Phoenix
Sigma IntelligenceBeta
Rule Library

Sigma Rules

14 rules found for "CISA"

3,707Total
3,116Detection
451Emerging
137Hunting
Emerging Threathightest

TAIDOOR RAT DLL Load

Detects specific process characteristics of Chinese TAIDOOR RAT malware load

WindowsProcess Creation
TA0004 · Privilege EscalationTA0005 · Defense EvasionTA0002 · ExecutionT1055.001 · Dynamic-link Library Injection+1
Florian Roth (Nextron Systems)Thu Jul 302020
Emerging Threathightest

ADSelfService Exploitation

Detects suspicious access to URLs that was noticed in cases in which attackers exploitated the ADSelfService vulnerability CVE-2021-40539

Web Server Log
cve.2021-40539detection.emerging-threatsTA0001 · Initial AccessT1190 · Exploit Public-Facing Application
Tobias Michalski+1Mon Sep 202021
Emerging Threatcriticaltest

CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit

Detects an authentication bypass vulnerability affecting the REST API URLs in ADSelfService Plus (CVE-2021-40539).

Web Server Log
TA0001 · Initial AccessT1190 · Exploit Public-Facing ApplicationTA0003 · PersistenceT1505.003 · Web Shell+2
Sittikorn S+1Fri Sep 102021
Emerging Threatlowtest

SNAKE Malware Installer Name Indicators

Detects filename indicators associated with the SNAKE malware as reported by CISA in their report

WindowsFile Event
TA0002 · Executiondetection.emerging-threats
Nasreddine Bencherchali (Nextron Systems)Wed May 102023
Emerging Threathightest

Potential SNAKE Malware Installation CLI Arguments Indicator

Detects a specific command line arguments sequence seen used by SNAKE malware during its installation as described by CISA in their report

WindowsProcess Creation
TA0002 · Executiondetection.emerging-threats
Nasreddine Bencherchali (Nextron Systems)Thu May 042023
Emerging Threathightest

Potential SNAKE Malware Installation Binary Indicator

Detects a specific binary name seen used by SNAKE malware during its installation as described by CISA in their report

WindowsProcess Creation
TA0002 · Executiondetection.emerging-threats
Nasreddine Bencherchali (Nextron Systems)Thu May 042023
Emerging Threathightest

Potential SNAKE Malware Persistence Service Execution

Detects a specific child/parent process relationship indicative of a "WerFault" process running from the "WinSxS" as a service. This could be indicative of potential SNAKE malware activity as reported by CISA.

WindowsProcess Creation
TA0002 · Executiondetection.emerging-threats
Nasreddine Bencherchali (Nextron Systems)Thu May 042023
Emerging Threathightest

SNAKE Malware Covert Store Registry Key

Detects any registry event that targets the key 'SECURITY\Policy\Secrets\n' which is a key related to SNAKE malware as described by CISA

WindowsRegistry Event
TA0003 · Persistencedetection.emerging-threats
Nasreddine Bencherchali (Nextron Systems)Thu May 112023
Emerging Threatmediumtest

Potential Encrypted Registry Blob Related To SNAKE Malware

Detects the creation of a registry value in the ".wav\OpenWithProgIds" key with an uncommon name. This could be related to SNAKE Malware as reported by CISA

WindowsRegistry Set
TA0003 · Persistencedetection.emerging-threats
Nasreddine Bencherchali (Nextron Systems)Wed May 102023
Emerging Threatcriticaltest

SNAKE Malware Service Persistence

Detects the creation of a service named "WerFaultSvc" which seems to be used by the SNAKE malware as a persistence mechanism as described by CISA in their report

Windowssystem
TA0003 · Persistencedetection.emerging-threats
Nasreddine Bencherchali (Nextron Systems)Wed May 102023
Emerging Threatmediumtest

DLL Names Used By SVR For GraphicalProton Backdoor

Hunts known SVR-specific DLL names.

WindowsImage Load (DLL)
TA0005 · Defense EvasionTA0003 · PersistenceTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking+1
CISAMon Dec 182023
Emerging Threathightest

Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor

Hunts for known SVR-specific scheduled task names

Windowssecurity
TA0003 · Persistencedetection.emerging-threats
CISAMon Dec 182023
Emerging Threathightest

Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler

Hunts for known SVR-specific scheduled task names

Windowstaskscheduler
TA0003 · Persistencedetection.emerging-threats
CISAMon Dec 182023
Emerging Threatmediumexperimental

Potential CVE-2024-35250 Exploitation Activity

Detects potentially suspicious loading of "ksproxy.ax", which may indicate an attempt to exploit CVE-2024-35250.

WindowsImage Load (DLL)
TA0004 · Privilege EscalationT1068 · Exploitation for Privilege Escalationcve.2024-35250detection.emerging-threats
Isaac FernandesWed Feb 192024