Sigma Rules
3,332 rules found
Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon
Detects potential initial exploitation attempts against VMware Horizon deployments running a vulnerable versions of Log4j.
Log4j RCE CVE-2021-44228 Generic
Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 (Log4Shell)
Log4j RCE CVE-2021-44228 in Fields
Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 in different header fields found in web server logs (Log4Shell)
Exchange ProxyShell Pattern
Detects URL patterns that could be found in ProxyShell exploitation attempts against Exchange servers (failed and successful)
Successful Exchange ProxyShell Attack
Detects URP patterns and status codes that indicate a successful ProxyShell exploitation attack against Exchange servers
Suspicious RazerInstaller Explorer Subprocess
Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM
Potential SystemNightmare Exploitation Attempt
Detects an exploitation attempt of SystemNightmare in order to obtain a shell as LOCAL_SYSTEM
SonicWall SSL/VPN Jarrewrite Exploitation
Detects exploitation attempts of the SonicWall Jarrewrite Exploit
Potential BlackByte Ransomware Activity
Detects command line patterns used by BlackByte ransomware in different operations
Blackbyte Ransomware Registry
Detects specific windows registry modifications made by BlackByte ransomware variants. BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption. This rule triggers when any of the following registry keys are set to DWORD 1, however all three should be investigated as part of a larger BlackByte ransomware detection and response effort.
Conti Volume Shadow Listing
Detects a command used by conti to find volume shadow backups
Conti NTDS Exfiltration Command
Detects a command used by conti to exfiltrate NTDS
Potential Conti Ransomware Activity
Detects a specific command used by the Conti ransomware group
Potential Conti Ransomware Database Dumping Activity Via SQLCmd
Detects a command used by conti to dump database
DarkSide Ransomware Pattern
Detects DarkSide Ransomware and helpers
Potential Devil Bait Related Indicator
Detects the creation of ".xml" and ".txt" files in folders of the "\AppData\Roaming\Microsoft" directory by uncommon processes. This behavior was seen common across different Devil Bait samples and stages as described by the NCSC
Potential Devil Bait Malware Reconnaissance
Detects specific process behavior observed with Devil Bait samples
Devil Bait Potential C2 Communication Traffic
Detects potential C2 communication related to Devil Bait malware
FoggyWeb Backdoor DLL Loading
Detects DLL hijacking technique used by NOBELIUM in their FoggyWeb backdoor. Which loads a malicious version of the expected "version.dll" dll
Goofy Guineapig Backdoor IOC
Detects malicious indicators seen used by the Goofy Guineapig malware
Potential Goofy Guineapig Backdoor Activity
Detects a specific broken command that was used by Goofy-Guineapig as described by the NCSC report.
Potential Goofy Guineapig GoolgeUpdate Process Anomaly
Detects "GoogleUpdate.exe" spawning a new instance of itself in an uncommon location as seen used by the Goofy Guineapig backdoor
Goofy Guineapig Backdoor Potential C2 Communication
Detects potential C2 communication related to Goofy Guineapig backdoor
Goofy Guineapig Backdoor Service Creation
Detects service creation persistence used by the Goofy Guineapig backdoor
Moriya Rootkit File Created
Detects the creation of a file named "MoriyaStreamWatchmen.sys" in a specific location. This filename was reported to be related to the Moriya rootkit as described in the securelist's Operation TunnelSnake report.
Potential NetWire RAT Activity - Registry
Detects registry keys related to NetWire RAT
Pingback Backdoor File Indicators
Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
Pingback Backdoor DLL Loading Activity
Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
Pingback Backdoor Activity
Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
Small Sieve Malware File Indicator Creation
Detects filename indicators that contain a specific typo seen used by the Small Sieve malware.
Small Sieve Malware CommandLine Indicator
Detects specific command line argument being passed to a binary as seen being used by the malware Small Sieve.
Small Sieve Malware Potential C2 Communication
Detects potential C2 communication related to Small Sieve malware
Small Sieve Malware Registry Persistence
Detects registry value with specific intentional typo and strings seen used by the Small Sieve malware
HAFNIUM Exchange Exploitation Activity
Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers
Exchange Exploitation Used by HAFNIUM
Detects exploitation attempts in Exchange server logs as described in blog posts reporting on HAFNIUM group activity
REvil Kaseya Incident Malware Patterns
Detects process command line patterns and locations used by REvil group in Kaseya incident (can also match on other malware)
APT PRIVATELOG Image Load Pattern
Detects an image load pattern as seen when a tool named PRIVATELOG is used and rarely observed under legitimate circumstances
SOURGUM Actor Behaviours
Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM
DEWMODE Webshell Access
Detects access to DEWMODE webshell as described in FIREEYE report
Potential CVE-2023-21554 QueueJumper Exploitation
Detects potential exploitation of CVE-2023-21554 (dubbed QueueJumper)
Potential CVE-2022-21587 Exploitation Attempt
Detects potential exploitation attempts of CVE-2022-21587 an arbitrary file upload vulnerability impacting Oracle E-Business Suite (EBS). CVE-2022-21587 can lead to unauthenticated remote code execution.
Potential Exploitation of CVE-2022-21919 or CVE-2021-34484 for LPE
Detects potential exploitation attempts of CVE-2022-21919 or CVE-2021-34484 leading to local privilege escalation via the User Profile Service. During exploitation of this vulnerability, two logs (Provider_Name: Microsoft-Windows-User Profiles Service) with EventID 1511 and 1515 are created (EventID 1515 may generate many false positives). Additionally, the directory \Users\TEMP may be created during exploitation. This behavior was observed on Windows Server 2008.
Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution
Detects potential exploitation attempt of CVE-2022-22954, a remote code execution vulnerability in VMware Workspace ONE Access and Identity Manager. As reported by Morphisec, part of the attack chain, threat actors used PowerShell commands that executed as a child processes of the legitimate Tomcat "prunsrv.exe" process application.
CVE-2022-24527 Microsoft Connected Cache LPE
Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache
Atlassian Confluence CVE-2022-26134
Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134
Potential CVE-2022-26809 Exploitation Attempt
Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)
Zimbra Collaboration Suite Email Server Unauthenticated RCE
Detects an attempt to leverage the vulnerable servlet "mboximport" for an unauthenticated remote command injection
Potential CVE-2022-29072 Exploitation Attempt
Detects potential exploitation attempts of CVE-2022-29072, a 7-Zip privilege escalation and command execution vulnerability. 7-Zip version 21.07 and earlier on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow. The command runs in a child process under the 7zFM.exe process.