Tool
EDR / XDR
VMware Carbon Black
3,646 rules · Sigma detections in VMware Carbon Black syntax
The same Sigma detection corpus, machine-rendered into VMware Carbon Black query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 3,646 rules (.zip, 1.2 MB)
Every VMware Carbon Black query in this view, packaged to deploy.
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance12
Resource Development10
Initial Access10
Execution30
Persistence42
Privilege Escalation20
Stealth79
Defense Impairment32
Credential Access35
Discovery33
Lateral Movement16
Collection20
Command and Control24
Exfiltration10
Impact18
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
◈
Detection rules
50 shown of 3,646
high
Moderate
High FP
Kavremover Dropped Binary LOLBIN Usage
Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.
view Sigma YAML
title: Kavremover Dropped Binary LOLBIN Usage
id: d047726b-c71c-4048-a99b-2e2f50dc107d
status: test
description: Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.
references:
- https://nasbench.medium.com/lolbined-using-kaspersky-endpoint-security-kes-installer-to-execute-arbitrary-commands-1c999f1b7fea
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-11-01
tags:
- attack.execution
- attack.stealth
- attack.t1127
logsource:
product: windows
category: process_creation
detection:
selection:
CommandLine|contains: ' run run-cmd '
filter_main_legit_parents:
ParentImage|endswith:
- '\cleanapi.exe' # When launched from KES installer
- '\kavremover.exe' # When launched from kavremover.exe
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Low FP
Kerberos Manipulation
Detects failed Kerberos TGT issue operation. This can be a sign of manipulations of TGT messages by an attacker.
view Sigma YAML
title: Kerberos Manipulation
id: f7644214-0eb0-4ace-9455-331ec4c09253
status: test
description: Detects failed Kerberos TGT issue operation. This can be a sign of manipulations of TGT messages by an attacker.
references:
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4771
author: Florian Roth (Nextron Systems)
date: 2017-02-10
modified: 2024-01-16
tags:
- attack.credential-access
- attack.t1212
logsource:
product: windows
service: security
detection:
selection:
EventID:
- 675
- 4768
- 4769
- 4771
Status:
- '0x9'
- '0xA'
- '0xB'
- '0xF'
- '0x10'
- '0x11'
- '0x13'
- '0x14'
- '0x1A'
- '0x1F'
- '0x21'
- '0x22'
- '0x23'
- '0x24'
- '0x26'
- '0x27'
- '0x28'
- '0x29'
- '0x2C'
- '0x2D'
- '0x2E'
- '0x2F'
- '0x31'
- '0x32'
- '0x3E'
- '0x3F'
- '0x40'
- '0x41'
- '0x43'
- '0x44'
condition: selection
falsepositives:
- Faulty legacy applications
level: high
Convert to SIEM query
high
Strong
High FP
Kernel Memory Dump Via LiveKD
Detects execution of LiveKD with the "-m" flag to potentially dump the kernel memory
view Sigma YAML
title: Kernel Memory Dump Via LiveKD
id: c7746f1c-47d3-43d6-8c45-cd1e54b6b0a2
status: test
description: Detects execution of LiveKD with the "-m" flag to potentially dump the kernel memory
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/livekd
- https://4sysops.com/archives/creating-a-complete-memory-dump-without-a-blue-screen/
- https://kb.acronis.com/content/60892
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-16
modified: 2024-03-13
tags:
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\livekd.exe'
- '\livekd64.exe'
- OriginalFileName: 'livekd.exe'
selection_cli:
CommandLine|contains|windash: ' -m'
condition: all of selection_*
falsepositives:
- Unlikely in production environment
level: high
Convert to SIEM query
high
Moderate
Low FP
KrbRelayUp Service Installation
Detects service creation from KrbRelayUp tool used for privilege escalation in Windows domain environments where LDAP signing is not enforced (the default settings)
view Sigma YAML
title: KrbRelayUp Service Installation
id: e97d9903-53b2-41fc-8cb9-889ed4093e80
status: test
description: Detects service creation from KrbRelayUp tool used for privilege escalation in Windows domain environments where LDAP signing is not enforced (the default settings)
references:
- https://github.com/Dec0ne/KrbRelayUp
author: Sittikorn S, Tim Shelton
date: 2022-05-11
modified: 2022-10-05
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1543
logsource:
product: windows
service: system
detection:
selection:
EventID: 7045
ServiceName: 'KrbSCM'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
LOL-Binary Copied From System Directory
Detects a suspicious copy operation that tries to copy a known LOLBIN from system (System32, SysWOW64, WinSxS) directories to another on disk in order to bypass detections based on locations.
view Sigma YAML
title: LOL-Binary Copied From System Directory
id: f5d19838-41b5-476c-98d8-ba8af4929ee2
related:
- id: fff9d2b7-e11c-4a69-93d3-40ef66189767
type: derived
status: test
description: |
Detects a suspicious copy operation that tries to copy a known LOLBIN from system (System32, SysWOW64, WinSxS) directories to another on disk in order to bypass detections based on locations.
references:
- https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120
- https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
- https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
- https://www.virustotal.com/gui/file/14e722855605ba78dc1d21153f0e1be90e7528149f2cd2d7d6eba8ef27534bdc/behavior
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-29
modified: 2025-11-27
tags:
- attack.stealth
- attack.t1036.003
logsource:
category: process_creation
product: windows
detection:
selection_tools_cmd:
Image|endswith: '\cmd.exe'
CommandLine|contains: 'copy '
selection_tools_pwsh:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
CommandLine|contains:
- 'copy-item'
- ' copy '
- 'cpi '
- ' cp '
selection_tools_other:
- Image|endswith:
- '\robocopy.exe'
- '\xcopy.exe'
- OriginalFileName:
- 'robocopy.exe'
- 'XCOPY.EXE'
selection_target_path:
CommandLine|contains:
- '\System32'
- '\SysWOW64'
- '\WinSxS'
selection_target_lolbin:
CommandLine|contains:
# Note: add more binaries to increase coverage
- '\bitsadmin.exe'
- '\calc.exe'
- '\certutil.exe'
- '\cmdl32.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\rundll32.exe'
- '\wscript.exe'
- '\ie4uinit.exe'
condition: 1 of selection_tools_* and all of selection_target_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
LPE InstallerFileTakeOver PoC CVE-2021-41379
Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379
view Sigma YAML
title: LPE InstallerFileTakeOver PoC CVE-2021-41379
id: 7dbb86de-a0cc-494c-8aa8-b2996c9ef3c8
status: test
description: Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379
references:
- https://web.archive.org/web/20220421061949/https://github.com/klinix5/InstallerFileTakeOver
author: Florian Roth (Nextron Systems)
date: 2021-11-22
modified: 2022-07-12
tags:
- attack.initial-access
- attack.t1190
- detection.emerging-threats
logsource:
product: windows
service: application
# warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
selection:
EventID: 1033
Provider_Name: 'MsiInstaller'
Data|contains: 'test pkg'
condition: selection
falsepositives:
- Other MSI packages for which your admins have used that name
level: high
Convert to SIEM query
high
Strong
Medium FP
LSASS Access Detected via Attack Surface Reduction
Detects Access to LSASS Process
view Sigma YAML
title: LSASS Access Detected via Attack Surface Reduction
id: a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98
status: test
description: Detects Access to LSASS Process
references:
- https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction
author: Markus Neis
date: 2018-08-26
modified: 2022-08-13
tags:
- attack.credential-access
- attack.t1003.001
logsource:
product: windows
service: windefend
definition: 'Requirements:Enabled Block credential stealing from the Windows local security authority subsystem (lsass.exe) from Attack Surface Reduction (GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2)'
detection:
selection:
EventID: 1121
Path|endswith: '\lsass.exe'
filter_thor:
ProcessName|startswith: 'C:\Windows\Temp\asgard2-agent\'
ProcessName|endswith:
- '\thor64.exe'
- '\thor.exe'
filter_exact:
ProcessName:
- 'C:\Windows\System32\atiesrxx.exe'
- 'C:\Windows\System32\CompatTelRunner.exe'
- 'C:\Windows\System32\msiexec.exe'
- 'C:\Windows\System32\nvwmi64.exe'
- 'C:\Windows\System32\svchost.exe'
- 'C:\Windows\System32\Taskmgr.exe'
- 'C:\Windows\System32\wbem\WmiPrvSE.exe'
- 'C:\Windows\SysWOW64\msiexec.exe'
filter_begins:
ProcessName|startswith:
- 'C:\Windows\System32\DriverStore\'
- 'C:\WINDOWS\Installer\'
- 'C:\Program Files\'
- 'C:\Program Files (x86)\'
condition: selection and not 1 of filter_*
falsepositives:
- Google Chrome GoogleUpdate.exe
- Some Taskmgr.exe related activity
level: high
Convert to SIEM query
high
Moderate
Medium FP
LSASS Access From Potentially White-Listed Processes
Detects a possible process memory dump that uses a white-listed filename like TrolleyExpress.exe as a way to dump the LSASS process memory without Microsoft Defender interference
view Sigma YAML
title: LSASS Access From Potentially White-Listed Processes
id: 4be8b654-0c01-4c9d-a10c-6b28467fc651
status: test
description: |
Detects a possible process memory dump that uses a white-listed filename like TrolleyExpress.exe as a way to dump the LSASS process memory without Microsoft Defender interference
references:
- https://twitter.com/_xpn_/status/1491557187168178176
- https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz
- https://twitter.com/mrd0x/status/1460597833917251595
author: Florian Roth (Nextron Systems)
date: 2022-02-10
modified: 2023-11-29
tags:
- attack.credential-access
- attack.t1003.001
- attack.s0002
logsource:
category: process_access
product: windows
detection:
selection:
TargetImage|endswith: '\lsass.exe'
SourceImage|endswith:
- '\TrolleyExpress.exe' # Citrix
- '\ProcessDump.exe' # Cisco Jabber
- '\dump64.exe' # Visual Studio
GrantedAccess|endswith:
- '10'
- '30'
- '50'
- '70'
- '90'
- 'B0'
- 'D0'
- 'F0'
- '18'
- '38'
- '58'
- '78'
- '98'
- 'B8'
- 'D8'
- 'F8'
- '1A'
- '3A'
- '5A'
- '7A'
- '9A'
- 'BA'
- 'DA'
- 'FA'
- '0x14C2' # https://github.com/b4rtik/ATPMiniDump/blob/76304f93b390af3bb66e4f451ca16562a479bdc9/ATPMiniDump/ATPMiniDump.c
- 'FF'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Low FP
LSASS Crash Via Netlogon Stack Buffer Overflow - CVE-2026-41089
Detects a crash of the LSASS process where netlogon.dll is the faulting module and the exception code is STATUS_STACK_BUFFER_OVERRUN (0xc0000409).
This crash, especially on Domain Controllers, might indicate the exploitation of CVE-2026-41089, a denial of service (DoS) vulnerability,
which exists in the Netlogon component of Windows and can be triggered by sending specially crafted requests to the Netlogon service,
leading to a stack-based buffer overflow and subsequent crash of the LSASS process.
view Sigma YAML
title: LSASS Crash Via Netlogon Stack Buffer Overflow - CVE-2026-41089
id: f8a66a02-4a16-46e5-b7fd-a42c8a93d137
status: experimental
description: |
Detects a crash of the LSASS process where netlogon.dll is the faulting module and the exception code is STATUS_STACK_BUFFER_OVERRUN (0xc0000409).
This crash, especially on Domain Controllers, might indicate the exploitation of CVE-2026-41089, a denial of service (DoS) vulnerability,
which exists in the Netlogon component of Windows and can be triggered by sending specially crafted requests to the Netlogon service,
leading to a stack-based buffer overflow and subsequent crash of the LSASS process.
references:
- https://aretiq.ai/research/vul260513-cve-2026-41089-microsoft-windows-netlogon-buildsamlogonresponse-stack-based-buffer-overflow-rce/
- https://learn.microsoft.com/en-us/shows/inside/c0000409
- https://github.com/p3Nt3st3r-sTAr/CVE-2026-41089
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41089
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-06-02
tags:
- attack.impact
- attack.t1499
- cve.2026-41089
- detection.emerging-threats
logsource:
product: windows
service: application
detection:
selection:
Provider_Name: 'Application Error'
EventID: 1000
AppName: 'lsass.exe'
ModuleName: 'netlogon.dll'
ExceptionCode: 'c0000409' # STATUS_STACK_BUFFER_OVERRUN
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
LSASS Dump Keyword In CommandLine
Detects the presence of the keywords "lsass" and ".dmp" in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process.
view Sigma YAML
title: LSASS Dump Keyword In CommandLine
id: ffa6861c-4461-4f59-8a41-578c39f3f23e
related:
- id: a5a2d357-1ab8-4675-a967-ef9990a59391
type: derived
status: test
description: |
Detects the presence of the keywords "lsass" and ".dmp" in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process.
references:
- https://github.com/Hackndo/lsassy
- https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf
- https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml
- https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/
- https://github.com/helpsystems/nanodump
- https://github.com/CCob/MirrorDump
author: E.M. Anhaus, Tony Lambert, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2019-10-24
modified: 2023-08-29
tags:
- attack.credential-access
- attack.t1003.001
logsource:
category: process_creation
product: windows
detection:
selection:
- CommandLine|contains:
- 'lsass.dmp'
- 'lsass.zip'
- 'lsass.rar'
- 'Andrew.dmp'
- 'Coredump.dmp'
- 'NotLSASS.zip' # https://github.com/CCob/MirrorDump
- 'lsass_2' # default format of procdump v9.0 is lsass_YYMMDD_HHmmss.dmp
- 'lsassdump'
- 'lsassdmp'
- CommandLine|contains|all:
- 'lsass'
- '.dmp'
- CommandLine|contains|all:
- 'SQLDmpr'
- '.mdmp'
- CommandLine|contains|all:
- 'nanodump'
- '.dmp'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Strong
Medium FP
LSASS Memory Access by Tool With Dump Keyword In Name
Detects LSASS process access requests from a source process with the "dump" keyword in its image name.
view Sigma YAML
title: LSASS Memory Access by Tool With Dump Keyword In Name
id: 9bd012ee-0dff-44d7-84a0-aa698cfd87a3
status: test
description: Detects LSASS process access requests from a source process with the "dump" keyword in its image name.
references:
- https://twitter.com/_xpn_/status/1491557187168178176
- https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz
author: Florian Roth (Nextron Systems)
date: 2022-02-10
modified: 2023-11-29
tags:
- attack.credential-access
- attack.t1003.001
- attack.s0002
logsource:
category: process_access
product: windows
detection:
selection:
TargetImage|endswith: '\lsass.exe'
SourceImage|contains: 'dump'
GrantedAccess|endswith:
- '10'
- '30'
- '50'
- '70'
- '90'
- 'B0'
- 'D0'
- 'F0'
- '18'
- '38'
- '58'
- '78'
- '98'
- 'B8'
- 'D8'
- 'F8'
- '1A'
- '3A'
- '5A'
- '7A'
- '9A'
- 'BA'
- 'DA'
- 'FA'
- '0x14C2' # https://github.com/b4rtik/ATPMiniDump/blob/76304f93b390af3bb66e4f451ca16562a479bdc9/ATPMiniDump/ATPMiniDump.c
- 'FF'
condition: selection
falsepositives:
- Rare programs that contain the word dump in their name and access lsass
level: high
Convert to SIEM query
high
Strong
Low FP
LSASS Process Crashed - Application
Detects Windows error reporting events where the process that crashed is LSASS (Local Security Authority Subsystem Service).
This could be the cause of a provoked crash by techniques such as Lsass-Shtinkering to dump credentials.
view Sigma YAML
title: LSASS Process Crashed - Application
id: a18e0862-127b-43ca-be12-1a542c75c7c5
status: experimental
description: |
Detects Windows error reporting events where the process that crashed is LSASS (Local Security Authority Subsystem Service).
This could be the cause of a provoked crash by techniques such as Lsass-Shtinkering to dump credentials.
references:
- https://github.com/deepinstinct/Lsass-Shtinkering
- https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-07
modified: 2025-12-03
tags:
- attack.credential-access
- attack.t1003.001
logsource:
product: windows
service: application
detection:
selection:
Provider_Name: 'Application Error'
EventID: 1000
AppName: 'lsass.exe'
ExceptionCode: 'c0000001' # STATUS_UNSUCCESSFUL
condition: selection
falsepositives:
- Rare legitimate crashing of the lsass process
level: high
Convert to SIEM query
high
Strong
High FP
LSASS Process Dump Artefact In CrashDumps Folder
Detects the presence of an LSASS dump file in the "CrashDumps" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.
view Sigma YAML
title: LSASS Process Dump Artefact In CrashDumps Folder
id: 6902955a-01b7-432c-b32a-6f5f81d8f625
status: test
description: Detects the presence of an LSASS dump file in the "CrashDumps" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.
references:
- https://github.com/deepinstinct/Lsass-Shtinkering
- https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
author: '@pbssubhash'
date: 2022-12-08
tags:
- attack.credential-access
- attack.t1003.001
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|startswith: 'C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps\'
TargetFilename|contains: 'lsass.exe.'
TargetFilename|endswith: '.dmp'
condition: selection
falsepositives:
- Rare legitimate dump of the process by the operating system due to a crash of lsass
level: high
Convert to SIEM query
high
Strong
High FP
LSASS Process Memory Dump Creation Via Taskmgr.EXE
Detects the creation of an "lsass.dmp" file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager.
view Sigma YAML
title: LSASS Process Memory Dump Creation Via Taskmgr.EXE
id: 69ca12af-119d-44ed-b50f-a47af0ebc364
status: test
description: Detects the creation of an "lsass.dmp" file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager.
author: Swachchhanda Shrawan Poudel
date: 2023-10-19
references:
- https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1003.001/T1003.001.md#L1
tags:
- attack.credential-access
- attack.t1003.001
logsource:
category: file_event
product: windows
detection:
selection:
Image|endswith:
- ':\Windows\system32\taskmgr.exe'
- ':\Windows\SysWOW64\taskmgr.exe'
TargetFilename|contains|all:
- '\AppData\Local\Temp\'
- '\lsass'
- '.DMP'
condition: selection
falsepositives:
- Rare case of troubleshooting by an administrator or support that has to be investigated regardless
level: high
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_taskmgr_lsass_dump/info.yml
Convert to SIEM query
high
Strong
Medium FP
LSASS Process Memory Dump Files
Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials.
view Sigma YAML
title: LSASS Process Memory Dump Files
id: a5a2d357-1ab8-4675-a967-ef9990a59391
related:
- id: db2110f3-479d-42a6-94fb-d35bc1e46492
type: obsolete
- id: 5e3d3601-0662-4af0-b1d2-36a05e90c40a
type: obsolete
status: test
description: Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials.
references:
- https://www.google.com/search?q=procdump+lsass
- https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf
- https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml
- https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/
- https://github.com/helpsystems/nanodump
- https://github.com/CCob/MirrorDump
- https://github.com/safedv/RustiveDump/blob/1a9b026b477587becfb62df9677cede619d42030/src/main.rs#L35
- https://github.com/ricardojoserf/NativeDump/blob/01d8cd17f31f51f5955a38e85cd3c83a17596175/NativeDump/Program.cs#L258
author: Florian Roth (Nextron Systems)
date: 2021-11-15
modified: 2024-10-08
tags:
- attack.credential-access
- attack.t1003.001
logsource:
product: windows
category: file_event
detection:
selection_1:
TargetFilename|endswith:
- '\Andrew.dmp'
- '\Coredump.dmp'
- '\lsass.dmp'
- '\lsass.rar'
- '\lsass.zip'
- '\NotLSASS.zip' # https://github.com/CCob/MirrorDump
- '\PPLBlade.dmp' # https://github.com/tastypepperoni/PPLBlade
- '\rustive.dmp' # https://github.com/safedv/RustiveDump/blob/main/src/main.rs#L35
selection_2:
TargetFilename|contains:
- '\lsass_2' # default format of procdump v9.0 is lsass_YYMMDD_HHmmss.dmp
- '\lsassdmp'
- '\lsassdump'
selection_3:
TargetFilename|contains|all:
- '\lsass'
- '.dmp'
selection_4:
TargetFilename|contains: 'SQLDmpr'
TargetFilename|endswith: '.mdmp'
selection_5:
TargetFilename|contains:
- '\nanodump'
- '\proc_' # NativeDump pattern https://github.com/ricardojoserf/NativeDump/blob/01d8cd17f31f51f5955a38e85cd3c83a17596175/NativeDump/Program.cs#L258
TargetFilename|endswith: '.dmp'
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
LSASS Process Reconnaissance Via Findstr.EXE
Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID
view Sigma YAML
title: LSASS Process Reconnaissance Via Findstr.EXE
id: fe63010f-8823-4864-a96b-a7b4a0f7b929
status: test
description: Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID
references:
- https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1
author: Florian Roth (Nextron Systems)
date: 2022-08-12
modified: 2024-06-04
tags:
- attack.credential-access
- attack.t1552.006
logsource:
category: process_creation
product: windows
detection:
selection_findstr_img:
- Image|endswith:
- '\find.exe'
- '\findstr.exe'
- OriginalFileName:
- 'FIND.EXE'
- 'FINDSTR.EXE'
selection_findstr_cli:
CommandLine|contains: 'lsass'
selection_special:
CommandLine|contains|windash:
- ' /i "lsass'
- ' /i lsass.exe'
- 'findstr "lsass'
- 'findstr lsass'
- 'findstr.exe "lsass'
- 'findstr.exe lsass'
condition: all of selection_findstr_* or selection_special
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_findstr_lsass/info.yml
Convert to SIEM query
high
Moderate
High FP
Lace Tempest Cobalt Strike Download
Detects specific command line execution used by Lace Tempest to download Cobalt Strike as reported by SysAid Team
view Sigma YAML
title: Lace Tempest Cobalt Strike Download
id: aa5b0a40-ed88-46aa-9fdc-0337b379ca9d
status: test
description: Detects specific command line execution used by Lace Tempest to download Cobalt Strike as reported by SysAid Team
references:
- https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-11-09
tags:
- attack.execution
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- -nop -w hidden -c IEX ((new-object net.webclient).downloadstring(
- /a')
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
High FP
Lace Tempest File Indicators
Detects PowerShell script file creation with specific names or suffixes which was seen being used often in PowerShell scripts by FIN7
view Sigma YAML
title: Lace Tempest File Indicators
id: e94486ea-2650-4548-bf25-88cbd0bb32d7
status: test
description: Detects PowerShell script file creation with specific names or suffixes which was seen being used often in PowerShell scripts by FIN7
references:
- https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-11-09
tags:
- attack.execution
- detection.emerging-threats
logsource:
category: file_event
product: windows
detection:
selection:
- TargetFilename|endswith:
- ':\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe'
- ':\Program Files\SysAidServer\tomcat\webapps\usersfiles.war'
- ':\Program Files\SysAidServer\tomcat\webapps\leave'
- TargetFilename|contains: ':\Program Files\SysAidServer\tomcat\webapps\user.'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
High FP
Lace Tempest Malware Loader Execution
Detects execution of a specific binary based on filename and hash used by Lace Tempest to load additional malware as reported by SysAid Team
view Sigma YAML
title: Lace Tempest Malware Loader Execution
id: 745ea50b-9673-4ba7-9426-cb45cf4a8e6d
status: test
description: Detects execution of a specific binary based on filename and hash used by Lace Tempest to load additional malware as reported by SysAid Team
references:
- https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-11-09
tags:
- attack.execution
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith: ':\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe'
selection_hash:
Hashes|contains: 'SHA256=B5ACF14CDAC40BE590318DEE95425D0746E85B1B7B1CBD14DA66F21F2522BF4D'
condition: 1 of selection_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
High FP
Lace Tempest PowerShell Evidence Eraser
Detects a PowerShell script used by Lace Tempest APT to erase evidence from victim servers by exploiting CVE-2023-47246 as reported by SysAid Team
view Sigma YAML
title: Lace Tempest PowerShell Evidence Eraser
id: b377ddab-502d-4519-9e8c-5590033d2d70
status: test
description: |
Detects a PowerShell script used by Lace Tempest APT to erase evidence from victim servers by exploiting CVE-2023-47246 as reported by SysAid Team
references:
- https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-11-09
tags:
- attack.execution
- attack.t1059.001
- detection.emerging-threats
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'cleanLL'
- 'usersfiles.war'
- 'Remove-Item -Path "$tomcat_dir'
- 'SysAidServer'
- 'sleep '
- 'while(1)'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
High FP
Lace Tempest PowerShell Launcher
Detects a PowerShell script used by Lace Tempest APT to launch their malware loader by exploiting CVE-2023-47246 as reported by SysAid Team
view Sigma YAML
title: Lace Tempest PowerShell Launcher
id: 37dc5463-f7e3-4f61-ad76-ba59cd02a651
status: test
description: |
Detects a PowerShell script used by Lace Tempest APT to launch their malware loader by exploiting CVE-2023-47246 as reported by SysAid Team
references:
- https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-11-09
tags:
- attack.execution
- attack.t1059.001
- detection.emerging-threats
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- '\SysAidServer\tomcat\webapps'
- 'Starting user.exe'
- '\usersfiles\user.exe'
- 'Remove-Item -Force "$wapps'
- '(Sophos).'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Strong
Medium FP
Lazarus APT DLL Sideloading Activity
Detects sideloading of trojanized DLLs used in Lazarus APT campaign in the case of a Spanish aerospace company
view Sigma YAML
title: Lazarus APT DLL Sideloading Activity
id: 24007168-a26b-4049-90d0-ce138e13a5cf
status: test
description: Detects sideloading of trojanized DLLs used in Lazarus APT campaign in the case of a Spanish aerospace company
references:
- https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/
- https://www.bleepingcomputer.com/news/security/lazarus-hackers-breach-aerospace-firm-with-new-lightlesscan-malware/
author: Thurein Oo, Nasreddine Bencherchali (Nextron Systems)
date: 2023-10-18
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574.001
- attack.g0032
- detection.emerging-threats
logsource:
product: windows
category: image_load
detection:
selection_mscoree:
Image: 'C:\ProgramShared\PresentationHost.exe'
ImageLoaded: ':\ProgramShared\mscoree.dll'
selection_colorui:
Image: 'C:\ProgramData\Adobe\colorcpl.exe'
ImageLoaded: 'C:\ProgramData\Adobe\colorui.dll'
selection_mapistub:
Image: 'C:\ProgramData\Oracle\Java\fixmapi.exe'
ImageLoaded: 'C:\ProgramData\Oracle\Java\mapistub.dll'
selection_hid:
Image: 'C:\ProgramData\Adobe\ARM\tabcal.exe'
ImageLoaded: 'C:\ProgramData\Adobe\ARM\HID.dll'
condition: 1 of selection_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
Medium FP
Lazarus System Binary Masquerading
Detects binaries used by the Lazarus group which use system names but are executed and launched from non-default location
view Sigma YAML
title: Lazarus System Binary Masquerading
id: 3f7f5b0b-5b16-476c-a85f-ab477f6dd24b
status: test
description: Detects binaries used by the Lazarus group which use system names but are executed and launched from non-default location
references:
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf
author: Trent Liffick (@tliffick), Bartlomiej Czyz (@bczyz1)
date: 2020-06-03
modified: 2023-03-10
tags:
- attack.stealth
- attack.t1036.005
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\msdtc.exe'
- '\gpsvc.exe'
filter:
Image|startswith:
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
condition: selection and not filter
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
Medium FP
Legitimate Application Dropped Archive
Detects programs on a Windows system that should not write an archive to disk
view Sigma YAML
title: Legitimate Application Dropped Archive
id: 654fcc6d-840d-4844-9b07-2c3300e54a26
status: test
description: Detects programs on a Windows system that should not write an archive to disk
references:
- https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
author: frack113, Florian Roth
date: 2022-08-21
tags:
- attack.stealth
- attack.t1218
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith:
# Microsoft Office Programs Dropping Executables
- \winword.exe
- \excel.exe
- \powerpnt.exe
- \msaccess.exe
- \mspub.exe
- \eqnedt32.exe
- \visio.exe
- \wordpad.exe
- \wordview.exe
# LOLBINs that can be used to download executables
- \certutil.exe
- \certoc.exe
- \CertReq.exe
# - \bitsadmin.exe (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env)
- \Desktopimgdownldr.exe
- \esentutl.exe
# - \expand.exe
- \finger.exe
# Executables that should never drop an executable to disk (but may after a previous process injection or if it's malware that uses a legitimate name)
- \notepad.exe
- \AcroRd32.exe
- \RdrCEF.exe
- \mshta.exe
- \hh.exe
TargetFilename|endswith:
- '.zip'
- '.rar'
- '.7z'
- '.diagcab'
- '.appx'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Legitimate Application Dropped Executable
Detects programs on a Windows system that should not write executables to disk
view Sigma YAML
title: Legitimate Application Dropped Executable
id: f0540f7e-2db3-4432-b9e0-3965486744bc
status: test
description: Detects programs on a Windows system that should not write executables to disk
references:
- https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
author: frack113, Florian Roth (Nextron Systems)
date: 2022-08-21
modified: 2023-06-22
tags:
- attack.stealth
- attack.t1218
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith:
# Microsoft Office Programs Dropping Executables / Rest of the apps are covered in: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
- '\eqnedt32.exe'
- '\wordpad.exe'
- '\wordview.exe'
# LOLBINs that can be used to download executables
- '\certutil.exe'
- '\certoc.exe'
- '\CertReq.exe'
# - \bitsadmin.exe (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env)
- '\Desktopimgdownldr.exe'
- '\esentutl.exe'
# - \expand.exe
- '\mshta.exe'
# Executables that should never drop an executable to disk (but may after a previous process injection or if it's malware that uses a legitimate name)
- '\AcroRd32.exe'
- '\RdrCEF.exe'
- '\hh.exe'
- '\finger.exe'
TargetFilename|endswith:
- '.exe'
- '.dll'
- '.ocx'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Legitimate Application Dropped Script
Detects programs on a Windows system that should not write scripts to disk
view Sigma YAML
title: Legitimate Application Dropped Script
id: 7d604714-e071-49ff-8726-edeb95a70679
status: test
description: Detects programs on a Windows system that should not write scripts to disk
references:
- https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
author: frack113, Florian Roth (Nextron Systems)
date: 2022-08-21
modified: 2023-06-22
tags:
- attack.stealth
- attack.t1218
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith:
# Microsoft Office Programs Dropping Executables / Rest of the apps are covered in: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
- \eqnedt32.exe
- \wordpad.exe
- \wordview.exe
# LOLBINs that can be used to download executables
- \certutil.exe
- \certoc.exe
- \CertReq.exe
# - \bitsadmin.exe (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env)
- \Desktopimgdownldr.exe
- \esentutl.exe
# - \expand.exe
- '\mshta.exe'
# Executables that should never drop an executable to disk (but may after a previous process injection or if it's malware that uses a legitimate name)
- '\AcroRd32.exe'
- '\RdrCEF.exe'
- '\hh.exe'
- '\finger.exe'
TargetFilename|endswith:
- '.ps1'
- '.bat'
- '.vbs'
- '.scf'
- '.wsf'
- '.wsh'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Legitimate Application Writing Files In Uncommon Location
Detects legitimate applications writing any type of file to uncommon or suspicious locations that are not typical for application data storage or execution.
Adversaries may leverage legitimate applications (Living off the Land Binaries - LOLBins) to drop or download malicious files to uncommon locations on the system to evade detection by security solutions.
view Sigma YAML
title: Legitimate Application Writing Files In Uncommon Location
id: 1cf465a1-2609-4c15-9b66-c32dbe4bfd67
related:
- id: 2ddef153-167b-4e89-86b6-757a9e65dcac # bitsadmin dedicated rule
type: similar
status: experimental
description: |
Detects legitimate applications writing any type of file to uncommon or suspicious locations that are not typical for application data storage or execution.
Adversaries may leverage legitimate applications (Living off the Land Binaries - LOLBins) to drop or download malicious files to uncommon locations on the system to evade detection by security solutions.
references:
- https://lolbas-project.github.io/#/download
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-12-10
tags:
- attack.stealth
- attack.t1218
- attack.command-and-control
- attack.t1105
logsource:
product: windows
category: file_event
detection:
selection_img:
Image|endswith:
# Microsoft Office Programs Dropping Executables / Rest of the apps are covered in: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
- '\eqnedt32.exe'
- '\wordpad.exe'
- '\wordview.exe'
# LOLBINs that can be used to download executables
- '\cmdl32.exe'
- '\certutil.exe'
- '\certoc.exe'
- '\CertReq.exe'
- '\bitsadmin.exe'
- '\Desktopimgdownldr.exe'
- '\esentutl.exe'
- '\expand.exe'
- '\extrac32.exe'
- '\replace.exe'
- '\mshta.exe'
- '\ftp.exe'
- '\Ldifde.exe'
- '\RdrCEF.exe'
- '\hh.exe'
- '\finger.exe'
- '\findstr.exe'
selection_locations:
TargetFilename|contains:
- ':\Perflogs'
- ':\ProgramData\'
- ':\Temp\'
- ':\Users\Public\'
- ':\Windows\'
- '\$Recycle.Bin\'
- '\AppData\Local\'
- '\AppData\Roaming\'
- '\Contacts\'
- '\Desktop\'
- '\Favorites\'
- '\Favourites\'
- '\inetpub\wwwroot\'
- '\Music\'
- '\Pictures\'
- '\Start Menu\Programs\Startup\'
- '\Users\Default\'
- '\Videos\'
condition: all of selection_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_in_uncommon_location/info.yml
Convert to SIEM query
high
Moderate
High FP
Linux Command History Tampering
Detects commands that try to clear or tamper with the Linux command history.
This technique is used by threat actors in order to evade defenses and execute commands without them being recorded in files such as "bash_history" or "zsh_history".
view Sigma YAML
title: Linux Command History Tampering
id: fdc88d25-96fb-4b7c-9633-c0e417fdbd4e
status: test
description: |
Detects commands that try to clear or tamper with the Linux command history.
This technique is used by threat actors in order to evade defenses and execute commands without them being recorded in files such as "bash_history" or "zsh_history".
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.003/T1070.003.md
- https://www.hackers-arise.com/post/2016/06/20/covering-your-bash-shell-tracks-antiforensics
- https://www.cadosecurity.com/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence/
author: Patrick Bareiss
date: 2019-03-24
modified: 2024-04-17
tags:
- attack.stealth
- attack.t1070.003
logsource:
product: linux
detection:
keywords:
- 'cat /dev/null >*sh_history'
- 'cat /dev/zero >*sh_history'
- 'chattr +i*sh_history'
- 'echo "" >*sh_history'
- 'empty_bash_history'
- 'export HISTFILESIZE=0'
- 'history -c'
- 'history -w'
- 'ln -sf /dev/null *sh_history'
- 'ln -sf /dev/zero *sh_history'
- 'rm *sh_history'
- 'shopt -ou history'
- 'shopt -uo history'
- 'shred *sh_history'
- 'truncate -s0 *sh_history'
# - 'unset HISTFILE' # prone to false positives
condition: keywords
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Linux Crypto Mining Indicators
Detects command line parameters or strings often used by crypto miners
view Sigma YAML
title: Linux Crypto Mining Indicators
id: 9069ea3c-b213-4c52-be13-86506a227ab1
status: test
description: Detects command line parameters or strings often used by crypto miners
references:
- https://www.poolwatch.io/coin/monero
author: Florian Roth (Nextron Systems)
date: 2021-10-26
modified: 2022-12-25
tags:
- attack.impact
- attack.t1496
logsource:
product: linux
category: process_creation
detection:
selection:
CommandLine|contains:
- ' --cpu-priority='
- '--donate-level=0'
- ' -o pool.'
- ' --nicehash'
- ' --algo=rx/0 '
- 'stratum+tcp://'
- 'stratum+udp://'
# Sub process started by xmrig - the most popular Monero crypto miner - unknown if this causes any false positives
- 'sh -c /sbin/modprobe msr allow_writes=on'
# base64 encoded: --donate-level=
- 'LS1kb25hdGUtbGV2ZWw9'
- '0tZG9uYXRlLWxldmVsP'
- 'tLWRvbmF0ZS1sZXZlbD'
# base64 encoded: stratum+tcp:// and stratum+udp://
- 'c3RyYXR1bSt0Y3A6Ly'
- 'N0cmF0dW0rdGNwOi8v'
- 'zdHJhdHVtK3RjcDovL'
- 'c3RyYXR1bSt1ZHA6Ly'
- 'N0cmF0dW0rdWRwOi8v'
- 'zdHJhdHVtK3VkcDovL'
condition: selection
falsepositives:
- Legitimate use of crypto miners
level: high
Convert to SIEM query
high
Strong
Medium FP
Linux Crypto Mining Pool Connections
Detects process connections to a Monero crypto mining pool
view Sigma YAML
title: Linux Crypto Mining Pool Connections
id: a46c93b7-55ed-4d27-a41b-c259456c4746
status: stable
description: Detects process connections to a Monero crypto mining pool
references:
- https://www.poolwatch.io/coin/monero
author: Florian Roth (Nextron Systems)
date: 2021-10-26
tags:
- attack.impact
- attack.t1496
logsource:
product: linux
category: network_connection
detection:
selection:
DestinationHostname:
- 'pool.minexmr.com'
- 'fr.minexmr.com'
- 'de.minexmr.com'
- 'sg.minexmr.com'
- 'ca.minexmr.com'
- 'us-west.minexmr.com'
- 'pool.supportxmr.com'
- 'mine.c3pool.com'
- 'xmr-eu1.nanopool.org'
- 'xmr-eu2.nanopool.org'
- 'xmr-us-east1.nanopool.org'
- 'xmr-us-west1.nanopool.org'
- 'xmr-asia1.nanopool.org'
- 'xmr-jp1.nanopool.org'
- 'xmr-au1.nanopool.org'
- 'xmr.2miners.com'
- 'xmr.hashcity.org'
- 'xmr.f2pool.com'
- 'xmrpool.eu'
- 'pool.hashvault.pro'
- 'moneroocean.stream'
- 'monerocean.stream'
condition: selection
falsepositives:
- Legitimate use of crypto miners
level: high
Convert to SIEM query
high
Strong
Medium FP
Linux HackTool Execution
Detects known hacktool execution based on image name.
view Sigma YAML
title: Linux HackTool Execution
id: a015e032-146d-4717-8944-7a1884122111
status: test
description: Detects known hacktool execution based on image name.
references:
- https://github.com/Gui774ume/ebpfkit
- https://github.com/pathtofile/bad-bpf
- https://github.com/carlospolop/PEASS-ng
- https://github.com/t3l3machus/hoaxshell
- https://github.com/t3l3machus/Villain
- https://github.com/HavocFramework/Havoc
- https://github.com/1N3/Sn1per
- https://github.com/Ne0nd0g/merlin
- https://github.com/Pennyw0rth/NetExec/
author: Nasreddine Bencherchali (Nextron Systems), Georg Lauenstein (sure[secure])
date: 2023-01-03
modified: 2024-09-19
tags:
- attack.execution
- attack.resource-development
- attack.t1587
logsource:
product: linux
category: process_creation
detection:
selection_c2_frameworks:
Image|endswith:
- '/crackmapexec'
- '/havoc'
- '/merlin-agent'
- '/merlinServer-Linux-x64'
- '/msfconsole'
- '/msfvenom'
- '/ps-empire server'
- '/ps-empire'
- '/sliver-client'
- '/sliver-server'
- '/Villain.py'
selection_c2_framework_cobaltstrike:
Image|contains:
- '/cobaltstrike'
- '/teamserver'
selection_scanners:
Image|endswith:
- '/autorecon'
- '/httpx'
- '/legion'
- '/naabu'
- '/netdiscover'
- '/nuclei'
- '/recon-ng'
selection_scanners_sniper:
Image|contains: '/sniper'
selection_web_enum:
Image|endswith:
- '/dirb'
- '/dirbuster'
- '/eyewitness'
- '/feroxbuster'
- '/ffuf'
- '/gobuster'
- '/wfuzz'
- '/whatweb'
selection_web_vuln:
Image|endswith:
- '/joomscan'
- '/nikto'
- '/wpscan'
selection_exploit_tools:
Image|endswith:
- '/aircrack-ng'
- '/bloodhound-python'
- '/bpfdos'
- '/ebpfki'
- '/evil-winrm'
- '/hashcat'
- '/hoaxshell.py'
- '/hydra'
- '/john'
- '/ncrack'
# default binary: https://github.com/Pennyw0rth/NetExec/releases/download/v1.0.0/nxc-ubuntu-latest
- '/nxc-ubuntu-latest'
- '/pidhide'
- '/pspy32'
- '/pspy32s'
- '/pspy64'
- '/pspy64s'
- '/setoolkit'
- '/sqlmap'
- '/writeblocker'
selection_linpeas:
# covers: all linux versions listed here: https://github.com/carlospolop/PEASS-ng/releases
Image|contains: '/linpeas'
condition: 1 of selection_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Strong
Low FP
Linux Keylogging with Pam.d
Detect attempt to enable auditing of TTY input
view Sigma YAML
title: Linux Keylogging with Pam.d
id: 49aae26c-450e-448b-911d-b3c13d178dfc
status: test
description: Detect attempt to enable auditing of TTY input
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md
- https://linux.die.net/man/8/pam_tty_audit
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing
- https://access.redhat.com/articles/4409591#audit-record-types-2
author: 'Pawel Mazur'
date: 2021-05-24
modified: 2022-12-18
tags:
- attack.collection
- attack.credential-access
- attack.t1003
- attack.t1056.001
logsource:
product: linux
service: auditd
detection:
selection_path_events:
type: PATH
name:
- '/etc/pam.d/system-auth'
- '/etc/pam.d/password-auth'
selection_tty_events:
type:
- 'TTY'
- 'USER_TTY'
condition: 1 of selection_*
falsepositives:
- Administrative work
level: high
Convert to SIEM query
high
Moderate
High FP
Linux Recon Indicators
Detects events with patterns found in commands used for reconnaissance on linux systems
view Sigma YAML
title: Linux Recon Indicators
id: 0cf7a157-8879-41a2-8f55-388dd23746b7
status: test
description: Detects events with patterns found in commands used for reconnaissance on linux systems
references:
- https://github.com/sleventyeleven/linuxprivchecker/blob/0d701080bbf92efd464e97d71a70f97c6f2cd658/linuxprivchecker.py
author: Florian Roth (Nextron Systems)
date: 2022-06-20
tags:
- attack.reconnaissance
- attack.t1592.004
- attack.credential-access
- attack.t1552.001
logsource:
category: process_creation
product: linux
detection:
selection:
CommandLine|contains:
- ' -name .htpasswd'
- ' -perm -4000 '
condition: selection
falsepositives:
- Legitimate administration activities
level: high
Convert to SIEM query
high
Moderate
Medium FP
Linux Suspicious Child Process from Node.js - React2Shell
Detects suspicious child processes spawned from Node.js server processes on Linux systems, potentially indicating remote code execution exploitation such as CVE-2025-55182 (React2Shell).
This rule particularly looks for exploitation of vulnerability on Node.js Servers where attackers abuse Node.js child_process module to execute arbitrary system commands.
When execSync() or exec() is used, the command line often includes a shell invocation followed by suspicious commands or scripts (e.g., /bin/sh -c <malicious-command>).
For other methods, the Image field will show the spawned process directly.
view Sigma YAML
title: Linux Suspicious Child Process from Node.js - React2Shell
id: c70834fa-fb9d-4aa0-9e7d-45ceed36f3f7
related:
- id: 271de298-cc0e-4842-acd8-079a0a99ea65
type: similar
status: experimental
description: |
Detects suspicious child processes spawned from Node.js server processes on Linux systems, potentially indicating remote code execution exploitation such as CVE-2025-55182 (React2Shell).
This rule particularly looks for exploitation of vulnerability on Node.js Servers where attackers abuse Node.js child_process module to execute arbitrary system commands.
When execSync() or exec() is used, the command line often includes a shell invocation followed by suspicious commands or scripts (e.g., /bin/sh -c <malicious-command>).
For other methods, the Image field will show the spawned process directly.
references:
- https://github.com/msanft/CVE-2025-55182
- https://nodejs.org/api/child_process.html#class-childprocess
- https://gist.github.com/swachchhanda000/a0228130f86a2dedfbcebb415b47f870
- https://github.com/nasbench/Misc-Research/blob/2f651ede832ab34027a7ba005b63bb78f1ade378/Other/React-Next-Child-Processes-Notes.md
author: Swachchhanda Shrawan Poudel (Nextron Systems), Nasreddine Bencherchali
date: 2025-12-05
tags:
- attack.execution
- attack.t1059
- attack.initial-access
- attack.t1190
- detection.emerging-threats
- cve.2025-55182
logsource:
category: process_creation
product: linux
detection:
selection_parent:
ParentImage|endswith: '/node'
ParentCommandLine|contains:
- '--experimental-https'
- '--experimental-next-config-strip-types'
- '/node_modules/next'
- 'next dev'
- 'next start'
- 'node_modules/.bin'
- 'react-scripts start'
- 'start-server.js'
selection_generic_child_img:
# Observed when child_process.spawn(), child_process.exec(), child_process.execFile(), or child_process.fork() method is used to spawn suspicious processes in exploit
- Image|endswith:
- '/busybox'
- '/cat'
- '/curl'
- '/dash'
- '/dig'
- '/head'
- '/id'
- '/ifconfig'
- '/ip'
- '/java'
- '/less'
- '/lua'
- '/more'
- '/nc'
- '/ncat'
- '/netcat'
- '/netstat'
- '/nslookup'
- '/perl'
- '/ping'
- '/python'
- '/python2'
- '/ruby'
- '/socat'
- '/tail'
- '/wget'
- '/whoami'
- Image|contains: '/python'
selection_generic_child_cli:
# Observed when child_process.execSync() is used to spawn suspicious processes
# Reference: https://nodejs.org/api/child_process.html#child_processexecsynccommand-options
# By default, the cli will look something like `/bin/sh -c .......`
CommandLine|contains:
- '/dev/tcp/'
- '/dev/udp/'
- '/etc/hosts'
- '/etc/passwd'
- '/etc/shadow'
- 'base64'
- 'cat '
- 'curl'
- 'dig'
- 'ifconfig'
- 'IO::Socket::INET'
- 'java'
- 'less '
- 'lua'
- 'mkfifo '
- 'more'
- 'nc '
- 'ncat'
- 'netcat'
- 'netstat'
- 'nslookup'
- 'perl'
- 'php'
- 'ping'
- 'ps -ef'
- 'ps aux'
- 'python'
- 'rcat'
- 'ruby'
- 'sh -i 2>&1'
- '-c id'
- 'socat'
- 'uname'
- 'wget'
- 'whoami'
selection_specific_sh:
Image|endswith: '/sh'
selection_specific_cli:
Image|endswith: '-c'
filter_main_default_shell_flag:
Image|endswith: '-c'
condition:
selection_parent and
(
1 of selection_generic_*
or
(selection_specific_sh and not filter_main_default_shell_flag)
or
(all of selection_specific_* and selection_generic_child_cli)
)
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Linux Webshell Indicators
Detects suspicious sub processes of web server processes
view Sigma YAML
title: Linux Webshell Indicators
id: 818f7b24-0fba-4c49-a073-8b755573b9c7
status: test
description: Detects suspicious sub processes of web server processes
references:
- https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/
- https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021-10-15
modified: 2022-12-28
tags:
- attack.persistence
- attack.t1505.003
logsource:
product: linux
category: process_creation
detection:
selection_general:
ParentImage|endswith:
- '/httpd'
- '/lighttpd'
- '/nginx'
- '/apache2'
- '/node'
- '/caddy'
selection_tomcat:
ParentCommandLine|contains|all:
- '/bin/java'
- 'tomcat'
selection_websphere: # ? just guessing
ParentCommandLine|contains|all:
- '/bin/java'
- 'websphere'
sub_processes:
Image|endswith:
- '/whoami'
- '/ifconfig'
- '/ip'
- '/bin/uname'
- '/bin/cat'
- '/bin/crontab'
- '/hostname'
- '/iptables'
- '/netstat'
- '/pwd'
- '/route'
condition: 1 of selection_* and sub_processes
falsepositives:
- Web applications that invoke Linux command line tools
level: high
Convert to SIEM query
high
Moderate
Medium FP
LiteLLM / TeamPCP Supply Chain Attack Indicators
Detects process executions related to the backdoored versions of LiteLLM (v1.82.7 or v1.82.8).
In March 2026, a supply chain attack was discovered involving the popular open-source LLM framework LiteLLM by Threat Actor TeamPCP.
The malicious package harvests every credential on the system, encrypts and exfiltrates them, and installs a persistent C2 backdoor.
view Sigma YAML
title: LiteLLM / TeamPCP Supply Chain Attack Indicators
id: 36603778-030c-43c4-8cbb-cd3c1d1a80c7
status: experimental
description: |
Detects process executions related to the backdoored versions of LiteLLM (v1.82.7 or v1.82.8).
In March 2026, a supply chain attack was discovered involving the popular open-source LLM framework LiteLLM by Threat Actor TeamPCP.
The malicious package harvests every credential on the system, encrypts and exfiltrates them, and installs a persistent C2 backdoor.
references:
- https://novasky.io/hunts/hunting-litellm-supply-chain
- https://www.virustotal.com/gui/file/71e35aef03099cd1f2d6446734273025a163597de93912df321ef118bf135238/
- https://huskyhacks.io/posts/litellm-cred-stealer/
- https://www.wiz.io/blog/threes-a-crowd-teampcp-trojanizes-litellm-in-continuation-of-campaign
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-03-30
tags:
- attack.initial-access
- attack.t1195.002
- attack.collection
- attack.t1560.001
- attack.persistence
- attack.privilege-escalation
- attack.t1543.002
- detection.emerging-threats
logsource:
category: process_creation
product: linux
detection:
selection_pth_package:
# Execution of .pth file
Image|contains: '/python3'
CommandLine|contains|all:
- "exec(base64.b64decode('aW1wb3J0"
- "kI2NF9TQ1JJUFQgPSAiYV"
selection_tar:
Image|endswith: '/tar'
CommandLine|contains|all:
- 'tpcp.tar.gz'
- 'payload.enc'
- 'session.key.enc'
selection_curl:
Image|endswith: '/curl'
CommandLine|contains|all:
- 'models.litellm.cloud'
- 'X-Filename: tpcp.tar.gz'
selection_sysmon_service:
ParentImage|contains: '/python3'
CommandLine|contains|all:
- 'systemctl'
- '--user'
- 'sysmon'
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Live Memory Dump Using Powershell
Detects usage of a PowerShell command to dump the live memory of a Windows machine
view Sigma YAML
title: Live Memory Dump Using Powershell
id: cd185561-4760-45d6-a63e-a51325112cae
status: test
description: Detects usage of a PowerShell command to dump the live memory of a Windows machine
references:
- https://learn.microsoft.com/en-us/powershell/module/storage/get-storagediagnosticinfo?view=windowsserver2022-ps
author: Max Altgelt (Nextron Systems)
date: 2021-09-21
modified: 2022-12-25
tags:
- attack.credential-access
- attack.t1003
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'Get-StorageDiagnosticInfo'
- '-IncludeLiveDump'
condition: selection
falsepositives:
- Diagnostics
level: high
Convert to SIEM query
high
Moderate
Medium FP
LiveKD Driver Creation By Uncommon Process
Detects the creation of the LiveKD driver by a process image other than "livekd.exe".
view Sigma YAML
title: LiveKD Driver Creation By Uncommon Process
id: 059c5af9-5131-4d8d-92b2-de4ad6146712
related:
- id: 16fe46bb-4f64-46aa-817d-ff7bec4a2352
type: similar
status: test
description: Detects the creation of the LiveKD driver by a process image other than "livekd.exe".
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-16
tags:
- attack.privilege-escalation
- attack.stealth
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename: 'C:\Windows\System32\drivers\LiveKdD.SYS'
filter_main_legit_name:
Image|endswith:
- '\livekd.exe'
- '\livek64.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Administrators might rename LiveKD before its usage which could trigger this. Add additional names you use to the filter
level: high
Convert to SIEM query
high
Moderate
Medium FP
LiveKD Kernel Memory Dump File Created
Detects the creation of a file that has the same name as the default LiveKD kernel memory dump.
view Sigma YAML
title: LiveKD Kernel Memory Dump File Created
id: 814ddeca-3d31-4265-8e07-8cc54fb44903
status: test
description: Detects the creation of a file that has the same name as the default LiveKD kernel memory dump.
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-16
tags:
- attack.privilege-escalation
- attack.stealth
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename: 'C:\Windows\livekd.dmp'
condition: selection
falsepositives:
- In rare occasions administrators might leverage LiveKD to perform live kernel debugging. This should not be allowed on production systems. Investigate and apply additional filters where necessary.
level: high
Convert to SIEM query
high
Strong
High FP
Load Of RstrtMgr.DLL By A Suspicious Process
Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process.
This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows.
It could also be used for anti-analysis purposes by shut downing specific processes.
view Sigma YAML
title: Load Of RstrtMgr.DLL By A Suspicious Process
id: b48492dc-c5ef-4572-8dff-32bc241c15c8
related:
- id: 3669afd2-9891-4534-a626-e5cf03810a61
type: derived
status: test
description: |
Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process.
This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows.
It could also be used for anti-analysis purposes by shut downing specific processes.
references:
- https://www.crowdstrike.com/blog/windows-restart-manager-part-1/
- https://www.crowdstrike.com/blog/windows-restart-manager-part-2/
- https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/
- https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html
author: Luc Génaux
date: 2023-11-28
tags:
- attack.impact
- attack.defense-impairment
- attack.t1486
- attack.t1685
logsource:
category: image_load
product: windows
detection:
selection_img:
- ImageLoaded|endswith: '\RstrtMgr.dll'
- OriginalFileName: 'RstrtMgr.dll'
selection_folders_1:
Image|contains:
# Note: increase coverage by adding more suspicious paths
- ':\Perflogs\'
- ':\Users\Public\'
- '\Temporary Internet'
selection_folders_2:
- Image|contains|all:
- ':\Users\'
- '\Favorites\'
- Image|contains|all:
- ':\Users\'
- '\Favourites\'
- Image|contains|all:
- ':\Users\'
- '\Contacts\'
condition: selection_img and 1 of selection_folders_*
falsepositives:
- Processes related to software installation
level: high
Convert to SIEM query
high
Strong
Medium FP
Loading Diagcab Package From Remote Path
Detects loading of diagcab packages from a remote path, as seen in DogWalk vulnerability
view Sigma YAML
title: Loading Diagcab Package From Remote Path
id: 50cb47b8-2c33-4b23-a2e9-4600657d9746
status: test
description: Detects loading of diagcab packages from a remote path, as seen in DogWalk vulnerability
references:
- https://twitter.com/nas_bench/status/1539679555908141061
- https://twitter.com/j00sean/status/1537750439701225472
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-14
tags:
- attack.execution
logsource:
product: windows
service: diagnosis-scripted
detection:
selection:
EventID: 101
PackagePath|contains: '\\\\' # Example would be: \\webdav-test.herokuapp.com@ssl\DavWWWRoot\package
condition: selection
falsepositives:
- Legitimate package hosted on a known and authorized remote location
level: high
Convert to SIEM query
high
Moderate
Low FP
Loading of Kernel Module via Insmod
Detects loading of kernel modules with insmod command.
Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand.
Adversaries may use LKMs to obtain persistence within the system or elevate the privileges.
view Sigma YAML
title: Loading of Kernel Module via Insmod
id: 106d7cbd-80ff-4985-b682-a7043e5acb72
status: test
description: |
Detects loading of kernel modules with insmod command.
Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand.
Adversaries may use LKMs to obtain persistence within the system or elevate the privileges.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md
- https://linux.die.net/man/8/insmod
- https://man7.org/linux/man-pages/man8/kmod.8.html
author: 'Pawel Mazur'
date: 2021-11-02
modified: 2022-12-25
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1547.006
logsource:
product: linux
service: auditd
detection:
selection:
type: 'SYSCALL'
comm: insmod
exe: /usr/bin/kmod
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Low FP
Local Privilege Escalation Indicator TabTip
Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode
view Sigma YAML
title: Local Privilege Escalation Indicator TabTip
id: bc2e25ed-b92b-4daa-b074-b502bdd1982b
status: test
description: Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode
references:
- https://github.com/antonioCoco/JuicyPotatoNG
author: Florian Roth (Nextron Systems)
date: 2022-10-07
modified: 2023-04-14
tags:
- attack.collection
- attack.execution
- attack.credential-access
- attack.t1557.001
logsource:
product: windows
service: system
detection:
selection:
Provider_Name: 'Microsoft-Windows-DistributedCOM'
EventID: 10001
param1: 'C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe' # Binary starting/started
param2: 2147943140 # ERROR id
param3: '{054AAE20-4BEA-4347-8A35-64A533254A9D}' # DCOM Server
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Log4j RCE CVE-2021-44228 Generic
Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 (Log4Shell)
view Sigma YAML
title: Log4j RCE CVE-2021-44228 Generic
id: 5ea8faa8-db8b-45be-89b0-151b84c82702
status: test
description: Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 (Log4Shell)
references:
- https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/
- https://news.ycombinator.com/item?id=29504755
- https://github.com/tangxiaofeng7/apache-log4j-poc
- https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b
- https://github.com/YfryTchsGD/Log4jAttackSurface
- https://twitter.com/shutingrz/status/1469255861394866177?s=21
author: Florian Roth (Nextron Systems)
date: 2021-12-10
modified: 2022-02-06
tags:
- attack.initial-access
- attack.t1190
- detection.emerging-threats
logsource:
category: webserver
detection:
keywords:
- '${jndi:ldap:/'
- '${jndi:rmi:/'
- '${jndi:ldaps:/'
- '${jndi:dns:/'
- '/$%7bjndi:'
- '%24%7bjndi:'
- '$%7Bjndi:'
- '%2524%257Bjndi'
- '%2F%252524%25257Bjndi%3A'
- '${jndi:${lower:'
- '${::-j}${'
- '${jndi:nis'
- '${jndi:nds'
- '${jndi:corba'
- '${jndi:iiop'
- 'Reference Class Name: foo'
- '${${env:BARFOO:-j}'
- '${::-l}${::-d}${::-a}${::-p}'
- '${base64:JHtqbmRp'
- '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}$'
- '${${lower:j}ndi:'
- '${${upper:j}ndi:'
- '${${::-j}${::-n}${::-d}${::-i}:'
filter:
- 'w.nessus.org/nessus'
- '/nessus}'
condition: keywords and not filter
falsepositives:
- Vulnerability scanning
level: high
Convert to SIEM query
high
Strong
Medium FP
Log4j RCE CVE-2021-44228 in Fields
Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 in different header fields found in web server logs (Log4Shell)
view Sigma YAML
title: Log4j RCE CVE-2021-44228 in Fields
id: 9be472ed-893c-4ec0-94da-312d2765f654
status: test
description: Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 in different header fields found in web server logs (Log4Shell)
references:
- https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/
- https://news.ycombinator.com/item?id=29504755
- https://github.com/tangxiaofeng7/apache-log4j-poc
- https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b
- https://github.com/YfryTchsGD/Log4jAttackSurface
- https://twitter.com/shutingrz/status/1469255861394866177?s=21
author: Florian Roth (Nextron Systems)
date: 2021-12-10
modified: 2023-01-02
tags:
- attack.initial-access
- attack.t1190
- cve.2021-44228
- detection.emerging-threats
logsource:
category: webserver
detection:
selection1:
cs-user-agent|contains:
- '${jndi:ldap:/'
- '${jndi:rmi:/'
- '${jndi:ldaps:/'
- '${jndi:dns:/'
- '/$%7bjndi:'
- '%24%7bjndi:'
- '$%7Bjndi:'
- '%2524%257Bjndi'
- '%2F%252524%25257Bjndi%3A'
- '${jndi:${lower:'
- '${::-j}${'
- '${jndi:nis'
- '${jndi:nds'
- '${jndi:corba'
- '${jndi:iiop'
- 'Reference Class Name: foo'
- '${${env:BARFOO:-j}'
- '${::-l}${::-d}${::-a}${::-p}'
- '${base64:JHtqbmRp'
- '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}$'
- '${${lower:j}ndi:'
- '${${upper:j}ndi:'
- '${${::-j}${::-n}${::-d}${::-i}:'
# selection2:
# user-agent|contains:
# - '${jndi:ldap:/'
# - '${jndi:rmi:/'
# - '${jndi:ldaps:/'
# - '${jndi:dns:/'
# - '/$%7bjndi:'
# - '%24%7bjndi:'
# - '$%7Bjndi:'
# - '%2524%257Bjndi'
# - '%2F%252524%25257Bjndi%3A'
# - '${jndi:${lower:'
# - '${::-j}${'
# - '${jndi:nis'
# - '${jndi:nds'
# - '${jndi:corba'
# - '${jndi:iiop'
# - 'Reference Class Name: foo'
# - '${${env:BARFOO:-j}'
# - '${::-l}${::-d}${::-a}${::-p}'
# - '${base64:JHtqbmRp'
# - '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}$'
# - '${${lower:j}ndi:'
# - '${${upper:j}ndi:'
# - '${${::-j}${::-n}${::-d}${::-i}:'
selection3:
cs-uri-query|contains:
- '${jndi:ldap:/'
- '${jndi:rmi:/'
- '${jndi:ldaps:/'
- '${jndi:dns:/'
- '/$%7bjndi:'
- '%24%7bjndi:'
- '$%7Bjndi:'
- '%2524%257Bjndi'
- '%2F%252524%25257Bjndi%3A'
- '${jndi:${lower:'
- '${::-j}${'
- '${jndi:nis'
- '${jndi:nds'
- '${jndi:corba'
- '${jndi:iiop'
- 'Reference Class Name: foo'
- '${${env:BARFOO:-j}'
- '${::-l}${::-d}${::-a}${::-p}'
- '${base64:JHtqbmRp'
- '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}$'
- '${${lower:j}ndi:'
- '${${upper:j}ndi:'
- '${${::-j}${::-n}${::-d}${::-i}:'
selection4:
cs-referer|contains:
- '${jndi:ldap:/'
- '${jndi:rmi:/'
- '${jndi:ldaps:/'
- '${jndi:dns:/'
- '/$%7bjndi:'
- '%24%7bjndi:'
- '$%7Bjndi:'
- '%2524%257Bjndi'
- '%2F%252524%25257Bjndi%3A'
- '${jndi:${lower:'
- '${::-j}${'
- '${jndi:nis'
- '${jndi:nds'
- '${jndi:corba'
- '${jndi:iiop'
- 'Reference Class Name: foo'
- '${${env:BARFOO:-j}'
- '${::-l}${::-d}${::-a}${::-p}'
- '${base64:JHtqbmRp'
- '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}$'
- '${${lower:j}ndi:'
- '${${upper:j}ndi:'
- '${${::-j}${::-n}${::-d}${::-i}:'
condition: 1 of selection*
falsepositives:
- Vulnerability scanning
level: high
Convert to SIEM query
high
Moderate
Low FP
Logging Configuration Changes on Linux Host
Detect changes of syslog daemons configuration files
view Sigma YAML
title: Logging Configuration Changes on Linux Host
id: c830f15d-6f6e-430f-8074-6f73d6807841
status: test
description: Detect changes of syslog daemons configuration files
references:
- self experience
author: Mikhail Larin, oscd.community
date: 2019-10-25
modified: 2021-11-27
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: linux
service: auditd
detection:
selection:
type: 'PATH'
name:
- /etc/syslog.conf
- /etc/rsyslog.conf
- /etc/syslog-ng/syslog-ng.conf
condition: selection
falsepositives:
- Legitimate administrative activity
level: high
Convert to SIEM query
high
Moderate
High FP
Lolbas OneDriveStandaloneUpdater.exe Proxy Download
Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any
anomalous executables with suspicious arguments. The downloaded file will be in C:\Users\redacted\AppData\Local\Microsoft\OneDrive\StandaloneUpdaterreSignInSettingsConfig.json
view Sigma YAML
title: Lolbas OneDriveStandaloneUpdater.exe Proxy Download
id: 3aff0be0-7802-4a7e-a4fa-c60c74bc5e1d
status: test
description: |
Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any
anomalous executables with suspicious arguments. The downloaded file will be in C:\Users\redacted\AppData\Local\Microsoft\OneDrive\StandaloneUpdaterreSignInSettingsConfig.json
references:
- https://lolbas-project.github.io/lolbas/Binaries/OneDriveStandaloneUpdater/
author: frack113
date: 2022-05-28
modified: 2023-08-17
tags:
- attack.command-and-control
- attack.t1105
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\SOFTWARE\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Lsass Full Dump Request Via DumpType Registry Settings
Detects the setting of the "DumpType" registry value to "2" which stands for a "Full Dump". Technique such as LSASS Shtinkering requires this value to be "2" in order to dump LSASS.
view Sigma YAML
title: Lsass Full Dump Request Via DumpType Registry Settings
id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f719
status: test
description: Detects the setting of the "DumpType" registry value to "2" which stands for a "Full Dump". Technique such as LSASS Shtinkering requires this value to be "2" in order to dump LSASS.
references:
- https://github.com/deepinstinct/Lsass-Shtinkering
- https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps
- https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
author: '@pbssubhash'
date: 2022-12-08
modified: 2023-08-17
tags:
- attack.credential-access
- attack.t1003.001
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains:
- '\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\DumpType'
- '\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\lsass.exe\DumpType'
Details: 'DWORD (0x00000002)' # Full Dump
condition: selection
falsepositives:
- Legitimate application that needs to do a full dump of their process
level: high
Convert to SIEM query
high
Moderate
Medium FP
Lsass Memory Dump via Comsvcs DLL
Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.
view Sigma YAML
title: Lsass Memory Dump via Comsvcs DLL
id: a49fa4d5-11db-418c-8473-1e014a8dd462
status: test
description: Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.
references:
- https://twitter.com/shantanukhande/status/1229348874298388484
- https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-10-20
modified: 2023-11-29
tags:
- attack.credential-access
- attack.t1003.001
logsource:
category: process_access
product: windows
detection:
selection:
TargetImage|endswith: '\lsass.exe'
SourceImage|endswith: '\rundll32.exe'
CallTrace|contains: 'comsvcs.dll'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Lummac Stealer Activity - Execution Of More.com And Vbc.exe
Detects the execution of more.com and vbc.exe in the process tree.
This behavior was observed by a set of samples related to Lummac Stealer.
The Lummac payload is injected into the vbc.exe process.
view Sigma YAML
title: Lummac Stealer Activity - Execution Of More.com And Vbc.exe
id: 19b3806e-46f2-4b4c-9337-e3d8653245ea
status: experimental
description: |
Detects the execution of more.com and vbc.exe in the process tree.
This behavior was observed by a set of samples related to Lummac Stealer.
The Lummac payload is injected into the vbc.exe process.
references:
- https://www.virustotal.com/gui/search/behaviour_processes%253A%2522C%253A%255C%255CWindows%255C%255CSysWOW64%255C%255Cmore.com%2522%2520behaviour_processes%253A%2522C%253A%255C%255CWindows%255C%255CMicrosoft.NET%255C%255CFramework%255C%255Cv4.0.30319%255C%255Cvbc.exe%2522/files
- https://www.virustotal.com/gui/file/14d886517fff2cc8955844b252c985ab59f2f95b2849002778f03a8f07eb8aef
- https://strontic.github.io/xcyclopedia/library/more.com-EDB3046610020EE614B5B81B0439895E.html
- https://strontic.github.io/xcyclopedia/library/vbc.exe-A731372E6F6978CE25617AE01B143351.html
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2024-12-19
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1055
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
# VT Query: behaviour_processes:"C:\\Windows\\SysWOW64\\more.com" behaviour_processes:"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe"
selection_parent:
ParentImage|endswith: '\more.com'
selection_child:
- Image|endswith: '\vbc.exe'
- OriginalFileName: 'vbc.exe'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
Showing 701-750 of 3,646