Home/Detection rules/VMware Carbon Black
Tool
EDR / XDR

VMware Carbon Black

1,677 rules · Sigma detections in VMware Carbon Black syntax
The same Sigma detection corpus, machine-rendered into VMware Carbon Black query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 3,646 rules (.zip, 1.2 MB) Every VMware Carbon Black query in this view, packaged to deploy.
Severity critical high medium low all severities Export CSV Export .zip
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance12
Resource Development10
Initial Access10
Execution30
Persistence42
Privilege Escalation20
Stealth79
Defense Impairment32
Credential Access35
Discovery33
Lateral Movement16
Collection20
Command and Control24
Exfiltration10
Impact18
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.

Detection rules

27 shown of 1,677
high Strong Medium FP
Windows Defender Context Menu Removed
Detects the use of reg.exe or PowerShell to delete the Windows Defender context menu handler registry keys. This action removes the "Scan with Microsoft Defender" option from the right-click menu for files, directories, and drives. Attackers may use this technique to hinder manual, on-demand scans and reduce the visibility of the security product.
status experimental author Matt Anderson (Huntress) ATT&CK technique id b9e8c7d6-a5f4-4e3d-8b1a-9f0c8d7e6a5b
carbon_black query
((Image:\\powershell_ise.exe OR Image:\\powershell.exe OR Image:\\pwsh.exe OR Image:\\reg.exe) OR (OriginalFileName:powershell_ise.EXE OR OriginalFileName:PowerShell.EXE OR OriginalFileName:pwsh.dll OR OriginalFileName:reg.exe)) (CommandLine:del* OR CommandLine:Remove\-Item* OR CommandLine:ri\ *) CommandLine:\\shellex\\ContextMenuHandlers\\EPP*
view Sigma YAML 
title: Windows Defender Context Menu Removed
id: b9e8c7d6-a5f4-4e3d-8b1a-9f0c8d7e6a5b
related:
    - id: 72a0369a-2576-4aaf-bfc9-6bb24a574ac6
      type: similar
status: experimental
description: |
    Detects the use of reg.exe or PowerShell to delete the Windows Defender context menu handler registry keys.
    This action removes the "Scan with Microsoft Defender" option from the right-click menu for files, directories, and drives.
    Attackers may use this technique to hinder manual, on-demand scans and reduce the visibility of the security product.
references:
    - https://research.splunk.com/endpoint/395ed5fe-ad13-4366-9405-a228427bdd91/
    - https://winaero.com/how-to-delete-scan-with-windows-defender-from-context-menu-in-windows-10/
    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
    - https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/
author: 'Matt Anderson (Huntress)'
date: 2025-07-09
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell_ise.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\reg.exe'
        - OriginalFileName:
              - 'powershell_ise.EXE'
              - 'PowerShell.EXE'
              - 'pwsh.dll'
              - 'reg.exe'
    selection_action:
        CommandLine|contains:
            - 'del'
            - 'Remove-Item'
            - 'ri '
    selection_reg_path:
        CommandLine|contains: '\shellex\ContextMenuHandlers\EPP'
    condition: all of selection_*
falsepositives:
    - May be part of a system customization or "debloating" script, but this is highly unusual in a managed corporate environment.
level: high
Convert to SIEM query
high Moderate High FP
Windows Defender Definition Files Removed
Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files
status test author frack113 ATT&CK technique id 9719a8aa-401c-41af-8108-ced7ec9cd75c
carbon_black query
(Image:\\MpCmdRun.exe OR OriginalFileName:MpCmdRun.exe) (CommandLine:\ \-RemoveDefinitions* CommandLine:\ \-All*)
view Sigma YAML 
title: Windows Defender Definition Files Removed
id: 9719a8aa-401c-41af-8108-ced7ec9cd75c
status: test
description: Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
    - https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
author: frack113
date: 2021-07-07
modified: 2023-07-18
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\MpCmdRun.exe'
        - OriginalFileName: MpCmdRun.exe
    selection_cli:
        CommandLine|contains|all:
            - ' -RemoveDefinitions'
            - ' -All'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Strong Medium FP
Windows Defender Exploit Guard Tamper
Detects when someone is adding or removing applications or folders from exploit guard "ProtectedFolders" or "AllowedApplications"
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK technique id a3ab73f1-bd46-4319-8f06-4b20d0617886
carbon_black query
((EventID:5007 NewValue:\\Windows\ Defender\\Windows\ Defender\ Exploit\ Guard\\Controlled\ Folder\ Access\\AllowedApplications\\*) (NewValue:\\Users\\Public\\* OR NewValue:\\AppData\\Local\\Temp\\* OR NewValue:\\Desktop\\* OR NewValue:\\PerfLogs\\* OR NewValue:\\Windows\\Temp\\*)) OR (EventID:5007 OldValue:\\Windows\ Defender\\Windows\ Defender\ Exploit\ Guard\\Controlled\ Folder\ Access\\ProtectedFolders\\*)
view Sigma YAML 
title: Windows Defender Exploit Guard Tamper
id: a3ab73f1-bd46-4319-8f06-4b20d0617886
status: test
description: |
    Detects when someone is adding or removing applications or folders from exploit guard "ProtectedFolders" or "AllowedApplications"
references:
    - https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-05
modified: 2022-12-06
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    service: windefend
detection:
    allowed_apps_key:
        EventID: 5007 # The antimalware platform configuration changed.
        NewValue|contains: '\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\AllowedApplications\'
    allowed_apps_path:
        NewValue|contains:
            # Add more paths you don't allow in your org
            - '\Users\Public\'
            - '\AppData\Local\Temp\'
            - '\Desktop\'
            - '\PerfLogs\'
            - '\Windows\Temp\'
    protected_folders:
        EventID: 5007 # The antimalware platform configuration changed.
        # This will trigger on any folder removal. If you experience FP's then add another selection with specific paths
        OldValue|contains: '\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\ProtectedFolders\'
    condition: all of allowed_apps* or protected_folders
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate Medium FP
Windows Defender Grace Period Expired
Detects the expiration of the grace period of Windows Defender. This means protection against viruses, spyware, and other potentially unwanted software is disabled.
status stable author Ján Trenčanský, frack113 ATT&CK technique id 360a1340-398a-46b6-8d06-99b905dc69d2
carbon_black query
EventID:5101
view Sigma YAML 
title: Windows Defender Grace Period Expired
id: 360a1340-398a-46b6-8d06-99b905dc69d2
related:
    - id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
      type: obsolete
status: stable
description: |
    Detects the expiration of the grace period of Windows Defender. This means protection against viruses, spyware, and other potentially unwanted software is disabled.
references:
    - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5101
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
    - https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/
author: Ján Trenčanský, frack113
date: 2020-07-28
modified: 2023-11-22
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    service: windefend
detection:
    selection:
        EventID: 5101 # The antimalware platform is expired.
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
Windows Defender Malware And PUA Scanning Disabled
Detects disabling of the Windows Defender feature of scanning for malware and other potentially unwanted software
status stable author Ján Trenčanský, frack113 ATT&CK technique id bc275be9-0bec-4d77-8c8f-281a2df6710f
carbon_black query
EventID:5010
view Sigma YAML 
title: Windows Defender Malware And PUA Scanning Disabled
id: bc275be9-0bec-4d77-8c8f-281a2df6710f
related:
    - id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
      type: obsolete
status: stable
description: Detects disabling of the Windows Defender feature of scanning for malware and other potentially unwanted software
references:
    - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5010
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
    - https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/
author: Ján Trenčanský, frack113
date: 2020-07-28
modified: 2023-11-22
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    service: windefend
detection:
    selection:
        EventID: 5010 # Scanning for malware and other potentially unwanted software is disabled.
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Strong Medium FP
Windows Defender Real-time Protection Disabled
Detects disabling of Windows Defender Real-time Protection. As this event doesn't contain a lot of information on who initiated this action you might want to reduce it to a "medium" level if this occurs too many times in your environment
status stable author Ján Trenčanský, frack113 ATT&CK technique id b28e58e4-2a72-4fae-bdee-0fbe904db642
carbon_black query
EventID:5001
view Sigma YAML 
title: Windows Defender Real-time Protection Disabled
id: b28e58e4-2a72-4fae-bdee-0fbe904db642
related:
    - id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
      type: obsolete
status: stable
description: |
    Detects disabling of Windows Defender Real-time Protection. As this event doesn't contain a lot of information on who initiated this action you might want to reduce it to a "medium" level if this occurs too many times in your environment
references:
    - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5001
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
    - https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/
author: Ján Trenčanský, frack113
date: 2020-07-28
modified: 2023-11-22
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    service: windefend
detection:
    selection:
        EventID: 5001 # Real-time protection is disabled.
    condition: selection
falsepositives:
    - Administrator actions (should be investigated)
    - Seen being triggered occasionally during Windows 8 Defender Updates
level: high
Convert to SIEM query
high Strong Medium FP
Windows Defender Service Disabled - Registry
Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry
status test author Ján Trenčanský, frack113, AlertIQ, Nasreddine Bencherchali ATT&CK technique id e1aa95de-610a-427d-b9e7-9b46cfafbe6a
carbon_black query
TargetObject:\\Services\\WinDefend\\Start Details:DWORD\ \(0x00000004\)
view Sigma YAML 
title: Windows Defender Service Disabled - Registry
id: e1aa95de-610a-427d-b9e7-9b46cfafbe6a
status: test
description: Detects when an attacker or tool disables the  Windows Defender service (WinDefend) via the registry
references:
    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
    - https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105
author: Ján Trenčanský, frack113, AlertIQ, Nasreddine Bencherchali
date: 2022-08-01
modified: 2024-03-25
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|endswith: '\Services\WinDefend\Start'
        Details: 'DWORD (0x00000004)'
    condition: selection
falsepositives:
    - Administrator actions
level: high
Convert to SIEM query
high Moderate Medium FP
Windows Defender Threat Detected
Detects actions taken by Windows Defender malware detection engines
status stable author Ján Trenčanský ATT&CK technique id 57b649ef-ff42-4fb0-8bf6-62da243a1708
carbon_black query
EventID:1006 OR EventID:1015 OR EventID:1116 OR EventID:1117
view Sigma YAML 
title: Windows Defender Threat Detected
id: 57b649ef-ff42-4fb0-8bf6-62da243a1708
status: stable
description: Detects actions taken by Windows Defender malware detection engines
references:
    - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus
author: Ján Trenčanský
date: 2020-07-28
tags:
    - attack.execution
    - attack.t1059
logsource:
    product: windows
    service: windefend
detection:
    selection:
        EventID:
            - 1006 # The antimalware engine found malware or other potentially unwanted software.
            - 1015 # The antimalware platform detected suspicious behavior.
            - 1116 # The antimalware platform detected malware or other potentially unwanted software.
            - 1117 # he antimalware platform performed an action to protect your system from malware or other potentially unwanted software.
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate Medium FP
Windows Defender Threat Severity Default Action Modified
Detects modifications or creations of Windows Defender's default threat action settings based on severity to 'allow' or take 'no action'. This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level, allowing malicious software to run unimpeded. An attacker might use this technique to bypass defenses before executing payloads.
status experimental author Matt Anderson (Huntress) ATT&CK technique id 5a9e1b2c-8f7d-4a1e-9b3c-0f6d7e5a4b1f
carbon_black query
TargetObject:\\Microsoft\\Windows\ Defender\\Threats\\ThreatSeverityDefaultAction\\* (TargetObject:\\1 OR TargetObject:\\2 OR TargetObject:\\4 OR TargetObject:\\5) (Details:DWORD\ \(0x00000006\) OR Details:DWORD\ \(0x00000009\))
view Sigma YAML 
title: Windows Defender Threat Severity Default Action Modified
id: 5a9e1b2c-8f7d-4a1e-9b3c-0f6d7e5a4b1f
related:
    - id: 1e8a9b4d-3c2a-4f9b-8d1e-7c6a5b4f3d2e
      type: similar
status: experimental
description: |
    Detects modifications or creations of Windows Defender's default threat action settings based on severity to 'allow' or take 'no action'.
    This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level,
    allowing malicious software to run unimpeded. An attacker might use this technique to bypass defenses before executing payloads.
references:
    - https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference
    - https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-threatseveritydefaultaction
    - https://research.splunk.com/endpoint/7215831c-8252-4ae3-8d43-db588e82f952
    - https://gist.github.com/Dump-GUY/8daef859f382b895ac6fd0cf094555d2
    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
author: 'Matt Anderson (Huntress)'
date: 2025-07-11
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|contains: '\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction\'
        TargetObject|endswith:
            - '\1' # Low severity
            - '\2' # Moderate severity
            - '\4' # High severity
            - '\5' # Severe severity
        Details:
            - 'DWORD (0x00000006)' # Allow
            - 'DWORD (0x00000009)' # NoAction
    condition: selection
falsepositives:
    - Legitimate administration via scripts or tools (e.g., SCCM, Intune, GPO enforcement). Correlate with administrative activity.
    - Software installations that legitimately modify Defender settings (less common for these specific keys).
level: high
Convert to SIEM query
high Moderate Medium FP
Windows Defender Virus Scanning Feature Disabled
Detects disabling of the Windows Defender virus scanning feature
status stable author Ján Trenčanský, frack113 ATT&CK technique id 686c0b4b-9dd3-4847-9077-d6c1bbe36fcb
carbon_black query
EventID:5012
view Sigma YAML 
title: Windows Defender Virus Scanning Feature Disabled
id: 686c0b4b-9dd3-4847-9077-d6c1bbe36fcb
related:
    - id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
      type: obsolete
status: stable
description: Detects disabling of the Windows Defender virus scanning feature
references:
    - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5012
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
    - https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/
author: Ján Trenčanský, frack113
date: 2020-07-28
modified: 2023-11-22
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    service: windefend
detection:
    selection:
        EventID: 5012 # Scanning for viruses is disabled.
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Strong Medium FP
Windows EventLog Autologger Session Registry Modification Via CommandLine
Detects attempts to disable Windows EventLog autologger sessions via registry modification. The AutoLogger event tracing session records events that occur early in the operating system boot process. Applications and device drivers can use the AutoLogger session to capture traces before the user logs in. Adversaries may disable these sessions to evade detection and prevent security monitoring of early boot activities and system events.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) ATT&CK sub-technique id d7b81144-b866-48a4-9bcc-275dc69d870e
carbon_black query
((Image:\\reg.exe OR Image:\\powershell.exe OR Image:\\pwsh.exe) OR (OriginalFileName:reg.exe OR OriginalFileName:PowerShell.EXE OR OriginalFileName:pwsh.dll)) (CommandLine:add\ * OR CommandLine:Set\-ItemProperty* OR CommandLine:New\-ItemProperty* OR CommandLine:si\ *) CommandLine:\\Control\\WMI\\Autologger\\* (CommandLine:Start* OR CommandLine:Enabled*)
view Sigma YAML 
title: Windows EventLog Autologger Session Registry Modification Via CommandLine
id: d7b81144-b866-48a4-9bcc-275dc69d870e
related:
    - id: f37b4bce-49d0-4087-9f5b-58bffda77316
      type: similar
status: experimental
description: |
    Detects attempts to disable Windows EventLog autologger sessions via registry modification.
    The AutoLogger event tracing session records events that occur early in the operating system boot process.
    Applications and device drivers can use the AutoLogger session to capture traces before the user logs in.
    Adversaries may disable these sessions to evade detection and prevent security monitoring of early boot activities and system events.
references:
    - https://learn.microsoft.com/en-us/windows/win32/etw/configuring-and-starting-an-autologger-session
    - https://ptylu.github.io/content/report/report.html?report=25
    - https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-12-25
tags:
    - attack.defense-impairment
    - attack.t1685.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\reg.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'reg.exe'
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_cli_action:
        CommandLine|contains:
            - 'add '
            - 'Set-ItemProperty'
            - 'New-ItemProperty'
            - 'si ' # Set-ItemProperty alias
    selection_cli_base:
        CommandLine|contains: '\Control\WMI\Autologger\'
    selection_cli_key:
        CommandLine|contains:
            - 'Start' # Key used to disable specific autologger session like EventLog-Application, EventLog-System etc.
            - 'Enabled' # Key used to disable specific provider of autologger session
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_autologger_session_registry_modification/info.yml
simulation:
    - type: atomic-red-team
      name: Disable EventLog-Application Auto Logger Session Via Registry - Cmd
      technique: T1562.001
      atomic_guid: 653c6e17-14a2-4849-851d-f1c0cc8ea9ab
    - type: atomic-red-team
      name: Disable EventLog-Application Auto Logger Session Via Registry - PowerShell
      technique: T1562.001
      atomic_guid: da86f239-9bd3-4e85-92ed-4a94ef111a1c
    - type: atomic-red-team
      name: Disable EventLog-Application ETW Provider Via Registry - Cmd
      technique: T1562.001
      atomic_guid: 1cac9b54-810e-495c-8aac-989e0076583b
    - type: atomic-red-team
      name: Disable EventLog-Application ETW Provider Via Registry - PowerShell
      technique: T1562.001
      atomic_guid: 8f907648-1ebf-4276-b0f0-e2678ca474f0
Convert to SIEM query
high Moderate Medium FP
Windows Filtering Platform Blocked Connection From EDR Agent Binary
Detects a Windows Filtering Platform (WFP) blocked connection event involving common Endpoint Detection and Response (EDR) agents. Adversaries may use WFP filters to prevent Endpoint Detection and Response (EDR) agents from reporting security events.
status test author @gott_cyber ATT&CK technique id bacf58c6-e199-4040-a94f-95dea0f1e45a
carbon_black query
EventID:5157 (Application:\\AmSvc.exe OR Application:\\cb.exe OR Application:\\CETASvc.exe OR Application:\\CNTAoSMgr.exe OR Application:\\CrAmTray.exe OR Application:\\CrsSvc.exe OR Application:\\CSFalconContainer.exe OR Application:\\CSFalconService.exe OR Application:\\CybereasonAV.exe OR Application:\\CylanceSvc.exe OR Application:\\cyserver.exe OR Application:\\CyveraService.exe OR Application:\\CyvrFsFlt.exe OR Application:\\EIConnector.exe OR Application:\\elastic\-agent.exe OR Application:\\elastic\-endpoint.exe OR Application:\\EndpointBasecamp.exe OR Application:\\ExecutionPreventionSvc.exe OR Application:\\filebeat.exe OR Application:\\fortiedr.exe OR Application:\\hmpalert.exe OR Application:\\hurukai.exe OR Application:\\LogProcessorService.exe OR Application:\\mcsagent.exe OR Application:\\mcsclient.exe OR Application:\\MsMpEng.exe OR Application:\\MsSense.exe OR Application:\\Ntrtscan.exe OR Application:\\PccNTMon.exe OR Application:\\QualysAgent.exe OR Application:\\RepMgr.exe OR Application:\\RepUtils.exe OR Application:\\RepUx.exe OR Application:\\RepWAV.exe OR Application:\\RepWSC.exe OR Application:\\sedservice.exe OR Application:\\SenseCncProxy.exe OR Application:\\SenseIR.exe OR Application:\\SenseNdr.exe OR Application:\\SenseSampleUploader.exe OR Application:\\SentinelAgent.exe OR Application:\\SentinelAgentWorker.exe OR Application:\\SentinelBrowserNativeHost.exe OR Application:\\SentinelHelperService.exe OR Application:\\SentinelServiceHost.exe OR Application:\\SentinelStaticEngine.exe OR Application:\\SentinelStaticEngineScanner.exe OR Application:\\sfc.exe OR Application:\\sophos\ ui.exe OR Application:\\sophosfilescanner.exe OR Application:\\sophosfs.exe OR Application:\\sophoshealth.exe OR Application:\\sophosips.exe OR Application:\\sophosLivequeryservice.exe OR Application:\\sophosnetfilter.exe OR Application:\\sophosntpservice.exe OR Application:\\sophososquery.exe OR Application:\\sspservice.exe OR Application:\\TaniumClient.exe OR Application:\\TaniumCX.exe OR Application:\\TaniumDetectEngine.exe OR Application:\\TMBMSRV.exe OR Application:\\TmCCSF.exe OR Application:\\TmListen.exe OR Application:\\TmWSCSvc.exe OR Application:\\Traps.exe OR Application:\\winlogbeat.exe OR Application:\\WSCommunicator.exe OR Application:\\xagt.exe)
view Sigma YAML 
title: Windows Filtering Platform Blocked Connection From EDR Agent Binary
id: bacf58c6-e199-4040-a94f-95dea0f1e45a
status: test
description: |
    Detects a Windows Filtering Platform (WFP) blocked connection event involving common Endpoint Detection and Response (EDR) agents.
    Adversaries may use WFP filters to prevent Endpoint Detection and Response (EDR) agents from reporting security events.
references:
    - https://github.com/netero1010/EDRSilencer
    - https://github.com/amjcyber/EDRNoiseMaker
    - https://ghoulsec.medium.com/misc-series-4-forensics-on-edrsilencer-events-428b20b3f983
author: '@gott_cyber'
date: 2024-01-08
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    service: security
    definition: 'Requirements: Audit Filtering Platform Connection needs to be enabled'
detection:
    selection:
        EventID: 5157
        Application|endswith:
            - '\AmSvc.exe' # Cybereason
            - '\cb.exe' # Carbon Black EDR
            - '\CETASvc.exe' # TrendMicro Apex One
            - '\CNTAoSMgr.exe' # TrendMicro Apex One
            - '\CrAmTray.exe' # Cybereason
            - '\CrsSvc.exe' # Cybereason
            - '\CSFalconContainer.exe' # CrowdStrike Falcon
            - '\CSFalconService.exe' # CrowdStrike Falcon
            - '\CybereasonAV.exe' # Cybereason
            - '\CylanceSvc.exe' # Cylance
            - '\cyserver.exe' # Palo Alto Networks Traps/Cortex XDR
            - '\CyveraService.exe' # Palo Alto Networks Traps/Cortex XDR
            - '\CyvrFsFlt.exe' # Palo Alto Networks Traps/Cortex XDR
            - '\EIConnector.exe' # ESET Inspect
            - '\elastic-agent.exe' # Elastic EDR
            - '\elastic-endpoint.exe' # Elastic EDR
            - '\EndpointBasecamp.exe' # TrendMicro Apex One
            - '\ExecutionPreventionSvc.exe' # Cybereason
            - '\filebeat.exe' # Elastic EDR
            - '\fortiedr.exe' # FortiEDR
            - '\hmpalert.exe' # Sophos EDR
            - '\hurukai.exe' # Harfanglab EDR
            - '\LogProcessorService.exe' # SentinelOne
            - '\mcsagent.exe' # Sophos EDR
            - '\mcsclient.exe' # Sophos EDR
            - '\MsMpEng.exe' # Microsoft Defender for Endpoint and Microsoft Defender Antivirus
            - '\MsSense.exe' # Microsoft Defender for Endpoint and Microsoft Defender Antivirus
            - '\Ntrtscan.exe' # TrendMicro Apex One
            - '\PccNTMon.exe' # TrendMicro Apex One
            - '\QualysAgent.exe' # Qualys EDR
            - '\RepMgr.exe' # Carbon Black Cloud
            - '\RepUtils.exe' # Carbon Black Cloud
            - '\RepUx.exe' # Carbon Black Cloud
            - '\RepWAV.exe' # Carbon Black Cloud
            - '\RepWSC.exe' # Carbon Black Cloud
            - '\sedservice.exe' # Sophos EDR
            - '\SenseCncProxy.exe' # Microsoft Defender for Endpoint and Microsoft Defender Antivirus
            - '\SenseIR.exe' # Microsoft Defender for Endpoint and Microsoft Defender Antivirus
            - '\SenseNdr.exe' # Microsoft Defender for Endpoint and Microsoft Defender Antivirus
            - '\SenseSampleUploader.exe' # Microsoft Defender for Endpoint and Microsoft Defender Antivirus
            - '\SentinelAgent.exe' # SentinelOne
            - '\SentinelAgentWorker.exe' # SentinelOne
            - '\SentinelBrowserNativeHost.exe' # SentinelOne
            - '\SentinelHelperService.exe' # SentinelOne
            - '\SentinelServiceHost.exe' # SentinelOne
            - '\SentinelStaticEngine.exe' # SentinelOne
            - '\SentinelStaticEngineScanner.exe' # SentinelOne
            - '\sfc.exe' # Cisco Secure Endpoint (Formerly Cisco AMP)
            - '\sophos ui.exe' # Sophos EDR
            - '\sophosfilescanner.exe' # Sophos EDR
            - '\sophosfs.exe' # Sophos EDR
            - '\sophoshealth.exe' # Sophos EDR
            - '\sophosips.exe' # Sophos EDR
            - '\sophosLivequeryservice.exe' # Sophos EDR
            - '\sophosnetfilter.exe' # Sophos EDR
            - '\sophosntpservice.exe' # Sophos EDR
            - '\sophososquery.exe' # Sophos EDR
            - '\sspservice.exe' # Sophos EDR
            - '\TaniumClient.exe' # Tanium
            - '\TaniumCX.exe' # Tanium
            - '\TaniumDetectEngine.exe' # Tanium
            - '\TMBMSRV.exe' # TrendMicro Apex One
            - '\TmCCSF.exe' # TrendMicro Apex One
            - '\TmListen.exe' # TrendMicro Apex One
            - '\TmWSCSvc.exe' # TrendMicro Apex One
            - '\Traps.exe' # Palo Alto Networks Traps/Cortex XDR
            - '\winlogbeat.exe' # Elastic EDR
            - '\WSCommunicator.exe' # TrendMicro Apex One
            - '\xagt.exe' # Trellix EDR
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Strong Medium FP
Windows Hypervisor Enforced Code Integrity Disabled
Detects changes to the HypervisorEnforcedCodeIntegrity registry key and the "Enabled" value being set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker to load unsigned and untrusted code to be run in the kernel
status test author Nasreddine Bencherchali (Nextron Systems), Anish Bogati ATT&CK technique id 8b7273a4-ba5d-4d8a-b04f-11f2900d043a
carbon_black query
(TargetObject:\\Control\\DeviceGuard\\HypervisorEnforcedCodeIntegrity OR TargetObject:\\Control\\DeviceGuard\\Scenarios\\HypervisorEnforcedCodeIntegrity\\Enabled OR TargetObject:\\Microsoft\\Windows\\DeviceGuard\\HypervisorEnforcedCodeIntegrity) Details:DWORD\ \(0x00000000\)
view Sigma YAML 
title: Windows Hypervisor Enforced Code Integrity Disabled
id: 8b7273a4-ba5d-4d8a-b04f-11f2900d043a
related:
    - id: 6225c53a-a96e-4235-b28f-8d7997cd96eb
      type: similar
status: test
description: |
    Detects changes to the HypervisorEnforcedCodeIntegrity registry key and the "Enabled" value being set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker to load unsigned and untrusted code to be run in the kernel
references:
    - https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/
    - https://github.com/redcanaryco/atomic-red-team/blob/04e487c1828d76df3e834621f4f893ea756d5232/atomics/T1562.001/T1562.001.md#atomic-test-43---disable-hypervisor-enforced-code-integrity-hvci
author: Nasreddine Bencherchali (Nextron Systems), Anish Bogati
date: 2023-03-14
modified: 2024-07-05
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith:
            - '\Control\DeviceGuard\HypervisorEnforcedCodeIntegrity'
            - '\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity\Enabled'
            - '\Microsoft\Windows\DeviceGuard\HypervisorEnforcedCodeIntegrity'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Legitimate system administration tasks that require disabling HVCI for troubleshooting purposes when certain drivers or applications are incompatible with it.
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled/info.yml
simulation:
    - type: atomic-red-team
      name: Disable Hypervisor-Enforced Code Integrity (HVCI)
      technique: T1562.001
      atomic_guid: 70bd71e6-eba4-4e00-92f7-617911dbe020
Convert to SIEM query
high Moderate High FP
Windows Internet Hosted WebDav Share Mount Via Net.EXE
Detects when an internet hosted webdav share is mounted using the "net.exe" utility
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK sub-technique id 7e6237fe-3ddb-438f-9381-9bf9de5af8d0
carbon_black query
((Image:\\net.exe OR Image:\\net1.exe) OR (OriginalFileName:net.exe OR OriginalFileName:net1.exe)) (CommandLine:\ use\ * CommandLine:\ http*)
view Sigma YAML 
title: Windows Internet Hosted WebDav Share Mount Via Net.EXE
id: 7e6237fe-3ddb-438f-9381-9bf9de5af8d0
status: test
description: Detects when an internet hosted webdav share is mounted using the "net.exe" utility
references:
    - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-21
modified: 2023-07-25
tags:
    - attack.lateral-movement
    - attack.t1021.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\net.exe'
              - '\net1.exe'
        - OriginalFileName:
              - 'net.exe'
              - 'net1.exe'
    selection_cli:
        CommandLine|contains|all:
            - ' use '
            - ' http'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Strong Medium FP
Windows LAPS Credential Dump From Entra ID
Detects when an account dumps the LAPS password from Entra ID.
status test author andrewdanis ATT&CK sub-technique id a4b25073-8947-489c-a8dd-93b41c23f26d
carbon_black query
category:Device activityType:Recover\ device\ local\ administrator\ password* "additionalDetails.additionalInfo":Successfully\ recovered\ local\ credential\ by\ device\ id*
view Sigma YAML 
title: Windows LAPS Credential Dump From Entra ID
id: a4b25073-8947-489c-a8dd-93b41c23f26d
status: test
description: Detects when an account dumps the LAPS password from Entra ID.
references:
    - https://twitter.com/NathanMcNulty/status/1785051227568632263
    - https://www.cloudcoffee.ch/microsoft-365/configure-windows-laps-in-microsoft-intune/
    - https://techcommunity.microsoft.com/t5/microsoft-entra-blog/introducing-windows-local-administrator-password-solution-with/ba-p/1942487
author: andrewdanis
date: 2024-06-26
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1098.005
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        category: 'Device'
        activityType|contains: 'Recover device local administrator password'
        additionalDetails.additionalInfo|contains: 'Successfully recovered local credential by device id'
    condition: selection
falsepositives:
    - Approved activity performed by an Administrator.
level: high
Convert to SIEM query
high Moderate Medium FP
Windows Shell/Scripting Application File Write to Suspicious Folder
Detects Windows shells and scripting applications that write files to suspicious folders
status test author Florian Roth (Nextron Systems) ATT&CK technique id 1277f594-a7d1-4f28-a2d3-73af5cbeab43
carbon_black query
((Image:\\bash.exe OR Image:\\cmd.exe OR Image:\\cscript.exe OR Image:\\msbuild.exe OR Image:\\powershell.exe OR Image:\\pwsh.exe OR Image:\\sh.exe OR Image:\\wscript.exe) (TargetFilename:C\:\\PerfLogs\\* OR TargetFilename:C\:\\Users\\Public\\*)) OR ((Image:\\certutil.exe OR Image:\\forfiles.exe OR Image:\\mshta.exe OR Image:\\schtasks.exe OR Image:\\scriptrunner.exe OR Image:\\wmic.exe) (TargetFilename:C\:\\PerfLogs\\* OR TargetFilename:C\:\\Users\\Public\\* OR TargetFilename:C\:\\Windows\\Temp\\*))
view Sigma YAML 
title: Windows Shell/Scripting Application File Write to Suspicious Folder
id: 1277f594-a7d1-4f28-a2d3-73af5cbeab43
status: test
description: Detects Windows shells and scripting applications that write files to suspicious folders
references:
    - Internal Research
author: Florian Roth (Nextron Systems)
date: 2021-11-20
modified: 2023-03-29
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: file_event
    product: windows
detection:
    selection_1:
        Image|endswith:
            - '\bash.exe'
            - '\cmd.exe'
            - '\cscript.exe'
            - '\msbuild.exe'  # https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\sh.exe'
            - '\wscript.exe'
        TargetFilename|startswith:
            - 'C:\PerfLogs\'
            - 'C:\Users\Public\'
    selection_2:
        Image|endswith:
            - '\certutil.exe'
            - '\forfiles.exe'
            - '\mshta.exe'
            # - '\rundll32.exe' # Potential FP
            - '\schtasks.exe'
            - '\scriptrunner.exe'
            - '\wmic.exe'  # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
        TargetFilename|contains:
            - 'C:\PerfLogs\'
            - 'C:\Users\Public\'
            - 'C:\Windows\Temp\'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Strong Medium FP
Windows Shell/Scripting Processes Spawning Suspicious Programs
Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.
status test author Florian Roth (Nextron Systems), Tim Shelton ATT&CK sub-technique id 3a6586ad-127a-4d3b-a677-1e6eacdf8fde
carbon_black query
((ParentImage:\\mshta.exe OR ParentImage:\\powershell.exe OR ParentImage:\\pwsh.exe OR ParentImage:\\rundll32.exe OR ParentImage:\\cscript.exe OR ParentImage:\\wscript.exe OR ParentImage:\\wmiprvse.exe OR ParentImage:\\regsvr32.exe) (Image:\\schtasks.exe OR Image:\\nslookup.exe OR Image:\\certutil.exe OR Image:\\bitsadmin.exe OR Image:\\mshta.exe)) (-(CurrentDirectory:\\ccmcache\\* OR (ParentCommandLine:\\Program\ Files\\Amazon\\WorkSpacesConfig\\Scripts\\setup\-scheduledtask.ps1* OR ParentCommandLine:\\Program\ Files\\Amazon\\WorkSpacesConfig\\Scripts\\set\-selfhealing.ps1* OR ParentCommandLine:\\Program\ Files\\Amazon\\WorkSpacesConfig\\Scripts\\check\-workspacehealth.ps1* OR ParentCommandLine:\\nessus_*) OR CommandLine:\\nessus_* OR (ParentImage:\\mshta.exe Image:\\mshta.exe (ParentCommandLine:C\:\\MEM_Configmgr_* ParentCommandLine:\\splash.hta* ParentCommandLine:\{1E460BD7\-F1C3\-4B2E\-88BF\-4E770A288AF5\}*) (CommandLine:C\:\\MEM_Configmgr_* CommandLine:\\SMSSETUP\\BIN\\* CommandLine:\\autorun.hta* CommandLine:\{1E460BD7\-F1C3\-4B2E\-88BF\-4E770A288AF5\}*))))
view Sigma YAML 
title: Windows Shell/Scripting Processes Spawning Suspicious Programs
id: 3a6586ad-127a-4d3b-a677-1e6eacdf8fde
status: test
description: Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.
references:
    - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
author: Florian Roth (Nextron Systems), Tim Shelton
date: 2018-04-06
modified: 2023-05-23
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.005
    - attack.t1059.001
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            # - '\cmd.exe'  # too many false positives
            - '\rundll32.exe'
            - '\cscript.exe'
            - '\wscript.exe'
            - '\wmiprvse.exe'
            - '\regsvr32.exe'
        Image|endswith:
            - '\schtasks.exe'
            - '\nslookup.exe'
            - '\certutil.exe'
            - '\bitsadmin.exe'
            - '\mshta.exe'
    filter_ccmcache:
        CurrentDirectory|contains: '\ccmcache\'
    filter_amazon:
        ParentCommandLine|contains:
            # FP - Amazon Workspaces
            - '\Program Files\Amazon\WorkSpacesConfig\Scripts\setup-scheduledtask.ps1'
            - '\Program Files\Amazon\WorkSpacesConfig\Scripts\set-selfhealing.ps1'
            - '\Program Files\Amazon\WorkSpacesConfig\Scripts\check-workspacehealth.ps1'
            - '\nessus_' # Tenable/Nessus VA Scanner
    filter_nessus:
        CommandLine|contains: '\nessus_' # Tenable/Nessus VA Scanner
    filter_sccm_install:
        ParentImage|endswith: '\mshta.exe'
        Image|endswith: '\mshta.exe'
        ParentCommandLine|contains|all:
            - 'C:\MEM_Configmgr_'
            - '\splash.hta'
            - '{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}'
        CommandLine|contains|all:
            - 'C:\MEM_Configmgr_'
            - '\SMSSETUP\BIN\'
            - '\autorun.hta'
            - '{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}'
    condition: selection and not 1 of filter_*
falsepositives:
    - Administrative scripts
    - Microsoft SCCM
level: high
Convert to SIEM query
high Strong Medium FP
Windows Suspicious Child Process from Node.js - React2Shell
Detects suspicious child processes started by Node.js server processes on Windows, which may indicate exploitation of vulnerabilities like CVE-2025-55182 (React2Shell). Attackers can abuse the Node.js 'child_process' module to run system commands or scripts using methods such as spawn(), exec(), execFile(), fork(), or execSync(). If execSync() or exec() is used in the exploit, the command line often shows a shell (e.g., cmd.exe /d /s /c ...) running a suspicious command unless other shells are explicitly invoked. For other methods, the spawned process appears directly in the Image field unless a shell is explicitly used.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems), Nasreddine Bencherchali ATT&CK technique id 271de298-cc0e-4842-acd8-079a0a99ea65
carbon_black query
(ParentImage:\\node.exe (ParentCommandLine:\-\-experimental\-https* OR ParentCommandLine:\-\-experimental\-next\-config\-strip\-types* OR ParentCommandLine:\\node_modules\\next* OR ParentCommandLine:next\ dev* OR ParentCommandLine:next\ start* OR ParentCommandLine:next\"\ start* OR ParentCommandLine:node_modules\\.bin\\\\..\\next* OR ParentCommandLine:react\-scripts\ start* OR ParentCommandLine:start\-server.js*)) ((((Image:\\bash.exe OR Image:\\bitsadmin.exe OR Image:\\certutil.exe OR Image:\\cscript.exe OR Image:\\curl.exe OR Image:\\ipconfig.exe OR Image:\\mshta.exe OR Image:\\net.exe OR Image:\\net1.exe OR Image:\\netsh.exe OR Image:\\nslookup.exe OR Image:\\OpenConsole.exe OR Image:\\perl.exe OR Image:\\ping.exe OR Image:\\powershell.exe OR Image:\\pwsh.exe OR Image:\\py.exe OR Image:\\python.exe OR Image:\\pythonw.exe OR Image:\\pyw.exe OR Image:\\reg.exe OR Image:\\regsvr32.exe OR Image:\\rundll32.exe OR Image:\\sc.exe OR Image:\\sh.exe OR Image:\\systeminfo.exe OR Image:\\wget.exe OR Image:\\whoami.exe OR Image:\\wmic.exe OR Image:\\wscript.exe OR Image:\\wt.exe) OR Image:\\python*) OR (CommandLine:\\net* OR CommandLine:bitsadmin* OR CommandLine:certutil\ * OR CommandLine:conhost\ \-\-headless* OR CommandLine:cscript\ * OR CommandLine:curl* OR CommandLine:ipconfig* OR CommandLine:java* OR CommandLine:lua* OR CommandLine:mshta* OR CommandLine:netsh* OR CommandLine:nslookup\ * OR CommandLine:perl* OR CommandLine:ping\ * OR CommandLine:powershell* OR CommandLine:pwsh* OR CommandLine:python* OR CommandLine:reg\ * OR CommandLine:reg.exe* OR CommandLine:regsvr32* OR CommandLine:ruby* OR CommandLine:rundll32* OR CommandLine:sc.exe* OR CommandLine:systeminfo* OR CommandLine:wget* OR CommandLine:whoami* OR CommandLine:wmic* OR CommandLine:wscript*)) OR (Image:\\cmd.exe (-CommandLine:\/d\ \/s\ \/c\ *)) OR ((Image:\\cmd.exe CommandLine:\/d\ \/s\ \/c\ *) (-(CommandLine:git\ config\ \-\-local\ \-\-get\ remote.origin.url* OR (CommandLine:netstat\ \-ano\ |\ findstr\ \/C\:* CommandLine:\ |\ findstr\ LISTENING*) OR (CommandLine:\\mkcert\\* CommandLine:\ \-install\ *) OR (CommandLine:\\mkcert\\* CommandLine:\ \-CAROOT*)))))
view Sigma YAML 
title: Windows Suspicious Child Process from Node.js - React2Shell
id: 271de298-cc0e-4842-acd8-079a0a99ea65
related:
    - id: c70834fa-fb9d-4aa0-9e7d-45ceed36f3f7
      type: similar
status: experimental
description: |
    Detects suspicious child processes started by Node.js server processes on Windows, which may indicate exploitation of vulnerabilities like CVE-2025-55182 (React2Shell).
    Attackers can abuse the Node.js 'child_process' module to run system commands or scripts using methods such as spawn(), exec(), execFile(), fork(), or execSync().
    If execSync() or exec() is used in the exploit, the command line often shows a shell (e.g., cmd.exe /d /s /c ...) running a suspicious command unless other shells are explicitly invoked.
    For other methods, the spawned process appears directly in the Image field unless a shell is explicitly used.
references:
    - https://github.com/msanft/CVE-2025-55182
    - https://nodejs.org/api/child_process.html#class-childprocess
    - https://gist.github.com/swachchhanda000/a0228130f86a2dedfbcebb415b47f870
    - https://github.com/nasbench/Misc-Research/blob/2f651ede832ab34027a7ba005b63bb78f1ade378/Other/React-Next-Child-Processes-Notes.md
author: Swachchhanda Shrawan Poudel (Nextron Systems), Nasreddine Bencherchali
date: 2025-12-05
tags:
    - attack.execution
    - attack.t1059
    - attack.initial-access
    - attack.t1190
    - detection.emerging-threats
    - cve.2025-55182
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\node.exe'
        ParentCommandLine|contains:
            - '--experimental-https'
            - '--experimental-next-config-strip-types'
            - '\node_modules\next'
            - 'next dev'
            - 'next start'
            - 'next" start'
            - 'node_modules\\.bin\\\\..\\next' # We escape every backslash to avoid confusion
            - 'react-scripts start'
            - 'start-server.js'
    selection_generic_child_img:
        # Observed when child_process.spawn(), child_process.exec(), child_process.execFile(), or child_process.fork() method  is used to spawn suspicious processes
        - Image|endswith:
              - '\bash.exe'
              - '\bitsadmin.exe'
              - '\certutil.exe'
              - '\cscript.exe'
              - '\curl.exe'
              - '\ipconfig.exe'
              - '\mshta.exe'
              - '\net.exe'
              - '\net1.exe'
              - '\netsh.exe'
              - '\nslookup.exe'
              - '\OpenConsole.exe'
              - '\perl.exe'
              - '\ping.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\py.exe'
              - '\python.exe'
              - '\pythonw.exe'
              - '\pyw.exe'
              - '\reg.exe'
              - '\regsvr32.exe'
              - '\rundll32.exe'
              - '\sc.exe'
              - '\sh.exe'
              - '\systeminfo.exe'
              - '\wget.exe'
              - '\whoami.exe'
              - '\wmic.exe'
              - '\wscript.exe'
              - '\wt.exe'
        - Image|contains: '\python'
    selection_generic_child_cli_susp_pattern:
        # Observed when child_process.execSync() is used to spawn suspicious processes
        # Reference: https://nodejs.org/api/child_process.html#child_processexecsynccommand-options
        # In default, the cli will look something like `C:\WINDOWS\System32\cmd.exe /d /s /c "...susp..cli...."`
        CommandLine|contains:
            - '\net'
            - 'bitsadmin'
            - 'certutil '
            - 'conhost --headless'
            - 'cscript '
            - 'curl'
            - 'ipconfig'
            - 'java'
            - 'lua'
            - 'mshta'
            - 'netsh'
            - 'nslookup '
            - 'perl'
            - 'ping '
            - 'powershell'
            - 'pwsh'
            - 'python'
            - 'reg '
            - 'reg.exe'
            - 'regsvr32'
            - 'ruby'
            - 'rundll32'
            - 'sc.exe'
            - 'systeminfo'
            - 'wget'
            - 'whoami'
            - 'wmic'
            - 'wscript'
    selection_specific_cmd:
        Image|endswith: '\cmd.exe'
    selection_specific_cli:
        CommandLine|contains: '/d /s /c '
    filter_main_default_shell_flag:
        CommandLine|contains: '/d /s /c '
    filter_main_cli_git:
        CommandLine|contains: 'git config --local --get remote.origin.url'
    filter_main_cli_netstat:
        CommandLine|contains|all:
            - 'netstat -ano | findstr /C:'
            - ' | findstr LISTENING'
    filter_main_cli_mkcert_install:
        CommandLine|contains|all:
            - '\mkcert\'
            - ' -install '
    filter_main_cli_mkcert_caroot:
        CommandLine|contains|all:
            - '\mkcert\'
            - ' -CAROOT'
    condition:
        selection_parent and
        (
            1 of selection_generic_*
            or
            (selection_specific_cmd and not filter_main_default_shell_flag)
            or
            (all of selection_specific_* and not 1 of filter_main_cli_*)
        )
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules-emerging-threats/2025/Exploits/CVE-2025-55182/proc_creation_win_exploit_cve_2025_55182_susp_nodejs_server_child_process/info.yml
Convert to SIEM query
high Moderate Medium FP
Windows Vulnerable Driver Blocklist Disabled
Detects when the Windows Vulnerable Driver Blocklist is set to disabled. This setting is crucial for preventing the loading of known vulnerable drivers, and its modification may indicate an attempt to bypass security controls. It is often targeted by threat actors to facilitate the installation of malicious or vulnerable drivers, particularly in scenarios involving Endpoint Detection and Response (EDR) bypass techniques. This rule applies to systems that support the Vulnerable Driver Blocklist feature, including Windows 10 version 1903 and later, and Windows Server 2022 and later. Note that this change will require a reboot to take effect, and this rule only detects the registry modification action.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) ATT&CK technique id d526c60a-e236-4011-b165-831ffa52ab70
carbon_black query
TargetObject:\\Control\\CI\\Config\\VulnerableDriverBlocklistEnable Details:DWORD\ \(0x00000000\)
view Sigma YAML 
title: Windows Vulnerable Driver Blocklist Disabled
id: d526c60a-e236-4011-b165-831ffa52ab70
related:
    - id: 22154f0e-5132-4a54-aa78-cc62f6def531
      type: similar
status: experimental
description: |
    Detects when the Windows Vulnerable Driver Blocklist is set to disabled. This setting is crucial for preventing the loading of known vulnerable drivers,
    and its modification may indicate an attempt to bypass security controls. It is often targeted by threat actors to facilitate the installation of malicious or vulnerable drivers,
    particularly in scenarios involving Endpoint Detection and Response (EDR) bypass techniques.
    This rule applies to systems that support the Vulnerable Driver Blocklist feature, including Windows 10 version 1903 and later, and Windows Server 2022 and later.
    Note that this change will require a reboot to take effect, and this rule only detects the registry modification action.
references:
    - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules
    - https://www.sophos.com/en-us/blog/sharpening-the-knife-gold-blades-strategic-evolution
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-26
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Control\CI\Config\VulnerableDriverBlocklistEnable'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Unlikely and should be investigated immediately.
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_vulnerable_driver_blocklist_disable/info.yml
Convert to SIEM query
high Moderate Medium FP
Windows WebDAV User Agent
Detects WebDav DownloadCradle
status test author Florian Roth (Nextron Systems) ATT&CK sub-technique id e09aed7a-09e0-4c9a-90dd-f0d52507347e
carbon_black query
"c-useragent":Microsoft\-WebDAV\-MiniRedir\/* "cs-method":GET
view Sigma YAML 
title: Windows WebDAV User Agent
id: e09aed7a-09e0-4c9a-90dd-f0d52507347e
status: test
description: Detects WebDav DownloadCradle
references:
    - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
author: Florian Roth (Nextron Systems)
date: 2018-04-06
modified: 2021-11-27
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
        c-useragent|startswith: 'Microsoft-WebDAV-MiniRedir/'
        cs-method: 'GET'
    condition: selection
falsepositives:
    - Administrative scripts that download files from the Internet
    - Administrative scripts that retrieve certain website contents
    - Legitimate WebDAV administration
level: high
Convert to SIEM query
high Moderate Medium FP
Windows Webshell Strings
Detects common commands used in Windows webshells
status test author Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) ATT&CK sub-technique id 7ff9db12-1b94-4a79-ba68-a2402c5d6729
carbon_black query
"cs-method":GET ("=whoami" OR "=net%20user" OR "=net\+user" OR "=net%2Buser" OR "=cmd%20\/c%" OR "=cmd\+\/c\+" OR "=cmd%2B\/c%" OR "=cmd%20\/r%" OR "=cmd\+\/r\+" OR "=cmd%2B\/r%" OR "=cmd%20\/k%" OR "=cmd\+\/k\+" OR "=cmd%2B\/k%" OR "=powershell%" OR "=powershell\+" OR "=tasklist%" OR "=tasklist\+" OR "=wmic%" OR "=wmic\+" OR "=ssh%" OR "=ssh\+" OR "=python%" OR "=python\+" OR "=python3%" OR "=python3\+" OR "=ipconfig" OR "=wget%" OR "=wget\+" OR "=curl%" OR "=curl\+" OR "=certutil" OR "=copy%20%5C%5C" OR "=dsquery%" OR "=dsquery\+" OR "=nltest%" OR "=nltest\+")
view Sigma YAML 
title: Windows Webshell Strings
id: 7ff9db12-1b94-4a79-ba68-a2402c5d6729
status: test
description: Detects common commands used in Windows webshells
references:
    - https://bad-jubies.github.io/RCE-NOW-WHAT/
    - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2017-02-19
modified: 2022-11-18
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    category: webserver
detection:
    selection_method:
        cs-method: 'GET'
    selection_keywords:
        # The "%20" is URL encoded version of the space
        # The "%2B" is URL encoded version of the "+"
        - '=whoami'
        - '=net%20user'
        - '=net+user'
        - '=net%2Buser'
        - '=cmd%20/c%'
        - '=cmd+/c+'
        - '=cmd%2B/c%'
        - '=cmd%20/r%'
        - '=cmd+/r+'
        - '=cmd%2B/r%'
        - '=cmd%20/k%'
        - '=cmd+/k+'
        - '=cmd%2B/k%'
        - '=powershell%'
        - '=powershell+'
        - '=tasklist%'
        - '=tasklist+'
        - '=wmic%'
        - '=wmic+'
        - '=ssh%'
        - '=ssh+'
        - '=python%'
        - '=python+'
        - '=python3%'
        - '=python3+'
        - '=ipconfig'
        - '=wget%'
        - '=wget+'
        - '=curl%'
        - '=curl+'
        - '=certutil'
        - '=copy%20%5C%5C'
        - '=dsquery%'
        - '=dsquery+'
        - '=nltest%'
        - '=nltest+'
    condition: all of selection_*
falsepositives:
    - Web sites like wikis with articles on os commands and pages that include the os commands in the URLs
    - User searches in search boxes of the respective website
level: high
Convert to SIEM query
high Moderate Medium FP
Winlogon Notify Key Logon Persistence
Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.
status test author frack113 ATT&CK sub-technique id bbf59793-6efb-4fa1-95ca-a7d288e52c88
carbon_black query
TargetObject:\\SOFTWARE\\Microsoft\\Windows\ NT\\CurrentVersion\\Winlogon\\Notify\\logon Details:.dll
view Sigma YAML 
title: Winlogon Notify Key Logon Persistence
id: bbf59793-6efb-4fa1-95ca-a7d288e52c88
status: test
description: |
    Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.
    Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.004/T1547.004.md#atomic-test-3---winlogon-notify-key-logon-persistence---powershell
author: frack113
date: 2021-12-30
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.004
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logon'
        Details|endswith: '.dll'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
Winrs Local Command Execution
Detects the execution of Winrs.exe where it is used to execute commands locally. Commands executed this way are launched under Winrshost.exe and can represent proxy execution used for defense evasion or lateral movement.
status experimental author Liran Ravich, Nasreddine Bencherchali ATT&CK sub-technique id bcfece3d-56fe-4545-9931-3b8e92927db1
carbon_black query
((Image:\\winrs.exe OR OriginalFileName:winrs.exe) (CommandLine:\-r\:localhost* OR CommandLine:\/r\:localhost* OR CommandLine:–r\:localhost* OR CommandLine:—r\:localhost* OR CommandLine:―r\:localhost* OR CommandLine:\-r\:127.0.0.1* OR CommandLine:\/r\:127.0.0.1* OR CommandLine:–r\:127.0.0.1* OR CommandLine:—r\:127.0.0.1* OR CommandLine:―r\:127.0.0.1* OR CommandLine:\-r\:\[\:\:1\]* OR CommandLine:\/r\:\[\:\:1\]* OR CommandLine:–r\:\[\:\:1\]* OR CommandLine:—r\:\[\:\:1\]* OR CommandLine:―r\:\[\:\:1\]* OR CommandLine:\-remote\:localhost* OR CommandLine:\/remote\:localhost* OR CommandLine:–remote\:localhost* OR CommandLine:—remote\:localhost* OR CommandLine:―remote\:localhost* OR CommandLine:\-remote\:127.0.0.1* OR CommandLine:\/remote\:127.0.0.1* OR CommandLine:–remote\:127.0.0.1* OR CommandLine:—remote\:127.0.0.1* OR CommandLine:―remote\:127.0.0.1* OR CommandLine:\-remote\:\[\:\:1\]* OR CommandLine:\/remote\:\[\:\:1\]* OR CommandLine:–remote\:\[\:\:1\]* OR CommandLine:—remote\:\[\:\:1\]* OR CommandLine:―remote\:\[\:\:1\]*)) OR ((Image:\\winrs.exe OR OriginalFileName:winrs.exe) (-(CommandLine:\-r\:* OR CommandLine:\/r\:* OR CommandLine:–r\:* OR CommandLine:—r\:* OR CommandLine:―r\:* OR CommandLine:\-remote\:* OR CommandLine:\/remote\:* OR CommandLine:–remote\:* OR CommandLine:—remote\:* OR CommandLine:―remote\:*)))
view Sigma YAML 
title: Winrs Local Command Execution
id: bcfece3d-56fe-4545-9931-3b8e92927db1
status: experimental
description: |
    Detects the execution of Winrs.exe where it is used to execute commands locally.
    Commands executed this way are launched under Winrshost.exe and can represent proxy execution used for defense evasion or lateral movement.
references:
    - https://cardinalops.com/blog/living-off-winrm-abusing-complexity-in-remote-management/
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/winrs
author: Liran Ravich, Nasreddine Bencherchali
date: 2025-10-22
tags:
    - attack.lateral-movement
    - attack.stealth
    - attack.t1021.006
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        # Note: Example of command to simulate (winrm needs to be enabled): "c:\Windows\System32\winrs.exe" calc.exe
        - Image|endswith: '\winrs.exe'
        - OriginalFileName: 'winrs.exe'
    selection_local_ip:
        CommandLine|contains|windash:
            - '/r:localhost'
            - '/r:127.0.0.1'
            - '/r:[::1]'
            - '/remote:localhost'
            - '/remote:127.0.0.1'
            - '/remote:[::1]'
    filter_main_remote:
        CommandLine|contains|windash:
            - "/r:"
            - "/remote:"
    condition: all of selection_* or (selection_img and not 1 of filter_main_*)
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate Medium FP
Wmiprvse Wbemcomn DLL Hijack
Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
status test author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) ATT&CK sub-technique id 7707a579-e0d8-4886-a853-ce47e4575aaa
carbon_black query
Image:\\wmiprvse.exe ImageLoaded:\\wbem\\wbemcomn.dll
view Sigma YAML 
title: Wmiprvse Wbemcomn DLL Hijack
id: 7707a579-e0d8-4886-a853-ce47e4575aaa
status: test
description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
references:
    - https://threathunterplaybook.com/hunts/windows/201009-RemoteWMIWbemcomnDLLHijack/notebook.html
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-10-12
modified: 2022-10-09
tags:
    - attack.execution
    - attack.t1047
    - attack.lateral-movement
    - attack.t1021.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        Image|endswith: '\wmiprvse.exe'
        ImageLoaded|endswith: '\wbem\wbemcomn.dll'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
Wusa.EXE Executed By Parent Process Located In Suspicious Location
Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility by a parent process that is located in a suspicious location. Attackers could instantiate an instance of "wusa.exe" in order to bypass User Account Control (UAC). They can duplicate the access token from "wusa.exe" to gain elevated privileges.
status test author X__Junior (Nextron Systems) ATT&CK tactic-only id ef64fc9c-a45e-43cc-8fd8-7d75d73b4c99
carbon_black query
Image:\\wusa.exe ((ParentImage:\:\\Perflogs\\* OR ParentImage:\:\\Users\\Public\\* OR ParentImage:\:\\Windows\\Temp\\* OR ParentImage:\\Appdata\\Local\\Temp\\* OR ParentImage:\\Temporary\ Internet*) OR ((ParentImage:\:\\Users\\* ParentImage:\\Favorites\\*) OR (ParentImage:\:\\Users\\* ParentImage:\\Favourites\\*) OR (ParentImage:\:\\Users\\* ParentImage:\\Contacts\\*) OR (ParentImage:\:\\Users\\* ParentImage:\\Pictures\\*))) (-CommandLine:.msu*)
view Sigma YAML 
title: Wusa.EXE Executed By Parent Process Located In Suspicious Location
id: ef64fc9c-a45e-43cc-8fd8-7d75d73b4c99
status: test
description: |
    Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility by a parent process that is located in a suspicious location.
    Attackers could instantiate an instance of "wusa.exe" in order to bypass User Account Control (UAC). They can duplicate the access token from "wusa.exe" to gain elevated privileges.
references:
    - https://www.fortinet.com/blog/threat-research/konni-campaign-distributed-via-malicious-document
author: X__Junior (Nextron Systems)
date: 2023-11-26
modified: 2024-08-15
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\wusa.exe'
    selection_paths_1:
        ParentImage|contains:
            # Note: Add additional suspicious locations to increase coverage
            - ':\Perflogs\'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\Appdata\Local\Temp\'
            - '\Temporary Internet'
    selection_paths_2:
        - ParentImage|contains|all:
              - ':\Users\'
              - '\Favorites\'
        - ParentImage|contains|all:
              - ':\Users\'
              - '\Favourites\'
        - ParentImage|contains|all:
              - ':\Users\'
              - '\Contacts\'
        - ParentImage|contains|all:
              - ':\Users\'
              - '\Pictures\'
    filter_main_msu:
        # Note: We exclude MSU extension files. A better approach is to baseline installation of updates in your env to avoid false negatives.
        CommandLine|contains: '.msu'
    condition: selection_img and 1 of selection_paths_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Strong High FP
Xwizard.EXE Execution From Non-Default Location
Detects the execution of Xwizard tool from a non-default directory. When executed from a non-default directory, this utility can be abused in order to side load a custom version of "xwizards.dll".
status test author Christian Burkard (Nextron Systems) ATT&CK sub-technique id 193d5ccd-6f59-40c6-b5b0-8e32d5ddd3d1
carbon_black query
(Image:\\xwizard.exe OR OriginalFileName:xwizard.exe) (-(Image:C\:\\Windows\\System32\\* OR Image:C\:\\Windows\\SysWOW64\\* OR Image:C\:\\Windows\\WinSxS\\*))
view Sigma YAML 
title: Xwizard.EXE Execution From Non-Default Location
id: 193d5ccd-6f59-40c6-b5b0-8e32d5ddd3d1
status: test
description: |
    Detects the execution of Xwizard tool from a non-default directory.
    When executed from a non-default directory, this utility can be abused in order to side load a custom version of "xwizards.dll".
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Xwizard/
    - http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
author: Christian Burkard (Nextron Systems)
date: 2021-09-20
modified: 2024-08-15
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\xwizard.exe'
        - OriginalFileName: 'xwizard.exe'
    filter_main_legit_location:
        Image|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Windows installed on non-C drive
level: high
Convert to SIEM query
high Strong Low FP
smbexec.py Service Installation
Detects the use of smbexec.py tool by detecting a specific service installation
status test author Omer Faruk Celik ATT&CK sub-technique id 52a85084-6989-40c3-8f32-091e12e13f09
carbon_black query
(Provider_Name:Service\ Control\ Manager EventID:7045) (ServiceName:BTOBTO OR (ImagePath:.bat\ &\ del\ * OR ImagePath:__output\ 2\^>\^&1\ >*))
view Sigma YAML 
title: smbexec.py Service Installation
id: 52a85084-6989-40c3-8f32-091e12e13f09
status: test
description: Detects the use of smbexec.py tool by detecting a specific service installation
references:
    - https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/
    - https://github.com/fortra/impacket/blob/33058eb2fde6976ea62e04bc7d6b629d64d44712/examples/smbexec.py#L286-L296
    - https://github.com/fortra/impacket/blob/edef71f17bc1240f9f8c957bbda98662951ac3ec/examples/smbexec.py#L60 # Old service name
author: Omer Faruk Celik
date: 2018-03-20
modified: 2023-11-09
tags:
    - attack.lateral-movement
    - attack.execution
    - attack.t1021.002
    - attack.t1569.002
logsource:
    product: windows
    service: system
detection:
    selection_eid:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection_service_name:
        ServiceName: 'BTOBTO'
    selection_service_image:
        ImagePath|contains:
            - '.bat & del '
            - '__output 2^>^&1 >'
    condition: selection_eid and 1 of selection_service_*
falsepositives:
    - Unknown
level: high
Convert to SIEM query
Showing 1651-1677 of 1,677
Prev 34 Next
SOC and Response
Detection Engineering
Threat Hunting
Red Team and Pentest
Compliance and GRC
About
threatengine.sh