Sigma
Sigma rules for CVE-2012-3001
4 rules · scoped to cve · back to CVE-2012-3001
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
◈
Detection rules
4 of 4
direct
high
Outbound RDP Connections Over Non-Standard Tools
Detects Non-Standard tools initiating a connection over port 3389 indicating possible lateral movement.
An initial baseline is required before using this utility to exclude third party RDP tooling that you might use.
view Sigma YAML
title: Outbound RDP Connections Over Non-Standard Tools
id: ed74fe75-7594-4b4b-ae38-e38e3fd2eb23
status: test
description: |
Detects Non-Standard tools initiating a connection over port 3389 indicating possible lateral movement.
An initial baseline is required before using this utility to exclude third party RDP tooling that you might use.
references:
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
author: Markus Neis
date: 2019-05-15
modified: 2024-02-09
tags:
- attack.lateral-movement
- attack.t1021.001
- car.2013-07-002
logsource:
category: network_connection
product: windows
detection:
selection:
DestinationPort: 3389
Initiated: 'true'
filter_main_mstsc:
Image:
- 'C:\Windows\System32\mstsc.exe'
- 'C:\Windows\SysWOW64\mstsc.exe'
filter_optional_dns:
# Note: https://github.com/SigmaHQ/sigma/pull/2249
Image: 'C:\Windows\System32\dns.exe'
SourcePort: 53
Protocol: 'udp'
filter_optional_avast:
Image|endswith:
- '\Avast Software\Avast\AvastSvc.exe'
- '\Avast\AvastSvc.exe'
filter_optional_sysinternals_rdcman:
Image|endswith: '\RDCMan.exe'
filter_optional_chrome:
Image: 'C:\Program Files\Google\Chrome\Application\chrome.exe'
filter_optional_third_party:
Image|endswith:
- '\FSAssessment.exe'
- '\FSDiscovery.exe'
- '\MobaRTE.exe'
- '\mRemote.exe'
- '\mRemoteNG.exe'
- '\Passwordstate.exe'
- '\RemoteDesktopManager.exe'
- '\RemoteDesktopManager64.exe'
- '\RemoteDesktopManagerFree.exe'
- '\RSSensor.exe'
- '\RTS2App.exe'
- '\RTSApp.exe'
- '\spiceworks-finder.exe'
- '\Terminals.exe'
- '\ws_TunnelService.exe'
filter_optional_thor:
Image|endswith:
- '\thor.exe'
- '\thor64.exe'
filter_optional_splunk:
Image|startswith: 'C:\Program Files\SplunkUniversalForwarder\bin\'
filter_optional_sentinel_one:
Image|endswith: '\Ranger\SentinelRanger.exe'
filter_optional_firefox:
Image: 'C:\Program Files\Mozilla Firefox\firefox.exe'
filter_optional_tsplus: # Some RAS
Image:
- 'C:\Program Files\TSplus\Java\bin\HTML5service.exe'
- 'C:\Program Files (x86)\TSplus\Java\bin\HTML5service.exe'
filter_optional_null:
Image: null
filter_optional_empty:
Image: ''
filter_optional_unknown:
Image: '<unknown process>'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Third party RDP tools
level: high
direct
high
Default RDP Port Changed to Non Standard Port
Detects changes to the default RDP port.
Remote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface.
Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).
view Sigma YAML
title: Default RDP Port Changed to Non Standard Port
id: 509e84b9-a71a-40e0-834f-05470369bd1e
status: test
description: |
Detects changes to the default RDP port.
Remote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface.
Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md
author: frack113
date: 2022-01-01
modified: 2024-03-25
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.010
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber'
filter_main_port:
Details: DWORD (0x00000d3d) # 3389
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_change_rdp_port/info.yml
simulation:
- type: atomic-red-team
name: Changing RDP Port to Non Standard Port via Powershell
technique: T1021.001
atomic_guid: 2f840dd4-8a2e-4f44-beb3-6b2399ea3771
- type: atomic-red-team
name: Changing RDP Port to Non Standard Port via Command_Prompt
technique: T1021.001
atomic_guid: 74ace21e-a31c-4f7d-b540-53e4eb6d1f73
direct
medium
WinRAR Execution in Non-Standard Folder
Detects a suspicious WinRAR execution in a folder which is not the default installation folder
view Sigma YAML
title: WinRAR Execution in Non-Standard Folder
id: 4ede543c-e098-43d9-a28f-dd784a13132f
status: test
description: Detects a suspicious WinRAR execution in a folder which is not the default installation folder
references:
- https://twitter.com/cyb3rops/status/1460978167628406785
author: Florian Roth (Nextron Systems), Tigzy
date: 2021-11-17
modified: 2025-07-16
tags:
- attack.collection
- attack.t1560.001
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith:
- '\rar.exe'
- '\winrar.exe'
- Description:
- 'Command line RAR'
- 'WinRAR'
filter_main_unrar:
# Note: we filter unrar as it has the same description as the other utilities, and we're only interested in compression
Image|endswith: '\UnRAR.exe'
filter_main_path:
Image|contains:
- ':\Program Files (x86)\WinRAR\'
- ':\Program Files\WinRAR\'
filter_optional_temp:
# Note: in some occasion installers were seen dropping "rar" in TEMP
Image|contains: ':\Windows\Temp\'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate use of WinRAR in a folder of a software that bundles WinRAR
level: medium
direct
medium
Standard User In High Privileged Group
Detect standard users login that are part of high privileged groups such as the Administrator group
view Sigma YAML
title: Standard User In High Privileged Group
id: 7ac407cc-0f48-4328-aede-de1d2e6fef41
status: test
description: Detect standard users login that are part of high privileged groups such as the Administrator group
references:
- https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers
- https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
- https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml
author: frack113
date: 2023-01-13
modified: 2023-05-05
tags:
- attack.credential-access
- attack.privilege-escalation
logsource:
product: windows
service: lsa-server
definition: 'Requirements: Microsoft-Windows-LSA/Operational (199FE037-2B82-40A9-82AC-E1D46C792B99) Event Log must be enabled and collected in order to use this rule.'
detection:
selection:
EventID: 300
TargetUserSid|startswith: 'S-1-5-21-' # Standard user
SidList|contains:
- 'S-1-5-32-544' # Local admin
- '-500}' # Domain admin
- '-518}' # Schema admin
- '-519}' # Enterprise admin
filter_main_admin:
TargetUserSid|endswith:
- '-500' # Domain admin
- '-518' # Schema admin
- '-519' # Enterprise admin
condition: selection and not 1 of filter_main_*
falsepositives:
- Standard domain users who are part of the administrator group.
These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the "TargetUserName" field
level: medium
Showing 1-4 of 4