Tool
EDR / XDR
VMware Carbon Black
1,492 rules · Sigma detections in VMware Carbon Black syntax
The same Sigma detection corpus, machine-rendered into VMware Carbon Black query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
◈
Detection rules
50 shown of 1,492
medium
Enumeration for Credentials in Registry
Adversaries may search the Registry on compromised systems for insecurely stored credentials.
The Windows Registry stores configuration information that can be used by the system or other programs.
Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services
view Sigma YAML
title: Enumeration for Credentials in Registry
id: e0b0c2ab-3d52-46d9-8cb7-049dc775fbd1
status: test
description: |
Adversaries may search the Registry on compromised systems for insecurely stored credentials.
The Windows Registry stores configuration information that can be used by the system or other programs.
Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.002/T1552.002.md
author: frack113
date: 2021-12-20
modified: 2022-12-25
tags:
- attack.credential-access
- attack.t1552.002
logsource:
category: process_creation
product: windows
detection:
reg:
Image|endswith: '\reg.exe'
CommandLine|contains|all:
- ' query '
- '/t '
- 'REG_SZ'
- '/s'
hive:
- CommandLine|contains|all:
- '/f '
- 'HKLM'
- CommandLine|contains|all:
- '/f '
- 'HKCU'
- CommandLine|contains: 'HKCU\Software\SimonTatham\PuTTY\Sessions'
condition: reg and hive
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Esentutl Gather Credentials
Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module pwgrab.
view Sigma YAML
title: Esentutl Gather Credentials
id: 7df1713a-1a5b-4a4b-a071-dc83b144a101
status: test
description: Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module pwgrab.
references:
- https://twitter.com/vxunderground/status/1423336151860002816
- https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/
author: sam0x90
date: 2021-08-06
modified: 2022-10-09
tags:
- attack.credential-access
- attack.t1003
- attack.t1003.003
- attack.s0404
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'esentutl'
- ' /p'
condition: selection
falsepositives:
- To be determined
level: medium
Convert to SIEM query
medium
Esentutl Steals Browser Information
One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe
view Sigma YAML
title: Esentutl Steals Browser Information
id: 6a69f62d-ce75-4b57-8dce-6351eb55b362
status: test
description: One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe
references:
- https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/
- https://redcanary.com/threat-detection-report/threats/qbot/
- https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/
author: frack113
date: 2022-02-13
modified: 2024-03-05
tags:
- attack.collection
- attack.t1005
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\esentutl.exe'
- OriginalFileName: 'esentutl.exe'
selection_flag:
CommandLine|contains|windash: '-r'
selection_webcache:
CommandLine|contains: '\Windows\WebCache'
condition: all of selection*
falsepositives:
- Legitimate use
level: medium
Convert to SIEM query
medium
EventLog EVTX File Deleted
Detects the deletion of the event log files which may indicate an attempt to destroy forensic evidence
view Sigma YAML
title: EventLog EVTX File Deleted
id: 63c779ba-f638-40a0-a593-ddd45e8b1ddc
status: test
description: Detects the deletion of the event log files which may indicate an attempt to destroy forensic evidence
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-15
tags:
- attack.stealth
- attack.t1070
logsource:
category: file_delete
product: windows
detection:
selection:
TargetFilename|startswith: 'C:\Windows\System32\winevt\Logs\'
TargetFilename|endswith: '.evtx'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
EventLog Query Requests By Builtin Utilities
Detect attempts to query the contents of the event log using command line utilities. Attackers use this technique in order to look for sensitive information in the logs such as passwords, usernames, IPs, etc.
view Sigma YAML
title: EventLog Query Requests By Builtin Utilities
id: 9cd55b6c-430a-4fa9-96f4-7cadf5229e9f
related:
- id: beaa66d6-aa1b-4e3c-80f5-e0145369bfaf
type: derived
status: test
description: |
Detect attempts to query the contents of the event log using command line utilities. Attackers use this technique in order to look for sensitive information in the logs such as passwords, usernames, IPs, etc.
references:
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.3
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1
- http://www.solomonson.com/posts/2010-07-09-reading-eventviewer-command-line/
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
author: Ali Alwashali, Nasreddine Bencherchali (Nextron Systems)
date: 2023-11-20
modified: 2024-01-24
tags:
- attack.t1552
- attack.credential-access
- detection.threat-hunting
logsource:
product: windows
category: process_creation
detection:
selection_wmi:
CommandLine|contains|all:
- 'Select'
- 'Win32_NTLogEvent'
selection_wevtutil_img:
- Image|endswith: '\wevtutil.exe'
- OriginalFileName: 'wevtutil.exe'
selection_wevtutil_cli:
CommandLine|contains:
- ' qe '
- ' query-events '
selection_wmic_img:
- Image|endswith: '\wmic.exe'
- OriginalFileName: 'wmic.exe'
selection_wmic_cli:
CommandLine|contains: ' ntevent'
selection_cmdlet:
CommandLine|contains:
- 'Get-WinEvent '
- 'get-eventlog '
condition: selection_wmi or all of selection_wevtutil_* or all of selection_wmic_* or selection_cmdlet
falsepositives:
- Legitimate log access by administrators or troubleshooting tools
level: medium
Convert to SIEM query
medium
Eventlog Cleared
One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution
view Sigma YAML
title: Eventlog Cleared
id: a62b37e0-45d3-48d9-a517-90c1a1b0186b
related:
- id: f2f01843-e7b8-4f95-a35a-d23584476423
type: obsolete
- id: d99b79d2-0a6f-4f46-ad8b-260b6e17f982
type: derived
- id: 100ef69e-3327-481c-8e5c-6d80d9507556
type: derived
status: test
description: One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution
references:
- https://twitter.com/deviouspolack/status/832535435960209408
- https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
author: Florian Roth (Nextron Systems)
date: 2017-01-10
modified: 2023-11-15
tags:
- attack.defense-impairment
- attack.t1685.005
- car.2016-04-002
logsource:
product: windows
service: system
detection:
selection:
EventID: 104
Provider_Name: 'Microsoft-Windows-Eventlog'
filter_main_covered:
# The channels below are already covered by the rule 100ef69e-3327-481c-8e5c-6d80d9507556
Channel:
- 'Microsoft-Windows-PowerShell/Operational'
- 'Microsoft-Windows-Sysmon/Operational'
- 'PowerShellCore/Operational'
- 'Security'
- 'System'
- 'Windows PowerShell'
condition: selection and not 1 of filter_main_*
falsepositives:
- Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)
- System provisioning (system reset before the golden image creation)
level: medium
Convert to SIEM query
medium
Executable from Webdav
Detects executable access via webdav6. Can be seen in APT 29 such as from the emulated APT 29 hackathon https://github.com/OTRF/detection-hackathon-apt29/
view Sigma YAML
title: Executable from Webdav
id: aac2fd97-bcba-491b-ad66-a6edf89c71bf
status: test
description: 'Detects executable access via webdav6. Can be seen in APT 29 such as from the emulated APT 29 hackathon https://github.com/OTRF/detection-hackathon-apt29/'
references:
- http://carnal0wnage.attackresearch.com/2012/06/webdav-server-to-download-custom.html
- https://github.com/OTRF/detection-hackathon-apt29
author: 'SOC Prime, Adam Swan'
date: 2020-05-01
modified: 2021-11-27
tags:
- attack.command-and-control
- attack.t1105
logsource:
product: zeek
service: http
detection:
selection_webdav:
- c-useragent|contains: 'WebDAV'
- c-uri|contains: 'webdav'
selection_executable:
- resp_mime_types|contains: 'dosexec'
- c-uri|endswith: '.exe'
condition: selection_webdav and selection_executable
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Execute Code with Pester.bat
Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)
view Sigma YAML
title: Execute Code with Pester.bat
id: 59e938ff-0d6d-4dc3-b13f-36cc28734d4e
status: test
description: Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)
references:
- https://twitter.com/Oddvarmoe/status/993383596244258816
- https://github.com/api0cradle/LOLBAS/blob/d148d278f5f205ce67cfaf49afdfb68071c7252a/OSScripts/pester.md
author: Julia Fomina, oscd.community
date: 2020-10-08
modified: 2023-11-09
tags:
- attack.execution
- attack.stealth
- attack.t1059.001
- attack.t1216
logsource:
category: process_creation
product: windows
detection:
powershell_module:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
CommandLine|contains|all:
- 'Pester'
- 'Get-Help'
cmd_execution:
Image|endswith: '\cmd.exe'
CommandLine|contains|all:
- 'pester'
- ';'
get_help:
CommandLine|contains:
- 'help'
- '\?'
condition: powershell_module or (cmd_execution and get_help)
falsepositives:
- Legitimate use of Pester for writing tests for Powershell scripts and modules
level: medium
Convert to SIEM query
medium
Execute Code with Pester.bat as Parent
Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)
view Sigma YAML
title: Execute Code with Pester.bat as Parent
id: 18988e1b-9087-4f8a-82fe-0414dce49878
related:
- id: 59e938ff-0d6d-4dc3-b13f-36cc28734d4e
type: similar
status: test
description: Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)
references:
- https://twitter.com/Oddvarmoe/status/993383596244258816
- https://twitter.com/_st0pp3r_/status/1560072680887525378
author: frack113, Nasreddine Bencherchali
date: 2022-08-20
tags:
- attack.execution
- attack.stealth
- attack.t1059.001
- attack.t1216
logsource:
category: process_creation
product: windows
detection:
selection_module:
ParentImage|endswith:
- '\powershell.exe'
- '\pwsh.exe'
ParentCommandLine|contains: '\WindowsPowerShell\Modules\Pester\'
selection_cli:
ParentCommandLine|contains:
- '{ Invoke-Pester -EnableExit ;'
- '{ Get-Help "'
condition: all of selection_*
falsepositives:
- Legitimate use of Pester for writing tests for Powershell scripts and modules
level: medium
Convert to SIEM query
medium
Execute Files with Msdeploy.exe
Detects file execution using the msdeploy.exe lolbin
view Sigma YAML
title: Execute Files with Msdeploy.exe
id: 646bc99f-6682-4b47-a73a-17b1b64c9d34
status: test
description: Detects file execution using the msdeploy.exe lolbin
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy/
- https://twitter.com/pabraeken/status/995837734379032576
- https://twitter.com/pabraeken/status/999090532839313408
author: Beyu Denis, oscd.community
date: 2020-10-18
modified: 2021-11-27
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'verb:sync'
- '-source:RunCommand'
- '-dest:runCommand'
Image|endswith: '\msdeploy.exe'
condition: selection
falsepositives:
- System administrator Usage
level: medium
Convert to SIEM query
medium
Execute From Alternate Data Streams
Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection
view Sigma YAML
title: Execute From Alternate Data Streams
id: 7f43c430-5001-4f8b-aaa9-c3b88f18fa5c
status: test
description: Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md
author: frack113
date: 2021-09-01
modified: 2022-10-09
tags:
- attack.stealth
- attack.t1564.004
logsource:
category: process_creation
product: windows
detection:
selection_stream:
CommandLine|contains: 'txt:'
selection_tools_type:
CommandLine|contains|all:
- 'type '
- ' > '
selection_tools_makecab:
CommandLine|contains|all:
- 'makecab '
- '.cab'
selection_tools_reg:
CommandLine|contains|all:
- 'reg '
- ' export '
selection_tools_regedit:
CommandLine|contains|all:
- 'regedit '
- ' /E '
selection_tools_esentutl:
CommandLine|contains|all:
- 'esentutl '
- ' /y '
- ' /d '
- ' /o '
condition: selection_stream and (1 of selection_tools_*)
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Execute Invoke-command on Remote Host
Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
view Sigma YAML
title: Execute Invoke-command on Remote Host
id: 7b836d7f-179c-4ba4-90a7-a7e60afb48e6
status: test
description: Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-2---invoke-command
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.4
author: frack113
date: 2022-01-07
tags:
- attack.lateral-movement
- attack.t1021.006
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_cmdlet:
ScriptBlockText|contains|all:
- 'invoke-command '
- ' -ComputerName '
condition: selection_cmdlet
falsepositives:
- Legitimate script
level: medium
Convert to SIEM query
medium
Execution From Webserver Root Folder
Detects a program executing from a web server root folder. Use this rule to hunt for potential interesting activity such as webshell or backdoors
view Sigma YAML
title: Execution From Webserver Root Folder
id: 35efb964-e6a5-47ad-bbcd-19661854018d
status: test
description: |
Detects a program executing from a web server root folder. Use this rule to hunt for potential interesting activity such as webshell or backdoors
references:
- Internal Research
author: Florian Roth (Nextron Systems)
date: 2019-01-16
modified: 2024-01-18
tags:
- attack.persistence
- attack.t1505.003
- detection.threat-hunting
logsource:
category: process_creation
product: windows
detection:
selection:
Image|contains:
- '\wwwroot\'
- '\wmpub\'
- '\htdocs\'
filter_main_generic:
Image|contains:
- 'bin\'
- '\Tools\'
- '\SMSComponent\'
ParentImage|endswith: '\services.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Various applications
- Tools that include ping or nslookup command invocations
level: medium
Convert to SIEM query
medium
Execution Of Script Located In Potentially Suspicious Directory
Detects executions of scripts located in potentially suspicious locations such as "/tmp" via a shell such as "bash", "sh", etc.
view Sigma YAML
title: Execution Of Script Located In Potentially Suspicious Directory
id: 30bcce26-51c5-49f2-99c8-7b59e3af36c7
status: test
description: Detects executions of scripts located in potentially suspicious locations such as "/tmp" via a shell such as "bash", "sh", etc.
references:
- https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
- https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
- https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
- https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-06-02
tags:
- attack.execution
logsource:
product: linux
category: process_creation
detection:
selection_img:
Image|endswith:
- '/bash'
- '/csh'
- '/dash'
- '/fish'
- '/ksh'
- '/sh'
- '/zsh'
selection_flag:
CommandLine|contains: ' -c '
selection_paths:
# Note: Add more suspicious paths
CommandLine|contains: '/tmp/'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Execution of Suspicious File Type Extension
Detects whether the image specified in a process creation event doesn't refer to an ".exe" (or other known executable extension) file. This can be caused by process ghosting or other unorthodox methods to start a process.
This rule might require some initial baselining to align with some third party tooling in the user environment.
No stored carbon_black translation for this rule. Expand the YAML below to convert it inline.
view Sigma YAML
title: Execution of Suspicious File Type Extension
id: c09dad97-1c78-4f71-b127-7edb2b8e491a
status: test
description: |
Detects whether the image specified in a process creation event doesn't refer to an ".exe" (or other known executable extension) file. This can be caused by process ghosting or other unorthodox methods to start a process.
This rule might require some initial baselining to align with some third party tooling in the user environment.
references:
- https://pentestlaboratories.com/2021/12/08/process-ghosting/
author: Max Altgelt (Nextron Systems)
date: 2021-12-09
modified: 2023-11-23
tags:
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
known_image_extension:
Image|endswith:
- '.bin'
- '.cgi'
- '.com'
- '.exe'
- '.scr'
- '.tmp' # sadly many installers use this extension
filter_main_image: # Windows utilities without extension
Image:
- 'System'
- 'Registry'
- 'MemCompression'
- 'vmmem'
filter_main_msi_installers:
Image|contains: ':\Windows\Installer\MSI'
filter_main_driver_store:
Image|contains: ':\Windows\System32\DriverStore\FileRepository\'
filter_main_msi_rollbackfiles:
Image|contains: ':\Config.Msi\'
Image|endswith:
- '.rbf'
- '.rbs'
filter_main_windows_temp:
- ParentImage|contains: ':\Windows\Temp\'
- Image|contains: ':\Windows\Temp\'
filter_main_deleted:
Image|contains: ':\$Extend\$Deleted\'
filter_main_empty:
Image:
- '-'
- ''
filter_main_null:
Image: null
filter_optional_avira:
ParentImage|contains: ':\ProgramData\Avira\'
filter_optional_nvidia:
Image|contains: 'NVIDIA\NvBackend\'
Image|endswith: '.dat'
filter_optional_winpakpro:
Image|contains:
- ':\Program Files (x86)\WINPAKPRO\'
- ':\Program Files\WINPAKPRO\'
Image|endswith: '.ngn'
filter_optional_myq_server:
Image|endswith:
- ':\Program Files (x86)\MyQ\Server\pcltool.dll'
- ':\Program Files\MyQ\Server\pcltool.dll'
filter_optional_wsl:
Image|contains|all:
- '\AppData\Local\Packages\'
- '\LocalState\rootfs\'
filter_optional_lzma_exe:
Image|endswith: '\LZMA_EXE'
filter_optional_firefox:
Image|contains: ':\Program Files\Mozilla Firefox\'
filter_optional_docker:
ParentImage: 'C:\Windows\System32\services.exe'
Image|endswith: 'com.docker.service'
condition: not known_image_extension and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Exploit for CVE-2017-0261
Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262
view Sigma YAML
title: Exploit for CVE-2017-0261
id: 864403a1-36c9-40a2-a982-4c9a45f7d833
status: test
description: Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262
references:
- https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html
author: Florian Roth (Nextron Systems)
date: 2018-02-22
modified: 2021-11-27
tags:
- attack.execution
- attack.t1203
- attack.t1204.002
- attack.initial-access
- attack.t1566.001
- cve.2017-0261
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\WINWORD.EXE'
Image|contains: '\FLTLDR.exe'
condition: selection
falsepositives:
- Several false positives identified, check for suspicious file names or locations (e.g. Temp folders)
level: medium
Convert to SIEM query
medium
Explorer Process Tree Break
Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries,
which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from "svchost"
view Sigma YAML
title: Explorer Process Tree Break
id: 949f1ffb-6e85-4f00-ae1e-c3c5b190d605
status: test
description: |
Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries,
which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from "svchost"
references:
- https://twitter.com/CyberRaiju/status/1273597319322058752
- https://twitter.com/bohops/status/1276357235954909188?s=12
- https://twitter.com/nas_bench/status/1535322450858233858
- https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @gott_cyber
date: 2019-06-29
modified: 2025-10-31
tags:
- attack.stealth
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
# Note: See CLSID_SeparateMultipleProcessExplorerHost in the registry for reference
selection_factory:
CommandLine|contains: '/factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b}' # This will catch, the new explorer spawning which indicates a process/tree break. But you won't be able to catch the executing process. For that you need historical data
selection_root:
CommandLine|contains: 'explorer.exe'
CommandLine|contains|windash: ' /root,'
# There exists almost infinite possibilities to spawn from explorer. The "/root" flag is just an example
# It's better to have the ability to look at the process tree and look for explorer processes with "weird" flags to be able to catch this technique.
condition: 1 of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
External Remote RDP Logon from Public IP
Detects successful logon from public IP address via RDP. This can indicate a publicly-exposed RDP port.
view Sigma YAML
title: External Remote RDP Logon from Public IP
id: 259a9cdf-c4dd-4fa2-b243-2269e5ab18a2
related:
- id: 78d5cab4-557e-454f-9fb9-a222bd0d5edc
type: derived
status: test
description: Detects successful logon from public IP address via RDP. This can indicate a publicly-exposed RDP port.
references:
- https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html
- https://twitter.com/Purp1eW0lf/status/1616144561965002752
author: Micah Babinski (@micahbabinski), Zach Mathis (@yamatosecurity)
date: 2023-01-19
modified: 2024-03-11
tags:
- attack.privilege-escalation
- attack.persistence
- attack.initial-access
- attack.credential-access
- attack.stealth
- attack.t1133
- attack.t1078
- attack.t1110
logsource:
product: windows
service: security
detection:
selection:
EventID: 4624
LogonType: 10
filter_main_local_ranges:
IpAddress|cidr:
- '::1/128' # IPv6 loopback
- '10.0.0.0/8'
- '127.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '169.254.0.0/16'
- 'fc00::/7' # IPv6 private addresses
- 'fe80::/10' # IPv6 link-local addresses
filter_main_empty:
IpAddress: '-'
condition: selection and not 1 of filter_main_*
falsepositives:
- Legitimate or intentional inbound connections from public IP addresses on the RDP port.
level: medium
Convert to SIEM query
medium
Extracting Information with PowerShell
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
These can be files created by users to store their own credentials, shared credential stores for a group of individuals,
configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
view Sigma YAML
title: Extracting Information with PowerShell
id: bd5971a7-626d-46ab-8176-ed643f694f68
status: test
description: |
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
These can be files created by users to store their own credentials, shared credential stores for a group of individuals,
configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
author: frack113
date: 2021-12-19
modified: 2022-12-25
tags:
- attack.credential-access
- attack.t1552.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- ls
- ' -R'
- 'select-string '
- '-Pattern '
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
F5 BIG-IP iControl Rest API Command Execution - Proxy
Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP
view Sigma YAML
title: F5 BIG-IP iControl Rest API Command Execution - Proxy
id: b59c98c6-95e8-4d65-93ee-f594dfb96b17
related:
- id: 85254a62-22be-4239-b79c-2ec17e566c37
type: similar
status: test
description: Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP
references:
- https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash
- https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029
- https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516
author: Nasreddine Bencherchali (Nextron Systems), Thurein Oo
date: 2023-11-08
tags:
- attack.initial-access
- attack.t1190
logsource:
category: proxy
detection:
selection:
cs-method: 'POST'
c-uri|endswith: '/mgmt/tm/util/bash'
condition: selection
falsepositives:
- Legitimate usage of the BIG IP REST API to execute command for administration purposes
level: medium
Convert to SIEM query
medium
F5 BIG-IP iControl Rest API Command Execution - Webserver
Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP
view Sigma YAML
title: F5 BIG-IP iControl Rest API Command Execution - Webserver
id: 85254a62-22be-4239-b79c-2ec17e566c37
related:
- id: b59c98c6-95e8-4d65-93ee-f594dfb96b17
type: similar
status: test
description: Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP
references:
- https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash
- https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029
- https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516
author: Nasreddine Bencherchali (Nextron Systems), Thurein Oo
date: 2023-11-08
tags:
- attack.execution
- attack.t1190
- attack.initial-access
logsource:
category: webserver
detection:
selection:
cs-method: 'POST'
cs-uri-query|endswith: '/mgmt/tm/util/bash'
condition: selection
falsepositives:
- Legitimate usage of the BIG IP REST API to execute command for administration purposes
level: medium
Convert to SIEM query
medium
FTP Connection Open Attempt Via Winscp CLI
Detects the execution of Winscp with the "-command" and the "open" flags in order to open an FTP connection. Akira ransomware was seen using this technique in order to exfiltrate data.
view Sigma YAML
title: FTP Connection Open Attempt Via Winscp CLI
id: c1477deb-37cf-4439-9ffb-44499acb89d0
status: experimental
description: Detects the execution of Winscp with the "-command" and the "open" flags in order to open an FTP connection. Akira ransomware was seen using this technique in order to exfiltrate data.
references:
- https://blogs.blackberry.com/en/2024/07/akira-ransomware-targets-the-latam-airline-industry
author: frack113
date: 2025-10-12
tags:
- attack.exfiltration
- attack.t1048
- detection.threat-hunting
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\WinSCP.exe'
- OriginalFileName: 'winscp.exe'
selection_cmd:
CommandLine|contains|windash: '-command'
CommandLine|contains|all:
- 'open '
- 'ftp://' # cover ftp and sftp
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Failed DNS Zone Transfer
Detects when a DNS zone transfer failed.
view Sigma YAML
title: Failed DNS Zone Transfer
id: 6d444368-6da1-43fe-b2fc-44202430480e
status: test
description: Detects when a DNS zone transfer failed.
references:
- https://kb.eventtracker.com/evtpass/evtpages/EventId_6004_Microsoft-Windows-DNS-Server-Service_65410.asp
author: Zach Mathis
date: 2023-05-24
tags:
- attack.reconnaissance
- attack.t1590.002
logsource:
product: windows
service: dns-server
detection:
selection:
EventID: 6004 # The DNS server received a zone transfer request from %1 for a non-existent or non-authoritative zone %2.
condition: selection
falsepositives:
- Unlikely
level: medium
Convert to SIEM query
medium
Failed Logon From Public IP
Detects a failed logon attempt from a public IP. A login from a public IP can indicate a misconfigured firewall or network boundary.
view Sigma YAML
title: Failed Logon From Public IP
id: f88e112a-21aa-44bd-9b01-6ee2a2bbbed1
status: test
description: Detects a failed logon attempt from a public IP. A login from a public IP can indicate a misconfigured firewall or network boundary.
references:
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625
author: NVISO
date: 2020-05-06
modified: 2024-03-11
tags:
- attack.privilege-escalation
- attack.initial-access
- attack.persistence
- attack.stealth
- attack.t1078
- attack.t1190
- attack.t1133
logsource:
product: windows
service: security
detection:
selection:
EventID: 4625
filter_main_ip_unknown:
IpAddress|contains: '-'
filter_main_local_ranges:
IpAddress|cidr:
- '::1/128' # IPv6 loopback
- '10.0.0.0/8'
- '127.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '169.254.0.0/16'
- 'fc00::/7' # IPv6 private addresses
- 'fe80::/10' # IPv6 link-local addresses
condition: selection and not 1 of filter_main_*
falsepositives:
- Legitimate logon attempts over the internet
- IPv4-to-IPv6 mapped IPs
level: medium
Convert to SIEM query
medium
File Access Of Signal Desktop Sensitive Data
Detects access to Signal Desktop's sensitive data files: db.sqlite and config.json.
The db.sqlite file in Signal Desktop stores all locally saved messages in an encrypted SQLite database, while the config.json contains the decryption key needed to access that data.
Since the key is stored in plain text, a threat actor who gains access to both files can decrypt and read sensitive messages without needing the users credentials.
Currently the rule only covers the default Signal installation path in AppData\Roaming. Signal Portable installations may use different paths based on user configuration. Additional paths can be added to the selection as needed.
view Sigma YAML
title: File Access Of Signal Desktop Sensitive Data
id: 5d6c375a-18ae-4952-b4f6-8b803f6c8555
status: experimental
description: |
Detects access to Signal Desktop's sensitive data files: db.sqlite and config.json.
The db.sqlite file in Signal Desktop stores all locally saved messages in an encrypted SQLite database, while the config.json contains the decryption key needed to access that data.
Since the key is stored in plain text, a threat actor who gains access to both files can decrypt and read sensitive messages without needing the users credentials.
Currently the rule only covers the default Signal installation path in AppData\Roaming. Signal Portable installations may use different paths based on user configuration. Additional paths can be added to the selection as needed.
references:
- https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger/
- https://vmois.dev/query-signal-desktop-messages-sqlite/
author: Andreas Braathen (mnemonic.io)
date: 2025-10-19
tags:
- attack.credential-access
- attack.t1003
logsource:
product: windows
service: security
definition: 'Requirements: System Access Control List (SACL) policy with attributes List folder/read data on Objects'
detection:
selection:
EventID: 4663
ObjectType: 'File'
ObjectName|contains: '\AppData\Roaming\Signal\'
ObjectName|endswith:
- '\config.json'
- '\db.sqlite'
filter_main_signal:
ProcessName|endswith:
- '\signal-portable.exe'
- '\signal.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unlikely, but possible from AV or backup software accessing the files.
level: medium
Convert to SIEM query
medium
File Decryption Using Gpg4win
Detects usage of Gpg4win to decrypt files
view Sigma YAML
title: File Decryption Using Gpg4win
id: 037dcd71-33a8-4392-bb01-293c94663e5a
status: test
description: Detects usage of Gpg4win to decrypt files
references:
- https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
- https://www.gpg4win.de/documentation.html
- https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-09
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection_metadata:
- Image|endswith:
- '\gpg.exe'
- '\gpg2.exe'
- Description: 'GnuPG’s OpenPGP tool'
selection_cli:
CommandLine|contains|all:
- ' -d '
- 'passphrase'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
File Deleted Via Sysinternals SDelete
Detects the deletion of files by the Sysinternals SDelete utility. It looks for the common name pattern used to rename files.
view Sigma YAML
title: File Deleted Via Sysinternals SDelete
id: 6ddab845-b1b8-49c2-bbf7-1a11967f64bc
status: test
description: Detects the deletion of files by the Sysinternals SDelete utility. It looks for the common name pattern used to rename files.
references:
- https://github.com/OTRF/detection-hackathon-apt29/issues/9
- https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.md
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2023-02-15
tags:
- attack.stealth
- attack.t1070.004
logsource:
product: windows
category: file_delete
detection:
selection:
TargetFilename|endswith:
- '.AAA'
- '.ZZZ'
filter_wireshark:
TargetFilename|endswith: '\Wireshark\radius\dictionary.alcatel-lucent.aaa'
condition: selection and not 1 of filter_*
falsepositives:
- Legitimate usage
level: medium
Convert to SIEM query
medium
File Download From Browser Process Via Inline URL
Detects execution of a browser process with a URL argument pointing to a file with a potentially interesting extension. This can be abused to download arbitrary files or to hide from the user for example by launching the browser in a minimized state.
view Sigma YAML
title: File Download From Browser Process Via Inline URL
id: 94771a71-ba41-4b6e-a757-b531372eaab6
status: test
description: Detects execution of a browser process with a URL argument pointing to a file with a potentially interesting extension. This can be abused to download arbitrary files or to hide from the user for example by launching the browser in a minimized state.
references:
- https://twitter.com/mrd0x/status/1478116126005641220
- https://lolbas-project.github.io/lolbas/Binaries/Msedge/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-11
modified: 2025-10-27
tags:
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith:
- '\brave.exe'
- '\chrome.exe'
- '\msedge.exe'
- '\opera.exe'
- '\vivaldi.exe'
selection_http:
CommandLine|contains: 'http'
selection_extensions:
- CommandLine|endswith:
- '.7z'
- '.dat'
- '.dll'
- '.exe'
- '.hta'
- '.ps1'
- '.psm1'
- '.txt'
- '.vbe'
- '.vbs'
- '.zip'
- CommandLine|contains:
- '.7z"'
- '.dat"'
- '.dll"'
- '.hta"'
- '.ps1"'
- '.psm1"'
- '.txt"'
- '.vbe"'
- '.vbs"'
- '.zip"'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_browsers_inline_file_download/info.yml
Convert to SIEM query
medium
File Download From IP URL Via Curl.EXE
Detects file downloads directly from IP address URL using curl.exe
view Sigma YAML
title: File Download From IP URL Via Curl.EXE
id: 9cc85849-3b02-4cb5-b371-3a1ff54f2218
related:
- id: 5cb299fc-5fb1-4d07-b989-0644c68b6043
type: similar
status: test
description: Detects file downloads directly from IP address URL using curl.exe
references:
- https://labs.withsecure.com/publications/fin7-target-veeam-servers
- https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
- https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-10-18
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\curl.exe'
- OriginalFileName: 'curl.exe'
selection_ip:
CommandLine|re: '://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
selection_http:
CommandLine|contains: 'http'
selection_flag:
CommandLine|contains:
- ' -O' # covers the alias for --remote-name and --output
- '--remote-name'
- '--output'
filter_main_ext:
# Note: This filter exists to avoid duplication with 5cb299fc-5fb1-4d07-b989-0644c68b6043
CommandLine|endswith:
- '.bat'
- '.bat"'
- '.dat'
- '.dat"'
- '.dll'
- '.dll"'
- '.exe'
- '.exe"'
- '.gif'
- '.gif"'
- '.hta'
- '.hta"'
- '.jpeg'
- '.jpeg"'
- '.log'
- '.log"'
- '.msi'
- '.msi"'
- '.png'
- '.png"'
- '.ps1'
- '.ps1"'
- '.psm1'
- '.psm1"'
- '.vbe'
- '.vbe"'
- '.vbs'
- '.vbs"'
- ".bat'"
- ".dat'"
- ".dll'"
- ".exe'"
- ".gif'"
- ".hta'"
- ".jpeg'"
- ".log'"
- ".msi'"
- ".png'"
- ".ps1'"
- ".psm1'"
- ".vbe'"
- ".vbs'"
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec/info.yml
Convert to SIEM query
medium
File Download Using ProtocolHandler.exe
Detects usage of "ProtocolHandler" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
view Sigma YAML
title: File Download Using ProtocolHandler.exe
id: 104cdb48-a7a8-4ca7-a453-32942c6e5dcb
status: test
description: |
Detects usage of "ProtocolHandler" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/ProtocolHandler/
author: frack113
date: 2021-07-13
modified: 2023-11-09
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\protocolhandler.exe'
- OriginalFileName: 'ProtocolHandler.exe'
selection_cli:
CommandLine|contains:
- 'ftp://'
- 'http://'
- 'https://'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
File Download Via Bitsadmin
Detects usage of bitsadmin downloading a file
view Sigma YAML
title: File Download Via Bitsadmin
id: d059842b-6b9d-4ed1-b5c3-5b89143c6ede
status: test
description: Detects usage of bitsadmin downloading a file
references:
- https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
- https://isc.sans.edu/diary/22264
- https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
author: Michael Haag, FPT.EagleEye
date: 2017-03-09
modified: 2023-02-15
tags:
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1197
- attack.s0190
- attack.t1036.003
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\bitsadmin.exe'
- OriginalFileName: 'bitsadmin.exe'
selection_cmd:
CommandLine|contains: ' /transfer '
selection_cli_1:
CommandLine|contains:
- ' /create '
- ' /addfile '
selection_cli_2:
CommandLine|contains: 'http'
condition: selection_img and (selection_cmd or all of selection_cli_*)
falsepositives:
- Some legitimate apps use this, but limited.
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download/info.yml
simulation:
- type: atomic-red-team
name: Windows - BITSAdmin BITS Download
technique: T1105
atomic_guid: a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b
Convert to SIEM query
medium
File Download Via Curl.EXE
Detects file download using curl.exe
view Sigma YAML
title: File Download Via Curl.EXE
id: 9a517fca-4ba3-4629-9278-a68694697b81
related:
- id: bbeaed61-1990-4773-bf57-b81dbad7db2d # Basic curl execution
type: derived
- id: e218595b-bbe7-4ee5-8a96-f32a24ad3468 # Suspicious curl execution
type: derived
status: test
description: Detects file download using curl.exe
references:
- https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464
author: Florian Roth (Nextron Systems)
date: 2022-07-05
modified: 2023-02-21
tags:
- attack.command-and-control
- attack.t1105
- detection.threat-hunting
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\curl.exe'
- Product: 'The curl executable'
selection_remote:
CommandLine|contains:
- ' -O' # covers the alias for --remote-name and --output
- '--remote-name'
- '--output'
condition: all of selection_*
falsepositives:
- Scripts created by developers and admins
- Administrative activity
- The "\Git\usr\bin\sh.exe" process uses the "--output" flag to download a specific file in the temp directory with the pattern "gfw-httpget-xxxxxxxx.txt "
level: medium
Convert to SIEM query
medium
File Download Via InstallUtil.EXE
Detects use of .NET InstallUtil.exe in order to download arbitrary files. The files will be written to "%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\"
view Sigma YAML
title: File Download Via InstallUtil.EXE
id: 75edd216-1939-4c73-8d61-7f3a0d85b5cc
status: test
description: |
Detects use of .NET InstallUtil.exe in order to download arbitrary files. The files will be written to "%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\"
references:
- https://github.com/LOLBAS-Project/LOLBAS/pull/239
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-19
modified: 2023-11-09
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\InstallUtil.exe'
- OriginalFileName: 'InstallUtil.exe'
selection_cli:
CommandLine|contains:
- 'ftp://'
- 'http://'
- 'https://'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
File Download Via Nscurl - MacOS
Detects the execution of the nscurl utility in order to download files.
view Sigma YAML
title: File Download Via Nscurl - MacOS
id: 6d8a7cf1-8085-423b-b87d-7e880faabbdf
status: test
description: Detects the execution of the nscurl utility in order to download files.
references:
- https://www.loobins.io/binaries/nscurl/
- https://www.agnosticdev.com/content/how-diagnose-app-transport-security-issues-using-nscurl-and-openssl
- https://gist.github.com/nasbench/ca6ef95db04ae04ffd1e0b1ce709cadd
author: Daniel Cortez
date: 2024-06-04
tags:
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: macos
detection:
selection:
Image|endswith: '/nscurl'
CommandLine|contains:
- '--download '
- '--download-directory '
- '--output '
- '-dir '
- '-dl '
- '-ld'
- '-o '
condition: selection
falsepositives:
- Legitimate usage of nscurl by administrators and users.
level: medium
Convert to SIEM query
medium
File Download via CertOC.EXE
Detects when a user downloads a file by using CertOC.exe
view Sigma YAML
title: File Download via CertOC.EXE
id: 70ad0861-d1fe-491c-a45f-fa48148a300d
related:
- id: b86f6dea-0b2f-41f5-bdcc-a057bd19cd6a
type: similar
status: test
description: Detects when a user downloads a file by using CertOC.exe
references:
- https://lolbas-project.github.io/lolbas/Binaries/Certoc/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-05-16
modified: 2023-10-18
tags:
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\certoc.exe'
- OriginalFileName: 'CertOC.exe'
selection_cli:
CommandLine|contains|all:
- '-GetCACAPS'
- 'http'
condition: all of selection*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
File Encoded To Base64 Via Certutil.EXE
Detects the execution of certutil with the "encode" flag to encode a file to base64. This can be abused by threat actors and attackers for data exfiltration
view Sigma YAML
title: File Encoded To Base64 Via Certutil.EXE
id: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a
status: test
description: Detects the execution of certutil with the "encode" flag to encode a file to base64. This can be abused by threat actors and attackers for data exfiltration
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
- https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
- https://lolbas-project.github.io/lolbas/Binaries/Certutil/
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2019-02-24
modified: 2024-03-05
tags:
- attack.stealth
- attack.t1027
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\certutil.exe'
- OriginalFileName: 'CertUtil.exe'
selection_cli:
CommandLine|contains|windash: '-encode'
condition: all of selection_*
falsepositives:
- As this is a general purpose rule, legitimate usage of the encode functionality will trigger some false positives. Apply additional filters accordingly
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_encode/info.yml
Convert to SIEM query
medium
File Encryption Using Gpg4win
Detects usage of Gpg4win to encrypt files
view Sigma YAML
title: File Encryption Using Gpg4win
id: 550bbb84-ce5d-4e61-84ad-e590f0024dcd
status: test
description: Detects usage of Gpg4win to encrypt files
references:
- https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
- https://www.gpg4win.de/documentation.html
- https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-09
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection_metadata:
- Image|endswith:
- '\gpg.exe'
- '\gpg2.exe'
- Description: 'GnuPG’s OpenPGP tool'
selection_cli:
CommandLine|contains|all:
- ' -c '
- 'passphrase'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
File Recovery From Backup Via Wbadmin.EXE
Detects the recovery of files from backups via "wbadmin.exe".
Attackers can restore sensitive files such as NTDS.DIT or Registry Hives from backups in order to potentially extract credentials.
view Sigma YAML
title: File Recovery From Backup Via Wbadmin.EXE
id: 6fe4aa1e-0531-4510-8be2-782154b73b48
related:
- id: 84972c80-251c-4c3a-9079-4f00aad93938
type: derived
status: test
description: |
Detects the recovery of files from backups via "wbadmin.exe".
Attackers can restore sensitive files such as NTDS.DIT or Registry Hives from backups in order to potentially extract credentials.
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery
- https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2024-05-10
tags:
- attack.impact
- attack.t1490
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\wbadmin.exe'
- OriginalFileName: 'WBADMIN.EXE'
selection_cli:
CommandLine|contains|all:
- ' recovery'
- 'recoveryTarget'
- 'itemtype:File'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
File Time Attribute Change
Detect file time attribute change to hide new or changes to existing files
view Sigma YAML
title: File Time Attribute Change
id: 88c0f9d8-30a8-4120-bb6b-ebb54abcf2a0
status: test
description: Detect file time attribute change to hide new or changes to existing files
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md
author: Igor Fits, Mikhail Larin, oscd.community
date: 2020-10-19
modified: 2022-01-12
tags:
- attack.stealth
- attack.t1070.006
logsource:
product: macos
category: process_creation
detection:
selection:
Image|endswith: '/touch'
CommandLine|contains:
- '-t'
- '-acmr'
- '-d'
- '-r'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
File Time Attribute Change - Linux
Detect file time attribute change to hide new or changes to existing files.
view Sigma YAML
title: File Time Attribute Change - Linux
id: b3cec4e7-6901-4b0d-a02d-8ab2d8eb818b
status: test
description: Detect file time attribute change to hide new or changes to existing files.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md
author: 'Igor Fits, oscd.community'
date: 2020-10-15
modified: 2022-11-28
tags:
- attack.stealth
- attack.t1070.006
logsource:
product: linux
service: auditd
detection:
execve:
type: 'EXECVE'
touch:
- 'touch'
selection2:
- '-t'
- '-acmr'
- '-d'
- '-r'
condition: execve and touch and selection2
falsepositives:
- Unknown
level: medium
simulation:
- type: atomic-red-team
name: Set a file's access timestamp
technique: T1070.006
atomic_guid: 5f9113d5-ed75-47ed-ba23-ea3573d05810
- type: atomic-red-team
name: Set a file's modification timestamp
technique: T1070.006
atomic_guid: 20ef1523-8758-4898-b5a2-d026cc3d2c52
- type: atomic-red-team
name: Modify file timestamps using reference file
technique: T1070.006
atomic_guid: 631ea661-d661-44b0-abdb-7a7f3fc08e50
Convert to SIEM query
medium
File or Folder Permissions Modifications
Detects a file or folder's permissions being modified or tampered with.
view Sigma YAML
title: File or Folder Permissions Modifications
id: 37ae075c-271b-459b-8d7b-55ad5f993dd8
status: test
description: Detects a file or folder's permissions being modified or tampered with.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh750728(v=ws.11)
- https://github.com/swagkarna/Defeat-Defender-V1.2.0/tree/ae4059c4276da6f6303b8f53cdff085ecae88a91
author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2019-10-23
modified: 2023-11-21
tags:
- attack.defense-impairment
- attack.t1222.001
- detection.threat-hunting
logsource:
category: process_creation
product: windows
detection:
selection_1:
Image|endswith:
- '\cacls.exe'
- '\icacls.exe'
- '\net.exe' # "grant" Option available when used with "net share"
- '\net1.exe' # "grant" Option available when used with "net share"
CommandLine|contains:
- '/grant'
- '/setowner'
- '/inheritance:r' # Remove all inherited ACEs
selection_2:
Image|endswith: '\attrib.exe'
CommandLine|contains: '-r'
selection_3:
Image|endswith: '\takeown.exe' # If this generates FP in your environment. Comment it out or add more suspicious flags and locations
filter_optional_dynatrace_1:
CommandLine|endswith: 'ICACLS C:\ProgramData\dynatrace\gateway\config\connectivity.history /reset'
filter_optional_dynatrace_2:
CommandLine|contains|all:
- 'ICACLS C:\ProgramData\dynatrace\gateway\config\config.properties /grant :r '
- 'S-1-5-19:F'
filter_optional_vscode:
CommandLine|contains:
- '\AppData\Local\Programs\Microsoft VS Code'
- ':\Program Files\Microsoft VS Code'
filter_optional_avira:
CommandLine|contains:
- ':\Program Files (x86)\Avira'
- ':\Program Files\Avira'
condition: 1 of selection_* and not 1 of filter_optional_*
falsepositives:
- Users interacting with the files on their own (unlikely unless privileged users).
- Dynatrace app
level: medium
Convert to SIEM query
medium
Files With System DLL Name In Unsuspected Locations
Detects the creation of a file with the ".dll" extension that has the name of a System DLL in uncommon or unsuspected locations. (Outisde of "System32", "SysWOW64", etc.).
It is highly recommended to perform an initial baseline before using this rule in production.
view Sigma YAML
title: Files With System DLL Name In Unsuspected Locations
id: 13c02350-4177-4e45-ac17-cf7ca628ff5e
status: test
description: |
Detects the creation of a file with the ".dll" extension that has the name of a System DLL in uncommon or unsuspected locations. (Outisde of "System32", "SysWOW64", etc.).
It is highly recommended to perform an initial baseline before using this rule in production.
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-06-24
tags:
- attack.stealth
- attack.t1036.005
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|endswith:
# Note: Add more System DLL that can be abused for DLL sideloading to increase coverage
- '\secur32.dll'
- '\tdh.dll'
filter_main_generic:
# Note: It is recommended to use a more robust filter instead of this generic one, to avoid false negatives.
TargetFilename|contains:
# - '\SystemRoot\System32\'
- 'C:\$WINDOWS.~BT\'
- 'C:\$WinREAgent\'
- 'C:\Windows\SoftwareDistribution\'
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
- 'C:\Windows\WinSxS\'
- 'C:\Windows\uus\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Third party software might bundle specific versions of system DLLs.
# Note: Upgrade to high after an initial baseline to your environement.
level: medium
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_creation_system_dll_files/info.yml
Convert to SIEM query
medium
Files With System Process Name In Unsuspected Locations
Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).
It is highly recommended to perform an initial baseline before using this rule in production.
view Sigma YAML
title: Files With System Process Name In Unsuspected Locations
id: d5866ddf-ce8f-4aea-b28e-d96485a20d3d
status: test
description: |
Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).
It is highly recommended to perform an initial baseline before using this rule in production.
references:
- Internal Research
author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
date: 2020-05-26
modified: 2026-02-04
tags:
- attack.stealth
- attack.t1036.005
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|endswith:
- '\AtBroker.exe'
- '\audiodg.exe'
- '\backgroundTaskHost.exe'
- '\bcdedit.exe'
- '\bitsadmin.exe'
- '\cmdl32.exe'
- '\cmstp.exe'
- '\conhost.exe'
- '\csrss.exe'
- '\dasHost.exe'
- '\dfrgui.exe'
- '\dllhost.exe'
- '\dwm.exe'
- '\eventcreate.exe'
- '\eventvwr.exe'
- '\explorer.exe'
- '\extrac32.exe'
- '\fontdrvhost.exe'
- '\fsquirt.exe' # was seen used by sidewinder APT - https://securelist.com/sidewinder-apt/114089/
- '\ipconfig.exe'
- '\iscsicli.exe'
- '\iscsicpl.exe'
- '\logman.exe'
- '\LogonUI.exe'
- '\LsaIso.exe'
- '\lsass.exe'
- '\lsm.exe'
- '\msiexec.exe'
- '\msinfo32.exe'
- '\mstsc.exe'
- '\nbtstat.exe'
- '\odbcconf.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regini.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\RuntimeBroker.exe'
- '\schtasks.exe'
- '\SearchFilterHost.exe'
- '\SearchIndexer.exe'
- '\SearchProtocolHost.exe'
- '\SecurityHealthService.exe'
- '\SecurityHealthSystray.exe'
- '\services.exe'
- '\ShellAppRuntime.exe'
- '\sihost.exe'
- '\smartscreen.exe'
- '\smss.exe'
- '\spoolsv.exe'
- '\svchost.exe'
- '\SystemSettingsBroker.exe'
- '\taskhost.exe'
- '\taskhostw.exe'
- '\Taskmgr.exe'
- '\TiWorker.exe'
- '\vssadmin.exe'
- '\w32tm.exe'
- '\WerFault.exe'
- '\WerFaultSecure.exe'
- '\wermgr.exe'
- '\wevtutil.exe'
- '\wininit.exe'
- '\winlogon.exe'
- '\winrshost.exe'
- '\WinRTNetMUAHostServer.exe'
- '\wlanext.exe'
- '\wlrmdr.exe'
- '\WmiPrvSE.exe'
- '\wslhost.exe'
- '\WSReset.exe'
- '\WUDFHost.exe'
- '\WWAHost.exe'
filter_main_generic:
# Note: It is recommended to use a more robust filter instead of this generic one, to avoid false negatives.
TargetFilename|contains:
# - '\SystemRoot\System32\'
- 'C:\$WINDOWS.~BT\'
- 'C:\$WinREAgent\'
- 'C:\Windows\SoftwareDistribution\'
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
- 'C:\Windows\WinSxS\'
- 'C:\Windows\uus\'
filter_main_tiworker:
Image|endswith:
- '\TiWorker.exe'
- '\wuaucltcore.exe'
TargetFilename|startswith: 'C:\Windows\Temp\'
filter_main_svchost:
Image|endswith:
- 'C:\Windows\system32\svchost.exe'
- 'C:\Windows\SysWOW64\svchost.exe'
TargetFilename|contains:
- 'C:\Program Files\WindowsApps\'
- 'C:\Program Files (x86)\WindowsApps\'
- '\AppData\Local\Microsoft\WindowsApps\'
filter_main_wuauclt:
Image:
- 'C:\Windows\System32\wuauclt.exe'
- 'C:\Windows\SysWOW64\wuauclt.exe'
- 'C:\Windows\UUS\arm64\wuaucltcore.exe'
filter_main_explorer:
TargetFilename|endswith: 'C:\Windows\explorer.exe'
filter_main_msiexec:
# This filter handles system processes who are updated/installed using misexec.
Image|endswith:
- 'C:\WINDOWS\system32\msiexec.exe'
- 'C:\WINDOWS\SysWOW64\msiexec.exe'
# Add more processes if you find them or simply filter msiexec on its own. If the list grows big
TargetFilename|startswith:
- 'C:\Program Files\PowerShell\7\pwsh.exe'
- 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
- 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview\'
filter_main_healtray:
TargetFilename|contains: 'C:\Windows\System32\SecurityHealth\'
TargetFilename|endswith: '\SecurityHealthSystray.exe'
Image|endswith: '\SecurityHealthSetup.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- System processes copied outside their default folders for testing purposes
- Third party software naming their software with the same names as the processes mentioned here
# Note: Upgrade to high after an initial baseline to your environement.
level: medium
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_creation_system_file/info.yml
Convert to SIEM query
medium
Filter Driver Unloaded Via Fltmc.EXE
Detect filter driver unloading activity via fltmc.exe
view Sigma YAML
title: Filter Driver Unloaded Via Fltmc.EXE
id: 4931188c-178e-4ee7-a348-39e8a7a56821
related:
- id: 4d7cda18-1b12-4e52-b45c-d28653210df8 # Sysmon specific
type: derived
status: test
description: Detect filter driver unloading activity via fltmc.exe
references:
- https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon
- https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-13
modified: 2025-10-07
tags:
- attack.stealth
- attack.defense-impairment
- attack.t1070
- attack.t1685
- attack.t1685.001
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\fltMC.exe'
- OriginalFileName: 'fltMC.exe'
selection_cli:
CommandLine|contains: 'unload'
filter_optional_avira:
ParentImage|contains:
- '\AppData\Local\Temp\'
- ':\Windows\Temp\'
ParentImage|endswith: '\endpoint-protection-installer-x64.tmp'
CommandLine|endswith:
- 'unload rtp_filesystem_filter'
- 'unload rtp_filter'
filter_optional_manageengine:
ParentImage: 'C:\Program Files (x86)\ManageEngine\uems_agent\bin\dcfaservice64.exe'
CommandLine|endswith: 'unload DFMFilter'
condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Findstr Launching .lnk File
Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack
view Sigma YAML
title: Findstr Launching .lnk File
id: 33339be3-148b-4e16-af56-ad16ec6c7e7b
status: test
description: Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack
references:
- https://www.bleepingcomputer.com/news/security/hhsgov-open-redirect-used-by-coronavirus-phishing-to-spread-malware/
author: Trent Liffick
date: 2020-05-01
modified: 2024-01-15
tags:
- attack.stealth
- attack.t1036
- attack.t1202
- attack.t1027.003
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\find.exe'
- '\findstr.exe'
- OriginalFileName:
- 'FIND.EXE'
- 'FINDSTR.EXE'
selection_cli:
CommandLine|endswith:
- '.lnk'
- '.lnk"'
- ".lnk'"
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Firewall Disabled via Netsh.EXE
Detects netsh commands that turns off the Windows firewall
view Sigma YAML
title: Firewall Disabled via Netsh.EXE
id: 57c4bf16-227f-4394-8ec7-1b745ee061c3
status: test
description: Detects netsh commands that turns off the Windows firewall
references:
- https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/
- https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-1---disable-microsoft-defender-firewall
author: Fatih Sirin
date: 2019-11-01
modified: 2023-02-13
tags:
- attack.defense-impairment
- attack.t1686.003
- attack.s0108
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\netsh.exe'
- OriginalFileName: 'netsh.exe'
selection_cli_1:
# Example: netsh firewall set opmode disable
CommandLine|contains|all:
- 'firewall'
- 'set'
- 'opmode'
- 'disable'
selection_cli_2:
# Example: netsh advfirewall set currentprofile state off
CommandLine|contains|all:
- 'advfirewall'
- 'set'
- 'state'
- 'off'
condition: selection_img and 1 of selection_cli_*
falsepositives:
- Legitimate administration activity
level: medium
Convert to SIEM query
medium
Firewall Rule Deleted Via Netsh.EXE
Detects the removal of a port or application rule in the Windows Firewall configuration using netsh
view Sigma YAML
title: Firewall Rule Deleted Via Netsh.EXE
id: 1a5fefe6-734f-452e-a07d-fc1c35bce4b2
status: test
description: Detects the removal of a port or application rule in the Windows Firewall configuration using netsh
references:
- https://app.any.run/tasks/8bbd5b4c-b82d-4e6d-a3ea-d454594a37cc/
author: frack113
date: 2022-08-14
modified: 2025-10-07
tags:
- attack.defense-impairment
- attack.t1686.003
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\netsh.exe'
- OriginalFileName: 'netsh.exe'
selection_cli:
CommandLine|contains|all:
- 'firewall'
- 'delete '
filter_optional_dropbox:
ParentImage|endswith: '\Dropbox.exe'
CommandLine|contains: 'name=Dropbox'
filter_optional_avast:
ParentImage|endswith: '\instup.exe'
CommandLine|contains: 'advfirewall firewall delete rule name="Avast Antivirus Admin Client"'
condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
- Legitimate administration activity
- Software installations and removal
level: medium
Convert to SIEM query
medium
Firewall Rule Update Via Netsh.EXE
Detects execution of netsh with the "advfirewall" and the "set" option in order to set new values for properties of a existing rule
view Sigma YAML
title: Firewall Rule Update Via Netsh.EXE
id: a70dcb37-3bee-453a-99df-d0c683151be6
status: test
description: Detects execution of netsh with the "advfirewall" and the "set" option in order to set new values for properties of a existing rule
references:
- https://ss64.com/nt/netsh.html
author: X__Junior (Nextron Systems)
date: 2023-07-18
tags:
- attack.defense-impairment
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\netsh.exe'
- OriginalFileName: 'netsh.exe'
selection_cli:
CommandLine|contains|all:
# Example 1: netsh advfirewall firewall set rule "group=\"Network Discovery\" " new enable=Yes"
# Example 2: netsh advfirewall firewall set rule "group=\"File and Printer Sharing\" " new enable=Yes"
- ' firewall '
- ' set '
condition: all of selection_*
falsepositives:
- Legitimate administration activity
- Software installations and removal
level: medium
Convert to SIEM query
medium
Flush Iptables Ufw Chain
Detect use of iptables to flush all firewall rules, tables and chains and allow all network traffic
view Sigma YAML
title: Flush Iptables Ufw Chain
id: 3be619f4-d9ec-4ea8-a173-18fdd01996ab
status: test
description: Detect use of iptables to flush all firewall rules, tables and chains and allow all network traffic
references:
- https://blogs.blackberry.com/
- https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html
- https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-01-18
tags:
- attack.defense-impairment
- attack.t1686
logsource:
product: linux
category: process_creation
detection:
selection_img:
Image|endswith:
- '/iptables'
- '/xtables-legacy-multi'
- '/iptables-legacy-multi'
- '/ip6tables'
- '/ip6tables-legacy-multi'
selection_params:
CommandLine|contains:
- '-F'
- '-Z'
- '-X'
selection_ufw:
CommandLine|contains:
- 'ufw-logging-deny'
- 'ufw-logging-allow'
- 'ufw6-logging-deny'
- 'ufw6-logging-allow'
# - 'ufw-reject-output'
# - 'ufw-track-inputt'
condition: all of selection_*
falsepositives:
- Network administrators
level: medium
Convert to SIEM query
medium
Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet
Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration.
An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
view Sigma YAML
title: Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet
id: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98 # Process Creation
related:
- id: 71ff406e-b633-4989-96ec-bc49d825a412 # PowerShell Classic
type: similar
- id: daf7eb81-35fd-410d-9d7a-657837e602bb # PowerShell Module
type: similar
- id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9 # PowerShell Script
type: similar
status: test
description: |
Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration.
An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2021-07-20
modified: 2022-10-09
tags:
- attack.collection
- attack.t1074.001
logsource:
product: windows
category: process_creation
detection:
selection:
CommandLine|contains:
- 'Compress-Archive -Path*-DestinationPath $env:TEMP'
- 'Compress-Archive -Path*-DestinationPath*\AppData\Local\Temp\'
- 'Compress-Archive -Path*-DestinationPath*:\Windows\Temp\'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
Showing 351-400 of 1,492