
Sigma rules for CVE-2019-5515

2 rules, scoped to this CVE.
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.

Detection rules

Direct rule · level: medium
Suspicious Workstation Locking via Rundll32
Detects a suspicious call to the user32.dll function that locks the user workstation
Status: test · Author: frack113 · ID: 3b5b0213-0460-4e3f-8937-3abf98ff7dcc · License: Sigma DRL-1.1
Sigma YAML:
title: Suspicious Workstation Locking via Rundll32
id: 3b5b0213-0460-4e3f-8937-3abf98ff7dcc
status: test
description: Detects a suspicious call to the user32.dll function that locks the user workstation
references:
    - https://app.any.run/tasks/2aef9c63-f944-4763-b3ef-81eee209d128/
author: frack113
date: 2022-06-04
modified: 2023-02-09
tags:
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection_call_img:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: 'RUNDLL32.EXE'
    selection_call_parent:
        ParentImage|endswith: '\cmd.exe'
    selection_call_cli:
        CommandLine|contains: 'user32.dll,'
    selection_function:
        CommandLine|contains: 'LockWorkStation'
    condition: all of selection_*
falsepositives:
    - Scripts or links on the user desktop used to lock the workstation instead of Windows+L or the menu option
level: medium
Direct rule · level: informational
Locked Workstation
Detects locked workstation session events that occur automatically after a standard period of inactivity.
Status: stable · Author: Alexandr Yampolskyi, SOC Prime · ID: 411742ad-89b0-49cb-a7b0-3971b5c1e0a4 · License: Sigma DRL-1.1
Sigma YAML:
title: Locked Workstation
id: 411742ad-89b0-49cb-a7b0-3971b5c1e0a4
status: stable
description: Detects locked workstation session events that occur automatically after a standard period of inactivity.
references:
    - https://www.cisecurity.org/controls/cis-controls-list/
    - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
    - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800
author: Alexandr Yampolskyi, SOC Prime
date: 2019-03-26
modified: 2023-12-11
tags:
    - attack.impact
    # - CSC16
    # - CSC16.11
    # - ISO27002-2013 A.9.1.1
    # - ISO27002-2013 A.9.2.1
    # - ISO27002-2013 A.9.2.2
    # - ISO27002-2013 A.9.2.3
    # - ISO27002-2013 A.9.2.4
    # - ISO27002-2013 A.9.2.5
    # - ISO27002-2013 A.9.2.6
    # - ISO27002-2013 A.9.3.1
    # - ISO27002-2013 A.9.4.1
    # - ISO27002-2013 A.9.4.3
    # - ISO27002-2013 A.11.2.8
    # - PCI DSS 3.1 7.1
    # - PCI DSS 3.1 7.2
    # - PCI DSS 3.1 7.3
    # - PCI DSS 3.1 8.7
    # - PCI DSS 3.1 8.8
    # - NIST CSF 1.1 PR.AC-1
    # - NIST CSF 1.1 PR.AC-4
    # - NIST CSF 1.1 PR.AC-6
    # - NIST CSF 1.1 PR.AC-7
    # - NIST CSF 1.1 PR.PT-3
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4800
    condition: selection
falsepositives:
    - Likely
level: informational