Phoenix
Sigma IntelligenceBeta
Rule Library

Sigma Rules

3,707 rules found

3,707Total
3,116Detection
451Emerging
137Hunting
Emerging Threatcriticaltest

Lazarus Group Activity

Detects different process execution behaviors as described in various threat reports on Lazarus group activity

WindowsProcess Creation
G0032 · Lazarus GroupTA0002 · ExecutionT1059 · Command and Scripting Interpreterdetection.emerging-threats
Florian Roth (Nextron Systems)+1Wed Dec 232020
Emerging Threatcriticaltest

Leviathan Registry Key Activity

Detects registry key used by Leviathan APT in Malaysian focused campaign

WindowsRegistry Event
TA0004 · Privilege EscalationTA0003 · PersistenceT1547.001 · Registry Run Keys / Startup Folderdetection.emerging-threats
Aidan BracherTue Jul 072020
Emerging Threathightest

UNC2452 Process Creation Patterns

Detects a specific process creation patterns as seen used by UNC2452 and provided by Microsoft as Microsoft Defender ATP queries

WindowsProcess Creation
TA0002 · ExecutionT1059.001 · PowerShelldetection.emerging-threats
Florian Roth (Nextron Systems)Fri Jan 222020
Emerging Threatcriticaltest

UNC2452 PowerShell Pattern

Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports

WindowsProcess Creation
TA0002 · ExecutionT1059.001 · PowerShellT1047 · Windows Management Instrumentationdetection.emerging-threats
Florian Roth (Nextron Systems)Wed Jan 202020
Emerging Threathightest

Suspicious VBScript UN2452 Pattern

Detects suspicious inline VBScript keywords as used by UNC2452

WindowsProcess Creation
TA0004 · Privilege EscalationTA0003 · PersistenceT1547.001 · Registry Run Keys / Startup Folderdetection.emerging-threats
Florian Roth (Nextron Systems)Fri Mar 052020
Emerging Threatcriticaltest

Solarwinds SUPERNOVA Webshell Access

Detects access to SUPERNOVA webshell as described in Guidepoint report

Web Server Log
TA0003 · PersistenceT1505.003 · Web Shelldetection.emerging-threats
Florian Roth (Nextron Systems)Thu Dec 172020
Emerging Threathightest

TAIDOOR RAT DLL Load

Detects specific process characteristics of Chinese TAIDOOR RAT malware load

WindowsProcess Creation
TA0004 · Privilege EscalationTA0005 · Defense EvasionTA0002 · ExecutionT1055.001 · Dynamic-link Library Injection+1
Florian Roth (Nextron Systems)Thu Jul 302020
Emerging Threatcriticaltest

Winnti Malware HK University Campaign

Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities

WindowsProcess Creation
TA0004 · Privilege EscalationTA0003 · PersistenceTA0005 · Defense EvasionT1574.001 · DLL Search Order Hijacking+2
Florian Roth (Nextron Systems)+1Sat Feb 012020
Emerging Threatcriticalstable

Winnti Pipemon Characteristics

Detects specific process characteristics of Winnti Pipemon malware reported by ESET

WindowsProcess Creation
TA0004 · Privilege EscalationTA0003 · PersistenceTA0005 · Defense EvasionT1574.001 · DLL Search Order Hijacking+2
Florian Roth (Nextron Systems)+1Thu Jul 302020
Emerging Threatcriticalstable

Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection

Detects the suspicious file that is created from PoC code against Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare), CVE-2021-1675 .

Antivirus Alert
TA0005 · Defense EvasionTA0004 · Privilege EscalationT1055 · Process Injectiondetection.emerging-threats+2
Sittikorn S+2Thu Jul 012021
Emerging Threathightest

Potential PrintNightmare Exploitation Attempt

Detect DLL deletions from Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675

WindowsFile Delete
TA0003 · PersistenceTA0005 · Defense EvasionTA0004 · Privilege EscalationT1574 · Hijack Execution Flow+2
Bhabesh RajThu Jul 012021
Emerging Threatcriticaltest

CVE-2021-1675 Print Spooler Exploitation Filename Pattern

Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675

WindowsFile Event
TA0002 · ExecutionTA0004 · Privilege EscalationTA0042 · Resource DevelopmentT1587 · Develop Capabilities+2
Florian Roth (Nextron Systems)Tue Jun 292021
Emerging Threatinformationaltest

Windows Spooler Service Suspicious Binary Load

Detect DLL Load from Spooler Service backup folder. This behavior has been observed during the exploitation of the Print Spooler Vulnerability CVE-2021-1675 and CVE-2021-34527 (PrinterNightmare).

WindowsImage Load (DLL)
TA0003 · PersistenceTA0005 · Defense EvasionTA0004 · Privilege EscalationT1574 · Hijack Execution Flow+3
FPT.EagleEye+1Tue Jun 292021
Emerging Threatcriticaltest

PrinterNightmare Mimikatz Driver Name

Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527

WindowsRegistry Event
TA0002 · ExecutionT1204 · User Executioncve.2021-1675cve.2021-34527+1
Markus Neis+1Sun Jul 042021
Emerging Threathightest

Possible CVE-2021-1675 Print Spooler Exploitation

Detects events of driver load errors in print service logs that could be a sign of successful exploitation attempts of print spooler vulnerability CVE-2021-1675

Windowsprintservice-admin
TA0002 · ExecutionT1569 · System Servicescve.2021-1675detection.emerging-threats
Florian Roth (Nextron Systems)+3Wed Jun 302021
Emerging Threatcriticaltest

CVE-2021-1675 Print Spooler Exploitation

Detects driver load events print service operational log that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675

Windowsprintservice-operational
TA0002 · ExecutionT1569 · System Servicescve.2021-1675detection.emerging-threats
Florian Roth (Nextron Systems)Thu Jul 012021
Emerging Threatcriticaltest

CVE-2021-1675 Print Spooler Exploitation IPC Access

Detects remote printer driver load from Detailed File Share in Security logs that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527

Windowssecurity
TA0002 · ExecutionT1569 · System Servicescve.2021-1675cve.2021-34527+1
INIT_6Fri Jul 022021
Emerging Threatmediumstable

Possible PrintNightmare Print Driver Install - CVE-2021-1675

Detects the remote installation of a print driver which is possible indication of the exploitation of PrintNightmare (CVE-2021-1675). The occurrence of print drivers being installed remotely via RPC functions should be rare, as print drivers are normally installed locally and or through group policy.

Zeek (Bro)dce_rpc
TA0002 · Executioncve.2021-1678cve.2021-1675cve.2021-34527+1
Mon Aug 232021
Emerging Threatcriticaltest

Arcadyan Router Exploitations

Detects exploitation of vulnerabilities in Arcadyan routers as reported in CVE-2021-20090 and CVE-2021-20091.

Web Server Log
TA0001 · Initial AccessT1190 · Exploit Public-Facing Applicationcve.2021-20090cve.2021-20091+1
Bhabesh RajTue Aug 242021
Emerging Threatcriticaltest

Oracle WebLogic Exploit CVE-2021-2109

Detects the exploitation of the WebLogic server vulnerability described in CVE-2021-2109

Web Server Log
T1190 · Exploit Public-Facing ApplicationTA0001 · Initial Accesscve.2021-2109detection.emerging-threats
Bhabesh RajWed Jan 202021
Emerging Threathightest

CVE-2021-21972 VSphere Exploitation

Detects the exploitation of VSphere Remote Code Execution vulnerability as described in CVE-2021-21972

Web Server Log
TA0001 · Initial AccessT1190 · Exploit Public-Facing Applicationcve.2021-21972detection.emerging-threats
Bhabesh RajWed Feb 242021
Emerging Threathightest

CVE-2021-21978 Exploitation Attempt

Detects the exploitation of the VMware View Planner vulnerability described in CVE-2021-21978

Web Server Log
TA0001 · Initial AccessT1190 · Exploit Public-Facing Applicationcve.2021-21978detection.emerging-threats
Bhabesh RajTue Mar 102021
Emerging Threathightest

VMware vCenter Server File Upload CVE-2021-22005

Detects exploitation attempts using file upload vulnerability CVE-2021-22005 in the VMWare vCenter Server.

Web Server Log
TA0001 · Initial AccessT1190 · Exploit Public-Facing Applicationcve.2021-22005detection.emerging-threats
Sittikorn SFri Sep 242021
Emerging Threatcriticaltest

Fortinet CVE-2021-22123 Exploitation

Detects CVE-2021-22123 exploitation attempt against Fortinet WAFs

Web Server Log
TA0001 · Initial AccessT1190 · Exploit Public-Facing Applicationcve.2021-22123detection.emerging-threats
Bhabesh Raj+1Thu Aug 192021
Emerging Threathighstable

Pulse Connect Secure RCE Attack CVE-2021-22893

This rule detects exploitation attempts using Pulse Connect Secure(PCS) vulnerability (CVE-2021-22893)

Web Server Log
TA0001 · Initial AccessT1190 · Exploit Public-Facing Applicationcve.2021-22893detection.emerging-threats
Sittikorn STue Jun 292021
Emerging Threathightest

Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt

Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084

WindowsProcess Creation
TA0001 · Initial AccessTA0002 · ExecutionT1190 · Exploit Public-Facing ApplicationT1059 · Command and Scripting Interpreter+2
Bhabesh RajWed Sep 082021
Emerging Threathightest

Potential CVE-2021-26084 Exploitation Attempt

Detects potential exploitation of CVE-2021-260841 a Confluence RCE using OGNL injection

Web Server Log
TA0001 · Initial AccessT1190 · Exploit Public-Facing Applicationcve.2021-26084detection.emerging-threats
Sittikorn S+1Tue Dec 132021
Emerging Threathightest

Exploitation of CVE-2021-26814 in Wazuh

Detects the exploitation of the Wazuh RCE vulnerability described in CVE-2021-26814

Web Server Log
TA0001 · Initial AccessT1190 · Exploit Public-Facing Applicationcve.2021-21978cve.2021-26814+1
Florian Roth (Nextron Systems)Sat May 222021
Emerging Threathighstable

Potential CVE-2021-26857 Exploitation Attempt

Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for | abnormal subprocesses spawning by Exchange Server's Unified Messaging service

WindowsProcess Creation
T1203 · Exploitation for Client ExecutionTA0002 · Executioncve.2021-26857detection.emerging-threats
Bhabesh RajWed Mar 032021
Emerging Threathightest

CVE-2021-26858 Exchange Exploitation

Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for creation of non-standard files on disk by Exchange Server’s Unified Messaging service which could indicate dropping web shells or other malicious content

WindowsFile Event
T1203 · Exploitation for Client ExecutionTA0002 · Executioncve.2021-26858detection.emerging-threats
Bhabesh RajWed Mar 032021
Emerging Threatcriticaltest

ProxyLogon Reset Virtual Directories Based On IIS Log

When exploiting this vulnerability with CVE-2021-26858, an SSRF attack is used to manipulate virtual directories

Web Server Log
cve.2021-26858detection.emerging-threatsTA0001 · Initial AccessT1190 · Exploit Public-Facing Application
François HubautTue Aug 102021
Emerging Threatmediumtest

Potential CVE-2021-27905 Exploitation Attempt

Detects exploitation attempt of the CVE-2021-27905 which affects all Apache Solr versions prior to and including 8.8.1.

Web Server Log
TA0001 · Initial AccessT1190 · Exploit Public-Facing Applicationcve.2021-27905detection.emerging-threats
@gott_cyberSun Dec 112021
Emerging Threatcriticaltest

Exchange Exploitation CVE-2021-28480

Detects successful exploitation of Exchange vulnerability as reported in CVE-2021-28480

Web Server Log
TA0001 · Initial AccessT1190 · Exploit Public-Facing Applicationcve.2021-28480detection.emerging-threats
Florian Roth (Nextron Systems)Fri May 142021
Emerging Threatcriticaltest

CVE-2021-33766 Exchange ProxyToken Exploitation

Detects the exploitation of Microsoft Exchange ProxyToken vulnerability as described in CVE-2021-33766

Web Server Log
TA0001 · Initial AccessT1190 · Exploit Public-Facing Applicationcve.2021-33766detection.emerging-threats
Florian Roth (Nextron Systems)+2Mon Aug 302021
Emerging Threatcriticaltest

CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum

Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum

WindowsFile Event
TA0001 · Initial AccessTA0002 · ExecutionTA0006 · Credential AccessT1566 · Phishing+4
Sittikorn SFri Jul 162021
Emerging Threatcriticaltest

CVE-2021-31979 CVE-2021-33771 Exploits

Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum

WindowsRegistry Set
TA0001 · Initial AccessTA0002 · ExecutionTA0006 · Credential AccessT1566 · Phishing+4
Sittikorn S+1Fri Jul 162021
Emerging Threatcriticaltest

Serv-U Exploitation CVE-2021-35211 by DEV-0322

Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322

WindowsProcess Creation
TA0003 · PersistenceT1136.001 · Local Accountcve.2021-35211detection.emerging-threats
Florian Roth (Nextron Systems)Wed Jul 142021
Emerging Threathighstable

OMIGOD HTTP No Authentication RCE - CVE-2021-38647

Detects the exploitation of OMIGOD (CVE-2021-38647) which allows remote execute (RCE) commands as root with just a single unauthenticated HTTP request. Verify, successful, exploitation by viewing the HTTP client (request) body to see what was passed to the server (using PCAP). Within the client body is where the code execution would occur. Additionally, check the endpoint logs to see if suspicious commands or activity occurred within the timeframe of this HTTP request.

Zeek (Bro)http
TA0004 · Privilege EscalationTA0001 · Initial AccessTA0002 · ExecutionTA0008 · Lateral Movement+7
Nate Guagenti (neu5ron)Mon Sep 202021
Emerging Threathightest

PwnKit Local Privilege Escalation

Detects potential PwnKit exploitation CVE-2021-4034 in auth logs

Linuxauth
TA0005 · Defense EvasionTA0004 · Privilege EscalationT1548.001 · Setuid and Setgiddetection.emerging-threats+1
SreemanWed Jan 262021
Emerging Threathightest

Suspicious Word Cab File Write CVE-2021-40444

Detects file creation patterns noticeable during the exploitation of CVE-2021-40444

WindowsFile Event
TA0042 · Resource DevelopmentT1587 · Develop Capabilitiesdetection.emerging-threats
Florian Roth (Nextron Systems)+1Fri Sep 102021
Emerging Threathightest

Potential CVE-2021-40444 Exploitation Attempt

Detects potential exploitation of CVE-2021-40444 via suspicious process patterns seen in in-the-wild exploitations

WindowsProcess Creation
TA0002 · ExecutionT1059 · Command and Scripting Interpretercve.2021-40444detection.emerging-threats
Florian Roth (Nextron Systems)Wed Sep 082021
Emerging Threathightest

Potential Exploitation Attempt From Office Application

Detects Office applications executing a child process that includes directory traversal patterns. This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE)

WindowsProcess Creation
TA0002 · ExecutionTA0005 · Defense Evasioncve.2021-40444detection.emerging-threats
Christian Burkard (Nextron Systems)+1Thu Jun 022021
Emerging Threathightest

ADSelfService Exploitation

Detects suspicious access to URLs that was noticed in cases in which attackers exploitated the ADSelfService vulnerability CVE-2021-40539

Web Server Log
cve.2021-40539detection.emerging-threatsTA0001 · Initial AccessT1190 · Exploit Public-Facing Application
Tobias Michalski+1Mon Sep 202021
Emerging Threatcriticaltest

CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit

Detects an authentication bypass vulnerability affecting the REST API URLs in ADSelfService Plus (CVE-2021-40539).

Web Server Log
TA0001 · Initial AccessT1190 · Exploit Public-Facing ApplicationTA0003 · PersistenceT1505.003 · Web Shell+2
Sittikorn S+1Fri Sep 102021
Emerging Threatcriticaltest

InstallerFileTakeOver LPE CVE-2021-41379 File Create Event

Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file

WindowsFile Event
TA0004 · Privilege EscalationT1068 · Exploitation for Privilege Escalationdetection.emerging-threats
Florian Roth (Nextron Systems)Mon Nov 222021
Emerging Threatcriticaltest

Potential CVE-2021-41379 Exploitation Attempt

Detects potential exploitation attempts of CVE-2021-41379 (InstallerFileTakeOver), a local privilege escalation (LPE) vulnerability where the attacker spawns a "cmd.exe" process as a child of Microsoft Edge elevation service "elevation_service" with "LOCAL_SYSTEM" rights

WindowsProcess Creation
TA0004 · Privilege EscalationT1068 · Exploitation for Privilege Escalationcve.2021-41379detection.emerging-threats
Florian Roth (Nextron Systems)Mon Nov 222021
Emerging Threathightest

LPE InstallerFileTakeOver PoC CVE-2021-41379

Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379

Windowsapplication
TA0001 · Initial AccessT1190 · Exploit Public-Facing Applicationdetection.emerging-threats
Florian Roth (Nextron Systems)Mon Nov 222021
Emerging Threathightest

CVE-2021-41773 Exploitation Attempt

Detects exploitation of flaw in path normalization in Apache HTTP server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.

Web Server Log
TA0001 · Initial AccessT1190 · Exploit Public-Facing Applicationcve.2021-41773detection.emerging-threats
daffainfo+1Tue Oct 052021
167686978