Tool
EDR / XDR
VMware Carbon Black
1,440 rules · Sigma detections in VMware Carbon Black syntax
The same Sigma detection corpus, machine-rendered into VMware Carbon Black query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 3,646 rules (.zip, 1.2 MB)
Every VMware Carbon Black query in this view, packaged to deploy.
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance12
Resource Development10
Initial Access10
Execution30
Persistence42
Privilege Escalation20
Stealth79
Defense Impairment32
Credential Access35
Discovery33
Lateral Movement16
Collection20
Command and Control24
Exfiltration10
Impact18
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
◈
Detection rules
50 shown of 1,440
medium
Moderate
Medium FP
Headless Process Launched Via Conhost.EXE
Detects the launch of a child process via "conhost.exe" with the "--headless" flag.
The "--headless" flag hides the windows from the user upon execution.
view Sigma YAML
title: Headless Process Launched Via Conhost.EXE
id: 00ca75ab-d5ce-43be-b86c-55ff39c6abfc
related:
- id: 056c7317-9a09-4bd4-9067-d051312752ea
type: derived
status: test
description: |
Detects the launch of a child process via "conhost.exe" with the "--headless" flag.
The "--headless" flag hides the windows from the user upon execution.
references:
- https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-07-23
tags:
- attack.execution
- attack.t1059.001
- attack.t1059.003
- detection.threat-hunting
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\conhost.exe'
ParentCommandLine|contains: '--headless'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Hidden Executable In NTFS Alternate Data Stream
Detects the creation of an ADS (Alternate Data Stream) that contains an executable by looking at a non-empty Imphash
view Sigma YAML
title: Hidden Executable In NTFS Alternate Data Stream
id: b69888d4-380c-45ce-9cf9-d9ce46e67821
status: test
description: Detects the creation of an ADS (Alternate Data Stream) that contains an executable by looking at a non-empty Imphash
references:
- https://twitter.com/0xrawsec/status/1002478725605273600?s=21
author: Florian Roth (Nextron Systems), @0xrawsec
date: 2018-06-03
modified: 2023-02-10
tags:
- attack.stealth
- attack.s0139
- attack.t1564.004
logsource:
product: windows
category: create_stream_hash
definition: 'Requirements: Sysmon or equivalent configured with Imphash logging'
detection:
selection:
Hash|contains: 'IMPHASH='
filter_main_null:
Hash|contains: 'IMPHASH=00000000000000000000000000000000'
condition: selection and not 1 of filter_main_*
falsepositives:
- This rule isn't looking for any particular binary characteristics. As legitimate installers and programs were seen embedding hidden binaries in their ADS. Some false positives are expected from browser processes and similar.
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Hidden Flag Set On File/Directory Via Chflags - MacOS
Detects the execution of the "chflags" utility with the "hidden" flag, in order to hide files on MacOS.
When a file or directory has this hidden flag set, it becomes invisible to the default file listing commands and in graphical file browsers.
view Sigma YAML
title: Hidden Flag Set On File/Directory Via Chflags - MacOS
id: 3b2c1059-ae5f-40b6-b5d4-6106d3ac20fe
status: test
description: |
Detects the execution of the "chflags" utility with the "hidden" flag, in order to hide files on MacOS.
When a file or directory has this hidden flag set, it becomes invisible to the default file listing commands and in graphical file browsers.
references:
- https://www.sentinelone.com/labs/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/
- https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/
- https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf
- https://ss64.com/mac/chflags.html
author: Omar Khaled (@beacon_exe)
date: 2024-08-21
tags:
- attack.credential-access
- attack.command-and-control
- attack.stealth
- attack.t1218
- attack.t1564.004
- attack.t1552.001
- attack.t1105
logsource:
product: macos
category: process_creation
detection:
selection:
Image|endswith: '/chflags'
CommandLine|contains: 'hidden '
condition: selection
falsepositives:
- Legitimate usage of chflags by administrators and users.
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Hidden Powershell in Link File Pattern
Detects events that appear when a user click on a link file with a powershell command in it
view Sigma YAML
title: Hidden Powershell in Link File Pattern
id: 30e92f50-bb5a-4884-98b5-d20aa80f3d7a
status: test
description: Detects events that appear when a user click on a link file with a powershell command in it
references:
- https://www.x86matthew.com/view_post?id=embed_exe_lnk
author: frack113
date: 2022-02-06
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage: C:\Windows\explorer.exe
Image: C:\Windows\System32\cmd.exe
CommandLine|contains|all:
- 'powershell'
- '.lnk'
condition: selection
falsepositives:
- Legitimate commands in .lnk files
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Hidden User Creation
Detects creation of a hidden user account on macOS (UserID < 500) or with IsHidden option
view Sigma YAML
title: Hidden User Creation
id: b22a5b36-2431-493a-8be1-0bae56c28ef3
status: test
description: Detects creation of a hidden user account on macOS (UserID < 500) or with IsHidden option
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.002/T1564.002.md
author: Daniil Yugoslavskiy, oscd.community
date: 2020-10-10
modified: 2021-11-27
tags:
- attack.stealth
- attack.t1564.002
logsource:
category: process_creation
product: macos
detection:
dscl_create:
Image|endswith: '/dscl'
CommandLine|contains: 'create'
id_below_500:
CommandLine|contains: UniqueID
CommandLine|re: '([0-9]|[1-9][0-9]|[1-4][0-9]{2})'
ishidden_option_declaration:
CommandLine|contains: 'IsHidden'
ishidden_option_confirmation:
CommandLine|contains:
- 'true'
- 'yes'
- '1'
condition: dscl_create and id_below_500 or dscl_create and (ishidden_option_declaration and ishidden_option_confirmation)
falsepositives:
- Legitimate administration activities
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Hiding Files with Attrib.exe
Detects usage of attrib.exe to hide files from users.
view Sigma YAML
title: Hiding Files with Attrib.exe
id: 4281cb20-2994-4580-aa63-c8b86d019934
status: test
description: Detects usage of attrib.exe to hide files from users.
references:
- https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/
- https://www.uptycs.com/blog/lolbins-are-no-laughing-matter
author: Sami Ruohonen
date: 2019-01-16
modified: 2023-03-14
tags:
- attack.stealth
- attack.t1564.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\attrib.exe'
- OriginalFileName: 'ATTRIB.EXE'
selection_cli:
CommandLine|contains: ' +h '
filter_main_msiexec:
CommandLine|contains: '\desktop.ini '
filter_optional_intel:
ParentImage|endswith: '\cmd.exe'
CommandLine: '+R +H +S +A \\\*.cui'
ParentCommandLine: 'C:\\WINDOWS\\system32\\\*.bat'
condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- IgfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe)
- Msiexec.exe hiding desktop.ini
level: medium
Convert to SIEM query
medium
Strong
High FP
Hiding User Account Via SpecialAccounts Registry Key - CommandLine
Detects changes to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen.
view Sigma YAML
title: Hiding User Account Via SpecialAccounts Registry Key - CommandLine
id: 9ec9fb1b-e059-4489-9642-f270c207923d
related:
- id: f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd
type: similar
status: test
description: |
Detects changes to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen.
references:
- https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/
- https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/
- https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/
- https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
author: '@Kostastsale, TheDFIRReport'
date: 2022-05-14
modified: 2024-08-23
tags:
- attack.stealth
- attack.t1564.002
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\reg.exe'
CommandLine|contains|all:
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
- 'add'
- '/v'
- '/d 0'
condition: selection
falsepositives:
- System administrator activities
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_registry_special_accounts_hide_user/info.yml
Convert to SIEM query
medium
Moderate
Medium FP
IE Change Domain Zone
Hides the file extension through modification of the registry
view Sigma YAML
title: IE Change Domain Zone
id: 45e112d0-7759-4c2a-aa36-9f8fb79d3393
related:
- id: d88d0ab2-e696-4d40-a2ed-9790064e66b3
type: derived
status: test
description: Hides the file extension through modification of the registry
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone
- https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries
author: frack113
date: 2022-01-22
modified: 2023-08-17
tags:
- attack.persistence
- attack.t1137
logsource:
category: registry_set
product: windows
detection:
selection_domains:
TargetObject|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
filter:
Details:
- DWORD (0x00000000) # My Computer
- DWORD (0x00000001) # Local Intranet Zone
- '(Empty)'
condition: selection_domains and not filter
falsepositives:
- Administrative scripts
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_change_security_zones/info.yml
simulation:
- type: atomic-red-team
name: Add Domain to Trusted Sites Zone
technique: T1112
atomic_guid: cf447677-5a4e-4937-a82c-e47d254afd57
Convert to SIEM query
medium
Strong
Medium FP
IIS Native-Code Module Command Line Installation
Detects suspicious IIS native-code module installations via command line
view Sigma YAML
title: IIS Native-Code Module Command Line Installation
id: 9465ddf4-f9e4-4ebd-8d98-702df3a93239
status: test
description: Detects suspicious IIS native-code module installations via command line
references:
- https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/
- https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
author: Florian Roth (Nextron Systems)
date: 2019-12-11
modified: 2024-03-13
tags:
- attack.persistence
- attack.t1505.003
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\appcmd.exe'
- OriginalFileName: 'appcmd.exe'
selection_cli:
CommandLine|contains|all:
- 'install'
- 'module'
CommandLine|contains|windash: '-name:'
filter_iis_setup:
ParentImage: 'C:\Windows\System32\inetsrv\iissetup.exe'
condition: all of selection_* and not 1 of filter_*
falsepositives:
- Unknown as it may vary from organisation to organisation how admins use to install IIS modules
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
IIS WebServer Access Logs Deleted
Detects the deletion of IIS WebServer access logs which may indicate an attempt to destroy forensic evidence
view Sigma YAML
title: IIS WebServer Access Logs Deleted
id: 3eb8c339-a765-48cc-a150-4364c04652bf
related:
- id: 0649be4a-aeb0-45b0-b89e-7f1668f6d9c0
type: similar
status: test
description: Detects the deletion of IIS WebServer access logs which may indicate an attempt to destroy forensic evidence
references:
- https://www.elastic.co/guide/en/security/current/webserver-access-logs-deleted.html
author: Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-16
modified: 2023-02-15
tags:
- attack.stealth
- attack.t1070
logsource:
category: file_delete
product: windows
detection:
selection:
TargetFilename|contains: '\inetpub\logs\LogFiles\'
TargetFilename|endswith: '.log'
condition: selection
falsepositives:
- During uninstallation of the IIS service
- During log rotation
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
IIS WebServer Log Deletion via CommandLine Utilities
Detects attempts to delete Internet Information Services (IIS) log files via command line utilities, which is a common defense evasion technique used by attackers to cover their tracks.
Threat actors often abuse vulnerabilities in web applications hosted on IIS servers to gain initial access and later delete IIS logs to evade detection.
view Sigma YAML
title: IIS WebServer Log Deletion via CommandLine Utilities
id: 0649be4a-aeb0-45b0-b89e-7f1668f6d9c0
related:
- id: 3eb8c339-a765-48cc-a150-4364c04652bf
type: similar
status: experimental
description: |
Detects attempts to delete Internet Information Services (IIS) log files via command line utilities, which is a common defense evasion technique used by attackers to cover their tracks.
Threat actors often abuse vulnerabilities in web applications hosted on IIS servers to gain initial access and later delete IIS logs to evade detection.
references:
- https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/managing-iis-log-file-storage
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-09-02
tags:
- attack.stealth
- attack.t1070
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\cmd.exe'
- '\powershell_ise.exe'
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'cmd.exe'
- 'powershell.exe'
- 'powershell_ise.exe'
- 'pwsh.dll'
selection_cli_del:
CommandLine|contains:
- 'del '
- 'erase '
- 'rm '
- 'remove-item '
- 'rmdir '
selection_cli_iis_dir:
CommandLine|contains: '\inetpub\logs\'
condition: all of selection_*
falsepositives:
- Deletion of IIS logs that are older than a certain retention period as part of regular maintenance activities.
- Legitimate schedule tasks or scripts that clean up log files regularly.
# More Fp cases
# https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/managing-iis-log-file-storage#02
level: medium
Convert to SIEM query
medium
Strong
Low FP
ISO Image Mounted
Detects the mount of an ISO image on an endpoint
view Sigma YAML
title: ISO Image Mounted
id: 0248a7bc-8a9a-4cd8-a57e-3ae8e073a073
status: test
description: Detects the mount of an ISO image on an endpoint
references:
- https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore
- https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages
- https://twitter.com/MsftSecIntel/status/1257324139515269121
- https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image
author: Syed Hasan (@syedhasan009)
date: 2021-05-29
modified: 2023-11-09
tags:
- attack.initial-access
- attack.t1566.001
logsource:
product: windows
service: security
definition: 'The advanced audit policy setting "Object Access > Audit Removable Storage" must be configured for Success/Failure'
detection:
selection:
EventID: 4663
ObjectServer: 'Security'
ObjectType: 'File'
ObjectName|startswith: '\Device\CdRom'
filter_main_generic:
ObjectName:
- '\Device\CdRom0\autorun.ico'
- '\Device\CdRom0\setup.exe'
- '\Device\CdRom0\setup64.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Software installation ISO files
level: medium
Convert to SIEM query
medium
Strong
Medium FP
ISO or Image Mount Indicator in Recent Files
Detects the creation of recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks.
This can be a false positive on server systems but on workstations users should rarely mount .iso or .img files.
view Sigma YAML
title: ISO or Image Mount Indicator in Recent Files
id: 4358e5a5-7542-4dcb-b9f3-87667371839b
status: test
description: |
Detects the creation of recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks.
This can be a false positive on server systems but on workstations users should rarely mount .iso or .img files.
references:
- https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore
- https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/
- https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/
author: Florian Roth (Nextron Systems)
date: 2022-02-11
tags:
- attack.initial-access
- attack.t1566.001
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith:
- '.iso.lnk'
- '.img.lnk'
- '.vhd.lnk'
- '.vhdx.lnk'
TargetFilename|contains: '\Microsoft\Windows\Recent\'
condition: selection
falsepositives:
- Cases in which a user mounts an image file for legitimate reasons
level: medium
Convert to SIEM query
medium
Strong
High FP
Import LDAP Data Interchange Format File Via Ldifde.EXE
Detects the execution of "Ldifde.exe" with the import flag "-i". The can be abused to include HTTP-based arguments which will allow the arbitrary download of files from a remote server.
view Sigma YAML
title: Import LDAP Data Interchange Format File Via Ldifde.EXE
id: 6f535e01-ca1f-40be-ab8d-45b19c0c8b7f
status: test
description: |
Detects the execution of "Ldifde.exe" with the import flag "-i". The can be abused to include HTTP-based arguments which will allow the arbitrary download of files from a remote server.
references:
- https://twitter.com/0gtweet/status/1564968845726580736
- https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)
author: '@gott_cyber'
date: 2022-09-02
modified: 2023-03-14
tags:
- attack.command-and-control
- attack.stealth
- attack.t1218
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\ldifde.exe'
- OriginalFileName: 'ldifde.exe'
selection_cli:
CommandLine|contains|all:
- '-i'
- '-f'
condition: all of selection_*
falsepositives:
- Since the content of the files are unknown, false positives are expected
level: medium
Convert to SIEM query
medium
Moderate
High FP
Import PowerShell Modules From Suspicious Directories
Detects powershell scripts that import modules from suspicious directories
view Sigma YAML
title: Import PowerShell Modules From Suspicious Directories
id: 21f9162c-5f5d-4b01-89a8-b705bd7d10ab
related:
- id: c31364f7-8be6-4b77-8483-dd2b5a7b69a3
type: similar
status: test
description: Detects powershell scripts that import modules from suspicious directories
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-07
modified: 2023-01-10
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- 'Import-Module "$Env:Temp\'
- Import-Module '$Env:Temp\
- 'Import-Module $Env:Temp\'
- 'Import-Module "$Env:Appdata\'
- Import-Module '$Env:Appdata\
- 'Import-Module $Env:Appdata\'
- 'Import-Module C:\Users\Public\'
# Import-Module alias is "ipmo"
- 'ipmo "$Env:Temp\'
- ipmo '$Env:Temp\
- 'ipmo $Env:Temp\'
- 'ipmo "$Env:Appdata\'
- ipmo '$Env:Appdata\
- 'ipmo $Env:Appdata\'
- 'ipmo C:\Users\Public\'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Import PowerShell Modules From Suspicious Directories - ProcCreation
Detects powershell scripts that import modules from suspicious directories
view Sigma YAML
title: Import PowerShell Modules From Suspicious Directories - ProcCreation
id: c31364f7-8be6-4b77-8483-dd2b5a7b69a3
related:
- id: 21f9162c-5f5d-4b01-89a8-b705bd7d10ab
type: similar
status: test
description: Detects powershell scripts that import modules from suspicious directories
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-10
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- 'Import-Module "$Env:Temp\'
- Import-Module '$Env:Temp\
- 'Import-Module $Env:Temp\'
- 'Import-Module "$Env:Appdata\'
- Import-Module '$Env:Appdata\
- 'Import-Module $Env:Appdata\'
- 'Import-Module C:\Users\Public\'
# Import-Module alias is "ipmo"
- 'ipmo "$Env:Temp\'
- ipmo '$Env:Temp\
- 'ipmo $Env:Temp\'
- 'ipmo "$Env:Appdata\'
- ipmo '$Env:Appdata\
- 'ipmo $Env:Appdata\'
- 'ipmo C:\Users\Public\'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Imports Registry Key From a File
Detects the import of the specified file to the registry with regedit.exe.
view Sigma YAML
title: Imports Registry Key From a File
id: 73bba97f-a82d-42ce-b315-9182e76c57b1
related:
- id: 0b80ade5-6997-4b1d-99a1-71701778ea61
type: similar
status: test
description: Detects the import of the specified file to the registry with regedit.exe.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Regedit/
- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
author: Oddvar Moe, Sander Wiebing, oscd.community
date: 2020-10-07
modified: 2024-03-13
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\regedit.exe'
- OriginalFileName: 'REGEDIT.EXE'
selection_cli:
CommandLine|contains:
- ' /i '
- ' /s '
- '.reg'
filter_1:
CommandLine|contains|windash:
- ' -e '
- ' -a '
- ' -c '
filter_2:
CommandLine|re: ':[^ \\]' # to avoid intersection with ADS rule
condition: all of selection_* and not all of filter_*
falsepositives:
- Legitimate import of keys
- Evernote
level: medium
Convert to SIEM query
medium
Moderate
High FP
Inbox Rules Creation Or Update Activity Via ExchangePowerShell Cmdlet
Detects inbox rule creation or update via ExchangePowerShell cmdlet, a technique commonly observed in Business Email Compromise (BEC) attacks to hide emails.
The usage of inbox rules can be a sign of a compromised mailbox, where an attacker is attempting to evade detections by suppressing or redirecting incoming emails.
Analysts should review these rules in context, validate whether they reflect normal user behavior, and correlate with other indicators such as unusual login activity or recent mailbox rule modifications.
view Sigma YAML
title: Inbox Rules Creation Or Update Activity Via ExchangePowerShell Cmdlet
id: 04580eed-e1d6-426b-a570-f6e64a4577f7
related:
- id: d3577be1-42c9-44a7-b56e-2e8de97349d3
type: similar
status: experimental
description: |
Detects inbox rule creation or update via ExchangePowerShell cmdlet, a technique commonly observed in Business Email Compromise (BEC) attacks to hide emails.
The usage of inbox rules can be a sign of a compromised mailbox, where an attacker is attempting to evade detections by suppressing or redirecting incoming emails.
Analysts should review these rules in context, validate whether they reflect normal user behavior, and correlate with other indicators such as unusual login activity or recent mailbox rule modifications.
references:
- https://redcanary.com/threat-detection-report/techniques/email-hiding-rules/
- https://learn.microsoft.com/it-it/powershell/module/exchangepowershell/new-inboxrule?view=exchange-ps
- https://learn.microsoft.com/it-it/powershell/module/exchangepowershell/set-inboxrule?view=exchange-ps
author: Marco Pedrinazzi (@pedrinazziM) (InTheCyber)
date: 2026-02-10
tags:
- attack.stealth
- attack.t1564.008
- attack.exfiltration
- attack.collection
- attack.t1114.003
- detection.threat-hunting
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_cmdlet:
ScriptBlockText|contains:
- 'New-InboxRule'
- 'Set-InboxRule'
selection_params:
ScriptBlockText|contains:
- 'DeleteMessage'
- 'MarkAsRead'
- 'MoveToFolder'
- 'SubjectOrBodyContainsWords'
condition: all of selection_*
falsepositives:
- Legitimate inbox rules created by users or administrators to manage email flow such as filtering, organizing, or automating email handling.
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Inbox Rules Creation Or Update Activity in O365
Detects inbox rule creation or update via O365 Audit logs, a technique commonly observed in Business Email Compromise (BEC) attacks to hide emails.
The usage of inbox rules can be a sign of a compromised mailbox, where an attacker is attempting to evade detections by suppressing or redirecting incoming emails.
Analysts should review these rules in context, validate whether they reflect normal user behavior, and correlate with other indicators such as unusual login activity or recent mailbox rule modifications.
view Sigma YAML
title: Inbox Rules Creation Or Update Activity in O365
id: d3577be1-42c9-44a7-b56e-2e8de97349d3
status: experimental
description: |
Detects inbox rule creation or update via O365 Audit logs, a technique commonly observed in Business Email Compromise (BEC) attacks to hide emails.
The usage of inbox rules can be a sign of a compromised mailbox, where an attacker is attempting to evade detections by suppressing or redirecting incoming emails.
Analysts should review these rules in context, validate whether they reflect normal user behavior, and correlate with other indicators such as unusual login activity or recent mailbox rule modifications.
references:
- https://redcanary.com/threat-detection-report/techniques/email-hiding-rules/
- https://learn.microsoft.com/it-it/powershell/module/exchangepowershell/set-inboxrule?view=exchange-ps
- https://learn.microsoft.com/it-it/powershell/module/exchangepowershell/new-inboxrule?view=exchange-ps
author: Marco Pedrinazzi (@pedrinazziM) (InTheCyber)
date: 2026-01-09
tags:
- attack.stealth
- attack.t1564.008
- attack.exfiltration
- attack.collection
- attack.t1114.003
- detection.threat-hunting
logsource:
service: audit
product: m365
definition: "Requirements: The 'Parameters' field is a list of dict. A correct mapping to the 'Value' field inside is recommended to avoid greedy search"
detection:
selection:
Operation:
- 'New-InboxRule'
- 'Set-InboxRule'
Parameters|contains:
- 'DeleteMessage'
- 'MarkAsRead'
- 'MoveToFolder'
- 'SubjectOrBodyContainsWords'
condition: selection
falsepositives:
- Legitimate inbox rules created by users or administrators to manage email flow such as filtering, organizing, or automating email handling.
level: medium
Convert to SIEM query
medium
Moderate
Low FP
Increased Failed Authentications Of Any Type
Detects when sign-ins increased by 10% or greater.
view Sigma YAML
title: Increased Failed Authentications Of Any Type
id: e1d02b53-c03c-4948-b11d-4d00cca49d03
status: test
description: Detects when sign-ins increased by 10% or greater.
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins
author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1'
date: 2022-08-11
tags:
- attack.privilege-escalation
- attack.persistence
- attack.initial-access
- attack.stealth
- attack.t1078
logsource:
product: azure
service: signinlogs
detection:
selection:
Status: failure
Count: "<10%"
condition: selection
falsepositives:
- Unlikely
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Indicator Removal on Host - Clear Mac System Logs
Detects deletion of local audit logs
view Sigma YAML
title: Indicator Removal on Host - Clear Mac System Logs
id: acf61bd8-d814-4272-81f0-a7a269aa69aa
status: test
description: Detects deletion of local audit logs
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md
author: remotephone, oscd.community
date: 2020-10-11
modified: 2022-09-16
tags:
- attack.defense-impairment
- attack.t1685.006
logsource:
product: macos
category: process_creation
detection:
selection1:
Image|endswith:
- '/rm'
- '/unlink'
- '/shred'
selection_cli_1:
CommandLine|contains: '/var/log'
selection_cli_2:
CommandLine|contains|all:
- '/Users/'
- '/Library/Logs/'
condition: selection1 and 1 of selection_cli*
falsepositives:
- Legitimate administration activities
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Indirect Command Execution via SFTP ProxyCommand
Detects the use of SFTP.exe to execute commands indirectly via ProxyCommand parameter.
Threat actors were seen leveraging this legitimate Windows binary to bypass security controls and execute arbitrary commands while evading detection.
view Sigma YAML
title: Indirect Command Execution via SFTP ProxyCommand
id: 762bb580-79b4-40f4-8b9e-9349ce1710f4
status: experimental
description: |
Detects the use of SFTP.exe to execute commands indirectly via ProxyCommand parameter.
Threat actors were seen leveraging this legitimate Windows binary to bypass security controls and execute arbitrary commands while evading detection.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Sftp/
- https://news.sophos.com/en-us/2025/05/09/lumma-stealer-coming-and-going/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-04-27
tags:
- attack.stealth
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\sftp.exe'
CommandLine|contains: 'ProxyCommand='
condition: selection
falsepositives:
- Legitimate use of SFTP with proxy commands for administration or networking tasks
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_lolbin_sftp_indirect_cmd_execution/info.yml
Convert to SIEM query
medium
Moderate
High FP
Indirect Inline Command Execution Via Bash.EXE
Detects execution of Microsoft bash launcher with the "-c" flag.
This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
view Sigma YAML
title: Indirect Inline Command Execution Via Bash.EXE
id: 5edc2273-c26f-406c-83f3-f4d948e740dd
related:
- id: 2d22a514-e024-4428-9dba-41505bd63a5b
type: similar
status: test
description: |
Detects execution of Microsoft bash launcher with the "-c" flag.
This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Bash/
author: frack113
date: 2021-11-24
modified: 2023-08-15
tags:
- attack.stealth
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- ':\Windows\System32\bash.exe'
- ':\Windows\SysWOW64\bash.exe'
- OriginalFileName: 'Bash.exe'
selection_cli:
CommandLine|contains: ' -c '
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
InfDefaultInstall.exe .inf Execution
Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.
view Sigma YAML
title: InfDefaultInstall.exe .inf Execution
id: ce7cf472-6fcc-490a-9481-3786840b5d9b
status: test
description: Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md#atomic-test-4---infdefaultinstallexe-inf-execution
- https://lolbas-project.github.io/lolbas/Binaries/Infdefaultinstall/
author: frack113
date: 2021-07-13
modified: 2022-10-09
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'InfDefaultInstall.exe '
- '.inf'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Low FP
Ingress/Egress Security Group Modification
Detects when an account makes changes to the ingress or egress rules of a security group.
This can indicate that an attacker is attempting to open up new attack vectors in the account, that they are trying to exfiltrate data over the network, or that they are trying to allow machines in that VPC/Subnet to contact a C&C server.
view Sigma YAML
title: Ingress/Egress Security Group Modification
id: 6fb77778-040f-4015-9440-572aa9b6b580
status: test
description: |
Detects when an account makes changes to the ingress or egress rules of a security group.
This can indicate that an attacker is attempting to open up new attack vectors in the account, that they are trying to exfiltrate data over the network, or that they are trying to allow machines in that VPC/Subnet to contact a C&C server.
references:
- https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/
author: jamesc-grafana
date: 2024-07-11
tags:
- attack.initial-access
- attack.t1190
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: 'ec2.amazonaws.com'
eventName:
- 'AuthorizeSecurityGroupEgress'
- 'AuthorizeSecurityGroupIngress'
- 'RevokeSecurityGroupEgress'
- 'RevokeSecurityGroupIngress'
condition: selection
falsepositives:
- New VPCs and Subnets being setup requiring a different security profile to those already defined
- A single port being opened for a new service that is known to be deploying
- Administrators closing unused ports to reduce the attack surface
level: medium
Convert to SIEM query
medium
Moderate
High FP
Insecure Proxy/DOH Transfer Via Curl.EXE
Detects execution of "curl.exe" with the "insecure" flag over proxy or DOH.
view Sigma YAML
title: Insecure Proxy/DOH Transfer Via Curl.EXE
id: 2c1486f5-02e8-4f86-9099-b97f2da4ed77
status: test
description: Detects execution of "curl.exe" with the "insecure" flag over proxy or DOH.
references:
- https://curl.se/docs/manpage.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-27
tags:
- attack.execution
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\curl.exe'
- OriginalFileName: 'curl.exe'
selection_cli:
CommandLine|contains:
- '--doh-insecure'
- '--proxy-insecure'
condition: all of selection_*
falsepositives:
- Access to badly maintained internal or development systems
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_proxy_or_doh/info.yml
Convert to SIEM query
medium
Moderate
High FP
Insecure Transfer Via Curl.EXE
Detects execution of "curl.exe" with the "--insecure" flag.
view Sigma YAML
title: Insecure Transfer Via Curl.EXE
id: cb9cc1d1-e84e-4bdc-b7ad-c31b1b7908ec
status: test
description: Detects execution of "curl.exe" with the "--insecure" flag.
references:
- https://curl.se/docs/manpage.html
author: X__Junior (Nextron Systems)
date: 2023-06-30
tags:
- attack.execution
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\curl.exe'
- OriginalFileName: 'curl.exe'
selection_cli:
- CommandLine|re: '\s-k\s'
- CommandLine|contains: '--insecure'
condition: all of selection_*
falsepositives:
- Access to badly maintained internal or development systems
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_connection/info.yml
Convert to SIEM query
medium
Strong
Medium FP
Install New Package Via Winget Local Manifest
Detects usage of winget to install applications via manifest file. Adversaries can abuse winget to download payloads remotely and execute them.
The manifest option enables you to install an application by passing in a YAML file directly to the client.
Winget can be used to download and install exe, msi or msix files later.
view Sigma YAML
title: Install New Package Via Winget Local Manifest
id: 313d6012-51a0-4d93-8dfc-de8553239e25
status: test
description: |
Detects usage of winget to install applications via manifest file. Adversaries can abuse winget to download payloads remotely and execute them.
The manifest option enables you to install an application by passing in a YAML file directly to the client.
Winget can be used to download and install exe, msi or msix files later.
references:
- https://learn.microsoft.com/en-us/windows/package-manager/winget/install#local-install
- https://lolbas-project.github.io/lolbas/Binaries/Winget/
- https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
author: Sreeman, Florian Roth (Nextron Systems), frack113
date: 2020-04-21
modified: 2023-04-17
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\winget.exe'
- OriginalFileName: 'winget.exe'
selection_install_flag:
CommandLine|contains:
- 'install'
- ' add ' # https://github.com/microsoft/winget-cli/blob/02d2f93807c9851d73eaacb4d8811a76b64b7b01/src/AppInstallerCLICore/Commands/InstallCommand.h
selection_manifest_flag:
CommandLine|contains:
- '-m '
- '--manifest'
condition: all of selection_*
falsepositives:
- Some false positives are expected in some environment that may use this functionality to install and test their custom applications
level: medium
Convert to SIEM query
medium
Moderate
High FP
Installation of TeamViewer Desktop
TeamViewer_Desktop.exe is create during install
view Sigma YAML
title: Installation of TeamViewer Desktop
id: 9711de76-5d4f-4c50-a94f-21e4e8f8384d
status: test
description: TeamViewer_Desktop.exe is create during install
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-1---teamviewer-files-detected-test-on-windows
author: frack113
date: 2022-01-28
tags:
- attack.command-and-control
- attack.t1219.002
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith: '\TeamViewer_Desktop.exe'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Interactive Bash Suspicious Children
Detects suspicious interactive bash as a parent to rather uncommon child processes
view Sigma YAML
title: Interactive Bash Suspicious Children
id: ea3ecad2-db86-4a89-ad0b-132a10d2db55
status: test
description: Detects suspicious interactive bash as a parent to rather uncommon child processes
references:
- Internal Research
author: Florian Roth (Nextron Systems)
date: 2022-03-14
tags:
- attack.execution
- attack.stealth
- attack.t1059.004
- attack.t1036
logsource:
product: linux
category: process_creation
detection:
selection:
ParentCommandLine: 'bash -i'
anomaly1:
CommandLine|contains:
- '-c import '
- 'base64'
- 'pty.spawn'
anomaly2:
Image|endswith:
- 'whoami'
- 'iptables'
- '/ncat'
- '/nc'
- '/netcat'
condition: selection and 1 of anomaly*
falsepositives:
- Legitimate software that uses these patterns
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Internet Explorer Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
view Sigma YAML
title: Internet Explorer Autorun Keys Modification
id: a80f662f-022f-4429-9b8c-b1a41aaa6688
related:
- id: 17f878b8-9968-4578-b814-c4217fc5768c
type: obsolete
status: test
description: Detects modification of autostart extensibility point (ASEP) in registry.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2023-08-17
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.001
logsource:
category: registry_set
product: windows
detection:
ie:
TargetObject|contains:
- '\Software\Wow6432Node\Microsoft\Internet Explorer'
- '\Software\Microsoft\Internet Explorer'
ie_details:
TargetObject|contains:
- '\Toolbar'
- '\Extensions'
- '\Explorer Bars'
filter_empty:
Details: '(Empty)'
filter_extensions:
TargetObject|contains:
- '\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}'
- '\Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}'
- '\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}'
- '\Extensions\{A95fe080-8f5d-11d2-a20b-00aa003c157a}'
filter_toolbar:
TargetObject|endswith:
- '\Toolbar\ShellBrowser\ITBar7Layout'
- '\Toolbar\ShowDiscussionButton'
- '\Toolbar\Locked'
condition: ie and ie_details and not 1 of filter_*
falsepositives:
- Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
- Legitimate administrator sets up autorun keys for legitimate reason
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Internet Explorer DisableFirstRunCustomize Enabled
Detects changes to the Internet Explorer "DisableFirstRunCustomize" value, which prevents Internet Explorer from running the first run wizard the first time a user starts the browser after installing Internet Explorer or Windows.
view Sigma YAML
title: Internet Explorer DisableFirstRunCustomize Enabled
id: ab567429-1dfb-4674-b6d2-979fd2f9d125
status: test
description: |
Detects changes to the Internet Explorer "DisableFirstRunCustomize" value, which prevents Internet Explorer from running the first run wizard the first time a user starts the browser after installing Internet Explorer or Windows.
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
- https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/
- https://admx.help/?Category=InternetExplorer&Policy=Microsoft.Policies.InternetExplorer::NoFirstRunCustomise
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-16
modified: 2025-10-07
tags:
- attack.defense-impairment
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|endswith: '\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize'
Details:
- 'DWORD (0x00000001)' # Home Page
- 'DWORD (0x00000002)' # Welcome To IE
filter_main_generic:
Image:
- 'C:\Windows\explorer.exe'
- 'C:\Windows\System32\ie4uinit.exe'
filter_optional_avira:
Image|contains|all:
- '\Temp\'
- '\.cr\avira_'
Details|contains: 'DWORD (0x00000001)'
filter_optional_foxit:
Image:
- 'C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe'
- 'C:\Program Files\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe'
Details|contains: 'DWORD (0x00000001)'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- As this is controlled by group policy as well as user settings. Some false positives may occur.
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Invocation Of Crypto-Classes From The "Cryptography" PowerShell Namespace
Detects the invocation of PowerShell commands with references to classes from the "System.Security.Cryptography" namespace.
The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly encryption and decryption.
These can be used for example in decrypting malicious payload for defense evasion.
view Sigma YAML
title: Invocation Of Crypto-Classes From The "Cryptography" PowerShell Namespace
id: ad856965-f44d-42a8-945e-bbf7bd03d05a
status: test
description: |
Detects the invocation of PowerShell commands with references to classes from the "System.Security.Cryptography" namespace.
The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly encryption and decryption.
These can be used for example in decrypting malicious payload for defense evasion.
references:
- https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography?view=net-8.0
- https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html
- https://www.virustotal.com/gui/file/39102fb7bb6a74a9c8cb6d46419f9015b381199ea8524c1376672b30fffd69d2
author: Andreas Braathen (mnemonic.io)
date: 2023-12-01
tags:
- attack.execution
- attack.stealth
- attack.t1059.001
- attack.t1027.010
- detection.threat-hunting
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_cmdlet_namespace:
CommandLine|contains: 'System.Security.Cryptography.'
selection_cmdlet_classes:
CommandLine|contains:
- '.AesCryptoServiceProvider'
- '.DESCryptoServiceProvider'
- '.DSACryptoServiceProvider'
- '.RC2CryptoServiceProvider'
- '.Rijndael'
- '.RSACryptoServiceProvider'
- '.TripleDESCryptoServiceProvider'
condition: all of selection_*
falsepositives:
- Classes are legitimately used, but less so when e.g. parents with low prevalence or decryption of content in temporary folders.
level: medium
Convert to SIEM query
medium
Moderate
High FP
Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)
view Sigma YAML
title: Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
id: 2afafd61-6aae-4df4-baed-139fa1f4c345
status: test
description: Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)
references:
- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm
author: Thomas Patzke
date: 2019-01-16
modified: 2022-03-11
tags:
- attack.credential-access
- attack.t1003.003
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\ntdsutil.exe'
condition: selection
falsepositives:
- NTDS maintenance
level: medium
Convert to SIEM query
medium
Moderate
High FP
Invoke-Obfuscation COMPRESS OBFUSCATION
Detects Obfuscated Powershell via COMPRESS OBFUSCATION
view Sigma YAML
title: Invoke-Obfuscation COMPRESS OBFUSCATION
id: 7eedcc9d-9fdb-4d94-9c54-474e8affc0c7
status: test
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-12-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'new-object'
- 'text.encoding]::ascii'
CommandLine|contains:
- 'system.io.compression.deflatestream'
- 'system.io.streamreader'
- 'readtoend('
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell
Detects Obfuscated Powershell via COMPRESS OBFUSCATION
view Sigma YAML
title: Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell
id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07
status: test
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_4104:
ScriptBlockText|contains|all:
- 'new-object'
- 'text.encoding]::ascii'
ScriptBlockText|contains:
- 'system.io.compression.deflatestream'
- 'system.io.streamreader'
ScriptBlockText|endswith: 'readtoend'
condition: selection_4104
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module
Detects Obfuscated Powershell via COMPRESS OBFUSCATION
view Sigma YAML
title: Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module
id: 7034cbbb-cc55-4dc2-8dad-36c0b942e8f1
related:
- id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07
type: derived
status: test
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection_4103:
Payload|contains|all:
- 'new-object'
- 'text.encoding]::ascii'
Payload|contains:
- 'system.io.compression.deflatestream'
- 'system.io.streamreader'
Payload|endswith: 'readtoend'
condition: selection_4103
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Invoke-Obfuscation COMPRESS OBFUSCATION - Security
Detects Obfuscated Powershell via COMPRESS OBFUSCATION
view Sigma YAML
title: Invoke-Obfuscation COMPRESS OBFUSCATION - Security
id: 7a922f1b-2635-4d6c-91ef-af228b198ad3
related:
- id: 175997c5-803c-4b08-8bb0-70b099f47595
type: derived
status: test
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
service: security
definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
selection:
EventID: 4697
ServiceFileName|contains|all:
- 'new-object'
- 'text.encoding]::ascii'
- 'readtoend'
ServiceFileName|contains:
- 'system.io.compression.deflatestream'
- 'system.io.streamreader'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Invoke-Obfuscation COMPRESS OBFUSCATION - System
Detects Obfuscated Powershell via COMPRESS OBFUSCATION
view Sigma YAML
title: Invoke-Obfuscation COMPRESS OBFUSCATION - System
id: 175997c5-803c-4b08-8bb0-70b099f47595
status: test
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
service: system
detection:
selection:
Provider_Name: 'Service Control Manager'
EventID: 7045
ImagePath|contains|all:
- 'new-object'
- 'text.encoding]::ascii'
- 'readtoend'
ImagePath|contains:
- ':system.io.compression.deflatestream'
- 'system.io.streamreader'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell
Detects Obfuscated Powershell via RUNDLL LAUNCHER
view Sigma YAML
title: Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell
id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0
status: test
description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 23)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_4104:
ScriptBlockText|contains|all:
- 'rundll32.exe'
- 'shell32.dll'
- 'shellexec_rundll'
- 'powershell'
condition: selection_4104
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module
Detects Obfuscated Powershell via RUNDLL LAUNCHER
view Sigma YAML
title: Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module
id: a23791fe-8846-485a-b16b-ca691e1b03d4
related:
- id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0
type: derived
status: test
description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 23)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection_4103:
Payload|contains|all:
- 'rundll32.exe'
- 'shell32.dll'
- 'shellexec_rundll'
- 'powershell'
condition: selection_4103
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Invoke-Obfuscation RUNDLL LAUNCHER - Security
Detects Obfuscated Powershell via RUNDLL LAUNCHER
view Sigma YAML
title: Invoke-Obfuscation RUNDLL LAUNCHER - Security
id: f241cf1b-3a6b-4e1a-b4f9-133c00dd95ca
related:
- id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9
type: derived
status: test
description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 23)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
service: security
definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
selection:
EventID: 4697
ServiceFileName|contains|all:
- 'rundll32.exe'
- 'shell32.dll'
- 'shellexec_rundll'
- 'powershell'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Invoke-Obfuscation RUNDLL LAUNCHER - System
Detects Obfuscated Powershell via RUNDLL LAUNCHER
view Sigma YAML
title: Invoke-Obfuscation RUNDLL LAUNCHER - System
id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9
status: test
description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 23)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
service: system
detection:
selection:
Provider_Name: 'Service Control Manager'
EventID: 7045
ImagePath|contains|all:
- 'rundll32.exe'
- 'shell32.dll'
- 'shellexec_rundll'
- 'powershell'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
JAMF MDM Potential Suspicious Child Process
Detects potential suspicious child processes of "jamf". Could be a sign of potential abuse of Jamf as a C2 server as seen by Typhon MythicAgent.
view Sigma YAML
title: JAMF MDM Potential Suspicious Child Process
id: 2316929c-01aa-438c-970f-099145ab1ee6
status: test
description: Detects potential suspicious child processes of "jamf". Could be a sign of potential abuse of Jamf as a C2 server as seen by Typhon MythicAgent.
references:
- https://github.com/MythicAgents/typhon/
- https://www.zoocoup.org/casper/jamf_cheatsheet.pdf
- https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-22
tags:
- attack.execution
logsource:
category: process_creation
product: macos
detection:
selection:
ParentImage|endswith: '/jamf'
Image|endswith:
# Note: Add additional binaries/commands that are uncommon during your typical admin usage of Jamf
- '/bash'
- '/sh'
condition: selection
falsepositives:
- Legitimate execution of custom scripts or commands by Jamf administrators. Apply additional filters accordingly
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Java Running with Remote Debugging
Detects a JAVA process running with remote debugging allowing more than just localhost to connect
view Sigma YAML
title: Java Running with Remote Debugging
id: 8f88e3f6-2a49-48f5-a5c4-2f7eedf78710
status: test
description: Detects a JAVA process running with remote debugging allowing more than just localhost to connect
references:
- https://dzone.com/articles/remote-debugging-java-applications-with-jdwp
author: Florian Roth (Nextron Systems)
date: 2019-01-16
modified: 2023-02-01
tags:
- attack.t1203
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection_jdwp_transport:
CommandLine|contains: 'transport=dt_socket,address='
selection_old_jvm_version:
CommandLine|contains:
- 'jre1.'
- 'jdk1.'
exclusion:
CommandLine|contains:
- 'address=127.0.0.1'
- 'address=localhost'
condition: all of selection_* and not exclusion
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Kapeka Backdoor Configuration Persistence
Detects registry set activity of a value called "Seed" stored in the "\Cryptography\Providers\" registry key.
The Kapeka backdoor leverages this location to register a new SIP provider for backdoor configuration persistence.
view Sigma YAML
title: Kapeka Backdoor Configuration Persistence
id: cbaa3ef3-07a9-4c8e-82d1-9e40578da7fd
status: test
description: |
Detects registry set activity of a value called "Seed" stored in the "\Cryptography\Providers\" registry key.
The Kapeka backdoor leverages this location to register a new SIP provider for backdoor configuration persistence.
references:
- https://labs.withsecure.com/publications/kapeka
- https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
author: Swachchhanda Shrawan Poudel
date: 2024-07-03
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1553.003
- detection.emerging-threats
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\SOFTWARE\Microsoft\Cryptography\Providers\{'
TargetObject|endswith: '\Seed'
filter_main_empty:
Details|contains: '(Empty)'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Kerberoasting Activity - Initial Query
This rule will collect the data needed to start looking into possible kerberoasting activity.
Further analysis or computation within the query is needed focusing on requests from one specific host/IP towards multiple service names within a time period of 5 seconds.
You can then set a threshold for the number of requests and time between the requests to turn this into an alert.
view Sigma YAML
title: Kerberoasting Activity - Initial Query
id: d04ae2b8-ad54-4de0-bd87-4bc1da66aa59
status: test
description: |
This rule will collect the data needed to start looking into possible kerberoasting activity.
Further analysis or computation within the query is needed focusing on requests from one specific host/IP towards multiple service names within a time period of 5 seconds.
You can then set a threshold for the number of requests and time between the requests to turn this into an alert.
references:
- https://www.trustedsec.com/blog/art_of_kerberoast/
- https://adsecurity.org/?p=3513
author: '@kostastsale'
date: 2022-01-21
modified: 2025-10-19
tags:
- attack.credential-access
- attack.t1558.003
logsource:
product: windows
service: security
detection:
selection:
EventID: 4769
Status: '0x0' # Translated as status from failure code field. Query only for successes
TicketEncryptionType: '0x17' # RC4 ticket encryption type
filter_main_krbtgt:
ServiceName|endswith:
- 'krbtgt' # Ignore requests for the krbtgt service
- '$' # Ignore requests from service names that end with $ which are associated with genuine kerberos traffic
filter_main_machine_accounts:
TargetUserName|contains: '$@' # Ignore requests from machines
condition: selection and not 1 of filter_main_*
falsepositives:
- Legacy applications.
level: medium
Convert to SIEM query
medium
Strong
Low FP
Kerberos Network Traffic RC4 Ticket Encryption
Detects kerberos TGS request using RC4 encryption which may be indicative of kerberoasting
view Sigma YAML
title: Kerberos Network Traffic RC4 Ticket Encryption
id: 503fe26e-b5f2-4944-a126-eab405cc06e5
status: test
description: Detects kerberos TGS request using RC4 encryption which may be indicative of kerberoasting
references:
- https://adsecurity.org/?p=3458
author: sigma
date: 2020-02-12
modified: 2021-11-27
tags:
- attack.credential-access
- attack.t1558.003
logsource:
product: zeek
service: kerberos
detection:
selection:
request_type: 'TGS'
cipher: 'rc4-hmac'
computer_acct:
service|startswith: '$'
condition: selection and not computer_acct
falsepositives:
- Normal enterprise SPN requests activity
level: medium
Convert to SIEM query
medium
Moderate
Low FP
Kubernetes Admission Controller Modification
Detects when a modification (create, update or replace) action is taken that affects mutating or validating webhook configurations, as they can be used by an adversary to achieve persistence or exfiltrate access credentials.
view Sigma YAML
title: Kubernetes Admission Controller Modification
id: eed82177-38f5-4299-8a76-098d50d225ab
related:
- id: 6ad91e31-53df-4826-bd27-0166171c8040
type: similar
status: test
description: |
Detects when a modification (create, update or replace) action is taken that affects mutating or validating webhook configurations, as they can be used by an adversary to achieve persistence or exfiltrate access credentials.
references:
- https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
- https://security.padok.fr/en/blog/kubernetes-webhook-attackers
author: kelnage
date: 2024-07-11
tags:
- attack.privilege-escalation
- attack.initial-access
- attack.persistence
- attack.stealth
- attack.t1078
- attack.credential-access
- attack.t1552
- attack.t1552.007
logsource:
product: kubernetes
service: audit
detection:
selection:
objectRef.apiGroup: 'admissionregistration.k8s.io'
objectRef.resource:
- 'mutatingwebhookconfigurations'
- 'validatingwebhookconfigurations'
verb:
- 'create'
- 'delete'
- 'patch'
- 'replace'
- 'update'
condition: selection
falsepositives:
- Modifying the Kubernetes Admission Controller may need to be done by a system administrator.
- Automated processes may need to take these actions and may need to be filtered.
level: medium
Convert to SIEM query
medium
Moderate
Low FP
Kubernetes CronJob/Job Modification
Detects when a Kubernetes CronJob or Job is created or modified.
A Kubernetes Job creates one or more pods to accomplish a specific task, and a CronJob creates Jobs on a recurring schedule.
An adversary can take advantage of this Kubernetes object to schedule Jobs to run containers that execute malicious code within a cluster, allowing them to achieve persistence.
view Sigma YAML
title: Kubernetes CronJob/Job Modification
id: 0c9b3bda-41a6-4442-9345-356ae86343dc
related:
- id: cd3a808c-c7b7-4c50-a2f3-f4cfcd436435
type: similar
status: test
description: |
Detects when a Kubernetes CronJob or Job is created or modified.
A Kubernetes Job creates one or more pods to accomplish a specific task, and a CronJob creates Jobs on a recurring schedule.
An adversary can take advantage of this Kubernetes object to schedule Jobs to run containers that execute malicious code within a cluster, allowing them to achieve persistence.
references:
- https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
- https://www.redhat.com/en/blog/protecting-kubernetes-against-mitre-attck-persistence#technique-33-kubernetes-cronjob
author: kelnage
date: 2024-07-11
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
logsource:
product: kubernetes
service: audit
detection:
selection:
objectRef.apiGroup: 'batch'
objectRef.resource:
- 'cronjobs'
- 'jobs'
verb:
- 'create'
- 'delete'
- 'patch'
- 'replace'
- 'update'
condition: selection
falsepositives:
- Modifying a Kubernetes Job or CronJob may need to be done by a system administrator.
- Automated processes may need to take these actions and may need to be filtered.
level: medium
Convert to SIEM query
Showing 451-500 of 1,440