Rule Library

Sigma Rules

10 rules found for "Markus Neis"

3,707Total

3,116Detection

451Emerging

137Hunting

Filters

Type

Severity

Status

Product

Turla Group Lateral Movement

Detects automated lateral movement by Turla group

WindowsProcess Creation

G0010 · G0010TA0002 · ExecutionT1059 · Command and Scripting InterpreterTA0008 · Lateral Movement+5

Markus NeisTue Nov 072014

Emerging Threatcriticaltest

Turla Group Named Pipes

Detects a named pipe used by Turla group samples

WindowsNamed Pipe Created

G0010 · G0010TA0002 · ExecutionT1106 · Native APIdetection.emerging-threats

Markus NeisMon Nov 062017

Emerging Threatcriticaltest

OilRig APT Activity

Detects OilRig activity as reported by Nyotron in their March 2018 report

WindowsProcess Creation

TA0004 · Privilege EscalationTA0002 · ExecutionTA0003 · PersistenceG0049 · G0049+8

Florian Roth (Nextron Systems)+4Fri Mar 232018

Emerging Threatcriticaltest

OilRig APT Registry Persistence

Detects OilRig registry persistence as reported by Nyotron in their March 2018 report

WindowsRegistry Event

TA0004 · Privilege EscalationTA0002 · ExecutionTA0003 · PersistenceG0049 · G0049+8

Florian Roth (Nextron Systems)+4Fri Mar 232018

Emerging Threatcriticaltest

OilRig APT Schedule Task Persistence - Security

Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report

Windowssecurity

TA0004 · Privilege EscalationTA0002 · ExecutionTA0003 · PersistenceG0049 · G0049+8

Florian Roth (Nextron Systems)+4Fri Mar 232018

Emerging Threatcriticaltest

OilRig APT Schedule Task Persistence - System

Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report

Windowssystem

TA0004 · Privilege EscalationTA0002 · ExecutionTA0003 · PersistenceG0049 · G0049+8

Florian Roth (Nextron Systems)+4Fri Mar 232018

Emerging Threathightest

Potential EmpireMonkey Activity

Detects potential EmpireMonkey APT activity

WindowsProcess Creation

TA0005 · Defense EvasionT1218.010 · Regsvr32detection.emerging-threats

Markus Neis+1Tue Apr 022019

Emerging Threathightest

Potential Ke3chang/TidePool Malware Activity

Detects registry modifications potentially related to the Ke3chang/TidePool malware as seen in campaigns running in 2019 and 2020

WindowsProcess Creation

G0004 · G0004TA0005 · Defense EvasionT1562.001 · Disable or Modify Toolsdetection.emerging-threats

Markus Neis+1Thu Jun 182020

Emerging Threatcriticaltest

Winnti Malware HK University Campaign

Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities

WindowsProcess Creation

TA0004 · Privilege EscalationTA0003 · PersistenceTA0005 · Defense EvasionT1574.001 · DLL Search Order Hijacking+2

Florian Roth (Nextron Systems)+1Sat Feb 012020

Emerging Threatcriticaltest

PrinterNightmare Mimikatz Driver Name

Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527

WindowsRegistry Event

TA0002 · ExecutionT1204 · User Executioncve.2021-1675cve.2021-34527+1

Markus Neis+1Sun Jul 042021