Phoenix
Sigma IntelligenceBeta
Rule Library

Sigma Rules

7 rules found for "Group-IB"

3,707Total
3,116Detection
451Emerging
137Hunting
Detectionhightest

Prefetch File Deleted

Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence

WindowsFile Delete
TA0005 · Defense EvasionT1070.004 · File Deletion
Cedric MAURUGEONWed Sep 29windows
Detectioncriticaltest

Silence.EDA Detection

Detects Silence EmpireDNSAgent as described in the Group-IP report

WindowsPowerShell Script
TA0002 · ExecutionT1059.001 · PowerShellTA0011 · Command and ControlT1071.004 · DNS+5
Alina Stepchenkova+2Fri Nov 01windows
Detectionhightest

Shell32 DLL Execution in Suspicious Directory

Detects shell32.dll executing a DLL in a suspicious directory

WindowsProcess Creation
TA0005 · Defense EvasionTA0002 · ExecutionT1218.011 · Rundll32
Christian Burkard (Nextron Systems)Wed Nov 24windows
Detectionmediumtest

Potentially Suspicious EventLog Recon Activity Using Log Query Utilities

Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs. This technique is used by threat actors in order to extract sensitive information from events logs such as usernames, IP addresses, hostnames, etc.

WindowsProcess Creation
TA0006 · Credential AccessTA0007 · DiscoveryT1552 · Unsecured CredentialsT1087 · Account Discovery
Nasreddine Bencherchali (Nextron Systems)+1Fri Sep 09windows
Detectionmediumtest

Potentially Suspicious Child Process Of WinRAR.EXE

Detects potentially suspicious child processes of WinRAR.exe.

WindowsProcess Creation
TA0002 · ExecutionT1203 · Exploitation for Client Execution
Nasreddine Bencherchali (Nextron Systems)Thu Aug 31windows
Emerging Threathightest

CVE-2023-38331 Exploitation Attempt - Suspicious Double Extension File

Detects the creation of a file with a double extension and a space by WinRAR. This could be a sign of exploitation of CVE-2023-38331

WindowsFile Event
TA0002 · Executioncve.2023-38331detection.emerging-threats
Nasreddine Bencherchali (Nextron Systems)Wed Aug 302023
Emerging Threathightest

CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process

Detects exploitation attempt of CVE-2023-38331 (WinRAR before v6.23), where an attacker can leverage WinRAR to execute arbitrary commands and binaries.

WindowsProcess Creation
detection.emerging-threatsTA0002 · ExecutionT1203 · Exploitation for Client Executioncve.2023-38331
Nasreddine Bencherchali (Nextron Systems)+1Wed Aug 302023