Rule Library

Sigma Rules

104 rules found

3,707 Total · 3,116 Detection · 451 Emerging · 137 Hunting
Emerging Threat · critical · stable

Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection

Detects the suspicious file that is created by PoC code against the Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare) and CVE-2021-1675.

Antivirus Alert
TA0005 · Defense Evasion, TA0004 · Privilege Escalation, T1055 · Process Injection, detection.emerging-threats, +2
Sittikorn S +2 · Thu Jul 01 2021
Emerging Threat · medium · stable

Possible PrintNightmare Print Driver Install - CVE-2021-1675

Detects the remote installation of a print driver, which is a possible indication of the exploitation of PrintNightmare (CVE-2021-1675). Print drivers being installed remotely via RPC functions should be rare, as print drivers are normally installed locally or through group policy.

Zeek (Bro) · dce_rpc
TA0002 · Execution, cve.2021-1678, cve.2021-1675, cve.2021-34527, +1
Mon Aug 23 2021
Emerging Threat · high · stable

Pulse Connect Secure RCE Attack CVE-2021-22893

This rule detects exploitation attempts against the Pulse Connect Secure (PCS) vulnerability CVE-2021-22893.

Web Server Log
TA0001 · Initial Access, T1190 · Exploit Public-Facing Application, cve.2021-22893, detection.emerging-threats
Sittikorn S · Tue Jun 29 2021
Emerging Threat · high · stable

Potential CVE-2021-26857 Exploitation Attempt

Detects possible successful exploitation of the vulnerability described in CVE-2021-26857 by looking for abnormal subprocesses spawned by Exchange Server's Unified Messaging service.

Windows · Process Creation
T1203 · Exploitation for Client Execution, TA0002 · Execution, cve.2021-26857, detection.emerging-threats
Bhabesh Raj · Wed Mar 03 2021
Emerging Threat · high · stable

OMIGOD HTTP No Authentication RCE - CVE-2021-38647

Detects the exploitation of OMIGOD (CVE-2021-38647), which allows remote command execution (RCE) as root with just a single unauthenticated HTTP request. Verify successful exploitation by viewing the HTTP client (request) body to see what was passed to the server (using PCAP); the client body is where the code execution would occur. Additionally, check the endpoint logs to see whether suspicious commands or activity occurred within the timeframe of this HTTP request.

Zeek (Bro) · http
TA0004 · Privilege Escalation, TA0001 · Initial Access, TA0002 · Execution, TA0008 · Lateral Movement, +7
Nate Guagenti (neu5ron) · Mon Sep 20 2021
Threat Hunt · low · stable

Process Discovery

Detects process discovery commands. Adversaries may attempt to get information about running processes on a system. The information obtained could be used to gain an understanding of common software/applications running on systems within the network.

Linux · Process Creation
TA0007 · Discovery, T1057 · Process Discovery, detection.threat-hunting
Ömer Günal +2 · Tue Oct 06 · linux
Threat Hunt · medium · stable

DLL Call by Ordinal Via Rundll32.EXE

Detects calls of DLL exports by ordinal number via rundll32.dll.

Windows · Process Creation
TA0005 · Defense Evasion, T1218.011 · Rundll32, detection.threat-hunting
Florian Roth (Nextron Systems) · Tue Oct 22 · windows
Compliance · low · stable

Cleartext Protocol Usage Via Netflow

Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. Ensure that encryption is used for all sensitive information in transit. Ensure that encrypted channels are used for all administrative account access.

netflow
TA0006 · Credential Access
Alexandr Yampolskyi +1 · Tue Mar 26 · other