Rule Library

Sigma Rules

38 rules found for "Bhabesh Raj"

3,707 Total
3,116 Detection
451 Emerging
137 Hunting
Detection · high · test

Default Cobalt Strike Certificate

Detects the presence of the default Cobalt Strike certificate in HTTPS traffic

Zeek (Bro) / x509
TA0011 · Command and Control / S0154 · Cobalt Strike
Bhabesh Raj · Wed Jun 23 · network
Detection · high · test

Atera Agent Installation

Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators

Windows / application
TA0011 · Command and Control / attack.t1219.002
Bhabesh Raj · Wed Sep 01 · windows
Detection · high · test

Impacket PsExec Execution

Detects execution of Impacket's psexec.py.

Windows / security
TA0008 · Lateral Movement / T1021.002 · SMB/Windows Admin Shares
Bhabesh Raj · Mon Dec 14 · windows
Detection · high · test

Microsoft Defender Blocked from Loading Unsigned DLL

Detects the Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs, which may be an attempt to sideload an arbitrary DLL

Windows / security-mitigations
TA0004 · Privilege Escalation / TA0003 · Persistence / TA0005 · Defense Evasion / T1574.001 · DLL Search Order Hijacking
Bhabesh Raj · Tue Aug 02 · windows
Detection · critical · test

Moriya Rootkit - System

Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report

Windows / system
TA0003 · Persistence / TA0004 · Privilege Escalation / T1543.003 · Windows Service
Bhabesh Raj · Thu May 06 · windows
Detection · high · test

PSExec and WMI Process Creations Block

Detects blocking of process creations originating from PSExec and WMI commands

Windows / windefend
TA0002 · Execution / TA0008 · Lateral Movement / T1047 · Windows Management Instrumentation / T1569.002 · Service Execution
Bhabesh Raj · Tue Jul 14 · windows
Detection · high · stable

Windows Defender AMSI Trigger Detected

Detects triggering of AMSI by Windows Defender.

Windows / windefend
TA0002 · Execution / T1059 · Command and Scripting Interpreter
Bhabesh Raj · Mon Sep 14 · windows
Detection · high · stable

Microsoft Defender Tamper Protection Trigger

Detects blocked attempts to change any of Defender's settings such as "Real Time Monitoring" and "Behavior Monitoring"

Windows / windefend
TA0005 · Defense Evasion / T1562.001 · Disable or Modify Tools
Bhabesh Raj +1 · Mon Jul 05 · windows
Detection · high · test

Potential Mpclient.DLL Sideloading

Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.

Windows / Image Load (DLL)
TA0004 · Privilege Escalation / TA0003 · Persistence / TA0005 · Defense Evasion / T1574.001 · DLL Search Order Hijacking
Bhabesh Raj · Tue Aug 02 · windows
Detection · high · test

PowerShell ADRecon Execution

Detects execution of ADRecon.ps1 for AD reconnaissance, which has been reported to be actively used by FIN7

Windows / PowerShell Script
TA0007 · Discovery / TA0002 · Execution / T1059.001 · PowerShell
Bhabesh Raj · Fri Jul 16 · windows
Detection · high · test

PowerView PowerShell Cmdlets - ScriptBlock

Detects Cmdlet names from PowerView of the PowerSploit exploitation framework.

Windows / PowerShell Script
TA0002 · Execution / T1059.001 · PowerShell
Bhabesh Raj · Tue May 18 · windows
Detection · high · test

HackTool - HandleKatz Duplicating LSASS Handle

Detects HandleKatz opening LSASS to duplicate its handle, in order to later dump the memory without opening any new handles

Windows / Process Access
TA0002 · Execution / T1106 · Native API / TA0005 · Defense Evasion / T1003.001 · LSASS Memory / +1
Bhabesh Raj · Mon Jun 27 · windows
Detection · high · stable

Credential Dumping Activity By Python Based Tool

Detects LSASS process access for potential credential dumping by a Python-like tool such as LaZagne or Pypykatz.

Windows / Process Access
TA0006 · Credential Access / T1003.001 · LSASS Memory / S0349 · S0349
Bhabesh Raj +1 · Mon Nov 27 · windows
Detection · medium · test

Potentially Suspicious Cabinet File Expansion

Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. seen in Iranian MeteorExpress related attacks

Windows / Process Creation
TA0005 · Defense Evasion / T1218 · System Binary Proxy Execution
Bhabesh Raj +1 · Fri Jul 30 · windows
Detection · high · test

Potential Mpclient.DLL Sideloading Via Defender Binaries

Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.

Windows / Process Creation
TA0004 · Privilege Escalation / TA0003 · Persistence / TA0005 · Defense Evasion / T1574.001 · DLL Search Order Hijacking
Bhabesh Raj · Mon Aug 01 · windows
Detection · high · test

PUA - Rclone Execution

Detects execution of the RClone utility for exfiltration as used by various ransomware strains like REvil, Conti, FiveHands, etc.

Windows / Process Creation
TA0010 · Exfiltration / T1567.002 · Exfiltration to Cloud Storage
Bhabesh Raj +2 · Mon May 10 · windows
Detection · high · test

Suspicious UltraVNC Execution

Detects a suspicious UltraVNC command line flag combination that indicates an auto-reconnect upon execution, e.g. at startup (as seen being used by the Gamaredon threat group)

Windows / Process Creation
TA0008 · Lateral Movement / G0047 · G0047 / T1021.005 · VNC
Bhabesh Raj · Fri Mar 04 · windows
Detection · high · test

VMToolsd Suspicious Child Process

Detects suspicious child process creations of the VMware Tools process, which may indicate persistence setup

Windows / Process Creation
TA0002 · Execution / TA0003 · Persistence / T1059 · Command and Scripting Interpreter
bohops +1 · Fri Oct 08 · windows
Detection · medium · test

Potential Persistence Via Visual Studio Tools for Office

Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.

Windows / Registry Set
T1137.006 · Add-ins / TA0003 · Persistence
Bhabesh Raj · Sun Jan 10 · windows
Emerging Threat · critical · test

Fortinet CVE-2018-13379 Exploitation

Detects CVE-2018-13379 exploitation attempt against Fortinet SSL VPNs

Web Server Log
TA0001 · Initial Access / T1190 · Exploit Public-Facing Application / cve.2018-13379 / detection.emerging-threats
Bhabesh Raj · Tue Dec 08 · 2018
Emerging Threat · critical · test

CVE-2020-10148 SolarWinds Orion API Auth Bypass

Detects CVE-2020-10148 SolarWinds Orion API authentication bypass attempts

Web Server Log
TA0001 · Initial Access / T1190 · Exploit Public-Facing Application / cve.2020-10148 / detection.emerging-threats
Bhabesh Raj +1 · Sun Dec 27 · 2020
Emerging Threat · high · test

TerraMaster TOS CVE-2020-28188

Detects the exploitation of the TerraMaster TOS vulnerability described in CVE-2020-28188

Web Server Log
T1190 · Exploit Public-Facing Application / TA0001 · Initial Access / cve.2020-28188 / detection.emerging-threats
Bhabesh Raj · Mon Jan 25 · 2020
Emerging Threat · high · test

Potential PrintNightmare Exploitation Attempt

Detects DLL deletions from the Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675

Windows / File Delete
TA0003 · Persistence / TA0005 · Defense Evasion / TA0004 · Privilege Escalation / T1574 · Hijack Execution Flow / +2
Bhabesh Raj · Thu Jul 01 · 2021
Emerging Threat · critical · test

Arcadyan Router Exploitations

Detects exploitation of vulnerabilities in Arcadyan routers as reported in CVE-2021-20090 and CVE-2021-20091.

Web Server Log
TA0001 · Initial Access / T1190 · Exploit Public-Facing Application / cve.2021-20090 / cve.2021-20091 / +1
Bhabesh Raj · Tue Aug 24 · 2021
Emerging Threat · critical · test

Oracle WebLogic Exploit CVE-2021-2109

Detects the exploitation of the WebLogic server vulnerability described in CVE-2021-2109

Web Server Log
T1190 · Exploit Public-Facing Application / TA0001 · Initial Access / cve.2021-2109 / detection.emerging-threats
Bhabesh Raj · Wed Jan 20 · 2021
Emerging Threat · high · test

CVE-2021-21972 VSphere Exploitation

Detects the exploitation of the VSphere Remote Code Execution vulnerability as described in CVE-2021-21972

Web Server Log
TA0001 · Initial Access / T1190 · Exploit Public-Facing Application / cve.2021-21972 / detection.emerging-threats
Bhabesh Raj · Wed Feb 24 · 2021
Emerging Threat · high · test

CVE-2021-21978 Exploitation Attempt

Detects the exploitation of the VMware View Planner vulnerability described in CVE-2021-21978

Web Server Log
TA0001 · Initial Access / T1190 · Exploit Public-Facing Application / cve.2021-21978 / detection.emerging-threats
Bhabesh Raj · Tue Mar 10 · 2021
Emerging Threat · critical · test

Fortinet CVE-2021-22123 Exploitation

Detects CVE-2021-22123 exploitation attempt against Fortinet WAFs

Web Server Log
TA0001 · Initial Access / T1190 · Exploit Public-Facing Application / cve.2021-22123 / detection.emerging-threats
Bhabesh Raj +1 · Thu Aug 19 · 2021
Emerging Threat · high · test

Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt

Detects spawning of suspicious child processes by the Atlassian Confluence server, which may indicate successful exploitation of CVE-2021-26084

Windows / Process Creation
TA0001 · Initial Access / TA0002 · Execution / T1190 · Exploit Public-Facing Application / T1059 · Command and Scripting Interpreter / +2
Bhabesh Raj · Wed Sep 08 · 2021
Emerging Threat · high · stable

Potential CVE-2021-26857 Exploitation Attempt

Detects possible successful exploitation of the vulnerability described in CVE-2021-26857 by looking for abnormal subprocesses spawned by Exchange Server's Unified Messaging service

Windows / Process Creation
T1203 · Exploitation for Client Execution / TA0002 · Execution / cve.2021-26857 / detection.emerging-threats
Bhabesh Raj · Wed Mar 03 · 2021
Emerging Threat · high · test

CVE-2021-26858 Exchange Exploitation

Detects possible successful exploitation of the vulnerability described in CVE-2021-26858 by looking for the creation of non-standard files on disk by Exchange Server's Unified Messaging service, which could indicate dropping of web shells or other malicious content

Windows / File Event
T1203 · Exploitation for Client Execution / TA0002 · Execution / cve.2021-26858 / detection.emerging-threats
Bhabesh Raj · Wed Mar 03 · 2021
Emerging Threat · critical · test

Moriya Rootkit File Created

Detects the creation of a file named "MoriyaStreamWatchmen.sys" in a specific location. This filename was reported to be related to the Moriya rootkit as described in the securelist's Operation TunnelSnake report.

Windows / File Event
TA0003 · Persistence / TA0004 · Privilege Escalation / T1543.003 · Windows Service / detection.emerging-threats
Bhabesh Raj · Thu May 06 · 2021
Emerging Threat · high · test

Pingback Backdoor File Indicators

Detects the use of the Pingback backdoor, which creates an ICMP tunnel for C2, as described in the Trustwave report

Windows / File Event
TA0004 · Privilege Escalation / TA0005 · Defense Evasion / TA0003 · Persistence / T1574.001 · DLL Search Order Hijacking / +1
Bhabesh Raj · Wed May 05 · 2021
Emerging Threat · high · test

Pingback Backdoor DLL Loading Activity

Detects the use of the Pingback backdoor, which creates an ICMP tunnel for C2, as described in the Trustwave report

Windows / Image Load (DLL)
TA0004 · Privilege Escalation / TA0005 · Defense Evasion / TA0003 · Persistence / T1574.001 · DLL Search Order Hijacking / +1
Bhabesh Raj · Wed May 05 · 2021
Emerging Threat · high · test

Pingback Backdoor Activity

Detects the use of the Pingback backdoor, which creates an ICMP tunnel for C2, as described in the Trustwave report

Windows / Process Creation
TA0004 · Privilege Escalation / TA0005 · Defense Evasion / TA0003 · Persistence / T1574.001 · DLL Search Order Hijacking / +1
Bhabesh Raj · Wed May 05 · 2021
Emerging Threat · high · test

Potential Nimbuspwn Exploit CVE-2022-29799 and CVE-2022-27800

Detects potential exploitation attempts of the Nimbuspwn vulnerabilities CVE-2022-29799 and CVE-2022-27800 on Linux systems.

Linux
TA0004 · Privilege Escalation / T1068 · Exploitation for Privilege Escalation / detection.emerging-threats / cve.2022-29799 / +1
Bhabesh Raj · Wed May 04 · 2022
Emerging Threat · high · test

Potential CVE-2023-23752 Exploitation Attempt

Detects a potential exploitation attempt of CVE-2023-23752, an improper access check in web service endpoints in Joomla

Web Server Log
TA0001 · Initial Access / T1190 · Exploit Public-Facing Application / cve.2023-23752 / detection.emerging-threats
Bhabesh Raj · Thu Feb 23 · 2023
Threat Hunt · medium · test

Potential Shellcode Injection

Detects potential shellcode injection as seen used by tools such as Metasploit's migrate and Empire's psinject.

Windows / Process Access
TA0005 · Defense Evasion / TA0004 · Privilege Escalation / T1055 · Process Injection / detection.threat-hunting
Bhabesh Raj · Fri Mar 11 · windows