Sigma rules for CVE-2018-1387
4 rules · scoped to cve · back to CVE-2018-1387
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Disable Windows Defender AV Security Monitoring
id: a7ee1722-c3c5-aeff-3212-c777e4733217
status: test
description: Detects attackers attempting to disable Windows Defender using Powershell
references:
- https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
- https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
author: 'ok @securonix invrep-de, oscd.community, frack113'
date: 2020-10-12
modified: 2022-11-18
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_pwsh_binary:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_pwsh_cli:
CommandLine|contains:
- '-DisableBehaviorMonitoring $true'
- '-DisableRuntimeMonitoring $true'
selection_sc_binary:
- Image|endswith: '\sc.exe'
- OriginalFileName: 'sc.exe'
selection_sc_tamper_cmd_stop:
CommandLine|contains|all:
- 'stop'
- 'WinDefend'
selection_sc_tamper_cmd_delete:
CommandLine|contains|all:
- 'delete'
- 'WinDefend'
selection_sc_tamper_cmd_disabled:
CommandLine|contains|all:
- 'config'
- 'WinDefend'
- 'start=disabled'
condition: all of selection_pwsh_* or (selection_sc_binary and 1 of selection_sc_tamper_*)
falsepositives:
- 'Minimal, for some older versions of dev tools, such as pycharm, developers were known to sometimes disable Windows Defender to improve performance, but this generally is not considered a good security practice.'
level: high
title: AWS EnableRegion Command Monitoring
id: a5ffb6ea-c784-4e01-b30a-deb6e58ca2ab
status: experimental
description: |
Detects the use of the EnableRegion command in AWS CloudTrail logs.
While AWS has 30+ regions, some of them are enabled by default, others must be explicitly enabled in each account separately.
There may be situations where security monitoring does not cover some new AWS regions.
Monitoring the EnableRegion command is important for identifying potential persistence mechanisms employed by adversaries, as enabling additional regions can facilitate continued access and operations within an AWS environment.
references:
- https://docs.aws.amazon.com/accounts/latest/reference/API_EnableRegion.html
- https://awscli.amazonaws.com/v2/documentation/api/2.14.0/reference/account/enable-region.html
author: Ivan Saakov, Sergey Zelenskiy
date: 2025-10-19
tags:
- attack.persistence
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventName: 'EnableRegion'
eventSource: 'account.amazonaws.com'
condition: selection
falsepositives:
- Legitimate use of the EnableRegion command by authorized administrators.
level: medium
title: Monitoring For Persistence Via BITS
id: b9cbbc17-d00d-4e3d-a827-b06d03d2380d
status: test
description: |
BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished.
When the job runs on the system the command specified in the BITS job will be executed.
This can be abused by actors to create a backdoor within the system and for persistence.
It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded.
references:
- https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
- http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html
- https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394
author: Sreeman
date: 2020-10-29
modified: 2024-01-25
tags:
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1197
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\bitsadmin.exe'
- OriginalFileName: 'bitsadmin.exe'
selection_cli_notify_1:
CommandLine|contains: '/SetNotifyCmdLine'
selection_cli_notify_2:
CommandLine|contains:
- '%COMSPEC%'
- 'cmd.exe'
- 'regsvr32.exe'
selection_cli_add_1:
CommandLine|contains: '/Addfile'
selection_cli_add_2:
CommandLine|contains:
- 'http:'
- 'https:'
- 'ftp:'
- 'ftps:'
condition: selection_img and (all of selection_cli_notify_* or all of selection_cli_add_*)
falsepositives:
- Unknown
level: medium
title: Azure AD Health Monitoring Agent Registry Keys Access
id: ff151c33-45fa-475d-af4f-c2f93571f4fe
status: test
description: |
This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.
This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.
references:
- https://o365blog.com/post/hybridhealthagent/
- https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_monitoring_agent.yml
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021-08-26
modified: 2022-10-09
tags:
- attack.discovery
- attack.t1012
logsource:
product: windows
service: security
detection:
selection:
EventID:
- 4656
- 4663
ObjectType: 'Key'
ObjectName: '\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent'
filter:
ProcessName|contains:
- 'Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe'
- 'Microsoft.Identity.Health.Adfs.InsightsService.exe'
- 'Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe'
- 'Microsoft.Identity.Health.Adfs.PshSurrogate.exe'
- 'Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe'
condition: selection and not filter
falsepositives:
- Unknown
level: medium