Home/Detection rules/VMware Carbon Black
Tool
EDR / XDR

VMware Carbon Black

3,646 rules · Sigma detections in VMware Carbon Black syntax
The same Sigma detection corpus, machine-rendered into VMware Carbon Black query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 3,646 rules (.zip, 1.2 MB) Every VMware Carbon Black query in this view, packaged to deploy.
Severity critical high medium low all severities Export CSV Export .zip
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance12
Resource Development10
Initial Access10
Execution30
Persistence42
Privilege Escalation20
Stealth79
Defense Impairment32
Credential Access35
Discovery33
Lateral Movement16
Collection20
Command and Control24
Exfiltration10
Impact18
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.

Detection rules

50 shown of 3,646
high Moderate High FP
Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module
Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below
status test author Daniel Bohannon (@Mandiant/@FireEye), oscd.community ATT&CK sub-technique id 2f211361-7dce-442d-b78a-c04039677378
carbon_black query
Payload:\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[ OR Payload:\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[ OR Payload:\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[ OR Payload:\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2} OR Payload:\\*mdr\\*\\W\\s*\\)\\.Name OR Payload:\\$VerbosePreference\\.ToString\\( OR Payload:\\[String\\]\\s*\\$VerbosePreference
view Sigma YAML 
title: Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module
id: 2f211361-7dce-442d-b78a-c04039677378
related:
    - id: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7
      type: derived
status: test
description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below
references:
    - https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888
author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
date: 2019-11-08
modified: 2022-12-31
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_payload:
        - Payload|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
        - Payload|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
        - Payload|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
        - Payload|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}'
        - Payload|re: '\*mdr\*\W\s*\)\.Name'
        - Payload|re: '\$VerbosePreference\.ToString\('
        - Payload|re: '\[String\]\s*\$VerbosePreference'
    condition: selection_payload
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
Invoke-Obfuscation Obfuscated IEX Invocation - Security
Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references
status test author Daniel Bohannon (@Mandiant/@FireEye), oscd.community ATT&CK technique id fd0f5778-d3cb-4c9a-9695-66759d04702a
carbon_black query
EventID:4697 (ServiceFileName:\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[ OR ServiceFileName:\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[ OR ServiceFileName:\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[ OR ServiceFileName:\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2} OR ServiceFileName:\\\\*mdr\\*\\W\\s*\\)\\.Name OR ServiceFileName:\\$VerbosePreference\\.ToString\\( OR ServiceFileName:\\String\\]\\s*\\$VerbosePreference)
view Sigma YAML 
title: Invoke-Obfuscation Obfuscated IEX Invocation - Security
id: fd0f5778-d3cb-4c9a-9695-66759d04702a
related:
    - id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9
      type: derived
status: test
description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references
references:
    - https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888
author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
date: 2019-11-08
modified: 2022-11-27
tags:
    - attack.stealth
    - attack.t1027
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    selection_eid:
        EventID: 4697
    selection_servicefilename:
        - ServiceFileName|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
        - ServiceFileName|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
        - ServiceFileName|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
        - ServiceFileName|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}'
        - ServiceFileName|re: '\\*mdr\*\W\s*\)\.Name'
        - ServiceFileName|re: '\$VerbosePreference\.ToString\('
        - ServiceFileName|re: '\String\]\s*\$VerbosePreference'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
Invoke-Obfuscation Obfuscated IEX Invocation - System
Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references
status test author Daniel Bohannon (@Mandiant/@FireEye), oscd.community ATT&CK technique id 51aa9387-1c53-4153-91cc-d73c59ae1ca9
carbon_black query
EventID:7045 (ImagePath:\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[ OR ImagePath:\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[ OR ImagePath:\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[ OR ImagePath:\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2} OR ImagePath:\\\\*mdr\\*\\W\\s*\\)\\.Name OR ImagePath:\\$VerbosePreference\\.ToString\\( OR ImagePath:\\String\\]\\s*\\$VerbosePreference)
view Sigma YAML 
title: Invoke-Obfuscation Obfuscated IEX Invocation - System
id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9
status: test
description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references
references:
    - https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888
author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
date: 2019-11-08
modified: 2022-11-27
tags:
    - attack.stealth
    - attack.t1027
logsource:
    product: windows
    service: system
detection:
    selection_eid:
        EventID: 7045
    selection_imagepath:
        - ImagePath|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
        - ImagePath|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
        - ImagePath|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
        - ImagePath|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}'
        - ImagePath|re: '\\*mdr\*\W\s*\)\.Name'
        - ImagePath|re: '\$VerbosePreference\.ToString\('
        - ImagePath|re: '\String\]\s*\$VerbosePreference'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
Invoke-Obfuscation STDIN+ Launcher
Detects Obfuscated use of stdin to execute PowerShell
status test author Jonathan Cheong, oscd.community ATT&CK sub-technique id 6c96fc76-0eb1-11eb-adc1-0242ac120002
carbon_black query
CommandLine:cmd.{0,5}(?:/c|/r).+powershell.+(?:\\$\\{?input\\}?|noexit).+\\"
view Sigma YAML 
title: Invoke-Obfuscation STDIN+ Launcher
id: 6c96fc76-0eb1-11eb-adc1-0242ac120002
status: test
description: Detects Obfuscated use of stdin to execute PowerShell
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 25)
author: Jonathan Cheong, oscd.community
date: 2020-10-15
modified: 2024-04-15
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Example 1: c:\windows\sYstEm32\CmD.eXE /C"echO\Invoke-Expression (New-Object Net.WebClient).DownloadString | POwersHELl -NoEXiT -"
        # Example 2: c:\WiNDOws\sysTEm32\cmd.EXe /C " ECHo Invoke-Expression (New-Object Net.WebClient).DownloadString | POwersHELl -nol ${EXEcUtIONCONTeXT}.INvOkEComMANd.InvOKEScRIPt( $InpUt )"
        CommandLine|re: 'cmd.{0,5}(?:/c|/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
Invoke-Obfuscation STDIN+ Launcher - PowerShell Module
Detects Obfuscated use of stdin to execute PowerShell
status test author Jonathan Cheong, oscd.community ATT&CK sub-technique id 9ac8b09b-45de-4a07-9da1-0de8c09304a3
carbon_black query
Payload:cmd.{0,5}(?:/c|/r).+powershell.+(?:\\$\\{?input\\}?|noexit).+"
view Sigma YAML 
title: Invoke-Obfuscation STDIN+ Launcher - PowerShell Module
id: 9ac8b09b-45de-4a07-9da1-0de8c09304a3
related:
    - id: 779c8c12-0eb1-11eb-adc1-0242ac120002
      type: derived
status: test
description: Detects Obfuscated use of stdin to execute PowerShell
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 25)
author: Jonathan Cheong, oscd.community
date: 2020-10-15
modified: 2024-04-05
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_4103:
        Payload|re: 'cmd.{0,5}(?:/c|/r).+powershell.+(?:\$\{?input\}?|noexit).+"'
    condition: selection_4103
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
Invoke-Obfuscation STDIN+ Launcher - Powershell
Detects Obfuscated use of stdin to execute PowerShell
status test author Jonathan Cheong, oscd.community ATT&CK sub-technique id 779c8c12-0eb1-11eb-adc1-0242ac120002
carbon_black query
ScriptBlockText:cmd.{0,5}(?:/c|/r).+powershell.+(?:\\$?\\{?input\\}?|noexit).+"
view Sigma YAML 
title: Invoke-Obfuscation STDIN+ Launcher - Powershell
id: 779c8c12-0eb1-11eb-adc1-0242ac120002
status: test
description: Detects Obfuscated use of stdin to execute PowerShell
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 25)
author: Jonathan Cheong, oscd.community
date: 2020-10-15
modified: 2024-04-05
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_4104:
        ScriptBlockText|re: 'cmd.{0,5}(?:/c|/r).+powershell.+(?:\$?\{?input\}?|noexit).+"'
    condition: selection_4104
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
Invoke-Obfuscation STDIN+ Launcher - Security
Detects Obfuscated use of stdin to execute PowerShell
status test author Jonathan Cheong, oscd.community ATT&CK sub-technique id 0c718a5e-4284-4fb9-b4d9-b9a50b3a1974
carbon_black query
(EventID:4697 (ServiceFileName:cmd* ServiceFileName:powershell*)) (ServiceFileName:$\{input\}* OR ServiceFileName:noexit*) (ServiceFileName:\ \/c\ * OR ServiceFileName:\ \/r\ *)
view Sigma YAML 
title: Invoke-Obfuscation STDIN+ Launcher - Security
id: 0c718a5e-4284-4fb9-b4d9-b9a50b3a1974
related:
    - id: 72862bf2-0eb1-11eb-adc1-0242ac120002
      type: derived
status: test
description: Detects Obfuscated use of stdin to execute PowerShell
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 25)
author: Jonathan Cheong, oscd.community
date: 2020-10-15
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    selection:
        EventID: 4697
        ServiceFileName|contains|all:
            - 'cmd'
            - 'powershell'
    selection2:
        ServiceFileName|contains:
            - '${input}'
            - 'noexit'
    selection3:
        ServiceFileName|contains:
            - ' /c '
            - ' /r '
    condition: all of selection*
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
Invoke-Obfuscation STDIN+ Launcher - System
Detects Obfuscated use of stdin to execute PowerShell
status test author Jonathan Cheong, oscd.community ATT&CK sub-technique id 72862bf2-0eb1-11eb-adc1-0242ac120002
carbon_black query
(Provider_Name:Service\ Control\ Manager EventID:7045 (ImagePath:cmd* ImagePath:powershell*) (ImagePath:\/c* OR ImagePath:\/r*)) (ImagePath:noexit* OR (ImagePath:input* ImagePath:$*))
view Sigma YAML 
title: Invoke-Obfuscation STDIN+ Launcher - System
id: 72862bf2-0eb1-11eb-adc1-0242ac120002
status: test
description: Detects Obfuscated use of stdin to execute PowerShell
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 25)
author: Jonathan Cheong, oscd.community
date: 2020-10-15
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: system
detection:
    selection_main:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        # ImagePath|re: 'cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
        # Example 1: c:\windows\sYstEm32\CmD.eXE /C"echO\Invoke-Expression (New-Object Net.WebClient).DownloadString | POwersHELl -NoEXiT -"
        # Example 2: c:\WiNDOws\sysTEm32\cmd.EXe /C " ECHo Invoke-Expression (New-Object Net.WebClient).DownloadString | POwersHELl -nol ${EXEcUtIONCONTeXT}.INvOkEComMANd.InvOKEScRIPt( $InpUt )"
        ImagePath|contains|all:
            - 'cmd'
            - 'powershell'
        ImagePath|contains:
            - '/c'
            - '/r'
    selection_other:
        - ImagePath|contains: 'noexit'
        - ImagePath|contains|all:
              - 'input'
              - '$'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
Invoke-Obfuscation VAR+ Launcher
Detects Obfuscated use of Environment Variables to execute PowerShell
status test author Jonathan Cheong, oscd.community ATT&CK sub-technique id 27aec9c9-dbb0-4939-8422-1742242471d0
carbon_black query
CommandLine:cmd.{0,5}(?:/c|/r)(?:\\s|)\\"set\\s[a-zA-Z]{3,6}.*(?:\\{\\d\\}){1,}\\\\\\"\\s+?\\-f(?:.*\\)){1,}.*\\"
view Sigma YAML 
title: Invoke-Obfuscation VAR+ Launcher
id: 27aec9c9-dbb0-4939-8422-1742242471d0
status: test
description: Detects Obfuscated use of Environment Variables to execute PowerShell
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 24)
author: Jonathan Cheong, oscd.community
date: 2020-10-15
modified: 2024-04-15
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Example 1: C:\winDoWs\SySTeM32\cmd.Exe /C"SET NOtI=Invoke-Expression (New-Object Net.WebClient).DownloadString&& PowERshElL -NOl SET-iteM ( 'VAR' + 'i'+ 'A' + 'blE:Ao6' + 'I0') ( [TYpe](\"{2}{3}{0}{1}\"-F 'iRoN','mENT','e','nv') ) ; ${exECUtIONCOnTEXT}.\"IN`VO`KecOmMaND\".\"inVo`KES`crIPt\"( ( ( GEt-VAriAble ( 'a' + 'o6I0') -vaLU )::(\"{1}{4}{2}{3}{0}\" -f'e','gETenvIR','NtvaRIa','BL','ONme' ).Invoke(( \"{0}{1}\"-f'n','oti' ),( \"{0}{1}\" -f'pRoC','esS') )) )"
        # Example 2: cMD.exe /C "seT SlDb=Invoke-Expression (New-Object Net.WebClient).DownloadString&& pOWErShell .(( ^&(\"{1}{0}{2}{3}\" -f 'eT-vaR','G','iab','lE' ) (\"{0}{1}\" -f '*m','DR*' ) ).\"na`ME\"[3,11,2]-JOIN'' ) ( ( ^&(\"{0}{1}\" -f'g','CI' ) (\"{0}{1}\" -f 'ENV',':SlDb' ) ).\"VA`luE\" ) "
        CommandLine|re: 'cmd.{0,5}(?:/c|/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
Invoke-Obfuscation VAR+ Launcher - PowerShell
Detects Obfuscated use of Environment Variables to execute PowerShell
status test author Jonathan Cheong, oscd.community ATT&CK sub-technique id 0adfbc14-0ed1-11eb-adc1-0242ac120002
carbon_black query
ScriptBlockText:cmd.{0,5}(?:/c|/r)(?:\\s|)"set\\s[a-zA-Z]{3,6}.*(?:\\{\\d\\}){1,}\\\\"\\s+?-f(?:.*\\)){1,}.*"
view Sigma YAML 
title: Invoke-Obfuscation VAR+ Launcher - PowerShell
id: 0adfbc14-0ed1-11eb-adc1-0242ac120002
status: test
description: Detects Obfuscated use of Environment Variables to execute PowerShell
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 24)
author: Jonathan Cheong, oscd.community
date: 2020-10-15
modified: 2024-04-05
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_4104:
        ScriptBlockText|re: 'cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?-f(?:.*\)){1,}.*"'
    condition: selection_4104
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
Invoke-Obfuscation VAR+ Launcher - PowerShell Module
Detects Obfuscated use of Environment Variables to execute PowerShell
status test author Jonathan Cheong, oscd.community ATT&CK sub-technique id 6bfb8fa7-b2e7-4f6c-8d9d-824e5d06ea9e
carbon_black query
Payload:cmd.{0,5}(?:/c|/r)(?:\\s|)"set\\s[a-zA-Z]{3,6}.*(?:\\{\\d\\}){1,}\\\\"\\s+?-f(?:.*\\)){1,}.*"
view Sigma YAML 
title: Invoke-Obfuscation VAR+ Launcher - PowerShell Module
id: 6bfb8fa7-b2e7-4f6c-8d9d-824e5d06ea9e
related:
    - id: 0adfbc14-0ed1-11eb-adc1-0242ac120002
      type: derived
status: test
description: Detects Obfuscated use of Environment Variables to execute PowerShell
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 24)
author: Jonathan Cheong, oscd.community
date: 2020-10-15
modified: 2024-04-05
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_4103:
        Payload|re: 'cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?-f(?:.*\)){1,}.*"'
    condition: selection_4103
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
Invoke-Obfuscation VAR+ Launcher - Security
Detects Obfuscated use of Environment Variables to execute PowerShell
status test author Jonathan Cheong, oscd.community ATT&CK sub-technique id dcf2db1f-f091-425b-a821-c05875b8925a
carbon_black query
EventID:4697 (ServiceFileName:cmd* ServiceFileName:\"set* ServiceFileName:\-f*) (ServiceFileName:\/c* OR ServiceFileName:\/r*)
view Sigma YAML 
title: Invoke-Obfuscation VAR+ Launcher - Security
id: dcf2db1f-f091-425b-a821-c05875b8925a
related:
    - id: 8ca7004b-e620-4ecb-870e-86129b5b8e75
      type: derived
status: test
description: Detects Obfuscated use of Environment Variables to execute PowerShell
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 24)
author: Jonathan Cheong, oscd.community
date: 2020-10-15
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    selection:
        EventID: 4697
        # ServiceFileName|re: 'cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
        # Example 1: C:\winDoWs\SySTeM32\cmd.Exe /C"SET NOtI=Invoke-Expression (New-Object Net.WebClient).DownloadString&& PowERshElL -NOl SET-iteM ( 'VAR' + 'i'+ 'A' + 'blE:Ao6' + 'I0') ( [TYpe](\"{2}{3}{0}{1}\"-F 'iRoN','mENT','e','nv') ) ; ${exECUtIONCOnTEXT}.\"IN`VO`KecOmMaND\".\"inVo`KES`crIPt\"( ( ( GEt-VAriAble ( 'a' + 'o6I0') -vaLU )::(\"{1}{4}{2}{3}{0}\" -f'e','gETenvIR','NtvaRIa','BL','ONme' ).Invoke(( \"{0}{1}\"-f'n','oti' ),( \"{0}{1}\" -f'pRoC','esS') )) )"
        # Example 2: cMD.exe /C "seT SlDb=Invoke-Expression (New-Object Net.WebClient).DownloadString&& pOWErShell .(( ^&(\"{1}{0}{2}{3}\" -f 'eT-vaR','G','iab','lE' ) (\"{0}{1}\" -f '*m','DR*' ) ).\"na`ME\"[3,11,2]-JOIN'' ) ( ( ^&(\"{0}{1}\" -f'g','CI' ) (\"{0}{1}\" -f 'ENV',':SlDb' ) ).\"VA`luE\" ) "
        ServiceFileName|contains|all:
            - 'cmd'
            - '"set'
            - '-f'
        ServiceFileName|contains:
            - '/c'
            - '/r'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
Invoke-Obfuscation VAR+ Launcher - System
Detects Obfuscated use of Environment Variables to execute PowerShell
status test author Jonathan Cheong, oscd.community ATT&CK sub-technique id 8ca7004b-e620-4ecb-870e-86129b5b8e75
carbon_black query
Provider_Name:Service\ Control\ Manager EventID:7045 (ImagePath:cmd* ImagePath:\"set* ImagePath:\-f*) (ImagePath:\/c* OR ImagePath:\/r*)
view Sigma YAML 
title: Invoke-Obfuscation VAR+ Launcher - System
id: 8ca7004b-e620-4ecb-870e-86129b5b8e75
status: test
description: Detects Obfuscated use of Environment Variables to execute PowerShell
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 24)
author: Jonathan Cheong, oscd.community
date: 2020-10-15
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        # ImagePath|re: 'cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
        # Example 1: C:\winDoWs\SySTeM32\cmd.Exe /C"SET NOtI=Invoke-Expression (New-Object Net.WebClient).DownloadString&& PowERshElL -NOl SET-iteM ( 'VAR' + 'i'+ 'A' + 'blE:Ao6' + 'I0') ( [TYpe](\"{2}{3}{0}{1}\"-F 'iRoN','mENT','e','nv') ) ; ${exECUtIONCOnTEXT}.\"IN`VO`KecOmMaND\".\"inVo`KES`crIPt\"( ( ( GEt-VAriAble ( 'a' + 'o6I0') -vaLU )::(\"{1}{4}{2}{3}{0}\" -f'e','gETenvIR','NtvaRIa','BL','ONme' ).Invoke(( \"{0}{1}\"-f'n','oti' ),( \"{0}{1}\" -f'pRoC','esS') )) )"
        # Example 2: cMD.exe /C "seT SlDb=Invoke-Expression (New-Object Net.WebClient).DownloadString&& pOWErShell .(( ^&(\"{1}{0}{2}{3}\" -f 'eT-vaR','G','iab','lE' ) (\"{0}{1}\" -f '*m','DR*' ) ).\"na`ME\"[3,11,2]-JOIN'' ) ( ( ^&(\"{0}{1}\" -f'g','CI' ) (\"{0}{1}\" -f 'ENV',':SlDb' ) ).\"VA`luE\" ) "
        ImagePath|contains|all:
            - 'cmd'
            - '"set'
            - '-f'
        ImagePath|contains:
            - '/c'
            - '/r'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
Detects Obfuscated Powershell via VAR++ LAUNCHER
status test author Timur Zinniatullin, oscd.community ATT&CK sub-technique id e9f55347-2928-4c06-88e5-1a7f8169942e
carbon_black query
(CommandLine:&&set* CommandLine:cmd* CommandLine:\/c* CommandLine:\-f*) (CommandLine:\{0\}* OR CommandLine:\{1\}* OR CommandLine:\{2\}* OR CommandLine:\{3\}* OR CommandLine:\{4\}* OR CommandLine:\{5\}*)
view Sigma YAML 
title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
id: e9f55347-2928-4c06-88e5-1a7f8169942e
status: test
description: Detects Obfuscated Powershell via VAR++ LAUNCHER
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task27)
author: Timur Zinniatullin, oscd.community
date: 2020-10-13
modified: 2022-11-16
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # CommandLine|re: '(?i)&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
        # Example 1: CMD /C"sET KUR=Invoke-Expression (New-Object Net.WebClient).DownloadString&&Set MxI=C:\wINDowS\sYsWow64\winDOWspoWERSheLl\V1.0\PowerShelL.EXe ${ExEcut`IoN`cON`TExT}.\"invo`kEcoMm`A`ND\".( \"{2}{1}{0}\" -f 'pt','EscRi','INvOk' ).Invoke( ( .( \"{0}{1}\" -f'D','IR' ) ( \"{0}{1}\"-f'ENV:kU','R')).\"vAl`Ue\" )&& CMD /C%mXI%"
        # Example 2: c:\WiNDOWS\sYSTEm32\CmD.exE /C "sEt DeJLz=Invoke-Expression (New-Object Net.WebClient).DownloadString&&set yBKM=PoWERShelL -noeX ^^^&(\"{2}{0}{1}\"-f '-ItE','m','seT') ( 'V' + 'a'+ 'RiAblE:z8J' +'U2' + 'l' ) ([TYpE]( \"{2}{3}{0}{1}\"-f 'e','NT','e','NViRONM' ) ) ; ^^^& ( ( [sTrIng]${VE`Rbo`SepReFER`Ence})[1,3] + 'X'-joIN'')( ( (.('gI') ('V' + 'a' + 'RIAbLe:z8j' + 'u2' +'l' ) ).vALUe::( \"{2}{5}{0}{1}{6}{4}{3}\" -f 'IRo','Nm','GETE','ABlE','I','nv','enTVAr').Invoke(( \"{0}{1}\"-f'd','ejLz' ),( \"{1}{2}{0}\"-f'cEss','P','RO') )) )&& c:\WiNDOWS\sYSTEm32\CmD.exE /C %ybkm%"
        CommandLine|contains|all:
            - '&&set'
            - 'cmd'
            - '/c'
            - '-f'
        CommandLine|contains:
            - '{0}'
            - '{1}'
            - '{2}'
            - '{3}'
            - '{4}'
            - '{5}'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell
Detects Obfuscated Powershell via VAR++ LAUNCHER
status test author Timur Zinniatullin, oscd.community ATT&CK sub-technique id e54f5149-6ba3-49cf-b153-070d24679126
carbon_black query
ScriptBlockText:(?i)&&set.*(\\{\\d\\}){2,}\\\\"\\s+?-f.*&&.*cmd.*/c
view Sigma YAML 
title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell
id: e54f5149-6ba3-49cf-b153-070d24679126
status: test
description: Detects Obfuscated Powershell via VAR++ LAUNCHER
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task27)
author: Timur Zinniatullin, oscd.community
date: 2020-10-13
modified: 2024-04-05
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_4104:
        ScriptBlockText|re: '(?i)&&set.*(\{\d\}){2,}\\"\s+?-f.*&&.*cmd.*/c' # FPs with |\/r
    condition: selection_4104
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module
Detects Obfuscated Powershell via VAR++ LAUNCHER
status test author Timur Zinniatullin, oscd.community ATT&CK sub-technique id f3c89218-8c3d-4ba9-9974-f1d8e6a1b4a6
carbon_black query
Payload:(?i)&&set.*(\\{\\d\\}){2,}\\\\"\\s+?-f.*&&.*cmd.*/c
view Sigma YAML 
title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module
id: f3c89218-8c3d-4ba9-9974-f1d8e6a1b4a6
related:
    - id: e54f5149-6ba3-49cf-b153-070d24679126
      type: derived
status: test
description: Detects Obfuscated Powershell via VAR++ LAUNCHER
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task27)
author: Timur Zinniatullin, oscd.community
date: 2020-10-13
modified: 2024-04-05
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_4103:
        Payload|re: '(?i)&&set.*(\{\d\}){2,}\\"\s+?-f.*&&.*cmd.*/c' # FPs with |\/r
    condition: selection_4103
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security
Detects Obfuscated Powershell via VAR++ LAUNCHER
status test author Timur Zinniatullin, oscd.community ATT&CK sub-technique id 4c54ba8f-73d2-4d40-8890-d9cf1dca3d30
carbon_black query
EventID:4697 (ServiceFileName:&&set* ServiceFileName:cmd* ServiceFileName:\/c* ServiceFileName:\-f*) (ServiceFileName:\{0\}* OR ServiceFileName:\{1\}* OR ServiceFileName:\{2\}* OR ServiceFileName:\{3\}* OR ServiceFileName:\{4\}* OR ServiceFileName:\{5\}*)
view Sigma YAML 
title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security
id: 4c54ba8f-73d2-4d40-8890-d9cf1dca3d30
related:
    - id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
      type: derived
status: test
description: Detects Obfuscated Powershell via VAR++ LAUNCHER
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task27)
author: Timur Zinniatullin, oscd.community
date: 2020-10-13
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    selection:
        EventID: 4697
        # ServiceFileName|re: '(?i)&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
        # Example 1: CMD /C"sET KUR=Invoke-Expression (New-Object Net.WebClient).DownloadString&&Set MxI=C:\wINDowS\sYsWow64\winDOWspoWERSheLl\V1.0\PowerShelL.EXe ${ExEcut`IoN`cON`TExT}.\"invo`kEcoMm`A`ND\".( \"{2}{1}{0}\" -f 'pt','EscRi','INvOk' ).Invoke( ( .( \"{0}{1}\" -f'D','IR' ) ( \"{0}{1}\"-f'ENV:kU','R')).\"vAl`Ue\" )&& CMD /C%mXI%"
        # Example 2: c:\WiNDOWS\sYSTEm32\CmD.exE /C "sEt DeJLz=Invoke-Expression (New-Object Net.WebClient).DownloadString&&set yBKM=PoWERShelL -noeX ^^^&(\"{2}{0}{1}\"-f '-ItE','m','seT') ( 'V' + 'a'+ 'RiAblE:z8J' +'U2' + 'l' ) ([TYpE]( \"{2}{3}{0}{1}\"-f 'e','NT','e','NViRONM' ) ) ; ^^^& ( ( [sTrIng]${VE`Rbo`SepReFER`Ence})[1,3] + 'X'-joIN'')( ( (.('gI') ('V' + 'a' + 'RIAbLe:z8j' + 'u2' +'l' ) ).vALUe::( \"{2}{5}{0}{1}{6}{4}{3}\" -f 'IRo','Nm','GETE','ABlE','I','nv','enTVAr').Invoke(( \"{0}{1}\"-f'd','ejLz' ),( \"{1}{2}{0}\"-f'cEss','P','RO') )) )&& c:\WiNDOWS\sYSTEm32\CmD.exE /C %ybkm%"
        ServiceFileName|contains|all:
            - '&&set'
            - 'cmd'
            - '/c'
            - '-f'
        ServiceFileName|contains:
            - '{0}'
            - '{1}'
            - '{2}'
            - '{3}'
            - '{4}'
            - '{5}'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System
Detects Obfuscated Powershell via VAR++ LAUNCHER
status test author Timur Zinniatullin, oscd.community ATT&CK sub-technique id 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
carbon_black query
Provider_Name:Service\ Control\ Manager EventID:7045 (ImagePath:&&set* ImagePath:cmd* ImagePath:\/c* ImagePath:\-f*) (ImagePath:\{0\}* OR ImagePath:\{1\}* OR ImagePath:\{2\}* OR ImagePath:\{3\}* OR ImagePath:\{4\}* OR ImagePath:\{5\}*)
view Sigma YAML 
title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System
id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
status: test
description: Detects Obfuscated Powershell via VAR++ LAUNCHER
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task27)
author: Timur Zinniatullin, oscd.community
date: 2020-10-13
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        # ImagePath|re: '(?i)&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
        # Example 1: CMD /C"sET KUR=Invoke-Expression (New-Object Net.WebClient).DownloadString&&Set MxI=C:\wINDowS\sYsWow64\winDOWspoWERSheLl\V1.0\PowerShelL.EXe ${ExEcut`IoN`cON`TExT}.\"invo`kEcoMm`A`ND\".( \"{2}{1}{0}\" -f 'pt','EscRi','INvOk' ).Invoke( ( .( \"{0}{1}\" -f'D','IR' ) ( \"{0}{1}\"-f'ENV:kU','R')).\"vAl`Ue\" )&& CMD /C%mXI%"
        # Example 2: c:\WiNDOWS\sYSTEm32\CmD.exE /C "sEt DeJLz=Invoke-Expression (New-Object Net.WebClient).DownloadString&&set yBKM=PoWERShelL -noeX ^^^&(\"{2}{0}{1}\"-f '-ItE','m','seT') ( 'V' + 'a'+ 'RiAblE:z8J' +'U2' + 'l' ) ([TYpE]( \"{2}{3}{0}{1}\"-f 'e','NT','e','NViRONM' ) ) ; ^^^& ( ( [sTrIng]${VE`Rbo`SepReFER`Ence})[1,3] + 'X'-joIN'')( ( (.('gI') ('V' + 'a' + 'RIAbLe:z8j' + 'u2' +'l' ) ).vALUe::( \"{2}{5}{0}{1}{6}{4}{3}\" -f 'IRo','Nm','GETE','ABlE','I','nv','enTVAr').Invoke(( \"{0}{1}\"-f'd','ejLz' ),( \"{1}{2}{0}\"-f'cEss','P','RO') )) )&& c:\WiNDOWS\sYSTEm32\CmD.exE /C %ybkm%"
        ImagePath|contains|all:
            - '&&set'
            - 'cmd'
            - '/c'
            - '-f'
        ImagePath|contains:
            - '{0}'
            - '{1}'
            - '{2}'
            - '{3}'
            - '{4}'
            - '{5}'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
Invoke-Obfuscation Via Stdin
Detects Obfuscated Powershell via Stdin in Scripts
status test author Nikita Nazarov, oscd.community ATT&CK sub-technique id 9c14c9fa-1a63-4a64-8e57-d19280559490
carbon_black query
CommandLine:(?i)(?:set).*&&\\s?set.*(?:environment|invoke|\\$\\{?input).*&&.*"
view Sigma YAML 
title: Invoke-Obfuscation Via Stdin
id: 9c14c9fa-1a63-4a64-8e57-d19280559490
status: test
description: Detects Obfuscated Powershell via Stdin in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task28)
author: Nikita Nazarov, oscd.community
date: 2020-10-12
modified: 2026-03-16
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|re: '(?i)(?:set).*&&\s?set.*(?:environment|invoke|\$\{?input).*&&.*"'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
Invoke-Obfuscation Via Stdin - PowerShell Module
Detects Obfuscated Powershell via Stdin in Scripts
status test author Nikita Nazarov, oscd.community ATT&CK sub-technique id c72aca44-8d52-45ad-8f81-f96c4d3c755e
carbon_black query
Payload:(?i)(set).*&&\\s?set.*(environment|invoke|\\$?\\{?input).*&&.*"
view Sigma YAML 
title: Invoke-Obfuscation Via Stdin - PowerShell Module
id: c72aca44-8d52-45ad-8f81-f96c4d3c755e
related:
    - id: 86b896ba-ffa1-4fea-83e3-ee28a4c915c7
      type: derived
status: test
description: Detects Obfuscated Powershell via Stdin in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task28)
author: Nikita Nazarov, oscd.community
date: 2020-10-12
modified: 2024-04-05
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_4103:
        Payload|re: '(?i)(set).*&&\s?set.*(environment|invoke|\$?\{?input).*&&.*"'
    condition: selection_4103
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
Invoke-Obfuscation Via Stdin - Powershell
Detects Obfuscated Powershell via Stdin in Scripts
status test author Nikita Nazarov, oscd.community ATT&CK sub-technique id 86b896ba-ffa1-4fea-83e3-ee28a4c915c7
carbon_black query
ScriptBlockText:(?i)(set).*&&\\s?set.*(environment|invoke|\\$\\{?input).*&&.*"
view Sigma YAML 
title: Invoke-Obfuscation Via Stdin - Powershell
id: 86b896ba-ffa1-4fea-83e3-ee28a4c915c7
status: test
description: Detects Obfuscated Powershell via Stdin in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task28)
author: Nikita Nazarov, oscd.community
date: 2020-10-12
modified: 2024-04-05
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_4104:
        ScriptBlockText|re: '(?i)(set).*&&\s?set.*(environment|invoke|\$\{?input).*&&.*"'
    condition: selection_4104
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
Invoke-Obfuscation Via Stdin - Security
Detects Obfuscated Powershell via Stdin in Scripts
status test author Nikita Nazarov, oscd.community ATT&CK sub-technique id 80b708f3-d034-40e4-a6c8-d23b7a7db3d1
carbon_black query
EventID:4697 (ServiceFileName:set* ServiceFileName:&&*) (ServiceFileName:environment* OR ServiceFileName:invoke* OR ServiceFileName:$\{input\)*)
view Sigma YAML 
title: Invoke-Obfuscation Via Stdin - Security
id: 80b708f3-d034-40e4-a6c8-d23b7a7db3d1
related:
    - id: 487c7524-f892-4054-b263-8a0ace63fc25
      type: derived
status: test
description: Detects Obfuscated Powershell via Stdin in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task28)
author: Nikita Nazarov, oscd.community
date: 2020-10-12
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    selection:
        EventID: 4697
        ServiceFileName|contains|all:
            - 'set'
            - '&&'
        ServiceFileName|contains:
            - 'environment'
            - 'invoke'
            - '${input)'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
Invoke-Obfuscation Via Stdin - System
Detects Obfuscated Powershell via Stdin in Scripts
status test author Nikita Nazarov, oscd.community ATT&CK sub-technique id 487c7524-f892-4054-b263-8a0ace63fc25
carbon_black query
Provider_Name:Service\ Control\ Manager EventID:7045 (ImagePath:set* ImagePath:&&*) (ImagePath:environment* OR ImagePath:invoke* OR ImagePath:input*)
view Sigma YAML 
title: Invoke-Obfuscation Via Stdin - System
id: 487c7524-f892-4054-b263-8a0ace63fc25
status: test
description: Detects Obfuscated Powershell via Stdin in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task28)
author: Nikita Nazarov, oscd.community
date: 2020-10-12
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        # ImagePath|re: '(?i)(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
        ImagePath|contains|all:
            - 'set'
            - '&&'
        ImagePath|contains:
            - 'environment'
            - 'invoke'
            - 'input'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
Invoke-Obfuscation Via Use Clip
Detects Obfuscated Powershell via use Clip.exe in Scripts
status test author Nikita Nazarov, oscd.community ATT&CK sub-technique id e1561947-b4e3-4a74-9bdd-83baed21bdb5
carbon_black query
CommandLine:(?i)echo.*clip.*&&.*(?:Clipboard|i`?n`?v`?o`?k`?e`?)
view Sigma YAML 
title: Invoke-Obfuscation Via Use Clip
id: e1561947-b4e3-4a74-9bdd-83baed21bdb5
status: test
description: Detects Obfuscated Powershell via use Clip.exe in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task29)
author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2026-03-16
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Example 1: C:\WINdoWS\sySteM32\CMd /c " ECho\Invoke-Expression (New-Object Net.WebClient).DownloadString|Clip.Exe&&C:\WINdoWS\sySteM32\CMd /c pOWerSheLl -STa . ( \"{2}{0}{1}\"-f'dd-',(\"{0}{1}\" -f 'T','ype' ),'A' ) -Assembly ( \"{4}{1}{3}{0}{2}\"-f (\"{0}{1}\" -f 'nd','ow'),( \"{1}{0}\"-f'.W','stem' ),( \"{2}{1}{0}\" -f 'rms','Fo','s.'),'i','Sy') ; ${exeCUtIOnCONTeXT}.\"INV`oKECOM`m`ANd\".\"INV`ok`ESCriPT\"( ( [sYSteM.wiNDoWS.forMs.ClIPboaRD]::( \"{2}{0}{1}\" -f'Ex','t',(\"{0}{1}\" -f'Get','t' ) ).\"iNvo`Ke\"( )) ) ; [System.Windows.Forms.Clipboard]::(\"{1}{0}\" -f 'ar','Cle' ).\"in`V`oKE\"( )"
        # Example 2: C:\WINDowS\sYsTEM32\CmD.eXE /C" echo\Invoke-Expression (New-Object Net.WebClient).DownloadString| C:\WIndOWs\SYSteM32\CLip &&C:\WINDowS\sYsTEM32\CmD.eXE /C POWERSHeLL -sT -noL [Void][System.Reflection.Assembly]::( \"{0}{3}{4}{1}{2}\" -f( \"{0}{1}\"-f'Lo','adW' ),( \"{0}{1}\"-f 'Par','t'),( \"{0}{1}{2}\"-f 'ial','N','ame'),'it','h' ).\"in`VO`KE\"( ( \"{3}{1}{4}{5}{2}{0}\"-f'rms','ystem.Windo','Fo','S','w','s.' )) ; ( [wIndows.fOrms.cLIPBOArD]::( \"{1}{0}\"-f'T',( \"{1}{0}\" -f'tEX','gET' )).\"i`Nvoke\"( ) ) ^^^| ^^^& ( ( ^^^& ( \"{2}{1}{0}\"-f 'e',( \"{2}{1}{0}\"-f'IABl','aR','v' ),( \"{0}{1}\"-f'Get','-' ) ) ( \"{1}{0}\"-f'*','*MDr' )).\"n`Ame\"[3,11,2]-jOin'') ; [Windows.Forms.Clipboard]::( \"{0}{1}\" -f (\"{1}{0}\"-f'tT','Se' ),'ext').\"in`VoKe\"(' ' )"
        CommandLine|re: '(?i)echo.*clip.*&&.*(?:Clipboard|i`?n`?v`?o`?k`?e`?)'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
Invoke-Obfuscation Via Use Clip - PowerShell Module
Detects Obfuscated Powershell via use Clip.exe in Scripts
status test author Nikita Nazarov, oscd.community ATT&CK sub-technique id ebdf49d8-b89c-46c9-8fdf-2c308406f6bd
carbon_black query
Payload:(?i)echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?)
view Sigma YAML 
title: Invoke-Obfuscation Via Use Clip - PowerShell Module
id: ebdf49d8-b89c-46c9-8fdf-2c308406f6bd
related:
    - id: db92dd33-a3ad-49cf-8c2c-608c3e30ace0
      type: derived
status: test
description: Detects Obfuscated Powershell via use Clip.exe in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task29)
author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2024-04-05
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_4103:
        Payload|re: '(?i)echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?)'
    condition: selection_4103
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
Invoke-Obfuscation Via Use Clip - Powershell
Detects Obfuscated Powershell via use Clip.exe in Scripts
status test author Nikita Nazarov, oscd.community ATT&CK sub-technique id db92dd33-a3ad-49cf-8c2c-608c3e30ace0
carbon_black query
ScriptBlockText:(?i)echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?)
view Sigma YAML 
title: Invoke-Obfuscation Via Use Clip - Powershell
id: db92dd33-a3ad-49cf-8c2c-608c3e30ace0
status: test
description: Detects Obfuscated Powershell via use Clip.exe in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task29)
author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2024-04-15
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_4104:
        ScriptBlockText|re: '(?i)echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?)'
    condition: selection_4104
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
Invoke-Obfuscation Via Use Clip - Security
Detects Obfuscated Powershell via use Clip.exe in Scripts
status test author Nikita Nazarov, oscd.community ATT&CK sub-technique id 1a0a2ff1-611b-4dac-8216-8a7b47c618a6
carbon_black query
EventID:4697 ServiceFileName:\(Clipboard|i*
view Sigma YAML 
title: Invoke-Obfuscation Via Use Clip - Security
id: 1a0a2ff1-611b-4dac-8216-8a7b47c618a6
related:
    - id: 63e3365d-4824-42d8-8b82-e56810fefa0c
      type: derived
status: test
description: Detects Obfuscated Powershell via use Clip.exe in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task29)
author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    selection:
        EventID: 4697
        ServiceFileName|contains: '(Clipboard|i'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
Invoke-Obfuscation Via Use Clip - System
Detects Obfuscated Powershell via use Clip.exe in Scripts
status test author Nikita Nazarov, oscd.community ATT&CK sub-technique id 63e3365d-4824-42d8-8b82-e56810fefa0c
carbon_black query
Provider_Name:Service\ Control\ Manager EventID:7045 ImagePath:\(Clipboard|i*
view Sigma YAML 
title: Invoke-Obfuscation Via Use Clip - System
id: 63e3365d-4824-42d8-8b82-e56810fefa0c
status: test
description: Detects Obfuscated Powershell via use Clip.exe in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task29)
author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ImagePath|contains: '(Clipboard|i'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
Invoke-Obfuscation Via Use MSHTA
Detects Obfuscated Powershell via use MSHTA in Scripts
status test author Nikita Nazarov, oscd.community ATT&CK sub-technique id ac20ae82-8758-4f38-958e-b44a3140ca88
carbon_black query
CommandLine:set* CommandLine:&&* CommandLine:mshta* CommandLine:vbscript\:createobject* CommandLine:.run* CommandLine:\(window.close\)*
view Sigma YAML 
title: Invoke-Obfuscation Via Use MSHTA
id: ac20ae82-8758-4f38-958e-b44a3140ca88
status: test
description: Detects Obfuscated Powershell via use MSHTA in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009   # (Task31)
author: Nikita Nazarov, oscd.community
date: 2020-10-08
modified: 2022-03-08
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'set'
            - '&&'
            - 'mshta'
            - 'vbscript:createobject'
            - '.run'
            - '(window.close)'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
Invoke-Obfuscation Via Use MSHTA - PowerShell
Detects Obfuscated Powershell via use MSHTA in Scripts
status test author Nikita Nazarov, oscd.community ATT&CK sub-technique id e55a5195-4724-480e-a77e-3ebe64bd3759
carbon_black query
ScriptBlockText:set* ScriptBlockText:&&* ScriptBlockText:mshta* ScriptBlockText:vbscript\:createobject* ScriptBlockText:.run* ScriptBlockText:\(window.close\)*
view Sigma YAML 
title: Invoke-Obfuscation Via Use MSHTA - PowerShell
id: e55a5195-4724-480e-a77e-3ebe64bd3759
status: test
description: Detects Obfuscated Powershell via use MSHTA in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task31)
author: Nikita Nazarov, oscd.community
date: 2020-10-08
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_4104:
        ScriptBlockText|contains|all:
            - 'set'
            - '&&'
            - 'mshta'
            - 'vbscript:createobject'
            - '.run'
            - '(window.close)'
    condition: selection_4104
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
Invoke-Obfuscation Via Use MSHTA - PowerShell Module
Detects Obfuscated Powershell via use MSHTA in Scripts
status test author Nikita Nazarov, oscd.community ATT&CK sub-technique id 07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb
carbon_black query
Payload:set* Payload:&&* Payload:mshta* Payload:vbscript\:createobject* Payload:.run* Payload:\(window.close\)*
view Sigma YAML 
title: Invoke-Obfuscation Via Use MSHTA - PowerShell Module
id: 07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb
related:
    - id: e55a5195-4724-480e-a77e-3ebe64bd3759
      type: derived
status: test
description: Detects Obfuscated Powershell via use MSHTA in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task31)
author: Nikita Nazarov, oscd.community
date: 2020-10-08
modified: 2023-01-04
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection:
        Payload|contains|all:
            - 'set'
            - '&&'
            - 'mshta'
            - 'vbscript:createobject'
            - '.run'
            - '(window.close)'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
Invoke-Obfuscation Via Use MSHTA - Security
Detects Obfuscated Powershell via use MSHTA in Scripts
status test author Nikita Nazarov, oscd.community ATT&CK sub-technique id 9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a
carbon_black query
EventID:4697 (ServiceFileName:mshta* ServiceFileName:vbscript\:createobject* ServiceFileName:.run* ServiceFileName:window.close*)
view Sigma YAML 
title: Invoke-Obfuscation Via Use MSHTA - Security
id: 9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a
related:
    - id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4
      type: derived
status: test
description: Detects Obfuscated Powershell via use MSHTA in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task31)
author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    selection:
        EventID: 4697
        ServiceFileName|contains|all:
            - 'mshta'
            - 'vbscript:createobject'
            - '.run'
            - 'window.close'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
Invoke-Obfuscation Via Use MSHTA - System
Detects Obfuscated Powershell via use MSHTA in Scripts
status test author Nikita Nazarov, oscd.community ATT&CK sub-technique id 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4
carbon_black query
Provider_Name:Service\ Control\ Manager EventID:7045 (ImagePath:mshta* ImagePath:vbscript\:createobject*)
view Sigma YAML 
title: Invoke-Obfuscation Via Use MSHTA - System
id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4
status: test
description: Detects Obfuscated Powershell via use MSHTA in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task31)
author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ImagePath|contains|all:
            - 'mshta'
            - 'vbscript:createobject'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
Invoke-Obfuscation Via Use Rundll32 - PowerShell
Detects Obfuscated Powershell via use Rundll32 in Scripts
status test author Nikita Nazarov, oscd.community ATT&CK sub-technique id a5a30a6e-75ca-4233-8b8c-42e0f2037d3b
carbon_black query
(ScriptBlockText:&&* ScriptBlockText:rundll32* ScriptBlockText:shell32.dll* ScriptBlockText:shellexec_rundll*) (ScriptBlockText:value* OR ScriptBlockText:invoke* OR ScriptBlockText:comspec* OR ScriptBlockText:iex*)
view Sigma YAML 
title: Invoke-Obfuscation Via Use Rundll32 - PowerShell
id: a5a30a6e-75ca-4233-8b8c-42e0f2037d3b
status: test
description: Detects Obfuscated Powershell via use Rundll32 in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009
author: Nikita Nazarov, oscd.community
date: 2019-10-08
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_4104:
        ScriptBlockText|contains|all:
            - '&&'
            - 'rundll32'
            - 'shell32.dll'
            - 'shellexec_rundll'
        ScriptBlockText|contains:
            - 'value'
            - 'invoke'
            - 'comspec'
            - 'iex'
    condition: selection_4104
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
Invoke-Obfuscation Via Use Rundll32 - PowerShell Module
Detects Obfuscated Powershell via use Rundll32 in Scripts
status test author Nikita Nazarov, oscd.community ATT&CK sub-technique id 88a22f69-62f9-4b8a-aa00-6b0212f2f05a
carbon_black query
(Payload:&&* Payload:rundll32* Payload:shell32.dll* Payload:shellexec_rundll*) (Payload:value* OR Payload:invoke* OR Payload:comspec* OR Payload:iex*)
view Sigma YAML 
title: Invoke-Obfuscation Via Use Rundll32 - PowerShell Module
id: 88a22f69-62f9-4b8a-aa00-6b0212f2f05a
related:
    - id: a5a30a6e-75ca-4233-8b8c-42e0f2037d3b
      type: derived
status: test
description: Detects Obfuscated Powershell via use Rundll32 in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009
author: Nikita Nazarov, oscd.community
date: 2019-10-08
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_4103:
        Payload|contains|all:
            - '&&'
            - 'rundll32'
            - 'shell32.dll'
            - 'shellexec_rundll'
        Payload|contains:
            - 'value'
            - 'invoke'
            - 'comspec'
            - 'iex'
    condition: selection_4103
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
Invoke-Obfuscation Via Use Rundll32 - Security
Detects Obfuscated Powershell via use Rundll32 in Scripts
status test author Nikita Nazarov, oscd.community ATT&CK sub-technique id cd0f7229-d16f-42de-8fe3-fba365fbcb3a
carbon_black query
EventID:4697 (ServiceFileName:&&* ServiceFileName:rundll32* ServiceFileName:shell32.dll* ServiceFileName:shellexec_rundll*) (ServiceFileName:value* OR ServiceFileName:invoke* OR ServiceFileName:comspec* OR ServiceFileName:iex*)
view Sigma YAML 
title: Invoke-Obfuscation Via Use Rundll32 - Security
id: cd0f7229-d16f-42de-8fe3-fba365fbcb3a
related:
    - id: 641a4bfb-c017-44f7-800c-2aee0184ce9b
      type: derived
status: test
description: Detects Obfuscated Powershell via use Rundll32 in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task30)
author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    selection:
        EventID: 4697
        ServiceFileName|contains|all:
            - '&&'
            - 'rundll32'
            - 'shell32.dll'
            - 'shellexec_rundll'
        ServiceFileName|contains:
            - value
            - invoke
            - comspec
            - iex
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
Invoke-Obfuscation Via Use Rundll32 - System
Detects Obfuscated Powershell via use Rundll32 in Scripts
status test author Nikita Nazarov, oscd.community ATT&CK sub-technique id 641a4bfb-c017-44f7-800c-2aee0184ce9b
carbon_black query
Provider_Name:Service\ Control\ Manager EventID:7045 (ImagePath:&&* ImagePath:rundll32* ImagePath:shell32.dll* ImagePath:shellexec_rundll*) (ImagePath:value* OR ImagePath:invoke* OR ImagePath:comspec* OR ImagePath:iex*)
view Sigma YAML 
title: Invoke-Obfuscation Via Use Rundll32 - System
id: 641a4bfb-c017-44f7-800c-2aee0184ce9b
status: test
description: Detects Obfuscated Powershell via use Rundll32 in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task30)
author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ImagePath|contains|all:
            - '&&'
            - 'rundll32'
            - 'shell32.dll'
            - 'shellexec_rundll'
        ImagePath|contains:
            - 'value'
            - 'invoke'
            - 'comspec'
            - 'iex'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
JNDIExploit Pattern
Detects exploitation attempt using the JNDI-Exploit-Kit
status test author Florian Roth (Nextron Systems) ATT&CK technique id 412d55bc-7737-4d25-9542-5b396867ce55
carbon_black query
"\/Basic\/Command\/Base64\/" OR "\/Basic\/ReverseShell\/" OR "\/Basic\/TomcatMemshell" OR "\/Basic\/JettyMemshell" OR "\/Basic\/WeblogicMemshell" OR "\/Basic\/JBossMemshell" OR "\/Basic\/WebsphereMemshell" OR "\/Basic\/SpringMemshell" OR "\/Deserialization\/URLDNS\/" OR "\/Deserialization\/CommonsCollections1\/Dnslog\/" OR "\/Deserialization\/CommonsCollections2\/Command\/Base64\/" OR "\/Deserialization\/CommonsBeanutils1\/ReverseShell\/" OR "\/Deserialization\/Jre8u20\/TomcatMemshell" OR "\/TomcatBypass\/Dnslog\/" OR "\/TomcatBypass\/Command\/" OR "\/TomcatBypass\/ReverseShell\/" OR "\/TomcatBypass\/TomcatMemshell" OR "\/TomcatBypass\/SpringMemshell" OR "\/GroovyBypass\/Command\/" OR "\/WebsphereBypass\/Upload\/"
view Sigma YAML 
title: JNDIExploit Pattern
id: 412d55bc-7737-4d25-9542-5b396867ce55
status: test
description: Detects exploitation attempt using the JNDI-Exploit-Kit
references:
    - https://github.com/pimps/JNDI-Exploit-Kit
    - https://web.archive.org/web/20231015205935/https://githubmemory.com/repo/FunctFan/JNDIExploit
author: Florian Roth (Nextron Systems)
date: 2021-12-12
modified: 2022-12-25
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    category: webserver
detection:
    keywords:
        - '/Basic/Command/Base64/'
        - '/Basic/ReverseShell/'
        - '/Basic/TomcatMemshell'
        - '/Basic/JettyMemshell'
        - '/Basic/WeblogicMemshell'
        - '/Basic/JBossMemshell'
        - '/Basic/WebsphereMemshell'
        - '/Basic/SpringMemshell'
        - '/Deserialization/URLDNS/'
        - '/Deserialization/CommonsCollections1/Dnslog/'
        - '/Deserialization/CommonsCollections2/Command/Base64/'
        - '/Deserialization/CommonsBeanutils1/ReverseShell/'
        - '/Deserialization/Jre8u20/TomcatMemshell'
        - '/TomcatBypass/Dnslog/'
        - '/TomcatBypass/Command/'
        - '/TomcatBypass/ReverseShell/'
        - '/TomcatBypass/TomcatMemshell'
        - '/TomcatBypass/SpringMemshell'
        - '/GroovyBypass/Command/'
        - '/WebsphereBypass/Upload/'
    condition: keywords
falsepositives:
    - Legitimate apps the use these paths
level: high
Convert to SIEM query
high Moderate High FP
JXA In-memory Execution Via OSAScript
Detects possible malicious execution of JXA in-memory via OSAScript
status test author Sohan G (D4rkCiph3r) ATT&CK sub-technique id f1408a58-0e94-4165-b80a-da9f96cf6fc3
carbon_black query
(CommandLine:osascript* CommandLine:\ \-e\ * CommandLine:eval* CommandLine:NSData.dataWithContentsOfURL*) ((CommandLine:\ \-l\ * CommandLine:JavaScript*) OR CommandLine:.js*)
view Sigma YAML 
title: JXA In-memory Execution Via OSAScript
id: f1408a58-0e94-4165-b80a-da9f96cf6fc3
related:
    - id: 1bc2e6c5-0885-472b-bed6-be5ea8eace55
      type: derived
status: test
description: Detects possible malicious execution of JXA in-memory via OSAScript
references:
    - https://redcanary.com/blog/applescript/
author: Sohan G (D4rkCiph3r)
date: 2023-01-31
tags:
    - attack.t1059.002
    - attack.t1059.007
    - attack.execution
logsource:
    product: macos
    category: process_creation
detection:
    selection_main:
        CommandLine|contains|all:
            - 'osascript'
            - ' -e '
            - 'eval'
            - 'NSData.dataWithContentsOfURL'
    selection_js:
        - CommandLine|contains|all:
              - ' -l '
              - 'JavaScript'
        - CommandLine|contains: '.js'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
Java Payload Strings
Detects possible Java payloads in web access logs
status test author frack113, Harjot Singh, "@cyb3rjy0t" (update) ATT&CK technique id 583aa0a2-30b1-4d62-8bf3-ab73689efe6c
carbon_black query
"%24%7B%28%23a%3D%40" OR "$\{\(#a=@" OR "%24%7B%40java" OR "$\{@java" OR "u0022java" OR "%2F%24%7B%23" OR "\/$\{#" OR "new\+java." OR "getRuntime\(\).exec\(" OR "getRuntime%28%29.exec%28"
view Sigma YAML 
title: Java Payload Strings
id: 583aa0a2-30b1-4d62-8bf3-ab73689efe6c
status: test
description: Detects possible Java payloads in web access logs
references:
    - https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/
    - https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/
    - https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md
    - https://twitter.com/httpvoid0x2f/status/1532924261035384832
    - https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035
author: frack113, Harjot Singh, "@cyb3rjy0t" (update)
date: 2022-06-04
modified: 2023-01-19
tags:
    - cve.2022-26134
    - cve.2021-26084
    - attack.initial-access
    - attack.t1190
logsource:
    category: webserver
detection:
    keywords:
        - '%24%7B%28%23a%3D%40'
        - '${(#a=@'
        - '%24%7B%40java'
        - '${@java'
        - 'u0022java'
        - '%2F%24%7B%23'
        - '/${#'
        - 'new+java.'
        - 'getRuntime().exec('
        - 'getRuntime%28%29.exec%28'
    condition: keywords
falsepositives:
    - Legitimate apps
level: high
Convert to SIEM query
high Moderate High FP
JexBoss Command Sequence
Detects suspicious command sequence that JexBoss
status test author Florian Roth (Nextron Systems) ATT&CK sub-technique id 8ec2c8b4-557a-4121-b87c-5dfb3a602fae
carbon_black query
"bash\ \-c\ \/bin\/bash" "&\/dev\/tcp\/"
view Sigma YAML 
title: JexBoss Command Sequence
id: 8ec2c8b4-557a-4121-b87c-5dfb3a602fae
status: test
description: Detects suspicious command sequence that JexBoss
references:
    - https://www.us-cert.gov/ncas/analysis-reports/AR18-312A
author: Florian Roth (Nextron Systems)
date: 2017-08-24
modified: 2025-11-22
tags:
    - attack.execution
    - attack.t1059.004
logsource:
    product: linux
detection:
    keywords:
        '|all':
            - 'bash -c /bin/bash'
            - '&/dev/tcp/'
    condition: keywords
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
Kalambur Backdoor Curl TOR SOCKS Proxy Execution
Detects the execution of the "curl.exe" command, referencing "SOCKS" and ".onion" domains, which could be indicative of Kalambur backdoor activity.
status experimental author Arda Buyukkaya (EclecticIQ) ATT&CK sub-technique id e99375eb-3ee0-407a-9f90-79569cc6a01c
carbon_black query
Image:\\curl.exe (CommandLine:socks5h\:\/\/* OR CommandLine:socks5\:\/\/* OR CommandLine:socks4a\:\/\/*) CommandLine:.onion*
view Sigma YAML 
title: Kalambur Backdoor Curl TOR SOCKS Proxy Execution
id: e99375eb-3ee0-407a-9f90-79569cc6a01c
status: experimental
description: Detects the execution of the "curl.exe" command, referencing "SOCKS" and ".onion" domains, which could be indicative of Kalambur backdoor activity.
references:
    - https://blog.eclecticiq.com/sandworm-apt-targets-ukrainian-users-with-trojanized-microsoft-kms-activation-tools-in-cyber-espionage-campaigns
author: Arda Buyukkaya (EclecticIQ)
date: 2025-02-11
tags:
    - attack.execution
    - attack.command-and-control
    - attack.t1090
    - attack.t1573
    - attack.t1071.001
    - attack.t1059.001
    - attack.s0183
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\curl.exe'
    selection_socks:
        CommandLine|contains:
            - 'socks5h://'
            - 'socks5://'
            - 'socks4a://'
    selection_onion:
        CommandLine|contains: '.onion'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate High FP
Kapeka Backdoor Autorun Persistence
Detects the setting of a new value in the Autorun key that is used by the Kapeka backdoor for persistence.
status test author Swachchhanda Shrawan Poudel ATT&CK sub-technique id c0c67b21-eb8a-4c84-a395-40473ec3b482
carbon_black query
TargetObject:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run* (TargetObject:\\Sens\ Api OR TargetObject:\\OneDrive) (Details:\:\\WINDOWS\\system32\\rundll32.exe* Details:.wll* Details:#1*)
view Sigma YAML 
title: Kapeka Backdoor Autorun Persistence
id: c0c67b21-eb8a-4c84-a395-40473ec3b482
related:
    - id: 64a871dd-83f6-4e5f-80fc-5a7ca3a8a819
      type: similar
status: test
description: Detects the setting of a new value in the Autorun key that is used by the Kapeka backdoor for persistence.
references:
    - https://labs.withsecure.com/publications/kapeka
    - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
author: Swachchhanda Shrawan Poudel
date: 2024-07-03
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
    - detection.emerging-threats
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
        TargetObject|endswith:
            - '\Sens Api'
            - '\OneDrive'
        Details|contains|all:
            - ':\WINDOWS\system32\rundll32.exe'
            - '.wll'
            - '#1'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Strong Medium FP
Kapeka Backdoor Execution Via RunDLL32.EXE
Detects Kapeka backdoor process execution pattern, where the dropper launch the backdoor binary by calling rundll32 and passing the backdoor's first export ordinal (#1) with a "-d" argument.
status test author Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems) ATT&CK sub-technique id e98f741c-6a5b-4c83-bc2a-1f4e58d07b12
carbon_black query
(Image:\\rundll32.exe OR OriginalFileName:RUNDLL32.EXE) (CommandLine:\:\\ProgramData* OR CommandLine:\\AppData\\Local*) ((CommandLine:.wll* CommandLine:#1* CommandLine:\ \-d*) OR (CommandLine:.wll* CommandLine:#1))
view Sigma YAML 
title: Kapeka Backdoor Execution Via RunDLL32.EXE
id: e98f741c-6a5b-4c83-bc2a-1f4e58d07b12
status: test
description: |
    Detects Kapeka backdoor process execution pattern, where the dropper launch the backdoor binary by calling rundll32 and passing the backdoor's first export ordinal (#1) with a "-d" argument.
references:
    - https://labs.withsecure.com/publications/kapeka
    - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
author: Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
date: 2024-07-03
tags:
    - attack.stealth
    - attack.t1218.011
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: 'RUNDLL32.EXE'
    selection_backdoor_path:
        CommandLine|contains:
            - ':\ProgramData'
            - '\AppData\Local'
    selection_backdoor_exec_1:
        CommandLine|contains|all:
            - '.wll'
            - '#1'
            - ' -d'
    selection_backdoor_exec_2:
        # This account for the in the wild variant
        CommandLine|contains: '.wll'
        CommandLine|endswith: '#1'
    condition: selection_img and selection_backdoor_path and 1 of selection_backdoor_exec_*
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
Kapeka Backdoor Loaded Via Rundll32.EXE
Detects the Kapeka Backdoor binary being loaded by rundll32.exe. The Kapeka loader drops a backdoor, which is a DLL with the '.wll' extension masquerading as a Microsoft Word Add-In.
status test author Swachchhanda Shrawan Poudel ATT&CK sub-technique id a7e6b1f9-8d2c-4f1e-9a7d-63e4c8a2bf4c
carbon_black query
Image:\\rundll32.exe (ImageLoaded:\:\\ProgramData* OR ImageLoaded:\\AppData\\Local\\*) ImageLoaded:[a-zA-Z]{5,6}\\.wll
view Sigma YAML 
title: Kapeka Backdoor Loaded Via Rundll32.EXE
id: a7e6b1f9-8d2c-4f1e-9a7d-63e4c8a2bf4c
status: test
description: |
    Detects the Kapeka Backdoor binary being loaded by rundll32.exe.
    The Kapeka loader drops a backdoor, which is a DLL with the '.wll' extension masquerading as a Microsoft Word Add-In.
references:
    - https://labs.withsecure.com/publications/kapeka
    - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
author: Swachchhanda Shrawan Poudel
date: 2024-07-03
tags:
    - attack.execution
    - attack.stealth
    - attack.t1204.002
    - attack.t1218.011
    - detection.emerging-threats
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\rundll32.exe'
        ImageLoaded|contains:
            - ':\ProgramData'
            - '\AppData\Local\'
        ImageLoaded|re: '[a-zA-Z]{5,6}\.wll'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Strong Medium FP
Kapeka Backdoor Persistence Activity
Detects Kapeka backdoor persistence activity. Depending on the process privileges, the Kapeka dropper then sets persistence for the backdoor either as a scheduled task (if admin or SYSTEM) or autorun registry (if not). For the scheduled task, it creates a scheduled task called "Sens Api" via schtasks command, which is set to run upon system startup as SYSTEM. To establish persistence through the autorun utility, it adds an autorun entry called "Sens Api" under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run via the "reg add" command. Both persistence mechanisms are set to launch the binary by calling rundll32 and passing the backdoor's first export ordinal (#1) without any additional argument.
status test author Swachchhanda Shrawan Poudel ATT&CK sub-technique id 64a871dd-83f6-4e5f-80fc-5a7ca3a8a819
carbon_black query
(((Image:\\schtasks.exe OR OriginalFileName:schtasks.exe) (CommandLine:create* CommandLine:ONSTART*)) OR ((Image:\\reg.exe OR OriginalFileName:reg.exe) (CommandLine:add* CommandLine:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run*))) ((CommandLine:rundll32* CommandLine:.wll* CommandLine:#1*) (CommandLine:Sens\ Api* OR CommandLine:OneDrive*))
view Sigma YAML 
title: Kapeka Backdoor Persistence Activity
id: 64a871dd-83f6-4e5f-80fc-5a7ca3a8a819
status: test
description: |
    Detects Kapeka backdoor persistence activity.
    Depending on the process privileges, the Kapeka dropper then sets persistence for the backdoor either as a scheduled task (if admin or SYSTEM) or autorun registry (if not).
    For the scheduled task, it creates a scheduled task called "Sens Api" via schtasks command, which is set to run upon system startup as SYSTEM.
    To establish persistence through the autorun utility, it adds an autorun entry called "Sens Api" under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run via the "reg add" command.
    Both persistence mechanisms are set to launch the binary by calling rundll32 and passing the backdoor's first export ordinal (#1) without any additional argument.
references:
    - https://labs.withsecure.com/publications/kapeka
    - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
    - https://www.virustotal.com/gui/file/bd07fb1e9b4768e7202de6cc454c78c6891270af02085c51fce5539db1386c3f/behavior
author: Swachchhanda Shrawan Poudel
date: 2024-07-03
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1053.005
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_schtasks_img:
        - Image|endswith: '\schtasks.exe'
        - OriginalFileName: 'schtasks.exe'
    selection_schtasks_flags:
        CommandLine|contains|all:
            - 'create'
            - 'ONSTART'
    selection_reg_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_reg_flags:
        CommandLine|contains|all:
            - 'add'
            - '\Software\Microsoft\Windows\CurrentVersion\Run'
    selection_backdoor_command:
        CommandLine|contains|all:
            - 'rundll32'
            - '.wll'
            - '#1'
        CommandLine|contains:
            - 'Sens Api'
            - 'OneDrive' # The scheduled task was called "OneDrive" instead of "Sens Api" in some cases
    condition: (all of selection_schtasks_* or all of selection_reg_*) and selection_backdoor_command
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Strong Medium FP
Kapeka Backdoor Scheduled Task Creation
Detects Kapeka backdoor scheduled task creation based on attributes such as paths, commands line flags, etc.
status test author Swachchhanda Shrawan Poudel ATT&CK sub-technique id 6c130acd-0adb-4545-bcc4-2e85d0883c9a
carbon_black query
EventID:4698 (TaskContent:\:\\ProgramData\\* OR TaskContent:\\AppData\\Local\\*) (TaskContent:rundll32* TaskContent:.wll* TaskContent:#1*) (TaskContent:OneDrive* OR TaskContent:Sens\ Api*)
view Sigma YAML 
title: Kapeka Backdoor Scheduled Task Creation
id: 6c130acd-0adb-4545-bcc4-2e85d0883c9a
related:
    - id: 64a871dd-83f6-4e5f-80fc-5a7ca3a8a819
      type: similar
status: test
description: Detects Kapeka backdoor scheduled task creation based on attributes such as paths, commands line flags, etc.
references:
    - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698
    - https://labs.withsecure.com/publications/kapeka
    - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
    - https://www.virustotal.com/gui/file/bd07fb1e9b4768e7202de6cc454c78c6891270af02085c51fce5539db1386c3f/behavior
author: Swachchhanda Shrawan Poudel
date: 2024-07-03
tags:
    - attack.execution
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1053.005
    - detection.emerging-threats
logsource:
    product: windows
    service: security
    definition: 'Requirements: The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to trigger this detection.'
detection:
    selection_eid:
        EventID: 4698
    selection_paths:
        TaskContent|contains:
            - ':\ProgramData\'
            - '\AppData\Local\'
    selection_command:
        TaskContent|contains|all:
            - 'rundll32'
            - '.wll'
            - '#1'
    selection_taskname:
        TaskContent|contains:
            - 'OneDrive' # The scheduled task was called “OneDrive” instead of “Sens Api” in some cases
            - 'Sens Api'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
Kaspersky Endpoint Security Stopped Via CommandLine - Linux
Detects execution of the Kaspersky init.d stop script on Linux systems either directly or via systemctl. This activity may indicate a manual interruption of the antivirus service by an administrator, or it could be a sign of potential tampering or evasion attempts by malicious actors.
status experimental author Milad Cheraghi ATT&CK technique id 36388120-b3f1-4ce9-b50b-280d9a7f4c04
carbon_black query
(Image:\/systemctl OR Image:\/bash OR Image:\/sh) (CommandLine:stop* CommandLine:kesl*)
view Sigma YAML 
title: Kaspersky Endpoint Security Stopped Via CommandLine - Linux
id: 36388120-b3f1-4ce9-b50b-280d9a7f4c04
status: experimental
description: |
  Detects execution of the Kaspersky init.d stop script on Linux systems either directly or via systemctl.
  This activity may indicate a manual interruption of the antivirus service by an administrator, or it could be a sign of potential tampering or evasion attempts by malicious actors.
references:
    - https://support.kaspersky.com/KES4Linux/12.0.0/en-US/197929.htm
author: Milad Cheraghi
date: 2025-10-18
tags:
    - attack.execution
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith:
            # Note: Add the list of shells allowed in your environment that can be used to run init.d scripts.
            - '/systemctl'
            - '/bash'
            - '/sh'
        CommandLine|contains|all:
            - 'stop'
            - 'kesl'
    condition: selection
falsepositives:
    - System administrator manually stopping Kaspersky services
level: high
Convert to SIEM query
high Basic High FP
Katz Stealer DLL Loaded
Detects loading of DLLs associated with Katz Stealer malware 2025 variants. Katz Stealer is a malware variant that is known to be used for stealing sensitive information from compromised systems. The process that loads these DLLs are very likely to be malicious.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) ATT&CK technique id e6c7ab7c-c79d-4b84-b913-b2ec3f8e8a98
carbon_black query
ImageLoaded:\\katz_ontop.dll OR ImageLoaded:\\AppData\\Local\\Temp\\received_dll.dll
view Sigma YAML 
title: Katz Stealer DLL Loaded
id: e6c7ab7c-c79d-4b84-b913-b2ec3f8e8a98
status: experimental
description: |
    Detects loading of DLLs associated with Katz Stealer malware 2025 variants.
    Katz Stealer is a malware variant that is known to be used for stealing sensitive information from compromised systems.
    The process that loads these DLLs are very likely to be malicious.
references:
    - Internal Research
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-05-22
tags:
    - attack.execution
    - attack.t1129
    - detection.emerging-threats
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith:
            - '\katz_ontop.dll'
            - '\AppData\Local\Temp\received_dll.dll'
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Basic Medium FP
Katz Stealer Suspicious User-Agent
Detects network connections with a suspicious user-agent string containing "katz-ontop", which may indicate Katz Stealer activity.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) ATT&CK sub-technique id 834c6d2f-5e98-4b2a-b453-0c4f234afedd
carbon_black query
user_agent:katz\-ontop*
view Sigma YAML 
title: Katz Stealer Suspicious User-Agent
id: 834c6d2f-5e98-4b2a-b453-0c4f234afedd
status: experimental
description: |
    Detects network connections with a suspicious user-agent string containing "katz-ontop", which may indicate Katz Stealer activity.
references:
    - Internal Research
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-05-22
tags:
    - attack.command-and-control
    - attack.t1071.001
    - detection.emerging-threats
logsource:
    product: zeek
    service: http
detection:
    selection:
        user_agent|contains: 'katz-ontop'
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
Showing 651-700 of 3,646
Prev 14 Next
SOC and Response
CVE triage
Stack monitoring
Am I affected
IOC triage
KEV catalog
Recently exploited
Daily brief
Change tracking
Detection Engineering
Detection coverage workspace
Saved stacks
SIEM query builder
Detection rules
D3FEND
Threat Hunting
Threat actors
ATT&CK techniques
Attack paths
Indicators
Ransomware groups
Atomic tests
Red Team and Pentest
Exploitability triage
Recon pack
Attack paths
CAPEC patterns
Adversary emulation
Compliance and GRC
Framework mapping
Control assessment
Audit view
Atlas Search Threat actors Techniques Detection coverage Tools & malware CWE CAPEC KEV catalog Package vulns
About All capabilities Pricing API docs Privacy policy Terms of service
threatengine.sh