Tool
EDR / XDR
VMware Carbon Black
1,440 rules · Sigma detections in VMware Carbon Black syntax
The same Sigma detection corpus, machine-rendered into VMware Carbon Black query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 3,646 rules (.zip, 1.2 MB)
Every VMware Carbon Black query in this view, packaged to deploy.
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance12
Resource Development10
Initial Access10
Execution30
Persistence42
Privilege Escalation20
Stealth79
Defense Impairment32
Credential Access35
Discovery33
Lateral Movement16
Collection20
Command and Control24
Exfiltration10
Impact18
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
◈
Detection rules
50 shown of 1,440
medium
Moderate
Low FP
Kubernetes Events Deleted
Detects when events are deleted in Kubernetes.
An adversary may delete Kubernetes events in an attempt to evade detection.
view Sigma YAML
title: Kubernetes Events Deleted
id: 3132570d-cab2-4561-9ea6-1743644b2290
related:
- id: 225d8b09-e714-479c-a0e4-55e6f29adf35
type: derived
status: test
description: |
Detects when events are deleted in Kubernetes.
An adversary may delete Kubernetes events in an attempt to evade detection.
references:
- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20K8S%20events/
author: Leo Tsaousis (@laripping)
date: 2024-03-26
tags:
- attack.stealth
- attack.t1070
logsource:
category: application
product: kubernetes
service: audit
detection:
selection:
verb: 'delete'
objectRef.resource: 'events'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Kubernetes Potential Enumeration Activity
Detects potential Kubernetes enumeration or attack activity via the audit log.
This includes the execution of common shells, utilities, or specialized tools like 'Rakkess' (access_matrix) and 'TruffleHog' via Kubernetes API requests.
Attackers use these methods to perform reconnaissance (enumeration), secret harvesting, or execute code (exec) within a cluster.
view Sigma YAML
title: Kubernetes Potential Enumeration Activity
id: 597a7e84-187d-458b-9e4f-2f5a0e676711
status: experimental
description: |
Detects potential Kubernetes enumeration or attack activity via the audit log.
This includes the execution of common shells, utilities, or specialized tools like 'Rakkess' (access_matrix) and 'TruffleHog' via Kubernetes API requests.
Attackers use these methods to perform reconnaissance (enumeration), secret harvesting, or execute code (exec) within a cluster.
references:
- https://www.nccgroup.com/research/detection-engineering-for-kubernetes-clusters/
- https://github.com/trufflesecurity/trufflehog
- https://github.com/corneliusweig/rakkess
author: uniqu3-us3r
date: 2026-04-28
tags:
- attack.execution
- attack.discovery
- attack.t1609
- attack.t1613
logsource:
product: kubernetes
service: audit
detection:
selection_status:
responseStatus.code: 'ALLOW'
selection_request_uri:
requestURI|contains:
# Shells Encoded
- '%2fbin%2fash'
- '%2fbin%2fbash'
- '%2fbin%2fbusybox'
- '%2fbin%2fdash'
- '%2fbin%2fsh'
- '%2fbin%2fzsh'
# Shells Plain
- '/bin/ash'
- '/bin/bash'
- '/bin/busybox'
- '/bin/dash'
- '/bin/sh'
- '/bin/zsh'
# Tools Encoded
- '%2fusr%2fbin%2fcurl'
- '%2fusr%2fbin%2fkubectl'
- '%2fusr%2fbin%2fperl'
- '%2fusr%2fbin%2fpython'
- '%2fusr%2fbin%2fwget'
# Tools Plain
- '/usr/bin/curl'
- '/usr/bin/kubectl'
- '/usr/bin/perl'
- '/usr/bin/python'
- '/usr/bin/wget'
selection_request_user_agent:
userAgent|contains:
- 'access_matrix' # Rakkess
- 'trufflehog' # Secret scanning tool
- 'azurehound' # Azure/Cloud discovery
- 'micro-scanner' # Vulnerability scanning
condition: selection_status and 1 of selection_request_*
falsepositives:
- Authorized administrative maintenance via kubectl
- Automated internal infrastructure monitoring and certificate rotation
- Security-approved vulnerability or secret scanning in DevSecOps pipelines
level: medium
Convert to SIEM query
medium
Moderate
Low FP
Kubernetes Rolebinding Modification
Detects when a Kubernetes Rolebinding is created or modified.
view Sigma YAML
title: Kubernetes Rolebinding Modification
id: 10b97915-ec8d-455f-a815-9a78926585f6
related:
- id: 0322d9f2-289a-47c2-b5e1-b63c90901a3e
type: similar
status: test
description: |
Detects when a Kubernetes Rolebinding is created or modified.
references:
- https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
- https://medium.com/@seifeddinerajhi/kubernetes-rbac-privilege-escalation-exploits-and-mitigations-26c07629eeab
author: kelnage
date: 2024-07-11
tags:
- attack.privilege-escalation
logsource:
product: kubernetes
service: audit
detection:
selection:
objectRef.apiGroup: 'rbac.authorization.k8s.io'
objectRef.resource:
- 'clusterrolebindings'
- 'rolebindings'
verb:
- 'create'
- 'delete'
- 'patch'
- 'replace'
- 'update'
condition: selection
falsepositives:
- Modifying a Kubernetes Rolebinding may need to be done by a system administrator.
- Automated processes may need to take these actions and may need to be filtered.
level: medium
Convert to SIEM query
medium
Moderate
Low FP
Kubernetes Secrets Modified or Deleted
Detects when Kubernetes Secrets are Modified or Deleted.
view Sigma YAML
title: Kubernetes Secrets Modified or Deleted
id: 58d31a75-a4f8-4c40-985b-373d58162ca2
related:
- id: 2f0bae2d-bf20-4465-be86-1311addebaa3
type: similar
status: test
description: |
Detects when Kubernetes Secrets are Modified or Deleted.
references:
- https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
- https://commandk.dev/blog/guide-to-audit-k8s-secrets-for-compliance/
author: kelnage
date: 2024-07-11
tags:
- attack.credential-access
logsource:
product: kubernetes
service: audit
detection:
selection:
objectRef.resource: 'secrets'
verb:
- 'create'
- 'delete'
- 'patch'
- 'replace'
- 'update'
condition: selection
falsepositives:
- Secrets being modified or deleted may be performed by a system administrator.
- Automated processes may need to take these actions and may need to be filtered.
level: medium
Convert to SIEM query
medium
Strong
High FP
LOLBAS Data Exfiltration by DataSvcUtil.exe
Detects when a user performs data exfiltration by using DataSvcUtil.exe
view Sigma YAML
title: LOLBAS Data Exfiltration by DataSvcUtil.exe
id: e290b10b-1023-4452-a4a9-eb31a9013b3a
status: test
description: Detects when a user performs data exfiltration by using DataSvcUtil.exe
references:
- https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6
- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe
- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services
- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services
- https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/
author: Ialle Teixeira @teixeira0xfffff, Austin Songer @austinsonger
date: 2021-09-30
modified: 2022-05-16
tags:
- attack.exfiltration
- attack.t1567
logsource:
category: process_creation
product: windows
detection:
selection_cli:
CommandLine|contains:
- '/in:'
- '/out:'
- '/uri:'
selection_img:
- Image|endswith: '\DataSvcUtil.exe'
- OriginalFileName: 'DataSvcUtil.exe'
condition: all of selection*
falsepositives:
- DataSvcUtil.exe being used may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- DataSvcUtil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
LSA PPL Protection Setting Modification via CommandLine
Detects modification of LSA PPL protection settings via CommandLine.
It may indicate an attempt to disable protection and enable credential dumping tools to access LSASS process memory.
view Sigma YAML
title: LSA PPL Protection Setting Modification via CommandLine
id: 8c0eca51-0f88-4db2-9183-fdfb10c703f9
status: test
description: |
Detects modification of LSA PPL protection settings via CommandLine.
It may indicate an attempt to disable protection and enable credential dumping tools to access LSASS process memory.
references:
- https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/
- https://github.com/shoober420/windows11-scripts/blob/38d83331738cd713ccb42f2c4557d17a27aefd98/Windows11Tweaks.bat#L1825
author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2022-03-22
modified: 2026-03-13
tags:
- attack.defense-impairment
- attack.t1689
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\reg.exe'
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'reg.exe'
- 'powershell.exe'
- 'pwsh.dll'
selection_cli_action:
CommandLine|contains|all:
- 'ControlSet'
- '\Control\Lsa'
CommandLine|contains:
- 'Set-ItemProperty'
- 'New-ItemProperty'
- ' add '
selection_key:
CommandLine|contains:
- 'IsPplAutoEnabled'
- 'RunAsPPL'
- 'RunAsPPLBoot'
condition: all of selection_*
falsepositives:
- Unlikely
level: medium
Convert to SIEM query
medium
Strong
Medium FP
LSASS Access From Non System Account
Detects potential mimikatz-like tools accessing LSASS from non system account
view Sigma YAML
title: LSASS Access From Non System Account
id: 962fe167-e48d-4fd6-9974-11e5b9a5d6d1
status: test
description: Detects potential mimikatz-like tools accessing LSASS from non system account
references:
- https://threathunterplaybook.com/hunts/windows/170105-LSASSMemoryReadAccess/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-06-20
modified: 2023-12-11
tags:
- attack.credential-access
- attack.t1003.001
logsource:
product: windows
service: security
detection:
selection:
EventID:
- 4663
- 4656
AccessMask:
- '0x100000'
- '0x1010' # car.2019-04-004
- '0x1400'
- '0x1410' # car.2019-04-004
- '0x1418' # car.2019-04-004
- '0x1438' # car.2019-04-004
- '0x143a' # car.2019-04-004
- '0x1f0fff'
- '0x1f1fff'
- '0x1f2fff'
- '0x1f3fff'
- '0x40'
- '143a' # car.2019-04-004
- '1f0fff'
- '1f1fff'
- '1f2fff'
- '1f3fff'
# - '0x1000' # minimum access requirements to query basic info from service
ObjectType: 'Process'
ObjectName|endswith: '\lsass.exe'
filter_main_service_account:
SubjectUserName|endswith: '$'
filter_main_generic:
ProcessName|contains:
# Legitimate AV and EDR solutions
- ':\Program Files\'
- ':\Program Files (x86)\'
filter_main_wmiprvse:
ProcessName: 'C:\Windows\System32\wbem\WmiPrvSE.exe'
AccessMask: '0x1410'
filter_optional_steam:
ProcessName|contains: '\SteamLibrary\steamapps\'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
LSASS Access From Program In Potentially Suspicious Folder
Detects process access to LSASS memory with suspicious access flags and from a potentially suspicious folder
view Sigma YAML
title: LSASS Access From Program In Potentially Suspicious Folder
id: fa34b441-961a-42fa-a100-ecc28c886725
status: test
description: Detects process access to LSASS memory with suspicious access flags and from a potentially suspicious folder
references:
- https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
- https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
- https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
- https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
author: Florian Roth (Nextron Systems)
date: 2021-11-27
modified: 2023-12-06
tags:
- attack.credential-access
- attack.t1003.001
- attack.s0002
- detection.threat-hunting
logsource:
category: process_access
product: windows
detection:
selection:
TargetImage|endswith: '\lsass.exe'
GrantedAccess|endswith:
- '10'
- '30'
- '50'
- '70'
- '90'
- 'B0'
- 'D0'
- 'F0'
- '18'
- '38'
- '58'
- '78'
- '98'
- 'B8'
- 'D8'
- 'F8'
- '1A'
- '3A'
- '5A'
- '7A'
- '9A'
- 'BA'
- 'DA'
- 'FA'
- '0x14C2' # https://github.com/b4rtik/ATPMiniDump/blob/76304f93b390af3bb66e4f451ca16562a479bdc9/ATPMiniDump/ATPMiniDump.c
- 'FF'
SourceImage|contains:
- '\Temp\'
- '\Users\Public\'
- '\PerfLogs\'
- '\AppData\'
- '\Temporary'
filter_optional_generic_appdata:
SourceImage|contains|all:
- ':\Users\'
- '\AppData\Local\'
SourceImage|endswith:
- '\Microsoft VS Code\Code.exe'
- '\software_reporter_tool.exe'
- '\DropboxUpdate.exe'
- '\MBAMInstallerService.exe'
- '\WebexMTA.exe'
- '\Meetings\WebexMTAV2.exe'
- '\WebEx\WebexHost.exe'
- '\JetBrains\Toolbox\bin\jetbrains-toolbox.exe'
GrantedAccess: '0x410'
filter_optional_dropbox_1:
SourceImage|contains: ':\Windows\Temp\'
SourceImage|endswith: '.tmp\DropboxUpdate.exe'
GrantedAccess:
- '0x410'
- '0x1410'
filter_optional_dropbox_2:
SourceImage|contains|all:
- ':\Users\'
- '\AppData\Local\Temp\'
SourceImage|endswith: '.tmp\DropboxUpdate.exe'
GrantedAccess: '0x1410'
filter_optional_dropbox_3:
SourceImage|contains:
- ':\Program Files (x86)\Dropbox\'
- ':\Program Files\Dropbox\'
SourceImage|endswith: '\DropboxUpdate.exe'
GrantedAccess: '0x1410'
filter_optional_nextron:
SourceImage|contains:
- ':\Windows\Temp\asgard2-agent\'
- ':\Windows\Temp\asgard2-agent-sc\'
SourceImage|endswith:
- '\thor64.exe'
- '\thor.exe'
- '\aurora-agent-64.exe'
- '\aurora-agent.exe'
GrantedAccess:
- '0x1fffff'
- '0x1010'
- '0x101010'
filter_optional_ms_products:
SourceImage|contains|all:
- ':\Users\'
- '\AppData\Local\Temp\'
- '\vs_bootstrapper_'
GrantedAccess: '0x1410'
filter_optional_chrome_update:
SourceImage|contains: ':\Program Files (x86)\Google\Temp\'
SourceImage|endswith: '.tmp\GoogleUpdate.exe'
GrantedAccess:
- '0x410'
- '0x1410'
filter_optional_keybase:
SourceImage|contains: ':\Users\'
SourceImage|endswith: \AppData\Local\Keybase\keybase.exe
GrantedAccess: '0x1fffff'
filter_optional_avira:
SourceImage|contains: '\AppData\Local\Temp\is-'
SourceImage|endswith: '.tmp\avira_system_speedup.tmp'
GrantedAccess: '0x1410'
filter_optional_viberpc_updater:
SourceImage|contains: '\AppData\Roaming\ViberPC\'
SourceImage|endswith: '\updater.exe'
TargetImage|endswith: '\winlogon.exe'
GrantedAccess: '0x1fffff'
filter_optional_adobe_arm_helper:
SourceImage|contains: # Example path: 'C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Temp\2092867405\AdobeARMHelper.exe'
- ':\Program Files\Common Files\Adobe\ARM\'
- ':\Program Files (x86)\Common Files\Adobe\ARM\'
SourceImage|endswith: '\AdobeARMHelper.exe'
GrantedAccess: '0x1410'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Updaters and installers are typical false positives. Apply custom filters depending on your environment
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Launch Agent/Daemon Execution Via Launchctl
Detects the execution of programs as Launch Agents or Launch Daemons using launchctl on macOS.
view Sigma YAML
title: Launch Agent/Daemon Execution Via Launchctl
id: ae9d710f-dcd1-4f75-a0a5-93a73b5dda0e
status: test
description: Detects the execution of programs as Launch Agents or Launch Daemons using launchctl on macOS.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1569.001/T1569.001.md
- https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/
- https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html
- https://www.loobins.io/binaries/launchctl/
author: Pratinav Chandra
date: 2024-05-13
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1569.001
- attack.t1543.001
- attack.t1543.004
logsource:
category: process_creation
product: macos
detection:
selection:
Image|endswith: '/launchctl'
CommandLine|contains:
- 'submit'
- 'load'
- 'start'
condition: selection
falsepositives:
- Legitimate administration activities is expected to trigger false positives. Investigate the command line being passed to determine if the service or launch agent are suspicious.
level: medium
Convert to SIEM query
medium
Moderate
High FP
Launch-VsDevShell.PS1 Proxy Execution
Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands.
view Sigma YAML
title: Launch-VsDevShell.PS1 Proxy Execution
id: 45d3a03d-f441-458c-8883-df101a3bb146
status: test
description: Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands.
references:
- https://twitter.com/nas_bench/status/1535981653239255040
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-19
tags:
- attack.stealth
- attack.t1216.001
logsource:
category: process_creation
product: windows
detection:
selection_script:
CommandLine|contains: 'Launch-VsDevShell.ps1'
selection_flags:
CommandLine|contains:
- 'VsWherePath '
- 'VsInstallationPath '
condition: all of selection_*
falsepositives:
- Legitimate usage of the script by a developer
level: medium
Convert to SIEM query
medium
Moderate
High FP
Linux Base64 Encoded Pipe to Shell
Detects suspicious process command line that uses base64 encoded input for execution with a shell
view Sigma YAML
title: Linux Base64 Encoded Pipe to Shell
id: ba592c6d-6888-43c3-b8c6-689b8fe47337
status: test
description: Detects suspicious process command line that uses base64 encoded input for execution with a shell
references:
- https://github.com/arget13/DDexec
- https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
author: pH-T (Nextron Systems)
date: 2022-07-26
modified: 2023-06-16
tags:
- attack.stealth
- attack.t1140
logsource:
product: linux
category: process_creation
detection:
selection_base64:
CommandLine|contains: 'base64 '
selection_exec:
- CommandLine|contains:
- '| bash '
- '| sh '
- '|bash '
- '|sh '
- CommandLine|endswith:
- ' |sh'
- '| bash'
- '| sh'
- '|bash'
condition: all of selection_*
falsepositives:
- Legitimate administration activities
level: medium
Convert to SIEM query
medium
Moderate
High FP
Linux Base64 Encoded Shebang In CLI
Detects the presence of a base64 version of the shebang in the commandline, which could indicate a malicious payload about to be decoded
view Sigma YAML
title: Linux Base64 Encoded Shebang In CLI
id: fe2f9663-41cb-47e2-b954-8a228f3b9dff
status: test
description: Detects the presence of a base64 version of the shebang in the commandline, which could indicate a malicious payload about to be decoded
references:
- https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html
- https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-15
tags:
- attack.stealth
- attack.t1140
logsource:
product: linux
category: process_creation
detection:
selection:
CommandLine|contains:
- "IyEvYmluL2Jhc2" # Note: #!/bin/bash"
- "IyEvYmluL2Rhc2" # Note: #!/bin/dash"
- "IyEvYmluL3pza" # Note: #!/bin/zsh"
- "IyEvYmluL2Zpc2" # Note: #!/bin/fish
- "IyEvYmluL3No" # Note: # !/bin/sh"
condition: selection
falsepositives:
- Legitimate administration activities
level: medium
Convert to SIEM query
medium
Moderate
High FP
Linux Doas Conf File Creation
Detects the creation of doas.conf file in linux host platform.
view Sigma YAML
title: Linux Doas Conf File Creation
id: 00eee2a5-fdb0-4746-a21d-e43fbdea5681
status: stable
description: Detects the creation of doas.conf file in linux host platform.
references:
- https://research.splunk.com/endpoint/linux_doas_conf_file_creation/
- https://www.makeuseof.com/how-to-install-and-use-doas/
author: Sittikorn S, Teoderick Contreras
date: 2022-01-20
modified: 2022-12-31
tags:
- attack.privilege-escalation
- attack.t1548
logsource:
product: linux
category: file_event
detection:
selection:
TargetFilename|endswith: '/etc/doas.conf'
condition: selection
falsepositives:
- Unlikely
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Linux Logs Clearing Attempts
Detects logs clearing attempts on Linux systems via utilities such as 'rm', 'rmdir', 'shred', and 'unlink' targeting log files and directories.
Adversaries often try to clear logs to cover their tracks after performing malicious activities.
view Sigma YAML
title: Linux Logs Clearing Attempts
id: 80915f59-9b56-4616-9de0-fd0dea6c12fe
status: stable
description: |
Detects logs clearing attempts on Linux systems via utilities such as 'rm', 'rmdir', 'shred', and 'unlink' targeting log files and directories.
Adversaries often try to clear logs to cover their tracks after performing malicious activities.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md
author: Ömer Günal, oscd.community
date: 2020-10-07
modified: 2026-03-18
tags:
- attack.defense-impairment
- attack.t1685.006
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith:
- '/rm' # covers /rmdir as well
- '/rmdir'
- '/shred'
- '/unlink'
CommandLine|contains:
- '/var/log'
- '/var/spool/mail'
filter_main_legit_systat:
Image|endswith: '/rm'
CommandLine|startswith: 'rm -f /var/log/sysstat/'
filter_main_dmseg:
Image|endswith: '/rm'
CommandLine|startswith: 'rm -f -- /var/log//dmesg' # // before dmesg is not typo
condition: selection and not 1 of filter_main_*
falsepositives:
- Legitimate administration activities
level: medium
Convert to SIEM query
medium
Moderate
High FP
Linux Shell Pipe to Shell
Detects suspicious process command line that starts with a shell that executes something and finally gets piped into another shell
view Sigma YAML
title: Linux Shell Pipe to Shell
id: 880973f3-9708-491c-a77b-2a35a1921158
status: test
description: Detects suspicious process command line that starts with a shell that executes something and finally gets piped into another shell
references:
- Internal Research
author: Florian Roth (Nextron Systems)
date: 2022-03-14
modified: 2022-07-26
tags:
- attack.stealth
- attack.t1140
logsource:
product: linux
category: process_creation
detection:
selection:
CommandLine|startswith:
- 'sh -c '
- 'bash -c '
selection_exec:
- CommandLine|contains:
- '| bash '
- '| sh '
- '|bash '
- '|sh '
- CommandLine|endswith:
- '| bash'
- '| sh'
- '|bash'
- ' |sh'
condition: all of selection*
falsepositives:
- Legitimate software that uses these patterns
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
LiveKD Driver Creation
Detects the creation of the LiveKD driver, which is used for live kernel debugging
view Sigma YAML
title: LiveKD Driver Creation
id: 16fe46bb-4f64-46aa-817d-ff7bec4a2352
status: test
description: Detects the creation of the LiveKD driver, which is used for live kernel debugging
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-16
tags:
- attack.privilege-escalation
- attack.stealth
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename: 'C:\Windows\System32\drivers\LiveKdD.SYS'
Image|endswith:
- '\livekd.exe'
- '\livek64.exe'
condition: selection
falsepositives:
- Legitimate usage of LiveKD for debugging purposes will also trigger this
level: medium
Convert to SIEM query
medium
Moderate
Low FP
LoadBalancer Security Group Modification
Detects changes to the security groups associated with an Elastic Load Balancer (ELB) or Application Load Balancer (ALB).
This can indicate that a misconfiguration allowing more traffic into the system than required, or could indicate that an attacker is attempting to enable new connections into a VPC or subnet controlled by the account.
view Sigma YAML
title: LoadBalancer Security Group Modification
id: 7a4409fc-f8ca-45f6-8006-127d779eaad9
status: test
description: |
Detects changes to the security groups associated with an Elastic Load Balancer (ELB) or Application Load Balancer (ALB).
This can indicate that a misconfiguration allowing more traffic into the system than required, or could indicate that an attacker is attempting to enable new connections into a VPC or subnet controlled by the account.
references:
- https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/
author: jamesc-grafana
date: 2024-07-11
tags:
- attack.initial-access
- attack.t1190
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: 'elasticloadbalancing.amazonaws.com'
eventName:
- 'ApplySecurityGroupsToLoadBalancer'
- 'SetSecurityGroups'
condition: selection
falsepositives:
- Repurposing of an ELB or ALB to serve a different or additional application
- Changes to security groups to allow for new services to be deployed
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Loaded Module Enumeration Via Tasklist.EXE
Detects the enumeration of a specific DLL or EXE being used by a binary via "tasklist.exe".
This is often used by attackers in order to find the specific process identifier (PID) that is using the DLL in question.
In order to dump the process memory or perform other nefarious actions.
view Sigma YAML
title: Loaded Module Enumeration Via Tasklist.EXE
id: 34275eb8-fa19-436b-b959-3d9ecd53fa1f
status: test
description: |
Detects the enumeration of a specific DLL or EXE being used by a binary via "tasklist.exe".
This is often used by attackers in order to find the specific process identifier (PID) that is using the DLL in question.
In order to dump the process memory or perform other nefarious actions.
references:
- https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/
- https://pentestlab.blog/tag/svchost/
author: Swachchhanda Shrawan Poudel
date: 2024-02-12
modified: 2024-03-13
tags:
- attack.t1003
- attack.credential-access
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\tasklist.exe'
- OriginalFileName: 'tasklist.exe'
selection_flags:
CommandLine|contains|windash: '-m'
selection_module:
# Note: add other interesting modules or binaries
CommandLine|contains: 'rdpcorets.dll'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Local File Read Using Curl.EXE
Detects execution of "curl.exe" with the "file://" protocol handler in order to read local files.
view Sigma YAML
title: Local File Read Using Curl.EXE
id: aa6f6ea6-0676-40dd-b510-6e46f02d8867
status: test
description: Detects execution of "curl.exe" with the "file://" protocol handler in order to read local files.
references:
- https://curl.se/docs/manpage.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-27
tags:
- attack.execution
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\curl.exe'
- OriginalFileName: 'curl.exe'
selection_cli:
CommandLine|contains: 'file:///'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_local_file_read/info.yml
Convert to SIEM query
medium
Moderate
Medium FP
Local Network Connection Initiated By Script Interpreter
Detects a script interpreter (Wscript/Cscript) initiating a local network connection to download or execute a script hosted on a shared folder.
view Sigma YAML
title: Local Network Connection Initiated By Script Interpreter
id: 08249dc0-a28d-4555-8ba5-9255a198e08c
related:
- id: 992a6cae-db6a-43c8-9cec-76d7195c96fc
type: derived
status: test
description: |
Detects a script interpreter (Wscript/Cscript) initiating a local network connection to download or execute a script hosted on a shared folder.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md
author: frack113
date: 2022-08-28
modified: 2024-05-31
tags:
- attack.command-and-control
- attack.t1105
logsource:
category: network_connection
product: windows
detection:
selection:
Initiated: 'true'
Image|endswith:
- '\wscript.exe'
- '\cscript.exe'
# Note: This list is added to avoid duplicate alerting with 992a6cae-db6a-43c8-9cec-76d7195c96fc
DestinationIp|cidr:
- '127.0.0.0/8'
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '169.254.0.0/16'
- '::1/128' # IPv6 loopback
- 'fe80::/10' # IPv6 link-local addresses
- 'fc00::/7' # IPv6 private addresses
condition: selection
falsepositives:
- Legitimate scripts
level: medium
Convert to SIEM query
medium
Moderate
High FP
Logged-On User Password Change Via Ksetup.EXE
Detects password change for the logged-on user's via "ksetup.exe"
view Sigma YAML
title: Logged-On User Password Change Via Ksetup.EXE
id: c9783e20-4793-4164-ba96-d9ee483992c4
status: test
description: Detects password change for the logged-on user's via "ksetup.exe"
references:
- https://learn.microsoft.com/en-gb/windows-server/administration/windows-commands/ksetup
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-06
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\ksetup.exe'
- OriginalFileName: 'ksetup.exe'
selection_cli:
CommandLine|contains: ' /ChangePassword '
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Low FP
Login to Disabled Account
Detect failed attempts to sign in to disabled accounts.
view Sigma YAML
title: Login to Disabled Account
id: 908655e0-25cf-4ae1-b775-1c8ce9cf43d8
status: test
description: Detect failed attempts to sign in to disabled accounts.
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
author: AlertIQ
date: 2021-10-10
modified: 2022-12-25
tags:
- attack.privilege-escalation
- attack.persistence
- attack.initial-access
- attack.stealth
- attack.t1078.004
logsource:
product: azure
service: signinlogs
detection:
selection:
ResultType: 50057
ResultDescription: 'User account is disabled. The account has been disabled by an administrator.'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Low FP
Logon from a Risky IP Address
Detects when a Microsoft Cloud App Security reported when a user signs into your sanctioned apps from a risky IP address.
view Sigma YAML
title: Logon from a Risky IP Address
id: c191e2fa-f9d6-4ccf-82af-4f2aba08359f
status: test
description: Detects when a Microsoft Cloud App Security reported when a user signs into your sanctioned apps from a risky IP address.
references:
- https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
- https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
author: Austin Songer @austinsonger
date: 2021-08-23
modified: 2022-10-09
tags:
- attack.privilege-escalation
- attack.persistence
- attack.initial-access
- attack.stealth
- attack.t1078
logsource:
service: threat_management
product: m365
detection:
selection:
eventSource: SecurityComplianceCenter
eventName: 'Log on from a risky IP address'
status: success
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Lolbin Runexehelper Use As Proxy
Detect usage of the "runexehelper.exe" binary as a proxy to launch other programs
view Sigma YAML
title: Lolbin Runexehelper Use As Proxy
id: cd71385d-fd9b-4691-9b98-2b1f7e508714
status: test
description: Detect usage of the "runexehelper.exe" binary as a proxy to launch other programs
references:
- https://twitter.com/0gtweet/status/1206692239839289344
- https://lolbas-project.github.io/lolbas/Binaries/Runexehelper/
author: frack113
date: 2022-12-29
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\runexehelper.exe'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Lolbin Unregmp2.exe Use As Proxy
Detect usage of the "unregmp2.exe" binary as a proxy to launch a custom version of "wmpnscfg.exe"
view Sigma YAML
title: Lolbin Unregmp2.exe Use As Proxy
id: 727454c0-d851-48b0-8b89-385611ab0704
status: test
description: Detect usage of the "unregmp2.exe" binary as a proxy to launch a custom version of "wmpnscfg.exe"
references:
- https://lolbas-project.github.io/lolbas/Binaries/Unregmp2/
author: frack113
date: 2022-12-29
modified: 2024-06-04
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\unregmp2.exe'
- OriginalFileName: 'unregmp2.exe'
selection_cmd:
CommandLine|contains|windash: ' /HideWMP'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Basic
High FP
Low Reputation Effective Top-Level Domain (eTLD)
Detects DNS queries to domains within known low reputation eTLDs. This rule uses AlphaSOC's threat intelligence data and is updated on a monthly basis.
view Sigma YAML
title: Low Reputation Effective Top-Level Domain (eTLD)
id: cf5ee356-65c4-4556-8d11-6977fcdfed4b
status: experimental
description: Detects DNS queries to domains within known low reputation eTLDs. This rule uses AlphaSOC's threat intelligence data and is updated on a monthly basis.
references:
- https://feeds.alphasoc.net/bad-etlds.txt
author: Norbert Jaśniewicz (AlphaSOC)
date: 2025-08-04
tags:
- attack.command-and-control
- attack.t1071.004
- attack.initial-access
- detection.threat-hunting
logsource:
category: dns
detection:
selection:
query|endswith:
- '.duckdns.org'
- '.top'
- '.ddns.net'
- '.gl.at.ply.gg'
- '.portmap.io'
- '.icu'
- '.zapto.org'
- '.live'
- '.hopto.org'
- '.portmap.host'
- '.sbs'
- '.sytes.net'
- '.click'
- '.ydns.eu'
- '.site'
- '.cloud'
- '.no-ip.org'
- '.kozow.com'
- '.lat'
- '.pro'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Low FP
MITRE BZAR Indicators for Execution
Windows DCE-RPC functions which indicate an execution techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE
view Sigma YAML
title: MITRE BZAR Indicators for Execution
id: b640c0b8-87f8-4daa-aef8-95a24261dd1d
status: test
description: 'Windows DCE-RPC functions which indicate an execution techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE'
references:
- https://github.com/mitre-attack/bzar#indicators-for-attck-execution
author: '@neu5ron, SOC Prime'
date: 2020-03-19
modified: 2021-11-27
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.t1047
- attack.t1053.002
- attack.t1569.002
logsource:
product: zeek
service: dce_rpc
detection:
op1:
endpoint: 'JobAdd'
operation: 'atsvc'
op2:
endpoint: 'ITaskSchedulerService'
operation: 'SchRpcEnableTask'
op3:
endpoint: 'ITaskSchedulerService'
operation: 'SchRpcRegisterTask'
op4:
endpoint: 'ITaskSchedulerService'
operation: 'SchRpcRun'
op5:
endpoint: 'IWbemServices'
operation: 'ExecMethod'
op6:
endpoint: 'IWbemServices'
operation: 'ExecMethodAsync'
op7:
endpoint: 'svcctl'
operation: 'CreateServiceA'
op8:
endpoint: 'svcctl'
operation: 'CreateServiceW'
op9:
endpoint: 'svcctl'
operation: 'StartServiceA'
op10:
endpoint: 'svcctl'
operation: 'StartServiceW'
condition: 1 of op*
falsepositives:
- Windows administrator tasks or troubleshooting
- Windows management scripts or software
level: medium
Convert to SIEM query
medium
Strong
Low FP
MITRE BZAR Indicators for Persistence
Windows DCE-RPC functions which indicate a persistence techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.
view Sigma YAML
title: MITRE BZAR Indicators for Persistence
id: 53389db6-ba46-48e3-a94c-e0f2cefe1583
status: test
description: 'Windows DCE-RPC functions which indicate a persistence techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.'
references:
- https://github.com/mitre-attack/bzar#indicators-for-attck-persistence
author: '@neu5ron, SOC Prime'
date: 2020-03-19
modified: 2021-11-27
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.004
logsource:
product: zeek
service: dce_rpc
detection:
op1:
endpoint: 'spoolss'
operation: 'RpcAddMonitor'
op2:
endpoint: 'spoolss'
operation: 'RpcAddPrintProcessor'
op3:
endpoint: 'IRemoteWinspool'
operation: 'RpcAsyncAddMonitor'
op4:
endpoint: 'IRemoteWinspool'
operation: 'RpcAsyncAddPrintProcessor'
op5:
endpoint: 'ISecLogon'
operation: 'SeclCreateProcessWithLogonW'
op6:
endpoint: 'ISecLogon'
operation: 'SeclCreateProcessWithLogonExW'
condition: 1 of op*
falsepositives:
- Windows administrator tasks or troubleshooting
- Windows management scripts or software
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
MMC Loading Script Engines DLLs
Detects when the Microsoft Management Console (MMC) loads the DLL libraries like vbscript, jscript etc which might indicate an attempt
to execute malicious scripts within a trusted system process for bypassing application whitelisting or defense evasion.
view Sigma YAML
title: MMC Loading Script Engines DLLs
id: a9c73e8b-3b2d-4c45-8ef2-5f9a9c9998ad
status: experimental
description: |
Detects when the Microsoft Management Console (MMC) loads the DLL libraries like vbscript, jscript etc which might indicate an attempt
to execute malicious scripts within a trusted system process for bypassing application whitelisting or defense evasion.
references:
- https://tria.ge/241015-l98snsyeje/behavioral2
- https://www.elastic.co/security-labs/grimresource
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-02-05
tags:
- attack.execution
- attack.stealth
- attack.t1059.005
- attack.t1218.014
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith: '\mmc.exe'
ImageLoaded|endswith:
- '\vbscript.dll'
- '\jscript.dll'
- '\jscript9.dll'
condition: selection
falsepositives:
- Legitimate MMC operations or extensions loading these libraries
level: medium
Convert to SIEM query
medium
Moderate
High FP
MSExchange Transport Agent Installation
Detects the Installation of a Exchange Transport Agent
view Sigma YAML
title: MSExchange Transport Agent Installation
id: 83809e84-4475-4b69-bc3e-4aad8568612f
related:
- id: 83809e84-4475-4b69-bc3e-4aad8568612f
type: similar
status: test
description: Detects the Installation of a Exchange Transport Agent
references:
- https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=7
author: Tobias Michalski (Nextron Systems)
date: 2021-06-08
modified: 2022-10-09
tags:
- attack.persistence
- attack.t1505.002
logsource:
product: windows
category: process_creation
detection:
selection:
CommandLine|contains: 'Install-TransportAgent'
condition: selection
falsepositives:
- Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this.
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
MSExchange Transport Agent Installation - Builtin
Detects the Installation of a Exchange Transport Agent
view Sigma YAML
title: MSExchange Transport Agent Installation - Builtin
id: 4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6
related:
- id: 83809e84-4475-4b69-bc3e-4aad8568612f
type: derived
status: test
description: Detects the Installation of a Exchange Transport Agent
references:
- https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=7
author: Tobias Michalski (Nextron Systems)
date: 2021-06-08
modified: 2022-11-27
tags:
- attack.persistence
- attack.t1505.002
logsource:
product: windows
service: msexchange-management
detection:
selection:
- 'Install-TransportAgent'
condition: selection
falsepositives:
- Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this.
level: medium
Convert to SIEM query
medium
Strong
Medium FP
MSI Installation From Suspicious Locations
Detects MSI package installation from suspicious locations
view Sigma YAML
title: MSI Installation From Suspicious Locations
id: c7c8aa1c-5aff-408e-828b-998e3620b341
status: test
description: Detects MSI package installation from suspicious locations
references:
- https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-31
modified: 2023-10-23
tags:
- attack.execution
logsource:
product: windows
service: application
# warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
selection:
Provider_Name: 'MsiInstaller'
EventID:
- 1040
- 1042
Data|contains:
# Add more suspicious paths
- ':\Windows\TEMP\'
- '\\\\'
- '\Desktop\'
- '\PerfLogs\'
- '\Users\Public\'
# - '\AppData\Local\Temp\' # too many FPs
# - '\Downloads\' # too many FPs, typical legitimate staging directory
filter_winget:
Data|contains: '\AppData\Local\Temp\WinGet\'
filter_updhealthtools:
Data|contains: 'C:\Windows\TEMP\UpdHealthTools.msi'
condition: selection and not 1 of filter_*
falsepositives:
- False positives may occur if you allow installation from folders such as the desktop, the public folder or remote shares. A baseline is required before production use.
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
MSI Installation From Web
Detects installation of a remote msi file from web.
view Sigma YAML
title: MSI Installation From Web
id: 5594e67a-7f92-4a04-b65d-1a42fd824a60
status: test
description: Detects installation of a remote msi file from web.
references:
- https://twitter.com/_st0pp3r_/status/1583922009842802689
author: Stamatis Chatzimangou
date: 2022-10-23
tags:
- attack.stealth
- attack.t1218
- attack.t1218.007
logsource:
product: windows
service: application
# warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
selection:
Provider_Name: 'MsiInstaller'
EventID:
- 1040
- 1042
Data|contains: '://'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
MSSQL Destructive Query
Detects the invocation of MS SQL transactions that are destructive towards table or database data, such as "DROP TABLE" or "DROP DATABASE".
view Sigma YAML
title: MSSQL Destructive Query
id: 00321fee-ca72-4cce-b011-5415af3b9960
status: experimental
description: |
Detects the invocation of MS SQL transactions that are destructive towards table or database data, such as "DROP TABLE" or "DROP DATABASE".
references:
- https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-table-transact-sql?view=sql-server-ver16
- https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-database-transact-sql?view=sql-server-ver16
- https://learn.microsoft.com/en-us/sql/t-sql/statements/truncate-table-transact-sql?view=sql-server-ver16
author: Daniel Degasperi '@d4ns4n_'
date: 2025-06-04
tags:
- attack.exfiltration
- attack.impact
- attack.t1485
logsource:
product: windows
service: application
definition: 'Requirements: MSSQL audit policy must be enabled in order to receive this event (event id 33205)'
detection:
selection:
Provider_Name: 'MSSQLSERVER$AUDIT'
EventID: 33205
Data|contains:
- 'statement:TRUNCATE TABLE'
- 'statement:DROP TABLE'
- 'statement:DROP DATABASE'
condition: selection
falsepositives:
- Legitimate transaction from a sysadmin.
level: medium
Convert to SIEM query
medium
Strong
Medium FP
MSSQL Server Failed Logon From External Network
Detects failed logon attempts from clients with external network IP to an MSSQL server. This can be a sign of a bruteforce attack.
view Sigma YAML
title: MSSQL Server Failed Logon From External Network
id: ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d
related:
- id: 218d2855-2bba-4f61-9c85-81d0ea63ac71
type: similar
status: test
description: Detects failed logon attempts from clients with external network IP to an MSSQL server. This can be a sign of a bruteforce attack.
references:
- https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/
- https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html
author: j4son
date: 2023-10-11
modified: 2025-05-28
tags:
- attack.credential-access
- attack.t1110
logsource:
product: windows
service: application
definition: 'Requirements: Must enable MSSQL authentication.'
detection:
selection:
Provider_Name|contains: 'MSSQL' # Note: We use contains to account for other third party providers - See https://github.com/SigmaHQ/sigma/issues/4876
EventID: 18456
filter_main_local_ips:
Data|contains:
- 'CLIENT: 10.' # filter_range_IP: 10.0.0.0/8
- 'CLIENT: 172.16.' # filter_range_IP: 172.16.0.0/12
- 'CLIENT: 172.17.'
- 'CLIENT: 172.18.'
- 'CLIENT: 172.19.'
- 'CLIENT: 172.20.'
- 'CLIENT: 172.21.'
- 'CLIENT: 172.22.'
- 'CLIENT: 172.23.'
- 'CLIENT: 172.24.'
- 'CLIENT: 172.25.'
- 'CLIENT: 172.26.'
- 'CLIENT: 172.27.'
- 'CLIENT: 172.28.'
- 'CLIENT: 172.29.'
- 'CLIENT: 172.30.'
- 'CLIENT: 172.31.'
- 'CLIENT: 192.168.' # filter_range_IP: 192.168.0.0/16
- 'CLIENT: 127.' # filter_loop_back: 127.0.0.0/8
- 'CLIENT: 169.254.' # fileter_link-local_addressing: 169.254.0.0/16
- 'CLIENT: <local machine>'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
MacOS Emond Launch Daemon
Detects additions to the Emond Launch Daemon that adversaries may use to gain persistence and elevate privileges.
view Sigma YAML
title: MacOS Emond Launch Daemon
id: 23c43900-e732-45a4-8354-63e4a6c187ce
status: test
description: Detects additions to the Emond Launch Daemon that adversaries may use to gain persistence and elevate privileges.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.014/T1546.014.md
- https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
author: Alejandro Ortuno, oscd.community
date: 2020-10-23
modified: 2021-11-27
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1546.014
logsource:
category: file_event
product: macos
detection:
selection_1:
TargetFilename|contains: '/etc/emond.d/rules/'
TargetFilename|endswith: '.plist'
selection_2:
TargetFilename|contains: '/private/var/db/emondClients/'
condition: 1 of selection_*
falsepositives:
- Legitimate administration activities
level: medium
Convert to SIEM query
medium
Strong
Medium FP
MacOS Scripting Interpreter AppleScript
Detects execution of AppleScript of the macOS scripting language AppleScript.
view Sigma YAML
title: MacOS Scripting Interpreter AppleScript
id: 1bc2e6c5-0885-472b-bed6-be5ea8eace55
status: test
description: Detects execution of AppleScript of the macOS scripting language AppleScript.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.002/T1059.002.md
- https://redcanary.com/blog/applescript/
author: Alejandro Ortuno, oscd.community
date: 2020-10-21
modified: 2026-05-21
tags:
- attack.execution
- attack.t1059.002
logsource:
category: process_creation
product: macos
detection:
selection:
Image|endswith: '/osascript'
CommandLine|contains:
- ' -e '
- '.scpt'
- '.js'
filter_optional_opencode:
# OpenCode uses osascript to handle copying text from the TUI on MacOS devices. See https://github.com/anomalyco/opencode/blob/ca723f1cbc6fc4244ae57e61e9de8c4e37380ed4/packages/opencode/src/cli/cmd/tui/util/clipboard.ts#L65 for reference.
ParentImage|endswith: 'opencode'
CommandLine|contains|all:
- 'osascript'
- ' -e '
- 'set imageData to the clipboard'
- 'set fileRef'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Application installers might contain scripts as part of the installation process.
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Mail Forwarding/Redirecting Activity In O365
Detects email forwarding or redirecting activity in O365 Audit logs.
view Sigma YAML
title: Mail Forwarding/Redirecting Activity In O365
id: c726e007-2cd0-4a55-abfb-79730fbedee5
status: test
description: Detects email forwarding or redirecting activity in O365 Audit logs.
references:
- https://redcanary.com/blog/email-forwarding-rules/
- https://github.com/PwC-IR/Business-Email-Compromise-Guide/blob/fe29ce06aef842efe4eb448c26bbe822bf5b895d/PwC-Business_Email_Compromise-Guide.pdf
author: RedCanary Team (idea), Harjot Singh @cyb3rjy0t
date: 2023-10-11
modified: 2024-11-17
tags:
- attack.collection
- attack.stealth
- attack.t1114.003
- attack.t1564.008
- attack.exfiltration
- attack.t1020
- detection.threat-hunting
logsource:
service: audit
product: m365
definition: "Requirements: The 'OperationProperties' and 'Parameters' fields are a list of dict. A correct mapping to the 'Value' field inside is recommended to avoid greedy search"
detection:
# Note: Might require seperation in the future when enough data is gatherd
selection_updateinbox:
Operation|contains: 'UpdateInboxRules'
OperationProperties|contains:
- 'Forward'
- 'Recipients'
selection_setmailbox:
Operation|contains: 'Set-Mailbox'
Parameters|contains:
- 'ForwardingSmtpAddress'
- 'ForwardingAddress'
selection_setinbox:
Operation|contains:
- 'New-InboxRule'
- 'Set-InboxRule'
Parameters|contains:
- 'ForwardAsAttachmentTo'
- 'ForwardingAddress'
- 'ForwardingSmtpAddress'
- 'ForwardTo'
- 'RedirectTo'
- 'RedirectToRecipients'
condition: 1 of selection_*
falsepositives:
- False positives are expected from legitimate mail forwarding rules. You need organisation specific knowledge. Filter out the domains that are allowed as forwarding targets as well as any additional metadata that you can use for exclusion from trusted sources/targets in order to promote this to a potential detection rule.
level: medium
Convert to SIEM query
medium
Moderate
High FP
Mail Forwarding/Redirecting Activity Via ExchangePowerShell Cmdlet
Detects email forwarding or redirecting activity via ExchangePowerShell Cmdlet
view Sigma YAML
title: Mail Forwarding/Redirecting Activity Via ExchangePowerShell Cmdlet
id: 0c7686d5-c74e-4292-b224-2a08e956ebc4
related:
- id: c726e007-2cd0-4a55-abfb-79730fbedee5
type: similar
- id: 15b7abbb-8b40-4d01-9ee2-b51994b1d474
type: obsolete
status: experimental
description: Detects email forwarding or redirecting activity via ExchangePowerShell Cmdlet
references:
- https://redcanary.com/blog/email-forwarding-rules/
- https://github.com/PwC-IR/Business-Email-Compromise-Guide/blob/fe29ce06aef842efe4eb448c26bbe822bf5b895d/PwC-Business_Email_Compromise-Guide.pdf
author: Nasreddine Bencherchali (Nextron Systems), Marco Pedrinazzi (@pedrinazziM) (InTheCyber)
date: 2026-03-01
tags:
- attack.collection
- attack.stealth
- attack.t1114.003
- attack.t1564.008
- attack.exfiltration
- attack.t1020
- detection.threat-hunting
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_cmdlet:
ScriptBlockText|contains:
- 'New-InboxRule'
- 'Set-InboxRule'
- 'Set-Mailbox'
selection_params:
ScriptBlockText|contains:
- 'ForwardAsAttachmentTo'
- 'ForwardingAddress'
- 'ForwardingSmtpAddress'
- 'ForwardTo'
- 'RedirectTo' # Also covers "RedirectToRecipients"
condition: all of selection_*
falsepositives:
- Legitimate mail forwarding rules created by users or administrators to forward email to designated internal or external recipients for business or operational purposes.
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Malicious Driver Load By Name
Detects loading of known malicious drivers via the file name of the drivers.
view Sigma YAML
title: Malicious Driver Load By Name
id: 39b64854-5497-4b57-a448-40977b8c9679
status: test
description: Detects loading of known malicious drivers via the file name of the drivers.
references:
- https://loldrivers.io/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-03
modified: 2023-12-02
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1543.003
- attack.t1068
logsource:
product: windows
category: driver_load
detection:
selection:
ImageLoaded|endswith:
- '\wfshbr64.sys'
- '\ktmutil7odm.sys'
- '\ktes.sys'
- '\a26363e7b02b13f2b8d697abb90cd5c3.sys'
- '\kt2.sys'
- '\4748696211bd56c2d93c21cab91e82a5.sys'
- '\malicious.sys'
- '\a236e7d654cd932b7d11cb604629a2d0.sys'
- '\spwizimgvt.sys'
- '\c94f405c5929cfcccc8ad00b42c95083.sys'
- '\fur.sys'
- '\wantd.sys'
- '\windbg.sys'
- '\4118b86e490aed091b1a219dba45f332.sys'
- '\gmer64.sys'
- '\1fc7aeeff3ab19004d2e53eae8160ab1.sys'
- '\poortry2.sys'
- '\wintapix.sys'
- '\daxin_blank6.sys'
- '\6771b13a53b9c7449d4891e427735ea2.sys'
- '\blacklotus_driver.sys'
- '\air_system10.sys'
- '\dkrtk.sys'
- '\7.sys'
- '\sense5ext.sys'
- '\ktgn.sys'
- '\ndislan.sys'
- '\nlslexicons0024uvn.sys'
- '\be6318413160e589080df02bb3ca6e6a.sys'
- '\4.sys'
- '\wantd_2.sys'
- '\e29f6311ae87542b3d693c1f38e4e3ad.sys'
- '\daxin_blank3.sys'
- '\gftkyj64.sys'
- '\daxin_blank2.sys'
- '\wantd_4.sys'
- '\reddriver.sys'
- '\834761775.sys'
- '\mlgbbiicaihflrnh.sys'
- '\mjj0ge.sys'
- '\daxin_blank.sys'
- '\daxin_blank5.sys'
- '\poortry1.sys'
- '\msqpq.sys'
- '\mimidrv.sys'
- '\e939448b28a4edc81f1f974cebf6e7d2.sys'
- '\prokiller64.sys'
- '\nodedriver.sys'
- '\wantd_3.sys'
- '\lctka.sys'
- '\kapchelper_x64.sys'
- '\daxin_blank4.sys'
- '\a9df5964635ef8bd567ae487c3d214c4.sys'
- '\wantd_6.sys'
- '\ntbios.sys'
- '\wantd_5.sys'
- '\pciecubed.sys'
- '\mimikatz.sys'
- '\nqrmq.sys'
- '\2.sys'
- '\poortry.sys'
- '\ntbios_2.sys'
- '\fgme.sys'
- '\telephonuafy.sys'
- '\typelibde.sys'
- '\daxin_blank1.sys'
- '\ef0e1725aaf0c6c972593f860531a2ea.sys'
- '\5a4fe297c7d42539303137b6d75b150d.sys'
condition: selection
falsepositives:
- False positives may occur if one of the vulnerable driver names mentioned above didn't change its name between versions. So always make sure that the driver being loaded is the legitimate one and the non vulnerable version.
- If you experience a lot of FP you could comment the driver name or its exact known legitimate location (when possible)
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Malicious PE Execution by Microsoft Visual Studio Debugger
There is an option for a MS VS Just-In-Time Debugger "vsjitdebugger.exe" to launch specified executable and attach a debugger.
This option may be used adversaries to execute malicious code by signed verified binary.
The debugger is installed alongside with Microsoft Visual Studio package.
view Sigma YAML
title: Malicious PE Execution by Microsoft Visual Studio Debugger
id: 15c7904e-6ad1-4a45-9b46-5fb25df37fd2
status: test
description: |
There is an option for a MS VS Just-In-Time Debugger "vsjitdebugger.exe" to launch specified executable and attach a debugger.
This option may be used adversaries to execute malicious code by signed verified binary.
The debugger is installed alongside with Microsoft Visual Studio package.
references:
- https://twitter.com/pabraeken/status/990758590020452353
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/
- https://learn.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019
author: Agro (@agro_sev), Ensar Şamil (@sblmsrsn), oscd.community
date: 2020-10-14
modified: 2022-10-09
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\vsjitdebugger.exe'
reduction1:
Image|endswith: '\vsimmersiveactivatehelper*.exe'
reduction2:
Image|endswith: '\devenv.exe'
condition: selection and not (reduction1 or reduction2)
falsepositives:
- The process spawned by vsjitdebugger.exe is uncommon.
level: medium
Convert to SIEM query
medium
Moderate
High FP
Malicious PowerShell Keywords
Detects keywords from well-known PowerShell exploitation frameworks
view Sigma YAML
title: Malicious PowerShell Keywords
id: f62176f3-8128-4faa-bf6c-83261322e5eb
status: test
description: Detects keywords from well-known PowerShell exploitation frameworks
references:
- https://adsecurity.org/?p=2921
author: Sean Metcalf (source), Florian Roth (Nextron Systems)
date: 2017-03-05
modified: 2023-06-20
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- 'AdjustTokenPrivileges'
- 'IMAGE_NT_OPTIONAL_HDR64_MAGIC'
# - 'LSA_UNICODE_STRING'
- 'Metasploit'
- 'Microsoft.Win32.UnsafeNativeMethods'
- 'Mimikatz'
- 'MiniDumpWriteDump'
- 'PAGE_EXECUTE_READ'
- 'ReadProcessMemory.Invoke'
- 'SE_PRIVILEGE_ENABLED'
- 'SECURITY_DELEGATION'
- 'TOKEN_ADJUST_PRIVILEGES'
- 'TOKEN_ALL_ACCESS'
- 'TOKEN_ASSIGN_PRIMARY'
- 'TOKEN_DUPLICATE'
- 'TOKEN_ELEVATION'
- 'TOKEN_IMPERSONATE'
- 'TOKEN_INFORMATION_CLASS'
- 'TOKEN_PRIVILEGES'
- 'TOKEN_QUERY'
condition: selection
falsepositives:
- Depending on the scripts, this rule might require some initial tuning to fit the environment
level: medium
Convert to SIEM query
medium
Moderate
High FP
Manipulation of User Computer or Group Security Principals Across AD
Adversaries may create a domain account to maintain access to victim systems.
Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain..
view Sigma YAML
title: Manipulation of User Computer or Group Security Principals Across AD
id: b29a93fb-087c-4b5b-a84d-ee3309e69d08
status: test
description: |
Adversaries may create a domain account to maintain access to victim systems.
Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain..
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.002/T1136.002.md#atomic-test-3---create-a-new-domain-account-using-powershell
- https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=net-8.0
author: frack113
date: 2021-12-28
tags:
- attack.persistence
- attack.t1136.002
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains: System.DirectoryServices.AccountManagement
condition: selection
falsepositives:
- Legitimate administrative script
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Manual Execution of Script Inside of a Compressed File
This is a threat-hunting query to collect information related to the interactive execution of a script from inside a compressed file (zip/rar). Windows will automatically run the script using scripting interpreters such as wscript and cscript binaries.
From the query below, the child process is the script interpreter that will execute the script. The script extension is also a set of standard extensions that Windows OS recognizes. Selections 1-3 contain three different execution scenarios.
1. Compressed file opened using 7zip.
2. Compressed file opened using WinRar.
3. Compressed file opened using native windows File Explorer capabilities.
When the malicious script is double-clicked, it will be extracted to the respected directories as signified by the CommandLine on each of the three Selections. It will then be executed using the relevant script interpreter."
view Sigma YAML
title: Manual Execution of Script Inside of a Compressed File
id: 95724fc1-a258-4674-97db-a30351981c5a
status: test
description: |
This is a threat-hunting query to collect information related to the interactive execution of a script from inside a compressed file (zip/rar). Windows will automatically run the script using scripting interpreters such as wscript and cscript binaries.
From the query below, the child process is the script interpreter that will execute the script. The script extension is also a set of standard extensions that Windows OS recognizes. Selections 1-3 contain three different execution scenarios.
1. Compressed file opened using 7zip.
2. Compressed file opened using WinRar.
3. Compressed file opened using native windows File Explorer capabilities.
When the malicious script is double-clicked, it will be extracted to the respected directories as signified by the CommandLine on each of the three Selections. It will then be executed using the relevant script interpreter."
references:
- https://app.any.run/tasks/25970bb5-f864-4e9e-9e1b-cc8ff9e6386a
- https://app.any.run/tasks/fa99cedc-9d2f-4115-a08e-291429ce3692
author: '@kostastsale'
date: 2023-02-15
modified: 2024-08-13
tags:
- attack.execution
- attack.t1059
- detection.threat-hunting
logsource:
category: process_creation
product: windows
detection:
selection_parent_7zip:
ParentImage|endswith: '\7z*.exe'
CommandLine|contains: '\AppData\local\temp\7z*\'
selection_parent_winrar:
ParentImage|endswith: '\winrar.exe'
CommandLine|contains: '\AppData\local\temp\rar*\'
selection_parent_explorer:
ParentImage|endswith: '\explorer.exe'
CommandLine|contains:
- '\AppData\local\temp\*.rar\'
- '\AppData\local\temp\*.zip\'
selection_child:
Image|endswith:
- '\cscript.exe'
- '\mshta.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\wscript.exe'
CommandLine|endswith:
- '.hta'
- '.js'
- '.jse'
- '.ps1'
- '.vbe'
- '.vbs'
- '.wsf'
- '.wsh'
condition: 1 of selection_parent_* and selection_child
falsepositives:
- Batch files may produce a lot of noise, as many applications appear to bundle them as part of their installation process. You should baseline your environment and generate a new query excluding the noisy and expected activity. Some false positives may come up depending on your environment. All results should be investigated thoroughly before filtering out results.
level: medium
Convert to SIEM query
medium
Moderate
Low FP
Masquerading as Linux Crond Process
Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation.
Several different variations of this technique have been observed.
view Sigma YAML
title: Masquerading as Linux Crond Process
id: 9d4548fa-bba0-4e88-bd66-5d5bf516cda0
status: test
description: |
Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation.
Several different variations of this technique have been observed.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/8a82e9b66a5b4f4bc5b91089e9f24e0544f20ad7/atomics/T1036.003/T1036.003.md#atomic-test-2---masquerading-as-linux-crond-process
author: Timur Zinniatullin, oscd.community
date: 2019-10-21
modified: 2023-08-22
tags:
- attack.stealth
- attack.t1036.003
logsource:
product: linux
service: auditd
detection:
selection:
type: 'execve'
a0: 'cp'
a1: '/bin/sh'
a2|endswith: '/crond'
condition: selection
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Mesh Agent Service Installation
Detects a Mesh Agent service installation. Mesh Agent is used to remotely manage computers
view Sigma YAML
title: Mesh Agent Service Installation
id: e0d1ad53-c7eb-48ec-a87a-72393cc6cedc
status: test
description: Detects a Mesh Agent service installation. Mesh Agent is used to remotely manage computers
references:
- https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-11-28
tags:
- attack.command-and-control
- attack.t1219.002
logsource:
product: windows
service: system
detection:
selection_root:
Provider_Name: 'Service Control Manager'
EventID: 7045
selection_service:
- ImagePath|contains: 'MeshAgent.exe'
- ServiceName|contains: 'Mesh Agent'
condition: all of selection_*
falsepositives:
- Legitimate use of the tool
level: medium
Convert to SIEM query
medium
Moderate
Low FP
Microsoft 365 - Impossible Travel Activity
Detects when a Microsoft Cloud App Security reported a risky sign-in attempt due to a login associated with an impossible travel.
view Sigma YAML
title: Microsoft 365 - Impossible Travel Activity
id: d7eab125-5f94-43df-8710-795b80fa1189
status: test
description: Detects when a Microsoft Cloud App Security reported a risky sign-in attempt due to a login associated with an impossible travel.
references:
- https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
- https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
author: Austin Songer @austinsonger
date: 2020-07-06
modified: 2021-11-27
tags:
- attack.privilege-escalation
- attack.persistence
- attack.initial-access
- attack.stealth
- attack.t1078
logsource:
service: threat_management
product: m365
detection:
selection:
eventSource: SecurityComplianceCenter
eventName: 'Impossible travel activity'
status: success
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Low FP
Microsoft 365 - Potential Ransomware Activity
Detects when a Microsoft Cloud App Security reported when a user uploads files to the cloud that might be infected with ransomware.
view Sigma YAML
title: Microsoft 365 - Potential Ransomware Activity
id: bd132164-884a-48f1-aa2d-c6d646b04c69
status: test
description: Detects when a Microsoft Cloud App Security reported when a user uploads files to the cloud that might be infected with ransomware.
references:
- https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
- https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
author: austinsonger
date: 2021-08-19
modified: 2022-10-09
tags:
- attack.impact
- attack.t1486
logsource:
service: threat_management
product: m365
detection:
selection:
eventSource: SecurityComplianceCenter
eventName: 'Potential ransomware activity'
status: success
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Low FP
Microsoft 365 - Unusual Volume of File Deletion
Detects when a Microsoft Cloud App Security reported a user has deleted a unusual a large volume of files.
view Sigma YAML
title: Microsoft 365 - Unusual Volume of File Deletion
id: 78a34b67-3c39-4886-8fb4-61c46dc18ecd
status: test
description: Detects when a Microsoft Cloud App Security reported a user has deleted a unusual a large volume of files.
references:
- https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
- https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
author: austinsonger
date: 2021-08-19
modified: 2022-10-09
tags:
- attack.impact
- attack.t1485
logsource:
service: threat_management
product: m365
detection:
selection:
eventSource: SecurityComplianceCenter
eventName: 'Unusual volume of file deletion'
status: success
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Low FP
Microsoft 365 - User Restricted from Sending Email
Detects when a Security Compliance Center reported a user who exceeded sending limits of the service policies and because of this has been restricted from sending email.
view Sigma YAML
title: Microsoft 365 - User Restricted from Sending Email
id: ff246f56-7f24-402a-baca-b86540e3925c
status: test
description: Detects when a Security Compliance Center reported a user who exceeded sending limits of the service policies and because of this has been restricted from sending email.
references:
- https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
- https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
author: austinsonger
date: 2021-08-19
modified: 2022-10-09
tags:
- attack.initial-access
- attack.t1199
logsource:
service: threat_management
product: m365
detection:
selection:
eventSource: SecurityComplianceCenter
eventName: 'User restricted from sending email'
status: success
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
Showing 501-550 of 1,440