Tool category: EDR / XDR

VMware Carbon Black

1,440 rules · Sigma detections in VMware Carbon Black syntax
The same Sigma detection corpus, machine-rendered into VMware Carbon Black query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 3,646 rules (.zip, 1.2 MB): every VMware Carbon Black query in this view, packaged to deploy.
Filter by technique (pick techniques from the ATT&CK matrix). Rules per tactic:
Reconnaissance: 12
Resource Development: 10
Initial Access: 10
Execution: 30
Persistence: 42
Privilege Escalation: 20
Stealth: 79
Defense Impairment: 32
Credential Access: 35
Discovery: 33
Lateral Movement: 16
Collection: 20
Command and Control: 24
Exfiltration: 10
Impact: 18
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
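The Validate step can also be rehearsed offline before a rule reaches the SIEM. The evaluator below is an added example (not this site's converter and not the Sigma project's own code): it implements the Sigma detection semantics every rule on this page relies on (a list of values is OR, keys in one map are AND, the contains/startswith/endswith/all modifiers, and conditions such as "selection and not 1 of filter_*", "1 of them" or parenthesised and/or/not) and runs the page's "Suspicious Outbound SMTP Connections" rule over constructed events; the event dicts and process paths are assumed sample data.

```python
import fnmatch
import re

# "Suspicious Outbound SMTP Connections" (9976fa64-2804-423c-8a5b-646ade840773), transcribed
# from the rule's YAML on this page into a dict so the example needs no YAML parser.
DETECTION = {
    "selection": {
        "DestinationPort": [25, 587, 465, 2525],  # a list of values is OR
        "Initiated": "true",                       # a second key in the same map is AND
    },
    "filter_clients": {"Image|endswith": ["\\thunderbird.exe", "\\outlook.exe"]},
    "filter_mailserver": {"Image|startswith": "C:\\Program Files\\Microsoft\\Exchange Server\\"},
    "filter_outlook": {  # both keys must hold before this filter excludes an event
        "Image|startswith": "C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_",
        "Image|endswith": "\\HxTsr.exe",
    },
    "condition": "selection and not 1 of filter_*",
}

def _match_value(actual, expected, mods):
    # One Sigma value modifier; Sigma string comparison is case-insensitive.
    a, e = str(actual).lower(), str(expected).lower()
    if "contains" in mods:
        return e in a
    if "startswith" in mods:
        return a.startswith(e)
    return a.endswith(e) if "endswith" in mods else a == e

def _field_matches(event, key, expected):
    # 'Field|mod|...': value or list of values. A list is OR unless 'all' is among the modifiers.
    field, *mods = key.split("|")
    if field not in event:
        return False
    values = expected if isinstance(expected, list) else [expected]
    hits = [_match_value(event[field], v, mods) for v in values]
    return all(hits) if "all" in mods else any(hits)

def search_matches(event, search):
    # A map is AND over its fields; a list of maps is OR over the maps.
    if isinstance(search, list):
        return any(search_matches(event, s) for s in search)
    return all(_field_matches(event, k, v) for k, v in search.items())

class _Condition:
    # Recursive descent over a Sigma condition: 'or' binds loosest, then 'and', then 'not';
    # supports parentheses, search names, '1 of <glob>', 'all of <glob>' and '... of them'.
    def __init__(self, condition, searches, event):
        self.toks = re.findall(r"\(|\)|[^\s()]+", condition)
        self.searches, self.event = searches, event
    def expr(self):
        value = self.term()
        while self.toks[:1] == ["or"]:
            self.toks.pop(0)
            value = self.term() or value
        return value
    def term(self):
        value = self.factor()
        while self.toks[:1] == ["and"]:
            self.toks.pop(0)
            value = self.factor() and value
        return value
    def factor(self):
        tok = self.toks.pop(0)
        if tok == "not":
            return not self.factor()
        if tok == "(":
            value = self.expr()
            if self.toks.pop(0) != ")":
                raise ValueError("unbalanced parentheses in condition")
            return value
        if tok in ("1", "all") and self.toks[:1] == ["of"]:
            self.toks.pop(0)
            pattern = self.toks.pop(0)
            names = list(self.searches) if pattern == "them" else fnmatch.filter(self.searches, pattern)
            results = [search_matches(self.event, self.searches[n]) for n in names]
            return any(results) if tok == "1" else all(results)
        return search_matches(self.event, self.searches[tok])

def evaluate(detection, event):
    # True when the event fires the rule: the selection holds and no filter excludes it.
    searches = {k: v for k, v in detection.items() if k != "condition"}
    cond = _Condition(detection["condition"], searches, event)
    result = cond.expr()
    if cond.toks:
        raise ValueError("unexpected token in condition: %s" % cond.toks[0])
    return bool(result)

# Constructed sample network_connection events, keyed by Sigma's normalised field names.
EVENTS = {
    "powershell_smtp": {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                        "DestinationPort": 587, "Initiated": "true"},
    "outlook": {"Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
                "DestinationPort": 587, "Initiated": "true"},
    "mail_app": {"Image": "C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\HxTsr.exe",
                 "DestinationPort": 25, "Initiated": "true"},
    "hxtsr_in_temp": {"Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\HxTsr.exe",  # right name, wrong path
                      "DestinationPort": 25, "Initiated": "true"},
}
```

The "hxtsr_in_temp" event fires because filter_outlook needs both its startswith and endswith keys to hold, which is exactly the map-is-AND semantics a field-mapping mistake tends to break.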

Detection rules

50 shown of 1,440
Level: medium · Quality: Strong · Alert volume: Medium FP
Suspicious Network Connection to IP Lookup Service APIs
Detects external IP address lookups by non-browser processes via services such as "api.ipify.org". This could be indicative of potential post compromise internet test activity.
Status: test · Author: Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: technique · Rule id: edf3485d-dac4-4d50-90e4-b0e5813f7e60
Carbon Black query:
((DestinationHostname:www.ip.cn OR DestinationHostname:l2.io) OR (DestinationHostname:api.2ip.ua* OR DestinationHostname:api.bigdatacloud.net* OR DestinationHostname:api.ipify.org* OR DestinationHostname:bot.whatismyipaddress.com* OR DestinationHostname:canireachthe.net* OR DestinationHostname:checkip.amazonaws.com* OR DestinationHostname:checkip.dyndns.org* OR DestinationHostname:curlmyip.com* OR DestinationHostname:db\-ip.com* OR DestinationHostname:edns.ip\-api.com* OR DestinationHostname:eth0.me* OR DestinationHostname:freegeoip.app* OR DestinationHostname:geoipy.com* OR DestinationHostname:getip.pro* OR DestinationHostname:icanhazip.com* OR DestinationHostname:ident.me* OR DestinationHostname:ifconfig.io* OR DestinationHostname:ifconfig.me* OR DestinationHostname:ip\-api.com* OR DestinationHostname:ip.360.cn* OR DestinationHostname:ip.anysrc.net* OR DestinationHostname:ip.taobao.com* OR DestinationHostname:ip.tyk.nu* OR DestinationHostname:ipaddressworld.com* OR DestinationHostname:ipapi.co* OR DestinationHostname:ipconfig.io* OR DestinationHostname:ipecho.net* OR DestinationHostname:ipinfo.io* OR DestinationHostname:ipip.net* OR DestinationHostname:ipof.in* OR DestinationHostname:ipv4.icanhazip.com* OR DestinationHostname:ipv4bot.whatismyipaddress.com* OR DestinationHostname:ipv6\-test.com* OR DestinationHostname:ipwho.is* OR DestinationHostname:jsonip.com* OR DestinationHostname:myexternalip.com* OR DestinationHostname:seeip.org* OR DestinationHostname:wgetip.com* OR DestinationHostname:whatismyip.akamai.com* OR DestinationHostname:whois.pconline.com.cn* OR DestinationHostname:wtfismyip.com*)) (-(Image:\\brave.exe OR (Image:C\:\\Program\ Files\\Google\\Chrome\\Application\\chrome.exe OR Image:C\:\\Program\ Files\ \(x86\)\\Google\\Chrome\\Application\\chrome.exe) OR (Image:C\:\\Program\ Files\\Mozilla\ Firefox\\firefox.exe OR Image:C\:\\Program\ Files\ \(x86\)\\Mozilla\ Firefox\\firefox.exe) OR (Image:C\:\\Program\ Files\ \(x86\)\\Internet\ Explorer\\iexplore.exe OR Image:C\:\\Program\ Files\\Internet\ Explorer\\iexplore.exe) OR Image:\\maxthon.exe OR (Image:C\:\\Program\ Files\ \(x86\)\\Microsoft\\EdgeWebView\\Application\\* OR Image:\\WindowsApps\\MicrosoftEdge.exe OR (Image:C\:\\Program\ Files\ \(x86\)\\Microsoft\\Edge\\Application\\msedge.exe OR Image:C\:\\Program\ Files\\Microsoft\\Edge\\Application\\msedge.exe)) OR ((Image:C\:\\Program\ Files\ \(x86\)\\Microsoft\\EdgeCore\\* OR Image:C\:\\Program\ Files\\Microsoft\\EdgeCore\\*) (Image:\\msedge.exe OR Image:\\msedgewebview2.exe)) OR Image:\\opera.exe OR Image:\\safari.exe OR Image:\\seamonkey.exe OR Image:\\vivaldi.exe OR Image:\\whale.exe))
Sigma YAML:
title: Suspicious Network Connection to IP Lookup Service APIs
id: edf3485d-dac4-4d50-90e4-b0e5813f7e60
related:
    - id: ec82e2a5-81ea-4211-a1f8-37a0286df2c2
      type: derived
status: test
description: Detects external IP address lookups by non-browser processes via services such as "api.ipify.org". This could be indicative of potential post compromise internet test activity.
references:
    - https://github.com/rsp/scripts/blob/c8bb272d68164a9836e4f273d8f924927f39b8c6/externalip-benchmark.md
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a
    - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
    - https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html
author: Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-24
modified: 2024-03-22
tags:
    - attack.discovery
    - attack.t1016
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        - DestinationHostname:
              - 'www.ip.cn'
              - 'l2.io'
        - DestinationHostname|contains:
              - 'api.2ip.ua'
              - 'api.bigdatacloud.net'
              - 'api.ipify.org'
              - 'bot.whatismyipaddress.com'
              - 'canireachthe.net'
              - 'checkip.amazonaws.com'
              - 'checkip.dyndns.org'
              - 'curlmyip.com'
              - 'db-ip.com'
              - 'edns.ip-api.com'
              - 'eth0.me'
              - 'freegeoip.app'
              - 'geoipy.com'
              - 'getip.pro'
              - 'icanhazip.com'
              - 'ident.me'
              - 'ifconfig.io'
              - 'ifconfig.me'
              - 'ip-api.com'
              - 'ip.360.cn'
              - 'ip.anysrc.net'
              - 'ip.taobao.com'
              - 'ip.tyk.nu'
              - 'ipaddressworld.com'
              - 'ipapi.co'
              - 'ipconfig.io'
              - 'ipecho.net'
              - 'ipinfo.io'
              - 'ipip.net'
              - 'ipof.in'
              - 'ipv4.icanhazip.com'
              - 'ipv4bot.whatismyipaddress.com'
              - 'ipv6-test.com'
              - 'ipwho.is'
              - 'jsonip.com'
              - 'myexternalip.com'
              - 'seeip.org'
              - 'wgetip.com'
              - 'whatismyip.akamai.com'
              - 'whois.pconline.com.cn'
              - 'wtfismyip.com'
    filter_optional_brave:
        Image|endswith: '\brave.exe'
    filter_optional_chrome:
        Image:
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
    filter_optional_firefox:
        Image:
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
    filter_optional_ie:
        Image:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Program Files\Internet Explorer\iexplore.exe'
    filter_optional_maxthon:
        Image|endswith: '\maxthon.exe'
    filter_optional_edge_1:
        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
        - Image:
              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    filter_optional_edge_2:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
            - 'C:\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_optional_opera:
        Image|endswith: '\opera.exe'
    filter_optional_safari:
        Image|endswith: '\safari.exe'
    filter_optional_seamonkey:
        Image|endswith: '\seamonkey.exe'
    filter_optional_vivaldi:
        Image|endswith: '\vivaldi.exe'
    filter_optional_whale:
        Image|endswith: '\whale.exe'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Legitimate use of the external websites for troubleshooting or network monitoring
level: medium
Level: medium · Quality: Moderate · Alert volume: Medium FP
Suspicious New Instance Of An Office COM Object
Detects an svchost process spawning an instance of an office application. This happens when the initial word application creates an instance of one of the Office COM objects such as 'Word.Application', 'Excel.Application', etc. This can be used by malicious actors to create malicious Office documents with macros on the fly. (See vba2clr project in the references)
Status: test · Author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: tactic-only · Rule id: 9bdaf1e9-fdef-443b-8081-4341b74a7e28
Carbon Black query:
ParentImage:\\svchost.exe (Image:\\eqnedt32.exe OR Image:\\excel.exe OR Image:\\msaccess.exe OR Image:\\mspub.exe OR Image:\\powerpnt.exe OR Image:\\visio.exe OR Image:\\winword.exe)
Sigma YAML:
title: Suspicious New Instance Of An Office COM Object
id: 9bdaf1e9-fdef-443b-8081-4341b74a7e28
status: test
description: |
    Detects an svchost process spawning an instance of an office application. This happens when the initial word application creates an instance of one of the Office COM objects such as 'Word.Application', 'Excel.Application', etc.
    This can be used by malicious actors to create malicious Office documents with macros on the fly. (See vba2clr project in the references)
references:
    - https://learn.microsoft.com/en-us/previous-versions/office/troubleshoot/office-developer/automate-word-create-file-using-visual-basic
    - https://github.com/med0x2e/vba2clr
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-13
modified: 2023-12-19
tags:
    - attack.execution
    - detection.threat-hunting
    - attack.stealth
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith: '\svchost.exe'
        Image|endswith:
            - '\eqnedt32.exe'
            - '\excel.exe'
            - '\msaccess.exe'
            - '\mspub.exe'
            - '\powerpnt.exe'
            - '\visio.exe'
            - '\winword.exe'
    condition: selection
falsepositives:
    - Legitimate usage of office automation via scripting
level: medium
Level: medium · Quality: Moderate · Alert volume: High FP
Suspicious New-PSDrive to Admin Share
Adversaries may use New-PSDrive to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.
Status: test · Author: frack113 · ATT&CK mapping: sub-technique · Rule id: 1c563233-030e-4a07-af8c-ee0490a66d3a
Carbon Black query:
ScriptBlockText:New\-PSDrive* ScriptBlockText:\-psprovider\ * ScriptBlockText:filesystem* ScriptBlockText:\-root\ * ScriptBlockText:\\\\* ScriptBlockText:$*
Sigma YAML:
title: Suspicious New-PSDrive to Admin Share
id: 1c563233-030e-4a07-af8c-ee0490a66d3a
status: test
description: Adversaries may use New-PSDrive to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-2---map-admin-share-powershell
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2
author: frack113
date: 2022-08-13
tags:
    - attack.lateral-movement
    - attack.t1021.002
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'New-PSDrive'
            - '-psprovider '
            - 'filesystem'
            - '-root '
            - '\\\\'
            - '$'
    condition: selection
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Strong · Alert volume: Medium FP
Suspicious Non PowerShell WSMAN COM Provider
Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.
Status: test · Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) · ATT&CK mapping: sub-technique · Rule id: df9a0e0e-fedb-4d6c-8668-d765dfc92aa7
Carbon Black query:
Data:ProviderName=WSMan* (-((Data:HostApplication=powershell* OR Data:HostApplication=C\:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell* OR Data:HostApplication=C\:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell* OR Data:HostApplication=C\:\/Windows\/System32\/WindowsPowerShell\/v1.0\/powershell* OR Data:HostApplication=C\:\/Windows\/SysWOW64\/WindowsPowerShell\/v1.0\/powershell*) OR Data:HostId=[a-zA-Z0-9-]{36}\\s+EngineVersion=)) (-Data:HostApplication=C\:\\Hexnode\\Hexnode\ Agent\\Current\\HexnodeAgent.exe*)
Sigma YAML:
title: Suspicious Non PowerShell WSMAN COM Provider
id: df9a0e0e-fedb-4d6c-8668-d765dfc92aa7
status: test
description: Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.
references:
    - https://twitter.com/chadtilbury/status/1275851297770610688
    - https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/
    - https://github.com/bohops/WSMan-WinRM
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-06-24
modified: 2025-10-22
tags:
    - attack.execution
    - attack.t1059.001
    - attack.lateral-movement
    - attack.t1021.003
logsource:
    product: windows
    service: powershell-classic
detection:
    selection:
        Data|contains: 'ProviderName=WSMan'
    filter_main_ps:
        Data|contains:
            - 'HostApplication=powershell'
            - 'HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell'
            - 'HostApplication=C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell'
            # In some cases powershell was invoked with inverted slashes
            - 'HostApplication=C:/Windows/System32/WindowsPowerShell/v1.0/powershell'
            - 'HostApplication=C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell'
    filter_main_host_application_null:
        # Note: Since we're using the raw data field to match. There is no easy way to filter out cases where the "HostApplication" field is null (i.e doesn't exist). We're practically forced to use a regex.
        # If you're already mapping and extracting the field, then obviously use that directly.
        Data|re: 'HostId=[a-zA-Z0-9-]{36}\s+EngineVersion='
    filter_optional_hexnode:
        Data|contains: 'HostApplication=C:\Hexnode\Hexnode Agent\Current\HexnodeAgent.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Strong · Alert volume: Medium FP
Suspicious Non-Browser Network Communication With Telegram API
Detects a non-browser process interacting with the Telegram API, which could indicate use of a covert C2.
Status: test · Author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: technique · Rule id: c3dbbc9f-ef1d-470a-a90a-d343448d5875
Carbon Black query:
DestinationHostname:api.telegram.org* (-(Image:\\brave.exe OR (Image:C\:\\Program\ Files\\Google\\Chrome\\Application\\chrome.exe OR Image:C\:\\Program\ Files\ \(x86\)\\Google\\Chrome\\Application\\chrome.exe) OR (Image:C\:\\Program\ Files\\Mozilla\ Firefox\\firefox.exe OR Image:C\:\\Program\ Files\ \(x86\)\\Mozilla\ Firefox\\firefox.exe) OR (Image:C\:\\Program\ Files\ \(x86\)\\Internet\ Explorer\\iexplore.exe OR Image:C\:\\Program\ Files\\Internet\ Explorer\\iexplore.exe) OR Image:\\maxthon.exe OR (Image:C\:\\Program\ Files\ \(x86\)\\Microsoft\\EdgeWebView\\Application\\* OR Image:\\WindowsApps\\MicrosoftEdge.exe OR (Image:C\:\\Program\ Files\ \(x86\)\\Microsoft\\Edge\\Application\\msedge.exe OR Image:C\:\\Program\ Files\\Microsoft\\Edge\\Application\\msedge.exe)) OR ((Image:C\:\\Program\ Files\ \(x86\)\\Microsoft\\EdgeCore\\* OR Image:C\:\\Program\ Files\\Microsoft\\EdgeCore\\*) (Image:\\msedge.exe OR Image:\\msedgewebview2.exe)) OR Image:\\opera.exe OR Image:\\safari.exe OR Image:\\seamonkey.exe OR Image:\\vivaldi.exe OR Image:\\whale.exe))
Sigma YAML:
title: Suspicious Non-Browser Network Communication With Telegram API
id: c3dbbc9f-ef1d-470a-a90a-d343448d5875
status: test
description: Detects a non-browser process interacting with the Telegram API, which could indicate use of a covert C2
references:
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-19
tags:
    - attack.command-and-control
    - attack.exfiltration
    - attack.t1102
    - attack.t1567
    - attack.t1105
logsource:
    product: windows
    category: network_connection
detection:
    selection:
        DestinationHostname|contains: 'api.telegram.org'
    # Other browsers or apps known to use telegram should be added
    # TODO: Add full paths for default install locations
    filter_main_brave:
        Image|endswith: '\brave.exe'
    filter_main_chrome:
        Image:
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
    filter_main_firefox:
        Image:
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
    filter_main_ie:
        Image:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Program Files\Internet Explorer\iexplore.exe'
    filter_main_maxthon:
        Image|endswith: '\maxthon.exe'
    filter_main_edge_1:
        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
        - Image:
              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    filter_main_edge_2:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
            - 'C:\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_main_opera:
        Image|endswith: '\opera.exe'
    filter_main_safari:
        Image|endswith: '\safari.exe'
    filter_main_seamonkey:
        Image|endswith: '\seamonkey.exe'
    filter_main_vivaldi:
        Image|endswith: '\vivaldi.exe'
    filter_main_whale:
        Image|endswith: '\whale.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate applications communicating with the Telegram API, e.g. web browsers not in the exclusion list, app with an RSS etc.
level: medium
Level: medium · Quality: Moderate · Alert volume: Low FP
Suspicious OAuth App File Download Activities
Detects when Microsoft Cloud App Security reports that an app downloaded multiple files from Microsoft SharePoint or Microsoft OneDrive in a manner that is unusual for the user.
Status: test · Author: Austin Songer @austinsonger · ATT&CK mapping: tactic-only · Rule id: ee111937-1fe7-40f0-962a-0eb44d57d174
Carbon Black query:
eventSource:SecurityComplianceCenter eventName:Suspicious\ OAuth\ app\ file\ download\ activities status:success
Sigma YAML:
title: Suspicious OAuth App File Download Activities
id: ee111937-1fe7-40f0-962a-0eb44d57d174
status: test
description: Detects when Microsoft Cloud App Security reports that an app downloaded multiple files from Microsoft SharePoint or Microsoft OneDrive in a manner that is unusual for the user.
references:
    - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
    - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
author: Austin Songer @austinsonger
date: 2021-08-23
modified: 2022-10-09
tags:
    - attack.exfiltration
logsource:
    service: threat_management
    product: m365
detection:
    selection:
        eventSource: SecurityComplianceCenter
        eventName: 'Suspicious OAuth app file download activities'
        status: success
    condition: selection
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Moderate · Alert volume: Medium FP
Suspicious OpenSSH Daemon Error
Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploitation attempts.
Status: test · Author: Florian Roth (Nextron Systems) · ATT&CK mapping: technique · Rule id: e76b413a-83d0-4b94-8e4c-85db4a5b8bdc
Carbon Black query:
"unexpected\ internal\ error" OR "unknown\ or\ unsupported\ key\ type" OR "invalid\ certificate\ signing\ key" OR "invalid\ elliptic\ curve\ value" OR "incorrect\ signature" OR "error\ in\ libcrypto" OR "unexpected\ bytes\ remain\ after\ decoding" OR "fatal\:\ buffer_get_string\:\ bad\ string" OR "Local\:\ crc32\ compensation\ attack" OR "bad\ client\ public\ DH\ value" OR "Corrupted\ MAC\ on\ input"
Sigma YAML:
title: Suspicious OpenSSH Daemon Error
id: e76b413a-83d0-4b94-8e4c-85db4a5b8bdc
status: test
description: Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploitation attempts
references:
    - https://github.com/openssh/openssh-portable/blob/c483a5c0fb8e8b8915fad85c5f6113386a4341ca/ssherr.c
    - https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/sshd_rules.xml
author: Florian Roth (Nextron Systems)
date: 2017-06-30
modified: 2021-11-27
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    product: linux
    service: sshd
detection:
    keywords:
        - 'unexpected internal error'
        - 'unknown or unsupported key type'
        - 'invalid certificate signing key'
        - 'invalid elliptic curve value'
        - 'incorrect signature'
        - 'error in libcrypto'
        - 'unexpected bytes remain after decoding'
        - 'fatal: buffer_get_string: bad string'
        - 'Local: crc32 compensation attack'
        - 'bad client public DH value'
        - 'Corrupted MAC on input'
    condition: keywords
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Strong · Alert volume: Medium FP
Suspicious Outbound SMTP Connections
Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Status: test · Author: frack113 · ATT&CK mapping: sub-technique · Rule id: 9976fa64-2804-423c-8a5b-646ade840773
Carbon Black query:
((DestinationPort:25 OR DestinationPort:587 OR DestinationPort:465 OR DestinationPort:2525) Initiated:true) (-((Image:\\thunderbird.exe OR Image:\\outlook.exe) OR Image:C\:\\Program\ Files\\Microsoft\\Exchange\ Server\\* OR (Image:C\:\\Program\ Files\\WindowsApps\\microsoft.windowscommunicationsapps_* Image:\\HxTsr.exe)))
Sigma YAML:
title: Suspicious Outbound SMTP Connections
id: 9976fa64-2804-423c-8a5b-646ade840773
status: test
description: |
    Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
    The data may also be sent to an alternate network location from the main command and control server.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp
    - https://www.ietf.org/rfc/rfc2821.txt
author: frack113
date: 2022-01-07
modified: 2022-09-21
tags:
    - attack.exfiltration
    - attack.t1048.003
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationPort:
            - 25
            - 587
            - 465
            - 2525
        Initiated: 'true'
    filter_clients:
        Image|endswith:
            - \thunderbird.exe
            - \outlook.exe
    filter_mailserver:
        Image|startswith: 'C:\Program Files\Microsoft\Exchange Server\'
    filter_outlook:
        Image|startswith: 'C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_'
        Image|endswith: '\HxTsr.exe'
    condition: selection and not 1 of filter_*
falsepositives:
    - Other SMTP tools
level: medium
Level: medium · Quality: Strong · Alert volume: Medium FP
Suspicious PROCEXP152.sys File Created In TMP
Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder. This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.
Status: test · Author: xknow (@xknow_infosec), xorxes (@xor_xes) · ATT&CK mapping: technique · Rule id: 3da70954-0f2c-4103-adff-b7440368f50e
Carbon Black query:
(TargetFilename:\\AppData\\Local\\Temp\\* TargetFilename:PROCEXP152.sys) (-(Image:\\procexp64.exe* OR Image:\\procexp.exe* OR Image:\\procmon64.exe* OR Image:\\procmon.exe*))
Sigma YAML:
title: Suspicious PROCEXP152.sys File Created In TMP
id: 3da70954-0f2c-4103-adff-b7440368f50e
status: test
description: |
  Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder.
  This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.
references:
    - https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
author: xknow (@xknow_infosec), xorxes (@xor_xes)
date: 2019-04-08
modified: 2022-11-22
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains: '\AppData\Local\Temp\'
        TargetFilename|endswith: 'PROCEXP152.sys'
    filter:
        Image|contains:
            - '\procexp64.exe'
            - '\procexp.exe'
            - '\procmon64.exe'
            - '\procmon.exe'
    condition: selection and not filter
falsepositives:
    - Other legitimate tools using this driver and filename (like Sysinternals). Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don't rely on it.
level: medium
Level: medium · Quality: Strong · Alert volume: Medium FP
Suspicious Package Installed - Linux
Detects installation of suspicious packages using system installation utilities
Status: test · Author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: sub-technique · Rule id: 700fb7e8-2981-401c-8430-be58e189e741
Carbon Black query:
(((Image:\/apt OR Image:\/apt\-get) CommandLine:install*) OR (Image:\/yum (CommandLine:localinstall* OR CommandLine:install*)) OR (Image:\/rpm CommandLine:\-i*) OR (Image:\/dpkg (CommandLine:\-\-install* OR CommandLine:\-i*))) (CommandLine:nmap* OR CommandLine:\ nc* OR CommandLine:netcat* OR CommandLine:wireshark* OR CommandLine:tshark* OR CommandLine:openconnect* OR CommandLine:proxychains* OR CommandLine:socat*)
Sigma YAML:
title: Suspicious Package Installed - Linux
id: 700fb7e8-2981-401c-8430-be58e189e741
status: test
description: Detects installation of suspicious packages using system installation utilities
references:
    - https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-03
modified: 2026-01-01
tags:
    - attack.defense-impairment
    - attack.t1553.004
logsource:
    product: linux
    category: process_creation
detection:
    selection_tool_apt:
        Image|endswith:
            - '/apt'
            - '/apt-get'
        CommandLine|contains: 'install'
    selection_tool_yum:
        Image|endswith: '/yum'
        CommandLine|contains:
            - 'localinstall'
            - 'install'
    selection_tool_rpm:
        Image|endswith: '/rpm'
        CommandLine|contains: '-i'
    selection_tool_dpkg:
        Image|endswith: '/dpkg'
        CommandLine|contains:
            - '--install'
            - '-i'
    selection_keyword:
        CommandLine|contains:
            # Add more suspicious packages
            - 'nmap'
            - ' nc'
            - 'netcat'
            - 'wireshark'
            - 'tshark'
            - 'openconnect'
            - 'proxychains'
            - 'socat'
    condition: 1 of selection_tool_* and selection_keyword
falsepositives:
    - Legitimate administration activities
level: medium
Level: medium · Quality: Moderate · Alert volume: High FP
Suspicious PowerShell Download - PoshModule
Detects suspicious PowerShell download command
Status: test · Author: Florian Roth (Nextron Systems) · ATT&CK mapping: sub-technique · Rule id: de41232e-12e8-49fa-86bc-c05c7e722df9
Carbon Black query:
ContextInfo:System.Net.WebClient* (ContextInfo:.DownloadFile\(* OR ContextInfo:.DownloadString\(*)
Sigma YAML:
title: Suspicious PowerShell Download - PoshModule
id: de41232e-12e8-49fa-86bc-c05c7e722df9
related:
    - id: 65531a81-a694-4e31-ae04-f8ba5bc33759
      type: derived
status: test
description: Detects suspicious PowerShell download command
references:
    - https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-8.0
    - https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-8.0
author: Florian Roth (Nextron Systems)
date: 2017-03-05
modified: 2023-01-20
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_webclient_:
        ContextInfo|contains: 'System.Net.WebClient'
    selection_function:
        ContextInfo|contains:
            - '.DownloadFile('
            - '.DownloadString('
    condition: all of selection_*
falsepositives:
    - PowerShell scripts that download content from the Internet
level: medium
Level: medium · Quality: Moderate · Alert volume: Medium FP
Suspicious PowerShell Download - Powershell Script
Detects suspicious PowerShell download command
Status: test · Author: Florian Roth (Nextron Systems) · ATT&CK mapping: sub-technique · Rule id: 403c2cc0-7f6b-4925-9423-bfa573bed7eb
Carbon Black query:
ScriptBlockText:System.Net.WebClient* (ScriptBlockText:.DownloadFile\(* OR ScriptBlockText:.DownloadFileAsync\(* OR ScriptBlockText:.DownloadString\(* OR ScriptBlockText:.DownloadStringAsync\(*)
Sigma YAML:
title: Suspicious PowerShell Download - Powershell Script
id: 403c2cc0-7f6b-4925-9423-bfa573bed7eb
related:
    - id: 65531a81-a694-4e31-ae04-f8ba5bc33759
      type: derived
status: test
description: Detects suspicious PowerShell download command
references:
    - https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-8.0
    - https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-8.0
author: Florian Roth (Nextron Systems)
date: 2017-03-05
modified: 2022-12-02
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    webclient:
        ScriptBlockText|contains: 'System.Net.WebClient'
    download:
        ScriptBlockText|contains:
            - '.DownloadFile('
            - '.DownloadFileAsync('
            - '.DownloadString('
            - '.DownloadStringAsync('
    condition: webclient and download
falsepositives:
    - PowerShell scripts that download content from the Internet
level: medium
level: medium · quality: Strong · alert volume: Medium FP
Suspicious PowerShell In Registry Run Keys
Detects potential PowerShell commands or code within registry run keys
status: test · author: frack113, Florian Roth (Nextron Systems) · ATT&CK: sub-technique · id: 8d85cf08-bf97-4260-ba49-986a2a65129c
carbon_black query
(TargetObject:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run* OR TargetObject:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run* OR TargetObject:\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run*) (Details:powershell* OR Details:pwsh\ * OR Details:FromBase64String* OR Details:.DownloadFile\(* OR Details:.DownloadString\(* OR Details:\ \-w\ hidden\ * OR Details:\ \-w\ 1\ * OR Details:\-windowstyle\ hidden* OR Details:\-window\ hidden* OR Details:\ \-nop\ * OR Details:\ \-encodedcommand\ * OR Details:\-ExecutionPolicy\ Bypass* OR Details:Invoke\-Expression* OR Details:IEX\ \(* OR Details:Invoke\-Command* OR Details:ICM\ \-* OR Details:Invoke\-WebRequest* OR Details:IWR\ * OR Details:Invoke\-RestMethod* OR Details:IRM\ * OR Details:\ \-noni\ * OR Details:\ \-noninteractive\ *)
view Sigma YAML
title: Suspicious PowerShell In Registry Run Keys
id: 8d85cf08-bf97-4260-ba49-986a2a65129c
status: test
description: Detects potential PowerShell commands or code within registry run keys
references:
    - https://github.com/frack113/atomic-red-team/blob/a9051c38de8a5320b31c7039efcbd3b56cf2d65a/atomics/T1547.001/T1547.001.md#atomic-test-9---systembc-malware-as-a-service-registry
    - https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html
    - https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
author: frack113, Florian Roth (Nextron Systems)
date: 2022-03-17
modified: 2025-07-18
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\Software\Microsoft\Windows\CurrentVersion\Run' # Also covers "RunOnce" and "RunOnceEx"
            - '\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
            - '\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
        Details|contains:
            - 'powershell'
            - 'pwsh '
            - 'FromBase64String'
            - '.DownloadFile('
            - '.DownloadString('
            - ' -w hidden '
            - ' -w 1 '
            - '-windowstyle hidden'
            - '-window hidden'
            - ' -nop '
            - ' -encodedcommand '
            - '-ExecutionPolicy Bypass'
            - 'Invoke-Expression'
            - 'IEX ('
            - 'Invoke-Command'
            - 'ICM -'
            - 'Invoke-WebRequest'
            - 'IWR '
            - 'Invoke-RestMethod'
            - 'IRM '
            - ' -noni '
            - ' -noninteractive '
    condition: selection
falsepositives:
    - Legitimate admin or third party scripts. Baseline according to your environment
level: medium
level: medium · quality: Strong · alert volume: Medium FP
Suspicious PowerShell Invocation From Script Engines
Detects suspicious powershell invocations from interpreters or unusual programs
status: test · author: Florian Roth (Nextron Systems) · ATT&CK: sub-technique · id: 95eadcb2-92e4-4ed1-9031-92547773a6db
carbon_black query
((ParentImage:\\wscript.exe OR ParentImage:\\cscript.exe) (Image:\\powershell.exe OR Image:\\pwsh.exe)) (-CurrentDirectory:\\Health\ Service\ State\\*)
view Sigma YAML
title: Suspicious PowerShell Invocation From Script Engines
id: 95eadcb2-92e4-4ed1-9031-92547773a6db
status: test
description: Detects suspicious powershell invocations from interpreters or unusual programs
references:
    - https://www.securitynewspaper.com/2017/03/20/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/
author: Florian Roth (Nextron Systems)
date: 2019-01-16
modified: 2023-01-05
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\wscript.exe'
            - '\cscript.exe'
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
    filter_health_service:
        CurrentDirectory|contains: '\Health Service State\'
    condition: selection and not 1 of filter_*
falsepositives:
    - Microsoft Operations Manager (MOM)
    - Other scripts
level: medium
level: medium · quality: Strong · alert volume: Medium FP
Suspicious PowerShell Invocations - Specific - ProcessCreation
Detects suspicious PowerShell invocation command parameters
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK: tactic-only · id: 536e2947-3729-478c-9903-745aaffe60d2
carbon_black query
((CommandLine:\-nop* CommandLine:\ \-w\ * CommandLine:hidden* CommandLine:\ \-c\ * CommandLine:\[Convert\]\:\:FromBase64String*) OR (CommandLine:\ \-w\ * CommandLine:hidden* CommandLine:\-noni* CommandLine:\-nop* CommandLine:\ \-c\ * CommandLine:iex* CommandLine:New\-Object*) OR (CommandLine:\ \-w\ * CommandLine:hidden* CommandLine:\-ep* CommandLine:bypass* CommandLine:\-Enc*) OR (CommandLine:powershell* CommandLine:reg* CommandLine:add* CommandLine:\\software\\*) OR (CommandLine:bypass* CommandLine:\-noprofile* CommandLine:\-windowstyle* CommandLine:hidden* CommandLine:new\-object* CommandLine:system.net.webclient* CommandLine:.download*) OR (CommandLine:iex* CommandLine:New\-Object* CommandLine:Net.WebClient* CommandLine:.Download*)) (-(CommandLine:\(New\-Object\ System.Net.WebClient\).DownloadString\('https\:\/\/community.chocolatey.org\/install.ps1* OR CommandLine:Write\-ChocolateyWarning*))
view Sigma YAML
title: Suspicious PowerShell Invocations - Specific - ProcessCreation
id: 536e2947-3729-478c-9903-745aaffe60d2
related:
    - id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
      type: obsolete
    - id: ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71
      type: similar
    - id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090
      type: similar
status: test
description: Detects suspicious PowerShell invocation command parameters
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-05
tags:
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection_convert_b64:
        CommandLine|contains|all:
            - '-nop'
            - ' -w '
            - 'hidden'
            - ' -c '
            - '[Convert]::FromBase64String'
    selection_iex:
        CommandLine|contains|all:
            - ' -w '
            - 'hidden'
            - '-noni'
            - '-nop'
            - ' -c '
            - 'iex'
            - 'New-Object'
    selection_enc:
        CommandLine|contains|all:
            - ' -w '
            - 'hidden'
            - '-ep'
            - 'bypass'
            - '-Enc'
    selection_reg:
        CommandLine|contains|all:
            - 'powershell'
            - 'reg'
            - 'add'
            - '\software\'
    selection_webclient:
        CommandLine|contains|all:
            - 'bypass'
            - '-noprofile'
            - '-windowstyle'
            - 'hidden'
            - 'new-object'
            - 'system.net.webclient'
            - '.download'
    selection_iex_webclient:
        CommandLine|contains|all:
            - 'iex'
            - 'New-Object'
            - 'Net.WebClient'
            - '.Download'
    filter_chocolatey:
        CommandLine|contains:
            - "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1"
            - 'Write-ChocolateyWarning'
    condition: 1 of selection_* and not 1 of filter_*
falsepositives:
    - Unknown
level: medium
level: medium · quality: Moderate · alert volume: High FP
Suspicious PowerShell WindowStyle Option
Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden
status: test · author: frack113, Tim Shelton (fp AWS) · ATT&CK: sub-technique · id: 313fbb0a-a341-4682-848d-6d6f8c4fab7c
carbon_black query
(ScriptBlockText:powershell* ScriptBlockText:WindowStyle* ScriptBlockText:Hidden*) (-(ScriptBlockText:\:\\Program\ Files\\Amazon\\WorkSpacesConfig\\Scripts\\* ScriptBlockText:$PSScriptRoot\\Module\\WorkspaceScriptModule\\WorkspaceScriptModule*))
view Sigma YAML
title: Suspicious PowerShell WindowStyle Option
id: 313fbb0a-a341-4682-848d-6d6f8c4fab7c
status: test
description: |
    Adversaries may use hidden windows to conceal malicious activity from the plain sight of users.
    In some cases, windows that would typically be displayed when an application carries out an operation can be hidden
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.003/T1564.003.md
author: frack113, Tim Shelton (fp AWS)
date: 2021-10-20
modified: 2023-01-03
tags:
    - attack.stealth
    - attack.t1564.003
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'powershell'
            - 'WindowStyle'
            - 'Hidden'
    filter:
        ScriptBlockText|contains|all:
            - ':\Program Files\Amazon\WorkSpacesConfig\Scripts\'
            - '$PSScriptRoot\Module\WorkspaceScriptModule\WorkspaceScriptModule'
    condition: selection and not filter
falsepositives:
    - Unknown
level: medium
level: medium · quality: Moderate · alert volume: High FP
Suspicious Powercfg Execution To Change Lock Screen Timeout
Detects suspicious execution of 'Powercfg.exe' to change lock screen timeout
status: test · author: frack113 · ATT&CK: tactic-only · id: f8d6a15e-4bc8-4c27-8e5d-2b10f0b73e5b
carbon_black query
(Image:\\powercfg.exe OR OriginalFileName:PowerCfg.exe) ((CommandLine:\/setacvalueindex\ * CommandLine:SCHEME_CURRENT* CommandLine:SUB_VIDEO* CommandLine:VIDEOCONLOCK*) OR (CommandLine:\-change\ * CommandLine:\-standby\-timeout\-*))
view Sigma YAML
title: Suspicious Powercfg Execution To Change Lock Screen Timeout
id: f8d6a15e-4bc8-4c27-8e5d-2b10f0b73e5b
status: test
description: Detects suspicious execution of 'Powercfg.exe' to change lock screen timeout
references:
    - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
    - https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options
author: frack113
date: 2022-11-18
tags:
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection_power:
        - Image|endswith: '\powercfg.exe'
        - OriginalFileName: 'PowerCfg.exe'
    selection_standby:
        # powercfg.exe /SETACVALUEINDEX SCHEME_CURRENT SUB_VIDEO VIDEOCONLOCK
        - CommandLine|contains|all:
              - '/setacvalueindex '
              - 'SCHEME_CURRENT'
              - 'SUB_VIDEO'
              - 'VIDEOCONLOCK'
        # powercfg -change -standby-timeout-dc 3000
        # powercfg -change -standby-timeout-ac 3000
        - CommandLine|contains|all:
              - '-change '
              - '-standby-timeout-'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
level: medium · quality: Moderate · alert volume: High FP
Suspicious Process Start Locations
Detects suspicious process run from unusual locations
status: test · author: juju4, Jonhnathan Ribeiro, oscd.community · ATT&CK: technique · id: 15b75071-74cc-47e0-b4c6-b43744a62a2b
carbon_black query
(Image:\:\\RECYCLER\\* OR Image:\:\\SystemVolumeInformation\\*) OR (Image:C\:\\Windows\\Tasks\\* OR Image:C\:\\Windows\\debug\\* OR Image:C\:\\Windows\\fonts\\* OR Image:C\:\\Windows\\help\\* OR Image:C\:\\Windows\\drivers\\* OR Image:C\:\\Windows\\addins\\* OR Image:C\:\\Windows\\cursors\\* OR Image:C\:\\Windows\\system32\\tasks\\*)
view Sigma YAML
title: Suspicious Process Start Locations
id: 15b75071-74cc-47e0-b4c6-b43744a62a2b
status: test
description: Detects suspicious process run from unusual locations
references:
    - https://car.mitre.org/wiki/CAR-2013-05-002
author: juju4, Jonhnathan Ribeiro, oscd.community
date: 2019-01-16
modified: 2022-01-07
tags:
    - attack.stealth
    - attack.t1036
    - car.2013-05-002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|contains:
              - ':\RECYCLER\'
              - ':\SystemVolumeInformation\'
        - Image|startswith:
              - 'C:\Windows\Tasks\'
              - 'C:\Windows\debug\'
              - 'C:\Windows\fonts\'
              - 'C:\Windows\help\'
              - 'C:\Windows\drivers\'
              - 'C:\Windows\addins\'
              - 'C:\Windows\cursors\'
              - 'C:\Windows\system32\tasks\'
    condition: selection
falsepositives:
    - False positives depend on scripts and administrative tools used in the monitored environment
level: medium
level: medium · quality: Moderate · alert volume: High FP
Suspicious RASdial Activity
Detects suspicious process related to rasdial.exe
status: test · author: juju4 · ATT&CK: technique · id: 6bba49bf-7f8c-47d6-a1bb-6b4dece4640e
carbon_black query
Image:rasdial.exe
view Sigma YAML
title: Suspicious RASdial Activity
id: 6bba49bf-7f8c-47d6-a1bb-6b4dece4640e
status: test
description: Detects suspicious process related to rasdial.exe
references:
    - https://twitter.com/subTee/status/891298217907830785
author: juju4
date: 2019-01-16
modified: 2021-11-27
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: 'rasdial.exe'
    condition: selection
falsepositives:
    - False positives depend on scripts and administrative tools used in the monitored environment
level: medium
level: medium · quality: Moderate · alert volume: High FP
Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet
Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK: sub-technique · id: c8a180d6-47a3-4345-a609-53f9c3d834fc
carbon_black query
CommandLine:Get\-LocalGroupMember\ * (CommandLine:domain\ admins* OR CommandLine:\ administrator* OR CommandLine:\ administrateur* OR CommandLine:enterprise\ admins* OR CommandLine:Exchange\ Trusted\ Subsystem* OR CommandLine:Remote\ Desktop\ Users* OR CommandLine:Utilisateurs\ du\ Bureau\ à\ distance* OR CommandLine:Usuarios\ de\ escritorio\ remoto*)
view Sigma YAML
title: Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet
id: c8a180d6-47a3-4345-a609-53f9c3d834fc
related:
    - id: cef24b90-dddc-4ae1-a09a-8764872f69fc
      type: similar
status: test
description: Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet
references:
    - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-10
tags:
    - attack.discovery
    - attack.t1087.001
logsource:
    category: process_creation
    product: windows
detection:
    # Covers group and localgroup flags
    selection_cmdlet:
        CommandLine|contains: 'Get-LocalGroupMember '
    selection_group:
        CommandLine|contains:
            # Add more groups for other languages
            - 'domain admins'
            - ' administrator' # Typo without an 'S' so we catch both
            - ' administrateur' # Typo without an 'S' so we catch both
            - 'enterprise admins'
            - 'Exchange Trusted Subsystem'
            - 'Remote Desktop Users'
            - 'Utilisateurs du Bureau à distance' # French for "Remote Desktop Users"
            - 'Usuarios de escritorio remoto' # Spanish for "Remote Desktop Users"
    condition: all of selection_*
falsepositives:
    - Administrative activity
level: medium
level: medium · quality: Moderate · alert volume: High FP
Suspicious Recursive Takeown
Adversaries can interact with DACLs using the built-in Windows command takeown, which can grant them higher permissions on specific files and folders
status: test · author: frack113 · ATT&CK: sub-technique · id: 554601fb-9b71-4bcc-abf4-21a611be4fde
carbon_black query
Image:\\takeown.exe (CommandLine:\/f\ * CommandLine:\/r*)
view Sigma YAML
title: Suspicious Recursive Takeown
id: 554601fb-9b71-4bcc-abf4-21a611be4fde
status: test
description: Adversaries can interact with DACLs using the built-in Windows command takeown, which can grant them higher permissions on specific files and folders
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md#atomic-test-1---take-ownership-using-takeown-utility
author: frack113
date: 2022-01-30
modified: 2022-11-21
tags:
    - attack.defense-impairment
    - attack.t1222.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\takeown.exe'
        CommandLine|contains|all:
            - '/f '
            - '/r'
    condition: selection
falsepositives:
    - Scripts created by developers and admins
    - Administrative activity
level: medium
level: medium · quality: Strong · alert volume: Medium FP
Suspicious Rejected SMB Guest Logon From IP
Detects attempted PrintNightmare (CVE-2021-1675) remote code execution in the Windows Spooler Service
status: test · author: Florian Roth (Nextron Systems), KevTheHermit, fuzzyf10w · ATT&CK: sub-technique · id: 71886b70-d7b4-4dbf-acce-87d2ca135262
carbon_black query
EventID:31017 UserName: ServerName:\\1*
view Sigma YAML
title: Suspicious Rejected SMB Guest Logon From IP
id: 71886b70-d7b4-4dbf-acce-87d2ca135262
status: test
description: Detects attempted PrintNightmare (CVE-2021-1675) remote code execution in the Windows Spooler Service
references:
    - https://twitter.com/KevTheHermit/status/1410203844064301056
    - https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/
    - https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare
author: Florian Roth (Nextron Systems), KevTheHermit, fuzzyf10w
date: 2021-06-30
modified: 2023-01-02
tags:
    - attack.credential-access
    - attack.t1110.001
logsource:
    product: windows
    service: smbclient-security
detection:
    selection:
        EventID: 31017
        UserName: ''
        ServerName|startswith: '\1'
    condition: selection
falsepositives:
    - Account fallback reasons (after failed login with specific account)
level: medium
level: medium · quality: Strong · alert volume: Medium FP
Suspicious Remote Logon with Explicit Credentials
Detects suspicious processes logging on with explicit credentials
status: test · author: oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Tim Shelton · ATT&CK: technique · id: 941e5c45-cda7-4864-8cea-bbb7458d194a
carbon_black query
(EventID:4648 (ProcessName:\\cmd.exe OR ProcessName:\\powershell.exe OR ProcessName:\\pwsh.exe OR ProcessName:\\winrs.exe OR ProcessName:\\wmic.exe OR ProcessName:\\net.exe OR ProcessName:\\net1.exe OR ProcessName:\\reg.exe)) (-(TargetServerName:localhost OR (SubjectUserName:$ TargetUserName:$)))
view Sigma YAML
title: Suspicious Remote Logon with Explicit Credentials
id: 941e5c45-cda7-4864-8cea-bbb7458d194a
status: test
description: Detects suspicious processes logging on with explicit credentials
references:
    - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
author: oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Tim Shelton
date: 2020-10-05
modified: 2022-08-03
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.stealth
    - attack.t1078
    - attack.lateral-movement
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4648
        ProcessName|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\winrs.exe'
            - '\wmic.exe'
            - '\net.exe'
            - '\net1.exe'
            - '\reg.exe'
    filter1:
        TargetServerName: 'localhost'
    filter2:
        SubjectUserName|endswith: '$'
        TargetUserName|endswith: '$'
    condition: selection and not 1 of filter*
falsepositives:
    - Administrators that use the RunAS command or scheduled tasks
level: medium
level: medium · quality: Moderate · alert volume: High FP
Suspicious RunAs-Like Flag Combination
Detects suspicious command line flags that let the user set a target user and a command, as seen e.g. in PsExec-like tools
status: test · author: Florian Roth (Nextron Systems) · ATT&CK: tactic-only · id: 50d66fb0-03f8-4da0-8add-84e77d12a020
carbon_black query
(CommandLine:\ \-u\ system\ * OR CommandLine:\ \-\-user\ system\ * OR CommandLine:\ \-u\ NT* OR CommandLine:\ \-u\ \"NT* OR CommandLine:\ \-u\ 'NT* OR CommandLine:\ \-\-system\ * OR CommandLine:\ \-u\ administrator\ *) (CommandLine:\ \-c\ cmd* OR CommandLine:\ \-c\ \"cmd* OR CommandLine:\ \-c\ powershell* OR CommandLine:\ \-c\ \"powershell* OR CommandLine:\ \-\-command\ cmd* OR CommandLine:\ \-\-command\ powershell* OR CommandLine:\ \-c\ whoami* OR CommandLine:\ \-c\ wscript* OR CommandLine:\ \-c\ cscript*)
view Sigma YAML
title: Suspicious RunAs-Like Flag Combination
id: 50d66fb0-03f8-4da0-8add-84e77d12a020
status: test
description: Detects suspicious command line flags that let the user set a target user and a command, as seen e.g. in PsExec-like tools
references:
    - https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html
author: Florian Roth (Nextron Systems)
date: 2022-11-11
tags:
    - attack.privilege-escalation
logsource:
    category: process_creation
    product: windows
detection:
    selection_user:
        CommandLine|contains:
            - ' -u system '
            - ' --user system '
            - ' -u NT'
            - ' -u "NT'
            - " -u 'NT"
            - ' --system '
            - ' -u administrator '
    selection_command:
        CommandLine|contains:
            - ' -c cmd'
            - ' -c "cmd'
            - ' -c powershell'
            - ' -c "powershell'
            - ' --command cmd'
            - ' --command powershell'
            - ' -c whoami'
            - ' -c wscript'
            - ' -c cscript'
    condition: all of selection*
falsepositives:
    - Unknown
level: medium
level: medium · quality: Strong · alert volume: High FP
Suspicious Rundll32 Setupapi.dll Activity
The setupapi.dll library provides the InstallHinfSection function for processing INF files. An INF file may contain instructions to create registry values, modify files and install drivers. This technique could be used to obtain persistence by modifying one of the Run or RunOnce registry keys, running a process or chaining calls to other DLLs (see references). The InstallHinfSection function in setupapi.dll calls the runonce.exe executable regardless of the actual content of the INF file.
status: test · author: Konstantin Grishchenko, oscd.community · ATT&CK: sub-technique · id: 285b85b1-a555-4095-8652-a8a4106af63f
carbon_black query
Image:\\runonce.exe ParentImage:\\rundll32.exe (ParentCommandLine:setupapi.dll* ParentCommandLine:InstallHinfSection*)
view Sigma YAML
title: Suspicious Rundll32 Setupapi.dll Activity
id: 285b85b1-a555-4095-8652-a8a4106af63f
status: test
description: The setupapi.dll library provides the InstallHinfSection function for processing INF files. An INF file may contain instructions to create registry values, modify files and install drivers. This technique could be used to obtain persistence by modifying one of the Run or RunOnce registry keys, running a process or chaining calls to other DLLs (see references). The InstallHinfSection function in setupapi.dll calls the runonce.exe executable regardless of the actual content of the INF file.
references:
    - https://lolbas-project.github.io/lolbas/Libraries/Setupapi/
    - https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf
    - https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf
    - https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20
author: Konstantin Grishchenko, oscd.community
date: 2020-10-07
modified: 2021-11-27
tags:
    - attack.stealth
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\runonce.exe'
        ParentImage|endswith: '\rundll32.exe'
        ParentCommandLine|contains|all:
            - 'setupapi.dll'
            - 'InstallHinfSection'
    condition: selection
falsepositives:
    - Scripts and administrative tools that use INF files for driver installation with setupapi.dll
level: medium
level: medium · quality: Moderate · alert volume: Medium FP
Suspicious Runscripthelper.exe
Detects execution of powershell scripts via Runscripthelper.exe
status: test · author: Victor Sergeev, oscd.community · ATT&CK: technique · id: eca49c87-8a75-4f13-9c73-a5a29e845f03
carbon_black query
Image:\\Runscripthelper.exe CommandLine:surfacecheck*
view Sigma YAML
title: Suspicious Runscripthelper.exe
id: eca49c87-8a75-4f13-9c73-a5a29e845f03
status: test
description: Detects execution of powershell scripts via Runscripthelper.exe
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Runscripthelper/
author: Victor Sergeev, oscd.community
date: 2020-10-09
modified: 2022-07-11
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\Runscripthelper.exe'
        CommandLine|contains: 'surfacecheck'
    condition: selection
falsepositives:
    - Unknown
level: medium
level: medium · quality: Moderate · alert volume: High FP
Suspicious SQL Query
Detects suspicious SQL query keywords that are often used during reconnaissance, exfiltration or destructive activities, such as dropping tables and selecting wildcard fields
status: test · author: @juju4 · ATT&CK: sub-technique · id: d84c0ded-edd7-4123-80ed-348bb3ccc4d5
carbon_black query
"drop" OR "truncate" OR "dump" OR "select\ \*"
view Sigma YAML
title: Suspicious SQL Query
id: d84c0ded-edd7-4123-80ed-348bb3ccc4d5
status: test
description: Detects suspicious SQL query keywords that are often used during reconnaissance, exfiltration or destructive activities, such as dropping tables and selecting wildcard fields
author: '@juju4'
date: 2022-12-27
references:
    - https://github.com/sqlmapproject/sqlmap
tags:
    - attack.exfiltration
    - attack.initial-access
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1190
    - attack.t1505.001
logsource:
    category: database
    definition: 'Requirements: Must be able to log the SQL queries'
detection:
    keywords:
        - 'drop'
        - 'truncate'
        - 'dump'
        - 'select \*'
    condition: keywords
falsepositives:
    - Inventory and monitoring activity
    - Vulnerability scanners
    - Legitimate applications
level: medium
level: medium · quality: Moderate · alert volume: High FP
Suspicious SYSVOL Domain Group Policy Access
Detects Access to Domain Group Policies stored in SYSVOL
status: test · author: Markus Neis, Jonhnathan Ribeiro, oscd.community · ATT&CK: sub-technique · id: 05f3c945-dcc8-4393-9f3d-af65077a8f86
carbon_black query
CommandLine:\\SYSVOL\\* CommandLine:\\policies\\*
view Sigma YAML
title: Suspicious SYSVOL Domain Group Policy Access
id: 05f3c945-dcc8-4393-9f3d-af65077a8f86
status: test
description: Detects Access to Domain Group Policies stored in SYSVOL
references:
    - https://adsecurity.org/?p=2288
    - https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100
author: Markus Neis, Jonhnathan Ribeiro, oscd.community
date: 2018-04-09
modified: 2022-01-07
tags:
    - attack.credential-access
    - attack.t1552.006
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - '\SYSVOL\'
            - '\policies\'
    condition: selection
falsepositives:
    - Administrative activity
level: medium
level: medium · quality: Strong · alert volume: High FP
Suspicious Scan Loop Network
Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system
status: test · author: frack113 · ATT&CK: technique · id: f8ad2e2c-40b6-4117-84d7-20b89896ab23
carbon_black query
(CommandLine:for\ * OR CommandLine:foreach\ *) (CommandLine:nslookup* OR CommandLine:ping*)
view Sigma YAML
title: Suspicious Scan Loop Network
id: f8ad2e2c-40b6-4117-84d7-20b89896ab23
status: test
description: Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
    - https://ss64.com/nt/for.html
    - https://ss64.com/ps/foreach-object.html
author: frack113
date: 2022-03-12
tags:
    - attack.execution
    - attack.t1059
    - attack.discovery
    - attack.t1018
logsource:
    category: process_creation
    product: windows
detection:
    selection_loop:
        CommandLine|contains:
            - 'for '
            - 'foreach '
    selection_tools:
        CommandLine|contains:
            - 'nslookup'
            - 'ping'
    condition: all of selection_*
falsepositives:
    - Legitimate script
level: medium
level: medium · quality: Strong · alert volume: Medium FP
Suspicious Scheduled Task Creation via Masqueraded XML File
Detects the creation of a scheduled task using the "-XML" flag with a file without the '.xml' extension. This behavior could indicate a defense evasion attempt during persistence
status: test · author: Swachchhanda Shrawan Poudel, Elastic (idea) · ATT&CK: sub-technique · id: dd2a821e-3b07-4d3b-a9ac-929fe4c6ca0c
carbon_black query
((Image:\\schtasks.exe OR OriginalFileName:schtasks.exe) (CommandLine:\/create* OR CommandLine:\-create*) (CommandLine:\/xml* OR CommandLine:\-xml*)) (-(CommandLine:.xml* OR (IntegrityLevel:System OR IntegrityLevel:S\-1\-16\-16384) OR (ParentImage:\\rundll32.exe (ParentCommandLine:\:\\WINDOWS\\Installer\\MSI* ParentCommandLine:.tmp,zzzzInvokeManagedCustomActionOutOfProc*)))) (-(ParentImage:\:\\ProgramData\\OEM\\UpgradeTool\\CareCenter_*\\BUnzip\\Setup_msi.exe OR ParentImage:\:\\Program\ Files\\Axis\ Communications\\AXIS\ Camera\ Station\\SetupActions.exe OR ParentImage:\:\\Program\ Files\\Axis\ Communications\\AXIS\ Device\ Manager\\AdmSetupActions.exe OR ParentImage:\:\\Program\ Files\ \(x86\)\\Zemana\\AntiMalware\\AntiMalware.exe OR ParentImage:\:\\Program\ Files\\Dell\\SupportAssist\\pcdrcui.exe))
view Sigma YAML
title: Suspicious Scheduled Task Creation via Masqueraded XML File
id: dd2a821e-3b07-4d3b-a9ac-929fe4c6ca0c
status: test
description: Detects the creation of a scheduled task using the "-XML" flag with a file without the '.xml' extension. This behavior could indicate a defense evasion attempt during persistence
references:
    - https://learn.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml-
    - https://github.com/elastic/protections-artifacts/blob/084067123d3328a823b1c3fdde305b694275c794/behavior/rules/persistence_suspicious_scheduled_task_creation_via_masqueraded_xml_file.toml
author: Swachchhanda Shrawan Poudel, Elastic (idea)
date: 2023-04-20
modified: 2024-12-01
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.stealth
    - attack.t1036.005
    - attack.t1053.005
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\schtasks.exe'
        - OriginalFileName: 'schtasks.exe'
    selection_cli_create:
        CommandLine|contains:
            - '/create'
            - '-create'
    selection_cli_xml:
        CommandLine|contains:
            - '/xml'
            - '-xml'
    filter_main_extension_xml:
        CommandLine|contains: '.xml'
    filter_main_system_process:
        IntegrityLevel:
            - 'System'
            - 'S-1-16-16384'
    filter_main_rundll32:
        ParentImage|endswith: '\rundll32.exe'
        ParentCommandLine|contains|all:
            - ':\WINDOWS\Installer\MSI'
            - '.tmp,zzzzInvokeManagedCustomActionOutOfProc'
    filter_optional_third_party:
        ParentImage|endswith:
            # Consider removing any tools that you don't use to avoid blind spots
            - ':\ProgramData\OEM\UpgradeTool\CareCenter_*\BUnzip\Setup_msi.exe'
            - ':\Program Files\Axis Communications\AXIS Camera Station\SetupActions.exe'
            - ':\Program Files\Axis Communications\AXIS Device Manager\AdmSetupActions.exe'
            - ':\Program Files (x86)\Zemana\AntiMalware\AntiMalware.exe'
            - ':\Program Files\Dell\SupportAssist\pcdrcui.exe'
    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
medium Strong Medium FP
Suspicious Scheduled Task Name As GUID
Detects creation of a scheduled task with a GUID-like name.
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK: sub-technique · id: ff2fff64-4cd6-4a2b-ba7d-e28a30bbe66b
carbon_black query
(Image:\\schtasks.exe CommandLine:\/Create\ *) (CommandLine:\/TN\ \"\{* OR CommandLine:\/TN\ '\{* OR CommandLine:\/TN\ \{*) (CommandLine:\}\"* OR CommandLine:\}'* OR CommandLine:\}\ *)
view Sigma YAML
title: Suspicious Scheduled Task Name As GUID
id: ff2fff64-4cd6-4a2b-ba7d-e28a30bbe66b
status: test
description: Detects creation of a scheduled task with a GUID-like name.
references:
    - https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/
    - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-31
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.t1053.005
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains: '/Create '
    selection_tn:
        CommandLine|contains:
            # Can start with single or double quote
            - '/TN "{'
            - "/TN '{"
            - "/TN {"
    selection_end:
        CommandLine|contains:
            # Ending of the name to avoid possible FP in the rest of the commandline
            - '}"'
            - "}'"
            - '} '
    condition: all of selection_*
falsepositives:
    - Legitimate software naming their tasks as GUIDs
level: medium
medium Strong Medium FP
Suspicious Schtasks Schedule Type With High Privileges
Detects scheduled task creation or modification that runs the task with high privileges on a suspicious schedule type.
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK: sub-technique · id: 7a02e22e-b885-4404-b38b-1ddc7e65258a
carbon_black query
(Image:\\schtasks.exe OR OriginalFileName:schtasks.exe) (CommandLine:\ ONLOGON\ * OR CommandLine:\ ONSTART\ * OR CommandLine:\ ONCE\ * OR CommandLine:\ ONIDLE\ *) (CommandLine:NT\ AUT* OR CommandLine:\ SYSTEM* OR CommandLine:HIGHEST*)
view Sigma YAML
title: Suspicious Schtasks Schedule Type With High Privileges
id: 7a02e22e-b885-4404-b38b-1ddc7e65258a
related:
    - id: 24c8392b-aa3c-46b7-a545-43f71657fe98
      type: similar
status: test
description: Detects scheduled task creation or modification that runs the task with high privileges on a suspicious schedule type.
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-31
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.t1053.005
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\schtasks.exe'
        - OriginalFileName: 'schtasks.exe'
    selection_time:
        CommandLine|contains:
            - ' ONLOGON '
            - ' ONSTART '
            - ' ONCE '
            - ' ONIDLE '
    selection_privs:
        CommandLine|contains:
            - 'NT AUT' # This covers the usual NT AUTHORITY\SYSTEM
            - ' SYSTEM' # SYSTEM is a valid value for schtasks, hence it gets its own value with a leading space
            - 'HIGHEST'
    condition: all of selection_*
falsepositives:
    - Some installers have been seen using this method of creation. Filter them in your environment.
level: medium
medium Strong Medium FP
Suspicious ScreenSave Change by Reg.exe
Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.
status: test · author: frack113 · ATT&CK: sub-technique · id: 0fc35fc3-efe6-4898-8a37-0b233339524f
carbon_black query
(Image:\\reg.exe (CommandLine:HKEY_CURRENT_USER\\Control\ Panel\\Desktop* OR CommandLine:HKCU\\Control\ Panel\\Desktop*)) ((CommandLine:\/v\ ScreenSaveActive* CommandLine:\/t\ REG_SZ* CommandLine:\/d\ 1* CommandLine:\/f*) OR (CommandLine:\/v\ ScreenSaveTimeout* CommandLine:\/t\ REG_SZ* CommandLine:\/d\ * CommandLine:\/f*) OR (CommandLine:\/v\ ScreenSaverIsSecure* CommandLine:\/t\ REG_SZ* CommandLine:\/d\ 0* CommandLine:\/f*) OR (CommandLine:\/v\ SCRNSAVE.EXE* CommandLine:\/t\ REG_SZ* CommandLine:\/d\ * CommandLine:.scr* CommandLine:\/f*))
view Sigma YAML
title: Suspicious ScreenSave Change by Reg.exe
id: 0fc35fc3-efe6-4898-8a37-0b233339524f
status: test
description: |
    Adversaries may establish persistence by executing malicious content triggered by user inactivity.
    Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md
    - https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf
author: frack113
date: 2021-08-19
modified: 2022-06-02
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1546.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_reg:
        Image|endswith: '\reg.exe'
        CommandLine|contains:
            - 'HKEY_CURRENT_USER\Control Panel\Desktop'
            - 'HKCU\Control Panel\Desktop'
    selection_option_1: # /force Active ScreenSaveActive
        CommandLine|contains|all:
            - '/v ScreenSaveActive'
            - '/t REG_SZ'
            - '/d 1'
            - '/f'
    selection_option_2: # /force  set ScreenSaveTimeout
        CommandLine|contains|all:
            - '/v ScreenSaveTimeout'
            - '/t REG_SZ'
            - '/d '
            - '/f'
    selection_option_3: # /force set ScreenSaverIsSecure
        CommandLine|contains|all:
            - '/v ScreenSaverIsSecure'
            - '/t REG_SZ'
            - '/d 0'
            - '/f'
    selection_option_4: # /force set a .scr
        CommandLine|contains|all:
            - '/v SCRNSAVE.EXE'
            - '/t REG_SZ'
            - '/d '
            - '.scr'
            - '/f'
    condition: selection_reg and 1 of selection_option_*
falsepositives:
    - GPO
level: medium
medium Moderate Medium FP
Suspicious Screensaver Binary File Creation
Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.
status: test · author: frack113 · ATT&CK: sub-technique · id: 97aa2e88-555c-450d-85a6-229bcd87efb8
carbon_black query
TargetFilename:.scr (-((Image:\\Kindle.exe OR Image:\\Bin\\ccSvcHst.exe) OR (Image:\\TiWorker.exe TargetFilename:\\uwfservicingscr.scr)))
view Sigma YAML
title: Suspicious Screensaver Binary File Creation
id: 97aa2e88-555c-450d-85a6-229bcd87efb8
status: test
description: |
    Adversaries may establish persistence by executing malicious content triggered by user inactivity.
    Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md
author: frack113
date: 2021-12-29
modified: 2022-11-08
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.002
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith: '.scr'
    filter_generic:
        Image|endswith:
            - '\Kindle.exe'
            - '\Bin\ccSvcHst.exe' # Symantec Endpoint Protection
    filter_tiworker:
        # ParentCommandLine: C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p
        Image|endswith: '\TiWorker.exe'
        TargetFilename|endswith: '\uwfservicingscr.scr'
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: medium
medium Strong Medium FP
Suspicious Service Installed
Detects installation of the NalDrv or PROCEXP152 services via registry keys pointing to non-system32 folders. Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU).
status: test · author: xknow (@xknow_infosec), xorxes (@xor_xes) · ATT&CK: technique · id: f2485272-a156-4773-82d7-1d178bc4905b
carbon_black query
(TargetObject:HKLM\\System\\CurrentControlSet\\Services\\NalDrv\\ImagePath OR TargetObject:HKLM\\System\\CurrentControlSet\\Services\\PROCEXP152\\ImagePath) (-((Image:\\procexp64.exe OR Image:\\procexp.exe OR Image:\\procmon64.exe OR Image:\\procmon.exe OR Image:\\handle.exe OR Image:\\handle64.exe) Details:\\WINDOWS\\system32\\Drivers\\PROCEXP152.SYS*))
view Sigma YAML
title: Suspicious Service Installed
id: f2485272-a156-4773-82d7-1d178bc4905b
status: test
description: |
  Detects installation of the NalDrv or PROCEXP152 services via registry keys pointing to non-system32 folders.
  Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU).
references:
    - https://web.archive.org/web/20200419024230/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
author: xknow (@xknow_infosec), xorxes (@xor_xes)
date: 2019-04-08
modified: 2023-08-17
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject:
            - 'HKLM\System\CurrentControlSet\Services\NalDrv\ImagePath'
            - 'HKLM\System\CurrentControlSet\Services\PROCEXP152\ImagePath'
    filter:
        Image|endswith:
            # Please add the full paths that you use in your environment to tighten the rule
            - '\procexp64.exe'
            - '\procexp.exe'
            - '\procmon64.exe'
            - '\procmon.exe'
            - '\handle.exe'
            - '\handle64.exe'
        Details|contains: '\WINDOWS\system32\Drivers\PROCEXP152.SYS'
    condition: selection and not filter
falsepositives:
    - Other legitimate tools using these service names and drivers. Note that attackers may easily bypass this detection simply by renaming the services; therefore the rule is only medium level and should not be relied upon alone.
level: medium
medium Moderate High FP
Suspicious Set Value of MSDT in Registry (CVE-2022-30190)
Detects a value being set under the ms-msdt MSProtocol URI scheme key in the registry, which could be an attempt to exploit CVE-2022-30190.
status: test · author: Sittikorn S · ATT&CK: technique · id: 2d9403d5-7927-46b7-8216-37ab7c9ec5e3
carbon_black query
TargetObject:HKCR\\ms\-msdt\\*
view Sigma YAML
title: Suspicious Set Value of MSDT in Registry (CVE-2022-30190)
id: 2d9403d5-7927-46b7-8216-37ab7c9ec5e3
status: test
description: Detects a value being set under the ms-msdt MSProtocol URI scheme key in the registry, which could be an attempt to exploit CVE-2022-30190.
references:
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190
    - https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
author: Sittikorn S
date: 2020-05-31
modified: 2023-08-17
tags:
    - attack.stealth
    - attack.t1221
    - detection.emerging-threats
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|startswith: 'HKCR\ms-msdt\'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium Moderate Medium FP
Suspicious Shell Open Command Registry Modification
Detects modifications to shell open registry keys that point to suspicious locations typically used by malware for persistence. Generally, modifications to the `*\shell\open\command` registry key can indicate an attempt to change the default action for opening files, and various UAC bypass or persistence techniques involve modifying these keys to execute malicious scripts or binaries.
status: experimental · author: Swachchhanda Shrawan Poudel (Nextron Systems) · ATT&CK: sub-technique · id: 9e8894c0-0ae0-11ef-9d85-1f2942bec57c
carbon_black query
TargetObject:\\shell\\open\\command\\* (Details:\\$Recycle.Bin\\* OR Details:\\AppData\\Local\\Temp\\* OR Details:\\Contacts\\* OR Details:\\Music\\* OR Details:\\PerfLogs\\* OR Details:\\Photos\\* OR Details:\\Pictures\\* OR Details:\\Users\\Public\\* OR Details:\\Videos\\* OR Details:\\Windows\\Temp\\* OR Details:%AppData%* OR Details:%LocalAppData%* OR Details:%Temp%* OR Details:%tmp%*)
view Sigma YAML
title: Suspicious Shell Open Command Registry Modification
id: 9e8894c0-0ae0-11ef-9d85-1f2942bec57c
status: experimental
description: |
    Detects modifications to shell open registry keys that point to suspicious locations typically used by malware for persistence.
    Generally, modifications to the `*\shell\open\command` registry key can indicate an attempt to change the default action for opening files,
    and various UAC bypass or persistence techniques involve modifying these keys to execute malicious scripts or binaries.
references:
    - https://www.trendmicro.com/en_us/research/25/f/water-curse.html
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-24
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1548.002
    - attack.t1546.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\shell\open\command\'
        Details|contains:
            - '\$Recycle.Bin\'
            - '\AppData\Local\Temp\'
            - '\Contacts\'
            - '\Music\'
            - '\PerfLogs\'
            - '\Photos\'
            - '\Pictures\'
            - '\Users\Public\'
            - '\Videos\'
            - '\Windows\Temp\'
            - '%AppData%'
            - '%LocalAppData%'
            - '%Temp%'
            - '%tmp%'
    condition: selection
falsepositives:
    - Legitimate software installations or updates that modify the shell open command registry keys to these locations.
level: medium
medium Moderate High FP
Suspicious Start-Process PassThru
Detects PowerShell using the Start-Process -PassThru option to start a process in the background.
status: test · author: frack113 · ATT&CK: sub-technique · id: 0718cd72-f316-4aa2-988f-838ea8533277
carbon_black query
ScriptBlockText:Start\-Process* ScriptBlockText:\-PassThru\ * ScriptBlockText:\-FilePath\ *
view Sigma YAML
title: Suspicious Start-Process PassThru
id: 0718cd72-f316-4aa2-988f-838ea8533277
status: test
description: Detects PowerShell using the Start-Process -PassThru option to start a process in the background.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.003/T1036.003.md
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7
author: frack113
date: 2022-01-15
tags:
    - attack.stealth
    - attack.t1036.003
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - Start-Process
            - '-PassThru '
            - '-FilePath '
    condition: selection
falsepositives:
    - Legitimate PowerShell scripts
level: medium
medium Moderate Medium FP
Suspicious SysAidServer Child
Detects suspicious child processes of SysAidServer (as seen in MERCURY threat actor intrusions)
status: test · author: Florian Roth (Nextron Systems) · ATT&CK: technique · id: 60bfeac3-0d35-4302-8efb-1dd16f715bc6
carbon_black query
(ParentImage:\\java.exe OR ParentImage:\\javaw.exe) ParentCommandLine:SysAidServer*
view Sigma YAML
title: Suspicious SysAidServer Child
id: 60bfeac3-0d35-4302-8efb-1dd16f715bc6
status: test
description: Detects suspicious child processes of SysAidServer (as seen in MERCURY threat actor intrusions)
references:
    - https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/
author: Florian Roth (Nextron Systems)
date: 2022-08-26
tags:
    - attack.lateral-movement
    - attack.t1210
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\java.exe'
            - '\javaw.exe'
        ParentCommandLine|contains: 'SysAidServer'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium Moderate High FP
Suspicious TCP Tunnel Via PowerShell Script
Detects PowerShell scripts that create sockets/listeners, which could be indicative of tunneling activity.
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK: technique · id: bd33d2aa-497e-4651-9893-5c5364646595
carbon_black query
ScriptBlockText:\[System.Net.HttpWebRequest\]* ScriptBlockText:System.Net.Sockets.TcpListener* ScriptBlockText:AcceptTcpClient*
view Sigma YAML
title: Suspicious TCP Tunnel Via PowerShell Script
id: bd33d2aa-497e-4651-9893-5c5364646595
status: test
description: Detects PowerShell scripts that create sockets/listeners, which could be indicative of tunneling activity.
references:
    - https://github.com/Arno0x/PowerShellScripts/blob/a6b7d5490fbf0b20f91195838f3a11156724b4f7/proxyTunnel.ps1
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-08
tags:
    - attack.command-and-control
    - attack.t1090
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - '[System.Net.HttpWebRequest]'
            - 'System.Net.Sockets.TcpListener'
            - 'AcceptTcpClient'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium Moderate High FP
Suspicious Unblock-File
Detects removal of the Zone.Identifier alternate data stream, which marks a file as downloaded from the internet.
status: test · author: frack113 · ATT&CK: sub-technique · id: 5947497f-1aa4-41dd-9693-c9848d58727d
carbon_black query
ScriptBlockText:Unblock\-File\ * ScriptBlockText:\-Path\ *
view Sigma YAML
title: Suspicious Unblock-File
id: 5947497f-1aa4-41dd-9693-c9848d58727d
status: test
description: Detects removal of the Zone.Identifier alternate data stream, which marks a file as downloaded from the internet.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-3---remove-the-zoneidentifier-alternate-data-stream
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2
author: frack113
date: 2022-02-01
tags:
    - attack.defense-impairment
    - attack.t1553.005
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'Unblock-File '
            - '-Path '
    condition: selection
falsepositives:
    - Legitimate PowerShell scripts
level: medium
medium Moderate High FP
Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)
Detects execution of ntdsutil.exe to perform actions such as restoring snapshots.
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK: sub-technique · id: a58353df-af43-4753-bad0-cd83ef35eef5
carbon_black query
(Image:\\ntdsutil.exe OR OriginalFileName:ntdsutil.exe) ((CommandLine:snapshot* CommandLine:mount\ *) OR (CommandLine:ac* CommandLine:\ i* CommandLine:\ ntds*))
view Sigma YAML
title: Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)
id: a58353df-af43-4753-bad0-cd83ef35eef5
related:
    - id: 2afafd61-6aae-4df4-baed-139fa1f4c345
      type: derived
status: test
description: Detects execution of ntdsutil.exe to perform actions such as restoring snapshots.
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11)
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-14
tags:
    - attack.credential-access
    - attack.t1003.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\ntdsutil.exe'
        - OriginalFileName: 'ntdsutil.exe'
    selection_cli:
        - CommandLine|contains|all:
              - 'snapshot'
              - 'mount ' # mounts a specific snapshot - Ex: ntdsutil snapshot "mount c2b3e2c6-1ffb-4625-ba8e-3503c27a9fcb" quit quit
        - CommandLine|contains|all:
              # This offers more coverage to the "selection_oneliner_1" case in rule 8bc64091-6875-4881-aaf9-7bd25b5dda08
              # The shortest form of "activate" is "ac", but "act", "acti", etc. are also valid forms
              # The same applies to the "instance" flag
              - 'ac'
              - ' i'
              - ' ntds'
    condition: all of selection_*
falsepositives:
    - Legitimate usage to restore snapshots
    - Legitimate admin activity
level: medium
medium Moderate High FP
Suspicious Usage of For Loop with Recursive Directory Search in CMD
Detects suspicious usage of the cmd.exe 'for /f' loop combined with the 'tokens=' parameter and a recursive directory listing. This pattern may indicate an attempt to discover and execute system binaries dynamically, for example powershell, a technique sometimes used by attackers to evade detection. This behavior has been observed in various malicious lnk files.
status: experimental · author: Joseliyo Sanchez, @Joseliyo_Jstnk · ATT&CK: sub-technique · id: 2782fbd8-b662-4eb5-9962-5bfbfb671e7b
carbon_black query
(CommandLine:for\ \/f* CommandLine:tokens=* CommandLine:in\ \(* CommandLine:dir*) OR (ParentCommandLine:for\ \/f* ParentCommandLine:tokens=* ParentCommandLine:in\ \(* ParentCommandLine:dir*)
view Sigma YAML
title: Suspicious Usage of For Loop with Recursive Directory Search in CMD
id: 2782fbd8-b662-4eb5-9962-5bfbfb671e7b
status: experimental
description: |
    Detects suspicious usage of the cmd.exe 'for /f' loop combined with the 'tokens=' parameter and a recursive directory listing.
    This pattern may indicate an attempt to discover and execute system binaries dynamically, for example powershell, a technique sometimes used by attackers to evade detection.
    This behavior has been observed in various malicious lnk files.
references:
    - https://www.virustotal.com/gui/file/29837d0d3202758063185828c8f8d9e0b7b42b365c8941cc926d2d7c7bae2fb3
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2025-11-12
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.003
    - attack.t1027.010
logsource:
    category: process_creation
    product: windows
detection:
    selection_tokens:
        CommandLine|contains|all:
            - 'for /f'
            - 'tokens='
            - 'in ('
            - 'dir'
    selection_tokens_parent:
        ParentCommandLine|contains|all:
            - 'for /f'
            - 'tokens='
            - 'in ('
            - 'dir'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: medium
medium Moderate Medium FP
Suspicious Use of /dev/tcp
Detects suspicious commands that use /dev/tcp.
status: test · author: frack113 · ATT&CK: tactic-only · id: 6cc5fceb-9a71-4c23-aeeb-963abe0b279c
carbon_black query
"cat\ <\/dev\/tcp\/" OR "exec\ 3<>\/dev\/tcp\/" OR "echo\ >\/dev\/tcp\/" OR "bash\ \-i\ >&\ \/dev\/tcp\/" OR "sh\ \-i\ >&\ \/dev\/udp\/" OR "0<&196;exec\ 196<>\/dev\/tcp\/" OR "exec\ 5<>\/dev\/tcp\/" OR "\(sh\)0>\/dev\/tcp\/" OR "bash\ \-c\ 'bash\ \-i\ >&\ \/dev\/tcp\/" OR "echo\ \-e\ '#\!\/bin\/bash\\nbash\ \-i\ >&\ \/dev\/tcp\/"
view Sigma YAML
title: Suspicious Use of /dev/tcp
id: 6cc5fceb-9a71-4c23-aeeb-963abe0b279c
status: test
description: Detects suspicious commands that use /dev/tcp.
references:
    - https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/
    - https://book.hacktricks.xyz/shells/shells/linux
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-1---port-scan
author: frack113
date: 2021-12-10
modified: 2023-01-06
tags:
    - attack.reconnaissance
logsource:
    product: linux
detection:
    keywords:
        - 'cat </dev/tcp/'
        - 'exec 3<>/dev/tcp/'
        - 'echo >/dev/tcp/'
        - 'bash -i >& /dev/tcp/'
        - 'sh -i >& /dev/udp/'
        - '0<&196;exec 196<>/dev/tcp/'
        - 'exec 5<>/dev/tcp/'
        - '(sh)0>/dev/tcp/'
        - 'bash -c ''bash -i >& /dev/tcp/'
        - 'echo -e ''#!/bin/bash\nbash -i >& /dev/tcp/'
    condition: keywords
falsepositives:
    - Unknown
level: medium
medium Strong Medium FP
Suspicious Use of PsLogList
Detects usage of the PsLogList utility to dump event logs in order to extract admin accounts and perform account discovery, or to delete event logs.
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK: sub-technique · id: aae1243f-d8af-40d8-ab20-33fc6d0c55bc
carbon_black query
(OriginalFileName:psloglist.exe OR (Image:\\psloglist.exe OR Image:\\psloglist64.exe)) (CommandLine:\ security* OR CommandLine:\ application* OR CommandLine:\ system*) (CommandLine:\ \-d* OR CommandLine:\ \/d* OR CommandLine:\ –d* OR CommandLine:\ —d* OR CommandLine:\ ―d* OR CommandLine:\ \-x* OR CommandLine:\ \/x* OR CommandLine:\ –x* OR CommandLine:\ —x* OR CommandLine:\ ―x* OR CommandLine:\ \-s* OR CommandLine:\ \/s* OR CommandLine:\ –s* OR CommandLine:\ —s* OR CommandLine:\ ―s* OR CommandLine:\ \-c* OR CommandLine:\ \/c* OR CommandLine:\ –c* OR CommandLine:\ —c* OR CommandLine:\ ―c* OR CommandLine:\ \-g* OR CommandLine:\ \/g* OR CommandLine:\ –g* OR CommandLine:\ —g* OR CommandLine:\ ―g*)
view Sigma YAML
title: Suspicious Use of PsLogList
id: aae1243f-d8af-40d8-ab20-33fc6d0c55bc
status: test
description: Detects usage of the PsLogList utility to dump event logs in order to extract admin accounts and perform account discovery, or to delete event logs.
references:
    - https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/
    - https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos
    - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList
    - https://twitter.com/EricaZelic/status/1614075109827874817
author: Nasreddine Bencherchali (Nextron Systems)
date: 2021-12-18
modified: 2024-03-05
tags:
    - attack.discovery
    - attack.t1087
    - attack.t1087.001
    - attack.t1087.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'psloglist.exe'
        - Image|endswith:
              - '\psloglist.exe'
              - '\psloglist64.exe'
    selection_cli_eventlog:
        CommandLine|contains:
            - ' security'
            - ' application'
            - ' system'
    selection_cli_flags:
        CommandLine|contains|windash:
            - ' -d'
            - ' -x'
            - ' -s'
            - ' -c' # Clear event log after displaying
            - ' -g' # Export an event log as an evt file.
    condition: all of selection_*
falsepositives:
    - Another tool that uses the command line switches of PsLogList
    - Legitimate use of PsLogList by an administrator
level: medium
medium Moderate High FP
Suspicious User-Agents Related To Recon Tools
Detects known suspicious (default) user-agents related to scanning/recon tools
status: test · author: Nasreddine Bencherchali (Nextron Systems), Tim Shelton · ATT&CK: technique · id: 19aa4f58-94ca-45ff-bc34-92e533c0994a
carbon_black query
"cs-user-agent":Wfuzz\/* OR "cs-user-agent":WPScan\ v* OR "cs-user-agent":Recon\-ng\/v* OR "cs-user-agent":GIS\ \-\ AppSec\ Team\ \-\ Project\ Vision*
view Sigma YAML
title: Suspicious User-Agents Related To Recon Tools
id: 19aa4f58-94ca-45ff-bc34-92e533c0994a
status: test
description: Detects known suspicious (default) user-agents related to scanning/recon tools
references:
    - https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb
    - https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst
    - https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92
author: Nasreddine Bencherchali (Nextron Systems), Tim Shelton
date: 2022-07-19
modified: 2023-01-02
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    category: webserver
detection:
    selection:
        cs-user-agent|contains:
            # Add more tools as you see fit
            - 'Wfuzz/'
            - 'WPScan v'
            - 'Recon-ng/v'
            - 'GIS - AppSec Team - Project Vision'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium Moderate High FP
Suspicious VBoxDrvInst.exe Parameters
Detects VBoxDrvInst.exe run with parameters that allow processing an INF file. This makes it possible to create values in the registry and install drivers; for example, this technique could be used to obtain persistence by modifying the Run or RunOnce registry keys.
status: test · author: Konstantin Grishchenko, oscd.community · ATT&CK: technique · id: b7b19cb6-9b32-4fc4-a108-73f19acfe262
carbon_black query
Image:\\VBoxDrvInst.exe (CommandLine:driver* CommandLine:executeinf*)
view Sigma YAML
title: Suspicious VBoxDrvInst.exe Parameters
id: b7b19cb6-9b32-4fc4-a108-73f19acfe262
status: test
description: |
  Detect VBoxDrvInst.exe run with parameters allowing processing INF file.
  This allows to create values in the registry and install drivers.
  For example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys
references:
    - https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml
    - https://twitter.com/pabraeken/status/993497996179492864
author: Konstantin Grishchenko, oscd.community
date: 2020-10-06
modified: 2021-11-27
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\VBoxDrvInst.exe'
        CommandLine|contains|all:
            - 'driver'
            - 'executeinf'
    condition: selection
falsepositives:
    - Legitimate use of VBoxDrvInst.exe utility by VirtualBox Guest Additions installation process
level: medium
medium Moderate High FP
Suspicious VSFTPD Error Messages
Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploitation attempts
status: test, author: Florian Roth (Nextron Systems), rule id: 377f33a1-4b36-4ee1-acee-1dbe4b43cfbe
carbon_black query
"Connection\ refused\:\ too\ many\ sessions\ for\ this\ address." OR "Connection\ refused\:\ tcp_wrappers\ denial." OR "Bad\ HTTP\ verb." OR "port\ and\ pasv\ both\ active" OR "pasv\ and\ port\ both\ active" OR "Transfer\ done\ \(but\ failed\ to\ open\ directory\)." OR "Could\ not\ set\ file\ modification\ time." OR "bug\:\ pid\ active\ in\ ptrace_sandbox_free" OR "PTRACE_SETOPTIONS\ failure" OR "weird\ status\:" OR "couldn't\ handle\ sandbox\ event" OR "syscall\ *\ out\ of\ bounds" OR "syscall\ not\ permitted\:" OR "syscall\ validate\ failed\:" OR "Input\ line\ too\ long." OR "poor\ buffer\ accounting\ in\ str_netfd_alloc" OR "vsf_sysutil_read_loop"
view Sigma YAML
title: Suspicious VSFTPD Error Messages
id: 377f33a1-4b36-4ee1-acee-1dbe4b43cfbe
status: test
description: Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
references:
    - https://github.com/dagwieers/vsftpd/
author: Florian Roth (Nextron Systems)
date: 2017-07-05
modified: 2021-11-27
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    product: linux
    service: vsftpd
detection:
    keywords:
        - 'Connection refused: too many sessions for this address.'
        - 'Connection refused: tcp_wrappers denial.'
        - 'Bad HTTP verb.'
        - 'port and pasv both active'
        - 'pasv and port both active'
        - 'Transfer done (but failed to open directory).'
        - 'Could not set file modification time.'
        - 'bug: pid active in ptrace_sandbox_free'
        - 'PTRACE_SETOPTIONS failure'
        - 'weird status:'
        - 'couldn''t handle sandbox event'
        - 'syscall * out of bounds'
        - 'syscall not permitted:'
        - 'syscall validate failed:'
        - 'Input line too long.'
        - 'poor buffer accounting in str_netfd_alloc'
        - 'vsf_sysutil_read_loop'
    condition: keywords
falsepositives:
    - Unknown
level: medium
medium Strong Medium FP
Suspicious Vsls-Agent Command With AgentExtensionPath Load
Detects Microsoft Visual Studio vsls-agent.exe lolbin execution with a suspicious library load using the --agentExtensionPath parameter
status: test, author: bohops, rule id: 43103702-5886-11ed-9b6a-0242ac120002
carbon_black query
(Image:\\vsls\-agent.exe CommandLine:\-\-agentExtensionPath*) (-CommandLine:Microsoft.VisualStudio.LiveShare.Agent.*)
view Sigma YAML
title: Suspicious Vsls-Agent Command With AgentExtensionPath Load
id: 43103702-5886-11ed-9b6a-0242ac120002
status: test
description: Detects Microsoft Visual Studio vsls-agent.exe lolbin execution with a suspicious library load using the --agentExtensionPath parameter
references:
    - https://twitter.com/bohops/status/1583916360404729857
author: bohops
date: 2022-10-30
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\vsls-agent.exe'
        CommandLine|contains: '--agentExtensionPath'
    filter:
        CommandLine|contains: 'Microsoft.VisualStudio.LiveShare.Agent.'
    condition: selection and not filter
falsepositives:
    - False positives depend on custom use of vsls-agent.exe
level: medium
medium Moderate High FP
Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE
Detects the usage of "reg.exe" to add Defender folder exclusions. Qbot has been seen using this technique to add exclusions for folders within AppData and ProgramData.
status: test, author: frack113, rule id: 48917adc-a28e-4f5d-b729-11e75da8941f
carbon_black query
Image:\\reg.exe (CommandLine:SOFTWARE\\Microsoft\\Windows\ Defender\\Exclusions\\Paths* OR CommandLine:SOFTWARE\\Microsoft\\Microsoft\ Antimalware\\Exclusions\\Paths*) (CommandLine:ADD\ * CommandLine:\/t\ * CommandLine:REG_DWORD\ * CommandLine:\/v\ * CommandLine:\/d\ * CommandLine:0*)
view Sigma YAML
title: Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE
id: 48917adc-a28e-4f5d-b729-11e75da8941f
status: test
description: Detects the usage of "reg.exe" to add Defender folder exclusions. Qbot has been seen using this technique to add exclusions for folders within AppData and ProgramData.
references:
    - https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/
    - https://redcanary.com/threat-detection-report/threats/qbot/
author: frack113
date: 2022-02-13
modified: 2023-02-04
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\reg.exe'
        CommandLine|contains:
            - 'SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'
            - 'SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths'
        CommandLine|contains|all:
            - 'ADD '
            - '/t '
            - 'REG_DWORD '
            - '/v '
            - '/d '
            - '0'
    condition: selection
falsepositives:
    - Legitimate use
level: medium
Showing 1201-1250 of 1,440