VMware Carbon Black
328 rules · Sigma detections in VMware Carbon Black syntax
The same Sigma detection corpus, machine-rendered into VMware Carbon Black query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 3,646 rules (.zip, 1.2 MB)
Every VMware Carbon Black query in this view, packaged to deploy.
Filter by technique: pick techniques from the ATT&CK matrix (rule count per tactic in parentheses)
Reconnaissance (12)
Resource Development (10)
Initial Access (10)
Execution (30)
Persistence (42)
Privilege Escalation (20)
Stealth (79)
Defense Impairment (32)
Credential Access (35)
Discovery (33)
Lateral Movement (16)
Collection (20)
Command and Control (24)
Exfiltration (10)
Impact (18)
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate is derived from the rule's shape, not from a measured alert rate, so use it to pick what to tune first before you deploy.
Detection rules
28 shown of 328
Level: low · Quality: Moderate · Alert volume: Medium FP
Tap Driver Installation - Security
Detects the installation of a well-known TAP driver service. This could be a sign of potential preparation for data exfiltration using tunnelling techniques.
Sigma YAML:
title: Tap Driver Installation - Security
id: 9c8afa4d-0022-48f0-9456-3712466f9701
related:
    - id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9
      type: derived
status: test
description: |
    Detects the installation of a well-known TAP driver service. This could be a sign of potential preparation for data exfiltration using tunnelling techniques.
references:
    - https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers
author: Daniil Yugoslavskiy, Ian Davis, oscd.community
date: 2019-10-24
modified: 2022-11-29
tags:
    - attack.exfiltration
    - attack.t1048
logsource:
    product: windows
    service: security
    definition: 'Requirements: The System Security Extension audit subcategory needs to be enabled to log the EID 4697'
detection:
    selection:
        EventID: 4697
        ServiceFileName|contains: 'tap0901'
    condition: selection
falsepositives:
    - Legitimate OpenVPN TAP installation
level: low
Level: low · Quality: Moderate · Alert volume: High FP
Task Scheduler DLL Loaded By Application Located In Potentially Suspicious Location
Detects the loading of the "taskschd.dll" module from a process that is located in a potentially suspicious or uncommon directory.
The loading of this DLL might indicate that the application has the capability to create a scheduled task via the "Schedule.Service" COM object.
Investigation of the loading application and its behavior is required to determine if it is malicious.
Sigma YAML:
title: Task Scheduler DLL Loaded By Application Located In Potentially Suspicious Location
id: 3b92a1d0-8d4b-4d28-a1b4-1e29d49a6a3e
status: test
description: |
    Detects the loading of the "taskschd.dll" module from a process that is located in a potentially suspicious or uncommon directory.
    The loading of this DLL might indicate that the application has the capability to create a scheduled task via the "Schedule.Service" COM object.
    Investigation of the loading application and its behavior is required to determine if it is malicious.
references:
    - https://www.logpoint.com/en/blog/shenanigans-of-scheduled-tasks/
    - https://x.com/Max_Mal_/status/1826179497084739829
author: Swachchhanda Shrawan Poudel
date: 2024-09-02
tags:
    - attack.persistence
    - attack.execution
    - attack.privilege-escalation
    - attack.t1053.005
    - detection.threat-hunting
logsource:
    category: image_load
    product: windows
detection:
    selection_dll:
        - ImageLoaded|endswith: '\taskschd.dll'
        - OriginalFileName: 'taskschd.dll'
    selection_paths:
        Image|contains:
            - ':\Temp\'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\AppData\Local\Temp\'
            - '\Desktop\'
            - '\Downloads\'
    condition: all of selection_*
falsepositives:
    - Some installers might generate false positives, apply additional filters accordingly.
level: low
Level: low · Quality: Moderate · Alert volume: Medium FP
TeamViewer Log File Deleted
Detects the deletion of the TeamViewer log files which may indicate an attempt to destroy forensic evidence
Sigma YAML:
title: TeamViewer Log File Deleted
id: b1decb61-ed83-4339-8e95-53ea51901720
status: test
description: Detects the deletion of the TeamViewer log files which may indicate an attempt to destroy forensic evidence
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md
author: frack113
date: 2022-01-16
modified: 2023-02-15
tags:
    - attack.stealth
    - attack.t1070.004
logsource:
    product: windows
    category: file_delete
detection:
    selection:
        TargetFilename|contains: '\TeamViewer_'
        TargetFilename|endswith: '.log'
    filter:
        Image: C:\Windows\system32\svchost.exe
    condition: selection and not filter
falsepositives:
    - Unknown
level: low
Level: low · Quality: Moderate · Alert volume: Medium FP
The Windows Defender Firewall Service Failed To Load Group Policy
Detects activity when the Windows Defender Firewall service failed to load Group Policy
Sigma YAML:
title: The Windows Defender Firewall Service Failed To Load Group Policy
id: 7ec15688-fd24-4177-ba43-1a950537ee39
status: test
description: Detects activity when the Windows Defender Firewall service failed to load Group Policy
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
author: frack113
date: 2022-02-19
modified: 2023-01-17
tags:
    - attack.defense-impairment
    - attack.t1686.003
logsource:
    product: windows
    service: firewall-as
detection:
    selection:
        EventID: 2009 # The Windows Defender Firewall service failed to load Group Policy
    condition: selection
level: low
Level: low · Quality: Moderate · Alert volume: Medium FP
USB Device Plugged
Detects plugged/unplugged USB devices
Sigma YAML:
title: USB Device Plugged
id: 1a4bd6e3-4c6e-405d-a9a3-53a116e341d4
status: test
description: Detects plugged/unplugged USB devices
references:
    - https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/
    - https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/
author: Florian Roth (Nextron Systems)
date: 2017-11-09
modified: 2021-11-30
tags:
    - attack.initial-access
    - attack.t1200
logsource:
    product: windows
    service: driver-framework
    definition: 'Requires enabling and collection of the Microsoft-Windows-DriverFrameworks-UserMode/Operational eventlog'
detection:
    selection:
        EventID:
            - 2003 # Loading drivers
            - 2100 # Pnp or power management
            - 2102 # Pnp or power management
    condition: selection
falsepositives:
    - Legitimate administrative activity
level: low
Level: low · Quality: Moderate · Alert volume: High FP
Unattend.XML File Access Attempt
Detects attempts to access the "unattend.xml" file, where credentials might be stored.
This file is used during the unattended Windows install process.
Sigma YAML:
title: Unattend.XML File Access Attempt
id: 76a26006-0942-430b-8249-bd51d448f8e5
status: test
description: |
    Detects attempts to access the "unattend.xml" file, where credentials might be stored.
    This file is used during the unattended Windows install process.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
author: frack113
date: 2024-07-22
tags:
    - attack.credential-access
    - attack.t1552.001
    - detection.threat-hunting
logsource:
    product: windows
    category: file_access
    definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'
detection:
    selection:
        FileName|endswith: '\Panther\unattend.xml'
    condition: selection
falsepositives:
    - Unknown
level: low
Level: low · Quality: Strong · Alert volume: Medium FP
Unauthorized System Time Modification
Detects scenarios where a potentially unauthorized application or user is modifying the system time.
Sigma YAML:
title: Unauthorized System Time Modification
id: faa031b5-21ed-4e02-8881-2591f98d82ed
status: test
description: Detects scenarios where a potentially unauthorized application or user is modifying the system time.
references:
    - Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)
    - Live environment caused by malware
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616
author: '@neu5ron'
date: 2019-02-05
modified: 2025-12-03
tags:
    - attack.stealth
    - attack.t1070.006
logsource:
    product: windows
    service: security
    definition: 'Requirements: Audit Policy : System > Audit Security State Change, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\System\Audit Security State Change'
detection:
    selection:
        EventID: 4616
    filter_main_svchost:
        ProcessName: 'C:\Windows\System32\svchost.exe'
        SubjectUserSid: 'S-1-5-19'
    filter_optional_vmtools:
        ProcessName:
            - 'C:\Program Files\VMware\VMware Tools\vmtoolsd.exe'
            - 'C:\Program Files (x86)\VMware\VMware Tools\vmtoolsd.exe'
            - 'C:\Windows\System32\VBoxService.exe'
            - 'C:\Windows\System32\oobe\msoobe.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - HyperV or other virtualization technologies with binary not listed in filter portion of detection
level: low
Level: low · Quality: Moderate · Alert volume: Medium FP
Uncommon Process Access Rights For Target Image
Detects process access request to uncommon target images with a "PROCESS_ALL_ACCESS" access mask.
Sigma YAML:
title: Uncommon Process Access Rights For Target Image
id: a24e5861-c6ca-4fde-a93c-ba9256feddf0
status: test
description: |
    Detects process access request to uncommon target images with a "PROCESS_ALL_ACCESS" access mask.
references:
    - https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2024-05-27
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055.011
logsource:
    category: process_access
    product: windows
detection:
    selection:
        TargetImage|endswith:
            # Note: Add additional uncommon targets to increase coverage.
            - '\calc.exe'
            - '\calculator.exe'
            - '\mspaint.exe'
            - '\notepad.exe'
            - '\ping.exe'
            - '\wordpad.exe'
            - '\write.exe'
        GrantedAccess: '0x1FFFFF' # PROCESS_ALL_ACCESS - All possible access rights for a process object.
    condition: selection
falsepositives:
    - Unknown
# Note: please upgrade to a higher level after an initial test/tuning.
level: low
Level: low · Quality: Moderate · Alert volume: High FP
Unmount Share Via Net.EXE
Detects when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation
Sigma YAML:
title: Unmount Share Via Net.EXE
id: cb7c4a03-2871-43c0-9bbb-18bbdb079896
status: test
description: Detects when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md
author: oscd.community, @redcanary, Zach Stanford @svch0st
date: 2020-10-08
modified: 2023-02-21
tags:
    - attack.stealth
    - attack.t1070.005
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\net.exe'
              - '\net1.exe'
        - OriginalFileName:
              - 'net.exe'
              - 'net1.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'share'
            - '/delete'
    condition: all of selection*
falsepositives:
    - Administrators or Power users may remove their shares via cmd line
level: low
Level: low · Quality: Moderate · Alert volume: High FP
Unusually Long PowerShell CommandLine
Detects unusually long PowerShell command lines with a length of 1000 characters or more
Sigma YAML:
title: Unusually Long PowerShell CommandLine
id: d0d28567-4b9a-45e2-8bbc-fb1b66a1f7f6
status: test
description: Detects unusually long PowerShell command lines with a length of 1000 characters or more
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: oscd.community, Natalia Shornikova
date: 2020-10-06
modified: 2023-04-14
tags:
    - attack.execution
    - attack.t1059.001
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection_powershell:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
        - Description: 'Windows Powershell'
        - Product: 'PowerShell Core 6'
    selection_length:
        CommandLine|re: '.{1000,}'
    condition: all of selection_*
falsepositives:
    - Unknown
level: low
Level: low · Quality: Moderate · Alert volume: High FP
Use Get-NetTCPConnection
Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
Sigma YAML:
title: Use Get-NetTCPConnection
id: b366adb4-d63d-422d-8a2c-186463b5ded0
status: test
description: Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-2---system-network-connections-discovery-with-powershell
author: frack113
date: 2021-12-10
modified: 2023-10-27
tags:
    - attack.discovery
    - attack.t1049
logsource:
    product: windows
    category: ps_classic_start
detection:
    selection:
        Data|contains: 'Get-NetTCPConnection'
    condition: selection
falsepositives:
    - Unknown
level: low
Level: low · Quality: Moderate · Alert volume: High FP
Use Get-NetTCPConnection - PowerShell Module
Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
Sigma YAML:
title: Use Get-NetTCPConnection - PowerShell Module
id: aff815cc-e400-4bf0-a47a-5d8a2407d4e1
status: test
description: Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-2---system-network-connections-discovery-with-powershell
author: frack113
date: 2021-12-10
modified: 2022-12-02
tags:
    - attack.discovery
    - attack.t1049
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection:
        ContextInfo|contains: 'Get-NetTCPConnection'
    condition: selection
falsepositives:
    - Unknown
level: low
Level: low · Quality: Moderate · Alert volume: Medium FP
Use Of Hidden Paths Or Files
Detects calls to hidden files or files located in hidden directories in NIX systems.
Sigma YAML:
title: Use Of Hidden Paths Or Files
id: 9e1bef8d-0fff-46f6-8465-9aa54e128c1e
related:
    - id: d08722cd-3d09-449a-80b4-83ea2d9d4616
      type: similar
status: test
description: Detects calls to hidden files or files located in hidden directories in NIX systems.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md
author: David Burkett, @signalblur
date: 2022-12-30
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'PATH'
        name|contains: '/.'
    filter:
        name|contains:
            - '/.cache/'
            - '/.config/'
            - '/.pyenv/'
            - '/.rustup/toolchains'
    condition: selection and not filter
falsepositives:
    - Unknown
level: low
Level: low · Quality: Moderate · Alert volume: High FP
Use Of Remove-Item to Delete File - ScriptBlock
Detects PowerShell Remove-Item used with -Path to delete a file, or a folder when combined with "-Recurse"
Sigma YAML:
title: Use Of Remove-Item to Delete File - ScriptBlock
id: b8af5f36-1361-4ebe-9e76-e36128d947bf
status: test
description: Detects PowerShell Remove-Item used with -Path to delete a file, or a folder when combined with "-Recurse"
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md
    - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Remove-Item?view=powershell-5.1&viewFallbackFrom=powershell-7
author: frack113
date: 2022-01-15
modified: 2022-03-17
tags:
    - attack.stealth
    - attack.t1070.004
    - detection.threat-hunting
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'Remove-Item -Path '
            - 'del -Path '
            - 'erase -Path '
            - 'rd -Path '
            - 'ri -Path '
            - 'rm -Path '
            - 'rmdir -Path '
    condition: selection
falsepositives:
    - Legitimate PowerShell scripts
level: low
Level: low · Quality: Moderate · Alert volume: High FP
Virtualbox Driver Installation or Starting of VMs
Adversaries can carry out malicious operations using a virtual instance to avoid detection. This rule is built to detect the registration of the Virtualbox driver or start of a Virtualbox VM.
Sigma YAML:
title: Virtualbox Driver Installation or Starting of VMs
id: bab049ca-7471-4828-9024-38279a4c04da
status: test
description: Adversaries can carry out malicious operations using a virtual instance to avoid detection. This rule is built to detect the registration of the Virtualbox driver or start of a Virtualbox VM.
references:
    - https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/
    - https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/
author: Janantha Marasinghe
date: 2020-09-26
modified: 2025-07-29
tags:
    - attack.stealth
    - attack.t1564.006
    - attack.t1564
logsource:
    category: process_creation
    product: windows
detection:
    selection_1:
        CommandLine|contains:
            - 'VBoxRT.dll,RTR3Init'
            - 'VBoxC.dll'
            - 'VBoxDrv.sys'
    selection_2:
        CommandLine|contains:
            - 'startvm'
            - 'controlvm'
    condition: 1 of selection_*
falsepositives:
    - This may have false positives on hosts where Virtualbox is legitimately being used for operations
level: low
Level: low · Quality: Moderate · Alert volume: Medium FP
Volume Shadow Copy Mount
Detects volume shadow copy mount via Windows event log
Sigma YAML:
title: Volume Shadow Copy Mount
id: f512acbf-e662-4903-843e-97ce4652b740
status: test
description: Detects volume shadow copy mount via Windows event log
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy
author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)
date: 2020-10-20
modified: 2022-12-25
tags:
    - attack.credential-access
    - attack.t1003.002
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: Microsoft-Windows-Ntfs
        EventID: 98
        DeviceName|contains: HarddiskVolumeShadowCopy
    condition: selection
falsepositives:
    - Legitimate use of volume shadow copy mounts (backups maybe).
level: low
Level: low · Quality: Moderate · Alert volume: High FP
Vulnerable Driver Load By Name
Detects the load of known vulnerable drivers via the file name of the drivers.
Sigma YAML:
title: Vulnerable Driver Load By Name
id: 72cd00d6-490c-4650-86ff-1d11f491daa1
status: test
description: Detects the load of known vulnerable drivers via the file name of the drivers.
references:
    - https://loldrivers.io/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-03
modified: 2023-12-02
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1543.003
    - attack.t1068
logsource:
    product: windows
    category: driver_load
detection:
    selection:
        ImageLoaded|endswith:
            - '\panmonfltx64.sys'
            - '\dbutil.sys'
            - '\fairplaykd.sys'
            - '\nvaudio.sys'
            - '\superbmc.sys'
            - '\bsmi.sys'
            - '\smarteio64.sys'
            - '\bwrsh.sys'
            - '\agent64.sys'
            - '\asmmap64.sys'
            - '\dellbios.sys'
            - '\chaos-rootkit.sys'
            - '\wcpu.sys'
            - '\dh_kernel.sys'
            - '\sbiosio64.sys'
            - '\bw.sys'
            - '\asrdrv102.sys'
            - '\nt6.sys'
            - '\mhyprot3.sys'
            - '\winio64c.sys'
            - '\asupio64.sys'
            - '\blackbonedrv10.sys'
            - '\d.sys'
            - '\driver7-x86.sys'
            - '\sfdrvx32.sys'
            - '\enetechio64.sys'
            - '\gdrv.sys'
            - '\sysinfodetectorx64.sys'
            - '\fh-ethercat_dio.sys'
            - '\asromgdrv.sys'
            - '\my.sys'
            - '\dcprotect.sys'
            - '\irec.sys'
            - '\gedevdrv.sys'
            - '\winio32a.sys'
            - '\gvcidrv64.sys'
            - '\winio32.sys'
            - '\bs_hwmio64.sys'
            - '\nstr.sys'
            - '\inpoutx64.sys'
            - '\hw.sys'
            - '\winio64.sys'
            - '\hpportiox64.sys'
            - '\iobitunlocker.sys'
            - '\b1.sys'
            - '\aoddriver.sys'
            - '\elbycdio.sys'
            - '\protects.sys'
            - '\kprocesshacker.sys'
            - '\speedfan.sys'
            - '\radhwmgr.sys'
            - '\iscflashx64.sys'
            - '\black.sys'
            - '\b4.sys'
            - '\hwos2ec10x64.sys'
            - '\winflash64.sys'
            - '\corsairllaccess64.sys'
            - '\bs_i2cio.sys'
            - '\d3.sys'
            - '\windows-xp-64.sys'
            - '\aswvmm.sys'
            - '\bs_i2c64.sys'
            - '\1.sys'
            - '\nchgbios2x64.sys'
            - '\cpuz141.sys'
            - '\segwindrvx64.sys'
            - '\tdeio64.sys'
            - '\ntiolib.sys'
            - '\gtckmdfbs.sys'
            - '\iomap64.sys'
            - '\avalueio.sys'
            - '\semav6msr.sys'
            - '\lgdcatcher.sys'
            - '\b.sys'
            - '\hwdetectng.sys'
            - '\nt4.sys'
            - '\tgsafe.sys'
            - '\mydrivers.sys'
            - '\eneio64.sys'
            - '\procexp.sys'
            - '\viragt64.sys'
            - '\fpcie2com.sys'
            - '\lenovodiagnosticsdriver.sys'
            - '\cp2x72c.sys'
            - '\kerneld.amd64'
            - '\bs_def64.sys'
            - '\piddrv.sys'
            - '\amifldrv64.sys'
            - '\cpuz_x64.sys'
            - '\proxy32.sys'
            - '\wsdkd.sys'
            - '\t8.sys'
            - '\ucorew64.sys'
            - '\atszio.sys'
            - '\lmiinfo.sys'
            - '\80.sys'
            - '\nt3.sys'
            - '\ngiodriver.sys'
            - '\lv561av.sys'
            - '\gpcidrv64.sys'
            - '\fd3b7234419fafc9bdd533f48896ed73_b816c5cd.sys'
            - '\rtport.sys'
            - '\full.sys'
            - '\viragt.sys'
            - '\fiddrv64.sys'
            - '\cupfixerx64.sys'
            - '\cpupress.sys'
            - '\hwos2ec7x64.sys'
            - '\driver7-x86-withoutdbg.sys'
            - '\asrdrv10.sys'
            - '\nvflsh64.sys'
            - '\asrrapidstartdrv.sys'
            - '\tmcomm.sys'
            - '\wiseunlo.sys'
            - '\rwdrv.sys'
            - '\asio64.sys'
            - '\nvoclock.sys'
            - '\panio.sys'
            - '\mtcbsv64.sys'
            - '\amigendrv64.sys'
            - '\capcom.sys'
            - '\netflt.sys'
            - '\phlashnt.sys'
            - '\dbutil_2_3.sys'
            - '\ni.sys'
            - '\ntiolib_x64.sys'
            - '\atszio64.sys'
            - '\lgcoretemp.sys'
            - '\lha.sys'
            - '\phymem64.sys'
            - '\dbutildrv2.sys'
            - '\asrdrv103.sys'
            - '\rtcore64.sys'
            - '\bs_hwmio64_w10.sys'
            - '\ene.sys'
            - '\winio64b.sys'
            - '\piddrv64.sys'
            - '\directio32.sys'
            - '\monitor_win10_x64.sys'
            - '\nt5.sys'
            - '\asrsmartconnectdrv.sys'
            - '\rtif.sys'
            - '\atillk64.sys'
            - '\directio.sys'
            - '\asribdrv.sys'
            - '\kfeco11x64.sys'
            - '\citmdrv_ia64.sys'
            - '\sysdrv3s.sys'
            - '\amp.sys'
            - '\vboxdrv.sys'
            - '\adv64drv.sys'
            - '\hostnt.sys'
            - '\phymem_ext64.sys'
            - '\echo_driver.sys'
            - '\winiodrv.sys'
            - '\pdfwkrnl.sys'
            - '\glckio2.sys'
            - '\asrdrv106.sys'
            - '\nscm.sys'
            - '\bs_rcio64.sys'
            - '\ncpl.sys'
            - '\sandra.sys'
            - '\fiddrv.sys'
            - '\hwrwdrv.sys'
            - '\mhyprot.sys'
            - '\asrsetupdrv103.sys'
            - '\iqvw64.sys'
            - '\b3.sys'
            - '\ssport.sys'
            - '\bs_def.sys'
            - '\computerz.sys'
            - '\windows8-10-32.sys'
            - '\nstrwsk.sys'
            - '\lurker.sys'
            - '\bsmemx64.sys'
            - '\wyproxy64.sys'
            - '\asio.sys'
            - '\t3.sys'
            - '\cpuz.sys'
            - '\rtkio.sys'
            - '\driver7-x64.sys'
            - '\netfilterdrv.sys'
            - '\ioaccess.sys'
            - '\testbone.sys'
            - '\gameink.sys'
            - '\kevp64.sys'
            - '\mhyprot2.sys'
            - '\se64a.sys'
            - '\vboxusb.sys'
            - '\windows7-32.sys'
            - '\vproeventmonitor.sys'
            - '\winio64a.sys'
            - '\asrdrv101.sys'
            - '\netproxydriver.sys'
            - '\elrawdsk.sys'
            - '\zam64.sys'
            - '\cg6kwin2k.sys'
            - '\asupio.sys'
            - '\stdcdrvws64.sys'
            - '\81.sys'
            - '\citmdrv_amd64.sys'
            - '\amdryzenmasterdriver.sys'
            - '\vmdrv.sys'
            - '\sysinfo.sys'
            - '\alsysio64.sys'
            - '\directio64.sys'
            - '\rzpnk.sys'
            - '\amdpowerprofiler.sys'
            - '\truesight.sys'
            - '\wirwadrv.sys'
            - '\phymemx64.sys'
            - '\msio64.sys'
            - '\sepdrv3_1.sys'
            - '\gametersafe.sys'
            - '\bs_rcio.sys'
            - '\d4.sys'
            - '\t.sys'
            - '\eio.sys'
            - '\nt2.sys'
            - '\winring0.sys'
            - '\physmem.sys'
            - '\libnicm.sys'
            - '\msio32.sys'
            - '\asrautochkupddrv.sys'
            - '\asio32.sys'
            - '\etdsupp.sys'
            - '\smep_namco.sys'
            - '\bandai.sys'
            - '\d2.sys'
            - '\magdrvamd64.sys'
            - '\nvflash.sys'
            - '\goad.sys'
            - '\proxy64.sys'
            - '\amsdk.sys'
            - '\kbdcap64.sys'
            - '\vdbsv64.sys'
            - '\pchunter.sys'
            - '\sysconp.sys'
            - '\dh_kernel_10.sys'
            - '\msrhook.sys'
            - '\bedaisy.sys'
            - '\dcr.sys'
            - '\panmonflt.sys'
            - '\bsmixp64.sys'
            - '\otipcibus.sys'
            - '\fidpcidrv.sys'
            - '\kfeco10x64.sys'
            - '\asrdrv104.sys'
            - '\c.sys'
            - '\tdklib64.sys'
            - '\bsmix64.sys'
            - '\bs_flash64.sys'
            - '\stdcdrv64.sys'
            - '\naldrv.sys'
            - '\ctiio64.sys'
            - '\bwrs.sys'
            - '\nicm.sys'
            - '\winio32b.sys'
            - '\paniox64.sys'
            - '\ecsiodriverx64.sys'
            - '\iomem64.sys'
            - '\fidpcidrv64.sys'
            - '\aswarpot.sys'
            - '\bs_rciow1064.sys'
            - '\asmio64.sys'
            - '\openlibsys.sys'
            - '\viraglt64.sys'
            - '\dbk64.sys'
            - '\t7.sys'
            - '\atlaccess.sys'
            - '\nbiolib_x64.sys'
            - '\smep_capcom.sys'
            - '\iqvw64e.sys'
    condition: selection
falsepositives:
    - False positives may occur if one of the vulnerable driver names mentioned above didn't change its name between versions. So always make sure that the driver being loaded is the legitimate one and the non vulnerable version.
    - If you experience a lot of FP you could comment the driver name or its exact known legitimate location (when possible)
level: low
Level: low · Quality: Moderate · Alert volume: High FP
WMI Module Loaded By Uncommon Process
Detects WMI modules being loaded by an uncommon process
Sigma YAML:
title: WMI Module Loaded By Uncommon Process
id: 671bb7e3-a020-4824-a00e-2ee5b55f385e
status: test
description: Detects WMI modules being loaded by an uncommon process
references:
    - https://threathunterplaybook.com/hunts/windows/190811-WMIModuleLoad/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-08-10
modified: 2025-02-24
tags:
    - attack.execution
    - attack.t1047
    - detection.threat-hunting
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith:
            - '\fastprox.dll'
            - '\wbemcomn.dll'
            - '\wbemprox.dll'
            - '\wbemsvc.dll'
            - '\WmiApRpl.dll'
            - '\wmiclnt.dll'
            - '\WMINet_Utils.dll'
            - '\wmiprov.dll'
            - '\wmiutils.dll'
    filter_main_generic:
        Image|contains:
            - ':\Program Files (x86)\'
            - ':\Program Files\'
            - ':\Windows\explorer.exe'
            - ':\Windows\Microsoft.NET\Framework\'
            - ':\Windows\Microsoft.NET\FrameworkArm\'
            - ':\Windows\Microsoft.NET\FrameworkArm64\'
            - ':\Windows\Microsoft.NET\Framework64\'
            - ':\Windows\System32\'
            - ':\Windows\SysWOW64\'
    filter_optional_other:
        Image|endswith:
            - '\WindowsAzureGuestAgent.exe'
            - '\WaAppAgent.exe'
    filter_optional_thor:
        Image|endswith:
            - '\thor.exe'
            - '\thor64.exe'
    filter_optional_defender:
        Image|endswith: '\MsMpEng.exe'
    filter_optional_teams:
        Image|contains:
            - '\Microsoft\Teams\current\Teams.exe'
            - '\Microsoft\Teams\Update.exe'
    filter_optional_sysmon:
        Image|endswith:
            - ':\Windows\Sysmon.exe'
            - ':\Windows\Sysmon64.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: low
Level: low · Quality: Moderate · Alert volume: Medium FP
WebDav Put Request
A general detection for the WebDav user-agent being used to PUT files on a WebDav network share. This could be an indicator of exfiltration.
Sigma YAML:
title: WebDav Put Request
id: 705072a5-bb6f-4ced-95b6-ecfa6602090b
status: test
description: A general detection for the WebDav user-agent being used to PUT files on a WebDav network share. This could be an indicator of exfiltration.
references:
    - https://github.com/OTRF/detection-hackathon-apt29/issues/17
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2024-03-13
tags:
    - attack.exfiltration
    - attack.t1048.003
logsource:
    product: zeek
    service: http
detection:
    selection:
        user_agent|contains: 'WebDAV'
        method: 'PUT'
    filter:
        id.resp_h|cidr:
            - '10.0.0.0/8'
            - '127.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
    condition: selection and not filter
falsepositives:
    - Unknown
level: low
Level: low · Quality: Moderate · Alert volume: Medium FP
Windows Defender Firewall Has Been Reset To Its Default Configuration
Detects activity when Windows Defender Firewall has been reset to its default configuration
Sigma YAML:
title: Windows Defender Firewall Has Been Reset To Its Default Configuration
id: 04b60639-39c0-412a-9fbe-e82499c881a3
status: test
description: Detects activity when Windows Defender Firewall has been reset to its default configuration
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
author: frack113
date: 2022-02-19
modified: 2023-04-21
tags:
    - attack.defense-impairment
    - attack.t1686.003
logsource:
    product: windows
    service: firewall-as
detection:
    selection:
        EventID:
            - 2032 # Windows Defender Firewall has been reset to its default configuration
            - 2060 # Windows Defender Firewall has been reset to its default configuration. (Windows 11)
    condition: selection
level: low
Level: low · Quality: Strong · Alert volume: Medium FP
Windows Defender Submit Sample Feature Disabled
Detects disabling of the "Automatic Sample Submission" feature of Windows Defender.
Sigma YAML:
title: Windows Defender Submit Sample Feature Disabled
id: 91903aba-1088-42ee-b680-d6d94fe002b0
related:
    - id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f
      type: similar
    - id: a3ab73f1-bd46-4319-8f06-4b20d0617886
      type: similar
    - id: 801bd44f-ceed-4eb6-887c-11544633c0aa
      type: similar
status: stable
description: Detects disabling of the "Automatic Sample Submission" feature of Windows Defender.
references:
    - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
    - https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-06
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    service: windefend
detection:
    selection:
        EventID: 5007 # The antimalware platform configuration changed.
        NewValue|contains: '\Real-Time Protection\SubmitSamplesConsent = 0x0'
    condition: selection
falsepositives:
    - Administrator activity (must be investigated)
level: low
low
Strong
Medium FP
Windows Event Auditing Disabled
Detects scenarios where system auditing (i.e.: Windows event log auditing) is disabled.
This may be used in a scenario where an entity would want to bypass local logging to evade detection when Windows event logging is enabled and reviewed.
Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc".
Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications - however, it is recommended to perform these modifications in Active Directory anyways.
view Sigma YAML
title: Windows Event Auditing Disabled
id: 69aeb277-f15f-4d2d-b32a-55e883609563
related:
    - id: ab4561b1-6c7e-48a7-ad08-087cfb9ce8f1
      type: derived
status: test
description: |
    Detects scenarios where system auditing (i.e., Windows event log auditing) is disabled.
    This may be used in a scenario where an entity would want to bypass local logging to evade detection when Windows event logging is enabled and reviewed.
    Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc".
    Please note that disabling "Local Group Policy Object Processing" may cause issues in scenarios of one-off specific GPO modifications; however, it is recommended to perform these modifications in Active Directory anyway.
references:
    - https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit
author: '@neu5ron, Nasreddine Bencherchali (Nextron Systems)'
date: 2017-11-19
modified: 2023-11-15
tags:
    - attack.defense-impairment
    - attack.t1685.001
logsource:
    product: windows
    service: security
    definition: dfd8c0f4-e6ad-4e07-b91b-f2fca0ddef64
detection:
    selection:
        EventID: 4719
        AuditPolicyChanges|contains:
            - '%%8448' # This is "Success removed"
            - '%%8450' # This is "Failure removed"
    filter_main_guid:
        # Note: We filter these GUIDs to avoid alert duplication as they are covered by ab4561b1-6c7e-48a7-ad08-087cfb9ce8f1
        SubcategoryGuid:
            - '{0CCE9210-69AE-11D9-BED3-505054503030}' # Audit Security State Change
            - '{0CCE9211-69AE-11D9-BED3-505054503030}' # Audit Security System Extension
            - '{0CCE9212-69AE-11D9-BED3-505054503030}' # Audit System Integrity
            - '{0CCE9215-69AE-11D9-BED3-505054503030}' # Audit Logon
            - '{0CCE9217-69AE-11D9-BED3-505054503030}' # Audit Account Lockout
            - '{0CCE921B-69AE-11D9-BED3-505054503030}' # Audit Special Logon
            - '{0CCE922B-69AE-11D9-BED3-505054503030}' # Audit Process Creation
            - '{0CCE922F-69AE-11D9-BED3-505054503030}' # Audit Audit Policy Change
            - '{0CCE9230-69AE-11D9-BED3-505054503030}' # Audit Authentication Policy Change
            - '{0CCE9235-69AE-11D9-BED3-505054503030}' # Audit User Account Management
            - '{0CCE9236-69AE-11D9-BED3-505054503030}' # Audit Computer Account Management
            - '{0CCE9237-69AE-11D9-BED3-505054503030}' # Audit Security Group Management
            - '{0CCE923F-69AE-11D9-BED3-505054503030}' # Audit Credential Validation
            - '{0CCE9240-69AE-11D9-BED3-505054503030}' # Audit Kerberos Service Ticket Operations
            - '{0CCE9242-69AE-11D9-BED3-505054503030}' # Audit Kerberos Authentication Service
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: low # Increase this after a testing period in your environment
low
Moderate
Medium FP
Windows Firewall Settings Have Been Changed
Detects activity when the settings of the Windows firewall have been changed
title: Windows Firewall Settings Have Been Changed
id: 00bb5bd5-1379-4fcf-a965-a5b6f7478064
status: test
description: Detects activity when the settings of the Windows firewall have been changed
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-02-19
modified: 2023-04-21
tags:
    - attack.defense-impairment
    - attack.t1686.003
logsource:
    product: windows
    service: firewall-as
detection:
    selection:
        EventID:
            - 2002 # A Windows Defender Firewall setting has changed.
            - 2083 # A Windows Defender Firewall setting has changed. (Windows 11)
            - 2003 # A Windows Firewall setting in the profile has changed
            - 2082 # A Windows Defender Firewall setting in the %1 profile has changed. (Windows 11)
            - 2008 # Windows Firewall Group Policy settings have changed. The new settings have been applied
            # - 2010 # Network profile changed on an interface.
    condition: selection
level: low
low
Moderate
High FP
Windows MSIX Package Support Framework AI_STUBS Execution
Detects execution of Advanced Installer MSIX Package Support Framework (PSF) components, specifically AI_STUBS executables with original filename 'popupwrapper.exe'.
This activity may indicate malicious MSIX packages built with Advanced Installer that leverage the Package Support Framework to bypass application control restrictions.
title: Windows MSIX Package Support Framework AI_STUBS Execution
id: af5732ed-764e-489d-826d-0447c8b36242
status: experimental
description: |
    Detects execution of Advanced Installer MSIX Package Support Framework (PSF) components, specifically AI_STUBS executables with original filename 'popupwrapper.exe'.
    This activity may indicate malicious MSIX packages built with Advanced Installer that leverage the Package Support Framework to bypass application control restrictions.
references:
    - https://redcanary.com/blog/threat-intelligence/msix-installers/
    - https://redcanary.com/threat-detection-report/techniques/installer-packages/
    - https://learn.microsoft.com/en-us/windows/msix/package/package-support-framework
    - https://www.splunk.com/en_us/blog/security/msix-weaponization-threat-detection-splunk.html
author: Michael Haag, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-03
tags:
    - attack.execution
    - attack.stealth
    - attack.defense-impairment
    - attack.t1218
    - attack.t1553.005
    - attack.t1204.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\AI_STUBS\AiStubX64Elevated.exe'
            - '\AI_STUBS\AiStubX86Elevated.exe'
            - '\AI_STUBS\AiStubX64.exe'
            - '\AI_STUBS\AiStubX86.exe'
        OriginalFileName: 'popupwrapper.exe'
    condition: selection
falsepositives:
    - Legitimate applications packaged with Advanced Installer using Package Support Framework
level: low
low
Moderate
Medium FP
Windows Service Terminated With Error
Detects Windows services that terminated with an error, for whatever reason.
title: Windows Service Terminated With Error
id: acfa2210-0d71-4eeb-b477-afab494d596c
related:
    - id: d6b5520d-3934-48b4-928c-2aa3f92d6963
      type: similar
status: test
description: Detects Windows services that terminated with an error, for whatever reason.
references:
    - https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-14
tags:
    - attack.stealth
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7023 # The X Service service terminated with the following error
    condition: selection
falsepositives:
    - False positives could occur since service termination could happen for multiple reasons
level: low
low
Moderate
High FP
Windows Share Mount Via Net.EXE
Detects when a share is mounted using the "net.exe" utility
title: Windows Share Mount Via Net.EXE
id: f117933c-980c-4f78-b384-e3d838111165
related:
    - id: 3abd6094-7027-475f-9630-8ab9be7b9725
      type: similar
status: test
description: Detects when a share is mounted using the "net.exe" utility
references:
    - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-02
modified: 2023-02-21
tags:
    - attack.lateral-movement
    - attack.t1021.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\net.exe'
              - '\net1.exe'
        - OriginalFileName:
              - 'net.exe'
              - 'net1.exe'
    selection_cli:
        CommandLine|contains:
            - ' use '
            - ' \\\\'
    condition: all of selection_*
falsepositives:
    - Legitimate activity by administrators and scripts
level: low
low
Moderate
High FP
Winget Admin Settings Modification
Detects changes to the AppInstaller (winget) admin settings, such as enabling local manifest installations or disabling installer hash checks.
title: Winget Admin Settings Modification
id: 6db5eaf9-88f7-4ed9-af7d-9ef2ad12f236
status: test
description: Detects changes to the AppInstaller (winget) admin settings, such as enabling local manifest installations or disabling installer hash checks.
references:
    - https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
    - https://github.com/microsoft/winget-cli/blob/02d2f93807c9851d73eaacb4d8811a76b64b7b01/src/AppInstallerCommonCore/Public/winget/AdminSettings.h#L13
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-17
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-impairment
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        Image|endswith: '\winget.exe'
        TargetObject|startswith: '\REGISTRY\A\'
        TargetObject|endswith: '\LocalState\admin_settings'
    condition: selection
falsepositives:
    - The event doesn't contain information about the type of change. False positives are expected with legitimate changes
level: low
low
Moderate
High FP
bXOR Operator Usage In PowerShell Command Line - PowerShell Classic
Detects PowerShell execution that makes use of the -bxor (bitwise XOR) operator.
Attackers might use it as an alternative obfuscation method to Base64-encoded commands.
Investigate the CommandLine and process tree to determine if the activity is malicious.
title: bXOR Operator Usage In PowerShell Command Line - PowerShell Classic
id: 812837bb-b17f-45e9-8bd0-0ec35d2e3bd6
status: test
description: |
    Detects PowerShell execution that makes use of the -bxor (bitwise XOR) operator.
    Attackers might use it as an alternative obfuscation method to Base64-encoded commands.
    Investigate the CommandLine and process tree to determine if the activity is malicious.
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=46
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_arithmetic_operators?view=powershell-5.1
author: Teymur Kheirkhabarov, Harish Segar
date: 2020-06-29
modified: 2024-12-11
tags:
    - attack.execution
    - attack.t1059.001
    - detection.threat-hunting
logsource:
    product: windows
    category: ps_classic_start
detection:
    selection:
        Data|contains|all:
            - 'HostName=ConsoleHost'
            - ' -bxor '
    condition: selection
falsepositives:
    - Unknown
level: low