Tool
EDR / XDR
VMware Carbon Black
1,440 rules · Sigma detections in VMware Carbon Black syntax
The same Sigma detection corpus, machine-rendered into VMware Carbon Black query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 3,646 rules (.zip, 1.2 MB)
Every VMware Carbon Black query in this view, packaged to deploy.
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance12
Resource Development10
Initial Access10
Execution30
Persistence42
Privilege Escalation20
Stealth79
Defense Impairment32
Credential Access35
Discovery33
Lateral Movement16
Collection20
Command and Control24
Exfiltration10
Impact18
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
◈
Detection rules
50 shown of 1,440
medium
Strong
Medium FP
Suspicious WindowsTerminal Child Processes
Detects suspicious children spawned via the Windows Terminal application which could be a sign of persistence via WindowsTerminal (see references section)
view Sigma YAML
title: Suspicious WindowsTerminal Child Processes
id: 8de89e52-f6e1-4b5b-afd1-41ecfa300d48
status: test
description: Detects suspicious children spawned via the Windows Terminal application which could be a sign of persistence via WindowsTerminal (see references section)
references:
- https://persistence-info.github.io/Data/windowsterminalprofile.html
- https://twitter.com/nas_bench/status/1550836225652686848
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-25
modified: 2023-02-14
tags:
- attack.execution
- attack.persistence
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith:
- '\WindowsTerminal.exe'
- '\wt.exe'
selection_susp:
- Image|endswith:
# Add more LOLBINS
- '\rundll32.exe'
- '\regsvr32.exe'
- '\certutil.exe'
- '\cscript.exe'
- '\wscript.exe'
- '\csc.exe'
- Image|contains:
# Add more suspicious paths
- 'C:\Users\Public\'
- '\Downloads\'
- '\Desktop\'
- '\AppData\Local\Temp\'
- '\Windows\TEMP\'
- CommandLine|contains:
# Add more suspicious commandline
- ' iex '
- ' icm'
- 'Invoke-'
- 'Import-Module '
- 'ipmo '
- 'DownloadString('
- ' /c '
- ' /k '
- ' /r '
filter_builtin_visual_studio_shell:
CommandLine|contains|all:
- 'Import-Module'
- 'Microsoft.VisualStudio.DevShell.dll'
- 'Enter-VsDevShell'
filter_open_settings:
CommandLine|contains|all:
- '\AppData\Local\Packages\Microsoft.WindowsTerminal_'
- '\LocalState\settings.json'
filter_vsdevcmd:
CommandLine|contains|all:
- 'C:\Program Files\Microsoft Visual Studio\'
- '\Common7\Tools\VsDevCmd.bat'
condition: all of selection_* and not 1 of filter_*
falsepositives:
- Other legitimate "Windows Terminal" profiles
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Suspicious Wordpad Outbound Connections
Detects a network connection initiated by "wordpad.exe" over uncommon destination ports.
This might indicate potential process injection activity from a beacon or similar mechanisms.
view Sigma YAML
title: Suspicious Wordpad Outbound Connections
id: 786cdae8-fefb-4eb2-9227-04e34060db01
status: test
description: |
Detects a network connection initiated by "wordpad.exe" over uncommon destination ports.
This might indicate potential process injection activity from a beacon or similar mechanisms.
references:
- https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
author: X__Junior (Nextron Systems)
date: 2023-07-12
modified: 2023-12-15
tags:
- attack.command-and-control
- attack.stealth
logsource:
category: network_connection
product: windows
detection:
selection:
Initiated: 'true'
Image|endswith: '\wordpad.exe'
filter_main_ports:
DestinationPort:
- 80
- 139
- 443
- 445
- 465
- 587
- 993
- 995
condition: selection and not 1 of filter_main_*
falsepositives:
- Other ports can be used, apply additional filters accordingly
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Suspicious Workstation Locking via Rundll32
Detects a suspicious call to the user32.dll function that locks the user workstation
view Sigma YAML
title: Suspicious Workstation Locking via Rundll32
id: 3b5b0213-0460-4e3f-8937-3abf98ff7dcc
status: test
description: Detects a suspicious call to the user32.dll function that locks the user workstation
references:
- https://app.any.run/tasks/2aef9c63-f944-4763-b3ef-81eee209d128/
author: frack113
date: 2022-06-04
modified: 2023-02-09
tags:
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection_call_img:
- Image|endswith: '\rundll32.exe'
- OriginalFileName: 'RUNDLL32.EXE'
selection_call_parent:
ParentImage|endswith: '\cmd.exe'
selection_call_cli:
CommandLine|contains: 'user32.dll,'
selection_function:
CommandLine|contains: 'LockWorkStation'
condition: all of selection_*
falsepositives:
- Scripts or links on the user desktop used to lock the workstation instead of Windows+L or the menu option
level: medium
Convert to SIEM query
medium
Moderate
High FP
Suspicious X509Enrollment - Process Creation
Detect use of X509Enrollment
view Sigma YAML
title: Suspicious X509Enrollment - Process Creation
id: 114de787-4eb2-48cc-abdb-c0b449f93ea4
related:
- id: 504d63cb-0dba-4d02-8531-e72981aace2c
type: similar
status: test
description: Detect use of X509Enrollment
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41
- https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115
author: frack113
date: 2022-12-23
tags:
- attack.defense-impairment
- attack.t1553.004
logsource:
product: windows
category: process_creation
detection:
selection:
CommandLine|contains:
- 'X509Enrollment.CBinaryConverter'
- '884e2002-217d-11da-b2a4-000e7bbb2b09'
condition: selection
falsepositives:
- Legitimate administrative script
level: medium
Convert to SIEM query
medium
Moderate
High FP
Suspicious X509Enrollment - Ps Script
Detect use of X509Enrollment
view Sigma YAML
title: Suspicious X509Enrollment - Ps Script
id: 504d63cb-0dba-4d02-8531-e72981aace2c
related:
- id: 114de787-4eb2-48cc-abdb-c0b449f93ea4
type: similar
status: test
description: Detect use of X509Enrollment
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41
- https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115
author: frack113
date: 2022-12-23
tags:
- attack.defense-impairment
- attack.t1553.004
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- 'X509Enrollment.CBinaryConverter'
- '884e2002-217d-11da-b2a4-000e7bbb2b09'
condition: selection
falsepositives:
- Legitimate administrative script
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Suspicious XOR Encoded PowerShell Command
Detects presence of a potentially xor encoded powershell command
view Sigma YAML
title: Suspicious XOR Encoded PowerShell Command
id: bb780e0c-16cf-4383-8383-1e5471db6cf9
related:
- id: 5b572dcf-254b-425c-a8c5-d9af6bea35a6
type: obsolete
status: test
description: Detects presence of a potentially xor encoded powershell command
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65
- https://redcanary.com/blog/yellow-cockatoo/
- https://zero2auto.com/2020/05/19/netwalker-re/
- https://mez0.cc/posts/cobaltstrike-powershell-exec/
author: Sami Ruohonen, Harish Segar, Tim Shelton, Teymur Kheirkhabarov, Vasiliy Burov, oscd.community, Nasreddine Bencherchali
date: 2018-09-05
modified: 2023-01-30
tags:
- attack.execution
- attack.stealth
- attack.t1059.001
- attack.t1140
- attack.t1027
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
- Description: 'Windows PowerShell'
- Product: 'PowerShell Core 6'
selection_cli_xor:
CommandLine|contains: 'bxor'
selection_cli_other:
CommandLine|contains:
- 'ForEach'
- 'for('
- 'for '
- '-join '
- "-join'"
- '-join"'
- '-join`'
- '::Join'
- '[char]'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Suspicious ZipExec Execution
ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.
view Sigma YAML
title: Suspicious ZipExec Execution
id: 90dcf730-1b71-4ae7-9ffc-6fcf62bd0132
status: test
description: ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.
references:
- https://twitter.com/SBousseaden/status/1451237393017839616
- https://github.com/Tylous/ZipExec
author: frack113
date: 2021-11-07
modified: 2022-12-25
tags:
- attack.execution
- attack.stealth
- attack.t1218
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
run:
CommandLine|contains|all:
- '/generic:Microsoft_Windows_Shell_ZipFolder:filename='
- '.zip'
- '/pass:'
- '/user:'
delete:
CommandLine|contains|all:
- '/delete'
- 'Microsoft_Windows_Shell_ZipFolder:filename='
- '.zip'
condition: run or delete
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
SyncAppvPublishingServer Bypass Powershell Restriction - PS Module
Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.
view Sigma YAML
title: SyncAppvPublishingServer Bypass Powershell Restriction - PS Module
id: fe5ce7eb-dad8-467c-84a9-31ec23bd644a
related:
- id: fde7929d-8beb-4a4c-b922-be9974671667
type: derived
- id: 9f7aa113-9da6-4a8d-907c-5f1a4b908299
type: derived
status: test
description: Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
author: 'Ensar Şamil, @sblmsrsn, OSCD Community'
date: 2020-10-05
modified: 2022-12-02
tags:
- attack.stealth
- attack.t1218
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection:
ContextInfo|contains: 'SyncAppvPublishingServer.exe'
condition: selection
falsepositives:
- App-V clients
level: medium
Convert to SIEM query
medium
Moderate
High FP
SyncAppvPublishingServer Execute Arbitrary PowerShell Code
Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe.
view Sigma YAML
title: SyncAppvPublishingServer Execute Arbitrary PowerShell Code
id: fbd7c32d-db2a-4418-b92c-566eb8911133
related:
- id: fde7929d-8beb-4a4c-b922-be9974671667
type: obsolete
status: test
description: Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
- https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
author: frack113
date: 2021-07-12
modified: 2022-10-04
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\SyncAppvPublishingServer.exe'
- OriginalFileName: 'syncappvpublishingserver.exe'
selection_cli:
CommandLine|contains: '"n; '
condition: all of selection_*
falsepositives:
- App-V clients
level: medium
Convert to SIEM query
medium
Moderate
High FP
SyncAppvPublishingServer Execution to Bypass Powershell Restriction
Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.
view Sigma YAML
title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction
id: dddfebae-c46f-439c-af7a-fdb6bde90218
related:
- id: fde7929d-8beb-4a4c-b922-be9974671667
type: derived
- id: 9f7aa113-9da6-4a8d-907c-5f1a4b908299
type: derived
status: test
description: Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
author: 'Ensar Şamil, @sblmsrsn, OSCD Community'
date: 2020-10-05
modified: 2022-12-25
tags:
- attack.stealth
- attack.t1218
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains: 'SyncAppvPublishingServer.exe'
condition: selection
falsepositives:
- App-V clients
level: medium
Convert to SIEM query
medium
Moderate
High FP
SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code
Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs
view Sigma YAML
title: SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code
id: 36475a7d-0f6d-4dce-9b01-6aeb473bbaf1
status: test
description: Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md
- https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
author: frack113
date: 2021-07-16
modified: 2022-06-22
tags:
- attack.stealth
- attack.t1218
- attack.t1216
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- '\SyncAppvPublishingServer.vbs'
- ';' # at a minimum, a semi-colon is required
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Sysinternals PsService Execution
Detects usage of Sysinternals PsService which can be abused for service reconnaissance and tampering
view Sigma YAML
title: Sysinternals PsService Execution
id: 3371f518-5fe3-4cf6-a14b-2a0ae3fd8a4f
status: test
description: Detects usage of Sysinternals PsService which can be abused for service reconnaissance and tampering
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/psservice
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-16
modified: 2023-02-24
tags:
- attack.privilege-escalation
- attack.discovery
- attack.persistence
- attack.t1543.003
logsource:
category: process_creation
product: windows
detection:
selection:
- OriginalFileName: 'psservice.exe'
- Image|endswith:
- '\PsService.exe'
- '\PsService64.exe'
condition: selection
falsepositives:
- Legitimate use of PsService by an administrator
level: medium
Convert to SIEM query
medium
Moderate
High FP
Sysinternals PsSuspend Execution
Detects usage of Sysinternals PsSuspend which can be abused to suspend critical processes
view Sigma YAML
title: Sysinternals PsSuspend Execution
id: 48bbc537-b652-4b4e-bd1d-281172df448f
related:
- id: 4beb6ae0-f85b-41e2-8f18-8668abc8af78
type: similar
status: test
description: Detects usage of Sysinternals PsSuspend which can be abused to suspend critical processes
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/pssuspend
- https://twitter.com/0gtweet/status/1638069413717975046
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-23
tags:
- attack.privilege-escalation
- attack.discovery
- attack.persistence
- attack.t1543.003
logsource:
category: process_creation
product: windows
detection:
selection:
- OriginalFileName: 'pssuspend.exe'
- Image|endswith:
- '\pssuspend.exe'
- '\pssuspend64.exe'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Sysmon Configuration Change
Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or someone trying manipulate the configuration
view Sigma YAML
title: Sysmon Configuration Change
id: 8ac03a65-6c84-4116-acad-dc1558ff7a77
status: test
description: Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or someone trying manipulate the configuration
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
author: frack113
date: 2022-01-12
tags:
- attack.defense-impairment
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 16
# To avoid FP just add
# filter:
# ConfigurationFileHash: 'SHA256=The_Hash_Of_Your_Valid_Config_XML'
# condition: selection and not filter
condition: selection
falsepositives:
- Legitimate administrative action
level: medium
regression_tests_path: regression_data/rules/windows/sysmon/sysmon_config_modification/info.yml
Convert to SIEM query
medium
Moderate
High FP
Sysmon Configuration Update
Detects updates to Sysmon's configuration. Attackers might update or replace the Sysmon configuration with a bare bone one to avoid monitoring without shutting down the service completely
view Sigma YAML
title: Sysmon Configuration Update
id: 87911521-7098-470b-a459-9a57fc80bdfd
status: test
description: Detects updates to Sysmon's configuration. Attackers might update or replace the Sysmon configuration with a bare bone one to avoid monitoring without shutting down the service completely
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-09
modified: 2024-03-13
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_pe:
- Image|endswith:
- \Sysmon64.exe
- \Sysmon.exe
- Description: 'System activity monitor'
selection_cli:
CommandLine|contains|windash: '-c'
condition: all of selection_*
falsepositives:
- Legitimate administrators might use this command to update Sysmon configuration.
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Sysmon File Executable Creation Detected
Triggers on any Sysmon "FileExecutableDetected" event, which triggers every time a PE that is monitored by the config is created.
view Sigma YAML
title: Sysmon File Executable Creation Detected
id: 693a44e9-7f26-4cb6-b787-214867672d3a
status: test
description: Triggers on any Sysmon "FileExecutableDetected" event, which triggers every time a PE that is monitored by the config is created.
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
- https://medium.com/@olafhartong/sysmon-15-0-file-executable-detected-40fd64349f36
author: frack113
date: 2023-07-20
tags:
- attack.defense-impairment
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 29 # this is fine, we want to match any FileExecutableDetected event
condition: selection
falsepositives:
- Unlikely
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Sysprep on AppData Folder
Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)
view Sigma YAML
title: Sysprep on AppData Folder
id: d5b9ae7a-e6fc-405e-80ff-2ff9dcc64e7e
status: test
description: Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)
references:
- https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets
- https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b
author: Florian Roth (Nextron Systems)
date: 2018-06-22
modified: 2021-11-27
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\sysprep.exe'
CommandLine|contains: '\AppData\'
condition: selection
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: medium
Convert to SIEM query
medium
Moderate
High FP
System Disk And Volume Reconnaissance Via Wmic.EXE
An adversary might use WMI to discover information about the system, such as the volume name, size,
free space, and other disk information. This can be done using the 'wmic' command-line utility and has been
observed being used by threat actors such as Volt Typhoon.
view Sigma YAML
title: System Disk And Volume Reconnaissance Via Wmic.EXE
id: c79da740-5030-45ec-a2e0-479e824a562c
related:
- id: d85ecdd7-b855-4e6e-af59-d9c78b5b861e
type: similar
status: test
description: |
An adversary might use WMI to discover information about the system, such as the volume name, size,
free space, and other disk information. This can be done using the 'wmic' command-line utility and has been
observed being used by threat actors such as Volt Typhoon.
references:
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
author: Stephen Lincoln '@slincoln-aiq' (AttackIQ)
date: 2024-02-02
modified: 2025-10-20
tags:
- attack.execution
- attack.discovery
- attack.t1047
- attack.t1082
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\WMIC.exe'
- OriginalFileName: 'wmic.exe'
selection_cli:
- CommandLine|contains:
- ' volumename'
- ' logicaldisk'
- CommandLine|contains|all:
- 'path'
- 'win32_logicaldisk'
- CommandLine|contains|all:
- ' volume'
- ' list '
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
System Information Discovery Using Ioreg
Detects the use of "ioreg" which will show I/O Kit registry information.
This process is used for system information discovery.
It has been observed in-the-wild by calling this process directly or using bash and grep to look for specific strings.
view Sigma YAML
title: System Information Discovery Using Ioreg
id: 2d5e7a8b-f484-4a24-945d-7f0efd52eab0
status: test
description: |
Detects the use of "ioreg" which will show I/O Kit registry information.
This process is used for system information discovery.
It has been observed in-the-wild by calling this process directly or using bash and grep to look for specific strings.
references:
- https://www.virustotal.com/gui/file/0373d78db6c3c0f6f6dcc409821bf89e1ad8c165d6f95c5c80ecdce2219627d7/behavior
- https://www.virustotal.com/gui/file/4ffdc72d1ff1ee8228e31691020fc275afd1baee5a985403a71ca8c7bd36e2e4/behavior
- https://www.virustotal.com/gui/file/5907d59ec1303cfb5c0a0f4aaca3efc0830707d86c732ba6b9e842b5730b95dc/behavior
- https://www.trendmicro.com/en_ph/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-12-20
modified: 2024-01-02
tags:
- attack.discovery
- attack.t1082
logsource:
product: macos
category: process_creation
detection:
# Examples:
# /bin/bash /bin/sh -c ioreg -l | grep -e 'VirtualBox' -e 'Oracle' -e 'VMware' -e 'Parallels' | wc -l
# /usr/sbin/ioreg ioreg -rd1 -w0 -c AppleAHCIDiskDriver
# /bin/bash /bin/sh -c ioreg -l | grep -e 'USB Vendor Name'
# ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformSerialNumber/ { split($0, line, \"\\\"\"); printf(\"%s\", line[4]); }
selection_img:
- Image|endswith: '/ioreg'
- CommandLine|contains: 'ioreg'
selection_cmd1:
CommandLine|contains:
- '-l'
- '-c'
selection_cmd2:
CommandLine|contains:
- 'AppleAHCIDiskDriver'
- 'IOPlatformExpertDevice'
- 'Oracle'
- 'Parallels'
- 'USB Vendor Name'
- 'VirtualBox'
- 'VMware'
condition: all of selection_*
falsepositives:
- Legitimate administrative activities
level: medium
Convert to SIEM query
medium
Strong
High FP
System Information Discovery Using System_Profiler
Detects the execution of "system_profiler" with specific "Data Types" that have been seen being used by threat actors and malware. It provides system hardware and software configuration information.
This process is primarily used for system information discovery. However, "system_profiler" can also be used to determine if virtualization software is being run for defense evasion purposes.
view Sigma YAML
title: System Information Discovery Using System_Profiler
id: 4809c683-059b-4935-879d-36835986f8cf
status: test
description: |
Detects the execution of "system_profiler" with specific "Data Types" that have been seen being used by threat actors and malware. It provides system hardware and software configuration information.
This process is primarily used for system information discovery. However, "system_profiler" can also be used to determine if virtualization software is being run for defense evasion purposes.
references:
- https://www.trendmicro.com/en_za/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html
- https://www.sentinelone.com/wp-content/uploads/pdf-gen/1630910064/20-common-tools-techniques-used-by-macos-threat-actors-malware.pdf
- https://ss64.com/mac/system_profiler.html
- https://objective-see.org/blog/blog_0x62.html
- https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/
- https://gist.github.com/nasbench/9a1ba4bc7094ea1b47bc42bf172961af
author: Stephen Lincoln `@slincoln_aiq` (AttackIQ)
date: 2024-01-02
tags:
- attack.discovery
- attack.stealth
- attack.t1082
- attack.t1497.001
logsource:
product: macos
category: process_creation
detection:
selection_img:
- Image|endswith: '/system_profiler'
- CommandLine|contains: 'system_profiler'
selection_cmd:
# Note: This list is based on CTI reporting. Threat actors might use other data types. Please refere to https://gist.github.com/nasbench/9a1ba4bc7094ea1b47bc42bf172961af for a full list
CommandLine|contains:
- 'SPApplicationsDataType'
- 'SPHardwareDataType'
- 'SPNetworkDataType'
- 'SPUSBDataType'
condition: all of selection_*
falsepositives:
- Legitimate administrative activities
level: medium
Convert to SIEM query
medium
Strong
High FP
System Information Discovery Using sw_vers
Detects the use of "sw_vers" for system information discovery
view Sigma YAML
title: System Information Discovery Using sw_vers
id: 5de06a6f-673a-4fc0-8d48-bcfe3837b033
status: test
description: Detects the use of "sw_vers" for system information discovery
references:
- https://www.virustotal.com/gui/file/d3fa64f63563fe958b75238742d1e473800cb5f49f5cb79d38d4aa3c93709026/behavior
- https://www.virustotal.com/gui/file/03b71eaceadea05bc0eea5cddecaa05f245126d6b16cfcd0f3ba0442ac58dab3/behavior
- https://ss64.com/osx/sw_vers.html
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-12-20
tags:
- attack.discovery
- attack.t1082
logsource:
product: macos
category: process_creation
detection:
# VT Query: 'behavior_processes:"sw_vers" and (behavior_processes:"-productVersion" or behavior_processes:"-productName" or behavior_processes:"-buildVersion") tag:dmg p:5+'
selection_image:
Image|endswith: '/sw_vers'
selection_options:
CommandLine|contains:
- '-buildVersion'
- '-productName'
- '-productVersion'
condition: all of selection_*
falsepositives:
- Legitimate administrative activities
level: medium
Convert to SIEM query
medium
Strong
High FP
System Information Discovery Via Sysctl - MacOS
Detects the execution of "sysctl" with specific arguments that have been used by threat actors and malware. It provides system hardware information.
This process is primarily used to detect and avoid virtualization and analysis environments.
view Sigma YAML
title: System Information Discovery Via Sysctl - MacOS
id: 6ff08e55-ea53-4f27-94a1-eff92e6d9d5c
status: test
description: |
Detects the execution of "sysctl" with specific arguments that have been used by threat actors and malware. It provides system hardware information.
This process is primarily used to detect and avoid virtualization and analysis environments.
references:
- https://www.loobins.io/binaries/sysctl/#
- https://evasions.checkpoint.com/techniques/macos.html
- https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/
- https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- https://objective-see.org/blog/blog_0x1E.html
- https://www.virustotal.com/gui/file/1c547a064494a35d6b5e6b459de183ab2720a22725e082bed6f6629211f7abc1/behavior
- https://www.virustotal.com/gui/file/b4b1fc65f87b3dcfa35e2dbe8e0a34ad9d8a400bec332025c0a2e200671038aa/behavior
author: Pratinav Chandra
date: 2024-05-27
tags:
- attack.stealth
- attack.t1497.001
- attack.discovery
- attack.t1082
logsource:
product: macos
category: process_creation
detection:
selection_img:
- Image|endswith: '/sysctl'
- CommandLine|contains: 'sysctl'
selection_cmd:
CommandLine|contains:
- 'hw.'
- 'kern.'
- 'machdep.'
condition: all of selection_*
falsepositives:
- Legitimate administrative activities
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
System Integrity Protection (SIP) Disabled
Detects the use of csrutil to disable the Configure System Integrity Protection (SIP). This technique is used in post-exploit scenarios.
view Sigma YAML
title: System Integrity Protection (SIP) Disabled
id: 3603f18a-ec15-43a1-9af2-d196c8a7fec6
status: test
description: |
Detects the use of csrutil to disable the Configure System Integrity Protection (SIP). This technique is used in post-exploit scenarios.
references:
- https://ss64.com/osx/csrutil.html
- https://objective-see.org/blog/blog_0x6D.html
- https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/
- https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2024-01-02
tags:
- attack.discovery
- attack.t1518.001
logsource:
product: macos
category: process_creation
detection:
# VT Query: behavior_processes:"csrutil status" p:5+ type:mac
selection:
Image|endswith: '/csrutil'
CommandLine|contains: 'disable'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
System Language Discovery via Reg.Exe
Detects the usage of Reg.Exe to query system language settings.
Attackers may discover the system language to determine the geographic location of victims, customize payloads for specific regions,
or avoid targeting certain locales to evade detection.
view Sigma YAML
title: System Language Discovery via Reg.Exe
id: c43a5405-e8e1-4221-9ac9-dbe3fa14e886
status: experimental
description: |
Detects the usage of Reg.Exe to query system language settings.
Attackers may discover the system language to determine the geographic location of victims, customize payloads for specific regions,
or avoid targeting certain locales to evade detection.
references:
- https://scythe.io/threat-thursday/threatthursday-darkside-ransomware
author: Marco Pedrinazzi (@pedrinazziM) (InTheCyber)
date: 2026-01-09
tags:
- attack.discovery
- attack.t1614.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\reg.exe'
- OriginalFileName: 'reg.exe'
selection_cli:
CommandLine|contains|all:
- 'query'
- 'Control\Nls\Language'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_reg_system_language_discovery/info.yml
simulation:
- type: atomic-red-team
name: Discover System Language by Registry Query
technique: T1614.001
atomic_guid: 631d4cf1-42c9-4209-8fe9-6bd4de9421be
Convert to SIEM query
medium
Strong
Medium FP
System Scripts Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
view Sigma YAML
title: System Scripts Autorun Keys Modification
id: e7a2fd40-3ae1-4a85-bf80-15cf624fb1b1
related:
- id: 17f878b8-9968-4578-b814-c4217fc5768c
type: obsolete
status: test
description: Detects modification of autostart extensibility point (ASEP) in registry.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2023-08-17
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.001
logsource:
category: registry_set
product: windows
detection:
scripts_base:
TargetObject|contains: '\Software\Policies\Microsoft\Windows\System\Scripts'
scripts:
TargetObject|contains:
- '\Startup'
- '\Shutdown'
- '\Logon'
- '\Logoff'
filter:
Details: '(Empty)'
condition: scripts_base and scripts and not filter
falsepositives:
- Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
- Legitimate administrator sets up autorun keys for legitimate reason
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Systemd Service Creation
Detects a creation of systemd services which could be used by adversaries to execute malicious code.
view Sigma YAML
title: Systemd Service Creation
id: 1bac86ba-41aa-4f62-9d6b-405eac99b485
status: test
description: Detects a creation of systemd services which could be used by adversaries to execute malicious code.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.002/T1543.002.md
author: 'Pawel Mazur'
date: 2022-02-03
modified: 2022-02-06
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1543.002
logsource:
product: linux
service: auditd
detection:
path:
type: 'PATH'
nametype: 'CREATE'
name_1:
name|startswith:
- '/usr/lib/systemd/system/'
- '/etc/systemd/system/'
name_2:
name|contains: '/.config/systemd/user/'
condition: path and 1 of name_*
falsepositives:
- Admin work like legit service installs.
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
TacticalRMM Service Installation
Detects a TacticalRMM service installation. Tactical RMM is a remote monitoring & management tool.
view Sigma YAML
title: TacticalRMM Service Installation
id: 4bb79b62-ef12-4861-981d-2aab43fab642
status: test
description: Detects a TacticalRMM service installation. Tactical RMM is a remote monitoring & management tool.
references:
- https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-11-28
tags:
- attack.command-and-control
- attack.t1219.002
logsource:
product: windows
service: system
detection:
selection_root:
Provider_Name: 'Service Control Manager'
EventID: 7045
selection_service:
- ImagePath|contains: 'tacticalrmm.exe'
- ServiceName|contains: 'TacticalRMM Agent Service'
condition: all of selection_*
falsepositives:
- Legitimate use of the tool
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Tap Driver Installation
Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques
view Sigma YAML
title: Tap Driver Installation
id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9
status: test
description: Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques
references:
- https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers
author: Daniil Yugoslavskiy, Ian Davis, oscd.community
date: 2019-10-24
modified: 2022-12-25
tags:
- attack.exfiltration
- attack.t1048
logsource:
product: windows
service: system
detection:
selection:
Provider_Name: 'Service Control Manager'
EventID: 7045
ImagePath|contains: 'tap0901'
condition: selection
falsepositives:
- Legitimate OpenVPN TAP installation
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Tap Installer Execution
Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques
view Sigma YAML
title: Tap Installer Execution
id: 99793437-3e16-439b-be0f-078782cf953d
status: test
description: Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques
references:
- https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers
author: Daniil Yugoslavskiy, Ian Davis, oscd.community
date: 2019-10-24
modified: 2023-12-11
tags:
- attack.exfiltration
- attack.t1048
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\tapinstall.exe'
filter_optional_avast:
Image|contains:
- ':\Program Files\Avast Software\SecureLine VPN\'
- ':\Program Files (x86)\Avast Software\SecureLine VPN\'
filter_optional_openvpn:
Image|contains: ':\Program Files\OpenVPN Connect\drivers\tap\'
filter_optional_protonvpn:
Image|contains: ':\Program Files (x86)\Proton Technologies\ProtonVPNTap\installer\'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Legitimate OpenVPN TAP installation
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
TeamViewer Domain Query By Non-TeamViewer Application
Detects DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an image that isn't named TeamViewer (sometimes used by threat actors for obfuscation)
view Sigma YAML
title: TeamViewer Domain Query By Non-TeamViewer Application
id: 778ba9a8-45e4-4b80-8e3e-34a419f0b85e
status: test
description: Detects DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an image that isn't named TeamViewer (sometimes used by threat actors for obfuscation)
references:
- https://www.teamviewer.com/en-us/
author: Florian Roth (Nextron Systems)
date: 2022-01-30
modified: 2023-09-18
tags:
- attack.command-and-control
- attack.t1219.002
logsource:
product: windows
category: dns_query
detection:
selection:
QueryName:
- 'taf.teamviewer.com'
- 'udp.ping.teamviewer.com'
filter_main_teamviewer:
# Note: To avoid evasion based on similar names. Best add full install location of TeamViewer
Image|contains: 'TeamViewer'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown binary names of TeamViewer
- Depending on the environment the rule might require some initial tuning before usage to avoid FP with third party applications
level: medium
Convert to SIEM query
medium
Moderate
High FP
TeamViewer Remote Session
Detects the creation of log files during a TeamViewer remote session
view Sigma YAML
title: TeamViewer Remote Session
id: 162ab1e4-6874-4564-853c-53ec3ab8be01
status: test
description: Detects the creation of log files during a TeamViewer remote session
references:
- https://www.teamviewer.com/en-us/
author: Florian Roth (Nextron Systems)
date: 2022-01-30
tags:
- attack.command-and-control
- attack.t1219.002
logsource:
product: windows
category: file_event
detection:
selection1:
TargetFilename|endswith:
- '\TeamViewer\RemotePrinting\tvprint.db'
- '\TeamViewer\TVNetwork.log'
selection2:
TargetFilename|contains|all:
- '\TeamViewer'
- '_Logfile.log'
condition: 1 of selection*
falsepositives:
- Legitimate uses of TeamViewer in an organisation
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Telegram API Access
Detects suspicious requests to Telegram API without the usual Telegram User-Agent
view Sigma YAML
title: Telegram API Access
id: b494b165-6634-483d-8c47-2026a6c52372
status: test
description: Detects suspicious requests to Telegram API without the usual Telegram User-Agent
references:
- https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/
- https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/
- https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/
author: Florian Roth (Nextron Systems)
date: 2018-06-05
modified: 2023-05-18
tags:
- attack.command-and-control
- attack.t1071.001
- attack.t1102.002
logsource:
category: proxy
detection:
selection:
cs-host: 'api.telegram.org' # Often used by Bots
filter:
c-useragent|contains:
# Used https://core.telegram.org/bots/samples for this list
- 'Telegram'
- 'Bot'
condition: selection and not filter
falsepositives:
- Legitimate use of Telegram bots in the company
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Telegram Bot API Request
Detects suspicious DNS queries to api.telegram.org used by Telegram Bots of any kind
view Sigma YAML
title: Telegram Bot API Request
id: c64c5175-5189-431b-a55e-6d9882158251
status: test
description: Detects suspicious DNS queries to api.telegram.org used by Telegram Bots of any kind
references:
- https://core.telegram.org/bots/faq
- https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/
- https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/
- https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/
author: Florian Roth (Nextron Systems)
date: 2018-06-05
modified: 2022-10-09
tags:
- attack.command-and-control
- attack.t1102.002
logsource:
category: dns
detection:
selection:
query: 'api.telegram.org' # Telegram Bot API Request https://core.telegram.org/bots/faq
condition: selection
falsepositives:
- Legitimate use of Telegram bots in the company
level: medium
Convert to SIEM query
medium
Moderate
High FP
Terminate Linux Process Via Kill
Detects usage of command line tools such as "kill", "pkill" or "killall" to terminate or signal a running process.
view Sigma YAML
title: Terminate Linux Process Via Kill
id: 64c41342-6b27-523b-5d3f-c265f3efcdb3
status: test
description: Detects usage of command line tools such as "kill", "pkill" or "killall" to terminate or signal a running process.
references:
- https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html
- https://www.cyberciti.biz/faq/how-force-kill-process-linux/
- https://www.geeksforgeeks.org/how-to-kill-processes-on-the-linux-desktop-with-xkill/
author: Tuan Le (NCSGroup)
date: 2023-03-16
modified: 2024-12-12
tags:
- attack.defense-impairment
- attack.t1685
- detection.threat-hunting
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith:
- '/kill'
- '/killall'
- '/pkill'
- '/xkill'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Testing Usage of Uncommonly Used Port
Adversaries may communicate using a protocol and port paring that are typically not associated.
For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443.
view Sigma YAML
title: Testing Usage of Uncommonly Used Port
id: adf876b3-f1f8-4aa9-a4e4-a64106feec06
status: test
description: |
Adversaries may communicate using a protocol and port paring that are typically not associated.
For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell
- https://learn.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps
author: frack113
date: 2022-01-23
tags:
- attack.command-and-control
- attack.t1571
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- Test-NetConnection
- '-ComputerName '
- '-port '
filter:
ScriptBlockText|contains:
- ' 443 '
- ' 80 '
condition: selection and not filter
falsepositives:
- Legitimate administrative script
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Third Party Software DLL Sideloading
Detects DLL sideloading of DLLs that are part of third party software (zoom, discord....etc)
view Sigma YAML
title: Third Party Software DLL Sideloading
id: f9df325d-d7bc-4a32-8a1a-2cc61dcefc63
status: test
description: Detects DLL sideloading of DLLs that are part of third party software (zoom, discord....etc)
references:
- https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
date: 2022-08-17
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
# Lenovo
selection_lenovo:
ImageLoaded|endswith: '\commfunc.dll'
filter_lenovo:
- ImageLoaded|contains: '\AppData\local\Google\Chrome\Application\'
- ImageLoaded|startswith:
- 'C:\Program Files\Lenovo\Communications Utility\'
- 'C:\Program Files (x86)\Lenovo\Communications Utility\'
# Toshiba
selection_toshiba:
ImageLoaded|endswith: '\tosbtkbd.dll'
filter_toshiba:
ImageLoaded|startswith:
- 'C:\Program Files\Toshiba\Bluetooth Toshiba Stack\'
- 'C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\'
# Zoom (FP with System32)
# selection_zoom:
# ImageLoaded|endswith: '\version.dll'
# filter_zoom:
# ImageLoaded|startswith: 'C:\Users\'
# ImageLoaded|contains: '\AppData\Roaming\Zoom\bin\'
condition: (selection_lenovo and not filter_lenovo) or (selection_toshiba and not filter_toshiba)
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Time Machine Backup Deletion Attempt Via Tmutil - MacOS
Detects deletion attempts of MacOS Time Machine backups via the native backup utility "tmutil".
An adversary may perform this action before launching a ransonware attack to prevent the victim from restoring their files.
view Sigma YAML
title: Time Machine Backup Deletion Attempt Via Tmutil - MacOS
id: 452df256-da78-427a-866f-49fa04417d74
status: test
description: |
Detects deletion attempts of MacOS Time Machine backups via the native backup utility "tmutil".
An adversary may perform this action before launching a ransonware attack to prevent the victim from restoring their files.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine
- https://www.loobins.io/binaries/tmutil/
author: Pratinav Chandra
date: 2024-05-29
tags:
- attack.impact
- attack.t1490
logsource:
category: process_creation
product: macos
detection:
selection_img:
- Image|endswith: '/tmutil'
- CommandLine|contains: 'tmutil'
selection_cmd:
CommandLine|contains: 'delete'
condition: all of selection_*
falsepositives:
- Legitimate activities
level: medium
Convert to SIEM query
medium
Moderate
High FP
Time Machine Backup Disabled Via Tmutil - MacOS
Detects disabling of Time Machine (Apple's automated backup utility software) via the native macOS backup utility "tmutil".
An attacker can use this to prevent backups from occurring.
view Sigma YAML
title: Time Machine Backup Disabled Via Tmutil - MacOS
id: 2c95fa8a-8b8d-4787-afce-7117ceb8e3da
status: test
description: |
Detects disabling of Time Machine (Apple's automated backup utility software) via the native macOS backup utility "tmutil".
An attacker can use this to prevent backups from occurring.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine
- https://www.loobins.io/binaries/tmutil/
author: Pratinav Chandra
date: 2024-05-29
tags:
- attack.impact
- attack.t1490
logsource:
category: process_creation
product: macos
detection:
selection_img:
- Image|endswith: '/tmutil'
- CommandLine|contains: 'tmutil'
selection_cmd:
CommandLine|contains: 'disable'
condition: all of selection_*
falsepositives:
- Legitimate administrator activity
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Tomcat WebServer Logs Deleted
Detects the deletion of tomcat WebServer logs which may indicate an attempt to destroy forensic evidence
view Sigma YAML
title: Tomcat WebServer Logs Deleted
id: 270185ff-5f50-4d6d-a27f-24c3b8c9fef8
status: test
description: Detects the deletion of tomcat WebServer logs which may indicate an attempt to destroy forensic evidence
references:
- Internal Research
- https://linuxhint.com/view-tomcat-logs-windows/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-16
tags:
- attack.stealth
- attack.t1070
logsource:
category: file_delete
product: windows
detection:
selection:
TargetFilename|contains|all:
- '\Tomcat'
- '\logs\'
TargetFilename|contains:
- 'catalina.'
- '_access_log.'
- 'localhost.'
condition: selection
falsepositives:
- During uninstallation of the tomcat server
- During log rotation
level: medium
Convert to SIEM query
medium
Moderate
High FP
Touch Suspicious Service File
Detects usage of the "touch" process in service file.
view Sigma YAML
title: Touch Suspicious Service File
id: 31545105-3444-4584-bebf-c466353230d2
status: test
description: Detects usage of the "touch" process in service file.
references:
- https://blogs.blackberry.com/
- https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-01-11
tags:
- attack.stealth
- attack.t1070.006
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith: '/touch'
CommandLine|contains: ' -t '
CommandLine|endswith: '.service'
condition: selection
falsepositives:
- Admin changing date of files.
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Transferring Files with Credential Data via Network Shares
Transferring files with well-known filenames (sensitive files with credential data) using network shares
view Sigma YAML
title: Transferring Files with Credential Data via Network Shares
id: 910ab938-668b-401b-b08c-b596e80fdca5
related:
- id: 2e69f167-47b5-4ae7-a390-47764529eff5
type: similar
status: test
description: Transferring files with well-known filenames (sensitive files with credential data) using network shares
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Teymur Kheirkhabarov, oscd.community
date: 2019-10-22
modified: 2025-07-11
tags:
- attack.credential-access
- attack.t1003.002
- attack.t1003.001
- attack.t1003.003
logsource:
product: windows
service: security
detection:
selection_eid:
EventID: 5145
selection_object:
- RelativeTargetName|contains:
- '\mimidrv'
- '\lsass'
- '\windows\minidump\'
- '\hiberfil'
- '\sqldmpr'
- RelativeTargetName:
- 'Windows\NTDS\ntds.dit'
- 'Windows\System32\config\SAM'
- 'Windows\System32\config\SECURITY'
- 'Windows\System32\config\SYSTEM'
condition: all of selection_*
falsepositives:
- Transferring sensitive files for legitimate administration work by legitimate administrator
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Transferring Files with Credential Data via Network Shares - Zeek
Transferring files with well-known filenames (sensitive files with credential data) using network shares
view Sigma YAML
title: Transferring Files with Credential Data via Network Shares - Zeek
id: 2e69f167-47b5-4ae7-a390-47764529eff5
related:
- id: 910ab938-668b-401b-b08c-b596e80fdca5
type: similar
status: test
description: Transferring files with well-known filenames (sensitive files with credential data) using network shares
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: '@neu5ron, Teymur Kheirkhabarov, oscd.community'
date: 2020-04-02
modified: 2021-11-27
tags:
- attack.credential-access
- attack.t1003.002
- attack.t1003.001
- attack.t1003.003
logsource:
product: zeek
service: smb_files
detection:
selection:
name:
- '\mimidrv'
- '\lsass'
- '\windows\minidump\'
- '\hiberfil'
- '\sqldmpr'
- '\sam'
- '\ntds.dit'
- '\security'
condition: selection
falsepositives:
- Transferring sensitive files for legitimate administration work by legitimate administrator
level: medium
Convert to SIEM query
medium
Moderate
High FP
Troubleshooting Pack Cmdlet Execution
Detects execution of "TroubleshootingPack" cmdlets to leverage CVE-2022-30190 or action similar to "msdt" lolbin (as described in LOLBAS)
view Sigma YAML
title: Troubleshooting Pack Cmdlet Execution
id: 03409c93-a7c7-49ba-9a4c-a00badf2a153
status: test
description: Detects execution of "TroubleshootingPack" cmdlets to leverage CVE-2022-30190 or action similar to "msdt" lolbin (as described in LOLBAS)
references:
- https://twitter.com/nas_bench/status/1537919885031772161
- https://lolbas-project.github.io/lolbas/Binaries/Msdt/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-21
tags:
- attack.stealth
- attack.t1202
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'Invoke-TroubleshootingPack'
- 'C:\Windows\Diagnostics\System\PCW'
- '-AnswerFile'
- '-Unattended'
condition: selection
falsepositives:
- Legitimate usage of "TroubleshootingPack" cmdlet for troubleshooting purposes
level: medium
Convert to SIEM query
medium
Moderate
High FP
Tunneling Tool Execution
Detects the execution of well known tools that can be abused for data exfiltration and tunneling.
view Sigma YAML
title: Tunneling Tool Execution
id: c75309a3-59f8-4a8d-9c2c-4c927ad50555
status: test
description: Detects the execution of well known tools that can be abused for data exfiltration and tunneling.
author: Daniil Yugoslavskiy, oscd.community
references:
- https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
date: 2019-10-24
modified: 2024-01-18
tags:
- attack.exfiltration
- attack.command-and-control
- attack.t1041
- attack.t1572
- attack.t1071.001
- detection.threat-hunting
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\httptunnel.exe'
- '\plink.exe'
- '\socat.exe'
- '\stunnel.exe'
condition: selection
falsepositives:
- Legitimate administrators using one of these tools
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
UAC Bypass via Windows Firewall Snap-In Hijack
Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in
view Sigma YAML
title: UAC Bypass via Windows Firewall Snap-In Hijack
id: e52cb31c-10ed-4aea-bcb7-593c9f4a315b
status: test
description: Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in
references:
- https://www.elastic.co/guide/en/security/current/uac-bypass-via-windows-firewall-snap-in-hijack.html#uac-bypass-via-windows-firewall-snap-in-hijack
author: Tim Rauch, Elastic (idea)
date: 2022-09-27
tags:
- attack.privilege-escalation
- attack.t1548
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\mmc.exe'
ParentCommandLine|contains: 'WF.msc'
filter:
Image|endswith: '\WerFault.exe'
condition: selection and not filter
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
UAC Disabled
Detects when an attacker tries to disable User Account Control (UAC) by setting the registry value "EnableLUA" to 0.
view Sigma YAML
title: UAC Disabled
id: 48437c39-9e5f-47fb-af95-3d663c3f2919
related:
- id: c5f6a85d-b647-40f7-bbad-c10b66bab038
type: similar
- id: 0d7ceeef-3539-4392-8953-3dc664912714
type: similar
status: stable
description: |
Detects when an attacker tries to disable User Account Control (UAC) by setting the registry value "EnableLUA" to 0.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md
author: frack113
date: 2022-01-05
modified: 2024-05-10
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA'
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
UAC Notification Disabled
Detects when an attacker tries to disable User Account Control (UAC) notification by tampering with the "UACDisableNotify" value.
UAC is a critical security feature in Windows that prevents unauthorized changes to the operating system. It prompts the user for permission or an administrator password before allowing actions that could affect the system's operation or change settings that affect other users.
When "UACDisableNotify" is set to 1, UAC prompts are suppressed.
view Sigma YAML
title: UAC Notification Disabled
id: c5f6a85d-b647-40f7-bbad-c10b66bab038
related:
- id: 0d7ceeef-3539-4392-8953-3dc664912714
type: similar
- id: 48437c39-9e5f-47fb-af95-3d663c3f2919
type: similar
status: test
description: |
Detects when an attacker tries to disable User Account Control (UAC) notification by tampering with the "UACDisableNotify" value.
UAC is a critical security feature in Windows that prevents unauthorized changes to the operating system. It prompts the user for permission or an administrator password before allowing actions that could affect the system's operation or change settings that affect other users.
When "UACDisableNotify" is set to 1, UAC prompts are suppressed.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md
- https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2024-05-10
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\Microsoft\Security Center\UACDisableNotify'
Details: 'DWORD (0x00000001)'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
UAC Secure Desktop Prompt Disabled
Detects when an attacker tries to change User Account Control (UAC) elevation request destination via the "PromptOnSecureDesktop" value.
The "PromptOnSecureDesktop" setting specifically determines whether UAC prompts are displayed on the secure desktop. The secure desktop is a separate desktop environment that's isolated from other processes running on the system. It's designed to prevent malicious software from intercepting or tampering with UAC prompts.
When "PromptOnSecureDesktop" is set to 0, UAC prompts are displayed on the user's current desktop instead of the secure desktop. This reduces the level of security because it potentially exposes the prompts to manipulation by malicious software.
view Sigma YAML
title: UAC Secure Desktop Prompt Disabled
id: 0d7ceeef-3539-4392-8953-3dc664912714
related:
- id: c5f6a85d-b647-40f7-bbad-c10b66bab038
type: similar
- id: 48437c39-9e5f-47fb-af95-3d663c3f2919
type: similar
status: test
description: |
Detects when an attacker tries to change User Account Control (UAC) elevation request destination via the "PromptOnSecureDesktop" value.
The "PromptOnSecureDesktop" setting specifically determines whether UAC prompts are displayed on the secure desktop. The secure desktop is a separate desktop environment that's isolated from other processes running on the system. It's designed to prevent malicious software from intercepting or tampering with UAC prompts.
When "PromptOnSecureDesktop" is set to 0, UAC prompts are displayed on the user's current desktop instead of the secure desktop. This reduces the level of security because it potentially exposes the prompts to manipulation by malicious software.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md
author: frack113
date: 2024-05-10
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop'
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
UFW Disable Attempt
Detects attempts to disable the Uncomplicated Firewall (UFW) on Linux systems.
UFW is a popular firewall management tool that provides an easy-to-use interface for configuring firewall rules.
Disabling UFW can leave a system vulnerable to attacks, as it may allow unauthorized access to network services and resources.
view Sigma YAML
title: UFW Disable Attempt
id: 84c9e83c-599a-458a-a0cb-0ecce44e807a
status: test
description: |
Detects attempts to disable the Uncomplicated Firewall (UFW) on Linux systems.
UFW is a popular firewall management tool that provides an easy-to-use interface for configuring firewall rules.
Disabling UFW can leave a system vulnerable to attacks, as it may allow unauthorized access to network services and resources.
references:
- https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
- https://manpages.debian.org/unstable/ufw/ufw-framework.8.en.html
- https://www.cyberciti.biz/faq/linux-disable-firewall-command/
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-01-18
modified: 2026-05-04
tags:
- attack.defense-impairment
- attack.t1686
logsource:
product: linux
category: process_creation
detection:
selection_ufw_init:
Image|endswith: '/ufw-init'
CommandLine|contains:
- ' force-stop' # same as stop, except does not check if the firewall is already loaded
- ' stop' # unloads the firewall
- ' flush' # flushes the built-in chains, deletes all non-built-in chains and resets the policy to ACCEPT
selection_ufw_disable:
CommandLine|contains|all:
# Covers both ufw disable and systemctl disable ufw
# systemctl disable ufw -- prevents UFW starting at boot, but does not stop the currently running instance of UFW
# ufw disable -- stops the currently running instance of UFW and prevents it from starting at boot
- 'ufw '
- 'disable'
condition: 1 of selection_*
falsepositives:
- Legitimate actions by system administrators to disable UFW.
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Uncommon Assistive Technology Applications Execution Via AtBroker.EXE
Detects the start of a non built-in assistive technology applications via "Atbroker.EXE".
view Sigma YAML
title: Uncommon Assistive Technology Applications Execution Via AtBroker.EXE
id: f24bcaea-0cd1-11eb-adc1-0242ac120002
status: test
description: Detects the start of a non built-in assistive technology applications via "Atbroker.EXE".
references:
- http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
- https://lolbas-project.github.io/lolbas/Binaries/Atbroker/
author: Mateusz Wydra, oscd.community
date: 2020-10-12
modified: 2024-03-06
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\AtBroker.exe'
- OriginalFileName: 'AtBroker.exe'
selection_cli:
CommandLine|contains: 'start'
filter_main_builtin:
CommandLine|contains:
- 'animations'
- 'audiodescription'
- 'caretbrowsing'
- 'caretwidth'
- 'colorfiltering'
- 'cursorindicator'
- 'cursorscheme'
- 'filterkeys'
- 'focusborderheight'
- 'focusborderwidth'
- 'highcontrast'
- 'keyboardcues'
- 'keyboardpref'
- 'livecaptions'
- 'magnifierpane'
- 'messageduration'
- 'minimumhitradius'
- 'mousekeys'
- 'Narrator'
- 'osk'
- 'overlappedcontent'
- 'showsounds'
- 'soundsentry'
- 'speechreco'
- 'stickykeys'
- 'togglekeys'
- 'voiceaccess'
- 'windowarranging'
- 'windowtracking'
- 'windowtrackingtimeout'
- 'windowtrackingzorder'
filter_optional_java:
CommandLine|contains: 'Oracle_JavaAccessBridge'
condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate, non-default assistive technology applications execution
level: medium
Convert to SIEM query
Showing 1251-1300 of 1,440