Phoenix
Sigma IntelligenceBeta
Rule Library

Sigma Rules

11 rules found for "MSFT"

3,707Total
3,116Detection
451Emerging
137Hunting
Detectionhightest

App Granted Microsoft Permissions

Detects when an application is granted delegated or app role permissions for Microsoft Graph, Exchange, Sharepoint, or Azure AD

Azureauditlogs
TA0006 · Credential AccessT1528 · Steal Application Access Token
Bailey Bercik+1Sun Jul 10cloud
Detectionmediumtest

New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE

Detects the addition of a new "Allow" firewall rule by the WMI process (WmiPrvSE.EXE). This can occur if an attacker leverages PowerShell cmdlets such as "New-NetFirewallRule", or directly uses WMI CIM classes such as "MSFT_NetFirewallRule".

Windowsfirewall-as
TA0005 · Defense EvasionT1562.004 · Disable or Modify System Firewall
François Hubaut+1Fri May 10windows
Detectionmediumtest

ISO Image Mounted

Detects the mount of an ISO image on an endpoint

Windowssecurity
TA0001 · Initial AccessT1566.001 · Spearphishing Attachment
Syed HasanSat May 29windows
Detectionhightest

Suspicious Svchost Process Access

Detects suspicious access to the "svchost" process such as that used by Invoke-Phantom to kill the thread of the Windows event logging service.

WindowsProcess Access
TA0005 · Defense EvasionT1562.002 · Disable Windows Event Logging
Tim BurrellThu Jan 02windows
Emerging Threathightest

Peach Sandstorm APT Process Activity Indicators

Detects process creation activity related to Peach Sandstorm APT

WindowsProcess Creation
TA0002 · Executiondetection.emerging-threats
X__Junior (Nextron Systems)Mon Jan 152023
Emerging Threatmediumtest

Potential Peach Sandstorm APT C2 Communication Activity

Detects potential C2 communication activity related to Peach Sandstorm APT

Proxy Log
TA0011 · Command and Controldetection.emerging-threats
X__Junior (Nextron Systems)Mon Jan 152023
Emerging Threathightest

Forest Blizzard APT - File Creation Activity

Detects the creation of specific files inside of ProgramData directory. These files were seen being created by Forest Blizzard as described by MSFT.

WindowsFile Event
TA0005 · Defense EvasionT1562.002 · Disable Windows Event Loggingdetection.emerging-threats
Nasreddine Bencherchali (Nextron Systems)Tue Apr 232024
Emerging Threathighexperimental

Forest Blizzard APT - Process Creation Activity

Detects the execution of specific processes and command line combination. These were seen being created by Forest Blizzard as described by MSFT.

WindowsProcess Creation
TA0005 · Defense EvasionTA0002 · Executiondetection.emerging-threats
Nasreddine Bencherchali (Nextron Systems)Tue Apr 232024
Emerging Threathightest

Forest Blizzard APT - Custom Protocol Handler Creation

Detects the setting of a custom protocol handler with the name "rogue". Seen being created by Forest Blizzard APT as reported by MSFT.

WindowsRegistry Set
TA0004 · Privilege EscalationTA0003 · PersistenceT1547.001 · Registry Run Keys / Startup Folderdetection.emerging-threats
Nasreddine Bencherchali (Nextron Systems)Tue Apr 232024
Emerging Threathightest

Forest Blizzard APT - Custom Protocol Handler DLL Registry Set

Detects the setting of the DLL that handles the custom protocol handler. Seen being created by Forest Blizzard APT as reported by MSFT.

WindowsRegistry Set
TA0004 · Privilege EscalationTA0003 · PersistenceT1547.001 · Registry Run Keys / Startup Folderdetection.emerging-threats
Nasreddine Bencherchali (Nextron Systems)Tue Apr 232024
Emerging Threathighexperimental

Potential Exploitation of GoAnywhere MFT Vulnerability

Detects suspicious command execution by child processes of the GoAnywhere Managed File Transfer (MFT) application, which may indicate exploitation such as CVE-2025-10035. This behavior is indicative of post-exploitation activity related to CVE-2025-10035, as observed in campaigns by the threat actor Storm-1175.

WindowsProcess Creation
TA0001 · Initial AccessT1190 · Exploit Public-Facing ApplicationTA0002 · ExecutionT1059.001 · PowerShell+4
MSFT+1Tue Oct 072025