Rule Library

Sigma Rules

9 rules found for "NVISO"

3,707 Total
3,116 Detection
451 Emerging
137 Hunting

Detection · medium · test

Failed Logon From Public IP

Detects a failed logon attempt from a public IP. A login from a public IP can indicate a misconfigured firewall or network boundary.

Windows · security
TA0004 · Privilege Escalation; TA0005 · Defense Evasion; TA0001 · Initial Access; TA0003 · Persistence; +3
NVISO · Wed May 06 · windows
Detection · high · test

Vulnerable Netlogon Secure Channel Connection Allowed

Detects that a vulnerable Netlogon secure channel connection was allowed, which could be an indicator of CVE-2020-1472.

Windows · system
TA0005 · Defense Evasion; TA0004 · Privilege Escalation; T1548 · Abuse Elevation Control Mechanism
NVISO · Tue Sep 15 · windows
Detection · high · test

Octopus Scanner Malware

Detects Octopus Scanner Malware.

Windows · File Event
TA0001 · Initial Access; T1195 · Supply Chain Compromise; T1195.001 · Compromise Software Dependencies and Development Tools
NVISO · Tue Jun 09 · windows
Detection · high · test

Potential Persistence Via Microsoft Office Add-In

Detects potential persistence activity via startup add-ins that load when Microsoft Office starts (.wll/.xll files are simply .dll files built for Word or Excel).

Windows · File Event
TA0003 · Persistence; T1137.006 · Add-ins
NVISO · Mon May 11 · windows
Detection · high · test

Fax Service DLL Search Order Hijack

The Fax service attempts to load ualapi.dll, which does not exist. An attacker can then (side)load their own malicious DLL using this service.

Windows · Image Load (DLL)
TA0004 · Privilege Escalation; TA0003 · Persistence; TA0005 · Defense Evasion; T1574.001 · DLL Search Order Hijacking
NVISO · Mon May 04 · windows
Detection · high · test

WMImplant Hack Tool

Detects parameters used by WMImplant.

Windows · PowerShell Script
TA0002 · Execution; T1047 · Windows Management Instrumentation; T1059.001 · PowerShell
NVISO · Thu Mar 26 · windows
Emerging Threat · high · test

CVE-2020-0688 Exploitation Attempt

Detects CVE-2020-0688 exploitation attempts.

Web Server Log
TA0001 · Initial Access; T1190 · Exploit Public-Facing Application; cve.2020-0688; detection.emerging-threats
NVISO · Thu Feb 27 2020
Emerging Threat · high · test

CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry

Detects changes to the "Ports" registry key with data that includes a Windows path or a file with a suspicious extension. This could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability.

Windows · Registry Set
TA0003 · Persistence; TA0002 · Execution; TA0005 · Defense Evasion; T1112 · Modify Registry; +2
EagleEye Team +2 · Wed May 13 2020
Emerging Threat · critical · test

FlowCloud Registry Markers

Detects FlowCloud malware registry markers from threat group TA410. The malware stores its configuration in the registry alongside drivers utilized by the malware's keylogger components.

Windows · Registry Event
TA0005 · Defense Evasion; TA0003 · Persistence; T1112 · Modify Registry; detection.emerging-threats
NVISO · Tue Jun 09 2020