Phoenix
Sigma IntelligenceBeta
Rule Library

Sigma Rules

7 rules found for "Open Threat Research (OTR)"

3,707Total
3,116Detection
451Emerging
137Hunting
Detectionhightest

DCOM InternetExplorer.Application Iertutil DLL Hijack - Security

Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program Files\Internet Explorer\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.

Windowssecurity
TA0008 · Lateral MovementT1021.002 · SMB/Windows Admin SharesT1021.003 · Distributed Component Object Model
Roberto Rodriguez (Cyb3rWard0g)+1Mon Oct 12windows
Detectioninformationaltest

VSSAudit Security Event Source Registration

Detects the registration of the security event source VSSAudit. It would usually trigger when volume shadow copy operations happen.

Windowssecurity
TA0006 · Credential AccessT1003.002 · Security Account Manager
Roberto Rodriguez (Cyb3rWard0g)+1Tue Oct 20windows
Detectionhightest

T1047 Wmiprvse Wbemcomn DLL Hijack

Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network for a WMI DLL Hijack scenario.

Windowssecurity
TA0002 · ExecutionT1047 · Windows Management InstrumentationTA0008 · Lateral MovementT1021.002 · SMB/Windows Admin Shares
Roberto Rodriguez (Cyb3rWard0g)+1Mon Oct 12windows
Detectionlowtest

Volume Shadow Copy Mount

Detects volume shadow copy mount via Windows event log

Windowssystem
TA0006 · Credential AccessT1003.002 · Security Account Manager
Roberto Rodriguez (Cyb3rWard0g)+1Tue Oct 20windows
Detectioncriticaltest

Potential DCOM InternetExplorer.Application DLL Hijack

Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class over the network

WindowsFile Event
TA0008 · Lateral MovementT1021.002 · SMB/Windows Admin SharesT1021.003 · Distributed Component Object Model
Roberto Rodriguez (Cyb3rWard0g)+2Mon Oct 12windows
Detectioncriticaltest

Potential DCOM InternetExplorer.Application DLL Hijack - Image Load

Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class

WindowsImage Load (DLL)
TA0008 · Lateral MovementT1021.002 · SMB/Windows Admin SharesT1021.003 · Distributed Component Object Model
Roberto Rodriguez (Cyb3rWard0g)+2Mon Oct 12windows
Detectionhightest

Suspicious Child Process Created as System

Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE accounts

WindowsProcess Creation
TA0005 · Defense EvasionTA0004 · Privilege EscalationT1134.002 · Create Process with Token
Teymur Kheirkhabarov+2Sat Oct 26windows