Sigma Rules
3,332 rules found
PaperCut MF/NG Exploitation Related Indicators
Detects exploitation indicators related to PaperCut MF/NG Exploitation
PaperCut MF/NG Potential Exploitation
Detects suspicious child processes of "pc-app.exe". Which could indicate potential exploitation of PaperCut
Peach Sandstorm APT Process Activity Indicators
Detects process creation activity related to Peach Sandstorm APT
Potential Peach Sandstorm APT C2 Communication Activity
Detects potential C2 communication activity related to Peach Sandstorm APT
UNC4841 - Email Exfiltration File Pattern
Detects filename pattern of email related data used by UNC4841 for staging and exfiltration
UNC4841 - Barracuda ESG Exploitation Indicators
Detects file indicators as seen used by UNC4841 during their Barracuda ESG zero day exploitation.
UNC4841 - SSL Certificate Exfiltration Via Openssl
Detects the execution of "openssl" to connect to an IP address. This techniques was used by UNC4841 to exfiltrate SSL certificates and as a C2 channel with named pipes. Investigate commands executed in the temporal vicinity of this command.
UNC4841 - Download Compressed Files From Temp.sh Using Wget
Detects execution of "wget" to download a ".zip" or ".rar" files from "temp.sh". As seen used by UNC4841 during their Barracuda ESG zero day exploitation.
UNC4841 - Download Tar File From Untrusted Direct IP Via Wget
Detects execution of "wget" to download a "tar" from an IP address that doesn't have a trusted certificate. As seen used by UNC4841 during their Barracuda ESG zero day exploitation.
UNC4841 - Potential SEASPY Execution
Detects execution of specific named binaries which were used by UNC4841 to deploy their SEASPY backdoor
CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection
Detects potential exploitation of CVE-2024-1709 an unauthenticated command injection in Progress Kemp LoadMaster. It looks for GET requests to '/access/set' API with the parameters 'param=enableapi' and 'value=1' as well as an "Authorization" header with a base64 encoded value with an uncommon character.
CVE-2024-1708 - ScreenConnect Path Traversal Exploitation
This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708.
CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security
This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708. This requires an Advanced Auditing policy to log a successful Windows Event ID 4663 events and with a SACL set on the directory.
ScreenConnect User Database Modification
Detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server. This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions.
CVE-2024-1709 - ScreenConnect Authentication Bypass Exploitation
Detects GET requests to '/SetupWizard.aspx/[anythinghere]' that indicate exploitation of the ScreenConnect vulnerability CVE-2024-1709.
ScreenConnect User Database Modification - Security
This detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server. This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions. This requires an Advanced Auditing policy to log a successful Windows Event ID 4663 events and with a SACL set on the directory.
Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process
Detects potentially suspicious child process of SSH process (sshd) with a specific execution user. This could be a sign of potential exploitation of CVE-2024-3094.
Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - File Creation
Detects suspicious file creations in the Palo Alto Networks PAN-OS' parent telemetry folder, which are processed by the vulnerable 'dt_curl' script if device telemetry is enabled. As said script overrides the shell-subprocess restriction, arbitrary command execution may occur by carefully crafting filenames that are escaped through this function.
Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection
Detects potential exploitation attempts of CVE-2024-3400 - an OS command injection in Palo Alto GlobalProtect. This detection looks for suspicious strings that indicate a potential directory traversal attempt or command injection.
Potential Exploitation of CVE-2024-37085 - Suspicious Creation Of ESX Admins Group
Detects execution of the "net.exe" command in order to add a group named "ESX Admins". This could indicates a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on an domain-joined ESXi hypervisor. VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named "ESX Admins" to have full administrative access by default.
Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group Activity
Detects any creation or modification to a windows domain group with the name "ESX Admins". This could indicates a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on an domain-joined ESXi hypervisor. VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named "ESX Admins" to have full administrative access by default.
Potential CSharp Streamer RAT Loading .NET Executable Image
Detects potential CSharp Streamer RAT loading .NET executable image by using the default file name and path associated with the tool.
DarkGate - Drop DarkGate Loader In C:\Temp Directory
Detects attackers attempting to save, decrypt and execute the DarkGate Loader in C:\temp folder.
Potential KamiKakaBot Activity - Lure Document Execution
Detects the execution of a Word document via the WinWord Start Menu shortcut. This behavior was observed being used by KamiKakaBot samples in order to initiate the 2nd stage of the infection.
Potential KamiKakaBot Activity - Shutdown Schedule Task Creation
Detects the creation of a schedule task that runs weekly and execute the "shutdown /l /f" command. This behavior was observed being used by KamiKakaBot samples in order to achieve persistence on a system.
Potential KamiKakaBot Activity - Winlogon Shell Persistence
Detects changes to the "Winlogon" registry key where a process will set the value of the "Shell" to a value that was observed being used by KamiKakaBot samples in order to achieve persistence.
Potential Kapeka Decrypted Backdoor Indicator
Detects the presence of a file that is decrypted backdoor binary dropped by the Kapeka Dropper, which disguises itself as a hidden file under a folder named "Microsoft" within "CSIDL_COMMON_APPDATA" or "CSIDL_LOCAL_APPDATA", depending on the process privileges. The file, typically 5-6 characters long with a random combination of consonants and vowels followed by a ".wll" extension to pose as a legitimate file to evade detection.
Kapeka Backdoor Loaded Via Rundll32.EXE
Detects the Kapeka Backdoor binary being loaded by rundll32.exe. The Kapeka loader drops a backdoor, which is a DLL with the '.wll' extension masquerading as a Microsoft Word Add-In.
Kapeka Backdoor Persistence Activity
Detects Kapeka backdoor persistence activity. Depending on the process privileges, the Kapeka dropper then sets persistence for the backdoor either as a scheduled task (if admin or SYSTEM) or autorun registry (if not). For the scheduled task, it creates a scheduled task called "Sens Api" via schtasks command, which is set to run upon system startup as SYSTEM. To establish persistence through the autorun utility, it adds an autorun entry called "Sens Api" under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run via the "reg add" command. Both persistence mechanisms are set to launch the binary by calling rundll32 and passing the backdoor's first export ordinal (#1) without any additional argument.
Kapeka Backdoor Execution Via RunDLL32.EXE
Detects Kapeka backdoor process execution pattern, where the dropper launch the backdoor binary by calling rundll32 and passing the backdoor's first export ordinal (#1) with a "-d" argument.
Kapeka Backdoor Autorun Persistence
Detects the setting of a new value in the Autorun key that is used by the Kapeka backdoor for persistence.
Kapeka Backdoor Configuration Persistence
Detects registry set activity of a value called "Seed" stored in the "\Cryptography\Providers\" registry key. The Kapeka backdoor leverages this location to register a new SIP provider for backdoor configuration persistence.
Kapeka Backdoor Scheduled Task Creation
Detects Kapeka backdoor scheduled task creation based on attributes such as paths, commands line flags, etc.
Potential Raspberry Robin Aclui Dll SideLoading
Detects potential sideloading of malicious "aclui.dll" by OleView.This behavior was observed in Raspberry-Robin variants reported by chekpoint research on Feburary 2024.
Potential Raspberry Robin CPL Execution Activity
Detects the execution of a ".CPL" file located in the user temp directory via the Shell32 DLL "Control_RunDLL" export function. This behavior was observed in multiple Raspberry-Robin variants.
Potential Raspberry Robin Registry Set Internet Settings ZoneMap
Detects registry modifications related to the proxy configuration of the system, potentially associated with the Raspberry Robin malware, as seen in campaigns running in Q1 2024. Raspberry Robin may alter proxy settings to circumvent security measures, ensuring unhindered connection with Command and Control servers for maintaining control over compromised systems if there are any proxy settings that are blocking connections.
DPRK Threat Actor - C2 Communication DNS Indicators
Detects DNS queries for C2 domains used by DPRK Threat actors.
Potential APT FIN7 Exploitation Activity
Detects potential APT FIN7 exploitation activity as reported by Google. In order to obtain initial access, FIN7 used compromised Remote Desktop Protocol (RDP) credentials to login to a target server and initiate specific Windows process chains.
Forest Blizzard APT - File Creation Activity
Detects the creation of specific files inside of ProgramData directory. These files were seen being created by Forest Blizzard as described by MSFT.
Forest Blizzard APT - JavaScript Constrained File Creation
Detects the creation of JavaScript files inside of the DriverStore directory. Forest Blizzard used this to exploit the CVE-2022-38028 vulnerability in Windows Print Spooler service by modifying a JavaScript constraints file and executing it with SYSTEM-level permissions.
Forest Blizzard APT - Custom Protocol Handler Creation
Detects the setting of a custom protocol handler with the name "rogue". Seen being created by Forest Blizzard APT as reported by MSFT.
Forest Blizzard APT - Custom Protocol Handler DLL Registry Set
Detects the setting of the DLL that handles the custom protocol handler. Seen being created by Forest Blizzard APT as reported by MSFT.
ScreenConnect - SlashAndGrab Exploitation Indicators
Detects indicators of exploitation by threat actors during exploitation of the "SlashAndGrab" vulnerability related to ScreenConnect as reported Team Huntress
Mail Forwarding/Redirecting Activity In O365
Detects email forwarding or redirecting activity in O365 Audit logs.
Okta Password Health Report Query
Detects all activities against the endpoint "/reports/password-health/*" which should only be accessed via OKTA Admin Console UI. Use this rule to hunt for potential suspicious requests. Correlate this event with "admin console" login and alert on requests without any corresponding admin console login
Python Path Configuration File Creation - Linux
Detects creation of a Python path configuration file (.pth) in Python library folders, which can be maliciously abused for code execution and persistence. Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script. Default paths are '\lib\site-packages\*.pth' (Windows) and '/lib/pythonX.Y/site-packages/*.pth' (Unix and macOS).
Terminate Linux Process Via Kill
Detects usage of command line tools such as "kill", "pkill" or "killall" to terminate or signal a running process.
Python Path Configuration File Creation - MacOS
Detects creation of a Python path configuration file (.pth) in Python library folders, which can be maliciously abused for code execution and persistence. Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script. Default paths are '\lib\site-packages\*.pth' (Windows) and '/lib/pythonX.Y/site-packages/*.pth' (Unix and macOS).