Tool
EDR / XDR
VMware Carbon Black
328 rules · Sigma detections in VMware Carbon Black syntax
The same Sigma detection corpus, machine-rendered into VMware Carbon Black query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 3,646 rules (.zip, 1.2 MB)
Every VMware Carbon Black query in this view, packaged to deploy.
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance12
Resource Development10
Initial Access10
Execution30
Persistence42
Privilege Escalation20
Stealth79
Defense Impairment32
Credential Access35
Discovery33
Lateral Movement16
Collection20
Command and Control24
Exfiltration10
Impact18
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
◈
Detection rules
50 shown of 328
low
Strong
High FP
Potential File Override/Append Via SET Command
Detects the use of the "SET" internal command of Cmd.EXE with the /p flag followed directly by an "=" sign.
Attackers used this technique along with an append redirection operator ">>" in order to update the content of a file indirectly.
Ex: cmd /c >> example.txt set /p="test data". This will append "test data" to contents of "example.txt".
The typical use case of the "set /p=" command is to prompt the user for input.
view Sigma YAML
title: Potential File Override/Append Via SET Command
id: 65e4c134-ee52-4099-9e35-5e17a4b45c62
status: test
description: |
Detects the use of the "SET" internal command of Cmd.EXE with the /p flag followed directly by an "=" sign.
Attackers used this technique along with an append redirection operator ">>" in order to update the content of a file indirectly.
Ex: cmd /c >> example.txt set /p="test data". This will append "test data" to contents of "example.txt".
The typical use case of the "set /p=" command is to prompt the user for input.
references:
- https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/set_1
- https://ss64.com/nt/set.html
author: Nasreddine Bencherchali (Nextron Systems), MahirAli Khan (in/mahiralikhan)
date: 2024-08-22
tags:
- attack.execution
- detection.threat-hunting
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\cmd.exe'
- OriginalFileName: 'Cmd.Exe'
selection_cli:
CommandLine|contains:
- '/c set /p='
- '"set /p='
- '>>*set /p=' # To catch edge cases where the attacker passes it via a "cmd /c"
condition: all of selection_*
falsepositives:
- Legitimate use of the SET with the "/p" flag for user prompting. command in administrative scripts or user-generated scripts.
level: low
Convert to SIEM query
low
Moderate
High FP
Potential PowerShell Obfuscation Using Alias Cmdlets
Detects Set-Alias or New-Alias cmdlet usage. Which can be use as a mean to obfuscate PowerShell scripts
view Sigma YAML
title: Potential PowerShell Obfuscation Using Alias Cmdlets
id: 96cd126d-f970-49c4-848a-da3a09f55c55
related:
- id: e8314f79-564d-4f79-bc13-fbc0bf2660d8
type: derived
status: test
description: Detects Set-Alias or New-Alias cmdlet usage. Which can be use as a mean to obfuscate PowerShell scripts
references:
- https://github.com/1337Rin/Swag-PSO
author: frack113
date: 2023-01-08
modified: 2025-10-22
tags:
- attack.execution
- attack.stealth
- attack.t1027
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- 'Set-Alias '
- 'New-Alias '
filter_main_cim:
ScriptBlockText:
- 'Set-Alias -Name ncms -Value New-CimSession -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
- 'Set-Alias -Name gcls -Value Get-CimClass -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
- 'Set-Alias -Name ncso -Value New-CimSessionOption -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
- 'Set-Alias -Name gcms -Value Get-CimSession -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
- 'Set-Alias -Name rcms -Value Remove-cimSession -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
- 'Set-Alias -Name rcie -Value Register-CimIndicationEvent -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
- 'Set-Alias -Name gcai -Value Get-CimAssociatedInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
- 'Set-Alias -Name gcim -Value Get-CimInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
- 'Set-Alias -Name scim -Value Set-CimInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
- 'Set-Alias -Name ncim -Value New-CimInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
- 'Set-Alias -Name rcim -Value Remove-cimInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
- 'Set-Alias -Name icim -Value Invoke-CimMethod -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: low
Convert to SIEM query
low
Moderate
High FP
Potential PowerShell Obfuscation Using Character Join
Detects specific techniques often seen used inside of PowerShell scripts to obfscuate Alias creation
view Sigma YAML
title: Potential PowerShell Obfuscation Using Character Join
id: e8314f79-564d-4f79-bc13-fbc0bf2660d8
related:
- id: 96cd126d-f970-49c4-848a-da3a09f55c55
type: derived
status: test
description: Detects specific techniques often seen used inside of PowerShell scripts to obfscuate Alias creation
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-09
tags:
- attack.execution
- attack.stealth
- attack.t1027
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
# Example:
# Set-Alias -Name Y -Value (-join("Ne","w-O","bje","ct"))
# Set-Alias -Name X -Value (-join("Inv","oke","-","Exp","ression"))
ScriptBlockText|contains|all:
- '-Alias' # For both "New-Alias" and "Set-Alias"
- ' -Value (-join('
condition: selection
falsepositives:
- Unknown
level: low
Convert to SIEM query
low
Moderate
High FP
Potential Proxy Execution Via Explorer.EXE From Shell Process
Detects the creation of a child "explorer.exe" process from a shell like process such as "cmd.exe" or "powershell.exe".
Attackers can use "explorer.exe" for evading defense mechanisms by proxying the execution through the latter.
While this is often a legitimate action, this rule can be use to hunt for anomalies.
Muddy Waters threat actor was seeing using this technique.
view Sigma YAML
title: Potential Proxy Execution Via Explorer.EXE From Shell Process
id: 9eb271b9-24ae-4cd4-9465-19cfc1047f3e
status: test
description: |
Detects the creation of a child "explorer.exe" process from a shell like process such as "cmd.exe" or "powershell.exe".
Attackers can use "explorer.exe" for evading defense mechanisms by proxying the execution through the latter.
While this is often a legitimate action, this rule can be use to hunt for anomalies.
Muddy Waters threat actor was seeing using this technique.
references:
- https://twitter.com/CyberRaiju/status/1273597319322058752
- https://app.any.run/tasks/9a8fd563-4c54-4d0a-9ad8-1fe08339cbc3/
author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative
date: 2020-10-05
modified: 2024-06-21
tags:
- attack.stealth
- attack.t1218
- detection.threat-hunting
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
Image|endswith: '\explorer.exe'
CommandLine|contains: 'explorer.exe'
condition: selection
falsepositives:
- Legitimate explorer.exe run from a shell host like "cmd.exe" or "powershell.exe"
level: low
Convert to SIEM query
low
Strong
High FP
Potential Raspberry Robin Registry Set Internet Settings ZoneMap
Detects registry modifications related to the proxy configuration of the system, potentially associated with the Raspberry Robin malware, as seen in campaigns running in Q1 2024.
Raspberry Robin may alter proxy settings to circumvent security measures, ensuring unhindered connection with Command and Control servers for maintaining control over compromised systems if there are any proxy settings that are blocking connections.
view Sigma YAML
title: Potential Raspberry Robin Registry Set Internet Settings ZoneMap
id: 16a4c7b3-4681-49d0-8d58-3e9b796dcb43
status: test
description: |
Detects registry modifications related to the proxy configuration of the system, potentially associated with the Raspberry Robin malware, as seen in campaigns running in Q1 2024.
Raspberry Robin may alter proxy settings to circumvent security measures, ensuring unhindered connection with Command and Control servers for maintaining control over compromised systems if there are any proxy settings that are blocking connections.
references:
- https://tria.ge/240225-jlylpafb24/behavioral1/analog?main_event=Registry&op=SetValueKeyInt
- https://tria.ge/240307-1hlldsfe7t/behavioral2/analog?main_event=Registry&op=SetValueKeyInt
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_ProxyByPass
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_UNCAsIntranet
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_IncludeUnspecifiedLocalSites
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::SecurityPage_AutoDetect
- https://bazaar.abuse.ch/browse/signature/RaspberryRobin/
author: Swachchhanda Shrawan Poudel
date: 2024-07-31
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
- detection.emerging-threats
logsource:
category: registry_set
product: windows
definition: 'Requirements: The registry key "\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\" and its sub keys must be monitored'
detection:
selection_registry_image:
- Image|contains:
- '\AppData\Local\Temp\'
- '\Downloads\'
- '\Users\Public\'
- '\Windows\Temp\'
- Image|endswith: '\control.exe'
selection_registry_object:
TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\'
selection_value_enable:
TargetObject|endswith:
- '\IntranetName'
- '\ProxyByPass'
- '\UNCAsIntranet'
Details|contains: 'DWORD (0x00000001)'
selection_value_disable:
TargetObject|endswith: '\AutoDetect'
Details|contains: 'DWORD (0x00000000)'
condition: all of selection_registry_* and 1 of selection_value_*
falsepositives:
- Unknown
# Note: can be upgraded to medium after an initial baseline
level: low
Convert to SIEM query
low
Moderate
High FP
Potentially Suspicious Long Filename Pattern - Linux
Detects the creation of files with unusually long filenames (100 or more characters), which may indicate obfuscation techniques used by malware such as VShell.
This is a hunting rule to identify potential threats that use long filenames to evade detection. Keep in mind that on a legitimate system, such long filenames can and are common. Run this detection in the context of threat hunting rather than alerting.
Adjust the threshold of filename length as needed based on your environment.
view Sigma YAML
title: Potentially Suspicious Long Filename Pattern - Linux
id: 11629c4d-0fe6-465b-be62-b39a1c442aad
status: experimental
description: |
Detects the creation of files with unusually long filenames (100 or more characters), which may indicate obfuscation techniques used by malware such as VShell.
This is a hunting rule to identify potential threats that use long filenames to evade detection. Keep in mind that on a legitimate system, such long filenames can and are common. Run this detection in the context of threat hunting rather than alerting.
Adjust the threshold of filename length as needed based on your environment.
references:
- https://www.trellix.com/blogs/research/the-silent-fileless-threat-of-vshell/
author: '@kostastsale'
date: 2025-11-22
tags:
- attack.execution
- attack.stealth
- attack.t1059.004
- attack.t1027
- detection.threat-hunting
logsource:
product: linux
category: file_event
detection:
selection:
TargetFilename|re: '[^/]{100,}$'
filter_optional_known_good:
TargetFilename|startswith:
- '/run/systemd/units/invocation:systemd-fsck@'
- '/sys/firmware/'
- '/var/log/journal/'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Legitimate files with long filenames.
level: low
Convert to SIEM query
low
Strong
High FP
Potentially Suspicious Network Connection To Notion API
Detects a non-browser process communicating with the Notion API. This could indicate potential use of a covert C2 channel such as "OffensiveNotion C2"
view Sigma YAML
title: Potentially Suspicious Network Connection To Notion API
id: 7e9cf7b6-e827-11ed-a05b-15959c120003
status: test
description: Detects a non-browser process communicating with the Notion API. This could indicate potential use of a covert C2 channel such as "OffensiveNotion C2"
references:
- https://github.com/mttaggart/OffensiveNotion
- https://medium.com/@huskyhacks.mk/we-put-a-c2-in-your-notetaking-app-offensivenotion-3e933bace332
author: Gavin Knapp
date: 2023-05-03
tags:
- attack.command-and-control
- attack.t1102
logsource:
product: windows
category: network_connection
detection:
selection:
DestinationHostname|contains: 'api.notion.com'
filter_main_notion:
Image|endswith: '\AppData\Local\Programs\Notion\Notion.exe'
filter_main_brave:
Image|endswith: '\brave.exe'
filter_main_chrome:
Image:
- 'C:\Program Files\Google\Chrome\Application\chrome.exe'
- 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
filter_main_firefox:
Image:
- 'C:\Program Files\Mozilla Firefox\firefox.exe'
- 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
filter_main_ie:
Image:
- 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
- 'C:\Program Files\Internet Explorer\iexplore.exe'
filter_main_maxthon:
Image|endswith: '\maxthon.exe'
filter_main_edge_1:
- Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
- Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
- Image:
- 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
- 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
filter_main_edge_2:
Image|startswith:
- 'C:\Program Files (x86)\Microsoft\EdgeCore\'
- 'C:\Program Files\Microsoft\EdgeCore\'
Image|endswith:
- '\msedge.exe'
- '\msedgewebview2.exe'
filter_main_opera:
Image|endswith: '\opera.exe'
filter_main_safari:
Image|endswith: '\safari.exe'
filter_main_seamonkey:
Image|endswith: '\seamonkey.exe'
filter_main_vivaldi:
Image|endswith: '\vivaldi.exe'
filter_main_whale:
Image|endswith: '\whale.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Legitimate applications communicating with the "api.notion.com" endpoint that are not already in the exclusion list. The desktop and browser applications do not appear to be using the API by default unless integrations are configured.
level: low
Convert to SIEM query
low
Strong
High FP
Potentially Suspicious Shell Script Creation in Profile Folder
Detects the creation of shell scripts under the "profile.d" path.
view Sigma YAML
title: Potentially Suspicious Shell Script Creation in Profile Folder
id: 13f08f54-e705-4498-91fd-cce9d9cee9f1
status: test
description: Detects the creation of shell scripts under the "profile.d" path.
references:
- https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
- https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
- https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
- https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-06-02
tags:
- attack.persistence
logsource:
product: linux
category: file_event
detection:
selection:
TargetFilename|contains: '/etc/profile.d/'
TargetFilename|endswith:
- '.csh'
- '.sh'
condition: selection
falsepositives:
- Legitimate shell scripts in the "profile.d" directory could be common in your environment. Apply additional filter accordingly via "image", by adding specific filenames you "trust" or by correlating it with other events.
- Regular file creation during system update or software installation by the package manager
level: low # Can be increased to a higher level after some tuning
Convert to SIEM query
low
Moderate
High FP
PowerShell Download Via Net.WebClient - PowerShell Classic
Detects PowerShell download activity, via the .DownloadFile() or .DownloadString() methods of the Net.WebClient class.
This technique is often abused by attackers to download additional payloads.
view Sigma YAML
title: PowerShell Download Via Net.WebClient - PowerShell Classic
id: 3236fcd0-b7e3-4433-b4f8-86ad61a9af2d
related:
- id: 65531a81-a694-4e31-ae04-f8ba5bc33759
type: derived
status: test
description: |
Detects PowerShell download activity, via the .DownloadFile() or .DownloadString() methods of the Net.WebClient class.
This technique is often abused by attackers to download additional payloads.
references:
- https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html
author: Florian Roth (Nextron Systems)
date: 2017-03-05
modified: 2026-04-28
tags:
- attack.execution
- attack.command-and-control
- attack.t1059.001
- attack.t1105
logsource:
product: windows
category: ps_classic_start
detection:
selection_webclient:
Data|contains: 'Net.WebClient'
selection_download:
Data|contains:
- '.DownloadFile('
- '.DownloadString('
condition: all of selection_*
falsepositives:
- This activity may be used by legitimate software, such as patch management tools or software updaters. Investigate any such activity and apply the necessary filter.
level: low
Convert to SIEM query
low
Moderate
High FP
PowerShell Module File Created
Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc.
view Sigma YAML
title: PowerShell Module File Created
id: e36941d0-c0f0-443f-bc6f-cb2952eb69ea
status: test
description: Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc.
references:
- Internal Research
- https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-09
tags:
- attack.persistence
logsource:
category: file_event
product: windows
detection:
selection:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
TargetFilename|contains:
- '\WindowsPowerShell\Modules\'
- '\PowerShell\7\Modules\'
condition: selection
falsepositives:
- Likely
level: low
Convert to SIEM query
low
Moderate
High FP
PowerShell Script Change Permission Via Set-Acl - PsScript
Detects PowerShell scripts set ACL to of a file or a folder
view Sigma YAML
title: PowerShell Script Change Permission Via Set-Acl - PsScript
id: cae80281-ef23-44c5-873b-fd48d2666f49
related:
- id: 0944e002-e3f6-4eb5-bf69-3a3067b53d73 # ProcCreation Susp
type: derived
- id: bdeb2cff-af74-4094-8426-724dc937f20a # ProcCreation Low
type: derived
- id: 3bf1d859-3a7e-44cb-8809-a99e066d3478 # PsScript High
type: derived
status: test
description: Detects PowerShell scripts set ACL to of a file or a folder
references:
- https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-18
tags:
- attack.defense-impairment
- attack.t1222
logsource:
product: windows
category: ps_script
definition: bade5735-5ab0-4aa7-a642-a11be0e40872
detection:
selection:
ScriptBlockText|contains|all:
- 'Set-Acl '
- '-AclObject '
- '-Path '
condition: selection
falsepositives:
- Unknown
level: low
Convert to SIEM query
low
Strong
High FP
PowerShell Script Dropped Via PowerShell.EXE
Detects PowerShell creating a PowerShell file (.ps1). While often times this behavior is benign, sometimes it can be a sign of a dropper script trying to achieve persistence.
view Sigma YAML
title: PowerShell Script Dropped Via PowerShell.EXE
id: 576426ad-0131-4001-ae01-be175da0c108
status: test
description: Detects PowerShell creating a PowerShell file (.ps1). While often times this behavior is benign, sometimes it can be a sign of a dropper script trying to achieve persistence.
references:
- https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
author: frack113
date: 2023-05-09
tags:
- attack.persistence
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
TargetFilename|endswith: '.ps1'
filter_main_psscriptpolicytest:
TargetFilename|contains: '__PSScriptPolicyTest_'
filter_main_appdata:
TargetFilename|startswith: 'C:\Users\'
TargetFilename|contains: '\AppData\Local\Temp\'
filter_main_windows_temp:
TargetFilename|startswith: 'C:\Windows\Temp\'
condition: selection and not 1 of filter_main_*
falsepositives:
- False positives will differ depending on the environment and scripts used. Apply additional filters accordingly.
level: low
Convert to SIEM query
low
Moderate
High FP
PowerShell Script Execution Policy Enabled
Detects the enabling of the PowerShell script execution policy. Once enabled, this policy allows scripts to be executed.
view Sigma YAML
title: PowerShell Script Execution Policy Enabled
id: 8218c875-90b9-42e2-b60d-0b0069816d10
related:
- id: fad91067-08c5-4d1a-8d8c-d96a21b37814
type: derived
status: test
description: Detects the enabling of the PowerShell script execution policy. Once enabled, this policy allows scripts to be executed.
references:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableScripts
author: Nasreddine Bencherchali (Nextron Systems), Thurein Oo
date: 2023-10-18
tags:
- attack.execution
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\Policies\Microsoft\Windows\PowerShell\EnableScripts'
Details: 'DWORD (0x00000001)'
condition: selection
falsepositives:
- Likely
level: low
Convert to SIEM query
low
Moderate
High FP
PowerShell Script With File Upload Capabilities
Detects PowerShell scripts leveraging the "Invoke-WebRequest" cmdlet to send data via either "PUT" or "POST" method.
view Sigma YAML
title: PowerShell Script With File Upload Capabilities
id: d2e3f2f6-7e09-4bf2-bc5d-90186809e7fb
status: test
description: Detects PowerShell scripts leveraging the "Invoke-WebRequest" cmdlet to send data via either "PUT" or "POST" method.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md
- https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.4
author: frack113
date: 2022-01-07
modified: 2025-07-18
tags:
- attack.exfiltration
- attack.t1020
logsource:
product: windows
category: ps_script
definition: bade5735-5ab0-4aa7-a642-a11be0e40872
detection:
selection_cmdlet:
ScriptBlockText|contains:
- 'Invoke-RestMethod'
- 'Invoke-WebRequest'
- 'irm '
- 'iwr '
selection_flag:
ScriptBlockText|contains:
- '-Method "POST"'
- '-Method "PUT"'
- '-Method POST'
- '-Method PUT'
- "-Method 'POST'"
- "-Method 'PUT'"
condition: all of selection_*
falsepositives:
- Unknown
level: low
Convert to SIEM query
low
Moderate
High FP
Powershell Suspicious Win32_PnPEntity
Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.
view Sigma YAML
title: Powershell Suspicious Win32_PnPEntity
id: b26647de-4feb-4283-af6b-6117661283c5
status: test
description: Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1120/T1120.md
author: frack113
date: 2021-08-23
modified: 2022-12-25
tags:
- attack.discovery
- attack.t1120
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains: Win32_PnPEntity
condition: selection
falsepositives:
- Admin script
level: low
Convert to SIEM query
low
Strong
Medium FP
Previously Installed IIS Module Was Removed
Detects the removal of a previously installed IIS module.
view Sigma YAML
title: Previously Installed IIS Module Was Removed
id: 9e1a1fdf-ee58-40ce-8e15-b66ca5a80e1f
status: test
description: Detects the removal of a previously installed IIS module.
references:
- https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis
- https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/
- https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
- https://learn.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview
author: Nasreddine Bencherchali
date: 2024-10-06
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1685.001
- attack.t1505.004
logsource:
product: windows
service: iis-configuration
detection:
selection:
EventID: 29
Configuration|contains: '/system.webServer/modules/remove'
condition: selection
falsepositives:
- Legitimate administrator activity
# Note: Upgrade after an initial baseline
level: low
Convert to SIEM query
low
Moderate
Medium FP
Privileged Container Deployed
Detects the creation of a "privileged" container, an action which could be indicative of a threat actor mounting a container breakout attacks.
A privileged container is a container that can access the host with all of the root capabilities of the host machine. This allows it to view, interact and modify processes, network operations, IPC calls, the file system, mount points, SELinux configurations etc. as the root user on the host.
Various versions of "privileged" containers can be specified, e.g. by setting the securityContext.privileged flag in the resource specification, setting non-standard Linux capabilities, or configuring the hostNetwork/hostPID fields
view Sigma YAML
title: Privileged Container Deployed
id: c5cd1b20-36bb-488d-8c05-486be3d0cb97
status: test
description: |
Detects the creation of a "privileged" container, an action which could be indicative of a threat actor mounting a container breakout attacks.
A privileged container is a container that can access the host with all of the root capabilities of the host machine. This allows it to view, interact and modify processes, network operations, IPC calls, the file system, mount points, SELinux configurations etc. as the root user on the host.
Various versions of "privileged" containers can be specified, e.g. by setting the securityContext.privileged flag in the resource specification, setting non-standard Linux capabilities, or configuring the hostNetwork/hostPID fields
references:
- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/
- https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-kubernetes.html#privilegeescalation-kubernetes-privilegedcontainer
- https://www.elastic.co/guide/en/security/current/kubernetes-pod-created-with-hostnetwork.html
- https://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html
author: Leo Tsaousis (@laripping)
date: 2024-03-26
tags:
- attack.t1611
- attack.privilege-escalation
logsource:
category: application
product: kubernetes
service: audit
detection:
selection:
verb: 'create'
objectRef.resource: 'pods'
capabilities: '*' # Note: Add the "exists" when it's implemented in SigmaHQ/Aurora
condition: selection
falsepositives:
- Unknown
level: low
Convert to SIEM query
low
Moderate
High FP
Process Discovery
Detects process discovery commands. Adversaries may attempt to get information about running processes on a system.
Information obtained could be used to gain an understanding of common software/applications running on systems within the network
view Sigma YAML
title: Process Discovery
id: 4e2f5868-08d4-413d-899f-dc2f1508627b
status: stable
description: |
Detects process discovery commands. Adversaries may attempt to get information about running processes on a system.
Information obtained could be used to gain an understanding of common software/applications running on systems within the network
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md
- https://www.cyberciti.biz/faq/show-all-running-processes-in-linux/
author: Ömer Günal, oscd.community, CheraaghiMilad
date: 2020-10-06
modified: 2022-07-07
tags:
- attack.discovery
- attack.t1057
- detection.threat-hunting
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith:
- '/atop'
- '/htop'
- '/pgrep'
- '/ps'
- '/pstree'
- '/top'
condition: selection
falsepositives:
- Legitimate administration activities
level: low
Convert to SIEM query
low
Moderate
High FP
Process Execution From WebDAV Share
Detects execution of processes with image paths starting with WebDAV shares (\\), which might indicate malicious file execution from remote web shares.
Execution of processes from WebDAV shares can be a sign of lateral movement or exploitation attempts, especially if the process is not a known legitimate application.
Exploitation Attempt of vulnerabilities like CVE-2025-33053 also involves executing processes from WebDAV paths.
view Sigma YAML
title: Process Execution From WebDAV Share
id: f8de9dd5-7a63-4cfd-9d0c-ae124878b5a9
status: experimental
description: |
Detects execution of processes with image paths starting with WebDAV shares (\\), which might indicate malicious file execution from remote web shares.
Execution of processes from WebDAV shares can be a sign of lateral movement or exploitation attempts, especially if the process is not a known legitimate application.
Exploitation Attempt of vulnerabilities like CVE-2025-33053 also involves executing processes from WebDAV paths.
references:
- https://research.checkpoint.com/2025/stealth-falcon-zero-day/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-06-13
tags:
- attack.execution
- attack.command-and-control
- attack.lateral-movement
- attack.t1105
- detection.threat-hunting
logsource:
category: process_creation
product: windows
detection:
selection:
Image|startswith: '\\\\'
Image|contains: '\DavWWWRoot\'
condition: selection
falsepositives:
- Legitimate use of WebDAV shares for process execution
- Known applications executing from WebDAV paths
level: low
Convert to SIEM query
low
Strong
High FP
Process Terminated Via Taskkill
Detects execution of "taskkill.exe" in order to stop a service or a process. Look for suspicious parents executing this command in order to hunt for potential malicious activity.
Attackers might leverage this in order to conduct data destruction or data encrypted for impact on the data stores of services like Exchange and SQL Server.
view Sigma YAML
title: Process Terminated Via Taskkill
id: 86085955-ea48-42a2-9dd3-85d4c36b167d
status: test
description: |
Detects execution of "taskkill.exe" in order to stop a service or a process. Look for suspicious parents executing this command in order to hunt for potential malicious activity.
Attackers might leverage this in order to conduct data destruction or data encrypted for impact on the data stores of services like Exchange and SQL Server.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1489/T1489.md#atomic-test-3---windows---stop-service-by-killing-process
- https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/
author: frack113, MalGamy (Nextron Systems), Nasreddine Bencherchali
date: 2021-12-26
modified: 2024-10-06
tags:
- attack.impact
- attack.t1489
- detection.threat-hunting
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\taskkill.exe'
- OriginalFileName: 'taskkill.exe'
selection_cli_force:
- CommandLine|contains|windash: ' /f '
- CommandLine|endswith|windash: ' /f'
selection_cli_filter_process:
CommandLine|contains|windash:
- ' /im '
- ' /pid '
filter_main_installers:
ParentImage|contains:
- '\AppData\Local\Temp\'
- ':\Windows\Temp'
ParentImage|endswith: '.tmp'
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Expected FP with some processes using this techniques to terminate one of their processes during installations and updates
level: low
Convert to SIEM query
low
Moderate
Medium FP
PsExec Default Named Pipe
Detects PsExec service default pipe creation
view Sigma YAML
title: PsExec Default Named Pipe
id: f3f3a972-f982-40ad-b63c-bca6afdfad7c
related:
- id: 42c575ea-e41e-41f1-b248-8093c3e82a28
type: derived
status: test
description: Detects PsExec service default pipe creation
references:
- https://www.jpcert.or.jp/english/pub/sr/ir_research.html
- https://jpcertcc.github.io/ToolAnalysisResultSheet
author: Thomas Patzke
date: 2017-06-12
modified: 2022-10-09
tags:
- attack.execution
- attack.t1569.002
- attack.s0029
- detection.threat-hunting
logsource:
category: pipe_created
product: windows
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
selection:
PipeName: '\PSEXESVC'
condition: selection
falsepositives:
- Unknown
level: low
Convert to SIEM query
low
Moderate
High FP
PsExec Service File Creation
Detects default PsExec service filename which indicates PsExec service installation and execution
view Sigma YAML
title: PsExec Service File Creation
id: 259e5a6a-b8d2-4c38-86e2-26c5e651361d
related:
- id: 42c575ea-e41e-41f1-b248-8093c3e82a28
type: derived
status: test
description: Detects default PsExec service filename which indicates PsExec service installation and execution
references:
- https://www.jpcert.or.jp/english/pub/sr/ir_research.html
- https://jpcertcc.github.io/ToolAnalysisResultSheet
author: Thomas Patzke
date: 2017-06-12
modified: 2022-10-26
tags:
- attack.execution
- attack.t1569.002
- attack.s0029
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|endswith: '\PSEXESVC.exe'
condition: selection
falsepositives:
- Unknown
level: low
Convert to SIEM query
low
Moderate
High FP
QuickAssist Execution
Detects the execution of Microsoft Quick Assist tool "QuickAssist.exe". This utility can be used by attackers to gain remote access.
view Sigma YAML
title: QuickAssist Execution
id: e20b5b14-ce93-4230-88af-981983ef6e74
status: experimental
description: |
Detects the execution of Microsoft Quick Assist tool "QuickAssist.exe". This utility can be used by attackers to gain remote access.
references:
- https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/
- https://www.linkedin.com/posts/kevin-beaumont-security_ive-been-assisting-a-few-orgs-hit-with-successful-activity-7268055739116445701-xxjZ/
- https://x.com/cyb3rops/status/1862406110365245506
- https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist
author: Muhammad Faisal (@faisalusuf)
date: 2024-12-19
tags:
- attack.command-and-control
- attack.t1219.002
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\QuickAssist.exe'
condition: selection
falsepositives:
- Legitimate use of Quick Assist in the environment.
level: low
Convert to SIEM query
low
Moderate
Medium FP
RBAC Permission Enumeration Attempt
Detects identities attempting to enumerate their Kubernetes RBAC permissions.
In the early stages of a breach, attackers will aim to list the permissions they have within the compromised environment.
In a Kubernetes cluster, this can be achieved by interacting with the API server, and querying the SelfSubjectAccessReview API via e.g. a "kubectl auth can-i --list" command.
This will enumerate the Role-Based Access Controls (RBAC) rules defining the compromised user's authorization.
view Sigma YAML
title: RBAC Permission Enumeration Attempt
id: 84b777bd-c946-4d17-aa2e-c39f5a454325
status: test
description: |
Detects identities attempting to enumerate their Kubernetes RBAC permissions.
In the early stages of a breach, attackers will aim to list the permissions they have within the compromised environment.
In a Kubernetes cluster, this can be achieved by interacting with the API server, and querying the SelfSubjectAccessReview API via e.g. a "kubectl auth can-i --list" command.
This will enumerate the Role-Based Access Controls (RBAC) rules defining the compromised user's authorization.
references:
- https://www.elastic.co/guide/en/security/current/kubernetes-suspicious-self-subject-review.html
author: Leo Tsaousis (@laripping)
date: 2024-03-26
tags:
- attack.t1069.003
- attack.t1087.004
- attack.discovery
logsource:
category: application
product: kubernetes
service: audit
detection:
selection:
verb: 'create'
apiGroup: 'authorization.k8s.io'
objectRef.resource: 'selfsubjectrulesreviews'
condition: selection
falsepositives:
- Unknown
level: low
Convert to SIEM query
low
Moderate
High FP
RegAsm.EXE Execution Without CommandLine Flags or Files
Detects the execution of "RegAsm.exe" without a commandline flag or file, which might indicate potential process injection activity.
Usually "RegAsm.exe" should point to a dedicated DLL file or call the help with the "/?" flag.
view Sigma YAML
title: RegAsm.EXE Execution Without CommandLine Flags or Files
id: 651f87f7-12db-47f9-84c5-f27b081b94b6
status: experimental
description: |
Detects the execution of "RegAsm.exe" without a commandline flag or file, which might indicate potential process injection activity.
Usually "RegAsm.exe" should point to a dedicated DLL file or call the help with the "/?" flag.
references:
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/agent-teslas-unique-approach-vbs-and-steganography-for-delivery-and-intrusion/
- https://www.zscaler.fr/blogs/security-research/threat-actors-exploit-cve-2017-11882-deliver-agent-tesla
- https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool
- https://app.any.run/tasks/ea944b89-69d8-49c8-ac1f-5c76ad300db2
- https://www.joesandbox.com/analysis/1467354/0/html
author: frack113
date: 2025-06-04
tags:
- attack.stealth
- attack.t1218.009
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\RegAsm.exe'
- OriginalFileName: 'RegAsm.exe'
selection_cli:
CommandLine|endswith:
- 'RegAsm'
- 'RegAsm.exe'
- 'RegAsm.exe"'
- "RegAsm.exe'"
condition: all of selection_*
falsepositives:
- Legitimate use of Regasm by developers.
# Note: You can increase after an initial baseline
level: low
Convert to SIEM query
low
Strong
High FP
Registry Modification Via Regini.EXE
Detects the execution of regini.exe which can be used to modify registry keys, the changes are imported from one or more text files.
view Sigma YAML
title: Registry Modification Via Regini.EXE
id: 5f60740a-f57b-4e76-82a1-15b6ff2cb134
related:
- id: 77946e79-97f1-45a2-84b4-f37b5c0d8682
type: derived
status: test
description: Detects the execution of regini.exe which can be used to modify registry keys, the changes are imported from one or more text files.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Regini/
- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini
author: Eli Salem, Sander Wiebing, oscd.community
date: 2020-10-08
modified: 2023-02-08
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\regini.exe'
- OriginalFileName: 'REGINI.EXE'
filter:
CommandLine|re: ':[^ \\]' # Covered in 77946e79-97f1-45a2-84b4-f37b5c0d8682
condition: selection and not filter
falsepositives:
- Legitimate modification of keys
level: low
Convert to SIEM query
low
Moderate
Medium FP
Remote Access Tool - ScreenConnect Command Execution
Detects command execution via ScreenConnect RMM
view Sigma YAML
title: Remote Access Tool - ScreenConnect Command Execution
id: 076ebe48-cc05-4d8f-9d41-89245cd93a14
related:
- id: b1f73849-6329-4069-bc8f-78a604bb8b23
type: similar
status: test
description: Detects command execution via ScreenConnect RMM
references:
- https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling
- https://github.com/SigmaHQ/sigma/pull/4467
author: Ali Alwashali
date: 2023-10-10
tags:
- attack.execution
- attack.t1059.003
logsource:
service: application
product: windows
detection:
selection:
Provider_Name: 'ScreenConnect'
EventID: 200
Data|contains: 'Executed command of length'
condition: selection
falsepositives:
- Legitimate use of ScreenConnect
level: low
Convert to SIEM query
low
Moderate
Medium FP
Remote Access Tool - ScreenConnect File Transfer
Detects file being transferred via ScreenConnect RMM
view Sigma YAML
title: Remote Access Tool - ScreenConnect File Transfer
id: 5d19eb78-5b5b-4ef2-a9f0-4bfa94d58a13
related:
- id: b1f73849-6329-4069-bc8f-78a604bb8b23
type: similar
status: test
description: Detects file being transferred via ScreenConnect RMM
references:
- https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling
- https://github.com/SigmaHQ/sigma/pull/4467
author: Ali Alwashali
date: 2023-10-10
tags:
- attack.execution
- attack.t1059.003
logsource:
service: application
product: windows
detection:
selection:
Provider_Name: 'ScreenConnect'
EventID: 201
Data|contains: 'Transferred files with action'
condition: selection
falsepositives:
- Legitimate use of ScreenConnect
level: low
Convert to SIEM query
low
Strong
High FP
Remote Access Tool - ScreenConnect Remote Command Execution
Detects the execution of a system command via the ScreenConnect RMM service.
view Sigma YAML
title: Remote Access Tool - ScreenConnect Remote Command Execution
id: b1f73849-6329-4069-bc8f-78a604bb8b23
status: test
description: Detects the execution of a system command via the ScreenConnect RMM service.
references:
- https://github.com/SigmaHQ/sigma/pull/4467
author: Ali Alwashali
date: 2023-10-10
modified: 2024-02-26
tags:
- attack.execution
- attack.t1059.003
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\ScreenConnect.ClientService.exe'
selection_img:
- Image|endswith: '\cmd.exe'
- OriginalFileName: 'Cmd.Exe'
selection_cli:
# Example:
# CommandLine: "cmd.exe" /c "C:\Windows\TEMP\ScreenConnect\23.6.8.8644\3c41d689-bbf5-4216-b2f4-ba8fd6192c25run.cmd"
CommandLine|contains: '\TEMP\ScreenConnect\'
condition: all of selection_*
falsepositives:
- Legitimate use of ScreenConnect. Disable this rule if ScreenConnect is heavily used.
# Note: Increase the level if you don't leverage ScreenConnect
level: low
Convert to SIEM query
low
Moderate
High FP
Remote Access Tool - ScreenConnect Temporary File
Detects the creation of files in a specific location by ScreenConnect RMM.
ScreenConnect has feature to remotely execute binaries on a target machine. These binaries will be dropped to ":\Users\<username>\Documents\ConnectWiseControl\Temp\" before execution.
view Sigma YAML
title: Remote Access Tool - ScreenConnect Temporary File
id: 0afecb6e-6223-4a82-99fb-bf5b981e92a5
related:
- id: b1f73849-6329-4069-bc8f-78a604bb8b23
type: similar
status: test
description: |
Detects the creation of files in a specific location by ScreenConnect RMM.
ScreenConnect has feature to remotely execute binaries on a target machine. These binaries will be dropped to ":\Users\<username>\Documents\ConnectWiseControl\Temp\" before execution.
references:
- https://github.com/SigmaHQ/sigma/pull/4467
author: Ali Alwashali
date: 2023-10-10
tags:
- attack.execution
- attack.t1059.003
logsource:
category: file_event
product: windows
detection:
selection:
Image|endswith: '\ScreenConnect.WindowsClient.exe'
TargetFilename|contains: '\Documents\ConnectWiseControl\Temp\'
condition: selection
falsepositives:
- Legitimate use of ScreenConnect
# Note: Incase the level if ScreenConnect is not used
level: low
Convert to SIEM query
low
Moderate
High FP
Remote Access Tool - Team Viewer Session Started On Linux Host
Detects the command line executed when TeamViewer starts a session started by a remote host.
Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
view Sigma YAML
title: Remote Access Tool - Team Viewer Session Started On Linux Host
id: 1f6b8cd4-3e60-47cc-b282-5aa1cbc9182d
related:
- id: ab70c354-d9ac-4e11-bbb6-ec8e3b153357
type: similar
- id: f459ccb4-9805-41ea-b5b2-55e279e2424a
type: similar
status: test
description: |
Detects the command line executed when TeamViewer starts a session started by a remote host.
Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
references:
- Internal Research
author: Josh Nickels, Qi Nan
date: 2024-03-11
tags:
- attack.persistence
- attack.initial-access
- attack.t1133
logsource:
category: process_creation
product: linux
detection:
selection:
ParentImage|endswith: '/TeamViewer_Service'
Image|endswith: '/TeamViewer_Desktop'
CommandLine|endswith: '/TeamViewer_Desktop --IPCport 5939 --Module 1'
condition: selection
falsepositives:
- Legitimate usage of TeamViewer
level: low
Convert to SIEM query
low
Moderate
High FP
Remote Access Tool - Team Viewer Session Started On MacOS Host
Detects the command line executed when TeamViewer starts a session started by a remote host.
Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
view Sigma YAML
title: Remote Access Tool - Team Viewer Session Started On MacOS Host
id: f459ccb4-9805-41ea-b5b2-55e279e2424a
related:
- id: ab70c354-d9ac-4e11-bbb6-ec8e3b153357
type: similar
- id: 1f6b8cd4-3e60-47cc-b282-5aa1cbc9182d
type: similar
status: test
description: |
Detects the command line executed when TeamViewer starts a session started by a remote host.
Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
references:
- Internal Research
author: Josh Nickels, Qi Nan
date: 2024-03-11
tags:
- attack.persistence
- attack.initial-access
- attack.t1133
logsource:
category: process_creation
product: macos
detection:
selection:
ParentImage|endswith: '/TeamViewer_Service'
Image|endswith: '/TeamViewer_Desktop'
CommandLine|endswith: '/TeamViewer_Desktop --IPCport 5939 --Module 1'
condition: selection
falsepositives:
- Legitimate usage of TeamViewer
level: low
Convert to SIEM query
low
Moderate
High FP
Remote Access Tool - Team Viewer Session Started On Windows Host
Detects the command line executed when TeamViewer starts a session started by a remote host.
Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
view Sigma YAML
title: Remote Access Tool - Team Viewer Session Started On Windows Host
id: ab70c354-d9ac-4e11-bbb6-ec8e3b153357
related:
- id: 1f6b8cd4-3e60-47cc-b282-5aa1cbc9182d
type: similar
- id: f459ccb4-9805-41ea-b5b2-55e279e2424a
type: similar
status: test
description: |
Detects the command line executed when TeamViewer starts a session started by a remote host.
Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
references:
- Internal Research
author: Josh Nickels, Qi Nan
date: 2024-03-11
tags:
- attack.persistence
- attack.initial-access
- attack.t1133
logsource:
category: process_creation
product: windows
detection:
selection:
Image: 'TeamViewer_Desktop.exe'
ParentImage: 'TeamViewer_Service.exe'
CommandLine|endswith: 'TeamViewer_Desktop.exe --IPCport 5939 --Module 1'
condition: selection
falsepositives:
- Legitimate usage of TeamViewer
level: low
Convert to SIEM query
low
Moderate
Medium FP
Remote File Copy
Detects the use of tools that copy files from or to remote systems
view Sigma YAML
title: Remote File Copy
id: 7a14080d-a048-4de8-ae58-604ce58a795b
status: stable
description: Detects the use of tools that copy files from or to remote systems
references:
- https://www.cisa.gov/stopransomware/ransomware-guide
author: Ömer Günal
date: 2020-06-18
tags:
- attack.command-and-control
- attack.lateral-movement
- attack.t1105
logsource:
product: linux
detection:
tools:
- 'scp '
- 'rsync '
- 'sftp '
filter:
- '@'
- ':'
condition: tools and filter
falsepositives:
- Legitimate administration activities
level: low
Convert to SIEM query
low
Moderate
High FP
Remote PowerShell Session (PS Classic)
Detects remote PowerShell sessions
view Sigma YAML
title: Remote PowerShell Session (PS Classic)
id: 60167e5c-84b2-4c95-a7ac-86281f27c445
related:
- id: 96b9f619-aa91-478f-bacb-c3e50f8df575
type: derived
status: test
description: Detects remote PowerShell sessions
references:
- https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-08-10
modified: 2024-01-03
tags:
- attack.execution
- attack.t1059.001
- attack.lateral-movement
- attack.t1021.006
logsource:
product: windows
category: ps_classic_start
detection:
selection:
Data|contains|all:
- 'HostName=ServerRemoteHost'
- 'wsmprovhost.exe'
condition: selection
falsepositives:
- Legitimate use remote PowerShell sessions
# Note: Increase the level to "medium" in environments that do not leverage PowerShell remoting
level: low
Convert to SIEM query
low
Moderate
High FP
Renamed Powershell Under Powershell Channel
Detects a renamed Powershell execution, which is a common technique used to circumvent security controls and bypass detection logic that's dependent on process names and process paths.
view Sigma YAML
title: Renamed Powershell Under Powershell Channel
id: 30a8cb77-8eb3-4cfb-8e79-ad457c5a4592
status: test
description: |
Detects a renamed Powershell execution, which is a common technique used to circumvent security controls and bypass detection logic that's dependent on process names and process paths.
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: Harish Segar, frack113
date: 2020-06-29
modified: 2025-01-20
tags:
- attack.execution
- attack.stealth
- attack.t1059.001
- attack.t1036.003
logsource:
product: windows
category: ps_classic_start
detection:
selection:
Data|contains: 'HostName=ConsoleHost'
# Note: Powershell Logging Data is localized. Meaning that "HostApplication" field will be translated to a different field on a non english layout. This rule doesn't take this into account due to the sheer amount of possibilities. It's up to the user to add these cases.
filter_main_ps:
Data|contains:
- 'HostApplication=powershell'
- 'HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell'
- 'HostApplication=C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell'
# In some cases powershell was invoked with inverted slashes
- 'HostApplication=C:/Windows/System32/WindowsPowerShell/v1.0/powershell'
- 'HostApplication=C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell'
- 'HostApplication=C:\\\\WINDOWS\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe'
- 'HostApplication=C:\\\\WINDOWS\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe'
filter_main_host_application_null:
# Note: Since we're using the raw data field to match. There is no easy way to filter out cases where the "HostApplication" field is null (i.e doesn't exist). We're practically forced to use a regex.
# If you're already mapping and extracting the field, then obviously use that directly.
Data|re: 'HostId=[a-zA-Z0-9-]{36}\s+EngineVersion='
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: low
Convert to SIEM query
low
Moderate
High FP
Replace Desktop Wallpaper by Powershell
An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users.
This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper
view Sigma YAML
title: Replace Desktop Wallpaper by Powershell
id: c5ac6a1e-9407-45f5-a0ce-ca9a0806a287
status: test
description: |
An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users.
This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1491.001/T1491.001.md
author: frack113
date: 2021-12-26
tags:
- attack.impact
- attack.t1491.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_1:
ScriptBlockText|contains|all:
- 'Get-ItemProperty'
- 'Registry::'
- 'HKEY_CURRENT_USER\Control Panel\Desktop\'
- 'WallPaper'
selection_2:
ScriptBlockText|contains: SystemParametersInfo(20,0,*,3)
condition: 1 of selection_*
falsepositives:
- Unknown
level: low
Convert to SIEM query
low
Moderate
High FP
Run Once Task Execution as Configured in Registry
This rule detects the execution of Run Once task as configured in the registry
view Sigma YAML
title: Run Once Task Execution as Configured in Registry
id: 198effb6-6c98-4d0c-9ea3-451fa143c45c
status: test
description: This rule detects the execution of Run Once task as configured in the registry
references:
- https://twitter.com/pabraeken/status/990717080805789697
- https://lolbas-project.github.io/lolbas/Binaries/Runonce/
- https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA
author: 'Avneet Singh @v3t0_, oscd.community, Christopher Peacock @SecurePeacock (updated)'
date: 2020-10-18
modified: 2022-12-13
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\runonce.exe'
- Description: 'Run Once Wrapper'
selection_cli:
- CommandLine|contains: '/AlternateShellStartup'
- CommandLine|endswith: '/r'
condition: all of selection_*
falsepositives:
- Unknown
level: low
Convert to SIEM query
low
Strong
High FP
SC.EXE Query Execution
Detects execution of "sc.exe" to query information about registered services on the system
view Sigma YAML
title: SC.EXE Query Execution
id: 57712d7a-679c-4a41-a913-87e7175ae429
status: test
description: Detects execution of "sc.exe" to query information about registered services on the system
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-1---system-service-discovery
author: frack113
date: 2021-12-06
modified: 2024-02-08
tags:
- attack.discovery
- attack.t1007
- detection.threat-hunting
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith: '\sc.exe'
OriginalFileName: 'sc.exe'
selection_cli:
CommandLine|contains: ' query'
filter_optional_keybase:
CommandLine: 'sc query dokan1'
condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
- Legitimate query of a service by an administrator to get more information such as the state or PID
- Keybase process "kbfsdokan.exe" query the dokan1 service with the following commandline "sc query dokan1"
level: low
Convert to SIEM query
low
Moderate
High FP
SNAKE Malware Installer Name Indicators
Detects filename indicators associated with the SNAKE malware as reported by CISA in their report
view Sigma YAML
title: SNAKE Malware Installer Name Indicators
id: 99eccc2b-7182-442f-8806-b76cc36d866b
status: test
description: Detects filename indicators associated with the SNAKE malware as reported by CISA in their report
references:
- https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-10
tags:
- attack.execution
- detection.emerging-threats
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|endswith:
- '\jpsetup.exe'
- '\jpinst.exe'
condition: selection
falsepositives:
- Some legitimate software was also seen using these names. Apply additional filters and use this rule as a hunting basis.
level: low
Convert to SIEM query
low
Moderate
High FP
Scheduled Task Created - FileCreation
Detects the creation of a scheduled task via file creation.
view Sigma YAML
title: Scheduled Task Created - FileCreation
id: a762e74f-4dce-477c-b023-4ed81df600f9
status: test
description: Detects the creation of a scheduled task via file creation.
references:
- https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/task_scheduling/
- https://posts.specterops.io/abstracting-scheduled-tasks-3b6451f6a1c5
author: Center for Threat Informed Defense (CTID) Summiting the Pyramid Team
date: 2023-09-27
tags:
- attack.execution
- attack.persistence
- attack.privilege-escalation
- attack.t1053.005
- attack.s0111
- car.2013-08-001
- detection.threat-hunting
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|contains:
- ':\Windows\System32\Tasks\'
- ':\Windows\SysWOW64\Tasks\'
- ':\Windows\Tasks\'
condition: selection
falsepositives:
- Normal behaviour on Windows
level: low
Convert to SIEM query
low
Moderate
High FP
Scheduled Task Created - Registry
Detects the creation of a scheduled task via Registry keys.
view Sigma YAML
title: Scheduled Task Created - Registry
id: 93ff0ceb-e0ef-4586-8cd8-a6c277d738e3
status: test
description: Detects the creation of a scheduled task via Registry keys.
references:
- https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/task_scheduling/
- https://posts.specterops.io/abstracting-scheduled-tasks-3b6451f6a1c5
author: Center for Threat Informed Defense (CTID) Summiting the Pyramid Team
date: 2023-09-27
tags:
- attack.execution
- attack.persistence
- attack.privilege-escalation
- attack.s0111
- attack.t1053.005
- car.2013-08-001
- detection.threat-hunting
logsource:
product: windows
category: registry_event
detection:
selection:
TargetObject|contains:
- '\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\'
- '\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\'
condition: selection
falsepositives:
- Likely as this is a normal behaviour on Windows
level: low
Convert to SIEM query
low
Strong
High FP
Scheduled Task Creation Via Schtasks.EXE
Detects the creation of scheduled tasks by user accounts via the "schtasks" utility.
view Sigma YAML
title: Scheduled Task Creation Via Schtasks.EXE
id: 92626ddd-662c-49e3-ac59-f6535f12d189
status: test
description: Detects the creation of scheduled tasks by user accounts via the "schtasks" utility.
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create
author: Florian Roth (Nextron Systems)
date: 2019-01-16
modified: 2025-10-22
tags:
- attack.execution
- attack.persistence
- attack.privilege-escalation
- attack.t1053.005
- attack.s0111
- car.2013-08-001
- stp.1u
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\schtasks.exe'
CommandLine|contains: ' /create '
filter_main_system_user:
User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
filter_optional_msoffice:
# schtasks.exe /Create /tn "Microsoft\Office\Office Performance Monitor" /XML "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_Office Performance Monitor.xml"
ParentImage:
- 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
- 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
Image:
- 'C:\Windows\System32\schtasks.exe'
- 'C:\Windows\SysWOW64\schtasks.exe'
CommandLine|contains: 'Microsoft\Office\Office Performance Monitor'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Administrative activity
- Software installation
level: low
Convert to SIEM query
low
Strong
Medium FP
Scheduled Task Deletion
Detects scheduled task deletion events. Scheduled tasks are likely to be deleted if not used for persistence. Malicious Software often creates tasks directly under the root node e.g. \TASKNAME
view Sigma YAML
title: Scheduled Task Deletion
id: 4f86b304-3e02-40e3-aa5d-e88a167c9617
status: test
description: Detects scheduled task deletion events. Scheduled tasks are likely to be deleted if not used for persistence. Malicious Software often creates tasks directly under the root node e.g. \TASKNAME
references:
- https://twitter.com/matthewdunwoody/status/1352356685982146562
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699
author: David Strassegger, Tim Shelton
date: 2021-01-22
modified: 2023-01-20
tags:
- attack.execution
- attack.privilege-escalation
- attack.persistence
- car.2013-08-001
- attack.t1053.005
- detection.threat-hunting
logsource:
product: windows
service: security
definition: 'Requirements: The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.'
detection:
selection:
EventID: 4699
filter_main_generic:
TaskName: '\Microsoft\Windows\RemovalTools\MRT_ERROR_HB' # Triggered by ParentCommandLine=C:\WINDOWS\system32\MRT.exe /EHB /HeartbeatFailure ErrorStack,Previous=ErrorStack,Previous=ErrorStack,Previous=ErrorStack,Previous=ErrorStack,Previous=SubmitHeartbeatReportData,Hr=0x80072f8f,Hr=0x80072f8f,Hr=0x80072f8f,Hr=0x80072f8f,Hr=0x80072f8f /HeartbeatError 0x80072f8f
filter_main_firefox:
TaskName|contains: '\Mozilla\Firefox Default Browser Agent ' # Triggered by firefox updates
condition: selection and not 1 of filter_*
falsepositives:
- Software installation
level: low
Convert to SIEM query
low
Moderate
High FP
Scheduled Task/Job At
Detects the use of at/atd which are utilities that are used to schedule tasks.
They are often abused by adversaries to maintain persistence or to perform task scheduling for initial or recurring execution of malicious code
view Sigma YAML
title: Scheduled Task/Job At
id: d2d642d7-b393-43fe-bae4-e81ed5915c4b
status: stable
description: |
Detects the use of at/atd which are utilities that are used to schedule tasks.
They are often abused by adversaries to maintain persistence or to perform task scheduling for initial or recurring execution of malicious code
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md
author: Ömer Günal, oscd.community
date: 2020-10-06
modified: 2022-07-07
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1053.002
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith:
- '/at'
- '/atd'
condition: selection
falsepositives:
- Legitimate administration activities
level: low
Convert to SIEM query
low
Moderate
High FP
Screen Capture - macOS
Detects attempts to use screencapture to collect macOS screenshots
view Sigma YAML
title: Screen Capture - macOS
id: 0877ed01-da46-4c49-8476-d49cdd80dfa7
status: test
description: Detects attempts to use screencapture to collect macOS screenshots
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md
- https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/screenshot.py
author: remotephone, oscd.community
date: 2020-10-13
modified: 2021-11-27
tags:
- attack.collection
- attack.t1113
logsource:
product: macos
category: process_creation
detection:
selection:
Image: '/usr/sbin/screencapture'
condition: selection
falsepositives:
- Legitimate user activity taking screenshots
level: low
Convert to SIEM query
low
Strong
Medium FP
Screen Capture with Import Tool
Detects adversary creating screen capture of a desktop with Import Tool.
Highly recommended using rule on servers, due to high usage of screenshot utilities on user workstations.
ImageMagick must be installed.
view Sigma YAML
title: Screen Capture with Import Tool
id: dbe4b9c5-c254-4258-9688-d6af0b7967fd
status: test
description: |
Detects adversary creating screen capture of a desktop with Import Tool.
Highly recommended using rule on servers, due to high usage of screenshot utilities on user workstations.
ImageMagick must be installed.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md
- https://linux.die.net/man/1/import
- https://imagemagick.org/
author: 'Pawel Mazur'
date: 2021-09-21
modified: 2022-10-09
tags:
- attack.collection
- attack.t1113
logsource:
product: linux
service: auditd
detection:
import:
type: EXECVE
a0: import
import_window_root:
a1: '-window'
a2: 'root'
a3|endswith:
- '.png'
- '.jpg'
- '.jpeg'
import_no_window_root:
a1|endswith:
- '.png'
- '.jpg'
- '.jpeg'
condition: import and (import_window_root or import_no_window_root)
falsepositives:
- Legitimate use of screenshot utility
level: low
Convert to SIEM query
low
Strong
Medium FP
Screen Capture with Xwd
Detects adversary creating screen capture of a full with xwd. Highly recommended using rule on servers, due high usage of screenshot utilities on user workstations
view Sigma YAML
title: Screen Capture with Xwd
id: e2f17c5d-b02a-442b-9052-6eb89c9fec9c
status: test
description: Detects adversary creating screen capture of a full with xwd. Highly recommended using rule on servers, due high usage of screenshot utilities on user workstations
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-3---x-windows-capture
- https://linux.die.net/man/1/xwd
author: 'Pawel Mazur'
date: 2021-09-13
modified: 2022-12-18
tags:
- attack.collection
- attack.t1113
logsource:
product: linux
service: auditd
detection:
selection:
type: EXECVE
a0: xwd
xwd_root_window:
a1: '-root'
a2: '-out'
a3|endswith: '.xwd'
xwd_no_root_window:
a1: '-out'
a2|endswith: '.xwd'
condition: selection and 1 of xwd_*
falsepositives:
- Legitimate use of screenshot utility
level: low
Convert to SIEM query
low
Moderate
High FP
Security Software Discovery - Linux
Detects usage of system utilities (only grep and egrep for now) to discover security software discovery
view Sigma YAML
title: Security Software Discovery - Linux
id: c9d8b7fd-78e4-44fe-88f6-599135d46d60
status: test
description: Detects usage of system utilities (only grep and egrep for now) to discover security software discovery
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md
author: Daniil Yugoslavskiy, oscd.community
date: 2020-10-19
modified: 2022-11-27
tags:
- attack.discovery
- attack.t1518.001
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith:
# You can add more grep variations such as fgrep, rgrep...etc
- '/grep'
- '/egrep'
CommandLine|contains:
- 'nessusd' # nessus vulnerability scanner
- 'td-agent' # fluentd log shipper
- 'packetbeat' # elastic network logger/shipper
- 'filebeat' # elastic log file shipper
- 'auditbeat' # elastic auditing agent/log shipper
- 'osqueryd' # facebook osquery
- 'cbagentd' # carbon black
- 'falcond' # crowdstrike falcon
condition: selection
falsepositives:
- Legitimate activities
level: low
Convert to SIEM query
low
Moderate
High FP
Service Registry Key Read Access Request
Detects "read access" requests on the services registry key.
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.
Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts.
view Sigma YAML
title: Service Registry Key Read Access Request
id: 11d00fff-5dc3-428c-8184-801f292faec0
status: test
description: |
Detects "read access" requests on the services registry key.
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.
Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts.
references:
- https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/service_registry_permissions_weakness_check/
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness
author: Center for Threat Informed Defense (CTID) Summiting the Pyramid Team
date: 2023-09-28
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.011
logsource:
product: windows
service: security
definition: 'Requirements: SACLs must be enabled for "READ_CONTROL" on the registry keys used in this rule'
detection:
selection:
EventID: 4663
ObjectName|contains|all:
- '\SYSTEM\'
- 'ControlSet\Services\'
AccessList|contains: '%%1538' # READ_CONTROL
condition: selection
falsepositives:
- Likely from legitimate applications reading their key. Requires heavy tuning
level: low
Convert to SIEM query
Showing 201-250 of 328