Sigma rules for Killnet

218 rules · scoped to actor
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.

Detection rules

18 of 218
related medium
Bitbucket User Details Export Attempt Detected
Detects user data export activity.
status test author Muhammad Faisal (@faisalusuf) id 5259cbf2-0a75-48bf-b57a-c54d6fabaef3 license Sigma · DRL-1.1
title: Bitbucket User Details Export Attempt Detected
id: 5259cbf2-0a75-48bf-b57a-c54d6fabaef3
status: test
description: Detects user data export activity.
references:
    - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
    - https://support.atlassian.com/security-and-access-policies/docs/export-user-accounts
author: Muhammad Faisal (@faisalusuf)
date: 2024-02-25
tags:
    - attack.collection
    - attack.reconnaissance
    - attack.discovery
    - attack.t1213
    - attack.t1082
    - attack.t1591.004
logsource:
    product: bitbucket
    service: audit
    definition: 'Requirements: "Advance" log level is required to receive these audit events.'
detection:
    selection:
        auditType.category: 'Users and groups'
        auditType.action:
            - 'User permissions export failed'
            - 'User permissions export started'
            - 'User permissions exported'
    condition: selection
falsepositives:
    - Legitimate user activity.
level: medium
related medium
Bitbucket User Permissions Export Attempt
Detects user permission data export attempt.
status test author Muhammad Faisal (@faisalusuf) id 87cc6698-3e07-4ba2-9b43-a85a73e151e2 license Sigma · DRL-1.1
title: Bitbucket User Permissions Export Attempt
id: 87cc6698-3e07-4ba2-9b43-a85a73e151e2
status: test
description: Detects user permission data export attempt.
references:
    - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
    - https://confluence.atlassian.com/bitbucketserver/users-and-groups-776640439.html
author: Muhammad Faisal (@faisalusuf)
date: 2024-02-25
tags:
    - attack.reconnaissance
    - attack.collection
    - attack.discovery
    - attack.t1213
    - attack.t1082
    - attack.t1591.004
logsource:
    product: bitbucket
    service: audit
    definition: 'Requirements: "Advance" log level is required to receive these audit events.'
detection:
    selection:
        auditType.category: 'Users and groups'
        auditType.action:
            - 'User details export failed'
            - 'User details export started'
            - 'User details exported'
    condition: selection
falsepositives:
    - Legitimate user activity.
level: medium
related low
DNS Query Request By QuickAssist.EXE
Detects DNS queries initiated by "QuickAssist.exe" to Microsoft Quick Assist primary endpoint that is used to establish a session.
status experimental author Muhammad Faisal (@faisalusuf) id 882e858a-3233-4ba8-855e-2f3d3575803d license Sigma · DRL-1.1
title: DNS Query Request By QuickAssist.EXE
id: 882e858a-3233-4ba8-855e-2f3d3575803d
status: experimental
description: |
    Detects DNS queries initiated by "QuickAssist.exe" to Microsoft Quick Assist primary endpoint that is used to establish a session.
references:
    - https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/
    - https://www.linkedin.com/posts/kevin-beaumont-security_ive-been-assisting-a-few-orgs-hit-with-successful-activity-7268055739116445701-xxjZ/
    - https://x.com/cyb3rops/status/1862406110365245506
    - https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist
author: Muhammad Faisal (@faisalusuf)
date: 2024-12-19
tags:
    - attack.command-and-control
    - attack.initial-access
    - attack.lateral-movement
    - attack.t1071.001
    - attack.t1210
logsource:
    category: dns_query
    product: windows
detection:
    selection:
        Image|endswith: '\QuickAssist.exe'
        QueryName|endswith: 'remoteassistance.support.services.microsoft.com'
    condition: selection
falsepositives:
    - Legitimate use of Quick Assist in the environment.
level: low
related low
Guest Account Enabled Via Sysadminctl
Detects attempts to enable the guest account using the sysadminctl utility
status test author Sohan G (D4rkCiph3r) id d7329412-13bd-44ba-a072-3387f804a106 license Sigma · DRL-1.1
title: Guest Account Enabled Via Sysadminctl
id: d7329412-13bd-44ba-a072-3387f804a106
status: test
description: Detects attempts to enable the guest account using the sysadminctl utility
references:
    - https://ss64.com/osx/sysadminctl.html
author: Sohan G (D4rkCiph3r)
date: 2023-02-18
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.stealth
    - attack.t1078
    - attack.t1078.001
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        Image|endswith: '/sysadminctl'
        CommandLine|contains|all:
            # By default the guest account is not active
            - ' -guestAccount'
            - ' on'
    condition: selection
falsepositives:
    - Unknown
level: low
related low
Measurable Increase Of Successful Authentications
Detects when successful sign-ins increased by 10% or greater.
status test author Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Shelton id 67d5f8fc-8325-44e4-8f5f-7c0ac07cb5ae license Sigma · DRL-1.1
title: Measurable Increase Of Successful Authentications
id: 67d5f8fc-8325-44e4-8f5f-7c0ac07cb5ae
status: test
description: Detects when successful sign-ins increased by 10% or greater.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins
author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Shelton
date: 2022-08-11
modified: 2022-08-18
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.stealth
    - attack.t1078
logsource:
    product: azure
    service: signinlogs
detection:
    selection:
        Status: Success
        Count: "<10%"
    condition: selection
falsepositives:
    - Increase of users in the environment
level: low
related low
Cisco LDP Authentication Failures
Detects LDP failures which may be indicative of brute force attacks to manipulate MPLS labels
status test author Tim Brown id 50e606bf-04ce-4ca7-9d54-3449494bbd4b license Sigma · DRL-1.1
title: Cisco LDP Authentication Failures
id: 50e606bf-04ce-4ca7-9d54-3449494bbd4b
status: test
description: Detects LDP failures which may be indicative of brute force attacks to manipulate MPLS labels
references:
    - https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
author: Tim Brown
date: 2023-01-09
tags:
    - attack.initial-access
    - attack.persistence
    - attack.privilege-escalation
    - attack.credential-access
    - attack.collection
    - attack.stealth
    - attack.t1078
    - attack.t1110
    - attack.t1557
logsource:
    product: cisco
    service: ldp
    definition: 'Requirements: cisco ldp logs need to be enabled and ingested'
detection:
    selection_protocol:
        - 'LDP'
    selection_keywords:
        - 'SOCKET_TCP_PACKET_MD5_AUTHEN_FAIL'
        - 'TCPMD5AuthenFail'
    condition: selection_protocol and selection_keywords
falsepositives:
    - Unlikely. Except due to misconfigurations
level: low
related low
Cisco BGP Authentication Failures
Detects BGP failures which may be indicative of brute force attacks to manipulate routing
status test author Tim Brown id 56fa3cd6-f8d6-4520-a8c7-607292971886 license Sigma · DRL-1.1
title: Cisco BGP Authentication Failures
id: 56fa3cd6-f8d6-4520-a8c7-607292971886
status: test
description: Detects BGP failures which may be indicative of brute force attacks to manipulate routing
references:
    - https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
author: Tim Brown
date: 2023-01-09
modified: 2023-01-23
tags:
    - attack.initial-access
    - attack.persistence
    - attack.privilege-escalation
    - attack.credential-access
    - attack.collection
    - attack.stealth
    - attack.t1078
    - attack.t1110
    - attack.t1557
logsource:
    product: cisco
    service: bgp
    definition: 'Requirements: cisco bgp logs need to be enabled and ingested'
detection:
    keywords_bgp_cisco:
        '|all':
            - ':179' # Protocol
            - 'IP-TCP-3-BADAUTH'
    condition: keywords_bgp_cisco
falsepositives:
    - Unlikely. Except due to misconfigurations
level: low
related low
Huawei BGP Authentication Failures
Detects BGP failures which may be indicative of brute force attacks to manipulate routing.
status test author Tim Brown id a557ffe6-ac54-43d2-ae69-158027082350 license Sigma · DRL-1.1
title: Huawei BGP Authentication Failures
id: a557ffe6-ac54-43d2-ae69-158027082350
status: test
description: Detects BGP failures which may be indicative of brute force attacks to manipulate routing.
references:
    - https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
author: Tim Brown
date: 2023-01-09
modified: 2023-01-23
tags:
    - attack.initial-access
    - attack.persistence
    - attack.privilege-escalation
    - attack.credential-access
    - attack.collection
    - attack.stealth
    - attack.t1078
    - attack.t1110
    - attack.t1557
logsource:
    product: huawei
    service: bgp
    definition: 'Requirements: huawei bgp logs need to be enabled and ingested'
detection:
    keywords_bgp_huawei:
        '|all':
            - ':179' # Protocol
            - 'BGP_AUTH_FAILED'
    condition: keywords_bgp_huawei
falsepositives:
    - Unlikely. Except due to misconfigurations
level: low
related low
Juniper BGP Missing MD5
Detects juniper BGP missing MD5 digest. Which may be indicative of brute force attacks to manipulate routing.
status test author Tim Brown id a7c0ae48-8df8-42bf-91bd-2ea57e2f9d43 license Sigma · DRL-1.1
title: Juniper BGP Missing MD5
id: a7c0ae48-8df8-42bf-91bd-2ea57e2f9d43
status: test
description: Detects juniper BGP missing MD5 digest. Which may be indicative of brute force attacks to manipulate routing.
references:
    - https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
author: Tim Brown
date: 2023-01-09
modified: 2023-01-23
tags:
    - attack.initial-access
    - attack.persistence
    - attack.privilege-escalation
    - attack.credential-access
    - attack.collection
    - attack.stealth
    - attack.t1078
    - attack.t1110
    - attack.t1557
logsource:
    product: juniper
    service: bgp
    definition: 'Requirements: juniper bgp logs need to be enabled and ingested'
detection:
    keywords_bgp_juniper:
        '|all':
            - ':179' # Protocol
            - 'missing MD5 digest'
    condition: keywords_bgp_juniper
falsepositives:
    - Unlikely. Except due to misconfigurations
level: low
related low
Connection Proxy
Detects setting proxy configuration
status test author Ömer Günal id 72f4ab3f-787d-495d-a55d-68c2ff46cf4c license Sigma · DRL-1.1
title: Connection Proxy
id: 72f4ab3f-787d-495d-a55d-68c2ff46cf4c
status: test
description: Detects setting proxy configuration
author: Ömer Günal
date: 2020-06-17
modified: 2022-10-05
tags:
    - attack.command-and-control
    - attack.t1090
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - 'http_proxy='
            - 'https_proxy='
    condition: selection
falsepositives:
    - Legitimate administration activities
level: low
related low
Deployment Deleted From Kubernetes Cluster
Detects the removal of a deployment from a Kubernetes cluster. This could indicate disruptive activity aiming to impact business operations.
status test author Leo Tsaousis (@laripping) id 40967487-139b-4811-81d9-c9767a92aa5a license Sigma · DRL-1.1
title: Deployment Deleted From Kubernetes Cluster
id: 40967487-139b-4811-81d9-c9767a92aa5a
status: test
description: |
    Detects the removal of a deployment from a Kubernetes cluster.
    This could indicate disruptive activity aiming to impact business operations.
references:
    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Data%20destruction/
author: Leo Tsaousis (@laripping)
date: 2024-03-26
tags:
    - attack.t1498
    - attack.impact
logsource:
    category: application
    product: kubernetes
    service: audit
detection:
    selection:
        verb: 'delete'
        objectRef.resource: 'deployments'
    condition: selection
falsepositives:
    - Unknown
level: low
related low
Download From Suspicious TLD - Blacklist
Detects download of certain file types from hosts in suspicious TLDs
status test author Florian Roth (Nextron Systems) id 00d0b5ab-1f55-4120-8e83-487c0a7baf19 license Sigma · DRL-1.1
title: Download From Suspicious TLD - Blacklist
id: 00d0b5ab-1f55-4120-8e83-487c0a7baf19
related:
    - id: b5de2919-b74a-4805-91a7-5049accbaefe
      type: similar
status: test
description: Detects download of certain file types from hosts in suspicious TLDs
references:
    - https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap
    - https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf
    - https://www.spamhaus.org/statistics/tlds/
    - https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/
author: Florian Roth (Nextron Systems)
date: 2017-11-07
modified: 2023-05-18
tags:
    - attack.initial-access
    - attack.t1566
    - attack.execution
    - attack.t1203
    - attack.t1204.002
logsource:
    category: proxy
detection:
    selection:
        c-uri-extension:
            - 'exe'
            - 'vbs'
            - 'bat'
            - 'rar'
            - 'ps1'
            - 'doc'
            - 'docm'
            - 'xls'
            - 'xlsm'
            - 'pptm'
            - 'rtf'
            - 'hta'
            - 'dll'
            - 'ws'
            - 'wsf'
            - 'sct'
            - 'zip'
            # If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/
        cs-host|endswith:
            # Symantec / Chris Larsen analysis
            - '.country'
            - '.stream'
            - '.gdn'
            - '.mom'
            - '.xin'
            - '.kim'
            - '.men'
            - '.loan'
            - '.download'
            - '.racing'
            - '.online'
            - '.science'
            - '.ren'
            - '.gb'
            - '.win'
            - '.top'
            - '.review'
            - '.vip'
            - '.party'
            - '.tech'
            - '.xyz'
            - '.date'
            - '.faith'
            - '.zip'
            - '.cricket'
            - '.space'
            # McAfee report
            - '.info'
            - '.vn'
            - '.cm'
            - '.am'
            - '.cc'
            - '.asia'
            - '.ws'
            - '.tk'
            - '.biz'
            - '.su'
            - '.st'
            - '.ro'
            - '.ge'
            - '.ms'
            - '.pk'
            - '.nu'
            - '.me'
            - '.ph'
            - '.to'
            - '.tt'
            - '.name'
            - '.tv'
            - '.kz'
            - '.tc'
            - '.mobi'
            # Spamhaus
            - '.study'
            - '.click'
            - '.link'
            - '.trade'
            - '.accountant'
            # Spamhaus 2018 https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/
            - '.cf'
            - '.gq'
            - '.ml'
            - '.ga'
            # Custom
            - '.pw'
    condition: selection
falsepositives:
    - All kinds of software downloads
level: low
related low
Download From Suspicious TLD - Whitelist
Detects executable downloads from suspicious remote systems
status test author Florian Roth (Nextron Systems) id b5de2919-b74a-4805-91a7-5049accbaefe license Sigma · DRL-1.1
title: Download From Suspicious TLD - Whitelist
id: b5de2919-b74a-4805-91a7-5049accbaefe
related:
    - id: 00d0b5ab-1f55-4120-8e83-487c0a7baf19
      type: similar
status: test
description: Detects executable downloads from suspicious remote systems
references:
    - Internal Research
author: Florian Roth (Nextron Systems)
date: 2017-03-13
modified: 2023-05-18
tags:
    - attack.initial-access
    - attack.t1566
    - attack.execution
    - attack.t1203
    - attack.t1204.002
logsource:
    category: proxy
detection:
    selection:
        c-uri-extension:
            - 'exe'
            - 'vbs'
            - 'bat'
            - 'rar'
            - 'ps1'
            - 'doc'
            - 'docm'
            - 'xls'
            - 'xlsm'
            - 'pptm'
            - 'rtf'
            - 'hta'
            - 'dll'
            - 'ws'
            - 'wsf'
            - 'sct'
            - 'zip'
            # If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/
    filter:
        cs-host|endswith:
            - '.com'
            - '.org'
            - '.net'
            - '.edu'
            - '.gov'
            - '.uk'
            - '.ca'
            - '.de'
            - '.jp'
            - '.fr'
            - '.au'
            - '.us'
            - '.ch'
            - '.it'
            - '.nl'
            - '.se'
            - '.no'
            - '.es'
            # Extend this list as needed
    condition: selection and not filter
falsepositives:
    - All kind of software downloads
level: low
related low
Office Macro File Creation
Detects the creation of a new office macro files on the systems
status test author Nasreddine Bencherchali (Nextron Systems) id 91174a41-dc8f-401b-be89-7bfc140612a0 license Sigma · DRL-1.1
title: Office Macro File Creation
id: 91174a41-dc8f-401b-be89-7bfc140612a0
related:
    - id: 0e29e3a7-1ad8-40aa-b691-9f82ecd33d66
      type: similar
status: test
description: Detects the creation of a new office macro files on the systems
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md
    - https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-23
modified: 2026-01-09
tags:
    - attack.initial-access
    - attack.t1566.001
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith:
            - '.docm'
            - '.dotm'
            - '.xlsm'
            - '.xltm'
            - '.potm'
            - '.pptm'
    filter_main_office:
        Image|startswith:
            - 'C:\Program Files\Microsoft Office\'
            - 'C:\Program Files (x86)\Microsoft Office\'
        Image|endswith:
            - '\WINWORD.EXE'
            - '\EXCEL.EXE'
            - '\POWERPNT.EXE'
        TargetFilename|contains: '\~$' # Temporary files created by Office applications
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Very common in environments that rely heavily on macro documents
level: low
related low
Office Macro File Download
Detects the creation of a new office macro files on the system via an application (browser, mail client). This can help identify potential malicious activity, such as the download of macro-enabled documents that could be used for exploitation.
status test author Nasreddine Bencherchali (Nextron Systems) id 0e29e3a7-1ad8-40aa-b691-9f82ecd33d66 license Sigma · DRL-1.1
title: Office Macro File Download
id: 0e29e3a7-1ad8-40aa-b691-9f82ecd33d66
related:
    - id: 91174a41-dc8f-401b-be89-7bfc140612a0
      type: similar
status: test
description: |
    Detects the creation of a new office macro files on the system via an application (browser, mail client).
    This can help identify potential malicious activity, such as the download of macro-enabled documents that could be used for exploitation.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md
    - https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-23
modified: 2025-10-29
tags:
    - attack.initial-access
    - attack.t1566.001
logsource:
    category: file_event
    product: windows
detection:
    selection_processes:
        Image|endswith:
            # Email clients
            - '\RuntimeBroker.exe' # Windows Email clients uses RuntimeBroker to create the files
            - '\outlook.exe'
            - '\thunderbird.exe'
            # Browsers
            - '\brave.exe'
            - '\chrome.exe'
            - '\firefox.exe'
            - '\iexplore.exe'
            - '\maxthon.exe'
            - '\MicrosoftEdge.exe'
            - '\msedge.exe'
            - '\msedgewebview2.exe'
            - '\opera.exe'
            - '\safari.exe'
            - '\seamonkey.exe'
            - '\vivaldi.exe'
            - '\whale.exe'
    selection_ext:
        - TargetFilename|endswith:
              - '.docm'
              - '.dotm'
              - '.xlsm'
              - '.xltm'
              - '.potm'
              - '.pptm'
        - TargetFilename|contains:
              - '.docm:Zone'
              - '.dotm:Zone'
              - '.xlsm:Zone'
              - '.xltm:Zone'
              - '.potm:Zone'
              - '.pptm:Zone'
    condition: all of selection_*
falsepositives:
    - Legitimate macro files downloaded from the internet
    - Legitimate macro files sent as attachments via emails
level: low
related informational
Windows Update Error
Detects Windows update errors including installation failures and connection issues. Defenders should observe this in case critical update KBs aren't installed.
status stable author frack113 id 13cfeb75-9e33-4d04-b0f7-ab8faaa95a59 license Sigma · DRL-1.1
title: Windows Update Error
id: 13cfeb75-9e33-4d04-b0f7-ab8faaa95a59
status: stable
description: |
    Detects Windows update errors including installation failures and connection issues. Defenders should observe this in case critical update KBs aren't installed.
references:
    - https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1903/W10_1903_Pro_20200714_18362.959/WEPExplorer/Microsoft-Windows-WindowsUpdateClient.xml
author: frack113
date: 2021-12-04
modified: 2023-09-07
tags:
    - attack.impact
    - attack.resource-development
    - attack.t1584
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: Microsoft-Windows-WindowsUpdateClient
        EventID:
            - 16 # Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule
            - 20 # Installation Failure: Windows failed to install the following update with error
            - 24 # Uninstallation Failure: Windows failed to uninstall the following update with error
            - 213 # Revert Failure: Windows failed to revert the following update with error
            - 217 # Commit Failure: Windows failed to commit the following update with error
    condition: selection
falsepositives:
    - Unknown
level: informational
related low
Potential Execution of Sysinternals Tools
Detects command lines that contain the 'accepteula' flag which could be a sign of execution of one of the Sysinternals tools
status test author Markus Neis id 7cccd811-7ae9-4ebe-9afd-cb5c406b824b license Sigma · DRL-1.1
title: Potential Execution of Sysinternals Tools
id: 7cccd811-7ae9-4ebe-9afd-cb5c406b824b
related:
    - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
      type: derived
status: test
description: Detects command lines that contain the 'accepteula' flag which could be a sign of execution of one of the Sysinternals tools
references:
    - https://twitter.com/Moti_B/status/1008587936735035392
author: Markus Neis
date: 2017-08-28
modified: 2024-03-13
tags:
    - attack.resource-development
    - attack.t1588.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|windash: ' -accepteula'
    condition: selection
falsepositives:
    - Legitimate use of SysInternals tools
    - Programs that use the same command line flag
level: low
related low
PUA - Sysinternal Tool Execution - Registry
Detects the execution of a Sysinternals Tool via the creation of the "accepteula" registry key
status test author Markus Neis id 25ffa65d-76d8-4da5-a832-3f2b0136e133 license Sigma · DRL-1.1
title: PUA - Sysinternal Tool Execution - Registry
id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
status: test
description: Detects the execution of a Sysinternals Tool via the creation of the "accepteula" registry key
references:
    - https://twitter.com/Moti_B/status/1008587936735035392
author: Markus Neis
date: 2017-08-28
modified: 2025-10-26
tags:
    - attack.resource-development
    - attack.t1588.002
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|endswith: '\EulaAccepted'
    condition: selection
falsepositives:
    - Legitimate use of SysInternals tools
    - Programs that use the same Registry Key
level: low
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_pua_sysinternals_execution_via_eula/info.yml