Home/CVE-2008-3014/Sigma rules
Sigma

Sigma rules for CVE-2008-3014

56 rules · scoped to cve · back to CVE-2008-3014
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.

Detection rules

6 of 56
direct medium
New Module Module Added To IIS Server
Detects the addition of a new module to an IIS server.
status test author frack113 id dd857d3e-0c6e-457b-9b48-e82ae7f86bd7 license Sigma · DRL-1.1
view Sigma YAML 
title: New Module Module Added To IIS Server
id: dd857d3e-0c6e-457b-9b48-e82ae7f86bd7
status: test
description: Detects the addition of a new module to an IIS server.
references:
    - https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis
    - https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/
    - https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
    - https://learn.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview
author: frack113
date: 2024-10-06
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1685.001
    - attack.t1505.004
logsource:
    product: windows
    service: iis-configuration
detection:
    selection:
        EventID: 29
        Configuration|contains: '/system.webServer/modules/add'
    filter_main_builtin:
        NewValue:
            - 'AnonymousAuthenticationModule'
            - 'CustomErrorModule'
            - 'DefaultDocumentModule'
            - 'DirectoryListingModule'
            - 'FileCacheModule'
            - 'HttpCacheModule'
            - 'HttpLoggingModule'
            - 'ProtocolSupportModule'
            - 'RequestFilteringModule'
            - 'StaticCompressionModule'
            - 'StaticFileModule'
            - 'TokenCacheModule'
            - 'UriCacheModule'
    filter_main_remove:
        NewValue: ''
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate administrator activity
level: medium
direct medium
OpenSSH Server Listening On Socket
Detects scenarios where an attacker enables the OpenSSH server and server starts to listening on SSH socket.
status test author mdecrevoisier id 3ce8e9a4-bc61-4c9b-8e69-d7e2492a8781 license Sigma · DRL-1.1
view Sigma YAML 
title: OpenSSH Server Listening On Socket
id: 3ce8e9a4-bc61-4c9b-8e69-d7e2492a8781
status: test
description: Detects scenarios where an attacker enables the OpenSSH server and server starts to listening on SSH socket.
references:
    - https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH
    - https://winaero.com/enable-openssh-server-windows-10/
    - https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse
    - https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx
    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
author: mdecrevoisier
date: 2022-10-25
tags:
    - attack.lateral-movement
    - attack.t1021.004
logsource:
    product: windows
    service: openssh
detection:
    selection:
        EventID: 4
        process: sshd
        payload|startswith: 'Server listening on '
    condition: selection
falsepositives:
    - Legitimate administrator activity
level: medium
direct medium
New PDQDeploy Service - Server Side
Detects a PDQDeploy service installation which indicates that PDQDeploy was installed on the machines. PDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines
status test author Nasreddine Bencherchali (Nextron Systems) id ee9ca27c-9bd7-4cee-9b01-6e906be7cae3 license Sigma · DRL-1.1
view Sigma YAML 
title: New PDQDeploy Service - Server Side
id: ee9ca27c-9bd7-4cee-9b01-6e906be7cae3
status: test
description: |
    Detects a PDQDeploy service installation which indicates that PDQDeploy was installed on the machines.
    PDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines
references:
    - https://documentation.pdq.com/PDQDeploy/13.0.3.0/index.html?windows-services.htm
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-22
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1543.003
logsource:
    product: windows
    service: system
detection:
    selection_root:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection_service:
        - ImagePath|contains: 'PDQDeployService.exe'
        - ServiceName:
              - 'PDQDeploy'
              - 'PDQ Deploy'
    condition: all of selection_*
falsepositives:
    - Legitimate use of the tool
level: medium
direct medium
NTLMv1 Logon Between Client and Server
Detects the reporting of NTLMv1 being used between a client and server. NTLMv1 is insecure as the underlying encryption algorithms can be brute-forced by modern hardware.
status test author Tim Shelton, Nasreddine Bencherchali (Nextron Systems) id e9d4ab66-a532-4ef7-a502-66a9e4a34f5d license Sigma · DRL-1.1
view Sigma YAML 
title: NTLMv1 Logon Between Client and Server
id: e9d4ab66-a532-4ef7-a502-66a9e4a34f5d
status: test
description: Detects the reporting of NTLMv1 being used between a client and server. NTLMv1 is insecure as the underlying encryption algorithms can be brute-forced by modern hardware.
references:
    - https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/22H2/W10_22H2_Pro_20230321_19045.2728/WEPExplorer/LsaSrv.xml
author: Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
date: 2022-04-26
modified: 2023-06-06
tags:
    - attack.lateral-movement
    - attack.t1550.002
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: "LsaSrv"
        EventID:
            - 6038
            - 6039
    condition: selection
falsepositives:
    - Environments that use NTLMv1
level: medium
direct low
DNS Server Discovery Via LDAP Query
Detects DNS server discovery via LDAP query requests from uncommon applications
status test author frack113 id a21bcd7e-38ec-49ad-b69a-9ea17e69509e license Sigma · DRL-1.1
view Sigma YAML 
title: DNS Server Discovery Via LDAP Query
id: a21bcd7e-38ec-49ad-b69a-9ea17e69509e
status: test
description: Detects DNS server discovery via LDAP query requests from uncommon applications
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/980f3f83fd81f37c1ca9c02dccfd1c3d9f9d0841/atomics/T1016/T1016.md#atomic-test-9---dns-server-discovery-using-nslookup
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/7fcdce70-5205-44d6-9c3a-260e616a2f04
author: frack113
date: 2022-08-20
modified: 2023-09-18
tags:
    - attack.discovery
    - attack.t1482
logsource:
    product: windows
    category: dns_query
detection:
    selection:
        QueryName|startswith: '_ldap.'
    filter_main_generic:
        Image|contains:
            - ':\Program Files\'
            - ':\Program Files (x86)\'
            - ':\Windows\'
    filter_main_defender:
        Image|contains: ':\ProgramData\Microsoft\Windows Defender\Platform\'
        Image|endswith: '\MsMpEng.exe'
    filter_main_unknown:
        Image: '<unknown process>'
    filter_optional_azure:
        Image|startswith: 'C:\WindowsAzure\GuestAgent'
    filter_main_null:
        Image: null
    filter_optional_browsers:
        # Note: This list is for browsers installed in the user context. To avoid basic evasions based on image name. Best to baseline this list with the browsers you use internally and add their full paths.
        Image|endswith:
            - '\chrome.exe'
            - '\firefox.exe'
            - '\opera.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Likely
# Note: Incrase the level once a baseline is established
level: low
direct low
MSSQL Server Failed Logon
Detects failed logon attempts from clients to MSSQL server.
status test author Nasreddine Bencherchali (Nextron Systems), j4son id 218d2855-2bba-4f61-9c85-81d0ea63ac71 license Sigma · DRL-1.1
view Sigma YAML 
title: MSSQL Server Failed Logon
id: 218d2855-2bba-4f61-9c85-81d0ea63ac71
related:
    - id: ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d
      type: similar
status: test
description: Detects failed logon attempts from clients to MSSQL server.
references:
    - https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/
    - https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html
author: Nasreddine Bencherchali (Nextron Systems), j4son
date: 2023-10-11
modified: 2024-06-26
tags:
    - attack.credential-access
    - attack.t1110
logsource:
    product: windows
    service: application
    definition: 'Requirements: Must enable MSSQL authentication.'
detection:
    selection:
        Provider_Name|contains: 'MSSQL' # Note: We use contains to account for other third party providers - See https://github.com/SigmaHQ/sigma/issues/4876
        EventID: 18456
    condition: selection
falsepositives:
    - This event could stem from users changing an account's password that's used to authenticate via a job or an automated process. Investigate the source of such events and mitigate them
level: low
Showing 51-56 of 56
Prev 2 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin