Tool
EDR / XDR
VMware Carbon Black
1,677 rules · Sigma detections in VMware Carbon Black syntax
The same Sigma detection corpus, machine-rendered into VMware Carbon Black query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 3,646 rules (.zip, 1.2 MB)
Every VMware Carbon Black query in this view, packaged to deploy.
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance12
Resource Development10
Initial Access10
Execution30
Persistence42
Privilege Escalation20
Stealth79
Defense Impairment32
Credential Access35
Discovery33
Lateral Movement16
Collection20
Command and Control24
Exfiltration10
Impact18
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
◈
Detection rules
50 shown of 1,677
high
Moderate
Medium FP
Potential PrintNightmare Exploitation Attempt
Detect DLL deletions from Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675
view Sigma YAML
title: Potential PrintNightmare Exploitation Attempt
id: 5b2bbc47-dead-4ef7-8908-0cf73fcbecbf
status: test
description: Detect DLL deletions from Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675
references:
- https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/
- https://github.com/cube0x0/CVE-2021-1675
author: Bhabesh Raj
date: 2021-07-01
modified: 2023-02-17
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574
- cve.2021-1675
- detection.emerging-threats
logsource:
category: file_delete
product: windows
detection:
selection:
Image|endswith: '\spoolsv.exe'
TargetFilename|contains: 'C:\Windows\System32\spool\drivers\x64\3\'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential Privilege Escalation Attempt Via .Exe.Local Technique
Detects potential privilege escalation attempt via the creation of the "*.Exe.Local" folder inside the "System32" directory in order to sideload "comctl32.dll"
view Sigma YAML
title: Potential Privilege Escalation Attempt Via .Exe.Local Technique
id: 07a99744-56ac-40d2-97b7-2095967b0e03
status: test
description: Detects potential privilege escalation attempt via the creation of the "*.Exe.Local" folder inside the "System32" directory in order to sideload "comctl32.dll"
references:
- https://github.com/binderlabs/DirCreate2System
- https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt
author: Nasreddine Bencherchali (Nextron Systems), Subhash P (@pbssubhash)
date: 2022-12-16
modified: 2022-12-19
tags:
- attack.persistence
- attack.privilege-escalation
- attack.stealth
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|startswith:
- 'C:\Windows\System32\logonUI.exe.local'
- 'C:\Windows\System32\werFault.exe.local'
- 'C:\Windows\System32\consent.exe.local'
- 'C:\Windows\System32\narrator.exe.local'
- 'C:\Windows\System32\wermgr.exe.local'
TargetFilename|endswith: '\comctl32.dll'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
High FP
Potential Privilege Escalation To LOCAL SYSTEM
Detects unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM Privileges
view Sigma YAML
title: Potential Privilege Escalation To LOCAL SYSTEM
id: 207b0396-3689-42d9-8399-4222658efc99
related:
- id: 8834e2f7-6b4b-4f09-8906-d2276470ee23 # PsExec specific rule
type: similar
status: test
description: Detects unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM Privileges
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
- https://www.poweradmin.com/paexec/
- https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021-05-22
modified: 2024-03-05
tags:
- attack.resource-development
- attack.t1587.001
logsource:
category: process_creation
product: windows
detection:
selection:
# Escalation to LOCAL_SYSTEM
CommandLine|contains|windash:
# Note that you don't need to add the ".exe" part when using psexec/paexec
# The "-" can also be replaced with "/"
# The order of args isn't important
# "cmd" can be replaced by "powershell", "pwsh" or any other console like software
- ' -s cmd'
- ' -s -i cmd'
- ' -i -s cmd'
# Pwsh (For PowerShell 7)
- ' -s pwsh'
- ' -s -i pwsh'
- ' -i -s pwsh'
# PowerShell (For PowerShell 5)
- ' -s powershell'
- ' -s -i powershell'
- ' -i -s powershell'
filter_main_exclude_coverage:
# This filter exclude strings covered by 8834e2f7-6b4b-4f09-8906-d2276470ee23
CommandLine|contains:
- 'paexec'
- 'PsExec'
- 'accepteula'
condition: selection and not 1 of filter_main_*
falsepositives:
- Weird admins that rename their tools
- Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing
level: high
Convert to SIEM query
high
Strong
High FP
Potential Privilege Escalation Using Symlink Between Osk and Cmd
Detects the creation of a symbolic link between "cmd.exe" and the accessibility on-screen keyboard binary (osk.exe) using "mklink". This technique provides an elevated command prompt to the user from the login screen without the need to log in.
view Sigma YAML
title: Potential Privilege Escalation Using Symlink Between Osk and Cmd
id: e9b61244-893f-427c-b287-3e708f321c6b
status: test
description: Detects the creation of a symbolic link between "cmd.exe" and the accessibility on-screen keyboard binary (osk.exe) using "mklink". This technique provides an elevated command prompt to the user from the login screen without the need to log in.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1546.008/T1546.008.md
- https://ss64.com/nt/mklink.html
author: frack113
date: 2022-12-11
modified: 2022-12-20
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1546.008
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\cmd.exe'
- OriginalFileName: 'Cmd.Exe'
selection_cli:
CommandLine|contains|all:
- 'mklink'
- '\osk.exe'
- '\cmd.exe'
condition: all of selection_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd/info.yml
Convert to SIEM query
high
Strong
Medium FP
Potential Privilege Escalation via Local Kerberos Relay over LDAP
Detects a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, and the target user SID is the built-in local Administrator account.
This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined limited user to local System privileges.
view Sigma YAML
title: Potential Privilege Escalation via Local Kerberos Relay over LDAP
id: 749c9f5e-b353-4b90-a9c1-05243357ca4b
status: test
description: |
Detects a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, and the target user SID is the built-in local Administrator account.
This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined limited user to local System privileges.
references:
- https://twitter.com/sbousseaden/status/1518976397364056071?s=12&t=qKO5eKHvWhAP19a50FTZ7g
- https://github.com/elastic/detection-rules/blob/5fe7833312031a4787e07893e27e4ea7a7665745/rules/_deprecated/privilege_escalation_krbrelayup_suspicious_logon.toml#L38
author: Elastic, @SBousseaden
date: 2022-04-27
modified: 2024-08-13
tags:
- attack.privilege-escalation
- attack.credential-access
- attack.t1548
logsource:
product: windows
service: security
detection:
selection:
EventID: 4624
LogonType: 3
AuthenticationPackageName: 'Kerberos'
IpAddress: '127.0.0.1'
TargetUserSid|startswith: 'S-1-5-21-'
TargetUserSid|endswith: '-500'
filter_main_ip_null:
IpPort: '0'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Potential Privilege Escalation via Service Permissions Weakness
Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level
view Sigma YAML
title: Potential Privilege Escalation via Service Permissions Weakness
id: 0f9c21f1-6a73-4b0e-9809-cb562cb8d981
status: test
description: Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level
references:
- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
- https://pentestlab.blog/2017/03/31/insecure-registry-permissions/
author: Teymur Kheirkhabarov
date: 2019-10-26
modified: 2024-12-01
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.011
logsource:
product: windows
category: process_creation
detection:
selection:
IntegrityLevel:
- 'Medium'
- 'S-1-16-8192'
CommandLine|contains|all:
- 'ControlSet'
- 'services'
CommandLine|contains:
- '\ImagePath'
- '\FailureCommand'
- '\ServiceDll'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
High FP
Potential Process Injection Via Msra.EXE
Detects potential process injection via Microsoft Remote Asssistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. It has been a target used by many threat actors and used for discovery and persistence tactics
view Sigma YAML
title: Potential Process Injection Via Msra.EXE
id: 744a188b-0415-4792-896f-11ddb0588dbc
status: test
description: Detects potential process injection via Microsoft Remote Asssistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. It has been a target used by many threat actors and used for discovery and persistence tactics
references:
- https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/
- https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/ar-qakbot.pdf
author: Alexander McDonald
date: 2022-06-24
modified: 2023-02-03
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1055
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\msra.exe'
ParentCommandLine|endswith: 'msra.exe'
Image|endswith:
- '\arp.exe'
- '\cmd.exe'
- '\net.exe'
- '\netstat.exe'
- '\nslookup.exe'
- '\route.exe'
- '\schtasks.exe'
- '\whoami.exe'
condition: selection
falsepositives:
- Legitimate use of Msra.exe
level: high
Convert to SIEM query
high
Moderate
High FP
Potential Provisioning Registry Key Abuse For Binary Proxy Execution
Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe".
view Sigma YAML
title: Potential Provisioning Registry Key Abuse For Binary Proxy Execution
id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25
related:
- id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c # CLI Generic
type: similar
- id: f9999590-1f94-4a34-a91e-951e47bedefd # CLI Abuse
type: similar
- id: 7021255e-5db3-4946-a8b9-0ba7a4644a69 # Registry
type: similar
status: test
description: Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe".
references:
- https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
- https://twitter.com/0gtweet/status/1674399582162153472
author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
date: 2023-08-08
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: 'SOFTWARE\Microsoft\Provisioning\Commands\'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG
Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe".
view Sigma YAML
title: Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG
id: 7021255e-5db3-4946-a8b9-0ba7a4644a69
related:
- id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c # CLI Generic
type: similar
- id: f9999590-1f94-4a34-a91e-951e47bedefd # CLI Abuse
type: similar
- id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25 # CLI Registry
type: similar
status: test
description: Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe".
references:
- https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
- https://twitter.com/0gtweet/status/1674399582162153472
author: Swachchhanda Shrawan Poudel
date: 2023-08-02
modified: 2023-08-17
tags:
- attack.stealth
- attack.t1218
logsource:
category: registry_set
product: windows
definition: 'Requirements: The registry key "\SOFTWARE\Microsoft\Provisioning\Commands\" and its subkey must be monitored'
detection:
selection:
TargetObject|contains: '\SOFTWARE\Microsoft\Provisioning\Commands\'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Potential PsExec Remote Execution
Detects potential psexec command that initiate execution on a remote systems via common commandline flags used by the utility
view Sigma YAML
title: Potential PsExec Remote Execution
id: ea011323-7045-460b-b2d7-0f7442ea6b38
status: test
description: Detects potential psexec command that initiate execution on a remote systems via common commandline flags used by the utility
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
- https://www.poweradmin.com/paexec/
- https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-28
modified: 2025-09-01
tags:
- attack.resource-development
- attack.t1587.001
logsource:
category: process_creation
product: windows
detection:
selection:
# Accepting EULA in commandline - often used in automated attacks
CommandLine|contains|all:
- 'accepteula'
- ' -u '
- ' -p '
- ' \\\\'
filter_main_localhost:
CommandLine|contains:
- '\\\\localhost'
- '\\\\127.'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Potential Qakbot Registry Activity
Detects a registry key used by IceID in a campaign that distributes malicious OneNote files
view Sigma YAML
title: Potential Qakbot Registry Activity
id: 1c8e96cd-2bed-487d-9de0-b46c90cade56
status: test
description: Detects a registry key used by IceID in a campaign that distributes malicious OneNote files
references:
- https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
author: Hieu Tran
date: 2023-03-13
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|endswith: '\Software\firm\soft\Name'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential Qakbot Rundll32 Execution
Detects specific process tree behavior of a "rundll32" execution often linked with potential Qakbot activity.
view Sigma YAML
title: Potential Qakbot Rundll32 Execution
id: cf879ffb-793a-4753-9a14-bc8f37cc90df
status: test
description: Detects specific process tree behavior of a "rundll32" execution often linked with potential Qakbot activity.
references:
- https://github.com/pr0xylife/Qakbot/
author: X__Junior (Nextron Systems)
date: 2023-05-24
tags:
- attack.execution
- detection.emerging-threats
- attack.stealth
logsource:
product: windows
category: process_creation
detection:
selection_paths:
ParentImage|endswith:
# Note: Only add processes seen used by Qakbot to avoid collision with other strains of malware
- '\cmd.exe'
- '\cscript.exe'
- '\curl.exe'
- '\mshta.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\wscript.exe'
Image|endswith: '\rundll32.exe'
CommandLine|contains:
# Note: Only add paths seen used by Qakbot to avoid collision with other strains of malware
- ':\ProgramData\'
- ':\Users\Public\'
- '\AppData\Local\Temp\'
- '\AppData\Roaming\'
selection_extension:
CommandLine|contains: '.dll'
condition: all of selection_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential RCE Exploitation Attempt In NodeJS
Detects process execution related errors in NodeJS. If the exceptions are caused due to user input then they may suggest an RCE vulnerability.
view Sigma YAML
title: Potential RCE Exploitation Attempt In NodeJS
id: 97661d9d-2beb-4630-b423-68985291a8af
status: test
description: Detects process execution related errors in NodeJS. If the exceptions are caused due to user input then they may suggest an RCE vulnerability.
references:
- https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
author: Moti Harmats
date: 2023-02-11
tags:
- attack.initial-access
- attack.t1190
logsource:
category: application
product: nodejs
definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
detection:
keywords:
- 'node:child_process'
condition: keywords
falsepositives:
- Puppeteer invocation exceptions often contain child_process related errors, that doesn't necessarily mean that the app is vulnerable.
level: high
Convert to SIEM query
high
Strong
Medium FP
Potential RDP Tunneling Via Plink
Execution of plink to perform data exfiltration and tunneling
view Sigma YAML
title: Potential RDP Tunneling Via Plink
id: f38ce0b9-5e97-4b47-a211-7dc8d8b871da
related:
- id: f7d7ebd5-a016-46e2-9c54-f9932f2d386d # ssh.exe
type: similar
status: test
description: Execution of plink to perform data exfiltration and tunneling
references:
- https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
author: Florian Roth (Nextron Systems)
date: 2022-08-04
modified: 2023-01-27
tags:
- attack.command-and-control
- attack.t1572
logsource:
category: process_creation
product: windows
detection:
selection_a:
Image|endswith: '\plink.exe'
CommandLine|contains: ':127.0.0.1:3389'
selection_b1:
Image|endswith: '\plink.exe'
CommandLine|contains: ':3389'
selection_b2:
CommandLine|contains:
- ' -P 443'
- ' -P 22'
condition: selection_a or all of selection_b*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential RDP Tunneling Via SSH
Execution of ssh.exe to perform data exfiltration and tunneling through RDP
view Sigma YAML
title: Potential RDP Tunneling Via SSH
id: f7d7ebd5-a016-46e2-9c54-f9932f2d386d
related:
- id: f38ce0b9-5e97-4b47-a211-7dc8d8b871da # plink.exe
type: similar
status: test
description: Execution of ssh.exe to perform data exfiltration and tunneling through RDP
references:
- https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-12
modified: 2023-01-25
tags:
- attack.command-and-control
- attack.t1572
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\ssh.exe'
CommandLine|contains: ':3389'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential Ransomware Activity Using LegalNotice Message
Detect changes to the "LegalNoticeCaption" or "LegalNoticeText" registry values where the message set contains keywords often used in ransomware ransom messages
view Sigma YAML
title: Potential Ransomware Activity Using LegalNotice Message
id: 8b9606c9-28be-4a38-b146-0e313cc232c1
status: test
description: Detect changes to the "LegalNoticeCaption" or "LegalNoticeText" registry values where the message set contains keywords often used in ransomware ransom messages
references:
- https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1491.001/T1491.001.md
author: frack113
date: 2022-12-11
modified: 2023-08-17
tags:
- attack.impact
- attack.t1491.001
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|contains:
- '\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption'
- '\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText'
Details|contains:
- 'encrypted'
- 'Unlock-Password'
- 'paying'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Potential Raspberry Robin Aclui Dll SideLoading
Detects potential sideloading of malicious "aclui.dll" by OleView.This behavior was observed in Raspberry-Robin variants reported by chekpoint research on Feburary 2024.
view Sigma YAML
title: Potential Raspberry Robin Aclui Dll SideLoading
id: 0f3a9db2-c17a-480e-a723-d1f1c547ab6a
status: test
description: |
Detects potential sideloading of malicious "aclui.dll" by OleView.This behavior was observed in Raspberry-Robin variants reported by chekpoint research on Feburary 2024.
references:
- https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/
- https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/
- https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/
- https://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/
- https://strontic.github.io/xcyclopedia/library/aclui.dll-F883E9CA757B622B032FDCA5BF33D0DF.html
author: Swachchhanda Shrawan Poudel
date: 2024-07-31
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
- detection.emerging-threats
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith: '\OleView.exe'
ImageLoaded|endswith: '\aclui.dll'
filter_main_legit_oleview_paths:
Image|startswith:
- 'C:\Program Files (x86)\Windows Kits\'
- 'C:\Program Files\Microsoft SDKs\'
filter_optional_known_oleview_paths:
Image|contains: '\Windows Resource Kit\'
filter_main_is_signed:
Signed: 'true'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential Raspberry Robin CPL Execution Activity
Detects the execution of a ".CPL" file located in the user temp directory via the Shell32 DLL "Control_RunDLL" export function.
This behavior was observed in multiple Raspberry-Robin variants.
view Sigma YAML
title: Potential Raspberry Robin CPL Execution Activity
id: 92020b88-9caf-464f-bad8-cd0fb0aa2a81
status: test
description: |
Detects the execution of a ".CPL" file located in the user temp directory via the Shell32 DLL "Control_RunDLL" export function.
This behavior was observed in multiple Raspberry-Robin variants.
references:
- https://tria.ge/240226-fhbe7sdc39/behavioral1
- https://bazaar.abuse.ch/browse/signature/RaspberryRobin/
author: Swachchhanda Shrawan Poudel
date: 2024-03-07
tags:
- attack.execution
- attack.stealth
- attack.t1218.011
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
# Example: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\xxxx\AppData\Local\Temp\xxxx.CPL"
selection_parent_img:
ParentImage|endswith:
- '\rundll32.exe'
- '\control.exe'
selection_img:
- Image|endswith: '\rundll32.exe'
- OriginalFileName: 'RUNDLL32.EXE'
selection_cli:
CommandLine|contains|all:
- 'shell32.dll'
- 'Control_RunDLL'
- '.CPL'
selection_path:
CommandLine|contains: '\AppData\Local\Temp\'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Potential Raspberry Robin Dot Ending File
Detects commandline containing reference to files ending with a "." This scheme has been seen used by raspberry-robin
view Sigma YAML
title: Potential Raspberry Robin Dot Ending File
id: a35c97c8-d9c4-4c89-a3e7-533dc0bcb73a
status: test
description: Detects commandline containing reference to files ending with a "." This scheme has been seen used by raspberry-robin
author: Nasreddine Bencherchali (Nextron Systems)
references:
- https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/
date: 2022-10-28
modified: 2023-02-05
tags:
- attack.execution
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
# Example 1: https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/10/fig-3f-raspberryrobin-runonce.png
# Example 2: https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/10/fig-5f-odbcconf.png
# Example 3: https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/10/fig-6f-fauppod-command-line.png
CommandLine|re: \\[a-zA-Z0-9]{1,32}\.[a-zA-Z0-9]{1,6}\.[ "']{1} # cannot match on end-of-line because of FPs with bind DNS notation
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential Rcdll.DLL Sideloading
Detects potential DLL sideloading of rcdll.dll
view Sigma YAML
title: Potential Rcdll.DLL Sideloading
id: 6e78b74f-c762-4800-82ad-f66787f10c8a
status: test
description: Detects potential DLL sideloading of rcdll.dll
references:
- https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html
author: X__Junior (Nextron Systems)
date: 2023-03-13
modified: 2023-03-15
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\rcdll.dll'
filter:
ImageLoaded|startswith:
- 'C:\Program Files (x86)\Microsoft Visual Studio\'
- 'C:\Program Files (x86)\Windows Kits\'
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
High FP
Potential Recon Activity Using DriverQuery.EXE
Detect usage of the "driverquery" utility to perform reconnaissance on installed drivers
view Sigma YAML
title: Potential Recon Activity Using DriverQuery.EXE
id: 9fc3072c-dc8f-4bf7-b231-18950000fadd
related:
- id: a20def93-0709-4eae-9bd2-31206e21e6b2
type: similar
status: test
description: Detect usage of the "driverquery" utility to perform reconnaissance on installed drivers
references:
- https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/
- https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/
- https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-19
modified: 2023-09-29
tags:
- attack.discovery
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: 'driverquery.exe'
- OriginalFileName: 'drvqry.exe'
selection_parent:
- ParentImage|endswith:
- '\cscript.exe'
- '\mshta.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\wscript.exe'
- ParentImage|contains:
- '\AppData\Local\'
- '\Users\Public\'
- '\Windows\Temp\'
condition: all of selection_*
falsepositives:
- Legitimate usage by some scripts might trigger this as well
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_driverquery_recon/info.yml
Convert to SIEM query
high
Strong
High FP
Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE
Detects usage of cmdkey to look for cached credentials on the system
view Sigma YAML
title: Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE
id: 07f8bdc2-c9b3-472a-9817-5a670b872f53
status: test
description: Detects usage of cmdkey to look for cached credentials on the system
references:
- https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
- https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx
- https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1003.005/T1003.005.md#atomic-test-1---cached-credential-dump-via-cmdkey
author: jmallette, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2019-01-16
modified: 2024-03-05
tags:
- attack.credential-access
- attack.t1003.005
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\cmdkey.exe'
- OriginalFileName: 'cmdkey.exe'
selection_cli:
CommandLine|contains|windash: ' -l'
condition: all of selection*
falsepositives:
- Legitimate administrative tasks
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_cmdkey_recon/info.yml
simulation:
- type: atomic-red-team
name: Cached Credential Dump via Cmdkey
technique: T1003.005
atomic_guid: 56506854-89d6-46a3-9804-b7fde90791f9
Convert to SIEM query
high
Moderate
Medium FP
Potential Registry Persistence Attempt Via Windows Telemetry
Detects potential persistence behavior using the windows telemetry registry key.
Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections.
This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run.
The problem is, it will run any arbitrary command without restriction of location or type.
view Sigma YAML
title: Potential Registry Persistence Attempt Via Windows Telemetry
id: 73a883d0-0348-4be4-a8d8-51031c2564f8
related:
- id: 4e8d5fd3-c959-441f-a941-f73d0cdcdca5
type: obsolete
status: test
description: |
Detects potential persistence behavior using the windows telemetry registry key.
Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections.
This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run.
The problem is, it will run any arbitrary command without restriction of location or type.
references:
- https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
author: Lednyov Alexey, oscd.community, Sreeman
date: 2020-10-16
modified: 2023-08-17
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1053.005
logsource:
category: registry_set
product: windows
definition: 'Requirements: Sysmon config that monitors \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController subkey of the HKLM hives'
detection:
selection:
TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\'
TargetObject|endswith: '\Command'
Details|contains:
- '.bat'
- '.bin'
- '.cmd'
- '.dat'
- '.dll'
- '.exe'
- '.hta'
- '.jar'
- '.js'
- '.msi'
- '.ps'
- '.sh'
- '.vb'
filter_main_generic:
Details|contains:
- '\system32\CompatTelRunner.exe'
- '\system32\DeviceCensus.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Potential Remote PowerShell Session Initiated
Detects a process that initiated a network connection over ports 5985 or 5986 from a non-network service account.
This could potentially indicates a remote PowerShell connection.
view Sigma YAML
title: Potential Remote PowerShell Session Initiated
id: c539afac-c12a-46ed-b1bd-5a5567c9f045
status: test
description: |
Detects a process that initiated a network connection over ports 5985 or 5986 from a non-network service account.
This could potentially indicates a remote PowerShell connection.
references:
- https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-09-12
modified: 2024-02-02
tags:
- attack.execution
- attack.t1059.001
- attack.lateral-movement
- attack.t1021.006
logsource:
category: network_connection
product: windows
detection:
selection:
DestinationPort:
- 5985
- 5986
Initiated: 'true' # only matches of the initiating system can be evaluated
SourceIsIpv6: 'false'
filter_main_service_users:
- User|contains: # covers many language settings for Network Service. Please expand
- 'NETWORK SERVICE'
- 'NETZWERKDIENST'
- 'SERVICIO DE RED'
- 'SERVIZIO DI RETE'
- User|contains|all:
- 'SERVICE R'
- 'SEAU'
filter_main_localhost:
SourceIp:
- '::1'
- '127.0.0.1'
DestinationIp:
- '::1'
- '127.0.0.1'
filter_optional_avast:
Image:
- 'C:\Program Files\Avast Software\Avast\AvastSvc.exe'
- 'C:\Program Files (x86)\Avast Software\Avast\AvastSvc.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate usage of remote PowerShell, e.g. remote administration and monitoring.
- Network Service user name of a not-covered localization
level: high
Convert to SIEM query
high
Moderate
High FP
Potential Remote SquiblyTwo Technique Execution
Detects potential execution of the SquiblyTwo technique that leverages Windows Management Instrumentation (WMI)
to execute malicious code remotely. This technique bypasses application whitelisting by using wmic.exe to process
malicious XSL (eXtensible Stylesheet Language) scripts that can contain embedded JScript or VBScript.
The attack typically works by fetching XSL content from a remote source (using HTTP/HTTPS) and executing it
with full trust privileges directly in memory, avoiding disk-based detection mechanisms. This is a common
LOLBin (Living Off The Land Binary) technique used for defense evasion and code execution.
view Sigma YAML
title: Potential Remote SquiblyTwo Technique Execution
id: 8d63dadf-b91b-4187-87b6-34a1114577ea
related:
- id: 06ce37c2-61ab-4f05-9ff5-b1a96d18ae32
type: similar
- id: 05c36dd6-79d6-4a9a-97da-3db20298ab2d
type: similar
status: test
description: |
Detects potential execution of the SquiblyTwo technique that leverages Windows Management Instrumentation (WMI)
to execute malicious code remotely. This technique bypasses application whitelisting by using wmic.exe to process
malicious XSL (eXtensible Stylesheet Language) scripts that can contain embedded JScript or VBScript.
The attack typically works by fetching XSL content from a remote source (using HTTP/HTTPS) and executing it
with full trust privileges directly in memory, avoiding disk-based detection mechanisms. This is a common
LOLBin (Living Off The Land Binary) technique used for defense evasion and code execution.
references:
- https://web.archive.org/web/20190209154607/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html
- https://twitter.com/mattifestation/status/986280382042595328 # Deleted
- https://atomicredteam.io/defense-evasion/T1220/
- https://lolbas-project.github.io/lolbas/Binaries/Wmic/
- https://x.com/byrne_emmy12099/status/1932346420226658668
author: Markus Neis, Florian Roth, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2019-01-16
modified: 2026-01-24
tags:
- attack.stealth
- attack.t1047
- attack.t1220
- attack.execution
- attack.t1059.005
- attack.t1059.007
logsource:
category: process_creation
product: windows
detection:
selection_pe:
- Image|endswith: '\wmic.exe'
- OriginalFileName: 'wmic.exe'
- Hashes|contains: # Sysmon field hashes contains all types
- 'IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E'
- 'IMPHASH=37777A96245A3C74EB217308F3546F4C'
- 'IMPHASH=9D87C9D67CE724033C0B40CC4CA1B206'
- 'IMPHASH=B12619881D79C3ACADF45E752A58554A'
- 'IMPHASH=16A48C3CABF98A9DC1BF02C07FE1EA00'
selection_cli:
CommandLine|contains|windash: '/format:'
CommandLine|contains:
- '://'
- '\\\\'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential RemoteFXvGPUDisablement.EXE Abuse
Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.
view Sigma YAML
title: Potential RemoteFXvGPUDisablement.EXE Abuse
id: f65e22f9-819e-4f96-9c7b-498364ae7a25
related:
- id: a6fc3c46-23b8-4996-9ea2-573f4c4d88c5 # ProcCreation
type: similar
- id: 38a7625e-b2cb-485d-b83d-aff137d859f4 # PS Module
type: similar
- id: cacef8fc-9d3d-41f7-956d-455c6e881bc5 # PS ScriptBlock
type: similar
status: test
description: Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
- https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2021-07-13
modified: 2023-05-09
tags:
- attack.stealth
- attack.t1218
logsource:
product: windows
service: powershell-classic
definition: fields have to be extract from event
detection:
selection:
Data|contains: 'ModuleContents=function Get-VMRemoteFXPhysicalVideoAdapter {'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module
Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.
view Sigma YAML
title: Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module
id: 38a7625e-b2cb-485d-b83d-aff137d859f4
related:
- id: a6fc3c46-23b8-4996-9ea2-573f4c4d88c5 # ProcCreation
type: similar
- id: f65e22f9-819e-4f96-9c7b-498364ae7a25 # PS Classic
type: similar
- id: cacef8fc-9d3d-41f7-956d-455c6e881bc5 # PS ScriptBlock
type: similar
status: test
description: Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
- https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2021-07-13
modified: 2023-05-09
tags:
- attack.stealth
- attack.t1218
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection:
Payload|contains: 'ModuleContents=function Get-VMRemoteFXPhysicalVideoAdapter {'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock
Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.
view Sigma YAML
title: Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock
id: cacef8fc-9d3d-41f7-956d-455c6e881bc5
related:
- id: a6fc3c46-23b8-4996-9ea2-573f4c4d88c5 # ProcCreation
type: similar
- id: f65e22f9-819e-4f96-9c7b-498364ae7a25 # PS Classic
type: similar
- id: 38a7625e-b2cb-485d-b83d-aff137d859f4 # PS Module
type: similar
status: test
description: Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
- https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-09
tags:
- attack.stealth
- attack.t1218
logsource:
product: windows
category: ps_script
definition: bade5735-5ab0-4aa7-a642-a11be0e40872
detection:
selection:
ScriptBlockText|startswith: 'function Get-VMRemoteFXPhysicalVideoAdapter {'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential Renamed Rundll32 Execution
Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. This could mean that the 'rundll32' utility has been renamed in order to avoid detection
view Sigma YAML
title: Potential Renamed Rundll32 Execution
id: 2569ed8c-1147-498a-9b8c-2ad3656b10ed
related:
- id: 0ba1da6d-b6ce-4366-828c-18826c9de23e
type: derived
status: test
description: Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. This could mean that the 'rundll32' utility has been renamed in order to avoid detection
references:
- https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20
- https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-22
modified: 2023-02-03
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: 'DllRegisterServer'
filter:
Image|endswith: '\rundll32.exe'
condition: selection and not filter
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
High FP
Potential RipZip Attack on Startup Folder
Detects a phishing attack which expands a ZIP file containing a malicious shortcut.
If the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder.
Additionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation.
view Sigma YAML
title: Potential RipZip Attack on Startup Folder
id: a6976974-ea6f-4e97-818e-ea08625c52cb
status: test
description: |
Detects a phishing attack which expands a ZIP file containing a malicious shortcut.
If the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder.
Additionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation.
references:
- https://twitter.com/jonasLyk/status/1549338335243534336?t=CrmPocBGLbDyE4p6zTX1cg&s=19
author: Greg (rule)
date: 2022-07-21
modified: 2023-01-05
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547
logsource:
category: file_event
product: windows
detection:
selection: # %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\target.lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}\target.lnk
TargetFilename|contains|all:
- '\Microsoft\Windows\Start Menu\Programs\Startup'
- '.lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}'
Image|endswith: '\explorer.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential RjvPlatform.DLL Sideloading From Non-Default Location
Detects potential DLL sideloading of "RjvPlatform.dll" by "SystemResetPlatform.exe" located in a non-default location.
view Sigma YAML
title: Potential RjvPlatform.DLL Sideloading From Non-Default Location
id: 0e0bc253-07ed-43f1-816d-e1b220fe8971
status: test
description: Detects potential DLL sideloading of "RjvPlatform.dll" by "SystemResetPlatform.exe" located in a non-default location.
references:
- https://twitter.com/0gtweet/status/1666716511988330499
author: X__Junior (Nextron Systems)
date: 2023-06-09
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\RjvPlatform.dll'
Image: '\SystemResetPlatform.exe'
filter_main_legit_path:
Image|startswith: 'C:\Windows\System32\SystemResetPlatform\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
High FP
Potential Rundll32 Execution With DLL Stored In ADS
Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).
view Sigma YAML
title: Potential Rundll32 Execution With DLL Stored In ADS
id: 9248c7e1-2bf3-4661-a22c-600a8040b446
status: test
description: Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).
references:
- https://lolbas-project.github.io/lolbas/Binaries/Rundll32
author: Harjot Singh, '@cyb3rjy0t'
date: 2023-01-21
modified: 2026-03-16
tags:
- attack.stealth
- attack.t1564.004
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\rundll32.exe'
- OriginalFileName: 'RUNDLL32.EXE'
selection_cli:
# Example:
# rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain
# Note: This doesn't cover the use case where a full path for the DLL isn't used. As it requires a more expensive regex
CommandLine|re: '[Rr][Uu][Nn][Dd][Ll][Ll]32(?:\.[Ee][Xx][Ee])? \S+?\w:\S+?:'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Potential Ryuk Ransomware Activity
Detects Ryuk ransomware activity
view Sigma YAML
title: Potential Ryuk Ransomware Activity
id: c37510b8-2107-4b78-aa32-72f251e7a844
related:
- id: 58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27
type: similar
- id: 0acaad27-9f02-4136-a243-c357202edd74
type: obsolete
status: stable
description: Detects Ryuk ransomware activity
references:
- https://app.any.run/tasks/d860402c-3ff4-4c1f-b367-0237da714ed1/
- https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/
author: Florian Roth (Nextron Systems), Vasiliy Burov, Nasreddine Bencherchali (Nextron Systems)
date: 2019-12-16
modified: 2023-02-03
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.001
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_reg:
CommandLine|contains|all:
- 'Microsoft\Windows\CurrentVersion\Run'
- 'C:\users\Public\'
selection_del:
CommandLine|contains|all:
- 'del /s /f /q c:\'
- '\*.bac'
- '\*.bak'
- '\*.bkf'
selection_net:
Image|endswith:
- '\net.exe'
- '\net1.exe'
CommandLine|contains|all:
- ' stop '
- ' /y'
CommandLine|contains:
- 'samss'
- 'audioendpointbuilder'
- 'unistoresvc_'
- 'AcrSch2Svc'
condition: 1 of selection_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Strong
High FP
Potential SAM Database Dump
Detects the creation of files that look like exports of the local SAM (Security Account Manager)
view Sigma YAML
title: Potential SAM Database Dump
id: 4e87b8e2-2ee9-4b2a-a715-4727d297ece0
status: test
description: Detects the creation of files that look like exports of the local SAM (Security Account Manager)
references:
- https://github.com/search?q=CVE-2021-36934
- https://web.archive.org/web/20210725081645/https://github.com/cube0x0/CVE-2021-36934
- https://www.google.com/search?q=%22reg.exe+save%22+sam
- https://github.com/HuskyHacks/ShadowSteal
- https://github.com/FireFart/hivenightmare
author: Florian Roth (Nextron Systems)
date: 2022-02-11
modified: 2023-01-05
tags:
- attack.credential-access
- attack.t1003.002
logsource:
product: windows
category: file_event
detection:
selection:
- TargetFilename|endswith:
- '\Temp\sam'
- '\sam.sav'
- '\Intel\sam'
- '\sam.hive'
- '\Perflogs\sam'
- '\ProgramData\sam'
- '\Users\Public\sam'
- '\AppData\Local\sam'
- '\AppData\Roaming\sam'
- '_ShadowSteal.zip' # https://github.com/HuskyHacks/ShadowSteal
- '\Documents\SAM.export' # https://github.com/n3tsurge/CVE-2021-36934/
- ':\sam'
- TargetFilename|contains:
- '\hive_sam_' # https://github.com/FireFart/hivenightmare
- '\sam.save'
- '\sam.export'
- '\~reg_sam.save'
- '\sam_backup'
- '\sam.bck'
- '\sam.backup'
condition: selection
falsepositives:
- Rare cases of administrative activity
level: high
Convert to SIEM query
high
Moderate
High FP
Potential SAP NetViewer Webshell Command Execution
Detects potential command execution via webshell in SAP NetViewer through JSP files with cmd parameter.
This rule is created to detect exploitation of vulnerabilities like CVE-2025-31324, which allows remote code execution via a webshell.
view Sigma YAML
title: Potential SAP NetViewer Webshell Command Execution
id: 94e12f41-6cb3-45c5-97b1-c783a7bf2e72
status: experimental
description: |
Detects potential command execution via webshell in SAP NetViewer through JSP files with cmd parameter.
This rule is created to detect exploitation of vulnerabilities like CVE-2025-31324, which allows remote code execution via a webshell.
references:
- https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-05-14
tags:
- attack.persistence
- attack.t1505.003
- attack.initial-access
- attack.t1190
- detection.emerging-threats
- cve.2025-31324
logsource:
category: webserver
detection:
selection_uri:
cs-uri-stem|contains|all:
- '/irj/'
- '.jsp'
selection_query:
- cs-uri-query|startswith:
- 'cmd='
- 'command='
- 'exec_cmd='
- 'exec='
- cs-uri-query|contains:
- '/dev/tcp'
- '/etc/passwd'
- '%2fdev%2ftcp' # URL encoded of /dev/tcp
- '%2fetc%2fpasswd' # URL encoded of /etc/passwd
- '=uname'
- '=whoami'
- 'ifconfig'
- 'ping'
- 'pwd'
- cs-uri-query|contains|all:
- 'echo'
- 'base64'
condition: all of selection_*
falsepositives:
- Legitimate applications using cmd parameter for non-malicious purposes
level: high
Convert to SIEM query
high
Moderate
High FP
Potential SNAKE Malware Installation CLI Arguments Indicator
Detects a specific command line arguments sequence seen used by SNAKE malware during its installation as described by CISA in their report
view Sigma YAML
title: Potential SNAKE Malware Installation CLI Arguments Indicator
id: 02cbc035-b390-49fe-a9ff-3bb402c826db
status: test
description: Detects a specific command line arguments sequence seen used by SNAKE malware during its installation as described by CISA in their report
references:
- https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-04
tags:
- attack.execution
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
# This CLI regex is based on the following description from the report:
# The jpsetup.exe installer requires two arguments to be passed via the command line for execution
# The first argument is a wide character string hashed with SHA-256 twice -> We assume that the first argument is of length SHA256
# The AES initialization vector (IV) consists of the first 16 bytes of the second argument to jpsetup.exe -> We assume that the second argument is of at least 16 bytes (16 characters)
CommandLine|re: '\s[a-fA-F0-9]{64}\s[a-fA-F0-9]{16}'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
High FP
Potential SNAKE Malware Persistence Service Execution
Detects a specific child/parent process relationship indicative of a "WerFault" process running from the "WinSxS" as a service. This could be indicative of potential SNAKE malware activity as reported by CISA.
view Sigma YAML
title: Potential SNAKE Malware Persistence Service Execution
id: f7536642-4a08-4dd9-b6d5-c3286d8975ed
status: test
description: Detects a specific child/parent process relationship indicative of a "WerFault" process running from the "WinSxS" as a service. This could be indicative of potential SNAKE malware activity as reported by CISA.
references:
- https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-04
tags:
- attack.execution
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\services.exe'
Image|startswith: 'C:\Windows\WinSxS\'
Image|endswith: '\WerFault.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential SSH Tunnel Persistence Install Using A Scheduled Task
Detects the creation of new scheduled tasks via commandline, using Schtasks.exe. This rule detects tasks creating that call OpenSSH, which may indicate the creation of reverse SSH tunnel to the attacker's server.
view Sigma YAML
title: Potential SSH Tunnel Persistence Install Using A Scheduled Task
id: 2daa93a0-a5fb-41c5-8cd8-3c11294bfd1f
status: experimental
description: Detects the creation of new scheduled tasks via commandline, using Schtasks.exe. This rule detects tasks creating that call OpenSSH, which may indicate the creation of reverse SSH tunnel to the attacker's server.
references:
- https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
- https://www.kroll.com/en/insights/publications/cyber/cactus-ransomware-prickly-new-variant-evades-detection
author: Rory Duncan
date: 2025-07-14
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.t1053.005
- attack.command-and-control
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\schtasks.exe'
- OriginalFileName: 'schtasks.exe'
selection_cli_sshd:
CommandLine|contains|all:
- ' /create '
- 'sshd.exe'
- '-f'
selection_cli_ssh:
CommandLine|contains|all:
- ' /create '
- 'ssh.exe'
- '-i'
condition: selection_img and 1 of selection_cli_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential Server Side Template Injection In Velocity
Detects exceptions in velocity template renderer, this most likely happens due to dynamic rendering of user input and may lead to RCE.
view Sigma YAML
title: Potential Server Side Template Injection In Velocity
id: 16c86189-b556-4ee8-b4c7-7e350a195a4f
status: test
description: Detects exceptions in velocity template renderer, this most likely happens due to dynamic rendering of user input and may lead to RCE.
references:
- https://antgarsil.github.io/posts/velocity/
- https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
author: Moti Harmats
date: 2023-02-11
tags:
- attack.initial-access
- attack.t1190
logsource:
category: application
product: velocity
definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
detection:
keywords:
- 'ParseErrorException'
- 'VelocityException'
- 'TemplateInitException'
condition: keywords
falsepositives:
- Application bugs
- Missing .vm files
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential SharePoint ToolShell CVE-2025-53770 Exploitation Indicators
Detects potential exploitation of CVE-2025-53770 by identifying indicators such as suspicious command lines discovered in Post-Exploitation activities.
CVE-2025-53770 is a zero-day vulnerability in SharePoint that allows remote code execution.
view Sigma YAML
title: Potential SharePoint ToolShell CVE-2025-53770 Exploitation Indicators
id: 7477881c-ec3b-49d6-aced-7255944e5c59
status: experimental
description: |
Detects potential exploitation of CVE-2025-53770 by identifying indicators such as suspicious command lines discovered in Post-Exploitation activities.
CVE-2025-53770 is a zero-day vulnerability in SharePoint that allows remote code execution.
references:
- https://research.eye.security/sharepoint-under-siege/
- https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-21
tags:
- attack.initial-access
- attack.t1190
- cve.2025-53770
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_img:
ParentImage|endswith: '\w3wp.exe'
selection_encoded_aspx:
- CommandLine|wide|base64offset|contains: 'spinstall0.aspx'
- CommandLine|base64|contains: 'spinstall0.aspx'
selection_encoded_path:
CommandLine|wide|base64offset|contains:
- ':\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\15\TEMPLATE\LAYOUTS'
- ':\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS'
- ':\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS'
- ':\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'
selection_ioc:
CommandLine|contains:
- '-EncodedCommand JABiAGEAcwBlADYANABTAHQAcgBpAG4AZwAgAD0'
- 'TEMPLATE\LAYOUTS\spinstall0.aspx'
condition: (selection_img and 1 of selection_encoded_*) or selection_ioc
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential Signing Bypass Via Windows Developer Features
Detects when a user enable developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.
view Sigma YAML
title: Potential Signing Bypass Via Windows Developer Features
id: a383dec4-deec-4e6e-913b-ed9249670848
related:
- id: b110ebaf-697f-4da1-afd5-b536fa27a2c1
type: similar
status: test
description: Detects when a user enable developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.
references:
- Internal Research
- https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-11
tags:
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\SystemSettingsAdminFlows.exe'
- OriginalFileName: 'SystemSettingsAdminFlows.EXE'
selection_flag:
CommandLine|contains: 'TurnOnDeveloperFeatures'
selection_options:
CommandLine|contains:
- 'DeveloperUnlock'
- 'EnableSideloading'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential Signing Bypass Via Windows Developer Features - Registry
Detects when the enablement of developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.
view Sigma YAML
title: Potential Signing Bypass Via Windows Developer Features - Registry
id: b110ebaf-697f-4da1-afd5-b536fa27a2c1
related:
- id: a383dec4-deec-4e6e-913b-ed9249670848
type: similar
status: test
description: Detects when the enablement of developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.
references:
- https://twitter.com/malmoeb/status/1560536653709598721
- https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-12
modified: 2023-08-17
tags:
- attack.stealth
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains:
- '\Microsoft\Windows\CurrentVersion\AppModelUnlock'
- '\Policies\Microsoft\Windows\Appx\'
TargetObject|endswith:
- '\AllowAllTrustedApps'
- '\AllowDevelopmentWithoutDevLicense'
Details: 'DWORD (0x00000001)'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential SmadHook.DLL Sideloading
Detects potential DLL sideloading of "SmadHook.dll", a DLL used by SmadAV antivirus
view Sigma YAML
title: Potential SmadHook.DLL Sideloading
id: 24b6cf51-6122-469e-861a-22974e9c1e5b
status: test
description: Detects potential DLL sideloading of "SmadHook.dll", a DLL used by SmadAV antivirus
references:
- https://research.checkpoint.com/2023/malware-spotlight-camaro-dragons-tinynote-backdoor/
- https://www.qurium.org/alerts/targeted-malware-against-crph/
author: X__Junior (Nextron Systems)
date: 2023-06-01
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith:
- '\SmadHook32c.dll'
- '\SmadHook64c.dll'
filter_main_legit_path:
Image:
- 'C:\Program Files (x86)\SMADAV\SmadavProtect32.exe'
- 'C:\Program Files (x86)\SMADAV\SmadavProtect64.exe'
- 'C:\Program Files\SMADAV\SmadavProtect32.exe'
- 'C:\Program Files\SMADAV\SmadavProtect64.exe'
ImageLoaded|startswith:
- 'C:\Program Files (x86)\SMADAV\'
- 'C:\Program Files\SMADAV\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Strong
High FP
Potential Snatch Ransomware Activity
Detects specific process characteristics of Snatch ransomware word document droppers
view Sigma YAML
title: Potential Snatch Ransomware Activity
id: 5325945e-f1f0-406e-97b8-65104d393fff
status: stable
description: Detects specific process characteristics of Snatch ransomware word document droppers
references:
- https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
author: Florian Roth (Nextron Systems)
date: 2020-08-26
modified: 2025-10-19
tags:
- attack.execution
- attack.t1204
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
- CommandLine|re: 'shutdown\s+/r /f /t 00' # Shutdown in safe mode immediately
- CommandLine|re: 'net\s+stop SuperBackupMan'
condition: selection
falsepositives:
- Scripts that shutdown the system immediately and reboot them in safe mode are unlikely
level: high
Convert to SIEM query
high
Strong
Medium FP
Potential SocGholish Second Stage C2 DNS Query
Detects a DNS query initiated from a "wscript" process for domains matching a specific pattern that was seen being used by SocGholish for its Command and Control traffic
view Sigma YAML
title: Potential SocGholish Second Stage C2 DNS Query
id: 70761fe8-6aa2-4f80-98c1-a57049c08e66
status: test
description: Detects a DNS query initiated from a "wscript" process for domains matching a specific pattern that was seen being used by SocGholish for its Command and Control traffic
references:
- https://www.virustotal.com/gui/file/0e2854753d17b1bb534de8e765d5813c9fb584a745978b3d92bc6ca78e3e7735/relations
- https://www.virustotal.com/gui/file/d5661009c461a8b20e1ad22f48609cc84dd90aee9182e026659dde4d46aaf25e/relations
- https://www.proofpoint.com/us/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update
author: Dusty Miller
date: 2023-02-23
tags:
- attack.command-and-control
- attack.t1219.002
- detection.emerging-threats
logsource:
product: windows
category: dns_query
detection:
selection:
Image|endswith: '\wscript.exe'
QueryName|re: '[a-f0-9]{4,8}\.(?:[a-z0-9\-]+\.){2}[a-z0-9\-]+'
condition: selection
falsepositives:
- Legitimate domain names matching the regex pattern by chance (e.g. domain controllers dc01.company.co.uk)
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential SpEL Injection In Spring Framework
Detects potential SpEL Injection exploitation, which may lead to RCE.
view Sigma YAML
title: Potential SpEL Injection In Spring Framework
id: e9edd087-89d8-48c9-b0b4-5b9bb10896b8
status: test
description: Detects potential SpEL Injection exploitation, which may lead to RCE.
references:
- https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection
- https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
author: Moti Harmats
date: 2023-02-11
tags:
- attack.initial-access
- attack.t1190
logsource:
category: application
product: spring
definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
detection:
keywords:
- 'org.springframework.expression.ExpressionException'
condition: keywords
falsepositives:
- Application bugs
level: high
Convert to SIEM query
high
Strong
High FP
Potential Startup Shortcut Persistence Via PowerShell.EXE
Detects PowerShell writing startup shortcuts.
This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.
Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats.
In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL"
view Sigma YAML
title: Potential Startup Shortcut Persistence Via PowerShell.EXE
id: 92fa78e7-4d39-45f1-91a3-8b23f3f1088d
status: test
description: |
Detects PowerShell writing startup shortcuts.
This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.
Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats.
In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL"
references:
- https://redcanary.com/blog/intelligence-insights-october-2021/
- https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder
author: Christopher Peacock '@securepeacock', SCYTHE
date: 2021-10-24
modified: 2023-02-23
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.001
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
TargetFilename|contains: '\start menu\programs\startup\'
TargetFilename|endswith: '.lnk'
condition: selection
falsepositives:
- Depending on your environment accepted applications may leverage this at times. It is recommended to search for anomalies inidicative of malware.
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential Suspicious BPF Activity - Linux
Detects the presence of "bpf_probe_write_user" BPF helper-generated warning messages. Which could be a sign of suspicious eBPF activity on the system.
view Sigma YAML
title: Potential Suspicious BPF Activity - Linux
id: 0fadd880-6af3-4610-b1e5-008dc3a11b8a
status: test
description: Detects the presence of "bpf_probe_write_user" BPF helper-generated warning messages. Which could be a sign of suspicious eBPF activity on the system.
references:
- https://redcanary.com/blog/ebpf-malware/
- https://man7.org/linux/man-pages/man7/bpf-helpers.7.html
author: Red Canary (idea), Nasreddine Bencherchali
date: 2023-01-25
tags:
- attack.persistence
- attack.stealth
logsource:
product: linux
detection:
selection:
- 'bpf_probe_write_user'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential Suspicious Child Process Of 3CXDesktopApp
Detects potential suspicious child processes of "3CXDesktopApp.exe". Which could be related to the 3CXDesktopApp supply chain compromise
view Sigma YAML
title: Potential Suspicious Child Process Of 3CXDesktopApp
id: 63f3605b-979f-48c2-b7cc-7f90523fed88
related:
- id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26 # Proxy C2
type: similar
- id: 76bc1601-9546-4b75-9419-06e0e8d10651 # Proxy GH
type: similar
- id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8 # DNS C2
type: similar
- id: 51eecf75-d069-43c7-9ea2-63f75499edd4 # net_connection C2
type: similar
- id: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c # ProcCreation Exec
type: similar
- id: e7581747-1e44-4d4b-85a6-0db0b4a00f2a # ProcCreation Update
type: similar
- id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad
type: similar
status: test
description: Detects potential suspicious child processes of "3CXDesktopApp.exe". Which could be related to the 3CXDesktopApp supply chain compromise
references:
- https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
- https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-29
tags:
- attack.command-and-control
- attack.execution
- attack.stealth
- attack.t1218
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\3CXDesktopApp.exe'
Image|endswith:
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\wscript.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Potential Suspicious Mofcomp Execution
Detects execution of the "mofcomp" utility as a child of a suspicious shell or script running utility or by having a suspicious path in the commandline.
The "mofcomp" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.
Attackers abuse this utility to install malicious MOF scripts
view Sigma YAML
title: Potential Suspicious Mofcomp Execution
id: 1dd05363-104e-4b4a-b963-196a534b03a1
status: test
description: |
Detects execution of the "mofcomp" utility as a child of a suspicious shell or script running utility or by having a suspicious path in the commandline.
The "mofcomp" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.
Attackers abuse this utility to install malicious MOF scripts
references:
- https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
- https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml
- https://learn.microsoft.com/en-us/windows/win32/wmisdk/mofcomp
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-12
modified: 2023-04-11
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\mofcomp.exe'
- OriginalFileName: 'mofcomp.exe'
selection_case:
- ParentImage|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\wsl.exe'
- '\wscript.exe'
- '\cscript.exe'
- CommandLine|contains:
- '\AppData\Local\Temp'
- '\Users\Public\'
- '\WINDOWS\Temp\'
- '%temp%'
- '%tmp%'
- '%appdata%'
filter_main_wmiprvse:
ParentImage: 'C:\Windows\System32\wbem\WmiPrvSE.exe'
CommandLine|contains: 'C:\Windows\TEMP\'
CommandLine|endswith: '.mof'
filter_optional_null_parent:
# Sometimes the parent information isn't available from the Microsoft-Windows-Security-Auditing provider.
CommandLine|contains: 'C:\Windows\TEMP\'
CommandLine|endswith: '.mof'
condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
Showing 951-1000 of 1,677