Tool
EDR / XDR
VMware Carbon Black
1,440 rules · Sigma detections in VMware Carbon Black syntax
The same Sigma detection corpus, machine-rendered into VMware Carbon Black query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 3,646 rules (.zip, 1.2 MB)
Every VMware Carbon Black query in this view, packaged to deploy.
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance12
Resource Development10
Initial Access10
Execution30
Persistence42
Privilege Escalation20
Stealth79
Defense Impairment32
Credential Access35
Discovery33
Lateral Movement16
Collection20
Command and Control24
Exfiltration10
Impact18
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
◈
Detection rules
50 shown of 1,440
medium
Strong
Medium FP
Potential Malicious AppX Package Installation Attempts
Detects potential installation or installation attempts of known malicious appx packages
view Sigma YAML
title: Potential Malicious AppX Package Installation Attempts
id: 09d3b48b-be17-47f5-bf4e-94e7e75d09ce
status: test
description: Detects potential installation or installation attempts of known malicious appx packages
references:
- https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
- https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
- https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-11
modified: 2023-01-12
tags:
- attack.stealth
logsource:
product: windows
service: appxdeployment-server
detection:
selection:
EventID:
- 400
- 401
# Add more malicious package names
# TODO: Investigate the packages here https://github.com/sophoslabs/IoCs/blob/master/Troj-BazarBackdoor.csv based on this report https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
PackageFullName|contains: '3669e262-ec02-4e9d-bcb4-3d008b4afac9'
condition: selection
falsepositives:
- Rare occasions where a malicious package uses the exact same name and version as a legitimate application.
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential Memory Dumping Activity Via LiveKD
Detects execution of LiveKD based on PE metadata or image name
view Sigma YAML
title: Potential Memory Dumping Activity Via LiveKD
id: a85f7765-698a-4088-afa0-ecfbf8d01fa4
status: test
description: Detects execution of LiveKD based on PE metadata or image name
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/livekd
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-15
tags:
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith:
- '\livekd.exe'
- '\livekd64.exe'
- OriginalFileName: 'livekd.exe'
condition: selection
falsepositives:
- Administration and debugging activity (must be investigated)
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential Mfdetours.DLL Sideloading
Detects potential DLL sideloading of "mfdetours.dll". While using "mftrace.exe" it can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.
view Sigma YAML
title: Potential Mfdetours.DLL Sideloading
id: d2605a99-2218-4894-8fd3-2afb7946514d
status: test
description: Detects potential DLL sideloading of "mfdetours.dll". While using "mftrace.exe" it can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-03
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\mfdetours.dll'
filter_main_legit_path:
ImageLoaded|contains: ':\Program Files (x86)\Windows Kits\10\bin\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unlikely
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential Mftrace.EXE Abuse
Detects child processes of the "Trace log generation tool for Media Foundation Tools" (Mftrace.exe) which can abused to execute arbitrary binaries.
view Sigma YAML
title: Potential Mftrace.EXE Abuse
id: 3d48c9d3-1aa6-418d-98d3-8fd3c01a564e
status: test
description: Detects child processes of the "Trace log generation tool for Media Foundation Tools" (Mftrace.exe) which can abused to execute arbitrary binaries.
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Mftrace/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-09
modified: 2023-08-03
tags:
- attack.execution
- attack.stealth
- attack.t1127
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\mftrace.exe'
condition: selection
falsepositives:
- Legitimate use for tracing purposes
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Potential Network Sniffing Activity Using Network Tools
Detects potential network sniffing via use of network tools such as "tshark", "windump".
Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.
An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
view Sigma YAML
title: Potential Network Sniffing Activity Using Network Tools
id: ba1f7802-adc7-48b4-9ecb-81e227fddfd5
status: test
description: |
Detects potential network sniffing via use of network tools such as "tshark", "windump".
Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.
An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md
author: Timur Zinniatullin, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2019-10-21
modified: 2023-02-20
tags:
- attack.credential-access
- attack.discovery
- attack.t1040
logsource:
category: process_creation
product: windows
detection:
selection_tshark:
Image|endswith: '\tshark.exe'
CommandLine|contains: '-i'
selection_windump:
Image|endswith: '\windump.exe'
condition: 1 of selection_*
falsepositives:
- Legitimate administration activity to troubleshoot network issues
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential Obfuscated Ordinal Call Via Rundll32
Detects execution of "rundll32" with potential obfuscated ordinal calls
view Sigma YAML
title: Potential Obfuscated Ordinal Call Via Rundll32
id: 43fa5350-db63-4b8f-9a01-789a427074e1
status: test
description: Detects execution of "rundll32" with potential obfuscated ordinal calls
references:
- Internal Research
- https://www.youtube.com/watch?v=52tAmVLg1KM&t=2070s
author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2023-05-17
modified: 2025-02-23
tags:
- attack.stealth
- attack.t1027.010
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\rundll32.exe'
- OriginalFileName: 'RUNDLL32.EXE'
- CommandLine|contains: 'rundll32'
selection_cli:
CommandLine|contains:
- '#+'
- '#-'
# ordinal can be represented by adding any number of zeros in front ordinal number, for e.g. 000000024
- '#0'
# ordinal is 16 bit ordinal, so if you make the number large enough (don't fit in 16 bit space), then it normally wraps around.
# for e.g ordinal 24 can be also represented by 65560 (65536+24)
- '#655'
- '#656'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock
Detects the execution of powershell scripts with calls to the "Start-NetEventSession" cmdlet. Which allows an attacker to start event and packet capture for a network event session.
Adversaries may attempt to capture network to gather information over the course of an operation.
Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol.
view Sigma YAML
title: Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock
id: da34e323-1e65-42db-83be-a6725ac2caa3
status: test
description: |
Detects the execution of powershell scripts with calls to the "Start-NetEventSession" cmdlet. Which allows an attacker to start event and packet capture for a network event session.
Adversaries may attempt to capture network to gather information over the course of an operation.
Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing
- https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/7b8935fe4c82cb64d61343de1a8b2e38dd968534/handbooks/10_post_exploitation.md
- https://github.com/forgottentq/powershell/blob/9e616363d497143dc955c4fdce68e5c18d28a6cb/captureWindows-Endpoint.ps1#L13
author: frack113
date: 2024-05-12
tags:
- attack.credential-access
- attack.discovery
- attack.t1040
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains: 'Start-NetEventSession'
condition: selection
falsepositives:
- Legitimate network diagnostic scripts.
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential Password Reconnaissance Via Findstr.EXE
Detects command line usage of "findstr" to search for the "passwords" keyword in a variety of different languages
view Sigma YAML
title: Potential Password Reconnaissance Via Findstr.EXE
id: 1a0f6f16-2099-4753-9a02-43b6ac7a1fa5
status: test
description: Detects command line usage of "findstr" to search for the "passwords" keyword in a variety of different languages
references:
- https://steflan-security.com/windows-privilege-escalation-credential-harvesting/
- https://adsecurity.org/?p=2288
author: Josh Nickels
date: 2023-05-18
tags:
- attack.credential-access
- attack.t1552.001
- detection.threat-hunting
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\findstr.exe'
- OriginalFileName: 'FINDSTR.EXE'
selection_cli:
CommandLine|contains:
- 'contraseña' # Spanish
- 'hasło' # Polish
- 'heslo' # Czech
- 'parola' # Italian
- 'passe' # French
- 'passw' # German, English
- 'senha' # Portuguese
- 'senord' # Swedish
- '密碼' # Cantonese
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
High FP
Potential Password Spraying Attempt Using Dsacls.EXE
Detects possible password spraying attempts using Dsacls
view Sigma YAML
title: Potential Password Spraying Attempt Using Dsacls.EXE
id: bac9fb54-2da7-44e9-988f-11e9a5edbc0c
status: test
description: Detects possible password spraying attempts using Dsacls
references:
- https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone
- https://ss64.com/nt/dsacls.html
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-20
modified: 2023-02-04
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\dsacls.exe'
- OriginalFileName: "DSACLS.EXE"
selection_cli:
CommandLine|contains|all:
- '/user:'
- '/passwd:'
condition: all of selection*
falsepositives:
- Legitimate use of dsacls to bind to an LDAP session
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Potential Peach Sandstorm APT C2 Communication Activity
Detects potential C2 communication activity related to Peach Sandstorm APT
view Sigma YAML
title: Potential Peach Sandstorm APT C2 Communication Activity
id: b8225208-81d0-4715-a822-12bcdd583e0f
status: test
description: Detects potential C2 communication activity related to Peach Sandstorm APT
references:
- https://twitter.com/MsftSecIntel/status/1737895710169628824
- https://www.virustotal.com/gui/file/364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614/details
author: X__Junior (Nextron Systems)
date: 2024-01-15
tags:
- attack.command-and-control
- detection.emerging-threats
logsource:
category: proxy
detection:
selection:
cs-method: 'GET'
c-uri|endswith:
- '/api/Core/Command/Init'
- '/api/Core/Command/Restart'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Potential PendingFileRenameOperations Tampering
Detect changes to the "PendingFileRenameOperations" registry key from uncommon or suspicious images locations to stage currently used files for rename or deletion after reboot.
view Sigma YAML
title: Potential PendingFileRenameOperations Tampering
id: 4eec988f-7bf0-49f1-8675-1e6a510b3a2a
status: test
description: |
Detect changes to the "PendingFileRenameOperations" registry key from uncommon or suspicious images locations to stage currently used files for rename or deletion after reboot.
references:
- https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6
- https://devblogs.microsoft.com/scripting/determine-pending-reboot-statuspowershell-style-part-1/
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960241(v=technet.10)?redirectedfrom=MSDN
- https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html
- https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html
author: frack113
date: 2023-01-27
modified: 2025-10-07
tags:
- attack.stealth
- attack.t1036.003
logsource:
category: registry_set
product: windows
detection:
selection_main:
TargetObject|contains: '\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations'
selection_susp_paths:
Image|contains: '\Users\Public\'
# - '\AppData\Local\Temp\' # Commented out as it's used by legitimate installers
selection_susp_images:
Image|endswith:
- '\reg.exe'
- '\regedit.exe'
condition: selection_main and 1 of selection_susp_*
falsepositives:
- Installers and updaters may set currently in use files for rename or deletion after a reboot.
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential Persistence Attempt Via ErrorHandler.Cmd
Detects creation of a file named "ErrorHandler.cmd" in the "C:\WINDOWS\Setup\Scripts\" directory which could be used as a method of persistence
The content of C:\WINDOWS\Setup\Scripts\ErrorHandler.cmd is read whenever some tools under C:\WINDOWS\System32\oobe\ (e.g. Setup.exe) fail to run for any reason.
view Sigma YAML
title: Potential Persistence Attempt Via ErrorHandler.Cmd
id: 15904280-565c-4b73-9303-3291f964e7f9
status: test
description: |
Detects creation of a file named "ErrorHandler.cmd" in the "C:\WINDOWS\Setup\Scripts\" directory which could be used as a method of persistence
The content of C:\WINDOWS\Setup\Scripts\ErrorHandler.cmd is read whenever some tools under C:\WINDOWS\System32\oobe\ (e.g. Setup.exe) fail to run for any reason.
references:
- https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/
- https://github.com/last-byte/PersistenceSniper
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-09
modified: 2022-12-19
tags:
- attack.persistence
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|endswith: '\WINDOWS\Setup\Scripts\ErrorHandler.cmd'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential Persistence Attempt Via Existing Service Tampering
Detects the modification of an existing service in order to execute an arbitrary payload when the service is started or killed as a potential method for persistence.
view Sigma YAML
title: Potential Persistence Attempt Via Existing Service Tampering
id: 38879043-7e1e-47a9-8d46-6bec88e201df
status: test
description: Detects the modification of an existing service in order to execute an arbitrary payload when the service is started or killed as a potential method for persistence.
references:
- https://pentestlab.blog/2020/01/22/persistence-modify-existing-service/
author: Sreeman
date: 2020-09-29
modified: 2023-02-04
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1543.003
- attack.t1574.011
logsource:
category: process_creation
product: windows
detection:
selection_sc:
- CommandLine|contains|all:
- 'sc '
- 'config '
- 'binpath='
- CommandLine|contains|all:
- 'sc '
- 'failure'
- 'command='
selection_reg_img:
- CommandLine|contains|all:
- 'reg '
- 'add '
- 'FailureCommand'
- CommandLine|contains|all:
- 'reg '
- 'add '
- 'ImagePath'
selection_reg_ext:
CommandLine|contains:
- '.sh'
- '.exe'
- '.dll'
- '.bin$'
- '.bat'
- '.cmd'
- '.js'
- '.msh$'
- '.reg$'
- '.scr'
- '.ps'
- '.vb'
- '.jar'
- '.pl'
condition: selection_sc or all of selection_reg_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
High FP
Potential Persistence Attempt Via Run Keys Using Reg.EXE
Detects suspicious command line reg.exe tool adding key to RUN key in Registry
view Sigma YAML
title: Potential Persistence Attempt Via Run Keys Using Reg.EXE
id: de587dce-915e-4218-aac4-835ca6af6f70
status: test
description: Detects suspicious command line reg.exe tool adding key to RUN key in Registry
references:
- https://app.any.run/tasks/9c0f37bc-867a-4314-b685-e101566766d7/
- https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2021-06-28
modified: 2025-02-17
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.001
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\reg.exe'
CommandLine|contains|all:
- 'reg'
- ' add '
CommandLine|contains:
- 'Software\Microsoft\Windows\CurrentVersion\Run'
- '\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
- '\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
condition: selection
falsepositives:
- Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.
- Legitimate administrator sets up autorun keys for legitimate reasons.
- Discord
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_reg_add_run_key/info.yml
Convert to SIEM query
medium
Moderate
Medium FP
Potential Persistence Using DebugPath
Detects potential persistence using Appx DebugPath
view Sigma YAML
title: Potential Persistence Using DebugPath
id: df4dc653-1029-47ba-8231-3c44238cc0ae
status: test
description: Detects potential persistence using Appx DebugPath
references:
- https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/
- https://github.com/rootm0s/WinPwnage
author: frack113
date: 2022-07-27
modified: 2023-08-17
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1546.015
logsource:
category: registry_set
product: windows
detection:
selection_debug:
TargetObject|contains: 'Classes\ActivatableClasses\Package\Microsoft.'
TargetObject|endswith: '\DebugPath'
selection_default:
TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\PackagedAppXDebug\Microsoft.'
TargetObject|endswith: '\(Default)'
condition: 1 of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Potential Persistence Via AppCompat RegisterAppRestart Layer
Detects the setting of the REGISTERAPPRESTART compatibility layer on an application.
This compatibility layer allows an application to register for restart using the "RegisterApplicationRestart" API.
This can be potentially abused as a persistence mechanism.
view Sigma YAML
title: Potential Persistence Via AppCompat RegisterAppRestart Layer
id: b86852fb-4c77-48f9-8519-eb1b2c308b59
status: test
description: |
Detects the setting of the REGISTERAPPRESTART compatibility layer on an application.
This compatibility layer allows an application to register for restart using the "RegisterApplicationRestart" API.
This can be potentially abused as a persistence mechanism.
references:
- https://github.com/nasbench/Misc-Research/blob/d114d6a5e0a437d3818e492ef9864367152543e7/Other/Persistence-Via-RegisterAppRestart-Shim.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-01-01
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1546.011
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\'
Details|contains: 'REGISTERAPPRESTART'
condition: selection
falsepositives:
- Legitimate applications making use of this feature for compatibility reasons
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Potential Persistence Via Custom Protocol Handler
Detects potential persistence activity via the registering of a new custom protocole handlers. While legitimate applications register protocole handlers often times during installation. And attacker can abuse this by setting a custom handler to be used as a persistence mechanism.
view Sigma YAML
title: Potential Persistence Via Custom Protocol Handler
id: fdbf0b9d-0182-4c43-893b-a1eaab92d085
status: test
description: Detects potential persistence activity via the registering of a new custom protocole handlers. While legitimate applications register protocole handlers often times during installation. And attacker can abuse this by setting a custom handler to be used as a persistence mechanism.
references:
- https://ladydebug.com/blog/2019/06/21/custom-protocol-handler-cph/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-05-30
modified: 2023-05-12
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|startswith: 'HKCR\'
Details|startswith: 'URL:'
filter_main_ms_trusted:
Details|startswith: 'URL:ms-' # Microsoft Protocols usually start with "ms-"
filter_main_generic_locations:
Image|startswith: # Add more folders to avoid FP
- 'C:\Program Files (x86)'
- 'C:\Program Files\'
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
# Uncomment This section to add specific Protocol Handler names that are know
# filter_specific:
# Details: 'URL:'
condition: selection and not 1 of filter_main_*
falsepositives:
- Many legitimate applications can register a new custom protocol handler. Additional filters needs to applied according to your environment.
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Potential Persistence Via Disk Cleanup Handler - Registry
Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence.
The disk cleanup manager is part of the operating system. It displays the dialog box […]
The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.
Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.
Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.
Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.
view Sigma YAML
title: Potential Persistence Via Disk Cleanup Handler - Registry
id: d4f4e0be-cf12-439f-9e25-4e2cdcf7df5a
status: test
description: |
Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence.
The disk cleanup manager is part of the operating system. It displays the dialog box […]
The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.
Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.
Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.
Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.
references:
- https://persistence-info.github.io/Data/diskcleanuphandler.html
- https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-21
modified: 2023-02-07
tags:
- attack.persistence
logsource:
product: windows
category: registry_add
detection:
selection:
EventType: CreateKey
TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\'
filter_main_default_keys:
# Default Keys
TargetObject|endswith:
- '\Active Setup Temp Folders'
- '\BranchCache'
- '\Content Indexer Cleaner'
- '\D3D Shader Cache'
- '\Delivery Optimization Files'
- '\Device Driver Packages'
- '\Diagnostic Data Viewer database files'
- '\Downloaded Program Files'
- '\DownloadsFolder'
- '\Feedback Hub Archive log files'
- '\Internet Cache Files'
- '\Language Pack'
- '\Microsoft Office Temp Files'
- '\Offline Pages Files'
- '\Old ChkDsk Files'
- '\Previous Installations'
- '\Recycle Bin'
- '\RetailDemo Offline Content'
- '\Setup Log Files'
- '\System error memory dump files'
- '\System error minidump files'
- '\Temporary Files'
- '\Temporary Setup Files'
- '\Temporary Sync Files'
- '\Thumbnail Cache'
- '\Update Cleanup'
- '\Upgrade Discarded Files'
- '\User file versions'
- '\Windows Defender'
- '\Windows Error Reporting Files'
- '\Windows ESD installation files'
- '\Windows Upgrade Log Files'
condition: selection and not 1 of filter_main_*
falsepositives:
- Legitimate new entry added by windows
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Potential Persistence Via Event Viewer Events.asp
Detects potential registry persistence technique using the Event Viewer "Events.asp" technique
view Sigma YAML
title: Potential Persistence Via Event Viewer Events.asp
id: a1e11042-a74a-46e6-b07c-c4ce8ecc239b
status: test
description: Detects potential registry persistence technique using the Event Viewer "Events.asp" technique
references:
- https://twitter.com/nas_bench/status/1626648985824788480
- https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.InternetCommunicationManagement::EventViewer_DisableLinks
- https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/
- https://github.com/redcanaryco/atomic-red-team/blob/f296668303c29d3f4c07e42bdd2b28d8dd6625f9/atomics/T1112/T1112.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-17
modified: 2023-03-05
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
selection:
# Covers both "\Policies\" and "\Software\" paths for both "Machine" and "User" level configs
# Also "MicrosoftRedirectionProgramCommandLineParameters" key
TargetObject|contains:
- '\Microsoft\Windows NT\CurrentVersion\Event Viewer\MicrosoftRedirectionProgram'
- '\Microsoft\Windows NT\CurrentVersion\Event Viewer\MicrosoftRedirectionURL'
filter_default_redirect_program:
Image|endswith: 'C:\WINDOWS\system32\svchost.exe' # Set via GPO
TargetObject|endswith: '\Microsoft\Windows NT\CurrentVersion\Event Viewer\MicrosoftRedirectionProgram'
Details: '%%SystemRoot%%\PCHealth\HelpCtr\Binaries\HelpCtr.exe'
filter_default_redirect_program_cli:
Image|endswith: 'C:\WINDOWS\system32\svchost.exe' # Set via GPO
TargetObject|endswith: '\Microsoft\Windows NT\CurrentVersion\Event Viewer\MicrosoftRedirectionProgramCommandLineParameters'
Details: '-url hcp://services/centers/support?topic=%%s'
filter_url:
Details: 'http://go.microsoft.com/fwlink/events.asp'
filter_cleaner:
Details: '(Empty)'
condition: selection and not 1 of filter_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential Persistence Via Logon Scripts - Registry
Detects creation of "UserInitMprLogonScript" registry value which can be used as a persistence method by malicious actors
view Sigma YAML
title: Potential Persistence Via Logon Scripts - Registry
id: 9ace0707-b560-49b8-b6ca-5148b42f39fb
status: test
description: Detects creation of "UserInitMprLogonScript" registry value which can be used as a persistence method by malicious actors
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.001/T1037.001.md
author: Tom Ueltschi (@c_APT_ure)
date: 2019-01-12
modified: 2025-10-26
tags:
- attack.privilege-escalation
- attack.t1037.001
- attack.persistence
- attack.lateral-movement
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: 'UserInitMprLogonScript'
condition: selection
falsepositives:
- Investigate the contents of the "UserInitMprLogonScript" value to determine of the added script is legitimate
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_persistence_logon_scripts_userinitmprlogonscript/info.yml
simulation:
- type: atomic-red-team
name: Logon Scripts
technique: T1037.001
atomic_guid: d6042746-07d4-4c92-9ad8-e644c114a231
Convert to SIEM query
medium
Moderate
High FP
Potential Persistence Via Microsoft Compatibility Appraiser
Detects manual execution of the "Microsoft Compatibility Appraiser" task via schtasks.
In order to trigger persistence stored in the "\AppCompatFlags\TelemetryController" registry key.
view Sigma YAML
title: Potential Persistence Via Microsoft Compatibility Appraiser
id: f548a603-c9f2-4c89-b511-b089f7e94549
related:
- id: 73a883d0-0348-4be4-a8d8-51031c2564f8
type: derived
status: test
description: |
Detects manual execution of the "Microsoft Compatibility Appraiser" task via schtasks.
In order to trigger persistence stored in the "\AppCompatFlags\TelemetryController" registry key.
references:
- https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
author: Sreeman
date: 2020-09-29
modified: 2023-02-10
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1053.005
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\schtasks.exe'
- OriginalFileName: 'schtasks.exe'
selection_cli:
CommandLine|contains|all:
- 'run '
- '\Application Experience\Microsoft Compatibility Appraiser'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential Persistence Via Netsh Helper DLL
Detects the execution of netsh with "add helper" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.
view Sigma YAML
title: Potential Persistence Via Netsh Helper DLL
id: 56321594-9087-49d9-bf10-524fe8479452
related:
- id: c90362e0-2df3-4e61-94fe-b37615814cb1
type: similar
- id: e7b18879-676e-4a0e-ae18-27039185a8e7
type: similar
status: test
description: |
Detects the execution of netsh with "add helper" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.007/T1546.007.md
- https://github.com/outflanknl/NetshHelperBeacon
- https://web.archive.org/web/20160928212230/https://www.adaptforward.com/2016/09/using-netshell-to-execute-evil-dlls-and-persist-on-a-host/
author: Victor Sergeev, oscd.community
date: 2019-10-25
modified: 2023-11-28
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1546.007
- attack.s0108
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName: 'netsh.exe'
- Image|endswith: '\netsh.exe'
selection_cli:
CommandLine|contains|all:
- 'add'
- 'helper'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Potential Persistence Via Netsh Helper DLL - Registry
Detects changes to the Netsh registry key to add a new DLL value. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper
view Sigma YAML
title: Potential Persistence Via Netsh Helper DLL - Registry
id: c90362e0-2df3-4e61-94fe-b37615814cb1
related:
- id: 56321594-9087-49d9-bf10-524fe8479452
type: similar
- id: e7b18879-676e-4a0e-ae18-27039185a8e7
type: similar
status: test
description: |
Detects changes to the Netsh registry key to add a new DLL value. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper
references:
- https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll
- https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/
author: Anish Bogati
date: 2023-11-28
modified: 2025-10-08
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1546.007
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\SOFTWARE\Microsoft\NetSh'
Details|contains: '.dll'
filter_main_poqexec:
Image: 'C:\Windows\System32\poqexec.exe'
Details:
- 'ipmontr.dll'
- 'iasmontr.dll'
- 'ippromon.dll'
condition: selection and not 1 of filter_main_*
falsepositives:
- Legitimate helper added by different programs and the OS
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Potential Persistence Via New AMSI Providers - Registry
Detects when an attacker adds a new AMSI provider via the Windows Registry to bypass AMSI (Antimalware Scan Interface) protections.
Attackers may add custom AMSI providers to persist on the system and evade detection by security software that relies on AMSI for scanning scripts and other content.
This technique is often used in conjunction with fileless malware and script-based attacks to maintain persistence while avoiding detection.
view Sigma YAML
title: Potential Persistence Via New AMSI Providers - Registry
id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f705
status: test
description: |
Detects when an attacker adds a new AMSI provider via the Windows Registry to bypass AMSI (Antimalware Scan Interface) protections.
Attackers may add custom AMSI providers to persist on the system and evade detection by security software that relies on AMSI for scanning scripts and other content.
This technique is often used in conjunction with fileless malware and script-based attacks to maintain persistence while avoiding detection.
references:
- https://persistence-info.github.io/Data/amsi.html
- https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-21
modified: 2025-10-26
tags:
- attack.persistence
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains:
- '\SOFTWARE\Microsoft\AMSI\Providers\'
- '\SOFTWARE\WOW6432Node\Microsoft\AMSI\Providers\'
filter_optional_avast:
Image:
- 'C:\Program Files\Avast Software\Avast\RegSvr.exe'
- 'C:\Program Files\Avast Software\Avast\x86\RegSvr.exe'
TargetObject|contains: '\{FB904E4E-D2C7-4C8D-8492-B620BB9896B1}'
filter_optional_avg:
Image:
- 'C:\Program Files\AVG\Antivirus\RegSvr.exe'
- 'C:\Program Files\AVG\Antivirus\x86\RegSvr.exe'
TargetObject|contains: '\{FB904E4E-D2C7-4C8D-8492-B620BB9896B1}'
filter_optional_avira:
Image: 'C:\Program Files\Avira\Endpoint Protection SDK\endpointprotection.exe'
TargetObject|contains: '\{00000001-3DCC-4B48-A82E-E2071FE58E05}'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Legitimate security products adding their own AMSI providers. Filter these according to your environment.
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_persistence_amsi_providers/info.yml
Convert to SIEM query
medium
Strong
Medium FP
Potential Persistence Via Notepad++ Plugins
Detects creation of new ".dll" files inside the plugins directory of a notepad++ installation by a process other than "gup.exe". Which could indicates possible persistence
view Sigma YAML
title: Potential Persistence Via Notepad++ Plugins
id: 54127bd4-f541-4ac3-afdb-ea073f63f692
status: test
description: Detects creation of new ".dll" files inside the plugins directory of a notepad++ installation by a process other than "gup.exe". Which could indicates possible persistence
references:
- https://pentestlab.blog/2022/02/14/persistence-notepad-plugins/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-10
modified: 2025-09-01
tags:
- attack.persistence
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|contains: '\Notepad++\plugins\'
TargetFilename|endswith: '.dll'
filter_gup:
Image|endswith: '\Notepad++\updater\gup.exe'
filter_install:
# This filter is for Sigma dataset you could remove it or change when using the rule in your own env
Image|startswith: 'C:\Users\'
Image|contains: '\AppData\Local\Temp\'
Image|endswith:
- '\target.exe'
- 'Installer.x64.exe'
filter_main_installer:
Image|contains: '\npp.'
Image|endswith: '.exe'
TargetFilename:
- 'C:\Program Files\Notepad++\plugins\NppExport\NppExport.dll'
- 'C:\Program Files\Notepad++\plugins\mimeTools\mimeTools.dll'
- 'C:\Program Files\Notepad++\plugins\NppConverter\NppConverter.dll'
- 'C:\Program Files\Notepad++\plugins\Config\nppPluginList.dll'
condition: selection and not 1 of filter_*
falsepositives:
- Possible FPs during first installation of Notepad++
- Legitimate use of custom plugins by users in order to enhance notepad++ functionalities
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential Persistence Via PowerShell User Profile Using Add-Content
Detects calls to "Add-Content" cmdlet in order to modify the content of the user profile and potentially adding suspicious commands for persistence
view Sigma YAML
title: Potential Persistence Via PowerShell User Profile Using Add-Content
id: 05b3e303-faf0-4f4a-9b30-46cc13e69152
status: test
description: Detects calls to "Add-Content" cmdlet in order to modify the content of the user profile and potentially adding suspicious commands for persistence
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.013/T1546.013.md
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2021-08-18
modified: 2023-05-04
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1546.013
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_add:
ScriptBlockText|contains: 'Add-Content $profile'
selection_options:
ScriptBlockText|contains:
# Note: You can add more suspicious values
- '-Value "IEX '
- '-Value "Invoke-Expression'
- '-Value "Invoke-WebRequest'
- '-Value "Start-Process'
- "-Value 'IEX "
- "-Value 'Invoke-Expression"
- "-Value 'Invoke-WebRequest"
- "-Value 'Start-Process"
condition: all of selection_*
falsepositives:
- Legitimate administration and tuning scripts that aim to add functionality to a user PowerShell session
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Potential Persistence Via Scrobj.dll COM Hijacking
Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute
view Sigma YAML
title: Potential Persistence Via Scrobj.dll COM Hijacking
id: fe20dda1-6f37-4379-bbe0-a98d400cae90
status: test
description: Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute
references:
- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md
author: frack113
date: 2022-08-20
modified: 2023-08-17
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1546.015
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: 'InprocServer32\(Default)'
Details: 'C:\WINDOWS\system32\scrobj.dll'
condition: selection
falsepositives:
- Legitimate use of the dll.
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script to run for a specific VM state
view Sigma YAML
title: Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
id: 7aa4e81a-a65c-4e10-9f81-b200eb229d7d
related:
- id: 236d8e89-ed95-4789-a982-36f4643738ba
type: derived
status: test
description: Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script to run for a specific VM state
references:
- https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/
- https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-14
tags:
- attack.execution
- attack.persistence
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\VMwareToolBoxCmd.exe'
- OriginalFileName: 'toolbox-cmd.exe'
selection_cli:
CommandLine|contains|all:
- ' script '
- ' set '
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Potential Persistence Via Visual Studio Tools for Office
Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.
view Sigma YAML
title: Potential Persistence Via Visual Studio Tools for Office
id: 9d15044a-7cfe-4d23-8085-6ebc11df7685
status: test
description: Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.
references:
- https://twitter.com/_vivami/status/1347925307643355138
- https://vanmieghem.io/stealth-outlook-persistence/
author: Bhabesh Raj
date: 2021-01-10
modified: 2026-01-09
tags:
- attack.t1137.006
- attack.persistence
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains:
- '\Software\Microsoft\Office\Outlook\Addins\'
- '\Software\Microsoft\Office\Word\Addins\'
- '\Software\Microsoft\Office\Excel\Addins\'
- '\Software\Microsoft\Office\Powerpoint\Addins\'
- '\Software\Microsoft\VSTO\Security\Inclusion\'
filter_main_system:
Image:
- 'C:\Windows\System32\msiexec.exe'
- 'C:\Windows\SysWOW64\msiexec.exe'
- 'C:\Windows\System32\regsvr32.exe'
- 'C:\Windows\SysWOW64\regsvr32.exe' # e.g. default Evernote installation
filter_main_office_click_to_run:
Image|startswith:
- 'C:\Program Files\Common Files (x86)\Microsoft Shared\ClickToRun\'
- 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
Image|endswith: '\OfficeClickToRun.exe'
filter_main_integrator:
Image:
- 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
- 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
filter_main_office_apps:
Image|startswith:
- 'C:\Program Files\Microsoft Office\OFFICE'
- 'C:\Program Files (x86)\Microsoft Office\OFFICE'
- 'C:\Program Files\Microsoft Office\Root\OFFICE'
- 'C:\Program Files (x86)\Microsoft Office\Root\OFFICE'
- 'C:\PROGRA~2\MICROS~2\Office'
Image|endswith:
- '\excel.exe'
- '\Integrator.exe'
- '\OneNote.exe'
- '\outlook.exe'
- '\powerpnt.exe'
- '\Teams.exe'
- '\visio.exe'
- '\winword.exe'
filter_main_vsto:
Image|startswith:
- 'C:\Program Files\Common Files\Microsoft Shared\VSTO\'
- 'C:\Program Files (x86)\Microsoft Shared\VSTO\'
Image|endswith: '\VSTOInstaller.exe'
filter_optional_avg:
Image:
- 'C:\Program Files\AVG\Antivirus\RegSvr.exe'
- 'C:\Program Files (x86)\AVG\Antivirus\RegSvr.exe'
TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\'
filter_optional_avast:
Image:
- 'C:\Program Files\Avast Software\Avast\RegSvr.exe'
- 'C:\Program Files (x86)\Avast Software\Avast\RegSvr.exe'
TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Avast.AsOutExt\'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate Addin Installation
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Potential PetitPotam Attack Via EFS RPC Calls
Detects usage of the windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack refereed to as PetitPotam.
The usage of this RPC function should be rare if ever used at all.
Thus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate.
View surrounding logs (within a few minutes before and after) from the Source IP to. Logs from from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc..'
view Sigma YAML
title: Potential PetitPotam Attack Via EFS RPC Calls
id: 4096842a-8f9f-4d36-92b4-d0b2a62f9b2a
status: test
description: |
Detects usage of the windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack refereed to as PetitPotam.
The usage of this RPC function should be rare if ever used at all.
Thus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate.
View surrounding logs (within a few minutes before and after) from the Source IP to. Logs from from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc..'
references:
- https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp
- https://msrc.microsoft.com/update-guide/vulnerability/ADV210003
- https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf
- https://threatpost.com/microsoft-petitpotam-poc/168163/
author: '@neu5ron, @Antonlovesdnb, Mike Remen'
date: 2021-08-17
modified: 2022-11-28
tags:
- attack.collection
- attack.credential-access
- attack.t1557.001
- attack.t1187
logsource:
product: zeek
service: dce_rpc
detection:
selection:
operation|startswith: 'efs'
condition: selection
falsepositives:
- Uncommon but legitimate windows administrator or software tasks that make use of the Encrypting File System RPC Calls. Verify if this is common activity (see description).
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE
Detects the execution of concatenated commands via "cmd.exe". Pikabot often executes a combination of multiple commands via the command handler "cmd /c" in order to download and execute additional payloads.
Commands such as "curl", "wget" in order to download extra payloads. "ping" and "timeout" are abused to introduce delays in the command execution and "Rundll32" is also used to execute malicious DLL files.
In the observed Pikabot infections, a combination of the commands described above are used to orchestrate the download and execution of malicious DLL files.
view Sigma YAML
title: Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE
id: e5144106-8198-4f6e-bfc2-0a551cc8dd94
status: test
description: |
Detects the execution of concatenated commands via "cmd.exe". Pikabot often executes a combination of multiple commands via the command handler "cmd /c" in order to download and execute additional payloads.
Commands such as "curl", "wget" in order to download extra payloads. "ping" and "timeout" are abused to introduce delays in the command execution and "Rundll32" is also used to execute malicious DLL files.
In the observed Pikabot infections, a combination of the commands described above are used to orchestrate the download and execution of malicious DLL files.
references:
- https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_30.10.2023.txt
- https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_22.12.2023.txt
author: Alejandro Houspanossian ('@lekz86')
date: 2024-01-02
tags:
- attack.command-and-control
- attack.execution
- attack.stealth
- attack.t1059.003
- attack.t1105
- attack.t1218
- detection.emerging-threats
logsource:
product: windows
category: process_creation
detection:
selection_cmd:
CommandLine|contains|all:
- 'cmd'
- '/c'
selection_pipes:
CommandLine|contains:
- ' & '
- ' || '
selection_commands_1:
CommandLine|contains:
- ' curl'
- ' wget'
- ' timeout '
- ' ping '
selection_commands_2:
CommandLine|contains:
- ' rundll32'
- ' mkdir '
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential PowerShell Console History Access Attempt via History File
Detects potential access attempts to the PowerShell console history directly via history file (ConsoleHost_history.txt).
This can give access to plaintext passwords used in PowerShell commands or used for general reconnaissance.
view Sigma YAML
title: Potential PowerShell Console History Access Attempt via History File
id: f4ff7323-b5fc-4323-8b52-6b9408e15788
status: experimental
description: |
Detects potential access attempts to the PowerShell console history directly via history file (ConsoleHost_history.txt).
This can give access to plaintext passwords used in PowerShell commands or used for general reconnaissance.
references:
- https://0xdf.gitlab.io/2018/11/08/powershell-history-file.html
author: Luc Génaux
date: 2025-04-03
tags:
- attack.credential-access
- attack.t1552.001
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- 'ConsoleHost_history.txt'
- '(Get-PSReadLineOption).HistorySavePath'
condition: selection
falsepositives:
- Legitimate access of the console history file is possible
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Potential PowerShell Downgrade Attack
Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
view Sigma YAML
title: Potential PowerShell Downgrade Attack
id: b3512211-c67e-4707-bedc-66efc7848863
related:
- id: 6331d09b-4785-4c13-980f-f96661356249
type: derived
status: test
description: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
references:
- http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
- https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#bypass-or-avoid-amsi-by-version-downgrade-
author: Harish Segar (rule)
date: 2020-03-20
modified: 2023-01-04
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\powershell.exe'
CommandLine|contains:
- ' -version 2 '
- ' -versio 2 '
- ' -versi 2 '
- ' -vers 2 '
- ' -ver 2 '
- ' -ve 2 '
- ' -v 2 '
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Potential PowerShell Execution Policy Tampering
Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution
view Sigma YAML
title: Potential PowerShell Execution Policy Tampering
id: fad91067-08c5-4d1a-8d8c-d96a21b37814
related:
- id: cf2e938e-9a3e-4fe8-a347-411642b28a9f # Registry
type: similar
- id: 87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180 # ProcCreation Cmdlet
type: similar
- id: 61d0475c-173f-4844-86f7-f3eebae1c66b # PowerShell ScriptBlock
type: similar
status: test
description: Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution
references:
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-11
modified: 2023-12-14
tags:
- attack.defense-impairment
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith:
# Note for future readers: For PowerShell 7+ the ExecutionPolicy is handled via a setting file due to the fact that PWSH7 is available for mac and linux
# Attackers can create a per-user setting file (powershell.config.json) and set the execution policy there
# Learn more here: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_powershell_config?view=powershell-7.3
- '\ShellIds\Microsoft.PowerShell\ExecutionPolicy'
- '\Policies\Microsoft\Windows\PowerShell\ExecutionPolicy'
Details|contains:
- 'Bypass'
- 'Unrestricted'
filter_main_svchost:
# Note: We filter out "svchost" to avoid FP with changes using "gpedit" for example.
Image|contains:
- ':\Windows\System32\'
- ':\Windows\SysWOW64\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Potential Privileged System Service Operation - SeLoadDriverPrivilege
Detects the usage of the 'SeLoadDriverPrivilege' privilege. This privilege is required to load or unload a device driver.
With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode.
This user right does not apply to Plug and Play device drivers.
If you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers.
This will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools. So you have to work with a whitelist to find the bad stuff.
view Sigma YAML
title: Potential Privileged System Service Operation - SeLoadDriverPrivilege
id: f63508a0-c809-4435-b3be-ed819394d612
status: test
description: |
Detects the usage of the 'SeLoadDriverPrivilege' privilege. This privilege is required to load or unload a device driver.
With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode.
This user right does not apply to Plug and Play device drivers.
If you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers.
This will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools. So you have to work with a whitelist to find the bad stuff.
references:
- https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673
author: xknow (@xknow_infosec), xorxes (@xor_xes)
date: 2019-04-08
modified: 2026-03-29
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: windows
service: security
detection:
selection_1:
EventID: 4673
PrivilegeList: 'SeLoadDriverPrivilege'
Service: '-'
filter_main_exact:
ProcessName:
- 'C:\Windows\explorer.exe'
- 'C:\Windows\HelpPane.exe'
- 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
- 'C:\Windows\System32\Dism.exe'
- 'C:\Windows\System32\fltMC.exe'
- 'C:\Windows\System32\mmc.exe'
- 'C:\Windows\System32\rundll32.exe'
- 'C:\Windows\System32\RuntimeBroker.exe'
- 'C:\Windows\System32\ShellHost.exe'
- 'C:\Windows\System32\svchost.exe'
- 'C:\Windows\System32\SystemSettingsBroker.exe'
- 'C:\Windows\System32\wimserv.exe'
filter_optional_others:
ProcessName|endswith:
- '\AppData\Local\Microsoft\Teams\current\Teams.exe'
- '\Google\Chrome\Application\chrome.exe'
- '\procexp.exe'
- '\procexp64.exe'
- '\procmon.exe'
- '\procmon64.exe'
filter_main_startswith:
ProcessName|startswith: 'C:\Program Files\WindowsApps\Microsoft'
filter_optional_dropbox:
ProcessName|startswith:
- 'C:\Program Files (x86)\Dropbox\'
- 'C:\Program Files\Dropbox\'
ProcessName|endswith: '\Dropbox.exe'
condition: selection_1 and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Other legimate tools loading drivers. Including but not limited to, Sysinternals, CPU-Z, AVs etc. A baseline needs to be created according to the used products and allowed tools. A good thing to do is to try and exclude users who are allowed to load drivers.
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential Process Execution Proxy Via CL_Invocation.ps1
Detects calls to "SyncInvoke" that is part of the "CL_Invocation.ps1" script to proxy execution using "System.Diagnostics.Process"
view Sigma YAML
title: Potential Process Execution Proxy Via CL_Invocation.ps1
id: a0459f02-ac51-4c09-b511-b8c9203fc429
status: test
description: Detects calls to "SyncInvoke" that is part of the "CL_Invocation.ps1" script to proxy execution using "System.Diagnostics.Process"
references:
- https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/
- https://twitter.com/bohops/status/948061991012327424
author: Nasreddine Bencherchali (Nextron Systems), oscd.community, Natalia Shornikova
date: 2020-10-14
modified: 2023-08-17
tags:
- attack.stealth
- attack.t1216
logsource:
category: process_creation
product: windows
detection:
selection:
# Note: As this function is usually called from within powershell, classical process creation even would not catch it. This will only catch inline calls via "-Command" or "-ScriptBlock" flags for example.
CommandLine|contains: 'SyncInvoke '
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Potential Process Hollowing Activity
Detects when a memory process image does not match the disk image, indicative of process hollowing.
view Sigma YAML
title: Potential Process Hollowing Activity
id: c4b890e5-8d8c-4496-8c66-c805753817cd
status: test
description: Detects when a memory process image does not match the disk image, indicative of process hollowing.
references:
- https://twitter.com/SecurePeacock/status/1486054048390332423?s=20
- https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/
author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Sittikorn S
date: 2022-01-25
modified: 2023-11-28
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1055.012
logsource:
product: windows
category: process_tampering
detection:
selection:
Type: 'Image is replaced'
filter_main_generic:
Image|contains:
- ':\Program Files (x86)'
- ':\Program Files\'
- ':\Windows\System32\wbem\WMIADAP.exe'
- ':\Windows\SysWOW64\wbem\WMIADAP.exe'
filter_optional_opera:
Image|contains: '\AppData\Local\Programs\Opera\'
Image|endswith: '\opera.exe'
filter_optional_edge:
Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
High FP
Potential Product Class Reconnaissance Via Wmic.EXE
Detects the execution of WMIC in order to get a list of firewall, antivirus and antispywware products.
Adversaries often enumerate security products installed on a system to identify security controls and potential ways to evade detection or disable protection mechanisms.
This information helps them plan their next attack steps and choose appropriate techniques to bypass security measures.
view Sigma YAML
title: Potential Product Class Reconnaissance Via Wmic.EXE
id: e568650b-5dcd-4658-8f34-ded0b1e13992
status: test
description: |
Detects the execution of WMIC in order to get a list of firewall, antivirus and antispywware products.
Adversaries often enumerate security products installed on a system to identify security controls and potential ways to evade detection or disable protection mechanisms.
This information helps them plan their next attack steps and choose appropriate techniques to bypass security measures.
references:
- https://github.com/albertzsigovits/malware-notes/blob/c820c7fea76cf76a861b28ebc77e06100e20ec29/Ransomware/Maze.md
- https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1
- https://www.trendmicro.com/en_us/research/25/c/socgholishs-intrusion-techniques-facilitate-distribution-of-rans.html
author: Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2023-02-14
modified: 2025-03-17
tags:
- attack.execution
- attack.t1047
- attack.discovery
- attack.t1082
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\wmic.exe'
- OriginalFileName: 'wmic.exe'
selection_cli:
# Example: wmic.exe /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
CommandLine|contains:
- 'AntiVirusProduct'
- 'AntiSpywareProduct'
- 'FirewallProduct'
condition: all of selection_*
falsepositives:
- Legitimate use of wmic.exe for reconnaissance of firewall, antivirus and antispywware products.
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Potential Product Reconnaissance Via Wmic.EXE
Detects the execution of WMIC in order to get a list of firewall and antivirus products
view Sigma YAML
title: Potential Product Reconnaissance Via Wmic.EXE
id: 15434e33-5027-4914-88d5-3d4145ec25a9
status: test
description: Detects the execution of WMIC in order to get a list of firewall and antivirus products
references:
- https://thedfirreport.com/2023/03/06/2022-year-in-review/
- https://www.yeahhub.com/list-installed-programs-version-path-windows/
- https://learn.microsoft.com/en-us/answers/questions/253555/software-list-inventory-wmic-product
author: Nasreddine Bencherchali
date: 2023-02-14
modified: 2025-10-22
tags:
- attack.execution
- attack.t1047
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\wmic.exe'
- OriginalFileName: 'wmic.exe'
selection_cli:
CommandLine|contains: 'Product'
filter_main_call_operations:
# wmic /node:"#{node}" product where "name like '#{product}%%'" call uninstall
CommandLine|contains:
- ' uninstall'
- ' install'
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential Provlaunch.EXE Binary Proxy Execution Abuse
Detects child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.
view Sigma YAML
title: Potential Provlaunch.EXE Binary Proxy Execution Abuse
id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c
related:
- id: f9999590-1f94-4a34-a91e-951e47bedefd # CLI Abuse
type: similar
- id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25 # CLI Registry
type: similar
- id: 7021255e-5db3-4946-a8b9-0ba7a4644a69 # Registry
type: similar
status: test
description: Detects child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
- https://twitter.com/0gtweet/status/1674399582162153472
author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
date: 2023-08-08
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\provlaunch.exe'
filter_main_covered_children:
# Note: this filter is here to avoid duplicate alerting by f9999590-1f94-4a34-a91e-951e47bedefd
- Image|endswith:
- '\calc.exe'
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\notepad.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\wscript.exe'
- Image|contains:
- ':\PerfLogs\'
- ':\Temp\'
- ':\Users\Public\'
- '\AppData\Temp\'
- '\Windows\System32\Tasks\'
- '\Windows\Tasks\'
- '\Windows\Temp\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Potential Python DLL SideLoading
Detects potential DLL sideloading of Python DLL files.
view Sigma YAML
title: Potential Python DLL SideLoading
id: d36f7c12-14a3-4d48-b6b8-774b9c66f44d
status: test
description: Detects potential DLL sideloading of Python DLL files.
references:
- https://www.securonix.com/blog/seolurker-attack-campaign-uses-seo-poisoning-fake-google-ads-to-install-malware/
- https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/
- https://github.com/wietze/HijackLibs/tree/dc9c9f2f94e6872051dab58fbafb043fdd8b4176/yml/3rd_party/python
author: Swachchhanda Shrawan Poudel
date: 2024-10-06
modified: 2025-08-18
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith:
- '\python39.dll'
- '\python310.dll'
- '\python311.dll'
- '\python312.dll'
filter_main_default_install_paths:
- ImageLoaded|startswith:
- 'C:\Program Files\Python3'
- 'C:\Program Files (x86)\Python3'
- ImageLoaded|contains: '\AppData\Local\Programs\Python\Python3'
filter_optional_visual_studio:
ImageLoaded|startswith: 'C:\Program Files\Microsoft Visual Studio\'
filter_optional_anaconda:
ImageLoaded|startswith: 'C:\ProgramData\Anaconda3\' # Comment out if you don't use Anaconda in your environment
filter_optional_cpython:
ImageLoaded|contains:
- '\cpython\externals\'
- '\cpython\PCbuild\'
filter_optional_pyinstaller:
# Triggered by programs bundled with PyInstaller
ImageLoaded|startswith: 'C:\Users'
ImageLoaded|contains: '\AppData\Local\Temp\_MEI'
filter_main_legit_signature_details:
Product: 'Python'
Signed: 'true'
Description: 'Python'
Company: 'Python Software Foundation'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate software using Python DLLs
level: medium
Convert to SIEM query
medium
Strong
Low FP
Potential RDP Exploit CVE-2019-0708
Detect suspicious error on protocol RDP, potential CVE-2019-0708
view Sigma YAML
title: Potential RDP Exploit CVE-2019-0708
id: aaa5b30d-f418-420b-83a0-299cb6024885
status: test
description: Detect suspicious error on protocol RDP, potential CVE-2019-0708
references:
- https://web.archive.org/web/20190710034152/https://github.com/zerosum0x0/CVE-2019-0708
- https://github.com/Ekultek/BlueKeep
author: 'Lionel PRAT, Christophe BROCAS, @atc_project (improvements)'
date: 2019-05-24
modified: 2022-12-25
tags:
- attack.lateral-movement
- attack.t1210
- car.2013-07-002
- cve.2019-0708
- detection.emerging-threats
logsource:
product: windows
service: system
detection:
selection:
EventID:
- 56
- 50
Provider_Name: TermDD
condition: selection
falsepositives:
- Bad connections or network interruptions
# too many false positives
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Potential RDP Session Hijacking Activity
Detects potential RDP Session Hijacking activity on Windows systems
view Sigma YAML
title: Potential RDP Session Hijacking Activity
id: 224f140f-3553-4cd1-af78-13d81bf9f7cc
status: test
description: Detects potential RDP Session Hijacking activity on Windows systems
references:
- https://twitter.com/Moti_B/status/909449115477659651
author: '@juju4'
date: 2022-12-27
modified: 2024-12-01
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\tscon.exe'
- OriginalFileName: 'tscon.exe'
selection_integrity:
IntegrityLevel:
- 'System'
- 'S-1-16-16384'
condition: all of selection_*
falsepositives:
- Administrative activity
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE
Detects potential malicious and unauthorized usage of bcdedit.exe
view Sigma YAML
title: Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE
id: c9fbe8e9-119d-40a6-9b59-dd58a5d84429
status: test
description: Detects potential malicious and unauthorized usage of bcdedit.exe
references:
- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set
- https://twitter.com/malwrhunterteam/status/1372536434125512712/photo/2
author: '@neu5ron'
date: 2019-02-07
modified: 2023-02-15
tags:
- attack.stealth
- attack.t1070
- attack.persistence
- attack.t1542.003
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\bcdedit.exe'
- OriginalFileName: 'bcdedit.exe'
selection_cli:
CommandLine|contains:
- 'delete'
- 'deletevalue'
- 'import'
- 'safeboot'
- 'network'
condition: all of selection_*
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential Recon Activity Via Nltest.EXE
Detects nltest commands that can be used for information discovery
view Sigma YAML
title: Potential Recon Activity Via Nltest.EXE
id: 5cc90652-4cbd-4241-aa3b-4b462fa5a248
related:
- id: 410ad193-a728-4107-bc79-4419789fcbf8
type: similar
- id: 903076ff-f442-475a-b667-4f246bcc203b
type: similar
- id: 77815820-246c-47b8-9741-e0def3f57308
type: obsolete
status: test
description: Detects nltest commands that can be used for information discovery
references:
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)
- https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/
- https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
- https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters
- https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
- https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html
- https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
- https://github.com/redcanaryco/atomic-red-team/blob/5360c9d9ffa3b25f6495f7a16e267b719eba2c37/atomics/T1482/T1482.md#atomic-test-2---windows---discover-domain-trusts-with-nltest
author: Craig Young, oscd.community, Georg Lauenstein
date: 2021-07-24
modified: 2023-12-15
tags:
- attack.discovery
- attack.t1016
- attack.t1482
logsource:
category: process_creation
product: windows
detection:
selection_nltest:
- Image|endswith: '\nltest.exe'
- OriginalFileName: 'nltestrk.exe'
selection_recon:
- CommandLine|contains|all:
- 'server'
- 'query'
- CommandLine|contains:
- '/user'
- 'all_trusts' # Flag for /domain_trusts
- 'dclist:'
- 'dnsgetdc:'
- 'domain_trusts'
- 'dsgetdc:'
- 'parentdomain'
- 'trusted_domains'
condition: all of selection_*
falsepositives:
- Legitimate administration use but user and host must be investigated
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential Reconnaissance Activity Via GatherNetworkInfo.VBS
Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". Which can be used to gather information about the target machine
view Sigma YAML
title: Potential Reconnaissance Activity Via GatherNetworkInfo.VBS
id: 575dce0c-8139-4e30-9295-1ee75969f7fe
related:
- id: f92a6f1e-a512-4a15-9735-da09e78d7273 # FileCreate
type: similar
- id: 07aa184a-870d-413d-893a-157f317f6f58 # ProcCreation Susp
type: similar
status: test
description: Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". Which can be used to gather information about the target machine
references:
- https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs
- https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government
author: blueteamer8699
date: 2022-01-03
modified: 2023-02-08
tags:
- attack.discovery
- attack.execution
- attack.t1615
- attack.t1059.005
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\cscript.exe'
- '\wscript.exe'
- OriginalFileName:
- 'cscript.exe'
- 'wscript.exe'
selection_cli:
CommandLine|contains: 'gatherNetworkInfo.vbs'
condition: all of selection_*
falsepositives:
- Administrative activity
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential ReflectDebugger Content Execution Via WerFault.EXE
Detects execution of "WerFault.exe" with the "-pr" commandline flag that is used to run files stored in the ReflectDebugger key which could be used to store the path to the malware in order to masquerade the execution flow
view Sigma YAML
title: Potential ReflectDebugger Content Execution Via WerFault.EXE
id: fabfb3a7-3ce1-4445-9c7c-3c27f1051cdd
related:
- id: 0cf2e1c6-8d10-4273-8059-738778f981ad
type: derived
status: test
description: Detects execution of "WerFault.exe" with the "-pr" commandline flag that is used to run files stored in the ReflectDebugger key which could be used to store the path to the malware in order to masquerade the execution flow
references:
- https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html
- https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/
author: X__Junior (Nextron Systems)
date: 2023-06-30
tags:
- attack.execution
- attack.stealth
- attack.t1036
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\WerFault.exe'
- OriginalFileName: 'WerFault.exe'
selection_cli:
CommandLine|contains: ' -pr '
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential Register_App.Vbs LOLScript Abuse
Detects potential abuse of the "register_app.vbs" script that is part of the Windows SDK. The script offers the capability to register new VSS/VDS Provider as a COM+ application. Attackers can use this to install malicious DLLs for persistence and execution.
view Sigma YAML
title: Potential Register_App.Vbs LOLScript Abuse
id: 28c8f68b-098d-45af-8d43-8089f3e35403
status: test
description: Detects potential abuse of the "register_app.vbs" script that is part of the Windows SDK. The script offers the capability to register new VSS/VDS Provider as a COM+ application. Attackers can use this to install malicious DLLs for persistence and execution.
references:
- https://twitter.com/sblmsrsn/status/1456613494783160325?s=20
- https://github.com/microsoft/Windows-classic-samples/blob/7cbd99ac1d2b4a0beffbaba29ea63d024ceff700/Samples/Win7Samples/winbase/vss/vsssampleprovider/register_app.vbs
author: Austin Songer @austinsonger
date: 2021-11-05
modified: 2022-07-07
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\cscript.exe'
- '\wscript.exe'
- OriginalFileName:
- 'cscript.exe'
- 'wscript.exe'
selection_cli:
CommandLine|contains: '.vbs -register ' # register_app.vbs
condition: all of selection*
falsepositives:
- Other VB scripts that leverage the same starting command line flags
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Potential Registry Persistence Attempt Via DbgManagedDebugger
Detects the addition of the "Debugger" value to the "DbgManagedDebugger" key in order to achieve persistence. Which will get invoked when an application crashes
view Sigma YAML
title: Potential Registry Persistence Attempt Via DbgManagedDebugger
id: 9827ae57-3802-418f-994b-d5ecf5cd974b
status: test
description: Detects the addition of the "Debugger" value to the "DbgManagedDebugger" key in order to achieve persistence. Which will get invoked when an application crashes
references:
- https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/
- https://github.com/last-byte/PersistenceSniper
author: frack113
date: 2022-08-07
modified: 2023-08-17
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\Microsoft\.NETFramework\DbgManagedDebugger'
filter:
Details: '"C:\Windows\system32\vsjitdebugger.exe" PID %d APPDOM %d EXTEXT "%s" EVTHDL %d'
condition: selection and not filter
falsepositives:
- Legitimate use of the key to setup a debugger. Which is often the case on developers machines
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential Registry Reconnaissance Via PowerShell Script
Detects PowerShell scripts with potential registry reconnaissance capabilities. Adversaries may interact with the Windows registry to gather information about the system credentials, configuration, and installed software.
view Sigma YAML
title: Potential Registry Reconnaissance Via PowerShell Script
id: 064060aa-09fb-4636-817f-020a32aa7e9e
related:
- id: 970007b7-ce32-49d0-a4a4-fbef016950bd
type: similar
status: test
description: Detects PowerShell scripts with potential registry reconnaissance capabilities. Adversaries may interact with the Windows registry to gather information about the system credentials, configuration, and installed software.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1012/T1012.md
author: frack113
date: 2023-07-02
tags:
- attack.discovery
- attack.t1012
- attack.t1007
- detection.threat-hunting
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
# TODO: switch to |re|i: after sigma specification v2 is released
ScriptBlockText|re: '(Get-Item|gci|Get-ChildItem).{1,64}-Path.{1,64}\\(currentcontrolset\\services|CurrentVersion\\Policies\\Explorer\\Run|CurrentVersion\\Run|CurrentVersion\\ShellServiceObjectDelayLoad|CurrentVersion\\Windows\winlogon)\\'
condition: selection
falsepositives:
- Due to the nature of the script block, the matching of the string could sometimes result in a false positive. Use this rule to hunt for potential malicious or suspicious scripts.
level: medium
Convert to SIEM query
Showing 801-850 of 1,440