VMware Carbon Black

1,677 rules · Sigma detections in VMware Carbon Black syntax
The same Sigma detection corpus, machine-rendered into VMware Carbon Black query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.

Detection rules

50 shown of 1,677
UAC Bypass Using IDiagnostic Profile
Detects the "IDiagnosticProfileUAC" UAC bypass technique
Level: high · Quality: Moderate · Alert volume: Medium FP
Status: test · Author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK: sub-technique · Rule id: 4cbef972-f347-4170-b62a-8253f6168e6d
Carbon Black query:
ParentImage:\\DllHost.exe ParentCommandLine:\ \/Processid\:\{12C21EA7\-2EB8\-4B55\-9249\-AC243DA8C666\}* (IntegrityLevel:High OR IntegrityLevel:System OR IntegrityLevel:S\-1\-16\-16384 OR IntegrityLevel:S\-1\-16\-12288)
Sigma YAML:
title: UAC Bypass Using IDiagnostic Profile
id: 4cbef972-f347-4170-b62a-8253f6168e6d
status: test
description: Detects the "IDiagnosticProfileUAC" UAC bypass technique
references:
    - https://github.com/Wh04m1001/IDiagnosticProfileUAC
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-03
modified: 2024-12-01
tags:
    - attack.execution
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\DllHost.exe'
        ParentCommandLine|contains: ' /Processid:{12C21EA7-2EB8-4B55-9249-AC243DA8C666}'
        IntegrityLevel:
            - 'High'
            - 'System'
            - 'S-1-16-16384' # System
            - 'S-1-16-12288' # High
    condition: selection
falsepositives:
    - Unknown
level: high

UAC Bypass Using IDiagnostic Profile - File
Detects the creation of a file by "dllhost.exe" in the System32 directory as part of the "IDiagnosticProfileUAC" UAC bypass technique
Level: high · Quality: Moderate · Alert volume: High FP
Status: test · Author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK: sub-technique · Rule id: 48ea844d-19b1-4642-944e-fe39c2cc1fec
Carbon Black query:
Image:\\DllHost.exe TargetFilename:C\:\\Windows\\System32\\* TargetFilename:.dll
Sigma YAML:
title: UAC Bypass Using IDiagnostic Profile - File
id: 48ea844d-19b1-4642-944e-fe39c2cc1fec
status: test
description: Detects the creation of a file by "dllhost.exe" in System32 directory part of "IDiagnosticProfileUAC" UAC bypass technique
references:
    - https://github.com/Wh04m1001/IDiagnosticProfileUAC
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-03
tags:
    - attack.execution
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith: '\DllHost.exe'
        TargetFilename|startswith: 'C:\Windows\System32\'
        TargetFilename|endswith: '.dll'
    condition: selection
falsepositives:
    - Unknown
level: high

UAC Bypass Using IEInstal - File
Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
Level: high · Quality: Moderate · Alert volume: Medium FP
Status: test · Author: Christian Burkard (Nextron Systems) · ATT&CK: sub-technique · Rule id: bdd8157d-8e85-4397-bb82-f06cc9c71dbb
Carbon Black query:
Image:C\:\\Program\ Files\\Internet\ Explorer\\IEInstal.exe TargetFilename:C\:\\Users\\* TargetFilename:\\AppData\\Local\\Temp\\* TargetFilename:consent.exe
Sigma YAML:
title: UAC Bypass Using IEInstal - File
id: bdd8157d-8e85-4397-bb82-f06cc9c71dbb
status: test
description: Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2022-10-09
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image: 'C:\Program Files\Internet Explorer\IEInstal.exe'
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains: '\AppData\Local\Temp\'
        TargetFilename|endswith: 'consent.exe'
    condition: selection
falsepositives:
    - Unknown
level: high

UAC Bypass Using IEInstal - Process
Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
Level: high · Quality: Moderate · Alert volume: Medium FP
Status: test · Author: Christian Burkard (Nextron Systems) · ATT&CK: sub-technique · Rule id: 80fc36aa-945e-4181-89f2-2f907ab6775d
Carbon Black query:
(IntegrityLevel:High OR IntegrityLevel:System OR IntegrityLevel:S\-1\-16\-16384 OR IntegrityLevel:S\-1\-16\-12288) ParentImage:\\ieinstal.exe Image:\\AppData\\Local\\Temp\\* Image:consent.exe
Sigma YAML:
title: UAC Bypass Using IEInstal - Process
id: 80fc36aa-945e-4181-89f2-2f907ab6775d
status: test
description: Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2024-12-01
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        IntegrityLevel:
            - 'High'
            - 'System'
            - 'S-1-16-16384' # System
            - 'S-1-16-12288' # High
        ParentImage|endswith: '\ieinstal.exe'
        Image|contains: '\AppData\Local\Temp\'
        Image|endswith: 'consent.exe'
    condition: selection
falsepositives:
    - Unknown
level: high

UAC Bypass Using Iscsicpl - ImageLoad
Detects the "iscsicpl.exe" UAC bypass technique, which leverages DLL search order hijacking to load a custom DLL from Temp or any user-controlled location in the user's %PATH%
Level: high · Quality: Moderate · Alert volume: Medium FP
Status: test · Author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK: sub-technique · Rule id: 9ed5959a-c43c-4c59-84e3-d28628429456
Carbon Black query:
(Image:C\:\\Windows\\SysWOW64\\iscsicpl.exe ImageLoaded:\\iscsiexe.dll) (-(ImageLoaded:C\:\\Windows\\* ImageLoaded:iscsiexe.dll*))
Sigma YAML:
title: UAC Bypass Using Iscsicpl - ImageLoad
id: 9ed5959a-c43c-4c59-84e3-d28628429456
status: test
description: Detects the "iscsicpl.exe" UAC bypass technique that leverages a DLL Search Order hijacking technique to load a custom DLL's from temp or a any user controlled location in the users %PATH%
references:
    - https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC
    - https://twitter.com/wdormann/status/1547583317410607110
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-17
modified: 2022-07-25
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        Image: C:\Windows\SysWOW64\iscsicpl.exe
        ImageLoaded|endswith: '\iscsiexe.dll'
    filter:
        ImageLoaded|contains|all:
            - 'C:\Windows\'
            - 'iscsiexe.dll'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high

UAC Bypass Using MSConfig Token Modification - File
Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
Level: high · Quality: Moderate · Alert volume: Medium FP
Status: test · Author: Christian Burkard (Nextron Systems) · ATT&CK: sub-technique · Rule id: 41bb431f-56d8-4691-bb56-ed34e390906f
Carbon Black query:
TargetFilename:C\:\\Users\\* TargetFilename:\\AppData\\Local\\Temp\\pkgmgr.exe
Sigma YAML:
title: UAC Bypass Using MSConfig Token Modification - File
id: 41bb431f-56d8-4691-bb56-ed34e390906f
status: test
description: Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2022-10-09
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|endswith: '\AppData\Local\Temp\pkgmgr.exe'
    condition: selection
falsepositives:
    - Unknown
level: high

UAC Bypass Using MSConfig Token Modification - Process
Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
Level: high · Quality: Moderate · Alert volume: Medium FP
Status: test · Author: Christian Burkard (Nextron Systems) · ATT&CK: sub-technique · Rule id: ad92e3f9-7eb6-460e-96b1-582b0ccbb980
Carbon Black query:
(IntegrityLevel:High OR IntegrityLevel:System OR IntegrityLevel:S\-1\-16\-16384 OR IntegrityLevel:S\-1\-16\-12288) ParentImage:\\AppData\\Local\\Temp\\pkgmgr.exe CommandLine:\"C\:\\Windows\\system32\\msconfig.exe\"\ \-5
Sigma YAML:
title: UAC Bypass Using MSConfig Token Modification - Process
id: ad92e3f9-7eb6-460e-96b1-582b0ccbb980
status: test
description: Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2024-12-01
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        IntegrityLevel:
            - 'High'
            - 'System'
            - 'S-1-16-16384' # System
            - 'S-1-16-12288' # High
        ParentImage|endswith: '\AppData\Local\Temp\pkgmgr.exe'
        CommandLine: '"C:\Windows\system32\msconfig.exe" -5'
    condition: selection
falsepositives:
    - Unknown
level: high

UAC Bypass Using NTFS Reparse Point - File
Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
Level: high · Quality: Moderate · Alert volume: Medium FP
Status: test · Author: Christian Burkard (Nextron Systems) · ATT&CK: sub-technique · Rule id: 7fff6773-2baa-46de-a24a-b6eec1aba2d1
Carbon Black query:
TargetFilename:C\:\\Users\\* TargetFilename:\\AppData\\Local\\Temp\\api\-ms\-win\-core\-kernel32\-legacy\-l1.DLL
Sigma YAML:
title: UAC Bypass Using NTFS Reparse Point - File
id: 7fff6773-2baa-46de-a24a-b6eec1aba2d1
status: test
description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2022-10-09
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|endswith: '\AppData\Local\Temp\api-ms-win-core-kernel32-legacy-l1.DLL'
    condition: selection
falsepositives:
    - Unknown
level: high

UAC Bypass Using NTFS Reparse Point - Process
Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
Level: high · Quality: Strong · Alert volume: Medium FP
Status: test · Author: Christian Burkard (Nextron Systems) · ATT&CK: sub-technique · Rule id: 39ed3c80-e6a1-431b-9df3-911ac53d08a7
Carbon Black query:
(CommandLine:\"C\:\\Windows\\system32\\wusa.exe\"\ \ \/quiet\ C\:\\Users\\* CommandLine:\\AppData\\Local\\Temp\\update.msu (IntegrityLevel:High OR IntegrityLevel:System OR IntegrityLevel:S\-1\-16\-16384 OR IntegrityLevel:S\-1\-16\-12288)) OR (ParentCommandLine:\"C\:\\Windows\\system32\\dism.exe\"\ \/online\ \/quiet\ \/norestart\ \/add\-package\ \/packagepath\:\"C\:\\Windows\\system32\\pe386\"\ \/ignorecheck (IntegrityLevel:High OR IntegrityLevel:System) (CommandLine:C\:\\Users\\* CommandLine:\\AppData\\Local\\Temp\\* CommandLine:\\dismhost.exe\ \{*) Image:\\DismHost.exe)
Sigma YAML:
title: UAC Bypass Using NTFS Reparse Point - Process
id: 39ed3c80-e6a1-431b-9df3-911ac53d08a7
status: test
description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2024-12-01
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        CommandLine|startswith: '"C:\Windows\system32\wusa.exe"  /quiet C:\Users\'
        CommandLine|endswith: '\AppData\Local\Temp\update.msu'
        IntegrityLevel:
            - 'High'
            - 'System'
            - 'S-1-16-16384' # System
            - 'S-1-16-12288' # High
    selection2:
        ParentCommandLine: '"C:\Windows\system32\dism.exe" /online /quiet /norestart /add-package /packagepath:"C:\Windows\system32\pe386" /ignorecheck'
        IntegrityLevel:
            - 'High'
            - 'System'
        CommandLine|contains|all:
            - 'C:\Users\'
            - '\AppData\Local\Temp\'
            - '\dismhost.exe {'
        Image|endswith: '\DismHost.exe'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: high

UAC Bypass Using PkgMgr and DISM
Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)
Level: high · Quality: Moderate · Alert volume: Medium FP
Status: test · Author: Christian Burkard (Nextron Systems) · ATT&CK: sub-technique · Rule id: a743ceba-c771-4d75-97eb-8a90f7f4844c
Carbon Black query:
ParentImage:\\pkgmgr.exe Image:\\dism.exe (IntegrityLevel:High OR IntegrityLevel:System OR IntegrityLevel:S\-1\-16\-16384 OR IntegrityLevel:S\-1\-16\-12288)
Sigma YAML:
title: UAC Bypass Using PkgMgr and DISM
id: a743ceba-c771-4d75-97eb-8a90f7f4844c
status: test
description: Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-23
modified: 2024-12-01
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\pkgmgr.exe'
        Image|endswith: '\dism.exe'
        IntegrityLevel:
            - 'High'
            - 'System'
            - 'S-1-16-16384' # System
            - 'S-1-16-12288' # High
    condition: selection
falsepositives:
    - Unknown
level: high

UAC Bypass Using WOW64 Logger DLL Hijack
Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe 30)
Level: high · Quality: Moderate · Alert volume: Medium FP
Status: test · Author: Christian Burkard (Nextron Systems) · ATT&CK: sub-technique · Rule id: 4f6c43e2-f989-4ea5-bcd8-843b49a0317c
Carbon Black query:
SourceImage:\:\\Windows\\SysWOW64\\* GrantedAccess:0x1fffff CallTrace:UNKNOWN\(0000000000000000\)|UNKNOWN\(0000000000000000\)|*
Sigma YAML:
title: UAC Bypass Using WOW64 Logger DLL Hijack
id: 4f6c43e2-f989-4ea5-bcd8-843b49a0317c
status: test
description: Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe 30)
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-23
modified: 2022-10-09
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: process_access
    product: windows
detection:
    selection:
        SourceImage|contains: ':\Windows\SysWOW64\'
        GrantedAccess: '0x1fffff'
        CallTrace|startswith: 'UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|'
    condition: selection
falsepositives:
    - Unknown
level: high

UAC Bypass Using Windows Media Player - File
Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
Level: high · Quality: Moderate · Alert volume: Medium FP
Status: test · Author: Christian Burkard (Nextron Systems) · ATT&CK: sub-technique · Rule id: 68578b43-65df-4f81-9a9b-92f32711a951
Carbon Black query:
(TargetFilename:C\:\\Users\\* TargetFilename:\\AppData\\Local\\Temp\\OskSupport.dll) OR (Image:C\:\\Windows\\system32\\DllHost.exe TargetFilename:C\:\\Program\ Files\\Windows\ Media\ Player\\osk.exe)
Sigma YAML:
title: UAC Bypass Using Windows Media Player - File
id: 68578b43-65df-4f81-9a9b-92f32711a951
status: test
description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-23
modified: 2022-10-09
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: file_event
    product: windows
detection:
    selection1:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|endswith: '\AppData\Local\Temp\OskSupport.dll'
    selection2:
        Image: 'C:\Windows\system32\DllHost.exe'
        TargetFilename: 'C:\Program Files\Windows Media Player\osk.exe'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: high

UAC Bypass Using Windows Media Player - Process
Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
Level: high · Quality: Moderate · Alert volume: Medium FP
Status: test · Author: Christian Burkard (Nextron Systems) · ATT&CK: sub-technique · Rule id: 0058b9e5-bcd7-40d4-9205-95ca5a16d7b2
Carbon Black query:
(Image:C\:\\Program\ Files\\Windows\ Media\ Player\\osk.exe OR (Image:C\:\\Windows\\System32\\cmd.exe ParentCommandLine:\"C\:\\Windows\\system32\\mmc.exe\"\ \"C\:\\Windows\\system32\\eventvwr.msc\"\ \/s)) (IntegrityLevel:High OR IntegrityLevel:System OR IntegrityLevel:S\-1\-16\-16384 OR IntegrityLevel:S\-1\-16\-12288)
Sigma YAML:
title: UAC Bypass Using Windows Media Player - Process
id: 0058b9e5-bcd7-40d4-9205-95ca5a16d7b2
status: test
description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-23
modified: 2024-12-01
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img_1:
        Image: 'C:\Program Files\Windows Media Player\osk.exe'
    selection_img_2:
        Image: 'C:\Windows\System32\cmd.exe'
        ParentCommandLine: '"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /s'
    selection_integrity:
        IntegrityLevel:
            - 'High'
            - 'System'
            - 'S-1-16-16384' # System
            - 'S-1-16-12288' # High
    condition: 1 of selection_img_* and selection_integrity
falsepositives:
    - Unknown
level: high

UAC Bypass Using Windows Media Player - Registry
Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
Level: high · Quality: Moderate · Alert volume: Medium FP
Status: test · Author: Christian Burkard (Nextron Systems) · ATT&CK: sub-technique · Rule id: 5f9db380-ea57-4d1e-beab-8a2d33397e93
Carbon Black query:
TargetObject:\\SOFTWARE\\Microsoft\\Windows\ NT\\CurrentVersion\\AppCompatFlags\\Compatibility\ Assistant\\Store\\C\:\\Program\ Files\\Windows\ Media\ Player\\osk.exe Details:Binary\ Data
Sigma YAML:
title: UAC Bypass Using Windows Media Player - Registry
id: 5f9db380-ea57-4d1e-beab-8a2d33397e93
status: test
description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-23
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Program Files\Windows Media Player\osk.exe'
        Details: 'Binary Data'
    condition: selection
falsepositives:
    - Unknown
level: high

UAC Bypass Via Wsreset
Unfixed UAC bypass method on Windows 10: WSReset.exe, a file associated with the Windows Store, runs a binary referenced from a registry key that is writable at low privilege.
Level: high · Quality: Moderate · Alert volume: High FP
Status: test · Author: oscd.community, Dmitry Uchakin · ATT&CK: sub-technique · Rule id: 6ea3bf32-9680-422d-9f50-e90716b12a66
Carbon Black query:
TargetObject:\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command
Sigma YAML:
title: UAC Bypass Via Wsreset
id: 6ea3bf32-9680-422d-9f50-e90716b12a66
status: test
description: Unfixed method for UAC bypass from Windows 10. WSReset.exe file associated with the Windows Store. It will run a binary file contained in a low-privilege registry.
references:
    - https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly
    - https://lolbas-project.github.io/lolbas/Binaries/Wsreset
author: oscd.community, Dmitry Uchakin
date: 2020-10-07
modified: 2021-11-27
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|endswith: '\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command'
    condition: selection
falsepositives:
    - Unknown
level: high

UAC Bypass WSReset
Detects the pattern of UAC Bypass via WSReset; usable with the default sysmon-config
Level: high · Quality: Moderate · Alert volume: Medium FP
Status: test · Author: Christian Burkard (Nextron Systems) · ATT&CK: sub-technique · Rule id: 89a9a0e0-f61a-42e5-8957-b1479565a658
Carbon Black query:
Image:\\wsreset.exe (IntegrityLevel:High OR IntegrityLevel:System OR IntegrityLevel:S\-1\-16\-16384 OR IntegrityLevel:S\-1\-16\-12288)
Sigma YAML:
title: UAC Bypass WSReset
id: 89a9a0e0-f61a-42e5-8957-b1479565a658
status: test
description: Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Wsreset/
    - https://github.com/hfiref0x/UACME
    - https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf
author: Christian Burkard (Nextron Systems)
date: 2021-08-23
modified: 2024-12-01
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\wsreset.exe'
        IntegrityLevel:
            - 'High'
            - 'System'
            - 'S-1-16-16384' # System
            - 'S-1-16-12288' # High
    condition: selection
falsepositives:
    - Unknown
level: high

UAC Bypass With Fake DLL
Detects attempts by dism.exe to load a dropped dismcore.dll from a location other than its legitimate path
Level: high · Quality: Strong · Alert volume: Medium FP
Status: test · Author: oscd.community, Dmitry Uchakin · ATT&CK: sub-technique · Rule id: a5ea83a7-05a5-44c1-be2e-addccbbd8c03
Carbon Black query:
(Image:\\dism.exe ImageLoaded:\\dismcore.dll) (-ImageLoaded:C\:\\Windows\\System32\\Dism\\dismcore.dll)
Sigma YAML:
title: UAC Bypass With Fake DLL
id: a5ea83a7-05a5-44c1-be2e-addccbbd8c03
status: test
description: Attempts to load dismcore.dll after dropping it
references:
    - https://steemit.com/utopian-io/@ah101/uac-bypassing-utility
author: oscd.community, Dmitry Uchakin
date: 2020-10-06
modified: 2022-12-25
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1548.002
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\dism.exe'
        ImageLoaded|endswith: '\dismcore.dll'
    filter:
        ImageLoaded: 'C:\Windows\System32\Dism\dismcore.dll'
    condition: selection and not filter
falsepositives:
    - Actions of a legitimate telnet client
level: high

UAC Bypass via Event Viewer
Detects a UAC bypass method using the Windows Event Viewer
Level: high · Quality: Moderate · Alert volume: High FP
Status: test · Author: Florian Roth (Nextron Systems) · ATT&CK: sub-technique · Rule id: 7c81fec3-1c1d-43b0-996a-46753041b1b6
Carbon Black query:
TargetObject:\\mscfile\\shell\\open\\command
Sigma YAML:
title: UAC Bypass via Event Viewer
id: 7c81fec3-1c1d-43b0-996a-46753041b1b6
status: test
description: Detects UAC bypass method using Windows event viewer
references:
    - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
    - https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100
author: Florian Roth (Nextron Systems)
date: 2017-03-19
modified: 2023-09-28
tags:
    - attack.privilege-escalation
    - attack.t1548.002
    - car.2019-04-001
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|endswith: '\mscfile\shell\open\command'
    condition: selection
falsepositives:
    - Unknown
level: high

UAC Bypass via ICMLuaUtil
Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface
Level: high · Quality: Moderate · Alert volume: High FP
Status: test · Author: Florian Roth (Nextron Systems), Elastic (idea) · ATT&CK: sub-technique · Rule id: 49f2f17b-b4c8-4172-a68b-d5bf95d05130
Carbon Black query:
(ParentImage:\\dllhost.exe (ParentCommandLine:\/Processid\:\{3E5FC7F9\-9A51\-4367\-9063\-A120244FBEC7\}* OR ParentCommandLine:\/Processid\:\{D2E7041B\-2927\-42FB\-8E9F\-7CE93B6DC937\}*)) (-(Image:\\WerFault.exe OR OriginalFileName:WerFault.exe))
Sigma YAML:
title: UAC Bypass via ICMLuaUtil
id: 49f2f17b-b4c8-4172-a68b-d5bf95d05130
status: test
description: Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface
references:
    - https://www.elastic.co/guide/en/security/current/uac-bypass-via-icmluautil-elevated-com-interface.html
author: Florian Roth (Nextron Systems), Elastic (idea)
date: 2022-09-13
modified: 2022-09-27
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\dllhost.exe'
        ParentCommandLine|contains:
            - '/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}'
            - '/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}'
    filter:
        - Image|endswith: '\WerFault.exe'
        - OriginalFileName: 'WerFault.exe'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high

UAC Bypass via Sdclt
Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53)
Level: high · Quality: Moderate · Alert volume: Medium FP
Status: test · Author: Omer Yampel, Christian Burkard (Nextron Systems) · ATT&CK: sub-technique · Rule id: 5b872a46-3b90-45c1-8419-f675db8053aa
Carbon Black query:
TargetObject:Software\\Classes\\exefile\\shell\\runas\\command\\isolatedCommand OR (TargetObject:Software\\Classes\\Folder\\shell\\open\\command\\SymbolicLinkValue Details:-1[0-9]{3}\\\\Software\\\\Classes\\\\)
Sigma YAML:
title: UAC Bypass via Sdclt
id: 5b872a46-3b90-45c1-8419-f675db8053aa
status: test
description: Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53)
references:
    - https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/
    - https://github.com/hfiref0x/UACME
author: Omer Yampel, Christian Burkard (Nextron Systems)
date: 2017-03-17
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.t1548.002
    - car.2019-04-001
logsource:
    category: registry_set
    product: windows
detection:
    selection1:
        TargetObject|endswith: 'Software\Classes\exefile\shell\runas\command\isolatedCommand'
    selection2:
        TargetObject|endswith: 'Software\Classes\Folder\shell\open\command\SymbolicLinkValue'
        Details|re: '-1[0-9]{3}\\Software\\Classes\\'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: high

UEFI Persistence Via Wpbbin - FileCreation
Detects creation of a file named "wpbbin" in the "%systemroot%\system32\" directory, which could indicate a UEFI-based persistence method
Level: high · Quality: Moderate · Alert volume: Medium FP
Status: test · Author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK: sub-technique · Rule id: e94b9ddc-eec5-4bb8-8a58-b9dc5f4e185f
Carbon Black query:
TargetFilename:C\:\\Windows\\System32\\wpbbin.exe
Sigma YAML:
title: UEFI Persistence Via Wpbbin - FileCreation
id: e94b9ddc-eec5-4bb8-8a58-b9dc5f4e185f
status: test
description: Detects creation of a file named "wpbbin" in the "%systemroot%\system32\" directory. Which could be indicative of UEFI based persistence method
references:
    - https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c
    - https://persistence-info.github.io/Data/wpbbin.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-18
tags:
    - attack.persistence
    - attack.stealth
    - attack.t1542.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename: 'C:\Windows\System32\wpbbin.exe'
    condition: selection
falsepositives:
    - Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)
level: high

UEFI Persistence Via Wpbbin - ProcessCreation
Detects execution of the "wpbbin" binary, which is used as part of the UEFI-based persistence method described in the references
Level: high · Quality: Moderate · Alert volume: Medium FP
Status: test · Author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK: sub-technique · Rule id: 4abc0ec4-db5a-412f-9632-26659cddf145
Carbon Black query:
Image:C\:\\Windows\\System32\\wpbbin.exe
Sigma YAML:
title: UEFI Persistence Via Wpbbin - ProcessCreation
id: 4abc0ec4-db5a-412f-9632-26659cddf145
status: test
description: Detects execution of the binary "wpbbin" which is used as part of the UEFI based persistence method described in the reference section
references:
    - https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c
    - https://persistence-info.github.io/Data/wpbbin.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-18
tags:
    - attack.persistence
    - attack.stealth
    - attack.t1542.001
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image: 'C:\Windows\System32\wpbbin.exe'
    condition: selection
falsepositives:
    - Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)
level: high

UNC2452 Process Creation Patterns
Detects specific process creation patterns seen used by UNC2452, as provided by Microsoft in the form of Microsoft Defender ATP queries
Level: high · Quality: Strong · Alert volume: Medium FP
Status: test · Author: Florian Roth (Nextron Systems) · ATT&CK: sub-technique · Rule id: 9be34ad0-b6a7-4fbd-91cf-fc7ec1047f5f
Carbon Black query:
((CommandLine:7z.exe\ a\ \-v500m\ \-mx9\ \-r0\ \-p* OR CommandLine:7z.exe\ a\ \-mx9\ \-r0\ \-p*) (CommandLine:.zip* CommandLine:.txt*)) OR ((CommandLine:7z.exe\ a\ \-v500m\ \-mx9\ \-r0\ \-p* OR CommandLine:7z.exe\ a\ \-mx9\ \-r0\ \-p*) (CommandLine:.zip* CommandLine:.log*)) OR ((ParentCommandLine:wscript.exe* ParentCommandLine:.vbs*) (CommandLine:rundll32.exe* CommandLine:C\:\\Windows* CommandLine:.dll,Tk_*)) OR (ParentImage:\\rundll32.exe (ParentCommandLine:C\:\\Windows* ParentCommandLine:.dll*) CommandLine:cmd.exe\ \/C\ *) OR (ParentImage:\\rundll32.exe Image:\\dllhost.exe CommandLine:)
Sigma YAML
title: UNC2452 Process Creation Patterns
id: 9be34ad0-b6a7-4fbd-91cf-fc7ec1047f5f
status: test
description: Detects specific process creation patterns as seen used by UNC2452, provided by Microsoft as Microsoft Defender ATP queries
references:
    - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
author: Florian Roth (Nextron Systems)
date: 2021-01-22
modified: 2024-09-12
tags:
    - attack.execution
    - attack.t1059.001
    - detection.emerging-threats
    # - sunburst
    # - unc2452
logsource:
    category: process_creation
    product: windows
detection:
    # To avoid writing complex condition. "selection_generic_1" and "selection_generic_2" are the same except for the extension used.
    selection_generic_1:
        CommandLine|contains:
            - '7z.exe a -v500m -mx9 -r0 -p'
            - '7z.exe a -mx9 -r0 -p'
        CommandLine|contains|all:
            - '.zip'
            - '.txt'
    selection_generic_2:
        CommandLine|contains:
            - '7z.exe a -v500m -mx9 -r0 -p'
            - '7z.exe a -mx9 -r0 -p'
        CommandLine|contains|all:
            - '.zip'
            - '.log'
    selection_generic_3:
        ParentCommandLine|contains|all:
            - 'wscript.exe'
            - '.vbs'
        CommandLine|contains|all:
            - 'rundll32.exe'
            - 'C:\Windows'
            - '.dll,Tk_'
    selection_generic_4:
        ParentImage|endswith: '\rundll32.exe'
        ParentCommandLine|contains|all:
            - 'C:\Windows'
            - '.dll'
        CommandLine|contains: 'cmd.exe /C '
    selection_generic_5:
        ParentImage|endswith: '\rundll32.exe'
        Image|endswith: '\dllhost.exe'
        CommandLine: ''
    condition: 1 of selection_generic_*
falsepositives:
    - Unknown
level: high
high Moderate High FP
UNC4841 - Barracuda ESG Exploitation Indicators
Detects file indicators as seen used by UNC4841 during their Barracuda ESG zero day exploitation.
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK tactic-only id 5627c337-a9b2-407a-a82d-5fd97035ff39
carbon_black query
TargetFilename:\/11111.tar OR TargetFilename:\/aacore.sh OR TargetFilename:\/appcheck.sh OR TargetFilename:\/autoins OR TargetFilename:\/BarracudaMailService OR TargetFilename:\/etc\/cron.daily\/core_check.sh OR TargetFilename:\/etc\/cron.daily\/core.sh OR TargetFilename:\/etc\/cron.hourly\/aacore.sh OR TargetFilename:\/etc\/cron.hourly\/appcheck.sh OR TargetFilename:\/etc\/cron.hourly\/core.sh OR TargetFilename:\/get_fs_info.pl OR TargetFilename:\/imgdata.jpg OR TargetFilename:\/install_att_v2.tar OR TargetFilename:\/install_bvp74_auth.tar OR TargetFilename:\/install_helo.tar OR TargetFilename:\/install_reuse.tar OR TargetFilename:\/intent_helo OR TargetFilename:\/intent_reuse OR TargetFilename:\/intentbas OR TargetFilename:\/mod_attachment.lua OR TargetFilename:\/mod_content.lua OR TargetFilename:\/mod_require_helo.lua OR TargetFilename:\/mod_rtf OR TargetFilename:\/mod_sender.lua OR TargetFilename:\/mod_udp.so OR TargetFilename:\/nfsd_stub.ko OR TargetFilename:\/resize_reisertab OR TargetFilename:\/resize_risertab OR TargetFilename:\/resize2fstab OR TargetFilename:\/rverify OR TargetFilename:\/saslautchd OR TargetFilename:\/sendscd OR TargetFilename:\/snapshot.tar OR TargetFilename:\/tmp\/p OR TargetFilename:\/tmp\/p7 OR TargetFilename:\/tmp\/t OR TargetFilename:\/update_v2.sh OR TargetFilename:\/update_v31.sh OR TargetFilename:\/update_v35.sh OR TargetFilename:\/update_version
Sigma YAML
title: UNC4841 - Barracuda ESG Exploitation Indicators
id: 5627c337-a9b2-407a-a82d-5fd97035ff39
status: test
description: Detects file indicators as seen used by UNC4841 during their Barracuda ESG zero day exploitation.
references:
    - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-16
modified: 2025-08-19
tags:
    - attack.execution
    - attack.persistence
    - detection.emerging-threats
    - attack.stealth
logsource:
    product: linux
    category: file_event
detection:
    selection:
        TargetFilename|endswith:
            - '/11111.tar'
            - '/aacore.sh'
            - '/appcheck.sh'
            - '/autoins'
            - '/BarracudaMailService'
            - '/etc/cron.daily/core_check.sh'
            - '/etc/cron.daily/core.sh'
            - '/etc/cron.hourly/aacore.sh'
            - '/etc/cron.hourly/appcheck.sh'
            - '/etc/cron.hourly/core.sh'
            - '/get_fs_info.pl'
            - '/imgdata.jpg'
            - '/install_att_v2.tar'
            - '/install_bvp74_auth.tar'
            - '/install_helo.tar'
            - '/install_reuse.tar'
            - '/intent_helo'
            - '/intent_reuse'
            - '/intentbas'
            # - '/mknod'
            - '/mod_attachment.lua'
            - '/mod_content.lua'
            - '/mod_require_helo.lua'
            - '/mod_rtf'
            - '/mod_sender.lua'
            - '/mod_udp.so'
            - '/nfsd_stub.ko'
            - '/resize_reisertab'
            - '/resize_risertab'
            - '/resize2fstab'
            - '/rverify'
            - '/saslautchd'
            - '/sendscd'
            - '/snapshot.tar'
            - '/tmp/p'
            - '/tmp/p7'
            - '/tmp/t'
            - '/update_v2.sh'
            - '/update_v31.sh'
            - '/update_v35.sh'
            - '/update_version'
    condition: selection
falsepositives:
    - Unlikely
level: high
high Moderate High FP
UNC4841 - Download Compressed Files From Temp.sh Using Wget
Detects execution of "wget" to download ".zip" or ".rar" files from "temp.sh", as seen used by UNC4841 during their Barracuda ESG zero day exploitation.
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK technique id 60d050c4-e253-4d9a-b673-5ac100cfddfb
carbon_black query
Image:\/wget CommandLine:https\:\/\/temp.sh\/* (CommandLine:.rar OR CommandLine:.zip)
Sigma YAML
title: UNC4841 - Download Compressed Files From Temp.sh Using Wget
id: 60d050c4-e253-4d9a-b673-5ac100cfddfb
status: test
description: Detects execution of "wget" to download ".zip" or ".rar" files from "temp.sh", as seen used by UNC4841 during their Barracuda ESG zero day exploitation.
references:
    - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-16
tags:
    - attack.stealth
    - attack.t1140
    - detection.emerging-threats
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/wget'
        CommandLine|contains: 'https://temp.sh/'
        CommandLine|endswith:
            - '.rar'
            - '.zip'
    condition: selection
falsepositives:
    - Unknown
level: high
high Strong Medium FP
UNC4841 - Download Tar File From Untrusted Direct IP Via Wget
Detects execution of "wget" to download a "tar" file from an IP address that doesn't have a trusted certificate, as seen used by UNC4841 during their Barracuda ESG zero day exploitation.
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK technique id 23835beb-ec38-4e74-a5d4-b99af6684e91
carbon_black query
(Image:\/wget CommandLine:https://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3} CommandLine:\-\-no\-check\-certificate* CommandLine:.tar) (-(CommandLine:https\:\/\/10.* OR CommandLine:https\:\/\/192.168.* OR CommandLine:https\:\/\/172.16.* OR CommandLine:https\:\/\/172.17.* OR CommandLine:https\:\/\/172.18.* OR CommandLine:https\:\/\/172.19.* OR CommandLine:https\:\/\/172.20.* OR CommandLine:https\:\/\/172.21.* OR CommandLine:https\:\/\/172.22.* OR CommandLine:https\:\/\/172.23.* OR CommandLine:https\:\/\/172.24.* OR CommandLine:https\:\/\/172.25.* OR CommandLine:https\:\/\/172.26.* OR CommandLine:https\:\/\/172.27.* OR CommandLine:https\:\/\/172.28.* OR CommandLine:https\:\/\/172.29.* OR CommandLine:https\:\/\/172.30.* OR CommandLine:https\:\/\/172.31.* OR CommandLine:https\:\/\/127.* OR CommandLine:https\:\/\/169.254.*))
Sigma YAML
title: UNC4841 - Download Tar File From Untrusted Direct IP Via Wget
id: 23835beb-ec38-4e74-a5d4-b99af6684e91
status: test
description: Detects execution of "wget" to download a "tar" file from an IP address that doesn't have a trusted certificate, as seen used by UNC4841 during their Barracuda ESG zero day exploitation.
references:
    - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-16
tags:
    - attack.stealth
    - attack.t1140
    - detection.emerging-threats
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/wget'
        CommandLine|re: 'https://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
        CommandLine|contains: '--no-check-certificate'
        CommandLine|endswith: '.tar'
    filter_main_local_ips:
        # Note: Uncomment this filter if you want to exclude local IPs
        CommandLine|contains:
            - 'https://10.' # 10.0.0.0/8
            - 'https://192.168.' # 192.168.0.0/16
            - 'https://172.16.' # 172.16.0.0/12
            - 'https://172.17.'
            - 'https://172.18.'
            - 'https://172.19.'
            - 'https://172.20.'
            - 'https://172.21.'
            - 'https://172.22.'
            - 'https://172.23.'
            - 'https://172.24.'
            - 'https://172.25.'
            - 'https://172.26.'
            - 'https://172.27.'
            - 'https://172.28.'
            - 'https://172.29.'
            - 'https://172.30.'
            - 'https://172.31.'
            - 'https://127.' # 127.0.0.0/8
            - 'https://169.254.' # 169.254.0.0/16
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
high Moderate High FP
UNC4841 - Email Exfiltration File Pattern
Detects the filename pattern of email-related data used by UNC4841 for staging and exfiltration
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK tactic-only id 0785f462-60b0-4031-9ff4-b4f3a0ba589a
carbon_black query
TargetFilename:/mail/tmp/[a-zA-Z0-9]{3}[0-9]{3}\\.tar\\.gz
Sigma YAML
title: UNC4841 - Email Exfiltration File Pattern
id: 0785f462-60b0-4031-9ff4-b4f3a0ba589a
status: test
description: Detects the filename pattern of email-related data used by UNC4841 for staging and exfiltration
references:
    - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-16
tags:
    - attack.execution
    - attack.persistence
    - detection.emerging-threats
    - attack.stealth
logsource:
    product: linux
    category: file_event
detection:
    selection:
        TargetFilename|re: '/mail/tmp/[a-zA-Z0-9]{3}[0-9]{3}\.tar\.gz'
    condition: selection
falsepositives:
    - Unknown
level: high
high Moderate Medium FP
UNC4841 - SSL Certificate Exfiltration Via Openssl
Detects the execution of "openssl" to connect to an IP address. This technique was used by UNC4841 to exfiltrate SSL certificates and as a C2 channel with named pipes. Investigate commands executed in the temporal vicinity of this command.
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK technique id 60911c07-f989-4362-84af-c609828ef829
carbon_black query
Image:\/openssl CommandLine:[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3} (CommandLine:s_client* CommandLine:\-quiet* CommandLine:\-connect*) (CommandLine:\:443* OR CommandLine:\:8080*)
Sigma YAML
title: UNC4841 - SSL Certificate Exfiltration Via Openssl
id: 60911c07-f989-4362-84af-c609828ef829
status: test
description: Detects the execution of "openssl" to connect to an IP address. This technique was used by UNC4841 to exfiltrate SSL certificates and as a C2 channel with named pipes. Investigate commands executed in the temporal vicinity of this command.
references:
    - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-16
tags:
    - attack.stealth
    - attack.t1140
    - detection.emerging-threats
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/openssl'
        CommandLine|re: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
        CommandLine|contains|all:
            - 's_client'
            - '-quiet'
            - '-connect'
        CommandLine|contains:
            - ':443'
            - ':8080'
    condition: selection
falsepositives:
    - Unknown
level: high
high Strong Medium FP
Uncommon Child Process Of Setres.EXE
Detects an uncommon child process of Setres.EXE. Setres.EXE is a Windows Server-only process and tool that can be used to set the screen resolution. It can potentially be abused in order to launch any arbitrary file with a name containing the word "choice" from the current execution path.
status test author @gott_cyber, Nasreddine Bencherchali (Nextron Systems) ATT&CK technique id 835e75bf-4bfd-47a4-b8a6-b766cac8bcb7
carbon_black query
(ParentImage:\\setres.exe Image:\\choice*) (-(Image:C\:\\Windows\\System32\\choice.exe OR Image:C\:\\Windows\\SysWOW64\\choice.exe))
Sigma YAML
title: Uncommon Child Process Of Setres.EXE
id: 835e75bf-4bfd-47a4-b8a6-b766cac8bcb7
status: test
description: |
    Detects an uncommon child process of Setres.EXE.
    Setres.EXE is a Windows Server-only process and tool that can be used to set the screen resolution.
    It can potentially be abused in order to launch any arbitrary file with a name containing the word "choice" from the current execution path.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Setres/
    - https://twitter.com/0gtweet/status/1583356502340870144
    - https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html
    - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)
author: '@gott_cyber, Nasreddine Bencherchali (Nextron Systems)'
date: 2022-12-11
modified: 2024-06-26
tags:
    - attack.stealth
    - attack.t1218
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\setres.exe'
        Image|contains: '\choice'
    filter_main_legit_location:
        Image|endswith:
            - 'C:\Windows\System32\choice.exe'
            - 'C:\Windows\SysWOW64\choice.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high
high Strong High FP
Uncommon Extension In Keyboard Layout IME File Registry Value
Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message. Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path. IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.
status test author X__Junior (Nextron Systems) ATT&CK technique id b888e3f2-224d-4435-b00b-9dd66e9ea1f1
carbon_black query
(TargetObject:\\Control\\Keyboard\ Layouts\\* TargetObject:Ime\ File*) (-Details:.ime)
Sigma YAML
title: Uncommon Extension In Keyboard Layout IME File Registry Value
id: b888e3f2-224d-4435-b00b-9dd66e9ea1f1
related:
    - id: 9d8f9bb8-01af-4e15-a3a2-349071530530
      type: derived
status: test
description: |
    Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message.
    Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path.
    IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.
references:
    - https://www.linkedin.com/pulse/guntior-story-advanced-bootkit-doesnt-rely-windows-disk-baranov-wue8e/
author: X__Junior (Nextron Systems)
date: 2023-11-21
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains|all:
            - '\Control\Keyboard Layouts\'
            - 'Ime File'
    filter_main_known_extension:
        Details|endswith: '.ime'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.
level: high
high Strong Medium FP
Uncommon File Created In Office Startup Folder
Detects the creation of a file with an uncommon extension in an Office application startup folder
status test author frack113, Nasreddine Bencherchali (Nextron Systems) ATT&CK sub-technique id a10a2c40-2c4d-49f8-b557-1a946bc55d9d
carbon_black query
(((TargetFilename:\\Microsoft\\Word\\STARTUP* OR (TargetFilename:\\Office* TargetFilename:\\Program\ Files* TargetFilename:\\STARTUP*)) (-(TargetFilename:.docb OR TargetFilename:.docm OR TargetFilename:.docx OR TargetFilename:.dotm OR TargetFilename:.mdb OR TargetFilename:.mdw OR TargetFilename:.pdf OR TargetFilename:.wll OR TargetFilename:.wwl))) OR ((TargetFilename:\\Microsoft\\Excel\\XLSTART* OR (TargetFilename:\\Office* TargetFilename:\\Program\ Files* TargetFilename:\\XLSTART*)) (-(TargetFilename:.xll OR TargetFilename:.xls OR TargetFilename:.xlsm OR TargetFilename:.xlsx OR TargetFilename:.xlt OR TargetFilename:.xltm OR TargetFilename:.xlw)))) (-((Image:\:\\Program\ Files\\Common\ Files\\Microsoft\ Shared\\ClickToRun\\* Image:\\OfficeClickToRun.exe) OR ((Image:\:\\Program\ Files\\Microsoft\ Office\\* OR Image:\:\\Program\ Files\ \(x86\)\\Microsoft\ Office\\*) (Image:\\winword.exe OR Image:\\excel.exe))))
Sigma YAML
title: Uncommon File Created In Office Startup Folder
id: a10a2c40-2c4d-49f8-b557-1a946bc55d9d
status: test
description: Detects the creation of a file with an uncommon extension in an Office application startup folder
references:
    - https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/
    - http://addbalance.com/word/startup.htm
    - https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3
    - https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-05
modified: 2023-12-13
tags:
    - attack.resource-development
    - attack.t1587.001
logsource:
    product: windows
    category: file_event
detection:
    selection_word_paths:
        - TargetFilename|contains: '\Microsoft\Word\STARTUP'
        - TargetFilename|contains|all:
              - '\Office'
              - '\Program Files'
              - '\STARTUP'
    filter_exclude_word_ext:
        TargetFilename|endswith:
            - '.docb' # Word binary document introduced in Microsoft Office 2007
            - '.docm' # Word macro-enabled document; same as docx, but may contain macros and scripts
            - '.docx' # Word document
            - '.dotm' # Word macro-enabled template; same as dotx, but may contain macros and scripts
            - '.mdb' # MS Access DB
            - '.mdw' # MS Access DB
            - '.pdf' # PDF documents
            - '.wll' # Word add-in
            - '.wwl' # Word add-in
    selection_excel_paths:
        - TargetFilename|contains: '\Microsoft\Excel\XLSTART'
        - TargetFilename|contains|all:
              - '\Office'
              - '\Program Files'
              - '\XLSTART'
    filter_exclude_excel_ext:
        TargetFilename|endswith:
            - '.xll'
            - '.xls'
            - '.xlsm'
            - '.xlsx'
            - '.xlt'
            - '.xltm'
            - '.xlw'
    filter_main_office_click_to_run:
        Image|contains: ':\Program Files\Common Files\Microsoft Shared\ClickToRun\'
        Image|endswith: '\OfficeClickToRun.exe'
    filter_main_office_apps:
        Image|contains:
            - ':\Program Files\Microsoft Office\'
            - ':\Program Files (x86)\Microsoft Office\'
        Image|endswith:
            - '\winword.exe'
            - '\excel.exe'
    condition: ((selection_word_paths and not filter_exclude_word_ext) or (selection_excel_paths and not filter_exclude_excel_ext)) and not 1 of filter_main_*
falsepositives:
    - False positive might stem from rare extensions used by other Office utilities.
level: high
high Strong Medium FP
Uncommon File Created by Notepad++ Updater Gup.EXE
Detects when the Notepad++ updater (gup.exe) creates files in suspicious or uncommon locations. This could indicate potential exploitation of the updater component to deliver unwanted malware or unwarranted files.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) ATT&CK sub-technique id 3b8f4c92-6a51-4d7e-9c3a-8e2d1f5a7b09
carbon_black query
Image:\\gup.exe (-((TargetFilename:C\:\\Program\ Files\\Notepad\+\+\\* OR TargetFilename:C\:\\Program\ Files\ \(x86\)\\Notepad\+\+\\*) OR (TargetFilename:C\:\\Users\\* (TargetFilename:\\AppData\\Local\\Temp\\* TargetFilename:npp.* TargetFilename:.Installer.* TargetFilename:.exe*)) OR (TargetFilename:C\:\\Users\\* (TargetFilename:\\AppData\\Local\\Temp\\* TargetFilename:.zip*)) OR TargetFilename:C\:\\$Recycle.Bin\\S\-1\-5\-21* OR ((TargetFilename:\\plugins\\JsonTools\\testfiles\\* OR TargetFilename:\\Notepad\+\+\\plugins\\ComparePlugin\\*) OR (TargetFilename:npp.* TargetFilename:.portable.* TargetFilename:\\plugins\\*))))
Sigma YAML
title: Uncommon File Created by Notepad++ Updater Gup.EXE
id: 3b8f4c92-6a51-4d7e-9c3a-8e2d1f5a7b09
status: experimental
description: |
    Detects when the Notepad++ updater (gup.exe) creates files in suspicious or uncommon locations.
    This could indicate potential exploitation of the updater component to deliver unwanted malware or unwarranted files.
references:
    - https://notepad-plus-plus.org/news/v889-released/
    - https://www.heise.de/en/news/Notepad-updater-installed-malware-11109726.html
    - https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
    - https://www.validin.com/blog/exploring_notepad_plus_plus_network_indicators/
    - https://securelist.com/notepad-supply-chain-attack/118708/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-02-03
modified: 2026-03-16
tags:
    - attack.collection
    - attack.credential-access
    - attack.t1195.002
    - attack.initial-access
    - attack.t1557
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith: '\gup.exe'
    filter_main_legit_paths:
        TargetFilename|startswith:
            - 'C:\Program Files\Notepad++\'
            - 'C:\Program Files (x86)\Notepad++\'
    filter_main_temp_update_installer:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains|all:
            - '\AppData\Local\Temp\'
            - 'npp.'
            - '.Installer.'
            - '.exe'
    filter_main_temp_generic_zip:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains|all:
            - '\AppData\Local\Temp\'
            - '.zip'
    filter_main_recycle_bin:
        TargetFilename|startswith: 'C:\$Recycle.Bin\S-1-5-21'
    filter_main_plugins:
        - TargetFilename|contains:
              - '\plugins\JsonTools\testfiles\'
              - '\Notepad++\plugins\ComparePlugin\'
        - TargetFilename|contains|all:
              - 'npp.'
              - '.portable.'
              - '\plugins\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Custom or portable Notepad++ installations in non-standard directories.
    - Legitimate update processes creating temporary files in unexpected locations.
level: high
high Moderate Medium FP
Uncommon File Creation By Mysql Daemon Process
Detects the creation of files with scripting or executable extensions by the Mysql daemon, which could be an indicator of "User Defined Functions" abuse to download malware.
status test author Joseph Kamau ATT&CK tactic-only id c61daa90-3c1e-4f18-af62-8f288b5c9aaf
carbon_black query
(Image:\\mysqld.exe OR Image:\\mysqld\-nt.exe) (TargetFilename:.bat OR TargetFilename:.dat OR TargetFilename:.dll OR TargetFilename:.exe OR TargetFilename:.ps1 OR TargetFilename:.psm1 OR TargetFilename:.vbe OR TargetFilename:.vbs)
Sigma YAML
title: Uncommon File Creation By Mysql Daemon Process
id: c61daa90-3c1e-4f18-af62-8f288b5c9aaf
status: test
description: |
    Detects the creation of files with scripting or executable extensions by the Mysql daemon,
    which could be an indicator of "User Defined Functions" abuse to download malware.
references:
    - https://asec.ahnlab.com/en/58878/
    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-mysql-malware-infection-via-user-defined-functions-udf/
author: Joseph Kamau
date: 2024-05-27
tags:
    - attack.stealth
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            - \mysqld.exe
            - \mysqld-nt.exe
        TargetFilename|endswith:
            - '.bat'
            - '.dat'
            - '.dll'
            - '.exe'
            - '.ps1'
            - '.psm1'
            - '.vbe'
            - '.vbs'
    condition: selection
falsepositives:
    - Unknown
level: high
high Moderate Medium FP
Uncommon FileSystem Load Attempt By Format.com
Detects the execution of format.com with an uncommon filesystem selection that could indicate a defense evasion activity in which "format.com" is used to load malicious DLL files or other programs.
status test author Florian Roth (Nextron Systems) ATT&CK tactic-only id 9fb6b26e-7f9e-4517-a48b-8cac4a1b6c60
carbon_black query
(Image:\\format.com CommandLine:\/fs\:*) (-(CommandLine:\/fs\:exFAT* OR CommandLine:\/fs\:FAT* OR CommandLine:\/fs\:NTFS* OR CommandLine:\/fs\:ReFS* OR CommandLine:\/fs\:UDF*))
Sigma YAML
title: Uncommon FileSystem Load Attempt By Format.com
id: 9fb6b26e-7f9e-4517-a48b-8cac4a1b6c60
status: test
description: |
    Detects the execution of format.com with an uncommon filesystem selection that could indicate a defense evasion activity in which "format.com" is used to load malicious DLL files or other programs.
references:
    - https://twitter.com/0gtweet/status/1477925112561209344
    - https://twitter.com/wdormann/status/1478011052130459653?s=20
author: Florian Roth (Nextron Systems)
date: 2022-01-04
modified: 2024-05-13
tags:
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\format.com'
        CommandLine|contains: '/fs:'
    filter_main_known_fs:
        CommandLine|contains:
            - '/fs:exFAT'
            - '/fs:FAT'
            - '/fs:NTFS'
            - '/fs:ReFS'
            - '/fs:UDF'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
high Strong Medium FP
Uncommon Microsoft Office Trusted Location Added
Detects changes to registry keys related to "Trusted Location" of Microsoft Office where the path is set to something uncommon. Attackers might add additional trusted locations to avoid macro security restrictions.
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK technique id f742bde7-9528-42e5-bd82-84f51a8387d2
carbon_black query
(TargetObject:Security\\Trusted\ Locations\\Location* TargetObject:\\Path) (-((Image:\:\\Program\ Files\\Common\ Files\\Microsoft\ Shared\\ClickToRun\\* Image:\\OfficeClickToRun.exe) OR (Image:\:\\Program\ Files\\Microsoft\ Office\\* OR Image:\:\\Program\ Files\ \(x86\)\\Microsoft\ Office\\*))) (-(Details:%APPDATA%\\Microsoft\\Templates* OR Details:%%APPDATA%%\\Microsoft\\Templates* OR Details:%APPDATA%\\Microsoft\\Word\\Startup* OR Details:%%APPDATA%%\\Microsoft\\Word\\Startup* OR Details:\:\\Program\ Files\ \(x86\)\\Microsoft\ Office\\root\\Templates\\* OR Details:\:\\Program\ Files\\Microsoft\ Office\ \(x86\)\\Templates* OR Details:\:\\Program\ Files\\Microsoft\ Office\\root\\Templates\\* OR Details:\:\\Program\ Files\\Microsoft\ Office\\Templates\\*))
Sigma YAML
title: Uncommon Microsoft Office Trusted Location Added
id: f742bde7-9528-42e5-bd82-84f51a8387d2
related:
    - id: a0bed973-45fa-4625-adb5-6ecdf9be70ac
      type: derived
status: test
description: Detects changes to registry keys related to "Trusted Location" of Microsoft Office where the path is set to something uncommon. Attackers might add additional trusted locations to avoid macro security restrictions.
references:
    - Internal Research
    - https://admx.help/?Category=Office2016&Policy=excel16.Office.Microsoft.Policies.Windows::L_TrustedLoc01
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-21
modified: 2023-09-29
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: 'Security\Trusted Locations\Location'
        TargetObject|endswith: '\Path'
    filter_exclude_known_paths:
        Details|contains:
            - '%APPDATA%\Microsoft\Templates'
            - '%%APPDATA%%\Microsoft\Templates'
            - '%APPDATA%\Microsoft\Word\Startup'
            - '%%APPDATA%%\Microsoft\Word\Startup'
            - ':\Program Files (x86)\Microsoft Office\root\Templates\'
            - ':\Program Files\Microsoft Office (x86)\Templates'
            - ':\Program Files\Microsoft Office\root\Templates\'
            - ':\Program Files\Microsoft Office\Templates\'
    filter_main_office_click_to_run:
        Image|contains: ':\Program Files\Common Files\Microsoft Shared\ClickToRun\'
        Image|endswith: '\OfficeClickToRun.exe'
    filter_main_office_apps:
        Image|contains:
            - ':\Program Files\Microsoft Office\'
            - ':\Program Files (x86)\Microsoft Office\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_exclude_*
falsepositives:
    - Other unknown legitimate or custom paths need to be filtered to avoid false positives
level: high
high Moderate Medium FP
Uncommon Network Connection Initiated By Certutil.EXE
Detects a network connection initiated by the certutil.exe utility. Attackers can abuse the utility in order to download malware or additional payloads.
status test author frack113, Florian Roth (Nextron Systems) ATT&CK technique id 0dba975d-a193-4ed1-a067-424df57570d1
carbon_black query
Image:\\certutil.exe Initiated:true (DestinationPort:80 OR DestinationPort:135 OR DestinationPort:443 OR DestinationPort:445)
Sigma YAML
title: Uncommon Network Connection Initiated By Certutil.EXE
id: 0dba975d-a193-4ed1-a067-424df57570d1
status: test
description: |
    Detects a network connection initiated by the certutil.exe utility.
    Attackers can abuse the utility in order to download malware or additional payloads.
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
author: frack113, Florian Roth (Nextron Systems)
date: 2022-09-02
modified: 2024-05-31
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith: '\certutil.exe'
        Initiated: 'true'
        DestinationPort:
            - 80
            - 135
            - 443
            - 445
    condition: selection
falsepositives:
    - Unknown
level: high
high Strong Medium FP
Uncommon One Time Only Scheduled Task At 00:00
Detects scheduled task creation events that include suspicious actions and are run once at 00:00
status test author pH-T (Nextron Systems) ATT&CK sub-technique id 970823b7-273b-460a-8afc-3a6811998529
carbon_black query
(Image:\\schtasks.exe* OR OriginalFileName:schtasks.exe) (CommandLine:wscript* OR CommandLine:vbscript* OR CommandLine:cscript* OR CommandLine:wmic\ * OR CommandLine:wmic.exe* OR CommandLine:regsvr32.exe* OR CommandLine:powershell* OR CommandLine:\\AppData\\*) (CommandLine:once* CommandLine:00\:00*)
view Sigma YAML
title: Uncommon One Time Only Scheduled Task At 00:00
id: 970823b7-273b-460a-8afc-3a6811998529
status: test
description: Detects scheduled task creation events that include suspicious actions and are run once at 00:00
references:
    - https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte
author: pH-T (Nextron Systems)
date: 2022-07-15
modified: 2023-02-03
tags:
    - attack.execution
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1053.005
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|contains: '\schtasks.exe'
        - OriginalFileName: 'schtasks.exe'
    selection_cli:
        CommandLine|contains:
            - 'wscript'
            - 'vbscript'
            - 'cscript'
            - 'wmic '
            - 'wmic.exe'
            - 'regsvr32.exe'
            - 'powershell'
            - '\AppData\'
    selection_time:
        CommandLine|contains|all:
            - 'once'
            - '00:00'
    condition: all of selection_*
falsepositives:
    - Software installation
level: high
high Moderate Medium FP
Unfamiliar Sign-In Properties
Detects sign-in with properties that are unfamiliar to the user. The detection considers past sign-in history to look for anomalous sign-ins.
status test author Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' ATT&CK technique id 128faeef-79dd-44ca-b43c-a9e236a60f49
carbon_black query
riskEventType:unfamiliarFeatures
view Sigma YAML
title: Unfamiliar Sign-In Properties
id: 128faeef-79dd-44ca-b43c-a9e236a60f49
status: test
description: Detects sign-in with properties that are unfamiliar to the user. The detection considers past sign-in history to look for anomalous sign-ins.
references:
    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#unfamiliar-sign-in-properties
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
    - attack.stealth
    - attack.t1078
    - attack.persistence
    - attack.privilege-escalation
    - attack.initial-access
logsource:
    product: azure
    service: riskdetection
detection:
    selection:
        riskEventType: 'unfamiliarFeatures'
    condition: selection
falsepositives:
    - User changing to a new device, location, browser, etc.
level: high
high Moderate High FP
Uninstall Crowdstrike Falcon Sensor
Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon
status test author frack113 ATT&CK technique id f0f7be61-9cf5-43be-9836-99d6ef448a18
carbon_black query
CommandLine:\\WindowsSensor.exe* CommandLine:\ \/uninstall* CommandLine:\ \/quiet*
view Sigma YAML
title: Uninstall Crowdstrike Falcon Sensor
id: f0f7be61-9cf5-43be-9836-99d6ef448a18
status: test
description: Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
author: frack113
date: 2021-07-12
modified: 2023-03-09
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - '\WindowsSensor.exe'
            - ' /uninstall'
            - ' /quiet'
    condition: selection
falsepositives:
    - Administrators might leverage the same command line for debugging or other purposes. However, this action must always be investigated
level: high
high Strong High FP
Uninstall Sysinternals Sysmon
Detects the removal of Sysmon, which could be a potential attempt at defense evasion
status test author frack113 ATT&CK technique id 6a5f68d1-c4b5-46b9-94ee-5324892ea939
carbon_black query
((Image:\\Sysmon64.exe OR Image:\\Sysmon.exe) OR Description:System\ activity\ monitor) (CommandLine:\-u* OR CommandLine:\/u* OR CommandLine:–u* OR CommandLine:—u* OR CommandLine:―u*)
view Sigma YAML
title: Uninstall Sysinternals Sysmon
id: 6a5f68d1-c4b5-46b9-94ee-5324892ea939
status: test
description: Detects the removal of Sysmon, which could be a potential attempt at defense evasion
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-11---uninstall-sysmon
author: frack113
date: 2022-01-12
modified: 2024-03-13
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection_pe:
        - Image|endswith:
              - \Sysmon64.exe
              - \Sysmon.exe
        - Description: 'System activity monitor'
    selection_cli:
        CommandLine|contains|windash: '-u'
    condition: all of selection_*
falsepositives:
    - Legitimate administrators might use this command to remove Sysmon for debugging purposes
level: high
high Moderate Medium FP
Unsigned Binary Loaded From Suspicious Location
Detects Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK sub-technique id 8289bf8c-4aca-4f5a-9db3-dc3d7afe5c10
carbon_black query
(EventID:11 OR EventID:12) (ImageName:\\Users\\Public\\* OR ImageName:\\PerfLogs\\* OR ImageName:\\Desktop\\* OR ImageName:\\Downloads\\* OR ImageName:\\AppData\\Local\\Temp\\* OR ImageName:C\:\\Windows\\TEMP\\*)
view Sigma YAML
title: Unsigned Binary Loaded From Suspicious Location
id: 8289bf8c-4aca-4f5a-9db3-dc3d7afe5c10
status: test
description: Detects Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations
references:
    - https://github.com/nasbench/EVTX-ETW-Resources/blob/45fd5be71a51aa518b1b36d4e1f36af498084e27/ETWEventsList/CSV/Windows11/21H2/W11_21H2_Pro_20220719_22000.795/Providers/Microsoft-Windows-Security-Mitigations.csv
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-03
modified: 2022-09-28
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    product: windows
    service: security-mitigations
detection:
    selection:
        EventID:
            - 11
            - 12
        ImageName|contains:
            - '\Users\Public\'
            - '\PerfLogs\'
            - '\Desktop\'
            - '\Downloads\'
            - '\AppData\Local\Temp\'
            - 'C:\Windows\TEMP\'
    condition: selection
falsepositives:
    - Unknown
level: high
high Moderate Medium FP
Unsigned Mfdetours.DLL Sideloading
Detects DLL sideloading of unsigned "mfdetours.dll". Executing "mftrace.exe" can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK sub-technique id 948a0953-f287-4806-bbcb-3b2e396df89f
carbon_black query
ImageLoaded:\\mfdetours.dll (-(ImageLoaded:\:\\Program\ Files\ \(x86\)\\Windows\ Kits\\10\\bin\\* SignatureStatus:Valid))
view Sigma YAML
title: Unsigned Mfdetours.DLL Sideloading
id: 948a0953-f287-4806-bbcb-3b2e396df89f
related:
    - id: d2605a99-2218-4894-8fd3-2afb7946514d
      type: similar
status: test
description: Detects DLL sideloading of unsigned "mfdetours.dll". Executing "mftrace.exe" can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-11
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\mfdetours.dll'
    filter_main_legit_path:
        ImageLoaded|contains: ':\Program Files (x86)\Windows Kits\10\bin\'
        SignatureStatus: 'Valid'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high
high Moderate Medium FP
Unusual Child Process of dns.exe
Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
status test author Tim Rauch, Elastic (idea) ATT&CK technique id a4e3d776-f12e-42c2-8510-9e6ed1f43ec3
carbon_black query
ParentImage:\\dns.exe (-Image:\\conhost.exe)
view Sigma YAML
title: Unusual Child Process of dns.exe
id: a4e3d776-f12e-42c2-8510-9e6ed1f43ec3
status: test
description: Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
references:
    - https://www.elastic.co/guide/en/security/current/unusual-child-process-of-dns-exe.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-27
modified: 2023-02-05
tags:
    - attack.persistence
    - attack.initial-access
    - attack.t1133
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\dns.exe'
    filter:
        Image|endswith: '\conhost.exe'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
high Moderate Medium FP
Unusual File Deletion by Dns.exe
Detects an unexpected file being deleted by dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
status test author Tim Rauch (Nextron Systems), Elastic (idea) ATT&CK technique id 8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0
carbon_black query
Image:\\dns.exe (-TargetFilename:\\dns.log)
view Sigma YAML
title: Unusual File Deletion by Dns.exe
id: 8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0
related:
    - id: 9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3 # FileChange version
      type: similar
status: test
description: Detects an unexpected file being deleted by dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
references:
    - https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html
author: Tim Rauch (Nextron Systems), Elastic (idea)
date: 2022-09-27
modified: 2023-02-15
tags:
    - attack.persistence
    - attack.initial-access
    - attack.t1133
logsource:
    category: file_delete
    product: windows
detection:
    selection:
        Image|endswith: '\dns.exe'
    filter:
        TargetFilename|endswith: '\dns.log'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
high Moderate Medium FP
Unusual File Download from Direct IP Address
Detects the download of suspicious file types from URLs that use a raw IP address instead of a hostname
status test author Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems) ATT&CK sub-technique id 025bd229-fd1f-4fdb-97ab-20006e1a5368
carbon_black query
Contents:http[s]?://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3} (TargetFilename:.ps1\:Zone* OR TargetFilename:.bat\:Zone* OR TargetFilename:.exe\:Zone* OR TargetFilename:.vbe\:Zone* OR TargetFilename:.vbs\:Zone* OR TargetFilename:.dll\:Zone* OR TargetFilename:.one\:Zone* OR TargetFilename:.cmd\:Zone* OR TargetFilename:.hta\:Zone* OR TargetFilename:.xll\:Zone* OR TargetFilename:.lnk\:Zone*)
view Sigma YAML
title: Unusual File Download from Direct IP Address
id: 025bd229-fd1f-4fdb-97ab-20006e1a5368
status: test
description: Detects the download of suspicious file types from URLs that use a raw IP address instead of a hostname
references:
    - https://github.com/trustedsec/SysmonCommunityGuide/blob/adcdfee20999f422b974c8d4149bf4c361237db7/chapters/file-stream-creation-hash.md
    - https://labs.withsecure.com/publications/detecting-onenote-abuse
author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
date: 2022-09-07
modified: 2023-02-10
tags:
    - attack.stealth
    - attack.t1564.004
logsource:
    product: windows
    category: create_stream_hash
detection:
    selection:
        Contents|re: 'http[s]?://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
        TargetFilename|contains:
            - '.ps1:Zone'
            - '.bat:Zone'
            - '.exe:Zone'
            - '.vbe:Zone'
            - '.vbs:Zone'
            - '.dll:Zone'
            - '.one:Zone'
            - '.cmd:Zone'
            - '.hta:Zone'
            - '.xll:Zone'
            - '.lnk:Zone'
    condition: selection
falsepositives:
    - Unknown
level: high
high Moderate Medium FP
Unusual File Modification by dns.exe
Detects an unexpected file being modified by dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
status test author Tim Rauch (Nextron Systems), Elastic (idea) ATT&CK technique id 9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3
carbon_black query
Image:\\dns.exe (-TargetFilename:\\dns.log)
view Sigma YAML
title: Unusual File Modification by dns.exe
id: 9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3
related:
    - id: 8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0 # FileDelete version
      type: similar
status: test
description: Detects an unexpected file being modified by dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
references:
    - https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html
author: Tim Rauch (Nextron Systems), Elastic (idea)
date: 2022-09-27
tags:
    - attack.persistence
    - attack.initial-access
    - attack.t1133
logsource:
    category: file_change
    product: windows
detection:
    selection:
        Image|endswith: '\dns.exe'
    filter:
        TargetFilename|endswith: '\dns.log'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
high Moderate High FP
Ursnif Malware Download URL Pattern
Detects download of Ursnif malware done by dropper documents.
status stable author Thomas Patzke ATT&CK sub-technique id a36ce77e-30db-4ea0-8795-644d7af5dfb4
carbon_black query
("c-uri":\/* "c-uri":.php?l=*) "c-uri":.cab "sc-status":200
view Sigma YAML
title: Ursnif Malware Download URL Pattern
id: a36ce77e-30db-4ea0-8795-644d7af5dfb4
status: stable
description: Detects download of Ursnif malware done by dropper documents.
references:
    - https://notebook.community/Cyb3rWard0g/HELK/docker/helk-jupyter/notebooks/sigma/proxy_ursnif_malware
author: Thomas Patzke
date: 2019-12-19
modified: 2022-08-15
logsource:
    category: proxy
tags:
    - attack.command-and-control
    - attack.t1071.001
    - detection.emerging-threats
detection:
    selection:
        c-uri|contains|all:
            - '/'
            - '.php\?l='
        c-uri|endswith: '.cab'
        sc-status: 200
    condition: selection
falsepositives:
    - Unknown
level: high
high Moderate High FP
Ursnif Redirection Of Discovery Commands
Detects the redirection of Ursnif discovery commands as part of the initial execution of the malware.
status test author @kostastsale ATT&CK technique id 7aaa5739-12fc-41aa-b98b-23ec27d42bdf
carbon_black query
ParentImage:\\explorer.exe Image:\\cmd.exe (CommandLine:\/C\ * CommandLine:\ >>\ *\\AppData\\local\\temp\*.bin*)
view Sigma YAML
title: Ursnif Redirection Of Discovery Commands
id: 7aaa5739-12fc-41aa-b98b-23ec27d42bdf
status: test
description: |
    Detects the redirection of Ursnif discovery commands as part of the initial execution of the malware.
references:
    - Internal Research
author: '@kostastsale'
date: 2023-07-16
tags:
    - attack.execution
    - attack.t1059
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\explorer.exe'
        Image|endswith: '\cmd.exe'
        CommandLine|contains|all:
            - '/C '
            - ' >> *\AppData\local\temp\*.bin'
    condition: selection
falsepositives:
    - Unlikely
level: high
high Strong Low FP
Use of Legacy Authentication Protocols
Alerts when legacy authentication has been used on an account
status test author Yochana Henderson, '@Yochana-H' ATT&CK sub-technique id 60f6535a-760f-42a9-be3f-c9a0a025906e
carbon_black query
ActivityDetails:Sign\-ins (ClientApp:Other\ client OR ClientApp:IMAP OR ClientApp:POP3 OR ClientApp:MAPI OR ClientApp:SMTP OR ClientApp:Exchange\ ActiveSync OR ClientApp:Exchange\ Web\ Services) Username:UPN
view Sigma YAML
title: Use of Legacy Authentication Protocols
id: 60f6535a-760f-42a9-be3f-c9a0a025906e
status: test
description: Alerts when legacy authentication has been used on an account
references:
    - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-privileged-accounts
author: Yochana Henderson, '@Yochana-H'
date: 2022-06-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.credential-access
    - attack.stealth
    - attack.t1078.004
    - attack.t1110
logsource:
    product: azure
    service: signinlogs
detection:
    selection:
        ActivityDetails: Sign-ins
        ClientApp:
            - Other client
            - IMAP
            - POP3
            - MAPI
            - SMTP
            - Exchange ActiveSync
            - Exchange Web Services
        Username: 'UPN'
    condition: selection
falsepositives:
    - User has been put in an exception group so they can use legacy authentication
level: high
high Strong High FP
Use of W32tm as Timer
When configured with suitable command line arguments, w32tm can act as a delay mechanism
status test author frack113 ATT&CK technique id 6da2c9f5-7c53-401b-aacb-92c040ce1215
carbon_black query
(Image:\\w32tm.exe OR OriginalFileName:w32time.dll) (CommandLine:\/stripchart* CommandLine:\/computer\:* CommandLine:\/period\:* CommandLine:\/dataonly* CommandLine:\/samples\:*)
view Sigma YAML
title: Use of W32tm as Timer
id: 6da2c9f5-7c53-401b-aacb-92c040ce1215
status: test
description: When configured with suitable command line arguments, w32tm can act as a delay mechanism
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1124/T1124.md
    - https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains
author: frack113
date: 2022-09-25
tags:
    - attack.discovery
    - attack.t1124
logsource:
    category: process_creation
    product: windows
detection:
    selection_w32tm:
        - Image|endswith: '\w32tm.exe'
        - OriginalFileName: 'w32time.dll'
    selection_cmd:
        CommandLine|contains|all:
            - '/stripchart'
            - '/computer:'
            - '/period:'
            - '/dataonly'
            - '/samples:'
    condition: all of selection_*
falsepositives:
    - Legitimate use
level: high