
VMware Carbon Black

1,440 rules · Sigma detections in VMware Carbon Black syntax
The same Sigma detection corpus, machine-rendered into VMware Carbon Black query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 3,646 rules (.zip, 1.2 MB) Every VMware Carbon Black query in this view, packaged to deploy.
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.

Detection rules

50 shown of 1,440
level: medium · quality: Moderate · alert volume: High FP
Get-ADUser Enumeration Using UserAccountControl Flags
Detects AS-REP roasting, an attack that is often overlooked. It is not very common as you have to explicitly set accounts that do not require pre-authentication.
status: test · author: frack113 · ATT&CK mapping: technique · id: 96c982fe-3d08-4df4-bed2-eb14e02f21c8
carbon_black query
ScriptBlockText:Get\-ADUser* ScriptBlockText:\-Filter* ScriptBlockText:useraccountcontrol* ScriptBlockText:\-band* ScriptBlockText:4194304*
view Sigma YAML
title: Get-ADUser Enumeration Using UserAccountControl Flags
id: 96c982fe-3d08-4df4-bed2-eb14e02f21c8
status: test
description: Detects AS-REP roasting, an attack that is often overlooked. It is not very common as you have to explicitly set accounts that do not require pre-authentication.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md#atomic-test-11---get-aduser-enumeration-using-useraccountcontrol-flags-as-rep-roasting
    - https://shellgeek.com/useraccountcontrol-flags-to-manipulate-properties/
author: frack113
date: 2022-03-17
tags:
    - attack.discovery
    - attack.t1033
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        # 4194304 DONT_REQ_PREAUTH
        ScriptBlockText|contains|all:
            - 'Get-ADUser'
            - '-Filter'
            - 'useraccountcontrol'
            - '-band'
            - '4194304'
    condition: selection
falsepositives:
    - Legitimate PowerShell scripts
level: medium
level: medium · quality: Moderate · alert volume: Medium FP
Github Delete Action Invoked
Detects delete action in the Github audit logs for codespaces, environment, project and repo.
status: test · author: Muhammad Faisal (@faisalusuf) · ATT&CK mapping: sub-technique · id: 16a71777-0b2e-4db7-9888-9d59cb75200b
carbon_black query
action:codespaces.destroy OR action:environment.delete OR action:project.delete OR action:repo.destroy
view Sigma YAML
title: Github Delete Action Invoked
id: 16a71777-0b2e-4db7-9888-9d59cb75200b
status: test
description: Detects delete action in the Github audit logs for codespaces, environment, project and repo.
author: Muhammad Faisal (@faisalusuf)
date: 2023-01-19
modified: 2026-03-09
references:
    - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions
    - https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/security-log-events#codespaces
tags:
    - attack.impact
    - attack.collection
    - attack.t1213.003
logsource:
    product: github
    service: audit
    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
detection:
    selection:
        action:
            - 'codespaces.destroy'
            - 'environment.delete'
            - 'project.delete'
            - 'repo.destroy'
    condition: selection
falsepositives:
    - Validate the deletion activity is permitted. The "actor" field needs to be validated.
level: medium
level: medium · quality: Moderate · alert volume: Medium FP
Github Fork Private Repositories Setting Enabled/Cleared
Detects when the policy allowing forks of private and internal repositories is changed (enabled or cleared).
status: test · author: Romain Gaillard (@romain-gaillard) · ATT&CK mapping: technique · id: 69b3bd1e-b38a-462f-9a23-fbdbf63d2294
carbon_black query
action:private_repository_forking.clear OR action:private_repository_forking.enable
view Sigma YAML
title: Github Fork Private Repositories Setting Enabled/Cleared
id: 69b3bd1e-b38a-462f-9a23-fbdbf63d2294
status: test
description: |
    Detects when the policy allowing forks of private and internal repositories is changed (enabled or cleared).
references:
    - https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#private_repository_forking
author: Romain Gaillard (@romain-gaillard)
date: 2024-07-29
tags:
    - attack.persistence
    - attack.exfiltration
    - attack.t1020
    - attack.t1537
logsource:
    product: github
    service: audit
    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
detection:
    selection:
        action:
            - 'private_repository_forking.clear' # An enterprise owner cleared the policy setting for allowing forks of private and internal repositories, for a repository, organization or enterprise.
            - 'private_repository_forking.enable' # An enterprise owner enabled the policy setting for allowing forks of private and internal repositories, for a repository, organization or enterprise. Private and internal repositories are always allowed to be forked.
    condition: selection
falsepositives:
    - Allowed administrative activities.
level: medium
level: medium · quality: Moderate · alert volume: Medium FP
Github Outside Collaborator Detected
Detects when an organization member or an outside collaborator is added to or removed from a project board or has their permission level changed or when an owner removes an outside collaborator from an organization or when two-factor authentication is required in an organization and an outside collaborator does not use 2FA or disables 2FA.
status: test · author: Muhammad Faisal (@faisalusuf) · ATT&CK mapping: sub-technique · id: eaa9ac35-1730-441f-9587-25767bde99d7
carbon_black query
action:org.remove_outside_collaborator OR action:project.update_user_permission
view Sigma YAML
title: Github Outside Collaborator Detected
id: eaa9ac35-1730-441f-9587-25767bde99d7
status: test
description: |
    Detects when an organization member or an outside collaborator is added to or removed from a project board or has their permission level changed or when an owner removes an outside collaborator from an organization or when two-factor authentication is required in an organization and an outside collaborator does not use 2FA or disables 2FA.
author: Muhammad Faisal (@faisalusuf)
date: 2023-01-20
references:
    - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions
    - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.collection
    - attack.t1098.001
    - attack.t1098.003
    - attack.t1213.003
logsource:
    product: github
    service: audit
    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
detection:
    selection:
        action:
            - 'org.remove_outside_collaborator'
            - 'project.update_user_permission'
    condition: selection
falsepositives:
    - Validate whether the actor is permitted to access the repo.
    - Validate the Multifactor Authentication changes.
level: medium
level: medium · quality: Moderate · alert volume: Medium FP
Github Repository/Organization Transferred
Detects when a repository or an organization is being transferred to another location.
status: test · author: Romain Gaillard (@romain-gaillard) · ATT&CK mapping: technique · id: 04ad83ef-1a37-4c10-b57a-81092164bf33
carbon_black query
action:migration.create OR action:org.transfer_outgoing OR action:org.transfer OR action:repo.transfer_outgoing
view Sigma YAML
title: Github Repository/Organization Transferred
id: 04ad83ef-1a37-4c10-b57a-81092164bf33
status: test
description: Detects when a repository or an organization is being transferred to another location.
references:
    - https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository
    - https://docs.github.com/en/organizations/managing-organization-settings/transferring-organization-ownership
    - https://docs.github.com/en/migrations
    - https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration
author: Romain Gaillard (@romain-gaillard)
date: 2024-07-29
tags:
    - attack.persistence
    - attack.exfiltration
    - attack.t1020
    - attack.t1537
logsource:
    product: github
    service: audit
    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
detection:
    selection:
        action:
            - 'migration.create' # A migration file was created for transferring data from a source location (such as a GitHub.com organization or a GitHub Enterprise Server instance) to a target GitHub Enterprise Server instance.
            - 'org.transfer_outgoing' # An organization was transferred between enterprise accounts.
            - 'org.transfer' # An organization was transferred between enterprise accounts.
            - 'repo.transfer_outgoing' # A repository was transferred to another repository network.
    condition: selection
falsepositives:
    - Allowed administrative activities.
level: medium
level: medium · quality: Moderate · alert volume: Medium FP
Github SSH Certificate Configuration Changed
Detects when changes are made to the SSH certificate configuration of the organization.
status: test · author: Romain Gaillard (@romain-gaillard) · ATT&CK mapping: sub-technique · id: 2f575940-d85e-4ddc-af13-17dad6f1a0ef
carbon_black query
action:ssh_certificate_authority.create OR action:ssh_certificate_requirement.disable
view Sigma YAML
title: Github SSH Certificate Configuration Changed
id: 2f575940-d85e-4ddc-af13-17dad6f1a0ef
status: test
description: Detects when changes are made to the SSH certificate configuration of the organization.
references:
    - https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-git-access-to-your-organizations-repositories/about-ssh-certificate-authorities
    - https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#ssh_certificate_authority
author: Romain Gaillard (@romain-gaillard)
date: 2024-07-29
tags:
    - attack.initial-access
    - attack.persistence
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1078.004
logsource:
    product: github
    service: audit
    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
detection:
    selection:
        action:
            - 'ssh_certificate_authority.create' # An SSH certificate authority for an organization or enterprise was created.
            - 'ssh_certificate_requirement.disable' # The requirement for members to use SSH certificates to access an organization's resources was disabled.
    condition: selection
falsepositives:
    - Allowed administrative activities.
level: medium
level: medium · quality: Strong · alert volume: Medium FP
Github Self-Hosted Runner Execution
Detects GitHub self-hosted runners executing workflows on local infrastructure that could be abused for persistence and code execution. Shai-Hulud is an npm supply chain worm targeting CI/CD environments. It installs runners on compromised systems to maintain access after credential theft, leveraging their access to secrets and internal networks.
status: test · author: Daniel Koifman (KoifSec) · ATT&CK mapping: sub-technique · id: 5bac7a56-da88-4c27-922e-c81e113b20cb
carbon_black query
((Image:\\Runner.Worker.exe OR OriginalFileName:Runner.Worker.dll) CommandLine:spawnclient*) OR ((Image:\\Runner.Listener.exe OR OriginalFileName:Runner.Listener.dll) (CommandLine:run* OR CommandLine:configure*))
view Sigma YAML
title: Github Self-Hosted Runner Execution
id: 5bac7a56-da88-4c27-922e-c81e113b20cb
status: test
description: |
    Detects GitHub self-hosted runners executing workflows on local infrastructure that could be abused for persistence and code execution.
    Shai-Hulud is an npm supply chain worm targeting CI/CD environments.
    It installs runners on compromised systems to maintain access after credential theft, leveraging their access to secrets and internal networks.
references:
    - https://about.gitlab.com/blog/gitlab-discovers-widespread-npm-supply-chain-attack/
    - https://securitylabs.datadoghq.com/articles/shai-hulud-2.0-npm-worm/
author: Daniel Koifman (KoifSec)
date: 2025-11-29
tags:
    - attack.command-and-control
    - attack.t1102.002
    - attack.t1071
logsource:
    category: process_creation
    product: windows
detection:
    selection_worker_img:  # Example command C:\Users\Lab\actions-runner\bin\Runner.Worker.exe spawnclient 1288 1252
        - Image|endswith: '\Runner.Worker.exe'
        - OriginalFileName: 'Runner.Worker.dll'
    selection_worker_cli:
        CommandLine|contains: 'spawnclient'
    selection_listener_img: # Example command C:\Users\Lab\actions-runner\bin\Runner.Listener.exe  configure --url https://github.com/ABC/ABC --token 123123
        - Image|endswith: '\Runner.Listener.exe'
        - OriginalFileName: 'Runner.Listener.dll'
    selection_listener_cli:
        CommandLine|contains:
            - 'run'
            - 'configure'
    condition: all of selection_worker_* or all of selection_listener_*
falsepositives:
    - Legitimate GitHub self-hosted runner installations on designated CI/CD infrastructure
    - Authorized runner deployments by DevOps/Platform teams following change management
    - Scheduled runner updates or reconfigurations on existing build agents
    - Self-hosted runners that follow expected/known naming patterns
    - Installation via expected/known configuration management tools (reflected mostly as parent process name)
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_github_self_hosted_runner/info.yml
level: medium · quality: Moderate · alert volume: High FP
GoToAssist Temporary Installation Artefact
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
status: test · author: frack113 · ATT&CK mapping: sub-technique · id: 5d756aee-ad3e-4306-ad95-cb1abec48de2
carbon_black query
TargetFilename:\\AppData\\Local\\Temp\\LogMeInInc\\GoToAssist\ Remote\ Support\ Expert\\*
view Sigma YAML
title: GoToAssist Temporary Installation Artefact
id: 5d756aee-ad3e-4306-ad95-cb1abec48de2
status: test
description: |
    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows
author: frack113
date: 2022-02-13
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains: '\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Expert\'
    condition: selection
falsepositives:
    - Legitimate use
level: medium
level: medium · quality: Moderate · alert volume: Medium FP
Google Cloud DNS Zone Modified or Deleted
Identifies when a DNS Zone is modified or deleted in Google Cloud.
status: test · author: Austin Songer @austinsonger · ATT&CK mapping: tactic-only · id: 28268a8f-191f-4c17-85b2-f5aa4fa829c3
carbon_black query
"gcp.audit.method_name":Dns.ManagedZones.Delete OR "gcp.audit.method_name":Dns.ManagedZones.Update OR "gcp.audit.method_name":Dns.ManagedZones.Patch
view Sigma YAML
title: Google Cloud DNS Zone Modified or Deleted
id: 28268a8f-191f-4c17-85b2-f5aa4fa829c3
status: test
description: Identifies when a DNS Zone is modified or deleted in Google Cloud.
references:
    - https://cloud.google.com/dns/docs/reference/v1/managedZones
author: Austin Songer @austinsonger
date: 2021-08-15
modified: 2022-10-09
tags:
    - attack.impact
logsource:
    product: gcp
    service: gcp.audit
detection:
    selection:
        gcp.audit.method_name:
            - Dns.ManagedZones.Delete
            - Dns.ManagedZones.Update
            - Dns.ManagedZones.Patch
    condition: selection
falsepositives:
    - Unknown
level: medium
level: medium · quality: Moderate · alert volume: High FP
Google Cloud Firewall Modified or Deleted
Detects when a firewall rule is modified or deleted in Google Cloud Platform (GCP).
status: test · author: Austin Songer @austinsonger · ATT&CK mapping: technique · id: fe513c69-734c-4d4a-8548-ac5f609be82b
carbon_black query
"gcp.audit.method_name":v*.Compute.Firewalls.Delete OR "gcp.audit.method_name":v*.Compute.Firewalls.Patch OR "gcp.audit.method_name":v*.Compute.Firewalls.Update OR "gcp.audit.method_name":v*.Compute.Firewalls.Insert
view Sigma YAML
title: Google Cloud Firewall Modified or Deleted
id: fe513c69-734c-4d4a-8548-ac5f609be82b
status: test
description: Detects when a firewall rule is modified or deleted in Google Cloud Platform (GCP).
references:
    - https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging
    - https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.Firewalls.html
author: Austin Songer @austinsonger
date: 2021-08-13
modified: 2022-10-09
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: gcp
    service: gcp.audit
detection:
    selection:
        gcp.audit.method_name:
            - v*.Compute.Firewalls.Delete
            - v*.Compute.Firewalls.Patch
            - v*.Compute.Firewalls.Update
            - v*.Compute.Firewalls.Insert
    condition: selection
falsepositives:
    - Firewall rules being modified or deleted may be performed by a system administrator. Verify that the firewall configuration change was expected.
    - Exceptions can be added to this rule to filter expected behavior.
level: medium
level: medium · quality: Moderate · alert volume: Medium FP
Google Cloud Kubernetes Admission Controller
Identifies when an admission controller is executed in GCP Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.
status: test · author: Austin Songer @austinsonger · ATT&CK mapping: sub-technique · id: 6ad91e31-53df-4826-bd27-0166171c8040
carbon_black query
"gcp.audit.method_name":admissionregistration.k8s.io.v* ("gcp.audit.method_name":.mutatingwebhookconfigurations.* OR "gcp.audit.method_name":.validatingwebhookconfigurations.*) ("gcp.audit.method_name":create OR "gcp.audit.method_name":patch OR "gcp.audit.method_name":replace)
view Sigma YAML
title: Google Cloud Kubernetes Admission Controller
id: 6ad91e31-53df-4826-bd27-0166171c8040
status: test
description: |
  Identifies when an admission controller is executed in GCP Kubernetes.
  A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server.
  The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster.
  An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster.
  For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials.
  An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.
references:
    - https://cloud.google.com/kubernetes-engine/docs
author: Austin Songer @austinsonger
date: 2021-11-25
modified: 2022-12-18
tags:
    - attack.privilege-escalation
    - attack.initial-access
    - attack.persistence
    - attack.stealth
    - attack.t1078
    - attack.credential-access
    - attack.t1552
    - attack.t1552.007
logsource:
    product: gcp
    service: gcp.audit
detection:
    selection:
        gcp.audit.method_name|startswith: 'admissionregistration.k8s.io.v'
        gcp.audit.method_name|contains:
            - '.mutatingwebhookconfigurations.'
            - '.validatingwebhookconfigurations.'
        gcp.audit.method_name|endswith:
            - 'create'
            - 'patch'
            - 'replace'
    condition: selection
falsepositives:
    - Google Cloud Kubernetes Admission Controller may be done by a system administrator.
    - If known behavior is causing false positives, it can be exempted from the rule.
level: medium
level: medium · quality: Moderate · alert volume: Medium FP
Google Cloud Kubernetes CronJob
Identifies when a Google Cloud Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. An Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.
status: test · author: Austin Songer @austinsonger · ATT&CK mapping: tactic-only · id: cd3a808c-c7b7-4c50-a2f3-f4cfcd436435
carbon_black query
"gcp.audit.method_name":io.k8s.api.batch.v*.Job OR "gcp.audit.method_name":io.k8s.api.batch.v*.CronJob
view Sigma YAML
title: Google Cloud Kubernetes CronJob
id: cd3a808c-c7b7-4c50-a2f3-f4cfcd436435
status: test
description: |
    Identifies when a Google Cloud Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate.
    Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs.
    An Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.
references:
    - https://cloud.google.com/kubernetes-engine/docs
    - https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/
    - https://kubernetes.io/docs/concepts/workloads/controllers/job/
author: Austin Songer @austinsonger
date: 2021-11-22
modified: 2022-12-25
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
logsource:
    product: gcp
    service: gcp.audit
detection:
    selection:
        gcp.audit.method_name:
            - io.k8s.api.batch.v*.Job
            - io.k8s.api.batch.v*.CronJob
    condition: selection
falsepositives:
    - Google Cloud Kubernetes CronJob/Job may be done by a system administrator.
    - If known behavior is causing false positives, it can be exempted from the rule.
level: medium
level: medium · quality: Moderate · alert volume: High FP
Google Cloud Kubernetes RoleBinding
Detects the creation or patching of potential malicious RoleBinding. This includes RoleBindings and ClusterRoleBinding.
status: test · author: Austin Songer @austinsonger · ATT&CK mapping: tactic-only · id: 0322d9f2-289a-47c2-b5e1-b63c90901a3e
carbon_black query
"gcp.audit.method_name":io.k8s.authorization.rbac.v*.clusterrolebindings.create OR "gcp.audit.method_name":io.k8s.authorization.rbac.v*.rolebindings.create OR "gcp.audit.method_name":io.k8s.authorization.rbac.v*.clusterrolebindings.patch OR "gcp.audit.method_name":io.k8s.authorization.rbac.v*.rolebindings.patch OR "gcp.audit.method_name":io.k8s.authorization.rbac.v*.clusterrolebindings.update OR "gcp.audit.method_name":io.k8s.authorization.rbac.v*.rolebindings.update OR "gcp.audit.method_name":io.k8s.authorization.rbac.v*.clusterrolebindings.delete OR "gcp.audit.method_name":io.k8s.authorization.rbac.v*.rolebindings.delete
view Sigma YAML
title: Google Cloud Kubernetes RoleBinding
id: 0322d9f2-289a-47c2-b5e1-b63c90901a3e
status: test
description: Detects the creation or patching of potential malicious RoleBinding. This includes RoleBindings and ClusterRoleBinding.
references:
    - https://github.com/elastic/detection-rules/pull/1267
    - https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole
    - https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control
    - https://kubernetes.io/docs/reference/access-authn-authz/rbac/
    - https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging
author: Austin Songer @austinsonger
date: 2021-08-09
modified: 2022-10-09
tags:
    - attack.credential-access
logsource:
    product: gcp
    service: gcp.audit
detection:
    selection:
        gcp.audit.method_name:
            - io.k8s.authorization.rbac.v*.clusterrolebindings.create
            - io.k8s.authorization.rbac.v*.rolebindings.create
            - io.k8s.authorization.rbac.v*.clusterrolebindings.patch
            - io.k8s.authorization.rbac.v*.rolebindings.patch
            - io.k8s.authorization.rbac.v*.clusterrolebindings.update
            - io.k8s.authorization.rbac.v*.rolebindings.update
            - io.k8s.authorization.rbac.v*.clusterrolebindings.delete
            - io.k8s.authorization.rbac.v*.rolebindings.delete
    condition: selection
falsepositives:
    - RoleBindings and ClusterRoleBinding being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - RoleBindings and ClusterRoleBinding modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
level: medium · quality: Moderate · alert volume: High FP
Google Cloud Kubernetes Secrets Modified or Deleted
Identifies when the Secrets are Modified or Deleted.
status: test · author: Austin Songer @austinsonger · ATT&CK mapping: tactic-only · id: 2f0bae2d-bf20-4465-be86-1311addebaa3
carbon_black query
"gcp.audit.method_name":io.k8s.core.v*.secrets.create OR "gcp.audit.method_name":io.k8s.core.v*.secrets.update OR "gcp.audit.method_name":io.k8s.core.v*.secrets.patch OR "gcp.audit.method_name":io.k8s.core.v*.secrets.delete
view Sigma YAML
title: Google Cloud Kubernetes Secrets Modified or Deleted
id: 2f0bae2d-bf20-4465-be86-1311addebaa3
status: test
description: Identifies when the Secrets are Modified or Deleted.
references:
    - https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging
author: Austin Songer @austinsonger
date: 2021-08-09
modified: 2022-10-09
tags:
    - attack.credential-access
logsource:
    product: gcp
    service: gcp.audit
detection:
    selection:
        gcp.audit.method_name:
            - io.k8s.core.v*.secrets.create
            - io.k8s.core.v*.secrets.update
            - io.k8s.core.v*.secrets.patch
            - io.k8s.core.v*.secrets.delete
    condition: selection
falsepositives:
    - Secrets being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - Secrets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
medium Moderate Medium FP
Google Cloud Re-identifies Sensitive Information
Identifies when sensitive information is re-identified in Google Cloud.
status test author Austin Songer @austinsonger ATT&CK technique id 234f9f48-904b-4736-a34c-55d23919e4b7
carbon_black query
"gcp.audit.method_name":projects.content.reidentify
view Sigma YAML
title: Google Cloud Re-identifies Sensitive Information
id: 234f9f48-904b-4736-a34c-55d23919e4b7
status: test
description: Identifies when sensitive information is re-identified in Google Cloud.
references:
    - https://cloud.google.com/dlp/docs/reference/rest/v2/projects.content/reidentify
author: Austin Songer @austinsonger
date: 2021-08-15
modified: 2022-10-09
tags:
    - attack.impact
    - attack.t1565
logsource:
    product: gcp
    service: gcp.audit
detection:
    selection:
        gcp.audit.method_name: projects.content.reidentify
    condition: selection
falsepositives:
    - Unknown
level: medium
medium Moderate Medium FP
Google Cloud SQL Database Modified or Deleted
Detect when a Cloud SQL DB has been modified or deleted.
status test author Austin Songer @austinsonger ATT&CK tactic-only id f346bbd5-2c4e-4789-a221-72de7685090d
carbon_black query
"gcp.audit.method_name":cloudsql.instances.create OR "gcp.audit.method_name":cloudsql.instances.delete OR "gcp.audit.method_name":cloudsql.users.update OR "gcp.audit.method_name":cloudsql.users.delete
view Sigma YAML
title: Google Cloud SQL Database Modified or Deleted
id: f346bbd5-2c4e-4789-a221-72de7685090d
status: test
description: Detect when a Cloud SQL DB has been modified or deleted.
references:
    - https://cloud.google.com/sql/docs/mysql/admin-api/rest/v1beta4/users/update
author: Austin Songer @austinsonger
date: 2021-10-15
modified: 2022-12-25
tags:
    - attack.impact
logsource:
    product: gcp
    service: gcp.audit
detection:
    selection:
        gcp.audit.method_name:
            - cloudsql.instances.create
            - cloudsql.instances.delete
            - cloudsql.users.update
            - cloudsql.users.delete
    condition: selection
falsepositives:
    - SQL Database being modified or deleted may be performed by a system administrator.
    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - SQL Database modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
medium Moderate Medium FP
Google Cloud Service Account Disabled or Deleted
Identifies when a service account is disabled or deleted in Google Cloud.
status test author Austin Songer @austinsonger ATT&CK technique id 13f81a90-a69c-4fab-8f07-b5bb55416a9f
carbon_black query
"gcp.audit.method_name":.serviceAccounts.disable OR "gcp.audit.method_name":.serviceAccounts.delete
view Sigma YAML
title: Google Cloud Service Account Disabled or Deleted
id: 13f81a90-a69c-4fab-8f07-b5bb55416a9f
status: test
description: Identifies when a service account is disabled or deleted in Google Cloud.
references:
    - https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts
author: Austin Songer @austinsonger
date: 2021-08-14
modified: 2022-10-09
tags:
    - attack.impact
    - attack.t1531
logsource:
    product: gcp
    service: gcp.audit
detection:
    selection:
        gcp.audit.method_name|endswith:
            - .serviceAccounts.disable
            - .serviceAccounts.delete
    condition: selection
falsepositives:
    - Service Account being disabled or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - Service Account disabled or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
medium Moderate Medium FP
Google Cloud Service Account Modified
Identifies when a service account is modified in Google Cloud.
status test author Austin Songer @austinsonger ATT&CK tactic-only id 6b67c12e-5e40-47c6-b3b0-1e6b571184cc
carbon_black query
"gcp.audit.method_name":.serviceAccounts.patch OR "gcp.audit.method_name":.serviceAccounts.create OR "gcp.audit.method_name":.serviceAccounts.update OR "gcp.audit.method_name":.serviceAccounts.enable OR "gcp.audit.method_name":.serviceAccounts.undelete
view Sigma YAML
title: Google Cloud Service Account Modified
id: 6b67c12e-5e40-47c6-b3b0-1e6b571184cc
status: test
description: Identifies when a service account is modified in Google Cloud.
references:
    - https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts
author: Austin Songer @austinsonger
date: 2021-08-14
modified: 2022-10-09
tags:
    - attack.impact
logsource:
    product: gcp
    service: gcp.audit
detection:
    selection:
        gcp.audit.method_name|endswith:
            - .serviceAccounts.patch
            - .serviceAccounts.create
            - .serviceAccounts.update
            - .serviceAccounts.enable
            - .serviceAccounts.undelete
    condition: selection
falsepositives:
    - Service Account being modified may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - Service Account modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
medium Moderate Medium FP
Google Cloud Storage Buckets Modified or Deleted
Detects when a storage bucket is modified or deleted in Google Cloud.
status test author Austin Songer @austinsonger ATT&CK tactic-only id 4d9f2ee2-c903-48ab-b9c1-8c0f474913d0
carbon_black query
"gcp.audit.method_name":storage.buckets.delete OR "gcp.audit.method_name":storage.buckets.insert OR "gcp.audit.method_name":storage.buckets.update OR "gcp.audit.method_name":storage.buckets.patch
view Sigma YAML
title: Google Cloud Storage Buckets Modified or Deleted
id: 4d9f2ee2-c903-48ab-b9c1-8c0f474913d0
status: test
description: Detects when a storage bucket is modified or deleted in Google Cloud.
references:
    - https://cloud.google.com/storage/docs/json_api/v1/buckets
author: Austin Songer @austinsonger
date: 2021-08-14
modified: 2022-10-09
tags:
    - attack.impact
logsource:
    product: gcp
    service: gcp.audit
detection:
    selection:
        gcp.audit.method_name:
            - storage.buckets.delete
            - storage.buckets.insert
            - storage.buckets.update
            - storage.buckets.patch
    condition: selection
falsepositives:
    - Storage Buckets being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - Storage Buckets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
medium Moderate Medium FP
Google Cloud VPN Tunnel Modified or Deleted
Identifies when a VPN Tunnel is modified or deleted in Google Cloud.
status test author Austin Songer @austinsonger ATT&CK tactic-only id 99980a85-3a61-43d3-ac0f-b68d6b4797b1
carbon_black query
"gcp.audit.method_name":compute.vpnTunnels.insert OR "gcp.audit.method_name":compute.vpnTunnels.delete
view Sigma YAML
title: Google Cloud VPN Tunnel Modified or Deleted
id: 99980a85-3a61-43d3-ac0f-b68d6b4797b1
status: test
description: Identifies when a VPN Tunnel is modified or deleted in Google Cloud.
references:
    - https://any-api.com/googleapis_com/compute/docs/vpnTunnels
author: Austin Songer @austinsonger
date: 2021-08-16
modified: 2022-10-09
tags:
    - attack.impact
logsource:
    product: gcp
    service: gcp.audit
detection:
    selection:
        gcp.audit.method_name:
            - compute.vpnTunnels.insert
            - compute.vpnTunnels.delete
    condition: selection
falsepositives:
    - VPN Tunnel being modified or deleted may be performed by a system administrator.
    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - VPN Tunnel modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
medium Moderate High FP
Google Full Network Traffic Packet Capture
Identifies potential full network packet capture in GCP. This feature can potentially be abused to read sensitive data from unencrypted internal traffic.
status test author Austin Songer @austinsonger ATT&CK technique id 980a7598-1e7f-4962-9372-2d754c930d0e
carbon_black query
"gcp.audit.method_name":v*.Compute.PacketMirrorings.Get OR "gcp.audit.method_name":v*.Compute.PacketMirrorings.Delete OR "gcp.audit.method_name":v*.Compute.PacketMirrorings.Insert OR "gcp.audit.method_name":v*.Compute.PacketMirrorings.Patch OR "gcp.audit.method_name":v*.Compute.PacketMirrorings.List OR "gcp.audit.method_name":v*.Compute.PacketMirrorings.aggregatedList
view Sigma YAML
title: Google Full Network Traffic Packet Capture
id: 980a7598-1e7f-4962-9372-2d754c930d0e
status: test
description: Identifies potential full network packet capture in GCP. This feature can potentially be abused to read sensitive data from unencrypted internal traffic.
references:
    - https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging
    - https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html
author: Austin Songer @austinsonger
date: 2021-08-13
modified: 2022-10-09
tags:
    - attack.collection
    - attack.t1074
logsource:
    product: gcp
    service: gcp.audit
detection:
    selection:
        gcp.audit.method_name:
            - v*.Compute.PacketMirrorings.Get
            - v*.Compute.PacketMirrorings.Delete
            - v*.Compute.PacketMirrorings.Insert
            - v*.Compute.PacketMirrorings.Patch
            - v*.Compute.PacketMirrorings.List
            - v*.Compute.PacketMirrorings.aggregatedList
    condition: selection
falsepositives:
    - Full Network Packet Capture may be done by a system or network administrator.
    - If known behavior is causing false positives, it can be exempted from the rule.
level: medium
medium Moderate Medium FP
Google Workspace Application Access Level Modified
Detects when an access level is changed for a Google Workspace application. An access level is part of BeyondCorp Enterprise, which is Google Workspace's way of enforcing a Zero Trust model. An adversary would be able to remove access levels to gain easier access to Google Workspace resources.
status test author Bryan Lim ATT&CK sub-technique id 22f2fb54-5312-435d-852f-7c74f81684ca
carbon_black query
eventService:admin.googleapis.com eventName:CHANGE_APPLICATION_SETTING setting_name:ContextAwareAccess*
view Sigma YAML
title: Google Workspace Application Access Level Modified
id: 22f2fb54-5312-435d-852f-7c74f81684ca
status: test
description: |
    Detects when an access level is changed for a Google Workspace application.
    An access level is part of BeyondCorp Enterprise, which is Google Workspace's way of enforcing a Zero Trust model.
    An adversary would be able to remove access levels to gain easier access to Google Workspace resources.
references:
    - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings
    - https://support.google.com/a/answer/9261439
author: Bryan Lim
date: 2024-01-12
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1098.003
logsource:
    product: gcp
    service: google_workspace.admin
detection:
    selection:
        eventService: 'admin.googleapis.com'
        eventName: 'CHANGE_APPLICATION_SETTING'
        setting_name|startswith: 'ContextAwareAccess'
    condition: selection
falsepositives:
    - Legitimate administrative activities changing the access levels for an application
level: medium
medium Strong Low FP
Google Workspace Application Removed
Detects when an application is removed from Google Workspace.
status test author Austin Songer ATT&CK tactic-only id ee2803f0-71c8-4831-b48b-a1fc57601ee4
carbon_black query
eventService:admin.googleapis.com (eventName:REMOVE_APPLICATION OR eventName:REMOVE_APPLICATION_FROM_WHITELIST)
view Sigma YAML
title: Google Workspace Application Removed
id: ee2803f0-71c8-4831-b48b-a1fc57601ee4
status: test
description: Detects when an application is removed from Google Workspace.
references:
    - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
    - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION
    - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST
author: Austin Songer
date: 2021-08-26
modified: 2023-10-11
tags:
    - attack.impact
logsource:
    product: gcp
    service: google_workspace.admin
detection:
    selection:
        eventService: admin.googleapis.com
        eventName:
            - REMOVE_APPLICATION
            - REMOVE_APPLICATION_FROM_WHITELIST
    condition: selection
falsepositives:
    - Application being removed may be performed by a System Administrator.
level: medium
medium Moderate Low FP
Google Workspace Government Attack Warning
Detects a login attempt in Google Workspace flagged as a potential attack by a government-backed threat actor
status experimental author Tom Kluter ATT&CK technique id eafe6f2b-cfec-4612-aec2-49563c33a087
carbon_black query
"protoPayload.serviceName":login.googleapis.com "protoPayload.metadata.event.eventName":gov_attack_warning
view Sigma YAML
title: Google Workspace Government Attack Warning
id: eafe6f2b-cfec-4612-aec2-49563c33a087
status: experimental
description: Detects a login attempt in Google Workspace flagged as a potential attack by a government-backed threat actor
references:
    - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging
    - https://cloud.google.com/logging/docs/audit/understanding-audit-logs
    - https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#gov_attack_warning
author: Tom Kluter
date: 2026-04-28
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.impact
    - attack.stealth
    - attack.t1078
logsource:
    product: gcp
    service: google_workspace.login
detection:
    selection:
        protoPayload.serviceName: 'login.googleapis.com'
        protoPayload.metadata.event.eventName: 'gov_attack_warning'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium Moderate Low FP
Google Workspace Granted Domain API Access
Detects when an API access service account is granted domain authority.
status test author Austin Songer ATT&CK technique id 04e2a23a-9b29-4a5c-be3a-3542e3f982ba
carbon_black query
eventService:admin.googleapis.com eventName:AUTHORIZE_API_CLIENT_ACCESS
view Sigma YAML
title: Google Workspace Granted Domain API Access
id: 04e2a23a-9b29-4a5c-be3a-3542e3f982ba
status: test
description: Detects when an API access service account is granted domain authority.
references:
    - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
    - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS
author: Austin Songer
date: 2021-08-23
modified: 2023-10-11
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1098
logsource:
    product: gcp
    service: google_workspace.admin
detection:
    selection:
        eventService: admin.googleapis.com
        eventName: AUTHORIZE_API_CLIENT_ACCESS
    condition: selection
falsepositives:
    - Unknown
level: medium
medium Strong Low FP
Google Workspace MFA Disabled
Detects when multi-factor authentication (MFA) is disabled.
status test author Austin Songer ATT&CK tactic-only id 780601d1-6376-4f2a-884e-b8d45599f78c
carbon_black query
(eventService:admin.googleapis.com (eventName:ENFORCE_STRONG_AUTHENTICATION OR eventName:ALLOW_STRONG_AUTHENTICATION)) new_value:false
view Sigma YAML
title: Google Workspace MFA Disabled
id: 780601d1-6376-4f2a-884e-b8d45599f78c
status: test
description: Detects when multi-factor authentication (MFA) is disabled.
references:
    - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
    - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION
    - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION
author: Austin Songer
date: 2021-08-26
modified: 2023-10-11
tags:
    - attack.impact
logsource:
    product: gcp
    service: google_workspace.admin
detection:
    selection_base:
        eventService: admin.googleapis.com
        eventName:
            - ENFORCE_STRONG_AUTHENTICATION
            - ALLOW_STRONG_AUTHENTICATION
    selection_eventValue:
        new_value: 'false'
    condition: all of selection*
falsepositives:
    - MFA may be disabled by a system administrator.
level: medium
medium Moderate Low FP
Google Workspace Out Of Domain Email Forwarding
Detects automatic email forwarding to external domains in Google Workspace, which may indicate data leakage or misuse.
status experimental author Tom Kluter ATT&CK sub-technique id 2a0bb2dd-eb5f-4517-8cb9-404f8ba764a5
carbon_black query
"protoPayload.serviceName":login.googleapis.com "protoPayload.metadata.event.eventName":email_forwarding_out_of_domain
view Sigma YAML
title: Google Workspace Out Of Domain Email Forwarding
id: 2a0bb2dd-eb5f-4517-8cb9-404f8ba764a5
status: experimental
description: Detects automatic email forwarding to external domains in Google Workspace, which may indicate data leakage or misuse.
references:
    - https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#email_forwarding_out_of_domain
author: Tom Kluter
date: 2026-04-28
tags:
    - attack.t1114.003
    - attack.collection
logsource:
    product: gcp
    service: google_workspace.login
detection:
    selection:
        protoPayload.serviceName: 'login.googleapis.com'
        protoPayload.metadata.event.eventName: 'email_forwarding_out_of_domain'
    condition: selection
falsepositives:
    - Legitimate forwarding
level: medium
medium Moderate Low FP
Google Workspace Role Modified or Deleted
Detects when a role is modified or deleted in Google Workspace.
status test author Austin Songer ATT&CK tactic-only id 6aef64e3-60c6-4782-8db3-8448759c714e
carbon_black query
eventService:admin.googleapis.com (eventName:DELETE_ROLE OR eventName:RENAME_ROLE OR eventName:UPDATE_ROLE)
view Sigma YAML
title: Google Workspace Role Modified or Deleted
id: 6aef64e3-60c6-4782-8db3-8448759c714e
status: test
description: Detects when a role is modified or deleted in Google Workspace.
references:
    - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
    - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings
author: Austin Songer
date: 2021-08-24
modified: 2023-10-11
tags:
    - attack.impact
logsource:
    product: gcp
    service: google_workspace.admin
detection:
    selection:
        eventService: admin.googleapis.com
        eventName:
            - DELETE_ROLE
            - RENAME_ROLE
            - UPDATE_ROLE
    condition: selection
falsepositives:
    - Unknown
level: medium
medium Moderate Low FP
Google Workspace Role Privilege Deleted
Detects when a role privilege is deleted in Google Workspace.
status test author Austin Songer ATT&CK tactic-only id bf638ef7-4d2d-44bb-a1dc-a238252e6267
carbon_black query
eventService:admin.googleapis.com eventName:REMOVE_PRIVILEGE
view Sigma YAML
title: Google Workspace Role Privilege Deleted
id: bf638ef7-4d2d-44bb-a1dc-a238252e6267
status: test
description: Detects when a role privilege is deleted in Google Workspace.
references:
    - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
    - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings
author: Austin Songer
date: 2021-08-24
modified: 2023-10-11
tags:
    - attack.impact
logsource:
    product: gcp
    service: google_workspace.admin
detection:
    selection:
        eventService: admin.googleapis.com
        eventName: REMOVE_PRIVILEGE
    condition: selection
falsepositives:
    - Unknown
level: medium
medium Moderate Low FP
Google Workspace User Granted Admin Privileges
Detects when a Google Workspace user is granted admin privileges.
status test author Austin Songer ATT&CK technique id 2d1b83e4-17c6-4896-a37b-29140b40a788
carbon_black query
eventService:admin.googleapis.com (eventName:GRANT_DELEGATED_ADMIN_PRIVILEGES OR eventName:GRANT_ADMIN_PRIVILEGE)
view Sigma YAML
title: Google Workspace User Granted Admin Privileges
id: 2d1b83e4-17c6-4896-a37b-29140b40a788
status: test
description: Detects when a Google Workspace user is granted admin privileges.
references:
    - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
    - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE
author: Austin Songer
date: 2021-08-23
modified: 2023-10-11
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1098
logsource:
    product: gcp
    service: google_workspace.admin
detection:
    selection:
        eventService: admin.googleapis.com
        eventName:
            - GRANT_DELEGATED_ADMIN_PRIVILEGES
            - GRANT_ADMIN_PRIVILEGE
    condition: selection
falsepositives:
    - Google Workspace admin role privileges may be modified by system administrators.
level: medium
medium Strong Medium FP
Gpresult Display Group Policy Information
Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information
status test author frack113 ATT&CK technique id e56d3073-83ff-4021-90fe-c658e0709e72
carbon_black query
Image:\\gpresult.exe (CommandLine:\/z* OR CommandLine:\/v*)
view Sigma YAML
title: Gpresult Display Group Policy Information
id: e56d3073-83ff-4021-90fe-c658e0709e72
status: test
description: Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult
    - https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/
    - https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
author: frack113
date: 2022-05-01
tags:
    - attack.discovery
    - attack.t1615
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith: '\gpresult.exe'
        CommandLine|contains:
            - '/z'
            - '/v'
    condition: selection
falsepositives:
    - Unknown
level: medium
simulation:
    - type: atomic-red-team
      name: Display group policy information via gpresult
      technique: T1615
      atomic_guid: 0976990f-53b1-4d3f-a185-6df5be429d3b
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_gpresult_execution/info.yml
medium Strong Medium FP
Gpscript Execution
Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts configured in Group Policy
status test author frack113 ATT&CK technique id 1e59c230-6670-45bf-83b0-98903780607e
carbon_black query
((Image:\\gpscript.exe OR OriginalFileName:GPSCRIPT.EXE) (CommandLine:\ \/logon* OR CommandLine:\ \/startup*)) (-ParentCommandLine:C\:\\windows\\system32\\svchost.exe\ \-k\ netsvcs\ \-p\ \-s\ gpsvc)
view Sigma YAML
title: Gpscript Execution
id: 1e59c230-6670-45bf-83b0-98903780607e
status: test
description: Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts configured in Group Policy
references:
    - https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/
    - https://lolbas-project.github.io/lolbas/Binaries/Gpscript/
author: frack113
date: 2022-05-16
modified: 2023-06-14
tags:
    - attack.stealth
    - attack.t1218
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\gpscript.exe'
        - OriginalFileName: 'GPSCRIPT.EXE'
    selection_cli:
        CommandLine|contains:
            - ' /logon'
            - ' /startup'
    filter_main_svchost:
        ParentCommandLine: 'C:\windows\system32\svchost.exe -k netsvcs -p -s gpsvc'
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Legitimate uses of logon scripts distributed via group policy
level: medium
medium Moderate Medium FP
Granting Of Permissions To An Account
Identifies IPs from which users grant access to other users on Azure resources and alerts when a previously unseen source IP address is used.
status test author sawwinnnaung ATT&CK sub-technique id a622fcd2-4b5a-436a-b8a2-a4171161833c
carbon_black query
"Microsoft.Authorization\/roleAssignments\/write"
view Sigma YAML
title: Granting Of Permissions To An Account
id: a622fcd2-4b5a-436a-b8a2-a4171161833c
status: test
description: Identifies IPs from which users grant access to other users on Azure resources and alerts when a previously unseen source IP address is used.
references:
    - https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/Granting_Permissions_To_Account_detection.yaml
author: sawwinnnaung
date: 2020-05-07
modified: 2023-10-11
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1098.003
logsource:
    product: azure
    service: activitylogs
detection:
    keywords:
        - Microsoft.Authorization/roleAssignments/write
    condition: keywords
falsepositives:
    - Valid change
level: medium
medium Moderate Medium FP
Greedy File Deletion Using Del
Detects execution of the "del" builtin command to remove files using a greedy/wildcard expression. This is often used by malware to delete the content of folders that perhaps contain the initial malware infection, or to delete evidence.
status test author frack113, X__Junior (Nextron Systems) ATT&CK sub-technique id 204b17ae-4007-471b-917b-b917b315c5db
carbon_black query
(Image:\\cmd.exe OR OriginalFileName:Cmd.Exe) (CommandLine:del\ * OR CommandLine:erase\ *) (CommandLine:\\\*.au3* OR CommandLine:\\\*.dll* OR CommandLine:\\\*.exe* OR CommandLine:\\\*.js*)
view Sigma YAML
title: Greedy File Deletion Using Del
id: 204b17ae-4007-471b-917b-b917b315c5db
status: test
description: Detects execution of the "del" builtin command to remove files using a greedy/wildcard expression. This is often used by malware to delete the content of folders that perhaps contain the initial malware infection, or to delete evidence.
references:
    - https://www.joesandbox.com/analysis/509330/0/html#1044F3BDBE3BB6F734E357235F4D5898582D
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase
author: frack113, X__Junior (Nextron Systems)
date: 2021-12-02
modified: 2023-09-11
tags:
    - attack.stealth
    - attack.t1070.004
logsource:
    category: process_creation
    product: windows
detection:
    # Example:
    #   del C:\ProgramData\*.dll & exit
    selection_img:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_del:
        CommandLine|contains:
            - 'del '
            - 'erase '
    selection_extensions:
        CommandLine|contains:
            - '\\\*.au3'
            - '\\\*.dll'
            - '\\\*.exe'
            - '\\\*.js'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium Moderate High FP
Group Has Been Deleted Via Groupdel
Detects execution of the "groupdel" binary, which is used to delete a group. This is sometimes abused by threat actors in order to cover their tracks.
status test author Tuan Le (NCSGroup) ATT&CK technique id 8a46f16c-8c4c-82d1-b121-0fdd3ba70a84
carbon_black query
Image:\/groupdel
view Sigma YAML
title: Group Has Been Deleted Via Groupdel
id: 8a46f16c-8c4c-82d1-b121-0fdd3ba70a84
status: test
description: Detects execution of the "groupdel" binary, which is used to delete a group. This is sometimes abused by threat actors in order to cover their tracks.
references:
    - https://linuxize.com/post/how-to-delete-group-in-linux/
    - https://www.cyberciti.biz/faq/linux-remove-user-command/
    - https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/
    - https://linux.die.net/man/8/groupdel
author: Tuan Le (NCSGroup)
date: 2022-12-26
tags:
    - attack.impact
    - attack.t1531
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/groupdel'
    condition: selection
falsepositives:
    - Legitimate administrator activities
level: medium
medium Moderate High FP
Group Membership Reconnaissance Via Whoami.EXE
Detects the execution of whoami.exe with the /groups command line flag to show group membership for the current user, account type, security identifiers (SID), and attributes.
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK technique id bd8b828d-0dca-48e1-8a63-8a58ecf2644f
carbon_black query
(Image:\\whoami.exe OR OriginalFileName:whoami.exe) (CommandLine:\ \/groups* OR CommandLine:\ \-groups*)
view Sigma YAML
title: Group Membership Reconnaissance Via Whoami.EXE
id: bd8b828d-0dca-48e1-8a63-8a58ecf2644f
status: test
description: Detects the execution of whoami.exe with the /groups command line flag to show group membership for the current user, account type, security identifiers (SID), and attributes.
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/whoami
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-28
tags:
    - attack.discovery
    - attack.t1033
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\whoami.exe'
        - OriginalFileName: 'whoami.exe'
    selection_cli:
        CommandLine|contains:
            - ' /groups'
            - ' -groups'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium Moderate Medium FP
Group Policy Abuse for Privilege Addition
Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.
status test author Elastic, Josh Nickels, Marius Rothenbücher ATT&CK sub-technique id 1c480e10-7ee1-46d4-8ed2-85f9789e3ce4
carbon_black query
EventID:5136 AttributeLDAPDisplayName:gPCMachineExtensionNames (AttributeValue:827D319E\-6EAC\-11D2\-A4EA\-00C04F79F83A* OR AttributeValue:803E14A0\-B4FB\-11D0\-A0D0\-00A0C90F574B*)
view Sigma YAML
title: Group Policy Abuse for Privilege Addition
id: 1c480e10-7ee1-46d4-8ed2-85f9789e3ce4
status: test
description: |
    Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.
author: Elastic, Josh Nickels, Marius Rothenbücher
references:
    - https://www.elastic.co/guide/en/security/current/group-policy-abuse-for-privilege-addition.html#_setup_275
date: 2024-09-04
tags:
    - attack.privilege-escalation
    - attack.defense-impairment
    - attack.t1484.001
logsource:
    product: windows
    service: security
    definition: 'Requirements: The "Audit Directory Service Changes" logging policy must be configured in order to receive events.'
detection:
    selection:
        EventID: 5136
        AttributeLDAPDisplayName: 'gPCMachineExtensionNames'
        AttributeValue|contains:
            - '827D319E-6EAC-11D2-A4EA-00C04F79F83A'
            - '803E14A0-B4FB-11D0-A0D0-00A0C90F574B'
    condition: selection
falsepositives:
    - Users allowed to perform these modifications (user found in field SubjectUserName)
level: medium
medium Moderate Low FP
Guest User Invited By Non Approved Inviters
Detects when a user that doesn't have permissions to invite a guest user attempts to invite one.
status test author Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' ATT&CK sub-technique id 0b4b72e3-4c53-4d5b-b198-2c58cfef39a9
carbon_black query
"properties.message":Invite\ external\ user Status:failure
view Sigma YAML
title: Guest User Invited By Non Approved Inviters
id: 0b4b72e3-4c53-4d5b-b198-2c58cfef39a9
status: test
description: Detects when a user that doesn't have permissions to invite a guest user attempts to invite one.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#things-to-monitor
author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
date: 2022-08-10
tags:
    - attack.privilege-escalation
    - attack.initial-access
    - attack.persistence
    - attack.stealth
    - attack.t1078.004
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        properties.message: Invite external user
        Status: failure
    condition: selection
falsepositives:
    - A non malicious user is unaware of the proper process
level: medium
medium Strong Low FP
Guest Users Invited To Tenant By Non Approved Inviters
Detects guest users being invited to the tenant by non-approved inviters
status test author MikeDuddington, '@dudders1' ATT&CK technique id 4ad97bf5-a514-41a4-abd3-4f3455ad4865
carbon_black query
(Category:UserManagement OperationName:Invite\ external\ user) (-InitiatedBy:<approved\ guest\ inviter\ use\ OR\ for\ multiple>*)
view Sigma YAML
title: Guest Users Invited To Tenant By Non Approved Inviters
id: 4ad97bf5-a514-41a4-abd3-4f3455ad4865
status: test
description: Detects guest users being invited to the tenant by non-approved inviters
references:
    - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts#monitoring-external-user-sign-ins
author: MikeDuddington, '@dudders1'
date: 2022-07-28
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.stealth
    - attack.t1078
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        Category: 'UserManagement'
        OperationName: 'Invite external user'
    filter:
        InitiatedBy|contains: '<approved guest inviter use OR for multiple>'
    condition: selection and not filter
falsepositives:
    - If this was approved by System Administrator.
level: medium
medium Moderate High FP
Gzip Archive Decode Via PowerShell
Detects attempts to decode Gzip-compressed data via PowerShell's GZipStream class in Decompress mode.
status test author Hieu Tran ATT&CK sub-technique id 98767d61-b2e8-4d71-b661-e36783ee24c1
carbon_black query
CommandLine:GZipStream* CommandLine:\:\:Decompress*
view Sigma YAML
title: Gzip Archive Decode Via PowerShell
id: 98767d61-b2e8-4d71-b661-e36783ee24c1
status: test
description: Detects attempts to decode Gzip-compressed data via PowerShell's GZipStream class in Decompress mode.
references:
    - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
author: Hieu Tran
date: 2023-03-13
tags:
    - attack.command-and-control
    - attack.t1132.001
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains|all:
            - 'GZipStream'
            - '::Decompress'
    condition: selection
falsepositives:
    - Legitimate administrative scripts may use this functionality. Use "ParentImage" in combination with the script names and allowed users and applications to filter legitimate executions
level: medium
medium Moderate Medium FP
HH.EXE Initiated HTTP Network Connection
Detects a network connection initiated by the "hh.exe" process to HTTP destination ports, which could indicate the execution/download of remotely hosted .chm files.
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK sub-technique id 468a8cea-2920-4909-a593-0cbe1d96674a
carbon_black query
Image:\\hh.exe Initiated:true (DestinationPort:80 OR DestinationPort:443)
view Sigma YAML
title: HH.EXE Initiated HTTP Network Connection
id: 468a8cea-2920-4909-a593-0cbe1d96674a
related:
    - id: f57c58b3-ee69-4ef5-9041-455bf39aaa89
      type: derived
status: test
description: |
    Detects a network connection initiated by the "hh.exe" process to HTTP destination ports, which could indicate the execution/download of remotely hosted .chm files.
references:
    - https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html
    - https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-05
tags:
    - attack.stealth
    - attack.t1218.001
    - detection.threat-hunting
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith: '\hh.exe'
        Initiated: 'true'
        DestinationPort:
            - 80
            - 443
    condition: selection
falsepositives:
    - False positive is expected from launching "hh.exe" for the first time on a machine in a while or simply from help files containing reference to external sources. Best correlate this with process creation and file events.
level: medium
medium Moderate Medium FP
HTTP Request With Empty User Agent
Detects a potentially suspicious empty User-Agent string in proxy logs. Could indicate an uncommon client or request method, such as PowerShell's Net.WebClient, which sends no User-Agent by default.
status test author Florian Roth (Nextron Systems) ATT&CK sub-technique id 21e44d78-95e7-421b-a464-ffd8395659c4
carbon_black query
"c-useragent":
view Sigma YAML
title: HTTP Request With Empty User Agent
id: 21e44d78-95e7-421b-a464-ffd8395659c4
status: test
description: |
    Detects a potentially suspicious empty User-Agent string in proxy logs.
    Could indicate an uncommon client or request method, such as PowerShell's Net.WebClient, which sends no User-Agent by default.
references:
    - https://twitter.com/Carlos_Perez/status/883455096645931008
author: Florian Roth (Nextron Systems)
date: 2017-07-08
modified: 2021-11-27
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
      # Empty string - as used by Powershell's (New-Object Net.WebClient).DownloadString
        c-useragent: ''
    condition: selection
falsepositives:
    - Unknown
level: medium
medium Moderate Medium FP
HTTP Request to Low Reputation TLD or Suspicious File Extension
Detects HTTP requests to low reputation TLDs (e.g. .xyz, .top, .ru) or ending in suspicious file extensions (.exe, .dll, .hta), which may indicate malicious activity.
status experimental author @signalblur, Corelight ATT&CK tactic-only id 68c2c604-92ad-468b-bf4a-aac49adad08c
carbon_black query
(host:.bid OR host:.by OR host:.cf OR host:.click OR host:.cm OR host:.ga OR host:.gq OR host:.ir OR host:.kp OR host:.loan OR host:.ml OR host:.mm OR host:.party OR host:.pw OR host:.ru OR host:.su OR host:.sy OR host:.tk OR host:.top OR host:.tv OR host:.ve OR host:.work OR host:.xyz) ((uri:.bat OR uri:.bin OR uri:.cmd OR uri:.cpl OR uri:.dll OR uri:.dylib OR uri:.elf OR uri:.exe OR uri:.hta OR uri:.iso OR uri:.jar OR uri:.js OR uri:.lnk OR uri:.msi OR uri:.pif OR uri:.ps1 OR uri:.py OR uri:.reg OR uri:.scr OR uri:.sh OR uri:.so OR uri:.vbs OR uri:.wsf) OR (resp_mime_types:application\/vnd.microsoft.portable\-executable OR resp_mime_types:application\/x\-bat OR resp_mime_types:application\/x\-dosexec OR resp_mime_types:application\/x\-elf OR resp_mime_types:application\/x\-iso9660\-image OR resp_mime_types:application\/x\-java\-archive OR resp_mime_types:application\/x\-ms\-shortcut OR resp_mime_types:application\/x\-msdos\-program OR resp_mime_types:application\/x\-msdownload OR resp_mime_types:application\/x\-python\-code OR resp_mime_types:application\/x\-sh))
view Sigma YAML
title: HTTP Request to Low Reputation TLD or Suspicious File Extension
id: 68c2c604-92ad-468b-bf4a-aac49adad08c
status: experimental
description: |
    Detects HTTP requests to low reputation TLDs (e.g. .xyz, .top, .ru) or ending in suspicious file extensions (.exe, .dll, .hta), which may indicate malicious activity.
references:
    - https://www.howtogeek.com/137270/50-file-extensions-that-are-potentially-dangerous-on-windows
    - https://www.spamhaus.org/reputation-statistics/cctlds/domains/
author: '@signalblur, Corelight'
date: 2025-02-26
tags:
    - attack.initial-access
    - attack.command-and-control
logsource:
    product: zeek
    service: http
detection:
    # Suspicious TLD in the 'host' field OR malicious file extension in the 'uri' field.
    selection_suspicious_tld:
        host|endswith:
            - '.bid'
            - '.by'
            - '.cf'
            - '.click'
            - '.cm'
            - '.ga'
            - '.gq'
            - '.ir'
            - '.kp'
            - '.loan'
            - '.ml'
            - '.mm'
            - '.party'
            - '.pw'
            - '.ru'
            - '.su'
            - '.sy'
            - '.tk'
            - '.top'
            - '.tv'
            - '.ve'
            - '.work'
            - '.xyz'
    selection_malicious_ext:
        uri|endswith:
            - '.bat'
            - '.bin'
            - '.cmd'
            - '.cpl'
            - '.dll'
            - '.dylib'
            - '.elf'
            - '.exe'
            - '.hta'
            - '.iso'
            - '.jar'
            - '.js'
            - '.lnk'
            - '.msi'
            - '.pif'
            - '.ps1'
            - '.py'
            - '.reg'
            - '.scr'
            - '.sh'
            - '.so'
            - '.vbs'
            - '.wsf'
    selection_malicious_mime:
        resp_mime_types:
            - 'application/vnd.microsoft.portable-executable'
            - 'application/x-bat'
            - 'application/x-dosexec'
            - 'application/x-elf'
            - 'application/x-iso9660-image'
            - 'application/x-java-archive'
            - 'application/x-ms-shortcut'
            - 'application/x-msdos-program'
            - 'application/x-msdownload'
            - 'application/x-python-code'
            - 'application/x-sh'
    condition: selection_suspicious_tld and 1 of selection_malicious_*
falsepositives:
    - Rare legitimate software downloads from low quality TLDs
level: medium
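The condition above, `selection_suspicious_tld and 1 of selection_malicious_*`, is worth running over real records before deploying, because the two `malicious_*` branches cover different cases: `uri|endswith` misses a download whose URI carries a query string (`/dl.php?id=7`), and the `resp_mime_types` branch is what still catches it. The following is an added example, not Sigma or Corelight code: it evaluates the rule's logic over constructed Zeek http.log JSON lines. It goes one step beyond the page's rule by stripping a numeric `:port` from the `host` value (Zeek logs the Host header as sent, so `cdn.example.xyz:8080` would otherwise defeat the `endswith('.xyz')` test) and by reading the Sigma equality on the `resp_mime_types` vector as "any element equals"; both are assumptions made here.

```python
"""Evaluate the 'HTTP Request to Low Reputation TLD or Suspicious File Extension' logic over
Zeek http.log JSON records. Added example (not Sigma or Corelight code); the log lines are
constructed. The Zeek 'host' field is the Host header as sent, so a :port suffix is stripped
here before the endswith test, which the page's rule itself does not do."""
import json

SUSPICIOUS_TLDS = (".bid", ".by", ".cf", ".click", ".cm", ".ga", ".gq", ".ir", ".kp", ".loan",
                   ".ml", ".mm", ".party", ".pw", ".ru", ".su", ".sy", ".tk", ".top", ".tv",
                   ".ve", ".work", ".xyz")
SUSPICIOUS_EXTS = (".bat", ".bin", ".cmd", ".cpl", ".dll", ".dylib", ".elf", ".exe", ".hta",
                   ".iso", ".jar", ".js", ".lnk", ".msi", ".pif", ".ps1", ".py", ".reg", ".scr",
                   ".sh", ".so", ".vbs", ".wsf")
SUSPICIOUS_MIMES = {
    "application/vnd.microsoft.portable-executable", "application/x-bat",
    "application/x-dosexec", "application/x-elf", "application/x-iso9660-image",
    "application/x-java-archive", "application/x-ms-shortcut", "application/x-msdos-program",
    "application/x-msdownload", "application/x-python-code", "application/x-sh",
}


def normalise_host(host):
    """Lower-case, drop a trailing dot and a numeric :port (e.g. 'cdn.example.xyz:8080')."""
    host = (host or "").lower().rstrip(".")
    name, sep, port = host.rpartition(":")
    return name if sep and port.isdigit() else host


def classify(record):
    """Which of the rule's three selections fire for one http.log record (a dict)."""
    uri = (record.get("uri") or "").lower()
    # resp_mime_types is a vector in Zeek; Sigma equality is read here as 'any element equals'.
    mimes = {m.lower() for m in record.get("resp_mime_types") or []}
    return {
        "selection_suspicious_tld": normalise_host(record.get("host")).endswith(SUSPICIOUS_TLDS),
        "selection_malicious_ext": uri.endswith(SUSPICIOUS_EXTS),
        "selection_malicious_mime": bool(mimes & SUSPICIOUS_MIMES),
    }


def matches(record):
    """condition: selection_suspicious_tld and 1 of selection_malicious_*"""
    s = classify(record)
    return s["selection_suspicious_tld"] and (s["selection_malicious_ext"] or s["selection_malicious_mime"])


# Constructed http.log lines in Zeek's JSON format; not captured traffic.
SAMPLE_LOG = [
    '{"host":"cdn.example.xyz","uri":"/update.exe","resp_mime_types":["application/x-dosexec"]}',
    '{"host":"files.example.top:8080","uri":"/dl.php?id=7","resp_mime_types":["application/x-dosexec"]}',
    '{"host":"www.example.com","uri":"/setup.exe","resp_mime_types":["application/x-msdownload"]}',
    '{"host":"news.example.ru","uri":"/index.html","resp_mime_types":["text/html"]}',
    '{"host":"example.tv","uri":"/a/b/script.ps1"}',
]


def run(lines=SAMPLE_LOG):
    """Return {host+uri: matched} for each JSON log line."""
    results = {}
    for line in lines:
        rec = json.loads(line)
        results[rec["host"] + rec["uri"]] = matches(rec)
    return results


if __name__ == "__main__":
    for key, hit in run().items():
        print(f"{'ALERT' if hit else 'ok   '} {key}")
```

The `www.example.com/setup.exe` line shows the rule's deliberate scope: an executable download from a mainstream TLD never fires, whatever the extension or MIME type, so this rule complements rather than replaces a plain "executable download" detection.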
medium Moderate Medium FP
HackTool - Impersonate Execution
Detects execution of the Impersonate tool, which can be used to manipulate tokens on Windows computers remotely (PsExec/WmiExec) or interactively.
status test author Sai Prashanth Pulisetti @pulisettis ATT&CK sub-technique id cf0c254b-22f1-4b2b-8221-e137b3c0af94
carbon_black query
(CommandLine:impersonate.exe* (CommandLine:\ list\ * OR CommandLine:\ exec\ * OR CommandLine:\ adduser\ *)) OR (Hashes:MD5=9520714AB576B0ED01D1513691377D01* OR Hashes:SHA256=E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A* OR Hashes:IMPHASH=0A358FFC1697B7A07D0E817AC740DF62*)
view Sigma YAML
title: HackTool - Impersonate Execution
id: cf0c254b-22f1-4b2b-8221-e137b3c0af94
status: test
description: Detects execution of the Impersonate tool, which can be used to manipulate tokens on Windows computers remotely (PsExec/WmiExec) or interactively.
references:
    - https://sensepost.com/blog/2022/abusing-windows-tokens-to-compromise-active-directory-without-touching-lsass/
    - https://github.com/sensepost/impersonate
author: Sai Prashanth Pulisetti @pulisettis
date: 2022-12-21
modified: 2024-11-23
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1134.001
    - attack.t1134.003
logsource:
    product: windows
    category: process_creation
detection:
    selection_commandline_exe:
        CommandLine|contains: 'impersonate.exe'
    selection_commandline_opt:
        CommandLine|contains:
            - ' list '
            - ' exec '
            - ' adduser '
    selection_hash:
        Hashes|contains:
            - 'MD5=9520714AB576B0ED01D1513691377D01'
            - 'SHA256=E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A'
            - 'IMPHASH=0A358FFC1697B7A07D0E817AC740DF62'
    condition: all of selection_commandline_* or selection_hash
falsepositives:
    - Unknown
level: medium
medium Strong Medium FP
HackTool - Jlaive In-Memory Assembly Execution
Detects the use of Jlaive to execute .NET assemblies in memory via a copied PowerShell binary (powershell.exe or pwsh.exe copied to a "<name>.bat.exe" file)
status test author Jose Luis Sanchez Martinez (@Joseliyo_Jstnk) ATT&CK sub-technique id 0a99eb3e-1617-41bd-b095-13dc767f3def
carbon_black query
(ParentImage:\\cmd.exe ParentCommandLine:.bat) ((Image:\\xcopy.exe (CommandLine:powershell.exe* CommandLine:.bat.exe*)) OR (Image:\\xcopy.exe (CommandLine:pwsh.exe* CommandLine:.bat.exe*)) OR (Image:\\attrib.exe (CommandLine:\+s* CommandLine:\+h* CommandLine:.bat.exe*)))
view Sigma YAML
title: HackTool - Jlaive In-Memory Assembly Execution
id: 0a99eb3e-1617-41bd-b095-13dc767f3def
status: test
description: Detects the use of Jlaive to execute .NET assemblies in memory via a copied PowerShell binary (powershell.exe or pwsh.exe copied to a "<name>.bat.exe" file)
references:
    - https://jstnk9.github.io/jstnk9/research/Jlaive-Antivirus-Evasion-Tool
    - https://web.archive.org/web/20220514073704/https://github.com/ch2sh/Jlaive
author: Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)
date: 2022-05-24
modified: 2023-02-22
tags:
    - attack.execution
    - attack.t1059.003
logsource:
    product: windows
    category: process_creation
detection:
    parent_selection:
        ParentImage|endswith: '\cmd.exe'
        ParentCommandLine|endswith: '.bat'
    selection1:
        Image|endswith: '\xcopy.exe'
        CommandLine|contains|all:
            - 'powershell.exe'
            - '.bat.exe'
    selection2:
        Image|endswith: '\xcopy.exe'
        CommandLine|contains|all:
            - 'pwsh.exe'
            - '.bat.exe'
    selection3:
        Image|endswith: '\attrib.exe'
        CommandLine|contains|all:
            - '+s'
            - '+h'
            - '.bat.exe'
    condition: parent_selection and (1 of selection*)
falsepositives:
    - Unknown
level: medium
medium Strong Medium FP
HackTool - LaZagne Execution
Detects the execution of LaZagne, a utility used to retrieve multiple types of passwords stored on a local computer. LaZagne has been leveraged multiple times by threat actors in order to dump credentials.
status experimental author Nasreddine Bencherchali, Swachchhanda Shrawan Poudel (Nextron Systems) ATT&CK tactic-only id c2b86e67-b880-4eec-b045-50bc98ef4844
carbon_black query
(Image:\\lazagne.exe OR ((Image:\:\\PerfLogs\\* OR Image:\:\\ProgramData\\* OR Image:\:\\Temp\\* OR Image:\:\\Tmp\\* OR Image:\:\\Users\\Public\\* OR Image:\:\\Windows\\Temp\\* OR Image:\\$Recycle.bin* OR Image:\\AppData\\* OR Image:\\Desktop\\* OR Image:\\Downloads\\* OR Image:\\Favorites\\* OR Image:\\Links\\* OR Image:\\Music\\* OR Image:\\Photos\\* OR Image:\\Pictures\\* OR Image:\\Saved\ Games\\* OR Image:\\Searches\\* OR Image:\\Users\\Contacts\\* OR Image:\\Users\\Default\\* OR Image:\\Users\\Searches\\* OR Image:\\Videos\\* OR Image:\\Windows\\addins\\* OR Image:\\Windows\\Fonts\\* OR Image:\\Windows\\IME\\*) (CommandLine:.exe\ all OR CommandLine:.exe\ browsers OR CommandLine:.exe\ chats OR CommandLine:.exe\ databases OR CommandLine:.exe\ games OR CommandLine:.exe\ git OR CommandLine:.exe\ mails OR CommandLine:.exe\ maven OR CommandLine:.exe\ memory OR CommandLine:.exe\ multimedia OR CommandLine:.exe\ sysadmin OR CommandLine:.exe\ unused OR CommandLine:.exe\ wifi OR CommandLine:.exe\ windows))) OR ((CommandLine:\ all\ * OR CommandLine:\ browsers\ * OR CommandLine:\ chats\ * OR CommandLine:\ databases\ * OR CommandLine:\ games\ * OR CommandLine:\ mails\ * OR CommandLine:\ maven\ * OR CommandLine:\ memory\ * OR CommandLine:\ multimedia\ * OR CommandLine:\ php\ * OR CommandLine:\ svn\ * OR CommandLine:\ sysadmin\ * OR CommandLine:\ unused\ * OR CommandLine:\ wifi\ *) (CommandLine:\-1Password* OR CommandLine:\-apachedirectorystudio* OR CommandLine:\-autologon* OR CommandLine:\-ChromiumBased* OR CommandLine:\-coreftp* OR CommandLine:\-credfiles* OR CommandLine:\-credman* OR CommandLine:\-cyberduck* OR CommandLine:\-dbvis* OR CommandLine:\-EyeCon* OR CommandLine:\-filezilla* OR CommandLine:\-filezillaserver* OR CommandLine:\-ftpnavigator* OR CommandLine:\-galconfusion* OR CommandLine:\-gitforwindows* OR CommandLine:\-hashdump* OR CommandLine:\-iisapppool* OR CommandLine:\-IISCentralCertP* OR CommandLine:\-kalypsomedia* OR CommandLine:\-keepass* OR CommandLine:\-keepassconfig* OR CommandLine:\-lsa_secrets* OR CommandLine:\-mavenrepositories* OR CommandLine:\-memory_dump* OR CommandLine:\-Mozilla* OR CommandLine:\-mRemoteNG* OR CommandLine:\-mscache* OR CommandLine:\-opensshforwindows* OR CommandLine:\-openvpn* OR CommandLine:\-outlook* OR CommandLine:\-pidgin* OR CommandLine:\-postgresql* OR CommandLine:\-psi\-im* OR CommandLine:\-puttycm* OR CommandLine:\-pypykatz* OR CommandLine:\-Rclone* OR CommandLine:\-rdpmanager* OR CommandLine:\-robomongo* OR CommandLine:\-roguestale* OR CommandLine:\-skype* OR CommandLine:\-SQLDeveloper* OR CommandLine:\-squirrel* OR CommandLine:\-tortoise* OR CommandLine:\-turba* OR CommandLine:\-UCBrowser* OR CommandLine:\-unattended* OR CommandLine:\-vault* OR CommandLine:\-vaultfiles* OR CommandLine:\-vnc* OR CommandLine:\-winscp*))
view Sigma YAML
title: HackTool - LaZagne Execution
id: c2b86e67-b880-4eec-b045-50bc98ef4844
status: experimental
description: |
    Detects the execution of LaZagne, a utility used to retrieve multiple types of passwords stored on a local computer.
    LaZagne has been leveraged multiple times by threat actors in order to dump credentials.
references:
    - https://github.com/AlessandroZ/LaZagne/tree/master
    - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
    - https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/
    - https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/
    - https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/800c0e06571993a54e39571cf27fd474dcc5c0bc/2017/2017.11.14.Muddying_the_Water/muddying-the-water-targeted-attacks.pdf
author: Nasreddine Bencherchali, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2024-06-24
modified: 2025-10-07
tags:
    - attack.credential-access
logsource:
    product: windows
    category: process_creation
detection:
    selection_img_metadata:
        Image|endswith: '\lazagne.exe'
    selection_img_cli:
        # Note: This selection can be prone to FP. An initial baseline is required
        Image|contains:
            - ':\PerfLogs\'
            - ':\ProgramData\'
            - ':\Temp\'
            - ':\Tmp\'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\$Recycle.bin'
            - '\AppData\'
            - '\Desktop\'
            - '\Downloads\'
            - '\Favorites\'
            - '\Links\'
            - '\Music\'
            - '\Photos\'
            - '\Pictures\'
            - '\Saved Games\'
            - '\Searches\'
            - '\Users\Contacts\'
            - '\Users\Default\'
            - '\Users\Searches\'
            - '\Videos\'
            - '\Windows\addins\'
            - '\Windows\Fonts\'
            - '\Windows\IME\'
        CommandLine|endswith:
            - '.exe all'
            - '.exe browsers'
            - '.exe chats'
            - '.exe databases'
            - '.exe games'
            - '.exe git'
            - '.exe mails'
            - '.exe maven'
            - '.exe memory'
            - '.exe multimedia'
            # - '.exe php' # Might be prone to FP
            # - '.exe svn' # Might be prone to FP
            - '.exe sysadmin'
            - '.exe unused'
            - '.exe wifi'
            - '.exe windows'
    selection_cli_modules:
        CommandLine|contains:
            - ' all '
            - ' browsers '
            - ' chats '
            - ' databases '
            - ' games '
            - ' mails '
            - ' maven '
            - ' memory '
            - ' multimedia '
            - ' php '
            - ' svn '
            - ' sysadmin '
            - ' unused '
            - ' wifi '
    selection_cli_options:
        CommandLine|contains:
            - '-1Password'
            - '-apachedirectorystudio'
            - '-autologon'
            - '-ChromiumBased'
            - '-coreftp'
            - '-credfiles'
            - '-credman'
            - '-cyberduck'
            - '-dbvis'
            - '-EyeCon'
            - '-filezilla'
            - '-filezillaserver'
            - '-ftpnavigator'
            - '-galconfusion'
            - '-gitforwindows'
            - '-hashdump'
            - '-iisapppool'
            - '-IISCentralCertP'
            - '-kalypsomedia'
            - '-keepass'
            - '-keepassconfig'
            - '-lsa_secrets'
            - '-mavenrepositories'
            - '-memory_dump'
            - '-Mozilla'
            - '-mRemoteNG'
            - '-mscache'
            - '-opensshforwindows'
            - '-openvpn'
            - '-outlook'
            - '-pidgin'
            - '-postgresql'
            - '-psi-im'
            - '-puttycm'
            - '-pypykatz'
            - '-Rclone'
            - '-rdpmanager'
            - '-robomongo'
            - '-roguestale'
            - '-skype'
            - '-SQLDeveloper'
            - '-squirrel'
            - '-tortoise'
            - '-turba'
            - '-UCBrowser'
            - '-unattended'
            - '-vault'
            - '-vaultfiles'
            - '-vnc'
            - '-winscp'
    condition: 1 of selection_img_* or all of selection_cli_*
falsepositives:
    - Some false positives are expected from tools with similar command line flags.
# Note: Increase the level to "high" after an initial baseline
level: medium
medium Moderate High FP
HackTool - SharpLDAPmonitor Execution
Detects execution of SharpLDAPmonitor, which can monitor the creation, deletion and modification of LDAP objects.
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK tactic-only id 9f8fc146-1d1a-4dbf-b8fd-dfae15e08541
carbon_black query
(Image:\\SharpLDAPmonitor.exe OR OriginalFileName:SharpLDAPmonitor.exe) OR (CommandLine:\/user\:* CommandLine:\/pass\:* CommandLine:\/dcip\:*)
view Sigma YAML
title: HackTool - SharpLDAPmonitor Execution
id: 9f8fc146-1d1a-4dbf-b8fd-dfae15e08541
status: test
description: Detects execution of SharpLDAPmonitor, which can monitor the creation, deletion and modification of LDAP objects.
references:
    - https://github.com/p0dalirius/LDAPmonitor
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-30
modified: 2023-02-14
tags:
    - attack.discovery
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\SharpLDAPmonitor.exe'
        - OriginalFileName: 'SharpLDAPmonitor.exe'
    selection_cli:
        CommandLine|contains|all:
            - '/user:'
            - '/pass:'
            - '/dcip:'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: medium
medium Moderate High FP
HackTool - WinRM Access Via Evil-WinRM
Detects the execution of Evil-WinRM, a Ruby-based WinRM shell, via ruby.exe with the -i (host), -u (user) and -p (password) options. Adversaries may use valid accounts to log into a remote computer over Windows Remote Management (WinRM) and then perform actions as the logged-on user.
status test author frack113 ATT&CK sub-technique id a197e378-d31b-41c0-9635-cfdf1c1bb423
carbon_black query
Image:\\ruby.exe (CommandLine:\-i\ * CommandLine:\-u\ * CommandLine:\-p\ *)
view Sigma YAML
title: HackTool - WinRM Access Via Evil-WinRM
id: a197e378-d31b-41c0-9635-cfdf1c1bb423
status: test
description: Detects the execution of Evil-WinRM, a Ruby-based WinRM shell, via ruby.exe with the -i (host), -u (user) and -p (password) options. Adversaries may use valid accounts to log into a remote computer over Windows Remote Management (WinRM) and then perform actions as the logged-on user.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-3---winrm-access-with-evil-winrm
    - https://github.com/Hackplayers/evil-winrm
author: frack113
date: 2022-01-07
modified: 2023-02-13
tags:
    - attack.lateral-movement
    - attack.t1021.006
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\ruby.exe'
        CommandLine|contains|all:
            - '-i '
            - '-u '
            - '-p '
    condition: selection
falsepositives:
    - Unknown
level: medium
medium Moderate High FP
Hardware Model Reconnaissance Via Wmic.EXE
Detects the execution of WMIC with the "csproduct" alias, which returns hardware information such as the computer model and vendor.
status test author Florian Roth (Nextron Systems) ATT&CK technique id 3e3ceccd-6c06-48b8-b5ff-ab1d25db8c1d
carbon_black query
(Image:\\wmic.exe OR OriginalFileName:wmic.exe) CommandLine:csproduct*
view Sigma YAML
title: Hardware Model Reconnaissance Via Wmic.EXE
id: 3e3ceccd-6c06-48b8-b5ff-ab1d25db8c1d
status: test
description: Detects the execution of WMIC with the "csproduct" alias, which returns hardware information such as the computer model and vendor.
references:
    - https://jonconwayuk.wordpress.com/2014/01/31/wmic-csproduct-using-wmi-to-identify-make-and-model-of-hardware/
    - https://www.uptycs.com/blog/kuraystealer-a-bandit-using-discord-webhooks
author: Florian Roth (Nextron Systems)
date: 2023-02-14
tags:
    - attack.execution
    - attack.t1047
    - car.2016-03-002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\wmic.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        CommandLine|contains: 'csproduct'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
Convert to SIEM query
medium Moderate High FP
Harvesting Of Wifi Credentials Via Netsh.EXE
Detects the harvesting of Wi-Fi credentials via netsh.exe, for example "netsh wlan show profile name=<SSID> key=clear"
status test author Andreas Hunkeler (@Karneades), oscd.community ATT&CK technique id 42b1a5b8-353f-4f10-b256-39de4467faff
carbon_black query
(Image:\\netsh.exe OR OriginalFileName:netsh.exe) (CommandLine:wlan* CommandLine:\ s* CommandLine:\ p* CommandLine:\ k* CommandLine:=clear*)
view Sigma YAML
title: Harvesting Of Wifi Credentials Via Netsh.EXE
id: 42b1a5b8-353f-4f10-b256-39de4467faff
status: test
description: 'Detects the harvesting of Wi-Fi credentials via netsh.exe, for example "netsh wlan show profile name=<SSID> key=clear"'
references:
    - https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/
author: Andreas Hunkeler (@Karneades), oscd.community
date: 2020-04-20
modified: 2023-02-13
tags:
    - attack.discovery
    - attack.credential-access
    - attack.t1040
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\netsh.exe'
        - OriginalFileName: 'netsh.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'wlan'
            - ' s'
            - ' p'
            - ' k'
            - '=clear'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
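Two rules on this page repay a closer look at the Sigma semantics they rely on. The netsh rule just above uses `contains|all` with the deliberately short tokens `' s'`, `' p'` and `' k'`, so it matches the abbreviated `netsh wlan s p k=clear` as well as the spelled-out command (netsh accepts unambiguous prefixes), which is also why its false-positive tier is high. The LaZagne rule further up combines a map (fields are ANDed), value lists (ORed) and the condition `1 of selection_img_* or all of selection_cli_*`. The evaluator below is an added example, not Sigma project code: it implements only the modifiers these process_creation rules use, carries shortened, representative subsets of the page's value lists, and runs both rules over constructed Sysmon-style events, including a LaZagne run from an unlisted directory with a bare module name that the rule, by design, does not catch.

```python
"""Minimal evaluator for the Sigma selection semantics used by this page's process_creation
rules (field modifiers, map = AND, list of maps = OR, 'all of'/'1 of' over selection names).
Added example, not Sigma project code; rule value lists are shortened to a representative
subset of what the page shows, and the events are constructed."""


def _norm(value):
    # Sigma string matching is case-insensitive by default.
    return str(value).lower()


def _match_one(modifiers, actual, expected):
    actual, expected = _norm(actual), _norm(expected)
    if "contains" in modifiers:
        return expected in actual
    if "endswith" in modifiers:
        return actual.endswith(expected)
    if "startswith" in modifiers:
        return actual.startswith(expected)
    return actual == expected


def _match_field(spec, expected, event):
    field, *modifiers = spec.split("|")
    if field not in event:
        return False
    values = expected if isinstance(expected, list) else [expected]
    hits = [_match_one(modifiers, event[field], v) for v in values]
    # A value list is OR unless the 'all' modifier is present.
    return all(hits) if "all" in modifiers else any(hits)


def match_selection(selection, event):
    # A list of maps is OR between the maps; a single map is AND across its fields.
    if isinstance(selection, list):
        return any(match_selection(item, event) for item in selection)
    return all(_match_field(spec, exp, event) for spec, exp in selection.items())


def one_of(results, prefix):
    return any(hit for name, hit in results.items() if name.startswith(prefix))


def all_of(results, prefix):
    return all(hit for name, hit in results.items() if name.startswith(prefix))


def evaluate(rule, event):
    results = {name: match_selection(sel, event) for name, sel in rule["detection"].items()}
    return rule["condition"](results)


# 'Harvesting Of Wifi Credentials Via Netsh.EXE': contains|all with abbreviated tokens.
NETSH_WIFI = {
    "detection": {
        "selection_img": [{"Image|endswith": "\\netsh.exe"}, {"OriginalFileName": "netsh.exe"}],
        "selection_cli": {"CommandLine|contains|all": ["wlan", " s", " p", " k", "=clear"]},
    },
    "condition": lambda r: all_of(r, "selection_"),
}

# 'HackTool - LaZagne Execution': '1 of selection_img_* or all of selection_cli_*'.
LAZAGNE = {
    "detection": {
        "selection_img_metadata": {"Image|endswith": "\\lazagne.exe"},
        "selection_img_cli": {
            "Image|contains": [":\\Temp\\", ":\\Users\\Public\\", "\\AppData\\", "\\Downloads\\"],
            "CommandLine|endswith": [".exe all", ".exe browsers", ".exe wifi", ".exe windows"],
        },
        "selection_cli_modules": {"CommandLine|contains": [" all ", " browsers ", " wifi "]},
        "selection_cli_options": {"CommandLine|contains": ["-credman", "-lsa_secrets", "-vault"]},
    },
    "condition": lambda r: one_of(r, "selection_img_") or all_of(r, "selection_cli_"),
}

NETSH = "C:\\Windows\\System32\\netsh.exe"
EVENTS = {  # constructed Sysmon-style process_creation events, not real telemetry
    "netsh_full": {"Image": NETSH, "OriginalFileName": "netsh.exe",
                   "CommandLine": "netsh wlan show profile name=CorpWifi key=clear"},
    "netsh_abbrev": {"Image": NETSH, "OriginalFileName": "netsh.exe",
                     "CommandLine": "netsh wlan s p k=clear"},
    "netsh_benign": {"Image": NETSH, "OriginalFileName": "netsh.exe",
                     "CommandLine": "netsh wlan show interfaces"},
    "lazagne_named": {"Image": "C:\\Users\\bob\\Desktop\\laZagne.exe",
                      "CommandLine": "laZagne.exe browsers"},
    "lazagne_renamed": {"Image": "C:\\Users\\bob\\Downloads\\update.exe",
                        "CommandLine": "update.exe all"},
    "lazagne_options": {"Image": "C:\\Tools\\lz.exe",
                        "CommandLine": "lz.exe all -vault -credman"},
    "lazagne_missed": {"Image": "C:\\Tools\\lz.exe", "CommandLine": "lz.exe all"},
}


def run():
    """Map each constructed event to the labels of the rules it triggers."""
    rules = (("netsh_wifi", NETSH_WIFI), ("lazagne", LAZAGNE))
    return {name: [label for label, rule in rules if evaluate(rule, ev)]
            for name, ev in EVENTS.items()}


if __name__ == "__main__":
    for name, hits in run().items():
        print(f"{name:16} -> {hits or ['no match']}")
```

The `lazagne_missed` event is the one to note when tuning: a renamed binary outside the listed directories, run with a module name but no `-option`, falls through both branches, so the rule's medium level and the comment about raising it only after a baseline are well founded.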
Showing 401-450 of 1,440