Phoenix
Sigma IntelligenceBeta
Rule Library

Sigma Rules

15 rules found for "oscd.community"

3,707Total
3,116Detection
451Emerging
137Hunting
Emerging Threatcriticaltest

ZxShell Malware

Detects a ZxShell start by the called and well-known function name

WindowsProcess Creation
TA0002 · ExecutionT1059.003 · Windows Command ShellTA0005 · Defense EvasionT1218.011 · Rundll32+3
Florian Roth (Nextron Systems)+2Thu Jul 202014
Emerging Threathightest

Adwind RAT / JRAT

Detects javaw.exe in AppData folder as used by Adwind / JRAT

WindowsProcess Creation
TA0002 · ExecutionT1059.005 · Visual BasicT1059.007 · JavaScriptdetection.emerging-threats
Florian Roth (Nextron Systems)+3Fri Nov 102017
Emerging Threatcriticaltest

CosmicDuke Service Installation

Detects the installation of a service named "javamtsup" on the system. The CosmicDuke info stealer uses Windows services typically named "javamtsup" for persistence.

Windowssecurity
TA0004 · Privilege EscalationTA0002 · ExecutionTA0003 · PersistenceT1543.003 · Windows Service+2
Florian Roth (Nextron Systems)+2Mon Mar 272017
Emerging Threatcriticaltest

WannaCry Ransomware Activity

Detects WannaCry ransomware activity

WindowsProcess Creation
TA0008 · Lateral MovementT1210 · Exploitation of Remote ServicesTA0007 · DiscoveryT1083 · File and Directory Discovery+6
Florian Roth (Nextron Systems)+3Wed Jan 162017
Emerging Threathightest

Sofacy Trojan Loader Activity

Detects Trojan loader activity as used by APT28

WindowsProcess Creation
TA0005 · Defense EvasionTA0002 · ExecutionG0007 · APT28T1059.003 · Windows Command Shell+3
Florian Roth (Nextron Systems)+2Thu Mar 012018
Emerging Threatcriticaltest

OilRig APT Activity

Detects OilRig activity as reported by Nyotron in their March 2018 report

WindowsProcess Creation
TA0004 · Privilege EscalationTA0002 · ExecutionTA0003 · PersistenceG0049 · G0049+8
Florian Roth (Nextron Systems)+4Fri Mar 232018
Emerging Threatcriticaltest

OilRig APT Registry Persistence

Detects OilRig registry persistence as reported by Nyotron in their March 2018 report

WindowsRegistry Event
TA0004 · Privilege EscalationTA0002 · ExecutionTA0003 · PersistenceG0049 · G0049+8
Florian Roth (Nextron Systems)+4Fri Mar 232018
Emerging Threatcriticaltest

OilRig APT Schedule Task Persistence - Security

Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report

Windowssecurity
TA0004 · Privilege EscalationTA0002 · ExecutionTA0003 · PersistenceG0049 · G0049+8
Florian Roth (Nextron Systems)+4Fri Mar 232018
Emerging Threatcriticaltest

OilRig APT Schedule Task Persistence - System

Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report

Windowssystem
TA0004 · Privilege EscalationTA0002 · ExecutionTA0003 · PersistenceG0049 · G0049+8
Florian Roth (Nextron Systems)+4Fri Mar 232018
Emerging Threathightest

Exploiting SetupComplete.cmd CVE-2019-1378

Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378

WindowsProcess Creation
TA0003 · PersistenceTA0005 · Defense EvasionTA0004 · Privilege EscalationT1068 · Exploitation for Privilege Escalation+5
Florian Roth (Nextron Systems)+2Fri Nov 152019
Emerging Threatcriticalstable

Potential Dridex Activity

Detects potential Dridex acitvity via specific process patterns

WindowsProcess Creation
TA0005 · Defense EvasionTA0004 · Privilege EscalationT1055 · Process InjectionTA0007 · Discovery+3
Florian Roth (Nextron Systems)+2Thu Jan 102019
Emerging Threathightest

Formbook Process Creation

Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.

WindowsProcess Creation
TA0042 · Resource DevelopmentT1587.001 · Malwaredetection.emerging-threats
Florian Roth (Nextron Systems)+2Mon Sep 302019
Emerging Threatcriticalstable

LockerGoga Ransomware Activity

Detects LockerGoga ransomware activity via specific command line.

WindowsProcess Creation
TA0040 · ImpactT1486 · Data Encrypted for Impactdetection.emerging-threats
Vasiliy Burov+1Sun Oct 182019
Emerging Threathightest

Mustang Panda Dropper

Detects specific process parameters as used by Mustang Panda droppers

WindowsProcess Creation
T1587.001 · MalwareTA0042 · Resource Developmentdetection.emerging-threats
Florian Roth (Nextron Systems)+1Wed Oct 302019
Emerging Threatcriticalstable

Winnti Pipemon Characteristics

Detects specific process characteristics of Winnti Pipemon malware reported by ESET

WindowsProcess Creation
TA0004 · Privilege EscalationTA0003 · PersistenceTA0005 · Defense EvasionT1574.001 · DLL Search Order Hijacking+2
Florian Roth (Nextron Systems)+1Thu Jul 302020