Tool
EDR / XDR
VMware Carbon Black
1,440 rules · Sigma detections in VMware Carbon Black syntax
The same Sigma detection corpus, machine-rendered into VMware Carbon Black query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 3,646 rules (.zip, 1.2 MB)
Every VMware Carbon Black query in this view, packaged to deploy.
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance12
Resource Development10
Initial Access10
Execution30
Persistence42
Privilege Escalation20
Stealth79
Defense Impairment32
Credential Access35
Discovery33
Lateral Movement16
Collection20
Command and Control24
Exfiltration10
Impact18
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
◈
Detection rules
50 shown of 1,440
medium
Moderate
High FP
New Network Trace Capture Started Via Netsh.EXE
Detects the execution of netsh with the "trace" flag in order to start a network capture
view Sigma YAML
title: New Network Trace Capture Started Via Netsh.EXE
id: d3c3861d-c504-4c77-ba55-224ba82d0118
status: test
description: Detects the execution of netsh with the "trace" flag in order to start a network capture
references:
- https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/
- https://klausjochem.me/2016/02/03/netsh-the-cyber-attackers-tool-of-choice/
author: Kutepov Anton, oscd.community
date: 2019-10-24
modified: 2023-02-13
tags:
- attack.discovery
- attack.credential-access
- attack.t1040
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\netsh.exe'
- OriginalFileName: 'netsh.exe'
selection_cli:
CommandLine|contains|all:
- 'trace'
- 'start'
condition: all of selection_*
falsepositives:
- Legitimate administration activity
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
New Outlook Macro Created
Detects the creation of a macro file for Outlook.
view Sigma YAML
title: New Outlook Macro Created
id: 8c31f563-f9a7-450c-bfa8-35f8f32f1f61
related:
- id: 117d3d3a-755c-4a61-b23e-9171146d094c
type: derived
status: test
description: Detects the creation of a macro file for Outlook.
references:
- https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
author: '@ScoubiMtl'
date: 2021-04-05
modified: 2023-02-08
tags:
- attack.privilege-escalation
- attack.persistence
- attack.command-and-control
- attack.t1137
- attack.t1008
- attack.t1546
logsource:
category: file_event
product: windows
detection:
selection:
Image|endswith: '\outlook.exe'
TargetFilename|endswith: '\Microsoft\Outlook\VbaProject.OTM'
condition: selection
falsepositives:
- User genuinely creates a VB Macro for their email
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
New PDQDeploy Service - Client Side
Detects PDQDeploy service installation on the target system.
When a package is deployed via PDQDeploy it installs a remote service on the target machine with the name "PDQDeployRunner-X" where "X" is an integer starting from 1
view Sigma YAML
title: New PDQDeploy Service - Client Side
id: b98a10af-1e1e-44a7-bab2-4cc026917648
status: test
description: |
Detects PDQDeploy service installation on the target system.
When a package is deployed via PDQDeploy it installs a remote service on the target machine with the name "PDQDeployRunner-X" where "X" is an integer starting from 1
references:
- https://documentation.pdq.com/PDQDeploy/13.0.3.0/index.html?windows-services.htm
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-22
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1543.003
logsource:
product: windows
service: system
detection:
selection_root:
Provider_Name: 'Service Control Manager'
EventID: 7045
selection_service:
- ImagePath|contains: 'PDQDeployRunner-'
- ServiceName|startswith: 'PDQDeployRunner-'
condition: all of selection_*
falsepositives:
- Legitimate use of the tool
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
New PDQDeploy Service - Server Side
Detects a PDQDeploy service installation which indicates that PDQDeploy was installed on the machines.
PDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines
view Sigma YAML
title: New PDQDeploy Service - Server Side
id: ee9ca27c-9bd7-4cee-9b01-6e906be7cae3
status: test
description: |
Detects a PDQDeploy service installation which indicates that PDQDeploy was installed on the machines.
PDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines
references:
- https://documentation.pdq.com/PDQDeploy/13.0.3.0/index.html?windows-services.htm
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-22
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1543.003
logsource:
product: windows
service: system
detection:
selection_root:
Provider_Name: 'Service Control Manager'
EventID: 7045
selection_service:
- ImagePath|contains: 'PDQDeployService.exe'
- ServiceName:
- 'PDQDeploy'
- 'PDQ Deploy'
condition: all of selection_*
falsepositives:
- Legitimate use of the tool
level: medium
Convert to SIEM query
medium
Strong
Medium FP
New Port Forwarding Rule Added Via Netsh.EXE
Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule
view Sigma YAML
title: New Port Forwarding Rule Added Via Netsh.EXE
id: 322ed9ec-fcab-4f67-9a34-e7c6aef43614
status: test
description: Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule
references:
- https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
- https://adepts.of0x.cc/netsh-portproxy-code/
- https://www.dfirnotes.net/portproxy_detection/
author: Florian Roth (Nextron Systems), omkar72, oscd.community, Swachchhanda Shrawan Poudel
date: 2019-01-29
modified: 2023-09-01
tags:
- attack.lateral-movement
- attack.command-and-control
- attack.t1090
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\netsh.exe'
- OriginalFileName: 'netsh.exe'
selection_cli_1:
CommandLine|contains|all:
- 'interface'
- 'portproxy'
- 'add'
- 'v4tov4'
selection_cli_2:
CommandLine|contains|all:
# Example: netsh I p a v l=8001 listena=127.0.0.1 connectp=80 c=192.168.1.1
- 'i ' # interface
- 'p ' # portproxy
- 'a ' # add
- 'v ' # v4tov4
selection_cli_3:
CommandLine|contains|all:
- 'connectp'
- 'listena'
- 'c='
condition: selection_img and 1 of selection_cli_*
falsepositives:
- Legitimate administration activity
- WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723)
level: medium
Convert to SIEM query
medium
Moderate
High FP
New PortProxy Registry Entry Added
Detects the modification of the PortProxy registry key which is used for port forwarding.
view Sigma YAML
title: New PortProxy Registry Entry Added
id: a54f842a-3713-4b45-8c84-5f136fdebd3c
status: test
description: Detects the modification of the PortProxy registry key which is used for port forwarding.
references:
- https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
- https://adepts.of0x.cc/netsh-portproxy-code/
- https://www.dfirnotes.net/portproxy_detection/
author: Andreas Hunkeler (@Karneades)
date: 2021-06-22
modified: 2024-03-25
tags:
- attack.lateral-movement
- attack.command-and-control
- attack.t1090
logsource:
category: registry_event
product: windows
detection:
selection:
# Example: HKLM\System\CurrentControlSet\Services\PortProxy\v4tov4\tcp\0.0.0.0/1337
TargetObject|contains: '\Services\PortProxy\v4tov4\tcp\'
condition: selection
falsepositives:
- WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723)
- Synergy Software KVM (https://symless.com/synergy)
level: medium
Convert to SIEM query
medium
Moderate
High FP
New Process Created Via Wmic.EXE
Detects new process creation using WMIC via the "process call create" flag
view Sigma YAML
title: New Process Created Via Wmic.EXE
id: 526be59f-a573-4eea-b5f7-f0973207634d
related:
- id: 3c89a1e8-0fba-449e-8f1b-8409d6267ec8 # For suspicious process creation
type: derived
status: test
description: Detects new process creation using WMIC via the "process call create" flag
references:
- https://www.sans.org/blog/wmic-for-incident-response/
- https://github.com/redcanaryco/atomic-red-team/blob/84215139ee5127f8e3a117e063b604812bd71928/atomics/T1047/T1047.md#atomic-test-5---wmi-execute-local-process
author: Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community
date: 2019-01-16
modified: 2023-02-14
tags:
- attack.execution
- attack.t1047
- car.2016-03-002
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\wmic.exe'
- OriginalFileName: 'wmic.exe'
selection_cli:
CommandLine|contains|all:
- 'process'
- 'call'
- 'create'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
New Remote Desktop Connection Initiated Via Mstsc.EXE
Detects the usage of "mstsc.exe" with the "/v" flag to initiate a connection to a remote server.
Adversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
view Sigma YAML
title: New Remote Desktop Connection Initiated Via Mstsc.EXE
id: 954f0af7-62dd-418f-b3df-a84bc2c7a774
status: test
description: |
Detects the usage of "mstsc.exe" with the "/v" flag to initiate a connection to a remote server.
Adversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc
author: frack113
date: 2022-01-07
modified: 2024-06-04
tags:
- attack.lateral-movement
- attack.t1021.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\mstsc.exe'
- OriginalFileName: 'mstsc.exe'
selection_cli:
CommandLine|contains|windash: ' /v:'
filter_optional_wsl:
# Example: mstsc.exe /v:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX /hvsocketserviceid:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX /silent /wslg /plugin:WSLDVC /wslgsharedmemorypath:WSL\XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX\wslg C:\ProgramData\Microsoft\WSL\wslg.rdp
ParentImage: 'C:\Windows\System32\lxss\wslhost.exe'
CommandLine|contains: 'C:\ProgramData\Microsoft\WSL\wslg.rdp'
condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
- WSL (Windows Sub System For Linux)
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
New Root Certificate Authority Added
Detects newly added root certificate authority to an AzureAD tenant to support certificate based authentication.
view Sigma YAML
title: New Root Certificate Authority Added
id: 4bb80281-3756-4ec8-a88e-523c5a6fda9e
status: test
description: Detects newly added root certificate authority to an AzureAD tenant to support certificate based authentication.
references:
- https://posts.specterops.io/passwordless-persistence-and-privilege-escalation-in-azure-98a01310be3f
- https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/
author: Harjot Shah Singh, '@cyb3rjy0t'
date: 2024-03-26
tags:
- attack.credential-access
- attack.persistence
- attack.privilege-escalation
- attack.defense-impairment
- attack.t1556
logsource:
product: azure
service: auditlogs
detection:
selection:
OperationName: 'Set Company Information'
TargetResources.modifiedProperties.newValue|contains: 'TrustedCAsForPasswordlessAuth'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
New Root Certificate Installed Via CertMgr.EXE
Detects execution of "certmgr" with the "add" flag in order to install a new certificate on the system.
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
view Sigma YAML
title: New Root Certificate Installed Via CertMgr.EXE
id: ff992eac-6449-4c60-8c1d-91c9722a1d48
related:
- id: 42821614-9264-4761-acfc-5772c3286f76
type: derived
- id: 46591fae-7a4c-46ea-aec3-dff5e6d785dc
type: obsolete
status: test
description: |
Detects execution of "certmgr" with the "add" flag in order to install a new certificate on the system.
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md
- https://securelist.com/to-crypt-or-to-mine-that-is-the-question/86307/
author: oscd.community, @redcanary, Zach Stanford @svch0st
date: 2023-03-05
tags:
- attack.defense-impairment
- attack.t1553.004
logsource:
category: process_creation
product: windows
detection:
# Example: CertMgr.exe /add CertificateFileName.cer /s /r localMachine root /all
selection_img:
- Image|endswith: '\CertMgr.exe'
- OriginalFileName: 'CERTMGT.EXE'
selection_cli:
CommandLine|contains|all:
- '/add'
- 'root'
condition: all of selection_*
falsepositives:
- Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP
level: medium
Convert to SIEM query
medium
Strong
Medium FP
New Root Certificate Installed Via Certutil.EXE
Detects execution of "certutil" with the "addstore" flag in order to install a new certificate on the system.
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
view Sigma YAML
title: New Root Certificate Installed Via Certutil.EXE
id: d2125259-ddea-4c1c-9c22-977eb5b29cf0
related:
- id: 42821614-9264-4761-acfc-5772c3286f76
type: derived
- id: 46591fae-7a4c-46ea-aec3-dff5e6d785dc
type: obsolete
status: test
description: |
Detects execution of "certutil" with the "addstore" flag in order to install a new certificate on the system.
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md
author: oscd.community, @redcanary, Zach Stanford @svch0st
date: 2023-03-05
modified: 2024-03-05
tags:
- attack.defense-impairment
- attack.t1553.004
logsource:
category: process_creation
product: windows
detection:
# Example: certutil -addstore -f -user ROOT CertificateFileName.der
selection_img:
- Image|endswith: '\certutil.exe'
- OriginalFileName: 'CertUtil.exe'
selection_cli_add:
CommandLine|contains|windash: '-addstore'
selection_cli_store:
CommandLine|contains: 'root'
condition: all of selection_*
falsepositives:
- Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_certificate_installation/info.yml
Convert to SIEM query
medium
Moderate
Medium FP
New Root or CA or AuthRoot Certificate to Store
Detects the addition of new root, CA or AuthRoot certificates to the Windows registry
view Sigma YAML
title: New Root or CA or AuthRoot Certificate to Store
id: d223b46b-5621-4037-88fe-fda32eead684
status: test
description: Detects the addition of new root, CA or AuthRoot certificates to the Windows registry
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store
- https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
author: frack113
date: 2022-04-04
modified: 2023-08-17
tags:
- attack.impact
- attack.t1490
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains:
- '\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\'
- '\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\'
- '\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\'
- '\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\'
- '\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates\'
- '\SOFTWARE\Microsoft\EnterpriseCertificates\CA\Certificates\'
- '\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\'
- '\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\Certificates\'
- '\SOFTWARE\Microsoft\EnterpriseCertificates\AuthRoot\Certificates\'
TargetObject|endswith: '\Blob'
Details: 'Binary Data'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
New Self Extracting Package Created Via IExpress.EXE
Detects the "iexpress.exe" utility creating self-extracting packages.
Attackers where seen leveraging "iexpress" to compile packages on the fly via ".sed" files.
Investigate the command line options provided to "iexpress" and in case of a ".sed" file, check the contents and legitimacy of it.
view Sigma YAML
title: New Self Extracting Package Created Via IExpress.EXE
id: c2b478fc-09bf-40b2-8768-ab3ec8d61c9a
status: test
description: |
Detects the "iexpress.exe" utility creating self-extracting packages.
Attackers where seen leveraging "iexpress" to compile packages on the fly via ".sed" files.
Investigate the command line options provided to "iexpress" and in case of a ".sed" file, check the contents and legitimacy of it.
references:
- https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html
- https://en.wikipedia.org/wiki/IExpress
- https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/
- https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2024-02-05
tags:
- attack.stealth
- attack.t1218
- detection.threat-hunting
logsource:
category: process_creation
product: windows
detection:
selection_1_parent:
ParentImage|endswith: '\iexpress.exe'
selection_1_img:
- Image|endswith: '\makecab.exe'
- OriginalFileName: 'makecab.exe'
selection_2_img:
- Image|endswith: '\iexpress.exe'
- OriginalFileName: 'IEXPRESS.exe'
selection_2_cli:
CommandLine|contains: ' /n '
condition: all of selection_1_* or all of selection_2_*
falsepositives:
- Administrators building packages using iexpress.exe
level: medium
Convert to SIEM query
medium
Moderate
High FP
New User Created Via Net.EXE
Identifies the creation of local users via the net.exe command.
view Sigma YAML
title: New User Created Via Net.EXE
id: cd219ff3-fa99-45d4-8380-a7d15116c6dc
related:
- id: b9f0e6f5-09b4-4358-bae4-08408705bd5c
type: similar
status: test
description: Identifies the creation of local users via the net.exe command.
references:
- https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md
author: Endgame, JHasenbusch (adapted to Sigma for oscd.community)
date: 2018-10-30
modified: 2023-02-21
tags:
- attack.persistence
- attack.t1136.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\net.exe'
- '\net1.exe'
- OriginalFileName:
- 'net.exe'
- 'net1.exe'
selection_cli:
CommandLine|contains|all:
- 'user'
- 'add'
condition: all of selection_*
falsepositives:
- Legitimate user creation.
- Better use event IDs for user creation rather than command line rules.
level: medium
Convert to SIEM query
medium
Strong
Medium FP
New Virtual Smart Card Created Via TpmVscMgr.EXE
Detects execution of "Tpmvscmgr.exe" to create a new virtual smart card.
view Sigma YAML
title: New Virtual Smart Card Created Via TpmVscMgr.EXE
id: c633622e-cab9-4eaa-bb13-66a1d68b3e47
status: test
description: Detects execution of "Tpmvscmgr.exe" to create a new virtual smart card.
references:
- https://learn.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-15
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith: '\tpmvscmgr.exe'
OriginalFileName: 'TpmVscMgr.exe'
selection_cli:
CommandLine|contains: 'create'
condition: all of selection_*
falsepositives:
- Legitimate usage by an administrator
level: medium
Convert to SIEM query
medium
Strong
Medium FP
New or Renamed User Account with '$' Character
Detects the creation of a user with the "$" character. This can be used by attackers to hide a user or trick detection systems that lack the parsing mechanisms.
view Sigma YAML
title: New or Renamed User Account with '$' Character
id: cfeed607-6aa4-4bbd-9627-b637deb723c8
status: test
description: |
Detects the creation of a user with the "$" character. This can be used by attackers to hide a user or trick detection systems that lack the parsing mechanisms.
references:
- https://twitter.com/SBousseaden/status/1387743867663958021
author: Ilyas Ochkov, oscd.community
date: 2019-10-25
modified: 2024-01-16
tags:
- attack.stealth
- attack.t1036
logsource:
product: windows
service: security
detection:
selection_create:
EventID: 4720 # create user
SamAccountName|contains: '$'
selection_rename:
EventID: 4781 # rename user
NewTargetUserName|contains: '$'
filter_main_homegroup:
EventID: 4720
TargetUserName: 'HomeGroupUser$'
condition: 1 of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Node Process Executions
Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud
view Sigma YAML
title: Node Process Executions
id: df1f26d3-bea7-4700-9ea2-ad3e990cf90e
status: test
description: Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud
references:
- https://twitter.com/mttaggart/status/1511804863293784064
author: Max Altgelt (Nextron Systems)
date: 2022-04-06
tags:
- attack.execution
- attack.stealth
- attack.t1127
- attack.t1059.007
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\Adobe Creative Cloud Experience\libs\node.exe'
filter:
CommandLine|contains: 'Adobe Creative Cloud Experience\js' # Folder where Creative Cloud's JS resources are located
condition: selection and not filter
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Nohup Execution
Detects usage of nohup which could be leveraged by an attacker to keep a process running or break out from restricted environments
view Sigma YAML
title: Nohup Execution
id: e4ffe466-6ff8-48d4-94bd-e32d1a6061e2
status: test
description: Detects usage of nohup which could be leveraged by an attacker to keep a process running or break out from restricted environments
references:
- https://gtfobins.github.io/gtfobins/nohup/
- https://en.wikipedia.org/wiki/Nohup
- https://www.computerhope.com/unix/unohup.htm
author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
date: 2022-06-06
tags:
- attack.execution
- attack.t1059.004
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith: '/nohup'
condition: selection
falsepositives:
- Administrators or installed processes that leverage nohup
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Notepad++ Updater DNS Query to Uncommon Domains
Detects when the Notepad++ updater (gup.exe) makes DNS queries to domains that are not part of the known legitimate update infrastructure.
This could indicate potential exploitation of the updater mechanism or suspicious network activity that warrants further investigation.
view Sigma YAML
title: Notepad++ Updater DNS Query to Uncommon Domains
id: 2074e137-1b73-4e2d-88ba-5a3407dbdce0
status: experimental
description: |
Detects when the Notepad++ updater (gup.exe) makes DNS queries to domains that are not part of the known legitimate update infrastructure.
This could indicate potential exploitation of the updater mechanism or suspicious network activity that warrants further investigation.
references:
- https://notepad-plus-plus.org/news/v889-released/
- https://www.heise.de/en/news/Notepad-updater-installed-malware-11109726.html
- https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
- https://www.validin.com/blog/exploring_notepad_plus_plus_network_indicators/
- https://securelist.com/notepad-supply-chain-attack/118708/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-02-02
modified: 2026-03-16
tags:
- attack.collection
- attack.credential-access
- attack.t1195.002
- attack.initial-access
- attack.t1557
logsource:
category: dns_query
product: windows
detection:
selection:
Image|endswith: '\gup.exe'
filter_main_notepad_legit_domain:
QueryName: 'notepad-plus-plus.org'
filter_optional_sourceforge_legit_domain:
QueryName|endswith: '.sourceforge.net'
filter_optional_github_legit_domain:
- QueryName|endswith: '.githubusercontent.com'
- QueryName: 'github.com'
filter_optional_google_storage_legit_domain:
QueryName|endswith: '.googleapis.com'
filter_optional_uncommon_domains:
QueryName|endswith:
- '.azurewebsites.net'
- 'block.opendns.com'
- 'gateway.zscalerthree.net'
# Add other known legitimate domains if any
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Some legitimate network misconfigurations or proxy issues causing unexpected DNS queries.
- Other legitimate query to official domains not listed in the filter, needing tuning.
level: medium # can be upgraded to high after tuning with known legitimate DNS queries
Convert to SIEM query
medium
Moderate
High FP
Nslookup PowerShell Download Cradle
Detects a powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records.
view Sigma YAML
title: Nslookup PowerShell Download Cradle
id: 999bff6d-dc15-44c9-9f5c-e1051bfc86e1
related:
- id: 1b3b01c7-84e9-4072-86e5-fc285a41ff23
type: similar
status: test
description: Detects a powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records.
references:
- https://twitter.com/Alh4zr3d/status/1566489367232651264
author: Sai Prashanth Pulisetti @pulisettis, Aishwarya Singam
date: 2022-12-10
modified: 2025-02-25
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_classic_start
detection:
selection:
Data|contains|all:
- 'powershell'
- 'nslookup'
- '[1]'
Data|contains:
- '-q=txt http'
- '-querytype=txt http'
- '-type=txt http'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Nslookup PowerShell Download Cradle - ProcessCreation
Detects suspicious powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records
view Sigma YAML
title: Nslookup PowerShell Download Cradle - ProcessCreation
id: 1b3b01c7-84e9-4072-86e5-fc285a41ff23
related:
- id: 72671447-4352-4413-bb91-b85569687135
type: obsolete
- id: 999bff6d-dc15-44c9-9f5c-e1051bfc86e1
type: similar
status: test
description: Detects suspicious powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records
references:
- https://twitter.com/Alh4zr3d/status/1566489367232651264
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-05
modified: 2022-12-19
tags:
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|contains: '\nslookup.exe'
- OriginalFileName: '\nslookup.exe'
selection_cmd:
ParentImage|endswith:
- '\powershell.exe'
- '\pwsh.exe'
CommandLine|contains:
- ' -q=txt '
- ' -querytype=txt '
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Ntdsutil Abuse
Detects potential abuse of ntdsutil to dump ntds.dit database
view Sigma YAML
title: Ntdsutil Abuse
id: e6e88853-5f20-4c4a-8d26-cd469fd8d31f
status: test
description: Detects potential abuse of ntdsutil to dump ntds.dit database
references:
- https://twitter.com/mgreen27/status/1558223256704122882
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-14
tags:
- attack.credential-access
- attack.t1003.003
logsource:
product: windows
service: application
# warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
selection:
Provider_Name: 'ESENT'
EventID:
- 216
- 325
- 326
- 327
Data|contains: 'ntds.dit'
condition: selection
falsepositives:
- Legitimate backup operation/creating shadow copies
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Number Of Resource Creation Or Deployment Activities
Number of VM creations or deployment activities occur in Azure via the azureactivity log.
view Sigma YAML
title: Number Of Resource Creation Or Deployment Activities
id: d2d901db-7a75-45a1-bc39-0cbf00812192
status: test
description: Number of VM creations or deployment activities occur in Azure via the azureactivity log.
references:
- https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/Creating_Anomalous_Number_Of_Resources_detection.yaml
author: sawwinnnaung
date: 2020-05-07
modified: 2023-10-11
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1098
logsource:
product: azure
service: activitylogs
detection:
keywords:
- Microsoft.Compute/virtualMachines/write
- Microsoft.Resources/deployments/write
condition: keywords
falsepositives:
- Valid change
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Obfuscated IP Download Activity
Detects use of an encoded/obfuscated version of an IP address (hex, octal...) in an URL combined with a download command
view Sigma YAML
title: Obfuscated IP Download Activity
id: cb5a2333-56cf-4562-8fcb-22ba1bca728d
status: test
description: Detects use of an encoded/obfuscated version of an IP address (hex, octal...) in an URL combined with a download command
references:
- https://h.43z.one/ipconverter/
- https://twitter.com/Yasser_Elsnbary/status/1553804135354564608
- https://twitter.com/fr0s7_/status/1712780207105404948
author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems)
date: 2022-08-03
modified: 2026-03-16
tags:
- attack.discovery
logsource:
category: process_creation
product: windows
detection:
selection_command:
CommandLine|contains:
- 'Invoke-WebRequest'
- 'iwr '
- 'Invoke-RestMethod'
- 'irm '
- 'wget '
- 'curl '
- 'DownloadFile'
- 'DownloadString'
selection_ip_1:
CommandLine|contains:
- ' 0x'
- '//0x'
- '.0x'
- '.00x'
selection_ip_2:
CommandLine|contains|all:
- 'http://%'
- '%2e'
selection_ip_3:
# http://81.4.31754
- CommandLine|re: 'https?://[0-9]{1,3}\.[0-9]{1,3}\.0[0-9]{3,4}'
# http://81.293898
- CommandLine|re: 'https?://[0-9]{1,3}\.0[0-9]{3,7}'
# http://1359248394
- CommandLine|re: 'https?://0[0-9]{3,11}'
# http://0121.04.0174.012
- CommandLine|re: 'https?://(?:0[0-9]{1,11}\.){3}0[0-9]{1,11}'
# http://012101076012
- CommandLine|re: 'https?://0[0-9]{1,11}'
# For octal format
- CommandLine|re: ' [0-7]{7,13}'
filter_main_valid_ip:
CommandLine|re: 'https?://(?:(?:25[0-5]|(?:2[0-4]|1\d|[1-9])?\d)(?:\.|\b)){4}'
condition: selection_command and 1 of selection_ip_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Obfuscated IP Via CLI
Detects usage of an encoded/obfuscated version of an IP address (hex, octal, etc.) via command line
view Sigma YAML
title: Obfuscated IP Via CLI
id: 56d19cb4-6414-4769-9644-1ed35ffbb148
status: test
description: Detects usage of an encoded/obfuscated version of an IP address (hex, octal, etc.) via command line
references:
- https://h.43z.one/ipconverter/
- https://twitter.com/Yasser_Elsnbary/status/1553804135354564608
author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
date: 2022-08-03
modified: 2026-03-16
tags:
- attack.discovery
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith:
- '\ping.exe'
- '\arp.exe'
selection_ip_1:
CommandLine|contains:
- ' 0x'
- '//0x'
- '.0x'
- '.00x'
selection_ip_2:
CommandLine|contains|all:
- 'http://%'
- '%2e'
selection_ip_3:
# http://81.4.31754
- CommandLine|re: 'https?://[0-9]{1,3}\.[0-9]{1,3}\.0[0-9]{3,4}'
# http://81.293898
- CommandLine|re: 'https?://[0-9]{1,3}\.0[0-9]{3,7}'
# http://1359248394
- CommandLine|re: 'https?://0[0-9]{3,11}'
# http://0121.04.0174.012
- CommandLine|re: 'https?://(?:0[0-9]{1,11}\.){3}0[0-9]{1,11}'
# http://012101076012
- CommandLine|re: 'https?://0[0-9]{1,11}'
# For octal format
- CommandLine|re: ' [0-7]{7,13}'
filter_main_valid_ip:
CommandLine|re: 'https?://(?:(?:25[0-5]|(?:2[0-4]|1\d|[1-9])?\d)(?:\.|\b)){4}'
condition: selection_img and 1 of selection_ip_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Office Application Initiated Network Connection Over Uncommon Ports
Detects an office suit application (Word, Excel, PowerPoint, Outlook) communicating to target systems over uncommon ports.
view Sigma YAML
title: Office Application Initiated Network Connection Over Uncommon Ports
id: 3b5ba899-9842-4bc2-acc2-12308498bf42
status: test
description: Detects an office suit application (Word, Excel, PowerPoint, Outlook) communicating to target systems over uncommon ports.
references:
- https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-12
modified: 2025-10-17
tags:
- attack.command-and-control
- attack.stealth
logsource:
category: network_connection
product: windows
detection:
selection:
Initiated: 'true'
Image|endswith:
- '\excel.exe'
- '\outlook.exe'
- '\powerpnt.exe'
- '\winword.exe'
- '\wordview.exe'
filter_main_common_ports:
DestinationPort:
- 53 # DNS
- 80 # HTTP
- 139 # NETBIOS
- 389 # LDAP
- 443 # HTTPS
- 445 # SMB
- 3268 # MSFT-GC
filter_main_outlook_ports:
Image|contains: ':\Program Files\Microsoft Office\'
Image|endswith: '\OUTLOOK.EXE'
DestinationPort:
- 143
- 465 # SMTP
- 587 # SMTP
- 993 # IMAP
- 995 # POP3
condition: selection and not 1 of filter_main_*
falsepositives:
- Other ports can be used, apply additional filters accordingly
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Office Application Initiated Network Connection To Non-Local IP
Detects an office application (Word, Excel, PowerPoint) that initiate a network connection to a non-private IP addresses.
This rule aims to detect traffic similar to one seen exploited in CVE-2021-42292.
This rule will require an initial baseline and tuning that is specific to your organization.
view Sigma YAML
title: Office Application Initiated Network Connection To Non-Local IP
id: 75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84
status: test
description: |
Detects an office application (Word, Excel, PowerPoint) that initiate a network connection to a non-private IP addresses.
This rule aims to detect traffic similar to one seen exploited in CVE-2021-42292.
This rule will require an initial baseline and tuning that is specific to your organization.
references:
- https://corelight.com/blog/detecting-cve-2021-42292
- https://learn.microsoft.com/de-de/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide
author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
date: 2021-11-10
modified: 2025-10-17
tags:
- attack.execution
- attack.t1203
logsource:
category: network_connection
product: windows
detection:
selection:
Image|endswith:
- '\excel.exe'
- '\outlook.exe'
- '\powerpnt.exe'
- '\winword.exe'
- '\wordview.exe'
Initiated: 'true'
filter_main_local_ranges:
DestinationIp|cidr:
- '127.0.0.0/8'
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '169.254.0.0/16'
- '::1/128' # IPv6 loopback
- 'fe80::/10' # IPv6 link-local addresses
- 'fc00::/7' # IPv6 private addresses
filter_main_msrange_generic:
DestinationIp|cidr:
- '2.16.56.0/23' # Akamai International B.V.
- '2.17.248.0/21' # Akamai International B.V.
- '13.107.240.0/21' # Microsoft Corporation
- '20.184.0.0/13' # Microsoft Corporation
- '23.61.224.0/20' # Akamai-AS
- '20.192.0.0/10' # Microsoft Corporation
- '23.72.0.0/13' # Akamai International B.V.
- '23.3.88.0/22' # Akamai-AS
- '23.216.132.0/22' # Akamai-AS
- '40.76.0.0/14' # Microsoft Corporation
- '51.10.0.0/15' # Microsoft Corporation
- '51.103.0.0/16' # Microsoft Corporation
- '51.104.0.0/15' # Microsoft Corporation
- '51.142.136.0/22' # Microsoft Corporation - https://ipinfo.io/AS8075/51.140.0.0/14-51.142.136.0/22
- '52.160.0.0/11' # Microsoft Corporation - https://ipinfo.io/AS8075/52.160.0.0/11
- '95.101.96.0/21' # Akamai-As
- '204.79.197.0/24' # Microsoft Corporation
filter_main_msrange_exchange_1:
# Exchange Online
# "urls": [
# "outlook.cloud.microsoft",
# "outlook.office.com",
# "outlook.office365.com"
# ]
DestinationIp|cidr:
- '13.107.4.0/22'
- '13.107.6.152/31'
- '13.107.18.10/31'
- '13.107.42.0/23'
- '13.107.128.0/22'
- '23.35.224.0/20'
- '23.53.40.0/22'
- '23.103.160.0/20'
- '23.216.76.0/22'
- '40.96.0.0/13'
- '40.104.0.0/15'
- '52.96.0.0/14'
- '131.253.33.215/32'
- '132.245.0.0/16'
- '150.171.32.0/22'
- '204.79.197.215/32'
- '2603:1006::/40'
- '2603:1016::/36'
- '2603:1026::/36'
- '2603:1036::/36'
- '2603:1046::/36'
- '2603:1056::/36'
- '2620:1ec:4::152/128'
- '2620:1ec:4::153/128'
- '2620:1ec:c::10/128'
- '2620:1ec:c::11/128'
- '2620:1ec:d::10/128'
- '2620:1ec:d::11/128'
- '2620:1ec:8f0::/46'
- '2620:1ec:900::/46'
- '2620:1ec:a92::152/128'
- '2620:1ec:a92::153/128'
DestinationPort:
- 80
- 443
filter_main_msrange_exchange_2:
# Exchange Online
# "urls": [
# "outlook.office365.com",
# "smtp.office365.com"
# ]
DestinationIp|cidr:
- '13.107.6.152/31'
- '13.107.18.10/31'
- '13.107.128.0/22'
- '23.103.160.0/20'
- '40.96.0.0/13'
- '40.104.0.0/15'
- '52.96.0.0/14'
- '131.253.33.215/32'
- '132.245.0.0/16'
- '150.171.32.0/22'
- '204.79.197.215/32'
- '2603:1006::/40'
- '2603:1016::/36'
- '2603:1026::/36'
- '2603:1036::/36'
- '2603:1046::/36'
- '2603:1056::/36'
- '2620:1ec:4::152/128'
- '2620:1ec:4::153/128'
- '2620:1ec:c::10/128'
- '2620:1ec:c::11/128'
- '2620:1ec:d::10/128'
- '2620:1ec:d::11/128'
- '2620:1ec:8f0::/46'
- '2620:1ec:900::/46'
- '2620:1ec:a92::152/128'
- '2620:1ec:a92::153/128'
DestinationPort:
- 143
- 587
- 993
- 995
Protocol: 'tcp'
filter_main_msrange_exchange_3:
# Exchange Online
# "urls": [
# "*.protection.outlook.com"
# ]
DestinationIp|cidr:
- '40.92.0.0/15'
- '40.107.0.0/16'
- '52.100.0.0/14'
- '52.238.78.88/32'
- '104.47.0.0/17'
- '2a01:111:f400::/48'
- '2a01:111:f403::/48'
DestinationPort: 443
filter_main_msrange_exchange_4:
# Exchange Online
# "urls": [
# "*.mail.protection.outlook.com",
# "*.mx.microsoft"
# ]
DestinationIp|cidr:
- '40.92.0.0/15'
- '40.107.0.0/16'
- '52.100.0.0/14'
- '52.238.78.88/32'
- '104.47.0.0/17'
- '2a01:111:f400::/48'
- '2a01:111:f403::/48'
DestinationPort: 25
filter_main_msrange_sharepoint_1:
# SharePoint Online and OneDrive for Business",
# "urls": [
# "*.sharepoint.com"
# ]
DestinationIp|cidr:
- '13.107.136.0/22'
- '40.108.128.0/17'
- '52.104.0.0/14'
- '104.146.128.0/17'
- '150.171.40.0/22'
- '2603:1061:1300::/40'
- '2620:1ec:8f8::/46'
- '2620:1ec:908::/46'
- '2a01:111:f402::/48'
DestinationPort:
- 80
- 443
Protocol: 'tcp'
filter_main_msrange_office_1:
# Microsoft 365 Common and Office Online",
# "urls": [
# "*.officeapps.live.com",
# "*.online.office.com",
# "office.live.com",
# "office.com.akadns.net"
# ],
DestinationIp|cidr:
- '13.107.6.171/32'
- '13.107.18.15/32'
- '13.107.140.6/32'
- '20.64.0.0/10'
- '52.108.0.0/14'
- '52.244.37.168/32'
- '2603:1006:1400::/40'
- '2603:1016:2400::/40'
- '2603:1026:2400::/40'
- '2603:1036:2400::/40'
- '2603:1046:1400::/40'
- '2603:1056:1400::/40'
- '2603:1063:2000::/38'
- '2620:1ec:c::15/128'
- '2620:1ec:8fc::6/128'
- '2620:1ec:a92::171/128'
- '2a01:111:f100:2000::a83e:3019/128'
- '2a01:111:f100:2002::8975:2d79/128'
- '2a01:111:f100:2002::8975:2da8/128'
- '2a01:111:f100:7000::6fdd:6cd5/128'
- '2a01:111:f100:a004::bfeb:88cf/128'
DestinationPort:
- 80
- 443
Protocol: 'tcp'
filter_main_msrange_office_2:
# Microsoft 365 Common and Office Online
# "urls": [
# "*.auth.microsoft.com",
# "*.msftidentity.com",
# "*.msidentity.com",
# "account.activedirectory.windowsazure.com",
# "accounts.accesscontrol.windows.net",
# "adminwebservice.microsoftonline.com",
# "api.passwordreset.microsoftonline.com",
# "autologon.microsoftazuread-sso.com",
# "becws.microsoftonline.com",
# "ccs.login.microsoftonline.com",
# "clientconfig.microsoftonline-p.net",
# "cloudapp.azure.com",
# "companymanager.microsoftonline.com",
# "device.login.microsoftonline.com",
# "graph.microsoft.com",
# "graph.windows.net",
# "login-us.microsoftonline.com",
# "login.microsoft.com",
# "login.microsoftonline-p.com",
# "login.microsoftonline.com",
# "login.windows.net",
# "logincert.microsoftonline.com",
# "loginex.microsoftonline.com",
# "nexus.microsoftonline-p.com",
# "passwordreset.microsoftonline.com",
# "provisioningapi.microsoftonline.com",
# "web.core.windows.net",
# ]
DestinationIp|cidr:
- '172.128.0.0/10'
- '20.20.32.0/19'
- '20.103.156.88/32' # msn.com
- '20.190.128.0/18'
- '20.231.128.0/19'
- '40.126.0.0/18'
- '57.150.0.0/15'
- '2603:1006:2000::/48'
- '2603:1007:200::/48'
- '2603:1016:1400::/48'
- '2603:1017::/48'
- '2603:1026:3000::/48'
- '2603:1027:1::/48'
- '2603:1036:3000::/48'
- '2603:1037:1::/48'
- '2603:1046:2000::/48'
- '2603:1047:1::/48'
- '2603:1056:2000::/48'
- '2603:1057:2::/48'
DestinationPort:
- 80
- 443
Protocol: 'tcp'
filter_main_msrange_office_3:
# Microsoft 365 Common and Office Online
# "urls": [
# "*.compliance.microsoft.com",
# "*.data.microsoft.com",
# "*.protection.office.com",
# "*.security.microsoft.com",
# "compliance.microsoft.com",
# "defender.microsoft.com",
# "protection.office.com",
# "security.microsoft.com",
# "teams.microsoft.com",
# ]
DestinationIp|cidr:
- '13.64.0.0/11'
- '13.107.6.192/32'
- '13.107.9.192/32'
- '13.89.179.14/32'
- '20.40.0.0/14'
- '20.48.0.0/12'
- '20.64.0.0/12'
- '52.123.0.0/16'
- '52.108.0.0/14'
- '52.136.0.0/13'
- '57.150.0.0/15'
- '80.239.150.67/32' # Arelion Sweden AB
- '2620:1ec:4::192/128'
- '2620:1ec:a92::192/128'
DestinationPort: 443
Protocol: 'tcp'
filter_main_destination_host:
DestinationHostname|endswith: '.deploy.static.akamaitechnologies.com'
DestinationPort: 443
Protocol: 'tcp'
condition: selection and not 1 of filter_main_*
falsepositives:
- You may have to tune certain domains out that Excel may call out to, such as microsoft or other business use case domains.
- Office documents commonly have templates that refer to external addresses, like "sharepoint.ourcompany.com" may have to be tuned.
- It is highly recommended to baseline your activity and tune out common business use cases.
level: medium
Convert to SIEM query
medium
Moderate
High FP
Office Application Startup - Office Test
Detects the addition of office test registry that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started
view Sigma YAML
title: Office Application Startup - Office Test
id: 3d27f6dd-1c74-4687-b4fa-ca849d128d1c
status: test
description: Detects the addition of office test registry that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started
references:
- https://unit42.paloaltonetworks.com/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/
author: omkar72
date: 2020-10-25
modified: 2023-11-08
tags:
- attack.persistence
- attack.t1137.002
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|contains: '\Software\Microsoft\Office test\Special\Perf'
condition: selection
falsepositives:
- Unlikely
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Okta 2023 Breach Indicator Of Compromise
Detects new user account creation or activation with specific names related to the Okta Support System 2023 breach.
This rule can be enhanced by filtering out known and legitimate username used in your environnement.
view Sigma YAML
title: Okta 2023 Breach Indicator Of Compromise
id: 00a8e92a-776b-425f-80f2-82d8f8fab2e5
status: test
description: |
Detects new user account creation or activation with specific names related to the Okta Support System 2023 breach.
This rule can be enhanced by filtering out known and legitimate username used in your environnement.
author: Muhammad Faisal (@faisalusuf)
date: 2023-10-25
modified: 2026-04-27
references:
- https://www.beyondtrust.com/blog/entry/okta-support-unit-breach
- https://developer.okta.com/docs/reference/api/event-types/
tags:
- attack.credential-access
- detection.emerging-threats
logsource:
service: okta
product: okta
detection:
selection:
eventType:
- 'user.lifecycle.create'
- 'user.lifecycle.activate'
target.displayName|contains: 'svc_network_backup'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Okta API Token Created
Detects when a API token is created
view Sigma YAML
title: Okta API Token Created
id: 19951c21-229d-4ccb-8774-b993c3ff3c5c
status: test
description: Detects when a API token is created
references:
- https://developer.okta.com/docs/reference/api/system-log/
- https://developer.okta.com/docs/reference/api/event-types/
author: Austin Songer @austinsonger
date: 2021-09-12
modified: 2026-04-27
tags:
- attack.persistence
logsource:
product: okta
service: okta
detection:
selection:
eventType: system.api_token.create
condition: selection
falsepositives:
- Legitimate creation of an API token by authorized users
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Okta API Token Revoked
Detects when a API Token is revoked.
view Sigma YAML
title: Okta API Token Revoked
id: cf1dbc6b-6205-41b4-9b88-a83980d2255b
status: test
description: Detects when a API Token is revoked.
references:
- https://developer.okta.com/docs/reference/api/system-log/
- https://developer.okta.com/docs/reference/api/event-types/
author: Austin Songer @austinsonger
date: 2021-09-12
modified: 2026-04-27
tags:
- attack.impact
logsource:
product: okta
service: okta
detection:
selection:
eventType: system.api_token.revoke
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Okta Admin Functions Access Through Proxy
Detects access to Okta admin functions through proxy.
view Sigma YAML
title: Okta Admin Functions Access Through Proxy
id: 9058ca8b-f397-4fd1-a9fa-2b7aad4d6309
status: test
description: Detects access to Okta admin functions through proxy.
references:
- https://www.beyondtrust.com/blog/entry/okta-support-unit-breach
- https://dataconomy.com/2023/10/23/okta-data-breach/
- https://blog.cloudflare.com/how-cloudflare-mitigated-yet-another-okta-compromise/
author: Muhammad Faisal @faisalusuf
date: 2023-10-25
tags:
- attack.credential-access
logsource:
service: okta
product: okta
detection:
selection:
debugContext.debugData.requestUri|contains: 'admin'
securityContext.isProxy: 'true'
condition: selection
falsepositives:
- False positives are expected if administrators access these function through proxy legitimatly. Apply additional filters if necessary
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Okta Admin Role Assigned to an User or Group
Detects when an the Administrator role is assigned to an user or group.
view Sigma YAML
title: Okta Admin Role Assigned to an User or Group
id: 413d4a81-6c98-4479-9863-014785fd579c
status: test
description: Detects when an the Administrator role is assigned to an user or group.
references:
- https://developer.okta.com/docs/reference/api/system-log/
- https://developer.okta.com/docs/reference/api/event-types/
author: Austin Songer @austinsonger
date: 2021-09-12
modified: 2026-04-27
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1098.003
logsource:
product: okta
service: okta
detection:
selection:
eventType:
- group.privilege.grant
- user.account.privilege.grant
condition: selection
falsepositives:
- Administrator roles could be assigned to users or group by other admin users.
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Okta Admin Role Assignment Created
Detects when a new admin role assignment is created. Which could be a sign of privilege escalation or persistence
view Sigma YAML
title: Okta Admin Role Assignment Created
id: 139bdd4b-9cd7-49ba-a2f4-744d0a8f5d8c
status: test
description: Detects when a new admin role assignment is created. Which could be a sign of privilege escalation or persistence
references:
- https://developer.okta.com/docs/reference/api/system-log/
- https://developer.okta.com/docs/reference/api/event-types/
author: Nikita Khalimonenkov
date: 2023-01-19
modified: 2026-04-27
tags:
- attack.persistence
logsource:
product: okta
service: okta
detection:
selection:
eventType: 'iam.resourceset.bindings.add'
condition: selection
falsepositives:
- Legitimate creation of a new admin role assignment
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Okta Application Modified or Deleted
Detects when an application is modified or deleted.
view Sigma YAML
title: Okta Application Modified or Deleted
id: 7899144b-e416-4c28-b0b5-ab8f9e0a541d
status: test
description: Detects when an application is modified or deleted.
references:
- https://developer.okta.com/docs/reference/api/system-log/
- https://developer.okta.com/docs/reference/api/event-types/
author: Austin Songer @austinsonger
date: 2021-09-12
modified: 2026-04-27
tags:
- attack.impact
logsource:
product: okta
service: okta
detection:
selection:
eventType:
- application.lifecycle.update
- application.lifecycle.delete
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Okta Application Sign-On Policy Modified or Deleted
Detects when an application Sign-on Policy is modified or deleted.
view Sigma YAML
title: Okta Application Sign-On Policy Modified or Deleted
id: 8f668cc4-c18e-45fe-ad00-624a981cf88a
status: test
description: Detects when an application Sign-on Policy is modified or deleted.
references:
- https://developer.okta.com/docs/reference/api/system-log/
- https://developer.okta.com/docs/reference/api/event-types/
author: Austin Songer @austinsonger
date: 2021-09-12
modified: 2026-04-27
tags:
- attack.impact
logsource:
product: okta
service: okta
detection:
selection:
eventType:
- application.policy.sign_on.update
- application.policy.sign_on.rule.delete
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Okta Identity Provider Created
Detects when a new identity provider is created for Okta.
view Sigma YAML
title: Okta Identity Provider Created
id: 969c7590-8c19-4797-8c1b-23155de6e7ac
status: test
description: Detects when a new identity provider is created for Okta.
references:
- https://developer.okta.com/docs/reference/api/system-log/
- https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection
author: kelnage
date: 2023-09-07
modified: 2026-04-27
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1098.001
logsource:
product: okta
service: okta
detection:
selection:
eventType: 'system.idp.lifecycle.create'
condition: selection
falsepositives:
- When an admin creates a new, authorised identity provider.
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Okta MFA Reset or Deactivated
Detects when an attempt at deactivating or resetting MFA.
view Sigma YAML
title: Okta MFA Reset or Deactivated
id: 50e068d7-1e6b-4054-87e5-0a592c40c7e0
status: test
description: Detects when an attempt at deactivating or resetting MFA.
references:
- https://developer.okta.com/docs/reference/api/system-log/
- https://developer.okta.com/docs/reference/api/event-types/
author: Austin Songer @austinsonger
date: 2021-09-21
modified: 2026-04-27
tags:
- attack.persistence
- attack.credential-access
- attack.defense-impairment
- attack.t1556.006
logsource:
product: okta
service: okta
detection:
selection:
eventType:
- user.mfa.factor.deactivate
- user.mfa.factor.reset_all
condition: selection
falsepositives:
- If a MFA reset or deactivated was performed by a system administrator.
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Okta Network Zone Deactivated or Deleted
Detects when an Network Zone is Deactivated or Deleted.
view Sigma YAML
title: Okta Network Zone Deactivated or Deleted
id: 9f308120-69ed-4506-abde-ac6da81f4310
status: test
description: Detects when an Network Zone is Deactivated or Deleted.
references:
- https://developer.okta.com/docs/reference/api/system-log/
- https://developer.okta.com/docs/reference/api/event-types/
author: Austin Songer @austinsonger
date: 2021-09-12
modified: 2026-04-27
tags:
- attack.impact
logsource:
product: okta
service: okta
detection:
selection:
eventType:
- zone.deactivate
- zone.delete
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Okta Policy Rule Modified or Deleted
Detects when an Policy Rule is Modified or Deleted.
view Sigma YAML
title: Okta Policy Rule Modified or Deleted
id: 0c97c1d3-4057-45c9-b148-1de94b631931
status: test
description: Detects when an Policy Rule is Modified or Deleted.
references:
- https://developer.okta.com/docs/reference/api/system-log/
- https://developer.okta.com/docs/reference/api/event-types/
author: Austin Songer @austinsonger
date: 2021-09-12
modified: 2026-04-27
tags:
- attack.impact
logsource:
product: okta
service: okta
detection:
selection:
eventType:
- policy.rule.update
- policy.rule.delete
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Okta Security Threat Detected
Detects when an security threat is detected in Okta.
view Sigma YAML
title: Okta Security Threat Detected
id: 5c82f0b9-3c6d-477f-a318-0e14a1df73e0
status: test
description: Detects when an security threat is detected in Okta.
references:
- https://okta.github.io/okta-help/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm
- https://developer.okta.com/docs/reference/api/system-log/
- https://developer.okta.com/docs/reference/api/event-types/
author: Austin Songer @austinsonger
date: 2021-09-12
modified: 2026-04-27
tags:
- attack.command-and-control
logsource:
product: okta
service: okta
detection:
selection:
eventType: security.threat.detected
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Okta Unauthorized Access to App
Detects when unauthorized access to app occurs.
view Sigma YAML
title: Okta Unauthorized Access to App
id: 6cc2b61b-d97e-42ef-a9dd-8aa8dc951657
status: test
description: Detects when unauthorized access to app occurs.
references:
- https://developer.okta.com/docs/reference/api/system-log/
- https://developer.okta.com/docs/reference/api/event-types/
author: Austin Songer @austinsonger
date: 2021-09-12
modified: 2026-04-27
tags:
- attack.impact
logsource:
product: okta
service: okta
detection:
selection:
displayMessage: User attempted unauthorized access to app
condition: selection
falsepositives:
- User might of believe that they had access.
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Okta User Account Locked Out
Detects when an user account is locked out.
view Sigma YAML
title: Okta User Account Locked Out
id: 14701da0-4b0f-4ee6-9c95-2ffb4e73bb9a
status: test
description: Detects when an user account is locked out.
references:
- https://developer.okta.com/docs/reference/api/system-log/
- https://developer.okta.com/docs/reference/api/event-types/
author: Austin Songer @austinsonger
date: 2021-09-12
modified: 2026-04-27
tags:
- attack.impact
- attack.t1531
logsource:
product: okta
service: okta
detection:
selection:
displayMessage: Max sign in attempts exceeded
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Old TLS1.0/TLS1.1 Protocol Version Enabled
Detects applications or users re-enabling old TLS versions by setting the "Enabled" value to "1" for the "Protocols" registry key.
view Sigma YAML
title: Old TLS1.0/TLS1.1 Protocol Version Enabled
id: 439957a7-ad86-4a8f-9705-a28131c6821b
status: test
description: Detects applications or users re-enabling old TLS versions by setting the "Enabled" value to "1" for the "Protocols" registry key.
references:
- https://techcommunity.microsoft.com/t5/windows-it-pro-blog/tls-1-0-and-tls-1-1-soon-to-be-disabled-in-windows/ba-p/3887947
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-05
tags:
- attack.stealth
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains:
- '\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\'
- '\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\'
TargetObject|endswith: '\Enabled'
Details: 'DWORD (0x00000001)'
condition: selection
falsepositives:
- Legitimate enabling of the old tls versions due to incompatibility
level: medium
Convert to SIEM query
medium
Strong
Medium FP
OneNote Attachment File Dropped In Suspicious Location
Detects creation of files with the ".one"/".onepkg" extension in suspicious or uncommon locations. This could be a sign of attackers abusing OneNote attachments
view Sigma YAML
title: OneNote Attachment File Dropped In Suspicious Location
id: 7fd164ba-126a-4d9c-9392-0d4f7c243df0
status: test
description: Detects creation of files with the ".one"/".onepkg" extension in suspicious or uncommon locations. This could be a sign of attackers abusing OneNote attachments
references:
- https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/
- https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-22
modified: 2023-09-19
tags:
- attack.stealth
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|contains:
# Note: add more common locations for drops such as download folders and the like. Or baseline legitimate locations and alert on everything else
- '\AppData\Local\Temp\'
- '\Users\Public\'
- '\Windows\Temp\'
- ':\Temp\'
TargetFilename|endswith:
- '.one'
- '.onepkg'
filter_main_onenote:
Image|contains: ':\Program Files\Microsoft Office\'
Image|endswith: '\ONENOTE.EXE'
condition: selection and not 1 of filter_main_*
falsepositives:
- Legitimate usage of ".one" or ".onepkg" files from those locations
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
OpenEDR Spawning Command Shell
Detects the OpenEDR ssh-shellhost.exe spawning a command shell (cmd.exe) or PowerShell with PTY (pseudo-terminal) capabilities.
This may indicate remote command execution through OpenEDR's remote management features, which could be legitimate administrative activity or potential abuse of the remote access tool.
Threat actors may leverage OpenEDR's remote shell capabilities to execute commands on compromised systems, facilitating lateral movement or other command-and-control operations.
view Sigma YAML
title: OpenEDR Spawning Command Shell
id: 7f3a9c2d-4e8b-4a7f-9d3e-5c6f8a9b2e1d
status: experimental
description: |
Detects the OpenEDR ssh-shellhost.exe spawning a command shell (cmd.exe) or PowerShell with PTY (pseudo-terminal) capabilities.
This may indicate remote command execution through OpenEDR's remote management features, which could be legitimate administrative activity or potential abuse of the remote access tool.
Threat actors may leverage OpenEDR's remote shell capabilities to execute commands on compromised systems, facilitating lateral movement or other command-and-control operations.
author: '@kostastsale'
date: 2026-02-19
references:
- https://kostas-ts.medium.com/detecting-abuse-of-openedrs-permissive-edr-trial-a-security-researcher-s-perspective-fc55bf53972c
tags:
- attack.execution
- attack.t1059.003
- attack.lateral-movement
- attack.t1021.004
- attack.command-and-control
- attack.t1219
logsource:
product: windows
category: process_creation
detection:
selection_img:
ParentImage|endswith: '\ITSMService.exe'
Image|endswith: '\ssh-shellhost.exe'
CommandLine|contains: '--pty'
selection_cli_shell:
CommandLine|contains:
- 'bash'
- 'cmd'
- 'powershell'
- 'pwsh'
condition: all of selection_*
falsepositives:
- Legitimate use of OpenEDR for remote command execution
level: medium
Convert to SIEM query
medium
Strong
Medium FP
OpenSSH Server Listening On Socket
Detects scenarios where an attacker enables the OpenSSH server and server starts to listening on SSH socket.
view Sigma YAML
title: OpenSSH Server Listening On Socket
id: 3ce8e9a4-bc61-4c9b-8e69-d7e2492a8781
status: test
description: Detects scenarios where an attacker enables the OpenSSH server and server starts to listening on SSH socket.
references:
- https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH
- https://winaero.com/enable-openssh-server-windows-10/
- https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse
- https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx
- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
author: mdecrevoisier
date: 2022-10-25
tags:
- attack.lateral-movement
- attack.t1021.004
logsource:
product: windows
service: openssh
detection:
selection:
EventID: 4
process: sshd
payload|startswith: 'Server listening on '
condition: selection
falsepositives:
- Legitimate administrator activity
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Osacompile Execution By Potentially Suspicious Applet/Osascript
Detects potential suspicious applet or osascript executing "osacompile".
view Sigma YAML
title: Osacompile Execution By Potentially Suspicious Applet/Osascript
id: a753a6af-3126-426d-8bd0-26ebbcb92254
status: test
description: Detects potential suspicious applet or osascript executing "osacompile".
references:
- https://redcanary.com/blog/mac-application-bundles/
author: Sohan G (D4rkCiph3r), Red Canary (Idea)
date: 2023-04-03
tags:
- attack.execution
- attack.t1059.002
logsource:
category: process_creation
product: macos
detection:
selection:
ParentImage|endswith:
- '/applet'
- '/osascript'
CommandLine|contains: 'osacompile'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Outbound Network Connection To Public IP Via Winlogon
Detects a "winlogon.exe" process that initiate network communications with public IP addresses
view Sigma YAML
title: Outbound Network Connection To Public IP Via Winlogon
id: 7610a4ea-c06d-495f-a2ac-0a696abcfd3b
status: test
description: Detects a "winlogon.exe" process that initiate network communications with public IP addresses
references:
- https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/
author: Christopher Peacock @securepeacock, SCYTHE @scythe_io
date: 2023-04-28
modified: 2024-03-12
tags:
- attack.execution
- attack.command-and-control
- attack.stealth
- attack.t1218.011
logsource:
category: network_connection
product: windows
detection:
selection:
Image|endswith: '\winlogon.exe'
Initiated: 'true'
filter_main_local_ranges:
DestinationIp|cidr:
- '127.0.0.0/8'
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '169.254.0.0/16'
- '::1/128' # IPv6 loopback
- 'fe80::/10' # IPv6 link-local addresses
- 'fc00::/7' # IPv6 private addresses
condition: selection and not 1 of filter_main_*
falsepositives:
- Communication to other corporate systems that use IP addresses from public address spaces
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Outlook Security Settings Updated - Registry
Detects changes to the registry values related to outlook security settings
view Sigma YAML
title: Outlook Security Settings Updated - Registry
id: c3cefdf4-6703-4e1c-bad8-bf422fc5015a
related:
- id: 6763c6c8-bd01-4687-bc8d-4fa52cf8ba08 # EnableUnsafeClientMailRules
type: similar
status: test
description: Detects changes to the registry values related to outlook security settings
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137/T1137.md
- https://learn.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings
author: frack113
date: 2021-12-28
modified: 2026-01-09
tags:
- attack.persistence
- attack.t1137
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains|all:
- '\SOFTWARE\Microsoft\Office\'
- '\Outlook\Security\'
filter_main_outlook:
Image|startswith:
- 'C:\Program Files\Microsoft Office\'
- 'C:\Program Files (x86)\Microsoft Office\'
Image|endswith: '\OUTLOOK.EXE'
condition: selection and not 1 of filter_main_*
falsepositives:
- Administrative activity
level: medium
Convert to SIEM query
Showing 601-650 of 1,440