rundll32 - System

Detects Obfuscated Powershell via use Rundll32 in Scripts

Windowssystem
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Nikita Nazarov+1Fri Oct 09windows
Detectionhightest

Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System

Detects Obfuscated Powershell via VAR++ LAUNCHER

Windowssystem
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Timur Zinniatullin+1Tue Oct 13windows
Detectionhightest

Credential Dumping Tools Service Execution - System

Detects well-known credential dumping tools execution via service execution events

Windowssystem
TA0006 · Credential AccessTA0002 · ExecutionT1003.001 · LSASS MemoryT1003.002 · Security Account Manager+5
Florian Roth (Nextron Systems)+3Sun Mar 05windows
Detectionhightest

PowerShell Scripts Installed as Services

Detects powershell script installed as a Service

Windowssystem
TA0002 · ExecutionT1569.002 · Service Execution
oscd.community+1Tue Oct 06windows
Detectionmediumtest

Tap Driver Installation

Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques

Windowssystem
TA0010 · ExfiltrationT1048 · Exfiltration Over Alternative Protocol
Daniil Yugoslavskiy+2Thu Oct 24windows
Detectionmediumtest

WMI Persistence

Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.

Windowswmi
TA0003 · PersistenceTA0004 · Privilege EscalationT1546.003 · Windows Management Instrumentation Event Subscription
Florian Roth (Nextron Systems)+2Tue Aug 22windows
Detectionhightest

HackTool - Potential CobaltStrike Process Injection

Detects a potential remote threat creation with certain characteristics which are typical for Cobalt Strike beacons

WindowsRemote Thread Creation
TA0004 · Privilege EscalationTA0005 · Defense EvasionT1055.001 · Dynamic-link Library Injection
Olaf Hartong+3Fri Nov 30windows
Detectionhightest

Potential Credential Dumping Attempt Via PowerShell Remote Thread

Detects remote thread creation by PowerShell processes into "lsass.exe"

WindowsRemote Thread Creation
TA0006 · Credential AccessT1003.001 · LSASS Memory
oscd.community+1Tue Oct 06windows
Detectionhightest

Rare Remote Thread Creation By Uncommon Source Image

Detects uncommon processes creating remote threads.

WindowsRemote Thread Creation
TA0004 · Privilege EscalationTA0005 · Defense EvasionT1055 · Process Injection
Perez Diego+1Sun Oct 27windows
Detectionmediumtest

Remote Thread Creation By Uncommon Source Image

Detects uncommon processes creating remote threads.

WindowsRemote Thread Creation
TA0004 · Privilege EscalationTA0005 · Defense EvasionT1055 · Process Injection
Perez Diego+1Sun Oct 27windows
Detectionhightest

Exports Registry Key To an Alternate Data Stream

Exports the target Registry key and hides it in the specified alternate data stream.

WindowsAlternate Data Stream
TA0005 · Defense EvasionT1564.004 · NTFS File Attributes
Oddvar Moe+2Wed Oct 07windows
Detectionmediumtest

DNS Query Request By Regsvr32.EXE

Detects DNS queries initiated by "Regsvr32.exe"

WindowsDNS Query
TA0002 · ExecutionT1559.001 · Component Object ModelTA0005 · Defense EvasionT1218.010 · Regsvr32
Dmitriy Lifanov+1Fri Oct 25windows
Detectionhightest

Cred Dump Tools Dropped Files

Files with well-known filenames (parts of credential dump software or files produced by them) creation

WindowsFile Event
TA0006 · Credential AccessT1003.001 · LSASS MemoryT1003.002 · Security Account ManagerT1003.003 · NTDS+2
Teymur Kheirkhabarov+1Fri Nov 01windows
Detectionhightest

Adwind RAT / JRAT File Artifact

Detects javaw.exe in AppData folder as used by Adwind / JRAT

WindowsFile Event
TA0002 · ExecutionT1059.005 · Visual BasicT1059.007 · JavaScript
Florian Roth (Nextron Systems)+3Fri Nov 10windows
Detectionhightest

Suspicious DotNET CLR Usage Log Artifact

Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context.

WindowsFile Event
TA0005 · Defense EvasionT1218 · System Binary Proxy Execution
François Hubaut+3Fri Nov 18windows
Detectionmediumtest

Potential Webshell Creation On Static Website

Detects the creation of files with certain extensions on a static web site. This can be indicative of potential uploads of a web shell.

WindowsFile Event
TA0003 · PersistenceT1505.003 · Web Shell
Beyu Denis+3Tue Oct 22windows
Detectionmediumtest

AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File

Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)

WindowsFile Event
TA0005 · Defense EvasionT1216 · System Script Proxy Execution
Julia Fomina+1Tue Oct 06windows
Detectionhightest

Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded

Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.

WindowsImage Load (DLL)
TA0006 · Credential AccessT1003.001 · LSASS Memory
Perez Diego+2Sun Oct 27windows
Detectionmediumtest

PowerShell Core DLL Loaded By Non PowerShell Process

Detects loading of essential DLLs used by PowerShell by non-PowerShell process. Detects behavior similar to meterpreter's "load powershell" extension.

WindowsImage Load (DLL)
T1059.001 · PowerShellTA0002 · Execution
Tom Kern+5Thu Nov 14windows
Detectionhightest

HackTool - SILENTTRINITY Stager DLL Load

Detects SILENTTRINITY stager dll loading activity

WindowsImage Load (DLL)
TA0011 · Command and ControlT1071 · Application Layer Protocol
Aleksey Potapov+1Tue Oct 22windows
Detectionmediumtest

Unsigned Image Loaded Into LSASS Process

Loading unsigned image (DLL, EXE) into LSASS process

WindowsImage Load (DLL)
TA0006 · Credential AccessT1003.001 · LSASS Memory
Teymur Kheirkhabarov+1Tue Oct 22windows
Detectionhightest

DotNet CLR DLL Loaded By Scripting Applications

Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution.

WindowsImage Load (DLL)
TA0005 · Defense EvasionTA0002 · ExecutionTA0004 · Privilege EscalationT1055 · Process Injection
omkar72+1Wed Oct 14windows
Detectionhightest

UAC Bypass With Fake DLL

Attempts to load dismcore.dll after dropping it

WindowsImage Load (DLL)
TA0003 · PersistenceTA0005 · Defense EvasionTA0004 · Privilege EscalationT1548.002 · Bypass User Account Control+1
oscd.community+1Tue Oct 06windows
Detectionmediumtest

Network Connection Initiated By Regsvr32.EXE

Detects a network connection initiated by "Regsvr32.exe"

WindowsNetwork Connection
TA0002 · ExecutionT1559.001 · Component Object ModelTA0005 · Defense EvasionT1218.010 · Regsvr32
Dmitriy Lifanov+1Fri Oct 25windows
Detectionhightest

Silenttrinity Stager Msbuild Activity

Detects a possible remote connections to Silenttrinity c2

WindowsNetwork Connection
TA0002 · ExecutionTA0005 · Defense EvasionT1127.001 · MSBuild
Kiran kumar s+1Sun Oct 11windows
Detectionmediumtest

Uncommon Outbound Kerberos Connection

Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.

WindowsNetwork Connection
TA0005 · Defense EvasionTA0006 · Credential AccessT1558 · Steal or Forge Kerberos TicketsTA0008 · Lateral Movement+1
Ilyas Ochkov+1Thu Oct 24windows
Detectioncriticaltest

HackTool - Credential Dumping Tools Named Pipe Created

Detects well-known credential dumping tools execution via specific named pipe creation

WindowsNamed Pipe Created
TA0006 · Credential AccessT1003.001 · LSASS MemoryT1003.002 · Security Account ManagerT1003.004 · LSA Secrets+1
Teymur Kheirkhabarov+1Fri Nov 01windows
Detectionmediumtest

PUA - CSExec Default Named Pipe

Detects default CSExec pipe creation

WindowsNamed Pipe Created
TA0008 · Lateral MovementT1021.002 · SMB/Windows Admin SharesTA0002 · ExecutionT1569.002 · Service Execution
Nikita Nazarov+2Mon Aug 07windows
Detectionmediumtest

PUA - RemCom Default Named Pipe

Detects default RemCom pipe creation

WindowsNamed Pipe Created
TA0008 · Lateral MovementT1021.002 · SMB/Windows Admin SharesTA0002 · ExecutionT1569.002 · Service Execution
Nikita Nazarov+2Mon Aug 07windows
Detectioncriticaltest

Bad Opsec Powershell Code Artifacts

focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads that often undergo minimal changes by attackers due to bad opsec.

WindowsPowerShell Module
TA0002 · ExecutionT1059.001 · PowerShell
ok invrep_de+1Fri Oct 09windows
Detectionmediumtest

Clear PowerShell History - PowerShell Module

Detects keywords that could indicate clearing PowerShell history

WindowsPowerShell Module
TA0005 · Defense EvasionT1070.003 · Clear Command History
Ilyas Ochkov+3Fri Oct 25windows
Detectionhightest

Invoke-Obfuscation CLIP+ Launcher - PowerShell Module

Detects Obfuscated use of Clip.exe to execute PowerShell

WindowsPowerShell Module
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Jonathan Cheong+1Tue Oct 13windows
Detectionhightest

Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module

Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below

WindowsPowerShell Module
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Daniel Bohannon ( / )+1Fri Nov 08windows
Detectionhightest

Invoke-Obfuscation STDIN+ Launcher - PowerShell Module

Detects Obfuscated use of stdin to execute PowerShell

WindowsPowerShell Module
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Jonathan Cheong+1Thu Oct 15windows
Detectionhightest

Invoke-Obfuscation VAR+ Launcher - PowerShell Module

Detects Obfuscated use of Environment Variables to execute PowerShell

WindowsPowerShell Module
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Jonathan Cheong+1Thu Oct 15windows
Detectionmediumtest

Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module

Detects Obfuscated Powershell via COMPRESS OBFUSCATION

WindowsPowerShell Module
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Timur Zinniatullin+1Sun Oct 18windows
Detectionmediumtest

Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module

Detects Obfuscated Powershell via RUNDLL LAUNCHER

WindowsPowerShell Module
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Timur Zinniatullin+1Sun Oct 18windows
Detectionhightest

Invoke-Obfuscation Via Stdin - PowerShell Module

Detects Obfuscated Powershell via Stdin in Scripts

WindowsPowerShell Module
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Nikita Nazarov+1Mon Oct 12windows
Detectionhightest

Invoke-Obfuscation Via Use Clip - PowerShell Module

Detects Obfuscated Powershell via use Clip.exe in Scripts

WindowsPowerShell Module
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Nikita Nazarov+1Fri Oct 09windows
Detectionhightest

Invoke-Obfuscation Via Use MSHTA - PowerShell Module

Detects Obfuscated Powershell via use MSHTA in Scripts

WindowsPowerShell Module
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Nikita Nazarov+1Thu Oct 08windows
Detectionhightest

Invoke-Obfuscation Via Use Rundll32 - PowerShell Module

Detects Obfuscated Powershell via use Rundll32 in Scripts

WindowsPowerShell Module
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Nikita Nazarov+1Tue Oct 08windows
Detectionhightest

Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module

Detects Obfuscated Powershell via VAR++ LAUNCHER

WindowsPowerShell Module
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Timur Zinniatullin+1Tue Oct 13windows
12348