
VMware Carbon Black

1,492 rules · Sigma detections in VMware Carbon Black syntax
The same Sigma detection corpus, machine-rendered into VMware Carbon Black query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.

Detection rules

50 shown of 1,492
medium
New BgInfo.EXE Custom DB Path Registry Configuration
Detects setting of a new registry database value related to BgInfo configuration. Attackers can for example set this value to save the results of the commands executed by BgInfo in order to exfiltrate information.
status: test · author: Nasreddine Bencherchali (Nextron Systems) · id: 53330955-dc52-487f-a3a2-da24dcff99b5
carbon_black query
TargetObject:\\Software\\Winternals\\BGInfo\\Database
view Sigma YAML
title: New BgInfo.EXE Custom DB Path Registry Configuration
id: 53330955-dc52-487f-a3a2-da24dcff99b5
status: test
description: Detects setting of a new registry database value related to BgInfo configuration. Attackers can for example set this value to save the results of the commands executed by BgInfo in order to exfiltrate information.
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-16
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Software\Winternals\BGInfo\Database'
    condition: selection
falsepositives:
    - Legitimate use of external DB to save the results
level: medium
medium
New BgInfo.EXE Custom VBScript Registry Configuration
Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom VBScript via "BgInfo.exe"
status: test · author: Nasreddine Bencherchali (Nextron Systems) · id: 992dd79f-dde8-4bb0-9085-6350ba97cfb3
carbon_black query
TargetObject:\\Software\\Winternals\\BGInfo\\UserFields\\* Details:4*
view Sigma YAML
title: New BgInfo.EXE Custom VBScript Registry Configuration
id: 992dd79f-dde8-4bb0-9085-6350ba97cfb3
related:
    - id: cd277474-5c52-4423-a52b-ac2d7969902f
      type: similar
status: test
description: Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom VBScript via "BgInfo.exe"
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-16
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\Software\Winternals\BGInfo\UserFields\'
        Details|startswith: '4' # VBScript
    condition: selection
falsepositives:
    - Legitimate VBScript
level: medium
medium
New BgInfo.EXE Custom WMI Query Registry Configuration
Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom WMI query via "BgInfo.exe"
status: test · author: Nasreddine Bencherchali (Nextron Systems) · id: cd277474-5c52-4423-a52b-ac2d7969902f
carbon_black query
TargetObject:\\Software\\Winternals\\BGInfo\\UserFields\\* Details:6*
view Sigma YAML
title: New BgInfo.EXE Custom WMI Query Registry Configuration
id: cd277474-5c52-4423-a52b-ac2d7969902f
related:
    - id: 992dd79f-dde8-4bb0-9085-6350ba97cfb3
      type: similar
status: test
description: Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom WMI query via "BgInfo.exe"
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-16
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\Software\Winternals\BGInfo\UserFields\'
        Details|startswith: '6' # WMI
    condition: selection
falsepositives:
    - Legitimate WMI query
level: medium
medium
New CA Policy by Non-approved Actor
Monitor and alert on conditional access changes.
status: test · author: Corissa Koopmans, '@corissalea' · id: 0922467f-db53-4348-b7bf-dee8d0d348c6
carbon_black query
"properties.message":Add\ conditional\ access\ policy
view Sigma YAML
title: New CA Policy by Non-approved Actor
id: 0922467f-db53-4348-b7bf-dee8d0d348c6
status: test
description: Monitor and alert on conditional access changes.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure
author: Corissa Koopmans, '@corissalea'
date: 2022-07-18
tags:
    - attack.privilege-escalation
    - attack.t1548
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        properties.message: Add conditional access policy
    condition: selection
falsepositives:
    - Misconfigured role permissions
    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
level: medium
medium
New Capture Session Launched Via DXCap.EXE
Detects the execution of "DXCap.EXE" with the "-c" flag, which allows a user to launch any arbitrary binary or Windows package through DXCap itself. This can be abused to potentially bypass application whitelisting.
status: test · author: Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems) · id: 60f16a96-db70-42eb-8f76-16763e333590
carbon_black query
(Image:\\DXCap.exe OR OriginalFileName:DXCap.exe) CommandLine:\ \-c\ *
view Sigma YAML
title: New Capture Session Launched Via DXCap.EXE
id: 60f16a96-db70-42eb-8f76-16763e333590
status: test
description: |
    Detects the execution of "DXCap.EXE" with the "-c" flag, which allows a user to launch any arbitrary binary or Windows package through DXCap itself. This can be abused to potentially bypass application whitelisting.
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dxcap/
    - https://twitter.com/harr0ey/status/992008180904419328
author: Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2019-10-26
modified: 2022-06-09
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\DXCap.exe'
        - OriginalFileName: 'DXCap.exe'
    selection_cli:
        CommandLine|contains: ' -c ' # The ".exe" is not required to run the binary
    condition: all of selection*
falsepositives:
    - Legitimate execution of dxcap.exe by legitimate user
level: medium
medium
New Custom Shim Database Created
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.
status: test · author: frack113, Nasreddine Bencherchali (Nextron Systems) · id: ee63c85c-6d51-4d12-ad09-04e25877a947
carbon_black query
TargetFilename:\:\\Windows\\apppatch\\Custom\\* OR TargetFilename:\:\\Windows\\apppatch\\CustomSDB\\*
view Sigma YAML
title: New Custom Shim Database Created
id: ee63c85c-6d51-4d12-ad09-04e25877a947
status: test
description: |
    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.
    The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-2---new-shim-database-files-created-in-the-default-shim-database-directory
    - https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence
    - https://liberty-shell.com/sec/2020/02/25/shim-persistence/
    - https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2021-12-29
modified: 2023-12-06
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.009
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains:
            - ':\Windows\apppatch\Custom\'
            - ':\Windows\apppatch\CustomSDB\'
    condition: selection
falsepositives:
    - Legitimate custom SHIM installations will also trigger this rule
level: medium
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_creation_new_shim_database/info.yml
medium
New DLL Added to AppCertDlls Registry Key
Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.
status: test · author: Ilyas Ochkov, oscd.community · id: 6aa1d992-5925-4e9f-a49b-845e51d1de01
carbon_black query
TargetObject:HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session\ Manager\\AppCertDlls OR NewName:HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session\ Manager\\AppCertDlls
view Sigma YAML
title: New DLL Added to AppCertDlls Registry Key
id: 6aa1d992-5925-4e9f-a49b-845e51d1de01
status: test
description: |
  Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation
  by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.
references:
    - http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
    - https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html
author: Ilyas Ochkov, oscd.community
date: 2019-10-25
modified: 2021-11-27
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.009
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        # Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one
        - TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'
        # key rename
        - NewName: 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
New DLL Added to AppInit_DLLs Registry Key
DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll
status: test · author: Ilyas Ochkov, oscd.community, Tim Shelton · id: 4f84b697-c9ed-4420-8ab5-e09af5b2345d
carbon_black query
((TargetObject:\\SOFTWARE\\Microsoft\\Windows\ NT\\CurrentVersion\\Windows\\AppInit_Dlls OR TargetObject:\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\ NT\\CurrentVersion\\Windows\\AppInit_Dlls) OR (NewName:\\SOFTWARE\\Microsoft\\Windows\ NT\\CurrentVersion\\Windows\\AppInit_Dlls OR NewName:\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\ NT\\CurrentVersion\\Windows\\AppInit_Dlls)) (-Details:\(Empty\))
view Sigma YAML
title: New DLL Added to AppInit_DLLs Registry Key
id: 4f84b697-c9ed-4420-8ab5-e09af5b2345d
status: test
description: DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll
references:
    - https://eqllib.readthedocs.io/en/latest/analytics/822dc4c5-b355-4df8-bd37-29c458997b8f.html
author: Ilyas Ochkov, oscd.community, Tim Shelton
date: 2019-10-25
modified: 2022-12-25
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.010
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        - TargetObject|endswith:
              - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
              - '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
        # Key Rename
        - NewName|endswith:
              - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
              - '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
    filter:
        Details: '(Empty)'
    condition: selection and not filter
falsepositives:
    - Unknown
level: medium
medium
New DLL Registered Via Odbcconf.EXE
Detects execution of "odbcconf" with "REGSVR" in order to register a new DLL (equivalent to running regsvr32). Attackers abuse this to install and run malicious DLLs.
status: test · author: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine Bencherchali (Nextron Systems) · id: 9f0a8bf3-a65b-440a-8c1e-5cb1547c8e70
carbon_black query
(Image:\\odbcconf.exe OR OriginalFileName:odbcconf.exe) (CommandLine:REGSVR\ * CommandLine:.dll*)
view Sigma YAML
title: New DLL Registered Via Odbcconf.EXE
id: 9f0a8bf3-a65b-440a-8c1e-5cb1547c8e70
related:
    - id: ba4cfc11-d0fa-4d94-bf20-7c332c412e76
      type: similar
status: test
description: Detects execution of "odbcconf" with "REGSVR" in order to register a new DLL (equivalent to running regsvr32). Attackers abuse this to install and run malicious DLLs.
references:
    - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16
    - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/
    - https://redcanary.com/blog/raspberry-robin/
    - https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176
    - https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
    - https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html
author: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-22
tags:
    - attack.stealth
    - attack.t1218.008
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\odbcconf.exe'
        - OriginalFileName: 'odbcconf.exe'
    selection_cli:
        # Note: The "/A" flag is not required to call a specific action
        CommandLine|contains|all:
            - 'REGSVR '
            - '.dll'
    condition: all of selection_*
falsepositives:
    - Legitimate DLLs being registered via "odbcconf" will generate false positives. Investigate the path of the DLL and its content to determine if the action is authorized.
level: medium
medium
New DMSA Service Account Created in Specific OUs
Detects the creation of a dMSASvc account using the New-ADServiceAccount cmdlet in certain OUs. The fact that the Cmdlet is used to create a dMSASvc account in a specific OU is highly suspicious. It is a pattern trying to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025. On top of that, if the user that is creating the dMSASvc account is not a legitimate administrator or does not have the necessary permissions, it is a strong signal of an attempted or successful abuse of the BadSuccessor vulnerability for privilege escalation within the Windows Server 2025 Active Directory environment.
status: experimental · author: Swachchhanda Shrawan Poudel (Nextron Systems) · id: 0ea8db81-2ff6-4525-9448-33bbe7effc13
carbon_black query
((Image:\\powershell.exe OR Image:\\pwsh.exe OR Image:\\powershell_ise.exe) OR (OriginalFileName:powershell.exe OR OriginalFileName:pwsh.dll OR OriginalFileName:powershell_ise.exe)) (CommandLine:New\-ADServiceAccount* CommandLine:\-CreateDelegatedServiceAccount* CommandLine:\-path*)
view Sigma YAML
title: New DMSA Service Account Created in Specific OUs
id: 0ea8db81-2ff6-4525-9448-33bbe7effc13
related:
    - id: e15bc294-ae2a-45ad-b7d6-637b33868bde # Windows Security Creation of New MsDS-DelegatedManagedServiceAccount (DMSA) Object
      type: similar
    - id: 02122374-b74e-495c-b285-9e4da973f3d6 # ScriptBlockText Detection
      type: similar
status: experimental
description: |
    Detects the creation of a dMSASvc account using the New-ADServiceAccount cmdlet in certain OUs.
    The fact that the Cmdlet is used to create a dMSASvc account in a specific OU is highly suspicious.
    It is a pattern trying to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025.
    On top of that, if the user that is creating the dMSASvc account is not a legitimate administrator or does not have the necessary permissions,
    it is a strong signal of an attempted or successful abuse of the BadSuccessor vulnerability for privilege escalation within the Windows Server 2025 Active Directory environment.
references:
    - https://www.akamai.com/blog/security-research/abusing-bad-successor-for-privilege-escalation-in-active-directory
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-05-24
tags:
    - attack.privilege-escalation
    - attack.initial-access
    - attack.persistence
    - attack.stealth
    - attack.t1078.002
    - attack.t1098
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\powershell_ise.exe'
        - OriginalFileName:
              - 'powershell.exe'
              - 'pwsh.dll'
              - 'powershell_ise.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'New-ADServiceAccount'
            - '-CreateDelegatedServiceAccount'
            - '-path'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
New Federated Domain Added
Detects the addition of a new Federated Domain.
status: test · author: Splunk Threat Research Team (original rule), Harjot Singh @cyb3rjy0t (sigma rule) · id: 58f88172-a73d-442b-94c9-95eaed3cbb36
carbon_black query
Operation:domain* (Operation:add* OR Operation:new*)
view Sigma YAML
title: New Federated Domain Added
id: 58f88172-a73d-442b-94c9-95eaed3cbb36
related:
    - id: 42127bdd-9133-474f-a6f1-97b6c08a4339
      type: similar
status: test
description: Detects the addition of a new Federated Domain.
references:
    - https://research.splunk.com/cloud/e155876a-6048-11eb-ae93-0242ac130002/
    - https://o365blog.com/post/aadbackdoor/
author: Splunk Threat Research Team (original rule), Harjot Singh @cyb3rjy0t (sigma rule)
date: 2023-09-18
tags:
    - attack.privilege-escalation
    - attack.defense-impairment
    - attack.t1484.002
logsource:
    service: audit
    product: m365
detection:
    selection_domain:
        Operation|contains: 'domain'
    selection_operation:
        Operation|contains:
            - 'add'
            - 'new'
    condition: all of selection_*
falsepositives:
    - The creation of a new Federated domain is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a similar or different cloud provider.
level: medium
medium
New Federated Domain Added - Exchange
Detects the addition of a new Federated Domain.
status: test · author: Splunk Threat Research Team (original rule), '@ionsor (rule)' · id: 42127bdd-9133-474f-a6f1-97b6c08a4339
carbon_black query
eventSource:Exchange eventName:Add\-FederatedDomain status:success
view Sigma YAML
title: New Federated Domain Added - Exchange
id: 42127bdd-9133-474f-a6f1-97b6c08a4339
related:
    - id: 58f88172-a73d-442b-94c9-95eaed3cbb36
      type: similar
status: test
description: Detects the addition of a new Federated Domain.
references:
    - https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf
    - https://us-cert.cisa.gov/ncas/alerts/aa21-008a
    - https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html
    - https://www.sygnia.co/golden-saml-advisory
    - https://o365blog.com/post/aadbackdoor/
author: Splunk Threat Research Team (original rule), '@ionsor (rule)'
date: 2022-02-08
tags:
    - attack.persistence
    - attack.t1136.003
logsource:
    service: exchange
    product: m365
detection:
    selection:
        eventSource: Exchange
        eventName: 'Add-FederatedDomain'
        status: success
    condition: selection
falsepositives:
    - The creation of a new Federated domain is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a similar or different cloud provider.
level: medium
medium
New File Exclusion Added To Time Machine Via Tmutil - MacOS
Detects the addition of a new file or path exclusion to MacOS Time Machine via the "tmutil" utility. An adversary could exclude a path from Time Machine backups to prevent certain files from being backed up.
status: test · author: Pratinav Chandra · id: 9acf45ed-3a26-4062-bf08-56857613eb52
carbon_black query
(Image:\/tmutil OR CommandLine:tmutil*) CommandLine:addexclusion*
view Sigma YAML
title: New File Exclusion Added To Time Machine Via Tmutil - MacOS
id: 9acf45ed-3a26-4062-bf08-56857613eb52
status: test
description: |
    Detects the addition of a new file or path exclusion to MacOS Time Machine via the "tmutil" utility.
    An adversary could exclude a path from Time Machine backups to prevent certain files from being backed up.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine
    - https://www.loobins.io/binaries/tmutil/
author: Pratinav Chandra
date: 2024-05-29
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: process_creation
    product: macos
detection:
    selection_img:
        - Image|endswith: '/tmutil'
        - CommandLine|contains: 'tmutil'
    selection_cmd:
        CommandLine|contains: 'addexclusion'
    condition: all of selection_*
falsepositives:
    - Legitimate administrator activity
level: medium
medium
New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE
Detects the addition of a new "Allow" firewall rule by the WMI process (WmiPrvSE.EXE). This can occur if an attacker leverages PowerShell cmdlets such as "New-NetFirewallRule", or directly uses WMI CIM classes such as "MSFT_NetFirewallRule".
status: test · author: frack113, Nasreddine Bencherchali (Nextron Systems) · id: eca81e8d-09e1-4d04-8614-c91f44fd0519
carbon_black query
(EventID:2004 OR EventID:2071 OR EventID:2097) Action:3 ModifyingApplication:\:\\Windows\\System32\\wbem\\WmiPrvSE.exe
view Sigma YAML
title: New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE
id: eca81e8d-09e1-4d04-8614-c91f44fd0519
status: test
description: |
    Detects the addition of a new "Allow" firewall rule by the WMI process (WmiPrvSE.EXE).
    This can occur if an attacker leverages PowerShell cmdlets such as "New-NetFirewallRule", or directly uses WMI CIM classes such as "MSFT_NetFirewallRule".
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule
    - https://malware.news/t/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/72170
    - https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2024-05-10
tags:
    - attack.defense-impairment
    - attack.t1686.003
logsource:
    product: windows
    service: firewall-as
detection:
    selection:
        EventID:
            - 2004 # A rule has been added to the Windows Defender Firewall exception list
            - 2071 # A rule has been added to the Windows Defender Firewall exception list. (Windows 11)
            - 2097
        Action: 3 # Allow
        ModifyingApplication|endswith: ':\Windows\System32\wbem\WmiPrvSE.exe'
    condition: selection
falsepositives:
    - Administrator scripts or activity.
level: medium
medium
New Firewall Rule Added Via Netsh.EXE
Detects the addition of a new rule to the Windows firewall via netsh
status: test · author: Markus Neis, Sander Wiebing · id: cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c
carbon_black query
((Image:\\netsh.exe OR OriginalFileName:netsh.exe) (CommandLine:\ firewall\ * CommandLine:\ add\ *)) (-(CommandLine:advfirewall\ firewall\ add\ rule\ name=Dropbox\ dir=in\ action=allow\ \"program=*\:\\Program\ Files\ \(x86\)\\Dropbox\\Client\\Dropbox.exe\"\ enable=yes\ profile=Any* OR CommandLine:advfirewall\ firewall\ add\ rule\ name=Dropbox\ dir=in\ action=allow\ \"program=*\:\\Program\ Files\\Dropbox\\Client\\Dropbox.exe\"\ enable=yes\ profile=Any*))
view Sigma YAML
title: New Firewall Rule Added Via Netsh.EXE
id: cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c
status: test
description: Detects the addition of a new rule to the Windows firewall via netsh
references:
    - https://web.archive.org/web/20190508165435/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf
author: Markus Neis, Sander Wiebing
date: 2019-01-29
modified: 2023-02-10
tags:
    - attack.defense-impairment
    - attack.t1686.003
    - attack.s0246
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\netsh.exe'
        - OriginalFileName: 'netsh.exe'
    selection_cli:
        CommandLine|contains|all:
            - ' firewall '
            - ' add '
    filter_optional_dropbox:
        CommandLine|contains:
            - 'advfirewall firewall add rule name=Dropbox dir=in action=allow "program=?:\Program Files (x86)\Dropbox\Client\Dropbox.exe" enable=yes profile=Any'
            - 'advfirewall firewall add rule name=Dropbox dir=in action=allow "program=?:\Program Files\Dropbox\Client\Dropbox.exe" enable=yes profile=Any'
    condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate administration activity
    - Software installations
level: medium
medium
New Generic Credentials Added Via Cmdkey.EXE
Detects usage of "cmdkey.exe" to add generic credentials. As an example, this can be used before connecting to an RDP session via command line interface.
status: test · author: frack113, Nasreddine Bencherchali (Nextron Systems) · id: b1ec66c6-f4d1-4b5c-96dd-af28ccae7727
carbon_black query
(Image:\\cmdkey.exe OR OriginalFileName:cmdkey.exe) (CommandLine:\ \-g* OR CommandLine:\ \/g* OR CommandLine:\ –g* OR CommandLine:\ —g* OR CommandLine:\ ―g*) (CommandLine:\ \-u* OR CommandLine:\ \/u* OR CommandLine:\ –u* OR CommandLine:\ —u* OR CommandLine:\ ―u*) (CommandLine:\ \-p* OR CommandLine:\ \/p* OR CommandLine:\ –p* OR CommandLine:\ —p* OR CommandLine:\ ―p*)
view Sigma YAML
title: New Generic Credentials Added Via Cmdkey.EXE
id: b1ec66c6-f4d1-4b5c-96dd-af28ccae7727
status: test
description: |
    Detects usage of "cmdkey.exe" to add generic credentials.
    As an example, this can be used before connecting to an RDP session via command line interface.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-03
modified: 2024-03-05
tags:
    - attack.credential-access
    - attack.t1003.005
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\cmdkey.exe'
        - OriginalFileName: 'cmdkey.exe'
    selection_cli_generic:
        CommandLine|contains|windash: ' -g' # Generic
    selection_cli_user:
        CommandLine|contains|windash: ' -u' # User
    selection_cli_password:
        CommandLine|contains|windash: ' -p' # Password
    condition: all of selection_*
falsepositives:
    - Legitimate usage for administration purposes
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds/info.yml
simulation:
    - type: atomic-red-team
      name: RDP to DomainController
      technique: T1021.001
      atomic_guid: 355d4632-8cb9-449d-91ce-b566d0253d3e
medium
New Kernel Driver Via SC.EXE
Detects creation of a new service (kernel driver) with the type "kernel"
status: test · author: Nasreddine Bencherchali (Nextron Systems) · id: 431a1fdb-4799-4f3b-91c3-a683b003fc49
carbon_black query
(Image:\\sc.exe (CommandLine:create* OR CommandLine:config*) (CommandLine:binPath* CommandLine:type* CommandLine:kernel*)) (-((CommandLine:create\ netprotection_network_filter* CommandLine:type=\ kernel\ start=\ * CommandLine:binPath=\ System32\\drivers\\netprotection_network_filter* CommandLine:DisplayName=\ netprotection_network_filter* CommandLine:group=\ PNP_TDI\ tag=\ yes*) OR (CommandLine:create\ avelam\ binpath=C\:\\Windows\\system32\\drivers\\avelam.sys* CommandLine:type=kernel\ start=boot\ error=critical\ group=Early\-Launch*)))
view Sigma YAML
title: New Kernel Driver Via SC.EXE
id: 431a1fdb-4799-4f3b-91c3-a683b003fc49
status: test
description: Detects creation of a new service (kernel driver) with the type "kernel"
references:
    - https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-14
modified: 2025-10-07
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1543.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\sc.exe'
        CommandLine|contains:
            - 'create'
            - 'config'
        CommandLine|contains|all:
            - 'binPath'
            - 'type'
            - 'kernel'
    filter_optional_avira_driver:
        - CommandLine|contains|all:
              - 'create netprotection_network_filter'
              - 'type= kernel start= '
              - 'binPath= System32\drivers\netprotection_network_filter'
              - 'DisplayName= netprotection_network_filter'
              - 'group= PNP_TDI tag= yes'
        - CommandLine|contains|all:
              - 'create avelam binpath=C:\Windows\system32\drivers\avelam.sys'
              - 'type=kernel start=boot error=critical group=Early-Launch'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Rare legitimate installation of kernel drivers via sc.exe
level: medium
medium
New Module Added To IIS Server
Detects the addition of a new module to an IIS server.
status: test · author: frack113 · id: dd857d3e-0c6e-457b-9b48-e82ae7f86bd7
carbon_black query
(EventID:29 Configuration:\/system.webServer\/modules\/add*) (-((NewValue:AnonymousAuthenticationModule OR NewValue:CustomErrorModule OR NewValue:DefaultDocumentModule OR NewValue:DirectoryListingModule OR NewValue:FileCacheModule OR NewValue:HttpCacheModule OR NewValue:HttpLoggingModule OR NewValue:ProtocolSupportModule OR NewValue:RequestFilteringModule OR NewValue:StaticCompressionModule OR NewValue:StaticFileModule OR NewValue:TokenCacheModule OR NewValue:UriCacheModule) OR NewValue:))
view Sigma YAML
title: New Module Added To IIS Server
id: dd857d3e-0c6e-457b-9b48-e82ae7f86bd7
status: test
description: Detects the addition of a new module to an IIS server.
references:
    - https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis
    - https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/
    - https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
    - https://learn.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview
author: frack113
date: 2024-10-06
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1685.001
    - attack.t1505.004
logsource:
    product: windows
    service: iis-configuration
detection:
    selection:
        EventID: 29
        Configuration|contains: '/system.webServer/modules/add'
    filter_main_builtin:
        NewValue:
            - 'AnonymousAuthenticationModule'
            - 'CustomErrorModule'
            - 'DefaultDocumentModule'
            - 'DirectoryListingModule'
            - 'FileCacheModule'
            - 'HttpCacheModule'
            - 'HttpLoggingModule'
            - 'ProtocolSupportModule'
            - 'RequestFilteringModule'
            - 'StaticCompressionModule'
            - 'StaticFileModule'
            - 'TokenCacheModule'
            - 'UriCacheModule'
    filter_main_remove:
        NewValue: ''
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate administrator activity
level: medium
medium
New MsDS-DelegatedManagedServiceAccount (DMSA) Object Created
Detects the creation of new msDS-DelegatedManagedServiceAccount objects, which could indicate potential abuse of privilege escalation vulnerabilities in Windows Server 2025. The msDS-DelegatedManagedServiceAccount (DMSA) is a new object class introduced in Windows Server 2025 that allows administrators to delegate the management of service accounts to other users or groups. Attackers may exploit this feature to create unauthorized service accounts with elevated privileges, leading to privilege escalation within the Active Directory environment. It is highly suspicious if an msDS-DelegatedManagedServiceAccount object is created without proper authorization or in an unexpected context, such as by a non-administrative user or outside of normal administrative workflows. So, it's a good idea to look out for accounts that are not typically responsible for service account creation to detect potential abuse of this feature.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) id e15bc294-ae2a-45ad-b7d6-637b33868bde
No stored carbon_black translation for this rule.
view Sigma YAML
title: New MsDS-DelegatedManagedServiceAccount (DMSA) Object Created
id: e15bc294-ae2a-45ad-b7d6-637b33868bde
related:
    - id: 02122374-b74e-495c-b285-9e4da973f3d6
      type: similar
    - id: 0ea8db81-2ff6-4525-9448-33bbe7effc13
      type: similar
status: experimental
description: |
    Detects the creation of new msDS-DelegatedManagedServiceAccount objects, which could indicate potential abuse of privilege escalation vulnerabilities in Windows Server 2025.
    The msDS-DelegatedManagedServiceAccount (DMSA) is a new object class introduced in Windows Server 2025 that allows administrators to delegate the management of service accounts to other users or groups.
    Attackers may exploit this feature to create unauthorized service accounts with elevated privileges, leading to privilege escalation within the Active Directory environment.
    It is highly suspicious if an msDS-DelegatedManagedServiceAccount object is created without proper authorization or in an unexpected context, such as by a non-administrative user or outside of normal administrative workflows.
    So, it's a good idea to look out for accounts that are not typically responsible for service account creation to detect potential abuse of this feature.
references:
    - https://www.akamai.com/blog/security-research/abusing-dmsa-for-privilege-escalation-in-active-directory
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-05-24
tags:
    - attack.privilege-escalation
    - attack.initial-access
    - attack.persistence
    - attack.stealth
    - attack.t1078.002
    - attack.t1098
logsource:
    product: windows
    service: security
    definition: 'Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit User Account Management, DS Access > Audit Directory Service Changes, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\DS Access\Audit Directory Service Changes'
detection:
    selection:
        EventID: 5137
        ObjectClass: 'msDS-DelegatedManagedServiceAccount'
    filter_main_legitimate_accounts:
        # Exclude modifications made by the system or legitimate administrative accounts
        - SubjectAccountName: 'SYSTEM'
        - SubjectAccountName|expand: '%Administrators%' # Add all members of the Administrators group to this placeholder
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
# The level is set to medium because while this is a significant event, it may not always indicate malicious activity. It requires further investigation to determine the context and intent behind the modification.
level: medium
medium
New Network Route Added
Detects the addition of a new network route to a route table in AWS.
status test author jamesc-grafana id c803b2ce-c4a2-4836-beae-b112010390b1
carbon_black query
eventSource:ec2.amazonaws.com eventName:CreateRoute
view Sigma YAML
title: New Network Route Added
id: c803b2ce-c4a2-4836-beae-b112010390b1
status: test
description: |
    Detects the addition of a new network route to a route table in AWS.
references:
    - https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/
author: jamesc-grafana
date: 2024-07-11
tags:
    - attack.defense-impairment
    - attack.t1686.001
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 'ec2.amazonaws.com'
        eventName: 'CreateRoute'
    condition: selection
falsepositives:
    - New VPC Creation requiring setup of a new route table
    - New subnets added requiring routing setup
level: medium
medium
New Network Trace Capture Started Via Netsh.EXE
Detects the execution of netsh with the "trace" flag in order to start a network capture
status test author Kutepov Anton, oscd.community id d3c3861d-c504-4c77-ba55-224ba82d0118
carbon_black query
(Image:\\netsh.exe OR OriginalFileName:netsh.exe) (CommandLine:trace* CommandLine:start*)
view Sigma YAML
title: New Network Trace Capture Started Via Netsh.EXE
id: d3c3861d-c504-4c77-ba55-224ba82d0118
status: test
description: Detects the execution of netsh with the "trace" flag in order to start a network capture
references:
    - https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/
    - https://klausjochem.me/2016/02/03/netsh-the-cyber-attackers-tool-of-choice/
author: Kutepov Anton, oscd.community
date: 2019-10-24
modified: 2023-02-13
tags:
    - attack.discovery
    - attack.credential-access
    - attack.t1040
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\netsh.exe'
        - OriginalFileName: 'netsh.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'trace'
            - 'start'
    condition: all of selection_*
falsepositives:
    - Legitimate administration activity
level: medium
medium
New Outlook Macro Created
Detects the creation of a macro file for Outlook.
status test author @ScoubiMtl id 8c31f563-f9a7-450c-bfa8-35f8f32f1f61
carbon_black query
Image:\\outlook.exe TargetFilename:\\Microsoft\\Outlook\\VbaProject.OTM
view Sigma YAML
title: New Outlook Macro Created
id: 8c31f563-f9a7-450c-bfa8-35f8f32f1f61
related:
    - id: 117d3d3a-755c-4a61-b23e-9171146d094c
      type: derived
status: test
description: Detects the creation of a macro file for Outlook.
references:
    - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
author: '@ScoubiMtl'
date: 2021-04-05
modified: 2023-02-08
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.command-and-control
    - attack.t1137
    - attack.t1008
    - attack.t1546
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith: '\outlook.exe'
        TargetFilename|endswith: '\Microsoft\Outlook\VbaProject.OTM'
    condition: selection
falsepositives:
    - User genuinely creates a VB Macro for their email
level: medium
medium
New PDQDeploy Service - Client Side
Detects PDQDeploy service installation on the target system. When a package is deployed via PDQDeploy it installs a remote service on the target machine with the name "PDQDeployRunner-X" where "X" is an integer starting from 1
status test author Nasreddine Bencherchali (Nextron Systems) id b98a10af-1e1e-44a7-bab2-4cc026917648
carbon_black query
(Provider_Name:Service\ Control\ Manager EventID:7045) (ImagePath:PDQDeployRunner\-* OR ServiceName:PDQDeployRunner\-*)
view Sigma YAML
title: New PDQDeploy Service - Client Side
id: b98a10af-1e1e-44a7-bab2-4cc026917648
status: test
description: |
    Detects PDQDeploy service installation on the target system.
    When a package is deployed via PDQDeploy it installs a remote service on the target machine with the name "PDQDeployRunner-X" where "X" is an integer starting from 1
references:
    - https://documentation.pdq.com/PDQDeploy/13.0.3.0/index.html?windows-services.htm
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-22
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1543.003
logsource:
    product: windows
    service: system
detection:
    selection_root:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection_service:
        - ImagePath|contains: 'PDQDeployRunner-'
        - ServiceName|startswith: 'PDQDeployRunner-'
    condition: all of selection_*
falsepositives:
    - Legitimate use of the tool
level: medium
medium
New PDQDeploy Service - Server Side
Detects a PDQDeploy service installation which indicates that PDQDeploy was installed on the machines. PDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines
status test author Nasreddine Bencherchali (Nextron Systems) id ee9ca27c-9bd7-4cee-9b01-6e906be7cae3
carbon_black query
(Provider_Name:Service\ Control\ Manager EventID:7045) (ImagePath:PDQDeployService.exe* OR (ServiceName:PDQDeploy OR ServiceName:PDQ\ Deploy))
view Sigma YAML
title: New PDQDeploy Service - Server Side
id: ee9ca27c-9bd7-4cee-9b01-6e906be7cae3
status: test
description: |
    Detects a PDQDeploy service installation which indicates that PDQDeploy was installed on the machines.
    PDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines
references:
    - https://documentation.pdq.com/PDQDeploy/13.0.3.0/index.html?windows-services.htm
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-22
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1543.003
logsource:
    product: windows
    service: system
detection:
    selection_root:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection_service:
        - ImagePath|contains: 'PDQDeployService.exe'
        - ServiceName:
              - 'PDQDeploy'
              - 'PDQ Deploy'
    condition: all of selection_*
falsepositives:
    - Legitimate use of the tool
level: medium
medium
New Port Forwarding Rule Added Via Netsh.EXE
Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule
status test author Florian Roth (Nextron Systems), omkar72, oscd.community, Swachchhanda Shrawan Poudel id 322ed9ec-fcab-4f67-9a34-e7c6aef43614
carbon_black query
(Image:\\netsh.exe OR OriginalFileName:netsh.exe) ((CommandLine:interface* CommandLine:portproxy* CommandLine:add* CommandLine:v4tov4*) OR (CommandLine:i\ * CommandLine:p\ * CommandLine:a\ * CommandLine:v\ *) OR (CommandLine:connectp* CommandLine:listena* CommandLine:c=*))
view Sigma YAML
title: New Port Forwarding Rule Added Via Netsh.EXE
id: 322ed9ec-fcab-4f67-9a34-e7c6aef43614
status: test
description: Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule
references:
    - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
    - https://adepts.of0x.cc/netsh-portproxy-code/
    - https://www.dfirnotes.net/portproxy_detection/
author: Florian Roth (Nextron Systems), omkar72, oscd.community, Swachchhanda Shrawan Poudel
date: 2019-01-29
modified: 2023-09-01
tags:
    - attack.lateral-movement
    - attack.command-and-control
    - attack.t1090
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\netsh.exe'
        - OriginalFileName: 'netsh.exe'
    selection_cli_1:
        CommandLine|contains|all:
            - 'interface'
            - 'portproxy'
            - 'add'
            - 'v4tov4'
    selection_cli_2:
        CommandLine|contains|all:
            # Example: netsh I p a v l=8001 listena=127.0.0.1 connectp=80 c=192.168.1.1
            - 'i ' # interface
            - 'p ' # portproxy
            - 'a ' # add
            - 'v ' # v4tov4
    selection_cli_3:
        CommandLine|contains|all:
            - 'connectp'
            - 'listena'
            - 'c='
    condition: selection_img and 1 of selection_cli_*
falsepositives:
    - Legitimate administration activity
    - WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723)
level: medium
medium
New PortProxy Registry Entry Added
Detects the modification of the PortProxy registry key which is used for port forwarding.
status test author Andreas Hunkeler (@Karneades) id a54f842a-3713-4b45-8c84-5f136fdebd3c
carbon_black query
TargetObject:\\Services\\PortProxy\\v4tov4\\tcp\\*
view Sigma YAML
title: New PortProxy Registry Entry Added
id: a54f842a-3713-4b45-8c84-5f136fdebd3c
status: test
description: Detects the modification of the PortProxy registry key which is used for port forwarding.
references:
    - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
    - https://adepts.of0x.cc/netsh-portproxy-code/
    - https://www.dfirnotes.net/portproxy_detection/
author: Andreas Hunkeler (@Karneades)
date: 2021-06-22
modified: 2024-03-25
tags:
    - attack.lateral-movement
    - attack.command-and-control
    - attack.t1090
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        # Example: HKLM\System\CurrentControlSet\Services\PortProxy\v4tov4\tcp\0.0.0.0/1337
        TargetObject|contains: '\Services\PortProxy\v4tov4\tcp\'
    condition: selection
falsepositives:
    - WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723)
    - Synergy Software KVM (https://symless.com/synergy)
level: medium
medium
New Process Created Via Wmic.EXE
Detects new process creation using WMIC via the "process call create" flag
status test author Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community id 526be59f-a573-4eea-b5f7-f0973207634d
carbon_black query
(Image:\\wmic.exe OR OriginalFileName:wmic.exe) (CommandLine:process* CommandLine:call* CommandLine:create*)
view Sigma YAML
title: New Process Created Via Wmic.EXE
id: 526be59f-a573-4eea-b5f7-f0973207634d
related:
    - id: 3c89a1e8-0fba-449e-8f1b-8409d6267ec8 # For suspicious process creation
      type: derived
status: test
description: Detects new process creation using WMIC via the "process call create" flag
references:
    - https://www.sans.org/blog/wmic-for-incident-response/
    - https://github.com/redcanaryco/atomic-red-team/blob/84215139ee5127f8e3a117e063b604812bd71928/atomics/T1047/T1047.md#atomic-test-5---wmi-execute-local-process
author: Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community
date: 2019-01-16
modified: 2023-02-14
tags:
    - attack.execution
    - attack.t1047
    - car.2016-03-002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\wmic.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'process'
            - 'call'
            - 'create'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
New Remote Desktop Connection Initiated Via Mstsc.EXE
Detects the usage of "mstsc.exe" with the "/v" flag to initiate a connection to a remote server. Adversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
status test author frack113 id 954f0af7-62dd-418f-b3df-a84bc2c7a774
carbon_black query
((Image:\\mstsc.exe OR OriginalFileName:mstsc.exe) (CommandLine:\ \-v\:* OR CommandLine:\ \/v\:* OR CommandLine:\ –v\:* OR CommandLine:\ —v\:* OR CommandLine:\ ―v\:*)) (-(ParentImage:C\:\\Windows\\System32\\lxss\\wslhost.exe CommandLine:C\:\\ProgramData\\Microsoft\\WSL\\wslg.rdp*))
view Sigma YAML
title: New Remote Desktop Connection Initiated Via Mstsc.EXE
id: 954f0af7-62dd-418f-b3df-a84bc2c7a774
status: test
description: |
    Detects the usage of "mstsc.exe" with the "/v" flag to initiate a connection to a remote server.
    Adversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc
author: frack113
date: 2022-01-07
modified: 2024-06-04
tags:
    - attack.lateral-movement
    - attack.t1021.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\mstsc.exe'
        - OriginalFileName: 'mstsc.exe'
    selection_cli:
        CommandLine|contains|windash: ' /v:'
    filter_optional_wsl:
        # Example: mstsc.exe /v:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX /hvsocketserviceid:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX /silent /wslg /plugin:WSLDVC /wslgsharedmemorypath:WSL\XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX\wslg C:\ProgramData\Microsoft\WSL\wslg.rdp
        ParentImage: 'C:\Windows\System32\lxss\wslhost.exe'
        CommandLine|contains: 'C:\ProgramData\Microsoft\WSL\wslg.rdp'
    condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
    - WSL (Windows Sub System For Linux)
level: medium
medium
New Root Certificate Authority Added
Detects newly added root certificate authority to an AzureAD tenant to support certificate based authentication.
status test author Harjot Shah Singh, '@cyb3rjy0t' id 4bb80281-3756-4ec8-a88e-523c5a6fda9e
carbon_black query
OperationName:Set\ Company\ Information "TargetResources.modifiedProperties.newValue":TrustedCAsForPasswordlessAuth*
view Sigma YAML
title: New Root Certificate Authority Added
id: 4bb80281-3756-4ec8-a88e-523c5a6fda9e
status: test
description: Detects newly added root certificate authority to an AzureAD tenant to support certificate based authentication.
references:
    - https://posts.specterops.io/passwordless-persistence-and-privilege-escalation-in-azure-98a01310be3f
    - https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/
author: Harjot Shah Singh, '@cyb3rjy0t'
date: 2024-03-26
tags:
    - attack.credential-access
    - attack.persistence
    - attack.privilege-escalation
    - attack.defense-impairment
    - attack.t1556
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        OperationName: 'Set Company Information'
        TargetResources.modifiedProperties.newValue|contains: 'TrustedCAsForPasswordlessAuth'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
New Root Certificate Installed Via CertMgr.EXE
Detects execution of "certmgr" with the "add" flag in order to install a new certificate on the system. Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
status test author oscd.community, @redcanary, Zach Stanford @svch0st id ff992eac-6449-4c60-8c1d-91c9722a1d48
carbon_black query
(Image:\\CertMgr.exe OR OriginalFileName:CERTMGT.EXE) (CommandLine:\/add* CommandLine:root*)
view Sigma YAML
title: New Root Certificate Installed Via CertMgr.EXE
id: ff992eac-6449-4c60-8c1d-91c9722a1d48
related:
    - id: 42821614-9264-4761-acfc-5772c3286f76
      type: derived
    - id: 46591fae-7a4c-46ea-aec3-dff5e6d785dc
      type: obsolete
status: test
description: |
    Detects execution of "certmgr" with the "add" flag in order to install a new certificate on the system.
    Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md
    - https://securelist.com/to-crypt-or-to-mine-that-is-the-question/86307/
author: oscd.community, @redcanary, Zach Stanford @svch0st
date: 2023-03-05
tags:
    - attack.defense-impairment
    - attack.t1553.004
logsource:
    category: process_creation
    product: windows
detection:
    # Example: CertMgr.exe /add CertificateFileName.cer /s /r localMachine root /all
    selection_img:
        - Image|endswith: '\CertMgr.exe'
        - OriginalFileName: 'CERTMGT.EXE'
    selection_cli:
        CommandLine|contains|all:
            - '/add'
            - 'root'
    condition: all of selection_*
falsepositives:
    - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP
level: medium
medium
New Root Certificate Installed Via Certutil.EXE
Detects execution of "certutil" with the "addstore" flag in order to install a new certificate on the system. Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
status test author oscd.community, @redcanary, Zach Stanford @svch0st id d2125259-ddea-4c1c-9c22-977eb5b29cf0
carbon_black query
(Image:\\certutil.exe OR OriginalFileName:CertUtil.exe) (CommandLine:\-addstore* OR CommandLine:\/addstore* OR CommandLine:–addstore* OR CommandLine:—addstore* OR CommandLine:―addstore*) CommandLine:root*
view Sigma YAML
title: New Root Certificate Installed Via Certutil.EXE
id: d2125259-ddea-4c1c-9c22-977eb5b29cf0
related:
    - id: 42821614-9264-4761-acfc-5772c3286f76
      type: derived
    - id: 46591fae-7a4c-46ea-aec3-dff5e6d785dc
      type: obsolete
status: test
description: |
    Detects execution of "certutil" with the "addstore" flag in order to install a new certificate on the system.
    Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md
author: oscd.community, @redcanary, Zach Stanford @svch0st
date: 2023-03-05
modified: 2024-03-05
tags:
    - attack.defense-impairment
    - attack.t1553.004
logsource:
    category: process_creation
    product: windows
detection:
    # Example: certutil -addstore -f -user ROOT CertificateFileName.der
    selection_img:
        - Image|endswith: '\certutil.exe'
        - OriginalFileName: 'CertUtil.exe'
    selection_cli_add:
        CommandLine|contains|windash: '-addstore'
    selection_cli_store:
        CommandLine|contains: 'root'
    condition: all of selection_*
falsepositives:
    - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_certificate_installation/info.yml
medium
New Root or CA or AuthRoot Certificate to Store
Detects the addition of new root, CA or AuthRoot certificates to the Windows registry
status test author frack113 id d223b46b-5621-4037-88fe-fda32eead684
carbon_black query
(TargetObject:\\SOFTWARE\\Microsoft\\SystemCertificates\\Root\\Certificates\\* OR TargetObject:\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates\\* OR TargetObject:\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root\\Certificates\\* OR TargetObject:\\SOFTWARE\\Microsoft\\SystemCertificates\\CA\\Certificates\\* OR TargetObject:\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\CA\\Certificates\\* OR TargetObject:\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\CA\\Certificates\\* OR TargetObject:\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\* OR TargetObject:\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\* OR TargetObject:\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\AuthRoot\\Certificates\\*) TargetObject:\\Blob Details:Binary\ Data
view Sigma YAML
title: New Root or CA or AuthRoot Certificate to Store
id: d223b46b-5621-4037-88fe-fda32eead684
status: test
description: Detects the addition of new root, CA or AuthRoot certificates to the Windows registry
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store
    - https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
author: frack113
date: 2022-04-04
modified: 2023-08-17
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\'
            - '\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\'
            - '\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\'
            - '\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\'
            - '\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates\'
            - '\SOFTWARE\Microsoft\EnterpriseCertificates\CA\Certificates\'
            - '\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\'
            - '\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\Certificates\'
            - '\SOFTWARE\Microsoft\EnterpriseCertificates\AuthRoot\Certificates\'
        TargetObject|endswith: '\Blob'
        Details: 'Binary Data'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
New Self Extracting Package Created Via IExpress.EXE
Detects the "iexpress.exe" utility creating self-extracting packages. Attackers were seen leveraging "iexpress" to compile packages on the fly via ".sed" files. Investigate the command line options provided to "iexpress" and, in the case of a ".sed" file, check its contents and legitimacy.
status test author Joseliyo Sanchez, @Joseliyo_Jstnk id c2b478fc-09bf-40b2-8768-ab3ec8d61c9a
carbon_black query
(ParentImage:\\iexpress.exe (Image:\\makecab.exe OR OriginalFileName:makecab.exe)) OR ((Image:\\iexpress.exe OR OriginalFileName:IEXPRESS.exe) CommandLine:\ \/n\ *)
view Sigma YAML
title: New Self Extracting Package Created Via IExpress.EXE
id: c2b478fc-09bf-40b2-8768-ab3ec8d61c9a
status: test
description: |
    Detects the "iexpress.exe" utility creating self-extracting packages.
    Attackers were seen leveraging "iexpress" to compile packages on the fly via ".sed" files.
    Investigate the command line options provided to "iexpress" and, in the case of a ".sed" file, check its contents and legitimacy.
references:
    - https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html
    - https://en.wikipedia.org/wiki/IExpress
    - https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/
    - https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2024-02-05
tags:
    - attack.stealth
    - attack.t1218
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection_1_parent:
        ParentImage|endswith: '\iexpress.exe'
    selection_1_img:
        - Image|endswith: '\makecab.exe'
        - OriginalFileName: 'makecab.exe'
    selection_2_img:
        - Image|endswith: '\iexpress.exe'
        - OriginalFileName: 'IEXPRESS.exe'
    selection_2_cli:
        CommandLine|contains: ' /n '
    condition: all of selection_1_* or all of selection_2_*
falsepositives:
    - Administrators building packages using iexpress.exe
level: medium
medium
New User Created Via Net.EXE
Identifies the creation of local users via the net.exe command.
status test author Endgame, JHasenbusch (adapted to Sigma for oscd.community) id cd219ff3-fa99-45d4-8380-a7d15116c6dc
carbon_black query
((Image:\\net.exe OR Image:\\net1.exe) OR (OriginalFileName:net.exe OR OriginalFileName:net1.exe)) (CommandLine:user* CommandLine:add*)
view Sigma YAML
title: New User Created Via Net.EXE
id: cd219ff3-fa99-45d4-8380-a7d15116c6dc
related:
    - id: b9f0e6f5-09b4-4358-bae4-08408705bd5c
      type: similar
status: test
description: Identifies the creation of local users via the net.exe command.
references:
    - https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md
author: Endgame, JHasenbusch (adapted to Sigma for oscd.community)
date: 2018-10-30
modified: 2023-02-21
tags:
    - attack.persistence
    - attack.t1136.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\net.exe'
              - '\net1.exe'
        - OriginalFileName:
              - 'net.exe'
              - 'net1.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'user'
            - 'add'
    condition: all of selection_*
falsepositives:
    - Legitimate user creation.
    - Better use event IDs for user creation rather than command line rules.
level: medium
medium
New Virtual Smart Card Created Via TpmVscMgr.EXE
Detects execution of "Tpmvscmgr.exe" to create a new virtual smart card.
status test author Nasreddine Bencherchali (Nextron Systems) id c633622e-cab9-4eaa-bb13-66a1d68b3e47
carbon_black query
(Image:\\tpmvscmgr.exe OriginalFileName:TpmVscMgr.exe) CommandLine:create*
view Sigma YAML
title: New Virtual Smart Card Created Via TpmVscMgr.EXE
id: c633622e-cab9-4eaa-bb13-66a1d68b3e47
status: test
description: Detects execution of "Tpmvscmgr.exe" to create a new virtual smart card.
references:
    - https://learn.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-15
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\tpmvscmgr.exe'
        OriginalFileName: 'TpmVscMgr.exe'
    selection_cli:
        CommandLine|contains: 'create'
    condition: all of selection_*
falsepositives:
    - Legitimate usage by an administrator
level: medium
medium
New or Renamed User Account with '$' Character
Detects the creation of a user with the "$" character. This can be used by attackers to hide a user or trick detection systems that lack the parsing mechanisms.
status test author Ilyas Ochkov, oscd.community id cfeed607-6aa4-4bbd-9627-b637deb723c8
carbon_black query
((EventID:4720 SamAccountName:$*) OR (EventID:4781 NewTargetUserName:$*)) (-(EventID:4720 TargetUserName:HomeGroupUser$))
view Sigma YAML
title: New or Renamed User Account with '$' Character
id: cfeed607-6aa4-4bbd-9627-b637deb723c8
status: test
description: |
    Detects the creation of a user with the "$" character. This can be used by attackers to hide a user or trick detection systems that lack the parsing mechanisms.
references:
    - https://twitter.com/SBousseaden/status/1387743867663958021
author: Ilyas Ochkov, oscd.community
date: 2019-10-25
modified: 2024-01-16
tags:
    - attack.stealth
    - attack.t1036
logsource:
    product: windows
    service: security
detection:
    selection_create:
        EventID: 4720 # create user
        SamAccountName|contains: '$'
    selection_rename:
        EventID: 4781 # rename user
        NewTargetUserName|contains: '$'
    filter_main_homegroup:
        EventID: 4720
        TargetUserName: 'HomeGroupUser$'
    condition: 1 of selection_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
medium
Node Process Executions
Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud
status test author Max Altgelt (Nextron Systems) id df1f26d3-bea7-4700-9ea2-ad3e990cf90e
carbon_black query
Image:\\Adobe\ Creative\ Cloud\ Experience\\libs\\node.exe (-CommandLine:Adobe\ Creative\ Cloud\ Experience\\js*)
view Sigma YAML
title: Node Process Executions
id: df1f26d3-bea7-4700-9ea2-ad3e990cf90e
status: test
description: Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud
references:
    - https://twitter.com/mttaggart/status/1511804863293784064
author: Max Altgelt (Nextron Systems)
date: 2022-04-06
tags:
    - attack.execution
    - attack.stealth
    - attack.t1127
    - attack.t1059.007
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\Adobe Creative Cloud Experience\libs\node.exe'
    filter:
        CommandLine|contains: 'Adobe Creative Cloud Experience\js' # Folder where Creative Cloud's JS resources are located
    condition: selection and not filter
falsepositives:
    - Unknown
level: medium
medium
Nohup Execution
Detects usage of nohup which could be leveraged by an attacker to keep a process running or break out from restricted environments
status test author Christopher Peacock @SecurePeacock, SCYTHE @scythe_io id e4ffe466-6ff8-48d4-94bd-e32d1a6061e2
carbon_black query
Image:\/nohup
view Sigma YAML
title: Nohup Execution
id: e4ffe466-6ff8-48d4-94bd-e32d1a6061e2
status: test
description: Detects usage of nohup which could be leveraged by an attacker to keep a process running or break out from restricted environments
references:
    - https://gtfobins.github.io/gtfobins/nohup/
    - https://en.wikipedia.org/wiki/Nohup
    - https://www.computerhope.com/unix/unohup.htm
author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
date: 2022-06-06
tags:
    - attack.execution
    - attack.t1059.004
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/nohup'
    condition: selection
falsepositives:
    - Administrators or installed processes that leverage nohup
level: medium
medium
Non-DLL Extension File Renamed With DLL Extension
Detects rename operations of files with non-DLL extensions to files with a DLL extension. This is often performed by malware in order to avoid initial detections based on extensions.
status test author frack113 id bbfd974c-248e-4435-8de6-1e938c79c5c1
No stored carbon_black translation for this rule. Expand the YAML below to convert it inline.
view Sigma YAML
title: Non-DLL Extension File Renamed With DLL Extension
id: bbfd974c-248e-4435-8de6-1e938c79c5c1
status: test
description: |
    Detects rename operations of files with non-DLL extensions to files with a DLL extension. This is often performed by malware in order to avoid initial detections based on extensions.
references:
    - https://twitter.com/ffforward/status/1481672378639912960
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036/T1036.md#atomic-test-1---system-file-copied-to-unusual-location
author: frack113
date: 2022-02-19
modified: 2023-11-11
tags:
    - attack.stealth
    - attack.t1036.008
    - detection.threat-hunting
logsource:
    product: windows
    category: file_rename
    definition: 'Requirements: Microsoft-Windows-Kernel-File Provider with at least the KERNEL_FILE_KEYWORD_RENAME_SETLINK_PATH keyword'
detection:
    selection:
        TargetFilename|endswith: '.dll'
    filter_main_dll:
        # Note: To avoid file renames
        SourceFilename|endswith: '.dll'
    filter_main_installers:
        SourceFilename|endswith: '.tmp'
    filter_main_empty_source:
        SourceFilename: ''
    filter_main_null_source:
        SourceFilename: null
    filter_main_tiworker:
        Image|contains: ':\Windows\WinSxS\'
        Image|endswith: '\TiWorker.exe'
    filter_main_upgrade:
        - Image|endswith: ':\Windows\System32\wuauclt.exe'
        - TargetFilename|contains: ':\$WINDOWS.~BT\Sources\'
    filter_main_generic:
        Image|contains:
            - ':\Program Files (x86)\'
            - ':\Program Files\'
    filter_optional_squirrel:
        SourceFilename|contains: '\SquirrelTemp\temp'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Likely from installers and temporary locations
level: medium
medium
Notepad++ Updater DNS Query to Uncommon Domains
Detects when the Notepad++ updater (gup.exe) makes DNS queries to domains that are not part of the known legitimate update infrastructure. This could indicate potential exploitation of the updater mechanism or suspicious network activity that warrants further investigation.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) id 2074e137-1b73-4e2d-88ba-5a3407dbdce0
carbon_black query
Image:\\gup.exe (-QueryName:notepad\-plus\-plus.org) (-(QueryName:.sourceforge.net OR (QueryName:.githubusercontent.com OR QueryName:github.com) OR QueryName:.googleapis.com OR (QueryName:.azurewebsites.net OR QueryName:block.opendns.com OR QueryName:gateway.zscalerthree.net)))
view Sigma YAML
title: Notepad++ Updater DNS Query to Uncommon Domains
id: 2074e137-1b73-4e2d-88ba-5a3407dbdce0
status: experimental
description: |
    Detects when the Notepad++ updater (gup.exe) makes DNS queries to domains that are not part of the known legitimate update infrastructure.
    This could indicate potential exploitation of the updater mechanism or suspicious network activity that warrants further investigation.
references:
    - https://notepad-plus-plus.org/news/v889-released/
    - https://www.heise.de/en/news/Notepad-updater-installed-malware-11109726.html
    - https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
    - https://www.validin.com/blog/exploring_notepad_plus_plus_network_indicators/
    - https://securelist.com/notepad-supply-chain-attack/118708/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-02-02
modified: 2026-03-16
tags:
    - attack.collection
    - attack.credential-access
    - attack.t1195.002
    - attack.initial-access
    - attack.t1557
logsource:
    category: dns_query
    product: windows
detection:
    selection:
        Image|endswith: '\gup.exe'
    filter_main_notepad_legit_domain:
        QueryName: 'notepad-plus-plus.org'
    filter_optional_sourceforge_legit_domain:
        QueryName|endswith: '.sourceforge.net'
    filter_optional_github_legit_domain:
        - QueryName|endswith: '.githubusercontent.com'
        - QueryName: 'github.com'
    filter_optional_google_storage_legit_domain:
        QueryName|endswith: '.googleapis.com'
    filter_optional_uncommon_domains:
        QueryName|endswith:
            - '.azurewebsites.net'
            - 'block.opendns.com'
            - 'gateway.zscalerthree.net'
    # Add other known legitimate domains if any
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Some legitimate network misconfigurations or proxy issues causing unexpected DNS queries.
    - Other legitimate query to official domains not listed in the filter, needing tuning.
level: medium # can be upgraded to high after tuning with known legitimate DNS queries
medium
Nslookup PowerShell Download Cradle
Detects a powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records.
status test author Sai Prashanth Pulisetti @pulisettis, Aishwarya Singam id 999bff6d-dc15-44c9-9f5c-e1051bfc86e1
carbon_black query
(Data:powershell* Data:nslookup* Data:\[1\]*) (Data:\-q=txt\ http* OR Data:\-querytype=txt\ http* OR Data:\-type=txt\ http*)
view Sigma YAML
title: Nslookup PowerShell Download Cradle
id: 999bff6d-dc15-44c9-9f5c-e1051bfc86e1
related:
    - id: 1b3b01c7-84e9-4072-86e5-fc285a41ff23
      type: similar
status: test
description: Detects a powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records.
references:
    - https://twitter.com/Alh4zr3d/status/1566489367232651264
author: Sai Prashanth Pulisetti @pulisettis, Aishwarya Singam
date: 2022-12-10
modified: 2025-02-25
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_classic_start
detection:
    selection:
        Data|contains|all:
            - 'powershell'
            - 'nslookup'
            - '[1]'
        Data|contains:
            - '-q=txt http'
            - '-querytype=txt http'
            - '-type=txt http'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Nslookup PowerShell Download Cradle - ProcessCreation
Detects suspicious powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records
status test author Nasreddine Bencherchali (Nextron Systems) id 1b3b01c7-84e9-4072-86e5-fc285a41ff23
carbon_black query
(Image:\\nslookup.exe* OR OriginalFileName:\\nslookup.exe) ((ParentImage:\\powershell.exe OR ParentImage:\\pwsh.exe) (CommandLine:\ \-q=txt\ * OR CommandLine:\ \-querytype=txt\ *))
view Sigma YAML
title: Nslookup PowerShell Download Cradle - ProcessCreation
id: 1b3b01c7-84e9-4072-86e5-fc285a41ff23
related:
    - id: 72671447-4352-4413-bb91-b85569687135
      type: obsolete
    - id: 999bff6d-dc15-44c9-9f5c-e1051bfc86e1
      type: similar
status: test
description: Detects suspicious powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records
references:
    - https://twitter.com/Alh4zr3d/status/1566489367232651264
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-05
modified: 2022-12-19
tags:
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|contains: '\nslookup.exe'
        - OriginalFileName: '\nslookup.exe'
    selection_cmd:
        ParentImage|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains:
            - ' -q=txt '
            - ' -querytype=txt '
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
Ntdsutil Abuse
Detects potential abuse of ntdsutil to dump ntds.dit database
status test author Nasreddine Bencherchali (Nextron Systems) id e6e88853-5f20-4c4a-8d26-cd469fd8d31f
carbon_black query
Provider_Name:ESENT (EventID:216 OR EventID:325 OR EventID:326 OR EventID:327) Data:ntds.dit*
view Sigma YAML
title: Ntdsutil Abuse
id: e6e88853-5f20-4c4a-8d26-cd469fd8d31f
status: test
description: Detects potential abuse of ntdsutil to dump ntds.dit database
references:
    - https://twitter.com/mgreen27/status/1558223256704122882
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-14
tags:
    - attack.credential-access
    - attack.t1003.003
logsource:
    product: windows
    service: application
    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
    selection:
        Provider_Name: 'ESENT'
        EventID:
            - 216
            - 325
            - 326
            - 327
        Data|contains: 'ntds.dit'
    condition: selection
falsepositives:
    - Legitimate backup operation/creating shadow copies
level: medium
medium
Number Of Resource Creation Or Deployment Activities
Number of VM creations or deployment activities that occur in Azure via the azureactivity log.
status test author sawwinnnaung id d2d901db-7a75-45a1-bc39-0cbf00812192
carbon_black query
"Microsoft.Compute\/virtualMachines\/write" OR "Microsoft.Resources\/deployments\/write"
view Sigma YAML
title: Number Of Resource Creation Or Deployment Activities
id: d2d901db-7a75-45a1-bc39-0cbf00812192
status: test
description: Number of VM creations or deployment activities that occur in Azure via the azureactivity log.
references:
    - https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/Creating_Anomalous_Number_Of_Resources_detection.yaml
author: sawwinnnaung
date: 2020-05-07
modified: 2023-10-11
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1098
logsource:
    product: azure
    service: activitylogs
detection:
    keywords:
        - Microsoft.Compute/virtualMachines/write
        - Microsoft.Resources/deployments/write
    condition: keywords
falsepositives:
    - Valid change
level: medium
medium
Obfuscated IP Download Activity
Detects use of an encoded/obfuscated version of an IP address (hex, octal...) in an URL combined with a download command
status test author Florian Roth (Nextron Systems), X__Junior (Nextron Systems) id cb5a2333-56cf-4562-8fcb-22ba1bca728d
carbon_black query
(CommandLine:Invoke\-WebRequest* OR CommandLine:iwr\ * OR CommandLine:Invoke\-RestMethod* OR CommandLine:irm\ * OR CommandLine:wget\ * OR CommandLine:curl\ * OR CommandLine:DownloadFile* OR CommandLine:DownloadString*) ((CommandLine:\ 0x* OR CommandLine:\/\/0x* OR CommandLine:.0x* OR CommandLine:.00x*) OR (CommandLine:http\:\/\/%* CommandLine:%2e*) OR (CommandLine:https?://[0-9]{1,3}\\.[0-9]{1,3}\\.0[0-9]{3,4} OR CommandLine:https?://[0-9]{1,3}\\.0[0-9]{3,7} OR CommandLine:https?://0[0-9]{3,11} OR CommandLine:https?://(?:0[0-9]{1,11}\\.){3}0[0-9]{1,11} OR CommandLine:https?://0[0-9]{1,11} OR CommandLine: [0-7]{7,13})) (-CommandLine:https?://(?:(?:25[0-5]|(?:2[0-4]|1\\d|[1-9])?\\d)(?:\\.|\\b)){4})
view Sigma YAML
title: Obfuscated IP Download Activity
id: cb5a2333-56cf-4562-8fcb-22ba1bca728d
status: test
description: Detects use of an encoded/obfuscated version of an IP address (hex, octal...) in an URL combined with a download command
references:
    - https://h.43z.one/ipconverter/
    - https://twitter.com/Yasser_Elsnbary/status/1553804135354564608
    - https://twitter.com/fr0s7_/status/1712780207105404948
author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems)
date: 2022-08-03
modified: 2026-03-16
tags:
    - attack.discovery
logsource:
    category: process_creation
    product: windows
detection:
    selection_command:
        CommandLine|contains:
            - 'Invoke-WebRequest'
            - 'iwr '
            - 'Invoke-RestMethod'
            - 'irm '
            - 'wget '
            - 'curl '
            - 'DownloadFile'
            - 'DownloadString'
    selection_ip_1:
        CommandLine|contains:
            - ' 0x'
            - '//0x'
            - '.0x'
            - '.00x'
    selection_ip_2:
        CommandLine|contains|all:
            - 'http://%'
            - '%2e'
    selection_ip_3:
        # http://81.4.31754
        - CommandLine|re: 'https?://[0-9]{1,3}\.[0-9]{1,3}\.0[0-9]{3,4}'
        # http://81.293898
        - CommandLine|re: 'https?://[0-9]{1,3}\.0[0-9]{3,7}'
        # http://1359248394
        - CommandLine|re: 'https?://0[0-9]{3,11}'
        # http://0121.04.0174.012
        - CommandLine|re: 'https?://(?:0[0-9]{1,11}\.){3}0[0-9]{1,11}'
        # http://012101076012
        - CommandLine|re: 'https?://0[0-9]{1,11}'
        # For octal format
        - CommandLine|re: ' [0-7]{7,13}'
    filter_main_valid_ip:
        CommandLine|re: 'https?://(?:(?:25[0-5]|(?:2[0-4]|1\d|[1-9])?\d)(?:\.|\b)){4}'
    condition: selection_command and 1 of selection_ip_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
medium
Obfuscated IP Via CLI
Detects usage of an encoded/obfuscated version of an IP address (hex, octal, etc.) via command line
status test author Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) id 56d19cb4-6414-4769-9644-1ed35ffbb148
carbon_black query
(Image:\\ping.exe OR Image:\\arp.exe) ((CommandLine:\ 0x* OR CommandLine:\/\/0x* OR CommandLine:.0x* OR CommandLine:.00x*) OR (CommandLine:http\:\/\/%* CommandLine:%2e*) OR (CommandLine:https?://[0-9]{1,3}\\.[0-9]{1,3}\\.0[0-9]{3,4} OR CommandLine:https?://[0-9]{1,3}\\.0[0-9]{3,7} OR CommandLine:https?://0[0-9]{3,11} OR CommandLine:https?://(?:0[0-9]{1,11}\\.){3}0[0-9]{1,11} OR CommandLine:https?://0[0-9]{1,11} OR CommandLine: [0-7]{7,13})) (-CommandLine:https?://(?:(?:25[0-5]|(?:2[0-4]|1\\d|[1-9])?\\d)(?:\\.|\\b)){4})
view Sigma YAML
title: Obfuscated IP Via CLI
id: 56d19cb4-6414-4769-9644-1ed35ffbb148
status: test
description: Detects usage of an encoded/obfuscated version of an IP address (hex, octal, etc.) via command line
references:
    - https://h.43z.one/ipconverter/
    - https://twitter.com/Yasser_Elsnbary/status/1553804135354564608
author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
date: 2022-08-03
modified: 2026-03-16
tags:
    - attack.discovery
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\ping.exe'
            - '\arp.exe'
    selection_ip_1:
        CommandLine|contains:
            - ' 0x'
            - '//0x'
            - '.0x'
            - '.00x'
    selection_ip_2:
        CommandLine|contains|all:
            - 'http://%'
            - '%2e'
    selection_ip_3:
        # http://81.4.31754
        - CommandLine|re: 'https?://[0-9]{1,3}\.[0-9]{1,3}\.0[0-9]{3,4}'
        # http://81.293898
        - CommandLine|re: 'https?://[0-9]{1,3}\.0[0-9]{3,7}'
        # http://1359248394
        - CommandLine|re: 'https?://0[0-9]{3,11}'
        # http://0121.04.0174.012
        - CommandLine|re: 'https?://(?:0[0-9]{1,11}\.){3}0[0-9]{1,11}'
        # http://012101076012
        - CommandLine|re: 'https?://0[0-9]{1,11}'
        # For octal format
        - CommandLine|re: ' [0-7]{7,13}'
    filter_main_valid_ip:
        CommandLine|re: 'https?://(?:(?:25[0-5]|(?:2[0-4]|1\d|[1-9])?\d)(?:\.|\b)){4}'
    condition: selection_img and 1 of selection_ip_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
medium
Office Application Initiated Network Connection Over Uncommon Ports
Detects an office suite application (Word, Excel, PowerPoint, Outlook) communicating to target systems over uncommon ports.
status test author X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) id 3b5ba899-9842-4bc2-acc2-12308498bf42
carbon_black query
(Initiated:true (Image:\\excel.exe OR Image:\\outlook.exe OR Image:\\powerpnt.exe OR Image:\\winword.exe OR Image:\\wordview.exe)) (-((DestinationPort:53 OR DestinationPort:80 OR DestinationPort:139 OR DestinationPort:389 OR DestinationPort:443 OR DestinationPort:445 OR DestinationPort:3268) OR (Image:\:\\Program\ Files\\Microsoft\ Office\\* Image:\\OUTLOOK.EXE (DestinationPort:143 OR DestinationPort:465 OR DestinationPort:587 OR DestinationPort:993 OR DestinationPort:995))))
view Sigma YAML
title: Office Application Initiated Network Connection Over Uncommon Ports
id: 3b5ba899-9842-4bc2-acc2-12308498bf42
status: test
description: Detects an office suite application (Word, Excel, PowerPoint, Outlook) communicating to target systems over uncommon ports.
references:
    - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-12
modified: 2025-10-17
tags:
    - attack.command-and-control
    - attack.stealth
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        Image|endswith:
            - '\excel.exe'
            - '\outlook.exe'
            - '\powerpnt.exe'
            - '\winword.exe'
            - '\wordview.exe'
    filter_main_common_ports:
        DestinationPort:
            - 53 # DNS
            - 80 # HTTP
            - 139 # NETBIOS
            - 389 # LDAP
            - 443 # HTTPS
            - 445 # SMB
            - 3268 # MSFT-GC
    filter_main_outlook_ports:
        Image|contains: ':\Program Files\Microsoft Office\'
        Image|endswith: '\OUTLOOK.EXE'
        DestinationPort:
            - 143
            - 465 # SMTP
            - 587 # SMTP
            - 993 # IMAP
            - 995 # POP3
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Other ports can be used, apply additional filters accordingly
level: medium
medium
Office Application Initiated Network Connection To Non-Local IP
Detects an office application (Word, Excel, PowerPoint) that initiates a network connection to a non-private IP address. This rule aims to detect traffic similar to that seen exploited in CVE-2021-42292. This rule will require an initial baseline and tuning that is specific to your organization.
status test author Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems) id 75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84
carbon_black query
((Image:\\excel.exe OR Image:\\outlook.exe OR Image:\\powerpnt.exe OR Image:\\winword.exe OR Image:\\wordview.exe) Initiated:true) (-((DestinationIp:127.* OR DestinationIp:10.* OR DestinationIp:172.16.* OR DestinationIp:172.17.* OR DestinationIp:172.18.* OR DestinationIp:172.19.* OR DestinationIp:172.20.* OR DestinationIp:172.21.* OR DestinationIp:172.22.* OR DestinationIp:172.23.* OR DestinationIp:172.24.* OR DestinationIp:172.25.* OR DestinationIp:172.26.* OR DestinationIp:172.27.* OR DestinationIp:172.28.* OR DestinationIp:172.29.* OR DestinationIp:172.30.* OR DestinationIp:172.31.* OR DestinationIp:192.168.* OR DestinationIp:169.254.* OR DestinationIp:\:\:1 OR DestinationIp:fe8* OR DestinationIp:fe9* OR DestinationIp:fea* OR DestinationIp:feb* OR DestinationIp:fc* OR DestinationIp:fd*) OR (DestinationIp:2.16.56.* OR DestinationIp:2.16.57.* OR DestinationIp:2.17.248.* OR DestinationIp:2.17.249.* OR DestinationIp:2.17.250.* OR DestinationIp:2.17.251.* OR DestinationIp:2.17.252.* OR DestinationIp:2.17.253.* OR DestinationIp:2.17.254.* OR DestinationIp:2.17.255.* OR DestinationIp:13.107.240.* OR DestinationIp:13.107.241.* OR DestinationIp:13.107.242.* OR DestinationIp:13.107.243.* OR DestinationIp:13.107.244.* OR DestinationIp:13.107.245.* OR DestinationIp:13.107.246.* OR DestinationIp:13.107.247.* OR DestinationIp:20.184.* OR DestinationIp:20.185.* OR DestinationIp:20.186.* OR DestinationIp:20.187.* OR DestinationIp:20.188.* OR DestinationIp:20.189.* OR DestinationIp:20.190.* OR DestinationIp:20.191.* OR DestinationIp:23.61.224.* OR DestinationIp:23.61.225.* OR DestinationIp:23.61.226.* OR DestinationIp:23.61.227.* OR DestinationIp:23.61.228.* OR DestinationIp:23.61.229.* OR DestinationIp:23.61.230.* OR DestinationIp:23.61.231.* OR DestinationIp:23.61.232.* OR DestinationIp:23.61.233.* OR DestinationIp:23.61.234.* OR DestinationIp:23.61.235.* OR DestinationIp:23.61.236.* OR DestinationIp:23.61.237.* OR DestinationIp:23.61.238.* OR DestinationIp:23.61.239.* OR 
DestinationIp:20.192.* OR DestinationIp:20.193.* OR DestinationIp:20.194.* OR DestinationIp:20.195.* OR DestinationIp:20.196.* OR DestinationIp:20.197.* OR DestinationIp:20.198.* OR DestinationIp:20.199.* OR DestinationIp:20.200.* OR DestinationIp:20.201.* OR DestinationIp:20.202.* OR DestinationIp:20.203.* OR DestinationIp:20.204.* OR DestinationIp:20.205.* OR DestinationIp:20.206.* OR DestinationIp:20.207.* OR DestinationIp:20.208.* OR DestinationIp:20.209.* OR DestinationIp:20.210.* OR DestinationIp:20.211.* OR DestinationIp:20.212.* OR DestinationIp:20.213.* OR DestinationIp:20.214.* OR DestinationIp:20.215.* OR DestinationIp:20.216.* OR DestinationIp:20.217.* OR DestinationIp:20.218.* OR DestinationIp:20.219.* OR DestinationIp:20.220.* OR DestinationIp:20.221.* OR DestinationIp:20.222.* OR DestinationIp:20.223.* OR DestinationIp:20.224.* OR DestinationIp:20.225.* OR DestinationIp:20.226.* OR DestinationIp:20.227.* OR DestinationIp:20.228.* OR DestinationIp:20.229.* OR DestinationIp:20.230.* OR DestinationIp:20.231.* OR DestinationIp:20.232.* OR DestinationIp:20.233.* OR DestinationIp:20.234.* OR DestinationIp:20.235.* OR DestinationIp:20.236.* OR DestinationIp:20.237.* OR DestinationIp:20.238.* OR DestinationIp:20.239.* OR DestinationIp:20.240.* OR DestinationIp:20.241.* OR DestinationIp:20.242.* OR DestinationIp:20.243.* OR DestinationIp:20.244.* OR DestinationIp:20.245.* OR DestinationIp:20.246.* OR DestinationIp:20.247.* OR DestinationIp:20.248.* OR DestinationIp:20.249.* OR DestinationIp:20.250.* OR DestinationIp:20.251.* OR DestinationIp:20.252.* OR DestinationIp:20.253.* OR DestinationIp:20.254.* OR DestinationIp:20.255.* OR DestinationIp:23.72.* OR DestinationIp:23.73.* OR DestinationIp:23.74.* OR DestinationIp:23.75.* OR DestinationIp:23.76.* OR DestinationIp:23.77.* OR DestinationIp:23.78.* OR DestinationIp:23.79.* OR DestinationIp:23.3.88.* OR DestinationIp:23.3.89.* OR DestinationIp:23.3.90.* OR DestinationIp:23.3.91.* OR DestinationIp:23.216.132.* 
OR DestinationIp:23.216.133.* OR DestinationIp:23.216.134.* OR DestinationIp:23.216.135.* OR DestinationIp:40.76.* OR DestinationIp:40.77.* OR DestinationIp:40.78.* OR DestinationIp:40.79.* OR DestinationIp:51.10.* OR DestinationIp:51.11.* OR DestinationIp:51.103.* OR DestinationIp:51.104.* OR DestinationIp:51.105.* OR DestinationIp:51.142.136.* OR DestinationIp:51.142.137.* OR DestinationIp:51.142.138.* OR DestinationIp:51.142.139.* OR DestinationIp:52.160.* OR DestinationIp:52.161.* OR DestinationIp:52.162.* OR DestinationIp:52.163.* OR DestinationIp:52.164.* OR DestinationIp:52.165.* OR DestinationIp:52.166.* OR DestinationIp:52.167.* OR DestinationIp:52.168.* OR DestinationIp:52.169.* OR DestinationIp:52.170.* OR DestinationIp:52.171.* OR DestinationIp:52.172.* OR DestinationIp:52.173.* OR DestinationIp:52.174.* OR DestinationIp:52.175.* OR DestinationIp:52.176.* OR DestinationIp:52.177.* OR DestinationIp:52.178.* OR DestinationIp:52.179.* OR DestinationIp:52.180.* OR DestinationIp:52.181.* OR DestinationIp:52.182.* OR DestinationIp:52.183.* OR DestinationIp:52.184.* OR DestinationIp:52.185.* OR DestinationIp:52.186.* OR DestinationIp:52.187.* OR DestinationIp:52.188.* OR DestinationIp:52.189.* OR DestinationIp:52.190.* OR DestinationIp:52.191.* OR DestinationIp:95.101.96.* OR DestinationIp:95.101.97.* OR DestinationIp:95.101.98.* OR DestinationIp:95.101.99.* OR DestinationIp:95.101.100.* OR DestinationIp:95.101.101.* OR DestinationIp:95.101.102.* OR DestinationIp:95.101.103.* OR DestinationIp:204.79.197.*) OR ((DestinationIp:13.107.4.* OR DestinationIp:13.107.5.* OR DestinationIp:13.107.6.* OR DestinationIp:13.107.7.* OR DestinationIp:13.107.6.152 OR DestinationIp:13.107.6.153 OR DestinationIp:13.107.18.10 OR DestinationIp:13.107.18.11 OR DestinationIp:13.107.42.* OR DestinationIp:13.107.43.* OR DestinationIp:13.107.128.* OR DestinationIp:13.107.129.* OR DestinationIp:13.107.130.* OR DestinationIp:13.107.131.* OR DestinationIp:23.35.224.* OR 
DestinationIp:23.35.225.* OR DestinationIp:23.35.226.* OR DestinationIp:23.35.227.* OR DestinationIp:23.35.228.* OR DestinationIp:23.35.229.* OR DestinationIp:23.35.230.* OR DestinationIp:23.35.231.* OR DestinationIp:23.35.232.* OR DestinationIp:23.35.233.* OR DestinationIp:23.35.234.* OR DestinationIp:23.35.235.* OR DestinationIp:23.35.236.* OR DestinationIp:23.35.237.* OR DestinationIp:23.35.238.* OR DestinationIp:23.35.239.* OR DestinationIp:23.53.40.* OR DestinationIp:23.53.41.* OR DestinationIp:23.53.42.* OR DestinationIp:23.53.43.* OR DestinationIp:23.103.160.* OR DestinationIp:23.103.161.* OR DestinationIp:23.103.162.* OR DestinationIp:23.103.163.* OR DestinationIp:23.103.164.* OR DestinationIp:23.103.165.* OR DestinationIp:23.103.166.* OR DestinationIp:23.103.167.* OR DestinationIp:23.103.168.* OR DestinationIp:23.103.169.* OR DestinationIp:23.103.170.* OR DestinationIp:23.103.171.* OR DestinationIp:23.103.172.* OR DestinationIp:23.103.173.* OR DestinationIp:23.103.174.* OR DestinationIp:23.103.175.* OR DestinationIp:23.216.76.* OR DestinationIp:23.216.77.* OR DestinationIp:23.216.78.* OR DestinationIp:23.216.79.* OR DestinationIp:40.96.* OR DestinationIp:40.97.* OR DestinationIp:40.98.* OR DestinationIp:40.99.* OR DestinationIp:40.100.* OR DestinationIp:40.101.* OR DestinationIp:40.102.* OR DestinationIp:40.103.* OR DestinationIp:40.104.* OR DestinationIp:40.105.* OR DestinationIp:52.96.* OR DestinationIp:52.97.* OR DestinationIp:52.98.* OR DestinationIp:52.99.* OR DestinationIp:131.253.33.215 OR DestinationIp:132.245.* OR DestinationIp:150.171.32.* OR DestinationIp:150.171.33.* OR DestinationIp:150.171.34.* OR DestinationIp:150.171.35.* OR DestinationIp:204.79.197.215 OR DestinationIp:2603\:1006\:* OR DestinationIp:2603\:1016\:* OR DestinationIp:2603\:1026\:* OR DestinationIp:2603\:1036\:* OR DestinationIp:2603\:1046\:* OR DestinationIp:2603\:1056\:* OR DestinationIp:2620\:1ec\:4\:\:152 OR DestinationIp:2620\:1ec\:4\:\:153 OR 
DestinationIp:2620\:1ec\:c\:\:10 OR DestinationIp:2620\:1ec\:c\:\:11 OR DestinationIp:2620\:1ec\:d\:\:10 OR DestinationIp:2620\:1ec\:d\:\:11 OR DestinationIp:2620\:1ec\:8f0\:* OR DestinationIp:2620\:1ec\:8f1\:* OR DestinationIp:2620\:1ec\:8f2\:* OR DestinationIp:2620\:1ec\:8f3\:* OR DestinationIp:2620\:1ec\:900\:* OR DestinationIp:2620\:1ec\:901\:* OR DestinationIp:2620\:1ec\:902\:* OR DestinationIp:2620\:1ec\:903\:* OR DestinationIp:2620\:1ec\:a92\:\:152 OR DestinationIp:2620\:1ec\:a92\:\:153) (DestinationPort:80 OR DestinationPort:443)) OR ((DestinationIp:13.107.6.152 OR DestinationIp:13.107.6.153 OR DestinationIp:13.107.18.10 OR DestinationIp:13.107.18.11 OR DestinationIp:13.107.128.* OR DestinationIp:13.107.129.* OR DestinationIp:13.107.130.* OR DestinationIp:13.107.131.* OR DestinationIp:23.103.160.* OR DestinationIp:23.103.161.* OR DestinationIp:23.103.162.* OR DestinationIp:23.103.163.* OR DestinationIp:23.103.164.* OR DestinationIp:23.103.165.* OR DestinationIp:23.103.166.* OR DestinationIp:23.103.167.* OR DestinationIp:23.103.168.* OR DestinationIp:23.103.169.* OR DestinationIp:23.103.170.* OR DestinationIp:23.103.171.* OR DestinationIp:23.103.172.* OR DestinationIp:23.103.173.* OR DestinationIp:23.103.174.* OR DestinationIp:23.103.175.* OR DestinationIp:40.96.* OR DestinationIp:40.97.* OR DestinationIp:40.98.* OR DestinationIp:40.99.* OR DestinationIp:40.100.* OR DestinationIp:40.101.* OR DestinationIp:40.102.* OR DestinationIp:40.103.* OR DestinationIp:40.104.* OR DestinationIp:40.105.* OR DestinationIp:52.96.* OR DestinationIp:52.97.* OR DestinationIp:52.98.* OR DestinationIp:52.99.* OR DestinationIp:131.253.33.215 OR DestinationIp:132.245.* OR DestinationIp:150.171.32.* OR DestinationIp:150.171.33.* OR DestinationIp:150.171.34.* OR DestinationIp:150.171.35.* OR DestinationIp:204.79.197.215 OR DestinationIp:2603\:1006\:* OR DestinationIp:2603\:1016\:* OR DestinationIp:2603\:1026\:* OR DestinationIp:2603\:1036\:* OR DestinationIp:2603\:1046\:* OR 
DestinationIp:2603\:1056\:* OR DestinationIp:2620\:1ec\:4\:\:152 OR DestinationIp:2620\:1ec\:4\:\:153 OR DestinationIp:2620\:1ec\:c\:\:10 OR DestinationIp:2620\:1ec\:c\:\:11 OR DestinationIp:2620\:1ec\:d\:\:10 OR DestinationIp:2620\:1ec\:d\:\:11 OR DestinationIp:2620\:1ec\:8f0\:* OR DestinationIp:2620\:1ec\:8f1\:* OR DestinationIp:2620\:1ec\:8f2\:* OR DestinationIp:2620\:1ec\:8f3\:* OR DestinationIp:2620\:1ec\:900\:* OR DestinationIp:2620\:1ec\:901\:* OR DestinationIp:2620\:1ec\:902\:* OR DestinationIp:2620\:1ec\:903\:* OR DestinationIp:2620\:1ec\:a92\:\:152 OR DestinationIp:2620\:1ec\:a92\:\:153) (DestinationPort:143 OR DestinationPort:587 OR DestinationPort:993 OR DestinationPort:995) Protocol:tcp) OR ((DestinationIp:40.92.* OR DestinationIp:40.93.* OR DestinationIp:40.107.* OR DestinationIp:52.100.* OR DestinationIp:52.101.* OR DestinationIp:52.102.* OR DestinationIp:52.103.* OR DestinationIp:52.238.78.88 OR DestinationIp:104.47.0.* OR DestinationIp:104.47.1.* OR DestinationIp:104.47.2.* OR DestinationIp:104.47.3.* OR DestinationIp:104.47.4.* OR DestinationIp:104.47.5.* OR DestinationIp:104.47.6.* OR DestinationIp:104.47.7.* OR DestinationIp:104.47.8.* OR DestinationIp:104.47.9.* OR DestinationIp:104.47.10.* OR DestinationIp:104.47.11.* OR DestinationIp:104.47.12.* OR DestinationIp:104.47.13.* OR DestinationIp:104.47.14.* OR DestinationIp:104.47.15.* OR DestinationIp:104.47.16.* OR DestinationIp:104.47.17.* OR DestinationIp:104.47.18.* OR DestinationIp:104.47.19.* OR DestinationIp:104.47.20.* OR DestinationIp:104.47.21.* OR DestinationIp:104.47.22.* OR DestinationIp:104.47.23.* OR DestinationIp:104.47.24.* OR DestinationIp:104.47.25.* OR DestinationIp:104.47.26.* OR DestinationIp:104.47.27.* OR DestinationIp:104.47.28.* OR DestinationIp:104.47.29.* OR DestinationIp:104.47.30.* OR DestinationIp:104.47.31.* OR DestinationIp:104.47.32.* OR DestinationIp:104.47.33.* OR DestinationIp:104.47.34.* OR DestinationIp:104.47.35.* OR DestinationIp:104.47.36.* OR 
DestinationIp:104.47.37.* OR DestinationIp:104.47.38.* OR DestinationIp:104.47.39.* OR DestinationIp:104.47.40.* OR DestinationIp:104.47.41.* OR DestinationIp:104.47.42.* OR DestinationIp:104.47.43.* OR DestinationIp:104.47.44.* OR DestinationIp:104.47.45.* OR DestinationIp:104.47.46.* OR DestinationIp:104.47.47.* OR DestinationIp:104.47.48.* OR DestinationIp:104.47.49.* OR DestinationIp:104.47.50.* OR DestinationIp:104.47.51.* OR DestinationIp:104.47.52.* OR DestinationIp:104.47.53.* OR DestinationIp:104.47.54.* OR DestinationIp:104.47.55.* OR DestinationIp:104.47.56.* OR DestinationIp:104.47.57.* OR DestinationIp:104.47.58.* OR DestinationIp:104.47.59.* OR DestinationIp:104.47.60.* OR DestinationIp:104.47.61.* OR DestinationIp:104.47.62.* OR DestinationIp:104.47.63.* OR DestinationIp:104.47.64.* OR DestinationIp:104.47.65.* OR DestinationIp:104.47.66.* OR DestinationIp:104.47.67.* OR DestinationIp:104.47.68.* OR DestinationIp:104.47.69.* OR DestinationIp:104.47.70.* OR DestinationIp:104.47.71.* OR DestinationIp:104.47.72.* OR DestinationIp:104.47.73.* OR DestinationIp:104.47.74.* OR DestinationIp:104.47.75.* OR DestinationIp:104.47.76.* OR DestinationIp:104.47.77.* OR DestinationIp:104.47.78.* OR DestinationIp:104.47.79.* OR DestinationIp:104.47.80.* OR DestinationIp:104.47.81.* OR DestinationIp:104.47.82.* OR DestinationIp:104.47.83.* OR DestinationIp:104.47.84.* OR DestinationIp:104.47.85.* OR DestinationIp:104.47.86.* OR DestinationIp:104.47.87.* OR DestinationIp:104.47.88.* OR DestinationIp:104.47.89.* OR DestinationIp:104.47.90.* OR DestinationIp:104.47.91.* OR DestinationIp:104.47.92.* OR DestinationIp:104.47.93.* OR DestinationIp:104.47.94.* OR DestinationIp:104.47.95.* OR DestinationIp:104.47.96.* OR DestinationIp:104.47.97.* OR DestinationIp:104.47.98.* OR DestinationIp:104.47.99.* OR DestinationIp:104.47.100.* OR DestinationIp:104.47.101.* OR DestinationIp:104.47.102.* OR DestinationIp:104.47.103.* OR DestinationIp:104.47.104.* OR 
DestinationIp:104.47.105.* OR DestinationIp:104.47.106.* OR DestinationIp:104.47.107.* OR DestinationIp:104.47.108.* OR DestinationIp:104.47.109.* OR DestinationIp:104.47.110.* OR DestinationIp:104.47.111.* OR DestinationIp:104.47.112.* OR DestinationIp:104.47.113.* OR DestinationIp:104.47.114.* OR DestinationIp:104.47.115.* OR DestinationIp:104.47.116.* OR DestinationIp:104.47.117.* OR DestinationIp:104.47.118.* OR DestinationIp:104.47.119.* OR DestinationIp:104.47.120.* OR DestinationIp:104.47.121.* OR DestinationIp:104.47.122.* OR DestinationIp:104.47.123.* OR DestinationIp:104.47.124.* OR DestinationIp:104.47.125.* OR DestinationIp:104.47.126.* OR DestinationIp:104.47.127.* OR DestinationIp:2a01\:111\:f400\:* OR DestinationIp:2a01\:111\:f403\:*) DestinationPort:443) OR ((DestinationIp:40.92.* OR DestinationIp:40.93.* OR DestinationIp:40.107.* OR DestinationIp:52.100.* OR DestinationIp:52.101.* OR DestinationIp:52.102.* OR DestinationIp:52.103.* OR DestinationIp:52.238.78.88 OR DestinationIp:104.47.0.* OR DestinationIp:104.47.1.* OR DestinationIp:104.47.2.* OR DestinationIp:104.47.3.* OR DestinationIp:104.47.4.* OR DestinationIp:104.47.5.* OR DestinationIp:104.47.6.* OR DestinationIp:104.47.7.* OR DestinationIp:104.47.8.* OR DestinationIp:104.47.9.* OR DestinationIp:104.47.10.* OR DestinationIp:104.47.11.* OR DestinationIp:104.47.12.* OR DestinationIp:104.47.13.* OR DestinationIp:104.47.14.* OR DestinationIp:104.47.15.* OR DestinationIp:104.47.16.* OR DestinationIp:104.47.17.* OR DestinationIp:104.47.18.* OR DestinationIp:104.47.19.* OR DestinationIp:104.47.20.* OR DestinationIp:104.47.21.* OR DestinationIp:104.47.22.* OR DestinationIp:104.47.23.* OR DestinationIp:104.47.24.* OR DestinationIp:104.47.25.* OR DestinationIp:104.47.26.* OR DestinationIp:104.47.27.* OR DestinationIp:104.47.28.* OR DestinationIp:104.47.29.* OR DestinationIp:104.47.30.* OR DestinationIp:104.47.31.* OR DestinationIp:104.47.32.* OR DestinationIp:104.47.33.* OR DestinationIp:104.47.34.* 
OR DestinationIp:104.47.35.* OR DestinationIp:104.47.36.* OR DestinationIp:104.47.37.* OR DestinationIp:104.47.38.* OR DestinationIp:104.47.39.* OR DestinationIp:104.47.40.* OR DestinationIp:104.47.41.* OR DestinationIp:104.47.42.* OR DestinationIp:104.47.43.* OR DestinationIp:104.47.44.* OR DestinationIp:104.47.45.* OR DestinationIp:104.47.46.* OR DestinationIp:104.47.47.* OR DestinationIp:104.47.48.* OR DestinationIp:104.47.49.* OR DestinationIp:104.47.50.* OR DestinationIp:104.47.51.* OR DestinationIp:104.47.52.* OR DestinationIp:104.47.53.* OR DestinationIp:104.47.54.* OR DestinationIp:104.47.55.* OR DestinationIp:104.47.56.* OR DestinationIp:104.47.57.* OR DestinationIp:104.47.58.* OR DestinationIp:104.47.59.* OR DestinationIp:104.47.60.* OR DestinationIp:104.47.61.* OR DestinationIp:104.47.62.* OR DestinationIp:104.47.63.* OR DestinationIp:104.47.64.* OR DestinationIp:104.47.65.* OR DestinationIp:104.47.66.* OR DestinationIp:104.47.67.* OR DestinationIp:104.47.68.* OR DestinationIp:104.47.69.* OR DestinationIp:104.47.70.* OR DestinationIp:104.47.71.* OR DestinationIp:104.47.72.* OR DestinationIp:104.47.73.* OR DestinationIp:104.47.74.* OR DestinationIp:104.47.75.* OR DestinationIp:104.47.76.* OR DestinationIp:104.47.77.* OR DestinationIp:104.47.78.* OR DestinationIp:104.47.79.* OR DestinationIp:104.47.80.* OR DestinationIp:104.47.81.* OR DestinationIp:104.47.82.* OR DestinationIp:104.47.83.* OR DestinationIp:104.47.84.* OR DestinationIp:104.47.85.* OR DestinationIp:104.47.86.* OR DestinationIp:104.47.87.* OR DestinationIp:104.47.88.* OR DestinationIp:104.47.89.* OR DestinationIp:104.47.90.* OR DestinationIp:104.47.91.* OR DestinationIp:104.47.92.* OR DestinationIp:104.47.93.* OR DestinationIp:104.47.94.* OR DestinationIp:104.47.95.* OR DestinationIp:104.47.96.* OR DestinationIp:104.47.97.* OR DestinationIp:104.47.98.* OR DestinationIp:104.47.99.* OR DestinationIp:104.47.100.* OR DestinationIp:104.47.101.* OR DestinationIp:104.47.102.* OR 
DestinationIp:104.47.103.* OR DestinationIp:104.47.104.* OR DestinationIp:104.47.105.* OR DestinationIp:104.47.106.* OR DestinationIp:104.47.107.* OR DestinationIp:104.47.108.* OR DestinationIp:104.47.109.* OR DestinationIp:104.47.110.* OR DestinationIp:104.47.111.* OR DestinationIp:104.47.112.* OR DestinationIp:104.47.113.* OR DestinationIp:104.47.114.* OR DestinationIp:104.47.115.* OR DestinationIp:104.47.116.* OR DestinationIp:104.47.117.* OR DestinationIp:104.47.118.* OR DestinationIp:104.47.119.* OR DestinationIp:104.47.120.* OR DestinationIp:104.47.121.* OR DestinationIp:104.47.122.* OR DestinationIp:104.47.123.* OR DestinationIp:104.47.124.* OR DestinationIp:104.47.125.* OR DestinationIp:104.47.126.* OR DestinationIp:104.47.127.* OR DestinationIp:2a01\:111\:f400\:* OR DestinationIp:2a01\:111\:f403\:*) DestinationPort:25) OR ((DestinationIp:13.107.136.* OR DestinationIp:13.107.137.* OR DestinationIp:13.107.138.* OR DestinationIp:13.107.139.* OR DestinationIp:40.108.128.* OR DestinationIp:40.108.129.* OR DestinationIp:40.108.130.* OR DestinationIp:40.108.131.* OR DestinationIp:40.108.132.* OR DestinationIp:40.108.133.* OR DestinationIp:40.108.134.* OR DestinationIp:40.108.135.* OR DestinationIp:40.108.136.* OR DestinationIp:40.108.137.* OR DestinationIp:40.108.138.* OR DestinationIp:40.108.139.* OR DestinationIp:40.108.140.* OR DestinationIp:40.108.141.* OR DestinationIp:40.108.142.* OR DestinationIp:40.108.143.* OR DestinationIp:40.108.144.* OR DestinationIp:40.108.145.* OR DestinationIp:40.108.146.* OR DestinationIp:40.108.147.* OR DestinationIp:40.108.148.* OR DestinationIp:40.108.149.* OR DestinationIp:40.108.150.* OR DestinationIp:40.108.151.* OR DestinationIp:40.108.152.* OR DestinationIp:40.108.153.* OR DestinationIp:40.108.154.* OR DestinationIp:40.108.155.* OR DestinationIp:40.108.156.* OR DestinationIp:40.108.157.* OR DestinationIp:40.108.158.* OR DestinationIp:40.108.159.* OR DestinationIp:40.108.160.* OR DestinationIp:40.108.161.* OR 
DestinationIp:40.108.162.* OR DestinationIp:40.108.163.* OR DestinationIp:40.108.164.* OR DestinationIp:40.108.165.* OR DestinationIp:40.108.166.* OR DestinationIp:40.108.167.* OR DestinationIp:40.108.168.* OR DestinationIp:40.108.169.* OR DestinationIp:40.108.170.* OR DestinationIp:40.108.171.* OR DestinationIp:40.108.172.* OR DestinationIp:40.108.173.* OR DestinationIp:40.108.174.* OR DestinationIp:40.108.175.* OR DestinationIp:40.108.176.* OR DestinationIp:40.108.177.* OR DestinationIp:40.108.178.* OR DestinationIp:40.108.179.* OR DestinationIp:40.108.180.* OR DestinationIp:40.108.181.* OR DestinationIp:40.108.182.* OR DestinationIp:40.108.183.* OR DestinationIp:40.108.184.* OR DestinationIp:40.108.185.* OR DestinationIp:40.108.186.* OR DestinationIp:40.108.187.* OR DestinationIp:40.108.188.* OR DestinationIp:40.108.189.* OR DestinationIp:40.108.190.* OR DestinationIp:40.108.191.* OR DestinationIp:40.108.192.* OR DestinationIp:40.108.193.* OR DestinationIp:40.108.194.* OR DestinationIp:40.108.195.* OR DestinationIp:40.108.196.* OR DestinationIp:40.108.197.* OR DestinationIp:40.108.198.* OR DestinationIp:40.108.199.* OR DestinationIp:40.108.200.* OR DestinationIp:40.108.201.* OR DestinationIp:40.108.202.* OR DestinationIp:40.108.203.* OR DestinationIp:40.108.204.* OR DestinationIp:40.108.205.* OR DestinationIp:40.108.206.* OR DestinationIp:40.108.207.* OR DestinationIp:40.108.208.* OR DestinationIp:40.108.209.* OR DestinationIp:40.108.210.* OR DestinationIp:40.108.211.* OR DestinationIp:40.108.212.* OR DestinationIp:40.108.213.* OR DestinationIp:40.108.214.* OR DestinationIp:40.108.215.* OR DestinationIp:40.108.216.* OR DestinationIp:40.108.217.* OR DestinationIp:40.108.218.* OR DestinationIp:40.108.219.* OR DestinationIp:40.108.220.* OR DestinationIp:40.108.221.* OR DestinationIp:40.108.222.* OR DestinationIp:40.108.223.* OR DestinationIp:40.108.224.* OR DestinationIp:40.108.225.* OR DestinationIp:40.108.226.* OR DestinationIp:40.108.227.* OR 
DestinationIp:40.108.228.* OR DestinationIp:40.108.229.* OR DestinationIp:40.108.230.* OR DestinationIp:40.108.231.* OR DestinationIp:40.108.232.* OR DestinationIp:40.108.233.* OR DestinationIp:40.108.234.* OR DestinationIp:40.108.235.* OR DestinationIp:40.108.236.* OR DestinationIp:40.108.237.* OR DestinationIp:40.108.238.* OR DestinationIp:40.108.239.* OR DestinationIp:40.108.240.* OR DestinationIp:40.108.241.* OR DestinationIp:40.108.242.* OR DestinationIp:40.108.243.* OR DestinationIp:40.108.244.* OR DestinationIp:40.108.245.* OR DestinationIp:40.108.246.* OR DestinationIp:40.108.247.* OR DestinationIp:40.108.248.* OR DestinationIp:40.108.249.* OR DestinationIp:40.108.250.* OR DestinationIp:40.108.251.* OR DestinationIp:40.108.252.* OR DestinationIp:40.108.253.* OR DestinationIp:40.108.254.* OR DestinationIp:40.108.255.* OR DestinationIp:52.104.* OR DestinationIp:52.105.* OR DestinationIp:52.106.* OR DestinationIp:52.107.* OR DestinationIp:104.146.128.* OR DestinationIp:104.146.129.* OR DestinationIp:104.146.130.* OR DestinationIp:104.146.131.* OR DestinationIp:104.146.132.* OR DestinationIp:104.146.133.* OR DestinationIp:104.146.134.* OR DestinationIp:104.146.135.* OR DestinationIp:104.146.136.* OR DestinationIp:104.146.137.* OR DestinationIp:104.146.138.* OR DestinationIp:104.146.139.* OR DestinationIp:104.146.140.* OR DestinationIp:104.146.141.* OR DestinationIp:104.146.142.* OR DestinationIp:104.146.143.* OR DestinationIp:104.146.144.* OR DestinationIp:104.146.145.* OR DestinationIp:104.146.146.* OR DestinationIp:104.146.147.* OR DestinationIp:104.146.148.* OR DestinationIp:104.146.149.* OR DestinationIp:104.146.150.* OR DestinationIp:104.146.151.* OR DestinationIp:104.146.152.* OR DestinationIp:104.146.153.* OR DestinationIp:104.146.154.* OR DestinationIp:104.146.155.* OR DestinationIp:104.146.156.* OR DestinationIp:104.146.157.* OR DestinationIp:104.146.158.* OR DestinationIp:104.146.159.* OR DestinationIp:104.146.160.* OR DestinationIp:104.146.161.* OR 
DestinationIp:104.146.162.* OR DestinationIp:104.146.163.* OR DestinationIp:104.146.164.* OR DestinationIp:104.146.165.* OR DestinationIp:104.146.166.* OR DestinationIp:104.146.167.* OR DestinationIp:104.146.168.* OR DestinationIp:104.146.169.* OR DestinationIp:104.146.170.* OR DestinationIp:104.146.171.* OR DestinationIp:104.146.172.* OR DestinationIp:104.146.173.* OR DestinationIp:104.146.174.* OR DestinationIp:104.146.175.* OR DestinationIp:104.146.176.* OR DestinationIp:104.146.177.* OR DestinationIp:104.146.178.* OR DestinationIp:104.146.179.* OR DestinationIp:104.146.180.* OR DestinationIp:104.146.181.* OR DestinationIp:104.146.182.* OR DestinationIp:104.146.183.* OR DestinationIp:104.146.184.* OR DestinationIp:104.146.185.* OR DestinationIp:104.146.186.* OR DestinationIp:104.146.187.* OR DestinationIp:104.146.188.* OR DestinationIp:104.146.189.* OR DestinationIp:104.146.190.* OR DestinationIp:104.146.191.* OR DestinationIp:104.146.192.* OR DestinationIp:104.146.193.* OR DestinationIp:104.146.194.* OR DestinationIp:104.146.195.* OR DestinationIp:104.146.196.* OR DestinationIp:104.146.197.* OR DestinationIp:104.146.198.* OR DestinationIp:104.146.199.* OR DestinationIp:104.146.200.* OR DestinationIp:104.146.201.* OR DestinationIp:104.146.202.* OR DestinationIp:104.146.203.* OR DestinationIp:104.146.204.* OR DestinationIp:104.146.205.* OR DestinationIp:104.146.206.* OR DestinationIp:104.146.207.* OR DestinationIp:104.146.208.* OR DestinationIp:104.146.209.* OR DestinationIp:104.146.210.* OR DestinationIp:104.146.211.* OR DestinationIp:104.146.212.* OR DestinationIp:104.146.213.* OR DestinationIp:104.146.214.* OR DestinationIp:104.146.215.* OR DestinationIp:104.146.216.* OR DestinationIp:104.146.217.* OR DestinationIp:104.146.218.* OR DestinationIp:104.146.219.* OR DestinationIp:104.146.220.* OR DestinationIp:104.146.221.* OR DestinationIp:104.146.222.* OR DestinationIp:104.146.223.* OR DestinationIp:104.146.224.* OR DestinationIp:104.146.225.* OR 
DestinationIp:104.146.226.* OR DestinationIp:104.146.227.* OR DestinationIp:104.146.228.* OR DestinationIp:104.146.229.* OR DestinationIp:104.146.230.* OR DestinationIp:104.146.231.* OR DestinationIp:104.146.232.* OR DestinationIp:104.146.233.* OR DestinationIp:104.146.234.* OR DestinationIp:104.146.235.* OR DestinationIp:104.146.236.* OR DestinationIp:104.146.237.* OR DestinationIp:104.146.238.* OR DestinationIp:104.146.239.* OR DestinationIp:104.146.240.* OR DestinationIp:104.146.241.* OR DestinationIp:104.146.242.* OR DestinationIp:104.146.243.* OR DestinationIp:104.146.244.* OR DestinationIp:104.146.245.* OR DestinationIp:104.146.246.* OR DestinationIp:104.146.247.* OR DestinationIp:104.146.248.* OR DestinationIp:104.146.249.* OR DestinationIp:104.146.250.* OR DestinationIp:104.146.251.* OR DestinationIp:104.146.252.* OR DestinationIp:104.146.253.* OR DestinationIp:104.146.254.* OR DestinationIp:104.146.255.* OR DestinationIp:150.171.40.* OR DestinationIp:150.171.41.* OR DestinationIp:150.171.42.* OR DestinationIp:150.171.43.* OR DestinationIp:2603\:1061\:13* OR DestinationIp:2620\:1ec\:8f8\:* OR DestinationIp:2620\:1ec\:8f9\:* OR DestinationIp:2620\:1ec\:8fa\:* OR DestinationIp:2620\:1ec\:8fb\:* OR DestinationIp:2620\:1ec\:908\:* OR DestinationIp:2620\:1ec\:909\:* OR DestinationIp:2620\:1ec\:90a\:* OR DestinationIp:2620\:1ec\:90b\:* OR DestinationIp:2a01\:111\:f402\:*) (DestinationPort:80 OR DestinationPort:443) Protocol:tcp) OR ((DestinationIp:13.107.6.171 OR DestinationIp:13.107.18.15 OR DestinationIp:13.107.140.6 OR DestinationIp:20.64.* OR DestinationIp:20.65.* OR DestinationIp:20.66.* OR DestinationIp:20.67.* OR DestinationIp:20.68.* OR DestinationIp:20.69.* OR DestinationIp:20.70.* OR DestinationIp:20.71.* OR DestinationIp:20.72.* OR DestinationIp:20.73.* OR DestinationIp:20.74.* OR DestinationIp:20.75.* OR DestinationIp:20.76.* OR DestinationIp:20.77.* OR DestinationIp:20.78.* OR DestinationIp:20.79.* OR DestinationIp:20.80.* OR DestinationIp:20.81.* OR 
DestinationIp:20.82.* OR DestinationIp:20.83.* OR DestinationIp:20.84.* OR DestinationIp:20.85.* OR DestinationIp:20.86.* OR DestinationIp:20.87.* OR DestinationIp:20.88.* OR DestinationIp:20.89.* OR DestinationIp:20.90.* OR DestinationIp:20.91.* OR DestinationIp:20.92.* OR DestinationIp:20.93.* OR DestinationIp:20.94.* OR DestinationIp:20.95.* OR DestinationIp:20.96.* OR DestinationIp:20.97.* OR DestinationIp:20.98.* OR DestinationIp:20.99.* OR DestinationIp:20.100.* OR DestinationIp:20.101.* OR DestinationIp:20.102.* OR DestinationIp:20.103.* OR DestinationIp:20.104.* OR DestinationIp:20.105.* OR DestinationIp:20.106.* OR DestinationIp:20.107.* OR DestinationIp:20.108.* OR DestinationIp:20.109.* OR DestinationIp:20.110.* OR DestinationIp:20.111.* OR DestinationIp:20.112.* OR DestinationIp:20.113.* OR DestinationIp:20.114.* OR DestinationIp:20.115.* OR DestinationIp:20.116.* OR DestinationIp:20.117.* OR DestinationIp:20.118.* OR DestinationIp:20.119.* OR DestinationIp:20.120.* OR DestinationIp:20.121.* OR DestinationIp:20.122.* OR DestinationIp:20.123.* OR DestinationIp:20.124.* OR DestinationIp:20.125.* OR DestinationIp:20.126.* OR DestinationIp:20.127.* OR DestinationIp:52.108.* OR DestinationIp:52.109.* OR DestinationIp:52.110.* OR DestinationIp:52.111.* OR DestinationIp:52.244.37.168 OR DestinationIp:2603\:1006\:14* OR DestinationIp:2603\:1016\:24* OR DestinationIp:2603\:1026\:24* OR DestinationIp:2603\:1036\:24* OR DestinationIp:2603\:1046\:14* OR DestinationIp:2603\:1056\:14* OR DestinationIp:2603\:1063\:20* OR DestinationIp:2603\:1063\:21* OR DestinationIp:2603\:1063\:22* OR DestinationIp:2603\:1063\:23* OR DestinationIp:2620\:1ec\:c\:\:15 OR DestinationIp:2620\:1ec\:8fc\:\:6 OR DestinationIp:2620\:1ec\:a92\:\:171 OR DestinationIp:2a01\:111\:f100\:2000\:\:a83e\:3019 OR DestinationIp:2a01\:111\:f100\:2002\:\:8975\:2d79 OR DestinationIp:2a01\:111\:f100\:2002\:\:8975\:2da8 OR DestinationIp:2a01\:111\:f100\:7000\:\:6fdd\:6cd5 OR 
DestinationIp:2a01\:111\:f100\:a004\:\:bfeb\:88cf) (DestinationPort:80 OR DestinationPort:443) Protocol:tcp) OR ((DestinationIp:172.128.* OR DestinationIp:172.129.* OR DestinationIp:172.130.* OR DestinationIp:172.131.* OR DestinationIp:172.132.* OR DestinationIp:172.133.* OR DestinationIp:172.134.* OR DestinationIp:172.135.* OR DestinationIp:172.136.* OR DestinationIp:172.137.* OR DestinationIp:172.138.* OR DestinationIp:172.139.* OR DestinationIp:172.140.* OR DestinationIp:172.141.* OR DestinationIp:172.142.* OR DestinationIp:172.143.* OR DestinationIp:172.144.* OR DestinationIp:172.145.* OR DestinationIp:172.146.* OR DestinationIp:172.147.* OR DestinationIp:172.148.* OR DestinationIp:172.149.* OR DestinationIp:172.150.* OR DestinationIp:172.151.* OR DestinationIp:172.152.* OR DestinationIp:172.153.* OR DestinationIp:172.154.* OR DestinationIp:172.155.* OR DestinationIp:172.156.* OR DestinationIp:172.157.* OR DestinationIp:172.158.* OR DestinationIp:172.159.* OR DestinationIp:172.160.* OR DestinationIp:172.161.* OR DestinationIp:172.162.* OR DestinationIp:172.163.* OR DestinationIp:172.164.* OR DestinationIp:172.165.* OR DestinationIp:172.166.* OR DestinationIp:172.167.* OR DestinationIp:172.168.* OR DestinationIp:172.169.* OR DestinationIp:172.170.* OR DestinationIp:172.171.* OR DestinationIp:172.172.* OR DestinationIp:172.173.* OR DestinationIp:172.174.* OR DestinationIp:172.175.* OR DestinationIp:172.176.* OR DestinationIp:172.177.* OR DestinationIp:172.178.* OR DestinationIp:172.179.* OR DestinationIp:172.180.* OR DestinationIp:172.181.* OR DestinationIp:172.182.* OR DestinationIp:172.183.* OR DestinationIp:172.184.* OR DestinationIp:172.185.* OR DestinationIp:172.186.* OR DestinationIp:172.187.* OR DestinationIp:172.188.* OR DestinationIp:172.189.* OR DestinationIp:172.190.* OR DestinationIp:172.191.* OR DestinationIp:20.20.32.* OR DestinationIp:20.20.33.* OR DestinationIp:20.20.34.* OR DestinationIp:20.20.35.* OR DestinationIp:20.20.36.* OR 
DestinationIp:20.20.37.* OR DestinationIp:20.20.38.* OR DestinationIp:20.20.39.* OR DestinationIp:20.20.40.* OR DestinationIp:20.20.41.* OR DestinationIp:20.20.42.* OR DestinationIp:20.20.43.* OR DestinationIp:20.20.44.* OR DestinationIp:20.20.45.* OR DestinationIp:20.20.46.* OR DestinationIp:20.20.47.* OR DestinationIp:20.20.48.* OR DestinationIp:20.20.49.* OR DestinationIp:20.20.50.* OR DestinationIp:20.20.51.* OR DestinationIp:20.20.52.* OR DestinationIp:20.20.53.* OR DestinationIp:20.20.54.* OR DestinationIp:20.20.55.* OR DestinationIp:20.20.56.* OR DestinationIp:20.20.57.* OR DestinationIp:20.20.58.* OR DestinationIp:20.20.59.* OR DestinationIp:20.20.60.* OR DestinationIp:20.20.61.* OR DestinationIp:20.20.62.* OR DestinationIp:20.20.63.* OR DestinationIp:20.103.156.88 OR DestinationIp:20.190.128.* OR DestinationIp:20.190.129.* OR DestinationIp:20.190.130.* OR DestinationIp:20.190.131.* OR DestinationIp:20.190.132.* OR DestinationIp:20.190.133.* OR DestinationIp:20.190.134.* OR DestinationIp:20.190.135.* OR DestinationIp:20.190.136.* OR DestinationIp:20.190.137.* OR DestinationIp:20.190.138.* OR DestinationIp:20.190.139.* OR DestinationIp:20.190.140.* OR DestinationIp:20.190.141.* OR DestinationIp:20.190.142.* OR DestinationIp:20.190.143.* OR DestinationIp:20.190.144.* OR DestinationIp:20.190.145.* OR DestinationIp:20.190.146.* OR DestinationIp:20.190.147.* OR DestinationIp:20.190.148.* OR DestinationIp:20.190.149.* OR DestinationIp:20.190.150.* OR DestinationIp:20.190.151.* OR DestinationIp:20.190.152.* OR DestinationIp:20.190.153.* OR DestinationIp:20.190.154.* OR DestinationIp:20.190.155.* OR DestinationIp:20.190.156.* OR DestinationIp:20.190.157.* OR DestinationIp:20.190.158.* OR DestinationIp:20.190.159.* OR DestinationIp:20.190.160.* OR DestinationIp:20.190.161.* OR DestinationIp:20.190.162.* OR DestinationIp:20.190.163.* OR DestinationIp:20.190.164.* OR DestinationIp:20.190.165.* OR DestinationIp:20.190.166.* OR DestinationIp:20.190.167.* OR 
DestinationIp:20.190.168.* OR DestinationIp:20.190.169.* OR DestinationIp:20.190.170.* OR DestinationIp:20.190.171.* OR DestinationIp:20.190.172.* OR DestinationIp:20.190.173.* OR DestinationIp:20.190.174.* OR DestinationIp:20.190.175.* OR DestinationIp:20.190.176.* OR DestinationIp:20.190.177.* OR DestinationIp:20.190.178.* OR DestinationIp:20.190.179.* OR DestinationIp:20.190.180.* OR DestinationIp:20.190.181.* OR DestinationIp:20.190.182.* OR DestinationIp:20.190.183.* OR DestinationIp:20.190.184.* OR DestinationIp:20.190.185.* OR DestinationIp:20.190.186.* OR DestinationIp:20.190.187.* OR DestinationIp:20.190.188.* OR DestinationIp:20.190.189.* OR DestinationIp:20.190.190.* OR DestinationIp:20.190.191.* OR DestinationIp:20.231.128.* OR DestinationIp:20.231.129.* OR DestinationIp:20.231.130.* OR DestinationIp:20.231.131.* OR DestinationIp:20.231.132.* OR DestinationIp:20.231.133.* OR DestinationIp:20.231.134.* OR DestinationIp:20.231.135.* OR DestinationIp:20.231.136.* OR DestinationIp:20.231.137.* OR DestinationIp:20.231.138.* OR DestinationIp:20.231.139.* OR DestinationIp:20.231.140.* OR DestinationIp:20.231.141.* OR DestinationIp:20.231.142.* OR DestinationIp:20.231.143.* OR DestinationIp:20.231.144.* OR DestinationIp:20.231.145.* OR DestinationIp:20.231.146.* OR DestinationIp:20.231.147.* OR DestinationIp:20.231.148.* OR DestinationIp:20.231.149.* OR DestinationIp:20.231.150.* OR DestinationIp:20.231.151.* OR DestinationIp:20.231.152.* OR DestinationIp:20.231.153.* OR DestinationIp:20.231.154.* OR DestinationIp:20.231.155.* OR DestinationIp:20.231.156.* OR DestinationIp:20.231.157.* OR DestinationIp:20.231.158.* OR DestinationIp:20.231.159.* OR DestinationIp:40.126.0.* OR DestinationIp:40.126.1.* OR DestinationIp:40.126.2.* OR DestinationIp:40.126.3.* OR DestinationIp:40.126.4.* OR DestinationIp:40.126.5.* OR DestinationIp:40.126.6.* OR DestinationIp:40.126.7.* OR DestinationIp:40.126.8.* OR DestinationIp:40.126.9.* OR DestinationIp:40.126.10.* OR 
DestinationIp:40.126.11.* OR DestinationIp:40.126.12.* OR DestinationIp:40.126.13.* OR DestinationIp:40.126.14.* OR DestinationIp:40.126.15.* OR DestinationIp:40.126.16.* OR DestinationIp:40.126.17.* OR DestinationIp:40.126.18.* OR DestinationIp:40.126.19.* OR DestinationIp:40.126.20.* OR DestinationIp:40.126.21.* OR DestinationIp:40.126.22.* OR DestinationIp:40.126.23.* OR DestinationIp:40.126.24.* OR DestinationIp:40.126.25.* OR DestinationIp:40.126.26.* OR DestinationIp:40.126.27.* OR DestinationIp:40.126.28.* OR DestinationIp:40.126.29.* OR DestinationIp:40.126.30.* OR DestinationIp:40.126.31.* OR DestinationIp:40.126.32.* OR DestinationIp:40.126.33.* OR DestinationIp:40.126.34.* OR DestinationIp:40.126.35.* OR DestinationIp:40.126.36.* OR DestinationIp:40.126.37.* OR DestinationIp:40.126.38.* OR DestinationIp:40.126.39.* OR DestinationIp:40.126.40.* OR DestinationIp:40.126.41.* OR DestinationIp:40.126.42.* OR DestinationIp:40.126.43.* OR DestinationIp:40.126.44.* OR DestinationIp:40.126.45.* OR DestinationIp:40.126.46.* OR DestinationIp:40.126.47.* OR DestinationIp:40.126.48.* OR DestinationIp:40.126.49.* OR DestinationIp:40.126.50.* OR DestinationIp:40.126.51.* OR DestinationIp:40.126.52.* OR DestinationIp:40.126.53.* OR DestinationIp:40.126.54.* OR DestinationIp:40.126.55.* OR DestinationIp:40.126.56.* OR DestinationIp:40.126.57.* OR DestinationIp:40.126.58.* OR DestinationIp:40.126.59.* OR DestinationIp:40.126.60.* OR DestinationIp:40.126.61.* OR DestinationIp:40.126.62.* OR DestinationIp:40.126.63.* OR DestinationIp:57.150.* OR DestinationIp:57.151.* OR DestinationIp:2603\:1006\:2000\:* OR DestinationIp:2603\:1007\:200\:* OR DestinationIp:2603\:1016\:1400\:* OR DestinationIp:2603\:1017\:* OR DestinationIp:2603\:1026\:3000\:* OR DestinationIp:2603\:1027\:1\:* OR DestinationIp:2603\:1036\:3000\:* OR DestinationIp:2603\:1037\:1\:* OR DestinationIp:2603\:1046\:2000\:* OR DestinationIp:2603\:1047\:1\:* OR DestinationIp:2603\:1056\:2000\:* OR 
DestinationIp:2603\:1057\:2\:*) (DestinationPort:80 OR DestinationPort:443) Protocol:tcp) OR ((DestinationIp:13.64.* OR DestinationIp:13.65.* OR DestinationIp:13.66.* OR DestinationIp:13.67.* OR DestinationIp:13.68.* OR DestinationIp:13.69.* OR DestinationIp:13.70.* OR DestinationIp:13.71.* OR DestinationIp:13.72.* OR DestinationIp:13.73.* OR DestinationIp:13.74.* OR DestinationIp:13.75.* OR DestinationIp:13.76.* OR DestinationIp:13.77.* OR DestinationIp:13.78.* OR DestinationIp:13.79.* OR DestinationIp:13.80.* OR DestinationIp:13.81.* OR DestinationIp:13.82.* OR DestinationIp:13.83.* OR DestinationIp:13.84.* OR DestinationIp:13.85.* OR DestinationIp:13.86.* OR DestinationIp:13.87.* OR DestinationIp:13.88.* OR DestinationIp:13.89.* OR DestinationIp:13.90.* OR DestinationIp:13.91.* OR DestinationIp:13.92.* OR DestinationIp:13.93.* OR DestinationIp:13.94.* OR DestinationIp:13.95.* OR DestinationIp:13.107.6.192 OR DestinationIp:13.107.9.192 OR DestinationIp:13.89.179.14 OR DestinationIp:20.40.* OR DestinationIp:20.41.* OR DestinationIp:20.42.* OR DestinationIp:20.43.* OR DestinationIp:20.48.* OR DestinationIp:20.49.* OR DestinationIp:20.50.* OR DestinationIp:20.51.* OR DestinationIp:20.52.* OR DestinationIp:20.53.* OR DestinationIp:20.54.* OR DestinationIp:20.55.* OR DestinationIp:20.56.* OR DestinationIp:20.57.* OR DestinationIp:20.58.* OR DestinationIp:20.59.* OR DestinationIp:20.60.* OR DestinationIp:20.61.* OR DestinationIp:20.62.* OR DestinationIp:20.63.* OR DestinationIp:20.64.* OR DestinationIp:20.65.* OR DestinationIp:20.66.* OR DestinationIp:20.67.* OR DestinationIp:20.68.* OR DestinationIp:20.69.* OR DestinationIp:20.70.* OR DestinationIp:20.71.* OR DestinationIp:20.72.* OR DestinationIp:20.73.* OR DestinationIp:20.74.* OR DestinationIp:20.75.* OR DestinationIp:20.76.* OR DestinationIp:20.77.* OR DestinationIp:20.78.* OR DestinationIp:20.79.* OR DestinationIp:52.123.* OR DestinationIp:52.108.* OR DestinationIp:52.109.* OR DestinationIp:52.110.* OR 
DestinationIp:52.111.* OR DestinationIp:52.136.* OR DestinationIp:52.137.* OR DestinationIp:52.138.* OR DestinationIp:52.139.* OR DestinationIp:52.140.* OR DestinationIp:52.141.* OR DestinationIp:52.142.* OR DestinationIp:52.143.* OR DestinationIp:57.150.* OR DestinationIp:57.151.* OR DestinationIp:80.239.150.67 OR DestinationIp:2620\:1ec\:4\:\:192 OR DestinationIp:2620\:1ec\:a92\:\:192) DestinationPort:443 Protocol:tcp) OR (DestinationHostname:.deploy.static.akamaitechnologies.com DestinationPort:443 Protocol:tcp)))
view Sigma YAML
title: Office Application Initiated Network Connection To Non-Local IP
id: 75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84
status: test
description: |
    Detects an office application (Word, Excel, PowerPoint) that initiates a network connection to a non-private IP address.
    This rule aims to detect traffic similar to one seen exploited in CVE-2021-42292.
    This rule will require an initial baseline and tuning that is specific to your organization.
references:
    - https://corelight.com/blog/detecting-cve-2021-42292
    - https://learn.microsoft.com/de-de/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide
author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
date: 2021-11-10
modified: 2025-10-17
tags:
    - attack.execution
    - attack.t1203
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith:
            - '\excel.exe'
            - '\outlook.exe'
            - '\powerpnt.exe'
            - '\winword.exe'
            - '\wordview.exe'
        Initiated: 'true'
    filter_main_local_ranges:
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - '::1/128'  # IPv6 loopback
            - 'fe80::/10'  # IPv6 link-local addresses
            - 'fc00::/7'  # IPv6 private addresses
    filter_main_msrange_generic:
        DestinationIp|cidr:
            - '2.16.56.0/23' # Akamai International B.V.
            - '2.17.248.0/21' # Akamai International B.V.
            - '13.107.240.0/21' # Microsoft Corporation
            - '20.184.0.0/13' # Microsoft Corporation
            - '23.61.224.0/20' # Akamai-AS
            - '20.192.0.0/10' # Microsoft Corporation
            - '23.72.0.0/13' # Akamai International B.V.
            - '23.3.88.0/22' # Akamai-AS
            - '23.216.132.0/22' # Akamai-AS
            - '40.76.0.0/14' # Microsoft Corporation
            - '51.10.0.0/15' # Microsoft Corporation
            - '51.103.0.0/16' # Microsoft Corporation
            - '51.104.0.0/15' # Microsoft Corporation
            - '51.142.136.0/22' # Microsoft Corporation - https://ipinfo.io/AS8075/51.140.0.0/14-51.142.136.0/22
            - '52.160.0.0/11' # Microsoft Corporation - https://ipinfo.io/AS8075/52.160.0.0/11
            - '95.101.96.0/21' # Akamai-As
            - '204.79.197.0/24' # Microsoft Corporation
    filter_main_msrange_exchange_1:
        # Exchange Online
        # "urls": [
        #       "outlook.cloud.microsoft",
        #       "outlook.office.com",
        #       "outlook.office365.com"
        # ]
        DestinationIp|cidr:
            - '13.107.4.0/22'
            - '13.107.6.152/31'
            - '13.107.18.10/31'
            - '13.107.42.0/23'
            - '13.107.128.0/22'
            - '23.35.224.0/20'
            - '23.53.40.0/22'
            - '23.103.160.0/20'
            - '23.216.76.0/22'
            - '40.96.0.0/13'
            - '40.104.0.0/15'
            - '52.96.0.0/14'
            - '131.253.33.215/32'
            - '132.245.0.0/16'
            - '150.171.32.0/22'
            - '204.79.197.215/32'
            - '2603:1006::/40'
            - '2603:1016::/36'
            - '2603:1026::/36'
            - '2603:1036::/36'
            - '2603:1046::/36'
            - '2603:1056::/36'
            - '2620:1ec:4::152/128'
            - '2620:1ec:4::153/128'
            - '2620:1ec:c::10/128'
            - '2620:1ec:c::11/128'
            - '2620:1ec:d::10/128'
            - '2620:1ec:d::11/128'
            - '2620:1ec:8f0::/46'
            - '2620:1ec:900::/46'
            - '2620:1ec:a92::152/128'
            - '2620:1ec:a92::153/128'
        DestinationPort:
            - 80
            - 443
    filter_main_msrange_exchange_2:
        # Exchange Online
        # "urls": [
        #       "outlook.office365.com",
        #       "smtp.office365.com"
        # ]
        DestinationIp|cidr:
            - '13.107.6.152/31'
            - '13.107.18.10/31'
            - '13.107.128.0/22'
            - '23.103.160.0/20'
            - '40.96.0.0/13'
            - '40.104.0.0/15'
            - '52.96.0.0/14'
            - '131.253.33.215/32'
            - '132.245.0.0/16'
            - '150.171.32.0/22'
            - '204.79.197.215/32'
            - '2603:1006::/40'
            - '2603:1016::/36'
            - '2603:1026::/36'
            - '2603:1036::/36'
            - '2603:1046::/36'
            - '2603:1056::/36'
            - '2620:1ec:4::152/128'
            - '2620:1ec:4::153/128'
            - '2620:1ec:c::10/128'
            - '2620:1ec:c::11/128'
            - '2620:1ec:d::10/128'
            - '2620:1ec:d::11/128'
            - '2620:1ec:8f0::/46'
            - '2620:1ec:900::/46'
            - '2620:1ec:a92::152/128'
            - '2620:1ec:a92::153/128'
        DestinationPort:
            - 143
            - 587
            - 993
            - 995
        Protocol: 'tcp'
    filter_main_msrange_exchange_3:
        # Exchange Online
        # "urls": [
        #       "*.protection.outlook.com"
        #  ]
        DestinationIp|cidr:
            - '40.92.0.0/15'
            - '40.107.0.0/16'
            - '52.100.0.0/14'
            - '52.238.78.88/32'
            - '104.47.0.0/17'
            - '2a01:111:f400::/48'
            - '2a01:111:f403::/48'
        DestinationPort: 443
    filter_main_msrange_exchange_4:
        # Exchange Online
        # "urls": [
        #       "*.mail.protection.outlook.com",
        #       "*.mx.microsoft"
        #  ]
        DestinationIp|cidr:
            - '40.92.0.0/15'
            - '40.107.0.0/16'
            - '52.100.0.0/14'
            - '52.238.78.88/32'
            - '104.47.0.0/17'
            - '2a01:111:f400::/48'
            - '2a01:111:f403::/48'
        DestinationPort: 25
    filter_main_msrange_sharepoint_1:
        # SharePoint Online and OneDrive for Business
        # "urls": [
        #       "*.sharepoint.com"
        # ]
        DestinationIp|cidr:
            - '13.107.136.0/22'
            - '40.108.128.0/17'
            - '52.104.0.0/14'
            - '104.146.128.0/17'
            - '150.171.40.0/22'
            - '2603:1061:1300::/40'
            - '2620:1ec:8f8::/46'
            - '2620:1ec:908::/46'
            - '2a01:111:f402::/48'
        DestinationPort:
            - 80
            - 443
        Protocol: 'tcp'
    filter_main_msrange_office_1:
        # Microsoft 365 Common and Office Online
        # "urls": [
        #       "*.officeapps.live.com",
        #       "*.online.office.com",
        #       "office.live.com",
        #       "office.com.akadns.net"
        # ],
        DestinationIp|cidr:
            - '13.107.6.171/32'
            - '13.107.18.15/32'
            - '13.107.140.6/32'
            - '20.64.0.0/10'
            - '52.108.0.0/14'
            - '52.244.37.168/32'
            - '2603:1006:1400::/40'
            - '2603:1016:2400::/40'
            - '2603:1026:2400::/40'
            - '2603:1036:2400::/40'
            - '2603:1046:1400::/40'
            - '2603:1056:1400::/40'
            - '2603:1063:2000::/38'
            - '2620:1ec:c::15/128'
            - '2620:1ec:8fc::6/128'
            - '2620:1ec:a92::171/128'
            - '2a01:111:f100:2000::a83e:3019/128'
            - '2a01:111:f100:2002::8975:2d79/128'
            - '2a01:111:f100:2002::8975:2da8/128'
            - '2a01:111:f100:7000::6fdd:6cd5/128'
            - '2a01:111:f100:a004::bfeb:88cf/128'
        DestinationPort:
            - 80
            - 443
        Protocol: 'tcp'
    filter_main_msrange_office_2:
        # Microsoft 365 Common and Office Online
        # "urls": [
        #       "*.auth.microsoft.com",
        #       "*.msftidentity.com",
        #       "*.msidentity.com",
        #       "account.activedirectory.windowsazure.com",
        #       "accounts.accesscontrol.windows.net",
        #       "adminwebservice.microsoftonline.com",
        #       "api.passwordreset.microsoftonline.com",
        #       "autologon.microsoftazuread-sso.com",
        #       "becws.microsoftonline.com",
        #       "ccs.login.microsoftonline.com",
        #       "clientconfig.microsoftonline-p.net",
        #       "cloudapp.azure.com",
        #       "companymanager.microsoftonline.com",
        #       "device.login.microsoftonline.com",
        #       "graph.microsoft.com",
        #       "graph.windows.net",
        #       "login-us.microsoftonline.com",
        #       "login.microsoft.com",
        #       "login.microsoftonline-p.com",
        #       "login.microsoftonline.com",
        #       "login.windows.net",
        #       "logincert.microsoftonline.com",
        #       "loginex.microsoftonline.com",
        #       "nexus.microsoftonline-p.com",
        #       "passwordreset.microsoftonline.com",
        #       "provisioningapi.microsoftonline.com",
        #       "web.core.windows.net",
        # ]
        DestinationIp|cidr:
            - '172.128.0.0/10'
            - '20.20.32.0/19'
            - '20.103.156.88/32' # msn.com
            - '20.190.128.0/18'
            - '20.231.128.0/19'
            - '40.126.0.0/18'
            - '57.150.0.0/15'
            - '2603:1006:2000::/48'
            - '2603:1007:200::/48'
            - '2603:1016:1400::/48'
            - '2603:1017::/48'
            - '2603:1026:3000::/48'
            - '2603:1027:1::/48'
            - '2603:1036:3000::/48'
            - '2603:1037:1::/48'
            - '2603:1046:2000::/48'
            - '2603:1047:1::/48'
            - '2603:1056:2000::/48'
            - '2603:1057:2::/48'
        DestinationPort:
            - 80
            - 443
        Protocol: 'tcp'
    filter_main_msrange_office_3:
        # Microsoft 365 Common and Office Online
        #  "urls": [
        #       "*.compliance.microsoft.com",
        #       "*.data.microsoft.com",
        #       "*.protection.office.com",
        #       "*.security.microsoft.com",
        #       "compliance.microsoft.com",
        #       "defender.microsoft.com",
        #       "protection.office.com",
        #       "security.microsoft.com",
        #       "teams.microsoft.com",
        #  ]
        DestinationIp|cidr:
            - '13.64.0.0/11'
            - '13.107.6.192/32'
            - '13.107.9.192/32'
            - '13.89.179.14/32'
            - '20.40.0.0/14'
            - '20.48.0.0/12'
            - '20.64.0.0/12'
            - '52.123.0.0/16'
            - '52.108.0.0/14'
            - '52.136.0.0/13'
            - '57.150.0.0/15'
            - '80.239.150.67/32' # Arelion Sweden AB
            - '2620:1ec:4::192/128'
            - '2620:1ec:a92::192/128'
        DestinationPort: 443
        Protocol: 'tcp'
    filter_main_destination_host:
        DestinationHostname|endswith: '.deploy.static.akamaitechnologies.com'
        DestinationPort: 443
        Protocol: 'tcp'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - You may have to tune out certain domains that Excel calls out to, such as Microsoft domains or other business-use-case domains.
    - Office documents commonly use templates that refer to external addresses, such as "sharepoint.ourcompany.com"; these may have to be tuned.
    - It is highly recommended to baseline your activity and tune out common business use cases.
level: medium
medium
Office Application Startup - Office Test
Detects the addition of the Office test registry key, which allows a user to specify an arbitrary DLL that is executed every time an Office application is started
status test author omkar72 id 3d27f6dd-1c74-4687-b4fa-ca849d128d1c
carbon_black query
TargetObject:\\Software\\Microsoft\\Office\ test\\Special\\Perf*
view Sigma YAML
title: Office Application Startup - Office Test
id: 3d27f6dd-1c74-4687-b4fa-ca849d128d1c
status: test
description: Detects the addition of the Office test registry key, which allows a user to specify an arbitrary DLL that is executed every time an Office application is started
references:
    - https://unit42.paloaltonetworks.com/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/
author: omkar72
date: 2020-10-25
modified: 2023-11-08
tags:
    - attack.persistence
    - attack.t1137.002
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|contains: '\Software\Microsoft\Office test\Special\Perf'
    condition: selection
falsepositives:
    - Unlikely
level: medium
medium
Office Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry. Adversaries may modify these keys to execute malicious code when Office files are opened. There are various legitimate add-ins that also use these keys and this filter list might not be exhaustive. Thus, it is recommended to review and tune filters for your environment to reduce false positives before deploying to production.
status test author Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) id baecf8fb-edbf-429f-9ade-31fc3f22b970
No stored carbon_black translation for this rule.
view Sigma YAML
title: Office Autorun Keys Modification
id: baecf8fb-edbf-429f-9ade-31fc3f22b970
related:
    - id: 17f878b8-9968-4578-b814-c4217fc5768c
      type: obsolete
status: test
description: |
    Detects modification of autostart extensibility point (ASEP) in registry. Adversaries may modify these keys to execute malicious code when Office files are opened.
    There are various legitimate add-ins that also use these keys and this filter list might not be exhaustive.
    Thus, it is recommended to review and tune filters for your environment to reduce false positives before deploying to production.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2026-01-09
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    selection_office_root:
        TargetObject|contains:
            - '\Software\Wow6432Node\Microsoft\Office'
            - '\Software\Microsoft\Office'
    selection_office_details:
        TargetObject|contains:
            - '\Word\Addins'
            - '\PowerPoint\Addins'
            - '\Outlook\Addins'
            - '\Onenote\Addins'
            - '\Excel\Addins'
            - '\Access\Addins'
            - 'test\Special\Perf'
    filter_main_empty:
        Details: '(Empty)'
    filter_main_null:
        Details: null
    filter_main_known_addins:
        Image|startswith:
            - 'C:\Program Files\Microsoft Office\'
            - 'C:\Program Files (x86)\Microsoft Office\'
            - 'C:\PROGRA~2\MICROS~2\Office'
            - 'C:\Windows\System32\msiexec.exe'
            - 'C:\Windows\SysWOW64\msiexec.exe'
            - 'C:\Windows\System32\regsvr32.exe'
            - 'C:\Windows\SysWOW64\regsvr32.exe'
        TargetObject|contains:
            # Remove any unused addins in your environment from the filter
            # Known addins for excel
            - '\Excel\Addins\AdHocReportingExcelClientLib.AdHocReportingExcelClientAddIn.1\'
            - '\Excel\Addins\ExcelPlugInShell.PowerMapConnect\'
            - '\Excel\Addins\NativeShim\'
            - '\Excel\Addins\NativeShim.InquireConnector.1\'
            - '\Excel\Addins\PowerPivotExcelClientAddIn.NativeEntry.1\'
            # Known addins for outlook
            - '\Outlook\AddIns\AccessAddin.DC\'
            - '\Outlook\AddIns\ColleagueImport.ColleagueImportAddin\'
            - '\Outlook\AddIns\EvernoteCC.EvernoteContactConnector\'
            - '\Outlook\AddIns\EvernoteOLRD.Connect\'
            # - '\Outlook\Addins\GrammarlyAddIn.Connect' # Uncomment if you use Grammarly
            - '\Outlook\Addins\\OneNote.OutlookAddin'
            - '\Outlook\Addins\DriveFSExtensionLib.Connect\' # An Outlook Add-in to talk with Google Drive
            - '\Outlook\Addins\GoogleAppsSync.Connect\' # Google Apps Sync for Microsoft Outlook
            - '\Outlook\Addins\Microsoft.VbaAddinForOutlook.1\'
            - '\Outlook\Addins\OcOffice.OcForms\'
            - '\Outlook\Addins\OscAddin.Connect\'
            - '\Outlook\Addins\OutlookChangeNotifier.Connect\'
            - '\Outlook\Addins\UCAddin.LyncAddin.1'
            - '\Outlook\Addins\UCAddin.UCAddin.1'
            - '\Outlook\Addins\UmOutlookAddin.FormRegionAddin\'
            - 'AddinTakeNotesService\FriendlyName'
    filter_main_officeclicktorun:
        Image|startswith:
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
        Image|endswith: '\OfficeClickToRun.exe'
    filter_main_vsto:
        Image|startswith:
            - 'C:\Program Files\Common Files\Microsoft Shared\VSTO\'
            - 'C:\Program Files (x86)\Microsoft Shared\VSTO\'
        Image|endswith: '\VSTOInstaller.exe'
    filter_optional_avg:
        Image:
            - 'C:\Program Files\AVG\Antivirus\RegSvr.exe'
            - 'C:\Program Files\AVG\Antivirus\x86\RegSvr.exe'
        TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\'
    filter_optional_avast:
        Image:
            - 'C:\Program Files\Avast Software\Avast\RegSvr.exe'
            - 'C:\Program Files\Avast Software\Avast\x86\RegSvr.exe'
        TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Avast.AsOutExt\'
    # These filters are not exhaustive, filter can be expanded based on environment
    condition: all of selection_office_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate software or add-in installations and administrative configurations
    - Automatic registry modifications during legitimate software installations
level: medium