Phoenix
Sigma IntelligenceBeta
Rule Library

Sigma Rules

9 rules found for "SOC Prime"

3,707Total
3,116Detection
451Emerging
137Hunting
Detectionlowstable

Cleartext Protocol Usage

Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. Ensure that an encryption is used for all sensitive information in transit. Ensure that an encrypted channels is used for all administrative account access.

Firewall
TA0006 · Credential Access
Alexandr Yampolskyi+2Tue Mar 26network
Detectionmediumtest

MITRE BZAR Indicators for Execution

Windows DCE-RPC functions which indicate an execution techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE

Zeek (Bro)dce_rpc
TA0004 · Privilege EscalationTA0003 · PersistenceTA0002 · ExecutionT1047 · Windows Management Instrumentation+2
@neu5ron+1Thu Mar 19network
Detectionmediumtest

MITRE BZAR Indicators for Persistence

Windows DCE-RPC functions which indicate a persistence techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.

Zeek (Bro)dce_rpc
TA0004 · Privilege EscalationTA0003 · PersistenceT1547.004 · Winlogon Helper DLL
@neu5ron+1Thu Mar 19network
Detectionmediumtest

Suspicious DNS Z Flag Bit Set

The DNS Z flag is bit within the DNS protocol header that is, per the IETF design, meant to be used reserved (unused). Although recently it has been used in DNSSec, the value being set to anything other than 0 should be rare. Otherwise if it is set to non 0 and DNSSec is being used, then excluding the legitimate domains is low effort and high reward. Determine if multiple of these files were accessed in a short period of time to further enhance the possibility of seeing if this was a one off or the possibility of larger sensitive file gathering. This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs'

Zeek (Bro)dns
T1095 · Non-Application Layer ProtocolT1571 · Non-Standard PortTA0011 · Command and Control
@neu5ron+2Tue May 04network
Detectionmediumtest

Executable from Webdav

Detects executable access via webdav6. Can be seen in APT 29 such as from the emulated APT 29 hackathon https://github.com/OTRF/detection-hackathon-apt29/

Zeek (Bro)http
TA0011 · Command and ControlT1105 · Ingress Tool Transfer
SOC Prime+1Fri May 01network
Detectionlowstable

A Member Was Added to a Security-Enabled Global Group

Detects activity when a member is added to a security-enabled global group

Windowssecurity
TA0004 · Privilege EscalationTA0003 · PersistenceT1098 · Account Manipulation
Alexandr Yampolskyi+1Wed Apr 26windows
Detectionlowstable

A Member Was Removed From a Security-Enabled Global Group

Detects activity when a member is removed from a security-enabled global group

Windowssecurity
TA0004 · Privilege EscalationTA0003 · PersistenceT1098 · Account Manipulation
Alexandr Yampolskyi+1Wed Apr 26windows
Detectionlowstable

A Security-Enabled Global Group Was Deleted

Detects activity when a security-enabled global group is deleted

Windowssecurity
TA0004 · Privilege EscalationTA0003 · PersistenceT1098 · Account Manipulation
Alexandr Yampolskyi+1Wed Apr 26windows
Detectioninformationalstable

Locked Workstation

Detects locked workstation session events that occur automatically after a standard period of inactivity.

Windowssecurity
TA0040 · Impact
Alexandr Yampolskyi+1Tue Mar 26windows