Home/CVE-2021-25032/Sigma rules
Sigma

Sigma rules for CVE-2021-25032

5 rules · scoped to cve · back to CVE-2021-25032
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.

Detection rules

5 of 5
direct high
PowerShell Execution With Potential Decryption Capabilities
Detects PowerShell commands that decrypt an ".LNK" "file to drop the next stage of the malware.
status test author X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) id 434c08ba-8406-4d15-8b24-782cb071a691 license Sigma · DRL-1.1
view Sigma YAML 
title: PowerShell Execution With Potential Decryption Capabilities
id: 434c08ba-8406-4d15-8b24-782cb071a691
status: test
description: Detects PowerShell commands that decrypt an ".LNK" "file to drop the next stage of the malware.
references:
    - https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/
author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-30
modified: 2023-12-05
tags:
    - attack.execution
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        OriginalFileName:
            - 'PowerShell.EXE'
            - 'pwsh.dll'
    selection_cli_dir:
        CommandLine|contains:
            - "Get-ChildItem "
            - "dir "
            - "gci "
            - "ls "
    selection_cli_gc:
        CommandLine|contains:
            - "Get-Content "
            - "gc "
            - 'cat '
            - 'type '
            - 'ReadAllBytes'
    selection_cli_specific:
        - CommandLine|contains|all:
              - ' ^| '
              - '\*.lnk'
              - '-Recurse'
              - '-Skip '
        - CommandLine|contains|all:
              - ' -ExpandProperty '
              - '\*.lnk'
              - 'WriteAllBytes'
              - ' .length '
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
direct medium
PowerShell Script With File Hostname Resolving Capabilities
Detects PowerShell scripts that have capabilities to read files, loop through them and resolve DNS host entries.
status test author Nasreddine Bencherchali (Nextron Systems) id fbc5e92f-3044-4e73-a5c6-1c4359b539de license Sigma · DRL-1.1
view Sigma YAML 
title: PowerShell Script With File Hostname Resolving Capabilities
id: fbc5e92f-3044-4e73-a5c6-1c4359b539de
status: test
description: Detects PowerShell scripts that have capabilities to read files, loop through them and resolve DNS host entries.
references:
    - https://www.fortypoundhead.com/showcontent.asp?artid=24022
    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-05
tags:
    - attack.exfiltration
    - attack.t1020
logsource:
    product: windows
    category: ps_script
    definition: bade5735-5ab0-4aa7-a642-a11be0e40872
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'Get-content '
            - 'foreach'
            - '[System.Net.Dns]::GetHostEntry'
            - 'Out-File'
    condition: selection
falsepositives:
    - The same functionality can be implemented by admin scripts, correlate with name and creator
level: medium
direct low
Capabilities Discovery - Linux
Detects usage of "getcap" binary. This is often used during recon activity to determine potential binaries that can be abused as GTFOBins or other.
status test author Nasreddine Bencherchali (Nextron Systems) id d8d97d51-122d-4cdd-9e2f-01b4b4933530 license Sigma · DRL-1.1
view Sigma YAML 
title: Capabilities Discovery - Linux
id: d8d97d51-122d-4cdd-9e2f-01b4b4933530
status: test
description: Detects usage of "getcap" binary. This is often used during recon activity to determine potential binaries that can be abused as GTFOBins or other.
references:
    - https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes
    - https://github.com/carlospolop/PEASS-ng
    - https://github.com/diego-treitos/linux-smart-enumeration
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-28
modified: 2026-01-24
tags:
    - attack.discovery
    - attack.t1083
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/getcap'
        CommandLine|contains: ' -r '
    condition: selection
falsepositives:
    - Unknown
level: low
direct low
Linux Capabilities Discovery
Detects attempts to discover the files with setuid/setgid capability on them. That would allow adversary to escalate their privileges.
status test author Pawel Mazur id fe10751f-1995-40a5-aaa2-c97ccb4123fe license Sigma · DRL-1.1
view Sigma YAML 
title: Linux Capabilities Discovery
id: fe10751f-1995-40a5-aaa2-c97ccb4123fe
status: test
description: Detects attempts to discover the files with setuid/setgid capability on them. That would allow adversary to escalate their privileges.
references:
    - https://man7.org/linux/man-pages/man8/getcap.8.html
    - https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/
    - https://mn3m.info/posts/suid-vs-capabilities/
    - https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099
author: 'Pawel Mazur'
date: 2021-11-28
modified: 2022-12-25
tags:
    - attack.discovery
    - attack.privilege-escalation
    - attack.t1083
    - attack.t1548
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: EXECVE
        a0: getcap
        a1: '-r'
        a2: '/'
    condition: selection
falsepositives:
    - Unknown
level: low
direct low
PowerShell Script With File Upload Capabilities
Detects PowerShell scripts leveraging the "Invoke-WebRequest" cmdlet to send data via either "PUT" or "POST" method.
status test author frack113 id d2e3f2f6-7e09-4bf2-bc5d-90186809e7fb license Sigma · DRL-1.1
view Sigma YAML 
title: PowerShell Script With File Upload Capabilities
id: d2e3f2f6-7e09-4bf2-bc5d-90186809e7fb
status: test
description: Detects PowerShell scripts leveraging the "Invoke-WebRequest" cmdlet to send data via either "PUT" or "POST" method.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md
    - https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.4
author: frack113
date: 2022-01-07
modified: 2025-07-18
tags:
    - attack.exfiltration
    - attack.t1020
logsource:
    product: windows
    category: ps_script
    definition: bade5735-5ab0-4aa7-a642-a11be0e40872
detection:
    selection_cmdlet:
        ScriptBlockText|contains:
            - 'Invoke-RestMethod'
            - 'Invoke-WebRequest'
            - 'irm '
            - 'iwr '
    selection_flag:
        ScriptBlockText|contains:
            - '-Method "POST"'
            - '-Method "PUT"'
            - '-Method POST'
            - '-Method PUT'
            - "-Method 'POST'"
            - "-Method 'PUT'"
    condition: all of selection_*
falsepositives:
    - Unknown
level: low
Showing 1-5 of 5
Prev 1 Next
SOC and Response
CVE triage
Stack monitoring
Am I affected
IOC triage
KEV catalog
Recently exploited
Daily brief
Change tracking
Detection Engineering
Coverage workspace
Detection coverage
Coverage check
Telemetry ceiling
SIEM query builder
Sigma rules
SIEM rules
YARA rules
Network rules
D3FEND
Threat Hunting
Threat actors
ATT&CK techniques
Attack paths
Indicators
Atomic tests
Red Team and Pentest
Exploitability triage
Recon pack
Attack paths
CAPEC patterns
Adversary emulation
Compliance and GRC
Framework mapping
Control assessment
Audit view
Coverage report
Atlas Search Threat actors Techniques Tools & malware CWE CAPEC KEV catalog Package vulns
About All capabilities Pricing API docs Live status Privacy policy Terms of service
threatengine.sh