VMware Carbon Black

328 rules · Sigma detections in VMware Carbon Black syntax
The same Sigma detection corpus, machine-rendered into VMware Carbon Black query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape: status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate is derived from the rule's shape, not from a measured rate, so use it to decide what to tune first before you deploy.

Detection rules

Level: low · Quality: Moderate · Alert volume: Medium FP
Service Reload or Start - Linux
Detects the start, reload or restart of a service.
Status: test · Author: Jakob Weinzettl, oscd.community, CheraghiMilad · ATT&CK mapping: sub-technique · ID: 2625cc59-0634-40d0-821e-cb67382a3dd7
Carbon Black query:
type:EXECVE (a0:systemctl* OR a0:service*) (a1:reload* OR a1:start*)
Sigma YAML:
title: Service Reload or Start - Linux
id: 2625cc59-0634-40d0-821e-cb67382a3dd7
status: test
description: Detects the start, reload or restart of a service.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.002/T1543.002.md
author: Jakob Weinzettl, oscd.community, CheraghiMilad
date: 2019-09-23
modified: 2025-03-03
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1543.002
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'EXECVE'
        a0|contains:
            - 'systemctl'
            - 'service'
        a1|contains:
            - 'reload'
            - 'start'
    condition: selection
falsepositives:
    - Installation of legitimate service.
    - Legitimate reconfiguration of service.
    - Command line contains daemon-reload.
level: low

Level: low · Quality: Moderate · Alert volume: High FP
Set Files as System Files Using Attrib.EXE
Detects the execution of "attrib" with the "+s" flag to mark files as system files
Status: test · Author: frack113 · ATT&CK mapping: sub-technique · ID: bb19e94c-59ae-4c15-8c12-c563d23fe52b
Carbon Black query:
(Image:\\attrib.exe OR OriginalFileName:ATTRIB.EXE) CommandLine:\ \+s\ *
Sigma YAML:
title: Set Files as System Files Using Attrib.EXE
id: bb19e94c-59ae-4c15-8c12-c563d23fe52b
related:
    - id: efec536f-72e8-4656-8960-5e85d091345b
      type: similar
status: test
description: Detects the execution of "attrib" with the "+s" flag to mark files as system files
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-3---create-windows-system-file-with-attrib
    - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/attrib
    - https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/
author: frack113
date: 2022-02-04
modified: 2023-03-14
tags:
    - attack.stealth
    - attack.t1564.001
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\attrib.exe'
        - OriginalFileName: 'ATTRIB.EXE'
    selection_cli:
        CommandLine|contains: ' +s '
    condition: all of selection_*
falsepositives:
    - Unknown
level: low

Level: low · Quality: Moderate · Alert volume: High FP
Setuid and Setgid
Detects suspicious change of file privileges with chown and chmod commands
Status: test · Author: Ömer Günal · ATT&CK mapping: sub-technique · ID: c21c4eaa-ba2e-419a-92b2-8371703cbe21
Carbon Black query:
CommandLine:chown\ root* (CommandLine:\ chmod\ u\+s* OR CommandLine:\ chmod\ g\+s*)
Sigma YAML:
title: Setuid and Setgid
id: c21c4eaa-ba2e-419a-92b2-8371703cbe21
status: test
description: Detects suspicious change of file privileges with chown and chmod commands
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.001/T1548.001.md
author: Ömer Günal
date: 2020-06-16
modified: 2022-10-05
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1548.001
logsource:
    product: linux
    category: process_creation
detection:
    selection_root:
        CommandLine|contains: 'chown root'
    selection_perm:
        CommandLine|contains:
            - ' chmod u+s'
            - ' chmod g+s'
    condition: all of selection_*
falsepositives:
    - Legitimate administration activities
level: low

Level: low · Quality: Strong · Alert volume: High FP
Share And Session Enumeration Using Net.EXE
Detects attempts to enumerate file shares, printer shares and sessions using "net.exe" with the "view" flag.
Status: stable · Author: Endgame, JHasenbusch (ported for oscd.community) · ATT&CK mapping: technique · ID: 62510e69-616b-4078-b371-847da438cc03
Carbon Black query:
(((Image:\\net.exe OR Image:\\net1.exe) OR (OriginalFileName:net.exe OR OriginalFileName:net1.exe)) CommandLine:view*) (-CommandLine:\\\\*)
Sigma YAML:
title: Share And Session Enumeration Using Net.EXE
id: 62510e69-616b-4078-b371-847da438cc03
status: stable
description: Detects attempts to enumerate file shares, printer shares and sessions using "net.exe" with the "view" flag.
references:
    - https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
author: Endgame, JHasenbusch (ported for oscd.community)
date: 2018-10-30
modified: 2023-02-21
tags:
    - attack.discovery
    - attack.t1018
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\net.exe'
              - '\net1.exe'
        - OriginalFileName:
              - 'net.exe'
              - 'net1.exe'
    selection_cli:
        CommandLine|contains: 'view'
    filter:
        CommandLine|contains: '\\\\'
    condition: all of selection_* and not filter
falsepositives:
    - Legitimate use of net.exe utility by legitimate user
level: low

Level: low · Quality: Moderate · Alert volume: High FP
Shell Context Menu Command Tampering
Detects changes to shell context menu commands. Use this rule to hunt for potential anomalies and suspicious shell commands.
Status: test · Author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: tactic-only · ID: 868df2d1-0939-4562-83a7-27408c4a1ada
Carbon Black query:
TargetObject:\\Software\\Classes\\* TargetObject:\\shell\\* TargetObject:\\command\\*
Sigma YAML:
title: Shell Context Menu Command Tampering
id: 868df2d1-0939-4562-83a7-27408c4a1ada
status: test
description: Detects changes to shell context menu commands. Use this rule to hunt for potential anomalies and suspicious shell commands.
references:
    - https://mrd0x.com/sentinelone-persistence-via-menu-context/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-03-06
tags:
    - attack.persistence
    - detection.threat-hunting
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains|all:
            - '\Software\Classes\'
            - '\shell\'
            - '\command\'
    condition: selection
falsepositives:
    - Likely from new software installation suggesting to add context menu items. Such as "PowerShell", "Everything", "Git", etc.
level: low

Level: low · Quality: Moderate · Alert volume: Low FP
Sign-ins by Unknown Devices
Monitor and alert for sign-ins by unknown devices from non-trusted locations.
Status: test · Author: Michael Epping, '@mepples21' · ATT&CK mapping: sub-technique · ID: 4d136857-6a1a-432a-82fc-5dd497ee5e7c
Carbon Black query:
AuthenticationRequirement:singleFactorAuthentication ResultType:0 NetworkLocationDetails:\[\] "DeviceDetail.deviceId":
Sigma YAML:
title: Sign-ins by Unknown Devices
id: 4d136857-6a1a-432a-82fc-5dd497ee5e7c
status: test
description: Monitor and alert for Sign-ins by unknown devices from non-Trusted locations.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in
author: Michael Epping, '@mepples21'
date: 2022-06-28
modified: 2022-10-05
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.stealth
    - attack.t1078.004
logsource:
    product: azure
    service: signinlogs
detection:
    selection:
        AuthenticationRequirement: singleFactorAuthentication
        ResultType: 0
        NetworkLocationDetails: '[]'
        DeviceDetail.deviceId: ''
    condition: selection
falsepositives:
    - Unknown
level: low

Level: low · Quality: Moderate · Alert volume: High FP
Space After Filename - macOS
Detects attempts to masquerade as legitimate files by adding a space to the end of the filename.
Status: test · Author: remotephone · ATT&CK mapping: sub-technique · ID: b6e2a2e3-2d30-43b1-a4ea-071e36595690
Carbon Black query (note the trailing escaped space after each field, which is the pattern being matched):
CommandLine:\  OR Image:\ 
Sigma YAML:
title: Space After Filename - macOS
id: b6e2a2e3-2d30-43b1-a4ea-071e36595690
status: test
description: Detects attempts to masquerade as legitimate files by adding a space to the end of the filename.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.006/T1036.006.md
author: remotephone
date: 2021-11-20
modified: 2023-01-04
tags:
    - attack.stealth
    - attack.t1036.006
logsource:
    product: macos
    category: process_creation
detection:
    selection1:
        CommandLine|endswith: ' '
    selection2:
        Image|endswith: ' '
    condition: 1 of selection*
falsepositives:
    - Mistyped commands or legitimate binaries named to match the pattern
level: low

Level: low · Quality: Moderate · Alert volume: Medium FP
Special File Creation via Mknod Syscall
Detects usage of the `mknod` syscall to create special files (e.g., character or block devices). Attackers or malware might use `mknod` to create fake devices, interact with kernel interfaces, or establish covert channels in Linux systems. Monitoring the use of `mknod` is important because this syscall is rarely used by legitimate applications, and it can be abused to bypass file system restrictions or create backdoors.
Status: experimental · Author: Milad Cheraghi · ATT&CK mapping: sub-technique · ID: 710bdbce-495d-491d-9a8f-7d0d88d2b41e
Carbon Black query:
type:SYSCALL SYSCALL:mknod
Sigma YAML:
title: Special File Creation via Mknod Syscall
id: 710bdbce-495d-491d-9a8f-7d0d88d2b41e
status: experimental
description: |
    Detects usage of the `mknod` syscall to create special files (e.g., character or block devices).
    Attackers or malware might use `mknod` to create fake devices, interact with kernel interfaces,
    or establish covert channels in Linux systems.
    Monitoring the use of `mknod` is important because this syscall is rarely used by legitimate applications,
    and it can be abused to bypass file system restrictions or create backdoors.
references:
    - https://man7.org/linux/man-pages/man2/mknod.2.html
    - https://hopeness.medium.com/master-the-linux-mknod-command-a-comprehensive-guide-1c150a546aa8
author: Milad Cheraghi
date: 2025-05-31
modified: 2025-12-05
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1543.003
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'SYSCALL'
        SYSCALL: 'mknod'
    condition: selection
falsepositives:
    - Device creation by legitimate scripts or init systems (udevadm, MAKEDEV)
    - Container runtimes or security tools during initialization
level: low

Level: low · Quality: Moderate · Alert volume: High FP
Split A File Into Pieces
Detects use of the "split" command to split files into parts, possibly in preparation for transfer.
Status: test · Author: Igor Fits, Mikhail Larin, oscd.community · ATT&CK mapping: technique · ID: 7f2bb9d5-6395-4de5-969c-70c11fbe6b12
Carbon Black query:
Image:\/split
Sigma YAML:
title: Split A File Into Pieces
id: 7f2bb9d5-6395-4de5-969c-70c11fbe6b12
status: test
description: Detection use of the command "split" to split files into parts and possible transfer.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1030/T1030.md
author: 'Igor Fits, Mikhail Larin, oscd.community'
date: 2020-10-15
modified: 2021-11-27
tags:
    - attack.exfiltration
    - attack.t1030
logsource:
    product: macos
    category: process_creation
detection:
    selection:
        Image|endswith: '/split'
    condition: selection
falsepositives:
    - Legitimate administrative activity
level: low

Level: low · Quality: Moderate · Alert volume: Medium FP
Split A File Into Pieces - Linux
Detects use of the "split" command to split files into parts, possibly in preparation for transfer.
Status: test · Author: Igor Fits, oscd.community · ATT&CK mapping: technique · ID: 2dad0cba-c62a-4a4f-949f-5f6ecd619769
Carbon Black query:
type:SYSCALL comm:split
Sigma YAML:
title: Split A File Into Pieces - Linux
id: 2dad0cba-c62a-4a4f-949f-5f6ecd619769
status: test
description: 'Detection use of the command "split" to split files into parts and possible transfer.'
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1030/T1030.md
author: 'Igor Fits, oscd.community'
date: 2020-10-15
modified: 2022-11-28
tags:
    - attack.exfiltration
    - attack.t1030
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'SYSCALL'
        comm: 'split'
    condition: selection
falsepositives:
    - Legitimate administrative activity
level: low

Level: low · Quality: Moderate · Alert volume: High FP
Start Windows Service Via Net.EXE
Detects the usage of the "net.exe" command to start a service using the "start" flag
Status: test · Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community · ATT&CK mapping: sub-technique · ID: 2a072a96-a086-49fa-bcb5-15cc5a619093
Carbon Black query:
((Image:\\net.exe OR Image:\\net1.exe) OR (OriginalFileName:net.exe OR OriginalFileName:net1.exe)) CommandLine:\ start\ *
Sigma YAML:
title: Start Windows Service Via Net.EXE
id: 2a072a96-a086-49fa-bcb5-15cc5a619093
status: test
description: Detects the usage of the "net.exe" command to start a service using the "start" flag
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1569.002/T1569.002.md
author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
date: 2019-10-21
modified: 2023-03-05
tags:
    - attack.execution
    - attack.t1569.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\net.exe'
              - '\net1.exe'
        - OriginalFileName:
              - 'net.exe'
              - 'net1.exe'
    selection_cli:
        CommandLine|contains: ' start '     # space character after the 'start' keyword indicates that a service name follows, in contrast to `net start` discovery expression
    condition: all of selection_*
falsepositives:
    - Legitimate administrator or user executes a service for legitimate reasons.
level: low

Level: low · Quality: Moderate · Alert volume: High FP
Startup Item File Created - MacOS
Detects the creation of a startup item plist file that automatically gets executed at boot initialization to establish persistence. Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.
Status: test · Author: Alejandro Ortuno, oscd.community · ATT&CK mapping: sub-technique · ID: dfe8b941-4e54-4242-b674-6b613d521962
Carbon Black query:
(TargetFilename:\/Library\/StartupItems\/* OR TargetFilename:\/System\/Library\/StartupItems*) TargetFilename:.plist
Sigma YAML:
title: Startup Item File Created - MacOS
id: dfe8b941-4e54-4242-b674-6b613d521962
status: test
description: |
    Detects the creation of a startup item plist file, that automatically get executed at boot initialization to establish persistence.
    Adversaries may use startup items automatically executed at boot initialization to establish persistence.
    Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.005/T1037.005.md
    - https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html
author: Alejandro Ortuno, oscd.community
date: 2020-10-14
modified: 2024-08-11
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1037.005
logsource:
    category: file_event
    product: macos
detection:
    selection:
        TargetFilename|startswith:
            - '/Library/StartupItems/'
            - '/System/Library/StartupItems'
        TargetFilename|endswith: '.plist'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: low

Level: low · Quality: Moderate · Alert volume: Medium FP
Steganography Extract Files with Steghide
Detects extraction of files using the steghide binary; adversaries may use this technique to prevent the detection of hidden information.
Status: test · Author: Pawel Mazur · ATT&CK mapping: sub-technique · ID: a5a827d9-1bbe-4952-9293-c59d897eb41b
Carbon Black query:
type:EXECVE a0:steghide a1:extract a2:\-sf (a3:.jpg OR a3:.png)
Sigma YAML:
title: Steganography Extract Files with Steghide
id: a5a827d9-1bbe-4952-9293-c59d897eb41b
status: test
description: Detects extraction of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information.
references:
    - https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/
author: 'Pawel Mazur'
date: 2021-09-11
modified: 2022-10-09
tags:
    - attack.stealth
    - attack.t1027.003
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: EXECVE
        a0: steghide
        a1: extract
        a2: '-sf'
        a3|endswith:
            - '.jpg'
            - '.png'
    condition: selection
falsepositives:
    - Unknown
level: low

Level: low · Quality: Moderate · Alert volume: Low FP
Steganography Hide Files with Steghide
Detects embedding of files using the steghide binary; adversaries may use this technique to prevent the detection of hidden information.
Status: test · Author: Pawel Mazur · ATT&CK mapping: sub-technique · ID: ce446a9e-30b9-4483-8e38-d2c9ad0a2280
Carbon Black query:
type:EXECVE a0:steghide a1:embed (a2:\-cf OR a2:\-ef) (a4:\-cf OR a4:\-ef)
Sigma YAML:
title: Steganography Hide Files with Steghide
id: ce446a9e-30b9-4483-8e38-d2c9ad0a2280
status: test
description: Detects embedding of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information.
references:
    - https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/
author: 'Pawel Mazur'
date: 2021-09-11
modified: 2022-10-09
tags:
    - attack.stealth
    - attack.t1027.003
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: EXECVE
        a0: steghide
        a1: embed
        a2:
            - '-cf'
            - '-ef'
        a4:
            - '-cf'
            - '-ef'
    condition: selection
falsepositives:
    - Unknown
level: low

Level: low · Quality: Moderate · Alert volume: Medium FP
Steganography Hide Zip Information in Picture File
Detects appending of a zip file to an image
Status: test · Author: Pawel Mazur · ATT&CK mapping: sub-technique · ID: 45810b50-7edc-42ca-813b-bdac02fb946b
Carbon Black query:
(type:EXECVE a0:cat) (a1:.jpg OR a1:.png) a2:.zip
Sigma YAML:
title: Steganography Hide Zip Information in Picture File
id: 45810b50-7edc-42ca-813b-bdac02fb946b
status: test
description: Detects appending of zip file to image
references:
    - https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/
author: 'Pawel Mazur'
date: 2021-09-09
modified: 2022-10-09
tags:
    - attack.stealth
    - attack.t1027.003
logsource:
    product: linux
    service: auditd
detection:
    commands:
        type: EXECVE
        a0: cat
    a1:
        a1|endswith:
            - '.jpg'
            - '.png'
    a2:
        a2|endswith: '.zip'
    condition: commands and a1 and a2
falsepositives:
    - Unknown
level: low

Level: low · Quality: Moderate · Alert volume: Medium FP
Steganography Unzip Hidden Information From Picture File
Detects extraction of a zip file from an image file
Status: test · Author: Pawel Mazur · ATT&CK mapping: sub-technique · ID: edd595d7-7895-4fa7-acb3-85a18a8772ca
Carbon Black query:
(type:EXECVE a0:unzip) (a1:.jpg OR a1:.png)
Sigma YAML:
title: Steganography Unzip Hidden Information From Picture File
id: edd595d7-7895-4fa7-acb3-85a18a8772ca
status: test
description: Detects extracting of zip file from image file
references:
    - https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/
author: 'Pawel Mazur'
date: 2021-09-09
modified: 2022-10-09
tags:
    - attack.stealth
    - attack.t1027.003
logsource:
    product: linux
    service: auditd
detection:
    commands:
        type: EXECVE
        a0: unzip
    a1:
        a1|endswith:
            - '.jpg'
            - '.png'
    condition: commands and a1
falsepositives:
    - Unknown
level: low

Level: low · Quality: Moderate · Alert volume: High FP
Stop Windows Service Via Net.EXE
Detects the stopping of a Windows service via the "net" utility.
Status: test · Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: technique · ID: 88872991-7445-4a22-90b2-a3adadb0e827
Carbon Black query:
((OriginalFileName:net.exe OR OriginalFileName:net1.exe) OR (Image:\\net.exe OR Image:\\net1.exe)) CommandLine:\ stop\ *
Sigma YAML:
title: Stop Windows Service Via Net.EXE
id: 88872991-7445-4a22-90b2-a3adadb0e827
related:
    - id: eb87818d-db5d-49cc-a987-d5da331fbd90
      type: obsolete
status: test
description: Detects the stopping of a Windows service via the "net" utility.
references:
    - https://ss64.com/nt/net-service.html
author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-05
tags:
    - attack.impact
    - attack.t1489
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName:
              - 'net.exe'
              - 'net1.exe'
        - Image|endswith:
              - '\net.exe'
              - '\net1.exe'
    selection_cli:
        CommandLine|contains: ' stop '
    condition: all of selection_*
falsepositives:
    - There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behaviour in particular. Filter legitimate activity accordingly
level: low

Level: low · Quality: Moderate · Alert volume: High FP
Stop Windows Service Via PowerShell Stop-Service
Detects the stopping of a Windows service via the PowerShell Cmdlet "Stop-Service"
Status: test · Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: technique · ID: c49c5062-0966-4170-9efd-9968c913a6cf
Carbon Black query:
((OriginalFileName:PowerShell.EXE OR OriginalFileName:pwsh.dll) OR (Image:\\powershell.exe OR Image:\\pwsh.exe)) CommandLine:Stop\-Service\ *
Sigma YAML:
title: Stop Windows Service Via PowerShell Stop-Service
id: c49c5062-0966-4170-9efd-9968c913a6cf
related:
    - id: eb87818d-db5d-49cc-a987-d5da331fbd90
      type: obsolete
status: test
description: Detects the stopping of a Windows service via the PowerShell Cmdlet "Stop-Service"
references:
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/stop-service?view=powershell-7.4
author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-05
tags:
    - attack.impact
    - attack.t1489
logsource:
    category: process_creation
    product: windows
detection:
    selection_sc_net_img:
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
    selection_cli:
        CommandLine|contains: 'Stop-Service '
    condition: all of selection_*
falsepositives:
    - There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behaviour in particular. Filter legitimate activity accordingly
level: low

Level: low · Quality: Moderate · Alert volume: High FP
Stop Windows Service Via Sc.EXE
Detects the stopping of a Windows service via the "sc.exe" utility
Status: test · Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: technique · ID: 81bcb81b-5b1f-474b-b373-52c871aaa7b1
Carbon Black query:
(OriginalFileName:sc.exe OR Image:\\sc.exe) CommandLine:\ stop\ *
Sigma YAML:
title: Stop Windows Service Via Sc.EXE
id: 81bcb81b-5b1f-474b-b373-52c871aaa7b1
related:
    - id: eb87818d-db5d-49cc-a987-d5da331fbd90
      type: obsolete
status: test
description: Detects the stopping of a Windows service via the "sc.exe" utility
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc742107(v=ws.11)
author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-05
modified: 2024-01-18
tags:
    - attack.impact
    - attack.t1489
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'sc.exe'
        - Image|endswith: '\sc.exe'
    selection_cli:
        CommandLine|contains: ' stop '
    condition: all of selection_*
falsepositives:
    - There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behavior in particular. Filter legitimate activity accordingly
level: low
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_sc_stop_service/info.yml

Level: low · Quality: Moderate · Alert volume: Medium FP
Successful Account Login Via WMI
Detects successful logon attempts performed with WMI
Status: stable · Author: Thomas Patzke · ATT&CK mapping: technique · ID: 5af54681-df95-4c26-854f-2565e13cfab0
Carbon Black query:
EventID:4624 ProcessName:\\WmiPrvSE.exe
Sigma YAML:
title: Successful Account Login Via WMI
id: 5af54681-df95-4c26-854f-2565e13cfab0
status: stable
description: Detects successful logon attempts performed with WMI
references:
    - Internal Research
author: Thomas Patzke
date: 2019-12-04
modified: 2024-01-17
tags:
    - attack.execution
    - attack.t1047
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624
        ProcessName|endswith: '\WmiPrvSE.exe'
    condition: selection
falsepositives:
    - Monitoring tools
    - Legitimate system administration
level: low

Level: low · Quality: Moderate · Alert volume: Medium FP
Successful MSIX/AppX Package Installation
Detects successful MSIX/AppX package installations on Windows systems by monitoring EventID 854 in the Microsoft-Windows-AppXDeployment-Server/Operational log. While most installations are legitimate, this can help identify unauthorized or suspicious package installations. It is crucial to monitor such events as threat actors may exploit MSIX/AppX packages to deliver and execute malicious payloads.
Status: experimental · Author: Michael Haag, Swachchhanda Shrawan Poudel (Nextron Systems) · ATT&CK mapping: sub-technique · ID: 289dfa9e-e378-4a56-a9d4-7ed5ee218029
Carbon Black query:
EventID:854
Sigma YAML:
title: Successful MSIX/AppX Package Installation
id: 289dfa9e-e378-4a56-a9d4-7ed5ee218029
status: experimental
description: |
    Detects successful MSIX/AppX package installations on Windows systems by monitoring EventID 854 in the Microsoft-Windows-AppXDeployment-Server/Operational log.
    While most installations are legitimate, this can help identify unauthorized or suspicious package installations.
    It is crucial to monitor such events as threat actors may exploit MSIX/AppX packages to deliver and execute malicious payloads.
references:
    - https://www.splunk.com/en_us/blog/security/msix-weaponization-threat-detection-splunk.html
author: Michael Haag, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-03
tags:
    - attack.execution
    - attack.t1204.002
    - detection.threat-hunting
logsource:
    product: windows
    service: appxdeployment-server
detection:
    selection:
        EventID: 854
    condition: selection
falsepositives:
    - Legitimate MSIX/AppX package installations
level: low

Level: low · Quality: Moderate · Alert volume: High FP
Suspicious Connection to Remote Account
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism.
Status: test · Author: frack113 · ATT&CK mapping: sub-technique · ID: 1883444f-084b-419b-ac62-e0d0c5b3693f
Carbon Black query:
ScriptBlockText:System.DirectoryServices.Protocols.LdapDirectoryIdentifier* OR ScriptBlockText:System.Net.NetworkCredential* OR ScriptBlockText:System.DirectoryServices.Protocols.LdapConnection*
Sigma YAML:
title: Suspicious Connection to Remote Account
id: 1883444f-084b-419b-ac62-e0d0c5b3693f
status: test
description: |
    Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.
    Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.001/T1110.001.md#atomic-test-2---brute-force-credentials-of-single-active-directory-domain-user-via-ldap-against-domain-controller-ntlm-or-kerberos
author: frack113
date: 2021-12-27
tags:
    - attack.credential-access
    - attack.t1110.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'System.DirectoryServices.Protocols.LdapDirectoryIdentifier'
            - 'System.Net.NetworkCredential'
            - 'System.DirectoryServices.Protocols.LdapConnection'
    condition: selection
falsepositives:
    - Unknown
level: low

Level: low · Quality: Moderate · Alert volume: High FP
Suspicious Deno File Written from Remote Source
Detects Deno writing a file from a direct HTTP(S) call and writing to the AppData folder, or bringing its own malicious DLL. This behavior may indicate an attempt to execute remotely hosted, potentially malicious files through Deno.
Status: experimental · Author: Josh Nickels, Michael Taggart · ATT&CK mapping: sub-technique · ID: 6c0ce3b6-85e2-49d4-9c3f-6e008ce9796e
Carbon Black query:
(TargetFilename:\\deno\\gen\\* OR TargetFilename:\\deno\\remote\\https\\*) (TargetFilename:\:\\Users\\* TargetFilename:\\AppData\\*)
Sigma YAML:
title: Suspicious Deno File Written from Remote Source
id: 6c0ce3b6-85e2-49d4-9c3f-6e008ce9796e
status: experimental
description: |
    Detects Deno writing a file fetched through a direct HTTP(S) call into the user's AppData folder, or bringing its own malicious DLL.
    This behavior may indicate an attempt to execute remotely hosted, potentially malicious files through Deno.
references:
    - https://taggart-tech.com/evildeno/
author: Josh Nickels, Michael Taggart
date: 2025-05-22
tags:
    - attack.execution
    - attack.t1204
    - attack.t1059.007
    - attack.command-and-control
    - attack.t1105
logsource:
    category: file_event
    product: windows
detection:
    selection_path:
        TargetFilename|contains:
            - '\deno\gen\'
            - '\deno\remote\https\'
        TargetFilename|contains|all:
            - ':\Users\'
            - '\AppData\'
    condition: selection_path
falsepositives:
    - Legitimate usage of deno to request a file or bring a DLL to a host
level: low
low Moderate High FP
Suspicious Execution of Hostname
Detects execution of hostname.exe to retrieve the local computer name.
status test author frack113 ATT&CK technique id 7be5fb68-f9ef-476d-8b51-0256ebece19e
carbon_black query
Image:\\HOSTNAME.EXE
view Sigma YAML
title: Suspicious Execution of Hostname
id: 7be5fb68-f9ef-476d-8b51-0256ebece19e
status: test
description: Detects execution of hostname.exe to retrieve the local computer name.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-6---hostname-discovery-windows
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/hostname
author: frack113
date: 2022-01-01
tags:
    - attack.discovery
    - attack.t1082
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\HOSTNAME.EXE'
    condition: selection
falsepositives:
    - Unknown
level: low
low Moderate High FP
Suspicious Execution of Systeminfo
Detects usage of the "systeminfo" command to retrieve information
status test author frack113 ATT&CK technique id 0ef56343-059e-4cb6-adc1-4c3c967c5e46
carbon_black query
Image:\\systeminfo.exe OR OriginalFileName:sysinfo.exe
view Sigma YAML
title: Suspicious Execution of Systeminfo
id: 0ef56343-059e-4cb6-adc1-4c3c967c5e46
status: test
description: Detects usage of the "systeminfo" command to retrieve information
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-1---system-information-discovery
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo
author: frack113
date: 2022-01-01
modified: 2022-07-14
tags:
    - attack.discovery
    - attack.t1082
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\systeminfo.exe'
        - OriginalFileName: 'sysinfo.exe'
    condition: selection
falsepositives:
    - Unknown
level: low
low Moderate High FP
Suspicious File Access to Browser Credential Storage
Detects file access to browser credential storage paths by non-browser processes, which may indicate credential access attempts. Adversaries may attempt to access browser credential storage to extract sensitive information such as usernames, passwords or cookies. This behavior is commonly observed in credential-stealing malware.
status experimental author frack113, X__Junior (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems), Parth-FourCore ATT&CK sub-technique id a1dfd976-4852-41d4-9507-dc6590a3ccd0
carbon_black query
((FileName:\\Sputnik\\Sputnik* OR FileName:\\MapleStudio\\ChromePlus* OR FileName:\\QIP\ Surf* OR FileName:\\BlackHawk* OR FileName:\\7Star\\7Star* OR FileName:\\CatalinaGroup\\Citrio* OR FileName:\\Google\\Chrome* OR FileName:\\Coowon\\Coowon* OR FileName:\\CocCoc\\Browser* OR FileName:\\uCozMedia\\Uran* OR FileName:\\Tencent\\QQBrowser* OR FileName:\\Orbitum* OR FileName:\\Slimjet* OR FileName:\\Iridium* OR FileName:\\Vivaldi* OR FileName:\\Chromium* OR FileName:\\GhostBrowser* OR FileName:\\CentBrowser* OR FileName:\\Xvast* OR FileName:\\Chedot* OR FileName:\\SuperBird* OR FileName:\\360Browser\\Browser* OR FileName:\\360Chrome\\Chrome* OR FileName:\\Comodo\\Dragon* OR FileName:\\BraveSoftware\\Brave\-Browser* OR FileName:\\Torch* OR FileName:\\UCBrowser\\* OR FileName:\\Blisk* OR FileName:\\Epic\ Privacy\ Browser* OR FileName:\\Nichrome* OR FileName:\\Amigo* OR FileName:\\Kometa* OR FileName:\\Xpom* OR FileName:\\Microsoft\\Edge* OR FileName:\\Liebao7Default\\EncryptedStorage* OR FileName:\\AVAST\ Software\\Browser* OR FileName:\\Kinza* OR FileName:\\Mozilla\\SeaMonkey\\* OR FileName:\\Comodo\\IceDragon\\* OR FileName:\\8pecxstudios\\Cyberfox\\* OR FileName:\\FlashPeak\\SlimBrowser\\* OR FileName:\\Moonchild\ Productions\\Pale\ Moon\\*) (FileName:\\Profiles\\* OR FileName:\\User\ Data*) ((FileName:\\Login\ Data* OR FileName:\\Cookies* OR FileName:\\EncryptedStorage* OR FileName:\\WebCache\\*) OR (FileName:cert9.db OR FileName:cookies.sqlite OR FileName:formhistory.sqlite OR FileName:key3.db OR FileName:key4.db OR FileName:Login\ Data.sqlite OR FileName:logins.json OR FileName:places.sqlite))) (-((Image:\\Sputnik.exe OR Image:\\ChromePlus.exe OR Image:\\QIP\ Surf.exe OR Image:\\BlackHawk.exe OR Image:\\7Star.exe OR Image:\\Sleipnir5.exe OR Image:\\Citrio.exe OR Image:\\Chrome\ SxS.exe OR Image:\\Chrome.exe OR Image:\\Coowon.exe OR Image:\\CocCocBrowser.exe OR Image:\\Uran.exe OR Image:\\QQBrowser.exe OR Image:\\Orbitum.exe OR Image:\\Slimjet.exe OR 
Image:\\Iridium.exe OR Image:\\Vivaldi.exe OR Image:\\Chromium.exe OR Image:\\GhostBrowser.exe OR Image:\\CentBrowser.exe OR Image:\\Xvast.exe OR Image:\\Chedot.exe OR Image:\\SuperBird.exe OR Image:\\360Browser.exe OR Image:\\360Chrome.exe OR Image:\\dragon.exe OR Image:\\brave.exe OR Image:\\torch.exe OR Image:\\UCBrowser.exe OR Image:\\BliskBrowser.exe OR Image:\\Epic\ Privacy\ Browser.exe OR Image:\\nichrome.exe OR Image:\\AmigoBrowser.exe OR Image:\\KometaBrowser.exe OR Image:\\XpomBrowser.exe OR Image:\\msedge.exe OR Image:\\LiebaoBrowser.exe OR Image:\\AvastBrowser.exe OR Image:\\Kinza.exe OR Image:\\seamonkey.exe OR Image:\\icedragon.exe OR Image:\\cyberfox.exe OR Image:\\SlimBrowser.exe OR Image:\\palemoon.exe) OR (Image:\\Sputnik\\* OR Image:\\MapleStudio\\* OR Image:\\QIP\ Surf\\* OR Image:\\BlackHawk\\* OR Image:\\7Star\\* OR Image:\\Fenrir\ Inc\\* OR Image:\\CatalinaGroup\\* OR Image:\\Google\\* OR Image:\\Coowon\\* OR Image:\\CocCoc\\* OR Image:\\uCozMedia\\* OR Image:\\Tencent\\* OR Image:\\Orbitum\\* OR Image:\\Slimjet\\* OR Image:\\Iridium\\* OR Image:\\Vivaldi\\* OR Image:\\Chromium\\* OR Image:\\GhostBrowser\\* OR Image:\\CentBrowser\\* OR Image:\\Xvast\\* OR Image:\\Chedot\\* OR Image:\\SuperBird\\* OR Image:\\360Browser\\* OR Image:\\360Chrome\\* OR Image:\\Comodo\\* OR Image:\\BraveSoftware\\* OR Image:\\Torch\\* OR Image:\\UCBrowser\\* OR Image:\\Blisk\\* OR Image:\\Epic\ Privacy\ Browser\\* OR Image:\\Nichrome\\* OR Image:\\Amigo\\* OR Image:\\Kometa\\* OR Image:\\Xpom\\* OR Image:\\Microsoft\\* OR Image:\\Liebao7\\* OR Image:\\AVAST\ Software\\* OR Image:\\Kinza\\* OR Image:\\Mozilla\\* OR Image:\\8pecxstudios\\* OR Image:\\FlashPeak\\* OR Image:\\Moonchild\ Productions\\*) OR (Image:System ParentImage:Idle) OR (Image:C\:\\Program\ Files\\* OR Image:C\:\\Program\ Files\ \(x86\)\\* OR Image:C\:\\Windows\\System32\\* OR Image:C\:\\Windows\\SysWOW64\\*))) (-((Image:\\Microsoft\\Windows\ Defender\\* (Image:\\MpCopyAccelerator.exe OR 
Image:\\MsMpEng.exe)) OR (Image:\\thor.exe OR Image:\\thor64.exe) OR ParentImage:C\:\\Windows\\System32\\msiexec.exe OR Image:\\everything.exe))
view Sigma YAML
title: Suspicious File Access to Browser Credential Storage
id: a1dfd976-4852-41d4-9507-dc6590a3ccd0
status: experimental
description: |
    Detects file access to browser credential storage paths by non-browser processes, which may indicate credential access attempts.
    Adversaries may attempt to access browser credential storage to extract sensitive information such as usernames and passwords or cookies.
    This behavior is commonly observed in credential-stealing malware.
references:
    - https://github.com/splunk/security_content/blob/7283ba3723551f46b69dfeb23a63b358afb2cb0e/lookups/browser_app_list.csv?plain=1
    - https://fourcore.io/blogs/threat-hunting-browser-credential-stealing
author: frack113, X__Junior (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems), Parth-FourCore
date: 2025-05-22
tags:
    - attack.credential-access
    - attack.t1555.003
    - attack.discovery
    - attack.t1217
logsource:
    category: file_access
    product: windows
detection:
    selection_browser_paths:
        FileName|contains:
            - '\Sputnik\Sputnik'
            - '\MapleStudio\ChromePlus'
            - '\QIP Surf'
            - '\BlackHawk'
            - '\7Star\7Star'
            - '\CatalinaGroup\Citrio'
            - '\Google\Chrome'
            - '\Coowon\Coowon'
            - '\CocCoc\Browser'
            - '\uCozMedia\Uran'
            - '\Tencent\QQBrowser'
            - '\Orbitum'
            - '\Slimjet'
            - '\Iridium'
            - '\Vivaldi'
            - '\Chromium'
            - '\GhostBrowser'
            - '\CentBrowser'
            - '\Xvast'
            - '\Chedot'
            - '\SuperBird'
            - '\360Browser\Browser'
            - '\360Chrome\Chrome'
            - '\Comodo\Dragon'
            - '\BraveSoftware\Brave-Browser'
            - '\Torch'
            - '\UCBrowser\'
            - '\Blisk'
            - '\Epic Privacy Browser'
            - '\Nichrome'
            - '\Amigo'
            - '\Kometa'
            - '\Xpom'
            - '\Microsoft\Edge'
            - '\Liebao7Default\EncryptedStorage'
            - '\AVAST Software\Browser'
            - '\Kinza'
            - '\Mozilla\SeaMonkey\'
            - '\Comodo\IceDragon\'
            - '\8pecxstudios\Cyberfox\'
            - '\FlashPeak\SlimBrowser\'
            - '\Moonchild Productions\Pale Moon\'
    selection_browser_subpaths:
        FileName|contains:
            - '\Profiles\'
            - '\User Data'
    selection_cred_files:
        - FileName|contains:
              - '\Login Data'
              - '\Cookies'
              - '\EncryptedStorage'
              - '\WebCache\'
        - FileName|endswith:
              - 'cert9.db'
              - 'cookies.sqlite'
              - 'formhistory.sqlite'
              - 'key3.db'
              - 'key4.db'
              - 'Login Data.sqlite'
              - 'logins.json'
              - 'places.sqlite'
    filter_main_img:
        Image|endswith:
            - '\Sputnik.exe'
            - '\ChromePlus.exe'
            - '\QIP Surf.exe'
            - '\BlackHawk.exe'
            - '\7Star.exe'
            - '\Sleipnir5.exe'
            - '\Citrio.exe'
            - '\Chrome SxS.exe'
            - '\Chrome.exe'
            - '\Coowon.exe'
            - '\CocCocBrowser.exe'
            - '\Uran.exe'
            - '\QQBrowser.exe'
            - '\Orbitum.exe'
            - '\Slimjet.exe'
            - '\Iridium.exe'
            - '\Vivaldi.exe'
            - '\Chromium.exe'
            - '\GhostBrowser.exe'
            - '\CentBrowser.exe'
            - '\Xvast.exe'
            - '\Chedot.exe'
            - '\SuperBird.exe'
            - '\360Browser.exe'
            - '\360Chrome.exe'
            - '\dragon.exe'
            - '\brave.exe'
            - '\torch.exe'
            - '\UCBrowser.exe'
            - '\BliskBrowser.exe'
            - '\Epic Privacy Browser.exe'
            - '\nichrome.exe'
            - '\AmigoBrowser.exe'
            - '\KometaBrowser.exe'
            - '\XpomBrowser.exe'
            - '\msedge.exe'
            - '\LiebaoBrowser.exe'
            - '\AvastBrowser.exe'
            - '\Kinza.exe'
            - '\seamonkey.exe'
            - '\icedragon.exe'
            - '\cyberfox.exe'
            - '\SlimBrowser.exe'
            - '\palemoon.exe'
    filter_main_path:
        Image|contains:
            - '\Sputnik\'
            - '\MapleStudio\'
            - '\QIP Surf\'
            - '\BlackHawk\'
            - '\7Star\'
            - '\Fenrir Inc\'
            - '\CatalinaGroup\'
            - '\Google\'
            - '\Coowon\'
            - '\CocCoc\'
            - '\uCozMedia\'
            - '\Tencent\'
            - '\Orbitum\'
            - '\Slimjet\'
            - '\Iridium\'
            - '\Vivaldi\'
            - '\Chromium\'
            - '\GhostBrowser\'
            - '\CentBrowser\'
            - '\Xvast\'
            - '\Chedot\'
            - '\SuperBird\'
            - '\360Browser\'
            - '\360Chrome\'
            - '\Comodo\'
            - '\BraveSoftware\'
            - '\Torch\'
            - '\UCBrowser\'
            - '\Blisk\'
            - '\Epic Privacy Browser\'
            - '\Nichrome\'
            - '\Amigo\'
            - '\Kometa\'
            - '\Xpom\'
            - '\Microsoft\'
            - '\Liebao7\'
            - '\AVAST Software\'
            - '\Kinza\'
            - '\Mozilla\'
            - '\8pecxstudios\'
            - '\FlashPeak\'
            - '\Moonchild Productions\'
    filter_main_system:
        Image: System
        ParentImage: Idle
    filter_main_generic:
        Image|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    filter_optional_defender:
        Image|contains: '\Microsoft\Windows Defender\'
        Image|endswith:
            - '\MpCopyAccelerator.exe'
            - '\MsMpEng.exe'
    filter_optional_thor:
        Image|endswith:
            - '\thor.exe'
            - '\thor64.exe'
    filter_optional_msiexec:
        ParentImage: 'C:\Windows\System32\msiexec.exe'
    filter_optional_other:
        Image|endswith: '\everything.exe'
    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Antivirus, Anti-Spyware, Anti-Malware Software
    - Legitimate software accessing browser data for synchronization or backup purposes.
    - Legitimate software installed on partitions other than "C:\"
level: low
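As an added example, not code from the Sigma corpus or from this page: the condition `all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*` implemented in Python with a subset of each list from the YAML above, run over constructed file_access events (user, paths and image names are made up). It shows the stealer-from-Temp case the rule is written for, the two filter classes excusing chrome.exe and the THOR scanner, and two limits that follow directly from the lists as printed: filter_main_generic excuses any image under C:\Program Files\, and \Mozilla\Firefox\ is not in selection_browser_paths, so a read of a Firefox logins.json does not match.

```python
"""Added example (not from the Sigma corpus or this page): the browser
credential storage rule's condition, evaluated over constructed file_access
events. Only a subset of each list in the YAML above is reproduced."""


def contains_any(value, needles):
    """Sigma 'contains' over a list: case-insensitive OR."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def endswith_any(value, needles):
    v = value.lower()
    return any(v.endswith(n.lower()) for n in needles)


def startswith_any(value, needles):
    v = value.lower()
    return any(v.startswith(n.lower()) for n in needles)


# Subsets of the rule's lists (the full lists are in the YAML above).
BROWSER_PATHS = ["\\Google\\Chrome", "\\Microsoft\\Edge",
                 "\\BraveSoftware\\Brave-Browser", "\\Mozilla\\SeaMonkey\\"]
BROWSER_SUBPATHS = ["\\Profiles\\", "\\User Data"]
CRED_FILE_CONTAINS = ["\\Login Data", "\\Cookies", "\\EncryptedStorage", "\\WebCache\\"]
CRED_FILE_ENDSWITH = ["cert9.db", "cookies.sqlite", "key4.db", "logins.json", "places.sqlite"]
BROWSER_IMAGES = ["\\Chrome.exe", "\\msedge.exe", "\\brave.exe", "\\seamonkey.exe"]
BROWSER_IMAGE_DIRS = ["\\Google\\", "\\Microsoft\\", "\\BraveSoftware\\", "\\Mozilla\\"]
GENERIC_DIRS = ["C:\\Program Files\\", "C:\\Program Files (x86)\\",
                "C:\\Windows\\System32\\", "C:\\Windows\\SysWOW64\\"]


def all_selections(e):
    """all of selection_*: browser path AND profile subpath AND credential file."""
    f = e["FileName"]
    return (contains_any(f, BROWSER_PATHS)
            and contains_any(f, BROWSER_SUBPATHS)
            and (contains_any(f, CRED_FILE_CONTAINS) or endswith_any(f, CRED_FILE_ENDSWITH)))


def any_filter_main(e):
    """1 of filter_main_*: the browser itself, vendor dirs, System, or OS/program dirs."""
    img, parent = e["Image"], e.get("ParentImage", "")
    return (endswith_any(img, BROWSER_IMAGES)
            or contains_any(img, BROWSER_IMAGE_DIRS)
            or (img.lower() == "system" and parent.lower() == "idle")
            or startswith_any(img, GENERIC_DIRS))


def any_filter_optional(e):
    """1 of filter_optional_*: Defender engine, THOR, msiexec children, Everything."""
    img, parent = e["Image"], e.get("ParentImage", "")
    return ((contains_any(img, ["\\Microsoft\\Windows Defender\\"])
             and endswith_any(img, ["\\MpCopyAccelerator.exe", "\\MsMpEng.exe"]))
            or endswith_any(img, ["\\thor.exe", "\\thor64.exe"])
            or parent.lower() == "c:\\windows\\system32\\msiexec.exe"
            or endswith_any(img, ["\\everything.exe"]))


def rule_fires(e):
    return all_selections(e) and not any_filter_main(e) and not any_filter_optional(e)


CHROME_LOGIN_DATA = "C:\\Users\\jdoe\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
FIREFOX_LOGINS = ("C:\\Users\\jdoe\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\"
                  "k3x1q7.default-release\\logins.json")
TEMP_STEALER = "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe"
EXPLORER = "C:\\Windows\\explorer.exe"

# Constructed events (hypothetical user, paths and binaries, not captured telemetry).
SAMPLE_EVENTS = {
    "stealer_from_temp": {"Image": TEMP_STEALER, "ParentImage": EXPLORER, "FileName": CHROME_LOGIN_DATA},
    "chrome_itself": {"Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
                      "ParentImage": EXPLORER, "FileName": CHROME_LOGIN_DATA},
    "thor_scanner": {"Image": "C:\\Tools\\thor64.exe",
                     "ParentImage": "C:\\Windows\\System32\\cmd.exe", "FileName": CHROME_LOGIN_DATA},
    # Two limits of the rule as printed: anything under Program Files is excused by
    # filter_main_generic, and a Firefox profile is not in selection_browser_paths.
    "stealer_in_program_files": {"Image": "C:\\Program Files\\Common Files\\svc.exe",
                                 "ParentImage": EXPLORER, "FileName": CHROME_LOGIN_DATA},
    "stealer_reading_firefox": {"Image": TEMP_STEALER, "ParentImage": EXPLORER, "FileName": FIREFOX_LOGINS},
}


def evaluate(events=SAMPLE_EVENTS):
    return {name: rule_fires(ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"{name:26s} {'ALERT' if fired else 'no alert'}")
```

When tuning, treat the location-based filters as the part to watch: they keep the rule quiet, but a binary written to a whitelisted directory is excused by path alone, so pair this rule with write-to-Program-Files detections rather than widening the filters further.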
low Moderate High FP
Suspicious GPO Discovery With Get-GPO
Detects use of the Get-GPO cmdlet to retrieve one or all Group Policy Objects in a domain.
status test author frack113 ATT&CK technique id eb2fd349-ec67-4caa-9143-d79c7fb34441
carbon_black query
ScriptBlockText:Get\-GPO*
view Sigma YAML
title: Suspicious GPO Discovery With Get-GPO
id: eb2fd349-ec67-4caa-9143-d79c7fb34441
status: test
description: Detects use of the Get-GPO cmdlet to retrieve one or all Group Policy Objects in a domain.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md
    - https://learn.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps
author: frack113
date: 2022-06-04
tags:
    - attack.discovery
    - attack.t1615
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains: Get-GPO
    condition: selection
falsepositives:
    - Legitimate PowerShell scripts
level: low
low Moderate High FP
Suspicious Get Information for SMB Share
Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
status test author frack113 ATT&CK sub-technique id 95f0643a-ed40-467c-806b-aac9542ec5ab
carbon_black query
ScriptBlockText:get\-smbshare*
view Sigma YAML
title: Suspicious Get Information for SMB Share
id: 95f0643a-ed40-467c-806b-aac9542ec5ab
status: test
description: |
    Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as
    a precursor for Collection and to identify potential systems of interest for Lateral Movement.
    Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md
author: frack113
date: 2021-12-15
modified: 2022-12-25
tags:
    - attack.discovery
    - attack.t1069.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains: get-smbshare
    condition: selection
falsepositives:
    - Unknown
level: low
low Moderate High FP
Suspicious Get Information for SMB Share - PowerShell Module
Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
status test author frack113 ATT&CK sub-technique id 6942bd25-5970-40ab-af49-944247103358
carbon_black query
Payload:get\-smbshare* OR ContextInfo:get\-smbshare*
view Sigma YAML
title: Suspicious Get Information for SMB Share - PowerShell Module
id: 6942bd25-5970-40ab-af49-944247103358
status: test
description: |
    Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and
    to identify potential systems of interest for Lateral Movement.
    Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md
author: frack113
date: 2021-12-15
modified: 2022-12-02
tags:
    - attack.discovery
    - attack.t1069.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection:
        - Payload|contains: get-smbshare
        - ContextInfo|contains: get-smbshare
    condition: selection
falsepositives:
    - Administrator script
level: low
low Moderate High FP
Suspicious Get Local Groups Information
Detects the use of PowerShell modules and cmdlets to gather local group information. Adversaries may use local system permission groups to determine which groups exist and which users belong to a particular group such as the local administrators group.
status test author frack113 ATT&CK sub-technique id cef24b90-dddc-4ae1-a09a-8764872f69fc
carbon_black query
((Payload:get\-localgroup\ * OR Payload:get\-localgroupmember\ *) OR (ContextInfo:get\-localgroup\ * OR ContextInfo:get\-localgroupmember\ *)) OR (((Payload:get\-wmiobject\ * OR Payload:gwmi\ * OR Payload:get\-ciminstance\ * OR Payload:gcim\ *) OR (ContextInfo:get\-wmiobject\ * OR ContextInfo:gwmi\ * OR ContextInfo:get\-ciminstance\ * OR ContextInfo:gcim\ *)) (Payload:win32_group* OR ContextInfo:win32_group*))
view Sigma YAML
title: Suspicious Get Local Groups Information
id: cef24b90-dddc-4ae1-a09a-8764872f69fc
related:
    - id: fa6a5a45-3ee2-4529-aa14-ee5edc9e29cb
      type: similar
status: test
description: |
    Detects the use of PowerShell modules and cmdlets to gather local group information.
    Adversaries may use local system permission groups to determine which groups exist and which users belong to a particular group such as the local administrators group.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md
author: frack113
date: 2021-12-12
modified: 2025-08-22
tags:
    - attack.discovery
    - attack.t1069.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_localgroup:
        - Payload|contains:
              - 'get-localgroup '
              - 'get-localgroupmember '
        - ContextInfo|contains:
              - 'get-localgroup '
              - 'get-localgroupmember '
    selection_wmi_module:
        - Payload|contains:
              - 'get-wmiobject '
              - 'gwmi '
              - 'get-ciminstance '
              - 'gcim '
        - ContextInfo|contains:
              - 'get-wmiobject '
              - 'gwmi '
              - 'get-ciminstance '
              - 'gcim '
    selection_wmi_class:
        - Payload|contains: 'win32_group'
        - ContextInfo|contains: 'win32_group'
    condition: selection_localgroup or all of selection_wmi_*
falsepositives:
    - Administrator script
level: low
low Strong High FP
Suspicious Get Local Groups Information - PowerShell
Detects the use of PowerShell modules and cmdlets to gather local group information. Adversaries may use local system permission groups to determine which groups exist and which users belong to a particular group such as the local administrators group.
status test author frack113 ATT&CK sub-technique id fa6a5a45-3ee2-4529-aa14-ee5edc9e29cb
carbon_black query
(ScriptBlockText:get\-localgroup\ * OR ScriptBlockText:get\-localgroupmember\ *) OR ((ScriptBlockText:get\-wmiobject\ * OR ScriptBlockText:gwmi\ * OR ScriptBlockText:get\-ciminstance\ * OR ScriptBlockText:gcim\ *) ScriptBlockText:win32_group*)
view Sigma YAML
title: Suspicious Get Local Groups Information - PowerShell
id: fa6a5a45-3ee2-4529-aa14-ee5edc9e29cb
related:
    - id: cef24b90-dddc-4ae1-a09a-8764872f69fc
      type: similar
status: test
description: |
    Detects the use of PowerShell modules and cmdlets to gather local group information.
    Adversaries may use local system permission groups to determine which groups exist and which users belong to a particular group such as the local administrators group.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md
author: frack113
date: 2021-12-12
modified: 2025-08-22
tags:
    - attack.discovery
    - attack.t1069.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_localgroup:
        ScriptBlockText|contains:
            - 'get-localgroup '
            - 'get-localgroupmember '
    selection_wmi_module:
        ScriptBlockText|contains:
            - 'get-wmiobject '
            - 'gwmi '
            - 'get-ciminstance '
            - 'gcim '
    selection_wmi_class:
        ScriptBlockText|contains: 'win32_group' # Covers both win32_group and win32_groupuser
    condition: selection_localgroup or all of selection_wmi_*
falsepositives:
    - Inventory scripts or admin tasks
level: low
low Moderate Medium FP
Suspicious Inbox Forwarding
Detects a Microsoft Cloud App Security alert for suspicious email forwarding rules, for example a user creating an inbox rule that forwards a copy of all emails to an external address.
status test author Austin Songer @austinsonger ATT&CK technique id 6c220477-0b5b-4b25-bb90-66183b4089e8
carbon_black query
eventSource:SecurityComplianceCenter eventName:Suspicious\ inbox\ forwarding status:success
view Sigma YAML
title: Suspicious Inbox Forwarding
id: 6c220477-0b5b-4b25-bb90-66183b4089e8
status: test
description: Detects a Microsoft Cloud App Security alert for suspicious email forwarding rules, for example a user creating an inbox rule that forwards a copy of all emails to an external address.
references:
    - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
    - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
author: Austin Songer @austinsonger
date: 2021-08-22
modified: 2022-10-09
tags:
    - attack.exfiltration
    - attack.t1020
logsource:
    service: threat_management
    product: m365
detection:
    selection:
        eventSource: SecurityComplianceCenter
        eventName: 'Suspicious inbox forwarding'
        status: success
    condition: selection
falsepositives:
    - Unknown
level: low
low Moderate High FP
Suspicious Mount-DiskImage
Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.
status test author frack113 ATT&CK sub-technique id 29e1c216-6408-489d-8a06-ee9d151ef819
carbon_black query
ScriptBlockText:Mount\-DiskImage\ * ScriptBlockText:\-ImagePath\ *
view Sigma YAML
title: Suspicious Mount-DiskImage
id: 29e1c216-6408-489d-8a06-ee9d151ef819
status: test
description: Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image
    - https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps
author: frack113
date: 2022-02-01
tags:
    - attack.defense-impairment
    - attack.t1553.005
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'Mount-DiskImage '
            - '-ImagePath '
    condition: selection
falsepositives:
    - Legitimate PowerShell scripts
level: low
low Moderate High FP
Suspicious Network Command
Adversaries may look for details about the network configuration and settings of systems they access, or obtain them through information discovery of remote systems.
status test author frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' ATT&CK technique id a29c1813-ab1f-4dde-b489-330b952e91ae
carbon_black query
CommandLine:ipconfig\\s+/all OR CommandLine:netsh\\s+interface show interface OR CommandLine:arp\\s+-a OR CommandLine:nbtstat\\s+-n OR CommandLine:net\\s+config OR CommandLine:route\\s+print
view Sigma YAML
title: Suspicious Network Command
id: a29c1813-ab1f-4dde-b489-330b952e91ae
status: test
description: Adversaries may look for details about the network configuration and settings of systems they access, or obtain them through information discovery of remote systems.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-1---system-network-configuration-discovery-on-windows
author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
date: 2021-12-07
modified: 2025-10-19
tags:
    - attack.discovery
    - attack.t1016
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|re:
            - 'ipconfig\s+/all'
            - 'netsh\s+interface show interface'
            - 'arp\s+-a'
            - 'nbtstat\s+-n'
            - 'net\s+config'
            - 'route\s+print'
    condition: selection
falsepositives:
    - Administrators, or helpdesk staff asking a user to run these commands
level: low
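As an added example, not code from the Sigma corpus or from this page: the six CommandLine|re patterns above run over constructed command lines in Python. Sigma's re modifier is case-sensitive unless the i sub-modifier is used, so the block evaluates each line both ways. It also shows two consequences of the patterns as written: the single fixed spaces inside the netsh pattern leave a double-spaced netsh invocation unmatched, and route\s+print needs the bare command name, so route.exe print does not match.

```python
"""Added example (not from the Sigma corpus or this page): the
'Suspicious Network Command' CommandLine|re patterns applied to constructed
process command lines, with and without case folding."""
import re

# Patterns exactly as listed in the rule.
NETWORK_DISCOVERY_PATTERNS = (
    r"ipconfig\s+/all",
    r"netsh\s+interface show interface",
    r"arp\s+-a",
    r"nbtstat\s+-n",
    r"net\s+config",
    r"route\s+print",
)

# Sigma's 're' modifier is case-sensitive unless the 'i' sub-modifier is used.
CASE_SENSITIVE = [re.compile(p) for p in NETWORK_DISCOVERY_PATTERNS]
CASE_FOLDED = [re.compile(p, re.IGNORECASE) for p in NETWORK_DISCOVERY_PATTERNS]


def matches(command_line, fold_case=False):
    """Unanchored search, as Sigma 're' is a search rather than a full match."""
    patterns = CASE_FOLDED if fold_case else CASE_SENSITIVE
    return any(p.search(command_line) for p in patterns)


# Constructed command lines (not captured telemetry).
SAMPLE_COMMAND_LINES = {
    "ipconfig_double_space": "ipconfig  /all",
    "ipconfig_upper": "IPCONFIG /ALL",
    "net_config_workstation": "net config workstation",
    "netsh_double_space": "netsh interface  show interface",
    "route_exe_full_path": "C:\\Windows\\System32\\route.exe print",
    "unrelated": "ping -n 1 dc01.corp.example",
}


def evaluate(fold_case=False, samples=SAMPLE_COMMAND_LINES):
    return {name: matches(cl, fold_case) for name, cl in samples.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:24s} {'match' if hit else 'no match'}")
```

Before deploying the rendered query, check how your Carbon Black instance treats regular expressions and letter case in CommandLine searches; if either differs from Sigma's semantics, the "ipconfig_upper" case in this block is the first one to re-test.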
low Moderate High FP
Suspicious Network Communication With IPFS
Detects connections to the InterPlanetary File System (IPFS) gateway ipfs.io whose URL contains a user's email address, which mirrors behaviour observed in recent phishing campaigns that use IPFS to host credential harvesting pages.
status test author Gavin Knapp ATT&CK technique id eb6c2004-1cef-427f-8885-9042974e5eb6
carbon_black query
"cs-uri":(?i)(ipfs\\.io/|ipfs\\.io\\s).+\\..+@.+\\.[a-z]+
view Sigma YAML
title: Suspicious Network Communication With IPFS
id: eb6c2004-1cef-427f-8885-9042974e5eb6
status: test
description: Detects connections to the InterPlanetary File System (IPFS) gateway ipfs.io whose URL contains a user's email address, which mirrors behaviour observed in recent phishing campaigns that use IPFS to host credential harvesting pages.
references:
    - https://blog.talosintelligence.com/ipfs-abuse/
    - https://github.com/Cisco-Talos/IOCs/tree/80caca039988252fbb3f27a2e89c2f2917f582e0/2022/11
    - https://isc.sans.edu/diary/IPFS%20phishing%20and%20the%20need%20for%20correctly%20set%20HTTP%20security%20headers/29638
author: Gavin Knapp
date: 2023-03-16
tags:
    - attack.collection
    - attack.credential-access
    - attack.t1056
logsource:
    category: proxy
detection:
    selection:
        cs-uri|re: '(?i)(ipfs\.io/|ipfs\.io\s).+\..+@.+\.[a-z]+'
    condition: selection
falsepositives:
    - Legitimate use of IPFS in the organisation; however, the cs-uri regex requiring an email address in the URL will likely negate this.
level: low
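As an added example, not code from the Sigma corpus or from this page: the cs-uri regex above run over constructed proxy URIs in Python (the CID and addresses are placeholders). The rule needs a literal @ in the logged URI, so the block also tries a percent-decoding step, which is an assumption of this example and not part of the rule, to catch jdoe%40corp.example. It further shows that only ipfs.io is matched, and that any path with a dotted token before an @ and a dotted suffix after it matches whether or not it is an email address.

```python
"""Added example (not from the Sigma corpus or this page): the IPFS rule's
cs-uri regex applied to constructed proxy URIs, plus a percent-decoding
step (an assumption, not part of the rule) so that an encoded '@' is seen."""
import re
from urllib.parse import unquote

# The regex exactly as it appears in the rule.
IPFS_EMAIL_RE = re.compile(r"(?i)(ipfs\.io/|ipfs\.io\s).+\..+@.+\.[a-z]+")


def rule_matches(cs_uri):
    """The rule as written: a literal '@' must be present in the logged URI."""
    return IPFS_EMAIL_RE.search(cs_uri) is not None


def rule_matches_decoded(cs_uri):
    """Added variant: percent-decode first so 'jdoe%40corp.example' also matches."""
    return rule_matches(unquote(cs_uri))


# Constructed URIs; the CID is a placeholder, not a real IPFS object.
CID = "bafybeiexamplecid"
SAMPLE_URIS = {
    "fragment_email": f"https://ipfs.io/ipfs/{CID}/index.html#jdoe@corp.example",
    "query_email_encoded": f"https://ipfs.io/ipfs/{CID}/login.html?email=jdoe%40corp.example",
    "other_gateway": f"https://cloudflare-ipfs.com/ipfs/{CID}/index.html#jdoe@corp.example",
    "cid_only": f"https://ipfs.io/ipfs/{CID}/readme",
    # Not an email, but satisfies '.+\..+@.+\.[a-z]+' all the same.
    "version_suffix_not_email": f"https://ipfs.io/ipfs/{CID}/pkg/lodash.min@4.17.21.js",
}


def evaluate(decode=False, samples=SAMPLE_URIS):
    check = rule_matches_decoded if decode else rule_matches
    return {name: check(uri) for name, uri in samples.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:26s} {'match' if hit else 'no match'}")
```

Whether decoding is needed depends on how your proxy writes cs-uri: some products log the raw request line, others a normalised URL. Check one known sample from your own logs before deciding which variant to deploy.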
low Moderate High FP
Suspicious PowerShell Get Current User
Detects the use of PowerShell to identify the currently logged-on user.
status test author frack113 ATT&CK technique id 4096a49c-7de4-4da0-a230-c66ccd56ea5a
carbon_black query
ScriptBlockText:\[System.Environment\]\:\:UserName* OR ScriptBlockText:$env\:UserName* OR ScriptBlockText:\[System.Security.Principal.WindowsIdentity\]\:\:GetCurrent\(\)*
view Sigma YAML
title: Suspicious PowerShell Get Current User
id: 4096a49c-7de4-4da0-a230-c66ccd56ea5a
status: test
description: Detects the use of PowerShell to identify the currently logged-on user.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-4---user-discovery-with-env-vars-powershell-script
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-5---getcurrent-user-with-powershell-script
author: frack113
date: 2022-04-04
tags:
    - attack.discovery
    - attack.t1033
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - '[System.Environment]::UserName'
            - '$env:UserName'
            - '[System.Security.Principal.WindowsIdentity]::GetCurrent()'
    condition: selection
falsepositives:
    - Legitimate PowerShell scripts
level: low
low Moderate High FP
Suspicious Process Discovery With Get-Process
Detects use of the Get-Process cmdlet to enumerate the processes running on the local computer.
status test author frack113 ATT&CK technique id af4c87ce-bdda-4215-b998-15220772e993
carbon_black query
ScriptBlockText:Get\-Process*
view Sigma YAML
title: Suspicious Process Discovery With Get-Process
id: af4c87ce-bdda-4215-b998-15220772e993
status: test
description: Detects use of the Get-Process cmdlet to enumerate the processes running on the local computer.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-3---process-discovery---get-process
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7.4
author: frack113
date: 2022-03-17
tags:
    - attack.discovery
    - attack.t1057
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains: Get-Process
    condition: selection
falsepositives:
    - Legitimate PowerShell scripts
level: low
level: low | quality: Moderate | est. alert volume: High FP
Suspicious Query of MachineGUID
Use of reg to get MachineGuid information
status: test | author: frack113 | ATT&CK mapping: technique | id: f5240972-3938-4e56-8e4b-e33893176c1f
carbon_black query
Image:\\reg.exe (CommandLine:SOFTWARE\\Microsoft\\Cryptography* CommandLine:\/v\ * CommandLine:MachineGuid*)
Sigma YAML
title: Suspicious Query of MachineGUID
id: f5240972-3938-4e56-8e4b-e33893176c1f
status: test
description: Use of reg to get MachineGuid information
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-8---windows-machineguid-discovery
author: frack113
date: 2022-01-01
tags:
    - attack.discovery
    - attack.t1082
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\reg.exe'
        CommandLine|contains|all:
            - 'SOFTWARE\Microsoft\Cryptography'
            - '/v '
            - 'MachineGuid'
    condition: selection
falsepositives:
    - Unknown
level: low
level: low | quality: Moderate | est. alert volume: High FP
Suspicious SSL Connection
Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol.
status: test | author: frack113 | ATT&CK mapping: technique | id: 195626f3-5f1b-4403-93b7-e6cfd4d6a078
carbon_black query
ScriptBlockText:System.Net.Security.SslStream* ScriptBlockText:Net.Security.RemoteCertificateValidationCallback* ScriptBlockText:.AuthenticateAsClient*
Sigma YAML
title: Suspicious SSL Connection
id: 195626f3-5f1b-4403-93b7-e6cfd4d6a078
status: test
description: Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1573/T1573.md#atomic-test-1---openssl-c2
    - https://medium.com/walmartglobaltech/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926
author: frack113
date: 2022-01-23
tags:
    - attack.command-and-control
    - attack.t1573
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - System.Net.Security.SslStream
            - Net.Security.RemoteCertificateValidationCallback
            - '.AuthenticateAsClient'
    condition: selection
falsepositives:
    - Legitimate administrative script
level: low
level: low | quality: Moderate | est. alert volume: High FP
Suspicious Where Execution
Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.
status: test | author: frack113, Nasreddine Bencherchali (Nextron Systems) | ATT&CK mapping: technique | id: 725a9768-0f5e-4cb3-aec2-bc5719c6831a
carbon_black query
(Image:\\where.exe OR OriginalFileName:where.exe) (CommandLine:places.sqlite* OR CommandLine:cookies.sqlite* OR CommandLine:formhistory.sqlite* OR CommandLine:logins.json* OR CommandLine:key4.db* OR CommandLine:key3.db* OR CommandLine:sessionstore.jsonlz4* OR CommandLine:History* OR CommandLine:Bookmarks* OR CommandLine:Cookies* OR CommandLine:Login\ Data*)
Sigma YAML
title: Suspicious Where Execution
id: 725a9768-0f5e-4cb3-aec2-bc5719c6831a
status: test
description: |
    Adversaries may enumerate browser bookmarks to learn more about compromised hosts.
    Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about
    internal network resources such as servers, tools/dashboards, or other related infrastructure.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2021-12-13
modified: 2022-06-29
tags:
    - attack.discovery
    - attack.t1217
logsource:
    category: process_creation
    product: windows
detection:
    where_exe:
        - Image|endswith: '\where.exe'
        - OriginalFileName: 'where.exe'
    where_opt:
        CommandLine|contains:
            # Firefox Data
            - 'places.sqlite'
            - 'cookies.sqlite'
            - 'formhistory.sqlite'
            - 'logins.json'
            - 'key4.db'
            - 'key3.db'
            - 'sessionstore.jsonlz4'
            # Chrome Data
            - 'History'
            - 'Bookmarks'
            - 'Cookies'
            - 'Login Data'
    condition: all of where_*
falsepositives:
    - Unknown
level: low
level: low | quality: Moderate | est. alert volume: Medium FP
Sysinternals Tools AppX Versions Execution
Detects execution of Sysinternals tools via an AppX package. Attackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths.
status: test | author: Nasreddine Bencherchali (Nextron Systems) | ATT&CK mapping: tactic-only | id: d29a20b2-be4b-4827-81f2-3d8a59eab5fc
carbon_black query
EventID:201 (ImageName:procdump.exe OR ImageName:psloglist.exe OR ImageName:psexec.exe OR ImageName:livekd.exe OR ImageName:ADExplorer.exe)
Sigma YAML
title: Sysinternals Tools AppX Versions Execution
id: d29a20b2-be4b-4827-81f2-3d8a59eab5fc
status: test
description: |
    Detects execution of Sysinternals tools via an AppX package.
    Attackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths.
references:
    - https://learn.microsoft.com/en-us/sysinternals/downloads/microsoft-store
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-16
modified: 2023-09-12
tags:
    - attack.execution
    - attack.stealth
logsource:
    product: windows
    service: appmodel-runtime
detection:
    selection:
        EventID: 201
        ImageName:
            - 'procdump.exe'
            - 'psloglist.exe'
            - 'psexec.exe'
            - 'livekd.exe'
            - 'ADExplorer.exe'
    condition: selection
falsepositives:
    - Legitimate usage of sysinternals applications from the Windows Store will trigger this. Apply exclusions as needed.
level: low
level: low | quality: Moderate | est. alert volume: High FP
System Drawing DLL Load
Detects processes loading "System.Drawing.ni.dll". This could be an indicator of potential Screen Capture.
status: test | author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | ATT&CK mapping: technique | id: 666ecfc7-229d-42b8-821e-1a8f8cb7057c
carbon_black query
ImageLoaded:\\System.Drawing.ni.dll
Sigma YAML
title: System Drawing DLL Load
id: 666ecfc7-229d-42b8-821e-1a8f8cb7057c
status: test
description: Detects processes loading "System.Drawing.ni.dll". This could be an indicator of potential Screen Capture.
references:
    - https://github.com/OTRF/detection-hackathon-apt29/issues/16
    - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.A.1_3B4E5808-3C71-406A-B181-17B0CE3178C9.md
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2023-02-22
tags:
    - attack.collection
    - attack.t1113
    - detection.threat-hunting
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded|endswith: '\System.Drawing.ni.dll'
    condition: selection
falsepositives:
    - False positives are very common from system and third party applications, activity needs to be investigated. This rule is best correlated with other events to increase the level of suspiciousness
level: low
level: low | quality: Moderate | est. alert volume: Medium FP
System Info Discovery via Sysinfo Syscall
Detects use of the sysinfo system call in Linux, which provides a snapshot of key system statistics such as uptime, load averages, memory usage, and the number of running processes. Malware or reconnaissance tools might leverage sysinfo to fingerprint the system - gathering data to determine if it's a viable target.
status: experimental | author: Milad Cheraghi | ATT&CK mapping: technique | id: b207d563-a1d9-4275-b349-77d1eb55aa6d
carbon_black query
(type:SYSCALL SYSCALL:sysinfo) (-exe:\/bin\/splunkd)
Sigma YAML
title: System Info Discovery via Sysinfo Syscall
id: b207d563-a1d9-4275-b349-77d1eb55aa6d
status: experimental
description: |
    Detects use of the sysinfo system call in Linux, which provides a snapshot of key system statistics such as uptime, load averages, memory usage, and the number of running processes.
    Malware or reconnaissance tools might leverage sysinfo to fingerprint the system - gathering data to determine if it's a viable target.
references:
    - https://github.com/CheraghiMilad/bypass-Neo23x0-auditd-config/blob/f1c478a37911a5447d5ffcd580f22b167bf3df14/sysinfo-syscall/README.md
    - https://man7.org/linux/man-pages/man2/sysinfo.2.html
author: Milad Cheraghi
date: 2025-05-30
modified: 2025-12-05
tags:
    - attack.discovery
    - attack.t1057
    - attack.t1082
logsource:
    product: linux
    service: auditd
    definition: |
        Required auditd configuration:
        -a always,exit -F arch=b64 -S sysinfo -k discovery_sysinfo_syscall
        -a always,exit -F arch=b32 -S sysinfo -k discovery_sysinfo_syscall
detection:
    selection:
        type: 'SYSCALL'
        SYSCALL: 'sysinfo'
    filter_optional_splunk:
        exe|endswith: '/bin/splunkd'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Legitimate administrative activity
level: low
level: low | quality: Strong | est. alert volume: Medium FP
System Information Discovery - Auditd
Detects System Information Discovery commands
status: test | author: Pawel Mazur | ATT&CK mapping: technique | id: f34047d9-20d3-4e8b-8672-0a35cc50dc71
carbon_black query
(type:PATH (name:\/etc\/lsb\-release OR name:\/etc\/redhat\-release OR name:\/etc\/issue)) OR (type:EXECVE (a0:uname OR a0:uptime OR a0:lsmod OR a0:hostname OR a0:env)) OR (type:EXECVE a0:grep (a1:vbox* OR a1:vm* OR a1:xen* OR a1:virtio* OR a1:hv*)) OR (type:EXECVE a0:kmod a1:list)
Sigma YAML
title: System Information Discovery - Auditd
id: f34047d9-20d3-4e8b-8672-0a35cc50dc71
status: test
description: Detects System Information Discovery commands
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f296668303c29d3f4c07e42bdd2b28d8dd6625f9/atomics/T1082/T1082.md
author: Pawel Mazur
date: 2021-09-03
modified: 2023-03-06
tags:
    - attack.discovery
    - attack.t1082
logsource:
    product: linux
    service: auditd
detection:
    selection_1:
        type: PATH
        name:
            - /etc/lsb-release
            - /etc/redhat-release
            - /etc/issue
    selection_2:
        type: EXECVE
        a0:
            - uname
            - uptime
            - lsmod
            - hostname
            - env
    selection_3:
        type: EXECVE
        a0: grep
        a1|contains:
            - vbox
            - vm
            - xen
            - virtio
            - hv
    selection_4:
        type: EXECVE
        a0: kmod
        a1: list
    condition: 1 of selection_*
falsepositives:
    - Likely
level: low
level: low | quality: Strong | est. alert volume: High FP
System Information Discovery Via Wmic.EXE
Detects the use of the WMI command-line (WMIC) utility to identify and display various system information, including OS, CPU, GPU, disk drive names, memory capacity, display resolution, baseboard, BIOS, and GPU driver products/versions.
status: test | author: Joseliyo Sanchez, @Joseliyo_Jstnk | ATT&CK mapping: technique | id: d85ecdd7-b855-4e6e-af59-d9c78b5b861e
carbon_black query
((Description:WMI\ Commandline\ Utility OR OriginalFileName:wmic.exe OR Image:\\WMIC.exe) CommandLine:get* (CommandLine:baseboard* OR CommandLine:bios* OR CommandLine:cpu* OR CommandLine:diskdrive* OR CommandLine:logicaldisk* OR CommandLine:memphysical* OR CommandLine:os* OR CommandLine:path* OR CommandLine:startup* OR CommandLine:win32_videocontroller*) (CommandLine:caption* OR CommandLine:command* OR CommandLine:driverversion* OR CommandLine:maxcapacity* OR CommandLine:name* OR CommandLine:osarchitecture* OR CommandLine:product* OR CommandLine:size* OR CommandLine:smbiosbiosversion* OR CommandLine:version* OR CommandLine:videomodedescription*)) (-ParentCommandLine:\\VMware\\VMware\ Tools\\serviceDiscovery\\scripts\\*)
Sigma YAML
title: System Information Discovery Via Wmic.EXE
id: d85ecdd7-b855-4e6e-af59-d9c78b5b861e
related:
    - id: 9d5a1274-922a-49d0-87f3-8c653483b909
      type: derived
status: test
description: |
    Detects the use of the WMI command-line (WMIC) utility to identify and display various system information,
    including OS, CPU, GPU, disk drive names, memory capacity, display resolution, baseboard, BIOS,
    and GPU driver products/versions.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/a2ccd19c37d0278b4ffa8583add3cf52060a5418/atomics/T1082/T1082.md#atomic-test-25---system-information-discovery-with-wmic
    - https://nwgat.ninja/getting-system-information-with-wmic-on-windows/
    - https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar
    - https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/
    - https://app.any.run/tasks/a6aa0057-82ec-451f-8f99-55650ca537da/
    - https://www.virustotal.com/gui/file/d6f6bc10ae0e634ed4301d584f61418cee18e5d58ad9af72f8aa552dc4aaeca3/behavior
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-12-19
modified: 2024-01-15
tags:
    - attack.discovery
    - attack.t1082
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection_wmic:
        - Description: 'WMI Commandline Utility'
        - OriginalFileName: 'wmic.exe'
        - Image|endswith: '\WMIC.exe'
    selection_get:
        CommandLine|contains: 'get'
    selection_classes:
        CommandLine|contains:
            - 'baseboard'
            - 'bios'
            - 'cpu'
            - 'diskdrive'
            - 'logicaldisk'
            - 'memphysical'
            - 'os'
            - 'path'
            - 'startup'
            - 'win32_videocontroller'
    selection_attributes:
        CommandLine|contains:
            - 'caption'
            - 'command'
            - 'driverversion'
            - 'maxcapacity'
            - 'name'
            - 'osarchitecture'
            - 'product'
            - 'size'
            - 'smbiosbiosversion'
            - 'version'
            - 'videomodedescription'
    filter_optional_vmtools:
        ParentCommandLine|contains: '\VMware\VMware Tools\serviceDiscovery\scripts\'
    condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
    - VMWare Tools serviceDiscovery scripts
# Note: Might be upgraded to a medium-level detection rule after some time
level: low
level: low | quality: Strong | est. alert volume: High FP
System Information Discovery via Registry Queries
Detects attempts to query system information directly from the Windows Registry.
status: experimental | author: lazarg | ATT&CK mapping: technique | id: 0022869c-49f7-4ff2-ba03-85ac42ddac58
carbon_black query
((Image:\\reg.exe CommandLine:query* (CommandLine:\-v* OR CommandLine:\/v* OR CommandLine:–v* OR CommandLine:—v* OR CommandLine:―v*)) OR ((Image:\\powershell.exe OR Image:\\pwsh.exe) (CommandLine:Get\-ItemPropertyValue* OR CommandLine:gpv*))) (CommandLine:\\SOFTWARE\\Microsoft\\Windows\ Defender* OR CommandLine:\\SOFTWARE\\Microsoft\\Windows\ NT\\CurrentVersion* OR CommandLine:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall* OR CommandLine:\\SYSTEM\\CurrentControlSet\\Control\\TimeZoneInformation* OR CommandLine:\\SYSTEM\\CurrentControlSet\\Services*)
Sigma YAML
title: System Information Discovery via Registry Queries
id: 0022869c-49f7-4ff2-ba03-85ac42ddac58
status: experimental
description: Detects attempts to query system information directly from the Windows Registry.
references:
    - https://cert.gov.ua/article/6277849
    - https://github.com/redcanaryco/atomic-red-team/blob/75fa21076dcefa348a7521403cdd6bfc4e88623c/atomics/T1082/T1082.md
    - https://github.com/redcanaryco/atomic-red-team/blob/75fa21076dcefa348a7521403cdd6bfc4e88623c/atomics/T1124/T1124.md
author: lazarg
date: 2025-06-12
modified: 2025-10-25
tags:
    - attack.discovery
    - attack.t1082
logsource:
    category: process_creation
    product: windows
detection:
    selection_cmd_reg:
        Image|endswith: '\reg.exe'
        CommandLine|contains: 'query'
        CommandLine|contains|windash: '-v'
    selection_cmd_powershell:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains:
            - 'Get-ItemPropertyValue'
            - 'gpv'
    selection_keys:
        CommandLine|contains:
            - '\SOFTWARE\Microsoft\Windows Defender' # Details about defender state
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion' # Provides details about the OS
            - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' # Lists installed programs
            - '\SYSTEM\CurrentControlSet\Control\TimeZoneInformation' # Contains time zone details
            - '\SYSTEM\CurrentControlSet\Services' # Details about existing services
    condition: 1 of selection_cmd_* and selection_keys
falsepositives:
    - Unlikely
level: low
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_discovery_via_reg_queries/info.yml
simulation:
    - type: atomic-red-team
      name: System Information Discovery
      technique: T1010
      atomic_guid: 66703791-c902-4560-8770-42b8a91f7667
    - type: atomic-red-team
      name: Discover OS Product Name via Registry
      technique: T1082
      atomic_guid: be3b5fe3-a575-4fb8-83f6-ad4a68dd5ce7
    - type: atomic-red-team
      name: Discover OS Build Number via Registry
      technique: T1082
      atomic_guid: acfcd709-0013-4f1e-b9ee-bc1e7bafaaec
level: low | quality: Strong | est. alert volume: High FP
System Integrity Protection (SIP) Enumeration
Detects the use of csrutil to view the Configure System Integrity Protection (SIP) status. This technique is used in post-exploit scenarios.
status: test | author: Joseliyo Sanchez, @Joseliyo_Jstnk | ATT&CK mapping: sub-technique | id: 53821412-17b0-4147-ade0-14faae67d54b
carbon_black query
Image:\/csrutil CommandLine:status*
Sigma YAML
title: System Integrity Protection (SIP) Enumeration
id: 53821412-17b0-4147-ade0-14faae67d54b
status: test
description: |
    Detects the use of csrutil to view the Configure System Integrity Protection (SIP) status. This technique is used in post-exploit scenarios.
references:
    - https://ss64.com/osx/csrutil.html
    - https://objective-see.org/blog/blog_0x6D.html
    - https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/
    - https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2024-01-02
tags:
    - attack.discovery
    - attack.t1518.001
logsource:
    product: macos
    category: process_creation
detection:
    # VT Query: behavior_processes:"csrutil status" p:5+ type:mac
    selection:
        Image|endswith: '/csrutil'
        CommandLine|contains: 'status'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: low
level: low | quality: Strong | est. alert volume: High FP
System Network Connections Discovery - Linux
Detects usage of system utilities to discover system network connections
status: test | author: Daniil Yugoslavskiy, oscd.community | ATT&CK mapping: technique | id: 4c519226-f0cd-4471-bd2f-6fbb2bb68a79
carbon_black query
(Image:\/who OR Image:\/w OR Image:\/last OR Image:\/lsof OR Image:\/netstat) (-(ParentCommandLine:\/usr\/bin\/landscape\-sysinfo* Image:\/who))
Sigma YAML
title: System Network Connections Discovery - Linux
id: 4c519226-f0cd-4471-bd2f-6fbb2bb68a79
status: test
description: Detects usage of system utilities to discover system network connections
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md
author: Daniil Yugoslavskiy, oscd.community
date: 2020-10-19
modified: 2023-01-17
tags:
    - attack.discovery
    - attack.t1049
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith:
            - '/who'
            - '/w'
            - '/last'
            - '/lsof'
            - '/netstat'
    filter_landscape_sysinfo:
        ParentCommandLine|contains: '/usr/bin/landscape-sysinfo'
        Image|endswith: '/who'
    condition: selection and not 1 of filter_*
falsepositives:
    - Legitimate activities
level: low
level: low | quality: Moderate | est. alert volume: High FP
System Network Connections Discovery Via Net.EXE
Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
status: test | author: frack113 | ATT&CK mapping: technique | id: 1c67a717-32ba-409b-a45d-0fb704a73a81
carbon_black query
((Image:\\net.exe OR Image:\\net1.exe) OR (OriginalFileName:net.exe OR OriginalFileName:net1.exe)) ((CommandLine:\ use OR CommandLine:\ sessions) OR (CommandLine:\ use\ * OR CommandLine:\ sessions\ *))
Sigma YAML
title: System Network Connections Discovery Via Net.EXE
id: 1c67a717-32ba-409b-a45d-0fb704a73a81
status: test
description: Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-1---system-network-connections-discovery
author: frack113
date: 2021-12-10
modified: 2023-02-21
tags:
    - attack.discovery
    - attack.t1049
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\net.exe'
              - '\net1.exe'
        - OriginalFileName:
              - 'net.exe'
              - 'net1.exe'
    selection_cli:
        - CommandLine|endswith:
              - ' use'
              - ' sessions'
        - CommandLine|contains:
              - ' use '
              - ' sessions '
    condition: all of selection_*
falsepositives:
    - Unknown
level: low
level: low | quality: Moderate | est. alert volume: Medium FP
System Owner or User Discovery - Linux
Detects the execution of host or user discovery utilities such as "whoami", "hostname", "id", etc. Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
status: test | author: Timur Zinniatullin, oscd.community | ATT&CK mapping: technique | id: 9a0d8ca0-2385-4020-b6c6-cb6153ca56f3
carbon_black query
type:EXECVE (a0:hostname OR a0:id OR a0:last OR a0:uname OR a0:users OR a0:w OR a0:who OR a0:whoami)
Sigma YAML
title: System Owner or User Discovery - Linux
id: 9a0d8ca0-2385-4020-b6c6-cb6153ca56f3
status: test
description: |
    Detects the execution of host or user discovery utilities such as "whoami", "hostname", "id", etc.
    Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md
author: Timur Zinniatullin, oscd.community
date: 2019-10-21
modified: 2025-06-04
tags:
    - attack.discovery
    - attack.t1033
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'EXECVE'
        a0:
            - 'hostname'
            - 'id'
            - 'last'
            - 'uname'
            - 'users'
            - 'w'
            - 'who'
            - 'whoami'
    condition: selection
falsepositives:
    - Admin activity
level: low