Home/Detection rules/VMware Carbon Black
Tool
EDR / XDR

VMware Carbon Black

1,492 rules · Sigma detections in VMware Carbon Black syntax
The same Sigma detection corpus, machine-rendered into VMware Carbon Black query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Severity critical high medium low all severities

Detection rules

50 shown of 1,492
medium
Bitbucket User Login Failure
Detects user authentication failure events. Please note that this rule can be noisy and it is recommended to use with correlation based on "author.name" field.
status test author Muhammad Faisal (@faisalusuf) id 70ed1d26-0050-4b38-a599-92c53d57d45a
carbon_black query
"auditType.category":Authentication "auditType.action":User\ login\ failed
view Sigma YAML 
title: Bitbucket User Login Failure
id: 70ed1d26-0050-4b38-a599-92c53d57d45a
status: test
description: |
    Detects user authentication failure events.
    Please note that this rule can be noisy and it is recommended to use with correlation based on "author.name" field.
references:
    - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
author: Muhammad Faisal (@faisalusuf)
date: 2024-02-25
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.credential-access
    - attack.stealth
    - attack.t1078.004
    - attack.t1110
logsource:
    product: bitbucket
    service: audit
    definition: 'Requirements: "Advance" log level is required to receive these audit events.'
detection:
    selection:
        auditType.category: 'Authentication'
        auditType.action: 'User login failed'
    condition: selection
falsepositives:
    - Legitimate user wrong password attempts.
level: medium
Convert to SIEM query
medium
Bitbucket User Login Failure Via SSH
Detects SSH user login access failures. Please note that this rule can be noisy and is recommended to use with correlation based on "author.name" field.
status test author Muhammad Faisal (@faisalusuf) id d3f90469-fb05-42ce-b67d-0fded91bbef3
carbon_black query
"auditType.category":Authentication "auditType.action":User\ login\ failed\(SSH\)
view Sigma YAML 
title: Bitbucket User Login Failure Via SSH
id: d3f90469-fb05-42ce-b67d-0fded91bbef3
status: test
description: |
    Detects SSH user login access failures.
    Please note that this rule can be noisy and is recommended to use with correlation based on "author.name" field.
references:
    - https://confluence.atlassian.com/bitbucketserver/view-and-configure-the-audit-log-776640417.html
    - https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html
author: Muhammad Faisal (@faisalusuf)
date: 2024-02-25
tags:
    - attack.lateral-movement
    - attack.credential-access
    - attack.t1021.004
    - attack.t1110
logsource:
    product: bitbucket
    service: audit
    definition: 'Requirements: "Advance" log level is required to receive these audit events.'
detection:
    selection:
        auditType.category: 'Authentication'
        auditType.action: 'User login failed(SSH)'
    condition: selection
falsepositives:
    - Legitimate user wrong password attempts.
level: medium
Convert to SIEM query
medium
Bitbucket User Permissions Export Attempt
Detects user permission data export attempt.
status test author Muhammad Faisal (@faisalusuf) id 87cc6698-3e07-4ba2-9b43-a85a73e151e2
carbon_black query
"auditType.category":Users\ and\ groups ("auditType.action":User\ details\ export\ failed OR "auditType.action":User\ details\ export\ started OR "auditType.action":User\ details\ exported)
view Sigma YAML 
title: Bitbucket User Permissions Export Attempt
id: 87cc6698-3e07-4ba2-9b43-a85a73e151e2
status: test
description: Detects user permission data export attempt.
references:
    - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
    - https://confluence.atlassian.com/bitbucketserver/users-and-groups-776640439.html
author: Muhammad Faisal (@faisalusuf)
date: 2024-02-25
tags:
    - attack.reconnaissance
    - attack.collection
    - attack.discovery
    - attack.t1213
    - attack.t1082
    - attack.t1591.004
logsource:
    product: bitbucket
    service: audit
    definition: 'Requirements: "Advance" log level is required to receive these audit events.'
detection:
    selection:
        auditType.category: 'Users and groups'
        auditType.action:
            - 'User details export failed'
            - 'User details export started'
            - 'User details exported'
    condition: selection
falsepositives:
    - Legitimate user activity.
level: medium
Convert to SIEM query
medium
Bitlocker Key Retrieval
Monitor and alert for Bitlocker key retrieval.
status test author Michael Epping, '@mepples21' id a0413867-daf3-43dd-9245-734b3a787942
carbon_black query
Category:KeyManagement OperationName:Read\ BitLocker\ key
view Sigma YAML 
title: Bitlocker Key Retrieval
id: a0413867-daf3-43dd-9245-734b3a787942
status: test
description: Monitor and alert for Bitlocker key retrieval.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#bitlocker-key-retrieval
author: Michael Epping, '@mepples21'
date: 2022-06-28
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.stealth
    - attack.t1078.004
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        Category: KeyManagement
        OperationName: Read BitLocker key
    condition: selection
falsepositives:
    - Unknown
level: medium
Convert to SIEM query
medium
Bpfdoor TCP Ports Redirect
All TCP traffic on particular port from attacker is routed to different port. ex. '/sbin/iptables -t nat -D PREROUTING -p tcp -s 192.168.1.1 --dport 22 -j REDIRECT --to-ports 42392' The traffic looks like encrypted SSH communications going to TCP port 22, but in reality is being directed to the shell port once it hits the iptables rule for the attacker host only.
status test author Rafal Piasecki id 70b4156e-50fc-4523-aa50-c9dddf1993fc
carbon_black query
(type:EXECVE a0:iptables a1:\-t a2:nat) ("\-\-to\-ports\ 42" OR "\-\-to\-ports\ 43")
view Sigma YAML 
title: Bpfdoor TCP Ports Redirect
id: 70b4156e-50fc-4523-aa50-c9dddf1993fc
status: test
description: |
    All TCP traffic on particular port from attacker is routed to different port. ex. '/sbin/iptables -t nat -D PREROUTING -p tcp -s 192.168.1.1 --dport 22 -j REDIRECT --to-ports 42392'
    The traffic looks like encrypted SSH communications going to TCP port 22, but in reality is being directed to the shell port once it hits the iptables rule for the attacker host only.
references:
    - https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
    - https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor
author: Rafal Piasecki
date: 2022-08-10
tags:
    - attack.defense-impairment
    - attack.t1686
logsource:
    product: linux
    service: auditd
detection:
    cmd:
        type: 'EXECVE'
        a0|endswith: 'iptables'
        a1: '-t'
        a2: 'nat'
    keywords:
        - '--to-ports 42'
        - '--to-ports 43'
    condition: cmd and keywords
falsepositives:
    - Legitimate ports redirect
level: medium
Convert to SIEM query
medium
Browser Started with Remote Debugging
Detects browsers starting with the remote debugging flags. Which is a technique often used to perform browser injection attacks
status test author pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) id b3d34dc5-2efd-4ae3-845f-8ec14921f449
carbon_black query
CommandLine:\ \-\-remote\-debugging\-* OR (Image:\\firefox.exe CommandLine:\ \-start\-debugger\-server*)
view Sigma YAML 
title: Browser Started with Remote Debugging
id: b3d34dc5-2efd-4ae3-845f-8ec14921f449
related:
    - id: 3e8207c5-fcd2-4ea6-9418-15d45b4890e4
      type: derived
status: test
description: Detects browsers starting with the remote debugging flags. Which is a technique often used to perform browser injection attacks
references:
    - https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf
    - https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/
    - https://github.com/defaultnamehere/cookie_crimes/
    - https://github.com/wunderwuzzi23/firefox-cookiemonster
author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-27
modified: 2022-12-23
tags:
    - attack.credential-access
    - attack.collection
    - attack.t1185
logsource:
    category: process_creation
    product: windows
detection:
    selection_chromium_based:
        # Covers: --remote-debugging-address, --remote-debugging-port, --remote-debugging-socket-name, --remote-debugging-pipe....etc
        CommandLine|contains: ' --remote-debugging-'
    selection_firefox:
        Image|endswith: '\firefox.exe'
        CommandLine|contains: ' -start-debugger-server'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: medium
Convert to SIEM query
medium
C# IL Code Compilation Via Ilasm.EXE
Detects the use of "Ilasm.EXE" in order to compile C# intermediate (IL) code to EXE or DLL.
status test author frack113, Nasreddine Bencherchali (Nextron Systems) id 850d55f9-6eeb-4492-ad69-a72338f65ba4
carbon_black query
(Image:\\ilasm.exe OR OriginalFileName:ilasm.exe) (CommandLine:\ \/dll* OR CommandLine:\ \/exe*)
view Sigma YAML 
title: C# IL Code Compilation Via Ilasm.EXE
id: 850d55f9-6eeb-4492-ad69-a72338f65ba4
status: test
description: Detects the use of "Ilasm.EXE" in order to compile C# intermediate (IL) code to EXE or DLL.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Ilasm/
    - https://www.echotrail.io/insights/search/ilasm.exe
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-05-07
modified: 2022-05-16
tags:
    - attack.execution
    - attack.stealth
    - attack.t1127
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\ilasm.exe'
        - OriginalFileName: 'ilasm.exe'
    selection_cli:
        CommandLine|contains:
            - ' /dll'
            - ' /exe'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
Convert to SIEM query
medium
CA Policy Removed by Non Approved Actor
Monitor and alert on conditional access changes where non approved actor removed CA Policy.
status test author Corissa Koopmans, '@corissalea' id 26e7c5e2-6545-481e-b7e6-050143459635
carbon_black query
"properties.message":Delete\ conditional\ access\ policy
view Sigma YAML 
title: CA Policy Removed by Non Approved Actor
id: 26e7c5e2-6545-481e-b7e6-050143459635
status: test
description: Monitor and alert on conditional access changes where non approved actor removed CA Policy.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access
author: Corissa Koopmans, '@corissalea'
date: 2022-07-19
tags:
    - attack.privilege-escalation
    - attack.credential-access
    - attack.persistence
    - attack.defense-impairment
    - attack.t1548
    - attack.t1556
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        properties.message: Delete conditional access policy
    condition: selection
falsepositives:
    - Misconfigured role permissions
    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
level: medium
Convert to SIEM query
medium
CA Policy Updated by Non Approved Actor
Monitor and alert on conditional access changes. Is Initiated by (actor) approved to make changes? Review Modified Properties and compare "old" vs "new" value.
status test author Corissa Koopmans, '@corissalea' id 50a3c7aa-ec29-44a4-92c1-fce229eef6fc
carbon_black query
"properties.message":Update\ conditional\ access\ policy
view Sigma YAML 
title: CA Policy Updated by Non Approved Actor
id: 50a3c7aa-ec29-44a4-92c1-fce229eef6fc
status: test
description: Monitor and alert on conditional access changes. Is Initiated by (actor) approved to make changes? Review Modified Properties and compare "old" vs "new" value.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access
author: Corissa Koopmans, '@corissalea'
date: 2022-07-19
modified: 2024-05-28
tags:
    - attack.privilege-escalation
    - attack.credential-access
    - attack.persistence
    - attack.defense-impairment
    - attack.t1548
    - attack.t1556
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        properties.message: Update conditional access policy
    condition: selection
falsepositives:
    - Misconfigured role permissions
    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
level: medium
Convert to SIEM query
medium
CLR DLL Loaded Via Office Applications
Detects CLR DLL being loaded by an Office Product
status test author Antonlovesdnb id d13c43f0-f66b-4279-8b2c-5912077c1780
carbon_black query
(Image:\\excel.exe OR Image:\\mspub.exe OR Image:\\outlook.exe OR Image:\\onenote.exe OR Image:\\onenoteim.exe OR Image:\\powerpnt.exe OR Image:\\winword.exe) ImageLoaded:\\clr.dll*
view Sigma YAML 
title: CLR DLL Loaded Via Office Applications
id: d13c43f0-f66b-4279-8b2c-5912077c1780
status: test
description: Detects CLR DLL being loaded by an Office Product
references:
    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
author: Antonlovesdnb
date: 2020-02-19
modified: 2023-03-29
tags:
    - attack.execution
    - attack.t1204.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith:
            - '\excel.exe'
            - '\mspub.exe'
            - '\outlook.exe'
            - '\onenote.exe'
            - '\onenoteim.exe' # Just in case
            - '\powerpnt.exe'
            - '\winword.exe'
        ImageLoaded|contains: '\clr.dll'
    condition: selection
falsepositives:
    - Unknown
level: medium
Convert to SIEM query
medium
COM Hijacking via TreatAs
Detect modification of TreatAs key to enable "rundll32.exe -sta" command
status test author frack113 id dc5c24af-6995-49b2-86eb-a9ff62199e82
carbon_black query
TargetObject:TreatAs\\\(Default\) (-((Image:C\:\\Program\ Files\\Common\ Files\\Microsoft\ Shared\\ClickToRun\\* Image:\\OfficeClickToRun.exe) OR (Image:C\:\\Program\ Files\\Microsoft\ Office\\root\\integration\\integrator.exe OR Image:C\:\\Program\ Files\ \(x86\)\\Microsoft\ Office\\root\\integration\\integrator.exe) OR Image:C\:\\Windows\\system32\\svchost.exe OR (Image:C\:\\Windows\\system32\\msiexec.exe OR Image:C\:\\Windows\\SysWOW64\\msiexec.exe)))
view Sigma YAML 
title: COM Hijacking via TreatAs
id: dc5c24af-6995-49b2-86eb-a9ff62199e82
status: test
description: Detect modification of TreatAs key to enable "rundll32.exe -sta" command
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md
    - https://www.youtube.com/watch?v=3gz1QmiMhss&t=1251s
author: frack113
date: 2022-08-28
modified: 2025-07-11
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.015
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: 'TreatAs\(Default)'
    filter_office:
        Image|startswith: 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
        Image|endswith: '\OfficeClickToRun.exe'
    filter_office2:
        Image:
            - 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
            - 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
    filter_svchost:
        # Example of target object by svchost
        # TargetObject: HKLM\SOFTWARE\Microsoft\MsixRegistryCompatibility\Package\Microsoft.Paint_11.2208.6.0_x64__8wekyb3d8bbwe\User\SOFTWARE\Classes\CLSID\{0003000A-0000-0000-C000-000000000046}\TreatAs\(Default)
        # TargetObject: HKU\S-1-5-21-1000000000-000000000-000000000-0000_Classes\CLSID\{0003000A-0000-0000-C000-000000000046}\TreatAs\(Default)
        Image: 'C:\Windows\system32\svchost.exe'
    filter_misexec:
        # This FP has been seen during installation/updates
        Image:
            - 'C:\Windows\system32\msiexec.exe'
            - 'C:\Windows\SysWOW64\msiexec.exe'
    condition: selection and not 1 of filter_*
falsepositives:
    - Legitimate use
level: medium
Convert to SIEM query
medium
COM Object Execution via Xwizard.EXE
Detects the execution of Xwizard tool with the "RunWizard" flag and a GUID like argument. This utility can be abused in order to run custom COM object created in the registry.
status test author Ensar Şamil, @sblmsrsn, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems) id 53d4bb30-3f36-4e8a-b078-69d36c4a79ff
carbon_black query
CommandLine:RunWizard CommandLine:\\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\\}
view Sigma YAML 
title: COM Object Execution via Xwizard.EXE
id: 53d4bb30-3f36-4e8a-b078-69d36c4a79ff
status: test
description: |
    Detects the execution of Xwizard tool with the "RunWizard" flag and a GUID like argument.
    This utility can be abused in order to run custom COM object created in the registry.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Xwizard/
    - https://www.elastic.co/guide/en/security/current/execution-of-com-object-via-xwizard.html
    - https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
author: Ensar Şamil, @sblmsrsn, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)
date: 2020-10-07
modified: 2024-08-15
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine: 'RunWizard'
        CommandLine|re: '\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\}'
    condition: selection
falsepositives:
    - Unknown
level: medium
Convert to SIEM query
medium
CSExec Service File Creation
Detects default CSExec service filename which indicates CSExec service installation and execution
status test author Nasreddine Bencherchali (Nextron Systems) id f0e2b768-5220-47dd-b891-d57b96fc0ec1
carbon_black query
TargetFilename:\\csexecsvc.exe
view Sigma YAML 
title: CSExec Service File Creation
id: f0e2b768-5220-47dd-b891-d57b96fc0ec1
status: test
description: Detects default CSExec service filename which indicates CSExec service installation and execution
references:
    - https://github.com/malcomvetter/CSExec
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-04
tags:
    - attack.execution
    - attack.t1569.002
    - attack.s0029
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: '\csexecsvc.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
Convert to SIEM query
medium
CSExec Service Installation
Detects CSExec service installation and execution events
status test author Nasreddine Bencherchali (Nextron Systems) id a27e5fa9-c35e-4e3d-b7e0-1ce2af66ad12
carbon_black query
(Provider_Name:Service\ Control\ Manager EventID:7045) (ServiceName:csexecsvc OR ImagePath:\\csexecsvc.exe)
view Sigma YAML 
title: CSExec Service Installation
id: a27e5fa9-c35e-4e3d-b7e0-1ce2af66ad12
status: test
description: Detects CSExec service installation and execution events
references:
    - https://github.com/malcomvetter/CSExec
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-07
tags:
    - attack.execution
    - attack.t1569.002
logsource:
    product: windows
    service: system
detection:
    selection_eid:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection_service:
        - ServiceName: 'csexecsvc'
        - ImagePath|endswith: '\csexecsvc.exe'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
Convert to SIEM query
medium
CVE-2022-31659 VMware Workspace ONE Access RCE
Detects possible exploitation of VMware Workspace ONE Access Admin Remote Code Execution vulnerability as described in CVE-2022-31659
status test author Nasreddine Bencherchali (Nextron Systems) id efdb2003-a922-48aa-8f37-8b80021a9706
carbon_black query
"cs-method":POST "cs-uri-query":\/SAAS\/jersey\/manager\/api\/migrate\/tenant*
view Sigma YAML 
title: CVE-2022-31659 VMware Workspace ONE Access RCE
id: efdb2003-a922-48aa-8f37-8b80021a9706
status: test
description: Detects possible exploitation of VMware Workspace ONE Access Admin Remote Code Execution vulnerability as described in CVE-2022-31659
references:
    - https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-12
modified: 2023-01-02
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2022-31659
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection:
        cs-method: 'POST'
        cs-uri-query|contains: '/SAAS/jersey/manager/api/migrate/tenant' # Investigate the contents of the post body and look for any suspicious hosts that might be controlled by the attacker
    condition: selection
falsepositives:
    - Vulnerability scanners
    - Legitimate access to the URI
level: medium
Convert to SIEM query
medium
CVE-2023-1389 Potential Exploitation Attempt - Unauthenticated Command Injection In TP-Link Archer AX21
Detects potential exploitation attempt of CVE-2023-1389 an Unauthenticated Command Injection in TP-Link Archer AX21.
status test author Nasreddine Bencherchali (Nextron Systems), Rohit Jain id 6c7defa9-69f8-4c34-b815-41fce3931754
carbon_black query
(("cs-method":GET OR "cs-method":POST) ("cs-uri":\/cgi\-bin\/luci\/;stok=\/locale* "cs-uri":form=country*)) ("operation=write" OR "country=$\(")
view Sigma YAML 
title: CVE-2023-1389 Potential Exploitation Attempt - Unauthenticated Command Injection In TP-Link Archer AX21
id: 6c7defa9-69f8-4c34-b815-41fce3931754
status: test
description: |
    Detects potential exploitation attempt of CVE-2023-1389 an Unauthenticated Command Injection in TP-Link Archer AX21.
references:
    - https://www.tenable.com/security/research/tra-2023-11
    - https://github.com/Voyag3r-Security/CVE-2023-1389/blob/4ecada7335b17bf543c0e33b2c9fb6b6215c09ae/archer-rev-shell.py
    - https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal
author: Nasreddine Bencherchali (Nextron Systems), Rohit Jain
date: 2024-06-25
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2023-1389
    - detection.emerging-threats
logsource:
    category: proxy
detection:
    selection_uri:
        cs-method:
            - 'GET'
            - 'POST'
        cs-uri|contains|all:
            - '/cgi-bin/luci/;stok=/locale'
            - 'form=country'
    selection_keyword:
        - 'operation=write'
        - 'country=$('
    condition: all of selection_*
falsepositives:
    - Vulnerability Scanners
level: medium
Convert to SIEM query
medium
CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)
Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
status test author Andreas Braathen (mnemonic.io) id 1ddaa9a4-eb0b-4398-a9fe-7b018f9e23db
carbon_black query
((ParentImage:\\tomcat8.exe OR ParentImage:\\tomcat9.exe OR ParentImage:\\tomcat10.exe) ParentCommandLine:confluence*) ((Image:\\cmd.exe OR Image:\\powershell.exe) OR (OriginalFileName:Cmd.Exe OR OriginalFileName:PowerShell.EXE))
view Sigma YAML 
title: CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)
id: 1ddaa9a4-eb0b-4398-a9fe-7b018f9e23db
related:
    - id: f8987c03-4290-4c96-870f-55e75ee377f4
      type: similar
status: test
description: |
    Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
references:
    - https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html
    - https://www.huntress.com/blog/confluence-to-cerber-exploitation-of-cve-2023-22518-for-ransomware-deployment
    - https://github.com/ForceFledgling/CVE-2023-22518
author: Andreas Braathen (mnemonic.io)
date: 2023-11-14
tags:
    - attack.execution
    - attack.t1059
    - attack.initial-access
    - attack.t1190
    - cve.2023-22518
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            - '\tomcat8.exe'
            - '\tomcat9.exe'
            - '\tomcat10.exe'
        ParentCommandLine|contains: 'confluence'
    selection_child:
        # Note: Only children associated with known campaigns
        - Image|endswith:
              - '\cmd.exe'
              - '\powershell.exe'
        - OriginalFileName:
              - 'Cmd.Exe'
              - 'PowerShell.EXE'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
Convert to SIEM query
medium
CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Proxy)
Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
status test author Andreas Braathen (mnemonic.io) id 27d2cdde-9778-490e-91ec-9bd0be6e8cc6
carbon_black query
"cs-method":POST ("cs-uri":\/json\/setup\-restore\-local.action* OR "cs-uri":\/json\/setup\-restore\-progress.action* OR "cs-uri":\/json\/setup\-restore.action* OR "cs-uri":\/server\-info.action* OR "cs-uri":\/setup\/setupadministrator.action*) ("sc-status":200 OR "sc-status":302 OR "sc-status":405)
view Sigma YAML 
title: CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Proxy)
id: 27d2cdde-9778-490e-91ec-9bd0be6e8cc6
related:
    - id: a902d249-9b9c-4dc4-8fd0-fbe528ef965c
      type: similar
status: test
description: |
    Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
references:
    - https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html
    - https://www.huntress.com/blog/confluence-to-cerber-exploitation-of-cve-2023-22518-for-ransomware-deployment
    - https://github.com/ForceFledgling/CVE-2023-22518
author: Andreas Braathen (mnemonic.io)
date: 2023-11-14
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2023-22518
    - detection.emerging-threats
logsource:
    category: proxy
detection:
    selection_method:
        cs-method: 'POST'
    selection_uris:
        cs-uri|contains:
          # Exploitable endpoints
            - '/json/setup-restore-local.action'
            - '/json/setup-restore-progress.action'
            - '/json/setup-restore.action'
            - '/server-info.action'
            - '/setup/setupadministrator.action'
    selection_status:
        # Response code may be indicative of exploitation success, but is not always the case
        sc-status:
            - 200
            - 302
            - 405
    condition: all of selection_*
falsepositives:
    - Vulnerability scanners
level: medium
Convert to SIEM query
medium
CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Webserver)
Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
status test author Andreas Braathen (mnemonic.io) id a902d249-9b9c-4dc4-8fd0-fbe528ef965c
carbon_black query
"cs-method":POST ("cs-uri-query":\/json\/setup\-restore\-local.action* OR "cs-uri-query":\/json\/setup\-restore\-progress.action* OR "cs-uri-query":\/json\/setup\-restore.action* OR "cs-uri-query":\/server\-info.action* OR "cs-uri-query":\/setup\/setupadministrator.action*) ("sc-status":200 OR "sc-status":302 OR "sc-status":405)
view Sigma YAML 
title: CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Webserver)
id: a902d249-9b9c-4dc4-8fd0-fbe528ef965c
related:
    - id: 27d2cdde-9778-490e-91ec-9bd0be6e8cc6
      type: similar
status: test
description: |
    Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
references:
    - https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html
    - https://www.huntress.com/blog/confluence-to-cerber-exploitation-of-cve-2023-22518-for-ransomware-deployment
    - https://github.com/ForceFledgling/CVE-2023-22518
author: Andreas Braathen (mnemonic.io)
date: 2023-11-14
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2023-22518
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection_method:
        cs-method: 'POST'
    selection_uris:
        cs-uri-query|contains:
          # Exploitable endpoints
            - '/json/setup-restore-local.action'
            - '/json/setup-restore-progress.action'
            - '/json/setup-restore.action'
            - '/server-info.action'
            - '/setup/setupadministrator.action'
    selection_status:
        # Response code may be indicative of exploitation success, but is not always the case
        sc-status:
            - 200
            - 302
            - 405
    condition: all of selection_*
falsepositives:
    - Vulnerability scanners
level: medium
Convert to SIEM query
medium
CVE-2023-40477 Potential Exploitation - WinRAR Application Crash
Detects a crash of "WinRAR.exe" where the version is lower than 6.23. This could indicate potential exploitation of CVE-2023-40477
status test author Nasreddine Bencherchali (Nextron Systems) id e5a29b54-6fe7-4258-8a23-82960e31231a
carbon_black query
(Provider_Name:Application\ Error EventID:1000 AppName:WinRAR.exe) (-(AppVersion:6.23.* OR AppVersion:6.24.* OR AppVersion:6.25.* OR AppVersion:6.26.* OR AppVersion:7.*))
view Sigma YAML 
title: CVE-2023-40477 Potential Exploitation - WinRAR Application Crash
id: e5a29b54-6fe7-4258-8a23-82960e31231a
status: test
description: Detects a crash of "WinRAR.exe" where the version is lower than 6.23. This could indicate potential exploitation of CVE-2023-40477
references:
    - https://wildptr.io/winrar-cve-2023-40477-poc-new-vulnerability-winrar-security-research/
    - https://github.com/wildptr-io/Winrar-CVE-2023-40477-POC
    - https://www.rarlab.com/vuln_rev3_names.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-31
tags:
    - attack.execution
    - cve.2023-40477
    - detection.emerging-threats
logsource:
    product: windows
    service: application
detection:
    selection:
        Provider_Name: 'Application Error'
        EventID: 1000
        AppName: 'WinRAR.exe'
    filter_main_fixed_version:
        # TODO: fix this when the "lt" modifier is implemented for software versions
        AppVersion|startswith:
            - '6.23.'
            - '6.24.'
            - '6.25.'
            - '6.26.'
            - '7.'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate crash for reasons other than exploitation of the vulnerability
level: medium
Convert to SIEM query
medium
CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy
Detects potential exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via proxy logs.
status test author Nasreddine Bencherchali (Nextron Systems), Michael Haag (STRT) id ff349b81-617f-4af4-924f-dbe8ea9bab41
carbon_black query
"cs-method":GET "cs-uri":\/oauth\/idp\/.well\-known\/openid\-configuration* "sc-status":200
view Sigma YAML 
title: CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy
id: ff349b81-617f-4af4-924f-dbe8ea9bab41
related:
    - id: 87c83d8e-5390-44ce-aa4a-d3b37e54d0a0 # Webserver Attempt
      type: similar
    - id: aee7681f-b53d-4594-a9de-ac51e6ad3362 # Proxy Exploit
      type: similar
    - id: a4e068b5-e27c-4f21-85b3-e69e5a4f7ce1 # Webserver Exploit
      type: similar
status: test
description: Detects potential exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via proxy logs.
references:
    - https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967
    - https://attackerkb.com/topics/2faW2CxJgQ/cve-2023-4966
    - https://www.rapid7.com/blog/post/2023/10/25/etr-cve-2023-4966-exploitation-of-citrix-netscaler-information-disclosure-vulnerability/
    - https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966
    - https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966
author: Nasreddine Bencherchali (Nextron Systems), Michael Haag (STRT)
date: 2023-11-28
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2023-4966
    - detection.emerging-threats
logsource:
    category: proxy
detection:
    selection:
        cs-method: 'GET'
        cs-uri|contains: '/oauth/idp/.well-known/openid-configuration'
        sc-status: 200
    condition: selection
falsepositives:
    - Vulnerability scanners
level: medium
Convert to SIEM query
medium
CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver
Detects potential exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via webserver logs.
status test author Nasreddine Bencherchali (Nextron Systems), Michael Haag (STRT) id 87c83d8e-5390-44ce-aa4a-d3b37e54d0a0
carbon_black query
"cs-method":GET "cs-uri-stem":\/oauth\/idp\/.well\-known\/openid\-configuration* "sc-status":200
view Sigma YAML 
title: CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver
id: 87c83d8e-5390-44ce-aa4a-d3b37e54d0a0
related:
    - id: ff349b81-617f-4af4-924f-dbe8ea9bab41 # Proxy Attempt
      type: similar
    - id: aee7681f-b53d-4594-a9de-ac51e6ad3362 # Proxy Exploit
      type: similar
    - id: a4e068b5-e27c-4f21-85b3-e69e5a4f7ce1 # Webserver Exploit
      type: similar
status: test
description: Detects potential exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via webserver logs.
references:
    - https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967
    - https://attackerkb.com/topics/2faW2CxJgQ/cve-2023-4966
    - https://www.rapid7.com/blog/post/2023/10/25/etr-cve-2023-4966-exploitation-of-citrix-netscaler-information-disclosure-vulnerability/
    - https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966
    - https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966
author: Nasreddine Bencherchali (Nextron Systems), Michael Haag (STRT)
date: 2023-11-28
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2023-4966
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection:
        cs-method: 'GET'
        cs-uri-stem|contains: '/oauth/idp/.well-known/openid-configuration'
        sc-status: 200
    condition: selection
falsepositives:
    - Vulnerability scanners
level: medium
Convert to SIEM query
medium
CVE-2024-1708 - ScreenConnect Path Traversal Exploitation
This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708.
status test author Matt Anderson, Andrew Schwartz, Caleb Stewart, Huntress id 44d7af7e-88e6-4490-be11-55f7ff4d9fc1
carbon_black query
(Image:\\ScreenConnect.Service.exe (TargetFilename:ScreenConnect\\App_Extensions\\*.ashx OR TargetFilename:ScreenConnect\\App_Extensions\\*.aspx)) (-TargetFilename:ScreenConnect\\App_Extensions\\*\\*)
view Sigma YAML 
title: CVE-2024-1708 - ScreenConnect Path Traversal Exploitation
id: 44d7af7e-88e6-4490-be11-55f7ff4d9fc1
related:
    - id: 4c198a60-7d05-4daf-8bf7-4136fb6f5c62
      type: similar
status: test
description: |
    This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708.
references:
    - https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
    - https://www.cve.org/CVERecord?id=CVE-2024-1709
    - https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass
author: Matt Anderson, Andrew Schwartz, Caleb Stewart, Huntress
date: 2024-02-21
tags:
    - attack.persistence
    - cve.2024-1708
    - detection.emerging-threats
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith: '\ScreenConnect.Service.exe'
        TargetFilename|endswith:
            - 'ScreenConnect\\App_Extensions\\*.ashx'
            - 'ScreenConnect\\App_Extensions\\*.aspx'
    filter_main_legit_extension:
        TargetFilename|contains: 'ScreenConnect\App_Extensions\\*\\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - This will occur legitimately as well and will result in some benign activity.
level: medium
Convert to SIEM query
medium
Cab File Extraction Via Wusa.EXE
Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility to extract cab using the "/extract" argument that is no longer supported.
status test author Nasreddine Bencherchali (Nextron Systems) id 59b39960-5f9d-4a49-9cef-1e4d2c1d0cb9
carbon_black query
Image:\\wusa.exe CommandLine:\/extract\:*
view Sigma YAML 
title: Cab File Extraction Via Wusa.EXE
id: 59b39960-5f9d-4a49-9cef-1e4d2c1d0cb9
related:
    - id: c74c0390-3e20-41fd-a69a-128f0275a5ea
      type: derived
status: test
description: |
    Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility to extract cab using the "/extract" argument that is no longer supported.
references:
    - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-04
modified: 2024-08-15
tags:
    - attack.execution
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\wusa.exe'
        CommandLine|contains: '/extract:'
    condition: selection
falsepositives:
    - The "extract" flag still works on older 'wusa.exe' versions, which could be a legitimate use (monitor the path of the cab being extracted)
level: medium
Convert to SIEM query
medium
Capture Credentials with Rpcping.exe
Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.
status test author Julia Fomina, oscd.community id 93671f99-04eb-4ab4-a161-70d446a84003
carbon_black query
((Image:\\RpcPing.exe OR OriginalFileName:\\RpcPing.exe) (CommandLine:\-s* OR CommandLine:\/s* OR CommandLine:–s* OR CommandLine:—s* OR CommandLine:―s*)) (((CommandLine:\-u* OR CommandLine:\/u* OR CommandLine:–u* OR CommandLine:—u* OR CommandLine:―u*) CommandLine:NTLM*) OR ((CommandLine:\-t* OR CommandLine:\/t* OR CommandLine:–t* OR CommandLine:—t* OR CommandLine:―t*) CommandLine:ncacn_np*))
view Sigma YAML 
title: Capture Credentials with Rpcping.exe
id: 93671f99-04eb-4ab4-a161-70d446a84003
status: test
description: Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Rpcping/
    - https://twitter.com/vysecurity/status/974806438316072960
    - https://twitter.com/vysecurity/status/873181705024266241
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)
author: Julia Fomina, oscd.community
date: 2020-10-09
modified: 2025-10-31
tags:
    - attack.credential-access
    - attack.t1003
logsource:
    category: process_creation
    product: windows
detection:
    selection_main_img:
        - Image|endswith: '\RpcPing.exe'
        - OriginalFileName: '\RpcPing.exe'
    selection_main_flag:
        CommandLine|contains|windash: '-s'
    selection_cli_ntlm:
        CommandLine|contains|windash: '-u'
        CommandLine|contains: 'NTLM'
    selection_cli_ncacn:
        CommandLine|contains|windash: '-t'
        CommandLine|contains: 'ncacn_np'
    condition: all of selection_main_* and 1 of selection_cli_*
falsepositives:
    - Unlikely
level: medium
Convert to SIEM query
medium
Certificate Exported From Local Certificate Store
Detects when an application exports a certificate (and potentially the private key as well) from the local Windows certificate store.
status test author Zach Mathis id 58c0bff0-40a0-46e8-b5e8-b734b84d2017
carbon_black query
EventID:1007
view Sigma YAML 
title: Certificate Exported From Local Certificate Store
id: 58c0bff0-40a0-46e8-b5e8-b734b84d2017
status: test
description: Detects when an application exports a certificate (and potentially the private key as well) from the local Windows certificate store.
references:
    - https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html
author: Zach Mathis
date: 2023-05-13
tags:
    - attack.credential-access
    - attack.t1649
logsource:
    product: windows
    service: certificateservicesclient-lifecycle-system
detection:
    selection:
        EventID: 1007 # A certificate has been exported
    condition: selection
falsepositives:
    - Legitimate application requesting certificate exports will trigger this. Apply additional filters as needed
level: medium
Convert to SIEM query
medium
Certificate Exported Via Certutil.EXE
Detects the execution of the certutil with the "exportPFX" flag which allows the utility to export certificates.
status test author Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems) id 3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5
carbon_black query
(Image:\\certutil.exe OR OriginalFileName:CertUtil.exe) (CommandLine:\-exportPFX\ * OR CommandLine:\/exportPFX\ * OR CommandLine:–exportPFX\ * OR CommandLine:—exportPFX\ * OR CommandLine:―exportPFX\ *)
view Sigma YAML 
title: Certificate Exported Via Certutil.EXE
id: 3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5
status: test
description: Detects the execution of the certutil with the "exportPFX" flag which allows the utility to export certificates.
references:
    - https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-15
modified: 2024-03-05
tags:
    - attack.stealth
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\certutil.exe'
        - OriginalFileName: 'CertUtil.exe'
    selection_cli:
        CommandLine|contains|windash: '-exportPFX '
    condition: all of selection_*
falsepositives:
    - There legitimate reasons to export certificates. Investigate the activity to determine if it's benign
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_export_pfx/info.yml
Convert to SIEM query
medium
Certificate Exported Via PowerShell
Detects calls to cmdlets that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.
status test author Nasreddine Bencherchali (Nextron Systems) id 9e716b33-63b2-46da-86a4-bd3c3b9b5dfb
carbon_black query
CommandLine:Export\-PfxCertificate\ * OR CommandLine:Export\-Certificate\ *
view Sigma YAML 
title: Certificate Exported Via PowerShell
id: 9e716b33-63b2-46da-86a4-bd3c3b9b5dfb
related:
    - id: aa7a3fce-bef5-4311-9cc1-5f04bb8c308c
      type: similar
status: test
description: Detects calls to cmdlets that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.
references:
    - https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a
    - https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps
    - https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-18
tags:
    - attack.credential-access
    - attack.execution
    - attack.t1552.004
    - attack.t1059.001
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - 'Export-PfxCertificate '
            - 'Export-Certificate '
    condition: selection
falsepositives:
    - Legitimate certificate exports by administrators. Additional filters might be required.
level: medium
Convert to SIEM query
medium
Certificate Exported Via PowerShell - ScriptBlock
Detects calls to cmdlets inside of PowerShell scripts that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.
status test author Florian Roth (Nextron Systems) id aa7a3fce-bef5-4311-9cc1-5f04bb8c308c
carbon_black query
(ScriptBlockText:Export\-PfxCertificate* OR ScriptBlockText:Export\-Certificate*) (-ScriptBlockText:CmdletsToExport\ =\ @\(*)
view Sigma YAML 
title: Certificate Exported Via PowerShell - ScriptBlock
id: aa7a3fce-bef5-4311-9cc1-5f04bb8c308c
related:
    - id: 9e716b33-63b2-46da-86a4-bd3c3b9b5dfb
      type: similar
status: test
description: Detects calls to cmdlets inside of PowerShell scripts that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.
references:
    - https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a
    - https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps
    - https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html
author: Florian Roth (Nextron Systems)
date: 2021-04-23
modified: 2023-05-18
tags:
    - attack.credential-access
    - attack.t1552.004
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'Export-PfxCertificate'
            - 'Export-Certificate'
    filter_optional_module_export:
        ScriptBlockText|contains: 'CmdletsToExport = @('
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Legitimate certificate exports by administrators. Additional filters might be required.
level: medium
Convert to SIEM query
medium
Certificate Private Key Acquired
Detects when an application acquires a certificate private key
status test author Zach Mathis id e2b5163d-7deb-4566-9af3-40afea6858c3
carbon_black query
EventID:70
view Sigma YAML 
title: Certificate Private Key Acquired
id: e2b5163d-7deb-4566-9af3-40afea6858c3
status: test
description: Detects when an application acquires a certificate private key
references:
    - https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html
author: Zach Mathis
date: 2023-05-13
tags:
    - attack.credential-access
    - attack.t1649
logsource:
    product: windows
    service: capi2
    definition: 'Requirements: The CAPI2 Operational log needs to be enabled'
detection:
    selection:
        EventID: 70 # Acquire Certificate Private Key
    condition: selection
falsepositives:
    - Legitimate application requesting certificate exports will trigger this. Apply additional filters as needed
level: medium
Convert to SIEM query
medium
Certificate Use With No Strong Mapping
Detects a user certificate that was valid but could not be mapped to a user in a strong way (such as via explicit mapping, key trust mapping, or a SID) This could be a sign of exploitation of the elevation of privilege vulnerabilities (CVE-2022-34691, CVE-2022-26931, CVE-2022-26923) that can occur when the KDC allows certificate spoofing by not requiring a strong mapping. Events where the AccountName and CN of the Subject do not match, or where the CN ends in a dollar sign indicating a machine, may indicate certificate spoofing.
status test author @br4dy5 id 993c2665-e6ef-40e3-a62a-e1a97686af79
carbon_black query
(Provider_Name:Kerberos\-Key\-Distribution\-Center OR Provider_Name:Microsoft\-Windows\-Kerberos\-Key\-Distribution\-Center) (EventID:39 OR EventID:41)
view Sigma YAML 
title: Certificate Use With No Strong Mapping
id: 993c2665-e6ef-40e3-a62a-e1a97686af79
status: test
description: |
    Detects a user certificate that was valid but could not be mapped to a user in a strong way (such as via explicit mapping, key trust mapping, or a SID)
    This could be a sign of exploitation of the elevation of privilege vulnerabilities (CVE-2022-34691, CVE-2022-26931, CVE-2022-26923) that can occur when the KDC allows certificate spoofing by not requiring a strong mapping.
    Events where the AccountName and CN of the Subject do not match, or where the CN ends in a dollar sign indicating a machine, may indicate certificate spoofing.
references:
    - https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16
author: '@br4dy5'
date: 2023-10-09
modified: 2025-09-22
tags:
    - attack.privilege-escalation
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name:
            - 'Kerberos-Key-Distribution-Center'
            - 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        EventID:
            - 39
            - 41 # For Windows Server 2008 R2 SP1 and Windows Server 2008 SP2
    condition: selection
falsepositives:
    - If prevalent in the environment, filter on events where the AccountName and CN of the Subject do not reference the same user
    - If prevalent in the environment, filter on CNs that end in a dollar sign indicating it is a machine name
level: medium
Convert to SIEM query
medium
Certificate-Based Authentication Enabled
Detects when certificate based authentication has been enabled in an Azure Active Directory tenant.
status test author Harjot Shah Singh, '@cyb3rjy0t' id c2496b41-16a9-4016-a776-b23f8910dc58
carbon_black query
OperationName:Authentication\ Methods\ Policy\ Update "TargetResources.modifiedProperties":AuthenticationMethodsPolicy*
view Sigma YAML 
title: Certificate-Based Authentication Enabled
id: c2496b41-16a9-4016-a776-b23f8910dc58
status: test
description: Detects when certificate based authentication has been enabled in an Azure Active Directory tenant.
references:
    - https://posts.specterops.io/passwordless-persistence-and-privilege-escalation-in-azure-98a01310be3f
    - https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/
author: Harjot Shah Singh, '@cyb3rjy0t'
date: 2024-03-26
tags:
    - attack.credential-access
    - attack.persistence
    - attack.privilege-escalation
    - attack.defense-impairment
    - attack.t1556
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        OperationName: 'Authentication Methods Policy Update'
        TargetResources.modifiedProperties|contains: 'AuthenticationMethodsPolicy'
    condition: selection
falsepositives:
    - Unknown
level: medium
Convert to SIEM query
medium
Change PowerShell Policies to an Insecure Level
Detects changing the PowerShell script execution policy to a potentially insecure level using the "-ExecutionPolicy" flag.
status test author frack113 id 87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180
carbon_black query
(((OriginalFileName:powershell_ise.exe OR OriginalFileName:PowerShell.EXE OR OriginalFileName:pwsh.dll) OR (Image:\\powershell_ise.exe OR Image:\\powershell.exe OR Image:\\pwsh.exe)) (CommandLine:\-executionpolicy\ * OR CommandLine:\ \-ep\ * OR CommandLine:\ \-exec\ *) (CommandLine:Bypass* OR CommandLine:Unrestricted*)) (-((ParentImage:C\:\\Windows\\SysWOW64\\msiexec.exe OR ParentImage:C\:\\Windows\\System32\\msiexec.exe) (CommandLine:\-NoProfile\ \-ExecutionPolicy\ Bypass\ \-File\ \"C\:\\Program\ Files\\PowerShell\\7\\* OR CommandLine:\-NoProfile\ \-ExecutionPolicy\ Bypass\ \-File\ \"C\:\\Program\ Files\ \(x86\)\\PowerShell\\7\\*))) (-((ParentImage:C\:\\Program\ Files\\Avast\ Software\\Avast\\* OR ParentImage:C\:\\Program\ Files\ \(x86\)\\Avast\ Software\\Avast\\* OR ParentImage:\\instup.exe*) (CommandLine:\-ExecutionPolicy\ ByPass\ \-File\ \"C\:\\Program\ Files\\Avast\ Software\\Avast* OR CommandLine:\-ExecutionPolicy\ ByPass\ \-File\ \"C\:\\Program\ Files\ \(x86\)\\Avast\ Software\\Avast\\*)))
view Sigma YAML 
title: Change PowerShell Policies to an Insecure Level
id: 87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180
related:
    - id: cf2e938e-9a3e-4fe8-a347-411642b28a9f # ProcCreation Registry
      type: similar
    - id: 61d0475c-173f-4844-86f7-f3eebae1c66b # ScriptBlock
      type: similar
    - id: fad91067-08c5-4d1a-8d8c-d96a21b37814 # Registry
      type: similar
status: test
description: Detects changing the PowerShell script execution policy to a potentially insecure level using the "-ExecutionPolicy" flag.
references:
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4
    - https://adsecurity.org/?p=2604
    - https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/
author: frack113
date: 2021-11-01
modified: 2025-10-07
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - OriginalFileName:
              - 'powershell_ise.exe'
              - 'PowerShell.EXE'
              - 'pwsh.dll'
        - Image|endswith:
              - '\powershell_ise.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
    selection_option:
        CommandLine|contains:
            - '-executionpolicy '
            - ' -ep '
            - ' -exec '
    selection_level:
        CommandLine|contains:
            - 'Bypass'
            - 'Unrestricted'
    filter_main_powershell_core:
        ParentImage:
            - 'C:\Windows\SysWOW64\msiexec.exe'
            - 'C:\Windows\System32\msiexec.exe'
        CommandLine|contains:
            - '-NoProfile -ExecutionPolicy Bypass -File "C:\Program Files\PowerShell\7\'
            - '-NoProfile -ExecutionPolicy Bypass -File "C:\Program Files (x86)\PowerShell\7\'
    filter_optional_avast:
        ParentImage|contains:
            - 'C:\Program Files\Avast Software\Avast\'
            - 'C:\Program Files (x86)\Avast Software\Avast\'
            - '\instup.exe'
        CommandLine|contains:
            - '-ExecutionPolicy ByPass -File "C:\Program Files\Avast Software\Avast'
            - '-ExecutionPolicy ByPass -File "C:\Program Files (x86)\Avast Software\Avast\'
    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Administrator scripts
level: medium
Convert to SIEM query
medium
Change PowerShell Policies to an Insecure Level - PowerShell
Detects changing the PowerShell script execution policy to a potentially insecure level using the "Set-ExecutionPolicy" cmdlet.
status test author frack113 id 61d0475c-173f-4844-86f7-f3eebae1c66b
carbon_black query
(ScriptBlockText:Set\-ExecutionPolicy* (ScriptBlockText:Unrestricted* OR ScriptBlockText:bypass*)) (-(ScriptBlockText:\(New\-Object\ System.Net.WebClient\).DownloadString\('https\:\/\/community.chocolatey.org\/install.ps1'\)* OR ScriptBlockText:\(New\-Object\ System.Net.WebClient\).DownloadString\('https\:\/\/chocolatey.org\/install.ps1'\)*))
view Sigma YAML 
title: Change PowerShell Policies to an Insecure Level - PowerShell
id: 61d0475c-173f-4844-86f7-f3eebae1c66b
related:
    - id: cf2e938e-9a3e-4fe8-a347-411642b28a9f # ProcCreation Registry
      type: similar
    - id: 87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180 # ProcCreation Cmdlet
      type: similar
    - id: fad91067-08c5-4d1a-8d8c-d96a21b37814 # Registry
      type: similar
status: test
description: Detects changing the PowerShell script execution policy to a potentially insecure level using the "Set-ExecutionPolicy" cmdlet.
references:
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4
    - https://adsecurity.org/?p=2604
author: frack113
date: 2021-10-20
modified: 2023-12-14
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_cmdlet:
        ScriptBlockText|contains: 'Set-ExecutionPolicy'
    selection_option:
        ScriptBlockText|contains:
            - 'Unrestricted'
            - 'bypass'
    filter_optional_chocolatey:
        ScriptBlockText|contains:
            - "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')"
            - "(New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1')"
    condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
    - Administrator script
level: medium
Convert to SIEM query
medium
Change User Agents with WebRequest
Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
status test author frack113 id d4488827-73af-4f8d-9244-7b7662ef046e
carbon_black query
(ScriptBlockText:Invoke\-WebRequest* OR ScriptBlockText:Invoke\-RestMethod* OR ScriptBlockText:\ irm\ * OR ScriptBlockText:iwr\ *) ScriptBlockText:\-UserAgent\ *
view Sigma YAML 
title: Change User Agents with WebRequest
id: d4488827-73af-4f8d-9244-7b7662ef046e
status: test
description: |
    Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic.
    Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#t1071001---web-protocols
author: frack113
date: 2022-01-23
modified: 2025-07-18
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_webrequest:
        ScriptBlockText|contains:
            - 'Invoke-WebRequest'
            - 'Invoke-RestMethod'
            - ' irm ' # Space before and after to avoid false positives with 'irm' as a variable
            - 'iwr '
    selection_useragent:
        ScriptBlockText|contains: '-UserAgent '
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
Convert to SIEM query
medium
Change to Authentication Method
Change to authentication method could be an indicator of an attacker adding an auth method to the account so they can have continued access.
status test author AlertIQ id 4d78a000-ab52-4564-88a5-7ab5242b20c7
carbon_black query
LoggedByService:Authentication\ Methods Category:UserManagement OperationName:User\ registered\ security\ info
view Sigma YAML 
title: Change to Authentication Method
id: 4d78a000-ab52-4564-88a5-7ab5242b20c7
status: test
description: Change to authentication method could be an indicator of an attacker adding an auth method to the account so they can have continued access.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
author: AlertIQ
date: 2021-10-10
modified: 2022-12-25
tags:
    - attack.privilege-escalation
    - attack.credential-access
    - attack.defense-impairment
    - attack.t1556
    - attack.persistence
    - attack.t1098
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        LoggedByService: 'Authentication Methods'
        Category: 'UserManagement'
        OperationName: 'User registered security info'
    condition: selection
falsepositives:
    - Unknown
level: medium
Convert to SIEM query
medium
Changing Existing Service ImagePath Value Via Reg.EXE
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
status test author frack113 id 9b0b7ac3-6223-47aa-a3fd-e8f211e637db
carbon_black query
(Image:\\reg.exe (CommandLine:add\ * CommandLine:SYSTEM\\CurrentControlSet\\Services\\* CommandLine:\ ImagePath\ *)) (CommandLine:\ \-d\ * OR CommandLine:\ \/d\ * OR CommandLine:\ –d\ * OR CommandLine:\ —d\ * OR CommandLine:\ ―d\ *)
view Sigma YAML 
title: Changing Existing Service ImagePath Value Via Reg.EXE
id: 9b0b7ac3-6223-47aa-a3fd-e8f211e637db
status: test
description: |
    Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.
    Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.
    Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-2---service-imagepath-change-with-regexe
author: frack113
date: 2021-12-30
modified: 2024-03-13
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.011
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\reg.exe'
        CommandLine|contains|all:
            - 'add '
            - 'SYSTEM\CurrentControlSet\Services\'
            - ' ImagePath '
    selection_value:
        CommandLine|contains|windash: ' -d '
    condition: all of selection*
falsepositives:
    - Unknown
level: medium
Convert to SIEM query
medium
Chmod Targeting Sensitive Directories
Detects chmod targeting files in sensitive directory paths on Linux systems. Attackers may use chmod to change permissions of files in these directories to maintain persistence, escalate privileges, or disrupt system operations.
status test author Christopher Peacock @SecurePeacock, SCYTHE @scythe_io id 6419afd1-3742-47a5-a7e6-b50386cd15f8
carbon_black query
(Image:\/chmod (CommandLine:\/tmp\/* OR CommandLine:\/.Library\/* OR CommandLine:\/etc\/* OR CommandLine:\/opt\/*)) (-((CommandLine:chmod\ \-\-reference=\/etc\/shells* ParentCommandLine:\/update\-shells) OR (CommandLine:\/etc\/* (ParentCommandLine:\/var\/lib\/dpkg\/info\/* ParentCommandLine:.postinst\ configure*)) OR CommandLine:chmod\ 700\ \/tmp\/apt\-key\-gpghome.* OR CommandLine:chmod\ 755\ \/var\/tmp\/mkinitramfs* OR CommandLine:chmod\ 0775\ \/etc\/landscape\/ OR CommandLine:chmod\ 644\ \/etc\/apparmor.d\/tunables\/home.d\/ubuntu))
view Sigma YAML 
title: Chmod Targeting Sensitive Directories
id: 6419afd1-3742-47a5-a7e6-b50386cd15f8
status: test
description: |
    Detects chmod targeting files in sensitive directory paths on Linux systems.
    Attackers may use chmod to change permissions of files in these directories to maintain persistence, escalate privileges, or disrupt system operations.
references:
    - https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md
author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
date: 2022-06-03
modified: 2026-03-18
tags:
    - attack.defense-impairment
    - attack.t1222.002
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/chmod'
        CommandLine|contains:
            - '/tmp/'
            - '/.Library/'
            - '/etc/'
            - '/opt/'
    filter_main_update_shells:
        CommandLine|contains: 'chmod --reference=/etc/shells'
        ParentCommandLine|endswith: '/update-shells'
    filter_main_postinst:
        CommandLine|contains: '/etc/'
        ParentCommandLine|contains|all:
            - '/var/lib/dpkg/info/'
            - '.postinst configure'
    filter_main_apt_key:
        CommandLine|startswith: 'chmod 700 /tmp/apt-key-gpghome.'
    filter_main_mkinitramfs:
        CommandLine|startswith: 'chmod 755 /var/tmp/mkinitramfs'
    filter_main_landscape:
        CommandLine: 'chmod 0775 /etc/landscape/'
    filter_main_ubuntu_apparmor:
        CommandLine: 'chmod 644 /etc/apparmor.d/tunables/home.d/ubuntu'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Some false positives are to be expected. Apply additional filters as needed before pushing to production.
level: medium
Convert to SIEM query
medium
Chromium Browser Instance Executed With Custom Extension
Detects a Chromium based browser process with the 'load-extension' flag to start a instance with a custom extension
status test author Aedan Russell, frack113, X__Junior (Nextron Systems) id 88d6e60c-759d-4ac1-a447-c0f1466c2d21
carbon_black query
(Image:\\brave.exe OR Image:\\chrome.exe OR Image:\\msedge.exe OR Image:\\opera.exe OR Image:\\vivaldi.exe) CommandLine:\-\-load\-extension=*
view Sigma YAML 
title: Chromium Browser Instance Executed With Custom Extension
id: 88d6e60c-759d-4ac1-a447-c0f1466c2d21
related:
    - id: 27ba3207-dd30-4812-abbf-5d20c57d474e
      type: similar
status: test
description: Detects a Chromium based browser process with the 'load-extension' flag to start a instance with a custom extension
references:
    - https://redcanary.com/blog/chromeloader/
    - https://emkc.org/s/RJjuLa
    - https://www.mandiant.com/resources/blog/lnk-between-browsers
author: Aedan Russell, frack113, X__Junior (Nextron Systems)
date: 2022-06-19
modified: 2023-11-28
tags:
    - attack.persistence
    - attack.t1176.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\brave.exe'
            - '\chrome.exe'
            - '\msedge.exe'
            - '\opera.exe'
            - '\vivaldi.exe'
        CommandLine|contains: '--load-extension='
    condition: selection
falsepositives:
    - Usage of Chrome Extensions in testing tools such as BurpSuite will trigger this alert
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension/info.yml
Convert to SIEM query
medium
Cisco Denial of Service
Detect a system being shutdown or put into different boot mode
status test author Austin Clark id d94a35f0-7a29-45f6-90a0-80df6159967c
carbon_black query
"shutdown" OR "config\-register\ 0x2100" OR "config\-register\ 0x2142"
view Sigma YAML 
title: Cisco Denial of Service
id: d94a35f0-7a29-45f6-90a0-80df6159967c
status: test
description: Detect a system being shutdown or put into different boot mode
author: Austin Clark
date: 2019-08-15
modified: 2023-01-04
tags:
    - attack.impact
    - attack.t1495
    - attack.t1529
    - attack.t1565.001
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        - 'shutdown'
        - 'config-register 0x2100'
        - 'config-register 0x2142'
    condition: keywords
falsepositives:
    - Legitimate administrators may run these commands, though rarely.
level: medium
Convert to SIEM query
medium
Cisco Dot1x Disabled
Detects the manual disablement of IEEE 802.1X (dot1x) on a Cisco network device interface. Disabling dot1x bypasses Network Access Control (NAC) mechanisms, potentially allowing unauthorized devices to gain access to the internal network. This activity is a common technique used by attackers or malicious insiders to establish persistence or perform lateral movement via rogue devices.
status experimental author Luc Génaux id ef0ff092-a24a-4fbc-beea-06c08d53e085
carbon_black query
"access\-session\ port\-control\ force\-authorized" OR "authentication\ port\-control\ force\-authorized" OR "dot1x\ port\-control\ force\-authorized" OR "no\ access\-session\ port\-control" OR "no\ authentication\ port\-control" OR "no\ dot1x\ port\-control" OR "no\ dot1x\ system\-auth\-control"
view Sigma YAML 
title: Cisco Dot1x Disabled
id: ef0ff092-a24a-4fbc-beea-06c08d53e085
status: experimental
description: |
    Detects the manual disablement of IEEE 802.1X (dot1x) on a Cisco network device interface.
    Disabling dot1x bypasses Network Access Control (NAC) mechanisms, potentially allowing unauthorized devices to gain access to the internal network.
    This activity is a common technique used by attackers or malicious insiders to establish persistence or perform lateral movement via rogue devices.
references:
    - https://www.cisco.com/en/US/docs/ios-xml/ios/san/command/san-xe-3se-3850-cr-book_chapter_00.html#wp3394428680 # Modern IOS-XE
    - https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-xe-3se-3850-cr-book/sec-a1-xe-3se-3850-cr-book_chapter_010.html#wp3502072400 # Older IOS
    - https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_53_se/command/reference/2960ComRef/cli1.html#47220 # Legacy
author: Luc Génaux
date: 2026-04-28
tags:
    - attack.persistence
    - attack.credential-access
    - attack.defense-impairment
    - attack.t1685
    - attack.t1556.004
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        # xxx port-control force-authorized : disables 802.1X authentication and causes the port to change to the authorized state without any authentication exchange required
        # no xxx port-control : causes the port to fallback to the default setting which is "force-authorized", thereby disabling 802.1X
        - 'access-session port-control force-authorized' # Modern IOS-XE
        - 'authentication port-control force-authorized' # Older IOS
        - 'dot1x port-control force-authorized' # Legacy
        - 'no access-session port-control' # Modern IOS-XE
        - 'no authentication port-control' # Older IOS
        - 'no dot1x port-control' # Legacy
        - 'no dot1x system-auth-control' # disables 802.1X globally
    condition: keywords
falsepositives:
    - Administrator troubleshooting connectivity issues
level: medium
# regression_tests_path: regression_data/rules/cisco/aaa/cisco_cli_dot1x_disabled/info.yml
Convert to SIEM query
medium
Cisco Duo Successful MFA Authentication Via Bypass Code
Detects when a successful MFA authentication occurs due to the use of a bypass code. A bypass code is a temporary passcode created by an administrator for a specific user to access a Duo-protected application. These are generally used as "backup codes," so that enrolled users who are having problems with their mobile devices (e.g., mobile service is disrupted, the device is lost or stolen, etc.) or who temporarily can't use their enrolled devices (on a plane without mobile data services) can still access their Duo-protected systems.
status test author Nikita Khalimonenkov id 6f7e1c10-2dc9-4312-adb6-9574ff09a5c8
carbon_black query
event_type:authentication reason:bypass_user
view Sigma YAML 
title: Cisco Duo Successful MFA Authentication Via Bypass Code
id: 6f7e1c10-2dc9-4312-adb6-9574ff09a5c8
status: test
description: |
    Detects when a successful MFA authentication occurs due to the use of a bypass code.
    A bypass code is a temporary passcode created by an administrator for a specific user to access a Duo-protected application. These are generally used as "backup codes," so that enrolled users who are having problems with their mobile devices (e.g., mobile service is disrupted, the device is lost or stolen, etc.) or who temporarily can't use their enrolled devices (on a plane without mobile data services) can still access their Duo-protected systems.
references:
    - https://duo.com/docs/adminapi#logs
    - https://help.duo.com/s/article/6327?language=en_US
author: Nikita Khalimonenkov
date: 2024-04-17
tags:
    - attack.credential-access
    - attack.initial-access
    - attack.stealth
logsource:
    product: cisco
    service: duo
detection:
    selection:
        event_type: authentication
        reason: bypass_user
    condition: selection
falsepositives:
    - Legitimate user that was assigned on purpose to a bypass group
level: medium
Convert to SIEM query
medium
Cisco File Deletion
See what files are being deleted from flash file systems
status test author Austin Clark id 71d65515-c436-43c0-841b-236b1f32c21e
carbon_black query
"erase" OR "delete" OR "format"
view Sigma YAML 
title: Cisco File Deletion
id: 71d65515-c436-43c0-841b-236b1f32c21e
status: test
description: See what files are being deleted from flash file systems
author: Austin Clark
date: 2019-08-12
modified: 2023-01-04
tags:
    - attack.impact
    - attack.stealth
    - attack.t1070.004
    - attack.t1561.001
    - attack.t1561.002
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        - 'erase'
        - 'delete'
        - 'format'
    condition: keywords
falsepositives:
    - Will be used sometimes by admins to clean up local flash space
level: medium
Convert to SIEM query
medium
Cisco Modify Configuration
Modifications to a config that will serve an adversary's impacts or persistence
status test author Austin Clark id 671ffc77-50a7-464f-9e3d-9ea2b493b26b
carbon_black query
"ip\ http\ server" OR "ip\ https\ server" OR "kron\ policy\-list" OR "kron\ occurrence" OR "policy\-list" OR "access\-list" OR "ip\ access\-group" OR "archive\ maximum" OR "ntp\ server"
view Sigma YAML 
title: Cisco Modify Configuration
id: 671ffc77-50a7-464f-9e3d-9ea2b493b26b
status: test
description: Modifications to a config that will serve an adversary's impacts or persistence
author: Austin Clark
date: 2019-08-12
modified: 2025-04-28
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.impact
    - attack.t1490
    - attack.t1505
    - attack.t1565.002
    - attack.t1053
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        - 'ip http server'
        - 'ip https server'
        - 'kron policy-list'
        - 'kron occurrence'
        - 'policy-list'
        - 'access-list'
        - 'ip access-group'
        - 'archive maximum'
        - 'ntp server'
    condition: keywords
falsepositives:
    - Legitimate administrators may run these commands
level: medium
Convert to SIEM query
medium
Cisco Show Commands Input
See what commands are being input into the device by other people, full credentials can be in the history
status test author Austin Clark id b094d9fb-b1ad-4650-9f1a-fb7be9f1d34b
carbon_black query
"show\ history" OR "show\ history\ all" OR "show\ logging"
view Sigma YAML 
title: Cisco Show Commands Input
id: b094d9fb-b1ad-4650-9f1a-fb7be9f1d34b
status: test
description: See what commands are being input into the device by other people, full credentials can be in the history
author: Austin Clark
date: 2019-08-11
modified: 2023-01-04
tags:
    - attack.credential-access
    - attack.t1552.003
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        - 'show history'
        - 'show history all'
        - 'show logging'
    condition: keywords
falsepositives:
    - Not commonly run by administrators, especially if remote logging is configured
level: medium
Convert to SIEM query
medium
Cisco Sniffing
Show when a monitor or a span/rspan is setup or modified
status test author Austin Clark id b9e1f193-d236-4451-aaae-2f3d2102120d
carbon_black query
"monitor\ capture\ point" OR "set\ span" OR "set\ rspan"
view Sigma YAML 
title: Cisco Sniffing
id: b9e1f193-d236-4451-aaae-2f3d2102120d
status: test
description: Show when a monitor or a span/rspan is setup or modified
author: Austin Clark
date: 2019-08-11
modified: 2023-01-04
tags:
    - attack.credential-access
    - attack.discovery
    - attack.t1040
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        - 'monitor capture point'
        - 'set span'
        - 'set rspan'
    condition: keywords
falsepositives:
    - Admins may setup new or modify old spans, or use a monitor for troubleshooting
level: medium
Convert to SIEM query
medium
Classes Autorun Keys Modification
Detects modification of Windows Registry Classes keys used for persistence. Adversaries modify these autostart extensibility points (ASEP) to execute malicious code when file types are opened or actions are performed. Various legitimate software also uses these keys. Currently, this rule only filters out known legitimate software paths, thus it is recommended to review and tune filters for your environment to reduce false positives before deploying to production.
status test author Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) id 9df5f547-c86a-433e-b533-f2794357e242
No stored carbon_black translation for this rule. Expand the YAML below to convert it inline.
view Sigma YAML 
title: Classes Autorun Keys Modification
id: 9df5f547-c86a-433e-b533-f2794357e242
related:
    - id: 17f878b8-9968-4578-b814-c4217fc5768c
      type: obsolete
status: test
description: |
    Detects modification of Windows Registry Classes keys used for persistence.
    Adversaries modify these autostart extensibility points (ASEP) to execute malicious code when file types are opened or actions are performed.
    Various legitimate software also uses these keys. Currently, this rule only filters out known legitimate software paths,
    thus it is recommended to review and tune filters for your environment to reduce false positives before deploying to production.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2025-10-22
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    selection_classes_base:
        TargetObject|contains: '\Software\Classes'
    selection_classes_target:
        TargetObject|contains:
            - '\Folder\ShellEx\ExtShellFolderViews'
            - '\Folder\ShellEx\DragDropHandlers'
            - '\Folder\Shellex\ColumnHandlers'
            - '\Filter'
            - '\Exefile\Shell\Open\Command\(Default)'
            - '\Directory\Shellex\DragDropHandlers'
            - '\Directory\Shellex\CopyHookHandlers'
            - '\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance'
            - '\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance'
            - '\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance'
            - '\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance'
            - '\Classes\AllFileSystemObjects\ShellEx\DragDropHandlers'
            - '\.exe'
            - '\.cmd'
            - '\ShellEx\PropertySheetHandlers'
            - '\ShellEx\ContextMenuHandlers'
    filter_main_drivers:
        Image: 'C:\Windows\System32\drvinst.exe'
    filter_main_empty:
        Details: '(Empty)'
    filter_main_null:
        Details: null
    filter_main_svchost:
        Image: 'C:\Windows\System32\svchost.exe'
        # If more targets are found from "svchost". Please exclude the whole image
        TargetObject|contains: '\lnkfile\shellex\ContextMenuHandlers\'
    filter_optional_msoffice:
        Details: '{807583E5-5146-11D5-A672-00B0D022E945}'
    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
    - Legitimate administrator sets up autorun keys for legitimate reason
level: medium
Convert to SIEM query
medium
Clear PowerShell History - PowerShell
Detects keywords that could indicate clearing PowerShell history
status test author Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community id 26b692dc-1722-49b2-b496-a8258aa6371d
carbon_black query
((ScriptBlockText:Set\-PSReadlineOption* ScriptBlockText:–HistorySaveStyle* ScriptBlockText:SaveNothing*) OR (ScriptBlockText:Set\-PSReadlineOption* ScriptBlockText:\-HistorySaveStyle* ScriptBlockText:SaveNothing*)) OR ((ScriptBlockText:del* OR ScriptBlockText:Remove\-Item* OR ScriptBlockText:rm*) ScriptBlockText:\(Get\-PSReadlineOption\).HistorySavePath*)
view Sigma YAML 
title: Clear PowerShell History - PowerShell
id: 26b692dc-1722-49b2-b496-a8258aa6371d
related:
    - id: dfba4ce1-e0ea-495f-986e-97140f31af2d
      type: derived
status: test
description: Detects keywords that could indicate clearing PowerShell history
references:
    - https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a
author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
date: 2022-01-25
modified: 2022-12-02
tags:
    - attack.stealth
    - attack.t1070.003
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection1a:
        ScriptBlockText|contains:
            - 'del'
            - 'Remove-Item'
            - 'rm'
    selection1b:
        ScriptBlockText|contains: '(Get-PSReadlineOption).HistorySavePath'
    selection_2:
        ScriptBlockText|contains|all:
            - 'Set-PSReadlineOption'
            - '–HistorySaveStyle'  # not sure if the homoglyph –/- is intended, just checking for both
            - 'SaveNothing'
    selection_3:
        ScriptBlockText|contains|all:
            - 'Set-PSReadlineOption'
            - '-HistorySaveStyle'
            - 'SaveNothing'
    condition: 1 of selection_* or all of selection1*
falsepositives:
    - Legitimate PowerShell scripts
level: medium
Convert to SIEM query
medium
Clear PowerShell History - PowerShell Module
Detects keywords that could indicate clearing PowerShell history
status test author Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community id f99276ad-d122-4989-a09a-d00904a5f9d2
carbon_black query
((Payload:Set\-PSReadlineOption* Payload:–HistorySaveStyle* Payload:SaveNothing*) OR (Payload:Set\-PSReadlineOption* Payload:\-HistorySaveStyle* Payload:SaveNothing*)) OR ((Payload:del* OR Payload:Remove\-Item* OR Payload:rm*) Payload:\(Get\-PSReadlineOption\).HistorySavePath*)
view Sigma YAML 
title: Clear PowerShell History - PowerShell Module
id: f99276ad-d122-4989-a09a-d00904a5f9d2
related:
    - id: dfba4ce1-e0ea-495f-986e-97140f31af2d
      type: derived
status: test
description: Detects keywords that could indicate clearing PowerShell history
references:
    - https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a
author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
date: 2019-10-25
modified: 2022-12-02
tags:
    - attack.stealth
    - attack.t1070.003
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_1a_payload:
        Payload|contains:
            - 'del'
            - 'Remove-Item'
            - 'rm'
    selection_1b_payload:
        Payload|contains: '(Get-PSReadlineOption).HistorySavePath'
    selection_payload_2:
        Payload|contains|all:
            - 'Set-PSReadlineOption'
            - '–HistorySaveStyle'  # not sure if the homoglyph –/- is intended, just checking for both
            - 'SaveNothing'
    selection_payload_3:
        Payload|contains|all:
            - 'Set-PSReadlineOption'
            - '-HistorySaveStyle'
            - 'SaveNothing'
    condition: 1 of selection_payload_* or all of selection_1*
falsepositives:
    - Legitimate PowerShell scripts
level: medium
Convert to SIEM query
medium
Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall
Detects the use of the `syslog` syscall with action code 5 (SYSLOG_ACTION_CLEAR), (4 is SYSLOG_ACTION_READ_CLEAR and 6 is SYSLOG_ACTION_CONSOLE_OFF) which clears the kernel ring buffer (dmesg logs). This can be used by attackers to hide traces after exploitation or privilege escalation. A common technique is running `dmesg -c`, which triggers this syscall internally.
status experimental author Milad Cheraghi id eca5e022-d368-4043-98e5-9736fb01f72f
carbon_black query
type:SYSCALL SYSCALL:syslog (a0:4 OR a0:5 OR a0:6)
view Sigma YAML 
title: Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall
id: eca5e022-d368-4043-98e5-9736fb01f72f
status: experimental
description: |
    Detects the use of the `syslog` syscall with action code 5 (SYSLOG_ACTION_CLEAR),
    (4 is SYSLOG_ACTION_READ_CLEAR and 6 is SYSLOG_ACTION_CONSOLE_OFF) which clears the kernel
    ring buffer (dmesg logs). This can be used by attackers to hide traces after exploitation
    or privilege escalation. A common technique is running `dmesg -c`, which triggers this syscall internally.
references:
    - https://man7.org/linux/man-pages/man2/syslog.2.html
    - https://man7.org/linux/man-pages/man1/dmesg.1.html
author: Milad Cheraghi
date: 2025-05-27
modified: 2025-12-05
tags:
    - attack.defense-impairment
    - attack.t1685.006
logsource:
    product: linux
    service: auditd
    definition: |
        Required auditd configuration:
        -a always,exit -F arch=b64 -S syslog -F a0=4 -k clear_dmesg_logs
        -a always,exit -F arch=b64 -S syslog -F a0=5 -k clear_dmesg_logs
        -a always,exit -F arch=b64 -S syslog -F a0=6 -k disable_dmesg_logs
        -a always,exit -F arch=b32 -S syslog -F a0=4 -k clear_dmesg_logs
        -a always,exit -F arch=b32 -S syslog -F a0=5 -k clear_dmesg_logs
        -a always,exit -F arch=b32 -S syslog -F a0=6 -k disable_dmesg_logs
detection:
    selection:
        type: 'SYSCALL'
        SYSCALL: 'syslog'
        a0:
            - 4 # SYSLOG_ACTION_READ_CLEAR : Read and clear log
            - 5 # SYSLOG_ACTION_CLEAR: Clear kernel ring buffer (without reading)
            - 6 # SYSLOG_ACTION_CONSOLE_OFF: Disable logging to console
    condition: selection
falsepositives:
    - System administrators or scripts that intentionally clear logs
    - Debugging scripts
level: medium
Convert to SIEM query
Showing 151-200 of 1,492
Prev 4 Next
SOC and Response
CVE triage
Stack monitoring
Am I affected
IOC triage
KEV catalog
Recently exploited
Daily brief
Change tracking
Detection Engineering
Coverage workspace
Detection coverage
Coverage check
Telemetry ceiling
SIEM query builder
Sigma rules
SIEM rules
YARA rules
Network rules
D3FEND
Threat Hunting
Threat actors
ATT&CK techniques
Attack paths
Indicators
Ransomware groups
Atomic tests
Red Team and Pentest
Exploitability triage
Recon pack
Attack paths
CAPEC patterns
Adversary emulation
Compliance and GRC
Framework mapping
Control assessment
Audit view
Atlas Search Threat actors Techniques Tools & malware CWE CAPEC KEV catalog Package vulns
About All capabilities Pricing API docs Privacy policy Terms of service
threatengine.sh