related
critical
Antivirus Password Dumper Detection
Detects a highly relevant Antivirus alert that reports a password dumper.
This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
status stable
author Florian Roth (Nextron Systems), Arnim Rupp
id 78cc2dd2-7d20-4d32-93ff-057084c38b93
license Sigma · DRL-1.1
view Sigma YAML
title: Antivirus Password Dumper Detection
id: 78cc2dd2-7d20-4d32-93ff-057084c38b93
status: stable
description: |
Detects a highly relevant Antivirus alert that reports a password dumper.
This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
- https://www.nextron-systems.com/?s=antivirus
- https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619
- https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2018-09-09
modified: 2024-11-02
tags:
- attack.credential-access
- attack.t1003
- attack.t1558
- attack.t1003.001
- attack.t1003.002
logsource:
category: antivirus
detection:
selection:
- Signature|startswith: 'PWS'
- Signature|contains:
- 'Certify'
- 'DCSync'
- 'DumpCreds'
- 'DumpLsass'
- 'DumpPert'
- 'HTool/WCE'
- 'Kekeo'
- 'Lazagne'
- 'LsassDump'
- 'Mimikatz'
- 'MultiDump'
- 'Nanodump'
- 'NativeDump'
- 'Outflank'
- 'PShlSpy'
- 'PSWTool'
- 'PWCrack'
- 'PWDump'
- 'PWS.'
- 'PWSX'
- 'pypykatz'
- 'Rubeus'
- 'SafetyKatz'
- 'SecurityTool'
- 'SharpChrome'
- 'SharpDPAPI'
- 'SharpDump'
- 'SharpKatz'
- 'SharpS.' # Sharpsploit, e.g. 530ea2ff9049f5dfdfa0a2e9c27c2e3c0685eb6cbdf85370c20a7bfae49f592d
- 'ShpKatz'
- 'TrickDump'
condition: selection
falsepositives:
- Unlikely
level: critical
related
critical
Hacktool Execution - Imphash
Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed
status test
author Florian Roth (Nextron Systems)
id 24e3e58a-646b-4b50-adef-02ef935b9fc8
license Sigma · DRL-1.1
view Sigma YAML
title: Hacktool Execution - Imphash
id: 24e3e58a-646b-4b50-adef-02ef935b9fc8
status: test
description: Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed
references:
- Internal Research
author: Florian Roth (Nextron Systems)
date: 2022-03-04
modified: 2024-11-23
tags:
- attack.credential-access
- attack.resource-development
- attack.t1588.002
- attack.t1003
logsource:
category: process_creation
product: windows
detection:
selection:
Hashes|contains: # Sysmon field hashes contains all types
- IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam
- IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam
- IMPHASH=bf6223a49e45d99094406777eb6004ba # PetitPotam
- IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato
- IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC # JuicyPotato
- IMPHASH=F9A28C458284584A93B14216308D31BD # JuicyPotatoNG
- IMPHASH=6118619783FC175BC7EBECFF0769B46E # RoguePotato
- IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA # RoguePotato
- IMPHASH=563233BFA169ACC7892451F71AD5850A # RoguePotato
- IMPHASH=87575CB7A0E0700EB37F2E3668671A08 # RoguePotato
- IMPHASH=13F08707F759AF6003837A150A371BA1 # Pwdump
- IMPHASH=1781F06048A7E58B323F0B9259BE798B # Pwdump
- IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5 # Pwdump
- IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D # Pwdump
- IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2 # Pwdump
- IMPHASH=713C29B396B907ED71A72482759ED757 # Pwdump
- IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F # Pwdump
- IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E # Pwdump
- IMPHASH=8B114550386E31895DFAB371E741123D # Pwdump
- IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793 # PwDumpX
- IMPHASH=9D68781980370E00E0BD939EE5E6C141 # Pwdump
- IMPHASH=B18A1401FF8F444056D29450FBC0A6CE # Pwdump
- IMPHASH=CB567F9498452721D77A451374955F5F # Pwdump
- IMPHASH=730073214094CD328547BF1F72289752 # Htran
- IMPHASH=17B461A082950FC6332228572138B80C # Cobalt Strike beacons
- IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9 # Cobalt Strike beacons
- IMPHASH=819B19D53CA6736448F9325A85736792 # Cobalt Strike beacons
- IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E # Cobalt Strike beacons
- IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74 # PPLDump
- IMPHASH=0588081AB0E63BA785938467E1B10CCA # PPLDump
- IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C # NanoDump
- IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29 # NanoDump
- IMPHASH=4DA924CF622D039D58BCE71CDF05D242 # NanoDump
- IMPHASH=E7A3A5C377E2D29324093377D7DB1C66 # NanoDump
- IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF # NanoDump
- IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE # NanoDump
- IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4 # NanoDump
- IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338 # NanoDump
- IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E # NanoDump
- IMPHASH=E6F9D5152DA699934B30DAAB206471F6 # NanoDump
- IMPHASH=3AD59991CCF1D67339B319B15A41B35D # NanoDump
- IMPHASH=FFDD59E0318B85A3E480874D9796D872 # NanoDump
- IMPHASH=0CF479628D7CC1EA25EC7998A92F5051 # NanoDump
- IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51 # NanoDump
- IMPHASH=D6D0F80386E1380D05CB78E871BC72B1 # NanoDump
- IMPHASH=38D9E015591BBFD4929E0D0F47FA0055 # HandleKatz
- IMPHASH=0E2216679CA6E1094D63322E3412D650 # HandleKatz
- IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB # DripLoader
- IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798 # DripLoader
- IMPHASH=11083E75553BAAE21DC89CE8F9A195E4 # DripLoader
- IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80 # DripLoader
- IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F # CreateMiniDump
- IMPHASH=767637C23BB42CD5D7397CF58B0BE688 # UACMe Akagi
- IMPHASH=14C4E4C72BA075E9069EE67F39188AD8 # UACMe Akagi
- IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC # UACMe Akagi
- IMPHASH=7D010C6BB6A3726F327F7E239166D127 # UACMe Akagi
- IMPHASH=89159BA4DD04E4CE5559F132A9964EB3 # UACMe Akagi
- IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F # UACMe Akagi
- IMPHASH=5834ED4291BDEB928270428EBBAF7604 # UACMe Akagi
- IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38 # UACMe Akagi
- IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894 # UACMe Akagi
- IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74 # UACMe Akagi
- IMPHASH=3DE09703C8E79ED2CA3F01074719906B # UACMe Akagi
- IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F # WCE
- IMPHASH=E96A73C7BF33A464C510EDE582318BF2 # WCE
- IMPHASH=32089B8851BBF8BC2D014E9F37288C83 # Sliver Stagers
- IMPHASH=09D278F9DE118EF09163C6140255C690 # Dumpert
- IMPHASH=03866661686829d806989e2fc5a72606 # Dumpert
- IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d # Dumpert
- IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte
- IMPHASH=19584675D94829987952432E018D5056 # SysmonQuiet
- IMPHASH=330768A4F172E10ACB6287B87289D83B # ShaprEvtMute Hook
- IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313 # Forkatz
- IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC # PPLKiller
- IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28 # PPLKiller
- IMPHASH=96DF3A3731912449521F6F8D183279B1 # Backstab
- IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46 # Backstab
- IMPHASH=51791678F351C03A0EB4E2A7B05C6E17 # Backstab
- IMPHASH=25CE42B079282632708FC846129E98A5 # Forensia
- IMPHASH=021BCCA20BA3381B11BDDE26B4E62F20 # EDRSandBlast
- IMPHASH=59223B5F52D8799D38E0754855CBDF42 # EDRSandBlast
- IMPHASH=81E75D8F1D276C156653D3D8813E4A43 # EDRSandBlast
- IMPHASH=17244E8B6B8227E57FE709CCAD421420 # EDRSandBlast
- IMPHASH=5B76DA3ACDEDC8A5CDF23A798B5936B4 # EDRSandBlast
- IMPHASH=CB2B65BB77D995CC1C0E5DF1C860133C # EDRSandBlast
- IMPHASH=40445337761D80CF465136FAFB1F63E6 # EDRSandBlast
- IMPHASH=8A790F401B29FA87BC1E56F7272B3AA6 # EDRSilencer
- IMPHASH=B50199E952C875241B9CE06C971CE3C1 # EventLogCrasher
condition: selection
falsepositives:
- Legitimate use of one of these tools
level: critical
related
critical
HackTool - Rubeus Execution
Detects the execution of the hacktool Rubeus via PE information of command line parameters
status stable
author Florian Roth (Nextron Systems)
id 7ec2c172-dceb-4c10-92c9-87c1881b7e18
license Sigma · DRL-1.1
view Sigma YAML
title: HackTool - Rubeus Execution
id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18
related:
- id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18
type: similar
status: stable
description: Detects the execution of the hacktool Rubeus via PE information of command line parameters
references:
- https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus
- https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
- https://github.com/GhostPack/Rubeus
author: Florian Roth (Nextron Systems)
date: 2018-12-19
modified: 2023-04-20
tags:
- attack.credential-access
- attack.t1003
- attack.t1558.003
- attack.lateral-movement
- attack.t1550.003
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\Rubeus.exe'
- OriginalFileName: 'Rubeus.exe'
- Description: 'Rubeus'
- CommandLine|contains:
- 'asreproast '
- 'dump /service:krbtgt '
- 'dump /luid:0x'
- 'kerberoast '
- 'createnetonly /program:'
- 'ptt /ticket:'
- '/impersonateuser:'
- 'renew /ticket:'
- 'asktgt /user:'
- 'harvest /interval:'
- 's4u /user:'
- 's4u /ticket:'
- 'hash /password:'
- 'golden /aes256:'
- 'silver /user:'
condition: selection
falsepositives:
- Unlikely
level: critical
related
critical
Potential Credential Dumping Via LSASS Process Clone
Detects a suspicious LSASS process process clone that could be a sign of credential dumping activity
status test
author Florian Roth (Nextron Systems), Samir Bousseaden
id c8da0dfd-4ed0-4b68-962d-13c9c884384e
license Sigma · DRL-1.1
view Sigma YAML
title: Potential Credential Dumping Via LSASS Process Clone
id: c8da0dfd-4ed0-4b68-962d-13c9c884384e
status: test
description: Detects a suspicious LSASS process process clone that could be a sign of credential dumping activity
references:
- https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/
- https://twitter.com/Hexacorn/status/1420053502554951689
- https://twitter.com/SBousseaden/status/1464566846594691073?s=20
author: Florian Roth (Nextron Systems), Samir Bousseaden
date: 2021-11-27
modified: 2023-03-02
tags:
- attack.credential-access
- attack.t1003
- attack.t1003.001
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\Windows\System32\lsass.exe'
Image|endswith: '\Windows\System32\lsass.exe'
condition: selection
falsepositives:
- Unknown
level: critical
related
critical
WCE wceaux.dll Access
Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host
status test
author Thomas Patzke
id 1de68c67-af5c-4097-9c85-fe5578e09e67
license Sigma · DRL-1.1
view Sigma YAML
title: WCE wceaux.dll Access
id: 1de68c67-af5c-4097-9c85-fe5578e09e67
status: test
description: Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host
references:
- https://www.jpcert.or.jp/english/pub/sr/ir_research.html
- https://jpcertcc.github.io/ToolAnalysisResultSheet
author: Thomas Patzke
date: 2017-06-14
modified: 2025-01-30
tags:
- attack.credential-access
- attack.t1003
- attack.s0005
logsource:
product: windows
service: security
detection:
selection:
EventID:
- 4656
- 4663
ObjectName|endswith: '\wceaux.dll'
condition: selection
falsepositives:
- Unknown
level: critical
related
critical
HackTool - Dumpert Process Dumper Default File
Detects the creation of the default dump file used by Outflank Dumpert tool. A process dumper, which dumps the lsass process memory
status test
author Florian Roth (Nextron Systems)
id 93d94efc-d7ad-4161-ad7d-1638c4f908d8
license Sigma · DRL-1.1
view Sigma YAML
title: HackTool - Dumpert Process Dumper Default File
id: 93d94efc-d7ad-4161-ad7d-1638c4f908d8
related:
- id: 2704ab9e-afe2-4854-a3b1-0c0706d03578
type: derived
status: test
description: Detects the creation of the default dump file used by Outflank Dumpert tool. A process dumper, which dumps the lsass process memory
references:
- https://github.com/outflanknl/Dumpert
- https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/
author: Florian Roth (Nextron Systems)
date: 2020-02-04
modified: 2023-05-09
tags:
- attack.credential-access
- attack.t1003.001
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|endswith: 'dumpert.dmp'
condition: selection
falsepositives:
- Very unlikely
level: critical
related
critical
HackTool - Credential Dumping Tools Named Pipe Created
Detects well-known credential dumping tools execution via specific named pipe creation
status test
author Teymur Kheirkhabarov, oscd.community
id 961d0ba2-3eea-4303-a930-2cf78bbfcc5e
license Sigma · DRL-1.1
view Sigma YAML
title: HackTool - Credential Dumping Tools Named Pipe Created
id: 961d0ba2-3eea-4303-a930-2cf78bbfcc5e
status: test
description: Detects well-known credential dumping tools execution via specific named pipe creation
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
- https://image.slidesharecdn.com/zeronights2017kheirkhabarov-171118103000/75/hunting-for-credentials-dumping-in-windows-environment-57-2048.jpg?cb=1666035799
author: Teymur Kheirkhabarov, oscd.community
date: 2019-11-01
modified: 2023-08-07
tags:
- attack.credential-access
- attack.t1003.001
- attack.t1003.002
- attack.t1003.004
- attack.t1003.005
logsource:
product: windows
category: pipe_created
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
selection:
PipeName|contains:
- '\cachedump'
- '\lsadump'
- '\wceservicepipe'
condition: selection
falsepositives:
- Legitimate Administrator using tool for password recovery
level: critical
related
critical
HackTool - Inveigh Execution
Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool
status test
author Nasreddine Bencherchali (Nextron Systems)
id b99a1518-1ad5-4f65-bc95-1ffff97a8fd0
license Sigma · DRL-1.1
view Sigma YAML
title: HackTool - Inveigh Execution
id: b99a1518-1ad5-4f65-bc95-1ffff97a8fd0
status: test
description: Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool
references:
- https://github.com/Kevin-Robertson/Inveigh
- https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-24
modified: 2023-02-04
tags:
- attack.credential-access
- attack.t1003.001
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\Inveigh.exe'
- OriginalFileName:
- '\Inveigh.exe'
- '\Inveigh.dll'
- Description: 'Inveigh'
- CommandLine|contains:
- ' -SpooferIP'
- ' -ReplyToIPs '
- ' -ReplyToDomains '
- ' -ReplyToMACs '
- ' -SnifferIP'
condition: selection
falsepositives:
- Very unlikely
level: critical
related
critical
HackTool - SafetyKatz Execution
Detects the execution of the hacktool SafetyKatz via PE information and default Image name
status test
author Nasreddine Bencherchali (Nextron Systems)
id b1876533-4ed5-4a83-90f3-b8645840a413
license Sigma · DRL-1.1
view Sigma YAML
title: HackTool - SafetyKatz Execution
id: b1876533-4ed5-4a83-90f3-b8645840a413
status: test
description: Detects the execution of the hacktool SafetyKatz via PE information and default Image name
references:
- https://github.com/GhostPack/SafetyKatz
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-20
modified: 2023-02-04
tags:
- attack.credential-access
- attack.t1003.001
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\SafetyKatz.exe'
- OriginalFileName: 'SafetyKatz.exe'
- Description: 'SafetyKatz'
condition: selection
falsepositives:
- Unlikely
level: critical
related
critical
HackTool - Dumpert Process Dumper Execution
Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory
status test
author Florian Roth (Nextron Systems)
id 2704ab9e-afe2-4854-a3b1-0c0706d03578
license Sigma · DRL-1.1
view Sigma YAML
title: HackTool - Dumpert Process Dumper Execution
id: 2704ab9e-afe2-4854-a3b1-0c0706d03578
status: test
description: Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory
references:
- https://github.com/outflanknl/Dumpert
- https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/
author: Florian Roth (Nextron Systems)
date: 2020-02-04
modified: 2025-01-22
tags:
- attack.credential-access
- attack.t1003.001
logsource:
category: process_creation
product: windows
detection:
selection:
- Hashes|contains: 'MD5=09D278F9DE118EF09163C6140255C690'
- CommandLine|contains: 'Dumpert.dll'
condition: selection
falsepositives:
- Very unlikely
level: critical
related
critical
HackTool - Windows Credential Editor (WCE) Execution
Detects the use of Windows Credential Editor (WCE), a popular post-exploitation tool used to extract plaintext passwords, hash, PIN code and Kerberos tickets from memory.
It is often used by threat actors for credential dumping and lateral movement within compromised networks.
status test
author Florian Roth (Nextron Systems)
id 7aa7009a-28b9-4344-8c1f-159489a390df
license Sigma · DRL-1.1
view Sigma YAML
title: HackTool - Windows Credential Editor (WCE) Execution
id: 7aa7009a-28b9-4344-8c1f-159489a390df
status: test
description: |
Detects the use of Windows Credential Editor (WCE), a popular post-exploitation tool used to extract plaintext passwords, hash, PIN code and Kerberos tickets from memory.
It is often used by threat actors for credential dumping and lateral movement within compromised networks.
references:
- https://www.ampliasecurity.com/research/windows-credentials-editor/
author: Florian Roth (Nextron Systems)
date: 2019-12-31
modified: 2025-10-21
tags:
- attack.credential-access
- attack.t1003.001
- attack.s0005
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith:
- '\WCE.exe'
- '\WCE64.exe'
selection_hash:
Hashes|contains:
- 'IMPHASH=136F0A8572C058A96436C82E541E4C41'
- 'IMPHASH=589657C64DDE88533186C39F82FA1F50'
- 'IMPHASH=6BFE09EFCB4FFDE061EBDBAFC4DB84CF'
- 'IMPHASH=7D490037BF450877E6D0287BDCFF8D2E'
- 'IMPHASH=8AB93B061287C79F3088C5BC7E7D97ED'
- 'IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F'
- 'IMPHASH=BA434A7A729EEC20E136CA4C32D6C740'
- 'IMPHASH=BD1D1547DA13C0FCB6C15E86217D5EB8'
- 'IMPHASH=E96A73C7BF33A464C510EDE582318BF2'
condition: 1 of selection_*
falsepositives:
- Unknown
level: critical
related
critical
Windows Credential Editor Registry
Detects the use of Windows Credential Editor (WCE)
status test
author Florian Roth (Nextron Systems)
id a6b33c02-8305-488f-8585-03cb2a7763f2
license Sigma · DRL-1.1
view Sigma YAML
title: Windows Credential Editor Registry
id: a6b33c02-8305-488f-8585-03cb2a7763f2
status: test
description: Detects the use of Windows Credential Editor (WCE)
references:
- https://www.ampliasecurity.com/research/windows-credentials-editor/
author: Florian Roth (Nextron Systems)
date: 2019-12-31
modified: 2021-11-27
tags:
- attack.credential-access
- attack.t1003.001
- attack.s0005
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|contains: Services\WCESERVICE\Start
condition: selection
falsepositives:
- Unknown
level: critical
related
critical
Potential Credential Dumping Via LSASS SilentProcessExit Technique
Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process
status test
author Florian Roth (Nextron Systems)
id 55e29995-75e7-451a-bef0-6225e2f13597
license Sigma · DRL-1.1
view Sigma YAML
title: Potential Credential Dumping Via LSASS SilentProcessExit Technique
id: 55e29995-75e7-451a-bef0-6225e2f13597
related:
- id: 36803969-5421-41ec-b92f-8500f79c23b0
type: similar
status: test
description: Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process
references:
- https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/
- https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
author: Florian Roth (Nextron Systems)
date: 2021-02-26
modified: 2022-12-19
tags:
- attack.credential-access
- attack.t1003.001
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|contains: 'Microsoft\Windows NT\CurrentVersion\SilentProcessExit\lsass.exe'
condition: selection
falsepositives:
- Unlikely
level: critical
related
critical
Renamed Whoami Execution
Detects the execution of whoami that has been renamed to a different name to avoid detection
status test
author Florian Roth (Nextron Systems)
id f1086bf7-a0c4-4a37-9102-01e573caf4a0
license Sigma · DRL-1.1
view Sigma YAML
title: Renamed Whoami Execution
id: f1086bf7-a0c4-4a37-9102-01e573caf4a0
status: test
description: Detects the execution of whoami that has been renamed to a different name to avoid detection
references:
- https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/
- https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/
author: Florian Roth (Nextron Systems)
date: 2021-08-12
modified: 2022-10-09
tags:
- attack.discovery
- attack.t1033
- car.2016-03-001
logsource:
category: process_creation
product: windows
detection:
selection:
OriginalFileName: 'whoami.exe'
filter:
Image|endswith: '\whoami.exe'
condition: selection and not filter
falsepositives:
- Unknown
level: critical
related
critical
CobaltStrike Named Pipe
Detects the creation of a named pipe as used by CobaltStrike
status test
author Florian Roth (Nextron Systems), Wojciech Lesicki
id d5601f8c-b26f-4ab0-9035-69e11a8d4ad2
license Sigma · DRL-1.1
view Sigma YAML
title: CobaltStrike Named Pipe
id: d5601f8c-b26f-4ab0-9035-69e11a8d4ad2
related:
- id: 85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7 # Patterns
type: similar
- id: 0e7163d4-9e19-4fa7-9be6-000c61aad77a # Regex
type: similar
status: test
description: Detects the creation of a named pipe as used by CobaltStrike
references:
- https://twitter.com/d4rksystem/status/1357010969264873472
- https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/
- https://github.com/SigmaHQ/sigma/issues/253
- https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/
- https://redcanary.com/threat-detection-report/threats/cobalt-strike/
author: Florian Roth (Nextron Systems), Wojciech Lesicki
date: 2021-05-25
modified: 2022-10-31
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1055
logsource:
product: windows
category: pipe_created
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can always use Cobalt Strike, but also you can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
selection_MSSE:
PipeName|contains|all:
- '\MSSE-'
- '-server'
selection_postex:
PipeName|startswith: '\postex_' # Also include the pipe "\postex_ssh_"
selection_status:
PipeName|startswith: '\status_'
selection_msagent:
PipeName|startswith: '\msagent_'
selection_mojo:
PipeName|startswith: '\mojo_'
selection_interprocess:
PipeName|startswith: '\interprocess_'
selection_samr:
PipeName|startswith: '\samr_'
selection_netlogon:
PipeName|startswith: '\netlogon_'
selection_srvsvc:
PipeName|startswith: '\srvsvc_'
selection_lsarpc:
PipeName|startswith: '\lsarpc_'
selection_wkssvc:
PipeName|startswith: '\wkssvc_'
condition: 1 of selection*
falsepositives:
- Unknown
level: critical
related
critical
Malicious Named Pipe Created
Detects the creation of a named pipe seen used by known APTs or malware.
status test
author Florian Roth (Nextron Systems), blueteam0ps, elhoim
id fe3ac066-98bb-432a-b1e7-a5229cb39d4a
license Sigma · DRL-1.1
view Sigma YAML
title: Malicious Named Pipe Created
id: fe3ac066-98bb-432a-b1e7-a5229cb39d4a
status: test
description: Detects the creation of a named pipe seen used by known APTs or malware.
references:
- https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/
- https://securelist.com/faq-the-projectsauron-apt/75533/
- https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
- https://www.us-cert.gov/ncas/alerts/TA17-117A
- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
- https://thedfirreport.com/2020/06/21/snatch-ransomware/
- https://github.com/RiccardoAncarani/LiquidSnake
- https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity
- https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a
- https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf
- https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/
- https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
author: Florian Roth (Nextron Systems), blueteam0ps, elhoim
date: 2017-11-06
modified: 2023-08-07
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1055
logsource:
product: windows
category: pipe_created
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
selection:
PipeName:
- '\46a676ab7f179e511e30dd2dc41bd388' # Project Sauron
- '\583da945-62af-10e8-4902-a8f205c72b2e' # SolarWinds SUNBURST malware
- '\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7' # LiquidSnake
- '\9f81f59bc58452127884ce513865ed20' # Project Sauron
- '\adschemerpc' # Turla HyperStack
- '\ahexec' # Sofacy group malware
- '\AnonymousPipe' # Hidden Cobra Hoplight
- '\bc31a7' # Pacifier
- '\bc367' # Pacifier
- '\bizkaz' # Snatch Ransomware
- '\csexecsvc' # CSEXEC default
- '\dce_3d' # Qbot
- '\e710f28d59aa529d6792ca6ff0ca1b34' # Project Sauron
- '\gruntsvc' # Covenant default
- '\isapi_dg' # Uroburos Malware
- '\isapi_dg2' # Uroburos Malware
- '\isapi_http' # Uroburos Malware
- '\jaccdpqnvbrrxlaf' # PoshC2 default
- '\lsassw' # Wild Neutron APT malware
- '\NamePipe_MoreWindows' # Cloud Hopper - RedLeaves
- '\pcheap_reuse' # Pipe used by Equation Group malware
- '\Posh*' # PoshC2 default
- '\rpchlp_3' # Project Sauron
- '\sdlrpc' # Cobra Trojan
- '\svcctl' # Crackmapexec smbexec default
- '\testPipe' # Emissary Panda Hyperbro
- '\winsession' # Wild Neutron APT malware
# - '\status_*' # CS default https://github.com/SigmaHQ/sigma/issues/253
condition: selection
falsepositives:
- Unknown
level: critical
related
critical
CobaltStrike Named Pipe Pattern Regex
Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles
status test
author Florian Roth (Nextron Systems)
id 0e7163d4-9e19-4fa7-9be6-000c61aad77a
license Sigma · DRL-1.1
view Sigma YAML
title: CobaltStrike Named Pipe Pattern Regex
id: 0e7163d4-9e19-4fa7-9be6-000c61aad77a
related:
- id: 85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7 # Patterns
type: similar
- id: d5601f8c-b26f-4ab0-9035-69e11a8d4ad2 # Generic
type: similar
status: test
description: Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles
references:
- https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
- https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752
author: Florian Roth (Nextron Systems)
date: 2021-07-30
modified: 2022-12-31
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1055
logsource:
product: windows
category: pipe_created
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can always use Cobalt Strike, but also you can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
selection:
- PipeName|re: '\\mojo\.5688\.8052\.(?:183894939787088877|35780273329370473)[0-9a-f]{2}'
- PipeName|re: '\\wkssvc_?[0-9a-f]{2}'
- PipeName|re: '\\ntsvcs[0-9a-f]{2}'
- PipeName|re: '\\DserNamePipe[0-9a-f]{2}'
- PipeName|re: '\\SearchTextHarvester[0-9a-f]{2}'
- PipeName|re: '\\mypipe-(?:f|h)[0-9a-f]{2}'
- PipeName|re: '\\windows\.update\.manager[0-9a-f]{2,3}'
- PipeName|re: '\\ntsvcs_[0-9a-f]{2}'
- PipeName|re: '\\scerpc_?[0-9a-f]{2}'
- PipeName|re: '\\PGMessagePipe[0-9a-f]{2}'
- PipeName|re: '\\MsFteWds[0-9a-f]{2}'
- PipeName|re: '\\f4c3[0-9a-f]{2}'
- PipeName|re: '\\fullduplex_[0-9a-f]{2}'
- PipeName|re: '\\msrpc_[0-9a-f]{4}'
- PipeName|re: '\\win\\msrpc_[0-9a-f]{2}'
- PipeName|re: '\\f53f[0-9a-f]{2}'
- PipeName|re: '\\rpc_[0-9a-f]{2}'
- PipeName|re: '\\spoolss_[0-9a-f]{2}'
- PipeName|re: '\\Winsock2\\CatalogChangeListener-[0-9a-f]{3}-0,'
condition: selection
falsepositives:
- Unknown
level: critical
related
critical
HackTool - DInjector PowerShell Cradle Execution
Detects the use of the Dinject PowerShell cradle based on the specific flags
status test
author Florian Roth (Nextron Systems)
id d78b5d61-187d-44b6-bf02-93486a80de5a
license Sigma · DRL-1.1
view Sigma YAML
title: HackTool - DInjector PowerShell Cradle Execution
id: d78b5d61-187d-44b6-bf02-93486a80de5a
status: test
description: Detects the use of the Dinject PowerShell cradle based on the specific flags
references:
- https://web.archive.org/web/20211001064856/https://github.com/snovvcrash/DInjector # Original got deleted. This is a fork
author: Florian Roth (Nextron Systems)
date: 2021-12-07
modified: 2023-02-04
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1055
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- ' /am51'
- ' /password'
condition: selection
falsepositives:
- Unlikely
level: critical
related
critical
HackTool - Sliver C2 Implant Activity Pattern
Detects process activity patterns as seen being used by Sliver C2 framework implants
status test
author Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
id 42333b2c-b425-441c-b70e-99404a17170f
license Sigma · DRL-1.1
view Sigma YAML
title: HackTool - Sliver C2 Implant Activity Pattern
id: 42333b2c-b425-441c-b70e-99404a17170f
status: test
description: Detects process activity patterns as seen being used by Sliver C2 framework implants
references:
- https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/implant/sliver/shell/shell_windows.go#L36
- https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/
author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
date: 2022-08-25
modified: 2023-03-05
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: '-NoExit -Command [Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8'
condition: selection
falsepositives:
- Unlikely
level: critical
related
critical
Bad Opsec Powershell Code Artifacts
focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including
Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads
that often undergo minimal changes by attackers due to bad opsec.
status test
author ok @securonix invrep_de, oscd.community
id 8d31a8ce-46b5-4dd6-bdc3-680931f1db86
license Sigma · DRL-1.1
view Sigma YAML
title: Bad Opsec Powershell Code Artifacts
id: 8d31a8ce-46b5-4dd6-bdc3-680931f1db86
related:
- id: 73e733cc-1ace-3212-a107-ff2523cc9fc3
type: derived
status: test
description: |
focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including
Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads
that often undergo minimal changes by attackers due to bad opsec.
references:
- https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/
- https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/
- https://www.mdeditor.tw/pl/pgRt
author: 'ok @securonix invrep_de, oscd.community'
date: 2020-10-09
modified: 2022-12-25
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection_4103:
Payload|contains:
- '$DoIt'
- 'harmj0y'
- 'mattifestation'
- '_RastaMouse'
- 'tifkin_'
- '0xdeadbeef'
condition: selection_4103
falsepositives:
- 'Moderate-to-low; Despite the shorter length/lower entropy for some of these, because of high specificity, fp appears to be fairly limited in many environments.'
level: critical
related
critical
Silence.EDA Detection
Detects Silence EmpireDNSAgent as described in the Group-IP report
status test
author Alina Stepchenkova, Group-IB, oscd.community
id 3ceb2083-a27f-449a-be33-14ec1b7cc973
license Sigma · DRL-1.1
view Sigma YAML
title: Silence.EDA Detection
id: 3ceb2083-a27f-449a-be33-14ec1b7cc973
status: test
description: Detects Silence EmpireDNSAgent as described in the Group-IP report
references:
- https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf
author: Alina Stepchenkova, Group-IB, oscd.community
date: 2019-11-01
modified: 2023-04-03
tags:
- attack.execution
- attack.t1059.001
- attack.command-and-control
- attack.t1071.004
- attack.t1572
- attack.impact
- attack.t1529
- attack.g0091
- attack.s0363
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
empire:
# better to randomise the order
ScriptBlockText|contains|all:
- 'System.Diagnostics.Process'
- 'Stop-Computer'
- 'Restart-Computer'
- 'Exception in execution'
- '$cmdargs'
- 'Close-Dnscat2Tunnel'
dnscat:
# better to randomise the order
ScriptBlockText|contains|all:
- 'set type=$LookupType`nserver'
- '$Command | nslookup 2>&1 | Out-String'
- 'New-RandomDNSField'
- '[Convert]::ToString($SYNOptions, 16)'
- '$Session.Dead = $True'
- '$Session["Driver"] -eq'
condition: empire and dnscat
falsepositives:
- Unknown
level: critical
related
critical
Possible Coin Miner CPU Priority Param
Detects command line parameter very often used with coin miners
status test
author Florian Roth (Nextron Systems)
id 071d5e5a-9cef-47ec-bc4e-a42e34d8d0ed
license Sigma · DRL-1.1
view Sigma YAML
title: Possible Coin Miner CPU Priority Param
id: 071d5e5a-9cef-47ec-bc4e-a42e34d8d0ed
status: test
description: Detects command line parameter very often used with coin miners
references:
- https://xmrig.com/docs/miner/command-line-options
author: Florian Roth (Nextron Systems)
date: 2021-10-09
modified: 2022-12-25
tags:
- attack.privilege-escalation
- attack.t1068
logsource:
product: linux
service: auditd
detection:
cmd1:
a1|startswith: '--cpu-priority'
cmd2:
a2|startswith: '--cpu-priority'
cmd3:
a3|startswith: '--cpu-priority'
cmd4:
a4|startswith: '--cpu-priority'
cmd5:
a5|startswith: '--cpu-priority'
cmd6:
a6|startswith: '--cpu-priority'
cmd7:
a7|startswith: '--cpu-priority'
condition: 1 of cmd*
falsepositives:
- Other tools that use a --cpu-priority flag
level: critical
related
critical
HackTool - SysmonEOP Execution
Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120
status test
author Florian Roth (Nextron Systems)
id 8a7e90c5-fe6e-45dc-889e-057fe4378bd9
license Sigma · DRL-1.1
view Sigma YAML
title: HackTool - SysmonEOP Execution
id: 8a7e90c5-fe6e-45dc-889e-057fe4378bd9
status: test
description: Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120
references:
- https://github.com/Wh04m1001/SysmonEoP
author: Florian Roth (Nextron Systems)
date: 2022-12-04
modified: 2024-11-23
tags:
- cve.2022-41120
- attack.t1068
- attack.privilege-escalation
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith: '\SysmonEOP.exe'
selection_hash:
Hashes|contains:
- 'IMPHASH=22F4089EB8ABA31E1BB162C6D9BF72E5'
- 'IMPHASH=5123FA4C4384D431CD0D893EEB49BBEC'
condition: 1 of selection_*
falsepositives:
- Unlikely
level: critical
related
critical
Audit CVE Event
Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited.
MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability.
Unfortunately, that is about the only instance of CVEs being written to this log.
status test
author Florian Roth (Nextron Systems), Zach Mathis
id 48d91a3a-2363-43ba-a456-ca71ac3da5c2
license Sigma · DRL-1.1
view Sigma YAML
title: Audit CVE Event
id: 48d91a3a-2363-43ba-a456-ca71ac3da5c2
status: test
description: |
Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited.
MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability.
Unfortunately, that is about the only instance of CVEs being written to this log.
references:
- https://twitter.com/VM_vivisector/status/1217190929330655232
- https://twitter.com/DidierStevens/status/1217533958096924676
- https://twitter.com/FlemmingRiis/status/1217147415482060800
- https://www.youtube.com/watch?v=ebmW42YYveI # "CVEs in Windows Event Logs? What You Need to Know" by 13Cubed.
- https://nullsec.us/windows-event-log-audit-cve/
author: Florian Roth (Nextron Systems), Zach Mathis
date: 2020-01-15
modified: 2022-10-22
tags:
- attack.execution
- attack.stealth
- attack.t1203
- attack.privilege-escalation
- attack.t1068
- attack.t1211
- attack.credential-access
- attack.t1212
- attack.lateral-movement
- attack.t1210
- attack.impact
- attack.t1499.004
logsource:
product: windows
service: application
detection:
selection:
Provider_Name:
- 'Microsoft-Windows-Audit-CVE'
- 'Audit-CVE'
EventID: 1
condition: selection
falsepositives:
- Unknown
level: critical
related
critical
HackTool - BabyShark Agent Default URL Pattern
Detects Baby Shark C2 Framework default communication patterns
status test
author Florian Roth (Nextron Systems)
id 304810ed-8853-437f-9e36-c4975c3dfd7e
license Sigma · DRL-1.1
view Sigma YAML
title: HackTool - BabyShark Agent Default URL Pattern
id: 304810ed-8853-437f-9e36-c4975c3dfd7e
status: test
description: Detects Baby Shark C2 Framework default communication patterns
references:
- https://nasbench.medium.com/understanding-detecting-c2-frameworks-babyshark-641be4595845
author: Florian Roth (Nextron Systems)
date: 2021-06-09
modified: 2024-02-15
tags:
- attack.command-and-control
- attack.t1071.001
logsource:
category: proxy
detection:
selection:
c-uri|contains: 'momyshark\?key='
condition: selection
falsepositives:
- Unlikely
level: critical
related
critical
PwnDrp Access
Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity
status test
author Florian Roth (Nextron Systems)
id 2b1ee7e4-89b6-4739-b7bb-b811b6607e5e
license Sigma · DRL-1.1
view Sigma YAML
title: PwnDrp Access
id: 2b1ee7e4-89b6-4739-b7bb-b811b6607e5e
status: test
description: Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity
references:
- https://breakdev.org/pwndrop/
author: Florian Roth (Nextron Systems)
date: 2020-04-15
modified: 2021-11-27
tags:
- attack.command-and-control
- attack.t1071.001
- attack.t1102.001
- attack.t1102.003
logsource:
category: proxy
detection:
selection:
c-uri|contains: '/pwndrop/'
condition: selection
falsepositives:
- Unknown
level: critical
related
critical
Win Susp Computer Name Containing Samtheadmin
Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool
status test
author elhoim
id 39698b3f-da92-4bc6-bfb5-645a98386e45
license Sigma · DRL-1.1
view Sigma YAML
title: Win Susp Computer Name Containing Samtheadmin
id: 39698b3f-da92-4bc6-bfb5-645a98386e45
status: test
description: Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool
references:
- https://twitter.com/malmoeb/status/1511760068743766026
- https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py
author: elhoim
date: 2022-09-09
modified: 2023-01-04
tags:
- attack.initial-access
- cve.2021-42278
- cve.2021-42287
- attack.persistence
- attack.privilege-escalation
- attack.stealth
- attack.t1078
logsource:
service: security
product: windows
detection:
# Not adding an EventID on purpose to try to match on any event in security (including use of account), not just 4741 (computer account created)
selection1:
SamAccountName|startswith: 'SAMTHEADMIN-'
SamAccountName|endswith: '$'
selection2:
TargetUserName|startswith: 'SAMTHEADMIN-'
TargetUserName|endswith: '$'
condition: 1 of selection*
falsepositives:
- Unknown
level: critical
related
critical
Registry Entries For Azorult Malware
Detects the presence of a registry key created during Azorult execution
status test
author Trent Liffick
id f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7
license Sigma · DRL-1.1
view Sigma YAML
title: Registry Entries For Azorult Malware
id: f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7
status: test
description: Detects the presence of a registry key created during Azorult execution
references:
- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojan.win32.azoruit.a
author: Trent Liffick
date: 2020-05-08
modified: 2021-11-27
tags:
- attack.persistence
- attack.execution
- attack.defense-impairment
- attack.t1112
logsource:
product: windows
category: registry_event
detection:
selection:
EventID:
- 12
- 13
TargetObject|contains: 'SYSTEM\'
TargetObject|endswith: '\services\localNETService'
condition: selection
falsepositives:
- Unknown
level: critical
related
critical
Antivirus Exploitation Framework Detection
Detects a highly relevant Antivirus alert that reports an exploitation framework.
This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
status stable
author Florian Roth (Nextron Systems), Arnim Rupp
id 238527ad-3c2c-4e4f-a1f6-92fd63adb864
license Sigma · DRL-1.1
view Sigma YAML
title: Antivirus Exploitation Framework Detection
id: 238527ad-3c2c-4e4f-a1f6-92fd63adb864
status: stable
description: |
Detects a highly relevant Antivirus alert that reports an exploitation framework.
This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
- https://www.nextron-systems.com/?s=antivirus
- https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797
- https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424
- https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2018-09-09
modified: 2024-11-02
tags:
- attack.execution
- attack.t1203
- attack.command-and-control
- attack.t1219.002
logsource:
category: antivirus
detection:
selection:
Signature|contains:
- 'Backdoor.Cobalt'
- 'Brutel'
- 'BruteR'
- 'CobaltStr'
- 'CobaltStrike'
- 'COBEACON'
- 'Cometer'
- 'Exploit.Script.CVE'
- 'IISExchgSpawnCMD'
- 'Metasploit'
- 'Meterpreter'
- 'MeteTool'
- 'Mpreter'
- 'MsfShell'
- 'PowerSploit'
- 'Razy'
- 'Rozena'
- 'Sbelt'
- 'Seatbelt'
- 'Sliver'
- 'Swrort'
condition: selection
falsepositives:
- Unlikely
level: critical
related
high
OpenCanary - MSSQL Login Attempt Via Windows Authentication
Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using Windows Authentication.
status test
author Security Onion Solutions
id 6e78f90f-0043-4a01-ac41-f97681613a66
license Sigma · DRL-1.1
view Sigma YAML
title: OpenCanary - MSSQL Login Attempt Via Windows Authentication
id: 6e78f90f-0043-4a01-ac41-f97681613a66
status: test
description: |
Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using Windows Authentication.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
- attack.credential-access
- attack.collection
- attack.t1003
- attack.t1213
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 9002
condition: selection
falsepositives:
- Unlikely
level: high
related
high
OpenCanary - MySQL Login Attempt
Detects instances where a MySQL service on an OpenCanary node has had a login attempt.
status test
author Security Onion Solutions
id e7d79a1b-25ed-4956-bd56-bd344fa8fd06
license Sigma · DRL-1.1
view Sigma YAML
title: OpenCanary - MySQL Login Attempt
id: e7d79a1b-25ed-4956-bd56-bd344fa8fd06
status: test
description: Detects instances where a MySQL service on an OpenCanary node has had a login attempt.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
- attack.credential-access
- attack.collection
- attack.t1003
- attack.t1213
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 8001
condition: selection
falsepositives:
- Unlikely
level: high
related
high
OpenCanary - MSSQL Login Attempt Via SQLAuth
Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using SQLAuth.
status test
author Security Onion Solutions
id 3ec9a16d-0b4f-4967-9542-ebf38ceac7dd
license Sigma · DRL-1.1
view Sigma YAML
title: OpenCanary - MSSQL Login Attempt Via SQLAuth
id: 3ec9a16d-0b4f-4967-9542-ebf38ceac7dd
status: test
description: |
Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using SQLAuth.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
- attack.credential-access
- attack.collection
- attack.t1003
- attack.t1213
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 9001
condition: selection
falsepositives:
- Unlikely
level: high
related
high
OpenCanary - REDIS Action Command Attempt
Detects instances where a REDIS service on an OpenCanary node has had an action command attempted.
status test
author Security Onion Solutions
id 547dfc53-ebf6-4afe-8d2e-793d9574975d
license Sigma · DRL-1.1
view Sigma YAML
title: OpenCanary - REDIS Action Command Attempt
id: 547dfc53-ebf6-4afe-8d2e-793d9574975d
status: test
description: Detects instances where a REDIS service on an OpenCanary node has had an action command attempted.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
- attack.credential-access
- attack.collection
- attack.t1003
- attack.t1213
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 17001
condition: selection
falsepositives:
- Unlikely
level: high
related
high
Linux Keylogging with Pam.d
Detect attempt to enable auditing of TTY input
status test
author Pawel Mazur
id 49aae26c-450e-448b-911d-b3c13d178dfc
license Sigma · DRL-1.1
view Sigma YAML
title: Linux Keylogging with Pam.d
id: 49aae26c-450e-448b-911d-b3c13d178dfc
status: test
description: Detect attempt to enable auditing of TTY input
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md
- https://linux.die.net/man/8/pam_tty_audit
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing
- https://access.redhat.com/articles/4409591#audit-record-types-2
author: 'Pawel Mazur'
date: 2021-05-24
modified: 2022-12-18
tags:
- attack.collection
- attack.credential-access
- attack.t1003
- attack.t1056.001
logsource:
product: linux
service: auditd
detection:
selection_path_events:
type: PATH
name:
- '/etc/pam.d/system-auth'
- '/etc/pam.d/password-auth'
selection_tty_events:
type:
- 'TTY'
- 'USER_TTY'
condition: 1 of selection_*
falsepositives:
- Administrative work
level: high
related
high
Potential Invoke-Mimikatz PowerShell Script
Detects Invoke-Mimikatz PowerShell script and alike. Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.
status test
author Tim Rauch, Elastic (idea)
id 189e3b02-82b2-4b90-9662-411eb64486d4
license Sigma · DRL-1.1
view Sigma YAML
title: Potential Invoke-Mimikatz PowerShell Script
id: 189e3b02-82b2-4b90-9662-411eb64486d4
status: test
description: Detects Invoke-Mimikatz PowerShell script and alike. Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.
references:
- https://www.elastic.co/guide/en/security/current/potential-invoke-mimikatz-powershell-script.html#potential-invoke-mimikatz-powershell-script
author: Tim Rauch, Elastic (idea)
date: 2022-09-28
tags:
- attack.credential-access
- attack.t1003
logsource:
category: ps_script
product: windows
detection:
selection_1:
ScriptBlockText|contains|all:
- 'DumpCreds'
- 'DumpCerts'
selection_2:
ScriptBlockText|contains: 'sekurlsa::logonpasswords'
selection_3:
ScriptBlockText|contains|all:
- 'crypto::certificates'
- 'CERT_SYSTEM_STORE_LOCAL_MACHINE'
condition: 1 of selection*
falsepositives:
- Mimikatz can be useful for testing the security of networks
level: high
related
high
Live Memory Dump Using Powershell
Detects usage of a PowerShell command to dump the live memory of a Windows machine
status test
author Max Altgelt (Nextron Systems)
id cd185561-4760-45d6-a63e-a51325112cae
license Sigma · DRL-1.1
view Sigma YAML
title: Live Memory Dump Using Powershell
id: cd185561-4760-45d6-a63e-a51325112cae
status: test
description: Detects usage of a PowerShell command to dump the live memory of a Windows machine
references:
- https://learn.microsoft.com/en-us/powershell/module/storage/get-storagediagnosticinfo?view=windowsserver2022-ps
author: Max Altgelt (Nextron Systems)
date: 2021-09-21
modified: 2022-12-25
tags:
- attack.credential-access
- attack.t1003
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'Get-StorageDiagnosticInfo'
- '-IncludeLiveDump'
condition: selection
falsepositives:
- Diagnostics
level: high
related
high
HackTool - Rubeus Execution - ScriptBlock
Detects the execution of the hacktool Rubeus using specific command line flags
status test
author Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)
id 3245cd30-e015-40ff-a31d-5cadd5f377ec
license Sigma · DRL-1.1
view Sigma YAML
title: HackTool - Rubeus Execution - ScriptBlock
id: 3245cd30-e015-40ff-a31d-5cadd5f377ec
related:
- id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18
type: similar
status: test
description: Detects the execution of the hacktool Rubeus using specific command line flags
references:
- https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus
- https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
- https://github.com/GhostPack/Rubeus
author: Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)
date: 2023-04-27
tags:
- attack.credential-access
- attack.t1003
- attack.t1558.003
- attack.lateral-movement
- attack.t1550.003
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- 'asreproast '
- 'dump /service:krbtgt '
- 'dump /luid:0x'
- 'kerberoast '
- 'createnetonly /program:'
- 'ptt /ticket:'
- '/impersonateuser:'
- 'renew /ticket:'
- 'asktgt /user:'
- 'harvest /interval:'
- 's4u /user:'
- 's4u /ticket:'
- 'hash /password:'
- 'golden /aes256:'
- 'silver /user:'
condition: selection
falsepositives:
- Unlikely
level: high
related
high
HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-Secretsdump
Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.
status test
author SecurityAura
id 6e2a900a-ced9-4e4a-a9c2-13e706f9518a
license Sigma · DRL-1.1
view Sigma YAML
title: HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-Secretsdump
id: 6e2a900a-ced9-4e4a-a9c2-13e706f9518a
status: test
description: Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.
references:
- https://github.com/Porchetta-Industries/CrackMapExec
- https://github.com/fortra/impacket/blob/ff8c200fd040b04d3b5ff05449646737f836235d/examples/secretsdump.py
author: SecurityAura
date: 2022-11-16
modified: 2024-06-27
tags:
- attack.credential-access
- attack.t1003
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith: '\svchost.exe'
# CommandLine|contains: 'RemoteRegistry' # Uncomment this line if you collect CommandLine data for files events from more accuracy
TargetFilename|re: '\\Windows\\System32\\[a-zA-Z0-9]{8}\.tmp$'
condition: selection
falsepositives:
- Unknown
level: high
related
high
Potential Credential Dumping Attempt Using New NetworkProvider - CLI
Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
status test
author Nasreddine Bencherchali (Nextron Systems)
id baef1ec6-2ca9-47a3-97cc-4cf2bda10b77
license Sigma · DRL-1.1
view Sigma YAML
title: Potential Credential Dumping Attempt Using New NetworkProvider - CLI
id: baef1ec6-2ca9-47a3-97cc-4cf2bda10b77
related:
- id: 0442defa-b4a2-41c9-ae2c-ea7042fc4701
type: similar
status: test
description: Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
references:
- https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade
- https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-23
modified: 2023-02-02
tags:
- attack.credential-access
- attack.t1003
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- '\System\CurrentControlSet\Services\'
- '\NetworkProvider'
# filter:
# CommandLine|contains:
# - '\System\CurrentControlSet\Services\WebClient\NetworkProvider'
# - '\System\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider'
# - '\System\CurrentControlSet\Services\RDPNP\NetworkProvider'
# - '\System\CurrentControlSet\Services\P9NP\NetworkProvider' # Related to WSL remove the comment if you use WSL in your ENV
condition: selection
falsepositives:
- Other legitimate network providers used and not filtred in this rule
level: high
related
high
Microsoft IIS Service Account Password Dumped
Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords
status test
author Tim Rauch, Janantha Marasinghe, Elastic (original idea)
id 2d3cdeec-c0db-45b4-aa86-082f7eb75701
license Sigma · DRL-1.1
view Sigma YAML
title: Microsoft IIS Service Account Password Dumped
id: 2d3cdeec-c0db-45b4-aa86-082f7eb75701
status: test
description: Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords
references:
- https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html
- https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA
- https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/
author: Tim Rauch, Janantha Marasinghe, Elastic (original idea)
date: 2022-11-08
modified: 2023-01-22
tags:
- attack.credential-access
- attack.t1003
logsource:
category: process_creation
product: windows
detection:
selection_base_name:
- Image|endswith: '\appcmd.exe'
- OriginalFileName: 'appcmd.exe'
selection_base_list:
CommandLine|contains: 'list '
selection_standalone:
CommandLine|contains:
- ' /config' # https://pbs.twimg.com/media/FgydDAJWIAEio34?format=png&name=900x900
- ' /xml'
# We cover the "-" version just in case :)
- ' -config'
- ' -xml'
selection_cmd_flags:
CommandLine|contains:
- ' /@t' # Covers both "/@text:*" and "/@t:*"
- ' /text'
- ' /show'
# We cover the "-" version just in case :)
- ' -@t'
- ' -text'
- ' -show'
selection_cmd_grep:
CommandLine|contains:
- ':\*'
- 'password'
condition: all of selection_base_* and (selection_standalone or all of selection_cmd_*)
falsepositives:
- Unknown
level: high
related
high
Microsoft IIS Connection Strings Decryption
Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.
status test
author Tim Rauch, Elastic (idea)
id 97dbf6e2-e436-44d8-abee-4261b24d3e41
license Sigma · DRL-1.1
view Sigma YAML
title: Microsoft IIS Connection Strings Decryption
id: 97dbf6e2-e436-44d8-abee-4261b24d3e41
status: test
description: Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.
references:
- https://www.elastic.co/guide/en/security/current/microsoft-iis-connection-strings-decryption.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-28
modified: 2022-12-30
tags:
- attack.credential-access
- attack.t1003
logsource:
category: process_creation
product: windows
detection:
selection_name:
- Image|endswith: '\aspnet_regiis.exe'
- OriginalFileName: 'aspnet_regiis.exe'
selection_args:
CommandLine|contains|all:
- 'connectionStrings'
- ' -pdf'
condition: all of selection*
falsepositives:
- Unknown
level: high
related
high
Hacktool Execution - PE Metadata
Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed
status test
author Florian Roth (Nextron Systems)
id 37c1333a-a0db-48be-b64b-7393b2386e3b
license Sigma · DRL-1.1
view Sigma YAML
title: Hacktool Execution - PE Metadata
id: 37c1333a-a0db-48be-b64b-7393b2386e3b
status: test
description: Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed
references:
- https://github.com/cube0x0
- https://www.virustotal.com/gui/search/metadata%253ACube0x0/files
author: Florian Roth (Nextron Systems)
date: 2022-04-27
modified: 2024-01-15
tags:
- attack.credential-access
- attack.resource-development
- attack.t1588.002
- attack.t1003
logsource:
category: process_creation
product: windows
detection:
selection:
Company: 'Cube0x0' # Detects the use of tools created by a well-known hacktool producer named "Cube0x0", which includes his handle in all binaries as company information in the PE headers (SharpPrintNightmare, KrbRelay, SharpMapExec, etc.)
condition: selection
falsepositives:
- Unlikely
level: high
related
high
PUA - Memory Dump Mount Via MemProcFS
Detects execution of MemProcFS a memory forensics tool with the '-device' parameter.
MemProcFS mounts physical memory as a virtual file system, allowing direct access to process memory and system structures.
Threat actors were seen abusing this utility to mount memory dumps and then extract sensitive information from processes like LSASS or extract registry hives to obtain credentials, LSA secrets, SAM data, and cached domain credentials.
MemProcFS usage that is not part of authorized forensic analysis should be treated as suspicious and warrants further investigation.
status experimental
author Swachchhanda Shrawan Poudel (Nextron Systems)
id 8a1b2c3d-4e5f-6789-abcd-ef1234567890
license Sigma · DRL-1.1
view Sigma YAML
title: PUA - Memory Dump Mount Via MemProcFS
id: 8a1b2c3d-4e5f-6789-abcd-ef1234567890
status: experimental
description: |
Detects execution of MemProcFS a memory forensics tool with the '-device' parameter.
MemProcFS mounts physical memory as a virtual file system, allowing direct access to process memory and system structures.
Threat actors were seen abusing this utility to mount memory dumps and then extract sensitive information from processes like LSASS or extract registry hives to obtain credentials, LSA secrets, SAM data, and cached domain credentials.
MemProcFS usage that is not part of authorized forensic analysis should be treated as suspicious and warrants further investigation.
references:
- https://github.com/ufrisk/MemProcFS
- https://0xdf.gitlab.io/2024/10/05/htb-freelancer.html#
- https://www.huntress.com/blog/curling-for-data-a-dive-into-a-threat-actors-malicious-ttps
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-04-27
tags:
- attack.credential-access
- attack.t1003
- attack.t1003.001
- attack.t1003.004
- attack.t1003.002
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\MemProcFS.exe'
- OriginalFileName: 'MemProcFS.exe'
- Description: 'MemProcFS'
selection_cli:
CommandLine|contains: '-device'
condition: all of selection_*
falsepositives:
- Legitimate use during memory forensics; if not part of authorized analysis, warrants urgent investigation
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_memprocfs/info.yml
related
high
Suspicious SYSTEM User Process Creation
Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)
status test
author Florian Roth (Nextron Systems), David ANDRE (additional keywords)
id 2617e7ed-adb7-40ba-b0f3-8f9945fe6c09
license Sigma · DRL-1.1
view Sigma YAML
title: Suspicious SYSTEM User Process Creation
id: 2617e7ed-adb7-40ba-b0f3-8f9945fe6c09
status: test
description: Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)
references:
- Internal Research
- https://tools.thehacker.recipes/mimikatz/modules
author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
date: 2021-12-20
modified: 2025-10-19
tags:
- attack.credential-access
- attack.privilege-escalation
- attack.stealth
- attack.t1134
- attack.t1003
- attack.t1027
logsource:
category: process_creation
product: windows
detection:
selection:
IntegrityLevel:
- 'System'
- 'S-1-16-16384'
User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
selection_special:
- Image|endswith:
- '\calc.exe'
- '\cscript.exe'
- '\forfiles.exe'
- '\hh.exe'
- '\mshta.exe'
- '\ping.exe'
- '\wscript.exe'
- CommandLine|re: 'net\s+user\s+'
- CommandLine|contains:
# - 'sc stop ' # stops a system service # causes FPs
- ' -NoP ' # Often used in malicious PowerShell commands
- ' -W Hidden ' # Often used in malicious PowerShell commands
- ' -decode ' # Used with certutil
- ' /decode ' # Used with certutil
- ' /urlcache ' # Used with certutil
- ' -urlcache ' # Used with certutil
- ' -e* JAB' # PowerShell encoded commands
- ' -e* SUVYI' # PowerShell encoded commands
- ' -e* SQBFAFgA' # PowerShell encoded commands
- ' -e* aWV4I' # PowerShell encoded commands
- ' -e* IAB' # PowerShell encoded commands
- ' -e* PAA' # PowerShell encoded commands
- ' -e* aQBlAHgA' # PowerShell encoded commands
- 'vssadmin delete shadows' # Ransomware
- 'reg SAVE HKLM' # save registry SAM - syskey extraction
- ' -ma ' # ProcDump
- 'Microsoft\Windows\CurrentVersion\Run' # Run key in command line - often in combination with REG ADD
- '.downloadstring(' # PowerShell download command
- '.downloadfile(' # PowerShell download command
- ' /ticket:' # Rubeus
- 'dpapi::' # Mimikatz
- 'event::clear' # Mimikatz
- 'event::drop' # Mimikatz
- 'id::modify' # Mimikatz
- 'kerberos::' # Mimikatz
- 'lsadump::' # Mimikatz
- 'misc::' # Mimikatz
- 'privilege::' # Mimikatz
- 'rpc::' # Mimikatz
- 'sekurlsa::' # Mimikatz
- 'sid::' # Mimikatz
- 'token::' # Mimikatz
- 'vault::cred' # Mimikatz
- 'vault::list' # Mimikatz
- ' p::d ' # Mimikatz
- ';iex(' # PowerShell IEX
- 'MiniDump' # Process dumping method apart from procdump
filter_main_ping:
CommandLine|contains|all:
- 'ping'
- '127.0.0.1'
- ' -n '
filter_vs:
Image|endswith: '\PING.EXE'
ParentCommandLine|contains: '\DismFoDInstall.cmd'
filter_config_mgr:
ParentImage|contains: ':\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
filter_java:
ParentImage|contains:
- ':\Program Files (x86)\Java\'
- ':\Program Files\Java\'
ParentImage|endswith: '\bin\javaws.exe'
Image|contains:
- ':\Program Files (x86)\Java\'
- ':\Program Files\Java\'
Image|endswith: '\bin\jp2launcher.exe'
CommandLine|contains: ' -ma '
condition: all of selection* and not 1 of filter_*
falsepositives:
- Administrative activity
- Scripts and administrative tools used in the monitored environment
- Monitoring activity
level: high
related
high
Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location
Detects loading of dbgcore.dll or dbghelp.dll from uncommon locations such as user directories.
These DLLs contain the MiniDumpWriteDump function, which can be abused for credential dumping purposes or in some cases for evading EDR/AV detection by suspending processes.
status experimental
author Swachchhanda Shrawan Poudel (Nextron Systems)
id 416bc4a2-7217-4519-8dc7-c3271817f1d5
license Sigma · DRL-1.1
view Sigma YAML
title: Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location
id: 416bc4a2-7217-4519-8dc7-c3271817f1d5
related:
- id: 9f5c1d59-33be-4e60-bcab-85d2f566effd
type: similar
status: experimental
description: |
Detects loading of dbgcore.dll or dbghelp.dll from uncommon locations such as user directories.
These DLLs contain the MiniDumpWriteDump function, which can be abused for credential dumping purposes or in some cases for evading EDR/AV detection by suspending processes.
references:
- https://blog.axelarator.net/hunting-for-edr-freeze/
- https://www.zerosalarium.com/2025/09/EDR-Freeze-Puts-EDRs-Antivirus-Into-Coma.html
- https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-27
modified: 2026-01-09
tags:
- attack.credential-access
- attack.defense-impairment
- attack.t1003
- attack.t1685
logsource:
category: image_load
product: windows
detection:
selection_img:
Image|contains:
- ':\Perflogs\'
- ':\Temp\'
- ':\Users\Public\'
- '\$Recycle.Bin\'
- '\Contacts\'
# - '\Desktop\'
- '\Documents\'
# - '\Downloads\'
- '\Favorites\'
- '\Favourites\'
- '\inetpub\wwwroot\'
- '\Music\'
- '\Pictures\'
- '\Start Menu\Programs\Startup\'
- '\Users\Default\'
- '\Videos\'
# - '\AppData\Local\Temp\' some installers may load from here
selection_dll:
ImageLoaded|endswith:
- '\dbgcore.dll'
- '\dbghelp.dll'
condition: all of selection_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/image_load/image_load_win_susp_dbgcore_dbghelp_load/info.yml
related
high
Potentially Suspicious ODBC Driver Registered
Detects the registration of a new ODBC driver where the driver is located in a potentially suspicious location
status test
author Nasreddine Bencherchali (Nextron Systems)
id e4d22291-f3d5-4b78-9a0c-a1fbaf32a6a4
license Sigma · DRL-1.1
view Sigma YAML
title: Potentially Suspicious ODBC Driver Registered
id: e4d22291-f3d5-4b78-9a0c-a1fbaf32a6a4
status: test
description: Detects the registration of a new ODBC driver where the driver is located in a potentially suspicious location
references:
- https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-23
modified: 2023-08-17
tags:
- attack.credential-access
- attack.persistence
- attack.t1003
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\SOFTWARE\ODBC\ODBCINST.INI\'
TargetObject|endswith:
- '\Driver'
- '\Setup'
Details|contains:
- ':\PerfLogs\'
- ':\ProgramData\'
- ':\Temp\'
- ':\Users\Public\'
- ':\Windows\Registration\CRMLog'
- ':\Windows\System32\com\dmp\'
- ':\Windows\System32\FxsTmp\'
- ':\Windows\System32\Microsoft\Crypto\RSA\MachineKeys\'
- ':\Windows\System32\spool\drivers\color\'
- ':\Windows\System32\spool\PRINTERS\'
- ':\Windows\System32\spool\SERVERS\'
- ':\Windows\System32\Tasks_Migrated\'
- ':\Windows\System32\Tasks\Microsoft\Windows\SyncCenter\'
- ':\Windows\SysWOW64\com\dmp\'
- ':\Windows\SysWOW64\FxsTmp\'
- ':\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System\'
- ':\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter\'
- ':\Windows\Tasks\'
- ':\Windows\Temp\'
- ':\Windows\Tracing\'
- '\AppData\Local\Temp\'
- '\AppData\Roaming\'
condition: selection
falsepositives:
- Unlikely
level: high
related
high
PowerShell Get-Process LSASS in ScriptBlock
Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity
status test
author Florian Roth (Nextron Systems)
id 84c174ab-d3ef-481f-9c86-a50d0b8e3edb
license Sigma · DRL-1.1
view Sigma YAML
title: PowerShell Get-Process LSASS in ScriptBlock
id: 84c174ab-d3ef-481f-9c86-a50d0b8e3edb
status: test
description: Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity
references:
- https://web.archive.org/web/20220205033028/https://twitter.com/PythonResponder/status/1385064506049630211
author: Florian Roth (Nextron Systems)
date: 2021-04-23
modified: 2022-12-25
tags:
- attack.credential-access
- attack.t1003.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains: 'Get-Process lsass'
condition: selection
falsepositives:
- Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)
level: high
related
high
Cred Dump Tools Dropped Files
Files with well-known filenames (parts of credential dump software or files produced by them) creation
status test
author Teymur Kheirkhabarov, oscd.community
id 8fbf3271-1ef6-4e94-8210-03c2317947f6
license Sigma · DRL-1.1
view Sigma YAML
title: Cred Dump Tools Dropped Files
id: 8fbf3271-1ef6-4e94-8210-03c2317947f6
status: test
description: Files with well-known filenames (parts of credential dump software or files produced by them) creation
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Teymur Kheirkhabarov, oscd.community
date: 2019-11-01
modified: 2025-10-25
tags:
- attack.credential-access
- attack.t1003.001
- attack.t1003.002
- attack.t1003.003
- attack.t1003.004
- attack.t1003.005
logsource:
category: file_event
product: windows
detection:
selection:
- TargetFilename|contains:
- '\fgdump-log'
- '\kirbi'
- '\pwdump'
- '\pwhashes'
- '\wce_ccache'
- '\wce_krbtkts'
- TargetFilename|endswith:
- '\cachedump.exe'
- '\cachedump64.exe'
- '\DumpExt.dll'
- '\DumpSvc.exe'
- '\Dumpy.exe'
- '\fgexec.exe'
- '\lsremora.dll'
- '\lsremora64.dll'
- '\NTDS.out'
- '\procdump.exe'
- '\procdump64.exe'
- '\procdump64a.exe'
- '\pstgdump.exe'
- '\pwdump.exe'
- '\SAM.out'
- '\SECURITY.out'
- '\servpw.exe'
- '\servpw64.exe'
- '\SYSTEM.out'
- '\test.pwd'
- '\wceaux.dll'
condition: selection
falsepositives:
- Legitimate Administrator using tool for password recovery
level: high
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files/info.yml
related
high
LSASS Process Memory Dump Creation Via Taskmgr.EXE
Detects the creation of an "lsass.dmp" file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager.
status test
author Swachchhanda Shrawan Poudel
id 69ca12af-119d-44ed-b50f-a47af0ebc364
license Sigma · DRL-1.1
view Sigma YAML
title: LSASS Process Memory Dump Creation Via Taskmgr.EXE
id: 69ca12af-119d-44ed-b50f-a47af0ebc364
status: test
description: Detects the creation of an "lsass.dmp" file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager.
author: Swachchhanda Shrawan Poudel
date: 2023-10-19
references:
- https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1003.001/T1003.001.md#L1
tags:
- attack.credential-access
- attack.t1003.001
logsource:
category: file_event
product: windows
detection:
selection:
Image|endswith:
- ':\Windows\system32\taskmgr.exe'
- ':\Windows\SysWOW64\taskmgr.exe'
TargetFilename|contains|all:
- '\AppData\Local\Temp\'
- '\lsass'
- '.DMP'
condition: selection
falsepositives:
- Rare case of troubleshooting by an administrator or support that has to be investigated regardless
level: high
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_taskmgr_lsass_dump/info.yml
related
high
LSASS Process Dump Artefact In CrashDumps Folder
Detects the presence of an LSASS dump file in the "CrashDumps" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.
status test
author @pbssubhash
id 6902955a-01b7-432c-b32a-6f5f81d8f625
license Sigma · DRL-1.1
view Sigma YAML
title: LSASS Process Dump Artefact In CrashDumps Folder
id: 6902955a-01b7-432c-b32a-6f5f81d8f625
status: test
description: Detects the presence of an LSASS dump file in the "CrashDumps" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.
references:
- https://github.com/deepinstinct/Lsass-Shtinkering
- https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
author: '@pbssubhash'
date: 2022-12-08
tags:
- attack.credential-access
- attack.t1003.001
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|startswith: 'C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps\'
TargetFilename|contains: 'lsass.exe.'
TargetFilename|endswith: '.dmp'
condition: selection
falsepositives:
- Rare legitimate dump of the process by the operating system due to a crash of lsass
level: high