
VMware Carbon Black

3,646 rules · Sigma detections in VMware Carbon Black syntax
The same Sigma detection corpus, machine-rendered into VMware Carbon Black query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 3,646 rules (.zip, 1.2 MB) Every VMware Carbon Black query in this view, packaged to deploy.
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.

Detection rules

level: high · quality: Moderate · alert volume: High FP
Add Debugger Entry To Hangs Key For Persistence
Detects when an attacker adds a new "Debugger" value to the "Hangs" key in order to achieve persistence which will get invoked when an application crashes
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: tactic-only · id: 833ef470-fa01-4631-a79b-6f291c9ac498
carbon_black query
TargetObject:\\SOFTWARE\\Microsoft\\Windows\\Windows\ Error\ Reporting\\Hangs\\Debugger*
Sigma YAML
title: Add Debugger Entry To Hangs Key For Persistence
id: 833ef470-fa01-4631-a79b-6f291c9ac498
status: test
description: Detects when an attacker adds a new "Debugger" value to the "Hangs" key in order to achieve persistence which will get invoked when an application crashes
references:
    - https://persistence-info.github.io/Data/wer_debugger.html
    - https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-21
modified: 2023-08-17
tags:
    - attack.persistence
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Hangs\Debugger'
    condition: selection
falsepositives:
    - This value is not set by default but could be rarely used by administrators
level: high
level: high · quality: Strong · alert volume: High FP
Add Insecure Download Source To Winget
Detects usage of winget to add a new insecure (http) download source. Winget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos)
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: technique · id: 81a0ecb5-0a41-4ba1-b2ba-c944eb92bfa2
carbon_black query
(Image:\\winget.exe OR OriginalFileName:winget.exe) (CommandLine:source\ * CommandLine:add\ * CommandLine:http\:\/\/*)
Sigma YAML
title: Add Insecure Download Source To Winget
id: 81a0ecb5-0a41-4ba1-b2ba-c944eb92bfa2
related:
    - id: 05ebafc8-7aa2-4bcd-a269-2aec93f9e842
      type: similar
    - id: c15a46a0-07d4-4c87-b4b6-89207835a83b
      type: similar
status: test
description: |
    Detects usage of winget to add a new insecure (http) download source.
    Winget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos)
references:
    - https://learn.microsoft.com/en-us/windows/package-manager/winget/source
    - https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-17
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\winget.exe'
        - OriginalFileName: 'winget.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'source '
            - 'add '
            - 'http://'
    condition: all of selection_*
falsepositives:
    - False positives might occur if the users are unaware of such control checks
level: high
level: high · quality: Strong · alert volume: Medium FP
Add SafeBoot Keys Via Reg Utility
Detects execution of "reg.exe" commands with the "add" or "copy" flags on safe boot registry keys. Often used by attackers to allow ransomware to work in safe mode, as some security products do not
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: technique · id: d7662ff6-9e97-4596-a61d-9839e32dee8d
carbon_black query
(Image:\\reg.exe OR OriginalFileName:reg.exe) CommandLine:\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot* (CommandLine:\ copy\ * OR CommandLine:\ add\ *)
Sigma YAML
title: Add SafeBoot Keys Via Reg Utility
id: d7662ff6-9e97-4596-a61d-9839e32dee8d
related:
    - id: fc0e89b5-adb0-43c1-b749-c12a10ec37de
      type: similar
status: test
description: Detects execution of "reg.exe" commands with the "add" or "copy" flags on safe boot registry keys. Often used by attackers to allow ransomware to work in safe mode, as some security products do not
references:
    - https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-02
modified: 2024-03-19
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_safeboot:
        CommandLine|contains: '\SYSTEM\CurrentControlSet\Control\SafeBoot'
    selection_flag:
        CommandLine|contains:
            - ' copy '
            - ' add '
    condition: all of selection*
falsepositives:
    - Unlikely
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_reg_add_safeboot/info.yml
level: high · quality: Moderate · alert volume: Medium FP
Added Credentials to Existing Application
Detects when a new credential is added to an existing application. Any additional credentials added outside of expected processes could be a malicious actor using those credentials.
status: test · author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' · ATT&CK mapping: sub-technique · id: cbb67ecc-fb70-4467-9350-c910bdf7c628
carbon_black query
"properties.message":Update\ application\ –\ Certificates\ and\ secrets\ management OR "properties.message":Update\ Service\ principal\/Update\ Application
Sigma YAML
title: Added Credentials to Existing Application
id: cbb67ecc-fb70-4467-9350-c910bdf7c628
status: test
description: Detects when a new credential is added to an existing application. Any additional credentials added outside of expected processes could be a malicious actor using those credentials.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-credentials
author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
date: 2022-05-26
modified: 2025-07-18
tags:
    - attack.privilege-escalation
    - attack.t1098.001
    - attack.persistence
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        properties.message:
            - Update application – Certificates and secrets management
            - Update Service principal/Update Application
    condition: selection
falsepositives:
    - When credentials are added/removed as part of the normal working hours/workflows
level: high
level: high · quality: Moderate · alert volume: High FP
Adwind RAT / JRAT
Detects javaw.exe in AppData folder as used by Adwind / JRAT
status: test · author: Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community · ATT&CK mapping: sub-technique · id: 1fac1481-2dbc-48b2-9096-753c49b4ec71
carbon_black query
(CommandLine:\\AppData\\Roaming\\Oracle* CommandLine:\\java* CommandLine:.exe\ *) OR (CommandLine:cscript.exe* CommandLine:Retrive* CommandLine:.vbs\ *)
Sigma YAML
title: Adwind RAT / JRAT
id: 1fac1481-2dbc-48b2-9096-753c49b4ec71
status: test
description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
references:
    - https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100
    - https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
author: Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community
date: 2017-11-10
modified: 2022-10-09
tags:
    - attack.execution
    - attack.t1059.005
    - attack.t1059.007
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - CommandLine|contains|all:
              - '\AppData\Roaming\Oracle'
              - '\java'
              - '.exe '
        - CommandLine|contains|all:
              - 'cscript.exe'
              - 'Retrive'
              - '.vbs '
    condition: selection
level: high
level: high · quality: Moderate · alert volume: High FP
Adwind RAT / JRAT File Artifact
Detects javaw.exe in AppData folder as used by Adwind / JRAT
status: test · author: Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community · ATT&CK mapping: sub-technique · id: 0bcfabcb-7929-47f4-93d6-b33fb67d34d1
carbon_black query
(TargetFilename:\\AppData\\Roaming\\Oracle\\bin\\java* TargetFilename:.exe*) OR (TargetFilename:\\Retrive* TargetFilename:.vbs*)
Sigma YAML
title: Adwind RAT / JRAT File Artifact
id: 0bcfabcb-7929-47f4-93d6-b33fb67d34d1
related:
    - id: 1fac1481-2dbc-48b2-9096-753c49b4ec71
      type: derived
status: test
description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
references:
    - https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100
    - https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
author: Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community
date: 2017-11-10
modified: 2022-12-02
tags:
    - attack.execution
    - attack.t1059.005
    - attack.t1059.007
logsource:
    category: file_event
    product: windows
detection:
    selection:
        - TargetFilename|contains|all:
              - '\AppData\Roaming\Oracle\bin\java'
              - '.exe'
        - TargetFilename|contains|all:
              - '\Retrive'
              - '.vbs'
    condition: selection
level: high
level: high · quality: Moderate · alert volume: High FP
All Backups Deleted Via Wbadmin.EXE
Detects the deletion of all backups or system state backups via "wbadmin.exe". This technique is used by numerous ransomware families and actors. This may only be successful on server platforms that have Windows Backup enabled.
status: test · author: frack113, Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: technique · id: 639c9081-f482-47d3-a0bd-ddee3d4ecd76
carbon_black query
(Image:\\wbadmin.exe OR OriginalFileName:WBADMIN.EXE) ((CommandLine:delete* CommandLine:backup*) CommandLine:keepVersions\:0*)
Sigma YAML
title: All Backups Deleted Via Wbadmin.EXE
id: 639c9081-f482-47d3-a0bd-ddee3d4ecd76
related:
    - id: 89f75308-5b1b-4390-b2d8-d6b2340efaf8
      type: derived
status: test
description: |
    Detects the deletion of all backups or system state backups via "wbadmin.exe".
    This technique is used by numerous ransomware families and actors.
    This may only be successful on server platforms that have Windows Backup enabled.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell
    - https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md
    - https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/
    - https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted
    - https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2021-12-13
modified: 2024-05-10
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\wbadmin.exe'
        - OriginalFileName: 'WBADMIN.EXE'
    selection_cli:
        CommandLine|contains|all:
            - 'delete'
            - 'backup' # Also covers "SYSTEMSTATEBACKUP"
        CommandLine|contains: 'keepVersions:0'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
level: high · quality: Moderate · alert volume: Medium FP
All Rules Have Been Deleted From The Windows Firewall Configuration
Detects when all the rules have been deleted from the Windows Defender Firewall configuration
status: test · author: frack113, Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: sub-technique · id: 79609c82-a488-426e-abcf-9f341a39365d
carbon_black query
(EventID:2033 OR EventID:2059) (-ModifyingApplication:\:\\Windows\\System32\\svchost.exe) (-(ModifyingApplication:\:\\ProgramData\\Microsoft\\Windows\ Defender\\Platform\\* ModifyingApplication:\\MsMpEng.exe*))
Sigma YAML
title: All Rules Have Been Deleted From The Windows Firewall Configuration
id: 79609c82-a488-426e-abcf-9f341a39365d
status: test
description: Detects when all the rules have been deleted from the Windows Defender Firewall configuration
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-17
modified: 2024-01-22
tags:
    - attack.defense-impairment
    - attack.t1686.003
logsource:
    product: windows
    service: firewall-as
detection:
    selection:
        EventID:
            - 2033 # All rules have been deleted from the Windows Defender Firewall configuration on this computer
            - 2059 # All rules have been deleted from the Windows Defender Firewall configuration on this computer. (Windows 11)
    filter_main_svchost:
        ModifyingApplication|endswith: ':\Windows\System32\svchost.exe'
    filter_optional_msmpeng:
        ModifyingApplication|contains|all:
            - ':\ProgramData\Microsoft\Windows Defender\Platform\'
            - '\MsMpEng.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
level: high
level: high · quality: Strong · alert volume: Medium FP
Allow Service Access Using Security Descriptor Tampering Via Sc.EXE
Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs.
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: sub-technique · id: 6c8fbee5-dee8-49bc-851d-c3142d02aa47
carbon_black query
((Image:\\sc.exe OR OriginalFileName:sc.exe) (CommandLine:sdset* CommandLine:A;*) (CommandLine:;IU* OR CommandLine:;SU* OR CommandLine:;BA* OR CommandLine:;SY* OR CommandLine:;WD*)) (-ParentImage:C\:\\Hexnode\\Hexnode\ Agent\\Current\\HexnodeAgent.exe)
Sigma YAML
title: Allow Service Access Using Security Descriptor Tampering Via Sc.EXE
id: 6c8fbee5-dee8-49bc-851d-c3142d02aa47
related:
    - id: a537cfc3-4297-4789-92b5-345bfd845ad0 # Generic SD tampering
      type: similar
status: test
description: Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs.
references:
    - https://twitter.com/0gtweet/status/1628720819537936386
    - https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/
    - https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-28
modified: 2025-10-22
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1543.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_sc:
        - Image|endswith: '\sc.exe'
        - OriginalFileName: 'sc.exe'
    selection_sdset:
        CommandLine|contains|all:
            - 'sdset'
            - 'A;' # Allow Access
    selection_trustee:
        CommandLine|contains:
            - ';IU' # Interactively logged-on user
            - ';SU' # Service logon user
            - ';BA' # Built-in administrators
            - ';SY' # Local system
            - ';WD' # Everyone
    filter_optional_hexnode:
        ParentImage: 'C:\Hexnode\Hexnode Agent\Current\HexnodeAgent.exe'
    condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high
level: high · quality: Moderate · alert volume: Medium FP
Anomalous Token
Indicates that there are abnormal characteristics in the token such as an unusual token lifetime or a token that is played from an unfamiliar location.
status: test · author: Mark Morowczynski '@markmorow' · ATT&CK mapping: technique · id: 6555754e-5e7f-4a67-ad1c-4041c413a007
carbon_black query
riskEventType:anomalousToken
Sigma YAML
title: Anomalous Token
id: 6555754e-5e7f-4a67-ad1c-4041c413a007
status: test
description: Indicates that there are abnormal characteristics in the token such as an unusual token lifetime or a token that is played from an unfamiliar location.
references:
    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-token
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow'
date: 2023-08-07
tags:
    - attack.t1528
    - attack.credential-access
logsource:
    product: azure
    service: riskdetection
detection:
    selection:
        riskEventType: 'anomalousToken'
    condition: selection
falsepositives:
    - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high
level: high · quality: Moderate · alert volume: Medium FP
Anomalous User Activity
Indicates that there are anomalous patterns of behavior like suspicious changes to the directory.
status: test · author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' · ATT&CK mapping: technique · id: 258b6593-215d-4a26-a141-c8e31c1299a6
carbon_black query
riskEventType:anomalousUserActivity
Sigma YAML
title: Anomalous User Activity
id: 258b6593-215d-4a26-a141-c8e31c1299a6
status: test
description: Indicates that there are anomalous patterns of behavior like suspicious changes to the directory.
references:
    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-user-activity
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
    - attack.privilege-escalation
    - attack.t1098
    - attack.persistence
logsource:
    product: azure
    service: riskdetection
detection:
    selection:
        riskEventType: 'anomalousUserActivity'
    condition: selection
falsepositives:
    - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high
level: high · quality: Moderate · alert volume: Medium FP
Anonymous IP Address
Indicates sign-ins from an anonymous IP address, for example, using an anonymous browser or VPN.
status: test · author: Gloria Lee, '@gleeiamglo' · ATT&CK mapping: technique · id: 53acd925-2003-440d-a1f3-71a5253fe237
carbon_black query
riskEventType:anonymizedIPAddress
Sigma YAML
title: Anonymous IP Address
id: 53acd925-2003-440d-a1f3-71a5253fe237
status: test
description: Indicates sign-ins from an anonymous IP address, for example, using an anonymous browser or VPN.
references:
    - https://learn.microsoft.com/en-us/graph/api/resources/riskdetection?view=graph-rest-1.0
    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anonymous-ip-address
author: Gloria Lee, '@gleeiamglo'
date: 2023-08-22
tags:
    - attack.t1528
    - attack.credential-access
logsource:
    product: azure
    service: riskdetection
detection:
    selection:
        riskEventType: 'anonymizedIPAddress'
    condition: selection
falsepositives:
    - We recommend investigating the sessions flagged by this detection in the context of other sign-ins
level: high
level: high · quality: Moderate · alert volume: Medium FP
Antivirus Filter Driver Disallowed On Dev Drive - Registry
Detects activity that indicates a user disabling the ability for Antivirus mini filter to inspect a "Dev Drive".
status: test · author: @kostastsale, Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: technique · id: 31e124fb-5dc4-42a0-83b3-44a69c77b271
carbon_black query
TargetObject:\\FilterManager\\FltmgrDevDriveAllowAntivirusFilter Details:DWORD\ \(0x00000000\)
Sigma YAML
title: Antivirus Filter Driver Disallowed On Dev Drive - Registry
id: 31e124fb-5dc4-42a0-83b3-44a69c77b271
status: test
description: |
    Detects activity that indicates a user disabling the ability for Antivirus mini filter to inspect a "Dev Drive".
references:
    - https://twitter.com/0gtweet/status/1720419490519752955
author: '@kostastsale, Nasreddine Bencherchali (Nextron Systems)'
date: 2023-11-05
modified: 2024-08-16
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\FilterManager\FltmgrDevDriveAllowAntivirusFilter'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Unlikely
level: high
level: high · quality: Moderate · alert volume: High FP
Antivirus Hacktool Detection
Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool. This event must not be ignored just because the AV has blocked the malware; investigate how it came there in the first place.
status: stable · author: Florian Roth (Nextron Systems), Arnim Rupp · ATT&CK mapping: technique · id: fa0c05b6-8ad3-468d-8231-c1cbccb64fba
carbon_black query
(Signature:ATK\/* OR Signature:Exploit.Script.CVE* OR Signature:HKTL* OR Signature:HTOOL* OR Signature:PWS.* OR Signature:PWSX* OR Signature:SecurityTool*) OR (Signature:Adfind* OR Signature:Brutel* OR Signature:BruteR* OR Signature:Cobalt* OR Signature:COBEACON* OR Signature:Cometer* OR Signature:DumpCreds* OR Signature:FastReverseProxy* OR Signature:Hacktool* OR Signature:Havoc* OR Signature:Impacket* OR Signature:Keylogger* OR Signature:Koadic* OR Signature:Mimikatz* OR Signature:Nighthawk* OR Signature:PentestPowerShell* OR Signature:Potato* OR Signature:PowerSploit* OR Signature:PowerSSH* OR Signature:PshlSpy* OR Signature:PSWTool* OR Signature:PWCrack* OR Signature:PWDump* OR Signature:Rozena* OR Signature:Rusthound* OR Signature:Sbelt* OR Signature:Seatbelt* OR Signature:SecurityTool* OR Signature:SharpDump* OR Signature:SharpHound* OR Signature:Shellcode* OR Signature:Sliver* OR Signature:Snaffler* OR Signature:SOAPHound* OR Signature:Splinter* OR Signature:Swrort* OR Signature:TurtleLoader*)
Sigma YAML
title: Antivirus Hacktool Detection
id: fa0c05b6-8ad3-468d-8231-c1cbccb64fba
status: stable
description: |
    Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool.
    This event must not be ignored just because the AV has blocked the malware; investigate how it came there in the first place.
references:
    - https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/
    - https://www.nextron-systems.com/?s=antivirus
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2021-08-16
modified: 2024-11-02
tags:
    - attack.execution
    - attack.t1204
logsource:
    category: antivirus
detection:
    selection:
        - Signature|startswith:
              - 'ATK/'  # Sophos
              - 'Exploit.Script.CVE'
              - 'HKTL'
              - 'HTOOL'
              - 'PWS.'
              - 'PWSX'
              - 'SecurityTool'
              # - 'FRP.'
        - Signature|contains:
              - 'Adfind'
              - 'Brutel'
              - 'BruteR'
              - 'Cobalt'
              - 'COBEACON'
              - 'Cometer'
              - 'DumpCreds'
              - 'FastReverseProxy'
              - 'Hacktool'
              - 'Havoc'
              - 'Impacket'
              - 'Keylogger'
              - 'Koadic'
              - 'Mimikatz'
              - 'Nighthawk'
              - 'PentestPowerShell'
              - 'Potato'
              - 'PowerSploit'
              - 'PowerSSH'
              - 'PshlSpy'
              - 'PSWTool'
              - 'PWCrack'
              - 'PWDump'
              - 'Rozena'
              - 'Rusthound'
              - 'Sbelt'
              - 'Seatbelt'
              - 'SecurityTool'
              - 'SharpDump'
              - 'SharpHound'
              - 'Shellcode'
              - 'Sliver'
              - 'Snaffler'
              - 'SOAPHound'
              - 'Splinter'
              - 'Swrort'
              - 'TurtleLoader'
    condition: selection
falsepositives:
    - Unlikely
level: high
level: high · quality: Moderate · alert volume: Medium FP
Antivirus Relevant File Paths Alerts
Detects an Antivirus alert in a highly relevant file path or with a relevant file name. This event must not be ignored just because the AV has blocked the malware; investigate how it came there in the first place.
status: test · author: Florian Roth (Nextron Systems), Arnim Rupp · ATT&CK mapping: technique · id: c9a88268-0047-4824-ba6e-4d81ce0b907c
carbon_black query
(Filename:\:\\PerfLogs\\* OR Filename:\:\\Temp\\* OR Filename:\:\\Users\\Default\\* OR Filename:\:\\Users\\Public\\* OR Filename:\:\\Windows\\* OR Filename:\/www\/* OR Filename:\\inetpub\\* OR Filename:\\tsclient\\* OR Filename:apache* OR Filename:nginx* OR Filename:tomcat* OR Filename:weblogic*) OR (Filename:.asax OR Filename:.ashx OR Filename:.asmx OR Filename:.asp OR Filename:.aspx OR Filename:.bat OR Filename:.cfm OR Filename:.cgi OR Filename:.chm OR Filename:.cmd OR Filename:.dat OR Filename:.ear OR Filename:.gif OR Filename:.hta OR Filename:.jpeg OR Filename:.jpg OR Filename:.jsp OR Filename:.jspx OR Filename:.lnk OR Filename:.msc OR Filename:.php OR Filename:.pl OR Filename:.png OR Filename:.ps1 OR Filename:.psm1 OR Filename:.py OR Filename:.pyc OR Filename:.rb OR Filename:.scf OR Filename:.sct OR Filename:.sh OR Filename:.svg OR Filename:.txt OR Filename:.vbe OR Filename:.vbs OR Filename:.war OR Filename:.wll OR Filename:.wsf OR Filename:.wsh OR Filename:.xll OR Filename:.xml)
Sigma YAML
title: Antivirus Relevant File Paths Alerts
id: c9a88268-0047-4824-ba6e-4d81ce0b907c
status: test
description: |
    Detects an Antivirus alert in a highly relevant file path or with a relevant file name.
    This event must not be ignored just because the AV has blocked the malware; investigate how it came there in the first place.
references:
    - https://www.nextron-systems.com/?s=antivirus
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2018-09-09
modified: 2024-11-02
tags:
    - attack.resource-development
    - attack.t1588
logsource:
    category: antivirus
detection:
    selection_path:
        Filename|contains:
            - ':\PerfLogs\'
            - ':\Temp\'
            - ':\Users\Default\'
            - ':\Users\Public\'
            - ':\Windows\'
            - '/www/'
            # - '\Client\'
            - '\inetpub\'
            - '\tsclient\'
            - 'apache'
            - 'nginx'
            - 'tomcat'
            - 'weblogic'
    selection_ext:
        Filename|endswith:
            - '.asax'
            - '.ashx'
            - '.asmx'
            - '.asp'
            - '.aspx'
            - '.bat'
            - '.cfm'
            - '.cgi'
            - '.chm'
            - '.cmd'
            - '.dat'
            - '.ear'
            - '.gif'
            - '.hta'
            - '.jpeg'
            - '.jpg'
            - '.jsp'
            - '.jspx'
            - '.lnk'
            - '.msc'
            - '.php'
            - '.pl'
            - '.png'
            - '.ps1'
            - '.psm1'
            - '.py'
            - '.pyc'
            - '.rb'
            - '.scf'
            - '.sct'
            - '.sh'
            - '.svg'
            - '.txt'
            - '.vbe'
            - '.vbs'
            - '.war'
            - '.wll'
            - '.wsf'
            - '.wsh'
            - '.xll'
            - '.xml'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high
level: high · quality: Moderate · alert volume: High FP
Antivirus Web Shell Detection
Detects a highly relevant Antivirus alert that reports a web shell. It's highly recommended to tune this rule to the specific strings used by your antivirus solution by downloading a big WebShell repository from e.g. GitHub and checking the matches. This event must not be ignored just because the AV has blocked the malware; investigate how it came there in the first place.
status: test · author: Florian Roth (Nextron Systems), Arnim Rupp · ATT&CK mapping: sub-technique · id: fdf135a2-9241-4f96-a114-bb404948f736
carbon_black query
(Signature:ASP.* OR Signature:IIS\/BackDoor* OR Signature:JAVA\/Backdoor* OR Signature:JSP.* OR Signature:Perl.* OR Signature:PHP.* OR Signature:Troj\/ASP* OR Signature:Troj\/JSP* OR Signature:Troj\/PHP* OR Signature:VBS\/Uxor*) OR (Signature:ASP_* OR Signature:ASP\:* OR Signature:ASP.Agent* OR Signature:ASP\/* OR Signature:Aspdoor* OR Signature:ASPXSpy* OR Signature:Backdoor.ASP* OR Signature:Backdoor.Java* OR Signature:Backdoor.JSP* OR Signature:Backdoor.PHP* OR Signature:Backdoor.VBS* OR Signature:Backdoor\/ASP* OR Signature:Backdoor\/Java* OR Signature:Backdoor\/JSP* OR Signature:Backdoor\/PHP* OR Signature:Backdoor\/VBS* OR Signature:C99shell* OR Signature:Chopper* OR Signature:filebrowser* OR Signature:JSP_* OR Signature:JSP\:* OR Signature:JSP.Agent* OR Signature:JSP\/* OR Signature:Perl\:* OR Signature:Perl\/* OR Signature:PHP_* OR Signature:PHP\:* OR Signature:PHP.Agent* OR Signature:PHP\/* OR Signature:PHPShell* OR Signature:PShlSpy* OR Signature:SinoChoper* OR Signature:Trojan.ASP* OR Signature:Trojan.JSP* OR Signature:Trojan.PHP* OR Signature:Trojan.VBS* OR Signature:VBS.Agent* OR Signature:VBS\/Agent* OR Signature:Webshell*)
Sigma YAML
title: Antivirus Web Shell Detection
id: fdf135a2-9241-4f96-a114-bb404948f736
status: test
description: |
    Detects a highly relevant Antivirus alert that reports a web shell.
    It's highly recommended to tune this rule to the specific strings used by your antivirus solution by downloading a big WebShell repository from e.g. GitHub and checking the matches.
    This event must not be ignored just because the AV has blocked the malware; investigate how it came there in the first place.
references:
    - https://www.nextron-systems.com/?s=antivirus
    - https://github.com/tennc/webshell
    - https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection
    - https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection
    - https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection
    - https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection
    - https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection
    - https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection
    - https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection
    - https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2018-09-09
modified: 2024-11-02
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    category: antivirus
detection:
    selection:
        - Signature|startswith:
              - 'ASP.'
              - 'IIS/BackDoor'
              - 'JAVA/Backdoor'
              - 'JSP.'
              - 'Perl.'
              - 'PHP.'
              - 'Troj/ASP'
              - 'Troj/JSP'
              - 'Troj/PHP'
              - 'VBS/Uxor' # matching on 'VBS/' alone would also catch downloaders and droppers meant for desktops
        - Signature|contains:
              - 'ASP_' # matching on 'VBS_' would also catch downloaders and droppers meant for desktops
              - 'ASP:'
              - 'ASP.Agent'
              - 'ASP/'
              # - 'ASP/Agent'
              - 'Aspdoor'
              - 'ASPXSpy'
              - 'Backdoor.ASP'
              - 'Backdoor.Java'
              - 'Backdoor.JSP'
              - 'Backdoor.PHP'
              - 'Backdoor.VBS'
              - 'Backdoor/ASP'
              - 'Backdoor/Java'
              - 'Backdoor/JSP'
              - 'Backdoor/PHP'
              - 'Backdoor/VBS'
              - 'C99shell'
              - 'Chopper'
              - 'filebrowser'
              - 'JSP_'
              - 'JSP:'
              - 'JSP.Agent'
              - 'JSP/'
              # - 'JSP/Agent'
              - 'Perl:'
              - 'Perl/'
              - 'PHP_'
              - 'PHP:'
              - 'PHP.Agent'
              - 'PHP/'
              # - 'PHP/Agent'
              - 'PHPShell'
              - 'PShlSpy'
              - 'SinoChoper'
              - 'Trojan.ASP'
              - 'Trojan.JSP'
              - 'Trojan.PHP'
              - 'Trojan.VBS'
              - 'VBS.Agent'
              - 'VBS/Agent'
              - 'Webshell'
    condition: selection
falsepositives:
    - Unlikely
level: high
high Moderate Medium FP
Apache Segmentation Fault
Detects a segmentation fault error message caused by a crashing apache worker process
status test author Florian Roth (Nextron Systems) ATT&CK sub-technique id 1da8ce0b-855d-4004-8860-7d64d42063b1
carbon_black query
"exit\ signal\ Segmentation\ Fault"
view Sigma YAML
title: Apache Segmentation Fault
id: 1da8ce0b-855d-4004-8860-7d64d42063b1
status: test
description: Detects a segmentation fault error message caused by a crashing apache worker process
references:
    - http://www.securityfocus.com/infocus/1633
author: Florian Roth (Nextron Systems)
date: 2017-02-28
modified: 2021-11-27
tags:
    - attack.impact
    - attack.t1499.004
logsource:
    service: apache
    definition: 'Requirements: Must be able to collect the error.log file'
detection:
    keywords:
        - 'exit signal Segmentation Fault'
    condition: keywords
falsepositives:
    - Unknown
level: high
high Moderate Medium FP
Apache Spark Shell Command Injection - ProcessCreation
Detects attempts to exploit an apache spark server via CVE-2014-6287 from a commandline perspective
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK technique id c8a5f584-cdc8-42cc-8cce-0398e4265de3
carbon_black query
ParentImage:\\bash (CommandLine:id\ \-Gn\ `* OR CommandLine:id\ \-Gn\ '*)
view Sigma YAML
title: Apache Spark Shell Command Injection - ProcessCreation
id: c8a5f584-cdc8-42cc-8cce-0398e4265de3
status: test
description: Detects attempts to exploit an apache spark server via CVE-2014-6287 from a commandline perspective
references:
    - https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py
    - https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html
    - https://github.com/apache/spark/pull/36315/files
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-20
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2022-33891
    - detection.emerging-threats
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        ParentImage|endswith: '\bash'
        CommandLine|contains:
            - 'id -Gn `'
            - "id -Gn '"
    condition: selection
falsepositives:
    - Unlikely
level: high
high Moderate High FP
Apache Spark Shell Command Injection - Weblogs
Detects attempts to exploit an apache spark server via CVE-2014-6287 from a weblogs perspective
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK technique id 1a9a04fd-02d1-465c-abad-d733fd409f9c
carbon_black query
"cs-uri-query":*doAs=`*
view Sigma YAML
title: Apache Spark Shell Command Injection - Weblogs
id: 1a9a04fd-02d1-465c-abad-d733fd409f9c
status: test
description: Detects attempts to exploit an apache spark server via CVE-2014-6287 from a weblogs perspective
references:
    - https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py
    - https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html
    - https://github.com/apache/spark/pull/36315/files
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-19
modified: 2023-01-02
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2022-33891
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection:
        cs-uri-query|contains: '?doAs=`'
    condition: selection
falsepositives:
    - Web vulnerability scanners
level: high
high Moderate Medium FP
App Granted Microsoft Permissions
Detects when an application is granted delegated or app role permissions for Microsoft Graph, Exchange, Sharepoint, or Azure AD
status test author Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow' ATT&CK technique id c1d147ae-a951-48e5-8b41-dcd0170c7213
carbon_black query
"properties.message":Add\ delegated\ permission\ grant OR "properties.message":Add\ app\ role\ assignment\ to\ service\ principal
view Sigma YAML
title: App Granted Microsoft Permissions
id: c1d147ae-a951-48e5-8b41-dcd0170c7213
status: test
description: Detects when an application is granted delegated or app role permissions for Microsoft Graph, Exchange, Sharepoint, or Azure AD
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions
author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
date: 2022-07-10
tags:
    - attack.credential-access
    - attack.t1528
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        properties.message:
            - Add delegated permission grant
            - Add app role assignment to service principal
    condition: selection
falsepositives:
    - When the permission is legitimately needed for the app
level: high
high Moderate Medium FP
App Granted Privileged Delegated Or App Permissions
Detects when an administrator grants either application permissions (app roles) or highly privileged delegated permissions
status test author Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow' ATT&CK sub-technique id 5aecf3d5-f8a0-48e7-99be-3a759df7358f
carbon_black query
"properties.message":Add\ app\ role\ assignment\ to\ service\ principal
view Sigma YAML
title: App Granted Privileged Delegated Or App Permissions
id: 5aecf3d5-f8a0-48e7-99be-3a759df7358f
related:
    - id: ba2a7c80-027b-460f-92e2-57d113897dbc
      type: obsolete
status: test
description: Detects when an administrator grants either application permissions (app roles) or highly privileged delegated permissions
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions
author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
date: 2022-07-28
modified: 2023-03-29
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1098.003
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        properties.message: Add app role assignment to service principal
    condition: selection
falsepositives:
    - When the permission is legitimately needed for the app
level: high
high Strong Medium FP
AppX Located in Known Staging Directory Added to Deployment Pipeline
Detects an AppX package that was added to the deployment pipeline of packages "to be processed" while located in a folder commonly used as a staging directory.
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK tactic-only id 5cdeaf3d-1489-477c-95ab-c318559fc051
carbon_black query
EventID:854 ((Path:\:\/Perflogs\/* OR Path:\:\/Users\/Public\/* OR Path:\:\/Windows\/Temp\/* OR Path:\/AppData\/Local\/Temp\/* OR Path:\/Desktop\/* OR Path:\/Downloads\/*) OR (Path:\:\\PerfLogs\\* OR Path:\:\\Users\\Public\\* OR Path:\:\\Windows\\Temp\\* OR Path:\\AppData\\Local\\Temp\\* OR Path:\\Desktop\\* OR Path:\\Downloads\\*))
view Sigma YAML
title: AppX Located in Known Staging Directory Added to Deployment Pipeline
id: 5cdeaf3d-1489-477c-95ab-c318559fc051
status: test
description: |
    Detects an AppX package that was added to the deployment pipeline of packages "to be processed" while located in a folder commonly used as a staging directory.
references:
    - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
    - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
    - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-11
tags:
    - attack.stealth
logsource:
    product: windows
    service: appxdeployment-server
detection:
    selection_eid:
        EventID: 854
    selection_paths_forward:
        Path|contains: # Paths can be written using forward slash if the "file://" protocol is used
            - ':/Perflogs/'
            - ':/Users/Public/'
            - ':/Windows/Temp/'
            - '/AppData/Local/Temp/' # fixed typo: the original read 'AppdData', which never matches a real profile path
            - '/Desktop/'
            - '/Downloads/'
    selection_paths_back:
        Path|contains: # Standard backslash form of the same staging directories
            - ':\PerfLogs\'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\AppData\Local\Temp\' # fixed typo: the original read 'AppdData', which never matches a real profile path
            - '\Desktop\'
            - '\Downloads\'
    condition: selection_eid and 1 of selection_paths_*
falsepositives:
    - Unknown
level: high
high Moderate Medium FP
Application AppID Uri Configuration Changes
Detects when a configuration change is made to an application's AppID URI.
status test author Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' ATT&CK sub-technique id 1b45b0d1-773f-4f23-aedc-814b759563b1
carbon_black query
"properties.message":Update\ Application OR "properties.message":Update\ Service\ principal
view Sigma YAML
title: Application AppID Uri Configuration Changes
id: 1b45b0d1-773f-4f23-aedc-814b759563b1
status: test
description: Detects when a configuration change is made to an application's AppID URI.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#appid-uri-added-modified-or-removed
author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
date: 2022-06-02
tags:
    - attack.initial-access
    - attack.persistence
    - attack.credential-access
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1552
    - attack.t1078.004
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        properties.message:
            - Update Application
            - Update Service principal
    condition: selection
falsepositives:
    - When an administrator is making legitimate AppID URI configuration changes to an application. This should be a planned event.
level: high
high Moderate Medium FP
Application URI Configuration Changes
Detects when a configuration change is made to an application's URI. URIs for domain names that no longer exist (dangling URIs), URIs not using HTTPS, wildcards at the end of the domain, URIs that are not unique to that app, or URIs that point to domains you do not control should be investigated.
status test author Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' ATT&CK sub-technique id 0055ad1f-be85-4798-83cf-a6da17c993b3
carbon_black query
"properties.message":Update\ Application\ Sucess\-\ Property\ Name\ AppAddress
view Sigma YAML
title: Application URI Configuration Changes
id: 0055ad1f-be85-4798-83cf-a6da17c993b3
status: test
description: |
    Detects when a configuration change is made to an application's URI.
    URIs for domain names that no longer exist (dangling URIs), URIs not using HTTPS, wildcards at the end of the domain, URIs that are not unique to that app, or URIs that point to domains you do not control should be investigated.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-configuration-changes
author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
date: 2022-06-02
tags:
    - attack.initial-access
    - attack.stealth
    - attack.t1528
    - attack.t1078.004
    - attack.persistence
    - attack.credential-access
    - attack.privilege-escalation
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        properties.message: Update Application Sucess- Property Name AppAddress
    condition: selection
falsepositives:
    - When an administrator is making legitimate URI configuration changes to an application. This should be a planned event.
level: high
high Strong High FP
Arbitrary File Download Via IMEWDBLD.EXE
Detects usage of "IMEWDBLD.exe" to download arbitrary files
status test author Swachchhanda Shrawan Poudel ATT&CK technique id 863218bd-c7d0-4c52-80cd-0a96c09f54af
carbon_black query
(Image:\\IMEWDBLD.exe OR OriginalFileName:imewdbld.exe) (CommandLine:http\:\/\/* OR CommandLine:https\:\/\/*)
view Sigma YAML
title: Arbitrary File Download Via IMEWDBLD.EXE
id: 863218bd-c7d0-4c52-80cd-0a96c09f54af
related:
    - id: 8d7e392e-9b28-49e1-831d-5949c6281228
      type: derived
status: test
description: Detects usage of "IMEWDBLD.exe" to download arbitrary files
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download
    - https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/
author: Swachchhanda Shrawan Poudel
date: 2023-11-09
tags:
    - attack.execution
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\IMEWDBLD.exe'
        - OriginalFileName: 'imewdbld.exe'
    selection_cli:
        CommandLine|contains:
            - 'http://'
            - 'https://'
    condition: all of selection_*
falsepositives:
    - Unknown
# Note: Please reduce this to medium if you find legitimate use case of this utility with a URL
level: high
high Moderate Medium FP
Aruba Network Service Potential DLL Sideloading
Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK sub-technique id 90ae0469-0cee-4509-b67f-e5efcef040f7
carbon_black query
(Image:\\arubanetsvc.exe (ImageLoaded:\\wtsapi32.dll OR ImageLoaded:\\msvcr100.dll OR ImageLoaded:\\msvcp100.dll OR ImageLoaded:\\dbghelp.dll OR ImageLoaded:\\dbgcore.dll OR ImageLoaded:\\wininet.dll OR ImageLoaded:\\iphlpapi.dll OR ImageLoaded:\\version.dll OR ImageLoaded:\\cryptsp.dll OR ImageLoaded:\\cryptbase.dll OR ImageLoaded:\\wldp.dll OR ImageLoaded:\\profapi.dll OR ImageLoaded:\\sspicli.dll OR ImageLoaded:\\winsta.dll OR ImageLoaded:\\dpapi.dll)) (-(ImageLoaded:C\:\\Windows\\System32\\* OR ImageLoaded:C\:\\Windows\\SysWOW64\\* OR ImageLoaded:C\:\\Windows\\WinSxS\\*))
view Sigma YAML
title: Aruba Network Service Potential DLL Sideloading
id: 90ae0469-0cee-4509-b67f-e5efcef040f7
status: test
description: Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking
references:
    - https://twitter.com/wdormann/status/1616581559892545537?t=XLCBO9BziGzD7Bmbt8oMEQ&s=09
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-22
modified: 2023-03-15
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\arubanetsvc.exe'
        ImageLoaded|endswith:
            - '\wtsapi32.dll'
            - '\msvcr100.dll'
            - '\msvcp100.dll'
            - '\dbghelp.dll'
            - '\dbgcore.dll'
            - '\wininet.dll'
            - '\iphlpapi.dll'
            - '\version.dll'
            - '\cryptsp.dll'
            - '\cryptbase.dll'
            - '\wldp.dll'
            - '\profapi.dll'
            - '\sspicli.dll'
            - '\winsta.dll'
            - '\dpapi.dll'
    filter:
        ImageLoaded|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
high Strong Medium FP
Atera Agent Installation
Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators
status test author Bhabesh Raj ATT&CK sub-technique id 87261fb2-69d0-42fe-b9de-88c6b5f65a43
carbon_black query
EventID:1033 Provider_Name:MsiInstaller Message:AteraAgent*
view Sigma YAML
title: Atera Agent Installation
id: 87261fb2-69d0-42fe-b9de-88c6b5f65a43
status: test
description: Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators
references:
    - https://www.advintel.io/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent
author: Bhabesh Raj
date: 2021-09-01
modified: 2022-12-25
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    service: application
    product: windows
detection:
    selection:
        EventID: 1033
        Provider_Name: MsiInstaller
        Message|contains: AteraAgent
    condition: selection
falsepositives:
    - Legitimate Atera agent installation
level: high
high Moderate High FP
Atlassian Bitbucket Command Injection Via Archive API
Detects attempts to exploit the Atlassian Bitbucket Command Injection CVE-2022-36804
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK technique id 65c0a0ab-d675-4441-bd6b-d3db226a2685
carbon_black query
"cs-uri-query":\/rest\/api\/latest\/projects\/* "cs-uri-query":prefix=* "cs-uri-query":%00\-\-exec*
view Sigma YAML
title: Atlassian Bitbucket Command Injection Via Archive API
id: 65c0a0ab-d675-4441-bd6b-d3db226a2685
status: test
description: Detects attempts to exploit the Atlassian Bitbucket Command Injection CVE-2022-36804
references:
    - https://twitter.com/_0xf4n9x_/status/1572052954538192901
    - https://www.rapid7.com/blog/post/2022/09/20/cve-2022-36804-easily-exploitable-vulnerability-in-atlassian-bitbucket-server-and-data-center/
    - https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html
    - https://blog.assetnote.io/2022/09/14/rce-in-bitbucket-server/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-29
modified: 2023-01-02
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2022-36804
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection:
        cs-uri-query|contains|all:
            - '/rest/api/latest/projects/'
            - 'prefix='
            - '%00--exec'
    condition: selection
falsepositives:
    - Web vulnerability scanners
level: high
high Moderate High FP
Atlassian Confluence CVE-2022-26134
Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK technique id 7fb14105-530e-4e2e-8cfb-99f7d8700b66
carbon_black query
ParentImage:\/opt\/atlassian\/confluence\/* ParentImage:\/java (CommandLine:\/bin\/sh* OR CommandLine:bash* OR CommandLine:dash* OR CommandLine:ksh* OR CommandLine:zsh* OR CommandLine:csh* OR CommandLine:fish* OR CommandLine:curl* OR CommandLine:wget* OR CommandLine:python*)
view Sigma YAML
title: Atlassian Confluence CVE-2022-26134
id: 7fb14105-530e-4e2e-8cfb-99f7d8700b66
related:
    - id: 245f92e3-c4da-45f1-9070-bc552e06db11
      type: derived
status: test
description: Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134
references:
    - https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-03
tags:
    - attack.initial-access
    - attack.execution
    - attack.t1190
    - attack.t1059
    - cve.2022-26134
    - detection.emerging-threats
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        # Monitor suspicious child processes spawned by Confluence
        ParentImage|startswith: '/opt/atlassian/confluence/'
        ParentImage|endswith: '/java'
        CommandLine|contains:
            - '/bin/sh'
            - 'bash'
            - 'dash'
            - 'ksh'
            - 'zsh'
            - 'csh'
            - 'fish'
            - 'curl'
            - 'wget'
            - 'python'
    condition: selection
falsepositives:
    - Unknown
level: high
high Moderate High FP
Atomic MacOS Stealer - FileGrabber Activity
Detects suspicious activity associated with Atomic MacOS Stealer (Amos) campaigns, including execution of FileGrabber and curl-based POST requests used for data exfiltration. The rule identifies either the execution of FileGrabber targeting /tmp or the use of curl to POST sensitive user data (including files such as /tmp/out.zip) to remote servers, which are key indicators of Amos infostealer activity.
status experimental author Jason Phang Vern - Onn, Robbin Ooi Zhen Heng (Gen Digital) ATT&CK sub-technique id e710a880-1f18-4417-b6a0-b5afdf7e33da
carbon_black query
(CommandLine:curl* CommandLine:POST* CommandLine:user\:* CommandLine:\-H\ * CommandLine:BuildID* CommandLine:file=@\/tmp\/out.zip* CommandLine:cl\:\ 0*) OR (CommandLine:FileGrabber* CommandLine:\/tmp*)
view Sigma YAML
title: Atomic MacOS Stealer - FileGrabber Activity
id: e710a880-1f18-4417-b6a0-b5afdf7e33da
related:
    - id: e710a880-1f18-4417-b6a0-b5afdf7e305a
      type: obsolete
status: experimental
description: |
    Detects suspicious activity associated with Atomic MacOS Stealer (Amos) campaigns, including execution of FileGrabber and curl-based POST requests used for data exfiltration. The rule identifies either the execution of FileGrabber targeting /tmp or the use of curl to POST sensitive user data (including files such as /tmp/out.zip) to remote servers, which are key indicators of Amos infostealer activity.
references:
    - https://www.trendmicro.com/en_us/research/25/i/an-mdr-analysis-of-the-amos-stealer-campaign.html
    - https://hunt.io/blog/macos-clickfix-applescript-terminal-phishing
    - https://github.com/bobby-tablez/TTP-Threat-Feeds/blob/45398914e631f8372c3a9fbcd339ff65ffff1b17/results/2025/10/20251001-161956-trendmicro-atomic-macos-stealer-(amos).yml#L36
    - https://www.jamf.com/blog/infostealers-pose-threat-to-macos/
author: Jason Phang Vern - Onn, Robbin Ooi Zhen Heng (Gen Digital)
date: 2025-11-22
tags:
    - attack.execution
    - attack.t1059.002
    - detection.emerging-threats
logsource:
    category: process_creation
    product: macos
detection:
    selection_curl_post:
        CommandLine|contains|all:
            - 'curl'
            - 'POST'
            - 'user:'
            - '-H '
            - 'BuildID'
            - 'file=@/tmp/out.zip'
            - 'cl: 0'
    selection_filegrabber_exec:
        CommandLine|contains|all:
            - 'FileGrabber'
            - '/tmp'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high
high Moderate Medium FP
Atomic MacOS Stealer - Persistence Indicators
Detects creation of persistence artifacts placed by Atomic MacOS Stealer in macOS systems. Recent Atomic MacOS Stealer variants have been observed dropping these to maintain persistent access after compromise.
status experimental author Jason Phang Vern - Onn, Robbin Ooi Zhen Heng (Gen Digital) ATT&CK sub-technique id e710a880-1f18-4417-b6a0-b5afdf7e3023
carbon_black query
(Image:\/curl TargetFilename:\/Users\/* TargetFilename:.helper) OR TargetFilename:\/Library\/LaunchDaemons\/com.finder.helper.plist
view Sigma YAML
title: Atomic MacOS Stealer - Persistence Indicators
id: e710a880-1f18-4417-b6a0-b5afdf7e3023
status: experimental
description: |
    Detects creation of persistence artifacts placed by Atomic MacOS Stealer in macOS systems. Recent Atomic MacOS Stealer variants have been observed dropping these to maintain persistent access after compromise.
references:
    - https://moonlock.com/amos-backdoor-persistent-access
    - https://github.com/bobby-tablez/TTP-Threat-Feeds/blob/45398914e631f8372c3a9fbcd339ff65ffff1b17/results/2025/10/20251001-161956-trendmicro-atomic-macos-stealer-(amos).yml#L44
author: Jason Phang Vern - Onn, Robbin Ooi Zhen Heng (Gen Digital)
date: 2025-11-22
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1564.001
    - attack.t1543.004
    - detection.emerging-threats
logsource:
    category: file_event
    product: macos
detection:
    selection_user_helper:
        # sh -c curl -o '/Users/<username>/.helper' hxxps://halesmp[.]com/zxc/app
        Image|endswith: '/curl'
        TargetFilename|startswith: '/Users/'
        TargetFilename|endswith: '.helper'
    selection_launchdaemon:
        TargetFilename: '/Library/LaunchDaemons/com.finder.helper.plist'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high
high Moderate High FP
Attempts of Kerberos Coercion Via DNS SPN Spoofing
Detects the presence of the "UWhRC....AAYBAAAA" pattern in the command line. The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure. Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts. It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests, as in CVE-2025-33073. If you see this pattern in the command line, it is likely an attempt to add spoofed Service Principal Names (SPNs) to DNS records, or a check for the presence of such records through the `nslookup` command.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) ATT&CK sub-technique id 0ed99dda-6a35-11ef-8c99-0242ac120002
carbon_black query
CommandLine:UWhRCA* CommandLine:BAAAA*
view Sigma YAML
title: Attempts of Kerberos Coercion Via DNS SPN Spoofing
id: 0ed99dda-6a35-11ef-8c99-0242ac120002
related:
    - id: b07e58cf-cacc-4135-8473-ccb2eba63dd2
      type: similar
status: experimental
description: |
    Detects the presence of the "UWhRC....AAYBAAAA" pattern in the command line.
    The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure.
    Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts.
    It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records
    to spoof Service Principal Names (SPNs) and redirect authentication requests, as in CVE-2025-33073.
    If you see this pattern in the command line, it is likely an attempt to add spoofed Service Principal Names (SPNs) to DNS records,
    or a check for the presence of such records through the `nslookup` command.
references:
    - https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025
    - https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-06-20
tags:
    - attack.collection
    - attack.credential-access
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1557.001
    - attack.t1187
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'UWhRCA'
            - 'BAAAA'
    condition: selection
falsepositives:
    - Unknown
level: high
high Moderate Medium FP
Atypical Travel
Identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior.
status test author Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' ATT&CK technique id 1a41023f-1e70-4026-921a-4d9341a9038e
carbon_black query
riskEventType:unlikelyTravel
view Sigma YAML
title: Atypical Travel
id: 1a41023f-1e70-4026-921a-4d9341a9038e
status: test
description: Identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior.
references:
    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#atypical-travel
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
    - attack.stealth
    - attack.t1078
    - attack.persistence
    - attack.privilege-escalation
    - attack.initial-access
logsource:
    product: azure
    service: riskdetection
detection:
    selection:
        riskEventType: 'unlikelyTravel'
    condition: selection
falsepositives:
    - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high
high Strong High FP
Audit Policy Tampering Via Auditpol
Threat actors can use the auditpol binary to change the audit policy configuration to impair detection capability. This can be carried out by selectively disabling or removing certain audit policies as well as by restoring a custom policy owned by the threat actor.
status test author Janantha Marasinghe (https://github.com/blueteam0ps) ATT&CK sub-technique id 0a13e132-651d-11eb-ae93-0242ac130002
carbon_black query
(Image:\\auditpol.exe OR OriginalFileName:AUDITPOL.EXE) (CommandLine:disable* OR CommandLine:clear* OR CommandLine:remove* OR CommandLine:restore*)
view Sigma YAML
title: Audit Policy Tampering Via Auditpol
id: 0a13e132-651d-11eb-ae93-0242ac130002
related:
    - id: c6c56ada-612b-42d1-9a29-adad3c5c2c1e # Old auditpol
      type: similar
status: test
description: |
  Threat actors can use the auditpol binary to change the audit policy configuration to impair detection capability.
  This can be carried out by selectively disabling or removing certain audit policies, as well as by restoring a custom policy owned by the threat actor.
references:
    - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
author: Janantha Marasinghe (https://github.com/blueteam0ps)
date: 2021-02-02
modified: 2023-02-22
tags:
    - attack.defense-impairment
    - attack.t1685.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\auditpol.exe'
        - OriginalFileName: 'AUDITPOL.EXE'
    selection_cli:
        CommandLine|contains:
            - 'disable' # disables a specific audit policy
            - 'clear'   # delete or clears audit policy
            - 'remove'  # removes an audit policy
            - 'restore' # restores an audit policy
    condition: all of selection_*
falsepositives:
    - Administrators or administrative scripts might use the flags listed in the detection section. Either way, this activity should always be monitored.
level: high
high Moderate High FP
Audit Policy Tampering Via NT Resource Kit Auditpol
Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK sub-technique id c6c56ada-612b-42d1-9a29-adad3c5c2c1e
carbon_black query
CommandLine:\/logon\:none* OR CommandLine:\/system\:none* OR CommandLine:\/sam\:none* OR CommandLine:\/privilege\:none* OR CommandLine:\/object\:none* OR CommandLine:\/process\:none* OR CommandLine:\/policy\:none*
view Sigma YAML
title: Audit Policy Tampering Via NT Resource Kit Auditpol
id: c6c56ada-612b-42d1-9a29-adad3c5c2c1e
related:
    - id: 0a13e132-651d-11eb-ae93-0242ac130002 # New auditpol version
      type: similar
status: test
description: |
    Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability.
    This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
references:
    - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Windows%202000%20Resource%20Kit%20Tools/AuditPol
author: Nasreddine Bencherchali (Nextron Systems)
date: 2021-12-18
modified: 2023-02-21
tags:
    - attack.defense-impairment
    - attack.t1685.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - '/logon:none'
            - '/system:none'
            - '/sam:none'
            - '/privilege:none'
            - '/object:none'
            - '/process:none'
            - '/policy:none'
    condition: selection
falsepositives:
    - The old auditpol utility isn't available by default on recent versions of Windows, as it was replaced by a newer version. The FP rate should be very low, except for tools that use a similar flag structure.
level: high
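To confirm that the two auditpol rules above behave the way their YAML reads before deploying either of them, here is an added example (it is not part of this page or of the Sigma rule set) that transcribes both detections into Python dictionaries and evaluates them against a handful of constructed Windows process_creation events. Field names follow the Sigma taxonomy (Image, OriginalFileName, CommandLine); the events, paths and the host name FILESRV01 are invented sample data. The matcher implements only what these rules need: the endswith and contains modifiers, OR across a list of values, OR across a list of maps, and the condition forms used on this page.

```python
"""Evaluate the two auditpol Sigma rules above against constructed process events (added example)."""

# Rules transcribed from the YAML above into dicts (no PyYAML dependency).
# Sigma semantics reproduced here: a selection given as a list of maps is an OR of
# those maps; a map is an AND of its fields; a field with a list of values is an OR
# (an AND with the |all modifier); string matches are case-insensitive.
RULES = {
    "Audit Policy Tampering Via Auditpol": {
        "selection_img": [{"Image|endswith": "\\auditpol.exe"},
                          {"OriginalFileName": "AUDITPOL.EXE"}],
        "selection_cli": {"CommandLine|contains": ["disable", "clear", "remove", "restore"]},
        "condition": "all of selection_*",
    },
    "Audit Policy Tampering Via NT Resource Kit Auditpol": {
        "selection": {"CommandLine|contains": ["/logon:none", "/system:none", "/sam:none",
                                               "/privilege:none", "/object:none",
                                               "/process:none", "/policy:none"]},
        "condition": "selection",
    },
}

# Constructed Windows process_creation events (sample data, not real telemetry).
EVENTS = [
    # 1: the classic case - a subcategory being switched off
    {"Image": r"C:\Windows\System32\auditpol.exe", "OriginalFileName": "AUDITPOL.EXE",
     "CommandLine": r'auditpol.exe /set /subcategory:"Logon" /success:disable /failure:disable'},
    # 2: benign read-only use of the same binary
    {"Image": r"C:\Windows\System32\auditpol.exe", "OriginalFileName": "AUDITPOL.EXE",
     "CommandLine": "auditpol.exe /get /category:*"},
    # 3: renamed copy; only OriginalFileName gives it away
    {"Image": r"C:\Users\Public\ap.exe", "OriginalFileName": "AUDITPOL.EXE",
     "CommandLine": "ap.exe /clear /y"},
    # 4: old NT Resource Kit syntax (invented host name), which the newer rule's keywords never see
    {"Image": r"C:\Temp\auditpol.exe", "OriginalFileName": "auditpol.exe",
     "CommandLine": r"auditpol \\FILESRV01 /enable /logon:none /object:none"},
    # 5: keyword present but wrong image - 'all of selection_*' must reject it
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c echo disable"},
]


def _value_matches(value, pattern, modifier):
    v, p = str(value).lower(), str(pattern).lower()   # Sigma string matching is case-insensitive
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "contains":
        return p in v
    return v == p


def _field_matches(event, key, patterns):
    field, _, mods = key.partition("|")
    mods = mods.split("|") if mods else []
    modifier = next((m for m in mods if m in ("endswith", "contains")), "")
    if field not in event:
        return False
    values = patterns if isinstance(patterns, list) else [patterns]
    combine = all if "all" in mods else any
    return combine(_value_matches(event[field], p, modifier) for p in values)


def selection_matches(event, selection):
    if isinstance(selection, list):          # list of maps: OR between the maps
        return any(selection_matches(event, s) for s in selection)
    return all(_field_matches(event, k, v) for k, v in selection.items())


def rule_matches(event, rule):
    """Supports the conditions used on this page: 'selection', 'all of selection_*', '1 of selection_*'."""
    condition = rule["condition"]
    selections = {k: v for k, v in rule.items() if k.startswith("selection")}
    if condition == "all of selection_*":
        return all(selection_matches(event, s) for s in selections.values())
    if condition == "1 of selection_*":
        return any(selection_matches(event, s) for s in selections.values())
    return selection_matches(event, rule[condition])


def detect(events, rules=RULES):
    """Return (event index, rule title) for every rule that fires on every event."""
    return [(i, title) for i, event in enumerate(events)
            for title, rule in rules.items() if rule_matches(event, rule)]


if __name__ == "__main__":
    for index, title in detect(EVENTS):
        print(f"event {index + 1}: {title}")
```

Events 1 and 3 fire the newer rule (the renamed copy is caught only through OriginalFileName), event 4 fires only the NT Resource Kit rule, and event 5 shows why the `all of selection_*` condition matters: the keyword alone is not enough. The rendered Carbon Black query relies on that backend's own tokenisation rather than on plain substring matching, so validate the rendered query in the console as well rather than assuming it is equivalent to the YAML.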
high Moderate Medium FP
Audit Rules Deleted Via Auditctl
Detects the execution of 'auditctl' with the '-D' command line parameter, which deletes all configured audit rules and watches on Linux systems. This technique is commonly used by attackers to disable audit logging and cover their tracks by removing monitoring capabilities. Removal of audit rules can significantly impair detection of malicious activities on the affected system.
status experimental author Mohamed LAKRI ATT&CK sub-technique id bed26dea-4525-47f4-b24a-76e30e44ffb0
carbon_black query
Image:\/auditctl CommandLine:-D
view Sigma YAML
title: Audit Rules Deleted Via Auditctl
id: bed26dea-4525-47f4-b24a-76e30e44ffb0
status: experimental
description: |
    Detects the execution of 'auditctl' with the '-D' command line parameter, which deletes all configured audit rules and watches on Linux systems.
    This technique is commonly used by attackers to disable audit logging and cover their tracks by removing monitoring capabilities.
    Removal of audit rules can significantly impair detection of malicious activities on the affected system.
references:
    - https://www.atomicredteam.io/atomic-red-team/atomics/T1562.012
    - https://linux.die.net/man/8/auditctl
author: Mohamed LAKRI
date: 2025-10-17
tags:
    - attack.defense-impairment
    - attack.t1685.004
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/auditctl'
        CommandLine|re: '-D'
    condition: selection
falsepositives:
    - An administrator troubleshooting. Investigate all attempts.
level: high
high Strong Medium FP
Auditing Configuration Changes on Linux Host
Detects changes to auditd configuration files
status test author Mikhail Larin, oscd.community ATT&CK technique id 977ef627-4539-4875-adf4-ed8f780c4922
carbon_black query
type:PATH (name:\/etc\/audit\/* OR name:\/etc\/libaudit.conf OR name:\/etc\/audisp\/*)
view Sigma YAML
title: Auditing Configuration Changes on Linux Host
id: 977ef627-4539-4875-adf4-ed8f780c4922
status: test
description: Detects changes to auditd configuration files
references:
    - https://github.com/Neo23x0/auditd/blob/master/audit.rules
    - Self Experience
author: Mikhail Larin, oscd.community
date: 2019-10-25
modified: 2021-11-27
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: PATH
        name:
            - /etc/audit/*
            - /etc/libaudit.conf
            - /etc/audisp/*
    condition: selection
falsepositives:
    - Legitimate administrative activity
level: high
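The rule above matches on the `name` field of auditd PATH records, which holds the path exactly as the process passed it to the kernel: a relative name only makes sense together with the CWD record of the same event, and a name containing spaces or quotes is logged hex-encoded rather than quoted. The following added example (mine, not the rule author's) parses constructed raw auditd lines, resolves both cases and then applies the rule's three path patterns. The log lines, serials, inodes and file names are invented; the records presuppose a watch such as `-w /etc/audit/ -p wa -k auditconfig`, since without a matching audit rule the kernel emits no PATH records at all.

```python
"""Parse raw auditd records and apply the auditd configuration-change rule above (added example)."""
import fnmatch
import posixpath
import re
from collections import defaultdict

# Paths from the rule above. Sigma's '*' matches any run of characters, '/' included,
# and fnmatch behaves the same way, so the patterns can be used directly.
WATCHED = ["/etc/audit/*", "/etc/libaudit.conf", "/etc/audisp/*"]

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_SERIAL = re.compile(r"msg=audit\([\d.]+:(\d+)\)")
_HEX_FIELDS = {"name", "cwd"}   # auditd hex-encodes these when they contain spaces or quotes


def parse_record(line):
    """Turn one 'type=... msg=audit(ts:serial): k=v ...' line into a dict."""
    serial = _SERIAL.search(line)
    record = {"serial": serial.group(1) if serial else None}
    for key, value in _KV.findall(line):
        if value.startswith('"'):
            value = value[1:-1]
        elif key in _HEX_FIELDS and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", value):
            value = bytes.fromhex(value).decode("utf-8", errors="replace")
        record[key] = value
    return record


def path_events(lines):
    """Group records by serial and resolve each PATH name against that event's CWD record."""
    by_serial = defaultdict(list)
    for line in lines:
        record = parse_record(line)
        by_serial[record["serial"]].append(record)
    events = []
    for serial, records in by_serial.items():
        cwd = next((r["cwd"] for r in records if r.get("type") == "CWD"), "/")
        for r in records:
            if r.get("type") != "PATH" or r.get("name") in (None, "(null)"):
                continue
            name = r["name"]
            full = name if name.startswith("/") else posixpath.join(cwd, name)
            events.append({"serial": serial, "path": posixpath.normpath(full),
                           "nametype": r.get("nametype", "")})
    return events


def detect(lines):
    """Return (serial, resolved path) for every PATH record that hits a watched path."""
    return [(e["serial"], e["path"]) for e in path_events(lines)
            if any(fnmatch.fnmatchcase(e["path"], pattern) for pattern in WATCHED)]


# Constructed sample log (not captured from a real host). These records only exist when a
# watch such as '-w /etc/audit/ -p wa -k auditconfig' is loaded.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1712345678.123:4211): arch=c000003e syscall=257 success=yes exit=3 comm="vim" exe="/usr/bin/vim" key="auditconfig"',
    'type=CWD msg=audit(1712345678.123:4211): cwd="/etc/audit"',
    # the PARENT item is the directory entry auditd adds on creates; the rule fires on it too
    'type=PATH msg=audit(1712345678.123:4211): item=0 name="rules.d/" inode=262150 nametype=PARENT',
    'type=PATH msg=audit(1712345678.123:4211): item=1 name="rules.d/audit.rules" inode=262453 nametype=NORMAL',
    # absolute name stored in hex because it contains a space
    'type=CWD msg=audit(1712345700.004:4212): cwd="/root"',
    'type=PATH msg=audit(1712345700.004:4212): item=0 name=' + "/etc/audit/my rules.conf".encode().hex().upper() + ' inode=262460 nametype=NORMAL',
    # traversal from a home directory still lands in /etc/audit once resolved
    'type=CWD msg=audit(1712345720.555:4213): cwd="/home/alice"',
    'type=PATH msg=audit(1712345720.555:4213): item=0 name="../../etc/audit/auditd.conf" inode=262151 nametype=NORMAL',
    # unrelated config edit: must not fire
    'type=CWD msg=audit(1712345730.001:4214): cwd="/etc"',
    'type=PATH msg=audit(1712345730.001:4214): item=0 name="ssh/sshd_config" inode=131245 nametype=NORMAL',
]

if __name__ == "__main__":
    for serial, path in detect(SAMPLE_LOG):
        print(serial, path)
```

A SIEM that only sees the `name` field in isolation would miss the relative and hex-encoded cases entirely, which is worth checking in your own pipeline before relying on this rule; whether the `nametype=PARENT` directory hit is wanted is a tuning decision the rule as written leaves open.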
high Moderate Medium FP
Axios NPM Compromise File Creation Indicators - Linux
Detects file creation events linked to the Axios NPM supply chain compromise. Axios is a popular JavaScript HTTP client. On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a malicious dependency (plain-crypto-js) that executed a postinstall script as a cross-platform RAT dropper.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) ATT&CK sub-technique id b7cb840c-11f6-47f7-b3ef-5524739c9077
carbon_black query
Image:\/curl TargetFilename:\/tmp\/ld.py
view Sigma YAML
title: Axios NPM Compromise File Creation Indicators - Linux
id: b7cb840c-11f6-47f7-b3ef-5524739c9077
status: experimental
description: |
    Detects file creation events linked to the Axios NPM supply chain compromise. Axios is a popular JavaScript HTTP client.
    On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a malicious dependency (plain-crypto-js) that executed a postinstall script as a cross-platform RAT dropper.
references:
    - https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan
    - https://www.derp.ca/research/axios-npm-supply-chain-rat/
    - https://www.trendmicro.com/zh_hk/research/26/c/axios-npm-package-compromised.html
    - https://www.elastic.co/security-labs/axios-supply-chain-compromise-detections
    - https://www.virustotal.com/gui/file/e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-04-01
tags:
    - attack.initial-access
    - attack.t1195.002
    - attack.command-and-control
    - attack.t1105
    - detection.emerging-threats
logsource:
    category: file_event
    product: linux
detection:
    selection:
        Image|endswith: '/curl'
        TargetFilename: '/tmp/ld.py'
    condition: selection
falsepositives:
    - Highly unlikely
level: high
high Moderate Medium FP
Axios NPM Compromise File Creation Indicators - MacOS
Detects file creation events linked to the Axios NPM supply chain compromise on macOS devices. Axios is a popular JavaScript HTTP client. On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a malicious dependency (plain-crypto-js) that executed a postinstall script as a cross-platform RAT dropper.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) ATT&CK sub-technique id 2db0458c-05c9-4069-a26f-77becd9c8c13
carbon_black query
(Image:\/curl TargetFilename:\/Library\/Caches\/com.apple.act.mond) OR (Image:\/node TargetFilename:\/tmp\/6202033)
view Sigma YAML
title: Axios NPM Compromise File Creation Indicators - MacOS
id: 2db0458c-05c9-4069-a26f-77becd9c8c13
status: experimental
description: |
    Detects file creation events linked to the Axios NPM supply chain compromise on macOS devices. Axios is a popular JavaScript HTTP client.
    On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a malicious dependency (plain-crypto-js) that executed a postinstall script as a cross-platform RAT dropper.
references:
    - https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan
    - https://www.derp.ca/research/axios-npm-supply-chain-rat/
    - https://www.trendmicro.com/zh_hk/research/26/c/axios-npm-package-compromised.html
    - https://www.elastic.co/security-labs/axios-supply-chain-compromise-detections
    - https://www.virustotal.com/gui/file/e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-04-01
tags:
    - attack.initial-access
    - attack.t1195.002
    - attack.command-and-control
    - attack.t1105
    - detection.emerging-threats
logsource:
    category: file_event
    product: macos
detection:
    selection_curl_download:
        Image|endswith: '/curl'
        TargetFilename: '/Library/Caches/com.apple.act.mond'
    selection_node_shell:
        Image|endswith: '/node'
        TargetFilename: '/tmp/6202033'
    condition: 1 of selection_*
falsepositives:
    - Highly unlikely
level: high
high Moderate High FP
Axios NPM Compromise File Creation Indicators - Windows
Detects file creation events linked to the Axios NPM supply chain compromise. Axios is a popular JavaScript HTTP client. On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a malicious dependency (plain-crypto-js) that executed a postinstall script as a cross-platform RAT dropper. The dropper contacted a C2 server, delivered platform-specific payloads, deleted itself, and replaced package.json to evade detection. The attack used cscript.exe (VBScript), curl.exe (C2), and PowerShell masquerading as Windows Terminal (wt.exe).
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) ATT&CK sub-technique id cd6386fa-bb9a-4b67-b006-786b6ab5d2ba
carbon_black query
(Image:\\node.exe OR Image:\\powershell.exe) ((TargetFilename:C\:\\ProgramData\\wt.exe OR TargetFilename:C\:\\ProgramData\\system.bat) OR (TargetFilename:C\:\\Users\\* TargetFilename:\\AppData\\Local\\Temp\\6202033.vbs*) OR (TargetFilename:C\:\\Users\\* TargetFilename:\\AppData\\Local\\Temp\\6202033.ps1*))
view Sigma YAML
title: Axios NPM Compromise File Creation Indicators - Windows
id: cd6386fa-bb9a-4b67-b006-786b6ab5d2ba
status: experimental
description: |
    Detects file creation events linked to the Axios NPM supply chain compromise. Axios is a popular JavaScript HTTP client.
    On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a malicious dependency (plain-crypto-js) that executed a postinstall script as a cross-platform RAT dropper.
    The dropper contacted a C2 server, delivered platform-specific payloads, deleted itself, and replaced package.json to evade detection.
    The attack used cscript.exe (VBScript), curl.exe (C2), and PowerShell masquerading as Windows Terminal.
references:
    - https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan
    - https://www.derp.ca/research/axios-npm-supply-chain-rat/
    - https://www.trendmicro.com/zh_hk/research/26/c/axios-npm-package-compromised.html
    - https://www.elastic.co/security-labs/axios-supply-chain-compromise-detections
    - https://www.virustotal.com/gui/file/e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-04-01
tags:
    - attack.initial-access
    - attack.t1195.002
    - detection.emerging-threats
logsource:
    category: file_event
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\node.exe'
            - '\powershell.exe'
    selection_fils:
        - TargetFilename:
              - 'C:\ProgramData\wt.exe'
              - 'C:\ProgramData\system.bat'
        - TargetFilename|contains|all:
              - 'C:\Users\'
              - '\AppData\Local\Temp\6202033.vbs'
        - TargetFilename|contains|all:
              - 'C:\Users\'
              - '\AppData\Local\Temp\6202033.ps1'
    condition: all of selection_*
falsepositives:
    - Highly unlikely
level: high
high Moderate Medium FP
Axios NPM Compromise Indicators - Linux
Detects the Linux-specific execution chain of the malicious plain-crypto-js npm dependency pulled in by the compromised Axios npm package, including payload download via curl and detached execution using nohup and python3. On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a malicious dependency (plain-crypto-js) that executed a postinstall script as a cross-platform RAT dropper. The dropper contacted a C2 server, delivered platform-specific payloads, deleted itself, and replaced package.json to evade detection.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) ATT&CK sub-technique id 0a23a62d-c5b3-468b-a072-25064a9a8c87
carbon_black query
((ParentImage:\/node OR ParentImage:\/bun) (CommandLine:curl\ * CommandLine:\/tmp\/ld.py* CommandLine:python3\ * CommandLine:nohup\ * CommandLine:6202033*)) OR (Image:\/curl CommandLine:http\:\/\/sfrclak.com*)
view Sigma YAML
title: Axios NPM Compromise Indicators - Linux
id: 0a23a62d-c5b3-468b-a072-25064a9a8c87
status: experimental
description: |
    Detects the Linux-specific execution chain of the malicious plain-crypto-js npm dependency pulled in by the compromised Axios npm package, including payload download via curl and detached execution using nohup and python3.
    On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a malicious dependency (plain-crypto-js) that executed a postinstall script as a cross-platform RAT dropper.
    The dropper contacted a C2 server, delivered platform-specific payloads, deleted itself, and replaced package.json to evade detection.
references:
    - https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan
    - https://www.derp.ca/research/axios-npm-supply-chain-rat/
    - https://www.trendmicro.com/zh_hk/research/26/c/axios-npm-package-compromised.html
    - https://www.elastic.co/security-labs/axios-supply-chain-compromise-detections
    - https://www.virustotal.com/gui/file/e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-04-01
tags:
    - attack.initial-access
    - attack.t1195.002
    - attack.execution
    - attack.command-and-control
    - attack.t1059.006
    - attack.t1059.004
    - attack.t1105
    - detection.emerging-threats
logsource:
    category: process_creation
    product: linux
detection:
    selection_node_shell:
        ParentImage|endswith:
            - '/node'
            - '/bun'
        CommandLine|contains|all:
            - 'curl '
            - '/tmp/ld.py'
            - 'python3 '
            - 'nohup '
            - '6202033'
    selection_curl_download:
        Image|endswith: '/curl'
        CommandLine|contains: 'http://sfrclak.com'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high
high Moderate Medium FP
Axios NPM Compromise Indicators - Windows
Detects the specific Windows execution chain and process tree associated with the Axios NPM supply chain compromise. On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a malicious dependency (plain-crypto-js) that executed a postinstall script as a cross-platform RAT dropper. The dropper contacted a C2 server, delivered platform-specific payloads, deleted itself, and replaced package.json to evade detection. The attack used cscript.exe (VBScript), curl.exe (C2), and PowerShell masquerading as Windows Terminal (wt.exe).
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) ATT&CK sub-technique id f6c27ecc-d890-4452-80e6-2e274a10e097
carbon_black query
((ParentImage:\\node.exe OR ParentImage:\\bun.exe) Image:\\cmd.exe (CommandLine:cscript* CommandLine:AppData\\Local\\Temp* CommandLine:\/\/nologo\ &&\ del* CommandLine:6202033.vbs*)) OR ((Image:\\curl.exe OR Image:\\powershell.exe) CommandLine:http\:\/\/sfrclak.com*) OR (OriginalFileName:PowerShell.EXE CommandLine:\"C\:\\ProgramData\\wt.exe\"\ \-w\ hidden\ \-ep\ bypass\ \-file*)
view Sigma YAML
title: Axios NPM Compromise Indicators - Windows
id: f6c27ecc-d890-4452-80e6-2e274a10e097
status: experimental
description: |
    Detects the specific Windows execution chain and process tree associated with the Axios NPM supply chain compromise.
    On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a malicious dependency (plain-crypto-js) that executed a postinstall script as a cross-platform RAT dropper.
    The dropper contacted a C2 server, delivered platform-specific payloads, deleted itself, and replaced package.json to evade detection.
    The attack used cscript.exe (VBScript), curl.exe (C2), and PowerShell masquerading as Windows Terminal.
references:
    - https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan
    - https://thehackernews.com/2026/03/axios-supply-chain-attack-pushes-cross.html?m=1
    - https://www.derp.ca/research/axios-npm-supply-chain-rat/
    - https://www.elastic.co/security-labs/axios-supply-chain-compromise-detections
    - https://www.virustotal.com/gui/file/e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-04-01
tags:
    - attack.initial-access
    - attack.t1195.002
    - attack.execution
    - attack.command-and-control
    - attack.t1059.003
    - attack.t1059.005
    - attack.t1105
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_cscript:
        ParentImage|endswith:
            - '\node.exe'
            - '\bun.exe'
        Image|endswith: '\cmd.exe'
        CommandLine|contains|all:
            - 'cscript'
            - 'AppData\Local\Temp'
            - '//nologo && del'
            - '6202033.vbs'
    selection_curl:
        Image|endswith:
            - '\curl.exe'
            - '\powershell.exe'
        CommandLine|contains: 'http://sfrclak.com'
    selection_susp_cli:
        OriginalFileName: 'PowerShell.EXE'
        CommandLine|contains: '"C:\ProgramData\wt.exe" -w hidden -ep bypass -file'
    condition: 1 of selection_*
falsepositives:
    - Highly unlikely
level: high
high Moderate Medium FP
Axios NPM Compromise Indicators - macOS
Detects the macOS-specific execution chain of the malicious plain-crypto-js npm dependency pulled in by the compromised Axios npm package, including AppleScript execution via osascript, payload download, permission modification, execution, and cleanup.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) ATT&CK sub-technique id a09ee860-31b3-4586-8a68-0ebd74ce0e5f
carbon_black query
(CommandLine:nohup\ * CommandLine:osascript\ * CommandLine:\/tmp\/6202033*) OR (CommandLine:curl\ * CommandLine:packages.npm.org\/product* CommandLine:\/Library\/Caches\/com.apple.act.mond*) OR (CommandLine:rm\ * CommandLine:\-rf\ * CommandLine:\/tmp\/6202033*)
view Sigma YAML
title: Axios NPM Compromise Indicators - macOS
id: a09ee860-31b3-4586-8a68-0ebd74ce0e5f
status: experimental
description: |
    Detects the macOS-specific execution chain of the malicious plain-crypto-js npm dependency pulled in by the compromised Axios npm package, including AppleScript execution via osascript, payload download, permission modification, execution, and cleanup.
author: Swachchhanda Shrawan Poudel (Nextron Systems)
references:
    - https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan
    - https://www.derp.ca/research/axios-npm-supply-chain-rat/
    - https://www.trendmicro.com/zh_hk/research/26/c/axios-npm-package-compromised.html
    - https://www.elastic.co/security-labs/axios-supply-chain-compromise-detections
    - https://www.virustotal.com/gui/file/e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09
date: 2026-04-01
tags:
    - attack.initial-access
    - attack.t1195.002
    - attack.execution
    - attack.command-and-control
    - attack.t1059.002
    - attack.t1059.004
    - attack.t1105
    - detection.emerging-threats
logsource:
    category: process_creation
    product: macos
detection:
    selection_osascript:
        CommandLine|contains|all:
            - 'nohup '
            - 'osascript '
            - '/tmp/6202033'
    selection_curl_download:
        CommandLine|contains|all:
            - 'curl '
            - 'packages.npm.org/product'
            - '/Library/Caches/com.apple.act.mond'
    selection_cleanup:
        CommandLine|contains|all:
            - 'rm '
            - '-rf '
            - '/tmp/6202033'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high
high Moderate Medium FP
Axios NPM Compromise Malicious C2 Domain DNS Query
Detects DNS queries for the malicious C2 domains associated with the plain-crypto-js/Axios npm package supply chain compromise. On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a malicious dependency (plain-crypto-js) that executed a postinstall script as a cross-platform RAT dropper. This rule flags endpoints attempting to resolve the attacker's C2 domains (sfrclak.com, calltan.com, callnrwise.com) used for command and control communication.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) ATT&CK sub-technique id 73e5d24f-493f-4092-bd2f-c72cabda40ee
carbon_black query
query:sfrclak.com OR query:calltan.com OR query:callnrwise.com
view Sigma YAML
title: Axios NPM Compromise Malicious C2 Domain DNS Query
id: 73e5d24f-493f-4092-bd2f-c72cabda40ee
status: experimental
description: |
    Detects DNS queries for the malicious C2 domains associated with the plain-crypto-js/Axios npm package supply chain compromise.
    On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a malicious dependency (plain-crypto-js) that executed a postinstall script as a cross-platform RAT dropper.
    This rule flags endpoints attempting to resolve the attacker's C2 domains (sfrclak.com, calltan.com, callnrwise.com) used for command and control communication.
references:
    - https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan
    - https://www.derp.ca/research/axios-npm-supply-chain-rat/
    - https://www.trendmicro.com/zh_hk/research/26/c/axios-npm-package-compromised.html
    - https://www.elastic.co/security-labs/axios-supply-chain-compromise-detections
    - https://www.virustotal.com/gui/file/e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09
    - https://www.huntress.com/blog/supply-chain-compromise-axios-npm-package
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-04-01
tags:
    - attack.command-and-control
    - attack.t1071.001
    - attack.t1568
    - detection.emerging-threats
logsource:
    category: dns
detection:
    selection:
        query:
            - 'sfrclak.com'
            - 'calltan.com'
            - 'callnrwise.com'
    condition: selection
falsepositives:
    - Unlikely
level: high
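A plain Sigma field match is an exact, case-insensitive comparison, so `query: 'sfrclak.com'` as written does not cover a lookup for a host underneath that domain. The added example below (not part of the rule or of this page) parses constructed Sysmon Event ID 22 style DNS query lines, normalises the query name (case, trailing dot) and matches the three domains from the rule either exactly or including subdomains; the log lines, timestamps, process IDs and process images are invented sample data.

```python
"""Match DNS query logs against the Axios C2 domains, exact and with subdomains (added example)."""
import re

C2_DOMAINS = ["sfrclak.com", "calltan.com", "callnrwise.com"]   # from the rule above

# Constructed Sysmon Event ID 22 (DnsQuery) lines flattened to one line each; not real telemetry.
SAMPLE_LOG = [
    "UtcTime: 2026-03-31 02:14:05.117 ProcessId: 4120 QueryName: sfrclak.com QueryStatus: 0 Image: C:\\Program Files\\nodejs\\node.exe",
    "UtcTime: 2026-03-31 02:14:06.442 ProcessId: 4120 QueryName: API.CallTan.com. QueryStatus: 0 Image: C:\\Program Files\\nodejs\\node.exe",
    "UtcTime: 2026-03-31 02:15:00.001 ProcessId: 7788 QueryName: notsfrclak.com QueryStatus: 0 Image: C:\\Program Files\\Mozilla Firefox\\firefox.exe",
    "UtcTime: 2026-03-31 02:15:01.900 ProcessId: 4120 QueryName: registry.npmjs.org QueryStatus: 0 Image: C:\\Program Files\\nodejs\\node.exe",
]


def normalize(qname):
    """Lower-case and drop the trailing dot that resolvers sometimes log ('example.com.')."""
    return qname.strip().rstrip(".").lower()


def parse_sysmon_dns(line):
    """Pull QueryName and Image out of a flattened Sysmon DnsQuery line (Image is last, may contain spaces)."""
    qname = re.search(r"QueryName:\s*(\S+)", line)
    image = re.search(r"Image:\s*(.+)$", line)
    return {"query": qname.group(1) if qname else "",
            "image": image.group(1).strip() if image else ""}


def matched_domain(qname, include_subdomains=True):
    """Return the C2 domain a query name hits, or None. The leading '.' stops 'notsfrclak.com' matching."""
    host = normalize(qname)
    for domain in C2_DOMAINS:
        if host == domain or (include_subdomains and host.endswith("." + domain)):
            return domain
    return None


def detect(lines, include_subdomains=True):
    """Return (raw query name, matched domain, querying image) for every hit."""
    hits = []
    for line in lines:
        event = parse_sysmon_dns(line)
        domain = matched_domain(event["query"], include_subdomains)
        if domain:
            hits.append((event["query"], domain, event["image"]))
    return hits


if __name__ == "__main__":
    for query, domain, image in detect(SAMPLE_LOG):
        print(f"{query!r} -> {domain} from {image}")
```

With `include_subdomains=False` only the first line fires, which is the behaviour of the query as rendered; the second line shows what a suffix match adds, and the third shows why the suffix must include the dot.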
high Moderate Medium FP
Azure AD Account Credential Leaked
Indicates that the user's valid credentials have been leaked.
status test author Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' ATT&CK technique id 19128e5e-4743-48dc-bd97-52e5775af817
carbon_black query
riskEventType:leakedCredentials
view Sigma YAML
title: Azure AD Account Credential Leaked
id: 19128e5e-4743-48dc-bd97-52e5775af817
status: test
description: Indicates that the user's valid credentials have been leaked.
references:
    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#leaked-credentials
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
    - attack.t1589
    - attack.reconnaissance
logsource:
    product: azure
    service: riskdetection
detection:
    selection:
        riskEventType: 'leakedCredentials'
    condition: selection
falsepositives:
    - A rare hash collision.
level: high
high Strong Medium FP
Azure AD Threat Intelligence
Indicates user activity that is unusual for the user or consistent with known attack patterns.
status test author Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' ATT&CK technique id a2cb56ff-4f46-437a-a0fa-ffa4d1303cba
carbon_black query
riskEventType:investigationsThreatIntelligence
view Sigma YAML
title: Azure AD Threat Intelligence
id: a2cb56ff-4f46-437a-a0fa-ffa4d1303cba
status: test
description: Indicates user activity that is unusual for the user or consistent with known attack patterns.
references:
    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in
    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-07
tags:
    - attack.stealth
    - attack.t1078
    - attack.persistence
    - attack.privilege-escalation
    - attack.initial-access
logsource:
    product: azure
    service: riskdetection
detection:
    selection:
        riskEventType: 'investigationsThreatIntelligence'
    condition: selection
falsepositives:
    - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high
high Moderate Low FP
Azure Login Bypassing Conditional Access Policies
Detects a successful login to the Microsoft Intune Company Portal, which could allow bypassing Conditional Access Policies and Intune device trust using a tool like TokenSmith.
status experimental author Josh Nickels, Marius Rothenbücher ATT&CK technique id 13f2d3f5-6497-44a7-bf5f-dc13ffafe5dc
carbon_black query
(Operation:UserLoggedIn ApplicationId:9ba1a5c7\-f17a\-4de9\-a1f1\-6178c8d51223 ResultStatus:Success RequestType:Cmsi\:Cmsi) (-ObjectId:0000000a\-0000\-0000\-c000\-000000000000)
view Sigma YAML
title: Azure Login Bypassing Conditional Access Policies
id: 13f2d3f5-6497-44a7-bf5f-dc13ffafe5dc
status: experimental
description: |
    Detects a successful login to the Microsoft Intune Company Portal, which could allow bypassing Conditional Access Policies and Intune device trust using a tool like TokenSmith.
author: Josh Nickels, Marius Rothenbücher
references:
    - https://labs.jumpsec.com/tokensmith-bypassing-intune-compliant-device-conditional-access/
    - https://github.com/JumpsecLabs/TokenSmith
date: 2025-01-08
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.stealth
    - attack.t1078
logsource:
    service: audit
    product: m365
detection:
    selection:
        Operation: 'UserLoggedIn'
        ApplicationId: '9ba1a5c7-f17a-4de9-a1f1-6178c8d51223'
        ResultStatus: 'Success'
        RequestType: 'Cmsi:Cmsi'
    filter_main_objectid:
        ObjectId: '0000000a-0000-0000-c000-000000000000' # Microsoft Intune seen when mobile devices are enrolled
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
high Moderate Medium FP
Azure Subscription Permission Elevation Via ActivityLogs
Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.
status test author Austin Songer @austinsonger ATT&CK sub-technique id 09438caa-07b1-4870-8405-1dbafe3dad95
carbon_black query
operationName:MICROSOFT.AUTHORIZATION\/ELEVATEACCESS\/ACTION
view Sigma YAML
title: Azure Subscription Permission Elevation Via ActivityLogs
id: 09438caa-07b1-4870-8405-1dbafe3dad95
status: test
description: |
    Detects when a user has been elevated to manage all Azure Subscriptions.
    This change should be investigated immediately if it isn't planned.
    This setting could allow an attacker access to Azure subscriptions in your environment.
references:
    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization
author: Austin Songer @austinsonger
date: 2021-11-26
modified: 2022-08-23
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.stealth
    - attack.t1078.004
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        operationName: MICROSOFT.AUTHORIZATION/ELEVATEACCESS/ACTION
    condition: selection
falsepositives:
    - If this was approved by a system administrator.
level: high
high Strong Low FP
Azure Subscription Permission Elevation Via AuditLogs
Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.
status test author Austin Songer @austinsonger ATT&CK technique id ca9bf243-465e-494a-9e54-bf9fc239057d
carbon_black query
Category:Administrative OperationName:Assigns\ the\ caller\ to\ user\ access\ admin
view Sigma YAML
title: Azure Subscription Permission Elevation Via AuditLogs
id: ca9bf243-465e-494a-9e54-bf9fc239057d
status: test
description: |
    Detects when a user has been elevated to manage all Azure Subscriptions.
    This change should be investigated immediately if it isn't planned.
    This setting could allow an attacker access to Azure subscriptions in your environment.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#assignment-and-elevation
author: Austin Songer @austinsonger
date: 2021-11-26
modified: 2022-12-25
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.stealth
    - attack.t1078
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        Category: 'Administrative'
        OperationName: 'Assigns the caller to user access admin'
    condition: selection
falsepositives:
    - If this was approved by System Administrator.
level: high
level: high · quality: Strong · alert volume: Medium FP
BITS Transfer Job Download From Direct IP
Detects a BITS transfer job downloading file(s) from a direct IP address.
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK technique: T1197 · rule id: 90f138c1-f578-4ac3-8c49-eecfd847c8b7
carbon_black query
(EventID:16403 (RemoteName:http\:\/\/1* OR RemoteName:http\:\/\/2* OR RemoteName:http\:\/\/3* OR RemoteName:http\:\/\/4* OR RemoteName:http\:\/\/5* OR RemoteName:http\:\/\/6* OR RemoteName:http\:\/\/7* OR RemoteName:http\:\/\/8* OR RemoteName:http\:\/\/9* OR RemoteName:https\:\/\/1* OR RemoteName:https\:\/\/2* OR RemoteName:https\:\/\/3* OR RemoteName:https\:\/\/4* OR RemoteName:https\:\/\/5* OR RemoteName:https\:\/\/6* OR RemoteName:https\:\/\/7* OR RemoteName:https\:\/\/8* OR RemoteName:https\:\/\/9*)) (-((RemoteName:\:\/\/10.* OR RemoteName:\:\/\/192.168.* OR RemoteName:\:\/\/172.16.* OR RemoteName:\:\/\/172.17.* OR RemoteName:\:\/\/172.18.* OR RemoteName:\:\/\/172.19.* OR RemoteName:\:\/\/172.20.* OR RemoteName:\:\/\/172.21.* OR RemoteName:\:\/\/172.22.* OR RemoteName:\:\/\/172.23.* OR RemoteName:\:\/\/172.24.* OR RemoteName:\:\/\/172.25.* OR RemoteName:\:\/\/172.26.* OR RemoteName:\:\/\/172.27.* OR RemoteName:\:\/\/172.28.* OR RemoteName:\:\/\/172.29.* OR RemoteName:\:\/\/172.30.* OR RemoteName:\:\/\/172.31.* OR RemoteName:\:\/\/127.* OR RemoteName:\:\/\/169.254.*) OR (RemoteName:https\:\/\/7\-* OR RemoteName:http\:\/\/7\-*)))
title: BITS Transfer Job Download From Direct IP
id: 90f138c1-f578-4ac3-8c49-eecfd847c8b7
related:
    - id: 99c840f2-2012-46fd-9141-c761987550ef
      type: similar
status: test
description: Detects a BITS transfer job downloading file(s) from a direct IP address.
references:
    - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
    - https://isc.sans.edu/diary/22264
    - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
    - https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-11
modified: 2023-03-27
tags:
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1197
logsource:
    product: windows
    service: bits-client
detection:
    selection:
        EventID: 16403
        RemoteName|contains:
            - 'http://1'
            - 'http://2'
            - 'http://3'
            - 'http://4'
            - 'http://5'
            - 'http://6'
            - 'http://7'
            - 'http://8'
            - 'http://9'
            - 'https://1'
            - 'https://2'
            - 'https://3'
            - 'https://4'
            - 'https://5'
            - 'https://6'
            - 'https://7'
            - 'https://8'
            - 'https://9'
    filter_optional_local_networks:
        RemoteName|contains:
            - '://10.' # 10.0.0.0/8
            - '://192.168.' # 192.168.0.0/16
            - '://172.16.' # 172.16.0.0/12
            - '://172.17.'
            - '://172.18.'
            - '://172.19.'
            - '://172.20.'
            - '://172.21.'
            - '://172.22.'
            - '://172.23.'
            - '://172.24.'
            - '://172.25.'
            - '://172.26.'
            - '://172.27.'
            - '://172.28.'
            - '://172.29.'
            - '://172.30.'
            - '://172.31.'
            - '://127.' # 127.0.0.0/8
            - '://169.254.' # 169.254.0.0/16
    filter_optional_seven_zip:
        RemoteName|contains:
            # For https://7-zip.org/
            - 'https://7-'
            - 'http://7-'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high