Sigma rules for CVE-2018-20250
204 rules · scoped to cve · back to CVE-2018-20250
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Cisco Local Accounts
id: 6d844f0f-1c18-41af-8f19-33e7654edfc3
status: test
description: Find local accounts being created or modified as well as remote authentication configurations
author: Austin Clark
date: 2019-08-12
modified: 2023-01-04
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1136.001
- attack.t1098
logsource:
product: cisco
service: aaa
detection:
keywords:
- 'username'
- 'aaa'
condition: keywords
falsepositives:
- When remote authentication is in place, this should not change often
level: high
title: Wannacry Killswitch Domain
id: 3eaf6218-3bed-4d8a-8707-274096f12a18
status: test
description: Detects wannacry killswitch domain dns queries
references:
- https://www.mandiant.com/resources/blog/wannacry-ransomware-campaign
author: Mike Wade
date: 2020-09-16
modified: 2022-03-24
tags:
- attack.command-and-control
- attack.t1071.001
logsource:
category: dns
detection:
selection:
query:
- 'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.testing'
- 'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.test'
- 'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com'
- 'ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com'
- 'iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea.com'
condition: selection
falsepositives:
- Analyst testing
level: high
title: DNS TXT Answer with Possible Execution Strings
id: 8ae51330-899c-4641-8125-e39f2e07da72
status: test
description: Detects strings used in command execution in DNS TXT Answer
references:
- https://twitter.com/stvemillertime/status/1024707932447854592
- https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Backdoors/DNS_TXT_Pwnage.ps1
author: Markus Neis
date: 2018-08-08
modified: 2021-11-27
tags:
- attack.command-and-control
- attack.t1071.004
logsource:
category: dns
detection:
selection:
record_type: 'TXT'
answer|contains:
- 'IEX'
- 'Invoke-Expression'
- 'cmd.exe'
condition: selection
falsepositives:
- Unknown
level: high
title: DNS Query to External Service Interaction Domains
id: aff715fa-4dd5-497a-8db3-910bea555566
status: test
description: |
Detects suspicious DNS queries to external service interaction domains often used for out-of-band interactions after successful RCE
references:
- https://twitter.com/breakersall/status/1533493587828260866
- https://www.bitdefender.com/en-us/blog/businessinsights/bitdefender-advisory-critical-unauthenticated-rce-windows-server-update-services-cve-2025-59287
- https://github.com/SigmaHQ/sigma/pull/5724#issuecomment-3466382234
author: Florian Roth (Nextron Systems), Matt Kelly (list of domains)
date: 2022-06-07
modified: 2026-01-24
tags:
- attack.initial-access
- attack.t1190
- attack.reconnaissance
- attack.t1595.002
logsource:
category: dns
detection:
selection:
query|endswith:
- '.burpcollaborator.net' # Portswigger Burpsuite Collaborator
- '.canarytokens.com' # Thinkst Canary Canarytokens
- '.ceye.io'
- '.ddns.1443.eu.org' # dig.pm
- '.ddns.bypass.eu.org' # dig.pm
- '.ddns.xn--gg8h.eu.org' # dig.pm
- '.digimg.store' # dnslog.ink
- '.dns.su18.org' # javaweb.org
- '.dnshook.site' # webhook.site
- '.dnslog.cn'
- '.dnslog.ink' # dnslog.ink
- '.instances.httpworkbench.com' # httpworkbench.com
- '.interact.sh' # Project Discovery Interactsh
- '.log.dnslog.pp.ua' # dnslog.org
- '.log.dnslog.qzz.io' # dnslog.org
- '.log.dnslogs.dpdns.org' # dnslog.org
- '.log.javaweb.org' # javaweb.org
- '.log.nat.cloudns.ph' # dnslog.org
- '.oast.fun' # Project Discovery Interactsh
- '.oast.live' # Project Discovery Interactsh
- '.oast.me' # Project Discovery Interactsh
- '.oast.online' # Project Discovery Interactsh
- '.oast.pro' # Project Discovery Interactsh
- '.oast.site' # Project Discovery Interactsh
- '.oastify.com' # Portswigger Burpsuite Collaborator
- '.p8.lol' # javaweb.org
- '.requestbin.net'
filter_main_polling:
query|contains: 'polling.oastify.com'
condition: selection and not 1 of filter_main_*
falsepositives:
- Legitimate security scanning.
level: high