Phoenix
Sigma IntelligenceBeta
Rule Library

Sigma Rules

8 rules found for "Trent Liffick"

3,707Total
3,116Detection
451Emerging
137Hunting
Detectionmediumtest

Findstr Launching .lnk File

Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack

WindowsProcess Creation
TA0005 · Defense EvasionT1036 · MasqueradingT1202 · Indirect Command ExecutionT1027.003 · Steganography
Trent LiffickFri May 01windows
Detectioncriticaltest

Registry Entries For Azorult Malware

Detects the presence of a registry key created during Azorult execution

WindowsRegistry Event
TA0005 · Defense EvasionTA0003 · PersistenceTA0002 · ExecutionT1112 · Modify Registry
Trent LiffickFri May 08windows
Detectionmediumtest

Windows Registry Trust Record Modification

Alerts on trust record modification within the registry, indicating usage of macros

WindowsRegistry Event
TA0001 · Initial AccessT1566.001 · Spearphishing Attachment
Antonlovesdnb+1Wed Feb 19windows
Detectionhightest

Trust Access Disable For VBApplications

Detects registry changes to Microsoft Office "AccessVBOM" to a value of "1" which disables trust access for VBA on the victim machine and lets attackers execute malicious macros without any Microsoft Office warnings.

WindowsRegistry Set
TA0003 · PersistenceTA0005 · Defense EvasionT1112 · Modify Registry
Trent Liffick+1Fri May 22windows
Detectionhightest

Office Macros Warning Disabled

Detects registry changes to Microsoft Office "VBAWarning" to a value of "1" which enables the execution of all macros, whether signed or unsigned.

WindowsRegistry Set
TA0003 · PersistenceTA0005 · Defense EvasionT1112 · Modify Registry
Trent Liffick+1Fri May 22windows
Emerging Threathightest

Lazarus System Binary Masquerading

Detects binaries used by the Lazarus group which use system names but are executed and launched from non-default location

WindowsProcess Creation
TA0005 · Defense EvasionT1036.005 · Match Legitimate Name or Locationdetection.emerging-threats
Trent Liffick+1Wed Jun 032017
Emerging Threathightest

Blue Mockingbird

Attempts to detect system changes made by Blue Mockingbird

WindowsProcess Creation
TA0003 · PersistenceTA0005 · Defense EvasionTA0002 · ExecutionT1112 · Modify Registry+2
Trent LiffickThu May 142020
Emerging Threathightest

Blue Mockingbird - Registry

Attempts to detect system changes made by Blue Mockingbird

WindowsRegistry Set
TA0005 · Defense EvasionTA0002 · ExecutionTA0003 · PersistenceT1112 · Modify Registry+2
Trent LiffickThu May 142020