Tool
EDR / XDR
VMware Carbon Black
1,492 rules · Sigma detections in VMware Carbon Black syntax
The same Sigma detection corpus, machine-rendered into VMware Carbon Black query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
◈
Detection rules
50 shown of 1,492
medium
DLL Load By System Process From Suspicious Locations
Detects when a system process (i.e. located in system32, syswow64, etc.) loads a DLL from a suspicious location or a location with permissive permissions such as "C:\Users\Public"
view Sigma YAML
title: DLL Load By System Process From Suspicious Locations
id: 9e9a9002-56c4-40fd-9eff-e4b09bfa5f6c
status: test
description: Detects when a system process (i.e. located in system32, syswow64, etc.) loads a DLL from a suspicious location or a location with permissive permissions such as "C:\Users\Public"
references:
- https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC (Idea)
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-17
modified: 2023-09-18
tags:
- attack.stealth
- attack.t1070
logsource:
product: windows
category: image_load
detection:
selection:
Image|startswith: 'C:\Windows\'
ImageLoaded|startswith:
# TODO: Add more suspicious paths as you see fit in your env
- 'C:\Users\Public\'
- 'C:\PerfLogs\'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
DLL Loaded via CertOC.EXE
Detects when a user installs certificates by using CertOC.exe to loads the target DLL file.
view Sigma YAML
title: DLL Loaded via CertOC.EXE
id: 242301bc-f92f-4476-8718-78004a6efd9f
related:
- id: 84232095-ecca-4015-b0d7-7726507ee793
type: similar
status: test
description: Detects when a user installs certificates by using CertOC.exe to loads the target DLL file.
references:
- https://twitter.com/sblmsrsn/status/1445758411803480072?s=20
- https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2
- https://lolbas-project.github.io/lolbas/Binaries/Certoc/
author: Austin Songer @austinsonger
date: 2021-10-23
modified: 2024-03-05
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\certoc.exe'
- OriginalFileName: 'CertOC.exe'
selection_cli:
CommandLine|contains|windash: ' -LoadDLL '
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
DLL Names Used By SVR For GraphicalProton Backdoor
Hunts known SVR-specific DLL names.
view Sigma YAML
title: DLL Names Used By SVR For GraphicalProton Backdoor
id: e64c8ef3-9f98-40c8-b71e-96110991cb4c
status: test
description: Hunts known SVR-specific DLL names.
references:
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
author: CISA
date: 2023-12-18
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
- detection.emerging-threats
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith:
- '\AclNumsInvertHost.dll'
- '\AddressResourcesSpec.dll'
- '\BlendMonitorStringBuild.dll'
- '\ChildPaletteConnected.dll'
- '\DeregisterSeekUsers.dll'
- '\HandleFrequencyAll.dll'
- '\HardSwapColor.dll'
- '\LengthInMemoryActivate.dll'
- '\ModeBitmapNumericAnimate.dll'
- '\ModeFolderSignMove.dll'
- '\ParametersNamesPopup.dll'
- '\PerformanceCaptionApi.dll'
- '\ScrollbarHandleGet.dll'
- '\UnregisterAncestorAppendAuto.dll'
- '\WowIcmpRemoveReg.dll'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
DMSA Service Account Created in Specific OUs - PowerShell
Detects the creation of a dMSA service account using the New-ADServiceAccount cmdlet in certain OUs.
The fact that the cmdlet is used to create a dMSASvc account in a specific OU is highly suspicious.
It is a pattern trying to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025.
On top of that, if the user that is creating the dMSASvc account is not a legitimate administrator or does not have the necessary permissions,
it is a strong signal of an attempted or successful abuse of the BaDSuccessor vulnerability for privilege escalation within the Windows Server 2025 Active Directory environment.
view Sigma YAML
title: DMSA Service Account Created in Specific OUs - PowerShell
id: 02122374-b74e-495c-b285-9e4da973f3d6
related:
- id: e15bc294-ae2a-45ad-b7d6-637b33868bde # Windows Security Creation of New MsDS-DelegatedManagedServiceAccount (DMSA) Object
type: similar
- id: 0ea8db81-2ff6-4525-9448-33bbe7effc13 # Process Creation Detection
type: similar
status: experimental
description: |
Detects the creation of a dMSA service account using the New-ADServiceAccount cmdlet in certain OUs.
The fact that the cmdlet is used to create a dMSASvc account in a specific OU is highly suspicious.
It is a pattern trying to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025.
On top of that, if the user that is creating the dMSASvc account is not a legitimate administrator or does not have the necessary permissions,
it is a strong signal of an attempted or successful abuse of the BaDSuccessor vulnerability for privilege escalation within the Windows Server 2025 Active Directory environment.
references:
- https://www.akamai.com/blog/security-research/abusing-bad-successor-for-privilege-escalation-in-active-directory
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-05-24
tags:
- attack.privilege-escalation
- attack.initial-access
- attack.persistence
- attack.stealth
- attack.t1078.002
- attack.t1098
logsource:
category: ps_script
product: windows
detection:
selection:
ScriptBlockText|contains|all:
- 'New-ADServiceAccount'
- '-CreateDelegatedServiceAccount'
- '-path'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
DNS Query Request By Regsvr32.EXE
Detects DNS queries initiated by "Regsvr32.exe"
view Sigma YAML
title: DNS Query Request By Regsvr32.EXE
id: 36e037c4-c228-4866-b6a3-48eb292b9955
related:
- id: c7e91a02-d771-4a6d-a700-42587e0b1095
type: derived
status: test
description: Detects DNS queries initiated by "Regsvr32.exe"
references:
- https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
author: Dmitriy Lifanov, oscd.community
date: 2019-10-25
modified: 2023-09-18
tags:
- attack.execution
- attack.stealth
- attack.t1559.001
- attack.t1218.010
logsource:
category: dns_query
product: windows
detection:
selection:
Image|endswith: '\regsvr32.exe'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
DNS Query To AzureWebsites.NET By Non-Browser Process
Detects a DNS query by a non browser process on the system to "azurewebsites.net". The latter was often used by threat actors as a malware hosting and exfiltration site.
view Sigma YAML
title: DNS Query To AzureWebsites.NET By Non-Browser Process
id: e043f529-8514-4205-8ab0-7f7d2927b400
related:
- id: 5c80b618-0dbb-46e6-acbb-03d90bcb6d83
type: derived
status: test
description: |
Detects a DNS query by a non browser process on the system to "azurewebsites.net". The latter was often used by threat actors as a malware hosting and exfiltration site.
references:
- https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/
- https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
- https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-06-24
tags:
- attack.command-and-control
- attack.t1219.002
logsource:
product: windows
category: dns_query
detection:
selection:
QueryName|endswith: 'azurewebsites.net'
filter_optional_chrome:
Image:
- 'C:\Program Files\Google\Chrome\Application\chrome.exe'
- 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
filter_optional_firefox:
Image:
- 'C:\Program Files\Mozilla Firefox\firefox.exe'
- 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
filter_optional_ie:
Image:
- 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
- 'C:\Program Files\Internet Explorer\iexplore.exe'
filter_optional_edge_1:
- Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
- Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
- Image:
- 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
- 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
filter_optional_edge_2:
Image|startswith:
- 'C:\Program Files (x86)\Microsoft\EdgeCore\'
- 'C:\Program Files\Microsoft\EdgeCore\'
Image|endswith:
- '\msedge.exe'
- '\msedgewebview2.exe'
filter_optional_safari:
Image|endswith: '\safari.exe'
filter_optional_defender:
Image|endswith:
- '\MsMpEng.exe' # Microsoft Defender executable
- '\MsSense.exe' # Windows Defender Advanced Threat Protection Service Executable
filter_optional_brave:
Image|endswith: '\brave.exe'
Image|startswith: 'C:\Program Files\BraveSoftware\'
filter_optional_maxthon:
Image|contains: '\AppData\Local\Maxthon\'
Image|endswith: '\maxthon.exe'
filter_optional_opera:
Image|contains: '\AppData\Local\Programs\Opera\'
Image|endswith: '\opera.exe'
filter_optional_seamonkey:
Image|startswith:
- 'C:\Program Files\SeaMonkey\'
- 'C:\Program Files (x86)\SeaMonkey\'
Image|endswith: '\seamonkey.exe'
filter_optional_vivaldi:
Image|contains: '\AppData\Local\Vivaldi\'
Image|endswith: '\vivaldi.exe'
filter_optional_whale:
Image|startswith:
- 'C:\Program Files\Naver\Naver Whale\'
- 'C:\Program Files (x86)\Naver\Naver Whale\'
Image|endswith: '\whale.exe'
filter_optional_tor:
Image|contains: '\Tor Browser\'
filter_optional_whaterfox:
Image|startswith:
- 'C:\Program Files\Waterfox\'
- 'C:\Program Files (x86)\Waterfox\'
Image|endswith: '\Waterfox.exe'
filter_optional_midori:
Image|contains: '\AppData\Local\Programs\midori-ng\'
Image|endswith: '\Midori Next Generation.exe'
filter_optional_slimbrowser:
Image|startswith:
- 'C:\Program Files\SlimBrowser\'
- 'C:\Program Files (x86)\SlimBrowser\'
Image|endswith: '\slimbrowser.exe'
filter_optional_flock:
Image|contains: '\AppData\Local\Flock\'
Image|endswith: '\Flock.exe'
filter_optional_phoebe:
Image|contains: '\AppData\Local\Phoebe\'
Image|endswith: '\Phoebe.exe'
filter_optional_falkon:
Image|startswith:
- 'C:\Program Files\Falkon\'
- 'C:\Program Files (x86)\Falkon\'
Image|endswith: '\falkon.exe'
filter_optional_avant:
Image|startswith:
- 'C:\Program Files (x86)\Avant Browser\'
- 'C:\Program Files\Avant Browser\'
Image|endswith: '\avant.exe'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Likely with other browser software. Apply additional filters for any other browsers you might use.
level: medium
Convert to SIEM query
medium
DNS Query To Common Malware Hosting and Shortener Services
Detects DNS queries to domains commonly used by threat actors to host malware payloads or redirect through URL shorteners.
These include platforms like Cloudflare Workers, TryCloudflare, InfinityFree, and URL shorteners such as tinyurl and lihi.cc.
Such DNS activity can indicate potential delivery or command-and-control communication attempts.
view Sigma YAML
title: DNS Query To Common Malware Hosting and Shortener Services
id: f8c1e80b-c73a-476a-ae24-6c72528b1521
status: experimental
description: |
Detects DNS queries to domains commonly used by threat actors to host malware payloads or redirect through URL shorteners.
These include platforms like Cloudflare Workers, TryCloudflare, InfinityFree, and URL shorteners such as tinyurl and lihi.cc.
Such DNS activity can indicate potential delivery or command-and-control communication attempts.
references:
- https://cloud.google.com/blog/topics/threat-intelligence/apt41-innovative-tactics
author: Ahmed Nosir (@egycondor)
date: 2025-06-02
tags:
- attack.command-and-control
- attack.t1071.004
logsource:
product: windows
category: dns_query
detection:
selection:
QueryName|contains:
- 'msapp.workers.dev'
- 'trycloudflare.com'
- 'infinityfreeapp.com'
- 'my5353.com'
- 'reurl.cc'
- 'lihi.cc'
- 'tinyurl.com'
condition: selection
falsepositives:
- Legitimate use of these services is possible but rare in enterprise environments
level: medium
Convert to SIEM query
medium
DNS Query To Devtunnels Domain
Detects DNS query requests to Devtunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
view Sigma YAML
title: DNS Query To Devtunnels Domain
id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b
related:
- id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4 # Net Connection DevTunnels
type: similar
- id: 4b657234-038e-4ad5-997c-4be42340bce4 # Net Connection VsCode
type: similar
- id: b3e6418f-7c7a-4fad-993a-93b65027a9f1 # DNS VsCode
type: similar
status: test
description: |
Detects DNS query requests to Devtunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
references:
- https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2
- https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security
- https://cydefops.com/devtunnels-unleashed
author: citron_ninja
date: 2023-10-25
modified: 2023-11-20
tags:
- attack.command-and-control
- attack.t1071.001
- attack.t1572
logsource:
category: dns_query
product: windows
detection:
selection:
QueryName|endswith: '.devtunnels.ms'
condition: selection
falsepositives:
- Legitimate use of Devtunnels will also trigger this.
level: medium
Convert to SIEM query
medium
DNS Query To MEGA Hosting Website
Detects DNS queries for subdomains related to MEGA sharing website
view Sigma YAML
title: DNS Query To MEGA Hosting Website
id: 613c03ba-0779-4a53-8a1f-47f914a4ded3
related:
- id: 66474410-b883-415f-9f8d-75345a0a66a6
type: similar
status: test
description: Detects DNS queries for subdomains related to MEGA sharing website
references:
- https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
author: Aaron Greetham (@beardofbinary) - NCC Group
date: 2021-05-26
modified: 2023-09-18
tags:
- attack.exfiltration
- attack.t1567.002
logsource:
product: windows
category: dns_query
detection:
selection:
QueryName|contains: 'userstorage.mega.co.nz'
condition: selection
falsepositives:
- Legitimate DNS queries and usage of Mega
level: medium
Convert to SIEM query
medium
DNS Query To MEGA Hosting Website - DNS Client
Detects DNS queries for subdomains related to MEGA sharing website
view Sigma YAML
title: DNS Query To MEGA Hosting Website - DNS Client
id: 66474410-b883-415f-9f8d-75345a0a66a6
related:
- id: 613c03ba-0779-4a53-8a1f-47f914a4ded3
type: similar
status: test
description: Detects DNS queries for subdomains related to MEGA sharing website
references:
- https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-16
tags:
- attack.exfiltration
- attack.t1567.002
logsource:
product: windows
service: dns-client
definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'
detection:
selection:
EventID: 3008
QueryName|contains: 'userstorage.mega.co.nz'
condition: selection
falsepositives:
- Legitimate DNS queries and usage of Mega
level: medium
Convert to SIEM query
medium
DNS Query To Put.io - DNS Client
Detects DNS queries for subdomains related to "Put.io" sharing website.
view Sigma YAML
title: DNS Query To Put.io - DNS Client
id: 8b69fd42-9dad-4674-abef-7fdef43ef92a
status: test
description: Detects DNS queries for subdomains related to "Put.io" sharing website.
references:
- https://darkatlas.io/blog/medusa-ransomware-group-opsec-failure
author: Omar Khaled (@beacon_exe)
date: 2024-08-23
tags:
- attack.command-and-control
logsource:
product: windows
service: dns-client
definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'
detection:
selection:
EventID: 3008
QueryName|contains:
- 'api.put.io'
- 'upload.put.io'
condition: selection
falsepositives:
- Legitimate DNS queries and usage of Put.io
level: medium
Convert to SIEM query
medium
DNS Query To Remote Access Software Domain From Non-Browser App
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
view Sigma YAML
title: DNS Query To Remote Access Software Domain From Non-Browser App
id: 4d07b1f4-cb00-4470-b9f8-b0191d48ff52
related:
- id: 71ba22cb-8a01-42e2-a6dd-5bf9b547498f
type: obsolete
- id: 7c4cf8e0-1362-48b2-a512-b606d2065d7d
type: obsolete
- id: ed785237-70fa-46f3-83b6-d264d1dc6eb4
type: obsolete
status: test
description: |
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution
- https://redcanary.com/blog/misbehaving-rats/
- https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
- https://blog.sekoia.io/scattered-spider-laying-new-eggs/
- https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist#disable-quick-assist-within-your-organization
author: frack113, Connor Martin
date: 2022-07-11
modified: 2024-12-17
tags:
- attack.command-and-control
- attack.t1219.002
logsource:
product: windows
category: dns_query
detection:
selection_generic:
QueryName|endswith:
- 'agent.jumpcloud.com'
- 'agentreporting.atera.com'
- 'ammyy.com'
- 'api.parsec.app'
- 'api.playanext.com'
- 'api.splashtop.com'
- 'app.atera.com'
- 'assist.zoho.com'
- 'authentication.logmeininc.com'
- 'beyondtrustcloud.com'
- 'cdn.kaseya.net'
- 'client.teamviewer.com'
- 'comserver.corporate.beanywhere.com'
- 'control.connectwise.com'
- 'downloads.zohocdn.com'
- 'dwservice.net'
- 'express.gotoassist.com'
- 'getgo.com'
- 'getscreen.me' # https://x.com/malmoeb/status/1868757130624614860?s=12&t=C0_T_re0wRP_NfKa27Xw9w
- 'integratedchat.teamviewer.com'
- 'join.zoho.com'
- 'kickstart.jumpcloud.com'
- 'license.bomgar.com'
- 'logmein-gateway.com'
- 'logmein.com'
- 'logmeincdn.http.internapcdn.net'
- 'n-able.com'
- 'net.anydesk.com'
- 'netsupportsoftware.com' # For NetSupport Manager RAT
- 'parsecusercontent.com'
- 'pubsub.atera.com'
- 'relay.kaseya.net'
- 'relay.screenconnect.com'
- 'relay.splashtop.com'
- 'remoteassistance.support.services.microsoft.com' # Quick Assist Application
- 'remotedesktop-pa.googleapis.com'
- 'remoteutilities.com' # Usage of Remote Utilities RAT
- 'secure.logmeinrescue.com'
- 'services.vnc.com'
- 'static.remotepc.com'
- 'swi-rc.com'
- 'swi-tc.com'
- 'tailscale.com' # Scattered Spider threat group used this RMM tool
- 'telemetry.servers.qetqo.com'
- 'tmate.io'
- 'twingate.com' # Scattered Spider threat group used this RMM tool
- 'zohoassist.com'
selection_rustdesk: # https://twitter.com/malmoeb/status/1668504345132822531?s=20 and https://www.adamsdesk.com/posts/rustdesk-not-connecting/ mention this pattern
QueryName|endswith: '.rustdesk.com'
QueryName|startswith: 'rs-'
# Exclude browsers for legitimate visits of the domains mentioned above
# Add missing browsers you use and exclude the ones you don't
filter_optional_chrome:
Image:
- 'C:\Program Files\Google\Chrome\Application\chrome.exe'
- 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
filter_optional_firefox:
Image:
- 'C:\Program Files\Mozilla Firefox\firefox.exe'
- 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
filter_optional_ie:
Image:
- 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
- 'C:\Program Files\Internet Explorer\iexplore.exe'
filter_optional_edge_1:
- Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
- Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
- Image:
- 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
- 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
filter_optional_edge_2:
Image|startswith:
- 'C:\Program Files (x86)\Microsoft\EdgeCore\'
- 'C:\Program Files\Microsoft\EdgeCore\'
Image|endswith:
- '\msedge.exe'
- '\msedgewebview2.exe'
filter_optional_safari:
Image|endswith: '\safari.exe'
filter_optional_defender:
Image|endswith:
- '\MsMpEng.exe' # Microsoft Defender executable
- '\MsSense.exe' # Windows Defender Advanced Threat Protection Service Executable
filter_optional_brave:
Image|endswith: '\brave.exe'
Image|startswith: 'C:\Program Files\BraveSoftware\'
filter_optional_maxthon:
Image|contains: '\AppData\Local\Maxthon\'
Image|endswith: '\maxthon.exe'
filter_optional_opera:
Image|contains: '\AppData\Local\Programs\Opera\'
Image|endswith: '\opera.exe'
filter_optional_seamonkey:
Image|startswith:
- 'C:\Program Files\SeaMonkey\'
- 'C:\Program Files (x86)\SeaMonkey\'
Image|endswith: '\seamonkey.exe'
filter_optional_vivaldi:
Image|contains: '\AppData\Local\Vivaldi\'
Image|endswith: '\vivaldi.exe'
filter_optional_whale:
Image|startswith:
- 'C:\Program Files\Naver\Naver Whale\'
- 'C:\Program Files (x86)\Naver\Naver Whale\'
Image|endswith: '\whale.exe'
filter_optional_tor:
Image|contains: '\Tor Browser\'
filter_optional_whaterfox:
Image|startswith:
- 'C:\Program Files\Waterfox\'
- 'C:\Program Files (x86)\Waterfox\'
Image|endswith: '\Waterfox.exe'
filter_optional_midori:
Image|contains: '\AppData\Local\Programs\midori-ng\'
Image|endswith: '\Midori Next Generation.exe'
filter_optional_slimbrowser:
Image|startswith:
- 'C:\Program Files\SlimBrowser\'
- 'C:\Program Files (x86)\SlimBrowser\'
Image|endswith: '\slimbrowser.exe'
filter_optional_flock:
Image|contains: '\AppData\Local\Flock\'
Image|endswith: '\Flock.exe'
filter_optional_phoebe:
Image|contains: '\AppData\Local\Phoebe\'
Image|endswith: '\Phoebe.exe'
filter_optional_falkon:
Image|startswith:
- 'C:\Program Files\Falkon\'
- 'C:\Program Files (x86)\Falkon\'
Image|endswith: '\falkon.exe'
filter_optional_avant:
Image|startswith:
- 'C:\Program Files (x86)\Avant Browser\'
- 'C:\Program Files\Avant Browser\'
Image|endswith: '\avant.exe'
condition: 1 of selection_* and not 1 of filter_optional_*
falsepositives:
- Likely with other browser software. Apply additional filters for any other browsers you might use.
level: medium
Convert to SIEM query
medium
DNS Query To Visual Studio Code Tunnels Domain
Detects DNS query requests to Visual Studio Code tunnel domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
view Sigma YAML
title: DNS Query To Visual Studio Code Tunnels Domain
id: b3e6418f-7c7a-4fad-993a-93b65027a9f1
related:
- id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4 # Net Connection DevTunnels
type: similar
- id: 4b657234-038e-4ad5-997c-4be42340bce4 # Net Connection VsCode
type: similar
- id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b # DNS DevTunnels
type: similar
status: test
description: |
Detects DNS query requests to Visual Studio Code tunnel domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
references:
- https://ipfyx.fr/post/visual-studio-code-tunnel/
- https://badoption.eu/blog/2023/01/31/code_c2.html
- https://cydefops.com/vscode-data-exfiltration
author: citron_ninja
date: 2023-10-25
modified: 2023-11-20
tags:
- attack.command-and-control
- attack.t1071.001
logsource:
product: windows
category: dns_query
detection:
selection:
QueryName|endswith: '.tunnels.api.visualstudio.com'
condition: selection
falsepositives:
- Legitimate use of Visual Studio Code tunnel will also trigger this.
level: medium
Convert to SIEM query
medium
DNS TOR Proxies
Identifies IPs performing DNS lookups associated with common Tor proxies.
view Sigma YAML
title: DNS TOR Proxies
id: a8322756-015c-42e7-afb1-436e85ed3ff5
related:
- id: b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544
type: similar
- id: 8384bd26-bde6-4da9-8e5d-4174a7a47ca2
type: similar
status: test
description: Identifies IPs performing DNS lookups associated with common Tor proxies.
references:
- https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/ASimDNS/imDNS_TorProxies.yaml
author: Saw Winn Naung , Azure-Sentinel
date: 2021-08-15
modified: 2025-09-12
tags:
- attack.exfiltration
- attack.t1048
logsource:
service: dns
product: zeek
detection:
selection:
query|endswith:
- '.hiddenservice.net'
- '.onion.ca'
- '.onion.cab'
- '.onion.casa'
- '.onion.city'
- '.onion.direct'
- '.onion.dog'
- '.onion.glass'
- '.onion.gq'
- '.onion.guide'
- '.onion.in.net'
- '.onion.ink'
- '.onion.it'
- '.onion.link'
- '.onion.lt'
- '.onion.lu'
- '.onion.ly'
- '.onion.mn'
- '.onion.network'
- '.onion.nu'
- '.onion.pet'
- '.onion.plus'
- '.onion.pt'
- '.onion.pw'
- '.onion.rip'
- '.onion.sh'
- '.onion.si'
- '.onion.to'
- '.onion.top'
- '.onion.ws'
- '.onion'
- '.s1.tor-gateways.de'
- '.s2.tor-gateways.de'
- '.s3.tor-gateways.de'
- '.s4.tor-gateways.de'
- '.s5.tor-gateways.de'
- '.t2w.pw'
- '.tor2web.ae.org'
- '.tor2web.blutmagie.de'
- '.tor2web.com'
- '.tor2web.fi'
- '.tor2web.io'
- '.tor2web.org'
- '.tor2web.xyz'
- '.torlink.co'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
DNS-over-HTTPS Enabled by Registry
Detects when a user enables DNS-over-HTTPS.
This can be used to hide internet activity or be used to hide the process of exfiltrating data.
With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.
view Sigma YAML
title: DNS-over-HTTPS Enabled by Registry
id: 04b45a8a-d11d-49e4-9acc-4a1b524407a5
status: test
description: |
Detects when a user enables DNS-over-HTTPS.
This can be used to hide internet activity or be used to hide the process of exfiltrating data.
With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.
references:
- https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html
- https://github.com/elastic/detection-rules/issues/1371
- https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode
- https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS
author: Austin Songer
date: 2021-07-22
modified: 2023-08-17
tags:
- attack.persistence
- attack.stealth
- attack.defense-impairment
- attack.t1140
- attack.t1112
logsource:
product: windows
category: registry_set
detection:
selection_edge:
TargetObject|endswith: '\SOFTWARE\Policies\Microsoft\Edge\BuiltInDnsClientEnabled'
Details: DWORD (0x00000001)
selection_chrome:
TargetObject|endswith: '\SOFTWARE\Google\Chrome\DnsOverHttpsMode'
Details: 'secure'
selection_firefox:
TargetObject|endswith: '\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS\Enabled'
Details: DWORD (0x00000001)
condition: 1 of selection_*
falsepositives:
- Unlikely
level: medium
Convert to SIEM query
medium
DPAPI Domain Master Key Backup Attempt
Detects anyone attempting a backup for the DPAPI Master Key. This events gets generated at the source and not the Domain Controller.
view Sigma YAML
title: DPAPI Domain Master Key Backup Attempt
id: 39a94fd1-8c9a-4ff6-bf22-c058762f8014
status: test
description: Detects anyone attempting a backup for the DPAPI Master Key. This events gets generated at the source and not the Domain Controller.
references:
- https://threathunterplaybook.com/hunts/windows/190620-DomainDPAPIBackupKeyExtraction/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-08-10
modified: 2023-03-15
tags:
- attack.credential-access
- attack.t1003.004
logsource:
product: windows
service: security
detection:
selection:
EventID: 4692
condition: selection
falsepositives:
- If a computer is a member of a domain, DPAPI has a backup mechanism to allow unprotection of the data. Which will trigger this event.
level: medium
Convert to SIEM query
medium
DarkGate - Autoit3.EXE File Creation By Uncommon Process
Detects the usage of curl.exe, KeyScramblerLogon, or other non-standard/suspicious processes used to create Autoit3.exe.
This activity has been associated with DarkGate malware, which uses Autoit3.exe to execute shellcode that performs
process injection and connects to the DarkGate command-and-control server. Curl, KeyScramblerLogon, and these other
processes consitute non-standard and suspicious ways to retrieve the Autoit3 executable.
view Sigma YAML
title: DarkGate - Autoit3.EXE File Creation By Uncommon Process
id: 1a433e1d-03d2-47a6-8063-ece992cf4e73
status: test
description: |
Detects the usage of curl.exe, KeyScramblerLogon, or other non-standard/suspicious processes used to create Autoit3.exe.
This activity has been associated with DarkGate malware, which uses Autoit3.exe to execute shellcode that performs
process injection and connects to the DarkGate command-and-control server. Curl, KeyScramblerLogon, and these other
processes consitute non-standard and suspicious ways to retrieve the Autoit3 executable.
references:
- https://github.security.telekom.com/2023/08/darkgate-loader.html
- https://www.kroll.com/en/insights/publications/cyber/microsoft-teams-used-as-initial-access-for-darkgate-malware
- https://github.com/pr0xylife/DarkGate/tree/main
author: Micah Babinski
date: 2023-10-15
tags:
- attack.command-and-control
- attack.execution
- attack.t1105
- attack.t1059
- detection.emerging-threats
logsource:
category: file_event
product: windows
detection:
selection:
Image|endswith:
- '\Autoit3.exe'
- '\curl.exe'
- '\ExtExport.exe'
- '\KeyScramblerLogon.exe'
- '\wmprph.exe'
TargetFilename|endswith: '\Autoit3.exe'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
DarkGate - Drop DarkGate Loader In C:\Temp Directory
Detects attackers attempting to save, decrypt and execute the DarkGate Loader in C:\temp folder.
view Sigma YAML
title: DarkGate - Drop DarkGate Loader In C:\Temp Directory
id: df49c691-8026-48dd-94d3-4ba6a79102a8
status: test
description: Detects attackers attempting to save, decrypt and execute the DarkGate Loader in C:\temp folder.
references:
- https://www.bleepingcomputer.com/news/security/hackers-exploit-windows-smartscreen-flaw-to-drop-darkgate-malware/
- https://www.trendmicro.com/en_us/research/24/c/cve-2024-21412--darkgate-operators-exploit-microsoft-windows-sma.html
author: Tomasz Dyduch, Josh Nickels
date: 2024-05-31
tags:
- attack.execution
- attack.t1059
- detection.emerging-threats
logsource:
category: file_event
product: windows
detection:
selection_filename_suffix:
TargetFilename|contains: ':\temp\'
TargetFilename|endswith:
- '.au3'
- '\autoit3.exe'
selection_image_suffix:
Image|contains: ':\temp\'
Image|endswith:
- '.au3'
- '\autoit3.exe'
condition: 1 of selection_*
falsepositives:
- Unlikely legitimate usage of AutoIT in temp folders.
level: medium
Convert to SIEM query
medium
Data Exfiltration to Unsanctioned Apps
Detects when a Microsoft Cloud App Security reported when a user or IP address uses an app that is not sanctioned to perform an activity that resembles an attempt to exfiltrate information from your organization.
view Sigma YAML
title: Data Exfiltration to Unsanctioned Apps
id: 2b669496-d215-47d8-bd9a-f4a45bf07cda
status: test
description: Detects when a Microsoft Cloud App Security reported when a user or IP address uses an app that is not sanctioned to perform an activity that resembles an attempt to exfiltrate information from your organization.
references:
- https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
- https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
author: Austin Songer @austinsonger
date: 2021-08-23
modified: 2022-10-09
tags:
- attack.exfiltration
- attack.t1537
logsource:
service: threat_management
product: m365
detection:
selection:
eventSource: SecurityComplianceCenter
eventName: 'Data exfiltration to unsanctioned apps'
status: success
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Data Exfiltration with Wget
Detects attempts to post the file with the usage of wget utility.
The adversary can bypass the permission restriction with the misconfigured sudo permission for wget utility which could allow them to read files like /etc/shadow.
view Sigma YAML
title: Data Exfiltration with Wget
id: cb39d16b-b3b6-4a7a-8222-1cf24b686ffc
status: test
description: |
Detects attempts to post the file with the usage of wget utility.
The adversary can bypass the permission restriction with the misconfigured sudo permission for wget utility which could allow them to read files like /etc/shadow.
references:
- https://linux.die.net/man/1/wget
- https://gtfobins.github.io/gtfobins/wget/
author: 'Pawel Mazur'
date: 2021-11-18
modified: 2022-12-25
tags:
- attack.exfiltration
- attack.t1048.003
logsource:
product: linux
service: auditd
detection:
selection:
type: EXECVE
a0: wget
a1|startswith: '--post-file='
condition: selection
falsepositives:
- Legitimate usage of wget utility to post a file
level: medium
Convert to SIEM query
medium
Data Export From MSSQL Table Via BCP.EXE
Detects the execution of the BCP utility in order to export data from the database.
Attackers were seen saving their malware to a database column or table and then later extracting it via "bcp.exe" into a file.
view Sigma YAML
title: Data Export From MSSQL Table Via BCP.EXE
id: c615d676-f655-46b9-b913-78729021e5d7
status: test
description: |
Detects the execution of the BCP utility in order to export data from the database.
Attackers were seen saving their malware to a database column or table and then later extracting it via "bcp.exe" into a file.
references:
- https://docs.microsoft.com/en-us/sql/tools/bcp-utility
- https://asec.ahnlab.com/en/61000/
- https://asec.ahnlab.com/en/78944/
- https://www.huntress.com/blog/attacking-mssql-servers
- https://www.huntress.com/blog/attacking-mssql-servers-pt-ii
- https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/
- https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/
author: Omar Khaled (@beacon_exe), MahirAli Khan (in/mahiralikhan), Nasreddine Bencherchali (Nextron Systems)
date: 2024-08-20
tags:
- attack.execution
- attack.exfiltration
- attack.t1048
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\bcp.exe'
- OriginalFileName: 'BCP.exe'
selection_cli:
CommandLine|contains:
- ' out ' # Export data from a table
- ' queryout ' # Export data based on a SQL query
condition: all of selection_*
falsepositives:
- Legitimate data export operations.
level: medium
Convert to SIEM query
medium
Dbghelp/Dbgcore DLL Loaded By Uncommon/Suspicious Process
Detects the load of dbghelp/dbgcore DLL by a potentially uncommon or potentially suspicious process.
The Dbghelp and Dbgcore DLLs export functions that allow for the dump of process memory. Tools like ProcessHacker, Task Manager and some attacker tradecraft use the MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.
As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.
Keep in mind that many legitimate Windows processes and services might load the aforementioned DLLs for debugging or other related purposes. Investigate the CommandLine and the Image location of the process loading the DLL.
view Sigma YAML
title: Dbghelp/Dbgcore DLL Loaded By Uncommon/Suspicious Process
id: 0e277796-5f23-4e49-a490-483131d4f6e1
related:
- id: bdc64095-d59a-42a2-8588-71fd9c9d9abc # Unsigned Loading
type: similar
status: test
description: |
Detects the load of dbghelp/dbgcore DLL by a potentially uncommon or potentially suspicious process.
The Dbghelp and Dbgcore DLLs export functions that allow for the dump of process memory. Tools like ProcessHacker, Task Manager and some attacker tradecraft use the MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.
As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.
Keep in mind that many legitimate Windows processes and services might load the aforementioned DLLs for debugging or other related purposes. Investigate the CommandLine and the Image location of the process loading the DLL.
references:
- https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump
- https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html
- https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
author: Perez Diego (@darkquassar), oscd.community, Ecco
date: 2019-10-27
modified: 2024-03-01
tags:
- attack.credential-access
- attack.t1003.001
- detection.threat-hunting
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith:
- '\dbghelp.dll'
- '\dbgcore.dll'
Image|endswith:
- '\bash.exe'
- '\cmd.exe'
- '\cscript.exe'
- '\dnx.exe'
- '\excel.exe'
- '\monitoringhost.exe'
- '\msbuild.exe'
- '\mshta.exe'
- '\outlook.exe'
- '\powerpnt.exe'
- '\regsvcs.exe'
- '\rundll32.exe'
- '\sc.exe'
- '\scriptrunner.exe'
- '\winword.exe'
- '\wmic.exe'
- '\wscript.exe'
# - '\powershell.exe' # Note: Triggered by installing common software
# - '\regsvr32.exe' # Note: triggered by installing common software
# - '\schtasks.exe' # Note: triggered by installing software
# - '\svchost.exe' # Note: triggered by some services
filter_main_tiworker:
# Note: This filter requires "CommandLine" field enrichment
CommandLine|startswith: 'C:\WINDOWS\WinSxS\'
CommandLine|endswith: '\TiWorker.exe -Embedding'
filter_main_generic:
# Note: This filter requires "CommandLine" field enrichment
Image|endswith: '\svchost.exe'
CommandLine|endswith:
- '-k LocalServiceNetworkRestricted'
- '-k WerSvcGroup'
filter_main_rundll32:
# Note: This filter requires "CommandLine" field enrichment
Image|endswith: '\rundll32.exe'
CommandLine|contains:
- '/d srrstr.dll,ExecuteScheduledSPPCreation'
- 'aepdu.dll,AePduRunUpdate'
- 'shell32.dll,OpenAs_RunDL'
- 'Windows.Storage.ApplicationData.dll,CleanupTemporaryState'
condition: selection and not 1 of filter_main_*
falsepositives:
- Debugging scripts might leverage this DLL in order to dump process memory for further analysis.
level: medium
Convert to SIEM query
medium
Default Credentials Usage
Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.
Sigma detects default credentials usage. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management.
view Sigma YAML
title: Default Credentials Usage
id: 1a395cbc-a84a-463a-9086-ed8a70e573c7
status: experimental
description: |
Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.
Sigma detects default credentials usage. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management.
references:
- https://www.cisecurity.org/controls/cis-controls-list/
- https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
- https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
- https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists
author: Alexandr Yampolskyi, SOC Prime
date: 2019-03-26
modified: 2025-11-01
tags:
- attack.initial-access
# - CSC4
# - CSC4.2
# - NIST CSF 1.1 PR.AC-4
# - NIST CSF 1.1 PR.AT-2
# - NIST CSF 1.1 PR.MA-2
# - NIST CSF 1.1 PR.PT-3
# - ISO 27002-2013 A.9.1.1
# - ISO 27002-2013 A.9.2.2
# - ISO 27002-2013 A.9.2.3
# - ISO 27002-2013 A.9.2.4
# - ISO 27002-2013 A.9.2.5
# - ISO 27002-2013 A.9.2.6
# - ISO 27002-2013 A.9.3.1
# - ISO 27002-2013 A.9.4.1
# - ISO 27002-2013 A.9.4.2
# - ISO 27002-2013 A.9.4.3
# - ISO 27002-2013 A.9.4.4
# - PCI DSS 3.2 2.1
# - PCI DSS 3.2 7.1
# - PCI DSS 3.2 7.2
# - PCI DSS 3.2 7.3
# - PCI DSS 3.2 8.1
# - PCI DSS 3.2 8.2
# - PCI DSS 3.2 8.3
# - PCI DSS 3.2 8.7
logsource:
product: qualys
detection:
selection:
host.scan.vuln:
- 10693
- 11507
- 11633
- 11804
- 11821
- 11847
- 11867
- 11931
- 11935
- 11950
- 12541
- 12558
- 12559
- 12560
- 12562
- 12563
- 12565
- 12587
- 12590
- 12599
- 12702
- 12705
- 12706
- 12907
- 12928
- 12929
- 13053
- 13178
- 13200
- 13218
- 13241
- 13253
- 13274
- 13296
- 13301
- 13327
- 13373
- 13374
- 13409
- 13530
- 13532
- 20065
- 20073
- 20081
- 27202
- 27358
- 38702
- 38719
- 42045
- 42417
- 43029
- 43220
- 43221
- 43222
- 43223
- 43225
- 43246
- 43431
- 43484
- 86857
- 87098
- 87106
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Defrag Deactivation
Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group
view Sigma YAML
title: Defrag Deactivation
id: 958d81aa-8566-4cea-a565-59ccd4df27b0
status: test
description: Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group
references:
- https://securelist.com/apt-slingshot/84312/
author: Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1)
date: 2019-03-04
modified: 2022-10-09
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1053.005
- attack.s0111
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\schtasks.exe'
CommandLine|contains:
- '/delete'
- '/change'
CommandLine|contains|all:
- '/TN'
- '\Microsoft\Windows\Defrag\ScheduledDefrag'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Defrag Deactivation - Security
Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group
view Sigma YAML
title: Defrag Deactivation - Security
id: c5a178bf-9cfb-4340-b584-e4df39b6a3e7
related:
- id: 958d81aa-8566-4cea-a565-59ccd4df27b0
type: derived
status: test
description: Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group
references:
- https://securelist.com/apt-slingshot/84312/
author: Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1)
date: 2019-03-04
modified: 2022-11-27
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1053
- attack.s0111
- detection.emerging-threats
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'
detection:
selection:
EventID: 4701
TaskName: '\Microsoft\Windows\Defrag\ScheduledDefrag'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Delete Defender Scan ShellEx Context Menu Registry Key
Detects deletion of registry key that adds 'Scan with Defender' option in context menu. Attackers may use this to make it harder for users to scan files that are suspicious.
view Sigma YAML
title: Delete Defender Scan ShellEx Context Menu Registry Key
id: 72a0369a-2576-4aaf-bfc9-6bb24a574ac6
related:
- id: b9e8c7d6-a5f4-4e3d-8b1a-9f0c8d7e6a5b
type: similar
status: experimental
description: Detects deletion of registry key that adds 'Scan with Defender' option in context menu. Attackers may use this to make it harder for users to scan files that are suspicious.
references:
- https://research.splunk.com/endpoint/395ed5fe-ad13-4366-9405-a228427bdd91/
- https://winaero.com/how-to-delete-scan-with-windows-defender-from-context-menu-in-windows-10/
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
- https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/
author: 'Matt Anderson (Huntress)'
date: 2025-07-11
modified: 2025-10-07
tags:
- attack.defense-impairment
logsource:
category: registry_delete
product: windows
detection:
selection:
TargetObject|contains: 'shellex\ContextMenuHandlers\EPP'
filter_main_defender:
Image|startswith:
- 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
- 'C:\Program Files\Windows Defender\'
- 'C:\Program Files (x86)\Windows Defender\'
Image|endswith: '\MsMpEng.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unlikely as this weakens defenses and normally would not be done even if using another AV.
level: medium
Convert to SIEM query
medium
Deleted Data Overwritten Via Cipher.EXE
Detects usage of the "cipher" built-in utility in order to overwrite deleted data from disk.
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives
view Sigma YAML
title: Deleted Data Overwritten Via Cipher.EXE
id: 4b046706-5789-4673-b111-66f25fe99534
status: test
description: |
Detects usage of the "cipher" built-in utility in order to overwrite deleted data from disk.
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md#atomic-test-3---overwrite-deleted-data-on-c-drive
author: frack113
date: 2021-12-26
modified: 2023-02-21
tags:
- attack.impact
- attack.t1485
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName: 'CIPHER.EXE'
- Image|endswith: '\cipher.exe'
selection_cli:
CommandLine|contains: ' /w:'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data/info.yml
simulation:
- type: atomic-red-team
name: Overwrite deleted data on C drive
technique: T1485
atomic_guid: 321fd25e-0007-417f-adec-33232252be19
Convert to SIEM query
medium
Denied Access To Remote Desktop
This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop.
Often, this event can be generated by attackers when searching for available windows servers in the network.
view Sigma YAML
title: Denied Access To Remote Desktop
id: 8e5c03fa-b7f0-11ea-b242-07e0576828d9
status: test
description: |
This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop.
Often, this event can be generated by attackers when searching for available windows servers in the network.
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4825
author: Pushkarev Dmitry
date: 2020-06-27
modified: 2021-11-27
tags:
- attack.lateral-movement
- attack.t1021.001
logsource:
product: windows
service: security
detection:
selection:
EventID: 4825
condition: selection
falsepositives:
- Valid user was not added to RDP group
level: medium
Convert to SIEM query
medium
Deployment AppX Package Was Blocked By AppLocker
Detects an appx package deployment that was blocked by AppLocker policy.
view Sigma YAML
title: Deployment AppX Package Was Blocked By AppLocker
id: 6ae53108-c3a0-4bee-8f45-c7591a2c337f
status: test
description: Detects an appx package deployment that was blocked by AppLocker policy.
references:
- https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
- https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv
author: frack113
date: 2023-01-11
tags:
- attack.stealth
logsource:
product: windows
service: appxdeployment-server
detection:
selection:
EventID: 412
condition: selection
falsepositives:
- Unlikely, since this event notifies about blocked application deployment. Tune your applocker rules to avoid blocking legitimate applications.
level: medium
Convert to SIEM query
medium
Deployment Of The AppX Package Was Blocked By The Policy
Detects an appx package deployment that was blocked by the local computer policy.
The following events indicate that an AppX package deployment was blocked by a policy:
- Event ID 441: The package deployment operation is blocked by the "Allow deployment operations in special profiles" policy
- Event ID 442: Deployments to non-system volumes are blocked by the "Disable deployment of Windows Store apps to non-system volumes" policy."
- Event ID 453: Package blocked by a platform policy.
- Event ID 454: Package blocked by a platform policy.
view Sigma YAML
title: Deployment Of The AppX Package Was Blocked By The Policy
id: e021bbb5-407f-41f5-9dc9-1864c45a7a51
status: test
description: |
Detects an appx package deployment that was blocked by the local computer policy.
The following events indicate that an AppX package deployment was blocked by a policy:
- Event ID 441: The package deployment operation is blocked by the "Allow deployment operations in special profiles" policy
- Event ID 442: Deployments to non-system volumes are blocked by the "Disable deployment of Windows Store apps to non-system volumes" policy."
- Event ID 453: Package blocked by a platform policy.
- Event ID 454: Package blocked by a platform policy.
references:
- https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
- https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv
author: frack113
date: 2023-01-11
tags:
- attack.defense-impairment
logsource:
product: windows
service: appxdeployment-server
detection:
selection:
EventID:
- 441 # The package deployment operation is blocked by the "Allow deployment operations in special profiles" policy
- 442 # Deployments to non-system volumes are blocked by the "Disable deployment of Windows Store apps to non-system volumes" policy."
- 453 # Package blocked by a platform policy
- 454 # Package blocked by a platform policy
condition: selection
falsepositives:
- Unlikely, since this event notifies about blocked application deployment. Tune your applocker rules to avoid blocking legitimate applications.
level: medium
Convert to SIEM query
medium
Desktop.INI Created by Uncommon Process
Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
view Sigma YAML
title: Desktop.INI Created by Uncommon Process
id: 81315b50-6b60-4d8f-9928-3466e1022515
status: test
description: Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
references:
- https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/
author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)
date: 2020-03-19
modified: 2025-12-09
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.009
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith: '\desktop.ini'
filter_main_generic:
Image|startswith:
- 'C:\Windows\'
- 'C:\Program Files\'
- 'C:\Program Files (x86)\'
filter_main_upgrade:
TargetFilename|startswith: 'C:\$WINDOWS.~BT\NewOS\'
filter_optional_jetbrains:
Image|startswith: 'C:\Users\'
Image|endswith: '\AppData\Local\JetBrains\Toolbox\bin\7z.exe'
TargetFilename|contains: '\JetBrains\apps\'
filter_optional_onedrive:
Image|startswith: 'C:\Users\'
Image|contains: '\AppData\Local\Microsoft\OneDrive\'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Operations performed through Windows SCCM or equivalent
- Read only access list authority
level: medium
Convert to SIEM query
medium
Detected Windows Software Discovery
Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
view Sigma YAML
title: Detected Windows Software Discovery
id: e13f668e-7f95-443d-98d2-1816a7648a7b
related:
- id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282
type: derived
status: test
description: Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md
- https://github.com/harleyQu1nn/AggressorScripts # AVQuery.cna
author: Nikita Nazarov, oscd.community
date: 2020-10-16
modified: 2022-10-09
tags:
- attack.discovery
- attack.t1518
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\reg.exe' # Example: reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersion
CommandLine|contains|all:
- 'query'
- '\software\'
- '/v'
- 'svcversion'
condition: selection
falsepositives:
- Legitimate administration activities
level: medium
Convert to SIEM query
medium
Detected Windows Software Discovery - PowerShell
Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
view Sigma YAML
title: Detected Windows Software Discovery - PowerShell
id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282
status: test
description: Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md
- https://github.com/harleyQu1nn/AggressorScripts # AVQuery.cna
author: Nikita Nazarov, oscd.community
date: 2020-10-16
modified: 2022-12-02
tags:
- attack.discovery
- attack.t1518
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
# Example: Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize
- 'get-itemProperty'
- '\software\'
- 'select-object'
- 'format-table'
condition: selection
falsepositives:
- Legitimate administration activities
level: medium
Convert to SIEM query
medium
Detection of PowerShell Execution via Sqlps.exe
This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server.
Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
view Sigma YAML
title: Detection of PowerShell Execution via Sqlps.exe
id: 0152550d-3a26-4efd-9f0e-54a0b28ae2f3
status: test
description: |
This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server.
Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
references:
- https://learn.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/
- https://twitter.com/bryon_/status/975835709587075072
author: 'Agro (@agro_sev) oscd.community'
date: 2020-10-10
modified: 2022-12-09
tags:
- attack.execution
- attack.stealth
- attack.t1059.001
- attack.t1127
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\sqlps.exe'
selection_image:
- Image|endswith: '\sqlps.exe'
- OriginalFileName: 'sqlps.exe'
filter_image:
ParentImage|endswith: '\sqlagent.exe'
condition: selection_parent or (selection_image and not filter_image)
falsepositives:
- Direct PS command execution through SQLPS.exe is uncommon, childprocess sqlps.exe spawned by sqlagent.exe is a legitimate action.
level: medium
Convert to SIEM query
medium
Device Installation Blocked
Detects an installation of a device that is forbidden by the system policy
view Sigma YAML
title: Device Installation Blocked
id: c9eb55c3-b468-40ab-9089-db2862e42137
status: test
description: Detects an installation of a device that is forbidden by the system policy
references:
- https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6423
author: frack113
date: 2022-10-14
tags:
- attack.initial-access
- attack.t1200
logsource:
service: security
product: windows
detection:
selection:
EventID: 6423
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Device Registration or Join Without MFA
Monitor and alert for device registration or join events where MFA was not performed.
view Sigma YAML
title: Device Registration or Join Without MFA
id: 5afa454e-030c-4ab4-9253-a90aa7fcc581
status: test
description: Monitor and alert for device registration or join events where MFA was not performed.
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#device-registrations-and-joins-outside-policy
author: Michael Epping, '@mepples21'
date: 2022-06-28
tags:
- attack.privilege-escalation
- attack.persistence
- attack.initial-access
- attack.stealth
- attack.t1078.004
logsource:
product: azure
service: signinlogs
detection:
selection:
ResourceDisplayName: 'Device Registration Service'
conditionalAccessStatus: 'success'
filter_mfa:
AuthenticationRequirement: 'multiFactorAuthentication'
condition: selection and not filter_mfa
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
DeviceCredentialDeployment Execution
Detects the execution of DeviceCredentialDeployment to hide a process from view.
view Sigma YAML
title: DeviceCredentialDeployment Execution
id: b8b1b304-a60f-4999-9a6e-c547bde03ffd
status: test
description: |
Detects the execution of DeviceCredentialDeployment to hide a process from view.
references:
- https://github.com/LOLBAS-Project/LOLBAS/pull/147
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-19
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\DeviceCredentialDeployment.exe'
condition: selection
falsepositives:
- Unlikely
level: medium
Convert to SIEM query
medium
Dfsvc.EXE Network Connection To Non-Local IPs
Detects network connections from "dfsvc.exe" used to handled ClickOnce applications to non-local IPs
view Sigma YAML
title: Dfsvc.EXE Network Connection To Non-Local IPs
id: 3c21219b-49b5-4268-bce6-c914ed50f09c
status: test
description: Detects network connections from "dfsvc.exe" used to handled ClickOnce applications to non-local IPs
references:
- https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-12
modified: 2024-03-12
tags:
- attack.execution
- attack.t1203
- detection.threat-hunting
logsource:
category: network_connection
product: windows
detection:
selection:
Image|endswith: '\dfsvc.exe'
Initiated: 'true'
filter_main_local_ip:
DestinationIp|cidr: # Ranges excluded based on https://github.com/SigmaHQ/sigma/blob/0f176092326ab9d1e19384d30224e5f29f760d82/rules/windows/network_connection/net_connection_win_dllhost_net_connections.yml
- '127.0.0.0/8'
- '10.0.0.0/8'
- '169.254.0.0/16' # link-local address
- '172.16.0.0/12'
- '192.168.0.0/16'
- '::1/128' # IPv6 loopback
- 'fe80::/10' # IPv6 link-local addresses
- 'fc00::/7' # IPv6 private addresses
condition: selection and not 1 of filter_main_*
falsepositives:
- False positives are expected from ClickOnce manifests hosted on public IPs and domains. Apply additional filters for the accepted IPs in your environement as necessary
level: medium
Convert to SIEM query
medium
Direct Autorun Keys Modification
Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.
view Sigma YAML
title: Direct Autorun Keys Modification
id: 24357373-078f-44ed-9ac4-6d334a668a11
status: test
description: Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
- https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2019-10-25
modified: 2026-01-05
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\reg.exe'
- OriginalFileName: 'reg.exe'
selection_cli_add:
CommandLine|contains: 'add' # to avoid intersection with discovery tactic rules
selection_cli_keys:
CommandLine|contains: # need to improve this list, there are plenty of ASEP reg keys
- '\software\Microsoft\Windows\CurrentVersion\Run' # Also covers the strings "RunOnce", "RunOnceEx", "RunServices", "RunServicesOnce"
- '\software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
- '\software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
- '\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit'
- '\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell'
- '\software\Microsoft\Windows NT\CurrentVersion\Windows'
- '\system\CurrentControlSet\Control\SafeBoot\AlternateShell'
condition: all of selection_*
falsepositives:
- Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.
- Legitimate administrator sets up autorun keys for legitimate reasons.
- Discord
level: medium
Convert to SIEM query
medium
DirectorySearcher Powershell Exploitation
Enumerates Active Directory to determine computers that are joined to the domain
view Sigma YAML
title: DirectorySearcher Powershell Exploitation
id: 1f6399cf-2c80-4924-ace1-6fcff3393480
status: test
description: Enumerates Active Directory to determine computers that are joined to the domain
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-15---enumerate-domain-computers-within-active-directory-using-directorysearcher
author: frack113
date: 2022-02-12
tags:
- attack.discovery
- attack.t1018
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'New-Object '
- 'System.DirectoryServices.DirectorySearcher'
- '.PropertiesToLoad.Add'
- '.findall()'
- 'Properties.name'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Disable Administrative Share Creation at Startup
Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system
view Sigma YAML
title: Disable Administrative Share Creation at Startup
id: c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e
status: test
description: Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md#atomic-test-4---disable-administrative-share-creation-at-startup
author: frack113
date: 2022-01-16
modified: 2024-03-25
tags:
- attack.stealth
- attack.t1070.005
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\Services\LanmanServer\Parameters\'
TargetObject|endswith:
- '\AutoShareWks'
- '\AutoShareServer'
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_disable_administrative_share/info.yml
simulation:
- type: atomic-red-team
name: Disable Administrative Share Creation at Startup
technique: T1070.005
atomic_guid: 99c657aa-ebeb-4179-a665-69288fdd12b8
Convert to SIEM query
medium
Disable Exploit Guard Network Protection on Windows Defender
Detects disabling Windows Defender Exploit Guard Network Protection
view Sigma YAML
title: Disable Exploit Guard Network Protection on Windows Defender
id: bf9e1387-b040-4393-9851-1598f8ecfae9
status: test
description: Detects disabling Windows Defender Exploit Guard Network Protection
references:
- https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html
author: Austin Songer @austinsonger
date: 2021-08-04
modified: 2023-08-17
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: 'SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection\DisallowExploitProtectionOverride'
Details: 'DWORD (00000001)'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Disable Internal Tools or Feature in Registry
Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)
view Sigma YAML
title: Disable Internal Tools or Feature in Registry
id: e2482f8d-3443-4237-b906-cc145d87a076
status: test
description: Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md
- https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions
- https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
- https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage
- https://www.malwarebytes.com/blog/detections/pum-optional-nodispcpl
- https://bazaar.abuse.ch/sample/7bde840c7e8c36dce4c3bac937bcf39f36a6f118001b406bfbbc25451ce44fb4/
author: frack113, Nasreddine Bencherchali (Nextron Systems), CrimpSec
date: 2022-03-18
modified: 2025-06-04
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
selection_set_1:
TargetObject|endswith:
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisableCMD'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableChangePassword'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskmgr'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL'
- 'SOFTWARE\Policies\Microsoft\Windows\Explorer\DisableNotificationCenter'
- 'SOFTWARE\Policies\Microsoft\Windows\System\DisableCMD'
Details: 'DWORD (0x00000001)'
selection_set_0:
TargetObject|endswith:
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin'
- 'Software\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\ToastEnabled'
- 'SYSTEM\CurrentControlSet\Control\Storage\Write Protection'
- 'SYSTEM\CurrentControlSet\Control\StorageDevicePolicies\WriteProtect'
Details: 'DWORD (0x00000000)'
condition: 1 of selection_set_*
falsepositives:
- Legitimate admin script
level: medium
Convert to SIEM query
medium
Disable Microsoft Defender Firewall via Registry
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage
view Sigma YAML
title: Disable Microsoft Defender Firewall via Registry
id: 974515da-6cc5-4c95-ae65-f97f9150ec7f
status: test
description: Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-2---disable-microsoft-defender-firewall-via-registry
author: frack113
date: 2022-01-09
modified: 2024-03-25
tags:
- attack.defense-impairment
- attack.t1686.003
logsource:
category: registry_set
product: windows
detection:
selection:
# HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall
# HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall
# HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall
TargetObject|contains: '\Services\SharedAccess\Parameters\FirewallPolicy\'
TargetObject|endswith: '\EnableFirewall'
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_disable_defender_firewall/info.yml
simulation:
- type: atomic-red-team
name: Disable Microsoft Defender Firewall via Registry
technique: T1562.004
atomic_guid: afedc8c4-038c-4d82-b3e5-623a95f8a612
Convert to SIEM query
medium
Disable Or Stop Services
Detects the usage of utilities such as 'systemctl', 'service'...etc to stop or disable tools and services on Linux systems.
Attackers may stop or disable security tools and services to evade detection, maintain persistence, or disrupt system operations.
view Sigma YAML
title: Disable Or Stop Services
id: de25eeb8-3655-4643-ac3a-b662d3f26b6b
status: test
description: |
Detects the usage of utilities such as 'systemctl', 'service'...etc to stop or disable tools and services on Linux systems.
Attackers may stop or disable security tools and services to evade detection, maintain persistence, or disrupt system operations.
references:
- https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-15
modified: 2025-03-18
tags:
- attack.defense-impairment
- attack.t1685
- attack.impact
- attack.t1489
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith:
- '/service'
- '/systemctl'
- '/chkconfig'
CommandLine|contains:
- ' stop '
- ' disable '
filter_main_legit_snapd:
Image|endswith: '/systemctl'
CommandLine|contains:
- '--no-reload disable snap-snapd-'
- ' stop snap-snapd-'
filter_main_ssh_preinstall:
Image|endswith: '/systemctl'
ParentCommandLine|contains: 'tmp.ci/preinst upgrade'
CommandLine|contains|all:
- ' stop '
- 'ssh.'
filter_main_ubuntu_upgrade:
ParentCommandLine|contains: '/dpkg/info/ubuntu-pro-client.prerm upgrade'
Image|endswith: '/systemctl'
filter_optional_aws_agent:
Image|endswith: '/systemctl'
CommandLine|endswith: 'snap.amazon-ssm-agent.amazon-ssm-agent.service'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate administration activities
- Some false positives are to be expected. Apply additional filters as needed before pushing to production.
level: medium
Convert to SIEM query
medium
Disable Privacy Settings Experience in Registry
Detects registry modifications that disable Privacy Settings Experience
view Sigma YAML
title: Disable Privacy Settings Experience in Registry
id: 0372e1f9-0fd2-40f7-be1b-a7b2b848fa7b
status: test
description: Detects registry modifications that disable Privacy Settings Experience
references:
- https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1562.001/T1562.001.md
author: frack113
date: 2022-10-02
modified: 2023-08-17
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\SOFTWARE\Policies\Microsoft\Windows\OOBE\DisablePrivacyExperience'
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Legitimate admin script
level: medium
Convert to SIEM query
medium
Disable Security Tools
Detects disabling security tools
view Sigma YAML
title: Disable Security Tools
id: ff39f1a6-84ac-476f-a1af-37fcdf53d7c0
status: test
description: Detects disabling security tools
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
author: Daniil Yugoslavskiy, oscd.community
date: 2020-10-19
modified: 2021-11-27
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: macos
detection:
launchctl_unload:
Image: '/bin/launchctl'
CommandLine|contains: 'unload'
security_plists:
CommandLine|contains:
- 'com.objective-see.lulu.plist' # Objective-See firewall management utility
- 'com.objective-see.blockblock.plist' # Objective-See persistence locations watcher/blocker
- 'com.google.santad.plist' # google santa
- 'com.carbonblack.defense.daemon.plist' # carbon black
- 'com.carbonblack.daemon.plist' # carbon black
- 'at.obdev.littlesnitchd.plist' # Objective Development Software firewall management utility
- 'com.tenablesecurity.nessusagent.plist' # Tenable Nessus
- 'com.opendns.osx.RoamingClientConfigUpdater.plist' # OpenDNS Umbrella
- 'com.crowdstrike.falcond.plist' # Crowdstrike Falcon
- 'com.crowdstrike.userdaemon.plist' # Crowdstrike Falcon
- 'osquery' # facebook osquery
- 'filebeat' # elastic log file shipper
- 'auditbeat' # elastic auditing agent/log shipper
- 'packetbeat' # elastic network logger/shipper
- 'td-agent' # fluentd log shipper
disable_gatekeeper:
Image: '/usr/sbin/spctl'
CommandLine|contains: 'disable'
condition: (launchctl_unload and security_plists) or disable_gatekeeper
falsepositives:
- Legitimate activities
level: medium
Convert to SIEM query
medium
Disable Tamper Protection on Windows Defender
Detects disabling Windows Defender Tamper Protection
view Sigma YAML
title: Disable Tamper Protection on Windows Defender
id: 93d298a1-d28f-47f1-a468-d971e7796679
status: test
description: Detects disabling Windows Defender Tamper Protection
references:
- https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html
author: Austin Songer @austinsonger
date: 2021-08-04
modified: 2023-08-17
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\Microsoft\Windows Defender\Features\TamperProtection'
Details: DWORD (0x00000000)
filter_msmpeng_client: # only disabled temporarily during updates
Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
Image|endswith: '\MsMpEng.exe'
filter_msmpeng_domain_controller: # only disabled temporarily during updates
Image: 'C:\Program Files\Windows Defender\MsMpEng.exe'
condition: selection and not 1 of filter_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Disable Windows Firewall by Registry
Detect set EnableFirewall to 0 to disable the Windows firewall
view Sigma YAML
title: Disable Windows Firewall by Registry
id: e78c408a-e2ea-43cd-b5ea-51975cf358c0
status: test
description: Detect set EnableFirewall to 0 to disable the Windows firewall
references:
- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.004/T1562.004.md
author: frack113
date: 2022-08-19
modified: 2023-08-17
tags:
- attack.defense-impairment
- attack.t1686.003
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith:
- \SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\EnableFirewall
- \SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall
Details: DWORD (0x00000000)
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Disable Windows Security Center Notifications
Detect set UseActionCenterExperience to 0 to disable the Windows security center notification
view Sigma YAML
title: Disable Windows Security Center Notifications
id: 3ae1a046-f7db-439d-b7ce-b8b366b81fa6
status: test
description: Detect set UseActionCenterExperience to 0 to disable the Windows security center notification
references:
- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
author: frack113
date: 2022-08-19
modified: 2023-08-17
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: 'Windows\CurrentVersion\ImmersiveShell\UseActionCenterExperience'
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications/info.yml
simulation:
- type: atomic-red-team
name: Disable Windows Security Center Notifications
technique: T1112
atomic_guid: 45914594-8df6-4ea9-b3cc-7eb9321a807e
Convert to SIEM query
Showing 251-300 of 1,492