Tool
EDR / XDR
VMware Carbon Black
1,677 rules · Sigma detections in VMware Carbon Black syntax
The same Sigma detection corpus, machine-rendered into VMware Carbon Black query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 3,646 rules (.zip, 1.2 MB)
Every VMware Carbon Black query in this view, packaged to deploy.
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance12
Resource Development10
Initial Access10
Execution30
Persistence42
Privilege Escalation20
Stealth79
Defense Impairment32
Credential Access35
Discovery33
Lateral Movement16
Collection20
Command and Control24
Exfiltration10
Impact18
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
◈
Detection rules
50 shown of 1,677
high
Moderate
Medium FP
Potential Suspicious Winget Package Installation
Detects potential suspicious winget package installation from a suspicious source.
view Sigma YAML
title: Potential Suspicious Winget Package Installation
id: a3f5c081-e75b-43a0-9f5b-51f26fe5dba2
status: test
description: Detects potential suspicious winget package installation from a suspicious source.
references:
- https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-18
tags:
- attack.persistence
- attack.stealth
logsource:
product: windows
category: create_stream_hash
detection:
selection:
Contents|startswith: '[ZoneTransfer] ZoneId=3'
Contents|contains:
# Note: Add any untrusted sources that are custom to your env
- '://1'
- '://2'
- '://3'
- '://4'
- '://5'
- '://6'
- '://7'
- '://8'
- '://9'
TargetFilename|endswith: ':Zone.Identifier'
TargetFilename|contains: '\AppData\Local\Temp\WinGet\'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Potential SysInternals ProcDump Evasion
Detects uses of the SysInternals ProcDump utility in which ProcDump or its output get renamed, or a dump file is moved or copied to a different name
view Sigma YAML
title: Potential SysInternals ProcDump Evasion
id: 79b06761-465f-4f88-9ef2-150e24d3d737
status: test
description: Detects uses of the SysInternals ProcDump utility in which ProcDump or its output get renamed, or a dump file is moved or copied to a different name
references:
- https://twitter.com/mrd0x/status/1480785527901204481
author: Florian Roth (Nextron Systems)
date: 2022-01-11
modified: 2023-05-09
tags:
- attack.stealth
- attack.t1036
- attack.t1003.001
- attack.credential-access
logsource:
category: process_creation
product: windows
detection:
selection_1:
CommandLine|contains:
- 'copy procdump'
- 'move procdump'
selection_2:
CommandLine|contains|all:
- 'copy '
- '.dmp '
CommandLine|contains:
- '2.dmp'
- 'lsass'
- 'out.dmp'
selection_3:
CommandLine|contains:
- 'copy lsass.exe_' # procdump default pattern e.g. lsass.exe_220111_085234.dmp
- 'move lsass.exe_' # procdump default pattern e.g. lsass.exe_220111_085234.dmp
condition: 1 of selection_*
falsepositives:
- False positives are expected in cases in which ProcDump just gets copied to a different directory without any renaming
level: high
Convert to SIEM query
high
Strong
Medium FP
Potential System DLL Sideloading From Non System Locations
Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.).
view Sigma YAML
title: Potential System DLL Sideloading From Non System Locations
id: 4fc0deee-0057-4998-ab31-d24e46e0aba4
status: test
description: Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.).
references:
- https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there). Wietze Beukema (project and research)
- https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/ # WindowsCodecs.dll
- https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/ # iphlpapi.dll
- https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md # XForceIR (SideLoadHunter Project), Chris Spehn (research WFH Dridex)
- https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-14
modified: 2025-12-03
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith:
- '\aclui.dll'
- '\activeds.dll'
- '\adsldpc.dll'
- '\aepic.dll'
- '\apphelp.dll'
- '\applicationframe.dll'
- '\appvpolicy.dll'
- '\appxalluserstore.dll'
- '\appxdeploymentclient.dll'
- '\archiveint.dll'
- '\atl.dll'
- '\audioses.dll'
- '\auditpolcore.dll'
- '\authfwcfg.dll'
- '\authz.dll'
- '\avrt.dll'
- '\batmeter.dll'
- '\bcd.dll'
- '\bcp47langs.dll'
- '\bcp47mrm.dll'
- '\bcrypt.dll'
- '\bderepair.dll'
- '\bootmenuux.dll'
- '\bootux.dll'
- '\cabinet.dll'
- '\cabview.dll'
- '\certcli.dll'
- '\certenroll.dll'
- '\cfgmgr32.dll'
- '\cldapi.dll'
- '\clipc.dll'
- '\clusapi.dll'
- '\cmpbk32.dll'
- '\cmutil.dll'
- '\coloradapterclient.dll'
- '\colorui.dll'
- '\comdlg32.dll'
- '\configmanager2.dll'
- '\connect.dll'
- '\coredplus.dll'
- '\coremessaging.dll'
- '\coreuicomponents.dll'
- '\credui.dll'
- '\cryptbase.dll'
- '\cryptdll.dll'
- '\cryptsp.dll'
- '\cryptui.dll'
- '\cryptxml.dll'
- '\cscapi.dll'
- '\cscobj.dll'
- '\cscui.dll'
- '\d2d1.dll'
- '\d3d10_1.dll'
- '\d3d10_1core.dll'
- '\d3d10.dll'
- '\d3d10core.dll'
- '\d3d10warp.dll'
- '\d3d11.dll'
- '\d3d12.dll'
- '\d3d9.dll'
- '\d3dx9_43.dll'
- '\dataexchange.dll'
- '\davclnt.dll'
- '\dcntel.dll'
- '\dcomp.dll'
- '\defragproxy.dll'
- '\desktopshellext.dll'
- '\deviceassociation.dll'
- '\devicecredential.dll'
- '\devicepairing.dll'
- '\devobj.dll'
- '\devrtl.dll'
- '\dhcpcmonitor.dll'
- '\dhcpcsvc.dll'
- '\dhcpcsvc6.dll'
- '\directmanipulation.dll'
- '\dismapi.dll'
- '\dismcore.dll'
- '\dmcfgutils.dll'
- '\dmcmnutils.dll'
- '\dmcommandlineutils.dll'
- '\dmenrollengine.dll'
- '\dmenterprisediagnostics.dll'
- '\dmiso8601utils.dll'
- '\dmoleaututils.dll'
- '\dmprocessxmlfiltered.dll'
- '\dmpushproxy.dll'
- '\dmxmlhelputils.dll'
- '\dnsapi.dll'
- '\dot3api.dll'
- '\dot3cfg.dll'
- '\dpx.dll'
- '\drprov.dll'
- '\drvstore.dll'
- '\dsclient.dll'
- '\dsparse.dll'
- '\dsprop.dll'
- '\dsreg.dll'
- '\dsrole.dll'
- '\dui70.dll'
- '\duser.dll'
- '\dusmapi.dll'
- '\dwmapi.dll'
- '\dwmcore.dll'
- '\dwrite.dll'
- '\dxcore.dll'
- '\dxgi.dll'
- '\dxva2.dll'
- '\dynamoapi.dll'
- '\eappcfg.dll'
- '\eappprxy.dll'
- '\edgeiso.dll'
- '\edputil.dll'
- '\efsadu.dll'
- '\efsutil.dll'
- '\esent.dll'
- '\execmodelproxy.dll'
- '\explorerframe.dll'
- '\fastprox.dll'
- '\faultrep.dll'
- '\fddevquery.dll'
- '\feclient.dll'
- '\fhcfg.dll'
- '\fhsvcctl.dll'
- '\firewallapi.dll'
- '\flightsettings.dll'
- '\fltlib.dll'
- '\framedynos.dll'
- '\fveapi.dll'
- '\fveskybackup.dll'
- '\fvewiz.dll'
- '\fwbase.dll'
- '\fwcfg.dll'
- '\fwpolicyiomgr.dll'
- '\fwpuclnt.dll'
- '\fxsapi.dll'
- '\fxsst.dll'
- '\fxstiff.dll'
- '\getuname.dll'
- '\gpapi.dll'
- '\hid.dll'
- '\hnetmon.dll'
- '\httpapi.dll'
- '\icmp.dll'
- '\idstore.dll'
- '\ieadvpack.dll'
- '\iedkcs32.dll'
- '\iernonce.dll'
- '\iertutil.dll'
- '\ifmon.dll'
- '\ifsutil.dll'
- '\inproclogger.dll'
- '\iphlpapi.dll'
- '\iri.dll'
- '\iscsidsc.dll'
- '\iscsium.dll'
- '\isv.exe_rsaenh.dll'
- '\iumbase.dll'
- '\iumsdk.dll'
- '\joinutil.dll'
- '\kdstub.dll'
- '\ksuser.dll'
- '\ktmw32.dll'
- '\licensemanagerapi.dll'
- '\licensingdiagspp.dll'
- '\linkinfo.dll'
- '\loadperf.dll'
- '\lockhostingframework.dll'
- '\logoncli.dll'
- '\logoncontroller.dll'
- '\lpksetupproxyserv.dll'
- '\lrwizdll.dll'
- '\magnification.dll'
- '\maintenanceui.dll'
- '\mapistub.dll'
- '\mbaexmlparser.dll'
- '\mdmdiagnostics.dll'
- '\mfc42u.dll'
- '\mfcore.dll'
- '\mfplat.dll'
- '\mi.dll'
- '\midimap.dll'
- '\mintdh.dll'
- '\miutils.dll'
- '\mlang.dll'
- '\mmdevapi.dll'
- '\mobilenetworking.dll'
- '\mpr.dll'
- '\mprapi.dll'
- '\mrmcorer.dll'
- '\msacm32.dll'
- '\mscms.dll'
- '\mscoree.dll'
- '\msctf.dll'
- '\msctfmonitor.dll'
- '\msdrm.dll'
- '\msdtctm.dll'
- '\msftedit.dll'
- '\msi.dll'
- '\msiso.dll'
- '\msutb.dll'
- '\msvcp110_win.dll'
- '\mswb7.dll'
- '\mswsock.dll'
- '\msxml3.dll'
- '\mtxclu.dll'
- '\napinsp.dll'
- '\ncrypt.dll'
- '\ndfapi.dll'
- '\netapi32.dll'
- '\netid.dll'
- '\netiohlp.dll'
- '\netjoin.dll'
- '\netplwiz.dll'
- '\netprofm.dll'
- '\netprovfw.dll'
- '\netsetupapi.dll'
- '\netshell.dll'
- '\nettrace.dll'
- '\netutils.dll'
- '\networkexplorer.dll'
- '\newdev.dll'
- '\ninput.dll'
- '\nlaapi.dll'
- '\nlansp_c.dll'
- '\npmproxy.dll'
- '\nshhttp.dll'
- '\nshipsec.dll'
- '\nshwfp.dll'
- '\ntdsapi.dll'
- '\ntlanman.dll'
- '\ntlmshared.dll'
- '\ntmarta.dll'
- '\ntshrui.dll'
- '\oleacc.dll'
- '\omadmapi.dll'
- '\onex.dll'
- '\opcservices.dll'
- '\osbaseln.dll'
- '\osksupport.dll'
- '\osuninst.dll'
- '\p2p.dll'
- '\p2pnetsh.dll'
- '\p9np.dll'
- '\pcaui.dll'
- '\pdh.dll'
- '\peerdistsh.dll'
- '\pkeyhelper.dll'
- '\pla.dll'
- '\playsndsrv.dll'
- '\pnrpnsp.dll'
- '\policymanager.dll'
- '\polstore.dll'
- '\powrprof.dll'
- '\printui.dll'
- '\prntvpt.dll'
- '\profapi.dll'
- '\propsys.dll'
- '\proximitycommon.dll'
- '\proximityservicepal.dll'
- '\prvdmofcomp.dll'
- '\puiapi.dll'
- '\radcui.dll'
- '\rasapi32.dll'
- '\rasdlg.dll'
- '\rasgcw.dll'
- '\rasman.dll'
- '\rasmontr.dll'
- '\reagent.dll'
- '\regapi.dll'
- '\reseteng.dll'
- '\resetengine.dll'
- '\resutils.dll'
- '\rmclient.dll'
- '\rpcnsh.dll'
- '\rsaenh.dll'
- '\rtutils.dll'
- '\rtworkq.dll'
- '\samcli.dll'
- '\samlib.dll'
- '\sapi_onecore.dll'
- '\sas.dll'
- '\scansetting.dll'
- '\scecli.dll'
- '\schedcli.dll'
- '\secur32.dll'
- '\security.dll'
- '\sensapi.dll'
- '\shell32.dll'
- '\shfolder.dll'
- '\slc.dll'
- '\snmpapi.dll'
- '\spectrumsyncclient.dll'
- '\spp.dll'
- '\sppc.dll'
- '\sppcext.dll'
- '\srclient.dll'
- '\srcore.dll'
- '\srmtrace.dll'
- '\srpapi.dll'
- '\srvcli.dll'
- '\ssp_isv.exe_rsaenh.dll'
- '\ssp.exe_rsaenh.dll'
- '\sspicli.dll'
- '\ssshim.dll'
- '\staterepository.core.dll'
- '\structuredquery.dll'
- '\sxshared.dll'
- '\systemsettingsthresholdadminflowui.dll'
- '\tapi32.dll'
- '\tbs.dll'
- '\tdh.dll'
- '\textshaping.dll'
- '\timesync.dll'
- '\tpmcoreprovisioning.dll'
- '\tquery.dll'
- '\tsworkspace.dll'
- '\ttdrecord.dll'
- '\twext.dll'
- '\twinapi.dll'
- '\twinui.appcore.dll'
- '\uianimation.dll'
- '\uiautomationcore.dll'
- '\uireng.dll'
- '\uiribbon.dll'
- '\umpdc.dll'
- '\unattend.dll'
- '\updatepolicy.dll'
- '\upshared.dll'
- '\urlmon.dll'
- '\userenv.dll'
- '\utildll.dll'
- '\uxinit.dll'
- '\uxtheme.dll'
- '\vaultcli.dll'
- '\vdsutil.dll'
- '\version.dll'
- '\virtdisk.dll'
- '\vssapi.dll'
- '\vsstrace.dll'
- '\wbemprox.dll'
- '\wbemsvc.dll'
- '\wcmapi.dll'
- '\wcnnetsh.dll'
- '\wdi.dll'
- '\wdscore.dll'
- '\webservices.dll'
- '\wecapi.dll'
- '\wer.dll'
- '\wevtapi.dll'
- '\whhelper.dll'
- '\wimgapi.dll'
- '\winbio.dll'
- '\winbrand.dll'
- '\windows.storage.dll'
- '\windows.storage.search.dll'
- '\windows.ui.immersive.dll'
- '\windowscodecs.dll'
- '\windowscodecsext.dll'
- '\windowsudk.shellcommon.dll'
- '\winhttp.dll'
- '\wininet.dll'
- '\winipsec.dll'
- '\winmde.dll'
- '\winmm.dll'
- '\winnsi.dll'
- '\winrnr.dll'
- '\winscard.dll'
- '\winsqlite3.dll'
- '\winsta.dll'
- '\winsync.dll'
- '\wkscli.dll'
- '\wlanapi.dll'
- '\wlancfg.dll'
- '\wldp.dll'
- '\wlidprov.dll'
- '\wmiclnt.dll'
- '\wmidcom.dll'
- '\wmiutils.dll'
- '\wmpdui.dll'
- '\wmsgapi.dll'
- '\wofutil.dll'
- '\wpdshext.dll'
- '\wscapi.dll'
- '\wsdapi.dll'
- '\wshbth.dll'
- '\wshelper.dll'
- '\wsmsvc.dll'
- '\wtsapi32.dll'
- '\wwancfg.dll'
- '\wwapi.dll'
- '\xmllite.dll'
- '\xolehlp.dll'
- '\xpsservices.dll'
- '\xwizards.dll'
- '\xwtpw32.dll'
# From https://github.com/XForceIR/SideLoadHunter/blob/main/SideLoads/README.md
- '\amsi.dll'
- '\appraiser.dll'
- '\COMRES.DLL'
- '\cryptnet.dll'
- '\DispBroker.dll'
- '\dsound.dll'
- '\dxilconv.dll'
- '\FxsCompose.dll'
- '\FXSRESM.DLL'
- '\msdtcVSp1res.dll'
- '\PrintIsolationProxy.dll'
- '\rdpendp.dll'
- '\rpchttp.dll'
- '\storageusage.dll'
- '\utcutil.dll'
- '\WfsR.dll'
# The DLLs below exists in "C:\Windows\System32\DriverStore\FileRepository\" folder. But there is also a copy located in "C:\ProgramData\Package Cache\XXXXXXX\Graphics\". If you see them being loaded from there. Please comment them out, don't add a filter for ProgramData :)
- '\igd10iumd64.dll'
- '\igd12umd64.dll'
- '\igdumdim64.dll'
- '\igdusc64.dll'
# Other
- '\TSMSISrv.dll'
- '\TSVIPSrv.dll'
- '\wbemcomn.dll'
- '\WLBSCTRL.dll'
- '\wow64log.dll'
- '\WptsExtensions.dll'
filter_main_generic:
# Note: this filter is generic on purpose to avoid insane amount of FP from legitimate third party applications. A better approach would be to baseline everything and add specific filters to avoid blind spots
ImageLoaded|contains:
- 'C:\$WINDOWS.~BT\'
- 'C:\$WinREAgent\'
- 'C:\Windows\SoftwareDistribution\'
- 'C:\Windows\System32\'
- 'C:\Windows\SystemTemp\'
- 'C:\Windows\SysWOW64\'
- 'C:\Windows\WinSxS\'
- 'C:\Windows\SyChpe32\' # “hybrid” binaries containing x86-to-ARM stubs to improve the x86 emulation performance
filter_main_windows_temp:
ImageLoaded|startswith: 'C:\Windows\Temp\'
Image|startswith:
- 'C:\Windows\WinSxS\arm64'
- 'C:\Windows\UUS\arm64\'
Image|endswith:
- '\TiWorker.exe'
- '\wuaucltcore.exe'
filter_main_dot_net:
ImageLoaded|startswith: 'C:\Windows\Microsoft.NET\'
ImageLoaded|endswith: '\cscui.dll'
filter_main_defender:
ImageLoaded|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
ImageLoaded|endswith: '\version.dll'
filter_main_directx:
ImageLoaded|startswith: 'C:\Program Files\WindowsApps\Microsoft.DirectXRuntime_'
ImageLoaded|endswith: '\d3dx9_43.dll'
filter_optional_exchange:
ImageLoaded|startswith: 'C:\Program Files\Microsoft\Exchange Server\'
ImageLoaded|endswith: '\mswb7.dll'
filter_optional_arsenal_image_mounter:
ImageLoaded|startswith: 'C:\Program Files\Arsenal-Image-Mounter-'
ImageLoaded|endswith:
- '\mi.dll'
- '\miutils.dl'
filter_optional_office_appvpolicy:
Image: 'C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe'
ImageLoaded: 'C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll'
filter_optional_azure:
ImageLoaded|startswith: 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
filter_optional_dell:
Image|contains:
- 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
- 'C:\Windows\System32\backgroundTaskHost.exe'
ImageLoaded|startswith: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
filter_optional_dell_wldp:
Image|startswith: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
Image|endswith: '\wldp.dll'
filter_optional_checkpoint:
Image|startswith:
- 'C:\Program Files\CheckPoint\'
- 'C:\Program Files (x86)\CheckPoint\'
Image|endswith: '\SmartConsole.exe'
ImageLoaded|startswith:
- 'C:\Program Files\CheckPoint\'
- 'C:\Program Files (x86)\CheckPoint\'
ImageLoaded|endswith: '\PolicyManager.dll'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate applications loading their own versions of the DLLs mentioned in this rule
level: high
Convert to SIEM query
high
Strong
Medium FP
Potential Tampering With RDP Related Registry Keys Via Reg.EXE
Detects the execution of "reg.exe" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\Control\Terminal Server' values
view Sigma YAML
title: Potential Tampering With RDP Related Registry Keys Via Reg.EXE
id: 0d5675be-bc88-4172-86d3-1e96a4476536
status: test
description: Detects the execution of "reg.exe" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\Control\Terminal Server' values
references:
- https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
- http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/ # Contain description for most of the keys mentioned here (check it out if you want more information
- http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/ # Related to the Shadow RPD technique
- https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services # Contain description for most of the keys mentioned here (check it out if you want more information)
- https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/
- https://blog.sekoia.io/darkgate-internals/
- https://blog.talosintelligence.com/understanding-the-phobos-affiliate-structure/
- https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-63---disable-remote-desktop-anti-alias-setting-through-registry
- https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-64---disable-remote-desktop-security-settings-through-registry
- https://github.com/redcanaryco/atomic-red-team/blob/dd526047b8c399c312fee47d1e6fb531164da54d/atomics/T1112/T1112.yaml#L790
- https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-terminalservices-rdp-winstationextensions-securitylayer
- https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html
- https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03 # Related to the Shadow RPD technique
- https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html # Related to RDP hijacking via the "ServiceDll" key
- https://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-ransomware.html
author: pH-T (Nextron Systems), @Kostastsale, TheDFIRReport
date: 2022-02-12
modified: 2025-11-22
tags:
- attack.persistence
- attack.lateral-movement
- attack.defense-impairment
- attack.t1021.001
- attack.t1112
logsource:
product: windows
category: process_creation
detection:
selection_main_img:
- Image|endswith: '\reg.exe'
- OriginalFileName: 'reg.exe'
selection_main_cli:
CommandLine|contains|all:
- ' add '
- '\CurrentControlSet\Control\Terminal Server'
- 'REG_DWORD'
- ' /f'
selection_values_1:
CommandLine|contains|all:
- 'Licensing Core'
- 'EnableConcurrentSessions'
selection_values_2:
CommandLine|contains:
- 'AllowTSConnections'
- 'fDenyTSConnections'
- 'fEnableWinStation'
- 'fSingleSessionPerUser'
- 'IdleWinStationPoolCount'
- 'MaxInstanceCount'
- 'SecurityLayer'
- 'TSAdvertise'
- 'TSAppCompat'
- 'TSEnabled'
- 'TSUserEnabled'
- 'WinStations\RDP-Tcp'
filter_main_values_tls:
CommandLine|contains|all:
- 'SecurityLayer'
- '02' # TLS Enabled
condition: all of selection_main_* and 1 of selection_values_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Potential Tampering With Security Products Via WMIC
Detects uninstallation or termination of security products using the WMIC utility
view Sigma YAML
title: Potential Tampering With Security Products Via WMIC
id: 847d5ff3-8a31-4737-a970-aeae8fe21765
related:
- id: b53317a0-8acf-4fd1-8de8-a5401e776b96 # Generic Uninstall
type: derived
status: test
description: Detects uninstallation or termination of security products using the WMIC utility
references:
- https://twitter.com/cglyer/status/1355171195654709249
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
- https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions
- https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
- https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021-01-30
modified: 2023-02-14
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_cli_1:
CommandLine|contains|all:
- 'wmic'
- 'product where '
- 'call'
- 'uninstall'
- '/nointeractive'
selection_cli_2:
CommandLine|contains|all:
- 'wmic'
- 'caption like '
CommandLine|contains:
- 'call delete'
- 'call terminate'
selection_cli_3:
CommandLine|contains|all:
- 'process '
- 'where '
- 'delete'
selection_product:
CommandLine|contains:
- '%carbon%'
- '%cylance%'
- '%endpoint%'
- '%eset%'
- '%malware%'
- '%Sophos%'
- '%symantec%'
- 'Antivirus'
- 'AVG '
- 'Carbon Black'
- 'CarbonBlack'
- 'Cb Defense Sensor 64-bit'
- 'Crowdstrike Sensor'
- 'Cylance '
- 'Dell Threat Defense'
- 'DLP Endpoint'
- 'Endpoint Detection'
- 'Endpoint Protection'
- 'Endpoint Security'
- 'Endpoint Sensor'
- 'ESET File Security'
- 'LogRhythm System Monitor Service'
- 'Malwarebytes'
- 'McAfee Agent'
- 'Microsoft Security Client'
- 'Sophos Anti-Virus'
- 'Sophos AutoUpdate'
- 'Sophos Credential Store'
- 'Sophos Management Console'
- 'Sophos Management Database'
- 'Sophos Management Server'
- 'Sophos Remote Management System'
- 'Sophos Update Manager'
- 'Threat Protection'
- 'VirusScan'
- 'Webroot SecureAnywhere'
- 'Windows Defender'
condition: 1 of selection_cli_* and selection_product
falsepositives:
- Legitimate administration
level: high
Convert to SIEM query
high
Moderate
High FP
Potential Ursnif Malware Activity - Registry
Detects registry keys related to Ursnif malware.
view Sigma YAML
title: Potential Ursnif Malware Activity - Registry
id: 21f17060-b282-4249-ade0-589ea3591558
status: test
description: Detects registry keys related to Ursnif malware.
references:
- https://blog.yoroi.company/research/ursnif-long-live-the-steganography/
- https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/
author: megan201296
date: 2019-02-13
modified: 2025-10-22
tags:
- attack.persistence
- attack.execution
- attack.defense-impairment
- attack.t1112
- detection.emerging-threats
logsource:
product: windows
category: registry_add
detection:
selection:
TargetObject|endswith: '\Software\AppDataLow\Software\Microsoft\3A861D62-51E0-7C9D-AB0E-15700F2219A4'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Potential Vcruntime140 DLL Sideloading
Detects potential DLL sideloading of vcruntime140.dll, a common C++ runtime library.
Threat actors have been observed using DLL sideloading techniques to load malicious payloads under the guise of legitimate applications such as SqlWriter, SqlDumper etc.
Notably, APT29 has been documented leveraging WinELOADER to sideload vcruntime140.dll for executing malicious code.
view Sigma YAML
title: Potential Vcruntime140 DLL Sideloading
id: d7a63acb-1284-49bc-bfea-7771146c8b1c
status: experimental
description: |
Detects potential DLL sideloading of vcruntime140.dll, a common C++ runtime library.
Threat actors have been observed using DLL sideloading techniques to load malicious payloads under the guise of legitimate applications such as SqlWriter, SqlDumper etc.
Notably, APT29 has been documented leveraging WinELOADER to sideload vcruntime140.dll for executing malicious code.
references:
- https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties
- https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader
- https://www.nextron-systems.com/2023/09/15/detecting-janelarat-with-yara-and-thor/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-12
modified: 2026-05-18
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\vcruntime140.dll'
filter_main_legitimate_path:
ImageLoaded|startswith:
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
- 'C:\Program Files\'
- 'C:\Program Files (x86)\'
filter_main_legitimate_signer:
Signed: true
SignatureStatus: 'Valid'
Description|endswith: 'C Runtime Library'
filter_optional_onedrive:
Image|startswith: 'C:\Users\'
Image|contains: '\AppData\Local\Microsoft\OneDrive\'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/image_load/image_load_side_load_vcruntime140/info.yml
Convert to SIEM query
high
Moderate
Medium FP
Potential Waveedit.DLL Sideloading
Detects potential DLL sideloading of "waveedit.dll", which is part of the Nero WaveEditor audio editing software.
view Sigma YAML
title: Potential Waveedit.DLL Sideloading
id: 71b31e99-9ad0-47d4-aeb5-c0ca3928eeeb
status: test
description: Detects potential DLL sideloading of "waveedit.dll", which is part of the Nero WaveEditor audio editing software.
references:
- https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html
author: X__Junior (Nextron Systems)
date: 2023-06-14
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\waveedit.dll'
filter_main_legit_path:
Image:
- 'C:\Program Files (x86)\Nero\Nero Apps\Nero WaveEditor\waveedit.exe'
- 'C:\Program Files\Nero\Nero Apps\Nero WaveEditor\waveedit.exe'
ImageLoaded|startswith:
- 'C:\Program Files (x86)\Nero\Nero Apps\Nero WaveEditor\'
- 'C:\Program Files\Nero\Nero Apps\Nero WaveEditor\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
High FP
Potential WerFault ReflectDebugger Registry Value Abuse
Detects potential WerFault "ReflectDebugger" registry value abuse for persistence.
view Sigma YAML
title: Potential WerFault ReflectDebugger Registry Value Abuse
id: 0cf2e1c6-8d10-4273-8059-738778f981ad
related:
- id: fabfb3a7-3ce1-4445-9c7c-3c27f1051cdd
type: derived
status: test
description: Detects potential WerFault "ReflectDebugger" registry value abuse for persistence.
references:
- https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html
- https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/
author: X__Junior
date: 2023-05-18
tags:
- attack.stealth
- attack.t1036.003
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\Microsoft\Windows\Windows Error Reporting\Hangs\ReflectDebugger'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Potential WinAPI Calls Via CommandLine
Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec
view Sigma YAML
title: Potential WinAPI Calls Via CommandLine
id: ba3f5c1b-6272-4119-9dbd-0bc8d21c2702
related:
- id: 03d83090-8cba-44a0-b02f-0b756a050306
type: derived
status: test
description: Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec
references:
- https://twitter.com/m417z/status/1566674631788007425
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-06
modified: 2025-03-06
tags:
- attack.execution
- attack.t1106
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- 'AddSecurityPackage'
- 'AdjustTokenPrivileges'
- 'Advapi32'
- 'CloseHandle'
- 'CreateProcessWithToken'
- 'CreatePseudoConsole'
- 'CreateRemoteThread'
- 'CreateThread'
- 'CreateUserThread'
- 'DangerousGetHandle'
- 'DuplicateTokenEx'
- 'EnumerateSecurityPackages'
- 'FreeHGlobal'
- 'FreeLibrary'
- 'GetDelegateForFunctionPointer'
- 'GetLogonSessionData'
- 'GetModuleHandle'
- 'GetProcAddress'
- 'GetProcessHandle'
- 'GetTokenInformation'
- 'ImpersonateLoggedOnUser'
- 'kernel32'
- 'LoadLibrary'
- 'memcpy'
- 'MiniDumpWriteDump'
# - 'msvcrt'
- 'ntdll'
- 'OpenDesktop'
- 'OpenProcess'
- 'OpenProcessToken'
- 'OpenThreadToken'
- 'OpenWindowStation'
- 'PtrToString'
- 'QueueUserApc'
- 'ReadProcessMemory'
- 'RevertToSelf'
- 'RtlCreateUserThread'
- 'secur32'
- 'SetThreadToken'
# - 'user32'
- 'VirtualAlloc'
- 'VirtualFree'
- 'VirtualProtect'
- 'WaitForSingleObject'
- 'WriteInt32'
- 'WriteProcessMemory'
- 'ZeroFreeGlobalAllocUnicode'
filter_optional_mpcmdrun:
Image|endswith: '\MpCmdRun.exe'
CommandLine|contains: 'GetLoadLibraryWAddress32'
filter_optional_compatTelRunner:
ParentImage|endswith: '\CompatTelRunner.exe'
CommandLine|contains:
- 'FreeHGlobal'
- 'PtrToString'
- 'kernel32'
- 'CloseHandle'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Some legitimate action or applications may use these functions. Investigate further to determine the legitimacy of the activity.
level: high
Convert to SIEM query
high
Strong
Medium FP
Potential WinAPI Calls Via PowerShell Scripts
Detects use of WinAPI functions in PowerShell scripts
view Sigma YAML
title: Potential WinAPI Calls Via PowerShell Scripts
id: 03d83090-8cba-44a0-b02f-0b756a050306
related:
- id: ba3f5c1b-6272-4119-9dbd-0bc8d21c2702
type: similar
status: test
description: Detects use of WinAPI functions in PowerShell scripts
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: Nasreddine Bencherchali (Nextron Systems), Nikita Nazarov, oscd.community
date: 2020-10-06
modified: 2023-06-20
tags:
- attack.execution
- attack.t1059.001
- attack.t1106
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
# Note: Add more suspicious combinations in the form of different selections
selection_injection:
ScriptBlockText|contains|all:
- 'VirtualAlloc'
- 'OpenProcess'
- 'WriteProcessMemory'
- 'CreateRemoteThread'
selection_token_steal:
ScriptBlockText|contains|all:
- 'OpenProcessToken'
- 'LookupPrivilegeValue'
- 'AdjustTokenPrivileges'
selection_duplicate_token:
ScriptBlockText|contains|all:
- 'OpenProcessToken'
- 'DuplicateTokenEx'
- 'CloseHandle'
selection_process_write_read:
ScriptBlockText|contains|all:
- 'WriteProcessMemory'
- 'VirtualAlloc'
- 'ReadProcessMemory'
- 'VirtualFree'
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential Windows Defender AV Bypass Via Dump64.EXE Rename
Detects when a user is potentially trying to bypass the Windows Defender AV by renaming a tool to dump64.exe and placing it in the Visual Studio folder.
Currently the rule is covering only usage of procdump but other utilities can be added in order to increase coverage.
view Sigma YAML
title: Potential Windows Defender AV Bypass Via Dump64.EXE Rename
id: 129966c9-de17-4334-a123-8b58172e664d
status: test
description: |
Detects when a user is potentially trying to bypass the Windows Defender AV by renaming a tool to dump64.exe and placing it in the Visual Studio folder.
Currently the rule is covering only usage of procdump but other utilities can be added in order to increase coverage.
references:
- https://twitter.com/mrd0x/status/1460597833917251595
author: Austin Songer @austinsonger, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021-11-26
modified: 2024-06-21
tags:
- attack.credential-access
- attack.t1003.001
logsource:
product: windows
category: process_creation
detection:
selection_dump:
Image|startswith: ':\Program Files'
Image|contains: '\Microsoft Visual Studio\'
Image|endswith: '\dump64.exe'
selection_tools_procdump:
- OriginalFileName: 'procdump'
- CommandLine|contains:
- ' -ma ' # Full Dump
- ' -mp ' # Mini Plus
condition: selection_dump and 1 of selection_tools_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Potential Windows Defender Tampering Via Wmic.EXE
Detects potential tampering with Windows Defender settings such as adding exclusion using wmic
view Sigma YAML
title: Potential Windows Defender Tampering Via Wmic.EXE
id: 51cbac1e-eee3-4a90-b1b7-358efb81fa0a
status: test
description: Detects potential tampering with Windows Defender settings such as adding exclusion using wmic
references:
- https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md
- https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
- https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/
author: frack113
date: 2022-12-11
modified: 2023-02-14
tags:
- attack.execution
- attack.defense-impairment
- attack.t1047
- attack.t1685
logsource:
product: windows
category: process_creation
detection:
selection_img:
- OriginalFileName: 'wmic.exe'
- Image|endswith: '\WMIC.exe'
selection_cli:
CommandLine|contains: '/Namespace:\\\\root\\Microsoft\\Windows\\Defender'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Potential Winnti Dropper Activity
Detects files dropped by Winnti as described in RedMimicry Winnti playbook
view Sigma YAML
title: Potential Winnti Dropper Activity
id: 130c9e58-28ac-4f83-8574-0a4cc913b97e
status: test
description: Detects files dropped by Winnti as described in RedMimicry Winnti playbook
references:
- https://redmimicry.com/posts/redmimicry-winnti/#dropper
author: Alexander Rausch
date: 2020-06-24
modified: 2023-01-05
tags:
- attack.stealth
- attack.t1027
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith:
- '\gthread-3.6.dll'
- '\sigcmm-2.4.dll'
- '\Windows\Temp\tmp.bat'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Potential WizardUpdate Malware Infection
Detects the execution traces of the WizardUpdate malware. WizardUpdate is a macOS trojan that attempts to infiltrate macOS machines to steal data and it is associated with other types of malicious payloads, increasing the chances of multiple infections on a device.
view Sigma YAML
title: Potential WizardUpdate Malware Infection
id: f68c4a4f-19ef-4817-952c-50dce331f4b0
status: test
description: Detects the execution traces of the WizardUpdate malware. WizardUpdate is a macOS trojan that attempts to infiltrate macOS machines to steal data and it is associated with other types of malicious payloads, increasing the chances of multiple infections on a device.
references:
- https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset
- https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/
author: Tim Rauch (rule), Elastic (idea)
date: 2022-10-17
tags:
- attack.command-and-control
logsource:
category: process_creation
product: macos
detection:
selection_1:
Image|endswith: '/sh'
CommandLine|contains|all:
- '=$(curl '
- 'eval'
selection_2:
Image|endswith: '/curl'
CommandLine|contains: '_intermediate_agent_'
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Potential XXE Exploitation Attempt In JVM Based Application
Detects XML parsing issues, if the application expects to work with XML make sure that the parser is initialized safely.
view Sigma YAML
title: Potential XXE Exploitation Attempt In JVM Based Application
id: c4e06896-e27c-4583-95ac-91ce2279345d
status: test
description: Detects XML parsing issues, if the application expects to work with XML make sure that the parser is initialized safely.
references:
- https://rules.sonarsource.com/java/RSPEC-2755
- https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
- https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
author: Moti Harmats
date: 2023-02-11
tags:
- attack.initial-access
- attack.t1190
logsource:
category: application
product: jvm
definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
detection:
keywords:
- 'SAXParseException'
- 'DOMException'
condition: keywords
falsepositives:
- If the application expects to work with XML there may be parsing issues that don't necessarily mean XXE.
level: high
Convert to SIEM query
high
Strong
Low FP
Potential Zerologon (CVE-2020-1472) Exploitation
Detects potential Netlogon Elevation of Privilege Vulnerability aka Zerologon (CVE-2020-1472)
view Sigma YAML
title: Potential Zerologon (CVE-2020-1472) Exploitation
id: dd7876d8-0f09-11eb-adc1-0242ac120002
status: test
description: Detects potential Netlogon Elevation of Privilege Vulnerability aka Zerologon (CVE-2020-1472)
references:
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
- https://www.logpoint.com/en/blog/detecting-zerologon-vulnerability-in-logpoint/
author: Aleksandr Akhremchik, @aleqs4ndr, ocsd.community
date: 2020-10-15
modified: 2023-12-15
tags:
- attack.privilege-escalation
- attack.t1068
- cve.2020-1472
logsource:
product: windows
service: security
detection:
selection:
EventID: 4742
SubjectUserName: 'ANONYMOUS LOGON'
TargetUserName|expand: '%DC-MACHINE-NAME%' # DC machine account name that ends with '$'
filter_main:
PasswordLastSet: '-'
condition: selection and not filter_main
falsepositives:
- Automatic DC computer account password change
- Legitimate DC computer account password change
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential appverifUI.DLL Sideloading
Detects potential DLL sideloading of "appverifUI.dll"
view Sigma YAML
title: Potential appverifUI.DLL Sideloading
id: ee6cea48-c5b6-4304-a332-10fc6446f484
status: test
description: Detects potential DLL sideloading of "appverifUI.dll"
references:
- https://web.archive.org/web/20220519091349/https://fatrodzianko.com/2020/02/15/dll-side-loading-appverif-exe/
author: X__Junior (Nextron Systems)
date: 2023-06-20
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\appverifUI.dll'
filter_main_legit_path:
Image:
- 'C:\Windows\SysWOW64\appverif.exe'
- 'C:\Windows\System32\appverif.exe'
ImageLoaded|startswith:
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
- 'C:\Windows\WinSxS\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
High FP
Potentially Suspicious ASP.NET Compilation Via AspNetCompiler
Detects execution of "aspnet_compiler.exe" with potentially suspicious paths for compilation.
view Sigma YAML
title: Potentially Suspicious ASP.NET Compilation Via AspNetCompiler
id: 9f50fe98-fe5c-4a2d-86c7-fad7f63ed622 # Susp Paths
related:
- id: 9ccba514-7cb6-4c5c-b377-700758f2f120 # SuspChild
type: similar
- id: 4c7f49ee-2638-43bb-b85b-ce676c30b260 # TMP File
type: similar
- id: a01b8329-5953-4f73-ae2d-aa01e1f35f00 # Exec
type: similar
status: test
description: Detects execution of "aspnet_compiler.exe" with potentially suspicious paths for compilation.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/
- https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-14
modified: 2025-02-24
tags:
- attack.execution
- attack.stealth
- attack.t1127
logsource:
category: process_creation
product: windows
detection:
selection:
Image|contains:
- ':\Windows\Microsoft.NET\Framework\'
- ':\Windows\Microsoft.NET\Framework64\'
- ':\Windows\Microsoft.NET\FrameworkArm\'
- ':\Windows\Microsoft.NET\FrameworkArm64\'
Image|endswith: '\aspnet_compiler.exe'
CommandLine|contains:
# Note: add other potential suspicious paths
- '\Users\Public\'
- '\AppData\Local\Temp\'
- '\AppData\Local\Roaming\'
- ':\Temp\'
- ':\Windows\Temp\'
- ':\Windows\System32\Tasks\'
- ':\Windows\Tasks\'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Potentially Suspicious Call To Win32_NTEventlogFile Class
Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script
view Sigma YAML
title: Potentially Suspicious Call To Win32_NTEventlogFile Class
id: caf201a9-c2ce-4a26-9c3a-2b9525413711
related:
- id: e2812b49-bae0-4b21-b366-7c142eafcde2
type: similar
status: test
description: Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script
references:
- https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/aa394225(v=vs.85)
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-13
tags:
- attack.defense-impairment
logsource:
category: process_creation
product: windows
detection:
selection_class:
CommandLine|contains: 'Win32_NTEventlogFile'
selection_function:
CommandLine|contains:
- '.BackupEventlog('
- '.ChangeSecurityPermissions('
- '.ChangeSecurityPermissionsEx('
- '.ClearEventLog('
- '.Delete('
- '.DeleteEx('
- '.Rename('
- '.TakeOwnerShip('
- '.TakeOwnerShipEx('
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Potentially Suspicious Child Process Of Regsvr32
Detects potentially suspicious child processes of "regsvr32.exe".
view Sigma YAML
title: Potentially Suspicious Child Process Of Regsvr32
id: 6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca
related:
- id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
type: obsolete
status: test
description: Detects potentially suspicious child processes of "regsvr32.exe".
references:
- https://redcanary.com/blog/intelligence-insights-april-2022/
- https://www.echotrail.io/insights/search/regsvr32.exe
- https://www.ired.team/offensive-security/code-execution/t1117-regsvr32-aka-squiblydoo
author: elhoim, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-05-05
modified: 2023-05-26
tags:
- attack.stealth
- attack.t1218.010
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\regsvr32.exe'
Image|endswith:
- '\calc.exe'
- '\cscript.exe'
- '\explorer.exe'
- '\mshta.exe'
- '\net.exe'
- '\net1.exe'
- '\nltest.exe'
- '\notepad.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\reg.exe'
- '\schtasks.exe'
- '\werfault.exe'
- '\wscript.exe'
filter_main_werfault:
Image|endswith: '\werfault.exe'
CommandLine|contains: ' -u -p '
condition: selection and not 1 of filter_main_*
falsepositives:
- Unlikely, but can rarely occur. Apply additional filters accordingly.
level: high
Convert to SIEM query
high
Moderate
High FP
Potentially Suspicious Child Processes Spawned by ConHost
Detects suspicious child processes related to Windows Shell utilities spawned by `conhost.exe`, which could indicate malicious activity using trusted system components.
view Sigma YAML
title: Potentially Suspicious Child Processes Spawned by ConHost
id: dfa03a09-8b92-4d83-8e74-f72839b1c407
related:
- id: 7dc2dedd-7603-461a-bc13-15803d132355
type: similar
status: experimental
description: Detects suspicious child processes related to Windows Shell utilities spawned by `conhost.exe`, which could indicate malicious activity using trusted system components.
references:
- https://tria.ge/241015-l98snsyeje/behavioral2
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-02-05
tags:
- attack.stealth
- attack.t1202
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\conhost.exe'
selection_child:
- Image|endswith:
- '\cmd.exe' # Windows Command Prompt
- '\cscript.exe' # Windows Script Host (used for scripting exploits)
- '\mshta.exe' # MSHTA (HTML Application Host, often abused)
- '\powershell_ise.exe' # PowerShell ISE
- '\powershell.exe' # Windows PowerShell
- '\pwsh.exe' # PowerShell Core
- '\regsvr32.exe' # Windows Registry Server (commonly used for exploits)
- '\wscript.exe' # Windows Script Host (for executing scripts)
- OriginalFileName:
- 'cmd.exe'
- 'cscript.exe'
- 'mshta.exe'
- 'powershell_ise.exe'
- 'powershell.exe'
- 'pwsh.dll'
- 'regsvr32.exe'
- 'wscript.exe'
condition: all of selection_*
falsepositives:
- Legitimate administrative tasks using `conhost.exe` to spawn child processes such as `cmd.exe`, `powershell.exe`, or `regsvr32.exe`.
level: high
Convert to SIEM query
high
Strong
Medium FP
Potentially Suspicious Command Executed Via Run Dialog Box - Registry
Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key.
This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.
view Sigma YAML
title: Potentially Suspicious Command Executed Via Run Dialog Box - Registry
id: a7df0e9e-91a5-459a-a003-4cde67c2ff5d
related:
- id: f9d091f6-f1c7-4873-a24f-050b4a02b4dd
type: derived
status: test
description: |
Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key.
This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.
references:
- https://medium.com/@ahmed.moh.farou2/fake-captcha-campaign-on-arabic-pirated-movie-sites-delivers-lumma-stealer-4f203f7adabf
- https://medium.com/@shaherzakaria8/downloading-trojan-lumma-infostealer-through-capatcha-1f25255a0e71
- https://www.forensafe.com/blogs/runmrukey.html
- https://redcanary.com/blog/threat-intelligence/intelligence-insights-october-2024/
author: Ahmed Farouk, Nasreddine Bencherchali
date: 2024-11-01
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: registry_set
detection:
selection_key:
TargetObject|contains: '\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
selection_powershell_command:
Details|contains:
- 'powershell'
- 'pwsh'
selection_powershell_susp_keywords:
Details|contains:
- ' -e '
- ' -ec '
- ' -en '
- ' -enc '
- ' -enco'
- 'ftp'
- 'Hidden'
- 'http'
- 'iex'
- 'Invoke-'
selection_wmic_command:
Details|contains: 'wmic'
selection_wmic_susp_keywords:
Details|contains:
- 'shadowcopy'
- 'process call create'
condition: selection_key and (all of selection_powershell_* or all of selection_wmic_*)
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Potentially Suspicious DLL Registered Via Odbcconf.EXE
Detects execution of "odbcconf" with the "REGSVR" action where the DLL in question doesn't contain a ".dll" extension. Which is often used as a method to evade defenses.
view Sigma YAML
title: Potentially Suspicious DLL Registered Via Odbcconf.EXE
id: ba4cfc11-d0fa-4d94-bf20-7c332c412e76
related:
- id: 9f0a8bf3-a65b-440a-8c1e-5cb1547c8e70
type: derived
status: test
description: Detects execution of "odbcconf" with the "REGSVR" action where the DLL in question doesn't contain a ".dll" extension. Which is often used as a method to evade defenses.
references:
- https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16
- https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/
- https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-22
tags:
- attack.stealth
- attack.t1218.008
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\odbcconf.exe'
- OriginalFileName: 'odbcconf.exe'
selection_cli:
# Note: The "/A" flag is not required to call a specific action
CommandLine|contains: 'REGSVR '
filter_main_dll_ext:
CommandLine|contains: '.dll'
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
High FP
Potentially Suspicious Event Viewer Child Process
Detects uncommon or suspicious child processes of "eventvwr.exe" which might indicate a UAC bypass attempt
view Sigma YAML
title: Potentially Suspicious Event Viewer Child Process
id: be344333-921d-4c4d-8bb8-e584cf584780
related:
- id: 7c81fec3-1c1d-43b0-996a-46753041b1b6
type: derived
status: test
description: Detects uncommon or suspicious child processes of "eventvwr.exe" which might indicate a UAC bypass attempt
references:
- https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
- https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100
author: Florian Roth (Nextron Systems)
date: 2017-03-19
modified: 2023-09-28
tags:
- attack.privilege-escalation
- attack.t1548.002
- car.2019-04-001
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\eventvwr.exe'
filter_main_generic:
Image|endswith:
- ':\Windows\System32\mmc.exe'
- ':\Windows\System32\WerFault.exe'
- ':\Windows\SysWOW64\WerFault.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Potentially Suspicious Execution From Parent Process In Public Folder
Detects a potentially suspicious execution of a parent process located in the "\Users\Public" folder executing a child process containing references to shell or scripting binaries and commandlines.
view Sigma YAML
title: Potentially Suspicious Execution From Parent Process In Public Folder
id: 69bd9b97-2be2-41b6-9816-fb08757a4d1a
status: test
description: |
Detects a potentially suspicious execution of a parent process located in the "\Users\Public" folder executing a child process containing references to shell or scripting binaries and commandlines.
references:
- https://redcanary.com/blog/blackbyte-ransomware/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-02-25
modified: 2024-07-12
tags:
- attack.execution
- attack.stealth
- attack.t1564
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|contains: ':\Users\Public\'
selection_child:
- Image|endswith:
- '\bitsadmin.exe'
- '\certutil.exe'
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\wscript.exe'
- CommandLine|contains:
- 'bitsadmin'
- 'certutil'
- 'cscript'
- 'mshta'
- 'powershell'
- 'regsvr32'
- 'rundll32'
- 'wscript'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE
Detects potentially suspicious file downloads from file sharing domains using PowerShell.exe
view Sigma YAML
title: Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE
id: b6e04788-29e1-4557-bb14-77f761848ab8
status: test
description: Detects potentially suspicious file downloads from file sharing domains using PowerShell.exe
references:
- https://labs.withsecure.com/publications/fin7-target-veeam-servers
- https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
- https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
- https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-02-23
modified: 2024-12-10
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_websites:
CommandLine|contains:
# Note: You might want to baseline the github domain before including it
# - '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea).
- 'anonfiles.com'
- 'cdn.discordapp.com'
- 'ddns.net'
- 'dl.dropboxusercontent.com'
- 'ghostbin.co'
# - 'github.com' See note above
- 'glitch.me'
- 'gofile.io'
- 'hastebin.com'
- 'mediafire.com'
- 'mega.nz'
- 'onrender.com'
- 'pages.dev'
- 'paste.ee'
- 'pastebin.com'
- 'pastebin.pl'
- 'pastetext.net'
- 'pixeldrain.com'
- 'privatlab.com'
- 'privatlab.net'
- 'send.exploit.in'
- 'sendspace.com'
- 'storage.googleapis.com'
- 'storjshare.io'
- 'supabase.co'
- 'temp.sh'
- 'transfer.sh'
- 'trycloudflare.com'
- 'ufile.io'
- 'w3spaces.com'
- 'workers.dev'
selection_download:
CommandLine|contains:
- '.DownloadString('
- '.DownloadFile('
- 'Invoke-WebRequest '
- 'iwr '
- 'wget '
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Potentially Suspicious File Download From ZIP TLD
Detects the download of a file with a potentially suspicious extension from a .zip top level domain.
view Sigma YAML
title: Potentially Suspicious File Download From ZIP TLD
id: 0bb4bbeb-fe52-4044-b40c-430a04577ebe
status: test
description: Detects the download of a file with a potentially suspicious extension from a .zip top level domain.
references:
- https://twitter.com/cyb3rops/status/1659175181695287297
- https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/
author: Florian Roth (Nextron Systems)
date: 2023-05-18
tags:
- attack.stealth
logsource:
product: windows
category: create_stream_hash
detection:
selection:
Contents|contains: '.zip/'
TargetFilename|contains:
- '.bat:Zone'
- '.dat:Zone'
- '.dll:Zone'
- '.doc:Zone'
- '.docm:Zone'
- '.exe:Zone'
- '.hta:Zone'
- '.pptm:Zone'
- '.ps1:Zone'
- '.rar:Zone'
- '.rtf:Zone'
- '.sct:Zone'
- '.vbe:Zone'
- '.vbs:Zone'
- '.ws:Zone'
- '.wsf:Zone'
- '.xll:Zone'
- '.xls:Zone'
- '.xlsm:Zone'
- '.zip:Zone'
condition: selection
falsepositives:
- Legitimate file downloads from a websites and web services that uses the ".zip" top level domain.
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potentially Suspicious Malware Callback Communication
Detects programs that connect to known malware callback ports based on statistical analysis from two different sandbox system databases
view Sigma YAML
title: Potentially Suspicious Malware Callback Communication
id: 4b89abaa-99fe-4232-afdd-8f9aa4d20382
related:
- id: 6d8c3d20-a5e1-494f-8412-4571d716cf5c
type: similar
status: test
description: |
Detects programs that connect to known malware callback ports based on statistical analysis from two different sandbox system databases
references:
- https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
author: Florian Roth (Nextron Systems)
date: 2017-03-19
modified: 2024-03-12
tags:
- attack.persistence
- attack.command-and-control
- attack.t1571
logsource:
category: network_connection
product: windows
detection:
selection:
Initiated: 'true'
DestinationPort:
- 100
- 198
- 200
- 243
- 473
- 666
- 700
- 743
- 777
- 1443
- 1515
- 1777
- 1817
- 1904
- 1960
- 2443
- 2448
- 3360
- 3675
- 3939
- 4040
- 4433
- 4438
- 4443
- 4444
- 4455
- 5445
- 5552
- 5649
- 6625
- 7210
- 7777
- 8143
- 8843
- 9631
- 9943
- 10101
- 12102
- 12103
- 12322
- 13145
- 13394
- 13504
- 13505
- 13506
- 13507
- 14102
- 14103
- 14154
- 49180
- 65520
- 65535
filter_main_local_ranges:
DestinationIp|cidr:
- '127.0.0.0/8'
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '169.254.0.0/16'
- '::1/128' # IPv6 loopback
- 'fe80::/10' # IPv6 link-local addresses
- 'fc00::/7' # IPv6 private addresses
filter_optional_sys_directories:
Image|startswith:
- 'C:\Program Files\'
- 'C:\Program Files (x86)\'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Potentially Suspicious Malware Callback Communication - Linux
Detects programs that connect to known malware callback ports based on threat intelligence reports.
view Sigma YAML
title: Potentially Suspicious Malware Callback Communication - Linux
id: dbfc7c98-04ab-4ab7-aa94-c74d22aa7376
related:
- id: 4b89abaa-99fe-4232-afdd-8f9aa4d20382
type: derived
status: test
description: |
Detects programs that connect to known malware callback ports based on threat intelligence reports.
references:
- https://www.mandiant.com/resources/blog/triton-actor-ttp-profile-custom-attack-tools-detections
- https://www.mandiant.com/resources/blog/ukraine-and-sandworm-team
- https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html
- https://thehackernews.com/2024/01/systembc-malwares-c2-server-analysis.html
- https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors
author: hasselj
date: 2024-05-10
tags:
- attack.persistence
- attack.command-and-control
- attack.t1571
logsource:
category: network_connection
product: linux
detection:
selection:
Initiated: 'true'
DestinationPort:
- 888
- 999
- 2200
- 2222
- 4000
- 4444
- 6789
- 8531
- 50501
- 51820
filter_main_local_ranges:
DestinationIp|cidr:
- '127.0.0.0/8'
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '169.254.0.0/16'
- '::1/128' # IPv6 loopback
- 'fe80::/10' # IPv6 link-local addresses
- 'fc00::/7' # IPv6 private addresses
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Potentially Suspicious ODBC Driver Registered
Detects the registration of a new ODBC driver where the driver is located in a potentially suspicious location
view Sigma YAML
title: Potentially Suspicious ODBC Driver Registered
id: e4d22291-f3d5-4b78-9a0c-a1fbaf32a6a4
status: test
description: Detects the registration of a new ODBC driver where the driver is located in a potentially suspicious location
references:
- https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-23
modified: 2023-08-17
tags:
- attack.credential-access
- attack.persistence
- attack.t1003
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\SOFTWARE\ODBC\ODBCINST.INI\'
TargetObject|endswith:
- '\Driver'
- '\Setup'
Details|contains:
- ':\PerfLogs\'
- ':\ProgramData\'
- ':\Temp\'
- ':\Users\Public\'
- ':\Windows\Registration\CRMLog'
- ':\Windows\System32\com\dmp\'
- ':\Windows\System32\FxsTmp\'
- ':\Windows\System32\Microsoft\Crypto\RSA\MachineKeys\'
- ':\Windows\System32\spool\drivers\color\'
- ':\Windows\System32\spool\PRINTERS\'
- ':\Windows\System32\spool\SERVERS\'
- ':\Windows\System32\Tasks_Migrated\'
- ':\Windows\System32\Tasks\Microsoft\Windows\SyncCenter\'
- ':\Windows\SysWOW64\com\dmp\'
- ':\Windows\SysWOW64\FxsTmp\'
- ':\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System\'
- ':\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter\'
- ':\Windows\Tasks\'
- ':\Windows\Temp\'
- ':\Windows\Tracing\'
- '\AppData\Local\Temp\'
- '\AppData\Roaming\'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Strong
Medium FP
Potentially Suspicious Office Document Executed From Trusted Location
Detects the execution of an Office application that points to a document that is located in a trusted location. Attackers often used this to avoid macro security and execute their malicious code.
view Sigma YAML
title: Potentially Suspicious Office Document Executed From Trusted Location
id: f99abdf0-6283-4e71-bd2b-b5c048a94743
status: test
description: Detects the execution of an Office application that points to a document that is located in a trusted location. Attackers often used this to avoid macro security and execute their malicious code.
references:
- Internal Research
- https://twitter.com/Max_Mal_/status/1633863678909874176
- https://techcommunity.microsoft.com/t5/microsoft-365-blog/new-security-hardening-policies-for-trusted-documents/ba-p/3023465
- https://twitter.com/_JohnHammond/status/1588155401752788994
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-21
modified: 2023-10-18
tags:
- attack.stealth
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection_parent:
# Note: we add a parent shell to reduce FP. Add additional 3rd party shells that you might use
ParentImage|endswith:
- '\explorer.exe'
- '\dopus.exe'
selection_img:
- Image|endswith:
- '\EXCEL.EXE'
- '\POWERPNT.EXE'
- '\WINWORD.exe'
- OriginalFileName:
- 'Excel.exe'
- 'POWERPNT.EXE'
- 'WinWord.exe'
selection_trusted_location:
CommandLine|contains:
# Note: these are the default locations. Admins/Users could add additional ones that you need to cover
- '\AppData\Roaming\Microsoft\Templates'
- '\AppData\Roaming\Microsoft\Word\Startup\'
- '\Microsoft Office\root\Templates\'
- '\Microsoft Office\Templates\'
filter_main_dotx:
# Note: We add this filter to avoid curious people clicking on template files
CommandLine|endswith:
- '.dotx'
- '.xltx'
- '.potx'
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
High FP
Potentially Suspicious Regsvr32 HTTP IP Pattern
Detects regsvr32 execution to download and install DLLs located remotely where the address is an IP address.
view Sigma YAML
title: Potentially Suspicious Regsvr32 HTTP IP Pattern
id: 2dd2c217-bf68-437a-b57c-fe9fd01d5de8
status: test
description: Detects regsvr32 execution to download and install DLLs located remotely where the address is an IP address.
references:
- https://twitter.com/mrd0x/status/1461041276514623491
- https://twitter.com/tccontre18/status/1480950986650832903
- https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/
author: Florian Roth (Nextron Systems)
date: 2022-01-11
modified: 2023-05-24
tags:
- attack.stealth
- attack.t1218.010
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\regsvr32.exe'
- OriginalFileName: 'REGSVR32.EXE'
selection_ip:
CommandLine|contains:
- ' /i:http://1'
- ' /i:http://2'
- ' /i:http://3'
- ' /i:http://4'
- ' /i:http://5'
- ' /i:http://6'
- ' /i:http://7'
- ' /i:http://8'
- ' /i:http://9'
- ' /i:https://1'
- ' /i:https://2'
- ' /i:https://3'
- ' /i:https://4'
- ' /i:https://5'
- ' /i:https://6'
- ' /i:https://7'
- ' /i:https://8'
- ' /i:https://9'
- ' -i:http://1'
- ' -i:http://2'
- ' -i:http://3'
- ' -i:http://4'
- ' -i:http://5'
- ' -i:http://6'
- ' -i:http://7'
- ' -i:http://8'
- ' -i:http://9'
- ' -i:https://1'
- ' -i:https://2'
- ' -i:https://3'
- ' -i:https://4'
- ' -i:https://5'
- ' -i:https://6'
- ' -i:https://7'
- ' -i:https://8'
- ' -i:https://9'
condition: all of selection_*
falsepositives:
- FQDNs that start with a number such as "7-Zip"
level: high
Convert to SIEM query
high
Moderate
High FP
PowerShell ADRecon Execution
Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7
view Sigma YAML
title: PowerShell ADRecon Execution
id: bf72941a-cba0-41ea-b18c-9aca3925690d
status: test
description: Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7
references:
- https://github.com/sense-of-security/ADRecon/blob/11881a24e9c8b207f31b56846809ce1fb189bcc9/ADRecon.ps1
- https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319
author: Bhabesh Raj
date: 2021-07-16
modified: 2022-09-06
tags:
- attack.discovery
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- 'Function Get-ADRExcelComOb'
- 'Get-ADRGPO'
- 'Get-ADRDomainController'
- 'ADRecon-Report.xlsx' # Default
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
PowerShell Base64 Encoded FromBase64String Cmdlet
Detects usage of a base64 encoded "FromBase64String" cmdlet in a process command line
view Sigma YAML
title: PowerShell Base64 Encoded FromBase64String Cmdlet
id: fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c
status: test
description: Detects usage of a base64 encoded "FromBase64String" cmdlet in a process command line
references:
- Internal Research
author: Florian Roth (Nextron Systems)
date: 2019-08-24
modified: 2023-04-06
tags:
- attack.stealth
- attack.t1140
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
- CommandLine|base64offset|contains: '::FromBase64String'
# UTF-16 LE
- CommandLine|contains:
- 'OgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcA'
- 'oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA'
- '6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZw'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
PowerShell Base64 Encoded IEX Cmdlet
Detects usage of a base64 encoded "IEX" cmdlet in a process command line
view Sigma YAML
title: PowerShell Base64 Encoded IEX Cmdlet
id: 88f680b8-070e-402c-ae11-d2914f2257f1
status: test
description: Detects usage of a base64 encoded "IEX" cmdlet in a process command line
references:
- Internal Research
author: Florian Roth (Nextron Systems)
date: 2019-08-23
modified: 2023-04-06
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
- CommandLine|base64offset|contains:
- 'IEX (['
- 'iex (['
- 'iex (New'
- 'IEX (New'
- 'IEX(['
- 'iex(['
- 'iex(New'
- 'IEX(New'
- "IEX(('"
- "iex(('"
# UTF16 LE
- CommandLine|contains:
- 'SQBFAFgAIAAoAFsA'
- 'kARQBYACAAKABbA'
- 'JAEUAWAAgACgAWw'
- 'aQBlAHgAIAAoAFsA'
- 'kAZQB4ACAAKABbA'
- 'pAGUAeAAgACgAWw'
- 'aQBlAHgAIAAoAE4AZQB3A'
- 'kAZQB4ACAAKABOAGUAdw'
- 'pAGUAeAAgACgATgBlAHcA'
- 'SQBFAFgAIAAoAE4AZQB3A'
- 'kARQBYACAAKABOAGUAdw'
- 'JAEUAWAAgACgATgBlAHcA'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
PowerShell Base64 Encoded Invoke Keyword
Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls
view Sigma YAML
title: PowerShell Base64 Encoded Invoke Keyword
id: 6385697e-9f1b-40bd-8817-f4a91f40508e
related:
- id: fd6e2919-3936-40c9-99db-0aa922c356f7
type: obsolete
status: test
description: Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls
references:
- https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
author: pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t
date: 2022-05-20
modified: 2023-04-06
tags:
- attack.execution
- attack.stealth
- attack.t1059.001
- attack.t1027
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_cli_enc:
CommandLine|contains: ' -e'
selection_cli_invoke:
CommandLine|contains:
# Invoke-
# UTF-16LE
- 'SQBuAHYAbwBrAGUALQ'
- 'kAbgB2AG8AawBlAC0A'
- 'JAG4AdgBvAGsAZQAtA'
# UTF-8
- 'SW52b2tlL'
- 'ludm9rZS'
- 'JbnZva2Ut'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
PowerShell Base64 Encoded Reflective Assembly Load
Detects base64 encoded .NET reflective loading of Assembly
view Sigma YAML
title: PowerShell Base64 Encoded Reflective Assembly Load
id: 62b7ccc9-23b4-471e-aa15-6da3663c4d59
related:
- id: 9c0295ce-d60d-40bd-bd74-84673b7592b1
type: similar
status: test
description: Detects base64 encoded .NET reflective loading of Assembly
references:
- https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar
- https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
author: Christian Burkard (Nextron Systems), pH-T (Nextron Systems)
date: 2022-03-01
modified: 2023-01-30
tags:
- attack.execution
- attack.stealth
- attack.t1059.001
- attack.t1027
- attack.t1620
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
# [Reflection.Assembly]::Load(
- 'WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA'
- 'sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA'
- 'bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA'
# [reflection.assembly]::("Load")
- 'AFsAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiAC'
- 'BbAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgAp'
- 'AWwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAK'
# [Reflection.Assembly]::("Load")
- 'WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAKQ'
- 'sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiACkA'
- 'bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgApA'
# [reflection.assembly]::Load(
- 'WwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA'
- 'sAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA'
- 'bAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Strong
Medium FP
PowerShell Base64 Encoded WMI Classes
Detects calls to base64 encoded WMI class such as "Win32_ShadowCopy", "Win32_ScheduledJob", etc.
view Sigma YAML
title: PowerShell Base64 Encoded WMI Classes
id: 1816994b-42e1-4fb1-afd2-134d88184f71
related:
- id: 47688f1b-9f51-4656-b013-3cc49a166a36
type: obsolete
status: test
description: Detects calls to base64 encoded WMI class such as "Win32_ShadowCopy", "Win32_ScheduledJob", etc.
references:
- https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar
author: Christian Burkard (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-30
tags:
- attack.execution
- attack.stealth
- attack.t1059.001
- attack.t1027
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_cli_shadowcopy:
# Win32_ShadowCopy
CommandLine|contains:
- 'VwBpAG4AMwAyAF8AUwBoAGEAZABvAHcAYwBvAHAAeQ'
- 'cAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkA'
- 'XAGkAbgAzADIAXwBTAGgAYQBkAG8AdwBjAG8AcAB5A'
- 'V2luMzJfU2hhZG93Y29we'
- 'dpbjMyX1NoYWRvd2NvcH'
- 'XaW4zMl9TaGFkb3djb3B5'
selection_cli_scheduledJob:
# Win32_ScheduledJob
CommandLine|contains:
- 'VwBpAG4AMwAyAF8AUwBjAGgAZQBkAHUAbABlAGQASgBvAGIA'
- 'cAaQBuADMAMgBfAFMAYwBoAGUAZAB1AGwAZQBkAEoAbwBiA'
- 'XAGkAbgAzADIAXwBTAGMAaABlAGQAdQBsAGUAZABKAG8AYg'
- 'V2luMzJfU2NoZWR1bGVkSm9i'
- 'dpbjMyX1NjaGVkdWxlZEpvY'
- 'XaW4zMl9TY2hlZHVsZWRKb2'
selection_cli_process:
# Win32_Process
CommandLine|contains:
- 'VwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcw'
- 'cAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMA'
- 'XAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzA'
- 'V2luMzJfUHJvY2Vzc'
- 'dpbjMyX1Byb2Nlc3'
- 'XaW4zMl9Qcm9jZXNz'
selection_cli_useraccount:
# Win32_UserAccount
CommandLine|contains:
- 'VwBpAG4AMwAyAF8AVQBzAGUAcgBBAGMAYwBvAHUAbgB0A'
- 'cAaQBuADMAMgBfAFUAcwBlAHIAQQBjAGMAbwB1AG4AdA'
- 'XAGkAbgAzADIAXwBVAHMAZQByAEEAYwBjAG8AdQBuAHQA'
- 'V2luMzJfVXNlckFjY291bn'
- 'dpbjMyX1VzZXJBY2NvdW50'
- 'XaW4zMl9Vc2VyQWNjb3Vud'
selection_cli_loggedonuser:
# Win32_LoggedOnUser
CommandLine|contains:
- 'VwBpAG4AMwAyAF8ATABvAGcAZwBlAGQATwBuAFUAcwBlAHIA'
- 'cAaQBuADMAMgBfAEwAbwBnAGcAZQBkAE8AbgBVAHMAZQByA'
- 'XAGkAbgAzADIAXwBMAG8AZwBnAGUAZABPAG4AVQBzAGUAcg'
- 'V2luMzJfTG9nZ2VkT25Vc2Vy'
- 'dpbjMyX0xvZ2dlZE9uVXNlc'
- 'XaW4zMl9Mb2dnZWRPblVzZX'
condition: selection_img and 1 of selection_cli_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
PowerShell Called from an Executable Version Mismatch
Detects PowerShell called from an executable by the version mismatch method
view Sigma YAML
title: PowerShell Called from an Executable Version Mismatch
id: c70e019b-1479-4b65-b0cc-cd0c6093a599
status: test
description: Detects PowerShell called from an executable by the version mismatch method
references:
- https://adsecurity.org/?p=2921
author: Sean Metcalf (source), Florian Roth (Nextron Systems)
date: 2017-03-05
modified: 2023-10-27
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_classic_start
detection:
selection_engine:
Data|contains:
- 'EngineVersion=2.'
- 'EngineVersion=4.'
- 'EngineVersion=5.'
selection_host:
Data|contains: 'HostVersion=3.'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
PowerShell Credential Prompt
Detects PowerShell calling a credential prompt
view Sigma YAML
title: PowerShell Credential Prompt
id: ca8b77a9-d499-4095-b793-5d5f330d450e
status: test
description: Detects PowerShell calling a credential prompt
references:
- https://twitter.com/JohnLaTwC/status/850381440629981184
- https://t.co/ezOTGy1a1G
author: John Lambert (idea), Florian Roth (Nextron Systems)
date: 2017-04-09
modified: 2022-12-25
tags:
- attack.credential-access
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains: 'PromptForCredential'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
PowerShell Defender Threat Severity Default Action Set to 'Allow' or 'NoAction'
Detects the use of PowerShell to execute the 'Set-MpPreference' cmdlet to configure Windows Defender's threat severity default action to 'Allow' (value '6') or 'NoAction' (value '9').
This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level.
An attacker might use this technique via the command line to bypass defenses before executing payloads.
view Sigma YAML
title: PowerShell Defender Threat Severity Default Action Set to 'Allow' or 'NoAction'
id: 1e8a9b4d-3c2a-4f9b-8d1e-7c6a5b4f3d2e
related:
- id: 5a9e1b2c-8f7d-4a1e-9b3c-0f6d7e5a4b1f
type: similar
status: experimental
description: |
Detects the use of PowerShell to execute the 'Set-MpPreference' cmdlet to configure Windows Defender's threat severity default action to 'Allow' (value '6') or 'NoAction' (value '9').
This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level.
An attacker might use this technique via the command line to bypass defenses before executing payloads.
references:
- https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-threatseveritydefaultaction
- https://research.splunk.com/endpoint/7215831c-8252-4ae3-8d43-db588e82f952
- https://gist.github.com/Dump-GUY/8daef859f382b895ac6fd0cf094555d2
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
author: 'Matt Anderson (Huntress)'
date: 2025-07-11
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_cmdlet:
CommandLine|contains: 'Set-MpPreference'
selection_action:
CommandLine|contains:
- '-LowThreatDefaultAction'
- '-ModerateThreatDefaultAction'
- '-HighThreatDefaultAction'
- '-SevereThreatDefaultAction'
- '-ltdefac '
- '-mtdefac '
- '-htdefac '
- '-stdefac '
selection_value:
CommandLine|contains:
- 'Allow'
- '6'
- 'NoAction'
- '9'
condition: all of selection_*
falsepositives:
- Highly unlikely
level: high
Convert to SIEM query
high
Strong
High FP
PowerShell Download and Execution Cradles
Detects PowerShell download and execution cradles.
view Sigma YAML
title: PowerShell Download and Execution Cradles
id: 85b0b087-eddf-4a2b-b033-d771fa2b9775
status: test
description: Detects PowerShell download and execution cradles.
references:
- https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd
- https://labs.withsecure.com/publications/fin7-target-veeam-servers
author: Florian Roth (Nextron Systems)
date: 2022-03-24
modified: 2025-07-18
tags:
- attack.execution
- attack.t1059
logsource:
product: windows
category: process_creation
detection:
selection_download:
CommandLine|contains:
- '.DownloadString('
- '.DownloadFile('
- 'Invoke-WebRequest '
- 'iwr '
- 'Invoke-RestMethod '
- 'irm ' # powershell -ep bypass -w h -c irm test.domain/ffe | iex
selection_iex:
CommandLine|contains:
- ';iex $'
- '| IEX'
- '|IEX '
- 'I`E`X'
- 'I`EX'
- 'IE`X'
- 'iex '
- 'IEX ('
- 'IEX('
- 'Invoke-Expression'
condition: all of selection_*
falsepositives:
- Some PowerShell installers were seen using similar combinations. Apply filters accordingly
level: high
Convert to SIEM query
high
Strong
Medium FP
PowerShell Execution With Potential Decryption Capabilities
Detects PowerShell commands that decrypt an ".LNK" "file to drop the next stage of the malware.
view Sigma YAML
title: PowerShell Execution With Potential Decryption Capabilities
id: 434c08ba-8406-4d15-8b24-782cb071a691
status: test
description: Detects PowerShell commands that decrypt an ".LNK" "file to drop the next stage of the malware.
references:
- https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/
author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-30
modified: 2023-12-05
tags:
- attack.execution
logsource:
product: windows
category: process_creation
detection:
selection_img:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_cli_dir:
CommandLine|contains:
- "Get-ChildItem "
- "dir "
- "gci "
- "ls "
selection_cli_gc:
CommandLine|contains:
- "Get-Content "
- "gc "
- 'cat '
- 'type '
- 'ReadAllBytes'
selection_cli_specific:
- CommandLine|contains|all:
- ' ^| '
- '\*.lnk'
- '-Recurse'
- '-Skip '
- CommandLine|contains|all:
- ' -ExpandProperty '
- '\*.lnk'
- 'WriteAllBytes'
- ' .length '
condition: all of selection_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
High FP
PowerShell Get-Process LSASS
Detects a "Get-Process" cmdlet and it's aliases on lsass process, which is in almost all cases a sign of malicious activity
view Sigma YAML
title: PowerShell Get-Process LSASS
id: b2815d0d-7481-4bf0-9b6c-a4c48a94b349
status: test
description: Detects a "Get-Process" cmdlet and it's aliases on lsass process, which is in almost all cases a sign of malicious activity
references:
- https://web.archive.org/web/20220205033028/https://twitter.com/PythonResponder/status/1385064506049630211
author: Florian Roth (Nextron Systems)
date: 2021-04-23
modified: 2023-01-05
tags:
- attack.credential-access
- attack.t1552.004
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
# You can add more permutation as you see fit
- 'Get-Process lsas'
- 'ps lsas'
- 'gps lsas'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
PowerShell Get-Process LSASS in ScriptBlock
Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity
view Sigma YAML
title: PowerShell Get-Process LSASS in ScriptBlock
id: 84c174ab-d3ef-481f-9c86-a50d0b8e3edb
status: test
description: Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity
references:
- https://web.archive.org/web/20220205033028/https://twitter.com/PythonResponder/status/1385064506049630211
author: Florian Roth (Nextron Systems)
date: 2021-04-23
modified: 2022-12-25
tags:
- attack.credential-access
- attack.t1003.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains: 'Get-Process lsass'
condition: selection
falsepositives:
- Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)
level: high
Convert to SIEM query
high
Strong
Medium FP
PowerShell Logging Disabled Via Registry Key Tampering
Detects changes to the registry for the currently logged-in user. In order to disable PowerShell module logging, script block logging or transcription and script execution logging
view Sigma YAML
title: PowerShell Logging Disabled Via Registry Key Tampering
id: fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7
status: test
description: Detects changes to the registry for the currently logged-in user. In order to disable PowerShell module logging, script block logging or transcription and script execution logging
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-32---windows-powershell-logging-disabled
author: frack113
date: 2022-04-02
modified: 2023-08-17
tags:
- attack.stealth
- attack.defense-impairment
- attack.t1564.001
- attack.t1112
- attack.persistence
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains:
- '\Microsoft\Windows\PowerShell\' # PowerShell 5
- '\Microsoft\PowerShellCore\' # PowerShell 7
TargetObject|endswith:
- '\ModuleLogging\EnableModuleLogging'
- '\ScriptBlockLogging\EnableScriptBlockLogging'
- '\ScriptBlockLogging\EnableScriptBlockInvocationLogging'
- '\Transcription\EnableTranscripting'
- '\Transcription\EnableInvocationHeader'
- '\EnableScripts'
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled/info.yml
simulation:
- type: atomic-red-team
name: Disable PowerShell Logging via Registry
technique: T1112
atomic_guid: 95b25212-91a7-42ff-9613-124aca6845a8
Convert to SIEM query
high
Moderate
High FP
PowerShell PSAttack
Detects the use of PSAttack PowerShell hack tool
view Sigma YAML
title: PowerShell PSAttack
id: b7ec41a4-042c-4f31-a5db-d0fcde9fa5c5
status: test
description: Detects the use of PSAttack PowerShell hack tool
references:
- https://adsecurity.org/?p=2921
author: Sean Metcalf (source), Florian Roth (Nextron Systems)
date: 2017-03-05
modified: 2022-12-25
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains: 'PS ATTACK!!!'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
High FP
PowerShell SAM Copy
Detects suspicious PowerShell scripts accessing SAM hives
view Sigma YAML
title: PowerShell SAM Copy
id: 1af57a4b-460a-4738-9034-db68b880c665
status: test
description: Detects suspicious PowerShell scripts accessing SAM hives
references:
- https://twitter.com/splinter_code/status/1420546784250769408
author: Florian Roth (Nextron Systems)
date: 2021-07-29
modified: 2023-01-06
tags:
- attack.credential-access
- attack.t1003.002
logsource:
category: process_creation
product: windows
detection:
selection_1:
CommandLine|contains|all:
- '\HarddiskVolumeShadowCopy'
- 'System32\config\sam'
selection_2:
CommandLine|contains:
- 'Copy-Item'
- 'cp $_.'
- 'cpi $_.'
- 'copy $_.'
- '.File]::Copy('
condition: all of selection*
falsepositives:
- Some rare backup scenarios
- PowerShell scripts fixing HiveNightmare / SeriousSAM ACLs
level: high
Convert to SIEM query
high
Moderate
High FP
PowerShell Script Change Permission Via Set-Acl
Detects PowerShell execution to set the ACL of a file or a folder
view Sigma YAML
title: PowerShell Script Change Permission Via Set-Acl
id: bdeb2cff-af74-4094-8426-724dc937f20a
related:
- id: cae80281-ef23-44c5-873b-fd48d2666f49 # PsScript Low
type: derived
- id: 0944e002-e3f6-4eb5-bf69-3a3067b53d73 # ProcCreation Susp
type: derived
- id: 3bf1d859-3a7e-44cb-8809-a99e066d3478 # PsScript High
type: derived
status: test
description: Detects PowerShell execution to set the ACL of a file or a folder
references:
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1
- https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-18
tags:
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
selection_cmdlet:
CommandLine|contains|all:
- 'Set-Acl '
- '-AclObject '
- '-Path '
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
Showing 1001-1050 of 1,677