Tool
EDR / XDR
VMware Carbon Black
1,440 rules · Sigma detections in VMware Carbon Black syntax
The same Sigma detection corpus, machine-rendered into VMware Carbon Black query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 3,646 rules (.zip, 1.2 MB)
Every VMware Carbon Black query in this view, packaged to deploy.
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance12
Resource Development10
Initial Access10
Execution30
Persistence42
Privilege Escalation20
Stealth79
Defense Impairment32
Credential Access35
Discovery33
Lateral Movement16
Collection20
Command and Control24
Exfiltration10
Impact18
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
◈
Detection rules
50 shown of 1,440
medium
Moderate
Medium FP
Add Potential Suspicious New Download Source To Winget
Detects usage of winget to add new potentially suspicious download sources
view Sigma YAML
title: Add Potential Suspicious New Download Source To Winget
id: c15a46a0-07d4-4c87-b4b6-89207835a83b
related:
- id: 05ebafc8-7aa2-4bcd-a269-2aec93f9e842
type: similar
- id: 81a0ecb5-0a41-4ba1-b2ba-c944eb92bfa2
type: similar
status: test
description: Detects usage of winget to add new potentially suspicious download sources
references:
- https://learn.microsoft.com/en-us/windows/package-manager/winget/source
- https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-17
modified: 2023-12-04
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\winget.exe'
- OriginalFileName: 'winget.exe'
selection_cli:
CommandLine|contains|all:
- 'source '
- 'add '
selection_source_direct_ip:
# This is a best effort. A better way to handle this is to limit it via whitelist. Check Group Policy for more details
CommandLine|re: '://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Add Windows Capability Via PowerShell Cmdlet
Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others.
view Sigma YAML
title: Add Windows Capability Via PowerShell Cmdlet
id: b36d01a3-ddaf-4804-be18-18a6247adfcd
related:
- id: 155c7fd5-47b4-49b2-bbeb-eb4fab335429
type: similar
status: test
description: Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others.
references:
- https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell
- https://www.virustotal.com/gui/file/af1c82237b6e5a3a7cdbad82cc498d298c67845d92971bada450023d1335e267/content
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-22
modified: 2023-05-09
tags:
- attack.execution
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_cmdlet:
CommandLine|contains: 'Add-WindowsCapability'
selection_capa:
CommandLine|contains: 'OpenSSH.' # For both "OpenSSH.Server" and "OpenSSH.Client"
condition: all of selection_*
falsepositives:
- Legitimate usage of the capabilities by administrators or users. Add additional filters accordingly.
level: medium
Convert to SIEM query
medium
Moderate
High FP
Add Windows Capability Via PowerShell Script
Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others.
view Sigma YAML
title: Add Windows Capability Via PowerShell Script
id: 155c7fd5-47b4-49b2-bbeb-eb4fab335429
related:
- id: b36d01a3-ddaf-4804-be18-18a6247adfcd
type: similar
status: test
description: Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others.
references:
- https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell
- https://www.virustotal.com/gui/file/af1c82237b6e5a3a7cdbad82cc498d298c67845d92971bada450023d1335e267/content
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-22
modified: 2023-05-09
tags:
- attack.execution
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_cmdlet:
ScriptBlockText|contains: 'Add-WindowsCapability '
selection_capa:
ScriptBlockText|contains: '-Name OpenSSH.' # For both "OpenSSH.Server" and "OpenSSH.Client"
condition: all of selection_*
falsepositives:
- Legitimate usage of the capabilities by administrators or users. Add additional filters accordingly.
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Added Owner To Application
Detects when a new owner is added to an application. This gives that account privileges to make modifications and configuration changes to the application.
view Sigma YAML
title: Added Owner To Application
id: 74298991-9fc4-460e-a92e-511aa60baec1
status: test
description: Detects when a new owner is added to an application. This gives that account privileges to make modifications and configuration changes to the application.
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#new-owner
author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
date: 2022-06-02
tags:
- attack.t1552
- attack.credential-access
logsource:
product: azure
service: auditlogs
detection:
selection:
properties.message: Add owner to application
condition: selection
falsepositives:
- When a new application owner is added by an administrator
level: medium
Convert to SIEM query
medium
Moderate
High FP
AddinUtil.EXE Execution From Uncommon Directory
Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) from a non-standard directory.
view Sigma YAML
title: AddinUtil.EXE Execution From Uncommon Directory
id: 6120ac2a-a34b-42c0-a9bd-1fb9f459f348
status: test
description: Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) from a non-standard directory.
references:
- https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
date: 2023-09-18
modified: 2025-02-24
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\addinutil.exe'
- OriginalFileName: 'AddInUtil.exe'
filter_main_legit_location:
Image|contains:
- ':\Windows\Microsoft.NET\Framework\'
- ':\Windows\Microsoft.NET\Framework64\'
- ':\Windows\Microsoft.NET\FrameworkArm\'
- ':\Windows\Microsoft.NET\FrameworkArm64\'
- ':\Windows\WinSxS\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Advanced IP Scanner - File Event
Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
view Sigma YAML
title: Advanced IP Scanner - File Event
id: fed85bf9-e075-4280-9159-fbe8a023d6fa
related:
- id: bef37fa2-f205-4a7b-b484-0759bfd5f86f
type: derived
status: test
description: Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
references:
- https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
- https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
- https://labs.f-secure.com/blog/prelude-to-ransomware-systembc
- https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf
- https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer
author: '@ROxPinTeddy'
date: 2020-05-12
modified: 2022-11-29
tags:
- attack.discovery
- attack.t1046
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|contains: '\AppData\Local\Temp\Advanced IP Scanner 2'
condition: selection
falsepositives:
- Legitimate administrative use
level: medium
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_advanced_ip_scanner/info.yml
Convert to SIEM query
medium
Strong
Medium FP
AgentExecutor PowerShell Execution
Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument
view Sigma YAML
title: AgentExecutor PowerShell Execution
id: 7efd2c8d-8b18-45b7-947d-adfe9ed04f61
related:
- id: c0b40568-b1e9-4b03-8d6c-b096da6da9ab
type: similar
status: test
description: Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument
author: Nasreddine Bencherchali (Nextron Systems), memory-shards
references:
- https://twitter.com/lefterispan/status/1286259016436514816
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/
- https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension
- https://twitter.com/jseerden/status/1247985304667066373/photo/1
date: 2022-12-24
modified: 2024-08-07
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image: '\AgentExecutor.exe'
- OriginalFileName: 'AgentExecutor.exe'
selection_cli:
# Example:
# AgentExecutor.exe -powershell [scriptPath] [outputFilePath] [errorFilePath] [timeoutFilePath] [timeoutSeconds] [powershellPath] [enforceSignatureCheck] [runAs32BitOn64]
# Note:
# - If [timeoutSeconds] is NULL then it defaults to 60000
# - If [enforceSignatureCheck] is:
# - "NULL" or "1" then a PowerShell instance is spawned with the args: "-NoProfile -executionPolicy allsigned -file "
# - Else a PowerShell instance is spawned with the args: "-NoProfile -executionPolicy bypass -file "
# - [powershellPath] is always concatendated to "powershell.exe"
CommandLine|contains:
- ' -powershell' # Also covers the "-powershellDetection" flag
- ' -remediationScript'
filter_main_intune:
ParentImage|endswith: '\Microsoft.Management.Services.IntuneWindowsAgent.exe'
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Legitimate use via Intune management. You exclude script paths and names to reduce FP rate
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Allow RDP Remote Assistance Feature
Detect enable rdp feature to allow specific user to rdp connect on the targeted machine
view Sigma YAML
title: Allow RDP Remote Assistance Feature
id: 37b437cf-3fc5-4c8e-9c94-1d7c9aff842b
status: test
description: Detect enable rdp feature to allow specific user to rdp connect on the targeted machine
references:
- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
author: frack113
date: 2022-08-19
modified: 2023-08-17
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: 'System\CurrentControlSet\Control\Terminal Server\fAllowToGetHelp'
Details: DWORD (0x00000001)
condition: selection
falsepositives:
- Legitimate use of the feature (alerts should be investigated either way)
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature/info.yml
simulation:
- type: atomic-red-team
name: Allow RDP Remote Assistance Feature
technique: T1112
atomic_guid: 86677d0e-0b5e-4a2b-b302-454175f9aa9e
Convert to SIEM query
medium
Strong
Medium FP
Alternate PowerShell Hosts - PowerShell Module
Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
view Sigma YAML
title: Alternate PowerShell Hosts - PowerShell Module
id: 64e8e417-c19a-475a-8d19-98ea705394cc
status: test
description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
references:
- https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-08-11
modified: 2025-10-17
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection:
ContextInfo|contains: '*'
filter_powershell:
# This filter covers the following use cases
# - When powershell is called directly from commandline via keyword powershell or powershell.exe
# - Or called via path but not with full "".exe". Example: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell
ContextInfo|contains:
- '= powershell' # Host Application=...powershell.exe or Application hote=...powershell.exe in French Win10 event
- '= C:\Windows\System32\WindowsPowerShell\v1.0\powershell'
- '= C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell'
# In some cases powershell was invoked with inverted slashes
- '= C:/Windows/System32/WindowsPowerShell/v1.0/powershell'
- '= C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell'
# In some cases \??\C:.. is used
- '= \\\?\?\C:Windows\System32\WindowsPowerShell\v1.0\powershell'
- '= \\\?\?\C:Windows\SysWOW64\WindowsPowerShell\v1.0\powershell'
filter_sdiagnhost:
ContextInfo|contains: '= C:\WINDOWS\System32\sdiagnhost.exe -Embedding' # When MSDT is launched for example
filter_citrix:
ContextInfo|contains: 'ConfigSyncRun.exe'
filter_adace: # Active Directory Administrative Center Enhancements
ContextInfo|contains: 'C:\Windows\system32\dsac.exe'
filter_winrm:
ContextInfo|contains: 'C:\Windows\system32\wsmprovhost.exe -Embedding'
filter_help_update:
Payload|contains:
- 'Update-Help'
- 'Failed to update Help for the module'
condition: selection and not 1 of filter_*
falsepositives:
- Programs using PowerShell directly without invocation of a dedicated interpreter
- MSP Detection Searcher
- Citrix ConfigSync.ps1
level: medium
Convert to SIEM query
medium
Moderate
High FP
Always Install Elevated MSI Spawned Cmd And Powershell
Detects Windows Installer service (msiexec.exe) spawning "cmd" or "powershell"
view Sigma YAML
title: Always Install Elevated MSI Spawned Cmd And Powershell
id: 1e53dd56-8d83-4eb4-a43e-b790a05510aa
status: test
description: Detects Windows Installer service (msiexec.exe) spawning "cmd" or "powershell"
references:
- https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-50-638.jpg
author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
date: 2020-10-13
modified: 2022-10-20
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'Cmd.Exe'
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_parent:
ParentImage|contains|all:
- '\Windows\Installer\'
- 'msi'
ParentImage|endswith: 'tmp'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Always Install Elevated Windows Installer
Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege
view Sigma YAML
title: Always Install Elevated Windows Installer
id: cd951fdc-4b2f-47f5-ba99-a33bf61e3770
status: test
description: Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege
references:
- https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg
author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
date: 2020-10-13
modified: 2024-12-01
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
product: windows
category: process_creation
detection:
selection_user:
User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
selection_image_1:
Image|contains|all:
- '\Windows\Installer\'
- 'msi'
Image|endswith: 'tmp'
selection_image_2:
Image|endswith: '\msiexec.exe'
IntegrityLevel:
- 'System'
- 'S-1-16-16384'
filter_installer:
ParentImage: 'C:\Windows\System32\services.exe'
filter_repair:
- CommandLine|endswith: '\system32\msiexec.exe /V' # ignore "repair option"
- ParentCommandLine|endswith: '\system32\msiexec.exe /V' # ignore "repair option"
filter_sophos:
ParentImage|startswith: 'C:\ProgramData\Sophos\'
filter_avira:
ParentImage|startswith: 'C:\ProgramData\Avira\'
filter_avast:
ParentImage|startswith:
- 'C:\Program Files\Avast Software\'
- 'C:\Program Files (x86)\Avast Software\'
filter_google_update:
ParentImage|startswith:
- 'C:\Program Files\Google\Update\'
- 'C:\Program Files (x86)\Google\Update\'
condition: 1 of selection_image_* and selection_user and not 1 of filter_*
falsepositives:
- System administrator usage
- Anti virus products
- WindowsApps located in "C:\Program Files\WindowsApps\"
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Amsi.DLL Loaded Via LOLBIN Process
Detects loading of "Amsi.dll" by a living of the land process. This could be an indication of a "PowerShell without PowerShell" attack
view Sigma YAML
title: Amsi.DLL Loaded Via LOLBIN Process
id: 6ec86d9e-912e-4726-91a2-209359b999b9
status: test
description: Detects loading of "Amsi.dll" by a living of the land process. This could be an indication of a "PowerShell without PowerShell" attack
references:
- Internal Research
- https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-01
modified: 2025-10-07
tags:
- attack.defense-impairment
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\amsi.dll'
Image|endswith:
# TODO: Add more interesting processes
- '\ExtExport.exe'
- '\odbcconf.exe'
# - '\regsvr32.exe' # legitimately calls amsi.dll
- '\rundll32.exe'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Anydesk Remote Access Software Service Installation
Detects the installation of the anydesk software service. Which could be an indication of anydesk abuse if you the software isn't already used.
view Sigma YAML
title: Anydesk Remote Access Software Service Installation
id: 530a6faa-ff3d-4022-b315-50828e77eef5
status: test
description: Detects the installation of the anydesk software service. Which could be an indication of anydesk abuse if you the software isn't already used.
references:
- https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
- https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/
author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2022-08-11
modified: 2025-02-24
tags:
- attack.persistence
logsource:
product: windows
service: system
detection:
selection_provider:
Provider_Name: 'Service Control Manager'
EventID: 7045
selection_service:
- ServiceName|contains|all:
- 'AnyDesk' # Covers both AnyDesk Service and AnyDesk MSI Service
- 'Service'
- ImagePath|contains: 'AnyDesk'
condition: all of selection_*
falsepositives:
- Legitimate usage of the anydesk tool
level: medium
Convert to SIEM query
medium
Moderate
High FP
Anydesk Temporary Artefact
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
view Sigma YAML
title: Anydesk Temporary Artefact
id: 0b9ad457-2554-44c1-82c2-d56a99c42377
status: test
description: |
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows
author: frack113
date: 2022-02-11
modified: 2024-07-20
tags:
- attack.command-and-control
- attack.t1219.002
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|contains:
- '\AppData\Roaming\AnyDesk\user.conf'
- '\AppData\Roaming\AnyDesk\system.conf'
condition: selection
falsepositives:
- Legitimate use
level: medium
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_anydesk_artefact/info.yml
Convert to SIEM query
medium
Moderate
Medium FP
Apache Threading Error
Detects an issue in apache logs that reports threading related errors
view Sigma YAML
title: Apache Threading Error
id: e9a2b582-3f6a-48ac-b4a1-6849cdc50b3c
status: test
description: Detects an issue in apache logs that reports threading related errors
references:
- https://github.com/hannob/apache-uaf/blob/da40f2be3684c8095ec6066fa68eb5c07a086233/README.md
author: Florian Roth (Nextron Systems)
date: 2019-01-22
modified: 2021-11-27
tags:
- attack.initial-access
- attack.lateral-movement
- attack.t1190
- attack.t1210
logsource:
service: apache
definition: 'Requirements: Must be able to collect the error.log file'
detection:
keywords:
- '__pthread_tpp_change_priority: Assertion `new_prio == -1 || (new_prio >= fifo_min_prio && new_prio <= fifo_max_prio)'
condition: keywords
falsepositives:
- 3rd party apache modules - https://bz.apache.org/bugzilla/show_bug.cgi?id=46185
level: medium
Convert to SIEM query
medium
Moderate
Low FP
App Assigned To Azure RBAC/Microsoft Entra Role
Detects when an app is assigned Azure AD roles, such as global administrator, or Azure RBAC roles, such as subscription owner.
view Sigma YAML
title: App Assigned To Azure RBAC/Microsoft Entra Role
id: b04934b2-0a68-4845-8a19-bdfed3a68a7a
status: test
description: Detects when an app is assigned Azure AD roles, such as global administrator, or Azure RBAC roles, such as subscription owner.
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#service-principal-assigned-to-a-role
author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
date: 2022-07-19
modified: 2024-11-04
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1098.003
logsource:
product: azure
service: auditlogs
detection:
selection:
targetResources.type: 'Service Principal'
properties.message:
- Add member to role
- Add eligible member to role
- Add scoped member to role
condition: selection
falsepositives:
- When the permission is legitimately needed for the app
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
AppLocker Prevented Application or Script from Running
Detects when AppLocker prevents the execution of an Application, DLL, Script, MSI, or Packaged-App from running.
view Sigma YAML
title: AppLocker Prevented Application or Script from Running
id: 401e5d00-b944-11ea-8f9a-00163ecd60ae
status: test
description: |
Detects when AppLocker prevents the execution of an Application, DLL, Script, MSI, or Packaged-App from running.
references:
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker
- https://nxlog.co/documentation/nxlog-user-guide/applocker.html
author: Pushkarev Dmitry
date: 2020-06-28
modified: 2025-12-03
tags:
- attack.execution
- attack.t1204.002
- attack.t1059.001
- attack.t1059.003
- attack.t1059.005
- attack.t1059.006
- attack.t1059.007
logsource:
product: windows
service: applocker
detection:
selection:
EventID:
- 8004 # EXE and DLL
- 8007 # MSI and Script
- 8022 # Packaged app execution
- 8025 # Packaged app deployment
condition: selection
falsepositives:
- Unlikely, since this event notifies about blocked application execution. Tune your applocker rules to avoid blocking legitimate applications.
level: medium
Convert to SIEM query
medium
Strong
Medium FP
AppX Located in Uncommon Directory Added to Deployment Pipeline
Detects an appx package that was added to the pipeline of the "to be processed" packages that is located in uncommon locations.
view Sigma YAML
title: AppX Located in Uncommon Directory Added to Deployment Pipeline
id: c977cb50-3dff-4a9f-b873-9290f56132f1
status: test
description: |
Detects an appx package that was added to the pipeline of the "to be processed" packages that is located in uncommon locations.
references:
- Internal Research
- https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
- https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
- https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-11
modified: 2025-12-03
tags:
- attack.stealth
logsource:
product: windows
service: appxdeployment-server
detection:
selection:
EventID: 854
filter_main_generic:
Path|contains:
# Paths can be written using forward slash if the "file://" protocol is used
- ':/Program%20Files' # Also covers 'file:///C:/Program%20Files%20(x86)/'
- ':/Windows/System32/'
- ':\Program Files (x86)\'
- ':\Program Files\'
- ':\Windows\ImmersiveControlPanel\'
- ':\Windows\PrintDialog\'
- ':\Windows\SystemApps\'
- 'AppData/Local/Temp/WinGet/Microsoft.Winget.Source'
- 'x-windowsupdate://'
filter_main_specific:
Path|contains:
- 'https://installer.teams.static.microsoft/'
- 'https://res.cdn.office.net' # Example https://res.cdn.office.net/nativehost/5mttl/installer/v2/1.2025.617.100/Microsoft.OutlookForWindows_x64.msix
- 'https://statics.teams.cdn.live.net/'
- 'https://statics.teams.cdn.office.net/'
- 'microsoft.com' # Example: https://go.microsoft.com/fwlink/?linkid=2160968
filter_optional_onedrive:
Path|contains: 'AppData\Local\Microsoft\OneDrive\'
filter_optional_winget:
Path|contains:
- 'AppData/Local/Temp/WinGet/Microsoft.Winget.Source'
- 'AppData\Local\Temp\WinGet\Microsoft.Winget.Source'
filter_optional_x_windowsupdate:
Path|contains: 'x-windowsupdate://'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Low FP
AppX Package Deployment Failed Due to Signing Requirements
Detects an appx package deployment / installation with the error code "0x80073cff" which indicates that the package didn't meet the signing requirements.
view Sigma YAML
title: AppX Package Deployment Failed Due to Signing Requirements
id: 898d5fc9-fbc3-43de-93ad-38e97237c344
status: test
description: |
Detects an appx package deployment / installation with the error code "0x80073cff" which indicates that the package didn't meet the signing requirements.
references:
- https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
- https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
- https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-11
modified: 2025-12-03
tags:
- attack.stealth
logsource:
product: windows
service: appxdeployment-server
detection:
selection:
EventID: 401
ErrorCode: '0x80073cff' # Check ref section to learn more about this error code
condition: selection
falsepositives:
- Legitimate AppX packages not signed by MS used part of an enterprise.
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
AppX Package Installation Attempts Via AppInstaller.EXE
Detects DNS queries made by "AppInstaller.EXE". The AppInstaller is the default handler for the "ms-appinstaller" URI. It attempts to load/install a package from the referenced URL
view Sigma YAML
title: AppX Package Installation Attempts Via AppInstaller.EXE
id: 7cff77e1-9663-46a3-8260-17f2e1aa9d0a
related:
- id: 180c7c5c-d64b-4a63-86e9-68910451bc8b
type: derived
status: test
description: |
Detects DNS queries made by "AppInstaller.EXE". The AppInstaller is the default handler for the "ms-appinstaller" URI. It attempts to load/install a package from the referenced URL
references:
- https://twitter.com/notwhickey/status/1333900137232523264
- https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/
author: frack113
date: 2021-11-24
modified: 2023-11-09
tags:
- attack.command-and-control
- attack.t1105
logsource:
product: windows
category: dns_query
detection:
selection:
Image|startswith: 'C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_'
Image|endswith: '\AppInstaller.exe'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Application Removed Via Wmic.EXE
Detects the removal or uninstallation of an application via "Wmic.EXE".
view Sigma YAML
title: Application Removed Via Wmic.EXE
id: b53317a0-8acf-4fd1-8de8-a5401e776b96
related:
- id: 847d5ff3-8a31-4737-a970-aeae8fe21765 # Uninstall Security Products
type: derived
status: test
description: Detects the removal or uninstallation of an application via "Wmic.EXE".
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-10---application-uninstall-using-wmic
author: frack113
date: 2022-01-28
modified: 2024-07-02
tags:
- attack.execution
- attack.t1047
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\WMIC.exe'
- OriginalFileName: 'wmic.exe'
selection_cli:
CommandLine|contains|all:
- 'call'
- 'uninstall'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Application Terminated Via Wmic.EXE
Detects calls to the "terminate" function via wmic in order to kill an application
view Sigma YAML
title: Application Terminated Via Wmic.EXE
id: 49d9671b-0a0a-4c09-8280-d215bfd30662
related:
- id: 847d5ff3-8a31-4737-a970-aeae8fe21765 # Uninstall Security Products
type: derived
status: test
description: Detects calls to the "terminate" function via wmic in order to kill an application
references:
- https://cyble.com/blog/lockfile-ransomware-using-proxyshell-attack-to-deploy-ransomware/
- https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-11
tags:
- attack.execution
- attack.t1047
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\WMIC.exe'
- OriginalFileName: 'wmic.exe'
selection_cli:
CommandLine|contains|all:
- 'call'
- 'terminate'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Application Using Device Code Authentication Flow
Device code flow is an OAuth 2.0 protocol flow specifically for input constrained devices and is not used in all environments.
If this type of flow is seen in the environment and not being used in an input constrained device scenario, further investigation is warranted.
This can be a misconfigured application or potentially something malicious.
view Sigma YAML
title: Application Using Device Code Authentication Flow
id: 248649b7-d64f-46f0-9fb2-a52774166fb5
status: test
description: |
Device code flow is an OAuth 2.0 protocol flow specifically for input constrained devices and is not used in all environments.
If this type of flow is seen in the environment and not being used in an input constrained device scenario, further investigation is warranted.
This can be a misconfigured application or potentially something malicious.
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-authentication-flows
author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
date: 2022-06-01
tags:
- attack.stealth
- attack.t1078
- attack.persistence
- attack.privilege-escalation
- attack.initial-access
logsource:
product: azure
service: signinlogs
detection:
selection:
properties.message: Device Code
condition: selection
falsepositives:
- Applications that are input constrained will need to use device code flow and are valid authentications.
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Applications That Are Using ROPC Authentication Flow
Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly.
The application then uses those credentials to authenticate the user against the identity provider.
view Sigma YAML
title: Applications That Are Using ROPC Authentication Flow
id: 55695bc0-c8cf-461f-a379-2535f563c854
status: test
description: |
Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly.
The application then uses those credentials to authenticate the user against the identity provider.
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-authentication-flows
author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
date: 2022-06-01
tags:
- attack.stealth
- attack.t1078
- attack.persistence
- attack.privilege-escalation
- attack.initial-access
logsource:
product: azure
service: signinlogs
detection:
selection:
properties.message: ROPC
condition: selection
falsepositives:
- Applications that are being used as part of automated testing or a legacy application that cannot use any other modern authentication flow
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Arbitrary Command Execution Using WSL
Detects potential abuse of Windows Subsystem for Linux (WSL) binary as a Living of the Land binary in order to execute arbitrary Linux or Windows commands.
view Sigma YAML
title: Arbitrary Command Execution Using WSL
id: dec44ca7-61ad-493c-bfd7-8819c5faa09b
related:
- id: 2267fe65-0681-42ad-9a6d-46553d3f3480 # Generic susp child processes rules
type: similar
status: test
description: |
Detects potential abuse of Windows Subsystem for Linux (WSL) binary as a Living of the Land binary in order to execute arbitrary Linux or Windows commands.
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/
- https://twitter.com/nas_bench/status/1535431474429808642
author: oscd.community, Zach Stanford @svch0st, Nasreddine Bencherchali (Nextron Systems)
date: 2020-10-05
modified: 2023-04-12
tags:
- attack.execution
- attack.stealth
- attack.t1218
- attack.t1202
- detection.threat-hunting
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\wsl.exe'
- OriginalFileName: 'wsl.exe'
selection_cli:
CommandLine|contains:
- ' -e '
- ' --exec'
- ' --system'
- ' --shell-type '
- ' /mnt/c' # Path to mounted "C:\" partition (Indication of running Windows binaries via WSL)
- ' --user root'
- ' -u root'
- '--debug-shell'
filter_main_kill:
# This filter is to handle a FP that occurs when a process is spawned from WSL and then closed by the user
# Example would be to open VsCode through it's server extension from WSL
# GrandparentCommandLine: "C:\Users\XXX\AppData\Local\Programs\Microsoft VS Code\Code.exe" --ms-enable-electron-run-as-node c:\Users\XXX\.vscode\extensions\ms-vscode-remote.remote-wsl-0.72.0\dist\wslDaemon.js
# ParentCommandLine: C:\WINDOWS\system32\cmd.exe /d /s /c "C:\WINDOWS\System32\wsl.exe -d Ubuntu-20.04 -e kill 1366"
# CommandLine: C:\WINDOWS\System32\wsl.exe -d Ubuntu-20.04 -e kill 1366
ParentImage|endswith: '\cmd.exe'
CommandLine|contains|all:
- ' -d '
- ' -e kill '
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Automation and orchestration scripts may use this method to execute scripts etc.
- Legitimate use by Windows to kill processes opened via WSL (example VsCode WSL server)
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
Detects execution of arbitrary DLLs or unsigned code via a ".csproj" files via Dotnet.EXE.
view Sigma YAML
title: Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
id: d80d5c81-04ba-45b4-84e4-92eba40e0ad3
status: test
description: Detects execution of arbitrary DLLs or unsigned code via a ".csproj" files via Dotnet.EXE.
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/
- https://twitter.com/_felamos/status/1204705548668555264
- https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/
author: Beyu Denis, oscd.community
date: 2020-10-18
modified: 2025-10-08
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\dotnet.exe'
- OriginalFileName: '.NET Host'
selection_cli:
CommandLine|endswith:
- '.csproj'
- '.csproj"'
- '.dll'
- '.dll"'
- ".csproj'"
- ".dll'"
filter_optional_notepadplus_plus:
ParentImage:
- 'C:\Program Files (x86)\Notepad++\notepad++.exe'
- 'C:\Program Files\Notepad++\notepad++.exe'
CommandLine|contains|all:
- 'C:\ProgramData\CSScriptNpp\'
- '-cscs_path:'
- '\cs-script\cscs.dll'
condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
- Legitimate administrator usage
level: medium
Convert to SIEM query
medium
Moderate
High FP
Arbitrary File Download Via ConfigSecurityPolicy.EXE
Detects the execution of "ConfigSecurityPolicy.EXE", a binary part of Windows Defender used to manage settings in Windows Defender.
Users can configure different pilot collections for each of the co-management workloads.
It can be abused by attackers in order to upload or download files.
view Sigma YAML
title: Arbitrary File Download Via ConfigSecurityPolicy.EXE
id: 1f0f6176-6482-4027-b151-00071af39d7e
status: test
description: |
Detects the execution of "ConfigSecurityPolicy.EXE", a binary part of Windows Defender used to manage settings in Windows Defender.
Users can configure different pilot collections for each of the co-management workloads.
It can be abused by attackers in order to upload or download files.
references:
- https://lolbas-project.github.io/lolbas/Binaries/ConfigSecurityPolicy/
author: frack113
date: 2021-11-26
modified: 2022-05-16
tags:
- attack.exfiltration
- attack.t1567
logsource:
category: process_creation
product: windows
detection:
selection_img:
- CommandLine|contains: ConfigSecurityPolicy.exe
- Image|endswith: '\ConfigSecurityPolicy.exe'
- OriginalFileName: 'ConfigSecurityPolicy.exe'
selection_url:
CommandLine|contains:
- 'ftp://'
- 'http://'
- 'https://'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Arbitrary File Download Via GfxDownloadWrapper.EXE
Detects execution of GfxDownloadWrapper.exe with a URL as an argument to download file.
view Sigma YAML
title: Arbitrary File Download Via GfxDownloadWrapper.EXE
id: eee00933-a761-4cd0-be70-c42fe91731e7
status: test
description: Detects execution of GfxDownloadWrapper.exe with a URL as an argument to download file.
references:
- https://lolbas-project.github.io/lolbas/HonorableMentions/GfxDownloadWrapper/
author: Victor Sergeev, oscd.community
date: 2020-10-09
modified: 2023-10-18
tags:
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\GfxDownloadWrapper.exe'
CommandLine|contains:
- 'http://'
- 'https://'
filter_main_known_urls:
CommandLine|contains: 'https://gameplayapi.intel.com/'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Arbitrary File Download Via MSEDGE_PROXY.EXE
Detects usage of "msedge_proxy.exe" to download arbitrary files
view Sigma YAML
title: Arbitrary File Download Via MSEDGE_PROXY.EXE
id: e84d89c4-f544-41ca-a6af-4b92fd38b023
status: test
description: Detects usage of "msedge_proxy.exe" to download arbitrary files
references:
- https://lolbas-project.github.io/lolbas/Binaries/msedge_proxy/
author: Swachchhanda Shrawan Poudel
date: 2023-11-09
tags:
- attack.execution
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\msedge_proxy.exe'
- OriginalFileName: 'msedge_proxy.exe'
selection_cli:
CommandLine|contains:
- 'http://'
- 'https://'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Arbitrary File Download Via MSOHTMED.EXE
Detects usage of "MSOHTMED" to download arbitrary files
view Sigma YAML
title: Arbitrary File Download Via MSOHTMED.EXE
id: 459f2f98-397b-4a4a-9f47-6a5ec2f1c69d
status: test
description: Detects usage of "MSOHTMED" to download arbitrary files
references:
- https://github.com/LOLBAS-Project/LOLBAS/pull/238/files
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-19
modified: 2023-11-09
tags:
- attack.execution
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\MSOHTMED.exe'
- OriginalFileName: 'MsoHtmEd.exe'
selection_cli:
CommandLine|contains:
- 'ftp://'
- 'http://'
- 'https://'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Arbitrary File Download Via MSPUB.EXE
Detects usage of "MSPUB" (Microsoft Publisher) to download arbitrary files
view Sigma YAML
title: Arbitrary File Download Via MSPUB.EXE
id: 3b3c7f55-f771-4dd6-8a6e-08d057a17caf
status: test
description: Detects usage of "MSPUB" (Microsoft Publisher) to download arbitrary files
references:
- https://github.com/LOLBAS-Project/LOLBAS/pull/238/files
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-19
modified: 2023-02-08
tags:
- attack.execution
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\MSPUB.exe'
- OriginalFileName: 'MSPUB.exe'
selection_cli:
CommandLine|contains:
- 'ftp://'
- 'http://'
- 'https://'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Arbitrary File Download Via PresentationHost.EXE
Detects usage of "PresentationHost" which is a utility that runs ".xbap" (Browser Applications) files to download arbitrary files
view Sigma YAML
title: Arbitrary File Download Via PresentationHost.EXE
id: b124ddf4-778d-418e-907f-6dd3fc0d31cd
status: test
description: Detects usage of "PresentationHost" which is a utility that runs ".xbap" (Browser Applications) files to download arbitrary files
references:
- https://github.com/LOLBAS-Project/LOLBAS/pull/239/files
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-19
modified: 2023-11-09
tags:
- attack.execution
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\presentationhost.exe'
- OriginalFileName: 'PresentationHost.exe'
selection_cli:
CommandLine|contains:
- 'http://'
- 'https://'
- 'ftp://'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Arbitrary File Download Via Squirrel.EXE
Detects the usage of the "Squirrel.exe" to download arbitrary files. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)
view Sigma YAML
title: Arbitrary File Download Via Squirrel.EXE
id: 1e75c1cc-c5d4-42aa-ac3d-91b0b68b3b4c
related:
- id: 45239e6a-b035-4aaf-b339-8ad379fcb67e
type: similar
- id: fa4b21c9-0057-4493-b289-2556416ae4d7
type: obsolete
status: test
description: |
Detects the usage of the "Squirrel.exe" to download arbitrary files. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/
- http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/
- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
author: Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community
date: 2022-06-09
modified: 2023-11-09
tags:
- attack.execution
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith:
- '\squirrel.exe'
- '\update.exe'
selection_download_cli:
CommandLine|contains:
- ' --download '
- ' --update '
- ' --updateRollback='
selection_download_http_keyword:
CommandLine|contains: 'http'
condition: all of selection_*
falsepositives:
- Expected FP with some Electron based applications such as (1Clipboard, Beaker Browser, Caret, Discord, GitHub Desktop, etc.)
level: medium
Convert to SIEM query
medium
Moderate
High FP
Arbitrary MSI Download Via Devinit.EXE
Detects a certain command line flag combination used by "devinit.exe", which can be abused as a LOLBIN to download arbitrary MSI packages on a Windows system
view Sigma YAML
title: Arbitrary MSI Download Via Devinit.EXE
id: 90d50722-0483-4065-8e35-57efaadd354d
status: test
description: Detects a certain command line flag combination used by "devinit.exe", which can be abused as a LOLBIN to download arbitrary MSI packages on a Windows system
references:
- https://twitter.com/mrd0x/status/1460815932402679809
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devinit/
author: Florian Roth (Nextron Systems)
date: 2022-01-11
modified: 2023-04-06
tags:
- attack.execution
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- ' -t msi-install '
- ' -i http'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Arbitrary Shell Command Execution Via Settingcontent-Ms
The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.
view Sigma YAML
title: Arbitrary Shell Command Execution Via Settingcontent-Ms
id: 24de4f3b-804c-4165-b442-5a06a2302c7e
status: test
description: The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.
references:
- https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39
author: Sreeman
date: 2020-03-13
modified: 2022-04-14
tags:
- attack.t1204
- attack.t1566.001
- attack.execution
- attack.initial-access
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: '.SettingContent-ms'
filter:
CommandLine|contains: 'immersivecontrolpanel'
condition: selection and not filter
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
AspNetCompiler Execution
Detects execution of "aspnet_compiler.exe" which can be abused to compile and execute C# code.
view Sigma YAML
title: AspNetCompiler Execution
id: a01b8329-5953-4f73-ae2d-aa01e1f35f00 # Exec
related:
- id: 9ccba514-7cb6-4c5c-b377-700758f2f120 # SuspChild
type: similar
- id: 4c7f49ee-2638-43bb-b85b-ce676c30b260 # TMP File
type: similar
- id: 9f50fe98-fe5c-4a2d-86c7-fad7f63ed622 # Susp Paths
type: similar
status: test
description: Detects execution of "aspnet_compiler.exe" which can be abused to compile and execute C# code.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/
- https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/
author: frack113
date: 2021-11-24
modified: 2025-02-24
tags:
- attack.execution
- attack.stealth
- attack.t1127
logsource:
category: process_creation
product: windows
detection:
selection:
Image|contains:
- ':\Windows\Microsoft.NET\Framework\'
- ':\Windows\Microsoft.NET\Framework64\'
- ':\Windows\Microsoft.NET\FrameworkArm\'
- ':\Windows\Microsoft.NET\FrameworkArm64\'
Image|endswith: '\aspnet_compiler.exe'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Assembly DLL Creation Via AspNetCompiler
Detects the creation of new DLL assembly files by "aspnet_compiler.exe", which could be a sign of "aspnet_compiler" abuse to proxy execution through a build provider.
view Sigma YAML
title: Assembly DLL Creation Via AspNetCompiler
id: 4c7f49ee-2638-43bb-b85b-ce676c30b260 # TMP File
related:
- id: 9ccba514-7cb6-4c5c-b377-700758f2f120 # SuspChild
type: similar
- id: 9f50fe98-fe5c-4a2d-86c7-fad7f63ed622 # Susp Paths
type: similar
- id: a01b8329-5953-4f73-ae2d-aa01e1f35f00 # Exec
type: similar
status: test
description: |
Detects the creation of new DLL assembly files by "aspnet_compiler.exe", which could be a sign of "aspnet_compiler" abuse to proxy execution through a build provider.
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-14
tags:
- attack.execution
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith: '\aspnet_compiler.exe'
TargetFilename|contains|all:
- '\Temporary ASP.NET Files\'
- '\assembly\tmp\'
- '.dll'
condition: selection
falsepositives:
- Legitimate assembly compilation using a build provider
level: medium
Convert to SIEM query
medium
Moderate
High FP
Assembly Loading Via CL_LoadAssembly.ps1
Detects calls to "LoadAssemblyFromPath" or "LoadAssemblyFromNS" that are part of the "CL_LoadAssembly.ps1" script. This can be abused to load different assemblies and bypass App locker controls.
view Sigma YAML
title: Assembly Loading Via CL_LoadAssembly.ps1
id: c57872c7-614f-4d7f-a40d-b78c8df2d30d
status: test
description: Detects calls to "LoadAssemblyFromPath" or "LoadAssemblyFromNS" that are part of the "CL_LoadAssembly.ps1" script. This can be abused to load different assemblies and bypass App locker controls.
references:
- https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/
- https://lolbas-project.github.io/lolbas/Scripts/CL_LoadAssembly/
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-05-21
modified: 2023-08-17
tags:
- attack.stealth
- attack.t1216
logsource:
category: process_creation
product: windows
detection:
selection:
# Note: As this function is usually called from within powershell, classical process creation even would not catch it. This will only catch inline calls via "-Command" or "-ScriptBlock" flags for example.
CommandLine|contains:
- 'LoadAssemblyFromPath '
- 'LoadAssemblyFromNS '
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Atbroker Registry Change
Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'
view Sigma YAML
title: Atbroker Registry Change
id: 9577edbb-851f-4243-8c91-1d5b50c1a39b
status: test
description: Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'
references:
- http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
- https://lolbas-project.github.io/lolbas/Binaries/Atbroker/
author: Mateusz Wydra, oscd.community
date: 2020-10-13
modified: 2023-01-19
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1218
- attack.persistence
- attack.t1547
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|contains:
- 'Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs'
- 'Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration'
filter_atbroker:
Image: 'C:\Windows\system32\atbroker.exe'
TargetObject|contains: '\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration'
Details: '(Empty)'
filter_uninstallers:
Image|startswith: 'C:\Windows\Installer\MSI'
TargetObject|contains: 'Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs'
condition: selection and not 1 of filter_*
falsepositives:
- Creation of non-default, legitimate at usage
level: medium
Convert to SIEM query
medium
Moderate
High FP
Audio Capture via PowerShell
Detects audio capture via PowerShell Cmdlet.
view Sigma YAML
title: Audio Capture via PowerShell
id: 932fb0d8-692b-4b0f-a26e-5643a50fe7d6
status: test
description: Detects audio capture via PowerShell Cmdlet.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md
- https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html
- https://github.com/frgnca/AudioDeviceCmdlets
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2019-10-24
modified: 2023-04-06
tags:
- attack.collection
- attack.t1123
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- 'WindowsAudioDevice-Powershell-Cmdlet'
- 'Toggle-AudioDevice'
- 'Get-AudioDevice '
- 'Set-AudioDevice '
- 'Write-AudioDevice '
condition: selection
falsepositives:
- Legitimate audio capture by legitimate user.
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Audio Capture via SoundRecorder
Detect attacker collecting audio via SoundRecorder application.
view Sigma YAML
title: Audio Capture via SoundRecorder
id: 83865853-59aa-449e-9600-74b9d89a6d6e
status: test
description: Detect attacker collecting audio via SoundRecorder application.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md
- https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
date: 2019-10-24
modified: 2021-11-27
tags:
- attack.collection
- attack.t1123
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\SoundRecorder.exe'
CommandLine|contains: '/FILE'
condition: selection
falsepositives:
- Legitimate audio capture by legitimate user.
level: medium
Convert to SIEM query
medium
Moderate
Low FP
Authentications To Important Apps Using Single Factor Authentication
Detect when authentications to important application(s) only required single-factor authentication
view Sigma YAML
title: Authentications To Important Apps Using Single Factor Authentication
id: f272fb46-25f2-422c-b667-45837994980f
status: test
description: Detect when authentications to important application(s) only required single-factor authentication
references:
- https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts
author: MikeDuddington, '@dudders1'
date: 2022-07-28
tags:
- attack.privilege-escalation
- attack.persistence
- attack.initial-access
- attack.stealth
- attack.t1078
logsource:
product: azure
service: signinlogs
detection:
selection:
Status: 'Success'
AppId: 'Insert Application ID use OR for multiple'
AuthenticationRequirement: 'singleFactorAuthentication'
condition: selection
falsepositives:
- If this was approved by System Administrator.
level: medium
Convert to SIEM query
medium
Moderate
High FP
Automated Collection Command PowerShell
Once established within a system or network, an adversary may use automated techniques for collecting internal data.
view Sigma YAML
title: Automated Collection Command PowerShell
id: c1dda054-d638-4c16-afc8-53e007f3fbc5
status: test
description: Once established within a system or network, an adversary may use automated techniques for collecting internal data.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md
author: frack113
date: 2021-07-28
modified: 2022-12-25
tags:
- attack.collection
- attack.t1119
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_ext:
ScriptBlockText|contains:
- '.doc'
- '.docx'
- '.xls'
- '.xlsx'
- '.ppt'
- '.pptx'
- '.rtf'
- '.pdf'
- '.txt'
selection_cmd:
ScriptBlockText|contains|all:
- 'Get-ChildItem'
- ' -Recurse '
- ' -Include '
condition: all of selection*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Automated Collection Command Prompt
Once established within a system or network, an adversary may use automated techniques for collecting internal data.
view Sigma YAML
title: Automated Collection Command Prompt
id: f576a613-2392-4067-9d1a-9345fb58d8d1
status: test
description: Once established within a system or network, an adversary may use automated techniques for collecting internal data.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
author: frack113
date: 2021-07-28
modified: 2022-11-11
tags:
- attack.collection
- attack.t1119
- attack.credential-access
- attack.t1552.001
logsource:
category: process_creation
product: windows
detection:
selection_ext:
CommandLine|contains:
- '.doc'
- '.docx'
- '.xls'
- '.xlsx'
- '.ppt'
- '.pptx'
- '.rtf'
- '.pdf'
- '.txt'
selection_other_dir:
CommandLine|contains|all:
- 'dir '
- ' /b '
- ' /s '
selection_other_findstr:
OriginalFileName: 'FINDSTR.EXE'
CommandLine|contains:
- ' /e '
- ' /si '
condition: selection_ext and 1 of selection_other_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Low FP
Azure AD Health Monitoring Agent Registry Keys Access
This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.
This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.
view Sigma YAML
title: Azure AD Health Monitoring Agent Registry Keys Access
id: ff151c33-45fa-475d-af4f-c2f93571f4fe
status: test
description: |
This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.
This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.
references:
- https://o365blog.com/post/hybridhealthagent/
- https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_monitoring_agent.yml
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021-08-26
modified: 2022-10-09
tags:
- attack.discovery
- attack.t1012
logsource:
product: windows
service: security
detection:
selection:
EventID:
- 4656
- 4663
ObjectType: 'Key'
ObjectName: '\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent'
filter:
ProcessName|contains:
- 'Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe'
- 'Microsoft.Identity.Health.Adfs.InsightsService.exe'
- 'Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe'
- 'Microsoft.Identity.Health.Adfs.PshSurrogate.exe'
- 'Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe'
condition: selection and not filter
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Low FP
Azure AD Health Service Agents Registry Keys Access
This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).
Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).
This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent.
Make sure you set the SACL to propagate to its sub-keys.
view Sigma YAML
title: Azure AD Health Service Agents Registry Keys Access
id: 1d2ab8ac-1a01-423b-9c39-001510eae8e8
status: test
description: |
This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).
Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).
This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent.
Make sure you set the SACL to propagate to its sub-keys.
references:
- https://o365blog.com/post/hybridhealthagent/
- https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_service_agent.yml
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021-08-26
modified: 2022-10-09
tags:
- attack.discovery
- attack.t1012
logsource:
product: windows
service: security
detection:
selection:
EventID:
- 4656
- 4663
ObjectType: 'Key'
ObjectName: '\REGISTRY\MACHINE\SOFTWARE\Microsoft\ADHealthAgent'
filter:
ProcessName|contains:
- 'Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe'
- 'Microsoft.Identity.Health.Adfs.InsightsService.exe'
- 'Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe'
- 'Microsoft.Identity.Health.Adfs.PshSurrogate.exe'
- 'Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe'
condition: selection and not filter
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Low FP
Azure Active Directory Hybrid Health AD FS New Server
This detection uses azureactivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.
A threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.
This can be done programmatically via HTTP requests to Azure.
view Sigma YAML
title: Azure Active Directory Hybrid Health AD FS New Server
id: 288a39fc-4914-4831-9ada-270e9dc12cb4
status: test
description: |
This detection uses azureactivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.
A threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.
This can be done programmatically via HTTP requests to Azure.
references:
- https://o365blog.com/post/hybridhealthagent/
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021-08-26
modified: 2023-10-11
tags:
- attack.defense-impairment
- attack.t1578
logsource:
product: azure
service: activitylogs
detection:
selection:
CategoryValue: 'Administrative'
ResourceProviderValue: 'Microsoft.ADHybridHealthService'
ResourceId|contains: 'AdFederationService'
OperationNameValue: 'Microsoft.ADHybridHealthService/services/servicemembers/action'
condition: selection
falsepositives:
- Legitimate AD FS servers added to an AAD Health AD FS service instance
level: medium
Convert to SIEM query
medium
Strong
Low FP
Azure Active Directory Hybrid Health AD FS Service Delete
This detection uses azureactivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.
A threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.
The health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.
view Sigma YAML
title: Azure Active Directory Hybrid Health AD FS Service Delete
id: 48739819-8230-4ee3-a8ea-e0289d1fb0ff
status: test
description: |
This detection uses azureactivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.
A threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.
The health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.
references:
- https://o365blog.com/post/hybridhealthagent/
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021-08-26
modified: 2023-10-11
tags:
- attack.defense-impairment
- attack.t1578.003
logsource:
product: azure
service: activitylogs
detection:
selection:
CategoryValue: 'Administrative'
ResourceProviderValue: 'Microsoft.ADHybridHealthService'
ResourceId|contains: 'AdFederationService'
OperationNameValue: 'Microsoft.ADHybridHealthService/services/delete'
condition: selection
falsepositives:
- Legitimate AAD Health AD FS service instances being deleted in a tenant
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Azure Application Deleted
Identifies when a application is deleted in Azure.
view Sigma YAML
title: Azure Application Deleted
id: 410d2a41-1e6d-452f-85e5-abdd8257a823
status: test
description: Identifies when a application is deleted in Azure.
references:
- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#application-proxy
author: Austin Songer @austinsonger
date: 2021-09-03
modified: 2022-10-09
tags:
- attack.impact
- attack.t1489
logsource:
product: azure
service: activitylogs
detection:
selection:
properties.message:
- Delete application
- Hard Delete application
condition: selection
falsepositives:
- Application being deleted may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Application deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Azure Application Gateway Modified or Deleted
Identifies when a application gateway is modified or deleted.
view Sigma YAML
title: Azure Application Gateway Modified or Deleted
id: ad87d14e-7599-4633-ba81-aeb60cfe8cd6
status: test
description: Identifies when a application gateway is modified or deleted.
references:
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
author: Austin Songer
date: 2021-08-16
modified: 2022-08-23
tags:
- attack.impact
logsource:
product: azure
service: activitylogs
detection:
selection:
operationName:
- MICROSOFT.NETWORK/APPLICATIONGATEWAYS/WRITE
- MICROSOFT.NETWORK/APPLICATIONGATEWAYS/DELETE
condition: selection
falsepositives:
- Application gateway being modified or deleted may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Application gateway modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
Convert to SIEM query
Showing 51-100 of 1,440