Tool
EDR / XDR
VMware Carbon Black
1,492 rules · Sigma detections in VMware Carbon Black syntax
The same Sigma detection corpus, machine-rendered into VMware Carbon Black query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
◈
Detection rules
50 shown of 1,492
medium
Guest User Invited By Non Approved Inviters
Detects when a user that doesn't have permissions to invite a guest user attempts to invite one.
view Sigma YAML
title: Guest User Invited By Non Approved Inviters
id: 0b4b72e3-4c53-4d5b-b198-2c58cfef39a9
status: test
description: Detects when a user that doesn't have permissions to invite a guest user attempts to invite one.
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#things-to-monitor
author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
date: 2022-08-10
tags:
- attack.privilege-escalation
- attack.initial-access
- attack.persistence
- attack.stealth
- attack.t1078.004
logsource:
product: azure
service: auditlogs
detection:
selection:
properties.message: Invite external user
Status: failure
condition: selection
falsepositives:
- A non malicious user is unaware of the proper process
level: medium
Convert to SIEM query
medium
Guest Users Invited To Tenant By Non Approved Inviters
Detects guest users being invited to tenant by non-approved inviters
view Sigma YAML
title: Guest Users Invited To Tenant By Non Approved Inviters
id: 4ad97bf5-a514-41a4-abd3-4f3455ad4865
status: test
description: Detects guest users being invited to tenant by non-approved inviters
references:
- https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts#monitoring-external-user-sign-ins
author: MikeDuddington, '@dudders1'
date: 2022-07-28
tags:
- attack.privilege-escalation
- attack.persistence
- attack.initial-access
- attack.stealth
- attack.t1078
logsource:
product: azure
service: auditlogs
detection:
selection:
Category: 'UserManagement'
OperationName: 'Invite external user'
filter:
InitiatedBy|contains: '<approved guest inviter use OR for multiple>'
condition: selection and not filter
falsepositives:
- If this was approved by System Administrator.
level: medium
Convert to SIEM query
medium
Gzip Archive Decode Via PowerShell
Detects attempts of decoding encoded Gzip archives via PowerShell.
view Sigma YAML
title: Gzip Archive Decode Via PowerShell
id: 98767d61-b2e8-4d71-b661-e36783ee24c1
status: test
description: Detects attempts of decoding encoded Gzip archives via PowerShell.
references:
- https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
author: Hieu Tran
date: 2023-03-13
tags:
- attack.command-and-control
- attack.t1132.001
logsource:
product: windows
category: process_creation
detection:
selection:
CommandLine|contains|all:
- 'GZipStream'
- '::Decompress'
condition: selection
falsepositives:
- Legitimate administrative scripts may use this functionality. Use "ParentImage" in combination with the script names and allowed users and applications to filter legitimate executions
level: medium
Convert to SIEM query
medium
HH.EXE Initiated HTTP Network Connection
Detects a network connection initiated by the "hh.exe" process to HTTP destination ports, which could indicate the execution/download of remotely hosted .chm files.
view Sigma YAML
title: HH.EXE Initiated HTTP Network Connection
id: 468a8cea-2920-4909-a593-0cbe1d96674a
related:
- id: f57c58b3-ee69-4ef5-9041-455bf39aaa89
type: derived
status: test
description: |
Detects a network connection initiated by the "hh.exe" process to HTTP destination ports, which could indicate the execution/download of remotely hosted .chm files.
references:
- https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html
- https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-05
tags:
- attack.stealth
- attack.t1218.001
- detection.threat-hunting
logsource:
category: network_connection
product: windows
detection:
selection:
Image|endswith: '\hh.exe'
Initiated: 'true'
DestinationPort:
- 80
- 443
condition: selection
falsepositives:
- False positive is expected from launching "hh.exe" for the first time on a machine in a while or simply from help files containing reference to external sources. Best correlate this with process creation and file events.
level: medium
Convert to SIEM query
medium
HTTP Request With Empty User Agent
Detects a potentially suspicious empty user agent strings in proxy log.
Could potentially indicate an uncommon request method.
view Sigma YAML
title: HTTP Request With Empty User Agent
id: 21e44d78-95e7-421b-a464-ffd8395659c4
status: test
description: |
Detects a potentially suspicious empty user agent strings in proxy log.
Could potentially indicate an uncommon request method.
references:
- https://twitter.com/Carlos_Perez/status/883455096645931008
author: Florian Roth (Nextron Systems)
date: 2017-07-08
modified: 2021-11-27
tags:
- attack.command-and-control
- attack.t1071.001
logsource:
category: proxy
detection:
selection:
# Empty string - as used by Powershell's (New-Object Net.WebClient).DownloadString
c-useragent: ''
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
HTTP Request to Low Reputation TLD or Suspicious File Extension
Detects HTTP requests to low reputation TLDs (e.g. .xyz, .top, .ru) or ending in suspicious file extensions (.exe, .dll, .hta), which may indicate malicious activity.
view Sigma YAML
title: HTTP Request to Low Reputation TLD or Suspicious File Extension
id: 68c2c604-92ad-468b-bf4a-aac49adad08c
status: experimental
description: |
Detects HTTP requests to low reputation TLDs (e.g. .xyz, .top, .ru) or ending in suspicious file extensions (.exe, .dll, .hta), which may indicate malicious activity.
references:
- https://www.howtogeek.com/137270/50-file-extensions-that-are-potentially-dangerous-on-windows
- https://www.spamhaus.org/reputation-statistics/cctlds/domains/
author: '@signalblur, Corelight'
date: 2025-02-26
tags:
- attack.initial-access
- attack.command-and-control
logsource:
product: zeek
service: http
detection:
# Suspicious TLD in the 'host' field OR malicious file extension in the 'uri' field.
selection_suspicious_tld:
host|endswith:
- '.bid'
- '.by'
- '.cf'
- '.click'
- '.cm'
- '.ga'
- '.gq'
- '.ir'
- '.kp'
- '.loan'
- '.ml'
- '.mm'
- '.party'
- '.pw'
- '.ru'
- '.su'
- '.sy'
- '.tk'
- '.top'
- '.tv'
- '.ve'
- '.work'
- '.xyz'
selection_malicious_ext:
uri|endswith:
- '.bat'
- '.bin'
- '.cmd'
- '.cpl'
- '.dll'
- '.dylib'
- '.elf'
- '.exe'
- '.hta'
- '.iso'
- '.jar'
- '.js'
- '.lnk'
- '.msi'
- '.pif'
- '.ps1'
- '.py'
- '.reg'
- '.scr'
- '.sh'
- '.so'
- '.vbs'
- '.wsf'
selection_malicious_mime:
resp_mime_types:
- 'application/vnd.microsoft.portable-executable'
- 'application/x-bat'
- 'application/x-dosexec'
- 'application/x-elf'
- 'application/x-iso9660-image'
- 'application/x-java-archive'
- 'application/x-ms-shortcut'
- 'application/x-msdos-program'
- 'application/x-msdownload'
- 'application/x-python-code'
- 'application/x-sh'
condition: selection_suspicious_tld and 1 of selection_malicious_*
falsepositives:
- Rare legitimate software downloads from low quality TLDs
level: medium
Convert to SIEM query
medium
HackTool - Impersonate Execution
Detects execution of the Impersonate tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively
view Sigma YAML
title: HackTool - Impersonate Execution
id: cf0c254b-22f1-4b2b-8221-e137b3c0af94
status: test
description: Detects execution of the Impersonate tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively
references:
- https://sensepost.com/blog/2022/abusing-windows-tokens-to-compromise-active-directory-without-touching-lsass/
- https://github.com/sensepost/impersonate
author: Sai Prashanth Pulisetti @pulisettis
date: 2022-12-21
modified: 2024-11-23
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1134.001
- attack.t1134.003
logsource:
product: windows
category: process_creation
detection:
selection_commandline_exe:
CommandLine|contains: 'impersonate.exe'
selection_commandline_opt:
CommandLine|contains:
- ' list '
- ' exec '
- ' adduser '
selection_hash:
Hashes|contains:
- 'MD5=9520714AB576B0ED01D1513691377D01'
- 'SHA256=E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A'
- 'IMPHASH=0A358FFC1697B7A07D0E817AC740DF62'
condition: all of selection_commandline_* or selection_hash
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
HackTool - Jlaive In-Memory Assembly Execution
Detects the use of Jlaive to execute assemblies in a copied PowerShell
view Sigma YAML
title: HackTool - Jlaive In-Memory Assembly Execution
id: 0a99eb3e-1617-41bd-b095-13dc767f3def
status: test
description: Detects the use of Jlaive to execute assemblies in a copied PowerShell
references:
- https://jstnk9.github.io/jstnk9/research/Jlaive-Antivirus-Evasion-Tool
- https://web.archive.org/web/20220514073704/https://github.com/ch2sh/Jlaive
author: Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)
date: 2022-05-24
modified: 2023-02-22
tags:
- attack.execution
- attack.t1059.003
logsource:
product: windows
category: process_creation
detection:
parent_selection:
ParentImage|endswith: '\cmd.exe'
ParentCommandLine|endswith: '.bat'
selection1:
Image|endswith: '\xcopy.exe'
CommandLine|contains|all:
- 'powershell.exe'
- '.bat.exe'
selection2:
Image|endswith: '\xcopy.exe'
CommandLine|contains|all:
- 'pwsh.exe'
- '.bat.exe'
selection3:
Image|endswith: '\attrib.exe'
CommandLine|contains|all:
- '+s'
- '+h'
- '.bat.exe'
condition: parent_selection and (1 of selection*)
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
HackTool - LaZagne Execution
Detects the execution of the LaZagne. A utility used to retrieve multiple types of passwords stored on a local computer.
LaZagne has been leveraged multiple times by threat actors in order to dump credentials.
view Sigma YAML
title: HackTool - LaZagne Execution
id: c2b86e67-b880-4eec-b045-50bc98ef4844
status: experimental
description: |
Detects the execution of the LaZagne. A utility used to retrieve multiple types of passwords stored on a local computer.
LaZagne has been leveraged multiple times by threat actors in order to dump credentials.
references:
- https://github.com/AlessandroZ/LaZagne/tree/master
- https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
- https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/
- https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/
- https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/800c0e06571993a54e39571cf27fd474dcc5c0bc/2017/2017.11.14.Muddying_the_Water/muddying-the-water-targeted-attacks.pdf
author: Nasreddine Bencherchali, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2024-06-24
modified: 2025-10-07
tags:
- attack.credential-access
logsource:
product: windows
category: process_creation
detection:
selection_img_metadata:
Image|endswith: '\lazagne.exe'
selection_img_cli:
# Note: This selection can be prone to FP. An initial baseline is required
Image|contains:
- ':\PerfLogs\'
- ':\ProgramData\'
- ':\Temp\'
- ':\Tmp\'
- ':\Users\Public\'
- ':\Windows\Temp\'
- '\$Recycle.bin'
- '\AppData\'
- '\Desktop\'
- '\Downloads\'
- '\Favorites\'
- '\Links\'
- '\Music\'
- '\Photos\'
- '\Pictures\'
- '\Saved Games\'
- '\Searches\'
- '\Users\Contacts\'
- '\Users\Default\'
- '\Users\Searches\'
- '\Videos\'
- '\Windows\addins\'
- '\Windows\Fonts\'
- '\Windows\IME\'
CommandLine|endswith:
- '.exe all'
- '.exe browsers'
- '.exe chats'
- '.exe databases'
- '.exe games'
- '.exe git'
- '.exe mails'
- '.exe maven'
- '.exe memory'
- '.exe multimedia'
# - '.exe php' # Might be prone to FP
# - '.exe svn' # Might be prone to FP
- '.exe sysadmin'
- '.exe unused'
- '.exe wifi'
- '.exe windows'
selection_cli_modules:
CommandLine|contains:
- ' all '
- ' browsers '
- ' chats '
- ' databases '
- ' games '
- ' mails '
- ' maven '
- ' memory '
- ' multimedia '
- ' php '
- ' svn '
- ' sysadmin '
- ' unused '
- ' wifi '
selection_cli_options:
CommandLine|contains:
- '-1Password'
- '-apachedirectorystudio'
- '-autologon'
- '-ChromiumBased'
- '-coreftp'
- '-credfiles'
- '-credman'
- '-cyberduck'
- '-dbvis'
- '-EyeCon'
- '-filezilla'
- '-filezillaserver'
- '-ftpnavigator'
- '-galconfusion'
- '-gitforwindows'
- '-hashdump'
- '-iisapppool'
- '-IISCentralCertP'
- '-kalypsomedia'
- '-keepass'
- '-keepassconfig'
- '-lsa_secrets'
- '-mavenrepositories'
- '-memory_dump'
- '-Mozilla'
- '-mRemoteNG'
- '-mscache'
- '-opensshforwindows'
- '-openvpn'
- '-outlook'
- '-pidgin'
- '-postgresql'
- '-psi-im'
- '-puttycm'
- '-pypykatz'
- '-Rclone'
- '-rdpmanager'
- '-robomongo'
- '-roguestale'
- '-skype'
- '-SQLDeveloper'
- '-squirrel'
- '-tortoise'
- '-turba'
- '-UCBrowser'
- '-unattended'
- '-vault'
- '-vaultfiles'
- '-vnc'
- '-winscp'
condition: 1 of selection_img_* or all of selection_cli_*
falsepositives:
- Some false positive is expected from tools with similar command line flags.
# Note: Increase the level to "high" after an initial baseline
level: medium
Convert to SIEM query
medium
HackTool - SharpLDAPmonitor Execution
Detects execution of the SharpLDAPmonitor. Which can monitor the creation, deletion and changes to LDAP objects.
view Sigma YAML
title: HackTool - SharpLDAPmonitor Execution
id: 9f8fc146-1d1a-4dbf-b8fd-dfae15e08541
status: test
description: Detects execution of the SharpLDAPmonitor. Which can monitor the creation, deletion and changes to LDAP objects.
references:
- https://github.com/p0dalirius/LDAPmonitor
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-30
modified: 2023-02-14
tags:
- attack.discovery
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\SharpLDAPmonitor.exe'
- OriginalFileName: 'SharpLDAPmonitor.exe'
selection_cli:
CommandLine|contains|all:
- '/user:'
- '/pass:'
- '/dcip:'
condition: 1 of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
HackTool - WinRM Access Via Evil-WinRM
Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
view Sigma YAML
title: HackTool - WinRM Access Via Evil-WinRM
id: a197e378-d31b-41c0-9635-cfdf1c1bb423
status: test
description: Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-3---winrm-access-with-evil-winrm
- https://github.com/Hackplayers/evil-winrm
author: frack113
date: 2022-01-07
modified: 2023-02-13
tags:
- attack.lateral-movement
- attack.t1021.006
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\ruby.exe'
CommandLine|contains|all:
- '-i '
- '-u '
- '-p '
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Hardware Model Reconnaissance Via Wmic.EXE
Detects the execution of WMIC with the "csproduct" which is used to obtain information such as hardware models and vendor information
view Sigma YAML
title: Hardware Model Reconnaissance Via Wmic.EXE
id: 3e3ceccd-6c06-48b8-b5ff-ab1d25db8c1d
status: test
description: Detects the execution of WMIC with the "csproduct" which is used to obtain information such as hardware models and vendor information
references:
- https://jonconwayuk.wordpress.com/2014/01/31/wmic-csproduct-using-wmi-to-identify-make-and-model-of-hardware/
- https://www.uptycs.com/blog/kuraystealer-a-bandit-using-discord-webhooks
author: Florian Roth (Nextron Systems)
date: 2023-02-14
tags:
- attack.execution
- attack.t1047
- car.2016-03-002
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\wmic.exe'
- OriginalFileName: 'wmic.exe'
selection_cli:
CommandLine|contains: 'csproduct'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Harvesting Of Wifi Credentials Via Netsh.EXE
Detect the harvesting of wifi credentials using netsh.exe
view Sigma YAML
title: Harvesting Of Wifi Credentials Via Netsh.EXE
id: 42b1a5b8-353f-4f10-b256-39de4467faff
status: test
description: Detect the harvesting of wifi credentials using netsh.exe
references:
- https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/
author: Andreas Hunkeler (@Karneades), oscd.community
date: 2020-04-20
modified: 2023-02-13
tags:
- attack.discovery
- attack.credential-access
- attack.t1040
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\netsh.exe'
- OriginalFileName: 'netsh.exe'
selection_cli:
CommandLine|contains|all:
- 'wlan'
- ' s'
- ' p'
- ' k'
- '=clear'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Headless Process Launched Via Conhost.EXE
Detects the launch of a child process via "conhost.exe" with the "--headless" flag.
The "--headless" flag hides the windows from the user upon execution.
view Sigma YAML
title: Headless Process Launched Via Conhost.EXE
id: 00ca75ab-d5ce-43be-b86c-55ff39c6abfc
related:
- id: 056c7317-9a09-4bd4-9067-d051312752ea
type: derived
status: test
description: |
Detects the launch of a child process via "conhost.exe" with the "--headless" flag.
The "--headless" flag hides the windows from the user upon execution.
references:
- https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-07-23
tags:
- attack.execution
- attack.t1059.001
- attack.t1059.003
- detection.threat-hunting
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\conhost.exe'
ParentCommandLine|contains: '--headless'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Hidden Executable In NTFS Alternate Data Stream
Detects the creation of an ADS (Alternate Data Stream) that contains an executable by looking at a non-empty Imphash
view Sigma YAML
title: Hidden Executable In NTFS Alternate Data Stream
id: b69888d4-380c-45ce-9cf9-d9ce46e67821
status: test
description: Detects the creation of an ADS (Alternate Data Stream) that contains an executable by looking at a non-empty Imphash
references:
- https://twitter.com/0xrawsec/status/1002478725605273600?s=21
author: Florian Roth (Nextron Systems), @0xrawsec
date: 2018-06-03
modified: 2023-02-10
tags:
- attack.stealth
- attack.s0139
- attack.t1564.004
logsource:
product: windows
category: create_stream_hash
definition: 'Requirements: Sysmon or equivalent configured with Imphash logging'
detection:
selection:
Hash|contains: 'IMPHASH='
filter_main_null:
Hash|contains: 'IMPHASH=00000000000000000000000000000000'
condition: selection and not 1 of filter_main_*
falsepositives:
- This rule isn't looking for any particular binary characteristics. As legitimate installers and programs were seen embedding hidden binaries in their ADS. Some false positives are expected from browser processes and similar.
level: medium
Convert to SIEM query
medium
Hidden Flag Set On File/Directory Via Chflags - MacOS
Detects the execution of the "chflags" utility with the "hidden" flag, in order to hide files on MacOS.
When a file or directory has this hidden flag set, it becomes invisible to the default file listing commands and in graphical file browsers.
view Sigma YAML
title: Hidden Flag Set On File/Directory Via Chflags - MacOS
id: 3b2c1059-ae5f-40b6-b5d4-6106d3ac20fe
status: test
description: |
Detects the execution of the "chflags" utility with the "hidden" flag, in order to hide files on MacOS.
When a file or directory has this hidden flag set, it becomes invisible to the default file listing commands and in graphical file browsers.
references:
- https://www.sentinelone.com/labs/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/
- https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/
- https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf
- https://ss64.com/mac/chflags.html
author: Omar Khaled (@beacon_exe)
date: 2024-08-21
tags:
- attack.credential-access
- attack.command-and-control
- attack.stealth
- attack.t1218
- attack.t1564.004
- attack.t1552.001
- attack.t1105
logsource:
product: macos
category: process_creation
detection:
selection:
Image|endswith: '/chflags'
CommandLine|contains: 'hidden '
condition: selection
falsepositives:
- Legitimate usage of chflags by administrators and users.
level: medium
Convert to SIEM query
medium
Hidden Powershell in Link File Pattern
Detects events that appear when a user click on a link file with a powershell command in it
view Sigma YAML
title: Hidden Powershell in Link File Pattern
id: 30e92f50-bb5a-4884-98b5-d20aa80f3d7a
status: test
description: Detects events that appear when a user click on a link file with a powershell command in it
references:
- https://www.x86matthew.com/view_post?id=embed_exe_lnk
author: frack113
date: 2022-02-06
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage: C:\Windows\explorer.exe
Image: C:\Windows\System32\cmd.exe
CommandLine|contains|all:
- 'powershell'
- '.lnk'
condition: selection
falsepositives:
- Legitimate commands in .lnk files
level: medium
Convert to SIEM query
medium
Hidden User Creation
Detects creation of a hidden user account on macOS (UserID < 500) or with IsHidden option
view Sigma YAML
title: Hidden User Creation
id: b22a5b36-2431-493a-8be1-0bae56c28ef3
status: test
description: Detects creation of a hidden user account on macOS (UserID < 500) or with IsHidden option
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.002/T1564.002.md
author: Daniil Yugoslavskiy, oscd.community
date: 2020-10-10
modified: 2021-11-27
tags:
- attack.stealth
- attack.t1564.002
logsource:
category: process_creation
product: macos
detection:
dscl_create:
Image|endswith: '/dscl'
CommandLine|contains: 'create'
id_below_500:
CommandLine|contains: UniqueID
CommandLine|re: '([0-9]|[1-9][0-9]|[1-4][0-9]{2})'
ishidden_option_declaration:
CommandLine|contains: 'IsHidden'
ishidden_option_confirmation:
CommandLine|contains:
- 'true'
- 'yes'
- '1'
condition: dscl_create and id_below_500 or dscl_create and (ishidden_option_declaration and ishidden_option_confirmation)
falsepositives:
- Legitimate administration activities
level: medium
Convert to SIEM query
medium
Hiding Files with Attrib.exe
Detects usage of attrib.exe to hide files from users.
view Sigma YAML
title: Hiding Files with Attrib.exe
id: 4281cb20-2994-4580-aa63-c8b86d019934
status: test
description: Detects usage of attrib.exe to hide files from users.
references:
- https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/
- https://www.uptycs.com/blog/lolbins-are-no-laughing-matter
author: Sami Ruohonen
date: 2019-01-16
modified: 2023-03-14
tags:
- attack.stealth
- attack.t1564.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\attrib.exe'
- OriginalFileName: 'ATTRIB.EXE'
selection_cli:
CommandLine|contains: ' +h '
filter_main_msiexec:
CommandLine|contains: '\desktop.ini '
filter_optional_intel:
ParentImage|endswith: '\cmd.exe'
CommandLine: '+R +H +S +A \\\*.cui'
ParentCommandLine: 'C:\\WINDOWS\\system32\\\*.bat'
condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- IgfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe)
- Msiexec.exe hiding desktop.ini
level: medium
Convert to SIEM query
medium
Hiding User Account Via SpecialAccounts Registry Key - CommandLine
Detects changes to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen.
view Sigma YAML
title: Hiding User Account Via SpecialAccounts Registry Key - CommandLine
id: 9ec9fb1b-e059-4489-9642-f270c207923d
related:
- id: f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd
type: similar
status: test
description: |
Detects changes to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen.
references:
- https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/
- https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/
- https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/
- https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
author: '@Kostastsale, TheDFIRReport'
date: 2022-05-14
modified: 2024-08-23
tags:
- attack.stealth
- attack.t1564.002
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\reg.exe'
CommandLine|contains|all:
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
- 'add'
- '/v'
- '/d 0'
condition: selection
falsepositives:
- System administrator activities
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_registry_special_accounts_hide_user/info.yml
Convert to SIEM query
medium
IE Change Domain Zone
Hides the file extension through modification of the registry
view Sigma YAML
title: IE Change Domain Zone
id: 45e112d0-7759-4c2a-aa36-9f8fb79d3393
related:
- id: d88d0ab2-e696-4d40-a2ed-9790064e66b3
type: derived
status: test
description: Hides the file extension through modification of the registry
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone
- https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries
author: frack113
date: 2022-01-22
modified: 2023-08-17
tags:
- attack.persistence
- attack.t1137
logsource:
category: registry_set
product: windows
detection:
selection_domains:
TargetObject|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
filter:
Details:
- DWORD (0x00000000) # My Computer
- DWORD (0x00000001) # Local Intranet Zone
- '(Empty)'
condition: selection_domains and not filter
falsepositives:
- Administrative scripts
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_change_security_zones/info.yml
simulation:
- type: atomic-red-team
name: Add Domain to Trusted Sites Zone
technique: T1112
atomic_guid: cf447677-5a4e-4937-a82c-e47d254afd57
Convert to SIEM query
medium
IIS Native-Code Module Command Line Installation
Detects suspicious IIS native-code module installations via command line
view Sigma YAML
title: IIS Native-Code Module Command Line Installation
id: 9465ddf4-f9e4-4ebd-8d98-702df3a93239
status: test
description: Detects suspicious IIS native-code module installations via command line
references:
- https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/
- https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
author: Florian Roth (Nextron Systems)
date: 2019-12-11
modified: 2024-03-13
tags:
- attack.persistence
- attack.t1505.003
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\appcmd.exe'
- OriginalFileName: 'appcmd.exe'
selection_cli:
CommandLine|contains|all:
- 'install'
- 'module'
CommandLine|contains|windash: '-name:'
filter_iis_setup:
ParentImage: 'C:\Windows\System32\inetsrv\iissetup.exe'
condition: all of selection_* and not 1 of filter_*
falsepositives:
- Unknown as it may vary from organisation to organisation how admins use to install IIS modules
level: medium
Convert to SIEM query
medium
IIS WebServer Access Logs Deleted
Detects the deletion of IIS WebServer access logs which may indicate an attempt to destroy forensic evidence
view Sigma YAML
title: IIS WebServer Access Logs Deleted
id: 3eb8c339-a765-48cc-a150-4364c04652bf
related:
- id: 0649be4a-aeb0-45b0-b89e-7f1668f6d9c0
type: similar
status: test
description: Detects the deletion of IIS WebServer access logs which may indicate an attempt to destroy forensic evidence
references:
- https://www.elastic.co/guide/en/security/current/webserver-access-logs-deleted.html
author: Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-16
modified: 2023-02-15
tags:
- attack.stealth
- attack.t1070
logsource:
category: file_delete
product: windows
detection:
selection:
TargetFilename|contains: '\inetpub\logs\LogFiles\'
TargetFilename|endswith: '.log'
condition: selection
falsepositives:
- During uninstallation of the IIS service
- During log rotation
level: medium
Convert to SIEM query
medium
IIS WebServer Log Deletion via CommandLine Utilities
Detects attempts to delete Internet Information Services (IIS) log files via command line utilities, which is a common defense evasion technique used by attackers to cover their tracks.
Threat actors often abuse vulnerabilities in web applications hosted on IIS servers to gain initial access and later delete IIS logs to evade detection.
view Sigma YAML
title: IIS WebServer Log Deletion via CommandLine Utilities
id: 0649be4a-aeb0-45b0-b89e-7f1668f6d9c0
related:
- id: 3eb8c339-a765-48cc-a150-4364c04652bf
type: similar
status: experimental
description: |
Detects attempts to delete Internet Information Services (IIS) log files via command line utilities, which is a common defense evasion technique used by attackers to cover their tracks.
Threat actors often abuse vulnerabilities in web applications hosted on IIS servers to gain initial access and later delete IIS logs to evade detection.
references:
- https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/managing-iis-log-file-storage
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-09-02
tags:
- attack.stealth
- attack.t1070
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\cmd.exe'
- '\powershell_ise.exe'
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'cmd.exe'
- 'powershell.exe'
- 'powershell_ise.exe'
- 'pwsh.dll'
selection_cli_del:
CommandLine|contains:
- 'del '
- 'erase '
- 'rm '
- 'remove-item '
- 'rmdir '
selection_cli_iis_dir:
CommandLine|contains: '\inetpub\logs\'
condition: all of selection_*
falsepositives:
- Deletion of IIS logs that are older than a certain retention period as part of regular maintenance activities.
- Legitimate schedule tasks or scripts that clean up log files regularly.
# More Fp cases
# https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/managing-iis-log-file-storage#02
level: medium
Convert to SIEM query
medium
ISATAP Router Address Was Set
Detects the configuration of a new ISATAP router on a Windows host. While ISATAP is a legitimate Microsoft technology for IPv6 transition, unexpected or unauthorized ISATAP router configurations could indicate a potential IPv6 DNS Takeover attack using tools like mitm6.
In such attacks, adversaries advertise themselves as DHCPv6 servers and set malicious ISATAP routers to intercept traffic.
This detection should be correlated with network baselines and known legitimate ISATAP deployments in your environment.
No stored carbon_black translation for this rule. Expand the YAML below to convert it inline.
view Sigma YAML
title: ISATAP Router Address Was Set
id: d22df9cd-2aee-4089-93c7-9dc4eae77f2c
status: experimental
description: |
Detects the configuration of a new ISATAP router on a Windows host. While ISATAP is a legitimate Microsoft technology for IPv6 transition, unexpected or unauthorized ISATAP router configurations could indicate a potential IPv6 DNS Takeover attack using tools like mitm6.
In such attacks, adversaries advertise themselves as DHCPv6 servers and set malicious ISATAP routers to intercept traffic.
This detection should be correlated with network baselines and known legitimate ISATAP deployments in your environment.
references:
- https://www.blackhillsinfosec.com/mitm6-strikes-again-the-dark-side-of-ipv6/
- https://redfoxsec.com/blog/ipv6-dns-takeover/
- https://www.securityhq.com/blog/malicious-isatap-tunneling-unearthed-on-windows-server/
- https://medium.com/@ninnesoturan/detecting-ipv6-dns-takeover-a54a6a88be1f
author: hamid
date: 2025-10-19
tags:
- attack.impact
- attack.credential-access
- attack.collection
- attack.initial-access
- attack.privilege-escalation
- attack.execution
- attack.t1557
- attack.t1565.002
logsource:
product: windows
service: system
detection:
selection:
EventID: 4100
Provider_Name: 'Microsoft-Windows-Iphlpsvc'
filter_main_localhost:
IsatapRouter:
- '127.0.0.1'
- '::1'
filter_optional_null:
IsatapRouter: null
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate ISATAP router configuration in enterprise environments
- IPv6 transition projects and network infrastructure changes
- Network administrators configuring dual-stack networking
- Automatic ISATAP configuration in some Windows deployments
level: medium
Convert to SIEM query
medium
ISO Image Mounted
Detects the mount of an ISO image on an endpoint
view Sigma YAML
title: ISO Image Mounted
id: 0248a7bc-8a9a-4cd8-a57e-3ae8e073a073
status: test
description: Detects the mount of an ISO image on an endpoint
references:
- https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore
- https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages
- https://twitter.com/MsftSecIntel/status/1257324139515269121
- https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image
author: Syed Hasan (@syedhasan009)
date: 2021-05-29
modified: 2023-11-09
tags:
- attack.initial-access
- attack.t1566.001
logsource:
product: windows
service: security
definition: 'The advanced audit policy setting "Object Access > Audit Removable Storage" must be configured for Success/Failure'
detection:
selection:
EventID: 4663
ObjectServer: 'Security'
ObjectType: 'File'
ObjectName|startswith: '\Device\CdRom'
filter_main_generic:
ObjectName:
- '\Device\CdRom0\autorun.ico'
- '\Device\CdRom0\setup.exe'
- '\Device\CdRom0\setup64.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Software installation ISO files
level: medium
Convert to SIEM query
medium
ISO or Image Mount Indicator in Recent Files
Detects the creation of recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks.
This can be a false positive on server systems but on workstations users should rarely mount .iso or .img files.
view Sigma YAML
title: ISO or Image Mount Indicator in Recent Files
id: 4358e5a5-7542-4dcb-b9f3-87667371839b
status: test
description: |
Detects the creation of recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks.
This can be a false positive on server systems but on workstations users should rarely mount .iso or .img files.
references:
- https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore
- https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/
- https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/
author: Florian Roth (Nextron Systems)
date: 2022-02-11
tags:
- attack.initial-access
- attack.t1566.001
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith:
- '.iso.lnk'
- '.img.lnk'
- '.vhd.lnk'
- '.vhdx.lnk'
TargetFilename|contains: '\Microsoft\Windows\Recent\'
condition: selection
falsepositives:
- Cases in which a user mounts an image file for legitimate reasons
level: medium
Convert to SIEM query
medium
Ie4uinit Lolbin Use From Invalid Path
Detect use of ie4uinit.exe to execute commands from a specially prepared ie4uinit.inf file from a directory other than the usual directories
No stored carbon_black translation for this rule. Expand the YAML below to convert it inline.
view Sigma YAML
title: Ie4uinit Lolbin Use From Invalid Path
id: d3bf399f-b0cf-4250-8bb4-dfc192ab81dc
status: test
description: Detect use of ie4uinit.exe to execute commands from a specially prepared ie4uinit.inf file from a directory other than the usual directories
references:
- https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/
- https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
author: frack113
date: 2022-05-07
modified: 2022-05-16
tags:
- attack.stealth
- attack.t1218
logsource:
product: windows
category: process_creation
detection:
lolbin:
- Image|endswith: '\ie4uinit.exe'
- OriginalFileName: 'IE4UINIT.EXE'
filter_correct:
CurrentDirectory:
- 'c:\windows\system32\'
- 'c:\windows\sysWOW64\'
filter_missing:
CurrentDirectory: null
condition: lolbin and not 1 of filter_*
falsepositives:
- ViberPC updater calls this binary with the following commandline "ie4uinit.exe -ClearIconCache"
level: medium
Convert to SIEM query
medium
Import LDAP Data Interchange Format File Via Ldifde.EXE
Detects the execution of "Ldifde.exe" with the import flag "-i". The can be abused to include HTTP-based arguments which will allow the arbitrary download of files from a remote server.
view Sigma YAML
title: Import LDAP Data Interchange Format File Via Ldifde.EXE
id: 6f535e01-ca1f-40be-ab8d-45b19c0c8b7f
status: test
description: |
Detects the execution of "Ldifde.exe" with the import flag "-i". The can be abused to include HTTP-based arguments which will allow the arbitrary download of files from a remote server.
references:
- https://twitter.com/0gtweet/status/1564968845726580736
- https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)
author: '@gott_cyber'
date: 2022-09-02
modified: 2023-03-14
tags:
- attack.command-and-control
- attack.stealth
- attack.t1218
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\ldifde.exe'
- OriginalFileName: 'ldifde.exe'
selection_cli:
CommandLine|contains|all:
- '-i'
- '-f'
condition: all of selection_*
falsepositives:
- Since the content of the files are unknown, false positives are expected
level: medium
Convert to SIEM query
medium
Import PowerShell Modules From Suspicious Directories
Detects powershell scripts that import modules from suspicious directories
view Sigma YAML
title: Import PowerShell Modules From Suspicious Directories
id: 21f9162c-5f5d-4b01-89a8-b705bd7d10ab
related:
- id: c31364f7-8be6-4b77-8483-dd2b5a7b69a3
type: similar
status: test
description: Detects powershell scripts that import modules from suspicious directories
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-07
modified: 2023-01-10
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- 'Import-Module "$Env:Temp\'
- Import-Module '$Env:Temp\
- 'Import-Module $Env:Temp\'
- 'Import-Module "$Env:Appdata\'
- Import-Module '$Env:Appdata\
- 'Import-Module $Env:Appdata\'
- 'Import-Module C:\Users\Public\'
# Import-Module alias is "ipmo"
- 'ipmo "$Env:Temp\'
- ipmo '$Env:Temp\
- 'ipmo $Env:Temp\'
- 'ipmo "$Env:Appdata\'
- ipmo '$Env:Appdata\
- 'ipmo $Env:Appdata\'
- 'ipmo C:\Users\Public\'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Import PowerShell Modules From Suspicious Directories - ProcCreation
Detects powershell scripts that import modules from suspicious directories
view Sigma YAML
title: Import PowerShell Modules From Suspicious Directories - ProcCreation
id: c31364f7-8be6-4b77-8483-dd2b5a7b69a3
related:
- id: 21f9162c-5f5d-4b01-89a8-b705bd7d10ab
type: similar
status: test
description: Detects powershell scripts that import modules from suspicious directories
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-10
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- 'Import-Module "$Env:Temp\'
- Import-Module '$Env:Temp\
- 'Import-Module $Env:Temp\'
- 'Import-Module "$Env:Appdata\'
- Import-Module '$Env:Appdata\
- 'Import-Module $Env:Appdata\'
- 'Import-Module C:\Users\Public\'
# Import-Module alias is "ipmo"
- 'ipmo "$Env:Temp\'
- ipmo '$Env:Temp\
- 'ipmo $Env:Temp\'
- 'ipmo "$Env:Appdata\'
- ipmo '$Env:Appdata\
- 'ipmo $Env:Appdata\'
- 'ipmo C:\Users\Public\'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Imports Registry Key From a File
Detects the import of the specified file to the registry with regedit.exe.
view Sigma YAML
title: Imports Registry Key From a File
id: 73bba97f-a82d-42ce-b315-9182e76c57b1
related:
- id: 0b80ade5-6997-4b1d-99a1-71701778ea61
type: similar
status: test
description: Detects the import of the specified file to the registry with regedit.exe.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Regedit/
- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
author: Oddvar Moe, Sander Wiebing, oscd.community
date: 2020-10-07
modified: 2024-03-13
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\regedit.exe'
- OriginalFileName: 'REGEDIT.EXE'
selection_cli:
CommandLine|contains:
- ' /i '
- ' /s '
- '.reg'
filter_1:
CommandLine|contains|windash:
- ' -e '
- ' -a '
- ' -c '
filter_2:
CommandLine|re: ':[^ \\]' # to avoid intersection with ADS rule
condition: all of selection_* and not all of filter_*
falsepositives:
- Legitimate import of keys
- Evernote
level: medium
Convert to SIEM query
medium
Inbox Rules Creation Or Update Activity Via ExchangePowerShell Cmdlet
Detects inbox rule creation or update via ExchangePowerShell cmdlet, a technique commonly observed in Business Email Compromise (BEC) attacks to hide emails.
The usage of inbox rules can be a sign of a compromised mailbox, where an attacker is attempting to evade detections by suppressing or redirecting incoming emails.
Analysts should review these rules in context, validate whether they reflect normal user behavior, and correlate with other indicators such as unusual login activity or recent mailbox rule modifications.
view Sigma YAML
title: Inbox Rules Creation Or Update Activity Via ExchangePowerShell Cmdlet
id: 04580eed-e1d6-426b-a570-f6e64a4577f7
related:
- id: d3577be1-42c9-44a7-b56e-2e8de97349d3
type: similar
status: experimental
description: |
Detects inbox rule creation or update via ExchangePowerShell cmdlet, a technique commonly observed in Business Email Compromise (BEC) attacks to hide emails.
The usage of inbox rules can be a sign of a compromised mailbox, where an attacker is attempting to evade detections by suppressing or redirecting incoming emails.
Analysts should review these rules in context, validate whether they reflect normal user behavior, and correlate with other indicators such as unusual login activity or recent mailbox rule modifications.
references:
- https://redcanary.com/threat-detection-report/techniques/email-hiding-rules/
- https://learn.microsoft.com/it-it/powershell/module/exchangepowershell/new-inboxrule?view=exchange-ps
- https://learn.microsoft.com/it-it/powershell/module/exchangepowershell/set-inboxrule?view=exchange-ps
author: Marco Pedrinazzi (@pedrinazziM) (InTheCyber)
date: 2026-02-10
tags:
- attack.stealth
- attack.t1564.008
- attack.exfiltration
- attack.collection
- attack.t1114.003
- detection.threat-hunting
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_cmdlet:
ScriptBlockText|contains:
- 'New-InboxRule'
- 'Set-InboxRule'
selection_params:
ScriptBlockText|contains:
- 'DeleteMessage'
- 'MarkAsRead'
- 'MoveToFolder'
- 'SubjectOrBodyContainsWords'
condition: all of selection_*
falsepositives:
- Legitimate inbox rules created by users or administrators to manage email flow such as filtering, organizing, or automating email handling.
level: medium
Convert to SIEM query
medium
Inbox Rules Creation Or Update Activity in O365
Detects inbox rule creation or update via O365 Audit logs, a technique commonly observed in Business Email Compromise (BEC) attacks to hide emails.
The usage of inbox rules can be a sign of a compromised mailbox, where an attacker is attempting to evade detections by suppressing or redirecting incoming emails.
Analysts should review these rules in context, validate whether they reflect normal user behavior, and correlate with other indicators such as unusual login activity or recent mailbox rule modifications.
view Sigma YAML
title: Inbox Rules Creation Or Update Activity in O365
id: d3577be1-42c9-44a7-b56e-2e8de97349d3
status: experimental
description: |
Detects inbox rule creation or update via O365 Audit logs, a technique commonly observed in Business Email Compromise (BEC) attacks to hide emails.
The usage of inbox rules can be a sign of a compromised mailbox, where an attacker is attempting to evade detections by suppressing or redirecting incoming emails.
Analysts should review these rules in context, validate whether they reflect normal user behavior, and correlate with other indicators such as unusual login activity or recent mailbox rule modifications.
references:
- https://redcanary.com/threat-detection-report/techniques/email-hiding-rules/
- https://learn.microsoft.com/it-it/powershell/module/exchangepowershell/set-inboxrule?view=exchange-ps
- https://learn.microsoft.com/it-it/powershell/module/exchangepowershell/new-inboxrule?view=exchange-ps
author: Marco Pedrinazzi (@pedrinazziM) (InTheCyber)
date: 2026-01-09
tags:
- attack.stealth
- attack.t1564.008
- attack.exfiltration
- attack.collection
- attack.t1114.003
- detection.threat-hunting
logsource:
service: audit
product: m365
definition: "Requirements: The 'Parameters' field is a list of dict. A correct mapping to the 'Value' field inside is recommended to avoid greedy search"
detection:
selection:
Operation:
- 'New-InboxRule'
- 'Set-InboxRule'
Parameters|contains:
- 'DeleteMessage'
- 'MarkAsRead'
- 'MoveToFolder'
- 'SubjectOrBodyContainsWords'
condition: selection
falsepositives:
- Legitimate inbox rules created by users or administrators to manage email flow such as filtering, organizing, or automating email handling.
level: medium
Convert to SIEM query
medium
Increased Failed Authentications Of Any Type
Detects when sign-ins increased by 10% or greater.
view Sigma YAML
title: Increased Failed Authentications Of Any Type
id: e1d02b53-c03c-4948-b11d-4d00cca49d03
status: test
description: Detects when sign-ins increased by 10% or greater.
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins
author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1'
date: 2022-08-11
tags:
- attack.privilege-escalation
- attack.persistence
- attack.initial-access
- attack.stealth
- attack.t1078
logsource:
product: azure
service: signinlogs
detection:
selection:
Status: failure
Count: "<10%"
condition: selection
falsepositives:
- Unlikely
level: medium
Convert to SIEM query
medium
Indicator Removal on Host - Clear Mac System Logs
Detects deletion of local audit logs
view Sigma YAML
title: Indicator Removal on Host - Clear Mac System Logs
id: acf61bd8-d814-4272-81f0-a7a269aa69aa
status: test
description: Detects deletion of local audit logs
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md
author: remotephone, oscd.community
date: 2020-10-11
modified: 2022-09-16
tags:
- attack.defense-impairment
- attack.t1685.006
logsource:
product: macos
category: process_creation
detection:
selection1:
Image|endswith:
- '/rm'
- '/unlink'
- '/shred'
selection_cli_1:
CommandLine|contains: '/var/log'
selection_cli_2:
CommandLine|contains|all:
- '/Users/'
- '/Library/Logs/'
condition: selection1 and 1 of selection_cli*
falsepositives:
- Legitimate administration activities
level: medium
Convert to SIEM query
medium
Indirect Command Execution From Script File Via Bash.EXE
Detects execution of Microsoft bash launcher without any flags to execute the content of a bash script directly.
This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
No stored carbon_black translation for this rule. Expand the YAML below to convert it inline.
view Sigma YAML
title: Indirect Command Execution From Script File Via Bash.EXE
id: 2d22a514-e024-4428-9dba-41505bd63a5b
related:
- id: 5edc2273-c26f-406c-83f3-f4d948e740dd
type: similar
status: test
description: |
Detects execution of Microsoft bash launcher without any flags to execute the content of a bash script directly.
This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Bash/
- https://linux.die.net/man/1/bash
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-15
tags:
- attack.stealth
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith:
- ':\Windows\System32\bash.exe'
- ':\Windows\SysWOW64\bash.exe'
- OriginalFileName: 'Bash.exe'
filter_main_cli_flag:
CommandLine|contains:
# Note: we're not interested in flags being passed first
- 'bash.exe -'
- 'bash -'
filter_main_no_cli:
CommandLine: null
filter_main_empty:
CommandLine: ''
filter_main_no_flag:
CommandLine:
- 'bash.exe'
- 'bash'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Indirect Command Execution via SFTP ProxyCommand
Detects the use of SFTP.exe to execute commands indirectly via ProxyCommand parameter.
Threat actors were seen leveraging this legitimate Windows binary to bypass security controls and execute arbitrary commands while evading detection.
view Sigma YAML
title: Indirect Command Execution via SFTP ProxyCommand
id: 762bb580-79b4-40f4-8b9e-9349ce1710f4
status: experimental
description: |
Detects the use of SFTP.exe to execute commands indirectly via ProxyCommand parameter.
Threat actors were seen leveraging this legitimate Windows binary to bypass security controls and execute arbitrary commands while evading detection.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Sftp/
- https://news.sophos.com/en-us/2025/05/09/lumma-stealer-coming-and-going/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-04-27
tags:
- attack.stealth
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\sftp.exe'
CommandLine|contains: 'ProxyCommand='
condition: selection
falsepositives:
- Legitimate use of SFTP with proxy commands for administration or networking tasks
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_lolbin_sftp_indirect_cmd_execution/info.yml
Convert to SIEM query
medium
Indirect Inline Command Execution Via Bash.EXE
Detects execution of Microsoft bash launcher with the "-c" flag.
This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
view Sigma YAML
title: Indirect Inline Command Execution Via Bash.EXE
id: 5edc2273-c26f-406c-83f3-f4d948e740dd
related:
- id: 2d22a514-e024-4428-9dba-41505bd63a5b
type: similar
status: test
description: |
Detects execution of Microsoft bash launcher with the "-c" flag.
This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Bash/
author: frack113
date: 2021-11-24
modified: 2023-08-15
tags:
- attack.stealth
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- ':\Windows\System32\bash.exe'
- ':\Windows\SysWOW64\bash.exe'
- OriginalFileName: 'Bash.exe'
selection_cli:
CommandLine|contains: ' -c '
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
InfDefaultInstall.exe .inf Execution
Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.
view Sigma YAML
title: InfDefaultInstall.exe .inf Execution
id: ce7cf472-6fcc-490a-9481-3786840b5d9b
status: test
description: Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md#atomic-test-4---infdefaultinstallexe-inf-execution
- https://lolbas-project.github.io/lolbas/Binaries/Infdefaultinstall/
author: frack113
date: 2021-07-13
modified: 2022-10-09
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'InfDefaultInstall.exe '
- '.inf'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Ingress/Egress Security Group Modification
Detects when an account makes changes to the ingress or egress rules of a security group.
This can indicate that an attacker is attempting to open up new attack vectors in the account, that they are trying to exfiltrate data over the network, or that they are trying to allow machines in that VPC/Subnet to contact a C&C server.
view Sigma YAML
title: Ingress/Egress Security Group Modification
id: 6fb77778-040f-4015-9440-572aa9b6b580
status: test
description: |
Detects when an account makes changes to the ingress or egress rules of a security group.
This can indicate that an attacker is attempting to open up new attack vectors in the account, that they are trying to exfiltrate data over the network, or that they are trying to allow machines in that VPC/Subnet to contact a C&C server.
references:
- https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/
author: jamesc-grafana
date: 2024-07-11
tags:
- attack.initial-access
- attack.t1190
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: 'ec2.amazonaws.com'
eventName:
- 'AuthorizeSecurityGroupEgress'
- 'AuthorizeSecurityGroupIngress'
- 'RevokeSecurityGroupEgress'
- 'RevokeSecurityGroupIngress'
condition: selection
falsepositives:
- New VPCs and Subnets being setup requiring a different security profile to those already defined
- A single port being opened for a new service that is known to be deploying
- Administrators closing unused ports to reduce the attack surface
level: medium
Convert to SIEM query
medium
Insecure Proxy/DOH Transfer Via Curl.EXE
Detects execution of "curl.exe" with the "insecure" flag over proxy or DOH.
view Sigma YAML
title: Insecure Proxy/DOH Transfer Via Curl.EXE
id: 2c1486f5-02e8-4f86-9099-b97f2da4ed77
status: test
description: Detects execution of "curl.exe" with the "insecure" flag over proxy or DOH.
references:
- https://curl.se/docs/manpage.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-27
tags:
- attack.execution
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\curl.exe'
- OriginalFileName: 'curl.exe'
selection_cli:
CommandLine|contains:
- '--doh-insecure'
- '--proxy-insecure'
condition: all of selection_*
falsepositives:
- Access to badly maintained internal or development systems
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_proxy_or_doh/info.yml
Convert to SIEM query
medium
Insecure Transfer Via Curl.EXE
Detects execution of "curl.exe" with the "--insecure" flag.
view Sigma YAML
title: Insecure Transfer Via Curl.EXE
id: cb9cc1d1-e84e-4bdc-b7ad-c31b1b7908ec
status: test
description: Detects execution of "curl.exe" with the "--insecure" flag.
references:
- https://curl.se/docs/manpage.html
author: X__Junior (Nextron Systems)
date: 2023-06-30
tags:
- attack.execution
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\curl.exe'
- OriginalFileName: 'curl.exe'
selection_cli:
- CommandLine|re: '\s-k\s'
- CommandLine|contains: '--insecure'
condition: all of selection_*
falsepositives:
- Access to badly maintained internal or development systems
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_connection/info.yml
Convert to SIEM query
medium
Install New Package Via Winget Local Manifest
Detects usage of winget to install applications via manifest file. Adversaries can abuse winget to download payloads remotely and execute them.
The manifest option enables you to install an application by passing in a YAML file directly to the client.
Winget can be used to download and install exe, msi or msix files later.
view Sigma YAML
title: Install New Package Via Winget Local Manifest
id: 313d6012-51a0-4d93-8dfc-de8553239e25
status: test
description: |
Detects usage of winget to install applications via manifest file. Adversaries can abuse winget to download payloads remotely and execute them.
The manifest option enables you to install an application by passing in a YAML file directly to the client.
Winget can be used to download and install exe, msi or msix files later.
references:
- https://learn.microsoft.com/en-us/windows/package-manager/winget/install#local-install
- https://lolbas-project.github.io/lolbas/Binaries/Winget/
- https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
author: Sreeman, Florian Roth (Nextron Systems), frack113
date: 2020-04-21
modified: 2023-04-17
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\winget.exe'
- OriginalFileName: 'winget.exe'
selection_install_flag:
CommandLine|contains:
- 'install'
- ' add ' # https://github.com/microsoft/winget-cli/blob/02d2f93807c9851d73eaacb4d8811a76b64b7b01/src/AppInstallerCLICore/Commands/InstallCommand.h
selection_manifest_flag:
CommandLine|contains:
- '-m '
- '--manifest'
condition: all of selection_*
falsepositives:
- Some false positives are expected in some environment that may use this functionality to install and test their custom applications
level: medium
Convert to SIEM query
medium
Installation of TeamViewer Desktop
TeamViewer_Desktop.exe is create during install
view Sigma YAML
title: Installation of TeamViewer Desktop
id: 9711de76-5d4f-4c50-a94f-21e4e8f8384d
status: test
description: TeamViewer_Desktop.exe is create during install
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-1---teamviewer-files-detected-test-on-windows
author: frack113
date: 2022-01-28
tags:
- attack.command-and-control
- attack.t1219.002
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith: '\TeamViewer_Desktop.exe'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Interactive Bash Suspicious Children
Detects suspicious interactive bash as a parent to rather uncommon child processes
view Sigma YAML
title: Interactive Bash Suspicious Children
id: ea3ecad2-db86-4a89-ad0b-132a10d2db55
status: test
description: Detects suspicious interactive bash as a parent to rather uncommon child processes
references:
- Internal Research
author: Florian Roth (Nextron Systems)
date: 2022-03-14
tags:
- attack.execution
- attack.stealth
- attack.t1059.004
- attack.t1036
logsource:
product: linux
category: process_creation
detection:
selection:
ParentCommandLine: 'bash -i'
anomaly1:
CommandLine|contains:
- '-c import '
- 'base64'
- 'pty.spawn'
anomaly2:
Image|endswith:
- 'whoami'
- 'iptables'
- '/ncat'
- '/nc'
- '/netcat'
condition: selection and 1 of anomaly*
falsepositives:
- Legitimate software that uses these patterns
level: medium
Convert to SIEM query
medium
Interactive Logon to Server Systems
Detects interactive console logons to Server Systems
No stored carbon_black translation for this rule. Expand the YAML below to convert it inline.
view Sigma YAML
title: Interactive Logon to Server Systems
id: 3ff152b2-1388-4984-9cd9-a323323fdadf
status: test
description: Detects interactive console logons to Server Systems
references:
- Internal Research
author: Florian Roth (Nextron Systems)
date: 2017-03-17
modified: 2023-12-15
tags:
- attack.lateral-movement
- attack.initial-access
- attack.persistence
- attack.privilege-escalation
- attack.stealth
- attack.t1078
logsource:
product: windows
service: security
detection:
selection:
EventID:
- 528
- 529
- 4624
- 4625
LogonType: 2
ComputerName|expand:
- '%ServerSystems%'
- '%DomainControllers%'
filter_main_advapi:
LogonProcessName: 'Advapi'
ComputerName|expand: '%Workstations%'
condition: selection and not 1 of filter_main_*
falsepositives:
- Administrative activity via KVM or ILO board
level: medium
Convert to SIEM query
medium
Internet Explorer Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
view Sigma YAML
title: Internet Explorer Autorun Keys Modification
id: a80f662f-022f-4429-9b8c-b1a41aaa6688
related:
- id: 17f878b8-9968-4578-b814-c4217fc5768c
type: obsolete
status: test
description: Detects modification of autostart extensibility point (ASEP) in registry.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2023-08-17
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.001
logsource:
category: registry_set
product: windows
detection:
ie:
TargetObject|contains:
- '\Software\Wow6432Node\Microsoft\Internet Explorer'
- '\Software\Microsoft\Internet Explorer'
ie_details:
TargetObject|contains:
- '\Toolbar'
- '\Extensions'
- '\Explorer Bars'
filter_empty:
Details: '(Empty)'
filter_extensions:
TargetObject|contains:
- '\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}'
- '\Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}'
- '\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}'
- '\Extensions\{A95fe080-8f5d-11d2-a20b-00aa003c157a}'
filter_toolbar:
TargetObject|endswith:
- '\Toolbar\ShellBrowser\ITBar7Layout'
- '\Toolbar\ShowDiscussionButton'
- '\Toolbar\Locked'
condition: ie and ie_details and not 1 of filter_*
falsepositives:
- Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
- Legitimate administrator sets up autorun keys for legitimate reason
level: medium
Convert to SIEM query
medium
Internet Explorer DisableFirstRunCustomize Enabled
Detects changes to the Internet Explorer "DisableFirstRunCustomize" value, which prevents Internet Explorer from running the first run wizard the first time a user starts the browser after installing Internet Explorer or Windows.
view Sigma YAML
title: Internet Explorer DisableFirstRunCustomize Enabled
id: ab567429-1dfb-4674-b6d2-979fd2f9d125
status: test
description: |
Detects changes to the Internet Explorer "DisableFirstRunCustomize" value, which prevents Internet Explorer from running the first run wizard the first time a user starts the browser after installing Internet Explorer or Windows.
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
- https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/
- https://admx.help/?Category=InternetExplorer&Policy=Microsoft.Policies.InternetExplorer::NoFirstRunCustomise
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-16
modified: 2025-10-07
tags:
- attack.defense-impairment
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|endswith: '\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize'
Details:
- 'DWORD (0x00000001)' # Home Page
- 'DWORD (0x00000002)' # Welcome To IE
filter_main_generic:
Image:
- 'C:\Windows\explorer.exe'
- 'C:\Windows\System32\ie4uinit.exe'
filter_optional_avira:
Image|contains|all:
- '\Temp\'
- '\.cr\avira_'
Details|contains: 'DWORD (0x00000001)'
filter_optional_foxit:
Image:
- 'C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe'
- 'C:\Program Files\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe'
Details|contains: 'DWORD (0x00000001)'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- As this is controlled by group policy as well as user settings. Some false positives may occur.
level: medium
Convert to SIEM query
medium
Invocation Of Crypto-Classes From The "Cryptography" PowerShell Namespace
Detects the invocation of PowerShell commands with references to classes from the "System.Security.Cryptography" namespace.
The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly encryption and decryption.
These can be used for example in decrypting malicious payload for defense evasion.
view Sigma YAML
title: Invocation Of Crypto-Classes From The "Cryptography" PowerShell Namespace
id: ad856965-f44d-42a8-945e-bbf7bd03d05a
status: test
description: |
Detects the invocation of PowerShell commands with references to classes from the "System.Security.Cryptography" namespace.
The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly encryption and decryption.
These can be used for example in decrypting malicious payload for defense evasion.
references:
- https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography?view=net-8.0
- https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html
- https://www.virustotal.com/gui/file/39102fb7bb6a74a9c8cb6d46419f9015b381199ea8524c1376672b30fffd69d2
author: Andreas Braathen (mnemonic.io)
date: 2023-12-01
tags:
- attack.execution
- attack.stealth
- attack.t1059.001
- attack.t1027.010
- detection.threat-hunting
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_cmdlet_namespace:
CommandLine|contains: 'System.Security.Cryptography.'
selection_cmdlet_classes:
CommandLine|contains:
- '.AesCryptoServiceProvider'
- '.DESCryptoServiceProvider'
- '.DSACryptoServiceProvider'
- '.RC2CryptoServiceProvider'
- '.Rijndael'
- '.RSACryptoServiceProvider'
- '.TripleDESCryptoServiceProvider'
condition: all of selection_*
falsepositives:
- Classes are legitimately used, but less so when e.g. parents with low prevalence or decryption of content in temporary folders.
level: medium
Convert to SIEM query
Showing 451-500 of 1,492