Tool
EDR / XDR
VMware Carbon Black
1,440 rules · Sigma detections in VMware Carbon Black syntax
The same Sigma detection corpus, machine-rendered into VMware Carbon Black query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 3,646 rules (.zip, 1.2 MB)
Every VMware Carbon Black query in this view, packaged to deploy.
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance12
Resource Development10
Initial Access10
Execution30
Persistence42
Privilege Escalation20
Stealth79
Defense Impairment32
Credential Access35
Discovery33
Lateral Movement16
Collection20
Command and Control24
Exfiltration10
Impact18
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
◈
Detection rules
50 shown of 1,440
medium
Strong
Medium FP
Django Framework Exceptions
Detects suspicious Django web application framework exceptions that could indicate exploitation attempts
view Sigma YAML
title: Django Framework Exceptions
id: fd435618-981e-4a7c-81f8-f78ce480d616
status: stable
description: Detects suspicious Django web application framework exceptions that could indicate exploitation attempts
references:
- https://docs.djangoproject.com/en/1.11/ref/exceptions/
- https://docs.djangoproject.com/en/1.11/topics/logging/#django-security
author: Thomas Patzke
date: 2017-08-05
modified: 2020-09-01
tags:
- attack.initial-access
- attack.t1190
logsource:
category: application
product: django
detection:
keywords:
- SuspiciousOperation
# Subclasses of SuspiciousOperation
- DisallowedHost
- DisallowedModelAdminLookup
- DisallowedModelAdminToField
- DisallowedRedirect
- InvalidSessionKey
- RequestDataTooBig
- SuspiciousFileOperation
- SuspiciousMultipartForm
- SuspiciousSession
- TooManyFieldsSent
# Further security-related exceptions
- PermissionDenied
condition: keywords
falsepositives:
- Application bugs
level: medium
Convert to SIEM query
medium
Strong
Medium FP
DllUnregisterServer Function Call Via Msiexec.EXE
Detects MsiExec loading a DLL and calling its DllUnregisterServer function
view Sigma YAML
title: DllUnregisterServer Function Call Via Msiexec.EXE
id: 84f52741-8834-4a8c-a413-2eb2269aa6c8
status: test
description: Detects MsiExec loading a DLL and calling its DllUnregisterServer function
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md
- https://lolbas-project.github.io/lolbas/Binaries/Msiexec/
- https://twitter.com/_st0pp3r_/status/1583914515996897281
author: frack113
date: 2022-04-24
modified: 2024-03-13
tags:
- attack.stealth
- attack.t1218.007
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\msiexec.exe'
- OriginalFileName: '\msiexec.exe'
selection_flag:
CommandLine|contains|windash: ' -z '
selection_dll:
CommandLine|contains: '.dll'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Dllhost.EXE Initiated Network Connection To Non-Local IP Address
Detects Dllhost.EXE initiating a network connection to a non-local IP address.
Aside from Microsoft own IP range that needs to be excluded. Network communication from Dllhost will depend entirely on the hosted DLL.
An initial baseline is recommended before deployment.
view Sigma YAML
title: Dllhost.EXE Initiated Network Connection To Non-Local IP Address
id: cfed2f44-16df-4bf3-833a-79405198b277
status: test
description: |
Detects Dllhost.EXE initiating a network connection to a non-local IP address.
Aside from Microsoft own IP range that needs to be excluded. Network communication from Dllhost will depend entirely on the hosted DLL.
An initial baseline is recommended before deployment.
references:
- https://redcanary.com/blog/child-processes/
- https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08
author: bartblaze
date: 2020-07-13
modified: 2024-07-16
tags:
- attack.stealth
- attack.t1218
- attack.execution
- attack.t1559.001
- detection.threat-hunting
logsource:
category: network_connection
product: windows
detection:
selection:
Image|endswith: '\dllhost.exe'
Initiated: 'true'
filter_main_local_ranges:
DestinationIp|cidr:
- '::1/128' # IPv6 loopback
- '10.0.0.0/8'
- '127.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '169.254.0.0/16'
- 'fc00::/7' # IPv6 private addresses
- 'fe80::/10' # IPv6 link-local addresses
filter_main_msrange:
DestinationIp|cidr:
- '20.184.0.0/13' # Microsoft Corporation
- '20.192.0.0/10' # Microsoft Corporation
- '23.72.0.0/13' # Akamai International B.V.
- '51.10.0.0/15' # Microsoft Corporation
- '51.103.0.0/16' # Microsoft Corporation
- '51.104.0.0/15' # Microsoft Corporation
- '52.224.0.0/11' # Microsoft Corporation
- '150.171.0.0/19' # Microsoft Corporation
- '204.79.197.0/24' # Microsoft Corporation'
condition: selection and not 1 of filter_main_*
falsepositives:
- Communication to other corporate systems that use IP addresses from public address spaces
level: medium
Convert to SIEM query
medium
Moderate
High FP
Domain Trust Discovery Via Dsquery
Detects execution of "dsquery.exe" for domain trust discovery
view Sigma YAML
title: Domain Trust Discovery Via Dsquery
id: 3bad990e-4848-4a78-9530-b427d854aac0
related:
- id: b23fcb74-b1cb-4ff7-a31d-bfe2a7ba453b
type: similar
- id: 77815820-246c-47b8-9741-e0def3f57308
type: obsolete
status: test
description: Detects execution of "dsquery.exe" for domain trust discovery
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1482/T1482.md
- https://posts.specterops.io/an-introduction-to-manual-active-directory-querying-with-dsquery-and-ldapsearch-84943c13d7eb?gi=41b97a644843
author: E.M. Anhaus, Tony Lambert, oscd.community, omkar72
date: 2019-10-24
modified: 2023-02-02
tags:
- attack.discovery
- attack.t1482
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\dsquery.exe'
- OriginalFileName: 'dsquery.exe'
selection_cli:
CommandLine|contains: 'trustedDomain'
condition: all of selection_*
falsepositives:
- Legitimate use of the utilities by legitimate user for legitimate reason
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery/info.yml
simulation:
- type: atomic-red-team
name: Windows - Discover domain trusts with dsquery
technique: T1482
atomic_guid: 4700a710-c821-4e17-a3ec-9e4c81d6845f
Convert to SIEM query
medium
Moderate
Medium FP
DotNET Assembly DLL Loaded Via Office Application
Detects any assembly DLL being loaded by an Office Product
view Sigma YAML
title: DotNET Assembly DLL Loaded Via Office Application
id: ff0f2b05-09db-4095-b96d-1b75ca24894a
status: test
description: Detects any assembly DLL being loaded by an Office Product
references:
- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
author: Antonlovesdnb
date: 2020-02-19
modified: 2023-03-29
tags:
- attack.execution
- attack.t1204.002
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith:
- '\excel.exe'
- '\mspub.exe'
- '\onenote.exe'
- '\onenoteim.exe' # Just in case
- '\outlook.exe'
- '\powerpnt.exe'
- '\winword.exe'
ImageLoaded|startswith: 'C:\Windows\assembly\'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Download File To Potentially Suspicious Directory Via Wget
Detects the use of wget to download content to a suspicious directory
view Sigma YAML
title: Download File To Potentially Suspicious Directory Via Wget
id: cf610c15-ed71-46e1-bdf8-2bd1a99de6c4
status: test
description: Detects the use of wget to download content to a suspicious directory
references:
- https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
- https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
- https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
- https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-06-02
tags:
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: linux
detection:
selection_img:
Image|endswith: '/wget'
selection_output:
- CommandLine|re: '\s-O\s' # We use regex to ensure a case sensitive argument detection
- CommandLine|contains: '--output-document'
selection_path:
CommandLine|contains: '/tmp/'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Download from Suspicious Dyndns Hosts
Detects download of certain file types from hosts with dynamic DNS names (selected list)
view Sigma YAML
title: Download from Suspicious Dyndns Hosts
id: 195c1119-ef07-4909-bb12-e66f5e07bf3c
status: test
description: Detects download of certain file types from hosts with dynamic DNS names (selected list)
references:
- https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats
author: Florian Roth (Nextron Systems)
date: 2017-11-08
modified: 2023-05-18
tags:
- attack.command-and-control
- attack.t1105
- attack.t1568
logsource:
category: proxy
detection:
selection:
c-uri-extension:
- 'exe'
- 'vbs'
- 'bat'
- 'rar'
- 'ps1'
- 'doc'
- 'docm'
- 'xls'
- 'xlsm'
- 'pptm'
- 'rtf'
- 'hta'
- 'dll'
- 'ws'
- 'wsf'
- 'sct'
- 'zip'
# If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/
cs-host|endswith:
- '.hopto.org'
- '.no-ip.org'
- '.no-ip.info'
- '.no-ip.biz'
- '.no-ip.com'
- '.noip.com'
- '.ddns.name'
- '.myftp.org'
- '.myftp.biz'
- '.serveblog.net'
- '.servebeer.com'
- '.servemp3.com'
- '.serveftp.com'
- '.servequake.com'
- '.servehalflife.com'
- '.servehttp.com'
- '.servegame.com'
- '.servepics.com'
- '.myvnc.com'
- '.ignorelist.com'
- '.jkub.com'
- '.dlinkddns.com'
- '.jumpingcrab.com'
- '.ddns.info'
- '.mooo.com'
- '.dns-dns.com'
- '.strangled.net'
- '.adultdns.net'
- '.craftx.biz'
- '.ddns01.com'
- '.dns53.biz'
- '.dnsapi.info'
- '.dnsd.info'
- '.dnsdynamic.com'
- '.dnsdynamic.net'
- '.dnsget.org'
- '.fe100.net'
- '.flashserv.net'
- '.ftp21.net'
- '.http01.com'
- '.http80.info'
- '.https443.com'
- '.imap01.com'
- '.kadm5.com'
- '.mysq1.net'
- '.ns360.info'
- '.ntdll.net'
- '.ole32.com'
- '.proxy8080.com'
- '.sql01.com'
- '.ssh01.com'
- '.ssh22.net'
- '.tempors.com'
- '.tftpd.net'
- '.ttl60.com'
- '.ttl60.org'
- '.user32.com'
- '.voip01.com'
- '.wow64.net'
- '.x64.me'
- '.xns01.com'
- '.dyndns.org'
- '.dyndns.info'
- '.dyndns.tv'
- '.dyndns-at-home.com'
- '.dnsomatic.com'
- '.zapto.org'
- '.webhop.net'
- '.25u.com'
- '.slyip.net'
condition: selection
falsepositives:
- Software downloads
level: medium
Convert to SIEM query
medium
Strong
High FP
Driver/DLL Installation Via Odbcconf.EXE
Detects execution of "odbcconf" with "INSTALLDRIVER" which installs a new ODBC driver. Attackers abuse this to install and run malicious DLLs.
view Sigma YAML
title: Driver/DLL Installation Via Odbcconf.EXE
id: 3f5491e2-8db8-496b-9e95-1029fce852d4
related:
- id: cb0fe7c5-f3a3-484d-aa25-d350a7912729
type: similar
status: test
description: Detects execution of "odbcconf" with "INSTALLDRIVER" which installs a new ODBC driver. Attackers abuse this to install and run malicious DLLs.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/
- https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176
- https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-22
tags:
- attack.stealth
- attack.t1218.008
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\odbcconf.exe'
- OriginalFileName: 'odbcconf.exe'
selection_cli:
# Note: The "/A" flag is not required to call a specific action
CommandLine|contains|all:
- 'INSTALLDRIVER '
- '.dll'
condition: all of selection_*
falsepositives:
- Legitimate driver DLLs being registered via "odbcconf" will generate false positives. Investigate the path of the DLL and its contents to determine if the action is authorized.
level: medium
Convert to SIEM query
medium
Moderate
High FP
DriverQuery.EXE Execution
Detect usage of the "driverquery" utility. Which can be used to perform reconnaissance on installed drivers
view Sigma YAML
title: DriverQuery.EXE Execution
id: a20def93-0709-4eae-9bd2-31206e21e6b2
related:
- id: 9fc3072c-dc8f-4bf7-b231-18950000fadd
type: similar
status: test
description: Detect usage of the "driverquery" utility. Which can be used to perform reconnaissance on installed drivers
references:
- https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/
- https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/
- https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-19
modified: 2023-09-29
tags:
- attack.discovery
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: 'driverquery.exe'
- OriginalFileName: 'drvqry.exe'
filter_main_other: # These are covered in 9fc3072c-dc8f-4bf7-b231-18950000fadd to avoid duplicate alerting
- ParentImage|endswith:
- '\cscript.exe'
- '\mshta.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\wscript.exe'
- ParentImage|contains:
- '\AppData\Local\'
- '\Users\Public\'
- '\Windows\Temp\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Legitimate use by third party tools in order to investigate installed drivers
level: medium # Level could be reduced to low if this utility is often used in your environment
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_driverquery_usage/info.yml
Convert to SIEM query
medium
Moderate
Medium FP
Drop Binaries Into Spool Drivers Color Folder
Detects the creation of suspcious binary files inside the "\windows\system32\spool\drivers\color\" as seen in the blog referenced below
view Sigma YAML
title: Drop Binaries Into Spool Drivers Color Folder
id: ce7066a6-508a-42d3-995b-2952c65dc2ce
status: test
description: Detects the creation of suspcious binary files inside the "\windows\system32\spool\drivers\color\" as seen in the blog referenced below
references:
- https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-28
tags:
- attack.stealth
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|startswith: 'C:\Windows\System32\spool\drivers\color\'
TargetFilename|endswith:
- '.dll'
- '.exe'
- '.sys'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Dropping Of Password Filter DLL
Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS
view Sigma YAML
title: Dropping Of Password Filter DLL
id: b7966f4a-b333-455b-8370-8ca53c229762
status: test
description: Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS
references:
- https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/
- https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter
author: Sreeman
date: 2020-10-29
modified: 2022-10-09
tags:
- attack.persistence
- attack.credential-access
- attack.defense-impairment
- attack.t1556.002
logsource:
category: process_creation
product: windows
detection:
selection_cmdline:
CommandLine|contains|all:
- 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa'
- 'scecli\0*'
- 'reg add'
condition: selection_cmdline
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Dump Credentials from Windows Credential Manager With PowerShell
Adversaries may search for common password storage locations to obtain user credentials.
Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.
view Sigma YAML
title: Dump Credentials from Windows Credential Manager With PowerShell
id: 99c49d9c-34ea-45f7-84a7-4751ae6b2cbc
status: test
description: |
Adversaries may search for common password storage locations to obtain user credentials.
Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555/T1555.md
author: frack113
date: 2021-12-20
modified: 2022-12-25
tags:
- attack.credential-access
- attack.t1555
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_kiddie:
ScriptBlockText|contains:
- 'Get-PasswordVaultCredentials'
- 'Get-CredManCreds'
selection_rename_Password:
ScriptBlockText|contains|all:
- 'New-Object'
- 'Windows.Security.Credentials.PasswordVault'
selection_rename_credman:
ScriptBlockText|contains|all:
- 'New-Object'
- 'Microsoft.CSharp.CSharpCodeProvider'
- '[System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory())'
- 'Collections.ArrayList'
- 'System.CodeDom.Compiler.CompilerParameters'
condition: 1 of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Dump Ntds.dit To Suspicious Location
Detects potential abuse of ntdsutil to dump ntds.dit database to a suspicious location
view Sigma YAML
title: Dump Ntds.dit To Suspicious Location
id: 94dc4390-6b7c-4784-8ffc-335334404650
status: test
description: Detects potential abuse of ntdsutil to dump ntds.dit database to a suspicious location
references:
- https://twitter.com/mgreen27/status/1558223256704122882
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-14
modified: 2023-10-23
tags:
- attack.execution
logsource:
product: windows
service: application
# warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
selection_root:
Provider_Name: 'ESENT'
EventID: 325 # New Database Created
Data|contains: 'ntds.dit'
selection_paths:
Data|contains:
# Add more locations that you don't use in your env or that are just suspicious
- ':\ntds.dit'
- '\Appdata\'
- '\Desktop\'
- '\Downloads\'
- '\Perflogs\'
- '\Temp\'
- '\Users\Public\'
condition: all of selection_*
falsepositives:
- Legitimate backup operation/creating shadow copies
level: medium
Convert to SIEM query
medium
Moderate
High FP
DumpMinitool Execution
Detects the use of "DumpMinitool.exe" a tool that allows the dump of process memory via the use of the "MiniDumpWriteDump"
view Sigma YAML
title: DumpMinitool Execution
id: dee0a7a3-f200-4112-a99b-952196d81e42
status: test
description: Detects the use of "DumpMinitool.exe" a tool that allows the dump of process memory via the use of the "MiniDumpWriteDump"
references:
- https://twitter.com/mrd0x/status/1511415432888131586
- https://twitter.com/mrd0x/status/1511489821247684615
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/
- https://gist.github.com/nasbench/6d58c3c125e2fa1b8f7a09754c1b087f
author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
date: 2022-04-06
modified: 2023-04-12
tags:
- attack.stealth
- attack.t1036
- attack.t1003.001
- attack.credential-access
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\DumpMinitool.exe'
- '\DumpMinitool.x86.exe'
- '\DumpMinitool.arm64.exe'
- OriginalFileName:
- 'DumpMinitool.exe'
- 'DumpMinitool.x86.exe'
- 'DumpMinitool.arm64.exe'
selection_cli:
CommandLine|contains:
- ' Full'
- ' Mini'
- ' WithHeap'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Dumping Process via Sqldumper.exe
Detects process dump via legitimate sqldumper.exe binary
view Sigma YAML
title: Dumping Process via Sqldumper.exe
id: 23ceaf5c-b6f1-4a32-8559-f2ff734be516
status: test
description: Detects process dump via legitimate sqldumper.exe binary
references:
- https://twitter.com/countuponsec/status/910977826853068800
- https://twitter.com/countuponsec/status/910969424215232518
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/
author: Kirill Kiryanov, oscd.community
date: 2020-10-08
modified: 2021-11-27
tags:
- attack.credential-access
- attack.t1003.001
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\sqldumper.exe'
CommandLine|contains:
- '0x0110'
- '0x01100:40'
condition: selection
falsepositives:
- Legitimate MSSQL Server actions
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Dynamic .NET Compilation Via Csc.EXE
Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.
view Sigma YAML
title: Dynamic .NET Compilation Via Csc.EXE
id: dcaa3f04-70c3-427a-80b4-b870d73c94c4
status: test
description: Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.
references:
- https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/
- https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf
- https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/
- https://twitter.com/gN3mes1s/status/1206874118282448897
- https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1027.004/T1027.004.md#atomic-test-1---compile-after-delivery-using-cscexe
author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems)
date: 2019-08-24
modified: 2026-03-23
tags:
- attack.stealth
- attack.t1027.004
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith: '\csc.exe'
selection_susp_location_1:
CommandLine|contains:
- ':\Perflogs\'
- ':\Users\Public\'
- '\AppData\Local\Temp\' # User execution
- '\Temporary Internet'
- '\Windows\Temp\' # Admin execution
selection_susp_location_2:
- CommandLine|contains|all:
- ':\Users\'
- '\Favorites\'
- CommandLine|contains|all:
- ':\Users\'
- '\Favourites\'
- CommandLine|contains|all:
- ':\Users\'
- '\Contacts\'
- CommandLine|contains|all:
- ':\Users\'
- '\Pictures\'
selection_susp_location_3:
CommandLine|re: '(?:[Pp]rogram[Dd]ata|%(?:[Ll]ocal)?[Aa]pp[Dd]ata%|\\[Aa]pp[Dd]ata\\(?:[Ll]ocal(?:[Ll]ow)?|[Rr]oaming))\\[^\\]{1,256}$'
filter_main_programfiles:
# Note: this is a generic filter. You could baseline execution in your env for a more robust rule
ParentImage|startswith:
- 'C:\Program Files (x86)\' # https://twitter.com/gN3mes1s/status/1206874118282448897
- 'C:\Program Files\' # https://twitter.com/gN3mes1s/status/1206874118282448897
filter_main_sdiagnhost:
ParentImage: 'C:\Windows\System32\sdiagnhost.exe' # https://twitter.com/gN3mes1s/status/1206874118282448897
filter_main_w3p:
ParentImage: 'C:\Windows\System32\inetsrv\w3wp.exe' # https://twitter.com/gabriele_pippi/status/1206907900268072962
filter_optional_chocolatey:
ParentImage: # Chocolatey https://chocolatey.org/
- 'C:\ProgramData\chocolatey\choco.exe'
- 'C:\ProgramData\chocolatey\tools\shimgen.exe'
filter_optional_defender:
ParentCommandLine|contains: '\ProgramData\Microsoft\Windows Defender Advanced Threat Protection'
filter_optional_ansible:
# Note: As ansible is widely used we exclude it with this generic filter.
# A better option would be to filter based on script content basis or other marker while hunting
ParentCommandLine|contains:
# '{"failed":true,"msg":"Ansible requires PowerShell v3.0 or newer"}'
- 'JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw'
- 'cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA'
- 'nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA'
condition: selection_img and 1 of selection_susp_location_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate software from program files - https://twitter.com/gN3mes1s/status/1206874118282448897
- Legitimate Microsoft software - https://twitter.com/gabriele_pippi/status/1206907900268072962
- Ansible
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Dynamic .NET Compilation Via Csc.EXE - Hunting
Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.
view Sigma YAML
title: Dynamic .NET Compilation Via Csc.EXE - Hunting
id: acf2807c-805b-4042-aab9-f86b6ba9cb2b
related:
- id: dcaa3f04-70c3-427a-80b4-b870d73c94c4
type: derived
status: test
description: Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.
references:
- https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/
- https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf
- https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/
- https://twitter.com/gN3mes1s/status/1206874118282448897
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-02
tags:
- attack.stealth
- attack.t1027.004
- detection.threat-hunting
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\csc.exe'
CommandLine|contains: '/noconfig /fullpaths @'
condition: selection
falsepositives:
- Many legitimate applications make use of dynamic compilation. Use this rule to hunt for anomalies
level: medium
Convert to SIEM query
medium
Moderate
High FP
ESXi Account Creation Via ESXCLI
Detects user account creation on ESXi system via esxcli
view Sigma YAML
title: ESXi Account Creation Via ESXCLI
id: b28e4eb3-8bbc-4f0c-819f-edfe8e2f25db
status: test
description: Detects user account creation on ESXi system via esxcli
references:
- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html
author: Cedric Maurugeon
date: 2023-08-22
tags:
- attack.persistence
- attack.execution
- attack.t1136
- attack.t1059.012
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/esxcli'
CommandLine|contains|all:
- 'system '
- 'account '
- 'add '
condition: selection
falsepositives:
- Legitimate administration activities
level: medium
Convert to SIEM query
medium
Strong
Medium FP
ESXi Network Configuration Discovery Via ESXCLI
Detects execution of the "esxcli" command with the "network" flag in order to retrieve information about the network configuration.
view Sigma YAML
title: ESXi Network Configuration Discovery Via ESXCLI
id: 33e814e0-1f00-4e43-9c34-31fb7ae2b174
status: test
description: Detects execution of the "esxcli" command with the "network" flag in order to retrieve information about the network configuration.
references:
- https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_network.html
author: Cedric Maurugeon
date: 2023-09-04
tags:
- attack.discovery
- attack.execution
- attack.t1033
- attack.t1007
- attack.t1059.012
logsource:
category: process_creation
product: linux
detection:
selection_img:
Image|endswith: '/esxcli'
CommandLine|contains: 'network'
selection_cli:
CommandLine|contains:
- ' get'
- ' list'
condition: all of selection_*
falsepositives:
- Legitimate administration activities
# Note: level can be reduced to low in some envs
level: medium
Convert to SIEM query
medium
Strong
Medium FP
ESXi Storage Information Discovery Via ESXCLI
Detects execution of the "esxcli" command with the "storage" flag in order to retrieve information about the storage status and other related information. Seen used by malware such as DarkSide and LockBit.
view Sigma YAML
title: ESXi Storage Information Discovery Via ESXCLI
id: f41dada5-3f56-4232-8503-3fb7f9cf2d60
status: test
description: Detects execution of the "esxcli" command with the "storage" flag in order to retrieve information about the storage status and other related information. Seen used by malware such as DarkSide and LockBit.
references:
- https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html
- https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html
- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_storage.html
author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon
date: 2023-09-04
tags:
- attack.discovery
- attack.execution
- attack.t1033
- attack.t1007
- attack.t1059.012
logsource:
category: process_creation
product: linux
detection:
selection_img:
Image|endswith: '/esxcli'
CommandLine|contains: 'storage'
selection_cli:
CommandLine|contains:
- ' get'
- ' list'
condition: all of selection_*
falsepositives:
- Legitimate administration activities
# Note: level can be reduced to low in some envs
level: medium
Convert to SIEM query
medium
Moderate
High FP
ESXi Syslog Configuration Change Via ESXCLI
Detects changes to the ESXi syslog configuration via "esxcli"
view Sigma YAML
title: ESXi Syslog Configuration Change Via ESXCLI
id: 38eb1dbb-011f-40b1-a126-cf03a0210563
status: test
description: Detects changes to the ESXi syslog configuration via "esxcli"
references:
- https://support.solarwinds.com/SuccessCenter/s/article/Configure-ESXi-Syslog-to-LEM?language=en_US
- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html
author: Cedric Maurugeon
date: 2023-09-04
tags:
- attack.execution
- attack.defense-impairment
- attack.t1685
- attack.t1690
- attack.t1059.012
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/esxcli'
CommandLine|contains|all:
- 'system'
- 'syslog'
- 'config'
CommandLine|contains: ' set'
condition: selection
falsepositives:
- Legitimate administrative activities
level: medium
Convert to SIEM query
medium
Strong
Medium FP
ESXi System Information Discovery Via ESXCLI
Detects execution of the "esxcli" command with the "system" flag in order to retrieve information about the different component of the system. Such as accounts, modules, NTP, etc.
view Sigma YAML
title: ESXi System Information Discovery Via ESXCLI
id: e80273e1-9faf-40bc-bd85-dbaff104c4e9
status: test
description: Detects execution of the "esxcli" command with the "system" flag in order to retrieve information about the different component of the system. Such as accounts, modules, NTP, etc.
references:
- https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html
author: Cedric Maurugeon
date: 2023-09-04
tags:
- attack.discovery
- attack.execution
- attack.t1033
- attack.t1007
- attack.t1059.012
logsource:
category: process_creation
product: linux
detection:
selection_img:
Image|endswith: '/esxcli'
CommandLine|contains: 'system'
selection_cli:
CommandLine|contains:
- ' get'
- ' list'
condition: all of selection_*
falsepositives:
- Legitimate administration activities
level: medium
Convert to SIEM query
medium
Strong
High FP
ESXi VM Kill Via ESXCLI
Detects execution of the "esxcli" command with the "vm" and "kill" flag in order to kill/shutdown a specific VM.
view Sigma YAML
title: ESXi VM Kill Via ESXCLI
id: 2992ac4d-31e9-4325-99f2-b18a73221bb2
status: test
description: Detects execution of the "esxcli" command with the "vm" and "kill" flag in order to kill/shutdown a specific VM.
references:
- https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_vm.html
- https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/
- https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html
author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon
date: 2023-09-04
tags:
- attack.execution
- attack.impact
- attack.t1059.012
- attack.t1529
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/esxcli'
CommandLine|contains|all:
- 'vm process'
- 'kill'
condition: selection
falsepositives:
- Legitimate administration activities
level: medium
Convert to SIEM query
medium
Strong
High FP
ESXi VM List Discovery Via ESXCLI
Detects execution of the "esxcli" command with the "vm" flag in order to retrieve information about the installed VMs.
view Sigma YAML
title: ESXi VM List Discovery Via ESXCLI
id: 5f1573a7-363b-4114-9208-ad7a61de46eb
status: test
description: Detects execution of the "esxcli" command with the "vm" flag in order to retrieve information about the installed VMs.
references:
- https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_vm.html
- https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/
- https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html
author: Cedric Maurugeon
date: 2023-09-04
tags:
- attack.discovery
- attack.execution
- attack.t1033
- attack.t1007
- attack.t1059.012
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/esxcli'
CommandLine|contains: 'vm process'
CommandLine|endswith: ' list'
condition: selection
falsepositives:
- Legitimate administration activities
level: medium
Convert to SIEM query
medium
Strong
Medium FP
ESXi VSAN Information Discovery Via ESXCLI
Detects execution of the "esxcli" command with the "vsan" flag in order to retrieve information about virtual storage. Seen used by malware such as DarkSide.
view Sigma YAML
title: ESXi VSAN Information Discovery Via ESXCLI
id: d54c2f06-aca9-4e2b-81c9-5317858f4b79
status: test
description: Detects execution of the "esxcli" command with the "vsan" flag in order to retrieve information about virtual storage. Seen used by malware such as DarkSide.
references:
- https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html
- https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html
- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_vsan.html
author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon
date: 2023-09-04
tags:
- attack.discovery
- attack.execution
- attack.t1033
- attack.t1007
- attack.t1059.012
logsource:
category: process_creation
product: linux
detection:
selection_img:
Image|endswith: '/esxcli'
CommandLine|contains: 'vsan'
selection_cli:
CommandLine|contains:
- ' get'
- ' list'
condition: all of selection_*
falsepositives:
- Legitimate administration activities
# Note: level can be reduced to low in some envs
level: medium
Convert to SIEM query
medium
Strong
Medium FP
ETW Logging/Processing Option Disabled On IIS Server
Detects changes to of the IIS server configuration in order to disable/remove the ETW logging/processing option.
view Sigma YAML
title: ETW Logging/Processing Option Disabled On IIS Server
id: a5b40a90-baf5-4bf7-a6f7-373494881d22
status: test
description: Detects changes to of the IIS server configuration in order to disable/remove the ETW logging/processing option.
references:
- https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis
- https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/
- https://learn.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/sitedefaults/logfile/
author: frack113, Nasreddine Bencherchali
date: 2024-10-06
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1685.001
- attack.t1505.004
logsource:
product: windows
service: iis-configuration
detection:
selection:
EventID: 29
Configuration|endswith: '@logTargetW3C'
OldValue|contains: 'ETW'
filter_main_etw_added:
NewValue|contains: 'ETW'
condition: selection and not 1 of filter_main_*
falsepositives:
- Legitimate administrator activity
level: medium
Convert to SIEM query
medium
Strong
Medium FP
EVTX Created In Uncommon Location
Detects the creation of new files with the ".evtx" extension in non-common or non-standard location.
This could indicate tampering with default EVTX locations in order to evade security controls or simply exfiltration of event log to search for sensitive information within.
Note that backup software and legitimate administrator might perform similar actions during troubleshooting.
view Sigma YAML
title: EVTX Created In Uncommon Location
id: 65236ec7-ace0-4f0c-82fd-737b04fd4dcb
status: test
description: |
Detects the creation of new files with the ".evtx" extension in non-common or non-standard location.
This could indicate tampering with default EVTX locations in order to evade security controls or simply exfiltration of event log to search for sensitive information within.
Note that backup software and legitimate administrator might perform similar actions during troubleshooting.
references:
- https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key
author: D3F7A5105
date: 2023-01-02
modified: 2024-03-26
tags:
- attack.defense-impairment
- attack.t1685.001
logsource:
category: file_event
product: windows
definition: 'Requirements: The ".evtx" extension should be monitored via a Sysmon configuration. Example: <TargetFilename condition="end with">.evtx<TargetFilename>'
detection:
selection:
TargetFilename|endswith: '.evtx'
filter_main_path:
TargetFilename|startswith: 'C:\Windows\System32\winevt\Logs\'
filter_main_baseimage:
TargetFilename|startswith: 'C:\ProgramData\Microsoft\Windows\Containers\BaseImages\'
TargetFilename|endswith: '\Windows\System32\winevt\Logs\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Administrator or backup activity
- An unknown bug seems to trigger the Windows "svchost" process to drop EVTX files in the "C:\Windows\Temp" directory in the form "<log_name">_<uuid>.evtx". See https://superuser.com/questions/1371229/low-disk-space-after-filling-up-c-windows-temp-with-evtx-and-txt-files
level: medium
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations/info.yml
Convert to SIEM query
medium
Moderate
High FP
Elevated System Shell Spawned
Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges. Use this rule to hunt for potential suspicious processes.
view Sigma YAML
title: Elevated System Shell Spawned
id: 61065c72-5d7d-44ef-bf41-6a36684b545f
related:
- id: 178e615d-e666-498b-9630-9ed363038101
type: similar
status: test
description: |
Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges. Use this rule to hunt for potential suspicious processes.
references:
- https://github.com/Wh04m1001/SysmonEoP
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2023-11-23
modified: 2025-03-06
tags:
- attack.privilege-escalation
- attack.execution
- attack.t1059
- detection.threat-hunting
logsource:
product: windows
category: process_creation
detection:
selection_shell:
- Image|endswith:
- '\powershell.exe'
- '\powershell_ise.exe'
- '\pwsh.exe'
- '\cmd.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'powershell_ise.EXE'
- 'pwsh.dll'
- 'Cmd.Exe'
selection_user:
User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
LogonId: '0x3e7'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Enable BPF Kprobes Tracing
Detects common command used to enable bpf kprobes tracing
view Sigma YAML
title: Enable BPF Kprobes Tracing
id: 7692f583-bd30-4008-8615-75dab3f08a99
status: test
description: Detects common command used to enable bpf kprobes tracing
references:
- https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/
- https://bpftrace.org/
- https://www.kernel.org/doc/html/v5.0/trace/kprobetrace.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-25
tags:
- attack.execution
- attack.stealth
logsource:
category: process_creation
product: linux
detection:
selection:
CommandLine|contains|all:
- 'echo 1 >'
- '/sys/kernel/debug/tracing/events/kprobes/'
CommandLine|contains:
- '/myprobe/enable'
- '/myretprobe/enable'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Enable Local Manifest Installation With Winget
Detects changes to the AppInstaller (winget) policy. Specifically the activation of the local manifest installation, which allows a user to install new packages via custom manifests.
view Sigma YAML
title: Enable Local Manifest Installation With Winget
id: fa277e82-9b78-42dd-b05c-05555c7b6015
status: test
description: Detects changes to the AppInstaller (winget) policy. Specifically the activation of the local manifest installation, which allows a user to install new packages via custom manifests.
references:
- https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-17
modified: 2023-08-17
tags:
- attack.persistence
- attack.stealth
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|endswith: '\AppInstaller\EnableLocalManifestFiles'
Details: 'DWORD (0x00000001)'
condition: selection
falsepositives:
- Administrators or developers might enable this for testing purposes or to install custom private packages
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Enable Microsoft Dynamic Data Exchange
Enable Dynamic Data Exchange protocol (DDE) in all supported editions of Microsoft Word or Excel.
view Sigma YAML
title: Enable Microsoft Dynamic Data Exchange
id: 63647769-326d-4dde-a419-b925cc0caf42
status: test
description: Enable Dynamic Data Exchange protocol (DDE) in all supported editions of Microsoft Word or Excel.
references:
- https://msrc.microsoft.com/update-guide/vulnerability/ADV170021
author: frack113
date: 2022-02-26
modified: 2023-08-17
tags:
- attack.execution
- attack.t1559.002
logsource:
category: registry_set
product: windows
detection:
selection_word:
TargetObject|endswith: '\Word\Security\AllowDDE'
Details:
- 'DWORD (0x00000001)'
- 'DWORD (0x00000002)'
selection_excel:
TargetObject|endswith:
- '\Excel\Security\DisableDDEServerLaunch'
- '\Excel\Security\DisableDDEServerLookup'
Details: 'DWORD (0x00000000)'
condition: 1 of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback
Detects enabling of the "AllowAnonymousCallback" registry value, which allows a remote connection between computers that do not have a trust relationship.
view Sigma YAML
title: Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback
id: 4d431012-2ab5-4db7-a84e-b29809da2172
status: test
description: Detects enabling of the "AllowAnonymousCallback" registry value, which allows a remote connection between computers that do not have a trust relationship.
references:
- https://learn.microsoft.com/en-us/windows/win32/wmisdk/connecting-to-wmi-remotely-starting-with-vista
author: X__Junior (Nextron Systems)
date: 2023-11-03
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|contains: '\Microsoft\WBEM\CIMOM\AllowAnonymousCallback'
Details: 'DWORD (0x00000001)'
condition: selection
falsepositives:
- Administrative activity
level: medium
Convert to SIEM query
medium
Moderate
High FP
Enable Windows Remote Management
Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
view Sigma YAML
title: Enable Windows Remote Management
id: 991a9744-f2f0-44f2-bd33-9092eba17dc3
status: test
description: Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2
author: frack113
date: 2022-01-07
tags:
- attack.lateral-movement
- attack.t1021.006
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_cmdlet:
ScriptBlockText|contains: 'Enable-PSRemoting '
condition: selection_cmdlet
falsepositives:
- Legitimate script
level: medium
Convert to SIEM query
medium
Moderate
High FP
Enabling COR Profiler Environment Variables
Detects .NET Framework CLR and .NET Core CLR "cor_enable_profiling" and "cor_profiler" variables being set and configured.
view Sigma YAML
title: Enabling COR Profiler Environment Variables
id: ad89044a-8f49-4673-9a55-cbd88a1b374f
status: test
description: Detects .NET Framework CLR and .NET Core CLR "cor_enable_profiling" and "cor_profiler" variables being set and configured.
references:
- https://twitter.com/jamieantisocial/status/1304520651248668673
- https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors
- https://www.sans.org/cyber-security-summit/archives
- https://learn.microsoft.com/en-us/dotnet/core/runtime-config/debugging-profiling
author: Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research), Jimmy Bayne (@bohops)
date: 2020-09-10
modified: 2023-11-24
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.012
logsource:
category: registry_set
product: windows
detection:
selection_1:
TargetObject|endswith:
- '\COR_ENABLE_PROFILING'
- '\COR_PROFILER'
- '\CORECLR_ENABLE_PROFILING'
selection_2:
TargetObject|contains: '\CORECLR_PROFILER_PATH'
condition: 1 of selection_*
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
End User Consent Blocked
Detects when end user consent is blocked due to risk-based consent.
view Sigma YAML
title: End User Consent Blocked
id: 7091372f-623c-4293-bc37-20c32b3492be
status: test
description: Detects when end user consent is blocked due to risk-based consent.
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#end-user-stopped-due-to-risk-based-consent
author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
date: 2022-07-10
tags:
- attack.credential-access
- attack.t1528
logsource:
product: azure
service: auditlogs
detection:
selection:
failure_status_reason: 'Microsoft.online.Security.userConsentBlockedForRiskyAppsExceptions'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Enumerate All Information With Whoami.EXE
Detects the execution of "whoami.exe" with the "/all" flag
view Sigma YAML
title: Enumerate All Information With Whoami.EXE
id: c248c896-e412-4279-8c15-1c558067b6fa
status: test
description: Detects the execution of "whoami.exe" with the "/all" flag
references:
- https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/
- https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/
- https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-12-04
modified: 2024-03-05
tags:
- attack.discovery
- attack.t1033
- car.2016-03-001
logsource:
category: process_creation
product: windows
detection:
selection_main_img:
- Image|endswith: '\whoami.exe'
- OriginalFileName: 'whoami.exe'
selection_main_cli:
CommandLine|contains|windash: ' -all'
condition: all of selection_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Enumerate Credentials from Windows Credential Manager With PowerShell
Adversaries may search for common password storage locations to obtain user credentials.
Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.
view Sigma YAML
title: Enumerate Credentials from Windows Credential Manager With PowerShell
id: 603c6630-5225-49c1-8047-26c964553e0e
status: test
description: |
Adversaries may search for common password storage locations to obtain user credentials.
Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555/T1555.md
author: frack113
date: 2021-12-20
modified: 2022-12-25
tags:
- attack.credential-access
- attack.t1555
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_cmd:
ScriptBlockText|contains|all:
- vaultcmd
- '/listcreds:'
selection_option:
ScriptBlockText|contains:
- 'Windows Credentials'
- 'Web Credentials'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Enumeration for 3rd Party Creds From CLI
Detects processes that query known 3rd party registry keys that holds credentials via commandline
view Sigma YAML
title: Enumeration for 3rd Party Creds From CLI
id: 87a476dc-0079-4583-a985-dee7a20a03de
related:
- id: e0b0c2ab-3d52-46d9-8cb7-049dc775fbd1
type: derived
- id: cc1abf27-78a3-4ac5-a51c-f3070b1d8e40
type: similar
status: test
description: Detects processes that query known 3rd party registry keys that holds credentials via commandline
references:
- https://isc.sans.edu/diary/More+Data+Exfiltration/25698
- https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt
- https://github.com/HyperSine/how-does-MobaXterm-encrypt-password
- https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-20
modified: 2025-05-22
tags:
- attack.credential-access
- attack.t1552.002
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: # Add more paths as they are discovered
- '\Software\Aerofox\Foxmail\V3.1'
- '\Software\Aerofox\FoxmailPreview'
- '\Software\DownloadManager\Passwords'
- '\Software\FTPWare\COREFTP\Sites'
- '\Software\IncrediMail\Identities'
- '\Software\Martin Prikryl\WinSCP 2\Sessions'
- '\Software\Mobatek\MobaXterm\'
- '\Software\OpenSSH\Agent\Keys'
- '\Software\OpenVPN-GUI\configs'
- '\Software\ORL\WinVNC3\Password'
- '\Software\Qualcomm\Eudora\CommandLine'
- '\Software\RealVNC\WinVNC4'
- '\Software\RimArts\B2\Settings'
- '\Software\SimonTatham\PuTTY\Sessions'
- '\Software\SimonTatham\PuTTY\SshHostKeys\'
- '\Software\Sota\FFFTP'
- '\Software\TightVNC\Server'
- '\Software\WOW6432Node\Radmin\v3.0\Server\Parameters\Radmin'
filter_main_other_rule: # matched by cc1abf27-78a3-4ac5-a51c-f3070b1d8e40
Image|endswith: 'reg.exe'
CommandLine|contains:
- 'export'
- 'save'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Enumeration for Credentials in Registry
Adversaries may search the Registry on compromised systems for insecurely stored credentials.
The Windows Registry stores configuration information that can be used by the system or other programs.
Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services
view Sigma YAML
title: Enumeration for Credentials in Registry
id: e0b0c2ab-3d52-46d9-8cb7-049dc775fbd1
status: test
description: |
Adversaries may search the Registry on compromised systems for insecurely stored credentials.
The Windows Registry stores configuration information that can be used by the system or other programs.
Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.002/T1552.002.md
author: frack113
date: 2021-12-20
modified: 2022-12-25
tags:
- attack.credential-access
- attack.t1552.002
logsource:
category: process_creation
product: windows
detection:
reg:
Image|endswith: '\reg.exe'
CommandLine|contains|all:
- ' query '
- '/t '
- 'REG_SZ'
- '/s'
hive:
- CommandLine|contains|all:
- '/f '
- 'HKLM'
- CommandLine|contains|all:
- '/f '
- 'HKCU'
- CommandLine|contains: 'HKCU\Software\SimonTatham\PuTTY\Sessions'
condition: reg and hive
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Esentutl Gather Credentials
Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module pwgrab.
view Sigma YAML
title: Esentutl Gather Credentials
id: 7df1713a-1a5b-4a4b-a071-dc83b144a101
status: test
description: Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module pwgrab.
references:
- https://twitter.com/vxunderground/status/1423336151860002816
- https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/
author: sam0x90
date: 2021-08-06
modified: 2022-10-09
tags:
- attack.credential-access
- attack.t1003
- attack.t1003.003
- attack.s0404
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'esentutl'
- ' /p'
condition: selection
falsepositives:
- To be determined
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Esentutl Steals Browser Information
One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe
view Sigma YAML
title: Esentutl Steals Browser Information
id: 6a69f62d-ce75-4b57-8dce-6351eb55b362
status: test
description: One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe
references:
- https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/
- https://redcanary.com/threat-detection-report/threats/qbot/
- https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/
author: frack113
date: 2022-02-13
modified: 2024-03-05
tags:
- attack.collection
- attack.t1005
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\esentutl.exe'
- OriginalFileName: 'esentutl.exe'
selection_flag:
CommandLine|contains|windash: '-r'
selection_webcache:
CommandLine|contains: '\Windows\WebCache'
condition: all of selection*
falsepositives:
- Legitimate use
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
EventLog EVTX File Deleted
Detects the deletion of the event log files which may indicate an attempt to destroy forensic evidence
view Sigma YAML
title: EventLog EVTX File Deleted
id: 63c779ba-f638-40a0-a593-ddd45e8b1ddc
status: test
description: Detects the deletion of the event log files which may indicate an attempt to destroy forensic evidence
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-15
tags:
- attack.stealth
- attack.t1070
logsource:
category: file_delete
product: windows
detection:
selection:
TargetFilename|startswith: 'C:\Windows\System32\winevt\Logs\'
TargetFilename|endswith: '.evtx'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
EventLog Query Requests By Builtin Utilities
Detect attempts to query the contents of the event log using command line utilities. Attackers use this technique in order to look for sensitive information in the logs such as passwords, usernames, IPs, etc.
view Sigma YAML
title: EventLog Query Requests By Builtin Utilities
id: 9cd55b6c-430a-4fa9-96f4-7cadf5229e9f
related:
- id: beaa66d6-aa1b-4e3c-80f5-e0145369bfaf
type: derived
status: test
description: |
Detect attempts to query the contents of the event log using command line utilities. Attackers use this technique in order to look for sensitive information in the logs such as passwords, usernames, IPs, etc.
references:
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.3
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1
- http://www.solomonson.com/posts/2010-07-09-reading-eventviewer-command-line/
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
author: Ali Alwashali, Nasreddine Bencherchali (Nextron Systems)
date: 2023-11-20
modified: 2024-01-24
tags:
- attack.t1552
- attack.credential-access
- detection.threat-hunting
logsource:
product: windows
category: process_creation
detection:
selection_wmi:
CommandLine|contains|all:
- 'Select'
- 'Win32_NTLogEvent'
selection_wevtutil_img:
- Image|endswith: '\wevtutil.exe'
- OriginalFileName: 'wevtutil.exe'
selection_wevtutil_cli:
CommandLine|contains:
- ' qe '
- ' query-events '
selection_wmic_img:
- Image|endswith: '\wmic.exe'
- OriginalFileName: 'wmic.exe'
selection_wmic_cli:
CommandLine|contains: ' ntevent'
selection_cmdlet:
CommandLine|contains:
- 'Get-WinEvent '
- 'get-eventlog '
condition: selection_wmi or all of selection_wevtutil_* or all of selection_wmic_* or selection_cmdlet
falsepositives:
- Legitimate log access by administrators or troubleshooting tools
level: medium
Convert to SIEM query
medium
Strong
Low FP
Eventlog Cleared
One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution
view Sigma YAML
title: Eventlog Cleared
id: a62b37e0-45d3-48d9-a517-90c1a1b0186b
related:
- id: f2f01843-e7b8-4f95-a35a-d23584476423
type: obsolete
- id: d99b79d2-0a6f-4f46-ad8b-260b6e17f982
type: derived
- id: 100ef69e-3327-481c-8e5c-6d80d9507556
type: derived
status: test
description: One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution
references:
- https://twitter.com/deviouspolack/status/832535435960209408
- https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
author: Florian Roth (Nextron Systems)
date: 2017-01-10
modified: 2023-11-15
tags:
- attack.defense-impairment
- attack.t1685.005
- car.2016-04-002
logsource:
product: windows
service: system
detection:
selection:
EventID: 104
Provider_Name: 'Microsoft-Windows-Eventlog'
filter_main_covered:
# The channels below are already covered by the rule 100ef69e-3327-481c-8e5c-6d80d9507556
Channel:
- 'Microsoft-Windows-PowerShell/Operational'
- 'Microsoft-Windows-Sysmon/Operational'
- 'PowerShellCore/Operational'
- 'Security'
- 'System'
- 'Windows PowerShell'
condition: selection and not 1 of filter_main_*
falsepositives:
- Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)
- System provisioning (system reset before the golden image creation)
level: medium
Convert to SIEM query
medium
Moderate
High FP
Executable from Webdav
Detects executable access via webdav6. Can be seen in APT 29 such as from the emulated APT 29 hackathon https://github.com/OTRF/detection-hackathon-apt29/
view Sigma YAML
title: Executable from Webdav
id: aac2fd97-bcba-491b-ad66-a6edf89c71bf
status: test
description: 'Detects executable access via webdav6. Can be seen in APT 29 such as from the emulated APT 29 hackathon https://github.com/OTRF/detection-hackathon-apt29/'
references:
- http://carnal0wnage.attackresearch.com/2012/06/webdav-server-to-download-custom.html
- https://github.com/OTRF/detection-hackathon-apt29
author: 'SOC Prime, Adam Swan'
date: 2020-05-01
modified: 2021-11-27
tags:
- attack.command-and-control
- attack.t1105
logsource:
product: zeek
service: http
detection:
selection_webdav:
- c-useragent|contains: 'WebDAV'
- c-uri|contains: 'webdav'
selection_executable:
- resp_mime_types|contains: 'dosexec'
- c-uri|endswith: '.exe'
condition: selection_webdav and selection_executable
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Execute Code with Pester.bat
Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)
view Sigma YAML
title: Execute Code with Pester.bat
id: 59e938ff-0d6d-4dc3-b13f-36cc28734d4e
status: test
description: Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)
references:
- https://twitter.com/Oddvarmoe/status/993383596244258816
- https://github.com/api0cradle/LOLBAS/blob/d148d278f5f205ce67cfaf49afdfb68071c7252a/OSScripts/pester.md
author: Julia Fomina, oscd.community
date: 2020-10-08
modified: 2023-11-09
tags:
- attack.execution
- attack.stealth
- attack.t1059.001
- attack.t1216
logsource:
category: process_creation
product: windows
detection:
powershell_module:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
CommandLine|contains|all:
- 'Pester'
- 'Get-Help'
cmd_execution:
Image|endswith: '\cmd.exe'
CommandLine|contains|all:
- 'pester'
- ';'
get_help:
CommandLine|contains:
- 'help'
- '\?'
condition: powershell_module or (cmd_execution and get_help)
falsepositives:
- Legitimate use of Pester for writing tests for Powershell scripts and modules
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Execute Code with Pester.bat as Parent
Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)
view Sigma YAML
title: Execute Code with Pester.bat as Parent
id: 18988e1b-9087-4f8a-82fe-0414dce49878
related:
- id: 59e938ff-0d6d-4dc3-b13f-36cc28734d4e
type: similar
status: test
description: Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)
references:
- https://twitter.com/Oddvarmoe/status/993383596244258816
- https://twitter.com/_st0pp3r_/status/1560072680887525378
author: frack113, Nasreddine Bencherchali
date: 2022-08-20
tags:
- attack.execution
- attack.stealth
- attack.t1059.001
- attack.t1216
logsource:
category: process_creation
product: windows
detection:
selection_module:
ParentImage|endswith:
- '\powershell.exe'
- '\pwsh.exe'
ParentCommandLine|contains: '\WindowsPowerShell\Modules\Pester\'
selection_cli:
ParentCommandLine|contains:
- '{ Invoke-Pester -EnableExit ;'
- '{ Get-Help "'
condition: all of selection_*
falsepositives:
- Legitimate use of Pester for writing tests for Powershell scripts and modules
level: medium
Convert to SIEM query
medium
Strong
High FP
Execute Files with Msdeploy.exe
Detects file execution using the msdeploy.exe lolbin
view Sigma YAML
title: Execute Files with Msdeploy.exe
id: 646bc99f-6682-4b47-a73a-17b1b64c9d34
status: test
description: Detects file execution using the msdeploy.exe lolbin
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy/
- https://twitter.com/pabraeken/status/995837734379032576
- https://twitter.com/pabraeken/status/999090532839313408
author: Beyu Denis, oscd.community
date: 2020-10-18
modified: 2021-11-27
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'verb:sync'
- '-source:RunCommand'
- '-dest:runCommand'
Image|endswith: '\msdeploy.exe'
condition: selection
falsepositives:
- System administrator Usage
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Execute From Alternate Data Streams
Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection
view Sigma YAML
title: Execute From Alternate Data Streams
id: 7f43c430-5001-4f8b-aaa9-c3b88f18fa5c
status: test
description: Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md
author: frack113
date: 2021-09-01
modified: 2022-10-09
tags:
- attack.stealth
- attack.t1564.004
logsource:
category: process_creation
product: windows
detection:
selection_stream:
CommandLine|contains: 'txt:'
selection_tools_type:
CommandLine|contains|all:
- 'type '
- ' > '
selection_tools_makecab:
CommandLine|contains|all:
- 'makecab '
- '.cab'
selection_tools_reg:
CommandLine|contains|all:
- 'reg '
- ' export '
selection_tools_regedit:
CommandLine|contains|all:
- 'regedit '
- ' /E '
selection_tools_esentutl:
CommandLine|contains|all:
- 'esentutl '
- ' /y '
- ' /d '
- ' /o '
condition: selection_stream and (1 of selection_tools_*)
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Execute Invoke-command on Remote Host
Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
view Sigma YAML
title: Execute Invoke-command on Remote Host
id: 7b836d7f-179c-4ba4-90a7-a7e60afb48e6
status: test
description: Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-2---invoke-command
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.4
author: frack113
date: 2022-01-07
tags:
- attack.lateral-movement
- attack.t1021.006
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_cmdlet:
ScriptBlockText|contains|all:
- 'invoke-command '
- ' -ComputerName '
condition: selection_cmdlet
falsepositives:
- Legitimate script
level: medium
Convert to SIEM query
Showing 301-350 of 1,440