Sigma rules for CVE-2001-0509
2 rules · scoped to cve · back to CVE-2001-0509
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Wow6432Node Windows NT CurrentVersion Autorun Keys Modification
id: 480421f9-417f-4d3b-9552-fd2728443ec8
related:
- id: 17f878b8-9968-4578-b814-c4217fc5768c
type: obsolete
status: test
description: Detects modification of autostart extensibility point (ASEP) in registry.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2025-10-22
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.001
logsource:
category: registry_set
product: windows
detection:
selection_wow_nt_current_version_base:
TargetObject|contains: '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion'
selection_wow_nt_current_version:
TargetObject|contains:
- '\Windows\Appinit_Dlls'
- '\Image File Execution Options'
- '\Drivers32'
filter_main_empty:
Details: '(Empty)'
filter_main_null:
Details: null
filter_main_file_exec_options:
Details|endswith: '\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
- Legitimate administrator sets up autorun keys for legitimate reason
level: medium
title: Suspicious Child Process Of SQL Server
id: 869b9ca7-9ea2-4a5a-8325-e80e62f75445
related:
- id: 344482e4-a477-436c-aa70-7536d18a48c7
type: obsolete
status: test
description: Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.
references:
- Internal Research
author: FPT.EagleEye Team, wagga
date: 2020-12-11
modified: 2023-05-04
tags:
- attack.t1505.003
- attack.t1190
- attack.initial-access
- attack.persistence
- attack.privilege-escalation
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\sqlservr.exe'
Image|endswith:
# You can add other uncommon or suspicious processes
- '\bash.exe'
- '\bitsadmin.exe'
- '\cmd.exe'
- '\netstat.exe'
- '\nltest.exe'
- '\ping.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\sh.exe'
- '\systeminfo.exe'
- '\tasklist.exe'
- '\wsl.exe'
filter_optional_datev:
ParentImage|startswith: 'C:\Program Files\Microsoft SQL Server\'
ParentImage|endswith: 'DATEV_DBENGINE\MSSQL\Binn\sqlservr.exe'
Image: 'C:\Windows\System32\cmd.exe'
CommandLine|startswith: '"C:\Windows\system32\cmd.exe" '
condition: selection and not 1 of filter_optional_*
level: high