VMware Carbon Black
1,440 rules · Sigma detections in VMware Carbon Black syntax
The same Sigma detection corpus, machine-rendered into VMware Carbon Black query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 3,646 rules (.zip, 1.2 MB)
Every VMware Carbon Black query in this view, packaged to deploy.
Rules by ATT&CK tactic: Reconnaissance 12 · Resource Development 10 · Initial Access 10 · Execution 30 · Persistence 42 · Privilege Escalation 20 · Stealth 79 · Defense Impairment 32 · Credential Access 35 · Discovery 33 · Lateral Movement 16 · Collection 20 · Command and Control 24 · Exfiltration 10 · Impact 18
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
Detection rules
50 shown of 1,440
Level: medium · Quality: Moderate · Alert volume: High FP
Portable Gpg.EXE Execution
Detects the execution of "gpg.exe" from an uncommon location. Often used by ransomware and loaders to decrypt/encrypt data.

Sigma YAML:
title: Portable Gpg.EXE Execution
id: 77df53a5-1d78-4f32-bc5a-0e7465bd8f41
status: test
description: Detects the execution of "gpg.exe" from an uncommon location. Often used by ransomware and loaders to decrypt/encrypt data.
references:
    - https://www.trendmicro.com/vinfo/vn/threat-encyclopedia/malware/ransom.bat.zarlock.a
    - https://securelist.com/locked-out/68960/
    - https://github.com/redcanaryco/atomic-red-team/blob/c4097dc7ed14d7f7d08c89d148c4307097e8c294/atomics/T1486/T1486.md
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-06
modified: 2023-11-10
tags:
    - attack.impact
    - attack.t1486
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith:
              - '\gpg.exe'
              - '\gpg2.exe'
        - OriginalFileName: 'gpg.exe'
        - Description: 'GnuPG’s OpenPGP tool'
    filter_main_legit_location:
        Image|contains:
            - ':\Program Files (x86)\GNU\GnuPG\bin\'
            - ':\Program Files (x86)\GnuPG VS-Desktop\'
            - ':\Program Files (x86)\GnuPG\bin\'
            - ':\Program Files (x86)\Gpg4win\bin\'
    condition: selection and not 1 of filter_main_*
level: medium
Level: medium · Quality: Strong · Alert volume: Medium FP
Possible DC Shadow Attack
Detects DCShadow via the creation of a new SPN

Sigma YAML:
title: Possible DC Shadow Attack
id: 32e19d25-4aed-4860-a55a-be99cb0bf7ed
related:
    - id: 611eab06-a145-4dfa-a295-3ccc5c20f59a
      type: derived
status: test
description: Detects DCShadow via the creation of a new SPN
references:
    - https://twitter.com/gentilkiwi/status/1003236624925413376
    - https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
    - https://web.archive.org/web/20180203014709/https://blog.alsid.eu/dcshadow-explained-4510f52fc19d?gi=c426ac876c48
author: Ilyas Ochkov, oscd.community, Chakib Gzenayi (@Chak092), Hosni Mribah
date: 2019-10-25
modified: 2022-10-17
tags:
    - attack.credential-access
    - attack.defense-impairment
    - attack.t1207
logsource:
    product: windows
    service: security
    definition: The "Audit Directory Service Changes" logging policy must be configured in order to receive events. Audit events are generated only for objects with configured system access control lists (SACLs) and only when accessed in a manner that matches their SACL settings. This policy covers the following event ids - 5136, 5137, 5138, 5139, 5141. Note that the default policy does not cover User objects. For that, a custom AuditRule needs to be set up (See https://github.com/OTRF/Set-AuditRule)
detection:
    selection1:
        EventID: 4742
        ServicePrincipalNames|contains: 'GC/'
    selection2:
        EventID: 5136
        AttributeLDAPDisplayName: servicePrincipalName
        AttributeValue|startswith: 'GC/'
    condition: 1 of selection*
falsepositives:
    - Valid on domain controllers; exclude known DCs
level: medium
Level: medium · Quality: Strong · Alert volume: Medium FP
Possible PrintNightmare Print Driver Install - CVE-2021-1675
Detects the remote installation of a print driver, which is a possible indication of the exploitation of PrintNightmare (CVE-2021-1675).
The occurrence of print drivers being installed remotely via RPC functions should be rare, as print drivers are normally installed locally or through group policy.

Sigma YAML:
title: Possible PrintNightmare Print Driver Install - CVE-2021-1675
id: 7b33baef-2a75-4ca3-9da4-34f9a15382d8
related:
    - id: 53389db6-ba46-48e3-a94c-e0f2cefe1583
      type: derived
status: stable
description: |
    Detects the remote installation of a print driver, which is a possible indication of the exploitation of PrintNightmare (CVE-2021-1675).
    The occurrence of print drivers being installed remotely via RPC functions should be rare, as print drivers are normally installed locally or through group policy.
references:
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29
    - https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
    - https://github.com/corelight/CVE-2021-1675
    - https://old.zeek.org/zeekweek2019/slides/bzar.pdf
    - https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/
author: '@neu5ron (Nate Guagenti)'
date: 2021-08-23
modified: 2025-11-03
tags:
    - attack.execution
    - cve.2021-1678
    - cve.2021-1675
    - cve.2021-34527
    - detection.emerging-threats
logsource:
    product: zeek
    service: dce_rpc
detection:
    selection:
        operation:
            - 'RpcAsyncInstallPrinterDriverFromPackage' # "76f03f96-cdfd-44fc-a22c-64950a001209",0x3e
            - 'RpcAsyncAddPrintProcessor' # "76f03f96-cdfd-44fc-a22c-64950a001209",0x2c
            - 'RpcAddPrintProcessor' # "12345678-1234-abcd-ef00-0123456789ab",0x0e
            - 'RpcAddPrinterDriverEx' # "12345678-1234-abcd-ef00-0123456789ab",0x59
            - 'RpcAddPrinterDriver' # "12345678-1234-abcd-ef00-0123456789ab",0x09
            - 'RpcAsyncAddPrinterDriver' # "76f03f96-cdfd-44fc-a22c-64950a001209",0x27
    condition: selection
falsepositives:
    - Legitimate remote alteration of a printer driver.
level: medium
Level: medium · Quality: Strong · Alert volume: Medium FP
Potential AD User Enumeration From Non-Machine Account
Detects read access to a domain user from a non-machine account

Sigma YAML:
title: Potential AD User Enumeration From Non-Machine Account
id: ab6bffca-beff-4baa-af11-6733f296d57a
status: test
description: Detects read access to a domain user from a non-machine account
references:
    - https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
    - http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html
    - https://learn.microsoft.com/en-us/windows/win32/adschema/attributes-all # For further investigation of the accessed properties
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4662
author: Maxime Thiebaut (@0xThiebaut)
date: 2020-03-30
modified: 2022-11-08
tags:
    - attack.discovery
    - attack.t1087.002
logsource:
    product: windows
    service: security
    definition: 'Requirements: The "Read all properties" permission on the user object needs to be audited for the "Everyone" principal'
detection:
    selection:
        EventID: 4662
        # Using contains as the data commonly is structured as "%{bf967aba-0de6-11d0-a285-00aa003049e2}"
        # The user class (https://learn.microsoft.com/en-us/windows/win32/adschema/c-user)
        ObjectType|contains: 'bf967aba-0de6-11d0-a285-00aa003049e2'
        AccessMask|endswith:
            # Note: Since the Access Mask can have more than one permission we need to add all permutations that include the READ property
            - '1?' # This covers all access masks that are 1 byte or shorter and the "Read Property" itself
            - '3?' # Read Property + Write Property
            - '4?' # Read Property + Delete Tree
            - '7?' # Read Property + Write Property + Delete Tree
            - '9?' # Read Property + List Object
            - 'B?' # Read Property + Write Property + List Object
            - 'D?' # Read Property + Delete Tree + List Object
            - 'F?' # Covers usage of all possible 2 byte permissions with any or none of the single byte permissions
    filter_main_machine_accounts:
        SubjectUserName|endswith: '$' # Exclude machine accounts
    filter_main_msql:
        SubjectUserName|startswith: 'MSOL_' # https://learn.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions#ad-ds-connector-account
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Administrators configuring new users.
level: medium
Level: medium · Quality: Moderate · Alert volume: High FP
Potential AMSI Bypass Script Using NULL Bits
Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities

Sigma YAML:
title: Potential AMSI Bypass Script Using NULL Bits
id: fa2559c8-1197-471d-9cdd-05a0273d4522
related:
    - id: 92a974db-ab84-457f-9ec0-55db83d7a825
      type: similar
status: test
description: Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities
references:
    - https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-bypass-using-null-bits-satoshi
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-04
modified: 2023-05-09
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - "if(0){{{0}}}' -f $(0 -as [char]) +"
            - "#<NULL>"
    condition: selection
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Moderate · Alert volume: High FP
Potential AMSI Bypass Using NULL Bits
Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities

Sigma YAML:
title: Potential AMSI Bypass Using NULL Bits
id: 92a974db-ab84-457f-9ec0-55db83d7a825
related:
    - id: fa2559c8-1197-471d-9cdd-05a0273d4522
      type: similar
status: test
description: Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities
references:
    - https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-bypass-using-null-bits-satoshi
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-04
modified: 2023-05-09
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - "if(0){{{0}}}' -f $(0 -as [char]) +"
            - "#<NULL>"
    condition: selection
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Strong · Alert volume: Medium FP
Potential APT FIN7 Exploitation Activity
Detects potential APT FIN7 exploitation activity as reported by Google.
In order to obtain initial access, FIN7 used compromised Remote Desktop Protocol (RDP) credentials to login to a target server and initiate specific Windows process chains.

Sigma YAML:
title: Potential APT FIN7 Exploitation Activity
id: 6676896b-2cce-422d-82af-5a1abe65e241
status: test
description: |
    Detects potential APT FIN7 exploitation activity as reported by Google.
    In order to obtain initial access, FIN7 used compromised Remote Desktop Protocol (RDP) credentials to login to a target server and initiate specific Windows process chains.
references:
    - https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/
author: Alex Walston (@4ayymm)
date: 2024-07-29
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1059.003
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_notepad_plus:
        ParentImage|endswith: '\notepad++.exe'
        Image|endswith: '\cmd.exe'
    selection_rdpinit:
        ParentImage|endswith: '\rdpinit.exe'
        Image|endswith: '\notepad++.exe'
    condition: 1 of selection_*
falsepositives:
    - Notepad++ can legitimately spawn cmd (Open Containing Folder in CMD)
level: medium
Level: medium · Quality: Moderate · Alert volume: High FP
Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32
Detects potential BlueMushroom DLL loading activity via regsvr32 from AppData Local

Sigma YAML:
title: Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32
id: bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0
status: test
description: Detects potential BlueMushroom DLL loading activity via regsvr32 from AppData Local
references:
    - https://pbs.twimg.com/media/EF3yLGoWkAEGeLa?format=jpg
author: Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
date: 2019-10-02
modified: 2023-03-29
tags:
    - attack.stealth
    - attack.t1218.010
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'regsvr32'
            - '\AppData\Local\'
            - '.dll'
            - ',DllEntry'
    condition: selection
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Moderate · Alert volume: Low FP
Potential AS-REP Roasting via Kerberos TGT Requests
Detects suspicious Kerberos TGT requests with pre-authentication disabled (Pre-Authentication Type = 0) and Ticket Encryption Type 0x17, i.e. RC4-HMAC.
This may indicate an AS-REP Roasting attack, where attackers request AS-REP messages for accounts without pre-authentication and attempt to crack the encrypted ticket offline to recover user passwords.

Sigma YAML:
title: Potential AS-REP Roasting via Kerberos TGT Requests
id: 3e2f1b2c-4d5e-11ee-be56-0242ac120002
status: experimental
description: |
    Detects suspicious Kerberos TGT requests with pre-authentication disabled (Pre-Authentication Type = 0) and Ticket Encryption Type 0x17, i.e. RC4-HMAC.
    This may indicate an AS-REP Roasting attack, where attackers request AS-REP messages for accounts without pre-authentication and attempt to crack the encrypted ticket offline to recover user passwords.
references:
    - https://medium.com/system-weakness/detecting-as-rep-roasting-attacks-b5b3965f9714
    - https://www.picussecurity.com/resource/blog/as-rep-roasting-attack-explained-mitre-attack-t1558.004
author: ANosir
date: 2025-05-22
modified: 2025-07-04
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4768
        TicketEncryptionType: '0x17'
        ServiceName: 'krbtgt'
        PreAuthType: 0
    condition: selection
falsepositives:
    - Legacy systems or applications that legitimately use RC4 encryption
    - Misconfigured accounts with pre-authentication disabled
level: medium
Level: medium · Quality: Moderate · Alert volume: Medium FP
Potential AVKkid.DLL Sideloading
Detects potential DLL sideloading of "AVKkid.dll"

Sigma YAML:
title: Potential AVKkid.DLL Sideloading
id: 952ed57c-8f99-453d-aee0-53a49c22f95d
status: test
description: Detects potential DLL sideloading of "AVKkid.dll"
references:
    - https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/
author: X__Junior (Nextron Systems)
date: 2023-08-03
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\AVKkid.dll'
    filter_main_legit_path:
        Image|contains:
            - 'C:\Program Files (x86)\G DATA\'
            - 'C:\Program Files\G DATA\'
        Image|endswith: '\AVKKid.exe'
        ImageLoaded|startswith:
            - 'C:\Program Files (x86)\G DATA\'
            - 'C:\Program Files\G DATA\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Moderate · Alert volume: Medium FP
Potential Abuse of Linux Magic System Request Key
Detects the potential abuse of the Linux Magic SysRq (System Request) key by adversaries with root or sufficient privileges
to silently manipulate or destabilize a system. By writing to /proc/sysrq-trigger, they can crash the system, kill processes,
or disrupt forensic analysis, all while bypassing standard logging. Though intended for recovery and debugging, SysRq can be
misused as a stealthy post-exploitation tool. It is controlled via /proc/sys/kernel/sysrq or permanently through /etc/sysctl.conf.

Sigma YAML:
title: Potential Abuse of Linux Magic System Request Key
id: ea61bb82-a5e0-42e6-8537-91d29500f1b9
status: experimental
description: |
    Detects the potential abuse of the Linux Magic SysRq (System Request) key by adversaries with root or sufficient privileges
    to silently manipulate or destabilize a system. By writing to /proc/sysrq-trigger, they can crash the system, kill processes,
    or disrupt forensic analysis, all while bypassing standard logging. Though intended for recovery and debugging, SysRq can be
    misused as a stealthy post-exploitation tool. It is controlled via /proc/sys/kernel/sysrq or permanently through /etc/sysctl.conf.
references:
    - https://www.kernel.org/doc/html/v4.10/_sources/admin-guide/sysrq.txt
    - https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/4/html/reference_guide/s3-proc-sys-kernel
    - https://www.splunk.com/en_us/blog/security/threat-update-awfulshred-script-wiper.html
author: Milad Cheraghi
date: 2025-05-23
tags:
    - attack.execution
    - attack.t1059.004
    - attack.impact
    - attack.t1529
    - attack.t1489
    - attack.t1499
logsource:
    product: linux
    service: auditd
    definition: |
        Required auditd configuration:
        -w /proc/sysrq-trigger -p wa -k sysrq
        -w /proc/sys/kernel/sysrq -p wa -k sysrq
detection:
    selection:
        type: 'PATH'
        name|endswith:
            # Enable
            - '/sysrq'
            - '/sysctl.conf'
            # Execute
            - '/sysrq-trigger'
    condition: selection
falsepositives:
    - Legitimate administrative activity
level: medium
Level: medium · Quality: Strong · Alert volume: Low FP
Potential Access Token Abuse
Detects potential token impersonation and theft. For example, when using "DuplicateToken(Ex)" and "ImpersonateLoggedOnUser" with the "LOGON32_LOGON_NEW_CREDENTIALS" flag.

Sigma YAML:
title: Potential Access Token Abuse
id: 02f7c9c1-1ae8-4c6a-8add-04693807f92f
status: test
description: Detects potential token impersonation and theft. For example, when using "DuplicateToken(Ex)" and "ImpersonateLoggedOnUser" with the "LOGON32_LOGON_NEW_CREDENTIALS" flag.
references:
    - https://www.elastic.co/fr/blog/how-attackers-abuse-access-token-manipulation
    - https://www.manageengine.com/log-management/cyber-security/access-token-manipulation.html
author: Michaela Adams, Zach Mathis
date: 2022-11-06
modified: 2023-04-26
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1134.001
    - stp.4u
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624
        LogonType: 9
        LogonProcessName: 'Advapi'
        AuthenticationPackageName: 'Negotiate'
        ImpersonationLevel: '%%1833' # Impersonation
    condition: selection
falsepositives:
    - Anti-Virus
level: medium
Level: medium · Quality: Strong · Alert volume: Medium FP
Potential Active Directory Enumeration Using AD Module - ProcCreation
Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dll" DLL, which is often used by attackers to perform AD enumeration.

Sigma YAML:
title: Potential Active Directory Enumeration Using AD Module - ProcCreation
id: 70bc5215-526f-4477-963c-a47a5c9ebd12
related:
    - id: 9e620995-f2d8-4630-8430-4afd89f77604
      type: similar
    - id: 74176142-4684-4d8a-8b0a-713257e7df8e
      type: similar
status: test
description: Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dll" DLL, which is often used by attackers to perform AD enumeration.
references:
    - https://github.com/samratashok/ADModule
    - https://twitter.com/cyb3rops/status/1617108657166061568?s=20
    - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges
author: frack113
date: 2023-01-22
tags:
    - attack.reconnaissance
    - attack.discovery
    - attack.impact
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_cmdlet:
        CommandLine|contains:
            - 'Import-Module '
            - 'ipmo '
    selection_dll:
        CommandLine|contains: 'Microsoft.ActiveDirectory.Management.dll'
    condition: all of selection_*
falsepositives:
    - Legitimate use of the library for administrative activity
level: medium
Level: medium · Quality: Strong · Alert volume: High FP
Potential Active Directory Enumeration Using AD Module - PsModule
Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dll" DLL, which is often used by attackers to perform AD enumeration.

Sigma YAML:
title: Potential Active Directory Enumeration Using AD Module - PsModule
id: 74176142-4684-4d8a-8b0a-713257e7df8e
related:
    - id: 70bc5215-526f-4477-963c-a47a5c9ebd12
      type: similar
    - id: 9e620995-f2d8-4630-8430-4afd89f77604
      type: similar
status: test
description: Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dll" DLL, which is often used by attackers to perform AD enumeration.
references:
    - https://github.com/samratashok/ADModule
    - https://twitter.com/cyb3rops/status/1617108657166061568?s=20
    - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2023-01-22
tags:
    - attack.reconnaissance
    - attack.discovery
    - attack.impact
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_cmdlet:
        Payload|contains:
            - 'Import-Module '
            - 'ipmo '
    selection_dll:
        Payload|contains: 'Microsoft.ActiveDirectory.Management.dll'
    condition: all of selection_*
falsepositives:
    - Legitimate use of the library for administrative activity
level: medium
Level: medium · Quality: Strong · Alert volume: High FP
Potential Active Directory Enumeration Using AD Module - PsScript
Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dll" DLL, which is often used by attackers to perform AD enumeration.

Sigma YAML:
title: Potential Active Directory Enumeration Using AD Module - PsScript
id: 9e620995-f2d8-4630-8430-4afd89f77604
related:
    - id: 70bc5215-526f-4477-963c-a47a5c9ebd12
      type: similar
    - id: 74176142-4684-4d8a-8b0a-713257e7df8e
      type: similar
status: test
description: Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dll" DLL, which is often used by attackers to perform AD enumeration.
references:
    - https://github.com/samratashok/ADModule
    - https://twitter.com/cyb3rops/status/1617108657166061568?s=20
    - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges
author: frack113, Nasreddine Bencherchali
date: 2023-01-22
tags:
    - attack.reconnaissance
    - attack.discovery
    - attack.impact
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_generic:
        ScriptBlockText|contains|all:
            - 'Import-Module '
            - 'Microsoft.ActiveDirectory.Management.dll'
    selection_specific:
        ScriptBlockText|contains: 'ipmo Microsoft.ActiveDirectory.Management.dll'
    condition: 1 of selection_*
falsepositives:
    - Legitimate use of the library for administrative activity
level: medium
Level: medium · Quality: Strong · Alert volume: Medium FP
Potential Active Directory Reconnaissance/Enumeration Via LDAP
Detects potential Active Directory enumeration via LDAP

Sigma YAML:
title: Potential Active Directory Reconnaissance/Enumeration Via LDAP
id: 31d68132-4038-47c7-8f8e-635a39a7c174
status: test
description: Detects potential Active Directory enumeration via LDAP
references:
    - https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726
    - https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1
    - https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs
    - https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c
    - https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427
    - https://ipurple.team/2024/07/15/sharphound-detection/
author: Adeem Mawani
date: 2021-06-22
modified: 2025-07-04
tags:
    - attack.discovery
    - attack.t1069.002
    - attack.t1087.002
    - attack.t1482
logsource:
    product: windows
    service: ldap
    definition: 'Requirements: Microsoft-Windows-LDAP-Client/Debug ETW logging'
detection:
    generic_search:
        EventID: 30
        SearchFilter|contains:
            - '(groupType:1.2.840.113556.1.4.803:=2147483648)'
            - '(groupType:1.2.840.113556.1.4.803:=2147483656)'
            - '(groupType:1.2.840.113556.1.4.803:=2147483652)'
            - '(groupType:1.2.840.113556.1.4.803:=2147483650)'
            - '(sAMAccountType=805306369)'
            - '(sAMAccountType=805306368)'
            - '(sAMAccountType=536870913)'
            - '(sAMAccountType=536870912)'
            - '(sAMAccountType=268435457)'
            - '(sAMAccountType=268435456)'
            - '(objectCategory=groupPolicyContainer)'
            - '(objectCategory=organizationalUnit)'
            # - '(objectCategory=Computer)' Prone to false positives
            - '(objectCategory=nTDSDSA)'
            - '(objectCategory=server)'
            - '(objectCategory=domain)'
            - '(objectCategory=person)'
            - '(objectCategory=group)'
            - '(objectCategory=user)'
            - '(objectClass=trustedDomain)'
            - '(objectClass=computer)'
            - '(objectClass=server)'
            - '(objectClass=group)'
            - '(objectClass=user)'
            - '(primaryGroupID=521)'
            - '(primaryGroupID=516)'
            - '(primaryGroupID=515)'
            - '(primaryGroupID=512)'
            - 'Domain Admins'
            - 'objectGUID=\*'
            - '(schemaIDGUID=\*)'
            - 'admincount=1'
    distinguished_name_enumeration:
        EventID: 30
        SearchFilter: '(objectclass=\*)'
        DistinguishedName|contains:
            - 'CN=Domain Admins'
            - 'CN=Enterprise Admins'
            - 'CN=Group Policy Creator Owners'
    suspicious_flag:
        EventID: 30
        SearchFilter|contains:
            - '(userAccountControl:1.2.840.113556.1.4.803:=4194304)'
            - '(userAccountControl:1.2.840.113556.1.4.803:=2097152)'
            - '!(userAccountControl:1.2.840.113556.1.4.803:=1048574)'
            - '(userAccountControl:1.2.840.113556.1.4.803:=524288)'
            - '(userAccountControl:1.2.840.113556.1.4.803:=65536)'
            - '(userAccountControl:1.2.840.113556.1.4.803:=8192)'
            - '(userAccountControl:1.2.840.113556.1.4.803:=544)'
            - '!(UserAccountControl:1.2.840.113556.1.4.803:=2)'
            - 'msDS-AllowedToActOnBehalfOfOtherIdentity'
            - 'msDS-AllowedToDelegateTo'
            - 'msDS-GroupManagedServiceAccount'
            - '(accountExpires=9223372036854775807)'
            - '(accountExpires=0)'
            - '(adminCount=1)'
            - 'ms-MCS-AdmPwd'
    narrow_down_filter:
        EventID: 30
        SearchFilter|contains:
            - '(domainSid=*)'
            - '(objectSid=*)'
    condition: (generic_search and not narrow_down_filter) or suspicious_flag or distinguished_name_enumeration
level: medium
Level: medium · Quality: Strong · Alert volume: High FP
Potential Amazon SSM Agent Hijacking
Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.

Sigma YAML:
title: Potential Amazon SSM Agent Hijacking
id: d20ee2f4-822c-4827-9e15-41500b1fff10
status: test
description: Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.
references:
    - https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan
    - https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/
    - https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/
author: Muhammad Faisal
date: 2023-08-02
tags:
    - attack.command-and-control
    - attack.persistence
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\amazon-ssm-agent.exe'
        CommandLine|contains|all:
            - '-register '
            - '-code '
            - '-id '
            - '-region '
    condition: selection
falsepositives:
    - Legitimate activity of system administrators
level: medium
medium
Strong
Medium FP
Potential Antivirus Software DLL Sideloading
Detects potential DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc
view Sigma YAML
title: Potential Antivirus Software DLL Sideloading
id: 552b6b65-df37-4d3e-a258-f2fc4771ae54
status: test
description: Detects potential DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc
references:
- https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
date: 2022-08-17
modified: 2025-10-07
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
# Bitdefender
selection_bitdefender:
ImageLoaded|endswith: '\log.dll'
filter_log_dll_bitdefender:
ImageLoaded|startswith:
- 'C:\Program Files\Bitdefender Antivirus Free\'
- 'C:\Program Files (x86)\Bitdefender Antivirus Free\'
filter_log_dll_dell_sar:
Image: 'C:\Program Files\Dell\SARemediation\audit\TelemetryUtility.exe'
ImageLoaded:
- 'C:\Program Files\Dell\SARemediation\plugin\log.dll'
- 'C:\Program Files\Dell\SARemediation\audit\log.dll'
filter_log_dll_canon:
ImageLoaded|startswith: 'C:\Program Files\Canon\MyPrinter\'
filter_log_dll_avast:
ImageLoaded:
- 'C:\Program Files\AVAST Software\Avast\log.dll'
- 'C:\Program Files (x86)\AVAST Software\Avast\log.dll'
filter_log_dll_avg:
ImageLoaded:
- 'C:\Program Files\AVG\Antivirus\log.dll'
- 'C:\Program Files (x86)\AVG\Antivirus\log.dll'
# F-Secure
selection_fsecure:
ImageLoaded|endswith: '\qrt.dll'
filter_fsecure:
ImageLoaded|startswith:
- 'C:\Program Files\F-Secure\Anti-Virus\'
- 'C:\Program Files (x86)\F-Secure\Anti-Virus\'
# McAfee
selection_mcafee:
ImageLoaded|endswith:
- '\ashldres.dll'
- '\lockdown.dll'
- '\vsodscpl.dll'
filter_mcafee:
ImageLoaded|startswith:
- 'C:\Program Files\McAfee\'
- 'C:\Program Files (x86)\McAfee\'
# CyberArk
selection_cyberark:
ImageLoaded|endswith: '\vftrace.dll'
filter_cyberark:
ImageLoaded|startswith:
- 'C:\Program Files\CyberArk\Endpoint Privilege Manager\Agent\x32\'
- 'C:\Program Files (x86)\CyberArk\Endpoint Privilege Manager\Agent\x32\'
# Avast
selection_avast:
ImageLoaded|endswith: '\wsc.dll'
filter_wsc_dll_avast:
ImageLoaded|startswith:
- 'C:\program Files\AVAST Software\Avast\'
- 'C:\program Files (x86)\AVAST Software\Avast\'
filter_wsc_dll_avg:
ImageLoaded|startswith:
- 'C:\Program Files\AVG\Antivirus\'
- 'C:\Program Files (x86)\AVG\Antivirus\'
# ESET
selection_eset_deslock:
ImageLoaded|endswith: '\DLPPREM32.dll'
filter_eset_deslock:
ImageLoaded|startswith:
- 'C:\program Files\ESET'
- 'C:\program Files (x86)\ESET'
# Trend Micro Titanium
selection_titanium:
ImageLoaded|endswith: '\tmdbglog.dll'
filter_titanium:
ImageLoaded|startswith:
- 'C:\program Files\Trend Micro\Titanium\'
- 'C:\program Files (x86)\Trend Micro\Titanium\'
condition: (selection_bitdefender and not 1 of filter_log_dll_*)
or (selection_fsecure and not filter_fsecure)
or (selection_mcafee and not filter_mcafee)
or (selection_cyberark and not filter_cyberark)
or (selection_avast and not 1 of filter_wsc_dll_*)
or (selection_titanium and not filter_titanium)
or (selection_eset_deslock and not filter_eset_deslock)
falsepositives:
    - Applications that load the same DLLs mentioned in the detection section. Investigate them and filter them out if they cause many FPs.
    - The Dell SARemediation plugin folder (C:\Program Files\Dell\SARemediation\plugin\log.dll) is known to contain the 'log.dll' file.
    - The Canon MyPrinter folder 'C:\Program Files\Canon\MyPrinter\' is known to contain the 'log.dll' file.
level: medium
medium
Moderate
High FP
Potential Application Whitelisting Bypass via Dnx.EXE
Detects the execution of Dnx.EXE. The Dnx utility allows for the execution of C# code.
Attackers might abuse this in order to bypass application whitelisting.
title: Potential Application Whitelisting Bypass via Dnx.EXE
id: 81ebd28b-9607-4478-bf06-974ed9d53ed7
status: test
description: |
    Detects the execution of Dnx.EXE. The Dnx utility allows for the execution of C# code.
    Attackers might abuse this in order to bypass application whitelisting.
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/
    - https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/
author: Beyu Denis, oscd.community
date: 2019-10-26
modified: 2024-04-24
tags:
    - attack.stealth
    - attack.t1218
    - attack.t1027.004
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\dnx.exe'
    condition: selection
falsepositives:
    - Legitimate use of dnx.exe by legitimate user
level: medium
medium
Moderate
Medium FP
Potential Arbitrary Command Execution Via FTP.EXE
Detects execution of "ftp.exe" with a script file via the "-s" or "/s" flag, and any child processes run by "ftp.exe".
title: Potential Arbitrary Command Execution Via FTP.EXE
id: 06b401f4-107c-4ff9-947f-9ec1e7649f1e
status: test
description: Detects execution of "ftp.exe" with a script file via the "-s" or "/s" flag, and any child processes run by "ftp.exe".
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Ftp/
author: Victor Sergeev, oscd.community
date: 2020-10-09
modified: 2024-04-23
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\ftp.exe'
    selection_child_img:
        - Image|endswith: '\ftp.exe'
        - OriginalFileName: 'ftp.exe'
    selection_child_cli:
        CommandLine|contains|windash: '-s:'
    condition: selection_parent or all of selection_child_*
falsepositives:
    - Unknown
level: medium
medium
Moderate
High FP
Potential Arbitrary DLL Load Using Winword
Detects potential DLL sideloading using the Microsoft Office winword process via the '/l' flag.
title: Potential Arbitrary DLL Load Using Winword
id: f7375e28-5c14-432f-b8d1-1db26c832df3
related:
    - id: 2621b3a6-3840-4810-ac14-a02426086171
      type: obsolete
status: test
description: Detects potential DLL sideloading using the Microsoft Office winword process via the '/l' flag.
references:
    - https://github.com/D4Vinci/One-Lin3r/blob/9fdfa5f0b9c698dfbd4cdfe7d2473192777ae1c6/one_lin3r/core/liners/windows/cmd/dll_loader_word.py
author: Victor Sergeev, oscd.community
date: 2020-10-09
modified: 2023-03-29
tags:
    - attack.stealth
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\WINWORD.exe'
        - OriginalFileName: 'WinWord.exe'
    selection_dll:
        CommandLine|contains|all:
            - '/l '
            - '.dll'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
Moderate
High FP
Potential Arbitrary File Download Via Cmdl32.EXE
Detects execution of Cmdl32 with the "/vpn" and "/lan" flags.
Attackers can abuse this utility in order to download arbitrary files via a configuration file.
Inspect the location and the content of the file passed as an argument in order to determine if it is suspicious.
title: Potential Arbitrary File Download Via Cmdl32.EXE
id: f37aba28-a9e6-4045-882c-d5004043b337
status: test
description: |
    Detects execution of Cmdl32 with the "/vpn" and "/lan" flags.
    Attackers can abuse this utility in order to download arbitrary files via a configuration file.
    Inspect the location and the content of the file passed as an argument in order to determine if it is suspicious.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/
    - https://twitter.com/SwiftOnSecurity/status/1455897435063074824
    - https://github.com/LOLBAS-Project/LOLBAS/pull/151
author: frack113
date: 2021-11-03
modified: 2024-04-22
tags:
    - attack.execution
    - attack.stealth
    - attack.t1218
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\cmdl32.exe'
        - OriginalFileName: CMDL32.EXE
    selection_cli:
        CommandLine|contains|all:
            - '/vpn'
            - '/lan'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
Moderate
High FP
Potential Base64 Encoded User-Agent
Detects User Agent strings that end with an equal sign, which can be a sign of base64 encoding.
title: Potential Base64 Encoded User-Agent
id: 894a8613-cf12-48b3-8e57-9085f54aa0c3
related:
    - id: d443095b-a221-4957-a2c4-cd1756c9b747
      type: derived
status: test
description: Detects User Agent strings that end with an equal sign, which can be a sign of base64 encoding.
references:
    - https://blogs.jpcert.or.jp/en/2022/07/yamabot.html
    - https://deviceatlas.com/blog/list-of-user-agent-strings#desktop
author: Florian Roth (Nextron Systems), Brian Ingram (update)
date: 2022-07-08
modified: 2023-05-04
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
        c-useragent|endswith: '='
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Strong
Medium FP
Potential Binary Or Script Dropper Via PowerShell
Detects PowerShell creating a binary executable or a script file.
title: Potential Binary Or Script Dropper Via PowerShell
id: 7047d730-036f-4f40-b9d8-1c63e36d5e62
status: test
description: Detects PowerShell creating a binary executable or a script file.
references:
    - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-17
modified: 2025-07-04
tags:
    - attack.persistence
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\powershell_ise.exe'
            - '\pwsh.exe'
        TargetFilename|endswith:
            - '.bat'
            - '.chm'
            - '.cmd'
            - '.com'
            - '.dll'
            - '.exe'
            - '.hta'
            - '.jar'
            - '.js'
            - '.ocx'
            - '.scr'
            - '.sys'
            - '.vbe'
            - '.vbs'
            - '.wsf'
    filter_main_user_temp:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains: '\AppData\Local\Temp\'
        TargetFilename|endswith:
            - '.dll'
            - '.exe'
    filter_main_other_temp:
        # Example: C:\Windows\Temp\0DA9758B-4649-4969-9409-5CBDF193FB53\TransmogProvider.dll
        TargetFilename|startswith:
            - 'C:\Windows\Temp\'
            - 'C:\Windows\SystemTemp\'
        TargetFilename|endswith:
            - '.dll'
            - '.exe'
    filter_main_powershell_module:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains: '\WindowsPowerShell\Modules\' # C:\Users\xxxx\Documents\WindowsPowerShell\Modules\powershell-yaml\0.4.12\lib\net47\PowerShellYamlSerializer.dll
        TargetFilename|endswith: '.dll'
    filter_main_nuget:
        TargetFilename|startswith: 'C:\Program Files\PackageManagement\ProviderAssemblies\nuget\'
        TargetFilename|endswith: '\Microsoft.PackageManagement.NuGetProvider.dll'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - False positives will differ depending on the environment and scripts used. Apply additional filters accordingly.
level: medium
medium
Strong
High FP
Potential Binary Proxy Execution Via Cdb.EXE
Detects usage of "cdb.exe" to launch arbitrary processes or commands from a debugger script file
title: Potential Binary Proxy Execution Via Cdb.EXE
id: b5c7395f-e501-4a08-94d4-57fe7a9da9d2
status: test
description: Detects usage of "cdb.exe" to launch arbitrary processes or commands from a debugger script file
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/
    - https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
    - https://twitter.com/nas_bench/status/1534957360032120833
author: Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2019-10-26
modified: 2024-04-22
tags:
    - attack.execution
    - attack.stealth
    - attack.t1106
    - attack.t1218
    - attack.t1127
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\cdb.exe'
        - OriginalFileName: 'CDB.Exe'
    selection_cli:
        CommandLine|contains:
            - ' -c ' # Using a debugger script
            - ' -cf '
    condition: all of selection*
falsepositives:
    - Legitimate use of debugging tools
level: medium
medium
Strong
Medium FP
Potential Binary Proxy Execution Via VSDiagnostics.EXE
Detects execution of "VSDiagnostics.exe" with the "start" command in order to launch and proxy arbitrary binaries.
title: Potential Binary Proxy Execution Via VSDiagnostics.EXE
id: ac1c92b4-ac81-405a-9978-4604d78cc47e
status: test
description: Detects execution of "VSDiagnostics.exe" with the "start" command in order to launch and proxy arbitrary binaries.
references:
    - https://twitter.com/0xBoku/status/1679200664013135872
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-03
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\VSDiagnostics.exe'
        - OriginalFileName: 'VSDiagnostics.exe'
    selection_cli_start:
        CommandLine|contains: 'start'
    selection_cli_launch:
        CommandLine|contains:
            - ' /launch:'
            - ' -launch:'
    condition: all of selection_*
falsepositives:
    - Legitimate usage for tracing and diagnostics purposes
level: medium
medium
Moderate
High FP
Potential Browser Data Stealing
Adversaries may acquire credentials from web browsers by reading files specific to the target browser.
Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.
Web browsers typically store the credentials in an encrypted format within a credential store.
title: Potential Browser Data Stealing
id: 47147b5b-9e17-4d76-b8d2-7bac24c5ce1b
related:
    - id: fc028194-969d-4122-8abe-0470d5b8f12f
      type: derived
status: test
description: |
    Adversaries may acquire credentials from web browsers by reading files specific to the target browser.
    Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.
    Web browsers typically store the credentials in an encrypted format within a credential store.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md
    - https://www.cisa.gov/sites/default/files/2024-04/aa24-109a-stopransomware-akira-ransomware_2.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-23
modified: 2025-03-19
tags:
    - attack.credential-access
    - attack.t1555.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_cmd:
        - CommandLine|contains:
            - 'copy-item'
            - 'copy '
            - 'cpi '
            - ' cp '
            - 'move '
            - 'move-item'
            - ' mi '
            - ' mv '
        - Image|endswith:
            - '\esentutl.exe' # akira ransomware
            - '\xcopy.exe'
            - '\robocopy.exe'
        - OriginalFileName:
            - 'esentutl.exe'
            - 'XCOPY.EXE'
            - 'robocopy.exe'
    selection_path:
        CommandLine|contains:
            - '\Amigo\User Data'
            - '\BraveSoftware\Brave-Browser\User Data'
            - '\CentBrowser\User Data'
            - '\Chromium\User Data'
            - '\CocCoc\Browser\User Data'
            - '\Comodo\Dragon\User Data'
            - '\Elements Browser\User Data'
            - '\Epic Privacy Browser\User Data'
            - '\Google\Chrome Beta\User Data'
            - '\Google\Chrome SxS\User Data'
            - '\Google\Chrome\User Data\'
            - '\Kometa\User Data'
            - '\Maxthon5\Users'
            - '\Microsoft\Edge\User Data'
            - '\Mozilla\Firefox\Profiles'
            - '\Nichrome\User Data'
            - '\Opera Software\Opera GX Stable\'
            - '\Opera Software\Opera Neon\User Data'
            - '\Opera Software\Opera Stable\'
            - '\Orbitum\User Data'
            - '\QIP Surf\User Data'
            - '\Sputnik\User Data'
            - '\Torch\User Data'
            - '\uCozMedia\Uran\User Data'
            - '\Vivaldi\User Data'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
Strong
Medium FP
Potential CCleanerDU.DLL Sideloading
Detects potential DLL sideloading of "CCleanerDU.dll"
title: Potential CCleanerDU.DLL Sideloading
id: 1fbc0671-5596-4e17-8682-f020a0b995dc
status: test
description: Detects potential DLL sideloading of "CCleanerDU.dll"
references:
    - https://lab52.io/blog/2344-2/
author: X__Junior (Nextron Systems)
date: 2023-07-13
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\CCleanerDU.dll'
    filter_main_path:
        Image|startswith:
            - 'C:\Program Files\CCleaner\'
            - 'C:\Program Files (x86)\CCleaner\'
        Image|endswith:
            - '\CCleaner.exe'
            - '\CCleaner64.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - False positives could occur from other custom installation paths. Apply additional filters accordingly.
level: medium
medium
Strong
Medium FP
Potential CCleanerReactivator.DLL Sideloading
Detects potential DLL sideloading of "CCleanerReactivator.dll"
title: Potential CCleanerReactivator.DLL Sideloading
id: 3735d5ac-d770-4da0-99ff-156b180bc600
status: test
description: Detects potential DLL sideloading of "CCleanerReactivator.dll"
references:
    - https://lab52.io/blog/2344-2/
author: X__Junior
date: 2023-07-13
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\CCleanerReactivator.dll'
    filter_main_path:
        Image|startswith:
            - 'C:\Program Files\CCleaner\'
            - 'C:\Program Files (x86)\CCleaner\'
        Image|endswith: '\CCleanerReactivator.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - False positives could occur from other custom installation paths. Apply additional filters accordingly.
level: medium
medium
Moderate
High FP
Potential COM Object Hijacking Via TreatAs Subkey - Registry
Detects COM object hijacking via TreatAs subkey
title: Potential COM Object Hijacking Via TreatAs Subkey - Registry
id: 9b0f8a61-91b2-464f-aceb-0527e0a45020
status: test
description: Detects COM object hijacking via TreatAs subkey
references:
    - https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
author: Kutepov Anton, oscd.community
date: 2019-10-23
modified: 2025-10-26
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.015
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains|all:
            - 'HKU\'
            - 'Classes\CLSID\'
            - '\TreatAs'
    filter_main_svchost:
        # Example of target object by svchost
        # TargetObject: HKU\S-1-5-21-1098798288-3663759343-897484398-1001_Classes\CLSID\{0003000A-0000-0000-C000-000000000046}\TreatAs
        Image: 'C:\WINDOWS\system32\svchost.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Some system utilities may, in rare cases, use linking keys for backward compatibility
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_persistence_com_key_linking/info.yml
simulation:
    - type: atomic-red-team
      name: COM hijacking via TreatAs
      technique: T1546.015
      atomic_guid: 33eacead-f117-4863-8eb0-5c6304fbfaa9
medium
Moderate
High FP
Potential COM Objects Download Cradles Usage - PS Script
Detects usage of COM objects that can be abused to download files in PowerShell by CLSID
title: Potential COM Objects Download Cradles Usage - PS Script
id: 3c7d1587-3b13-439f-9941-7d14313dbdfe
related:
    - id: 02b64f1b-3f33-4e67-aede-ef3b0a5a8fcf
      type: similar
status: test
description: Detects usage of COM objects that can be abused to download files in PowerShell by CLSID
references:
    - https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57
author: frack113
date: 2022-12-25
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    product: windows
    category: ps_script
    definition: Script Block Logging must be enabled
detection:
    selection_1:
        ScriptBlockText|contains: '[Type]::GetTypeFromCLSID('
    selection_2:
        ScriptBlockText|contains:
            - '0002DF01-0000-0000-C000-000000000046'
            - 'F6D90F16-9C73-11D3-B32E-00C04F990BB4'
            - 'F5078F35-C551-11D3-89B9-0000F81FE221'
            - '88d96a0a-f192-11d4-a65f-0040963251e5'
            - 'AFBA6B42-5692-48EA-8141-DC517DCF0EF1'
            - 'AFB40FFD-B609-40A3-9828-F88BBE11E4E3'
            - '88d96a0b-f192-11d4-a65f-0040963251e5'
            - '2087c2f4-2cef-4953-a8ab-66779b670495'
            - '000209FF-0000-0000-C000-000000000046'
            - '00024500-0000-0000-C000-000000000046'
    condition: all of selection_*
falsepositives:
    - Legitimate use of the library
level: medium
medium
Moderate
High FP
Potential COM Objects Download Cradles Usage - Process Creation
Detects usage of COM objects that can be abused to download files in PowerShell by CLSID
title: Potential COM Objects Download Cradles Usage - Process Creation
id: 02b64f1b-3f33-4e67-aede-ef3b0a5a8fcf
related:
    - id: 3c7d1587-3b13-439f-9941-7d14313dbdfe
      type: similar
status: test
description: Detects usage of COM objects that can be abused to download files in PowerShell by CLSID
references:
    - https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57
author: frack113
date: 2022-12-25
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    product: windows
    category: process_creation
detection:
    selection_1:
        CommandLine|contains: '[Type]::GetTypeFromCLSID('
    selection_2:
        CommandLine|contains:
            - '0002DF01-0000-0000-C000-000000000046'
            - 'F6D90F16-9C73-11D3-B32E-00C04F990BB4'
            - 'F5078F35-C551-11D3-89B9-0000F81FE221'
            - '88d96a0a-f192-11d4-a65f-0040963251e5'
            - 'AFBA6B42-5692-48EA-8141-DC517DCF0EF1'
            - 'AFB40FFD-B609-40A3-9828-F88BBE11E4E3'
            - '88d96a0b-f192-11d4-a65f-0040963251e5'
            - '2087c2f4-2cef-4953-a8ab-66779b670495'
            - '000209FF-0000-0000-C000-000000000046'
            - '00024500-0000-0000-C000-000000000046'
    condition: all of selection_*
falsepositives:
    - Legitimate use of the library
level: medium
medium
Strong
Medium FP
Potential CVE-2021-27905 Exploitation Attempt
Detects an exploitation attempt of CVE-2021-27905, which affects all Apache Solr versions up to and including 8.8.1.
title: Potential CVE-2021-27905 Exploitation Attempt
id: 0bbcd74b-0596-41a4-94a0-4e88a76ffdb3
status: test
description: Detects an exploitation attempt of CVE-2021-27905, which affects all Apache Solr versions up to and including 8.8.1.
references:
    - https://twitter.com/Al1ex4/status/1382981479727128580
    - https://twitter.com/sec715/status/1373472323538362371
    - https://nsfocusglobal.com/apache-solr-arbitrary-file-read-and-ssrf-vulnerability-threat-alert/
    - https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247484117&idx=1&sn=2fdab8cbe4b873f8dd8abb35d935d186
    - https://github.com/murataydemir/CVE-2021-27905
author: '@gott_cyber'
date: 2022-12-11
modified: 2023-03-24
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2021-27905
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection_request1:
        cs-uri-query|contains|all:
            - '/solr/'
            - '/debug/dump?'
            - 'param=ContentStream'
        sc-status: 200
    selection_request2:
        cs-method: 'GET'
        cs-uri-query|contains|all:
            - '/solr/'
            - 'command=fetchindex'
            - 'masterUrl='
        sc-status: 200
    condition: 1 of selection_*
falsepositives:
    - Vulnerability Scanners
level: medium
medium
Moderate
Low FP
Potential CVE-2021-42278 Exploitation Attempt
The attacker creates a computer object using those permissions with a password known to her.
After that she clears the ServicePrincipalName attribute on the computer object.
Because she created the object (CREATOR OWNER), she is granted additional permissions and can make many changes to the object.
title: Potential CVE-2021-42278 Exploitation Attempt
id: 44bbff3e-4ca3-452d-a49a-6efa4cafa06f
related:
    - id: e80a0fee-1a62-4419-b31e-0d0db6e6013a
      type: similar
status: test
description: |
    The attacker creates a computer object using those permissions with a password known to her.
    After that she clears the ServicePrincipalName attribute on the computer object.
    Because she created the object (CREATOR OWNER), she is granted additional permissions and can make many changes to the object.
references:
    - https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/
author: frack113
date: 2021-12-15
modified: 2023-04-14
tags:
    - attack.credential-access
    - attack.t1558.003
    - cve.2021-42278
    - detection.emerging-threats
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Microsoft-Windows-Kerberos-Key-Distribution-Center' # Active Directory
        EventID:
            - 35 # PAC without attributes
            - 36 # Ticket without a PAC
            - 37 # Ticket without Requestor
            - 38 # Requestor Mismatch
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Moderate
Low FP
Potential CVE-2021-42287 Exploitation Attempt
The attacker creates a computer object using those permissions with a password known to her.
After that she clears the ServicePrincipalName attribute on the computer object.
Because she created the object (CREATOR OWNER), she is granted additional permissions and can make many changes to the object.
title: Potential CVE-2021-42287 Exploitation Attempt
id: e80a0fee-1a62-4419-b31e-0d0db6e6013a
related:
    - id: 44bbff3e-4ca3-452d-a49a-6efa4cafa06f
      type: similar
status: test
description: |
    The attacker creates a computer object using those permissions with a password known to her.
    After that she clears the ServicePrincipalName attribute on the computer object.
    Because she created the object (CREATOR OWNER), she is granted additional permissions and can make many changes to the object.
references:
    - https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/
author: frack113
date: 2021-12-15
modified: 2023-04-14
tags:
    - attack.credential-access
    - attack.t1558.003
    - detection.emerging-threats
    - cve.2021-42287
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: Microsoft-Windows-Directory-Services-SAM # Active Directory
        EventID:
            - 16990 # Object class and UserAccountControl validation failure
            - 16991 # SAM Account Name validation failure
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Strong
Medium FP
Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution
Detects potential exploitation attempts of CVE-2022-22954, a remote code execution vulnerability in VMware Workspace ONE Access and Identity Manager.
As reported by Morphisec, as part of the attack chain, threat actors used PowerShell commands that executed as child processes of the legitimate Tomcat "prunsrv.exe" process.
title: Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution
id: 5660d8db-6e25-411f-b92f-094420168a5d
status: test
description: |
    Detects potential exploitation attempts of CVE-2022-22954, a remote code execution vulnerability in VMware Workspace ONE Access and Identity Manager.
    As reported by Morphisec, as part of the attack chain, threat actors used PowerShell commands that executed as child processes of the legitimate Tomcat "prunsrv.exe" process.
references:
    - https://blog.morphisec.com/vmware-identity-manager-attack-backdoor
    - https://github.com/DrorDvash/CVE-2022-22954_VMware_PoC
author: '@kostastsale'
date: 2022-04-25
tags:
    - attack.execution
    - attack.initial-access
    - attack.t1059.006
    - attack.t1190
    - cve.2022-22954
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\prunsrv.exe'
    selection_payload_pwsh:
        Image|endswith: '\powershell.exe'
    selection_payload_cmd:
        Image|endswith: '\cmd.exe'
        CommandLine|contains: '/c powershell'
    condition: selection_parent and 1 of selection_payload_*
falsepositives:
    - Some false positives are possible from custom admin scripts that run cmd.exe as the child process.
level: medium
medium
Moderate
Medium FP
Potential CVE-2023-2283 Exploitation
Detects a potential exploitation attempt of CVE-2023-2283, an authentication bypass in libssh. The exploitation method causes an error message stating that keys for curve25519 could not be generated. This error message is a sign of an exploitation attempt, not of a successful exploitation.
title: Potential CVE-2023-2283 Exploitation
id: 8b244735-5833-4517-a45b-28d8c63924c0
status: test
description: Detects a potential exploitation attempt of CVE-2023-2283, an authentication bypass in libssh. The exploitation method causes an error message stating that keys for curve25519 could not be generated. This error message is a sign of an exploitation attempt, not of a successful exploitation.
references:
    - https://twitter.com/kevin_backhouse/status/1666459308941357056?s=20
    - https://git.libssh.org/projects/libssh.git/tree/src/curve25519.c#n420
    - https://nvd.nist.gov/vuln/detail/CVE-2023-2283
    - https://www.blumira.com/cve-2023-2283/
    - https://github.com/github/securitylab/tree/1786eaae7f90d87ce633c46bbaa0691d2f9bf449/SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283
author: Florian Roth (Nextron Systems)
date: 2023-06-09
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2023-2283
    - detection.emerging-threats
logsource:
    product: linux
    service: sshd
detection:
    keywords:
        - 'Failed to generate curve25519 keys'
    condition: keywords
falsepositives:
    - Errors with the initialization or generation of the X25519 elliptic curve keys may generate the same error message
level: medium
medium
Moderate
Medium FP
Potential CVE-2023-23397 Exploitation Attempt - SMB
Detects (failed) outbound connection attempts to internet facing SMB servers. This could be a sign of potential exploitation attempts of CVE-2023-23397.
title: Potential CVE-2023-23397 Exploitation Attempt - SMB
id: de96b824-02b0-4241-9356-7e9b47f04bac
status: test
description: Detects (failed) outbound connection attempts to internet facing SMB servers. This could be a sign of potential exploitation attempts of CVE-2023-23397.
references:
    - https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/
    - https://github.com/nasbench/Misc-Research/blob/fc46f6da34ff7e0076da28fd3e66d6e1100f1c2f/ETW/Microsoft-Windows-SMBClient.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-05
modified: 2025-10-13
tags:
    - attack.exfiltration
    - cve.2023-23397
    - detection.emerging-threats
logsource:
    product: windows
    service: smbclient-connectivity
detection:
    selection:
        # Author Note: You could adapt this rule to use the "ServerName" field and uncomment the commented EventIDs.
        # But you need to provide your own filter for "trusted server names"
        EventID:
            # - 30800 # The server name cannot be resolved. (Doesn't contain the "ServerAddress" field)
            - 30803 # Failed to establish a network connection.
            - 30804 # A network connection was disconnected.
            - 30806 # The client re-established its session to the server.
            # - 31001 # Error (Doesn't contain the "ServerAddress" field)
    filter_main_local_ips:
        - ServerAddress|cidr:
            # IPv4
            - '10.0.0.0/8'
            - '127.0.0.0/8'
            - '169.254.0.0/16'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            # IPv6
            - '::1/128' # IPv6 loopback
            - 'fe80::/10' # IPv6 link-local addresses
            - 'fc00::/7' # IPv6 private addresses
        - Address|startswith:
            # This is for EventID 30804, which doesn't have the "ServerAddress" field but a field called "Address"
            # that contains a socket address (IP:Port) and not an IP
            # IPv4
            - '10.'
            - '127.'
            - '169.254.'
            - '172.'
            - '192.168.'
            # IPv6
            - '::1'
            - 'fe80::'
            - 'fc00::'
        # The filters below cover the XML raw log
        - Address|contains:
            # IPv6
            - '00000000000000000000000000000001' # ::1 - IPv6 loopback
            - 'FE80000000000000' # fe80:: - IPv6 link-local addresses
            - 'FC00000000000000' # fc00:: - IPv6 private addresses
            # IPv4
            # The "?" are meant to represent the port
            - '0200????C0A8' # 192.168.
            - '0200????AC' # 172.
            - '0200????0A' # 10.
            - '0200????7F' # 127.
            - '0200????A9FE' # 169.254.
        - ServerAddress|contains:
            # IPv6
            - '00000000000000000000000000000001' # ::1 - IPv6 loopback
            - 'FE80000000000000' # fe80:: - IPv6 link-local addresses
            - 'FC00000000000000' # fc00:: - IPv6 private addresses
            # IPv4
            # The "?" are meant to represent the port
            - '0200????C0A8' # 192.168.
            - '0200????AC' # 172.
            - '0200????0A' # 10.
            - '0200????7F' # 127.
            - '0200????A9FE' # 169.254.
        - RemoteAddress|contains:
            # IPv6
            - '00000000000000000000000000000001' # ::1 - IPv6 loopback
            - 'FE80000000000000' # fe80:: - IPv6 link-local addresses
            - 'FC00000000000000' # fc00:: - IPv6 private addresses
            # IPv4
            # The "?" are meant to represent the port
            - '0200????C0A8' # 192.168.
            - '0200????AC' # 172.
            - '0200????0A' # 10.
            - '0200????7F' # 127.
            - '0200????A9FE' # 169.254.
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Some false positives may occur from external trusted servers. Apply additional filters accordingly.
level: medium
medium
Moderate
Medium FP
Potential CVE-2023-27997 Exploitation Indicators
Detects indicators of potential exploitation of CVE-2023-27997 in Fortigate web logs.
To avoid false positives, it is best to look for successive requests to the endpoints mentioned as well as unusual values of the "enc" parameter.
title: Potential CVE-2023-27997 Exploitation Indicators
id: 31e4e649-7394-4fd2-9ae7-dbc61eebb550
status: test
description: |
    Detects indicators of potential exploitation of CVE-2023-27997 in Fortigate web logs.
    To avoid false positives, it is best to look for successive requests to the endpoints mentioned as well as unusual values of the "enc" parameter.
references:
    - https://blog.lexfo.fr/Forensics-xortigate-notice.html
    - https://blog.lexfo.fr/xortigate-cve-2023-27997.html
    - https://research.kudelskisecurity.com/2023/06/12/cve-2023-27997-fortigate-ssl-vpn/
    - https://labs.watchtowr.com/xortigate-or-cve-2023-27997/
author: Sergio Palacios Dominguez, Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-28
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2023-27997
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection_uri:
        cs-method:
            - 'GET'
            - 'POST'
        cs-uri-query|contains:
            - '/remote/hostcheck_validate'
            - '/remote/logincheck'
    selection_keywords:
        - 'enc='
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
Moderate
Medium FP
Potential CVE-2023-36874 Exploitation - Uncommon Report.Wer Location
Detects the creation of a "Report.wer" file in an uncommon folder structure. This could be a sign of potential exploitation of CVE-2023-36874.
title: Potential CVE-2023-36874 Exploitation - Uncommon Report.Wer Location
id: 92389a99-5215-43b0-a09f-e334453b2ed3
status: test
description: Detects the creation of a "Report.wer" file in an uncommon folder structure. This could be a sign of potential exploitation of CVE-2023-36874.
references:
    - https://github.com/Wh04m1001/CVE-2023-36874
    - https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-23
tags:
    - attack.execution
    - cve.2023-36874
    - detection.emerging-threats
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains: ':\ProgramData\Microsoft\Windows\WER\ReportArchive\'
        TargetFilename|endswith: '\Report.wer'
    filter_main_locations:
        TargetFilename|contains:
            # Note: This list is non exhaustive. Use it as a starting point for hunting for suspicious report folders
            - '\ReportArchive\AppCrash_'
            - '\ReportArchive\AppHang_'
            - '\ReportArchive\Critical_'
            - '\ReportArchive\Kernel_'
            - '\ReportArchive\NonCritical_'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
medium
Moderate
Medium FP
Potential CVE-2023-36884 Exploitation - File Downloads
Detects files seen being requested by RomCom while potentially exploiting CVE-2023-36884.
title: Potential CVE-2023-36884 Exploitation - File Downloads
id: 6af1617f-c179-47e3-bd66-b28034a1052d
status: test
description: Detects files seen being requested by RomCom while potentially exploiting CVE-2023-36884
references:
    - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
author: X__Junior
date: 2023-07-12
tags:
    - attack.command-and-control
    - cve.2023-36884
    - detection.emerging-threats
logsource:
    category: proxy
detection:
    selection:
        cs-method: 'GET'
        c-uri|contains:
            - '/ex001.url'
            - '/file001.search-ms'
            - '/file001.url'
            - '/file001.vbs'
            - '/file1.mht'
            - '/o2010.asp'
            - '/redir_obj.html'
            - '/RFile.asp'
            - '/zip_k.asp'
            - '/zip_k2.asp'
            - '/zip_k3.asp'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Moderate
High FP
Potential CVE-2023-36884 Exploitation Dropped File
Detects a specific file being created in the Office "Recent" folder. Such files have been seen being dropped during potential exploitation of CVE-2023-36884.
title: Potential CVE-2023-36884 Exploitation Dropped File
id: 8023d3a2-dcdc-44da-8fa9-5c7906e55b38
status: test
description: Detects a specific file being created in the recent folder of Office. These files have been seen being dropped during potential exploitations of CVE-2023-36884
references:
    - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
    - https://twitter.com/wdormann/status/1679184475677130755
    - https://twitter.com/r00tbsd/status/1679042071477338114/photo/1
author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
date: 2023-07-13
tags:
    - attack.persistence
    - cve.2023-36884
    - detection.emerging-threats
    - attack.stealth
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains: '\AppData\Roaming\Microsoft\Office\Recent\'
        TargetFilename|endswith: '\file001.url'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Moderate
Medium FP
Potential CVE-2023-46214 Exploitation Attempt
Detects potential exploitation of CVE-2023-46214, a remote code execution (RCE) vulnerability in Splunk Enterprise caused by insecure XML parsing.
title: Potential CVE-2023-46214 Exploitation Attempt
id: 04017cd5-621e-4ec4-a762-1f042fe3d3e5
related:
    - id: ba5268de-4dd4-4d5c-8a90-2b5e6dc1aff8
      type: derived
status: test
description: |
    Detects potential exploitation of CVE-2023-46214, a remote code execution (RCE) in Splunk Enterprise through insecure XML parsing
references:
    - https://github.com/nathan31337/Splunk-RCE-poc/
    - https://blog.hrncirik.net/cve-2023-46214-analysis
    - https://advisory.splunk.com/advisories/SVD-2023-1104
author: Nasreddine Bencherchali (Nextron Systems), Bhavin Patel (STRT)
date: 2023-11-27
tags:
    - attack.lateral-movement
    - attack.t1210
    - cve.2023-46214
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection:
        cs-method: POST
        cs-uri-query|contains|all:
            - 'NO_BINARY_CHECK=1'
            - 'input.path'
        cs-uri-query|endswith: '.xsl'
        sc-status:
            - 200
            - 302
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Moderate
Medium FP
Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - File Creation
Detects suspicious file creations in the Palo Alto Networks PAN-OS' parent telemetry folder, which are processed by the vulnerable 'dt_curl' script if device telemetry is enabled.
As said script overrides the shell-subprocess restriction, arbitrary command execution may occur by carefully crafting filenames that are escaped through this function.
title: Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - File Creation
id: bcd95697-e3e7-4c6f-8584-8e3503e6929f
status: test
description: |
    Detects suspicious file creations in the Palo Alto Networks PAN-OS' parent telemetry folder, which are processed by the vulnerable 'dt_curl' script if device telemetry is enabled.
    As said script overrides the shell-subprocess restriction, arbitrary command execution may occur by carefully crafting filenames that are escaped through this function.
references:
    - https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/
    - https://nvd.nist.gov/vuln/detail/CVE-2024-3400
author: Andreas Braathen (mnemonic.io)
date: 2024-04-25
tags:
    - attack.execution
    - cve.2024-3400
    - detection.emerging-threats
logsource:
    product: paloalto
    service: globalprotect
    category: file_event
    definition: 'Requirements: file creation events need to be ingested from the Palo Alto GlobalProtect appliance'
detection:
    selection:
        TargetFilename|contains:
            - '{IFS}'
            - 'base64'
            - 'bash'
            - 'curl'
            - 'http'
        TargetFilename|startswith: '/opt/panlogs/tmp/device_telemetry/'
    condition: selection
falsepositives:
    - The PAN-OS device telemetry function does not enforce a standard filename convention, but observations are unlikely.
level: medium
medium
Strong
Medium FP
Potential CVE-2024-35250 Exploitation Activity
Detects potentially suspicious loading of "ksproxy.ax", which may indicate an attempt to exploit CVE-2024-35250.
title: Potential CVE-2024-35250 Exploitation Activity
id: 17ce9373-2163-4a2c-90ba-f91e9ef7a8c1
status: experimental
description: |
    Detects potentially suspicious loading of "ksproxy.ax", which may indicate an attempt to exploit CVE-2024-35250.
references:
    - https://thehackernews.com/2024/12/cisa-and-fbi-raise-alerts-on-exploited.html
    - https://github.com/varwara/CVE-2024-35250
    - https://devco.re/blog/2024/08/23/streaming-vulnerabilities-from-windows-kernel-proxying-to-kernel-part1-en/
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
author: '@eyezuhk Isaac Fernandes'
date: 2025-02-19
tags:
    - attack.privilege-escalation
    - attack.t1068
    - cve.2024-35250
    - detection.emerging-threats
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\ksproxy.ax'
    filter_main_system_paths:
        Image|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    filter_optional_teams:
        Image|endswith: '\AppData\Local\Microsoft\Teams\current\Teams.exe'
    filter_optional_zoom:
        Image|endswith: '\AppData\Roaming\Zoom\bin\Zoom.exe'
    filter_optional_firefox:
        Image|endswith: '\AppData\Local\Mozilla Firefox\firefox.exe'
    filter_optional_chrome:
        Image|endswith: '\AppData\Local\Google\Chrome\Application\chrome.exe'
    filter_optional_opera:
        Image|endswith: '\AppData\Local\Programs\Opera\opera.exe'
    filter_optional_discord:
        Image|endswith: '\AppData\Local\Discord\app-*\Discord.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate applications that use Windows Stream Interface APIs.
    - Media applications that use DirectShow filters.
level: medium
medium
Moderate
Medium FP
Potential Chrome Frame Helper DLL Sideloading
Detects potential DLL sideloading of "chrome_frame_helper.dll"
title: Potential Chrome Frame Helper DLL Sideloading
id: 72ca7c75-bf85-45cd-aca7-255d360e423c
status: test
description: Detects potential DLL sideloading of "chrome_frame_helper.dll"
references:
    - https://hijacklibs.net/entries/3rd_party/google/chrome_frame_helper.html
author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
date: 2022-08-17
modified: 2023-05-15
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\chrome_frame_helper.dll'
    filter_main_path:
        ImageLoaded|startswith:
            - 'C:\Program Files\Google\Chrome\Application\'
            - 'C:\Program Files (x86)\Google\Chrome\Application\'
    filter_optional_user_path:
        ImageLoaded|contains: '\AppData\local\Google\Chrome\Application\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
medium
Strong
Medium FP
Potential Command Line Path Traversal Evasion Attempt
Detects potential evasion or obfuscation attempts that use bogus path traversal sequences in the command line.
title: Potential Command Line Path Traversal Evasion Attempt
id: 1327381e-6ab0-4f38-b583-4c1b8346a56b
status: test
description: Detects potential evasion or obfuscation attempts using bogus path traversal via the commandline
references:
    - https://twitter.com/hexacorn/status/1448037865435320323
    - https://twitter.com/Gal_B1t/status/1062971006078345217
author: Christian Burkard (Nextron Systems)
date: 2021-10-26
modified: 2023-03-29
tags:
    - attack.stealth
    - attack.t1036
logsource:
    category: process_creation
    product: windows
detection:
    selection_1:
        Image|contains: '\Windows\'
        CommandLine|contains:
            - '\..\Windows\'
            - '\..\System32\'
            - '\..\..\'
    selection_2:
        CommandLine|contains: '.exe\..\'
    filter_optional_google_drive:
        CommandLine|contains: '\Google\Drive\googledrivesync.exe\..\'
    filter_optional_citrix:
        CommandLine|contains: '\Citrix\Virtual Smart Card\Citrix.Authentication.VirtualSmartcard.Launcher.exe\..\'
    condition: 1 of selection_* and not 1 of filter_optional_*
falsepositives:
    - Google Drive
    - Citrix
level: medium
medium
Moderate
High FP
Potential CommandLine Obfuscation Using Unicode Characters
Detects potential command-line obfuscation using Unicode characters.
Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
title: Potential CommandLine Obfuscation Using Unicode Characters
id: e0552b19-5a83-4222-b141-b36184bb8d79
related:
    - id: 584bca0f-3608-4402-80fd-4075ff6072e3
      type: similar
    - id: ad691d92-15f2-4181-9aa4-723c74f9ddc3 # RTLO
      type: similar
    - id: 2c0d2d7b-30d6-4d14-9751-7b9113042ab9
      type: obsolete
status: test
description: |
    Detects potential CommandLine obfuscation using unicode characters.
    Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
references:
    - https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http
author: frack113, Florian Roth (Nextron Systems)
date: 2022-01-15
modified: 2024-09-05
tags:
    - attack.stealth
    - attack.t1027
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            # Spacing modifier letters that get auto-replaced
            - 'ˣ' # 0x02E3
            - '˪' # 0x02EA
            - 'ˢ' # 0x02E2
            # Forward slash alternatives
            - '∕' # 0x22FF
            - '⁄' # 0x206F
            # Hyphen alternatives
            - '―' # 0x2015
            - '—' # 0x2014
            # Whitespace that does not work as a path separator
            - ' ' # 0x00A0
            # Other
            - '¯'
            - '®'
            - '¶'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Moderate
High FP
Potential Commandline Obfuscation Using Escape Characters
Detects potential command-line obfuscation using known escape characters.
title: Potential Commandline Obfuscation Using Escape Characters
id: f0cdd048-82dc-4f7a-8a7a-b87a52b6d0fd
status: test
description: Detects potential commandline obfuscation using known escape characters
references:
    - https://twitter.com/vysecurity/status/885545634958385153
    - https://twitter.com/Hexacorn/status/885553465417756673 # Dead link
    - https://twitter.com/Hexacorn/status/885570278637678592 # Dead link
    - https://www.mandiant.com/resources/blog/obfuscation-wild-targeted-attackers-lead-way-evasion-techniques
    - https://web.archive.org/web/20190213114956/http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/
author: juju4
date: 2018-12-11
modified: 2023-03-03
tags:
    - attack.stealth
    - attack.t1140
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            # - <TAB> # no TAB modifier in sigmac yet, so this matches <TAB> (or TAB in elasticsearch backends without DSL queries)
            - 'h^t^t^p'
            - 'h"t"t"p'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Strong
Medium FP
Potential Configuration And Service Reconnaissance Via Reg.EXE
Detects the usage of "reg.exe" in order to query reconnaissance information from the registry. Adversaries may interact with the Windows registry to gather information about credentials, the system, configuration, and installed software.
title: Potential Configuration And Service Reconnaissance Via Reg.EXE
id: 970007b7-ce32-49d0-a4a4-fbef016950bd
status: test
description: Detects the usage of "reg.exe" in order to query reconnaissance information from the registry. Adversaries may interact with the Windows registry to gather information about credentials, the system, configuration, and installed software.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1012/T1012.md
author: Timur Zinniatullin, oscd.community
date: 2019-10-21
modified: 2023-02-05
tags:
    - attack.discovery
    - attack.t1012
    - attack.t1007
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_flag:
        CommandLine|contains: 'query'
    selection_key:
        CommandLine|contains:
            - 'currentVersion\windows'
            - 'winlogon\'
            - 'currentVersion\shellServiceObjectDelayLoad'
            - 'currentVersion\run' # Also covers the strings "RunOnce", "RunOnceEx" and "runServicesOnce"
            - 'currentVersion\policies\explorer\run'
            - 'currentcontrolset\services'
    condition: all of selection_*
falsepositives:
    - Discord
level: medium