Tool
EDR / XDR

VMware Carbon Black

328 rules · Sigma detections in VMware Carbon Black syntax
The same Sigma detection corpus, machine-rendered into VMware Carbon Black query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 3,646 rules (.zip, 1.2 MB) Every VMware Carbon Black query in this view, packaged to deploy.
Filter by technique (pick techniques from the ATT&CK matrix). Rule counts per tactic in this view:
- Reconnaissance: 12
- Resource Development: 10
- Initial Access: 10
- Execution: 30
- Persistence: 42
- Privilege Escalation: 20
- Stealth: 79
- Defense Impairment: 32
- Credential Access: 35
- Discovery: 33
- Lateral Movement: 16
- Collection: 20
- Command and Control: 24
- Exfiltration: 10
- Impact: 18
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.

Detection rules

50 shown of 328
Microsoft Excel Add-In Loaded
Level: low · Quality: Moderate · Alert volume: High FP
Detects Microsoft Excel loading an Add-In (.xll) file
Status: test · Author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: sub-technique · Sigma id: c5f4b5cb-4c25-4249-ba91-aa03626e3185
Carbon Black query:
Image:\\excel.exe ImageLoaded:.xll
view Sigma YAML
title: Microsoft Excel Add-In Loaded
id: c5f4b5cb-4c25-4249-ba91-aa03626e3185
status: test
description: Detects Microsoft Excel loading an Add-In (.xll) file
references:
    - https://www.mandiant.com/resources/blog/lnk-between-browsers
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-12
tags:
    - attack.execution
    - attack.t1204.002
    - detection.threat-hunting
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\excel.exe'
        ImageLoaded|endswith: '.xll'
    condition: selection
falsepositives:
    - The rule is only looking for ".xll" loads, so some false positives are expected with legitimate and allowed XLLs.
level: low
Microsoft Word Add-In Loaded
Level: low · Quality: Moderate · Alert volume: High FP
Detects Microsoft Word loading an Add-In (.wll) file which can be used by threat actors for initial access or persistence.
Status: test · Author: Steffen Rogge (dr0pd34d) · ATT&CK mapping: sub-technique · Sigma id: 1337afba-d17d-4d23-bd55-29b927603b30
Carbon Black query:
Image:\\winword.exe ImageLoaded:.wll
view Sigma YAML
title: Microsoft Word Add-In Loaded
id: 1337afba-d17d-4d23-bd55-29b927603b30
status: test
description: |
    Detects Microsoft Word loading an Add-In (.wll) file which can be used by threat actors for initial access or persistence.
references:
    - https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence
    - https://nored0x.github.io/red-teaming/office-persistence/#what-is-a-wll-file
author: Steffen Rogge (dr0pd34d)
date: 2024-07-10
tags:
    - attack.execution
    - attack.t1204.002
    - detection.threat-hunting
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\winword.exe'
        ImageLoaded|endswith: '.wll'
    condition: selection
falsepositives:
    - The rule is only looking for ".wll" loads, so some false positives are expected with legitimate and allowed WLLs.
level: low
Msiexec.EXE Initiated Network Connection Over HTTP
Level: low · Quality: Moderate · Alert volume: High FP
Detects a network connection initiated by an "Msiexec.exe" process over port 80 or 443. Adversaries might abuse "msiexec.exe" to install and execute remotely hosted packages. Use this rule to hunt for potentially anomalous or suspicious communications.
Status: test · Author: frack113 · ATT&CK mapping: sub-technique · Sigma id: 8e5e38e4-5350-4c0b-895a-e872ce0dd54f
Carbon Black query:
Initiated:true Image:\\msiexec.exe (DestinationPort:80 OR DestinationPort:443)
view Sigma YAML
title: Msiexec.EXE Initiated Network Connection Over HTTP
id: 8e5e38e4-5350-4c0b-895a-e872ce0dd54f
status: test
description: |
    Detects a network connection initiated by an "Msiexec.exe" process over port 80 or 443.
    Adversaries might abuse "msiexec.exe" to install and execute remotely hosted packages.
    Use this rule to hunt for potentially anomalous or suspicious communications.
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md
author: frack113
date: 2022-01-16
modified: 2024-07-16
tags:
    - attack.stealth
    - attack.t1218.007
    - detection.threat-hunting
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        Image|endswith: '\msiexec.exe'
        DestinationPort:
            - 80
            - 443
    condition: selection
falsepositives:
    - Likely
level: low
Mstsc.EXE Execution With Local RDP File
Level: low · Quality: Strong · Alert volume: High FP
Detects potential RDP connection via Mstsc using a local ".rdp" file
Status: test · Author: Nasreddine Bencherchali (Nextron Systems), Christopher Peacock @securepeacock · ATT&CK mapping: sub-technique · Sigma id: 5fdce3ac-e7f9-4ecd-a3aa-a4d78ebbf0af
Carbon Black query:
((Image:\\mstsc.exe OR OriginalFileName:mstsc.exe) (CommandLine:.rdp OR CommandLine:.rdp\")) (-(ParentImage:C\:\\Windows\\System32\\lxss\\wslhost.exe CommandLine:C\:\\ProgramData\\Microsoft\\WSL\\wslg.rdp*))
view Sigma YAML
title: Mstsc.EXE Execution With Local RDP File
id: 5fdce3ac-e7f9-4ecd-a3aa-a4d78ebbf0af
status: test
description: Detects potential RDP connection via Mstsc using a local ".rdp" file
references:
    - https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/
    - https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/
author: Nasreddine Bencherchali (Nextron Systems), Christopher Peacock @securepeacock
date: 2023-04-18
modified: 2023-04-30
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\mstsc.exe'
        - OriginalFileName: 'mstsc.exe'
    selection_cli:
        CommandLine|endswith:
            - '.rdp'
            - '.rdp"'
    filter_optional_wsl:
        ParentImage: 'C:\Windows\System32\lxss\wslhost.exe'
        CommandLine|contains: 'C:\ProgramData\Microsoft\WSL\wslg.rdp'
    condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
    - Likely with legitimate usage of ".rdp" files
level: low
NTDS.DIT Created
Level: low · Quality: Moderate · Alert volume: High FP
Detects creation of a file named "ntds.dit" (Active Directory Database)
Status: test · Author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: sub-technique · Sigma id: 0b8baa3f-575c-46ee-8715-d6f28cc7d33c
Carbon Black query:
TargetFilename:ntds.dit
view Sigma YAML
title: NTDS.DIT Created
id: 0b8baa3f-575c-46ee-8715-d6f28cc7d33c
status: test
description: Detects creation of a file named "ntds.dit" (Active Directory Database)
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-05
tags:
    - attack.credential-access
    - attack.t1003.003
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith: 'ntds.dit'
    condition: selection
falsepositives:
    - Unknown
level: low
NTLM Logon
Level: low · Quality: Moderate · Alert volume: Medium FP
Detects logons using NTLM, which could be caused by a legacy source or attackers
Status: test · Author: Florian Roth (Nextron Systems) · ATT&CK mapping: sub-technique · Sigma id: 98c3bcf1-56f2-49dc-9d8d-c66cf190238b
Carbon Black query:
EventID:8002
view Sigma YAML
title: NTLM Logon
id: 98c3bcf1-56f2-49dc-9d8d-c66cf190238b
status: test
description: Detects logons using NTLM, which could be caused by a legacy source or attackers
references:
    - https://twitter.com/JohnLaTwC/status/1004895028995477505
author: Florian Roth (Nextron Systems)
date: 2018-06-08
modified: 2024-07-22
tags:
    - attack.lateral-movement
    - attack.t1550.002
logsource:
    product: windows
    service: ntlm
    definition: Requires events from Microsoft-Windows-NTLM/Operational
detection:
    selection:
        EventID: 8002
    condition: selection
falsepositives:
    - Legacy hosts
level: low
Named Pipe Created Via Mkfifo
Level: low · Quality: Moderate · Alert volume: High FP
Detects the creation of a new named pipe using the "mkfifo" utility
Status: test · Author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: tactic-only · Sigma id: 9d779ce8-5256-4b13-8b6f-b91c602b43f4
Carbon Black query:
Image:\/mkfifo
view Sigma YAML
title: Named Pipe Created Via Mkfifo
id: 9d779ce8-5256-4b13-8b6f-b91c602b43f4
status: test
description: Detects the creation of a new named pipe using the "mkfifo" utility
references:
    - https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk
    - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-16
tags:
    - attack.execution
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/mkfifo'
    condition: selection
falsepositives:
    - Unknown
level: low
Net.EXE Execution
Level: low · Quality: Strong · Alert volume: High FP
Detects execution of "Net.EXE".
Status: test · Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements) · ATT&CK mapping: sub-technique · Sigma id: 183e7ea8-ac4b-4c23-9aec-b3dac4e401ac
Carbon Black query:
((Image:\\net.exe OR Image:\\net1.exe) OR (OriginalFileName:net.exe OR OriginalFileName:net1.exe)) (CommandLine:\ accounts* OR CommandLine:\ group* OR CommandLine:\ localgroup* OR CommandLine:\ share* OR CommandLine:\ start* OR CommandLine:\ stop\ * OR CommandLine:\ user* OR CommandLine:\ view*)
view Sigma YAML
title: Net.EXE Execution
id: 183e7ea8-ac4b-4c23-9aec-b3dac4e401ac
status: test
description: Detects execution of "Net.EXE".
references:
    - https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
    - https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html
    - https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html
    - https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-2---system-service-discovery---netexe
author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements)
date: 2019-01-16
modified: 2022-07-11
tags:
    - attack.discovery
    - attack.t1007
    - attack.t1049
    - attack.t1018
    - attack.t1135
    - attack.t1201
    - attack.t1069.001
    - attack.t1069.002
    - attack.t1087.001
    - attack.t1087.002
    - attack.lateral-movement
    - attack.t1021.002
    - attack.s0039
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\net.exe'
              - '\net1.exe'
        - OriginalFileName:
              - 'net.exe'
              - 'net1.exe'
    selection_cli:
        CommandLine|contains:
            - ' accounts'
            - ' group'
            - ' localgroup'
            - ' share'
            - ' start'
            - ' stop '
            - ' user'
            - ' view'
    condition: all of selection_*
falsepositives:
    - Likely
level: low
Network Connection Initiated By PowerShell Process
Level: low · Quality: Strong · Alert volume: High FP
Detects a network connection that was initiated from a PowerShell process. Often times malicious powershell scripts download additional payloads or communicate back to command and control channels via uncommon ports or IPs. Use this rule as a basis for hunting for anomalies.
Status: test · Author: Florian Roth (Nextron Systems) · ATT&CK mapping: sub-technique · Sigma id: 1f21ec3f-810d-4b0e-8045-322202e22b4b
Carbon Black query:
((Image:\\powershell.exe OR Image:\\pwsh.exe) Initiated:true) (-(((DestinationIp:127.* OR DestinationIp:10.* OR DestinationIp:169.254.* OR DestinationIp:172.16.* OR DestinationIp:172.17.* OR DestinationIp:172.18.* OR DestinationIp:172.19.* OR DestinationIp:172.20.* OR DestinationIp:172.21.* OR DestinationIp:172.22.* OR DestinationIp:172.23.* OR DestinationIp:172.24.* OR DestinationIp:172.25.* OR DestinationIp:172.26.* OR DestinationIp:172.27.* OR DestinationIp:172.28.* OR DestinationIp:172.29.* OR DestinationIp:172.30.* OR DestinationIp:172.31.* OR DestinationIp:192.168.* OR DestinationIp:\:\:1\/128 OR DestinationIp:fe8* OR DestinationIp:fe9* OR DestinationIp:fea* OR DestinationIp:feb* OR DestinationIp:fc* OR DestinationIp:fd*) (User:AUTHORI* OR User:AUTORI*)) OR (DestinationIp:20.184.* OR DestinationIp:20.185.* OR DestinationIp:20.186.* OR DestinationIp:20.187.* OR DestinationIp:20.188.* OR DestinationIp:20.189.* OR DestinationIp:20.190.* OR DestinationIp:20.191.* OR DestinationIp:51.103.210.* OR DestinationIp:51.103.211.*)))
view Sigma YAML
title: Network Connection Initiated By PowerShell Process
id: 1f21ec3f-810d-4b0e-8045-322202e22b4b
status: test
description: |
    Detects a network connection that was initiated from a PowerShell process.
    Often times malicious powershell scripts download additional payloads or communicate back to command and control channels via uncommon ports or IPs.
    Use this rule as a basis for hunting for anomalies.
references:
    - https://www.youtube.com/watch?v=DLtJTxMWZ2o
author: Florian Roth (Nextron Systems)
date: 2017-03-13
modified: 2024-03-13
tags:
    - attack.execution
    - attack.t1059.001
    - detection.threat-hunting
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        Initiated: 'true'
    filter_main_local_ip:
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '169.254.0.0/16'  # link-local address
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '::1/128'  # IPv6 loopback
            - 'fe80::/10'  # IPv6 link-local addresses
            - 'fc00::/7'  # IPv6 private addresses
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    filter_main_msrange:
        DestinationIp|cidr:
            - '20.184.0.0/13'
            - '51.103.210.0/23'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Administrative scripts
    - Microsoft IP range
    - Additional filters are required. Adjust to your environment (e.g. extend filters with the company's IP range).
level: low
Network Connection Initiated To Mega.nz
Level: low · Quality: Moderate · Alert volume: High FP
Detects a network connection initiated by a binary to "api.mega.co.nz". Attackers were seen abusing file sharing websites similar to "mega.nz" in order to upload/download additional payloads.
Status: test · Author: Florian Roth (Nextron Systems) · ATT&CK mapping: sub-technique · Sigma id: fdeebdf0-9f3f-4d08-84a6-4c4d13e39fe4
Carbon Black query:
Initiated:true (DestinationHostname:mega.co.nz OR DestinationHostname:mega.nz)
view Sigma YAML
title: Network Connection Initiated To Mega.nz
id: fdeebdf0-9f3f-4d08-84a6-4c4d13e39fe4
status: test
description: |
    Detects a network connection initiated by a binary to "api.mega.co.nz".
    Attackers were seen abusing file sharing websites similar to "mega.nz" in order to upload/download additional payloads.
references:
    - https://megatools.megous.com/
    - https://www.mandiant.com/resources/russian-targeting-gov-business
author: Florian Roth (Nextron Systems)
date: 2021-12-06
modified: 2024-05-31
tags:
    - attack.exfiltration
    - attack.t1567.002
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|endswith:
            - 'mega.co.nz'
            - 'mega.nz'
    condition: selection
falsepositives:
    - Legitimate MEGA installers and utilities are expected to communicate with this domain. Exclude hosts that are known to be allowed to use this tool.
level: low
Network Sniffing - Linux
Level: low · Quality: Strong · Alert volume: Medium FP
Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Status: test · Author: Timur Zinniatullin, oscd.community · ATT&CK mapping: technique · Sigma id: f4d3748a-65d1-4806-bd23-e25728081d01
Carbon Black query:
(type:execve a0:tcpdump a1:\-c a3:\-i*) OR (type:execve a0:tshark a1:\-c a3:\-i)
view Sigma YAML
title: Network Sniffing - Linux
id: f4d3748a-65d1-4806-bd23-e25728081d01
status: test
description: |
  Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.
  An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md
author: Timur Zinniatullin, oscd.community
date: 2019-10-21
modified: 2022-12-18
tags:
    - attack.credential-access
    - attack.discovery
    - attack.t1040
logsource:
    product: linux
    service: auditd
detection:
    selection_1:
        type: 'execve'
        a0: 'tcpdump'
        a1: '-c'
        a3|contains: '-i'
    selection_2:
        type: 'execve'
        a0: 'tshark'
        a1: '-c'
        a3: '-i'
    condition: 1 of selection_*
falsepositives:
    - Legitimate administrator or user uses network sniffing tool for legitimate reasons.
level: low
New BITS Job Created Via Bitsadmin
Level: low · Quality: Moderate · Alert volume: Medium FP
Detects the creation of a new bits job by Bitsadmin
Status: test · Author: frack113 · ATT&CK mapping: technique · Sigma id: 1ff315dc-2a3a-4b71-8dde-873818d25d39
Carbon Black query:
EventID:3 processPath:\\bitsadmin.exe
view Sigma YAML
title: New BITS Job Created Via Bitsadmin
id: 1ff315dc-2a3a-4b71-8dde-873818d25d39
status: test
description: Detects the creation of a new bits job by Bitsadmin
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
author: frack113
date: 2022-03-01
modified: 2023-03-27
tags:
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1197
logsource:
    product: windows
    service: bits-client
detection:
    selection:
        EventID: 3
        processPath|endswith: '\bitsadmin.exe'
    condition: selection
falsepositives:
    - Many legitimate applications or scripts could leverage "bitsadmin". This event is best correlated with EID 16403 via the JobID field
level: low
New BITS Job Created Via PowerShell
Level: low · Quality: Moderate · Alert volume: Medium FP
Detects the creation of a new bits job by PowerShell
Status: test · Author: frack113 · ATT&CK mapping: technique · Sigma id: fe3a2d49-f255-4d10-935c-bda7391108eb
Carbon Black query:
EventID:3 (processPath:\\powershell.exe OR processPath:\\pwsh.exe)
view Sigma YAML
title: New BITS Job Created Via PowerShell
id: fe3a2d49-f255-4d10-935c-bda7391108eb
status: test
description: Detects the creation of a new bits job by PowerShell
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
author: frack113
date: 2022-03-01
modified: 2023-03-27
tags:
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1197
logsource:
    product: windows
    service: bits-client
detection:
    selection:
        EventID: 3
        processPath|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
    condition: selection
falsepositives:
    - Administrator PowerShell scripts
level: low
New Cron File Created
Level: low · Quality: Moderate · Alert volume: High FP
Detects the creation of cron files in Cron directories, which could indicate potential persistence mechanisms being established by an attacker. Note that not all cron file creations are malicious - legitimate system administration activities and software installations may also create cron files. This detection should be investigated in context, considering factors such as the user creating the file, the timing of creation, and the contents of the cron job. Focus investigation on unexpected cron files created by non-administrative users or during suspicious timeframes. Additionally, it is recommended to review the contents of the newly created cron files to assess their intent. Furthermore, it is suggested to baseline normal cron file creation and apply additional filters to reduce false positives based on the specific environment.
Status: experimental · Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC · ATT&CK mapping: sub-technique · Sigma id: 6c4e2f43-d94d-4ead-b64d-97e53fa2bd05
Carbon Black query:
((TargetFilename:\/etc\/cron.d\/* OR TargetFilename:\/etc\/cron.daily\/* OR TargetFilename:\/etc\/cron.hourly\/* OR TargetFilename:\/etc\/cron.monthly\/* OR TargetFilename:\/etc\/cron.weekly\/* OR TargetFilename:\/var\/spool\/cron\/crontabs\/* OR TargetFilename:\/var\/spool\/cron\/root*) OR (TargetFilename:\/etc\/cron.allow* OR TargetFilename:\/etc\/cron.deny* OR TargetFilename:\/etc\/crontab*)) (-(TargetFilename:\/etc\/cron.daily\/apt OR TargetFilename:\/etc\/cron.daily\/dpkg OR TargetFilename:\/etc\/cron.daily\/passwd OR TargetFilename:\/etc\/crontabs\/root))
view Sigma YAML
title: New Cron File Created
id: 6c4e2f43-d94d-4ead-b64d-97e53fa2bd05
status: experimental
description: |
    Detects the creation of cron files in Cron directories, which could indicate potential persistence mechanisms being established by an attacker.
    Note that not all cron file creations are malicious - legitimate system administration activities and software installations may also create cron files.
    This detection should be investigated in context, considering factors such as the user creating the file, the timing of creation, and the contents of the cron job.
    Focus investigation on unexpected cron files created by non-administrative users or during suspicious timeframes.
    Additionally, it is recommended to review the contents of the newly created cron files to assess their intent.
    Furthermore, it is suggested to baseline normal cron file creation and apply additional filters to reduce false positives based on the specific environment.
references:
    - https://github.com/microsoft/MSTIC-Sysmon/blob/f1477c0512b0747c1455283069c21faec758e29d/linux/configs/attack-based/persistence/T1053.003_Cron_Activity.xml
    - https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/
    - https://www.elastic.co/security-labs/primer-on-persistence-mechanisms
    - https://snehbavarva.medium.com/privilege-escalation-techniques-series-linux-cron-jobs-a5b797b424b4
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021-10-15
modified: 2026-04-28
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1053.003
logsource:
    product: linux
    category: file_event
detection:
    selection_cron_dirs:
        TargetFilename|startswith:
            - '/etc/cron.d/'
            - '/etc/cron.daily/'
            - '/etc/cron.hourly/'
            - '/etc/cron.monthly/'
            - '/etc/cron.weekly/'
            - '/var/spool/cron/crontabs/'
            - '/var/spool/cron/root'
    selection_cron_special_files:
        TargetFilename|contains:
            - '/etc/cron.allow'
            - '/etc/cron.deny'
            - '/etc/crontab'
    filter_optional_legit_cron:
        # Note: FPs on docker images: golang, postgres, python, redis, ruby
        TargetFilename:
            - '/etc/cron.daily/apt'
            - '/etc/cron.daily/dpkg'
            - '/etc/cron.daily/passwd'
            - '/etc/crontabs/root'
    condition: 1 of selection_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate administrative tasks, package managers, containers, configuration management tools, cloud agents, or system maintenance operations might cause false positives. Apply baselining before deployment.
level: low
New Kind of Network (NKN) Detection
Level: low · Quality: Moderate · Alert volume: High FP
NKN is a networking service using blockchain technology to support a decentralized network of peers. While there are legitimate uses for it, it can also be used as a C2 channel. This rule looks for a DNS request to the ma>
Status: test · Author: Michael Portera (@mportatoes) · ATT&CK mapping: tactic-only · Sigma id: fa7703d6-0ee8-4949-889c-48c84bc15b6f
Carbon Black query:
query:seed* query:.nkn.org*
view Sigma YAML
title: New Kind of Network (NKN) Detection
id: fa7703d6-0ee8-4949-889c-48c84bc15b6f
status: test
description: NKN is a networking service using blockchain technology to support a decentralized network of peers. While there are legitimate uses for it, it can also be used as a C2 channel. This rule looks for a DNS request to the ma>
references:
    - https://github.com/nknorg/nkn-sdk-go
    - https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/
    - https://github.com/Maka8ka/NGLite
author: Michael Portera (@mportatoes)
date: 2022-04-21
tags:
    - attack.command-and-control
logsource:
    product: zeek
    service: dns
detection:
    selection:
        query|contains|all:
            - 'seed'
            - '.nkn.org'
    condition: selection
falsepositives:
    - Unknown
level: low
New Kubernetes Service Account Created
Level: low · Quality: Moderate · Alert volume: Medium FP
Detects creation of new Kubernetes service account, which could indicate an attacker's attempt to persist within a cluster.
Status: test · Author: Leo Tsaousis (@laripping) · ATT&CK mapping: technique · Sigma id: e31bae15-83ed-473e-bf31-faf4f8a17d36
Carbon Black query:
verb:create "objectRef.resource":serviceaccounts
view Sigma YAML
title: New Kubernetes Service Account Created
id: e31bae15-83ed-473e-bf31-faf4f8a17d36
related:
    - id: 12d027c3-b48c-4d9d-8bb6-a732200034b2
      type: derived
status: test
description: |
    Detects creation of new Kubernetes service account, which could indicate an attacker's attempt to persist within a cluster.
references:
    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/container%20service%20account/
author: Leo Tsaousis (@laripping)
date: 2024-03-26
tags:
    - attack.persistence
    - attack.t1136
logsource:
    category: application
    product: kubernetes
    service: audit
detection:
    selection:
        verb: 'create'
        objectRef.resource: 'serviceaccounts'
    condition: selection
falsepositives:
    - Unknown
level: low
New Network ACL Entry Added
Level: low · Quality: Moderate · Alert volume: Medium FP
Detects that network ACL entries have been added to a route table which could indicate that new attack vectors have been opened up in the AWS account.
Status: test · Author: jamesc-grafana · ATT&CK mapping: sub-technique · Sigma id: e1f7febb-7b94-4234-b5c6-00fb8500f5dd
Carbon Black query:
eventSource:ec2.amazonaws.com eventName:CreateNetworkAclEntry
view Sigma YAML
title: New Network ACL Entry Added
id: e1f7febb-7b94-4234-b5c6-00fb8500f5dd
status: test
description: |
    Detects that network ACL entries have been added to a route table which could indicate that new attack vectors have been opened up in the AWS account.
references:
    - https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/
author: jamesc-grafana
date: 2024-07-11
tags:
    - attack.defense-impairment
    - attack.t1686.001
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 'ec2.amazonaws.com'
        eventName: 'CreateNetworkAclEntry'
    condition: selection
falsepositives:
    - Legitimate use of ACLs to enable customer and staff access from the public internet into a public VPC
level: low
New ODBC Driver Registered
Level: low · Quality: Strong · Alert volume: High FP
Detects the registration of a new ODBC driver.
Status: test · Author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: tactic-only · Sigma id: 3390fbef-c98d-4bdd-a863-d65ed7c610dd
Carbon Black query:
(TargetObject:\\SOFTWARE\\ODBC\\ODBCINST.INI\\* TargetObject:\\Driver) (-(TargetObject:\\SQL\ Server\\* Details:%WINDIR%\\System32\\SQLSRV32.dll)) (-((TargetObject:\\Microsoft\ Access\ * Details:C\:\\Progra* Details:\\ACEODBC.DLL) OR (TargetObject:\\Microsoft\ Excel\ Driver* Details:C\:\\Progra* Details:\\ACEODBC.DLL)))
view Sigma YAML
title: New ODBC Driver Registered
id: 3390fbef-c98d-4bdd-a863-d65ed7c610dd
status: test
description: Detects the registration of a new ODBC driver.
references:
    - https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-23
modified: 2023-08-17
tags:
    - attack.persistence
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\ODBC\ODBCINST.INI\'
        TargetObject|endswith: '\Driver'
    filter_main_sqlserver:
        TargetObject|contains: '\SQL Server\'
        Details: '%WINDIR%\System32\SQLSRV32.dll'
    filter_optional_office_access:
        TargetObject|contains: '\Microsoft Access '
        Details|startswith: 'C:\Progra'
        Details|endswith: '\ACEODBC.DLL'
    filter_optional_office_excel:
        TargetObject|contains: '\Microsoft Excel Driver'
        Details|startswith: 'C:\Progra'
        Details|endswith: '\ACEODBC.DLL'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Likely
level: low
New Process Created Via Taskmgr.EXE
Level: low · Quality: Moderate · Alert volume: High FP
Detects the creation of a process via the Windows task manager. This might be an attempt to bypass UAC
Status: test · Author: Florian Roth (Nextron Systems) · ATT&CK mapping: technique · Sigma id: 3d7679bd-0c00-440c-97b0-3f204273e6c7
Carbon Black query:
ParentImage:\\taskmgr.exe (-(Image:\:\\Windows\\System32\\mmc.exe OR Image:\:\\Windows\\System32\\resmon.exe OR Image:\:\\Windows\\System32\\Taskmgr.exe))
view Sigma YAML
title: New Process Created Via Taskmgr.EXE
id: 3d7679bd-0c00-440c-97b0-3f204273e6c7
status: test
description: Detects the creation of a process via the Windows task manager. This might be an attempt to bypass UAC
references:
    - https://twitter.com/ReneFreingruber/status/1172244989335810049
author: Florian Roth (Nextron Systems)
date: 2018-03-13
modified: 2024-01-18
tags:
    - attack.stealth
    - attack.t1036
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\taskmgr.exe'
    filter_main_generic:
        Image|endswith:
            - ':\Windows\System32\mmc.exe'
            - ':\Windows\System32\resmon.exe'
            - ':\Windows\System32\Taskmgr.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Administrative activity
level: low
level: low · quality: Moderate · alert volume: High FP
New Service Creation Using PowerShell
Detects the creation of a new service using powershell.
status: test · author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community · ATT&CK mapping: sub-technique · id: c02e96b7-c63a-4c47-bd83-4a9f74afcfb2
carbon_black query
CommandLine:New\-Service* CommandLine:\-BinaryPathName*
view Sigma YAML
title: New Service Creation Using PowerShell
id: c02e96b7-c63a-4c47-bd83-4a9f74afcfb2
related:
    - id: 85ff530b-261d-48c6-a441-facaa2e81e48 # Using Sc.EXE
      type: similar
status: test
description: Detects the creation of a new service using powershell.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md
author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
date: 2023-02-20
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1543.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'New-Service'
            - '-BinaryPathName'
    condition: selection
falsepositives:
    - Legitimate administrator or user creates a service for legitimate reasons.
    - Software installation
level: low
level: low · quality: Strong · alert volume: High FP
New Service Creation Using Sc.EXE
Detects the creation of a new service using the "sc.exe" utility.
status: test · author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community · ATT&CK mapping: sub-technique · id: 85ff530b-261d-48c6-a441-facaa2e81e48
carbon_black query
(Image:\\sc.exe (CommandLine:create* CommandLine:binPath*)) (-((ParentImage:C\:\\Program\ Files\ \(x86\)\\Dropbox\\Client\\* OR ParentImage:C\:\\Program\ Files\\Dropbox\\Client\\*) ParentImage:\\Dropbox.exe))
view Sigma YAML
title: New Service Creation Using Sc.EXE
id: 85ff530b-261d-48c6-a441-facaa2e81e48
related:
    - id: c02e96b7-c63a-4c47-bd83-4a9f74afcfb2 # Using PowerShell
      type: similar
status: test
description: Detects the creation of a new service using the "sc.exe" utility.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md
author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
date: 2023-02-20
modified: 2025-09-01
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1543.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\sc.exe'
        CommandLine|contains|all:
            - 'create'
            - 'binPath'
    filter_optional_dropbox:
        ParentImage|startswith:
            - 'C:\Program Files (x86)\Dropbox\Client\'
            - 'C:\Program Files\Dropbox\Client\'
        ParentImage|endswith: '\Dropbox.exe'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Legitimate administrator or user creates a service for legitimate reasons.
    - Software installation
level: low
level: low · quality: Strong · alert volume: High FP
New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet
Detects calls to the "New-NetFirewallRule" cmdlet from PowerShell in order to add a new firewall rule with an "Allow" action.
status: test · author: frack113 · ATT&CK mapping: sub-technique · id: 51483085-0cba-46a8-837e-4416496d6971
carbon_black query
((Image:\\powershell.exe OR Image:\\pwsh.exe OR Image:\\powershell_ise.exe) OR (OriginalFileName:PowerShell.EXE OR OriginalFileName:pwsh.dll)) (CommandLine:New\-NetFirewallRule\ * CommandLine:\ \-Action\ * CommandLine:allow*)
view Sigma YAML
title: New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet
id: 51483085-0cba-46a8-837e-4416496d6971
related:
    - id: 8d31dd2e-b582-48ca-826e-dcaa2c1ca264
      type: similar
status: test
description: |
    Detects calls to the "New-NetFirewallRule" cmdlet from PowerShell in order to add a new firewall rule with an "Allow" action.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule
    - https://malware.news/t/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/72170
    - https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/
author: frack113
date: 2024-05-03
tags:
    - attack.defense-impairment
    - attack.t1686.003
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection_name:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\powershell_ise.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_args:
        CommandLine|contains|all:
            - 'New-NetFirewallRule '
            - ' -Action '
            - 'allow'
    condition: all of selection_*
falsepositives:
    - Administrator script
level: low
level: low · quality: Moderate · alert volume: High FP
New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet - ScriptBlock
Detects when a powershell script contains calls to the "New-NetFirewallRule" cmdlet in order to add a new firewall rule with an "Allow" action.
status: test · author: frack113 · ATT&CK mapping: sub-technique · id: 8d31dd2e-b582-48ca-826e-dcaa2c1ca264
carbon_black query
ScriptBlockText:New\-NetFirewallRule*\-Action*Allow*
view Sigma YAML
title: New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet - ScriptBlock
id: 8d31dd2e-b582-48ca-826e-dcaa2c1ca264
related:
    - id: 51483085-0cba-46a8-837e-4416496d6971
      type: similar
status: test
description: |
    Detects when a powershell script contains calls to the "New-NetFirewallRule" cmdlet in order to add a new firewall rule with an "Allow" action.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule
    - https://malware.news/t/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/72170
    - https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/
author: frack113
date: 2024-05-10
tags:
    - attack.defense-impairment
    - attack.t1686.003
    - detection.threat-hunting
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains: 'New-NetFirewallRule*-Action*Allow'
    condition: selection
falsepositives:
    - Administrator script
level: low
level: low · quality: Moderate · alert volume: High FP
Nltest.EXE Execution
Detects nltest commands that can be used for information discovery
status: test · author: Arun Chauhan · ATT&CK mapping: technique · id: 903076ff-f442-475a-b667-4f246bcc203b
carbon_black query
Image:\\nltest.exe OR OriginalFileName:nltestrk.exe
view Sigma YAML
title: Nltest.EXE Execution
id: 903076ff-f442-475a-b667-4f246bcc203b
related:
    - id: 5cc90652-4cbd-4241-aa3b-4b462fa5a248
      type: similar
    - id: eeb66bbb-3dde-4582-815a-584aee9fe6d1
      type: obsolete
status: test
description: Detects nltest commands that can be used for information discovery
references:
    - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm
author: Arun Chauhan
date: 2023-02-03
tags:
    - attack.discovery
    - attack.t1016
    - attack.t1018
    - attack.t1482
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\nltest.exe'
        - OriginalFileName: 'nltestrk.exe'
    condition: selection
falsepositives:
    - Legitimate administration activity
level: low
level: low · quality: Moderate · alert volume: Medium FP
No Suitable Encryption Key Found For Generating Kerberos Ticket
Detects errors when a target server doesn't have suitable keys for generating kerberos tickets. This issue can occur for example when a service uses a user account or a computer account that is configured for only DES encryption on a computer that is running Windows 7 which has DES encryption for Kerberos authentication disabled.
status: test · author: @SerkinValery · ATT&CK mapping: sub-technique · id: b1e0b3f5-b62e-41be-886a-daffde446ad4
carbon_black query
(Provider_Name:Kerberos\-Key\-Distribution\-Center OR Provider_Name:Microsoft\-Windows\-Kerberos\-Key\-Distribution\-Center) (EventID:16 OR EventID:27)
view Sigma YAML
title: No Suitable Encryption Key Found For Generating Kerberos Ticket
id: b1e0b3f5-b62e-41be-886a-daffde446ad4
status: test
description: |
    Detects errors when a target server doesn't have suitable keys for generating kerberos tickets.
    This issue can occur for example when a service uses a user account or a computer account that is configured for only DES encryption on a computer that is running Windows 7 which has DES encryption for Kerberos authentication disabled.
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd348773(v=ws.10)
    - https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/kdc-event-16-27-des-encryption-disabled
author: '@SerkinValery'
date: 2024-03-07
modified: 2025-09-22
tags:
    - attack.credential-access
    - attack.t1558.003
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name:
            - 'Kerberos-Key-Distribution-Center'
            - 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        EventID:
            - 16 # KDCEVENT_NO_KEY_INTERSECTION_TGS
            - 27 # KDCEVENT_UNSUPPORTED_ETYPE_REQUEST_TGS
    condition: selection
falsepositives:
    - Unknown
level: low
level: low · quality: Moderate · alert volume: High FP
NodeJS Execution of JavaScript File
Detects execution of JavaScript or JSC files using NodeJs binary node.exe, that could be potentially suspicious.
Node.js is a popular open-source JavaScript runtime that runs code outside browsers and is widely used for both frontend and backend development.
Adversaries have been observed abusing Node.js to disguise malware as legitimate processes, evade security defenses, and maintain persistence within target systems.
Because Node.js is commonly used, this rule may generate false positives in some environments. However, if such activity is unusual in your environment, it is highly suspicious and warrants immediate investigation.
status: experimental · author: Swachchhanda Shrawan Poudel (Nextron Systems) · ATT&CK mapping: sub-technique · id: ba3874b9-0fae-465f-836c-eb5d071a1789
carbon_black query
(Image:\\node.exe OR OriginalFileName:node.exe OR Product:Node.js) CommandLine:.js*
view Sigma YAML
title: NodeJS Execution of JavaScript File
id: ba3874b9-0fae-465f-836c-eb5d071a1789
status: experimental
description: |
    Detects execution of JavaScript or JSC files using NodeJs binary node.exe, that could be potentially suspicious.
    Node.js is a popular open-source JavaScript runtime that runs code outside browsers and is widely used for both frontend and backend development.
    Adversaries have been observed abusing Node.js to disguise malware as legitimate processes, evade security defenses, and maintain persistence within target systems.
    Because Node.js is commonly used, this rule may generate false positives in some environments. However, if such activity is unusual in your environment, it is highly suspicious and warrants immediate investigation.
references:
    - https://www.microsoft.com/en-us/security/blog/2025/04/15/threat-actors-misuse-node-js-to-deliver-malware-and-other-malicious-payloads/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-04-21
tags:
    - attack.execution
    - attack.t1059.007
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\node.exe'
        - OriginalFileName: 'node.exe'
        - Product: 'Node.js'
    selection_cmd:
        CommandLine|contains: '.js'
    condition: all of selection_*
falsepositives:
    - Legitimate use of node.exe to execute JavaScript or JSC files on your environment
level: low
level: low · quality: Strong · alert volume: High FP
Non Interactive PowerShell Process Spawned
Detects non-interactive PowerShell activity by looking for a "powershell" process whose parent is not a user-facing GUI process such as "explorer.exe".
status: test · author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) · ATT&CK mapping: sub-technique · id: f4bbd493-b796-416e-bbf2-121235348529
carbon_black query
((Image:\\powershell.exe OR Image:\\pwsh.exe) OR (OriginalFileName:PowerShell.EXE OR OriginalFileName:pwsh.dll)) (-((ParentImage:\:\\Windows\\explorer.exe OR ParentImage:\:\\Windows\\System32\\CompatTelRunner.exe OR ParentImage:\:\\Windows\\SysWOW64\\explorer.exe) OR ParentImage:\:\\$WINDOWS.\~BT\\Sources\\SetupHost.exe)) (-((ParentImage:\\AppData\\Local\\Programs\\Microsoft\ VS\ Code\\Code.exe ParentCommandLine:\ \-\-ms\-enable\-electron\-run\-as\-node\ *) OR (ParentImage:\:\\Program\ Files\\WindowsApps\\Microsoft.WindowsTerminal_* ParentImage:\\WindowsTerminal.exe) OR ParentImage:\:\\Program\ Files\\Windows\ Defender\ Advanced\ Threat\ Protection\\SenseIR.exe))
view Sigma YAML
title: Non Interactive PowerShell Process Spawned
id: f4bbd493-b796-416e-bbf2-121235348529
status: test
description: Detects non-interactive PowerShell activity by looking for a "powershell" process whose parent is not a user-facing GUI process such as "explorer.exe".
references:
    - https://web.archive.org/web/20200925032237/https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html
author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
date: 2019-09-12
modified: 2025-02-28
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    filter_main_generic:
        ParentImage|endswith:
            - ':\Windows\explorer.exe'
            - ':\Windows\System32\CompatTelRunner.exe'
            - ':\Windows\SysWOW64\explorer.exe'
    filter_main_windows_update:
        ParentImage: ':\$WINDOWS.~BT\Sources\SetupHost.exe' # During Windows updates/upgrades
        # CommandLine: powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';
    filter_optional_vscode:
        # Triggered by VsCode when you open a Shell inside the workspace
        ParentImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'
        ParentCommandLine|contains: ' --ms-enable-electron-run-as-node '
    filter_optional_terminal:
        ParentImage|contains: ':\Program Files\WindowsApps\Microsoft.WindowsTerminal_'
        ParentImage|endswith: '\WindowsTerminal.exe'
    filter_optional_defender:
        ParentImage|endswith: ':\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Likely. Many admin scripts and tools leverage PowerShell in their BAT or VB scripts which may trigger this rule often. It is best to add additional filters or use this to hunt for anomalies
level: low
level: low · quality: Moderate · alert volume: High FP
Notepad Password Files Discovery
Detects the execution of Notepad to open a file that has the string "password" which may indicate unauthorized access to credentials or suspicious activity.
status: experimental · author: The DFIR Report · ATT&CK mapping: technique · id: 3b4e950b-a3ea-44d3-877e-432071990709
carbon_black query
ParentImage:\\explorer.exe Image:\\notepad.exe (CommandLine:password*.txt OR CommandLine:password*.csv OR CommandLine:password*.doc OR CommandLine:password*.xls)
view Sigma YAML
title: Notepad Password Files Discovery
id: 3b4e950b-a3ea-44d3-877e-432071990709
status: experimental
description: Detects the execution of Notepad to open a file that has the string "password" which may indicate unauthorized access to credentials or suspicious activity.
references:
    - https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/
    - https://intel.thedfirreport.com/eventReports/view/57  # Private Report
author: 'The DFIR Report'
tags:
    - attack.discovery
    - attack.t1083
date: 2025-02-21
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith: '\explorer.exe'
        Image|endswith: '\notepad.exe'
        CommandLine|endswith:
        # Note: Commandline to contain a file with the string password and a specific extension
            - 'password*.txt'
            - 'password*.csv'
            - 'password*.doc'
            - 'password*.xls'
    condition: selection
falsepositives:
    - Legitimate use of opening files from remote hosts by administrators or users. However, storing passwords in text readable format could potentially be a violation of the organization's policy. Any match should be investigated further.
level: low
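The two process_creation rules above, Non Interactive PowerShell Process Spawned and Notepad Password Files Discovery, are evaluated the same way: every named selection is tested against the event, then the condition combines the results, with `filter_*` selections subtracted from `selection`. The block below is an added example, not code from the Sigma project or from this rule corpus: a small Python evaluator for the subset of Sigma semantics those two rules use, run over constructed Sysmon-style events (the events, including the renamed-binary case, are made up for illustration; the rule bodies are copied from the YAML above, with three of the PowerShell rule's filters left out). It shows why the `OriginalFileName` branch matters (a copied and renamed powershell.exe still fires), that a field missing from the event never satisfies a selection, and what the `*` inside the `endswith` value `password*.txt` actually matches.

```python
"""Added example: a minimal evaluator for the Sigma subset these rules use.

Handles endswith / startswith / contains / contains|all, list values (OR),
'*' wildcards inside values, list-of-maps selections (OR of ANDs), and the
'selection and not 1 of filter_*' condition. Events are constructed.
"""
import fnmatch


def match_value(value, pattern, modifier="exact"):
    """Sigma string matching: case-insensitive, '*' and '?' are wildcards."""
    text = str(value).lower()
    pat = str(pattern).lower().replace("[", "[[]")  # '[' would open a fnmatch class
    glob = {"endswith": "*" + pat, "startswith": pat + "*",
            "contains": "*" + pat + "*"}.get(modifier, pat)
    return fnmatch.fnmatchcase(text, glob)


def selection_matches(selection, event):
    """A list of maps is OR-ed; the keys inside one map are AND-ed."""
    if isinstance(selection, list):
        return any(selection_matches(item, event) for item in selection)
    for key, patterns in selection.items():
        field, *mods = key.split("|")
        if field not in event:          # a missing field never satisfies a selection
            return False
        modifier = next((m for m in mods if m != "all"), "exact")
        values = patterns if isinstance(patterns, list) else [patterns]
        hits = [match_value(event[field], p, modifier) for p in values]
        if not (all(hits) if "all" in mods else any(hits)):
            return False
    return True


def selection_minus_filters(m):
    """'selection and not 1 of filter_main_* and not 1 of filter_optional_*'"""
    return m["selection"] and not any(v for k, v in m.items() if k.startswith("filter_"))


def evaluate(rule, event):
    """Test every named selection, then apply the rule's condition."""
    matched = {name: selection_matches(sel, event) for name, sel in rule["detection"].items()}
    return rule["condition"](matched)


# Rule bodies copied from the YAML above (windows_update, vscode and defender filters omitted).
NON_INTERACTIVE_PS = {
    "detection": {
        "selection": [{"Image|endswith": ["\\powershell.exe", "\\pwsh.exe"]},
                      {"OriginalFileName": ["PowerShell.EXE", "pwsh.dll"]}],
        "filter_main_generic": {"ParentImage|endswith": [
            ":\\Windows\\explorer.exe", ":\\Windows\\System32\\CompatTelRunner.exe",
            ":\\Windows\\SysWOW64\\explorer.exe"]},
        "filter_optional_terminal": {
            "ParentImage|contains": ":\\Program Files\\WindowsApps\\Microsoft.WindowsTerminal_",
            "ParentImage|endswith": "\\WindowsTerminal.exe"},
    },
    "condition": selection_minus_filters,
}
# 'password*.txt' under endswith means: "password", then anything, then ".txt" at the end.
NOTEPAD_PASSWORD_FILES = {
    "detection": {"selection": {
        "ParentImage|endswith": "\\explorer.exe",
        "Image|endswith": "\\notepad.exe",
        "CommandLine|endswith": ["password*.txt", "password*.csv", "password*.doc", "password*.xls"]}},
    "condition": lambda m: m["selection"],
}

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
NOTEPAD = "C:\\Windows\\System32\\notepad.exe"
EVENTS = {  # constructed process_creation events with Sysmon field names
    "ps_from_cmd": {"Image": PS, "OriginalFileName": "PowerShell.EXE",
                    "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    "ps_from_explorer": {"Image": PS, "OriginalFileName": "PowerShell.EXE",
                         "ParentImage": "C:\\Windows\\explorer.exe"},
    "renamed_ps": {"Image": "C:\\Users\\Public\\svchost.exe",  # copied and renamed binary
                   "OriginalFileName": "PowerShell.EXE",       # PE version info still says so
                   "ParentImage": "C:\\Windows\\System32\\wscript.exe"},
    "notepad_passwords": {"Image": NOTEPAD, "ParentImage": "C:\\Windows\\explorer.exe",
                          "CommandLine": f'"{NOTEPAD}" \\\\fs01\\it\\Passwords_2024.txt'},
    "notepad_readme": {"Image": NOTEPAD, "ParentImage": "C:\\Windows\\explorer.exe",
                       "CommandLine": f'"{NOTEPAD}" C:\\Temp\\readme.txt'},
}


def run_rules():
    """Return {event name: [titles of rules that fired]} for the constructed events."""
    rules = {"Non Interactive PowerShell Process Spawned": NON_INTERACTIVE_PS,
             "Notepad Password Files Discovery": NOTEPAD_PASSWORD_FILES}
    return {name: [title for title, rule in rules.items() if evaluate(rule, ev)]
            for name, ev in EVENTS.items()}


if __name__ == "__main__":
    for name, fired in run_rules().items():
        print(f"{name:18s} -> {fired or 'no match'}")
```

Running it, the explorer.exe-parented PowerShell is suppressed by `filter_main_generic` while the cmd.exe- and wscript.exe-parented ones fire, and only the Notepad invocation whose argument contains "password" matches. In production the rendered Carbon Black query or the `sigma` CLI does this work; the point here is the semantics, in particular that the `filter_optional_*` entries are the ones meant to be tuned per environment and that an `endswith` value with an embedded `*` is a glob, not a literal suffix.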
level: low · quality: Moderate · alert volume: High FP
OS Architecture Discovery Via Grep
Detects the use of grep to identify information about the operating system architecture. Often combined beforehand with the execution of "uname" or "cat /proc/cpuinfo"
status: test · author: Joseliyo Sanchez, @Joseliyo_Jstnk · ATT&CK mapping: technique · id: d27ab432-2199-483f-a297-03633c05bae6
carbon_black query
Image:\/grep (CommandLine:aarch64 OR CommandLine:arm OR CommandLine:i386 OR CommandLine:i686 OR CommandLine:mips OR CommandLine:x86_64)
view Sigma YAML
title: OS Architecture Discovery Via Grep
id: d27ab432-2199-483f-a297-03633c05bae6
status: test
description: |
    Detects the use of grep to identify information about the operating system architecture. Often combined beforehand with the execution of "uname" or "cat /proc/cpuinfo"
references:
    - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
    - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
    - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
    - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-06-02
tags:
    - attack.discovery
    - attack.t1082
logsource:
    category: process_creation
    product: linux
detection:
    selection_process:
        Image|endswith: '/grep'
    selection_architecture:
        CommandLine|endswith:
            - 'aarch64'
            - 'arm'
            - 'i386'
            - 'i686'
            - 'mips'
            - 'x86_64'
    condition: all of selection_*
falsepositives:
    - Unknown
level: low
level: low · quality: Strong · alert volume: High FP
Office Macro File Creation
Detects the creation of new Office macro files on the system
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: sub-technique · id: 91174a41-dc8f-401b-be89-7bfc140612a0
carbon_black query
(TargetFilename:.docm OR TargetFilename:.dotm OR TargetFilename:.xlsm OR TargetFilename:.xltm OR TargetFilename:.potm OR TargetFilename:.pptm) (-((Image:C\:\\Program\ Files\\Microsoft\ Office\\* OR Image:C\:\\Program\ Files\ \(x86\)\\Microsoft\ Office\\*) (Image:\\WINWORD.EXE OR Image:\\EXCEL.EXE OR Image:\\POWERPNT.EXE) TargetFilename:\\\~$*))
view Sigma YAML
title: Office Macro File Creation
id: 91174a41-dc8f-401b-be89-7bfc140612a0
related:
    - id: 0e29e3a7-1ad8-40aa-b691-9f82ecd33d66
      type: similar
status: test
description: Detects the creation of new Office macro files on the system
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md
    - https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-23
modified: 2026-01-09
tags:
    - attack.initial-access
    - attack.t1566.001
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith:
            - '.docm'
            - '.dotm'
            - '.xlsm'
            - '.xltm'
            - '.potm'
            - '.pptm'
    filter_main_office:
        Image|startswith:
            - 'C:\Program Files\Microsoft Office\'
            - 'C:\Program Files (x86)\Microsoft Office\'
        Image|endswith:
            - '\WINWORD.EXE'
            - '\EXCEL.EXE'
            - '\POWERPNT.EXE'
        TargetFilename|contains: '\~$' # Temporary files created by Office applications
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Very common in environments that rely heavily on macro documents
level: low
level: low · quality: Moderate · alert volume: High FP
Office Macro File Download
Detects the creation of new Office macro files on the system by an application such as a browser or mail client. This can help identify potential malicious activity, such as the download of macro-enabled documents that could be used for exploitation.
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: sub-technique · id: 0e29e3a7-1ad8-40aa-b691-9f82ecd33d66
carbon_black query
(Image:\\RuntimeBroker.exe OR Image:\\outlook.exe OR Image:\\thunderbird.exe OR Image:\\brave.exe OR Image:\\chrome.exe OR Image:\\firefox.exe OR Image:\\iexplore.exe OR Image:\\maxthon.exe OR Image:\\MicrosoftEdge.exe OR Image:\\msedge.exe OR Image:\\msedgewebview2.exe OR Image:\\opera.exe OR Image:\\safari.exe OR Image:\\seamonkey.exe OR Image:\\vivaldi.exe OR Image:\\whale.exe) ((TargetFilename:.docm OR TargetFilename:.dotm OR TargetFilename:.xlsm OR TargetFilename:.xltm OR TargetFilename:.potm OR TargetFilename:.pptm) OR (TargetFilename:.docm\:Zone* OR TargetFilename:.dotm\:Zone* OR TargetFilename:.xlsm\:Zone* OR TargetFilename:.xltm\:Zone* OR TargetFilename:.potm\:Zone* OR TargetFilename:.pptm\:Zone*))
view Sigma YAML
title: Office Macro File Download
id: 0e29e3a7-1ad8-40aa-b691-9f82ecd33d66
related:
    - id: 91174a41-dc8f-401b-be89-7bfc140612a0
      type: similar
status: test
description: |
    Detects the creation of new Office macro files on the system by an application such as a browser or mail client.
    This can help identify potential malicious activity, such as the download of macro-enabled documents that could be used for exploitation.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md
    - https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-23
modified: 2025-10-29
tags:
    - attack.initial-access
    - attack.t1566.001
logsource:
    category: file_event
    product: windows
detection:
    selection_processes:
        Image|endswith:
            # Email clients
            - '\RuntimeBroker.exe' # Windows Email clients uses RuntimeBroker to create the files
            - '\outlook.exe'
            - '\thunderbird.exe'
            # Browsers
            - '\brave.exe'
            - '\chrome.exe'
            - '\firefox.exe'
            - '\iexplore.exe'
            - '\maxthon.exe'
            - '\MicrosoftEdge.exe'
            - '\msedge.exe'
            - '\msedgewebview2.exe'
            - '\opera.exe'
            - '\safari.exe'
            - '\seamonkey.exe'
            - '\vivaldi.exe'
            - '\whale.exe'
    selection_ext:
        - TargetFilename|endswith:
              - '.docm'
              - '.dotm'
              - '.xlsm'
              - '.xltm'
              - '.potm'
              - '.pptm'
        - TargetFilename|contains:
              - '.docm:Zone'
              - '.dotm:Zone'
              - '.xlsm:Zone'
              - '.xltm:Zone'
              - '.potm:Zone'
              - '.pptm:Zone'
    condition: all of selection_*
falsepositives:
    - Legitimate macro files downloaded from the internet
    - Legitimate macro files sent as attachments via emails
level: low
level: low · quality: Moderate · alert volume: High FP
Okta Password Health Report Query
Detects all activities against the endpoint "/reports/password-health/*" which should only be accessed via OKTA Admin Console UI. Use this rule to hunt for potential suspicious requests. Correlate this event with "admin console" login and alert on requests without any corresponding admin console login
status: test · author: Muhammad Faisal (@faisalusuf) · ATT&CK mapping: tactic-only · id: 0d58814b-1660-4d31-8c93-d1086ed24cba
carbon_black query
"debugContext.debugData.requestUri":\/reports\/password\-health\/*
view Sigma YAML
title: Okta Password Health Report Query
id: 0d58814b-1660-4d31-8c93-d1086ed24cba
status: test
description: |
    Detects all activities against the endpoint "/reports/password-health/*" which should only be accessed via OKTA Admin Console UI.
    Use this rule to hunt for potential suspicious requests. Correlate this event with "admin console" login and alert on requests without any corresponding admin console login
references:
    - https://www.beyondtrust.com/blog/entry/okta-support-unit-breach
author: Muhammad Faisal (@faisalusuf)
date: 2023-10-25
tags:
    - attack.credential-access
    - detection.threat-hunting
logsource:
    service: okta
    product: okta
detection:
    selection:
        debugContext.debugData.requestUri|contains: '/reports/password-health/'
    condition: selection
falsepositives:
    - Okta admin activities via the Web Console UI.
    - This rule is recommended to be used for threat hunting, especially in the context of OKTA support incident in OCT-2023.
    - This rule can be used to hunt the activity against endpoints like /reports/password-health/async_csv_download_schedule?, which are typically used from Okta Admin Console UI only, without any corresponding admin console login. See reference
level: low
level: low · quality: Moderate · alert volume: Medium FP
Okta Policy Modified or Deleted
Detects when an Okta policy is modified or deleted.
status: test · author: Austin Songer @austinsonger · ATT&CK mapping: tactic-only · id: 1667a172-ed4c-463c-9969-efd92195319a
carbon_black query
eventType:policy.lifecycle.update OR eventType:policy.lifecycle.delete
view Sigma YAML
title: Okta Policy Modified or Deleted
id: 1667a172-ed4c-463c-9969-efd92195319a
status: test
description: Detects when an Okta policy is modified or deleted.
references:
    - https://developer.okta.com/docs/reference/api/system-log/
    - https://developer.okta.com/docs/reference/api/event-types/
author: Austin Songer @austinsonger
date: 2021-09-12
modified: 2026-04-27
tags:
    - attack.impact
logsource:
    product: okta
    service: okta
detection:
    selection:
        eventType:
            - policy.lifecycle.update
            - policy.lifecycle.delete
    condition: selection
falsepositives:
    - Okta Policies being modified or deleted may be performed by a system administrator.
    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - Okta Policies modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: low
level: low · quality: Strong · alert volume: Medium FP
OneLogin User Account Locked
Detects when a user account is locked or suspended.
status: test · author: Austin Songer @austinsonger · ATT&CK mapping: tactic-only · id: a717c561-d117-437e-b2d9-0118a7035d01
carbon_black query
event_type_id:532 OR event_type_id:553 OR event_type_id:551
view Sigma YAML
title: OneLogin User Account Locked
id: a717c561-d117-437e-b2d9-0118a7035d01
status: test
description: Detects when a user account is locked or suspended.
references:
    - https://developers.onelogin.com/api-docs/1/events/event-resource/
author: Austin Songer @austinsonger
date: 2021-10-12
modified: 2022-12-25
tags:
    - attack.impact
logsource:
    product: onelogin
    service: onelogin.events
detection:
    selection1: # Locked via API
        event_type_id: 532
    selection2: # Locked via API
        event_type_id: 553
    selection3: # Suspended via API
        event_type_id: 551
    condition: 1 of selection*
falsepositives:
    - System may lock or suspend user accounts.
level: low
level: low · quality: Moderate · alert volume: Medium FP
OneLogin User Assumed Another User
Detects when a user assumed another user account.
status: test · author: Austin Songer @austinsonger · ATT&CK mapping: tactic-only · id: 62fff148-278d-497e-8ecd-ad6083231a35
carbon_black query
event_type_id:3
view Sigma YAML
title: OneLogin User Assumed Another User
id: 62fff148-278d-497e-8ecd-ad6083231a35
status: test
description: Detects when a user assumed another user account.
references:
    - https://developers.onelogin.com/api-docs/1/events/event-resource
author: Austin Songer @austinsonger
date: 2021-10-12
modified: 2022-12-25
tags:
    - attack.impact
logsource:
    product: onelogin
    service: onelogin.events
detection:
    selection:
        event_type_id: 3
    condition: selection
falsepositives:
    - Unknown
level: low
level: low · quality: Moderate · alert volume: Medium FP
Outgoing Logon with New Credentials
Detects logon events that specify new credentials
status: test · author: Max Altgelt (Nextron Systems) · ATT&CK mapping: technique · id: def8b624-e08f-4ae1-8612-1ba21190da6b
carbon_black query
EventID:4624 LogonType:9
view Sigma YAML
title: Outgoing Logon with New Credentials
id: def8b624-e08f-4ae1-8612-1ba21190da6b
status: test
description: Detects logon events that specify new credentials
references:
    - https://go.recordedfuture.com/hubfs/reports/mtp-2021-0914.pdf
author: Max Altgelt (Nextron Systems)
date: 2022-04-06
tags:
    - attack.lateral-movement
    - attack.t1550
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624
        LogonType: 9
    condition: selection
falsepositives:
    - Legitimate remote administration activity
level: low
level: low · quality: Moderate · alert volume: High FP
Outlook Task/Note Reminder Received
Detects changes to the registry values related to outlook that indicates that a reminder was triggered for a Note or Task item. This could be a sign of exploitation of CVE-2023-23397. Further investigation is required to determine the success of an exploitation.
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: technique · id: fc06e655-d98c-412f-ac76-05c2698b1cb2
carbon_black query
(TargetObject:\\SOFTWARE\\Microsoft\\Office\\* TargetObject:\\Outlook\\*) (TargetObject:\\Tasks\\* OR TargetObject:\\Notes\\*)
view Sigma YAML
title: Outlook Task/Note Reminder Received
id: fc06e655-d98c-412f-ac76-05c2698b1cb2
status: test
description: Detects changes to the registry values related to outlook that indicates that a reminder was triggered for a Note or Task item. This could be a sign of exploitation of CVE-2023-23397. Further investigation is required to determine the success of an exploitation.
references:
    - https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-05
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.t1137
    - cve.2023-23397
    - detection.emerging-threats
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains|all:
            - '\SOFTWARE\Microsoft\Office\'
            - '\Outlook\'
        TargetObject|contains:
            - '\Tasks\'
            - '\Notes\'
    condition: selection
falsepositives:
    - Legitimate reminders received for a task or a note will also trigger this rule.
level: low
level: low · quality: Strong · alert volume: Medium FP
Overwriting the File with Dev Zero or Null
Detects overwriting (effectively wiping/deleting) of a file.
status: stable · author: Jakob Weinzettl, oscd.community · ATT&CK mapping: technique · id: 37222991-11e9-4b6d-8bdf-60fbe48f753e
carbon_black query
type:EXECVE a0:dd* (a1:if=\/dev\/null* OR a1:if=\/dev\/zero*)
view Sigma YAML
title: Overwriting the File with Dev Zero or Null
id: 37222991-11e9-4b6d-8bdf-60fbe48f753e
status: stable
description: Detects overwriting (effectively wiping/deleting) of a file.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md
author: Jakob Weinzettl, oscd.community
date: 2019-10-23
tags:
    - attack.impact
    - attack.t1485
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'EXECVE'
        a0|contains: 'dd'
        a1|contains:
            - 'if=/dev/null'
            - 'if=/dev/zero'
    condition: selection
falsepositives:
    - Appending null bytes to files.
    - Legitimate overwrite of files.
level: low
low Strong High FP
PFX File Creation
Detects the creation of PFX files (Personal Information Exchange format). PFX files contain private keys and certificates bundled together, making them valuable targets for attackers seeking to:
- Exfiltrate digital certificates for impersonation or signing malicious code
- Establish persistent access through certificate-based authentication
- Bypass security controls that rely on certificate validation
Analysts should investigate PFX file creation events by examining which process created the PFX file and its parent process chain, as well as unusual locations outside standard certificate stores or development environments.
status test author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) ATT&CK sub-technique id dca1b3e8-e043-4ec8-85d7-867f334b5724
carbon_black query
TargetFilename:.pfx (-(((Image:C\:\\Program\ Files\\Microsoft\ OneDrive\\OneDrive.exe OR Image:C\:\\Program\ Files\ \(x86\)\\Microsoft\ OneDrive\\OneDrive.exe) TargetFilename:\\OneDrive\\CodeSigning.pfx) OR (TargetFilename:C\:\\Program\ Files\ \(x86\)\\Microsoft\ Visual\ Studio\\* OR TargetFilename:C\:\\Program\ Files\\Microsoft\ Visual\ Studio\\*) OR TargetFilename:C\:\\Program\ Files\\CMake\\*))
view Sigma YAML
title: PFX File Creation
id: dca1b3e8-e043-4ec8-85d7-867f334b5724
status: test
description: |
    Detects the creation of PFX files (Personal Information Exchange format).
    PFX files contain private keys and certificates bundled together, making them valuable targets for attackers seeking to:

        - Exfiltrate digital certificates for impersonation or signing malicious code
        - Establish persistent access through certificate-based authentication
        - Bypass security controls that rely on certificate validation

    Analysts should investigate PFX file creation events by examining which process created the PFX file and its parent process chain, as well as unusual locations outside standard certificate stores or development environments.
references:
    - https://github.com/OTRF/detection-hackathon-apt29/issues/14
    - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.md
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2025-10-19
tags:
    - attack.credential-access
    - attack.t1552.004
    - detection.threat-hunting
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith: '.pfx'
    filter_optional_onedrive:
        Image:
            - 'C:\Program Files\Microsoft OneDrive\OneDrive.exe'
            - 'C:\Program Files (x86)\Microsoft OneDrive\OneDrive.exe'
        TargetFilename|endswith: '\OneDrive\CodeSigning.pfx'
    filter_optional_visual_studio:
        TargetFilename|startswith:
            - 'C:\Program Files (x86)\Microsoft Visual Studio\'
            - 'C:\Program Files\Microsoft Visual Studio\'
    filter_optional_cmake:
        TargetFilename|startswith: 'C:\Program Files\CMake\'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - System administrators legitimately managing certificates and PKI infrastructure
    - Development environments where developers create test certificates for application signing
    - Automated certificate deployment tools and scripts used in enterprise environments
    - Software installation processes that include certificate provisioning (e.g., web servers, VPN clients)
    - Certificate backup and recovery operations performed by IT staff
    - Build systems and CI/CD pipelines that generate code signing certificates
    - Third-party applications that create temporary certificates for secure communications
level: low
low Moderate High FP
PUA - Adidnsdump Execution
This tool enables enumeration and export of all DNS records in a zone for reconnaissance of internal networks. Python 3 and python.exe must be installed. Used to query/modify DNS records for Active Directory integrated DNS via LDAP.
status test author frack113 ATT&CK technique id 26d3f0a2-f514-4a3f-a8a7-e7e48a8d9160
carbon_black query
Image:\\python.exe CommandLine:adidnsdump*
view Sigma YAML
title: PUA - Adidnsdump Execution
id: 26d3f0a2-f514-4a3f-a8a7-e7e48a8d9160
status: test
description: |
    This tool enables enumeration and export of all DNS records in a zone for reconnaissance of internal networks. Python 3 and python.exe must be installed.
    Used to query/modify DNS records for Active Directory integrated DNS via LDAP
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-9---remote-system-discovery---adidnsdump
author: frack113
date: 2022-01-01
modified: 2023-02-21
tags:
    - attack.discovery
    - attack.t1018
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\python.exe'
        CommandLine|contains: 'adidnsdump'
    condition: selection
falsepositives:
    - Unknown
level: low
low Moderate High FP
PUA - Sysinternal Tool Execution - Registry
Detects the execution of a Sysinternals Tool via the creation of the "accepteula" registry key
status test author Markus Neis ATT&CK sub-technique id 25ffa65d-76d8-4da5-a832-3f2b0136e133
carbon_black query
TargetObject:\\EulaAccepted
view Sigma YAML
title: PUA - Sysinternal Tool Execution - Registry
id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
status: test
description: Detects the execution of a Sysinternals Tool via the creation of the "accepteula" registry key
references:
    - https://twitter.com/Moti_B/status/1008587936735035392
author: Markus Neis
date: 2017-08-28
modified: 2025-10-26
tags:
    - attack.resource-development
    - attack.t1588.002
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|endswith: '\EulaAccepted'
    condition: selection
falsepositives:
    - Legitimate use of SysInternals tools
    - Programs that use the same Registry Key
level: low
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_pua_sysinternals_execution_via_eula/info.yml
low Strong Medium FP
Password Policy Discovery - Linux
Detects password policy discovery commands
status stable author Ömer Günal, oscd.community, Pawel Mazur ATT&CK technique id ca94a6db-8106-4737-9ed2-3e3bb826af0a
carbon_black query
(type:PATH (name:\/etc\/login.defs OR name:\/etc\/pam.d\/auth OR name:\/etc\/pam.d\/common\-account OR name:\/etc\/pam.d\/common\-auth OR name:\/etc\/pam.d\/common\-password OR name:\/etc\/pam.d\/system\-auth OR name:\/etc\/security\/pwquality.conf)) OR (type:EXECVE a0:chage (a1:\-\-list OR a1:\-l)) OR (type:EXECVE a0:passwd (a1:\-S OR a1:\-\-status))
view Sigma YAML
title: Password Policy Discovery - Linux
id: ca94a6db-8106-4737-9ed2-3e3bb826af0a
status: stable
description: Detects password policy discovery commands
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md
    - https://linux.die.net/man/1/chage
    - https://man7.org/linux/man-pages/man1/passwd.1.html
    - https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu
author: Ömer Günal, oscd.community, Pawel Mazur
date: 2020-10-08
modified: 2024-12-01
tags:
    - attack.discovery
    - attack.t1201
logsource:
    product: linux
    service: auditd
detection:
    selection_files:
        type: 'PATH'
        name:
            - '/etc/login.defs'
            - '/etc/pam.d/auth'
            - '/etc/pam.d/common-account'
            - '/etc/pam.d/common-auth'
            - '/etc/pam.d/common-password'
            - '/etc/pam.d/system-auth'
            - '/etc/security/pwquality.conf'
    selection_chage:
        type: 'EXECVE'
        a0: 'chage'
        a1:
            - '--list'
            - '-l'
    selection_passwd:
        type: 'EXECVE'
        a0: 'passwd'
        a1:
            - '-S'
            - '--status'
    condition: 1 of selection_*
falsepositives:
    - Legitimate administration activities
level: low
low Moderate High FP
Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy
Detects PowerShell activity in which Get-AdDefaultDomainPasswordPolicy is used to get the default password policy for an Active Directory domain.
status test author frack113 ATT&CK technique id bbb9495b-58fc-4016-b9df-9a3a1b67ca82
carbon_black query
ScriptBlockText:Get\-AdDefaultDomainPasswordPolicy*
view Sigma YAML
title: Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy
id: bbb9495b-58fc-4016-b9df-9a3a1b67ca82
status: test
description: Detects PowerShell activity in which Get-AdDefaultDomainPasswordPolicy is used to get the default password policy for an Active Directory domain.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md#atomic-test-9---enumerate-active-directory-password-policy-with-get-addefaultdomainpasswordpolicy
    - https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy?view=windowsserver2022-ps
author: frack113
date: 2022-03-17
tags:
    - attack.discovery
    - attack.t1201
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains: Get-AdDefaultDomainPasswordPolicy
    condition: selection
falsepositives:
    - Legitimate PowerShell scripts
level: low
low Moderate High FP
Password Protected Compressed File Extraction Via 7Zip
Detects usage of 7zip utilities (7z.exe, 7za.exe and 7zr.exe) to extract password protected zip files.
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK sub-technique id b717b8fd-6467-4d7d-b3d3-27f9a463af77
carbon_black query
(Description:7\-Zip* OR (Image:\\7z.exe OR Image:\\7za.exe OR Image:\\7zr.exe) OR (OriginalFileName:7z.exe OR OriginalFileName:7za.exe OR OriginalFileName:7zr.exe)) (CommandLine:\ \-p* CommandLine:\ x\ * CommandLine:\ \-o*)
view Sigma YAML
title: Password Protected Compressed File Extraction Via 7Zip
id: b717b8fd-6467-4d7d-b3d3-27f9a463af77
status: test
description: Detects usage of 7zip utilities (7z.exe, 7za.exe and 7zr.exe) to extract password protected zip files.
references:
    - https://blog.cyble.com/2022/06/07/bumblebee-loader-on-the-rise/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-10
modified: 2026-06-05
tags:
    - attack.collection
    - attack.t1560.001
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Description|contains: '7-Zip'
        - Image|endswith:
              - '\7z.exe'
              - '\7za.exe'
              - '\7zr.exe'
        - OriginalFileName:
              - '7z.exe'
              - '7za.exe'
              - '7zr.exe'
    selection_password:
        CommandLine|contains|all:
            - ' -p'
            - ' x '
            - ' -o'
    condition: all of selection_*
falsepositives:
    - Legitimate activity is expected since extracting files with a password can be common in some environments.
level: low
low Strong High FP
Potential 7za.DLL Sideloading
Detects potential DLL sideloading of "7za.dll"
status test author X__Junior ATT&CK sub-technique id 4f6edb78-5c21-42ab-a558-fd2a6fc1fd57
carbon_black query
ImageLoaded:\\7za.dll (-((Image:C\:\\Program\ Files\ \(x86\)\\* OR Image:C\:\\Program\ Files\\*) (ImageLoaded:C\:\\Program\ Files\ \(x86\)\\* OR ImageLoaded:C\:\\Program\ Files\\*)))
view Sigma YAML
title: Potential 7za.DLL Sideloading
id: 4f6edb78-5c21-42ab-a558-fd2a6fc1fd57
status: test
description: Detects potential DLL sideloading of "7za.dll"
references:
    - https://www.gov.pl/attachment/ee91f24d-3e67-436d-aa50-7fa56acf789d
author: X__Junior
date: 2023-06-09
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\7za.dll'
    filter_main_legit_path:
        Image|startswith:
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
        ImageLoaded|startswith:
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate third party application located in "AppData" may leverage this DLL to offer 7z compression functionality and may generate false positives. Apply additional filters as needed.
level: low
low Strong Low FP
Potential Bucket Enumeration on AWS
Looks for potential enumeration of AWS buckets via ListBuckets.
status test author Christopher Peacock @securepeacock, SCYTHE @scythe_io ATT&CK technique id f305fd62-beca-47da-ad95-7690a0620084
carbon_black query
(eventSource:s3.amazonaws.com eventName:ListBuckets) (-"userIdentity.type":AssumedRole)
view Sigma YAML
title: Potential Bucket Enumeration on AWS
id: f305fd62-beca-47da-ad95-7690a0620084
related:
    - id: 4723218f-2048-41f6-bcb0-417f2d784f61
      type: similar
status: test
description: Looks for potential enumeration of AWS buckets via ListBuckets.
references:
    - https://github.com/Lifka/hacking-resources/blob/c2ae355d381bd0c9f0b32c4ead049f44e5b1573f/cloud-hacking-cheat-sheets.md
    - https://jamesonhacking.blogspot.com/2020/12/pivoting-to-private-aws-s3-buckets.html
    - https://securitycafe.ro/2022/12/14/aws-enumeration-part-ii-practical-enumeration/
author: Christopher Peacock @securepeacock, SCYTHE @scythe_io
date: 2023-01-06
modified: 2024-07-10
tags:
    - attack.discovery
    - attack.t1580
    - attack.t1619
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 's3.amazonaws.com'
        eventName: 'ListBuckets'
    filter:
        userIdentity.type: 'AssumedRole'
    condition: selection and not filter
falsepositives:
    - Administrators listing buckets; it may be necessary to filter out users who commonly conduct this activity.
level: low
low Strong High FP
Potential Container Discovery Via Inodes Listing
Detects listing of the inodes of the "/" directory to determine whether the process is running inside a container.
status test author Seth Hanford ATT&CK technique id 43e26eb5-cd58-48d1-8ce9-a273f5d298d8
carbon_black query
Image:\/ls (CommandLine:\ \/ OR CommandLine:\ \/\ *) CommandLine:(?:\\s-[^-\\s]{0,20}i|\\s--inode\\s) CommandLine:(?:\\s-[^-\\s]{0,20}d|\\s--directory\\s)
view Sigma YAML
title: Potential Container Discovery Via Inodes Listing
id: 43e26eb5-cd58-48d1-8ce9-a273f5d298d8
status: test
description: Detects listing of the inodes of the "/" directory to determine whether the process is running inside a container.
references:
    - https://blog.skyplabs.net/posts/container-detection/
    - https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker
tags:
    - attack.discovery
    - attack.t1082
author: Seth Hanford
date: 2023-08-23
modified: 2025-11-24
logsource:
    category: process_creation
    product: linux
detection:
    selection_ls_img:
        Image|endswith: '/ls'    # inode outside containers low, inside high
    selection_ls_cli:
        - CommandLine|endswith: ' /'
        - CommandLine|contains: ' / '
    selection_regex_inode:
        CommandLine|re: '(?:\s-[^-\s]{0,20}i|\s--inode\s)'      # -i finds inode number
    selection_regex_dir:
        CommandLine|re: '(?:\s-[^-\s]{0,20}d|\s--directory\s)'  # -d gets directory itself, not contents
    condition: all of selection_*
falsepositives:
    - Legitimate system administrator usage of these commands
    - Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered
level: low
low Moderate High FP
Potential Encoded PowerShell Patterns In CommandLine
Detects specific combinations of encoding methods in PowerShell via the commandline
status test author Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton ATT&CK sub-technique id cdf05894-89e7-4ead-b2b0-0a5f97a90f2f
carbon_black query
((Image:\\powershell.exe OR Image:\\pwsh.exe) OR (OriginalFileName:PowerShell.EXE OR OriginalFileName:pwsh.dll)) (((CommandLine:ToInt* OR CommandLine:ToDecimal* OR CommandLine:ToByte* OR CommandLine:ToUint* OR CommandLine:ToSingle* OR CommandLine:ToSByte*) (CommandLine:ToChar* OR CommandLine:ToString* OR CommandLine:String*)) OR ((CommandLine:char* CommandLine:join*) OR (CommandLine:split* CommandLine:join*)))
view Sigma YAML
title: Potential Encoded PowerShell Patterns In CommandLine
id: cdf05894-89e7-4ead-b2b0-0a5f97a90f2f
related:
    - id: 5b572dcf-254b-425c-a8c5-d9af6bea35a6
      type: similar
status: test
description: Detects specific combinations of encoding methods in PowerShell via the commandline
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65
author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
date: 2020-10-11
modified: 2023-01-26
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_to_1:
        CommandLine|contains:
            - 'ToInt'
            - 'ToDecimal'
            - 'ToByte'
            - 'ToUint'
            - 'ToSingle'
            - 'ToSByte'
    selection_to_2:
        CommandLine|contains:
            - 'ToChar'
            - 'ToString'
            - 'String'
    selection_gen_1:
        CommandLine|contains|all:
            - 'char'
            - 'join'
    selection_gen_2:
        CommandLine|contains|all:
            - 'split'
            - 'join'
    condition: selection_img and (all of selection_to_* or 1 of selection_gen_*)
falsepositives:
    - Unknown
level: low
low Moderate High FP
Potential Execution of Sysinternals Tools
Detects command lines that contain the 'accepteula' flag which could be a sign of execution of one of the Sysinternals tools
status test author Markus Neis ATT&CK sub-technique id 7cccd811-7ae9-4ebe-9afd-cb5c406b824b
carbon_black query
CommandLine:\ \-accepteula* OR CommandLine:\ \/accepteula* OR CommandLine:\ –accepteula* OR CommandLine:\ —accepteula* OR CommandLine:\ ―accepteula*
view Sigma YAML
title: Potential Execution of Sysinternals Tools
id: 7cccd811-7ae9-4ebe-9afd-cb5c406b824b
related:
    - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
      type: derived
status: test
description: Detects command lines that contain the 'accepteula' flag which could be a sign of execution of one of the Sysinternals tools
references:
    - https://twitter.com/Moti_B/status/1008587936735035392
author: Markus Neis
date: 2017-08-28
modified: 2024-03-13
tags:
    - attack.resource-development
    - attack.t1588.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|windash: ' -accepteula'
    condition: selection
falsepositives:
    - Legitimate use of SysInternals tools
    - Programs that use the same command line flag
level: low
low Moderate Medium FP
Potential Exploitation of CVE-2022-21919 or CVE-2021-34484 for LPE
Detects potential exploitation attempts of CVE-2022-21919 or CVE-2021-34484 leading to local privilege escalation via the User Profile Service. During exploitation of this vulnerability, two logs (Provider_Name: Microsoft-Windows-User Profiles Service) with EventID 1511 and 1515 are created (EventID 1515 may generate many false positives). Additionally, the directory \Users\TEMP may be created during exploitation. This behavior was observed on Windows Server 2008.
status test author Cybex ATT&CK tactic-only id 52a85084-6989-40c3-8f32-091e12e17692
carbon_black query
EventID:1511 Provider_Name:Microsoft\-Windows\-User\ Profiles\ Service
view Sigma YAML
title: Potential Exploitation of CVE-2022-21919 or CVE-2021-34484 for LPE
id: 52a85084-6989-40c3-8f32-091e12e17692
status: test
description: |
    Detects potential exploitation attempts of CVE-2022-21919 or CVE-2021-34484 leading to local privilege escalation via the User Profile Service.
    During exploitation of this vulnerability, two logs (Provider_Name: Microsoft-Windows-User Profiles Service) with EventID 1511 and 1515 are created (EventID 1515 may generate many false positives).
    Additionally, the directory \Users\TEMP may be created during exploitation. This behavior was observed on Windows Server 2008.
references:
    - https://packetstormsecurity.com/files/166692/Windows-User-Profile-Service-Privlege-Escalation.html
author: Cybex
date: 2022-08-16
modified: 2025-11-03
tags:
    - attack.execution
    - detection.emerging-threats
    - cve.2022-21919
    - cve.2021-34484
logsource:
    product: windows
    service: application
detection:
    selection:
        EventID: 1511
        Provider_Name: 'Microsoft-Windows-User Profiles Service'
    condition: selection
falsepositives:
    - Corrupted user profiles - https://social.technet.microsoft.com/wiki/contents/articles/3571.windows-user-profiles-service-event-1511-windows-cannot-find-the-local-profile-and-is-logging-you-on-with-a-temporary-profile.aspx
level: low
Showing 151-200 of 328