
VMware Carbon Black

1,440 rules · Sigma detections in VMware Carbon Black syntax
The same Sigma detection corpus, machine-rendered into VMware Carbon Black query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Rules by ATT&CK tactic (count of rules in this view):
Reconnaissance (12)
Resource Development (10)
Initial Access (10)
Execution (30)
Persistence (42)
Privilege Escalation (20)
Stealth (79)
Defense Impairment (32)
Credential Access (35)
Discovery (33)
Lateral Movement (16)
Collection (20)
Command and Control (24)
Exfiltration (10)
Impact (18)
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.

Detection rules

40 shown of 1,440
Level: medium · Quality: Moderate · Alert volume: High FP
Windows Credential Manager Access via VaultCmd
List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe
Status: test · Author: frack113 · ATT&CK mapping: sub-technique · Rule id: 58f50261-c53b-4c88-bd12-1d71f12eda4c
Carbon Black query:
(Image:\\VaultCmd.exe OR OriginalFileName:VAULTCMD.EXE) CommandLine:\/listcreds\:*
Sigma YAML:
title: Windows Credential Manager Access via VaultCmd
id: 58f50261-c53b-4c88-bd12-1d71f12eda4c
status: test
description: List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.004/T1555.004.md#atomic-test-1---access-saved-credentials-via-vaultcmd
author: frack113
date: 2022-04-08
modified: 2022-05-13
tags:
    - attack.credential-access
    - attack.t1555.004
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\VaultCmd.exe'
        - OriginalFileName: 'VAULTCMD.EXE'
    selection_cli:
        CommandLine|contains: '/listcreds:'
    condition: all of selection*
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Moderate · Alert volume: Medium FP
Windows Default Domain GPO Modification
Detects modifications to Default Domain or Default Domain Controllers Group Policy Objects (GPOs). Adversaries may modify these default GPOs to deploy malicious configurations across the domain.
Status: experimental · Author: Swachchhanda Shrawan Poudel (Nextron Systems) · ATT&CK mapping: sub-technique · Rule id: e5ac86dd-2da1-454b-be74-05d26c769d7d
Carbon Black query:
EventID:5136 ObjectClass:groupPolicyContainer (ObjectDN:CN=\{31B2F340\-016D\-11D2\-945F\-00C04FB984F9\},CN=POLICIES,CN=SYSTEM* OR ObjectDN:CN=\{6AC1786C\-016F\-11D2\-945F\-00C04FB984F9\},CN=POLICIES,CN=SYSTEM*)
Sigma YAML:
title: Windows Default Domain GPO Modification
id: e5ac86dd-2da1-454b-be74-05d26c769d7d
related:
    - id: dcff7e85-d01f-4eb5-badd-84e2e6be8294
      type: similar
status: experimental
description: |
    Detects modifications to Default Domain or Default Domain Controllers Group Policy Objects (GPOs).
    Adversaries may modify these default GPOs to deploy malicious configurations across the domain.
references:
    - https://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-ransomware.html
    - https://adsecurity.org/?p=3377
    - https://www.pentestpartners.com/security-blog/living-off-the-land-gpo-style/
    - https://jgspiers.com/audit-group-policy-changes/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-22
tags:
    - attack.privilege-escalation
    - attack.defense-impairment
    - attack.t1484.001
logsource:
    product: windows
    service: security
    definition: |
        Enable 'Audit Directory Service Changes' in the Default Domain Controllers Policy under:
        Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> DS Access -> Audit Directory Service Changes (Success).
        Additionally, proper SACL needs to be configured on the 'CN=Policies,CN=System,DC=<domain>,DC=<tld>' container in Active Directory to capture changes to Group Policy Objects.
detection:
    selection:
        EventID: 5136
        ObjectClass: 'groupPolicyContainer'
        ObjectDN|startswith:
            - 'CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=POLICIES,CN=SYSTEM' # Default Domain Policy
            - 'CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=POLICIES,CN=SYSTEM' # Default Domain Controllers Policy
    condition: selection
falsepositives:
    - Legitimate modifications to Default Domain or Default Domain Controllers GPOs
level: medium
Level: medium · Quality: Strong · Alert volume: Medium FP
Windows Default Domain GPO Modification via GPME
Detects the use of the Group Policy Management Editor (GPME) to modify Default Domain or Default Domain Controllers Group Policy Objects (GPOs). Adversaries may leverage GPME to make stealthy changes in these default GPOs to deploy malicious GPO configurations across the domain without raising suspicion.
Status: experimental · Author: TropChaud · ATT&CK mapping: sub-technique · Rule id: dcff7e85-d01f-4eb5-badd-84e2e6be8294
Carbon Black query:
(Image:\\mmc.exe OR OriginalFileName:MMC.exe) (CommandLine:gpme.msc* CommandLine:gpobject\:*) (CommandLine:31B2F340\-016D\-11D2\-945F\-00C04FB984F9* OR CommandLine:6AC1786C\-016F\-11D2\-945F\-00C04FB984F9*)
Sigma YAML:
title: Windows Default Domain GPO Modification via GPME
id: dcff7e85-d01f-4eb5-badd-84e2e6be8294
related:
    - id: e5ac86dd-2da1-454b-be74-05d26c769d7d
      type: similar
status: experimental
description: |
    Detects the use of the Group Policy Management Editor (GPME) to modify Default Domain or Default Domain Controllers Group Policy Objects (GPOs).
    Adversaries may leverage GPME to make stealthy changes in these default GPOs to deploy malicious GPO configurations across the domain without raising suspicion.
references:
    - https://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-ransomware.html
    - https://adsecurity.org/?p=3377
    - https://sdmsoftware.com/general-stuff/launching-the-new-gp-management-editor-from-the-command-line/
    - https://www.pentestpartners.com/security-blog/living-off-the-land-gpo-style/
author: TropChaud
date: 2025-11-22
tags:
    - attack.privilege-escalation
    - attack.defense-impairment
    - attack.t1484.001
logsource:
    product: windows
    category: process_creation
detection:
    # "C:\Windows\System32\gpme.msc" /s /gpobject:"LDAP://<REDACTED>/cn<REDACTED>,cnpolicies,cnsystem,DC<REDACTED>,DClocal"
    selection_mmc:
        - Image|endswith: '\mmc.exe'
        - OriginalFileName: 'MMC.exe'
    selection_gpme:
        CommandLine|contains|all:
            - 'gpme.msc'
            - 'gpobject:'
    selection_default_gpos:
        CommandLine|contains:
            - '31B2F340-016D-11D2-945F-00C04FB984F9' # Default Domain Policy GUID
            - '6AC1786C-016F-11D2-945F-00C04FB984F9' # Default Domain Controllers Policy GUID
    condition: all of selection_*
falsepositives:
    - Legitimate use of GPME to modify GPOs
level: medium
Level: medium · Quality: Moderate · Alert volume: Medium FP
Windows Defender Exclusion List Modified
Detects modifications to the Windows Defender exclusion registry key. This could indicate a potentially suspicious or even malicious activity by an attacker trying to add a new exclusion in order to bypass security.
Status: test · Author: @BarryShooshooga · ATT&CK mapping: technique · Rule id: 46a68649-f218-4f86-aea1-16a759d81820
Carbon Black query:
EventID:4657 ObjectName:\\Microsoft\\Windows\ Defender\\Exclusions\\*
Sigma YAML:
title: Windows Defender Exclusion List Modified
id: 46a68649-f218-4f86-aea1-16a759d81820
related:
    - id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d
      type: derived
    - id: a33f8808-2812-4373-ae95-8cfb82134978
      type: derived
status: test
description: |
    Detects modifications to the Windows Defender exclusion registry key. This could indicate a potentially suspicious or even malicious activity by an attacker trying to add a new exclusion in order to bypass security.
references:
    - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
author: '@BarryShooshooga'
date: 2019-10-26
modified: 2023-11-11
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    service: security
    definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit Policy, Registry System Access Control (SACL): Auditing/User'
detection:
    selection:
        EventID: 4657 # A registry value was modified.
        ObjectName|contains: '\Microsoft\Windows Defender\Exclusions\'
    condition: selection
falsepositives:
    - Intended exclusions by administrators
level: medium
Level: medium · Quality: Moderate · Alert volume: Medium FP
Windows Defender Exclusion Registry Key - Write Access Requested
Detects write access requests to the Windows Defender exclusions registry keys. This could be an indication of an attacker trying to request a handle or access the object to write new exclusions in order to bypass security.
Status: test · Author: @BarryShooshooga, Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: technique · Rule id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d
Carbon Black query:
(AccessList:%%4417* OR AccessList:%%4418*) (EventID:4656 OR EventID:4663) ObjectName:\\Microsoft\\Windows\ Defender\\Exclusions\\*
Sigma YAML:
title: Windows Defender Exclusion Registry Key - Write Access Requested
id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d
related:
    - id: 46a68649-f218-4f86-aea1-16a759d81820
      type: derived
    - id: a33f8808-2812-4373-ae95-8cfb82134978
      type: derived
status: test
description: |
    Detects write access requests to the Windows Defender exclusions registry keys. This could be an indication of an attacker trying to request a handle or access the object to write new exclusions in order to bypass security.
references:
    - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
author: '@BarryShooshooga, Nasreddine Bencherchali (Nextron Systems)'
date: 2019-10-26
modified: 2023-11-11
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    service: security
    definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit Policy, Registry System Access Control (SACL): Auditing/User'
detection:
    selection:
        AccessList|contains:
            - '%%4417' # WriteData
            - '%%4418' # AppendData
        EventID:
            - 4656 # A handle to an object was requested.
            - 4663 # An attempt was made to access an object.
        ObjectName|contains: '\Microsoft\Windows Defender\Exclusions\'
    condition: selection
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Strong · Alert volume: Medium FP
Windows Defender Exclusions Added
Detects the Setting of Windows Defender Exclusions
Status: stable · Author: Christian Burkard (Nextron Systems) · ATT&CK mapping: technique · Rule id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f
Carbon Black query:
EventID:5007 NewValue:\\Microsoft\\Windows\ Defender\\Exclusions*
Sigma YAML:
title: Windows Defender Exclusions Added
id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f
status: stable
description: Detects the Setting of Windows Defender Exclusions
references:
    - https://twitter.com/_nullbind/status/1204923340810543109
author: Christian Burkard (Nextron Systems)
date: 2021-07-06
modified: 2022-12-06
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    service: windefend
detection:
    selection:
        EventID: 5007 # The antimalware platform configuration changed.
        NewValue|contains: '\Microsoft\Windows Defender\Exclusions'
    condition: selection
falsepositives:
    - Administrator actions
level: medium
Level: medium · Quality: Moderate · Alert volume: High FP
Windows Defender Exclusions Added - PowerShell
Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions
Status: test · Author: Tim Rauch, Elastic (idea) · ATT&CK mapping: technique · Rule id: c1344fa2-323b-4d2e-9176-84b4d4821c88
Carbon Black query:
(ScriptBlockText:\ \-ExclusionPath\ * OR ScriptBlockText:\ \-ExclusionExtension\ * OR ScriptBlockText:\ \-ExclusionProcess\ * OR ScriptBlockText:\ \-ExclusionIpAddress\ *) (ScriptBlockText:Add\-MpPreference\ * OR ScriptBlockText:Set\-MpPreference\ *)
Sigma YAML:
title: Windows Defender Exclusions Added - PowerShell
id: c1344fa2-323b-4d2e-9176-84b4d4821c88
related:
    - id: 17769c90-230e-488b-a463-e05c08e9d48f
      type: similar
status: test
description: Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions
references:
    - https://www.elastic.co/guide/en/security/current/windows-defender-exclusions-added-via-powershell.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-16
modified: 2022-11-26
tags:
    - attack.defense-impairment
    - attack.t1685
    - attack.execution
    - attack.t1059
logsource:
    category: ps_script
    product: windows
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_args_exc:
        ScriptBlockText|contains:
            - ' -ExclusionPath '
            - ' -ExclusionExtension '
            - ' -ExclusionProcess '
            - ' -ExclusionIpAddress '
    selection_args_pref:
        ScriptBlockText|contains:
            - 'Add-MpPreference '
            - 'Set-MpPreference '
    condition: all of selection*
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Moderate · Alert volume: High FP
Windows Defender Exclusions Added - Registry
Detects the Setting of Windows Defender Exclusions
Status: test · Author: Christian Burkard (Nextron Systems) · ATT&CK mapping: technique · Rule id: a982fc9c-6333-4ffb-a51d-addb04e8b529
Carbon Black query:
TargetObject:\\Microsoft\\Windows\ Defender\\Exclusions*
Sigma YAML:
title: Windows Defender Exclusions Added - Registry
id: a982fc9c-6333-4ffb-a51d-addb04e8b529
related:
    - id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f
      type: derived
status: test
description: Detects the Setting of Windows Defender Exclusions
references:
    - https://twitter.com/_nullbind/status/1204923340810543109
author: Christian Burkard (Nextron Systems)
date: 2021-07-06
modified: 2023-08-17
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    category: registry_set
detection:
    selection2:
        TargetObject|contains: '\Microsoft\Windows Defender\Exclusions'
    condition: selection2
falsepositives:
    - Administrator actions
level: medium
Level: medium · Quality: Strong · Alert volume: Low FP
Windows Defender Real-Time Protection Failure/Restart
Detects issues with Windows Defender Real-Time Protection features
Status: stable · Author: Nasreddine Bencherchali (Nextron Systems), Christopher Peacock '@securepeacock' (Update) · ATT&CK mapping: technique · Rule id: dd80db93-6ec2-4f4c-a017-ad40da6ffe81
Carbon Black query:
(EventID:3002 OR EventID:3007) (-(Feature_Name:%%886 (Reason:%%892 OR Reason:%%858)))
Sigma YAML:
title: Windows Defender Real-Time Protection Failure/Restart
id: dd80db93-6ec2-4f4c-a017-ad40da6ffe81
status: stable
description: Detects issues with Windows Defender Real-Time Protection features
references:
    - Internal Research
    - https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/
    - https://gist.github.com/nasbench/33732d6705cbdc712fae356f07666346 # Contains the list of Feature Names (use for filtering purposes)
author: Nasreddine Bencherchali (Nextron Systems), Christopher Peacock '@securepeacock' (Update)
date: 2023-03-28
modified: 2023-05-05
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    service: windefend
detection:
    selection:
        EventID:
            - 3002 # Real-Time Protection feature has encountered an error and failed
            - 3007 # Real-time Protection feature has restarted
    filter_optional_network_inspection:
        Feature_Name: '%%886' # Network Inspection System
        Reason:
            - '%%892' # The system is missing updates that are required for running Network Inspection System. Install the required updates and restart the device.
            - '%%858' # Antimalware security intelligence has stopped functioning for an unknown reason. In some instances, restarting the service may resolve the problem.
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Some crashes can occur sometimes and the event doesn't provide enough information to tune out these cases. Manual exception is required
level: medium
Level: medium · Quality: Strong · Alert volume: Low FP
Windows Defender Threat Detection Service Disabled
Detects when the "Windows Defender Threat Protection" service is disabled.
Status: stable · Author: Ján Trenčanský, frack113 · ATT&CK mapping: technique · Rule id: 6c0a7755-6d31-44fa-80e1-133e57752680
Carbon Black query:
EventID:7036 Provider_Name:Service\ Control\ Manager (param1:Windows\ Defender\ Antivirus\ Service OR param1:Service\ antivirus\ Microsoft\ Defender) (param2:stopped OR param2:arrêté)
Sigma YAML:
title: Windows Defender Threat Detection Service Disabled
id: 6c0a7755-6d31-44fa-80e1-133e57752680
related:
    - id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
      type: derived
status: stable
description: Detects when the "Windows Defender Threat Protection" service is disabled.
references:
    - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
author: Ján Trenčanský, frack113
date: 2020-07-28
modified: 2024-07-02
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    service: system
detection:
    selection:
        EventID: 7036
        Provider_Name: 'Service Control Manager'
        # Note: The service name and messages are localized
        param1:
            - 'Windows Defender Antivirus Service'
            - 'Service antivirus Microsoft Defender' # French OS
        param2:
            - 'stopped'
            - 'arrêté' # French OS
    condition: selection
falsepositives:
    - Administrator actions
    - Auto updates of Windows Defender causes restarts
level: medium
Level: medium · Quality: Moderate · Alert volume: Medium FP
Windows Firewall Disabled via PowerShell
Detects attempts to disable the Windows Firewall using PowerShell
Status: test · Author: Tim Rauch, Elastic (idea) · ATT&CK mapping: technique · Rule id: 12f6b752-042d-483e-bf9c-915a6d06ad75
Carbon Black query:
((Image:\\powershell.exe OR Image:\\pwsh.exe OR Image:\\powershell_ise.exe) OR (OriginalFileName:PowerShell.EXE OR OriginalFileName:pwsh.dll)) (CommandLine:Set\-NetFirewallProfile\ * CommandLine:\ \-Enabled\ * CommandLine:\ False*) (CommandLine:\ \-All\ * OR CommandLine:Public* OR CommandLine:Domain* OR CommandLine:Private*)
Sigma YAML:
title: Windows Firewall Disabled via PowerShell
id: 12f6b752-042d-483e-bf9c-915a6d06ad75
related:
    - id: 488b44e7-3781-4a71-888d-c95abfacf44d
      type: similar
status: test
description: Detects attempts to disable the Windows Firewall using PowerShell
references:
    - https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-14
modified: 2023-02-13
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection_name:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\powershell_ise.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_args:
        CommandLine|contains|all:
            - 'Set-NetFirewallProfile '
            - ' -Enabled '
            - ' False'
    selection_opt:
        CommandLine|contains:
            - ' -All '
            - 'Public'
            - 'Domain'
            - 'Private'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Moderate · Alert volume: High FP
Windows Firewall Profile Disabled
Detects when a user disables the Windows Firewall via a Profile to help evade defense.
Status: test · Author: Austin Songer @austinsonger · ATT&CK mapping: sub-technique · Rule id: 488b44e7-3781-4a71-888d-c95abfacf44d
Carbon Black query:
(ScriptBlockText:Set\-NetFirewallProfile\ * ScriptBlockText:\ \-Enabled\ * ScriptBlockText:\ False*) (ScriptBlockText:\ \-All\ * OR ScriptBlockText:Public* OR ScriptBlockText:Domain* OR ScriptBlockText:Private*)
Sigma YAML:
title: Windows Firewall Profile Disabled
id: 488b44e7-3781-4a71-888d-c95abfacf44d
related:
    - id: 12f6b752-042d-483e-bf9c-915a6d06ad75
      type: similar
status: test
description: Detects when a user disables the Windows Firewall via a Profile to help evade defense.
references:
    - https://learn.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2022-ps
    - https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell
    - https://web.archive.org/web/20230929023836/http://powershellhelp.space/commands/set-netfirewallrule-psv5.php
    - http://woshub.com/manage-windows-firewall-powershell/
    - https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html
author: Austin Songer @austinsonger
date: 2021-10-12
modified: 2022-12-30
tags:
    - attack.defense-impairment
    - attack.t1686.003
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_args:
        ScriptBlockText|contains|all:
            - 'Set-NetFirewallProfile '
            - ' -Enabled '
            - ' False'
    selection_opt:
        ScriptBlockText|contains:
            - ' -All '
            - 'Public'
            - 'Domain'
            - 'Private'
    condition: all of selection*
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Moderate · Alert volume: High FP
Windows Hotfix Updates Reconnaissance Via Wmic.EXE
Detects the execution of wmic with the "qfe" flag in order to obtain information about installed hotfix updates on the system. This is often used by pentester and attacker enumeration scripts
Status: test · Author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: technique · Rule id: dfd2fcb7-8bd5-4daa-b132-5adb61d6ad45
Carbon Black query:
(OriginalFileName:wmic.exe OR Image:\\WMIC.exe) CommandLine:\ qfe*
Sigma YAML:
title: Windows Hotfix Updates Reconnaissance Via Wmic.EXE
id: dfd2fcb7-8bd5-4daa-b132-5adb61d6ad45
status: test
description: Detects the execution of wmic with the "qfe" flag in order to obtain information about installed hotfix updates on the system. This is often used by pentester and attacker enumeration scripts
references:
    - https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat
    - https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-20
modified: 2023-02-14
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'wmic.exe'
        - Image|endswith: '\WMIC.exe'
    selection_cli:
        CommandLine|contains: ' qfe'
    condition: all of selection*
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Moderate · Alert volume: High FP
Windows Kernel Debugger Execution
Detects execution of the Windows Kernel Debugger "kd.exe".
Status: test · Author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: tactic-only · Rule id: 27ee9438-90dc-4bef-904b-d3ef927f5e7e
Carbon Black query:
Image:\\kd.exe OR OriginalFileName:kd.exe
Sigma YAML:
title: Windows Kernel Debugger Execution
id: 27ee9438-90dc-4bef-904b-d3ef927f5e7e
status: test
description: Detects execution of the Windows Kernel Debugger "kd.exe".
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-15
modified: 2024-04-24
tags:
    - attack.privilege-escalation
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\kd.exe'
        - OriginalFileName: 'kd.exe'
    condition: selection
falsepositives:
    - Rare occasions of legitimate cases where kernel debugging is necessary in production. Investigation is required
level: medium
Level: medium · Quality: Moderate · Alert volume: High FP
Windows Mail App Mailbox Access Via PowerShell Script
Detects PowerShell scripts that try to access the default Windows MailApp MailBox. This indicates manipulation of or access to the stored emails of a user. E.g. this could be used by an attacker to exfiltrate or delete the content of the emails.
Status: test · Author: frack113 · ATT&CK mapping: sub-technique · Rule id: 4e485d01-e18a-43f6-a46b-ef20496fa9d3
Carbon Black query:
ScriptBlockText:\\Comms\\Unistore\\data*
Sigma YAML:
title: Windows Mail App Mailbox Access Via PowerShell Script
id: 4e485d01-e18a-43f6-a46b-ef20496fa9d3
status: test
description: Detects PowerShell scripts that try to access the default Windows MailApp MailBox. This indicates manipulation of or access to the stored emails of a user. E.g. this could be used by an attacker to exfiltrate or delete the content of the emails.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1070.008/T1070.008.md
author: frack113
date: 2023-07-08
tags:
    - attack.stealth
    - attack.t1070.008
    - detection.threat-hunting
logsource:
    product: windows
    category: ps_script
    definition: bade5735-5ab0-4aa7-a642-a11be0e40872
detection:
    selection:
        ScriptBlockText|contains: '\Comms\Unistore\data'
    condition: selection
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Strong · Alert volume: Low FP
Windows Network Access Suspicious desktop.ini Action
Detects unusual processes accessing desktop.ini remotely over network share, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
Status: test · Author: Tim Shelton (HAWK.IO) · ATT&CK mapping: sub-technique · Rule id: 35bc7e28-ee6b-492f-ab04-da58fcf6402e
Carbon Black query:
EventID:5145 ObjectType:File RelativeTargetName:\\desktop.ini (AccessList:WriteData* OR AccessList:DELETE* OR AccessList:WriteDAC* OR AccessList:AppendData* OR AccessList:AddSubdirectory*)
Sigma YAML:
title: Windows Network Access Suspicious desktop.ini Action
id: 35bc7e28-ee6b-492f-ab04-da58fcf6402e
status: test
description: Detects unusual processes accessing desktop.ini remotely over network share, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
references:
    - https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/
author: Tim Shelton (HAWK.IO)
date: 2021-12-06
modified: 2022-01-16
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.009
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5145
        ObjectType: File
        RelativeTargetName|endswith: '\desktop.ini'
        AccessList|contains:
            - 'WriteData'
            - 'DELETE'
            - 'WriteDAC'
            - 'AppendData'
            - 'AddSubdirectory'
    condition: selection
falsepositives:
    - Read only access list authority
level: medium
Level: medium · Quality: Moderate · Alert volume: Medium FP
Windows Pcap Drivers
Detects Windows Pcap driver installation based on a list of associated .sys files.
Status: test · Author: Cian Heasley · ATT&CK mapping: technique · Rule id: 7b687634-ab20-11ea-bb37-0242ac130002
Carbon Black query:
EventID:4697 (ServiceFileName:pcap* OR ServiceFileName:npcap* OR ServiceFileName:npf* OR ServiceFileName:nm3* OR ServiceFileName:ndiscap* OR ServiceFileName:nmnt* OR ServiceFileName:windivert* OR ServiceFileName:USBPcap* OR ServiceFileName:pktmon*)
Sigma YAML:
title: Windows Pcap Drivers
id: 7b687634-ab20-11ea-bb37-0242ac130002
status: test
description: Detects Windows Pcap driver installation based on a list of associated .sys files.
references:
    - https://ragged-lab.blogspot.com/2020/06/capturing-pcap-driver-installations.html#more
author: Cian Heasley
date: 2020-06-10
modified: 2023-04-14
tags:
    - attack.discovery
    - attack.credential-access
    - attack.t1040
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory needs to be enabled to log the EID 4697
detection:
    selection:
        EventID: 4697
        ServiceFileName|contains:
            - 'pcap'
            - 'npcap'
            - 'npf'
            - 'nm3'
            - 'ndiscap'
            - 'nmnt'
            - 'windivert'
            - 'USBPcap'
            - 'pktmon'
    condition: selection
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Moderate · Alert volume: High FP
Windows PowerShell User Agent
Detects Windows PowerShell Web Access
Status: test · Author: Florian Roth (Nextron Systems) · ATT&CK mapping: sub-technique · Rule id: c8557060-9221-4448-8794-96320e6f3e74
Carbon Black query:
"c-useragent":\ WindowsPowerShell\/*
Sigma YAML:
title: Windows PowerShell User Agent
id: c8557060-9221-4448-8794-96320e6f3e74
status: test
description: Detects Windows PowerShell Web Access
references:
    - https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest
author: Florian Roth (Nextron Systems)
date: 2017-03-13
modified: 2021-11-27
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
        c-useragent|contains: ' WindowsPowerShell/'
    condition: selection
falsepositives:
    - Administrative scripts that download files from the Internet
    - Administrative scripts that retrieve certain website contents
level: medium
Level: medium · Quality: Moderate · Alert volume: Medium FP
Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted
Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" registry value. Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
Status: test · Author: Sajid Nawaz Khan · ATT&CK mapping: technique · Rule id: 5dfc1465-8f65-4fde-8eb5-6194380c6a62
Carbon Black query:
EventType:DeleteValue TargetObject:\\Microsoft\\Windows\\WindowsAI\\DisableAIDataAnalysis
Sigma YAML:
title: Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted
id: 5dfc1465-8f65-4fde-8eb5-6194380c6a62
related:
    - id: 75180c5f-4ea1-461a-a4f6-6e4700c065d4
      type: similar
    - id: 817f252c-5143-4dae-b418-48c3e9f63728
      type: similar
status: test
description: |
    Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" registry value.
    Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.
    This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
references:
    - https://learn.microsoft.com/en-us/windows/client-management/manage-recall
    - https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis
author: Sajid Nawaz Khan
date: 2024-06-02
tags:
    - attack.collection
    - attack.t1113
logsource:
    category: registry_delete
    product: windows
detection:
    selection:
        # HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis
        # HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis
        EventType: DeleteValue
        TargetObject|endswith: '\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis'
    condition: selection
falsepositives:
    - Legitimate use/activation of Windows Recall
level: medium
medium Moderate Medium FP
Windows Recall Feature Enabled - Registry
Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by setting the value of "DisableAIDataAnalysis" to "0". Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
status: test · author: Sajid Nawaz Khan · ATT&CK mapping: technique · rule id: 75180c5f-4ea1-461a-a4f6-6e4700c065d4
carbon_black query
TargetObject:\\Software\\Policies\\Microsoft\\Windows\\WindowsAI\\DisableAIDataAnalysis Details:DWORD\ \(0x00000000\)
view Sigma YAML
title: Windows Recall Feature Enabled - Registry
id: 75180c5f-4ea1-461a-a4f6-6e4700c065d4
related:
    - id: 5dfc1465-8f65-4fde-8eb5-6194380c6a62
      type: similar
    - id: 817f252c-5143-4dae-b418-48c3e9f63728
      type: similar
status: test
description: |
    Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by setting the value of "DisableAIDataAnalysis" to "0".
    Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.
    This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
references:
    - https://learn.microsoft.com/en-us/windows/client-management/manage-recall
    - https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis
author: Sajid Nawaz Khan
date: 2024-06-02
tags:
    - attack.collection
    - attack.t1113
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        # HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis
        # HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis
        TargetObject|endswith: '\Software\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Legitimate use/activation of Windows Recall
level: medium
medium Strong Medium FP
Windows Recall Feature Enabled Via Reg.EXE
Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" value, or setting it to 0. Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
status: test · author: Sajid Nawaz Khan · ATT&CK mapping: technique · rule id: 817f252c-5143-4dae-b418-48c3e9f63728
carbon_black query
(Image:\\reg.exe OR OriginalFileName:reg.exe) (CommandLine:Microsoft\\Windows\\WindowsAI* CommandLine:DisableAIDataAnalysis*) ((CommandLine:add* OR CommandLine:0*) OR CommandLine:delete*)
view Sigma YAML
title: Windows Recall Feature Enabled Via Reg.EXE
id: 817f252c-5143-4dae-b418-48c3e9f63728
related:
    - id: 5dfc1465-8f65-4fde-8eb5-6194380c6a62
      type: similar
    - id: 75180c5f-4ea1-461a-a4f6-6e4700c065d4
      type: similar
status: test
description: |
    Detects the enabling of the Windows Recall feature via registry manipulation.
    Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" value, or setting it to 0.
    Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.
    This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
references:
    - https://learn.microsoft.com/en-us/windows/client-management/manage-recall
    - https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis
author: Sajid Nawaz Khan
date: 2024-06-02
tags:
    - attack.collection
    - attack.t1113
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_value:
        # HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis
        # HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis
        CommandLine|contains|all:
            - 'Microsoft\Windows\WindowsAI'
            - 'DisableAIDataAnalysis'
    selection_action_add:
        CommandLine|contains:
            - 'add'
            - '0'
    selection_action_delete:
        CommandLine|contains: 'delete'
    condition: selection_img and selection_value and 1 of selection_action_*
falsepositives:
    - Legitimate use/activation of Windows Recall
level: medium
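What the three Windows Recall rules above actually match, as an added example that is my code rather than anything from the corpus or the rule author: a minimal evaluator for the Sigma constructs those rules use (`endswith`, `contains`, `contains|all`, OR-ed value lists, `1 of selection_*`), with the rules transcribed from the YAML and run over constructed Sysmon-style events. The event field names are the rules' own; the event contents and the `category` tag used to route events to the right log source are assumptions.

```python
"""Added example, not part of the Sigma corpus or this page: a minimal
evaluator for the three Windows Recall rules above, run over constructed
Sysmon-style events. It implements only what those rules use: the endswith
and contains modifiers, contains|all, OR-ed value lists and '1 of selection_*'.
"""
from typing import Any


def _match_value(mods: list, field_value: str, pattern: str) -> bool:
    # Sigma string comparison is case-insensitive.
    fv, p = field_value.lower(), pattern.lower()
    if "endswith" in mods:
        return fv.endswith(p)
    if "contains" in mods:
        return p in fv
    return fv == p


def _match_field(key: str, pattern: Any, event: dict) -> bool:
    field, *mods = key.split("|")
    value = event.get(field)
    if value is None:
        return False
    patterns = pattern if isinstance(pattern, list) else [pattern]
    hits = [_match_value(mods, str(value), str(p)) for p in patterns]
    # A plain value list is OR-ed; only the 'all' modifier turns it into AND.
    return all(hits) if "all" in mods else any(hits)


def match_selection(selection: Any, event: dict) -> bool:
    # A list of maps ('- Image|endswith: ...' / '- OriginalFileName: ...') is OR-ed;
    # the keys inside one map are AND-ed.
    if isinstance(selection, list):
        return any(match_selection(s, event) for s in selection)
    return all(_match_field(k, v, event) for k, v in selection.items())


def one_of(sels: dict, prefix: str) -> bool:
    """Sigma '1 of <prefix>*'."""
    return any(v for k, v in sels.items() if k.startswith(prefix))


def evaluate(rule: dict, event: dict) -> bool:
    if event.get("category") != rule["category"]:   # assumed log-source routing
        return False
    sels = {k: match_selection(v, event) for k, v in rule.items()
            if k.startswith("selection")}
    return bool(rule["condition"](sels))


RECALL_PATH = r"\Software\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis"

# The three rules, transcribed from the YAML above.
RECALL_RULES = [
    {"title": "Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted",
     "category": "registry_delete",
     "selection": {"EventType": "DeleteValue",
                   "TargetObject|endswith": r"\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis"},
     "condition": lambda s: s["selection"]},
    {"title": "Windows Recall Feature Enabled - Registry",
     "category": "registry_set",
     "selection": {"TargetObject|endswith": RECALL_PATH, "Details": "DWORD (0x00000000)"},
     "condition": lambda s: s["selection"]},
    {"title": "Windows Recall Feature Enabled Via Reg.EXE",
     "category": "process_creation",
     "selection_img": [{"Image|endswith": r"\reg.exe"}, {"OriginalFileName": "reg.exe"}],
     "selection_value": {"CommandLine|contains|all": [r"Microsoft\Windows\WindowsAI",
                                                      "DisableAIDataAnalysis"]},
     "selection_action_add": {"CommandLine|contains": ["add", "0"]},   # OR-ed list
     "selection_action_delete": {"CommandLine|contains": "delete"},
     "condition": lambda s: (s["selection_img"] and s["selection_value"]
                             and one_of(s, "selection_action_"))},
]

KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsAI"

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"category": "registry_delete", "EventType": "DeleteValue",
     "TargetObject": KEY + r"\DisableAIDataAnalysis"},                 # 0: Recall enabled
    {"category": "registry_set", "TargetObject": KEY + r"\DisableAIDataAnalysis",
     "Details": "DWORD (0x00000000)"},                                  # 1: Recall enabled
    {"category": "registry_set", "TargetObject": KEY + r"\DisableAIDataAnalysis",
     "Details": "DWORD (0x00000001)"},                                  # 2: Recall disabled
    {"category": "process_creation", "Image": r"C:\Windows\System32\reg.exe",
     "OriginalFileName": "reg.exe",
     "CommandLine": f'reg add "{KEY}" /v DisableAIDataAnalysis /t REG_DWORD /d 0 /f'},  # 3
    {"category": "process_creation", "Image": r"C:\Windows\System32\reg.exe",
     "OriginalFileName": "reg.exe",
     "CommandLine": f'reg add "{KEY}" /v DisableAIDataAnalysis /t REG_DWORD /d 1 /f'},  # 4
]


def run(rules: list, events: list) -> list:
    """Return (event index, rule title) for every rule that fires."""
    return [(i, r["title"]) for i, ev in enumerate(events)
            for r in rules if evaluate(r, ev)]


if __name__ == "__main__":
    for idx, title in run(RECALL_RULES, SAMPLE_EVENTS):
        print(f"event {idx}: {title}")
```

Events 0, 1 and 3 fire as intended and event 2 (setting the value back to 1) stays quiet for the registry_set rule. Event 4 is the one to notice: `reg add ... /d 1` re-disables Recall, yet the Reg.EXE rule still fires, because `selection_action_add` is a plain value list and so is OR-ed, meaning `add` alone satisfies it (and `0` alone would match most command lines with a digit). The `1 of selection_action_*` clause therefore barely narrows the rule; if you want it to fire only on enabling, tighten that selection to a `contains|all` of `add` and `/d 0` before deploying the rendered query.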
medium Moderate High FP
Windows Recovery Environment Disabled Via Reagentc
Detects attempts to disable the Windows Recovery Environment using Reagentc. ReAgentc.exe is a command-line tool in Windows used to manage the Windows Recovery Environment (WinRE). It allows users to enable, disable, and configure WinRE, which is used for troubleshooting and repairing common boot issues.
status: experimental · author: Daniel Koifman (KoifSec), Michael Vilshin · ATT&CK mapping: technique · rule id: db1c21e4-cd66-4b4e-85ca-590f0780529c
carbon_black query
(Image:\\reagentc.exe OR OriginalFileName:reagentc.exe) (CommandLine:\-disable* OR CommandLine:\/disable* OR CommandLine:–disable* OR CommandLine:—disable* OR CommandLine:―disable*)
view Sigma YAML
title: Windows Recovery Environment Disabled Via Reagentc
id: db1c21e4-cd66-4b4e-85ca-590f0780529c
status: experimental
description: |
    Detects attempts to disable the Windows Recovery Environment using Reagentc.
    ReAgentc.exe is a command-line tool in Windows used to manage the Windows Recovery Environment (WinRE).
    It allows users to enable, disable, and configure WinRE, which is used for troubleshooting and repairing common boot issues.
references:
    - https://www.elastic.co/security-labs/maas-appeal-an-infostealer-rises-from-the-ashes
    - https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/reagentc-command-line-options?view=windows-11
author: Daniel Koifman (KoifSec), Michael Vilshin
date: 2025-07-31
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:   # Example command simulated:  reagentc /disable
        - Image|endswith: '\reagentc.exe'
        - OriginalFileName: 'reagentc.exe'
    selection_cli:
        CommandLine|contains|windash: '/disable'
    condition: all of selection_*
falsepositives:
    - Legitimate administrative activity
level: medium
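The rendered Carbon Black query above spells out what the `windash` modifier in `selection_cli` expands to: the switch prefix `/` plus `-` and the Unicode en dash, em dash and horizontal bar. The same modifier appears in the XSL Script Execution Via WMIC.EXE rule further down. As an added example (my code, not the rule's or pySigma's), here is that expansion implemented directly and the Reagentc rule applied to constructed process-creation events; the set of prefix characters is taken from the rendered query, everything else is assumed.

```python
"""Added example, not from the page or the Sigma project: what the 'windash'
modifier in the Reagentc rule above expands to, applied to constructed
process-creation events."""
from itertools import product

# Switch prefixes Windows command-line parsers accept; the rendered Carbon
# Black query above lists exactly these five variants for '/disable'.
WINDASH_CHARS = ("-", "/", "\u2013", "\u2014", "\u2015")   # - / en dash, em dash, horizontal bar


def windash(value: str) -> list:
    """All variants of `value` with each '-' or '/' replaced by every accepted prefix."""
    slots = [i for i, ch in enumerate(value) if ch in "-/"]
    variants = []
    for combo in product(WINDASH_CHARS, repeat=len(slots)):
        chars = list(value)
        for i, repl in zip(slots, combo):
            chars[i] = repl
        variants.append("".join(chars))
    return variants


def reagentc_disable(event: dict) -> bool:
    """'Windows Recovery Environment Disabled Via Reagentc' as plain Python:
    all of selection_* means image check AND command-line check."""
    image_ok = (event.get("Image", "").lower().endswith(r"\reagentc.exe")
                or event.get("OriginalFileName", "").lower() == "reagentc.exe")
    cli = event.get("CommandLine", "").lower()
    cli_ok = any(v in cli for v in windash("/disable"))
    return image_ok and cli_ok


SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"Image": r"C:\Windows\System32\ReAgentc.exe", "OriginalFileName": "reagentc.exe",
     "CommandLine": "reagentc /disable"},                # 0: the documented form
    {"Image": r"C:\Windows\System32\ReAgentc.exe", "OriginalFileName": "reagentc.exe",
     "CommandLine": "reagentc \u2013disable"},           # 1: en dash, e.g. pasted from a document
    {"Image": r"C:\Users\Public\ra.exe", "OriginalFileName": "reagentc.exe",
     "CommandLine": "ra.exe -disable"},                  # 2: renamed copy, caught via OriginalFileName
    {"Image": r"C:\Windows\System32\ReAgentc.exe", "OriginalFileName": "reagentc.exe",
     "CommandLine": "reagentc /info"},                   # 3: benign query, quiet
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": 'cmd /c "echo /disable"'},           # 4: wrong image, quiet
]


def alerts(events: list) -> list:
    """Indexes of the events the rule fires on."""
    return [i for i, ev in enumerate(events) if reagentc_disable(ev)]


if __name__ == "__main__":
    print(windash("/disable"))
    print(alerts(SAMPLE_EVENTS))
```

Two things the run makes visible: without `windash` a plain `contains: '/disable'` would miss events 1 and 2, and the `OriginalFileName` branch of `selection_img` is what catches the renamed binary in event 2. The modifier only normalises the switch prefix; it does nothing for quoting, spacing or abbreviated switches, so the rule's own false-positive note (legitimate administrative use) is the main tuning lever.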
medium Moderate High FP
Windows Registry Trust Record Modification
Alerts on trust record modification within the registry, indicating usage of macros
status: test · author: Antonlovesdnb, Trent Liffick (@tliffick) · ATT&CK mapping: sub-technique · rule id: 295a59c1-7b79-4b47-a930-df12c15fc9c2
carbon_black query
TargetObject:\\Security\\Trusted\ Documents\\TrustRecords*
view Sigma YAML
title: Windows Registry Trust Record Modification
id: 295a59c1-7b79-4b47-a930-df12c15fc9c2
related:
    - id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd
      type: similar
status: test
description: Alerts on trust record modification within the registry, indicating usage of macros
references:
    - https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/
    - http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html
    - https://twitter.com/inversecos/status/1494174785621819397
author: Antonlovesdnb, Trent Liffick (@tliffick)
date: 2020-02-19
modified: 2023-06-21
tags:
    - attack.initial-access
    - attack.t1566.001
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|contains: '\Security\Trusted Documents\TrustRecords'
    condition: selection
falsepositives:
    - This will alert on legitimate macro usage as well, additional tuning is required
level: medium
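The rule above fires on any write under `\Security\Trusted Documents\TrustRecords`, and its own false-positive note says tuning is required: every document a user clicks "Enable Editing" on lands in the same key. Separating that from "Enable Content" needs the value data, which Sysmon does not carry (it logs binary values as "Binary Data"), so the bytes below are assumed to come from a hive export or a `reg query` of the user's hive. This is an added example (my code, not the rule's); the layout it assumes comes from the Outflank and az4n6 write-ups the rule cites: the value name is the document path with forward slashes, the first 8 bytes are a FILETIME, and the last 4 bytes are `FF FF FF 7F` when macros were enabled. Verify that layout against your own Office build before relying on it.

```python
"""Added example, not part of the page or the Sigma rule: decode a TrustRecords
value so hits from the 'Windows Registry Trust Record Modification' rule can
be triaged. Layout assumptions (from the write-ups the rule cites): value name
= document path with forward slashes, bytes 0-7 = FILETIME, last 4 bytes =
FF FF FF 7F when 'Enable Content' was clicked."""
import re
import struct
from datetime import datetime, timedelta, timezone
from typing import Optional

TRUSTRECORDS_RE = re.compile(
    r"\\Office\\(?P<version>[\d.]+)\\(?P<app>\w+)\\Security\\Trusted Documents"
    r"\\TrustRecords\\(?P<document>.+)$", re.IGNORECASE)
MACROS_ENABLED_MARKER = b"\xff\xff\xff\x7f"          # assumed 'Enable Content' flag
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def decode_trust_record(target_object: str, data: bytes) -> Optional[dict]:
    """Document, timestamp and macro flag for one TrustRecords value, or None
    when the TargetObject is the key itself rather than a per-document value."""
    m = TRUSTRECORDS_RE.search(target_object)
    if not m or len(data) < 12:
        return None
    (ft,) = struct.unpack_from("<Q", data, 0)
    return {
        "app": m["app"],
        "version": m["version"],
        "document": m["document"].replace("/", "\\"),   # Office stores forward slashes
        "timestamp": filetime_to_datetime(ft),
        "macros_enabled": data[-4:] == MACROS_ENABLED_MARKER,
    }


SAMPLE_TIME = datetime(2024, 6, 2, 12, 0, tzinfo=timezone.utc)
HIVE = r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Office\16.0"


def _record(flag: bytes) -> bytes:
    # Constructed value data: FILETIME, 12 bytes this example does not interpret, flag word.
    return struct.pack("<Q", datetime_to_filetime(SAMPLE_TIME)) + b"\x00" * 12 + flag


SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"TargetObject": HIVE + r"\Word\Security\Trusted Documents\TrustRecords\%USERPROFILE%/Downloads/invoice.docm",
     "Data": _record(MACROS_ENABLED_MARKER)},                 # 'Enable Content' clicked
    {"TargetObject": HIVE + r"\Excel\Security\Trusted Documents\TrustRecords\%USERPROFILE%/Documents/budget.xlsx",
     "Data": _record(b"\x01\x00\x00\x00")},                   # 'Enable Editing' only
    {"TargetObject": HIVE + r"\Word\Security\Trusted Documents\TrustRecords",
     "Data": b""},                                            # the key itself
]


def macro_enabled_documents(events: list) -> list:
    """The subset of rule hits where macros were actually enabled: triage these first."""
    out = []
    for ev in events:
        rec = decode_trust_record(ev["TargetObject"], ev["Data"])
        if rec and rec["macros_enabled"]:
            out.append(f'{rec["app"]} {rec["version"]}: {rec["document"]}')
    return out


if __name__ == "__main__":
    for line in macro_enabled_documents(SAMPLE_EVENTS):
        print(line)
```

All three sample events trip the Sigma rule (they all sit under `TrustRecords`), but only the first is worth an analyst's time; the decoder also hands you the document path, which is the pivot to the file itself and to the delivery channel behind the T1566.001 mapping.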
medium Moderate High FP
Windows Screen Capture with CopyFromScreen
Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations
status: test · author: frack113 · ATT&CK mapping: technique · rule id: d4a11f63-2390-411c-9adf-d791fd152830
carbon_black query
ScriptBlockText:.CopyFromScreen*
view Sigma YAML
title: Windows Screen Capture with CopyFromScreen
id: d4a11f63-2390-411c-9adf-d791fd152830
status: test
description: |
    Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation.
    Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-6---windows-screen-capture-copyfromscreen
author: frack113
date: 2021-12-28
modified: 2022-07-07
tags:
    - attack.collection
    - attack.t1113
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains: '.CopyFromScreen'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium Moderate Medium FP
Windows Terminal Profile Settings Modification By Uncommon Process
Detects the creation or modification of the Windows Terminal Profile settings file "settings.json" by an uncommon process.
status: test · author: frack113, Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: sub-technique · rule id: 9b64de98-9db3-4033-bd7a-f51430105f00
carbon_black query
(Image:\\cmd.exe OR Image:\\cscript.exe OR Image:\\mshta.exe OR Image:\\powershell.exe OR Image:\\pwsh.exe OR Image:\\wscript.exe) TargetFilename:\\AppData\\Local\\Packages\\Microsoft.WindowsTerminal_8wekyb3d8bbwe\\LocalState\\settings.json
view Sigma YAML
title: Windows Terminal Profile Settings Modification By Uncommon Process
id: 9b64de98-9db3-4033-bd7a-f51430105f00
status: test
description: Detects the creation or modification of the Windows Terminal Profile settings file "settings.json" by an uncommon process.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1547.015/T1547.015.md#atomic-test-1---persistence-by-modifying-windows-terminal-profile
    - https://twitter.com/nas_bench/status/1550836225652686848
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-22
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.015
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            # Note: Add other potential common applications
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wscript.exe'
        TargetFilename|endswith: '\AppData\Local\Packages\Microsoft.WindowsTerminal_8wekyb3d8bbwe\LocalState\settings.json'
    condition: selection
falsepositives:
    - Some false positives may occur with admin scripts that set WT settings.
level: medium
medium Moderate Medium FP
Winlogon AllowMultipleTSSessions Enable
Detects when the 'AllowMultipleTSSessions' value is enabled, which allows multiple Remote Desktop sessions to be open at once. Attackers often use this to connect to an RDP session without disconnecting the other users.
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: technique · rule id: f7997770-92c3-4ec9-b112-774c4ef96f96
carbon_black query
TargetObject:\\Microsoft\\Windows\ NT\\CurrentVersion\\Winlogon\\AllowMultipleTSSessions Details:DWORD\ \(0x00000001\)
view Sigma YAML
title: Winlogon AllowMultipleTSSessions Enable
id: f7997770-92c3-4ec9-b112-774c4ef96f96
status: test
description: |
  Detects when the 'AllowMultipleTSSessions' value is enabled,
  which allows multiple Remote Desktop sessions to be open at once.
  Attackers often use this to connect to an RDP session without disconnecting the other users.
references:
    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-09
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions'
        Details|endswith: DWORD (0x00000001)
    condition: selection
falsepositives:
    - Legitimate use of the multi session functionality
level: medium
medium Moderate High FP
Winlogon Helper DLL
Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software\[Wow6432Node\]\Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables.
status: test · author: Timur Zinniatullin, oscd.community · ATT&CK mapping: sub-technique · rule id: 851c506b-6b7c-4ce2-8802-c703009d03c0
carbon_black query
ScriptBlockText:CurrentVersion\\Winlogon* (ScriptBlockText:Set\-ItemProperty* OR ScriptBlockText:New\-Item*)
view Sigma YAML
title: Winlogon Helper DLL
id: 851c506b-6b7c-4ce2-8802-c703009d03c0
status: test
description: |
    Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.
    Registry entries in HKLM\Software\[Wow6432Node\]\Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are
    used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to
    load and execute malicious DLLs and/or executables.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.004/T1547.004.md
author: Timur Zinniatullin, oscd.community
date: 2019-10-21
modified: 2022-07-07
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.004
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains: 'CurrentVersion\Winlogon'
    selection2:
        ScriptBlockText|contains:
            - 'Set-ItemProperty'
            - 'New-Item'
    condition: all of selection*
falsepositives:
    - Unknown
level: medium
medium Moderate High FP
Winrar Compressing Dump Files
Detects execution of WinRAR in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.
status: test · author: Florian Roth (Nextron Systems) · ATT&CK mapping: sub-technique · rule id: 1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc
carbon_black query
((Image:\\rar.exe OR Image:\\winrar.exe) OR Description:Command\ line\ RAR) (CommandLine:.dmp* OR CommandLine:.dump* OR CommandLine:.hdmp*)
view Sigma YAML
title: Winrar Compressing Dump Files
id: 1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc
related:
    - id: ec570e53-4c76-45a9-804d-dc3f355ff7a7
      type: similar
status: test
description: Detects execution of WinRAR in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.
references:
    - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
author: Florian Roth (Nextron Systems)
date: 2022-01-04
modified: 2023-09-12
tags:
    - attack.collection
    - attack.t1560.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\rar.exe'
              - '\winrar.exe'
        - Description: 'Command line RAR'
    selection_extension:
        CommandLine|contains:
            - '.dmp'
            - '.dump'
            - '.hdmp'
    condition: all of selection_*
falsepositives:
    - Legitimate use of WinRAR with a command line in which ".dmp" or ".dump" appears accidentally
    - Legitimate use of WinRAR to compress WER ".dmp" files for troubleshooting
level: medium
medium Moderate High FP
Winscp Execution From Non Standard Folder
Detects the execution of WinSCP from a non-standard folder. This could indicate the execution of the portable WinSCP build.
status: experimental · author: frack113 · ATT&CK mapping: technique · rule id: 7674f8ef-7141-4cf0-a311-ee359264c64c
carbon_black query
(Image:\\WinSCP.exe OR OriginalFileName:winscp.exe) (-Image:C\:\\Program\ Files\ \(x86\)\\WinSCP\\*)
view Sigma YAML
title: Winscp Execution From Non Standard Folder
id: 7674f8ef-7141-4cf0-a311-ee359264c64c
status: experimental
description: Detects the execution of WinSCP from a non-standard folder. This could indicate the execution of the portable WinSCP build.
references:
    - https://blogs.blackberry.com/en/2024/07/akira-ransomware-targets-the-latam-airline-industry
author: frack113
date: 2025-10-12
tags:
    - attack.exfiltration
    - attack.t1048
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\WinSCP.exe'
        - OriginalFileName: 'winscp.exe'
    filter_main_location:
        Image|startswith: 'C:\Program Files (x86)\WinSCP\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
medium Strong Medium FP
Wow6432Node Classes Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
status: test · author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) · ATT&CK mapping: sub-technique · rule id: 18f2065c-d36c-464a-a748-bcf909acb2e3
carbon_black query
TargetObject:\\Software\\Wow6432Node\\Classes* (TargetObject:\\Folder\\ShellEx\\ExtShellFolderViews* OR TargetObject:\\Folder\\ShellEx\\DragDropHandlers* OR TargetObject:\\Folder\\ShellEx\\ColumnHandlers* OR TargetObject:\\Directory\\Shellex\\DragDropHandlers* OR TargetObject:\\Directory\\Shellex\\CopyHookHandlers* OR TargetObject:\\CLSID\\\{AC757296\-3522\-4E11\-9862\-C17BE5A1767E\}\\Instance* OR TargetObject:\\CLSID\\\{ABE3B9A4\-257D\-4B97\-BD1A\-294AF496222E\}\\Instance* OR TargetObject:\\CLSID\\\{7ED96837\-96F0\-4812\-B211\-F13C24117ED3\}\\Instance* OR TargetObject:\\CLSID\\\{083863F1\-70DE\-11d0\-BD40\-00A0C911CE86\}\\Instance* OR TargetObject:\\AllFileSystemObjects\\ShellEx\\DragDropHandlers* OR TargetObject:\\ShellEx\\PropertySheetHandlers* OR TargetObject:\\ShellEx\\ContextMenuHandlers*) (-Details:\(Empty\))
view Sigma YAML
title: Wow6432Node Classes Autorun Keys Modification
id: 18f2065c-d36c-464a-a748-bcf909acb2e3
related:
    - id: 17f878b8-9968-4578-b814-c4217fc5768c
      type: obsolete
status: test
description: Detects modification of autostart extensibility point (ASEP) in registry.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    wow_classes_base:
        TargetObject|contains: '\Software\Wow6432Node\Classes'
    wow_classes:
        TargetObject|contains:
            - '\Folder\ShellEx\ExtShellFolderViews'
            - '\Folder\ShellEx\DragDropHandlers'
            - '\Folder\ShellEx\ColumnHandlers'
            - '\Directory\Shellex\DragDropHandlers'
            - '\Directory\Shellex\CopyHookHandlers'
            - '\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance'
            - '\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance'
            - '\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance'
            - '\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance'
            - '\AllFileSystemObjects\ShellEx\DragDropHandlers'
            - '\ShellEx\PropertySheetHandlers'
            - '\ShellEx\ContextMenuHandlers'
    filter:
        Details: '(Empty)'
    condition: wow_classes_base and wow_classes and not filter
falsepositives:
    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
    - Legitimate administrator sets up autorun keys for legitimate reason
level: medium
medium Moderate High FP
Write Protect For Storage Disabled
Detects applications trying to modify the registry in order to disable any write-protect property for storage devices. This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.
status: test · author: Sreeman · ATT&CK mapping: technique · rule id: 75f7a0e2-7154-4c4d-9eae-5cdb4e0a5c13
carbon_black query
CommandLine:\\System\\CurrentControlSet\\Control* CommandLine:Write\ Protection* CommandLine:0* CommandLine:storage*
view Sigma YAML
title: Write Protect For Storage Disabled
id: 75f7a0e2-7154-4c4d-9eae-5cdb4e0a5c13
status: test
description: |
    Detects applications trying to modify the registry in order to disable any write-protect property for storage devices.
    This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.
references:
    - https://www.manageengine.com/products/desktop-central/os-imaging-deployment/media-is-write-protected.html
author: Sreeman
date: 2021-06-11
modified: 2024-01-18
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains|all:
            - '\System\CurrentControlSet\Control'
            - 'Write Protection'
            - '0'
            - 'storage'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium Moderate High FP
Writing Local Admin Share
Adversaries may interact with a remote network share using Server Message Block (SMB). This technique is used by post-exploitation frameworks.
status: test · author: frack113 · ATT&CK mapping: sub-technique · rule id: 4aafb0fa-bff5-4b9d-b99e-8093e659c65f
carbon_black query
TargetFilename:\\\\127.0.0* TargetFilename:\\ADMIN$\\*
view Sigma YAML
title: Writing Local Admin Share
id: 4aafb0fa-bff5-4b9d-b99e-8093e659c65f
status: test
description: |
    Adversaries may interact with a remote network share using Server Message Block (SMB).
    This technique is used by post-exploitation frameworks.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-4---execute-command-writing-output-to-local-admin-share
author: frack113
date: 2022-01-01
modified: 2022-08-13
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.lateral-movement
    - attack.t1546.002
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains|all:
            - '\\\\127.0.0'
            - '\ADMIN$\'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium Moderate Medium FP
Writing Of Malicious Files To The Fonts Folder
Monitors for possible malicious files being hidden in the C:\Windows\Fonts\ location. According to the rule, this folder does not require admin privileges to be written to and executed from.
status: test · author: Sreeman · ATT&CK mapping: technique · rule id: ae9b0bd7-8888-4606-b444-0ed7410cb728
carbon_black query
(CommandLine:echo* OR CommandLine:copy* OR CommandLine:type* OR CommandLine:file\ createnew* OR CommandLine:cacls*) CommandLine:C\:\\Windows\\Fonts\\* (CommandLine:.sh* OR CommandLine:.exe* OR CommandLine:.dll* OR CommandLine:.bin* OR CommandLine:.bat* OR CommandLine:.cmd* OR CommandLine:.js* OR CommandLine:.msh* OR CommandLine:.reg* OR CommandLine:.scr* OR CommandLine:.ps* OR CommandLine:.vb* OR CommandLine:.jar* OR CommandLine:.pl* OR CommandLine:.inf* OR CommandLine:.cpl* OR CommandLine:.hta* OR CommandLine:.msi* OR CommandLine:.vbs*)
view Sigma YAML
title: Writing Of Malicious Files To The Fonts Folder
id: ae9b0bd7-8888-4606-b444-0ed7410cb728
status: test
description: Monitors for possible malicious files being hidden in the C:\Windows\Fonts\ location. This folder doesn't require admin privileges to be written to and executed from.
references:
    - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/
author: Sreeman
date: 2020-04-21
modified: 2022-03-08
tags:
    - attack.stealth
    - attack.t1211
    - attack.t1059
    - attack.persistence
    - attack.execution
logsource:
    product: windows
    category: process_creation
detection:
    selection_1:
        CommandLine|contains:
            - 'echo'
            - 'copy'
            - 'type'
            - 'file createnew'
            - 'cacls'
    selection_2:
        CommandLine|contains: 'C:\Windows\Fonts\'
    selection_3:
        CommandLine|contains:
            - '.sh'
            - '.exe'
            - '.dll'
            - '.bin'
            - '.bat'
            - '.cmd'
            - '.js'
            - '.msh'
            - '.reg'
            - '.scr'
            - '.ps'
            - '.vb'
            - '.jar'
            - '.pl'
            - '.inf'
            - '.cpl'
            - '.hta'
            - '.msi'
            - '.vbs'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium Moderate High FP
Wscript Shell Run In CommandLine
Detects the presence of the keywords "Wscript", "Shell" and "Run" in the command, which could indicate a suspicious activity
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: technique · rule id: 2c28c248-7f50-417a-9186-a85b223010ee
carbon_black query
CommandLine:Wscript.* CommandLine:.Shell* CommandLine:.Run*
view Sigma YAML
title: Wscript Shell Run In CommandLine
id: 2c28c248-7f50-417a-9186-a85b223010ee
status: test
description: Detects the presence of the keywords "Wscript", "Shell" and "Run" in the command, which could indicate a suspicious activity
references:
    - https://web.archive.org/web/20220830122045/http://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html
    - https://blog.talosintelligence.com/modernloader-delivers-multiple-stealers-cryptominers-and-rats/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-31
modified: 2023-05-15
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'Wscript.'
            - '.Shell'
            - '.Run'
    condition: selection
falsepositives:
    - Inline scripting can be used by some rare third party applications or administrators. Investigate and apply additional filters accordingly
level: medium
medium Strong Medium FP
XBAP Execution From Uncommon Locations Via PresentationHost.EXE
Detects the execution of ".xbap" (Browser Applications) files via PresentationHost.EXE from an uncommon location. PresentationHost.EXE can be abused to run malicious ".xbap" files and bypass application whitelisting (AWL).
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: technique · rule id: d22e2925-cfd8-463f-96f6-89cec9d9bc5f
carbon_black query
((Image:\\presentationhost.exe OR OriginalFileName:PresentationHost.exe) CommandLine:.xbap*) (-(CommandLine:\ C\:\\Windows\\* OR CommandLine:\ C\:\\Program\ Files*))
view Sigma YAML
title: XBAP Execution From Uncommon Locations Via PresentationHost.EXE
id: d22e2925-cfd8-463f-96f6-89cec9d9bc5f
status: test
description: |
    Detects the execution of ".xbap" (Browser Applications) files via PresentationHost.EXE from an uncommon location. PresentationHost.EXE can be abused to run malicious ".xbap" files and bypass application whitelisting (AWL).
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Presentationhost/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-01
modified: 2023-11-09
tags:
    - attack.execution
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\presentationhost.exe'
        - OriginalFileName: 'PresentationHost.exe'
    selection_cli:
        CommandLine|contains: '.xbap'
    filter_main_generic:
        CommandLine|contains: # Filter out legitimate locations if you find them
            - ' C:\Windows\'
            - ' C:\Program Files'
    condition: all of selection* and not 1 of filter_main_*
falsepositives:
    - Legitimate ".xbap" being executed via "PresentationHost"
level: medium
medium Strong Medium FP
XSL Script Execution Via WMIC.EXE
Detects the execution of WMIC with the "format" flag to potentially load local XSL files. Adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files.
status: test · author: Timur Zinniatullin, oscd.community, Swachchhanda Shrawan Poudel · ATT&CK mapping: sub-technique · rule id: 05c36dd6-79d6-4a9a-97da-3db20298ab2d
carbon_black query
((Image:\\wmic.exe OR OriginalFileName:wmic.exe OR (Hashes:IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E* OR Hashes:IMPHASH=37777A96245A3C74EB217308F3546F4C* OR Hashes:IMPHASH=9D87C9D67CE724033C0B40CC4CA1B206* OR Hashes:IMPHASH=B12619881D79C3ACADF45E752A58554A* OR Hashes:IMPHASH=16A48C3CABF98A9DC1BF02C07FE1EA00*)) (CommandLine:\-format\:* OR CommandLine:\/format\:* OR CommandLine:–format\:* OR CommandLine:—format\:* OR CommandLine:―format\:*)) (-((CommandLine:Format\:List* OR CommandLine:Format\:htable* OR CommandLine:Format\:hform* OR CommandLine:Format\:table* OR CommandLine:Format\:mof* OR CommandLine:Format\:value* OR CommandLine:Format\:rawxml* OR CommandLine:Format\:xml* OR CommandLine:Format\:csv*) OR (CommandLine:\:\/\/* OR CommandLine:\\\\*)))
view Sigma YAML
title: XSL Script Execution Via WMIC.EXE
id: 05c36dd6-79d6-4a9a-97da-3db20298ab2d
related:
    - id: 06ce37c2-61ab-4f05-9ff5-b1a96d18ae32
      type: similar
    - id: 8d63dadf-b91b-4187-87b6-34a1114577ea
      type: similar
status: test
description: |
    Detects the execution of WMIC with the "format" flag to potentially load local XSL files.
    Adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.
    Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md
author: Timur Zinniatullin, oscd.community, Swachchhanda Shrawan Poudel
date: 2019-10-21
modified: 2026-01-24
tags:
    - attack.stealth
    - attack.t1047
    - attack.t1220
    - attack.execution
    - attack.t1059.005
    - attack.t1059.007
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\wmic.exe'
        - OriginalFileName: 'wmic.exe'
        - Hashes|contains:  # Sysmon field hashes contains all types
              - 'IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E'
              - 'IMPHASH=37777A96245A3C74EB217308F3546F4C'
              - 'IMPHASH=9D87C9D67CE724033C0B40CC4CA1B206'
              - 'IMPHASH=B12619881D79C3ACADF45E752A58554A'
              - 'IMPHASH=16A48C3CABF98A9DC1BF02C07FE1EA00'
    selection_cmd:
        CommandLine|contains|windash: '-format:'     # wmic process list -FORMAT /? or wmic process list /FORMAT /?
    filter_main_known_format:
        CommandLine|contains:
            - 'Format:List'
            - 'Format:htable'
            - 'Format:hform'
            - 'Format:table'
            - 'Format:mof'
            - 'Format:value'
            - 'Format:rawxml'
            - 'Format:xml'
            - 'Format:csv'
    filter_main_remote_operation: # Covered by 8d63dadf-b91b-4187-87b6-34a1114577ea
        CommandLine|contains:
            - '://'
            - '\\\\'
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - WMIC.exe false positives depend on the scripts and administrative methods used in the monitored environment.
    - Static format arguments - https://petri.com/command-line-wmi-part-3
level: medium
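The rule above reads best when run: the following Python is an added example, not the rule's or the corpus's own code, that evaluates the same selection and filter logic over a handful of constructed process-creation events (all made up). It spells out what the `windash` modifier expands to, why a built-in format name or a remote XSL path is filtered, and one consequence of the known-format filter being a plain substring test.

```python
"""Evaluate the 'XSL Script Execution Via WMIC.EXE' Sigma rule logic over
constructed process-creation events (added example; the events are made up)."""

# Sigma's |windash modifier expands the leading '-' of a value into every
# dash variant the Windows shells accept, so a copy-pasted en dash still hits.
WINDASH = ("-", "/", "\u2013", "\u2014", "\u2015")  # -  /  –  —  ―

IMPHASHES = (
    "IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E",
    "IMPHASH=37777A96245A3C74EB217308F3546F4C",
    "IMPHASH=9D87C9D67CE724033C0B40CC4CA1B206",
    "IMPHASH=B12619881D79C3ACADF45E752A58554A",
    "IMPHASH=16A48C3CABF98A9DC1BF02C07FE1EA00",
)
# filter_main_known_format: the XSL stylesheets that ship with wmic
KNOWN_FORMATS = ("list", "htable", "hform", "table", "mof", "value",
                 "rawxml", "xml", "csv")


def _contains(haystack, needle):
    """Sigma 'contains': case-insensitive substring test."""
    return needle.lower() in (haystack or "").lower()


def is_wmic(event):
    """selection_img: image suffix, OriginalFileName or a known import hash."""
    return (
        (event.get("Image") or "").lower().endswith("\\wmic.exe")
        or (event.get("OriginalFileName") or "").lower() == "wmic.exe"
        or any(_contains(event.get("Hashes"), h) for h in IMPHASHES)
    )


def has_format_flag(cmd):
    """selection_cmd: CommandLine|contains|windash '-format:'."""
    return any(_contains(cmd, dash + "format:") for dash in WINDASH)


def xsl_via_wmic(event):
    """condition: all of selection_* and not 1 of filter_main_*."""
    cmd = event.get("CommandLine") or ""
    if not (is_wmic(event) and has_format_flag(cmd)):
        return False
    if any(_contains(cmd, "format:" + fmt) for fmt in KNOWN_FORMATS):
        return False                      # filter_main_known_format
    if _contains(cmd, "://") or _contains(cmd, "\\\\"):
        return False                      # filter_main_remote_operation
    return True


WMIC = "C:\\Windows\\System32\\wbem\\WMIC.exe"
SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"Image": WMIC, "CommandLine": 'wmic process list /format:"C:\\Users\\Public\\update.xsl"'},
    {"Image": WMIC, "CommandLine": "wmic os get name \u2013format:C:\\ProgramData\\x.xsl"},
    {"Image": WMIC, "CommandLine": "wmic os get /format:list"},
    {"Image": WMIC, "CommandLine": 'wmic os get /format:"https://cdn.example.test/x.xsl"'},
    {"Image": "C:\\Temp\\w.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": "w.exe process list -format:C:\\Temp\\p.xsl"},
    {"Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd /c dir"},
    # Blind spot: the known-format filter is a substring test, so a relative
    # XSL name that starts with one of the built-in names is suppressed.
    {"Image": WMIC, "CommandLine": "wmic os get /format:xmlout.xsl"},
]


def run_samples():
    return [xsl_via_wmic(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for ev, hit in zip(SAMPLE_EVENTS, run_samples()):
        print("ALERT " if hit else "      ", ev["CommandLine"])
```

The renamed binary (fifth event) is caught only because OriginalFileName and the import hashes are in `selection_img`; if your EDR does not populate those, the rule degrades to an image-path match. The last event shows the tuning point: `filter_main_known_format` suppresses anything whose format argument merely begins with a built-in name, so tighten it to exact names (or a trailing space/quote) if that matters in your environment.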
level: medium · quality: Strong · alert volume: Medium FP
Zimbra Collaboration Suite Email Server Unauthenticated RCE
Detects an attempt to exploit the vulnerable "mboximport" servlet (CVE-2022-27925): a path traversal in ZIP archive import that lets an unauthenticated remote attacker write files such as a JSP webshell under the web root and so gain remote code execution
status: test · author: @gott_cyber · ATT&CK: technique · id: dd218fb6-4d02-42dc-85f0-a0a376072efd
carbon_black query
("cs-method":POST "cs-uri-query":\/service\/extension\/backup\/mboximport?* ("cs-uri-query":account\-name* "cs-uri-query":ow* "cs-uri-query":no\-switch* "cs-uri-query":append*) ("sc-status":401 OR "sc-status":200)) OR ("cs-uri-query":\/zimbraAdmin\/* "cs-uri-query":.jsp "sc-status":200*)
view Sigma YAML
title: Zimbra Collaboration Suite Email Server Unauthenticated RCE
id: dd218fb6-4d02-42dc-85f0-a0a376072efd
status: test
description: 'Detects an attempt to exploit the vulnerable "mboximport" servlet (CVE-2022-27925): a path traversal in ZIP archive import that lets an unauthenticated remote attacker write files such as a JSP webshell under the web root and so gain remote code execution'
references:
    - https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/
    - https://www.yang99.top/index.php/archives/82/
    - https://github.com/vnhacker1337/CVE-2022-27925-PoC
author: '@gott_cyber'
date: 2022-08-17
modified: 2023-01-02
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2022-27925
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection_servlet:
        cs-method: 'POST'
        cs-uri-query|contains: '/service/extension/backup/mboximport\?'
        cs-uri-query|contains|all:
            - 'account-name'
            - 'ow'
            - 'no-switch'
            - 'append'
        sc-status:
            - 401
            - 200
    selection_shell:
        cs-uri-query|contains: '/zimbraAdmin/'
        cs-uri-query|endswith: '.jsp'
        sc-status|contains: '200'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: medium
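Because this rule uses the generic Sigma webserver fields, the field mapping decides whether it fires at all. The Python below is an added example, not the rule's own code: it parses a constructed W3C-style log (made-up lines), maps stem plus query onto the single `cs-uri-query` value the rule expects, and evaluates both selections. The field names and the assumption that your logs separate `cs-uri-stem` from `cs-uri-query` are mine.

```python
"""Run the Zimbra mboximport Sigma rule logic over constructed W3C-style
webserver log lines (added example; lines and field mapping are assumptions)."""

# Constructed IIS/W3C-style sample. The rule's generic 'cs-uri-query' must
# carry the full request target; W3C logs split stem and query, so normalise().
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status
2022-08-12 10:01:02 POST /service/extension/backup/mboximport account-name=admin&ow=2&no-switch=1&append=1 401
2022-08-12 10:01:03 POST /service/extension/backup/mboximport account-name=admin&ow=2&no-switch=1&append=1 200
2022-08-12 10:01:09 POST /zimbraAdmin/public/jsp/update.jsp - 200
2022-08-12 10:01:15 GET /zimbraAdmin/public/jsp/update.jsp cmd=id 200
2022-08-12 10:02:10 GET /zimbraAdmin/ - 200
2022-08-12 10:03:11 POST /service/extension/backup/mboximport account-name=admin 500
2022-08-12 10:04:12 GET /service/soap/AuthRequest - 200
"""


def parse_w3c(text):
    """Yield one dict per log line, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def normalise(event):
    """Map W3C fields onto the Sigma field names the rule uses."""
    query = event.get("cs-uri-query", "-")
    target = event["cs-uri-stem"] + ("" if query == "-" else "?" + query)
    return {"cs-method": event["cs-method"], "cs-uri-query": target,
            "sc-status": event["sc-status"]}


def zimbra_mboximport(e):
    """condition: 1 of selection_*  (Sigma string matching is case-insensitive)."""
    uri = e["cs-uri-query"].lower()
    status = str(e["sc-status"])
    # selection_servlet: POST to the import servlet with the PoC parameters;
    # the rule keeps 401 alongside 200, so do not tune 401s away as noise.
    servlet = (
        e["cs-method"].upper() == "POST"
        and "/service/extension/backup/mboximport?" in uri
        and all(p in uri for p in ("account-name", "ow", "no-switch", "append"))
        and status in ("401", "200")
    )
    # selection_shell: a JSP fetched from under the admin console path
    shell = "/zimbraadmin/" in uri and uri.endswith(".jsp") and "200" in status
    return servlet or shell


def run_samples():
    return [zimbra_mboximport(normalise(e)) for e in parse_w3c(SAMPLE_LOG)]


if __name__ == "__main__":
    for ev, hit in zip(parse_w3c(SAMPLE_LOG), run_samples()):
        print("ALERT " if hit else "      ", ev["cs-method"], ev["cs-uri-stem"], ev["sc-status"])
```

The fourth line is the caveat: `selection_shell` ends with `endswith '.jsp'`, so a webshell called with parameters in the URL (`update.jsp?cmd=id`) does not match once the query string is part of the field, while `selection_servlet` needs that query string to see the four parameters. Map the field deliberately, or evaluate the two selections against different source fields, before trusting either half of the rule.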
level: medium · quality: Moderate · alert volume: High FP
Zip A Folder With PowerShell For Staging In Temp - PowerShell Module
Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
status: test · author: Nasreddine Bencherchali (Nextron Systems), frack113 · ATT&CK: sub-technique · id: daf7eb81-35fd-410d-9d7a-657837e602bb
carbon_black query
ContextInfo:Compress\-Archive\ \-Path*\-DestinationPath\ $env\:TEMP* OR ContextInfo:Compress\-Archive\ \-Path*\-DestinationPath*\\AppData\\Local\\Temp\\* OR ContextInfo:Compress\-Archive\ \-Path*\-DestinationPath*\:\\Windows\\Temp\\*
view Sigma YAML
title: Zip A Folder With PowerShell For Staging In Temp - PowerShell Module
id: daf7eb81-35fd-410d-9d7a-657837e602bb # PowerShell Module
related:
    - id: 71ff406e-b633-4989-96ec-bc49d825a412 # PowerShell Classic
      type: similar
    - id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9 # PowerShell Script
      type: similar
    - id: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98 # Process Creation
      type: similar
status: test
description: |
    Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration.
    An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2021-07-20
modified: 2023-12-18
tags:
    - attack.collection
    - attack.t1074.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection:
        ContextInfo|contains:  # alternatives (OR), as in the sibling rules: one command has one -DestinationPath, so |all could never fire
            - 'Compress-Archive -Path*-DestinationPath $env:TEMP'
            - 'Compress-Archive -Path*-DestinationPath*\AppData\Local\Temp\'
            - 'Compress-Archive -Path*-DestinationPath*:\Windows\Temp\'
    condition: selection
falsepositives:
    - Unknown
level: medium
level: medium · quality: Moderate · alert volume: High FP
Zip A Folder With PowerShell For Staging In Temp - PowerShell
Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
status: test · author: Nasreddine Bencherchali (Nextron Systems), frack113 · ATT&CK: sub-technique · id: 71ff406e-b633-4989-96ec-bc49d825a412
carbon_black query
Data:Compress\-Archive\ \-Path*\-DestinationPath\ $env\:TEMP* OR Data:Compress\-Archive\ \-Path*\-DestinationPath*\\AppData\\Local\\Temp\\* OR Data:Compress\-Archive\ \-Path*\-DestinationPath*\:\\Windows\\Temp\\*
view Sigma YAML
title: Zip A Folder With PowerShell For Staging In Temp - PowerShell
id: 71ff406e-b633-4989-96ec-bc49d825a412 # PowerShell Classic
related:
    - id: daf7eb81-35fd-410d-9d7a-657837e602bb # PowerShell Module
      type: similar
    - id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9 # PowerShell Script
      type: similar
    - id: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98 # Process Creation
      type: similar
status: test
description: |
    Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration.
    An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2021-07-20
modified: 2023-12-18
tags:
    - attack.collection
    - attack.t1074.001
logsource:
    product: windows
    service: powershell-classic
detection:
    selection:
        Data|contains:
            - 'Compress-Archive -Path*-DestinationPath $env:TEMP'
            - 'Compress-Archive -Path*-DestinationPath*\AppData\Local\Temp\'
            - 'Compress-Archive -Path*-DestinationPath*:\Windows\Temp\'
    condition: selection
falsepositives:
    - Unknown
level: medium
level: medium · quality: Moderate · alert volume: High FP
Zip A Folder With PowerShell For Staging In Temp - PowerShell Script
Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
status: test · author: Nasreddine Bencherchali (Nextron Systems), frack113 · ATT&CK: sub-technique · id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
carbon_black query
ScriptBlockText:Compress\-Archive\ \-Path*\-DestinationPath\ $env\:TEMP* OR ScriptBlockText:Compress\-Archive\ \-Path*\-DestinationPath*\\AppData\\Local\\Temp\\* OR ScriptBlockText:Compress\-Archive\ \-Path*\-DestinationPath*\:\\Windows\\Temp\\*
view Sigma YAML
title: Zip A Folder With PowerShell For Staging In Temp - PowerShell Script
id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9 # PowerShell Script
related:
    - id: 71ff406e-b633-4989-96ec-bc49d825a412 # PowerShell Classic
      type: similar
    - id: daf7eb81-35fd-410d-9d7a-657837e602bb # PowerShell Module
      type: similar
    - id: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98 # Process Creation
      type: similar
status: test
description: |
    Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration.
    An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2021-07-20
modified: 2023-12-18
tags:
    - attack.collection
    - attack.t1074.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'Compress-Archive -Path*-DestinationPath $env:TEMP'
            - 'Compress-Archive -Path*-DestinationPath*\AppData\Local\Temp\'
            - 'Compress-Archive -Path*-DestinationPath*:\Windows\Temp\'
    condition: selection
falsepositives:
    - Unknown
level: medium
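The three "Zip A Folder With PowerShell For Staging In Temp" rules (module logging, classic logging and script-block logging) share one wildcard pattern set and differ only in the field it is applied to. The Python below is an added example serving all three, not the rules' own code: it implements Sigma `contains` with wildcards via `fnmatch`, applies the patterns to constructed events (made up) for each log source, and includes a `require_all` switch to show that demanding all three destinations in one event, as a `contains|all` would, can never match. The Event ID annotations follow the usual Sigma logsource mapping and are my assumption about your collection setup.

```python
"""Evaluate the three 'Zip A Folder With PowerShell For Staging In Temp' rules
(module, classic and script-block logging) over constructed PowerShell events.
Added example, not the rules' own code; the events are made up."""

from fnmatch import fnmatchcase

# The three sibling rules share one pattern set; '*' is a Sigma wildcard and
# backslashes are literal (fnmatch treats them that way too).
PATTERNS = (
    "Compress-Archive -Path*-DestinationPath $env:TEMP",
    "Compress-Archive -Path*-DestinationPath*\\AppData\\Local\\Temp\\",
    "Compress-Archive -Path*-DestinationPath*:\\Windows\\Temp\\",
)

# Which field each logsource exposes the command text in (assumed Event IDs)
FIELD_BY_SOURCE = {
    "ps_module": "ContextInfo",          # Event ID 4103, rule daf7eb81
    "powershell-classic": "Data",        # Event ID 800,  rule 71ff406e
    "ps_script": "ScriptBlockText",      # Event ID 4104, rule b7a3c9a3
}


def sigma_contains(value, pattern):
    """Sigma 'contains' with wildcards: case-insensitive, pattern anywhere."""
    return fnmatchcase(value.lower(), "*" + pattern.lower() + "*")


def staging_in_temp(event, source, require_all=False):
    """require_all=False is the 'contains' (OR) semantics the sibling rules
    intend. require_all=True is 'contains|all', which can never fire: one
    command has one -DestinationPath, so three different ones never co-occur."""
    text = event.get(FIELD_BY_SOURCE[source], "")
    hits = [sigma_contains(text, p) for p in PATTERNS]
    return all(hits) if require_all else any(hits)


SAMPLES = [  # constructed events, one per logsource plus two edge cases
    ("ps_script", {"ScriptBlockText":
        "Compress-Archive -Path C:\\Users\\bob\\Documents -DestinationPath $env:TEMP\\docs.zip"}),
    ("ps_module", {"ContextInfo":
        "Host Application = powershell.exe -Command Compress-Archive -Path .\\loot "
        "-DestinationPath C:\\Users\\bob\\AppData\\Local\\Temp\\l.zip"}),
    ("powershell-classic", {"Data":
        "Compress-Archive -Path D:\\share -DestinationPath C:\\Windows\\Temp\\s.zip -Force"}),
    ("ps_script", {"ScriptBlockText":
        "Compress-Archive -Path .\\build -DestinationPath C:\\Releases\\build.zip"}),
    # Blind spot: the pattern fixes the argument order, so -DestinationPath
    # given before -Path is not matched even though the target is $env:TEMP.
    ("ps_script", {"ScriptBlockText":
        "Compress-Archive -DestinationPath $env:TEMP\\a.zip -Path C:\\data"}),
]


def run_samples(require_all=False):
    return [staging_in_temp(ev, src, require_all) for src, ev in SAMPLES]


if __name__ == "__main__":
    for (src, ev), hit in zip(SAMPLES, run_samples()):
        print("ALERT " if hit else "      ", src, list(ev.values())[0][:60])
```

The last sample is the tuning point for all three rules: the wildcard sits between `-Path` and `-DestinationPath`, so reversed parameter order, positional parameters, or `-Destination` abbreviation all slip past. If you need that coverage, split the match into two independent `contains` tests (the cmdlet name, and the temp-directory destination) rather than one ordered wildcard string, accepting the higher alert volume the page already flags for these rules.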