Rule Library

Sigma Rules

11 rules found for "Jonhnathan Ribeiro"

3,707Total
3,116Detection
451Emerging
137Hunting
Emerging Threatcriticaltest

ZxShell Malware

Detects a ZxShell start by the called and well-known function name

WindowsProcess Creation
TA0002 · ExecutionT1059.003 · Windows Command ShellTA0005 · Defense EvasionT1218.011 · Rundll32+3
Florian Roth (Nextron Systems)+2Thu Jul 202014
Emerging Threathightest

Adwind RAT / JRAT

Detects javaw.exe in AppData folder as used by Adwind / JRAT

WindowsProcess Creation
TA0002 · ExecutionT1059.005 · Visual BasicT1059.007 · JavaScriptdetection.emerging-threats
Florian Roth (Nextron Systems)+3Fri Nov 102017
Emerging Threatcriticaltest

WannaCry Ransomware Activity

Detects WannaCry ransomware activity

WindowsProcess Creation
TA0008 · Lateral MovementT1210 · Exploitation of Remote ServicesTA0007 · DiscoveryT1083 · File and Directory Discovery+6
Florian Roth (Nextron Systems)+3Wed Jan 162017
Emerging Threathightest

Sofacy Trojan Loader Activity

Detects Trojan loader activity as used by APT28

WindowsProcess Creation
TA0005 · Defense EvasionTA0002 · ExecutionG0007 · APT28T1059.003 · Windows Command Shell+3
Florian Roth (Nextron Systems)+2Thu Mar 012018
Emerging Threatcriticaltest

OceanLotus Registry Activity

Detects registry keys created in OceanLotus (also known as APT32) attacks

WindowsRegistry Event
TA0003 · PersistenceTA0005 · Defense EvasionT1112 · Modify Registrydetection.emerging-threats
megan201296+1Sun Apr 142018
Emerging Threatcriticaltest

OilRig APT Activity

Detects OilRig activity as reported by Nyotron in their March 2018 report

WindowsProcess Creation
TA0004 · Privilege EscalationTA0002 · ExecutionTA0003 · PersistenceG0049 · G0049+8
Florian Roth (Nextron Systems)+4Fri Mar 232018
Emerging Threatcriticaltest

OilRig APT Registry Persistence

Detects OilRig registry persistence as reported by Nyotron in their March 2018 report

WindowsRegistry Event
TA0004 · Privilege EscalationTA0002 · ExecutionTA0003 · PersistenceG0049 · G0049+8
Florian Roth (Nextron Systems)+4Fri Mar 232018
Emerging Threatcriticaltest

OilRig APT Schedule Task Persistence - Security

Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report

Windowssecurity
TA0004 · Privilege EscalationTA0002 · ExecutionTA0003 · PersistenceG0049 · G0049+8
Florian Roth (Nextron Systems)+4Fri Mar 232018
Emerging Threatcriticaltest

OilRig APT Schedule Task Persistence - System

Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report

Windowssystem
TA0004 · Privilege EscalationTA0002 · ExecutionTA0003 · PersistenceG0049 · G0049+8
Florian Roth (Nextron Systems)+4Fri Mar 232018
Emerging Threathightest

Exploiting SetupComplete.cmd CVE-2019-1378

Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378

WindowsProcess Creation
TA0003 · PersistenceTA0005 · Defense EvasionTA0004 · Privilege EscalationT1068 · Exploitation for Privilege Escalation+5
Florian Roth (Nextron Systems)+2Fri Nov 152019
Emerging Threathightest

Formbook Process Creation

Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.

WindowsProcess Creation
TA0042 · Resource DevelopmentT1587.001 · Malwaredetection.emerging-threats
Florian Roth (Nextron Systems)+2Mon Sep 302019