VMware Carbon Black

3,646 rules · Sigma detections in VMware Carbon Black syntax
The same Sigma detection corpus, machine-rendered into VMware Carbon Black query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape: status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; each tier comes with its breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.

Detection rules

Level: high · Quality: Strong · Alert volume: Medium FP
CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy
Detects an exploitation attempt of CVE-2023-4966, a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability, in proxy logs by looking for a very long Host header string.
Status: test · Author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: technique · ID: aee7681f-b53d-4594-a9de-ac51e6ad3362
Carbon Black query:
"cs-method":GET "cs-uri":\/oauth\/idp\/.well\-known\/openid\-configuration* "cs-host":.{150}
Sigma YAML:
title: CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy
id: aee7681f-b53d-4594-a9de-ac51e6ad3362
related:
    - id: 87c83d8e-5390-44ce-aa4a-d3b37e54d0a0 # Webserver Attempt
      type: similar
    - id: ff349b81-617f-4af4-924f-dbe8ea9bab41 # Proxy Attempt
      type: similar
    - id: a4e068b5-e27c-4f21-85b3-e69e5a4f7ce1 # Webserver Exploit
      type: similar
status: test
description: Detects an exploitation attempt of CVE-2023-4966, a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability, in proxy logs by looking for a very long Host header string.
references:
    - https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967
    - https://attackerkb.com/topics/2faW2CxJgQ/cve-2023-4966
    - https://www.rapid7.com/blog/post/2023/10/25/etr-cve-2023-4966-exploitation-of-citrix-netscaler-information-disclosure-vulnerability/
    - https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966
    - https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-11-28
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2023-4966
    - detection.emerging-threats
logsource:
    category: proxy
detection:
    selection:
        cs-method: 'GET'
        cs-uri|contains: '/oauth/idp/.well-known/openid-configuration'
        cs-host|re: '.{150}'
    condition: selection
falsepositives:
    - Vulnerability scanners
level: high
Level: high · Quality: Strong · Alert volume: Medium FP
CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver
Detects an exploitation attempt of CVE-2023-4966, a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability, in webserver logs by looking for a very long Host header string.
Status: test · Author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: technique · ID: a4e068b5-e27c-4f21-85b3-e69e5a4f7ce1
Carbon Black query:
"cs-method":GET "cs-uri-stem":\/oauth\/idp\/.well\-known\/openid\-configuration* "cs-host":.{150}
Sigma YAML:
title: CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver
id: a4e068b5-e27c-4f21-85b3-e69e5a4f7ce1
related:
    - id: 87c83d8e-5390-44ce-aa4a-d3b37e54d0a0 # Webserver Attempt
      type: similar
    - id: ff349b81-617f-4af4-924f-dbe8ea9bab41 # Proxy Attempt
      type: similar
    - id: aee7681f-b53d-4594-a9de-ac51e6ad3362 # Proxy Exploit
      type: similar
status: test
description: Detects an exploitation attempt of CVE-2023-4966, a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability, in webserver logs by looking for a very long Host header string.
references:
    - https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967
    - https://attackerkb.com/topics/2faW2CxJgQ/cve-2023-4966
    - https://www.rapid7.com/blog/post/2023/10/25/etr-cve-2023-4966-exploitation-of-citrix-netscaler-information-disclosure-vulnerability/
    - https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966
    - https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-11-28
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2023-4966
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection:
        cs-method: 'GET'
        cs-uri-stem|contains: '/oauth/idp/.well-known/openid-configuration'
        cs-host|re: '.{150}'
    condition: selection
falsepositives:
    - Vulnerability scanners
level: high
Level: high · Quality: Moderate · Alert volume: High FP
CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection
Detects potential exploitation of CVE-2024-1212, an unauthenticated command injection in Progress Kemp LoadMaster. It looks for GET requests to the '/access/set' API with the parameters 'param=enableapi' and 'value=1', together with an "Authorization" header whose base64-encoded value contains an uncommon character.
Status: test · Author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: tactic-only · ID: eafb8bd5-7605-4bfe-a9ec-0442bc151f15
Carbon Black query:
("cs-method":GET ("cs-uri-stem":\/access\/set* "cs-uri-stem":param=enableapi* "cs-uri-stem":value=1*)) ("Basic\ Jz" OR "Basic\ c7" OR "Basic\ nO" OR "Basic\ ';")
Sigma YAML:
title: CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection
id: eafb8bd5-7605-4bfe-a9ec-0442bc151f15
status: test
description: |
    Detects potential exploitation of CVE-2024-1212, an unauthenticated command injection in Progress Kemp LoadMaster.
    It looks for GET requests to the '/access/set' API with the parameters 'param=enableapi' and 'value=1', together with an "Authorization" header whose base64-encoded value contains an uncommon character.
references:
    - https://github.com/RhinoSecurityLabs/CVEs/blob/15cf4d86c83daa57b59eaa2542a0ed47ad3dc32d/CVE-2024-1212/CVE-2024-1212.py
    - https://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command-injection-in-progress-kemp-loadmaster/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-03-20
tags:
    - attack.initial-access
    - cve.2024-1212
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection_path:
        cs-method: 'GET'
        cs-uri-stem|contains|all:
            - '/access/set'
            - 'param=enableapi'
            - 'value=1'
    selection_keywords:
        - 'Basic Jz'
        - 'Basic c7'
        - 'Basic nO'
        - "Basic ';"
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
Level: high · Quality: Moderate · Alert volume: Medium FP
CVE-2024-49113 Exploitation Attempt - LDAP Nightmare
Detects an exploitation attempt of CVE-2024-49113, known as LDAP Nightmare, based on an "Application Error" log entry where the faulting application is "lsass.exe" and the faulting module is "WLDAP32.dll".
Status: experimental · Author: Samuel Monsempes · ATT&CK mapping: technique · ID: 3f2c93c7-7b2a-4d58-bb8d-6f39422d8148
Carbon Black query:
Provider_Name:Application\ Error EventID:1000 (Data:lsass.exe* Data:WLDAP32.dll*)
Sigma YAML:
title: CVE-2024-49113 Exploitation Attempt - LDAP Nightmare
id: 3f2c93c7-7b2a-4d58-bb8d-6f39422d8148
status: experimental
description: |
    Detects exploitation attempt of CVE-2024-49113 known as LDAP Nightmare, based on "Application Error" log where the faulting application is "lsass.exe" and the faulting module is "WLDAP32.dll".
references:
    - https://gist.github.com/travisbgreen/82b68bac499edbe0b17dcbfa0c5c71b7
    - https://www.linkedin.com/feed/update/urn:li:activity:7282295814792605698/
author: Samuel Monsempes
date: 2025-01-08
tags:
    - attack.impact
    - attack.t1499
    - cve.2024-49113
    - detection.emerging-threats
logsource:
    product: windows
    service: application
    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
    selection:
        Provider_Name: 'Application Error'
        EventID: 1000
        Data|contains|all:
            - 'lsass.exe'
            - 'WLDAP32.dll'
    condition: selection
falsepositives:
    - Unknown
level: high
Level: high · Quality: Moderate · Alert volume: Medium FP
CVE-2024-50623 Exploitation Attempt - Cleo
Detects an exploitation attempt of Cleo's CVE-2024-50623 by looking for a "cmd.exe" process spawned by the Cleo software suite with a suspicious PowerShell command line.
Status: experimental · Author: Tanner Filip, Austin Worline, Chad Hudson, Matt Anderson · ATT&CK mapping: technique · ID: f007b877-02e3-45b7-8501-1b78c2864029
Carbon Black query:
ParentImage:\\javaw.exe (ParentCommandLine:Harmony* OR ParentCommandLine:lexicom* OR ParentCommandLine:VersaLex* OR ParentCommandLine:VLTrader*) Image:\\cmd.exe (CommandLine:powershell* OR CommandLine:\ \-enc\ * OR CommandLine:\ \-EncodedCommand* OR CommandLine:.Download*)
Sigma YAML:
title: CVE-2024-50623 Exploitation Attempt - Cleo
id: f007b877-02e3-45b7-8501-1b78c2864029
status: experimental
description: |
    Detects an exploitation attempt of Cleo's CVE-2024-50623 by looking for a "cmd.exe" process spawned by the Cleo software suite with a suspicious PowerShell command line.
references:
    - https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild
author: Tanner Filip, Austin Worline, Chad Hudson, Matt Anderson
date: 2024-12-09
tags:
    - attack.initial-access
    - attack.execution
    - attack.t1190
    - cve.2024-50623
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\javaw.exe'
        ParentCommandLine|contains:
            - 'Harmony'
            - 'lexicom'
            - 'VersaLex'
            - 'VLTrader'
        Image|endswith: '\cmd.exe'
        CommandLine|contains:
            - 'powershell'
            - ' -enc '
            - ' -EncodedCommand'
            - '.Download'
    condition: selection
falsepositives:
    - Unlikely
level: high
Level: high · Quality: Strong · Alert volume: Medium FP
Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths
Detects the execution of the "wusa.exe" (Windows Update Standalone Installer) utility to extract ".cab" files using the "/extract" argument from potentially suspicious paths.
Status: test · Author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: tactic-only · ID: c74c0390-3e20-41fd-a69a-128f0275a5ea
Carbon Black query:
(Image:\\wusa.exe CommandLine:\/extract\:*) (CommandLine:\:\\PerfLogs\\* OR CommandLine:\:\\Users\\Public\\* OR CommandLine:\:\\Windows\\Temp\\* OR CommandLine:\\Appdata\\Local\\Temp\\*)
Sigma YAML:
title: Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths
id: c74c0390-3e20-41fd-a69a-128f0275a5ea
related:
    - id: 59b39960-5f9d-4a49-9cef-1e4d2c1d0cb9
      type: derived
status: test
description: |
    Detects the execution of the "wusa.exe" (Windows Update Standalone Installer) utility to extract ".cab" files using the "/extract" argument from potentially suspicious paths.
references:
    - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
    - https://www.echotrail.io/insights/search/wusa.exe/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-05
modified: 2023-11-28
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_root:
        Image|endswith: '\wusa.exe'
        CommandLine|contains: '/extract:'
    selection_paths:
        CommandLine|contains:
            - ':\PerfLogs\'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\Appdata\Local\Temp\'
            # - '\Desktop\'
            # - '\Downloads\'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
Level: high · Quality: Moderate · Alert volume: Medium FP
Capsh Shell Invocation - Linux
Detects the use of the "capsh" utility to invoke a shell.
Status: test · Author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.) · ATT&CK mapping: technique · ID: db1ac3be-f606-4e3a-89e0-9607cbe6b98a
Carbon Black query:
Image:\/capsh CommandLine:\ \-\-
Sigma YAML:
title: Capsh Shell Invocation - Linux
id: db1ac3be-f606-4e3a-89e0-9607cbe6b98a
status: test
description: |
    Detects the use of the "capsh" utility to invoke a shell.
references:
    - https://gtfobins.github.io/gtfobins/capsh/#shell
    - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/capsh'
        CommandLine|endswith: ' --'
    condition: selection
falsepositives:
    - Unknown
level: high
Level: high · Quality: Moderate · Alert volume: High FP
Chafer Malware URL Pattern
Detects the HTTP request used by Chafer malware to receive data from its C2.
Status: test · Author: Florian Roth (Nextron Systems) · ATT&CK mapping: sub-technique · ID: fb502828-2db0-438e-93e6-801c7548686d
Carbon Black query:
"c-uri":\/asp.asp?ui=*
Sigma YAML:
title: Chafer Malware URL Pattern
id: fb502828-2db0-438e-93e6-801c7548686d
status: test
description: Detects HTTP request used by Chafer malware to receive data from its C2.
references:
    - https://securelist.com/chafer-used-remexi-malware/89538/
author: Florian Roth (Nextron Systems)
date: 2019-01-31
modified: 2024-02-15
tags:
    - attack.command-and-control
    - attack.t1071.001
    - detection.emerging-threats
logsource:
    category: proxy
detection:
    selection:
        c-uri|contains: '/asp.asp\?ui='
    condition: selection
falsepositives:
    - Unknown
level: high
Level: high · Quality: Moderate · Alert volume: Medium FP
Change Default File Association To Executable Via Assoc
Detects when a program changes the default file association of any extension to an executable. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access, or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with that extension is opened.
Status: test · Author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: sub-technique · ID: ae6f14e6-14de-45b0-9f44-c0986f50dc89
Carbon Black query:
((Image:\\cmd.exe OR OriginalFileName:Cmd.Exe) (CommandLine:assoc\ * CommandLine:exefile*)) (-CommandLine:.exe=exefile*)
Sigma YAML:
title: Change Default File Association To Executable Via Assoc
id: ae6f14e6-14de-45b0-9f44-c0986f50dc89
related:
    - id: 3d3aa6cd-6272-44d6-8afc-7e88dfef7061
      type: derived
status: test
description: |
    Detects when a program changes the default file association of any extension to an executable.
    When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/assoc
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-28
modified: 2023-03-06
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_cli:
        CommandLine|contains|all:
            - 'assoc '
            - 'exefile'
    filter:
        CommandLine|contains: '.exe=exefile'
    condition: all of selection_* and not filter
falsepositives:
    - Unknown
level: high
Level: high · Quality: Moderate · Alert volume: Medium FP
Change User Account Associated with the FAX Service
Detects a change of the user account associated with the FAX service, which can be abused for privilege escalation.
Status: test · Author: frack113 · ATT&CK mapping: technique · ID: e3fdf743-f05b-4051-990a-b66919be1743
Carbon Black query:
TargetObject:HKLM\\System\\CurrentControlSet\\Services\\Fax\\ObjectName (-Details:NetworkService*)
Sigma YAML:
title: Change User Account Associated with the FAX Service
id: e3fdf743-f05b-4051-990a-b66919be1743
status: test
description: Detects a change of the user account associated with the FAX service, which can be abused for privilege escalation.
references:
    - https://twitter.com/dottor_morte/status/1544652325570191361
    - https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf
author: frack113
date: 2022-07-17
modified: 2022-12-30
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject: HKLM\System\CurrentControlSet\Services\Fax\ObjectName
    filter:
        Details|contains: NetworkService
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
Level: high · Quality: Strong · Alert volume: Medium FP
Change Winevt Channel Access Permission Via Registry
Detects tampering with the "ChannelAccess" registry key in order to change the access permissions of a Windows event channel.
Status: test · Author: frack113 · ATT&CK mapping: sub-technique · ID: 7d9263bd-dc47-4a58-bc92-5474abab390c
Carbon Black query:
(TargetObject:\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\* TargetObject:\\ChannelAccess (Details:\(A;;0x1;;;LA\)* OR Details:\(A;;0x1;;;SY\)* OR Details:\(A;;0x5;;;BA\)*)) (-(Image:C\:\\Windows\\servicing\\TrustedInstaller.exe OR (Image:C\:\\Windows\\WinSxS\\* Image:\\TiWorker.exe)))
Sigma YAML:
title: Change Winevt Channel Access Permission Via Registry
id: 7d9263bd-dc47-4a58-bc92-5474abab390c
status: test
description: Detects tampering with the "ChannelAccess" registry key in order to change the access permissions of a Windows event channel.
references:
    - https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/
    - https://learn.microsoft.com/en-us/windows/win32/api/winevt/
    - https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/
author: frack113
date: 2022-09-17
modified: 2024-03-25
tags:
    - attack.defense-impairment
    - attack.t1685.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\'
        TargetObject|endswith: '\ChannelAccess'
        # Add more interesting combinations if you find them
        Details|contains:
            - '(A;;0x1;;;LA)' # Local administrator having GENERIC ALL
            - '(A;;0x1;;;SY)' # Local System having GENERIC ALL
            - '(A;;0x5;;;BA)' # Built-in administrators having GENERIC ALL and GENERIC WRITE
    filter_main_trustedinstaller:
        Image: 'C:\Windows\servicing\TrustedInstaller.exe'
    filter_main_tiworker:
        Image|startswith: 'C:\Windows\WinSxS\'
        Image|endswith: '\TiWorker.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
Level: high · Quality: Moderate · Alert volume: Medium FP
Change the Fax Dll
Detects possible persistence via a replaced Fax DLL, which is loaded when the Fax service restarts.
Status: test · Author: frack113 · ATT&CK mapping: technique · ID: 9e3357ba-09d4-4fbd-a7c5-ad6386314513
Carbon Black query:
(TargetObject:\\Software\\Microsoft\\Fax\\Device\ Providers\\* TargetObject:\\ImageName*) (-Details:%systemroot%\\system32\\fxst30.dll)
Sigma YAML:
title: Change the Fax Dll
id: 9e3357ba-09d4-4fbd-a7c5-ad6386314513
status: test
description: Detects possible persistence via a replaced Fax DLL, which is loaded when the Fax service restarts.
references:
    - https://twitter.com/dottor_morte/status/1544652325570191361
    - https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf
author: frack113
date: 2022-07-17
modified: 2022-12-30
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains|all:
            - '\Software\Microsoft\Fax\Device Providers\'
            - '\ImageName'
    filter:
        Details: '%systemroot%\system32\fxst30.dll' # Windows 10
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
Level: high · Quality: Moderate · Alert volume: Medium FP
Changes To PIM Settings
Detects when changes are made to PIM roles.
Status: test · Author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' · ATT&CK mapping: sub-technique · ID: db6c06c4-bf3b-421c-aa88-15672b88c743
Carbon Black query:
"properties.message":Update\ role\ setting\ in\ PIM
Sigma YAML:
title: Changes To PIM Settings
id: db6c06c4-bf3b-421c-aa88-15672b88c743
status: test
description: Detects when changes are made to PIM roles
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment
author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
date: 2022-08-09
tags:
    - attack.initial-access
    - attack.privilege-escalation
    - attack.persistence
    - attack.stealth
    - attack.t1078.004
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        properties.message: Update role setting in PIM
    condition: selection
falsepositives:
    - Legit administrative PIM setting configuration changes
level: high
Level: high · Quality: Moderate · Alert volume: Low FP
Changes to Device Registration Policy
Monitor and alert for changes to the device registration policy.
Status: test · Author: Michael Epping, '@mepples21' · ATT&CK mapping: technique · ID: 9494bff8-959f-4440-bbce-fb87a208d517
Carbon Black query:
Category:Policy ActivityDisplayName:Set\ device\ registration\ policies
Sigma YAML:
title: Changes to Device Registration Policy
id: 9494bff8-959f-4440-bbce-fb87a208d517
status: test
description: Monitor and alert for changes to the device registration policy.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#device-registrations-and-joins-outside-policy
author: Michael Epping, '@mepples21'
date: 2022-06-28
tags:
    - attack.privilege-escalation
    - attack.defense-impairment
    - attack.t1484
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        Category: 'Policy'
        ActivityDisplayName: 'Set device registration policies'
    condition: selection
falsepositives:
    - Unknown
level: high
Level: high · Quality: Moderate · Alert volume: High FP
Chopper Webshell Process Pattern
Detects patterns found in process executions caused by China Chopper-like tiny (ASPX) webshells.
Status: test · Author: Florian Roth (Nextron Systems), MSTI (query) · ATT&CK mapping: sub-technique · ID: fa3c117a-bc0d-416e-a31b-0c0e80653efb
Carbon Black query:
(Image:\\w3wp.exe OR ParentImage:\\w3wp.exe) (CommandLine:&ipconfig&echo* OR CommandLine:&quser&echo* OR CommandLine:&whoami&echo* OR CommandLine:&c\:&echo* OR CommandLine:&cd&echo* OR CommandLine:&dir&echo* OR CommandLine:&echo\ \[E\]* OR CommandLine:&echo\ \[S\]*)
Sigma YAML:
title: Chopper Webshell Process Pattern
id: fa3c117a-bc0d-416e-a31b-0c0e80653efb
status: test
description: Detects patterns found in process executions caused by China Chopper-like tiny (ASPX) webshells.
references:
    - https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
author: Florian Roth (Nextron Systems), MSTI (query)
date: 2022-10-01
tags:
    - attack.persistence
    - attack.discovery
    - attack.t1505.003
    - attack.t1018
    - attack.t1033
    - attack.t1087
logsource:
    category: process_creation
    product: windows
detection:
    selection_origin:
        - Image|endswith: '\w3wp.exe'
        - ParentImage|endswith: '\w3wp.exe'
    selection_cmdline:
        CommandLine|contains:
            - '&ipconfig&echo'
            - '&quser&echo'
            - '&whoami&echo'
            - '&c:&echo'
            - '&cd&echo'
            - '&dir&echo'
            - '&echo [E]'
            - '&echo [S]'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
Level: high · Quality: Strong · Alert volume: Medium FP
ChromeLoader Malware Execution
Detects execution of ChromeLoader malware via a registered scheduled task.
Status: test · Author: @kostastsale · ATT&CK mapping: sub-technique · ID: 0a74c5a9-1b71-4475-9af2-7829d320d5c2
Carbon Black query:
ParentImage:\\powershell.exe ParentCommandLine:\-ExecutionPolicy\ Bypass\ \-WindowStyle\ Hidden\ \-E\ JAB* CommandLine:\-\-load\-extension=\"*\\Appdata\\local\\chrome\"* Image:\\chrome.exe
Sigma YAML:
title: ChromeLoader Malware Execution
id: 0a74c5a9-1b71-4475-9af2-7829d320d5c2
status: test
description: Detects execution of ChromeLoader malware via a registered scheduled task
references:
    - https://github.com/xephora/Threat-Remediation-Scripts/tree/main/Threat-Track/CS_INSTALLER
    - https://twitter.com/th3_protoCOL/status/1480621526764322817
    - https://twitter.com/Kostastsale/status/1480716528421011458
    - https://www.virustotal.com/gui/file/ded20df574b843aaa3c8e977c2040e1498ae17c12924a19868df5b12dee6dfdd
author: '@kostastsale'
date: 2022-01-10
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1053.005
    - attack.t1059.001
    - attack.t1176
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\powershell.exe'
        ParentCommandLine|contains: '-ExecutionPolicy Bypass -WindowStyle Hidden -E JAB'
        CommandLine|contains: '--load-extension="*\Appdata\local\chrome"'
        Image|endswith: '\chrome.exe'
    condition: selection
falsepositives:
    - Unlikely
level: high
Level: high · Quality: Strong · Alert volume: Medium FP
Chromium Browser Headless Execution To Mockbin Like Site
Detects the execution of a Chromium-based browser process with the "headless" flag and a URL pointing to the mockbin.org service (which can be used to exfiltrate data).
Status: test · Author: X__Junior (Nextron Systems) · ATT&CK mapping: tactic-only · ID: 1c526788-0abe-4713-862f-b520da5e5316
Carbon Black query:
(Image:\\brave.exe OR Image:\\chrome.exe OR Image:\\msedge.exe OR Image:\\opera.exe OR Image:\\vivaldi.exe) CommandLine:\-\-headless* (CommandLine:\:\/\/run.mocky* OR CommandLine:\:\/\/mockbin*)
Sigma YAML:
title: Chromium Browser Headless Execution To Mockbin Like Site
id: 1c526788-0abe-4713-862f-b520da5e5316
status: test
description: Detects the execution of a Chromium based browser process with the "headless" flag and a URL pointing to the mockbin.org service (which can be used to exfiltrate data).
references:
    - https://www.zscaler.com/blogs/security-research/steal-it-campaign
author: X__Junior (Nextron Systems)
date: 2023-09-11
tags:
    - attack.execution
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        Image|endswith:
            - '\brave.exe'
            - '\chrome.exe'
            - '\msedge.exe'
            - '\opera.exe'
            - '\vivaldi.exe'
    selection_headless:
        CommandLine|contains: '--headless'
    selection_url:
        CommandLine|contains:
            - '://run.mocky'
            - '://mockbin'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse/info.yml
Level: high · Quality: Moderate · Alert volume: Medium FP
Cisco ASA Exploitation Activity - Proxy
Detects suspicious requests to Cisco ASA WebVPN via proxy logs associated with CVE-2025-20333 and CVE-2025-20362 exploitation.
Status: experimental · Author: Swachchhanda Shrawan Poudel (Nextron Systems) · ATT&CK mapping: technique · ID: 15697955-6a29-47ca-92e9-0e05efae3260
Carbon Black query:
"cs-method":GET ("cs-uri-stem":\/\+CSCOU\+\/MacTunnelStart.jar OR "cs-uri-stem":\/\+CSCOL\+\/csvrloader64.cab OR "cs-uri-stem":\/\+CSCOL\+\/csvrloader.jar)
Sigma YAML:
title: Cisco ASA Exploitation Activity - Proxy
id: 15697955-6a29-47ca-92e9-0e05efae3260
status: experimental
description: |
    Detects suspicious requests to Cisco ASA WebVpn via proxy logs associated with CVE-2025-20333 and CVE-2025-20362 exploitation.
references:
    - https://x.com/defusedcyber/status/1971492272966598683
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-20
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2025-20333
    - cve.2025-20362
    - detection.emerging-threats
logsource:
    category: proxy
detection:
    selection:
        cs-method: 'GET'
        cs-uri-stem:
            - '/+CSCOU+/MacTunnelStart.jar'
            - '/+CSCOL+/csvrloader64.cab'
            - '/+CSCOL+/csvrloader.jar'
    condition: selection
falsepositives:
    - Unknown
level: high
Level: high · Quality: Moderate · Alert volume: Medium FP
Cisco ASA FTD Exploit CVE-2020-3452
Detects exploitation attempts on Cisco ASA FTD systems exploiting CVE-2020-3452 with a status code of 200 (successful exploitation).
Status: test · Author: Florian Roth (Nextron Systems) · ATT&CK mapping: technique · ID: aba47adc-4847-4970-95c1-61dce62a8b29
Carbon Black query:
("cs-uri-query":\+CSCOT\+\/translation\-table* OR "cs-uri-query":\+CSCOT\+\/oem\-customization*) ("cs-uri-query":&textdomain=\/* OR "cs-uri-query":&textdomain=%* OR "cs-uri-query":&name=\/* OR "cs-uri-query":&name=%*) "sc-status":200
Sigma YAML:
title: Cisco ASA FTD Exploit CVE-2020-3452
id: aba47adc-4847-4970-95c1-61dce62a8b29
status: test
description: Detects exploitation attempts on Cisco ASA FTD systems exploiting CVE-2020-3452 with a status code of 200 (successful exploitation)
references:
    - https://twitter.com/aboul3la/status/1286012324722155525
    - https://github.com/darklotuskdb/CISCO-CVE-2020-3452-Scanner-Exploiter
author: Florian Roth (Nextron Systems)
date: 2021-01-07
modified: 2023-01-02
tags:
    - attack.t1190
    - attack.initial-access
    - cve.2020-3452
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection_endpoint:
        cs-uri-query|contains:
            - '+CSCOT+/translation-table'
            - '+CSCOT+/oem-customization'
    selection_path_select:
        cs-uri-query|contains:
            - '&textdomain=/'
            - '&textdomain=%'
            - '&name=/'
            - '&name=%'
    select_status_code:
        sc-status: 200
    condition: selection_endpoint and selection_path_select and select_status_code
falsepositives:
    - Unknown
level: high
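The rule above, run over a few constructed webserver records so that each of its three selections can be seen biting. This is an added example, not code from the page or from the Sigma project; the rows are made up, and the field names follow the rule's own W3C-style naming.

```python
"""Run the CVE-2020-3452 rule above over constructed webserver records."""

# Constructed sample rows, not real traffic:
# (c-ip, cs-method, cs-uri-stem, cs-uri-query, sc-status)
SAMPLE_LOG = [
    # traversal attempt via textdomain=/ that the appliance answered with 200
    ("203.0.113.7", "GET", "/+CSCOT+/translation-table",
     "type=mst&textdomain=/traversal-test&default-language&lang=../", 200),
    # same technique via name=% against a patched appliance: 404, so not "successful"
    ("203.0.113.7", "GET", "/+CSCOT+/oem-customization",
     "app=AnyConnect&type=oem&platform=..&resource-type=..&name=%2btraversal-test", 404),
    # legitimate translation-table fetch: textdomain is a plain token
    ("198.51.100.4", "GET", "/+CSCOT+/translation-table",
     "type=mst&textdomain=AnyConnect&default-language&lang=en", 200),
    # unrelated request
    ("198.51.100.4", "GET", "/index.html", "", 200),
]

# The rule's literals, lower-cased because Sigma string matching is case-insensitive
ENDPOINTS = ("+cscot+/translation-table", "+cscot+/oem-customization")
PATH_SELECT = ("&textdomain=/", "&textdomain=%", "&name=/", "&name=%")


def to_record(c_ip, method, stem, query, status):
    """Map a W3C-style row onto the field names the rule uses.

    The rule looks for the endpoint path inside cs-uri-query, i.e. it assumes
    that field carries the full request target. IIS and many proxies log stem
    and query separately, so the full target is rebuilt here; without this
    schema adaptation selection_endpoint can never match.
    """
    target = stem + ("?" + query if query else "")
    return {"c-ip": c_ip, "cs-method": method,
            "cs-uri-query": target, "sc-status": status}


def contains_any(value, needles):
    value = value.lower()
    return any(n in value for n in needles)


def rule_matches(record, require_success=True):
    """condition: selection_endpoint and selection_path_select and select_status_code"""
    query = record["cs-uri-query"]
    if not (contains_any(query, ENDPOINTS) and contains_any(query, PATH_SELECT)):
        return False
    # select_status_code: the rule as written only fires on HTTP 200, so blocked
    # or failed attempts stay invisible; require_success=False drops that clause
    return record["sc-status"] == 200 or not require_success


def matching_rows(rows=SAMPLE_LOG, require_success=True):
    """Indices of the rows the rule would alert on."""
    return [i for i, row in enumerate(rows)
            if rule_matches(to_record(*row), require_success)]


if __name__ == "__main__":
    print("rule as written (200 only):", matching_rows())
    print("without the status clause:  ", matching_rows(require_success=False))
```

Two things to settle before deploying: the endpoint literals are matched against cs-uri-query, so that field has to carry the full request target (hence the rebuild in to_record), and the sc-status clause means the rule only reports exploitation the appliance actually served; a copy without that clause at a lower level catches the scanning that precedes it.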
level: high · quality: Moderate · alert volume: Medium FP
Cisco Clear Logs
Detects commands that clear the logging buffer or the configuration change log (command history) on Cisco network devices, used for defense evasion
status: test · author: Austin Clark · ATT&CK mapping: sub-technique · rule id: ceb407f6-8277-439b-951f-e4210e3ed956
carbon_black query
"clear\ logging" OR "clear\ archive"
view Sigma YAML
title: Cisco Clear Logs
id: ceb407f6-8277-439b-951f-e4210e3ed956
status: test
description: Detects commands that clear the logging buffer or the configuration change log (command history) on Cisco network devices, used for defense evasion
references:
    - https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/command/reference/sysmgmt/n5k-sysmgmt-cr/n5k-sm_cmds_c.html
    - https://www.cisco.com/c/en/us/td/docs/ios/12_2sr/12_2sra/feature/guide/srmgtint.html#wp1127609
author: Austin Clark
date: 2019-08-12
modified: 2023-05-26
tags:
    - attack.stealth
    - attack.t1070.003
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        - 'clear logging'
        - 'clear archive'
    condition: keywords
falsepositives:
    - Legitimate administrators may run these commands
level: high
level: high · quality: Moderate · alert volume: Medium FP
Cisco Crypto Commands
Detects when private keys are exported from or imported into the device, or when a new certificate trustpoint is configured
status: test · author: Austin Clark · ATT&CK mapping: sub-technique · rule id: 1f978c6a-4415-47fb-aca5-736a44d7ca3d
carbon_black query
"crypto\ pki\ export" OR "crypto\ pki\ import" OR "crypto\ pki\ trustpoint"
view Sigma YAML
title: Cisco Crypto Commands
id: 1f978c6a-4415-47fb-aca5-736a44d7ca3d
status: test
description: Detects when private keys are exported from or imported into the device, or when a new certificate trustpoint is configured
references:
    - https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-a1-cr-book_chapter_0111.html
author: Austin Clark
date: 2019-08-12
modified: 2023-01-04
tags:
    - attack.credential-access
    - attack.defense-impairment
    - attack.t1553.004
    - attack.t1552.004
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        - 'crypto pki export'
        - 'crypto pki import'
        - 'crypto pki trustpoint'
    condition: keywords
falsepositives:
    - Not commonly run by administrators. Also whitelist your known good certificates
level: high
level: high · quality: Moderate · alert volume: Medium FP
Cisco Disabling Logging
Detects commands that turn off local or remote logging (no logging) or disable AAA (no aaa new-model)
status: test · author: Austin Clark · ATT&CK mapping: technique · rule id: 9e8f6035-88bf-4a63-96b6-b17c0508257e
carbon_black query
"no\ logging" OR "no\ aaa\ new\-model"
view Sigma YAML
title: Cisco Disabling Logging
id: 9e8f6035-88bf-4a63-96b6-b17c0508257e
status: test
description: Detects commands that turn off local or remote logging (no logging) or disable AAA (no aaa new-model)
references:
    - https://www.cisco.com/en/US/docs/ios/security/command/reference/sec_a2.pdf
author: Austin Clark
date: 2019-08-11
modified: 2023-01-04
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        - 'no logging'
        - 'no aaa new-model'
    condition: keywords
falsepositives:
    - Unknown
level: high
level: high · quality: Moderate · alert volume: Medium FP
Cisco Local Accounts
Detects local accounts being created or modified, as well as changes to the remote (AAA) authentication configuration
status: test · author: Austin Clark · ATT&CK mapping: sub-technique · rule id: 6d844f0f-1c18-41af-8f19-33e7654edfc3
carbon_black query
"username" OR "aaa"
view Sigma YAML
title: Cisco Local Accounts
id: 6d844f0f-1c18-41af-8f19-33e7654edfc3
status: test
description: Detects local accounts being created or modified, as well as changes to the remote (AAA) authentication configuration
author: Austin Clark
date: 2019-08-12
modified: 2023-01-04
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1136.001
    - attack.t1098
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        - 'username'
        - 'aaa'
    condition: keywords
falsepositives:
    - When remote authentication is in place, this should not change often
level: high
level: high · quality: Strong · alert volume: Medium FP
Clearing Windows Console History
Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.
status: test · author: Austin Songer @austinsonger · ATT&CK mapping: sub-technique · rule id: bde47d4b-9987-405c-94c7-b080410e8ea7
carbon_black query
ScriptBlockText:Clear\-History* OR ((ScriptBlockText:Remove\-Item* OR ScriptBlockText:rm*) (ScriptBlockText:ConsoleHost_history.txt* OR ScriptBlockText:\(Get\-PSReadlineOption\).HistorySavePath*))
view Sigma YAML
title: Clearing Windows Console History
id: bde47d4b-9987-405c-94c7-b080410e8ea7
status: test
description: Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.
references:
    - https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/
    - https://www.shellhacks.com/clear-history-powershell/
    - https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics
author: Austin Songer @austinsonger
date: 2021-11-25
modified: 2022-12-25
tags:
    - attack.stealth
    - attack.t1070
    - attack.t1070.003
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection1:
        ScriptBlockText|contains: Clear-History
    selection2a:
        ScriptBlockText|contains:
            - Remove-Item
            - rm
    selection2b:
        ScriptBlockText|contains:
            - ConsoleHost_history.txt
            - (Get-PSReadlineOption).HistorySavePath
    condition: selection1 or selection2a and selection2b
falsepositives:
    - Unknown
level: high
level: high · quality: Strong · alert volume: Medium FP
Cmd.EXE Missing Space Characters Execution Anomaly
Detects Windows command lines that are missing a space before or after the /c (or /k, /r) switch when running a command via cmd.exe. This could be a sign of obfuscation or of a fat-finger problem (a typo by the developer).
status: test · author: Florian Roth (Nextron Systems) · ATT&CK mapping: sub-technique · rule id: a16980c2-0c56-4de0-9a79-17971979efdd
carbon_black query
((CommandLine:cmd.exe\/c* OR CommandLine:\\cmd\/c* OR CommandLine:\"cmd\/c* OR CommandLine:cmd.exe\/k* OR CommandLine:\\cmd\/k* OR CommandLine:\"cmd\/k* OR CommandLine:cmd.exe\/r* OR CommandLine:\\cmd\/r* OR CommandLine:\"cmd\/r*) OR (CommandLine:\/cwhoami* OR CommandLine:\/cpowershell* OR CommandLine:\/cschtasks* OR CommandLine:\/cbitsadmin* OR CommandLine:\/ccertutil* OR CommandLine:\/kwhoami* OR CommandLine:\/kpowershell* OR CommandLine:\/kschtasks* OR CommandLine:\/kbitsadmin* OR CommandLine:\/kcertutil*) OR (CommandLine:cmd.exe\ \/c* OR CommandLine:cmd\ \/c* OR CommandLine:cmd.exe\ \/k* OR CommandLine:cmd\ \/k* OR CommandLine:cmd.exe\ \/r* OR CommandLine:cmd\ \/r*)) (-((CommandLine:cmd.exe\ \/c\ * OR CommandLine:cmd\ \/c\ * OR CommandLine:cmd.exe\ \/k\ * OR CommandLine:cmd\ \/k\ * OR CommandLine:cmd.exe\ \/r\ * OR CommandLine:cmd\ \/r\ *) OR (CommandLine:AppData\\Local\\Programs\\Microsoft\ VS\ Code\\resources\\app\\node_modules* OR CommandLine:cmd.exe\/c\ . OR CommandLine:cmd.exe\ \/c OR CommandLine:cmd\ \/c)))
view Sigma YAML
title: Cmd.EXE Missing Space Characters Execution Anomaly
id: a16980c2-0c56-4de0-9a79-17971979efdd
status: test
description: |
    Detects Windows command lines that are missing a space before or after the /c (or /k, /r) switch when running a command via cmd.exe.
    This could be a sign of obfuscation or of a fat-finger problem (a typo by the developer).
references:
    - https://twitter.com/cyb3rops/status/1562072617552678912
    - https://ss64.com/nt/cmd.html
author: Florian Roth (Nextron Systems)
date: 2022-08-23
modified: 2026-05-13
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection1:  # missing space before the /c
        CommandLine|contains:
            - 'cmd.exe/c'
            - '\cmd/c'  # just cmd/c would be prone to false positives
            - '"cmd/c'
            - 'cmd.exe/k'
            - '\cmd/k'  # just cmd/k would be prone to false positives
            - '"cmd/k'
            - 'cmd.exe/r'
            - '\cmd/r'  # just cmd/r would be prone to false positives
            - '"cmd/r'
    selection2: # special cases verified via Virustotal Enterprise search
        CommandLine|contains:
            - '/cwhoami'
            - '/cpowershell'
            - '/cschtasks'
            - '/cbitsadmin'
            - '/ccertutil'
            - '/kwhoami'
            - '/kpowershell'
            - '/kschtasks'
            - '/kbitsadmin'
            - '/kcertutil'
    selection3:  # missing space after the /c
        CommandLine|contains:
            - 'cmd.exe /c'
            - 'cmd /c'
            - 'cmd.exe /k'
            - 'cmd /k'
            - 'cmd.exe /r'
            - 'cmd /r'
    filter_generic:
        CommandLine|contains:
            - 'cmd.exe /c '
            - 'cmd /c '
            - 'cmd.exe /k '
            - 'cmd /k '
            - 'cmd.exe /r '
            - 'cmd /r '
    filter_fp:
        - CommandLine|contains: 'AppData\Local\Programs\Microsoft VS Code\resources\app\node_modules'
        - CommandLine|endswith: 'cmd.exe/c .'
        - CommandLine: 'cmd.exe /c'
        - CommandLine: 'cmd /c'
    condition: 1 of selection* and not 1 of filter_*
falsepositives:
    - Legitimate use of cmd.exe with no arguments e.g. via system("") in C to enable ANSI escape codes
level: high
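The condition `1 of selection* and not 1 of filter_*` is easy to misread in this rule: selection3 (`cmd /c`) matches almost every cmd invocation, and it is filter_generic (`cmd /c ` with a trailing space) that removes the properly spaced ones, so the net effect is "switch immediately followed by a non-space character", with filter_fp catching the no-argument and VS Code cases. The following is an added example, not code from the page or from the Sigma project, that reimplements that condition over constructed command lines (the samples are made up; the VS Code path exists only to exercise filter_fp).

```python
"""Evaluate the Cmd.EXE missing-space rule above against constructed command lines."""

# The rule's literals, lower-cased because Sigma string matching is case-insensitive
SELECTION1 = ('cmd.exe/c', '\\cmd/c', '"cmd/c', 'cmd.exe/k', '\\cmd/k', '"cmd/k',
              'cmd.exe/r', '\\cmd/r', '"cmd/r')                 # no space before the switch
SELECTION2 = ('/cwhoami', '/cpowershell', '/cschtasks', '/cbitsadmin', '/ccertutil',
              '/kwhoami', '/kpowershell', '/kschtasks', '/kbitsadmin', '/kcertutil')
SELECTION3 = ('cmd.exe /c', 'cmd /c', 'cmd.exe /k', 'cmd /k', 'cmd.exe /r', 'cmd /r')
FILTER_GENERIC = tuple(s + ' ' for s in SELECTION3)          # the normal "cmd /c <arg>" shape
FILTER_FP_CONTAINS = ('appdata\\local\\programs\\microsoft vs code\\resources\\app\\node_modules',)
FILTER_FP_ENDSWITH = ('cmd.exe/c .',)
FILTER_FP_EXACT = ('cmd.exe /c', 'cmd /c')


def contains_any(value, needles):
    return any(n in value for n in needles)


def rule_matches(command_line):
    """condition: 1 of selection* and not 1 of filter_*"""
    cl = command_line.lower()
    selected = (contains_any(cl, SELECTION1)
                or contains_any(cl, SELECTION2)
                or contains_any(cl, SELECTION3))
    filtered = (contains_any(cl, FILTER_GENERIC)
                or contains_any(cl, FILTER_FP_CONTAINS)
                or cl.endswith(FILTER_FP_ENDSWITH)
                or cl in FILTER_FP_EXACT)
    return selected and not filtered


# Constructed command lines (not real telemetry) with the verdict the rule should give
SAMPLES = [
    ('C:\\Windows\\System32\\cmd.exe/c whoami', True),           # no space before /c
    ('C:\\Windows\\System32\\cmd.exe /cwhoami', True),           # no space after /c
    ('powershell.exe -c "cmd /cschtasks /query"', True),         # selection2 special case
    ('C:\\Windows\\System32\\cmd.exe /c whoami', False),         # normal shape, filter_generic
    ('cmd /c', False),                                           # bare cmd /c, filter_fp exact match
    ('C:\\Windows\\System32\\cmd.exe/c .', False),               # filter_fp endswith
    ('C:\\Windows\\System32\\cmd.exe/c"C:\\Users\\dev\\AppData\\Local\\Programs\\Microsoft VS Code'
     '\\resources\\app\\node_modules\\npm\\bin\\npm-cli.js"', False),  # VS Code exclusion
]


def evaluate(samples=SAMPLES):
    """(command_line, verdict) for every sample, verdict being the rule's output."""
    return [(cl, rule_matches(cl)) for cl, _ in samples]


def mismatches(samples=SAMPLES):
    """Samples where the rule's verdict differs from the expected one (should be empty)."""
    return [cl for cl, expected in samples if rule_matches(cl) != expected]


if __name__ == "__main__":
    for cl, verdict in evaluate():
        print("ALERT " if verdict else "quiet ", cl)
```

Running the samples through the logic before pasting the rendered query is the cheapest way to confirm that the filter list you end up tuning (filter_fp is where local additions go) still leaves the true positives standing.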
level: high · quality: Moderate · alert volume: High FP
CobaltStrike Load by Rundll32
Rundll32 can be used by Cobalt Strike with the StartW export function to load DLLs from the command line.
status: test · author: Wojciech Lesicki · ATT&CK mapping: sub-technique · rule id: ae9c6a7c-9521-42a6-915e-5aaa8689d529
carbon_black query
(Image:\\rundll32.exe OR OriginalFileName:RUNDLL32.EXE OR (CommandLine:rundll32.exe* OR CommandLine:rundll32\ *)) (CommandLine:.dll* (CommandLine:\ StartW OR CommandLine:,StartW))
view Sigma YAML
title: CobaltStrike Load by Rundll32
id: ae9c6a7c-9521-42a6-915e-5aaa8689d529
status: test
description: Rundll32 can be used by Cobalt Strike with the StartW export function to load DLLs from the command line.
references:
    - https://www.cobaltstrike.com/help-windows-executable
    - https://redcanary.com/threat-detection-report/
    - https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
author: Wojciech Lesicki
date: 2021-06-01
modified: 2022-09-16
tags:
    - attack.stealth
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection_rundll:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: RUNDLL32.EXE
        - CommandLine|contains:
              - 'rundll32.exe'
              - 'rundll32 '
    selection_params:
        CommandLine|contains: '.dll'
        CommandLine|endswith:
            - ' StartW'
            - ',StartW'
    condition: all of selection*
falsepositives:
    - Unknown
level: high
level: high · quality: Strong · alert volume: Medium FP
CobaltStrike Named Pipe Patterns
Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles
status: test · author: Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems) · ATT&CK mapping: technique · rule id: 85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7
carbon_black query
(((PipeName:\\DserNamePipe* OR PipeName:\\f4c3* OR PipeName:\\f53f* OR PipeName:\\fullduplex_* OR PipeName:\\mojo.5688.8052.183894939787088877* OR PipeName:\\mojo.5688.8052.35780273329370473* OR PipeName:\\MsFteWds* OR PipeName:\\msrpc_* OR PipeName:\\mypipe\-f* OR PipeName:\\mypipe\-h* OR PipeName:\\ntsvcs* OR PipeName:\\PGMessagePipe* OR PipeName:\\rpc_* OR PipeName:\\scerpc* OR PipeName:\\SearchTextHarvester* OR PipeName:\\spoolss* OR PipeName:\\win_svc* OR PipeName:\\win\\msrpc_* OR PipeName:\\windows.update.manager* OR PipeName:\\wkssvc*) OR (PipeName:\\demoagent_11 OR PipeName:\\demoagent_22)) OR (PipeName:\\Winsock2\\CatalogChangeListener\-* PipeName:\-0,)) (-(PipeName:\\wkssvc OR PipeName:\\spoolss OR PipeName:\\scerpc OR PipeName:\\ntsvcs OR PipeName:\\SearchTextHarvester OR PipeName:\\PGMessagePipe OR PipeName:\\MsFteWds)) (-((Image:\:\\Program\ Files\\Websense\\* OR Image:\:\\Program\ Files\ \(x86\)\\Websense\\*) (PipeName:\\DserNamePipeR* OR PipeName:\\DserNamePipeW*)))
view Sigma YAML
title: CobaltStrike Named Pipe Patterns
id: 85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7
related:
    - id: 0e7163d4-9e19-4fa7-9be6-000c61aad77a # Regex
      type: similar
    - id: d5601f8c-b26f-4ab0-9035-69e11a8d4ad2 # Generic
      type: similar
status: test
description: Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles
references:
    - https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
    - https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752
author: Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)
date: 2021-07-30
modified: 2024-01-26
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
    - stp.1k
logsource:
    product: windows
    category: pipe_created
    definition: 'Note that you have to configure logging for Named Pipe Events in your Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in the popular Sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repos, e.g. https://github.com/Neo23x0/sysmon-config or https://github.com/olafhartong/sysmon-modular. How to test the detection? You can always use Cobalt Strike, but you can also use the PowerShell script from https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
    selection_malleable_profile_generic:
        - PipeName|startswith:
              - '\DserNamePipe'
              - '\f4c3'
              - '\f53f'
              - '\fullduplex_'
              - '\mojo.5688.8052.183894939787088877'
              - '\mojo.5688.8052.35780273329370473'
              - '\MsFteWds'
              - '\msrpc_'
              - '\mypipe-f'
              - '\mypipe-h'
              - '\ntsvcs'
              - '\PGMessagePipe'
              - '\rpc_'
              - '\scerpc'
              - '\SearchTextHarvester'
              - '\spoolss'
              - '\win_svc'
              - '\win\msrpc_'
              - '\windows.update.manager'
              - '\wkssvc'
        - PipeName:
              - '\demoagent_11'
              - '\demoagent_22'
    selection_malleable_profile_catalog_change_listener:
        PipeName|startswith: '\Winsock2\CatalogChangeListener-'
        PipeName|endswith: '-0,'
    filter_main_generic:
        PipeName:
            - '\wkssvc'
            - '\spoolss'
            - '\scerpc'
            - '\ntsvcs'
            - '\SearchTextHarvester'
            - '\PGMessagePipe'
            - '\MsFteWds'
    filter_optional_websense:
        Image|contains:
            - ':\Program Files\Websense\'
            - ':\Program Files (x86)\Websense\'
        PipeName|startswith:
            - '\DserNamePipeR'
            - '\DserNamePipeW'
    condition: 1 of selection_malleable_profile_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Chrome instances using the exact same pipe name "mojo.xxx"
    - Websense Endpoint using the pipe name "DserNamePipe(R|W)\d{1,5}"
level: high
level: high · quality: Strong · alert volume: Medium FP
CobaltStrike Service Installations - Security
Detects known malicious service installations that appear when a Cobalt Strike beacon elevates privileges or moves laterally
status: test · author: Florian Roth (Nextron Systems), Wojciech Lesicki · ATT&CK mapping: sub-technique · rule id: d7a95147-145f-4678-b85d-d1ff4a3bb3f6
carbon_black query
EventID:4697 ((ServiceFileName:ADMIN$* ServiceFileName:.exe*) OR (ServiceFileName:%COMSPEC%* ServiceFileName:start* ServiceFileName:powershell*) OR ServiceFileName:powershell\ \-nop\ \-w\ hidden\ \-encodedcommand* OR ServiceFileName:SUVYIChOZXctT2JqZWN0IE5ldC5XZWJjbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTI3LjAuMC4xO* OR ServiceFileName:lFWCAoTmV3LU9iamVjdCBOZXQuV2ViY2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEyNy4wLjAuMT* OR ServiceFileName:JRVggKE5ldy1PYmplY3QgTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xMjcuMC4wLjE6*)
view Sigma YAML
title: CobaltStrike Service Installations - Security
id: d7a95147-145f-4678-b85d-d1ff4a3bb3f6
related:
    - id: 5a105d34-05fc-401e-8553-272b45c1522d
      type: derived
status: test
description: Detects known malicious service installations that appear when a Cobalt Strike beacon elevates privileges or moves laterally
references:
    - https://www.sans.org/webcasts/119395
    - https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/
    - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
author: Florian Roth (Nextron Systems), Wojciech Lesicki
date: 2021-05-26
modified: 2022-11-27
tags:
    - attack.persistence
    - attack.execution
    - attack.privilege-escalation
    - attack.lateral-movement
    - attack.t1021.002
    - attack.t1543.003
    - attack.t1569.002
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory needs to be enabled to log EID 4697
detection:
    event_id:
        EventID: 4697
    selection1:
        ServiceFileName|contains|all:
            - 'ADMIN$'
            - '.exe'
    selection2:
        ServiceFileName|contains|all:
            - '%COMSPEC%'
            - 'start'
            - 'powershell'
    selection3:
        ServiceFileName|contains: 'powershell -nop -w hidden -encodedcommand'
    selection4:
        ServiceFileName|base64offset|contains: "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:"
    condition: event_id and 1 of selection*
falsepositives:
    - Unknown
level: high
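Where the three long base64 strings in the Carbon Black query above come from: selection4 uses Sigma's base64offset modifier, which encodes the plaintext at each of the three possible byte alignments and trims the characters that depend on the unknown neighbouring bytes, so the needle is found wherever it sits inside an encoded blob. The following is an added example, not code from the page or from the Sigma project, that reimplements the modifier's offsets in Python and checks the three variants against the query; the field values it builds are constructed, not real service telemetry.

```python
"""Reproduce the base64offset variants used by selection4 of the rule above."""
import base64

NEEDLE = "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:"

# Leading characters polluted by the bytes before the needle, per alignment,
# and trailing characters (incl. padding) polluted by the bytes after it.
START_OFFSETS = (0, 2, 3)
END_OFFSETS = (None, -3, -2)


def base64offset_variants(plain: str) -> list[str]:
    """The three substrings that a base64 stream contains if it embeds `plain`."""
    raw = plain.encode("utf-8")
    variants = []
    for shift in range(3):
        # prepend `shift` bytes so the needle starts at byte offset shift mod 3
        enc = base64.b64encode(b" " * shift + raw).decode("ascii")
        end = END_OFFSETS[(len(raw) + shift) % 3]
        variants.append(enc[START_OFFSETS[shift]:end])
    return variants


def matches_base64offset(field_value: str, plain: str) -> bool:
    """ServiceFileName|base64offset|contains: any alignment present in the field."""
    return any(v in field_value for v in base64offset_variants(plain))


def encoded_field(prefix: str, text: str = NEEDLE, suffix: str = "8080/')") -> str:
    """Constructed field value: `text` base64-encoded behind `prefix` bytes.

    `prefix` controls which of the three alignments the needle lands on; the
    suffix just makes the blob longer than the needle, as a real payload would.
    """
    return base64.b64encode((prefix + text + suffix).encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    for v in base64offset_variants(NEEDLE):
        print(v)
    for prefix in ("", "x", "xy", "abc"):
        print(repr(prefix), matches_base64offset(encoded_field(prefix), NEEDLE))
```

One caveat the query does not make visible: the variants are computed over the byte encoding you hand the modifier. This rule encodes the plaintext as ASCII/UTF-8, whereas PowerShell's -encodedcommand takes UTF-16LE base64; Sigma has a separate utf16le modifier that is stacked before base64offset for that case, and the resulting strings look nothing like the three above.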
level: high · quality: Moderate · alert volume: High FP
Code Executed Via Office Add-in XLL File
Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs.
status: test · author: frack113 · ATT&CK mapping: sub-technique · rule id: 36fbec91-fa1b-4d5d-8df1-8d8edcb632ad
carbon_black query
ScriptBlockText:new\-object\ * ScriptBlockText:\-ComObject\ * ScriptBlockText:.application* ScriptBlockText:.RegisterXLL*
view Sigma YAML
title: Code Executed Via Office Add-in XLL File
id: 36fbec91-fa1b-4d5d-8df1-8d8edcb632ad
status: test
description: |
    Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system.
    Office add-ins can be used to add functionality to Office programs
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137.006/T1137.006.md
author: frack113
date: 2021-12-28
tags:
    - attack.persistence
    - attack.t1137.006
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'new-object '
            - '-ComObject '
            - '.application'
            - '.RegisterXLL'
    condition: selection
falsepositives:
    - Unknown
level: high
level: high · quality: Moderate · alert volume: Medium FP
Code Injection by ld.so Preload
Detects the ld.so preload persistence file. See `man ld.so` for more information.
status: test · author: Christian Burkard (Nextron Systems) · ATT&CK mapping: sub-technique · rule id: 7e3c4651-c347-40c4-b1d4-d48590fdf684
carbon_black query
"\/etc\/ld.so.preload"
view Sigma YAML
title: Code Injection by ld.so Preload
id: 7e3c4651-c347-40c4-b1d4-d48590fdf684
status: test
description: Detects the ld.so preload persistence file. See `man ld.so` for more information.
references:
    - https://man7.org/linux/man-pages/man8/ld.so.8.html
author: Christian Burkard (Nextron Systems)
date: 2021-05-05
modified: 2022-10-09
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.006
logsource:
    product: linux
detection:
    keywords:
        - '/etc/ld.so.preload'
    condition: keywords
falsepositives:
    - Rare temporary workaround for library misconfiguration
level: high
level: high · quality: Moderate · alert volume: Medium FP
CodeIntegrity - Blocked Driver Load With Revoked Certificate
Detects blocked load attempts of revoked drivers
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: technique · rule id: 9b72b82d-f1c5-4632-b589-187159bc6ec1
carbon_black query
EventID:3023
view Sigma YAML
title: CodeIntegrity - Blocked Driver Load With Revoked Certificate
id: 9b72b82d-f1c5-4632-b589-187159bc6ec1
status: test
description: Detects blocked load attempts of revoked drivers
references:
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-06
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1543
logsource:
    product: windows
    service: codeintegrity-operational
detection:
    selection:
        EventID: 3023 # The driver %2 is blocked from loading as the driver has been revoked by Microsoft.
    condition: selection
falsepositives:
    - Unknown
level: high
level: high · quality: Moderate · alert volume: Medium FP
CodeIntegrity - Blocked Image Load With Revoked Certificate
Detects image loads that Code Integrity blocked because the signing certificate has been revoked.
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: tactic-only · rule id: 6f156c48-3894-4952-baf0-16193e9067d2
carbon_black query
EventID:3036
view Sigma YAML
title: CodeIntegrity - Blocked Image Load With Revoked Certificate
id: 6f156c48-3894-4952-baf0-16193e9067d2
status: test
description: Detects image loads that Code Integrity blocked because the signing certificate has been revoked.
references:
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-06
tags:
    - attack.privilege-escalation
logsource:
    product: windows
    service: codeintegrity-operational
detection:
    selection:
        EventID: 3036 # Windows is unable to verify the integrity of the file %2 because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.
    condition: selection
falsepositives:
    - Unlikely
level: high
level: high · quality: Moderate · alert volume: Medium FP
CodeIntegrity - Blocked Image/Driver Load For Policy Violation
Detects blocked load events that did not meet the authenticode signing level requirements or violated the code integrity policy.
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: technique · rule id: e4be5675-4a53-426a-8c81-a8bb2387e947
carbon_black query
EventID:3077
view Sigma YAML
title: CodeIntegrity - Blocked Image/Driver Load For Policy Violation
id: e4be5675-4a53-426a-8c81-a8bb2387e947
status: test
description: Detects blocked load events that did not meet the authenticode signing level requirements or violated the code integrity policy.
references:
    - https://twitter.com/wdormann/status/1590434950335320065
    - https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-11-10
modified: 2023-06-07
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1543
logsource:
    product: windows
    service: codeintegrity-operational
detection:
    selection:
        EventID: 3077 # Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity policy (Policy ID:%XX).
    condition: selection
falsepositives:
    - Unknown
level: high
level: high · quality: Moderate · alert volume: Medium FP
CodeIntegrity - Disallowed File For Protected Processes Has Been Blocked
Detects block events for files that are disallowed by code integrity for protected processes
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: tactic-only · rule id: 5daf11c3-022b-4969-adb9-365e6c078c7c
carbon_black query
EventID:3104
view Sigma YAML
title: CodeIntegrity - Disallowed File For Protected Processes Has Been Blocked
id: 5daf11c3-022b-4969-adb9-365e6c078c7c
status: test
description: Detects block events for files that are disallowed by code integrity for protected processes
references:
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-06
tags:
    - attack.privilege-escalation
logsource:
    product: windows
    service: codeintegrity-operational
detection:
    selection:
        EventID: 3104 # Windows blocked file %2 which has been disallowed for protected processes.
    condition: selection
falsepositives:
    - Unlikely
level: high
level: high · quality: Moderate · alert volume: Medium FP
CodeIntegrity - Revoked Image Loaded
Detects images with revoked certificates that Code Integrity reports as loaded.
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: tactic-only · rule id: 881b7725-47cc-4055-8000-425823344c59
carbon_black query
EventID:3032 OR EventID:3035
view Sigma YAML
title: CodeIntegrity - Revoked Image Loaded
id: 881b7725-47cc-4055-8000-425823344c59
status: test
description: Detects images with revoked certificates that Code Integrity reports as loaded.
references:
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-06
tags:
    - attack.privilege-escalation
logsource:
    product: windows
    service: codeintegrity-operational
detection:
    selection:
        EventID:
            - 3032 # Code Integrity determined a revoked image %2 is loaded into the system. Check with the publisher to see if a new signed version of the image is available.
            - 3035 # Code Integrity determined a revoked image %2 is loaded into the system. The image is allowed to load because kernel mode debugger is attached.
    condition: selection
falsepositives:
    - Unlikely
level: high
level: high · quality: Moderate · alert volume: Medium FP
CodeIntegrity - Revoked Kernel Driver Loaded
Detects the load of a revoked kernel driver
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: tactic-only · rule id: 320fccbf-5e32-4101-82b8-2679c5f007c6
carbon_black query
EventID:3021 OR EventID:3022
view Sigma YAML
title: CodeIntegrity - Revoked Kernel Driver Loaded
id: 320fccbf-5e32-4101-82b8-2679c5f007c6
status: test
description: Detects the load of a revoked kernel driver
references:
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-06
tags:
    - attack.privilege-escalation
logsource:
    product: windows
    service: codeintegrity-operational
detection:
    selection:
        EventID:
            - 3021 # Code Integrity determined a revoked kernel module %2 is loaded into the system.  Check with the publisher to see if a new signed version of the kernel module is available.
            - 3022 # Code Integrity determined a revoked kernel module %2 is loaded into the system. The image is allowed to load because kernel mode debugger is attached.
    condition: selection
falsepositives:
    - Unlikely
level: high
level: high · quality: Moderate · alert volume: Medium FP
CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module
Detects loaded kernel modules that did not meet the WHQL signing requirements.
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: tactic-only · rule id: 2f8cd7a0-9d5a-4f62-9f8b-2c951aa0dd1f
carbon_black query
(EventID:3082 OR EventID:3083) (-(FileNameBuffer:system32\\drivers\\vsock.sys OR FileNameBuffer:System32\\drivers\\vmci.sys))
view Sigma YAML
title: CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module
id: 2f8cd7a0-9d5a-4f62-9f8b-2c951aa0dd1f
status: test
description: Detects loaded kernel modules that did not meet the WHQL signing requirements.
references:
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-06
modified: 2023-06-14
tags:
    - attack.privilege-escalation
logsource:
    product: windows
    service: codeintegrity-operational
detection:
    selection:
        EventID:
            - 3082 # Code Integrity determined kernel module %2 that did not meet the WHQL requirements is loaded into the system. However, due to code integrity auditing policy, the image was allowed to load
            - 3083 # Code Integrity determined kernel module %2 that did not meet the WHQL requirements is loaded into the system. Check with the publisher to see if a WHQL compliant kernel module is available
    filter_optional_vmware:
        FileNameBuffer:
            - 'system32\drivers\vsock.sys'
            - 'System32\drivers\vmci.sys'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Unlikely
level: high
level: high · quality: Moderate · alert volume: Medium FP
CodeIntegrity - Unsigned Image Loaded
Detects an unsigned image loaded on the system
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: tactic-only · rule id: c92c24e7-f595-493f-9c98-53d5142f5c18
carbon_black query
EventID:3037
view Sigma YAML
title: CodeIntegrity - Unsigned Image Loaded
id: c92c24e7-f595-493f-9c98-53d5142f5c18
status: test
description: Detects an unsigned image loaded on the system.
references:
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-06
tags:
    - attack.privilege-escalation
logsource:
    product: windows
    service: codeintegrity-operational
detection:
    selection:
        EventID: 3037 # Code Integrity determined an unsigned image %2 is loaded into the system. Check with the publisher to see if a signed version of the image is available.
    condition: selection
falsepositives:
    - Unlikely
level: high
level: high · quality: Moderate · alert volume: Medium FP
CodeIntegrity - Unsigned Kernel Module Loaded
Detects the presence of a loaded unsigned kernel module on the system.
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK: tactic-only · id: 951f8d29-f2f6-48a7-859f-0673ff105e6f
carbon_black query
EventID:3001
view Sigma YAML
title: CodeIntegrity - Unsigned Kernel Module Loaded
id: 951f8d29-f2f6-48a7-859f-0673ff105e6f
status: test
description: Detects the presence of a loaded unsigned kernel module on the system.
references:
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-06
tags:
    - attack.privilege-escalation
logsource:
    product: windows
    service: codeintegrity-operational
detection:
    selection:
        EventID: 3001 # Code Integrity determined an unsigned kernel module %2 is loaded into the system. Check with the publisher to see if a signed version of the kernel module is available
    condition: selection
falsepositives:
    - Unlikely
level: high
level: high · quality: Moderate · alert volume: High FP
ComRAT Network Communication
Detects Turla ComRAT network communication.
status: test · author: Florian Roth (Nextron Systems) · ATT&CK: sub-technique · id: 7857f021-007f-4928-8b2c-7aedbe64bb82
carbon_black query
"c-uri":\/index\/index.php?h=*
view Sigma YAML
title: ComRAT Network Communication
id: 7857f021-007f-4928-8b2c-7aedbe64bb82
status: test
description: Detects Turla ComRAT network communication.
references:
    - https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
author: Florian Roth (Nextron Systems)
date: 2020-05-26
modified: 2024-02-26
tags:
    - attack.command-and-control
    - attack.t1071.001
    - attack.g0010
    - detection.emerging-threats
logsource:
    category: proxy
detection:
    selection:
        c-uri|contains: '/index/index.php\?h='
    condition: selection
falsepositives:
    - Unknown
level: high
level: high · quality: Moderate · alert volume: Medium FP
Commands to Clear or Remove the Syslog - Builtin
Detects specific commands commonly used to remove or empty the syslog.
status: test · author: Max Altgelt (Nextron Systems) · ATT&CK: sub-technique · id: e09eb557-96d2-4de9-ba2d-30f712a5afd3
carbon_black query
("rm\ \/var\/log\/syslog" OR "rm\ \-r\ \/var\/log\/syslog" OR "rm\ \-f\ \/var\/log\/syslog" OR "rm\ \-rf\ \/var\/log\/syslog" OR "mv\ \/var\/log\/syslog" OR "\ >\/var\/log\/syslog" OR "\ >\ \/var\/log\/syslog") (-"\/syslog.")
view Sigma YAML
title: Commands to Clear or Remove the Syslog - Builtin
id: e09eb557-96d2-4de9-ba2d-30f712a5afd3
status: test
description: Detects specific commands commonly used to remove or empty the syslog
references:
    - https://www.virustotal.com/gui/file/fc614fb4bda24ae8ca2c44e812d12c0fab6dd7a097472a35dd12ded053ab8474
author: Max Altgelt (Nextron Systems)
date: 2021-09-10
modified: 2022-11-26
tags:
    - attack.impact
    - attack.t1565.001
logsource:
    product: linux
detection:
    selection:
        - 'rm /var/log/syslog'
        - 'rm -r /var/log/syslog'
        - 'rm -f /var/log/syslog'
        - 'rm -rf /var/log/syslog'
        - 'mv /var/log/syslog'
        - ' >/var/log/syslog'
        - ' > /var/log/syslog'
    falsepositives:
        - '/syslog.'
    condition: selection and not falsepositives
falsepositives:
    - Log rotation
level: high
level: high · quality: Strong · alert volume: Medium FP
Communication To LocaltoNet Tunneling Service Initiated
Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains. LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet. Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.
status: test · author: Andreas Braathen (mnemonic.io) · ATT&CK: technique · id: 3ab65069-d82a-4d44-a759-466661a082d1
carbon_black query
(DestinationHostname:.localto.net OR DestinationHostname:.localtonet.com) Initiated:true
view Sigma YAML
title: Communication To LocaltoNet Tunneling Service Initiated
id: 3ab65069-d82a-4d44-a759-466661a082d1
status: test
description: |
    Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains.
    LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet.
    Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.
references:
    - https://localtonet.com/documents/supported-tunnels
    - https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications
author: Andreas Braathen (mnemonic.io)
date: 2024-06-17
tags:
    - attack.command-and-control
    - attack.t1572
    - attack.t1090
    - attack.t1102
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationHostname|endswith:
            - '.localto.net'
            - '.localtonet.com'
        Initiated: 'true'
    condition: selection
falsepositives:
    - Legitimate use of the LocaltoNet service.
level: high
level: high · quality: Strong · alert volume: Medium FP
Communication To LocaltoNet Tunneling Service Initiated - Linux
Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains. LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet. Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.
status: test · author: Andreas Braathen (mnemonic.io) · ATT&CK: technique · id: c4568f5d-131f-4e78-83d4-45b2da0ec4f1
carbon_black query
(DestinationHostname:.localto.net OR DestinationHostname:.localtonet.com) Initiated:true
view Sigma YAML
title: Communication To LocaltoNet Tunneling Service Initiated - Linux
id: c4568f5d-131f-4e78-83d4-45b2da0ec4f1
status: test
description: |
    Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains.
    LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet.
    Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.
references:
    - https://localtonet.com/documents/supported-tunnels
    - https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications
author: Andreas Braathen (mnemonic.io)
date: 2024-06-17
tags:
    - attack.command-and-control
    - attack.t1572
    - attack.t1090
    - attack.t1102
logsource:
    category: network_connection
    product: linux
detection:
    selection:
        DestinationHostname|endswith:
            - '.localto.net'
            - '.localtonet.com'
        Initiated: 'true'
    condition: selection
falsepositives:
    - Legitimate use of the LocaltoNet service.
level: high
level: high · quality: Moderate · alert volume: High FP
Communication To Ngrok Tunneling Service - Linux
Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of data exfiltration by malicious actors.
status: test · author: Florian Roth (Nextron Systems) · ATT&CK: sub-technique · id: 19bf6fdb-7721-4f3d-867f-53467f6a5db6
carbon_black query
DestinationHostname:tunnel.us.ngrok.com* OR DestinationHostname:tunnel.eu.ngrok.com* OR DestinationHostname:tunnel.ap.ngrok.com* OR DestinationHostname:tunnel.au.ngrok.com* OR DestinationHostname:tunnel.sa.ngrok.com* OR DestinationHostname:tunnel.jp.ngrok.com* OR DestinationHostname:tunnel.in.ngrok.com*
view Sigma YAML
title: Communication To Ngrok Tunneling Service - Linux
id: 19bf6fdb-7721-4f3d-867f-53467f6a5db6
status: test
description: Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of data exfiltration by malicious actors.
references:
    - https://twitter.com/hakluke/status/1587733971814977537/photo/1
    - https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent
author: Florian Roth (Nextron Systems)
date: 2022-11-03
tags:
    - attack.exfiltration
    - attack.command-and-control
    - attack.t1567
    - attack.t1568.002
    - attack.t1572
    - attack.t1090
    - attack.t1102
    - attack.s0508
logsource:
    product: linux
    category: network_connection
detection:
    selection:
        DestinationHostname|contains:
            - 'tunnel.us.ngrok.com'
            - 'tunnel.eu.ngrok.com'
            - 'tunnel.ap.ngrok.com'
            - 'tunnel.au.ngrok.com'
            - 'tunnel.sa.ngrok.com'
            - 'tunnel.jp.ngrok.com'
            - 'tunnel.in.ngrok.com'
    condition: selection
falsepositives:
    - Legitimate use of ngrok
level: high
level: high · quality: Moderate · alert volume: High FP
Communication To Ngrok Tunneling Service Initiated
Detects an executable initiating a network connection to "ngrok" tunneling domains. Attackers have been seen using ngrok to host their second-stage payloads and malware. While communication with such domains can be legitimate, it is often a sign of either data exfiltration by malicious actors or an additional download.
status: test · author: Florian Roth (Nextron Systems) · ATT&CK: sub-technique · id: 1d08ac94-400d-4469-a82f-daee9a908849
carbon_black query
DestinationHostname:tunnel.us.ngrok.com* OR DestinationHostname:tunnel.eu.ngrok.com* OR DestinationHostname:tunnel.ap.ngrok.com* OR DestinationHostname:tunnel.au.ngrok.com* OR DestinationHostname:tunnel.sa.ngrok.com* OR DestinationHostname:tunnel.jp.ngrok.com* OR DestinationHostname:tunnel.in.ngrok.com*
view Sigma YAML
title: Communication To Ngrok Tunneling Service Initiated
id: 1d08ac94-400d-4469-a82f-daee9a908849
related:
    - id: 18249279-932f-45e2-b37a-8925f2597670
      type: similar
status: test
description: |
    Detects an executable initiating a network connection to "ngrok" tunneling domains.
    Attackers have been seen using ngrok to host their second-stage payloads and malware.
    While communication with such domains can be legitimate, it is often a sign of either data exfiltration by malicious actors or an additional download.
references:
    - https://twitter.com/hakluke/status/1587733971814977537/photo/1
    - https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent
author: Florian Roth (Nextron Systems)
date: 2022-11-03
modified: 2024-02-02
tags:
    - attack.exfiltration
    - attack.command-and-control
    - attack.t1567
    - attack.t1568.002
    - attack.t1572
    - attack.t1090
    - attack.t1102
    - attack.s0508
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationHostname|contains:
            - 'tunnel.us.ngrok.com'
            - 'tunnel.eu.ngrok.com'
            - 'tunnel.ap.ngrok.com'
            - 'tunnel.au.ngrok.com'
            - 'tunnel.sa.ngrok.com'
            - 'tunnel.jp.ngrok.com'
            - 'tunnel.in.ngrok.com'
    condition: selection
falsepositives:
    - Legitimate use of the ngrok service.
level: high
level: high · quality: Moderate · alert volume: High FP
Commvault QLogin Argument Injection Authentication Bypass (CVE-2025-57791)
Detects the use of argument injection in the Commvault qlogin command - potential exploitation of CVE-2025-57791. An attacker can inject the `-localadmin` parameter via the password field to bypass authentication and gain a privileged token.
status: experimental · author: X__Junior (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems) · ATT&CK: technique · id: ff0225a0-1d9a-4bae-ab26-6038b18bb6d4
carbon_black query
CommandLine:qlogin* CommandLine:\ \-cs\ * CommandLine:\ \-localadmin* CommandLine:\ \-clp\ * CommandLine:_localadmin__*
view Sigma YAML
title: Commvault QLogin Argument Injection Authentication Bypass (CVE-2025-57791)
id: ff0225a0-1d9a-4bae-ab26-6038b18bb6d4
status: experimental
description: |
    Detects the use of argument injection in the Commvault qlogin command - potential exploitation of CVE-2025-57791.
    An attacker can inject the `-localadmin` parameter via the password field to bypass authentication and gain a privileged token.
references:
    - https://labs.watchtowr.com/guess-who-would-be-stupid-enough-to-rob-the-same-vault-twice-pre-auth-rce-chains-in-commvault/
author: X__Junior (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-20
tags:
    - attack.initial-access
    - attack.t1190
    - detection.emerging-threats
    - cve.2025-57791
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'qlogin'
            - ' -cs '
            - ' -localadmin'
            - ' -clp '
            - '_localadmin__'
    condition: selection
falsepositives:
    - Unknown
level: high
level: high · quality: Moderate · alert volume: High FP
Commvault QOperation Path Traversal Webshell Drop (CVE-2025-57790)
Detects the use of qoperation.exe with the -file argument to write a JSP file to the webroot, indicating a webshell drop. This is a post-authentication step corresponding to CVE-2025-57790.
status: experimental · author: Swachchhanda Shrawan Poudel (Nextron Systems) · ATT&CK: sub-technique · id: bd3b3fff-a018-4994-9876-68af5809160f
carbon_black query
CommandLine:qoperation* CommandLine:exec* CommandLine:\ \-af\ * CommandLine:.xml\ * CommandLine:\\Apache\\webapps\\ROOT\\* CommandLine:.jsp*
view Sigma YAML
title: Commvault QOperation Path Traversal Webshell Drop (CVE-2025-57790)
id: bd3b3fff-a018-4994-9876-68af5809160f
status: experimental
description: |
    Detects the use of qoperation.exe with the -file argument to write a JSP file to the webroot, indicating a webshell drop.
    This is a post-authentication step corresponding to CVE-2025-57790.
references:
    - https://labs.watchtowr.com/guess-who-would-be-stupid-enough-to-rob-the-same-vault-twice-pre-auth-rce-chains-in-commvault/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-20
tags:
    - attack.persistence
    - attack.t1505.003
    - detection.emerging-threats
    - cve.2025-57790
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # qoperation execute -af F:\Program Files\Commvault\ContentStore\Reports\MetricsUpload\Upload\ABC1234\rekt.xml -file F:\Program Files\Commvault\ContentStore\Apache\webapps\ROOT\wT-poc.jsp
        CommandLine|contains|all:
            - 'qoperation'
            - 'exec'
            - ' -af '
            - '.xml '
            - '\Apache\webapps\ROOT\'
            - '.jsp'
    condition: selection
falsepositives:
    - Unknown
level: high
level: high · quality: Moderate · alert volume: Medium FP
Conhost.exe CommandLine Path Traversal
Detects the use of path traversal in conhost.exe, indicating possible command/argument confusion or hijacking.
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK: sub-technique · id: ee5e119b-1f75-4b34-add8-3be976961e39
carbon_black query
ParentCommandLine:conhost* CommandLine:\/..\/..\/*
view Sigma YAML
title: Conhost.exe CommandLine Path Traversal
id: ee5e119b-1f75-4b34-add8-3be976961e39
status: test
description: Detects the use of path traversal in conhost.exe, indicating possible command/argument confusion or hijacking.
references:
    - https://pentestlab.blog/2020/07/06/indirect-command-execution/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-14
tags:
    - attack.execution
    - attack.t1059.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentCommandLine|contains: 'conhost'
        CommandLine|contains: '/../../'
    condition: selection
falsepositives:
    - Unlikely
level: high
level: high · quality: Moderate · alert volume: High FP
Conti NTDS Exfiltration Command
Detects a command used by Conti to exfiltrate NTDS.
status: test · author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems) · ATT&CK: technique · id: aa92fd02-09f2-48b0-8a93-864813fb8f41
carbon_black query
CommandLine:7za.exe* CommandLine:\\C$\\temp\\log.zip*
view Sigma YAML
title: Conti NTDS Exfiltration Command
id: aa92fd02-09f2-48b0-8a93-864813fb8f41
status: test
description: Detects a command used by Conti to exfiltrate NTDS.
references:
    - https://twitter.com/vxunderground/status/1423336151860002816?s=20
    - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
date: 2021-08-09
modified: 2022-10-09
tags:
    - attack.collection
    - attack.t1560
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - '7za.exe'
            - '\\C$\\temp\\log.zip'
    condition: selection
falsepositives:
    - Unknown
level: high
level: high · quality: Moderate · alert volume: High FP
Conti Volume Shadow Listing
Detects a command used by Conti to find volume shadow backups.
status: test · author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems) · ATT&CK: sub-technique · id: 7b30e0a7-c675-4b24-8a46-82fa67e2433d
carbon_black query
CommandLine:vssadmin\ list\ shadows* CommandLine:log.txt*
view Sigma YAML
title: Conti Volume Shadow Listing
id: 7b30e0a7-c675-4b24-8a46-82fa67e2433d
status: test
description: Detects a command used by Conti to find volume shadow backups.
references:
    - https://twitter.com/vxunderground/status/1423336151860002816?s=20
    - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
date: 2021-08-09
tags:
    - attack.t1587.001
    - attack.resource-development
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'vssadmin list shadows'
            - 'log.txt'
    condition: selection
falsepositives:
    - Unknown
level: high