Sigma Rules
3,707 rules found
Potential Baby Shark Malware Activity
Detects activity that could be related to Baby Shark malware
Chafer Malware URL Pattern
Detects HTTP request used by Chafer malware to receive data from its C2.
Potential Dridex Activity
Detects potential Dridex acitvity via specific process patterns
Potential Dtrack RAT Activity
Detects potential Dtrack RAT activity via specific process patterns
Potential Emotet Activity
Detects all Emotet like process executions that are not covered by the more generic rules
Formbook Process Creation
Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.
LockerGoga Ransomware Activity
Detects LockerGoga ransomware activity via specific command line.
Potential QBot Activity
Detects potential QBot activity by looking for process executions used previously by QBot
Potential Ryuk Ransomware Activity
Detects Ryuk ransomware activity
Potential Snatch Ransomware Activity
Detects specific process characteristics of Snatch ransomware word document droppers
Ursnif Malware C2 URL Pattern
Detects Ursnif C2 traffic.
Ursnif Malware Download URL Pattern
Detects download of Ursnif malware done by dropper documents.
Potential Ursnif Malware Activity - Registry
Detects registry keys related to Ursnif malware.
Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32
Detects potential BlueMushroom DLL loading activity via regsvr32 from AppData Local
APT31 Judgement Panda Activity
Detects APT31 Judgement Panda activity as described in the Crowdstrike 2019 Global Threat Report
APT40 Dropbox Tool User Agent
Detects suspicious user agent string of APT40 Dropbox tool
Potential Russian APT Credential Theft Activity
Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike
Potential EmpireMonkey Activity
Detects potential EmpireMonkey APT activity
Equation Group DLL_U Export Function Load
Detects a specific export function name used by one of EquationGroup tools
Mustang Panda Dropper
Detects specific process parameters as used by Mustang Panda droppers
Operation Wocao Activity
Detects activity mentioned in Operation Wocao report
Operation Wocao Activity - Security
Detects activity mentioned in Operation Wocao report
CVE-2020-0688 Exploitation Attempt
Detects CVE-2020-0688 Exploitation attempts
CVE-2020-0688 Exchange Exploitation via Web Log
Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688
CVE-2020-0688 Exploitation via Eventlog
Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688
CVE-2020-10148 SolarWinds Orion API Auth Bypass
Detects CVE-2020-10148 SolarWinds Orion API authentication bypass attempts
Exploited CVE-2020-10189 Zoho ManageEngine
Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189
Suspicious PrinterPorts Creation (CVE-2020-1048)
Detects new commands that add new printer port which point to suspicious file
CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry
Detects changes to the "Ports" registry key with data that includes a Windows path or a file with a suspicious extension. This could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability.
DNS RCE CVE-2020-1350
Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process
Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC
Detects the execution of the commonly used ZeroLogon PoC executable.
Oracle WebLogic Exploit CVE-2020-14882
Detects exploitation attempts on WebLogic servers
TerraMaster TOS CVE-2020-28188
Detects the exploitation of the TerraMaster TOS vulnerability described in CVE-2020-28188
Cisco ASA FTD Exploit CVE-2020-3452
Detects exploitation attempts on Cisco ASA FTD systems exploiting CVE-2020-3452 with a status code of 200 (sccessful exploitation)
CVE-2020-5902 F5 BIG-IP Exploitation Attempt
Detects the exploitation attempt of the vulnerability found in F5 BIG-IP and described in CVE-2020-5902
Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195
Detects exploitation attempt against Citrix Netscaler, Application Delivery Controller (ADS) and Citrix Gateway exploiting vulnerabilities reported as CVE-2020-8193 and CVE-2020-8195
Blue Mockingbird
Attempts to detect system changes made by Blue Mockingbird
Blue Mockingbird - Registry
Attempts to detect system changes made by Blue Mockingbird
ComRAT Network Communication
Detects Turla ComRAT network communication.
Potential Emotet Rundll32 Execution
Detecting Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL
FlowCloud Registry Markers
Detects FlowCloud malware registry markers from threat group TA410. The malware stores its configuration in the registry alongside drivers utilized by the malware's keylogger components.
Potential Ke3chang/TidePool Malware Activity
Detects registry modifications potentially related to the Ke3chang/TidePool malware as seen in campaigns running in 2019 and 2020
Potential Maze Ransomware Activity
Detects specific process characteristics of Maze ransomware word document droppers
Trickbot Malware Activity
Detects Trickbot malware process tree pattern in which "rundll32.exe" is a parent of "wermgr.exe"
EvilNum APT Golden Chickens Deployment Via OCX Files
Detects Golden Chickens deployment method as used by Evilnum and described in ESET July 2020 report
GALLIUM IOCs
Detects artifacts associated with GALLIUM cyber espionage group as reported by Microsoft Threat Intelligence Center in the December 2019 report.
GALLIUM Artefacts - Builtin
Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.
Greenbug Espionage Group Indicators
Detects tools and process executions used by Greenbug in their May 2020 campaign as reported by Symantec