Home/Detection rules/VMware Carbon Black
Tool
EDR / XDR

VMware Carbon Black

1,677 rules · Sigma detections in VMware Carbon Black syntax
The same Sigma detection corpus, machine-rendered into VMware Carbon Black query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 3,646 rules (.zip, 1.2 MB) Every VMware Carbon Black query in this view, packaged to deploy.
Severity critical high medium low all severities Export CSV Export .zip
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance12
Resource Development10
Initial Access10
Execution30
Persistence42
Privilege Escalation20
Stealth79
Defense Impairment32
Credential Access35
Discovery33
Lateral Movement16
Collection20
Command and Control24
Exfiltration10
Impact18
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.

Detection rules

50 shown of 1,677
high Strong Medium FP
RDP over Reverse SSH Tunnel WFP
Detects svchost hosting RDP termsvcs communicating with the loopback address
status test author Samir Bousseaden ATT&CK sub-technique id 5bed80b6-b3e8-428e-a3ae-d3c757589e41
carbon_black query
EventID:5156 ((SourcePort:3389 (DestAddress:127.* OR DestAddress:\:\:1)) OR (DestPort:3389 (SourceAddress:127.* OR SourceAddress:\:\:1))) (-(FilterOrigin:AppContainer\ Loopback OR (Application:\\thor.exe OR Application:\\thor64.exe)))
view Sigma YAML 
title: RDP over Reverse SSH Tunnel WFP
id: 5bed80b6-b3e8-428e-a3ae-d3c757589e41
status: test
description: Detects svchost hosting RDP termsvcs communicating with the loopback address
references:
    - https://twitter.com/SBousseaden/status/1096148422984384514
    - https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/44fbe85f72ee91582876b49678f9a26292a155fb/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx
author: Samir Bousseaden
date: 2019-02-16
modified: 2022-09-02
tags:
    - attack.command-and-control
    - attack.lateral-movement
    - attack.t1090.001
    - attack.t1090.002
    - attack.t1021.001
    - car.2013-07-002
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5156
    sourceRDP:
        SourcePort: 3389
        DestAddress:
            - '127.*'
            - '::1'
    destinationRDP:
        DestPort: 3389
        SourceAddress:
            - '127.*'
            - '::1'
    filter_app_container:
        FilterOrigin: 'AppContainer Loopback'
    filter_thor:  # checking BlueKeep vulnerability
        Application|endswith:
            - '\thor.exe'
            - '\thor64.exe'
    condition: selection and ( sourceRDP or destinationRDP ) and not 1 of filter*
falsepositives:
    - Programs that connect locally to the RDP port
level: high
Convert to SIEM query
high Moderate Medium FP
RDP to HTTP or HTTPS Target Ports
Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443
status test author Florian Roth (Nextron Systems) ATT&CK sub-technique id b1e5da3b-ca8e-4adf-915c-9921f3d85481
carbon_black query
Image:\\svchost.exe Initiated:true SourcePort:3389 (DestinationPort:80 OR DestinationPort:443)
view Sigma YAML 
title: RDP to HTTP or HTTPS Target Ports
id: b1e5da3b-ca8e-4adf-915c-9921f3d85481
status: test
description: Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443
references:
    - https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg
    - https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling
author: Florian Roth (Nextron Systems)
date: 2022-04-29
modified: 2022-07-14
tags:
    - attack.command-and-control
    - attack.t1572
    - attack.lateral-movement
    - attack.t1021.001
    - car.2013-07-002
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith: '\svchost.exe'
        Initiated: 'true'
        SourcePort: 3389
        DestinationPort:
            - 80
            - 443
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Low FP
RTCore Suspicious Service Installation
Detects the installation of RTCore service. Which could be an indication of Micro-Star MSI Afterburner vulnerable driver abuse
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK tactic-only id 91c49341-e2ef-40c0-ac45-49ec5c3fe26c
carbon_black query
Provider_Name:Service\ Control\ Manager EventID:7045 ServiceName:RTCore64
view Sigma YAML 
title: RTCore Suspicious Service Installation
id: 91c49341-e2ef-40c0-ac45-49ec5c3fe26c
status: test
description: Detects the installation of RTCore service. Which could be an indication of Micro-Star MSI Afterburner vulnerable driver abuse
references:
    - https://github.com/br-sn/CheekyBlinder/blob/e1764a8a0e7cda8a3716aefa35799f560686e01c/CheekyBlinder/CheekyBlinder.cpp
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-30
tags:
    - attack.persistence
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ServiceName: 'RTCore64'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Strong Medium FP
Raccine Uninstall
Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.
status test author Florian Roth (Nextron Systems) ATT&CK technique id a31eeaed-3fd5-478e-a8ba-e62c6b3f9ecc
carbon_black query
(CommandLine:taskkill\ * CommandLine:RaccineSettings.exe*) OR (CommandLine:reg.exe* CommandLine:delete* CommandLine:Raccine\ Tray*) OR (CommandLine:schtasks* CommandLine:\/DELETE* CommandLine:Raccine\ Rules\ Updater*)
view Sigma YAML 
title: Raccine Uninstall
id: a31eeaed-3fd5-478e-a8ba-e62c6b3f9ecc
status: test
description: Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.
references:
    - https://github.com/Neo23x0/Raccine
author: Florian Roth (Nextron Systems)
date: 2021-01-21
modified: 2022-10-09
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        CommandLine|contains|all:
            - 'taskkill '
            - 'RaccineSettings.exe'
    selection2:
        CommandLine|contains|all:
            - 'reg.exe'
            - 'delete'
            - 'Raccine Tray'
    selection3:
        CommandLine|contains|all:
            - 'schtasks'
            - '/DELETE'
            - 'Raccine Rules Updater'
    condition: 1 of selection*
falsepositives:
    - Legitimate deinstallation by administrative staff
level: high
Convert to SIEM query
high Strong Medium FP
Rar Usage with Password and Compression Level
Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions.
status test author @ROxPinTeddy ATT&CK sub-technique id faa48cae-6b25-4f00-a094-08947fef582f
carbon_black query
CommandLine:\ \-hp* (CommandLine:\ \-m* OR CommandLine:\ a\ *)
view Sigma YAML 
title: Rar Usage with Password and Compression Level
id: faa48cae-6b25-4f00-a094-08947fef582f
status: test
description: Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions.
references:
    - https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/
    - https://ss64.com/bash/rar.html
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
author: '@ROxPinTeddy'
date: 2020-05-12
modified: 2022-03-16
tags:
    - attack.collection
    - attack.t1560.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_password:
        CommandLine|contains: ' -hp'
    selection_other:
        CommandLine|contains:
            - ' -m'
            - ' a '
    condition: selection_password and selection_other
falsepositives:
    - Legitimate use of Winrar command line version
    - Other command line tools, that use these flags
level: high
Convert to SIEM query
high Strong Medium FP
Rare Remote Thread Creation By Uncommon Source Image
Detects uncommon processes creating remote threads.
status test author Perez Diego (@darkquassar), oscd.community ATT&CK technique id 02d1d718-dd13-41af-989d-ea85c7fab93f
carbon_black query
(SourceImage:\\bash.exe OR SourceImage:\\cscript.exe OR SourceImage:\\cvtres.exe OR SourceImage:\\defrag.exe OR SourceImage:\\dialer.exe OR SourceImage:\\dnx.exe OR SourceImage:\\esentutl.exe OR SourceImage:\\excel.exe OR SourceImage:\\expand.exe OR SourceImage:\\find.exe OR SourceImage:\\findstr.exe OR SourceImage:\\forfiles.exe OR SourceImage:\\gpupdate.exe OR SourceImage:\\hh.exe OR SourceImage:\\installutil.exe OR SourceImage:\\lync.exe OR SourceImage:\\makecab.exe OR SourceImage:\\mDNSResponder.exe OR SourceImage:\\monitoringhost.exe OR SourceImage:\\msbuild.exe OR SourceImage:\\mshta.exe OR SourceImage:\\mspaint.exe OR SourceImage:\\outlook.exe OR SourceImage:\\ping.exe OR SourceImage:\\provtool.exe OR SourceImage:\\python.exe OR SourceImage:\\regsvr32.exe OR SourceImage:\\robocopy.exe OR SourceImage:\\runonce.exe OR SourceImage:\\sapcimc.exe OR SourceImage:\\smartscreen.exe OR SourceImage:\\spoolsv.exe OR SourceImage:\\tstheme.exe OR SourceImage:\\userinit.exe OR SourceImage:\\vssadmin.exe OR SourceImage:\\vssvc.exe OR SourceImage:\\w3wp.exe OR SourceImage:\\winscp.exe OR SourceImage:\\winword.exe OR SourceImage:\\wmic.exe OR SourceImage:\\wscript.exe) (-(((SourceImage:C\:\\Windows\\System32\\Defrag.exe OR SourceImage:C\:\\Windows\\System32\\makecab.exe) TargetImage:C\:\\Windows\\System32\\conhost.exe) OR (SourceImage:C\:\\Windows\\System32\\provtool.exe TargetImage:C\:\\Windows\\System32\\svchost.exe) OR (SourceImage:C\:\\Windows\\System32\\provtool.exe TargetImage:System) OR (SourceImage:C\:\\Windows\\System32\\userinit.exe TargetImage:C\:\\Windows\\explorer.exe) OR (SourceImage:\\WINWORD.EXE (TargetImage:C\:\\Program\ Files\ \(x86\)\\* OR TargetImage:C\:\\Program\ Files\\*)) OR ((SourceImage:C\:\\Program\ Files\\Microsoft\ Office\\* OR SourceImage:C\:\\Program\ Files\ \(x86\)\\Microsoft\ Office\\*) TargetImage:System))) (-(SourceImage:\\SysWOW64\\explorer.exe (TargetImage:C\:\\Program\ Files\ \(x86\)\\VMware\\VMware\ Tools\\vmtoolsd.exe OR TargetImage:C\:\\Program\ Files\\VMware\\VMware\ Tools\\vmtoolsd.exe)))
view Sigma YAML 
title: Rare Remote Thread Creation By Uncommon Source Image
id: 02d1d718-dd13-41af-989d-ea85c7fab93f
related:
    - id: 66d31e5f-52d6-40a4-9615-002d3789a119
      type: derived
status: test
description: Detects uncommon processes creating remote threads.
references:
    - Personal research, statistical analysis
    - https://lolbas-project.github.io
author: Perez Diego (@darkquassar), oscd.community
date: 2019-10-27
modified: 2025-12-08
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        SourceImage|endswith:
            - '\bash.exe'
            - '\cscript.exe'
            - '\cvtres.exe'
            - '\defrag.exe'
            - '\dialer.exe'
            - '\dnx.exe'
            - '\esentutl.exe'
            - '\excel.exe'
            - '\expand.exe'
            - '\find.exe'
            - '\findstr.exe'
            - '\forfiles.exe'
            - '\gpupdate.exe'
            - '\hh.exe'
            - '\installutil.exe'
            - '\lync.exe'
            - '\makecab.exe'
            - '\mDNSResponder.exe'
            - '\monitoringhost.exe' # Loads .NET CLR by default and thus a favorite for process injection for .NET in-memory offensive tools.
            - '\msbuild.exe'
            - '\mshta.exe'
            - '\mspaint.exe'
            - '\outlook.exe'
            - '\ping.exe'
            - '\provtool.exe'
            - '\python.exe'
            - '\regsvr32.exe'
            - '\robocopy.exe'
            - '\runonce.exe'
            - '\sapcimc.exe'
            - '\smartscreen.exe'
            - '\spoolsv.exe'
            - '\tstheme.exe'
            - '\userinit.exe'
            - '\vssadmin.exe'
            - '\vssvc.exe'
            - '\w3wp.exe'
            - '\winscp.exe'
            - '\winword.exe'
            - '\wmic.exe'
            - '\wscript.exe'
    filter_main_conhost:
        SourceImage:
            - 'C:\Windows\System32\Defrag.exe'
            - 'C:\Windows\System32\makecab.exe'
        TargetImage: 'C:\Windows\System32\conhost.exe'
    filter_main_provtol_svchost:
        SourceImage: 'C:\Windows\System32\provtool.exe'
        TargetImage: 'C:\Windows\System32\svchost.exe'
    filter_main_provtool_system:
        SourceImage: 'C:\Windows\System32\provtool.exe'
        TargetImage: 'System'
    filter_main_userinit:
        SourceImage: 'C:\Windows\System32\userinit.exe'
        TargetImage: 'C:\Windows\explorer.exe'
    filter_main_winword:
        SourceImage|endswith: '\WINWORD.EXE'
        TargetImage|startswith:
            - 'C:\Program Files (x86)\' # C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            - 'C:\Program Files\' # C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe
    filter_main_ms_office:
        # Raised by following issue: https://github.com/SigmaHQ/sigma/issues/5529
        SourceImage|startswith:
            - 'C:\Program Files\Microsoft Office\'
            - 'C:\Program Files (x86)\Microsoft Office\'
        TargetImage: 'System'
    filter_optional_explorer_vmtools:
        SourceImage|endswith: '\SysWOW64\explorer.exe'
        TargetImage:
            - 'C:\Program Files (x86)\VMware\VMware Tools\vmtoolsd.exe'
            - 'C:\Program Files\VMware\VMware Tools\vmtoolsd.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - This rule is best put in testing first in order to create a baseline that reflects the data in your environment.
level: high
Convert to SIEM query
high Strong Medium FP
Raspberry Robin Initial Execution From External Drive
Detects the initial execution of the Raspberry Robin malware from an external drive using "Cmd.EXE".
status test author @kostastsale ATT&CK sub-technique id 2c6bea3a-ef58-4f2e-a775-4928f6b7c58a
carbon_black query
(ParentImage:\\cmd.exe ParentCommandLine:\/r* (ParentCommandLine:.bin OR ParentCommandLine:.ico OR ParentCommandLine:.lnk OR ParentCommandLine:.lo OR ParentCommandLine:.sv OR ParentCommandLine:.usb)) (Image:\\msiexec.exe (CommandLine:\-q* OR CommandLine:\/q* OR CommandLine:–q* OR CommandLine:—q* OR CommandLine:―q*)) (CommandLine:http\:* OR CommandLine:https\:*)
view Sigma YAML 
title: Raspberry Robin Initial Execution From External Drive
id: 2c6bea3a-ef58-4f2e-a775-4928f6b7c58a
related:
    - id: d52d2e87-eb03-4fac-961d-eb616da79788
      type: similar
status: test
description: Detects the initial execution of the Raspberry Robin malware from an external drive using "Cmd.EXE".
references:
    - https://redcanary.com/blog/raspberry-robin/
author: '@kostastsale'
date: 2022-05-06
tags:
    - attack.execution
    - attack.t1059.001
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\cmd.exe'
        ParentCommandLine|contains: '/r'
        ParentCommandLine|endswith:
            - '.bin'
            - '.ico'
            - '.lnk'
            - '.lo'
            - '.sv'
            - '.usb'
    selection_child_img:
        Image|endswith: '\msiexec.exe'
        CommandLine|contains|windash: '/q'
    selection_child_http:
        CommandLine|contains:
            - 'http:'
            - 'https:'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate Medium FP
Raspberry Robin Subsequent Execution of Commands
Detects raspberry robin subsequent execution of commands.
status test author @kostastsale ATT&CK sub-technique id d52d2e87-eb03-4fac-961d-eb616da79788
carbon_black query
ParentImage:\\fodhelper.exe (Image:\\rundll32.exe OR Image:\\regsvr32.exe) (CommandLine:odbcconf.exe* CommandLine:regsvr* CommandLine:shellexec_rundll*) (CommandLine:installdriver* OR CommandLine:setfiledsndir* OR CommandLine:vkipdse*) (CommandLine:\-a OR CommandLine:\/a OR CommandLine:–a OR CommandLine:—a OR CommandLine:―a OR CommandLine:\-f OR CommandLine:\/f OR CommandLine:–f OR CommandLine:—f OR CommandLine:―f OR CommandLine:\-s OR CommandLine:\/s OR CommandLine:–s OR CommandLine:—s OR CommandLine:―s)
view Sigma YAML 
title: Raspberry Robin Subsequent Execution of Commands
id: d52d2e87-eb03-4fac-961d-eb616da79788
related:
    - id: 2c6bea3a-ef58-4f2e-a775-4928f6b7c58a
      type: similar
status: test
description: Detects raspberry robin subsequent execution of commands.
references:
    - https://redcanary.com/blog/raspberry-robin/
author: '@kostastsale'
date: 2022-05-06
tags:
    - attack.execution
    - attack.t1059.001
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\fodhelper.exe'
        Image|endswith:
            - '\rundll32.exe'
            - '\regsvr32.exe'
        CommandLine|contains|all:
            - 'odbcconf.exe'
            - 'regsvr'
            - 'shellexec_rundll'
        CommandLine|contains:
            - 'installdriver'
            - 'setfiledsndir'
            - 'vkipdse'
        CommandLine|endswith|windash:
            - '/a'
            - '/f'
            - '/s'
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate High FP
Raw Paste Service Access
Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form
status test author Florian Roth (Nextron Systems) ATT&CK sub-technique id 5468045b-4fcc-4d1a-973c-c9c9578edacb
carbon_black query
"c-uri":.paste.ee\/r\/* OR "c-uri":.pastebin.com\/raw\/* OR "c-uri":.hastebin.com\/raw\/* OR "c-uri":.ghostbin.co\/paste\/*\/raw\/* OR "c-uri":pastetext.net\/* OR "c-uri":pastebin.pl\/* OR "c-uri":paste.ee\/*
view Sigma YAML 
title: Raw Paste Service Access
id: 5468045b-4fcc-4d1a-973c-c9c9578edacb
status: test
description: Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form
references:
    - https://www.virustotal.com/gui/domain/paste.ee/relations
author: Florian Roth (Nextron Systems)
date: 2019-12-05
modified: 2023-01-19
tags:
    - attack.command-and-control
    - attack.t1071.001
    - attack.t1102.001
    - attack.t1102.003
logsource:
    category: proxy
detection:
    selection:
        c-uri|contains:
            - '.paste.ee/r/'
            - '.pastebin.com/raw/'
            - '.hastebin.com/raw/'
            - '.ghostbin.co/paste/*/raw/'
            - 'pastetext.net/'
            - 'pastebin.pl/'
            - 'paste.ee/'
    condition: selection
falsepositives:
    - User activity (e.g. developer that shared and copied code snippets and used the raw link instead of just copy & paste)
level: high
Convert to SIEM query
high Strong Low FP
Recon Activity via SASec
Detects remote RPC calls to read information about scheduled tasks via SASec
status test author Sagie Dulce, Dekel Paz ATT&CK tactic-only id 0a3ff354-93fc-4273-8a03-1078782de5b7
carbon_black query
(EventLog:RPCFW EventID:3 InterfaceUuid:378e52b0\-c0a9\-11cf\-822d\-00aa0051e40f) (-(OpNum:0 OR OpNum:1))
view Sigma YAML 
title: Recon Activity via SASec
id: 0a3ff354-93fc-4273-8a03-1078782de5b7
status: test
description: Detects remote RPC calls to read information about scheduled tasks via SASec
references:
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md
    - https://github.com/zeronetworks/rpcfirewall
    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
    - attack.discovery
logsource:
    product: rpc_firewall
    category: application
    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:378e52b0-c0a9-11cf-822d-00aa0051e40f"'
detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid: 378e52b0-c0a9-11cf-822d-00aa0051e40f
    filter:
        OpNum:
            - 0
            - 1
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Strong Low FP
Reconnaissance Activity
Detects activity as "net user administrator /domain" and "net group domain admins /domain"
status test author Florian Roth (Nextron Systems), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.community ATT&CK sub-technique id 968eef52-9cff-4454-8992-1e74b9cbad6c
carbon_black query
EventID:4661 AccessMask:0x2d (ObjectType:SAM_USER OR ObjectType:SAM_GROUP) ObjectName:S\-1\-5\-21\-* (ObjectName:\-500 OR ObjectName:\-512)
view Sigma YAML 
title: Reconnaissance Activity
id: 968eef52-9cff-4454-8992-1e74b9cbad6c
status: test
description: Detects activity as "net user administrator /domain" and "net group domain admins /domain"
references:
    - https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html
author: Florian Roth (Nextron Systems), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.community
date: 2017-03-07
modified: 2022-08-22
tags:
    - attack.discovery
    - attack.t1087.002
    - attack.t1069.002
    - attack.s0039
logsource:
    product: windows
    service: security
    definition: The volume of Event ID 4661 is high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommendations for server systems
detection:
    selection:
        EventID: 4661
        AccessMask: '0x2d'
        ObjectType:
            - 'SAM_USER'
            - 'SAM_GROUP'
        ObjectName|startswith: 'S-1-5-21-'
        ObjectName|endswith:
            - '-500'
            - '-512'
    condition: selection
falsepositives:
    - Administrator activity
level: high
Convert to SIEM query
high Moderate High FP
RedMimicry Winnti Playbook Registry Manipulation
Detects actions caused by the RedMimicry Winnti playbook
status test author Alexander Rausch ATT&CK technique id 5b175490-b652-4b02-b1de-5b5b4083c5f8
carbon_black query
TargetObject:HKLM\\SOFTWARE\\Microsoft\\HTMLHelp\\data*
view Sigma YAML 
title: RedMimicry Winnti Playbook Registry Manipulation
id: 5b175490-b652-4b02-b1de-5b5b4083c5f8
status: test
description: Detects actions caused by the RedMimicry Winnti playbook
references:
    - https://redmimicry.com
author: Alexander Rausch
date: 2020-06-24
modified: 2021-11-27
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    product: windows
    category: registry_event
detection:
    selection:
        TargetObject|contains: HKLM\SOFTWARE\Microsoft\HTMLHelp\data
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
RedSun - Conhost.exe Spawned by TieringEngineService.exe
Detects two stages of the RedSun post-exploitation process chain that deliver a SYSTEM-level shell to the attacker's interactive session. Observed process chain services.exe → TieringEngineService.exe → conhost.exe (SYSTEM, CommandLine: bare path, no arguments) → cmd.exe / shell (SYSTEM, TerminalSessionId = attacker's session) Stage 1 — TieringEngineService.exe spawns argument-less conhost.exe: After winning the oplock + Cloud Files mount point race, the malicious TieringEngineService.exe (RedSun.exe copied to System32, started via CoCreateInstance / services.exe) detects it is NT AUTHORITY\SYSTEM and calls LaunchConsoleInSessionId(). This opens \\.\pipe\REDSUN, reads the attacker's session ID, duplicates the SYSTEM token, re-stamps it with that session ID via SetTokenInformation(TokenSessionId), then calls CreateProcessAsUser to spawn conhost.exe with no arguments. Stage 2 — Shell spawned from rogue conhost.exe (EDR sources with GrandParentImage): The rogue SYSTEM conhost.exe spawns a shell (cmd.exe, PowerShell, etc.) as SYSTEM in the attacker's interactive session. On EDR sources that expose GrandParentImage, the full three-level chain (TieringEngineService.exe → conhost.exe → shell) can be matched directly. The legitimate TieringEngineService.exe is a headless COM server that is unlikely to spawn conhost.exe under normal conditions.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems), @unresolvedhost ATT&CK sub-technique id 2ad78473-6978-40f5-b8f1-89c7e1c27a1a
carbon_black query
(ParentImage:\\TieringEngineService.exe Image:\\conhost.exe CommandLine:conhost.exe\" (User:AUTHORI* OR User:AUTORI* OR User:$*)) OR (GrandParentImage:\\TieringEngineService.exe ParentImage:\\conhost.exe (Image:\\cmd.exe OR Image:\\powershell_ise.exe OR Image:\\powershell.exe OR Image:\\pwsh.exe) (User:AUTHORI* OR User:AUTORI* OR User:$*))
view Sigma YAML 
title: RedSun - Conhost.exe Spawned by TieringEngineService.exe
id: 2ad78473-6978-40f5-b8f1-89c7e1c27a1a
status: experimental
description: |
    Detects two stages of the RedSun post-exploitation process chain that deliver a SYSTEM-level shell to the attacker's interactive session.
    Observed process chain
      services.exe
        → TieringEngineService.exe
          → conhost.exe             (SYSTEM, CommandLine: bare path, no arguments)
            → cmd.exe / shell       (SYSTEM, TerminalSessionId = attacker's session)

    Stage 1 — TieringEngineService.exe spawns argument-less conhost.exe:
      After winning the oplock + Cloud Files mount point race, the malicious TieringEngineService.exe (RedSun.exe copied to System32, started via CoCreateInstance
      / services.exe) detects it is NT AUTHORITY\SYSTEM and calls LaunchConsoleInSessionId().
      This opens \\.\pipe\REDSUN, reads the attacker's session ID, duplicates the SYSTEM token, re-stamps it with that session ID via SetTokenInformation(TokenSessionId), then
      calls CreateProcessAsUser to spawn conhost.exe with no arguments.

    Stage 2 — Shell spawned from rogue conhost.exe (EDR sources with GrandParentImage):
      The rogue SYSTEM conhost.exe spawns a shell (cmd.exe, PowerShell, etc.) as SYSTEM in the attacker's interactive session.
      On EDR sources that expose GrandParentImage, the full three-level chain (TieringEngineService.exe → conhost.exe → shell) can be matched directly.
      The legitimate TieringEngineService.exe is a headless COM server that is unlikely to spawn conhost.exe under normal conditions.
references:
    - https://github.com/Nightmare-Eclipse/RedSun
author: Swachchhanda Shrawan Poudel (Nextron Systems), @unresolvedhost
date: 2026-04-17
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1134.002
    - attack.t1036.005
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
    definition: 'Requirements: By default the process_creation type event might not contain the GrandParentImage. Make sure you collect such fields in order to use this rule'
detection:
    # Stage 1: TieringEngineService.exe (malicious) spawns conhost.exe with no arguments
    selection_tiering_to_conhost:
        ParentImage|endswith: '\TieringEngineService.exe'
        Image|endswith: '\conhost.exe'
        CommandLine|endswith: 'conhost.exe"'
        User|contains:
            - 'AUTHORI'
            - 'AUTORI'
            - '$'
    # Stage 2: full three-level chain for EDR sources that expose GrandParentImage
    # GrandParent=TieringEngineService.exe, Parent=conhost.exe, Image=shell process
    selection_shell_full_chain:
        GrandParentImage|endswith: '\TieringEngineService.exe'
        ParentImage|endswith: '\conhost.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell_ise.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
        User|contains:
            - 'AUTHORI'
            - 'AUTORI'
            - '$'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Strong High FP
Reg Add Suspicious Paths
Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys
status test author frack113, Nasreddine Bencherchali (Nextron Systems) ATT&CK technique id b7e2a8d4-74bb-4b78-adc9-3f92af2d4829
carbon_black query
(Image:\\reg.exe OR OriginalFileName:reg.exe) (CommandLine:\\AppDataLow\\Software\\Microsoft\\* OR CommandLine:\\Policies\\Microsoft\\Windows\\OOBE* OR CommandLine:\\Policies\\Microsoft\\Windows\ NT\\CurrentVersion\\Winlogon* OR CommandLine:\\SOFTWARE\\Microsoft\\Windows\ NT\\Currentversion\\Winlogon* OR CommandLine:\\CurrentControlSet\\Control\\SecurityProviders\\WDigest* OR CommandLine:\\Microsoft\\Windows\ Defender\\*)
view Sigma YAML 
title: Reg Add Suspicious Paths
id: b7e2a8d4-74bb-4b78-adc9-3f92af2d4829
status: test
description: Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md
    - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-19
modified: 2022-10-10
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection_reg:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_path:
        CommandLine|contains:
            # Add more suspicious registry locations below
            - '\AppDataLow\Software\Microsoft\'
            - '\Policies\Microsoft\Windows\OOBE'
            - '\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
            - '\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon'
            - '\CurrentControlSet\Control\SecurityProviders\WDigest'
            - '\Microsoft\Windows Defender\'
    condition: all of selection_*
falsepositives:
    - Rare legitimate add to registry via cli (to these locations)
level: high
Convert to SIEM query
high Moderate Medium FP
Regedit as Trusted Installer
Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe
status test author Florian Roth (Nextron Systems) ATT&CK technique id 883835a7-df45-43e4-bf1d-4268768afda4
carbon_black query
Image:\\regedit.exe (ParentImage:\\TrustedInstaller.exe OR ParentImage:\\ProcessHacker.exe)
view Sigma YAML 
title: Regedit as Trusted Installer
id: 883835a7-df45-43e4-bf1d-4268768afda4
status: test
description: Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe
references:
    - https://twitter.com/1kwpeter/status/1397816101455765504
author: Florian Roth (Nextron Systems)
date: 2021-05-27
modified: 2022-10-09
tags:
    - attack.privilege-escalation
    - attack.t1548
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\regedit.exe'
        ParentImage|endswith:
            - '\TrustedInstaller.exe'
            - '\ProcessHacker.exe'
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate Low FP
Register new Logon Process by Rubeus
Detects potential use of Rubeus via registered new trusted logon process
status test author Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community ATT&CK sub-technique id 12e6d621-194f-4f59-90cc-1959e21e69f7
carbon_black query
EventID:4611 LogonProcessName:User32LogonProcesss
view Sigma YAML 
title: Register new Logon Process by Rubeus
id: 12e6d621-194f-4f59-90cc-1959e21e69f7
status: test
description: Detects potential use of Rubeus via registered new trusted logon process
references:
    - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community
date: 2019-10-24
modified: 2022-10-09
tags:
    - attack.lateral-movement
    - attack.privilege-escalation
    - attack.credential-access
    - attack.t1558.003
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4611
        LogonProcessName: 'User32LogonProcesss'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Strong Medium FP
Registry Disable System Restore
Detects the modification of the registry to disable a system restore on the computer
status test author frack113 ATT&CK technique id 5de03871-5d46-4539-a82d-3aa992a69a83
carbon_black query
(TargetObject:\\Policies\\Microsoft\\Windows\ NT\\SystemRestore* OR TargetObject:\\Microsoft\\Windows\ NT\\CurrentVersion\\SystemRestore*) (TargetObject:DisableConfig OR TargetObject:DisableSR) Details:DWORD\ \(0x00000001\)
view Sigma YAML 
title: Registry Disable System Restore
id: 5de03871-5d46-4539-a82d-3aa992a69a83
related:
    - id: 7c06ab9b-b1d2-4ba9-b06e-09491ded20d9
      type: similar
status: test
description: Detects the modification of the registry to disable a system restore on the computer
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-9---disable-system-restore-through-registry
author: frack113
date: 2022-04-04
modified: 2023-08-17
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\Policies\Microsoft\Windows NT\SystemRestore'
            - '\Microsoft\Windows NT\CurrentVersion\SystemRestore'
        TargetObject|endswith:
            - DisableConfig
            - DisableSR
        Details: 'DWORD (0x00000001)'
    condition: selection
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_disable_system_restore/info.yml
simulation:
    - type: atomic-red-team
      name: Disable System Restore Through Registry
      technique: T1490
      atomic_guid: 66e647d1-8741-4e43-b7c1-334760c2047f
Convert to SIEM query
high Moderate Medium FP
Registry Export of Third-Party Credentials
Detects the use of reg.exe to export registry paths associated with third-party credentials. Credential stealers have been known to use this technique to extract sensitive information from the registry.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) ATT&CK sub-technique id cc1abf27-78a3-4ac5-a51c-f3070b1d8e40
carbon_black query
(Image:\\reg.exe OR OriginalFileName:reg.exe) (CommandLine:save* OR CommandLine:export*) (CommandLine:\\Software\\Aerofox\\Foxmail\\V3.1* OR CommandLine:\\Software\\Aerofox\\FoxmailPreview* OR CommandLine:\\Software\\DownloadManager\\Passwords* OR CommandLine:\\Software\\FTPWare\\COREFTP\\Sites* OR CommandLine:\\Software\\IncrediMail\\Identities* OR CommandLine:\\Software\\Martin\ Prikryl\\WinSCP\ 2\\Sessions* OR CommandLine:\\Software\\Mobatek\\MobaXterm* OR CommandLine:\\Software\\OpenSSH\\Agent\\Keys* OR CommandLine:\\Software\\OpenVPN\-GUI\\configs* OR CommandLine:\\Software\\ORL\\WinVNC3\\Password* OR CommandLine:\\Software\\Qualcomm\\Eudora\\CommandLine* OR CommandLine:\\Software\\RealVNC\\WinVNC4* OR CommandLine:\\Software\\RimArts\\B2\\Settings* OR CommandLine:\\Software\\SimonTatham\\PuTTY\\Sessions* OR CommandLine:\\Software\\SimonTatham\\PuTTY\\SshHostKeys* OR CommandLine:\\Software\\Sota\\FFFTP* OR CommandLine:\\Software\\TightVNC\\Server* OR CommandLine:\\Software\\WOW6432Node\\Radmin\\v3.0\\Server\\Parameters\\Radmin*)
view Sigma YAML 
title: Registry Export of Third-Party Credentials
id: cc1abf27-78a3-4ac5-a51c-f3070b1d8e40
related:
    - id: 87a476dc-0079-4583-a985-dee7a20a03de
      type: similar
status: experimental
description: |
    Detects the use of reg.exe to export registry paths associated with third-party credentials.
    Credential stealers have been known to use this technique to extract sensitive information from the registry.
references:
    - https://www.virustotal.com/gui/file/fdc86a5b3d7df37a72c3272836f743747c47bfbc538f05af9ecf78547fa2e789/behavior
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-05-22
tags:
    - attack.credential-access
    - attack.t1552.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_cli_save:
        CommandLine|contains:
            - 'save'
            - 'export'
    selection_cli_path:
        CommandLine|contains:
            - '\Software\Aerofox\Foxmail\V3.1'
            - '\Software\Aerofox\FoxmailPreview'
            - '\Software\DownloadManager\Passwords'
            - '\Software\FTPWare\COREFTP\Sites'
            - '\Software\IncrediMail\Identities'
            - '\Software\Martin Prikryl\WinSCP 2\Sessions'
            - '\Software\Mobatek\MobaXterm'
            - '\Software\OpenSSH\Agent\Keys'
            - '\Software\OpenVPN-GUI\configs'
            - '\Software\ORL\WinVNC3\Password'
            - '\Software\Qualcomm\Eudora\CommandLine'
            - '\Software\RealVNC\WinVNC4'
            - '\Software\RimArts\B2\Settings'
            - '\Software\SimonTatham\PuTTY\Sessions'
            - '\Software\SimonTatham\PuTTY\SshHostKeys'
            - '\Software\Sota\FFFTP'
            - '\Software\TightVNC\Server'
            - '\Software\WOW6432Node\Radmin\v3.0\Server\Parameters\Radmin'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
Registry Modification for OCI DLL Redirection
Detects registry modifications related to 'OracleOciLib' and 'OracleOciLibPath' under 'MSDTC' settings. Threat actors may modify these registry keys to redirect the loading of 'oci.dll' to a malicious DLL, facilitating phantom DLL hijacking via the MSDTC service.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) ATT&CK sub-technique id c0e0bdec-3e3d-47aa-9974-05539c999c89
carbon_black query
(TargetObject:\\SOFTWARE\\Microsoft\\MSDTC\\MTxOCI\\OracleOciLib (-Details:oci.dll*)) OR (TargetObject:\\SOFTWARE\\Microsoft\\MSDTC\\MTxOCI\\OracleOciLibPath (-Details:%SystemRoot%\\System32\\*))
view Sigma YAML 
title: Registry Modification for OCI DLL Redirection
id: c0e0bdec-3e3d-47aa-9974-05539c999c89
status: experimental
description: |
    Detects registry modifications related to 'OracleOciLib' and 'OracleOciLibPath' under 'MSDTC' settings.
    Threat actors may modify these registry keys to redirect the loading of 'oci.dll' to a malicious DLL, facilitating phantom DLL hijacking via the MSDTC service.
references:
    - https://www.crowdstrike.com/en-us/blog/4-ways-adversaries-hijack-dlls/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-24
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.defense-impairment
    - attack.t1112
    - attack.t1574.001
logsource:
    category: registry_set
    product: windows
detection:
    selection_ocilib:
        TargetObject|endswith: '\SOFTWARE\Microsoft\MSDTC\MTxOCI\OracleOciLib'
    filter_main_ocilib_file:
        # it is looking when oci.dll name is changed to something else like evil.dll
        Details|contains: 'oci.dll'
    selection_ocilibpath:
        TargetObject|endswith: '\SOFTWARE\Microsoft\MSDTC\MTxOCI\OracleOciLibPath'
    filter_main_ocilibpath:
        # it is looking when oci.dll path is changed to something else like 'C:\Windows\Temp\'
        Details|contains: '%SystemRoot%\System32\'
    condition: (selection_ocilib and not filter_main_ocilib_file) or (selection_ocilibpath and not filter_main_ocilibpath)
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Strong Medium FP
Registry Persistence Mechanisms in Recycle Bin
Detects persistence registry keys for Recycle Bin
status test author frack113 ATT&CK technique id 277efb8f-60be-4f10-b4d3-037802f37167
carbon_black query
(EventType:RenameKey NewName:\\CLSID\\\{645FF040\-5081\-101B\-9F08\-00AA002F954E\}\\shell\\open*) OR (EventType:SetValue TargetObject:\\CLSID\\\{645FF040\-5081\-101B\-9F08\-00AA002F954E\}\\shell\\open\\command\\\(Default\)*)
view Sigma YAML 
title: Registry Persistence Mechanisms in Recycle Bin
id: 277efb8f-60be-4f10-b4d3-037802f37167
status: test
description: Detects persistence registry keys for Recycle Bin
references:
    - https://github.com/vxunderground/VXUG-Papers/blob/751edb8d50f95bd7baa730adf2c6c3bb1b034276/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf
    - https://persistence-info.github.io/Data/recyclebin.html
    - https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/
author: frack113
date: 2021-11-18
modified: 2022-12-06
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547
logsource:
    category: registry_event
    product: windows
detection:
    selection_create:
        EventType: RenameKey
        NewName|contains: '\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open'
    selection_set:
        EventType: SetValue
        TargetObject|contains: '\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command\(Default)'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
Registry Persistence via Explorer Run Key
Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder
status test author Florian Roth (Nextron Systems), oscd.community ATT&CK sub-technique id b7916c2a-fa2f-4795-9477-32b731f70f11
carbon_black query
TargetObject:\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run (Details:\:\\$Recycle.bin\\* OR Details:\:\\ProgramData\\* OR Details:\:\\Temp\\* OR Details:\:\\Users\\Default\\* OR Details:\:\\Users\\Public\\* OR Details:\:\\Windows\\Temp\\* OR Details:\\AppData\\Local\\Temp\\*)
view Sigma YAML 
title: Registry Persistence via Explorer Run Key
id: b7916c2a-fa2f-4795-9477-32b731f70f11
status: test
description: Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder
references:
    - https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/
author: Florian Roth (Nextron Systems), oscd.community
date: 2018-07-18
modified: 2023-12-11
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
        Details|contains:
            - ':\$Recycle.bin\'
            - ':\ProgramData\'
            - ':\Temp\'
            - ':\Users\Default\'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\AppData\Local\Temp\'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Strong Medium FP
Registry Persistence via Service in Safe Mode
Detects the modification of the registry to allow a driver or service to persist in Safe Mode.
status test author frack113 ATT&CK sub-technique id 1547e27c-3974-43e2-a7d7-7f484fb928ec
carbon_black query
((TargetObject:\\Control\\SafeBoot\\Minimal\\* OR TargetObject:\\Control\\SafeBoot\\Network\\*) TargetObject:\\\(Default\) Details:Service) (-((Image:C\:\\WINDOWS\\system32\\msiexec.exe (TargetObject:\\Control\\SafeBoot\\Minimal\\SAVService\\\(Default\) OR TargetObject:\\Control\\SafeBoot\\Network\\SAVService\\\(Default\))) OR (Image:\\MBAMInstallerService.exe TargetObject:\\MBAMService\\\(Default\) Details:Service) OR (Image:C\:\\Hexnode\\Hexnode\ Agent\\Current\\HexnodeAgent.exe (TargetObject:\\Control\\SafeBoot\\Minimal\\Hexnode\ Updater\\\(Default\) OR TargetObject:\\Control\\SafeBoot\\Network\\Hexnode\ Updater\\\(Default\) OR TargetObject:\\Control\\SafeBoot\\Minimal\\Hexnode\ Agent\\\(Default\) OR TargetObject:\\Control\\SafeBoot\\Network\\Hexnode\ Agent\\\(Default\)) Details:Service)))
view Sigma YAML 
title: Registry Persistence via Service in Safe Mode
id: 1547e27c-3974-43e2-a7d7-7f484fb928ec
status: test
description: Detects the modification of the registry to allow a driver or service to persist in Safe Mode.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network
author: frack113
date: 2022-04-04
modified: 2025-10-22
tags:
    - attack.stealth
    - attack.t1564.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\Control\SafeBoot\Minimal\'
            - '\Control\SafeBoot\Network\'
        TargetObject|endswith: '\(Default)'
        Details: 'Service'
    filter_optional_sophos:
        Image: 'C:\WINDOWS\system32\msiexec.exe'
        TargetObject|endswith:
            - '\Control\SafeBoot\Minimal\SAVService\(Default)'
            - '\Control\SafeBoot\Network\SAVService\(Default)'
    filter_optional_mbamservice:
        Image|endswith: '\MBAMInstallerService.exe'
        TargetObject|endswith: '\MBAMService\(Default)'
        Details: 'Service'
    filter_optional_hexnode:
        Image: 'C:\Hexnode\Hexnode Agent\Current\HexnodeAgent.exe'
        TargetObject|endswith:
            - '\Control\SafeBoot\Minimal\Hexnode Updater\(Default)'
            - '\Control\SafeBoot\Network\Hexnode Updater\(Default)'
            - '\Control\SafeBoot\Minimal\Hexnode Agent\(Default)'
            - '\Control\SafeBoot\Network\Hexnode Agent\(Default)'
        Details: 'Service'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode/info.yml
simulation:
    - type: atomic-red-team
      name: Windows Add Registry Value to Load Service in Safe Mode without Network
      technique: T1112
      atomic_guid: 1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5
    - type: atomic-red-team
      name: Windows Add Registry Value to Load Service in Safe Mode with Network
      technique: T1112
      atomic_guid: c173c948-65e5-499c-afbe-433722ed5bd4
Convert to SIEM query
high Moderate High FP
Regsvr32 DLL Execution With Suspicious File Extension
Detects the execution of REGSVR32.exe with DLL files masquerading as other files
status test author Florian Roth (Nextron Systems), frack113 ATT&CK sub-technique id 089fc3d2-71e8-4763-a8a5-c97fbb0a403e
carbon_black query
(Image:\\regsvr32.exe OR OriginalFileName:REGSVR32.EXE) (CommandLine:.bin OR CommandLine:.bmp OR CommandLine:.cr2 OR CommandLine:.dat OR CommandLine:.eps OR CommandLine:.gif OR CommandLine:.ico OR CommandLine:.jpeg OR CommandLine:.jpg OR CommandLine:.log OR CommandLine:.nef OR CommandLine:.orf OR CommandLine:.png OR CommandLine:.raw OR CommandLine:.rtf OR CommandLine:.sr2 OR CommandLine:.temp OR CommandLine:.tif OR CommandLine:.tiff OR CommandLine:.tmp OR CommandLine:.txt)
view Sigma YAML 
title: Regsvr32 DLL Execution With Suspicious File Extension
id: 089fc3d2-71e8-4763-a8a5-c97fbb0a403e
related:
    - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
      type: obsolete
status: test
description: Detects the execution of REGSVR32.exe with DLL files masquerading as other files
references:
    - https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/
    - https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html
    - https://guides.lib.umich.edu/c.php?g=282942&p=1885348
    - https://harfanglab.io/insidethelab/uac-0057-pressure-ukraine-poland/
author: Florian Roth (Nextron Systems), frack113
date: 2021-11-29
modified: 2025-08-27
tags:
    - attack.stealth
    - attack.t1218.010
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\regsvr32.exe'
        - OriginalFileName: 'REGSVR32.EXE'
    selection_cli:
        CommandLine|endswith:
            # Add more image extensions
            # https://twitter.com/Max_Mal_/status/1542461200797163522/photo/3
            - '.bin'
            - '.bmp'
            - '.cr2'
            - '.dat'
            - '.eps'
            - '.gif'
            - '.ico'
            - '.jpeg'
            - '.jpg'
            - '.log'
            - '.nef'
            - '.orf'
            - '.png'
            - '.raw'
            - '.rtf'
            - '.sr2'
            - '.temp'
            - '.tif'
            - '.tiff'
            - '.tmp'
            - '.txt'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate High FP
Rejetto HTTP File Server RCE
Detects attempts to exploit a Rejetto HTTP File Server (HFS) via CVE-2014-6287
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK sub-technique id a133193c-2daa-4a29-8022-018695fcf0ae
carbon_black query
"cs-uri-query":*search=%00\{.* ("cs-uri-query":save|* OR "cs-uri-query":powershell* OR "cs-uri-query":cmd.exe* OR "cs-uri-query":cmd\ \/c* OR "cs-uri-query":cmd\ \/r* OR "cs-uri-query":cmd\ \/k* OR "cs-uri-query":cscript* OR "cs-uri-query":wscript* OR "cs-uri-query":python* OR "cs-uri-query":C\:\\Users\\Public\\* OR "cs-uri-query":%comspec%*)
view Sigma YAML 
title: Rejetto HTTP File Server RCE
id: a133193c-2daa-4a29-8022-018695fcf0ae
status: test
description: Detects attempts to exploit a Rejetto HTTP File Server (HFS) via CVE-2014-6287
references:
    - https://vk9-sec.com/hfs-code-execution-cve-2014-6287/
    - https://www.exploit-db.com/exploits/39161
    - https://github.com/Twigonometry/Cybersecurity-Notes/blob/c875b0f52df7d2c7a870e75e1f0c2679d417931d/Writeups/Hack%20the%20Box/Boxes/Optimum/10%20-%20Website.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-19
modified: 2023-01-02
tags:
    - attack.persistence
    - attack.initial-access
    - attack.t1190
    - attack.t1505.003
    - cve.2014-6287
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection_search:
        cs-uri-query|contains: '?search=%00{.'
    selection_payload:
        cs-uri-query|contains:
            - 'save|' # Indication of saving a file which shouldn't be tested by vuln scanners
            - 'powershell'
            - 'cmd.exe'
            - 'cmd /c'
            - 'cmd /r'
            - 'cmd /k'
            - 'cscript'
            - 'wscript'
            - 'python'
            - 'C:\Users\Public\'
            - '%comspec%'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Strong Low FP
Relevant Anti-Virus Signature Keywords In Application Log
Detects potentially highly relevant antivirus events in the application log based on known virus signature names and malware keywords.
status test author Florian Roth (Nextron Systems), Arnim Rupp ATT&CK technique id 78bc5783-81d9-4d73-ac97-59f6db4f72a8
carbon_black query
("Adfind" OR "ASP\/BackDoor\ " OR "ATK\/" OR "Backdoor.ASP" OR "Backdoor.Cobalt" OR "Backdoor.JSP" OR "Backdoor.PHP" OR "Blackworm" OR "Brutel" OR "BruteR" OR "Chopper" OR "Cobalt" OR "COBEACON" OR "Cometer" OR "CRYPTES" OR "Cryptor" OR "Destructor" OR "DumpCreds" OR "Exploit.Script.CVE" OR "FastReverseProxy" OR "Filecoder" OR "GrandCrab\ " OR "HackTool" OR "HKTL" OR "HTool\-" OR "\/HTool" OR ".HTool" OR "IISExchgSpawnCMD" OR "Impacket" OR "JSP\/BackDoor\ " OR "Keylogger" OR "Koadic" OR "Krypt" OR "Lazagne" OR "Metasploit" OR "Meterpreter" OR "MeteTool" OR "mikatz" OR "Mimikatz" OR "Mpreter" OR "MsfShell" OR "Nighthawk" OR "Packed.Generic.347" OR "PentestPowerShell" OR "Phobos" OR "PHP\/BackDoor\ " OR "Potato" OR "PowerSploit" OR "PowerSSH" OR "PshlSpy" OR "PSWTool" OR "PWCrack" OR "PWDump" OR "Ransom" OR "Rozena" OR "Ryzerlo" OR "Sbelt" OR "Seatbelt" OR "SecurityTool\ " OR "SharpDump" OR "Shellcode" OR "Sliver" OR "Splinter" OR "Swrort" OR "Tescrypt" OR "TeslaCrypt" OR "TurtleLoader" OR "Valyria" OR "Webshell") (-(("anti_ransomware_service.exe" OR "Anti\-Ransomware" OR "Crack" OR "cyber\-protect\-service.exe" OR "encryptor" OR "Keygen") OR Level:4 OR Provider_Name:Microsoft\-Windows\-RestartManager))
view Sigma YAML 
title: Relevant Anti-Virus Signature Keywords In Application Log
id: 78bc5783-81d9-4d73-ac97-59f6db4f72a8
status: test
description: |
    Detects potentially highly relevant antivirus events in the application log based on known virus signature names and malware keywords.
references:
    - https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31
    - https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed
    - https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01
    - https://www.nextron-systems.com/?s=antivirus
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2017-02-19
modified: 2024-12-25
tags:
    - attack.resource-development
    - attack.t1588
logsource:
    product: windows
    service: application
detection:
    keywords:
        - 'Adfind'
        - 'ASP/BackDoor '
        - 'ATK/'
        - 'Backdoor.ASP'
        - 'Backdoor.Cobalt'
        - 'Backdoor.JSP'
        - 'Backdoor.PHP'
        - 'Blackworm'
        - 'Brutel'
        - 'BruteR'
        - 'Chopper'
        - 'Cobalt'
        - 'COBEACON'
        - 'Cometer'
        - 'CRYPTES'
        - 'Cryptor'
        - 'Destructor'
        - 'DumpCreds'
        - 'Exploit.Script.CVE'
        - 'FastReverseProxy'
        - 'Filecoder'
        - 'GrandCrab '
        - 'HackTool'
        - 'HKTL'
        - 'HTool-'
        - '/HTool'
        - '.HTool'
        - 'IISExchgSpawnCMD'
        - 'Impacket'
        - 'JSP/BackDoor '
        - 'Keylogger'
        - 'Koadic'
        - 'Krypt'
        - 'Lazagne'
        - 'Metasploit'
        - 'Meterpreter'
        - 'MeteTool'
        - 'mikatz'
        - 'Mimikatz'
        - 'Mpreter'
        - 'MsfShell'
        - 'Nighthawk'
        - 'Packed.Generic.347'
        - 'PentestPowerShell'
        - 'Phobos'
        - 'PHP/BackDoor '
        - 'Potato'
        - 'PowerSploit'
        - 'PowerSSH'
        - 'PshlSpy'
        - 'PSWTool'
        - 'PWCrack'
        - 'PWDump'
        - 'Ransom'
        - 'Rozena'
        - 'Ryzerlo'
        - 'Sbelt'
        - 'Seatbelt'
        - 'SecurityTool '
        - 'SharpDump'
        - 'Shellcode'
        - 'Sliver'
        - 'Splinter'
        - 'Swrort'
        - 'Tescrypt'
        - 'TeslaCrypt'
        - 'TurtleLoader'
        - 'Valyria'
        - 'Webshell'
        # - 'FRP.'
        # - 'Locker'
        # - 'PWS.'
        # - 'PWSX'
        # - 'Razy'
        # - 'Ryuk'
    filter_optional_generic:
        - 'anti_ransomware_service.exe'
        - 'Anti-Ransomware'
        - 'Crack'
        - 'cyber-protect-service.exe'
        - 'encryptor'
        - 'Keygen'
    filter_optional_information:
        Level: 4  # Information level
    filter_optional_restartmanager:
        Provider_Name: 'Microsoft-Windows-RestartManager'
    condition: keywords and not 1 of filter_optional_*
falsepositives:
    - Some software piracy tools (key generators, cracks) are classified as hack tools
level: high
Convert to SIEM query
high Moderate High FP
Relevant ClamAV Message
Detects relevant ClamAV messages
status stable author Florian Roth (Nextron Systems) ATT&CK sub-technique id 36aa86ca-fd9d-4456-814e-d3b1b8e1e0bb
carbon_black query
"Trojan*FOUND" OR "VirTool*FOUND" OR "Webshell*FOUND" OR "Rootkit*FOUND" OR "Htran*FOUND"
view Sigma YAML 
title: Relevant ClamAV Message
id: 36aa86ca-fd9d-4456-814e-d3b1b8e1e0bb
status: stable
description: Detects relevant ClamAV messages
references:
    - https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/clam_av_rules.xml
author: Florian Roth (Nextron Systems)
date: 2017-03-01
tags:
    - attack.resource-development
    - attack.t1588.001
logsource:
    product: linux
    service: clamav
detection:
    keywords:
        - 'Trojan*FOUND'
        - 'VirTool*FOUND'
        - 'Webshell*FOUND'
        - 'Rootkit*FOUND'
        - 'Htran*FOUND'
    condition: keywords
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
Remote Access Tool - AnyDesk Silent Installation
Detects AnyDesk Remote Desktop silent installation. Which can be used by attackers to gain remote access.
status test author Ján Trenčanský ATT&CK sub-technique id 114e7f1c-f137-48c8-8f54-3088c24ce4b9
carbon_black query
CommandLine:\-\-install* CommandLine:\-\-start\-with\-win* CommandLine:\-\-silent*
view Sigma YAML 
title: Remote Access Tool - AnyDesk Silent Installation
id: 114e7f1c-f137-48c8-8f54-3088c24ce4b9
status: test
description: Detects AnyDesk Remote Desktop silent installation. Which can be used by attackers to gain remote access.
references:
    - https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20
    - https://support.anydesk.com/Automatic_Deployment
author: Ján Trenčanský
date: 2021-08-06
modified: 2023-03-05
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - '--install'
            - '--start-with-win'
            - '--silent'
    condition: selection
falsepositives:
    - Legitimate deployment of AnyDesk
level: high
Convert to SIEM query
high Strong Medium FP
Remote Access Tool - Anydesk Execution From Suspicious Folder
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
status test author Florian Roth (Nextron Systems) ATT&CK sub-technique id 065b00ca-5d5c-4557-ac95-64a6d0b64d86
carbon_black query
((Image:\\AnyDesk.exe OR Image:\\AnyDeskMSI.exe) OR Description:AnyDesk OR Product:AnyDesk OR Company:AnyDesk\ Software\ GmbH) (-(Image:\\AppData\\* OR Image:Program\ Files\ \(x86\)\\AnyDesk* OR Image:Program\ Files\\AnyDesk*))
view Sigma YAML 
title: Remote Access Tool - Anydesk Execution From Suspicious Folder
id: 065b00ca-5d5c-4557-ac95-64a6d0b64d86
related:
    - id: b52e84a3-029e-4529-b09b-71d19dd27e94
      type: similar
status: test
description: |
    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows
    - https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/
author: Florian Roth (Nextron Systems)
date: 2022-05-20
modified: 2025-02-24
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith:
              - '\AnyDesk.exe'
              - '\AnyDeskMSI.exe'
        - Description: AnyDesk
        - Product: AnyDesk
        - Company: AnyDesk Software GmbH
    filter:
        Image|contains:
            - '\AppData\'
            - 'Program Files (x86)\AnyDesk'
            - 'Program Files\AnyDesk'
    condition: selection and not filter
falsepositives:
    - Legitimate use of AnyDesk from a non-standard folder
level: high
Convert to SIEM query
high Moderate High FP
Remote Access Tool - Renamed MeshAgent Execution - MacOS
Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent. RMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management. However, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems.
status experimental author Norbert Jaśniewicz (AlphaSOC) ATT&CK sub-technique id bd3b5eaa-439d-4a42-8f35-a49f5c8a2582
carbon_black query
(CommandLine:\-\-meshServiceName* OR OriginalFileName:meshagent*) (-(Image:\/meshagent OR Image:\/meshagent_osx64))
view Sigma YAML 
title: Remote Access Tool - Renamed MeshAgent Execution - MacOS
id: bd3b5eaa-439d-4a42-8f35-a49f5c8a2582
related:
    - id: b471f462-eb0d-4832-be35-28d94bdb4780
      type: similar
    - id: 22c45af6-f590-4d44-bab3-b5b2d2a2b6d9
      type: derived
status: experimental
description: |
    Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent.
    RMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management.
    However, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems.
references:
    - https://www.huntress.com/blog/know-thy-enemy-a-novel-november-case-on-persistent-remote-access
    - https://thecyberexpress.com/ukraine-hit-by-meshagent-malware-campaign/
    - https://wazuh.com/blog/how-to-detect-meshagent-with-wazuh/
    - https://www.security.com/threat-intelligence/medusa-ransomware-attacks
author: Norbert Jaśniewicz (AlphaSOC)
date: 2025-05-19
tags:
    - attack.command-and-control
    - attack.stealth
    - attack.t1219.002
    - attack.t1036.003
logsource:
    category: process_creation
    product: macos
detection:
    selection_meshagent:
        - CommandLine|contains: '--meshServiceName'
        - OriginalFileName|contains: 'meshagent'
    filter_main_legitimate:
        Image|endswith:
            - '/meshagent'
            - '/meshagent_osx64'
    condition: selection_meshagent and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
Remote Access Tool - Renamed MeshAgent Execution - Windows
Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent. RMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management. However, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems.
status experimental author Norbert Jaśniewicz (AlphaSOC) ATT&CK sub-technique id b471f462-eb0d-4832-be35-28d94bdb4780
carbon_black query
(CommandLine:\-\-meshServiceName* OR OriginalFileName:meshagent*) (-Image:\\meshagent.exe)
view Sigma YAML 
title: Remote Access Tool - Renamed MeshAgent Execution - Windows
id: b471f462-eb0d-4832-be35-28d94bdb4780
related:
    - id: bd3b5eaa-439d-4a42-8f35-a49f5c8a2582
      type: similar
    - id: 2fbbe9ff-0afc-470b-bdc0-592198339968
      type: derived
status: experimental
description: |
    Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent.
    RMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management.
    However, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems.
references:
    - https://www.huntress.com/blog/know-thy-enemy-a-novel-november-case-on-persistent-remote-access
    - https://thecyberexpress.com/ukraine-hit-by-meshagent-malware-campaign/
    - https://wazuh.com/blog/how-to-detect-meshagent-with-wazuh/
    - https://www.security.com/threat-intelligence/medusa-ransomware-attacks
author: Norbert Jaśniewicz (AlphaSOC)
date: 2025-05-19
tags:
    - attack.command-and-control
    - attack.stealth
    - attack.t1219.002
    - attack.t1036.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_meshagent:
        - CommandLine|contains: '--meshServiceName'
        - OriginalFileName|contains: 'meshagent'
    filter_main_legitimate:
        Image|endswith: '\meshagent.exe'
    condition: selection_meshagent and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
Remote Access Tool - ScreenConnect Server Web Shell Execution
Detects potential web shell execution from the ScreenConnect server process.
status test author Jason Rathbun (Blackpoint Cyber) ATT&CK technique id b19146a3-25d4-41b4-928b-1e2a92641b1b
carbon_black query
ParentImage:\\ScreenConnect.Service.exe (Image:\\cmd.exe OR Image:\\csc.exe)
view Sigma YAML 
title: Remote Access Tool - ScreenConnect Server Web Shell Execution
id: b19146a3-25d4-41b4-928b-1e2a92641b1b
status: test
description: Detects potential web shell execution from the ScreenConnect server process.
references:
    - https://blackpointcyber.com/resources/blog/breaking-through-the-screen/
    - https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
author: Jason Rathbun (Blackpoint Cyber)
date: 2024-02-26
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith: '\ScreenConnect.Service.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\csc.exe'
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Strong Medium FP
Remote AppX Package Downloaded from File Sharing or CDN Domain
Detects an appx package that was added to the pipeline of the "to be processed" packages which was downloaded from a file sharing or CDN domain.
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK tactic-only id 8b48ad89-10d8-4382-a546-50588c410f0d
carbon_black query
EventID:854 (Path:.githubusercontent.com* OR Path:anonfiles.com* OR Path:cdn.discordapp.com* OR Path:ddns.net* OR Path:dl.dropboxusercontent.com* OR Path:ghostbin.co* OR Path:github.com* OR Path:glitch.me* OR Path:gofile.io* OR Path:hastebin.com* OR Path:mediafire.com* OR Path:mega.nz* OR Path:onrender.com* OR Path:pages.dev* OR Path:paste.ee* OR Path:pastebin.com* OR Path:pastebin.pl* OR Path:pastetext.net* OR Path:privatlab.com* OR Path:privatlab.net* OR Path:send.exploit.in* OR Path:sendspace.com* OR Path:storage.googleapis.com* OR Path:storjshare.io* OR Path:supabase.co* OR Path:temp.sh* OR Path:transfer.sh* OR Path:trycloudflare.com* OR Path:ufile.io* OR Path:w3spaces.com* OR Path:workers.dev*)
view Sigma YAML 
title: Remote AppX Package Downloaded from File Sharing or CDN Domain
id: 8b48ad89-10d8-4382-a546-50588c410f0d
status: test
description: |
    Detects an appx package that was added to the pipeline of the "to be processed" packages which was downloaded from a file sharing or CDN domain.
references:
    - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
    - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
    - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-11
modified: 2025-12-10
tags:
    - attack.stealth
logsource:
    product: windows
    service: appxdeployment-server
detection:
    selection:
        EventID: 854
        Path|contains:
            - '.githubusercontent.com'       # Includes both gists and github repositories / Michael Haag (idea)
            - 'anonfiles.com'
            - 'cdn.discordapp.com'
            - 'ddns.net'
            - 'dl.dropboxusercontent.com'
            - 'ghostbin.co'
            - 'github.com'
            - 'glitch.me'
            - 'gofile.io'
            - 'hastebin.com'
            - 'mediafire.com'
            - 'mega.nz'
            - 'onrender.com'
            - 'pages.dev'
            - 'paste.ee'
            - 'pastebin.com'
            - 'pastebin.pl'
            - 'pastetext.net'
            - 'privatlab.com'
            - 'privatlab.net'
            - 'send.exploit.in'
            - 'sendspace.com'
            - 'storage.googleapis.com'
            - 'storjshare.io'
            - 'supabase.co'
            - 'temp.sh'
            - 'transfer.sh'
            - 'trycloudflare.com'
            - 'ufile.io'
            - 'w3spaces.com'
            - 'workers.dev'
    condition: selection
falsepositives:
    - Unlikely, unless the organization uses file sharing or CDN services to distribute internal applications.
level: high
Convert to SIEM query
high Moderate High FP
Remote CHM File Download/Execution Via HH.EXE
Detects the usage of "hh.exe" to execute/download remotely hosted ".chm" files.
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK sub-technique id f57c58b3-ee69-4ef5-9041-455bf39aaa89
carbon_black query
(OriginalFileName:HH.exe OR Image:\\hh.exe) (CommandLine:http\:\/\/* OR CommandLine:https\:\/\/* OR CommandLine:\\\\*)
view Sigma YAML 
title: Remote CHM File Download/Execution Via HH.EXE
id: f57c58b3-ee69-4ef5-9041-455bf39aaa89
status: test
description: Detects the usage of "hh.exe" to execute/download remotely hosted ".chm" files.
references:
    - https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html
    - https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md
    - https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-29
modified: 2024-01-31
tags:
    - attack.stealth
    - attack.t1218.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'HH.exe'
        - Image|endswith: '\hh.exe'
    selection_cli:
        CommandLine|contains:
            - 'http://'
            - 'https://'
            - '\\\\'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Strong Low FP
Remote DCOM/WMI Lateral Movement
Detects remote RPC calls that performs remote DCOM operations. These could be abused for lateral movement via DCOM or WMI.
status test author Sagie Dulce, Dekel Paz ATT&CK sub-technique id 68050b10-e477-4377-a99b-3721b422d6ef
carbon_black query
EventLog:RPCFW EventID:3 (InterfaceUuid:4d9f4ab8\-7d1c\-11cf\-861e\-0020af6e7c57 OR InterfaceUuid:99fcfec4\-5260\-101b\-bbcb\-00aa0021347a OR InterfaceUuid:000001a0\-0000\-0000\-c000\-000000000046 OR InterfaceUuid:00000131\-0000\-0000\-c000\-000000000046 OR InterfaceUuid:00000143\-0000\-0000\-c000\-000000000046 OR InterfaceUuid:00000000\-0000\-0000\-c000\-000000000046)
view Sigma YAML 
title: Remote DCOM/WMI Lateral Movement
id: 68050b10-e477-4377-a99b-3721b422d6ef
status: test
description: Detects remote RPC calls that performs remote DCOM operations. These could be abused for lateral movement via DCOM or WMI.
references:
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9
    - https://github.com/zeronetworks/rpcfirewall
    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
    - attack.lateral-movement
    - attack.execution
    - attack.t1021.003
    - attack.t1047
logsource:
    product: rpc_firewall
    category: application
    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:367abb81-9844-35f1-ad32-98f038001003'
detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid:
            - 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57
            - 99fcfec4-5260-101b-bbcb-00aa0021347a
            - 000001a0-0000-0000-c000-000000000046
            - 00000131-0000-0000-c000-000000000046
            - 00000143-0000-0000-c000-000000000046
            - 00000000-0000-0000-c000-000000000046
    condition: selection
falsepositives:
    - Some administrative tasks on remote host
level: high
Convert to SIEM query
high Strong Low FP
Remote Encrypting File System Abuse
Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR
status test author Sagie Dulce, Dekel Paz ATT&CK tactic-only id 5f92fff9-82e2-48eb-8fc1-8b133556a551
carbon_black query
EventLog:RPCFW EventID:3 (InterfaceUuid:df1941c5\-fe89\-4e79\-bf10\-463657acf44d OR InterfaceUuid:c681d488\-d850\-11d0\-8c52\-00c04fd90f7e)
view Sigma YAML 
title: Remote Encrypting File System Abuse
id: 5f92fff9-82e2-48eb-8fc1-8b133556a551
status: test
description: Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR
references:
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942
    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md
    - https://github.com/zeronetworks/rpcfirewall
    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
    - attack.lateral-movement
logsource:
    product: rpc_firewall
    category: application
    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:df1941c5-fe89-4e79-bf10-463657acf44d or c681d488-d850-11d0-8c52-00c04fd90f7e'
detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid:
            - df1941c5-fe89-4e79-bf10-463657acf44d
            - c681d488-d850-11d0-8c52-00c04fd90f7e
    condition: selection
falsepositives:
    - Legitimate usage of remote file encryption
level: high
Convert to SIEM query
high Strong Low FP
Remote Event Log Recon
Detects remote RPC calls to get event log information via EVEN or EVEN6
status test author Sagie Dulce, Dekel Paz ATT&CK tactic-only id 2053961f-44c7-4a64-b62d-f6e72800af0d
carbon_black query
EventLog:RPCFW EventID:3 (InterfaceUuid:82273fdc\-e32a\-18c3\-3f78\-827929dc23ea OR InterfaceUuid:f6beaff7\-1e19\-4fbb\-9f8f\-b89e2018337c)
view Sigma YAML 
title: Remote Event Log Recon
id: 2053961f-44c7-4a64-b62d-f6e72800af0d
status: test
description: Detects remote RPC calls to get event log information via EVEN or EVEN6
references:
    - https://github.com/zeronetworks/rpcfirewall
    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
    - attack.discovery
logsource:
    product: rpc_firewall
    category: application
    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:82273fdc-e32a-18c3-3f78-827929dc23ea and uuid:f6beaff7-1e19-4fbb-9f8f-b89e2018337c"'
detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid:
            - 82273fdc-e32a-18c3-3f78-827929dc23ea
            - f6beaff7-1e19-4fbb-9f8f-b89e2018337c
    condition: selection
falsepositives:
    - Remote administrative tasks on Windows Events
level: high
Convert to SIEM query
high Strong Medium FP
Remote LSASS Process Access Through Windows Remote Management
Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz.
status stable author Patryk Prauze - ING Tech ATT&CK sub-technique id aa35a627-33fb-4d04-a165-d33b4afca3e8
carbon_black query
(TargetImage:\\lsass.exe SourceImage:\:\\Windows\\system32\\wsmprovhost.exe) (-GrantedAccess:0x80000000)
view Sigma YAML 
title: Remote LSASS Process Access Through Windows Remote Management
id: aa35a627-33fb-4d04-a165-d33b4afca3e8
status: stable
description: Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz.
references:
    - https://pentestlab.blog/2018/05/15/lateral-movement-winrm/
author: Patryk Prauze - ING Tech
date: 2019-05-20
modified: 2023-11-29
tags:
    - attack.credential-access
    - attack.execution
    - attack.t1003.001
    - attack.t1059.001
    - attack.lateral-movement
    - attack.t1021.006
    - attack.s0002
logsource:
    category: process_access
    product: windows
detection:
    selection:
        TargetImage|endswith: '\lsass.exe'
        SourceImage|endswith: ':\Windows\system32\wsmprovhost.exe'
    filter_main_access:
        GrantedAccess: '0x80000000'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Strong High FP
Remote PowerShell Session (PS Module)
Detects remote PowerShell sessions
status test author Roberto Rodriguez @Cyb3rWard0g, Tim Shelton ATT&CK sub-technique id 96b9f619-aa91-478f-bacb-c3e50f8df575
carbon_black query
(ContextInfo:\ =\ ServerRemoteHost\ * ContextInfo:wsmprovhost.exe*) (-ContextInfo:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive\\Microsoft.PowerShell.Archive.psm1*)
view Sigma YAML 
title: Remote PowerShell Session (PS Module)
id: 96b9f619-aa91-478f-bacb-c3e50f8df575
status: test
description: Detects remote PowerShell sessions
references:
    - https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton
date: 2019-08-10
modified: 2023-01-20
tags:
    - attack.execution
    - attack.t1059.001
    - attack.lateral-movement
    - attack.t1021.006
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection:
        ContextInfo|contains|all:
            - ' = ServerRemoteHost ' #  HostName: 'ServerRemoteHost'  french : Nom d’hôte =
            - 'wsmprovhost.exe'      #  HostApplication|contains: 'wsmprovhost.exe' french  Application hôte =
    filter_pwsh_archive:
        ContextInfo|contains: '\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\Microsoft.PowerShell.Archive.psm1'
    condition: selection and not 1 of filter_*
falsepositives:
    - Legitimate use remote PowerShell sessions
level: high
Convert to SIEM query
high Strong Low FP
Remote PowerShell Sessions Network Connections (WinRM)
Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986
status test author Roberto Rodriguez @Cyb3rWard0g ATT&CK sub-technique id 13acf386-b8c6-4fe0-9a6e-c4756b974698
carbon_black query
EventID:5156 (DestPort:5985 OR DestPort:5986) LayerRTID:44
view Sigma YAML 
title: Remote PowerShell Sessions Network Connections (WinRM)
id: 13acf386-b8c6-4fe0-9a6e-c4756b974698
status: test
description: Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986
references:
    - https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-09-12
modified: 2022-10-09
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5156
        DestPort:
            - 5985
            - 5986
        LayerRTID: 44
    condition: selection
falsepositives:
    - Legitimate use of remote PowerShell execution
level: high
Convert to SIEM query
high Strong Low FP
Remote Printing Abuse for Lateral Movement
Detects remote RPC calls to possibly abuse remote printing service via MS-RPRN / MS-PAR
status test author Sagie Dulce, Dekel Paz ATT&CK tactic-only id bc3a4b0c-e167-48e1-aa88-b3020950e560
carbon_black query
EventLog:RPCFW EventID:3 (InterfaceUuid:12345678\-1234\-abcd\-ef00\-0123456789ab OR InterfaceUuid:76f03f96\-cdfd\-44fc\-a22c\-64950a001209 OR InterfaceUuid:0b6edbfa\-4a24\-4fc6\-8a23\-942b1eca65d1 OR InterfaceUuid:ae33069b\-a2a8\-46ee\-a235\-ddfd339be281)
view Sigma YAML 
title: Remote Printing Abuse for Lateral Movement
id: bc3a4b0c-e167-48e1-aa88-b3020950e560
status: test
description: Detects remote RPC calls to possibly abuse remote printing service via MS-RPRN / MS-PAR
references:
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8
    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md
    - https://github.com/zeronetworks/rpcfirewall
    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
    - attack.lateral-movement
logsource:
    product: rpc_firewall
    category: application
    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:12345678-1234-abcd-ef00-0123456789ab or 76f03f96-cdfd-44fc-a22c-64950a001209 or ae33069b-a2a8-46ee-a235-ddfd339be281 or 0b6edbfa-4a24-4fc6-8a23-942b1eca65d1'
detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid:
            - 12345678-1234-abcd-ef00-0123456789ab
            - 76f03f96-cdfd-44fc-a22c-64950a001209
            - 0b6edbfa-4a24-4fc6-8a23-942b1eca65d1
            - ae33069b-a2a8-46ee-a235-ddfd339be281
    condition: selection
falsepositives:
    - Actual printing
level: high
Convert to SIEM query
high Strong Low FP
Remote Registry Lateral Movement
Detects remote RPC calls to modify the registry and possible execute code
status test author Sagie Dulce, Dekel Paz ATT&CK technique id 35c55673-84ca-4e99-8d09-e334f3c29539
carbon_black query
EventLog:RPCFW EventID:3 InterfaceUuid:338cd001\-2244\-31f1\-aaaa\-900038001003 (OpNum:6 OR OpNum:7 OR OpNum:8 OR OpNum:13 OR OpNum:18 OR OpNum:19 OR OpNum:21 OR OpNum:22 OR OpNum:23 OR OpNum:35)
view Sigma YAML 
title: Remote Registry Lateral Movement
id: 35c55673-84ca-4e99-8d09-e334f3c29539
status: test
description: Detects remote RPC calls to modify the registry and possible execute code
references:
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78
    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md
    - https://github.com/zeronetworks/rpcfirewall
    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
    - attack.lateral-movement
    - attack.defense-impairment
    - attack.t1112
    - attack.persistence
logsource:
    product: rpc_firewall
    category: application
    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:338cd001-2244-31f1-aaaa-900038001003"'
detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid: 338cd001-2244-31f1-aaaa-900038001003
        OpNum:
            - 6
            - 7
            - 8
            - 13
            - 18
            - 19
            - 21
            - 22
            - 23
            - 35
    condition: selection
falsepositives:
    - Remote administration of registry values
level: high
Convert to SIEM query
high Strong Low FP
Remote Registry Recon
Detects remote RPC calls to collect information
status test author Sagie Dulce, Dekel Paz ATT&CK tactic-only id d8ffe17e-04be-4886-beb9-c1dd1944b9a8
carbon_black query
(EventLog:RPCFW EventID:3 InterfaceUuid:338cd001\-2244\-31f1\-aaaa\-900038001003) (-(OpNum:6 OR OpNum:7 OR OpNum:8 OR OpNum:13 OR OpNum:18 OR OpNum:19 OR OpNum:21 OR OpNum:22 OR OpNum:23 OR OpNum:35))
view Sigma YAML 
title: Remote Registry Recon
id: d8ffe17e-04be-4886-beb9-c1dd1944b9a8
status: test
description: Detects remote RPC calls to collect information
references:
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78
    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md
    - https://github.com/zeronetworks/rpcfirewall
    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
    - attack.discovery
logsource:
    product: rpc_firewall
    category: application
    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:338cd001-2244-31f1-aaaa-900038001003"'
detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid: 338cd001-2244-31f1-aaaa-900038001003
    filter:
        OpNum:
            - 6
            - 7
            - 8
            - 13
            - 18
            - 19
            - 21
            - 22
            - 23
            - 35
    condition: selection and not filter
falsepositives:
    - Remote administration of registry values
level: high
Convert to SIEM query
high Strong Low FP
Remote Schedule Task Lateral Movement via ATSvc
Detects remote RPC calls to create or execute a scheduled task via ATSvc
status test author Sagie Dulce, Dekel Paz ATT&CK sub-technique id 0fcd1c79-4eeb-4746-aba9-1b458f7a79cb
carbon_black query
EventLog:RPCFW EventID:3 InterfaceUuid:1ff70682\-0a51\-30e8\-076d\-740be8cee98b (OpNum:0 OR OpNum:1)
view Sigma YAML 
title: Remote Schedule Task Lateral Movement via ATSvc
id: 0fcd1c79-4eeb-4746-aba9-1b458f7a79cb
status: test
description: Detects remote RPC calls to create or execute a scheduled task via ATSvc
references:
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md
    - https://github.com/zeronetworks/rpcfirewall
    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
    - attack.privilege-escalation
    - attack.lateral-movement
    - attack.execution
    - attack.persistence
    - attack.t1053
    - attack.t1053.002
logsource:
    product: rpc_firewall
    category: application
    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:1ff70682-0a51-30e8-076d-740be8cee98b"'
detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid: 1ff70682-0a51-30e8-076d-740be8cee98b
        OpNum:
            - 0
            - 1
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Strong Low FP
Remote Schedule Task Lateral Movement via ITaskSchedulerService
Detects remote RPC calls to create or execute a scheduled task
status test author Sagie Dulce, Dekel Paz ATT&CK sub-technique id ace3ff54-e7fd-46bd-8ea0-74b49a0aca1d
carbon_black query
EventLog:RPCFW EventID:3 InterfaceUuid:86d35949\-83c9\-4044\-b424\-db363231fd0c (OpNum:1 OR OpNum:3 OR OpNum:4 OR OpNum:10 OR OpNum:11 OR OpNum:12 OR OpNum:13 OR OpNum:14 OR OpNum:15)
view Sigma YAML 
title: Remote Schedule Task Lateral Movement via ITaskSchedulerService
id: ace3ff54-e7fd-46bd-8ea0-74b49a0aca1d
status: test
description: Detects remote RPC calls to create or execute a scheduled task
references:
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md
    - https://github.com/zeronetworks/rpcfirewall
    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.lateral-movement
    - attack.t1053
    - attack.t1053.002
logsource:
    product: rpc_firewall
    category: application
    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:86d35949-83c9-4044-b424-db363231fd0c"'
detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid: 86d35949-83c9-4044-b424-db363231fd0c
        OpNum:
            - 1
            - 3
            - 4
            - 10
            - 11
            - 12
            - 13
            - 14
            - 15
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Strong Low FP
Remote Schedule Task Lateral Movement via SASec
Detects remote RPC calls to create or execute a scheduled task via SASec
status test author Sagie Dulce, Dekel Paz ATT&CK sub-technique id aff229ab-f8cd-447b-b215-084d11e79eb0
carbon_black query
EventLog:RPCFW EventID:3 InterfaceUuid:378e52b0\-c0a9\-11cf\-822d\-00aa0051e40f (OpNum:0 OR OpNum:1)
view Sigma YAML 
title: Remote Schedule Task Lateral Movement via SASec
id: aff229ab-f8cd-447b-b215-084d11e79eb0
status: test
description: Detects remote RPC calls to create or execute a scheduled task via SASec
references:
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md
    - https://github.com/zeronetworks/rpcfirewall
    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
    - attack.privilege-escalation
    - attack.lateral-movement
    - attack.execution
    - attack.persistence
    - attack.t1053
    - attack.t1053.002
logsource:
    product: rpc_firewall
    category: application
    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:378e52b0-c0a9-11cf-822d-00aa0051e40f"'
detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid: 378e52b0-c0a9-11cf-822d-00aa0051e40f
        OpNum:
            - 0
            - 1
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Strong Low FP
Remote Schedule Task Recon via AtScv
Detects remote RPC calls to read information about scheduled tasks via AtScv
status test author Sagie Dulce, Dekel Paz ATT&CK tactic-only id f177f2bc-5f3e-4453-b599-57eefce9a59c
carbon_black query
(EventLog:RPCFW EventID:3 InterfaceUuid:1ff70682\-0a51\-30e8\-076d\-740be8cee98b) (-(OpNum:0 OR OpNum:1))
view Sigma YAML 
title: Remote Schedule Task Recon via AtScv
id: f177f2bc-5f3e-4453-b599-57eefce9a59c
status: test
description: Detects remote RPC calls to read information about scheduled tasks via AtScv
references:
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
    - https://github.com/zeronetworks/rpcfirewall
    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md
    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
    - attack.discovery
logsource:
    product: rpc_firewall
    category: application
    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:1ff70682-0a51-30e8-076d-740be8cee98b"'
detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid: 1ff70682-0a51-30e8-076d-740be8cee98b
    filter:
        OpNum:
            - 0
            - 1
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Strong Low FP
Remote Schedule Task Recon via ITaskSchedulerService
Detects remote RPC calls to read information about scheduled tasks
status test author Sagie Dulce, Dekel Paz ATT&CK tactic-only id 7f7c49eb-2977-4ac8-8ab0-ab1bae14730e
carbon_black query
(EventLog:RPCFW EventID:3 InterfaceUuid:86d35949\-83c9\-4044\-b424\-db363231fd0c) (-(OpNum:1 OR OpNum:3 OR OpNum:4 OR OpNum:10 OR OpNum:11 OR OpNum:12 OR OpNum:13 OR OpNum:14 OR OpNum:15))
view Sigma YAML 
title: Remote Schedule Task Recon via ITaskSchedulerService
id: 7f7c49eb-2977-4ac8-8ab0-ab1bae14730e
status: test
description: Detects remote RPC calls to read information about scheduled tasks
references:
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md
    - https://github.com/zeronetworks/rpcfirewall
    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
    - attack.discovery
logsource:
    product: rpc_firewall
    category: application
    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:86d35949-83c9-4044-b424-db363231fd0c"'
detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid: 86d35949-83c9-4044-b424-db363231fd0c
    filter:
        OpNum:
            - 1
            - 3
            - 4
            - 10
            - 11
            - 12
            - 13
            - 14
            - 15
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Strong Low FP
Remote Server Service Abuse
Detects remote RPC calls to possibly abuse remote encryption service via MS-SRVS
status test author Sagie Dulce, Dekel Paz ATT&CK tactic-only id b6ea3cc7-542f-43ef-bbe4-980fbed444c7
carbon_black query
EventLog:RPCFW EventID:3 InterfaceUuid:4b324fc8\-1670\-01d3\-1278\-5a47bf6ee188
view Sigma YAML 
title: Remote Server Service Abuse
id: b6ea3cc7-542f-43ef-bbe4-980fbed444c7
status: test
description: Detects remote RPC calls to possibly abuse remote encryption service via MS-SRVS
references:
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9
    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md
    - https://github.com/zeronetworks/rpcfirewall
    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
    - attack.lateral-movement
logsource:
    product: rpc_firewall
    category: application
    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:4b324fc8-1670-01d3-1278-5a47bf6ee188'
detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid: 4b324fc8-1670-01d3-1278-5a47bf6ee188
    condition: selection
falsepositives:
    - Legitimate remote share creation
level: high
Convert to SIEM query
high Strong Low FP
Remote Server Service Abuse for Lateral Movement
Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR
status test author Sagie Dulce, Dekel Paz ATT&CK sub-technique id 10018e73-06ec-46ec-8107-9172f1e04ff2
carbon_black query
EventLog:RPCFW EventID:3 InterfaceUuid:367abb81\-9844\-35f1\-ad32\-98f038001003
view Sigma YAML 
title: Remote Server Service Abuse for Lateral Movement
id: 10018e73-06ec-46ec-8107-9172f1e04ff2
status: test
description: Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR
references:
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9
    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md
    - https://github.com/zeronetworks/rpcfirewall
    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
    - attack.lateral-movement
    - attack.execution
    - attack.t1569.002
logsource:
    product: rpc_firewall
    category: application
    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:367abb81-9844-35f1-ad32-98f038001003'
detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid: 367abb81-9844-35f1-ad32-98f038001003
    condition: selection
falsepositives:
    - Administrative tasks on remote services
level: high
Convert to SIEM query
high Moderate Medium FP
Remote Thread Created In KeePass.EXE
Detects remote thread creation in "KeePass.exe" which could indicates potential password dumping activity
status test author Timon Hackenjos ATT&CK sub-technique id 77564cc2-7382-438b-a7f6-395c2ae53b9a
carbon_black query
TargetImage:\\KeePass.exe
view Sigma YAML 
title: Remote Thread Created In KeePass.EXE
id: 77564cc2-7382-438b-a7f6-395c2ae53b9a
status: test
description: Detects remote thread creation in "KeePass.exe" which could indicates potential password dumping activity
references:
    - https://www.cisa.gov/uscert/ncas/alerts/aa20-259a
    - https://github.com/denandz/KeeFarce
    - https://github.com/GhostPack/KeeThief
author: Timon Hackenjos
date: 2022-04-22
modified: 2023-05-05
tags:
    - attack.credential-access
    - attack.t1555.005
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        TargetImage|endswith: '\KeePass.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
Showing 1101-1150 of 1,677
Prev 23 Next
SOC and Response
Detection Engineering
Threat Hunting
Red Team and Pentest
Compliance and GRC
Atlas
Search Tools & malware CWE Package vulns
About
All capabilities Pricing API docs Privacy policy Terms of service
threatengine.sh