Home/Detection rules/VMware Carbon Black
Tool
EDR / XDR

VMware Carbon Black

3,646 rules · Sigma detections in VMware Carbon Black syntax
The same Sigma detection corpus, machine-rendered into VMware Carbon Black query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 3,646 rules (.zip, 1.2 MB) Every VMware Carbon Black query in this view, packaged to deploy.
Severity critical high medium low all severities Export CSV Export .zip
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance12
Resource Development10
Initial Access10
Execution30
Persistence42
Privilege Escalation20
Stealth79
Defense Impairment32
Credential Access35
Discovery33
Lateral Movement16
Collection20
Command and Control24
Exfiltration10
Impact18
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.

Detection rules

50 shown of 3,646
high Moderate Low FP
Okta FastPass Phishing Detection
Detects when Okta FastPass prevents a known phishing site.
status test author Austin Songer @austinsonger ATT&CK technique id ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e
carbon_black query
"outcome.reason":FastPass\ declined\ phishing\ attempt "outcome.result":FAILURE eventType:user.authentication.auth_via_mfa
view Sigma YAML 
title: Okta FastPass Phishing Detection
id: ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e
status: test
description: Detects when Okta FastPass prevents a known phishing site.
references:
    - https://sec.okta.com/fastpassphishingdetection
    - https://developer.okta.com/docs/reference/api/system-log/
    - https://developer.okta.com/docs/reference/api/event-types/
author: Austin Songer @austinsonger
date: 2023-05-07
modified: 2026-04-27
tags:
    - attack.initial-access
    - attack.t1566
logsource:
    product: okta
    service: okta
detection:
    selection:
        outcome.reason: 'FastPass declined phishing attempt'
        outcome.result: FAILURE
        eventType: user.authentication.auth_via_mfa
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Strong Medium FP
Okta New Admin Console Behaviours
Detects when Okta identifies new activity in the Admin Console.
status test author kelnage ATT&CK sub-technique id a0b38b70-3cb5-484b-a4eb-c4d8e7bcc0a9
carbon_black query
(eventType:policy.evaluate_sign_on "target.displayName":Okta\ Admin\ Console) ("debugContext.debugData.behaviors":POSITIVE* OR "debugContext.debugData.logOnlySecurityData":POSITIVE*)
view Sigma YAML 
title: Okta New Admin Console Behaviours
id: a0b38b70-3cb5-484b-a4eb-c4d8e7bcc0a9
status: test
description: Detects when Okta identifies new activity in the Admin Console.
references:
    - https://developer.okta.com/docs/reference/api/system-log/
    - https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection
author: kelnage
date: 2023-09-07
modified: 2026-04-27
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.stealth
    - attack.t1078.004
logsource:
    product: okta
    service: okta
detection:
    selection_event:
        eventType: 'policy.evaluate_sign_on'
        target.displayName: 'Okta Admin Console'
    selection_positive:
        - debugContext.debugData.behaviors|contains: 'POSITIVE'
        - debugContext.debugData.logOnlySecurityData|contains: 'POSITIVE'
    condition: all of selection_*
falsepositives:
    - When an admin begins using the Admin Console and one of Okta's heuristics incorrectly identifies the behavior as being unusual.
level: high
Convert to SIEM query
high Moderate Medium FP
Okta Suspicious Activity Reported by End-user
Detects when an Okta end-user reports activity by their account as being potentially suspicious.
status test author kelnage ATT&CK sub-technique id 07e97cc6-aed1-43ae-9081-b3470d2367f1
carbon_black query
eventType:user.account.report_suspicious_activity_by_enduser
view Sigma YAML 
title: Okta Suspicious Activity Reported by End-user
id: 07e97cc6-aed1-43ae-9081-b3470d2367f1
status: test
description: Detects when an Okta end-user reports activity by their account as being potentially suspicious.
references:
    - https://developer.okta.com/docs/reference/api/system-log/
    - https://github.com/okta/workflows-templates/blob/1164f0eb71ce47c9ddc7d850e9ab87b5a2b42333/workflows/suspicious_activity_reported/readme.md
author: kelnage
date: 2023-09-07
modified: 2026-04-27
tags:
    - attack.resource-development
    - attack.t1586.003
logsource:
    product: okta
    service: okta
detection:
    selection:
        eventType: 'user.account.report_suspicious_activity_by_enduser'
    condition: selection
falsepositives:
    - If an end-user incorrectly identifies normal activity as suspicious.
level: high
Convert to SIEM query
high Strong Low FP
Okta User Session Start Via An Anonymising Proxy Service
Detects when an Okta user session starts where the user is behind an anonymising proxy service.
status test author kelnage ATT&CK technique id bde30855-5c53-4c18-ae90-1ff79ebc9578
carbon_black query
eventType:user.session.start "securityContext.isProxy":true
view Sigma YAML 
title: Okta User Session Start Via An Anonymising Proxy Service
id: bde30855-5c53-4c18-ae90-1ff79ebc9578
status: test
description: Detects when an Okta user session starts where the user is behind an anonymising proxy service.
references:
    - https://developer.okta.com/docs/reference/api/system-log/
    - https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection
author: kelnage
date: 2023-09-07
modified: 2026-04-27
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: okta
    service: okta
detection:
    selection:
        eventType: 'user.session.start'
        securityContext.isProxy: 'true'
    condition: selection
falsepositives:
    - If a user requires an anonymising proxy due to valid justifications.
level: high
Convert to SIEM query
high Moderate High FP
OneNote.EXE Execution of Malicious Embedded Scripts
Detects the execution of malicious OneNote documents that contain embedded scripts. When a user clicks on a OneNote attachment and then on the malicious link inside the ".one" file, it exports and executes the malicious embedded script from specific directories.
status test author @kostastsale ATT&CK sub-technique id 84b1706c-932a-44c4-ae28-892b28a25b94
carbon_black query
ParentImage:\\onenote.exe (Image:\\cmd.exe OR Image:\\cscript.exe OR Image:\\mshta.exe OR Image:\\powershell.exe OR Image:\\pwsh.exe OR Image:\\wscript.exe) (CommandLine:\\exported\\* OR CommandLine:\\onenoteofflinecache_files\\*)
view Sigma YAML 
title: OneNote.EXE Execution of Malicious Embedded Scripts
id: 84b1706c-932a-44c4-ae28-892b28a25b94
status: test
description: |
    Detects the execution of malicious OneNote documents that contain embedded scripts.
    When a user clicks on a OneNote attachment and then on the malicious link inside the ".one" file, it exports and executes the malicious embedded script from specific directories.
references:
    - https://bazaar.abuse.ch/browse/tag/one/
author: '@kostastsale'
date: 2023-02-02
tags:
    - attack.stealth
    - attack.t1218.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\onenote.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wscript.exe'
        CommandLine|contains:
            - '\exported\'
            - '\onenoteofflinecache_files\'
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate High FP
Onyx Sleet APT File Creation Indicators
Detects file creation activity that is related to Onyx Sleet APT activity
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK tactic-only id 2fef4fd9-7206-40d1-b4f5-ad6441d0cd9b
carbon_black query
TargetFilename:\:\\Windows\\ADFS\\bg\\inetmgr.exe
view Sigma YAML 
title: Onyx Sleet APT File Creation Indicators
id: 2fef4fd9-7206-40d1-b4f5-ad6441d0cd9b
status: test
description: Detects file creation activity that is related to Onyx Sleet APT activity
references:
    - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-10-24
tags:
    - attack.execution
    - detection.emerging-threats
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: ':\Windows\ADFS\bg\inetmgr.exe'
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate Medium FP
OpenCanary - FTP Login Attempt
Detects instances where an FTP service on an OpenCanary node has had a login attempt.
status test author Security Onion Solutions ATT&CK technique id 6991bc2b-ae2e-447f-bc55-3a1ba04c14e5
carbon_black query
logtype:2000
view Sigma YAML 
title: OpenCanary - FTP Login Attempt
id: 6991bc2b-ae2e-447f-bc55-3a1ba04c14e5
status: test
description: Detects instances where an FTP service on an OpenCanary node has had a login attempt.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
    - attack.initial-access
    - attack.exfiltration
    - attack.lateral-movement
    - attack.t1190
    - attack.t1021
logsource:
    category: application
    product: opencanary
detection:
    selection:
        logtype: 2000
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate Medium FP
OpenCanary - GIT Clone Request
Detects instances where a GIT service on an OpenCanary node has had Git Clone request.
status test author Security Onion Solutions ATT&CK technique id 4fe17521-aef3-4e6a-9d6b-4a7c8de155a8
carbon_black query
logtype:16001
view Sigma YAML 
title: OpenCanary - GIT Clone Request
id: 4fe17521-aef3-4e6a-9d6b-4a7c8de155a8
status: test
description: Detects instances where a GIT service on an OpenCanary node has had Git Clone request.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
    - attack.collection
    - attack.t1213
logsource:
    category: application
    product: opencanary
detection:
    selection:
        logtype: 16001
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate Medium FP
OpenCanary - HTTP GET Request
Detects instances where an HTTP service on an OpenCanary node has received a GET request.
status test author Security Onion Solutions ATT&CK technique id af6c3078-84cd-4c68-8842-08b76bd81b13
carbon_black query
logtype:3000
view Sigma YAML 
title: OpenCanary - HTTP GET Request
id: af6c3078-84cd-4c68-8842-08b76bd81b13
status: test
description: Detects instances where an HTTP service on an OpenCanary node has received a GET request.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    category: application
    product: opencanary
detection:
    selection:
        logtype: 3000
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate Medium FP
OpenCanary - HTTP POST Login Attempt
Detects instances where an HTTP service on an OpenCanary node has had login attempt via Form POST.
status test author Security Onion Solutions ATT&CK technique id af1ac430-df6b-4b38-b976-0b52f07a0252
carbon_black query
logtype:3001
view Sigma YAML 
title: OpenCanary - HTTP POST Login Attempt
id: af1ac430-df6b-4b38-b976-0b52f07a0252
status: test
description: |
    Detects instances where an HTTP service on an OpenCanary node has had login attempt via Form POST.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    category: application
    product: opencanary
detection:
    selection:
        logtype: 3001
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate Medium FP
OpenCanary - HTTPPROXY Login Attempt
Detects instances where an HTTPPROXY service on an OpenCanary node has had an attempt to proxy another page.
status test author Security Onion Solutions ATT&CK technique id 5498fc09-adc6-4804-b9d9-5cca1f0b8760
carbon_black query
logtype:7001
view Sigma YAML 
title: OpenCanary - HTTPPROXY Login Attempt
id: 5498fc09-adc6-4804-b9d9-5cca1f0b8760
status: test
description: |
    Detects instances where an HTTPPROXY service on an OpenCanary node has had an attempt to proxy another page.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
    - attack.initial-access
    - attack.command-and-control
    - attack.t1090
logsource:
    category: application
    product: opencanary
detection:
    selection:
        logtype: 7001
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate Medium FP
OpenCanary - Host Port Scan (SYN Scan)
Detects instances where an OpenCanary node has been targeted by a SYN port scan.
status experimental author Marco Pedrinazzi (@pedrinazziM) ATT&CK technique id 974be8d2-283e-4033-ab08-7505b84204d0
carbon_black query
logtype:5001
view Sigma YAML 
title: OpenCanary - Host Port Scan (SYN Scan)
id: 974be8d2-283e-4033-ab08-7505b84204d0
status: experimental
description: Detects instances where an OpenCanary node has been targeted by a SYN port scan.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Marco Pedrinazzi (@pedrinazziM)
date: 2026-01-06
tags:
    - attack.discovery
    - attack.t1046
logsource:
    category: application
    product: opencanary
detection:
    selection:
        logtype: 5001
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate Medium FP
OpenCanary - MSSQL Login Attempt Via SQLAuth
Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using SQLAuth.
status test author Security Onion Solutions ATT&CK technique id 3ec9a16d-0b4f-4967-9542-ebf38ceac7dd
carbon_black query
logtype:9001
view Sigma YAML 
title: OpenCanary - MSSQL Login Attempt Via SQLAuth
id: 3ec9a16d-0b4f-4967-9542-ebf38ceac7dd
status: test
description: |
    Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using SQLAuth.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
    - attack.credential-access
    - attack.collection
    - attack.t1003
    - attack.t1213
logsource:
    category: application
    product: opencanary
detection:
    selection:
        logtype: 9001
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate Medium FP
OpenCanary - MSSQL Login Attempt Via Windows Authentication
Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using Windows Authentication.
status test author Security Onion Solutions ATT&CK technique id 6e78f90f-0043-4a01-ac41-f97681613a66
carbon_black query
logtype:9002
view Sigma YAML 
title: OpenCanary - MSSQL Login Attempt Via Windows Authentication
id: 6e78f90f-0043-4a01-ac41-f97681613a66
status: test
description: |
    Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using Windows Authentication.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
    - attack.credential-access
    - attack.collection
    - attack.t1003
    - attack.t1213
logsource:
    category: application
    product: opencanary
detection:
    selection:
        logtype: 9002
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate Medium FP
OpenCanary - MySQL Login Attempt
Detects instances where a MySQL service on an OpenCanary node has had a login attempt.
status test author Security Onion Solutions ATT&CK technique id e7d79a1b-25ed-4956-bd56-bd344fa8fd06
carbon_black query
logtype:8001
view Sigma YAML 
title: OpenCanary - MySQL Login Attempt
id: e7d79a1b-25ed-4956-bd56-bd344fa8fd06
status: test
description: Detects instances where a MySQL service on an OpenCanary node has had a login attempt.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
    - attack.credential-access
    - attack.collection
    - attack.t1003
    - attack.t1213
logsource:
    category: application
    product: opencanary
detection:
    selection:
        logtype: 8001
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate Medium FP
OpenCanary - NMAP FIN Scan
Detects instances where an OpenCanary node has been targeted by a NMAP FIN Scan
status experimental author Marco Pedrinazzi (@pedrinazziM) ATT&CK technique id eae8c0c8-e5da-450a-9d7d-66aa56cd26b6
carbon_black query
logtype:5005
view Sigma YAML 
title: OpenCanary - NMAP FIN Scan
id: eae8c0c8-e5da-450a-9d7d-66aa56cd26b6
status: experimental
description: Detects instances where an OpenCanary node has been targeted by a NMAP FIN Scan
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Marco Pedrinazzi (@pedrinazziM)
date: 2026-01-06
tags:
    - attack.discovery
    - attack.t1046
logsource:
    category: application
    product: opencanary
detection:
    selection:
        logtype: 5005
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate Medium FP
OpenCanary - NMAP NULL Scan
Detects instances where an OpenCanary node has been targeted by a NMAP NULL Scan
status experimental author Marco Pedrinazzi (@pedrinazziM) ATT&CK technique id 68b8547b-107f-43f3-97fb-900a7d63c190
carbon_black query
logtype:5003
view Sigma YAML 
title: OpenCanary - NMAP NULL Scan
id: 68b8547b-107f-43f3-97fb-900a7d63c190
status: experimental
description: Detects instances where an OpenCanary node has been targeted by a NMAP NULL Scan
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Marco Pedrinazzi (@pedrinazziM)
date: 2026-01-06
tags:
    - attack.discovery
    - attack.t1046
logsource:
    category: application
    product: opencanary
detection:
    selection:
        logtype: 5003
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate Medium FP
OpenCanary - NMAP OS Scan
Detects instances where an OpenCanary node has been targeted by a NMAP OS Scan
status experimental author Marco Pedrinazzi (@pedrinazziM) ATT&CK technique id e8a677fd-248c-4eab-94df-de2f6f645884
carbon_black query
logtype:5002
view Sigma YAML 
title: OpenCanary - NMAP OS Scan
id: e8a677fd-248c-4eab-94df-de2f6f645884
status: experimental
description: Detects instances where an OpenCanary node has been targeted by a NMAP OS Scan
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Marco Pedrinazzi (@pedrinazziM)
date: 2026-01-06
tags:
    - attack.discovery
    - attack.t1046
logsource:
    category: application
    product: opencanary
detection:
    selection:
        logtype: 5002
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate Medium FP
OpenCanary - NMAP XMAS Scan
Detects instances where an OpenCanary node has been targeted by a NMAP XMAS Scan
status experimental author Marco Pedrinazzi (@pedrinazziM) ATT&CK technique id d7553d7b-f485-479c-b192-cdac6edd83a4
carbon_black query
logtype:5004
view Sigma YAML 
title: OpenCanary - NMAP XMAS Scan
id: d7553d7b-f485-479c-b192-cdac6edd83a4
status: experimental
description: Detects instances where an OpenCanary node has been targeted by a NMAP XMAS Scan
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Marco Pedrinazzi (@pedrinazziM)
date: 2026-01-06
tags:
    - attack.discovery
    - attack.t1046
logsource:
    category: application
    product: opencanary
detection:
    selection:
        logtype: 5004
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate Medium FP
OpenCanary - NTP Monlist Request
Detects instances where an NTP service on an OpenCanary node has had a NTP monlist request.
status test author Security Onion Solutions ATT&CK technique id 7cded4b3-f09e-405a-b96f-24248433ba44
carbon_black query
logtype:11001
view Sigma YAML 
title: OpenCanary - NTP Monlist Request
id: 7cded4b3-f09e-405a-b96f-24248433ba44
status: test
description: Detects instances where an NTP service on an OpenCanary node has had a NTP monlist request.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
    - attack.impact
    - attack.t1498
logsource:
    category: application
    product: opencanary
detection:
    selection:
        logtype: 11001
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate Medium FP
OpenCanary - RDP New Connection Attempt
Detects instances where an RDP service on an OpenCanary node has had a connection attempt.
status experimental author Marco Pedrinazzi (@pedrinazziM) ATT&CK sub-technique id 598290cf-5932-45cd-9123-be1e05ab4f2e
carbon_black query
logtype:14001
view Sigma YAML 
title: OpenCanary - RDP New Connection Attempt
id: 598290cf-5932-45cd-9123-be1e05ab4f2e
status: experimental
description: Detects instances where an RDP service on an OpenCanary node has had a connection attempt.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Marco Pedrinazzi (@pedrinazziM)
date: 2026-01-06
tags:
    - attack.initial-access
    - attack.lateral-movement
    - attack.persistence
    - attack.t1133
    - attack.t1021.001
logsource:
    category: application
    product: opencanary
detection:
    selection:
        logtype: 14001
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate Medium FP
OpenCanary - REDIS Action Command Attempt
Detects instances where a REDIS service on an OpenCanary node has had an action command attempted.
status test author Security Onion Solutions ATT&CK technique id 547dfc53-ebf6-4afe-8d2e-793d9574975d
carbon_black query
logtype:17001
view Sigma YAML 
title: OpenCanary - REDIS Action Command Attempt
id: 547dfc53-ebf6-4afe-8d2e-793d9574975d
status: test
description: Detects instances where a REDIS service on an OpenCanary node has had an action command attempted.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
    - attack.credential-access
    - attack.collection
    - attack.t1003
    - attack.t1213
logsource:
    category: application
    product: opencanary
detection:
    selection:
        logtype: 17001
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate Medium FP
OpenCanary - SIP Request
Detects instances where an SIP service on an OpenCanary node has had a SIP request.
status test author Security Onion Solutions ATT&CK technique id e30de276-68ec-435c-ab99-ef3befec6c61
carbon_black query
logtype:15001
view Sigma YAML 
title: OpenCanary - SIP Request
id: e30de276-68ec-435c-ab99-ef3befec6c61
status: test
description: Detects instances where an SIP service on an OpenCanary node has had a SIP request.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
    - attack.collection
    - attack.t1123
logsource:
    category: application
    product: opencanary
detection:
    selection:
        logtype: 15001
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate Medium FP
OpenCanary - SMB File Open Request
Detects instances where an SMB service on an OpenCanary node has had a file open request.
status test author Security Onion Solutions ATT&CK technique id 22777c9e-873a-4b49-855f-6072ab861a52
carbon_black query
logtype:5000
view Sigma YAML 
title: OpenCanary - SMB File Open Request
id: 22777c9e-873a-4b49-855f-6072ab861a52
status: test
description: Detects instances where an SMB service on an OpenCanary node has had a file open request.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
    - attack.lateral-movement
    - attack.collection
    - attack.t1021
    - attack.t1005
logsource:
    category: application
    product: opencanary
detection:
    selection:
        logtype: 5000
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate Medium FP
OpenCanary - SNMP OID Request
Detects instances where an SNMP service on an OpenCanary node has had an OID request.
status test author Security Onion Solutions ATT&CK technique id e9856028-fd4e-46e6-b3d1-10f7ceb95078
carbon_black query
logtype:13001
view Sigma YAML 
title: OpenCanary - SNMP OID Request
id: e9856028-fd4e-46e6-b3d1-10f7ceb95078
status: test
description: Detects instances where an SNMP service on an OpenCanary node has had an OID request.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
    - attack.discovery
    - attack.lateral-movement
    - attack.t1016
    - attack.t1021
logsource:
    category: application
    product: opencanary
detection:
    selection:
        logtype: 13001
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate Medium FP
OpenCanary - SSH Login Attempt
Detects instances where an SSH service on an OpenCanary node has had a login attempt.
status test author Security Onion Solutions ATT&CK technique id ff7139bc-fdb1-4437-92f2-6afefe8884cb
carbon_black query
logtype:4002
view Sigma YAML 
title: OpenCanary - SSH Login Attempt
id: ff7139bc-fdb1-4437-92f2-6afefe8884cb
status: test
description: Detects instances where an SSH service on an OpenCanary node has had a login attempt.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
    - attack.privilege-escalation
    - attack.initial-access
    - attack.lateral-movement
    - attack.persistence
    - attack.stealth
    - attack.t1133
    - attack.t1021
    - attack.t1078
logsource:
    category: application
    product: opencanary
detection:
    selection:
        logtype: 4002
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate Medium FP
OpenCanary - SSH New Connection Attempt
Detects instances where an SSH service on an OpenCanary node has had a connection attempt.
status test author Security Onion Solutions ATT&CK technique id cd55f721-5623-4663-bd9b-5229cab5237d
carbon_black query
logtype:4000
view Sigma YAML 
title: OpenCanary - SSH New Connection Attempt
id: cd55f721-5623-4663-bd9b-5229cab5237d
status: test
description: Detects instances where an SSH service on an OpenCanary node has had a connection attempt.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
    - attack.privilege-escalation
    - attack.initial-access
    - attack.lateral-movement
    - attack.persistence
    - attack.stealth
    - attack.t1133
    - attack.t1021
    - attack.t1078
logsource:
    category: application
    product: opencanary
detection:
    selection:
        logtype: 4000
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate Medium FP
OpenCanary - TFTP Request
Detects instances where a TFTP service on an OpenCanary node has had a request.
status test author Security Onion Solutions ATT&CK technique id b4e6b016-a2ac-4759-ad85-8000b300d61e
carbon_black query
logtype:10001
view Sigma YAML 
title: OpenCanary - TFTP Request
id: b4e6b016-a2ac-4759-ad85-8000b300d61e
status: test
description: Detects instances where a TFTP service on an OpenCanary node has had a request.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
    - attack.exfiltration
    - attack.t1041
logsource:
    category: application
    product: opencanary
detection:
    selection:
        logtype: 10001
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate Medium FP
OpenCanary - Telnet Login Attempt
Detects instances where a Telnet service on an OpenCanary node has had a login attempt.
status test author Security Onion Solutions ATT&CK technique id 512cff7a-683a-43ad-afe0-dd398e872f36
carbon_black query
logtype:6001
view Sigma YAML 
title: OpenCanary - Telnet Login Attempt
id: 512cff7a-683a-43ad-afe0-dd398e872f36
status: test
description: Detects instances where a Telnet service on an OpenCanary node has had a login attempt.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.command-and-control
    - attack.stealth
    - attack.t1133
    - attack.t1078
logsource:
    category: application
    product: opencanary
detection:
    selection:
        logtype: 6001
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate Medium FP
OpenCanary - VNC Connection Attempt
Detects instances where a VNC service on an OpenCanary node has had a connection attempt.
status test author Security Onion Solutions ATT&CK technique id 9db5446c-b44a-4291-8b89-fcab5609c3b3
carbon_black query
logtype:12001
view Sigma YAML 
title: OpenCanary - VNC Connection Attempt
id: 9db5446c-b44a-4291-8b89-fcab5609c3b3
status: test
description: Detects instances where a VNC service on an OpenCanary node has had a connection attempt.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
    - attack.lateral-movement
    - attack.t1021
logsource:
    category: application
    product: opencanary
detection:
    selection:
        logtype: 12001
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate Medium FP
OpenWith.exe Executes Specified Binary
The OpenWith.exe executes other binary
status test author Beyu Denis, oscd.community (rule), @harr0ey (idea) ATT&CK technique id cec8e918-30f7-4e2d-9bfa-a59cc97ae60f
carbon_black query
Image:\\OpenWith.exe CommandLine:\/c*
view Sigma YAML 
title: OpenWith.exe Executes Specified Binary
id: cec8e918-30f7-4e2d-9bfa-a59cc97ae60f
status: test
description: The OpenWith.exe executes other binary
references:
    - https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Openwith.yml
    - https://twitter.com/harr0ey/status/991670870384021504
author: Beyu Denis, oscd.community (rule), @harr0ey (idea)
date: 2019-10-12
modified: 2021-11-27
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\OpenWith.exe'
        CommandLine|contains: '/c'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
Operation Wocao Activity
Detects activity mentioned in Operation Wocao report
status test author Florian Roth (Nextron Systems), frack113 ATT&CK sub-technique id 1cfac73c-be78-4f9a-9b08-5bde0c3953ab
carbon_black query
CommandLine:checkadmin.exe\ 127.0.0.1\ \-all* OR CommandLine:netsh\ advfirewall\ firewall\ add\ rule\ name=powershell\ dir=in* OR CommandLine:cmd\ \/c\ powershell.exe\ \-ep\ bypass\ \-file\ c\:\\s.ps1* OR CommandLine:\/tn\ win32times\ \/f* OR CommandLine:create\ win32times\ binPath=* OR CommandLine:\\c$\\windows\\system32\\devmgr.dll* OR CommandLine:\ \-exec\ bypass\ \-enc\ JgAg* OR CommandLine:type\ *keepass\\KeePass.config.xml* OR CommandLine:iie.exe\ iie.txt* OR CommandLine:reg\ query\ HKEY_CURRENT_USER\\Software\\*\\PuTTY\\Sessions\\*
view Sigma YAML 
title: Operation Wocao Activity
id: 1cfac73c-be78-4f9a-9b08-5bde0c3953ab
related:
    - id: 74ad4314-482e-4c3e-b237-3f7ed3b9ca8d
      type: derived
status: test
description: Detects activity mentioned in Operation Wocao report
references:
    - https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/
    - https://twitter.com/SBousseaden/status/1207671369963646976
author: Florian Roth (Nextron Systems), frack113
date: 2019-12-20
modified: 2022-10-09
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.discovery
    - attack.stealth
    - attack.t1012
    - attack.t1036.004
    - attack.t1027
    - attack.execution
    - attack.t1053.005
    - attack.t1059.001
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    selection:
        CommandLine|contains:
            - 'checkadmin.exe 127.0.0.1 -all'
            - 'netsh advfirewall firewall add rule name=powershell dir=in'
            - 'cmd /c powershell.exe -ep bypass -file c:\s.ps1'
            - '/tn win32times /f'
            - 'create win32times binPath='
            - '\c$\windows\system32\devmgr.dll'
            - ' -exec bypass -enc JgAg'
            - 'type *keepass\KeePass.config.xml'
            - 'iie.exe iie.txt'
            - 'reg query HKEY_CURRENT_USER\Software\\*\PuTTY\Sessions\'
    condition: selection
falsepositives:
    - Administrators that use checkadmin.exe tool to enumerate local administrators
level: high
Convert to SIEM query
high Strong Medium FP
Operation Wocao Activity - Security
Detects activity mentioned in Operation Wocao report
status test author Florian Roth (Nextron Systems), frack113 ATT&CK sub-technique id 74ad4314-482e-4c3e-b237-3f7ed3b9ca8d
carbon_black query
EventID:4799 TargetUserName:Administr* CallerProcessName:\\checkadmin.exe
view Sigma YAML 
title: Operation Wocao Activity - Security
id: 74ad4314-482e-4c3e-b237-3f7ed3b9ca8d
status: test
description: Detects activity mentioned in Operation Wocao report
references:
    - https://web.archive.org/web/20200226212615/https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/
    - https://web.archive.org/web/20200226212615/https://resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf
    - https://twitter.com/SBousseaden/status/1207671369963646976
author: Florian Roth (Nextron Systems), frack113
date: 2019-12-20
modified: 2022-11-27
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.discovery
    - attack.stealth
    - attack.t1012
    - attack.t1036.004
    - attack.t1027
    - attack.execution
    - attack.t1053.005
    - attack.t1059.001
    - detection.emerging-threats
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4799
        TargetUserName|startswith: 'Administr'
        CallerProcessName|endswith: '\checkadmin.exe'
    condition: selection
falsepositives:
    - Administrators that use checkadmin.exe tool to enumerate local administrators
level: high
Convert to SIEM query
high Moderate High FP
Operator Bloopers Cobalt Strike Commands
Detects use of Cobalt Strike commands accidentally entered in the CMD shell
status test author _pete_0, TheDFIRReport ATT&CK sub-technique id 647c7b9e-d784-4fda-b9a0-45c565a7b729
carbon_black query
(OriginalFileName:Cmd.Exe OR Image:\\cmd.exe) ((CommandLine:cmd\ * OR CommandLine:cmd.exe* OR CommandLine:c\:\\windows\\system32\\cmd.exe*) (CommandLine:psinject* OR CommandLine:spawnas* OR CommandLine:make_token* OR CommandLine:remote\-exec* OR CommandLine:rev2self* OR CommandLine:dcsync* OR CommandLine:logonpasswords* OR CommandLine:execute\-assembly* OR CommandLine:getsystem*))
view Sigma YAML 
title: Operator Bloopers Cobalt Strike Commands
id: 647c7b9e-d784-4fda-b9a0-45c565a7b729
related:
    - id: 4f154fb6-27d1-4813-a759-78b93e0b9c48
      type: similar
status: test
description: Detects use of Cobalt Strike commands accidentally entered in the CMD shell
references:
    - https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf
    - https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/
    - https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/
author: _pete_0, TheDFIRReport
date: 2022-05-06
modified: 2023-01-30
tags:
    - attack.execution
    - attack.t1059.003
    - stp.1u
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'Cmd.Exe'
        - Image|endswith: '\cmd.exe'
    selection_cli:
        CommandLine|startswith:
            - 'cmd '
            - 'cmd.exe'
            - 'c:\windows\system32\cmd.exe'
        CommandLine|contains:
            - 'psinject'
            - 'spawnas'
            - 'make_token'
            - 'remote-exec'
            - 'rev2self'
            - 'dcsync'
            - 'logonpasswords'
            - 'execute-assembly'
            - 'getsystem'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
Operator Bloopers Cobalt Strike Modules
Detects Cobalt Strike module/commands accidentally entered in CMD shell
status test author _pete_0, TheDFIRReport ATT&CK sub-technique id 4f154fb6-27d1-4813-a759-78b93e0b9c48
carbon_black query
(OriginalFileName:Cmd.Exe OR Image:\\cmd.exe) (CommandLine:Invoke\-UserHunter* OR CommandLine:Invoke\-ShareFinder* OR CommandLine:Invoke\-Kerberoast* OR CommandLine:Invoke\-SMBAutoBrute* OR CommandLine:Invoke\-Nightmare* OR CommandLine:zerologon* OR CommandLine:av_query*)
view Sigma YAML 
title: Operator Bloopers Cobalt Strike Modules
id: 4f154fb6-27d1-4813-a759-78b93e0b9c48
related:
    - id: 647c7b9e-d784-4fda-b9a0-45c565a7b729
      type: similar
status: test
description: Detects Cobalt Strike module/commands accidentally entered in CMD shell
references:
    - https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf
    - https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/
    - https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/
author: _pete_0, TheDFIRReport
date: 2022-05-06
modified: 2023-01-30
tags:
    - attack.execution
    - attack.t1059.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'Cmd.Exe'
        - Image|endswith: '\cmd.exe'
    selection_cli:
        CommandLine|contains:
            - 'Invoke-UserHunter'
            - 'Invoke-ShareFinder'
            - 'Invoke-Kerberoast'
            - 'Invoke-SMBAutoBrute'
            - 'Invoke-Nightmare'
            - 'zerologon'
            - 'av_query'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
Oracle WebLogic Exploit CVE-2020-14882
Detects exploitation attempts on WebLogic servers
status test author Florian Roth (Nextron Systems) ATT&CK technique id 85d466b0-d74c-4514-84d3-2bdd3327588b
carbon_black query
"cs-uri-query":\/console\/images\/%252E%252E%252Fconsole.portal* OR "cs-uri-query":\/console\/css\/%2e*
view Sigma YAML 
title: Oracle WebLogic Exploit CVE-2020-14882
id: 85d466b0-d74c-4514-84d3-2bdd3327588b
status: test
description: Detects exploitation attempts on WebLogic servers
references:
    - https://isc.sans.edu/diary/26734
    - https://twitter.com/jas502n/status/1321416053050667009?s=20
    - https://twitter.com/sudo_sudoka/status/1323951871078223874
author: Florian Roth (Nextron Systems)
date: 2020-11-02
modified: 2023-01-02
tags:
    - attack.t1190
    - attack.initial-access
    - cve.2020-14882
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection:
        cs-uri-query|contains:
            - '/console/images/%252E%252E%252Fconsole.portal'
            - '/console/css/%2e'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Strong Medium FP
Outbound Network Connection Initiated By Cmstp.EXE
Detects a network connection initiated by Cmstp.EXE Its uncommon for "cmstp.exe" to initiate an outbound network connection. Investigate the source of such requests to determine if they are malicious.
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK sub-technique id efafe0bf-4238-479e-af8f-797bd3490d2d
carbon_black query
(Image:\\cmstp.exe Initiated:true) (-(DestinationIp:127.* OR DestinationIp:10.* OR DestinationIp:172.16.* OR DestinationIp:172.17.* OR DestinationIp:172.18.* OR DestinationIp:172.19.* OR DestinationIp:172.20.* OR DestinationIp:172.21.* OR DestinationIp:172.22.* OR DestinationIp:172.23.* OR DestinationIp:172.24.* OR DestinationIp:172.25.* OR DestinationIp:172.26.* OR DestinationIp:172.27.* OR DestinationIp:172.28.* OR DestinationIp:172.29.* OR DestinationIp:172.30.* OR DestinationIp:172.31.* OR DestinationIp:192.168.* OR DestinationIp:169.254.* OR DestinationIp:\:\:1 OR DestinationIp:fe8* OR DestinationIp:fe9* OR DestinationIp:fea* OR DestinationIp:feb* OR DestinationIp:fc* OR DestinationIp:fd*))
view Sigma YAML 
title: Outbound Network Connection Initiated By Cmstp.EXE
id: efafe0bf-4238-479e-af8f-797bd3490d2d
status: test
description: |
    Detects a network connection initiated by Cmstp.EXE
    Its uncommon for "cmstp.exe" to initiate an outbound network connection. Investigate the source of such requests to determine if they are malicious.
references:
    - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-30
modified: 2024-05-31
tags:
    - attack.stealth
    - attack.t1218.003
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith: '\cmstp.exe'
        Initiated: 'true'
    filter_main_local_ranges:
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - '::1/128'  # IPv6 loopback
            - 'fe80::/10'  # IPv6 link-local addresses
            - 'fc00::/7'  # IPv6 private addresses
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
# Note: Please report any false positive seen in the wild to help tune the rule.
level: high
Convert to SIEM query
high Strong Medium FP
Outbound Network Connection Initiated By Microsoft Dialer
Detects outbound network connection initiated by Microsoft Dialer. The Microsoft Dialer, also known as Phone Dialer, is a built-in utility application included in various versions of the Microsoft Windows operating system. Its primary function is to provide users with a graphical interface for managing phone calls via a modem or a phone line connected to the computer. This is an outdated process in the current conext of it's usage and is a common target for info stealers for process injection, and is used to make C2 connections, common example is "Rhadamanthys"
status test author CertainlyP ATT&CK sub-technique id 37e4024a-6c80-4d8f-b95d-2e7e94f3a8d1
carbon_black query
(Image:\:\\Windows\\System32\\dialer.exe Initiated:true) (-(DestinationIp:127.* OR DestinationIp:10.* OR DestinationIp:172.16.* OR DestinationIp:172.17.* OR DestinationIp:172.18.* OR DestinationIp:172.19.* OR DestinationIp:172.20.* OR DestinationIp:172.21.* OR DestinationIp:172.22.* OR DestinationIp:172.23.* OR DestinationIp:172.24.* OR DestinationIp:172.25.* OR DestinationIp:172.26.* OR DestinationIp:172.27.* OR DestinationIp:172.28.* OR DestinationIp:172.29.* OR DestinationIp:172.30.* OR DestinationIp:172.31.* OR DestinationIp:192.168.* OR DestinationIp:169.254.* OR DestinationIp:\:\:1 OR DestinationIp:fe8* OR DestinationIp:fe9* OR DestinationIp:fea* OR DestinationIp:feb* OR DestinationIp:fc* OR DestinationIp:fd*))
view Sigma YAML 
title: Outbound Network Connection Initiated By Microsoft Dialer
id: 37e4024a-6c80-4d8f-b95d-2e7e94f3a8d1
status: test
description: |
    Detects outbound network connection initiated by Microsoft Dialer.
    The Microsoft Dialer, also known as Phone Dialer, is a built-in utility application included in various versions of the Microsoft Windows operating system. Its primary function is to provide users with a graphical interface for managing phone calls via a modem or a phone line connected to the computer.
    This is an outdated process in the current conext of it's usage and is a common target for info stealers for process injection, and is used to make C2 connections, common example is "Rhadamanthys"
references:
    - https://tria.ge/240301-rk34sagf5x/behavioral2
    - https://app.any.run/tasks/6720b85b-9c53-4a12-b1dc-73052a78477d
    - https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/
    - https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html
author: CertainlyP
date: 2024-04-26
tags:
    - attack.execution
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith: ':\Windows\System32\dialer.exe'
        Initiated: 'true'
    filter_main_local_ranges:
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - '::1/128'  # IPv6 loopback
            - 'fe80::/10'  # IPv6 link-local addresses
            - 'fc00::/7'  # IPv6 private addresses
    condition: selection and not 1 of filter_main_*
falsepositives:
    - In Modern Windows systems, unable to see legitimate usage of this process, However, if an organization has legitimate purpose for this there can be false positives.
level: high
Convert to SIEM query
high Strong Medium FP
Outbound Network Connection Initiated By Script Interpreter
Detects a script interpreter wscript/cscript opening a network connection to a non-local network. Adversaries may use script to download malicious payloads.
status test author frack113, Florian Roth (Nextron Systems) ATT&CK technique id 992a6cae-db6a-43c8-9cec-76d7195c96fc
carbon_black query
(Initiated:true (Image:\\wscript.exe OR Image:\\cscript.exe)) (-((DestinationIp:127.* OR DestinationIp:10.* OR DestinationIp:172.16.* OR DestinationIp:172.17.* OR DestinationIp:172.18.* OR DestinationIp:172.19.* OR DestinationIp:172.20.* OR DestinationIp:172.21.* OR DestinationIp:172.22.* OR DestinationIp:172.23.* OR DestinationIp:172.24.* OR DestinationIp:172.25.* OR DestinationIp:172.26.* OR DestinationIp:172.27.* OR DestinationIp:172.28.* OR DestinationIp:172.29.* OR DestinationIp:172.30.* OR DestinationIp:172.31.* OR DestinationIp:192.168.* OR DestinationIp:169.254.* OR DestinationIp:\:\:1 OR DestinationIp:fe8* OR DestinationIp:fe9* OR DestinationIp:fea* OR DestinationIp:feb* OR DestinationIp:fc* OR DestinationIp:fd*) OR DestinationIp:20.0.* OR DestinationIp:20.1.* OR DestinationIp:20.2.* OR DestinationIp:20.3.* OR DestinationIp:20.4.* OR DestinationIp:20.5.* OR DestinationIp:20.6.* OR DestinationIp:20.7.* OR DestinationIp:20.8.* OR DestinationIp:20.9.* OR DestinationIp:20.10.* OR DestinationIp:20.11.* OR DestinationIp:20.12.* OR DestinationIp:20.13.* OR DestinationIp:20.14.* OR DestinationIp:20.15.* OR DestinationIp:20.16.* OR DestinationIp:20.17.* OR DestinationIp:20.18.* OR DestinationIp:20.19.* OR DestinationIp:20.20.* OR DestinationIp:20.21.* OR DestinationIp:20.22.* OR DestinationIp:20.23.* OR DestinationIp:20.24.* OR DestinationIp:20.25.* OR DestinationIp:20.26.* OR DestinationIp:20.27.* OR DestinationIp:20.28.* OR DestinationIp:20.29.* OR DestinationIp:20.30.* OR DestinationIp:20.31.*))
view Sigma YAML 
title: Outbound Network Connection Initiated By Script Interpreter
id: 992a6cae-db6a-43c8-9cec-76d7195c96fc
related:
    - id: 08249dc0-a28d-4555-8ba5-9255a198e08c
      type: derived
status: test
description: Detects a script interpreter wscript/cscript opening a network connection to a non-local network. Adversaries may use script to download malicious payloads.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md
author: frack113, Florian Roth (Nextron Systems)
date: 2022-08-28
modified: 2024-03-13
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        Image|endswith:
            - '\wscript.exe'
            - '\cscript.exe'
    filter_main_local_ranges:
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - '::1/128'  # IPv6 loopback
            - 'fe80::/10'  # IPv6 link-local addresses
            - 'fc00::/7'  # IPv6 private addresses
    filter_main_ms_ranges:
        DestinationIp|cidr: '20.0.0.0/11' # Microsoft range, caused some FPs
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate scripts
level: high
Convert to SIEM query
high Strong Medium FP
Outdated Dependency Or Vulnerability Alert Disabled
Dependabot performs a scan to detect insecure dependencies, and sends Dependabot alerts. This rule detects when an organization owner disables Dependabot alerts private repositories or Dependabot security updates for all repositories.
status test author Muhammad Faisal (@faisalusuf) ATT&CK sub-technique id 34e1c7d4-0cd5-419d-9f1b-1dad3f61018d
carbon_black query
action:dependabot_alerts_new_repos.disable OR action:dependabot_alerts.disable OR action:dependabot_security_updates_new_repos.disable OR action:dependabot_security_updates.disable OR action:repository_vulnerability_alerts.disable
view Sigma YAML 
title: Outdated Dependency Or Vulnerability Alert Disabled
id: 34e1c7d4-0cd5-419d-9f1b-1dad3f61018d
status: test
description: |
    Dependabot performs a scan to detect insecure dependencies, and sends Dependabot alerts.
    This rule detects when an organization owner disables Dependabot alerts private repositories or Dependabot security updates for all repositories.
author: Muhammad Faisal (@faisalusuf)
date: 2023-01-27
references:
    - https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts
    - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization
tags:
    - attack.initial-access
    - attack.t1195.001
logsource:
    product: github
    service: audit
    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
detection:
    selection:
        action:
            - 'dependabot_alerts_new_repos.disable'
            - 'dependabot_alerts.disable'
            - 'dependabot_security_updates_new_repos.disable'
            - 'dependabot_security_updates.disable'
            - 'repository_vulnerability_alerts.disable'
    condition: selection
falsepositives:
    - Approved changes by the Organization owner. Please validate the 'actor' if authorized to make the changes.
level: high
Convert to SIEM query
high Moderate High FP
Outlook EnableUnsafeClientMailRules Setting Enabled
Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros
status test author Markus Neis, Nasreddine Bencherchali (Nextron Systems) ATT&CK technique id 55f0a3a1-846e-40eb-8273-677371b8d912
carbon_black query
CommandLine:\\Outlook\\Security\\EnableUnsafeClientMailRules*
view Sigma YAML 
title: Outlook EnableUnsafeClientMailRules Setting Enabled
id: 55f0a3a1-846e-40eb-8273-677371b8d912
related:
    - id: 6763c6c8-bd01-4687-bc8d-4fa52cf8ba08 # Registry variation
      type: similar
status: test
description: Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros
references:
    - https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44
    - https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048
author: Markus Neis, Nasreddine Bencherchali (Nextron Systems)
date: 2018-12-27
modified: 2023-02-09
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: '\Outlook\Security\EnableUnsafeClientMailRules'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
Outlook EnableUnsafeClientMailRules Setting Enabled - Registry
Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK technique id 6763c6c8-bd01-4687-bc8d-4fa52cf8ba08
carbon_black query
TargetObject:\\Outlook\\Security\\EnableUnsafeClientMailRules Details:DWORD\ \(0x00000001\)
view Sigma YAML 
title: Outlook EnableUnsafeClientMailRules Setting Enabled - Registry
id: 6763c6c8-bd01-4687-bc8d-4fa52cf8ba08
related:
    - id: c3cefdf4-6703-4e1c-bad8-bf422fc5015a
      type: similar
    - id: 55f0a3a1-846e-40eb-8273-677371b8d912 # ProcCreation variation
      type: similar
status: test
description: Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros
references:
    - https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-08
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Outlook\Security\EnableUnsafeClientMailRules'
        Details: 'DWORD (0x00000001)'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
Outlook Macro Execution Without Warning Setting Enabled
Detects the modification of Outlook security setting to allow unprompted execution of macros.
status test author @ScoubiMtl ATT&CK technique id e3b50fa5-3c3f-444e-937b-0a99d33731cd
carbon_black query
TargetObject:\\Outlook\\Security\\Level Details:0x00000001*
view Sigma YAML 
title: Outlook Macro Execution Without Warning Setting Enabled
id: e3b50fa5-3c3f-444e-937b-0a99d33731cd
status: test
description: Detects the modification of Outlook security setting to allow unprompted execution of macros.
references:
    - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53
author: '@ScoubiMtl'
date: 2021-04-05
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.command-and-control
    - attack.t1137
    - attack.t1008
    - attack.t1546
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Outlook\Security\Level'
        Details|contains: '0x00000001' # Enable all Macros
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate High FP
PCRE.NET Package Image Load
Detects processes loading modules related to PCRE.NET package
status test author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) ATT&CK technique id 84b0a8f3-680b-4096-a45b-e9a89221727c
carbon_black query
ImageLoaded:\\AppData\\Local\\Temp\\ba9ea7344a4a5f591d6e5dc32a13494b\\*
view Sigma YAML 
title: PCRE.NET Package Image Load
id: 84b0a8f3-680b-4096-a45b-e9a89221727c
status: test
description: Detects processes loading modules related to PCRE.NET package
references:
    - https://twitter.com/rbmaslen/status/1321859647091970051
    - https://twitter.com/tifkin_/status/1321916444557365248
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-10-29
modified: 2022-10-09
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|contains: \AppData\Local\Temp\ba9ea7344a4a5f591d6e5dc32a13494b\
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
PCRE.NET Package Temp Files
Detects processes creating temp files related to PCRE.NET package
status test author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) ATT&CK technique id 6e90ae7a-7cd3-473f-a035-4ebb72d961da
carbon_black query
TargetFilename:\\AppData\\Local\\Temp\\ba9ea7344a4a5f591d6e5dc32a13494b\\*
view Sigma YAML 
title: PCRE.NET Package Temp Files
id: 6e90ae7a-7cd3-473f-a035-4ebb72d961da
status: test
description: Detects processes creating temp files related to PCRE.NET package
references:
    - https://twitter.com/rbmaslen/status/1321859647091970051
    - https://twitter.com/tifkin_/status/1321916444557365248
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-10-29
modified: 2022-10-09
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains: \AppData\Local\Temp\ba9ea7344a4a5f591d6e5dc32a13494b\
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
PDF File Created By RegEdit.EXE
Detects the creation of a file with the ".pdf" extension by the "RegEdit.exe" process. This indicates that a user is trying to print/save a registry key as a PDF in order to potentially extract sensitive information and bypass defenses.
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK tactic-only id 145095eb-e273-443b-83d0-f9b519b7867b
carbon_black query
Image:\\regedit.exe TargetFilename:.pdf
view Sigma YAML 
title: PDF File Created By RegEdit.EXE
id: 145095eb-e273-443b-83d0-f9b519b7867b
status: test
description: |
    Detects the creation of a file with the ".pdf" extension by the "RegEdit.exe" process.
    This indicates that a user is trying to print/save a registry key as a PDF in order to potentially extract sensitive information and bypass defenses.
references:
    - https://sensepost.com/blog/2024/dumping-lsa-secrets-a-story-about-task-decorrelation/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-07-08
tags:
    - attack.stealth
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith: '\regedit.exe'
        TargetFilename|endswith: '.pdf'
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate Medium FP
PIM Alert Setting Changes To Disabled
Detects when PIM alerts are set to disabled.
status test author Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' ATT&CK technique id aeaef14c-e5bf-4690-a9c8-835caad458bd
carbon_black query
"properties.message":Disable\ PIM\ Alert
view Sigma YAML 
title: PIM Alert Setting Changes To Disabled
id: aeaef14c-e5bf-4690-a9c8-835caad458bd
status: test
description: Detects when PIM alerts are set to disabled.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment
author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
date: 2022-08-09
tags:
    - attack.initial-access
    - attack.persistence
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1078
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        properties.message: Disable PIM Alert
    condition: selection
falsepositives:
    - Administrator disabling PIM alerts as an active choice.
level: high
Convert to SIEM query
high Moderate Medium FP
PIM Approvals And Deny Elevation
Detects when a PIM elevation is approved or denied. Outside of normal operations should be investigated.
status test author Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' ATT&CK sub-technique id 039a7469-0296-4450-84c0-f6966b16dc6d
carbon_black query
"properties.message":Request\ Approved\/Denied
view Sigma YAML 
title: PIM Approvals And Deny Elevation
id: 039a7469-0296-4450-84c0-f6966b16dc6d
status: test
description: Detects when a PIM elevation is approved or denied. Outside of normal operations should be investigated.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment
author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
date: 2022-08-09
tags:
    - attack.persistence
    - attack.initial-access
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1078.004
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        properties.message: Request Approved/Denied
    condition: selection
falsepositives:
    - Actual admin using PIM.
level: high
Convert to SIEM query
high Moderate High FP
PPL Tampering Via WerFaultSecure
Detects potential abuse of WerFaultSecure.exe to dump Protected Process Light (PPL) processes like LSASS or to freeze security solutions (EDR/antivirus). This technique is used by tools such as EDR-Freeze and WSASS to bypass PPL protections and access sensitive information or disable security software. Distinct command line patterns help identify the specific tool: - WSASS usage typically shows: "WSASS.exe WerFaultSecure.exe [PID]" in ParentCommandLine - EDR-Freeze usage typically shows: "EDR-Freeze_[version].exe [PID] [timeout]" in ParentCommandLine Legitimate debugging operations using WerFaultSecure are rare in production environments and should be investigated.
status experimental author Jason (https://github.com/0xbcf) ATT&CK sub-technique id 1f0b4cac-9c81-41f4-95d0-8475ff46b3e2
carbon_black query
(Image:\\WerFaultSecure.exe OR OriginalFileName:WerFaultSecure.exe) (CommandLine:\ \/h\ * CommandLine:\ \/pid\ * CommandLine:\ \/tid\ * CommandLine:\ \/encfile\ * CommandLine:\ \/cancel\ * CommandLine:\ \/type\ * CommandLine:\ 268310*)
view Sigma YAML 
title: PPL Tampering Via WerFaultSecure
id: 1f0b4cac-9c81-41f4-95d0-8475ff46b3e2
related:
    - id: 387df17d-3b04-448f-8669-9e7fd5e5fd8c
      type: similar
    - id: 8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b
      type: similar
status: experimental
description: |
    Detects potential abuse of WerFaultSecure.exe to dump Protected Process Light (PPL) processes like LSASS or to freeze security solutions (EDR/antivirus).
    This technique is used by tools such as EDR-Freeze and WSASS to bypass PPL protections and access sensitive information or disable security software.
    Distinct command line patterns help identify the specific tool:
    - WSASS usage typically shows: "WSASS.exe WerFaultSecure.exe [PID]" in ParentCommandLine
    - EDR-Freeze usage typically shows: "EDR-Freeze_[version].exe [PID] [timeout]" in ParentCommandLine
    Legitimate debugging operations using WerFaultSecure are rare in production environments and should be investigated.
references:
    - https://www.zerosalarium.com/2025/09/EDR-Freeze-Puts-EDRs-Antivirus-Into-Coma.html
    - https://github.com/TwoSevenOneT/EDR-Freeze/blob/a7f61030b36fbde89871f393488f7075d2aa89f6/EDR-Freeze.cpp#L53
    - https://www.zerosalarium.com/2025/09/Dumping-LSASS-With-WER-On-Modern-Windows-11.html
    - https://github.com/TwoSevenOneT/WSASS/blob/2c8fd9fa32143e7bc9f066e9511c6f8a57bc64b5/WSASS.cpp#L251
author: Jason (https://github.com/0xbcf)
date: 2025-09-23
modified: 2025-11-23
tags:
    - attack.defense-impairment
    - attack.t1685
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_image:
        - Image|endswith: '\WerFaultSecure.exe'
        - OriginalFileName: 'WerFaultSecure.exe'
    selection_args:
        CommandLine|contains|all:
            - ' /h '
            - ' /pid ' # Antimalware or EDR process pid will be after this flag
            - ' /tid '
            - ' /encfile '
            - ' /cancel '
            - ' /type '
            - ' 268310'
    condition: all of selection_*
falsepositives:
    - Legitimate usage of WerFaultSecure for debugging purposes
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_werfaultsecure_abuse/info.yml
Convert to SIEM query
high Moderate High FP
PSAsyncShell - Asynchronous TCP Reverse Shell
Detects the use of PSAsyncShell an Asynchronous TCP Reverse Shell written in powershell
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK sub-technique id afd3df04-948d-46f6-ae44-25966c44b97f
carbon_black query
ScriptBlockText:PSAsyncShell*
view Sigma YAML 
title: PSAsyncShell - Asynchronous TCP Reverse Shell
id: afd3df04-948d-46f6-ae44-25966c44b97f
status: test
description: Detects the use of PSAsyncShell an Asynchronous TCP Reverse Shell written in powershell
references:
    - https://github.com/JoelGMSec/PSAsyncShell
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-04
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains: 'PSAsyncShell'
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
Showing 851-900 of 3,646
Prev 18 Next
SOC and Response
CVE triage
Stack monitoring
Am I affected
IOC triage
KEV catalog
Recently exploited
Daily brief
Change tracking
Detection Engineering
Detection coverage workspace
Saved stacks
SIEM query builder
Detection rules
D3FEND
Threat Hunting
Threat actors
ATT&CK techniques
Attack paths
Indicators
Ransomware groups
Atomic tests
Red Team and Pentest
Exploitability triage
Recon pack
Attack paths
CAPEC patterns
Adversary emulation
Compliance and GRC
Framework mapping
Control assessment
Audit view
Atlas Search Threat actors Techniques Detection coverage Tools & malware CWE CAPEC KEV catalog Package vulns
About All capabilities Pricing API docs Privacy policy Terms of service
threatengine.sh