VMware Carbon Black
1,440 rules · Sigma detections in VMware Carbon Black syntax
The same Sigma detection corpus, machine-rendered into VMware Carbon Black query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 3,646 rules (.zip, 1.2 MB): every VMware Carbon Black query in this view, packaged to deploy.
Filter by technique (pick techniques from the ATT&CK matrix); rules per tactic:
Reconnaissance: 12
Resource Development: 10
Initial Access: 10
Execution: 30
Persistence: 42
Privilege Escalation: 20
Stealth: 79
Defense Impairment: 32
Credential Access: 35
Discovery: 33
Lateral Movement: 16
Collection: 20
Command and Control: 24
Exfiltration: 10
Impact: 18
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
Detection rules
50 shown of 1,440
PAExec Service Installation
Level: medium | Quality: Moderate | Alert volume: Medium FP
Sigma YAML:
title: PAExec Service Installation
id: de7ce410-b3fb-4e8a-b38c-3b999e2c3420
status: test
description: Detects PAExec service installation
references:
    - https://www.poweradmin.com/paexec/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-26
tags:
    - attack.execution
    - attack.t1569.002
logsource:
    product: windows
    service: system
detection:
    selection_eid:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection_image:
        - ServiceName|startswith: 'PAExec-'
        - ImagePath|startswith: 'C:\WINDOWS\PAExec-'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
PDQ Deploy Remote Administration Tool Execution
Level: medium | Quality: Moderate | Alert volume: High FP
Sigma YAML:
title: PDQ Deploy Remote Administration Tool Execution
id: d679950c-abb7-43a6-80fb-2a480c4fc450
related:
    - id: 12b8e9f5-96b2-41e1-9a42-8c6779a5c184
      type: similar
status: test
description: Detect use of PDQ Deploy remote admin tool
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1072/T1072.md
    - https://www.pdq.com/pdq-deploy/
author: frack113
date: 2022-10-01
modified: 2023-01-30
tags:
    - attack.execution
    - attack.lateral-movement
    - attack.t1072
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Description: PDQ Deploy Console
        - Product: PDQ Deploy
        - Company: PDQ.com
        - OriginalFileName: PDQDeployConsole.exe
    condition: selection
falsepositives:
    - Legitimate use
level: medium
PSScriptPolicyTest Creation By Uncommon Process
Level: medium | Quality: Strong | Alert volume: Medium FP
Sigma YAML:
title: PSScriptPolicyTest Creation By Uncommon Process
id: 1027d292-dd87-4a1a-8701-2abe04d7783c
status: test
description: Detects the creation of the "PSScriptPolicyTest" PowerShell script by an uncommon process. This file is usually generated by Microsoft PowerShell to test against AppLocker.
references:
    - https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-01
modified: 2025-10-07
tags:
    - attack.stealth
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains: '__PSScriptPolicyTest_'
    filter_main_powershell:
        Image:
            - 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
            - 'C:\Program Files\PowerShell\7\pwsh.exe'
            - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
            - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
            - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
            - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
    filter_main_pwsh_preview:
        Image|contains:
            - 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview'
            - '\AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview'
        Image|endswith: '\pwsh.exe'
    filter_main_generic:
        Image:
            - 'C:\Windows\System32\dsac.exe'
            - 'C:\Windows\System32\sdiagnhost.exe'
            - 'C:\Windows\System32\ServerManager.exe'
            - 'C:\Windows\System32\wsmprovhost.exe'
            - 'C:\Windows\SysWOW64\sdiagnhost.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
PST Export Alert Using New-ComplianceSearchAction
Level: medium | Quality: Moderate | Alert volume: Medium FP
Sigma YAML:
title: PST Export Alert Using New-ComplianceSearchAction
id: 6897cd82-6664-11ed-9022-0242ac120002
related:
    - id: 18b88d08-d73e-4f21-bc25-4b9892a4fdd0
      type: similar
status: test
description: Alert when a user has performed an export of a search using 'New-ComplianceSearchAction' with the '-Export' flag. This detection will detect PST export even if the 'eDiscovery search or exported' alert is disabled in O365. This rule applies to ExchangePowerShell usage and to usage from the cloud.
references:
    - https://learn.microsoft.com/en-us/powershell/module/exchange/new-compliancesearchaction?view=exchange-ps
author: Nikita Khalimonenkov
date: 2022-11-17
tags:
    - attack.collection
    - attack.t1114
logsource:
    service: threat_management
    product: m365
detection:
    selection:
        eventSource: SecurityComplianceCenter
        Payload|contains|all:
            - 'New-ComplianceSearchAction'
            - 'Export'
            - 'pst'
    condition: selection
falsepositives:
    - Exporting a PST can be done for legitimate purposes by legitimate sources, but due to the sensitive nature of PST content, it must be monitored.
level: medium
PST Export Alert Using eDiscovery Alert
Level: medium | Quality: Moderate | Alert volume: Low FP
Sigma YAML:
title: PST Export Alert Using eDiscovery Alert
id: 18b88d08-d73e-4f21-bc25-4b9892a4fdd0
related:
    - id: 6897cd82-6664-11ed-9022-0242ac120002
      type: similar
status: test
description: Alert when a user has performed an eDiscovery search or exported a PST file from the search. This PST file usually contains sensitive information, including email body content.
references:
    - https://learn.microsoft.com/en-us/microsoft-365/compliance/alert-policies?view=o365-worldwide
author: Sorina Ionescu
date: 2022-02-08
modified: 2022-11-17
tags:
    - attack.collection
    - attack.t1114
logsource:
    service: threat_management
    product: m365
    definition: Requires the 'eDiscovery search or exported' alert to be enabled
detection:
    selection:
        eventSource: SecurityComplianceCenter
        eventName: 'eDiscovery search started or exported'
        status: success
    condition: selection
falsepositives:
    - PST export can be done for legitimate purposes but due to the sensitive nature of its content it must be monitored.
level: medium
PUA - AWS TruffleHog Execution
Level: medium | Quality: Moderate | Alert volume: Medium FP
Sigma YAML:
title: PUA - AWS TruffleHog Execution
id: a840e606-7c8c-4684-9bc1-eb6b6155127f
status: experimental
description: |
    Detects the execution of TruffleHog, a popular open-source tool used for scanning repositories for secrets and sensitive information, within an AWS environment.
    It has been reported to be used by threat actors for credential harvesting. All detections should be investigated to determine if the usage is authorized by security teams or potentially malicious.
references:
    - https://github.com/trufflesecurity/trufflehog
    - https://www.rapid7.com/blog/post/tr-crimson-collective-a-new-threat-group-observed-operating-in-the-cloud/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-21
tags:
    - attack.credential-access
    - attack.t1555
    - attack.t1003
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        userAgent: 'TruffleHog'
    condition: selection
falsepositives:
    - Legitimate use of TruffleHog by security teams for credential scanning.
level: medium
PUA - AdFind.EXE Execution
Level: medium | Quality: Moderate | Alert volume: High FP
Sigma YAML:
title: PUA - AdFind.EXE Execution
id: 514e7e3e-b3b4-4a67-af60-be20f139198b
related:
    - id: 455b9d50-15a1-4b99-853f-8d37655a4c1b
      type: similar
status: experimental
description: Detects execution of Adfind.exe utility, which can be used for reconnaissance in an Active Directory environment
references:
    - https://www.joeware.net/freetools/tools/adfind/
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-02-26
tags:
    - attack.discovery
    - attack.t1087.002
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        - Image|endswith: '\AdFind.exe'
        - OriginalFileName: 'AdFind.exe'
        - Hashes|contains:
            - 'IMPHASH=d144de8117df2beceaba2201ad304764'
            - 'IMPHASH=12ce1c0f3f5837ecc18a3782408fa975'
            - 'IMPHASH=bca5675746d13a1f246e2da3c2217492'
            - 'IMPHASH=4fbf3f084fbbb2470b80b2013134df35'
            - 'IMPHASH=49b639b4acbecc49d72a01f357aa4930'
            - 'IMPHASH=53e117a96057eaf19c41380d0e87f1c2'
            - 'IMPHASH=680dad9e300346e05a85023965867201'
            - 'IMPHASH=21aa085d54992511b9f115355e468782'
    condition: selection
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_adfind_execution/info.yml
PUA - Advanced IP Scanner Execution
Level: medium | Quality: Strong | Alert volume: High FP
Sigma YAML:
title: PUA - Advanced IP Scanner Execution
id: bef37fa2-f205-4a7b-b484-0759bfd5f86f
status: test
description: Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
references:
    - https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
    - https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
    - https://labs.f-secure.com/blog/prelude-to-ransomware-systembc
    - https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf
    - https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer
    - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner
author: Nasreddine Bencherchali (Nextron Systems), @ROxPinTeddy
date: 2020-05-12
modified: 2023-02-07
tags:
    - attack.discovery
    - attack.t1046
    - attack.t1135
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|contains: '\advanced_ip_scanner' # Covers also advanced_ip_scanner_console.exe
        - OriginalFileName|contains: 'advanced_ip_scanner' # Covers also advanced_ip_scanner_console.exe
        - Description|contains: 'Advanced IP Scanner'
    selection_cli:
        CommandLine|contains|all:
            - '/portable'
            - '/lng'
    condition: 1 of selection_*
falsepositives:
    - Legitimate administrative use
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner/info.yml
PUA - Advanced IP/Port Scanner Update Check
Level: medium | Quality: Moderate | Alert volume: High FP
Sigma YAML:
title: PUA - Advanced IP/Port Scanner Update Check
id: 1a9bb21a-1bb5-42d7-aa05-3219c7c8f47d
status: test
description: Detect the update check performed by Advanced IP/Port Scanner utilities.
references:
    - https://www.advanced-ip-scanner.com/
    - https://www.advanced-port-scanner.com/
author: Axel Olsson
date: 2022-08-14
modified: 2024-02-15
tags:
    - attack.discovery
    - attack.reconnaissance
    - attack.t1590
logsource:
    category: proxy
detection:
    selection:
        # Example request: http://www.advanced-port-scanner.com/checkupdate.php?lng=en&ver=2-5-3680&beta=n&type=upd&rmode=p&product=aps
        # Example request2: http://www.advanced-ip-scanner.com/checkupdate.php?lng=en&ver=2-5-3499&beta=n&type=upd&rmode=p&product=aips
        c-uri|contains: '/checkupdate.php'
        c-uri-query|contains|all:
            - 'lng='
            - 'ver='
            - 'beta='
            - 'type='
            - 'rmode='
            - 'product='
    condition: selection
falsepositives:
    - Expected if you legitimately use the Advanced IP or Port Scanner utilities in your environment.
level: medium
PUA - Advanced Port Scanner Execution
Level: medium | Quality: Moderate | Alert volume: High FP
Sigma YAML:
title: PUA - Advanced Port Scanner Execution
id: 54773c5f-f1cc-4703-9126-2f797d96a69d
status: test
description: Detects the use of Advanced Port Scanner.
references:
    - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20Port%20Scanner
author: Nasreddine Bencherchali (Nextron Systems)
date: 2021-12-18
modified: 2023-02-07
tags:
    - attack.discovery
    - attack.t1046
    - attack.t1135
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|contains: '\advanced_port_scanner'
        - OriginalFileName|contains: 'advanced_port_scanner' # Covers also advanced_port_scanner_console.exe
        - Description|contains: 'Advanced Port Scanner'
    selection_cli:
        CommandLine|contains|all:
            - '/portable'
            - '/lng'
    condition: 1 of selection_*
falsepositives:
    - Legitimate administrative use
    - Tools with similar commandline (very rare)
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_advanced_port_scanner/info.yml
PUA - AdvancedRun Execution
Level: medium | Quality: Moderate | Alert volume: High FP
Sigma YAML:
title: PUA - AdvancedRun Execution
id: d2b749ee-4225-417e-b20e-a8d2193cbb84
related:
    - id: fa00b701-44c6-4679-994d-5a18afa8a707
      type: similar
status: test
description: Detects the execution of AdvancedRun utility
references:
    - https://twitter.com/splinter_code/status/1483815103279603714
    - https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3
    - https://www.elastic.co/security-labs/operation-bleeding-bear
    - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
author: Florian Roth (Nextron Systems)
date: 2022-01-20
modified: 2023-02-21
tags:
    - attack.execution
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1564.003
    - attack.t1134.002
    - attack.t1059.003
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        - OriginalFileName: 'AdvancedRun.exe'
        - CommandLine|contains|all:
            - ' /EXEFilename '
            - ' /Run'
        - CommandLine|contains|all:
            - ' /WindowState 0'
            - ' /RunAs '
            - ' /CommandLine '
    condition: selection
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_advancedrun/info.yml
PUA - CSExec Default Named Pipe
Level: medium | Quality: Moderate | Alert volume: Medium FP
Sigma YAML:
title: PUA - CSExec Default Named Pipe
id: f318b911-ea88-43f4-9281-0de23ede628e
related:
    - id: 9e77ed63-2ecf-4c7b-b09d-640834882028
      type: obsolete
status: test
description: Detects default CSExec pipe creation
references:
    - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
    - https://github.com/malcomvetter/CSExec
author: Nikita Nazarov, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-07
modified: 2023-11-30
tags:
    - attack.lateral-movement
    - attack.t1021.002
    - attack.execution
    - attack.t1569.002
logsource:
    product: windows
    category: pipe_created
    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
    selection:
        PipeName|contains: '\csexecsvc'
    condition: selection
falsepositives:
    - Legitimate Administrator activity
level: medium
PUA - Mouse Lock Execution
Level: medium | Quality: Moderate | Alert volume: High FP
Sigma YAML:
title: PUA - Mouse Lock Execution
id: c9192ad9-75e5-43eb-8647-82a0a5b493e3
status: test
description: In Kaspersky's 2020 Incident Response Analyst Report they listed the legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents.
references:
    - https://github.com/klsecservices/Publications/blob/657deb6a6eb6e00669afd40173f425fb49682eaa/Incident-Response-Analyst-Report-2020.pdf
    - https://sourceforge.net/projects/mouselock/
author: Cian Heasley
date: 2020-08-13
modified: 2023-02-21
tags:
    - attack.credential-access
    - attack.collection
    - attack.t1056.002
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        - Product|contains: 'Mouse Lock'
        - Company|contains: 'Misc314'
        - CommandLine|contains: 'Mouse Lock_'
    condition: selection
falsepositives:
    - Legitimate uses of Mouse Lock software
level: medium
PUA - NimScan Execution
Level: medium | Quality: Moderate | Alert volume: High FP
Sigma YAML:
title: PUA - NimScan Execution
id: 4fd6b1c7-19b8-4488-97f6-00f0924991a3
status: test
description: |
    Detects usage of NimScan, a portscanner utility.
    In early 2025, adversaries were observed using this utility to scan for open ports on remote hosts in a compromised environment.
    This rule identifies the execution of NimScan based on the process image name and specific hash values associated with different versions of the tool.
references:
    - https://x.com/cyberfeeddigest/status/1887041526397587859
    - https://github.com/elddy/NimScan
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-02-05
tags:
    - attack.discovery
    - attack.t1046
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\NimScan.exe' # Other metadata fields such as originalfilename and product were omitted because they were null
        - Hashes|contains:
            - 'IMPHASH=41BB1C7571B3A724EB83A1D2B96DBB8C' # v1.0.8
            - 'IMPHASH=B1B6ADACB172795480179EFD18A29549' # v1.0.6
            - 'IMPHASH=0D1F896DC7642AD8384F9042F30279C2' # v1.0.4 and v1.0.2
    condition: selection
falsepositives:
    - Legitimate administrator activity
level: medium
PUA - NirCmd Execution
Level: medium | Quality: Strong | Alert volume: Medium FP
Sigma YAML:
title: PUA - NirCmd Execution
id: 4e2ed651-1906-4a59-a78a-18220fca1b22
status: test
description: Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity
references:
    - https://www.nirsoft.net/utils/nircmd.html
    - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
    - https://www.nirsoft.net/utils/nircmd2.html#using
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-24
modified: 2023-02-13
tags:
    - attack.execution
    - attack.t1569.002
    - attack.s0029
logsource:
    category: process_creation
    product: windows
detection:
    selection_org:
        - Image|endswith: '\NirCmd.exe'
        - OriginalFileName: 'NirCmd.exe'
    selection_cmd:
        CommandLine|contains:
            - ' execmd '
            - '.exe script '
            - '.exe shexec '
            - ' runinteractive '
    combo_exec:
        CommandLine|contains:
            - ' exec '
            - ' exec2 '
    combo_exec_params:
        CommandLine|contains:
            - ' show '
            - ' hide '
    condition: 1 of selection_* or all of combo_*
falsepositives:
    - Legitimate use by administrators
level: medium
PUA - Nmap/Zenmap Execution
Level: medium | Quality: Moderate | Alert volume: High FP
Sigma YAML:
title: PUA - Nmap/Zenmap Execution
id: f6ecd1cf-19b8-4488-97f6-00f0924991a3
status: test
description: Detects usage of nmap/zenmap. Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation
references:
    - https://nmap.org/
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-3---port-scan-nmap-for-windows
author: frack113
date: 2021-12-10
modified: 2023-12-11
tags:
    - attack.discovery
    - attack.t1046
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith:
            - '\nmap.exe'
            - '\zennmap.exe'
        - OriginalFileName:
            - 'nmap.exe'
            - 'zennmap.exe'
    condition: selection
falsepositives:
    - Legitimate administrator activity
level: medium
PUA - PAExec Default Named Pipe
Level: medium | Quality: Moderate | Alert volume: Medium FP
Sigma YAML:
title: PUA - PAExec Default Named Pipe
id: f6451de4-df0a-41fa-8d72-b39f54a08db5
status: test
description: Detects PAExec default named pipe
references:
    - https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/efa17a600b43c897b4b7463cc8541daa1987eeb4/Command%20and%20Control/C2-NamedPipe.md
    - https://github.com/poweradminllc/PAExec
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-26
tags:
    - attack.execution
    - attack.t1569.002
logsource:
    category: pipe_created
    product: windows
    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
    selection:
        PipeName|startswith: '\PAExec'
    condition: selection
falsepositives:
    - Unknown
level: medium
PUA - PingCastle Execution
Level: medium | Quality: Moderate | Alert volume: High FP
Sigma YAML:
title: PUA - PingCastle Execution
id: b1cb4ab6-ac31-43f4-adf1-d9d08957419c
related:
    - id: b37998de-a70b-4f33-b219-ec36bf433dc0
      type: derived
status: test
description: Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level.
references:
    - https://github.com/vletoux/pingcastle
    - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
    - https://github.com/fengjixuchui/Start-ADEnum/blob/e237a739db98b6104427d833004836507da36a58/Functions/Start-ADEnum.ps1#L450
    - https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680
    - https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699
    - https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8
    - https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2024-01-11
tags:
    - attack.reconnaissance
    - attack.t1595
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Hashes|contains:
            # PingCastle.exe
            - 'MD5=f741f25ac909ee434e50812d436c73ff'
            - 'MD5=d40acbfc29ee24388262e3d8be16f622'
            - 'MD5=01bb2c16fadb992fa66228cd02d45c60'
            - 'MD5=9e1b18e62e42b5444fc55b51e640355b'
            - 'MD5=b7f8fe33ac471b074ca9e630ba0c7e79'
            - 'MD5=324579d717c9b9b8e71d0269d13f811f'
            - 'MD5=63257a1ddaf83cfa43fe24a3bc06c207'
            - 'MD5=049e85963826b059c9bac273bb9c82ab'
            - 'MD5=ecb98b7b4d4427eb8221381154ff4cb2'
            - 'MD5=faf87749ac790ec3a10dd069d10f9d63'
            - 'MD5=f296dba5d21ad18e6990b1992aea8f83'
            - 'MD5=93ba94355e794b6c6f98204cf39f7a11'
            - 'MD5=a258ef593ac63155523a461ecc73bdba'
            - 'MD5=97000eb5d1653f1140ee3f47186463c4'
            - 'MD5=95eb317fbbe14a82bd9fdf31c48b8d93'
            - 'MD5=32fe9f0d2630ac40ea29023920f20f49'
            - 'MD5=a05930dde939cfd02677fc18bb2b7df5'
            - 'MD5=124283924e86933ff9054a549d3a268b'
            - 'MD5=ceda6909b8573fdeb0351c6920225686'
            - 'MD5=60ce120040f2cd311c810ae6f6bbc182'
            - 'MD5=2f10cdc5b09100a260703a28eadd0ceb'
            - 'MD5=011d967028e797a4c16d547f7ba1463f'
            - 'MD5=2da9152c0970500c697c1c9b4a9e0360'
            - 'MD5=b5ba72034b8f44d431f55275bace9f8b'
            - 'MD5=d6ed9101df0f24e27ff92ddab42dacca'
            - 'MD5=3ed3cdb6d12aa1ac562ad185cdbf2d1d'
            - 'MD5=5e083cd0143ae95a6cb79b68c07ca573'
            - 'MD5=28caff93748cb84be70486e79f04c2df'
            - 'MD5=9d4f12c30f9b500f896efd1800e4dd11'
            - 'MD5=4586f7dd14271ad65a5fb696b393f4c0'
            - 'MD5=86ba9dddbdf49215145b5bcd081d4011'
            - 'MD5=9dce0a481343874ef9a36c9a825ef991'
            - 'MD5=85890f62e231ad964b1fda7a674747ec'
            - 'MD5=599be548da6441d7fe3e9a1bb8cb0833'
            - 'MD5=9b0c7fd5763f66e9b8c7b457fce53f96'
            - 'MD5=32d45718164205aec3e98e0223717d1d'
            - 'MD5=6ff5f373ee7f794cd17db50704d00ddb'
            - 'MD5=88efbdf41f0650f8f58a3053b0ca0459'
            - 'MD5=ef915f61f861d1fb7cbde9afd2e7bd93'
            - 'MD5=781fa16511a595757154b4304d2dd350'
            - 'MD5=5018ec39be0e296f4fc8c8575bfa8486'
            - 'MD5=f4a84d6f1caf0875b50135423d04139f'
            - 'SHA1=9c1431801fa6342ed68f047842b9a11778fc669b'
            - 'SHA1=c36c862f40dad78cb065197aad15fef690c262f2'
            - 'SHA1=bc8e23faea8b3c537f268b3e81d05b937012272d'
            - 'SHA1=12e0357658614ff60d480d1a6709be68a2e40c5f'
            - 'SHA1=18b33ab5719966393d424a3edbfa8dec225d98fa'
            - 'SHA1=f14c9633040897d375e3069fddc71e859f283778'
            - 'SHA1=08041b426c9f112ad2061bf3c8c718e34739d4fc'
            - 'SHA1=7be77c885d0c9a4af4cecc64d512987cf93ba937'
            - 'SHA1=72dbb719b05f89d9d2dbdf186714caf7639daa36'
            - 'SHA1=5b1498beb2cfb4d971e377801e7abce62c0e315b'
            - 'SHA1=292629c6ab33bddf123d26328025e2d157d9e8fc'
            - 'SHA1=be59e621e83a2d4c87b0e6c69a2d22f175408b11'
            - 'SHA1=0250ce9a716ab8cca1c70a9de4cbc49a51934995'
            - 'SHA1=607e1fa810c799735221a609af3bfc405728c02d'
            - 'SHA1=ab1c547f6d1c07a9e0a01e46adea3aae1cac12e3'
            - 'SHA1=044cf5698a8e6b0aeba5acb56567f06366a9a70a'
            - 'SHA1=ef2dea8c736d49607832986c6c2d6fdd68ba6491'
            - 'SHA1=efffc2bfb8af2e3242233db9a7109b903fc3f178'
            - 'SHA1=5a05d4320de9afbc84de8469dd02b3a109efb2d4'
            - 'SHA1=a785d88cf8b862a420b9be793ee6a9616aa94c84'
            - 'SHA1=5688d56cbaf0d934c4e37b112ba257e8fb63f4ea'
            - 'SHA1=5cd2ada1c26815fbfd6a0cd746d5d429c0d83a17'
            - 'SHA1=81d67b3d70c4e855cb11a453cc32997517708362'
            - 'SHA1=9cffce9de95e0109f4dfecce0ab2cb0a59cc58ad'
            - 'SHA1=09c6930d057f49c1c1e11cf9241fffc8c12df3a2'
            - 'SHA1=e27bf7db8d96db9d4c8a06ee5e9b8e9fcb86ac92'
            - 'SHA1=9e3c992415e390f9ada4d15c693b687f38a492d1'
            - 'SHA1=3f34a5ee303d37916584c888c4928e1c1164f92a'
            - 'SHA1=ea4c8c56a8f5c90a4c08366933e5fb2de611d0db'
            - 'SHA1=3150f14508ee4cae19cf09083499d1cda8426540'
            - 'SHA1=036ad9876fa552b1298c040e233d620ea44689c6'
            - 'SHA1=3a3c1dcb146bb4616904157344ce1a82cd173bf5'
            - 'SHA1=6230d6fca973fa26188dfbadede57afb4c15f75c'
            - 'SHA1=8f7b2a9b8842f339b1e33602b7f926ab65de1a4d'
            - 'SHA1=a586bb06b59a4736a47abff8423a54fe8e2c05c4'
            - 'SHA1=c82152cddf9e5df49094686531872ecd545976db'
            - 'SHA1=04c39ffc18533100aaa4f9c06baf2c719ac94a61'
            - 'SHA1=e082affa5cdb2d46452c6601a9e85acb8446b836'
            - 'SHA1=a075bfb6cf5c6451ce682197a87277c8bc188719'
            - 'SHA1=34c0c5839af1c92bce7562b91418443a2044c90d'
            - 'SHA1=74e10a9989e0ec8fe075537ac802bd3031ae7e08'
            - 'SHA1=3a515551814775df0ccbe09f219bc972eae45a10'
            - 'SHA256=90fd5b855b5107e7abaaefb6e658f50d5d6e08ac28e35f31d8b03dcabf77872b'
            - 'SHA256=5836c24f233f77342fee825f3cad73caab7ab4fb65ec2aec309fd12bc1317e85'
            - 'SHA256=e850e54b12331249c357a20604281b9abf8a91e6f3d957463fc625e6b126ef03'
            - 'SHA256=9e752f29edcd0db9931c20b173eee8d4d8196f87382c68a6e7eb4c8a44d58795'
            - 'SHA256=7a8c127d6c41f80d178d2315ed2f751ac91b1cd54d008af13680e04f068f426f'
            - 'SHA256=9f65e1c142c4f814e056a197a2241fd09e09acf245c62897109871137321a72a'
            - 'SHA256=c9b52d03c66d54d6391c643b3559184b1425c84a372081ec2bfed07ebf6af275'
            - 'SHA256=1b96f6218498aa6baf6f6c15b8f99e542077e33feb1ab5472bbbf7d4de43eb6b'
            - 'SHA256=768021fc242054decc280675750dec0a9e74e764b8646864c58756fa2386d2a2'
            - 'SHA256=1e1b32bef31be040f0f038fcb5a2d68fb192daaef23c6167f91793d21e06ebae'
            - 'SHA256=606bd75ed9d2d6107ea7ee67063d1761a99f2fb5e932c8344d11395d24587dd6'
            - 'SHA256=b489d3cdd158f040322ae5c8d0139ad28eff743c738a10f2d0255c7e149bd92a'
            - 'SHA256=ca7ecf04a8ad63aff330492c15270d56760cb223a607cdb1431fb00e1b9985d1'
            - 'SHA256=9dc4fca72463078b70f6516559a179c78400b06534e63ee12fb38adbe2632559'
            - 'SHA256=c00d2aee59bac087d769e09b5b7f832176f7714fefdc6af2502e6031e3eb37c2'
            - 'SHA256=a8e96d564687064190eaf865774f773def05fdbf651aa5bbf66216c077b863ef'
            - 'SHA256=84ed328cee2a0505e87662faf6fc57915e3a831c97ee88ad691f5c63522e139d'
            - 'SHA256=c143de99c57965d3a44c1fce6a97c2773b050609c1ea7f45688a4ca2422a5524'
            - 'SHA256=01d1efd5e552c59baa70c0778902233c05fde7de6e5cc156c62607df0804d36b'
            - 'SHA256=9a8dfeb7e3174f3510691e2b32d0f9088e0ed67d9ed1b2afbe450d70dec2016b'
            - 'SHA256=63b92a114075d855f706979d50ed3460fe39f8a2f5498b7657f0d14865117629'
            - 'SHA256=2eb014130ff837b6481c26f0d0152f84de22ca7370b15a4f51921e0054a2a358'
            - 'SHA256=7d5bb4271bf8ca2b63a59e731f3ec831dbda53adb8e28665e956afb4941f32ca'
            - 'SHA256=e57098a75bf32e127c214b61bfba492d6b209e211f065fcc84ff10637a2143ea'
            - 'SHA256=dd14dbcdbcfcf4bc108a926b9667af4944a3b6faf808cf1bb9a3a2554722e172'
            - 'SHA256=dca2b1b824cb28bd15577eace45bde7ff8f8f44705b17085524659de31761de4'
            - 'SHA256=8b95f339a07d59a8c8d8580283dffb9e8dfabdeb9171e42c948ab68c71afe7f2'
            - 'SHA256=5428a840fab6ac4a0ecb2fc20dbc5f928432b00b9297dd1cb6e69336f44eba66'
            - 'SHA256=e2517ae0fccaa4aefe039026a4fc855964f0c2a5f84177140200b0e58ddbfd27'
            - 'SHA256=75d05880de2593480254181215dd9a0075373876f2f4a2a4a9a654b2e0729a41'
            - 'SHA256=56490e14ce3817c3a1ddc0d97b96e90d6351bcd29914e7c9282f6a998cca84b1'
            - 'SHA256=f25d0a5e77e4ed9e7c4204a33cfc8e46281b43adbee550b15701dd00f41bdbe0'
            - 'SHA256=845a5fdcbb08e7efa7e0eabfcd881c9eebc0eec0a3a2f8689194e6b91b6eeaf8'
            - 'SHA256=9a89e6652e563d26a3f328ba23d91f464c9549da734557c5a02559df24b2700d'
            - 'SHA256=5614f2bc9b2ed414aab2c5c7997bdcbe8236e67ced8f91a63d1b6cfbe6e08726'
            - 'SHA256=37bf92dcedb47a90d8d38ebda8d8dd168ef5803dcb01161f8cf6d68b70d49d90'
            - 'SHA256=ec8590f91f5cc21e931c57345425f0625a6e37dfba026b222260450de40459f5'
            - 'SHA256=3994eb72b1c227c593e14b8cad7001de11d1c247d4fbf84d0714bb8a17853140'
            - 'SHA256=d654f870436d63c9d8e4390d9d4d898abdf0456736c7654d71cdf81a299c3f87'
            - 'SHA256=63fbfabd4d8afb497dee47d112eb9d683671b75a8bf6407c4bd5027fd211b892'
            - 'SHA256=47028053f05188e6a366fff19bedbcad2bc4daba8ff9e4df724b77d0181b7054'
            - 'SHA256=7c1b1e8c880a30c43b3a52ee245f963a977e1f40284f4b83f4b9afe3821753dd'
        - Image|endswith: '\PingCastle.exe'
        - OriginalFileName: PingCastle.exe
        - Product: 'Ping Castle'
        - CommandLine|contains:
            - '--scanner aclcheck'
            - '--scanner antivirus'
            - '--scanner computerversion'
            - '--scanner foreignusers'
            - '--scanner laps_bitlocker'
            - '--scanner localadmin'
            - '--scanner nullsession'
            - '--scanner nullsession-trust'
            - '--scanner oxidbindings'
            - '--scanner remote'
            - '--scanner share'
            - '--scanner smb'
            - '--scanner smb3querynetwork'
            - '--scanner spooler'
            - '--scanner startup'
            - '--scanner zerologon'
        - CommandLine|contains: '--no-enum-limit'
        - CommandLine|contains|all:
            - '--healthcheck'
            - '--level Full'
        - CommandLine|contains|all:
            - '--healthcheck'
            - '--server '
    condition: selection
falsepositives:
    - Unknown
# Note: As this is a PUA the level may vary depending on your environment. Reduce or increase the level as you see fit
level: medium
medium
Strong
Medium FP
PUA - Potential PE Metadata Tamper Using Rcedit
Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.
title: PUA - Potential PE Metadata Tamper Using Rcedit
id: 0c92f2e6-f08f-4b73-9216-ecb0ca634689
status: test
description: Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.
references:
    - https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe
    - https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915
    - https://github.com/electron/rcedit
author: Micah Babinski
date: 2022-12-11
modified: 2023-03-05
tags:
    - attack.stealth
    - attack.t1036.003
    - attack.t1036
    - attack.t1027.005
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\rcedit-x64.exe'
              - '\rcedit-x86.exe'
        - Description: 'Edit resources of exe'
        - Product: 'rcedit'
    selection_flags:
        CommandLine|contains: '--set-' # Covers multiple edit commands such as "--set-resource-string" or "--set-version-string"
    selection_attributes:
        CommandLine|contains:
            - 'OriginalFileName'
            - 'CompanyName'
            - 'FileDescription'
            - 'ProductName'
            - 'ProductVersion'
            - 'LegalCopyright'
    condition: all of selection_*
falsepositives:
    - Legitimate use of the tool by administrators or users to update metadata of a binary
level: medium
medium
Moderate
High FP
PUA - Process Hacker Execution
Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc).
Process Hacker is a tool to view and manipulate processes, kernel options and other low level options.
Threat actors abused older vulnerable versions to manipulate system processes.
title: PUA - Process Hacker Execution
id: 811e0002-b13b-4a15-9d00-a613fce66e42
related:
    - id: 5722dff1-4bdd-4949-86ab-fbaf707e767a
      type: similar
status: test
description: |
    Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc).
    Process Hacker is a tool to view and manipulate processes, kernel options and other low level options.
    Threat actors abused older vulnerable versions to manipulate system processes.
references:
    - https://processhacker.sourceforge.io/
    - https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/
author: Florian Roth (Nextron Systems)
date: 2022-10-10
modified: 2024-11-23
tags:
    - attack.discovery
    - attack.persistence
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1622
    - attack.t1564
    - attack.t1543
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|contains: '\ProcessHacker_'
        - Image|endswith: '\ProcessHacker.exe'
        - OriginalFileName:
              - 'ProcessHacker.exe'
              - 'Process Hacker'
        - Description: 'Process Hacker'
        - Product: 'Process Hacker'
        - Hashes|contains:
              - 'MD5=68F9B52895F4D34E74112F3129B3B00D'
              - 'MD5=B365AF317AE730A67C936F21432B9C71'
              - 'SHA1=A0BDFAC3CE1880B32FF9B696458327CE352E3B1D'
              - 'SHA1=C5E2018BF7C0F314FED4FD7FE7E69FA2E648359E'
              - 'SHA256=D4A0FE56316A2C45B9BA9AC1005363309A3EDC7ACF9E4DF64D326A0FF273E80F'
              - 'SHA256=BD2C2CF0631D881ED382817AFCCE2B093F4E412FFB170A719E2762F250ABFEA4'
              - 'IMPHASH=3695333C60DEDECDCAFF1590409AA462'
              - 'IMPHASH=04DE0AD9C37EB7BD52043D2ECAC958DF'
    condition: selection
falsepositives:
    - While Process Hacker is sometimes used by legitimate administrators, the execution of Process Hacker must be investigated and allowed on a case by case basis
level: medium
medium
Moderate
High FP
PUA - Radmin Viewer Utility Execution
Detects the execution of Radmin which can be abused by an adversary to remotely control Windows machines
title: PUA - Radmin Viewer Utility Execution
id: 5817e76f-4804-41e6-8f1d-5fa0b3ecae2d
status: test
description: Detects the execution of Radmin which can be abused by an adversary to remotely control Windows machines
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1072/T1072.md
    - https://www.radmin.fr/
author: frack113
date: 2022-01-22
modified: 2023-12-11
tags:
    - attack.execution
    - attack.lateral-movement
    - attack.t1072
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Description: 'Radmin Viewer'
        - Product: 'Radmin Viewer'
        - OriginalFileName: 'Radmin.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Moderate
Medium FP
PUA - RemCom Default Named Pipe
Detects default RemCom pipe creation
title: PUA - RemCom Default Named Pipe
id: d36f87ea-c403-44d2-aa79-1a0ac7c24456
related:
    - id: 9e77ed63-2ecf-4c7b-b09d-640834882028
      type: obsolete
status: test
description: Detects default RemCom pipe creation
references:
    - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
    - https://github.com/kavika13/RemCom
author: Nikita Nazarov, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-07
modified: 2023-11-30
tags:
    - attack.lateral-movement
    - attack.t1021.002
    - attack.execution
    - attack.t1569.002
logsource:
    product: windows
    category: pipe_created
    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
    selection:
        PipeName|contains: '\RemCom'
    condition: selection
falsepositives:
    - Legitimate Administrator activity
level: medium
medium
Moderate
High FP
PUA - SoftPerfect Netscan Execution
Detects usage of SoftPerfect's "netscan.exe", an application for scanning networks.
It is actively used in-the-wild by threat actors to inspect and understand the network architecture of a victim.
title: PUA - SoftPerfect Netscan Execution
id: ca387a8e-1c84-4da3-9993-028b45342d30
status: test
description: |
    Detects usage of SoftPerfect's "netscan.exe", an application for scanning networks.
    It is actively used in-the-wild by threat actors to inspect and understand the network architecture of a victim.
references:
    - https://www.protect.airbus.com/blog/uncovering-cyber-intruders-netscan/
    - https://secjoes-reports.s3.eu-central-1.amazonaws.com/Sockbot%2Bin%2BGoLand.pdf
    - https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue
    - https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/
    - https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/
    - https://www.softperfect.com/products/networkscanner/
author: '@d4ns4n_ (Wuerth-Phoenix)'
date: 2024-04-25
tags:
    - attack.discovery
    - attack.t1046
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\netscan.exe'
        - Product: 'Network Scanner'
        - Description: 'Application for scanning networks'
    condition: selection
falsepositives:
    - Legitimate administrator activity
level: medium
medium
Moderate
Medium FP
PUA - Sysinternals Tools Execution - Registry
Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. (part of the Sysinternals suite) via the creation of the "accepteula" registry key.
title: PUA - Sysinternals Tools Execution - Registry
id: c7da8edc-49ae-45a2-9e61-9fd860e4e73d
related:
    - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
      type: derived
    - id: 9841b233-8df8-4ad7-9133-b0b4402a9014
      type: obsolete
status: test
description: Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. (part of the Sysinternals suite) via the creation of the "accepteula" registry key.
references:
    - https://twitter.com/Moti_B/status/1008587936735035392
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-24
modified: 2025-10-26
tags:
    - attack.resource-development
    - attack.t1588.002
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains:
            - '\Active Directory Explorer'
            - '\Handle'
            - '\LiveKd'
            - '\Process Explorer'
            - '\ProcDump'
            - '\PsExec'
            - '\PsLoglist'
            - '\PsPasswd'
            - '\SDelete'
            - '\Sysinternals' # Global level https://twitter.com/leonzandman/status/1561736801953382400
        TargetObject|endswith: '\EulaAccepted'
    condition: selection
falsepositives:
    - Legitimate use of Sysinternals tools. Filter the legitimate paths used in your environment
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_pua_sysinternals_susp_execution_via_eula/info.yml
medium
Moderate
High FP
PUA - System Informer Driver Load
Detects driver load of the System Informer tool
title: PUA - System Informer Driver Load
id: 10cb6535-b31d-4512-9962-513dcbc42cc1
related:
    - id: 67add051-9ee7-4ad3-93ba-42935615ae8d
      type: similar
status: test
description: Detects driver load of the System Informer tool
references:
    - https://systeminformer.sourceforge.io/
    - https://github.com/winsiderss/systeminformer
author: Florian Roth (Nextron Systems)
date: 2023-05-08
modified: 2024-11-23
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1543
logsource:
    category: driver_load
    product: windows
detection:
    selection:
        - ImageLoaded|endswith: '\SystemInformer.sys'
        - Hashes|contains:
              - 'SHA256=8B9AD98944AC9886EA4CB07700E71B78BE4A2740934BB7E46CA3B56A7C59AD24'
              - 'SHA256=A41348BEC147CA4D9EA2869817527EB5CEA2E20202AF599D2B30625433BCF454'
              - 'SHA256=38EE0A88AF8535A11EFE8D8DA9C6812AA07067B75A64D99705A742589BDD846D'
              - 'SHA256=A773891ACF203A7EB0C0D30942FB1347648F1CD918AE2BFD9A4857B4DCF5081B'
              - 'SHA256=4C3B81AC88A987BBDF7D41FA0AECC2CEDF5B9BD2F45E7A21F376D05345FC211D'
              - 'SHA256=3241BC14BEC51CE6A691B9A3562E5C1D52E9D057D27A3D67FD0B245C350B6D34'
              - 'SHA256=047C42E9BBA28366868847C7DAFC1E043FB038C796422D37220493517D68EE89'
              - 'SHA256=18931DC81E95D0020466FA091E16869DBE824E543A4C2C8FE644FA71A0F44FEB'
              - 'SHA256=B4C2EF76C204273132FDE38F0DED641C2C5EE767652E64E4C4071A4A973B6C1B'
              - 'SHA256=640954AFC268565F7DAA6E6F81A8EE05311E33E34332B501A3C3FE5B22ADEA97'
              - 'SHA256=251BE949F662C838718F8AA0A5F8211FB90346D02BD63FF91E6B224E0E01B656'
              - 'SHA256=E2606F272F7BA054DF16BE464FDA57211EF0D14A0D959F9C8DCB0575DF1186E4'
              - 'SHA256=3A9E1D17BEEB514F1B9B3BACAEE7420285DE5CBDCE89C5319A992C6CBD1DE138'
    condition: selection
falsepositives:
    - System Informer is regularly used legitimately by system administrators or developers. Apply additional filters accordingly
level: medium
medium
Moderate
High FP
PUA - System Informer Execution
Detects the execution of System Informer, a task manager tool to view and manipulate processes, kernel options and other low level operations
title: PUA - System Informer Execution
id: 5722dff1-4bdd-4949-86ab-fbaf707e767a
related:
    - id: 811e0002-b13b-4a15-9d00-a613fce66e42
      type: similar
status: test
description: Detects the execution of System Informer, a task manager tool to view and manipulate processes, kernel options and other low level operations
references:
    - https://github.com/winsiderss/systeminformer
author: Florian Roth (Nextron Systems)
date: 2023-05-08
modified: 2024-11-23
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.discovery
    - attack.stealth
    - attack.t1082
    - attack.t1564
    - attack.t1543
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\SystemInformer.exe'
        - OriginalFileName: 'SystemInformer.exe'
        - Description: 'System Informer'
        - Product: 'System Informer'
        - Hashes|contains:
              # Note: add other hashes as needed
              # 3.0.11077.6550
              - 'MD5=19426363A37C03C3ED6FEDF57B6696EC'
              - 'SHA1=8B12C6DA8FAC0D5E8AB999C31E5EA04AF32D53DC'
              - 'SHA256=8EE9D84DE50803545937A63C686822388A3338497CDDB660D5D69CF68B68F287'
              - 'IMPHASH=B68908ADAEB5D662F87F2528AF318F12'
    condition: selection
falsepositives:
    - System Informer is regularly used legitimately by system administrators or developers. Apply additional filters accordingly
level: medium
medium
Moderate
Medium FP
PUA - TruffleHog Execution
Detects execution of TruffleHog, a tool used to search for secrets in different platforms like Git, Jira, Slack, SharePoint, etc. that could be used maliciously.
While it is a legitimate tool, intended for use in CI pipelines and security assessments,
it was observed in the Shai-Hulud malware campaign targeting npm packages to steal sensitive information.
title: PUA - TruffleHog Execution
id: 44030449-b0df-4c94-aae1-502359ab28ee
related:
    - id: d7a650c4-226c-451e-948f-cc490db506aa
      type: similar
status: experimental
description: |
    Detects execution of TruffleHog, a tool used to search for secrets in different platforms like Git, Jira, Slack, SharePoint, etc. that could be used maliciously.
    While it is a legitimate tool, intended for use in CI pipelines and security assessments,
    it was observed in the Shai-Hulud malware campaign targeting npm packages to steal sensitive information.
references:
    - https://github.com/trufflesecurity/trufflehog
    - https://www.getsafety.com/blog-posts/shai-hulud-npm-attack
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-09-24
tags:
    - attack.discovery
    - attack.credential-access
    - attack.t1083
    - attack.t1552.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\trufflehog.exe'
    selection_cli_platform:
        CommandLine|contains:
            - ' docker --image '
            - ' Git '
            - ' GitHub '
            - ' Jira '
            - ' Slack '
            - ' Confluence '
            - ' SharePoint '
            - ' s3 '
            - ' gcs '
    selection_cli_verified:
        CommandLine|contains: ' --results=verified'
    condition: selection_img or all of selection_cli_*
falsepositives:
    - Legitimate use of TruffleHog by security teams or developers.
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_trufflehog/info.yml
medium
Moderate
Medium FP
PUA - TruffleHog Execution - Linux
Detects execution of TruffleHog, a tool used to search for secrets in different platforms like Git, Jira, Slack, SharePoint, etc. that could be used maliciously.
While it is a legitimate tool, intended for use in CI pipelines and security assessments,
it was observed in the Shai-Hulud malware campaign targeting npm packages to steal sensitive information.
title: PUA - TruffleHog Execution - Linux
id: d7a650c4-226c-451e-948f-cc490db506aa
related:
    - id: 44030449-b0df-4c94-aae1-502359ab28ee
      type: similar
status: experimental
description: |
    Detects execution of TruffleHog, a tool used to search for secrets in different platforms like Git, Jira, Slack, SharePoint, etc. that could be used maliciously.
    While it is a legitimate tool, intended for use in CI pipelines and security assessments,
    it was observed in the Shai-Hulud malware campaign targeting npm packages to steal sensitive information.
references:
    - https://github.com/trufflesecurity/trufflehog
    - https://www.getsafety.com/blog-posts/shai-hulud-npm-attack
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-09-24
tags:
    - attack.discovery
    - attack.credential-access
    - attack.t1083
    - attack.t1552.001
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith: '/trufflehog'
    selection_cli_platform:
        CommandLine|contains:
            - ' docker --image '
            - ' Git '
            - ' GitHub '
            - ' Jira '
            - ' Slack '
            - ' Confluence '
            - ' SharePoint '
            - ' s3 '
            - ' gcs '
    selection_cli_verified:
        CommandLine|contains: ' --results=verified'
    condition: selection_img or all of selection_cli_*
falsepositives:
    - Legitimate use of TruffleHog by security teams or developers.
level: medium
medium
Moderate
High FP
PUA - WebBrowserPassView Execution
Detects the execution of WebBrowserPassView.exe, a password recovery tool that reveals the passwords stored by the following Web browsers: Internet Explorer (Version 4.0 - 11.0), Mozilla Firefox (All Versions), Google Chrome, Safari, and Opera
title: PUA - WebBrowserPassView Execution
id: d0dae994-26c6-4d2d-83b5-b3c8b79ae513
status: test
description: Detects the execution of WebBrowserPassView.exe, a password recovery tool that reveals the passwords stored by the following Web browsers: Internet Explorer (Version 4.0 - 11.0), Mozilla Firefox (All Versions), Google Chrome, Safari, and Opera
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1555.003/T1555.003.md
author: frack113
date: 2022-08-20
modified: 2023-02-14
tags:
    - attack.credential-access
    - attack.t1555.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Description: 'Web Browser Password Viewer'
        - Image|endswith: '\WebBrowserPassView.exe'
    condition: selection
falsepositives:
    - Legitimate use
level: medium
medium
Strong
Low FP
Pass the Hash Activity 2
Detects the attack technique pass the hash which is used to move laterally inside the network
title: Pass the Hash Activity 2
id: 8eef149c-bd26-49f2-9e5a-9b00e3af499b
status: stable
description: Detects the attack technique pass the hash which is used to move laterally inside the network
references:
    - https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events
    - https://web.archive.org/web/20170909091934/https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis
    - https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/
author: Dave Kennedy, Jeff Warren (method) / David Vassallo (rule)
date: 2019-06-14
modified: 2022-10-05
tags:
    - attack.lateral-movement
    - attack.t1550.002
logsource:
    product: windows
    service: security
    definition: The successful use of PtH for lateral movement between workstations would trigger event ID 4624
detection:
    selection_logon3:
        EventID: 4624
        SubjectUserSid: 'S-1-0-0'
        LogonType: 3
        LogonProcessName: 'NtLmSsp'
        KeyLength: 0
    selection_logon9:
        EventID: 4624
        LogonType: 9
        LogonProcessName: 'seclogo'
    filter:
        TargetUserName: 'ANONYMOUS LOGON'
    condition: 1 of selection_* and not filter
falsepositives:
    - Administrator activity
level: medium
medium
Moderate
Medium FP
Password Policy Enumerated
Detects when the password policy is enumerated.
title: Password Policy Enumerated
id: 12ba6a38-adb3-4d6b-91ba-a7fb248e3199
status: test
description: Detects when the password policy is enumerated.
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4661
    - https://github.com/jpalanco/alienvault-ossim/blob/f74359c0c027e42560924b5cff25cdf121e5505a/os-sim/agent/src/ParserUtil.py#L951
author: Zach Mathis
date: 2023-05-19
tags:
    - attack.discovery
    - attack.t1201
logsource:
    product: windows
    service: security
    definition: dfd8c0f4-e6ad-4e07-b91b-f2fca0ddef64
detection:
    selection:
        EventID: 4661 # A handle to an object was requested.
        AccessList|contains: '%%5392' # ReadPasswordParameters
        ObjectServer: 'Security Account Manager'
    condition: selection
level: medium
medium
Strong
Low FP
Password Protected ZIP File Opened
Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.
title: Password Protected ZIP File Opened
id: 00ba9da1-b510-4f6b-b258-8d338836180f
status: test
description: Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.
references:
    - https://twitter.com/sbousseaden/status/1523383197513379841
author: Florian Roth (Nextron Systems)
date: 2022-05-09
tags:
    - attack.stealth
    - attack.t1027
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5379
        TargetName|contains: 'Microsoft_Windows_Shell_ZipFolder:filename'
    filter: # avoid overlaps with 54f0434b-726f-48a1-b2aa-067df14516e4
        TargetName|contains: '\Temporary Internet Files\Content.Outlook'
    condition: selection and not filter
falsepositives:
    - Legitimate use of encrypted ZIP files
level: medium
medium
Moderate
Medium FP
Password Provided In Command Line Of Net.EXE
Detects when net.exe is called with a password in the command line
title: Password Provided In Command Line Of Net.EXE
id: d4498716-1d52-438f-8084-4a603157d131
status: test
description: Detects when net.exe is called with a password in the command line
references:
    - Internal Research
author: Tim Shelton (HAWK.IO)
date: 2021-12-09
modified: 2023-02-21
tags:
    - attack.initial-access
    - attack.persistence
    - attack.privilege-escalation
    - attack.lateral-movement
    - attack.stealth
    - attack.t1021.002
    - attack.t1078
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\net.exe'
              - '\net1.exe'
        - OriginalFileName:
              - 'net.exe'
              - 'net1.exe'
    selection_cli:
        CommandLine|contains|all:
            - ' use '
            - ':*\\'
            - '/USER:* *'
    filter_main_empty:
        CommandLine|endswith: ' '
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
medium
Strong
Low FP
Password Reset By User Account
Detect when a user has reset their password in Azure AD
title: Password Reset By User Account
id: 340ee172-4b67-4fb4-832f-f961bdc1f3aa
status: test
description: Detect when a user has reset their password in Azure AD
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
author: YochanaHenderson, '@Yochana-H'
date: 2022-08-03
tags:
    - attack.privilege-escalation
    - attack.initial-access
    - attack.persistence
    - attack.credential-access
    - attack.stealth
    - attack.t1078.004
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        Category: 'UserManagement'
        Status: 'Success'
        Initiatedby: 'UPN'
    filter:
        Target|contains: 'UPN'
        ActivityType|contains: 'Password reset'
    condition: selection and filter
falsepositives:
    - If this was approved by System Administrator or confirmed user action.
level: medium
medium
Moderate
High FP
Password Set to Never Expire via WMI
Detects the use of wmic.exe to modify user account settings and explicitly disable password expiration.
title: Password Set to Never Expire via WMI
id: 7864a175-3654-4824-9f0d-f0da18ab27c0
status: experimental
description: |
    Detects the use of wmic.exe to modify user account settings and explicitly disable password expiration.
references:
    - https://www.huntress.com/blog/the-unwanted-guest
author: "Daniel Koifman (KoifSec)"
date: 2025-07-30
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1047
    - attack.t1098
logsource:
    category: process_creation
    product: windows
detection:
    selection_img: # Example command simulated: wmic useraccount where name='guest' set passwordexpires=false
        - Image|endswith: '\wmic.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'useraccount'
            - ' set '
            - 'passwordexpires'
            - 'false'
    condition: all of selection_*
falsepositives:
    - Legitimate administrative activity
level: medium
medium
Moderate
Medium FP
Path To Screensaver Binary Modified
Detects value modification of registry key containing path to binary used as screensaver.
title: Path To Screensaver Binary Modified
id: 67a6c006-3fbe-46a7-9074-2ba3b82c3000
status: test
description: Detects value modification of registry key containing path to binary used as screensaver.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md
    - https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf
author: Bartlomiej Czyz @bczyz1, oscd.community
date: 2020-10-11
modified: 2021-11-27
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1546.002
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Control Panel\Desktop\SCRNSAVE.EXE' # HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE
    filter:
        Image|endswith:
            - '\rundll32.exe'
            - '\explorer.exe'
    condition: selection and not filter
falsepositives:
    - Legitimate modification of screensaver
level: medium
medium
Moderate
High FP
Path Traversal Exploitation Attempts
Detects path traversal exploitation attempts
title: Path Traversal Exploitation Attempts
id: 7745c2ea-24a5-4290-b680-04359cb84b35
status: test
description: Detects path traversal exploitation attempts
references:
    - https://github.com/projectdiscovery/nuclei-templates
    - https://book.hacktricks.xyz/pentesting-web/file-inclusion
author: Subhash Popuri (@pbssubhash), Florian Roth (Nextron Systems), Thurein Oo, Nasreddine Bencherchali (Nextron Systems)
date: 2021-09-25
modified: 2023-08-31
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    category: webserver
detection:
    selection:
        cs-uri-query|contains:
            - '../../../../../lib/password'
            - '../../../../windows/'
            - '../../../etc/'
            - '..%252f..%252f..%252fetc%252f'
            - '..%c0%af..%c0%af..%c0%afetc%c0%af'
            - '%252e%252e%252fetc%252f'
    condition: selection
falsepositives:
    - Expected to be continuously seen on systems exposed to the Internet
    - Internal vulnerability scanners
level: medium
medium
Moderate
High FP
Payload Decoded and Decrypted via Built-in Utilities
Detects when a built-in utility is used to decode and decrypt a payload after a macOS disk image (DMG) is executed. Malware authors may attempt to evade detection and trick users into executing malicious code by encoding and encrypting their payload and placing it in a disk image file. This behavior is consistent with adware or malware families such as Bundlore and Shlayer.
title: Payload Decoded and Decrypted via Built-in Utilities
id: 234dc5df-40b5-49d1-bf53-0d44ce778eca
status: test
description: Detects when a built-in utility is used to decode and decrypt a payload after a macOS disk image (DMG) is executed. Malware authors may attempt to evade detection and trick users into executing malicious code by encoding and encrypting their payload and placing it in a disk image file. This behavior is consistent with adware or malware families such as Bundlore and Shlayer.
references:
    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d42c3d772e04f1e8d0eb60f5233bc79def1ea73105a2d8822f44164f77ef823
author: Tim Rauch (rule), Elastic (idea)
date: 2022-10-17
tags:
    - attack.stealth
    - attack.t1059
    - attack.t1204
    - attack.execution
    - attack.t1140
    - attack.s0482
    - attack.s0402
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        Image|endswith: '/openssl'
        CommandLine|contains|all:
            - '/Volumes/'
            - 'enc'
            - '-base64'
            - ' -d '
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Moderate
Medium FP
Periodic Backup For System Registry Hives Enabled
Detects the enabling of the "EnablePeriodicBackup" registry value. Once enabled, the OS will back up System registry hives on restarts to the "C:\Windows\System32\config\RegBack" folder. Windows creates a "RegIdleBackup" task to manage subsequent backups.
Registry backup was a default behavior on Windows and was disabled as of "Windows 10, version 1803".
title: Periodic Backup For System Registry Hives Enabled
id: 973ef012-8f1a-4c40-93b4-7e659a5cd17f
status: test
description: |
    Detects the enabling of the "EnablePeriodicBackup" registry value. Once enabled, the OS will back up System registry hives on restarts to the "C:\Windows\System32\config\RegBack" folder. Windows creates a "RegIdleBackup" task to manage subsequent backups.
    Registry backup was a default behavior on Windows and was disabled as of "Windows 10, version 1803".
references:
    - https://learn.microsoft.com/en-us/troubleshoot/windows-client/installing-updates-features-roles/system-registry-no-backed-up-regback-folder
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-07-01
tags:
    - attack.collection
    - attack.t1113
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Control\Session Manager\Configuration Manager\EnablePeriodicBackup'
        Details: 'DWORD (0x00000001)'
    condition: selection
falsepositives:
    - Legitimate need for RegBack feature by administrators.
level: medium
medium
Moderate
High FP
Perl Inline Command Execution
Detects execution of perl using the "-e"/"-E" flags. This could be used as a way to launch a reverse shell or execute live perl code.
title: Perl Inline Command Execution
id: f426547a-e0f7-441a-b63e-854ac5bdf54d
status: test
description: Detects execution of perl using the "-e"/"-E" flags. This could be used as a way to launch a reverse shell or execute live perl code.
references:
    - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
    - https://www.revshells.com/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-02
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\perl.exe'
        - OriginalFileName: 'perl.exe' # Also covers perlX.XX.exe
    selection_cli:
        CommandLine|contains: ' -e'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
Strong
High FP
Permission Check Via Accesschk.EXE
Detects the usage of the "Accesschk" utility, an access and privilege audit tool developed by SysInternal and often being abused by attacker to verify process privileges
view Sigma YAML
title: Permission Check Via Accesschk.EXE
id: c625d754-6a3d-4f65-9c9a-536aea960d37
status: test
description: Detects the usage of the "Accesschk" utility, an access and privilege audit tool developed by Sysinternals and often abused by attackers to verify process privileges
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43
    - https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW
    - https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat
    - https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat
author: Teymur Kheirkhabarov (idea), Mangatas Tondang, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2020-10-13
modified: 2023-02-20
tags:
    - attack.discovery
    - attack.t1069.001
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Product|endswith: 'AccessChk'
        - Description|contains: 'Reports effective permissions'
        - Image|endswith:
              - '\accesschk.exe'
              - '\accesschk64.exe'
        - OriginalFileName: 'accesschk.exe'
    selection_cli:
        CommandLine|contains: # These are the most common flags used with this tool. You could add other combinations if needed
            - 'uwcqv '
            - 'kwsu '
            - 'qwsu '
            - 'uwdqs '
    condition: all of selection*
falsepositives:
    - System administrator usage
level: medium
medium
Strong
Medium FP
Permission Misconfiguration Reconnaissance Via Findstr.EXE
Detects usage of findstr with the "EVERYONE" or "BUILTIN" keywords.
This was seen being used in combination with "icacls" and other utilities to spot misconfigured file or folder permissions.
view Sigma YAML
title: Permission Misconfiguration Reconnaissance Via Findstr.EXE
id: 47e4bab7-c626-47dc-967b-255608c9a920
status: test
description: |
    Detects usage of findstr with the "EVERYONE" or "BUILTIN" keywords.
    This was seen being used in combination with "icacls" and other utilities to spot misconfigured file or folder permissions.
references:
    - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-12
modified: 2023-11-11
tags:
    - attack.credential-access
    - attack.t1552.006
logsource:
    category: process_creation
    product: windows
detection:
    selection_findstr_img:
        - Image|endswith:
              - '\find.exe'
              - '\findstr.exe'
        - OriginalFileName:
              - 'FIND.EXE'
              - 'FINDSTR.EXE'
    selection_findstr_cli:
        CommandLine|contains:
            - '"Everyone"'
            - "'Everyone'"
            - '"BUILTIN\\"'
            - "'BUILTIN\\'"
    selection_special:
        CommandLine|contains|all:
            # Example CLI would be: icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "Everyone"
            # You could extend it for other groups and users
            # Example: icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
            # Note: This selection only detects the command when executed from a handler such as a "cmd /c" or "powershell -c"
            - 'icacls '
            - 'findstr '
            - 'Everyone'
    condition: all of selection_findstr_* or selection_special
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone/info.yml
medium
Strong
Medium FP
Persistence Via Disk Cleanup Handler - Autorun
Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun.
The disk cleanup manager is part of the operating system.
It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.
Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.
Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.
Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.
view Sigma YAML
title: Persistence Via Disk Cleanup Handler - Autorun
id: d4e2745c-f0c6-4bde-a3ab-b553b3f693cc
status: test
description: |
    Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun.
    The disk cleanup manager is part of the operating system.
    It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.
    Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.
    Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.
    Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.
references:
    - https://persistence-info.github.io/Data/diskcleanuphandler.html
    - https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-21
modified: 2023-08-17
tags:
    - attack.persistence
logsource:
    category: registry_set
    product: windows
detection:
    root:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\'
    selection_autorun:
        # Launching PreCleanupString / CleanupString programs w/o gui, i.e. while using e.g. /autoclean
        TargetObject|contains: '\Autorun'
        Details: 'DWORD (0x00000001)'
    selection_pre_after:
        TargetObject|contains:
            - '\CleanupString'
            - '\PreCleanupString'
        Details|contains:
            # Add more as you see fit
            - 'cmd'
            - 'powershell'
            - 'rundll32'
            - 'mshta'
            - 'cscript'
            - 'wscript'
            - 'wsl'
            - '\Users\Public\'
            - '\Windows\TEMP\'
            - '\Microsoft\Windows\Start Menu\Programs\Startup\'
    condition: root and 1 of selection_*
falsepositives:
    - Unknown
level: medium
medium
Strong
Medium FP
Persistence Via New SIP Provider
Detects when an attacker registers a new SIP provider for persistence and defense evasion
view Sigma YAML
title: Persistence Via New SIP Provider
id: 5a2b21ee-6aaa-4234-ac9d-59a59edf90a1
status: test
description: Detects when an attacker registers a new SIP provider for persistence and defense evasion
references:
    - https://persistence-info.github.io/Data/codesigning.html
    - https://github.com/gtworek/PSBits/tree/master/SIP
    - https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-21
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1553.003
logsource:
    category: registry_set
    product: windows
detection:
    selection_root:
        TargetObject|contains:
            - '\SOFTWARE\Microsoft\Cryptography\Providers\'
            - '\SOFTWARE\Microsoft\Cryptography\OID\EncodingType'
            - '\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\'
            - '\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType'
    selection_dll:
        TargetObject|contains:
            - '\Dll'
            - '\$DLL'
    filter:
        Details:
            # Add more legitimate SIP providers according to your env
            - WINTRUST.DLL
            - mso.dll
    filter_poqexec:
        Image: 'C:\Windows\System32\poqexec.exe'
        TargetObject|contains: '\CryptSIPDll'
        Details: 'C:\Windows\System32\PsfSip.dll'
    condition: all of selection_* and not 1 of filter*
falsepositives:
    - Legitimate SIP being registered by the OS or different software.
level: medium
medium
Strong
Medium FP
Persistence Via Sudoers.d Files
Detects the creation or modification of files within the "sudoers.d" directory on Linux systems.
Such activity may indicate an attempt to establish or maintain privilege escalation by granting specific users elevated permissions.
Unauthorized changes to sudoers files are a common technique used by attackers to persist administrative access.
view Sigma YAML
title: Persistence Via Sudoers.d Files
id: ddb26b76-4447-4807-871f-1b035b2bfa5d
status: test
description: |
    Detects the creation or modification of files within the "sudoers.d" directory on Linux systems.
    Such activity may indicate an attempt to establish or maintain privilege escalation by granting specific users elevated permissions.
    Unauthorized changes to sudoers files are a common technique used by attackers to persist administrative access.
references:
    - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-05
modified: 2026-03-18
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1548.003
logsource:
    product: linux
    category: file_event
detection:
    selection:
        TargetFilename|startswith: '/etc/sudoers.d/'
    filter_main_dpkg:
        Image|endswith: '/usr/bin/dpkg'
        TargetFilename: '/etc/sudoers.d/README.dpkg-new'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Creation of legitimate files in sudoers.d folder as part of administrator work
level: medium
medium
Moderate
High FP
Persistence Via TypedPaths - CommandLine
Detects modification of or addition to the 'TypedPaths' key in the user or admin registry via the command line, which might indicate a persistence attempt
view Sigma YAML
title: Persistence Via TypedPaths - CommandLine
id: ec88289a-7e1a-4cc3-8d18-bd1f60e4b9ba
status: test
description: Detects modification of or addition to the 'TypedPaths' key in the user or admin registry via the command line, which might indicate a persistence attempt
references:
    - https://twitter.com/dez_/status/1560101453150257154
    - https://forensafe.com/blogs/typedpaths.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-22
tags:
    - attack.persistence
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: '\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Moderate
High FP
Php Inline Command Execution
Detects execution of php using the "-r" flag. This could be used as a way to launch a reverse shell or execute live php code.
view Sigma YAML
title: Php Inline Command Execution
id: d81871ef-5738-47ab-9797-7a9c90cd4bfb
status: test
description: Detects execution of php using the "-r" flag. This could be used as a way to launch a reverse shell or execute live php code.
references:
    - https://www.php.net/manual/en/features.commandline.php
    - https://www.revshells.com/
    - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-02
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\php.exe'
        - OriginalFileName: 'php.exe'
    selection_cli:
        CommandLine|contains: ' -r'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
Moderate
High FP
PktMon.EXE Execution
Detects execution of PktMon, a tool that captures network packets.
view Sigma YAML
title: PktMon.EXE Execution
id: f956c7c1-0f60-4bc5-b7d7-b39ab3c08908
status: test
description: Detects execution of PktMon, a tool that captures network packets.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Pktmon/
author: frack113
date: 2022-03-17
modified: 2023-06-23
tags:
    - attack.discovery
    - attack.credential-access
    - attack.t1040
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\pktmon.exe'
        - OriginalFileName: 'PktMon.exe'
    condition: selection
falsepositives:
    - Legitimate use
level: medium
medium
Moderate
High FP
Pnscan Binary Data Transmission Activity
Detects command line patterns associated with the use of Pnscan for sending and receiving binary data across the network.
This behavior has been identified in a Linux malware campaign targeting Docker, Apache Hadoop, Redis, and Confluence and was previously used by the threat actor known as TeamTNT.
view Sigma YAML
title: Pnscan Binary Data Transmission Activity
id: 97de11cd-4b67-4abf-9a8b-1020e670aa9e
status: test
description: |
    Detects command line patterns associated with the use of Pnscan for sending and receiving binary data across the network.
    This behavior has been identified in a Linux malware campaign targeting Docker, Apache Hadoop, Redis, and Confluence and was previously used by the threat actor known as TeamTNT.
author: David Burkett (@signalblur)
date: 2024-04-16
references:
    - https://www.cadosecurity.com/blog/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence
    - https://intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf
    - https://regex101.com/r/RugQYK/1
    - https://www.virustotal.com/gui/file/beddf70a7bab805f0c0b69ac0989db6755949f9f68525c08cb874988353f78a9/content
tags:
    - attack.discovery
    - attack.t1046
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        CommandLine|re: -(W|R)\s?(\s|"|')([0-9a-fA-F]{2}\s?){2,20}(\s|"|')
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Moderate
Medium FP
Port Forwarding Activity Via SSH.EXE
Detects port forwarding activity via SSH.exe
view Sigma YAML
title: Port Forwarding Activity Via SSH.EXE
id: 327f48c1-a6db-4eb8-875a-f6981f1b0183
status: test
description: Detects port forwarding activity via SSH.exe
references:
    - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-12
modified: 2024-03-05
tags:
    - attack.command-and-control
    - attack.lateral-movement
    - attack.t1572
    - attack.t1021.001
    - attack.t1021.004
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\ssh.exe'
        CommandLine|contains|windash: ' -R '
    condition: selection
falsepositives:
    - Administrative activity using a remote port forwarding to a local port
level: medium
Showing 651-700 of 1,440