Tool
EDR / XDR
VMware Carbon Black
1,440 rules · Sigma detections in VMware Carbon Black syntax
The same Sigma detection corpus, machine-rendered into VMware Carbon Black query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 3,646 rules (.zip, 1.2 MB)
Every VMware Carbon Black query in this view, packaged to deploy.
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance12
Resource Development10
Initial Access10
Execution30
Persistence42
Privilege Escalation20
Stealth79
Defense Impairment32
Credential Access35
Discovery33
Lateral Movement16
Collection20
Command and Control24
Exfiltration10
Impact18
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
◈
Detection rules
50 shown of 1,440
medium
Strong
Medium FP
DNS Query To Remote Access Software Domain From Non-Browser App
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
view Sigma YAML
title: DNS Query To Remote Access Software Domain From Non-Browser App
id: 4d07b1f4-cb00-4470-b9f8-b0191d48ff52
related:
- id: 71ba22cb-8a01-42e2-a6dd-5bf9b547498f
type: obsolete
- id: 7c4cf8e0-1362-48b2-a512-b606d2065d7d
type: obsolete
- id: ed785237-70fa-46f3-83b6-d264d1dc6eb4
type: obsolete
status: test
description: |
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution
- https://redcanary.com/blog/misbehaving-rats/
- https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
- https://blog.sekoia.io/scattered-spider-laying-new-eggs/
- https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist#disable-quick-assist-within-your-organization
author: frack113, Connor Martin
date: 2022-07-11
modified: 2024-12-17
tags:
- attack.command-and-control
- attack.t1219.002
logsource:
product: windows
category: dns_query
detection:
selection_generic:
QueryName|endswith:
- 'agent.jumpcloud.com'
- 'agentreporting.atera.com'
- 'ammyy.com'
- 'api.parsec.app'
- 'api.playanext.com'
- 'api.splashtop.com'
- 'app.atera.com'
- 'assist.zoho.com'
- 'authentication.logmeininc.com'
- 'beyondtrustcloud.com'
- 'cdn.kaseya.net'
- 'client.teamviewer.com'
- 'comserver.corporate.beanywhere.com'
- 'control.connectwise.com'
- 'downloads.zohocdn.com'
- 'dwservice.net'
- 'express.gotoassist.com'
- 'getgo.com'
- 'getscreen.me' # https://x.com/malmoeb/status/1868757130624614860?s=12&t=C0_T_re0wRP_NfKa27Xw9w
- 'integratedchat.teamviewer.com'
- 'join.zoho.com'
- 'kickstart.jumpcloud.com'
- 'license.bomgar.com'
- 'logmein-gateway.com'
- 'logmein.com'
- 'logmeincdn.http.internapcdn.net'
- 'n-able.com'
- 'net.anydesk.com'
- 'netsupportsoftware.com' # For NetSupport Manager RAT
- 'parsecusercontent.com'
- 'pubsub.atera.com'
- 'relay.kaseya.net'
- 'relay.screenconnect.com'
- 'relay.splashtop.com'
- 'remoteassistance.support.services.microsoft.com' # Quick Assist Application
- 'remotedesktop-pa.googleapis.com'
- 'remoteutilities.com' # Usage of Remote Utilities RAT
- 'secure.logmeinrescue.com'
- 'services.vnc.com'
- 'static.remotepc.com'
- 'swi-rc.com'
- 'swi-tc.com'
- 'tailscale.com' # Scattered Spider threat group used this RMM tool
- 'telemetry.servers.qetqo.com'
- 'tmate.io'
- 'twingate.com' # Scattered Spider threat group used this RMM tool
- 'zohoassist.com'
selection_rustdesk: # https://twitter.com/malmoeb/status/1668504345132822531?s=20 and https://www.adamsdesk.com/posts/rustdesk-not-connecting/ mention this pattern
QueryName|endswith: '.rustdesk.com'
QueryName|startswith: 'rs-'
# Exclude browsers for legitimate visits of the domains mentioned above
# Add missing browsers you use and exclude the ones you don't
filter_optional_chrome:
Image:
- 'C:\Program Files\Google\Chrome\Application\chrome.exe'
- 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
filter_optional_firefox:
Image:
- 'C:\Program Files\Mozilla Firefox\firefox.exe'
- 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
filter_optional_ie:
Image:
- 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
- 'C:\Program Files\Internet Explorer\iexplore.exe'
filter_optional_edge_1:
- Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
- Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
- Image:
- 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
- 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
filter_optional_edge_2:
Image|startswith:
- 'C:\Program Files (x86)\Microsoft\EdgeCore\'
- 'C:\Program Files\Microsoft\EdgeCore\'
Image|endswith:
- '\msedge.exe'
- '\msedgewebview2.exe'
filter_optional_safari:
Image|endswith: '\safari.exe'
filter_optional_defender:
Image|endswith:
- '\MsMpEng.exe' # Microsoft Defender executable
- '\MsSense.exe' # Windows Defender Advanced Threat Protection Service Executable
filter_optional_brave:
Image|endswith: '\brave.exe'
Image|startswith: 'C:\Program Files\BraveSoftware\'
filter_optional_maxthon:
Image|contains: '\AppData\Local\Maxthon\'
Image|endswith: '\maxthon.exe'
filter_optional_opera:
Image|contains: '\AppData\Local\Programs\Opera\'
Image|endswith: '\opera.exe'
filter_optional_seamonkey:
Image|startswith:
- 'C:\Program Files\SeaMonkey\'
- 'C:\Program Files (x86)\SeaMonkey\'
Image|endswith: '\seamonkey.exe'
filter_optional_vivaldi:
Image|contains: '\AppData\Local\Vivaldi\'
Image|endswith: '\vivaldi.exe'
filter_optional_whale:
Image|startswith:
- 'C:\Program Files\Naver\Naver Whale\'
- 'C:\Program Files (x86)\Naver\Naver Whale\'
Image|endswith: '\whale.exe'
filter_optional_tor:
Image|contains: '\Tor Browser\'
filter_optional_whaterfox:
Image|startswith:
- 'C:\Program Files\Waterfox\'
- 'C:\Program Files (x86)\Waterfox\'
Image|endswith: '\Waterfox.exe'
filter_optional_midori:
Image|contains: '\AppData\Local\Programs\midori-ng\'
Image|endswith: '\Midori Next Generation.exe'
filter_optional_slimbrowser:
Image|startswith:
- 'C:\Program Files\SlimBrowser\'
- 'C:\Program Files (x86)\SlimBrowser\'
Image|endswith: '\slimbrowser.exe'
filter_optional_flock:
Image|contains: '\AppData\Local\Flock\'
Image|endswith: '\Flock.exe'
filter_optional_phoebe:
Image|contains: '\AppData\Local\Phoebe\'
Image|endswith: '\Phoebe.exe'
filter_optional_falkon:
Image|startswith:
- 'C:\Program Files\Falkon\'
- 'C:\Program Files (x86)\Falkon\'
Image|endswith: '\falkon.exe'
filter_optional_avant:
Image|startswith:
- 'C:\Program Files (x86)\Avant Browser\'
- 'C:\Program Files\Avant Browser\'
Image|endswith: '\avant.exe'
condition: 1 of selection_* and not 1 of filter_optional_*
falsepositives:
- Likely with other browser software. Apply additional filters for any other browsers you might use.
level: medium
Convert to SIEM query
medium
Moderate
High FP
DNS Query To Visual Studio Code Tunnels Domain
Detects DNS query requests to Visual Studio Code tunnel domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
view Sigma YAML
title: DNS Query To Visual Studio Code Tunnels Domain
id: b3e6418f-7c7a-4fad-993a-93b65027a9f1
related:
- id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4 # Net Connection DevTunnels
type: similar
- id: 4b657234-038e-4ad5-997c-4be42340bce4 # Net Connection VsCode
type: similar
- id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b # DNS DevTunnels
type: similar
status: test
description: |
Detects DNS query requests to Visual Studio Code tunnel domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
references:
- https://ipfyx.fr/post/visual-studio-code-tunnel/
- https://badoption.eu/blog/2023/01/31/code_c2.html
- https://cydefops.com/vscode-data-exfiltration
author: citron_ninja
date: 2023-10-25
modified: 2023-11-20
tags:
- attack.command-and-control
- attack.t1071.001
logsource:
product: windows
category: dns_query
detection:
selection:
QueryName|endswith: '.tunnels.api.visualstudio.com'
condition: selection
falsepositives:
- Legitimate use of Visual Studio Code tunnel will also trigger this.
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
DNS TOR Proxies
Identifies IPs performing DNS lookups associated with common Tor proxies.
view Sigma YAML
title: DNS TOR Proxies
id: a8322756-015c-42e7-afb1-436e85ed3ff5
related:
- id: b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544
type: similar
- id: 8384bd26-bde6-4da9-8e5d-4174a7a47ca2
type: similar
status: test
description: Identifies IPs performing DNS lookups associated with common Tor proxies.
references:
- https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/ASimDNS/imDNS_TorProxies.yaml
author: Saw Winn Naung , Azure-Sentinel
date: 2021-08-15
modified: 2025-09-12
tags:
- attack.exfiltration
- attack.t1048
logsource:
service: dns
product: zeek
detection:
selection:
query|endswith:
- '.hiddenservice.net'
- '.onion.ca'
- '.onion.cab'
- '.onion.casa'
- '.onion.city'
- '.onion.direct'
- '.onion.dog'
- '.onion.glass'
- '.onion.gq'
- '.onion.guide'
- '.onion.in.net'
- '.onion.ink'
- '.onion.it'
- '.onion.link'
- '.onion.lt'
- '.onion.lu'
- '.onion.ly'
- '.onion.mn'
- '.onion.network'
- '.onion.nu'
- '.onion.pet'
- '.onion.plus'
- '.onion.pt'
- '.onion.pw'
- '.onion.rip'
- '.onion.sh'
- '.onion.si'
- '.onion.to'
- '.onion.top'
- '.onion.ws'
- '.onion'
- '.s1.tor-gateways.de'
- '.s2.tor-gateways.de'
- '.s3.tor-gateways.de'
- '.s4.tor-gateways.de'
- '.s5.tor-gateways.de'
- '.t2w.pw'
- '.tor2web.ae.org'
- '.tor2web.blutmagie.de'
- '.tor2web.com'
- '.tor2web.fi'
- '.tor2web.io'
- '.tor2web.org'
- '.tor2web.xyz'
- '.torlink.co'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
DNS-over-HTTPS Enabled by Registry
Detects when a user enables DNS-over-HTTPS.
This can be used to hide internet activity or be used to hide the process of exfiltrating data.
With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.
view Sigma YAML
title: DNS-over-HTTPS Enabled by Registry
id: 04b45a8a-d11d-49e4-9acc-4a1b524407a5
status: test
description: |
Detects when a user enables DNS-over-HTTPS.
This can be used to hide internet activity or be used to hide the process of exfiltrating data.
With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.
references:
- https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html
- https://github.com/elastic/detection-rules/issues/1371
- https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode
- https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS
author: Austin Songer
date: 2021-07-22
modified: 2023-08-17
tags:
- attack.persistence
- attack.stealth
- attack.defense-impairment
- attack.t1140
- attack.t1112
logsource:
product: windows
category: registry_set
detection:
selection_edge:
TargetObject|endswith: '\SOFTWARE\Policies\Microsoft\Edge\BuiltInDnsClientEnabled'
Details: DWORD (0x00000001)
selection_chrome:
TargetObject|endswith: '\SOFTWARE\Google\Chrome\DnsOverHttpsMode'
Details: 'secure'
selection_firefox:
TargetObject|endswith: '\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS\Enabled'
Details: DWORD (0x00000001)
condition: 1 of selection_*
falsepositives:
- Unlikely
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
DPAPI Domain Master Key Backup Attempt
Detects anyone attempting a backup for the DPAPI Master Key. This events gets generated at the source and not the Domain Controller.
view Sigma YAML
title: DPAPI Domain Master Key Backup Attempt
id: 39a94fd1-8c9a-4ff6-bf22-c058762f8014
status: test
description: Detects anyone attempting a backup for the DPAPI Master Key. This events gets generated at the source and not the Domain Controller.
references:
- https://threathunterplaybook.com/hunts/windows/190620-DomainDPAPIBackupKeyExtraction/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-08-10
modified: 2023-03-15
tags:
- attack.credential-access
- attack.t1003.004
logsource:
product: windows
service: security
detection:
selection:
EventID: 4692
condition: selection
falsepositives:
- If a computer is a member of a domain, DPAPI has a backup mechanism to allow unprotection of the data. Which will trigger this event.
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
DarkGate - Autoit3.EXE File Creation By Uncommon Process
Detects the usage of curl.exe, KeyScramblerLogon, or other non-standard/suspicious processes used to create Autoit3.exe.
This activity has been associated with DarkGate malware, which uses Autoit3.exe to execute shellcode that performs
process injection and connects to the DarkGate command-and-control server. Curl, KeyScramblerLogon, and these other
processes consitute non-standard and suspicious ways to retrieve the Autoit3 executable.
view Sigma YAML
title: DarkGate - Autoit3.EXE File Creation By Uncommon Process
id: 1a433e1d-03d2-47a6-8063-ece992cf4e73
status: test
description: |
Detects the usage of curl.exe, KeyScramblerLogon, or other non-standard/suspicious processes used to create Autoit3.exe.
This activity has been associated with DarkGate malware, which uses Autoit3.exe to execute shellcode that performs
process injection and connects to the DarkGate command-and-control server. Curl, KeyScramblerLogon, and these other
processes consitute non-standard and suspicious ways to retrieve the Autoit3 executable.
references:
- https://github.security.telekom.com/2023/08/darkgate-loader.html
- https://www.kroll.com/en/insights/publications/cyber/microsoft-teams-used-as-initial-access-for-darkgate-malware
- https://github.com/pr0xylife/DarkGate/tree/main
author: Micah Babinski
date: 2023-10-15
tags:
- attack.command-and-control
- attack.execution
- attack.t1105
- attack.t1059
- detection.emerging-threats
logsource:
category: file_event
product: windows
detection:
selection:
Image|endswith:
- '\Autoit3.exe'
- '\curl.exe'
- '\ExtExport.exe'
- '\KeyScramblerLogon.exe'
- '\wmprph.exe'
TargetFilename|endswith: '\Autoit3.exe'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
DarkGate - Drop DarkGate Loader In C:\Temp Directory
Detects attackers attempting to save, decrypt and execute the DarkGate Loader in C:\temp folder.
view Sigma YAML
title: DarkGate - Drop DarkGate Loader In C:\Temp Directory
id: df49c691-8026-48dd-94d3-4ba6a79102a8
status: test
description: Detects attackers attempting to save, decrypt and execute the DarkGate Loader in C:\temp folder.
references:
- https://www.bleepingcomputer.com/news/security/hackers-exploit-windows-smartscreen-flaw-to-drop-darkgate-malware/
- https://www.trendmicro.com/en_us/research/24/c/cve-2024-21412--darkgate-operators-exploit-microsoft-windows-sma.html
author: Tomasz Dyduch, Josh Nickels
date: 2024-05-31
tags:
- attack.execution
- attack.t1059
- detection.emerging-threats
logsource:
category: file_event
product: windows
detection:
selection_filename_suffix:
TargetFilename|contains: ':\temp\'
TargetFilename|endswith:
- '.au3'
- '\autoit3.exe'
selection_image_suffix:
Image|contains: ':\temp\'
Image|endswith:
- '.au3'
- '\autoit3.exe'
condition: 1 of selection_*
falsepositives:
- Unlikely legitimate usage of AutoIT in temp folders.
level: medium
Convert to SIEM query
medium
Moderate
Low FP
Data Exfiltration to Unsanctioned Apps
Detects when a Microsoft Cloud App Security reported when a user or IP address uses an app that is not sanctioned to perform an activity that resembles an attempt to exfiltrate information from your organization.
view Sigma YAML
title: Data Exfiltration to Unsanctioned Apps
id: 2b669496-d215-47d8-bd9a-f4a45bf07cda
status: test
description: Detects when a Microsoft Cloud App Security reported when a user or IP address uses an app that is not sanctioned to perform an activity that resembles an attempt to exfiltrate information from your organization.
references:
- https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
- https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
author: Austin Songer @austinsonger
date: 2021-08-23
modified: 2022-10-09
tags:
- attack.exfiltration
- attack.t1537
logsource:
service: threat_management
product: m365
detection:
selection:
eventSource: SecurityComplianceCenter
eventName: 'Data exfiltration to unsanctioned apps'
status: success
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Data Exfiltration with Wget
Detects attempts to post the file with the usage of wget utility.
The adversary can bypass the permission restriction with the misconfigured sudo permission for wget utility which could allow them to read files like /etc/shadow.
view Sigma YAML
title: Data Exfiltration with Wget
id: cb39d16b-b3b6-4a7a-8222-1cf24b686ffc
status: test
description: |
Detects attempts to post the file with the usage of wget utility.
The adversary can bypass the permission restriction with the misconfigured sudo permission for wget utility which could allow them to read files like /etc/shadow.
references:
- https://linux.die.net/man/1/wget
- https://gtfobins.github.io/gtfobins/wget/
author: 'Pawel Mazur'
date: 2021-11-18
modified: 2022-12-25
tags:
- attack.exfiltration
- attack.t1048.003
logsource:
product: linux
service: auditd
detection:
selection:
type: EXECVE
a0: wget
a1|startswith: '--post-file='
condition: selection
falsepositives:
- Legitimate usage of wget utility to post a file
level: medium
Convert to SIEM query
medium
Strong
High FP
Data Export From MSSQL Table Via BCP.EXE
Detects the execution of the BCP utility in order to export data from the database.
Attackers were seen saving their malware to a database column or table and then later extracting it via "bcp.exe" into a file.
view Sigma YAML
title: Data Export From MSSQL Table Via BCP.EXE
id: c615d676-f655-46b9-b913-78729021e5d7
status: test
description: |
Detects the execution of the BCP utility in order to export data from the database.
Attackers were seen saving their malware to a database column or table and then later extracting it via "bcp.exe" into a file.
references:
- https://docs.microsoft.com/en-us/sql/tools/bcp-utility
- https://asec.ahnlab.com/en/61000/
- https://asec.ahnlab.com/en/78944/
- https://www.huntress.com/blog/attacking-mssql-servers
- https://www.huntress.com/blog/attacking-mssql-servers-pt-ii
- https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/
- https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/
author: Omar Khaled (@beacon_exe), MahirAli Khan (in/mahiralikhan), Nasreddine Bencherchali (Nextron Systems)
date: 2024-08-20
tags:
- attack.execution
- attack.exfiltration
- attack.t1048
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\bcp.exe'
- OriginalFileName: 'BCP.exe'
selection_cli:
CommandLine|contains:
- ' out ' # Export data from a table
- ' queryout ' # Export data based on a SQL query
condition: all of selection_*
falsepositives:
- Legitimate data export operations.
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Dbghelp/Dbgcore DLL Loaded By Uncommon/Suspicious Process
Detects the load of dbghelp/dbgcore DLL by a potentially uncommon or potentially suspicious process.
The Dbghelp and Dbgcore DLLs export functions that allow for the dump of process memory. Tools like ProcessHacker, Task Manager and some attacker tradecraft use the MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.
As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.
Keep in mind that many legitimate Windows processes and services might load the aforementioned DLLs for debugging or other related purposes. Investigate the CommandLine and the Image location of the process loading the DLL.
view Sigma YAML
title: Dbghelp/Dbgcore DLL Loaded By Uncommon/Suspicious Process
id: 0e277796-5f23-4e49-a490-483131d4f6e1
related:
- id: bdc64095-d59a-42a2-8588-71fd9c9d9abc # Unsigned Loading
type: similar
status: test
description: |
Detects the load of dbghelp/dbgcore DLL by a potentially uncommon or potentially suspicious process.
The Dbghelp and Dbgcore DLLs export functions that allow for the dump of process memory. Tools like ProcessHacker, Task Manager and some attacker tradecraft use the MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.
As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.
Keep in mind that many legitimate Windows processes and services might load the aforementioned DLLs for debugging or other related purposes. Investigate the CommandLine and the Image location of the process loading the DLL.
references:
- https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump
- https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html
- https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
author: Perez Diego (@darkquassar), oscd.community, Ecco
date: 2019-10-27
modified: 2024-03-01
tags:
- attack.credential-access
- attack.t1003.001
- detection.threat-hunting
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith:
- '\dbghelp.dll'
- '\dbgcore.dll'
Image|endswith:
- '\bash.exe'
- '\cmd.exe'
- '\cscript.exe'
- '\dnx.exe'
- '\excel.exe'
- '\monitoringhost.exe'
- '\msbuild.exe'
- '\mshta.exe'
- '\outlook.exe'
- '\powerpnt.exe'
- '\regsvcs.exe'
- '\rundll32.exe'
- '\sc.exe'
- '\scriptrunner.exe'
- '\winword.exe'
- '\wmic.exe'
- '\wscript.exe'
# - '\powershell.exe' # Note: Triggered by installing common software
# - '\regsvr32.exe' # Note: triggered by installing common software
# - '\schtasks.exe' # Note: triggered by installing software
# - '\svchost.exe' # Note: triggered by some services
filter_main_tiworker:
# Note: This filter requires "CommandLine" field enrichment
CommandLine|startswith: 'C:\WINDOWS\WinSxS\'
CommandLine|endswith: '\TiWorker.exe -Embedding'
filter_main_generic:
# Note: This filter requires "CommandLine" field enrichment
Image|endswith: '\svchost.exe'
CommandLine|endswith:
- '-k LocalServiceNetworkRestricted'
- '-k WerSvcGroup'
filter_main_rundll32:
# Note: This filter requires "CommandLine" field enrichment
Image|endswith: '\rundll32.exe'
CommandLine|contains:
- '/d srrstr.dll,ExecuteScheduledSPPCreation'
- 'aepdu.dll,AePduRunUpdate'
- 'shell32.dll,OpenAs_RunDL'
- 'Windows.Storage.ApplicationData.dll,CleanupTemporaryState'
condition: selection and not 1 of filter_main_*
falsepositives:
- Debugging scripts might leverage this DLL in order to dump process memory for further analysis.
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Default Credentials Usage
Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.
Sigma detects default credentials usage. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management.
view Sigma YAML
title: Default Credentials Usage
id: 1a395cbc-a84a-463a-9086-ed8a70e573c7
status: experimental
description: |
Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.
Sigma detects default credentials usage. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management.
references:
- https://www.cisecurity.org/controls/cis-controls-list/
- https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
- https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
- https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists
author: Alexandr Yampolskyi, SOC Prime
date: 2019-03-26
modified: 2025-11-01
tags:
- attack.initial-access
# - CSC4
# - CSC4.2
# - NIST CSF 1.1 PR.AC-4
# - NIST CSF 1.1 PR.AT-2
# - NIST CSF 1.1 PR.MA-2
# - NIST CSF 1.1 PR.PT-3
# - ISO 27002-2013 A.9.1.1
# - ISO 27002-2013 A.9.2.2
# - ISO 27002-2013 A.9.2.3
# - ISO 27002-2013 A.9.2.4
# - ISO 27002-2013 A.9.2.5
# - ISO 27002-2013 A.9.2.6
# - ISO 27002-2013 A.9.3.1
# - ISO 27002-2013 A.9.4.1
# - ISO 27002-2013 A.9.4.2
# - ISO 27002-2013 A.9.4.3
# - ISO 27002-2013 A.9.4.4
# - PCI DSS 3.2 2.1
# - PCI DSS 3.2 7.1
# - PCI DSS 3.2 7.2
# - PCI DSS 3.2 7.3
# - PCI DSS 3.2 8.1
# - PCI DSS 3.2 8.2
# - PCI DSS 3.2 8.3
# - PCI DSS 3.2 8.7
logsource:
product: qualys
detection:
selection:
host.scan.vuln:
- 10693
- 11507
- 11633
- 11804
- 11821
- 11847
- 11867
- 11931
- 11935
- 11950
- 12541
- 12558
- 12559
- 12560
- 12562
- 12563
- 12565
- 12587
- 12590
- 12599
- 12702
- 12705
- 12706
- 12907
- 12928
- 12929
- 13053
- 13178
- 13200
- 13218
- 13241
- 13253
- 13274
- 13296
- 13301
- 13327
- 13373
- 13374
- 13409
- 13530
- 13532
- 20065
- 20073
- 20081
- 27202
- 27358
- 38702
- 38719
- 42045
- 42417
- 43029
- 43220
- 43221
- 43222
- 43223
- 43225
- 43246
- 43431
- 43484
- 86857
- 87098
- 87106
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Defrag Deactivation
Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group
view Sigma YAML
title: Defrag Deactivation
id: 958d81aa-8566-4cea-a565-59ccd4df27b0
status: test
description: Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group
references:
- https://securelist.com/apt-slingshot/84312/
author: Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1)
date: 2019-03-04
modified: 2022-10-09
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1053.005
- attack.s0111
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\schtasks.exe'
CommandLine|contains:
- '/delete'
- '/change'
CommandLine|contains|all:
- '/TN'
- '\Microsoft\Windows\Defrag\ScheduledDefrag'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Low FP
Defrag Deactivation - Security
Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group
view Sigma YAML
title: Defrag Deactivation - Security
id: c5a178bf-9cfb-4340-b584-e4df39b6a3e7
related:
- id: 958d81aa-8566-4cea-a565-59ccd4df27b0
type: derived
status: test
description: Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group
references:
- https://securelist.com/apt-slingshot/84312/
author: Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1)
date: 2019-03-04
modified: 2022-11-27
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1053
- attack.s0111
- detection.emerging-threats
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'
detection:
selection:
EventID: 4701
TaskName: '\Microsoft\Windows\Defrag\ScheduledDefrag'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Delete Defender Scan ShellEx Context Menu Registry Key
Detects deletion of registry key that adds 'Scan with Defender' option in context menu. Attackers may use this to make it harder for users to scan files that are suspicious.
view Sigma YAML
title: Delete Defender Scan ShellEx Context Menu Registry Key
id: 72a0369a-2576-4aaf-bfc9-6bb24a574ac6
related:
- id: b9e8c7d6-a5f4-4e3d-8b1a-9f0c8d7e6a5b
type: similar
status: experimental
description: Detects deletion of registry key that adds 'Scan with Defender' option in context menu. Attackers may use this to make it harder for users to scan files that are suspicious.
references:
- https://research.splunk.com/endpoint/395ed5fe-ad13-4366-9405-a228427bdd91/
- https://winaero.com/how-to-delete-scan-with-windows-defender-from-context-menu-in-windows-10/
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
- https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/
author: 'Matt Anderson (Huntress)'
date: 2025-07-11
modified: 2025-10-07
tags:
- attack.defense-impairment
logsource:
category: registry_delete
product: windows
detection:
selection:
TargetObject|contains: 'shellex\ContextMenuHandlers\EPP'
filter_main_defender:
Image|startswith:
- 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
- 'C:\Program Files\Windows Defender\'
- 'C:\Program Files (x86)\Windows Defender\'
Image|endswith: '\MsMpEng.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unlikely as this weakens defenses and normally would not be done even if using another AV.
level: medium
Convert to SIEM query
medium
Moderate
High FP
Deleted Data Overwritten Via Cipher.EXE
Detects usage of the "cipher" built-in utility in order to overwrite deleted data from disk.
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives
view Sigma YAML
title: Deleted Data Overwritten Via Cipher.EXE
id: 4b046706-5789-4673-b111-66f25fe99534
status: test
description: |
Detects usage of the "cipher" built-in utility in order to overwrite deleted data from disk.
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md#atomic-test-3---overwrite-deleted-data-on-c-drive
author: frack113
date: 2021-12-26
modified: 2023-02-21
tags:
- attack.impact
- attack.t1485
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName: 'CIPHER.EXE'
- Image|endswith: '\cipher.exe'
selection_cli:
CommandLine|contains: ' /w:'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data/info.yml
simulation:
- type: atomic-red-team
name: Overwrite deleted data on C drive
technique: T1485
atomic_guid: 321fd25e-0007-417f-adec-33232252be19
Convert to SIEM query
medium
Moderate
Medium FP
Denied Access To Remote Desktop
This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop.
Often, this event can be generated by attackers when searching for available windows servers in the network.
view Sigma YAML
title: Denied Access To Remote Desktop
id: 8e5c03fa-b7f0-11ea-b242-07e0576828d9
status: test
description: |
This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop.
Often, this event can be generated by attackers when searching for available windows servers in the network.
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4825
author: Pushkarev Dmitry
date: 2020-06-27
modified: 2021-11-27
tags:
- attack.lateral-movement
- attack.t1021.001
logsource:
product: windows
service: security
detection:
selection:
EventID: 4825
condition: selection
falsepositives:
- Valid user was not added to RDP group
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Deployment AppX Package Was Blocked By AppLocker
Detects an appx package deployment that was blocked by AppLocker policy.
view Sigma YAML
title: Deployment AppX Package Was Blocked By AppLocker
id: 6ae53108-c3a0-4bee-8f45-c7591a2c337f
status: test
description: Detects an appx package deployment that was blocked by AppLocker policy.
references:
- https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
- https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv
author: frack113
date: 2023-01-11
tags:
- attack.stealth
logsource:
product: windows
service: appxdeployment-server
detection:
selection:
EventID: 412
condition: selection
falsepositives:
- Unlikely, since this event notifies about blocked application deployment. Tune your applocker rules to avoid blocking legitimate applications.
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Deployment Of The AppX Package Was Blocked By The Policy
Detects an appx package deployment that was blocked by the local computer policy.
The following events indicate that an AppX package deployment was blocked by a policy:
- Event ID 441: The package deployment operation is blocked by the "Allow deployment operations in special profiles" policy
- Event ID 442: Deployments to non-system volumes are blocked by the "Disable deployment of Windows Store apps to non-system volumes" policy."
- Event ID 453: Package blocked by a platform policy.
- Event ID 454: Package blocked by a platform policy.
view Sigma YAML
title: Deployment Of The AppX Package Was Blocked By The Policy
id: e021bbb5-407f-41f5-9dc9-1864c45a7a51
status: test
description: |
Detects an appx package deployment that was blocked by the local computer policy.
The following events indicate that an AppX package deployment was blocked by a policy:
- Event ID 441: The package deployment operation is blocked by the "Allow deployment operations in special profiles" policy
- Event ID 442: Deployments to non-system volumes are blocked by the "Disable deployment of Windows Store apps to non-system volumes" policy."
- Event ID 453: Package blocked by a platform policy.
- Event ID 454: Package blocked by a platform policy.
references:
- https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
- https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv
author: frack113
date: 2023-01-11
tags:
- attack.defense-impairment
logsource:
product: windows
service: appxdeployment-server
detection:
selection:
EventID:
- 441 # The package deployment operation is blocked by the "Allow deployment operations in special profiles" policy
- 442 # Deployments to non-system volumes are blocked by the "Disable deployment of Windows Store apps to non-system volumes" policy."
- 453 # Package blocked by a platform policy
- 454 # Package blocked by a platform policy
condition: selection
falsepositives:
- Unlikely, since this event notifies about blocked application deployment. Tune your applocker rules to avoid blocking legitimate applications.
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Desktop.INI Created by Uncommon Process
Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
view Sigma YAML
title: Desktop.INI Created by Uncommon Process
id: 81315b50-6b60-4d8f-9928-3466e1022515
status: test
description: Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
references:
- https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/
author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)
date: 2020-03-19
modified: 2025-12-09
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.009
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith: '\desktop.ini'
filter_main_generic:
Image|startswith:
- 'C:\Windows\'
- 'C:\Program Files\'
- 'C:\Program Files (x86)\'
filter_main_upgrade:
TargetFilename|startswith: 'C:\$WINDOWS.~BT\NewOS\'
filter_optional_jetbrains:
Image|startswith: 'C:\Users\'
Image|endswith: '\AppData\Local\JetBrains\Toolbox\bin\7z.exe'
TargetFilename|contains: '\JetBrains\apps\'
filter_optional_onedrive:
Image|startswith: 'C:\Users\'
Image|contains: '\AppData\Local\Microsoft\OneDrive\'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Operations performed through Windows SCCM or equivalent
- Read only access list authority
level: medium
Convert to SIEM query
medium
Moderate
High FP
Detected Windows Software Discovery
Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
view Sigma YAML
title: Detected Windows Software Discovery
id: e13f668e-7f95-443d-98d2-1816a7648a7b
related:
- id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282
type: derived
status: test
description: Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md
- https://github.com/harleyQu1nn/AggressorScripts # AVQuery.cna
author: Nikita Nazarov, oscd.community
date: 2020-10-16
modified: 2022-10-09
tags:
- attack.discovery
- attack.t1518
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\reg.exe' # Example: reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersion
CommandLine|contains|all:
- 'query'
- '\software\'
- '/v'
- 'svcversion'
condition: selection
falsepositives:
- Legitimate administration activities
level: medium
Convert to SIEM query
medium
Moderate
High FP
Detected Windows Software Discovery - PowerShell
Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
view Sigma YAML
title: Detected Windows Software Discovery - PowerShell
id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282
status: test
description: Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md
- https://github.com/harleyQu1nn/AggressorScripts # AVQuery.cna
author: Nikita Nazarov, oscd.community
date: 2020-10-16
modified: 2022-12-02
tags:
- attack.discovery
- attack.t1518
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
# Example: Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize
- 'get-itemProperty'
- '\software\'
- 'select-object'
- 'format-table'
condition: selection
falsepositives:
- Legitimate administration activities
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Detection of PowerShell Execution via Sqlps.exe
This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server.
Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
view Sigma YAML
title: Detection of PowerShell Execution via Sqlps.exe
id: 0152550d-3a26-4efd-9f0e-54a0b28ae2f3
status: test
description: |
This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server.
Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
references:
- https://learn.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/
- https://twitter.com/bryon_/status/975835709587075072
author: 'Agro (@agro_sev) oscd.community'
date: 2020-10-10
modified: 2022-12-09
tags:
- attack.execution
- attack.stealth
- attack.t1059.001
- attack.t1127
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\sqlps.exe'
selection_image:
- Image|endswith: '\sqlps.exe'
- OriginalFileName: 'sqlps.exe'
filter_image:
ParentImage|endswith: '\sqlagent.exe'
condition: selection_parent or (selection_image and not filter_image)
falsepositives:
- Direct PS command execution through SQLPS.exe is uncommon, childprocess sqlps.exe spawned by sqlagent.exe is a legitimate action.
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Device Installation Blocked
Detects an installation of a device that is forbidden by the system policy
view Sigma YAML
title: Device Installation Blocked
id: c9eb55c3-b468-40ab-9089-db2862e42137
status: test
description: Detects an installation of a device that is forbidden by the system policy
references:
- https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6423
author: frack113
date: 2022-10-14
tags:
- attack.initial-access
- attack.t1200
logsource:
service: security
product: windows
detection:
selection:
EventID: 6423
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Low FP
Device Registration or Join Without MFA
Monitor and alert for device registration or join events where MFA was not performed.
view Sigma YAML
title: Device Registration or Join Without MFA
id: 5afa454e-030c-4ab4-9253-a90aa7fcc581
status: test
description: Monitor and alert for device registration or join events where MFA was not performed.
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#device-registrations-and-joins-outside-policy
author: Michael Epping, '@mepples21'
date: 2022-06-28
tags:
- attack.privilege-escalation
- attack.persistence
- attack.initial-access
- attack.stealth
- attack.t1078.004
logsource:
product: azure
service: signinlogs
detection:
selection:
ResourceDisplayName: 'Device Registration Service'
conditionalAccessStatus: 'success'
filter_mfa:
AuthenticationRequirement: 'multiFactorAuthentication'
condition: selection and not filter_mfa
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
DeviceCredentialDeployment Execution
Detects the execution of DeviceCredentialDeployment to hide a process from view.
view Sigma YAML
title: DeviceCredentialDeployment Execution
id: b8b1b304-a60f-4999-9a6e-c547bde03ffd
status: test
description: |
Detects the execution of DeviceCredentialDeployment to hide a process from view.
references:
- https://github.com/LOLBAS-Project/LOLBAS/pull/147
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-19
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\DeviceCredentialDeployment.exe'
condition: selection
falsepositives:
- Unlikely
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Dfsvc.EXE Network Connection To Non-Local IPs
Detects network connections from "dfsvc.exe" used to handled ClickOnce applications to non-local IPs
view Sigma YAML
title: Dfsvc.EXE Network Connection To Non-Local IPs
id: 3c21219b-49b5-4268-bce6-c914ed50f09c
status: test
description: Detects network connections from "dfsvc.exe" used to handled ClickOnce applications to non-local IPs
references:
- https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-12
modified: 2024-03-12
tags:
- attack.execution
- attack.t1203
- detection.threat-hunting
logsource:
category: network_connection
product: windows
detection:
selection:
Image|endswith: '\dfsvc.exe'
Initiated: 'true'
filter_main_local_ip:
DestinationIp|cidr: # Ranges excluded based on https://github.com/SigmaHQ/sigma/blob/0f176092326ab9d1e19384d30224e5f29f760d82/rules/windows/network_connection/net_connection_win_dllhost_net_connections.yml
- '127.0.0.0/8'
- '10.0.0.0/8'
- '169.254.0.0/16' # link-local address
- '172.16.0.0/12'
- '192.168.0.0/16'
- '::1/128' # IPv6 loopback
- 'fe80::/10' # IPv6 link-local addresses
- 'fc00::/7' # IPv6 private addresses
condition: selection and not 1 of filter_main_*
falsepositives:
- False positives are expected from ClickOnce manifests hosted on public IPs and domains. Apply additional filters for the accepted IPs in your environement as necessary
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Direct Autorun Keys Modification
Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.
view Sigma YAML
title: Direct Autorun Keys Modification
id: 24357373-078f-44ed-9ac4-6d334a668a11
status: test
description: Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
- https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2019-10-25
modified: 2026-01-05
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\reg.exe'
- OriginalFileName: 'reg.exe'
selection_cli_add:
CommandLine|contains: 'add' # to avoid intersection with discovery tactic rules
selection_cli_keys:
CommandLine|contains: # need to improve this list, there are plenty of ASEP reg keys
- '\software\Microsoft\Windows\CurrentVersion\Run' # Also covers the strings "RunOnce", "RunOnceEx", "RunServices", "RunServicesOnce"
- '\software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
- '\software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
- '\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit'
- '\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell'
- '\software\Microsoft\Windows NT\CurrentVersion\Windows'
- '\system\CurrentControlSet\Control\SafeBoot\AlternateShell'
condition: all of selection_*
falsepositives:
- Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.
- Legitimate administrator sets up autorun keys for legitimate reasons.
- Discord
level: medium
Convert to SIEM query
medium
Moderate
High FP
DirectorySearcher Powershell Exploitation
Enumerates Active Directory to determine computers that are joined to the domain
view Sigma YAML
title: DirectorySearcher Powershell Exploitation
id: 1f6399cf-2c80-4924-ace1-6fcff3393480
status: test
description: Enumerates Active Directory to determine computers that are joined to the domain
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-15---enumerate-domain-computers-within-active-directory-using-directorysearcher
author: frack113
date: 2022-02-12
tags:
- attack.discovery
- attack.t1018
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'New-Object '
- 'System.DirectoryServices.DirectorySearcher'
- '.PropertiesToLoad.Add'
- '.findall()'
- 'Properties.name'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Disable Administrative Share Creation at Startup
Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system
view Sigma YAML
title: Disable Administrative Share Creation at Startup
id: c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e
status: test
description: Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md#atomic-test-4---disable-administrative-share-creation-at-startup
author: frack113
date: 2022-01-16
modified: 2024-03-25
tags:
- attack.stealth
- attack.t1070.005
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\Services\LanmanServer\Parameters\'
TargetObject|endswith:
- '\AutoShareWks'
- '\AutoShareServer'
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_disable_administrative_share/info.yml
simulation:
- type: atomic-red-team
name: Disable Administrative Share Creation at Startup
technique: T1070.005
atomic_guid: 99c657aa-ebeb-4179-a665-69288fdd12b8
Convert to SIEM query
medium
Moderate
Medium FP
Disable Exploit Guard Network Protection on Windows Defender
Detects disabling Windows Defender Exploit Guard Network Protection
view Sigma YAML
title: Disable Exploit Guard Network Protection on Windows Defender
id: bf9e1387-b040-4393-9851-1598f8ecfae9
status: test
description: Detects disabling Windows Defender Exploit Guard Network Protection
references:
- https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html
author: Austin Songer @austinsonger
date: 2021-08-04
modified: 2023-08-17
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: 'SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection\DisallowExploitProtectionOverride'
Details: 'DWORD (00000001)'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Disable Internal Tools or Feature in Registry
Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)
view Sigma YAML
title: Disable Internal Tools or Feature in Registry
id: e2482f8d-3443-4237-b906-cc145d87a076
status: test
description: Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md
- https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions
- https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
- https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage
- https://www.malwarebytes.com/blog/detections/pum-optional-nodispcpl
- https://bazaar.abuse.ch/sample/7bde840c7e8c36dce4c3bac937bcf39f36a6f118001b406bfbbc25451ce44fb4/
author: frack113, Nasreddine Bencherchali (Nextron Systems), CrimpSec
date: 2022-03-18
modified: 2025-06-04
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
selection_set_1:
TargetObject|endswith:
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisableCMD'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableChangePassword'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskmgr'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL'
- 'SOFTWARE\Policies\Microsoft\Windows\Explorer\DisableNotificationCenter'
- 'SOFTWARE\Policies\Microsoft\Windows\System\DisableCMD'
Details: 'DWORD (0x00000001)'
selection_set_0:
TargetObject|endswith:
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin'
- 'Software\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\ToastEnabled'
- 'SYSTEM\CurrentControlSet\Control\Storage\Write Protection'
- 'SYSTEM\CurrentControlSet\Control\StorageDevicePolicies\WriteProtect'
Details: 'DWORD (0x00000000)'
condition: 1 of selection_set_*
falsepositives:
- Legitimate admin script
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Disable Microsoft Defender Firewall via Registry
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage
view Sigma YAML
title: Disable Microsoft Defender Firewall via Registry
id: 974515da-6cc5-4c95-ae65-f97f9150ec7f
status: test
description: Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-2---disable-microsoft-defender-firewall-via-registry
author: frack113
date: 2022-01-09
modified: 2024-03-25
tags:
- attack.defense-impairment
- attack.t1686.003
logsource:
category: registry_set
product: windows
detection:
selection:
# HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall
# HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall
# HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall
TargetObject|contains: '\Services\SharedAccess\Parameters\FirewallPolicy\'
TargetObject|endswith: '\EnableFirewall'
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_disable_defender_firewall/info.yml
simulation:
- type: atomic-red-team
name: Disable Microsoft Defender Firewall via Registry
technique: T1562.004
atomic_guid: afedc8c4-038c-4d82-b3e5-623a95f8a612
Convert to SIEM query
medium
Strong
Medium FP
Disable Or Stop Services
Detects the usage of utilities such as 'systemctl', 'service'...etc to stop or disable tools and services on Linux systems.
Attackers may stop or disable security tools and services to evade detection, maintain persistence, or disrupt system operations.
view Sigma YAML
title: Disable Or Stop Services
id: de25eeb8-3655-4643-ac3a-b662d3f26b6b
status: test
description: |
Detects the usage of utilities such as 'systemctl', 'service'...etc to stop or disable tools and services on Linux systems.
Attackers may stop or disable security tools and services to evade detection, maintain persistence, or disrupt system operations.
references:
- https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-15
modified: 2025-03-18
tags:
- attack.defense-impairment
- attack.t1685
- attack.impact
- attack.t1489
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith:
- '/service'
- '/systemctl'
- '/chkconfig'
CommandLine|contains:
- ' stop '
- ' disable '
filter_main_legit_snapd:
Image|endswith: '/systemctl'
CommandLine|contains:
- '--no-reload disable snap-snapd-'
- ' stop snap-snapd-'
filter_main_ssh_preinstall:
Image|endswith: '/systemctl'
ParentCommandLine|contains: 'tmp.ci/preinst upgrade'
CommandLine|contains|all:
- ' stop '
- 'ssh.'
filter_main_ubuntu_upgrade:
ParentCommandLine|contains: '/dpkg/info/ubuntu-pro-client.prerm upgrade'
Image|endswith: '/systemctl'
filter_optional_aws_agent:
Image|endswith: '/systemctl'
CommandLine|endswith: 'snap.amazon-ssm-agent.amazon-ssm-agent.service'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate administration activities
- Some false positives are to be expected. Apply additional filters as needed before pushing to production.
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Disable Privacy Settings Experience in Registry
Detects registry modifications that disable Privacy Settings Experience
view Sigma YAML
title: Disable Privacy Settings Experience in Registry
id: 0372e1f9-0fd2-40f7-be1b-a7b2b848fa7b
status: test
description: Detects registry modifications that disable Privacy Settings Experience
references:
- https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1562.001/T1562.001.md
author: frack113
date: 2022-10-02
modified: 2023-08-17
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\SOFTWARE\Policies\Microsoft\Windows\OOBE\DisablePrivacyExperience'
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Legitimate admin script
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Disable Security Tools
Detects disabling security tools
view Sigma YAML
title: Disable Security Tools
id: ff39f1a6-84ac-476f-a1af-37fcdf53d7c0
status: test
description: Detects disabling security tools
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
author: Daniil Yugoslavskiy, oscd.community
date: 2020-10-19
modified: 2021-11-27
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: macos
detection:
launchctl_unload:
Image: '/bin/launchctl'
CommandLine|contains: 'unload'
security_plists:
CommandLine|contains:
- 'com.objective-see.lulu.plist' # Objective-See firewall management utility
- 'com.objective-see.blockblock.plist' # Objective-See persistence locations watcher/blocker
- 'com.google.santad.plist' # google santa
- 'com.carbonblack.defense.daemon.plist' # carbon black
- 'com.carbonblack.daemon.plist' # carbon black
- 'at.obdev.littlesnitchd.plist' # Objective Development Software firewall management utility
- 'com.tenablesecurity.nessusagent.plist' # Tenable Nessus
- 'com.opendns.osx.RoamingClientConfigUpdater.plist' # OpenDNS Umbrella
- 'com.crowdstrike.falcond.plist' # Crowdstrike Falcon
- 'com.crowdstrike.userdaemon.plist' # Crowdstrike Falcon
- 'osquery' # facebook osquery
- 'filebeat' # elastic log file shipper
- 'auditbeat' # elastic auditing agent/log shipper
- 'packetbeat' # elastic network logger/shipper
- 'td-agent' # fluentd log shipper
disable_gatekeeper:
Image: '/usr/sbin/spctl'
CommandLine|contains: 'disable'
condition: (launchctl_unload and security_plists) or disable_gatekeeper
falsepositives:
- Legitimate activities
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Disable Tamper Protection on Windows Defender
Detects disabling Windows Defender Tamper Protection
view Sigma YAML
title: Disable Tamper Protection on Windows Defender
id: 93d298a1-d28f-47f1-a468-d971e7796679
status: test
description: Detects disabling Windows Defender Tamper Protection
references:
- https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html
author: Austin Songer @austinsonger
date: 2021-08-04
modified: 2023-08-17
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\Microsoft\Windows Defender\Features\TamperProtection'
Details: DWORD (0x00000000)
filter_msmpeng_client: # only disabled temporarily during updates
Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
Image|endswith: '\MsMpEng.exe'
filter_msmpeng_domain_controller: # only disabled temporarily during updates
Image: 'C:\Program Files\Windows Defender\MsMpEng.exe'
condition: selection and not 1 of filter_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Disable Windows Firewall by Registry
Detect set EnableFirewall to 0 to disable the Windows firewall
view Sigma YAML
title: Disable Windows Firewall by Registry
id: e78c408a-e2ea-43cd-b5ea-51975cf358c0
status: test
description: Detect set EnableFirewall to 0 to disable the Windows firewall
references:
- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.004/T1562.004.md
author: frack113
date: 2022-08-19
modified: 2023-08-17
tags:
- attack.defense-impairment
- attack.t1686.003
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith:
- \SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\EnableFirewall
- \SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall
Details: DWORD (0x00000000)
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Disable Windows Security Center Notifications
Detect set UseActionCenterExperience to 0 to disable the Windows security center notification
view Sigma YAML
title: Disable Windows Security Center Notifications
id: 3ae1a046-f7db-439d-b7ce-b8b366b81fa6
status: test
description: Detect set UseActionCenterExperience to 0 to disable the Windows security center notification
references:
- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
author: frack113
date: 2022-08-19
modified: 2023-08-17
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: 'Windows\CurrentVersion\ImmersiveShell\UseActionCenterExperience'
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications/info.yml
simulation:
- type: atomic-red-team
name: Disable Windows Security Center Notifications
technique: T1112
atomic_guid: 45914594-8df6-4ea9-b3cc-7eb9321a807e
Convert to SIEM query
medium
Moderate
Low FP
Disabled MFA to Bypass Authentication Mechanisms
Detection for when multi factor authentication has been disabled, which might indicate a malicious activity to bypass authentication mechanisms.
view Sigma YAML
title: Disabled MFA to Bypass Authentication Mechanisms
id: 7ea78478-a4f9-42a6-9dcd-f861816122bf
status: test
description: Detection for when multi factor authentication has been disabled, which might indicate a malicious activity to bypass authentication mechanisms.
references:
- https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
author: '@ionsor'
date: 2022-02-08
tags:
- attack.credential-access
- attack.persistence
- attack.defense-impairment
- attack.t1556
logsource:
product: azure
service: activitylogs
detection:
selection:
eventSource: AzureActiveDirectory
eventName: 'Disable Strong Authentication.'
status: success
condition: selection
falsepositives:
- Authorized modification by administrators
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Disabling Security Tools
Detects disabling security tools
view Sigma YAML
title: Disabling Security Tools
id: e3a8a052-111f-4606-9aee-f28ebeb76776
status: test
description: Detects disabling security tools
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md
author: Ömer Günal, Alejandro Ortuno, oscd.community
date: 2020-06-17
modified: 2022-10-09
tags:
- attack.defense-impairment
- attack.t1686
logsource:
category: process_creation
product: linux
detection:
selection_iptables_1:
Image|endswith: '/service'
CommandLine|contains|all:
- 'iptables'
- 'stop'
selection_iptables_2:
Image|endswith: '/service'
CommandLine|contains|all:
- 'ip6tables'
- 'stop'
selection_iptables_3:
Image|endswith: '/chkconfig'
CommandLine|contains|all:
- 'iptables'
- 'stop'
selection_iptables_4:
Image|endswith: '/chkconfig'
CommandLine|contains|all:
- 'ip6tables'
- 'stop'
selection_firewall_1:
Image|endswith: '/systemctl'
CommandLine|contains|all:
- 'firewalld'
- 'stop'
selection_firewall_2:
Image|endswith: '/systemctl'
CommandLine|contains|all:
- 'firewalld'
- 'disable'
selection_carbonblack_1:
Image|endswith: '/service'
CommandLine|contains|all:
- 'cbdaemon'
- 'stop'
selection_carbonblack_2:
Image|endswith: '/chkconfig'
CommandLine|contains|all:
- 'cbdaemon'
- 'off'
selection_carbonblack_3:
Image|endswith: '/systemctl'
CommandLine|contains|all:
- 'cbdaemon'
- 'stop'
selection_carbonblack_4:
Image|endswith: '/systemctl'
CommandLine|contains|all:
- 'cbdaemon'
- 'disable'
selection_selinux:
Image|endswith: '/setenforce'
CommandLine|contains: '0'
selection_crowdstrike_1:
Image|endswith: '/systemctl'
CommandLine|contains|all:
- 'stop'
- 'falcon-sensor'
selection_crowdstrike_2:
Image|endswith: '/systemctl'
CommandLine|contains|all:
- 'disable'
- 'falcon-sensor'
condition: 1 of selection*
falsepositives:
- Legitimate administration activities
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Disabling Security Tools - Builtin
Detects disabling security tools
view Sigma YAML
title: Disabling Security Tools - Builtin
id: 49f5dfc1-f92e-4d34-96fa-feba3f6acf36
related:
- id: e3a8a052-111f-4606-9aee-f28ebeb76776
type: derived
status: test
description: Detects disabling security tools
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md
author: Ömer Günal, Alejandro Ortuno, oscd.community
date: 2020-06-17
modified: 2022-11-26
tags:
- attack.defense-impairment
- attack.t1686
logsource:
product: linux
service: syslog
detection:
keywords:
- 'stopping iptables'
- 'stopping ip6tables'
- 'stopping firewalld'
- 'stopping cbdaemon'
- 'stopping falcon-sensor'
condition: keywords
falsepositives:
- Legitimate administration activities
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Disk Image Creation Via Hdiutil - MacOS
Detects the execution of the hdiutil utility in order to create a disk image.
view Sigma YAML
title: Disk Image Creation Via Hdiutil - MacOS
id: 1cf98dc2-fcb0-47c9-8aea-654c9284d1ae
status: test
description: Detects the execution of the hdiutil utility in order to create a disk image.
references:
- https://www.loobins.io/binaries/hdiutil/
- https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/
- https://ss64.com/mac/hdiutil.html
author: Omar Khaled (@beacon_exe)
date: 2024-08-10
tags:
- attack.exfiltration
logsource:
product: macos
category: process_creation
detection:
selection:
Image|endswith: /hdiutil
CommandLine|contains: 'create'
condition: selection
falsepositives:
- Legitimate usage of hdiutil by administrators and users.
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Disk Image Mounting Via Hdiutil - MacOS
Detects the execution of the hdiutil utility in order to mount disk images.
view Sigma YAML
title: Disk Image Mounting Via Hdiutil - MacOS
id: bf241472-f014-4f01-a869-96f99330ca8c
status: test
description: Detects the execution of the hdiutil utility in order to mount disk images.
references:
- https://www.loobins.io/binaries/hdiutil/
- https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/
- https://ss64.com/mac/hdiutil.html
author: Omar Khaled (@beacon_exe)
date: 2024-08-10
tags:
- attack.initial-access
- attack.collection
- attack.t1566.001
- attack.t1560.001
logsource:
product: macos
category: process_creation
detection:
selection:
Image|endswith: /hdiutil
CommandLine|contains:
- 'attach '
- 'mount '
condition: selection
falsepositives:
- Legitimate usage of hdiutil by administrators and users.
level: medium
Convert to SIEM query
medium
Strong
High FP
Diskshadow Child Process Spawned
Detects any child process spawning from "Diskshadow.exe". This could be due to executing Diskshadow in interpreter mode or script mode and using the "exec" flag to launch other applications.
view Sigma YAML
title: Diskshadow Child Process Spawned
id: 56b1dde8-b274-435f-a73a-fb75eb81262a
related:
- id: fa1a7e52-3d02-435b-81b8-00da14dd66c1 # Diskshadow Script Mode - Execution From Potential Suspicious Location
type: similar
- id: 1dde5376-a648-492e-9e54-4241dd9b0c7f # Diskshadow Script Mode - Uncommon Script Extension Execution
type: similar
- id: 9f546b25-5f12-4c8d-8532-5893dcb1e4b8 # Potentially Suspicious Child Process Of DiskShadow.EXE
type: similar
- id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2 # Diskshadow Script Mode Execution
type: similar
status: test
description: Detects any child process spawning from "Diskshadow.exe". This could be due to executing Diskshadow in interpreter mode or script mode and using the "exec" flag to launch other applications.
references:
- https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
- https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration
- https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow
author: Harjot Singh @cyb3rjy0t
date: 2023-09-15
tags:
- attack.stealth
- attack.t1218
- attack.execution
- detection.threat-hunting
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\diskshadow.exe'
filter_main_werfault:
Image|endswith: ':\Windows\System32\WerFault.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Likely from legitimate usage of Diskshadow in Interpreter mode.
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Diskshadow Script Mode - Execution From Potential Suspicious Location
Detects execution of "Diskshadow.exe" in script mode using the "/s" flag where the script is located in a potentially suspicious location.
view Sigma YAML
title: Diskshadow Script Mode - Execution From Potential Suspicious Location
id: fa1a7e52-3d02-435b-81b8-00da14dd66c1
related:
- id: 1dde5376-a648-492e-9e54-4241dd9b0c7f # Diskshadow Script Mode - Uncommon Script Extension Execution
type: similar
- id: 9f546b25-5f12-4c8d-8532-5893dcb1e4b8 # Potentially Suspicious Child Process Of DiskShadow.EXE
type: similar
- id: 56b1dde8-b274-435f-a73a-fb75eb81262a # Diskshadow Child Process Spawned
type: similar
- id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2 # Diskshadow Script Mode Execution
type: similar
status: test
description: Detects execution of "Diskshadow.exe" in script mode using the "/s" flag where the script is located in a potentially suspicious location.
references:
- https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
- https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration
- https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow
- https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf
- https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware
- https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-15
modified: 2024-03-05
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName: 'diskshadow.exe'
- Image|endswith: '\diskshadow.exe'
selection_cli:
CommandLine|contains|windash: '-s '
selection_paths:
CommandLine|contains:
# Note: Add additional susp paths based on your org needs
- ':\Temp\'
- ':\Windows\Temp\'
- '\AppData\Local\'
- '\AppData\Roaming\'
- '\ProgramData\'
- '\Users\Public\'
condition: all of selection_*
falsepositives:
- False positives may occur if you execute the script from one of the paths mentioned in the rule. Apply additional filters that fits your org needs.
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Diskshadow Script Mode - Uncommon Script Extension Execution
Detects execution of "Diskshadow.exe" in script mode to execute an script with a potentially uncommon extension.
Initial baselining of the allowed extension list is required.
view Sigma YAML
title: Diskshadow Script Mode - Uncommon Script Extension Execution
id: 1dde5376-a648-492e-9e54-4241dd9b0c7f
related:
- id: fa1a7e52-3d02-435b-81b8-00da14dd66c1 # Diskshadow Script Mode - Execution From Potential Suspicious Location
type: similar
- id: 9f546b25-5f12-4c8d-8532-5893dcb1e4b8 # Potentially Suspicious Child Process Of DiskShadow.EXE
type: similar
- id: 56b1dde8-b274-435f-a73a-fb75eb81262a # Diskshadow Child Process Spawned
type: similar
- id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2 # Diskshadow Script Mode Execution
type: similar
status: test
description: |
Detects execution of "Diskshadow.exe" in script mode to execute an script with a potentially uncommon extension.
Initial baselining of the allowed extension list is required.
references:
- https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
- https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration
- https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow
- https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf
- https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware
- https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-15
modified: 2024-03-05
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName: 'diskshadow.exe'
- Image|endswith: '\diskshadow.exe'
selection_flag:
CommandLine|contains|windash: '-s '
filter_main_ext:
# Note: can be changed to an "endswith" to avoid rare FPs. But you need to account for quoted paths
# Note: Using the ".txt" is based on the MS documentation example. Best add the extension you use internally before using this rule
CommandLine|contains: '.txt'
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- False postitve might occur with legitimate or uncommon extensions used internally. Initial baseline is required.
level: medium
Convert to SIEM query
medium
Strong
High FP
Diskshadow Script Mode Execution
Detects execution of "Diskshadow.exe" in script mode using the "/s" flag. Attackers often abuse "diskshadow" to execute scripts that deleted the shadow copies on the systems. Investigate the content of the scripts and its location.
view Sigma YAML
title: Diskshadow Script Mode Execution
id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2
related:
- id: fa1a7e52-3d02-435b-81b8-00da14dd66c1 # Diskshadow Script Mode - Execution From Potential Suspicious Location
type: similar
- id: 1dde5376-a648-492e-9e54-4241dd9b0c7f # Diskshadow Script Mode - Uncommon Script Extension Execution
type: similar
- id: 9f546b25-5f12-4c8d-8532-5893dcb1e4b8 # Potentially Suspicious Child Process Of DiskShadow.EXE
type: similar
- id: 56b1dde8-b274-435f-a73a-fb75eb81262a # Diskshadow Child Process Spawned
type: similar
status: test
description: |
Detects execution of "Diskshadow.exe" in script mode using the "/s" flag. Attackers often abuse "diskshadow" to execute scripts that deleted the shadow copies on the systems. Investigate the content of the scripts and its location.
references:
- https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
- https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration
- https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow
author: Ivan Dyachkov, oscd.community
date: 2020-10-07
modified: 2024-03-13
tags:
- attack.stealth
- attack.t1218
- attack.execution
- detection.threat-hunting
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName: 'diskshadow.exe'
- Image|endswith: '\diskshadow.exe'
selection_cli:
CommandLine|contains|windash: '-s '
condition: all of selection_*
falsepositives:
- Likely from legitimate backup scripts
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Dism Remove Online Package
Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
view Sigma YAML
title: Dism Remove Online Package
id: 43e32da2-fdd0-4156-90de-50dfd62636f9
status: test
description: Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-26---disable-windows-defender-with-dism
- https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html
author: frack113
date: 2022-01-16
modified: 2022-08-26
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_dismhost:
Image|endswith: '\DismHost.exe'
ParentCommandLine|contains|all:
- '/Online'
- '/Disable-Feature'
# - '/FeatureName:'
# - '/Remove'
# /NoRestart
# /quiet
selection_dism:
Image|endswith: '\Dism.exe'
CommandLine|contains|all:
- '/Online'
- '/Disable-Feature'
# - '/FeatureName:'
# - '/Remove'
# /NoRestart
# /quiet
condition: 1 of selection_*
falsepositives:
- Legitimate script
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_dism_remove/info.yml
simulation:
- type: atomic-red-team
name: Disable Windows Defender with DISM
technique: T1562.001
atomic_guid: 871438ac-7d6e-432a-b27d-3e7db69faf58
Convert to SIEM query
medium
Moderate
Medium FP
Displaying Hidden Files Feature Disabled
Detects modifications to the "Hidden" and "ShowSuperHidden" explorer registry values in order to disable showing of hidden files and system files.
This technique is abused by several malware families to hide their files from normal users.
view Sigma YAML
title: Displaying Hidden Files Feature Disabled
id: 5a5152f1-463f-436b-b2f5-8eceb3964b42
status: test
description: |
Detects modifications to the "Hidden" and "ShowSuperHidden" explorer registry values in order to disable showing of hidden files and system files.
This technique is abused by several malware families to hide their files from normal users.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-8---hide-files-through-registry
author: frack113
date: 2022-04-02
modified: 2024-03-26
tags:
- attack.stealth
- attack.t1564.001
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith:
- '\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden'
- '\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden'
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
Showing 251-300 of 1,440