Sigma rules for CVE-2002-0057
3 rules · scoped to CVE-2002-0057
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.

title: Internet Explorer DisableFirstRunCustomize Enabled
id: ab567429-1dfb-4674-b6d2-979fd2f9d125
status: test
description: |
    Detects changes to the Internet Explorer "DisableFirstRunCustomize" value, which prevents Internet Explorer from running the first-run wizard the first time a user starts the browser after installing Internet Explorer or Windows.
references:
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
    - https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/
    - https://admx.help/?Category=InternetExplorer&Policy=Microsoft.Policies.InternetExplorer::NoFirstRunCustomise
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-16
modified: 2025-10-07
tags:
    - attack.defense-impairment
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|endswith: '\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize'
        Details:
            - 'DWORD (0x00000001)' # Home Page
            - 'DWORD (0x00000002)' # Welcome To IE
    filter_main_generic:
        Image:
            - 'C:\Windows\explorer.exe'
            - 'C:\Windows\System32\ie4uinit.exe'
    filter_optional_avira:
        Image|contains|all:
            - '\Temp\'
            - '\.cr\avira_'
        Details|contains: 'DWORD (0x00000001)'
    filter_optional_foxit:
        Image:
            - 'C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe'
            - 'C:\Program Files\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe'
        Details|contains: 'DWORD (0x00000001)'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - As this value is controlled by group policy as well as by user settings, some false positives may occur.
level: medium

title: Internet Explorer Autorun Keys Modification
id: a80f662f-022f-4429-9b8c-b1a41aaa6688
related:
    - id: 17f878b8-9968-4578-b814-c4217fc5768c
      type: obsolete
status: test
description: Detects modification of autostart extensibility points (ASEPs) in the registry.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    ie:
        TargetObject|contains:
            - '\Software\Wow6432Node\Microsoft\Internet Explorer'
            - '\Software\Microsoft\Internet Explorer'
    ie_details:
        TargetObject|contains:
            - '\Toolbar'
            - '\Extensions'
            - '\Explorer Bars'
    filter_empty:
        Details: '(Empty)'
    filter_extensions:
        TargetObject|contains:
            - '\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}'
            - '\Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}'
            - '\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}'
            - '\Extensions\{A95fe080-8f5d-11d2-a20b-00aa003c157a}'
    filter_toolbar:
        TargetObject|endswith:
            - '\Toolbar\ShellBrowser\ITBar7Layout'
            - '\Toolbar\ShowDiscussionButton'
            - '\Toolbar\Locked'
    condition: ie and ie_details and not 1 of filter_*
falsepositives:
    - Legitimate software automatically sets up autorun keys (mostly during installation) for legitimate reasons
    - A legitimate administrator sets up autorun keys for legitimate reasons
level: medium

title: Suspicious Child Process Of SQL Server
id: 869b9ca7-9ea2-4a5a-8325-e80e62f75445
related:
    - id: 344482e4-a477-436c-aa70-7536d18a48c7
      type: obsolete
status: test
description: Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.
references:
    - Internal Research
author: FPT.EagleEye Team, wagga
date: 2020-12-11
modified: 2023-05-04
tags:
    - attack.t1505.003
    - attack.t1190
    - attack.initial-access
    - attack.persistence
    - attack.privilege-escalation
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\sqlservr.exe'
        Image|endswith:
            # You can add other uncommon or suspicious processes
            - '\bash.exe'
            - '\bitsadmin.exe'
            - '\cmd.exe'
            - '\netstat.exe'
            - '\nltest.exe'
            - '\ping.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\sh.exe'
            - '\systeminfo.exe'
            - '\tasklist.exe'
            - '\wsl.exe'
    filter_optional_datev:
        ParentImage|startswith: 'C:\Program Files\Microsoft SQL Server\'
        ParentImage|endswith: 'DATEV_DBENGINE\MSSQL\Binn\sqlservr.exe'
        Image: 'C:\Windows\System32\cmd.exe'
        CommandLine|startswith: '"C:\Windows\system32\cmd.exe" '
    condition: selection and not 1 of filter_optional_*
level: high
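To see how the three detection sections above actually behave on events, here is an added example (not code from this page or from the SigmaHQ project) that implements just the Sigma constructs these rules use (exact match, endswith, startswith, contains, contains|all, OR-lists, and the "selections and not 1 of filter_*" condition shape) and runs each rule over a handful of constructed Sysmon-style events. The user name, SID, instance names, the placeholder extension GUID and the command lines in the sample events are made up for illustration; the detection dictionaries are transcribed from the rules above. In particular it shows why the narrow filters matter: the Avira exclusion only suppresses a write of 0x1, and the DATEV exclusion only covers a cmd.exe started from that specific instance path.

```python
"""Minimal evaluator for the three Sigma detection sections on this page.

Added example, not code from the page or the SigmaHQ project. It implements
only what these rules use: exact match, endswith, startswith, contains,
contains|all, OR-lists, and conditions of the shape
"<selections> and not 1 of filter_*", applied to constructed Sysmon events.
"""


def value_matches(value, pattern, modifiers):
    """One field value against one pattern; Sigma string matching is case-insensitive."""
    if value is None:  # a field absent from the event never matches
        return False
    v, p = str(value).lower(), str(pattern).lower()
    if "endswith" in modifiers:
        return v.endswith(p)
    if "startswith" in modifiers:
        return v.startswith(p)
    if "contains" in modifiers:
        return p in v
    return v == p


def selection_matches(event, selection):
    """Every key of a selection must match (AND); list values are OR, or AND under |all."""
    for key, patterns in selection.items():
        field, *modifiers = key.split("|")
        patterns = patterns if isinstance(patterns, list) else [patterns]
        hits = [value_matches(event.get(field), p, modifiers) for p in patterns]
        if not (all(hits) if "all" in modifiers else any(hits)):
            return False
    return True


def rule_matches(detection, event):
    """Condition shape shared by all three rules: every non-filter selection
    must match and no filter_* selection may match."""
    positives = [s for n, s in detection.items() if not n.startswith("filter")]
    filters = [s for n, s in detection.items() if n.startswith("filter")]
    return (all(selection_matches(event, s) for s in positives)
            and not any(selection_matches(event, s) for s in filters))


# Detection sections transcribed from the three rules above.
IE_FIRSTRUN = {
    "selection": {"TargetObject|endswith": "\\Microsoft\\Internet Explorer\\Main\\DisableFirstRunCustomize",
                  "Details": ["DWORD (0x00000001)", "DWORD (0x00000002)"]},
    "filter_main_generic": {"Image": ["C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\ie4uinit.exe"]},
    "filter_optional_avira": {"Image|contains|all": ["\\Temp\\", "\\.cr\\avira_"],
                              "Details|contains": "DWORD (0x00000001)"},
    "filter_optional_foxit": {"Image": ["C:\\Program Files (x86)\\Foxit Software\\Foxit PDF Reader\\FoxitPDFReader.exe",
                                        "C:\\Program Files\\Foxit Software\\Foxit PDF Reader\\FoxitPDFReader.exe"],
                              "Details|contains": "DWORD (0x00000001)"},
}
IE_ASEP = {
    "ie": {"TargetObject|contains": ["\\Software\\Wow6432Node\\Microsoft\\Internet Explorer",
                                     "\\Software\\Microsoft\\Internet Explorer"]},
    "ie_details": {"TargetObject|contains": ["\\Toolbar", "\\Extensions", "\\Explorer Bars"]},
    "filter_empty": {"Details": "(Empty)"},
    "filter_extensions": {"TargetObject|contains": ["\\Extensions\\{2670000A-7350-4f3c-8081-5663EE0C6C49}",
                                                    "\\Extensions\\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}",
                                                    "\\Extensions\\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}",
                                                    "\\Extensions\\{A95fe080-8f5d-11d2-a20b-00aa003c157a}"]},
    "filter_toolbar": {"TargetObject|endswith": ["\\Toolbar\\ShellBrowser\\ITBar7Layout",
                                                 "\\Toolbar\\ShowDiscussionButton", "\\Toolbar\\Locked"]},
}
SQL_CHILD = {
    "selection": {"ParentImage|endswith": "\\sqlservr.exe",
                  "Image|endswith": ["\\" + n + ".exe" for n in ("bash bitsadmin cmd netstat nltest ping powershell "
                                                                 "pwsh regsvr32 rundll32 sh systeminfo tasklist wsl").split()]},
    "filter_optional_datev": {"ParentImage|startswith": "C:\\Program Files\\Microsoft SQL Server\\",
                              "ParentImage|endswith": "DATEV_DBENGINE\\MSSQL\\Binn\\sqlservr.exe",
                              "Image": "C:\\Windows\\System32\\cmd.exe",
                              "CommandLine|startswith": "\"C:\\Windows\\system32\\cmd.exe\" "},
}

# Constructed sample events (not real telemetry): user, SID, instance names and GUID are made up.
HKU = "HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Internet Explorer"
SQL = "C:\\Program Files\\Microsoft SQL Server\\"
EVENTS = [  # registry_set: Image/TargetObject/Details; process_creation: ParentImage/Image/CommandLine
    {"id": "e1", "Image": "C:\\Windows\\explorer.exe",  # shell suppresses the wizard: filter_main_generic
     "TargetObject": HKU + "\\Main\\DisableFirstRunCustomize", "Details": "DWORD (0x00000001)"},
    {"id": "e2", "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe",  # binary from %TEMP%: alert
     "TargetObject": HKU + "\\Main\\DisableFirstRunCustomize", "Details": "DWORD (0x00000002)"},
    {"id": "e3", "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\.cr\\avira_setup.exe",  # filter_optional_avira
     "TargetObject": HKU + "\\Main\\DisableFirstRunCustomize", "Details": "DWORD (0x00000001)"},
    {"id": "e4", "Image": "C:\\Users\\bob\\Downloads\\setup.exe",  # new IE extension ASEP: alert
     "TargetObject": HKU + "\\Extensions\\{00000000-0000-0000-0000-000000000001}\\Exec", "Details": "C:\\Users\\bob\\x.exe"},
    {"id": "e5", "Image": "C:\\Windows\\explorer.exe",  # value listed in filter_toolbar
     "TargetObject": HKU + "\\Toolbar\\Locked", "Details": "DWORD (0x00000001)"},
    {"id": "e6", "ParentImage": SQL + "MSSQL15.MSSQLSERVER\\MSSQL\\Binn\\sqlservr.exe",  # shell from the DB engine: alert
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c whoami"},
    {"id": "e7", "ParentImage": SQL + "MSSQL15.DATEV_DBENGINE\\MSSQL\\Binn\\sqlservr.exe",  # filter_optional_datev
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c dir"},
]


def alerts(detection, events=EVENTS):
    """Ids of the events a detection section fires on, in event order."""
    return [e["id"] for e in events if rule_matches(detection, e)]


if __name__ == "__main__":
    for name, det in (("DisableFirstRunCustomize", IE_FIRSTRUN), ("IE autorun keys", IE_ASEP),
                      ("SQL Server child", SQL_CHILD)):
        print(name, "->", alerts(det))
```

The evaluator is deliberately tiny and is not a substitute for pySigma or sigma-cli, which handle the full modifier set, wildcards and backend-specific escaping; its point is to make the filter logic visible. Note how e3 is suppressed only because the Avira exclusion also requires Details to contain 0x1: the same image writing 0x2 would still alert, which is the intended narrowness of an `filter_optional_*` exclusion.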