Rule Library

Sigma Rules

11 rules found for "Jonhnathan Ribeiro"

3,707Total

3,116Detection

451Emerging

137Hunting

Filters

Type

Severity

Status

Product

Category

Emerging Threatcriticaltest

ZxShell Malware

Detects a ZxShell start by the called and well-known function name

WindowsProcess Creation

TA0002 · ExecutionT1059.003 · Windows Command ShellTA0005 · Defense EvasionT1218.011 · Rundll32+3

Florian Roth (Nextron Systems)+2Thu Jul 202014

Emerging Threathightest

Adwind RAT / JRAT

Detects javaw.exe in AppData folder as used by Adwind / JRAT

WindowsProcess Creation

TA0002 · ExecutionT1059.005 · Visual BasicT1059.007 · JavaScriptdetection.emerging-threats

Florian Roth (Nextron Systems)+3Fri Nov 102017

Emerging Threatcriticaltest

WannaCry Ransomware Activity

Detects WannaCry ransomware activity

WindowsProcess Creation

TA0008 · Lateral MovementT1210 · Exploitation of Remote ServicesTA0007 · DiscoveryT1083 · File and Directory Discovery+6

Florian Roth (Nextron Systems)+3Wed Jan 162017

Emerging Threathightest

Sofacy Trojan Loader Activity

Detects Trojan loader activity as used by APT28

WindowsProcess Creation

TA0005 · Defense EvasionTA0002 · ExecutionG0007 · APT28T1059.003 · Windows Command Shell+3

Florian Roth (Nextron Systems)+2Thu Mar 012018

Emerging Threatcriticaltest

OceanLotus Registry Activity

Detects registry keys created in OceanLotus (also known as APT32) attacks

WindowsRegistry Event

TA0003 · PersistenceTA0005 · Defense EvasionT1112 · Modify Registrydetection.emerging-threats

megan201296+1Sun Apr 142018

Emerging Threatcriticaltest

OilRig APT Activity

Detects OilRig activity as reported by Nyotron in their March 2018 report

WindowsProcess Creation

TA0004 · Privilege EscalationTA0002 · ExecutionTA0003 · PersistenceG0049 · G0049+8

Florian Roth (Nextron Systems)+4Fri Mar 232018

Emerging Threatcriticaltest

OilRig APT Registry Persistence

Detects OilRig registry persistence as reported by Nyotron in their March 2018 report

WindowsRegistry Event

TA0004 · Privilege EscalationTA0002 · ExecutionTA0003 · PersistenceG0049 · G0049+8

Florian Roth (Nextron Systems)+4Fri Mar 232018

Emerging Threatcriticaltest

OilRig APT Schedule Task Persistence - Security

Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report

Windowssecurity

TA0004 · Privilege EscalationTA0002 · ExecutionTA0003 · PersistenceG0049 · G0049+8

Florian Roth (Nextron Systems)+4Fri Mar 232018

Emerging Threatcriticaltest

OilRig APT Schedule Task Persistence - System

Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report

TA0004 · Privilege EscalationTA0002 · ExecutionTA0003 · PersistenceG0049 · G0049+8

Florian Roth (Nextron Systems)+4Fri Mar 232018

Emerging Threathightest

Exploiting SetupComplete.cmd CVE-2019-1378

Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378

WindowsProcess Creation

TA0003 · PersistenceTA0005 · Defense EvasionTA0004 · Privilege EscalationT1068 · Exploitation for Privilege Escalation+5

Florian Roth (Nextron Systems)+2Fri Nov 152019

Emerging Threathightest

Formbook Process Creation

Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.

WindowsProcess Creation

TA0042 · Resource DevelopmentT1587.001 · Malwaredetection.emerging-threats

Florian Roth (Nextron Systems)+2Mon Sep 302019