Sigma rules for CVE-2011-0190
4 rules · scoped to cve
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Regedit as Trusted Installer
id: 883835a7-df45-43e4-bf1d-4268768afda4
status: test
description: Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe
references:
    - https://twitter.com/1kwpeter/status/1397816101455765504
author: Florian Roth (Nextron Systems)
date: 2021-05-27
modified: 2022-10-09
tags:
    - attack.privilege-escalation
    - attack.t1548
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\regedit.exe'
        ParentImage|endswith:
            - '\TrustedInstaller.exe'
            - '\ProcessHacker.exe'
    condition: selection
falsepositives:
    - Unlikely
level: high

title: Suspicious Installer Package Child Process
id: e0cfaecd-602d-41af-988d-f6ccebb2af26
status: test
description: Detects the execution of suspicious child processes from macOS installer package parent process. This includes osascript, JXA, curl and wget amongst other interpreters
references:
    - https://redcanary.com/blog/clipping-silver-sparrows-wings/
    - https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_installer_package_spawned_network_event.toml
author: Sohan G (D4rkCiph3r)
date: 2023-02-18
tags:
    - attack.t1059
    - attack.t1059.007
    - attack.t1071
    - attack.t1071.001
    - attack.execution
    - attack.command-and-control
logsource:
    category: process_creation
    product: macos
detection:
    selection_installer:
        ParentImage|endswith:
            - '/package_script_service'
            - '/installer'
        Image|endswith:
            - '/sh'
            - '/bash'
            - '/dash'
            - '/python'
            - '/ruby'
            - '/perl'
            - '/php'
            - '/javascript'
            - '/osascript'
            - '/tclsh'
            - '/curl'
            - '/wget'
        CommandLine|contains:
            - 'preinstall'
            - 'postinstall'
    condition: selection_installer
falsepositives:
    - Legitimate software uses the scripts (preinstall, postinstall)
level: medium

title: Tap Installer Execution
id: 99793437-3e16-439b-be0f-078782cf953d
status: test
description: Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques
references:
    - https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers
author: Daniil Yugoslavskiy, Ian Davis, oscd.community
date: 2019-10-24
modified: 2023-12-11
tags:
    - attack.exfiltration
    - attack.t1048
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\tapinstall.exe'
    filter_optional_avast:
        Image|contains:
            - ':\Program Files\Avast Software\SecureLine VPN\'
            - ':\Program Files (x86)\Avast Software\SecureLine VPN\'
    filter_optional_openvpn:
        Image|contains: ':\Program Files\OpenVPN Connect\drivers\tap\'
    filter_optional_protonvpn:
        Image|contains: ':\Program Files (x86)\Proton Technologies\ProtonVPNTap\installer\'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Legitimate OpenVPN TAP installation
level: medium

title: Always Install Elevated Windows Installer
id: cd951fdc-4b2f-47f5-ba99-a33bf61e3770
status: test
description: Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege
references:
    - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg
author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
date: 2020-10-13
modified: 2024-12-01
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    product: windows
    category: process_creation
detection:
    selection_user:
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    selection_image_1:
        Image|contains|all:
            - '\Windows\Installer\'
            - 'msi'
        Image|endswith: 'tmp'
    selection_image_2:
        Image|endswith: '\msiexec.exe'
        IntegrityLevel:
            - 'System'
            - 'S-1-16-16384'
    filter_installer:
        ParentImage: 'C:\Windows\System32\services.exe'
    filter_repair:
        - CommandLine|endswith: '\system32\msiexec.exe /V' # ignore "repair option"
        - ParentCommandLine|endswith: '\system32\msiexec.exe /V' # ignore "repair option"
    filter_sophos:
        ParentImage|startswith: 'C:\ProgramData\Sophos\'
    filter_avira:
        ParentImage|startswith: 'C:\ProgramData\Avira\'
    filter_avast:
        ParentImage|startswith:
            - 'C:\Program Files\Avast Software\'
            - 'C:\Program Files (x86)\Avast Software\'
    filter_google_update:
        ParentImage|startswith:
            - 'C:\Program Files\Google\Update\'
            - 'C:\Program Files (x86)\Google\Update\'
    condition: 1 of selection_image_* and selection_user and not 1 of filter_*
falsepositives:
    - System administrator usage
    - Anti virus products
    - WindowsApps located in "C:\Program Files\WindowsApps\"
level: medium
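To make the condition logic of the last rule concrete, here is an added worked example (not code from the Sigma project or from the rule authors) that evaluates the "Always Install Elevated Windows Installer" detection against a handful of constructed process-creation events. It implements only the Sigma string modifiers the rules on this page use (endswith, startswith, contains, the |all flag, and plain equality, all case-insensitive as Sigma specifies), the OR-of-dicts form of a list selection (filter_repair), and the `1 of selection_image_* and selection_user and not 1 of filter_*` condition. Field names (Image, ParentImage, User, IntegrityLevel, CommandLine, ParentCommandLine) follow the Sigma process_creation taxonomy; all sample events and their paths are constructed for the demonstration and are not real telemetry.

```python
from typing import Any, Dict, List, Union

Selection = Union[Dict[str, Any], List[Dict[str, Any]]]


def field_matches(value: Any, spec: str, patterns: Any) -> bool:
    """Evaluate one 'Field|mod|mod' entry. Sigma string matching is
    case-insensitive, so both sides are lower-cased first."""
    if value is None:
        return False
    v = str(value).lower()
    mods = spec.split("|")[1:]
    pats = [patterns] if isinstance(patterns, str) else list(patterns)
    pats = [str(p).lower() for p in pats]

    def one(p: str) -> bool:
        if "endswith" in mods:
            return v.endswith(p)
        if "startswith" in mods:
            return v.startswith(p)
        if "contains" in mods:
            return p in v
        return v == p  # no modifier: exact (case-insensitive) equality

    results = [one(p) for p in pats]
    # |all requires every listed value to match; otherwise any one suffices
    return all(results) if "all" in mods else any(results)


def selection_matches(event: Dict[str, Any], selection: Selection) -> bool:
    """A dict selection ANDs its fields; a list selection ORs its dicts."""
    if isinstance(selection, list):
        return any(selection_matches(event, s) for s in selection)
    for spec, patterns in selection.items():
        field = spec.split("|")[0]
        if not field_matches(event.get(field), spec, patterns):
            return False
    return True


# Transcription of the rule's detection section (page content, not invented).
ALWAYS_INSTALL_ELEVATED: Dict[str, Selection] = {
    "selection_user": {"User|contains": ["AUTHORI", "AUTORI"]},
    "selection_image_1": {
        "Image|contains|all": ["\\Windows\\Installer\\", "msi"],
        "Image|endswith": "tmp",
    },
    "selection_image_2": {
        "Image|endswith": "\\msiexec.exe",
        "IntegrityLevel": ["System", "S-1-16-16384"],
    },
    "filter_installer": {"ParentImage": "C:\\Windows\\System32\\services.exe"},
    "filter_repair": [
        {"CommandLine|endswith": "\\system32\\msiexec.exe /V"},
        {"ParentCommandLine|endswith": "\\system32\\msiexec.exe /V"},
    ],
    "filter_sophos": {"ParentImage|startswith": "C:\\ProgramData\\Sophos\\"},
    "filter_avira": {"ParentImage|startswith": "C:\\ProgramData\\Avira\\"},
    "filter_avast": {"ParentImage|startswith": [
        "C:\\Program Files\\Avast Software\\",
        "C:\\Program Files (x86)\\Avast Software\\"]},
    "filter_google_update": {"ParentImage|startswith": [
        "C:\\Program Files\\Google\\Update\\",
        "C:\\Program Files (x86)\\Google\\Update\\"]},
}


def one_of(event: Dict[str, Any], detection: Dict[str, Selection], prefix: str) -> bool:
    """Sigma '1 of <prefix>*': true if any selection with that name prefix matches."""
    return any(selection_matches(event, sel)
               for name, sel in detection.items() if name.startswith(prefix))


def always_install_elevated(event: Dict[str, Any]) -> bool:
    """condition: 1 of selection_image_* and selection_user and not 1 of filter_*"""
    d = ALWAYS_INSTALL_ELEVATED
    return (one_of(event, d, "selection_image_")
            and selection_matches(event, d["selection_user"])
            and not one_of(event, d, "filter_"))


# Constructed sample events (hypothetical hosts, users and paths).
BASE = {"User": "NT AUTHORITY\\SYSTEM", "IntegrityLevel": "System",
        "Image": "C:\\Windows\\System32\\msiexec.exe",
        "CommandLine": "C:\\Windows\\System32\\msiexec.exe /i C:\\Users\\alice\\pkg.msi",
        "ParentImage": "C:\\Users\\alice\\Downloads\\setup.exe",
        "ParentCommandLine": "C:\\Users\\alice\\Downloads\\setup.exe"}

SAMPLE_EVENTS = {
    # SYSTEM msiexec spawned by a user-profile binary: no filter applies -> alert
    "user_spawned_system_msiexec": BASE,
    # same but launched by the service control manager -> filter_installer
    "service_manager_child": {**BASE, "ParentImage": "C:\\Windows\\System32\\services.exe"},
    # the MSI "repair option" invocation -> filter_repair
    "repair_option": {**BASE, "CommandLine": "C:\\Windows\\system32\\msiexec.exe /V"},
    # interactive user at High integrity: neither selection_user nor image_2
    "medium_user_install": {**BASE, "User": "CORP\\alice", "IntegrityLevel": "High"},
    # temp installer binary dropped into \Windows\Installer\ -> selection_image_1
    "installer_tmp": {**BASE, "Image": "C:\\Windows\\Installer\\MSI1A2B.tmp",
                      "CommandLine": "C:\\Windows\\Installer\\MSI1A2B.tmp",
                      "ParentImage": "C:\\Windows\\System32\\msiexec.exe"},
}


def run_samples() -> Dict[str, bool]:
    """Return the rule verdict for every constructed sample event."""
    return {name: always_install_elevated(ev) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, hit in run_samples().items():
        print(f"{name:30s} {'ALERT' if hit else 'no match'}")
```

Two details are worth noticing in the rule once it is executable this way: `filter_repair` is a list of single-field dicts, so either the process's own command line or its parent's ending in `/V` suppresses the alert, and `selection_user` relies on a substring of the localized built-in account name, which is why the rule matches `AUTHORI` and `AUTORI` rather than the full `NT AUTHORITY\SYSTEM` string.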