
Sigma rules for Wintego Systems

166 rules · scoped to actor
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.

Detection rules

50 of 166
related medium
PUA - Potential PE Metadata Tamper Using Rcedit
Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.
status test author Micah Babinski id 0c92f2e6-f08f-4b73-9216-ecb0ca634689 license Sigma · DRL-1.1
title: PUA - Potential PE Metadata Tamper Using Rcedit
id: 0c92f2e6-f08f-4b73-9216-ecb0ca634689
status: test
description: Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.
references:
    - https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe
    - https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915
    - https://github.com/electron/rcedit
author: Micah Babinski
date: 2022-12-11
modified: 2023-03-05
tags:
    - attack.stealth
    - attack.t1036.003
    - attack.t1036
    - attack.t1027.005
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\rcedit-x64.exe'
              - '\rcedit-x86.exe'
        - Description: 'Edit resources of exe'
        - Product: 'rcedit'
    selection_flags:
        CommandLine|contains: '--set-' # Covers multiple edit commands such as "--set-resource-string" or "--set-version-string"
    selection_attributes:
        CommandLine|contains:
            - 'OriginalFileName'
            - 'CompanyName'
            - 'FileDescription'
            - 'ProductName'
            - 'ProductVersion'
            - 'LegalCopyright'
    condition: all of selection_*
falsepositives:
    - Legitimate use of the tool by administrators or users to update metadata of a binary
level: medium
related medium
Certificate Exported Via Certutil.EXE
Detects the execution of the certutil with the "exportPFX" flag which allows the utility to export certificates.
status test author Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems) id 3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5 license Sigma · DRL-1.1
title: Certificate Exported Via Certutil.EXE
id: 3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5
status: test
description: Detects the execution of the certutil with the "exportPFX" flag which allows the utility to export certificates.
references:
    - https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-15
modified: 2024-03-05
tags:
    - attack.stealth
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\certutil.exe'
        - OriginalFileName: 'CertUtil.exe'
    selection_cli:
        CommandLine|contains|windash: '-exportPFX '
    condition: all of selection_*
falsepositives:
    - There are legitimate reasons to export certificates. Investigate the activity to determine if it's benign
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_export_pfx/info.yml
related medium
Suspicious XOR Encoded PowerShell Command
Detects presence of a potentially xor encoded powershell command
status test author Sami Ruohonen, Harish Segar, Tim Shelton, Teymur Kheirkhabarov, Vasiliy Burov, oscd.community, Nasreddine Bencherchali id bb780e0c-16cf-4383-8383-1e5471db6cf9 license Sigma · DRL-1.1
title: Suspicious XOR Encoded PowerShell Command
id: bb780e0c-16cf-4383-8383-1e5471db6cf9
related:
    - id: 5b572dcf-254b-425c-a8c5-d9af6bea35a6
      type: obsolete
status: test
description: Detects presence of a potentially xor encoded powershell command
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65
    - https://redcanary.com/blog/yellow-cockatoo/
    - https://zero2auto.com/2020/05/19/netwalker-re/
    - https://mez0.cc/posts/cobaltstrike-powershell-exec/
author: Sami Ruohonen, Harish Segar, Tim Shelton, Teymur Kheirkhabarov, Vasiliy Burov, oscd.community, Nasreddine Bencherchali
date: 2018-09-05
modified: 2023-01-30
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.001
    - attack.t1140
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
        - Description: 'Windows PowerShell'
        - Product: 'PowerShell Core 6'
    selection_cli_xor:
        CommandLine|contains: 'bxor'
    selection_cli_other:
        CommandLine|contains:
            - 'ForEach'
            - 'for('
            - 'for '
            - '-join '
            - "-join'"
            - '-join"'
            - '-join`'
            - '::Join'
            - '[char]'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
related medium
Suspicious Download Via Certutil.EXE
Detects the execution of certutil with certain flags that allow the utility to download files.
status test author Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems) id 19b08b1c-861d-4e75-a1ef-ea0c1baf202b license Sigma · DRL-1.1
title: Suspicious Download Via Certutil.EXE
id: 19b08b1c-861d-4e75-a1ef-ea0c1baf202b
related:
    - id: 13e6fe51-d478-4c7e-b0f2-6da9b400a829
      type: similar
status: test
description: Detects the execution of certutil with certain flags that allow the utility to download files.
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
    - https://forensicitguy.github.io/agenttesla-vba-certutil-download/
    - https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/
    - https://twitter.com/egre55/status/1087685529016193025
    - https://lolbas-project.github.io/lolbas/Binaries/Certutil/
    - https://www.hexacorn.com/blog/2020/08/23/certutil-one-more-gui-lolbin
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-15
modified: 2025-12-01
tags:
    - attack.stealth
    - attack.t1027
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\certutil.exe'
        - OriginalFileName: 'CertUtil.exe'
    selection_flags:
        CommandLine|contains:
            - 'urlcache '
            - 'verifyctl '
            - 'URL '
    selection_http:
        CommandLine|contains: 'http'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_download/info.yml
related medium
Invoke-Obfuscation COMPRESS OBFUSCATION
Detects Obfuscated Powershell via COMPRESS OBFUSCATION
status test author Timur Zinniatullin, oscd.community id 7eedcc9d-9fdb-4d94-9c54-474e8affc0c7 license Sigma · DRL-1.1
title: Invoke-Obfuscation COMPRESS OBFUSCATION
id: 7eedcc9d-9fdb-4d94-9c54-474e8affc0c7
status: test
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-12-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'new-object'
            - 'text.encoding]::ascii'
        CommandLine|contains:
            - 'system.io.compression.deflatestream'
            - 'system.io.streamreader'
            - 'readtoend('
    condition: selection
falsepositives:
    - Unknown
level: medium
related medium
File Encoded To Base64 Via Certutil.EXE
Detects the execution of certutil with the "encode" flag to encode a file to base64. This can be abused by threat actors and attackers for data exfiltration
status test author Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems) id e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a license Sigma · DRL-1.1
title: File Encoded To Base64 Via Certutil.EXE
id: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a
status: test
description: Detects the execution of certutil with the "encode" flag to encode a file to base64. This can be abused by threat actors and attackers for data exfiltration
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
    - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
    - https://lolbas-project.github.io/lolbas/Binaries/Certutil/
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2019-02-24
modified: 2024-03-05
tags:
    - attack.stealth
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\certutil.exe'
        - OriginalFileName: 'CertUtil.exe'
    selection_cli:
        CommandLine|contains|windash: '-encode'
    condition: all of selection_*
falsepositives:
    - As this is a general purpose rule, legitimate usage of the encode functionality will trigger some false positives. Apply additional filters accordingly
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_encode/info.yml
related medium
ConvertTo-SecureString Cmdlet Usage Via CommandLine
Detects usage of the "ConvertTo-SecureString" cmdlet via the commandline. Which is fairly uncommon and could indicate potential suspicious activity
status test author Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton id 74403157-20f5-415d-89a7-c505779585cf license Sigma · DRL-1.1
title: ConvertTo-SecureString Cmdlet Usage Via CommandLine
id: 74403157-20f5-415d-89a7-c505779585cf
status: test
description: Detects usage of the "ConvertTo-SecureString" cmdlet via the commandline. Which is fairly uncommon and could indicate potential suspicious activity
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/convertto-securestring?view=powershell-7.3#examples
author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
date: 2020-10-11
modified: 2023-02-01
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_cli:
        CommandLine|contains: 'ConvertTo-SecureString'
    condition: all of selection_*
falsepositives:
    - Legitimate use to pass password to different powershell commands
level: medium
related medium
Invoke-Obfuscation RUNDLL LAUNCHER - Security
Detects Obfuscated Powershell via RUNDLL LAUNCHER
status test author Timur Zinniatullin, oscd.community id f241cf1b-3a6b-4e1a-b4f9-133c00dd95ca license Sigma · DRL-1.1
title: Invoke-Obfuscation RUNDLL LAUNCHER - Security
id: f241cf1b-3a6b-4e1a-b4f9-133c00dd95ca
related:
    - id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9
      type: derived
status: test
description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 23)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory needs to be enabled to log the EID 4697
detection:
    selection:
        EventID: 4697
        ServiceFileName|contains|all:
            - 'rundll32.exe'
            - 'shell32.dll'
            - 'shellexec_rundll'
            - 'powershell'
    condition: selection
falsepositives:
    - Unknown
level: medium
related medium
Password Protected ZIP File Opened
Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.
status test author Florian Roth (Nextron Systems) id 00ba9da1-b510-4f6b-b258-8d338836180f license Sigma · DRL-1.1
title: Password Protected ZIP File Opened
id: 00ba9da1-b510-4f6b-b258-8d338836180f
status: test
description: Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.
references:
    - https://twitter.com/sbousseaden/status/1523383197513379841
author: Florian Roth (Nextron Systems)
date: 2022-05-09
tags:
    - attack.stealth
    - attack.t1027
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5379
        TargetName|contains: 'Microsoft_Windows_Shell_ZipFolder:filename'
    filter:  # avoid overlaps with 54f0434b-726f-48a1-b2aa-067df14516e4
        TargetName|contains: '\Temporary Internet Files\Content.Outlook'
    condition: selection and not filter
falsepositives:
    - Legitimate use of encrypted ZIP files
level: medium
related medium
Invoke-Obfuscation COMPRESS OBFUSCATION - Security
Detects Obfuscated Powershell via COMPRESS OBFUSCATION
status test author Timur Zinniatullin, oscd.community id 7a922f1b-2635-4d6c-91ef-af228b198ad3 license Sigma · DRL-1.1
title: Invoke-Obfuscation COMPRESS OBFUSCATION - Security
id: 7a922f1b-2635-4d6c-91ef-af228b198ad3
related:
    - id: 175997c5-803c-4b08-8bb0-70b099f47595
      type: derived
status: test
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory needs to be enabled to log the EID 4697
detection:
    selection:
        EventID: 4697
        ServiceFileName|contains|all:
            - 'new-object'
            - 'text.encoding]::ascii'
            - 'readtoend'
        ServiceFileName|contains:
            - 'system.io.compression.deflatestream'
            - 'system.io.streamreader'
    condition: selection
falsepositives:
    - Unknown
level: medium
related medium
Invoke-Obfuscation RUNDLL LAUNCHER - System
Detects Obfuscated Powershell via RUNDLL LAUNCHER
status test author Timur Zinniatullin, oscd.community id 11b52f18-aaec-4d60-9143-5dd8cc4706b9 license Sigma · DRL-1.1
title: Invoke-Obfuscation RUNDLL LAUNCHER - System
id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9
status: test
description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 23)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ImagePath|contains|all:
            - 'rundll32.exe'
            - 'shell32.dll'
            - 'shellexec_rundll'
            - 'powershell'
    condition: selection
falsepositives:
    - Unknown
level: medium
related medium
Invoke-Obfuscation COMPRESS OBFUSCATION - System
Detects Obfuscated Powershell via COMPRESS OBFUSCATION
status test author Timur Zinniatullin, oscd.community id 175997c5-803c-4b08-8bb0-70b099f47595 license Sigma · DRL-1.1
title: Invoke-Obfuscation COMPRESS OBFUSCATION - System
id: 175997c5-803c-4b08-8bb0-70b099f47595
status: test
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ImagePath|contains|all:
            - 'new-object'
            - 'text.encoding]::ascii'
            - 'readtoend'
        ImagePath|contains:
            - ':system.io.compression.deflatestream'
            - 'system.io.streamreader'
    condition: selection
falsepositives:
    - Unknown
level: medium
related medium
Cisco Sniffing
Show when a monitor or a span/rspan is set up or modified
status test author Austin Clark id b9e1f193-d236-4451-aaae-2f3d2102120d license Sigma · DRL-1.1
title: Cisco Sniffing
id: b9e1f193-d236-4451-aaae-2f3d2102120d
status: test
description: Show when a monitor or a span/rspan is set up or modified
author: Austin Clark
date: 2019-08-11
modified: 2023-01-04
tags:
    - attack.credential-access
    - attack.discovery
    - attack.t1040
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        - 'monitor capture point'
        - 'set span'
        - 'set rspan'
    condition: keywords
falsepositives:
    - Admins may set up new or modify old spans, or use a monitor for troubleshooting
level: medium
related medium
Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock
Detects the execution of powershell scripts with calls to the "Start-NetEventSession" cmdlet. Which allows an attacker to start event and packet capture for a network event session. Adversaries may attempt to capture network to gather information over the course of an operation. Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol.
status test author frack113 id da34e323-1e65-42db-83be-a6725ac2caa3 license Sigma · DRL-1.1
title: Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock
id: da34e323-1e65-42db-83be-a6725ac2caa3
status: test
description: |
    Detects the execution of powershell scripts with calls to the "Start-NetEventSession" cmdlet. Which allows an attacker to start event and packet capture for a network event session.
    Adversaries may attempt to capture network to gather information over the course of an operation.
    Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing
    - https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/7b8935fe4c82cb64d61343de1a8b2e38dd968534/handbooks/10_post_exploitation.md
    - https://github.com/forgottentq/powershell/blob/9e616363d497143dc955c4fdce68e5c18d28a6cb/captureWindows-Endpoint.ps1#L13
author: frack113
date: 2024-05-12
tags:
    - attack.credential-access
    - attack.discovery
    - attack.t1040
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains: 'Start-NetEventSession'
    condition: selection
falsepositives:
    - Legitimate network diagnostic scripts.
level: medium
related medium
Potential Network Sniffing Activity Using Network Tools
Detects potential network sniffing via use of network tools such as "tshark", "windump". Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
status test author Timur Zinniatullin, oscd.community, Nasreddine Bencherchali (Nextron Systems) id ba1f7802-adc7-48b4-9ecb-81e227fddfd5 license Sigma · DRL-1.1
title: Potential Network Sniffing Activity Using Network Tools
id: ba1f7802-adc7-48b4-9ecb-81e227fddfd5
status: test
description: |
    Detects potential network sniffing via use of network tools such as "tshark", "windump".
    Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.
    An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md
author: Timur Zinniatullin, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2019-10-21
modified: 2023-02-20
tags:
    - attack.credential-access
    - attack.discovery
    - attack.t1040
logsource:
    category: process_creation
    product: windows
detection:
    selection_tshark:
        Image|endswith: '\tshark.exe'
        CommandLine|contains: '-i'
    selection_windump:
        Image|endswith: '\windump.exe'
    condition: 1 of selection_*
falsepositives:
    - Legitimate administration activity to troubleshoot network issues
level: medium
related medium
New Network Trace Capture Started Via Netsh.EXE
Detects the execution of netsh with the "trace" flag in order to start a network capture
status test author Kutepov Anton, oscd.community id d3c3861d-c504-4c77-ba55-224ba82d0118 license Sigma · DRL-1.1
title: New Network Trace Capture Started Via Netsh.EXE
id: d3c3861d-c504-4c77-ba55-224ba82d0118
status: test
description: Detects the execution of netsh with the "trace" flag in order to start a network capture
references:
    - https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/
    - https://klausjochem.me/2016/02/03/netsh-the-cyber-attackers-tool-of-choice/
author: Kutepov Anton, oscd.community
date: 2019-10-24
modified: 2023-02-13
tags:
    - attack.discovery
    - attack.credential-access
    - attack.t1040
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\netsh.exe'
        - OriginalFileName: 'netsh.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'trace'
            - 'start'
    condition: all of selection_*
falsepositives:
    - Legitimate administration activity
level: medium
related medium
PktMon.EXE Execution
Detects execution of PktMon, a tool that captures network packets.
status test author frack113 id f956c7c1-0f60-4bc5-b7d7-b39ab3c08908 license Sigma · DRL-1.1
title: PktMon.EXE Execution
id: f956c7c1-0f60-4bc5-b7d7-b39ab3c08908
status: test
description: Detects execution of PktMon, a tool that captures network packets.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Pktmon/
author: frack113
date: 2022-03-17
modified: 2023-06-23
tags:
    - attack.discovery
    - attack.credential-access
    - attack.t1040
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\pktmon.exe'
        - OriginalFileName: 'PktMon.exe'
    condition: selection
falsepositives:
    - Legitimate use
level: medium
related medium
Harvesting Of Wifi Credentials Via Netsh.EXE
Detect the harvesting of wifi credentials using netsh.exe
status test author Andreas Hunkeler (@Karneades), oscd.community id 42b1a5b8-353f-4f10-b256-39de4467faff license Sigma · DRL-1.1
title: Harvesting Of Wifi Credentials Via Netsh.EXE
id: 42b1a5b8-353f-4f10-b256-39de4467faff
status: test
description: Detect the harvesting of wifi credentials using netsh.exe
references:
    - https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/
author: Andreas Hunkeler (@Karneades), oscd.community
date: 2020-04-20
modified: 2023-02-13
tags:
    - attack.discovery
    - attack.credential-access
    - attack.t1040
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\netsh.exe'
        - OriginalFileName: 'netsh.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'wlan'
            - ' s'
            - ' p'
            - ' k'
            - '=clear'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
related medium
Windows Pcap Drivers
Detects Windows Pcap driver installation based on a list of associated .sys files.
status test author Cian Heasley id 7b687634-ab20-11ea-bb37-0242ac130002 license Sigma · DRL-1.1
title: Windows Pcap Drivers
id: 7b687634-ab20-11ea-bb37-0242ac130002
status: test
description: Detects Windows Pcap driver installation based on a list of associated .sys files.
references:
    - https://ragged-lab.blogspot.com/2020/06/capturing-pcap-driver-installations.html#more
author: Cian Heasley
date: 2020-06-10
modified: 2023-04-14
tags:
    - attack.discovery
    - attack.credential-access
    - attack.t1040
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory needs to be enabled to log the EID 4697
detection:
    selection:
        EventID: 4697
        ServiceFileName|contains:
            - 'pcap'
            - 'npcap'
            - 'npf'
            - 'nm3'
            - 'ndiscap'
            - 'nmnt'
            - 'windivert'
            - 'USBPcap'
            - 'pktmon'
    condition: selection
falsepositives:
    - Unknown
level: medium
related medium
Bitbucket User Login Failure
Detects user authentication failure events. Please note that this rule can be noisy and it is recommended to use with correlation based on "author.name" field.
status test author Muhammad Faisal (@faisalusuf) id 70ed1d26-0050-4b38-a599-92c53d57d45a license Sigma · DRL-1.1
title: Bitbucket User Login Failure
id: 70ed1d26-0050-4b38-a599-92c53d57d45a
status: test
description: |
    Detects user authentication failure events.
    Please note that this rule can be noisy and it is recommended to use with correlation based on "author.name" field.
references:
    - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
author: Muhammad Faisal (@faisalusuf)
date: 2024-02-25
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.credential-access
    - attack.stealth
    - attack.t1078.004
    - attack.t1110
logsource:
    product: bitbucket
    service: audit
    definition: 'Requirements: "Advance" log level is required to receive these audit events.'
detection:
    selection:
        auditType.category: 'Authentication'
        auditType.action: 'User login failed'
    condition: selection
falsepositives:
    - Legitimate user wrong password attempts.
level: medium
related medium
Bitbucket User Login Failure Via SSH
Detects SSH user login access failures. Please note that this rule can be noisy and is recommended to use with correlation based on "author.name" field.
status test author Muhammad Faisal (@faisalusuf) id d3f90469-fb05-42ce-b67d-0fded91bbef3 license Sigma · DRL-1.1
title: Bitbucket User Login Failure Via SSH
id: d3f90469-fb05-42ce-b67d-0fded91bbef3
status: test
description: |
    Detects SSH user login access failures.
    Please note that this rule can be noisy and is recommended to use with correlation based on "author.name" field.
references:
    - https://confluence.atlassian.com/bitbucketserver/view-and-configure-the-audit-log-776640417.html
    - https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html
author: Muhammad Faisal (@faisalusuf)
date: 2024-02-25
tags:
    - attack.lateral-movement
    - attack.credential-access
    - attack.t1021.004
    - attack.t1110
logsource:
    product: bitbucket
    service: audit
    definition: 'Requirements: "Advance" log level is required to receive these audit events.'
detection:
    selection:
        auditType.category: 'Authentication'
        auditType.action: 'User login failed(SSH)'
    condition: selection
falsepositives:
    - Legitimate user wrong password attempts.
level: medium
related medium
AWS ConsoleLogin Failed Authentication
Detects failed AWS console login attempts due to authentication failures. Monitoring these events is crucial for identifying potential brute-force attacks or unauthorized access attempts to AWS accounts.
status experimental author Ivan Saakov, Nasreddine Bencherchali id 6393e346-1977-46ef-8987-ad414a145fad license Sigma · DRL-1.1
title: AWS ConsoleLogin Failed Authentication
id: 6393e346-1977-46ef-8987-ad414a145fad
status: experimental
description: |
    Detects failed AWS console login attempts due to authentication failures. Monitoring these events is crucial for identifying potential brute-force attacks or unauthorized access attempts to AWS accounts.
references:
    - https://naikordian.github.io/blog/posts/brute-force-aws-console/
    - https://help.fortinet.com/fsiem/Public_Resource_Access/7_2_1/rules/PH_RULE_AWS_Management_Console_Brute_Force_of_Root_User_Identity.htm
    - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/aws_login_failure/aws_cloudtrail_events.json
author: Ivan Saakov, Nasreddine Bencherchali
date: 2025-10-19
tags:
    - attack.credential-access
    - attack.t1110
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventName: 'ConsoleLogin'
        errorMessage: 'Failed authentication'
    condition: selection
falsepositives:
    - Legitimate failed login attempts by authorized users. Investigate the source of repeated failed login attempts.
level: medium
related medium
User Access Blocked by Azure Conditional Access
Detect access has been blocked by Conditional Access policies. The access policy does not allow token issuance which might be signs of unauthorized login to valid accounts.
status test author AlertIQ id 9a60e676-26ac-44c3-814b-0c2a8b977adf license Sigma · DRL-1.1
title: User Access Blocked by Azure Conditional Access
id: 9a60e676-26ac-44c3-814b-0c2a8b977adf
status: test
description: |
    Detect access has been blocked by Conditional Access policies.
    The access policy does not allow token issuance which might be signs of unauthorized login to valid accounts.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
author: AlertIQ
date: 2021-10-10
modified: 2022-12-25
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.credential-access
    - attack.initial-access
    - attack.stealth
    - attack.t1110
    - attack.t1078.004
logsource:
    product: azure
    service: signinlogs
detection:
    selection:
        ResultType: 53003
    condition: selection
falsepositives:
    - Unknown
level: medium
related medium
Multifactor Authentication Denied
The user has indicated they did not instigate the MFA prompt, which could indicate an attacker has the password for the account.
status test author AlertIQ id e40f4962-b02b-4192-9bfe-245f7ece1f99 license Sigma · DRL-1.1
view Sigma YAML
title: Multifactor Authentication Denied
id: e40f4962-b02b-4192-9bfe-245f7ece1f99
status: test
description: The user has indicated they did not instigate the MFA prompt, which could indicate an attacker has the password for the account.
references:
    - https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
author: AlertIQ
date: 2022-03-24
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.credential-access
    - attack.stealth
    - attack.t1078.004
    - attack.t1110
    - attack.t1621
logsource:
    product: azure
    service: signinlogs
detection:
    selection:
        AuthenticationRequirement: 'multiFactorAuthentication'
        Status|contains: 'MFA Denied'
    condition: selection
falsepositives:
    - Users who actually log in but mis-click the Deny button at the MFA prompt.
level: medium
related medium
Account Lockout
Identifies user account which has been locked because the user tried to sign in too many times with an incorrect user ID or password.
status test author AlertIQ id 2b7d6fc0-71ac-4cf7-8ed1-b5788ee5257a license Sigma · DRL-1.1
view Sigma YAML
title: Account Lockout
id: 2b7d6fc0-71ac-4cf7-8ed1-b5788ee5257a
status: test
description: Identifies user account which has been locked because the user tried to sign in too many times with an incorrect user ID or password.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
author: AlertIQ
date: 2021-10-10
modified: 2022-12-25
tags:
    - attack.credential-access
    - attack.t1110
logsource:
    product: azure
    service: signinlogs
detection:
    selection:
        ResultType: 50053
    condition: selection
falsepositives:
    - Unknown
level: medium
related medium
Multifactor Authentication Interrupted
Identifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can't pass the MFA challenge.
status test author AlertIQ id 5496ff55-42ec-4369-81cb-00f417029e25 license Sigma · DRL-1.1
view Sigma YAML
title: Multifactor Authentication Interrupted
id: 5496ff55-42ec-4369-81cb-00f417029e25
status: test
description: Identifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can't pass the MFA challenge.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
author: AlertIQ
date: 2021-10-10
modified: 2022-12-18
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.credential-access
    - attack.stealth
    - attack.t1078.004
    - attack.t1110
    - attack.t1621
logsource:
    product: azure
    service: signinlogs
detection:
    selection_50074:
        ResultType: 50074
        ResultDescription|contains: 'Strong Auth required'
    selection_500121:
        ResultType: 500121
        ResultDescription|contains: 'Authentication failed during strong authentication request'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: medium
related medium
Successful Authentications From Countries You Do Not Operate Out Of
Detect successful authentications from countries you do not operate out of.
status test author MikeDuddington, '@dudders1' id 8c944ecb-6970-4541-8496-be554b8e2846 license Sigma · DRL-1.1
view Sigma YAML
title: Successful Authentications From Countries You Do Not Operate Out Of
id: 8c944ecb-6970-4541-8496-be554b8e2846
status: test
description: Detect successful authentications from countries you do not operate out of.
references:
    - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts
author: MikeDuddington, '@dudders1'
date: 2022-07-28
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.credential-access
    - attack.stealth
    - attack.t1078.004
    - attack.t1110
logsource:
    product: azure
    service: signinlogs
detection:
    selection:
        Status: 'Success'
    filter:
        Location|contains: '<Countries you DO operate out of e,g GB, use OR for multiple>'
    condition: selection and not filter
falsepositives:
    - If this was approved by System Administrator.
level: medium
related medium
MSSQL Server Failed Logon From External Network
Detects failed logon attempts from clients with external network IP to an MSSQL server. This can be a sign of a bruteforce attack.
status test author j4son id ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d license Sigma · DRL-1.1
view Sigma YAML
title: MSSQL Server Failed Logon From External Network
id: ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d
related:
    - id: 218d2855-2bba-4f61-9c85-81d0ea63ac71
      type: similar
status: test
description: Detects failed logon attempts from clients with external network IP to an MSSQL server. This can be a sign of a bruteforce attack.
references:
    - https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/
    - https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html
author: j4son
date: 2023-10-11
modified: 2025-05-28
tags:
    - attack.credential-access
    - attack.t1110
logsource:
    product: windows
    service: application
    definition: 'Requirements: Must enable MSSQL authentication.'
detection:
    selection:
        Provider_Name|contains: 'MSSQL' # Note: We use contains to account for other third party providers - See https://github.com/SigmaHQ/sigma/issues/4876
        EventID: 18456
    filter_main_local_ips:
        Data|contains:
            - 'CLIENT: 10.' # filter_range_IP: 10.0.0.0/8
            - 'CLIENT: 172.16.' # filter_range_IP: 172.16.0.0/12
            - 'CLIENT: 172.17.'
            - 'CLIENT: 172.18.'
            - 'CLIENT: 172.19.'
            - 'CLIENT: 172.20.'
            - 'CLIENT: 172.21.'
            - 'CLIENT: 172.22.'
            - 'CLIENT: 172.23.'
            - 'CLIENT: 172.24.'
            - 'CLIENT: 172.25.'
            - 'CLIENT: 172.26.'
            - 'CLIENT: 172.27.'
            - 'CLIENT: 172.28.'
            - 'CLIENT: 172.29.'
            - 'CLIENT: 172.30.'
            - 'CLIENT: 172.31.'
            - 'CLIENT: 192.168.' # filter_range_IP: 192.168.0.0/16
            - 'CLIENT: 127.' # filter_loop_back: 127.0.0.0/8
            - 'CLIENT: 169.254.' # filter_link-local_addressing: 169.254.0.0/16
            - 'CLIENT: <local machine>'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
related medium
External Remote RDP Logon from Public IP
Detects successful logon from public IP address via RDP. This can indicate a publicly-exposed RDP port.
status test author Micah Babinski (@micahbabinski), Zach Mathis (@yamatosecurity) id 259a9cdf-c4dd-4fa2-b243-2269e5ab18a2 license Sigma · DRL-1.1
view Sigma YAML
title: External Remote RDP Logon from Public IP
id: 259a9cdf-c4dd-4fa2-b243-2269e5ab18a2
related:
    - id: 78d5cab4-557e-454f-9fb9-a222bd0d5edc
      type: derived
status: test
description: Detects successful logon from public IP address via RDP. This can indicate a publicly-exposed RDP port.
references:
    - https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html
    - https://twitter.com/Purp1eW0lf/status/1616144561965002752
author: Micah Babinski (@micahbabinski), Zach Mathis (@yamatosecurity)
date: 2023-01-19
modified: 2024-03-11
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.credential-access
    - attack.stealth
    - attack.t1133
    - attack.t1078
    - attack.t1110
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624
        LogonType: 10
    filter_main_local_ranges:
        IpAddress|cidr:
            - '::1/128'  # IPv6 loopback
            - '10.0.0.0/8'
            - '127.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - 'fc00::/7'  # IPv6 private addresses
            - 'fe80::/10'  # IPv6 link-local addresses
    filter_main_empty:
        IpAddress: '-'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate or intentional inbound connections from public IP addresses on the RDP port.
level: medium
related medium
NTLM Brute Force
Detects common NTLM brute force device names
status test author Jerry Shockley '@jsh0x' id 9c8acf1a-cbf9-4db6-b63c-74baabe03e59 license Sigma · DRL-1.1
view Sigma YAML
title: NTLM Brute Force
id: 9c8acf1a-cbf9-4db6-b63c-74baabe03e59
status: test
description: Detects common NTLM brute force device names
references:
    - https://www.varonis.com/blog/investigate-ntlm-brute-force
author: Jerry Shockley '@jsh0x'
date: 2022-02-02
tags:
    - attack.credential-access
    - attack.t1110
logsource:
    product: windows
    service: ntlm
    definition: Requires events from Microsoft-Windows-NTLM/Operational
detection:
    selection:
        EventID: 8004
    devicename:
        WorkstationName:
            - 'Rdesktop'
            - 'Remmina'
            - 'Freerdp'
            - 'Windows7'
            - 'Windows8'
            - 'Windows2012'
            - 'Windows2016'
            - 'Windows2019'
    condition: selection and devicename
falsepositives:
    - Systems with names equal to the spoofed ones used by the brute force tools
level: medium
related medium
Suspicious Rejected SMB Guest Logon From IP
Detects attempted PrintNightmare (CVE-2021-1675) remote code execution in the Windows Spooler service.
status test author Florian Roth (Nextron Systems), KevTheHermit, fuzzyf10w id 71886b70-d7b4-4dbf-acce-87d2ca135262 license Sigma · DRL-1.1
view Sigma YAML
title: Suspicious Rejected SMB Guest Logon From IP
id: 71886b70-d7b4-4dbf-acce-87d2ca135262
status: test
description: Detects attempted PrintNightmare (CVE-2021-1675) remote code execution in the Windows Spooler service.
references:
    - https://twitter.com/KevTheHermit/status/1410203844064301056
    - https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/
    - https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare
author: Florian Roth (Nextron Systems), KevTheHermit, fuzzyf10w
date: 2021-06-30
modified: 2023-01-02
tags:
    - attack.credential-access
    - attack.t1110.001
logsource:
    product: windows
    service: smbclient-security
detection:
    selection:
        EventID: 31017
        UserName: ''
        ServerName|startswith: '\1'
    condition: selection
falsepositives:
    - Account fallback reasons (after failed login with specific account)
level: medium
related medium
Microsoft 365 - User Restricted from Sending Email
Detects when a Security Compliance Center reported a user who exceeded sending limits of the service policies and because of this has been restricted from sending email.
status test author austinsonger id ff246f56-7f24-402a-baca-b86540e3925c license Sigma · DRL-1.1
view Sigma YAML
title: Microsoft 365 - User Restricted from Sending Email
id: ff246f56-7f24-402a-baca-b86540e3925c
status: test
description: Detects when a Security Compliance Center reported a user who exceeded sending limits of the service policies and because of this has been restricted from sending email.
references:
    - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
    - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
author: austinsonger
date: 2021-08-19
modified: 2022-10-09
tags:
    - attack.initial-access
    - attack.t1199
logsource:
    service: threat_management
    product: m365
detection:
    selection:
        eventSource: SecurityComplianceCenter
        eventName: 'User restricted from sending email'
        status: success
    condition: selection
falsepositives:
    - Unknown
level: medium
related medium
Bitbucket User Details Export Attempt Detected
Detects user data export activity.
status test author Muhammad Faisal (@faisalusuf) id 5259cbf2-0a75-48bf-b57a-c54d6fabaef3 license Sigma · DRL-1.1
view Sigma YAML
title: Bitbucket User Details Export Attempt Detected
id: 5259cbf2-0a75-48bf-b57a-c54d6fabaef3
status: test
description: Detects user data export activity.
references:
    - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
    - https://support.atlassian.com/security-and-access-policies/docs/export-user-accounts
author: Muhammad Faisal (@faisalusuf)
date: 2024-02-25
tags:
    - attack.collection
    - attack.reconnaissance
    - attack.discovery
    - attack.t1213
    - attack.t1082
    - attack.t1591.004
logsource:
    product: bitbucket
    service: audit
    definition: 'Requirements: "Advance" log level is required to receive these audit events.'
detection:
    selection:
        auditType.category: 'Users and groups'
        auditType.action:
            - 'User permissions export failed'
            - 'User permissions export started'
            - 'User permissions exported'
    condition: selection
falsepositives:
    - Legitimate user activity.
level: medium
related medium
Bitbucket User Permissions Export Attempt
Detects user permission data export attempt.
status test author Muhammad Faisal (@faisalusuf) id 87cc6698-3e07-4ba2-9b43-a85a73e151e2 license Sigma · DRL-1.1
view Sigma YAML
title: Bitbucket User Permissions Export Attempt
id: 87cc6698-3e07-4ba2-9b43-a85a73e151e2
status: test
description: Detects user permission data export attempt.
references:
    - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
    - https://confluence.atlassian.com/bitbucketserver/users-and-groups-776640439.html
author: Muhammad Faisal (@faisalusuf)
date: 2024-02-25
tags:
    - attack.reconnaissance
    - attack.collection
    - attack.discovery
    - attack.t1213
    - attack.t1082
    - attack.t1591.004
logsource:
    product: bitbucket
    service: audit
    definition: 'Requirements: "Advance" log level is required to receive these audit events.'
detection:
    selection:
        auditType.category: 'Users and groups'
        auditType.action:
            - 'User details export failed'
            - 'User details export started'
            - 'User details exported'
    condition: selection
falsepositives:
    - Legitimate user activity.
level: medium
related medium
Github Delete Action Invoked
Detects delete action in the Github audit logs for codespaces, environment, project and repo.
status test author Muhammad Faisal (@faisalusuf) id 16a71777-0b2e-4db7-9888-9d59cb75200b license Sigma · DRL-1.1
view Sigma YAML
title: Github Delete Action Invoked
id: 16a71777-0b2e-4db7-9888-9d59cb75200b
status: test
description: Detects delete action in the Github audit logs for codespaces, environment, project and repo.
author: Muhammad Faisal (@faisalusuf)
date: 2023-01-19
modified: 2026-03-09
references:
    - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions
    - https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/security-log-events#codespaces
tags:
    - attack.impact
    - attack.collection
    - attack.t1213.003
logsource:
    product: github
    service: audit
    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
detection:
    selection:
        action:
            - 'codespaces.destroy'
            - 'environment.delete'
            - 'project.delete'
            - 'repo.destroy'
    condition: selection
falsepositives:
    - Validate the deletion activity is permitted. The "actor" field needs to be validated.
level: medium
related medium
Github Outside Collaborator Detected
Detects when an organization member or an outside collaborator is added to or removed from a project board or has their permission level changed or when an owner removes an outside collaborator from an organization or when two-factor authentication is required in an organization and an outside collaborator does not use 2FA or disables 2FA.
status test author Muhammad Faisal (@faisalusuf) id eaa9ac35-1730-441f-9587-25767bde99d7 license Sigma · DRL-1.1
view Sigma YAML
title: Github Outside Collaborator Detected
id: eaa9ac35-1730-441f-9587-25767bde99d7
status: test
description: |
    Detects when an organization member or an outside collaborator is added to or removed from a project board or has their permission level changed or when an owner removes an outside collaborator from an organization or when two-factor authentication is required in an organization and an outside collaborator does not use 2FA or disables 2FA.
author: Muhammad Faisal (@faisalusuf)
date: 2023-01-20
references:
    - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions
    - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.collection
    - attack.t1098.001
    - attack.t1098.003
    - attack.t1213.003
logsource:
    product: github
    service: audit
    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
detection:
    selection:
        action:
            - 'org.remove_outside_collaborator'
            - 'project.update_user_permission'
    condition: selection
falsepositives:
    - Validate that the actor is permitted to access the repo.
    - Validate the Multifactor Authentication changes.
level: medium
related medium
Kubernetes Admission Controller Modification
Detects when a modification (create, update or replace) action is taken that affects mutating or validating webhook configurations, as they can be used by an adversary to achieve persistence or exfiltrate access credentials.
status test author kelnage id eed82177-38f5-4299-8a76-098d50d225ab license Sigma · DRL-1.1
view Sigma YAML
title: Kubernetes Admission Controller Modification
id: eed82177-38f5-4299-8a76-098d50d225ab
related:
    - id: 6ad91e31-53df-4826-bd27-0166171c8040
      type: similar
status: test
description: |
    Detects when a modification (create, update or replace) action is taken that affects mutating or validating webhook configurations, as they can be used by an adversary to achieve persistence or exfiltrate access credentials.
references:
    - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
    - https://security.padok.fr/en/blog/kubernetes-webhook-attackers
author: kelnage
date: 2024-07-11
tags:
    - attack.privilege-escalation
    - attack.initial-access
    - attack.persistence
    - attack.stealth
    - attack.t1078
    - attack.credential-access
    - attack.t1552
    - attack.t1552.007
logsource:
    product: kubernetes
    service: audit
detection:
    selection:
        objectRef.apiGroup: 'admissionregistration.k8s.io'
        objectRef.resource:
            - 'mutatingwebhookconfigurations'
            - 'validatingwebhookconfigurations'
        verb:
            - 'create'
            - 'delete'
            - 'patch'
            - 'replace'
            - 'update'
    condition: selection
falsepositives:
    - Modifying the Kubernetes Admission Controller may need to be done by a system administrator.
    - Automated processes may need to take these actions and may need to be filtered.
level: medium
related medium
Added Owner To Application
Detects when a new owner is added to an application. This gives that account privileges to make modifications and configuration changes to the application.
status test author Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' id 74298991-9fc4-460e-a92e-511aa60baec1 license Sigma · DRL-1.1
view Sigma YAML
title: Added Owner To Application
id: 74298991-9fc4-460e-a92e-511aa60baec1
status: test
description: Detects when a new owner is added to an application. This gives that account privileges to make modifications and configuration changes to the application.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#new-owner
author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
date: 2022-06-02
tags:
    - attack.t1552
    - attack.credential-access
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        properties.message: Add owner to application
    condition: selection
falsepositives:
    - When a new application owner is added by an administrator
level: medium
related medium
Azure Keyvault Secrets Modified or Deleted
Identifies when secrets are modified or deleted in Azure.
status test author Austin Songer @austinsonger id b831353c-1971-477b-abb6-2828edc3bca1 license Sigma · DRL-1.1
view Sigma YAML
title: Azure Keyvault Secrets Modified or Deleted
id: b831353c-1971-477b-abb6-2828edc3bca1
status: test
description: Identifies when secrets are modified or deleted in Azure.
references:
    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
author: Austin Songer @austinsonger
date: 2021-08-16
modified: 2022-08-23
tags:
    - attack.impact
    - attack.credential-access
    - attack.t1552
    - attack.t1552.001
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        operationName:
            - MICROSOFT.KEYVAULT/VAULTS/SECRETS/WRITE
            - MICROSOFT.KEYVAULT/VAULTS/SECRETS/DELETE
            - MICROSOFT.KEYVAULT/VAULTS/SECRETS/BACKUP/ACTION
            - MICROSOFT.KEYVAULT/VAULTS/SECRETS/PURGE/ACTION
            - MICROSOFT.KEYVAULT/VAULTS/SECRETS/UPDATE/ACTION
            - MICROSOFT.KEYVAULT/VAULTS/SECRETS/RECOVER/ACTION
            - MICROSOFT.KEYVAULT/VAULTS/SECRETS/RESTORE/ACTION
            - MICROSOFT.KEYVAULT/VAULTS/SECRETS/SETSECRET/ACTION
    condition: selection
falsepositives:
    - Secrets being modified or deleted may be performed by a system administrator.
    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - Secrets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
related medium
Azure Keyvault Key Modified or Deleted
Identifies when a Keyvault Key is modified or deleted in Azure.
status test author Austin Songer @austinsonger id 80eeab92-0979-4152-942d-96749e11df40 license Sigma · DRL-1.1
view Sigma YAML
title: Azure Keyvault Key Modified or Deleted
id: 80eeab92-0979-4152-942d-96749e11df40
status: test
description: Identifies when a Keyvault Key is modified or deleted in Azure.
references:
    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
author: Austin Songer @austinsonger
date: 2021-08-16
modified: 2022-08-23
tags:
    - attack.impact
    - attack.credential-access
    - attack.t1552
    - attack.t1552.001
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        operationName:
            - MICROSOFT.KEYVAULT/VAULTS/KEYS/UPDATE/ACTION
            - MICROSOFT.KEYVAULT/VAULTS/KEYS/CREATE
            - MICROSOFT.KEYVAULT/VAULTS/KEYS/CREATE/ACTION
            - MICROSOFT.KEYVAULT/VAULTS/KEYS/IMPORT/ACTION
            - MICROSOFT.KEYVAULT/VAULTS/KEYS/RECOVER/ACTION
            - MICROSOFT.KEYVAULT/VAULTS/KEYS/RESTORE/ACTION
            - MICROSOFT.KEYVAULT/VAULTS/KEYS/DELETE
            - MICROSOFT.KEYVAULT/VAULTS/KEYS/BACKUP/ACTION
            - MICROSOFT.KEYVAULT/VAULTS/KEYS/PURGE/ACTION
    condition: selection
falsepositives:
    - Key being modified or deleted may be performed by a system administrator.
    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - Key modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
related medium
Azure Kubernetes Admission Controller
Identifies when an admission controller is executed in Azure Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.
status test author Austin Songer @austinsonger id a61a3c56-4ce2-4351-a079-88ae4cbd2b58 license Sigma · DRL-1.1
view Sigma YAML
title: Azure Kubernetes Admission Controller
id: a61a3c56-4ce2-4351-a079-88ae4cbd2b58
status: test
description: |
  Identifies when an admission controller is executed in Azure Kubernetes.
  A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server.
  The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster.
  An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster.
  For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod.
  An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials.
  An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.
references:
    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
author: Austin Songer @austinsonger
date: 2021-11-25
modified: 2022-12-18
tags:
    - attack.privilege-escalation
    - attack.initial-access
    - attack.persistence
    - attack.stealth
    - attack.t1078
    - attack.credential-access
    - attack.t1552
    - attack.t1552.007
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        operationName|startswith:
            - 'MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO'
            - 'MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO'
        operationName|endswith:
            - '/MUTATINGWEBHOOKCONFIGURATIONS/WRITE'
            - '/VALIDATINGWEBHOOKCONFIGURATIONS/WRITE'
    condition: selection
falsepositives:
    - Azure Kubernetes Admission Controller modifications may be made by a system administrator.
    - If known behavior is causing false positives, it can be exempted from the rule.
level: medium
related medium
Azure Key Vault Modified or Deleted
Identifies when a key vault is modified or deleted.
status test author Austin Songer @austinsonger id 459a2970-bb84-4e6a-a32e-ff0fbd99448d license Sigma · DRL-1.1
view Sigma YAML
title: Azure Key Vault Modified or Deleted
id: 459a2970-bb84-4e6a-a32e-ff0fbd99448d
status: test
description: Identifies when a key vault is modified or deleted.
references:
    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
author: Austin Songer @austinsonger
date: 2021-08-16
modified: 2022-08-23
tags:
    - attack.impact
    - attack.credential-access
    - attack.t1552
    - attack.t1552.001
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        operationName:
            - MICROSOFT.KEYVAULT/VAULTS/WRITE
            - MICROSOFT.KEYVAULT/VAULTS/DELETE
            - MICROSOFT.KEYVAULT/VAULTS/DEPLOY/ACTION
            - MICROSOFT.KEYVAULT/VAULTS/ACCESSPOLICIES/WRITE
    condition: selection
falsepositives:
    - Key Vault being modified or deleted may be performed by a system administrator.
    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - Key Vault modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
related medium
Google Cloud Kubernetes Admission Controller
Identifies when an admission controller is executed in GCP Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.
status test author Austin Songer @austinsonger id 6ad91e31-53df-4826-bd27-0166171c8040 license Sigma · DRL-1.1
view Sigma YAML
title: Google Cloud Kubernetes Admission Controller
id: 6ad91e31-53df-4826-bd27-0166171c8040
status: test
description: |
  Identifies when an admission controller is executed in GCP Kubernetes.
  A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server.
  The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster.
  An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster.
  For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials.
  An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.
references:
    - https://cloud.google.com/kubernetes-engine/docs
author: Austin Songer @austinsonger
date: 2021-11-25
modified: 2022-12-18
tags:
    - attack.privilege-escalation
    - attack.initial-access
    - attack.persistence
    - attack.stealth
    - attack.t1078
    - attack.credential-access
    - attack.t1552
    - attack.t1552.007
logsource:
    product: gcp
    service: gcp.audit
detection:
    selection:
        gcp.audit.method_name|startswith: 'admissionregistration.k8s.io.v'
        gcp.audit.method_name|contains:
            - '.mutatingwebhookconfigurations.'
            - '.validatingwebhookconfigurations.'
        gcp.audit.method_name|endswith:
            - 'create'
            - 'patch'
            - 'replace'
    condition: selection
falsepositives:
    - Google Cloud Kubernetes Admission Controller may be done by a system administrator.
    - If known behavior is causing false positives, it can be exempted from the rule.
level: medium
related medium
Potentially Suspicious EventLog Recon Activity Using Log Query Utilities
Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs. This technique is used by threat actors in order to extract sensitive information from event logs such as usernames, IP addresses, hostnames, etc.
status test author Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) id beaa66d6-aa1b-4e3c-80f5-e0145369bfaf license Sigma · DRL-1.1
title: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities
id: beaa66d6-aa1b-4e3c-80f5-e0145369bfaf
related:
    - id: 9cd55b6c-430a-4fa9-96f4-7cadf5229e9f
      type: derived
status: test
description: |
    Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs.
    This technique is used by threat actors in order to extract sensitive information from events logs such as usernames, IP addresses, hostnames, etc.
references:
    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
    - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a
    - https://www.group-ib.com/blog/apt41-world-tour-2021/
    - https://labs.withsecure.com/content/dam/labs/docs/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.3
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1
    - http://www.solomonson.com/posts/2010-07-09-reading-eventviewer-command-line/
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
    - https://ptsecurity.com/research/pt-esc-threat-intelligence/striking-panda-attacks-apt31-today
    - https://www.cybertriage.com/artifact/terminalservices_remoteconnectionmanager_log/
    - https://ponderthebits.com/2018/02/windows-rdp-related-event-logs-identification-tracking-and-investigation/
author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
date: 2022-09-09
modified: 2025-12-02
tags:
    - attack.credential-access
    - attack.discovery
    - attack.t1552
    - attack.t1087
logsource:
    category: process_creation
    product: windows
detection:
    selection_wmi:
        CommandLine|contains|all:
            - 'Select'
            - 'Win32_NTLogEvent'
    selection_wevtutil_img:
        - Image|endswith: '\wevtutil.exe'
        - OriginalFileName: 'wevtutil.exe'
    selection_wevtutil_cli:
        CommandLine|contains:
            - ' qe '
            - ' query-events '
    selection_wmic_img:
        - Image|endswith: '\wmic.exe'
        - OriginalFileName: 'wmic.exe'
    selection_wmic_cli:
        CommandLine|contains: ' ntevent'
    selection_cmdlet:
        CommandLine|contains:
            - 'Get-WinEvent '
            - 'get-eventlog '
    selection_logs_name:
        CommandLine|contains:
            # Note: Add more event log channels that are interesting for attackers
            - 'Microsoft-Windows-PowerShell'
            - 'Microsoft-Windows-Security-Auditing'
            - 'Microsoft-Windows-TerminalServices-LocalSessionManager'
            - 'Microsoft-Windows-TerminalServices-RemoteConnectionManager'
            - 'Microsoft-Windows-Windows Defender'
            - 'PowerShellCore'
            - 'Security'
            - 'Windows PowerShell'
    selection_logs_eid:
        CommandLine|contains:
            # Note: We use the "?" to account for both a single and a double quote
            # Note: Please add additional interesting event IDs
            # Note: As this only focuses on EIDs and we know EIDs are not unique across providers. Rare FPs might occur with legit queries to EIDs from different providers.
            # This covers EID 4624 and 4628 from Security Log
            - '-InstanceId 462?'
            - '.eventid -eq 462?'
            - '.ID -eq 462?'
            - 'EventCode=?462?'
            - 'EventIdentifier=?462?'
            - 'System[EventID=462?]'
            # This covers EID 4778 from Security Log
            - '-InstanceId 4778'
            - '.eventid -eq 4778'
            - '.ID -eq 4778'
            - 'EventCode=?4778?'
            - 'EventIdentifier=?4778?'
            - 'System[EventID=4778]'
            # This covers EID 25 from Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log
            - '-InstanceId 25'
            - '.eventid -eq 25'
            - '.ID -eq 25'
            - 'EventCode=?25?'
            - 'EventIdentifier=?25?'
            - 'System[EventID=25]'
            # This covers EID 1149 from Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational log
            - '-InstanceId 1149'
            - '.eventid -eq 1149'
            - '.ID -eq 1149'
            - 'EventCode=?1149?'
            - 'EventIdentifier=?1149?'
            - 'System[EventID=1149]'
            # This covers EID 21 from Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log
            - '-InstanceId 21'
            - '.eventid -eq 21'
            - '.ID -eq 21'
            - 'EventCode=?21?'
            - 'EventIdentifier=?21?'
            - 'System[EventID=21]'
            # This covers EID 22 from Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log
            - '-InstanceId 22'
            - '.eventid -eq 22'
            - '.ID -eq 22'
            - 'EventCode=?22?'
            - 'EventIdentifier=?22?'
            - 'System[EventID=22]'
    condition: 1 of selection_logs_* and (selection_wmi or all of selection_wevtutil_* or all of selection_wmic_* or selection_cmdlet)
falsepositives:
    - Legitimate usage of the utility by administrators to query the event log
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon/info.yml
related medium
Notepad++ Updater DNS Query to Uncommon Domains
Detects when the Notepad++ updater (gup.exe) makes DNS queries to domains that are not part of the known legitimate update infrastructure. This could indicate potential exploitation of the updater mechanism or suspicious network activity that warrants further investigation.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) id 2074e137-1b73-4e2d-88ba-5a3407dbdce0 license Sigma · DRL-1.1
title: Notepad++ Updater DNS Query to Uncommon Domains
id: 2074e137-1b73-4e2d-88ba-5a3407dbdce0
status: experimental
description: |
    Detects when the Notepad++ updater (gup.exe) makes DNS queries to domains that are not part of the known legitimate update infrastructure.
    This could indicate potential exploitation of the updater mechanism or suspicious network activity that warrants further investigation.
references:
    - https://notepad-plus-plus.org/news/v889-released/
    - https://www.heise.de/en/news/Notepad-updater-installed-malware-11109726.html
    - https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
    - https://www.validin.com/blog/exploring_notepad_plus_plus_network_indicators/
    - https://securelist.com/notepad-supply-chain-attack/118708/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-02-02
modified: 2026-03-16
tags:
    - attack.collection
    - attack.credential-access
    - attack.t1195.002
    - attack.initial-access
    - attack.t1557
logsource:
    category: dns_query
    product: windows
detection:
    selection:
        Image|endswith: '\gup.exe'
    filter_main_notepad_legit_domain:
        QueryName: 'notepad-plus-plus.org'
    filter_optional_sourceforge_legit_domain:
        QueryName|endswith: '.sourceforge.net'
    filter_optional_github_legit_domain:
        - QueryName|endswith: '.githubusercontent.com'
        - QueryName: 'github.com'
    filter_optional_google_storage_legit_domain:
        QueryName|endswith: '.googleapis.com'
    filter_optional_uncommon_domains:
        QueryName|endswith:
            - '.azurewebsites.net'
            - 'block.opendns.com'
            - 'gateway.zscalerthree.net'
    # Add other known legitimate domains if any
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Some legitimate network misconfigurations or proxy issues causing unexpected DNS queries.
    - Other legitimate query to official domains not listed in the filter, needing tuning.
level: medium # can be upgraded to high after tuning with known legitimate DNS queries
related medium
Potential Suspicious Activity Using SeCEdit
Detects potentially suspicious behaviour using secedit.exe, such as exporting or modifying the security policy.
status test author Janantha Marasinghe id c2c76b77-32be-4d1f-82c9-7e544bdfe0eb license Sigma · DRL-1.1
title: Potential Suspicious Activity Using SeCEdit
id: c2c76b77-32be-4d1f-82c9-7e544bdfe0eb
status: test
description: Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy
references:
    - https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit
author: Janantha Marasinghe
date: 2022-11-18
modified: 2022-12-30
tags:
    - attack.collection
    - attack.discovery
    - attack.persistence
    - attack.credential-access
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.defense-impairment
    - attack.t1685.001
    - attack.t1547.001
    - attack.t1505.005
    - attack.t1556.002
    - attack.t1685
    - attack.t1574.007
    - attack.t1564.002
    - attack.t1546.008
    - attack.t1546.007
    - attack.t1547.014
    - attack.t1547.010
    - attack.t1547.002
    - attack.t1557
    - attack.t1082
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\secedit.exe'
        - OriginalFileName: 'SeCEdit'
    selection_flags_discovery:
        CommandLine|contains|all:
            - '/export'
            - '/cfg'
    selection_flags_configure:
        CommandLine|contains|all:
            - '/configure'
            - '/db'
    # filter:
    #     SubjectUserName|endswith: '$'  SubjectUserName is from event ID 4719 in the Windows Security log
    condition: selection_img and (1 of selection_flags_*)
falsepositives:
    - Legitimate administrative use
level: medium
related medium
ISATAP Router Address Was Set
Detects the configuration of a new ISATAP router on a Windows host. While ISATAP is a legitimate Microsoft technology for IPv6 transition, unexpected or unauthorized ISATAP router configurations could indicate a potential IPv6 DNS Takeover attack using tools like mitm6. In such attacks, adversaries advertise themselves as DHCPv6 servers and set malicious ISATAP routers to intercept traffic. This detection should be correlated with network baselines and known legitimate ISATAP deployments in your environment.
status experimental author hamid id d22df9cd-2aee-4089-93c7-9dc4eae77f2c license Sigma · DRL-1.1
title: ISATAP Router Address Was Set
id: d22df9cd-2aee-4089-93c7-9dc4eae77f2c
status: experimental
description: |
    Detects the configuration of a new ISATAP router on a Windows host. While ISATAP is a legitimate Microsoft technology for IPv6 transition, unexpected or unauthorized ISATAP router configurations could indicate a potential IPv6 DNS Takeover attack using tools like mitm6.
    In such attacks, adversaries advertise themselves as DHCPv6 servers and set malicious ISATAP routers to intercept traffic.
    This detection should be correlated with network baselines and known legitimate ISATAP deployments in your environment.
references:
    - https://www.blackhillsinfosec.com/mitm6-strikes-again-the-dark-side-of-ipv6/
    - https://redfoxsec.com/blog/ipv6-dns-takeover/
    - https://www.securityhq.com/blog/malicious-isatap-tunneling-unearthed-on-windows-server/
    - https://medium.com/@ninnesoturan/detecting-ipv6-dns-takeover-a54a6a88be1f
author: hamid
date: 2025-10-19
tags:
    - attack.impact
    - attack.credential-access
    - attack.collection
    - attack.initial-access
    - attack.privilege-escalation
    - attack.execution
    - attack.t1557
    - attack.t1565.002
logsource:
    product: windows
    service: system
detection:
    selection:
        EventID: 4100
        Provider_Name: 'Microsoft-Windows-Iphlpsvc'
    filter_main_localhost:
        IsatapRouter:
            - '127.0.0.1'
            - '::1'
    filter_optional_null:
        IsatapRouter: null
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate ISATAP router configuration in enterprise environments
    - IPv6 transition projects and network infrastructure changes
    - Network administrators configuring dual-stack networking
    - Automatic ISATAP configuration in some Windows deployments
level: medium
related low
AWS EC2 VM Export Failure
An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.
status test author Diogo Braz id 54b9a76a-3c71-4673-b4b3-2edb4566ea7b license Sigma · DRL-1.1
title: AWS EC2 VM Export Failure
id: 54b9a76a-3c71-4673-b4b3-2edb4566ea7b
status: test
description: An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.
references:
    - https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance
author: Diogo Braz
date: 2020-04-16
modified: 2022-10-05
tags:
    - attack.collection
    - attack.t1005
    - attack.exfiltration
    - attack.t1537
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventName: 'CreateInstanceExportTask'
        eventSource: 'ec2.amazonaws.com'
    filter1:
        errorMessage|contains: '*'
    filter2:
        errorCode|contains: '*'
    filter3:
        responseElements|contains: 'Failure'
    condition: selection and not 1 of filter*
level: low
related low
Cisco Collect Data
Collect pertinent data from the configuration files
status test author Austin Clark id cd072b25-a418-4f98-8ebc-5093fb38fe1a license Sigma · DRL-1.1
title: Cisco Collect Data
id: cd072b25-a418-4f98-8ebc-5093fb38fe1a
status: test
description: Collect pertinent data from the configuration files
references:
    - https://blog.router-switch.com/2013/11/show-running-config/
    - https://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/cmdrefs/show_startup-config.htm
    - https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/15-sy/config-mgmt-15-sy-book/cm-config-diff.html
author: Austin Clark
date: 2019-08-11
modified: 2023-01-04
tags:
    - attack.discovery
    - attack.credential-access
    - attack.collection
    - attack.t1087.001
    - attack.t1552.001
    - attack.t1005
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        - 'show running-config'
        - 'show startup-config'
        - 'show archive config'
        - 'more'
    condition: keywords
falsepositives:
    - Commonly run by administrators
level: low
related low
Decode Base64 Encoded Text -MacOs
Detects usage of base64 utility to decode arbitrary base64-encoded text
status test author Daniil Yugoslavskiy, oscd.community id 719c22d7-c11a-4f2c-93a6-2cfdd5412f68 license Sigma · DRL-1.1
title: Decode Base64 Encoded Text -MacOs
id: 719c22d7-c11a-4f2c-93a6-2cfdd5412f68
status: test
description: Detects usage of base64 utility to decode arbitrary base64-encoded text
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md
author: Daniil Yugoslavskiy, oscd.community
date: 2020-10-19
modified: 2022-11-26
tags:
    - attack.stealth
    - attack.t1027
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        Image: '/usr/bin/base64'
        CommandLine|contains: '-d'
    condition: selection
falsepositives:
    - Legitimate activities
level: low
Showing 101-150 of 166
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin