Rule Library

Sigma Rules

3,332 rules found

3,707 Total | 3,116 Detection | 451 Emerging | 137 Hunting
Emerging Threat | medium | test

Defrag Deactivation

Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group

Windows / Process Creation
TA0004 · Privilege Escalation | TA0002 · Execution | TA0003 · Persistence | T1053.005 · Scheduled Task | +2
Florian Roth (Nextron Systems) +1 | Mon Mar 04 2018
Emerging Threat | medium | test

Defrag Deactivation - Security

Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group

Windows / security
TA0004 · Privilege Escalation | TA0002 · Execution | TA0003 · Persistence | T1053 · Scheduled Task/Job | +2
Florian Roth (Nextron Systems) +1 | Mon Mar 04 2018
Emerging Threat | high | test

Potential BearLPE Exploitation

Detects potential exploitation of the BearLPE exploit using Task Scheduler ".job" import arbitrary DACL write

Windows / Process Creation
TA0003 · Persistence | TA0002 · Execution | TA0004 · Privilege Escalation | T1053.005 · Scheduled Task | +2
Olaf Hartong | Wed May 22 2019
Emerging Threat | high | test

Scanner PoC for CVE-2019-0708 RDP RCE Vuln

Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep

Windows / security
TA0008 · Lateral Movement | T1210 · Exploitation of Remote Services | 2013-07-002 · CAR 2013-07-002 | detection.emerging-threats | +1
Florian Roth (Nextron Systems) +1 | Sun Jun 02 2019
Emerging Threat | medium | test

Potential RDP Exploit CVE-2019-0708

Detects a suspicious error on the RDP protocol, potentially indicating exploitation of CVE-2019-0708

Windows / system
TA0008 · Lateral Movement | T1210 · Exploitation of Remote Services | 2013-07-002 · CAR 2013-07-002 | cve.2019-0708 | +1
Lionel PRAT +1 | Fri May 24 2019
Emerging Threat | critical | test

Pulse Secure Attack CVE-2019-11510

Detects CVE-2019-11510 exploitation attempt - URI contains Guacamole

Web Server Log
TA0001 · Initial Access | T1190 · Exploit Public-Facing Application | cve.2019-11510 | detection.emerging-threats
Florian Roth (Nextron Systems) | Mon Nov 18 2019
Emerging Threat | high | test

Exploiting SetupComplete.cmd CVE-2019-1378

Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378

Windows / Process Creation
TA0003 · Persistence | TA0005 · Defense Evasion | TA0004 · Privilege Escalation | T1068 · Exploitation for Privilege Escalation | +5
Florian Roth (Nextron Systems) +2 | Fri Nov 15 2019
Emerging Threat | critical | test

Sudo Privilege Escalation CVE-2019-14287 - Builtin

Detects users trying to exploit the sudo vulnerability reported in CVE-2019-14287

Linux / sudo
TA0005 · Defense Evasion | TA0004 · Privilege Escalation | T1068 · Exploitation for Privilege Escalation | T1548.003 · Sudo and Sudo Caching | +2
Florian Roth (Nextron Systems) | Tue Oct 15 2019
Emerging Threat | high | test

Sudo Privilege Escalation CVE-2019-14287

Detects users trying to exploit the sudo vulnerability reported in CVE-2019-14287

Linux / Process Creation
TA0005 · Defense Evasion | TA0004 · Privilege Escalation | T1068 · Exploitation for Privilege Escalation | T1548.003 · Sudo and Sudo Caching | +2
Florian Roth (Nextron Systems) | Tue Oct 15 2019
Emerging Threat | critical | test

Citrix Netscaler Attack CVE-2019-19781

Detects CVE-2019-19781 exploitation attempts against Citrix Netscaler, Application Delivery Controller and Citrix Gateway

Web Server Log
TA0001 · Initial Access | T1190 · Exploit Public-Facing Application | cve.2019-19781 | detection.emerging-threats
Arnim Rupp +1 | Thu Jan 02 2019
Emerging Threat | critical | test

Confluence Exploitation CVE-2019-3398

Detects the exploitation of the Confluence vulnerability described in CVE-2019-3398

Web Server Log
TA0001 · Initial Access | T1190 · Exploit Public-Facing Application | cve.2019-3398 | detection.emerging-threats
Florian Roth (Nextron Systems) | Tue May 26 2019
Emerging Threat | high | test

Potential Baby Shark Malware Activity

Detects activity that could be related to Baby Shark malware

Windows / Process Creation
TA0002 · Execution | TA0005 · Defense Evasion | TA0007 · Discovery | T1012 · Query Registry | +4
Florian Roth (Nextron Systems) | Sun Feb 24 2019
Emerging Threat | high | test

Chafer Malware URL Pattern

Detects HTTP request used by Chafer malware to receive data from its C2.

Proxy Log
TA0011 · Command and Control | T1071.001 · Web Protocols | detection.emerging-threats
Florian Roth (Nextron Systems) | Thu Jan 31 2019
Emerging Threat | high | test

Formbook Process Creation

Detects Formbook-like process executions that inject code into a set of files in the System32 folder, which then execute a special command line to delete the dropper from the AppData Temp folder. False positives are avoided by excluding all parent processes with command line parameters.

Windows / Process Creation
TA0042 · Resource Development | T1587.001 · Malware | detection.emerging-threats
Florian Roth (Nextron Systems) +2 | Mon Sep 30 2019
Emerging Threat | high | test

Potential Ursnif Malware Activity - Registry

Detects registry keys related to Ursnif malware.

Windows / Registry Add
TA0003 · Persistence | TA0005 · Defense Evasion | TA0002 · Execution | T1112 · Modify Registry | +1
megan201296 | Wed Feb 13 2019
Emerging Threat | medium | test

Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32

Detects potential BlueMushroom DLL loading activity via regsvr32 from AppData Local

Windows / Process Creation
TA0005 · Defense Evasion | T1218.010 · Regsvr32 | detection.emerging-threats
Florian Roth (Nextron Systems) +2 | Wed Oct 02 2019
Emerging Threat | critical | test

APT31 Judgement Panda Activity

Detects APT31 Judgement Panda activity as described in the Crowdstrike 2019 Global Threat Report

Windows / Process Creation
TA0009 · Collection | TA0008 · Lateral Movement | TA0006 · Credential Access | G0128 · GOLD SOUTHFIELD | +3
Florian Roth (Nextron Systems) | Thu Feb 21 2019
Emerging Threat | high | test

APT40 Dropbox Tool User Agent

Detects suspicious user agent string of APT40 Dropbox tool

Proxy Log
TA0011 · Command and Control | T1071.001 · Web Protocols | TA0010 · Exfiltration | T1567.002 · Exfiltration to Cloud Storage | +1
Thomas Patzke | Tue Nov 12 2019
Emerging Threat | high | test

Potential EmpireMonkey Activity

Detects potential EmpireMonkey APT activity

Windows / Process Creation
TA0005 · Defense Evasion | T1218.010 · Regsvr32 | detection.emerging-threats
Markus Neis +1 | Tue Apr 02 2019
Emerging Threat | high | test

Mustang Panda Dropper

Detects specific process parameters as used by Mustang Panda droppers

Windows / Process Creation
T1587.001 · Malware | TA0042 · Resource Development | detection.emerging-threats
Florian Roth (Nextron Systems) +1 | Wed Oct 30 2019
Emerging Threat | high | test

Operation Wocao Activity

Detects activity mentioned in the Operation Wocao report

Windows / Process Creation
TA0004 · Privilege Escalation | TA0003 · Persistence | TA0007 · Discovery | T1012 · Query Registry | +7
Florian Roth (Nextron Systems) +1 | Fri Dec 20 2019
Emerging Threat | high | test

Operation Wocao Activity - Security

Detects activity mentioned in the Operation Wocao report

Windows / security
TA0004 · Privilege Escalation | TA0003 · Persistence | TA0007 · Discovery | T1012 · Query Registry | +7
Florian Roth (Nextron Systems) +1 | Fri Dec 20 2019
Emerging Threat | high | test

CVE-2020-0688 Exploitation Attempt

Detects CVE-2020-0688 exploitation attempts

Web Server Log
TA0001 · Initial Access | T1190 · Exploit Public-Facing Application | cve.2020-0688 | detection.emerging-threats
NVISO | Thu Feb 27 2020
Emerging Threat | critical | test

CVE-2020-0688 Exchange Exploitation via Web Log

Detects the exploitation of the Microsoft Exchange vulnerability described in CVE-2020-0688

Web Server Log
TA0001 · Initial Access | T1190 · Exploit Public-Facing Application | cve.2020-0688 | detection.emerging-threats
Florian Roth (Nextron Systems) | Sat Feb 29 2020
Emerging Threat | high | test

CVE-2020-0688 Exploitation via Eventlog

Detects the exploitation of the Microsoft Exchange vulnerability described in CVE-2020-0688

Windows / application
TA0001 · Initial Access | T1190 · Exploit Public-Facing Application | cve.2020-0688 | detection.emerging-threats
Florian Roth (Nextron Systems) +1 | Sat Feb 29 2020
Emerging Threat | critical | test

CVE-2020-10148 SolarWinds Orion API Auth Bypass

Detects CVE-2020-10148 SolarWinds Orion API authentication bypass attempts

Web Server Log
TA0001 · Initial Access | T1190 · Exploit Public-Facing Application | cve.2020-10148 | detection.emerging-threats
Bhabesh Raj +1 | Sun Dec 27 2020
Emerging Threat | high | test

Exploited CVE-2020-10189 Zoho ManageEngine

Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189

Windows / Process Creation
TA0001 · Initial Access | T1190 · Exploit Public-Facing Application | TA0002 · Execution | T1059.001 · PowerShell | +4
Florian Roth (Nextron Systems) | Wed Mar 25 2020
Emerging Threat | high | test

Suspicious PrinterPorts Creation (CVE-2020-1048)

Detects commands that add a new printer port pointing to a suspicious file

Windows / Process Creation
TA0003 · Persistence | TA0002 · Execution | T1059.001 · PowerShell | cve.2020-1048 | +1
EagleEye Team +1 | Wed May 13 2020
Emerging Threat | high | test

CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry

Detects changes to the "Ports" registry key with data that includes a Windows path or a file with a suspicious extension. This could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability.

Windows / Registry Set
TA0003 · Persistence | TA0002 · Execution | TA0005 · Defense Evasion | T1112 · Modify Registry | +2
EagleEye Team +2 | Wed May 13 2020
Emerging Threat | critical | test

DNS RCE CVE-2020-1350

Detects exploitation of the DNS RCE bug reported in CVE-2020-1350 by detecting a suspicious sub-process

Windows / Process Creation
TA0001 · Initial Access | T1190 · Exploit Public-Facing Application | TA0002 · Execution | T1569.002 · Service Execution | +2
Florian Roth (Nextron Systems) | Wed Jul 15 2020
Emerging Threat | high | test

Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC

Detects the execution of the commonly used ZeroLogon PoC executable.

Windows / Process Creation
TA0002 · Execution | TA0008 · Lateral Movement | T1210 · Exploitation of Remote Services | cve.2020-1472 | +1
kostastsale +1 | Sat Feb 12 2020
Emerging Threat | high | test

Oracle WebLogic Exploit CVE-2020-14882

Detects exploitation attempts on WebLogic servers

Web Server Log
T1190 · Exploit Public-Facing Application | TA0001 · Initial Access | cve.2020-14882 | detection.emerging-threats
Florian Roth (Nextron Systems) | Mon Nov 02 2020
Emerging Threat | high | test

TerraMaster TOS CVE-2020-28188

Detects the exploitation of the TerraMaster TOS vulnerability described in CVE-2020-28188

Web Server Log
T1190 · Exploit Public-Facing Application | TA0001 · Initial Access | cve.2020-28188 | detection.emerging-threats
Bhabesh Raj | Mon Jan 25 2020
Emerging Threat | high | test

Cisco ASA FTD Exploit CVE-2020-3452

Detects exploitation attempts on Cisco ASA FTD systems exploiting CVE-2020-3452 with a status code of 200 (successful exploitation)

Web Server Log
T1190 · Exploit Public-Facing Application | TA0001 · Initial Access | cve.2020-3452 | detection.emerging-threats
Florian Roth (Nextron Systems) | Thu Jan 07 2020
Emerging Threat | critical | test

CVE-2020-5902 F5 BIG-IP Exploitation Attempt

Detects the exploitation attempt of the vulnerability found in F5 BIG-IP and described in CVE-2020-5902

Web Server Log
TA0001 · Initial Access | T1190 · Exploit Public-Facing Application | cve.2020-5902 | detection.emerging-threats
Florian Roth (Nextron Systems) | Sun Jul 05 2020
Emerging Threat | critical | test

Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195

Detects exploitation attempt against Citrix Netscaler, Application Delivery Controller (ADS) and Citrix Gateway exploiting vulnerabilities reported as CVE-2020-8193 and CVE-2020-8195

Web Server Log
TA0001 · Initial Access | T1190 · Exploit Public-Facing Application | cve.2020-8193 | cve.2020-8195 | +1
Florian Roth (Nextron Systems) | Fri Jul 10 2020
Emerging Threat | high | test

Blue Mockingbird

Attempts to detect system changes made by Blue Mockingbird

Windows / Process Creation
TA0003 · Persistence | TA0005 · Defense Evasion | TA0002 · Execution | T1112 · Modify Registry | +2
Trent Liffick | Thu May 14 2020
Emerging Threat | high | test

Blue Mockingbird - Registry

Attempts to detect system changes made by Blue Mockingbird

Windows / Registry Set
TA0005 · Defense Evasion | TA0002 · Execution | TA0003 · Persistence | T1112 · Modify Registry | +2
Trent Liffick | Thu May 14 2020
Emerging Threat | high | test

ComRAT Network Communication

Detects Turla ComRAT network communication.

Proxy Log
TA0005 · Defense Evasion | TA0011 · Command and Control | T1071.001 · Web Protocols | G0010 · G0010 | +1
Florian Roth (Nextron Systems) | Tue May 26 2020
Emerging Threat | critical | test

Potential Emotet Rundll32 Execution

Detects Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL

Windows / Process Creation
TA0005 · Defense Evasion | T1218.011 · Rundll32 | detection.emerging-threats
FPT.EagleEye | Fri Dec 25 2020
Emerging Threat | critical | test

FlowCloud Registry Markers

Detects FlowCloud malware registry markers from threat group TA410. The malware stores its configuration in the registry alongside drivers utilized by the malware's keylogger components.

Windows / Registry Event
TA0005 · Defense Evasion | TA0003 · Persistence | T1112 · Modify Registry | detection.emerging-threats
NVISO | Tue Jun 09 2020
Emerging Threat | high | test

Potential Ke3chang/TidePool Malware Activity

Detects registry modifications potentially related to the Ke3chang/TidePool malware as seen in campaigns running in 2019 and 2020

Windows / Process Creation
G0004 · G0004 | TA0005 · Defense Evasion | T1562.001 · Disable or Modify Tools | detection.emerging-threats
Markus Neis +1 | Thu Jun 18 2020
Emerging Threat | critical | test

Potential Maze Ransomware Activity

Detects specific process characteristics of Maze ransomware word document droppers

Windows / Process Creation
TA0002 · Execution | T1204.002 · Malicious File | T1047 · Windows Management Instrumentation | TA0040 · Impact | +2
Florian Roth (Nextron Systems) | Fri May 08 2020
Emerging Threat | critical | test

EvilNum APT Golden Chickens Deployment Via OCX Files

Detects Golden Chickens deployment method as used by Evilnum and described in ESET July 2020 report

Windows / Process Creation
TA0005 · Defense Evasion | T1218.011 · Rundll32 | detection.emerging-threats
Florian Roth (Nextron Systems) | Fri Jul 10 2020
Emerging Threat | high | test

GALLIUM IOCs

Detects artifacts associated with GALLIUM cyber espionage group as reported by Microsoft Threat Intelligence Center in the December 2019 report.

Windows / Process Creation
TA0006 · Credential Access | TA0011 · Command and Control | T1212 · Exploitation for Credential Access | T1071 · Application Layer Protocol | +2
Tim Burrell | Fri Feb 07 2020
Emerging Threat | high | test

GALLIUM Artefacts - Builtin

Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.

Windows / dns-server-analytic
TA0006 · Credential Access | TA0011 · Command and Control | T1071 · Application Layer Protocol | detection.emerging-threats
Tim Burrell | Fri Feb 07 2020
Emerging Threat | critical | test

Greenbug Espionage Group Indicators

Detects tools and process executions used by Greenbug in their May 2020 campaign as reported by Symantec

Windows / Process Creation
G0049 · G0049 | TA0002 · Execution | T1059.001 · PowerShell | TA0011 · Command and Control | +4
Florian Roth (Nextron Systems) | Wed May 20 2020
Emerging Threat | critical | test

Lazarus Group Activity

Detects different process execution behaviors as described in various threat reports on Lazarus group activity

Windows / Process Creation
G0032 · Lazarus Group | TA0002 · Execution | T1059 · Command and Scripting Interpreter | detection.emerging-threats
Florian Roth (Nextron Systems) +1 | Wed Dec 23 2020