Sigma
Sigma rules for CVE-2007-6232
20 rules · scoped to CVE-2007-6232
Direct rules mention this entity in their title or description; related rules cover the techniques the entity is known to use. All 20 rules on this page are direct matches on the word "admin" in a title or description: none of them references CVE-2007-6232 in its YAML, so treat the list as a starting point for admin-privilege and admin-share detection rather than as coverage for the CVE itself.
Detection rules
direct
high
Okta New Admin Console Behaviours
Detects when Okta identifies new activity in the Admin Console.
view Sigma YAML
title: Okta New Admin Console Behaviours
id: a0b38b70-3cb5-484b-a4eb-c4d8e7bcc0a9
status: test
description: Detects when Okta identifies new activity in the Admin Console.
references:
    - https://developer.okta.com/docs/reference/api/system-log/
    - https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection
author: kelnage
date: 2023-09-07
modified: 2026-04-27
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.stealth
    - attack.t1078.004
logsource:
    product: okta
    service: okta
detection:
    selection_event:
        eventType: 'policy.evaluate_sign_on'
        target.displayName: 'Okta Admin Console'
    selection_positive:
        - debugContext.debugData.behaviors|contains: 'POSITIVE'
        - debugContext.debugData.logOnlySecurityData|contains: 'POSITIVE'
    condition: all of selection_*
falsepositives:
    - When an admin begins using the Admin Console and one of Okta's heuristics incorrectly identifies the behavior as being unusual.
level: high
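As an added example (not code from this page or from SigmaHQ), the detection block of this rule evaluated in Python over a few constructed Okta System Log events. The events, the helper names (lookup, field_matches, selection_matches, rule_matches, alerts) and the assumption that Okta reports debugData.behaviors as a string in which each heuristic is marked POSITIVE or NEGATIVE are mine, not the page's.

```python
"""The 'Okta New Admin Console Behaviours' detection block, run over
constructed Okta System Log events.

Added example, not code from this page or from SigmaHQ. The events are
constructed; the helper names are mine. It assumes Okta reports
debugData.behaviors as a string marking each heuristic POSITIVE or NEGATIVE."""
from typing import Any, Dict, List, Union

# Transcribed from the rule's detection block. A list of maps is OR-ed in Sigma.
SELECTION_EVENT = {
    "eventType": "policy.evaluate_sign_on",
    "target.displayName": "Okta Admin Console",
}
SELECTION_POSITIVE = [
    {"debugContext.debugData.behaviors|contains": "POSITIVE"},
    {"debugContext.debugData.logOnlySecurityData|contains": "POSITIVE"},
]

Selection = Union[Dict[str, str], List[Dict[str, str]]]


def lookup(event: Dict[str, Any], path: str) -> List[str]:
    """Resolve a dotted Sigma field name. Okta's 'target' is a list of objects,
    so 'target.displayName' fans out to every target's displayName."""
    nodes: List[Any] = [event]
    for part in path.split("."):
        nxt: List[Any] = []
        for node in nodes:
            if isinstance(node, dict) and part in node:
                value = node[part]
                nxt.extend(value if isinstance(value, list) else [value])
        nodes = nxt
    return [str(n) for n in nodes if not isinstance(n, (dict, list))]


def field_matches(event: Dict[str, Any], key: str, expected: str) -> bool:
    """One 'field|modifier: value' pair. Sigma string matching is
    case-insensitive; without a modifier it is an exact match."""
    field, *modifiers = key.split("|")
    want = expected.lower()
    for value in lookup(event, field):
        value = value.lower()
        if "contains" in modifiers and want in value:
            return True
        if not modifiers and value == want:
            return True
    return False


def selection_matches(event: Dict[str, Any], selection: Selection) -> bool:
    if isinstance(selection, list):                   # any one map may match
        return any(selection_matches(event, s) for s in selection)
    return all(field_matches(event, k, v) for k, v in selection.items())


def rule_matches(event: Dict[str, Any]) -> bool:
    """condition: all of selection_*"""
    return (selection_matches(event, SELECTION_EVENT)
            and selection_matches(event, SELECTION_POSITIVE))


CONSTRUCTED_EVENTS: List[Dict[str, Any]] = [
    # 0: Admin Console sign-on, two heuristics positive -> alert
    {"eventType": "policy.evaluate_sign_on",
     "target": [{"type": "AppInstance", "displayName": "Okta Admin Console"}],
     "debugContext": {"debugData": {
         "behaviors": "{New Geo-Location=POSITIVE, New Device=NEGATIVE, New IP=POSITIVE}"}}},
    # 1: same heuristics, but a non-admin application -> no alert
    {"eventType": "policy.evaluate_sign_on",
     "target": [{"type": "AppInstance", "displayName": "Salesforce"}],
     "debugContext": {"debugData": {"behaviors": "{New Device=POSITIVE}"}}},
    # 2: Admin Console, every heuristic negative -> no alert
    {"eventType": "policy.evaluate_sign_on",
     "target": [{"type": "AppInstance", "displayName": "Okta Admin Console"}],
     "debugContext": {"debugData": {
         "behaviors": "{New Geo-Location=NEGATIVE, New Device=NEGATIVE}"}}},
    # 3: Admin Console, positive marker only in logOnlySecurityData -> alert
    {"eventType": "policy.evaluate_sign_on",
     "target": [{"type": "AppInstance", "displayName": "Okta Admin Console"}],
     "debugContext": {"debugData": {
         "logOnlySecurityData": '{"behaviors":{"New IP":"POSITIVE"}}'}}},
    # 4: a different event type against the Admin Console -> no alert
    {"eventType": "user.session.start",
     "target": [{"type": "AppInstance", "displayName": "Okta Admin Console"}],
     "debugContext": {"debugData": {"behaviors": "{New Device=POSITIVE}"}}},
]


def alerts(events: List[Dict[str, Any]] = CONSTRUCTED_EVENTS) -> List[int]:
    """Indexes of the events the rule fires on."""
    return [i for i, event in enumerate(events) if rule_matches(event)]


if __name__ == "__main__":
    print(alerts())  # [0, 3]
```

The `all of selection_*` condition ANDs the two selections, while the list form of `selection_positive` ORs its two maps, so a positive marker in either debug field fires. Because `contains` is substring-based, a "POSITIVE" inside a JSON blob (event 3) matches just as the bracketed summary string does.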
direct
high
Users Added to Global or Device Admin Roles
Detects users being added to the Global Administrator or device administrator roles.
view Sigma YAML
title: Users Added to Global or Device Admin Roles
id: 11c767ae-500b-423b-bae3-b234450736ed
status: test
description: Detects users being added to the Global Administrator or device administrator roles.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#device-administrator-roles
author: Michael Epping, '@mepples21'
date: 2022-06-28
tags:
    - attack.persistence
    - attack.initial-access
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1078.004
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        Category: RoleManagement
        OperationName|contains|all:
            - 'Add'
            - 'member to role'
        TargetResources|contains:
            - '7698a772-787b-4ac8-901f-60d6b08affd2' # device administrator role template ID
            - '62e90394-69f5-4237-9190-012177145e10' # Global Administrator role template ID
    condition: selection
falsepositives:
    - Unknown
level: high
direct
high
ESXi Admin Permission Assigned To Account Via ESXCLI
Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account.
view Sigma YAML
title: ESXi Admin Permission Assigned To Account Via ESXCLI
id: 9691f58d-92c1-4416-8bf3-2edd753ec9cf
status: test
description: Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account.
references:
    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-04
tags:
    - attack.persistence
    - attack.execution
    - attack.privilege-escalation
    - attack.t1059.012
    - attack.t1098
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/esxcli'
        CommandLine|contains: 'system'
        CommandLine|contains|all:
            - ' permission '
            - ' set'
            - 'Admin'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: high
direct
high
Suspicious Redirection to Local Admin Share
Detects a suspicious output redirection to the local admins share, this technique is often found in malicious scripts or hacktool stagers
view Sigma YAML
title: Suspicious Redirection to Local Admin Share
id: ab9e3b40-0c85-4ba1-aede-455d226fd124
status: test
description: Detects a suspicious output redirection to the local admins share, this technique is often found in malicious scripts or hacktool stagers
references:
    - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/
    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
author: Florian Roth (Nextron Systems)
date: 2022-01-16
modified: 2023-12-28
tags:
    - attack.exfiltration
    - attack.t1048
logsource:
    category: process_creation
    product: windows
detection:
    selection_redirect:
        CommandLine|contains: '>'
    selection_share:
        CommandLine|contains:
            - '\\\\127.0.0.1\\admin$\\'
            - '\\\\localhost\\admin$\\'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
direct
high
SMB Create Remote File Admin Share
Looks for non-system accounts accessing a file over SMB with the write (0x2) access mask via an administrative share (e.g. C$).
view Sigma YAML
title: SMB Create Remote File Admin Share
id: b210394c-ba12-4f89-9117-44a2464b9511
status: test
description: Looks for non-system accounts accessing a file over SMB with the write (0x2) access mask via an administrative share (e.g. C$).
references:
    - https://github.com/OTRF/ThreatHunter-Playbook/blob/f7a58156dbfc9b019f17f638b8c62d22e557d350/playbooks/WIN-201012004336.yaml
    - https://securitydatasets.com/notebooks/atomic/windows/lateral_movement/SDWIN-200806015757.html?highlight=create%20file
author: Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)
date: 2020-08-06
modified: 2025-10-17
tags:
    - attack.lateral-movement
    - attack.t1021.002
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5145
        ShareName|endswith: 'C$'
        AccessMask: '0x2'
    filter_main_subjectusername:
        SubjectUserName|endswith: '$'
    filter_optional_local_ip:
        IpAddress: '::1'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high
direct
medium
Okta Admin Role Assignment Created
Detects when a new admin role assignment is created, which could be a sign of privilege escalation or persistence.
view Sigma YAML
title: Okta Admin Role Assignment Created
id: 139bdd4b-9cd7-49ba-a2f4-744d0a8f5d8c
status: test
description: Detects when a new admin role assignment is created, which could be a sign of privilege escalation or persistence.
references:
    - https://developer.okta.com/docs/reference/api/system-log/
    - https://developer.okta.com/docs/reference/api/event-types/
author: Nikita Khalimonenkov
date: 2023-01-19
modified: 2026-04-27
tags:
    - attack.persistence
logsource:
    product: okta
    service: okta
detection:
    selection:
        eventType: 'iam.resourceset.bindings.add'
    condition: selection
falsepositives:
    - Legitimate creation of a new admin role assignment
level: medium
direct
medium
Okta Admin Functions Access Through Proxy
Detects access to Okta admin functions through proxy.
view Sigma YAML
title: Okta Admin Functions Access Through Proxy
id: 9058ca8b-f397-4fd1-a9fa-2b7aad4d6309
status: test
description: Detects access to Okta admin functions through proxy.
references:
    - https://www.beyondtrust.com/blog/entry/okta-support-unit-breach
    - https://dataconomy.com/2023/10/23/okta-data-breach/
    - https://blog.cloudflare.com/how-cloudflare-mitigated-yet-another-okta-compromise/
author: Muhammad Faisal @faisalusuf
date: 2023-10-25
tags:
    - attack.credential-access
logsource:
    service: okta
    product: okta
detection:
    selection:
        debugContext.debugData.requestUri|contains: 'admin'
        securityContext.isProxy: 'true'
    condition: selection
falsepositives:
    - False positives are expected if administrators legitimately access these functions through a proxy. Apply additional filters if necessary.
level: medium
direct
medium
Okta Admin Role Assigned to an User or Group
Detects when the Administrator role is assigned to a user or group.
view Sigma YAML
title: Okta Admin Role Assigned to an User or Group
id: 413d4a81-6c98-4479-9863-014785fd579c
status: test
description: Detects when the Administrator role is assigned to a user or group.
references:
    - https://developer.okta.com/docs/reference/api/system-log/
    - https://developer.okta.com/docs/reference/api/event-types/
author: Austin Songer @austinsonger
date: 2021-09-12
modified: 2026-04-27
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1098.003
logsource:
    product: okta
    service: okta
detection:
    selection:
        eventType:
            - group.privilege.grant
            - user.account.privilege.grant
    condition: selection
falsepositives:
    - Administrator roles could be assigned to users or groups by other admin users.
level: medium
direct
medium
User Added To Admin Group Via DseditGroup
Detects attempts to create and/or add an account to the admin group, thus granting admin privileges.
view Sigma YAML
title: User Added To Admin Group Via DseditGroup
id: 5d0fdb62-f225-42fb-8402-3dfe64da468a
status: test
description: Detects attempts to create and/or add an account to the admin group, thus granting admin privileges.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-5---add-a-newexisting-user-to-the-admin-group-using-dseditgroup-utility---macos
    - https://ss64.com/osx/dseditgroup.html
author: Sohan G (D4rkCiph3r)
date: 2023-08-22
tags:
    - attack.persistence
    - attack.initial-access
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1078.003
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        Image|endswith: '/dseditgroup'
        CommandLine|contains|all:
            - ' -o edit ' # edit operation
            - ' -a ' # username
            - ' -t user'
            - 'admin' # Group name
    condition: selection
falsepositives:
    - Legitimate administration activities
level: medium
direct
medium
User Added To Admin Group Via Sysadminctl
Detects attempts to create and add an account to the admin group via "sysadminctl"
view Sigma YAML
title: User Added To Admin Group Via Sysadminctl
id: 652c098d-dc11-4ba6-8566-c20e89042f2b
related:
    - id: 0c1ffcf9-efa9-436e-ab68-23a9496ebf5b
      type: obsolete
status: test
description: Detects attempts to create and add an account to the admin group via "sysadminctl"
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-3---create-local-account-with-admin-privileges-using-sysadminctl-utility---macos
    - https://ss64.com/osx/sysadminctl.html
author: Sohan G (D4rkCiph3r)
date: 2023-03-19
tags:
    - attack.persistence
    - attack.initial-access
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1078.003
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        # Creates and adds new user to admin group
        Image|endswith: '/sysadminctl'
        CommandLine|contains|all:
            - ' -addUser '
            - ' -admin '
    condition: selection
falsepositives:
    - Legitimate administration activities
level: medium
direct
medium
User Added To Admin Group Via Dscl
Detects attempts to create and add an account to the admin group via "dscl"
view Sigma YAML
title: User Added To Admin Group Via Dscl
id: b743623c-2776-40e0-87b1-682b975d0ca5
related:
    - id: 0c1ffcf9-efa9-436e-ab68-23a9496ebf5b
      type: obsolete
status: test
description: Detects attempts to create and add an account to the admin group via "dscl"
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-2---create-local-account-with-admin-privileges---macos
    - https://ss64.com/osx/dscl.html
author: Sohan G (D4rkCiph3r)
date: 2023-03-19
tags:
    - attack.persistence
    - attack.initial-access
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1078.003
logsource:
    category: process_creation
    product: macos
detection:
    selection: # adds to admin group
        Image|endswith: '/dscl'
        CommandLine|contains|all:
            - ' -append '
            - ' /Groups/admin '
            - ' GroupMembership '
    condition: selection
falsepositives:
    - Legitimate administration activities
level: medium
direct
medium
Google Workspace User Granted Admin Privileges
Detects when a Google Workspace user is granted admin privileges.
view Sigma YAML
title: Google Workspace User Granted Admin Privileges
id: 2d1b83e4-17c6-4896-a37b-29140b40a788
status: test
description: Detects when a Google Workspace user is granted admin privileges.
references:
    - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
    - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE
author: Austin Songer
date: 2021-08-23
modified: 2023-10-11
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1098
logsource:
    product: gcp
    service: google_workspace.admin
detection:
    selection:
        eventService: admin.googleapis.com
        eventName:
            - GRANT_DELEGATED_ADMIN_PRIVILEGES
            - GRANT_ADMIN_PRIVILEGE
    condition: selection
falsepositives:
    - Google Workspace admin role privileges may be modified by system administrators.
level: medium
direct
medium
Suspicious New-PSDrive to Admin Share
Adversaries may interact with a remote network share using Server Message Block (SMB) and then perform actions as the logged-on user.
view Sigma YAML
title: Suspicious New-PSDrive to Admin Share
id: 1c563233-030e-4a07-af8c-ee0490a66d3a
status: test
description: Adversaries may interact with a remote network share using Server Message Block (SMB) and then perform actions as the logged-on user.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-2---map-admin-share-powershell
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2
author: frack113
date: 2022-08-13
tags:
    - attack.lateral-movement
    - attack.t1021.002
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'New-PSDrive'
            - '-psprovider '
            - 'filesystem'
            - '-root '
            - '\\\\'
            - '$'
    condition: selection
falsepositives:
    - Unknown
level: medium
direct
medium
Remove Account From Domain Admin Group
Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.
Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.
view Sigma YAML
title: Remove Account From Domain Admin Group
id: 48a45d45-8112-416b-8a67-46e03a4b2107
status: test
description: |
    Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.
    Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1531/T1531.md#atomic-test-3---remove-account-from-domain-admin-group
author: frack113
date: 2021-12-26
tags:
    - attack.impact
    - attack.t1531
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'Remove-ADGroupMember'
            - '-Identity '
            - '-Members '
    condition: selection
falsepositives:
    - Unknown
level: medium
direct
medium
Writing Local Admin Share
Adversaries may interact with a remote network share using Server Message Block (SMB).
This technique is used by post-exploitation frameworks.
view Sigma YAML
title: Writing Local Admin Share
id: 4aafb0fa-bff5-4b9d-b99e-8093e659c65f
status: test
description: |
    Adversaries may interact with a remote network share using Server Message Block (SMB).
    This technique is used by post-exploitation frameworks.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-4---execute-command-writing-output-to-local-admin-share
author: frack113
date: 2022-01-01
modified: 2022-08-13
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.lateral-movement
    - attack.t1546.002
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains|all:
            - '\\\\127.0.0'
            - '\ADMIN$\'
    condition: selection
falsepositives:
    - Unknown
level: medium
direct
medium
Copy From Or To Admin Share Or Sysvol Folder
Detects a copy command or a copy utility execution to or from an Admin share or a remote Sysvol folder.
view Sigma YAML
title: Copy From Or To Admin Share Or Sysvol Folder
id: 855bc8b5-2ae8-402e-a9ed-b889e6df1900
status: test
description: Detects a copy command or a copy utility execution to or from an Admin share or a remote Sysvol folder.
references:
    - https://twitter.com/SBousseaden/status/1211636381086339073
    - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
    - https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html
    - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
author: Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali
date: 2019-12-30
modified: 2025-10-22
tags:
    - attack.lateral-movement
    - attack.collection
    - attack.exfiltration
    - attack.t1039
    - attack.t1048
    - attack.t1021.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_target:
        CommandLine|contains:
            - '\\\\*\\*$' # example \\SVR_NAME\ADMIN$
            - '\Sysvol\'
    selection_other_tools:
        - Image|endswith:
              - '\robocopy.exe'
              - '\xcopy.exe'
        - OriginalFileName:
              - 'robocopy.exe'
              - 'XCOPY.EXE'
    selection_cmd_img:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_cmd_cli:
        CommandLine|contains: 'copy'
    selection_pwsh_img:
        - Image|contains:
              - '\powershell_ise.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'powershell_ise.exe'
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_pwsh_cli:
        CommandLine|contains:
            - 'copy-item'
            - 'copy '
            - 'cpi '
            - ' cp '
            - 'move '
            - ' move-item'
            - ' mi '
            - ' mv '
    condition: selection_target and (selection_other_tools or all of selection_cmd_* or all of selection_pwsh_*)
falsepositives:
    - Administrative scripts
level: medium
direct
medium
Windows Admin Share Mount Via Net.EXE
Detects when an admin share is mounted using net.exe
view Sigma YAML
title: Windows Admin Share Mount Via Net.EXE
id: 3abd6094-7027-475f-9630-8ab9be7b9725
related:
    - id: f117933c-980c-4f78-b384-e3d838111165
      type: similar
status: test
description: Detects when an admin share is mounted using net.exe
references:
    - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
author: oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, wagga
date: 2020-10-05
modified: 2023-02-21
tags:
    - attack.lateral-movement
    - attack.t1021.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\net.exe'
              - '\net1.exe'
        - OriginalFileName:
              - 'net.exe'
              - 'net1.exe'
    selection_cli:
        CommandLine|contains|all:
            - ' use '
            - ' \\\\*\\*$'
    condition: all of selection_*
falsepositives:
    - Administrators
level: medium
direct
low
Access To ADMIN$ Network Share
Detects access to ADMIN$ network share
view Sigma YAML
title: Access To ADMIN$ Network Share
id: 098d7118-55bc-4912-a836-dc6483a8d150
status: test
description: Detects access to ADMIN$ network share
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5140
author: Florian Roth (Nextron Systems)
date: 2017-03-04
modified: 2024-01-16
tags:
    - attack.lateral-movement
    - attack.t1021.002
logsource:
    product: windows
    service: security
    definition: 'Requirements: The advanced audit policy setting "Object Access > Audit File Share" must be configured for Success/Failure'
detection:
    selection:
        EventID: 5140
        ShareName: 'Admin$'
    filter_main_computer_account:
        SubjectUserName|endswith: '$'
    condition: selection and not 1 of filter_*
falsepositives:
    - Legitimate administrative activity
level: low
direct
low
Admin User Remote Logon
Detect remote login by Administrator user (depending on internal pattern).
view Sigma YAML
title: Admin User Remote Logon
id: 0f63e1ef-1eb9-4226-9d54-8927ca08520a
status: test
description: Detect remote login by Administrator user (depending on internal pattern).
references:
    - https://car.mitre.org/wiki/CAR-2016-04-005
author: juju4
date: 2017-10-29
modified: 2022-10-09
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.lateral-movement
    - attack.initial-access
    - attack.stealth
    - attack.t1078.001
    - attack.t1078.002
    - attack.t1078.003
    - car.2016-04-005
logsource:
    product: windows
    service: security
    definition: 'Requirements: Identifiable administrators usernames (pattern or special unique character. ex: "Admin-*"), internal policy mandating use only as secondary account'
detection:
    selection:
        EventID: 4624
        LogonType: 10
        AuthenticationPackageName: Negotiate
        TargetUserName|startswith: 'Admin'
    condition: selection
falsepositives:
    - Legitimate administrative activity.
level: low
direct
low
Winget Admin Settings Modification
Detects changes to the AppInstaller (winget) admin settings. Such as enabling local manifest installations or disabling installer hash checks
view Sigma YAML
title: Winget Admin Settings Modification
id: 6db5eaf9-88f7-4ed9-af7d-9ef2ad12f236
status: test
description: Detects changes to the AppInstaller (winget) admin settings. Such as enabling local manifest installations or disabling installer hash checks
references:
    - https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
    - https://github.com/microsoft/winget-cli/blob/02d2f93807c9851d73eaacb4d8811a76b64b7b01/src/AppInstallerCommonCore/Public/winget/AdminSettings.h#L13
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-17
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-impairment
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        Image|endswith: '\winget.exe'
        TargetObject|startswith: '\REGISTRY\A\'
        TargetObject|endswith: '\LocalState\admin_settings'
    condition: selection
falsepositives:
    - The event doesn't contain information about the type of change. False positives are expected with legitimate changes
level: low