Phoenix
Sigma IntelligenceBeta
Rule Library

Sigma Rules

2,839 rules found

3,731Total
3,132Detection
457Emerging
139Hunting
Threat Huntmediumtest

Cab File Extraction Via Wusa.EXE

Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility to extract cab using the "/extract" argument that is no longer supported.

WindowsProcess Creation
TA0002 · Executiondetection.threat-hunting
Nasreddine Bencherchali (Nextron Systems)Thu Aug 04windows
Threat Huntlowtest

Scheduled Task Created - Registry

Detects the creation of a scheduled task via Registry keys.

WindowsRegistry Event
TA0002 · ExecutionTA0003 · PersistenceTA0004 · Privilege EscalationS0111 · schtasks+3
Center for Threat Informed Defense (CTID) Summiting the Pyramid TeamWed Sep 27windows
Threat Huntmediumtest

Microsoft Office Trusted Location Updated

Detects changes to the registry keys related to "Trusted Location" of Microsoft Office. Attackers might add additional trusted locations to avoid macro security restrictions.

WindowsRegistry Set
TA0005 · Defense EvasionTA0003 · PersistenceT1112 · Modify Registrydetection.threat-hunting
Nasreddine Bencherchali (Nextron Systems)Wed Jun 21windows
Threat Huntmediumtest

Registry Set With Crypto-Classes From The "Cryptography" PowerShell Namespace

Detects the setting of a registry inside the "\Shell\Open\Command" value with PowerShell classes from the "System.Security.Cryptography" namespace. The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly encryption and decryption. These can be used for example in decrypting malicious payload for defense evasion.

WindowsRegistry Set
TA0005 · Defense EvasionTA0002 · ExecutionTA0003 · PersistenceTA0004 · Privilege Escalation+4
Andreas Braathen (mnemonic.io)Fri Dec 01windows
Threat Huntlowtest

Command Executed Via Run Dialog Box - Registry

Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key. This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.

WindowsRegistry Set
detection.threat-huntingTA0002 · Execution
Ahmed Farouk+1Fri Nov 01windows
Threat Huntmediumtest

Service Binary in User Controlled Folder

Detects the setting of the "ImagePath" value of a service registry key to a path controlled by a non-administrator user such as "\AppData\" or "\ProgramData\". Attackers often use such directories for staging purposes. This rule might also trigger on badly written software, where if an attacker controls an auto starting service, they might achieve persistence or privilege escalation. Note that while ProgramData is a user controlled folder, software might apply strict ACLs which makes them only accessible to admin users. Remove such folders via filters if you experience a lot of noise.

WindowsRegistry Set
TA0005 · Defense EvasionTA0003 · PersistenceT1112 · Modify Registrydetection.threat-hunting
Nasreddine Bencherchali (Nextron Systems)+1Mon May 02windows
Threat Huntlowtest

Shell Context Menu Command Tampering

Detects changes to shell context menu commands. Use this rule to hunt for potential anomalies and suspicious shell commands.

WindowsRegistry Set
TA0003 · Persistencedetection.threat-hunting
Nasreddine Bencherchali (Nextron Systems)Wed Mar 06windows
15960