Sigma rules for CVE-2010-1168
3 rules · scoped to cve · back to CVE-2010-1168
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Potential Perl Reverse Shell Execution
id: 259df6bc-003f-4306-9f54-4ff1a08fa38e
status: test
description: Detects execution of the perl binary with the "-e" flag and common strings related to potential reverse shell activity
references:
- https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
- https://www.revshells.com/
author: '@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)'
date: 2023-04-07
tags:
- attack.execution
logsource:
category: process_creation
product: linux
detection:
selection_img:
Image|endswith: '/perl'
CommandLine|contains: ' -e '
selection_content:
- CommandLine|contains|all:
- 'fdopen('
- '::Socket::INET'
- CommandLine|contains|all:
- 'Socket'
- 'connect'
- 'open'
- 'exec'
condition: all of selection_*
falsepositives:
- Unlikely
level: high
title: Perl Inline Command Execution
id: f426547a-e0f7-441a-b63e-854ac5bdf54d
status: test
description: Detects execution of perl using the "-e"/"-E" flags. This is could be used as a way to launch a reverse shell or execute live perl code.
references:
- https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
- https://www.revshells.com/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-02
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\perl.exe'
- OriginalFileName: 'perl.exe' # Also covers perlX.XX.exe
selection_cli:
CommandLine|contains: ' -e'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
title: Registry Persistence via Service in Safe Mode
id: 1547e27c-3974-43e2-a7d7-7f484fb928ec
status: test
description: Detects the modification of the registry to allow a driver or service to persist in Safe Mode.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network
author: frack113
date: 2022-04-04
modified: 2025-10-22
tags:
- attack.stealth
- attack.t1564.001
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains:
- '\Control\SafeBoot\Minimal\'
- '\Control\SafeBoot\Network\'
TargetObject|endswith: '\(Default)'
Details: 'Service'
filter_optional_sophos:
Image: 'C:\WINDOWS\system32\msiexec.exe'
TargetObject|endswith:
- '\Control\SafeBoot\Minimal\SAVService\(Default)'
- '\Control\SafeBoot\Network\SAVService\(Default)'
filter_optional_mbamservice:
Image|endswith: '\MBAMInstallerService.exe'
TargetObject|endswith: '\MBAMService\(Default)'
Details: 'Service'
filter_optional_hexnode:
Image: 'C:\Hexnode\Hexnode Agent\Current\HexnodeAgent.exe'
TargetObject|endswith:
- '\Control\SafeBoot\Minimal\Hexnode Updater\(Default)'
- '\Control\SafeBoot\Network\Hexnode Updater\(Default)'
- '\Control\SafeBoot\Minimal\Hexnode Agent\(Default)'
- '\Control\SafeBoot\Network\Hexnode Agent\(Default)'
Details: 'Service'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode/info.yml
simulation:
- type: atomic-red-team
name: Windows Add Registry Value to Load Service in Safe Mode without Network
technique: T1112
atomic_guid: 1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5
- type: atomic-red-team
name: Windows Add Registry Value to Load Service in Safe Mode with Network
technique: T1112
atomic_guid: c173c948-65e5-499c-afbe-433722ed5bd4