Home/Detection rules/VMware Carbon Black
Tool
EDR / XDR

VMware Carbon Black

174 rules · Sigma detections in VMware Carbon Black syntax
The same Sigma detection corpus, machine-rendered into VMware Carbon Black query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Severity critical high medium low all severities

Detection rules

24 shown of 174
critical
Suspicious Cobalt Strike DNS Beaconing - DNS Client
Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
status test author Nasreddine Bencherchali (Nextron Systems) id 0d18728b-f5bf-4381-9dcf-915539fff6c2
carbon_black query
EventID:3008 ((QueryName:aaa.stage.* OR QueryName:post.1*) OR QueryName:.stage.123456.*)
view Sigma YAML 
title: Suspicious Cobalt Strike DNS Beaconing - DNS Client
id: 0d18728b-f5bf-4381-9dcf-915539fff6c2
related:
    - id: f356a9c4-effd-4608-bbf8-408afd5cd006
      type: similar
status: test
description: Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
references:
    - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
    - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-16
tags:
    - attack.t1071.004
    - attack.command-and-control
logsource:
    product: windows
    service: dns-client
    definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'
detection:
    selection_eid:
        EventID: 3008
    selection_query_1:
        QueryName|startswith:
            - 'aaa.stage.'
            - 'post.1'
    selection_query_2:
        QueryName|contains: '.stage.123456.'
    condition: selection_eid and 1 of selection_query_*
falsepositives:
    - Unknown
level: critical
Convert to SIEM query
critical
Suspicious Cobalt Strike DNS Beaconing - Sysmon
Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
status test author Florian Roth (Nextron Systems) id f356a9c4-effd-4608-bbf8-408afd5cd006
carbon_black query
(QueryName:aaa.stage.* OR QueryName:post.1*) OR QueryName:.stage.123456.*
view Sigma YAML 
title: Suspicious Cobalt Strike DNS Beaconing - Sysmon
id: f356a9c4-effd-4608-bbf8-408afd5cd006
related:
    - id: 0d18728b-f5bf-4381-9dcf-915539fff6c2
      type: similar
status: test
description: Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
references:
    - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
    - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
author: Florian Roth (Nextron Systems)
date: 2021-11-09
modified: 2023-01-16
tags:
    - attack.command-and-control
    - attack.t1071.004
logsource:
    product: windows
    category: dns_query
detection:
    selection1:
        QueryName|startswith:
            - 'aaa.stage.'
            - 'post.1'
    selection2:
        QueryName|contains: '.stage.123456.'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: critical
Convert to SIEM query
critical
Suspicious PowerShell Mailbox Export to Share
Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations
status test author Florian Roth (Nextron Systems) id 889719ef-dd62-43df-86c3-768fb08dc7c0
carbon_black query
CommandLine:New\-MailboxExportRequest* CommandLine:\ \-Mailbox\ * CommandLine:\ \-FilePath\ \\\\*
view Sigma YAML 
title: Suspicious PowerShell Mailbox Export to Share
id: 889719ef-dd62-43df-86c3-768fb08dc7c0
status: test
description: Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations
references:
    - https://youtu.be/5mqid-7zp8k?t=2481
    - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
    - https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
    - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
author: Florian Roth (Nextron Systems)
date: 2021-08-07
modified: 2022-10-26
tags:
    - attack.exfiltration
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'New-MailboxExportRequest'
            - ' -Mailbox '
            - ' -FilePath \\\\'
    condition: selection
falsepositives:
    - Unknown
level: critical
Convert to SIEM query
critical
Suspicious PowerShell Mailbox Export to Share - PS
Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations
status test author Nasreddine Bencherchali (Nextron Systems) id 4a241dea-235b-4a7e-8d76-50d817b146c4
carbon_black query
ScriptBlockText:New\-MailboxExportRequest* ScriptBlockText:\ \-Mailbox\ * ScriptBlockText:\ \-FilePath\ \\\\*
view Sigma YAML 
title: Suspicious PowerShell Mailbox Export to Share - PS
id: 4a241dea-235b-4a7e-8d76-50d817b146c4
related:
    - id: 889719ef-dd62-43df-86c3-768fb08dc7c0
      type: derived
status: test
description: Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations
references:
    - https://youtu.be/5mqid-7zp8k?t=2481
    - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
    - https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
    - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-26
tags:
    - attack.exfiltration
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'New-MailboxExportRequest'
            - ' -Mailbox '
            - ' -FilePath \\\\'
    condition: selection
falsepositives:
    - Unknown
level: critical
Convert to SIEM query
critical
TrustedPath UAC Bypass Pattern
Detects indicators of a UAC bypass method by mocking directories
status test author Florian Roth (Nextron Systems) id 4ac47ed3-44c2-4b1f-9d51-bf46e8914126
carbon_black query
Image:C\:\\Windows\ \\System32\\* OR Image:C\:\\Windows\ \\SysWOW64\\*
view Sigma YAML 
title: TrustedPath UAC Bypass Pattern
id: 4ac47ed3-44c2-4b1f-9d51-bf46e8914126
related:
    - id: 0cbe38c0-270c-41d9-ab79-6e5a9a669290
      type: similar
status: test
description: Detects indicators of a UAC bypass method by mocking directories
references:
    - https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e
    - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows
    - https://github.com/netero1010/TrustedPath-UACBypass-BOF
    - https://x.com/Wietze/status/1933495426952421843
author: Florian Roth (Nextron Systems)
date: 2021-08-27
modified: 2025-06-17
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|contains:
            - 'C:\Windows \System32\'
            - 'C:\Windows \SysWOW64\'
    condition: selection
falsepositives:
    - Unknown
level: critical
Convert to SIEM query
critical
Turla Group Commands May 2020
Detects commands used by Turla group as reported by ESET in May 2020
status test author Florian Roth (Nextron Systems) id 9e2e51c5-c699-4794-ba5a-29f5da40ac0c
carbon_black query
(CommandLine:tracert\ \-h\ 10\ yahoo.com* OR CommandLine:.WSqmCons\)\)|iex;* OR CommandLine:Fr`omBa`se6`4Str`ing*) OR (CommandLine:net\\s+use\\s+https://docs.live.net CommandLine:@aol.co.uk*)
view Sigma YAML 
title: Turla Group Commands May 2020
id: 9e2e51c5-c699-4794-ba5a-29f5da40ac0c
status: test
description: Detects commands used by Turla group as reported by ESET in May 2020
references:
    - https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
author: Florian Roth (Nextron Systems)
date: 2020-05-26
modified: 2025-10-19
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.stealth
    - attack.g0010
    - attack.execution
    - attack.t1059.001
    - attack.t1053.005
    - attack.t1027
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_cli_1:
        CommandLine|contains:
            - 'tracert -h 10 yahoo.com'
            - '.WSqmCons))|iex;'
            - 'Fr`omBa`se6`4Str`ing'
    selection_cli_2:
        CommandLine|re: 'net\s+use\s+https://docs.live.net'
        CommandLine|contains: '@aol.co.uk'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: critical
Convert to SIEM query
critical
Turla Group Lateral Movement
Detects automated lateral movement by Turla group
status test author Markus Neis id c601f20d-570a-4cde-a7d6-e17f99cb8e7f
carbon_black query
CommandLine:net\ use\ \\\\%DomainController%\\C$\ \"P@ssw0rd\"\ * OR CommandLine:dir\ c\:\\*.doc*\ \/s OR CommandLine:dir\ %TEMP%\\*.exe
view Sigma YAML 
title: Turla Group Lateral Movement
id: c601f20d-570a-4cde-a7d6-e17f99cb8e7f
status: test
description: Detects automated lateral movement by Turla group
references:
    - https://securelist.com/the-epic-turla-operation/65545/
author: Markus Neis
date: 2017-11-07
modified: 2022-10-09
tags:
    - attack.g0010
    - attack.execution
    - attack.t1059
    - attack.lateral-movement
    - attack.t1021.002
    - attack.discovery
    - attack.t1083
    - attack.t1135
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine:
            - 'net use \\\\%DomainController%\C$ "P@ssw0rd" *'
            - 'dir c:\\*.doc* /s'
            - 'dir %TEMP%\\*.exe'
    condition: selection
falsepositives:
    - Unknown
level: critical
Convert to SIEM query
critical
Turla Group Named Pipes
Detects a named pipe used by Turla group samples
status test author Markus Neis id 739915e4-1e70-4778-8b8a-17db02f66db1
carbon_black query
PipeName:\\atctl OR PipeName:\\comnap OR PipeName:\\iehelper OR PipeName:\\sdlrpc OR PipeName:\\userpipe
view Sigma YAML 
title: Turla Group Named Pipes
id: 739915e4-1e70-4778-8b8a-17db02f66db1
status: test
description: Detects a named pipe used by Turla group samples
references:
    - Internal Research
author: Markus Neis
date: 2017-11-06
modified: 2021-11-27
tags:
    - attack.g0010
    - attack.execution
    - attack.t1106
    - detection.emerging-threats
logsource:
    product: windows
    category: pipe_created
    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
    selection:
        PipeName:
            - '\atctl'    # https://www.virustotal.com/#/file/a4ddb2664a6c87a1d3c5da5a5a32a5df9a0b0c8f2e951811bd1ec1d44d42ccf1/detection
            - '\comnap'   # https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
            - '\iehelper' # ruag apt case
            - '\sdlrpc'   # project cobra https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
            - '\userpipe' # ruag apt case
            # - '\rpc' # may cause too many false positives : http://kb.palisade.com/index.php?pg=kb.page&id=483
    condition: selection
falsepositives:
    - Unlikely
level: critical
Convert to SIEM query
critical
Turla PNG Dropper Service
This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018
status test author Florian Roth (Nextron Systems) id 1228f8e2-7e79-4dea-b0ad-c91f1d5016c1
carbon_black query
Provider_Name:Service\ Control\ Manager EventID:7045 ServiceName:WerFaultSvc
view Sigma YAML 
title: Turla PNG Dropper Service
id: 1228f8e2-7e79-4dea-b0ad-c91f1d5016c1
status: test
description: This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018
references:
    - https://research.nccgroup.com/2018/11/22/turla-png-dropper-is-back/
author: Florian Roth (Nextron Systems)
date: 2018-11-23
modified: 2021-11-30
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.g0010
    - attack.t1543.003
    - detection.emerging-threats
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ServiceName: 'WerFaultSvc'
    condition: selection
falsepositives:
    - Unlikely
level: critical
Convert to SIEM query
critical
UNC2452 PowerShell Pattern
Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports
status test author Florian Roth (Nextron Systems) id b7155193-8a81-4d8f-805d-88de864ca50c
carbon_black query
(CommandLine:Invoke\-WMIMethod\ win32_process\ \-name\ create\ \-argumentlist* CommandLine:rundll32\ c\:\\windows*) OR (CommandLine:wmic\ \/node\:* CommandLine:process\ call\ create\ \"rundll32\ c\:\\windows*)
view Sigma YAML 
title: UNC2452 PowerShell Pattern
id: b7155193-8a81-4d8f-805d-88de864ca50c
status: test
description: Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports
references:
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware
    - https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-7---create-a-process-using-wmi-query-and-an-encoded-command
author: Florian Roth (Nextron Systems)
date: 2021-01-20
modified: 2022-10-09
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1047
    - detection.emerging-threats
    # - sunburst
logsource:
    category: process_creation
    product: windows
detection:
    selection_cli_1:
        CommandLine|contains|all:
            - 'Invoke-WMIMethod win32_process -name create -argumentlist'
            - 'rundll32 c:\windows'
    selection_cli_2:
        CommandLine|contains|all:
            - 'wmic /node:'
            - 'process call create "rundll32 c:\windows'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: critical
Convert to SIEM query
critical
UNC4841 - Potential SEASPY Execution
Detects execution of specific named binaries which were used by UNC4841 to deploy their SEASPY backdoor
status test author Nasreddine Bencherchali (Nextron Systems) id f6a711f3-d032-4f9e-890b-bbe776236c84
carbon_black query
Image:\/BarracudaMailService OR Image:\/resize2fstab OR Image:\/resize_reisertab
view Sigma YAML 
title: UNC4841 - Potential SEASPY Execution
id: f6a711f3-d032-4f9e-890b-bbe776236c84
status: test
description: Detects execution of specific named binaries which were used by UNC4841 to deploy their SEASPY backdoor
references:
    - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-16
tags:
    - attack.execution
    - detection.emerging-threats
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '/BarracudaMailService'
            - '/resize2fstab'
            - '/resize_reisertab'
    condition: selection
falsepositives:
    - Unlikely
level: critical
Convert to SIEM query
critical
Ursnif Malware C2 URL Pattern
Detects Ursnif C2 traffic.
status stable author Thomas Patzke id 932ac737-33ca-4afd-9869-0d48b391fcc9
carbon_black query
("c-uri":_2f* OR "c-uri":_2b*) ("c-uri":.avi* "c-uri":\/images\/*)
view Sigma YAML 
title: Ursnif Malware C2 URL Pattern
id: 932ac737-33ca-4afd-9869-0d48b391fcc9
status: stable
description: Detects Ursnif C2 traffic.
references:
    - https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html
author: Thomas Patzke
date: 2019-12-19
modified: 2021-08-09
tags:
    - attack.initial-access
    - attack.t1566.001
    - attack.execution
    - attack.t1204.002
    - attack.command-and-control
    - attack.t1071.001
    - detection.emerging-threats
logsource:
    category: proxy
detection:
    b64encoding:
        c-uri|contains:
            - '_2f'
            - '_2b'
    urlpatterns:
        c-uri|contains|all:
            - '.avi'
            - '/images/'
    condition: b64encoding and urlpatterns
falsepositives:
    - Unknown
level: critical
Convert to SIEM query
critical
WCE wceaux.dll Access
Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host
status test author Thomas Patzke id 1de68c67-af5c-4097-9c85-fe5578e09e67
carbon_black query
(EventID:4656 OR EventID:4663) ObjectName:\\wceaux.dll
view Sigma YAML 
title: WCE wceaux.dll Access
id: 1de68c67-af5c-4097-9c85-fe5578e09e67
status: test
description: Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host
references:
    - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
    - https://jpcertcc.github.io/ToolAnalysisResultSheet
author: Thomas Patzke
date: 2017-06-14
modified: 2025-01-30
tags:
    - attack.credential-access
    - attack.t1003
    - attack.s0005
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID:
            - 4656
            - 4663
        ObjectName|endswith: '\wceaux.dll'
    condition: selection
falsepositives:
    - Unknown
level: critical
Convert to SIEM query
critical
WMI Backdoor Exchange Transport Agent
Detects a WMI backdoor in Exchange Transport Agents via WMI event filters
status test author Florian Roth (Nextron Systems) id 797011dc-44f4-4e6f-9f10-a8ceefbe566b
carbon_black query
ParentImage:\\EdgeTransport.exe (-(Image:C\:\\Windows\\System32\\conhost.exe OR (Image:C\:\\Program\ Files\\Microsoft\\Exchange\ Server\\* Image:\\Bin\\OleConverter.exe)))
view Sigma YAML 
title: WMI Backdoor Exchange Transport Agent
id: 797011dc-44f4-4e6f-9f10-a8ceefbe566b
status: test
description: Detects a WMI backdoor in Exchange Transport Agents via WMI event filters
references:
    - https://twitter.com/cglyer/status/1182389676876980224
    - https://twitter.com/cglyer/status/1182391019633029120
author: Florian Roth (Nextron Systems)
date: 2019-10-11
modified: 2023-02-08
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\EdgeTransport.exe'
    filter_conhost:
        Image: 'C:\Windows\System32\conhost.exe'
    filter_oleconverter:  # FP also documented in https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=18
        Image|startswith: 'C:\Program Files\Microsoft\Exchange Server\'
        Image|endswith: '\Bin\OleConverter.exe'
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: critical
Convert to SIEM query
critical
WannaCry Ransomware Activity
Detects WannaCry ransomware activity
status test author Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro id 41d40bff-377a-43e2-8e1b-2e543069e079
carbon_black query
((Image:\\tasksche.exe OR Image:\\mssecsvc.exe OR Image:\\taskdl.exe OR Image:\\taskhsvc.exe OR Image:\\taskse.exe OR Image:\\111.exe OR Image:\\lhdfrgui.exe OR Image:\\linuxnew.exe OR Image:\\wannacry.exe) OR Image:WanaDecryptor*) OR CommandLine:@[email protected]*
view Sigma YAML 
title: WannaCry Ransomware Activity
id: 41d40bff-377a-43e2-8e1b-2e543069e079
status: test
description: Detects WannaCry ransomware activity
references:
    - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
    - https://x.com/nas_bench/status/1868639048484425963
author: Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro
date: 2019-01-16
modified: 2025-10-18
tags:
    - attack.lateral-movement
    - attack.defense-impairment
    - attack.t1210
    - attack.discovery
    - attack.t1083
    - attack.t1222.001
    - attack.impact
    - attack.t1486
    - attack.t1490
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\tasksche.exe'
              - '\mssecsvc.exe'
              - '\taskdl.exe'
              - '\taskhsvc.exe'
              - '\taskse.exe'
              - '\111.exe'
              - '\lhdfrgui.exe'
              # - '\diskpart.exe'  # cannot be used in a rule of level critical
              - '\linuxnew.exe'
              - '\wannacry.exe'
        - Image|contains: 'WanaDecryptor'
    selection_cmd:
        CommandLine|contains: '@[email protected]'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: critical
Convert to SIEM query
critical
Webshell Remote Command Execution
Detects possible command execution by web application/web shell
status test author Ilyas Ochkov, Beyu Denis, oscd.community id c0d3734d-330f-4a03-aae2-65dacc6a8222
carbon_black query
type:SYSCALL (SYSCALL:execve OR SYSCALL:execveat) euid:33
view Sigma YAML 
title: Webshell Remote Command Execution
id: c0d3734d-330f-4a03-aae2-65dacc6a8222
status: test
description: Detects possible command execution by web application/web shell
references:
    - Personal Experience of the Author
    - https://www.vaadata.com/blog/what-is-command-injection-exploitations-and-security-best-practices/
author: Ilyas Ochkov, Beyu Denis, oscd.community
date: 2019-10-12
modified: 2025-12-05
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    product: linux
    service: auditd
    definition: |
        Required auditd configuration:
        -a always,exit -F arch=b32 -S execve -F euid=33 -k detect_execve_www
        -a always,exit -F arch=b64 -S execve -F euid=33 -k detect_execve_www
        -a always,exit -F arch=b32 -S execveat -F euid=33 -k detect_execve_www
        -a always,exit -F arch=b64 -S execveat -F euid=33 -k detect_execve_www
        Change the number "33" to the ID of your WebServer user. Default: www-data:x:33:33
detection:
    selection:
        type: 'SYSCALL'
        SYSCALL:
            - 'execve'
            - 'execveat'
        euid: 33
    condition: selection
falsepositives:
    - Admin activity
    - Crazy web applications
level: critical
Convert to SIEM query
critical
Win Susp Computer Name Containing Samtheadmin
Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool
status test author elhoim id 39698b3f-da92-4bc6-bfb5-645a98386e45
carbon_black query
(SamAccountName:SAMTHEADMIN\-* SamAccountName:$) OR (TargetUserName:SAMTHEADMIN\-* TargetUserName:$)
view Sigma YAML 
title: Win Susp Computer Name Containing Samtheadmin
id: 39698b3f-da92-4bc6-bfb5-645a98386e45
status: test
description: Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool
references:
    - https://twitter.com/malmoeb/status/1511760068743766026
    - https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py
author: elhoim
date: 2022-09-09
modified: 2023-01-04
tags:
    - attack.initial-access
    - cve.2021-42278
    - cve.2021-42287
    - attack.persistence
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1078
logsource:
    service: security
    product: windows
detection:
    # Not adding an EventID on purpose to try to match on any event in security (including use of account), not just 4741 (computer account created)
    selection1:
        SamAccountName|startswith: 'SAMTHEADMIN-'
        SamAccountName|endswith: '$'
    selection2:
        TargetUserName|startswith: 'SAMTHEADMIN-'
        TargetUserName|endswith: '$'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: critical
Convert to SIEM query
critical
Windows Credential Editor Registry
Detects the use of Windows Credential Editor (WCE)
status test author Florian Roth (Nextron Systems) id a6b33c02-8305-488f-8585-03cb2a7763f2
carbon_black query
TargetObject:Services\\WCESERVICE\\Start*
view Sigma YAML 
title: Windows Credential Editor Registry
id: a6b33c02-8305-488f-8585-03cb2a7763f2
status: test
description: Detects the use of Windows Credential Editor (WCE)
references:
    - https://www.ampliasecurity.com/research/windows-credentials-editor/
author: Florian Roth (Nextron Systems)
date: 2019-12-31
modified: 2021-11-27
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.s0005
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|contains: Services\WCESERVICE\Start
    condition: selection
falsepositives:
    - Unknown
level: critical
Convert to SIEM query
critical
Winnti Malware HK University Campaign
Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities
status test author Florian Roth (Nextron Systems), Markus Neis id 3121461b-5aa0-4a41-b910-66d25524edbb
carbon_black query
((ParentImage:C\:\\Windows\\Temp* OR ParentImage:\\hpqhvind.exe*) Image:C\:\\ProgramData\\DRM*) OR (ParentImage:C\:\\ProgramData\\DRM* Image:\\wmplayer.exe) OR (ParentImage:\\Test.exe Image:\\wmplayer.exe) OR Image:C\:\\ProgramData\\DRM\\CLR\\CLR.exe OR (ParentImage:C\:\\ProgramData\\DRM\\Windows* Image:\\SearchFilterHost.exe)
view Sigma YAML 
title: Winnti Malware HK University Campaign
id: 3121461b-5aa0-4a41-b910-66d25524edbb
status: test
description: Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities
references:
    - https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/
author: Florian Roth (Nextron Systems), Markus Neis
date: 2020-02-01
modified: 2021-11-27
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
    - attack.g0044
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        ParentImage|contains:
            - 'C:\Windows\Temp'
            - '\hpqhvind.exe'
        Image|startswith: 'C:\ProgramData\DRM'
    selection2:
        ParentImage|startswith: 'C:\ProgramData\DRM'
        Image|endswith: '\wmplayer.exe'
    selection3:
        ParentImage|endswith: '\Test.exe'
        Image|endswith: '\wmplayer.exe'
    selection4:
        Image: 'C:\ProgramData\DRM\CLR\CLR.exe'
    selection5:
        ParentImage|startswith: 'C:\ProgramData\DRM\Windows'
        Image|endswith: '\SearchFilterHost.exe'
    condition: 1 of selection*
falsepositives:
    - Unlikely
level: critical
Convert to SIEM query
critical
Winnti Pipemon Characteristics
Detects specific process characteristics of Winnti Pipemon malware reported by ESET
status stable author Florian Roth (Nextron Systems), oscd.community id 73d70463-75c9-4258-92c6-17500fe972f2
carbon_black query
CommandLine:setup0.exe\ \-p* OR (CommandLine:setup.exe* (CommandLine:\-x\:0 OR CommandLine:\-x\:1 OR CommandLine:\-x\:2))
view Sigma YAML 
title: Winnti Pipemon Characteristics
id: 73d70463-75c9-4258-92c6-17500fe972f2
status: stable
description: Detects specific process characteristics of Winnti Pipemon malware reported by ESET
references:
    - https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/
author: Florian Roth (Nextron Systems), oscd.community
date: 2020-07-30
modified: 2021-11-27
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
    - attack.g0044
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_1:
        CommandLine|contains: 'setup0.exe -p'
    selection_2:
        CommandLine|contains: 'setup.exe'
        CommandLine|endswith:
            - '-x:0'
            - '-x:1'
            - '-x:2'
    condition: 1 of selection_*
falsepositives:
    - Legitimate setups that use similar flags
level: critical
Convert to SIEM query
critical
Wmiexec Default Output File
Detects the creation of the default output filename used by the wmiexec tool
status test author Nasreddine Bencherchali (Nextron Systems) id 8d5aca11-22b3-4f22-b7ba-90e60533e1fb
carbon_black query
TargetFilename:\\\\Windows\\\\__1\\d{9}\\.\\d{1,7}$ OR TargetFilename:C:\\\\__1\\d{9}\\.\\d{1,7}$ OR TargetFilename:D:\\\\__1\\d{9}\\.\\d{1,7}$
view Sigma YAML 
title: Wmiexec Default Output File
id: 8d5aca11-22b3-4f22-b7ba-90e60533e1fb
status: test
description: Detects the creation of the default output filename used by the wmiexec tool
references:
    - https://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/
    - https://github.com/fortra/impacket/blob/f4b848fa27654ca95bc0f4c73dbba8b9c2c9f30a/examples/wmiexec.py
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-02
modified: 2023-03-08
tags:
    - attack.lateral-movement
    - attack.execution
    - attack.t1047
logsource:
    category: file_event
    product: windows
detection:
    selection:
        - TargetFilename|re: '\\Windows\\__1\d{9}\.\d{1,7}$' # Admin$
        - TargetFilename|re: 'C:\\__1\d{9}\.\d{1,7}$' # C$
        - TargetFilename|re: 'D:\\__1\d{9}\.\d{1,7}$' # D$
    condition: selection
falsepositives:
    - Unlikely
level: critical
Convert to SIEM query
critical
Wmiprvse Wbemcomn DLL Hijack - File
Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
status test author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) id 614a7e17-5643-4d89-b6fe-f9df1a79641c
carbon_black query
Image:System TargetFilename:\\wbem\\wbemcomn.dll
view Sigma YAML 
title: Wmiprvse Wbemcomn DLL Hijack - File
id: 614a7e17-5643-4d89-b6fe-f9df1a79641c
status: test
description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
references:
    - https://threathunterplaybook.com/hunts/windows/201009-RemoteWMIWbemcomnDLLHijack/notebook.html
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-10-12
modified: 2022-12-02
tags:
    - attack.execution
    - attack.t1047
    - attack.lateral-movement
    - attack.t1021.002
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image: System
        TargetFilename|endswith: '\wbem\wbemcomn.dll'
    condition: selection
falsepositives:
    - Unknown
level: critical
Convert to SIEM query
critical
Zerologon Exploitation Using Well-known Tools
This rule is designed to detect attempts to exploit Zerologon (CVE-2020-1472) vulnerability using mimikatz zerologon module or other exploits from machine with "kali" hostname.
status stable author Demyan Sokolin @_drd0c, Teymur Kheirkhabarov @HeirhabarovT, oscd.community id 18f37338-b9bd-4117-a039-280c81f7a596
carbon_black query
(EventID:5805 OR EventID:5723) ("kali" OR "mimikatz")
view Sigma YAML 
title: Zerologon Exploitation Using Well-known Tools
id: 18f37338-b9bd-4117-a039-280c81f7a596
status: stable
description: This rule is designed to detect attempts to exploit Zerologon (CVE-2020-1472) vulnerability using mimikatz zerologon module or other exploits from machine with "kali" hostname.
references:
    - https://www.secura.com/blog/zero-logon
    - https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382
author: 'Demyan Sokolin @_drd0c, Teymur Kheirkhabarov @HeirhabarovT, oscd.community'
date: 2020-10-13
modified: 2021-05-30
tags:
    - attack.t1210
    - attack.lateral-movement
logsource:
    service: system
    product: windows
detection:
    selection:
        EventID:
            - 5805
            - 5723
    keywords:
        - kali
        - mimikatz
    condition: selection and keywords
level: critical
Convert to SIEM query
critical
ZxShell Malware
Detects a ZxShell start by the called and well-known function name
status test author Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro id f0b70adb-0075-43b0-9745-e82a1c608fcc
carbon_black query
Image:\\rundll32.exe (CommandLine:zxFunction* OR CommandLine:RemoteDiskXXXXX*)
view Sigma YAML 
title: ZxShell Malware
id: f0b70adb-0075-43b0-9745-e82a1c608fcc
status: test
description: Detects a ZxShell start by the called and well-known function name
references:
    - https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100
    - https://pub-7cb8ac806c1b4c4383e585c474a24719.r2.dev/116309e7121bc8b0e66e4166c06f7b818e1d3629.pdf
author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
date: 2017-07-20
modified: 2021-11-27
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.003
    - attack.t1218.011
    - attack.s0412
    - attack.g0001
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\rundll32.exe'
        CommandLine|contains:
            - 'zxFunction'
            - 'RemoteDiskXXXXX'
    condition: selection
falsepositives:
    - Unlikely
level: critical
Convert to SIEM query
Showing 151-174 of 174
Prev 4 Next
SOC and Response
CVE triage
Stack monitoring
Am I affected
IOC triage
KEV catalog
Recently exploited
Daily brief
Change tracking
Detection Engineering
Coverage workspace
Detection coverage
Coverage check
Telemetry ceiling
SIEM query builder
Sigma rules
SIEM rules
YARA rules
Network rules
D3FEND
Threat Hunting
Threat actors
ATT&CK techniques
Attack paths
Indicators
Ransomware groups
Atomic tests
Red Team and Pentest
Exploitability triage
Recon pack
Attack paths
CAPEC patterns
Adversary emulation
Compliance and GRC
Framework mapping
Control assessment
Audit view
Atlas Search Threat actors Techniques Tools & malware CWE CAPEC KEV catalog Package vulns
About All capabilities Pricing API docs Privacy policy Terms of service
threatengine.sh