Rule Library

Sigma Rules

2,824 rules found

3,707 total · 3,116 Detection · 451 Emerging · 137 Hunting

Registry Persistence Mechanisms in Recycle Bin
Detection · high · test
Detects persistence registry keys for Recycle Bin
Windows · Registry Event
TA0004 · Privilege Escalation, TA0003 · Persistence, T1547 · Boot or Logon Autostart Execution
François Hubaut · Thu Nov 18 · windows

New PortProxy Registry Entry Added
Detection · medium · test
Detects the modification of the PortProxy registry key which is used for port forwarding.
Windows · Registry Event
TA0008 · Lateral Movement, TA0005 · Defense Evasion, TA0011 · Command and Control, T1090 · Proxy
Andreas Hunkeler · Tue Jun 22 · windows

RedMimicry Winnti Playbook Registry Manipulation
Detection · high · test
Detects actions caused by the RedMimicry Winnti playbook
Windows · Registry Event
TA0003 · Persistence, TA0005 · Defense Evasion, T1112 · Modify Registry
Alexander Rausch · Wed Jun 24 · windows

WINEKEY Registry Modification
Detection · high · test
Detects potential malicious modification of run keys by winekey or team9 backdoor
Windows · Registry Event
TA0004 · Privilege Escalation, TA0003 · Persistence, T1547 · Boot or Logon Autostart Execution
omkar72 · Fri Oct 30 · windows

Run Once Task Configuration in Registry
Detection · medium · test
Rule to detect the configuration of the Run Once registry key. The configured payload can be run by runonce.exe /AlternateShellStartup
Windows · Registry Event
TA0003 · Persistence, TA0005 · Defense Evasion, T1112 · Modify Registry
Avneet Singh +1 · Sun Nov 15 · windows

Shell Open Registry Keys Manipulation
Detection · high · test
Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)
Windows · Registry Event
TA0003 · Persistence, TA0005 · Defense Evasion, TA0004 · Privilege Escalation, T1548.002 · Bypass User Account Control +1
Christian Burkard (Nextron Systems) · Mon Aug 30 · windows

Potential Credential Dumping Via LSASS SilentProcessExit Technique
Detection · critical · test
Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process
Windows · Registry Event
TA0006 · Credential Access, T1003.001 · LSASS Memory
Florian Roth (Nextron Systems) · Fri Feb 26 · windows

Security Support Provider (SSP) Added to LSA Configuration
Detection · high · test
Detects the addition of an SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.
Windows · Registry Event
TA0004 · Privilege Escalation, TA0003 · Persistence, T1547.005 · Security Support Provider
iwillkeepwatch · Fri Jan 18 · windows

Sticky Key Like Backdoor Usage - Registry
Detection · critical · test
Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
Windows · Registry Event
TA0004 · Privilege Escalation, TA0003 · Persistence, T1546.008 · Accessibility Features, 2014-11-003 · CAR 2014-11-003 +1
Florian Roth (Nextron Systems) +2 · Thu Mar 15 · windows

Atbroker Registry Change
Detection · medium · test
Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'
Windows · Registry Event
TA0004 · Privilege Escalation, TA0005 · Defense Evasion, T1218 · System Binary Proxy Execution, TA0003 · Persistence +1
Mateusz Wydra +1 · Tue Oct 13 · windows

Suspicious Run Key from Download
Detection · high · test
Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories
Windows · Registry Event
TA0004 · Privilege Escalation, TA0003 · Persistence, T1547.001 · Registry Run Keys / Startup Folder
Florian Roth (Nextron Systems) +1 · Tue Oct 01 · windows

DLL Load via LSASS
Detection · high · test
Detects a method to load a DLL via the LSASS process using an undocumented Registry key
Windows · Registry Event
TA0004 · Privilege Escalation, TA0002 · Execution, TA0003 · Persistence, T1547.008 · LSASS Driver
Florian Roth (Nextron Systems) · Wed Oct 16 · windows

Suspicious Camera and Microphone Access
Detection · high · test
Detects processes accessing the camera and microphone from a suspicious folder
Windows · Registry Event
TA0009 · Collection, T1125 · Video Capture, T1123 · Audio Capture
Den Iuzvyk · Sun Jun 07 · windows

Registry Tampering by Potentially Suspicious Processes
Detection · medium · experimental
Detects suspicious registry modifications made by suspicious processes such as script engine processes (WScript, CScript, etc.). These processes are rarely used for legitimate registry modifications, and their activity may indicate an attempt to modify the registry without using standard tools like regedit.exe or reg.exe, potentially for evasion and persistence.
Windows · Registry Event
TA0005 · Defense Evasion, TA0003 · Persistence, TA0002 · Execution, T1112 · Modify Registry +1
Swachchhanda Shrawan Poudel (Nextron Systems) · Wed Aug 13 · windows

Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback
Detection · medium · test
Detects enabling of the "AllowAnonymousCallback" registry value, which allows a remote connection between computers that do not have a trust relationship.
Windows · Registry Set
TA0005 · Defense Evasion, T1562.001 · Disable or Modify Tools
X__Junior (Nextron Systems) · Fri Nov 03 · windows

Registry Persistence via Service in Safe Mode
Detection · high · test
Detects the modification of the registry to allow a driver or service to persist in Safe Mode.
Windows · Registry Set
TA0005 · Defense Evasion, T1564.001 · Hidden Files and Directories
François Hubaut · Mon Apr 04 · windows

Add Port Monitor Persistence in Registry
Detection · medium · test
Adversaries may use port monitors to run an attacker-supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.
Windows · Registry Set
TA0004 · Privilege Escalation, TA0003 · Persistence, T1547.010 · Port Monitors
François Hubaut · Thu Dec 30 · windows

Add Debugger Entry To AeDebug For Persistence
Detection · medium · test
Detects when an attacker adds a new "Debugger" value to the "AeDebug" key in order to achieve persistence; the configured debugger will get invoked when an application crashes
Windows · Registry Set
TA0003 · Persistence
Nasreddine Bencherchali (Nextron Systems) · Thu Jul 21 · windows

Allow RDP Remote Assistance Feature
Detection · medium · test
Detects enabling of the RDP feature that allows a specific user to connect via RDP to the targeted machine
Windows · Registry Set
TA0003 · Persistence, TA0005 · Defense Evasion, T1112 · Modify Registry
François Hubaut · Fri Aug 19 · windows

Potential AMSI COM Server Hijacking
Detection · high · test
Detects changes to the AMSI COM server registry key in order to disable AMSI scanning functionality. When AMSI attempts to start its COM component, it will query its registered CLSID and return a non-existent COM server. This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless
Windows · Registry Set
TA0005 · Defense Evasion, T1562.001 · Disable or Modify Tools
Nasreddine Bencherchali (Nextron Systems) · Wed Jan 04 · windows

AMSI Disabled via Registry Modification
Detection · high · experimental
Detects attempts to disable AMSI (Anti-Malware Scan Interface) by modifying the AmsiEnable registry value. AMSI is a security feature in Windows that allows applications and services to integrate with anti-malware products for enhanced protection against malicious content. Adversaries may attempt to disable AMSI to evade detection by security software, allowing them to execute malicious scripts or code without being scanned.
Windows · Registry Set
TA0005 · Defense Evasion, T1562.001 · Disable or Modify Tools, T1562.006 · Indicator Blocking
Swachchhanda Shrawan Poudel (Nextron Systems) · Thu Dec 25 · windows

Classes Autorun Keys Modification
Detection · medium · test
Detects modification of autostart extensibility point (ASEP) in registry.
Windows · Registry Set
TA0004 · Privilege Escalation, TA0003 · Persistence, T1547.001 · Registry Run Keys / Startup Folder
Victor Sergeev +6 · Fri Oct 25 · windows

Common Autorun Keys Modification
Detection · medium · test
Detects modification of autostart extensibility point (ASEP) in registry.
Windows · Registry Set
TA0004 · Privilege Escalation, TA0003 · Persistence, T1547.001 · Registry Run Keys / Startup Folder
Victor Sergeev +7 · Fri Oct 25 · windows

CurrentControlSet Autorun Keys Modification
Detection · medium · test
Detects modification of autostart extensibility point (ASEP) in registry.
Windows · Registry Set
TA0004 · Privilege Escalation, TA0003 · Persistence, T1547.001 · Registry Run Keys / Startup Folder
Victor Sergeev +6 · Fri Oct 25 · windows

CurrentVersion Autorun Keys Modification
Detection · medium · test
Detects modification of autostart extensibility point (ASEP) in registry.
Windows · Registry Set
TA0004 · Privilege Escalation, TA0003 · Persistence, T1547.001 · Registry Run Keys / Startup Folder
Victor Sergeev +6 · Fri Oct 25 · windows

CurrentVersion NT Autorun Keys Modification
Detection · medium · test
Detects modification of autostart extensibility point (ASEP) in registry.
Windows · Registry Set
TA0004 · Privilege Escalation, TA0003 · Persistence, T1547.001 · Registry Run Keys / Startup Folder
Victor Sergeev +6 · Fri Oct 25 · windows

Internet Explorer Autorun Keys Modification
Detection · medium · test
Detects modification of autostart extensibility point (ASEP) in registry.
Windows · Registry Set
TA0004 · Privilege Escalation, TA0003 · Persistence, T1547.001 · Registry Run Keys / Startup Folder
Victor Sergeev +6 · Fri Oct 25 · windows

Office Autorun Keys Modification
Detection · medium · test
Detects modification of autostart extensibility point (ASEP) in registry.
Windows · Registry Set
TA0004 · Privilege Escalation, TA0003 · Persistence, T1547.001 · Registry Run Keys / Startup Folder
Victor Sergeev +6 · Fri Oct 25 · windows

Session Manager Autorun Keys Modification
Detection · medium · test
Detects modification of autostart extensibility point (ASEP) in registry.
Windows · Registry Set
TA0004 · Privilege Escalation, TA0003 · Persistence, T1547.001 · Registry Run Keys / Startup Folder, T1546.009 · AppCert DLLs
Victor Sergeev +6 · Fri Oct 25 · windows

System Scripts Autorun Keys Modification
Detection · medium · test
Detects modification of autostart extensibility point (ASEP) in registry.
Windows · Registry Set
TA0004 · Privilege Escalation, TA0003 · Persistence, T1547.001 · Registry Run Keys / Startup Folder
Victor Sergeev +6 · Fri Oct 25 · windows

WinSock2 Autorun Keys Modification
Detection · medium · test
Detects modification of autostart extensibility point (ASEP) in registry.
Windows · Registry Set
TA0004 · Privilege Escalation, TA0003 · Persistence, T1547.001 · Registry Run Keys / Startup Folder
Victor Sergeev +6 · Fri Oct 25 · windows

Wow6432Node CurrentVersion Autorun Keys Modification
Detection · medium · test
Detects modification of autostart extensibility point (ASEP) in registry.
Windows · Registry Set
TA0004 · Privilege Escalation, TA0003 · Persistence, T1547.001 · Registry Run Keys / Startup Folder
Victor Sergeev +6 · Fri Oct 25 · windows

Wow6432Node Classes Autorun Keys Modification
Detection · medium · test
Detects modification of autostart extensibility point (ASEP) in registry.
Windows · Registry Set
TA0004 · Privilege Escalation, TA0003 · Persistence, T1547.001 · Registry Run Keys / Startup Folder
Victor Sergeev +6 · Fri Oct 25 · windows

Wow6432Node Windows NT CurrentVersion Autorun Keys Modification
Detection · medium · test
Detects modification of autostart extensibility point (ASEP) in registry.
Windows · Registry Set
TA0004 · Privilege Escalation, TA0003 · Persistence, T1547.001 · Registry Run Keys / Startup Folder
Victor Sergeev +6 · Fri Oct 25 · windows

New BgInfo.EXE Custom DB Path Registry Configuration
Detection · medium · test
Detects setting of a new registry database value related to BgInfo configuration. Attackers can for example set this value to save the results of the commands executed by BgInfo in order to exfiltrate information.
Windows · Registry Set
TA0003 · Persistence, TA0005 · Defense Evasion, T1112 · Modify Registry
Nasreddine Bencherchali (Nextron Systems) · Wed Aug 16 · windows

New BgInfo.EXE Custom VBScript Registry Configuration
Detection · medium · test
Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom VBScript via "BgInfo.exe"
Windows · Registry Set
TA0003 · Persistence, TA0005 · Defense Evasion, T1112 · Modify Registry
Nasreddine Bencherchali (Nextron Systems) · Wed Aug 16 · windows

New BgInfo.EXE Custom WMI Query Registry Configuration
Detection · medium · test
Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom WMI query via "BgInfo.exe"
Windows · Registry Set
TA0003 · Persistence, TA0005 · Defense Evasion, T1112 · Modify Registry
Nasreddine Bencherchali (Nextron Systems) · Wed Aug 16 · windows

Bypass UAC Using DelegateExecute
Detection · high · test
Bypasses User Account Control using a fileless method
Windows · Registry Set
TA0004 · Privilege Escalation, TA0005 · Defense Evasion, T1548.002 · Bypass User Account Control
François Hubaut · Wed Jan 05 · windows

Bypass UAC Using Event Viewer
Detection · high · test
Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification
Windows · Registry Set
TA0004 · Privilege Escalation, TA0003 · Persistence, T1547.010 · Port Monitors
François Hubaut · Wed Jan 05 · windows

Bypass UAC Using SilentCleanup Task
Detection · high · test
Detects the setting of the environment variable "windir" to a non-default value. Attackers often abuse this variable in order to trigger a UAC bypass via the "SilentCleanup" task. The SilentCleanup task located in %windir%\system32\cleanmgr.exe is an auto-elevated task that can be abused to elevate any file with administrator privileges without prompting UAC.
Windows · Registry Set
TA0004 · Privilege Escalation, TA0005 · Defense Evasion, T1548.002 · Bypass User Account Control
François Hubaut +1 · Thu Jan 06 · windows

Default RDP Port Changed to Non Standard Port
Detection · high · test
Detects changes to the default RDP port. Remote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).
Windows · Registry Set
TA0004 · Privilege Escalation, TA0003 · Persistence, T1547.010 · Port Monitors
François Hubaut · Sat Jan 01 · windows

IE Change Domain Zone
Detection · medium · test
Hides the file extension through modification of the registry
Windows · Registry Set
TA0003 · Persistence, T1137 · Office Application Startup
François Hubaut · Sat Jan 22 · windows

Sysmon Driver Altitude Change
Detection · high · test
Detects changes in Sysmon driver altitude value. If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.
Windows · Registry Set
TA0005 · Defense Evasion, T1562.001 · Disable or Modify Tools
B.Talebi · Thu Jul 28 · windows

Change Winevt Channel Access Permission Via Registry
Detection · high · test
Detects tampering with the "ChannelAccess" registry key in order to change access to Windows event channel.
Windows · Registry Set
TA0005 · Defense Evasion, T1562.002 · Disable Windows Event Logging
François Hubaut · Sat Sep 17 · windows

Running Chrome VPN Extensions via the Registry 2 VPN Extension
Detection · high · test
Running Chrome VPN extensions via the registry: installation of 2 VPN extensions
Windows · Registry Set
TA0001 · Initial Access, TA0003 · Persistence, T1133 · External Remote Services
François Hubaut · Tue Dec 28 · windows

ClickOnce Trust Prompt Tampering
Detection · medium · test
Detects changes to the ClickOnce trust prompt registry key in order to enable an installation from different locations such as the Internet.
Windows · Registry Set
TA0003 · Persistence, TA0005 · Defense Evasion, T1112 · Modify Registry
@serkinvalery +1 · Mon Jun 12 · windows

Potential CobaltStrike Service Installations - Registry
Detection · high · test
Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement.
Windows · Registry Set
TA0003 · Persistence, TA0002 · Execution, TA0004 · Privilege Escalation, TA0008 · Lateral Movement +3
Wojciech Lesicki · Tue Jun 29 · windows

COM Hijack via Sdclt
Detection · high · test
Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
Windows · Registry Set
TA0003 · Persistence, TA0005 · Defense Evasion, TA0004 · Privilege Escalation, T1546 · Event Triggered Execution +1
Omkar Gudhate · Sun Sep 27 · windows