Instapdf - in Sigma Rules List 949

This document contains a list of rules from the Sigma rule project on GitHub. It includes 51 rules from sources like Sigma Integrated Rule Set, SOC Prime Threat Detection, and individual authors. The rules detect various suspicious behaviors like autorun key modifications, suspicious Windows processes, and malware like Swisyn Trojan and Nibiru. The list provides details on each rule like title, author, ID number, number of detections, and number of undetected instances.

Sigma Rule List

Rule Title Rule Author Ruleset Name ID #Files #Undetected Files


Victor Sergeev, Daniil Yugoslavskiy,
c654002dc2859e8a2f74ec87
Autorun Keys Gleb Sukhodolskiy, Timur Sigma Integrated
ad6ff4deaaf0f42f99603aa964 21401557 53952
Modification Zinniatullin, oscd.community, Tim Rule Set (GitHub)
e30ed1b1f01cc1
Shelton
Suspicious Run 9bc88dec9bf37149ee55ca53
Sigma Integrated
Key from Florian Roth 2e26602ba2ef11e86aa846ab 8252741 5330
Rule Set (GitHub)
Download 6e0e461f12768b4c
9afc79c8a56e6e5c4cbd55d20
Stop Windows Sigma Integrated
Jakob Weinzettl, oscd.community 3a7dce8efc4ed28aa315b736 6831397 38789
Service Rule Set (GitHub)
c842a88b1d3dd0e
Michael Haag, Mark Woan
f1048c602439313e72f67c634
Net.exe (improvements), James Pemberton Sigma Integrated
350106ba7b709512529457a 6451515 35190
Execution / @4A616D6573 / oscd.community Rule Set (GitHub)
6f0a5eca6835bc89
(improvements)
Milum malware
SOC Prime Threat 30fcf3924a898a9d1747e890
detection
Ariel Millahuel Detection 68ab2990c77ca3914a94aa78 6291968 24

.in
(WildPressure
Marketplace 466d28a9d9da32bb
APT)
Roberto Rodriguez @Cyb3rWard0g 1c2e4db94ca79f939e94e29c
Non Interactive Sigma Integrated
(rule), oscd.community 04fb3b71467fc6f5b9c31db34 3991193 105250
PowerShell Rule Set (GitHub)
(improvements) df fcce5a2fb3b856f
Always Install
Teymur Kheirkhabarov (idea), b7188ffaa64031d83c409b51
Elevated Sigma Integrated
Mangatas Tondang (rule), 10885c29570d52a6ba3bacae 3025326 55602
Windows Rule Set (GitHub)
oscd.community e0392371cf071016
Installer
ap
File Created with e13498937de9343f50c1e8f3
Sigma Integrated
System Process Sander Wiebing 15ce602aa238e37e21f3dbb1 2284944 13926
Rule Set (GitHub)
Name 5d3403c25afafe3e
Windows
afd546ea5eff265c454f77f6e7
Processes Sigma Integrated
st

vburov 641ade6e5a791d79de155fa2 1851752 92


Suspicious Rule Set (GitHub)
7d377be1581535
Parent Directory
Shade
SOC Prime Threat d8f0141497fc47a78fbf41591
Ransomware
In

Ariel Millahuel Detection 174881fdf0e85f2937b08befe 1673840 16


(Sysmon
Marketplace c5c6273f8867d2
detection)
Suspicious cdd5a8ff564f3632d9613d1f4
Sigma Integrated
desktop.ini Maxime Thiebaut (@0xThiebaut) 925baca8be40a01fe14c7ba3 1397422 161
Rule Set (GitHub)
Action e30f51bf1ff3829
System File
25fc56c1bee673d7ff3edcf37
Execution Florian Roth, Patrick Bareiss, Anton Sigma Integrated
1e4d2a36c0af83222da34896 1386967 622
Location Kutepov, oscd.community Rule Set (GitHub)
1b87735c8efa61f
Anomaly
Nibiru detection
(Registry event SOC Prime Threat 8bbea961d969188574b7fe95
and Ariel Millahuel Detection 8c971caadd38b955cc77f210 1147667 54640
CommandLine Marketplace 93d7d5d266e4d697
parameters)

File deletion via SOC Prime Threat f9333cf120369debd56e4e23


CMD (via Ariel Millahuel Detection 8fffa10bdb2a1497c11e08a08 923890 9083
cmdline) Marketplace 2befd02f9f3bdf2
a0daa529834b3c5230b4524d
Suspicious Sigma Integrated
Florian Roth a005a6b6503e7cb061e298a8 845991 133
Svchost Process Rule Set (GitHub)
f74e0dc1fee0a008
Windows 2637f98feb69311f94822998e
Sigma Integrated
PowerShell Web James Pemberton / @4A616D6573 b3c8b8d217e6c5767e071536 805020 104
Rule Set (GitHub)
Request ca54f9da830e236
f8d48ec1128b00975e61e063
Execution from Sigma Integrated
Florian Roth 93f6bb04a1d033a94c556d21 643979 5419
Suspicious Folder Rule Set (GitHub)
3b3bcb78a80589d8
dc04e64e69f5446c2a31920e
Suspect Svchost Sigma Integrated
David Burkett e22415626307d5f3d0fb73ad 568031 87
Activity Rule Set (GitHub)
81b9d3301a41000a
Direct Autorun b5f76af9d8101930af8d4fee7
Victor Sergeev, Daniil Yugoslavskiy, Sigma Integrated
Keys 1f3a5395b47eff6bb88e581db 549037 130
oscd.community Rule Set (GitHub)
Modification 02bf890242d79b
CSRSS.exe
spawned from
SOC Prime Threat c3e407003db6c8b95e5a7dcb
unusual location
SOC Prime Team Detection ea08bddf8b53b265400c2feb 531710 11
(possible
Marketplace 32abfa523336257c
mimicking) (via

.in
cmdline)

Swisyn Trojan SOC Prime Threat 173f49a095aef2bc0480b5f8a


(Sysmon Ariel Millahuel Detection 8ae6c2d0e4125f9096d618a3 494316 108
detection) Marketplace
df 865346b34d726fa
Suspicious
Program 01b1cc2515aec2562e5e8cd3
Sigma Integrated
Location with Florian Roth c88a60677a1acd2d680b289c 482076 5335
Rule Set (GitHub)
ap
Network f67fa493abe433d2
Connections
3bc9d14114a6b67367a24df2
Scheduled Task Sigma Integrated
Florian Roth 1134d0564d6f08a0ad903d68 431585 473
Creation Rule Set (GitHub)
f9b25e9d8b7f0790
st

56b8c79acb8e444c2b00be5c
Startup Folder Roberto Rodriguez (Cyb3rWard0g), Sigma Integrated
9d3cb8e33e863ccb3506d635 323029 118
File Write OTR (Open Threat Research) Rule Set (GitHub)
f907a49cd053c84f

Executables 934747e347848f3bf5d2222f0
In

Sigma Integrated
Started in Florian Roth c29c4c6e42831b94a6e0ce77f 318156 2408
Rule Set (GitHub)
Suspicious Folder f40017e5f11fd2
Suspicious
c593fd1eac248d2f05a155e6c
Program Sigma Integrated
Florian Roth 8ef2682b9022a12bc03104ff8 315071 2406
Location Process Rule Set (GitHub)
e9e7c40f585268
Starts
Execution File 2104d1ee1ce64e7aa3dbd368
Sigma Integrated
Type Other Than Max Altgelt 652a54ce160e6a5751019af1 314199 3369
Rule Set (GitHub)
.exe 4601fc8fd1df8086
b9996fdb64c94bd97526744b
Possible Sigma Integrated
juju4 8287a3b3b02ac4eceff0980c6 264915 225
Applocker Bypass Rule Set (GitHub)
72209adae0be6e5
d2b7b95657238f7c078b9a6a
Execution Of Not Sigma Integrated
Max Altgelt 17689a6184c1cf349ffb183b1 264483 3363
Existing File Rule Set (GitHub)
74ad2bd84681b08
Nymaim Trojan SOC Prime Threat a9d7fe3dd2aa50123d54b48a
(Sysmon Ariel Millahuel Detection 488447b37091616c00667ae7 259838 1
detection) Marketplace c459bf19dd1ad2e0
Netsh Port or 7b1f3cd9ca9b55feb5fdd5c8e
Sigma Integrated
Application Markus Neis, Sander Wiebing 1821348f2d78745282b41055 231089 34167
Rule Set (GitHub)
Allowed af44f88df612112
aa87efb252a9cf7bb1fb01143
Sigma Integrated
Reg Add RUN Key Florian Roth 36bd08c338bc9046dd498d18 212751 94
Rule Set (GitHub)
7c209cd94ddbc6a
Suspicious Script 96d2c399118cab5d249093ba
Sigma Integrated
Execution From Florian Roth, Max Altgelt df4a85f0ef1889872b0191bdf 191135 351
Rule Set (GitHub)
Temp Folder 131bcabc0994681
5c3ea6806114163b8cdf5735
Hiding Files with Sigma Integrated
Sami Ruohonen aeb07e702ab63e0e486f721d 185112 3217
Attrib.exe Rule Set (GitHub)
f84cf675e2b0a04b
5ead81ee12f2097316af3527
Suspicious Florian Roth (rule), @blu3_team Sigma Integrated
0a1ac0f8623db054349c52ef3 178102 89
Double Extension (idea) Rule Set (GitHub)
66fc42a4b7d2de2
2020feadc9b3cf47558c21994

.in
WScript or Margaritis Dimitrios (idea), Florian Sigma Integrated
8361d9d3eb5347af91135f21 164507 301
CScript Dropper Roth (rule), oscd.community Rule Set (GitHub)
bf711f6032bc817
3edfb66bbbe5056c7df0064e
Timur Zinniatullin, Daniil Sigma Integrated
Service Execution d6164a68632d8d476ab0150 162753 34088
Yugoslavskiy, oscd.community Rule Set (GitHub)
df 91e0e33f5159d9052
Suspicious 709fa572c6d4a06b81742c9c
Sigma Integrated
MsiExec Florian Roth efd264b1debafc1f9b2aedc97 152899 119421
Rule Set (GitHub)
Directory 98d5cb749d52458
ap
E.M. Anhaus (originally from Atomic 18ed38c04ceafb2aa0b9dcb1
Discovery of a Sigma Integrated
Blue Detections, Endgame), 06310ce76cb1473a4109b6a4 145178 33768
System Time Rule Set (GitHub)
oscd.community 89663f5c250bd2a6
89f260c1bb244a6c153a5d3a
Suspicious Sigma Integrated
Victor Sergeev, oscd.community 5951ec6f517e5e846823da8b 140392 5
ftp.exe Rule Set (GitHub)
st

22d1b5192f798e62

HanaLoader SOC Prime Threat 38853c8efaf750ffd744961eb


(Sysmon Ariel Millahuel Detection cbeb037146acaabb9ca85c44 136734 2377
detection) Marketplace 5af59f87e98e44d
In

DropboxAES RAT SOC Prime Threat 8c558244a29064b6842314ce


(Sysmon Ariel Millahuel Detection 986116d2007b1087f6f8bb45 136723 2377
detection) Marketplace ae883911d0155549
Suspicious
b8f19be4c7bf862dce0d4d1f7
Eventlog Clear or Ecco, Daniil Yugoslavskiy, Sigma Integrated
885f2207ddf93b3a33d8a6e1 134152 33764
Configuration oscd.community Rule Set (GitHub)
6f3968c4fbb6491
Using Wevtutil
80e21a1883c10ba77d6f4a1b
Root Certificate oscd.community, @redcanary, Zach Sigma Integrated
0b6903e9ba65d57e1874d2cd 133987 33777
Installed Stanford @svch0st Rule Set (GitHub)
81b121f762481c64
@neu5ron, Florian Roth, d85308a28516fa075ee74a4ff
Disable of ETW Sigma Integrated
Jonhnathan Ribeiro, d11aea2be1f15add944422ad 133800 33759
Trace Rule Set (GitHub)
oscd.community e0969027648a3fa
E.M. Anhaus (originally from Atomic c288d5891a082dd1f38d14b8
Interactive AT Sigma Integrated
Blue Detections, Endgame), 32960d7e1b88651dc301c698 131707 4
Job Rule Set (GitHub)
oscd.community 5be8e66b561bf95d
Notepad Making eebf53f371a18d7f8d6992a93
Sigma Integrated
Network EagleEye Team 5d2fbfe811f3d78552949a059 131538 1303
Rule Set (GitHub)
Connection 7456693cffd553
Suspicious File
608e0e17d25bcba31de60855
Characteristics Sigma Integrated
Markus Neis, Sander Wiebing 2a073a6677d4f626ab55bce3 129037 4440
Due to Missing Rule Set (GitHub)
53a686eda3f60bcc
Fields

Victor Sergeev, Daniil Yugoslavskiy,


CurrentVersion d706314122bff93e0dbdf079f
Gleb Sukhodolskiy, Timur Sigma Integrated
NT Autorun Keys 1d1904d2f00407f34a893487 123393 3
Zinniatullin, oscd.community, Tim Rule Set (GitHub)
Modification d70105b1dc5b9ed
Shelton, frack113 (split)
Malicious
payloads that are SOC Prime Threat e55945cd70c0ffa247fd76996
hidden in fake Ariel Millahuel Detection 326089548147e223588b2b6 116466 180
Windows error Marketplace aeef053c1c0ce613
logs

New RUN Key 27b72c2678411f21ba21bd10


Florian Roth, Markus Neis, Sander Sigma Integrated

.in
Pointing to b44b7e9c45594d5a5f61f142 112716 4928
Wiebing Rule Set (GitHub)
Suspicious Folder 23b81a8906675039
Matthew Green - @mgreen27,
Ecco, James Pemberton / 686a5b6d5e098e507256a720
Sigma Integrated
df
Renamed Binary @4A616D6573, oscd.community 7e9e4a237bb378c824f67f13 111591 758
Rule Set (GitHub)
(improvements), Andreas Hunkeler ee0402525833b257
(@Karneades)
Suspicious 7776601555567f764fc3e227
juju4, Jonhnathan Ribeiro, Sigma Integrated
ap
Process Start 22bef1fdde521b5bdff9fff38f 98830 5
oscd.community Rule Set (GitHub)
Locations 9031e9a3f7ce54
File or Folder d1b3909fc498977f2008254e
Sigma Integrated
Permissions Jakob Weinzettl, oscd.community 9e38903c16568e7a8aaaeb2e 93093 6027
Rule Set (GitHub)
Modifications b0d1d4f155373408
st

Windows 7cb4a3985bd24a137550fa4c
Endgame, JHasenbusch (ported for Sigma Integrated
Network 49b1da3fb949c3cf182a90950 88344 121
oscd.community) Rule Set (GitHub)
Enumeration 438e97aaad46378
SideWinder
SOC Prime Threat 1f154d23ec03058edb48ed33
In

Ransomware
Ariel Millahuel Detection 80f862daca50719af728e0660 87686 6
(Sysmon
Marketplace a5dc14a5ab5b867
detection)
FlowCloud RAT SOC Prime Threat 159df9b8abe4902ba69f2445
(TA410 Ariel Millahuel Detection 5a788a64edcec473e20be350 87014 225
Campaign) Marketplace 469118e1c586299d
Suspicious DNS
3a2766a08d32a855b604a786
Query for IP Brandon George (blog post), Sigma Integrated
cddc0f76fee13e6ccd22e01d4 86020 19
Lookup Service Thomas Patzke (rule) Rule Set (GitHub)
878150f0ef1eebc
APIs
02b55b29ddf740930b68c311
Schedule system Joe Security Rule
Joe Security ca7cd59354f8c35ceda86d09a 85097 8
process Set (GitHub)
3fb06f08b760857
Suspicious f1e311405e4ccc1c99ed8213
Sigma Integrated
Certutil Florian Roth, juju4, keepwatch bdc24b813560700daa47ca78 80567 33
Rule Set (GitHub)
Command 033edd0d8993ba04
a9fd3d8b393121d910bdb641
Regsvr32 Sigma Integrated
Dmitriy Lifanov, oscd.community 6807881b8e231fde412098c4 72807 11342
Network Activity Rule Set (GitHub)
6594fc45821d23ce
e7df5abed193d7732536dcfe
Regsvr32 Sigma Integrated
Dmitriy Lifanov, oscd.community b0d58fbdfd844ab7c3ddd618 72807 11342
Network Activity Rule Set (GitHub)
6f9afa9ced7a6f61
8c09b5d8aeac44d4ad6b7633
Windows Sigma Integrated
Florian Roth 3ab77edf4453d9c7f7db00d8 72337 2
Credential Editor Rule Set (GitHub)
79591acfc9f98479
d807dbfa78ad565695bdfaa5
Maze Sigma Integrated
Florian Roth 793858aa25a153091a49b554 71958 0
Ransomware Rule Set (GitHub)
975f48182344c78f

SOC Prime Threat 17affcf8751489416a8bdd1c7


CoViper Malware Ariel Millahuel Detection 819271220bd9bdd11f595b64 70300 176
Marketplace 4b2966c3e3b1b80
Compression
Utility Passed SOC Prime Threat f4fe24c510771cfebac8ea12b
Uncommon SOC Prime Team Detection 6e86858e92ee0807f17f8dd0 69677 282
Directory (via Marketplace e23e2dc5e1b8049

.in
cmdline)

SOC Prime Threat 98d1e74d54870538bf25e555


Floxif Trojan Ariel Millahuel Detection 22e0e31814ceaa32679120ff6 69390 174
Marketplace
df 6addce78f4c461d

SOC Prime Threat e3cdbb4de2c006685f06e358


TAIDOOR -
Ariel Millahuel Detection 196d7f41ab1098005328b93d 69031 1384
Chinese RAT
Marketplace 9834acae72ddaef0
ap
CLOP
SOC Prime Threat 94b16fc40ce61b0527bd124b
Ransomware
Ariel Millahuel Detection 84d6a631649e579c2c571a3d 64529 87
detection
Marketplace c68d4f0f9ee4aa76
(Sysmon)
st

LOLBAS rundll32
without SOC Prime Threat 2fd6d2b16365ba7157eee493
expected SOC Prime Team Detection 4b406ac7d530b4ec62cc1b45 63006 2241
arguments (via Marketplace c69ee4f07989f139
In

cmdline)
K8h3d campaign SOC Prime Threat 2e5a93340aede0794b671d3
(Sysmon Ariel Millahuel Detection b3d020fb719a3985e78a9697 58981 448
detection) Marketplace 0d36c5c326f2fef34
0e01e0ac3c9d7b292996c004
New Service Timur Zinniatullin, Daniil Sigma Integrated
66851ff64ca8e3aabb384b09 56999 391
Creation Yugoslavskiy, oscd.community Rule Set (GitHub)
6bddba88aa769464

Frat Trojan SOC Prime Threat e5340d719fcf66efd2a0ce9db


(Loader Ariel Millahuel Detection 73895f3154a53e10e72e0017 55186 0
detection) Marketplace 60230ca6aa22057

SOC Prime Threat f5653d51811614b162ab7311


LatentBot
Ariel Millahuel Detection b24033c85bf166bbc322d83f 54554 7424
malware
Marketplace 4f72d0b9a366a01f
CARROTBAT SOC Prime Threat e5937a80eca18cdaa94adaf0
Malware Ariel Millahuel Detection 2b89a4af91bb9605d3236af1 53520 6
detection Marketplace 3685c8b481d9b1b1

SOC Prime Threat a5470af7af21c2bc99ebc438f


BackSwap Trojan
Ariel Millahuel Detection e841b20ec62f530e6540dc01 53464 2
detection
Marketplace ce42deed3ffb1eb

SOC Prime Threat f09d5248ed8fc1a93251158bf


Suspicious
Florian Roth Detection da71f8144ccaf37fa922416cc 53350 138
Process Creation
Marketplace d897498bff7c55
Suspicious
ad081ff821748a3cd86b5954
Screensaver Sigma Integrated
frack113 ef5c3d7d2a6602fe0b6e50ed 51963 2
Binary File Rule Set (GitHub)
47938b98bc184122
Creation

SOC Prime Threat 1c2774ed7c4cad91219d007a


Sakula RAT Ariel Millahuel Detection a7101b09d19b442613cd2e3f 50916 0
Marketplace c453726a7abd1b1a

.in
dc313eb40a68f81f4e6cc8b46
Regsvr32 Sigma Integrated
Dmitriy Lifanov, oscd.community 58215600b2bac992cb67ea87 50411 233
Network Activity Rule Set (GitHub)
3d40ba70e41b7b3

Victor Sergeev, Daniil Yugoslavskiy,


df
CurrentControlSe 5bddd3dd0944d27f3ff8b03e
Gleb Sukhodolskiy, Timur Sigma Integrated
t Autorun Keys 8a8a01f5a9d14540ea1779da 45233 1
Zinniatullin, oscd.community, Tim Rule Set (GitHub)
Modification 5683fe601557a364
Shelton, frack113 (split)
ap
Microsoft Office
6a6edfdea6536f74ea66bf736
Product Michael Haag, Florian Roth, Markus Sigma Integrated
82ed52f4b86435793ed76ff38 43326 11
Spawning Neis, Elastic, FPT.EagleEye Team Rule Set (GitHub)
e3ab0523f029f5
Windows Shell

SOC Prime Threat 7f5e752d29abb27ef7222f517


st

vbc.exe
Den iuzvyk Detection 1fe6719092aa64cb1a11187e 39753 1
execution.
Marketplace 75e3efd277216b3
c9f2b527fcecda6141fde1cae
Joe Security Rule
In

Xmrig Joe Security e187052676355bc055141a8c 38496 2


Set (GitHub)
aa6c22482fca3ad
Suspicious 31e1f4457871d51593456a43
Sigma Integrated
MSHTA Process Florian Roth 31811513af82fe4e36d2b26a 35389 61
Rule Set (GitHub)
Patterns 582dd6baa180a91d
196a9c9222e3b003ccb0caad
Drops script at Joe Security Rule
Joe Security c29931d851129ba863f99545 33944 32
startup location Set (GitHub)
299786a032864d12
Visual Basic 5cde8271bb36c24d7ac552a1
Ensar Şamil, @sblmsrsn, Sigma Integrated
Command Line d30127f3f00a08a681a90eff1 31223 1
@oscd_initiative Rule Set (GitHub)
Compiler Usage 2e3eac68b72bf47
ec63f6d5ea6cf1a23c7c491b2
Local Accounts Timur Zinniatullin, Daniil Sigma Integrated
8d6b350219d23a95ea95516c 28130 367
Discovery Yugoslavskiy, oscd.community Rule Set (GitHub)
e0256730fb7912c
Powershell 7e416af5a1bb67fdbd2f30ae3
Sigma Integrated
Defender Florian Roth f5da7f74583460b36546527c 24546 39
Rule Set (GitHub)
Exclusion 909c354fb5dcd00
Suspicious c4e0758476210a09a3e470db
Sigma Integrated
Splwow64 Florian Roth 05d2cbec0aebd511e48d3516 23455 52
Rule Set (GitHub)
Without Params 85c75970566f894f

SOC Prime Threat c01baa2540aeb8f23c067318


Oilrig Ariel Millahuel Detection 100db0ab3618e37acf7e2193 22856 1687
Marketplace 72e750398969c606

ChChes Trojan SOC Prime Threat a515be8db5d265bf43ba29f2


(Sysmon Ariel Millahuel Detection 1c53f4e482fa0f7db4acc1005 22196 1465
detection) Marketplace 4e85bc0c516a7ba
134564d292d785dff102940b
Failed Code Sigma Integrated
Thomas Patzke 8a1ee06dba2d462c5fb85212 20435 77
Integrity Checks Rule Set (GitHub)
4b3771a49d7885f1
Suspicious b39586c79bf4d0d43c937efa
Sigma Integrated
Csc.exe Source Florian Roth 6129ebb6f0b2cf03b7038a3a 20269 413
Rule Set (GitHub)
File Folder 8234f84c147600f7

Dot net compiler


76e8bb8877ab40bd84b14fc9
compiles file Joe Security Rule
Joe Security 3daffe9ff7ebe9440ce09916b 19905 302

.in
from suspicious Set (GitHub)
5c63a302d62c918
location

SOC Prime Threat daabc950b44baa5580ce5e56


Pykspa Malware Ariel Millahuel Detection
df de6f2f363ce1854a5273ffd3a 19171 4
Marketplace c321453e35a83b0

SOC Prime Threat a9e98f5066d90fefc6c08a2a9


PoetRAT
Ariel Millahuel Detection 8baaaeecc9dcfccf65c961701 18654 1
ap
detection
Marketplace 28a898353b6d50
Scheduled temp 90af0ea1f6d871f169dfb41b1
Joe Security Rule
file as task from Joe Security 8545bf456f980c5d75f60f129 17165 37
Set (GitHub)
temp location 3c34f071f6a31c
st

Suspicious 9ffd116f512698b4f9b310ee5
Sigma Integrated
Compression Florian Roth, Samir Bousseaden 526625ddf70dc16d7e3a87e7 16633 48
Rule Set (GitHub)
Tool Parameters 44f709c8b537b2e
In

Executable Used
660cdd939969505754f58fd8
by PlugX in Sigma Integrated
Florian Roth 1c22dc2f313f6b7a8fcfcc55f0 16402 17
Uncommon Rule Set (GitHub)
a45d62d879734f
Location

Windows
f92451c8957e89bb4e61e684
Suspicious Use Sigma Integrated
James Pemberton / @4A616D6573 33faeb8d7c1461c3b90d06b3 16231 53
Of Web Request Rule Set (GitHub)
403c8f3d87c728b8
in CommandLine
c1c4c35f46055951f3124f8f5
Suspicious Del in Sigma Integrated
frack113 791b474f919c9dee2a42d1e7 16109 2
CommandLine Rule Set (GitHub)
37590c5eb7169a4
Netsh Program
Sander Wiebing, Jonhnathan adbbf1b1fe76c2a86e148fcc6
Allowed with Sigma Integrated
Ribeiro, Daniil Yugoslavskiy, 6a37c2f361f6d40ce55e510f7 16091 36
Suspcious Rule Set (GitHub)
oscd.community 0409c09d434ea2
Location
HVNC Attack SOC Prime Threat 0643197645f9051600e63151
(Sysmon Ariel Millahuel Detection 5cbe8f526e02ae4556e6125c 13490 4
detection) Marketplace 8f9bf640dcc17849
Wmiprvse 1429a6819ff25aad68fb09601
Sigma Integrated
Spawning Roberto Rodriguez @Cyb3rWard0g fb0b63c4be24919adfd25c4a 12984 11
Rule Set (GitHub)
Process d925ef8d47d8f22
WSF/JSE/JS/VBA/ 8b884f70bb47a8e06faf8f548
Sigma Integrated
VBE File Michael Haag fcfef77fe3802d22c310c4cdfa 12346 118
Rule Set (GitHub)
Execution 01f35cb030bac
11ef2fbb89770dbec860f5548
Dridex Process Sigma Integrated
Florian Roth, oscd.community 10a4e34a33e1326589f9eaf5 11688 100
Pattern Rule Set (GitHub)
62412ceba567f00
Too Long 4b2c1a09ad8532fd7bf380fee
oscd.community, Natalia Sigma Integrated
PowerShell a00e848eb5daf3d246d1f4da 10540 28
Shornikova Rule Set (GitHub)
Commandlines c0ef853f29bc01c
b7eb83db20f6f8b5f580e107c
Suspicious Call by Sigma Integrated
Florian Roth 2b6816110a31869a94de5e27 10444 3184
Ordinal Rule Set (GitHub)
97d917335d9fbc0
Florian Roth (rule), Tom U.

.in
b8a9a3d755cac11238eb37aa
WannaCry @c_APT_ure (collection), Sigma Integrated
06d27255714356075872c2e2 9898 19
Ransomware oscd.community, Jonhnathan Rule Set (GitHub)
e140acfb3e8ab8b0
Ribeiro
e80db9df819552f83bb1bc54
XSL Script Sigma Integrated
df
Timur Zinniatullin, oscd.community 2be2503390d7a47f3c26ea4d 9806 55
Processing Rule Set (GitHub)
b86797b530411d2c
6143134666e4626abac4d906
Change Default Sigma Integrated
Timur Zinniatullin, oscd.community c673c60d7fdb48a48b44f281 9599 10
File Association Rule Set (GitHub)
ap
7af790432cae836f
29ea4c436137aafe4f4ab08ff
Suspicious WMI Michael Haag, Florian Roth, juju4, Sigma Integrated
716f2a03e416beb0802c5a00 9567 5
Execution oscd.community Rule Set (GitHub)
9cfb266b5d948c6
Suspicius Add a219a0bf27f7f5f1acdc1fbdd8
Sigma Integrated
st

Task From User frack113 3ff3d3f3711edd5b8111b967 9262 14


Rule Set (GitHub)
AppData Temp d8eb1575aa3b85
4975d97d556849fe2e336bf1
PowerShell Script Florian Roth, Jonhnathan Ribeiro, Sigma Integrated
c8a5012b84eefe1d4059c527 8899 30
Run in AppData oscd.community Rule Set (GitHub)
In

aaa8ec3f903022b2
MSHTA b9bc90b7745bcb3a2cf9de40
Sigma Integrated
Spawning Michael Haag d1d419d18ead6650040015c7 8438 41
Rule Set (GitHub)
Windows Shell f4755848e9bfdb05
Suspicious Florian Roth, Markus Neis,
09a6527b05920e47aecbebf5
Encoded Jonhnathan Ribeiro, Daniil Sigma Integrated
df306d1c194b850076e73d74 8365 25
PowerShell Yugoslavskiy, Anton Kutepov, Rule Set (GitHub)
c3b9ead23b654425
Command Line oscd.community
0d7b38274ada42870a9b5fe5
Suspicious juju4, Jonhnathan Ribeiro, Sigma Integrated
9433cc701b21c18ef543b8c6 8215 329
Rundll32 Activity oscd.community Rule Set (GitHub)
53d2e5dae0f93c0e
Windows Shell
80bbf1ed6106205ab2926430
Spawning Sigma Integrated
Florian Roth c9634286f976b2fee4357dbac 7971 151
Suspicious Rule Set (GitHub)
ddec45b979a4422
Program
e75e9983c2277304aa1294c0
FromBase64Strin Sigma Integrated
Florian Roth b077a3139a8405cd1661ccf5 7710 12
g Command Line Rule Set (GitHub)
13a6c05a002acacf
SOC Prime Threat 1b78637b79c8dffe83e4631ca
Pyvil RAT Ariel Millahuel Detection 8812c2cab4799547d30fb65d 7701 136
Marketplace f21e42f1894053f
Suspicious ecf07e5502e8c93b8a8359e6
Sigma Integrated
Service Binary Florian Roth bde14af9098293d382223c0e 7618 5
Rule Set (GitHub)
Directory cf59834a37cac953
464455b93d1b76acf868754c
Mshta Spawning Sigma Integrated
Florian Roth ca0e609af558267671ad6417 7370 50
Windows Shell Rule Set (GitHub)
14ca27a923efb9ba
Shadow Copies Florian Roth, Michael Haag, Teymur
ad5e4d4b939797a70a9aa742
Deletion Using Kheirkhabarov, Daniil Yugoslavskiy, Sigma Integrated
d979a4742c2cfedddd663fb1 7221 4
Operating oscd.community, Andreas Hunkeler Rule Set (GitHub)
a43b2795c1e6054b
Systems Utilities (@Karneades)
Windows
baa17a6a8681c2a3d925f497f
Defender Threat Sigma Integrated
Ján Trenčanský, frack113, AlertIQ 9c81458eab98535fd28d8909 7020 5
Detection Rule Set (GitHub)
861aece2b9cb901
Disabled
Regsvr32 c0cdd12b4805f2aebecbc041
Sigma Integrated
Command Line Florian Roth 5332f2594acf1ae6d8d82da0 6882 280

.in
Rule Set (GitHub)
Without DLL 86eeac9a84bf0c37
MSHTA Diego Perez (@darkquassar), 7a63d1c1bf6ebb277b02d489
Sigma Integrated
Suspicious Markus Neis, Swisscom (Improve 3066d3732e3d7df562cfdbfee 6793 74
Rule Set (GitHub)
Execution 01 Rule) 275bbc5c4de0951

Highly Relevant Matthew Green - @mgreen27,


Renamed Binary Florian Roth
df
Sigma Integrated
Rule Set (GitHub)
6a0e84509806d4477d42410f
b267c817a01015e3dcc33e48
330f8db0ba9709da
6695 136

539dcb36e9155d97ed39c681
Suspicious Driver Sigma Integrated
ap
Florian Roth 82bde1733b86e2785cbef705 6625 2100
Load from Temp Rule Set (GitHub)
86ce6a771645c425
Conhost Parent 7b87fbdccf3c12011b709aab8
Sigma Integrated
Process omkar72 b9bd4642bd61dc9880e0e1ce 6397 102
Rule Set (GitHub)
Executions 9ebb9901e2a3497
st

d17374b215c7dec3cfb7a758
Imports Registry Oddvar Moe, Sander Wiebing, Sigma Integrated
8c3e1ba10e710be57c039282 6341 208
Key From a File oscd.community Rule Set (GitHub)
75fcfd3c65bd187b

LOLBAS SOC Prime Threat b29d2dfc7edb1018f0384c6a


In

conhost.exe (via SOC Prime Team Detection 0606a6f59a25bb2e9e1ff8a0f 6226 47


cmdline) Marketplace a4bad79d7d4121e
Windows
19a5c3cad343931aed1e013c
Defender Real- Sigma Integrated
AlertIQ fe07ab95ba7b853ee5b40c68 6140 1
Time Protection Rule Set (GitHub)
28fc766529e602bf
Disabled
Suspicious Copy de683a6054ff03b9c12e58c84
Sigma Integrated
From or To Florian Roth, Markus Neis 2648f759cfcf797f91dc01078 5853 49
Rule Set (GitHub)
System32 d285e8f3f8e856
Windows 226bf9a98dfb94416c0f984ec
Sigma Integrated
PowerShell Web James Pemberton / @4A616D6573 fd7e566a55fd0efe2af425705 5780 65
Rule Set (GitHub)
Request 5b1f1be1501377
Suspicious
PowerShell c089503ba0204ebcc3605f01
Sigma Integrated
Invocation Based Florian Roth ef3ba76dfff60846f2bad81faf 5133 37
Rule Set (GitHub)
on Parent 9eae455e81921b
Process
Created Files by 5c100e376f43b26c0279b6ec
Vadim Khrykov (ThreatIntel), Sigma Integrated
Office ab437d35499a64f73cd9c1b1 5103 3
Cyb3rEng (Rule) Rule Set (GitHub)
Applications 80f62e840eebd2a6
MS Office
fb4acb832d8776634f7ad5e6
Product Sigma Integrated
Jason Lynch 0b2ae16c329118186cc8dcf0 5034 2
Spawning Exe in Rule Set (GitHub)
4d1ce959185c6264
User Dir
Windows
fd0a272556e2d962e1ecfb8d
Defender Threat Sigma Integrated
Ján Trenčanský, frack113 8fa8ab6f1d728c870db382b0 4975 4
Detection Rule Set (GitHub)
b56dc04e7bf20317
Disabled
455818bf9dc4423de74cdfa3
Regsvr32 Sigma Integrated
Florian Roth, oscd.community 96a0735e0fd29acee7f476325 4795 643
Anomaly Rule Set (GitHub)
75decb468b11cb5
Suspicious a4d012f0f7c21ebed94f8e82f
Teymur Kheirkhabarov, Harish Sigma Integrated
PowerShell 4910702fcbcd9d21bf70e4b1 4774 8
Segar (rule) Rule Set (GitHub)
Parent Process b039f48970d1bbc

Add file from


ab2075510415e5fab5635dc3
suspicious Joe Security Rule
Joe Security 0ecec20ea16d6bead9c43972 4348 1

.in
location to Set (GitHub)
97335c9520922561
autostart registry
Windows 6291f85314c7d9966be831c5
Sigma Integrated
PowerShell Web James Pemberton / @4A616D6573 6d3cdfb30f42c84f599273e73 4225 32
Rule Set (GitHub)
df
Request dac5c95e1122abf
Copy itself to
ca9a79f8e23430115778a41a
suspicious Joe Security Rule
Joe Security a4671433713b393278e1a603 4222 4
location via type Set (GitHub)
31cbb991a0f30f82
ap
command
Possible
Ransomware or 388ce51cb79d4deced7fce86
Sigma Integrated
Unauthorized @neu5ron e5dcf1e2eec1c04720fb2fc7e 4095 578
Rule Set (GitHub)
MBR 451d12abbd53416
st

Modifications
Shell Open cd6c2801be2f14154f961643
Sigma Integrated
Registry Keys Christian Burkard 5303948eacedd79025bd0646 4082 2
Rule Set (GitHub)
Manipulation cb3c34bb536b7cab
In

PowerShell 24c9049c81b149aa4537cce1
Florian Roth, oscd.community, Sigma Integrated
Download from 66e36f3697878dcdad3fab8b 4039 41
Jonhnathan Ribeiro Rule Set (GitHub)
URL 662889d154056d7c

Suspicious SOC Prime Threat 2493810bc5072dfb469437cf


command Den Iuzvyk Detection e4848e404b84ec5690670b79 3813 0
execution Marketplace ab60bdf138d06139

Glupteba SOC Prime Threat f75c71f7be8a63670e0c606b5


malware Ariel Millahuel Detection 82900d5a921916b46408da3 3805 0
detection Marketplace 83beb0786cb5588f
Bad Opsec
Defaults
Oleg Kolesnikov @securonix 53f67594c85a67cef198b525b
Sacrificial Sigma Integrated
invrep_de, oscd.community, Florian 556658fa4e46d1e49901472a 3627 0
Processes With Rule Set (GitHub)
Roth, Christian Burkard dbc8b7f0ba475a8
Improper
Arguments
Windows
Registry 7f5d257abc981b5eddb52d4a
Maxime Thiebaut (@0xThiebaut), Sigma Integrated
Persistence COM 9a02fb66201226935cf3d391 3575 2435
oscd.community, Cédric Hien Rule Set (GitHub)
Search Order 77c8a81c3a3e8dd4
Hijacking
Suspicious XOR
312888984ff0222cd7bd4593
Encoded Sami Ruohonen, Harish Segar Sigma Integrated
6afd14feea146948ac0e6941f 3438 58
PowerShell (improvement) Rule Set (GitHub)
3e0513e56d51e65
Command Line
Wuauclt 797b0bc9c2136612087c0b95
Roberto Rodriguez (Cyb3rWard0g), Sigma Integrated
Network b2f7917f60d1429162e72a72 3428 3
OTR (Open Threat Research) Rule Set (GitHub)
Connection 07861e247618dae3
E.M. Anhaus (originally from Atomic 4793e3844bd4ee212795ee4a
Bypass UAC via Sigma Integrated
Blue Detections, Tony Lambert), 6bf167b869d51840732845bf 3398 2
Fodhelper.exe Rule Set (GitHub)
oscd.community 0d2aa41f7481e6d7
Group 48fbab3f0d31a3776ce8099e
Sigma Integrated
Modification Alexandr Yampolskyi, SOC Prime 24b7c20af280fc9952c2d83fb 3379 10
Rule Set (GitHub)
Logging 8e54e4808a7d506
a0cf7d21374ebc3567492775f
Suspcious CLR omkar72, oscd.community, Sigma Integrated
48033b67b0a81b95521f405e 3356 204

.in
Logs Creation Wojciech Lesicki Rule Set (GitHub)
5be52f2950f9d18
96b3df20cf0336e4751b0a85
Xwizard DLL Sigma Integrated
Christian Burkard d9786ada6ce7185e05988a51 3298 3
Sideloading Rule Set (GitHub)
1f646967e712cc1d

Suspicious Florian Roth, Daniil Yugoslavskiy,


Process Creation oscd.community (update)
df
Sigma Integrated
Rule Set (GitHub)
b902e441638f8747df97dc2c
59508d1d39ca9ab179b28132
c51cee02b1d19152
3239 120

Windows Shell 248820e948efae04f89b5243


Rule Title | Rule Author | Ruleset Name | ID | #Files | #Undetected Files
File Write to Suspicious Folder | Florian Roth | Sigma Integrated Rule Set (GitHub) | 48c8398f0b278befcaec4fafddf73e9c5dda0353 | 3084 | 31
Suspicious PowerShell Command Line | Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community | Sigma Integrated Rule Set (GitHub) | e6fdb32f143bba16a3ea06247ced55b7b90f8b5b5c6c26ddb95cdcf23908af8a | 3002 | 15
Disable UAC Using Registry | frack113 | Sigma Integrated Rule Set (GitHub) | 80708cad12d59acde6c91bdfbb0ed867ffd0538e97f962f2ffd72040a66ecb6b | 2917 | 0
Emotet RunDLL32 Process Creation | FPT.EagleEye | Sigma Integrated Rule Set (GitHub) | 4e5ef297fadbdf1fbd3c57b71841275af9687495d2f45e59fcbabdba98315434 | 2792 | 0
Suspicious Execution of Taskkill | frack113 | Sigma Integrated Rule Set (GitHub) | cd06da2f3978bdb24b3f3c8f83c7df917a910c6b29921d0e375e418f340d8f3d | 2704 | 11
Powershell Used To Disable Windows Defender AV Security Monitoring | ok @securonix invrep-de, oscd.community, frack113 | Sigma Integrated Rule Set (GitHub) | 78a8ebe85ceee09aa63f018db033f8616308e95816c4f7429ba0bafe2d0995b9 | 2662 | 1
UNC2452 Process Creation Patterns | Florian Roth | Sigma Integrated Rule Set (GitHub) | f282a8660328d20195770b77f51561e6885408fc2136a6916d0380839cf39301 | 2610 | 0
Net.exe User Account Creation | Endgame, JHasenbusch (adapted to Sigma for oscd.community) | Sigma Integrated Rule Set (GitHub) | d83c79bbca4183561b4591dd3ce69faed2e6cfed3217f2658b85c237af7aceea | 2600 | 15
Indirect Command Execution | E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community | Sigma Integrated Rule Set (GitHub) | 949493fff309832e61eefbc1517c38dc21116f3e97310be0dfd27ee7544382e1 | 2599 | 2
Suspicious Scheduled Task Creation Involving Temp Folder | Florian Roth | Sigma Integrated Rule Set (GitHub) | c81c0126a6006ad9dbec7215030642dac0a918f133b33aa4c077f9676d84cd58 | 2592 | 0
Suspicious Rundll32 Without Any CommandLine Params | Florian Roth | Sigma Integrated Rule Set (GitHub) | 87574dead19ceb246e10ccb4cb4fd5009c71c46de0d77965d2170bfafc2c3b14 | 2575 | 0
Stealthy VSTO Persistence | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | c04f755b9283e9e31eead7707a061225ee4da75cf49c91823ff8aa1d7e026551 | 2535 | 535
HH.exe Execution | E.M. Anhaus (originally from Atomic Blue Detections, Dan Beavin), oscd.community | Sigma Integrated Rule Set (GitHub) | b0b20b09dd98169c1af4e8643b69d1bbe0cb12c553056b15d64e45d7726ff1b4 | 2342 | 514
PowerShell DownloadFile | Florian Roth | Sigma Integrated Rule Set (GitHub) | f0282b9dc90a1761ed8cfb90b52bc5f53c2c8ccbff1ca29790e8d17c7eae56dd | 2240 | 10
Powershell Decrypt And Execute Base64 Data | Joe Security | Joe Security Rule Set (GitHub) | d77da6b7c1a6f6530b4eb82ca84407ff02947b235ab29c94eade944c4f51e499 | 2100 | 2
Delete shadow copy via WMIC | Joe Security | Joe Security Rule Set (GitHub) | be6d29855558a0e8c404486d8f1838ce35594866f126f9c1c62a9792e9c76be2 | 1961 | 0
Proxy Execution Via Explorer.exe | Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative | Sigma Integrated Rule Set (GitHub) | b32b8c78e20435f731c3241fbfb6354a0b9f86ec81cc5ee202e0f0cf13bf110c | 1955 | 3
Bitsadmin Download | Michael Haag, FPT.EagleEye | Sigma Integrated Rule Set (GitHub) | aca8c04f52d20c1f8ac7c5fda7686124759166ab9439145354e331faaf792bb9 | 1941 | 9
Tap Installer Execution | Daniil Yugoslavskiy, Ian Davis, oscd.community | Sigma Integrated Rule Set (GitHub) | 47fed78a8bb63a7dee467bd25acd7bbfb704d602012f1a2228eb56c9f6760b7a | 1830 | 161
Shell32 DLL Execution in Suspicious Directory | Christian Burkard | Sigma Integrated Rule Set (GitHub) | fbd6086058f7f1742827e4bf39c6a7b3d7cc32120c2f2cd39a924363da2fe8f6 | 1770 | 0
Valak Behavior (Sysmon and Cmdline) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 95388dc52565d97f01bb478463530fac5eb3a7197bbf17fccbd415b4a10a7055 | 1726 | 38
Powershell download and execute file | Joe Security | Joe Security Rule Set (GitHub) | 1fd2d09eff791a970cc2ad6da0820134ef9d52d4341ab32028edd04e8dd158bd | 1722 | 0
Usage of Sysinternals Tools | Markus Neis | Sigma Integrated Rule Set (GitHub) | 35df1aeee1f1078e25bb64a8af513db99a7df8736e4847041fddacedf6b747c9 | 1656 | 15
Suspicious Extexport Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 942c07d4243aed525402c1e4e2f9880b477ba72abc7023c30c9c10737399e077 | 1644 | 0
rundll32 run dll from internet | Joe Security | Joe Security Rule Set (GitHub) | 232de5bd44720ce2fb34b305f8385e685f63ee5e14d8845368072b2fa100a5f6 | 1612 | 245
Nocturnal Stealer | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 08655a77d7ea003dba35be4775284dd12a24f9469c9e93ad2d085afe3f4e91d8 | 1595 | 14
Suspicious PowerShell Parameter Substring | Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix) | Sigma Integrated Rule Set (GitHub) | 1929e853315b3b5398e0837b2b8928a28ae8eec0611ebb41efc5e6b33e78cd6c | 1538 | 6
Capture Wi-Fi password | Joe Security | Joe Security Rule Set (GitHub) | 2e31c80fe0affb3753d7456883282043c5795a0abd5906589d7b67f0eb04076e | 1506 | 5
CMSTP UAC Bypass via COM Object Access | Nik Seetharaman, Christian Burkard | Sigma Integrated Rule Set (GitHub) | a30845acd045e920f165087e59ac6d9461f6c4bfadfa52e4c518e3bcb9d8cb0c | 1424 | 2
Modification of Boot Configuration | E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community | Sigma Integrated Rule Set (GitHub) | 2da0b3cba5dc2b56e1426049598590c54a224e6d15740b9b07c108e089c84520 | 1409 | 7
Whoami Execution | Florian Roth | Sigma Integrated Rule Set (GitHub) | 4f50c176af3c65d3b67381b2eb36baf45f7c58aa2934ba1b9d94703fb60d977c | 1395 | 102
Esentutl Volume Shadow Copy Service Keys | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | e49ec9683ea49e495920eaed6f515ba9a16d6329c30e123a1b7fb158f03004fc | 1236 | 16
Accessing WinAPI in PowerShell | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 6c44b18934e9ddd288d035d35a258c41fce2d5f5ebafc55ff866a95fb78db9c2 | 1234 | 31
Usage of Sysinternals Tools | Markus Neis | Sigma Integrated Rule Set (GitHub) | 1e33259c56ec61269739a1b6f2e7e13760703a505f60b194702ff716a6fe0fbc | 1225 | 110
Windows Crypto Mining Indicators | Florian Roth | Sigma Integrated Rule Set (GitHub) | 6bbafdf03b2a79de4fa71f3fec777333b907de6172939c7a35b5bed23d4a4b82 | 1217 | 1
Rundll32 Without Parameters | Bartlomiej Czyz, Relativity | Sigma Integrated Rule Set (GitHub) | de72fd0fbb1418b8eddde8492f15f221fc84e0ca0d3ca576ccd0ff897fb98037 | 1202 | 0
Suspicious Calculator Usage | Florian Roth | Sigma Integrated Rule Set (GitHub) | 379786e3d43f4df15525494f022a5e59f58acf961a0f2536f20ae374717a9fa0 | 1168 | 13
BlueMashroom DLL Load | Florian Roth | Sigma Integrated Rule Set (GitHub) | fa6fe737f5145762e909801e31b442ca6e73fb112f26179762cd60b5c64a4867 | 1163 | 285
Bladabindi backdoor | Ariel Millahuel | SOC Prime Threat Detection Marketplace | f47281ceea7e998eb629b82b6be68c1aaa23f6b18111420b7a52cd72b575f527 | 1153 | 0
Renamed jusched.exe | Markus Neis, Swisscom | Sigma Integrated Rule Set (GitHub) | 395d81f2cea49ebe846ec75b230f6e7f8ff1541f56a65ee0ca6336a3730a5af3 | 1153 | 3
Mshta JavaScript Execution | E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community | Sigma Integrated Rule Set (GitHub) | f6f3741fe71241687646386731e58cbb9eb5dd4b8db836bb8840c3d02e5462b8 | 1137 | 5

LOLBAS rundll32 with unexpected forward slash paths (via cmdline) | SOC Prime Team, @SBousseaden | SOC Prime Threat Detection Marketplace | 4df0b9d85eb21989ce009f134a8fae2edde67a305237b09a9daae0c40abae0ac | 1128 | 165
Brontok Trojan | Ariel Millahuel | SOC Prime Threat Detection Marketplace | cc37d2c965977a035bf3e0e5adc5d1ad561e00eeecc80cde19feb01566a5fa61 | 1127 | 1
Drops fake system file at system root drive | Joe Security | Joe Security Rule Set (GitHub) | 4754f502f65f5684ed3a2e0c3b8615d89d16535a2ad1fe25ac93f82423267ae1 | 1126 | 3
Exports Registry Key To a File | Oddvar Moe, Sander Wiebing, oscd.community | Sigma Integrated Rule Set (GitHub) | a5e61828c15a99ec1e32a76e1f2d9bca2eba0d5d62d10197c69a8988b85c445a | 1093 | 6
Possible new Cobalt Strike dropper | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 3cb32dc8f1ba61964f235761eac5b49d22264f521e003ce641a508eaff8d0eec | 1017 | 48
Cabinet File Expansion | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 2c33916c73b8057eb865f965b0e9e05fddeae85fa5405eee775a7df4cd58173d | 1012 | 18
Hurricane Panda Activity | Florian Roth | Sigma Integrated Rule Set (GitHub) | 0595fd00a8b7a34a40b618e9649d81ef7256ae0a3b3ceefe70821decfce1feb7 | 996 | 18
Squirrel Lolbin | Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | 556a1aa7c513ecf9a4f6edfb0176deb074a2cf1447650e01766fe9efee338c35 | 985 | 440
Mimikatz Command Line | Teymur Kheirkhabarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 338397ed109954fb8f766d6849691b20570aadf79c77ac5509047b25b9af2859 | 983 | 10
Schedule REGSVR windows binary | Joe Security | Joe Security Rule Set (GitHub) | c26e0207e75a84b37249afa14659448c57c0203d2220e8049b52775ab00538dc | 981 | 1
RDP Sensitive Settings Changed | Samir Bousseaden | Sigma Integrated Rule Set (GitHub) | c1a07dc6104bfa9dcd638f1c9f04504dafbbb28fdf3a4f36dc6af48802194787 | 959 | 17
Logon Scripts (UserInitMprLogonScript) | Tom Ueltschi (@c_APT_ure) | Sigma Integrated Rule Set (GitHub) | 91fdd3ec700c41d38dcb9127772f866ad831ade83c48c4131aee4842d77be561 | 951 | 50
Suspicious Process Start Without DLL | Florian Roth | Sigma Integrated Rule Set (GitHub) | d473f1a87cdfa8e30ccefdd183b775109bfb012796c04ab06be794c4b74ba1eb | 950 | 0
Renamed ProcDump | Florian Roth | Sigma Integrated Rule Set (GitHub) | db74c62019a53e7519a7392215062ee6be4525e5374b4191fb8eeffc81cb981f | 939 | 28
Tycoon Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | c2a677a155b0fd75d813c22a6dc0d1632310c42fafb3c2d5cb08090c75ce491e | 933 | 55
Register Wscript In Run Key | Joe Security | Joe Security Rule Set (GitHub) | 530f42d2839f1cd12564a3743f6b294d960920a76da960e2c17e5337c43df9c4 | 926 | 1
Suspicious Bitsadmin Job via PowerShell | Endgame, JHasenbusch (ported to sigma for oscd.community) | Sigma Integrated Rule Set (GitHub) | 84a714b787a32a4edd32972c4a71a7d66d4a250549ad6c4b1a3faeb077c0bce6 | 920 | 10
Schedule CERTUTIL windows binary | Joe Security | Joe Security Rule Set (GitHub) | 5afe0a8f1f7fbc102dbeb6382c6e3e9702f05c872dee6c8309d805831b7dbbe2 | 904 | 0
Winrar Execution in Non-Standard Folder | Florian Roth, Tigzy | Sigma Integrated Rule Set (GitHub) | 99b7b3abf0ce8f702d10cc3f120ed16591df3c13fbda30b46e0623d93cdac439 | 899 | 2
Suspicious GUP Usage | Florian Roth | Sigma Integrated Rule Set (GitHub) | e52de558a2f45ea0c3633bf97f5181779246c0964d7003bd012f344221f012ba | 860 | 0
Suspicious Remote Thread Created | Perez Diego (@darkquassar), oscd.community | Sigma Integrated Rule Set (GitHub) | 5242ae9a7c0bb9967f443e598ba4d27edfa69ca76b6fbb7ad0d569f7e9067668 | 859 | 22
User Added to Local Administrators | Florian Roth | Sigma Integrated Rule Set (GitHub) | 534ecedeba777d436d37888757fcae6c00842f791bdcb6c39d8c804ab3c6a535 | 849 | 3
Tap Driver Installation | Daniil Yugoslavskiy, Ian Davis, oscd.community | Sigma Integrated Rule Set (GitHub) | 20135d843bc80e241d98b14cfdd38a8e122b0a032b2edd8e2dc631c53b5632ca | 842 | 45
Copying Sensitive Files with Credential Data | Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 8712e0baf2cbfba40ac1ad1854da93829b0f78d6eba117de03912aa985d46a79 | 826 | 2
WMI Event Subscription | Tom Ueltschi (@c_APT_ure) | Sigma Integrated Rule Set (GitHub) | 07b95c7eb376ac65a345dc6a2c1cb03732e085818d93bd1ea2e7d3706619d78e | 818 | 4
DUNIHI Malware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 7c58e06f9c4bfbbca18106234f802a2f21fcd03ca11bcc0d10c040d1e451d4b1 | 793 | 0
ScreenConnect Remote Access | Florian Roth | Sigma Integrated Rule Set (GitHub) | 29112c1d912aafdd95b322ff1127f1fde6560b1d2e3dc1484d11d9d222af7435 | 763 | 8
RDP Registry Modification | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | 7aaf54115e7c0d8450b858520101c04264b58e033da253ad20a672a00b52b5ae | 759 | 15
Local User Creation | Patrick Bareiss | Sigma Integrated Rule Set (GitHub) | 8a5a3c45e4c0e75583d9be0aa76f935e9be8f878840cdddb49890be7a65180a6 | 753 | 10
DarkSide Ransomware Pattern | Florian Roth | Sigma Integrated Rule Set (GitHub) | 5c4ba608ec7db931a6491db14857b098a88caf78b2c28087f16fa4aeeb05c8d0 | 733 | 0
Powershell adding suspicious path to exclusion list | Joe Security | Joe Security Rule Set (GitHub) | d933fed60e38128e7e3586361ae42b885a5285e04ab14da997282550a77a9059 | 732 | 2
Mimikatz Use | Florian Roth (rule), David ANDRE (additional keywords) | Sigma Integrated Rule Set (GitHub) | 62e99f238afed27b43182594e90243db3ec17324c819a349f12ed55c015e5a71 | 724 | 0
Tasks Folder Evasion | Sreeman | Sigma Integrated Rule Set (GitHub) | ab8ea26663a3935bd7f1783455f465a74c106836d5a68c19a61dec68dd2596c0 | 689 | 0
Modifies the Registry From a File | Eli Salem, Sander Wiebing, oscd.community | Sigma Integrated Rule Set (GitHub) | 876619ed554fa68bef3ccfc88d359efb8c1f05d0781e13279ff3c4ff29f4989d | 686 | 13
Windows Credential Editor | Florian Roth | Sigma Integrated Rule Set (GitHub) | 2120dcc15751868d99ce91b7721c2a27b2b8b8d542b4621a0ece4594a4cd73b2 | 671 | 0
Abused Debug Privilege by Arbitrary Parent Processes | Semanur Guneysu @semanurtg, oscd.community | Sigma Integrated Rule Set (GitHub) | 9d455dd5e2e653e4afbec915a896019f9ca31a26fba6e2ba47b2a380780ed090 | 648 | 2
AdFind Usage Detection | Janantha Marasinghe (https://github.com/blueteam0ps) | Sigma Integrated Rule Set (GitHub) | 1e88d14fe153e2c630eb9bdd7e321d7dc3d82670a31f1b36fc90cb6cbc362136 | 641 | 3
Suspicious Rundll32 Setupapi.dll Activity | Konstantin Grishchenko, oscd.community | Sigma Integrated Rule Set (GitHub) | f85bfb745e5bbdd54cf800d8d7e40f16b02685138c13830986a050536d69aa0d | 641 | 159
Verclsid.exe Runs COM Object | Victor Sergeev, oscd.community | Sigma Integrated Rule Set (GitHub) | 0cc6e99f887ebd84bef65b69e0c64f654364e79f53cf546f89d1507edd3bbb6b | 641 | 3
CobaltStrike Load by Rundll32 | Wojciech Lesicki | Sigma Integrated Rule Set (GitHub) | a92c2c006c3ed7f60668afcb77342db1049d166af7ab991eb0d6cd8c3e2b2a59 | 628 | 10
Execute DLL with spoofed extension | Joe Security | Joe Security Rule Set (GitHub) | 90c63349e180656f865f6206a06dbee57bd3226b32eb61fba3e6c7c4452d4e1d | 614 | 146
WMI Spawning Windows PowerShell | Markus Neis / @Karneades | Sigma Integrated Rule Set (GitHub) | 1ca8739651295d88708cb5ddfb7a115ae0d202152a80ee4c7871e62f3509c938 | 596 | 0
NetWire | Joe Security | Joe Security Rule Set (GitHub) | f1f1e749b0e91b9e079a2fb92be3e128291eda84c02064028a1d037f450f864c | 589 | 0
Droppers Exploiting CVE-2017-11882 | Florian Roth | Sigma Integrated Rule Set (GitHub) | ea2bef709a3e478516f914938492950992d22f0077ede5a561e60f2c092f4dec | 587 | 0
Powershell Download and Execute IEX | Joe Security | Joe Security Rule Set (GitHub) | 317ff64a1d49452191210f7b55d7201e483352440ec851a9c716f6be7cfb7ec9 | 583 | 4
Suspicious Listing of Network Connections | frack113 | Sigma Integrated Rule Set (GitHub) | 90412c9cf799f0ce454d95cf6bdbef8b1264fbcde3cd6b065ae6aee265882a86 | 580 | 2
Suspicious PowerShell Keywords | Florian Roth, Perez Diego (@darkquassar) | Sigma Integrated Rule Set (GitHub) | a5f575ade1f2aaba452086d3418d8a893e94b28e30da42ad98b58df4a4fe9c2d | 576 | 13
Tap Driver Installation | Daniil Yugoslavskiy, Ian Davis, oscd.community | Sigma Integrated Rule Set (GitHub) | 7bd4ba31d00dc2c285a409cd7939611accc6c2934992f8e9cd0ce8c32ad0c40c | 568 | 15
Logon Scripts (UserInitMprLogonScript) Registry | Tom Ueltschi (@c_APT_ure) | Sigma Integrated Rule Set (GitHub) | eb5ac2a9453d625eabdbb6cd9f3d499dc7ab375f902ebd8f915d5a3d033693ed | 565 | 50
Suspicious PowerShell Download | Florian Roth | Sigma Integrated Rule Set (GitHub) | 9e7977461c567e8bfbcdd316661d9ef710694b3de751c6ad76cf0dae3749c57b | 559 | 13
Bypass UAC via CMSTP | E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community | Sigma Integrated Rule Set (GitHub) | ae5debad574fb4590d5efc9d2e3614bb603a5670f3f9f926a42d2ecbf0de0291 | 554 | 3
North Korean RAT - BLINDINGCAN (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 6bb61b38bbb774f185f535cafe7a2fc3b848377409dde9963a571d825562c79a | 553 | 1
Register Jar In Run Key | Joe Security | Joe Security Rule Set (GitHub) | a251b526d9024ed7f489fe7b9c2182080e067f2d35068063c5fd326283d9b1ba | 544 | 0
Pass the Hash Activity 2 | Dave Kennedy, Jeff Warren (method) / David Vassallo (rule) | Sigma Integrated Rule Set (GitHub) | 1e58f3b3a12845dad6be8befe76f8a0368d994ad5b069e672ac85d329bf336ed | 523 | 0
Encoded PowerShell Command Line | Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community | Sigma Integrated Rule Set (GitHub) | 157d3e7415430b97001871f8aecb592075581e05187450141e56c252318f2b26 | 522 | 5
Unauthorized System Time Modification | @neu5ron | Sigma Integrated Rule Set (GitHub) | fd18f89d9ade39f1b15ef9cc31ce8423991e3c873567ec9edc2cb1a45ac79f69 | 516 | 2
Suspicious PowerShell Invocations - Specific | Florian Roth (rule), Jonhnathan Ribeiro | Sigma Integrated Rule Set (GitHub) | 5d6d29828f1f8db072b666bd85ae7074ac349c49205087a92da4084700e50657 | 515 | 12
Suspicious Service Installed | xknow (@xknow_infosec), xorxes (@xor_xes) | Sigma Integrated Rule Set (GitHub) | 7cbbf00cea5dc446cd78a75bf887ac0cc4816a0c14fb2fc31cb6c2e5043641e3 | 513 | 0
Suspicious Userinit Child Process | Florian Roth (rule), Samir Bousseaden (idea) | Sigma Integrated Rule Set (GitHub) | 1170a97b19098b92c7fea421765b81d0cea10e0140d9fed3c4d0769718c4b248 | 506 | 0
Application Whitelisting Bypass via DLL Loaded by odbcconf.exe | Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | e7b216cf44265cf356b012760fb4e0a6e04289ad81a1fe180bdb6b75c59729a0 | 487 | 0
Suspicious Curl Usage on Windows | Florian Roth | Sigma Integrated Rule Set (GitHub) | d86dfee683d0e96803dc8a153d15f7208afc774045e2d885ccaec10bdcef7831 | 474 | 27
CMSTP Execution Registry Event | Nik Seetharaman | Sigma Integrated Rule Set (GitHub) | ffeb4d256edb1234faf30da37a584025d92817eb5a21c5394c4c6d78e3922d95 | 468 | 5
CMSTP Execution | Nik Seetharaman | SOC Prime Threat Detection Marketplace | 58d4fbfb0b53744348e77deba3d12df957601d7b27fda30abc676523e9634cda | 460 | 3
Remote PowerShell Session Host Process (WinRM) | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | 9c155c1f00478f6dbc65e449bb4e1ee8d14ca444d40cbb52bd6406320ff20282 | 456 | 0
Query Registry | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | 218d6661cbefbe4342fb5e6f0aa14df5602a3a39691bb19b246644804e6d341f | 448 | 55
CVE-2021-1675 Print Spooler Exploitation Filename Pattern | Florian Roth | Sigma Integrated Rule Set (GitHub) | 873bf5dd3d347e031a1a45c3c7da75768415ed8da25fe6136b24881f29b6ba3b | 436 | 116
Quasar | Joe Security | Joe Security Rule Set (GitHub) | 295f36b4fe50737f7d27a3862ea45297f78efdf77ab2decd501b4a852765ceaf | 421 | 0
Suspicious RASdial Activity | juju4 | Sigma Integrated Rule Set (GitHub) | c182c186baaff4acc155d390da0732179995f7767ef1710ca041111414a157f6 | 419 | 6
Malicious Base64 Encoded PowerShell Keywords in Command Lines | John Lambert (rule) | Sigma Integrated Rule Set (GitHub) | 2741e38c5a55999659c8e2ffe6365a21db8ec070e03a5a2f78326209ada99b63 | 418 | 3
Suspicious Service DACL Modification | Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | 4e8b6e96f08290c2d17de56622ea6ab96e4e69ac05b74c3f70d52ed74f859533 | 416 | 0
Suspicious PROCEXP152.sys File Created In TMP | xknow (@xknow_infosec), xorxes (@xor_xes) | Sigma Integrated Rule Set (GitHub) | b33ac74e3c46a62df1698c5ebafdc2ab3f5907feff6e6ec1f73d273465b4aa5a | 403 | 0
Sticky Key Like Backdoor Usage | Florian Roth, @twjackomo, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | bec9d927518cb9af8ee98a6cde08e6a1f05090534e3b3c24e8ced8ae93e15311 | 402 | 3
Microsoft Workflow Compiler | Nik Seetharaman, frack113 | Sigma Integrated Rule Set (GitHub) | 360867571c752aa9ec6da95a6c3db7a37dda60e6627df594f31f89692b8063d0 | 392 | 0
LimeRAT | Joe Security | Joe Security Rule Set (GitHub) | 667c9dcf6079fd28997e3e2b10b629c8ddbbd7bdffee1889aef6476277791e13 | 381 | 0
Taskmgr as Parent | Florian Roth | Sigma Integrated Rule Set (GitHub) | bd4c20ecc3fa26779f917ddf7cd594af5a64805084e11c2a680ade82d77b01ed | 370 | 1
Procdump Usage | Florian Roth | Sigma Integrated Rule Set (GitHub) | c3f48ada664e96b916cbb2ed88c7f622ced143f3f9e2c039bd4516f81e1c1e4a | 365 | 1
Suspicious SYSTEM User Process Creation | Florian Roth (rule), David ANDRE (additional keywords) | Sigma Integrated Rule Set (GitHub) | d0b906c9286d892a8434845afa7551135e37841bdace5aa7fdf1c6bd9a823c73 | 361 | 14
Malicious behaviour on user login (Microsoft Windows - c0d0s0 group behavior) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | bf0f7d2a84916abcc597e4a38a6231519b38af0223147ef15e28c7ab83f47c7d | 355 | 6
Renamed PowerShell | Florian Roth, frack113 | Sigma Integrated Rule Set (GitHub) | 52606fbb97633e0a2c2581ff33bcb2bb212da3c00b02cbf971e5a0aa2f7b4cab | 340 | 4
CMSTP Execution | Nik Seetharaman | SOC Prime Threat Detection Marketplace | 7d8b8c88008f45dc07b07590cdf039437686d441d35e7204ba91a632ebc9439c | 338 | 1
Sticky Key Like Backdoor Usage | Florian Roth, @twjackomo, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | dd211e6e9cebdae07f1d14d61650061c791829402d134a1a9e064ae72b6c4cd9 | 337 | 0
Ryuk Ransomware | Florian Roth | Sigma Integrated Rule Set (GitHub) | 38e5073851afbf6c39ea309703c229e83988c6d3548896a389e9ef8795917947 | 329 | 0
File Dropped By EQNEDT32EXE | Joe Security | Joe Security Rule Set (GitHub) | 4740c645e33c5fbe1595ad953f030f0aa29f78fcbd141282536d02587eb05d0f | 327 | 0
Shadow Copies Creation Using Operating Systems Utilities | Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 16e1527c32b0f67a6b8e3dfaa73ba62c13f73f46a6b0d5962dd823d9ecac933c | 327 | 1
CMSTP Execution Process Creation | Nik Seetharaman | Sigma Integrated Rule Set (GitHub) | 4ef4d3aed2ed44386659d6aefb7649de9568189358f367fb8708d1870d19fdc7 | 318 | 1
Command Line Execution with Suspicious URL and AppData Strings | Florian Roth, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | 0585dd5b67e1bced48ad1dc8f9e0b66fd4e44c6e7c14dd5b385950c97e15b768 | 317 | 0
Qealler Detection Rule | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 2d552bed0d3218f870cdd17abb035a0f71ec2c158035fe612e2476aec61930f4 | 316 | 34
Steal Google chrome login data | Joe Security | Joe Security Rule Set (GitHub) | acba408186cae97e9de5ad46ba35ffdf61f94f181c5287bfd9e76aa1e5293b1b | 315 | 0
SecurityXploded Tool | Florian Roth | Sigma Integrated Rule Set (GitHub) | b097e888f96f943b0d94d7835326dbbc76b3cf117fd9407832fbace74cb60f48 | 311 | 3
Suspicious aspnet_compiler.exe Execution | frack113 | Sigma Integrated Rule Set (GitHub) | c72e2995683af253e803fa2fe4fb02eab21f864cf7e63657b4c1f5a21e5cd421 | 303 | 0
TA505 Dropper Load Pattern | Florian Roth | Sigma Integrated Rule Set (GitHub) | e6b2d2b9d4348a8c3ab985832a818688f8ed2f19e9f03c58867656810da91ae4 | 300 | 36
RDP Hijacking. RDP port changed. | Den Iuzvyk | SOC Prime Threat Detection Marketplace | a917e763c89ea31922fe3dede8cc03c807a8b52f1a6f9eb0152291fea14c9416 | 298 | 1
False Sysinternals Suite Tools | frack113 | Sigma Integrated Rule Set (GitHub) | 8652ffc2b3174864b7f93e2652bbeaa97cba1ce3a0949c10a85ea086c2478680 | 292 | 0
Suspicious Driver Install by pnputil.exe | Hai Vaknin @LuxNoBulIshit, Avihay eldad @aloneliassaf, Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 8fd9d688a4929d85f6ba829ccf0fe235ff5f6bcc6ac25306e6425671b81eaa80 | 286 | 3
Successful Overpass the Hash Attempt | Roberto Rodriguez (source), Dominik Schaudel (rule) | Sigma Integrated Rule Set (GitHub) | e0a74a014c641b36f56f6bab87d33f003162f1e4a4e97882d055aa0c2fbc4064 | 285 | 0
Registry Persistence via Explorer Run Key | Florian Roth, oscd.community | Sigma Integrated Rule Set (GitHub) | 1e3577ce99797b69eb40df7b9839ea82c3529cc36c44fdf5f4966c1966c44799 | 277 | 0
Suspicious PowerShell Cmdline | Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community | Sigma Integrated Rule Set (GitHub) | 474582c275339926ac17574ab90c8246d89014d6b66a4312e8e3edb7277ffba0 | 271 | 4
Powerup Write Hijack DLL | Subhash Popuri (@pbssubhash) | Sigma Integrated Rule Set (GitHub) | c50b384b3d0f5d468c48abf6ac8fd6095727405ed00d170aeadf0fc1b4add34b | 265 | 11
Spora Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 4dce473be53cdc44d945acff82c6e5ef53b3304748f9aebc8d4f586230520785 | 265 | 45
Lazarus Activity | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 735c9c8d6f2afa0f395d670a4d21f211de96cbab610a1a63b20bcc981d975f0f | 256 | 36
Emotet Process Creation | Florian Roth | Sigma Integrated Rule Set (GitHub) | ada08103432e4112d167b1d10f0fc02281936c8fcb181de17d5bca07755bac84 | 242 | 3
Register DLL with spoofed extension | Joe Security | Joe Security Rule Set (GitHub) | ff70195d476ffa7a3d8e0b1503ffeca1e8707431b00403dfa695732599b571f5 | 242 | 14
Suspicious PFX File Creation | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | ec56e35983955cbc753846d06d67ba2cf88a10a498711ceb84afe1322ca958a1 | 238 | 13
Ryuk Ransomware | Vasiliy Burov | Sigma Integrated Rule Set (GitHub) | 1a2c4b1ffc8f65b4edf9020cfc1b6203854d13592539752717c107cd6357489f | 231 | 4
Koadic Execution | wagga, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | c5d484cc0502bed15307c6bcc483ba03518aaa99ca3cca09b01da3ea57317777 | 230 | 0
CreateRemoteThread API and LoadLibrary | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | 7b3a31059be73d0a2a66f61915b2e5a4f5a37cea4d4de5e3cc8c24f5e2a310f1 | 228 | 4
Empire PowerShell Launch Parameters | Florian Roth | Sigma Integrated Rule Set (GitHub) | dae7277357ad237d5dfceb985bdbbaffa777a494f5cab14f067003795d395650 | 228 | 0
Office product drops script at suspicious location | Joe Security | Joe Security Rule Set (GitHub) | 67124e7349285a993dc331738db576ef56c6cb9724bf1cea7695561498a0fb35 | 228 | 6
Mounted Windows Admin Shares with net.exe | oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, wagga | Sigma Integrated Rule Set (GitHub) | 816c82737c8262b4f167d02b04198105def46bd23ea282a655786d387e88118c | 222 | 2
Whoami Execution Anomaly | Florian Roth | Sigma Integrated Rule Set (GitHub) | 05b85f64fdf521b059aab9daf9d75829fa4a5febd27fe09ac0224e405b57a654 | 221 | 10
Suspicious PowerShell Download Operation | Florian Roth | Sigma Integrated Rule Set (GitHub) | 2db1db0eb3649cc130ae953a4803853a8ff8e44f3c4a06d42ed49eb3cabfb696 | 215 | 5
Vicious Panda (COVID-19 Campaign) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | cf68f11f087c4b3b504b67cb0a9e4a499e486a6de10aee0811ab515d3336d7f1 | 213 | 0
PowerShell Deleted Mounted Share | oscd.community, @redcanary, Zach Stanford @svch0st | Sigma Integrated Rule Set (GitHub) | 7d4fc33c33fc31d17a2c9ee04cb6e1114c58cbeec3fa2b7cd4f5502b2d28d6ba | 211 | 3
Usage of Sysinternals Tools | Markus Neis | Sigma Integrated Rule Set (GitHub) | c718a898b26d6c8f64602f1b33c49df17864599a9ba4a879a1ac22848dbda174 | 211 | 0
Password Filter DLL Modification (Sysmon Behavior) | Den Iuzvyk | SOC Prime Threat Detection Marketplace | cdcaebb2c5505eed7b1cf8cbaff3316fe62d1be1354a3d77d6e25bca67c753d6 | 210 | 5
Bad Opsec Powershell Code Artifacts | ok @securonix invrep_de, oscd.community | Sigma Integrated Rule Set (GitHub) | c5b3ab9b3a0221a66b1da487bf7bd851b4f9cf0a8e2b7b22e659e5fd42b40815 | 209 | 6
CrackMapExec PowerShell Obfuscation | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | c5f36e07dfb01984d08d19db1fe7f194936f079b371ab900d58eff493b972744 | 205 | 1
ilasm.exe execution | Den iuzvyk | SOC Prime Threat Detection Marketplace | 382ffab0f18db16a9fabc5be94893af76646b4a1c35d436ba2ae16961943008e | 203 | 0
Windows Webshell Creation | Beyu Denis, oscd.community | Sigma Integrated Rule Set (GitHub) | a52a436bb2117d8c22878afc1facac963ffa5feca0046433c94396c44991c948 | 195 | 40
Always Install Elevated MSI Spawned Cmd And Powershell | Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community | Sigma Integrated Rule Set (GitHub) | 742d7b1dbef016ab3810ec50354e231948fa035c8cacfec6b18f3a8fba03c2dc | 191 | 15
UAC Bypass Tool UACMe | Christian Burkard | Sigma Integrated Rule Set (GitHub) | 3c4f6f1af78c01c8d7d6fcdd27c3167044933fcdf73f667e973ce1068765ea16 | 191 | 0
ap
Malicious Sean Metcalf (source), Florian Roth bbb841b3f1cb3bdb122737ca
Sigma Integrated
PowerShell (rule), Bartlomiej Czyz @bczyz1 0755cb93d982ecca4651de28 190 10
Rule Set (GitHub)
Commandlets (update), oscd.community (update) 22af469b59071f87

SOC Prime Threat 4e8573bf949d0f277bff56a18


st

DUNIHI Malware Ariel Millahuel Detection b256181b950262693a43cfad 178 0


Marketplace 1d247e035aec8b5
4b3ac3a4fac3672c92791075c
Check external IP Joe Security Rule
In

Joe Security 26f1e10555eb3385628b923b 174 0


via Powershell Set (GitHub)
ccd8cbbd5dc83a1
MSBuild 86905c36f5c4e855311f70272
Joe Security Rule
connects to smtp Joe Security 3eec0c6a4dc9e9992fcec9b2d 169 0
Set (GitHub)
port dcce685b7c2e09
Malicious 5bd56545b7e384edee75e37
Sean Metcalf (source), Florian Roth Sigma Integrated
PowerShell 8b7ee025e05f6bcb012607cb 159 9
(rule) Rule Set (GitHub)
Keywords 6425ccedd54fdb070
Powershell 1b46ecd9aa9660208e7f7cbb
Sigma Integrated
Reverse Shell FPT.EagleEye, wagga 3e4ad79d7fc469adb5c2c5dc 159 6
Rule Set (GitHub)
Connection 81af712ebce9b80c
Covenant 2957c0808592ab632134afd6
Florian Roth, Jonhnathan Ribeiro, Sigma Integrated
Launcher 3650be8c47697a8350bb5cb1 156 0
oscd.community Rule Set (GitHub)
Indicators 9a8272b9da595777

SOC Prime Threat 44649563045e4b39ea5ec24c


NjRat Detection
Ariel Millahuel Detection 20ca7aa44cde80384aa9b3de 156 0
Rule
Marketplace 04a8bb30862d934e
Usage of c2020adce966e19fbcd161d9
Sigma Integrated
Sysinternals Markus Neis dfee7f79c0db26018d089ec9 154 10
Rule Set (GitHub)
Tools 5e78e41a583fe0bd
Florian Roth, oscd.community,
253df726683ee378cff180cb3
Copy from Teymur Kheirkhabarov Sigma Integrated
2526ec9f10b897edda084113 152 0
Admin Share @HeirhabarovT, Zach Stanford Rule Set (GitHub)
b11cbeba118fbe3
@svch0st

Suspicious SOC Prime Threat 2f0a10e6befc35eb8cf3d8af8


exeplorer.exe Den Iuzvyk Detection 9b1db1a84a53b5aff114a90c 152 4
execution Marketplace 2d1b0a3a697d1ac
0c3e5c376a4a569ab4a4f321
Reg Disable Sigma Integrated
Florian Roth, John Lambert (idea) 7dd009bb34e695e5fa82da85 151 2
Security Service Rule Set (GitHub)
111db47f2b801bc9
Office
58a51088691ea6b0bb320e6
Applications Vadim Khrykov (ThreatIntel), Sigma Integrated
1f961a96216f54913353095e 144 0
Spawning Wmi Cyb3rEng (Rule) Rule Set (GitHub)
97a5b5c6e94ce74fa
Cli
d1138c20627ece208ac94864
Sigma Integrated
Use of CLIP frack113 7342866415641b065108304 144 0

.in
Rule Set (GitHub)
49eb2bf7d2f32e4af

Detect
3cbde0faee76f7509cfde702c
Virtualbox Driver Sigma Integrated
Janantha Marasinghe 1c324a83ac88cb58f0e0f74b2 143 2
Installation OR Rule Set (GitHub)
df 682a9b60369b1e
Starting Of VMs
0febc469c613c6ae3155a46fb
Regsvr32 Flags Sigma Integrated
Florian Roth 291f1ebf74d38c09b1dbb547 142 6
Anomaly Rule Set (GitHub)
ap
8c2f9f36af7b599
1c7a83aaaaf300f7e44e59746
Trickbot Sigma Integrated
Florian Roth 5797c7e812cc0c684756d1be 141 0
Malware Activity Rule Set (GitHub)
37d0ac7acf0dc5c
c70694dd88c0a5a32ad8a52e
Run temp file via Joe Security Rule
st

Joe Security f4ad97a6525c281308ba84e7 140 17


regsvr32 Set (GitHub)
91661580aab19264

SOC Prime Threat aa09c929bbf92e934dc58432


MZRevenge
Ariel Millahuel Detection 4a80a81643f2c336dba38293 139 25
In

Ransomware
Marketplace 142077f86bdde84b
Suspicious
comandline SOC Prime Threat c6bf20aec5b9dd748265363c
paramethers(she Den Iuzvyk Detection 7d01846ca0a5fc666f1114770 139 5
llcode in the Marketplace a8bb7f5e764e4e2
command line)
Possible Shim
f228d8546016f76e5942e382
Database Sigma Integrated
Markus Neis 08fa8a55735339d54ec3f56e 134 2
Persistence via Rule Set (GitHub)
63b2b9133b037a7c
sdbinst.exe
Delete Shadow d91fb994dcf44dbdd52950e6
Joe Security Rule
Copy Via Joe Security db5cdf99eba912926494deb2 131 0
Set (GitHub)
Powershell f92f3f2dbf232740
Malicious
a76fa0f689961152a23aa5f20
PowerShell Sigma Integrated
Markus Neis 9a6af1314317a976fc0ce87fc 131 2
Commandlet Rule Set (GitHub)
515430cd043c5a
Names
Exfiltration and 6ba70df29bf2469a0e793122
Daniil Yugoslavskiy, Sigma Integrated
Tunneling Tools 6da06a144c5e9044543a14e1 129 1
oscd.community Rule Set (GitHub)
Execution fae2bcd6c17f9374
Finger.exe 7014c2ce26877573641173ba
Florian Roth, omkar72, Sigma Integrated
Suspicious 99dcd8d8af4f637986c42be1 129 0
oscd.community Rule Set (GitHub)
Invocation 9651a8a37c5ead6f
1d6ad51b3643427cc3820deb
UAC Bypass via Sigma Integrated
Florian Roth c181e8c8a71afff1bee864263 128 2
Event Viewer Rule Set (GitHub)
2fd392fde905cf6
d37f057d76500ae8527178a9
UAC Bypass via Sigma Integrated
Florian Roth ea367395f2bde798f1cd0486 128 0
Event Viewer Rule Set (GitHub)
21be74f915b28aa7
Rule Title | Rule Author | Ruleset Name | ID | #Files | #Undetected Files
Fsutil Suspicious Invocation | Ecco, E.M. Anhaus, oscd.community | Sigma Integrated Rule Set (GitHub) | 4b8a086b898ff9eb51b0489b98e2619d0c9fe2cd94e29325ec8a4c2250220b8e | 127 | 0
Lokibot Detection Rule | Ariel Millahuel | SOC Prime Threat Detection Marketplace | be942c1d0e5d410fdd49ca407572405db53d2cebec6927a56b86b1bf02d58983 | 126 | 0
Suspicious Curl File Upload | Florian Roth | Sigma Integrated Rule Set (GitHub) | 63ca787b0e9b439877ff859851c650e60a39c37447b6c96420cafc38d94331db | 123 | 7
Vulnerable Dell BIOS Update Driver Load | Florian Roth | Sigma Integrated Rule Set (GitHub) | 10577bdb5cec4b94b7c1d5ddcb04041555da105e51850313907d995a05c68dee | 123 | 18
Removal of Potential COM Hijacking Registry Keys | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 85b8f7bd2db84db2632bf9e5b9b9402e829785f546868fe1a62c7a6002a6eb60 | 122 | 1
Raccine Uninstall | Florian Roth | Sigma Integrated Rule Set (GitHub) | ce4fb10349cd95756b2f98a27b259d71c99ec9e0323815f2e916737fcbd1d4ba | 120 | 0
Remove Windows Defender Definition Files | frack113 | Sigma Integrated Rule Set (GitHub) | bde07bc9414d410eaf67f99408a24b51b4b8d186451e641a9a90076cfac22613 | 120 | 0
Suspicious WMI Execution Using Rundll32 | Florian Roth | Sigma Integrated Rule Set (GitHub) | 97abad7c8edb5cdf286b45712f14b577d1653fa738d3d330a0473a1d48e5aac4 | 120 | 0
Netsh RDP Port Opening | Sander Wiebing | Sigma Integrated Rule Set (GitHub) | 0edbdff715350e06427add8d168d0d14de79ec048ea17f4a243589e2ccdc63df | 119 | 3
Renamed SysInternals Debug View | Florian Roth | Sigma Integrated Rule Set (GitHub) | 1de55c288a6fd75ce590378bcc3b9bf02a66b8d45de5928d17d08339f5182586 | 119 | 2
Socelars Malware (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 3b19facf348c1fe8db660733298928cb749e5dafe84ca3025f86b31129352e51 | 119 | 0
credwiz.exe DLL side loading | Den Iuzvyk | SOC Prime Threat Detection Marketplace | d83f2abd95409ecc8fb4d4930072a48b4a677def3d31b022a95e99d5873fc27a | 117 | 1
Ramsay Malware Behavior | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 9a24e548df204cab86a6489b32a696d4f00e8933893536c518bc73e457c7f3a0 | 116 | 0
Suspicious Scripting in a WMI Consumer | Florian Roth, Jonhnathan Ribeiro | Sigma Integrated Rule Set (GitHub) | aa9824d65395eec625b665851ca4456503a8111e058eab9487c34500b30ee31f | 115 | 0
Suspicious Use of Procdump | Florian Roth | Sigma Integrated Rule Set (GitHub) | bf45bfecf2446b7f2b7904bc35a7006ea9bfae3e8ba4d6ab35dfcb00095b0b9d | 115 | 17
Lazarus Session Highjacker | Trent Liffick (@tliffick), Bartlomiej Czyz (@bczyz1) | Sigma Integrated Rule Set (GitHub) | d945c7338838af1692c329f71f050302338029127281ca66006ba926c9a9d854 | 114 | 0
Logon Scripts (UserInitMprLogonScript) | Tom Ueltschi (@c_APT_ure) | Sigma Integrated Rule Set (GitHub) | 72753d1df5ca47138f6ac3de80cfbfccccb39052c6331addbb419e2b4a2f9752 | 113 | 0
Renamed PsExec | Florian Roth | Sigma Integrated Rule Set (GitHub) | d266707276cd7f46b3d33b3a78f17f69e9160d8f795bf07d8c7020b49aad1da3 | 113 | 4
Command Line Path Traversal Evasion | Christian Burkard | Sigma Integrated Rule Set (GitHub) | 2a64ca949e5ce433b70a21b4be0e71e5ad0cd2465395fd093410ce2d33177cdc | 112 | 0
North Korean RAT - BLINDINGCAN (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | e8ccfecc9a57c342fda105daa1ce14b8913cb320d668dec39aa2e246fd6edbe7 | 111 | 0
Kill multiple process | Joe Security | Joe Security Rule Set (GitHub) | 868e81758b31ab7d5c37adbd3798dbc1effacb9eeaad44e5f6c5f41c409fb786 | 109 | 0
Stop multiple services | Joe Security | Joe Security Rule Set (GitHub) | 2319d1843957b572c6e41e1d83656e12eac1e5e75f59ac1ccc309c2b00e9ef86 | 106 | 0
Registry Persistence Mechanisms | Karneades, Jonhnathan Ribeiro | Sigma Integrated Rule Set (GitHub) | 94ec0949b00016f88171e5d46125aad5bcbd3980d50085c2ae009dcd34e39190 | 105 | 11
Suspicious Shells Spawn by Java Utility Keytool | Andreas Hunkeler (@Karneades) | Sigma Integrated Rule Set (GitHub) | b7e93e0475f0c46a1c6bfd3f1f401e0a34bb9c8d73e2308101ed1368b5189de0 | 103 | 0
Writing Of Malicious Files To The Fonts Folder | Sreeman | Sigma Integrated Rule Set (GitHub) | 50cc064f594178311fd316bf296afdcb85c962c45cbc15ab0984ca5de2940d67 | 101 | 0
Firewall Disabled via Netsh | Fatih Sirin | Sigma Integrated Rule Set (GitHub) | 5a783ec4b26d8a6276f21c1226c5896266e2591f44f079ca9950892310b00429 | 99 | 2
VSSAudit Security Event Source Registration | Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR) | Sigma Integrated Rule Set (GitHub) | 82ec398800a85ecb732c915486c59e1a4abe901700e658ccab6308f47245e33e | 99 | 1
Curl Start Combination | Sreeman | Sigma Integrated Rule Set (GitHub) | 78dc71a5599dc85b3d37a6ab0f014aa5110b2ce1b2346c8f2730e0c481977781 | 98 | 2
Advanced IP Scanner | @ROxPinTeddy, Nasreddine Bencherchali @nas_bench | Sigma Integrated Rule Set (GitHub) | eba28e9e2b6ff9e170e3534ea8b1e863757d5c976a9a84e4bbf5bd6ffeea5325 | 97 | 57
Shedule hidden powershell script | Joe Security | Joe Security Rule Set (GitHub) | 9277300d8dfe7cfc29e41129553c4d7c59c4b709d4b1716c8fe9cc037c9bc29d | 94 | 3
SoreFang Malware (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | ef69867dec66e047e8894803bca76813e63b7a2f0d2bc6938e903f4accf5ae76 | 94 | 16
Bloodhound and Sharphound Hack Tool | Florian Roth | Sigma Integrated Rule Set (GitHub) | cfc47087b4c2d98cee5d80b1383b55212d8fe298ebc880e15c894f55123fa95a | 93 | 0
Shells Spawn by Java | Andreas Hunkeler (@Karneades) | Sigma Integrated Rule Set (GitHub) | 0eced37f0ea111b4f9b0de81cecda56610adc30fad4061274a488187f71b395d | 93 | 2
Wake-On-Lan | Joe Security | Joe Security Rule Set (GitHub) | 7695d2af7ecb7540baa69cd6442745f2c3bdd83d21c904b7a09b2d560c123439 | 93 | 0
Security Support Provider (SSP) Added to LSA Configuration | iwillkeepwatch | Sigma Integrated Rule Set (GitHub) | 303ed88ac4fc55c5f589ac99388d35769e708b361f23a767523b143a6751efc0 | 92 | 1
Greenbug Campaign Indicators | Florian Roth | Sigma Integrated Rule Set (GitHub) | f29ccc5a8616c9c1119e794b857a0425268bf5ee86863b612092ec5e045863ed | 90 | 1
Malicious Nishang PowerShell Commandlets | Alec Costello | Sigma Integrated Rule Set (GitHub) | b80c35f99523537c476487e505edb0c210eea308fa18707fdcd5aa54d136e3ce | 90 | 1
Suspicious Code Page Switch | Florian Roth, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | 843024550fd9239f814fd3dcd7f1f768fe7316501173bb485e673bdb9abf1d63 | 88 | 1
Powershell launch regsvr32 | Joe Security | Joe Security Rule Set (GitHub) | 59bdcb50161e15e215ceab8d779ba112cc633a8bde418fc87d450d05d5e78a78 | 86 | 2
Harvesting of Wifi Credentials Using netsh.exe | Andreas Hunkeler (@Karneades), oscd.community | Sigma Integrated Rule Set (GitHub) | 9d07a4fa9892ca001b30724fd1594eff85b72585c8f1106889da7e97608509b4 | 83 | 0
Run Whoami as SYSTEM | Teymur Kheirkhabarov | Sigma Integrated Rule Set (GitHub) | 6af189a96d12cb443ce812c507e6b5326d70cc43e4f8a8b179fd45d5acee44bd | 82 | 4
Control Panel Items | Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_) | Sigma Integrated Rule Set (GitHub) | 2f683c72a6ae438b4161918b9e82bb9c7e09f701f65f85be9231ced52084f219 | 80 | 4
MsiExec Web Install | Florian Roth | Sigma Integrated Rule Set (GitHub) | c56598b1a4dc67703e332a7df820b31b6690ea40d2352aead9f77f441f6f5b2d | 80 | 0
Dynamic C Sharp Compile Artefact | frack113 | Sigma Integrated Rule Set (GitHub) | 764276dba9654bf07d000fa390ae98de360ac172927cf3ef64f2db6c5b9be3b2 | 79 | 0
Saefko RAT (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | e036021928c6159521691ec6551a2b2c660a651ff2c69171bb3db4fc676b2e17 | 78 | 0
High Integrity Sdclt Process | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 9076ea2849a39de53427fc7d336a9132ac1d6dea68e77efa6abafebd89ee90c9 | 77 | 0
UAC Bypass Using PkgMgr and DISM | Christian Burkard | Sigma Integrated Rule Set (GitHub) | 5b0ad2dce2b0a9bde121d5016b3379c08f507ccce3f43e43a65fe518a16ba50c | 76 | 1
Domain Trust Discovery | E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, omkar72 | Sigma Integrated Rule Set (GitHub) | e5bf067d8fc5f77622680e942156a44de63eda6026750ac80c29d0304dca435e | 74 | 0
Modification Of Existing Services For Persistence | Sreeman | Sigma Integrated Rule Set (GitHub) | 01b2124bf0e9019139ef617d15b67080610ffd3584d4fa0cf7c646bd3f11853b | 73 | 0
Suspicious Execution of Systeminfo | frack113 | Sigma Integrated Rule Set (GitHub) | f2a81aa24c1d19a09711179a71cd58fe057ab277cbef8632cc6a9281d5cf87dd | 73 | 4
WinDivert Driver Load | Florian Roth | Sigma Integrated Rule Set (GitHub) | b7ad594d8528d4ee4c0201b1a0852d42e9fc45976e984ed534f502290031e73a | 71 | 4
Office Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Sigma Integrated Rule Set (GitHub) | 0533bf39f662d089d6f317f51a9329a2865ffc0d84552c58c39a8d35672474a4 | 70 | 11
Abusing Findstr for Defense Evasion | Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative | Sigma Integrated Rule Set (GitHub) | 47d19568dce3538a5fd8f2ddbd8388f28dbd91d200dc9a91d8166cb957ace155 | 68 | 4
Sdclt Child Processes | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 440b98d4bf30e3c39e7c17aa21aaa561647a4230e418cf901961b1604e27877c | 68 | 0
Ngrok Usage | Florian Roth | Sigma Integrated Rule Set (GitHub) | c2e9abacba241e42d67c8d6ae1523533d3cb9769cf7315d401744e4266f91ffc | 67 | 3
Recon Activity with NLTEST | Craig Young, oscd.community, Georg Lauenstein | Sigma Integrated Rule Set (GitHub) | 1419b2c28c143f7062ef95f941065d5327c65890cab58ade41efd168132d8b3b | 67 | 0
SMB Relay Attack Tools | Florian Roth | Sigma Integrated Rule Set (GitHub) | d702a3f44f93b4f3f9c5cd7b73d3901b2db7d1b3db3e051b5135849e3f812ecb | 66 | 0
Application Whitelisting Bypass via Dnx.exe | Beyu Denis, oscd.community | Sigma Integrated Rule Set (GitHub) | da46c4a25c9b1a9291dd79b4539957b5ab71a6f2d75da9a90cfe48f74048a9a9 | 65 | 0
Data Compressed - rar.exe | Timur Zinniatullin, E.M. Anhaus, oscd.community | Sigma Integrated Rule Set (GitHub) | e5fedf5f2a45c0555943282d3dd05186495acc374df19f7735f92d6d648dd1bb | 65 | 0
Malicious PowerView PowerShell Commandlets | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | c9a0fa3e3f43c8762528ddcca56a26673a3f37eb9077f2657884e8b847fb9ba8 | 63 | 10
Suspicious Reconnaissance Activity | Florian Roth, omkar72 | Sigma Integrated Rule Set (GitHub) | 6782835a8af9329207a47fe5076c3dff20a8803bafbda97ddc938ae379eaf8df | 62 | 0
CMSTP Execution | Nik Seetharaman | Sigma Integrated Rule Set (GitHub) | ba18b1afcbf41aa13fd2cd7dc8e323b09854c6f046b4a98d07c2ea5d751d7584 | 61 | 0
Internet Explorer Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Sigma Integrated Rule Set (GitHub) | 11ecb99add36c59a082a478e7c117545e6404a0b28c77c007c135739df91a489 | 61 | 3
Malicious Windows Script Components File Execution by TAEF Detection | Agro (@agro_sev) oscd.community | Sigma Integrated Rule Set (GitHub) | 1aed5dfd628d749d7b679eefe579532b3ff3ca46fecf65776910e7de7aaa6148 | 61 | 0
MSHTA Spwaned by SVCHOST | Markus Neis | Sigma Integrated Rule Set (GitHub) | c1db9b15fbf203a696f2047d6ce2c7c32283587487a72c4333b63b8005e6a37c | 60 | 1
WMI Persistence - Script Event Consumer | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 3b638ebc248d5ac99c1adb404e0b5f4adc3784b9af6f02b296381a950e9e8fdf | 60 | 0
WMI Persistence - Script Event Consumer File Write | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | f4ab9cd44db2481795fe0edd858471bda0d0b73d8e406124bf76a2a074ac5360 | 60 | 0
Powershell add exclusion path, extension and process | Joe Security | Joe Security Rule Set (GitHub) | 177e7b167f988da0ec82090f6aaaa1ad7e74609b6832a0abb8759bc9e652fee2 | 59 | 0
Windows Credential Editor Registry | Florian Roth | Sigma Integrated Rule Set (GitHub) | 6ebbbc78481d8b5c75483ddb2c7045a006678cbfbd915c2e6d0c0e5d2dfb736d | 59 | 0
CoViper Malware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | c388ee7bf8678acd149ab04cc3dc6f3d923b3c2a7684f42de0c984c16de1c023 | 58 | 0
Invoke-Obfuscation COMPRESS OBFUSCATION | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | 40db318f5624034dad47f954fe3a2bc47f2e09bc7d14e2311481d406665bde6a | 58 | 0
Suspicious Debugger Registration Cmdline | Florian Roth, oscd.community, Jonhnathan Ribeiro | Sigma Integrated Rule Set (GitHub) | bf194ab090c7130529a9fd6a7f876d5fc008ceecf627db81eef41431ffaa3c53 | 57 | 1
Rar with Password or Compression Level | @ROxPinTeddy | Sigma Integrated Rule Set (GitHub) | 02930d34935e0616b2711790272271498e2a5a03bcf66372f0985d2e89cee1af | 55 | 7
Encoded FromBase64String | Florian Roth | Sigma Integrated Rule Set (GitHub) | b079b9bebaa7ac01f379d6d83aa123ec20bc9068b9a097e09aec5f87b42d91d1 | 54 | 2
Suspicious PowerShell Invocations - Generic | Florian Roth (rule) | Sigma Integrated Rule Set (GitHub) | 20f6c9f89613e81c3c83ed81ee4dd3f5793d5910ebc8fbc5330174a7a74ecb54 | 54 | 0
MMC Spawning Windows Shell | Karneades, Swisscom CSIRT | Sigma Integrated Rule Set (GitHub) | db1e0cf723dcd4169ac8bc1fb3f0679715ccb323d3a3e42e23cc811efa0d9e98 | 53 | 0
PsExec Service Start | Florian Roth | Sigma Integrated Rule Set (GitHub) | 7e4741cdaf6a396a8d975ad542687436b6beda2f0282db17805ebf9b52098289 | 53 | 0
CertReq.exe Lolbin | Den Iuzvyk | SOC Prime Threat Detection Marketplace | bc9b5e9188d37350da57ebc0b5b9ccc8a2ee828e827a15edb38904b64317a291 | 50 | 0
DNS Exfiltration and Tunneling Tools Execution | Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | b5eeb195cf8da826ce09652556c789913808b5869a15ad6d6771d084721b65e0 | 50 | 0
WinSock2 Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Sigma Integrated Rule Set (GitHub) | 688632515df3a00cecdf2ee4e9316bea52edf73c9cb0889c10d336de857c293c | 50 | 1
PipeMon malware detection (Winnti Group) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 7f7471486789b0240cf2b95271088889269baee8e3fb42b0cdb6d71d7d37588d | 49 | 17
Suspicious Netsh DLL Persistence | Victor Sergeev, oscd.community | Sigma Integrated Rule Set (GitHub) | cfb3049a2fd55cd1ff6721dc9b502008c4449922474c40b20b8f6fab4f51ce02 | 46 | 1
Suspicious WebDav Client Execution | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 27f312fa081c26ea0c76a26a31e9c6fe7a974b36000c89db9e288fd1ca3a6e9e | 46 | 1
Schedule script from internet via mshta | Joe Security | Joe Security Rule Set (GitHub) | a3c2a24a999f3a9870f6ace27e73e7bdf30d18dcf0bc4873bfe196f5bec81ad4 | 45 | 0
Automated Collection Command Prompt | frack113 | Sigma Integrated Rule Set (GitHub) | 511fcd38b1cd4057f3b3568707032548bac72899a4b3c932f3614c6d89d417bd | 44 | 0
Explorer Root Flag Process Tree Break | Florian Roth | Sigma Integrated Rule Set (GitHub) | d44e9b6572a6737a34b18fd89f757237729293ed9959e5be7dd05d63e7f78622 | 44 | 4
Execute Scriptlet from internet Via Regsvr32 | Joe Security | Joe Security Rule Set (GitHub) | 1dfe86ef579952e7d83c7cab84e28986946f0660fc39224c8c471d29300a9885 | 43 | 0
Run Whoami Showing Privileges | Florian Roth | Sigma Integrated Rule Set (GitHub) | a9f6af870a74ed20bfbc784983dc7fa8aae28d336e2f79a8fa8b72c32d6a9fa0 | 43 | 1
Cmdkey Cached Credentials Recon | jmallette | Sigma Integrated Rule Set (GitHub) | 396c0639fa0d38dbd62b1c1baa0fae0b008178fb81dfebaf1cc70a858c610190 | 42 | 3
MMC20 Lateral Movement | @2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea) | Sigma Integrated Rule Set (GitHub) | 047087ddae3ef4f27e871131c79addb166cb71593c4fb795a5d119d4d78cd0a7 | 42 | 2
Mounted Share Deleted | oscd.community, @redcanary, Zach Stanford @svch0st | Sigma Integrated Rule Set (GitHub) | 407e4bde1473325159e680d149f0f254239a0a299c46a43635758710d7592f65 | 42 | 1
PsExec Tool Execution | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 0846916c3d5af2a322cf42210119c1d28945f9733c842830a4caf16597462ac0 | 42 | 0
Monitoring For Persistence Via BITS | Sreeman | Sigma Integrated Rule Set (GitHub) | f9b2dcdba235a40678fcd4411540f98adc4caca054a247054eba6b040b37243e | 41 | 0
UAC Bypass via Sdclt | Omer Yampel, Christian Burkard | Sigma Integrated Rule Set (GitHub) | 9e30ed5d0167ae542ae090b30e0049496a63c5c9c63bb37e80d62532640cfc6b | 41 | 0
Powershell downloading file from url shortener site | Joe Security | Joe Security Rule Set (GitHub) | f05d1fcd81ae053d34629eef4e2f082dd51622b2535713f47860649c3619d085 | 40 | 1
PsExec Tool Execution | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 2638e4eb6733f565f75759fc7f3c7b2ce2d92f7a231f14859cad11aa82b929e9 | 39 | 0
Schedule VBS From Appdata | Joe Security | Joe Security Rule Set (GitHub) | b16d941c7cf2248881a4d3da266d63655713389cafe7f2606ceb2b73fbace067 | 39 | 0
Winlogon Helper DLL | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | 071f1cce27ada52da178afa07fd609ed14967f9058b386611411962f4c56b665 | 39 | 1
Automated Collection Command PowerShell | frack113 | Sigma Integrated Rule Set (GitHub) | beee5a67cef9cbdfd4d0e1db0dc60dff160df233b0948d9988a2ca819a41727c | 38 | 4
PowerShell Get Clipboard | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 8a27ef77773c5b6e0ce2da04cdccf4f14f01015bd4dfadcb9f07ab0905d766a0 | 38 | 1
SquiblyTwo | Markus Neis / Florian Roth | Sigma Integrated Rule Set (GitHub) | 293439c3a9a4af09073b054953f425c95028a6ac98eddc611a461090bd1f3373 | 38 | 0
Commun Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Sigma Integrated Rule Set (GitHub) | aa1c4ee10caaa9d521b34246c51e0c22c8af0a4b7fdb1cdd9faf1182ef6dd14c | 37 | 0
Suspicious DIR Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 7752bbd4e940ef58081260cfa45b4ac6b149e2cecb836d79f5e61bfbdc237105 | 37 | 0
Suspicious Execution of Shutdown | frack113 | Sigma Integrated Rule Set (GitHub) | 157ee4e95270f64481c50464c0e4766830e1e2b38b214a98f9e3f977857c6c69 | 36 | 0
Sysprep on AppData Folder | Florian Roth | Sigma Integrated Rule Set (GitHub) | 76d39c4238c645e864f006400ab59ebda393cfe12db20d6f7ec44eac3b27f6b3 | 36 | 0
PsExec Tool Execution | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 91a0bf780670902c97c569d46226158bdd49738004799b58cd63cc4c9d63ea55 | 35 | 0
RDP Hijacking. Terminal Services Manipulation. | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 3d69986e07af4e5398ea63ef3256bdbbd6215aa1823e591de5088f16896f0c5d | 35 | 0
MSBuild execute suspicous task | Joe Security | Joe Security Rule Set (GitHub) | 850ce3b49e2fc441426c3b9ec59e195d417194b461fe480e76d2482bcd20112d | 34 | 0
Psexec Accepteula Condition | omkar72 - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html | Sigma Integrated Rule Set (GitHub) | 38908b57fac2bfb8f5f8466c64aa654432aa3d6f14700b122a4c4afb85f51879 | 34 | 0
TAINTEDSCRIBE - North Korean Trojan (Hidden Cobra) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 97f6a22231c4c8e243c104bf226d8fd3875f335f00fc724750e6b691770fbc5a | 34 | 9
Suspicious Use of Procdump on LSASS | Florian Roth | Sigma Integrated Rule Set (GitHub) | a6a60c80601bd33b44e65b559f9e53c0b9237ab7f54ca97530065cd494662e3b | 33 | 0
LSASS Memory Dump File Creation | Teymur Kheirkhabarov, oscd.community | Sigma Integrated Rule Set (GitHub) | b0e4aa7c882545a1b46a09c373f3abc99ee9ad92c5cb99e1b8764356501b3059 | 31 | 0
Meterpreter or Cobalt Strike Getsystem Service Start | Teymur Kheirkhabarov, Ecco, Florian Roth | Sigma Integrated Rule Set (GitHub) | 22ddfce5e8a79e957f4dbdceb97e27d764b010d395a20fd45cf95a20d02b53e9 | 31 | 0
Netsh Port Forwarding | Florian Roth, omkar72, oscd.community | Sigma Integrated Rule Set (GitHub) | 00fb9d21500af7c2b136a91e80c983e8f98843c063a63898c2775d7a5a91efa9 | 31 | 0
Powershell download and load assembly | Joe Security | Joe Security Rule Set (GitHub) | 32fcfd50f2fcf0aa58bebfbfb09b7e32b7349a17a5c1aaea5b18783f458c4e9d | 31 | 0
Suspicious Execution of Powershell with Base64 | frack113 | Sigma Integrated Rule Set (GitHub) | eb75f9de2201bfad4ef177dca85b0b8fa8e5a86ba2357af5301f72acbc5eb144 | 31 | 0
Suspicious Parent of Csc.exe | Florian Roth | Sigma Integrated Rule Set (GitHub) | b0e07fc365ce0d0690c84a20e3467a5be2301d1c4de1e87bcbb9cb9ea841222c | 31 | 0
Possible Process Enumeration (Sysmon/Windows Logs). | Roman Ranskyi | SOC Prime Threat Detection Marketplace | 1b3947466060dff55a89da9e24ec34cca8df9c4dbf704a3b3a9120eb3df96e3a | 30 | 1
Turla Service Install | Florian Roth | Sigma Integrated Rule Set (GitHub) | 8d5d550c1852a70e22df794241027e8fda50a74f9c87728f63752437404f20a8 | 30 | 0
Detected Windows Software Discovery | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 2f2546b453b2e10b60c4d6b1345bc05c2dc99e42daef2e236a11005d772937ad | 29 | 2
Impacket Tool Execution | Florian Roth | Sigma Integrated Rule Set (GitHub) | bcdf3f22e3474c8f1ea65e450422f64bc2fb74de766f420de7cd57827679d7f7 | 29 | 0
Suspicious WMI Reconnaissance | frack113 | Sigma Integrated Rule Set (GitHub) | c64577166c54aa12e6fafe9322a15fd35e2e359c52a4b545c470853d848557ec | 29 | 3
TrustedPath UAC Bypass Pattern | Florian Roth | Sigma Integrated Rule Set (GitHub) | 804e7993351b779b371021d0b762692107233efc595e1171e5f9ebc62b851247 | 29 | 0
Malicious behaviour on user login (Microsoft Windows - c0d0s0 group behavior) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 27774785c899a25659566662ca41aadd02b66d6eb728811937ebaae069d82f5a | 28 | 1
Suspicious Atbroker Execution | Mateusz Wydra, oscd.community | Sigma Integrated Rule Set (GitHub) | 842f615741b9cfb621f4ae3f95d42e256251fe082e0f4c533c1633ffcc70adb8 | 28 | 0
QBot Process Creation | Florian Roth | Sigma Integrated Rule Set (GitHub) | 0453733ce01d4d10623584c342bf2a905ff761f1fb7b0bfbadcb80e8d940c32b | 27 | 0
Sysinternals SDelete Registry Keys | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | d5a8c01fb27702ba8f9e0abb5ca03c7c11b6bbf635c3e08354c5106eb06c1c85 | 27 | 2
PowerShell Create Local User | @ROxPinTeddy | Sigma Integrated Rule Set (GitHub) | 065b49beca5cc42953a5612a7a5342fd18266f128a46b1a788c3f358f775a191 | 26 | 1
Invoke-Obfuscation COMPRESS OBFUSCATION | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | 2cf6294605b971d082366887fa44157d3f99e7552181ee7314a2ba598a2e5d66 | 25 | 0
Operation Vicious Panda (COVID-19 Campaign) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | ed562e5af5aba4e5887ef8b69c3f8410480a32e19b5c9e3f3fcd9bd0fd33a447 | 25 | 2
PowerShell Writing Startup Shortcuts | Christopher Peacock '@securepeacock', SCYTHE | Sigma Integrated Rule Set (GitHub) | 537a092527e25f9e54a3ddb6667c0303fbda5891d2f933ec0fc62bd4a5572cb4 | 25 | 0
Remote PowerShell Session | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | acad8e3e215caeb927f20d9296b9e48f54d909e55d58cb5b27bb4d334ab477a6 | 25 | 2
Execute Scriptlet Via Regsvr32 | Joe Security | Joe Security Rule Set (GitHub) | 568224310775bb02fb9ae53d55d8f7c8bc1daf93e73db7670b15f8b6f421f00d | 24 | 0
LOLBAS wsl.exe (via cmdline) | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 55bd30964b2c80cd229425cd10828e1b7c89462547581eb0c4a907c55c87f0a6 | 24 | 0
LSASS Memory Dumping | E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community | Sigma Integrated Rule Set (GitHub) | 5e648013d43c5992b13c647c1b522a289f737e3c1ef665572f75f913fde57c5a | 24 | 0
Powershell execute code from registry | Joe Security | Joe Security Rule Set (GitHub) | 22f5c0268236153aea7f17b7fcb4e9a2ef903343534a9c2a98b5c1f8918bb9a5 | 24 | 0
Suspicious Service Path Modification | Victor Sergeev, oscd.community | Sigma Integrated Rule Set (GitHub) | 8583e6aef0800332fe3fd71771daa3901bacd1a4e3b8ae12333da5f445913332 | 24 | 1
bitsadmin download and execute | Joe Security | Joe Security Rule Set (GitHub) | 613bbc724cd17594b42667a8a5c4df0dff074adfb53a590f30f86743bc9b5b47 | 24 | 2
PowerShell as a Service in Registry | oscd.community, Natalia Shornikova | Sigma Integrated Rule Set (GitHub) | edeb7efda75eef0c30275df1148d63a2707963d2d9735d444a56536df2161a9e | 23 | 0
Renamed Whoami Execution | Florian Roth | Sigma Integrated Rule Set (GitHub) | f22be736aa7b4ddd0d6ce96e785fbb7adbcb991517763b72a098333df9610f14 | 23 | 0
Shells Spawned by Web Servers | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | ca0321ec695742141eb7a3fb00dfc04170d24e00d3f021803c488451d9c4648f | 23 | 0
Discover Private Keys | frack113 | Sigma Integrated Rule Set (GitHub) | 2a86897d4c284135c8e21105377149da6e12d9f57525bfdccdfb55cf4b3425fc | 22 | 0
Fireball Archer Install | Florian Roth | Sigma Integrated Rule Set (GitHub) | 82119a59aede1b373e13f532ace644de8571caff9f04869378270de5b5881bc6 | 22 | 0
Relevant Anti-Virus Event | Florian Roth | Sigma Integrated Rule Set (GitHub) | 39e7fb552f1143dc6ba79ca293aaea514c20448ec6241a53cf150f29298b942d | 22 | 0
Winword Drops Script In Startup | Joe Security | Joe Security Rule Set (GitHub) | 04a0af687c3b9094f9252dc38ead308fae7facf86cb7e4bf728075c9b17ed9dc | 22 | 1
CreateMiniDump Hacktool | Florian Roth | Sigma Integrated Rule Set (GitHub) | b0407739067c1a391ad55a8b30a1c8109e9239a36d94cf389a4f842a53e36f73 | 21 | 0
Execute Script with spoofed extension | Joe Security | Joe Security Rule Set (GitHub) | 206390e3b1deba575d9f4b3f8321fd015223f5177a8f486a56f6d74cd51afab4 | 21 | 0
Grabbing Sensitive Hives via Reg Utility | Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 4caa5ae7b301d0b7382caf525ab9dead072ea9efadc1f7cc59d8a59c20b0fe57 | 21 | 0
NetNTLM Downgrade Attack | Florian Roth, wagga | Sigma Integrated Rule Set (GitHub) | 567e3d1c926bd9cf6698fc92a1b61254aa80f7d149c421f1d6acbf4fc8492e5f | 21 | 2
System Scripts Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Sigma Integrated Rule Set (GitHub) | e508e0cd0078f2c99fa9a87448bebda5652165ba069b1c9c4a89ecc4a2b385ca | 21 | 0
Bazar Loader Detection (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 6e25203533b4bcc3b9ce1805fbf4ec196d2fd6139dcf17880caf0e2952c3ebfe | 20 | 0
Exchange Exploitation Activity | Florian Roth | Sigma Integrated Rule Set (GitHub) | a53120d1ec17fbf608c6da8cb88f544b76206e830dd4ec17155f718bf5851d0f | 20 | 0
Execute dll with txt extension from temp location | Joe Security | Joe Security Rule Set (GitHub) | d8d01ff318fd81c3e8579c3f1dbc420f408beb4b67bc9be1a4bbdc759dce812a | 20 | 0
Suspicious Sc Query | frack113 | Sigma Integrated Rule Set (GitHub) | 373890127a34a7d314b3d10d451aaacb806579ec3e9ed2515dbdd0a4d4bf7860 | 20 | 2
Wow6432Node CurrentVersion Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Sigma Integrated Rule Set (GitHub) | 3e5fe19fbbb767b861e93022c3f95d25e1618fc86be75b05326ee57b2f75633c | 20 | 1
Cred Dump Tools Dropped Files | Teymur Kheirkhabarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 45248d2871f8e9f12191effed010f35a307cc4e1eb1350ad7dd486fc07bc0bdb | 19 | 0
Defrag Deactivation | Florian Roth, Bartlomiej Czyz (@bczyz1) | Sigma Integrated Rule Set (GitHub) | f7c48f991deaa5a1f44d21dc156d1989c5c383f971da93ecc1eaf11928860293 | 19 | 0
NetNTLM Downgrade Attack | Florian Roth, wagga | Sigma Integrated Rule Set (GitHub) | 5bced7470eb37ada15efd448b0a87615727c93557e648e225c3ee894c4b0ff08 | 19 | 0
CMSTP Execution | Nik Seetharaman | Sigma Integrated Rule Set (GitHub) | 65ffc0ddb80d953bb500276c61b57ba48cb45df5128bb8264ab47e7f48b2c9ec | 18 | 1
ExtExport.exe abuse | Den Iuzvyk | SOC Prime Threat Detection Marketplace | b74bcba954f168601bf9276abbb38f732599a67e11aa264ce29f8bc3f056aed3 | 18 | 0
NTFS Alternate Data Stream | Sami Ruohonen | Sigma Integrated Rule Set (GitHub) | 535b54123e1e90e346eb48779d2bdc19508f9a3aef7f7cf48bddbbd43f953478 | 18 | 1
Root Certificate Installed | oscd.community, @redcanary, Zach Stanford @svch0st | Sigma Integrated Rule Set (GitHub) | fde7c67804bf2f25cc674d242987b96bb244126d9568bceb7c9a208193fe66a6 | 18 | 1
CVE-2021-26858 Exchange Exploitation | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | bea74b1863b1262ffbfa6ffd29da720d86bdcd7ad6ea4a27a2da1c563fcb5093 | 17 | 17
Defrag Deactivation | Florian Roth, Bartlomiej Czyz (@bczyz1) | Sigma Integrated Rule Set (GitHub) | 8428866bf6cbf8ea04c18dc9a8ebd493a8a882a9b706b557f71d376cd69fda79 | 17 | 0
Possible Exchange CVE-2021-26858 (via file_event) | SOC Prime Team, Microsoft | SOC Prime Threat Detection Marketplace | 0fe11fe110197a5d21d1f4c9b2fed3e8f8afe8066ffa9242e24a9a95abe2516a | 17 | 17
Possible InstallerFileTakeOver LPE CVE-2021-41379 | Florian Roth | Sigma Integrated Rule Set (GitHub) | 1649fcc98b56dc9cfc742a4a6df24ac3e91123ac466268300afc87e3f91191e2 | 17 | 0
Powershell Timestomp | frack113 | Sigma Integrated Rule Set (GitHub) | 5b5656801277c44d48ce3c9f4c8c393d55f8c0943d2c641d4968a012bd160f38 | 17 | 1
Sage Ransomware (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 71d449cc65c29ab2e4fee214298f208b87225361a0f65f0f2e73bfd7875b1ef7 | 17 | 0
Suspicious Plink Remote Forwarding | Florian Roth | Sigma Integrated Rule Set (GitHub) | fd6a0f7521cf3dabf0d2ac45a1aed9f2e2029daa9d1fba9f71905bb34aa427ca | 17 | 0
Taskmgr as LOCAL_SYSTEM | Florian Roth | Sigma Integrated Rule Set (GitHub) | 1d1e002f037bffd9b91901474efbd1036622a788849898b81570d37d3ba34513 | 17 | 0
AnyDesk Silent Installation | Ján Trenčanský | Sigma Integrated Rule Set (GitHub) | 8c68ebe0db23e4f70c3621d56e4ce298dcf255e61288342e6b4760dd0af96c85 | 16 | 0
Powershell create lnk in startup | Joe Security | Joe Security Rule Set (GitHub) | fd5c77e4a6ca9deb325d7525e8219d80cc70e6bbf765e2d75ab4f30f6be7cc9a | 16 | 0
Suspicious Auditpol Usage | Janantha Marasinghe (https://github.com/blueteam0ps) | Sigma Integrated Rule Set (GitHub) | 33a4a18ae1a3802586c239be79075294541594b5b603c230af39618577e03fae | 16 | 0
Adwind RAT / JRAT | Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | e1d3ef681f53390850fb5bcd89f8d9388eebce85673fe6b8f766bd596275003d | 15 | 0
CVE-2021-26857 Exchange Exploitation | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 6a562c9f35089d87a91ec35ae35044bfb9902969d69d04e8f50b1e9f2b14b4d0 | 15 | 15
Certutil Encode | Florian Roth, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | 1b6510b58b9f16b947f9e665c0a3f3902f2d51f54d01596eb9545d8fd6631aa1 | 15 | 0
UMWorkerProcess Creating Unusual Child Process CVE-2021-26857 (via cmdline) | SOC Prime Team, Microsoft | SOC Prime Threat Detection Marketplace | 777e78408dd5e81cb40b0dd4b18dc729cd882538beac8337067e6a2ceb940493 | 15 | 15
VBScript Payload Stored in Registry | Florian Roth | Sigma Integrated Rule Set (GitHub) | dc67cd797236fcf12f7a5e58c0d5fc50318e74f58c9d17e6bf7905e87c5a9c21 | 15 | 0
PowerShell Downgrade Attack | Harish Segar (rule) | Sigma Integrated Rule Set (GitHub) | c2de0fe89604a2026e004a0872e75e079b8632fcc9ef341e34017c52fbb2eba5 | 14 | 1
APT29 | Florian Roth | Sigma Integrated Rule Set (GitHub) | 976e44f1ea7fa22eaa455580b185aaa44b66676f51fe2219d84736dc8b997d3e | 13 | 0
Clear PowerShell History | Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 860e5b755d1cea66957a1dad5567ffc45ea7e50f98c8c0958538a8507ec82f71 | 13 | 0
Credential Dumping Tools Service Execution | Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | be637f31d674fd7f3e36ce2982a40811732c7bbd70435fdb0378ab0bcbd73618 | 13 | 0
DNS Query for MEGA.io Upload Domain | Aaron Greetham (@beardofbinary) - NCC Group | Sigma Integrated Rule Set (GitHub) | 8c60cfcbc7464b6af5d7b236a49a53fbfde22feb2036abbf947df7322a7343a0 | 13 | 4
Powershell Local Email Collection | frack113 | Sigma Integrated Rule Set (GitHub) | 7a8c60222c9d0320cd13f6c3e00c4279e2961daa1560bebf35dfe8f0de4387a4 | 13 | 0
Schedule binary from dotnet directory | Joe Security | Joe Security Rule Set (GitHub) | 3c44dc412b67786cb131e2f723dbcfd035125eb3c04b66bc8baf4a7efe0ac581 | 13 | 0
Data Compressed - PowerShell | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | 1ea6262b9839c6f8aa32af503fb227a46a6f22b4778711e1a64f62b102e43a3e | 12 | 0
Dumpert Process Dumper | Florian Roth | Sigma Integrated Rule Set (GitHub) | 758c2b360e853174de27738caef97d466db11778427f5db30224884512b55494 | 12 | 0
InfDefaultInstall.exe .inf Execution | frack113 | Sigma Integrated Rule Set (GitHub) | f6602c9cc48a37aa44fbfc4ffe4560e8f37e1934e365a235af4ae61c9571ded1 | 12 | 0
Mouse Lock Credential Gathering | Cian Heasley | Sigma Integrated Rule Set (GitHub) | 3d2c6b32d1108da7c43b45888b3ec8440d9177641036131235b6409be1771ff7 | 12 | 0
NotPetya Ransomware Activity | Florian Roth, Tom Ueltschi | Sigma Integrated Rule Set (GitHub) | 641862d7e2c86cdcc7b53162395c508471d30b1911e0be65fb335d6208a110b3 | 12 | 0
Powershell run code from registry | Joe Security | Joe Security Rule Set (GitHub) | 09cf140e4816d8c5bcb37b98e996e455d8127cbccdf4287901654f824cf63f13 | 12 | 0
Root Certificate Installed | oscd.community, @redcanary, Zach Stanford @svch0st | Sigma Integrated Rule Set (GitHub) | 0226d2c44e3b81cd4d31e7a8e55f6a3e3835b44939f721d5527b610071ebf40b | 12 | 0
Session Manager Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Sigma Integrated Rule Set (GitHub) | 9acd91066b664aa3f4181a28555facbc432bae9a4c8502aa92ceae1de1f31753 | 12 | 0
Suspicious Regsvr32 Execution With Image Extension | frack113 | Sigma Integrated Rule Set (GitHub) | f64c98dfb55189f8f65b8dc8c77a020a4c869933083e1b3ef087e4dba264e864 | 12 | 0
Sysmon Driver Unload | Kirill Kiryanov, oscd.community | Sigma Integrated Rule Set (GitHub) | 7729210ddf59514a2d5ae300b6b3c3cd9b836719c40091d770a3b08bef6d735d | 12 | 4
Advanced IP Scanner | @ROxPinTeddy | Sigma Integrated Rule Set (GitHub) | 1e081f4ac10fa7ca5c1322255b4569d35b221c6b54e93ab5bd06bd891b690755 | 11 | 0
Compress Data and Lock With Password for Exfiltration With 7-ZIP | frack113 | Sigma Integrated Rule Set (GitHub) | 227d06b807fcca01531502ab9bf3471b44a2e7db88394d5d03f7e07a11adc2e3 | 11 | 4
Malicious behaviour on user login (Microsoft Windows - c0d0s0 group behavior) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | a4380ca308017f92e049147ec46e562ab46b9642b1952944647bb9bf85e4c95d | 11 | 0
Path To Screensaver Binary Modified | Bartlomiej Czyz @bczyz1, oscd.community | Sigma Integrated Rule Set (GitHub) | 71c11c0cc84fa6ba12489ce6fb7a0c5729c809f47cf296aa025e7f514394f01b | 11 | 0
PowerShell ShellCode | David Ledbetter (shellcode), Florian Roth (rule) | Sigma Integrated Rule Set (GitHub) | a8f93a6a21c54d549a6d042e48c067948add81f96231c70f83cdfa345b1f6cb3 | 11 | 0
Invoke-Obfuscation STDIN+ Launcher | Jonathan Cheong, oscd.community | Sigma Integrated Rule Set (GitHub) | fddefdc90062c691bc46bba8afb5fc6b455c1d7141337a963441437d5355a6c4 | 10 | 0
MZRevenge Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 34b4fad92956929789617ef0c367187e5950267fc9fb902893bf5a6583ab5439 | 10 | 0
Password Dumper Remote Thread in LSASS | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 68e65c1d21220f970cb6860795f7c6918fb617b028d783bcc58af027c5ee078c | 10 | 0
RMSRemoteAdmin | Joe Security | Joe Security Rule Set (GitHub) | abb330cf6694939eee00022cc1eadd65b14603c20a76a3c590d95ef23c61b22e | 10 | 0
Rclone Execution via Command Line or PowerShell | Bhabesh Raj, Sittikorn S, Aaron Greetham (@beardofbinary) - NCC Group | Sigma Integrated Rule Set (GitHub) | d682d09d3c15912248f0f367d755338bbf871b25380f62525ba288c8bf90689e | 10 | 0
UAC Bypass Using ComputerDefaults | Christian Burkard | Sigma Integrated Rule Set (GitHub) | f0a2a0d6b300aa9b5100a3fcd8fda2e183d4c22f4c748ebf056b724965c77639 | 10 | 0
WMIC launch script from xsl file | Joe Security | Joe Security Rule Set (GitHub) | cc58aa96e11657d0df0ee460019755b19a5929a979fdadd56569d6b35c03fdba | 10 | 0
Windows Crypto Mining Pool Connections | Florian Roth | Sigma Integrated Rule Set (GitHub) | 5f96c8ad390b56fba16309ec092ccde0290c7896bd2bfd7c49b738c77dc36bde | 10 | 0
Adwind RAT / JRAT | Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | 9a837c56dc81ffe30b3cbb46efbb5eaef5933b049b212514e9bb4380f12623c0 | 9 | 0
Detected Windows Software Discovery | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 296c4235eb2d9969dd70271f37fd8708d44ea158f9a24508790c33c5b6003dae | 9 | 1
PowerShell Credential Prompt | John Lambert (idea), Florian Roth (rule) | Sigma Integrated Rule Set (GitHub) | 3673ff480d9b6da69d58b49cdbd4653446b39552e94717447405039cbb476c09 | 9 | 1
PowerShell ICMP Exfiltration | Bartlomiej Czyz @bczyz1, oscd.community | Sigma Integrated Rule Set (GitHub) | 504cd1bcea14d3f138e4253108d6978349e99adf5984333e0d5d78865dd1a481 | 9 | 3
Powershell SOC Prime Threat 1920836da8784b3f635f88d7
Exchange Snapin SOC Prime Team, Microsoft Detection c9216b6619a5f5613a5d53fef 9 0
(via cmdline) Marketplace b342c817897a736
97af35b4172a9333d69b01cd
PsExec Tool Sigma Integrated
st

Thomas Patzke b4d6c6f7b49b0f0d665b4bd4 9 0


Execution Rule Set (GitHub)
c66b4a3bb793547e
Trickbot 7cf68fc17a7548176432b7778
Sigma Integrated
Malware Recon David Burkett, Florian Roth 814a6be12c78c6b34b7a55b4 9 0
Rule Set (GitHub)
In

Activity b5d457302f2c07a
Florian Roth, Tom Ueltschi, a7648695383d3c54094a9a62
Adwind RAT / Sigma Integrated
Jonhnathan Ribeiro, 3178342f9965ac5977fdf3c70 8 0
JRAT Rule Set (GitHub)
oscd.community 016e06b5d12fbdb

SOC Prime Threat 5157203e484dbfa217f40f708


DarkRAT Botnet Ariel Millahuel Detection 9460a4c6713e54ef44ca66a3 8 0
Marketplace 1ec7d5c820f0d26
Disabling d73609956e7379a0917a1fd7
Sigma Integrated
Windows Event @neu5ron 71e4351b523579011a752df3 8 0
Rule Set (GitHub)
Auditing 4e3ed749bf878180
084f8f629ce19b2d68d7e276
Hidden Local Sigma Integrated
Christian Burkard 15e59a3ebea0e92f94d25fffc 8 0
User Creation Rule Set (GitHub)
df6981152cf5efe
004a32a3ac811e09e68ff3749
Imports Registry Oddvar Moe, Sander Wiebing, Sigma Integrated
364d27bd3064f5a8e6e2869b 8 0
Key From an ADS oscd.community Rule Set (GitHub)
7b47cc6667b939e
64ba6d12e9a7d24ab70539a4
Mustang Panda Sigma Integrated
Florian Roth, oscd.community 1abdbb5f3b47f99268f562046 8 0
Dropper Rule Set (GitHub)
7b24cd8118976be
New or Renamed
User Account
6c5cfe607309f4bc96c164475
with '$' in Sigma Integrated
Ilyas Ochkov, oscd.community 2af6a875fd27ea6910ddff26e 8 0
Attribute Rule Set (GitHub)
40a4ae64a26e05
'SamAccountNa
me'.
Powershell 1f85dfeaa80a160e0d553a3ac
Joe Security Rule
launch wmic via Joe Security 8d1d5139a7622d4d146c43f5 8 0
Set (GitHub)
class 2eedbe005757ba7
7e17cc0d521f2433baf3ca36b
PsExec/PAExec Sigma Integrated
Florian Roth f22ec2946bb387a555fee75af 8 0
Flags Rule Set (GitHub)
f1c992849a2578
Suspicious
ff263a69e24c4173f3baabd03
SYSVOL Domain Markus Neis, Jonhnathan Ribeiro, Sigma Integrated
b59d71e2dd4679b248e9bf08 8 3
Group Policy oscd.community Rule Set (GitHub)
51bd9852043117c
Access
Sysinternals c79aec25ed8a3cf07f3a43954

.in
Sigma Integrated
SDelete Delete frack113 d8dda5823dc140075f59c4e0 8 2
Rule Set (GitHub)
File cae1e5a3aee8072
047c4b3f6b03d9a7cd611e4b
Blue Sigma Integrated
Trent Liffick (@tliffick) aaeffab7d6854460859ecf302 7 0
Mockingbird Rule Set (GitHub)
df 466ae225ddaf2c7
CreateMiniDump Hacktool | Florian Roth | Sigma Integrated Rule Set (GitHub) | b66ace0358aa3fe35f98b7d2f726aab76956778883e2fd65cbc867bae21e360a | 7 | 0
Invoke-Obfuscation Obfuscated IEX Invocation | Daniel Bohannon (@Mandiant/@FireEye), oscd.community | Sigma Integrated Rule Set (GitHub) | 30c408d940a17c92bda9a7a3661343cb4849cb5206311af462dfa18993f9f0c7 | 7 | 0
PowerShell Scripts Installed as Services | oscd.community, Natalia Shornikova | Sigma Integrated Rule Set (GitHub) | 6f49f2ed2359b28b3bbcce4b12451150c3c512387446684ad0f02ffa5ca11b5b | 7 | 0
Python Py2Exe Image Load | Patrick St. John, OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 433ecdf8469138ce151b9e283d8e892c2aaec8d0aa9a1f631efac7da11cb1ba8 | 7 | 0
Suspicious Cobalt Strike DNS Beaconing | Florian Roth | Sigma Integrated Rule Set (GitHub) | b55c667fef3a16ff308f801e44896c36f9754c98321c12bc516a13477130f4fd | 7 | 0
Suspicious Export-PfxCertificate | Florian Roth | Sigma Integrated Rule Set (GitHub) | b1cd37588678d9d180fae5e3ac98088d0fb94bcf137b0f6b423ba503b9c48334 | 7 | 0
APT 37 | Ariel Millahuel | SOC Prime Threat Detection Marketplace | c53c2f741a37b554e1a5a16737f3c6f27a5818e8474ade69f599e8d18b6df51a | 6 | 0
Adwind RAT / JRAT | Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | 211f7156257e48d853aa431ddfc3fc7b86ca8dabc95f61553575d821ab58fd76 | 6 | 0
CACTUSTORCH Remote Thread Creation | @SBousseaden (detection), Thomas Patzke (rule) | Sigma Integrated Rule Set (GitHub) | 7b0f6b7c0939954a4e8dd01dcda83d20044a57808d265a6697c3580fde333062 | 6 | 0
DiskShadow and Vshadow launch detection | Eugene Nechiporenko, SOC Prime | SOC Prime Threat Detection Marketplace | 85495f94a180f99ee2283759ac8a387cd3df5ff6802bcebcd6fd16bd75788af7 | 6 | 0
Dumpert Process Dumper | Florian Roth | Sigma Integrated Rule Set (GitHub) | f98998b2f0e9bb08954d741777bfdb257c7cb3dcce96f88af84ecf966e2e5695 | 6 | 0
Formbook Process Creation | Florian Roth, oscd.community, Jonhnathan Ribeiro | Sigma Integrated Rule Set (GitHub) | f260e0e6e3999276169e5a2b9378f676cfd85254be368003b2cd97e7d6b10e14 | 6 | 0
Office product drops executable at suspicious location | Joe Security | Joe Security Rule Set (GitHub) | e0e4a0d55b1462c34c5c59221f7b9ae4b1625aa019f157ee2d60b21d286df9b5 | 6 | 0
Rename system process and copy to suspicious location | Joe Security | Joe Security Rule Set (GitHub) | ae5e05ff7a2f5d6e654578b73a1ddc50baeec856b0ab003ad6852c80beb8b068 | 6 | 0
Renamed PAExec | Florian Roth | Sigma Integrated Rule Set (GitHub) | 58a87adff5b80f1f00537e13c96a7a3ca3c24b661fb3d6f998ed9a120ad72ccf | 6 | 0
Suspicious Commandline Escape | juju4 | Sigma Integrated Rule Set (GitHub) | 4ead40e4f0adc5e486cc7911fc0b0b94f05bfe0d27b5f0c2d24e0c803d089fc5 | 6 | 0
Suspicious Execution of Hostname | frack113 | Sigma Integrated Rule Set (GitHub) | 87d10b87f13ab6dd0ee17c311d476bcf6fce51f746e639542c1c6c08b6ae8071 | 6 | 0
Suspicious Extrac32 Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 22466d36eb86be8a2f88344d2ad8707352f79b184489f7bc14547bcc6c82b9c1 | 6 | 0
Suspicious Query of MachineGUID | frack113 | Sigma Integrated Rule Set (GitHub) | 5b823c33b4d7a619c0190d52bf60fd92f6768d9bff34fb85446b00ca141f030a | 6 | 1
Suspicious Reg Add Open Command | frack113 | Sigma Integrated Rule Set (GitHub) | 81f2a11aeadd681c5a2bbef5acdebbc356da424e56854a985e3c7eb0aded2fba | 6 | 0
Suspicious ScreenSave Change by Reg.exe | frack113 | Sigma Integrated Rule Set (GitHub) | a87fe4afa527fd01cbb17ee26918bbf87dacf9b429f97ede32b8831532ec4d59 | 6 | 0
TAIDOOR RAT DLL Load | Florian Roth | Sigma Integrated Rule Set (GitHub) | e8a94b22f6db7e94eaf7903de94492f4bdd5b91eaa24377a94e7e51bfdb8e562 | 6 | 0
Wmic Launch regsvr32 | Joe Security | Joe Security Rule Set (GitHub) | 4bd4adb7096f2875c9d4780cebd4f8cc5d8f98ae072aa38aea08cb38ea623042 | 6 | 0
Blue Mockingbird | Trent Liffick (@tliffick) | Sigma Integrated Rule Set (GitHub) | fb9f6bbd034578721056b64fb7a34b4e2726da17d1cbf5711dced3ab7cd005c7 | 5 | 1
Capture a Network Trace with netsh.exe | Kutepov Anton, oscd.community | Sigma Integrated Rule Set (GitHub) | ed43493e84bcb41bf4a6e8d03279fa79baffdfa16300655622641d8b9754d344 | 5 | 0
DInject PowerShell Cradle CommandLine Flags | Florian Roth | Sigma Integrated Rule Set (GitHub) | 10bbdc113d1dc5813708dd95928a8d1a38b22ab4b85bc027daaf8ac7aae65c9b | 5 | 0
Detected Windows Software Discovery | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | ddc07067e955f9f404023ebf4e274002f57acb50f1fe16fe88b6704df84b3864 | 5 | 0
HiveRAT detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | bfa9006c02a3c62043c1bd4c10f77dd29fc786bc22855e00928082034c4307cc | 5 | 0
Lazarus Loaders | Florian Roth, wagga | Sigma Integrated Rule Set (GitHub) | c84a7ca7abbe3e5b0d2b85f57e26013cf82131739ccc06fb4271905d4a63f3ef | 5 | 0
Malicious Service Installations | Florian Roth, Daniil Yugoslavskiy, oscd.community (update) | Sigma Integrated Rule Set (GitHub) | ed602524330bd363f87bc7980fbb46e0186704e38a27f85f7c6030f2ad6356b9 | 5 | 0
Netcat The Powershell Version | frack113 | Sigma Integrated Rule Set (GitHub) | 53b2cd18791dffbcc1b31b49b26f0068d68f366bccb84e299cb79ddcccaf04ee | 5 | 0
Powershell AMSI Bypass via .NET Reflection | Markus Neis | Sigma Integrated Rule Set (GitHub) | 4f48e177e42323bad59a64ab7de8ad6105458dbcdbb255b095f3c17aa618478f | 5 | 0
Process Dump via Rundll32 and Comsvcs.dll | Florian Roth | Sigma Integrated Rule Set (GitHub) | 31766028cc56afd6db535a222ec9ffa3a26c485dcd759324e890434acf17a601 | 5 | 1
RClone Execution | Bhabesh Raj, Sittikorn S | Sigma Integrated Rule Set (GitHub) | 5c18d54d0d1977fcaa16d7b119948395edb249365b6c767ea18e95c6b44204a5 | 5 | 0
Shedule powershell with encoded command parameter | Joe Security | Joe Security Rule Set (GitHub) | 915a39321a250831a95cbb6b6598214820d1be1095aee6555106a9ca7d02a36a | 5 | 0
ShimCache Flush | Florian Roth | Sigma Integrated Rule Set (GitHub) | 7755af8c0fe9118bb510e5bd0317a174fc59e613270dce762bbc67cac8f68d15 | 5 | 4
SyncAppvPublishingServer Execution to Bypass Powershell Restriction | Ensar Şamil, @sblmsrsn, OSCD Community | Sigma Integrated Rule Set (GitHub) | a8c3610f0218840679ca4d558856dbb0f5d711cabe7b939a9f283180553e2b77 | 5 | 0
wmic launch powershell and execute encrypted script | Joe Security | Joe Security Rule Set (GitHub) | 016a456c70d6e45a65219e2ee0e3972cd7104bf98c318e2f088a07f71fde0d43 | 5 | 0
CobaltStrike Process Patterns | Florian Roth | Sigma Integrated Rule Set (GitHub) | f6b39e4a331f85ca7590bf725ff05b84567ac82eecf2ef761c60e4baed042482 | 4 | 0
Emissary Panda Malware SLLauncher | Florian Roth | Sigma Integrated Rule Set (GitHub) | 49512d886fa3e8d9595464c693fad4fb93dcbdbc537cda049dacce772f11f38f | 4 | 0
Findstr Launching .lnk File | Trent Liffick | Sigma Integrated Rule Set (GitHub) | 2db81575319b095e5240489dc39a6070fb3e587fb35a6c988f38cbc71fede886 | 4 | 0
Logon Scripts (UserInitMprLogonScript) | Tom Ueltschi (@c_APT_ure) | Sigma Integrated Rule Set (GitHub) | c58463bc214d5126d24453ce3a2db9a54855641facf8d3dcf2e1a70b4cd47173 | 4 | 0
Ncat Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 358a95254318aa55ff499eb64277dff47957ac37c6370873673433bd55e77cf8 | 4 | 0
New TaskCache Entry | Syed Hasan (@syedhasan009) | Sigma Integrated Rule Set (GitHub) | d62173552d7fce98c24a7040b784edf35cc6650d2e68ecf2d04f40c58d58cfda | 4 | 0
Powershell download payload from hardcoded c2 list | Joe Security | Joe Security Rule Set (GitHub) | 5c6454bb6fd16d176798dcb8685eabffc5295c27b7c2c471512f66343a885a24 | 4 | 0
RDP Hijacking. Last logged-on user changed. | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 13ed88b8063438c80d6eb6c7e9aeda38d201453d83fa949f65867ced46825db3 | 4 | 0
Removal Amsi Provider Reg Key | frack113 | Sigma Integrated Rule Set (GitHub) | 29e103486311c7c5f253e500ab6386c2aba984cb782efe903a88f082d3f70254 | 4 | 0
Spora Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | a656aafe4c0cca78f1ad9cc5fe8f97b01ab237e247591a7100edef559c032f30 | 4 | 0
SyncAppvPublishingServer Execution to Bypass Powershell Restriction | Ensar Şamil, @sblmsrsn, OSCD Community | Sigma Integrated Rule Set (GitHub) | 3bc75ee6104b1d450b245ac94167ae14c204c835e99ff14f840649b7ec5cb561 | 4 | 0
AnteFrigus Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 8b18641dc7819baf3c131b24088048e3cf6ac0f5946f136a2c0b0b36a3754141 | 3 | 0
Credwiz util dropped by mshta for dll sideloading | Joe Security | Joe Security Rule Set (GitHub) | 47b76425766ceb0d5f71f5b737ae4660dc4fcaa91295131395a542596953ef67 | 3 | 0
Equation Group DLL_U Load | Florian Roth | Sigma Integrated Rule Set (GitHub) | a6d1a36dcfe72a6d78f5dd3b78c79bc294296460a9b3adcd993bdd6409046c7f | 3 | 0
Esentutl Gather Credentials | sam0x90 | Sigma Integrated Rule Set (GitHub) | 477a3302165776826dc440702e8eaed12303d2f1dc7a0fc02eb400d3f82f2e6b | 3 | 0
Fodhelper UAC Bypass | Joe Security | Joe Security Rule Set (GitHub) | c5017f04443b7c88d4fe320734d24f38108f67663239bc00f5c164081e9b5e0a | 3 | 0
GfxDownloadWrapper.exe Downloads File from Suspicious URL | Victor Sergeev, oscd.community | Sigma Integrated Rule Set (GitHub) | b72d2ff1b4c8867cd160c5e82653d122b03a4c6bca9ade97373922682058cce1 | 3 | 1
Java Running with Remote Debugging | Florian Roth | Sigma Integrated Rule Set (GitHub) | 2e7d87bfbd32ac2342d15ebcc05f5ef626e85c6ff102705ba365a90790098278 | 3 | 0
Microsoft Office Add-In Loading | NVISO | Sigma Integrated Rule Set (GitHub) | 87bbef1292c33b8d07238254d96faa4edbe7d7b241c05444918849684077237e | 3 | 0
Modifies the Registry From a ADS | Eli Salem, Sander Wiebing, oscd.community | Sigma Integrated Rule Set (GitHub) | 7d40150efe45672b8a7928c4d3ccb55e1238e89ead72dc4a08390a907fc57c17 | 3 | 0
Netcat The Powershell Version | frack113 | Sigma Integrated Rule Set (GitHub) | 16372019c3e1774b0a40174d12d8465e4bb4ecfac13a7148849c9b3d21282f37 | 3 | 0
Remote File Download using GfxDownloadWrapper.exe | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 16dd4d7c651cd862752fb483a4e7898c821603b1739b7aecb11298a6e931189e | 3 | 1
Snatch Ransomware | Florian Roth | Sigma Integrated Rule Set (GitHub) | d48381be3227e49cd9d42fdf472184d9e4db1b4fbe72ee6048739f0af5913e9f | 3 | 0
Suspicious Add User to Remote Desktop Users Group | Florian Roth | Sigma Integrated Rule Set (GitHub) | 04ed3e23df49b07ebec11f2374d1ccce40bc71d867b1f8e29ea40b1b9e878ac3 | 3 | 0
Suspicious ConfigSecurityPolicy Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 5b2e321b4ad7aa35a23d2181a655941dc96ea260435a6e1663158a7b2182a9fe | 3 | 0
Suspicious Shells Spawn by Java | Andreas Hunkeler (@Karneades), Florian Roth | Sigma Integrated Rule Set (GitHub) | 0119b24f133d3f3142f84b35c30b7b1c417c4418f4d18098200208947ac5d041 | 3 | 0
Suspicious Shells Spawn by WinRM | Andreas Hunkeler (@Karneades), Markus Neis | Sigma Integrated Rule Set (GitHub) | dff6f482b1c3296a1eba449d732fe05e7b9a61f56c3849298ee9d06cec81c941 | 3 | 0
TAIDOOR - Chinese RAT | Ariel Millahuel | SOC Prime Threat Detection Marketplace | fd151743b69be65652e958a898253090e87a94daf21f008ffacbfef9d8aebcbf | 3 | 1
UAC Bypass Using IEInstal - File | Christian Burkard | Sigma Integrated Rule Set (GitHub) | 00df1f50def5c07da9bb57ea8313bde4905aeeff9ebf1b2b923600351791bd23 | 3 | 0
UAC Bypass Using IEInstal - Process | Christian Burkard | Sigma Integrated Rule Set (GitHub) | 36c54ff9b60bfb04067bb4fc3cb55f0efba4285c46c56123f298c17f0ff6aeb1 | 3 | 0
Windows 10 Scheduled Task SandboxEscaper 0-day | Olaf Hartong | Sigma Integrated Rule Set (GitHub) | edf3ca6a0c573fb6b3eae8a8a4a6dd129c1ddebc37dc457690fae45e9594a950 | 3 | 0
AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl | Julia Fomina, oscd.community | Sigma Integrated Rule Set (GitHub) | 3ac562f761dce56ddce1ba6581aace41ae7b64cf2b9fd64295b4d9d43c26aa21 | 2 | 0
AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl | Julia Fomina, oscd.community | Sigma Integrated Rule Set (GitHub) | a84e26c881c97617cb1fd0ca767f6c6a6aef9dc2b22b7c5346b71449a2bb5bbc | 2 | 1
Amadey Botnet detection (TA505) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 472362d8dcad8c26a75836b16e7f1e1fa272f614affc2dd864632b8a3af7e12f | 2 | 0
Bypass UAC via WSReset.exe | E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community | Sigma Integrated Rule Set (GitHub) | ced1e1a1282b5d51ede1ac7a7dcc08496c538aeeb8bc6ecc1f72af56cd773d04 | 2 | 0
Chafer Activity | Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 01364fb1c5ccb780456530afa742fccc7c5de42d1cbac829fd6f4c435888f499 | 2 | 0
CrackMapExecWin | Markus Neis | Sigma Integrated Rule Set (GitHub) | 4937cb1804ae450d1760b136159503b4a353a27a37e6b66253c12834ae1fa611 | 2 | 0
Credential Dumping Tools Service Execution | Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 61e2aaf48c321983d311349f6bced27944c28bcd53f96ee143d8a0a1c321a5f2 | 2 | 0
Decode DLL Via Certutil | Joe Security | Joe Security Rule Set (GitHub) | 512a021b2a6002cdc06a23350dd7744a78311e5eacbe59b19864a594b50fc33e | 2 | 0
Disable Microsoft Office Security Features | frack113 | Sigma Integrated Rule Set (GitHub) | db422d3f89e405109467a926cbee52085ff1a33cf97bc054529a03a316dafa2e | 2 | 0
Dnscat Execution | Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | c625578e8b4d44c52ee346e1df82116ed7e4896e4caad93d0fdb7fba487dbfdf | 2 | 0
Domain Trust Discovery | Jakob Weinzettl, oscd.community | Sigma Integrated Rule Set (GitHub) | 50137e4985d62ff32fe9acc8ecd34bbc1e546bce28ae9d0c168c5bc0e62c2098 | 2 | 0
Encoded IEX | Florian Roth | Sigma Integrated Rule Set (GitHub) | 6011c0e706a0ea8a69892186b9808f52466832e2c60ea353b876a15100a2c891 | 2 | 0
Evrial Stealer (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 9d5974817e9c9eeb05c8b60f23de31930c84cb3eb8d247767b7fe7bdbec4ad23 | 2 | 0
Execution via WorkFolders.exe | Maxime Thiebaut (@0xThiebaut) | Sigma Integrated Rule Set (GitHub) | 50d292f837567defe72f24a4b91ee437943cd8f35d5aedcf15979d3d253d38e9 | 2 | 2
HTML Help Shell Spawn | Maxim Pavlunin | Sigma Integrated Rule Set (GitHub) | 03c63f09ca0da10cdd578a2b9318266b2f2ac550da5b256d00ce4c0cbbbedda0 | 2 | 0
Hijack Legit RDP Session to Move Laterally | Samir Bousseaden | Sigma Integrated Rule Set (GitHub) | 69573f6b1ce64e7122c33aec2473e20ddf52e90291907115ac5515a58660b7dd | 2 | 0
Invoke-Obfuscation Via Use Clip | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 1c3ea7c0333da16496964e50a5e57012a3b70695f952212351e08d08530da6d0 | 2 | 0
LSASS Process Memory Dump Files | Florian Roth | Sigma Integrated Rule Set (GitHub) | 532253e22b4c2a6410e693838434b30d959a9ebc0c04a0c861eeb9d593879009 | 2 | 0
LockerGoga Ransomware | Vasiliy Burov, oscd.community | Sigma Integrated Rule Set (GitHub) | 0c0ba5aebd0db3facb25385b2dbdc2b2a34be391da1993bc8a02c689608fba16 | 2 | 0
MSExchange Transport Agent Installation | Tobias Michalski | Sigma Integrated Rule Set (GitHub) | 7e012de38821878c4217e8f825643266daebb69300fb51da895c540db3ca6916 | 2 | 2
Meterpreter or Cobalt Strike Getsystem Service Installation | Teymur Kheirkhabarov, Ecco, Florian Roth | Sigma Integrated Rule Set (GitHub) | 9fd506c795090efa401ad8bb755474601cc0aaa7ebf5b75b096714bd0235016a | 2 | 0
NTFS Vulnerability Exploitation | Florian Roth | Sigma Integrated Rule Set (GitHub) | 411eb79dfeb1cc205d22228842bf9c45f6ea648d10de8bf3d08e9bdaa31e9d1f | 2 | 0
New DLL Added to AppInit_DLLs Registry Key | Ilyas Ochkov, oscd.community, Tim Shelton | Sigma Integrated Rule Set (GitHub) | 6f134f381913ef9221138f615280ca41e252e823168d7d580ab6e713e10beca2 | 2 | 0
New Hidden Tear ransomware variant | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 92dd4e3ca17ea4f0bdfb71304a8fcbbd234749a15c0c26579fac17253c4b2463 | 2 | 0
Office Security Settings Changed | Trent Liffick (@tliffick) | Sigma Integrated Rule Set (GitHub) | 7210b6208abd6826bfdb8d8666ae792549157fe8070e355cad577fd8f9ef6499 | 2 | 0
PowerShell Get-Process LSASS in ScriptBlock | Florian Roth | Sigma Integrated Rule Set (GitHub) | cac21fdc92116671a9e24502beff8b3cc9b77c6d7a23b8f10aefa65821fd9014 | 2 | 0
Powershell Profile.ps1 Modification | HieuTT35 | Sigma Integrated Rule Set (GitHub) | 25ba0fd933ae7d522dfbe81f445736e4bb4015e2ab0ce76d436c139485e79e2e | 2 | 0
Powershell Trigger Profiles by Add_Content | frack113 | Sigma Integrated Rule Set (GitHub) | 9ed950c94ef5dce1af4ac6ba1eb25704edd170e1a75506e3095eb362e63eab6b | 2 | 0
PurpleSharp Indicator | Florian Roth | Sigma Integrated Rule Set (GitHub) | 8cdb5f2da7eb9e3002ce4bbdd8a373b7dcd25103b4373f9b672e54f74c5316e0 | 2 | 0
Ranumbot Trojan (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 9adcf2b748c0913ce46ec2734223045df982e2a86948b8740a48edd412720e70 | 2 | 0
Recon Information for Export with Command Prompt | frack113 | Sigma Integrated Rule Set (GitHub) | e49a78894a2986a5fb30eb4ab25cd648d87db2a35906c29afc8fa6d7664f5e63 | 2 | 0
SamoRat Behavior (sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 8a1644eccd8d683fe61a26387c655e1d85bff90b49640b5d8c65940e4e1973d0 | 2 | 0
Script Event Consumer Spawning Process | Sittikorn S | Sigma Integrated Rule Set (GitHub) | 99d3f28b790cc9edbf77b5fddd446d2ec05f85ee550310a2a3863e3171a9bd54 | 2 | 0
Suspicious Dump64.exe Execution | Austin Songer @austinsonger, Florian Roth | Sigma Integrated Rule Set (GitHub) | 5b1f1b40ef6ce717bbb2c8bc6cae3ad4d4530c3d907caaf29c131d784777fc01 | 2 | 0
Suspicious Esentutl Use | Florian Roth | Sigma Integrated Rule Set (GitHub) | 6374ec2e5ca4f1bca3332d137882a6526e7230b5207c4de514d3b0a0a1e94fcb | 2 | 0
Suspicious Get Local Groups Information with WMIC | frack113 | Sigma Integrated Rule Set (GitHub) | 386f2bc7492f0e981a3ff4d07a1e865250fb5f4de55f43a70e9ca3e91bd61e31 | 2 | 0
Suspicious Printer Driver Empty Manufacturer | Florian Roth | Sigma Integrated Rule Set (GitHub) | 69f693a2bf7b4c283ad2afbd17043a7a25fd7596d7f26f5f77436d56ba9529e8 | 2 | 0
Suspicious Shells Spawn by SQL Server | FPT.EagleEye Team, wagga | Sigma Integrated Rule Set (GitHub) | 084aa83f6231ad8f1641d3a19e8fd1cfef9a9cc7c1be4c416fdaf86ff56071fa | 2 | 0
WMI Backdoor Exchange Transport Agent | Florian Roth | Sigma Integrated Rule Set (GitHub) | b02fbc5fd12d501dbd78749545483c506550bfb474efa9683e58ac4b2e4211b0 | 2 | 1
Wsreset UAC Bypass | Florian Roth | Sigma Integrated Rule Set (GitHub) | 96334f64d755424fcec72b4881263e66f022d62103fd2ada696b2264912d1cf5 | 2 | 0
ZOHO Dctask64 Process Injection | Florian Roth | Sigma Integrated Rule Set (GitHub) | d0e9ddaa18a4b91ef3ab1e800b63bf10c6cc73617c12d346033dea7e84c6e584 | 2 | 2
ZxShell Malware | Florian Roth, oscd.community, Jonhnathan Ribeiro | Sigma Integrated Rule Set (GitHub) | 9f3c5ba78b1be158567ab3b450ff989c464b256ea5a1f60dbf4fdf93d57d249d | 2 | 0
Advanced IP Scanner | @ROxPinTeddy | Sigma Integrated Rule Set (GitHub) | 654d8ac633b50e98138bcb448019dd2fcb8c0384ae47263728f8b4fd84b8ba98 | 1 | 0
Advanced IP Scanner | @ROxPinTeddy | Sigma Integrated Rule Set (GitHub) | 946d2bbdd10c544f6435f9b58d066f0d418f7bf78478848e179abdd8b5ec19b8 | 1 | 0
Audio Capture via SoundRecorder | E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community | Sigma Integrated Rule Set (GitHub) | 9d251711b5a07fe8fb5fa341d8312ddbf0fd1b878b4a2d04e5feebb9885f1067 | 1 | 0
Cerber Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 73c0a64c5562e339d22b6dd8487f58f08f817a078ee2d99fa508f2bcec9487d2 | 1 | 0
Changing RDP Port to Non Standard Number | frack113 | Sigma Integrated Rule Set (GitHub) | dc0c536bf76ee17ec594024c9b331e97f259d945e0c52ca0f468b6d323906d8b | 1 | 0
Cmd.exe CommandLine Path Traversal | xknow @xknow_infosec | Sigma Integrated Rule Set (GitHub) | 66a17168752e700a1b57242bfc6b9a345959b5142a99316865e1d44df709c32f | 1 | 0
CobaltStrike Service Installations | Florian Roth, Wojciech Lesicki | Sigma Integrated Rule Set (GitHub) | d47c2221db7aa13e5c3645ca6ec5b315a643a4b9f5a9e50af5bece9e79885196 | 1 | 0
CobaltStrike Service Installations in Registry | Wojciech Lesicki | Sigma Integrated Rule Set (GitHub) | eaeadfa6378455d35bc7d294a678cf68a5a8c6c2b5417d038a80d96bdf2e76de | 1 | 0
Code Execution via Pcwutl.dll | Julia Fomina, oscd.community | Sigma Integrated Rule Set (GitHub) | d893a429c2ce543e3a265b3794e1845676e899c8dab1ac888aca5607d9821ae7 | 1 | 0
CreateMiniDump Hacktool | Florian Roth | Sigma Integrated Rule Set (GitHub) | 8618cac2c2c1ec1d0e5b729eab2f28a1585a023728c5aaa9fa184b786b52a337 | 1 | 0
Custom Class Execution via Xwizard | Ensar Şamil, @sblmsrsn, @oscd_initiative | Sigma Integrated Rule Set (GitHub) | c0bd5b42809f6cdda07709c25bc0f42cbb0a674ce80ec8c63788ef1efd31cdc5 | 1 | 0
Detected Windows Software Discovery | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 01357d5e887b9f5de970cbdf4e5303b1faff6ff0de49e5ae4c516f933c8a951b | 1 | 0
Domain Trust Discovery | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 4fba485fa9f02eb8d0e28a7b84276fb6a276943a2948a62fe3d614248af840fd | 1 | 0
Dotnet.exe Exec Dll and Execute Unsigned Code LOLBIN | Beyu Denis, oscd.community | Sigma Integrated Rule Set (GitHub) | 3fba0f206c1c867f04a34552b850e8eeb0b219621923d394bddad4789f293152 | 1 | 0
Drops a DLL with WLL extension to the startup | Joe Security | Joe Security Rule Set (GitHub) | 0a0b097696bd0b36b7d1443e446cbff6c2146d7a93cacaf2838ed0fe366b61d9 | 1 | 0
Enable Restricted Admin Mode To Bypass MFA (via sysmon) | SOC Prime Team | SOC Prime Threat Detection Marketplace | 7b0a12d70498be6b75106baeadc6572fa8f03b6e6ce96998c3c84f14e5dd19a6 | 1 | 0
Execution in Webserver Root Folder | Florian Roth | Sigma Integrated Rule Set (GitHub) | d11dfd4a7ffb536505adf98a4b97c1540b6e89a26661bf9f238b4a4d8f3133a9 | 1 | 0
Hide copy and delete itself | Joe Security | Joe Security Rule Set (GitHub) | e491fecd17c16aecfb3b5ac96288fcdcf7c8ec061a8b1649da4e907b511f1208 | 1 | 0
IIS Native-Code Module Command Line Installation | Florian Roth | Sigma Integrated Rule Set (GitHub) | cc3ea4eefe5144350cce95a37a83b5a54cb1c3588b6a08901eb81ce60a358d20 | 1 | 0
Indirect Command Execution By Program Compatibility Wizard | A. Sungurov, oscd.community | Sigma Integrated Rule Set (GitHub) | d4b25cba1a95e034ae6766147690611472b8ce274332b1aee27da6faa04335a0 | 1 | 0
Invoke-Obfuscation Via Stdin | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 92f548de44082f5573a9a1cde5e0716b71988288605c254b85f32d8f3405ef83 | 1 | 0
Invoke-Obfuscation Via Use Clip | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | cf3869e5aa623f0e8acc74d1afaf5036cb7bbbcb1418a1af1670aef332fd2115 | 1 | 0
Malicious PE Execution by Microsoft Visual Studio Debugger | Agro (@agro_sev), Ensar Şamil (@sblmsrsn), oscd.community | Sigma Integrated Rule Set (GitHub) | 833d1e3036176fa960339790e9389d39187ba0c444aa4b1f1d3adc81c860b9fd | 1 | 0
Malicious Payload Download via Office Binaries | Beyu Denis, oscd.community | Sigma Integrated Rule Set (GitHub) | f8ff90356c4ca9019d85273206850b0132e8b3209bcc1d4931bf59b71450a496 | 1 | 1
Malicious Service Installations | Florian Roth, Daniil Yugoslavskiy, oscd.community (update) | Sigma Integrated Rule Set (GitHub) | 8054438d5b821755b2dbd5820a438b44688606dc8617bca3756bd60c75e15aee | 1 | 0
Mavinject Inject DLL Into Running Process | frack113 | Sigma Integrated Rule Set (GitHub) | 22a0144a5fa16f342a409df0a0b3ea1292a72b8e43c7c844bf06d68f5330fbf4 | 1 | 0
Moriya Rootkit | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 14054e3c5398e3efeb36907b873cd44b2e3e1f45c872fd35fc93fe027f026822 | 1 | 0
Netsh Helper DLL | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 67f08eeb3f74c7dcf4b8985150f3df56b390aec0e1d3edb45a75c360f73c0134 | 1 | 1
New Shim Database Created in the Default Directory | frack113 | Sigma Integrated Rule Set (GitHub) | c028d3fbfe3db756b5129f320616cde63b9929b02e91fb76c1b12fb726eafb71 | 1 | 0
Office starup folder persistance. | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 4f71ac3f10bbbdb0bda74ee81dba1206ffd26e184cc17f7391a0ca82ad838257 | 1 | 0
Password Provided In Command Line Of Net.exe | Tim Shelton (HAWK.IO) | Sigma Integrated Rule Set (GitHub) | 356834a41f1b8ed94c954435f27d64f970ba67b17ac5474ddb8357cfbb8de8d8 | 1 | 0
Ping Hex IP | Florian Roth | Sigma Integrated Rule Set (GitHub) | a78012a975b5cccbdd9caf22ce8a5065aa442b2459190ab2a3a0b39e1eb66bee | 1 | 0
Possible Privilege Escalation via Weak Service Permissions | Teymur Kheirkhabarov | Sigma Integrated Rule Set (GitHub) | 6a8c7191c56707b059d6c77b850fd9a1f9bc6c202dd771d100565edecef8686b | 1 | 0
Possible SPN Enumeration | Markus Neis, keepwatch | Sigma Integrated Rule Set (GitHub) | 5185237d06d1d2c6fa9f5b9940219760620e7dd4f1db2fbff05f0b081ce4967e | 1 | 0
PowerShell ADRecon Execution | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 8f33121f45ae912b9307a03c4dc5d5309016b47eb4b2d937c74e55cda019203e | 1 | 1
Powershell delayed execution via ping command | Joe Security | Joe Security Rule Set (GitHub) | 9a4875b9a93f7ed6dd4f6259f58f0ff372f1351c267c6d112364a3064aeae82f | 1 | 0
Process Dump via Comsvcs DLL | Modexp (idea) | Sigma Integrated Rule Set (GitHub) | fc647ef855e070dd8c71ac9bee02eb59a9124eded234012d31fef82c72b8c1b0 | 1 | 0
PsExec/PAExec Escalation to LOCAL SYSTEM | Florian Roth | Sigma Integrated Rule Set (GitHub) | 95ab10477326346ad231600df85597b403502c24947739b6a2b5bf75469a3024 | 1 | 0
Recon Information for Export with PowerShell | frack113 | Sigma Integrated Rule Set (GitHub) | 713f92f086b68096c3f56ca930b031275ba60fcd9b0986dca0e69d63a349fe11 | 1 | 0
Registry Key Creation or Modification for Shim DataBase | frack113 | Sigma Integrated Rule Set (GitHub) | 8c893b41c5a28ef36c6b16d709f057af26436898776837e685d30b93672c2de1 | 1 | 0
Renamed MegaSync | Sittikorn S | Sigma Integrated Rule Set (GitHub) | 5ed404c9cabd248ba80d6d5852fc81ff9c668726a632eb06be9595bd5b80d869 | 1 | 0
Run Once Task Execution as Configured in Registry | Avneet Singh @v3t0_, oscd.community | Sigma Integrated Rule Set (GitHub) | a670267e081a215d8a32b1cf6cb799023ff0667dc9da2d474cf20a91e4f2a2cc | 1 | 0
Scarab Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | c3b33a6ba821d844c3bfc5a217489aca877dc9bc6c76c84e4d8cabd6a320bd7b | 1 | 0
Shadow Copies Access via Symlink | Teymur Kheirkhabarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 3b5b0346a9d3b5b510bfd33a67662439c44419ada001c73160bdcc75d76b2d3b | 1 | 0
Suspicious AdFind Execution | FPT.EagleEye Team, omkar72, oscd.community | Sigma Integrated Rule Set (GitHub) | cb903e3e20e158519f1431d1978e1d50abf68706bbedd496258a99a785f2ec00 | 1 | 0
Suspicious Certreq Command to Download | Christian Burkard | Sigma Integrated Rule Set (GitHub) | 90480b0d96dd273a177b536ad0b17f114b0426bdb4c6e04d4692da954658bac1 | 1 | 0
Suspicious Desktopimgdownldr Command | Florian Roth | Sigma Integrated Rule Set (GitHub) | beb013be28477c7cc6a96b5e49885366af682311b00c0ad036f6df272f0d73bf | 1 | 0
Suspicious PrinterPorts Creation (CVE-2020-1048) | EagleEye Team, Florian Roth | Sigma Integrated Rule Set (GitHub) | 9f4d9015afcdadf3e8a90bd3b8b01cae40397eca61dc45580339296224e1b40f | 1 | 0
SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code | frack113 | Sigma Integrated Rule Set (GitHub) | 37beaf97b85714dccecd452e684c29d067adea49095ddf3ec6631dc8acf14337 | 1 | 0
UAC Bypass Using ChangePK and SLUI | Christian Burkard | Sigma Integrated Rule Set (GitHub) | a334f66679d3e373f49f08113614e79457c624e8ef315085de12c285bc5d7d4e | 1 | 0
UAC Bypass via Event Viewer | Florian Roth | Sigma Integrated Rule Set (GitHub) | c7f53a29488cdfc8b3ab7ecb4699f5c655615954b2d1ff9209e2dba026e30dbc | 1 | 0
VMToolsd Suspicious Child Process | behops, Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | bd7b9679a8b4de81c85050399fe9679a23a1ea3bb48ef31509d208152db750f4 | 1 | 0
WINEKEY Registry Modification | omkar72 | Sigma Integrated Rule Set (GitHub) | 585081efe7df5aaf634ee8b6187b3f8adb0c8156cbcc8f25867ffec4654fc697 | 1 | 0
Webshell Detection With Command Line Keywords | Florian Roth, Jonhnathan Ribeiro, Anton Kutepov, oscd.community | Sigma Integrated Rule Set (GitHub) | fadc206ec1e9e99804969634aed9b633228630e0a72122317cd3e674846a8c7c | 1 | 0
Windows Credential Editor | Florian Roth | Sigma Integrated Rule Set (GitHub) | efb250f52392ac4446104881ff38dafa4934fa84d2f3357065c51b4873c737fc | 1 | 0
Winnti Malware HK University Campaign | Florian Roth, Markus Neis | Sigma Integrated Rule Set (GitHub) | fa921a7a680703d8b1c263a0eba9bec48b3361492b6ea0424931dba980c317fd | 1 | 0
msiexec download and execute | Joe Security | Joe Security Rule Set (GitHub) | 80df93b91d026bd6faf3f28497aecc8b5a81a6553fe9336a204b11f4dcef8733 | 1 | 0
(SIGRED) CVE-2020-1350 DNS Remote Code Exploit [via HTTP/Proxy Logs] | SOC Prime Team | SOC Prime Threat Detection Marketplace | 2c660e94b9dd36c78c57a2250c28533823a79106701103f8b2a662501cc2a379 | 0 | 0
(SIGRED) CVE-2020-1350 DNS Remote Code Exploit [via HTTP/Proxy Logs] | SOC Prime Team | SOC Prime Threat Detection Marketplace | f45ee46c268733c28e2e456cd180b06976bca8e8fc0819a141d83778e7e6908b | 0 | 0
AD Object WriteDAC Access | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | 58cec962c267e019fa838d36e02695d7254409214165d3ac1363b49e8711131a | 0 | 0
AD Privileged Users or Groups Reconnaissance | Samir Bousseaden | Sigma Integrated Rule Set (GitHub) | 14cbefe2ccc7618cf17e2c9b92743b97fbf394277a7c17c58ebb3d942aa0a0fd | 0 | 0
AD User Enumeration | Maxime Thiebaut (@0xThiebaut) | Sigma Integrated Rule Set (GitHub) | 1a4024d9c095d28a1da18eb257926feded8ec7d7ea03762f6eab63b22a41721e | 0 | 0
ADCS Certificate Template Configuration Vulnerability | Orlinum, BlueDefenZer | Sigma Integrated Rule Set (GitHub) | 6d83e2c5d3c8dd6baf3897d1fcfef08e8e7745f60a8712ff35acc679d26b2db6 | 0 | 0
ADCS Certificate Template Configuration Vulnerability with Risky EKU | Orlinum, BlueDefenZer | Sigma Integrated Rule Set (GitHub) | 145c680f84c610717ce0f64126642e2075071657c6b04077e58c08042f45b3dd | 0 | 0
ADCSPwn Hack Tool | Florian Roth | Sigma Integrated Rule Set (GitHub) | 945059b9924f612aec04c225310cee7009f0951805322568a62ebbefb71e63b0 | 0 | 0
ADFS Adapter Process Spawns (via cmdline) | SOC Prime Team, Microsoft | SOC Prime Threat Detection Marketplace | 5b090817d20c98f190eec819a6c655b46a96324e58e3195a7f9c5e076fae6acb | 0 | 0
ADFS Database Named Pipe Connection | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | 4066789e2f52a62b211079b31d3fecc622acde6f0aab1c5127584333f498102c | 0 | 0
ADSelfService Exploitation | Tobias Michalski, Max Altgelt | Sigma Integrated Rule Set (GitHub) | adb52649fba655a7c618328f8a47138b0829cd7ee3ff23c599542d6103b29a92 | 0 | 0
AKO Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | bb075da0c850b7587ce9434aef02a948171b3545ebd0914125d7f5fe4fa590dd | 0 | 0
SOC Prime Threat 2c9099b138fc55d5fdb1dce07
APT 37 Ariel Millahuel Detection ff366a656ee06b6ff8dd57d23 0 0
Marketplace 8ce00e61809e4e

APT PRIVATELOG 396dd003148797c25c2cb63e


Sigma Integrated
Image Load Florian Roth 8f2c6e0b3973ed37675f9c214 0 0
Rule Set (GitHub)
Pattern f6a40a269c94131
e2b73603c9441b256be9bab1
Sigma Integrated
APT User Agent Florian Roth, Markus Neis ccd758407a6d6470859f0f6cb 0 0
Rule Set (GitHub)
838ff2eadc08006
APT29 Google 34f4cff056f24abe91bb29dc0
Sigma Integrated
Update Service Thomas Patzke 4a37ee746a4255101a21724b 0 0
Rule Set (GitHub)
Install 9ff28d79785247a
APT29 Google e6247b8fe178e47b7e98f318
Sigma Integrated
Update Service Thomas Patzke da90608dc7aaf94fa99fe8e93 0 0
Rule Set (GitHub)
Install 3f0a05b6498bdb4
572ac9027db60bae5654b7a9
APT40 Dropbox Sigma Integrated
Thomas Patzke bc5d58e315db0810b08d814 0 0
Tool User Agent Rule Set (GitHub)
2c6db54f5e9e7ed24

.in
AWL Bypass with
Winrm.vbs and 1d0bd876f993864d8a65e33c
Sigma Integrated
Malicious Julia Fomina, oscd.community e45e152f3e49063e858a7416 0 0
Rule Set (GitHub)
WsmPty.xsl/Ws 9b77923d673483a8
mTxt.xsl
AWL Bypass with
Winrm.vbs and
df
Sigma Integrated
3f84ecf411a71bd8d115a143
Malicious Julia Fomina, oscd.community 03c8eac0baf1a7d57c27f81e9 0 0
Rule Set (GitHub)
ap
WsmPty.xsl/Ws 9c78b2bff51f3c5
mTxt.xsl
AWL Bypass with
Winrm.vbs and d51a28a580a981a8c30c17c8
Sigma Integrated
Malicious Julia Fomina, oscd.community 985ac1d2bb9187f6dd4a55cf 0 0
Rule Set (GitHub)
st

WsmPty.xsl/Ws 24b6f0c4cfc4c1f4
mTxt.xsl
AWS Attached 0650616005d1cf25b22be420
Sigma Integrated
Malicious Austin Songer f69ef9f6271137f0d29697a56 0 0
Rule Set (GitHub)
In

Lambda Layer f3346877ffd37f8


AWS CloudTrail 4ef2dc5f6a20a82303470615
Sigma Integrated
Important vitaliy0x1 4832eb2b6caacbdd7526d5f7 0 0
Rule Set (GitHub)
Change 2b41b87b661c18b9
AWS Config
1ca012603accfb34b464b1a4
Disabling Sigma Integrated
vitaliy0x1 08012216374690743be9979 0 0
Channel/Recorde Rule Set (GitHub)
de051b99b95859e64
r
7cc31b5a6e3bb9dfe917930e
AWS EC2 Disable Sigma Integrated
Sittikorn S 9cff98c24e1477f39b93c17de 0 0
EBS Encryption Rule Set (GitHub)
733f572469e6746
AWS EC2 52870d4d2756b6f3dde80660
Sigma Integrated
Download faloker 72d0df3fffc2208a2f13a11ad8 0 0
Rule Set (GitHub)
Userdata dda6663fc6c12d
AWS EC2 Startup 839d04c92bee18b43af5b782
Sigma Integrated
Shell Script faloker 44d9a121efb5f27e4eebc842 0 0
Rule Set (GitHub)
Change ae6c62a6c9e4b4f3
510922d4a963b58fd4765ade
AWS EC2 VM Sigma Integrated
Diogo Braz 7ccec8ec0d323813387711be 0 0
Export Failure Rule Set (GitHub)
4acd2577afcd50d5
AWS EFS
320cb5ec91c7d2c86ae27ee1
Fileshare Sigma Integrated
Austin Songer @austinsonger a995b6a6fad692c4dd4716db 0 0
Modified or Rule Set (GitHub)
1bddc009cef68f24
Deleted
AWS EFS
557ffbb2dc96ead10718f0ce8
Fileshare Mount Sigma Integrated
Austin Songer @austinsonger e23abbd4520126cb5eb85b94 0 0
Modified or Rule Set (GitHub)
b8f3d19e7ff6442
Deleted
AWS EKS Cluster 633e9cc212d624837b46fa03
Sigma Integrated
Created or Austin Songer 81b5cb0f70e8a41bb219ae76 0 0
Rule Set (GitHub)
Deleted 550b862d16340cc1

AWS ElastiCache 82c9482509e59596843bf9c3


Sigma Integrated
Security Group Austin Songer @austinsonger 69a8a818e8248c0b8cd43217 0 0
Rule Set (GitHub)
Created 762ccd4546d5471e

AWS ElastiCache
886c07a825a6d3bd1d71d923

.in
Security Group Sigma Integrated
Austin Songer @austinsonger 8ecd1c47fe341acccd997dfca 0 0
Modified or Rule Set (GitHub)
9df6d55d0ce1924
Deleted

AWS Glue df 535cda9e5250683c27341783


Sigma Integrated
Development Austin Songer @austinsonger e572cb03b5946e3a3930ed6e 0 0
Rule Set (GitHub)
Endpoint Activity 7ec71fb51411adc6
AWS GuardDuty 315526975358ad2d0fa1b5c4
Sigma Integrated
ap
Important faloker 4442eda68a1a8a523b0c894d 0 0
Rule Set (GitHub)
Change e935ec21708b66ab
AWS IAM 8ccb5db92041ee60e6fab70b
Sigma Integrated
Backdoor Users faloker edfd8e59fb916edc12266128 0 0
Rule Set (GitHub)
Keys 63ffd244a78e453d
st

AWS Lambda 3bf7f1b2fd7fe897356a44168


Sigma Integrated
Function Created Austin Songer @austinsonger 91664478c352bcff4a562abbb 0 0
Rule Set (GitHub)
or Invoked 4e29d59be58cad
In

2caf12ef20a741df57dbd3af1
AWS Macie Sigma Integrated
Sittikorn S 5b2018c587c7143520a8c077 0 0
Evasion Rule Set (GitHub)
a4fb25e6dd8d75e

AWS RDS Master 5ce71a8dd2051186eb3bc827


Sigma Integrated
Password faloker 687f0161dcd856a3aa78737ff 0 0
Rule Set (GitHub)
Change c610f6040d4166c
9a3dad9567f385fd12f064177
AWS Root Sigma Integrated
vitaliy0x1 61f939eaf3bc223c50daac4c9 0 0
Credentials Rule Set (GitHub)
97e6f50f690b0c

AWS Route 53 91af3f000e86d4d90b8e282d


Elastic, Austin Songer Sigma Integrated
Domain Transfer 15d62993f5d5ca87f5375dee 0 0
@austinsonger Rule Set (GitHub)
Lock Disabled 075988c20a572c22

AWS Route 53
79dd906114c4b150b65cf759
Domain Elastic, Austin Songer Sigma Integrated
c1c0d1d83d74766afc2feb337 0 0
Transferred to @austinsonger Rule Set (GitHub)
b08ee12e340a013
Another Account
AWS S3 Data 14d9fe2befc885c1ed6ef46a5
Sigma Integrated
Management Austin Songer @austinsonger 5bc25f96407917c2385e324b 0 0
Rule Set (GitHub)
Tampering 8515b53a65d4b36
AWS STS ab071ff54304ef514871c1e84
Sigma Integrated
AssumeRole Austin Songer @austinsonger cc731ded005fa0ccda3b6661 0 0
Rule Set (GitHub)
Misuse 6554a41d88efa5e
AWS STS 6994df5208389be2d7437390
Sigma Integrated
GetSessionToken Austin Songer @austinsonger 3274ef547c51d5eed02015e2 0 0
Rule Set (GitHub)
Misuse 5e143b1932795aef
4e8ffcd6780ba56d1f2fa59f77
AWS SecurityHub Sigma Integrated
Sittikorn S 317ebf859a2bf43c4be7719f8 0 0
Findings Evasion Rule Set (GitHub)
1b9e03dd5c83d
173a650247a0aa08e4f7d1fb
AWS Suspicious Sigma Integrated
Austin Songer b1ab2154526c9f23e45d9bbf 0 0
SAML Activity Rule Set (GitHub)
aab1313385bc23ac
AWS User Login 943930b25869dfad30c94e1e
Sigma Integrated
Profile Was toffeebr33k ec864e899816b0d8b783767e 0 0
Rule Set (GitHub)
Modified 1940cd6e0138d53c
Abusable Invoke-
1ed460e3d1d675508d6550a
ATHRemoteFXvG Sigma Integrated

.in
frack113 e97b5b02fb7d2a41633cf104 0 0
PUDisablementC Rule Set (GitHub)
dd13ec5e3898fb4d8
ommand
Abusable Invoke-
3f23a6c297c45d5a9d63d790
ATHRemoteFXvG Sigma Integrated
frack113 df d48c7f197bedbf2e2a62d28b 0 0
PUDisablementC Rule Set (GitHub)
67dec7a5a79e3196
ommand
Abusable Invoke-
aa47fee25ec87cbc15062b8d
ATHRemoteFXvG Sigma Integrated
frack113 3f7e0acb8e38a64de307365a 0 0
ap
PUDisablementC Rule Set (GitHub)
eec8cfbe02f12c8e
ommand
Abusable Invoke-
c16e468ec3aab5a450c95894
ATHRemoteFXvG Sigma Integrated
frack113 6bf9ad962dd0a0b337178f1b 0 0
PUDisablementC Rule Set (GitHub)
dc125ca014779760
st

ommand
Abusable Invoke-
cb8936fcf36d16982575da13
ATHRemoteFXvG Sigma Integrated
frack113 504782d400992adaac08cd26 0 0
PUDisablementC Rule Set (GitHub)
ba7845c4a4279dee
In

ommand
Abusable Invoke-
e78750ceeb186d5ea5bbcfb7f
ATHRemoteFXvG Sigma Integrated
frack113 9ba741b6d8d9978b25212d9 0 0
PUDisablementC Rule Set (GitHub)
7a252621b5af87cf
ommand
Abuse of Service
31469fa3c8d37b7e80913d07
Permissions to Sigma Integrated
Andreas Hunkeler (@Karneades) ce5549c9371e193ac3f0d321 0 0
Hide Services in Rule Set (GitHub)
1f519adbb2de950c
Tools
08cc3358fc66df84bafea5742
Abusing Azure Sigma Integrated
Den Iuzvyk 55088ebf9e6d0b56cc08317a 0 0
Browser SSO Rule Set (GitHub)
bc1bc31f94bab4b

SOC Prime Threat 3a3618c16315d61e28176798


Abusing Azure
Den Iuzvyk Detection a3bb0420bd03a4732de4292 0 0
Browser SSO
Marketplace 0b67e1c038effc0cc
f96e4beae00ea6ddb52dd039
Abusing Print Furkan CALISKAN, Sigma Integrated
e1527892e6c52cdc577988ec 0 0
Executable @caliskanfurkan_, @oscd_initiative Rule Set (GitHub)
8e7730fd3b4cd9a7
Abusing
215ab0e3f729db474131b73e
Windows Sigma Integrated
Sreeman b9950bd1decd0ab51c4d221a 0 0
Telemetry For Rule Set (GitHub)
489c48004d3684e0
Persistence
Abusing
29f4b4ab96f93520895ca3d4
Windows Sigma Integrated
Sreeman 7ccf106f5a6fecadf74906d79a 0 0
Telemetry For Rule Set (GitHub)
302829883cd114
Persistence
Abusing
37508447092b61198dba6c20
Windows Sigma Integrated
Sreeman 77887c7bd32c0396716095cb 0 0
Telemetry For Rule Set (GitHub)
8e25593a16b30929
Persistence
Abusing
9fc475ae448749ce7b6c7760c
Windows Sigma Integrated
Sreeman 27eaa960cebb3e61dd32ccdd 0 0
Telemetry For Rule Set (GitHub)
1ffa55dc831eff2
Persistence

Abusing
Windows SOC Prime Threat 879510fbd52dc559762564e9
telemetry Den Iuzvyk Detection dcee6b800c7ebe8846c23791 0 0

.in
CompatTelRunne Marketplace 1775cf3f6d8d3cd9
r.exe(Audit Rule)
Abusing
Windows
SOC Prime Threat 18fa931666e2ae680fb1e0dce
df
telemetry
Den Iuzvyk Detection c0ba06dadd31ca6b52d9c619 0 0
CompatTelRunne
Marketplace bb42fca8b7d7048
r.exe(Sysmon
Behavior)
ap
9b8b6fde8104ca3626c27c74
Access to Sigma Integrated
Florian Roth 6a6e6e07d3f8c89905e685f9a 0 0
ADMIN$ Share Rule Set (GitHub)
05cb5f6f4edc379

Accesschk Usage Teymur Kheirkhabarov (idea), cd3d7a697c3c3677aa8da2c2


Sigma Integrated
After Privilege Mangatas Tondang (rule), 9a31ba2c427c6efdde2818de 0 0
st

Rule Set (GitHub)


Escalation oscd.community ab23f432540c2193

Accessing
Encrypted 51e8e5e690970ad68d78452
In

Sigma Integrated
Credentials from frack113 5926120f9a5afde96ebd2025 0 0
Rule Set (GitHub)
Google Chrome 3e92cea0d07d54399
Login Database
Accessing
WinAPI in a683beca7674cad333d64a1ff
oscd.community, Natalia Sigma Integrated
PowerShell for e5ac971414b265f15a99e2f9 0 0
Shornikova Rule Set (GitHub)
Credentials d2c7ff967cc2fe2
Dumping
Accessing
780e368b7c4c2665f3cbcc618
WinAPI in Sigma Integrated
Nikita Nazarov, oscd.community 4c03b9147726ab5239f4c013 0 0
PowerShell. Code Rule Set (GitHub)
41cbc02775dafda
Injection.
Account c2d1da71047d12f3e9e82a9b
Sigma Integrated
Enumeration on toffeebr33k 10ae31b7f37c8a89483a537c 0 0
Rule Set (GitHub)
AWS 7049c6f83abd4cb0
1fe55c2a4747185813415dd5
Sigma Integrated
Account Lockout AlertIQ f4e3e497c4f1fc14e546ea9fe 0 0
Rule Set (GitHub)
496f104438a0870
Account
5589ef9f2fa4b4fc38d9e2634
Tampering - Sigma Integrated
Florian Roth cb65b59cc829a86599e808fd 0 0
Suspicious Failed Rule Set (GitHub)
a10586d97094d5b
Logon Reasons

SOC Prime Threat 7036d84b791069d70f9a3818


AcidBox Activity Den Iuzvyk Detection 59bbfdaf7d37a698a47948b3 0 0
Marketplace 43a49a64ab652cce
Active Directory
Kerberos DLL a2eee7390841d2713ce09ab4
Sigma Integrated
Loaded Via Antonlovesdnb 5175d989688027fe21419382 0 0
Rule Set (GitHub)
Office 74b88a1dfe11b75c
Applications
Active Directory
Parsing DLL 6691a047173376a6c37e4a5a
Sigma Integrated
Loaded Via Antonlovesdnb 5a2ca36610041e928c2900eb 0 0
Rule Set (GitHub)
Office 7665491f798ff07e
Applications

.in
Active Directory
db12e3072dac7d4a4e8f6728
Replication from Sigma Integrated
Roberto Rodriguez @Cyb3rWard0g 2fbba19b12ef761b40ea2635 0 0
Non Machine Rule Set (GitHub)
9caeec8051cefcd2
Account

Active Directory
User Backdoors
@neu5ron
df
Sigma Integrated
Rule Set (GitHub)
b0cd1653d4d8f0519ad99bcf
040b2db9dd835f2df6daa908
7c3e4e0a13beb319
0 0

Activity 02b84310ae0b2a94f86e5369
ap
Sigma Integrated
Performed by Austin Songer @austinsonger d7ec39f1a701aed32bc6728b 0 0
Rule Set (GitHub)
Terminated User 909b446f929745c1
Activity Related
36868991a76ff137e30dea5f7
to NTDS.dit Sigma Integrated
Florian Roth, Michael Haag 7cced4da2254db444c41aa5f 0 0
st

Domain Hash Rule Set (GitHub)


83cc7ba6b8fed48
Retrieval
Activity from efecf6d62b61312f886723f75
Sigma Integrated
Anonymous IP Austin Songer @austinsonger 2a5c2ee5188a1bac0ee58529 0 0
Rule Set (GitHub)
In

Addresses 4f03e08291d66b8
Activity from b9be4401ecfc9259f3e9b16e7
Sigma Integrated
Infrequent Austin Songer @austinsonger 7573b0abed2cf0df93e746abc 0 0
Rule Set (GitHub)
Country e40e64e7cea7d4
Activity from c020af8eea2544a4fee04ed51
Sigma Integrated
Suspicious IP Austin Songer @austinsonger 43d696c1224c429b3a7871cc 0 0
Rule Set (GitHub)
Addresses 87b00b8d5c6cc8f
Add Port
8dbe594a0f4eb93aed5bfffd0
Monitor Sigma Integrated
frack113 545b03cb0d8c91d229a16970 0 0
Persistence in Rule Set (GitHub)
0c0d5a7b140795b
Registry
f354ac1a99792012ceaef04ee
Addition of Sigma Integrated
Thomas Patzke 732d816f1a2d9dee2e304922 0 0
Domain Trusts Rule Set (GitHub)
95b794811ed0e46

Addition of SID d755877a01e9e73bfd7efde3


Thomas Patzke, @atc_project Sigma Integrated
History to Active 363de1b7976022aad16110c5 0 0
(improvements) Rule Set (GitHub)
Directory Object a4b2995a9f8604f2
ba345e8f98204602e6652f9d
Admin User Sigma Integrated
juju4 41bec21ffed8e55fe558a9831 0 0
Remote Logon Rule Set (GitHub)
5201eec3993eefe
5fbf642a60f85b04f337ffeb9e
Advanced IP Sigma Integrated
@ROxPinTeddy 377bf01fbe1ca8b9325ead91 0 0
Scanner Rule Set (GitHub)
5068bbec2ec06c
fb482f5fd709d1ae001f190ee
Advanced Port Nasreddine Bencherchali Sigma Integrated
187e694e6ae6473e73b36e57 0 0
Scanner @nas_bench Rule Set (GitHub)
e49b6908a1544c3
Florian Roth, Tom Ueltschi, 2430fe9fd6e24946c8534bace
Adwind RAT / Sigma Integrated
Jonhnathan Ribeiro, 62f59a139bd0871a15e59440 0 0
JRAT Rule Set (GitHub)
oscd.community 8a81134d905d1c3
Florian Roth, Tom Ueltschi, 29d8efa02d53ac611d0b491b
Adwind RAT / Sigma Integrated
Jonhnathan Ribeiro, edaddbcd34e06668c553dd70 0 0
JRAT Rule Set (GitHub)
oscd.community 2b761afceca6d91c
Florian Roth, Tom Ueltschi, 40b38a30ad910fcc157b48f58
Adwind RAT / Sigma Integrated
Jonhnathan Ribeiro, 90f35898cc92ae17559bda17 0 0
JRAT Rule Set (GitHub)
oscd.community 64e434dfc37c1d4
Florian Roth, Tom Ueltschi, 6b74b152297fb45850c046a2
Adwind RAT / Sigma Integrated
Jonhnathan Ribeiro, 29ca64920ee9d973e33fdb61 0 0

.in
JRAT Rule Set (GitHub)
oscd.community c3954a849baa882e

AeDebugProtect SOC Prime Threat a3febaea6fa1eefc8642f7d84


ed Reg Key Den Iuzvyk Detection 8d0b2d4f2b70c0359fa395d9 0 0
Persistance Marketplace
df e8ee921c218b36d
1ff53e9fd6749954464f3ac22
Alternate Roberto Rodriguez (Cyb3rWard0g), Sigma Integrated
171fc115796cbc09d5ac9331 0 0
PowerShell Hosts OTR (Open Threat Research) Rule Set (GitHub)
d6db4cad674287e
ap
5b34558f1c4d306598963505
Alternate Sigma Integrated
Roberto Rodriguez @Cyb3rWard0g 5533ba223585e99be44e2b0 0 0
PowerShell Hosts Rule Set (GitHub)
e319dfc6946c50ee2
66d3c05927db71e9d8760c53
Alternate Sigma Integrated
Roberto Rodriguez @Cyb3rWard0g 53ef8a161521b446c0b6cb8e 0 0
PowerShell Hosts Rule Set (GitHub)
st

a538a081d2d15e8f
b98a87132b8f25c1b28f308d
Alternate Sigma Integrated
Roberto Rodriguez @Cyb3rWard0g 62a1f37edb6a16c239e5d98a 0 0
PowerShell Hosts Rule Set (GitHub)
314a15853193b18c
In

Alternate 0b70b2266832f57d7fcd62d2
Sigma Integrated
PowerShell Hosts Roberto Rodriguez @Cyb3rWard0g 32b3b469d8788c9a97ee87df 0 0
Rule Set (GitHub)
Module Load ac1147dbd08533a2
Alternate ba100a757ed85b5b1b191f9a
Sigma Integrated
PowerShell Hosts Roberto Rodriguez @Cyb3rWard0g a12c8123ef59a9afd99c6cb8f 0 0
Rule Set (GitHub)
Pipe daeb4f7bd4e12fa

Amadey Botnet SOC Prime Threat cec4465383805716c59e96f5


detection Ariel Millahuel Detection 1fd252bb21a3cba08cb59dfe 0 0
(TA505) Marketplace 0e21d49eaaee228a
Anonymous User
SOC Prime Threat 5262477d283c94c8a282e110
Changed
SOC Prime Team Detection 700640abccc3d50d92a485af 0 0
Machine
Marketplace 02adb2a0ed079358
Password
53c56007ae94680c26786bcd
Joe Security Rule
AntiVM Joe Security 895d2087db975d72635c064 0 0
Set (GitHub)
6c8e0ee8b2ca6539b
Antivirus
b74dd119e6b8a4b8160d85ec
Exploitation Sigma Integrated
Florian Roth 696dd1b8f9d9990a6eebdc5a 0 0
Framework Rule Set (GitHub)
bee1ce10d635d8fa
Detection
Antivirus c199a1ab724951efd7b45265
Sigma Integrated
Hacktool Florian Roth fbdd55c15874411108f51d08 0 0
Rule Set (GitHub)
Detection 0ff79caf07509ed8
Antivirus
26728f84df236571280d6d8d
Password Sigma Integrated
Florian Roth 3ec2ef0250723676cf344e0e4 0 0
Dumper Rule Set (GitHub)
b29b397901037d5
Detection

Antivirus
22284a04af59d3dfb90caff89
PrinterNightmare Sigma Integrated
Sittikorn S, Nuttakorn T d34cb8f366f73553f1aa99101 0 0
CVE-2021-34527 Rule Set (GitHub)
a46e88e4200b71
Exploit Detection
Antivirus a3fdf9ece7053d2030dc642b
Sigma Integrated
Relevant File Florian Roth, Arnim Rupp d2eb70cd4c3a3e45f7939313 0 0
Rule Set (GitHub)
Paths Alerts db5d59ae6fec42db
0abd8831aa5efdcfa40c619da

.in
Antivirus Web Sigma Integrated
Florian Roth, Arnim Rupp deb24d85fa74d097fa44e68d 0 0
Shell Detection Rule Set (GitHub)
639accddb2a7e70
Apache 723a6621f9b140b510c7f465
Sigma Integrated
Segmentation Florian Roth 23b33c69c2beb3f9e824516e 0 0
Rule Set (GitHub)
df
Fault 07e5bb83aa5b0d26
2210d9229d212ebd79a6971
Apache Sigma Integrated
Florian Roth 2d72ae5590caccd7f8c47f913 0 0
Threading Error Rule Set (GitHub)
31c431e3394f87ce
ap
AppInstaller 8c20386ca2239562a26b8081
Sigma Integrated
Attempts From frack113 35071390e3abe7434cb25178 0 0
Rule Set (GitHub)
URL by DNS 1a4656b1b4cf71e6
AppLocker 2331619a69009fbe3cead24a
Joe Security Rule
Bypass via Joe Security 909b7e9d42ffb14b71caa6d8 0 0
Set (GitHub)
st

Regsvr32 3ee04fce114b10eb

Application 3a9675abeacca74d231073ef
Sigma Integrated
Whitelisting Beyu Denis, oscd.community cc4c362ddc755278240288e6 0 0
Rule Set (GitHub)
Bypass via Bginfo 9cd34b2f2052cffc
In

Application
208e2a3b52a6d211e7c5b85a
Whitelisting Sigma Integrated
Beyu Denis, oscd.community 6b02a3d7b276c3d13e266917 0 0
Bypass via Rule Set (GitHub)
a5e033a43cc39d85
Dxcap.exe
Arbitrary Shell
Command 1eb1f4796a2c05305c0e6fb96
Sigma Integrated
Execution Via Sreeman 1bac3fd02861464a7d6bc3d1 0 0
Rule Set (GitHub)
Settingcontent- a35461737101c81
Ms
0274ce4cedfe4942275222ff2
Arcadyan Router Sigma Integrated
Bhabesh Raj 62ad3bc4a6d9230e7d8aa753 0 0
Exploitations Rule Set (GitHub)
adaf19da3b08ebe

Artrta Trojan SOC Prime Threat a460ea212cd93f867529a23e


(Sysmon Ariel Millahuel Detection 3064a9972f4e4b97bbba5f91 0 0
detection) Marketplace 6b427016caaccd93
15ae81a84c9a92e5ffb3bc1c4
Atbroker Registry Sigma Integrated
Mateusz Wydra, oscd.community cecc28883ece49fc1ceef55d7 0 0
Change Rule Set (GitHub)
45ac094ece0622
25ae1d6038813be4c6c9dd48
Atera Agent Sigma Integrated
Bhabesh Raj 2574522a1ec3ed0d01450b06 0 0
Installation Rule Set (GitHub)
b4673f94bef1aa71
Atlassian 56b5ba6ff40bf2213da0f48c8
Sigma Integrated
Confluence CVE- Bhabesh Raj 68136707e52c6ca8ac602bf6 0 0
Rule Set (GitHub)
2021-26084 013d111e87ea977
a4baf3681957e567a0dcabca
Sigma Integrated
Audio Capture Pawel Mazur 982a74d6ef27a7f4371c330e 0 0
Rule Set (GitHub)
743abb82201ce772
E.M. Anhaus (originally from Atomic db002a5ffd8be8305184d197
Audio Capture Sigma Integrated
Blue Detections, Endgame), dda045b272ab439c9fc205a6 0 0
via PowerShell Rule Set (GitHub)
oscd.community ce985e3eb911df70
0c184188e5202d857b8ad979
Sigma Integrated
Audit CVE Event Florian Roth 11db2679f4da47c8ff9498e86 0 0
Rule Set (GitHub)
9e2794f4b017d77
Auditing
08bdc4ce556bc84980d5552b
Configuration Sigma Integrated

.in
Mikhail Larin, oscd.community b3426a25d11cc00dfa1d2ca4 0 0
Changes on Linux Rule Set (GitHub)
e727b609ad595cb6
Host

Automated
Collection df 9fa49f4a1e9253459c99846a0
Sigma Integrated
Bookmarks Using frack113 3ce69d8e029b42640efba5e1 0 0
Rule Set (GitHub)
Get-ChildItem 58e2455b6c0f5fc
PowerShell
ap
Azorult and SOC Prime Threat 312ca94426dbc718ff09f09e6
XMRigCC Ariel Millahuel Detection a43b898190a0aaf80ccbf8bbc 0 0
behavior Marketplace 1faeab30a2381d

Azorult and SOC Prime Threat eb88bdebe1990354c146b84c


st

XMRigCC Ariel Millahuel Detection 3335fe5d42136e63848540b2 0 0


behavior Marketplace 7845073f1f61fd4d
Azure AD Health
3bfeb8cfe94b16cd5b7f3c960
In

Monitoring Roberto Rodriguez (Cyb3rWard0g), Sigma Integrated


24b95509404dee7b48144b2 0 0
Agent Registry OTR (Open Threat Research), MSTIC Rule Set (GitHub)
af8aa5ce4779de13
Keys Access
Azure AD Health
bbe20978cff2db9667ec8775
Service Agents Roberto Rodriguez (Cyb3rWard0g), Sigma Integrated
73b1107ee982ff6d743fa80d3 0 0
Registry Keys OTR (Open Threat Research), MSTIC Rule Set (GitHub)
cbf2b74771a384a
Access
Azure Active
74b3585358a705f41a3c47ca
Directory Hybrid Roberto Rodriguez (Cyb3rWard0g), Sigma Integrated
255f4fdf226f80d67efcd8180 0 0
Health AD FS OTR (Open Threat Research), MSTIC Rule Set (GitHub)
692d9830cb0cddc
New Server
Azure Active
79b78dee5286fabf9074e377
Directory Hybrid Roberto Rodriguez (Cyb3rWard0g), Sigma Integrated
bf3ad75038d8b8d9a5087f43 0 0
Health AD FS OTR (Open Threat Research), MSTIC Rule Set (GitHub)
9b47b5c962e9a221
Service Delete
Azure
8249fead423c34843b4256f3
Application Sigma Integrated
Austin Songer @austinsonger 8229856595e4938b3447407 0 0
Credential Rule Set (GitHub)
99a977671a8721be9
Modified
Azure 2ca197a0660bd80fe905e4ca
Sigma Integrated
Application Austin Songer @austinsonger 00acc28acc9704a89ac7f82e3 0 0
Rule Set (GitHub)
Deleted b3f99f91c2277bc
Azure
Application 99cfccf0f7621c216ab9a6e57
Sigma Integrated
Gateway Austin Songer 4118c7d08bd147ed24fdfc92 0 0
Rule Set (GitHub)
Modified or 3c1bef27869dd2e
Deleted
Azure
Application fee924d31493870a0e467e4c
Sigma Integrated
Security Group Austin Songer 218281258f926382c4aed996 0 0
Rule Set (GitHub)
Modified or e8c0ead7b0ffd1a1
Deleted
Azure Container a50193cebf131589afa2e4c5c
Sigma Integrated
Registry Created Austin Songer @austinsonger af4bd66397e7f3e21a007d2d 0 0
Rule Set (GitHub)
or Deleted ceb8a4a87b50ef2
Azure DNS Zone 43efaace741bf5e0b6dd18d8
Sigma Integrated
Modified or Austin Songer @austinsonger ac4cb9c2541ae1076b512e1b 0 0
Rule Set (GitHub)
Deleted d743a3064a1e6bd6

.in
Azure Device No c81341f9f6cd4cd0b87566645
Sigma Integrated
Longer Managed Austin Songer @austinsonger bb2e5b8bcbf96eb3f70ff9b56 0 0
Rule Set (GitHub)
or Compliant ee3abf4854e84d
Azure Device or
df 96deb162e4d7078c4d37c8e9
Configuration Sigma Integrated
Austin Songer @austinsonger 299cd36a06bd4e7851a6667d 0 0
Modified or Rule Set (GitHub)
bf6d26a2c982d28e
Deleted
Azure Domain
cbd7365e52f94f02a5138467
ap
Federation Sigma Integrated
Austin Songer 14617391f68f6912003a2eb9 0 0
Settings Rule Set (GitHub)
a0bbacf128259b5b
Modified
Azure Firewall d45698a63ac241254c2e58e0
Sigma Integrated
Modified or Austin Songer @austinsonger 06dd45b43f164ffe1d0a192e9 0 0
Rule Set (GitHub)
st

Deleted e4bfb69fd4d0a70
Azure Firewall
4e5d8654f38840ce7dfb65ecc
Rule Collection Sigma Integrated
Austin Songer @austinsonger bb26e41cf2087dc48fd3290a 0 0
Modified or Rule Set (GitHub)
bc364e99ff6c223
In

Deleted
Azure Firewall
Rule 1966c63d48e697e85ff918b1
Sigma Integrated
Configuration Austin Songer @austinsonger 2a3933601905b8e608c26a39 0 0
Rule Set (GitHub)
Modified or ba40d0802843a0a7
Deleted
Azure Key Vault 8277b5e14bd624d703568cc7
Sigma Integrated
Modified or Austin Songer @austinsonger 28cc7573300e7157c6085a66 0 0
Rule Set (GitHub)
Deleted. 9f3c467b2b2dc91f
Azure Keyvault 9cd4b711206e3c37197e3489
Sigma Integrated
Key Modified or Austin Songer @austinsonger 4fa230459f8f3973e55a83936 0 0
Rule Set (GitHub)
Deleted 32f7b4f394a0757

Azure Keyvault ca76365114071335144bbd16


Sigma Integrated
Secrets Modified Austin Songer @austinsonger aa1ff1702fba9628d9339290e 0 0
Rule Set (GitHub)
or Deleted 6ad1ca4038485b0
Azure
0f1f0dc48da97695cb6527b0
Kubernetes Sigma Integrated
Austin Songer @austinsonger 79cf0a309aa8c1f5330034f61 0 0
Admission Rule Set (GitHub)
4fd18aa4a3a515d
Controller
Azure
ad11168ee302b9e417ef34de
Kubernetes Sigma Integrated
Austin Songer @austinsonger 10e853a070a2255f619a0f2e 0 0
Cluster Created Rule Set (GitHub)
5ce8093efa4125ec
or Deleted
Azure 6f0756909a231b1de68feb41
Sigma Integrated
Kubernetes Austin Songer @austinsonger 531a09f1b4aa980d4cb70521 0 0
Rule Set (GitHub)
CronJob 6064bbf410c47f38
Azure 8d931927daa9fe944bfee3fe8
Sigma Integrated
Kubernetes Austin Songer @austinsonger 2c6723e2f8c8daab9a97f657c 0 0
Rule Set (GitHub)
Events Deleted 6b92eec3f60413
Azure
fa73bc2ee70f7f45ebea4039e
Kubernetes Sigma Integrated
Austin Songer @austinsonger 72ecbf9d55585af7633d7dc5e 0 0
Network Policy Rule Set (GitHub)
e78175f740c847
Change
Azure e96da18a9f7bce0ba8dbf0ea7
Sigma Integrated
Kubernetes Pods Austin Songer @austinsonger 4585858e37bdf438c3a3acf0e 0 0

.in
Rule Set (GitHub)
Deleted 69ad4f611d8e00
Azure
Kubernetes
dcf545836738f2f84a8fe3096
RoleBinding/Clus Sigma Integrated
Austin Songer @austinsonger df 88d2565d5db60f2003e89935 0 0
terRoleBinding Rule Set (GitHub)
f9c884ebde8b2f3
Modified and
Deleted
Azure
dcea1ea1d9ac39af65a5f2856
ap
Kubernetes Sigma Integrated
Austin Songer @austinsonger 8f16c91f9dc4c647daea19dce 0 0
Secret or Config Rule Set (GitHub)
016dd2466bdbd8
Object Access
Azure
23e30fa444fae1b172748e6a
Kubernetes Sigma Integrated
Austin Songer @austinsonger 76e829b2b5bc2d747c0c6d67 0 0
st

Sensitive Role Rule Set (GitHub)


9f757fbdb036198b
Access
Azure
Kubernetes 8a73631fa6f0fa5dff761b9c6c
Sigma Integrated
In

Service Account Austin Songer @austinsonger 0a3ccf6a66f65663666241850 0 0


Rule Set (GitHub)
Modified or 3f105d17d8993
Deleted
Azure Network
9899c52490520e420876ad5d
Firewall Policy Sigma Integrated
Austin Songer @austinsonger e364f9f956e993c38bb2bf6e2 0 0
Modified or Rule Set (GitHub)
6f7afad6560eee9
Deleted
Azure Network
Security d91818569830303d0793ec9c
Sigma Integrated
Configuration Austin Songer @austinsonger df27d592e581e957caa02141 0 0
Rule Set (GitHub)
Modified or 080927e8d4debd7d
Deleted
Azure New 168e1c35ae1332d1fde28035
Sigma Integrated
CloudShell Austin Songer 7d55f94bc3fa72d5f623c5075 0 0
Rule Set (GitHub)
Created dc9e95719b508e0
Azure Owner
f497fa0952b0643d212e000f9
Removed From Sigma Integrated
Austin Songer @austinsonger beedfa0e38c340e126cc9807 0 0
Application or Rule Set (GitHub)
59fd73aea3f074b
Service Principal
Azure Point-to-
4fe122fb2f4694c438ef09c62
site VPN Sigma Integrated
Austin Songer @austinsonger c437757ffff5f2960a1d78aa75 0 0
Modified or Rule Set (GitHub)
7b6f0cdab3541
Deleted
8e656dbfb37b60d6fef290149
Azure Service Sigma Integrated
Austin Songer @austinsonger 93072a6b8341f80dbd9d2ac0 0 0
Principal Created Rule Set (GitHub)
901fc71eb99b51f
Azure Service ce41462e381c9c869284161d
Sigma Integrated
Principal Austin Songer @austinsonger b12adbbf2078003b7ce16266 0 0
Rule Set (GitHub)
Removed c923d3dc021e19a0
Azure
Subscription 5fc1781e8afc3e000022771fd
Sigma Integrated
Permission Austin Songer @austinsonger 6678ed7bca2e931810fbe088 0 0
Rule Set (GitHub)
Elevation Via 916375a89ca353c
ActivityLogs
Azure
Subscription f1133baebe520b6bb3b6aa03
Sigma Integrated
Permission Austin Songer @austinsonger c2a199e4297f5620463593d2 0 0
Rule Set (GitHub)
Elevation Via 698f7317285f40a5
AuditLogs

.in
Azure c024312538da26140188fc0c
Sigma Integrated
Suppression Rule Austin Songer 40fb6fdffd2ba7813aeb307a5 0 0
Rule Set (GitHub)
Created 9b8a7a73953de52
Azure Unusual a2fbabf1ea8e4593cac5c7eba
Sigma Integrated
df
Authentication Austin Songer @austinsonger a8163ce713e0ccc9f65c8c76f 0 0
Rule Set (GitHub)
Interruption d6ac40c53ccab9
Azure VPN
e0af5f08fe2a083cdd976c7c9
Connection Sigma Integrated
Austin Songer @austinsonger 26cdeee6d6099cf28085ad65 0 0
ap
Modified or Rule Set (GitHub)
013d5a1c9041186
Deleted
Azure Virtual
caa2f19474e04314ce3f38bdc
Network Device Sigma Integrated
Austin Songer @austinsonger 4f01d4f9704a841377ea1291 0 0
Modified or Rule Set (GitHub)
71fc6d2ec5f08e0
st

Deleted
Azure Virtual
daf496c3dedf483941f304039
Network Sigma Integrated
Austin Songer @austinsonger 8af3b052a54fea0d8f410a240 0 0
Modified or Rule Set (GitHub)
7b7284ae613dd4
In

Deleted
AzureHound d745e174b185bed59eeb7c26
Sigma Integrated
PowerShell Austin Songer (@austinsonger) c061f86404d4a74607b52397 0 0
Rule Set (GitHub)
Commands 3b17ee01d22e665f
7e3c417e8dc74e72824b44e7
Baby Shark Sigma Integrated
Florian Roth 45f3abcd085e70e309ca15d2 0 0
Activity Rule Set (GitHub)
79f127de94331f6e
65fc9733e96d5061d9c0158d
BabyShark Agent Sigma Integrated
Florian Roth 5e935ee4fb89c6a3d5981ed3 0 0
Pattern Rule Set (GitHub)
e2ee6eba8d7931bc

SOC Prime Threat e578b7532f350b30e9614eb1


BackSwap Trojan
Ariel Millahuel Detection a524f8d25975960eeaa667be 0 0
detection
Marketplace cc98ac9cd99c42ee
db25081a26915f454c9f9fc4d
Backup Catalog Florian Roth (rule), Tom U. Sigma Integrated
d73865d15100f764005bd361 0 0
Deleted @c_APT_ure (collection) Rule Set (GitHub)
a8ec9eecee428d3
Bad Opsec c536e387a5fd3183e46be3c9
ok @securonix invrep_de, Sigma Integrated
Powershell Code a492ab73e5ade9b45179341e 0 0
oscd.community Rule Set (GitHub)
Artifacts a25fcfe383cee92d

SOC Prime Threat cf78d5c37f3b09e94b3500ed


Banload Trojan
Ariel Millahuel Detection de1baaf99114e6503c98d1ce 0 0
Detection
Marketplace dbf58f67f4e2b1de

Banload Trojan Detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | df75fb5e2add2e6674d7b5df931eb3ea32c98e61f6fcc4cb9e981b99fab72c52 | 0 | 0
Binary Padding | Igor Fits, Mikhail Larin, oscd.community | Sigma Integrated Rule Set (GitHub) | 02cb79a02d071bcc40631d144c5a778d3326e0d2226089538e755f27dfac2048 | 0 | 0
Binary Padding | Igor Fits, oscd.community | Sigma Integrated Rule Set (GitHub) | 3fbac61acf4870c524599db45e1b2dfc09b3058a0096d5fb5b9f1cbc7cde4fee | 0 | 0
Bitsadmin to Uncommon TLD | Florian Roth | Sigma Integrated Rule Set (GitHub) | 2e6f9336c9aa7e0fb900844db203acd64f2e49c46053557f76e819509277e0b2 | 0 | 0
Black Kingdom Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 7b246ccd83dc04be953170d86f9c74b4e9d46071fbc612523b2b7b5564ea248e | 0 | 0
BlackWater Malware (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 39cd8a4762fefe23e71b4a9c925150241a4c887c22e6c33561f972f394454f55 | 0 | 0
Blackout Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 85ed357648ddf115b4b4d1596a36cdf430f132c7262701da1960f5d9c685d48d | 0 | 0
Blackout Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | b5d26570d88e55e6f8513514b34cb8ae7122dfac66a407ee89e3136500fcec9b | 0 | 0
Bladabindi backdoor | Ariel Millahuel | SOC Prime Threat Detection Marketplace | acbedd0b4dd2d93744542676c9afdfcf6f0f313229b26f137a2d979893bec5ff | 0 | 0
Blue Mockingbird | Trent Liffick (@tliffick) | Sigma Integrated Rule Set (GitHub) | 0cb9e146271e0c9ad794c98863e0e6d9c6ca19471bfea205eee4a276fecbd69d | 0 | 0
Blue Mockingbird | Trent Liffick (@tliffick) | Sigma Integrated Rule Set (GitHub) | 8f6a9e9bbcb601d1bc09093f383e8d8f1f7f09bf7d7e69843c14a7cd880ee0c1 | 0 | 0
Blue Mockingbird | Trent Liffick (@tliffick) | Sigma Integrated Rule Set (GitHub) | d0b6ca563c74d796de2ac3b8200508b7ea05a9ba9533d0d455ec1f717dd0b8d5 | 0 | 0
Blue Mockingbird | Trent Liffick (@tliffick) | Sigma Integrated Rule Set (GitHub) | f1ab359e7200763d0ebd605b4d6c074a821679006372360c1fef073501822e2b | 0 | 0
Blue Mockingbird | Trent Liffick (@tliffick) | Sigma Integrated Rule Set (GitHub) | f723401b33927cfc6f265fefe66ce2982144e1ddeb991a3b47302b70b730b91a | 0 | 0
Brute Force | Aleksandr Akhremchik, oscd.community | Sigma Integrated Rule Set (GitHub) | 4307719a67c4c9c1343c12fa7fbdb91107ce614a895545a9b2de04426298134a | 0 | 0
Buer Loader (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 6327206ca6b0ae94eb02e02c0eda55e26020672bad83ed8831fcdc84f2c0f3ff | 0 | 0
Buffer Overflow Attempts | Florian Roth | Sigma Integrated Rule Set (GitHub) | ad1714ed24aec2fa28551a247a666369e496ada2acb48b02b3b266083d75e6b1 | 0 | 0
Bunitu Trojan | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 3a8e7baeffec67b69220da8b8d25bcae45e047937d0f2f833052ef5ea532aa9a | 0 | 0
Bypass UAC Using DelegateExecute | frack113 | Sigma Integrated Rule Set (GitHub) | da3ec62084336efcb20f4f4e3a94268ca6c1665699d00b48e490be7fc41d2287 | 0 | 0
Bypass UAC Using Event Viewer | frack113 | Sigma Integrated Rule Set (GitHub) | a0f94cedc18c397f576619978b15265938adc1cba9d431467d50db98d8a79972 | 0 | 0
Bypass UAC Using SilentCleanup Task | frack113 | Sigma Integrated Rule Set (GitHub) | 09bd87cd156913fd5b64ab548f700258c49833a235b205c8494f05634670d8d9 | 0 | 0
CARROTBAT Malware detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 793159445715fc7a8b862f94666ae175cf0a3f6ab66c76e3af31ac86638fa859 | 0 | 0
CLR DLL Loaded Via Office Applications | Antonlovesdnb | Sigma Integrated Rule Set (GitHub) | 6362c65a14d81807ed78ab9e2fa99fbb546c067d39b3b63846c820e5c401e2e3 | 0 | 0
CLR DLL Loaded Via Scripting Applications | omkar72, oscd.community | Sigma Integrated Rule Set (GitHub) | 5c2eb7356281203a2556ea40a71892ba7a369c46d5f2fc4574a427ac968c097c | 0 | 0
CMSTP Execution | Nik Seetharaman | Sigma Integrated Rule Set (GitHub) | fcd2fd95fad355c5e2d783abef0cb21f5fcc96e6ed5e0637f465bb7e75cf9342 | 0 | 0
CMSTP Execution Process Access | Nik Seetharaman | Sigma Integrated Rule Set (GitHub) | 87af8c0b574ec328882da2ed6ae28880f2577cf0bbe165ae6e19d50475c6d86a | 0 | 0
COM DLL Loaded Via Microsoft Office Product (via sysmon) | SOC Prime Team | SOC Prime Threat Detection Marketplace | 8f3c9743049559fb0309f2478f6d6c65e7de8ef0a27373e4c584779e3276979c | 0 | 0
COM Hijack via Sdclt | Omkar Gudhate | Sigma Integrated Rule Set (GitHub) | ab8743ded66b586929aa13e45ceb037d6d8b0070893c7f23eb993baabe393a9d | 0 | 0
COMPlus_ETWEnabled Command Line Arguments | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 37c4f090dee0ead128c75a30b117563fd3376ddf2e4b622311b167c9a3b1ba18 | 0 | 0
COMPlus_ETWEnabled Registry Modification | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 35fa58d3974ddf4be72ca9c5273ff5dfde7de065d8b27e4baef1189a9c10014d | 0 | 0
COMPlus_ETWEnabled Registry Modification | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | cc1b63adcbcba57ac6edb7913c2741cb0bee32fe4301f250ee4087ba643a654f | 0 | 0
CVE-2010-5278 Exploitation Attempt | Subhash Popuri (@pbssubhash) | Sigma Integrated Rule Set (GitHub) | d934f98bfa1d3842f51f86448d12eaa5d7ae665d51986c839307e4494210607e | 0 | 0
CVE-2020-0688 Exchange Exploitation via Web Log | Florian Roth | Sigma Integrated Rule Set (GitHub) | 00d02232ebab9d4ccdb763022a32fda3d58da65c29159ed6992ba07072196b09 | 0 | 0
CVE-2020-0688 Exploitation Attempt | NVISO | Sigma Integrated Rule Set (GitHub) | 5bbc9c67b6f5cb0d9b567b095ac079935288aace38c952feeefe24cca8db2fbf | 0 | 0
CVE-2020-0688 Exploitation via Eventlog | Florian Roth, wagga | Sigma Integrated Rule Set (GitHub) | b8583b9acaa360ecfe76d00ff9d352cbdf6d3107d975a243b3ffb45ea03c67e9 | 0 | 0
CVE-2020-10148 SolarWinds Orion API Auth Bypass | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | b8a891b94f9eaba11d1c04c2500b004dcd5a7de6f8e0722ef3d08f910741c37e | 0 | 0
CVE-2020-1350 DNS Remote Code Exploit [SIGRED] (via DNS) | SOC Prime Team | SOC Prime Threat Detection Marketplace | 332d13dcb0a4e1a6c422484f6927e7408031f7270166ea37cf7f557c68ec5efa | 0 | 0
CVE-2020-1350 DNS Remote Code Exploit [SIGRED] (via DNS) | SOC Prime Team | SOC Prime Threat Detection Marketplace | 5cf068578d60f0e62a85062e3f528e2e675df78e1d1b2324b93218b97404a4bd | 0 | 0
CVE-2020-1350 DNS Remote Code Exploit [SIGRED] (via cmdline) | SOC Prime Team | SOC Prime Threat Detection Marketplace | 241626240096e85dd40e071e886b505b28444c8f3af6df03ef5c13b9d9776cda | 0 | 0
CVE-2020-1350 DNS Remote Code Exploit [SIGRED] (via cmdline) | SOC Prime Team | SOC Prime Threat Detection Marketplace | bd554d600bee5054372f731217934ed318c54147855183a261c54405ef43c54a | 0 | 0
CVE-2020-5902 F5 BIG-IP Exploitation Attempt | Florian Roth | Sigma Integrated Rule Set (GitHub) | 28e45cf616425b3c243efdcab379f55c65b9c0717203ffc48f3c3f124c310ff5 | 0 | 0
CVE-2021-1675 Print Spooler Exploitation | Florian Roth | Sigma Integrated Rule Set (GitHub) | d7d444c9a70f46cddde00a1fd7df0120fbe71489ab597d307121ebaa8d8fabf6 | 0 | 0
CVE-2021-1675 Print Spooler Exploitation IPC Access | INIT_6 | Sigma Integrated Rule Set (GitHub) | f011655155a4809262d5b5b289c20c070c7a7dec29d95846c91f3e39396d8bcc | 0 | 0
CVE-2021-21972 VSphere Exploitation | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 2215493140650ea52f95acdf1c79355498c6a798bd8ab94a6943d450e765fd0c | 0 | 0
CVE-2021-21978 Exploitation Attempt | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 82d6ddf5b00dd27b2c72d0ff170f126fdfad3155a287a936bd9d6075a8f8d944 | 0 | 0
CVE-2021-3156 Exploitation Attempt | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 236292ff7ca8a69ab14291cb8d62c04d3b02986279a40bf5a30c9345804f78bc | 0 | 0
CVE-2021-3156 Exploitation Attempt | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 5d4f849169f7cbe8f891d2622b175e4a42e41f434ea0540e841504b3b7de6e41 | 0 | 0
CVE-2021-3156 Exploitation Attempt | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 908809e40074898d7b460586768c977b2a700582c38d0355eb3f7e823d8d2c59 | 0 | 0
CVE-2021-3156 Exploitation Attempt | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | ab3709539b01cbfabb623bf86f278fcfc6c5bb5e735e7b13392f184bd6bfbfc6 | 0 | 0
CVE-2021-3156 Exploitation Attempt | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | daa2b8c9a016f7a9553030afbe735cc198ea85e381594ee1f438d0c54496b152 | 0 | 0
CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum | Sittikorn S | Sigma Integrated Rule Set (GitHub) | 3fc8cf89558a3ec50308aea72b7745ae0f219f9882cda378f1cbf0487a7a3e32 | 0 | 0
CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum | Sittikorn S | Sigma Integrated Rule Set (GitHub) | 70390bef07d59937cec0216e008ce815799b4c22a5e260a684ed6bfac4fdcd1c | 0 | 0
CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum | Sittikorn S | Sigma Integrated Rule Set (GitHub) | 9c20b726dcc3e2be564bb8c45c1c3372d7051d5cf3ff87aa65115c110cb62f4b | 0 | 0
CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum | Sittikorn S | Sigma Integrated Rule Set (GitHub) | a5aa00b412cd8e83e52f741ce80dafabe03f640d00ccf9f43a9c610344a8627c | 0 | 0
CVE-2021-33766 Exchange ProxyToken Exploitation | Florian Roth, Max Altgelt, Christian Burkard | Sigma Integrated Rule Set (GitHub) | 8f5525eb13728c689fc0e016fae75537d736213235bcab835284983e3ec2e37a | 0 | 0
CVE-2021-40444 Process Pattern | @neonprimetime, Florian Roth | Sigma Integrated Rule Set (GitHub) | f438a85d4d0729d23171fa1823ccdb8541fc46f2e71ea2827ad42bc7f373a360 | 0 | 0
CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit | Sittikorn S, Nuttakorn Tungpoonsup | Sigma Integrated Rule Set (GitHub) | 0c9b01c970160550c39d032237474fe010d45a8b283b53084a214bb65abf5fae | 0 | 0
CVE-2021-41773 Exploitation Attempt | daffainfo, Florian Roth | Sigma Integrated Rule Set (GitHub) | 785c77adf74a5ac52d0c7c196fb79ad631311bdc96913b8d2e2b6f6486c36578 | 0 | 0
Capture Credentials with Rpcping.exe | Julia Fomina, oscd.community | Sigma Integrated Rule Set (GitHub) | 15be2ea21971f32bb037bc7f681259a4f9e1989cf78ab9a1dd5f8efe68cfcdbb | 0 | 0
Cerber Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 064b8f335c5dad53244cfd14a7c51a8fd536dc8c86741bd6699e06ffdc7563a1 | 0 | 0
Certificate Request Export to Exchange Webserver | Max Altgelt | Sigma Integrated Rule Set (GitHub) | 9ec2157972ed064f3fd9dc25d8dd71195ab84c7747a3c17923cb09230442d76b | 0 | 0
Chafer Activity | Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 173b1203b0d58ac13e3b93542a1017cf3769eb4ba1be56bb4bc926e53578dc74 | 0 | 0
Chafer Activity | Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 1d13c62f756a81c5138fc3c57236cc1ec96910a5b90687e628170734dae53640 | 0 | 0
Chafer Activity | Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 1f40062e963356a7f04535a0f3fb4eec269440ca226f367f7b8bab940022cac4 | 0 | 0
Chafer Activity | Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 353ed25aa9f2dfe8e0a56f2a3321d579ce4e7e8d20563769e0f02ff01ac06c3a | 0 | 0
Chafer Activity | Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 4207cea59e80ca7ec1b55f3bd2cfae0e47398daf8485c73feabf38a1484ac532 | 0 | 0
Chafer Activity | Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 481b18e9f3ae67f2f52eafd5f02566e687c982a62597a8333ec6c4eb21f97fc8 | 0 | 0
Chafer Activity | Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 5a93f630933a2040c4795df341b70fd08f3b7f1730c331cb6e025d13fe3d7d30 | 0 | 0
Chafer Activity | Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 6d4dbcdef02bddd827d8a0739ad5f31dc3844674ae32cf4be9de19c3e4202940 | 0 | 0
Chafer Activity | Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | b1eb7ac5e07136335fc21860603d89c40eb6488824477f00827b6749b15c1217 | 0 | 0
Chafer Activity | Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | fed33455c8438e9a672de5f0fc2f48651ff0449b0427f5747e2b98db25e3088f | 0 | 0
Chafer Malware URL Pattern | Florian Roth | Sigma Integrated Rule Set (GitHub) | cadeba64d91814a5bec0863ecd58722639024a5eb3b5f8e1059bf7ac84765c9f | 0 | 0
Change Outlook Security Setting in Registry | frack113 | Sigma Integrated Rule Set (GitHub) | ad1841979098a6b76c24ea780263b9da230373dc9a0d48d841538ec02cecb447 | 0 | 0
Change PowerShell Policies to a Unsecure Level | frack113 | Sigma Integrated Rule Set (GitHub) | 5572c8188426269a10ccb41fc8e9c8445391ac38a0917621b0a1ee05ec99aac9 | 0 | 0
Change to Authentication Method | AlertIQ | Sigma Integrated Rule Set (GitHub) | b48b8735d4b0c36f6b4415f9561a541fe792f70783e40570d3558a3bdb50c550 | 0 | 0
Check privilege of CMD via whoami | Joe Security | Joe Security Rule Set (GitHub) | 07a05a43e0384cce9c41d6cb6ed256ebce6aea8c6455db044d755ece6063babe | 0 | 0
Chthonic Banking Trojan | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 5915609df8f0f33be9c7c82797ba777d92dff34c96c4483d76ea06e3a514454e | 0 | 0
Chthonic Banking Trojan | Ariel Millahuel | SOC Prime Threat Detection Marketplace | bb3d22a048ab0177787e51d23515065a6af77e3dad57b621b06f01af9fa36675 | 0 | 0
Cisco ASA FTD Exploit CVE-2020-3452 | Florian Roth | Sigma Integrated Rule Set (GitHub) | 58180314ba9a1b6fc6135d8a5452d7ec429cce39bb8a0ee05e19b8cf2240315e | 0 | 0
Cisco Clear Logs | Austin Clark | Sigma Integrated Rule Set (GitHub) | f2d0601cc4bc2b37896ef81bb36379f95f6d6da0f54e5d298d76af6e9e34dfc6 | 0 | 0
Cisco Collect Data | Austin Clark | Sigma Integrated Rule Set (GitHub) | 2c692110983c838f0baff38e18c9350ae3def6ff7afca5af55221519eed38387 | 0 | 0
Cisco Crypto Commands | Austin Clark | Sigma Integrated Rule Set (GitHub) | c3f4d338f538ec307b874891bf2dbd5f3ab916918bdca04a2ed53da9cb5ba3d5 | 0 | 0
Cisco Denial of Service | Austin Clark | Sigma Integrated Rule Set (GitHub) | c9b1080d16e9e0175fdcbb202f1842cefd864c57eaa6a64ff1c1b4d6a5e71ae4 | 0 | 0
Cisco Disabling Logging | Austin Clark | Sigma Integrated Rule Set (GitHub) | caab8d24d82768943d8a9bc5bc8ec1de7d099ef18de8846a7a84c7a0c123ae9e | 0 | 0
Cisco Discovery | Austin Clark | Sigma Integrated Rule Set (GitHub) | 922dd1761e6de8935b8deddf2c702455c9687e7ce9135ddc502be597a434ebf1 | 0 | 0
Cisco File Deletion | Austin Clark | Sigma Integrated Rule Set (GitHub) | a81d06d9e233156764ebf91e560a8a01fdf1b044beeaaa400b065b5be267cbb0 | 0 | 0
Cisco Local Accounts | Austin Clark | Sigma Integrated Rule Set (GitHub) | 066ace76e41c5e84ccb56804255ccf2d9c27332fc287e77151b9a6bd70f1d723 | 0 | 0
Cisco Modify Configuration | Austin Clark | Sigma Integrated Rule Set (GitHub) | e1d658a7e96d34fae9c9489f15cc7e66d2d932e0902ae1d9b63e49f69008a557 | 0 | 0
Cisco Show Commands Input | Austin Clark | Sigma Integrated Rule Set (GitHub) | 52e2f120bc6f6a2fdea0d88c7334e68be41c50e02ac50ad9447e3b97ccc8e8c8 | 0 | 0
Cisco Sniffing | Austin Clark | Sigma Integrated Rule Set (GitHub) | 8acea30044d76f3304a28112da3f66be2f2b9d450a7cdd1784f9c45ad56191de | 0 | 0
Cisco Stage Data | Austin Clark | Sigma Integrated Rule Set (GitHub) | 3ba27fda76b2e27f70c6f07a668f4d28b5903a7813afffa184749aeb9b961725 | 0 | 0
Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195 | Florian Roth | Sigma Integrated Rule Set (GitHub) | afd8157e130ac5b1e85a83666d958d63adfa7ab570ebfbdcabdc1b7034b9f9c1 | 0 | 0
Citrix Netscaler Attack CVE-2019-19781 | Arnim Rupp, Florian Roth | Sigma Integrated Rule Set (GitHub) | 98e0f69c0d080f1ab9346e1ebed9222049669b100a11bbaa8b110d9d96ad8828 | 0 | 0
Classes Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Sigma Integrated Rule Set (GitHub) | acb1ec4240103205f334c8fe26431568a458950f7b86b59652440e1de4dc0449 | 0 | 0
CleanWipe Usage | Nasreddine Bencherchali @nas_bench | Sigma Integrated Rule Set (GitHub) | ede87d3abc8a99be3ca19ab4102e923f13e3f7b181cde6eddea9e6f1593b1e77 | 0 | 0
Clear Command History | Patrick Bareiss | Sigma Integrated Rule Set (GitHub) | c5903ffafd80f3200d3223dd44f4e4200331a8bfef040c23fc1812186018c6b9 | 0 | 0
Clear Linux Logs | Ömer Günal, oscd.community | Sigma Integrated Rule Set (GitHub) | 4a4b8d80ea9937a6728e92b1079891255ed26e302f37e290db84bbaffc71c386 | 0 | 0
Clear PowerShell History | Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 2169a242b9139d712fde6f31781a606f5f50af9d5dd7474d415ae08a0cf96fb7 | 0 | 0
Clear PowerShell History | Ilyas Ochkov, oscd.community | Sigma Integrated Rule Set (GitHub) | Sigma Integrated Rule Set (GitHub)-dfba4ce1-e0ea-495f-986e-97140f31af2d | 0 | 0
Clearing Windows Console History | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 30041403950554ea68cae8436931add62874ca499364d423bd04a8ccb124d999 | 0 | 0
Cleartext Protocol Usage | Alexandr Yampolskyi, SOC Prime | Sigma Integrated Rule Set (GitHub) | 1f1ab8a0a3fe05dc5f6db77a733d09949a236725db888a8fc8999542edaa9d84 | 0 | 0
Cleartext Protocol Usage | Alexandr Yampolskyi, SOC Prime | Sigma Integrated Rule Set (GitHub) | 4ffd878e89c72b4ceec82aae1b81d7e86116017e259d0f026184c047ac87f080 | 0 | 0
Cleartext Protocol Usage | Alexandr Yampolskyi, SOC Prime | Sigma Integrated Rule Set (GitHub) | 550069c609adf898c0cd2425bccf7458002df9eda036de658988e3fc1c99025d | 0 | 0
Cleartext Protocol Usage | Alexandr Yampolskyi, SOC Prime | Sigma Integrated Rule Set (GitHub) | 5a34aa084745df161fe9743db142a1c40cb5ee3886200a67d6ad228a51483a8a | 0 | 0
Cleartext Protocol Usage | Alexandr Yampolskyi, SOC Prime | Sigma Integrated Rule Set (GitHub) | d2de6c91a552659c64031d52630045d58a65e9b7f816c23dffb75c531fe65479 | 0 | 0
Clipboard Collection of Image Data with Xclip Tool | Pawel Mazur | Sigma Integrated Rule Set (GitHub) | bba5d6f743a4d29df17318bea6702db4ec9ccad741bcfd230545482d2f75c48b | 0 | 0
Clipboard Collection with Xclip Tool | Pawel Mazur, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC | Sigma Integrated Rule Set (GitHub) | 05e02a479959ef4e06411f4b132dbfbf2eff4ab9239d4732bc6b92c1762decc4 | 0 | 0
Clipboard Collection with Xclip Tool | Pawel Mazur | Sigma Integrated Rule Set (GitHub) | 5750f0c9e7a5b3d955a1de73bac6ad176f1d221bbe3b3a3c29db1eba3f280619 | 0 | 0
Cobalt Strike DNS Beaconing | Florian Roth | Sigma Integrated Rule Set (GitHub) | ae9cf008e7075ab1e5658ff0f1449d564314bf06bb13fc381dda84df5e63e523 | 0 | 0
CobaltStrike BOF Injection Pattern | Christian Burkard | Sigma Integrated Rule Set (GitHub) | e1f2db3ffec989759e5467440cde906de0dd4aa563b137379e91daed32103267 | 0 | 0
CobaltStrike Malformed UAs in Malleable Profiles | Florian Roth | Sigma Integrated Rule Set (GitHub) | e4c423de550bfad9e2962081acef2175c6383ee5809f156deedc218690445bcc | 0 | 0
CobaltStrike Malleable (OCSP) Profile | Markus Neis | Sigma Integrated Rule Set (GitHub) | acdef10f5ebf1c2a007b873f8340f11064f333ffafafbe6d5458758dfafd1a60 | 0 | 0
CobaltStrike Malleable Amazon Browsing Traffic Profile | Markus Neis | Sigma Integrated Rule Set (GitHub) | 4c8dcd1969f5864da6d00d316324cc9c07906eb46dcd52cb5ef77dec09e5f886 | 0 | 0
CobaltStrike Malleable OneDrive Browsing Traffic Profile | Markus Neis | Sigma Integrated Rule Set (GitHub) | e3debddaebc6a6805b6ecd204901a61dc7771baba667b06ae7259af94cbd15da | 0 | 0
CobaltStrike Named Pipe | Florian Roth, Wojciech Lesicki | Sigma Integrated Rule Set (GitHub) | acc7e9be68d0e1ad85dc9aafc935bc08834e6cc9a7cc48742991e53d197a46af | 0 | 0
CobaltStrike Named Pipe Pattern Regex | Florian Roth | Sigma Integrated Rule Set (GitHub) | 337224175c49faeb48d475b30549b027ea2f3c467baf9b22a069f35aebe5bd66 | 0 | 0
CobaltStrike Named Pipe Patterns | Florian Roth, Christian Burkard | Sigma Integrated Rule Set (GitHub) | 905fc9490af8169f526089d670a3608b44417c93f5ab5a80be4f4e507ea02668 | 0 | 0
CobaltStrike Process Injection | Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community | Sigma Integrated Rule Set (GitHub) | a95251178853987552aca691c7ec1d2e31c91213e0e11f80fd3e7789a1234894 | 0 | 0
CobaltStrike Service Installations | Florian Roth, Wojciech Lesicki | Sigma Integrated Rule Set (GitHub) | 07ed77ae45c45cd6dbde58702a9401f505bb4cd22daf19d09993a5c55b05ec21 | 0 | 0
CobaltStrike Service Installations | Florian Roth, Wojciech Lesicki | Sigma Integrated Rule Set (GitHub) | 1528f16fe86df1015680377eab269f8383ca863cc09a040605bbd624ab36512e | 0 | 0
CobaltStrike Service Installations | Florian Roth, Wojciech Lesicki | Sigma Integrated Rule Set (GitHub) | 52fb124d4388460bedaa284c35492d9da80a1d697d6610dcdcfa5dc688ad118b | 0 | 0
CobaltStrike Service Installations | Florian Roth, Wojciech Lesicki | Sigma Integrated Rule Set (GitHub) | bd6e98a1ffa061e8610929a967d533a5f85adf437c7f2694f4b79edcf04c254f | 0 | 0
Code Executed Via Office Add-in XLL File | frack113 | Sigma Integrated Rule Set (GitHub) | 166571671ff0b50e7d6b641f7490790a2762897cb0cbbe9e2d489edb3d71010e | 0 | 0
Code Injection by ld.so Preload | Christian Burkard | Sigma Integrated Rule Set (GitHub) | ef655b20c81f4dddb081e2c7fe6c60ee0ea86d7e37cdf55fe02cd0c8586de4d1 | 0 | 0
Commands to Clear or Remove the Syslog | Max Altgelt, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC | Sigma Integrated Rule Set (GitHub) | 82fe97976c538cbc804bd324c0c8e95c4df77ed62a637f5e1d33dd2d9c9b416d | 0 | 0
Commands to Clear or Remove the Syslog | Max Altgelt | Sigma Integrated Rule Set (GitHub) | 9a49b4476704bd301f2c0b13c87316f7e92aef899ef21b8e3f6db3c943390df6 | 0 | 0
Common Port with Unusual Service | SOC Prime Team | SOC Prime Threat Detection Marketplace | 448567e1372cc2d57c61ba1258607614de4959656f08b0c769cc4a2d4b6adf6b | 0 | 0
Communication To Mega.nz | Florian Roth | Sigma Integrated Rule Set (GitHub) | f13e798225ef1d32c44d8511ab7c95a58e93d46b8c833bfb47f55eb5d9bb69e2 | 0 | 0
Compress Data and Lock With Password for Exfiltration With WINZIP | frack113 | Sigma Integrated Rule Set (GitHub) | b6ab11c7f95ec7eeb0c511d3c26533628fe403bbf4d5d8e13ba54958aa6899da | 0 | 0
Confluence Exploitation CVE-2019-3398 | Florian Roth | Sigma Integrated Rule Set (GitHub) | 51b242528b12df33e19aef0d9c491da0899ee0c15706bd24fa1d8bbfdd0c0e20 | 0 | 0
Connection Proxy | Ömer Günal | Sigma Integrated Rule Set (GitHub) | 70f387e708b9ab503041091a0b074a7d2aa84dea74f61b398fa6fc3f154dacaf | 0 | 0
Container Image was Uploaded via Unusual Client. | Brandon Hart | SOC Prime Threat Detection Marketplace | 0b491699d6ca77a7ec742e9676c80395862b7093ff6ffbfb2aa1d4d22e32f84e | 0 | 0
Conti Backup Database | frack113 | Sigma Integrated Rule Set (GitHub) | a8204898cf8fc5736e342a77657426a9af40b6b573152d2d6e852a3112dead6d | 0 | 0
Conti Ransomware Execution | frack113 | Sigma Integrated Rule Set (GitHub) | c41fdd8a72030a4b0b96e025a1f36e7970262ad1e17a4ad2a29f643cb2033927 | 0 | 0
Conti Volume Shadow Listing | Max Altgelt, Tobias Michalski | Sigma Integrated Rule Set (GitHub) | 08ef6e8b498eef96cef9154fc59c951d935c3fc9b707146c4eca4567eaa5db9f | 0 | 0
Conti Volume Shadow Listing | Max Altgelt, Tobias Michalski | Sigma Integrated Rule Set (GitHub) | 0b3dd39a21682b0ad57453e8c2da509ea751696a9ed99cae7fb6658a7c77adde | 0 | 0
Conti Volume Shadow Listing | Max Altgelt, Tobias Michalski | Sigma Integrated Rule Set (GitHub) | 2904a54d46badb30ae1eda5e935bcbcc71f8a08303a31fb68bf9e1fb8f0f0858 | 0 | 0
Conti Volume Shadow Listing | Max Altgelt, Tobias Michalski | Sigma Integrated Rule Set (GitHub) | afa46c9c99b3c76a0450a8c7dface8fa7a53dda1c62644f81fd73ced0a0d096f | 0 | 0
Copperhedge Malware (Hidden Cobra) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | aa72a19331c2c067f40e6e48ff853baac0a3d4a25566bc66809995fc42cf7cd8 | 0 | 0
Correct Execution of Nltest.exe | Arun Chauhan | Sigma Integrated Rule Set (GitHub) | f2418d4c95e6ea8c75c68ad4358af3fc47e78b7630289f9d13fe04dc688a039b | 0 | 0
CrackMapExec Command Execution | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 4adf455dcb8e143b4df56b115b6a64714aa6d18f105e8e3d9859c02f686e393b | 0 | 0
CreateDump Process Dump | Florian Roth | Sigma Integrated Rule Set (GitHub) | 687da476fe7fa5f062fed8f4a4daf9774c0ac4734d817bf428d2c8de23a0b15f | 0 | 0
CreateMiniDump Hacktool | Florian Roth | Sigma Integrated Rule Set (GitHub) | 9ba3182e2ff92ecee64624cd2f1f24935f5ebeb42a5e6530cad6ea428e2941ea | 0 | 0
CreateMiniDump Hacktool | Florian Roth | Sigma Integrated Rule Set (GitHub) | db9bea11b648e60a727a16af04702fe0746657460d47aa50814a4f7999f58cb6 | 0 | 0
Creation Exe for Service with Unquoted Path | frack113 | Sigma Integrated Rule Set (GitHub) | 3b925709ef1196fbdf20c495c5a7972944bd56a4ab342009ef41e3f3273c15af | 0 | 0
Creation Of A Local User Account | Alejandro Ortuno, oscd.community | Sigma Integrated Rule Set (GitHub) | de6224d573389a0f865f0a33bd9bc3784cd12bf697150f8f8e0a9708a4e00199 | 0 | 0
Creation Of An User Account | Marie Euler | Sigma Integrated Rule Set (GitHub) | f796279cc60013c4736e3ef7e5a140375fba8a3d78694c9d524620326ae8efcf | 0 | 0
Creation of a Local Hidden User Account by Registry | Christian Burkard | Sigma Integrated Rule Set (GitHub) | 958ac16256f17b20c00b2a83f4bbad49236266d2b84e59eb2d3c29989efc96b0 | 0 | 0
Cred Dump-Tools Named Pipes | Teymur Kheirkhabarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 9eed77c2ef05fafded05e61ec71d8bdd695696543061ef8b84fca37d1606484e | 0 | 0
Credential Dumping Tools Service Execution | Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 1243009f29fe311d9199398e8babee9294e8f9e57205fe6ebec6696ab0eec9e0 | 0 | 0
Credential Dumping Tools Service Execution | Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 25727cb75bc931bc91e433f5340be32ccedd13bf460a2fd8da5b1a8d8b4a369b | 0 | 0
Credential Dumping Tools Service Execution | Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 433b594a58a12c33431c033f7e53c41d5f635df8cee206163112bfffde169958 | 0 | 0
Credential Dumping Tools Service Execution | Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 9a7af0218101ae1b67047098f1cf187e06c88982ba45ad3ef1c685c27788b02d | 0 | 0
Credential Dumping Tools Service Execution | Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | ad25ab512a3789c7da7d55a7b60c4d528db1206a0a4d26f3f44d945cc456cc2d | 0 | 0
Credential Dumping Tools Service Execution | Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | cda32da0a87ef0f9603fc5592471efd0b39082003d4bc39f06871a5dd4336130 | 0 | 0
Credential Dumping by LaZagne | Bhabesh Raj, Jonhnathan Ribeiro | Sigma Integrated Rule Set (GitHub) | 8cca9e462f882fe58e9f320bb7380d7edbaaaab831521d9f739cca42cf64db37 | 0 | 0
Credential Dumping by Pypykatz | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | e7a973176dcaaa7050f1a216ca0d3075bfc12fecf2db13696af32148bd07d6bf | 0 | 0
Credentials Dumping Tools Accessing LSASS Memory | Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community (update) | Sigma Integrated Rule Set (GitHub) | a293708df42b2beba9f1a26e123fed278dfc67f5946ce8c995b2800c58d69e2f | 0 | 0
Credentials In Files | Igor Fits, oscd.community | Sigma Integrated Rule Set (GitHub) | 26d8c61d691959676fb6d8b0217d408f4dde823800f79771a458011d3577ffbb | 0 | 0
Credentials In Files | Igor Fits, Mikhail Larin, oscd.community | Sigma Integrated Rule Set (GitHub) | bb9fce766014ab2fb22106410384571f0217fa35e9914bdc3dd86452d8d4ed64 | 0 | 0
Credentials from Password Stores - Keychain | Tim Ismilyaev, oscd.community, Florian Roth | Sigma Integrated Rule Set (GitHub) | 0a2ce7410c4271e6c41926b4fe0f5903a05d4a02cd8dcd4a273e86065b3f46b6 | 0 | 0
Cron Files | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC | Sigma Integrated Rule Set (GitHub) | f74e8628441aa3b7bcbf82dd77cc025925e34078d02d169dd947db62675dbeaa | 0 | 0
Cryptbot Stealer | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 06c9cbff1ed607186f04da92f2cf1648e2db7108306751e56b1e9f5123d11b60 | 0 | 0
Cryptbot Stealer | Ariel Millahuel | SOC Prime Threat Detection Marketplace | b2707a69365d76d4836147eeaf9407e838f5322fcbd5f89cf86c86f1ba4239d5 | 0 | 0
Crypto Miner User Agent | Florian Roth | Sigma Integrated Rule Set (GitHub) | ff0cfc194b0f8edd392e317c8a3d0e012351873096248a33ca36c2b71f5ab3a1 | 0 | 0
Cybergate RAT | Ariel Millahuel | SOC Prime Threat Detection Marketplace | e806ec700e831384b0d77c8508e1614d850eb5c7ccb89a9b745d0871c0136e5d | 0 | 0
DCERPC SMB Spoolss Named Pipe | OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 9aca3bd938d644fb20cf3d83a10353ff1440153ab17579e69ed2ee17848c5d93 | 0 | 0
DCRat Malware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 35dd39a15009dacc7bdd973a9fb1484b964accb38bbcb7a63bc0b1bf73131df0 | 0 | 0
DCRat Malware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | d84b3a1cba66ed28c6c66d9a5dd807e984d42ba3b1e61ae45717b77695109095 | 0 | 0
DD File Overwrite | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC | Sigma Integrated Rule Set (GitHub) | ae140eaae48e1659eb9013e9c7758cc3ebb59100fc5bce9ede4e8a0ca0fb76b7 | 0 | 0
DEWMODE Webshell Access | Florian Roth | Sigma Integrated Rule Set (GitHub) | 9e465f124d03f3f4a5d575cc4d87bde86fda1fa3092da13a47c07f473c865bbc | 0 | 0
DHCP Callout DLL Installation | Dimitrios Slamaris | Sigma Integrated Rule Set (GitHub) | 08a22f080dbceb91fd6109159e695139744d9c12f6d94b12c35474b710aeb4ae | 0 | 0
DHCP Server Error Failed Loading the CallOut DLL | Dimitrios Slamaris, @atc_project (fix) | Sigma Integrated Rule Set (GitHub) | 11670a8f337ded0b6b72a5c41df4831c1b1da694f85e044e4afe1839d5dbc82d | 0 | 0
DHCP Server Loaded the CallOut DLL | Dimitrios Slamaris | Sigma Integrated Rule Set (GitHub) | 4928e3042535af018624a20ce17e807b66cf935200331da04e2db35a1b6cb695 | 0 | 0
DIT Snapshot Viewer Use | Furkan Caliskan (@caliskanfurkan_) | Sigma Integrated Rule Set (GitHub) | 203a47b7ef9f6721efefc8005ca1492daf475a9b03afc70af3fde9780df06253 | 0 | 0
DLL Execution Via Register-cimprovider.exe | Ivan Dyachkov, Yulia Fomina, oscd.community | Sigma Integrated Rule Set (GitHub) | dd9b6910a5e264c2b56a7a735f0cfc2cab9c341775db4a260bbadf7815d05772 | 0 | 0
DLL Execution via Rasautou.exe | Julia Fomina, oscd.community | Sigma Integrated Rule Set (GitHub) | 18ed0db67fcc790c2b7e9ff5c111ae3691af0b9f2d52618d41d7f956ce8aa598 | 0 | 0
DLL Injection with Tracker.exe | Avneet Singh @v3t0_, oscd.community | Sigma Integrated Rule Set (GitHub) | b829a2f1ed89d5380f218ac5f6e134b4301319062cf792789557f30f6f903d24 | 0 | 0
DLL Load via LSASS | Florian Roth | Sigma Integrated Rule Set (GitHub) | 4dbf0d3da4d07dd172361786684269e5741eb3602ce1bf2c2c287041e8abe017 | 0 | 0
DNS Cache Enumeration(via CIM/WMI) | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 11f3c97d5bb96ad59c7eb445ca4feeab94c4ea4fbc54c6a6ff11061bab8a11b3 | 0 | 0
DNS Events Related To Mining Pools | Saw Winn Naung, Azure-Sentinel, @neu5ron | Sigma Integrated Rule Set (GitHub) | ed013f86bfbbcd25b8e462391d437165af76f6ca7e0b33cde4fceb2ee58d3e57 | 0 | 0
DNS HybridConnectionManager Service Bus | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 3aadcde102c8a083c36e571f1926927d5bdeddec39fc0f3ca9c514988407c7fe | 0 | 0
DNS RCE CVE-2020-1350 | Florian Roth | Sigma Integrated Rule Set (GitHub) | c2b9377be93da37de7a04778f2a879e0e03b32b8aa2f1d0dd8b7c1ba72d7727b | 0 | 0
DNS Server Error Failed Loading the ServerLevelPluginDLL | Florian Roth | Sigma Integrated Rule Set (GitHub) | a560dac7223fded812b9599d8c99d99739563099829698349739e8edeb365cc8 | 0 | 0
DNS ServerLevelPluginDll Install | Florian Roth | Sigma Integrated Rule Set (GitHub) | 167ca4630ac31daedf547da8bb8695b2fbc83687b5dec49438c407766e74c574 | 0 | 0
DNS ServerLevelPluginDll Install | Florian Roth | Sigma Integrated Rule Set (GitHub) | 5935b25ff10421da2a478f9f484858a9599e6551a17272c7a4017c6e1a55df07 | 0 | 0
DNS ServerLevelPluginDll Install | Florian Roth | Sigma Integrated Rule Set (GitHub) | 8435be4251ebdf2b4f18ae9d65faca381dc2fad4574c29cff3a962e5c9237487 | 0 | 0
DNS ServerLevelPluginDll Install | Florian Roth | Sigma Integrated Rule Set (GitHub) | 8a0b41208edc45c1f006ab6da0f12b0b819a810a16ba4179e2ef632571eafa18 | 0 | 0
DNS ServerLevelPluginDll Install | Florian Roth | Sigma Integrated Rule Set (GitHub) | cfcbc45713ff3176a1284f986927a251f17c892931e87871325476256b26bb0c | 0 | 0
DNS TOR Proxies | Saw Winn Naung, Azure-Sentinel | Sigma Integrated Rule Set (GitHub) | 1b16378c68113f05c5cf4b51586d582401449553cf4775243b8ce459ef59ef99 | 0 | 0
DNS TXT Answer with Possible Execution Strings | Markus Neis | Sigma Integrated Rule Set (GitHub) | 8960985ab852fb33eb502577cd94683447f94e1a5299bfb607905f6a591cc78e | 0 | 0
DNS Tunnel Technique from MuddyWater | @caliskanfurkan_ | Sigma Integrated Rule Set (GitHub) | c2860e5a2a470c1dbb00003a43f3a9f04e5180cb5c7ec9e7a5bdcdfdd86a15a9 | 0 | 0
DNS-over-HTTPS Enabled by Registry | Austin Songer | Sigma Integrated Rule Set (GitHub) | 0426d73fef7393ca82c3fbe1bedafc6d698e787d2cd679e17ae93a3b446a487f | 0 | 0
DNSCat2 Powershell Implementation Detection Via Process Creation | Cian Heasley | Sigma Integrated Rule Set (GitHub) | b31e87788fbc1690d2371c0a80ebe27cf8c7a433c9a7f28b1a077ba534308772 | 0 | 0
DPAPI Domain Backup Key Extraction | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | d9a0bb3db2e444420bfe144e0ffc3f7e4dd9315a4792d088f6d79b706ac5fac0 | 0 | 0
DPAPI Domain Master Key Backup Attempt | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | 084c47f6ea9d2126ec7b6b95e20cdf54557800f1b8394ae472f95b6162be6db1 | 0 | 0
DTRACK Process Creation | Florian Roth | Sigma Integrated Rule Set (GitHub) | fbcabbd5b0fb4855de3b0bcf6bd58239facf0733ad46f2269ef540d344acb5bb | 0 | 0
Dacls RAT (Lazarus's Linux Malware) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 79cabd2716a91ac3ac201a106a3c135e584d110d8527ac138457a5b89fb2b2a6 | 0 | 0
DarkRAT Botnet | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 097182ab9d206700057ec3ab10e6684d34c9b3ff109901a14fb1dbd8da889d95 | 0 | 0
Data Compressed | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | fb2193574c75e35df0989335aac30e2e13f3b8163caf7eef46058ae407b19e98 | 0 | 0
Data Exfiltration to Unsanctioned Apps | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | bae0cfa813856773ccb7c9ac2654b2f064928c841cb1442d6dda554b4e346c98 | 0 | 0
Data Exfiltration with Wget | Pawel Mazur | Sigma Integrated Rule Set (GitHub) | 334aab46cbdf770ef0720448d240e1b67c2a759449b703fba9d425f1450d83f9 | 0 | 0
Decode Base64 Encoded Text | Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 0f307ac40cafbbdb1e262b899732195a25952ad5bb013ca8e6d280eefd45a141 | 0 | 0
Decode Base64 Encoded Text | Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 6101f5b902371808a5b407d66c189f259bec69ab6b4cf5b58a655af663843c71 | 0 | 0
Decode strings from lnk via findstr.exe | Joe Security | Joe Security Rule Set (GitHub) | 9d57b9ed7a852960b15a4d2a7fb4faa9174893a98953c9f09989faab11ed110d | 0 | 0
Default Cobalt Strike Certificate | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 19a7f2dd57b12f6048694290890081c7033fcf871e2c6ac4ddac91980374c15b | 0 | 0
Default Credentials Usage | Alexandr Yampolskyi, SOC Prime | Sigma Integrated Rule Set (GitHub) | 65501b5c31cfa5ab80e3a4512b833f9e4bb77ef303f17fc8839abf9c1b435969 | 0 | 0
Default Credentials Usage. | Alexandr Yampolskyi | SOC Prime Threat Detection Marketplace | 3ed924bf0f9ebfc7642bd2eb1a2b925d801ff58fd267c5066fe579c55051e5cc | 0 | 0
Default PowerSploit and Empire Schtasks Persistence | Markus Neis, @Karneades | Sigma Integrated Rule Set (GitHub) | 40b130caca0f58482d7bae973cb51c3d6c7a02a91a7f448a1c19eb96333f5a10 | 0 | 0
Defrag Deactivation | Florian Roth, Bartlomiej Czyz (@bczyz1) | Sigma Integrated Rule Set (GitHub) | 1ab376818e4cb7b7005cf46c5c118f9d09e2779f289cd7f37afc5fca8fc6e4f5 | 0 | 0
Defrag Deactivation | Florian Roth, Bartlomiej Czyz (@bczyz1) | Sigma Integrated Rule Set (GitHub) | 462e0455aac7979a208190934de4564c8d6f5759fa73ea355f31b871967ed1eb | 0 | 0
Defrag Deactivation | Florian Roth, Bartlomiej Czyz (@bczyz1) | Sigma Integrated Rule Set (GitHub) | 4a305b6df01e5870b2018b579218b7e7b94bcc24e0959629d5cd3812d771d39b | 0 | 0
Delete Volume Shadow Copies Via WMI With PowerShell | frack113 | Sigma Integrated Rule Set (GitHub) | 57a9202655d8133d3a5eb0a9d51c9f5dedb6b15cfc700005f6f0d686df4f2ba2 | 0 | 0
Delete Volume Shadow Copies via WMI with PowerShell | frack113 | Sigma Integrated Rule Set (GitHub) | 7435e1880cdd78f155ad539eaf8348f3ea0d6fa1183fac382443553cac2159be | 0 | 0
Deletes Backup Files | frack113 | Sigma Integrated Rule Set (GitHub) | f15234ba5cc4c709633e015e497cce2bab7cd6f91b488b8c04ecfd5651e68749 | 0 | 0
755295cd9d58dfbf7808166e
Denied Access To Sigma Integrated
Pushkarev Dmitry cd446d284fa160fe7f2e2b567 0 0
Remote Desktop Rule Set (GitHub)
3aeef6cc5cb0a44
Detect Sql 7940d1dd84f2a311d67ac511
Sigma Integrated
Injection By Saw Win Naung 006deeead549c05a4cadaca9 0 0
Rule Set (GitHub)
st

Keywords 908e1071a153106c
Detect XSS abfc554e6723d78308adb5dd
Sigma Integrated
Attempts By Saw Win Naung 0917e5604dac15611a986376 0 0
Rule Set (GitHub)
Keywords 33eae81fc3aff08f
In

Detected
45e686dc153cf8d6e5cf577bc
Windows Sigma Integrated
Nikita Nazarov, oscd.community 67b50dc6668c51412eddb7ae 0 0
Software Rule Set (GitHub)
de600f65fd5e9f0
Discovery
Detecting Fake 8dd172636988b9cdc1bf44aa
Sigma Integrated
Instances Of Sreeman ceb27f6009d97516c54decea 0 0
Rule Set (GitHub)
Hxtsr.exe 0812022b61cd8d7a
Detecting
SOC Prime Threat 9d639e1b707b6f24ae8b637d
Sysmon on a
Ariel Millahuel Detection f63d5ac02aac0933b062d347 0 0
Victim Host (via
Marketplace 7fa84d3194dc4e7b
powershell)
Detection of 45c3c61e20707c18533d763c
Sigma Integrated
Possible Rotten Teymur Kheirkhabarov 9e1c0a2f3abd229bd485f75c9 0 0
Rule Set (GitHub)
Potato 33da3e4ba156186

Detection of 5980c0048e6d0468659094b7
Sigma Integrated
PowerShell Markus Neis 3e0c348afcf2c52a7842e0308 0 0
Rule Set (GitHub)
Execution via DLL 9c1279a023c70c9
Detection of
541caef712c71465ca223d69
PowerShell Sigma Integrated
Agro (@agro_sev) oscd.community 670a2ef4826f41323f21f161b 0 0
Execution via Rule Set (GitHub)
c699c23ba201602
Sqlps.exe
5b2f81ece2c70e3e5e4dd770
Detection of Sigma Integrated
Markus Neis e0b9c755c90c099bf527d2b2 0 0
SafetyKatz Rule Set (GitHub)
57d43e1193585d13
Devtoolslaunche 336df26c319863147659e184
Beyu Denis, oscd.community (rule), Sigma Integrated
r.exe Executes f6387914d5b34b55eeb4dabe 0 0
@_felamos (idea) Rule Set (GitHub)
Specified Binary 819907f747016967
e01fcd88ad6ac5ad9762f652a
Direct Syscall of Sigma Integrated
Christian Burkard 28d6c714dc5ccf89b89c118b 0 0
NtOpenProcess Rule Set (GitHub)
dd3bb33e5cf8abd
Disable Exploit
Guard Network 8c426cb2a8a98a743f8e95cb
Sigma Integrated
Protection on Austin Songer @austinsonger 5717e867cc5d4d22fcc97255 0 0
Rule Set (GitHub)
Windows e10fac2d59176fac
Defender
Disable 09601976d693769f1fe442a0
Sigma Integrated
Important frack113 618410420380d7de7aeec4e5 0 0

.in
Rule Set (GitHub)
Scheduled Task 2c0ebe6e3ebebe56
Disable PUA
09a64c87ba1b11c75a19c495
Protection on Sigma Integrated
Austin Songer @austinsonger d100b0ef9fa95955560f0e1b4 0 0
Windows Rule Set (GitHub)
df f9f2842159caaef
Defender
Disable Security
6eaa9c84915e6b68d49ea0ea
Events Logging Sigma Integrated
Ilyas Ochkov, oscd.community 6b069124ad33f6d9666e8baf 0 0
Adding Reg Key Rule Set (GitHub)
43270a57ee9e1b2a
ap
MiniNt
d934cd2adbdfb7c12ed5f937
Disable Security Daniil Yugoslavskiy, Sigma Integrated
e36ed253d3f53495f0194507 0 0
Tools oscd.community Rule Set (GitHub)
c0ea80b55f983957
Disable Tamper
bf1de3b61466c6018ee71be3
st

Protection on Sigma Integrated


Austin Songer @austinsonger f901fb544ddb30709a256ce8 0 0
Windows Rule Set (GitHub)
8ddc19444b5a1ea1
Defender
8e9b40932ae787a51edc9fad
Disable Windows Sigma Integrated
In

frack113 bb2fd842437eea7b83804b00 0 0
IIS HTTP Logging Rule Set (GitHub)
90d7f069e2d0a5f2
Disable or Delete 780ed5be93f71a397b1b6c9d
Sigma Integrated
Windows Florian Roth 95912c0781c2ed9114eef8fc5 0 0
Rule Set (GitHub)
Eventlog aec854bf80b1f2c
dd832d1e805b850c68be7f12
Disabled IE Sigma Integrated
Florian Roth 0da6482e6126a8ee0860e335 0 0
Security Features Rule Set (GitHub)
5d54604a2040eee7
Disabled Users
Failing To a87dc529f00cccdafd3037358
Sigma Integrated
Authenticate Mauricio Velazco, frack113 d753f5b37bdbc5d5860e077d 0 0
Rule Set (GitHub)
From Source 8794985d3d93f5d
Using Kerberos
570e42eea810ffc81d8b3f1b5
Disabled Volume Sigma Integrated
Florian Roth d284c891c1ca4a897bc6a8d5 0 0
Snapshots Rule Set (GitHub)
307ba5ac4feebbe
17b8565aac7819789a47a069
Disabling Ömer Günal, Alejandro Ortuno, Sigma Integrated
aa7bbdb1c69f755edcfcb766c 0 0
Security Tools oscd.community Rule Set (GitHub)
10e1d973768a357
495b384015032ab9c529e649
Disabling Ömer Günal, Alejandro Ortuno, Sigma Integrated
f340c35394c72a7ace8daf0ae 0 0
Security Tools oscd.community Rule Set (GitHub)
cc9b3fe7bb5f54e
7657d165811c7f6d4f9ff55e9
Disabling Ömer Günal, Alejandro Ortuno, Sigma Integrated
ce81d8405e42f6157faed664f 0 0
Security Tools oscd.community Rule Set (GitHub)
28bbc8fe97e560
7c1caf17a217864cc13be5d73
Disabling Ömer Günal, Alejandro Ortuno, Sigma Integrated
20e631c61b949686fc630c72 0 0
Security Tools oscd.community Rule Set (GitHub)
b5d143d1b4cdbbb
df800176ac79cd510a92bccec
Disabling Ömer Günal, Alejandro Ortuno, Sigma Integrated
d1ec64124d8917bd009406ab 0 0
Security Tools oscd.community Rule Set (GitHub)
d5457f353896225
Discord client
SOC Prime Threat d513011ab49524e73ae98c85
stealer
Ariel Millahuel Detection b1f902158f55f0412551679d5 0 0
(AnarchyGrabber
Marketplace acbb03eee68c4a3
)
Django fad46f86c5fe8acee91d73cf59
Sigma Integrated
Framework Thomas Patzke 01cf64df547e2777230845acf 0 0
Rule Set (GitHub)
Exceptions e89b79cbf172a
0469df5507574c65082f6241

.in
Dllhost Internet Sigma Integrated
bartblaze 0c1cc9e493ba1daeff82396b3 0 0
Connection Rule Set (GitHub)
8a60516c6f4187c
Domain User
11a4140a5787cdd2ea81d81e
Enumeration Nate Guagenti (@neu5ron), Open Sigma Integrated
df 4e06755144d3c4abe02a886e 0 0
Network Recon Threat Research (OTR) Rule Set (GitHub)
c68eeb79c5273223
01
Domestic Kitten d75f4b248c10259b10111070
Sigma Integrated
FurBall Malware Florian Roth 00396926b1a9e5cd4b003150 0 0
Rule Set (GitHub)
ap
Pattern 0be48aee109855b5

SOC Prime Threat 431dbf8b11cf45bebac6646a5


Donotgroup APT Ariel Millahuel Detection fe3c450c306b29edaf2597767 0 0
Marketplace 5ee072495216f8
st

SOC Prime Threat b3a4cba903a56c4b1c614cbd


Donotgroup APT Ariel Millahuel Detection e0de39dbec54a5aa5c8c8990 0 0
Marketplace df7f654b4a4c05ab
In

Download EXE 0182cb90eb98bcbd6b9724bd


Sigma Integrated
from Suspicious Florian Roth f7aa6f62ee6e327b059e2425 0 0
Rule Set (GitHub)
TLD 7dfd8339db0d3579
Download from d24da8eb78bf79c4be60dc23
Sigma Integrated
Suspicious Florian Roth a68bd4ced6da6a3ad0eca8e8 0 0
Rule Set (GitHub)
Dyndns Hosts c2f4f43d08527e24
5ccaad9297f4a0eab603cadda
Download from Sigma Integrated
Florian Roth b274e285f600daadd324b7ff0 0 0
Suspicious TLD Rule Set (GitHub)
b1664d5fa19675

SOC Prime Threat 76c36e8978ca88131a604877


DragonFly
Ariel Millahuel Detection 350f6d74659dd6354870487d 0 0
variant (Goodor)
Marketplace 271706837731f68c

SOC Prime Threat f9376b94f03fe9d6f1fa80fe12


DragonFly
Ariel Millahuel Detection 4bddee8d9d51ee56b3e761e 0 0
variant (Goodor)
Marketplace 3b550f5717ea1e8
Dropping Of ee1da0ec4e59bf6a30e8d78ef
Sigma Integrated
Password Filter Sreeman cf41afcbe4babcee998f991aa 0 0
Rule Set (GitHub)
DLL 62701b5fdb80df

Drovorub SOC Prime Threat 00861734ad4b4865c4fd337b


Malware Ariel Millahuel Detection 091aace8388feda059f681fa1 0 0
Detection Marketplace a0d0a6659b55d31
Dump
Credentials from
5058b79d96d2165425d539e
Windows Sigma Integrated
frack113 148ae3fe578dfa62b75b71f82 0 0
Credential Rule Set (GitHub)
ca2bd6bc347be4d5
Manager With
PowerShell
DumpStack.log 9aa94cce0b20ff88d8c54a77c
Sigma Integrated
Defender Florian Roth 049e7d80f00af8ed4def6aa73 0 0
Rule Set (GitHub)
Evasion 95dc01692b5394
4182b10f293111ccccca770ad
Dumpert Process Sigma Integrated
Florian Roth a467f9a23c6679818008b743 0 0
Dumper Rule Set (GitHub)
6e1842cac95a691
4f4552b72d1fdf1daa9803088

.in
Dumpert Process Sigma Integrated
Florian Roth eabda70a1a8259d5eae424fc 0 0
Dumper Rule Set (GitHub)
bf3b7edae985b63
9f11ecfc5795bbd9676baf8be
Dumpert Process Sigma Integrated
Florian Roth 43d9bd9f6da30f13022e7d97 0 0
Dumper Rule Set (GitHub)
df b279730326db7ad
Dumping
Lsass.exe c2b930e9318dce446b4b4ed0
Perez Diego (@darkquassar), Sigma Integrated
Memory with 18e6ade935182bf7ca1404ae 0 0
oscd.community Rule Set (GitHub)
ap
MiniDumpWrite 47923673beafee95
Dump API
Dumping Process b8953b2fd9eedf5150cb430e
Sigma Integrated
via Kirill Kiryanov, oscd.community c88f3653045e82c553904a73f 0 0
Rule Set (GitHub)
Sqldumper.exe 87423600b427bee
st

Dumps Process SOC Prime Threat 1b2196c83bd73a6164882d3


Using Den Iuzvyk Detection b22f19d200742a1d5541207b 0 0
tttracer.exe Marketplace 0e4b8684476e12ce2
In

SOC Prime Threat 68250cc49ef2301bbd3bc510


Dupzom Trojan Ariel Millahuel Detection 4579a2f065206211acccf6978 0 0
Marketplace a71097bddd98d6d

SOC Prime Threat b68ad5ecfba8b9b44e110368


Dupzom Trojan Ariel Millahuel Detection c029c99324cfa21b47820974 0 0
Marketplace 6fa0fcc441e51659
EDR WMI
Command 283d42c1fadd5e7b1d94efc7
Vadim Khrykov (ThreatIntel), Sigma Integrated
Execution by 08531703992e171a52b45eef 0 0
Cyb3rEng (Rule) Rule Set (GitHub)
Office e6e2eba61827fcdc
Applications
EKANS/SNAKE
SOC Prime Threat 164ef4a9c3213fa19bce8c0de
Ransomware
Ariel Millahuel Detection f1c7e491e774e8b12b55aaf5 0 0
(Sysmon
Marketplace 5c5cc2732b4386f
detection)
EQNEDT32.EXE 3b421cd3a4401c0dfc3d2c56
Joe Security Rule
connecting to Joe Security 13d705669e2bdcf8d998c4e3 0 0
Set (GitHub)
internet 63d2e1e5cbd328d4
Edit of cebaa2668c1b09efe1fcc6d46
Sigma Integrated
.bash_profile and Peter Matkovski 8abfb9aa15dbba4c6e04246b 0 0
Rule Set (GitHub)
.bashrc a9e9f0bf407dc65
33bbc287fcdff32099d907d12
EfsPotato Named Sigma Integrated
Florian Roth 2b96db06214e7ef12bdbe38c 0 0
Pipe Rule Set (GitHub)
c574df4fbcd94ff
7f1a0bd0e13fc71835ebb28c9
Sigma Integrated
Elise Backdoor Florian Roth bcd3329c320fbb38c22a6521 0 0
Rule Set (GitHub)
ad2ec7afec74c71
23618eea142f67106fec1f2e4
Sigma Integrated
Empire Monkey Markus Neis 9084b25abad9af9614fd101fa 0 0
Rule Set (GitHub)
e65a465fce36f6
5e739870e4f0680d4f5cb3caa
Sigma Integrated
Empire Monkey Markus Neis 8012e5362e20450756aaed3d 0 0
Rule Set (GitHub)
6d5c2156e412a1c
Empire 82469a7e6790faf9f415ad43c
Sigma Integrated
PowerShell UAC Ecco df63ae3c4665bc5c9336e489f 0 0

.in
Rule Set (GitHub)
Bypass 310de170797ea9
Empire 2f9a27d9a32a1db53d0ad914
Sigma Integrated
UserAgent URI Florian Roth de9cc96ab6822811498c2464 0 0
Rule Set (GitHub)
Combo c72d7ac1ae5ea6c8

Empty User
Agent
Florian Roth
df
Sigma Integrated
Rule Set (GitHub)
db3df2f3bab9e0691c10d2f19
8c0eed1ea877206a82309623
60652fa37013d1e
0 0

Enable Windows 7f8fcfb39f92617ac21dbc51e


ap
Sigma Integrated
Remote frack113 4c66b0663520cef30300bc28 0 0
Rule Set (GitHub)
Management dd89572f6574253
Enabled User
5b7c1293fd9b0e601e332e39
Right in AD to Sigma Integrated
@neu5ron 57086d1d0c6a06bfadd6c43e 0 0
st

Control User Rule Set (GitHub)


4270efb3277d3f29
Objects
Enabling COR
54d006ecd6dae89f884b01b6
Profiler Jose Rodriguez (@Cyb3rPandaH), Sigma Integrated
fbaa0d8010a9ab60d59993aa 0 0
In

Environment OTR (Open Threat Research) Rule Set (GitHub)


4d10c45146c3b4ca
Variables

Enabling RDP SOC Prime Threat a0da5ca640c0db1d98b306ba


remotely using Ruslan Mikhalov, SOC Prime Team Detection 62d3da18bb15ee97be16ca41 0 0
PsExec Marketplace d672fe2e8ebec17c
Enumerate
Credentials from
0470d9b3a45f6fadd1112844
Windows Sigma Integrated
frack113 69ea5f0dc2a9e4cebf5973ac1 0 0
Credential Rule Set (GitHub)
3ec483c7c1e072b
Manager With
PowerShell
Enumeration for cf1e24c4e4b805857977d873
Sigma Integrated
Credentials in frack113 b41de8cf08d618fa56ffb27ec 0 0
Rule Set (GitHub)
Registry e5e9b41e84807d6
Enumeration via 1305672c2572166a4d69a39b
Chakib Gzenayi (@Chak092), Hosni Sigma Integrated
the Global 49ae88090a50a828e90fe74e 0 0
Mribah Rule Set (GitHub)
Catalog cbcb764defc3658e
Equation Group ec2be6d2ee05ce5b9bbe5fa0
Sigma Integrated
C2 Florian Roth e0c88445206d45c31719b20f 0 0
Rule Set (GitHub)
Communication 8b334b51509702ca
214644f8f8defe22c479a808c
Equation Group Sigma Integrated
Florian Roth 315e0abeab487ba6453aea73 0 0
Indicators Rule Set (GitHub)
b617671e82afc64
Evasion Base64
decode
SOC Prime Threat 66bf1484dc26be16a812d0aa
arguments in
Roman Ranskyi Detection d2d4ac6fb6a930d54d654fefd 0 0
Powershell.
Marketplace b5395f2f5bdd569
(Possible APT29
activity)

SOC Prime Threat bc6f9cb8f39b70734c26b70f5


Evasive Azorult
Ariel Millahuel Detection 09cd672b3173413fef65146e 0 0
detection
Marketplace 95364ccd778a60e

Event SOC Prime Threat 6069c607c41cfbdf480184c91


Tracing(ETW) Den Iuzvyk Detection 403313c4f458c82732ed81f1c 0 0
.NET Bypassing Marketplace ff013d545756f6

.in
21811843bfb7d3bd52d24ba7
Sigma Integrated
Eventlog Cleared Florian Roth 51e69b943436736e36c5b88a 0 0
Rule Set (GitHub)
3f0f5d4f80c042fd
7ab84c6091a1b4ceb1d00bb8
Sigma Integrated
df
Eventlog Cleared Florian Roth f3be32dcd111618b7e0b705f 0 0
Rule Set (GitHub)
7a14f2696bd4527c
eef34d2dd2c9264ef00f80ce3
Sigma Integrated
Eventlog Cleared Florian Roth cee8c0b7232729bfb39f5f525 0 0
Rule Set (GitHub)
ap
8afc0701b750ba
EvilNum Golden
c07dab99223af1d0dcc74e54
Chickens Sigma Integrated
Florian Roth 19200d751c154be9bf5fb4f88 0 0
Deployment via Rule Set (GitHub)
17b718b80074034
OCX Files
st

Christopher Peacock
cfd44c3835317e846b18021a
Excel Network '@securepeacock', SCYTHE Sigma Integrated
9060f4b9b011294ec53eb3ac 0 0
Connections '@scythe_io', Florian Roth Rule Set (GitHub)
1fad568abeb37922
'@Neo23x0"
In

Excel Proxy
368433c7157e0778f035c6c8
Executing Vadim Khrykov (ThreatIntel), Sigma Integrated
b5a6cd0f273d860606bfa36f6 0 0
Regsvr32 With Cyb3rEng (Rule) Rule Set (GitHub)
32144c7050b4c7d
Payload
Excel Proxy
769fe648255c0a237ee125f7
Executing Vadim Khrykov (ThreatIntel), Sigma Integrated
4d2685b54cf7799f6b5cffeae 0 0
Regsvr32 With Cyb3rEng (Rule) Rule Set (GitHub)
1f2fee47164091c
Payload

Exchange 8b0df83cd0067e8ec609c343
Sigma Integrated
Exploitation CVE- Florian Roth 855fdc202dc02e08333f5308 0 0
Rule Set (GitHub)
2021-28480 7a98ea20ae5a5b9a
Exchange
fa61fa3a9e1eb0bec15a00e9a
Exploitation Sigma Integrated
Florian Roth 84860be9b60903bc19014548 0 0
Used by Rule Set (GitHub)
41437fa15d2b33e
HAFNIUM
Exchange
d6b23e65044f31aa0e870c30
PowerShell Snap- Sigma Integrated
FPT.EagleEye cfcb96f03b4e07207a6ee29c0 0 0
Ins Used by Rule Set (GitHub)
ed9707981459b23
HAFNIUM
Exchange 64bc18e376a29a7021c54cb9
Sigma Integrated
ProxyShell Florian Roth, Rich Warren dd0360d271fdc492dfe54970 0 0
Rule Set (GitHub)
Pattern 6a750fcce1c06b85
Exchange Set
76f94274bd2a1a2e6fff0a841
OabVirtualDirect Sigma Integrated
Jose Rodriguez @Cyb3rPandaH 31b19b7a88097a0ecdf13f71 0 0
ory ExternalUrl Rule Set (GitHub)
3b85cbe87821798
Property

Exe Launched By fb6e575b96ef105d7648f2fbb


Joe Security Rule
ReflectiveLoader Joe Security 84e53c968901fc34652bf5131 0 0
Set (GitHub)
Dll 7f8fa76685654f
c5b9b720930832b94426c87d
Executable from Sigma Integrated
SOC Prime, Adam Swan 7d20296939a583d3a341561 0 0
Webdav Rule Set (GitHub)
476b195402c712b66

SOC Prime Threat 39c77a2689a21b694239fd44


Executable from

.in
SOC Prime Team Detection d2ca79bd9fbdd010599631d8 0 0
Webdav - Zeek
Marketplace 11030596b2bb794d
5be9da0a90b142239a3ff281
Executable in Sigma Integrated
Florian Roth, @0xrawsec 9edf2283938855da3b4c80d6 0 0
ADS Rule Set (GitHub)
df 3d8e6db63c2c4fe7
4c7cd76bbfcbeccd5a632e963
Execute Code Sigma Integrated
Julia Fomina, oscd.community 5a2ba08c7f1b72ecfc3b734d0 0 0
with Pester.bat Rule Set (GitHub)
1e3a46c75c1779
ap
Execute Files 01d30cac08cb23905f4eacf48
Sigma Integrated
with Beyu Denis, oscd.community a745712b09efd4d13ece8136 0 0
Rule Set (GitHub)
Msdeploy.exe df401f4fa5a9969
Execute From 050886ba2f2b1f82f8131a47c
Sigma Integrated
Alternate Data frack113 e6b22fb2663a44155ba973da 0 0
Rule Set (GitHub)
st

Streams 3477fde647c06a5
Execute Invoke- 61dae8b0a35fc9369e410406
Sigma Integrated
command on frack113 f226b559d6c9cb1283734772 0 0
Rule Set (GitHub)
Remote Host 4e7c4f9281869910
In

Execution DLL of 99b21cfd2dee5c20c4ee150c


oscd.community, Natalia Sigma Integrated
Choice Using 1f8ff725e843b680ad0362dc1 0 0
Shornikova Rule Set (GitHub)
WAB.EXE 0682baf38dba493
Execution in e10440993b0b656a1a8c6d3b
Sigma Integrated
Outlook Temp Florian Roth 8e4bbc81af5b7f7cc7b8373de 0 0
Rule Set (GitHub)
Folder 18dea6d80adae4e
bc6e1fabac9a6bb91d67a4a5
Execution of Sigma Integrated
Jason Lynch 439f899182862c791a4d2bb7 0 0
Renamed PaExec Rule Set (GitHub)
2fbaf27b552554d6
Execution via 076e35f57ad985cac0733c6af
oscd.community, Natalia Sigma Integrated
CL_Invocation.ps e62d6b1e84acd633b22254d9 0 0
Shornikova Rule Set (GitHub)
1 de99c537d5d5c6f
Execution via c162774264013dd3be5fe01d
oscd.community, Natalia Sigma Integrated
CL_Invocation.ps b608c8cd43087fb90d8ec4a8 0 0
Shornikova Rule Set (GitHub)
1 371ec6c119f1fef0
Execution via ceefb57442e7180174970790
oscd.community, Natalia Sigma Integrated
CL_Invocation.ps 9d69108b161f2d2e4a973242 0 0
Shornikova Rule Set (GitHub)
1 (2 Lines) e7e2386648bee9b9
Execution via 1394e1d2c663042f47108fb1
oscd.community, Natalia Sigma Integrated
CL_Mutexverifier 90ff989e13550eff19ce6db03 0 0
Shornikova Rule Set (GitHub)
s.ps1 ef09a0c5a92aaec
Execution via e0857d3351e317e009063a58
oscd.community, Natalia Sigma Integrated
CL_Mutexverifier 53ed0234b65be28d6b94c97 0 0
Shornikova Rule Set (GitHub)
s.ps1 27a4473d4bd135d9c
Execution via 389839a4c3b9d52b701fe26d
oscd.community, Natalia Sigma Integrated
CL_Mutexverifier be2f77f37e841fec35467860c 0 0
Shornikova Rule Set (GitHub)
s.ps1 (2 Lines) ed1accddf84b24d
1fc7c2d6af25fd4fb6af44ba89
Execution via Sigma Integrated
Ivan Dyachkov, oscd.community bae55555dbcfdcc31e586fd94 0 0
Diskshadow.exe Rule Set (GitHub)
298ac39ea011d
c012b058c607c697ab301378
Execution via Sigma Integrated
Austin Songer (@austinsonger) 3a9a418dd2b233fa1f22ea4f8 0 0
stordiag.exe Rule Set (GitHub)
160238a19c65577
Exploit 5568bf39e0e0778586bb12b9
Sigma Integrated
Framework User Florian Roth eec75fa632d667e59d9a2593 0 0
Rule Set (GitHub)
Agent a81fc3c1f92482df
Exploit
864e1d1683353be902b628fe
SamAccountNam Sigma Integrated

.in
frack113 efe866931925fd28550796b0 0 0
e Spoofing with Rule Set (GitHub)
4dc914f4e7ff53ea
Kerberos
d3c02a535ea8c2ccc601d4d5
Exploit for CVE- Sigma Integrated
Florian Roth 317b74c2389350cbeffab45fe 0 0
2015-1641 Rule Set (GitHub)
df 35634fb61351840
9931af355487f8ba552a4261f
Exploit for CVE- Sigma Integrated
Florian Roth 563cca37a36e808d77f2dbc3 0 0
2017-0261 Rule Set (GitHub)
857687968010e3a
ap
9697bdf7c6b76b101974ea8a
Exploit for CVE- Sigma Integrated
Florian Roth 0feee97c4b309c7c74d5ccbf4 0 0
2017-8759 Rule Set (GitHub)
e0c2b3a5e03f167
Exploitation of e9dbd9775b62ea76e1f299ca
Sigma Integrated
CVE-2021-26814 Florian Roth eec38e889d5ade4d1b9f15f0 0 0
Rule Set (GitHub)
st

in Wazuh 125be4c6c34f6ed8
Exploited CVE-
f85ce5948989e315c57d34da
2020-10189 Sigma Integrated
Florian Roth 1951a85d6b29e1dd91e294fe 0 0
Zoho Rule Set (GitHub)
d17c4c5d2a65ca26
In

ManageEngine
ca8e07ebb4a9e88b2988f1c2
Exploiting CVE- Sigma Integrated
Florian Roth c1da442f21dd9e29212734ca 0 0
2019-1388 Rule Set (GitHub)
d87963436e07697a
Exploiting
aaf4513bd87abe8d41992949
SetupComplete.c Florian Roth, oscd.community, Sigma Integrated
584d6e69d734d9f68ef90eaa 0 0
md CVE-2019- Jonhnathan Ribeiro Rule Set (GitHub)
97be26b350d990c6
1378
Exports Critical dbe237db785de8531f797d5f
Oddvar Moe, Sander Wiebing, Sigma Integrated
Registry Keys To 0689f67cf0389152523f491db 0 0
oscd.community Rule Set (GitHub)
a File 2c761f5888de930
Exports Registry
9695789356ce1e4c280773e1
Key To an Oddvar Moe, Sander Wiebing, Sigma Integrated
a4990ee193bc17704d78da2b 0 0
Alternate Data oscd.community Rule Set (GitHub)
4acb48eed6061293
Stream
External Disk 69ec9de0dde4471e41ee7ac0
Sigma Integrated
Drive Or USB Keith Wright 07a2e667bee45fc610f59477c 0 0
Rule Set (GitHub)
Storage Device fcd75bb72afdf6a
SOC Prime Threat f91099b17f9d1bca0d4db4e5
External Facing
SOC Prime Team Detection b0ad22f95649383e9cf2240cc 0 0
ICS DNP3
Marketplace 0abc68540881418
External Proxy
SOC Prime Threat 8871bb484e485ff18029d70e
Detected
SOC Prime Team Detection d25036cf72ae96f363232176 0 0
(Overview
Marketplace d3f639f5ffc8c719
Query)
Extracting 4e243e6a618f306cfd754df3b
Sigma Integrated
Information with frack113 30132c4fa518c4ad26b6d755 0 0
Rule Set (GitHub)
PowerShell 244064cd3110b0f
ca26332fee8f2e589029cf0e8
F-Secure C3 Load Sigma Integrated
Alfie Champion (ajpc500) f2b212bae02121915a9cc3a2 0 0
by Rundll32 Rule Set (GitHub)
cefe4c1a96419c1
FASTCash 2.0 -
SOC Prime Threat 328842f9bf7293774dba7e98
North Korea's
Ariel Millahuel Detection cfbc8dc38cc5c3bfd0b550b66 0 0
BeagleBoyz
Marketplace f9f388d2364db6b
Robbing Banks
FASTCash 2.0 -
SOC Prime Threat 4f4f4d2ef9741a90d68b3e1ca
North Korea's

.in
Ariel Millahuel Detection 5439694604fc80bcb02c3cbd 0 0
BeagleBoyz
Marketplace e70096562cc6000
Robbing Banks

SOC Prime Threat 94db0c3a112be50fd02c2ff8b


FIN7's Backdoor
Ariel Millahuel Detection
df 6bdb0ac37e92b752979f8c6f 0 0
"GRIFFON"
Marketplace 2e5563abe56be96

SOC Prime Threat b76c81cee8f9040791d362bd


FIN7's Backdoor
Ariel Millahuel Detection e9fa5c5ec808c3d2f0fce6f9f4 0 0
ap
"GRIFFON"
Marketplace a04448b9e10018

SOC Prime Threat 4675166eaef352485a92c18a


FORMBOOK
Ariel Millahuel Detection 16d156904430c5c7735fd58d 0 0
Detection
Marketplace ba24cf182c23d60e
st

SOC Prime Threat eeee8664c6a13d9135d1338a


FORMBOOK
Ariel Millahuel Detection 6561c8e98c8d43e7769fb153 0 0
Detection
Marketplace 2912f88a85cfc98d
In

Failed Logins
with Different 39c6740d7e5a4065ad484a47
Sigma Integrated
Accounts from Florian Roth fdf900dac6ebb236a092d3a6 0 0
Rule Set (GitHub)
Single Source 2ae08b42f997aaf4
System
Failed Logins
with Different 96209abdf48c67f20055c6bff
Sigma Integrated
Accounts from Florian Roth 1def00f64467ff7b6241d0f81f 0 0
Rule Set (GitHub)
Single Source 46fb6dd9c45ce
System
Failed Logins
with Different c205af7876e4586e4a5a6daf3
Sigma Integrated
Accounts from Florian Roth 886f1baa3df67852a520806a 0 0
Rule Set (GitHub)
Single Source a99706ca5d30f1d
System
Failed Logins
with Different ca722b22c08d09482ee7e905
Sigma Integrated
Accounts from Florian Roth dc151bc4c635059ae6cca8d5 0 0
Rule Set (GitHub)
Single Source e7319d79d75a939b
System
Failed Logins
with Different da16f0c4a5327c930eada871
Sigma Integrated
Accounts from Florian Roth 93754d50bfcbe86ae02f2b34 0 0
Rule Set (GitHub)
Single Source 6843be759f3bf068
System
Failed Logins
with Different e0dab5d045b069343558464
Sigma Integrated
Accounts from Florian Roth 7bbbacf51af451c35bf907372 0 0
Rule Set (GitHub)
Single Source 3e14ce5e9faa977a
System
747bd73d4c017e43abc40ee6
Failed Logon Sigma Integrated
NVISO 2507a5889d075d5fde6a504c 0 0
From Public IP Rule Set (GitHub)
4d858fa2bcf544cf
Failed
4ffd23c451cedb770f7b27887
MSExchange Sigma Integrated

.in
Tobias Michalski ee3bedb3bd28836fcf3f1af17 0 0
Transport Agent Rule Set (GitHub)
ddfcc02f42244f
Installation
Fax Service DLL 4bd3cd7f770c6c3ec6329529
Sigma Integrated
Search Order NVISO 702f55c609cbd0c8220a36c0 0 0
Rule Set (GitHub)
df
Hijack 8756e56a5eb0e553
File Creation by 4c867f43073512dc59c123d5
Vadim Khrykov (ThreatIntel), Sigma Integrated
Office 7114baa298a7f696a87ca884 0 0
Cyb3rEng (Rule) Rule Set (GitHub)
Applications 2fba36f25783ba49
ap
ca09f90f6791c066d3cb4ab07
Sigma Integrated
File Deletion Ömer Günal, oscd.community b1fbc4ed8bc75831b99eae01 0 0
Rule Set (GitHub)
23b994db452cc63
File Download ab434fe480ee2a7a4567eef3
Sigma Integrated
with Headless Sreeman, Florian Roth 8af37753eb61b2fe82708db1 0 0
Rule Set (GitHub)
st

Browser 056313a73ab0fac0
98a04cf3e09ed0fd0d955b12
File Time Sigma Integrated
Igor Fits, oscd.community 33d5da45cab63a5a2370ab7d 0 0
Attribute Change Rule Set (GitHub)
c16a507783467e67
In

cf228b836870037eda6ce9d4
File Time Igor Fits, Mikhail Larin, Sigma Integrated
29595c3a3c8bb83b64b142fc 0 0
Attribute Change oscd.community Rule Set (GitHub)
4dae821bc43b3fd8
9a03b6952f3ce7ab37238d17
File Was Not Sigma Integrated
Pushkarev Dmitry b0e583d82c02641e1cd9add5 0 0
Allowed To Run Rule Set (GitHub)
995da0319dc8e27f
File and 3d3b45d016905389c43a4a14
Daniil Yugoslavskiy, Sigma Integrated
Directory 252fb73bf6a6f29ca1d925f44 0 0
oscd.community Rule Set (GitHub)
Discovery b19ff52a9bc0571
File and de61a9a6e51619752c9f8bf8
Daniil Yugoslavskiy, Sigma Integrated
Directory 7bb41536abc4f6983711039d 0 0
oscd.community Rule Set (GitHub)
Discovery cef99b9732a26713
File or Folder 2aa85d50392d0c934bd64316
Sigma Integrated
Permissions Jakob Weinzettl, oscd.community 8b9d6106622e796b2f125ccb 0 0
Rule Set (GitHub)
Change fdbc65beb9d9328d
Files Dropped to
0dec80af16a1229c7c8b9478
Program Files by Teymur Kheirkhabarov (idea), Ryan Sigma Integrated
448b6a3fe7a1cd392768c3d1 0 0
Non-Priviledged Plas (rule), oscd.community Rule Set (GitHub)
1e0cc1d3f56ce89c
Process
FindPOS Banking SOC Prime Threat b4f6a2934ee226030f077e9c
Trojan (Sysmon Ariel Millahuel Detection 78924c5b5a78d41ee66a0529 0 0
detection) Marketplace dd426becc7b33ddd
6403688c88307224c6c37547
Findstr GPP Sigma Integrated
frack113 c26a3634868d77d08502d775 0 0
Passwords Rule Set (GitHub)
29f03daacc410a51
First Time Seen 8f55e684b93688b5ada963a9
Sigma Integrated
Remote Named Samir Bousseaden 2be16b72c1a0cfc3cb3de96d 0 0
Rule Set (GitHub)
Pipe d117b81f4ca48353

First Time Seen SOC Prime Threat 480a8350961bc4753587db02


Remote Named SOC Prime Team Detection 9d2b4b67af4927083b258b8a 0 0
Pipe - Zeek Marketplace c071d0dea69e5107
First Time Seen 6dfb9593c473f7b52b104c46
Sigma Integrated
Remote Named Samir Bousseaden, @neu5ron e0f2ae974fd27365b3fef0767 0 0
Rule Set (GitHub)
Pipe - Zeek 29065c3ceb7336d
Flash Player
f98973bb4e1b72aebf2e59ea
Update from Sigma Integrated
Florian Roth eb00827a358135f7260cf198 0 0
Suspicious Rule Set (GitHub)

.in
ac43e31c7422e15b
Location
ac4c45d3a4b76d63ba2158cb
FlowCloud Sigma Integrated
NVISO 0a11df8d1e2733506cb845e7 0 0
Malware Rule Set (GitHub)
8700108737b600ee
FoggyWeb
Backdoor DLL
Loading
Florian Roth
df
Sigma Integrated
Rule Set (GitHub)
668c7b595f169cd509eb51c2
9bc594ff624919395214381e
2eac4fa7ff9e94ac
0 0

Format.com 9e9f93dcbdb926c3870d61f8
Sigma Integrated
ap
FileSystem Florian Roth a14fc94391072517d5685565 0 0
Rule Set (GitHub)
LOLBIN 8b4592a4e886289c
Fortinet CVE- 48f4e640f9feb5bf31487a870
Sigma Integrated
2018-13379 Bhabesh Raj 784507ef5f7d38f22e9b62e9b 0 0
Rule Set (GitHub)
Exploitation bd954a197833ca
st

Fortinet CVE- c1c52f5ba98a73c39c7b7d85


Sigma Integrated
2021-22123 Bhabesh Raj, Florian Roth 9118c45a22218d1c92dbd128 0 0
Rule Set (GitHub)
Exploitation e54bcb34942092c7

Frat Trojan SOC Prime Threat ea1d6297c25d9b1788bf0e9b


In

(Loader Ariel Millahuel Detection b1ef3fe785a4ced33855144d 0 0


detection) Marketplace 3102a01fd227049a
GAC DLL Loaded 10c0778367f03c51cf9136815
Sigma Integrated
Via Office Antonlovesdnb b90c0d7a820fa857a135c645 0 0
Rule Set (GitHub)
Applications c55014481fd1395
13e966f80ac9708db929626d
GALLIUM Sigma Integrated
Tim Burrell 50e35b4c614959c0d209d094 0 0
Artefacts Rule Set (GitHub)
25ff454546ad372a
4aa39f58ddd2f2f3bdd80a29f
GALLIUM Sigma Integrated
Tim Burrell 42c84ca2fe61a048fc8819faaf 0 0
Artefacts Rule Set (GitHub)
f5df28a22b7db
54e36ba8fed69643d4a587ce
GALLIUM Sigma Integrated
Tim Burrell f4fddde07614258a1c1996ed 0 0
Artefacts Rule Set (GitHub)
0c958450ccadf258
a28fbac5cff189dab10e229b3
GALLIUM Sigma Integrated
Tim Burrell a0ae2e24b372d2b111d7262f 0 0
Artefacts Rule Set (GitHub)
d83043e661ef513
a43dac5f26c85a94239a7441
GALLIUM Sigma Integrated
Tim Burrell 5d13e774debdccd841db3117 0 0
Artefacts Rule Set (GitHub)
40a5727d95a105bb
a850462e96a471d0210fd57a
GALLIUM Sigma Integrated
Tim Burrell 8d09b89aa9d484414bb317e 0 0
Artefacts Rule Set (GitHub)
d6f8dfba6bfee5d84
d1012f082becc4692509094f
GALLIUM Sigma Integrated
Tim Burrell 0b3f52f4bfff06a6a239d05da 0 0
Artefacts Rule Set (GitHub)
80ed461dad4a230
fc4bbb141d939f93ce4dba43
GALLIUM Sigma Integrated
Tim Burrell aa3b43e635f4dda080c5e27e 0 0
Artefacts Rule Set (GitHub)
e58529a1563dab8e
e8a715c11ff2888a95d902af6
GUI Input Sigma Integrated
remotephone, oscd.community f79e1e2aac74e027662e679bf 0 0
Capture - macOS Rule Set (GitHub)
2d24be5d33ec77
Gamaredon
SOC Prime Threat 0f97ccec7b149884820f61a17
Group Behavior
Ariel Millahuel Detection 2664b0ab480111696291696c 0 0
(Sysmon
Marketplace b4b3e7ae011c34f
detection)
7f400a75c32e600540f4565b

.in
Gatekeeper Daniil Yugoslavskiy, Sigma Integrated
d2cb4099e67aab98f70299b5 0 0
Bypass via Xattr oscd.community Rule Set (GitHub)
fe20136c9bc9f13b
GatherNetworkIn 93d3c8484d953299cdaafb69
Sigma Integrated
fo.vbs Script blueteamer8699 6acdb7e33fd8a569cd8682a0 0 0
Rule Set (GitHub)
df
Usage d501a122f2b8290b

Generic Roberto Rodriguez, Teymur


021958a970490c9f053ccc5d
Password Kheirkhabarov, Dimitrios Slamaris, Sigma Integrated
257c9c5f17746ceb0270b213 0 0
Dumper Activity Mark Russinovich, Aleksey Potapov, Rule Set (GitHub)
ap
e185a4c9354e912c
on LSASS oscd.community (update)
562da91a76462659002a010f
Joe Security Rule
Geofenced Ru Joe Security 3f5e20f6ea8d3c7771e342dce 0 0
Set (GitHub)
7b3d0b5b2421eb8
st

Get antivirus 6e2720fef4d33bcf8ad643d1ff


Joe Security Rule
details via WMIC Joe Security 91ff392e3afc91ad4446024cf 0 0
Set (GitHub)
query 5a4dfa46685aa
959a4fa9a66799f33b7f7ea4c
Get2 Joe Security Rule
In

Joe Security 82ec1869a3031768b47d0a7b 0 0


Downloader Set (GitHub)
e1221b66ee355bd

Glupteba SOC Prime Threat 7d6a15e8de84af0efc173edd


malware Ariel Millahuel Detection 7fc1d08b2c8d250be90a4105 0 0
detection Marketplace 6ded2b99d918271c
GoldenHelper
SOC Prime Threat 85d7d4821cc1ccf999a9455b
Behavior
Ariel Millahuel Detection 3045c5778b716b7140209df1 0 0
(Sysmon
Marketplace e1293db41bbc0bea
detection)
Google Cloud
4e9fe08e5c9be680bfaf33cdd
DNS Zone Sigma Integrated
Austin Songer @austinsonger cd1081cd3aba686ce5077b1c 0 0
Modified or Rule Set (GitHub)
d0b5856663dbe0e
Deleted

Google Cloud 75e61beb3d99547100af121b


Sigma Integrated
Firewall Modified Austin Songer @austinsonger 2ea1688aa808d3688450d44d 0 0
Rule Set (GitHub)
or Deleted 493780d2cc802900
Google Cloud
5790f7e831d8a6bc3ca5c218
Kubernetes Sigma Integrated
Austin Songer @austinsonger 539243db16d6289b537af31c 0 0
Admission Rule Set (GitHub)
00d082fe78ed2c01
Controller
Google Cloud 06da8a78620eee29e603c816
Sigma Integrated
Kubernetes Austin Songer @austinsonger 960eae96dcb6ef22786be239 0 0
Rule Set (GitHub)
CronJob 5c7c89a4483be9c6
Google Cloud 555a6561c2563b49ce91769c
Sigma Integrated
Kubernetes Austin Songer @austinsonger 6ac3f56617339b3b8813f72c9 0 0
Rule Set (GitHub)
RoleBinding fa1bd32ec71f74e

Google Cloud
6ee389129056d76efea184de
Kubernetes Sigma Integrated
Austin Songer @austinsonger d09eba9cf1c324f400b3d0d5 0 0
Secrets Modified Rule Set (GitHub)
0b87786d565d0e03
or Deleted
Google Cloud Re-
ddff51832fbd0426593249f78
identifies Sigma Integrated
Austin Songer @austinsonger 16c2949713da15d8f5f43d7bf 0 0
Sensitive Rule Set (GitHub)
73dbe4402ba1c3
Information.
Google Cloud

.in
a916fae3b74465ca20244fcbd
SQL Database Sigma Integrated
Austin Songer @austinsonger 2427d10e602ebd5bd23e20c8 0 0
Modified or Rule Set (GitHub)
30516535a652466
Deleted
Google Cloud
df 5162849b0852d05e10e767dc
Service Account Sigma Integrated
Austin Songer @austinsonger f89c82633c89592c636df59ce 0 0
Disabled or Rule Set (GitHub)
a0c8d66143fef63
Deleted
Google Cloud 26b1499ccf7a72e494ae575cf
Sigma Integrated
ap
Service Account Austin Songer @austinsonger a25674e193d0d80f0ee98197 0 0
Rule Set (GitHub)
Modified 7d65e518bf7575f
Google Cloud f5a9b68010504eff3ab69d140
Sigma Integrated
Storage Buckets Austin Songer @austinsonger 6d28ce83a81c9b2399b5424d 0 0
Rule Set (GitHub)
Enumeration 60221ca6c707c08
st

Google Cloud
432ac1fb76a98caf7e4c2c36d
Storage Buckets Sigma Integrated
Austin Songer @austinsonger c767867c71c8241b3abb88c2 0 0
Modified or Rule Set (GitHub)
38e09dd1dd6eb52
Deleted
In

Google Cloud
1ec92cc5b58c4d0aba97c210
VPN Tunnel Sigma Integrated
Austin Songer @austinsonger 716e4f4a0e3bc4148bac041b 0 0
Modified or Rule Set (GitHub)
47e830680b25de8d
Deleted
Google Full 11db866a2c986c2622afc6b4
Sigma Integrated
Network Traffic Austin Songer @austinsonger e18e39a469b925ba219af228 0 0
Rule Set (GitHub)
Packet Capture e1b93928526e7317
Google
7aad3ceec393171e628be57a
Workspace Sigma Integrated
Austin Songer d1507a50aaa34f68bfa8af505 0 0
Application Rule Set (GitHub)
481b9406de81834
Removed
Google
7447e9cdd0e5729172c1c9f7
Workspace Sigma Integrated
Austin Songer 143faf9ada51a1e939eb6100 0 0
Granted Domain Rule Set (GitHub)
d7066e46913117c5
API Access
Google a6f7ea87e017ce01123928b2
Sigma Integrated
Workspace MFA Austin Songer e8c2bee1808d90c322c0fe3f8 0 0
Rule Set (GitHub)
Disabled 660c929ed149b5d
Google
a941017b4f691cb4487bac97
Workspace Role Sigma Integrated
Austin Songer de7b0d0a9649ffd6b3f402774 0 0
Modified or Rule Set (GitHub)
dde963b3e3ecdaa
Deleted

Google 9eb6ba62c47e14ada70fa08f7
Sigma Integrated
Workspace Role Austin Songer edc5aeb9118c433612b3feba 0 0
Rule Set (GitHub)
Privilege Deleted 5a7ce44fc77a909
Google
107b17aa4a3574e6f2957478
Workspace User Sigma Integrated
Austin Songer 81192bc95a741ad7258df4c3 0 0
Granted Admin Rule Set (GitHub)
d1abeb9bcd9031d5
Privileges

Grafana Path
e5ef12864d0d0ecf03667482
Traversal Sigma Integrated
Florian Roth 6506d6184e1b067e991808aa 0 0
Exploitation CVE- Rule Set (GitHub)
0e1ff455c7ac0dcd
2021-43798

SOC Prime Threat 4f31c3fa158f312c5152f83df3


GrandSteal
Ariel Millahuel Detection 86b1fb92e53b215040fb3ae2 0 0
Malware

.in
Marketplace 68cbb215e31429

SOC Prime Threat 43c3cf1aec99bd2e109fd3867


Grandoreiro
Den Iuzvyk Detection cd77e17e8a24f54da3251b30 0 0
banking trojan
Marketplace
df dd592cf83272b56
Granting Of 2c4ab12457b78f88ac519103
Sigma Integrated
Permissions To sawwinnnaung 7416703011e6de4aa39693b0 0 0
Rule Set (GitHub)
An Account 9e20823de2f0f42f
ap
Guacamole Two 17fc2e35d07c0b3986643b47
Sigma Integrated
Users Sharing Florian Roth 3df8b54cf3371854ed30f7d65 0 0
Rule Set (GitHub)
Session Anomaly fe415a944ba6961
Guildma
SOC Prime Threat 1e6ac5cb97a765bdc2b15c1c
st

detection
Ariel Millahuel Detection a55ec978b04d9511ddba2126 0 0
(sysmon and
Marketplace 304966bde1b17fde
cmdline)
Guildma
SOC Prime Threat 3394ac20f81b6dbd77a611e1
In

detection
Ariel Millahuel Detection dfd1c52794b199583960710e 0 0
(sysmon and
Marketplace bc28c01bae3a27a4
cmdline)
HTTP POST or SOC Prime Threat c4ee6e518d8bece54b732fc5
PUT URI Non SOC Prime Team Detection a27bd8515ed478d3f3168189 0 0
ASCII Character Marketplace 1fab56111b6ca18f
9645aaedf8ece3691433afeb3
Hack Tool User Sigma Integrated
Florian Roth 9dfddf3048958fa600acc234a 0 0
Agent Rule Set (GitHub)
56f522b4f41b8e
cd304d70f67c3d14033f8319
Sigma Integrated
Hacktool Ruler Florian Roth 71d45bee3264cc411ea28209 0 0
Rule Set (GitHub)
db2f6d148ea9f2f6
HawkEye
malware - SOC Prime Threat 06789be682ab6cf58699c036
Coronavirus Ariel Millahuel Detection 53b66c7f9299038c2c44e967 0 0
scam (Sysmon Marketplace e3c68a2e40fdbbdc
detection)
HawkEye
malware - SOC Prime Threat b7f993191f989d1f86bba4825
Coronavirus Ariel Millahuel Detection f6e96a7c27e80b1bcdbf6ed64 0 0
scam (Sysmon Marketplace 78ae89239222eb
detection)
6c95803fd57ca93faa4a13a1b
Hidden Files and Sigma Integrated
Pawel Mazur e90825b893e3d84ac45ca8c7 0 0
Directoriese Rule Set (GitHub)
0e80cf1574d4028

SOC Prime Threat 6416d92c1d6493914510053


Hidden Tear
Ariel Millahuel Detection de27fbb52201520df66cac07 0 0
Ransomware
Marketplace 5111034d37aac4194

SOC Prime Threat b11fac69696a228f0a15679f5


Hidden Tear
Ariel Millahuel Detection 95df7b336dde8d11522e2dfd 0 0
Ransomware
Marketplace d9e1004aacf5721
809fde43d8c51148345ce944
Hidden User Daniil Yugoslavskiy, Sigma Integrated
01363b56daa369da6e6bdb7 0 0
Creation oscd.community Rule Set (GitHub)
66f26a3a3af847f65
2bc3d95bf98633de61ea95a0

.in
High DNS Bytes Daniil Yugoslavskiy, Sigma Integrated
05c1b04db78ea390377ce363 0 0
Out oscd.community Rule Set (GitHub)
fc04a09d20374cde
4e81552b913384840b8f3b63
High DNS Bytes Daniil Yugoslavskiy, Sigma Integrated
1ab5be105841ff6a829f1a496 0 0
Out oscd.community Rule Set (GitHub)
df fd1e3e13effafba
5d26dba8fce23cc9f2e893e61
High DNS Bytes Daniil Yugoslavskiy, Sigma Integrated
faa96cbbae4bce1e530e4154 0 0
Out oscd.community Rule Set (GitHub)
294172451e4a1b1
ap
a958051334fc197d28be902c
High DNS Bytes Daniil Yugoslavskiy, Sigma Integrated
c93f3d866e1ca9a16f90a70f2 0 0
Out oscd.community Rule Set (GitHub)
1bd60a2f47fbc29
db7861630c3853feeea696d7
High DNS Bytes Daniil Yugoslavskiy, Sigma Integrated
11f739104df19b415fd9ba6c1 0 0
Out oscd.community Rule Set (GitHub)
st

a8fec46002a8fbf
16b85da18d9082b3b4511ae
High DNS Daniil Yugoslavskiy, Sigma Integrated
7d959fbf89409bb88f17d708a 0 0
Requests Rate oscd.community Rule Set (GitHub)
f4f48b0a422adefb
In

2082aad99bb35c4089a7d806
High DNS Daniil Yugoslavskiy, Sigma Integrated
951cf7090bca3bdeb0a052f76 0 0
Requests Rate oscd.community Rule Set (GitHub)
1dc38d878e58c57
4d753950eaec7ac9fc0b8435
High DNS Daniil Yugoslavskiy, Sigma Integrated
2b52a7d1e44cd4806bded593 0 0
Requests Rate oscd.community Rule Set (GitHub)
087c93032ce8e29a
888de5606c7898a641ac0f06
High DNS Daniil Yugoslavskiy, Sigma Integrated
071d731769cd6a0c2a8638b9 0 0
Requests Rate oscd.community Rule Set (GitHub)
bd65e4c7832b4a8c
fb55eac70ca85e41bd6aedae
High DNS Daniil Yugoslavskiy, Sigma Integrated
03e77e21466cde4d3e05bdcc 0 0
Requests Rate oscd.community Rule Set (GitHub)
c80080c9df288d8f
High NULL 85891d3694d60dcdc316d135
Daniil Yugoslavskiy, Sigma Integrated
Records 514866fe396add3b76b77fb7 0 0
oscd.community Rule Set (GitHub)
Requests Rate cb7757ce6012957c
27156cd3bf11019c9f610f2ca
High TXT Records Daniil Yugoslavskiy, Sigma Integrated
55106a23d64717f78b7db173 0 0
Requests Rate oscd.community Rule Set (GitHub)
0a6b20daae7fc23
SOC Prime Threat 6bb0fcaf34349cee860ba3a31
Hiloti Trojan Ariel Millahuel Detection 5fdc7aed5aa00d66dcf54cae1 0 0
Marketplace 67073a246cf851

SOC Prime Threat f8a63428721bcc8ad6de541a


Hiloti Trojan Ariel Millahuel Detection 48e0a1f21d8e73a4f114603b 0 0
Marketplace cb7e9066042c502c

SOC Prime Threat 1542db80b3c0353f1a027f7d


HiveRAT
Ariel Millahuel Detection dd3b1a2980335d4ef03fae03 0 0
detection
Marketplace a4f951743f67648e
b27d91650a86f43d59ca651f
Host Without Sigma Integrated
Alexandr Yampolskyi, SOC Prime ec4af5b7b4a87e4b4d5b89b8 0 0
Firewall Rule Set (GitHub)
19a3aa69c312b60e
HybridConnectio
517263a8c15fed9ded106be8
nManager Roberto Rodriguez (Cyb3rWard0g), Sigma Integrated
82b2ec39dde9a02250421088 0 0
Service OTR (Open Threat Research) Rule Set (GitHub)
d9b2a222e1516406
Installation
HybridConnectio

.in
6ba69204045297b2467cffd2
nManager Roberto Rodriguez (Cyb3rWard0g), Sigma Integrated
d3908dc1588e213dfeaf62bb 0 0
Service OTR (Open Threat Research) Rule Set (GitHub)
11c1778c9d93dcf0
Installation
HybridConnectio 711a6c8a033fd8cc45c82ea8f
Roberto Rodriguez (Cyb3rWard0g), Sigma Integrated
df
nManager dd9a7b6f95b70c88e157d2d6 0 0
OTR (Open Threat Research) Rule Set (GitHub)
Service Running 7579ce7dff11b76
e6b3709b80b265ad0fed3cb1
Sigma Integrated
ISO Image Mount Syed Hasan (@syedhasan009) ec046dc0b3dfa6eba361f593c 0 0
Rule Set (GitHub)
ap
53333b71c662136
967066367d1b4b6d60bdc3b
IcedID Joe Security Rule
Joe Security b6c06da99df284842490e627 0 0
Downloader Set (GitHub)
971ffc36d72138e44
Image Load of
90a2634e64f0a02343bf17b7
st

VSS_PS.dll by Sigma Integrated


Markus Neis, @markus_neis 97e3d249061fdee81d36e5da 0 0
Uncommon Rule Set (GitHub)
c2d8e3fe2a2df280
Executable
Impacket 3d5ac2209c46a9cb869f82a5
Ecco, oscd.community, Jonhnathan Sigma Integrated
In

Lateralization 1ef7ec32954bc3ca32fe71092 0 0
Ribeiro Rule Set (GitHub)
Detection 9ac41137e9f7957
3f02ed054f271ff6065ad3057
Impacket PsExec Sigma Integrated
Bhabesh Raj 2fa0e95c2bd16820da55d1ad 0 0
Execution Rule Set (GitHub)
40d10e8fafd0eca
309cda68f6a1f23a3de3d660
In-memory Tom Kern, oscd.community, Natalia Sigma Integrated
4cd71d89098ca2472c6cfaae5 0 0
PowerShell Shornikova, Tim Shelton Rule Set (GitHub)
72a5d4375389247

Indicator
adfe5f99b6a812a149fe86b53
Removal on Host Sigma Integrated
remotephone, oscd.community 528239d9e7938e56d2864d1 0 0
- Clear Mac Rule Set (GitHub)
403950040a11e57b
System Logs
ec31a3e8dcd4d55b032d9d66
Install Root Sigma Integrated
Ömer Günal, oscd.community 97f403b4260762840a75ef84 0 0
Certificate Rule Set (GitHub)
a25fec68f4d78fd6
InstallerFileTake
b0c213591ac3b9d67559c62e
Over LPE CVE- Sigma Integrated
Florian Roth 06f44e984fa9cccd8eadc7126 0 0
2021-41379 File Rule Set (GitHub)
488916b8f112271
Create Event
Interactive Logon 287dcb23b97461c15bc62862
Sigma Integrated
to Server Florian Roth 6d410d7134857f2a8a73b586 0 0
Rule Set (GitHub)
Systems 7709120813e47c17
Invalid Users
Failing To
bd35715e77f17842c47f4bd4
Authenticate Sigma Integrated
Mauricio Velazco 5fb125c2aee1c533dadb3de0 0 0
From Single Rule Set (GitHub)
25a01b53ccdc7464
Source Using
NTLM
Invalid Users
Failing To 24e430c06c4928d27c8c2309
Sigma Integrated
Authenticate Mauricio Velazco, frack113 7b69829139af8fce404dbe51f 0 0
Rule Set (GitHub)
From Source 3b1a45cfe4c963d
Using Kerberos
Invocation of
84d018445ff2f74f3d42483a4
Active Directory Sigma Integrated

.in
Thomas Patzke 605f7bf5d16da359866d95b1 0 0
Diagnostic Tool Rule Set (GitHub)
be54371131e5836
(ntdsutil.exe)
Invoke- 07b20a8191672f390880af0df
Sigma Integrated
Obfuscation Jonathan Cheong, oscd.community ccb1dcb42df51d9b0e0e5b4f4 0 0
Rule Set (GitHub)
df
CLIP+ Launcher a34ae2636c385a
Invoke- 55d070128f8d768c5650c81c
Sigma Integrated
Obfuscation Jonathan Cheong, oscd.community 573dcfbad37b719f2e5b4c2e 0 0
Rule Set (GitHub)
CLIP+ Launcher 508c2a7fde28c9ba
ap
Invoke- 61b487de335dac84b1a9bbd3
Sigma Integrated
Obfuscation Jonathan Cheong, oscd.community 816d5111cabce315463c02cb 0 0
Rule Set (GitHub)
CLIP+ Launcher 2953344caca3cd95
Invoke- 66ae2d866adeac92a15a12e3
Sigma Integrated
Obfuscation Jonathan Cheong, oscd.community 1d3a3be37036f330111ae0f3f 0 0
Rule Set (GitHub)
st

CLIP+ Launcher e3b7c895374ede1


Invoke- 66f7192930e6691d3b4ee72b
Sigma Integrated
Obfuscation Jonathan Cheong, oscd.community 4a6351242a104911c34cc2e5 0 0
Rule Set (GitHub)
CLIP+ Launcher 63539db593bf6bc5
In

Invoke- 96f143150cf12b082ad12ff80
Sigma Integrated
Obfuscation Jonathan Cheong, oscd.community 043a40ce507e50dbf6f4c6d68 0 0
Rule Set (GitHub)
CLIP+ Launcher fb1f4f0cbe1771
Invoke- a4095d2245c467d53d473d6f
Sigma Integrated
Obfuscation Jonathan Cheong, oscd.community 0b5664e6043544a19c73bd87 0 0
Rule Set (GitHub)
CLIP+ Launcher d555a5316ada37e7
Invoke- bc4b79447cdefa2382da736b
Sigma Integrated
Obfuscation Jonathan Cheong, oscd.community 3a63a3ce5a01a6400ed11820 0 0
Rule Set (GitHub)
CLIP+ Launcher db5ee38b981e2e34
Invoke- d9fcc5b01474c94f013105b53
Sigma Integrated
Obfuscation Jonathan Cheong, oscd.community 2ce885ebb7d8cedac210ff18b 0 0
Rule Set (GitHub)
CLIP+ Launcher b921bd350afa1f
Invoke- dd967df044da70a0ce8e3d07
Sigma Integrated
Obfuscation Jonathan Cheong, oscd.community 66de79d0c1392ca968e6c1f2 0 0
Rule Set (GitHub)
CLIP+ Launcher 755dc95b76062a7d
Invoke-
23d33c003cb0a2893d558ec9
Obfuscation Sigma Integrated
Timur Zinniatullin, oscd.community fc1f759265b5200122f0155a8 0 0
COMPRESS Rule Set (GitHub)
1fd6da5eda7cb4a
OBFUSCATION
Invoke-
2abb23702384c2980e4ffe0d
Obfuscation Sigma Integrated
Timur Zinniatullin, oscd.community d690fcd4ba17539c7c79c671 0 0
COMPRESS Rule Set (GitHub)
8252778eab17fcc1
OBFUSCATION
Invoke-
30afe98d3f1fe8511eb6a67ad
Obfuscation Sigma Integrated
Timur Zinniatullin, oscd.community 5f0d954762e3ae473d2c53b3 0 0
COMPRESS Rule Set (GitHub)
90482613c6afe8e
OBFUSCATION
Invoke-
b5835a1f1f607f7c9b2995761
Obfuscation Sigma Integrated
Timur Zinniatullin, oscd.community 947f379ab9343ac06637ece5 0 0
COMPRESS Rule Set (GitHub)
caf60435a682e6c
OBFUSCATION
Invoke-
bf865a7d8524d34ec2fcf3661
Obfuscation Sigma Integrated
Timur Zinniatullin, oscd.community 03b431319a364992070da49 0 0
COMPRESS Rule Set (GitHub)
982bf7a6bf68fcd2
OBFUSCATION
Invoke-
dc78b6b33628aead1fdeb14c
Obfuscation Sigma Integrated
Timur Zinniatullin, oscd.community 4a18756a01373ea62b8d5462 0 0
COMPRESS Rule Set (GitHub)
c0c12f0dc5dc8be0
OBFUSCATION

.in
Invoke-
eacdd56ee69da6ba92a6f01f7
Obfuscation Sigma Integrated
Timur Zinniatullin, oscd.community d2cb4022f9ffb08eebd0a09a1 0 0
COMPRESS Rule Set (GitHub)
e17012fc9f3307
OBFUSCATION
Invoke-
Obfuscation
COMPRESS
Timur Zinniatullin, oscd.community
df
Sigma Integrated
Rule Set (GitHub)
f39f375a39ff602aaeb463af7e
29f879cf1e2728e1bfd0ce46c
68ce463d545c9
0 0
OBFUSCATION
ap
Invoke-
Daniel Bohannon 02563551ca2b811c4f5ebea1
Obfuscation Sigma Integrated
(@Mandiant/@FireEye), 3242cffde0a8e5d1dbe9578a 0 0
Obfuscated IEX Rule Set (GitHub)
oscd.community 4e836117c3344457
Invocation
Invoke-
Daniel Bohannon 229bed31b945cf52d288e09e
st

Obfuscation Sigma Integrated


(@Mandiant/@FireEye), 87afafe82ddc418cc89ac78e4 0 0
Obfuscated IEX Rule Set (GitHub)
oscd.community aa57bb1505f4e17
Invocation
Invoke-
Daniel Bohannon 532d5adca424a8a32820d44f
In

Obfuscation Sigma Integrated


(@Mandiant/@FireEye), 658dea5035219510229a38ea 0 0
Obfuscated IEX Rule Set (GitHub)
oscd.community 885eea469ae8f8a7
Invocation
Invoke-
Daniel Bohannon 6e2b0909c3266faf43a0917df
Obfuscation Sigma Integrated
(@Mandiant/@FireEye), 01825825b4ad958d6cdaa0a4 0 0
Obfuscated IEX Rule Set (GitHub)
oscd.community 5c9cfe53e15affa
Invocation
Invoke-
Daniel Bohannon 6e503c48dbf119e0821aab4c
Obfuscation Sigma Integrated
(@Mandiant/@FireEye), 7ebde353e0b781363fe0c88a 0 0
Obfuscated IEX Rule Set (GitHub)
oscd.community c53e10fabedeeb33
Invocation
Invoke-
Daniel Bohannon 778d34341a09f9942b6754b2
Obfuscation Sigma Integrated
(@Mandiant/@FireEye), 57881e32f43e5eb36c396c5a 0 0
Obfuscated IEX Rule Set (GitHub)
oscd.community 7bf385626994b6a3
Invocation
Invoke-
Daniel Bohannon 7c97dec04489c3636dd72432
Obfuscation Sigma Integrated
(@Mandiant/@FireEye), f11eeb579854a1d03d55419b 0 0
Obfuscated IEX Rule Set (GitHub)
oscd.community afb059e73e43dd4c
Invocation
Invoke-
Daniel Bohannon 89b3cbec0ebda2750669f9b5
Obfuscation Sigma Integrated
(@Mandiant/@FireEye), 831ae50fb9a2e58ba9d9ecb7 0 0
Obfuscated IEX Rule Set (GitHub)
oscd.community 6d82c553dd9fbaed
Invocation
Invoke-
Daniel Bohannon 978e8ef0c97aa415779127f1
Obfuscation Sigma Integrated
(@Mandiant/@FireEye), b750df3d71553c0ed2f593b7 0 0
Obfuscated IEX Rule Set (GitHub)
oscd.community 499f7213094b8a22
Invocation
Invoke-
013f9f3361dd5e5e166cef936
Obfuscation Sigma Integrated
Timur Zinniatullin, oscd.community 40767e854c135731f7b10a6e 0 0
RUNDLL Rule Set (GitHub)
86a582e2a3da454
LAUNCHER
Invoke-
15e77f32f6ce577059ce2a023
Obfuscation Sigma Integrated
Timur Zinniatullin, oscd.community 014f97f6166500fe342a79064 0 0
RUNDLL Rule Set (GitHub)
2abbb2d7524dd1
LAUNCHER
Invoke-
36d028c2bbec04da64cd22e6
Obfuscation Sigma Integrated
Timur Zinniatullin, oscd.community d7ade29f0485073c4f2a3374 0 0
RUNDLL Rule Set (GitHub)
8b660bc41add11c5
LAUNCHER

.in
Invoke-
5092dd88f643768409b7b033
Obfuscation Sigma Integrated
Timur Zinniatullin, oscd.community 996ae9886f7916c352f876f58 0 0
RUNDLL Rule Set (GitHub)
742e741c818de58
LAUNCHER
Invoke-
Obfuscation
RUNDLL
Timur Zinniatullin, oscd.community
df
Sigma Integrated
Rule Set (GitHub)
513a8ffd6dffc7c0f80d198481
50c2e0de524c7115a18106ba
96a0d789b07e1e
0 0
LAUNCHER
ap
Invoke-
669e0fa4f936ba08d94a0d94
Obfuscation Sigma Integrated
Timur Zinniatullin, oscd.community b4ff0a17a257f5b85f14a70e6 0 0
RUNDLL Rule Set (GitHub)
08f1804ef1226ef
LAUNCHER
Invoke-
7943e73e12090a40bcc5a95e
st

Obfuscation Sigma Integrated


Timur Zinniatullin, oscd.community 498a4655704cd76a8f1cc15ac 0 0
RUNDLL Rule Set (GitHub)
fef595e7f85a442
LAUNCHER
Invoke-
b81cfe0479a3286d77237d82
In

Obfuscation Sigma Integrated


Timur Zinniatullin, oscd.community 97165880ec1fbe3652ad795c 0 0
RUNDLL Rule Set (GitHub)
eb1abaa1eccb8d0f
LAUNCHER
Invoke-
d304bf8af334b938ef27fc29d
Obfuscation Sigma Integrated
Timur Zinniatullin, oscd.community e6beeba9510de9abd801458 0 0
RUNDLL Rule Set (GitHub)
029e2aad0a96a430
LAUNCHER
Invoke-
f4b87782d8c00059afd020ee
Obfuscation Sigma Integrated
Timur Zinniatullin, oscd.community d2b619da907273f77ea5c3ba 0 0
RUNDLL Rule Set (GitHub)
678a81e4a369045e
LAUNCHER

Invoke- 21fb91a013d99fcb0a512f126
Sigma Integrated
Obfuscation Jonathan Cheong, oscd.community e1db671d61521863baf20148 0 0
Rule Set (GitHub)
STDIN+ Launcher 369276f4ce90a79

Invoke- 33f26be0d86ded162f5f9983f
Sigma Integrated
Obfuscation Jonathan Cheong, oscd.community 8ccec7e33739e7d61ce1550a 0 0
Rule Set (GitHub)
STDIN+ Launcher 476f8d6d9fb1585
Invoke- 3c63fdf3c3489825803565ebe
Sigma Integrated
Obfuscation Jonathan Cheong, oscd.community f9d7aa5574b069b7df909431 0 0
Rule Set (GitHub)
STDIN+ Launcher ca0cd9bbfff1014

Invoke- 5a405d8959e0dbe9e8c85da1
Sigma Integrated
Obfuscation Jonathan Cheong, oscd.community ee53bb94a514c82a1c85543b 0 0
Rule Set (GitHub)
STDIN+ Launcher cde6cdb5fa6c8d81

Invoke- 7c91efe9f8bcf7588b12461ab
Sigma Integrated
Obfuscation Jonathan Cheong, oscd.community fce94d9de990787f00ec01fdc 0 0
Rule Set (GitHub)
STDIN+ Launcher 0378b6d0ea5f7f

Invoke- 8bc4688c4e1827de8ac2769d
Sigma Integrated
Obfuscation Jonathan Cheong, oscd.community d693f5ee1d6a3dd731e0fa45 0 0
Rule Set (GitHub)
STDIN+ Launcher 9a1d47788bc3ab77

Invoke- a48b077866cf1527dd61081b
Sigma Integrated
Obfuscation Jonathan Cheong, oscd.community a5998bcaeba2f75f76f2b644f 0 0
Rule Set (GitHub)
STDIN+ Launcher 786592b048ccc42

.in
Invoke- e65f5089591863acc7d1b072
Sigma Integrated
Obfuscation Jonathan Cheong, oscd.community 4c258c83ed40c7f2ef5a4d11d 0 0
Rule Set (GitHub)
STDIN+ Launcher a364c316768c806

Invoke-
Obfuscation
STDIN+ Launcher
Jonathan Cheong, oscd.community
df
Sigma Integrated
Rule Set (GitHub)
f46e368df2720b7c679c6d8a7
af787029a555248b2a687d24
4934f424619531f
0 0
ap
Invoke- 37472617d726e65dc836731e
Sigma Integrated
Obfuscation Jonathan Cheong, oscd.community 68fa4b615e3453db5924b2ed 0 0
Rule Set (GitHub)
VAR+ Launcher 694f6d42f3fa2e7c
Invoke- 46f308942e8413fc74d14eb2
Sigma Integrated
Obfuscation Jonathan Cheong, oscd.community 8362c26efc33f463b1d70394 0 0
Rule Set (GitHub)
st

VAR+ Launcher 188e9cc50989434c


Invoke- 785b999a59eeb49c52b8de6d
Sigma Integrated
Obfuscation Jonathan Cheong, oscd.community b77180b2f32a1c32f55c5a661 0 0
Rule Set (GitHub)
VAR+ Launcher 24df629511ee71e
In

Invoke- 85c1b5321d15597e6d632e33
Sigma Integrated
Obfuscation Jonathan Cheong, oscd.community d628537f69719336ffcaf3486 0 0
Rule Set (GitHub)
VAR+ Launcher 716d44dc6a94690
Invoke- 9e447b626bcce83fc27a2087f
Sigma Integrated
Obfuscation Jonathan Cheong, oscd.community 918f28e255669c87d60b118f 0 0
Rule Set (GitHub)
VAR+ Launcher ea3f35a6276ace9
Invoke- 9fac765a1fc90df763e789705
Sigma Integrated
Obfuscation Jonathan Cheong, oscd.community 62f2ec88d72f5a1b755dc6922 0 0
Rule Set (GitHub)
VAR+ Launcher c9df6f6b3283a3
Invoke- cf80a5797b65d0aae908c9fb7
Sigma Integrated
Obfuscation Jonathan Cheong, oscd.community bdd2ffdf5cdbace0b8e61a023 0 0
Rule Set (GitHub)
VAR+ Launcher 20a61266fddbce
Invoke- d5a5398fc7d4724a6543cb1b
Sigma Integrated
Obfuscation Jonathan Cheong, oscd.community 92710954d8f52105738cb1bd 0 0
Rule Set (GitHub)
VAR+ Launcher 31d2db507b433082
Invoke- dbba719e722ed35e6290aec9
Sigma Integrated
Obfuscation Jonathan Cheong, oscd.community 3e2c9879ef0eb3966254ad9f 0 0
Rule Set (GitHub)
VAR+ Launcher 15c73b24f11ccf9e
Invoke- f0ed779291914bc6744829d7
Sigma Integrated
Obfuscation Jonathan Cheong, oscd.community 83902b1aa18afca33fcdce512 0 0
Rule Set (GitHub)
VAR+ Launcher a6e6dcec594b8fe
Invoke-
Obfuscation 23598265f485b73118223796
Sigma Integrated
VAR++ Timur Zinniatullin, oscd.community eab6ef3d4710b6c7855ae76f 0 0
Rule Set (GitHub)
LAUNCHER e8ef5e3156537361
OBFUSCATION
Invoke-
Obfuscation 3481fdd9c7d7aa343ba20022
Sigma Integrated
VAR++ Timur Zinniatullin, oscd.community ceec206525f19fda50c317ba5 0 0
Rule Set (GitHub)
LAUNCHER e59f6996102f4ce
OBFUSCATION
Invoke-
Obfuscation 43fda3b4b26f2d722e172affa
Sigma Integrated
VAR++ Timur Zinniatullin, oscd.community c6a534e640b6f690827cb80f2 0 0
Rule Set (GitHub)
LAUNCHER 7eae7bf1121924
OBFUSCATION
Invoke-
Obfuscation 56d1f6c5dcbbe1fd4ecdb8702

.in
Sigma Integrated
VAR++ Timur Zinniatullin, oscd.community 8f432b123ac0cf5fe37a336f0 0 0
Rule Set (GitHub)
LAUNCHER ed6c34521f370a
OBFUSCATION
Invoke-
Obfuscation
VAR++
LAUNCHER
Timur Zinniatullin, oscd.community
df
Sigma Integrated
Rule Set (GitHub)
9b7f8d96a709f458ef164dd0c
2b1c0bd21506b6a9292710e9
5e822b262716fc0
0 0

OBFUSCATION
ap
Invoke-
Obfuscation ac263989614ade79cd7024eb
Sigma Integrated
VAR++ Timur Zinniatullin, oscd.community 73729ba0d899416a4618b2b 0 0
Rule Set (GitHub)
LAUNCHER 37f9fe886b6ae1ea6
OBFUSCATION
st

Invoke-
Obfuscation b85a3806145ca2440f6e4328
Sigma Integrated
VAR++ Timur Zinniatullin, oscd.community faea04b4694be6c4dfad9550c 0 0
Rule Set (GitHub)
LAUNCHER a882b91babed162
In

OBFUSCATION
Invoke-
Obfuscation b95438303858dee4a1b7686
Sigma Integrated
VAR++ Timur Zinniatullin, oscd.community bca97ba3c32d14bde4bccb73 0 0
Rule Set (GitHub)
LAUNCHER cd0cce0decef9cb1c
OBFUSCATION
Invoke-
Obfuscation f80b47791783e7ca801863d0
Sigma Integrated
VAR++ Timur Zinniatullin, oscd.community 5a76bb83fb2ae70b2dc9d18a 0 0
Rule Set (GitHub)
LAUNCHER 13fd9db9172baf46
OBFUSCATION
Invoke-
Obfuscation ff49fb699dd54313f9d61a9bb
Sigma Integrated
VAR++ Timur Zinniatullin, oscd.community a7e0c0021f31cf6bbad674527 0 0
Rule Set (GitHub)
LAUNCHER 54dffe5f1a87f2
OBFUSCATION
Invoke- 171e9c19da7073d50de0611f
Sigma Integrated
Obfuscation Via Nikita Nazarov, oscd.community 10f7fe49f18e33f0eb2271f14 0 0
Rule Set (GitHub)
Stdin 51e3122dd70da39
Invoke- 4c4b43817f5f5dcaf3aadb0e5
Sigma Integrated
Obfuscation Via Nikita Nazarov, oscd.community 08301e535f4809ca042fa2cec 0 0
Rule Set (GitHub)
Stdin 1ae56068e38683
Invoke- 5a9474f49eedd6f514e9f05bd
Sigma Integrated
Obfuscation Via Nikita Nazarov, oscd.community 95d3fde3747f03da5803a359 0 0
Rule Set (GitHub)
Stdin 962b76fe04d3dc0
Invoke- b3a5bd1f34b26d6c54d45604
Sigma Integrated
Obfuscation Via Nikita Nazarov, oscd.community acabcec5814c2c266d0ab054 0 0
Rule Set (GitHub)
Stdin 7c722d22583b78e8
Invoke- bba8cd2d0e60c82277d0117e
Sigma Integrated
Obfuscation Via Nikita Nazarov, oscd.community 4841b13ee087cacccbf6b9bd 0 0
Rule Set (GitHub)
Stdin d7d3c83f0375582a
Invoke- ca82d3c569666b788bdb9b70
Sigma Integrated
Obfuscation Via Nikita Nazarov, oscd.community 4468045f733d45dac72cb22f 0 0
Rule Set (GitHub)
Stdin 0dc35242d6dd30ce
Invoke- d9663bea4419d4e77af5748a
Sigma Integrated
Obfuscation Via Nikita Nazarov, oscd.community dd1d59d90a3c136f0100ad05 0 0
Rule Set (GitHub)
Stdin f55199c8b38636f0
Invoke- e6338468914bbd534177587
Sigma Integrated
Obfuscation Via Nikita Nazarov, oscd.community d16fde9881596bc9d1ac95c3 0 0

.in
Rule Set (GitHub)
Stdin a142e76a6d587e32c
Invoke- ea2300c5e8a8dfac7a21e289
Sigma Integrated
Obfuscation Via Nikita Nazarov, oscd.community 614c34963c361bffda74ba0d 0 0
Rule Set (GitHub)
Stdin dba16af4c009a74c
Invoke-
Obfuscation Via
Use Clip
Nikita Nazarov, oscd.community
df
Sigma Integrated
Rule Set (GitHub)
0d70c217e51ad45cc6411546
634b710d8a2bd8d7fe04cea1
55aa5a5274d4b8c1
0 0

Invoke- 52417f5a914da422b1f4a12e
Sigma Integrated
ap
Obfuscation Via Nikita Nazarov, oscd.community ae2a1fd94408538cc4aa1373f 0 0
Rule Set (GitHub)
Use Clip 9a527d748628701
Invoke- 62ac6078947c91fe388df8ac3
Sigma Integrated
Obfuscation Via Nikita Nazarov, oscd.community 354f7d5cab59710aa0d05714 0 0
Rule Set (GitHub)
Use Clip 8b72b409203a565
st

Invoke- 76af6c7b5bbcbcbccfb2ea260
Sigma Integrated
Obfuscation Via Nikita Nazarov, oscd.community 489d66ab26fb91c612afce2ee 0 0
Rule Set (GitHub)
Use Clip a8b5538bb36c35
Invoke- ce17aada5a7768055bbf5a41
Sigma Integrated
In

Obfuscation Via Nikita Nazarov, oscd.community 6696626ce2063fc2947da124 0 0


Rule Set (GitHub)
Use Clip 934a97f0ff076ba6
Invoke- f7ed971f190a397799a0730d
Sigma Integrated
Obfuscation Via Nikita Nazarov, oscd.community 5ae3ae4a8795ea76e4255476 0 0
Rule Set (GitHub)
Use Clip 8900a03c1bbf7ad2
Invoke- f8caa5c28a6fabe724cbb68e6
Sigma Integrated
Obfuscation Via Nikita Nazarov, oscd.community a4175a973edeb9f4a0caf001c 0 0
Rule Set (GitHub)
Use Clip d768f207c2da3c
Invoke- ff8bf7ea172d6967d31c7cd38
Sigma Integrated
Obfuscation Via Nikita Nazarov, oscd.community 33e156278c00c013da4bed9d 0 0
Rule Set (GitHub)
Use Clip 4b45159acd507cb
Invoke- 0930a93e61dc6ca5c708a09f
Sigma Integrated
Obfuscation Via Nikita Nazarov, oscd.community 8f1a8c0dc24b8d942a8e8900 0 0
Rule Set (GitHub)
Use MSHTA 144c6dee8703e343
Invoke- 0e5566fb9e5f855f277b707f5
Sigma Integrated
Obfuscation Via Nikita Nazarov, oscd.community 2ff16085f2976cb6768b08e31 0 0
Rule Set (GitHub)
Use MSHTA 51b738f7cc6992
Invoke- 2f4d7a7bc3e29eaeac5423c4
Sigma Integrated
Obfuscation Via Nikita Nazarov, oscd.community d276d9a90586e6c3d4277f4d 0 0
Rule Set (GitHub)
Use MSHTA 264c9d8aa54f6ec3
Invoke- 437698a3ddc141ac75cb0615
Sigma Integrated
Obfuscation Via Nikita Nazarov, oscd.community 90808bbcb7de0b4fb7ebaf60 0 0
Rule Set (GitHub)
Use MSHTA 345f0549f4cc9816
Invoke- 43cbdd33506d9ffaa0d9a81b
Sigma Integrated
Obfuscation Via Nikita Nazarov, oscd.community 702937c5941031eccf02bfa20 0 0
Rule Set (GitHub)
Use MSHTA 564b42417d9ff47
Invoke- 9e9633eb15bfbbe3ed0b8c01
Sigma Integrated
Obfuscation Via Nikita Nazarov, oscd.community 989e6bb38f91bdcfe4de5867 0 0
Rule Set (GitHub)
Use MSHTA c801ab39f781cce6
Invoke- a5d8322f8fd4a171b92a497ef
Sigma Integrated
Obfuscation Via Nikita Nazarov, oscd.community db17590b3b6b58818835a03 0 0
Rule Set (GitHub)
Use MSHTA 4997d21e4270b693
Invoke- aa4d39be626c3fd4a68412b1
Sigma Integrated
Obfuscation Via Nikita Nazarov, oscd.community a7760b0957c0c5b86f79eb89 0 0
Rule Set (GitHub)
Use MSHTA 3d14f58e7fce6c6d
Invoke- d851e8933dce5155d4504668
Sigma Integrated
Obfuscation Via Nikita Nazarov, oscd.community c3fad20bca16e503e478165a 0 0

.in
Rule Set (GitHub)
Use MSHTA ad802dc4e5634563
Invoke- fa1bd4dbff85b70daad8ab600
Sigma Integrated
Obfuscation Via Nikita Nazarov, oscd.community a4cfee9488c2ff0188d3cea00 0 0
Rule Set (GitHub)
Use MSHTA e84d7b073405ea
Invoke-
Obfuscation Via
Use Rundll32
Nikita Nazarov, oscd.community
df
Sigma Integrated
Rule Set (GitHub)
2f55b73ec314c7381dc97aba
eb5ef1469713fc1c552265bc1
225b96c6ad6cc83
0 0

Invoke- 4131754f7c0e71d23eac2114f
Sigma Integrated
ap
Obfuscation Via Nikita Nazarov, oscd.community 63c2445f3ea1e8f38df8a7656 0 0
Rule Set (GitHub)
Use Rundll32 3917e98baf7123
Invoke- 7d11bdaa4f671e75a6cf0ddb
Sigma Integrated
Obfuscation Via Nikita Nazarov, oscd.community 788f3ea6ff550f3371c61cb0a 0 0
Rule Set (GitHub)
Use Rundll32 29f802ef5ac61d0
st

Invoke- 93a7143b3c3623e84f71a4ba
Sigma Integrated
Obfuscation Via Nikita Nazarov, oscd.community 7087c95eadd288a96cc5205d 0 0
Rule Set (GitHub)
Use Rundll32 70645fb23d9fd956
Invoke- a7908e5cb15379fd8bcf3a968
Sigma Integrated
In

Obfuscation Via Nikita Nazarov, oscd.community 9d34ff1a5a72ab4c6ca6d6c65 0 0


Rule Set (GitHub)
Use Rundll32 e24d53ffbb2c13
Invoke- c7fc78f9f9afd5b257d906bdd
Sigma Integrated
Obfuscation Via Nikita Nazarov, oscd.community d5224d85c22d33c73eb36c94 0 0
Rule Set (GitHub)
Use Rundll32 c9ee19f427defb0
Invoke- dc490d5d39ceac22ac7a1842
Sigma Integrated
Obfuscation Via Nikita Nazarov, oscd.community 63ef179d60d4acaa65976183 0 0
Rule Set (GitHub)
Use Rundll32 ddf786bd75366d9f
Invoke- f78da06c94256bbc6f7356a38
Sigma Integrated
Obfuscation Via Nikita Nazarov, oscd.community 83982528e6282d615f1a6c25 0 0
Rule Set (GitHub)
Use Rundll32 c43ddaad4687c18
Invoke- fc25895e0aab53d526b1f268
Sigma Integrated
Obfuscation Via Nikita Nazarov, oscd.community 874e1f81955fb22d2d310fc8a 0 0
Rule Set (GitHub)
Use Rundll32 14e2f4cc28a52b4
Invoke- fe3560ed4bbd6192e8416571
Sigma Integrated
Obfuscation Via Nikita Nazarov, oscd.community fbbe1e5fe61a8b92201d44f81 0 0
Rule Set (GitHub)
Use Rundll32 8823f75e7f8578e
67e1bb7efdc9f72507d792fff
JNDIExploit Sigma Integrated
Florian Roth d9669f000bac02c81b6c5880 0 0
Pattern Rule Set (GitHub)
693f3e473360550

JSOutProx RAT SOC Prime Threat 02be37dad81df3baa83c02c7


(Sysmon Ariel Millahuel Detection 95e51416bda450b6272fe958 0 0
detection) Marketplace 5a50171a69535256
Jacksbot
(Registry event SOC Prime Threat de380d617af0b2dd78f410efa
and Ariel Millahuel Detection 4fc36f895a556759177b34f04 0 0
CommandLine Marketplace dad90698a9b833
parameters)
Jacksbot
(Registry event SOC Prime Threat eed56e9a26e865b9accdc5a4
and Ariel Millahuel Detection ef7e681ca4b83deb2c6f21a65 0 0
CommandLine Marketplace d28cac9e28547f1
parameters)
b86f637637bb79d44a1590bf
Java Class Proxy Sigma Integrated
Andreas Hunkeler (@Karneades) 2bb4feadebbd6c2757ea9c00 0 0
Download Rule Set (GitHub)
16f1a9595504b17d

.in
JexBoss a3bdc4cfa6129ab202d0c31fd
Sigma Integrated
Command Florian Roth 0a1b62c238614b1ef2d06391 0 0
Rule Set (GitHub)
Sequence 3d6414edf0845b7

Judgement df d891d43fe1fffa5c84fc567a5e
Sigma Integrated
Panda Credential Access Activity | Florian Roth | Sigma Integrated Rule Set (GitHub) | aff4bcf0c35cfcfdaeda3284ed6d5becfcfe90 [row starts on previous page; leading ID fragment not on this page] | 0 | 0
Judgement Panda Exfil Activity | Florian Roth | Sigma Integrated Rule Set (GitHub) | 79e0e41a4f427cdb7337c02f6d2bf2f18272a145bf619561b749dc623133dc88 | 0 | 0
KONNI Malware behavior (APT37) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 7f8871e9eb7dd4fee1e3a813c111693a960996e217fa6df263e3f2c45aa76a90 | 0 | 0
KONNI Malware behavior (APT37) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | dac73d2c69f90d09101600bec5114075b4bfc85ce4fd276570acd4b4b4002ac3 | 0 | 0
Ke3chang Registry Key Modifications | Markus Neis, Swisscom | Sigma Integrated Rule Set (GitHub) | 189d7c7c265aa63d59bd8d89a83cf406231c66f42999d77ba7e92640c28bc2e1 | 0 | 0
Kerberos Manipulation | Florian Roth | Sigma Integrated Rule Set (GitHub) | 231c4645e3a84818601e73156d0ec49d61870632b546fe129f75f9795fa95b1a | 0 | 0
Kerberos Network Traffic RC4 Ticket Encryption | sigma | Sigma Integrated Rule Set (GitHub) | 78b71e2b045b325f1db537748abc852151228024bbcd946684eb402afddd7b1a | 0 | 0
Koadic post exploitation rootkit | Joe Security | Joe Security Rule Set (GitHub) | 6cfb40f83f69b8f6221133239461ee688e15ec2c65581eb5b5674a17e24831a1 | 0 | 0
Kwapirs Trojan Detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 5c5eb2e19924ab6d6c54d36e0730e90e8dfea2ee983a708a1ecf6a596cd7bd9c | 0 | 0
Kwapirs Trojan Detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 96ca7fcb576c97b0d5789bb1536ba5039c9decf46b748ed501cc0945e90fb25e | 0 | 0
LDAP Reconnaissance / Active Directory Enumeration | Adeem Mawani | Sigma Integrated Rule Set (GitHub) | afe088ee5f69ba6fb59e2c89d995b9a77ed2636f341d9222a077422e7ccb35d8 | 0 | 0
LNK File Download or Usage over HTTP | SOC Prime Team | SOC Prime Threat Detection Marketplace | ffd8e0662e18d53ff9cd24c140aa76098f09521d84cc29f2f00a17fa50a43e37 | 0 | 0
LNK File Download or Usage over SMB (Overview Query) | SOC Prime Team | SOC Prime Threat Detection Marketplace | a4d2269d88c903801fac5733945f9e7aa870b2b167f014df865f794d517e8907 | 0 | 0
LOLBAS Data Exfiltration by DataSvcUtil.exe | Ialle Teixeira @teixeira0xfffff, Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 4ca63f832211aa3558085e05e1123658cee6f4d5daa8c91fc9deeb13b8ab7b5a | 0 | 0
LPE InstallerFileTakeOver PoC CVE-2021-41379 | Florian Roth | Sigma Integrated Rule Set (GitHub) | 5aac8fe297cc2a7fde7dd8b7e3bc82990cbcba14f3acb11dfcd8306587c8b02d | 0 | 0
LSASS Access Detected via Attack Surface Reduction | Markus Neis | Sigma Integrated Rule Set (GitHub) | 563af56cc44b5473ca2297f9917233ed8264136d5730aed0bf08f98e4294e060 | 0 | 0
LSASS Access from Non System Account | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | c6493cb4442f7c6d607b594653ad5f32371b52193211d685ce4fa631017ee7cf | 0 | 0
LSASS Access from Program in Suspicious Folder | Florian Roth | Sigma Integrated Rule Set (GitHub) | df0d05c25b308b1067253d6665734b787aee2e0d8b177c08f0fad5c83a9b598c | 0 | 0
LSASS Memory Dump | Samir Bousseaden | Sigma Integrated Rule Set (GitHub) | 63d1c446465d6c6205e2452b5fca8715042ebcc9bfa04624288ce34d07cfa028 | 0 | 0
Lateral Movement Indicator ConDrv | Janantha Marasinghe | Sigma Integrated Rule Set (GitHub) | c978aa658df36ee024186bee37eb8f5b1974ccfe8ded97a973bfe4dc6e197008 | 0 | 0
Lazarus Activity | Florian Roth | Sigma Integrated Rule Set (GitHub) | 5239809b3d434a5fd86760148a6ba71288898a2f7c5d6c4370e4afdf12c7283c | 0 | 0
Leviathan Registry Key Activity | Aidan Bracher | Sigma Integrated Rule Set (GitHub) | 8d55489934039427d1fae624f0b85085985ab01440f56559b26c68f7a6a1deb4 | 0 | 0
Linux Capabilities Discovery | Pawel Mazur | Sigma Integrated Rule Set (GitHub) | 15f5291aefe8242b4be1908368af4c1c020bff933d962fa5c3d2690592a1d9db | 0 | 0
Linux Crypto Mining Indicators | Florian Roth | Sigma Integrated Rule Set (GitHub) | a54f90d76f6357c3494a27966d9ddc15850d9dd07fd3848ac2a031ac149bec1a | 0 | 0
Linux Crypto Mining Pool Connections | Florian Roth | Sigma Integrated Rule Set (GitHub) | 94ce005adcd09f3ebc9f1adf5dfb87bc39cf45a1c8e1176675682711a53d88f5 | 0 | 0
Linux Network Service Scanning | Alejandro Ortuno, oscd.community | Sigma Integrated Rule Set (GitHub) | 577e8f6fda6da02c80afa50ddf199a9e2817ae570e37dff3c743910d6e4dd273 | 0 | 0
Linux Network Service Scanning | Alejandro Ortuno, oscd.community | Sigma Integrated Rule Set (GitHub) | 676feba35f86e9e41213bf2cd1daab4e4ad9143714e10f335981beeb7ba5d4a5 | 0 | 0
Linux Network Service Scanning | Alejandro Ortuno, oscd.community | Sigma Integrated Rule Set (GitHub) | 7f6a694ee18581a5a2bb34e78f7cb079d0e12a465aa6639e291e138f6f308d27 | 0 | 0
Linux Network Service Scanning | Alejandro Ortuno, oscd.community | Sigma Integrated Rule Set (GitHub) | 96c79bd2f46a79e85a3f40f6206e96a7cc2f097ac4d2dd574d735dccec840832 | 0 | 0
Linux Network Service Scanning | Alejandro Ortuno, oscd.community | Sigma Integrated Rule Set (GitHub) | e34284bbb0ad4c302ba9dd1fde4f2de41f24db62c0b7bbd57804d77d81b02119 | 0 | 0
Linux Remote System Discovery | Alejandro Ortuno, oscd.community | Sigma Integrated Rule Set (GitHub) | b76b38e7cf87e1b2f37b568047e66cfd972f62fbfdebc15ecff4adb21293b524 | 0 | 0
Linux Reverse Shell Indicator | Florian Roth | Sigma Integrated Rule Set (GitHub) | 9627ed9b9dde6f0e9ce83624eb258b8c304ba56da7d651985c1e06a0ed0b4975 | 0 | 0
Linux Webshell Indicators | Florian Roth | Sigma Integrated Rule Set (GitHub) | f1ddd314aee4681dd4bc1821da4b796ecf94c8b1576209bb191b5a8dbdcdb26a | 0 | 0
Liphyra Botnet | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 4596c900255dd64bed15c00f02fd2c020992da25e6600d3536b6b12b8992d409 | 0 | 0
Liphyra Botnet | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 98cabebe7a41e8259d15db20be2beb491b39babbd9a772c20ccf447f7a5c5490 | 0 | 0
LittleCorporal Generated Maldoc Injection | Christian Burkard | Sigma Integrated Rule Set (GitHub) | f10b695dfd304615f49826a39fd11fb539271f8272a9a80be8f070a758f8f025 | 0 | 0
Live Memory Dump Using Powershell | Max Altgelt | Sigma Integrated Rule Set (GitHub) | 843f3a30bd6700683442b21bbfb20c59afbc32cc978b84e9b713a85d39d8cc90 | 0 | 0
Load Undocumented Autoelevated COM Interface | oscd.community, Dmitry Uchakin | Sigma Integrated Rule Set (GitHub) | 87990351a4e0cbfe8406a67a021f9d9da456c915388fde098e654a87ba123617 | 0 | 0
Load of dbghelp/dbgcore DLL from Suspicious Process | Perez Diego (@darkquassar), oscd.community, Ecco | Sigma Integrated Rule Set (GitHub) | 31e54e59e39fda87af874302c79fe8910fcd407edfed11f536cb042394e49c09 | 0 | 0
Loading of Kernel Module via Insmod | Pawel Mazur | Sigma Integrated Rule Set (GitHub) | e690fd8425bfb6339396e2e0b658a06d8dad95357a25603d9ed007d8acae6e6b | 0 | 0
Local Groups Discovery | Ömer Günal, Alejandro Ortuno, oscd.community | Sigma Integrated Rule Set (GitHub) | 0b93262008400f8b22d04eac398727ff17377f8b7f399741a879ed674b5940f3 | 0 | 0
Local Groups Discovery | Ömer Günal, Alejandro Ortuno, oscd.community | Sigma Integrated Rule Set (GitHub) | 96830978814aeec9f41351cd26d413ad426a28c3bf7d6f3630ee7e9a578659b9 | 0 | 0
Local System Accounts Discovery | Alejandro Ortuno, oscd.community | Sigma Integrated Rule Set (GitHub) | db147f594af74bbd5641cf034cfa4ce699110ac6712abb1062141aefe2d13704 | 0 | 0
Local System Accounts Discovery | Alejandro Ortuno, oscd.community | Sigma Integrated Rule Set (GitHub) | e73eb94c02ee03d3d629b3d54b02d2cf6c9b1dab8a7831ba27d8da0c88755c94 | 0 | 0
Locked Workstation | Alexandr Yampolskyi, SOC Prime | Sigma Integrated Rule Set (GitHub) | b1f5ca9566ca9b549b32bfe57eee2e7ec1ae42a47aeba5cdf24c69c64e35dd5f | 0 | 0
Loda RAT detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 53e145805bb5e6301f081883d8d97fc2ebfa40287aec49d411fbba030d1fa39c | 0 | 0
Log4j RCE CVE-2021-44228 Generic | Florian Roth | Sigma Integrated Rule Set (GitHub) | 8c495666d5450c3e2e0bb34d2cf7eef172c34ec61b80fb24f7ee56955d98c3cd | 0 | 0
Log4j RCE CVE-2021-44228 in Fields | Florian Roth | Sigma Integrated Rule Set (GitHub) | a089911dd0c5c3ead7a5b984c73e7ff29d2a74b294849fe17ffc932bf33784e9 | 0 | 0
Logging Configuration Changes on Linux Host | Mikhail Larin, oscd.community | Sigma Integrated Rule Set (GitHub) | 445f9624d922b1b8b49be62aa6ab367c68746e2b43bdbb4e2e6c630e88e18678 | 0 | 0
Login to Disabled Account | AlertIQ | Sigma Integrated Rule Set (GitHub) | 1514d5d526c9b5a1a6c5e315c592705ba8e80d9698d2928aed28182666d2a2e3 | 0 | 0
Login with WMI | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 19ef4372b7c2775276ff1cd9b0da8737a7f6e8739d252d7f90e3f3ba296d1c78 | 0 | 0
Logon Scripts (UserInitMprLogonScript) | Tom Ueltschi (@c_APT_ure) | Sigma Integrated Rule Set (GitHub) | 4e10510e7f7c48be7d293bdd42d3c63dbb1c4ef878bb17ff20069102a6a1a6b1 | 0 | 0
Logon from a Risky IP Address | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 96e45b283c76172a1e89d9798c6e7952bf70ba4017864f8b0941dbffd56f7055 | 0 | 0
LokiBot Trojan behavior (Sysmon). | Alexandr Yampolskyi, SOC Prime | SOC Prime Threat Detection Marketplace | 25b0a9aa21e02bf2b942c3a842e1cee818237b7da5e121b08157b081a775e7dd | 0 | 0
Lolbins Process Creation with WmiPrvse | Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule) | Sigma Integrated Rule Set (GitHub) | eb1dbd652c505f66652af5683ecfecaacb1483523b07254e9d1eaee151af6ec9 | 0 | 0
Lsass Memory Dump via Comsvcs DLL | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 3c0e931ed838b9556e57c7385ca8aa0e20d9e4a2256e761c1f13540f3df2f513 | 0 | 0
Lucifer Botnet Detection (Mimikatz Abuse) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | b78dfe3c36a3641e35470c0d66caaab300392d55f5c4664b7541ee0d13af1e9f | 0 | 0
MITRE BZAR Indicators for Execution | @neu5ron, SOC Prime | Sigma Integrated Rule Set (GitHub) | 92c43f07a2d15dc0d84c316204afa24eb03535cb3460b7183fae873f9f93601e | 0 | 0
MITRE BZAR Indicators for Persistence | @neu5ron, SOC Prime | Sigma Integrated Rule Set (GitHub) | 41587ecc9bb28242c77b042aa99238dbce0be3451506ce1deaa512acac0d4481 | 0 | 0
MSBuild Launched By Scr | Joe Security | Joe Security Rule Set (GitHub) | 8ad7367c9de9a165016d9a8b662d34004cffb1cf0000aa760ebe1742b6a83175 | 0 | 0
MSExchange Transport Agent Installation | Tobias Michalski | Sigma Integrated Rule Set (GitHub) | 711b03ff1593b84b2c430081585f67ac7553da05293568f43b5d49201ac3715f | 0 | 0
MSExchange Transport Agent Installation | Tobias Michalski | Sigma Integrated Rule Set (GitHub) | 7c1f925effd9c12efb8a40826e8b85d7d92e1819d550b48add5d3bd5ee8421e2 | 0 | 0
MSExchange Transport Agent Installation | Tobias Michalski | Sigma Integrated Rule Set (GitHub) | 9aa90df87bd198fdfd7ce530f731f1242cebb92ae8329996250469bfd299dfd7 | 0 | 0
MSExchange Transport Agent Installation | Tobias Michalski | Sigma Integrated Rule Set (GitHub) | e771c0dcabbf8a0f6d4bb616409030d867092a5b633c5f87b668c761e0a73c23 | 0 | 0
MSI Spawned Cmd and Powershell Spawned Processes | Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community | Sigma Integrated Rule Set (GitHub) | c7a8b63e31de07a842a530c5020291d2370e859b36aea25420f0d9744a271f6f | 0 | 0
MSTSC Shadowing | Florian Roth | Sigma Integrated Rule Set (GitHub) | 545e2b755dc7bda66c90dfd73d0da8d2692a4c7181d99d429ad2c0253be12ef7 | 0 | 0
MacOS Emond Launch Daemon | Alejandro Ortuno, oscd.community | Sigma Integrated Rule Set (GitHub) | 839422d12551f797abb514fc052bfc852f3811d1b983090ecd6b6cf2f22d8ed9 | 0 | 0
MacOS Network Service Scanning | Alejandro Ortuno, oscd.community | Sigma Integrated Rule Set (GitHub) | 4fff924a8370247252e1b93169b91f3d7ed7d41b98603cfd2b8ce78153c97dd3 | 0 | 0
MacOS Scripting Interpreter AppleScript | Alejandro Ortuno, oscd.community | Sigma Integrated Rule Set (GitHub) | 6ecd0ccd55a70b96ebb8ad35b9fc18b56f99fdae0b1c2d235ba3300b9457b516 | 0 | 0
Macos Remote System Discovery | Alejandro Ortuno, oscd.community | Sigma Integrated Rule Set (GitHub) | f3cd8ef31c8b21a65b954ec79c8cab26887cd18d064a995d666dee41e8acec49 | 0 | 0
Mailbox Export to Exchange Webserver | Florian Roth, Rich Warren, Christian Burkard | Sigma Integrated Rule Set (GitHub) | 993b4f45701b3ec9d79ce389b7e4b9ba421865eff166ec27145d75741b2609eb | 0 | 0
Malicious Named Pipe | Florian Roth, blueteam0ps, elhoim | Sigma Integrated Rule Set (GitHub) | 18beefa1a0a5830d767ea9fe1831ce5fc0abbffeccd3c5932ea06333ab16d451 | 0 | 0
Malicious Service Installations | Florian Roth, Daniil Yugoslavskiy, oscd.community (update) | Sigma Integrated Rule Set (GitHub) | 6476024015d6f67313581ba841b49d2aa8a5bd55b43397bb49521162a7688649 | 0 | 0
Malicious Service Installations | Florian Roth, Daniil Yugoslavskiy, oscd.community (update) | Sigma Integrated Rule Set (GitHub) | 9f944a38f9e33b70e2b645ce13a2ea1152481f589928dd164e9a2ca5ca452880 | 0 | 0
Malicious Service Installations | Florian Roth, Daniil Yugoslavskiy, oscd.community (update) | Sigma Integrated Rule Set (GitHub) | ed399c29991d5d0998f08a5930c2fb1aadbd51855a51b2b30d76a6bf630eabd9 | 0 | 0
Malicious ShellIntel PowerShell Commandlets | Max Altgelt, Tobias Michalski | Sigma Integrated Rule Set (GitHub) | fd4e3cdd5f9ec511509a9b456f37f38c1e40597b044a8b780d338b09445fcf05 | 0 | 0
Malicious behaviour on user login (Microsoft Windows - c0d0s0 group behavior) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | fa6ee0e8f8cead534cdfd17b666caa7f1d01a684b482e45fc1dcc98c3a17c190 | 0 | 0
Malicious payloads that are hidden in fake Windows error logs | Ariel Millahuel | SOC Prime Threat Detection Marketplace | ca17d229059d9b7592cdb79afc25ca5111f033e6033346e481fcc97443e1cca9 | 0 | 0
Malicious utilization of mofcomp.exe via CMD | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 8b1787853632b3c011481b5856d0f67e76dcd5ca18b18c17758687641e424c52 | 0 | 0
Malware Shellcode in Verclsid Target Process | John Lambert (tech), Florian Roth (rule) | Sigma Integrated Rule Set (GitHub) | ffb6e23f9b9b02d3336ba381f296b796adbc31e0297afd8257cec5c40e66bd8b | 0 | 0
Malware User Agent | Florian Roth | Sigma Integrated Rule Set (GitHub) | a352975e140ee0d8fd67c6be0d75ce52c7e74a2fc79700790bdaa343d062c5c4 | 0 | 0
Manipulation of User Computer or Group Security Principals Across AD | frack113 | Sigma Integrated Rule Set (GitHub) | 080f39fb13644d7055303fabf2a4ace323c7ca1c92ffe33c37a94ed397cecedd | 0 | 0
Masquerading as Linux Crond Process | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | 9a46c620e21e78da1889a3e8f6dbe4070319becd3a7ef3bdc1d9b11595613ef8 | 0 | 0
MavInject Process Injection | Florian Roth | Sigma Integrated Rule Set (GitHub) | f7232cef6ad5bca28b27340de367589ba9ef580c1abb6dd69d8f2005a6473a4d | 0 | 0
Metamorfo malware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | d73a269ba693e8e5fa275faa3169b39f3228c9708fae0c818a2e076be89ebac8 | 0 | 0
Metasploit Or Impacket Service Installation Via SMB PsExec | Bartlomiej Czyz, Relativity | Sigma Integrated Rule Set (GitHub) | 5a244f13e4984c1b2b7a499cb46ddf8b68c1ba5230d646cec6c578e0fc490e30 | 0 | 0
Metasploit Or Impacket Service Installation Via SMB PsExec | Bartlomiej Czyz, Relativity | Sigma Integrated Rule Set (GitHub) | ae51d2d67f9cc0555bac0f8f07cd0f21e85bf7996326a2ea736bf9240afc5c73 | 0 | 0
Metasploit Or Impacket Service Installation Via SMB PsExec | Bartlomiej Czyz, Relativity | Sigma Integrated Rule Set (GitHub) | c27cff6b98bff3ffc6f117f1ee7a6d6969aafd5a49ec2acfc599aeac2d16d3aa | 0 | 0
Metasploit Or Impacket Service Installation Via SMB PsExec | Bartlomiej Czyz, Relativity | Sigma Integrated Rule Set (GitHub) | fb37de09ff35e1a563c8446c188e8763186905bd6f1231f36c4344b06b1c1e49 | 0 | 0
Metasploit SMB Authentication | Chakib Gzenayi (@Chak092), Hosni Mribah | Sigma Integrated Rule Set (GitHub) | 22b00ff2151af3d4d5470dded7d187d4f3021d163003a5608c0f6ce4c476db3f | 0 | 0
Meterpreter or Cobalt Strike Getsystem Service Installation | Teymur Kheirkhabarov, Ecco, Florian Roth | Sigma Integrated Rule Set (GitHub) | 192e53b4eb1008e71a9b6e69068e10ea48a5dcaf61b1fc5d176c068bac8e1c8e | 0 | 0
Meterpreter or Cobalt Strike Getsystem Service Installation | Teymur Kheirkhabarov, Ecco, Florian Roth | Sigma Integrated Rule Set (GitHub) | 40660e5f6c68cd541236f69c088146a482a8ebd809f57b774378aa0152dca75f | 0 | 0
Meterpreter or Cobalt Strike Getsystem Service Installation | Teymur Kheirkhabarov, Ecco, Florian Roth | Sigma Integrated Rule Set (GitHub) | 40956f4e065cdfa5d7b282c6490d46c2ec2965fea47b1d597b61302386d09236 | 0 | 0
Meterpreter or Cobalt Strike Getsystem Service Installation | Teymur Kheirkhabarov, Ecco, Florian Roth | Sigma Integrated Rule Set (GitHub) | 817e49977822d01e34c3e5dd05aba6ee11f45ab3c722bc7b2a2bb085226e41cc | 0 | 0
Meterpreter or Cobalt Strike Getsystem Service Installation | Teymur Kheirkhabarov, Ecco, Florian Roth | Sigma Integrated Rule Set (GitHub) | 9b174921e3b6661c344cd2c30a575a282bf403e050644ebc88bac4c93c5f47bd | 0 | 0
Meterpreter or Cobalt Strike Getsystem Service Installation | Teymur Kheirkhabarov, Ecco, Florian Roth | Sigma Integrated Rule Set (GitHub) | bc197a778a20b521388a98e562298e644a301273af9279e8993a0b44cc59c8c8 | 0 | 0
Meterpreter or Cobalt Strike Getsystem Service Installation | Teymur Kheirkhabarov, Ecco, Florian Roth | Sigma Integrated Rule Set (GitHub) | ec12972980ba51f81e74946a518425d59ff6b1a2e43fa17be336b5e67b155fa7 | 0 | 0
Microsoft 365 - Impossible Travel Activity | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | d3a30f1e296d56fea04ef46810f3df154d12cf590c5dc97084de9af8009056ab | 0 | 0
Microsoft 365 - Potential Ransomware Activity | austinsonger | Sigma Integrated Rule Set (GitHub) | 02ad8f012c03cc13afc7b6cd67d789e91979b43473e7203b074dd4d9f0b7a889 | 0 | 0
Microsoft 365 - Unusual Volume of File Deletion | austinsonger | Sigma Integrated Rule Set (GitHub) | be9779fe3da9967876ef067833b541b5c0d33a033ab69daea3ab20181ea1e000 | 0 | 0
Microsoft 365 - User Restricted from Sending Email | austinsonger | Sigma Integrated Rule Set (GitHub) | 37b5a17283cb3c4128108fd34d6a17996547cba22f82cb66467c0ef87a0455a7 | 0 | 0
Microsoft Binary Github Communication | Michael Haag (idea), Florian Roth (rule) | Sigma Integrated Rule Set (GitHub) | dd661868928412c287335c1703782413d4880320931356edf3f1e713563d99e2 | 0 | 0
Microsoft Binary Suspicious Communication Endpoint | Florian Roth | Sigma Integrated Rule Set (GitHub) | d01338d0a87197c0e5132ec7b920332c01f5c9e8218c727591d81888d10a9754 | 0 | 0
Microsoft Defender Tamper Protection Trigger | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 1870d785edc3b42af09c0eb73a2aa3683103c07aea155f77f90275e694cb6a79 | 0 | 0
Microsoft Malware Protection Engine Crash | Florian Roth | Sigma Integrated Rule Set (GitHub) | d9bfe783bdd11d38a6493085cbd1c673a360226722228507fb920ef71b62895d | 0 | 0
Microsoft Teams update.exe suspicious command arguments | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 1b4855885781ab5b82eba4b8b314d00176f5ac0f29ba84391f11660a70ecd421 | 0 | 0
Mimikatz DC Sync | Benjamin Delpy, Florian Roth, Scott Dermott | Sigma Integrated Rule Set (GitHub) | ec2307a906e3ea53e96b7874574d7a2e89921b6e7f541a663a6626661dcdc850 | 0 | 0
Mimikatz Detection LSASS Access | Sherif Eldeeb | Sigma Integrated Rule Set (GitHub) | ff1315c395da2bdbd410add740bc4f48077e8e1d846f3e2531758ed506a43645 | 0 | 0
Mimikatz In-Memory | sigma | Sigma Integrated Rule Set (GitHub) | dadac8ee034d1cee2ef5b7d9a388d1421c731a53717834507c67ffe1b14b5104 | 0 | 0
Mimikatz MemSSP Default Log File Creation | David ANDRE | Sigma Integrated Rule Set (GitHub) | 1bf84826e67862a2c36769a8990e8a19bc79218d45bd297eac23f736bebb40c4 | 0 | 0
Mimikatz through Windows Remote Management | Patryk Prauze - ING Tech | Sigma Integrated Rule Set (GitHub) | 847efb8ac13cfab516079fc4fc864f42a81274705a40c71c2e343e3ff59586c4 | 0 | 0
Modification of ld.so.preload | E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community | Sigma Integrated Rule Set (GitHub) | 35fdcd5de6749c0a3648859877873d553a64b9d469a1b72223f3430a15ab10e7 | 0 | 0
Modirat Trojan | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 83d78690b6193fe5c1396f8bc78fdedf8ba876a1e3b33e73fbd88be9ad9ac43b | 0 | 0
Modirat Trojan | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 8db76b3af1f01ca259e1dfb9ffced0b62d57908e3afda6d7190050a3651d0f35 | 0 | 0
Monero Crypto Coin Mining Pool Lookup | Florian Roth | Sigma Integrated Rule Set (GitHub) | 0752dd4f3de82ada650a6c6ed1887cc940d8f55e130fec468ce0df9b2ec4ef25 | 0 | 0
Monitoring Winget For LOLbin Execution | Sreeman | Sigma Integrated Rule Set (GitHub) | 12f03e6b0e193a0311b8fdfe379fc617a6b5ec4b6afd3fa4e2f8b3f1eb8774e8 | 0 | 0
Monitoring Wuauclt.exe For Lolbas Execution Of DLL | Sreeman | Sigma Integrated Rule Set (GitHub) | b7e3452e4a99ca10a2296ac99559c3c5ad282843dc9d00e99e744ca6725da3ae | 0 | 0
Moriya Rootkit | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 4a9ddb920ad6eab5d240fd46b4a22a2839ea161414fab29fdcd567a468de9295 | 0 | 0
Moriya Rootkit | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 9dd3e22b848384bcb3c88ebef774e34383b1ce9ed5a38ae9e19b8002aa5e1197 | 0 | 0
Moriya Rootkit | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | e890924140d1c95de2b7a7fb0972af50a2c5721ef496761669c3aba2244f16e8 | 0 | 0
Moriya Rootkit | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | fd2423cd1fb181effe2fb4c56218d09921ebaa407b79513920ea5b24c9a3f645 | 0 | 0
Mshta Download Pastebin | Joe Security | Joe Security Rule Set (GitHub) | 022d94a14c023de93a446a40880959661603927ebe5efff6b062cf01f85d2627 | 0 | 0
Multifactor Authentication Interrupted | AlertIQ | Sigma Integrated Rule Set (GitHub) | 486699d92cc29a0049da80bf790ffe339597bd00fe884682f96c34da8e130514 | 0 | 0
Multiple Abnormal non conforming HTTP Requests | SOC Prime Team | SOC Prime Threat Detection Marketplace | b6ffd0976104f055b1bd3ba49b801ac35b6e79610413ba345169d98aeae6b573 | 0 | 0
Multiple Clients to HTTP Using Unicode Host via HTTP - Possible Multiple Phishing Attempts | SOC Prime Team | SOC Prime Threat Detection Marketplace | 511963c1db190bc62faca5bc4ca06521da4635570743caf2d3f9cd4d56ca50a5 | 0 | 0
Multiple Clients to HTTP Using Unicode Host via HTTP - Possible Multiple Phishing Attempts | SOC Prime Team | SOC Prime Threat Detection Marketplace | 988a0ffb0a0f47129dd9b934dcb130f00534a2413639d8a3c688061cd4a9765e | 0 | 0
Multiple Compressed Files Transferred Outbound | SOC Prime Team | SOC Prime Threat Detection Marketplace | b8fd2aa035454d18d6233196fd8163e8a2353d52c1aac77573478869e2f4e068 | 0 | 0
Multiple Compressed Files Transferred over HTTP | SOC Prime Team | SOC Prime Threat Detection Marketplace | 7bad960058d62e8ad7b373e0f3e304754a2b6902377eb2e11113e17b75ccc3c7 | 0 | 0
Multiple Modsecurity Blocks | Florian Roth | Sigma Integrated Rule Set (GitHub) | 3262aea4a6fe473c1bbccdfd23a7fdf4ca12d85cd72e7f33b38038ec0744e1c2 | 0 | 0
Multiple Remote SMB Connections from single client | SOC Prime Team | SOC Prime Threat Detection Marketplace | c8e5e581e3b175b3982cdbb599ff7f79477c6d33f45c778d0e404d3b39611c79 | 0 | 0
Multiple SSH Brute Inferences from Single IP | SOC Prime Team | SOC Prime Threat Detection Marketplace | 169719cbc9d66e576e8fed121636ea4267a6c02afe08533153871190bf0ee2ae | 0 | 0
Multiple Suspicious Resp Codes Caused by Single Client | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 36b7f0b4e7ca31a80f5929c779c0b90ea599d134f5e18ed404448e5c7e4664d5 | 0 | 0
Multiple Users Attempting To Authenticate Using Explicit Credentials | Mauricio Velazco | Sigma Integrated Rule Set (GitHub) | c9d7284a26107f63bbe7266930bba513eee485e862028ef3d01f460fdfd13353 | 0 | 0
Multiple Users Failing to Authenticate from Single Process | Mauricio Velazco | Sigma Integrated Rule Set (GitHub) | b83947b9ca0aad485d29caf723d94bab0c256d4731fd51b5dd69d8ee931646f2 | 0 | 0
Multiple Users Remotely Failing To Authenticate From Single Source | Mauricio Velazco | Sigma Integrated Rule Set (GitHub) | 4107edd5afd06ad49d102029bda7ae9f9b114dc56eb3f36ad01188bfdcdbf804 | 0 | 0
Multiple Windows Admin Share Connections | SOC Prime Team | SOC Prime Threat Detection Marketplace | 9480e7a6092cdaee91f66357eb157816e36db05dcc021646b7b6bd3b1f0deba2 | 0 | 0
Multiple Windows Remote Registry Service Connections | SOC Prime Team | SOC Prime Threat Detection Marketplace | 555ec13fb5fd2bac1c4c3d56534a101fe85e324759a14d2efbcff17a8ce0d68e | 0 | 0
MustangPanda COVID-19 campaign | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 50f367f6a2c0c7a6e7071294d21ea586cf7ba6280290d19c28143cb5ba740344 | 0 | 0
MustangPanda COVID-19 campaign | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 6fa28d8cc3b3f717443e0a42b68552d7a87153b44f262b79824fdceb66d49c55 | 0 | 0
NPPSpy Hacktool Usage | Florian Roth | Sigma Integrated Rule Set (GitHub) | fe93afc27b2b53b9e4deb1b29d0172ddf97ab492beba618fda8529d8eb602bed | 0 | 0
NTLM Logon | Florian Roth | Sigma Integrated Rule Set (GitHub) | 7c3dc15fbc51dea715925bf595cd0f9e0a02de70e6c439f34e6f1f0e05748574 | 0 | 0
NanoCore | Joe Security | Joe Security Rule Set (GitHub) | 270a1fb968dc6493ee107a0a5e9afce805af2cd2d8675f58a02c418e36821076 | 0 | 0
Nansh0u Campaign (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 904193bc621aaa8bd679e31840889e7e0ebdd3012ad80cd285a787efa9a21a1e | 0 | 0
Narrator's Feedback-Hub Persistence | Dmitriy Lifanov, oscd.community | Sigma Integrated Rule Set (GitHub) | 4064f97b1b93e3d50e6d45f091287083f57a4143e79079ddd4afcae5bd61545f | 0 | 0

.in
Nemty SOC Prime Threat b6e935f32e1e64aba00eeea3
Ransomware Ariel Millahuel Detection 6dedcf16c051a067fc0bd9e45 0 0
(LOLBins abuse) Marketplace ea29c807851976e
NetNTLM
Downgrade
Attack
Florian Roth, wagga
df
Sigma Integrated
Rule Set (GitHub)
628b3cedd2ee451a4c293777
e6a6b1405d7ff8640e456f6c9
47256490c60b5d7
0 0

NetNTLM bec1f52073fc2866f36490eba
Sigma Integrated
ap
Downgrade Florian Roth, wagga 29525c7075bac3d5209203cf 0 0
Rule Set (GitHub)
Attack da883af578ca4f8
NetNTLM cf37bb8e1c6eb04a715e1acac
Sigma Integrated
Downgrade Florian Roth, wagga 3004996b87765e5a9a1641cd 0 0
Rule Set (GitHub)
Attack 5f9ba489b398a21
st

ce5ddd582faff7ef5d678ca34
NetWire RAT Sigma Integrated
Christopher Peacock 6465de3df879ce2fce177a243 0 0
Registry Key Rule Set (GitHub)
fb03283ce96f91
Netcat The 0fd4e2409b6a9d2d52410acd
Sigma Integrated
In

Powershell frack113 12bed00a2c98b5907728ae24 0 0


Rule Set (GitHub)
Version ee86bc36d470b52d
Netcat The afccc7dbdf0a361ce026bc9a3
Sigma Integrated
Powershell frack113 76283952eb427865b9051cc0 0 0
Rule Set (GitHub)
Version 7fd5ff5ed819482
Netsh Allow
Group Policy on 631a83ba9daa9bb7ff02be55
Sigma Integrated
Microsoft frack113 784068db1eeaa6935ea10809 0 0
Rule Set (GitHub)
Defender a1b8a8cf4ce2abd3
Firewall
70c15fe82eef73d893f59ec35
Netsh RDP Port Sigma Integrated
Florian Roth, oscd.community 89b484917b941f103c9c2904 0 0
Forwarding Rule Set (GitHub)
8472576af7e8cc8
45df53aa30dc2cfa8b51eefcfc
Sigma Integrated
Network Scans Thomas Patzke 5610c077a28dd2cc8dc1e231 0 0
Rule Set (GitHub)
a33ea4a8787dd7
bb657f87ac9c438630487838
Sigma Integrated
Network Scans Thomas Patzke d7c6786269418efb6f627897 0 0
Rule Set (GitHub)
a245514632b7b71c
bf8c0428428fa1278ad2e0afa
Sigma Integrated
Network Scans Thomas Patzke 0221c340e18931c689a1a746 0 0
Rule Set (GitHub)
60e2b25a2a1860a
Network Scans 0513b00d4770e8ba4e68a1bf
Sigma Integrated
Count By Thomas Patzke 68cab686e859e14797388dbc 0 0
Rule Set (GitHub)
Destination IP f6f51ea10f3042cc
Network Scans d59f72c28978b1e054ff60f91
Sigma Integrated
Count By Thomas Patzke c7cbf0354f8d455e90795685 0 0
Rule Set (GitHub)
Destination Port 535c1697fd3c945

Network Service SOC Prime Threat d2d4bc90121c2e5cb6f3b788


Scanning SOC Prime Team Detection 4fe1e4c06a3a4c61c381e33ea 0 0
Multiple IPs Marketplace f549354d0929db8
Network Service
SOC Prime Threat e06753fd5e71bee4c1603fb8
Scanning
SOC Prime Team Detection e04f441b1a19e365ff5202313 0 0
Multiple IPs for
Marketplace 41b58b5c9676d87
Open Port

SOC Prime Threat 7cda33e78a2e154cdc2a2bbe


Network Share
SOC Prime Team Detection b41857926b105d3f9e7750e0 0 0
Discovery

.in
Marketplace d39c1a6db9bf9563
34a3b83c8ed31a73806fd506
Sigma Integrated
Network Sniffing Alejandro Ortuno, oscd.community d538c5611d10141f5683c39c 0 0
Rule Set (GitHub)
cd3e822a4e68da7b

Network Sniffing Timur Zinniatullin, oscd.community


df
Sigma Integrated
Rule Set (GitHub)
cec88cf573d8c7f5ff9c871e5c
af9caf91adc563916947a89aa
d1491da2346ac
0 0

e0fec53c12094131d1b4e307
Sigma Integrated
ap
Network Sniffing Timur Zinniatullin, oscd.community c8e9dcea040e6d3cbb6b5eff0 0 0
Rule Set (GitHub)
144c5a71473253d

SOC Prime Threat c36594c085c33464fc5cde06d


Neutrino
Ariel Millahuel Detection c8ae917de450f86a16aff6f5e 0 0
Backdoor
Marketplace 7e0f6e3be73f2b
st

SOC Prime Threat d3b050f13506d1bf0507f478


Neutrino
Ariel Millahuel Detection 002af7a34e949fa40a2ef119f 0 0
Backdoor
Marketplace bc657f3a35de60a
In

63f0997b285249bf20906023f
New Application Roberto Rodriguez (Cyb3rWard0g), Sigma Integrated
b00f8eb00815314c790f67a7 0 0
in AppCompat OTR (Open Threat Research) Rule Set (GitHub)
0befd01625e8aeb
New DLL Added 4bdead82e3a6a57ba296d62c
Sigma Integrated
to AppCertDlls Ilyas Ochkov, oscd.community cea3f3cd1086e50cb50a9b58 0 0
Rule Set (GitHub)
Registry Key 540d3e065c5c756b
New File 3616394136d97f22be2d8a07
Sigma Integrated
Association Using Andreas Hunkeler (@Karneades) 18627a44f64289b519a8ab45 0 0
Rule Set (GitHub)
Exefile 5bef574a2a43961a

New Lolbin 8a45e61fc1757825afcd5eca5


Vadim Khrykov (ThreatIntel), Sigma Integrated
Process by Office 31a7940c6b8fd8ed95faee7b 0 0
Cyb3rEng (Rule) Rule Set (GitHub)
Applications 3ea517339e0ee17
7a4cd40845c7f590d81d5519
Sigma Integrated
Nginx Core Dump Florian Roth efe14cb755da4ad7e8382cf1b 0 0
Rule Set (GitHub)
793884653b688b5
Nibiru detection
(Registry event SOC Prime Threat 3debb91f02ff96ef7063287de
and Ariel Millahuel Detection 5f4ac2a5b63133f3d2217b25 0 0
CommandLine Marketplace 2f7ff735f72fe86
parameters)
Non-privileged 27c02a5e277091bc1c5b7d2a
Teymur Kheirkhabarov (idea), Ryan Sigma Integrated
Usage of Reg or 04365e89a8787ee68e58616a 0 0
Plas (rule), oscd.community Rule Set (GitHub)
Powershell fd80ef5c26aa04de

SOC Prime Threat f699b7b7fd20025dcb81e258


Novter Botnet
Ariel Millahuel Detection 6b58b97d0ba868dae7904c07 0 0
detection
Marketplace e08849456012355d
Number Of
Resource 72c0e900a73e61f8d65b8fc1b
Sigma Integrated
Creation Or sawwinnnaung c7424e17ed6404f198817556 0 0
Rule Set (GitHub)
Deployment ef1b8bf780307f9
Activities
OMIGOD HTTP
37c2af49383c30c36d87b721
No Sigma Integrated
Nate Guagenti (neu5ron) 5b22296e477d1b387c3b0c34 0 0
Authentication Rule Set (GitHub)

.in
cf3a3050d62099f1
RCE
OMIGOD SCX 1aa03e3c54881b2badbac443
Roberto Rodriguez (Cyb3rWard0g), Sigma Integrated
RunAsProvider dfd964bb5e89d65f3a4230dd 0 0
OTR (Open Threat Research) Rule Set (GitHub)
ExecuteScript b1349cd55dd16701
OMIGOD SCX
RunAsProvider
ExecuteScript
df
Roberto Rodriguez (Cyb3rWard0g), Sigma Integrated
OTR (Open Threat Research), MSTIC Rule Set (GitHub)
d532e92700eb248ec7d25152
f456ce46ecee476d6fd76a7b3
e07659c54d26855
0 0

OMIGOD SCX
57337e7a54cc7d5663f144c2
ap
RunAsProvider Roberto Rodriguez (Cyb3rWard0g), Sigma Integrated
d4051297cb796d11797ae6e1 0 0
ExecuteShellCom OTR (Open Threat Research) Rule Set (GitHub)
ca29ba67c27edb19
mand
OMIGOD SCX
5d1fd434b1c927d94f9fe4453
RunAsProvider Roberto Rodriguez (Cyb3rWard0g), Sigma Integrated
395535db904af037d3b9d3ff4 0 0
st

ExecuteShellCom OTR (Open Threat Research), MSTIC Rule Set (GitHub)


5b6ef71c0f8e43
mand
5a41f82caece4fe65bbe71be9
OceanLotus Sigma Integrated
megan201296, Jonhnathan Ribeiro 148baa62a842cabce69fc96f2 0 0
Registry Activity Rule Set (GitHub)
In

5fcdbf97f8008d
ad8390b7e69e5ce853f3c92a
Octopus Scanner Sigma Integrated
NVISO d2199323cf05de73cc23538d 0 0
Malware Rule Set (GitHub)
5f0c64b8f2ee6bfe

Offensive tool
SOC Prime Threat 83567691787215050fc2832d
MaliciousDLLGen
Den Iuzvyk Detection 1859c46eef4d6ec184c2e866 0 0
erator. DLL side
Marketplace 75a1cda9293f9656
loading(Sysmon)
Office Application Startup - Office Test | omkar72 | Sigma Integrated Rule Set (GitHub) | d30a6ec556476631a5a9c60d8741c765b1c2e39b6c80bda1ad8bff961bbdae9a | 0 | 0
Office Applications Spawning Wmi Cli | Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule) | Sigma Integrated Rule Set (GitHub) | 4e7dcf0bdb7133795dc5f59a3dce3f19d7a78ad417e3b41e7dea915b76bdfd5d | 0 | 0
Office macro parent spoofing injection | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 6633d004f33515072ffdd8f03f41910d3d9da5e01701655ea5e05259c72e6d05 | 0 | 0
Oilrig's "RDAT" Backdoor (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 75f9172f5d8240599ba3e90228c244a661f19b8fecdf018deefea7ea69584949 | 0 | 0
Oilrig | Ariel Millahuel | SOC Prime Threat Detection Marketplace | ea4cbf16bdb71984f5023f3f7cb99896b2f2fbbc624e3fed169da1b645de6150 | 0 | 0
Okta API Token Created | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 37c62bd2bbcddc4acc9d1a5790917fced5f8bffd7529d17806bae479015d0438 | 0 | 0
Okta API Token Revoked | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 0f26d84e2eba3bdbd5a67b63c111a77e2d63546e74143de49507314c059c0fd2 | 0 | 0
Okta Admin Role Assigned to an User or Group | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 76ee74749375861af873800c29031bf76c1d499b124d9ea839ba8c40dee90c8e | 0 | 0
Okta Application Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 5146d9202bfee99aebeefa43c786b2e3719434b3ce05ab72c3c3b42d285cebe5 | 0 | 0
Okta Application Sign-On Policy Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 2ef17e10bfa93f6d655fd5a9f9191f5ac2f485b9a0dd458d450ad6d3337261e9 | 0 | 0
Okta MFA Reset or Deactivated | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | ec810333c5b5e59400842656cc184df2783f47b5b55d0030bfa5a4f21568df9c | 0 | 0
Okta Network Zone Deactivated or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | fe00ea6d901a92c5ecc5302f0e36994a890f1b517bb02510b6a368f421ec89c9 | 0 | 0
Okta Policy Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 1c210d6fdbd5b2ba495cbd1a803fad26f2c34786e6b979f4ce8e88872a25db23 | 0 | 0
Okta Policy Rule Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | ae0100a24042add9897a943949ccd1e1e3f8c310cd5979cf48accbce725cd423 | 0 | 0
Okta Security Threat Detected | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 82f25417bf76cf8b64d66b26bf54c4850a4187772d8094d02f3f8eb64bc20bf4 | 0 | 0
Okta Unauthorized Access to App | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 4ac129ccafdbbfad46a3392c4e73182ba5823ac3df49ac7d3e35e10cbf159b2a | 0 | 0
Okta User Account Locked Out | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 713536374c2a86507e8c3738a171b0b1ab7398e3b84b9a491e14890485ff6bb7 | 0 | 0
OneLogin User Account Locked | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 989ec67196bdfe4759541550bbddc7a6be65ecf2debfc15598f3768a4000df04 | 0 | 0
OneLogin User Assumed Another User | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | f0eee7a94251a99b6a747dc186b09c26d9850f1e61d9cbcb7a5939e633565f04 | 0 | 0
OpenWith.exe ea5ec4a6c95de7e028405041
Beyu Denis, oscd.community (rule), Sigma Integrated
Executes a4052a38c12bd6345847e628 0 0
@harr0ey (idea) Rule Set (GitHub)
Specified Binary f0b4ed6648db62d1
0981b6a6bd3a352e954d4f80
Operation Sigma Integrated
Florian Roth, frack113 8351eef72bde12f597fac0673 0 0
Wocao Activity Rule Set (GitHub)
85a86f67f28169f
2e30c366dcaa537ae7d98a97
Operation Sigma Integrated
Florian Roth, frack113 8f19c3a6bbf9b459e177978af 0 0
Wocao Activity Rule Set (GitHub)
689a71981ca468f
41500c83cd93f90f6d367be3
Operation Sigma Integrated
Florian Roth, frack113 449920cac482603fa9b7f4137 0 0
Wocao Activity Rule Set (GitHub)
f2576feb2ba50a8
a0774a9062d671fa2115dde2
Operation Sigma Integrated
Florian Roth, frack113 a5620ddb95c39200fc4fbcd5a 0 0
Wocao Activity Rule Set (GitHub)
7504ced2408c516
d4c0402f67c8a3748cf75523e
Operation Sigma Integrated
Florian Roth, frack113 f859b1c3b31b2503661858ec 0 0

.in
Wocao Activity Rule Set (GitHub)
74bc3b5c7cad0af
9bfd34293b2b68ab59c38057
Oracle WebLogic Sigma Integrated
Florian Roth b018b43e4604ddd974aedeb 0 0
Exploit Rule Set (GitHub)
628eb74f48467b2af

Oracle WebLogic
Exploit CVE-2020- Florian Roth
14882
df
Sigma Integrated
Rule Set (GitHub)
82dda926865821ca5e8c3ddb
93fc4f69772bb79643d23c06
1dc2f359fcb25cee
0 0
ap
Oracle WebLogic 58f3096519d091461dc02d54
Sigma Integrated
Exploit CVE-2021- Bhabesh Raj 0c9ad2e2714378fc856af5b52 0 0
Rule Set (GitHub)
2109 dcd246cf062437e

SOC Prime Threat 870bd93000dae7789508610f


st

Orcus RAT
Ariel Millahuel Detection 80cf9f2862f3b3e9fefec9b3cb 0 0
detection
Marketplace a32617a75799cd

SOC Prime Threat c71576208518c999b7feba52


In

Orcus RAT
Ariel Millahuel Detection 9c697771d91ca38beb7d087c 0 0
detection
Marketplace 1d8ae78eba2c5bb0
6521fe44f6063c0c245933490
Outlook C2 Sigma Integrated
@ScoubiMtl 2169e29975140f570d57f3ec 0 0
Macro Creation Rule Set (GitHub)
5fb33d79f3b074b
2f07ac019282aa31e7681103
Outlook C2 Sigma Integrated
@ScoubiMtl 6780c9cb961d1b01262e2bee 0 0
Registry Key Rule Set (GitHub)
ea4f9f7c17a906eb
b8ad31e84529c4f0ecaff3ccd
Outlook Form Sigma Integrated
Tobias Michalski b07e6876487faa4fe4e57f07a 0 0
Installation Rule Set (GitHub)
fb4d3a104ed7c4
Overwrite d3e54936275abafa46d4b778
Sigma Integrated
Deleted Data frack113 91ec8f7fe6dd55d420fec6134 0 0
Rule Set (GitHub)
with Cipher 76144dd5d26f1a7
Overwriting the fb9c58953377bc9ef08cbec4e
Sigma Integrated
File with Dev Jakob Weinzettl, oscd.community 7921e8bfd0bcea1b91c79a56 0 0
Rule Set (GitHub)
Zero or Null cd7f21e179f5514
Oxypumper and SOC Prime Threat 2e9004538d0ac25abf5f74d2
Qwertminer Ariel Millahuel Detection ab10e6804e8c5a6d78ded8ec 0 0
detection Marketplace 678d1d57791fdd4d
PCRE.NET 314e0194b44c70b9c92c8fcd
Roberto Rodriguez (Cyb3rWard0g), Sigma Integrated
Package Image 5ab2295e9f0c5d034db71b85 0 0
OTR (Open Threat Research) Rule Set (GitHub)
Load 6dc14098ba319f82
PCRE.NET 298754861fb9b51e8da2c449
Roberto Rodriguez (Cyb3rWard0g), Sigma Integrated
Package Temp 0353502093fe96a301b2c943 0 0
OTR (Open Threat Research) Rule Set (GitHub)
Files df1e6d6ccc641ea8
PSExec and WMI d5f9283f29961f497c15a772f
Sigma Integrated
Process Bhabesh Raj e3eaf3852c91aaeca1034ffa8f 0 0
Rule Set (GitHub)
Creations Block bac0ad1e65b32
1280d1699ff038c66a632a34
Pandemic Sigma Integrated
Florian Roth d113a985abe94aba7a198de8 0 0
Registry Key Rule Set (GitHub)
5b3dec7e8c56e432
83870fe1bc3919a21d0e4bfe
Pandemic Sigma Integrated
Florian Roth 80e46298d498a92fede41333 0 0
Registry Key Rule Set (GitHub)
6e99c62c736fde77
94c2e0c66ba5ec7b925ceb0b

.in
Pandemic Sigma Integrated
Florian Roth 07bd496ceb43525c621caa6b 0 0
Registry Key Rule Set (GitHub)
3a18048c1c9ffd88
a1ba081fa2fecc17406857322
Pandemic Sigma Integrated
Florian Roth da10c42bfd5d39b025a35029 0 0
Registry Key Rule Set (GitHub)
df fa0fe1b55760821
f3d343e52cbeb2af747dd246
Pandemic Sigma Integrated
Florian Roth bd8ea56b0de2c474c81d88ef 0 0
Registry Key Rule Set (GitHub)
7e6cd844d31fe85a
ap
Ilias el Matani (rule), The 28b05b77c561c979f988b8e6
Pass the Hash Sigma Integrated
Information Assurance Directorate 8e0fd7bee5c3d69bebf583aef 0 0
Activity Rule Set (GitHub)
at the NSA (method) ab5e6c03dbd30d4

Password
Change on d5526765d05068ba3b4fc756
st

Sigma Integrated
Directory Service Thomas Patzke 226bbb23764077a29b90a8d 0 0
Rule Set (GitHub)
Restore Mode 1b182c52b27247a96
(DSRM) Account
In

Password 9621c87be63b1ea5e038a8d2
Sigma Integrated
Cracking with frack113 759bc0bbe6a5ee4f322b9763 0 0
Rule Set (GitHub)
Hashcat fdc06f159d781698
Password 25dff248d062d94230b27dc2
Sigma Integrated
Dumper Activity sigma 516c0e2a98f6760f4b5d93f07 0 0
Rule Set (GitHub)
on LSASS 871a0f48b12c990
70af2a777246077f95f00d880
Password Policy Ömer Günal, oscd.community, Sigma Integrated
94a0d2d36234fe41d5cb7930 0 0
Discovery Pawel Mazur Rule Set (GitHub)
3b751759b327351
Path Traversal 773cff12ec7cbfc99bc118e98
Subhash Popuri (@pbssubhash), Sigma Integrated
Exploitation 518f2e0050d70dca13977467 0 0
Florian Roth (generalisation) Rule Set (GitHub)
Attempts d5ec706e1253a9d
Persistence and
261e256e88ce2c0fee286d62
Execution at Sigma Integrated
Samir Bousseaden 0d8ff6e77e8cd38f8b7edfda2 0 0
Scale via GPO Rule Set (GitHub)
1eb83ac8d48a9b5
Scheduled Task
Persistent 6ae750585488b213e225f24f
Sigma Integrated
Outlook Landing Tobias Michalski 0cd7693782801986e4406629 0 0
Rule Set (GitHub)
Pages 424e8bba973f8645
Persistent 7b23c3334a69965bcad3cbae
Sigma Integrated
Outlook Landing Tobias Michalski 78bfb96013d973e4eafe5031 0 0
Rule Set (GitHub)
Pages ea53c5b35acadb90
PetitPotam
ea26c5b32a6c3921fdfe6b9e3
Suspicious Sigma Integrated
Mauricio Velazco, Michael Haag d229e17679f51ee847975052 0 0
Kerberos TGT Rule Set (GitHub)
2d3af1a3e499d7e
Request

SOC Prime Threat 49cbcdd3c2bd2982afc88c585


Phorpiex Trojan Ariel Millahuel Detection 8d00892e8d508453878c1a3c 0 0
Marketplace d42562042976e54
12147457a137c617a8c55dba
Pingback Sigma Integrated
Bhabesh Raj edd9bc3c0cec1a58f0abd3a36 0 0
Backdoor Rule Set (GitHub)
4a57af2b9dc7967
25fa9043dc7fef1e4d5f8f2c70
Pingback Sigma Integrated
Bhabesh Raj 2b53d1134ca5d490bae826fd 0 0
Backdoor Rule Set (GitHub)
7ecf2551f3e2ce
5c3e50d74286082eb71b8889
Pingback Sigma Integrated
Bhabesh Raj 3a78ffa754ccb9d60b9acce0b 0 0
Backdoor Rule Set (GitHub)
b0b8cb91d5ba31d

.in
6445b62d62c302592ad18186
Pingback Sigma Integrated
Bhabesh Raj 139719c0e819f43d9a6beed3 0 0
Backdoor Rule Set (GitHub)
bf0ab7f2d451d194
ea92810a14a762b008597bcf
Pingback Sigma Integrated
df
Bhabesh Raj 3399fe14869e0f793089b7e1 0 0
Backdoor Rule Set (GitHub)
62701a7be5def9bd
f384452415580cfacef78ec66
Pingback Sigma Integrated
Bhabesh Raj 267f7d0bfb736fee4faca1b9d 0 0
Backdoor Rule Set (GitHub)
ap
7d41f0a7975af2

SOC Prime Threat 9d199db1a634577d3f5cc20a


PoetRAT
Ariel Millahuel Detection 856125c4d011cf3785ae959d 0 0
detection
Marketplace dad5ca77431d81a2
st

Ponmocup SOC Prime Threat 552054511e656c379a350ba0


Malware Ariel Millahuel Detection be389fc00411a46c49cefaa59 0 0
Behavior Marketplace 69933937782bd7f
In

e95b67f51925e56d5e1ce568
PortProxy Sigma Integrated
Andreas Hunkeler (@Karneades) 81ff5e65536dbd8010857767 0 0
Registry Key Rule Set (GitHub)
0b3adf94d708f2e7
Possible App
Whitelisting
93807d89530fb696ca050ed3
Bypass via Sigma Integrated
Beyu Denis, oscd.community db0953ce414b88509cf14222 0 0
WinDbg/CDB as Rule Set (GitHub)
3144b53058957b9a
a Shellcode
Runner

Possible CVE- SOC Prime Threat 004fb7066c5a25b3f6a6420c6


2020-1472 SOC Prime Team Detection a8725fbc30258b16fb591b4c 0 0
(zerologon) Marketplace 9b86b9da893d74d

Possible CVE- SOC Prime Threat b2199e218352cf6a91e1a9ea


2020-1472 SOC Prime Team Detection 26af1aa07e66c291293a802c 0 0
(zerologon) Marketplace 8fdf82966b40dbe4
Possible CVE-
bead488a4543b9f760689bdc
2021-1675 Print Florian Roth, KevTheHermit, Sigma Integrated
7093fc4540098b5bcf3c09c67 0 0
Spooler fuzzyf10w Rule Set (GitHub)
8976c6ed6354eb2
Exploitation

Possible
SOC Prime Threat a2858e2b79b3da9a5b4d130
CobaltStrike
SOC Prime Team Detection 4cbcd84acf91d6a6062ca5f09 0 0
PsExec filenames
Marketplace 5b0d774272030879
(via audit)

Possible
SOC Prime Threat a321323d7d6157b4259e681
CobaltStrike
SOC Prime Team Detection 855280c87bb847b7bc7874bc 0 0
PsExec filenames
Marketplace 3fabdbdf23ec563c7
(via audit)
Possible Coin 066bf65181967c1e98ac2f9df
Sigma Integrated
Miner CPU Florian Roth 11a8fd671e19d04a92efcac22 0 0
Rule Set (GitHub)
Priority Param 3bb0d380b06fdf
Ilyas Ochkov, oscd.community, b2fec2248b287bf7e5d5226c
Possible DC Sigma Integrated
Chakib Gzenayi (@Chak092), Hosni 97e0e035d64995c904571c48 0 0
Shadow Rule Set (GitHub)
Mribah 230b8adac0240d6b

.in
7a69b135d65a01f790259777
Possible DNS Sigma Integrated
Ilyas Ochkov, oscd.community 1e9c5634482fc44f6a01ddde7 0 0
Rebinding Rule Set (GitHub)
6c647a9b293f852
e597452786d564a9ef799690
Possible DNS Sigma Integrated
df
Patrick Bareiss 2a2c2c93c77f558932cbf4f4b 0 0
Tunneling Rule Set (GitHub)
df5a3bc3bd8414f

Possible Data SOC Prime Threat ac79c3ded0f25a49a60eeb68


Collection Over SOC Prime Team Detection 06049f4e21c47eff774ed79ce 0 0
ap
SMB Marketplace b760b8377ace4c6
Possible Data
Collection
SOC Prime Threat d6ed6d774c0f9d1aa8f9e7c8d
related to Office
SOC Prime Team Detection 6e850cccf5682e206f4cf08de 0 0
st

Docs and Email


Marketplace 83bda6b90994fb
Archives and
PDFs
Possible
SOC Prime Threat 05a6eb84ba469846def921f9
In

DePriMon
Ariel Millahuel Detection 14e3d8b9fbdd2692488b9f37 0 0
activity (via
Marketplace c291938d73de1a2c
registry_event)
Possible
SOC Prime Threat c49479c5356b52e94528e552
Directory
SOC Prime Team Detection ed642e4987c6a5c700ed76eb 0 0
Traversal Web
Marketplace e1536af2231219d0
Server Attack
Possible
SOC Prime Threat e69ddf941adc94abece38df21
Exchange CVE-
SOC Prime Team, Microsoft Detection 7d775b76868df2e2ea22a1ec 0 0
2021-26858 (via
Marketplace 52a70e9f236fe22
audit)
Possible
SOC Prime Threat ff377bfd583855c832c7dd822
Exchange CVE-
SOC Prime Team, Microsoft Detection b71dcb07ea79b550063b031c 0 0
2021-26858 (via
Marketplace 7e96add1d6524e5
audit)
Possible
SOC Prime Threat 99b35216607149affdfa929b0
Exchange CVE-
SOC Prime Team, Microsoft Detection e387d69d2806cbefee2308c2 0 0
2021-26858 (via
Marketplace 735848d194d344d
file_event)
Possible
5a40221e67f7aba15ef82f3d0
Exploitation of Sigma Integrated
Florian Roth, @testanull d7b2b844f8ae17825570bff63 0 0
Exchange RCE Rule Set (GitHub)
0c88811cc4ad61
CVE-2021-42321

Possible F5 BIG- SOC Prime Threat 218640966c9d97eb1eff96fd1


IP TMUI Attack Roman Ranskyi Detection e484617b91f4df0ea75bcf0e4 0 0
CVE-2020-5902 Marketplace e5cb6fdf8d99b6

Possible F5 BIG- SOC Prime Threat 6479d3a228183d5f5cbc12cf0


IP TMUI Attack Roman Ranskyi Detection 6692c41fdde83f2aeac8f71a1 0 0
CVE-2020-5902 Marketplace 56a2a48b648a32

Possible F5 BIG- SOC Prime Threat 88b5d334ee9ea111b57d657c


IP TMUI Attack Roman Ranskyi Detection d139707d075dd8ed6627da1 0 0
CVE-2020-5902 Marketplace 6a793126604d859dd

Possible F5 BIG- SOC Prime Threat c1f2f68a9cff2de7103eeb1fd3


IP TMUI Attack Roman Ranskyi Detection 1cdbaf1b6fa00837c80f48223 0 0

.in
CVE-2020-5902 Marketplace a78b3610f8eee

Possible Flash
0day execute SOC Prime Threat b817381a55e4395f3432afde
embedded in Roman Ranskyi Detection
df aba45bc656fe1d69add003ca 0 0
Word document. Marketplace 93890ee9dbb88dc8
(Sysmon)
Possible
SOC Prime Threat 3f570551a3f5298bb8ffcdbfa6
ap
HAFNIUM
SOC Prime Team, Micrsoft Detection a8a34da33b20e2466ac11869 0 0
Webshell March
Marketplace 3efa67b24e4b43
2021 (via web)
Possible
d662c9e44d08cdfba8767e63
Impacket Sigma Integrated
Samir Bousseaden, wagga ec2258087b3839be1275833c 0 0
st

SecretDump Rule Set (GitHub)


535955e8dfdc962a
Remote Activity
Possible
Impacket SOC Prime Threat 0f0d88d275fc1726d496bdd1f
In

SecretDump SOC Prime Team Detection 93e157e9474e735b61dce0f2 0 0


Remote Activity - Marketplace a1a7e62b73aa4d0
Zeek
Possible
Impacket 9817f9971438f3d35c3ff932f3
Sigma Integrated
SecretDump Samir Bousseaden, @neu5ron 69427b842af1830ee9d876b8 0 0
Rule Set (GitHub)
Remote Activity - 2315c2af4ec94b
Zeek
Possible MS RDP
Worm activity SOC Prime Threat 4f9d5b07a08c2a6f429d46dd
aka "BlueKeep" Roman Ranskyi Detection 58004d7b7cd97555012e4b1 0 0
(CVE-2019- Marketplace 97608622358100e0c
0708).
Possible
SOC Prime Threat 8883f6245da8667a77cc2858
Malicious Docker
Brandon Hart Detection 555fe077b1437141d61a2ce0 0 0
Image was
Marketplace 27184b194828a850
Uploaded.
Possible
PetitPotam 8b1c0d38f0e9f17fd31e1b3ae
Sigma Integrated
Coerce Mauricio Velazco, Michael Haag 1092dd248b2ae07a01e4a431 0 0
Rule Set (GitHub)
Authentication 516fa46995b8d0f
Attempt
Possible
ad5c13aa09c3e5f96d8d44e5
PrintNightmare Sigma Integrated
@neu5ron (Nate Guagenti) 0e12cbf519a648471259976a 0 0
Print Driver Rule Set (GitHub)
40654ceb7215e58a
Install

Possible Privilege
Escalation via eb45f6868e84101d08fc7e8a
Sigma Integrated
Service Teymur Kheirkhabarov d4de6ebe7a9bdf7ab558ec19 0 0
Rule Set (GitHub)
Permissions 1c3afe9857058360
Weakness
Possible Process fcf7620e2328b946e9b3d0f40
Sigma Integrated
Hollowing Image Markus Neis 4695a61a8943ec4865dcb48e 0 0
Rule Set (GitHub)
Loading 4be1d1094ac3196

Possible Remote
b1713847a4daf31e020cbf71

.in
Password Sigma Integrated
Dimitrios Slamaris 527ef33d0662b5c19661263a 0 0
Change Through Rule Set (GitHub)
b551e6ad9fd67ab6
SAMR

Possible Ruby on SOC Prime Threat 6fba8939e048342afcf17dfc0


df
Rails CVE-2019- Roman Ranskyi Detection 48d360bac3d5b6624cf12a22 0 0
5418 PoC Marketplace d156736dd818870

Possible Ruby on SOC Prime Threat 75865efeda875bb8b0aac82f


ap
Rails CVE-2019- Roman Ranskyi Detection b3b5a47ff0e7f843016157ee8 0 0
5418 PoC Marketplace 942621977061407
Possible
Unknown SOC Prime Threat b9468847ca9a6e3d39ea2b21
st

Exchange 0 day SOC Prime Team, volexity Detection 395d1127e2ffa91f808f3fc894 0 0


March 2021 (via Marketplace 2ef0d65b7f12f7
web)

Possible
In

SOC Prime Threat 42df827de0dcea1b983942ba


VMWare vCenter
SOC Prime Team Detection 353a02fb956b2fde9a0ad658 0 0
Exploit CVE-2021-
Marketplace 8f317f9ffd56110b
21972

Possible
SOC Prime Threat b9b880760f2efb391cc1fc7cb
VMWare vCenter
SOC Prime Team Detection 12a935b3838db71ee45575fc 0 0
Exploit CVE-2021-
Marketplace 112bbe9b4a306a1
21972
Possible
SOC Prime Threat 12b4ca0d87e88664b966d19b
Webshell - Rare
SOC Prime Team Detection d99b3ccc51ff3c7ee9c0a5458 0 0
PUT or POST by
Marketplace b0f0675a0cd65cc
IP
Possible
SOC Prime Threat 7a8435fc28a2572f17ab3899
Webshell - Rare
SOC Prime Team Detection 49908468b06e249365c83e22 0 0
PUT or POST by
Marketplace 03a00baa233b8eb2
IP
Possible
Windows
Executable SOC Prime Threat 815d6d2c68a3ef44716300a0
Download SOC Prime Team Detection 7a6814032d253de34cd2f2be 0 0
Without Marketplace 2648db1efc8c3b61
Matching Mime
Type
Possible
e4567b8b5187e55fdafa4689
Zerologon (CVE- Aleksandr Akhremchik, @aleqs4ndr, Sigma Integrated
6fe44aa16e80e8299fdf61656 0 0
2020-1472) ocsd.community Rule Set (GitHub)
2294969ae32c7a6
Exploitation
Possible
SOC Prime Threat 413ee025b8a23df869f73427
emails/attachme
Den Iuzvyk Detection 78fc274599e24cfb881e26cde 0 0
ts extraction by
Marketplace 55b06feddae06bd
Emotet

Post CVE-2017- SOC Prime Threat ac7133ba82228763e38c9dec


5638 Ariel Millahuel Detection e3427e679698ee3bedde0c21 0 0
exploitation Marketplace e00adf3e4dfa06ac

.in
Post CVE-2017- SOC Prime Threat f0750e1ec35c54a3e4b96c31c
5638 Ariel Millahuel Detection 30c90992261adc3f0dbfc07f1 0 0
exploitation Marketplace c841b4cd0b5be0

Potential df 1211ca2125800a5536381bbb
Greg Howell, OTR (Open Threat Sigma Integrated
Exfiltration of aa31e5785a63d393b5361c9c 0 0
Research) Rule Set (GitHub)
Compressed Files 79a2fdc9327a21df
Potential Forced
SOC Prime Threat 2b3b8e854d19405e5e6c9c31
ap
External
SOC Prime Team Detection 054a6c326d1039ac85adacc9 0 0
Outbound
Marketplace d7aa4959aa5f1fc0
DCE_RPC
Potential Forced
SOC Prime Threat 19c3e23b94517f688049e398
External
SOC Prime Team Detection 8bf887fd740097d02ec462d5 0 0
st

Outbound
Marketplace b0eb20e52f2b568f
GSSAPI

Potential Forced SOC Prime Threat aad30630b73b0f4a4236cce2


External SOC Prime Team Detection c8d814e292ee13ba01bebf01 0 0
In

Outbound NTLM Marketplace 326ebda63aeacc7a

Potential Forced SOC Prime Threat b7eb3b4728494a3c2f99e1d0


External SOC Prime Team Detection 9ccee9a7405011f233c53109 0 0
Outbound SMB Marketplace 6f5ae77b9367a6c9

SOC Prime Threat 263ef200cd98649e7eb618ce


Potential Forced
SOC Prime Team Detection 3d0700e62dfddb6368b1167c 0 0
LLMNR Lookup
Marketplace 164c8437f249eaaa
Potential
21730cbb0a1909a9d76a80ac
PetitPotam @neu5ron, @Antonlovesdnb, Mike Sigma Integrated
d4bde103b4ccadc42883b227 0 0
Attack Via EFS Remen Rule Set (GitHub)
a3f9568259cfbfcf
RPC Calls
Potential RDP 8b02859a07f68105c212ab86
Lionel PRAT, Christophe BROCAS, Sigma Integrated
Exploit CVE-2019- 20bad0936e88ff1273a8ea01 0 0
@atc_project (improvements) Rule Set (GitHub)
0708 6f9c1c6c6789a39e
Potential Remote
Desktop 4c5c4668e312589fc1aa4db7
Sigma Integrated
Connection to James Pemberton 34482c2b724cda2ae380d3de 0 0
Rule Set (GitHub)
Non-Domain 9dfdac43ccd99fc4
Host

Potentially SOC Prime Threat 5f9b3f2dc239f570301cb831e


Harmful SOC Prime Team Detection a6671acf4414fbb82a5dc4df8 0 0
Attachment Marketplace 77925dbc1176c8
PowerShell dbe1887e879ebc1177cca950
Sigma Integrated
Base64 Encoded Florian Roth ec8a82a43b96e7015767750a 0 0
Rule Set (GitHub)
Shellcode 0118dc61344ccdad
PowerShell
Called from an ed7108b00b6a517dcbcd529d
Sean Metcalf (source), Florian Roth Sigma Integrated
Executable 98b8c8e1ed551160e89bbf03 0 0
(rule) Rule Set (GitHub)
Version 699b6fe2e3b49fc2
Mismatch
PowerShell 40fcac117060a3b800bb902b
Roberto Rodriguez (Cyb3rWard0g), Sigma Integrated
Decompress 404dce3cc30abc9822159a68 0 0

.in
OTR (Open Threat Research) Rule Set (GitHub)
Commands c7414603e70e131c
PowerShell 46f9d269c8a2f1c1c268482b8
Roberto Rodriguez (Cyb3rWard0g), Sigma Integrated
Decompress f189bfcb71e5f354e01cbc485 0 0
OTR (Open Threat Research) Rule Set (GitHub)
Commands f42aaa02be9a64
PowerShell
Downgrade
Attack
Florian Roth (rule), Lee Holmes
df
Sigma Integrated
(idea), Harish Segar (improvements) Rule Set (GitHub)
68dfd4dca345ef6d2fe87835d
b75f6e538426102929780a6f
37dddb7730cb7e8
0 0

PowerShell f25494bc9c5e8430fee8451d8
ap
Sigma Integrated
Encoded Florian Roth 958642f0d15778570833a0af 0 0
Rule Set (GitHub)
Character Syntax 3f2c0cc1592a4ca
77eafc1cb5e5d7dea3787413
PowerShell Sigma Integrated
Roberto Rodriguez @Cyb3rWard0g 3cea2270c0c4189a07aa4cf03 0 0
Execution Rule Set (GitHub)
st

9207c99c17281fb
PowerShell
Execution SOC Prime Threat f2ffe839a68caf5469d7f0c6bb
(Potential event SecurityJosh, Roman Ranskyi Detection a1649431891460f9c0827150 0 0
In

manifest Marketplace 7f594cb5080470


tampering)
524490479b353ff8d877b617
PowerShell Get Roberto Rodriguez (Cyb3rWard0g), Sigma Integrated
014d2cbb9a65d782e87caae2 0 0
Clipboard OTR (Open Threat Research) Rule Set (GitHub)
1e923760fd2ed255
8fecdfab629105e4822e49c9d
PowerShell Get- Sigma Integrated
Florian Roth ae2daf531f93b9b9f4a90cb0b 0 0
Process LSASS Rule Set (GitHub)
a780ea4a09adac
PowerShell b5e9f310ab6a8611ea1b7b78
Sigma Integrated
Network Florian Roth 8e712f0f6bf452c3092675694 0 0
Rule Set (GitHub)
Connections cf6256931874071
PowerShell
SOC Prime Threat a885d4a4024ecfaa6ba2d4e7
Obfuscation
Den Iuzvyk Detection 07d9c8f3f22ff62b699033255 0 0
using
Marketplace 7b511f2f8dd3198
SecureString
229ea6fc4268ad28126e92f6f
PowerShell Sean Metcalf (source), Florian Roth Sigma Integrated
1ebd4679c50f3be77030a58b 0 0
PSAttack (rule) Rule Set (GitHub)
60af12fa0ef8eb3
PowerShell 2edbd80b280a70f7636ca307
Sigma Integrated
Remote Session frack113 800e2c61b25d829eca7c9921 0 0
Rule Set (GitHub)
Creation 25bf15782e91f688

PowerShell b6b512a36600d72d464945b
Sigma Integrated
Rundll32 Remote Florian Roth 37dc5edcb606a3e429979c7f 0 0
Rule Set (GitHub)
Thread Creation 50e117d9a428ebaeb
f82541606097e898ede6da39
PowerShell SAM Sigma Integrated
Florian Roth 077c7fe527c1fcd403d041ebe 0 0
Copy Rule Set (GitHub)
375f28d5f4339fc
PowerShell 1364ad75b0dc2267d0c0662c
oscd.community, Natalia Sigma Integrated
Scripts Installed 954f3be5c9215494cf31c1e20 0 0
Shornikova Rule Set (GitHub)
as Services fe403ea6c3e83c3
PowerShell 2cc62e06802026a69ee67d8d
oscd.community, Natalia Sigma Integrated
Scripts Installed bae18471e27c0c724a173360 0 0
Shornikova Rule Set (GitHub)
as Services 2613735fb6fd72e5
PowerShell 445aaa2d9f84a2f2f097156da
oscd.community, Natalia Sigma Integrated
Scripts Installed f5b3f2cf8034d25addcd37e18 0 0
Shornikova Rule Set (GitHub)
as Services 89105ca6dad11b
PowerShell 467dfca5cc97071e4d713c6a6

.in
oscd.community, Natalia Sigma Integrated
Scripts Installed 403209934b96ad6317643eef 0 0
Shornikova Rule Set (GitHub)
as Services 8e56b83b8134f8e
PowerShell 8ccccb7310714bae7f496aec4
oscd.community, Natalia Sigma Integrated
Scripts Installed 6cc573dd0bc8f2794b820a30 0 0
Shornikova Rule Set (GitHub)
df
as Services 70864fbdb99fdbb
PowerShell f1c32a70362f7ed2aa5c0293e
oscd.community, Natalia Sigma Integrated
Scripts Installed db9c51408a0bdb4a1d93b8f1 0 0
Shornikova Rule Set (GitHub)
as Services 01b2d7c38590993
ap
PowerShell 014598477a00db3dbeee84e
oscd.community, Natalia Sigma Integrated
Scripts Run by a 541504e310712bfb7380fe0f6 0 0
Shornikova Rule Set (GitHub)
Services c18921580f829d4e
Powershell 60d527fe5a592cbe8e98428d
Sigma Integrated
Create Scheduled frack113 1412743b909d5625ec8bc91d 0 0
Rule Set (GitHub)
st

Task 20e8b6ee8b36db20
a40151c9a2ec5e5671945ace
Powershell Sigma Integrated
frack113 abe6ad097c67f4d304566442 0 0
DNSExfiltration Rule Set (GitHub)
30d8f9a37511a161
In

Powershell
6e1823de286f8bef414c648f5
Detect Sigma Integrated
frack113 738bec3bd40700cba3765da2 0 0
Virtualization Rule Set (GitHub)
6e6500bc2d8e387
Environment
Powershell ece68c3b6fda1fe5c7d8707c5
Sigma Integrated
Execute Batch frack113 dd9099cf564ed0e7e7b480e9 0 0
Rule Set (GitHub)
Script 7278c475f10e5a7
Powershell b09b9f74febb3e25b3de6961
Sigma Integrated
Exfiltration Over frack113 4b6193a2740c00fe9e7ccf5e6 0 0
Rule Set (GitHub)
SMTP 2f503de56c5c1bf
Powershell File febfc891e8c04ffe16ce1a9eaf
Sigma Integrated
and Directory frack113 5731b0a321cf42be5c06aed0 0 0
Rule Set (GitHub)
Discovery 6252ec31cdbb79
Powershell IEX 47700446a254048704b602b
Joe Security Rule
Download In Joe Security 4820482299b526c610cd8cfa 0 0
Set (GitHub)
Base64 3a164f19784195ba9
Powershell 51fc69e23d6cd3acb20d821d
Sigma Integrated
Install a DLL in frack113 be95596fb6d8cc314866c51a 0 0
Rule Set (GitHub)
System32 6a23033b83818ee8
ed239970ee8d5e197f594aac
Powershell Sigma Integrated
frack113 c2fd6f6f6d3dae189b2b2aaea 0 0
Keylogging Rule Set (GitHub)
8c2f5d100939e42
Powershell ed5457ba384a36ef60723b4f
Joe Security Rule
Launched By Joe Security a6a186fb0048d8947aa3ad64 0 0
Set (GitHub)
Winword ee30284ed1b8b658
Powershell b3caa02d87fceb141c3eb2e3
Sigma Integrated
LocalAccount frack113 715d1290976d6fdb56070c03 0 0
Rule Set (GitHub)
Manipulation 362cd1fb6808f95d

Powershell Store dabcdcdecebe87ed3085b193


Sigma Integrated
File In Alternate frack113 d3ed09029f3556672622b42d 0 0
Rule Set (GitHub)
Data Stream 5759dc816f0b6173

Powershell 7cf1e08df2c1e71b9ecbab0ba
Sigma Integrated
Suspicious frack113 652d8d7adc890f53db8c630b 0 0
Rule Set (GitHub)
Win32_PnPEntity 859d32064f3eb3a
d31a6afb995dab0473ccaefae
Powershell WMI Sigma Integrated
frack113 327155cd4ba87afbabf6a872 0 0
Persistence Rule Set (GitHub)
553475c50bb7182

.in
Powershell f5d1804b36d00e52057d36ac
Joe Security Rule
download file Joe Security 92f04d0f6434083c9a000d91 0 0
Set (GitHub)
and shellexecute 6380a1c01f1c01c2
Powershell
download file
from base64 url
Joe Security
df
Joe Security Rule
Set (GitHub)
197268256285c42b2e838f02
7388654e2a212ce987a525c6
d95784c7abb2d786
0 0

2daf820a836b6725473b0e6e
Powershell Joe Security Rule
ap
Joe Security f3075aff5f25c39f1613ea91e0 0 0
launch wscript Set (GitHub)
98fa179d7a30a6
Powershell load e4b3ed1b620f60e713a7faf98
Joe Security Rule
assembly from Joe Security 4b8fa2b870914dfe494ac56f9 0 0
Set (GitHub)
internet 9bffbb5133e11f
st

Powershell load 5388b2590b9ed2f4d530c9ea


Joe Security Rule
assembly from Joe Security c824a7ddde5512e4224c1a64 0 0
Set (GitHub)
registry b5a6da98fee0fbeb

Powershell sleep 1f9a2d4cfcbbab989273e05d8


In

Joe Security Rule


and launch Joe Security 1a5ab3ca1e580cddc3b83970 0 0
Set (GitHub)
executable 7dc19d6731f93a9
Powerview Add-
Samir Bousseaden; Roberto d52fe14049b24733e329f274
DomainObjectAcl Sigma Integrated
Rodriguez @Cyb3rWard0g; 322c156982d55e21e66e2575 0 0
DCSync AD Rule Set (GitHub)
oscd.community 8d8e7bc91aa8c4fe
Extend Right

Predator The SOC Prime Threat 1f8699a3474b828805b77c6e


Thief (command- Ariel Millahuel Detection d86f5b86087391365eed2339 0 0
line detection) Marketplace 92d6ac3d289bc822

Predator The SOC Prime Threat 5422d5ef2c42f4981afdae1e5


Thief (command- Ariel Millahuel Detection ad6c5159df8099190c17da49 0 0
line detection) Marketplace 7f76919f0cfbcfc
c865945cbecb1d16e71f70bb
Prefetch File Sigma Integrated
Cedric MAURUGEON af2926d63799a2a7a109ded5 0 0
Deletion Rule Set (GitHub)
95203301bc777f0d
PrintNightmare 9994b75f6dfdb006404fdee33
Sigma Integrated
Powershell Max Altgelt, Tobias Michalski 726452e641b8b07bbd4b6c7 0 0
Rule Set (GitHub)
Exploitation 9f61249f3ef3c1d3

SOC Prime Threat 16ca1eb37f09dfe266d25530


Printer Service
Den Iuzvyk Detection 18aa5c7f236b3fe27572ab12 0 0
Modification
Marketplace 15a0f4fa1302f765
PrinterNightmare 093a9d8f83c2689c873979bf8
Markus Neis, @markus_neis, Sigma Integrated
Mimimkatz 7e2d4d8082037d9d782bf32c 0 0
Florian Roth Rule Set (GitHub)
Driver Name a870205e3992ffc
Privilege 9a8a7c1b00c147f05b826124
Sigma Integrated
Escalation Patrick Bareiss 99df919b5a2fd429c3bb0c64 0 0
Rule Set (GitHub)
Preparation 866b947ab39671e8

ProLock SOC Prime Threat 6f434a5ccf3c234c99a17756d


Ransomware Ariel Millahuel Detection 76f7690d09d6c565f238cb77 0 0
Behavior Marketplace 186e687baae2278

ProLock SOC Prime Threat 7a7f19c4b3dd631c48ffccc30


Ransomware Ariel Millahuel Detection 2c2a36f81088073798fbc563b 0 0

.in
Behavior Marketplace 9c645f20f5fb19
0085bf33f8f7fe01581d6bf7c
Process Sigma Integrated
Ömer Günal, oscd.community 6463a6396d9843436e5c10f0 0 0
Discovery Rule Set (GitHub)
da6186171d0b9c8

Process Dump
via
RdrLeakDiag.exe
Cedric MAURUGEON
df
Sigma Integrated
Rule Set (GitHub)
5cdfd68738b7b527a6fe7958
d3484f9854aad921a6148f39
e7a6851417647792
0 0
ap
ProcessHacker 2149649a6e304c127fc371a6
Sigma Integrated
Privilege Florian Roth 342964619569b0ba1bcd812 0 0
Rule Set (GitHub)
Elevation d2381173324736db4
Processes
b956cdd9fcde5ccf08a7776e2
Accessing the Roberto Rodriguez (Cyb3rWard0g), Sigma Integrated
989b0bfad944b79dd75e20c1 0 0
st

Microphone and OTR (Open Threat Research) Rule Set (GitHub)


1d38bb24dbfbfc6
Webcam
Processes
accessing the
SOC Prime Threat 7b3cfa10cc9723d7c4fa50a1b
In

camera and
Den Iuzvyk Detection 3b77c1b9689fe594822023e0 0 0
microphone
Marketplace 9771ed6cbdce53f
from suspicious
folder
Program
22c7d8bc06e4a35a30455248
Executions in Sigma Integrated
Florian Roth 48896a9e21533b194fcdbca7 0 0
Suspicious Rule Set (GitHub)
ed641a2a8fa7a4de
Folders
Protected 67aa4f89c2b8f751b7be7a71
Sigma Integrated
Storage Service Roberto Rodriguez @Cyb3rWard0g 23233e4baca5464a20c273bf 0 0
Rule Set (GitHub)
Access ce1d81fcd1589781

ProtocolHandler. b886d124810a581d5017eaa5
Sigma Integrated
exe Downloaded frack113 d5eb0d9d6835919fc18f7f9b4 0 0
Rule Set (GitHub)
Suspicious File c5939e0fba81825
Roberto Rodriguez (Cyb3rWard0g), d8bd87c5bebb059ab6031d2
Proxy Execution Sigma Integrated
OTR (Open Threat Research), 484dd86fc3c0f14c4dcadd278 0 0
via Wuauclt Rule Set (GitHub)
Florian Roth 95205b1267ab7658
ProxyLogon
0c6a87dbb998eae574f7a831
MSExchange Sigma Integrated
Florian Roth 7bcb860cd4acabdaef209f25c 0 0
OabVirtualDirect Rule Set (GitHub)
80bc5fb2e54d5af
ory

ProxyLogon
bd2871cff93ff62a864fd7b4e1
Reset Virtual Sigma Integrated
frack113 3617d202605e22089c562c84 0 0
Directories Based Rule Set (GitHub)
540f8a8d25392b
On IIS Log
508460a99a052814512ff212
Ps.exe Renamed Sigma Integrated
Florian Roth e0f6f3bb5e1d3de21c79ff3e2 0 0
SysInternals Tool Rule Set (GitHub)
4f6d05463448b1d
d5a93fd832fa665cec13e7681
PsExec Pipes Sigma Integrated
Nikita Nazarov, oscd.community c2db65b6feb3c719a2ea43cf4 0 0
Artifacts Rule Set (GitHub)
08a884503fa0b3
1518bae3460d45d1166480cf
PsExec Tool Sigma Integrated
Thomas Patzke dbf8f19603549ebe5930c037 0 0
Execution Rule Set (GitHub)
d7001c15d30c322b
4b9b15bf02c7c8b9fd6f4a020
PsExec Tool Sigma Integrated
Thomas Patzke a6318957101b14776b4e6ab 0 0

.in
Execution Rule Set (GitHub)
6375abc57ce2d101
7f0d5bf894afae6dab8a01119
PsExec Tool Sigma Integrated
Thomas Patzke 7896b06675a9c3089b1b1ffff 0 0
Execution Rule Set (GitHub)
c6efca6e2eae29

PsExec Tool
Execution
Thomas Patzke
df
Sigma Integrated
Rule Set (GitHub)
8cab50a6d456060d4de01cc1
8fbe85b349cefb689386336cc
8fe05f8854c9f31
0 0

a140e6a4ca5fb32569012656
PsExec Tool Sigma Integrated
ap
Thomas Patzke b50cf8d077ed195688bccda1 0 0
Execution Rule Set (GitHub)
b6cd6a7bcc32aea0
b677aa8615b26b7047d758b
PsExec Tool Sigma Integrated
Thomas Patzke 5e937e92d67219dafb0f4168 0 0
Execution Rule Set (GitHub)
698b819a2fd7dd925
st

cbdad3dc58dae0d5b7ccf82a
PsExec Tool Sigma Integrated
Thomas Patzke 897b981e992a31f8f2a45d86f 0 0
Execution Rule Set (GitHub)
b8554c1c5bafdb4

SOC Prime Threat 63753d667c596fd59cca6de2


In

PsiXBot Malware
Ariel Millahuel Detection 77c7a4f8062dd47fb2ae19a1 0 0
behavior
Marketplace efdda0cbb8d7692b
959d7cd5c3bea11a5cd18369
Psr.exe Capture Sigma Integrated
Beyu Denis, oscd.community 3349bf492efb4f2d787903a7c 0 0
Screenshots Rule Set (GitHub)
74a5c24cbc60b34
Publicly 84b66d47b8f699ef0111cfc0d
Sigma Integrated
Accessible RDP Josh Brower @DefensiveDepth 68cdc2be9451bc55091156ee 0 0
Rule Set (GitHub)
Service 5cbb23cce133b76
Pulse Connect
ab8e48d7ca9cf33f92ac8c77e
Secure RCE Sigma Integrated
Sittikorn S 2ba4f029ae209d2bc21b576b 0 0
Attack CVE-2021- Rule Set (GitHub)
7d3870ff51a9215
22893
Pulse Secure a4eac94c575b5162661af988
Sigma Integrated
Attack CVE-2019- Florian Roth 8cf6bf6e1c6b2765b9129be1 0 0
Rule Set (GitHub)
11510 5a313f4f596de87b
3c12c79f550c4f0f3128094db
Sigma Integrated
PwnDrp Access Florian Roth 8b532ddb7997afc5d22889d5 0 0
Rule Set (GitHub)
46ed3c68317e67c
e4d5f1be0673fa786cc8379c1
Python Initiated Sigma Integrated
frack113 5338af08cdd11eed433bead9 0 0
Connection Rule Set (GitHub)
e801d6204d42a2d
c355e46fd180c68033fae6aa2
Python SQL Sigma Integrated
Thomas Patzke 64ce176fc46107a47b4ad0a2 0 0
Exceptions Rule Set (GitHub)
2812ae40f1fd65b

SOC Prime Threat 1946000b4b23e17072b4e16f


Pyvil RAT Ariel Millahuel Detection 69f6d214b8cd744492cfc3d80 0 0
Marketplace 9c91c0250a9329a

SOC Prime Threat c272bf0614a45f345c008e393


Qealler
Ariel Millahuel Detection b47040de6ef75f4a3e349485 0 0
Detection Rule
Marketplace 3f36aa9768f0736
QuarksPwDump d5fafba749f09175307d78b0d
Sigma Integrated
Clearing Access Florian Roth 786f5482b76b825bb977157b 0 0
Rule Set (GitHub)
History 90e432409119ff4
4517db7f1f005bd0a18fc8081
QuarksPwDump Sigma Integrated
Florian Roth dbef15a21dede187d618c626 0 0
Dump File Rule Set (GitHub)
99e3b1d8668580b

.in
Quick Execution
ed973bd3154186b4b9179b4
of a Series of Sigma Integrated
juju4 00d5cad9f28291698fa06658 0 0
Suspicious Rule Set (GitHub)
8f22e9cc1fb5f8ed9
Commands

Qulab Trojan
(Covid-19 abuse)
Ariel Millahuel
df
SOC Prime Threat 15e1323de6b754fd8ed09a65
Detection
Marketplace
a9756cee2a8cab604d50013e
f15dfb651b0154ef
0 0
ap
SOC Prime Threat 36a825331394fd916bee36fd
Qulab Trojan
Ariel Millahuel Detection bd94d6fc383f14774529b3c9f 0 0
(Covid-19 abuse)
Marketplace acc40eb7f1ad066

SOC Prime Threat 82a3dfab9619a2d77e3d2866


st

Qulab Trojan
Ariel Millahuel Detection 4ef300769a61d65c3e3b1739 0 0
(Covid-19 abuse)
Marketplace dda336dc4af6cee0

SOC Prime Threat d2fd35d9e091008717a1ddb2


In

Qulab Trojan
Ariel Millahuel Detection ba521ecdd25ba3b5491c7191 0 0
(Covid-19 abuse)
Marketplace 79b54b0b099349cb

SOC Prime Threat d107f1b47b43fc725572a5dc


RATicate Group
Ariel Millahuel Detection 8b69c66ee12cc6062ee0a67c 0 0
behavior
Marketplace 4a35ac7cb778d95b

RDP Dashboard SOC Prime Threat 71a226733f7f12aa303328c54


(Overview SOC Prime Team Detection 2409ef9b1016c750c4a8f78c8 0 0
Query) Marketplace 6a615e3da3cf6a

RDP Hijacking. SOC Prime Threat 5af33fb9edf5af983870138dd


Last logged-on Den Iuzvyk Detection 17270a22ec3c4046fa58eb0a 0 0
user changed. Marketplace 27c209c5951b03c
3895d9722610797e2eb09dca
RDP Login from Sigma Integrated
Thomas Patzke 91e1a804bb4eec6cc1ca5b81 0 0
Localhost Rule Set (GitHub)
a937f13e4adc81f6
RDP Over 0fc2c398ce1141e654d51055
Sigma Integrated
Reverse SSH Samir Bousseaden a3df9803bd5e0031fec24100c 0 0
Rule Set (GitHub)
Tunnel f28a042b9b9df0a

RDP Possible
SOC Prime Threat ff0ab5b6cd3ebd7aeade8aa8b
Non User Login,
SOC Prime Team Detection 55790d7096ac7ba96d54a8ed 0 0
Abnormal Screen
Marketplace 6587d0c5f25da39
Resolution
RDP over 9ac83d94dd47e5c8ac03b867
Sigma Integrated
Reverse SSH Samir Bousseaden 8d0569ce163716d072aa690e 0 0
Rule Set (GitHub)
Tunnel WFP e44b67d5ae12510a
REvil Kaseya
fc2108a980d79a05e920b28c
Incident Sigma Integrated
Florian Roth 15d995fa0652a1dda317ce1fa 0 0
Malware Rule Set (GitHub)
22da44d694541d3
Patterns

SOC Prime Threat c5bc56057878575689e1e806


Racoon malware
Ariel Millahuel Detection 2054f20ea3f118c0e52f17403 0 0
detection
Marketplace 445a2bb339ea3f9

.in
SOC Prime Threat ef297eac8d295b521dbb1e20
Racoon malware
Ariel Millahuel Detection 7df57db1a1e62453c926eed3 0 0
detection
Marketplace fd6bfc9460b6f6ed

SOC Prime Threat 016eb94fa1071faeb02a09e5


df
Ransom X
Ariel Millahuel Detection 2d8d7e64b3702d3e8cdbb12 0 0
Behavior
Marketplace 683eb99da9b3b4889
95b4be8473d9667e7c486d85
Rare Scheduled Sigma Integrated
ap
Florian Roth a5a38d5d2a0fe7d4716c8644 0 0
Task Creations Rule Set (GitHub)
8e7f15cbbd167c80
52bcf8d53a2e9861ebf212d6f
Rare Schtasks Sigma Integrated
Florian Roth b5c8c8000ff4ad6aef25806a2 0 0
Creations Rule Set (GitHub)
01b8115c7c5852
st

b4520bca6240f5cea8758ebfe
Rare Service Sigma Integrated
Florian Roth 31a5de0d007fb4ee971d1504 0 0
Installs Rule Set (GitHub)
eb4afaf9aaaf107
Rare
73526ac545356edf8d777186
In

Subscription- Sigma Integrated


sawwinnnaung 5258ba2671d34ed6c9c1e4e8 0 0
level Operations Rule Set (GitHub)
9dda4f64833fc5ca
In Azure

SOC Prime Threat a34ca7a1c15bec9b90de6c46


Rasautou.exe
Den iuzvyk Detection 395088c6d253b54b770a60de 0 0
execution.
Marketplace 680af7cd9943c085

Raw Disk Access a89a26f2bdfeb3c1f3e5ad8ac


Teymur Kheirkhabarov, Sigma Integrated
Using Illegitimate f0a4a51ef45bb9859403cee7f 0 0
oscd.community Rule Set (GitHub)
Tools 91739b74d79dec
df29e480a1da07c9864f41b5f
Raw Paste Sigma Integrated
Florian Roth 7bf34765c1d2ea9af15046dd 0 0
Service Access Rule Set (GitHub)
3aec14367536f8f
76a893bef53690d6ce976442
Rclone Config Aaron Greetham (@beardofbinary) - Sigma Integrated
7bd65300fe3d50440086afa7 0 0
File Creation NCC Group Rule Set (GitHub)
7a1b15d3f777d9c1
Rclone Execution
1f67c2169d6cb6e70c9bac22
via Command Aaron Greetham (@beardofbinary) - Sigma Integrated
b944ff64fa959097dba5e8b96 0 0
Line or NCC Group Rule Set (GitHub)
3852d6c58fc8e1a
PowerShell
2d7bbe44a845a98779776b8
RdrLeakDiag Sigma Integrated
Florian Roth 89cc1c74c4e424725151f7aae 0 0
Process Dump Rule Set (GitHub)
9eb73be3b70f4dac
Florian Roth (rule), Jack Croock e4f2c05322c3be28c50da390
Reconnaissance Sigma Integrated
(method), Jonhnathan Ribeiro 03b02312523eac5e2b83bf82 0 0
Activity Rule Set (GitHub)
(improvements), oscd.community 0349a063d6e18167
Reconnaissance a6adbabf733244eb498c551e
Sigma Integrated
Activity with Net Florian Roth, Markus Neis d9ba1387ba2997a06332e517 0 0
Rule Set (GitHub)
Command c89b955160edea9a

RedLine Stealer SOC Prime Threat 1d84ec4dfb91d5af2a7692cc3


(COVID-19 Ariel Millahuel Detection 7b5fe558279fe33b3b6ae373 0 0
Campaign) Marketplace 987f71ba7df5e8b

RedLine Stealer SOC Prime Threat 4f3bb7ac672f51adf9d944139


(COVID-19 Ariel Millahuel Detection cabbb66f52ef10a9abcfea24b 0 0

.in
Campaign) Marketplace 65ba3c1cfc1252
RedMimicry d6c33aea206d318b0bebc06a
Sigma Integrated
Winnti Playbook Alexander Rausch f8753c1497ad0abc154f4b62b 0 0
Rule Set (GitHub)
Dropped File e36cc3893897876
RedMimicry
Winnti Playbook
Execute
Alexander Rausch
df
Sigma Integrated
Rule Set (GitHub)
2c7173d7fd6c440ff57e03f67
e736353c0d299567579d7429
2ce79ddb87df5b7
0 0

RedMimicry 13e4345b125509a08fb73bfaf
Sigma Integrated
ap
Winnti Playbook Alexander Rausch 0cf1f2320148020c7e45ab1cf 0 0
Rule Set (GitHub)
Inject 8b47ef011db176
RedMimicry
86b53f7f939e5987f63a77e6b
Winnti Playbook Sigma Integrated
Alexander Rausch 31ad7f58f28592bead63b318 0 0
Registry Rule Set (GitHub)
94216d116ecd120
st

Manipulation

SOC Prime Threat 1544d96bd9a34be41d2e2c97


Redaman RAT Ariel Millahuel Detection 6346e9c6ced04c82b6490ad0 0 0
Marketplace 606f48640531400a
In

SOC Prime Threat ef28bd95f54d82f5f8245ca83


Redaman RAT Ariel Millahuel Detection 7359781d3cfb48f7f3e7401ef 0 0
Marketplace 6bbebff3dbea8e
f972e2d6ad7812da19ebfc6d
Joe Security Rule
ReflectiveLoader Joe Security 0e73c5dba52f470a48646159 0 0
Set (GitHub)
facd3ffa24e4d8df
RegAsm 4ff400ac692a7dca2bab429ba
Joe Security Rule
connects to smtp Joe Security e7ab6cb7f2bae4525b1ba942 0 0
Set (GitHub)
port 0ef0b5137ebf1d2
40b85d8543b5dc00f22211f0
Regedit as Sigma Integrated
Florian Roth dd2f05012b435d38fd8e1703 0 0
Trusted Installer Rule Set (GitHub)
70986c189a9b39f2
Register dll at
6e3d105ee67957d16975a4ff
autostart Joe Security Rule
Joe Security 8dcbbb38b9c8dd21ccd2dc07 0 0
location via Set (GitHub)
e9c194a6c153ba98
regsvr32
Register new f7cacbd7c0676adf78318bb6d
Roberto Rodriguez (source), Ilyas Sigma Integrated
Logon Process by 9de688bc97c4aa69d5afa2f1d 0 0
Ochkov (rule), oscd.community Rule Set (GitHub)
Rubeus 55866ce06b3867
Registry Dump of 3e6aec9c264981c1c738cf2bb
Sigma Integrated
SAM Creds and frack113 29a907f7fc01867b91cf31a6d 0 0
Rule Set (GitHub)
Secrets 4ba46d35129230
Registry Entries 4ad66d0e46670f58101e391a
Sigma Integrated
For Azorult Trent Liffick c2d114fc7e3b06243c7b8188 0 0
Rule Set (GitHub)
Malware 8faf05840934d168
e9fa03c18cdfe5568dbbe7586
Registry Parse Sigma Integrated
frack113 2d4ab693fba40025a197a202 0 0
with Pypykatz Rule Set (GitHub)
1d576f54e3eaf76
Registry
Persistence ca3672e906735c6f2aa0f7aa7
Sigma Integrated
Mechanism via Lednyov Alexey, oscd.community 3bd9796d29cd4f03ef8541b6 0 0
Rule Set (GitHub)
Windows bb17a0518502b51
Telemetry
Registry
661375a6a064f858d66665c1
Persistence Sigma Integrated
frack113 3895d00ce56bb356ccda48cb 0 0
Mechanisms in Rule Set (GitHub)

.in
c40727b9b6f4e220
Recycle Bin
Registry-Free f566e9fbc25004f90a7c50240
Sigma Integrated
Process Scope frack113 6100ff744d00b85ad929d568 0 0
Rule Set (GitHub)
COR_PROFILER a47872238e1af75

Regsvr32
Network Activity
Dmitriy Lifanov, oscd.community
df
Sigma Integrated
Rule Set (GitHub)
bcbb15efbb568b9a302a100e
8cea3e019b9b8d04fbcd5d17
a4439b424fe30e59
0 0

5105b3bed3732f01c5689b86
Relevant ClamAV Sigma Integrated
ap
Florian Roth 7054b8ff7c5645b8ef18842d8 0 0
Message Rule Set (GitHub)
9506409437037e9
b50b6d86173debc4d608b98
Joe Security Rule
Remcos Joe Security 1e7d6b5136092c515286d20c 0 0
Set (GitHub)
0eafcce3b7c411dde
st

Remote Code 38b612a88929aab8a1ee49b6


Sigma Integrated
Execute via Julia Fomina, oscd.community e7616c06ee06da5daeb4e09a 0 0
Rule Set (GitHub)
Winrm.vbs 215f9c865d870910

Remote Desktop SOC Prime Threat 96a069aeb5c6003d5e4ffe4aa


In

From Internet SOC Prime Team Detection f6d30be7b05d356c661367a3 0 0


(via audit) Marketplace 48514a7c2c5beac

Remote Desktop 257b13d5b7127756fd3872ae


Sigma Integrated
Protocol Use frack113 69c87afe430e3a8d7933cef87 0 0
Rule Set (GitHub)
Mstsc a19e05fc1658d70
1cde4fe7d0cd62ea67b1474e
Sigma Integrated
Remote File Copy Ömer Günal 3fd6fe9a6931bd8af934f3a5e 0 0
Rule Set (GitHub)
9b8c134d90bd7b5
Remote 1cef3fd3818cc81e0b14412af
Sigma Integrated
PowerShell Roberto Rodriguez @Cyb3rWard0g 94c6998bf6abb8a8d1f5ea34 0 0
Rule Set (GitHub)
Session 4f2457a1f880d4c
Remote 48a36a2180adc9f076d8a15c
Sigma Integrated
PowerShell Roberto Rodriguez @Cyb3rWard0g 870bb4583783f4984a012d21 0 0
Rule Set (GitHub)
Session d17fe64439511244
Remote d2a86c0c533d4197640ec374
Sigma Integrated
PowerShell Roberto Rodriguez @Cyb3rWard0g 2c4054be9017d215efd16a8d 0 0
Rule Set (GitHub)
Session 462456a23db8a109
Remote
PowerShell
6590a6d9a0f48ca7180efed5c
Sessions Sigma Integrated
Roberto Rodriguez @Cyb3rWard0g df2aadb0d828795034779b58 0 0
Network Rule Set (GitHub)
60a47b16c811835
Connections
(WinRM)
Remote Registry 89100186dc0ee80d9ed100f7
Teymur Kheirkhabarov, Sigma Integrated
Management 046a9a131a40270385fdcd89 0 0
oscd.community Rule Set (GitHub)
Using Reg Utility 94b102aa36f06ae5
Remote Service
046ceb0cf9b6078b4d6bd583
Activity via Sigma Integrated
Samir Bousseaden 847ee8a30ecc082fb018cd5d 0 0
SVCCTL Named Rule Set (GitHub)
e8af33d9203a2519
Pipe
Remote Task
fde467e8c3cd6651030d6082
Creation via Sigma Integrated
Samir Bousseaden 1479ab66e029e1c6541daa5a 0 0
ATSVC Named Rule Set (GitHub)
16b3611959c7b529
Pipe
Remote Task
236138dfbc31327293697d57
Creation via Sigma Integrated
Samir Bousseaden, @neu5rn 944480418437a91071cb427e 0 0
ATSVC Named Rule Set (GitHub)

.in
4f48f5755f2319df
Pipe - Zeek
Remote Task
SOC Prime Threat 92258356e34556c631e9519a
Creation via
SOC Prime Team Detection e4be82df3ecb4ccaf390d03c4 0 0
ATSVC Named
Marketplace
df 59a5df6a3705804
Pipe - Zeek
Remote WMI 820499826df98e19e14c24da
Roberto Rodriguez (Cyb3rWard0g), Sigma Integrated
ActiveScriptEven c63db285b19863b3c8af168e 0 0
OTR (Open Threat Research) Rule Set (GitHub)
tConsumers 63e83a6df9d864d8
ap
Remote
execution via sql SOC Prime Threat 375cb93c2bb69dad51d360b1
extended stored Den Iuzvyk Detection 936e69ba1b68424e34970ff0 0 0
procedure Marketplace b9b9c6b9c98f989f
xp_cmdshell
st

Remove Account 2b323eb1de293c4dbf91041f


Sigma Integrated
From Domain frack113 23c3507c4aaf71c4bc36b04cc 0 0
Rule Set (GitHub)
Admin Group b8fc5731995a398
In

Remove
Exported bdfd4f3c151a5adc98ef77f6ac
Sigma Integrated
Mailbox from Christian Burkard 75cdfd440bb51043d01c27b9 0 0
Rule Set (GitHub)
Exchange 4e2a5a63f4f4de
Webserver
Remove e28706c6a53a1d6ff5721149
Sigma Integrated
Immutable File Jakob Weinzettl, oscd.community 98015648c27e89167c103799 0 0
Rule Set (GitHub)
Attribute 05d0cbc361712d41
eef2c27cd98b92f6ac98d5b6f
Renamed MSHTA Joe Security Rule
Joe Security a781fc1ef9fcb1fc12f0e72db4 0 0
launching html Set (GitHub)
1aa0308a33ad7
a470fbf97e0f7a4d42fd59ad6
Renamed Sigma Integrated
Harish Segar, frack113 332c7521f57d919e725bc61c 0 0
Powershell Rule Set (GitHub)
84ea7ee2e451426
0d4118d9a3bcc02c529a5322
Renamed ZOHO Sigma Integrated
Florian Roth 214c7e45fc4ad36aec272ddc3 0 0
Dctask64 Rule Set (GitHub)
772230315188701
Replace Desktop 0f1aa746beaad206dc77bb85
Sigma Integrated
Wallpaper by frack113 42a498967f1fb26e0677a3fdf 0 0
Rule Set (GitHub)
Powershell 90cfd5cf5c22a75
Request A Single 7b7092f37f648c00a538947e
Sigma Integrated
Ticket via frack113 2cb178b5c50e31e552b8bff8 0 0
Rule Set (GitHub)
PowerShell 251ffaf4d4e49a68
Restore Public 1a859b52b21821dc4f0a817c
Sigma Integrated
AWS RDS faloker e7326759948e5b2065d0047 0 0
Rule Set (GitHub)
Instance 9202bffad5175fc08
RottenPotato 5389e8a683229a6fb7e29cc1
Sigma Integrated
Like Attack @SBousseaden, Florian Roth 7dff4e0811d8239798f60128c 0 0
Rule Set (GitHub)
Pattern 6f63871d4bececd
74f9a93f96bad4ba440f105a7
Rubeus Hack Sigma Integrated
Florian Roth 89ab5905ef284191baa10573 0 0
Tool Rule Set (GitHub)
7e7ac861d13bd44
Ruby on Rails b3e15ce29c0578285d8af1d8
Sigma Integrated
Framework Thomas Patzke 092873431b79ef0d74202d48 0 0
Rule Set (GitHub)
Exceptions d1b55dccaaa861de
Run CertUtil d10fe75d3edfe38a67c07061

.in
Joe Security Rule
from suspicious Joe Security 4eaf661fe0d608b0d0b81ed8 0 0
Set (GitHub)
location 8ad9673766b25eba
Run Once Task 0e31671617efd7f7d79bdc60
Avneet Singh @v3t0_, Sigma Integrated
Configuration in 259af085a8ceadd59619e28e 0 0
oscd.community Rule Set (GitHub)
df
Registry 3f3d57d90ed1501d
b0a64287d64cf778925e076c
Run PowerShell Sergey Soldatov, Kaspersky Lab, Sigma Integrated
13aae743cdb5da1000efa636 0 0
Script from ADS oscd.community Rule Set (GitHub)
d98364e0e42edf83
ap
Run PowerShell
64fc279e6738ccc6db931977
Script from Moriarty Meng (idea), Anton Sigma Integrated
799249729de73acffc5034f83 0 0
Redirected Input Kutepov (rule), oscd.community Rule Set (GitHub)
e3094bc34ab2011
Stream
4725cdcf2dfdd90c3aa0d331f
Rundll32 Internet Sigma Integrated
st

Florian Roth ae77d6ac8021c254701744a0 0 0


Connection Rule Set (GitHub)
1444af04e9a0e69
Running Chrome
09e6a0408f2c734eee75232a
VPN Extensions Sigma Integrated
frack113 b5bc1dd09b1be6e414b3e10 0 0
In

via the Registry 2 Rule Set (GitHub)


b4d2f9efdd69c2311
VPN Extension
cdbc62d2dc895924c046364f
SAM Dump to Sigma Integrated
Florian Roth 27452f287723a2b72efb654b 0 0
AppData Rule Set (GitHub)
a041280d91f69acd
SAM Registry d98473553a7ba81cf9e2ce17
Sigma Integrated
Hive Handle Roberto Rodriguez @Cyb3rWard0g e305853d35be853a95ef549f 0 0
Rule Set (GitHub)
Request c405dfa67f646391
4b5721fb3c1349a8cd1a6f9e8
SCM Database Sigma Integrated
Roberto Rodriguez @Cyb3rWard0g 7bed2fef39d379476067fe7fe 0 0
Handle Failure Rule Set (GitHub)
05c685e4a9a382
SCM Database 30a1135097fc1ebdc8fe0b030
Sigma Integrated
Privileged Roberto Rodriguez @Cyb3rWard0g 918fe2ad05ad4512d17062d8 0 0
Rule Set (GitHub)
Operation d1920bdd5cfbdbb
0f63070b903766c40f1681e4
SILENTTRINITY Sigma Integrated
Aleksey Potapov, oscd.community 4325de9e396c2b6dd03613b 0 0
Stager Execution Rule Set (GitHub)
2686896de828564fd
8275c8ed59f78788721cb0f9
SILENTTRINITY Sigma Integrated
Aleksey Potapov, oscd.community d2fe01fae3fbfd381cd3c846fe 0 0
Stager Execution Rule Set (GitHub)
2715c4a5f8adfc
982e0890a48832865614790
SILENTTRINITY Sigma Integrated
Aleksey Potapov, oscd.community 7a9d7da438f6a9b5f133b904 0 0
Stager Execution Rule Set (GitHub)
17b42dd585d158a15
d6d031ceeda5d6a3d7194bd6
SILENTTRINITY Sigma Integrated
Aleksey Potapov, oscd.community ec4d67e5ffb9cc743448939fd 0 0
Stager Execution Rule Set (GitHub)
f278463bdd3e686
e20a4ca9a2ec3dbe28c1851e
SILENTTRINITY Sigma Integrated
Aleksey Potapov, oscd.community cdb7656f0b386147843cdb3a 0 0
Stager Execution Rule Set (GitHub)
7f3d749bfb40defd
SMB Create 8ca9660ea1755b4e1702a1ca
Jose Rodriguez (@Cyb3rPandaH), Sigma Integrated
Remote File e3092454355f15fc519799fdb 0 0
OTR (Open Threat Research) Rule Set (GitHub)
Admin Share 87d3e6839afa23c
SMB Spoolss 01306ab05e6ee3fec1a74538
OTR (Open Threat Research), Sigma Integrated
Name Piped de482f1e109754346730be0a 0 0
@neu5ron Rule Set (GitHub)
Usage 73742b46a7c7eaeb
SMB single file
SOC Prime Threat 7ffa016b10d3241bd89a2006
created then

.in
SOC Prime Team Detection ec066c969c740b97ae3cf7ec5 0 0
deleted
Marketplace cc91eabf2c6335d
successively

SMBv3 SOC Prime Threat 5f65bceb308a9da7f66986e8


Compression Den Iuzvyk Detection
df 6311c701f4f34184d1833cfc7 0 0
Enabled Marketplace e465767fb18a102

SOC Prime Threat e0fca2cc0e2ed43fc1a0c7b39


SMInit exploit
Den Iuzvyk Detection 9ded68159180c4f82074a3f3 0 0
ap
chain
Marketplace 124e26c3139fc6e
SMTP Email
containing NON SOC Prime Threat 5b50e56fccf5b9b41516c2fc1
Ascii Characters SOC Prime Team Detection 4cbfb85fad941e5eacb051891 0 0
st

within the Marketplace a2493db49fac93


Subject
225f115c0a824b3ec735568b
SOURGUM Actor Sigma Integrated
MSTIC, FPT.EagleEye 05a49394fa6da38bcdc9e2f71 0 0
Behaviours Rule Set (GitHub)
In

661b34a9bde1c53
SQL Client Tools
8e776e236be945ae976b2513
PowerShell Sigma Integrated
Agro (@agro_sev) oscd.communitly cef49318e8986b57ab334e2a 0 0
Session Rule Set (GitHub)
8f2a9968f4a3081d
Detection

SSH Inference SOC Prime Threat 213b04a00fc3394df6cb347b


Abnormal Client SOC Prime Team Detection 642ceb29f5e7294a1d6d7203 0 0
Activity Marketplace e21998962369643a
SSHD Error 5ac7c90edd2ba8133a86c284
Sigma Integrated
Message CVE- Florian Roth d95dae84b58026895599a49 0 0
Rule Set (GitHub)
2018-15473 43646e0e39367e995
STOP
Ransomware and SOC Prime Threat 4ae55153d32cc3b88c7e99d1
Vidar Ariel Millahuel Detection 2dbcc4db828e7f96ec3ccbe3b 0 0
Ransomware Marketplace 8f662ef4d09e2ef
detection
STRRAT Behavior SOC Prime Threat 37be2d5ff063bab1272d9db2
(Sysmon Ariel Millahuel Detection 6a35c83920a7ad21e155ae6c 0 0
Detection) Marketplace 12c1730446b5194d
bfad2de2a3ff697a6170b4899
SVCHOST Sigma Integrated
Florent Labouyrie 03df374d7555714e903a5cd7 0 0
Credential Dump Rule Set (GitHub)
64894bec8d7b4df

SOC Prime Threat dacddd5435eda2fc54dcf6d58


Sakula RAT Ariel Millahuel Detection 5d0e82a0379e27c838a82beb 0 0
Marketplace c8ec9f0c0ac9921
SamoRat
SOC Prime Threat 2fbdd381a1c20671e2c9bd73
Behavior
Ariel Millahuel Detection 3e716a02c99a470023981c60 0 0
(sysmon
Marketplace de3e3402ff08313f
detection)
Sapphire
SOC Prime Threat af5ee1ff302412603f190ad74
Ransomware
Ariel Millahuel Detection d459219970f99e1b5a92d952 0 0
(Sysmon
Marketplace a2e953f522b38c3
detection)
Scanner PoC for 6b75b0b00b5529a6a6d3fcf1f

.in
Florian Roth (rule), Adam Bradbury Sigma Integrated
CVE-2019-0708 f03341ca43c3fa7fdfcc055f26 0 0
(idea) Rule Set (GitHub)
RDP RCE Vuln dd0ba221f2213

SOC Prime Threat e1354c1cc16fda38432e3dd0


Scarab
Ariel Millahuel Detection
df 1a191f253341fe937e231562 0 0
Ransomware
Marketplace 38d85e90d8191395
Schedule Task
SOC Prime Threat c155230c5fcc90d90646898aa
Access or
SOC Prime Team Detection 82112b6f73ac2e0dc430ad9d 0 0
ap
Manipulation
Marketplace ce7826e28297cdf
over SMB
80a5b002421fe7261fe436fe3
Schedule script Joe Security Rule
Joe Security 4fde2f1e2a0b5b1d5fb7fee3b 0 0
as task Set (GitHub)
2afe02f76952ba
st

17e54e203e8a8aa2c9b91420
Scheduled Cron Sigma Integrated
Alejandro Ortuno, oscd.community 2cbafe7a371b6019f97729b8 0 0
Task/Job Rule Set (GitHub)
3dc10a8f643dc884
572b438b19c769d86cabf9aef
Scheduled Cron Sigma Integrated
In

Alejandro Ortuno, oscd.community 66e7f6d1cadfa28c31734af9c 0 0


Task/Job Rule Set (GitHub)
c9577e10af72b7
53299fc80451ec1c374dc7dca
Scheduled Task Sigma Integrated
David Strassegger d4c9aee3f98bd1defb1b23e0 0 0
Deletion Rule Set (GitHub)
2900f2cf17d8c14
4b0543e80b3bd16b1e6ea91
Scheduled Sigma Integrated
Ömer Günal, oscd.community 9e7bc4a108b206468266597c 0 0
Task/Job At Rule Set (GitHub)
7a5147cd615f35fe3
f4a2d13a06a29fbf2313f8875
Screen Capture - Sigma Integrated
remotephone, oscd.community 3ab9955589a7aef45cfb0faea 0 0
macOS Rule Set (GitHub)
108c5bfac59ab3
ea2f87ff45a684c78cb46d65a
Screen Capture Sigma Integrated
Pawel Mazur f3705037b7721905ce237e6d 0 0
with Import Tool Rule Set (GitHub)
aa335a3fd7b5769
c3c6c21ad23cac48bdee8d46
Screen Capture Sigma Integrated
Pawel Mazur a0a64de20e48510c5ed1617d 0 0
with Xwd Rule Set (GitHub)
23cb328129b7f580
Script Host SOC Prime Threat fcd207e8b19603f1d4e5450c
Engine Den Iuzvyk Detection 04a2007f88780ea51861992a 0 0
Modification Marketplace 3e346474d646cbbd
SectorB06
SOC Prime Threat 6ffdda4e9d83f1b99a9956882
Behavior
Ariel Millahuel Detection 2f16d5a5a458ffccdb25fad46 0 0
(Sysmon
Marketplace 9aaf2dbb8f0dd9
detection)
183ca715ffa97f30b076bb2c8
Secure Deletion Sigma Integrated
Thomas Patzke 793c0cb64221f3ad05c65fb42 0 0
with SDelete Rule Set (GitHub)
5e3a38faac3645
f32dc431e5951341656e9d55
Security Event Sigma Integrated
Saw Winn Naung c58e0047b56f1beee18a05bd 0 0
Log Cleared Rule Set (GitHub)
2b1e816ddbd10a17
152b1150f7da94998822f9e5
Security Eventlog Sigma Integrated
Florian Roth 5f3591b37d319fd7ce375004 0 0
Cleared Rule Set (GitHub)
d24703a99aa957a5
e20a3a5b38df7ceb5e947124
Security Eventlog Sigma Integrated
Florian Roth 85f6285fdd2ca0b40cf0a5eed 0 0
Cleared Rule Set (GitHub)
31a42bbc779e4ff

.in
Security 62a85e4a565b5b8609540a8a
Daniil Yugoslavskiy, Sigma Integrated
Software ab58fbf730dd8330b219cb92 0 0
oscd.community Rule Set (GitHub)
Discovery da87bb5be582ebeb
Security 96f1ded9c8d78d6aecb533a9f
Daniil Yugoslavskiy, Sigma Integrated
df
Software dde682e09aa97bc94f4d21bd 0 0
oscd.community Rule Set (GitHub)
Discovery 39577705c1d7547
Security
f02d9a0f1e4d862f9d1b1d10a
Software Sigma Integrated
frack113 2f43de36d855212d5a70b671 0 0
ap
Discovery by Rule Set (GitHub)
a8493d53a1b1722
Powershell

Serv-U
624b1600e93d3b9c6146b01
Exploitation CVE- Sigma Integrated
Florian Roth 36e00c73c8c809fe24a3f5299 0 0
2021-35211 by Rule Set (GitHub)
st

cbd4de5d727d1833
DEV-0322
Service Control
Manager SOC Prime Threat b7809c2203acd7e06846efb5
In

Communication( Den Iuzvyk Detection d0cddd1ab656f1e9f41b1f1bb 0 0


RPC/TCP) Marketplace ff1bf84603a0a48
Modification
Service
3a4567bd735e7ae20a9b3bf3
ImagePath Sigma Integrated
frack113 921ad6e9acdec3b957cdbdb4 0 0
Change with Rule Set (GitHub)
eebfd6feed5670d3
Reg.exe

Service Registry 12c54ba61c9b654789342d68


Sigma Integrated
Permissions frack113 9a197406cec675bbda5716b7 0 0
Rule Set (GitHub)
Weakness Check 749539b147856e21
8c6d633ce7d27d281b8cc113
Sigma Integrated
Setuid and Setgid Ömer Günal ebb409901529acad5564c5a8 0 0
Rule Set (GitHub)
758ac987fc31b2b7

SOC Prime Threat 3dbc7016da1cb9e2f97a1a07


Shared Webroot SOC Prime Team Detection a36ceac8fa6a6df1669425785 0 0
Marketplace 241bc69b0d6d966
SOC Prime Threat 31cfc7594bce0379cd087a7f0
SharpRDP
Den Iuzvyk Detection fc2e2da4a491ff6b2df31db44 0 0
execution
Marketplace 7eac7eec8b2d22
c6e62a3980f00e65b47fe7e5
Shellshock Sigma Integrated
Florian Roth da5be2a0c6a37bd3ba4b893e 0 0
Expression Rule Set (GitHub)
e3c533fea9a42f74
Alina Stepchenkova, Roman 357adfc0bd514a2087509d1a
Silence.Downloa Sigma Integrated
Rezvukhin, Group-IB, 67412a62f8823fd9caa3b6bcb 0 0
der V3 Rule Set (GitHub)
oscd.community 80328828f9ed240
48a4a06b77cb84b45614503f
Silence.EDA Alina Stepchenkova, Group-IB, Sigma Integrated
3dd1035f0a83b236c4f840f9f 0 0
Detection oscd.community Rule Set (GitHub)
eab9be366a47d1d
SilentProcessExit 11ecefcf79daf3998440bd34d
Sigma Integrated
Monitor Florian Roth 870da91d9c7644eb708e0f93 0 0
Rule Set (GitHub)
Registrytion 3349a5ec077fc87
SilentProcessExit
04ff5b08364c475a03462281
Monitor Sigma Integrated
Florian Roth 2a1a7c93e181b8b348d6dc3b 0 0
Registrytion for Rule Set (GitHub)
1fe28b11828e7d23
LSASS

.in
Silenttrinity 6a6afb8a168ede702164bc11
Sigma Integrated
Stager Msbuild Kiran kumar s, oscd.community 69f8f046647310ca518ed5dd 0 0
Rule Set (GitHub)
Activity 776966148a0e9532
Sitecore Pre- ad5d590f46596f06240eee45
Sigma Integrated
df
Auth RCE CVE- Florian Roth 86f7acc7d925fcf0ea9f364266 0 0
Rule Set (GitHub)
2021-42237 b902bedd614224

SOC Prime Threat 0f0b6b52e3342eb0329e8ff51


Smoke Loader
Ariel Millahuel Detection f0683aa5892c55d6d44aa49fc 0 0
ap
Behavior
Marketplace dbdf0f25761103

SOC Prime Threat 8d6d3b800ba936bb6910fd8b


Smoke Loader
Ariel Millahuel Detection bf9551207e2288db95a5dafa 0 0
Behavior
Marketplace 6474e8a1d2f2d5fc
st

c070e2f2f992c0ce37ed49db7
Sofacy Trojan Florian Roth, Jonhnathan Ribeiro, Sigma Integrated
2f4c8ea1c3a9cc853e61535bd 0 0
Loader Activity oscd.community Rule Set (GitHub)
2625b5ae688b78
In

Solarwinds
Launching SOC Prime Threat 30b4784c9d03d78a809bed19
Powershell With SOC Prime Team, Microsoft Detection df233f6f95fc2c8325b32af97e 0 0
Base64 Encoding Marketplace 0b1b8d24c6676e
(via cmdline)
Solarwinds 81250a3a43500530ef04ff62b
Sigma Integrated
SUPERNOVA Florian Roth 918cc5690b18cc4d09b4f773 0 0
Rule Set (GitHub)
Webshell Access 15012231acaa8bd
Solarwinds
launching SOC Prime Threat 0174ab54fed285f5c38eceee1
cmd.exe with SOC Prime Team, Microsoft Detection 97f8a60debfec2c3aa5906040 0 0
echo (via Marketplace 79831c288a9fb6
cmdline)

SonicWall e272203177abd4fd109dd93a
Sigma Integrated
SSL/VPN Florian Roth e0e9913836f80a81b43eec0c 0 0
Rule Set (GitHub)
Jarrewrite Exploit 819720c72843582c
Sophos Firewall
SOC Prime Threat abea43cce1ab59b98d083a4b
Zero-Day
Ariel Millahuel Detection c5077c3e4acd49c745ee202f3 0 0
explotation
Marketplace 92405853fd46664
(Asnarök attack)
Source Code
91e80be4f3cb482bed8e242e
Enumeration Sigma Integrated
James Ahearn b9e418e4fee5b1aaf32e61f4a 0 0
Detection by Rule Set (GitHub)
e6d7def7d537d66
Keyword
96dade50824ff0a3a7ba5d5a
Space After Sigma Integrated
Ömer Günal 9abc82419f0df174afff971fe0 0 0
Filename Rule Set (GitHub)
d7d87e74061785
Space After 2b3ab43da00d1cb60c0d3f83
Sigma Integrated
Filename - remotephone 7ce61f81355c37b68a1c3e82 0 0
Rule Set (GitHub)
macOS 6e66d68962c57752
3adbeb64ee2cc89f2825fbd13
Split A File Into Sigma Integrated
Igor Fits, oscd.community 3547fe3d84aac1ee5d48faaf2 0 0
Pieces Rule Set (GitHub)
375b7c8364f74b
712e9f7f7214c248ff6777f914
Split A File Into Igor Fits, Mikhail Larin, Sigma Integrated
a1cf282ba49bc580bbbe4bb4 0 0
Pieces oscd.community Rule Set (GitHub)
0a38cfacec7927

.in
Spring b9855abb1feaca99e5181199
Sigma Integrated
Framework Thomas Patzke bf4d256c29f0150d137ed61e 0 0
Rule Set (GitHub)
Exceptions 9cef83ce27764295
80c9078b4f0a214125069612
Sigma Integrated
df
Startup Items Alejandro Ortuno, oscd.community 51c7253e037afc83c8a88cd36 0 0
Rule Set (GitHub)
2377082d1efaa30
Steganography 9e28a144fe3121ecd3d91e84
Sigma Integrated
Extract Files with Pawel Mazur 6d0e1d5fb7be043db90ebdcd 0 0
Rule Set (GitHub)
ap
Steghide a4ce1ddc629e0b78
Steganography 2bc5697bb7a12c272490c67a
Sigma Integrated
Hide Files with Pawel Mazur 3d83002e19dfb4722525786e 0 0
Rule Set (GitHub)
Steghide 91a4fba4c8b9ee97
Steganography
bb93f264dbaa005c9bc379b7
st

Hide Zip Sigma Integrated


Pawel Mazur db5eaa5cd680009288c824a9 0 0
Information in Rule Set (GitHub)
916340aef05188bc
Picture File

Steganography
In

100e9962a68f74be52b70ad1
Unzip Hidden Sigma Integrated
Pawel Mazur 1285a16a1d1aa29e419831b6 0 0
Information Rule Set (GitHub)
0158672ee356b344
From Picture File
Florian Roth, @twjackomo, 210403ed0765f9206944ba0e
Sticky Key Like Sigma Integrated
Jonhnathan Ribeiro, 7ae9a7fed3b74606aa7d5def 0 0
Backdoor Usage Rule Set (GitHub)
oscd.community d92b45c7565c50b4
Florian Roth, @twjackomo, 846842612cb81a07c0a4439f
Sticky Key Like Sigma Integrated
Jonhnathan Ribeiro, 34127f7229a040a0618300a9 0 0
Backdoor Usage Rule Set (GitHub)
oscd.community 62ad5a95316f5417
Florian Roth, @twjackomo, baf8cb1a268fb3d9173b5474
Sticky Key Like Sigma Integrated
Jonhnathan Ribeiro, a184cb8fd04489192832ac12 0 0
Backdoor Usage Rule Set (GitHub)
oscd.community dcd4d826248523b2
09c420a38066758c0236577c
StoneDrill Service Sigma Integrated
Florian Roth cb5fd401e138351217d25dbe 0 0
Install Rule Set (GitHub)
ae1220521c446472
7c4cece5b540c72f100dd8b8
Stop Or Remove Sigma Integrated
frack113 b7fc1c10727460ec0f36c7524 0 0
Antivirus Service Rule Set (GitHub)
9e28ed51d6348ef
Successful e33130e6f328543f0b8bb35ef
Sigma Integrated
Exchange Florian Roth, Rich Warren 1bb2f92e015fe84965c32bf1d 0 0
Rule Set (GitHub)
ProxyShell Attack 82d85dd00e1c1c
Successful IIS a46c1f051bcaa146c4a9adddc
Sigma Integrated
Shortname frack113 286b70714cb1365fe10a19aa 0 0
Rule Set (GitHub)
Fuzzing Scan 2dcc7fd1aaaaf0f
Sudo Privilege 01dc28806687bbabc12e4c23
Sigma Integrated
Escalation CVE- Florian Roth cb8e022a4a81f459e26a267f3 0 0
Rule Set (GitHub)
2019-14287 4656b9e1aedf31e
Sudo Privilege 1ddcb9d1b179a17e011ac90c
Sigma Integrated
Escalation CVE- Florian Roth 0294b7768bd99cc9d2a79c0d 0 0
Rule Set (GitHub)
2019-14287 f5506d870771953c
Sudo Privilege 284295b46bb8dd089813e30
Sigma Integrated
Escalation CVE- Florian Roth 5d695c5a0d85a5bde29f85e0 0 0
Rule Set (GitHub)
2019-14287 14d643b3cf63bbeb7
Sudo Privilege 37747140310b15c961b277ca
Sigma Integrated
Escalation CVE- Florian Roth 418c6bcac1cfbd1a54e54df2a 0 0
Rule Set (GitHub)
2019-14287 20cf743aa17f317
Sudo Privilege 75e40e43cc29db5d459f59bc

.in
Sigma Integrated
Escalation CVE- Florian Roth c8d869264e37cb55976f57b0 0 0
Rule Set (GitHub)
2019-14287 d731c18039306935
9fc70bf733b29bcd18e12529f
Suspect Svchost Sigma Integrated
Tim Burrell 975e24abdf01e3660221d791 0 0
Memory Asccess Rule Set (GitHub)
df f76d57e02e2d527
Suspicious ADSI- 39b6e2d47cbb2139a0b088fb
Sigma Integrated
Cache Usage By xknow @xknow_infosec 0f338071749fe923d01346e4 0 0
Rule Set (GitHub)
Unknown Tool 57f7ba2b0371e1b5
ap
Suspicious
c31fff6fad64dfd4138d6e166a
Access to Sigma Integrated
Samir Bousseaden 46e20bf4a25db7117bc20b82 0 0
Sensitive File Rule Set (GitHub)
965e7ed11982d3
Extensions

Suspicious
st

375d7fe36535214203bd98ae
Access to Sigma Integrated
Samir Bousseaden, @neu5ron 8bf81aecffb58ea5ae11de354 0 0
Sensitive File Rule Set (GitHub)
f0140e7390327e2
Extensions - Zeek
In

Suspicious
SOC Prime Threat 50e6edda507653e781908aed
Access to
SOC Prime Team Detection 57ac737c10463c8aa7a2b28e 0 0
Sensitive File
Marketplace c7724a716c0c9073
Extensions - Zeek
Suspicious 9f38dd0d0f681b4185f6a6008
Sigma Integrated
Activity in Shell Florian Roth d3904a10d8e2fe4e9dcf5aaba 0 0
Rule Set (GitHub)
Commands 007262f1230dcb
Suspicious 2abd81b6396ea687490b2d7
Sigma Integrated
AdFind frack113 03ce07c1abd135ba398d89ab 0 0
Rule Set (GitHub)
Enumerate 839c66e6a43f713f0
Suspicious b19ad60b757e0d750b6426b
Sigma Integrated
Bitstransfer via Austin Songer @austinsonger 1bf5fc68b705f7acf21dabd6e 0 0
Rule Set (GitHub)
PowerShell 2a59f369493ff2e8
7f495f7056b28211483e60f8f
Suspicious C2 Sigma Integrated
Marie Euler 0510254ee64903ec5d127b9b 0 0
Activities Rule Set (GitHub)
822b085833218e9
Suspicious
f73e458cd36aac62c3443939
Camera and Sigma Integrated
Den Iuzvyk 924222027b1344d84127a52 0 0
Microphone Rule Set (GitHub)
bf5623bcc692c86fc
Access
Suspicious Child Teymur Kheirkhabarov, Roberto 84856c029af862b4a726da59
Sigma Integrated
Process Created Rodriguez (@Cyb3rWard0g), Open 44e6a57aaed5fda15c317414f 0 0
Rule Set (GitHub)
as System Threat Research (OTR) 9afeb3941c0010d
Suspicious cf2baf60d63943d7200da283
Sigma Integrated
Cmdl32 frack113 91b4e63298b2d186faf45b49 0 0
Rule Set (GitHub)
Execution 9b001ca84dc882ea
Suspicious
Command Line
SOC Prime Threat 348e3e3f1264df658d94d7b4
Contains Azure
SOC Prime Team Detection 8e449838ca835512c3589152 0 0
TokenCache.dat
Marketplace 0db55b7b1f16160b
as Argument (via
cmdline)
3458d203410df750034bc6a6
Suspicious Sigma Integrated
Florian Roth cf707cf905639d4ded28fbafa 0 0
Commands Linux Rule Set (GitHub)
c96941e0a0ec53a
Suspicious

.in
Computer 367ee44bfca23688ae0b0af0a
Sigma Integrated
Account Name Florian Roth 5b6d5e824e751b28ac7849d1 0 0
Rule Set (GitHub)
Change CVE- 648bafb35b0448f
2021-42287

Suspicious
Connection to
Remote Account
frack113
df
Sigma Integrated
Rule Set (GitHub)
71f9611fe50b2788a25e6b1c
3fb3d035c5e04dfe73447ed1
85bfde157084fc72
0 0
ap
Suspicious 0791036b2af8420cef203df27
Sigma Integrated
Control Panel Florian Roth c7840172deaafc554441f24ba 0 0
Rule Set (GitHub)
DLL Load 507cd69d0d79e3

Suspicious Creation TXT File in User Desktop | frack113 | Sigma Integrated Rule Set (GitHub) | 965125e7c09a79de6429b9218659a7c8785c989273642091a7ebae3bfbe920c1 | 0 | 0
Suspicious Csi.exe Usage | Konstantin Grishchenko, oscd.community | Sigma Integrated Rule Set (GitHub) | d478344c6645595e8636745bd5f3fcc68955c4777726aba466ad93f133453add | 0 | 0
Suspicious DNS Query with B64 Encoded String | Florian Roth | Sigma Integrated Rule Set (GitHub) | 7c4c3ea7b520b1ed475e29a999863beeb5301ce2a0cee83a0b246f19f1e0601c | 0 | 0
Suspicious DNS Z Flag Bit Set | @neu5ron, SOC Prime Team, Corelight | Sigma Integrated Rule Set (GitHub) | 9520587a618269e5bf36ca31426edd352f0894b0dd96480e2a48554e5794148a | 0 | 0
Suspicious Desktopimgdownldr Target File | Florian Roth | Sigma Integrated Rule Set (GitHub) | b01cb061a8ed4c005cf232ea599f09e2e3fdcc4033c23e74729723958607fce3 | 0 | 0
Suspicious Diantz Alternate Data Stream Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 5888f710b830080c3505ccf3c3631d57eb9bd8be6b13d067fe7926dae9e72dc4 | 0 | 0
Suspicious Diantz Download and Compress Into a CAB File | frack113 | Sigma Integrated Rule Set (GitHub) | b05a48e704cc2fbb722e3b3533e7b741751d8699bff15f6f28571133fe7611da | 0 | 0
Suspicious Download from Office Domain | Florian Roth | Sigma Integrated Rule Set (GitHub) | a93dc62f3906167da8a6825eb9c1d7bd2ce6bfbb4ab3182329221f812e8374ee | 0 | 0
Suspicious Driver Loaded By User | xknow (@xknow_infosec), xorxes (@xor_xes) | Sigma Integrated Rule Set (GitHub) | bb97779ed58fef8b7d6843a16b444d10cebd87234c0aab09d85ee1151b982c8d | 0 | 0
Suspicious Encoded Scripts in a WMI Consumer | Florian Roth | Sigma Integrated Rule Set (GitHub) | 06b69d9fb47d54903b8bff29c64d3bc3ad88eab8d9196cef1ed669080b206973 | 0 | 0
Suspicious Execution from Outlook | Markus Neis | Sigma Integrated Rule Set (GitHub) | f9e5ca1d53357c6179a23ffe1ed388ebe305e69c24b43fd23804a567a490780a | 0 | 0
Suspicious Execution of Adidnsdump | frack113 | Sigma Integrated Rule Set (GitHub) | 5fcc3dcdd38e008741a75f024bab3a696ef8d9b4feba961448f2bbe027db5cf8 | 0 | 0
Suspicious Execution of SharpView Aka PowerView | frack113 | Sigma Integrated Rule Set (GitHub) | fcd75941371f1c365f40d29f8498522d49065fb5ad8dc28a97b979603a6333ba | 0 | 0
Suspicious Extrac32 Alternate Data Stream Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 908072bc38c223e94e034ac7acafdfda27359b429525af331f388a7ef0e2b66c | 0 | 0
Suspicious Findstr 385201 Execution | frack113 | Sigma Integrated Rule Set (GitHub) | d58a7bc786bd9e9a6ecc6de92ba386f2e8ff1b3b96a65d1cdaa66db5cd0b94d1 | 0 | 0
Suspicious Get Information for AD Groups or DoesNotRequirePreAuth User | frack113 | Sigma Integrated Rule Set (GitHub) | 1bccdc208f191ae10d0fa42675f08a37e14e4f39ff07da3fc0c15510993f6e9c | 0 | 0
Suspicious Get Information for AD Groups or DoesNotRequirePreAuth User | frack113 | Sigma Integrated Rule Set (GitHub) | a205be34057679bd055b1f3cb3fd18d4d31f2b0bd776288ccba6be10b5a818e0 | 0 | 0
Suspicious Get Information for SMB Share | frack113 | Sigma Integrated Rule Set (GitHub) | 78af9841681cc3ae06f2b42827aa5b5f54e7e1cd67967a87cc99a5e7d4cfe18d | 0 | 0
Suspicious Get Information for SMB Share | frack113 | Sigma Integrated Rule Set (GitHub) | 8f4c645fe661dc0ebdeff288f1761a20acf930f02e4c51bc48e6bafc245c1006 | 0 | 0
Suspicious Get Local Groups Information | frack113 | Sigma Integrated Rule Set (GitHub) | 098feee88c8a66070a3ec1f3c56be0ede46676cee2b799ba6d309360ce563ba7 | 0 | 0
Suspicious Get Local Groups Information | frack113 | Sigma Integrated Rule Set (GitHub) | 5ef6bc365a01e6ef90c1fc4f49006e9a8fe08e82c0a9ce80c10153915771547b | 0 | 0
Suspicious GrantedAccess Flags on LSASS Access | Florian Roth | Sigma Integrated Rule Set (GitHub) | ed9636ccdbf53d675f6ffecccee23b849237a42f01ec09ad9ebf4ac4ed4a3afb | 0 | 0
Suspicious HWP Sub Processes | Florian Roth | Sigma Integrated Rule Set (GitHub) | 609a26363ca1233fc9637c9ef8d9c18feb2dc0dcf6b98ccb949a1913e739c3dc | 0 | 0
Suspicious History File Operations | Mikhail Larin, oscd.community | Sigma Integrated Rule Set (GitHub) | 946d8ac00870587827118a553b9209dbf76acb7e909425d91f177bde98fc1401 | 0 | 0
Suspicious History File Operations | Mikhail Larin, oscd.community | Sigma Integrated Rule Set (GitHub) | a90720274637391656758b0a5ab9ec371918d4a1e9d3ac56fd4d0f8719a7da72 | 0 | 0
Suspicious IO.FileStream | frack113 | Sigma Integrated Rule Set (GitHub) | 08e71eab529494c6cef4d7f699f5d95c87b1d954ee61b6f061d7005246b726af | 0 | 0
Suspicious In-Memory Module Execution | Perez Diego (@darkquassar), oscd.community, Jonhnathan Ribeiro | Sigma Integrated Rule Set (GitHub) | 4e3a7d5df089d2d7c80cf84bbba4e8a4363101ac03f6a9c758101f0c1bb010a4 | 0 | 0
Suspicious Inbox Forwarding | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 487fc5687e250bef85f8102efa69086f801e489db41cb0f01c4bf4b1ed4827f3 | 0 | 0
Suspicious Interactive PowerShell as SYSTEM | Florian Roth | Sigma Integrated Rule Set (GitHub) | f8335c66f6b8aed850de5246bacec6f1eee18e5549c581e9892827d840e5720a | 0 | 0
Suspicious Kerberos RC4 Ticket Encryption | Florian Roth | Sigma Integrated Rule Set (GitHub) | 7f2bb7e386b3f3d057b64c70d36264a2c7163a1215e88b8731f9b87d919ca77d | 0 | 0
Suspicious Kernel Dump Using Dtrace | Florian Roth | Sigma Integrated Rule Set (GitHub) | f1a72edd07dd4c90ef3c56a4aaab9034ebe25d9a2b5d3e9de4deb8877f60ea24 | 0 | 0
Suspicious Keyboard Layout Load | Florian Roth | Sigma Integrated Rule Set (GitHub) | 1e8253d40fd15968a25971ec64e35f84f90536676b445d16184bde41a5fc6ba0 | 0 | 0
Suspicious LDAP-Attributes Used | xknow @xknow_infosec | Sigma Integrated Rule Set (GitHub) | 0730743577ad7cca001768987a40afda61d7838e179b9c8f1053e72a1459048a | 0 | 0
Suspicious LOLBIN AccCheckConsole | Florian Roth | Sigma Integrated Rule Set (GitHub) | bdd4b3cf901dc4fd7c4ee12323f20fd996bc0170c122f0566f5dbfbede875c23 | 0 | 0
Suspicious LSASS Process Clone | Florian Roth, Samir Bousseaden | Sigma Integrated Rule Set (GitHub) | 489015366445b29d739d0c35ebba4e9278457dd045568abcf2266370379e7944 | 0 | 0
Suspicious Load DLL via CertOC.exe | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 42f3abed5774e74cc80412cad617ceb1f8881fc484a38c351eed5b589c80dee3 | 0 | 0
Suspicious Log Entries | Florian Roth | Sigma Integrated Rule Set (GitHub) | 3b172a1d01b7c198d455c2a17e8ae127ce5f5dba1c75a0a99cc77599f4ca78f7 | 0 | 0
Suspicious MacOS Firmware Activity | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 71c75c172863712967d00b928953180528e3cb3b663a1722518a9271c3538625 | 0 | 0
Suspicious Multiple File Rename Or Delete Occurred | Vasiliy Burov, oscd.community | Sigma Integrated Rule Set (GitHub) | 5cbe938f157b387106147682e156a8efa2d8aeb5efce0266d3c0081b69e12678 | 0 | 0
Suspicious NT Resource Kit Auditpol Usage | Nasreddine Bencherchali @nas_bench | Sigma Integrated Rule Set (GitHub) | a5d0ee315323a7612e8c53b5bbcba868cb9cf4a4b8ca2b5850b97eaf2c03f1e6 | 0 | 0
Suspicious Named Error | Florian Roth | Sigma Integrated Rule Set (GitHub) | b8b5a8000383b99cb6f14f2e8f17d927da0e92e965c625faa3cabe1e72b84323 | 0 | 0
Suspicious Netsh Discovery Command | frack113 | Sigma Integrated Rule Set (GitHub) | 25c7926ea5dfde7ab41cd4aeebfb89e01d4dcb8b7243522af4f643f690d857c7 | 0 | 0
Suspicious New Printer Ports in Registry (CVE-2020-1048) | EagleEye Team, Florian Roth, NVISO | Sigma Integrated Rule Set (GitHub) | 2855d4d044bf08f00f380efb88fbd76fba4f8199fdab66a8c7aaad6d63bbe63e | 0 | 0
Suspicious New-PSDrive to Admin Share | frack113 | Sigma Integrated Rule Set (GitHub) | 9b5bc7e38efe4f1b17f2a923ca4fbbd1303baf2899f224b7e40278aea60cfc64 | 0 | 0
Suspicious Nmap Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 4225d7662d0eec6d20893e2e9f75328a37cc7a24ba7f1932e3c993cf482e46d5 | 0 | 0
Suspicious Non PowerShell WSMAN COM Provider | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | b42a14d4eb96ec45f6bc9ca190be91d043f6ead5ff998b704aabb76605041d4b | 0 | 0
Suspicious OAuth App File Download Activities | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | fa3f7119a0c19e9ddb6bf3defe5e0797888e23ec789c8f3357af53a5f70c3c94 | 0 | 0
Suspicious OpenSSH Daemon Error | Florian Roth | Sigma Integrated Rule Set (GitHub) | e0a89459a9f05d408d482b9640980fec9bab82d2dd11083d04356a4055021f78 | 0 | 0
Suspicious Outbound Kerberos Connection | Ilyas Ochkov, oscd.community | Sigma Integrated Rule Set (GitHub) | 55516cecb3b5273d1166f185e3e1bcd239eaaa5df10cea2fb888c3f4d4e4dbdf | 0 | 0
Suspicious Outbound Kerberos Connection | Ilyas Ochkov, oscd.community | Sigma Integrated Rule Set (GitHub) | 9c660d5fee16f15f8c327be10917fac3b7275a58ecb9ed73d49e0ac6c35a7df0 | 0 | 0
Suspicious Outbound RDP Connections | Markus Neis - Swisscom | Sigma Integrated Rule Set (GitHub) | dbfca88ab9ee6831be6d244ddd8d59d64840215c6266895aed60b0192f60f226 | 0 | 0
Suspicious Outbound SMTP Connections | frack113 | Sigma Integrated Rule Set (GitHub) | 3659f9925f327ac0ba2be9b3c8c7240f432c4b62f162b846c10410fff320b6f7 | 0 | 0
Suspicious PowerShell Download | Florian Roth | Sigma Integrated Rule Set (GitHub) | 0c6e3c35fbd166dc96fbf3faf4f052230a9cc9db642ee3bee40f5c94d5938d03 | 0 | 0
Suspicious PowerShell Download | Florian Roth | Sigma Integrated Rule Set (GitHub) | 124bf07ac70743e91b5698e3731aae0330fc182aa58036390f2a0457a90b5341 | 0 | 0
Suspicious PowerShell Download | Florian Roth | Sigma Integrated Rule Set (GitHub) | 69130b2eb287f08303a7092222cc3a0be896a066b64f8b32f96d08ff4708e37f | 0 | 0
Suspicious PowerShell Download | Florian Roth | Sigma Integrated Rule Set (GitHub) | 9d6bbc732c370aae45fda2c0c962d9136afa87ecd165064208cb40aa877e4e5b | 0 | 0
Suspicious PowerShell Download | Florian Roth | Sigma Integrated Rule Set (GitHub) | ddc4948cb3433762084af70db4c7d85a2cd1e48ee6ae8dc152412a50dfbb42db | 0 | 0
Suspicious PowerShell Invocations - Generic | Florian Roth (rule) | Sigma Integrated Rule Set (GitHub) | 3f1f1d4b840f1276832b328fab68511c28f6b7918e887279b03e6ea4735bef7d | 0 | 0
Suspicious PowerShell Invocations - Generic | Florian Roth (rule) | Sigma Integrated Rule Set (GitHub) | d0b30db49f680fc7c412d09dc2099e655eb262fd5ef5b03fb5304663ab79137a | 0 | 0
Suspicious PowerShell Invocations - Specific | Florian Roth (rule), Jonhnathan Ribeiro | Sigma Integrated Rule Set (GitHub) | 355b439d3a90c89090f6f266afd2306ad6a03e5ca79228ad1be6e9cb6940491b | 0 | 0
Suspicious PowerShell Invocations - Specific | Florian Roth (rule), Jonhnathan Ribeiro | Sigma Integrated Rule Set (GitHub) | 7d262d8417cb03b2a9d2b935ae55980f22abc3aa7cffc36e57eda761068226dc | 0 | 0
Suspicious PowerShell Mailbox Export to Share | Florian Roth | Sigma Integrated Rule Set (GitHub) | bdf323dec5fa58a6655db6a0ae8ed9322f1fae8288502705c60e0b1f38761a06 | 0 | 0
Suspicious PowerShell WindowStyle Option | frack113 | Sigma Integrated Rule Set (GitHub) | 5e2ea8c055dd73ea66238735323d0318c2a6c114047137146357b85f764b1101 | 0 | 0
Suspicious PsExec Execution | Samir Bousseaden | Sigma Integrated Rule Set (GitHub) | f04c595ca66281cfe11a9157fbeef36ddbee45cc4a5391471d010a08e4c14863 | 0 | 0
Suspicious PsExec Execution - Zeek | SOC Prime Team | SOC Prime Threat Detection Marketplace | 5c9d17e0b9843d06a6bdc67aa64f2d0c4823a01681a54c83d94c7e3c0bbe2c66 | 0 | 0
Suspicious PsExec Execution - Zeek | Samir Bousseaden, @neu5ron | Sigma Integrated Rule Set (GitHub) | eee9047f1507bcd02b641cb229c21f615af4fb70ba87dbff05842699503530b4 | 0 | 0
Suspicious RDP Redirect Using TSCON | Florian Roth | Sigma Integrated Rule Set (GitHub) | 2d1baec06e45f7d7bbd540486a817a6738253b8960068c5aee89c3123cfa1ac0 | 0 | 0
Suspicious RazerInstaller Explorer Subprocess | Florian Roth, Maxime Thiebaut | Sigma Integrated Rule Set (GitHub) | b656a8d4ce3cfd0545afa9a8754e22d2d051bd71f469b2d3d844ecf580dd0532 | 0 | 0
Suspicious Reg Add BitLocker | frack113 | Sigma Integrated Rule Set (GitHub) | 1e5c4651907cea569ba4493fc4d9c634d654da730dcdfa36412180bfb694dba9 | 0 | 0
Suspicious Registration via cscript.exe | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | cff1e1978dab401a82f456bac2436b263ce457f5ad9e3283c8d77f7ab885b87a | 0 | 0
Suspicious Rejected SMB Guest Logon From IP | Florian Roth, KevTheHermit, fuzzyf10w | Sigma Integrated Rule Set (GitHub) | f1f470f63c4d9b600bbc209212d3f1806b7b41154d14a15f0666241f96f786b1 | 0 | 0
Suspicious Remote Logon with Explicit Credentials | oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st | Sigma Integrated Rule Set (GitHub) | 3f8d6ccb4e7555cba08aa888810b970a1a0a1f79d2a65b51f323b466542ae099 | 0 | 0
Suspicious Reverse Shell Command Line | Florian Roth | Sigma Integrated Rule Set (GitHub) | 8e3a8f0b4e0bf72703dfa7509e194c8bd77b591184bf65292cf9c554fe5d7149 | 0 | 0
Suspicious Rundll32 Activity Invoking Sys File | Florian Roth | Sigma Integrated Rule Set (GitHub) | f4b9a5aba26ac1d465f55970b8defeab4a4704def7889e6c296b0f33cd1fad27 | 0 | 0
Suspicious Rundll32 Invoking Inline VBScript | Florian Roth | Sigma Integrated Rule Set (GitHub) | 40e3e97976c84f512b11ec485b8dc54ce731851327fe05beff6b567fdfe2b91b | 0 | 0
Suspicious Rundll32 Script in CommandLine | frack113 | Sigma Integrated Rule Set (GitHub) | ee7fc4aa3dcf06ddc37a9dc24c2fe5a2d394cc53d560d2214a8f5455eedb6291 | 0 | 0
Suspicious Runscripthelper.exe | Victor Sergeev, oscd.community | Sigma Integrated Rule Set (GitHub) | 11391eae2fbdc6dde630d27416798a88f2a185e1dc68c55e40fe03a2a85412de | 0 | 0
Suspicious SQL Error Messages | Bjoern Kimminich | Sigma Integrated Rule Set (GitHub) | 25642d4ac27c9f3036a7124392a66d0dad8e15e7f323995c82b1b9460ae3ffb5 | 0 | 0
Suspicious Scheduled Task Write to System32 Tasks | Florian Roth | Sigma Integrated Rule Set (GitHub) | 3da113395881b8606ab35684394038c9c59eb8dae1b899ed92a2c40df104f5aa | 0 | 0
Suspicious Serv-U Process Pattern | Florian Roth | Sigma Integrated Rule Set (GitHub) | 7456e5b742cfbd4f35bce2536feed29bf8c22343e4f695fdd04fbf7070d41396 | 0 | 0
Suspicious Spool Service Child Process | Justin C. (@endisphotic), @dreadphones (detection), Thomas Patzke (Sigma rule) | Sigma Integrated Rule Set (GitHub) | 2445eef8bbfc5d52245783f3d3a39b67d2a9e863e057b9710358f473c4a0d9ed | 0 | 0
Suspicious Subsystem for Linux Bash Execution | frack113 | Sigma Integrated Rule Set (GitHub) | dfbb51364e0deb6fd01f82a709f96be117d3f57ab06c8ac5718d944050856808 | 0 | 0
Suspicious System.Drawing Load | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 0e577377d486c7998da21b8bf8adfad459d2ee2c932fddd9aa595b43b009916c | 0 | 0
Suspicious TSCON Start as SYSTEM | Florian Roth | Sigma Integrated Rule Set (GitHub) | ef15288703ebef641a550ecf3efe69b3c2eae2d9d03b9828ebc27e4474bd138a | 0 | 0
Suspicious Typical Malware Back Connect Ports | Florian Roth | Sigma Integrated Rule Set (GitHub) | c819b1c2210c6c76f29e7d15825b104bbd98de4d9561a6c86a8b158afd0d2be9 | 0 | 0
Suspicious Unattend.xml File Access | frack113 | Sigma Integrated Rule Set (GitHub) | ab4f3a9eb0931d1b25be0e6ec70048514d987acda1b98b078b334de53d084360 | 0 | 0
Suspicious Usage of the Manage-bde.wsf Script | oscd.community, Natalia Shornikova | Sigma Integrated Rule Set (GitHub) | ed5e62dadca0230ffc2a8a11cf9e699200080030ffff4d0d2fd4df79510c64c3 | 0 | 0
Suspicious Use of /dev/tcp | frack113 | Sigma Integrated Rule Set (GitHub) | acaf2d56329609a17ef157534fe784b3570d4c344a3eff25b493f541a2526056 | 0 | 0
Suspicious Use of CSharp Interactive Console | Michael R. (@nahamike01) | Sigma Integrated Rule Set (GitHub) | a4fc89bb3700fe0a55cf04c68919916827d349edffbb82042fcceed68a55944d | 0 | 0
Suspicious Use of PsLogList | Nasreddine Bencherchali @nas_bench | Sigma Integrated Rule Set (GitHub) | 2a651ab66176323248a00a1c8f2e0c1d6e82ebbcb2c316bd3a1bce5391cc6b28 | 0 | 0
Suspicious User Agent | Florian Roth | Sigma Integrated Rule Set (GitHub) | d91df9da12337a7f5ee75bb073c3410a058eb5ed6b7c86b148e725f9059f75a0 | 0 | 0
Suspicious VBScript UN2452 Pattern | Florian Roth | Sigma Integrated Rule Set (GitHub) | 7fb1daa4a8edb7a5b90b062c058870ef63fc97c3ef0e3208a4ebe707c2f77f8f | 0 | 0
Suspicious VBoxDrvInst.exe Parameters | Konstantin Grishchenko, oscd.community | Sigma Integrated Rule Set (GitHub) | 7f57d3ad9551dc7e9826a09268d6311674527871cd948f123fe51b8ad1b701aa | 0 | 0
Suspicious VSFTPD Error Messages | Florian Roth | Sigma Integrated Rule Set (GitHub) | bbc1da4633ad6413fded73095affb9717c6e165f62cd9aad1ecfef998aa8db78 | 0 | 0
Suspicious WMIC ActiveScriptEventConsumer Creation | Florian Roth | Sigma Integrated Rule Set (GitHub) | c96db484de175e1b250b8157c4e848f441ffb92c370fec9a85857f015c6b8db8 | 0 | 0
Suspicious WSMAN Provider Image Loads | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 33e7351552f382831af6bf73d86054bced055e64df091f572c94e9fc9e9a2a97 | 0 | 0
Suspicious Werfault.exe Network Connection Outbound | Sreeman | Sigma Integrated Rule Set (GitHub) | 16c36a9e42bc4413ac1329f5dd42431a817722b75cea05ac07ebb3f65876cb0f | 0 | 0
Suspicious Where Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 46ae66dd22967fe384fb2758be37ee4bc4eb6756891eb9d7ebb29342e2dd03d1 | 0 | 0
Suspicious Windows ANONYMOUS LOGON Local Account Created | James Pemberton / @4A616D6573 | Sigma Integrated Rule Set (GitHub) | 95f1c4af26ab73ade968853c4fcf97de23d5c6004b49db4a07a2616054591b05 | 0 | 0
Suspicious Word Cab File Write CVE-2021-40444 | Florian Roth, Sittikorn S | Sigma Integrated Rule Set (GitHub) | 81b716bb22121eaedb941850fff6c213e7492ff4ee7564ae54606bc9dbb4fa57 | 0 | 0
Suspicious XOR Encoded PowerShell Command Line | Teymur Kheirkhabarov, Harish Segar (rule) | Sigma Integrated Rule Set (GitHub) | 3df27b5ffb8110f82c5da9120fd9c1c88c792ef65770b7f2706fc60a04b9cc9c | 0 | 0
Suspicious ZipExec Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 4299b17cc3fb6f5ed2bc90d612e461452723118f5b71a85231879dcf7c197ead | 0 | 0
Svchost DLL Search Order Hijack | SBousseaden | Sigma Integrated Rule Set (GitHub) | db5441b38e2fcbf39fea3bb39c740232381bd1357c8ff96f6df1ce0020169259 | 0 | 0
Symlink Etc Passwd | Florian Roth | Sigma Integrated Rule Set (GitHub) | e6c712d0b47b9ca26b1493414298a9db2aa7d1a7a22ae1dd2bbe3d98be6ebccd | 0 | 0
SyncAppvPublishingServer Execute Arbitrary PowerShell Code | frack113 | Sigma Integrated Rule Set (GitHub) | bd38197f39431ccbcd7225eae0595eed4788e30dee52b6db845bb259cc8a5490 | 0 | 0
SyncAppvPublishingServer Execution to Bypass Powershell Restriction | Ensar Şamil, @sblmsrsn, OSCD Community | Sigma Integrated Rule Set (GitHub) | 15b8bc2b4085ebae022c2b20c71b4ff925bb2def0f422752e477ef64090acbb5 | 0 | 0
SyncAppvPublishingServer Execution to Bypass Powershell Restriction | Ensar Şamil, @sblmsrsn, OSCD Community | Sigma Integrated Rule Set (GitHub) | 2f6c3876a6bf6c6982f41c7a31019b9025028a80428d75d0fbfadc485780f478 | 0 | 0
SyncAppvPublishingServer Execution to Bypass Powershell Restriction | Ensar Şamil, @sblmsrsn, OSCD Community | Sigma Integrated Rule Set (GitHub) | 72c39d73d55d9033eaf48b2345a2731c21be042d5b6a492dd732ad728d06da24 | 0 | 0
SyncAppvPublishingServer Execution to Bypass Powershell Restriction | Ensar Şamil, @sblmsrsn, OSCD Community | Sigma Integrated Rule Set (GitHub) | 8326a878ec5c1017e74941a7f45b60cfacf514ecaf4c2f5a787bfbecdc6bdf84 | 0 | 0
SyncAppvPublishingServer Execution to Bypass Powershell Restriction | Ensar Şamil, @sblmsrsn, OSCD Community | Sigma Integrated Rule Set (GitHub) | da7ba86aeba5af6786083f79201143e96dfb9aaa6f81136cb9deeffbda13a236 | 0 | 0
SysKey Registry Keys Access | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | 00368348746af494ae4871162a2c3187af955e35e20fc2de34bda349b1883860 | 0 | 0
Sysinternals SDelete File Deletion | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 13320004e8b7f532ff0dcbcc7a564fd60fa782490cdaf6e553e89088ded28e41 | 0 | 0
Sysmon Channel Reference Deletion | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | f9f553ae3b418546ce1d60bc5be320fb809f42d2184eea0be3ebe38529115176 | 0 | 0
Sysmon Configuration Error | frack113 | Sigma Integrated Rule Set (GitHub) | 1cd7d30672aa97bf7ad987f1430427c4badcaf9359b200f28071d8b243834f07 | 0 | 0
Sysmon Configuration Modification | frack113 | Sigma Integrated Rule Set (GitHub) | 3bb0c88834d7140b8c654b55212f61356f2c8817acf24f1a8691d358280b0541 | 0 | 0
Sysmon Configuration Modification | frack113 | Sigma Integrated Rule Set (GitHub) | abdfcf563f91cb4c9b132baa9fd47b92a1e20294c09c02d7571f6fe5505f21d7 | 0 | 0
Sysmon Configuration Modification | frack113 | Sigma Integrated Rule Set (GitHub) | d46e95fee1af14f21e84edea54e4ff0adc9b091c82e403fd89cc53d93506d609 | 0 | 0
System Eventlog Cleared | Florian Roth | Sigma Integrated Rule Set (GitHub) | 897e81991ba93eae2ef049bec91493dcbc61908766ac3d56284ce87250a69aed | 0 | 0
System Information Discovery | Ömer Günal, oscd.community | Sigma Integrated Rule Set (GitHub) | 0e346973181b79cd813d4507ff8c38d8a584a417939557faa5fa7158cf2ba7d0 | 0 | 0
System Information Discovery | Ömer Günal, oscd.community | Sigma Integrated Rule Set (GitHub) | 3745b67648a34091bd1ecf4cfeeaba7bc12bfe1ffc83c8aea519f5888c1714ef | 0 | 0
System Information Discovery | Ömer Günal, oscd.community | Sigma Integrated Rule Set (GitHub) | 9920fd14e241024bdb1ef7da4f1d69e5ac14e3d81aa324f2395de1464b61d679 | 0 | 0
System Information Discovery | Ömer Günal, oscd.community | Sigma Integrated Rule Set (GitHub) | de46e7313e69231a749082946337322d32ab9e628663e5d92b61586d9c24d47f | 0 | 0
System Information Discovery | Ömer Günal, oscd.community | Sigma Integrated Rule Set (GitHub) | fa3e44c9641ee88a3df1944a742869e28a10d6f37c0aab69e06413014fd5c890 | 0 | 0
System Information Discovery | Pawel Mazur | Sigma Integrated Rule Set (GitHub) | fb1fcb86cdb589a2d0fc7810aa7796360737fe3205f5d847d75ecf94876c080f | 0 | 0
System Network Connections Discovery | Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 036282b9889ec8d8a1cdaf902e26133c4af06ef02c074d48c4e063674b97b784 | 0 | 0
System Network Connections Discovery | Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | bcce343b1b60fe2c9b0a19e6c49cd613e3cd470f7a5a4dc85811f8188fbdc872 | 0 | 0
System Network Discovery - Linux | Ömer Günal and remotephone, oscd.community | Sigma Integrated Rule Set (GitHub) | 780133161bc77c6fd8e998a40218c5d992ba90b4ee08ea1e489f112b4f5739e6 | 0 | 0
System Network Discovery - macOS | remotephone, oscd.community | Sigma Integrated Rule Set (GitHub) | 90acea841b97b3b53a1119f22723d62839805d36487dbabf612a9b724c86798b | 0 | 0
System Owner or User Discovery | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | db8f6a3c12b8841963a472baa0be9f352507e250365446a6638700e5e7035e32 | 0 | 0
System Shutdown/Reboot | Igor Fits, Mikhail Larin, oscd.community | Sigma Integrated Rule Set (GitHub) | 96710ba7369fb8bd38beca2361ac7b7447c02e93a21426970ee43af5e1e039dc | 0 | 0
System Shutdown/Reboot | Igor Fits, oscd.community | Sigma Integrated Rule Set (GitHub) | a915654969a7479839f83e157606f0d49d87567ec32f31c4b16352afecd90f27 | 0 | 0
SystemNightmare Exploitation Script Execution | Florian Roth | Sigma Integrated Rule Set (GitHub) | c8b63d7e7a86cd816ca0855c66d0465f223a68621bc59cdb85639e382e022118 | 0 | 0
Systemd Service Reload or Start | Jakob Weinzettl, oscd.community | Sigma Integrated Rule Set (GitHub) | 2b9f58e2da3f441d888d64d4aca75b8c4f27198a10b76961e1a593881f018af3 | 0 | 0
T1021 DCOM InternetExplorer.Application Iertutil DLL Hijack | Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR) | Sigma Integrated Rule Set (GitHub) | 325801736478f2eeb21dc4d27671455172bd5ba8978fd1c153bbf1bb560f4617 | 0 | 0
T1021 DCOM InternetExplorer.Application Iertutil DLL Hijack | Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga | Sigma Integrated Rule Set (GitHub) | 9140e60563fcdfeb01d8d885f102c4b30ed9435ca18d2a4d8df9db6020ba2d0a | 0 | 0
T1047 Wmiprvse Wbemcomn DLL Hijack | Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR) | Sigma Integrated Rule Set (GitHub) | 1ed7550018ff4afc8c6f1d36eb7b0bbb2f831f5ac43cb0a16bbb96205616d858 | 0 | 0
T1086 PowerShell Execution | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 83cb47f5a4ddfd9c34da01fa9f873a03f0cc58cc2778580cc726de414c3c0baf | 0 | 0
TA410 LookBack and FlowCloud malware campaigns (Sysmon Behavior) | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 2d3ca95295f2fe12c6cbd5a13bb6f9b54f0f22d3a81dbc5b82c9bfbdae44f83b | 0 | 0
TAIDOOR - Chinese RAT | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 680dcdde1b8bfe90bf9acba2d0f5e4c1c8b437fe2e5aa5068855ccda40180966 | 0 | 0
TAIDOOR - Chinese RAT | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 68bb411fd4bf6a1ffe552b343dac5d14f00ce686424e3b32e68ee2176ab8bce3 | 0 | 0
TAIDOOR - Chinese RAT | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 97b2c02dfa95bb4aaaff73fc548ad854d0cdd79e40c67de409e716ba04f8b372 | 0 | 0
TAINTEDSCRIBE - North Korean Trojan (Hidden Cobra) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | fefa666b9dddab06dca15eb5c3a044757bbf7420794f459140fae014af5988af | 0 | 0
Tamper Windows Defender | frack113 | Sigma Integrated Rule Set (GitHub) | 207c25c9408a94a6ab4fd79571c6f71741248f188bf163b2ca9ea8531bdf439e | 0 | 0
Tap Driver Installation | Daniil Yugoslavskiy, Ian Davis, oscd.community | Sigma Integrated Rule Set (GitHub) | 358d68998add69c3d9057a82193ae58f278aa61103f23b98603b6f2d7e59cb22 | 0 | 0
Tap Driver Installation | Daniil Yugoslavskiy, Ian Davis, oscd.community | Sigma Integrated Rule Set (GitHub) | a23d7badd6ad7bc64986003d146002a8cd02c1adab85136c45c522d5ab23e706 | 0 | 0
Tap Driver Installation | Daniil Yugoslavskiy, Ian Davis, oscd.community | Sigma Integrated Rule Set (GitHub) | c1693fcd30d2082a9f64e5a158f8acfbdb23a2e5ef0cb5c125a34a46c29a60d1 | 0 | 0
Tap Driver Installation | Daniil Yugoslavskiy, Ian Davis, oscd.community | Sigma Integrated Rule Set (GitHub) | e60d92b6ad7c18d80d842937fb0a3b1e49a9339611f31cf7f9fa688f0d1fc1fa | 0 | 0
Tap Driver Installation | Daniil Yugoslavskiy, Ian Davis, oscd.community | Sigma Integrated Rule Set (GitHub) | f64fba8ff6db3ee854baecf3e208e1be45b8dd29c23b509f62062e55ebe28bb9 | 0 | 0
Telegram API Access | Florian Roth | Sigma Integrated Rule Set (GitHub) | 8a8587aaa3d307de3f020fd9ddb543581dd561447576a463e570558a6e78a023 | 0 | 0
Telegram Bot API Request | Florian Roth | Sigma Integrated Rule Set (GitHub) | 8119b0f5e55bcc32efeebba677769c41f458947ed836a43326d94ce77e2a6a0a | 0 | 0
Terdot Trojan | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 758c4cbf66a128098c5bfb6abc15633535d24cb73c1c583c8b2e6453a93c6f80 | 0 | 0
Terdot Trojan | Ariel Millahuel | SOC Prime Threat Detection Marketplace | a05609887fbb50f52f95231dae41088de78c48b2f3559cbe4761af7069777c41 | 0 | 0
Terminal Server Client Connection History Cleared | Christian Burkard | Sigma Integrated Rule Set (GitHub) | f864355e26341358045facaf6f66106b0bf475ff0cd2a56ea6c2157735727c35 | 0 | 0
Terminal Service Process Spawn | Florian Roth | Sigma Integrated Rule Set (GitHub) | 0232a28f98329276f53deac4ffd7ee149f868c8def851948c4af8e750be1b910 | 0 | 0
TerraMaster TOS CVE-2020-28188 | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 69295716b447993c5584f18e294250daf69aa8bc979708f88313e47ca01e6793 | 0 | 0
Time Travel Debugging Utility Usage | Ensar Şamil, @sblmsrsn, @oscd_initiative | Sigma Integrated Rule Set (GitHub) | 41bae2ae89409b6a1ff355df6e25112c56884876b18f7a5ca827d634fc1847f4 | 0 | 0
Time Travel Debugging Utility Usage | Ensar Şamil, @sblmsrsn, @oscd_initiative | Sigma Integrated Rule Set (GitHub) | ac619a6a73b5c0668aeb218c1580100bf9e6f7791822b92360cb51fb09394ccd | 0 | 0
Time Travel Debugging Utility Usage | Ensar Şamil, @sblmsrsn, @oscd_initiative | Sigma Integrated Rule Set (GitHub) | afad13c67de2842888c6d4678ab0ab46d7369e91b6c7fb525482e91294e4ccad | 0 | 0
Time Travel Debugging Utility Usage | Ensar Şamil, @sblmsrsn, @oscd_initiative | Sigma Integrated Rule Set (GitHub) | c5cd42b219e3389810b80d30f0df29501f964191e806ce3ad063b9cf5c621fb4 | 0 | 0
Time Travel Debugging Utility Usage | Ensar Şamil, @sblmsrsn, @oscd_initiative | Sigma Integrated Rule Set (GitHub) | f2baa9e77eedc1ad2bcabc55acff8e7d6273352d961c3bf3b07d58b3b7fd8bb7 | 0 | 0
Tinba Banking Trojan | Ariel Millahuel | SOC Prime Threat Detection Marketplace | af02ff0def6aec347fa7d49ff18febb8c477a257f2e7dc8ca67d0cdbe9dddb0a | 0 | 0
Tirbot Trojan (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 985b4d1a9a38675b5a512221d45a61dfdf349da41c92df19ae3776b712fe20e0 | 0 | 0
Transferring Files with Credential Data via Network Shares | Teymur Kheirkhabarov, oscd.community | Sigma Integrated Rule Set (GitHub) | b901cdb66cb3627f3cf9d508421eb3e34409337ecfea0476c0896c63c71dbd74 | 0 | 0
Transferring Files with Credential Data via Network Shares - Zeek | @neu5ron, Teymur Kheirkhabarov, oscd.community | Sigma Integrated Rule Set (GitHub) | c32a3e7518848a21d37b9b5d6a00e756e5ce36f0ba6f2b79a1304a7fa9f1369d | 0 | 0
TropicTrooper Campaign November 2018 | @41thexplorer, Microsoft Defender ATP | Sigma Integrated Rule Set (GitHub) | 2490e3004ac94fbdd6f3d694aa2c24ec00b0193bcac04aad389d62a43350ce61 | 0 | 0
Turla ComRAT | Florian Roth | Sigma Integrated Rule Set (GitHub) | f8b1e8439f6b16f86828128a05821dfc35b5cedac0b0ef9588c00d9a12d0ef31 | 0 | 0
Turla Group Commands May 2020 | Florian Roth | Sigma Integrated Rule Set (GitHub) | 13b646717610af0f26e60da5f245b187d697983865f41f8426677226a1dd67e9 | 0 | 0
Turla Group Lateral Movement | Markus Neis | Sigma Integrated Rule Set (GitHub) | 4ac69336261d41d0d7c5dabb3bbf3be9deae948f76c2139e4061f519c6fb043f | 0 | 0
Turla Group Lateral Movement | Markus Neis | Sigma Integrated Rule Set (GitHub) | 4ad16e7f0f86e364c4e7a74f240c76737de2845d3ff13e38a2c4437cfea2af8b | 0 | 0
Turla Group Lateral Movement | Markus Neis | Sigma Integrated Rule Set (GitHub) | a84f3c195555e22fcc4045469fd306dbb60cf28e91ae7b9325eb49aeda608af7 | 0 | 0
Turla Group Lateral Movement | Markus Neis | Sigma Integrated Rule Set (GitHub) | baa2e26b5f61d81ea9128226f369bdc536ba0a183e703eaafc23228dffbd64bc | 0 | 0
Turla Group Lateral Movement | Markus Neis | Sigma Integrated Rule Set (GitHub) | dca19d018ba977a72de3571dc1f68228d2444d8b447b50e25b07422b5b014d9c | 0 | 0
Turla Group Named Pipes | Markus Neis | Sigma Integrated Rule Set (GitHub) | 5c1a908c4195fe1b85776a2a1c86cef843d6c40a00070ca9c5ab3043dc19a164 | 0 | 0
Turla PNG Dropper Service | Florian Roth | Sigma Integrated Rule Set (GitHub) | 2181500508cba32078d248a61c926bf73a4bb6ebc4bececfd9d4ac607b57151d | 0 | 0
Tycoon Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | a1c44f103e75c8295cdbb587af4bac07f2b77445d54c17a424e7dce924a981ce | 0 | 0
Typical HiveNightmare SAM File Export | Florian Roth | Sigma Integrated Rule Set (GitHub) | f89983755305fab46f3677edade72743effd233979db77ffa6c51a9d1fb4a18c | 0 | 0
UAC Bypass Abusing Winsat Path Parsing - File | Christian Burkard | Sigma Integrated Rule Set (GitHub) | bb336c05f65b92ba4f8c077675fd297597dc9e6a58d623eb2a05ba80991cf674 | 0 | 0
UAC Bypass Abusing Winsat Path Parsing - Process | Christian Burkard | Sigma Integrated Rule Set (GitHub) | 3336002627a5fff9960ca0a12f53f9173bf13d359096c010f818ad83f0bd3d60 | 0 | 0
UAC Bypass Abusing Winsat Path Parsing - Registry | Christian Burkard | Sigma Integrated Rule Set (GitHub) | 27a9b69a6e2addb8fe0735e96f0d27ace4b79d17eefd764ce3f0288f74cb21c1 | 0 | 0
UAC Bypass Using .NET Code Profiler on MMC | Christian Burkard | Sigma Integrated Rule Set (GitHub) | e72fb1b5f98a1609a868416ee85fb716eb8e4705f84b33fd471cf747357dea7c | 0 | 0
UAC Bypass Using Consent and Comctl32 - File | Christian Burkard | Sigma Integrated Rule Set (GitHub) | 0bc48db9b102772d4daac62f85032a7501fed1102a95f95e8414a0dd3e51732c | 0 | 0
UAC Bypass Using Consent and Comctl32 - Process | Christian Burkard | Sigma Integrated Rule Set (GitHub) | 45716a61474d8af25ba7318e0bcc946490ebaf1a0ea6c9a73d6fa3d572e58ae6 | 0 | 0
UAC Bypass Using Disk Cleanup | Christian Burkard | Sigma Integrated Rule Set (GitHub) | 639d8d816b374bf0b59c239c80f872bc5c00756e4888cc7934f8a33386306d57 | 0 | 0
UAC Bypass Using DismHost | Christian Burkard | Sigma Integrated Rule Set (GitHub) | 84ae6514a422f3ac64733fe09e8c77e483ddc11d6eec7b8b1f5bf41dade82970 | 0 | 0
UAC Bypass Using MSConfig Token Modification - File | Christian Burkard | Sigma Integrated Rule Set (GitHub) | 1d94cdf7ebb62637f664d4e56943049dfd2e84e3a534202d08775a957375ee59 | 0 | 0
UAC Bypass Using MSConfig Token Modification - Process | Christian Burkard | Sigma Integrated Rule Set (GitHub) | fed3f4e9a7b7505b5d9cf3fa38366c77ae1afaf2a73f5ec6e4e82353cb87e312 | 0 | 0
UAC Bypass Using NTFS Reparse Point - File | Christian Burkard | Sigma Integrated Rule Set (GitHub) | b61e713566d145c79ce59678aadb8a675e19a1177e0477c9916dae6960d75e1e | 0 | 0
UAC Bypass Using NTFS Reparse Point - Process | Christian Burkard | Sigma Integrated Rule Set (GitHub) | b04ae33635c5e4e7fe2dc9592b339835bcf2233b6e640991cf271389ea49fb2d | 0 | 0
UAC Bypass Using WOW64 Logger DLL Hijack | Christian Burkard | Sigma Integrated Rule Set (GitHub) | 136d5312f0c32e4f8a7ed5923499a1fb0d03c457a9b9ff2e66d2d833900dd856 | 0 | 0
UAC Bypass Using Windows Media Player - File | Christian Burkard | Sigma Integrated Rule Set (GitHub) | dea23a2bff0dfc0ed3530c94cc3fa73835c8ee53d7dc7b6426775799cb4c719e | 0 | 0
UAC Bypass Using Windows Media Player - Process | Christian Burkard | Sigma Integrated Rule Set (GitHub) | ddadf6d9fd6af912e7f512980649fd8c1628beae5483c5f009920946687a91c0 | 0 | 0
UAC Bypass Using Windows Media Player - Registry | Christian Burkard | Sigma Integrated Rule Set (GitHub) | 06a48f1443d5688a49e7b4d5436e507df7fcfeb8780da328f16235c4c06d927f | 0 | 0
UAC Bypass Via Wsreset | oscd.community, Dmitry Uchakin | Sigma Integrated Rule Set (GitHub) | 46af1a978d9d6da64e0730a4b0d6dfeb8cab34fe21a2fdc0d3b8e0a428e12c21 | 0 | 0
UAC Bypass WSReset | Christian Burkard | Sigma Integrated Rule Set (GitHub) | 03fc63d53dd6f6eeb7fef5848db2e4cd11fc7177c187c398320bb3934b751d87 | 0 | 0
UAC Bypass With Fake DLL | oscd.community, Dmitry Uchakin | Sigma Integrated Rule Set (GitHub) | f7b3aa6e9bcd6bb0bf047e633bb513434546a05f9322c433f8df8c2355115339 | 0 | 0
UAC Bypass via Event Viewer | Florian Roth | Sigma Integrated Rule Set (GitHub) | 3a5e9509b313781bf9324f49cac4a71e1e5e822abacd7f2707c6d32f8920aea1 | 0 | 0
UAC Bypass via Event Viewer | Florian Roth | Sigma Integrated Rule Set (GitHub) | 4134cd9d74207db899c24fb73563c311684932a317e61fe905fdc29a75f69109 | 0 | 0
UIPromptForCredentials DLLs | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | d95ca36c302040f620589faab34078391fb9db19ee77118e3ad298784775d65b | 0 | 0
UMWorkerProcess Creating Unusual Child Process CVE-2021-26857 (via cmdline) | SOC Prime Team, Microsoft | SOC Prime Threat Detection Marketplace | 282370a5b2c99cb2055e32a9c50853be0a162c16914c919ee60730f93e7a1902 | 0 | 0
UNC2452 PowerShell Pattern | Florian Roth | Sigma Integrated Rule Set (GitHub) | f91a07dae0817dd517cae4782092e392760c32e680fb4b40f69789c8ea2642c7 | 0 | 0
USB Device Plugged | Florian Roth | Sigma Integrated Rule Set (GitHub) | f231038326d2da7583778551de319d33b9b9529e55671b62cbdd58a4a4697507 | 0 | 0
UnReCom RAT SOC Prime Threat 4d7d569ef6ec13af576994a6


(Possible New Ariel Millahuel Detection 2b027bbec44b85374393abed 0 0
Adwind variant) Marketplace c5f477ee650e0455
In

UnReCom RAT SOC Prime Threat 5dee39e59001813316f98d63


(Possible New Ariel Millahuel Detection 213edd768463d33a5450727 0 0
Adwind variant) Marketplace 3b7feb22753fb9a32
Unauthenticated
file read in Cisco
SOC Prime Threat 0cfd9195be7ced6620371c11
ASA & Cisco
Roman Ranskyi Detection ca6323fee3c0b5d0b9ea805f0 0 0
Firepower CVE-
Marketplace 17a841110683b91
2020-3452 (via
web)
Unauthenticated
file read in Cisco
SOC Prime Threat 789fc5bb01e3f3b18df9537ea
ASA & Cisco
Roman Ranskyi Detection d68abfcaacecbf0a526ab8207 0 0
Firepower CVE-
Marketplace c7e6f198d8a5e3
2020-3452 (via
web)
Uncommon
SOC Prime Threat 1c5a833abe2b826a6d444da7
External Facing
SOC Prime Team Detection 2f62ea23742c5770ece40773 0 0
Application
Marketplace 0a66ef8300dbdcfd
Service
Unidentified 120841a228484caff2f660319
@41thexplorer, Microsoft Defender Sigma Integrated
Attacker 625b672d8b268d649f0522d9 0 0
ATP Rule Set (GitHub)
November 2018 9d2a59c6c60f3b3
Unidentified 8f2c777b3dc85aa4c4663fc4d
@41thexplorer, Microsoft Defender Sigma Integrated
Attacker e3a1d8bd273ea3506fd8481a 0 0
ATP Rule Set (GitHub)
November 2018 76de1a0ffb2c6b4
Unidentified b08d52ecad9f030d424d9663
@41thexplorer, Microsoft Defender Sigma Integrated
Attacker 403423559c1951018ae4cafc 0 0
ATP Rule Set (GitHub)
November 2018 8f10b0ef2ad0f77f
Unidentified b5002bc251d42658f759ab88
@41thexplorer, Microsoft Defender Sigma Integrated
Attacker 719976f8698c099d4450bc79 0 0
ATP Rule Set (GitHub)
November 2018 8cdbf9e219cfab1e
Unidentified c02ac5aedb6c89eac4725d7a
@41thexplorer, Microsoft Defender Sigma Integrated
Attacker 30df43b4631994b8ad7cee34 0 0
ATP Rule Set (GitHub)
November 2018 73099d0926df9a80
Uninstall Crowdstrike Falcon | frack113 | Sigma Integrated Rule Set (GitHub) | 7319e259606b1d76ca31570f4a8256ad40f0297486f907c00ae96d5721d87794 | 0 | 0
Unknown Exchange 0day Relevant Crash Event (via application) | SOC Prime Team, Microsoft | SOC Prime Threat Detection Marketplace | df18dcdc7e0de08d0a24ac99b5e39af9106c4594de1e213961a00f36bb1fb7cf | 0 | 0
Unsigned Image Loaded Into LSASS Process | Teymur Kheirkhabarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 41a3e620fba7b86366fe885ba1b20dbaae2be7596e2e9b194ab65dae5e4a7b53 | 0 | 0
Ursa Trojan | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 8aa514ad684698cba9daddea167e737b38eac3917d5a8c44b11684e4fe0819f3 | 0 | 0
Ursa Trojan | Ariel Millahuel | SOC Prime Threat Detection Marketplace | d16ef015b59d30d0df3ba7fbe07aa8edeac37ec141c0ee5852c1a88ce602094a | 0 | 0
Ursnif | megan201296 | Sigma Integrated Rule Set (GitHub) | 4e3571c62f910de9f4ea1bd62ee26b408ad26db209250c61eb74239ce71fc827 | 0 | 0
Ursnif Malware C2 URL Pattern | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | d983b04ec090162c842c62845c96abbce6bba8d1a7611826053d7ba25fd8918c | 0 | 0
Ursnif Malware Download URL Pattern | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | f320e891edef939c4d89f2e964476f57bf9d8a92415164cce650183f1820be10 | 0 | 0
Usage of Sysinternals Tools | Markus Neis | Sigma Integrated Rule Set (GitHub) | 6caf06038ef037f3ac3da62377560d3544dd6d6b89ac3959ecb666489940b9aa | 0 | 0
Usage of renamed binaries(wmic, regsvr32) | Den Iuzvyk | SOC Prime Threat Detection Marketplace | c21c41fa3a1749d217cfe78b997b24c415176f9c5f587ddb417fb4893325d908 | 0 | 0
Use Get-NetTCPConnection | frack113 | Sigma Integrated Rule Set (GitHub) | 84f3662b966321c45129926b0bf88e5845313e0cd9f0b7ec89f79f37c2fbeaef | 0 | 0
Use Get-NetTCPConnection | frack113 | Sigma Integrated Rule Set (GitHub) | e69f9e383811e595a9561c923eddfc5df48f9e54f4df8fa281fcef6b501048ac | 0 | 0
User Access Blocked by Azure Conditional Access | AlertIQ | Sigma Integrated Rule Set (GitHub) | c40f9bf14b74802e89f6f64d76fd9c7700fe103474cfc637cd33d1fef4c7f287 | 0 | 0
User Added to an Administrator's Azure AD Role | Raphaël CALVET, @MetallicHack | Sigma Integrated Rule Set (GitHub) | 339c344d69b808b4c773cb492f914a59b8d3d67cc415f392ef0202cbe4837d7c | 0 | 0
User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess' | Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community | Sigma Integrated Rule Set (GitHub) | 11a18935f3a8e1e4c4cc09e59d69155a1777e2762605adcc495c58cc96abce1d | 0 | 0
Using AppVLP To Circumvent ASR File Path Rule | Sreeman | Sigma Integrated Rule Set (GitHub) | e95a64931dc936ea0b79a4d48a5cf5f247dc55a78f0cb754480de9f58dcd9ce2 | 0 | 0
Using SettingSyncHost.exe as LOLBin | Anton Kutepov, oscd.community | Sigma Integrated Rule Set (GitHub) | 90604343649b0a434f2aaf1ac225f1535b3d2b0766ba92bc80cfaed426f07695 | 0 | 0
Using Sticky-keys To Obtain Unauthenticated, Privileged Console Access | Sreeman | Sigma Integrated Rule Set (GitHub) | 62e0a8cc199a4d0a9766d75ef3213180a3865b74ce2be5948d1bc1fc5aa68e49 | 0 | 0
Utilization of "expand.exe" to deploy files from "Temp" folders | Ariel Millahuel | SOC Prime Threat Detection Marketplace | ade628a427870c8c3442dd7aac9c2d401c3e96ef82d4b92d8128cdeeff3062e9 | 0 | 0
VBA DLL Loaded Via Microsoft Word | Antonlovesdnb | Sigma Integrated Rule Set (GitHub) | 1c4b9974eadae6764e88b6287305d477f5d777a06dd5a75e4773cea197fb1b0a | 0 | 0
VMware vCenter Server File Upload CVE-2021-22005 | Sittikorn S | Sigma Integrated Rule Set (GitHub) | 307fdbfc019c602d9b897165bdfdff09e71bae733f6e0a8b5305ca81f5f7cc6d | 0 | 0
Valak Behavior (Sysmon and Cmdline) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | bd88e7274c701ecb8921074eb102f73f8f0d4a5ac0708ddae5a1e369ef71569b | 0 | 0
Valid Users Failing to Authenticate From Single Source Using Kerberos | Mauricio Velazco, frack113 | Sigma Integrated Rule Set (GitHub) | a3ae92169de3a473b385950d6a3e85b2a991c8be31e68ccb84577f16515c3407 | 0 | 0
Valid Users Failing to Authenticate from Single Source Using NTLM | Mauricio Velazco | Sigma Integrated Rule Set (GitHub) | 05e5abf2c5d151e82602b134f795f3449e651ab33f591a2f4a98aab8d54031f9 | 0 | 0
VeeamBackup Database Credentials Dump | frack113 | Sigma Integrated Rule Set (GitHub) | 912e511ef1e7ba499a5cf1552134869bb633ba21adbdddb20785e6c3ab04e761 | 0 | 0
Vjworm Trojan | Ariel Millahuel | SOC Prime Threat Detection Marketplace | a274e14c306334155818a08604184fc950850cf7facfe0df879c1608fda2cc4e | 0 | 0
Volume Shadow Copy Mount | Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR) | Sigma Integrated Rule Set (GitHub) | 632fbc79a450be1208f0c3c1246793ff703d551fb7163488db4d1de2b2483d5a | 0 | 0
Vulnerable Netlogon Secure Channel Connection Allowed | NVISO | Sigma Integrated Rule Set (GitHub) | 3f84718f22c39831d8b99ef0dc98874d6e50b02602ada051c9eafb98360fc647 | 0 | 0
WCE wceaux.dll Access | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 183cf5523bdd58d20e93e3b2bb367c38caec4fe344a0aea45722954e9fe9ed9f | 0 | 0
WMI Event Consumer Created Named Pipe | Florian Roth | Sigma Integrated Rule Set (GitHub) | 01446bc086a25ac157aacfacf8ca447f2f195cd8dd67c3a8cb6a881dc5ac53be | 0 | 0
WMI Modules Loaded | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | fb092b3aee3feb316c048a1249e1ac9639a63cac318318afd45bf38887b31b0c | 0 | 0
WMI Persistence | Florian Roth, Gleb Sukhodolskiy, Timur Zinniatullin oscd.community | Sigma Integrated Rule Set (GitHub) | 58154fd247cd9b589c6903a15ffa196e0e50cca640eeadc0ca86c289dbeae3bf | 0 | 0
WMI Persistence | Florian Roth, Gleb Sukhodolskiy, Timur Zinniatullin oscd.community | Sigma Integrated Rule Set (GitHub) | 85bc7739560701dd55a0c7eab1ee7b00c0ddea32b913c6e0b6798b889419591b | 0 | 0
WMI Persistence | Florian Roth, Gleb Sukhodolskiy, Timur Zinniatullin oscd.community | Sigma Integrated Rule Set (GitHub) | a9246010da9b679de378be05b2d90c9171220c5fd5b0545883bdad8a49e9811c | 0 | 0
WMI Persistence | Florian Roth, Gleb Sukhodolskiy, Timur Zinniatullin oscd.community | Sigma Integrated Rule Set (GitHub) | aa847a1640b2ae82a6149c6f0b44f8ec7170516b4502113a92de7898285ff89b | 0 | 0
WMI Persistence | Florian Roth, Gleb Sukhodolskiy, Timur Zinniatullin oscd.community | Sigma Integrated Rule Set (GitHub) | f674f8881516524de991b8439ddd2248fd25bacea659a067680337c89b7a6c5b | 0 | 0
WMI Persistence - Command Line Event Consumer | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 2d6a5c8b5ff6663f305abc5b7d611b99089e2cf4ad71b0b3f9a89d8d05d71a89 | 0 | 0
WMI Reconnaissance List Remote Services | frack113 | Sigma Integrated Rule Set (GitHub) | 122d74917c1ba5d7e854a6a25e2ce8bd997bfe1398c7b5ddaaecb88edf02edd8 | 0 | 0
WMI Script Host Process Image Loaded | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 81314be6adb2ae8f1bd104c4f35d68c8ff62ddfea655e64c5b1c92082b72d5ae | 0 | 0
WMIC Loading Scripting Libraries | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 022ee32433f415a35cf214d689b7c20ea4d29ed50a5be04595877663d8128997 | 0 | 0
WMIExec VBS Script | Florian Roth | Sigma Integrated Rule Set (GitHub) | 860cd791b52ed03d76e2842429f67b1ac870f8f77a5a09b472fbbf3c964ee708 | 0 | 0
WMImplant Hack Tool | NVISO | Sigma Integrated Rule Set (GitHub) | 6b93b7bce89874009dd0ecb10a52f610736bcb6d33fe425d9295732660f6b7ab | 0 | 0
WSH RAT behavior | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 0d8ca71c713cdf5f939ca8eea9288f6c9c665f224016b4672972ff569c13bb16 | 0 | 0
WSH RAT behavior | Ariel Millahuel | SOC Prime Threat Detection Marketplace | c542efb138f0e8fde0df28089aa73fd35cd12a439000e607e4e10b10ecb3f743 | 0 | 0
WSL Execution | oscd.community, Zach Stanford @svch0st | Sigma Integrated Rule Set (GitHub) | 4deaea65e083744047018aa4fd0ccf242ffa901cc82a5f427d710fbb717c213e | 0 | 0
WScript Launched By Powershell | Joe Security | Joe Security Rule Set (GitHub) | dd10c5eb1b4cfd51330d892c57a9cfe7ce41ac02ee121c141435ea97a71bb073 | 0 | 0
Wannacry Killswitch Domain | Mike Wade | Sigma Integrated Rule Set (GitHub) | 1835f85f70bcf5e9613228e05d8ab33dae73c11d41a4e5876ceb6f2002b31167 | 0 | 0
Wbadmin Delete Systemstatebackup | frack113 | Sigma Integrated Rule Set (GitHub) | 9aae4742b47a403c0d2871d344a6076cd6b797a267bbe2d0b85e607927ef3dc9 | 0 | 0
Wdigest CredGuard Registry Modification | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 6b2853b0e68d3b3c786df7c3960aa8764840caaee74ca35f04ee828c6df43a68 | 0 | 0
Wdigest Enable UseLogonCredential | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 549fd181a20cb87efd19fddc858140d8495cd434cc6a9b662dcc7d8bb35804ae | 0 | 0
Weak Encryption Enabled and Kerberoast | @neu5ron | Sigma Integrated Rule Set (GitHub) | 2be706f3f2686605d5ee19c899ca7bdb688e826ad3b82c1c873627c8aad568bf | 0 | 0
WebDav Put Request | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 52301a573727517b97c3069178ccee0ad367c8581abc440bbad2eec03af8c709 | 0 | 0
Webshell Detection by Keyword | Florian Roth | Sigma Integrated Rule Set (GitHub) | 82f06847ea3a21b3565bc4d6d23aa0872cca19e1c69046bfffc795ba9dc7f76e | 0 | 0
Webshell ReGeorg Detection Via Web Logs | Cian Heasley | Sigma Integrated Rule Set (GitHub) | 3b59889f7c01566d9506c1b2b7b8b37af0e7f21424d03390fc64c4f32e4328f6 | 0 | 0
Webshell Recon Detection Via CommandLine & Processes | Cian Heasley | Sigma Integrated Rule Set (GitHub) | d9519d30d9c273a67a5b26f64e780cfeec59454accd4f3237419da2afbb82c8d | 0 | 0
Webshell Remote Command Execution | Ilyas Ochkov, Beyu Denis, oscd.community | Sigma Integrated Rule Set (GitHub) | 6f8b96808977daa36d34a09923e361bdd17a9353c89c25c73253f29bb35b833d | 0 | 0
WhoAmI as Parameter | Florian Roth | Sigma Integrated Rule Set (GitHub) | 31e555cd1c55ce445dfd8bd7c10843187298b45b39b33ddf41b5bce83e212c86 | 0 | 0
WinRM Access with Evil-WinRM | frack113 | Sigma Integrated Rule Set (GitHub) | 5ad71f4134dddf8bef6aed44120ca9d774108b3c4e8b7e322ca38e989a8cf176 | 0 | 0
Windows Defender AMSI Trigger Detected | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 9944cda138f9f219e918f109ce968902b602a32f60c6ed006bb112b15ba2dede | 0 | 0
Windows Defender Download Activity | Matthew Matchen | Sigma Integrated Rule Set (GitHub) | 0de6e296fdb440317bd15b3aa29b6d99b17b08dea792264888e93fa3c62f9514 | 0 | 0
Windows Defender Exclusion Set | @BarryShooshooga | Sigma Integrated Rule Set (GitHub) | 29051fc71a16779223e0e3bf42ba8b7a5e0b066a0b0cf3a34684da1337ca0f4b | 0 | 0
Windows Defender Exclusions Added | Christian Burkard | Sigma Integrated Rule Set (GitHub) | 20ee93291281ad45d4704a39eb182e955d4353c917a1872e15423a2ebfef6378 | 0 | 0
Windows Defender Exclusions Added | Christian Burkard | Sigma Integrated Rule Set (GitHub) | 2231f93169c7efed228559b8ba20664ec6cf05f5a2df8494b89151752237fb8c | 0 | 0
Windows Defender Exclusions Added | Christian Burkard | Sigma Integrated Rule Set (GitHub) | 52d226d49903df8a4f8ad9d9c7932a887e76679a19f5dc4a55db4471cb55b454 | 0 | 0
Windows Defender Exclusions Added | Christian Burkard | Sigma Integrated Rule Set (GitHub) | aa5b43fba93f194b9cb53e9215833465cb9fbfb8f9787ee9ac6ec99db12d40b7 | 0 | 0
Windows Defender Malware Detection History Deletion | Cian Heasley | Sigma Integrated Rule Set (GitHub) | a69f67541c11d90298cb228bee82651387015e4cd30917b3511fde5c028f1eb0 | 0 | 0
Windows Defender Threat Detected | Ján Trenčanský | Sigma Integrated Rule Set (GitHub) | cf90b923dcb2c8192e6651425886607684aac6680bf25b20c39ae3f8743aebf1 | 0 | 0
Windows Defender Threat Detection Disabled | Ján Trenčanský, frack113 | Sigma Integrated Rule Set (GitHub) | 41872a2c86ff9bf310cf8a81b0235040c25793f1fe6255fdc5bf771cd716ddfc | 0 | 0
Windows Defender Threat Detection Disabled | Ján Trenčanský, frack113 | Sigma Integrated Rule Set (GitHub) | 7998082d3f734247061e2d59f83e2a3a523414bed9e74c2adb7bcb0404abce97 | 0 | 0
Windows Defender Threat Detection Disabled | Ján Trenčanský, frack113 | Sigma Integrated Rule Set (GitHub) | a6317aefcc7e070bf2d65b66a15af84858276fd8c4350ccb4cc0bc93261757ea | 0 | 0
Windows Defender Threat Detection Disabled | Ján Trenčanský, frack113 | Sigma Integrated Rule Set (GitHub) | ed87c230c6d4207b37197d5b9085406475eec57fdb0315aa3f474a07c39806f6 | 0 | 0
Windows Defender Threat Detection Disabled | Ján Trenčanský, frack113 | Sigma Integrated Rule Set (GitHub) | f2d1be0ba54a53b3a9599c9697ecd28df209373ff460d809e0da374627734853 | 0 | 0
Windows Defender Threat Detection Disabled | Ján Trenčanský, frack113 | Sigma Integrated Rule Set (GitHub) | f41376cbd0bf111c80a06c14f23ee727ec0a64de4ab379cc3853b54b5d945035 | 0 | 0
Windows Firewall Profile Disabled | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 489692e72dc0017d68cdd2188f43e162f46de9955dce51c32323345919b76b0e | 0 | 0
Windows Kernel and 3rd-Party Drivers Exploits Token Stealing | Teymur Kheirkhabarov (source), Daniil Yugoslavskiy (rule) | Sigma Integrated Rule Set (GitHub) | 25ad3dcfbd1578bd1784acb166bf4273467664ef291ec4722fa1e4361346b135 | 0 | 0
Windows Management Instrumentation DLL Loaded Via Microsoft Word | Michael R. (@nahamike01) | Sigma Integrated Rule Set (GitHub) | 3e47f5ae1f3a80668c79b22bb11fbfefb4a1a9c5078948a80bb884fa77e652e4 | 0 | 0
Windows Pcap Drivers | Cian Heasley | Sigma Integrated Rule Set (GitHub) | c93c0cd47a9a01f1270c2cc43da3d19744639e155de50e64311df30ce6763d16 | 0 | 0
Windows PowerShell Upload Web Request | frack113 | Sigma Integrated Rule Set (GitHub) | 80e1441e8251586c742da610b4bceb4d94fbe79f4e8b64b9745b6a11da90d7c1 | 0 | 0
Windows PowerShell User Agent | Florian Roth | Sigma Integrated Rule Set (GitHub) | 107a4de06e843fc296a19ef4626692a39338e909a237bf8636b24aef02e6dbba | 0 | 0
Windows PowerShell Web Request | James Pemberton / @4A616D6573 | Sigma Integrated Rule Set (GitHub) | 8f476a2016a135fab13276812845b457aa420dac974d15d909682f6d25fefbec | 0 | 0
Windows Registry Persistence COM Key Linking | Kutepov Anton, oscd.community | Sigma Integrated Rule Set (GitHub) | 3a5176242220f6a6e49fd00b2b47af50918dae9ca9edecfcfa843475d2e01df0 | 0 | 0
Windows Registry Trust Record Modification | Antonlovesdnb | Sigma Integrated Rule Set (GitHub) | 9292d14bdf79582c701fad33de8f018f0151bb6acfc181fba0dd5d223cee498c | 0 | 0
Windows Screen Capture with CopyFromScreen | frack113 | Sigma Integrated Rule Set (GitHub) | f8a626af728b3adf32c5a523da76b149e1f41d45e55c4f3b2cb7895c3920b449 | 0 | 0
Windows Spooler Service Suspicious Binary Load | FPT.EagleEye, Thomas Patzke (improvements) | Sigma Integrated Rule Set (GitHub) | 36004bbb9055623fa5dd3851566dfcd02d35df3bb87caf7ba2e7e876268fb66d | 0 | 0
Windows Spooler Service Suspicious File Deletion | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 2905d462b4ac73a3e5bd0955b9303d3a939f9fd1715035a35ceccc567892e882 | 0 | 0
Windows Sysvol File Modification | SOC Prime Team | SOC Prime Threat Detection Marketplace | 3d8c9cb6ebe5a3e7f4ebd1898e2d1b488d7b3118afdd8cf4e5a3e5bfd012a7ba | 0 | 0
Windows Update Client LOLBIN | FPT.EagleEye Team | Sigma Integrated Rule Set (GitHub) | dab442a95ac4a7904c20db69e9f390b99d4b5268e3afd391c43a1c522ad4b3f7 | 0 | 0
Windows Update Error | frack113 | Sigma Integrated Rule Set (GitHub) | 879bef301d05e0c53bf1deb87f0ccdd7cba387cea145b72e6110cabcc2a30343 | 0 | 0
Windows WebDAV User Agent | Florian Roth | Sigma Integrated Rule Set (GitHub) | 917187eb4a5bcdd061118cd2392a86d4b4a05e138f59f268c5906f5df879ff88 | 0 | 0
Winlogon Notify Key Logon Persistence | frack113 | Sigma Integrated Rule Set (GitHub) | 4edd1b8a91c2781bd88eb5be92c3ab1e0f5498018cb1efb7d6fe4df7f2be05c3 | 0 | 0
Winnti Pipemon Characteristics | Florian Roth, oscd.community | Sigma Integrated Rule Set (GitHub) | c1e10ac2693c07c301e475b876c1c19fee91b87063b8908441ea3c5279ae0f65 | 0 | 0
Winrar Compressing Dump Files | Florian Roth | Sigma Integrated Rule Set (GitHub) | 751aa9f10bb034af3fd96ddfd10baf6ff799f92e0d2802249e1d957644c16591 | 0 | 0
Winword.exe Loads Suspicious DLL | Victor Sergeev, oscd.community | Sigma Integrated Rule Set (GitHub) | 1441bc53b94995e7a28e23c96d5c3742700e48b1cb9d1954b559f58eba877e94 | 0 | 0
Wmic Launch Msiexec | Joe Security | Joe Security Rule Set (GitHub) | db017371e0e4d727e167ff37855a4a5e1c6a2341edbbe11beb3b97caecdcca09 | 0 | 0
Wmic Uninstall Security Product | Florian Roth | Sigma Integrated Rule Set (GitHub) | deb3cdf84cc34aa311e6bb923cb0b259584940b4e6d724a32706971b5147607f | 0 | 0
Wmic download via msiexec | Joe Security | Joe Security Rule Set (GitHub) | 0104f72cd9f54a0c07ad11f45d22d923453e62473b89d3af0a474a3bc1dceae7 | 0 | 0
Wmiprvse Wbemcomn DLL Hijack | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 15aaaaea2f031734f9cdf2b6b2daccee96287228d9b63de3ef8ae60bb64c31d5 | 0 | 0
Wmiprvse Wbemcomn DLL Hijack | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 62987a80e784c70fc4631c63515a0e98b3c705e1d044ad445298bdbe93ef6002 | 0 | 0
Wmiprvse Wbemcomn DLL Hijack | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | b20f50174b7445b6c6fde810dcacb4c33c3a76f0102c37667f15cf44550c8ea8 | 0 | 0
Wmiprvse Wbemcomn DLL Hijack | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | b2fa9548d438421a3ea1321b77228fbd3bd81a77dc8dc2f6b7c5ca51b335f139 | 0 | 0
Wow6432Node Classes Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Sigma Integrated Rule Set (GitHub) | b8e0eed90b7762f65047e747e751f1b66397e091c997b89270e3f30cef044193 | 0 | 0
Write Protect For Storage Disabled | Sreeman | Sigma Integrated Rule Set (GitHub) | 909789172b6e132b51b9baf5ca447732e8d01ea892f0b2af3d78463800617785 | 0 | 0
Writing Local Admin Share | frack113 | Sigma Integrated Rule Set (GitHub) | e62e7dc0b12394b319cbb70f3b434d86a1a4e97c05c4cf3939efba22e4c603c7 | 0 | 0
Wscript download file into temp location from wordpress site | Joe Security | Joe Security Rule Set (GitHub) | e4fa44290012b08a6024fd7259647320ed7bcccd8f789391420ae07ec797c56c | 0 | 0
Zeppelin Ransomware detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 1dd1813f8e36c59d89368c568c00d0b7df113cf1294162c9aa9daa50f72759d0 | 0 | 0
Zerologon Exploitation Using Well-known Tools | Demyan Sokolin @_drd0c, Teymur Kheirkhabarov @HeirhabarovT, oscd.community | Sigma Integrated Rule Set (GitHub) | b78e7cfa9a545243900dd20e214093ca8ccdfb84c4e2701d711df94c2325ad45 | 0 | 0
Zeropadypt Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 2903b1fee135b2ab2e99ea7d454b87f0387bb5adbf0a87b8a952cdf559cc0fc0 | 0 | 0
Zip A Folder With PowerShell For Staging In Temp | frack113 | Sigma Integrated Rule Set (GitHub) | 14067c72922c986650e783f9228ddb9fe698c382df3698e163c4f670cf050465 | 0 | 0
Zip A Folder With PowerShell For Staging In Temp | frack113 | Sigma Integrated Rule Set (GitHub) | 4d383989e445c74fd8a77bd2cf57f7a1ffccaa221d9d197cc2167b4023e34425 | 0 | 0
Zip A Folder With PowerShell For Staging In Temp | frack113 | Sigma Integrated Rule Set (GitHub) | 4f19758bce122aae71a356110cf88e95df101e099a2b95e2472e44201244475d | 0 | 0
Zip A Folder With PowerShell For Staging In Temp | frack113 | Sigma Integrated Rule Set (GitHub) | 70e3421aca89a28b1d599aafae9fdd903822e32a691eb39731812bc02f3b9dcb | 0 | 0
Zip A Folder With PowerShell For Staging In Temp | frack113 | Sigma Integrated Rule Set (GitHub) | c85d82a8951189fc9e17094e9738f8f03ee60e483cb4725d6062de14e1663ff1 | 0 | 0
Zip A Folder With PowerShell For Staging In Temp | frack113 | Sigma Integrated Rule Set (GitHub) | deeb1a213004e4f328c59f035fe5bdbfe766ac3d8a0ea7f9a916c12bc145491f | 0 | 0
Zip A Folder With PowerShell For Staging In Temp | frack113 | Sigma Integrated Rule Set (GitHub) | f9da722f2b9be68744c84591d71fc78f53410669a0b7da802cb3abdb56d3fd72 | 0 | 0
dotNET DLL Loaded Via Office Applications | Antonlovesdnb | Sigma Integrated Rule Set (GitHub) | df9179ffc950a7d9549e0d76b5a95a94d3b366fcfde63b70a6b7a7215d0d97b5 | 0 | 0
iOS Implant URL Pattern | Florian Roth | Sigma Integrated Rule Set (GitHub) | c902b9b5f87c7faea1b8d842747d3620db497a294d8484a4d4f30d8efb95f770 | 0 | 0
ixware Stealer | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 8b103e0e94ed879b2e6703457646fa5fdedf95419931f137df2e5938b4c484be | 0 | 0
ixware Stealer | Ariel Millahuel | SOC Prime Threat Detection Marketplace | c1badf4bce1bace265e5cf652abbe2eb12efdb34e62690f367fcb35a7dfa2c64 | 0 | 0
njRat payload | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 3199f91af1499ae38d1caaccdebf0b49c00acab265a73ae5522d9c9bb2d4178b | 0 | 0
notepad++.exe DLL search order hijacking(Sysmon) | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 088db9822e808265d50798b894fa0f13dc765ec299836dddc752dfe4b8829071 | 0 | 0
powershell registry execution via wmic | Joe Security | Joe Security Rule Set (GitHub) | f33d9692bdb337bf2369df43be996b214f4819827e400c798075464804b0c4e2 | 0 | 0
rundll32 launch mshta and run script from internet | Joe Security | Joe Security Rule Set (GitHub) | 529f06043b5ec852cb07ebe7880eaedad5dfcb5b041100dd85458b5ae5d43c1c | 0 | 0
smbexec.py Service Installation | Omer Faruk Celik | Sigma Integrated Rule Set (GitHub) | 5a4bf43081cef897622ab39eb1011671616e9b2dd0dbea9e10669d85790dcd9c | 0 | 0
tencentsoso.exe DLL search order hijacking(Sysmon) | Den Iuzvyk | SOC Prime Threat Detection Marketplace | e11fbf7c8ec3e7d6d9b7b81e6199ac7b3c7ff5da85494aa9578263862a0bc54a | 0 | 0