Home/Detection rules/Palo Alto Cortex XDR
Tool
EDR / XDR

Palo Alto Cortex XDR

763 rules · Sigma detections in Palo Alto Cortex XDR syntax
The same Sigma detection corpus, machine-rendered into Palo Alto Cortex XDR query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 1,524 rules (.zip, 675 KB) Every Palo Alto Cortex XDR query in this view, packaged to deploy.
Severity critical high medium low all severities Export CSV Export .zip
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance4
Resource Development5
Initial Access7
Execution25
Persistence31
Privilege Escalation17
Stealth63
Defense Impairment16
Credential Access26
Discovery24
Lateral Movement10
Collection11
Command and Control18
Exfiltration7
Impact10
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.

Detection rules

50 shown of 763
high Moderate High FP
Suspicious Usage Of ShellExec_RunDLL
Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK tactic-only id d87bd452-6da1-456e-8155-7dc988157b7d
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_command_line contains "ShellExec_RunDLL" and 
 (action_process_image_command_line in ("*\Desktop\*", "*\Temp\*", "*\Users\Public\*", "*comspec*", "*iex*", "*Invoke-*", "*msiexec*", "*odbcconf*", "*regsvr32*"))))
view Sigma YAML 
title: Suspicious Usage Of ShellExec_RunDLL
id: d87bd452-6da1-456e-8155-7dc988157b7d
related:
    - id: 36c5146c-d127-4f85-8e21-01bf62355d5a
      type: obsolete
    - id: 8823e85d-31d8-473e-b7f4-92da070f0fc6
      type: similar
status: test
description: Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack
references:
    - https://redcanary.com/blog/raspberry-robin/
    - https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/
    - https://github.com/SigmaHQ/sigma/issues/1009
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-01
modified: 2022-12-30
tags:
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection_openasrundll:
        CommandLine|contains: 'ShellExec_RunDLL'
    selection_suspcli:
        CommandLine|contains:
            # Note: The ordinal number may differ depending on the DLL version
            - '\Desktop\'
            - '\Temp\'
            - '\Users\Public\'
            - 'comspec'
            - 'iex'
            - 'Invoke-'
            - 'msiexec'
            - 'odbcconf'
            - 'regsvr32'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
Suspicious VBScript UN2452 Pattern
Detects suspicious inline VBScript keywords as used by UNC2452
status test author Florian Roth (Nextron Systems) ATT&CK sub-technique id 20c3f09d-c53d-4e85-8b74-6aa50e2f1b61
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_command_line contains "Execute" and 
 action_process_image_command_line contains "CreateObject" and 
 action_process_image_command_line contains "RegRead" and 
 action_process_image_command_line contains "window.close" and 
 action_process_image_command_line contains "\Microsoft\Windows\CurrentVersion") and 
 (not 
 action_process_image_command_line contains "\Software\Microsoft\Windows\CurrentVersion\Run")))
view Sigma YAML 
title: Suspicious VBScript UN2452 Pattern
id: 20c3f09d-c53d-4e85-8b74-6aa50e2f1b61
status: test
description: Detects suspicious inline VBScript keywords as used by UNC2452
references:
    - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
author: Florian Roth (Nextron Systems)
date: 2021-03-05
modified: 2022-10-09
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'Execute'
            - 'CreateObject'
            - 'RegRead'
            - 'window.close'
            - '\Microsoft\Windows\CurrentVersion'
    filter:
        CommandLine|contains: '\Software\Microsoft\Windows\CurrentVersion\Run'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Strong Medium FP
Suspicious Velociraptor Child Process
Detects the suspicious use of the Velociraptor DFIR tool to execute other tools or download additional payloads, as seen in a campaign where it was abused for remote access and to stage further attacks.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) ATT&CK technique id 4bc90587-e6ca-4b41-be0b-ed4d04e4ed0c
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (actor_process_image_path contains "\Velociraptor.exe" and 
 ((action_process_image_command_line contains "code.exe" and 
 action_process_image_command_line contains "tunnel" and 
 action_process_image_command_line contains "--accept-server-license-terms") or 
 (action_process_image_command_line contains "msiexec" and 
 action_process_image_command_line contains "/i" and 
 action_process_image_command_line contains "http") or 
 ((action_process_image_path in ("*\powershell.exe", "*\powershell_ise.exe", "*\pwsh.exe")) and 
 (action_process_image_command_line in ("*Invoke-WebRequest *", "*IWR *", "*.DownloadFile*", "*.DownloadString*"))))))
view Sigma YAML 
title: Suspicious Velociraptor Child Process
id: 4bc90587-e6ca-4b41-be0b-ed4d04e4ed0c
status: experimental
description: Detects the suspicious use of the Velociraptor DFIR tool to execute other tools or download additional payloads, as seen in a campaign where it was abused for remote access and to stage further attacks.
references:
    - https://news.sophos.com/en-us/2025/08/26/velociraptor-incident-response-tool-abused-for-remote-access/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-08-29
tags:
    - attack.command-and-control
    - attack.persistence
    - attack.t1219
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\Velociraptor.exe'
    selection_child_vscode_tunnel:
        CommandLine|contains|all:
            - 'code.exe'
            - 'tunnel'
            - '--accept-server-license-terms'
    selection_child_msiexec:
        CommandLine|contains|all:
            - 'msiexec'
            - '/i'
            - 'http'
    selection_child_powershell:
        Image|endswith:
            - '\powershell.exe'
            - '\powershell_ise.exe'
            - '\pwsh.exe'
        CommandLine|contains:
            - 'Invoke-WebRequest '
            - 'IWR '
            - '.DownloadFile'
            - '.DownloadString'
    # Add more child process patterns as needed
    condition: selection_parent and 1 of selection_child_*
falsepositives:
    - Legitimate administrators or incident responders might use Velociraptor to execute scripts or tools. However, the combination of Velociraptor spawning these specific processes with these command lines is suspicious. Tuning may be required to exclude known administrative actions or specific scripts.
level: high
Convert to SIEM query
high Strong Medium FP
Suspicious WebDav Client Execution Via Rundll32.EXE
Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397
status test author Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems) ATT&CK sub-technique id 982e9f2d-1a85-4d5b-aea4-31f5e97c6555
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((actor_process_image_path contains "\svchost.exe" and 
 actor_process_command_line contains "-s WebClient" and 
 action_process_image_path contains "\rundll32.exe" and 
 action_process_image_command_line contains "C:\windows\system32\davclnt.dll,DavSetCookie" and 
 action_process_image_command_line ~= "://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}") and 
 (not 
 (action_process_image_command_line in ("*://10.*", "*://192.168.*", "*://172.16.*", "*://172.17.*", "*://172.18.*", "*://172.19.*", "*://172.20.*", "*://172.21.*", "*://172.22.*", "*://172.23.*", "*://172.24.*", "*://172.25.*", "*://172.26.*", "*://172.27.*", "*://172.28.*", "*://172.29.*", "*://172.30.*", "*://172.31.*", "*://127.*", "*://169.254.*")))))
view Sigma YAML 
title: Suspicious WebDav Client Execution Via Rundll32.EXE
id: 982e9f2d-1a85-4d5b-aea4-31f5e97c6555
status: test
description: |
    Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397
references:
    - https://twitter.com/aceresponder/status/1636116096506818562
    - https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/
    - https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/
    - https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2023/03/Figure-7-sample-webdav-process-create-event.png
    - https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/
author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
date: 2023-03-16
modified: 2023-09-18
tags:
    - attack.exfiltration
    - attack.t1048.003
    - cve.2023-23397
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\svchost.exe'
        ParentCommandLine|contains: '-s WebClient'
        Image|endswith: '\rundll32.exe'
        CommandLine|contains: 'C:\windows\system32\davclnt.dll,DavSetCookie'
        CommandLine|re: '://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}'
    filter_local_ips:
        CommandLine|contains:
            - '://10.' # 10.0.0.0/8
            - '://192.168.' # 192.168.0.0/16
            - '://172.16.' # 172.16.0.0/12
            - '://172.17.'
            - '://172.18.'
            - '://172.19.'
            - '://172.20.'
            - '://172.21.'
            - '://172.22.'
            - '://172.23.'
            - '://172.24.'
            - '://172.25.'
            - '://172.26.'
            - '://172.27.'
            - '://172.28.'
            - '://172.29.'
            - '://172.30.'
            - '://172.31.'
            - '://127.' # 127.0.0.0/8
            - '://169.254.' # 169.254.0.0/16
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Strong Medium FP
Suspicious WmiPrvSE Child Process
Detects suspicious and uncommon child processes of WmiPrvSE
status test author Vadim Khrykov (ThreatIntel), Cyb3rEng, Florian Roth (Nextron Systems) ATT&CK sub-technique id 8a582fe2-0882-4b89-a82a-da6b2dc32937
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (actor_process_image_path contains "\wbem\WmiPrvSE.exe" and 
 ((action_process_image_path in ("*\certutil.exe", "*\cscript.exe", "*\mshta.exe", "*\msiexec.exe", "*\regsvr32.exe", "*\rundll32.exe", "*\verclsid.exe", "*\wscript.exe")) or 
 (action_process_image_path contains "\cmd.exe" and 
 (action_process_image_command_line in ("*cscript*", "*mshta*", "*powershell*", "*pwsh*", "*regsvr32*", "*rundll32*", "*wscript*")))) and 
 (not 
 (action_process_image_path contains "\WerFault.exe" or 
 action_process_image_path contains "\WmiPrvSE.exe" or 
 (action_process_image_path contains "\msiexec.exe" and 
 action_process_image_command_line contains "/i ")))))
view Sigma YAML 
title: Suspicious WmiPrvSE Child Process
id: 8a582fe2-0882-4b89-a82a-da6b2dc32937
related:
    - id: 692f0bec-83ba-4d04-af7e-e884a96059b6
      type: similar
    - id: d21374ff-f574-44a7-9998-4a8c8bf33d7d
      type: similar
    - id: 18cf6cf0-39b0-4c22-9593-e244bdc9a2d4
      type: obsolete
status: test
description: Detects suspicious and uncommon child processes of WmiPrvSE
references:
    - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
    - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
    - https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/
    - https://twitter.com/ForensicITGuy/status/1334734244120309760
author: Vadim Khrykov (ThreatIntel), Cyb3rEng, Florian Roth (Nextron Systems)
date: 2021-08-23
modified: 2023-11-10
tags:
    - attack.execution
    - attack.stealth
    - attack.t1047
    - attack.t1204.002
    - attack.t1218.010
logsource:
    product: windows
    category: process_creation
detection:
    selection_parent:
        ParentImage|endswith: '\wbem\WmiPrvSE.exe'
    selection_children_1:
        # TODO: Add more LOLBINs or suspicious processes that make sens in your environment
        Image|endswith:
            - '\certutil.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\msiexec.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\verclsid.exe'
            - '\wscript.exe'
    selection_children_2:
        # This is in a separate selection due to the nature of FP generated with CMD
        Image|endswith: '\cmd.exe'
        CommandLine|contains:
            - 'cscript'
            - 'mshta'
            - 'powershell'
            - 'pwsh'
            - 'regsvr32'
            - 'rundll32'
            - 'wscript'
    filter_main_werfault:
        Image|endswith: '\WerFault.exe'
    filter_main_wmiprvse:
        Image|endswith: '\WmiPrvSE.exe' # In some legitimate case WmiPrvSE was seen spawning itself
    filter_main_msiexec:
        Image|endswith: '\msiexec.exe'
        CommandLine|contains: '/i '
    condition: selection_parent and 1 of selection_children_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Strong Medium FP
Suspicious Word Cab File Write CVE-2021-40444
Detects file creation patterns noticeable during the exploitation of CVE-2021-40444
status test author Florian Roth (Nextron Systems), Sittikorn S ATT&CK technique id 60c0a111-787a-4e8a-9262-ee485f3ef9d5
cortex_xdr query
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (((actor_process_image_path contains "\winword.exe" and 
 action_file_name contains "\Windows\INetCache" and 
 action_file_name contains ".cab") or 
 (actor_process_image_path contains "\winword.exe" and 
 (action_file_name contains "\AppData\Local\Temp\" and 
 action_file_name contains ".inf"))) and 
 (not 
 (action_file_name contains "C:\Users\" and 
 action_file_name contains "AppData\Local\Temp" and 
 action_file_name contains "\Content.inf"))))
view Sigma YAML 
title: Suspicious Word Cab File Write CVE-2021-40444
id: 60c0a111-787a-4e8a-9262-ee485f3ef9d5
status: test
description: Detects file creation patterns noticeable during the exploitation of CVE-2021-40444
references:
    - https://twitter.com/RonnyTNL/status/1436334640617373699?s=20
    - https://twitter.com/vanitasnk/status/1437329511142420483?s=21
author: Florian Roth (Nextron Systems), Sittikorn S
date: 2021-09-10
modified: 2023-06-22
tags:
    - attack.resource-development
    - attack.t1587
    - detection.emerging-threats
logsource:
    product: windows
    category: file_event
detection:
    selection_cab:
        Image|endswith: '\winword.exe'
        TargetFilename|contains: '\Windows\INetCache'
        TargetFilename|endswith: '.cab'
    selection_inf:
        Image|endswith: '\winword.exe'
        TargetFilename|contains|all:
            - '\AppData\Local\Temp\'
            - '.inf'
    filter_main_legit:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains: 'AppData\Local\Temp'
        TargetFilename|endswith: '\Content.inf'
    condition: 1 of selection_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Strong Medium FP
Syslog Clearing or Removal Via System Utilities
Detects specific commands commonly used to remove or empty the syslog. Which is a technique often used by attacker as a method to hide their tracks
status test author Max Altgelt (Nextron Systems), Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC ATT&CK sub-technique id 3fcc9b35-39e4-44c0-a2ad-9e82b6902b31
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_LINUX and 
 ((action_process_image_command_line contains "/var/log/syslog" and 
 ((action_process_image_path contains "/rm" and 
 (action_process_image_command_line in ("* -r *", "* -f *", "* -rf *", "*/var/log/syslog*"))) or 
 action_process_image_path contains "/unlink" or 
 action_process_image_path contains "/mv" or 
 (action_process_image_path contains "/truncate" and 
 (action_process_image_command_line contains "0 " and 
 action_process_image_command_line contains "/var/log/syslog") and 
 (action_process_image_command_line in ("*-s *", "*-c *", "*--size*"))) or 
 (action_process_image_path contains "/ln" and 
 (action_process_image_command_line contains "/dev/null " and 
 action_process_image_command_line contains "/var/log/syslog") and 
 (action_process_image_command_line in ("*-sf *", "*-sfn *", "*-sfT *"))) or 
 (action_process_image_path contains "/cp" and 
 action_process_image_command_line contains "/dev/null") or 
 (action_process_image_path contains "/shred" and 
 action_process_image_command_line contains "-u "))) or 
 ((action_process_image_command_line in ("* > /var/log/syslog*", "* >/var/log/syslog*", "* >| /var/log/syslog*", "*: > /var/log/syslog*", "*:> /var/log/syslog*", "*:>/var/log/syslog*", "*>|/var/log/syslog*")) or 
 (action_process_image_command_line in ("*journalctl --vacuum*", "*journalctl --rotate*")))))
view Sigma YAML 
title: Syslog Clearing or Removal Via System Utilities
id: 3fcc9b35-39e4-44c0-a2ad-9e82b6902b31
status: test
description: |
    Detects specific commands commonly used to remove or empty the syslog. Which is a technique often used by attacker as a method to hide their tracks
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md
    - https://www.virustotal.com/gui/file/54d60fd58d7fa3475fa123985bfc1594df26da25c1f5fbc7dfdba15876dd8ac5/behavior
author: Max Altgelt (Nextron Systems), Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021-10-15
modified: 2025-10-15
tags:
    - attack.defense-impairment
    - attack.t1685.006
logsource:
    product: linux
    category: process_creation
detection:
    selection_file:
        CommandLine|contains: '/var/log/syslog'
    selection_command_rm:
        # Examples:
        #   rm -f /var/log/syslog
        Image|endswith: '/rm'
        CommandLine|contains:
            - ' -r '
            - ' -f '
            - ' -rf '
            - '/var/log/syslog' # We use this to avoid re-writing a separate selection
    selection_command_unlink:
        # Examples:
        #   unlink /var/log/syslog
        Image|endswith: '/unlink'
    selection_command_mv:
        # Examples:
        #   mv /var/log/syslog
        Image|endswith: '/mv'
    selection_command_truncate:
        # Examples:
        #   truncate --size 0 /var/log/syslog
        Image|endswith: '/truncate'
        CommandLine|contains|all:
            - '0 '
            - '/var/log/syslog' # We use this to avoid re-writing a separate selection
        CommandLine|contains:
            - '-s '
            - '-c '
            - '--size'
    selection_command_ln:
        # Examples:
        #   ln -sfn /dev/null /var/log/syslog
        Image|endswith: '/ln'
        CommandLine|contains|all:
            - '/dev/null '
            - '/var/log/syslog' # We use this to avoid re-writing a separate selection
        CommandLine|contains:
            - '-sf '
            - '-sfn '
            - '-sfT '
    selection_command_cp:
        # Examples:
        #   cp /dev/null /var/log/syslog
        Image|endswith: '/cp'
        CommandLine|contains: '/dev/null'
    selection_command_shred:
        # Examples:
        #   shred -u /var/log/syslog
        Image|endswith: '/shred'
        CommandLine|contains: '-u '
    selection_unique_other:
        CommandLine|contains:
            - ' > /var/log/syslog'
            - ' >/var/log/syslog'
            - ' >| /var/log/syslog'  # redirection empties w spacing, noclobber
            - ': > /var/log/syslog'
            - ':> /var/log/syslog'
            - ':>/var/log/syslog'
            - '>|/var/log/syslog'
    selection_unique_journalctl:
        CommandLine|contains:
            - 'journalctl --vacuum'
            - 'journalctl --rotate' # archives current journal files and creates new empty ones
    condition: (selection_file and 1 of selection_command_*) or 1 of selection_unique_*
falsepositives:
    - Log rotation.
    - Maintenance.
level: high
Convert to SIEM query
high Strong Medium FP
Sysmon Driver Altitude Change
Detects changes in Sysmon driver altitude value. If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.
status test author B.Talebi ATT&CK technique id 4916a35e-bfc4-47d0-8e25-a003d7067061
cortex_xdr query
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_registry_key_name contains "\Services\" and 
 action_registry_key_name contains "\Instances\Sysmon Instance\Altitude"))
view Sigma YAML 
title: Sysmon Driver Altitude Change
id: 4916a35e-bfc4-47d0-8e25-a003d7067061
status: test
description: |
    Detects changes in Sysmon driver altitude value.
    If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.
references:
    - https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5be57650
    - https://youtu.be/zSihR3lTf7g
author: B.Talebi
date: 2022-07-28
modified: 2024-03-25
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\Services\'
        TargetObject|endswith: '\Instances\Sysmon Instance\Altitude'
    condition: selection
falsepositives:
    - Legitimate driver altitude change to hide sysmon
level: high
Convert to SIEM query
high Strong High FP
System Control Panel Item Loaded From Uncommon Location
Detects image load events of system control panel items (.cpl) from uncommon or non-system locations that may indicate DLL sideloading or other abuse techniques.
status test author Anish Bogati ATT&CK sub-technique id 2b140a5c-dc02-4bb8-b6b1-8bdb45714cde
cortex_xdr query
config case_sensitive = false | preset=xdr_image_load | filter event_type = ENUM.LOAD_IMAGE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_module_path in ("*\appwiz.cpl", "*\bthprops.cpl", "*\hdwwiz.cpl")) and 
 (not 
 (action_module_path in ("C:\Windows\Prefetch\*", "C:\Windows\System32\*", "C:\Windows\SysWOW64\*", "C:\Windows\WinSxS\*")))))
view Sigma YAML 
title: System Control Panel Item Loaded From Uncommon Location
id: 2b140a5c-dc02-4bb8-b6b1-8bdb45714cde
status: test
description: |
    Detects image load events of system control panel items (.cpl) from uncommon or non-system locations that may indicate DLL sideloading or other abuse techniques.
references:
    - https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/
    - https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/
    - https://github.com/mhaskar/FsquirtCPLPoC
    - https://securelist.com/sidewinder-apt/114089/
author: Anish Bogati
date: 2024-01-09
modified: 2026-02-17
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded|endswith:
            - '\appwiz.cpl' # Usually loaded by fondue.exe
            - '\bthprops.cpl' # Usually loaded by fsquirt.exe
            - '\hdwwiz.cpl' # Usually loaded by hdwwiz.exe
    filter_main_legit_location:
        ImageLoaded|startswith:
            - 'C:\Windows\Prefetch\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location/info.yml
Convert to SIEM query
high Strong Medium FP
System File Execution Location Anomaly
Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location.
status test author Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems) ATT&CK technique id e4a6b256-3e47-40fc-89d2-7a477edd6915
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_path in ("*\atbroker.exe", "*\audiodg.exe", "*\bcdedit.exe", "*\bitsadmin.exe", "*\certreq.exe", "*\certutil.exe", "*\cmstp.exe", "*\conhost.exe", "*\consent.exe", "*\cscript.exe", "*\csrss.exe", "*\dashost.exe", "*\defrag.exe", "*\dfrgui.exe", "*\dism.exe", "*\dllhost.exe", "*\dllhst3g.exe", "*\dwm.exe", "*\eventvwr.exe", "*\fsquirt.exe", "*\finger.exe", "*\logonui.exe", "*\LsaIso.exe", "*\lsass.exe", "*\lsm.exe", "*\msiexec.exe", "*\ntoskrnl.exe", "*\powershell_ise.exe", "*\powershell.exe", "*\pwsh.exe", "*\regsvr32.exe", "*\rundll32.exe", "*\runonce.exe", "*\RuntimeBroker.exe", "*\schtasks.exe", "*\services.exe", "*\sihost.exe", "*\smartscreen.exe", "*\smss.exe", "*\spoolsv.exe", "*\svchost.exe", "*\taskhost.exe", "*\taskhostw.exe", "*\Taskmgr.exe", "*\userinit.exe", "*\werfault.exe", "*\werfaultsecure.exe", "*\wininit.exe", "*\winlogon.exe", "*\winver.exe", "*\wlanext.exe", "*\wscript.exe", "*\wsl.exe", "*\wsmprovhost.exe")) and 
 (not 
 ((action_process_image_path in ("C:\$WINDOWS.~BT\*", "C:\$WinREAgent\*", "C:\Windows\SoftwareDistribution\*", "C:\Windows\System32\*", "C:\Windows\SystemTemp\*", "C:\Windows\SysWOW64\*", "C:\Windows\uus\*", "C:\Windows\WinSxS\*")) or 
 ((action_process_image_path in ("*C:\Program Files\PowerShell\7\*", "*C:\Program Files\PowerShell\7-preview\*", "*C:\Program Files\WindowsApps\Microsoft.PowerShellPreview*", "*\AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview*")) and 
 action_process_image_path contains "\pwsh.exe") or 
 ((action_process_image_path in ("C:\Program Files\WindowsApps\MicrosoftCorporationII.WindowsSubsystemForLinux*", "C:\Program Files\WSL\*")) and 
 action_process_image_path contains "\wsl.exe") or 
 (action_process_image_path contains "C:\Users\'" and 
 action_process_image_path contains "\AppData\Local\Microsoft\WindowsApps\" and 
 action_process_image_path contains "\wsl.exe"))) and 
 (not 
 action_process_image_path contains "\SystemRoot\System32\")))
view Sigma YAML 
title: System File Execution Location Anomaly
id: e4a6b256-3e47-40fc-89d2-7a477edd6915
related:
    - id: be58d2e2-06c8-4f58-b666-b99f6dc3b6cd # Dedicated SvcHost rule
      type: derived
status: test
description: |
    Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location.
references:
    - https://twitter.com/GelosSnake/status/934900723426439170
    - https://asec.ahnlab.com/en/39828/
    - https://www.splunk.com/en_us/blog/security/inno-setup-malware-redline-stealer-campaign.html
author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2017-11-27
modified: 2026-02-12
tags:
    - attack.stealth
    - attack.t1036
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\atbroker.exe'
            - '\audiodg.exe'
            - '\bcdedit.exe'
            - '\bitsadmin.exe'
            - '\certreq.exe'
            - '\certutil.exe'
            - '\cmstp.exe'
            - '\conhost.exe'
            - '\consent.exe'
            - '\cscript.exe'
            - '\csrss.exe'
            - '\dashost.exe'
            - '\defrag.exe'
            - '\dfrgui.exe' # Was seen used by Lazarus Group - https://asec.ahnlab.com/en/39828/
            - '\dism.exe'
            - '\dllhost.exe'
            - '\dllhst3g.exe'
            - '\dwm.exe'
            - '\eventvwr.exe'
            - '\fsquirt.exe' # was seen used by sidewinder APT - https://securelist.com/sidewinder-apt/114089/
            - '\finger.exe'
            - '\logonui.exe'
            - '\LsaIso.exe'
            - '\lsass.exe'
            - '\lsm.exe'
            - '\msiexec.exe'
            - '\ntoskrnl.exe'
            - '\powershell_ise.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\runonce.exe'
            - '\RuntimeBroker.exe'
            - '\schtasks.exe'
            - '\services.exe'
            - '\sihost.exe'
            - '\smartscreen.exe'
            - '\smss.exe'
            - '\spoolsv.exe'
            - '\svchost.exe'
            - '\taskhost.exe'
            - '\taskhostw.exe'
            - '\Taskmgr.exe'
            - '\userinit.exe'
            - '\werfault.exe'
            - '\werfaultsecure.exe'
            - '\wininit.exe'
            - '\winlogon.exe'
            - '\winver.exe'
            - '\wlanext.exe'
            - '\wscript.exe'
            - '\wsl.exe'
            - '\wsmprovhost.exe' # Was seen used by Lazarus Group - https://asec.ahnlab.com/en/39828/
    filter_main_generic:
        Image|startswith:
            - 'C:\$WINDOWS.~BT\'
            - 'C:\$WinREAgent\'
            - 'C:\Windows\SoftwareDistribution\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SystemTemp\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\uus\'
            - 'C:\Windows\WinSxS\'
    filter_optional_system32:
        Image|contains: '\SystemRoot\System32\'
    filter_main_powershell:
        Image|contains:
            - 'C:\Program Files\PowerShell\7\'
            - 'C:\Program Files\PowerShell\7-preview\'
            - 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview'
            - '\AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview' # pwsh installed from Microsoft Store
        Image|endswith: '\pwsh.exe'
    filter_main_wsl_programfiles:
        Image|startswith:
            - 'C:\Program Files\WindowsApps\MicrosoftCorporationII.WindowsSubsystemForLinux'
            - 'C:\Program Files\WSL\'
        Image|endswith: '\wsl.exe'
    filter_main_wsl_appdata:
        Image|startswith: C:\Users\'
        Image|contains: '\AppData\Local\Microsoft\WindowsApps\'
        Image|endswith: '\wsl.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly/info.yml
Convert to SIEM query
high Moderate Medium FP
TAIDOOR RAT DLL Load
Detects specific process characteristics of Chinese TAIDOOR RAT malware load
status test author Florian Roth (Nextron Systems) ATT&CK sub-technique id d1aa3382-abab-446f-96ea-4de52908210b
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_command_line in ("*dll,MyStart*", "*dll MyStart*")) or 
 (action_process_image_command_line contains " MyStart" and 
 action_process_image_command_line contains "rundll32.exe")))
view Sigma YAML 
title: TAIDOOR RAT DLL Load
id: d1aa3382-abab-446f-96ea-4de52908210b
status: test
description: Detects specific process characteristics of Chinese TAIDOOR RAT malware load
references:
    - https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a
author: Florian Roth (Nextron Systems)
date: 2020-07-30
modified: 2021-11-27
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1055.001
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        CommandLine|contains:
            - 'dll,MyStart'
            - 'dll MyStart'
    selection2a:
        CommandLine|endswith: ' MyStart'
    selection2b:
        CommandLine|contains: 'rundll32.exe'
    condition: selection1 or ( selection2a and selection2b )
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Strong High FP
Tamper Windows Defender Remove-MpPreference
Detects attempts to remove Windows Defender configurations using the 'MpPreference' cmdlet
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK technique id 07e3cb2c-0608-410d-be4b-1511cb1a0448
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_command_line contains "Remove-MpPreference" and 
 (action_process_image_command_line in ("*-ControlledFolderAccessProtectedFolders *", "*-AttackSurfaceReductionRules_Ids *", "*-AttackSurfaceReductionRules_Actions *", "*-CheckForSignaturesBeforeRunningScan *"))))
view Sigma YAML 
title: Tamper Windows Defender Remove-MpPreference
id: 07e3cb2c-0608-410d-be4b-1511cb1a0448
related:
    - id: ae2bdd58-0681-48ac-be7f-58ab4e593458
      type: similar
status: test
description: Detects attempts to remove Windows Defender configurations using the 'MpPreference' cmdlet
references:
    - https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-05
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    category: process_creation
detection:
    selection_remove:
        CommandLine|contains: 'Remove-MpPreference'
    selection_tamper:
        CommandLine|contains:
            - '-ControlledFolderAccessProtectedFolders '
            - '-AttackSurfaceReductionRules_Ids '
            - '-AttackSurfaceReductionRules_Actions '
            - '-CheckForSignaturesBeforeRunningScan '
    condition: all of selection_*
falsepositives:
    - Legitimate PowerShell scripts
level: high
Convert to SIEM query
high Strong Medium FP
Tamper With Sophos AV Registry Keys
Detects tamper attempts to sophos av functionality via registry key modification
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK technique id 9f4662ac-17ca-43aa-8f12-5d7b989d0101
cortex_xdr query
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_registry_key_name in ("*\Sophos Endpoint Defense\TamperProtection\Config\SAVEnabled*", "*\Sophos Endpoint Defense\TamperProtection\Config\SEDEnabled*", "*\Sophos\SAVService\TamperProtection\Enabled*")) and 
 (action_registry_value_name = "DWORD (0x00000000)" or 
 action_registry_data = "DWORD (0x00000000)")))
view Sigma YAML 
title: Tamper With Sophos AV Registry Keys
id: 9f4662ac-17ca-43aa-8f12-5d7b989d0101
status: test
description: Detects tamper attempts to sophos av functionality via registry key modification
references:
    - https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-02
modified: 2023-08-17
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\Sophos Endpoint Defense\TamperProtection\Config\SAVEnabled'
            - '\Sophos Endpoint Defense\TamperProtection\Config\SEDEnabled'
            - '\Sophos\SAVService\TamperProtection\Enabled'
        Details: DWORD (0x00000000)
    condition: selection
falsepositives:
    - Some FP may occur when the feature is disabled by the AV itself, you should always investigate if the action was legitimate
level: high
Convert to SIEM query
high Moderate High FP
Taskkill Symantec Endpoint Protection
Detects one of the possible scenarios for disabling Symantec Endpoint Protection. Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism. As a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.
status test author Ilya Krestinichev, Florian Roth (Nextron Systems) ATT&CK technique id 4a6713f6-3331-11ed-a261-0242ac120002
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_command_line contains "taskkill" and 
 action_process_image_command_line contains " /F " and 
 action_process_image_command_line contains " /IM " and 
 action_process_image_command_line contains "ccSvcHst.exe"))
view Sigma YAML 
title: Taskkill Symantec Endpoint Protection
id: 4a6713f6-3331-11ed-a261-0242ac120002
status: test
description: |
    Detects one of the possible scenarios for disabling Symantec Endpoint Protection.
    Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism.
    As a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.
references:
    - https://www.exploit-db.com/exploits/37525
    - https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection
    - https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer
author: Ilya Krestinichev, Florian Roth (Nextron Systems)
date: 2022-09-13
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'taskkill'
            - ' /F '
            - ' /IM '
            - 'ccSvcHst.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
Taskmgr as LOCAL_SYSTEM
Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM
status test author Florian Roth (Nextron Systems) ATT&CK technique id 9fff585c-c33e-4a86-b3cd-39312079a65f
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_username in ("*AUTHORI*", "*AUTORI*")) and 
 action_process_image_path contains "\taskmgr.exe"))
view Sigma YAML 
title: Taskmgr as LOCAL_SYSTEM
id: 9fff585c-c33e-4a86-b3cd-39312079a65f
status: test
description: Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM
references:
    - Internal Research
author: Florian Roth (Nextron Systems)
date: 2018-03-18
modified: 2022-05-27
tags:
    - attack.stealth
    - attack.t1036
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
        Image|endswith: '\taskmgr.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
Tasks Folder Evasion
The Tasks folder in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr
status test author Sreeman ATT&CK sub-technique id cc4e02ba-9c06-48e2-b09e-2500cace9ae0
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_command_line in ("*echo *", "*copy *", "*type *", "*file createnew*")) and 
 (action_process_image_command_line in ("* C:\Windows\System32\Tasks\*", "* C:\Windows\SysWow64\Tasks\*"))))
view Sigma YAML 
title: Tasks Folder Evasion
id: cc4e02ba-9c06-48e2-b09e-2500cace9ae0
status: test
description: |
    The Tasks folder in system32 and syswow64 are globally writable paths.
    Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application
    in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr
references:
    - https://twitter.com/subTee/status/1216465628946563073
    - https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26
author: Sreeman
date: 2020-01-13
modified: 2022-12-25
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    product: windows
    category: process_creation
detection:
    selection1:
        CommandLine|contains:
            - 'echo '
            - 'copy '
            - 'type '
            - 'file createnew'
    selection2:
        CommandLine|contains:
            - ' C:\Windows\System32\Tasks\'
            - ' C:\Windows\SysWow64\Tasks\'
    condition: all of selection*
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
TeamPCP LiteLLM Supply Chain Attack Persistence Indicators
Detects the creation of specific persistence files as observed in the LiteLLM PyPI supply chain attack. In March 2026, a supply chain attack was discovered involving the popular open-source LLM framework LiteLLM by Threat Actor TeamPCP. The malicious package harvests every credential on the system, encrypts and exfiltrates them, and installs a persistent C2 backdoor.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) ATT&CK sub-technique id 81c0b7f5-81c9-435e-a291-bc32fc2b72cd
cortex_xdr query
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_LINUX and 
 (actor_process_image_path contains "/python3" and 
 (action_file_name in ("*/.config/sysmon/sysmon.py", "*/.config/systemd/user/sysmon.service"))))
view Sigma YAML 
title: TeamPCP LiteLLM Supply Chain Attack Persistence Indicators
id: 81c0b7f5-81c9-435e-a291-bc32fc2b72cd
status: experimental
description: |
    Detects the creation of specific persistence files as observed in the LiteLLM PyPI supply chain attack.
    In March 2026, a supply chain attack was discovered involving the popular open-source LLM framework LiteLLM by Threat Actor TeamPCP.
    The malicious package harvests every credential on the system, encrypts and exfiltrates them, and installs a persistent C2 backdoor.
references:
    - https://novasky.io/hunts/hunting-litellm-supply-chain
    - https://www.virustotal.com/gui/file/71e35aef03099cd1f2d6446734273025a163597de93912df321ef118bf135238/
    - https://huskyhacks.io/posts/litellm-cred-stealer/
    - https://www.wiz.io/blog/threes-a-crowd-teampcp-trojanizes-litellm-in-continuation-of-campaign
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-03-30
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1543.002
    - attack.initial-access
    - attack.t1195.002
    - detection.emerging-threats
logsource:
    category: file_event
    product: linux
detection:
    selection:
        Image|contains: '/python3'
        TargetFilename|endswith:
            - '/.config/sysmon/sysmon.py'
            - '/.config/systemd/user/sysmon.service'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Strong High FP
Time Travel Debugging Utility Usage
Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
status test author Ensar Şamil, @sblmsrsn, @oscd_initiative ATT&CK sub-technique id 0b4ae027-2a2d-4b93-8c7e-962caaba5b2a
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 actor_process_image_path contains "\tttracer.exe")
view Sigma YAML 
title: Time Travel Debugging Utility Usage
id: 0b4ae027-2a2d-4b93-8c7e-962caaba5b2a
related:
    - id: e76c8240-d68f-4773-8880-5c6f63595aaf
      type: derived
status: test
description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Tttracer/
    - https://twitter.com/mattifestation/status/1196390321783025666
    - https://twitter.com/oulusoyum/status/1191329746069655553
author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative'
date: 2020-10-06
modified: 2022-10-09
tags:
    - attack.credential-access
    - attack.stealth
    - attack.t1218
    - attack.t1003.001
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith: '\tttracer.exe'
    condition: selection
falsepositives:
    - Legitimate usage by software developers/testers
level: high
Convert to SIEM query
high Strong High FP
Time Travel Debugging Utility Usage - Image
Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
status test author Ensar Şamil, @sblmsrsn, @oscd_initiative ATT&CK sub-technique id e76c8240-d68f-4773-8880-5c6f63595aaf
cortex_xdr query
config case_sensitive = false | preset=xdr_image_load | filter event_type = ENUM.LOAD_IMAGE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_module_path in ("*\ttdrecord.dll", "*\ttdwriter.dll", "*\ttdloader.dll")))
view Sigma YAML 
title: Time Travel Debugging Utility Usage - Image
id: e76c8240-d68f-4773-8880-5c6f63595aaf
status: test
description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Tttracer/
    - https://twitter.com/mattifestation/status/1196390321783025666
    - https://twitter.com/oulusoyum/status/1191329746069655553
author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative'
date: 2020-10-06
modified: 2022-12-02
tags:
    - attack.credential-access
    - attack.stealth
    - attack.t1218
    - attack.t1003.001
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded|endswith:
            - '\ttdrecord.dll'
            - '\ttdwriter.dll'
            - '\ttdloader.dll'
    condition: selection
falsepositives:
    - Legitimate usage by software developers/testers
level: high
Convert to SIEM query
high Moderate High FP
Trickbot Malware Activity
Detects Trickbot malware process tree pattern in which "rundll32.exe" is a parent of "wermgr.exe"
status stable author Florian Roth (Nextron Systems) ATT&CK technique id 58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_path contains "\wermgr.exe" and 
 actor_process_image_path contains "\rundll32.exe" and 
 actor_process_command_line contains "DllRegisterServer"))
view Sigma YAML 
title: Trickbot Malware Activity
id: 58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27
related:
    - id: c37510b8-2107-4b78-aa32-72f251e7a844
      type: similar
status: stable
description: Detects Trickbot malware process tree pattern in which "rundll32.exe" is a parent of "wermgr.exe"
references:
    - https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20
    - https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/
author: Florian Roth (Nextron Systems)
date: 2020-11-26
modified: 2021-11-27
tags:
    - attack.execution
    - attack.t1559
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\wermgr.exe'
        ParentImage|endswith: '\rundll32.exe'
        ParentCommandLine|contains: 'DllRegisterServer'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
Triple Cross eBPF Rootkit Default LockFile
Detects the creation of the file "rootlog" which is used by the TripleCross rootkit as a way to check if the backdoor is already running.
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK tactic-only id c0239255-822c-4630-b7f1-35362bcb8f44
cortex_xdr query
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_LINUX and 
 action_file_name = "/tmp/rootlog")
view Sigma YAML 
title: Triple Cross eBPF Rootkit Default LockFile
id: c0239255-822c-4630-b7f1-35362bcb8f44
status: test
description: Detects the creation of the file "rootlog" which is used by the TripleCross rootkit as a way to check if the backdoor is already running.
references:
    - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L33
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-05
modified: 2022-12-31
tags:
    - attack.stealth
logsource:
    product: linux
    category: file_event
detection:
    selection:
        TargetFilename: '/tmp/rootlog'
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate High FP
Triple Cross eBPF Rootkit Default Persistence
Detects the creation of "ebpfbackdoor" files in both "cron.d" and "sudoers.d" directories. Which both are related to the TripleCross persistence method
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK sub-technique id 1a2ea919-d11d-4d1e-8535-06cda13be20f
cortex_xdr query
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_LINUX and 
 action_file_name contains "ebpfbackdoor")
view Sigma YAML 
title: Triple Cross eBPF Rootkit Default Persistence
id: 1a2ea919-d11d-4d1e-8535-06cda13be20f
status: test
description: Detects the creation of "ebpfbackdoor" files in both "cron.d" and "sudoers.d" directories. Which both are related to the TripleCross persistence method
references:
    - https://github.com/h3xduck/TripleCross/blob/12629558b8b0a27a5488a0b98f1ea7042e76f8ab/apps/deployer.sh
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-05
modified: 2022-12-31
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1053.003
logsource:
    product: linux
    category: file_event
detection:
    selection:
        TargetFilename|endswith: 'ebpfbackdoor'
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate Medium FP
Triple Cross eBPF Rootkit Execve Hijack
Detects execution of a the file "execve_hijack" which is used by the Triple Cross rootkit as a way to elevate privileges
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK tactic-only id 0326c3c8-7803-4a0f-8c5c-368f747f7c3e
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_LINUX and 
 (action_process_image_path contains "/sudo" and 
 action_process_image_command_line contains "execve_hijack"))
view Sigma YAML 
title: Triple Cross eBPF Rootkit Execve Hijack
id: 0326c3c8-7803-4a0f-8c5c-368f747f7c3e
status: test
description: Detects execution of a the file "execve_hijack" which is used by the Triple Cross rootkit as a way to elevate privileges
references:
    - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L275
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-05
tags:
    - attack.privilege-escalation
    - attack.stealth
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/sudo'
        CommandLine|contains: 'execve_hijack'
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate High FP
Triple Cross eBPF Rootkit Install Commands
Detects default install commands of the Triple Cross eBPF rootkit based on the "deployer.sh" script
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK technique id 22236d75-d5a0-4287-bf06-c93b1770860f
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_LINUX and 
 (action_process_image_path contains "/sudo" and 
 (action_process_image_command_line contains " tc " and 
 action_process_image_command_line contains " enp0s3 ") and 
 (action_process_image_command_line in ("* qdisc *", "* filter *"))))
view Sigma YAML 
title: Triple Cross eBPF Rootkit Install Commands
id: 22236d75-d5a0-4287-bf06-c93b1770860f
status: test
description: Detects default install commands of the Triple Cross eBPF rootkit based on the "deployer.sh" script
references:
    - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-05
tags:
    - attack.stealth
    - attack.t1014
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/sudo'
        CommandLine|contains|all:
            - ' tc '
            - ' enp0s3 '
        CommandLine|contains:
            - ' qdisc '
            - ' filter '
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate High FP
TropicTrooper Campaign November 2018
Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia
status stable author @41thexplorer, Microsoft Defender ATP ATT&CK sub-technique id 8c7090c3-e0a0-4944-bd08-08c3a0cecf79
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 action_process_image_command_line contains "abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc")
view Sigma YAML 
title: TropicTrooper Campaign November 2018
id: 8c7090c3-e0a0-4944-bd08-08c3a0cecf79
status: stable
description: Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia
references:
    - https://www.microsoft.com/en-us/security/blog/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/
author: '@41thexplorer, Microsoft Defender ATP'
date: 2019-11-12
modified: 2020-08-27
tags:
    - attack.execution
    - attack.t1059.001
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: 'abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc'
    condition: selection
level: high
Convert to SIEM query
high Moderate Medium FP
Trust Access Disable For VBApplications
Detects registry changes to Microsoft Office "AccessVBOM" to a value of "1" which disables trust access for VBA on the victim machine and lets attackers execute malicious macros without any Microsoft Office warnings.
status test author Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems) ATT&CK technique id 1a5c46e9-f32f-42f7-b2bc-6e9084db7fbf
cortex_xdr query
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_registry_key_name contains "\Security\AccessVBOM" and 
 (action_registry_value_name = "DWORD (0x00000001)" or 
 action_registry_data = "DWORD (0x00000001)")))
view Sigma YAML 
title: Trust Access Disable For VBApplications
id: 1a5c46e9-f32f-42f7-b2bc-6e9084db7fbf
related:
    - id: 9b894e57-033f-46cf-b7fa-a52804181973
      type: obsolete
status: test
description: Detects registry changes to Microsoft Office "AccessVBOM" to a value of "1" which disables trust access for VBA on the victim machine and lets attackers execute malicious macros without any Microsoft Office warnings.
references:
    - https://twitter.com/inversecos/status/1494174785621819397
    - https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/
    - https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/
author: Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems)
date: 2020-05-22
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Security\AccessVBOM'
        Details: 'DWORD (0x00000001)'
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate High FP
Trusted Path Bypass via Windows Directory Spoofing
Detects DLLs loading from a spoofed Windows directory path with an extra space (e.g "C:\Windows \System32") which can bypass Windows trusted path verification. This technique tricks Windows into treating the path as trusted, allowing malicious DLLs to load with high integrity privileges bypassing UAC.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) ATT&CK sub-technique id 0cbe38c0-270c-41d9-ab79-6e5a9a669290
cortex_xdr query
config case_sensitive = false | preset=xdr_image_load | filter event_type = ENUM.LOAD_IMAGE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_module_path in ("*:\Windows \System32\*", "*:\Windows \SysWOW64\*")))
view Sigma YAML 
title: Trusted Path Bypass via Windows Directory Spoofing
id: 0cbe38c0-270c-41d9-ab79-6e5a9a669290
related:
    - id: 4ac47ed3-44c2-4b1f-9d51-bf46e8914126
      type: similar
status: experimental
description: |
    Detects DLLs loading from a spoofed Windows directory path with an extra space (e.g "C:\Windows \System32") which can bypass Windows trusted path verification.
    This technique tricks Windows into treating the path as trusted, allowing malicious DLLs to load with high integrity privileges bypassing UAC.
references:
    - https://x.com/Wietze/status/1933495426952421843
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-06-17
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.007
    - attack.t1548.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|contains:
            - ':\Windows \System32\'  # Note the space between "Windows" and "System32"
            - ':\Windows \SysWOW64\'  # Note the space between "Windows" and "SysWOW64"
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate Medium FP
UAC Bypass Abusing Winsat Path Parsing - File
Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
status test author Christian Burkard (Nextron Systems) ATT&CK sub-technique id 155dbf56-e0a4-4dd0-8905-8a98705045e8
cortex_xdr query
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_file_name contains "C:\Users\" and 
 (action_file_name in ("*\AppData\Local\Temp\system32\winsat.exe", "*\AppData\Local\Temp\system32\winmm.dll"))))
view Sigma YAML 
title: UAC Bypass Abusing Winsat Path Parsing - File
id: 155dbf56-e0a4-4dd0-8905-8a98705045e8
status: test
description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2022-10-09
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|endswith:
            - '\AppData\Local\Temp\system32\winsat.exe'
            - '\AppData\Local\Temp\system32\winmm.dll'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
UAC Bypass Abusing Winsat Path Parsing - Process
Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
status test author Christian Burkard (Nextron Systems) ATT&CK sub-technique id 7a01183d-71a2-46ad-ad5c-acd989ac1793
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_integrity_level in ("High", "System", "S-1-16-16384", "S-1-16-12288")) and 
 actor_process_image_path contains "\AppData\Local\Temp\system32\winsat.exe" and 
 actor_process_command_line contains "C:\Windows \system32\winsat.exe"))
view Sigma YAML 
title: UAC Bypass Abusing Winsat Path Parsing - Process
id: 7a01183d-71a2-46ad-ad5c-acd989ac1793
status: test
description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2024-12-01
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        IntegrityLevel:
            - 'High'
            - 'System'
            - 'S-1-16-16384' # System
            - 'S-1-16-12288' # High
        ParentImage|endswith: '\AppData\Local\Temp\system32\winsat.exe'
        ParentCommandLine|contains: 'C:\Windows \system32\winsat.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
UAC Bypass Abusing Winsat Path Parsing - Registry
Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
status test author Christian Burkard (Nextron Systems) ATT&CK sub-technique id 6597be7b-ac61-4ac8-bef4-d3ec88174853
cortex_xdr query
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_registry_key_name contains "\Root\InventoryApplicationFile\winsat.exe|" and 
 action_registry_key_name contains "\LowerCaseLongPath" and 
 (action_registry_value_name contains "c:\users\" or 
 action_registry_data contains "c:\users\") and 
 (action_registry_value_name contains "\appdata\local\temp\system32\winsat.exe" or 
 action_registry_data contains "\appdata\local\temp\system32\winsat.exe")))
view Sigma YAML 
title: UAC Bypass Abusing Winsat Path Parsing - Registry
id: 6597be7b-ac61-4ac8-bef4-d3ec88174853
status: test
description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\Root\InventoryApplicationFile\winsat.exe|'
        TargetObject|endswith: '\LowerCaseLongPath'
        Details|startswith: 'c:\users\'
        Details|endswith: '\appdata\local\temp\system32\winsat.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
UAC Bypass Tools Using ComputerDefaults
Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)
status test author Christian Burkard (Nextron Systems) ATT&CK sub-technique id 3c05e90d-7eba-4324-9972-5d7f711a60a8
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (((action_process_integrity_level in ("High", "System", "S-1-16-16384", "S-1-16-12288")) and 
 action_process_image_path = "C:\Windows\System32\ComputerDefaults.exe") and 
 (not 
 (actor_process_image_path in ("*:\Windows\System32*", "*:\Program Files*")))))
view Sigma YAML 
title: UAC Bypass Tools Using ComputerDefaults
id: 3c05e90d-7eba-4324-9972-5d7f711a60a8
status: test
description: Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-31
modified: 2024-12-01
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        IntegrityLevel:
            - 'High'
            - 'System'
            - 'S-1-16-16384' # System
            - 'S-1-16-12288' # High
        Image: 'C:\Windows\System32\ComputerDefaults.exe'
    filter:
        ParentImage|contains:
            - ':\Windows\System32'
            - ':\Program Files'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
UAC Bypass Using .NET Code Profiler on MMC
Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)
status test author Christian Burkard (Nextron Systems) ATT&CK sub-technique id 93a19907-d4f9-4deb-9f91-aac4692776a6
cortex_xdr query
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_file_name contains "C:\Users\" and 
 action_file_name contains "\AppData\Local\Temp\pe386.dll"))
view Sigma YAML 
title: UAC Bypass Using .NET Code Profiler on MMC
id: 93a19907-d4f9-4deb-9f91-aac4692776a6
status: test
description: Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2022-10-09
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|endswith: '\AppData\Local\Temp\pe386.dll'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
UAC Bypass Using ChangePK and SLUI
Detects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61)
status test author Christian Burkard (Nextron Systems) ATT&CK sub-technique id 503d581c-7df0-4bbe-b9be-5840c0ecc1fc
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_path contains "\changepk.exe" and 
 actor_process_image_path contains "\slui.exe" and 
 (action_process_integrity_level in ("High", "System", "S-1-16-16384", "S-1-16-12288"))))
view Sigma YAML 
title: UAC Bypass Using ChangePK and SLUI
id: 503d581c-7df0-4bbe-b9be-5840c0ecc1fc
status: test
description: Detects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61)
references:
    - https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b
    - https://github.com/hfiref0x/UACME
    - https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf
author: Christian Burkard (Nextron Systems)
date: 2021-08-23
modified: 2024-12-01
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\changepk.exe'
        ParentImage|endswith: '\slui.exe'
        IntegrityLevel:
            - 'High'
            - 'System'
            - 'S-1-16-16384' # System
            - 'S-1-16-12288' # High
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
UAC Bypass Using Consent and Comctl32 - File
Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)
status test author Christian Burkard (Nextron Systems) ATT&CK sub-technique id 62ed5b55-f991-406a-85d9-e8e8fdf18789
cortex_xdr query
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_file_name contains "C:\Windows\System32\consent.exe.@" and 
 action_file_name contains "\comctl32.dll"))
view Sigma YAML 
title: UAC Bypass Using Consent and Comctl32 - File
id: 62ed5b55-f991-406a-85d9-e8e8fdf18789
status: test
description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-23
modified: 2022-10-09
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|startswith: 'C:\Windows\System32\consent.exe.@'
        TargetFilename|endswith: '\comctl32.dll'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
UAC Bypass Using Consent and Comctl32 - Process
Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)
status test author Christian Burkard (Nextron Systems) ATT&CK sub-technique id 1ca6bd18-0ba0-44ca-851c-92ed89a61085
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (actor_process_image_path contains "\consent.exe" and 
 action_process_image_path contains "\werfault.exe" and 
 (action_process_integrity_level in ("High", "System", "S-1-16-16384", "S-1-16-12288"))))
view Sigma YAML 
title: UAC Bypass Using Consent and Comctl32 - Process
id: 1ca6bd18-0ba0-44ca-851c-92ed89a61085
status: test
description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-23
modified: 2024-12-01
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\consent.exe'
        Image|endswith: '\werfault.exe'
        IntegrityLevel:
            - 'High'
            - 'System'
            - 'S-1-16-16384' # System
            - 'S-1-16-12288' # High
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
UAC Bypass Using Disk Cleanup
Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)
status test author Christian Burkard (Nextron Systems) ATT&CK sub-technique id b697e69c-746f-4a86-9f59-7bfff8eab881
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_command_line contains "\"\system32\cleanmgr.exe /autoclean /d C:" and 
 actor_process_command_line = "C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule" and 
 (action_process_integrity_level in ("High", "System", "S-1-16-16384", "S-1-16-12288"))))
view Sigma YAML 
title: UAC Bypass Using Disk Cleanup
id: b697e69c-746f-4a86-9f59-7bfff8eab881
status: test
description: Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2024-12-01
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|endswith: '"\system32\cleanmgr.exe /autoclean /d C:'
        ParentCommandLine: 'C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule'
        IntegrityLevel:
            - 'High'
            - 'System'
            - 'S-1-16-16384' # System
            - 'S-1-16-12288' # High
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
UAC Bypass Using DismHost
Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)
status test author Christian Burkard (Nextron Systems) ATT&CK sub-technique id 853e74f9-9392-4935-ad3b-2e8c040dae86
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((actor_process_image_path contains "C:\Users\" and 
 actor_process_image_path contains "\AppData\Local\Temp\" and 
 actor_process_image_path contains "\DismHost.exe") and 
 (action_process_integrity_level in ("High", "System", "S-1-16-16384", "S-1-16-12288"))))
view Sigma YAML 
title: UAC Bypass Using DismHost
id: 853e74f9-9392-4935-ad3b-2e8c040dae86
status: test
description: Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2024-12-01
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|contains|all:
            - 'C:\Users\'
            - '\AppData\Local\Temp\'
            - '\DismHost.exe'
        IntegrityLevel:
            - 'High'
            - 'System'
            - 'S-1-16-16384' # System
            - 'S-1-16-12288' # High
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
UAC Bypass Using Event Viewer RecentViews
Detects the pattern of UAC Bypass using Event Viewer RecentViews
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK tactic-only id 30fc8de7-d833-40c4-96b6-28319fbc4f6c
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_command_line in ("*\Event Viewer\RecentViews*", "*\EventV~1\RecentViews*")) and 
 action_process_image_command_line contains ">"))
view Sigma YAML 
title: UAC Bypass Using Event Viewer RecentViews
id: 30fc8de7-d833-40c4-96b6-28319fbc4f6c
related:
    - id: 63e4f530-65dc-49cc-8f80-ccfa95c69d43
      type: similar
status: test
description: Detects the pattern of UAC Bypass using Event Viewer RecentViews
references:
    - https://twitter.com/orange_8361/status/1518970259868626944
    - https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-11-22
tags:
    - attack.privilege-escalation
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection_path:
        # Example: ysoserial.exe -o raw -f BinaryFormatter - g DataSet -c calc > RecentViews & copy RecentViews %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews & eventvwr.exe
        CommandLine|contains:
            - '\Event Viewer\RecentViews'
            - '\EventV~1\RecentViews'
    selection_redirect:
        CommandLine|contains: '>'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
UAC Bypass Using EventVwr
Detects the pattern of a UAC bypass using Windows Event Viewer
status test author Antonio Cocomazzi (idea), Florian Roth (Nextron Systems) ATT&CK tactic-only id 63e4f530-65dc-49cc-8f80-ccfa95c69d43
cortex_xdr query
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_file_name in ("*\Microsoft\Event Viewer\RecentViews", "*\Microsoft\EventV~1\RecentViews")) and 
 (not 
 (actor_process_image_path in ("C:\Windows\System32\*", "C:\Windows\SysWOW64\*")))))
view Sigma YAML 
title: UAC Bypass Using EventVwr
id: 63e4f530-65dc-49cc-8f80-ccfa95c69d43
status: test
description: Detects the pattern of a UAC bypass using Windows Event Viewer
references:
    - https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw
    - https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g
    - https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute
author: Antonio Cocomazzi (idea), Florian Roth (Nextron Systems)
date: 2022-04-27
modified: 2022-11-22
tags:
    - attack.privilege-escalation
    - attack.stealth
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith:
            # Removed the start just in case the logging backend doesn't expand ENV variables when they're used
            - '\Microsoft\Event Viewer\RecentViews'
            - '\Microsoft\EventV~1\RecentViews'
    filter:
        Image|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
UAC Bypass Using IDiagnostic Profile
Detects the "IDiagnosticProfileUAC" UAC bypass technique
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK sub-technique id 4cbef972-f347-4170-b62a-8253f6168e6d
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (actor_process_image_path contains "\DllHost.exe" and 
 actor_process_command_line contains " /Processid:{12C21EA7-2EB8-4B55-9249-AC243DA8C666}" and 
 (action_process_integrity_level in ("High", "System", "S-1-16-16384", "S-1-16-12288"))))
view Sigma YAML 
title: UAC Bypass Using IDiagnostic Profile
id: 4cbef972-f347-4170-b62a-8253f6168e6d
status: test
description: Detects the "IDiagnosticProfileUAC" UAC bypass technique
references:
    - https://github.com/Wh04m1001/IDiagnosticProfileUAC
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-03
modified: 2024-12-01
tags:
    - attack.execution
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\DllHost.exe'
        ParentCommandLine|contains: ' /Processid:{12C21EA7-2EB8-4B55-9249-AC243DA8C666}'
        IntegrityLevel:
            - 'High'
            - 'System'
            - 'S-1-16-16384' # System
            - 'S-1-16-12288' # High
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
UAC Bypass Using IDiagnostic Profile - File
Detects the creation of a file by "dllhost.exe" in System32 directory part of "IDiagnosticProfileUAC" UAC bypass technique
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK sub-technique id 48ea844d-19b1-4642-944e-fe39c2cc1fec
cortex_xdr query
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (actor_process_image_path contains "\DllHost.exe" and 
 action_file_name contains "C:\Windows\System32\" and 
 action_file_name contains ".dll"))
view Sigma YAML 
title: UAC Bypass Using IDiagnostic Profile - File
id: 48ea844d-19b1-4642-944e-fe39c2cc1fec
status: test
description: Detects the creation of a file by "dllhost.exe" in System32 directory part of "IDiagnosticProfileUAC" UAC bypass technique
references:
    - https://github.com/Wh04m1001/IDiagnosticProfileUAC
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-03
tags:
    - attack.execution
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith: '\DllHost.exe'
        TargetFilename|startswith: 'C:\Windows\System32\'
        TargetFilename|endswith: '.dll'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
UAC Bypass Using IEInstal - File
Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
status test author Christian Burkard (Nextron Systems) ATT&CK sub-technique id bdd8157d-8e85-4397-bb82-f06cc9c71dbb
cortex_xdr query
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (actor_process_image_path = "C:\Program Files\Internet Explorer\IEInstal.exe" and 
 action_file_name contains "C:\Users\" and 
 action_file_name contains "\AppData\Local\Temp\" and 
 action_file_name contains "consent.exe"))
view Sigma YAML 
title: UAC Bypass Using IEInstal - File
id: bdd8157d-8e85-4397-bb82-f06cc9c71dbb
status: test
description: Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2022-10-09
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image: 'C:\Program Files\Internet Explorer\IEInstal.exe'
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains: '\AppData\Local\Temp\'
        TargetFilename|endswith: 'consent.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
UAC Bypass Using IEInstal - Process
Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
status test author Christian Burkard (Nextron Systems) ATT&CK sub-technique id 80fc36aa-945e-4181-89f2-2f907ab6775d
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_integrity_level in ("High", "System", "S-1-16-16384", "S-1-16-12288")) and 
 actor_process_image_path contains "\ieinstal.exe" and 
 action_process_image_path contains "\AppData\Local\Temp\" and 
 action_process_image_path contains "consent.exe"))
view Sigma YAML 
title: UAC Bypass Using IEInstal - Process
id: 80fc36aa-945e-4181-89f2-2f907ab6775d
status: test
description: Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2024-12-01
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        IntegrityLevel:
            - 'High'
            - 'System'
            - 'S-1-16-16384' # System
            - 'S-1-16-12288' # High
        ParentImage|endswith: '\ieinstal.exe'
        Image|contains: '\AppData\Local\Temp\'
        Image|endswith: 'consent.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
UAC Bypass Using Iscsicpl - ImageLoad
Detects the "iscsicpl.exe" UAC bypass technique that leverages a DLL Search Order hijacking technique to load a custom DLL's from temp or a any user controlled location in the users %PATH%
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK sub-technique id 9ed5959a-c43c-4c59-84e3-d28628429456
cortex_xdr query
config case_sensitive = false | preset=xdr_image_load | filter event_type = ENUM.LOAD_IMAGE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((actor_process_image_path = "C:\Windows\SysWOW64\iscsicpl.exe" and 
 action_module_path contains "\iscsiexe.dll") and 
 (not 
 (action_module_path contains "C:\Windows\" and 
 action_module_path contains "iscsiexe.dll"))))
view Sigma YAML 
title: UAC Bypass Using Iscsicpl - ImageLoad
id: 9ed5959a-c43c-4c59-84e3-d28628429456
status: test
description: Detects the "iscsicpl.exe" UAC bypass technique that leverages a DLL Search Order hijacking technique to load a custom DLL's from temp or a any user controlled location in the users %PATH%
references:
    - https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC
    - https://twitter.com/wdormann/status/1547583317410607110
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-17
modified: 2022-07-25
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        Image: C:\Windows\SysWOW64\iscsicpl.exe
        ImageLoaded|endswith: '\iscsiexe.dll'
    filter:
        ImageLoaded|contains|all:
            - 'C:\Windows\'
            - 'iscsiexe.dll'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
UAC Bypass Using MSConfig Token Modification - File
Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
status test author Christian Burkard (Nextron Systems) ATT&CK sub-technique id 41bb431f-56d8-4691-bb56-ed34e390906f
cortex_xdr query
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_file_name contains "C:\Users\" and 
 action_file_name contains "\AppData\Local\Temp\pkgmgr.exe"))
view Sigma YAML 
title: UAC Bypass Using MSConfig Token Modification - File
id: 41bb431f-56d8-4691-bb56-ed34e390906f
status: test
description: Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2022-10-09
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|endswith: '\AppData\Local\Temp\pkgmgr.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
UAC Bypass Using MSConfig Token Modification - Process
Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
status test author Christian Burkard (Nextron Systems) ATT&CK sub-technique id ad92e3f9-7eb6-460e-96b1-582b0ccbb980
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_integrity_level in ("High", "System", "S-1-16-16384", "S-1-16-12288")) and 
 actor_process_image_path contains "\AppData\Local\Temp\pkgmgr.exe" and 
 action_process_image_command_line = "\"C:\Windows\system32\msconfig.exe\" -5"))
view Sigma YAML 
title: UAC Bypass Using MSConfig Token Modification - Process
id: ad92e3f9-7eb6-460e-96b1-582b0ccbb980
status: test
description: Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2024-12-01
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        IntegrityLevel:
            - 'High'
            - 'System'
            - 'S-1-16-16384' # System
            - 'S-1-16-12288' # High
        ParentImage|endswith: '\AppData\Local\Temp\pkgmgr.exe'
        CommandLine: '"C:\Windows\system32\msconfig.exe" -5'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
UAC Bypass Using NTFS Reparse Point - File
Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
status test author Christian Burkard (Nextron Systems) ATT&CK sub-technique id 7fff6773-2baa-46de-a24a-b6eec1aba2d1
cortex_xdr query
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_file_name contains "C:\Users\" and 
 action_file_name contains "\AppData\Local\Temp\api-ms-win-core-kernel32-legacy-l1.DLL"))
view Sigma YAML 
title: UAC Bypass Using NTFS Reparse Point - File
id: 7fff6773-2baa-46de-a24a-b6eec1aba2d1
status: test
description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2022-10-09
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|endswith: '\AppData\Local\Temp\api-ms-win-core-kernel32-legacy-l1.DLL'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Strong Medium FP
UAC Bypass Using NTFS Reparse Point - Process
Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
status test author Christian Burkard (Nextron Systems) ATT&CK sub-technique id 39ed3c80-e6a1-431b-9df3-911ac53d08a7
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_command_line contains "\"C:\Windows\system32\wusa.exe\"  /quiet C:\Users\" and 
 action_process_image_command_line contains "\AppData\Local\Temp\update.msu" and 
 (action_process_integrity_level in ("High", "System", "S-1-16-16384", "S-1-16-12288"))) or 
 (actor_process_command_line = "\"C:\Windows\system32\dism.exe\" /online /quiet /norestart /add-package /packagepath:\"C:\Windows\system32\pe386\" /ignorecheck" and 
 (((action_process_integrity_level gte 12288 and action_process_integrity_level lt 16384) or action_process_integrity_level gte 16384)) and 
 (action_process_image_command_line contains "C:\Users\" and 
 action_process_image_command_line contains "\AppData\Local\Temp\" and 
 action_process_image_command_line contains "\dismhost.exe {") and 
 action_process_image_path contains "\DismHost.exe")))
view Sigma YAML 
title: UAC Bypass Using NTFS Reparse Point - Process
id: 39ed3c80-e6a1-431b-9df3-911ac53d08a7
status: test
description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2024-12-01
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        CommandLine|startswith: '"C:\Windows\system32\wusa.exe"  /quiet C:\Users\'
        CommandLine|endswith: '\AppData\Local\Temp\update.msu'
        IntegrityLevel:
            - 'High'
            - 'System'
            - 'S-1-16-16384' # System
            - 'S-1-16-12288' # High
    selection2:
        ParentCommandLine: '"C:\Windows\system32\dism.exe" /online /quiet /norestart /add-package /packagepath:"C:\Windows\system32\pe386" /ignorecheck'
        IntegrityLevel:
            - 'High'
            - 'System'
        CommandLine|contains|all:
            - 'C:\Users\'
            - '\AppData\Local\Temp\'
            - '\dismhost.exe {'
        Image|endswith: '\DismHost.exe'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
UAC Bypass Using PkgMgr and DISM
Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)
status test author Christian Burkard (Nextron Systems) ATT&CK sub-technique id a743ceba-c771-4d75-97eb-8a90f7f4844c
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (actor_process_image_path contains "\pkgmgr.exe" and 
 action_process_image_path contains "\dism.exe" and 
 (action_process_integrity_level in ("High", "System", "S-1-16-16384", "S-1-16-12288"))))
view Sigma YAML 
title: UAC Bypass Using PkgMgr and DISM
id: a743ceba-c771-4d75-97eb-8a90f7f4844c
status: test
description: Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-23
modified: 2024-12-01
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\pkgmgr.exe'
        Image|endswith: '\dism.exe'
        IntegrityLevel:
            - 'High'
            - 'System'
            - 'S-1-16-16384' # System
            - 'S-1-16-12288' # High
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
UAC Bypass Using Windows Media Player - File
Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
status test author Christian Burkard (Nextron Systems) ATT&CK sub-technique id 68578b43-65df-4f81-9a9b-92f32711a951
cortex_xdr query
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_file_name contains "C:\Users\" and 
 action_file_name contains "\AppData\Local\Temp\OskSupport.dll") or 
 (actor_process_image_path = "C:\Windows\system32\DllHost.exe" and 
 action_file_name = "C:\Program Files\Windows Media Player\osk.exe")))
view Sigma YAML 
title: UAC Bypass Using Windows Media Player - File
id: 68578b43-65df-4f81-9a9b-92f32711a951
status: test
description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-23
modified: 2022-10-09
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: file_event
    product: windows
detection:
    selection1:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|endswith: '\AppData\Local\Temp\OskSupport.dll'
    selection2:
        Image: 'C:\Windows\system32\DllHost.exe'
        TargetFilename: 'C:\Program Files\Windows Media Player\osk.exe'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: high
Convert to SIEM query
Showing 651-700 of 763
Prev 14 Next
SOC and Response
CVE triage
Stack monitoring
Am I affected
IOC triage
KEV catalog
Recently exploited
Daily brief
Change tracking
Detection Engineering
Detection coverage workspace
Saved stacks
SIEM query builder
Detection rules
D3FEND
Threat Hunting
Threat actors
ATT&CK techniques
Attack paths
Indicators
Ransomware groups
Atomic tests
Red Team and Pentest
Exploitability triage
Recon pack
Attack paths
CAPEC patterns
Adversary emulation
Compliance and GRC
Framework mapping
Control assessment
Audit view
Atlas Search Threat actors Techniques Detection coverage Tools & malware CWE CAPEC KEV catalog Package vulns
About All capabilities Pricing API docs Privacy policy Terms of service
threatengine.sh