pandazheng

VirusTotal + Sigma Rules

Jan 27th, 2021
Sigma rules currently running on VirusTotal, and the search query to use on VirusTotal to find matching files:

- Shadow Copies Deletion Using Operating System Utilities : sigma_rule:ad5e4d4b939797a70a9aa742d979a4742c2cfedddd663fb1a43b2795c1e6054b

- Modification of Boot Configuration : sigma_rule:2da0b3cba5dc2b56e1426049598590c54a224e6d15740b9b07c108e089c84520
- Suspicious RUN Key from Download : sigma_rule:9bc88dec9bf37149ee55ca532e26602ba2ef11e86aa846ab6e0e461f12768b4c
- Autorun Keys Modification : sigma_rule:c654002dc2859e8a2f74ec87ad6ff4deaaf0f42f99603aa964e30ed1b1f01cc1
- Suspicious WMI Execution : sigma_rule:29ea4c436137aafe4f4ab08ff716f2a03e416beb0802c5a009cfb266b5d948c6
- Hiding Files with Attrib.exe : sigma_rule:5c3ea6806114163b8cdf5735aeb07e702ab63e0e486f721df84cf675e2b0a04b
- File Created with System Process Name : sigma_rule:e13498937de9343f50c1e8f315ce602aa238e37e21f3dbb15d3403c25afafe3e
- Notepad Making Network Connection : sigma_rule:eebf53f371a18d7f8d6992a935d2fbfe811f3d78552949a0597456693cffd553
- System File Execution Location Anomaly : sigma_rule:25fc56c1bee673d7ff3edcf371e4d2a36c0af83222da348961b87735c8efa61f
- Wannacry Ransomware : sigma_rule:b8a9a3d755cac11238eb37aa06d27255714356075872c2e2e140acfb3e8ab8b0
- Suspicious Svchost Process : sigma_rule:a0daa529834b3c5230b4524da005a6b6503e7cb061e298a8f74e0dc1fee0a008
- Wmiprvse Spawning Process : sigma_rule:1429a6819ff25aad68fb09601fb0b63c4be24919adfd25c4ad925ef8d47d8f22
- Shadow Copies Creation Using Operating Systems Utilities : sigma_rule:16e1527c32b0f67a6b8e3dfaa73ba62c13f73f46a6b0d5962dd823d9ecac933c

- Stop Windows Service : sigma_rule:9afc79c8a56e6e5c4cbd55d203a7dce8efc4ed28aa315b736c842a88b1d3dd0e
- File or Folder Permissions Modifications : sigma_rule:d1b3909fc498977f2008254e9e38903c16568e7a8aaaeb2eb0d1d4f155373408
- Direct Autorun Keys Modification : sigma_rule:b5f76af9d8101930af8d4fee71f3a5395b47eff6bb88e581db02bf890242d79b
- RDP Sensitive Settings Changed : sigma_rule:c1a07dc6104bfa9dcd638f1c9f04504dafbbb28fdf3a4f36dc6af48802194787
- Powershell DownloadFile : sigma_rule:f0282b9dc90a1761ed8cfb90b52bc5f53c2c8ccbff1ca29790e8d17c7eae56dd
- Suspicious Eventlog Clear or Configuration Using Wevtutil : sigma_rule:b8f19be4c7bf862dce0d4d1f7885f2207ddf93b3a33d8a6e16f3968c4fbb6491

- Windows Powershell Web Request : sigma_rule:2637f98feb69311f94822998eb3c8b8d217e6c5767e071536ca54f9da830e236
- RDP Registry Modification : sigma_rule:7aaf54115e7c0d8450b858520101c04264b58e033da253ad20a672a00b52b5ae
- Suspicious Csc.exe Source File Folder : sigma_rule:b39586c79bf4d0d43c937efa6129ebb6f0b2cf03b7038a3a8234f84c147600f7
- Net.exe User Account Creation : sigma_rule:d83c79bbca4183561b4591dd3ce69faed2e6cfed3217f2658b85c237af7aceea
- Non Interactive PowerShell : sigma_rule:1c2e4db94ca79f939e94e29c04fb3b71467fc6f5b9c31db34fcce5a2fb3b856f
- Netsh RDP Port Opening : sigma_rule:0edbdff715350e06427add8d168d0d14de79ec048ea17f4a243589e2ccdc63df
- Netsh Port or Application Allowed : sigma_rule:7b1f3cd9ca9b55feb5fdd5c8e1821348f2d78745282b41055af44f88df612112
- PowerShell Download from URL : sigma_rule:24c9049c81b149aa4537cce166e36f3697878dcdad3fab8b662889d154056d7c
- Suspicious Encoded PowerShell Command Line : sigma_rule:09a6527b05920e47aecbebf5df306d1c194b850076e73d74c3b9ead23b654425

- Local Account Discovery : sigma_rule:ec63f6d5ea6cf1a23c7c491b28d6b350219d23a95ea95516ce0256730fb7912c
- Net.exe Execution : sigma_rule:f1048c602439313e72f67c634350106ba7b709512529457a6f0a5eca6835bc89
- Service Execution : sigma_rule:3edfb66bbbe5056c7df0064ed6164a68632d8d476ab015091e0e33f5159d9052
- Windows Processes Suspicious Parent Directory : sigma_rule:afd546ea5eff265c454f77f6e7641ade6e5a791d79de155fa27d377be1581535

- Suspect Svchost Activity : sigma_rule:dc04e64e69f5446c2a31920ee22415626307d5f3d0fb73ad81b9d3301a41000a
- Suspicious Remote Thread Created : sigma_rule:5242ae9a7c0bb9967f443e598ba4d27edfa69ca76b6fbb7ad0d569f7e9067668
- Suspicious Double Extension : sigma_rule:5ead81ee12f2097316af35270a1ac0f8623db054349c52ef366fc42a4b7d2de2
- Suspicious desktop.ini Action : sigma_rule:cdd5a8ff564f3632d9613d1f4925baca8be40a01fe14c7ba3e30f51bf1ff3829
- Regsvr32 Network Activity : sigma_rule:a9fd3d8b393121d910bdb6416807881b8e231fde412098c46594fc45821d23ce
- Regsvr32 Anomaly : sigma_rule:455818bf9dc4423de74cdfa396a0735e0fd29acee7f47632575decb468b11cb5
- BlueMashroom DLL Load : sigma_rule:fa6fe737f5145762e909801e31b442ca6e73fb112f26179762cd60b5c64a4867
- Suspicious MsiExec Directory : sigma_rule:709fa572c6d4a06b81742c9cefd264b1debafc1f9b2aedc9798d5cb749d52458
- Suspicious File Characteristics Due to Missing Fields : sigma_rule:608e0e17d25bcba31de608552a073a6677d4f626ab55bce353a686eda3f60bcc

- Suspicious PowerShell Parameter Substring : sigma_rule:1929e853315b3b5398e0837b2b8928a28ae8eec0611ebb41efc5e6b33e78cd6c
- Suspicious XOR Encoded PowerShell Command Line : sigma_rule:312888984ff0222cd7bd45936afd14feea146948ac0e6941f3e0513e56d51e65

- Empire PowerShell Launch Parameters : sigma_rule:dae7277357ad237d5dfceb985bdbbaffa777a494f5cab14f067003795d395650
- MSHTA Spawning Windows Shell : sigma_rule:b9bc90b7745bcb3a2cf9de40d1d419d18ead6650040015c7f4755848e9bfdb05
- Scheduled Task Creation : sigma_rule:3bc9d14114a6b67367a24df21134d0564d6f08a0ad903d68f9b25e9d8b7f0790
- Windows Shell Spawning Suspicious Program : sigma_rule:80bbf1ed6106205ab2926430c9634286f976b2fee4357dbacddec45b979a4422
- WSF/JSE/JS/VBA/VBE File Execution : sigma_rule:8b884f70bb47a8e06faf8f548fcfef77fe3802d22c310c4cdfa01f35cb030bac
- Mshta JavaScript Execution : sigma_rule:f6f3741fe71241687646386731e58cbb9eb5dd4b8db836bb8840c3d02e5462b8
- Netsh Program Allowed with Suspicious Location : sigma_rule:adbbf1b1fe76c2a86e148fcc66a37c2f361f6d40ce55e510f70409c09d434ea2

- Windows Registry Persistence COM Search Order Hijacking : sigma_rule:7f5d257abc981b5eddb52d4a9a02fb66201226935cf3d39177c8a81c3a3e8dd4

- WMI Event Subscription : sigma_rule:07b95c7eb376ac65a345dc6a2c1cb03732e085818d93bd1ea2e7d3706619d78e
- Suspicious Scripting in a WMI Consumer : sigma_rule:aa9824d65395eec625b665851ca4456503a8111e058eab9487c34500b30ee31f
- WMI Persistence - Script Event Consumer File Write : sigma_rule:f4ab9cd44db2481795fe0edd858471bda0d0b73d8e406124bf76a2a074ac5360

- Sysprep on AppData Folder : sigma_rule:76d39c4238c645e864f006400ab59ebda393cfe12db20d6f7ec44eac3b27f6b3
- Windows Network Enumeration : sigma_rule:7cb4a3985bd24a137550fa4c49b1da3fb949c3cf182a90950438e97aaad46378
- Copy from Admin Share : sigma_rule:253df726683ee378cff180cb32526ec9f10b897edda084113b11cbeba118fbe3
- AppLocker Bypass : sigma_rule:b9996fdb64c94bd97526744b8287a3b3b02ac4eceff0980c672209adae0be6e5
- Executables Started in Suspicious Folder : sigma_rule:934747e347848f3bf5d2222f0c29c4c6e42831b94a6e0ce77ff40017e5f11fd2
- Suspicious Program Location with Network Connections : sigma_rule:01b1cc2515aec2562e5e8cd3c88a60677a1acd2d680b289cf67fa493abe433d2

- Execution in Non-Executable Folder : sigma_rule:f8d48ec1128b00975e61e06393f6bb04a1d033a94c556d213b3bcb78a80589d8
- New RUN Key Pointing to Suspicious Folder : sigma_rule:27b72c2678411f21ba21bd10b44b7e9c45594d5a5f61f14223b81a8906675039
- Suspicious Program Location Process Starts : sigma_rule:c593fd1eac248d2f05a155e6c8ef2682b9022a12bc03104ff8e9e7c40f585268
- Windows Credential Editor : sigma_rule:8c09b5d8aeac44d4ad6b76333ab77edf4453d9c7f7db00d879591acfc9f98479
- FromBase64String Command Line : sigma_rule:e75e9983c2277304aa1294c0b077a3139a8405cd1661ccf513a6c05a002acacf
- Suspicious PowerShell Invocation Based on Parent Process : sigma_rule:c089503ba0204ebcc3605f01ef3ba76dfff60846f2bad81faf9eae455e81921b

- WMI Spawning Windows PowerShell : sigma_rule:1ca8739651295d88708cb5ddfb7a115ae0d202152a80ee4c7871e62f3509c938
- Suspicious PowerShell Parent Process : sigma_rule:a4d012f0f7c21ebed94f8e82f4910702fcbcd9d21bf70e4b1b039f48970d1bbc
- Encoded FromBase64String : sigma_rule:b079b9bebaa7ac01f379d6d83aa123ec20bc9068b9a097e09aec5f87b42d91d1
- Bypass UAC via CMSTP : sigma_rule:ae5debad574fb4590d5efc9d2e3614bb603a5670f3f9f926a42d2ecbf0de0291
- CMSTP Execution : sigma_rule:ba18b1afcbf41aa13fd2cd7dc8e323b09854c6f046b4a98d07c2ea5d751d7584
- CMSTP UAC Bypass via COM Object Access : sigma_rule:a30845acd045e920f165087e59ac6d9461f6c4bfadfa52e4c518e3bcb9d8cb0c
- XSL Script Processing : sigma_rule:e80db9df819552f83bb1bc542be2503390d7a47f3c26ea4db86797b530411d2c
- PowerShell Script Run in AppData : sigma_rule:4975d97d556849fe2e336bf1c8a5012b84eefe1d4059c527aaa8ec3f903022b2
- Whoami Execution : sigma_rule:4f50c176af3c65d3b67381b2eb36baf45f7c58aa2934ba1b9d94703fb60d977c
- Koadic Execution : sigma_rule:c5d484cc0502bed15307c6bcc483ba03518aaa99ca3cca09b01da3ea57317777
- Local Accounts Discovery : sigma_rule:ec63f6d5ea6cf1a23c7c491b28d6b350219d23a95ea95516ce0256730fb7912c
- Dridex Process Pattern : sigma_rule:11ef2fbb89770dbec860f554810a4e34a33e1326589f9eaf562412ceba567f00
- Indirect Command Execution : sigma_rule:949493fff309832e61eefbc1517c38dc21116f3e97310be0dfd27ee7544382e1
- Highly Relevant Renamed Binary : sigma_rule:6a0e84509806d4477d42410fb267c817a01015e3dcc33e48330f8db0ba9709da
- Renamed Binary : sigma_rule:686a5b6d5e098e507256a7207e9e4a237bb378c824f67f13ee0402525833b257
- Renamed PowerShell : sigma_rule:52606fbb97633e0a2c2581ff33bcb2bb212da3c00b02cbf971e5a0aa2f7b4cab
- Mimikatz Command Line : sigma_rule:338397ed109954fb8f766d6849691b20570aadf79c77ac5509047b25b9af2859
- CrackMapExec PowerShell Obfuscation : sigma_rule:c5f36e07dfb01984d08d19db1fe7f194936f079b371ab900d58eff493b972744
- Fsutil Suspicious Invocation : sigma_rule:4b8a086b898ff9eb51b0489b98e2619d0c9fe2cd94e29325ec8a4c2250220b8e
- Suspicious Copy From or To System32 : sigma_rule:de683a6054ff03b9c12e58c842648f759cfcf797f91dc01078d285e8f3f8e856
- MSHTA Suspicious Execution 01 : sigma_rule:7a63d1c1bf6ebb277b02d4893066d3732e3d7df562cfdbfee275bbc5c4de0951
- WScript or CScript Dropper : sigma_rule:2020feadc9b3cf47558c219948361d9d3eb5347af91135f21bf711f6032bc817
- Suspicious Calculator Usage : sigma_rule:379786e3d43f4df15525494f022a5e59f58acf961a0f2536f20ae374717a9fa0
- Covenant Launcher Indicators : sigma_rule:2957c0808592ab632134afd63650be8c47697a8350bb5cb19a8272b9da595777
- Malicious Base64 Encoded PowerShell Keywords in Command Lines : sigma_rule:2741e38c5a55999659c8e2ffe6365a21db8ec070e03a5a2f78326209ada99b63

- Taskmgr as Parent : sigma_rule:bd4c20ecc3fa26779f917ddf7cd594af5a64805084e11c2a680ade82d77b01ed
- Bitsadmin Download : sigma_rule:aca8c04f52d20c1f8ac7c5fda7686124759166ab9439145354e331faaf792bb9
- Conhost Parent Process Execution : sigma_rule:7b87fbdccf3c12011b709aab8b9bd4642bd61dc9880e0e1ce9ebb9901e2a3497
- Discovery of a System Time : sigma_rule:18ed38c04ceafb2aa0b9dcb106310ce76cb1473a4109b6a489663f5c250bd2a6
- Sticky Key Like Backdoor Usage : sigma_rule:bec9d927518cb9af8ee98a6cde08e6a1f05090534e3b3c24e8ced8ae93e15311