Home/Detection rules/VMware Carbon Black
Tool
EDR / XDR

VMware Carbon Black

3,646 rules · Sigma detections in VMware Carbon Black syntax
The same Sigma detection corpus, machine-rendered into VMware Carbon Black query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 3,646 rules (.zip, 1.2 MB) Every VMware Carbon Black query in this view, packaged to deploy.
Severity critical high medium low all severities Export CSV Export .zip
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance12
Resource Development10
Initial Access10
Execution30
Persistence42
Privilege Escalation20
Stealth79
Defense Impairment32
Credential Access35
Discovery33
Lateral Movement16
Collection20
Command and Control24
Exfiltration10
Impact18
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.

Detection rules

50 shown of 3,646
high Strong Medium FP
Control Panel Items
Detects the malicious use of a control panel item
status test author Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_) ATT&CK sub-technique id 0ba863e6-def5-4e50-9cea-4dd8c7dc46a4
carbon_black query
((Image:\\reg.exe OR OriginalFileName:reg.exe) (CommandLine:add* CommandLine:CurrentVersion\\Control\ Panel\\CPLs*)) OR (CommandLine:.cpl (-((CommandLine:\\System32\\* OR CommandLine:%System%* OR CommandLine:|C\:\\Windows\\system32|*) OR (CommandLine:regsvr32\ * CommandLine:\ \/s\ * CommandLine:igfxCPL.cpl*))))
view Sigma YAML 
title: Control Panel Items
id: 0ba863e6-def5-4e50-9cea-4dd8c7dc46a4
status: test
description: Detects the malicious use of a control panel item
references:
    - https://ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins
author: Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)
date: 2020-06-22
modified: 2023-10-11
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1218.002
    - attack.persistence
    - attack.t1546
logsource:
    product: windows
    category: process_creation
detection:
    selection_reg_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_reg_cli:
        CommandLine|contains|all:
            - 'add'
            - 'CurrentVersion\Control Panel\CPLs'
    selection_cpl:
        CommandLine|endswith: '.cpl'
    filter_cpl_sys:
        CommandLine|contains:
            - '\System32\'
            - '%System%'
            - '|C:\Windows\system32|'
    filter_cpl_igfx:
        CommandLine|contains|all:
            - 'regsvr32 '
            - ' /s '
            - 'igfxCPL.cpl'
    condition: all of selection_reg_* or (selection_cpl and not 1 of filter_cpl_*)
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE
Detects usage of the copy builtin cmd command to copy files with the ".dmp"/".dump" extension from a remote share
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK tactic-only id 044ba588-dff4-4918-9808-3f95e8160606
carbon_black query
(Image:\\cmd.exe OR OriginalFileName:Cmd.Exe) ((CommandLine:copy\ * CommandLine:\ \\\\*) (CommandLine:.dmp* OR CommandLine:.dump* OR CommandLine:.hdmp*))
view Sigma YAML 
title: Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE
id: 044ba588-dff4-4918-9808-3f95e8160606
status: test
description: Detects usage of the copy builtin cmd command to copy files with the ".dmp"/".dump" extension from a remote share
references:
    - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-27
modified: 2023-09-12
tags:
    - attack.credential-access
logsource:
    category: process_creation
    product: windows
detection:
    # Example: copy \\<host>\\<folder>\\process.dmp C:\Users\process.dmp
    selection_img:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_cli:
        CommandLine|contains|all:
            - 'copy '
            - ' \\\\'
        CommandLine|contains:
            - '.dmp'
            - '.dump'
            - '.hdmp'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Strong High FP
Copy From VolumeShadowCopy Via Cmd.EXE
Detects the execution of the builtin "copy" command that targets a shadow copy (sometimes used to copy registry hives that are in use)
status test author Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems) ATT&CK technique id c73124a7-3e89-44a3-bdc1-25fe4df754b1
carbon_black query
CommandLine:copy\ * CommandLine:\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy*
view Sigma YAML 
title: Copy From VolumeShadowCopy Via Cmd.EXE
id: c73124a7-3e89-44a3-bdc1-25fe4df754b1
status: test
description: Detects the execution of the builtin "copy" command that targets a shadow copy (sometimes used to copy registry hives that are in use)
references:
    - https://twitter.com/vxunderground/status/1423336151860002816?s=20
    - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
    - https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/
author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
date: 2021-08-09
modified: 2023-03-07
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM\
        # There is an additional "\" to escape the special "?"
        CommandLine|contains|all:
            - 'copy '
            - '\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy'
    condition: selection
falsepositives:
    - Backup scenarios using the commandline
level: high
Convert to SIEM query
high Moderate Medium FP
Copy Passwd Or Shadow From TMP Path
Detects when the file "passwd" or "shadow" is copied from tmp path
status test author Joseliyo Sanchez, @Joseliyo_Jstnk ATT&CK sub-technique id fa4aaed5-4fe0-498d-bbc0-08e3346387ba
carbon_black query
Image:\/cp CommandLine:\/tmp\/* (CommandLine:passwd* OR CommandLine:shadow*)
view Sigma YAML 
title: Copy Passwd Or Shadow From TMP Path
id: fa4aaed5-4fe0-498d-bbc0-08e3346387ba
status: test
description: Detects when the file "passwd" or "shadow" is copied from tmp path
references:
    - https://blogs.blackberry.com/
    - https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-01-31
tags:
    - attack.credential-access
    - attack.t1552.001
logsource:
    product: linux
    category: process_creation
detection:
    selection_img:
        Image|endswith: '/cp'
    selection_path:
        CommandLine|contains: '/tmp/'
    selection_file:
        CommandLine|contains:
            - 'passwd'
            - 'shadow'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Strong Medium FP
Copying Sensitive Files with Credential Data
Files with well-known filenames (sensitive files with credential data) copying
status test author Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community ATT&CK sub-technique id e7be6119-fc37-43f0-ad4f-1f3f99be2f9f
carbon_black query
((Image:\\esentutl.exe OR OriginalFileName:\\esentutl.exe) (CommandLine:vss* OR CommandLine:\ \-m\ * OR CommandLine:\ \/m\ * OR CommandLine:\ –m\ * OR CommandLine:\ —m\ * OR CommandLine:\ ―m\ * OR CommandLine:\ \-y\ * OR CommandLine:\ \/y\ * OR CommandLine:\ –y\ * OR CommandLine:\ —y\ * OR CommandLine:\ ―y\ *)) OR (CommandLine:\\config\\RegBack\\sam* OR CommandLine:\\config\\RegBack\\security* OR CommandLine:\\config\\RegBack\\system* OR CommandLine:\\config\\sam* OR CommandLine:\\config\\security* OR CommandLine:\\config\\system\ * OR CommandLine:\\repair\\sam* OR CommandLine:\\repair\\security* OR CommandLine:\\repair\\system* OR CommandLine:\\windows\\ntds\\ntds.dit*)
view Sigma YAML 
title: Copying Sensitive Files with Credential Data
id: e7be6119-fc37-43f0-ad4f-1f3f99be2f9f
status: test
description: Files with well-known filenames (sensitive files with credential data) copying
references:
    - https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
    - https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/
    - https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Esentutl.yml
author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
date: 2019-10-22
modified: 2024-06-04
tags:
    - attack.credential-access
    - attack.t1003.002
    - attack.t1003.003
    - car.2013-07-001
    - attack.s0404
logsource:
    category: process_creation
    product: windows
detection:
    selection_esent_img:
        - Image|endswith: '\esentutl.exe'
        - OriginalFileName: '\esentutl.exe'
    selection_esent_cli:
        CommandLine|contains|windash:
            - 'vss'
            - ' /m '
            - ' /y '
    selection_susp_paths:
        CommandLine|contains:
            - '\config\RegBack\sam'
            - '\config\RegBack\security'
            - '\config\RegBack\system'
            - '\config\sam'
            - '\config\security'
            - '\config\system '        # space needed to avoid false positives with \config\systemprofile\
            - '\repair\sam'
            - '\repair\security'
            - '\repair\system'
            - '\windows\ntds\ntds.dit'
    condition: all of selection_esent_* or selection_susp_paths
falsepositives:
    - Copying sensitive files for legitimate use (eg. backup) or forensic investigation by legitimate incident responder or forensic investigator.
level: high
Convert to SIEM query
high Moderate High FP
Create Volume Shadow Copy with Powershell
Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information
status test author frack113 ATT&CK sub-technique id afd12fed-b0ec-45c9-a13d-aa86625dac81
carbon_black query
ScriptBlockText:Win32_ShadowCopy* ScriptBlockText:\).Create\(* ScriptBlockText:ClientAccessible*
view Sigma YAML 
title: Create Volume Shadow Copy with Powershell
id: afd12fed-b0ec-45c9-a13d-aa86625dac81
status: test
description: Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information
references:
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7
author: frack113
date: 2022-01-12
tags:
    - attack.credential-access
    - attack.t1003.003
    - attack.ds0005
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - Win32_ShadowCopy
            - ').Create('
            - ClientAccessible
    condition: selection
falsepositives:
    - Legitimate PowerShell scripts
level: high
Convert to SIEM query
high Strong High FP
CreateDump Process Dump
Detects uses of the createdump.exe LOLOBIN utility to dump process memory
status test author Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) ATT&CK sub-technique id 515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48
carbon_black query
(Image:\\createdump.exe OR OriginalFileName:FX_VER_INTERNALNAME_STR) (CommandLine:\ \-u\ * OR CommandLine:\ \-\-full\ * OR CommandLine:\ \-f\ * OR CommandLine:\ \-\-name\ * OR CommandLine:.dmp\ *)
view Sigma YAML 
title: CreateDump Process Dump
id: 515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48
related:
    - id: 1a1ed54a-2ba4-4221-94d5-01dee560d71e
      type: similar
status: test
description: Detects uses of the createdump.exe LOLOBIN utility to dump process memory
references:
    - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
    - https://twitter.com/bopin2020/status/1366400799199272960
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-04
modified: 2022-08-19
tags:
    - attack.stealth
    - attack.t1036
    - attack.t1003.001
    - attack.credential-access
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\createdump.exe'
        - OriginalFileName: 'FX_VER_INTERNALNAME_STR'
    selection_cli:
        CommandLine|contains:
            - ' -u ' # Short version of '--full'
            - ' --full '
            - ' -f ' # Short version of '--name'
            - ' --name '
            - '.dmp '
    condition: all of selection_*
falsepositives:
    - Command lines that use the same flags
level: high
Convert to SIEM query
high Moderate Medium FP
Creation Exe for Service with Unquoted Path
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
status test author frack113 ATT&CK sub-technique id 8c3c76ca-8f8b-4b1d-aaf3-81aebcd367c9
carbon_black query
TargetFilename:C\:\\program.exe
view Sigma YAML 
title: Creation Exe for Service with Unquoted Path
id: 8c3c76ca-8f8b-4b1d-aaf3-81aebcd367c9
status: test
description: |
    Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.
    Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.009/T1574.009.md
author: frack113
date: 2021-12-30
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.009
logsource:
    product: windows
    category: file_event
detection:
    selection:
        # Feel free to add more
        TargetFilename: 'C:\program.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Strong High FP
Creation of a Local Hidden User Account by Registry
Sysmon registry detection of a local hidden user account.
status test author Christian Burkard (Nextron Systems) ATT&CK sub-technique id 460479f3-80b7-42da-9c43-2cc1d54dbccd
carbon_black query
TargetObject:\\SAM\\SAM\\Domains\\Account\\Users\\Names\\* TargetObject:$\\\(Default\) Image:\\lsass.exe
view Sigma YAML 
title: Creation of a Local Hidden User Account by Registry
id: 460479f3-80b7-42da-9c43-2cc1d54dbccd
status: test
description: Sysmon registry detection of a local hidden user account.
references:
    - https://twitter.com/SBousseaden/status/1387530414185664538
author: Christian Burkard (Nextron Systems)
date: 2021-05-03
modified: 2025-10-31
tags:
    - attack.persistence
    - attack.t1136.001
logsource:
    product: windows
    category: registry_event
detection:
    selection:
        TargetObject|contains: '\SAM\SAM\Domains\Account\Users\Names\'
        TargetObject|endswith: '$\(Default)'
        Image|endswith: '\lsass.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_event/registry_event_add_local_hidden_user/info.yml
simulation:
    - type: atomic-red-team
      name: Create Hidden User in Registry
      technique: T1564.002
      atomic_guid: 173126b7-afe4-45eb-8680-fa9f6400431c
Convert to SIEM query
high Moderate High FP
Cred Dump Tools Dropped Files
Files with well-known filenames (parts of credential dump software or files produced by them) creation
status test author Teymur Kheirkhabarov, oscd.community ATT&CK sub-technique id 8fbf3271-1ef6-4e94-8210-03c2317947f6
carbon_black query
(TargetFilename:\\fgdump\-log* OR TargetFilename:\\kirbi* OR TargetFilename:\\pwdump* OR TargetFilename:\\pwhashes* OR TargetFilename:\\wce_ccache* OR TargetFilename:\\wce_krbtkts*) OR (TargetFilename:\\cachedump.exe OR TargetFilename:\\cachedump64.exe OR TargetFilename:\\DumpExt.dll OR TargetFilename:\\DumpSvc.exe OR TargetFilename:\\Dumpy.exe OR TargetFilename:\\fgexec.exe OR TargetFilename:\\lsremora.dll OR TargetFilename:\\lsremora64.dll OR TargetFilename:\\NTDS.out OR TargetFilename:\\procdump.exe OR TargetFilename:\\procdump64.exe OR TargetFilename:\\procdump64a.exe OR TargetFilename:\\pstgdump.exe OR TargetFilename:\\pwdump.exe OR TargetFilename:\\SAM.out OR TargetFilename:\\SECURITY.out OR TargetFilename:\\servpw.exe OR TargetFilename:\\servpw64.exe OR TargetFilename:\\SYSTEM.out OR TargetFilename:\\test.pwd OR TargetFilename:\\wceaux.dll)
view Sigma YAML 
title: Cred Dump Tools Dropped Files
id: 8fbf3271-1ef6-4e94-8210-03c2317947f6
status: test
description: Files with well-known filenames (parts of credential dump software or files produced by them) creation
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Teymur Kheirkhabarov, oscd.community
date: 2019-11-01
modified: 2025-10-25
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.t1003.002
    - attack.t1003.003
    - attack.t1003.004
    - attack.t1003.005
logsource:
    category: file_event
    product: windows
detection:
    selection:
        - TargetFilename|contains:
              - '\fgdump-log'
              - '\kirbi'
              - '\pwdump'
              - '\pwhashes'
              - '\wce_ccache'
              - '\wce_krbtkts'
        - TargetFilename|endswith:
              - '\cachedump.exe'
              - '\cachedump64.exe'
              - '\DumpExt.dll'
              - '\DumpSvc.exe'
              - '\Dumpy.exe'
              - '\fgexec.exe'
              - '\lsremora.dll'
              - '\lsremora64.dll'
              - '\NTDS.out'
              - '\procdump.exe'
              - '\procdump64.exe'
              - '\procdump64a.exe'
              - '\pstgdump.exe'
              - '\pwdump.exe'
              - '\SAM.out'
              - '\SECURITY.out'
              - '\servpw.exe'
              - '\servpw64.exe'
              - '\SYSTEM.out'
              - '\test.pwd'
              - '\wceaux.dll'
    condition: selection
falsepositives:
    - Legitimate Administrator using tool for password recovery
level: high
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files/info.yml
Convert to SIEM query
high Strong Medium FP
Credential Dumping Activity By Python Based Tool
Detects LSASS process access for potential credential dumping by a Python-like tool such as LaZagne or Pypykatz.
status stable author Bhabesh Raj, Jonhnathan Ribeiro ATT&CK sub-technique id f8be3e82-46a3-4e4e-ada5-8e538ae8b9c9
carbon_black query
TargetImage:\\lsass.exe (CallTrace:_ctypes.pyd\+* CallTrace:\:\\Windows\\System32\\KERNELBASE.dll\+* CallTrace:\:\\Windows\\SYSTEM32\\ntdll.dll\+*) (CallTrace:python27.dll\+* OR CallTrace:python3*.dll\+*) GrantedAccess:0x1FFFFF
view Sigma YAML 
title: Credential Dumping Activity By Python Based Tool
id: f8be3e82-46a3-4e4e-ada5-8e538ae8b9c9
related:
    - id: 4b9a8556-99c4-470b-a40c-9c8d02c77ed0
      type: obsolete
    - id: 7186e989-4ed7-4f4e-a656-4674b9e3e48b
      type: obsolete
status: stable
description: Detects LSASS process access for potential credential dumping by a Python-like tool such as LaZagne or Pypykatz.
references:
    - https://twitter.com/bh4b3sh/status/1303674603819081728
    - https://github.com/skelsec/pypykatz
author: Bhabesh Raj, Jonhnathan Ribeiro
date: 2023-11-27
modified: 2023-11-29
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.s0349
logsource:
    category: process_access
    product: windows
detection:
    selection:
        TargetImage|endswith: '\lsass.exe'
        CallTrace|contains|all:
            - '_ctypes.pyd+'
            - ':\Windows\System32\KERNELBASE.dll+'
            - ':\Windows\SYSTEM32\ntdll.dll+'
        CallTrace|contains:
            - 'python27.dll+'
            - 'python3*.dll+'
        GrantedAccess: '0x1FFFFF'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
Credential Dumping Attempt Via Svchost
Detects when a process tries to access the memory of svchost to potentially dump credentials.
status test author Florent Labouyrie ATT&CK technique id 174afcfa-6e40-4ae9-af64-496546389294
carbon_black query
(TargetImage:\\svchost.exe GrantedAccess:0x143a) (-(SourceImage:\\services.exe OR SourceImage:\\msiexec.exe))
view Sigma YAML 
title: Credential Dumping Attempt Via Svchost
id: 174afcfa-6e40-4ae9-af64-496546389294
status: test
description: Detects when a process tries to access the memory of svchost to potentially dump credentials.
references:
    - Internal Research
author: Florent Labouyrie
date: 2021-04-30
modified: 2022-10-09
tags:
    - attack.privilege-escalation
    - attack.t1548
logsource:
    product: windows
    category: process_access
detection:
    selection:
        TargetImage|endswith: '\svchost.exe'
        GrantedAccess: '0x143a'
    filter_main_known_processes:
        SourceImage|endswith:
            - '\services.exe'
            - '\msiexec.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Strong Medium FP
Credential Dumping Attempt Via WerFault
Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.
status test author Florian Roth (Nextron Systems) ATT&CK sub-technique id e5b33f7d-eb93-48b6-9851-09e1e610b6d7
carbon_black query
SourceImage:\\WerFault.exe TargetImage:\\lsass.exe GrantedAccess:0x1FFFFF
view Sigma YAML 
title: Credential Dumping Attempt Via WerFault
id: e5b33f7d-eb93-48b6-9851-09e1e610b6d7
status: test
description: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.
references:
    - https://github.com/helpsystems/nanodump/commit/578116faea3d278d53d70ea932e2bbfe42569507
author: Florian Roth (Nextron Systems)
date: 2012-06-27
modified: 2023-11-29
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.s0002
logsource:
    category: process_access
    product: windows
detection:
    selection:
        SourceImage|endswith: '\WerFault.exe'
        TargetImage|endswith: '\lsass.exe'
        GrantedAccess: '0x1FFFFF'
    condition: selection
falsepositives:
    - Actual failures in lsass.exe that trigger a crash dump (unlikely)
    - Unknown cases in which WerFault accesses lsass.exe
level: high
Convert to SIEM query
high Strong Medium FP
Credential Dumping Tools Service Execution - Security
Detects well-known credential dumping tools execution via service execution events
status test author Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community ATT&CK sub-technique id f0d1feba-4344-4ca9-8121-a6c97bd6df52
carbon_black query
EventID:4697 (ServiceFileName:cachedump* OR ServiceFileName:dumpsvc* OR ServiceFileName:fgexec* OR ServiceFileName:gsecdump* OR ServiceFileName:mimidrv* OR ServiceFileName:pwdump* OR ServiceFileName:servpw*)
view Sigma YAML 
title: Credential Dumping Tools Service Execution - Security
id: f0d1feba-4344-4ca9-8121-a6c97bd6df52
related:
    - id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
      type: derived
status: test
description: Detects well-known credential dumping tools execution via service execution events
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
date: 2017-03-05
modified: 2022-11-29
tags:
    - attack.credential-access
    - attack.execution
    - attack.t1003.001
    - attack.t1003.002
    - attack.t1003.004
    - attack.t1003.005
    - attack.t1003.006
    - attack.t1569.002
    - attack.s0005
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    selection:
        EventID: 4697
        ServiceFileName|contains:
            - 'cachedump'
            - 'dumpsvc'
            - 'fgexec'
            - 'gsecdump'
            - 'mimidrv'
            - 'pwdump'
            - 'servpw'
    condition: selection
falsepositives:
    - Legitimate Administrator using credential dumping tool for password recovery
level: high
Convert to SIEM query
high Strong Medium FP
Credential Dumping Tools Service Execution - System
Detects well-known credential dumping tools execution via service execution events
status test author Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community ATT&CK sub-technique id 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
carbon_black query
Provider_Name:Service\ Control\ Manager EventID:7045 (ImagePath:cachedump* OR ImagePath:dumpsvc* OR ImagePath:fgexec* OR ImagePath:gsecdump* OR ImagePath:mimidrv* OR ImagePath:pwdump* OR ImagePath:servpw*)
view Sigma YAML 
title: Credential Dumping Tools Service Execution - System
id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
status: test
description: Detects well-known credential dumping tools execution via service execution events
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
date: 2017-03-05
modified: 2022-11-29
tags:
    - attack.credential-access
    - attack.execution
    - attack.t1003.001
    - attack.t1003.002
    - attack.t1003.004
    - attack.t1003.005
    - attack.t1003.006
    - attack.t1569.002
    - attack.s0005
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ImagePath|contains:
            - 'cachedump'
            - 'dumpsvc'
            - 'fgexec'
            - 'gsecdump'
            - 'mimidrv'
            - 'pwdump'
            - 'servpw'
    condition: selection
falsepositives:
    - Legitimate Administrator using credential dumping tool for password recovery
level: high
Convert to SIEM query
high Moderate Medium FP
Credentials In Files
Detecting attempts to extract passwords with grep and laZagne
status test author Igor Fits, Mikhail Larin, oscd.community ATT&CK sub-technique id 53b1b378-9b06-4992-b972-dde6e423d2b4
carbon_black query
(Image:\/grep CommandLine:password*) OR CommandLine:laZagne*
view Sigma YAML 
title: Credentials In Files
id: 53b1b378-9b06-4992-b972-dde6e423d2b4
status: test
description: Detecting attempts to extract passwords with grep and laZagne
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
author: 'Igor Fits, Mikhail Larin, oscd.community'
date: 2020-10-19
modified: 2021-11-27
tags:
    - attack.credential-access
    - attack.t1552.001
logsource:
    product: macos
    category: process_creation
detection:
    selection1:
        Image|endswith: '/grep'
        CommandLine|contains: 'password'
    selection2:
        CommandLine|contains: 'laZagne'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
Credentials In Files - Linux
Detecting attempts to extract passwords with grep
status test author Igor Fits, oscd.community ATT&CK sub-technique id df3fcaea-2715-4214-99c5-0056ea59eb35
carbon_black query
type:EXECVE ("grep" "password")
view Sigma YAML 
title: Credentials In Files - Linux
id: df3fcaea-2715-4214-99c5-0056ea59eb35
status: test
description: 'Detecting attempts to extract passwords with grep'
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
author: 'Igor Fits, oscd.community'
date: 2020-10-15
modified: 2023-04-30
tags:
    - attack.credential-access
    - attack.t1552.001
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'EXECVE'
    keywords:
        '|all':
            - 'grep'
            - 'password'
    condition: selection and keywords
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
Critical Hive In Suspicious Location Access Bits Cleared
Detects events from the Kernel-General ETW indicating that the access bits of a hive with a system like hive name located in the temp directory have been reset. This occurs when an application tries to access a hive and the hive has not be recognized since the last 7 days (by default). Registry hive dumping utilities such as QuarksPwDump were seen emitting this behavior.
status test author Florian Roth (Nextron Systems) ATT&CK sub-technique id 39f919f3-980b-4e6f-a975-8af7e507ef2b
carbon_black query
EventID:16 Provider_Name:Microsoft\-Windows\-Kernel\-General (HiveName:\\Temp\\SAM* OR HiveName:\\Temp\\SECURITY*)
view Sigma YAML 
title: Critical Hive In Suspicious Location Access Bits Cleared
id: 39f919f3-980b-4e6f-a975-8af7e507ef2b
related:
    - id: 839dd1e8-eda8-4834-8145-01beeee33acd
      type: obsolete
status: test
description: |
    Detects events from the Kernel-General ETW indicating that the access bits of a hive with a system like hive name located in the temp directory have been reset.
    This occurs when an application tries to access a hive and the hive has not be recognized since the last 7 days (by default).
    Registry hive dumping utilities such as QuarksPwDump were seen emitting this behavior.
references:
    - https://github.com/nasbench/Misc-Research/blob/b20da2336de0f342d31ef4794959d28c8d3ba5ba/ETW/Microsoft-Windows-Kernel-General.md
author: Florian Roth (Nextron Systems)
date: 2017-05-15
modified: 2024-01-18
tags:
    - attack.credential-access
    - attack.t1003.002
logsource:
    product: windows
    service: system
detection:
    selection:
        EventID: 16
        Provider_Name: Microsoft-Windows-Kernel-General
        HiveName|contains:
            - '\Temp\SAM'
            - '\Temp\SECURITY'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Strong Low FP
Cross Site Scripting Strings
Detects XSS attempts injected via GET requests in access logs
status test author Saw Win Naung, Nasreddine Bencherchali ATT&CK technique id 65354b83-a2ea-4ea6-8414-3ab38be0d409
carbon_black query
"cs-method":GET ("=<script>" OR "=%3Cscript%3E" OR "=%253Cscript%253E" OR "<iframe\ " OR "%3Ciframe\ " OR "<svg\ " OR "%3Csvg\ " OR "document.cookie" OR "document.domain" OR "\ onerror=" OR "\ onresize=" OR "\ onload=\"" OR "onmouseover=" OR "$\{alert" OR "javascript\:alert" OR "javascript%3Aalert") (-"sc-status":404)
view Sigma YAML 
title: Cross Site Scripting Strings
id: 65354b83-a2ea-4ea6-8414-3ab38be0d409
status: test
description: Detects XSS attempts injected via GET requests in access logs
references:
    - https://github.com/payloadbox/xss-payload-list
    - https://portswigger.net/web-security/cross-site-scripting/contexts
author: Saw Win Naung, Nasreddine Bencherchali
date: 2021-08-15
modified: 2022-06-14
tags:
    - attack.initial-access
    - attack.t1189
logsource:
    category: webserver
detection:
    select_method:
        cs-method: 'GET'
    keywords:
        - '=<script>'
        - '=%3Cscript%3E'
        - '=%253Cscript%253E'
        - '<iframe '
        - '%3Ciframe '
        - '<svg '
        - '%3Csvg '
        - 'document.cookie'
        - 'document.domain'
        - ' onerror='
        - ' onresize='
        - ' onload="'
        - 'onmouseover='
        - '${alert'
        - 'javascript:alert'
        - 'javascript%3Aalert'
    filter:
        sc-status: 404
    condition: select_method and keywords and not filter
falsepositives:
    - JavaScripts,CSS Files and PNG files
    - User searches in search boxes of the respective website
    - Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as "User Agent" strings and more response codes
level: high
Convert to SIEM query
high Moderate High FP
Crypto Miner User Agent
Detects suspicious user agent strings used by crypto miners in proxy logs
status test author Florian Roth (Nextron Systems) ATT&CK sub-technique id fa935401-513b-467b-81f4-f9e77aa0dd78
carbon_black query
"c-useragent":XMRig\ * OR "c-useragent":ccminer*
view Sigma YAML 
title: Crypto Miner User Agent
id: fa935401-513b-467b-81f4-f9e77aa0dd78
status: test
description: Detects suspicious user agent strings used by crypto miners in proxy logs
references:
    - https://github.com/xmrig/xmrig/blob/da22b3e6c45825f3ac1f208255126cb8585cd4fc/src/base/kernel/Platform_win.cpp#L65
    - https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h
author: Florian Roth (Nextron Systems)
date: 2019-10-21
modified: 2021-11-27
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
        c-useragent|startswith:
        # XMRig
            - 'XMRig '
        # CCMiner
            - 'ccminer'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Strong Medium FP
Csc.EXE Execution Form Potentially Suspicious Parent
Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery.
status test author Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) ATT&CK sub-technique id b730a276-6b63-41b8-bcf8-55930c8fc6ee
carbon_black query
(Image:\\csc.exe OR OriginalFileName:csc.exe) ((ParentImage:\\cscript.exe OR ParentImage:\\excel.exe OR ParentImage:\\mshta.exe OR ParentImage:\\onenote.exe OR ParentImage:\\outlook.exe OR ParentImage:\\powerpnt.exe OR ParentImage:\\winword.exe OR ParentImage:\\wscript.exe) OR ((ParentImage:\\powershell.exe OR ParentImage:\\pwsh.exe) (ParentCommandLine:\-Encoded\ * OR ParentCommandLine:FromBase64String*)) OR (ParentCommandLine:(?:[Pp]rogram[Dd]ata|%(?:[Ll]ocal)?[Aa]pp[Dd]ata%|\\\\[Aa]pp[Dd]ata\\\\(?:[Ll]ocal(?:[Ll]ow)?|[Rr]oaming))\\\\[^\\\\]{1,256}$ OR (ParentCommandLine:\:\\PerfLogs\\* OR ParentCommandLine:\:\\Users\\Public\\* OR ParentCommandLine:\:\\Windows\\Temp\\* OR ParentCommandLine:\\Temporary\ Internet*) OR (ParentCommandLine:\:\\Users\\* ParentCommandLine:\\Favorites\\*) OR (ParentCommandLine:\:\\Users\\* ParentCommandLine:\\Favourites\\*) OR (ParentCommandLine:\:\\Users\\* ParentCommandLine:\\Contacts\\*) OR (ParentCommandLine:\:\\Users\\* ParentCommandLine:\\Pictures\\*))) (-((ParentImage:C\:\\Program\ Files\ \(x86\)\\* OR ParentImage:C\:\\Program\ Files\\*) OR ParentImage:C\:\\Windows\\System32\\sdiagnhost.exe OR ParentImage:C\:\\Windows\\System32\\inetsrv\\w3wp.exe)) (-(ParentImage:C\:\\ProgramData\\chocolatey\\choco.exe OR ParentCommandLine:\\ProgramData\\Microsoft\\Windows\ Defender\ Advanced\ Threat\ Protection* OR (ParentCommandLine:JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw* OR ParentCommandLine:cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA* OR ParentCommandLine:nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA*)))
view Sigma YAML 
title: Csc.EXE Execution Form Potentially Suspicious Parent
id: b730a276-6b63-41b8-bcf8-55930c8fc6ee
status: test
description: Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery.
references:
    - https://www.uptycs.com/blog/warzonerat-can-now-evade-with-process-hollowing
    - https://reaqta.com/2017/11/short-journey-darkvnc/
    - https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
date: 2019-02-11
modified: 2026-03-23
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.005
    - attack.t1059.007
    - attack.t1218.005
    - attack.t1027.004
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\csc.exe'
        - OriginalFileName: 'csc.exe'
    selection_parent_generic:
        ParentImage|endswith:
            - '\cscript.exe'
            - '\excel.exe'
            - '\mshta.exe'
            - '\onenote.exe'
            - '\outlook.exe'
            - '\powerpnt.exe'
            - '\winword.exe'
            - '\wscript.exe'
    selection_parent_powershell:
        ParentImage|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        ParentCommandLine|contains:
            - '-Encoded '
            - 'FromBase64String'
    selection_parent_susp_location:
        - ParentCommandLine|re: '(?:[Pp]rogram[Dd]ata|%(?:[Ll]ocal)?[Aa]pp[Dd]ata%|\\[Aa]pp[Dd]ata\\(?:[Ll]ocal(?:[Ll]ow)?|[Rr]oaming))\\[^\\]{1,256}$'
        - ParentCommandLine|contains:
              - ':\PerfLogs\'
              - ':\Users\Public\'
              - ':\Windows\Temp\'
              - '\Temporary Internet'
        - ParentCommandLine|contains|all:
              - ':\Users\'
              - '\Favorites\'
        - ParentCommandLine|contains|all:
              - ':\Users\'
              - '\Favourites\'
        - ParentCommandLine|contains|all:
              - ':\Users\'
              - '\Contacts\'
        - ParentCommandLine|contains|all:
              - ':\Users\'
              - '\Pictures\'
    filter_main_programfiles:
        # Note: this is a generic filter. You could baseline execution in your env for a more robust rule
        ParentImage|startswith:
            - 'C:\Program Files (x86)\' # https://twitter.com/gN3mes1s/status/1206874118282448897
            - 'C:\Program Files\' # https://twitter.com/gN3mes1s/status/1206874118282448897
    filter_main_sdiagnhost:
        ParentImage: 'C:\Windows\System32\sdiagnhost.exe' # https://twitter.com/gN3mes1s/status/1206874118282448897
    filter_main_w3p:
        ParentImage: 'C:\Windows\System32\inetsrv\w3wp.exe' # https://twitter.com/gabriele_pippi/status/1206907900268072962
    filter_optional_chocolatey:
        ParentImage: 'C:\ProgramData\chocolatey\choco.exe' # Chocolatey https://chocolatey.org/
    filter_optional_defender:
        ParentCommandLine|contains: '\ProgramData\Microsoft\Windows Defender Advanced Threat Protection'
    filter_optional_ansible:
        # Note: As ansible is widely used we exclude it with this generic filter.
        # A better option would be to filter based on script content basis or other marker while hunting
        ParentCommandLine|contains:
            # '{"failed":true,"msg":"Ansible requires PowerShell v3.0 or newer"}'
            - 'JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw'
            - 'cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA'
            - 'nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA'
    condition: selection_img and 1 of selection_parent_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
Cscript/Wscript Uncommon Script Extension Execution
Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) extension
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK sub-technique id 99b7460d-c9f1-40d7-a316-1f36f61d52ee
carbon_black query
((OriginalFileName:wscript.exe OR OriginalFileName:cscript.exe) OR (Image:\\wscript.exe OR Image:\\cscript.exe)) (CommandLine:.csv* OR CommandLine:.dat* OR CommandLine:.doc* OR CommandLine:.gif* OR CommandLine:.jpeg* OR CommandLine:.jpg* OR CommandLine:.png* OR CommandLine:.ppt* OR CommandLine:.txt* OR CommandLine:.xls* OR CommandLine:.xml*)
view Sigma YAML 
title: Cscript/Wscript Uncommon Script Extension Execution
id: 99b7460d-c9f1-40d7-a316-1f36f61d52ee
status: test
description: Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) extension
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-15
modified: 2023-06-19
tags:
    - attack.execution
    - attack.t1059.005
    - attack.t1059.007
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName:
              - 'wscript.exe'
              - 'cscript.exe'
        - Image|endswith:
              - '\wscript.exe'
              - '\cscript.exe'
    selection_extension:
        CommandLine|contains:
            # Note: add additional potential suspicious extension
            # We could specify the "//E:" flag to avoid typos by admin. But since that's prone to blind spots via the creation of assoc it's better not to include it
            - '.csv'
            - '.dat'
            - '.doc'
            - '.gif'
            - '.jpeg'
            - '.jpg'
            - '.png'
            - '.ppt'
            - '.txt'
            - '.xls'
            - '.xml'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
Curl Download And Execute Combination
Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.
status test author Sreeman, Nasreddine Bencherchali (Nextron Systems) ATT&CK technique id 21dd6d38-2b18-4453-9404-a0fe4a0cc288
carbon_black query
(CommandLine:\ \-c\ * OR CommandLine:\ \/c\ * OR CommandLine:\ –c\ * OR CommandLine:\ —c\ * OR CommandLine:\ ―c\ *) (CommandLine:curl\ * CommandLine:http* CommandLine:\-o* CommandLine:&*)
view Sigma YAML 
title: Curl Download And Execute Combination
id: 21dd6d38-2b18-4453-9404-a0fe4a0cc288
status: test
description: Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.
references:
    - https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983 # Dead Link
author: Sreeman, Nasreddine Bencherchali (Nextron Systems)
date: 2020-01-13
modified: 2024-03-05
tags:
    - attack.stealth
    - attack.t1218
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|windash: ' -c '
        CommandLine|contains|all:
            - 'curl '
            - 'http'
            - '-o'
            - '&'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
Custom File Open Handler Executes PowerShell
Detects the abuse of custom file open handler, executing powershell
status test author CD_R0M_ ATT&CK technique id 7530b96f-ad8e-431d-a04d-ac85cc461fdc
carbon_black query
TargetObject:shell\\open\\command\\* (Details:powershell* Details:\-command*)
view Sigma YAML 
title: Custom File Open Handler Executes PowerShell
id: 7530b96f-ad8e-431d-a04d-ac85cc461fdc
status: test
description: Detects the abuse of custom file open handler, executing powershell
references:
    - https://news.sophos.com/en-us/2022/02/01/solarmarker-campaign-used-novel-registry-changes-to-establish-persistence/?cmp=30728
author: CD_R0M_
date: 2022-06-11
modified: 2023-08-17
tags:
    - attack.stealth
    - attack.t1202
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: 'shell\open\command\'
        Details|contains|all:
            - 'powershell'
            - '-command'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Low FP
DCOM InternetExplorer.Application Iertutil DLL Hijack - Security
Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program Files\Internet Explorer\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.
status test author Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR) ATT&CK sub-technique id c39f0c81-7348-4965-ab27-2fde35a1b641
carbon_black query
(EventID:5145 RelativeTargetName:\\Internet\ Explorer\\iertutil.dll) (-SubjectUserName:$)
view Sigma YAML 
title: DCOM InternetExplorer.Application Iertutil DLL Hijack - Security
id: c39f0c81-7348-4965-ab27-2fde35a1b641
status: test
description: Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program Files\Internet Explorer\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.
references:
    - https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)
date: 2020-10-12
modified: 2022-11-26
tags:
    - attack.lateral-movement
    - attack.t1021.002
    - attack.t1021.003
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5145
        RelativeTargetName|endswith: '\Internet Explorer\iertutil.dll'
    filter:
        SubjectUserName|endswith: '$'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
DEWMODE Webshell Access
Detects access to DEWMODE webshell as described in FIREEYE report
status test author Florian Roth (Nextron Systems) ATT&CK sub-technique id fdf96c90-42d5-4406-8a9c-14a2c9a016b5
carbon_black query
("cs-uri-query":*dwn=* "cs-uri-query":&fn=* "cs-uri-query":.html**) OR ("cs-uri-query":&dwn=* "cs-uri-query":*fn=* "cs-uri-query":.html**)
view Sigma YAML 
title: DEWMODE Webshell Access
id: fdf96c90-42d5-4406-8a9c-14a2c9a016b5
status: test
description: Detects access to DEWMODE webshell as described in FIREEYE report
references:
    - https://www.mandiant.com/resources/blog/accellion-fta-exploited-for-data-theft-and-extortion
author: Florian Roth (Nextron Systems)
date: 2021-02-22
modified: 2023-01-02
tags:
    - attack.persistence
    - attack.t1505.003
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection1:
        cs-uri-query|contains|all:
            - '?dwn='
            - '&fn='
            - '.html?'
    selection2:
        cs-uri-query|contains|all:
            - '&dwn='
            - '?fn='
            - '.html?'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
DHCP Callout DLL Installation
Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)
status test author Dimitrios Slamaris ATT&CK sub-technique id 9d3436ef-9476-4c43-acca-90ce06bdf33a
carbon_black query
TargetObject:\\Services\\DHCPServer\\Parameters\\CalloutDlls OR TargetObject:\\Services\\DHCPServer\\Parameters\\CalloutEnabled
view Sigma YAML 
title: DHCP Callout DLL Installation
id: 9d3436ef-9476-4c43-acca-90ce06bdf33a
status: test
description: Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)
references:
    - https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
    - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
    - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
author: Dimitrios Slamaris
date: 2017-05-15
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.defense-impairment
    - attack.t1574.001
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith:
            - '\Services\DHCPServer\Parameters\CalloutDlls'
            - '\Services\DHCPServer\Parameters\CalloutEnabled'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Low FP
DHCP Server Error Failed Loading the CallOut DLL
This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded
status test author Dimitrios Slamaris, @atc_project (fix) ATT&CK sub-technique id 75edd3fd-7146-48e5-9848-3013d7f0282c
carbon_black query
(EventID:1031 OR EventID:1032 OR EventID:1034) Provider_Name:Microsoft\-Windows\-DHCP\-Server
view Sigma YAML 
title: DHCP Server Error Failed Loading the CallOut DLL
id: 75edd3fd-7146-48e5-9848-3013d7f0282c
status: test
description: This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded
references:
    - https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
    - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
    - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
author: 'Dimitrios Slamaris, @atc_project (fix)'
date: 2017-05-15
modified: 2022-12-25
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    product: windows
    service: system
detection:
    selection:
        EventID:
            - 1031
            - 1032
            - 1034
        Provider_Name: Microsoft-Windows-DHCP-Server
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Low FP
DHCP Server Loaded the CallOut DLL
This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded
status test author Dimitrios Slamaris ATT&CK sub-technique id 13fc89a9-971e-4ca6-b9dc-aa53a445bf40
carbon_black query
EventID:1033 Provider_Name:Microsoft\-Windows\-DHCP\-Server
view Sigma YAML 
title: DHCP Server Loaded the CallOut DLL
id: 13fc89a9-971e-4ca6-b9dc-aa53a445bf40
status: test
description: This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded
references:
    - https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
    - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
    - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
author: Dimitrios Slamaris
date: 2017-05-15
modified: 2022-12-25
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    product: windows
    service: system
detection:
    selection:
        EventID: 1033
        Provider_Name: Microsoft-Windows-DHCP-Server
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
DLL Load via LSASS
Detects a method to load DLL via LSASS process using an undocumented Registry key
status test author Florian Roth (Nextron Systems) ATT&CK sub-technique id b3503044-60ce-4bf4-bbcb-e3db98788823
carbon_black query
(TargetObject:\\CurrentControlSet\\Services\\NTDS\\DirectoryServiceExtPt* OR TargetObject:\\CurrentControlSet\\Services\\NTDS\\LsaDbExtPt*) (-(Image:C\:\\Windows\\system32\\lsass.exe (Details:%%systemroot%%\\system32\\ntdsa.dll OR Details:%%systemroot%%\\system32\\lsadb.dll)))
view Sigma YAML 
title: DLL Load via LSASS
id: b3503044-60ce-4bf4-bbcb-e3db98788823
status: test
description: Detects a method to load DLL via LSASS process using an undocumented Registry key
references:
    - https://blog.xpnsec.com/exploring-mimikatz-part-1/
    - https://twitter.com/SBousseaden/status/1183745981189427200
author: Florian Roth (Nextron Systems)
date: 2019-10-16
modified: 2022-04-21
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1547.008
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt'
            - '\CurrentControlSet\Services\NTDS\LsaDbExtPt'
    filter_domain_controller:
        Image: 'C:\Windows\system32\lsass.exe'
        Details:
            - '%%systemroot%%\system32\ntdsa.dll'
            - '%%systemroot%%\system32\lsadb.dll'
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Strong High FP
DLL Loaded From Suspicious Location Via Cmspt.EXE
Detects cmstp loading "dll" or "ocx" files from suspicious locations
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK sub-technique id 75e508f7-932d-4ebc-af77-269237a84ce1
carbon_black query
Image:\\cmstp.exe (ImageLoaded:\\PerfLogs\\* OR ImageLoaded:\\ProgramData\\* OR ImageLoaded:\\Users\\* OR ImageLoaded:\\Windows\\Temp\\* OR ImageLoaded:C\:\\Temp\\*) (ImageLoaded:.dll OR ImageLoaded:.ocx)
view Sigma YAML 
title: DLL Loaded From Suspicious Location Via Cmspt.EXE
id: 75e508f7-932d-4ebc-af77-269237a84ce1
status: test
description: Detects cmstp loading "dll" or "ocx" files from suspicious locations
references:
    - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/TTPs/Defense%20Evasion/T1218%20-%20Signed%20Binary%20Proxy%20Execution/T1218.003%20-%20CMSTP/Procedures.yaml
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-30
modified: 2023-02-17
tags:
    - attack.stealth
    - attack.t1218.003
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\cmstp.exe'
        ImageLoaded|contains:
            # Add more suspicious paths as you see fit in your env
            - '\PerfLogs\'
            - '\ProgramData\'
            - '\Users\'
            - '\Windows\Temp\'
            - 'C:\Temp\'
        ImageLoaded|endswith:
            - '.dll'
            - '.ocx'
    condition: selection
falsepositives:
    - Unikely
level: high
Convert to SIEM query
high Moderate Medium FP
DLL Search Order Hijackig Via Additional Space in Path
Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...) but with a space in order to trick DLL load search order and perform a "DLL Search Order Hijacking" attack
status test author frack113, Nasreddine Bencherchali (Nextron Systems) ATT&CK sub-technique id b6f91281-20aa-446a-b986-38a92813a18f
carbon_black query
(TargetFilename:C\:\\Windows\ \\* OR TargetFilename:C\:\\Program\ Files\ \\* OR TargetFilename:C\:\\Program\ Files\ \(x86\)\ \\*) TargetFilename:.dll
view Sigma YAML 
title: DLL Search Order Hijackig Via Additional Space in Path
id: b6f91281-20aa-446a-b986-38a92813a18f
status: test
description: |
    Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...)
    but with a space in order to trick DLL load search order and perform a "DLL Search Order Hijacking" attack
references:
    - https://twitter.com/cyb3rops/status/1552932770464292864
    - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-30
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|startswith:
            - 'C:\Windows \'
            - 'C:\Program Files \'
            - 'C:\Program Files (x86) \'
        TargetFilename|endswith: '.dll'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
DLL Sideloading Of ShellChromeAPI.DLL
Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary in combination with the "PhoneDeepLink" flag tries to load this DLL. Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK sub-technique id ee4c5d06-3abc-48cc-8885-77f1c20f4451
carbon_black query
ImageLoaded:\\ShellChromeAPI.dll
view Sigma YAML 
title: DLL Sideloading Of ShellChromeAPI.DLL
id: ee4c5d06-3abc-48cc-8885-77f1c20f4451
related:
    - id: e173ad47-4388-4012-ae62-bd13f71c18a8
      type: similar
status: test
description: |
    Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary in combination with the "PhoneDeepLink" flag tries to load this DLL.
    Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter
references:
    - https://mobile.twitter.com/0gtweet/status/1564131230941122561
    - https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-01
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        # The DLL shouldn't exist on Windows anymore. If for some reason you still have it. You could filter out legitimate calls
        ImageLoaded|endswith: '\ShellChromeAPI.dll'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
DLL Sideloading by VMware Xfer Utility
Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK sub-technique id ebea773c-a8f1-42ad-a856-00cb221966e8
carbon_black query
Image:\\VMwareXferlogs.exe (-Image:C\:\\Program\ Files\\VMware\\*)
view Sigma YAML 
title: DLL Sideloading by VMware Xfer Utility
id: ebea773c-a8f1-42ad-a856-00cb221966e8
status: test
description: Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL
references:
    - https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-02
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith: '\VMwareXferlogs.exe'
    filter: # VMware might be installed in another path so update the rule accordingly
        Image|startswith: 'C:\Program Files\VMware\'
    condition: selection and not filter
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate High FP
DNS Exfiltration and Tunneling Tools Execution
Well-known DNS Exfiltration tools execution
status test author Daniil Yugoslavskiy, oscd.community ATT&CK sub-technique id 98a96a5a-64a0-4c42-92c5-489da3866cb0
carbon_black query
Image:\\iodine.exe OR Image:\\dnscat2*
view Sigma YAML 
title: DNS Exfiltration and Tunneling Tools Execution
id: 98a96a5a-64a0-4c42-92c5-489da3866cb0
status: test
description: Well-known DNS Exfiltration tools execution
references:
    - https://github.com/iagox86/dnscat2
    - https://github.com/yarrick/iodine
author: Daniil Yugoslavskiy, oscd.community
date: 2019-10-24
modified: 2021-11-27
tags:
    - attack.exfiltration
    - attack.t1048.001
    - attack.command-and-control
    - attack.t1071.004
    - attack.t1132.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\iodine.exe'
        - Image|contains: '\dnscat2'
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Strong Medium FP
DNS HybridConnectionManager Service Bus
Detects Azure Hybrid Connection Manager services querying the Azure service bus service
status test author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) ATT&CK technique id 7bd3902d-8b8b-4dd4-838a-c6862d40150d
carbon_black query
QueryName:servicebus.windows.net* Image:HybridConnectionManager*
view Sigma YAML 
title: DNS HybridConnectionManager Service Bus
id: 7bd3902d-8b8b-4dd4-838a-c6862d40150d
status: test
description: Detects Azure Hybrid Connection Manager services querying the Azure service bus service
references:
    - https://twitter.com/Cyb3rWard0g/status/1381642789369286662
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2021-04-12
modified: 2023-01-16
tags:
    - attack.persistence
    - attack.t1554
logsource:
    product: windows
    category: dns_query
detection:
    selection:
        QueryName|contains: 'servicebus.windows.net'
        Image|contains: 'HybridConnectionManager'
    condition: selection
falsepositives:
    - Legitimate use of Azure Hybrid Connection Manager and the Azure Service Bus service
level: high
Convert to SIEM query
high Basic High FP
DNS Query To Katz Stealer Domains
Detects DNS queries to domains associated with Katz Stealer malware. Katz Stealer is a malware variant that is known to be used for stealing sensitive information from compromised systems. In Enterprise environments, DNS queries to these domains may indicate potential malicious activity or compromise.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) ATT&CK sub-technique id 9c3d6e32-f4c8-4d73-8b8f-95c3b383a13c
carbon_black query
QueryName:katz\-panel.com* OR QueryName:katz\-stealer.com* OR QueryName:katzstealer.com* OR QueryName:twist2katz.com*
view Sigma YAML 
title: DNS Query To Katz Stealer Domains
id: 9c3d6e32-f4c8-4d73-8b8f-95c3b383a13c
related:
    - id: 6b0c762f-0e1b-435f-a829-5943b08fe36a
      type: similar
status: experimental
description: |
    Detects DNS queries to domains associated with Katz Stealer malware.
    Katz Stealer is a malware variant that is known to be used for stealing sensitive information from compromised systems.
    In Enterprise environments, DNS queries to these domains may indicate potential malicious activity or compromise.
references:
    - Internal Research
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-05-22
tags:
    - attack.command-and-control
    - attack.t1071.004
    - detection.emerging-threats
logsource:
    product: windows
    category: dns_query
detection:
    selection:
        QueryName|contains:
            - 'katz-panel.com'
            - 'katz-stealer.com'
            - 'katzstealer.com'
            - 'twist2katz.com'
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Basic High FP
DNS Query To Katz Stealer Domains - Network
Detects DNS queries to domains associated with Katz Stealer malware. Katz Stealer is a malware variant that is known to be used for stealing sensitive information from compromised systems. In Enterprise environments, DNS queries to these domains may indicate potential malicious activity or compromise.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) ATT&CK sub-technique id 6b0c762f-0e1b-435f-a829-5943b08fe36a
carbon_black query
query:katz\-panel.com* OR query:katz\-stealer.com* OR query:katzstealer.com* OR query:twist2katz.com*
view Sigma YAML 
title: DNS Query To Katz Stealer Domains - Network
id: 6b0c762f-0e1b-435f-a829-5943b08fe36a
related:
    - id: 9c3d6e32-f4c8-4d73-8b8f-95c3b383a13c
      type: similar
status: experimental
description: |
    Detects DNS queries to domains associated with Katz Stealer malware.
    Katz Stealer is a malware variant that is known to be used for stealing sensitive information from compromised systems.
    In Enterprise environments, DNS queries to these domains may indicate potential malicious activity or compromise.
references:
    - Internal research
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-05-22
tags:
    - attack.command-and-control
    - attack.t1071.004
    - detection.emerging-threats
logsource:
    category: dns
detection:
    selection:
        query|contains:
            - 'katz-panel.com'
            - 'katz-stealer.com'
            - 'katzstealer.com'
            - 'twist2katz.com'
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate High FP
DNS Query Tor .Onion Address - Sysmon
Detects DNS queries to an ".onion" address related to Tor routing networks
status test author frack113 ATT&CK sub-technique id b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544
carbon_black query
QueryName:.hiddenservice.net OR QueryName:.onion.ca OR QueryName:.onion.cab OR QueryName:.onion.casa OR QueryName:.onion.city OR QueryName:.onion.direct OR QueryName:.onion.dog OR QueryName:.onion.glass OR QueryName:.onion.gq OR QueryName:.onion.ink OR QueryName:.onion.it OR QueryName:.onion.link OR QueryName:.onion.lt OR QueryName:.onion.lu OR QueryName:.onion.nu OR QueryName:.onion.pet OR QueryName:.onion.plus OR QueryName:.onion.rip OR QueryName:.onion.sh OR QueryName:.onion.to OR QueryName:.onion.top OR QueryName:.onion OR QueryName:.s1.tor\-gateways.de OR QueryName:.s2.tor\-gateways.de OR QueryName:.s3.tor\-gateways.de OR QueryName:.s4.tor\-gateways.de OR QueryName:.s5.tor\-gateways.de OR QueryName:.t2w.pw OR QueryName:.tor2web.ae.org OR QueryName:.tor2web.blutmagie.de OR QueryName:.tor2web.com OR QueryName:.tor2web.fi OR QueryName:.tor2web.io OR QueryName:.tor2web.org OR QueryName:.tor2web.xyz OR QueryName:.torlink.co
view Sigma YAML 
title: DNS Query Tor .Onion Address - Sysmon
id: b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544
related:
    - id: 8384bd26-bde6-4da9-8e5d-4174a7a47ca2
      type: similar
    - id: a8322756-015c-42e7-afb1-436e85ed3ff5
      type: similar
status: test
description: Detects DNS queries to an ".onion" address related to Tor routing networks
references:
    - https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/
    - https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/ASimDNS/imDNS_TorProxies.yaml
author: frack113
date: 2022-02-20
modified: 2025-09-12
tags:
    - attack.command-and-control
    - attack.t1090.003
logsource:
    product: windows
    category: dns_query
detection:
    selection:
        QueryName|endswith:
            - '.hiddenservice.net'
            - '.onion.ca'
            - '.onion.cab'
            - '.onion.casa'
            - '.onion.city'
            - '.onion.direct'
            - '.onion.dog'
            - '.onion.glass'
            - '.onion.gq'
            - '.onion.ink'
            - '.onion.it'
            - '.onion.link'
            - '.onion.lt'
            - '.onion.lu'
            - '.onion.nu'
            - '.onion.pet'
            - '.onion.plus'
            - '.onion.rip'
            - '.onion.sh'
            - '.onion.to'
            - '.onion.top'
            - '.onion'
            - '.s1.tor-gateways.de'
            - '.s2.tor-gateways.de'
            - '.s3.tor-gateways.de'
            - '.s4.tor-gateways.de'
            - '.s5.tor-gateways.de'
            - '.t2w.pw'
            - '.tor2web.ae.org'
            - '.tor2web.blutmagie.de'
            - '.tor2web.com'
            - '.tor2web.fi'
            - '.tor2web.io'
            - '.tor2web.org'
            - '.tor2web.xyz'
            - '.torlink.co'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
DNS Query by Finger Utility
Detects DNS queries made by the finger utility, which can be abused by threat actors to retrieve remote commands for execution on Windows devices. In one ClickFix malware campaign, adversaries leveraged the finger protocol to fetch commands from a remote server. Since the finger utility is not commonly used in modern Windows environments, its presence already raises suspicion. Investigating such DNS queries can also help identify potential malicious infrastructure used by threat actors for command and control (C2) communication.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) ATT&CK sub-technique id c082c2b0-525b-4dbc-9a26-a57dc4692074
carbon_black query
Image:\\finger.exe
view Sigma YAML 
title: DNS Query by Finger Utility
id: c082c2b0-525b-4dbc-9a26-a57dc4692074
related:
    - id: 2fdaf50b-9fd5-449f-ba69-f17248119af6
      type: similar
    - id: af491bca-e752-4b44-9c86-df5680533dbc
      type: similar
status: experimental
description: |
    Detects DNS queries made by the finger utility, which can be abused by threat actors to retrieve remote commands for execution on Windows devices.
    In one ClickFix malware campaign, adversaries leveraged the finger protocol to fetch commands from a remote server.
    Since the finger utility is not commonly used in modern Windows environments, its presence already raises suspicion.
    Investigating such DNS queries can also help identify potential malicious infrastructure used by threat actors for command and control (C2) communication.
references:
    - https://www.bleepingcomputer.com/news/security/decades-old-finger-protocol-abused-in-clickfix-malware-attacks/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-19
tags:
    - attack.command-and-control
    - attack.t1071.004
    - attack.execution
    - attack.t1059.003
logsource:
    product: windows
    category: dns_query
detection:
    selection:
        Image|endswith: '\finger.exe'
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Strong Medium FP
DNS Query for Anonfiles.com Domain - DNS Client
Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK sub-technique id 29f171d7-aa47-42c7-9c7b-3c87938164d9
carbon_black query
EventID:3008 QueryName:.anonfiles.com*
view Sigma YAML 
title: DNS Query for Anonfiles.com Domain - DNS Client
id: 29f171d7-aa47-42c7-9c7b-3c87938164d9
related:
    - id: 065cceea-77ec-4030-9052-fc0affea7110
      type: similar
status: test
description: Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes
references:
    - https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-16
tags:
    - attack.exfiltration
    - attack.t1567.002
logsource:
    product: windows
    service: dns-client
    definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'
detection:
    selection:
        EventID: 3008
        QueryName|contains: '.anonfiles.com'
    condition: selection
falsepositives:
    - Rare legitimate access to anonfiles.com
level: high
Convert to SIEM query
high Moderate High FP
DNS Query for Anonfiles.com Domain - Sysmon
Detects DNS queries for "anonfiles.com", which is an anonymous file upload platform often used for malicious purposes
status test author pH-T (Nextron Systems) ATT&CK sub-technique id 065cceea-77ec-4030-9052-fc0affea7110
carbon_black query
QueryName:.anonfiles.com*
view Sigma YAML 
title: DNS Query for Anonfiles.com Domain - Sysmon
id: 065cceea-77ec-4030-9052-fc0affea7110
related:
    - id: 29f171d7-aa47-42c7-9c7b-3c87938164d9
      type: similar
status: test
description: Detects DNS queries for "anonfiles.com", which is an anonymous file upload platform often used for malicious purposes
references:
    - https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte
author: pH-T (Nextron Systems)
date: 2022-07-15
modified: 2023-01-16
tags:
    - attack.exfiltration
    - attack.t1567.002
logsource:
    product: windows
    category: dns_query
detection:
    selection:
        QueryName|contains: '.anonfiles.com'
    condition: selection
falsepositives:
    - Rare legitimate access to anonfiles.com
level: high
Convert to SIEM query
high Strong High FP
DNS Query to External Service Interaction Domains
Detects suspicious DNS queries to external service interaction domains often used for out-of-band interactions after successful RCE
status test author Florian Roth (Nextron Systems), Matt Kelly (list of domains) ATT&CK sub-technique id aff715fa-4dd5-497a-8db3-910bea555566
carbon_black query
(query:.burpcollaborator.net OR query:.canarytokens.com OR query:.ceye.io OR query:.ddns.1443.eu.org OR query:.ddns.bypass.eu.org OR query:.ddns.xn\-\-gg8h.eu.org OR query:.digimg.store OR query:.dns.su18.org OR query:.dnshook.site OR query:.dnslog.cn OR query:.dnslog.ink OR query:.instances.httpworkbench.com OR query:.interact.sh OR query:.log.dnslog.pp.ua OR query:.log.dnslog.qzz.io OR query:.log.dnslogs.dpdns.org OR query:.log.javaweb.org OR query:.log.nat.cloudns.ph OR query:.oast.fun OR query:.oast.live OR query:.oast.me OR query:.oast.online OR query:.oast.pro OR query:.oast.site OR query:.oastify.com OR query:.p8.lol OR query:.requestbin.net) (-query:polling.oastify.com*)
view Sigma YAML 
title: DNS Query to External Service Interaction Domains
id: aff715fa-4dd5-497a-8db3-910bea555566
status: test
description: |
    Detects suspicious DNS queries to external service interaction domains often used for out-of-band interactions after successful RCE
references:
    - https://twitter.com/breakersall/status/1533493587828260866
    - https://www.bitdefender.com/en-us/blog/businessinsights/bitdefender-advisory-critical-unauthenticated-rce-windows-server-update-services-cve-2025-59287
    - https://github.com/SigmaHQ/sigma/pull/5724#issuecomment-3466382234
author: Florian Roth (Nextron Systems), Matt Kelly (list of domains)
date: 2022-06-07
modified: 2026-01-24
tags:
    - attack.initial-access
    - attack.t1190
    - attack.reconnaissance
    - attack.t1595.002
logsource:
    category: dns
detection:
    selection:
        query|endswith:
            - '.burpcollaborator.net' # Portswigger Burpsuite Collaborator
            - '.canarytokens.com' # Thinkst Canary Canarytokens
            - '.ceye.io'
            - '.ddns.1443.eu.org' # dig.pm
            - '.ddns.bypass.eu.org' # dig.pm
            - '.ddns.xn--gg8h.eu.org' # dig.pm
            - '.digimg.store' # dnslog.ink
            - '.dns.su18.org' # javaweb.org
            - '.dnshook.site' # webhook.site
            - '.dnslog.cn'
            - '.dnslog.ink' # dnslog.ink
            - '.instances.httpworkbench.com' # httpworkbench.com
            - '.interact.sh' # Project Discovery Interactsh
            - '.log.dnslog.pp.ua' # dnslog.org
            - '.log.dnslog.qzz.io' # dnslog.org
            - '.log.dnslogs.dpdns.org' # dnslog.org
            - '.log.javaweb.org' # javaweb.org
            - '.log.nat.cloudns.ph' # dnslog.org
            - '.oast.fun' # Project Discovery Interactsh
            - '.oast.live' # Project Discovery Interactsh
            - '.oast.me' # Project Discovery Interactsh
            - '.oast.online' # Project Discovery Interactsh
            - '.oast.pro' # Project Discovery Interactsh
            - '.oast.site' # Project Discovery Interactsh
            - '.oastify.com' # Portswigger Burpsuite Collaborator
            - '.p8.lol' # javaweb.org
            - '.requestbin.net'
    filter_main_polling:
        query|contains: 'polling.oastify.com'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate security scanning.
level: high
Convert to SIEM query
high Moderate Medium FP
DNS Server Error Failed Loading the ServerLevelPluginDLL
Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded
status test author Florian Roth (Nextron Systems) ATT&CK sub-technique id cbe51394-cd93-4473-b555-edf0144952d9
carbon_black query
EventID:150 OR EventID:770 OR EventID:771
view Sigma YAML 
title: DNS Server Error Failed Loading the ServerLevelPluginDLL
id: cbe51394-cd93-4473-b555-edf0144952d9
related:
    - id: e61e8a88-59a9-451c-874e-70fcc9740d67
      type: derived
    - id: f63b56ee-3f79-4b8a-97fb-5c48007e8573
      type: derived
status: test
description: Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded
references:
    - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
    - https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx
    - https://twitter.com/gentilkiwi/status/861641945944391680
author: Florian Roth (Nextron Systems)
date: 2017-05-08
modified: 2023-02-05
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    product: windows
    service: dns-server
detection:
    selection:
        EventID:
            - 150
            - 770
            - 771
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
DNS TXT Answer with Possible Execution Strings
Detects strings used in command execution in DNS TXT Answer
status test author Markus Neis ATT&CK sub-technique id 8ae51330-899c-4641-8125-e39f2e07da72
carbon_black query
record_type:TXT (answer:IEX* OR answer:Invoke\-Expression* OR answer:cmd.exe*)
view Sigma YAML 
title: DNS TXT Answer with Possible Execution Strings
id: 8ae51330-899c-4641-8125-e39f2e07da72
status: test
description: Detects strings used in command execution in DNS TXT Answer
references:
    - https://twitter.com/stvemillertime/status/1024707932447854592
    - https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Backdoors/DNS_TXT_Pwnage.ps1
author: Markus Neis
date: 2018-08-08
modified: 2021-11-27
tags:
    - attack.command-and-control
    - attack.t1071.004
logsource:
    category: dns
detection:
    selection:
        record_type: 'TXT'
        answer|contains:
            - 'IEX'
            - 'Invoke-Expression'
            - 'cmd.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
DPAPI Backup Keys And Certificate Export Activity IOC
Detects file names with specific patterns seen generated and used by tools such as Mimikatz and DSInternals related to exported or stolen DPAPI backup keys and certificates.
status test author Nounou Mbeiri, Nasreddine Bencherchali (Nextron Systems) ATT&CK sub-technique id 7892ec59-c5bb-496d-8968-e5d210ca3ac4
carbon_black query
(TargetFilename:ntds_capi_* OR TargetFilename:ntds_legacy_* OR TargetFilename:ntds_unknown_*) (TargetFilename:.cer OR TargetFilename:.key OR TargetFilename:.pfx OR TargetFilename:.pvk)
view Sigma YAML 
title: DPAPI Backup Keys And Certificate Export Activity IOC
id: 7892ec59-c5bb-496d-8968-e5d210ca3ac4
status: test
description: |
    Detects file names with specific patterns seen generated and used by tools such as Mimikatz and DSInternals related to exported or stolen DPAPI backup keys and certificates.
references:
    - https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/
    - https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.Common/Data/DPAPI/DPAPIBackupKey.cs#L28-L32
author: Nounou Mbeiri, Nasreddine Bencherchali (Nextron Systems)
date: 2024-06-26
tags:
    - attack.credential-access
    - attack.t1555
    - attack.t1552.004
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains:
            - 'ntds_capi_'
            - 'ntds_legacy_'
            - 'ntds_unknown_'
        TargetFilename|endswith:
            - '.cer'
            - '.key'
            - '.pfx'
            - '.pvk'
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate Low FP
DPAPI Domain Backup Key Extraction
Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers
status test author Roberto Rodriguez @Cyb3rWard0g ATT&CK sub-technique id 4ac1f50b-3bd0-4968-902d-868b4647937e
carbon_black query
EventID:4662 ObjectType:SecretObject AccessMask:0x2 ObjectName:BCKUPKEY*
view Sigma YAML 
title: DPAPI Domain Backup Key Extraction
id: 4ac1f50b-3bd0-4968-902d-868b4647937e
status: test
description: Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers
references:
    - https://threathunterplaybook.com/hunts/windows/190620-DomainDPAPIBackupKeyExtraction/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-06-20
modified: 2022-02-24
tags:
    - attack.credential-access
    - attack.t1003.004
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4662
        ObjectType: 'SecretObject'
        AccessMask: '0x2'
        ObjectName|contains: 'BCKUPKEY'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
DPRK Threat Actor - C2 Communication DNS Indicators
Detects DNS queries for C2 domains used by DPRK Threat actors.
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK tactic-only id 4d16c9a6-4362-4863-9940-1dee35f1d70f
carbon_black query
QueryName:connection.lockscreen.kro.kr OR QueryName:updating.dothome.co.kr
view Sigma YAML 
title: DPRK Threat Actor - C2 Communication DNS Indicators
id: 4d16c9a6-4362-4863-9940-1dee35f1d70f
status: test
description: Detects DNS queries for C2 domains used by DPRK Threat actors.
references:
    - https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2024-02-19-joint-cyber-security-advisory-englisch.pdf?__blob=publicationFile&v=2
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-02-20
tags:
    - attack.command-and-control
    - detection.emerging-threats
logsource:
    product: windows
    category: dns_query
detection:
    selection:
        QueryName:
            - 'connection.lockscreen.kro.kr'
            - 'updating.dothome.co.kr'
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate High FP
DSInternals Suspicious PowerShell Cmdlets
Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files. The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
status test author Nasreddine Bencherchali (Nextron Systems), Nounou Mbeiri ATT&CK sub-technique id 43d91656-a9b2-4541-b7e2-6a9bd3a13f4e
carbon_black query
CommandLine:Add\-ADDBSidHistory* OR CommandLine:Add\-ADNgcKey* OR CommandLine:Add\-ADReplNgcKey* OR CommandLine:ConvertFrom\-ADManagedPasswordBlob* OR CommandLine:ConvertFrom\-GPPrefPassword* OR CommandLine:ConvertFrom\-ManagedPasswordBlob* OR CommandLine:ConvertFrom\-UnattendXmlPassword* OR CommandLine:ConvertFrom\-UnicodePassword* OR CommandLine:ConvertTo\-AADHash* OR CommandLine:ConvertTo\-GPPrefPassword* OR CommandLine:ConvertTo\-KerberosKey* OR CommandLine:ConvertTo\-LMHash* OR CommandLine:ConvertTo\-MsoPasswordHash* OR CommandLine:ConvertTo\-NTHash* OR CommandLine:ConvertTo\-OrgIdHash* OR CommandLine:ConvertTo\-UnicodePassword* OR CommandLine:Disable\-ADDBAccount* OR CommandLine:Enable\-ADDBAccount* OR CommandLine:Get\-ADDBAccount* OR CommandLine:Get\-ADDBBackupKey* OR CommandLine:Get\-ADDBDomainController* OR CommandLine:Get\-ADDBGroupManagedServiceAccount* OR CommandLine:Get\-ADDBKdsRootKey* OR CommandLine:Get\-ADDBSchemaAttribute* OR CommandLine:Get\-ADDBServiceAccount* OR CommandLine:Get\-ADDefaultPasswordPolicy* OR CommandLine:Get\-ADKeyCredential* OR CommandLine:Get\-ADPasswordPolicy* OR CommandLine:Get\-ADReplAccount* OR CommandLine:Get\-ADReplBackupKey* OR CommandLine:Get\-ADReplicationAccount* OR CommandLine:Get\-ADSIAccount* OR CommandLine:Get\-AzureADUserEx* OR CommandLine:Get\-BootKey* OR CommandLine:Get\-KeyCredential* OR CommandLine:Get\-LsaBackupKey* OR CommandLine:Get\-LsaPolicy* OR CommandLine:Get\-SamPasswordPolicy* OR CommandLine:Get\-SysKey* OR CommandLine:Get\-SystemKey* OR CommandLine:New\-ADDBRestoreFromMediaScript* OR CommandLine:New\-ADKeyCredential* OR CommandLine:New\-ADNgcKey* OR CommandLine:New\-NTHashSet* OR CommandLine:Remove\-ADDBObject* OR CommandLine:Save\-DPAPIBlob* OR CommandLine:Set\-ADAccountPasswordHash* OR CommandLine:Set\-ADDBAccountPassword* OR CommandLine:Set\-ADDBBootKey* OR CommandLine:Set\-ADDBDomainController* OR CommandLine:Set\-ADDBPrimaryGroup* OR CommandLine:Set\-ADDBSysKey* OR CommandLine:Set\-AzureADUserEx* OR CommandLine:Set\-LsaPolicy* OR CommandLine:Set\-SamAccountPasswordHash* OR CommandLine:Set\-WinUserPasswordHash* OR CommandLine:Test\-ADDBPasswordQuality* OR CommandLine:Test\-ADPasswordQuality* OR CommandLine:Test\-ADReplPasswordQuality* OR CommandLine:Test\-PasswordQuality* OR CommandLine:Unlock\-ADDBAccount* OR CommandLine:Write\-ADNgcKey* OR CommandLine:Write\-ADReplNgcKey*
view Sigma YAML 
title: DSInternals Suspicious PowerShell Cmdlets
id: 43d91656-a9b2-4541-b7e2-6a9bd3a13f4e
related:
    - id: 846c7a87-8e14-4569-9d49-ecfd4276a01c
      type: similar
status: test
description: |
    Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files.
    The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
references:
    - https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.PowerShell/DSInternals.psd1
author: Nasreddine Bencherchali (Nextron Systems), Nounou Mbeiri
date: 2024-06-26
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - 'Add-ADDBSidHistory'
            - 'Add-ADNgcKey'
            - 'Add-ADReplNgcKey'
            - 'ConvertFrom-ADManagedPasswordBlob'
            - 'ConvertFrom-GPPrefPassword'
            - 'ConvertFrom-ManagedPasswordBlob'
            - 'ConvertFrom-UnattendXmlPassword'
            - 'ConvertFrom-UnicodePassword'
            - 'ConvertTo-AADHash'
            - 'ConvertTo-GPPrefPassword'
            - 'ConvertTo-KerberosKey'
            - 'ConvertTo-LMHash'
            - 'ConvertTo-MsoPasswordHash'
            - 'ConvertTo-NTHash'
            - 'ConvertTo-OrgIdHash'
            - 'ConvertTo-UnicodePassword'
            - 'Disable-ADDBAccount'
            - 'Enable-ADDBAccount'
            - 'Get-ADDBAccount'
            - 'Get-ADDBBackupKey'
            - 'Get-ADDBDomainController'
            - 'Get-ADDBGroupManagedServiceAccount'
            - 'Get-ADDBKdsRootKey'
            - 'Get-ADDBSchemaAttribute'
            - 'Get-ADDBServiceAccount'
            - 'Get-ADDefaultPasswordPolicy'
            - 'Get-ADKeyCredential' # Covers 'Get-ADKeyCredentialLink'
            - 'Get-ADPasswordPolicy'
            - 'Get-ADReplAccount'
            - 'Get-ADReplBackupKey'
            - 'Get-ADReplicationAccount'
            - 'Get-ADSIAccount'
            - 'Get-AzureADUserEx'
            - 'Get-BootKey'
            - 'Get-KeyCredential'
            - 'Get-LsaBackupKey'
            - 'Get-LsaPolicy' # Covers 'Get-LsaPolicyInformation'
            - 'Get-SamPasswordPolicy'
            - 'Get-SysKey'
            - 'Get-SystemKey'
            - 'New-ADDBRestoreFromMediaScript'
            - 'New-ADKeyCredential' # Covers 'New-ADKeyCredentialLink'
            - 'New-ADNgcKey'
            - 'New-NTHashSet'
            - 'Remove-ADDBObject'
            - 'Save-DPAPIBlob'
            - 'Set-ADAccountPasswordHash'
            - 'Set-ADDBAccountPassword' # Covers 'Set-ADDBAccountPasswordHash'
            - 'Set-ADDBBootKey'
            - 'Set-ADDBDomainController'
            - 'Set-ADDBPrimaryGroup'
            - 'Set-ADDBSysKey'
            - 'Set-AzureADUserEx'
            - 'Set-LsaPolicy' # Covers 'Set-LSAPolicyInformation'
            - 'Set-SamAccountPasswordHash'
            - 'Set-WinUserPasswordHash'
            - 'Test-ADDBPasswordQuality'
            - 'Test-ADPasswordQuality'
            - 'Test-ADReplPasswordQuality'
            - 'Test-PasswordQuality'
            - 'Unlock-ADDBAccount'
            - 'Write-ADNgcKey'
            - 'Write-ADReplNgcKey'
    condition: selection
falsepositives:
    - Legitimate usage of DSInternals for administration or audit purpose.
level: high
Convert to SIEM query
high Moderate High FP
DSInternals Suspicious PowerShell Cmdlets - ScriptBlock
Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files. The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK sub-technique id 846c7a87-8e14-4569-9d49-ecfd4276a01c
carbon_black query
ScriptBlockText:Add\-ADDBSidHistory* OR ScriptBlockText:Add\-ADNgcKey* OR ScriptBlockText:Add\-ADReplNgcKey* OR ScriptBlockText:ConvertFrom\-ADManagedPasswordBlob* OR ScriptBlockText:ConvertFrom\-GPPrefPassword* OR ScriptBlockText:ConvertFrom\-ManagedPasswordBlob* OR ScriptBlockText:ConvertFrom\-UnattendXmlPassword* OR ScriptBlockText:ConvertFrom\-UnicodePassword* OR ScriptBlockText:ConvertTo\-AADHash* OR ScriptBlockText:ConvertTo\-GPPrefPassword* OR ScriptBlockText:ConvertTo\-KerberosKey* OR ScriptBlockText:ConvertTo\-LMHash* OR ScriptBlockText:ConvertTo\-MsoPasswordHash* OR ScriptBlockText:ConvertTo\-NTHash* OR ScriptBlockText:ConvertTo\-OrgIdHash* OR ScriptBlockText:ConvertTo\-UnicodePassword* OR ScriptBlockText:Disable\-ADDBAccount* OR ScriptBlockText:Enable\-ADDBAccount* OR ScriptBlockText:Get\-ADDBAccount* OR ScriptBlockText:Get\-ADDBBackupKey* OR ScriptBlockText:Get\-ADDBDomainController* OR ScriptBlockText:Get\-ADDBGroupManagedServiceAccount* OR ScriptBlockText:Get\-ADDBKdsRootKey* OR ScriptBlockText:Get\-ADDBSchemaAttribute* OR ScriptBlockText:Get\-ADDBServiceAccount* OR ScriptBlockText:Get\-ADDefaultPasswordPolicy* OR ScriptBlockText:Get\-ADKeyCredential* OR ScriptBlockText:Get\-ADPasswordPolicy* OR ScriptBlockText:Get\-ADReplAccount* OR ScriptBlockText:Get\-ADReplBackupKey* OR ScriptBlockText:Get\-ADReplicationAccount* OR ScriptBlockText:Get\-ADSIAccount* OR ScriptBlockText:Get\-AzureADUserEx* OR ScriptBlockText:Get\-BootKey* OR ScriptBlockText:Get\-KeyCredential* OR ScriptBlockText:Get\-LsaBackupKey* OR ScriptBlockText:Get\-LsaPolicy* OR ScriptBlockText:Get\-SamPasswordPolicy* OR ScriptBlockText:Get\-SysKey* OR ScriptBlockText:Get\-SystemKey* OR ScriptBlockText:New\-ADDBRestoreFromMediaScript* OR ScriptBlockText:New\-ADKeyCredential* OR ScriptBlockText:New\-ADNgcKey* OR ScriptBlockText:New\-NTHashSet* OR ScriptBlockText:Remove\-ADDBObject* OR ScriptBlockText:Save\-DPAPIBlob* OR ScriptBlockText:Set\-ADAccountPasswordHash* OR ScriptBlockText:Set\-ADDBAccountPassword* OR ScriptBlockText:Set\-ADDBBootKey* OR ScriptBlockText:Set\-ADDBDomainController* OR ScriptBlockText:Set\-ADDBPrimaryGroup* OR ScriptBlockText:Set\-ADDBSysKey* OR ScriptBlockText:Set\-AzureADUserEx* OR ScriptBlockText:Set\-LsaPolicy* OR ScriptBlockText:Set\-SamAccountPasswordHash* OR ScriptBlockText:Set\-WinUserPasswordHash* OR ScriptBlockText:Test\-ADDBPasswordQuality* OR ScriptBlockText:Test\-ADPasswordQuality* OR ScriptBlockText:Test\-ADReplPasswordQuality* OR ScriptBlockText:Test\-PasswordQuality* OR ScriptBlockText:Unlock\-ADDBAccount* OR ScriptBlockText:Write\-ADNgcKey* OR ScriptBlockText:Write\-ADReplNgcKey*
view Sigma YAML 
title: DSInternals Suspicious PowerShell Cmdlets - ScriptBlock
id: 846c7a87-8e14-4569-9d49-ecfd4276a01c
related:
    - id: 43d91656-a9b2-4541-b7e2-6a9bd3a13f4e
      type: similar
status: test
description: |
    Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files.
    The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
references:
    - https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.PowerShell/DSInternals.psd1
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-06-26
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'Add-ADDBSidHistory'
            - 'Add-ADNgcKey'
            - 'Add-ADReplNgcKey'
            - 'ConvertFrom-ADManagedPasswordBlob'
            - 'ConvertFrom-GPPrefPassword'
            - 'ConvertFrom-ManagedPasswordBlob'
            - 'ConvertFrom-UnattendXmlPassword'
            - 'ConvertFrom-UnicodePassword'
            - 'ConvertTo-AADHash'
            - 'ConvertTo-GPPrefPassword'
            - 'ConvertTo-KerberosKey'
            - 'ConvertTo-LMHash'
            - 'ConvertTo-MsoPasswordHash'
            - 'ConvertTo-NTHash'
            - 'ConvertTo-OrgIdHash'
            - 'ConvertTo-UnicodePassword'
            - 'Disable-ADDBAccount'
            - 'Enable-ADDBAccount'
            - 'Get-ADDBAccount'
            - 'Get-ADDBBackupKey'
            - 'Get-ADDBDomainController'
            - 'Get-ADDBGroupManagedServiceAccount'
            - 'Get-ADDBKdsRootKey'
            - 'Get-ADDBSchemaAttribute'
            - 'Get-ADDBServiceAccount'
            - 'Get-ADDefaultPasswordPolicy'
            - 'Get-ADKeyCredential' # Covers 'Get-ADKeyCredentialLink'
            - 'Get-ADPasswordPolicy'
            - 'Get-ADReplAccount'
            - 'Get-ADReplBackupKey'
            - 'Get-ADReplicationAccount'
            - 'Get-ADSIAccount'
            - 'Get-AzureADUserEx'
            - 'Get-BootKey'
            - 'Get-KeyCredential'
            - 'Get-LsaBackupKey'
            - 'Get-LsaPolicy' # Covers 'Get-LsaPolicyInformation'
            - 'Get-SamPasswordPolicy'
            - 'Get-SysKey'
            - 'Get-SystemKey'
            - 'New-ADDBRestoreFromMediaScript'
            - 'New-ADKeyCredential' # Covers 'New-ADKeyCredentialLink'
            - 'New-ADNgcKey'
            - 'New-NTHashSet'
            - 'Remove-ADDBObject'
            - 'Save-DPAPIBlob'
            - 'Set-ADAccountPasswordHash'
            - 'Set-ADDBAccountPassword' # Covers 'Set-ADDBAccountPasswordHash'
            - 'Set-ADDBBootKey'
            - 'Set-ADDBDomainController'
            - 'Set-ADDBPrimaryGroup'
            - 'Set-ADDBSysKey'
            - 'Set-AzureADUserEx'
            - 'Set-LsaPolicy' # Covers 'Set-LSAPolicyInformation'
            - 'Set-SamAccountPasswordHash'
            - 'Set-WinUserPasswordHash'
            - 'Test-ADDBPasswordQuality'
            - 'Test-ADPasswordQuality'
            - 'Test-ADReplPasswordQuality'
            - 'Test-PasswordQuality'
            - 'Unlock-ADDBAccount'
            - 'Write-ADNgcKey'
            - 'Write-ADReplNgcKey'
    condition: selection
falsepositives:
    - Legitimate usage of DSInternals for administration or audit purpose.
level: high
Convert to SIEM query
Showing 351-400 of 3,646
Prev 8 Next
SOC and Response
CVE triage
Stack monitoring
Am I affected
IOC triage
KEV catalog
Recently exploited
Daily brief
Change tracking
Detection Engineering
Detection coverage workspace
Saved stacks
SIEM query builder
Detection rules
D3FEND
Threat Hunting
Threat actors
ATT&CK techniques
Attack paths
Indicators
Ransomware groups
Atomic tests
Red Team and Pentest
Exploitability triage
Recon pack
Attack paths
CAPEC patterns
Adversary emulation
Compliance and GRC
Framework mapping
Control assessment
Audit view
Atlas Search Threat actors Techniques Detection coverage Tools & malware CWE CAPEC KEV catalog Package vulns
About All capabilities Pricing API docs Privacy policy Terms of service
threatengine.sh