Tool
EDR / XDR
VMware Carbon Black
3,646 rules · Sigma detections in VMware Carbon Black syntax
The same Sigma detection corpus, machine-rendered into VMware Carbon Black query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 3,646 rules (.zip, 1.2 MB)
Every VMware Carbon Black query in this view, packaged to deploy.
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance12
Resource Development10
Initial Access10
Execution30
Persistence42
Privilege Escalation20
Stealth79
Defense Impairment32
Credential Access35
Discovery33
Lateral Movement16
Collection20
Command and Control24
Exfiltration10
Impact18
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
◈
Detection rules
50 shown of 3,646
high
Moderate
Medium FP
Possible Impacket SecretDump Remote Activity
Detect AD credential dumping using impacket secretdump HKTL
view Sigma YAML
title: Possible Impacket SecretDump Remote Activity
id: 252902e3-5830-4cf6-bf21-c22083dfd5cf
status: test
description: Detect AD credential dumping using impacket secretdump HKTL
references:
- https://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html
author: Samir Bousseaden, wagga
date: 2019-04-03
modified: 2022-08-11
tags:
- attack.credential-access
- attack.t1003.002
- attack.t1003.004
- attack.t1003.003
logsource:
product: windows
service: security
definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
selection:
EventID: 5145
ShareName: '\\\\\*\\ADMIN$' # looking for the string \\*\ADMIN$
RelativeTargetName|contains|all:
- 'SYSTEM32\'
- '.tmp'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Possible Impacket SecretDump Remote Activity - Zeek
Detect AD credential dumping using impacket secretdump HKTL. Based on the SIGMA rules/windows/builtin/win_impacket_secretdump.yml
view Sigma YAML
title: Possible Impacket SecretDump Remote Activity - Zeek
id: 92dae1ed-1c9d-4eff-a567-33acbd95b00e
status: test
description: 'Detect AD credential dumping using impacket secretdump HKTL. Based on the SIGMA rules/windows/builtin/win_impacket_secretdump.yml'
references:
- https://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html
author: 'Samir Bousseaden, @neu5ron'
date: 2020-03-19
modified: 2021-11-27
tags:
- attack.credential-access
- attack.t1003.002
- attack.t1003.004
- attack.t1003.003
logsource:
product: zeek
service: smb_files
detection:
selection:
path|contains|all:
- '\'
- 'ADMIN$'
name|contains: 'SYSTEM32\'
name|endswith: '.tmp'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Low FP
Possible PetitPotam Coerce Authentication Attempt
Detect PetitPotam coerced authentication activity.
view Sigma YAML
title: Possible PetitPotam Coerce Authentication Attempt
id: 1ce8c8a3-2723-48ed-8246-906ac91061a6
status: test
description: Detect PetitPotam coerced authentication activity.
references:
- https://github.com/topotam/PetitPotam
- https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml
author: Mauricio Velazco, Michael Haag
date: 2021-09-02
modified: 2022-08-11
tags:
- attack.credential-access
- attack.t1187
logsource:
product: windows
service: security
definition: 'The advanced audit policy setting "Object Access > Detailed File Share" must be configured for Success/Failure'
detection:
selection:
EventID: 5145
ShareName|startswith: '\\\\' # looking for the string \\somethink\IPC$
ShareName|endswith: '\IPC$'
RelativeTargetName: lsarpc
SubjectUserName: ANONYMOUS LOGON
condition: selection
falsepositives:
- Unknown. Feedback welcomed.
level: high
Convert to SIEM query
high
Moderate
Medium FP
Possible Privilege Escalation via Weak Service Permissions
Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand
view Sigma YAML
title: Possible Privilege Escalation via Weak Service Permissions
id: d937b75f-a665-4480-88a5-2f20e9f9b22a
status: test
description: Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand
references:
- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
- https://pentestlab.blog/2017/03/30/weak-service-permissions/
author: Teymur Kheirkhabarov
date: 2019-10-26
modified: 2024-12-01
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.011
logsource:
category: process_creation
product: windows
detection:
scbynonadmin:
Image|endswith: '\sc.exe'
IntegrityLevel:
- 'Medium'
- 'S-1-16-8192'
selection_binpath:
CommandLine|contains|all:
- 'config'
- 'binPath'
selection_failure:
CommandLine|contains|all:
- 'failure'
- 'command'
condition: scbynonadmin and 1 of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Possible Shadow Credentials Added
Detects possible addition of shadow credentials to an active directory object.
view Sigma YAML
title: Possible Shadow Credentials Added
id: f598ea0c-c25a-4f72-a219-50c44411c791
status: test
description: Detects possible addition of shadow credentials to an active directory object.
references:
- https://www.elastic.co/guide/en/security/8.4/potential-shadow-credentials-added-to-ad-object.html
- https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/
- https://twitter.com/SBousseaden/status/1581300963650187264?
author: Nasreddine Bencherchali (Nextron Systems), Elastic (idea)
date: 2022-10-17
tags:
- attack.persistence
- attack.credential-access
- attack.defense-impairment
- attack.t1556
logsource:
product: windows
service: security
definition: The "Audit Directory Service Changes" logging policy must be configured in order to receive events. Audit events are generated only for objects with configured system access control lists (SACLs). Audit events are generated only for objects with configured system access control lists (SACLs) and only when accessed in a manner that matches their SACL settings. This policy covers the following events ids - 5136, 5137, 5138, 5139, 5141. Note that the default policy does not cover User objects. For that a custom AuditRule need to be setup (See https://github.com/OTRF/Set-AuditRule)
detection:
selection:
EventID: 5136
AttributeLDAPDisplayName: 'msDS-KeyCredentialLink'
# If you experience a lot of FP you could uncomment the selection below
# There could be other cases for other tooling add them accordingly
# AttributeValue|contains: 'B:828'
# OperationType: '%%14674' # Value Added
# As stated in the FP sections it's better to filter out the expected accounts that perform this operation to tighten the logic
# Uncomment the filter below and add the account name (or any other specific field) accordingly
# Don't forget to add it to the condition section below
# filter:
# SubjectUserName: "%name%"
condition: selection
falsepositives:
- Modifications in the msDS-KeyCredentialLink attribute can be done legitimately by the Azure AD Connect synchronization account or the ADFS service account. These accounts can be added as Exceptions. (From elastic FP section)
level: high
Convert to SIEM query
high
Moderate
High FP
Potential ACTINIUM Persistence Activity
Detects specific process parameters as used by ACTINIUM scheduled task persistence creation.
view Sigma YAML
title: Potential ACTINIUM Persistence Activity
id: e1118a8f-82f5-44b3-bb6b-8a284e5df602
status: test
description: Detects specific process parameters as used by ACTINIUM scheduled task persistence creation.
references:
- https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations
author: Andreas Hunkeler (@Karneades)
date: 2022-02-07
modified: 2023-03-18
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1053
- attack.t1053.005
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'schtasks'
- 'create'
- 'wscript'
- ' /e:vbscript'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
High FP
Potential AMSI Bypass Via .NET Reflection
Detects Request to "amsiInitFailed" that can be used to disable AMSI Scanning
view Sigma YAML
title: Potential AMSI Bypass Via .NET Reflection
id: 30edb182-aa75-42c0-b0a9-e998bb29067c
related:
- id: 4f927692-68b5-4267-871b-073c45f4f6fe
type: obsolete
status: test
description: Detects Request to "amsiInitFailed" that can be used to disable AMSI Scanning
references:
- https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/
- https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
author: Markus Neis, @Kostastsale
date: 2018-08-17
modified: 2023-02-03
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection:
- CommandLine|contains|all:
- 'System.Management.Automation.AmsiUtils'
- 'amsiInitFailed'
- CommandLine|contains|all:
- '[Ref].Assembly.GetType'
- 'SetValue($null,$true)'
- 'NonPublic,Static'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential AMSI COM Server Hijacking
Detects changes to the AMSI come server registry key in order disable AMSI scanning functionalities. When AMSI attempts to starts its COM component, it will query its registered CLSID and return a non-existent COM server. This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless
view Sigma YAML
title: Potential AMSI COM Server Hijacking
id: 160d2780-31f7-4922-8b3a-efce30e63e96
status: test
description: Detects changes to the AMSI come server registry key in order disable AMSI scanning functionalities. When AMSI attempts to starts its COM component, it will query its registered CLSID and return a non-existent COM server. This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless
references:
- https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/
- https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-comreg-bypass
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-04
modified: 2023-08-17
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\(Default)'
filter:
Details: '%windir%\system32\amsi.dll'
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Potential APT FIN7 POWERHOLD Execution
Detects execution of the POWERHOLD script seen used by FIN7 as reported by WithSecureLabs
view Sigma YAML
title: Potential APT FIN7 POWERHOLD Execution
id: 71c432c4-e4da-4eab-ba49-e60ea9a81bca
status: test
description: Detects execution of the POWERHOLD script seen used by FIN7 as reported by WithSecureLabs
references:
- https://labs.withsecure.com/publications/fin7-target-veeam-servers
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-04
tags:
- attack.execution
- attack.t1059.001
- attack.g0046
- detection.emerging-threats
logsource:
product: windows
category: ps_script
definition: bade5735-5ab0-4aa7-a642-a11be0e40872
detection:
selection:
ScriptBlockText|contains|all:
- '$env:APPDATA'
- 'function MainPayload'
- '::WriteAllBytes'
- 'wscript.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Potential APT FIN7 Reconnaissance/POWERTRASH Related Activity
Detects specific command line execution used by FIN7 as reported by WithSecureLabs for reconnaissance and POWERTRASH execution
view Sigma YAML
title: Potential APT FIN7 Reconnaissance/POWERTRASH Related Activity
id: 911389c7-5ae3-43ea-bab3-a947ebdeb85e
status: test
description: Detects specific command line execution used by FIN7 as reported by WithSecureLabs for reconnaissance and POWERTRASH execution
references:
- https://labs.withsecure.com/publications/fin7-target-veeam-servers
- https://labs.withsecure.com/publications/fin7-target-veeam-servers/jcr:content/root/responsivegrid/responsivegrid/responsivegrid/image_253944286.img.png/1682500394900.png
- https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-04
tags:
- attack.execution
- attack.g0046
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_1:
CommandLine|contains|all:
- '-noni -nop -exe bypass -f \\\\'
- 'ADMIN$'
selection_2:
CommandLine|contains|all:
- '-ex bypass -noprof -nolog -nonint -f'
- 'C:\Windows\Temp\'
condition: 1 of selection_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
High FP
Potential APT FIN7 Related PowerShell Script Created
Detects PowerShell script file creation with specific name or suffix which was seen being used often by FIN7 PowerShell scripts
view Sigma YAML
title: Potential APT FIN7 Related PowerShell Script Created
id: a88d9f45-ec8a-4b0e-85ee-c9f6a65e9128
status: test
description: Detects PowerShell script file creation with specific name or suffix which was seen being used often by FIN7 PowerShell scripts
references:
- https://labs.withsecure.com/publications/fin7-target-veeam-servers
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-04
tags:
- attack.execution
- attack.g0046
- detection.emerging-threats
logsource:
category: file_event
product: windows
detection:
selection:
- TargetFilename|endswith: '_64refl.ps1'
- TargetFilename: 'host_ip.ps1'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Potential APT Mustang Panda Activity Against Australian Gov
Detects specific command line execution used by Mustang Panda in a targeted attack against the Australian government as reported by Lab52
view Sigma YAML
title: Potential APT Mustang Panda Activity Against Australian Gov
id: 7806bb49-f653-48d3-a915-5115c1a85234
status: test
description: Detects specific command line execution used by Mustang Panda in a targeted attack against the Australian government as reported by Lab52
references:
- https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-15
tags:
- attack.execution
- attack.g0129
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_1:
CommandLine|contains|all:
- 'copy SolidPDFCreator.dll'
- 'C:\Users\Public\Libraries\PhotoTvRHD\SolidPDFCreator.dll'
selection_2:
CommandLine|contains|all:
- 'reg '
- '\Windows\CurrentVersion\Run'
- 'SolidPDF'
- 'C:\Users\Public\Libraries\PhotoTvRHD\'
condition: 1 of selection_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential APT10 Cloud Hopper Activity
Detects potential process and execution activity related to APT10 Cloud Hopper operation
view Sigma YAML
title: Potential APT10 Cloud Hopper Activity
id: 966e4016-627f-44f7-8341-f394905c361f
status: test
description: Detects potential process and execution activity related to APT10 Cloud Hopper operation
references:
- https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
author: Florian Roth (Nextron Systems)
date: 2017-04-07
modified: 2023-03-08
tags:
- attack.execution
- attack.g0045
- attack.t1059.005
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_cscript:
Image|endswith: '\cscript.exe'
CommandLine|contains: '.vbs /shell '
selection_csvde:
CommandLine|contains|all:
- 'csvde -f C:\windows\web\'
- '.log'
condition: 1 of selection_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Strong
High FP
Potential Adplus.EXE Abuse
Detects execution of "AdPlus.exe", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands.
view Sigma YAML
title: Potential Adplus.EXE Abuse
id: 2f869d59-7f6a-4931-992c-cce556ff2d53
status: test
description: Detects execution of "AdPlus.exe", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands.
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/
- https://twitter.com/nas_bench/status/1534916659676422152
- https://twitter.com/nas_bench/status/1534915321856917506
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-09
modified: 2023-06-23
tags:
- attack.execution
- attack.credential-access
- attack.t1003.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\adplus.exe'
- OriginalFileName: 'Adplus.exe'
selection_cli:
CommandLine|contains:
# Dump process memory
- ' -hang '
- ' -pn '
- ' -pmn '
- ' -p '
- ' -po '
# Using a config file
- ' -c '
# Execute commands inline
- ' -sc '
condition: all of selection_*
falsepositives:
- Legitimate usage of Adplus for debugging purposes
level: high
Convert to SIEM query
high
Strong
Medium FP
Potential Arbitrary Code Execution Via Node.EXE
Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc
view Sigma YAML
title: Potential Arbitrary Code Execution Via Node.EXE
id: 6640f31c-01ad-49b5-beb5-83498a5cd8bd
status: test
description: Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc
references:
- http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
- https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return
- https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/
- https://nodejs.org/api/cli.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-09
modified: 2023-02-03
tags:
- attack.execution
- attack.stealth
- attack.t1127
logsource:
category: process_creation
product: windows
detection:
selection_main:
Image|endswith: '\node.exe'
CommandLine|contains:
- ' -e '
- ' --eval '
# Add more pattern of abuse as actions
selection_action_reverse_shell:
CommandLine|contains|all:
- '.exec('
- 'net.socket'
- '.connect'
- 'child_process'
condition: selection_main and 1 of selection_action_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Strong
Medium FP
Potential Arbitrary Command Execution Using Msdt.EXE
Detects processes leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability
view Sigma YAML
title: Potential Arbitrary Command Execution Using Msdt.EXE
id: 258fc8ce-8352-443a-9120-8a11e4857fa5
status: test
description: Detects processes leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability
references:
- https://twitter.com/nao_sec/status/1530196847679401984
- https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/
- https://twitter.com/_JohnHammond/status/1531672601067675648
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-05-29
modified: 2024-03-13
tags:
- attack.stealth
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\msdt.exe'
- OriginalFileName: 'msdt.exe'
selection_cmd_inline:
CommandLine|contains: 'IT_BrowseForFile='
selection_cmd_answerfile_flag:
CommandLine|contains: ' PCWDiagnostic'
selection_cmd_answerfile_param:
CommandLine|contains|windash: ' -af '
condition: selection_img and (selection_cmd_inline or all of selection_cmd_answerfile_*)
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Potential Arbitrary File Download Using Office Application
Detects potential arbitrary file download using a Microsoft Office application
view Sigma YAML
title: Potential Arbitrary File Download Using Office Application
id: 4ae3e30b-b03f-43aa-87e3-b622f4048eed
related:
- id: 0c79148b-118e-472b-bdb7-9b57b444cc19
type: obsolete
status: test
description: Detects potential arbitrary file download using a Microsoft Office application
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Excel/
- https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191
author: Nasreddine Bencherchali (Nextron Systems), Beyu Denis, oscd.community
date: 2022-05-17
modified: 2023-06-22
tags:
- attack.stealth
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\EXCEL.EXE'
- '\POWERPNT.EXE'
- '\WINWORD.exe'
- OriginalFileName:
- 'Excel.exe'
- 'POWERPNT.EXE'
- 'WinWord.exe'
selection_http:
CommandLine|contains:
- 'http://'
- 'https://'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt
Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084
view Sigma YAML
title: Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt
id: 245f92e3-c4da-45f1-9070-bc552e06db11
status: test
description: Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084
references:
- https://nvd.nist.gov/vuln/detail/CVE-2021-26084
- https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html
- https://github.com/h3v0x/CVE-2021-26084_Confluence
author: Bhabesh Raj
date: 2021-09-08
modified: 2023-02-13
tags:
- attack.initial-access
- attack.execution
- attack.t1190
- attack.t1059
- cve.2021-26084
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
# Monitor suspicious child processes spawned by Confluence
ParentImage|endswith: '\Atlassian\Confluence\jre\bin\java.exe'
CommandLine|contains:
- 'certutil'
- 'cmd /c'
- 'cmd /k'
- 'cscript'
- 'curl'
- 'ipconfig'
- 'powershell'
- 'pwsh'
- 'regsvr32'
- 'rundll32'
- 'whoami'
- 'wscript'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Potential Attachment Manager Settings Associations Tamper
Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)
view Sigma YAML
title: Potential Attachment Manager Settings Associations Tamper
id: a9b6c011-ab69-4ddb-bc0a-c4f21c80ec47
status: test
description: Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)
references:
- https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738
- https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-01
modified: 2023-08-17
tags:
- attack.defense-impairment
logsource:
category: registry_set
product: windows
detection:
selection_main:
TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations\'
selection_value_default_file_type_rsik:
TargetObject|endswith: '\DefaultFileTypeRisk'
Details: 'DWORD (0x00006152)'
selection_value_low_risk_filetypes:
TargetObject|endswith: '\LowRiskFileTypes'
Details|contains: # Add more as you see fit
- '.zip;'
- '.rar;'
- '.exe;'
- '.bat;'
- '.com;'
- '.cmd;'
- '.reg;'
- '.msi;'
- '.htm;'
- '.html;'
condition: selection_main and 1 of selection_value_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Strong
Medium FP
Potential Attachment Manager Settings Attachments Tamper
Detects tampering with attachment manager settings policies attachments (See reference for more information)
view Sigma YAML
title: Potential Attachment Manager Settings Attachments Tamper
id: ee77a5db-b0f3-4be2-bfd4-b58be1c6b15a
status: test
description: Detects tampering with attachment manager settings policies attachments (See reference for more information)
references:
- https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738
- https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-01
modified: 2023-08-17
tags:
- attack.defense-impairment
logsource:
category: registry_set
product: windows
detection:
selection_main:
TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\'
selection_value_hide_zone_info:
TargetObject|endswith: '\HideZoneInfoOnProperties'
Details: 'DWORD (0x00000001)' # On
selection_value_save_zone_info:
TargetObject|endswith: '\SaveZoneInformation'
Details: 'DWORD (0x00000002)' # Off
selection_value_scan_with_av:
TargetObject|endswith: '\ScanWithAntiVirus'
Details: 'DWORD (0x00000001)' # Disabled
condition: selection_main and 1 of selection_value_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Strong
Medium FP
Potential AutoLogger Sessions Tampering
Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging.
The AutoLogger event tracing session records events up that occur early in the operating system boot process.
Applications and device drivers can use the AutoLogger session to capture traces before the user logs in, and also used by security solutions as telemetry source.
Adversaries may disable these sessions to evade detection and prevent security monitoring of early boot activities and system events.
view Sigma YAML
title: Potential AutoLogger Sessions Tampering
id: f37b4bce-49d0-4087-9f5b-58bffda77316
related:
- id: d7b81144-b866-48a4-9bcc-275dc69d870e
type: similar
status: test
description: |
Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging.
The AutoLogger event tracing session records events up that occur early in the operating system boot process.
Applications and device drivers can use the AutoLogger session to capture traces before the user logs in, and also used by security solutions as telemetry source.
Adversaries may disable these sessions to evade detection and prevent security monitoring of early boot activities and system events.
references:
- https://twitter.com/MichalKoczwara/status/1553634816016498688
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
- https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
- https://learn.microsoft.com/en-us/windows/win32/etw/configuring-and-starting-an-autologger-session
- https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-01
modified: 2025-12-26
tags:
- attack.defense-impairment
- attack.t1685.001
logsource:
category: registry_set
product: windows
detection:
selection_main:
TargetObject|contains: '\Control\WMI\Autologger\'
selection_values:
TargetObject|contains: # We only care about some autologger to avoid FP. Add more if you need
- '\EventLog-'
- '\Defender'
TargetObject|endswith:
- '\Enabled'
- '\Start'
Details: DWORD (0x00000000)
filter_main_wevtutil:
Image: 'C:\Windows\system32\wevtutil.exe'
filter_main_defender:
Image|startswith:
- 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
- 'C:\Program Files\Windows Defender\'
- 'C:\Program Files (x86)\Windows Defender\'
Image|endswith: '\MsMpEng.exe'
TargetObject|contains:
- '\DefenderApiLogger\'
- '\DefenderAuditLogger\'
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions/info.yml
simulation:
- type: atomic-red-team
name: Disable EventLog-Application Auto Logger Session Via Registry - Cmd
technique: T1562.001
atomic_guid: 653c6e17-14a2-4849-851d-f1c0cc8ea9ab
- type: atomic-red-team
name: Disable EventLog-Application Auto Logger Session Via Registry - PowerShell
technique: T1562.001
atomic_guid: da86f239-9bd3-4e85-92ed-4a94ef111a1c
- type: atomic-red-team
name: Disable EventLog-Application ETW Provider Via Registry - Cmd
technique: T1562.001
atomic_guid: 1cac9b54-810e-495c-8aac-989e0076583b
- type: atomic-red-team
name: Disable EventLog-Application ETW Provider Via Registry - PowerShell
technique: T1562.001
atomic_guid: 8f907648-1ebf-4276-b0f0-e2678ca474f0
Convert to SIEM query
high
Moderate
High FP
Potential Baby Shark Malware Activity
Detects activity that could be related to Baby Shark malware
view Sigma YAML
title: Potential Baby Shark Malware Activity
id: 2b30fa36-3a18-402f-a22d-bf4ce2189f35
status: test
description: Detects activity that could be related to Baby Shark malware
references:
- https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
author: Florian Roth (Nextron Systems)
date: 2019-02-24
modified: 2023-03-08
tags:
- attack.execution
- attack.discovery
- attack.stealth
- attack.t1012
- attack.t1059.003
- attack.t1059.001
- attack.t1218.005
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
- CommandLine|contains|all:
- 'powershell.exe mshta.exe http'
- '.hta'
- CommandLine|contains:
- 'reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"'
- 'cmd.exe /c taskkill /im cmd.exe'
- "(New-Object System.Net.WebClient).UploadFile('http"
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Potential Base64 Decoded From Images
Detects the use of tail to extract bytes at an offset from an image and then decode the base64 value to create a new file with the decoded content. The detected execution is a bash one-liner.
view Sigma YAML
title: Potential Base64 Decoded From Images
id: 09a910bf-f71f-4737-9c40-88880ba5913d
status: test
description: |
Detects the use of tail to extract bytes at an offset from an image and then decode the base64 value to create a new file with the decoded content. The detected execution is a bash one-liner.
references:
- https://www.virustotal.com/gui/file/16bafdf741e7a13137c489f3c8db1334f171c7cb13b62617d691b0a64783cc48/behavior
- https://www.virustotal.com/gui/file/483fafc64a2b84197e1ef6a3f51e443f84dc5742602e08b9e8ec6ad690b34ed0/behavior
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-12-20
tags:
- attack.stealth
- attack.t1140
logsource:
product: macos
category: process_creation
detection:
# Example: /bin/bash sh -c tail -c +21453 '/Volumes/Installer/Installer.app/Contents/Resources/workout-logo.jpeg' | base64 --decode > /tmp/54A0A2CD-FAD1-4D4D-AAF5-5266F6344ABE.zip
# VT Query: 'behavior_processes:"tail" (behavior_processes:"jpeg" or behavior_processes:"jpg" or behavior_processes:"png" or behavior_processes:"gif") behavior_processes:"base64" behavior_processes:"--decode >" and tag:dmg'
selection_image:
Image|endswith: '/bash'
selection_view:
CommandLine|contains|all:
- 'tail'
- '-c'
selection_b64:
CommandLine|contains|all:
- 'base64'
- '-d' # Also covers "--decode"
- '>'
selection_files:
CommandLine|contains:
- '.avif'
- '.gif'
- '.jfif'
- '.jpeg'
- '.jpg'
- '.pjp'
- '.pjpeg'
- '.png'
- '.svg'
- '.webp'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Potential BearLPE Exploitation
Detects potential exploitation of the BearLPE exploit using Task Scheduler ".job" import arbitrary DACL write\par
view Sigma YAML
title: Potential BearLPE Exploitation
id: 931b6802-d6a6-4267-9ffa-526f57f22aaf
status: test
description: Detects potential exploitation of the BearLPE exploit using Task Scheduler ".job" import arbitrary DACL write\par
references:
- https://github.com/djhohnstein/polarbearrepo/blob/f26d3e008093cc5c835e92a7165170baf6713d43/bearlpe/polarbear/polarbear/exploit.cpp
author: Olaf Hartong
date: 2019-05-22
modified: 2023-01-26
tags:
- attack.persistence
- attack.execution
- attack.privilege-escalation
- attack.t1053.005
- car.2013-08-001
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\schtasks.exe'
- OriginalFileName: 'schtasks.exe'
selection_cli:
CommandLine|contains|all:
- '/change'
- '/TN'
- '/RU'
- '/RP'
condition: all of selection*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential BlackByte Ransomware Activity
Detects command line patterns used by BlackByte ransomware in different operations
view Sigma YAML
title: Potential BlackByte Ransomware Activity
id: 999e8307-a775-4d5f-addc-4855632335be
status: test
description: Detects command line patterns used by BlackByte ransomware in different operations
references:
- https://redcanary.com/blog/blackbyte-ransomware/
author: Florian Roth (Nextron Systems)
date: 2022-02-25
modified: 2023-02-08
tags:
- attack.execution
- attack.impact
- attack.stealth
- attack.t1485
- attack.t1498
- attack.t1059.001
- attack.t1140
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_1:
Image|startswith: 'C:\Users\Public\'
CommandLine|contains: ' -single '
selection_2:
CommandLine|contains:
- 'del C:\Windows\System32\Taskmgr.exe'
- ';Set-Service -StartupType Disabled $'
- 'powershell -command "$x =[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('
- ' do start wordpad.exe /p '
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential Bumblebee Remote Thread Creation
Detects remote thread injection events based on action seen used by bumblebee
view Sigma YAML
title: Potential Bumblebee Remote Thread Creation
id: 994cac2b-92c2-44bf-8853-14f6ca39fbda
status: test
description: Detects remote thread injection events based on action seen used by bumblebee
references:
- https://thedfirreport.com/2022/09/26/bumblebee-round-two/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-27
tags:
- attack.execution
- attack.stealth
- attack.t1218.011
- attack.t1059.001
- detection.emerging-threats
logsource:
product: windows
category: create_remote_thread
detection:
selection:
SourceImage|endswith:
- '\wabmig.exe'
- '\wab.exe'
- '\ImagingDevices.exe'
TargetImage|endswith: '\rundll32.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential COLDSTEEL Persistence Service DLL Creation
Detects the creation of a file in a specific location and with a specific name related to COLDSTEEL RAT
view Sigma YAML
title: Potential COLDSTEEL Persistence Service DLL Creation
id: 1fea93a2-1524-4a3c-9828-3aa0c2414e27
status: test
description: Detects the creation of a file in a specific location and with a specific name related to COLDSTEEL RAT
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
author: X__Junior (Nextron Systems)
date: 2023-04-30
tags:
- attack.persistence
- detection.emerging-threats
- attack.stealth
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|startswith: 'C:\Users\'
TargetFilename|endswith: '\AppData\Roaming\newdev.dll'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential COLDSTEEL Persistence Service DLL Load
Detects a suspicious DLL load by an "svchost" process based on location and name that might be related to ColdSteel RAT. This DLL location and name has been seen used by ColdSteel as the service DLL for its persistence mechanism
view Sigma YAML
title: Potential COLDSTEEL Persistence Service DLL Load
id: 1d7a57da-02e0-4f7f-92b1-c7b486ccfed5
status: test
description: |
Detects a suspicious DLL load by an "svchost" process based on location and name that might be related to ColdSteel RAT. This DLL location and name has been seen used by ColdSteel as the service DLL for its persistence mechanism
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-02
tags:
- attack.persistence
- detection.emerging-threats
- attack.stealth
logsource:
product: windows
category: image_load
detection:
selection:
Image|endswith: '\svchost.exe'
ImageLoaded|endswith: '\AppData\Roaming\newdev.dll'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential COLDSTEEL RAT File Indicators
Detects the creation of a file named "dllhost.exe" in the "C:\users\public\Documents\" directory. Seen being used by the COLDSTEEL RAT in some of its variants.
view Sigma YAML
title: Potential COLDSTEEL RAT File Indicators
id: c708a93f-46b4-4674-a5b8-54aa6219c5fa
status: test
description: Detects the creation of a file named "dllhost.exe" in the "C:\users\public\Documents\" directory. Seen being used by the COLDSTEEL RAT in some of its variants.
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-30
tags:
- attack.persistence
- detection.emerging-threats
- attack.stealth
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename: 'C:\users\public\Documents\dllhost.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Potential COLDSTEEL RAT Windows User Creation
Detects creation of a new user profile with a specific username, seen being used by some variants of the COLDSTEEL RAT.
view Sigma YAML
title: Potential COLDSTEEL RAT Windows User Creation
id: 95214813-4c7a-4a50-921b-ee5c538e1d16
status: test
description: Detects creation of a new user profile with a specific username, seen being used by some variants of the COLDSTEEL RAT.
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-02
modified: 2023-08-17
tags:
- attack.persistence
- detection.emerging-threats
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains|all:
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-'
- '\ProfileImagePath'
Details|contains:
- 'ANONYMOUS'
- '_DomainUser_'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Potential CSharp Streamer RAT Loading .NET Executable Image
Detects potential CSharp Streamer RAT loading .NET executable image by using the default file name and path associated with the tool.
view Sigma YAML
title: Potential CSharp Streamer RAT Loading .NET Executable Image
id: 6f6afac3-8e7a-4e4b-9588-2608ffe08f82
status: test
description: |
Detects potential CSharp Streamer RAT loading .NET executable image by using the default file name and path associated with the tool.
references:
- https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/#detections
- https://cyber.wtf/2023/12/06/the-csharp-streamer-rat/
author: Luca Di Bartolomeo
date: 2024-06-22
tags:
- attack.command-and-control
- attack.t1219.002
- detection.emerging-threats
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|re: '\\AppData\\Local\\Temp\\dat[0-9A-Z]{4}\.tmp'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Potential CVE-2021-26084 Exploitation Attempt
Detects potential exploitation of CVE-2021-260841 a Confluence RCE using OGNL injection
view Sigma YAML
title: Potential CVE-2021-26084 Exploitation Attempt
id: 38825179-3c78-4fed-b222-2e2166b926b1
status: test
description: Detects potential exploitation of CVE-2021-260841 a Confluence RCE using OGNL injection
references:
- https://github.com/TesterCC/exp_poc_library/blob/be61622600ec79d8fba2fa5f816a870715f0cb3b/exp_poc/CVE-2021-26084_Confluence_OGNL_injection/CVE-2021-26084.md
- https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md
- https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html
- https://mraddon.blog/2017/03/20/confluence-trick-to-create-pages-from-blueprint-templates/
author: Sittikorn S, Nuttakorn T
date: 2022-12-13
modified: 2023-03-24
tags:
- attack.initial-access
- attack.t1190
- cve.2021-26084
- detection.emerging-threats
logsource:
category: webserver
definition: 'Requirements: The POST request body data must be collected in order to make use of certain parts of this detection'
detection:
selection_main:
cs-method: 'POST'
sc-status: 200
cs-username: 'anonymous' # This string is used to reduce possible FP you could remove it to get authenticated attempts
selection_exploit_1:
cs-uri-query|contains|all:
- '/pages/createpage-entervariables.action'
- 'SpaceKey=x' # This URI assume that you can't have a space ID of "X"
selection_exploit_2_uri:
cs-uri-query|contains: '/doenterpagevariables.action'
selection_exploit_2_keyword:
- 'u0027' # This string should appear in the post body as a value of the parameter "queryString"
condition: selection_main and (selection_exploit_1 or all of selection_exploit_2_*)
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential CVE-2021-26857 Exploitation Attempt
Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for | abnormal subprocesses spawning by Exchange Server's Unified Messaging service
view Sigma YAML
title: Potential CVE-2021-26857 Exploitation Attempt
id: cd479ccc-d8f0-4c66-ba7d-e06286f3f887
status: stable
description: Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for | abnormal subprocesses spawning by Exchange Server's Unified Messaging service
references:
- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
author: Bhabesh Raj
date: 2021-03-03
modified: 2023-02-07
tags:
- attack.t1203
- attack.execution
- cve.2021-26857
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\UMWorkerProcess.exe'
filter:
Image|endswith:
- 'wermgr.exe'
- 'WerFault.exe'
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Potential CVE-2021-40444 Exploitation Attempt
Detects potential exploitation of CVE-2021-40444 via suspicious process patterns seen in in-the-wild exploitations
view Sigma YAML
title: Potential CVE-2021-40444 Exploitation Attempt
id: 894397c6-da03-425c-a589-3d09e7d1f750
status: test
description: Detects potential exploitation of CVE-2021-40444 via suspicious process patterns seen in in-the-wild exploitations
references:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
- https://twitter.com/neonprimetime/status/1435584010202255375
- https://www.joesandbox.com/analysis/476188/1/iochtml
author: Florian Roth (Nextron Systems), @neonprimetime
date: 2021-09-08
modified: 2023-02-04
tags:
- attack.execution
- attack.t1059
- cve.2021-40444
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\control.exe'
ParentImage|endswith:
- '\winword.exe'
- '\powerpnt.exe'
- '\excel.exe'
filter:
CommandLine|endswith:
- '\control.exe input.dll'
- '\control.exe" input.dll'
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon
Detects potential initial exploitation attempts against VMware Horizon deployments running a vulnerable versions of Log4j.
view Sigma YAML
title: Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon
id: 3eb91f0a-0060-424a-a676-59f5fdd75610
status: test
description: |
Detects potential initial exploitation attempts against VMware Horizon deployments running a vulnerable versions of Log4j.
references:
- https://portswigger.net/daily-swig/vmware-horizon-under-attack-as-china-based-ransomware-group-targets-log4j-vulnerability
- https://twitter.com/TheDFIRReport/status/1482078434327244805
- https://www.pwndefend.com/2022/01/07/log4shell-exploitation-and-hunting-on-vmware-horizon-cve-2021-44228/
author: '@kostastsale'
date: 2022-01-14
tags:
- attack.initial-access
- attack.t1190
- cve.2021-44228
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\ws_TomcatService.exe'
filter_main_shells:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Strong
Medium FP
Potential CVE-2022-21587 Exploitation Attempt
Detects potential exploitation attempts of CVE-2022-21587 an arbitrary file upload vulnerability impacting Oracle E-Business Suite (EBS). CVE-2022-21587 can lead to unauthenticated remote code execution.
view Sigma YAML
title: Potential CVE-2022-21587 Exploitation Attempt
id: d033cb8a-8669-4a8e-a974-48d4185a8503
status: test
description: Detects potential exploitation attempts of CVE-2022-21587 an arbitrary file upload vulnerability impacting Oracle E-Business Suite (EBS). CVE-2022-21587 can lead to unauthenticated remote code execution.
references:
- https://www.rapid7.com/blog/post/2023/02/07/etr-cve-2022-21587-rapid7-observed-exploitation-of-oracle-e-business-suite-vulnerability/
- https://attackerkb.com/topics/Bkij5kK1qK/cve-2022-21587/rapid7-analysis
- https://github.com/hieuminhnv/CVE-2022-21587-POC
- https://blog.viettelcybersecurity.com/cve-2022-21587-oracle-e-business-suite-unauth-rce/
author: Isa Almannaei
date: 2023-02-13
tags:
- attack.initial-access
- attack.t1190
- cve.2022-21587
- detection.emerging-threats
logsource:
category: webserver
detection:
selection:
cs-method: 'POST'
cs-uri-query|contains:
- '/OA_HTML/BneViewerXMLService?bne:uueupload=TRUE'
- '/OA_HTML/BneUploaderService?bne:uueupload=TRUE'
- '/OA_HTML/BneDownloadService?bne:uueupload=TRUE'
- '/OA_HTML/BneOfflineLOVService?bne:uueupload=TRUE'
condition: selection
falsepositives:
- Vulnerability Scanners
level: high
Convert to SIEM query
high
Strong
Medium FP
Potential CVE-2022-26809 Exploitation Attempt
Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)
view Sigma YAML
title: Potential CVE-2022-26809 Exploitation Attempt
id: a7cd7306-df8b-4398-b711-6f3e4935cf16
status: test
description: Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)
references:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809
- https://www.bleepingcomputer.com/startups/RpcSs.exe-14544.html
- https://twitter.com/cyb3rops/status/1514217991034097664
- https://www.securonix.com/blog/cve-2022-26809-remote-procedure-call-runtime-remote-code-execution-vulnerability-and-coverage/
author: Florian Roth (Nextron Systems)
date: 2022-04-13
modified: 2023-02-03
tags:
- attack.initial-access
- attack.t1190
- attack.execution
- attack.t1569.002
- cve.2022-26809
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage: 'C:\Windows\System32\svchost.exe'
ParentCommandLine|contains: '-k RPCSS'
condition: selection
falsepositives:
- Unknown
- Some cases in which the service spawned a werfault.exe process
level: high
Convert to SIEM query
high
Strong
High FP
Potential CVE-2022-46169 Exploitation Attempt
Detects potential exploitation attempts that target the Cacti Command Injection CVE-2022-46169
view Sigma YAML
title: Potential CVE-2022-46169 Exploitation Attempt
id: 738cb115-881f-4df3-82cc-56ab02fc5192
status: test
description: Detects potential exploitation attempts that target the Cacti Command Injection CVE-2022-46169
references:
- https://github.com/0xf4n9x/CVE-2022-46169
- https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf
- https://github.com/rapid7/metasploit-framework/pull/17407
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-27
modified: 2023-01-02
tags:
- attack.initial-access
- attack.t1190
- cve.2022-46169
- detection.emerging-threats
logsource:
category: webserver
detection:
selection:
# Check for the presence of the X-FORWARDED-FOR header pointing to the hostname of the server running Cacti (which indicate auth bypass)
# Check for previous requests indicating the bruteforce of the "local_data_ids" and "host_id"
cs-method: 'GET'
cs-uri-query|contains|all:
- '/remote_agent.php'
- 'action=polldata'
- 'poller_id='
cs-uri-query|contains:
# From https://github.com/rapid7/metasploit-framework/pull/17407/files#diff-972a47250ccd30b935a59e8871134956a15980df5b29f9d970414646704d5258R288
# Not tested could be shown in other format (update if you have more info)
- '| base64 -d | /bin/bash`'
- '%7C%20base64%20-d%20%7C%20%2Fbin%2Fbash%60' # URL encoded version
# Add more suspicious commands accordingly
- '`whoami'
- 'powershell'
- 'cmd'
- 'wget'
condition: selection
falsepositives:
- Web vulnerability scanners
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential CVE-2023-21554 QueueJumper Exploitation
Detects potential exploitation of CVE-2023-21554 (dubbed QueueJumper)
view Sigma YAML
title: Potential CVE-2023-21554 QueueJumper Exploitation
id: 53207cc2-0745-4c19-bc72-80be1cc16b3f
status: test
description: Detects potential exploitation of CVE-2023-21554 (dubbed QueueJumper)
references:
- https://research.checkpoint.com/2023/queuejumper-critical-unauthorized-rce-vulnerability-in-msmq-service/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-12
tags:
- attack.privilege-escalation
- attack.execution
- cve.2023-21554
- detection.emerging-threats
logsource:
product: windows
category: process_creation
detection:
selection:
ParentImage|endswith: '\Windows\System32\mqsvc.exe'
Image|endswith:
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\schtasks.exe'
- '\wmic.exe'
- '\wscript.exe'
- '\wsl.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential CVE-2023-23752 Exploitation Attempt
Detects the potential exploitation attempt of CVE-2023-23752 an Improper access check, in web service endpoints in Joomla
view Sigma YAML
title: Potential CVE-2023-23752 Exploitation Attempt
id: 0e1ebc5a-15d0-4bf6-8199-b2535397433a
status: test
description: Detects the potential exploitation attempt of CVE-2023-23752 an Improper access check, in web service endpoints in Joomla
references:
- https://xz.aliyun.com/t/12175
- https://twitter.com/momika233/status/1626464189261942786
author: Bhabesh Raj
date: 2023-02-23
tags:
- attack.initial-access
- attack.t1190
- cve.2023-23752
- detection.emerging-threats
logsource:
category: webserver
detection:
selection:
cs-method: 'GET'
cs-uri-query|contains|all:
- '/api/index.php/v1/'
- 'public=true'
condition: selection
falsepositives:
- Vulnerability scanners
level: high
Convert to SIEM query
high
Strong
Medium FP
Potential CVE-2023-25157 Exploitation Attempt
Detects a potential exploitation attempt of CVE-2023-25157 a SQL injection in GeoServer
view Sigma YAML
title: Potential CVE-2023-25157 Exploitation Attempt
id: c0341543-5ed0-4475-aabc-7eea8c52aa66
status: test
description: Detects a potential exploitation attempt of CVE-2023-25157 a SQL injection in GeoServer
references:
- https://github.com/win3zz/CVE-2023-25157
- https://twitter.com/parzel2/status/1665726454489915395
- https://github.com/advisories/GHSA-7g5f-wrx8-5ccf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-14
tags:
- attack.initial-access
- cve.2023-25157
- detection.emerging-threats
logsource:
category: webserver
detection:
selection_url:
cs-method: 'GET'
cs-uri-query|contains|all:
- '/geoserver/ows'
- 'CQL_FILTER='
cs-uri-query|contains:
# Abusable Filters/Function as reported in the Advisory
- 'PropertyIsLike'
- 'strEndsWith'
- 'strStartsWith'
- 'FeatureId'
- 'jsonArrayContains'
- 'DWithin'
selection_payload:
cs-uri-query|contains:
- '+--'
- '+AS+'
- '+OR+'
- 'FROM'
- 'ORDER+BY'
- 'SELECT'
- 'sleep%28'
- 'substring%28'
- 'UNION'
- 'WHERE'
condition: all of selection_*
falsepositives:
- Vulnerability scanners
level: high
Convert to SIEM query
high
Moderate
High FP
Potential CVE-2023-25717 Exploitation Attempt
Detects a potential exploitation attempt of CVE-2023-25717 a Remote Code Execution via an unauthenticated HTTP GET Request, in Ruckus Wireless Admin
view Sigma YAML
title: Potential CVE-2023-25717 Exploitation Attempt
id: 043c1609-0e32-4462-a6f2-5a0c2da3fafe
status: test
description: Detects a potential exploitation attempt of CVE-2023-25717 a Remote Code Execution via an unauthenticated HTTP GET Request, in Ruckus Wireless Admin
references:
- https://cybir.com/2023/cve/proof-of-concept-ruckus-wireless-admin-10-4-unauthenticated-remote-code-execution-csrf-ssrf/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-30
tags:
- attack.initial-access
- attack.t1190
- cve.2023-25717
- detection.emerging-threats
logsource:
category: webserver
detection:
selection:
cs-method: 'GET'
cs-uri-query|contains|all:
- '/forms/doLogin'
- 'login_username'
- 'password'
cs-uri-query|contains:
- '$('
- '%24%28' # URL Encode version of "$("
condition: selection
falsepositives:
- Vulnerability scanners
- Some rare false positives may occur if the password contains the characters "$(". Apply addition indicators such as executed commands to remove FP
level: high
Convert to SIEM query
high
Moderate
High FP
Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader
Detects suspicious ".hta" file creation in the startup folder by Foxit Reader. This can be an indication of CVE-2023-27363 exploitation.
view Sigma YAML
title: Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader
id: 9cae055f-e1d2-4f81-b8a5-1986a68cdd84
status: test
description: Detects suspicious ".hta" file creation in the startup folder by Foxit Reader. This can be an indication of CVE-2023-27363 exploitation.
references:
- https://github.com/j00sean/SecBugs/tree/ff72d553f75d93e1a0652830c0f74a71b3f19c46/CVEs/CVE-2023-27363
- https://www.zerodayinitiative.com/advisories/ZDI-23-491/
- https://www.tarlogic.com/blog/cve-2023-27363-foxit-reader/
author: Gregory
date: 2023-10-11
tags:
- attack.persistence
- attack.t1505.001
- cve.2023-27363
- detection.emerging-threats
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith: '\FoxitPDFReader.exe'
TargetFilename|contains: '\Microsoft\Windows\Start Menu\Programs\Startup\'
TargetFilename|endswith: '.hta'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential CVE-2023-36874 Exploitation - Fake Wermgr Execution
Detects the execution of a renamed "cmd", "powershell" or "powershell_ise" binary. Attackers were seen using these binaries in a renamed form as "wermgr.exe" in exploitation of CVE-2023-36874
view Sigma YAML
title: Potential CVE-2023-36874 Exploitation - Fake Wermgr Execution
id: 50dbc08b-60ce-40f1-a6b6-346497e34c88
status: test
description: Detects the execution of a renamed "cmd", "powershell" or "powershell_ise" binary. Attackers were seen using these binaries in a renamed form as "wermgr.exe" in exploitation of CVE-2023-36874
references:
- https://github.com/Wh04m1001/CVE-2023-36874
- https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-23
tags:
- attack.execution
- cve.2023-36874
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
OriginalFileName:
- 'Cmd.Exe'
- 'powershell_ise.EXE'
- 'powershell.exe'
Image|endswith: '\wermgr.exe'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
High FP
Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation
Detects the creation of a file named "wermgr.exe" being created in an uncommon directory. This could be a sign of potential exploitation of CVE-2023-36874.
view Sigma YAML
title: Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation
id: ad0960eb-0015-4d16-be13-b3d9f18f1342
status: test
description: Detects the creation of a file named "wermgr.exe" being created in an uncommon directory. This could be a sign of potential exploitation of CVE-2023-36874.
references:
- https://github.com/Wh04m1001/CVE-2023-36874
- https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-23
modified: 2025-01-13
tags:
- attack.execution
- cve.2023-36874
- detection.emerging-threats
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|endswith: '\wermgr.exe'
filter_main_locations:
TargetFilename|contains:
- ':\$WINDOWS.~BT\NewOS\'
- ':\$WinREAgent\' # From "wuauclt.exe"
- ':\Windows\servicing\LCU\'
- ':\Windows\System32\'
- ':\Windows\SysWOW64\'
- ':\Windows\WinSxS\'
- ':\WUDownloadCache\' # Windows Update Download Cache
- ':\Windows\SoftwareDistribution\Download\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Potential CVE-2023-36884 Exploitation - Share Access
Detects access to a file share with a naming schema seen being used during exploitation of CVE-2023-36884
view Sigma YAML
title: Potential CVE-2023-36884 Exploitation - Share Access
id: 3df95076-9e78-4e63-accb-16699c3b74f8
status: test
description: Detects access to a file share with a naming schema seen being used during exploitation of CVE-2023-36884
references:
- https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-13
tags:
- attack.command-and-control
- cve.2023-36884
- detection.emerging-threats
logsource:
product: windows
service: security
definition: 'The advanced audit policy setting "Object Access > Audit File Share" must be configured for Success/Failure'
detection:
selection_eid:
EventID: 5140
selection_share_name:
ShareName|contains: '\MSHTML_C7\'
ShareName|re: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
selection_share_path:
ShareLocalPath|contains: '\MSHTML_C7\'
ShareLocalPath|re: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
condition: selection_eid and 1 of selection_share_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential CVE-2023-36884 Exploitation - URL Marker
Detects a unique URL marker seen being used by RomCom potentially exploiting CVE-2023-36884
view Sigma YAML
title: Potential CVE-2023-36884 Exploitation - URL Marker
id: e59f71ff-c042-4f7a-8a82-8f53beea817e
status: test
description: Detects a unique URL marker seen being used by RomCom potentially exploiting CVE-2023-36884
references:
- https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
author: X__Junior
date: 2023-07-12
tags:
- attack.command-and-control
- cve.2023-36884
- detection.emerging-threats
logsource:
category: proxy
detection:
selection:
cs-method: 'GET'
c-uri|contains: '/MSHTML_C7/'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Low FP
Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection
Detects potential exploitation attempts of CVE-2024-3400 - an OS command injection in Palo Alto GlobalProtect.
This detection looks for suspicious strings that indicate a potential directory traversal attempt or command injection.
view Sigma YAML
title: Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection
id: f130a5f1-73ba-42f0-bf1e-b66a8361cb8f
status: test
description: |
Detects potential exploitation attempts of CVE-2024-3400 - an OS command injection in Palo Alto GlobalProtect.
This detection looks for suspicious strings that indicate a potential directory traversal attempt or command injection.
references:
- https://security.paloaltonetworks.com/CVE-2024-3400
- https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/
- https://attackerkb.com/topics/SSTk336Tmf/cve-2024-3400/rapid7-analysis
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-04-18
modified: 2025-11-22
tags:
- attack.initial-access
- attack.persistence
- attack.privilege-escalation
- cve.2024-3400
- detection.emerging-threats
- attack.stealth
logsource:
category: appliance
product: paloalto
service: globalprotect
definition: 'Requirements: Palo Alto GlobalProtect "mp-log" and "gpsvc.log" log files need to be ingested'
detection:
keywords_generic:
- 'failed to unmarshal session(../'
- 'failed to unmarshal session(./../'
- 'failed to unmarshal session(/..'
- 'failed to unmarshal session(%2E%2E%2F'
- 'failed to unmarshal session(%2F%2E%2E'
- 'failed to unmarshal session(%2E%2F%2E%2E%2F'
- 'failed to unmarshal session(%252E%252E%252F'
- 'failed to unmarshal session(%252F%252E%252E'
- 'failed to unmarshal session(%252E%252F%252E%252E%252F'
keywords_telemetry_exploit:
- '{IFS}'
- 'base64'
- 'bash'
- 'curl'
- 'http'
keywords_telemetry_path:
- '/opt/panlogs/tmp/device_telemetry/'
condition: keywords_generic or (keywords_telemetry_exploit and keywords_telemetry_path)
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Potential CVE-2026-33829 Exploitation - Windows Snipping Tool Remote File Path URI
Detects potential exploitation of CVE-2026-33829, a vulnerability in the Windows Snipping Tool URI handler (ms-screensketch:).
An attacker can abuse the 'filePath' parameter to supply a UNC path or HTTP URL, causing SnippingTool.exe to initiate a connection to a remote resource.
When a UNC path is used (e.g. \\attacker.com\share), this triggers an outbound NTLM authentication attempt, allowing the attacker to capture or relay the victim's Net-NTLMv2 hash.
HTTP-based paths may result in remote file loading or server-side request forgery (SSRF)-style access.
The URI can be delivered via a malicious hyperlink, phishing email, or web page.
view Sigma YAML
title: Potential CVE-2026-33829 Exploitation - Windows Snipping Tool Remote File Path URI
id: 7c3a5b1d-9e2f-4a8c-b5d7-1e0f3c6a9b2d
status: test
description: |
Detects potential exploitation of CVE-2026-33829, a vulnerability in the Windows Snipping Tool URI handler (ms-screensketch:).
An attacker can abuse the 'filePath' parameter to supply a UNC path or HTTP URL, causing SnippingTool.exe to initiate a connection to a remote resource.
When a UNC path is used (e.g. \\attacker.com\share), this triggers an outbound NTLM authentication attempt, allowing the attacker to capture or relay the victim's Net-NTLMv2 hash.
HTTP-based paths may result in remote file loading or server-side request forgery (SSRF)-style access.
The URI can be delivered via a malicious hyperlink, phishing email, or web page.
references:
- https://x.com/BlackArrowSec/status/2044374743491424508
- https://x.com/SBousseaden/status/2044417029721997635
author: Samir Bousseaden, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-04-28
tags:
- attack.credential-access
- attack.t1187
- detection.emerging-threats
- cve.2026-33829
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\SnippingTool.exe'
CommandLine|contains:
# '\\\\' = literal double backslash (UNC path start); '%5C' and '%%5C' are URL-encoded variations of the same backslash character
- 'ms-screensketch:edit?&filePath=\\\\'
- 'ms-screensketch:edit?&filePath=%%5C'
- 'ms-screensketch:edit?&filePath=%5C'
- 'ms-screensketch:edit?&filePath=http'
condition: selection
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules-emerging-threats/2026/Exploits/CVE-2026-33829/proc_creation_win_exploit_cve_2026_33829/info.yml
Convert to SIEM query
high
Moderate
Medium FP
Potential CVE-2303-36884 URL Request Pattern Traffic
Detects a specific URL pattern containing a specific extension and parameters pointing to an IP address. This pattern was seen being used by RomCOM potentially exploiting CVE-2023-36884
view Sigma YAML
title: Potential CVE-2303-36884 URL Request Pattern Traffic
id: d9365e39-febd-4a4b-8441-3ca91bb9d333
status: test
description: Detects a specific URL pattern containing a specific extension and parameters pointing to an IP address. This pattern was seen being used by RomCOM potentially exploiting CVE-2023-36884
references:
- https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
author: X__Junior
date: 2023-07-12
tags:
- attack.command-and-control
- cve.2023-36884
- detection.emerging-threats
logsource:
category: proxy
detection:
# Examples:
# hxxp://74.50[.]94[.]156/MSHTML_C7/zip_k.asp?d=99.99.99.99.
# 104.234[.]239[.]26/share1/MSHTML_C7/1/99.99.99.99_a15fa_file001.htm?d=99.99.99.99_ a15fa_
selection:
cs-method: 'GET'
c-uri|re: '\.(zip|asp|htm|url|xml|chm|mht|vbs|search-ms)\?d=[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
Showing 951-1000 of 3,646