Tool
EDR / XDR
VMware Carbon Black
1,677 rules · Sigma detections in VMware Carbon Black syntax
The same Sigma detection corpus, machine-rendered into VMware Carbon Black query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 3,646 rules (.zip, 1.2 MB)
Every VMware Carbon Black query in this view, packaged to deploy.
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance12
Resource Development10
Initial Access10
Execution30
Persistence42
Privilege Escalation20
Stealth79
Defense Impairment32
Credential Access35
Discovery33
Lateral Movement16
Collection20
Command and Control24
Exfiltration10
Impact18
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
◈
Detection rules
50 shown of 1,677
high
Moderate
High FP
Disable Macro Runtime Scan Scope
Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros
view Sigma YAML
title: Disable Macro Runtime Scan Scope
id: ab871450-37dc-4a3a-997f-6662aa8ae0f1
description: Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros
status: test
date: 2022-10-25
modified: 2023-08-17
author: Nasreddine Bencherchali (Nextron Systems)
references:
- https://www.microsoft.com/en-us/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/
- https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope
- https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba
tags:
- attack.defense-impairment
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|contains|all:
- '\SOFTWARE\'
- '\Microsoft\Office\'
- '\Common\Security'
TargetObject|endswith: '\MacroRuntimeScanScope'
Details: DWORD (0x00000000)
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Disable PUA Protection on Windows Defender
Detects disabling Windows Defender PUA protection
view Sigma YAML
title: Disable PUA Protection on Windows Defender
id: 8ffc5407-52e3-478f-9596-0a7371eafe13
status: test
description: Detects disabling Windows Defender PUA protection
references:
- https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html
author: Austin Songer @austinsonger
date: 2021-08-04
modified: 2023-08-17
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\Policies\Microsoft\Windows Defender\PUAProtection'
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Disable Powershell Command History
Detects scripts or commands that disabled the Powershell command history by removing psreadline module
view Sigma YAML
title: Disable Powershell Command History
id: 602f5669-6927-4688-84db-0d4b7afb2150
status: test
description: Detects scripts or commands that disabled the Powershell command history by removing psreadline module
references:
- https://twitter.com/DissectMalware/status/1062879286749773824
author: Ali Alwashali
date: 2022-08-21
tags:
- attack.stealth
- attack.t1070.003
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- Remove-Module
- psreadline
condition: selection
falsepositives:
- Legitimate script that disables the command history
level: high
Convert to SIEM query
high
Moderate
Medium FP
Disable Security Events Logging Adding Reg Key MiniNt
Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stop writing events.
view Sigma YAML
title: Disable Security Events Logging Adding Reg Key MiniNt
id: 919f2ef0-be2d-4a7a-b635-eb2b41fde044
status: test
description: Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stop writing events.
references:
- https://twitter.com/0gtweet/status/1182516740955226112
- https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/
author: Ilyas Ochkov, oscd.community
date: 2019-10-25
modified: 2021-11-27
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1685.001
- attack.t1112
- car.2022-03-001
logsource:
category: registry_event
product: windows
detection:
selection:
# Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one
- TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt'
EventType: 'CreateKey' # we don't want deletekey
# key rename
- NewName: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Low FP
Disable System Firewall
Detects disabling of system firewalls which could be used by adversaries to bypass controls that limit usage of the network.
view Sigma YAML
title: Disable System Firewall
id: 53059bc0-1472-438b-956a-7508a94a91f0
status: test
description: Detects disabling of system firewalls which could be used by adversaries to bypass controls that limit usage of the network.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md
- https://firewalld.org/documentation/man-pages/firewall-cmd.html
author: 'Pawel Mazur'
date: 2022-01-22
tags:
- attack.defense-impairment
- attack.t1686
logsource:
product: linux
service: auditd
detection:
selection:
type: 'SERVICE_STOP'
unit:
- 'firewalld'
- 'iptables'
- 'ufw'
condition: selection
falsepositives:
- Admin activity
level: high
Convert to SIEM query
high
Strong
Medium FP
Disable Windows Defender AV Security Monitoring
Detects attackers attempting to disable Windows Defender using Powershell
view Sigma YAML
title: Disable Windows Defender AV Security Monitoring
id: a7ee1722-c3c5-aeff-3212-c777e4733217
status: test
description: Detects attackers attempting to disable Windows Defender using Powershell
references:
- https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
- https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
author: 'ok @securonix invrep-de, oscd.community, frack113'
date: 2020-10-12
modified: 2022-11-18
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_pwsh_binary:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_pwsh_cli:
CommandLine|contains:
- '-DisableBehaviorMonitoring $true'
- '-DisableRuntimeMonitoring $true'
selection_sc_binary:
- Image|endswith: '\sc.exe'
- OriginalFileName: 'sc.exe'
selection_sc_tamper_cmd_stop:
CommandLine|contains|all:
- 'stop'
- 'WinDefend'
selection_sc_tamper_cmd_delete:
CommandLine|contains|all:
- 'delete'
- 'WinDefend'
selection_sc_tamper_cmd_disabled:
CommandLine|contains|all:
- 'config'
- 'WinDefend'
- 'start=disabled'
condition: all of selection_pwsh_* or (selection_sc_binary and 1 of selection_sc_tamper_*)
falsepositives:
- 'Minimal, for some older versions of dev tools, such as pycharm, developers were known to sometimes disable Windows Defender to improve performance, but this generally is not considered a good security practice.'
level: high
Convert to SIEM query
high
Strong
Medium FP
Disable Windows Defender Functionalities Via Registry Keys
Detects when attackers or tools disable Windows Defender functionalities via the Windows registry
view Sigma YAML
title: Disable Windows Defender Functionalities Via Registry Keys
id: 0eb46774-f1ab-4a74-8238-1155855f2263
related:
- id: a64e4198-c1c8-46a5-bc9c-324c86455fd4
type: obsolete
- id: fd115e64-97c7-491f-951c-fc8da7e042fa
type: obsolete
status: test
description: Detects when attackers or tools disable Windows Defender functionalities via the Windows registry
references:
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
- https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105
- https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
- https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html
- https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html
- https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html
- https://securelist.com/key-group-ransomware-samples-and-telegram-schemes/114025/
author: AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan Poudel
date: 2022-08-01
modified: 2024-10-07
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: windows
category: registry_set
detection:
selection_main:
TargetObject|contains:
- '\SOFTWARE\Microsoft\Windows Defender\'
- '\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\'
- '\SOFTWARE\Policies\Microsoft\Windows Defender\'
selection_dword_1:
TargetObject|endswith:
- '\DisableAntiSpyware'
- '\DisableAntiVirus'
- '\DisableBehaviorMonitoring'
- '\DisableBlockAtFirstSeen'
- '\DisableEnhancedNotifications'
- '\DisableIntrusionPreventionSystem'
- '\DisableIOAVProtection'
- '\DisableOnAccessProtection'
- '\DisableRealtimeMonitoring'
- '\DisableScanOnRealtimeEnable'
- '\DisableScriptScanning'
Details: 'DWORD (0x00000001)'
selection_dword_0:
TargetObject|endswith:
- '\DisallowExploitProtectionOverride'
- '\Features\TamperProtection'
- '\MpEngine\MpEnablePus'
- '\PUAProtection'
- '\Signature Update\ForceUpdateFromMU'
- '\SpyNet\SpynetReporting'
- '\SpyNet\SubmitSamplesConsent'
- '\Windows Defender Exploit Guard\Controlled Folder Access\EnableControlledFolderAccess'
Details: 'DWORD (0x00000000)'
filter_optional_symantec:
Image|startswith: 'C:\Program Files\Symantec\Symantec Endpoint Protection\'
Image|endswith: '\sepWscSvc64.exe'
condition: selection_main and 1 of selection_dword_* and not 1 of filter_optional_*
falsepositives:
- Administrator actions via the Windows Defender interface
- Third party Antivirus
level: high
Convert to SIEM query
high
Moderate
High FP
Disable Windows IIS HTTP Logging
Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)
view Sigma YAML
title: Disable Windows IIS HTTP Logging
id: e4ed6030-ffe5-4e6a-8a8a-ab3c1ab9d94e
status: test
description: Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.002/T1562.002.md#atomic-test-1---disable-windows-iis-http-logging
author: frack113
date: 2022-01-09
modified: 2023-01-22
tags:
- attack.defense-impairment
- attack.t1685.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\appcmd.exe'
- OriginalFileName: 'appcmd.exe'
selection_cli:
CommandLine|contains|all:
- 'set'
- 'config'
- 'section:httplogging'
- 'dontLog:true'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Disable of ETW Trace - Powershell
Detects usage of powershell cmdlets to disable or remove ETW trace sessions
view Sigma YAML
title: Disable of ETW Trace - Powershell
id: 115fdba9-f017-42e6-84cf-d5573bf2ddf8
related:
- id: a238b5d0-ce2d-4414-a676-7a531b3d13d6
type: derived
status: test
description: Detects usage of powershell cmdlets to disable or remove ETW trace sessions
references:
- https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-28
modified: 2022-11-25
tags:
- attack.stealth
- attack.defense-impairment
- attack.t1070
- attack.t1685
- car.2016-04-002
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_pwsh_remove: # Autologger provider removal
ScriptBlockText|contains: 'Remove-EtwTraceProvider '
selection_pwsh_set: # Provider “Enable” property modification
ScriptBlockText|contains|all:
- 'Set-EtwTraceProvider '
- '0x11'
condition: 1 of selection*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Disable-WindowsOptionalFeature Command PowerShell
Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool.
Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
view Sigma YAML
title: Disable-WindowsOptionalFeature Command PowerShell
id: 99c4658d-2c5e-4d87-828d-7c066ca537c3
status: test
description: |
Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool.
Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
references:
- https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md
- https://learn.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps
author: frack113
date: 2022-09-10
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_cmd:
ScriptBlockText|contains|all:
- 'Disable-WindowsOptionalFeature'
- '-Online'
- '-FeatureName'
selection_feature:
# Add any important windows features
ScriptBlockText|contains:
- 'Windows-Defender-Gui'
- 'Windows-Defender-Features'
- 'Windows-Defender'
- 'Windows-Defender-ApplicationGuard'
# - 'Containers-DisposableClientVM' # Windows Sandbox
condition: all of selection*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Disabled IE Security Features
Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features
view Sigma YAML
title: Disabled IE Security Features
id: fb50eb7a-5ab1-43ae-bcc9-091818cb8424
status: test
description: Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features
references:
- https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/
author: Florian Roth (Nextron Systems)
date: 2020-06-19
modified: 2021-11-27
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection1:
CommandLine|contains|all:
- ' -name IEHarden '
- ' -value 0 '
selection2:
CommandLine|contains|all:
- ' -name DEPOff '
- ' -value 1 '
selection3:
CommandLine|contains|all:
- ' -name DisableFirstRunCustomize '
- ' -value 2 '
condition: 1 of selection*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Disabled Volume Snapshots
Detects commands that temporarily turn off Volume Snapshots
view Sigma YAML
title: Disabled Volume Snapshots
id: dee4af55-1f22-4e1d-a9d2-4bdc7ecb472a
status: test
description: Detects commands that temporarily turn off Volume Snapshots
references:
- https://twitter.com/0gtweet/status/1354766164166115331
author: Florian Roth (Nextron Systems)
date: 2021-01-28
modified: 2023-12-15
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- '\Services\VSS\Diag'
- '/d Disabled'
condition: selection
falsepositives:
- Legitimate administration
level: high
Convert to SIEM query
high
Strong
Medium FP
Disabled Windows Defender Eventlog
Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections
view Sigma YAML
title: Disabled Windows Defender Eventlog
id: fcddca7c-b9c0-4ddf-98da-e1e2d18b0157
status: test
description: Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections
references:
- https://twitter.com/WhichbufferArda/status/1543900539280293889/photo/2
author: Florian Roth (Nextron Systems)
date: 2022-07-04
modified: 2023-08-17
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational\Enabled'
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Other Antivirus software installations could cause Windows to disable that eventlog (unknown)
level: high
Convert to SIEM query
high
Moderate
Medium FP
Disabling Multi Factor Authentication
Detects disabling of Multi Factor Authentication.
view Sigma YAML
title: Disabling Multi Factor Authentication
id: 60de9b57-dc4d-48b9-a6a0-b39e0469f876
status: test
description: Detects disabling of Multi Factor Authentication.
references:
- https://research.splunk.com/cloud/c783dd98-c703-4252-9e8a-f19d9f5c949e/
author: Splunk Threat Research Team (original rule), Harjot Singh @cyb3rjy0t (sigma rule)
date: 2023-09-18
tags:
- attack.persistence
- attack.credential-access
- attack.defense-impairment
- attack.t1556.006
logsource:
service: audit
product: m365
detection:
selection:
Operation|contains: 'Disable Strong Authentication.'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
Medium FP
Disabling Windows Defender WMI Autologger Session via Reg.exe
Detects the use of reg.exe to disable the Event Tracing for Windows (ETW) Autologger session for Windows Defender API and Audit events.
By setting the 'Start' value to '0' for the 'DefenderApiLogger' or 'DefenderAuditLogger' session, an attacker can prevent these critical security events
from being logged, effectively blinding monitoring tools that rely on this data. This is a powerful defense evasion technique.
view Sigma YAML
title: Disabling Windows Defender WMI Autologger Session via Reg.exe
id: a1b2c3d4-e5f6-a7b8-c9d0-e1f2a3b4c5d6
related:
- id: f37b4bce-49d0-4087-9f5b-58bffda77316
type: similar
status: experimental
description: |
Detects the use of reg.exe to disable the Event Tracing for Windows (ETW) Autologger session for Windows Defender API and Audit events.
By setting the 'Start' value to '0' for the 'DefenderApiLogger' or 'DefenderAuditLogger' session, an attacker can prevent these critical security events
from being logged, effectively blinding monitoring tools that rely on this data. This is a powerful defense evasion technique.
references:
- https://research.splunk.com/endpoint/76406a0f-f5e0-4167-8e1f-337fdc0f1b0c/
- https://docs.microsoft.com/en-us/windows/win32/etw/configuring-and-starting-an-autologger-session
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
- https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/
- https://www.binarly.io/blog/design-issues-of-modern-edrs-bypassing-etw-based-solutions
author: Matt Anderson (Huntress)
date: 2025-07-09
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\reg.exe'
- OriginalFileName: 'reg.exe'
selection_reg_path:
CommandLine|contains:
- '\Control\WMI\Autologger\DefenderApiLogger\Start'
- '\Control\WMI\Autologger\DefenderAuditLogger\Start'
selection_reg_add:
CommandLine|contains|all:
- 'add'
- '0'
filter_main_enable:
CommandLine|contains: '0x00000001'
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Highly unlikely
level: high
Convert to SIEM query
high
Moderate
Medium FP
Discovery Using AzureHound
Detects AzureHound (A BloodHound data collector for Microsoft Azure) activity via the default User-Agent that is used during its operation after successful authentication.
view Sigma YAML
title: Discovery Using AzureHound
id: 35b781cc-1a08-4a5a-80af-42fd7c315c6b
status: test
description: Detects AzureHound (A BloodHound data collector for Microsoft Azure) activity via the default User-Agent that is used during its operation after successful authentication.
references:
- https://github.com/BloodHoundAD/AzureHound
author: Janantha Marasinghe
date: 2022-11-27
tags:
- attack.discovery
- attack.t1087.004
- attack.t1526
logsource:
product: azure
service: signinlogs
detection:
selection:
userAgent|contains: 'azurehound'
ResultType: 0
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
DotNet CLR DLL Loaded By Scripting Applications
Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution.
view Sigma YAML
title: DotNet CLR DLL Loaded By Scripting Applications
id: 4508a70e-97ef-4300-b62b-ff27992990ea
status: test
description: Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution.
references:
- https://github.com/tyranid/DotNetToJScript
- https://thewover.github.io/Introducing-Donut/
- https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html
- https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008
author: omkar72, oscd.community
date: 2020-10-14
modified: 2023-02-23
tags:
- attack.execution
- attack.privilege-escalation
- attack.stealth
- attack.t1055
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith:
- '\cmstp.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\msxsl.exe'
- '\regsvr32.exe'
# - '\svchost.exe'
- '\wmic.exe'
- '\wscript.exe'
ImageLoaded|endswith:
- '\clr.dll'
- '\mscoree.dll'
- '\mscorlib.dll'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Driver Added To Disallowed Images In HVCI - Registry
Detects changes to the "HVCIDisallowedImages" registry value to potentially add a driver to the list, in order to prevent it from loading.
view Sigma YAML
title: Driver Added To Disallowed Images In HVCI - Registry
id: 555155a2-03bf-4fe7-af74-d176b3fdbe16
related:
- id: 44cee399-f6b1-45cc-a87c-ea14c6064d6b
type: similar
status: test
description: |
Detects changes to the "HVCIDisallowedImages" registry value to potentially add a driver to the list, in order to prevent it from loading.
references:
- https://github.com/yardenshafir/conference_talks/blob/3de1f5d7c02656c35117f067fbff0a219c304b09/OffensiveCon_2023_Your_Mitigations_are_My_Opportunities.pdf
- https://x.com/yarden_shafir/status/1822667605175324787
author: Nasreddine Bencherchali (Nextron Systems), Omar Khaled (@beacon_exe)
date: 2023-12-05
modified: 2024-08-21
tags:
- attack.stealth
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains|all:
- '\Control\CI\'
- '\HVCIDisallowedImages'
condition: selection
falsepositives:
- Legitimate usage of this key would also trigger this. Investigate the driver being added and make sure its intended
level: high
Convert to SIEM query
high
Moderate
Medium FP
Driver Load From A Temporary Directory
Detects a driver load from a temporary directory
view Sigma YAML
title: Driver Load From A Temporary Directory
id: 2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75
status: test
description: Detects a driver load from a temporary directory
references:
- Internal Research
author: Florian Roth (Nextron Systems)
date: 2017-02-12
modified: 2021-11-27
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1543.003
logsource:
category: driver_load
product: windows
detection:
selection:
ImageLoaded|contains: '\Temp\'
condition: selection
falsepositives:
- There is a relevant set of false positives depending on applications in the environment
level: high
Convert to SIEM query
high
Strong
Medium FP
Dumping of Sensitive Hives Via Reg.EXE
Detects the usage of "reg.exe" in order to dump sensitive registry hives. This includes SAM, SYSTEM and SECURITY hives.
view Sigma YAML
title: Dumping of Sensitive Hives Via Reg.EXE
id: fd877b94-9bb5-4191-bb25-d79cbd93c167
related:
- id: 038cd51c-3ad8-41c5-ba8f-5d1c92f3cc1e
type: obsolete
- id: 4d6c9da1-318b-4edf-bcea-b6c93fa98fd0
type: obsolete
status: test
description: Detects the usage of "reg.exe" in order to dump sensitive registry hives. This includes SAM, SYSTEM and SECURITY hives.
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
- https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md
- https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets
author: Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community, frack113
date: 2019-10-22
modified: 2023-12-13
tags:
- attack.credential-access
- attack.t1003.002
- attack.t1003.004
- attack.t1003.005
- car.2013-07-001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\reg.exe'
- OriginalFileName: 'reg.exe'
selection_cli_flag:
CommandLine|contains:
- ' save '
- ' export '
- ' ˢave '
- ' eˣport '
selection_cli_hklm:
CommandLine|contains:
- 'hklm'
- 'hk˪m'
- 'hkey_local_machine'
- 'hkey_˪ocal_machine'
- 'hkey_loca˪_machine'
- 'hkey_˪oca˪_machine'
selection_cli_hive:
CommandLine|contains:
- '\system'
- '\sam'
- '\security'
- '\ˢystem'
- '\syˢtem'
- '\ˢyˢtem'
- '\ˢam'
- '\ˢecurity'
condition: all of selection_*
falsepositives:
- Dumping hives for legitimate purpouse i.e. backup or forensic investigation
level: high
Convert to SIEM query
high
Strong
High FP
ESXi Admin Permission Assigned To Account Via ESXCLI
Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account.
view Sigma YAML
title: ESXi Admin Permission Assigned To Account Via ESXCLI
id: 9691f58d-92c1-4416-8bf3-2edd753ec9cf
status: test
description: Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account.
references:
- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-04
tags:
- attack.persistence
- attack.execution
- attack.privilege-escalation
- attack.t1059.012
- attack.t1098
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/esxcli'
CommandLine|contains: 'system'
CommandLine|contains|all:
- ' permission '
- ' set'
- 'Admin'
condition: selection
falsepositives:
- Legitimate administration activities
level: high
Convert to SIEM query
high
Strong
Medium FP
ETW Logging Disabled In .NET Processes - Registry
Potential adversaries stopping ETW providers recording loaded .NET assemblies.
view Sigma YAML
title: ETW Logging Disabled In .NET Processes - Registry
id: a4c90ea1-2634-4ca0-adbb-35eae169b6fc
related:
- id: bf4fc428-dcc3-4bbd-99fe-2422aeee2544
type: similar
status: test
description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
references:
- https://twitter.com/_xpn_/status/1268712093928378368
- https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
- https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
- https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
- https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
- https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
- https://bunnyinside.com/?term=f71e8cb9c76a
- http://managed670.rssing.com/chan-5590147/all_p1.html
- https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
- https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-06-05
modified: 2022-12-20
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
- attack.t1685
logsource:
product: windows
service: security
detection:
selection_etw_enabled:
EventID: 4657
ObjectName|endswith: '\SOFTWARE\Microsoft\.NETFramework'
ObjectValueName: 'ETWEnabled'
NewValue: 0
selection_complus:
EventID: 4657
ObjectName|contains: '\Environment'
ObjectValueName:
- 'COMPlus_ETWEnabled'
- 'COMPlus_ETWFlags'
NewValue: 0
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
ETW Logging Disabled In .NET Processes - Sysmon Registry
Potential adversaries stopping ETW providers recording loaded .NET assemblies.
view Sigma YAML
title: ETW Logging Disabled In .NET Processes - Sysmon Registry
id: bf4fc428-dcc3-4bbd-99fe-2422aeee2544
related:
- id: a4c90ea1-2634-4ca0-adbb-35eae169b6fc
type: similar
status: test
description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
references:
- https://twitter.com/_xpn_/status/1268712093928378368
- https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
- https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
- https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
- https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
- https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
- https://bunnyinside.com/?term=f71e8cb9c76a
- http://managed670.rssing.com/chan-5590147/all_p1.html
- https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
- https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/
- https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-06-05
modified: 2023-08-17
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
- attack.t1685
logsource:
product: windows
category: registry_set
detection:
selection_etw_enabled:
TargetObject|endswith: 'SOFTWARE\Microsoft\.NETFramework\ETWEnabled'
Details: 'DWORD (0x00000000)'
selection_complus:
TargetObject|endswith:
- '\COMPlus_ETWEnabled'
- '\COMPlus_ETWFlags'
Details:
- 0 # For REG_SZ type
- 'DWORD (0x00000000)'
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
ETW Logging Tamper In .NET Processes Via CommandLine
Detects changes to environment variables related to ETW logging via the CommandLine.
This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.
view Sigma YAML
title: ETW Logging Tamper In .NET Processes Via CommandLine
id: 41421f44-58f9-455d-838a-c398859841d4
status: test
description: |
Detects changes to environment variables related to ETW logging via the CommandLine.
This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.
references:
- https://twitter.com/_xpn_/status/1268712093928378368
- https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
- https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
- https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
- https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
- https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
- https://bunnyinside.com/?term=f71e8cb9c76a
- http://managed670.rssing.com/chan-5590147/all_p1.html
- https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
- https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2022-12-09
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- 'COMPlus_ETWEnabled'
- 'COMPlus_ETWFlags'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Strong
Medium FP
ETW Trace Evasion Activity
Detects command line activity that tries to clear or disable any ETW trace log which could be a sign of logging evasion.
view Sigma YAML
title: ETW Trace Evasion Activity
id: a238b5d0-ce2d-4414-a676-7a531b3d13d6
status: test
description: |
Detects command line activity that tries to clear or disable any ETW trace log which could be a sign of logging evasion.
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
- https://abuse.io/lockergoga.txt
- https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
author: '@neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community'
date: 2019-03-22
modified: 2022-06-28
tags:
- attack.stealth
- attack.defense-impairment
- attack.t1070
- attack.t1685
- car.2016-04-002
logsource:
category: process_creation
product: windows
detection:
selection_clear_1:
CommandLine|contains|all:
- 'cl'
- '/Trace'
selection_clear_2:
CommandLine|contains|all:
- 'clear-log'
- '/Trace'
selection_disable_1:
CommandLine|contains|all:
- 'sl'
- '/e:false'
selection_disable_2:
CommandLine|contains|all:
- 'set-log'
- '/e:false'
selection_disable_3: # ETW provider removal from a trace session
CommandLine|contains|all:
- 'logman'
- 'update'
- 'trace'
- '--p'
- '-ets'
selection_pwsh_remove: # Autologger provider removal
CommandLine|contains: 'Remove-EtwTraceProvider'
selection_pwsh_set: # Provider “Enable” property modification
CommandLine|contains|all:
- 'Set-EtwTraceProvider'
- '0x11'
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Email Exifiltration Via Powershell
Detects email exfiltration via powershell cmdlets
view Sigma YAML
title: Email Exifiltration Via Powershell
id: 312d0384-401c-4b8b-abdf-685ffba9a332
status: test
description: Detects email exfiltration via powershell cmdlets
references:
- https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
- https://github.com/Azure/Azure-Sentinel/blob/7e6aa438e254d468feec061618a7877aa528ee9f/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Email%20data%20exfiltration%20via%20PowerShell.yaml
author: Nasreddine Bencherchali (Nextron Systems), Azure-Sentinel (idea)
date: 2022-09-09
tags:
- attack.exfiltration
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
CommandLine|contains|all:
- 'Add-PSSnapin'
- 'Get-Recipient'
- '-ExpandProperty'
- 'EmailAddresses'
- 'SmtpAddress'
- '-hidetableheaders'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Emotet Loader Execution Via .LNK File
Detects the Emotet Epoch4 loader as reported by @malware_traffic back in 2022.
The ".lnk" file was delivered via phishing campaign.
view Sigma YAML
title: Emotet Loader Execution Via .LNK File
id: 1f32d820-1d5c-43fe-8fe2-feef0c952eb7
status: test
description: |
Detects the Emotet Epoch4 loader as reported by @malware_traffic back in 2022.
The ".lnk" file was delivered via phishing campaign.
references:
- https://web.archive.org/web/20220422215221/https://twitter.com/malware_traffic/status/1517622327000846338
- https://twitter.com/Cryptolaemus1/status/1517634855940632576
- https://tria.ge/220422-1pw1pscfdl/
- https://tria.ge/220422-1nnmyagdf2/
author: '@kostastsale'
date: 2022-04-22
modified: 2024-08-15
tags:
- attack.execution
- attack.t1059.006
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith:
- '\cmd.exe'
- '\explorer.exe'
- '\powershell.exe'
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains|all:
- 'findstr'
- '.vbs'
- '.lnk'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
Medium FP
Enable LM Hash Storage
Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes.
By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
view Sigma YAML
title: Enable LM Hash Storage
id: c420410f-c2d8-4010-856b-dffe21866437
related:
- id: 98dedfdd-8333-49d4-9f23-d7018cccae53 # process_creation
type: similar
status: test
description: |
Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes.
By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
references:
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
- https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password
- https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-12-15
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|endswith: 'System\CurrentControlSet\Control\Lsa\NoLMHash'
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Enable LM Hash Storage - ProcCreation
Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes.
By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
view Sigma YAML
title: Enable LM Hash Storage - ProcCreation
id: 98dedfdd-8333-49d4-9f23-d7018cccae53
related:
- id: c420410f-c2d8-4010-856b-dffe21866437 # Registry
type: similar
status: test
description: |
Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes.
By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
references:
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
- https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password
- https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-12-15
modified: 2023-12-22
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
product: windows
category: process_creation
detection:
selection:
CommandLine|contains|all:
- '\System\CurrentControlSet\Control\Lsa'
- 'NoLMHash'
- ' 0'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Enabled User Right in AD to Control User Objects
Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.
view Sigma YAML
title: Enabled User Right in AD to Control User Objects
id: 311b6ce2-7890-4383-a8c2-663a9f6b43cd
status: test
description: Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.
references:
- https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
author: '@neu5ron'
date: 2017-07-30
modified: 2021-12-02
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1098
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Policy Change > Audit Authorization Policy Change, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy Change'
detection:
selection_base:
EventID: 4704
selection_keywords:
PrivilegeList|contains: 'SeEnableDelegationPrivilege'
condition: all of selection*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Equation Group C2 Communication
Detects communication to C2 servers mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools
view Sigma YAML
title: Equation Group C2 Communication
id: 881834a4-6659-4773-821e-1c151789d873
status: test
description: Detects communication to C2 servers mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools
references:
- https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation
- https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195
author: Florian Roth (Nextron Systems)
date: 2017-04-15
modified: 2021-11-27
tags:
- attack.exfiltration
- attack.command-and-control
- attack.g0020
- attack.t1041
- detection.emerging-threats
logsource:
category: firewall
detection:
selection:
- dst_ip:
- '69.42.98.86'
- '89.185.234.145'
- src_ip:
- '69.42.98.86'
- '89.185.234.145'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Equation Group Indicators
Detects suspicious shell commands used in various Equation Group scripts and tools
view Sigma YAML
title: Equation Group Indicators
id: 41e5c73d-9983-4b69-bd03-e13b67e9623c
status: test
description: Detects suspicious shell commands used in various Equation Group scripts and tools
references:
- https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1
author: Florian Roth (Nextron Systems)
date: 2017-04-09
modified: 2021-11-27
tags:
- attack.execution
- attack.g0020
- attack.t1059.004
logsource:
product: linux
detection:
keywords:
# evolvingstrategy, elgingamble, estesfox
- 'chown root*chmod 4777 '
- 'cp /bin/sh .;chown'
# tmpwatch
- 'chmod 4777 /tmp/.scsi/dev/bin/gsh'
- 'chown root:root /tmp/.scsi/dev/bin/'
# estesfox
- 'chown root:root x;'
# ratload
- '/bin/telnet locip locport < /dev/console | /bin/sh'
- '/tmp/ratload'
# ewok
- 'ewok -t '
# xspy
- 'xspy -display '
# elatedmonkey
- 'cat > /dev/tcp/127.0.0.1/80 <<END'
# ftshell
- 'rm -f /current/tmp/ftshell.latest'
# ghost
- 'ghost_* -v '
# morerats client
- ' --wipe > /dev/null'
# noclient
- 'ping -c 2 *; grep * /proc/net/arp >/tmp/gx'
- 'iptables * OUTPUT -p tcp -d 127.0.0.1 --tcp-flags RST RST -j DROP;'
# auditcleaner
- '> /var/log/audit/audit.log; rm -f .'
- 'cp /var/log/audit/audit.log .tmp'
# reverse shell
- 'sh >/dev/tcp/* <&1 2>&1'
# packrat
- 'ncat -vv -l -p * <'
- 'nc -vv -l -p * <'
# empty bowl
- '< /dev/console | uudecode && uncompress'
- 'sendmail -osendmail;chmod +x sendmail'
# echowrecker
- '/usr/bin/wget -O /tmp/a http* && chmod 755 /tmp/cron'
# dubmoat
- 'chmod 666 /var/run/utmp~'
# poptop
- 'chmod 700 nscd crond'
# abopscript
- 'cp /etc/shadow /tmp/.'
# ys
- '</dev/console |uudecode > /dev/null 2>&1 && uncompress'
# jacktelnet
- 'chmod 700 jp&&netstat -an|grep'
# others
- 'uudecode > /dev/null 2>&1 && uncompress -f * && chmod 755'
- 'chmod 700 crond'
- 'wget http*; chmod +x /tmp/sendmail'
- 'chmod 700 fp sendmail pt'
- 'chmod 755 /usr/vmsys/bin/pipe'
- 'chmod -R 755 /usr/vmsys'
- 'chmod 755 $opbin/*tunnel'
- 'chmod 700 sendmail'
- 'chmod 0700 sendmail'
- '/usr/bin/wget http*sendmail;chmod +x sendmail;'
- '&& telnet * 2>&1 </dev/console'
condition: keywords
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Esentutl Volume Shadow Copy Service Keys
Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\\System\\CurrentControlSet\\Services\\VSS\\Diag\\VolSnap\\Volume are captured.
view Sigma YAML
title: Esentutl Volume Shadow Copy Service Keys
id: 5aad0995-46ab-41bd-a9ff-724f41114971
status: test
description: Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\\System\\CurrentControlSet\\Services\\VSS\\Diag\\VolSnap\\Volume are captured.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-10-20
modified: 2022-12-25
tags:
- attack.credential-access
- attack.t1003.002
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|contains: 'System\CurrentControlSet\Services\VSS'
Image|endswith: 'esentutl.exe' # limit esentutl as in references, too many FP to filter
filter:
TargetObject|contains: 'System\CurrentControlSet\Services\VSS\Start'
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Exchange Exploitation Used by HAFNIUM
Detects exploitation attempts in Exchange server logs as described in blog posts reporting on HAFNIUM group activity
view Sigma YAML
title: Exchange Exploitation Used by HAFNIUM
id: 67bce556-312f-4c81-9162-c3c9ff2599b2
status: test
description: Detects exploitation attempts in Exchange server logs as described in blog posts reporting on HAFNIUM group activity
references:
- https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
author: Florian Roth (Nextron Systems)
date: 2021-03-03
modified: 2023-01-02
tags:
- attack.initial-access
- attack.t1190
- attack.g0125
- detection.emerging-threats
logsource:
category: webserver
detection:
selection_1:
cs-method: 'POST'
cs-uri-query|contains: '/owa/auth/Current/themes/resources/'
selection_2:
cs-method: 'POST'
cs-uri-query|contains: '/owa/auth/Current/'
cs-user-agent:
- 'DuckDuckBot/1.0;+(+http://duckduckgo.com/duckduckbot.html)'
- 'facebookexternalhit/1.1+(+http://www.facebook.com/externalhit_uatext.php)'
- 'Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)'
- 'Mozilla/5.0+(compatible;+Bingbot/2.0;++http://www.bing.com/bingbot.htm)'
- 'Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html'
- 'Mozilla/5.0+(compatible;+Konqueror/3.5;+Linux)+KHTML/3.5.5+(like+Gecko)+(Exabot-Thumbnails)'
- 'Mozilla/5.0+(compatible;+Yahoo!+Slurp;+http://help.yahoo.com/help/us/ysearch/slurp)'
- 'Mozilla/5.0+(compatible;+YandexBot/3.0;++http://yandex.com/bots)'
- 'Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/51.0.2704.103+Safari/537.36'
selection_3:
cs-uri-query|contains: '/ecp/'
cs-method: 'POST'
cs-user-agent:
- 'ExchangeServicesClient/0.0.0.0'
- 'python-requests/2.19.1'
- 'python-requests/2.25.1'
selection_4:
cs-uri-query|contains:
- '/aspnet_client/'
- '/owa/'
cs-method: 'POST'
cs-user-agent:
- 'antSword/v2.1'
- 'Googlebot/2.1+(+http://www.googlebot.com/bot.html)'
- 'Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)'
selection_5:
cs-uri-query|contains:
- '/owa/auth/Current/'
- '/ecp/default.flt'
- '/ecp/main.css'
cs-method: 'POST'
selection_6:
cs-method: 'POST'
cs-uri-query|contains|all:
- '/ecp/'
- '.js'
condition: 1 of selection_*
falsepositives:
- Legitimate access to other web applications that use the same folder names as Exchange (e.g. owa, ecp) but are not Microsoft Exchange related
level: high
Convert to SIEM query
high
Strong
Medium FP
Exchange PowerShell Cmdlet History Deleted
Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence
view Sigma YAML
title: Exchange PowerShell Cmdlet History Deleted
id: a55349d8-9588-4c5a-8e3b-1925fe2a4ffe
status: test
description: Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence
references:
- https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-26
modified: 2022-12-30
tags:
- attack.stealth
- attack.t1070
logsource:
category: file_delete
product: windows
detection:
selection:
TargetFilename|startswith: '\Logging\CmdletInfra\LocalPowerShell\Cmdlet\'
TargetFilename|contains: '_Cmdlet_'
condition: selection
falsepositives:
- Possible FP during log rotation
level: high
Convert to SIEM query
high
Strong
Medium FP
Exchange PowerShell Snap-Ins Usage
Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27
view Sigma YAML
title: Exchange PowerShell Snap-Ins Usage
id: 25676e10-2121-446e-80a4-71ff8506af47
status: test
description: Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27
references:
- https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
- https://www.intrinsec.com/apt27-analysis/
author: FPT.EagleEye, Nasreddine Bencherchali (Nextron Systems)
date: 2021-03-03
modified: 2023-03-24
tags:
- attack.execution
- attack.t1059.001
- attack.collection
- attack.t1114
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_cli:
CommandLine|contains: 'Add-PSSnapin'
selection_module:
CommandLine|contains:
- 'Microsoft.Exchange.Powershell.Snapin'
- 'Microsoft.Exchange.Management.PowerShell.SnapIn'
filter_msiexec:
# ParentCommandLine: C:\Windows\System32\MsiExec.exe -Embedding C9138ECE2536CB4821EB5F55D300D88E E Global\MSI0000
ParentImage: 'C:\Windows\System32\msiexec.exe'
CommandLine|contains: '$exserver=Get-ExchangeServer ([Environment]::MachineName) -ErrorVariable exerr 2> $null'
condition: all of selection_* and not 1 of filter_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Exchange ProxyShell Pattern
Detects URL patterns that could be found in ProxyShell exploitation attempts against Exchange servers (failed and successful)
view Sigma YAML
title: Exchange ProxyShell Pattern
id: 23eee45e-933b-49f9-ae1b-df706d2d52ef
status: test
description: Detects URL patterns that could be found in ProxyShell exploitation attempts against Exchange servers (failed and successful)
references:
- https://youtu.be/5mqid-7zp8k?t=2231
- https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
- https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
author: Florian Roth (Nextron Systems), Rich Warren
date: 2021-08-07
modified: 2023-01-02
tags:
- attack.initial-access
- attack.t1190
- detection.emerging-threats
logsource:
category: webserver
detection:
selection_1:
sc-status: 401
selection_1_auto:
cs-uri-query|contains: '/autodiscover.json'
selection_1_uri:
cs-uri-query|contains:
- '/powershell'
- '/mapi/nspi'
- '/EWS'
- 'X-Rps-CAT'
selection_poc:
sc-status: 401
cs-uri-query|contains:
# since we don't know how it will appear in the log files, we'll just use all versions
- 'autodiscover.json?@'
- 'autodiscover.json%3f@'
- '%[email protected]'
- 'Email=autodiscover/autodiscover.json'
- '[email protected]'
condition: all of selection_1* or selection_poc
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Exchange Set OabVirtualDirectory ExternalUrl Property
Rule to detect an adversary setting OabVirtualDirectory External URL property to a script in Exchange Management log
view Sigma YAML
title: Exchange Set OabVirtualDirectory ExternalUrl Property
id: 9db37458-4df2-46a5-95ab-307e7f29e675
status: test
description: Rule to detect an adversary setting OabVirtualDirectory External URL property to a script in Exchange Management log
references:
- https://twitter.com/OTR_Community/status/1371053369071132675
author: Jose Rodriguez @Cyb3rPandaH
date: 2021-03-15
modified: 2023-01-23
tags:
- attack.persistence
- attack.t1505.003
logsource:
product: windows
service: msexchange-management
detection:
keywords:
'|all':
- 'Set-OabVirtualDirectory'
- 'ExternalUrl'
- 'Page_Load'
- 'script'
condition: keywords
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Execute Pcwrun.EXE To Leverage Follina
Detects indirect command execution via Program Compatibility Assistant "pcwrun.exe" leveraging the follina (CVE-2022-30190) vulnerability
view Sigma YAML
title: Execute Pcwrun.EXE To Leverage Follina
id: 6004abd0-afa4-4557-ba90-49d172e0a299
status: test
description: Detects indirect command execution via Program Compatibility Assistant "pcwrun.exe" leveraging the follina (CVE-2022-30190) vulnerability
references:
- https://twitter.com/nas_bench/status/1535663791362519040
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-13
tags:
- attack.stealth
- attack.t1218
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\pcwrun.exe'
CommandLine|contains: '../'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
Medium FP
Execution DLL of Choice Using WAB.EXE
This rule detects that the path to the DLL written in the registry is different from the default one. Launched WAB.exe tries to load the DLL from Registry.
view Sigma YAML
title: Execution DLL of Choice Using WAB.EXE
id: fc014922-5def-4da9-a0fc-28c973f41bfb
status: test
description: This rule detects that the path to the DLL written in the registry is different from the default one. Launched WAB.exe tries to load the DLL from Registry.
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OSBinaries/Wab.yml
- https://twitter.com/Hexacorn/status/991447379864932352
- http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/
author: oscd.community, Natalia Shornikova
date: 2020-10-13
modified: 2023-08-17
tags:
- attack.stealth
- attack.t1218
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\Software\Microsoft\WAB\DLLPath'
filter:
Details: '%CommonProgramFiles%\System\wab32.dll'
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Execution of Powershell Script in Public Folder
This rule detects execution of PowerShell scripts located in the "C:\Users\Public" folder
view Sigma YAML
title: Execution of Powershell Script in Public Folder
id: fb9d3ff7-7348-46ab-af8c-b55f5fbf39b4
status: test
description: This rule detects execution of PowerShell scripts located in the "C:\Users\Public" folder
references:
- https://www.mandiant.com/resources/evolution-of-fin7
author: Max Altgelt (Nextron Systems)
date: 2022-04-06
modified: 2022-07-14
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
CommandLine|contains:
- '-f C:\Users\Public'
- '-f "C:\Users\Public'
- '-f %Public%'
- '-fi C:\Users\Public'
- '-fi "C:\Users\Public'
- '-fi %Public%'
- '-fil C:\Users\Public'
- '-fil "C:\Users\Public'
- '-fil %Public%'
- '-file C:\Users\Public'
- '-file "C:\Users\Public'
- '-file %Public%'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Strong
Medium FP
Execution via WorkFolders.exe
Detects using WorkFolders.exe to execute an arbitrary control.exe
view Sigma YAML
title: Execution via WorkFolders.exe
id: 0bbc6369-43e3-453d-9944-cae58821c173
status: test
description: Detects using WorkFolders.exe to execute an arbitrary control.exe
references:
- https://twitter.com/elliotkillick/status/1449812843772227588
author: Maxime Thiebaut (@0xThiebaut)
date: 2021-10-21
modified: 2022-12-25
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\control.exe'
ParentImage|endswith: '\WorkFolders.exe'
filter:
Image: 'C:\Windows\System32\control.exe'
condition: selection and not filter
falsepositives:
- Legitimate usage of the uncommon Windows Work Folders feature.
level: high
Convert to SIEM query
high
Strong
Medium FP
Execution via stordiag.exe
Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe
view Sigma YAML
title: Execution via stordiag.exe
id: 961e0abb-1b1e-4c84-a453-aafe56ad0d34
status: test
description: Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe
references:
- https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html
- https://twitter.com/eral4m/status/1451112385041911809
author: Austin Songer (@austinsonger)
date: 2021-10-21
modified: 2022-12-25
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\stordiag.exe'
Image|endswith:
- '\schtasks.exe'
- '\systeminfo.exe'
- '\fltmc.exe'
filter:
ParentImage|startswith: # as first is "Copy c:\windows\system32\stordiag.exe to a folder"
- 'c:\windows\system32\'
- 'c:\windows\syswow64\'
condition: selection and not filter
falsepositives:
- Legitimate usage of stordiag.exe.
level: high
Convert to SIEM query
high
Moderate
High FP
Exploit Framework User Agent
Detects suspicious user agent strings used by exploit / pentest frameworks like Metasploit in proxy logs
view Sigma YAML
title: Exploit Framework User Agent
id: fdd1bfb5-f60b-4a35-910e-f36ed3d0b32f
status: test
description: Detects suspicious user agent strings used by exploit / pentest frameworks like Metasploit in proxy logs
references:
- https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/
author: Florian Roth (Nextron Systems)
date: 2017-07-08
modified: 2025-01-18
tags:
- attack.command-and-control
- attack.t1071.001
logsource:
category: proxy
detection:
selection:
c-useragent:
# Cobalt Strike https://www.cobaltstrike.com/help-malleable-c2
- 'Internet Explorer *'
- 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)' # https://bluescreenofjeff.com/2016-06-28-cobalt-strike-http-c2-redirectors-with-apache-mod_rewrite/
# Metasploit Framework - Analysis by Didier Stevens https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/
- 'Mozilla/4.0 (compatible; Metasploit RSPEC)'
- 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)'
- 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)' # old browser, rare, base-lining needed
- 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)' # old browser, rare, base-lining needed
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)' # old browser, rare, base-lining needed
- 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SIMBAR={7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}; SLCC1; .N'
- 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)' # only use in proxy logs - not for detection in web server logs
- 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/4.0.221.6 Safari/525.13'
- 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MAAU)' # Payloads
# Metasploit Update by Florian Roth 08.07.2017
- 'Mozilla/5.0'
- 'Mozilla/4.0 (compatible; SPIPE/1.0'
# - 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)' # too many false positives expected
# - 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko' # too many false positives expected
- 'Mozilla/5.0 (Windows NT 6.3; rv:39.0) Gecko/20100101 Firefox/35.0'
- 'Sametime Community Agent' # Unknown if prone to false positives - https://github.com/rapid7/metasploit-framework/blob/97095ab3113de2f046e64a64c461a1f888554401/modules/exploits/windows/http/steamcast_useragent.rb
- 'X-FORWARDED-FOR'
- 'DotDotPwn v2.1'
- 'SIPDROID'
- 'Mozilla/5.0 (Windows NT 10.0; Win32; x32; rv:60.0)' # CobaltStrike https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/
# Empire
- 'Mozilla/6.0 (X11; Linux x86_64; rv:24.0) Gecko/20140205 Firefox/27.0 Iceweasel/25.3.0'
# Exploits
- '*wordpress hash grabber*'
- '*exploit*'
# Havoc
- 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36' # https://github.com/HavocFramework/Havoc/issues/519
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Exploitation Activity of CVE-2025-59287 - WSUS Deserialization
Detects cast exceptions in Windows Server Update Services (WSUS) application logs that highly indicate exploitation attempts of CVE-2025-59287, a deserialization vulnerability in WSUS.
view Sigma YAML
title: Exploitation Activity of CVE-2025-59287 - WSUS Deserialization
id: e5f66e87-7d6b-404f-92fe-7aa67814b5cd
status: experimental
description: |
Detects cast exceptions in Windows Server Update Services (WSUS) application logs that highly indicate exploitation attempts of CVE-2025-59287, a deserialization vulnerability in WSUS.
references:
- https://unit42.paloaltonetworks.com/cve-2025-59287/
- https://hawktrace.com/blog/CVE-2025-59287-UNAUTH
- https://github.com/0xBruno/WSUSploit.NET/tree/e239bce9d6b5f46a346e1e4c4d5e0a2a20d5c639
- https://www.huntress.com/blog/exploitation-of-windows-server-update-services-remote-code-execution-vulnerability
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-31
tags:
- attack.execution
- attack.initial-access
- attack.t1190
- attack.t1203
- cve.2025-59287
- detection.emerging-threats
logsource:
product: windows
service: application
detection:
selection:
Provider_Name: 'Windows Server Update Services'
EventID: 7053
Data|contains|all:
# Indicators of untrusted deserialization exploitation attempts
# https://github.com/pwntester/ysoserial.net/issues/114
- 'System.InvalidCastException'
- 'System.Windows.Data.ObjectDataProvider'
- 'Unable to cast object of type'
- 'System.Windows.Media.Brush'
condition: selection
falsepositives:
- Legitimate WSUS operations that may trigger similar error messages
level: high
Convert to SIEM query
high
Strong
Medium FP
Exploitation Activity of CVE-2025-59287 - WSUS Suspicious Child Process
Detects the creation of command-line interpreters (cmd.exe, powershell.exe) as child processes of Windows Server Update Services (WSUS) related process wsusservice.exe.
This behavior is a key indicator of exploitation for the critical remote code execution vulnerability such as CVE-2025-59287, where attackers spawn shells to conduct reconnaissance and further post-exploitation activities.
view Sigma YAML
title: Exploitation Activity of CVE-2025-59287 - WSUS Suspicious Child Process
id: 43259cc4-1b80-4931-bd98-baea01afc196
status: experimental
description: |
Detects the creation of command-line interpreters (cmd.exe, powershell.exe) as child processes of Windows Server Update Services (WSUS) related process wsusservice.exe.
This behavior is a key indicator of exploitation for the critical remote code execution vulnerability such as CVE-2025-59287, where attackers spawn shells to conduct reconnaissance and further post-exploitation activities.
references:
- https://unit42.paloaltonetworks.com/microsoft-cve-2025-59287/
- https://www.huntress.com/blog/exploitation-of-windows-server-update-services-remote-code-execution-vulnerability
- https://hawktrace.com/blog/CVE-2025-59287-UNAUTH
author: Huntress Labs, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-31
tags:
- attack.execution
- attack.initial-access
- attack.t1190
- attack.t1203
- cve.2025-59287
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_parent_wsusservice:
ParentImage|endswith: '\wsusservice.exe'
selection_parent_w3wp_wsuspool:
ParentImage|endswith: '\w3wp.exe'
ParentCommandLine|contains: 'WsusPool'
selection_child:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\powershell_ise.exe'
condition: 1 of selection_parent_* and selection_child
falsepositives:
- If this activity is expected, consider filtering based on specific command lines, user context (e.g., `nt authority\network service`), or parent process command lines to reduce noise.
level: high
Convert to SIEM query
high
Strong
Medium FP
Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC
Detects the execution of the commonly used ZeroLogon PoC executable.
view Sigma YAML
title: Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC
id: dcc6a01e-9471-44a0-a699-71ea96f8ed8b
status: test
description: Detects the execution of the commonly used ZeroLogon PoC executable.
references:
- https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/
- https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
author: '@Kostastsale, TheDFIRReport'
date: 2022-02-12
tags:
- attack.execution
- attack.lateral-movement
- attack.t1210
- cve.2020-1472
- detection.emerging-threats
logsource:
product: windows
category: process_creation
detection:
selection_main:
ParentImage|endswith: '\cmd.exe'
Image|endswith:
- '\cool.exe'
- '\zero.exe'
CommandLine|contains|all:
- 'Administrator'
- '-c'
selection_payloads_1:
CommandLine|contains|all:
- 'taskkill'
- '/f'
- '/im'
selection_payloads_2:
CommandLine|contains: 'powershell'
condition: selection_main and 1 of selection_payloads_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Exploitation Attempt Of CVE-2023-46214 Using Public POC Code
Detects exploitation attempt of CVE-2023-46214, a remote code execution (RCE) in Splunk Enterprise through insecure XML parsing using known public proof of concept code
view Sigma YAML
title: Exploitation Attempt Of CVE-2023-46214 Using Public POC Code
id: ba5268de-4dd4-4d5c-8a90-2b5e6dc1aff8
related:
- id: 04017cd5-621e-4ec4-a762-1f042fe3d3e5
type: derived
status: test
description: |
Detects exploitation attempt of CVE-2023-46214, a remote code execution (RCE) in Splunk Enterprise through insecure XML parsing using known public proof of concept code
references:
- https://github.com/nathan31337/Splunk-RCE-poc/
- https://blog.hrncirik.net/cve-2023-46214-analysis
- https://advisory.splunk.com/advisories/SVD-2023-1104
author: Lars B. P. Frydenskov(Trifork Security)
date: 2023-11-27
tags:
- attack.lateral-movement
- attack.t1210
- cve.2023-46214
- detection.emerging-threats
logsource:
category: webserver
detection:
selection_method_and_response:
cs-method: POST
sc-status:
- 200
- 302
selection_uri_upload:
cs-uri-stem|contains: '/splunkd/__upload/indexing/preview'
cs-uri-query|contains|all:
- 'NO_BINARY_CHECK=1'
- 'input.path=shell.xsl'
selection_uri_search:
cs-uri-stem|contains|all:
- '/api/search/jobs'
- '/results'
cs-uri-query|contains|all:
- '/opt/splunk/var/run/splunk/dispatch/'
- '/shell.xsl'
condition: selection_method_and_response and 1 of selection_uri_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
Medium FP
Exploitation Indicator Of CVE-2022-42475
Detects exploitation indicators of CVE-2022-42475 a heap-based buffer overflow in sslvpnd.
view Sigma YAML
title: Exploitation Indicator Of CVE-2022-42475
id: 293ccb8c-bed8-4868-8296-bef30e303b7e
status: test
description: Detects exploitation indicators of CVE-2022-42475 a heap-based buffer overflow in sslvpnd.
references:
- https://www.fortiguard.com/psirt/FG-IR-22-398
- https://www.bleepingcomputer.com/news/security/fortinet-says-ssl-vpn-pre-auth-rce-bug-is-exploited-in-attacks/
- https://www.deepwatch.com/labs/customer-advisory-fortios-ssl-vpn-vulnerability-cve-2022-42475-exploited-in-the-wild/
- https://community.fortinet.com/t5/FortiGate/Technical-Tip-Critical-vulnerability-Protect-against-heap-based/ta-p/239420
author: Nasreddine Bencherchali (Nextron Systems), Nilaa Maharjan, Douglasrose75
date: 2024-02-08
tags:
- attack.initial-access
- cve.2022-42475
- detection.emerging-threats
logsource:
product: fortios
service: sslvpnd
definition: 'Requirements: file creation events or equivalent must be collected from the FortiOS SSL-VPN appliance in order for this detection to function correctly'
detection:
keywords:
- '/data/etc/wxd.conf'
- '/data/lib/libgif.so'
- '/data/lib/libips.bak'
- '/data/lib/libiptcp.so'
- '/data/lib/libipudp.so'
- '/data/lib/libjepg.so'
- '/var/.sslvpnconfigbk'
condition: keywords
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Exploitation Indicators Of CVE-2023-20198
Detecting exploitation indicators of CVE-2023-20198 a privilege escalation vulnerability in Cisco IOS XE Software Web UI.
view Sigma YAML
title: Exploitation Indicators Of CVE-2023-20198
id: 2ece8816-b7a0-4d9b-b0e8-ae7ad18bc02b
status: test
description: Detecting exploitation indicators of CVE-2023-20198 a privilege escalation vulnerability in Cisco IOS XE Software Web UI.
references:
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
- https://www.thestack.technology/security-experts-call-for-incident-response-exercises-after-mass-cisco-device-exploitation/
author: Lars B. P. Frydenskov (Trifork Security)
date: 2023-10-20
tags:
- attack.privilege-escalation
- attack.initial-access
- detection.emerging-threats
logsource:
product: cisco
service: syslog
definition: 'Requirements: Cisco IOS XE system logs needs to be configured and ingested'
detection:
keyword_event:
- '%WEBUI-6-INSTALL_OPERATION_INFO:'
- '%SYS-5-CONFIG_P:'
- '%SEC_LOGIN-5-WEBLOGIN_SUCCESS:'
keyword_user:
- 'cisco_tac_admin'
- 'cisco_support'
- 'cisco_sys_manager'
condition: keyword_event and keyword_user
falsepositives:
- Rare false positives might occur if there are valid users named "cisco_tac_admin" or "cisco_support", which are not created by default or CISCO representatives
level: high
Convert to SIEM query
Showing 251-300 of 1,677