
Palo Alto Cortex XDR

763 rules · Sigma detections in Palo Alto Cortex XDR syntax
The same Sigma detection corpus, machine-rendered into Palo Alto Cortex XDR query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.

Detection rules

Level: high · Quality: Moderate · Alert volume: High FP
Potential EmpireMonkey Activity
Detects potential EmpireMonkey APT activity
Status: test · Author: Markus Neis, Nasreddine Bencherchali (Nextron Systems) · ATT&CK: sub-technique · ID: 10152a7b-b566-438f-a33c-390b607d1c8d
Cortex XDR query:
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_command_line contains "/e:jscript" and 
 action_process_image_command_line contains "\Local\Temp\Errors.bat"))
Sigma YAML:
title: Potential EmpireMonkey Activity
id: 10152a7b-b566-438f-a33c-390b607d1c8d
status: test
description: Detects potential EmpireMonkey APT activity
references:
    - https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/
    - https://malpedia.caad.fkie.fraunhofer.de/actor/anthropoid_spider
author: Markus Neis, Nasreddine Bencherchali (Nextron Systems)
date: 2019-04-02
modified: 2023-03-09
tags:
    - attack.stealth
    - attack.t1218.010
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - '/e:jscript' # This is a guess since the report doesn't mention the method of execution. This assumes that it is achieved via specifying the execution engine
            - '\Local\Temp\Errors.bat'
    condition: selection
falsepositives:
    - Unlikely
level: high
Level: high · Quality: Moderate · Alert volume: Medium FP
Potential EventLog File Location Tampering
Detects tampering with EventLog service "file" key. In order to change the default location of an Evtx file. This technique is used to tamper with log collection and alerting
Status: test · Author: D3F7A5105 · ATT&CK: sub-technique · ID: 0cb8d736-995d-4ce7-a31e-1e8d452a1459
Cortex XDR query:
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_registry_key_name contains "\SYSTEM\CurrentControlSet\Services\EventLog\" and 
 action_registry_key_name contains "\File") and 
 (not 
 (action_registry_value_name contains "\System32\Winevt\Logs\" or 
 action_registry_data contains "\System32\Winevt\Logs\"))))
Sigma YAML:
title: Potential EventLog File Location Tampering
id: 0cb8d736-995d-4ce7-a31e-1e8d452a1459
status: test
description: Detects tampering with EventLog service "file" key. In order to change the default location of an Evtx file. This technique is used to tamper with log collection and alerting
references:
    - https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key
author: D3F7A5105
date: 2023-01-02
modified: 2023-08-17
tags:
    - attack.defense-impairment
    - attack.t1685.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SYSTEM\CurrentControlSet\Services\EventLog\'
        TargetObject|endswith: '\File'
    filter:
        Details|contains: '\System32\Winevt\Logs\'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
Level: high · Quality: Moderate · Alert volume: Medium FP
Potential Exploitation Attempt From Office Application
Detects Office applications executing a child process that includes directory traversal patterns. This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE)
Status: test · Author: Christian Burkard (Nextron Systems), @SBousseaden (idea) · ATT&CK: tactic-only · ID: 868955d9-697e-45d4-a3da-360cefd7c216
Cortex XDR query:
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((actor_process_image_path in ("*\winword.exe", "*\excel.exe", "*\powerpnt.exe", "*\msaccess.exe", "*\mspub.exe", "*\eqnedt32.exe", "*\visio.exe")) and 
 (action_process_image_command_line in ("*../../../..*", "*..\..\..\..*", "*..//..//..//..*"))))
Sigma YAML:
title: Potential Exploitation Attempt From Office Application
id: 868955d9-697e-45d4-a3da-360cefd7c216
status: test
description: Detects Office applications executing a child process that includes directory traversal patterns. This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE)
references:
    - https://twitter.com/sbousseaden/status/1531653369546301440
    - https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-40444
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190
author: Christian Burkard (Nextron Systems), @SBousseaden (idea)
date: 2022-06-02
modified: 2023-02-04
tags:
    - attack.execution
    - cve.2021-40444
    - detection.emerging-threats
    - attack.stealth
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith:
            - '\winword.exe'
            - '\excel.exe'
            - '\powerpnt.exe'
            - '\msaccess.exe'
            - '\mspub.exe'
            - '\eqnedt32.exe'
            - '\visio.exe'
        CommandLine|contains:
            - '../../../..'
            - '..\..\..\..'
            - '..//..//..//..'
    condition: selection
falsepositives:
    - Unknown
level: high
Level: high · Quality: Moderate · Alert volume: Medium FP
Potential Exploitation Attempt Of Undocumented WindowsServer RCE
Detects potential exploitation attempt of undocumented Windows Server Pre Auth Remote Code Execution (RCE)
Status: test · Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali · ATT&CK: technique · ID: 6d5b8176-d87d-4402-8af4-53aee9db7b5d
Cortex XDR query:
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (actor_process_image_path contains "\svchost.exe" and 
 action_process_image_path contains "\svchost.exe" and 
 actor_process_command_line contains "-k DHCPServer" and 
 action_process_image_command_line contains "-k DHCPServer" and 
 (action_process_username in ("*NETWORK SERVICE*", "*NETZWERKDIENST*", "*SERVIZIO DI RETE*", "*SERVICIO DE RED*"))))
Sigma YAML:
title: Potential Exploitation Attempt Of Undocumented WindowsServer RCE
id: 6d5b8176-d87d-4402-8af4-53aee9db7b5d
status: test
description: Detects potential exploitation attempt of undocumented Windows Server Pre Auth Remote Code Execution (RCE)
references:
    - https://github.com/SigmaHQ/sigma/pull/3946
    - https://twitter.com/hackerfantastic/status/1616455335203438592?s=20
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
date: 2023-01-21
tags:
    - attack.initial-access
    - attack.t1190
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\svchost.exe'
        Image|endswith: '\svchost.exe'
        ParentCommandLine|contains: '-k DHCPServer'
        CommandLine|contains: '-k DHCPServer'
        User|contains: # Covers many language settings for Network Service. Please expand.
            - 'NETWORK SERVICE'
            - 'NETZWERKDIENST'
            - 'SERVIZIO DI RETE'
            - 'SERVICIO DE RED'
    condition: selection
falsepositives:
    - Unknown
level: high
Level: high · Quality: Strong · Alert volume: Medium FP
Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process
Detects potentially suspicious child process of SSH process (sshd) with a specific execution user. This could be a sign of potential exploitation of CVE-2024-3094.
Status: test · Author: Arnim Rupp, Nasreddine Bencherchali, Thomas Patzke · ATT&CK: tactic-only · ID: 9aa27839-e8ba-4d7a-ac1a-746c22c3d1e5
Cortex XDR query:
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_LINUX and 
 (actor_process_image_path contains "/sshd" and 
 (action_process_image_command_line in ("bash -c*", "sh -c*")) and 
 action_process_username = "root"))
Sigma YAML:
title: Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process
id: 9aa27839-e8ba-4d7a-ac1a-746c22c3d1e5
status: test
description: |
    Detects potentially suspicious child process of SSH process (sshd) with a specific execution user. This could be a sign of potential exploitation of CVE-2024-3094.
references:
    - https://github.com/amlweems/xzbot?tab=readme-ov-file#backdoor-demo
author: Arnim Rupp, Nasreddine Bencherchali, Thomas Patzke
date: 2024-04-01
modified: 2024-07-03
tags:
    - attack.execution
    - cve.2024-3094
    - detection.emerging-threats
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        ParentImage|endswith: '/sshd'
        CommandLine|startswith:
            - 'bash -c'
            - 'sh -c'
        User: 'root'
    condition: selection
falsepositives:
    - Administrative activity directly with root authentication might trigger this rule if it's unnecessarily prefixed with "sh -c" or "bash -c"
level: high
Level: high · Quality: Strong · Alert volume: Medium FP
Potential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309)
Detects suspicious child processes created by CrushFTP. It could be an indication of exploitation of a RCE vulnerability such as CVE-2025-54309.
Status: experimental · Author: Nisarg Suthar · ATT&CK: sub-technique · ID: 0fdc7c7f-c690-4217-9ae3-31f5156eed72
Cortex XDR query:
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (actor_process_image_path contains "\crushftp.exe" and 
 (((action_process_image_path in ("*\powershell.exe", "*\powershell_ise.exe", "*\pwsh.exe")) and 
 (action_process_image_command_line contains "IEX" and 
 action_process_image_command_line contains "enc" and 
 action_process_image_command_line contains "Hidden" and 
 action_process_image_command_line contains "bypass")) or 
 (action_process_image_path contains "\cmd.exe" and 
 (action_process_image_command_line in ("*/c powershell*", "*whoami*", "*net.exe*", "*net1.exe*"))) or 
 (action_process_image_path in ("*\bitsadmin.exe", "*\certutil.exe", "*\mshta.exe", "*\cscript.exe", "*\wscript.exe")))))
Sigma YAML:
title: Potential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309)
id: 0fdc7c7f-c690-4217-9ae3-31f5156eed72
status: experimental
description: Detects suspicious child processes created by CrushFTP. It could be an indication of exploitation of a RCE vulnerability such as CVE-2025-54309.
references:
    - https://reliaquest.com/blog/threat-spotlight-cve-2025-54309-crushftp-exploit/
    - https://pwn.guide/free/web/crushftp
    - https://firecompass.com/crushftp-vulnerability-cve-2025-54309-securing-file-transfer-services/
author: Nisarg Suthar
date: 2025-08-01
tags:
    - attack.privilege-escalation
    - attack.initial-access
    - attack.execution
    - attack.t1059.001
    - attack.t1059.003
    - attack.t1068
    - attack.t1190
    - cve.2025-54309
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\crushftp.exe'
    selection_child_powershell:
        Image|endswith:
            - '\powershell.exe'
            - '\powershell_ise.exe'
            - '\pwsh.exe'
        CommandLine|contains|all:
            - 'IEX'
            - 'enc'
            - 'Hidden'
            - 'bypass'
    selection_child_cmd:
        Image|endswith: '\cmd.exe'
        CommandLine|contains:
            - '/c powershell'
            - 'whoami'
            - 'net.exe'
            - 'net1.exe'
    selection_child_others:
        Image|endswith:
            - '\bitsadmin.exe'
            - '\certutil.exe'
            - '\mshta.exe'
            - '\cscript.exe'
            - '\wscript.exe'
    condition: selection_parent and 1 of selection_child_*
falsepositives:
    - Legitimate administrative command execution
level: high
Level: high · Quality: Strong · Alert volume: Medium FP
Potential Exploitation of GoAnywhere MFT Vulnerability
Detects suspicious command execution by child processes of the GoAnywhere Managed File Transfer (MFT) application, which may indicate exploitation such as CVE-2025-10035. This behavior is indicative of post-exploitation activity related to CVE-2025-10035, as observed in campaigns by the threat actor Storm-1175.
Status: experimental · Author: MSFT (idea), Swachchhanda Shrawan Poudel (Nextron Systems) · ATT&CK: sub-technique · ID: 6c76b3d0-afe4-4870-9443-ffe6773c5fef
Cortex XDR query:
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (actor_process_image_path contains "\GoAnywhere\tomcat\" and 
 (((action_process_image_path in ("*\powershell.exe", "*\powershell_ise.exe", "*\pwsh.exe")) and 
 ((action_process_image_command_line contains "IEX" and 
 action_process_image_command_line contains "enc" and 
 action_process_image_command_line contains "Hidden" and 
 action_process_image_command_line contains "bypass") or 
 (action_process_image_command_line ~= "net\s+user" or 
 action_process_image_command_line ~= "net\s+group" or 
 action_process_image_command_line ~= "query\s+session") or 
 (action_process_image_command_line in ("*whoami*", "*systeminfo*", "*dsquery*", "*localgroup administrators*", "*nltest*", "*samaccountname=*", "*adscredentials*", "*o365accountconfiguration*", "*.DownloadString(*", "*.DownloadFile(*", "*FromBase64String(*", "*System.IO.Compression*", "*System.IO.MemoryStream*", "*curl*")))) or 
 ((action_process_image_path contains "\cmd.exe" and 
 (action_process_image_command_line in ("*powershell*", "*whoami*", "*net.exe*", "*net1.exe*", "*rundll32*", "*quser*", "*nltest*", "*curl*"))) or 
 (action_process_image_command_line in ("*bitsadmin*", "*certutil*", "*mshta*", "*cscript*", "*wscript*"))))))
Sigma YAML:
title: Potential Exploitation of GoAnywhere MFT Vulnerability
id: 6c76b3d0-afe4-4870-9443-ffe6773c5fef
status: experimental
description: |
    Detects suspicious command execution by child processes of the GoAnywhere Managed File Transfer (MFT) application, which may indicate exploitation such as CVE-2025-10035.
    This behavior is indicative of post-exploitation activity related to CVE-2025-10035, as observed in campaigns by the threat actor Storm-1175.
references:
    - https://www.microsoft.com/en-us/security/blog/2025/10/06/investigating-active-exploitation-of-cve-2025-10035-goanywhere-managed-file-transfer-vulnerability/
author: MSFT (idea), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-07
tags:
    - attack.initial-access
    - attack.t1190
    - attack.execution
    - attack.t1059.001
    - attack.persistence
    - attack.t1133
    - detection.emerging-threats
    - cve.2025-10035
logsource:
    category: process_creation
    product: windows
detection:
    # Detects the GoAnywhere Tomcat parent process based on path and command line arguments
    selection_parent:
        ParentImage|contains: '\GoAnywhere\tomcat\'
    selection_powershell_img:
        Image|endswith:
            - '\powershell.exe'
            - '\powershell_ise.exe'
            - '\pwsh.exe'
    selection_powershell_cmd:
        - CommandLine|contains|all:
              - 'IEX'
              - 'enc'
              - 'Hidden'
              - 'bypass'
        - CommandLine|re:
              - 'net\s+user'
              - 'net\s+group'
              - 'query\s+session'
        - CommandLine|contains:
              - 'whoami'
              - 'systeminfo'
              - 'dsquery'
              - 'localgroup administrators'
              - 'nltest'
              - 'samaccountname='
              - 'adscredentials'
              - 'o365accountconfiguration'
              - '.DownloadString('
              - '.DownloadFile('
              - 'FromBase64String('
              - 'System.IO.Compression'
              - 'System.IO.MemoryStream'
              - 'curl'
    selection_child_cmd:
        Image|endswith: '\cmd.exe'
        CommandLine|contains:
            - 'powershell'
            - 'whoami'
            - 'net.exe'
            - 'net1.exe'
            - 'rundll32'
            - 'quser'
            - 'nltest'
            - 'curl'
    selection_child_others:
        CommandLine|contains:
            - 'bitsadmin'
            - 'certutil'
            - 'mshta'
            - 'cscript'
            - 'wscript'
    condition: selection_parent and (all of selection_powershell_* or 1 of selection_child_*)
falsepositives:
    - Legitimate administrative scripts or built-in GoAnywhere functions could potentially trigger this rule. Tuning may be required based on normal activity in your environment.
level: high
Level: high · Quality: Moderate · Alert volume: Medium FP
Potential Exploitation of RCE Vulnerability CVE-2025-33053
Detects potential exploitation of remote code execution vulnerability CVE-2025-33053 which involves unauthorized code execution via WebDAV through external control of file names or paths. The exploit abuses legitimate utilities like iediagcmd.exe or CustomShellHost.exe by manipulating their working directories to point to attacker-controlled WebDAV servers, causing them to execute malicious executables (like route.exe) from the WebDAV path instead of legitimate system binaries through Process.Start() search order manipulation.
Status: experimental · Author: Swachchhanda Shrawan Poudel (Nextron Systems) · ATT&CK: technique · ID: abe06362-a5b9-4371-8724-ebd00cd48a04
Cortex XDR query:
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (((actor_process_image_path in ("C:\Program Files\internet explorer\iediagcmd.exe", "C:\Windows\System32\CustomShellHost.exe")) and 
 (action_process_cwd contains "\\" or 
 action_process_cwd contains "\DavWWWRoot\" or 
 action_process_image_path contains "\DavWWWRoot\" or 
 action_process_image_path contains "\\") and 
 (action_process_image_path in ("*\route.exe", "*\netsh.exe", "*\makecab.exe", "*\dxdiag.exe", "*\ipconfig.exe", "*\explorer.exe"))) and 
 (not 
 (action_process_image_path in ("C:\Windows\System32\*", "C:\Windows\SysWOW64\*")))))
Sigma YAML:
title: Potential Exploitation of RCE Vulnerability CVE-2025-33053
id: abe06362-a5b9-4371-8724-ebd00cd48a04
related:
    - id: 9a2d8b3e-f5a1-4c68-9e21-7d9e1cf8a123
      type: similar
    - id: 04fc4b22-91a6-495a-879d-0144fec5ec03
      type: similar
status: experimental
description: |
    Detects potential exploitation of remote code execution vulnerability CVE-2025-33053
    which involves unauthorized code execution via WebDAV through external control of file names or paths.
    The exploit abuses legitimate utilities like iediagcmd.exe or CustomShellHost.exe  by manipulating
    their working directories to point to attacker-controlled WebDAV servers, causing them to execute
    malicious executables (like route.exe) from the WebDAV path instead of legitimate system binaries
    through Process.Start() search order manipulation.
references:
    - https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-33053
    - https://research.checkpoint.com/2025/stealth-falcon-zero-day/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-06-13
tags:
    - attack.command-and-control
    - attack.execution
    - attack.stealth
    - attack.t1218
    - attack.lateral-movement
    - attack.t1105
    - detection.emerging-threats
    - cve.2025-33053
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage:
            - 'C:\Program Files\internet explorer\iediagcmd.exe'
            - 'C:\Windows\System32\CustomShellHost.exe'
    selection_child_current_dir:
        - CurrentDirectory|startswith: '\\\\'
        - CurrentDirectory|contains: '\DavWWWRoot\'
        - Image|contains: '\DavWWWRoot\'
        - Image|startswith: '\\\\'
    selection_child_img:
        Image|endswith:
            - '\route.exe'
            - '\netsh.exe'
            - '\makecab.exe'
            - '\dxdiag.exe'
            - '\ipconfig.exe'
            - '\explorer.exe'
    filter_main_system:
        Image|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
Level: high · Quality: Moderate · Alert volume: Medium FP
Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Image Load
Detects potential exploitation of remote code execution vulnerability CVE-2025-33053 by monitoring suspicious image loads from WebDAV paths. The exploit involves malicious executables from attacker-controlled WebDAV servers loading the Windows system DLLs like gdi32.dll, netapi32.dll, etc.
Status: experimental · Author: Swachchhanda Shrawan Poudel (Nextron Systems) · ATT&CK: technique · ID: 04fc4b22-91a6-495a-879d-0144fec5ec03
Cortex XDR query:
config case_sensitive = false | preset=xdr_image_load | filter event_type = ENUM.LOAD_IMAGE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((actor_process_image_path contains "\\" and 
 actor_process_image_path contains "\DavWWWRoot\") and 
 (actor_process_image_path in ("*\route.exe", "*\netsh.exe", "*\makecab.exe", "*\dxdiag.exe", "*\ipconfig.exe", "*\explorer.exe"))))
Sigma YAML:
title: Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Image Load
id: 04fc4b22-91a6-495a-879d-0144fec5ec03
related:
    - id: abe06362-a5b9-4371-8724-ebd00cd48a04
      type: similar
    - id: 9a2d8b3e-f5a1-4c68-9e21-7d9e1cf8a123
      type: similar
status: experimental
description: |
    Detects potential exploitation of remote code execution vulnerability CVE-2025-33053
    by monitoring suspicious image loads from WebDAV paths. The exploit involves malicious executables from
    attacker-controlled WebDAV servers loading the Windows system DLLs like gdi32.dll, netapi32.dll, etc.
references:
    - https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-33053
    - https://research.checkpoint.com/2025/stealth-falcon-zero-day/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-06-13
tags:
    - attack.command-and-control
    - attack.execution
    - attack.stealth
    - attack.t1218
    - attack.lateral-movement
    - attack.t1105
    - detection.emerging-threats
    - cve.2025-33053
logsource:
    category: image_load
    product: windows
detection:
    selection_img_path:
        Image|startswith: '\\\\'
        Image|contains: '\DavWWWRoot\'
    selection_img_bin:
        Image|endswith:
            - '\route.exe'
            - '\netsh.exe'
            - '\makecab.exe'
            - '\dxdiag.exe'
            - '\ipconfig.exe'
            - '\explorer.exe'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
Level: high · Quality: Strong · Alert volume: High FP
Potential File Extension Spoofing Using Right-to-Left Override
Detects suspicious filenames that contain a right-to-left override character and a potentially spoofed file extensions.
Status: test · Author: Jonathan Peters (Nextron Systems), Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems) · ATT&CK: sub-technique · ID: 979baf41-ca44-4540-9d0c-4fcef3b5a3a4
Cortex XDR query:
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_file_name in ("*\u202e*", "*[U+202E]*", "*‮*")) and 
 (action_file_name in ("*3pm.*", "*4pm.*", "*cod.*", "*fdp.*", "*ftr.*", "*gepj.*", "*gnp.*", "*gpj.*", "*ism.*", "*lmth.*", "*nls.*", "*piz.*", "*slx.*", "*tdo.*", "*vsc.*", "*vwm.*", "*xcod.*", "*xslx.*", "*xtpp.*"))))
Sigma YAML:
title: Potential File Extension Spoofing Using Right-to-Left Override
id: 979baf41-ca44-4540-9d0c-4fcef3b5a3a4
related:
    - id: ad691d92-15f2-4181-9aa4-723c74f9ddc3
      type: derived
status: test
description: |
    Detects suspicious filenames that contain a right-to-left override character and a potentially spoofed file extensions.
references:
    - https://redcanary.com/blog/right-to-left-override/
    - https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method
    - https://tria.ge/241015-l98snsyeje/behavioral2
    - https://www.unicode.org/versions/Unicode5.2.0/ch02.pdf
author: Jonathan Peters (Nextron Systems), Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2024-11-17
modified: 2026-03-20
tags:
    - attack.execution
    - attack.stealth
    - attack.t1036.002
logsource:
    category: file_event
    product: windows
detection:
    selection_rtlo_unicode:
        TargetFilename|contains:
            - '\u202e'  # Unicode RTLO character
            - '[U+202E]'
            # Real char U+202E copied/pasted below
            - '‮'
    selection_extensions:
        TargetFilename|contains:
            - '3pm.'  # Reversed `.mp3`
            - '4pm.'  # Reversed `.mp4`
            - 'cod.'  # Reversed `.doc`
            - 'fdp.'  # Reversed `.pdf`
            - 'ftr.'  # Reversed `.rtf`
            - 'gepj.'  # Reversed `.jpeg`
            - 'gnp.'  # Reversed `.png`
            - 'gpj.'  # Reversed `.jpg`
            - 'ism.'  # Reversed `.msi`
            - 'lmth.'  # Reversed `.html`
            - 'nls.' # Reversed `.sln`
            - 'piz.'  # Reversed `.zip`
            - 'slx.'  # Reversed `.xls`
            - 'tdo.'  # Reversed `.odt`
            - 'vsc.'  # Reversed `.csv`
            - 'vwm.'  # Reversed `.wmv`
            - 'xcod.'  # Reversed `.docx`
            - 'xslx.'  # Reversed `.xlsx`
            - 'xtpp.'  # Reversed `.pptx`
    condition: all of selection_*
falsepositives:
    - Filenames that contains scriptures such as arabic or hebrew might make use of this character
level: high
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing/info.yml
Level: high · Quality: Moderate · Alert volume: Medium FP
Potential GobRAT File Discovery Via Grep
Detects the use of grep to discover specific files created by the GobRAT malware
Status: test · Author: Joseliyo Sanchez, @Joseliyo_Jstnk · ATT&CK: technique · ID: e34cfa0c-0a50-4210-9cb3-5632d08eb041
Cortex XDR query:
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_LINUX and 
 (action_process_image_path contains "/grep" and 
 (action_process_image_command_line in ("*apached*", "*frpc*", "*sshd.sh*", "*zone.arm*"))))
Sigma YAML:
title: Potential GobRAT File Discovery Via Grep
id: e34cfa0c-0a50-4210-9cb3-5632d08eb041
status: test
description: Detects the use of grep to discover specific files created by the GobRAT malware
references:
    - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
    - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
    - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-06-02
tags:
    - attack.discovery
    - attack.t1082
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/grep'
        CommandLine|contains:
            - 'apached'
            - 'frpc'
            - 'sshd.sh'
            - 'zone.arm'
    condition: selection
falsepositives:
    - Unknown
level: high
Level: high · Quality: Moderate · Alert volume: High FP
Potential Goofy Guineapig Backdoor Activity
Detects a specific broken command that was used by Goofy-Guineapig as described by the NCSC report.
Status: test · Author: X__Junior (Nextron Systems) · ATT&CK: tactic-only · ID: 477a5ed3-a374-4282-9f3b-ed94e159a108
Cortex XDR query:
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 action_process_image_command_line contains "choice /t %d /d y /n >nul")
Sigma YAML:
title: Potential Goofy Guineapig Backdoor Activity
id: 477a5ed3-a374-4282-9f3b-ed94e159a108
status: test
description: Detects a specific broken command that was used by Goofy-Guineapig as described by the NCSC report.
references:
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
author: X__Junior (Nextron Systems)
date: 2023-05-14
tags:
    - attack.execution
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: 'choice /t %d /d y /n >nul'
    condition: selection
falsepositives:
    - Unlikely
level: high
Level: high · Quality: Moderate · Alert volume: High FP
Potential Goofy Guineapig GoolgeUpdate Process Anomaly
Detects "GoogleUpdate.exe" spawning a new instance of itself in an uncommon location as seen used by the Goofy Guineapig backdoor
Status: test · Author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) · ATT&CK: tactic-only · ID: bdbab15a-3826-48fa-a1b7-723cd8f32fcc
Cortex XDR query:
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((actor_process_image_path contains "\GoogleUpdate.exe" and 
 action_process_image_path contains "\GoogleUpdate.exe") and 
 (not 
 ((action_process_image_path in ("C:\Program Files\Google\*", "C:\Program Files (x86)\Google\*")) or 
 action_process_image_path contains "\AppData\Local\Google\Update\"))))
Sigma YAML:
title: Potential Goofy Guineapig GoolgeUpdate Process Anomaly
id: bdbab15a-3826-48fa-a1b7-723cd8f32fcc
status: test
description: Detects "GoogleUpdate.exe" spawning a new instance of itself in an uncommon location as seen used by the Goofy Guineapig backdoor
references:
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-15
tags:
    - detection.emerging-threats
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\GoogleUpdate.exe'
        Image|endswith: '\GoogleUpdate.exe'
    filter_main_legit_paths:
        - Image|startswith:
              - 'C:\Program Files\Google\'
              - 'C:\Program Files (x86)\Google\'
        - Image|contains: '\AppData\Local\Google\Update\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
high Moderate Medium FP
Potential Iviewers.DLL Sideloading
Detects potential DLL sideloading of "iviewers.dll" (OLE/COM Object Interface Viewer)
status: test · author: X__Junior (Nextron Systems) · ATT&CK: sub-technique · id: 4c21b805-4dd7-469f-b47d-7383a8fcb437
cortex_xdr query
config case_sensitive = false | preset=xdr_image_load | filter event_type = ENUM.LOAD_IMAGE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_module_path contains "\iviewers.dll" and 
 (not 
 (action_module_path in ("C:\Program Files (x86)\Windows Kits\*", "C:\Program Files\Windows Kits\*")))))
view Sigma YAML
title: Potential Iviewers.DLL Sideloading
id: 4c21b805-4dd7-469f-b47d-7383a8fcb437
status: test
description: Detects potential DLL sideloading of "iviewers.dll" (OLE/COM Object Interface Viewer)
references:
    - https://www.secureworks.com/research/shadowpad-malware-analysis
author: X__Junior (Nextron Systems)
date: 2023-03-21
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\iviewers.dll'
    filter:
        ImageLoaded|startswith:
            - 'C:\Program Files (x86)\Windows Kits\'
            - 'C:\Program Files\Windows Kits\'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
high Moderate High FP
Potential KamiKakaBot Activity - Winlogon Shell Persistence
Detects changes to the "Winlogon" registry key where a process will set the value of the "Shell" to a value that was observed being used by KamiKakaBot samples in order to achieve persistence.
status: test · author: Nasreddine Bencherchali (Nextron Systems), X__Junior · ATT&CK: sub-technique · id: c9b86500-1ec2-4de6-9120-d744c8fb5caf
cortex_xdr query
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_registry_key_name contains "\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell" and 
 ((action_registry_value_name contains "-nop -w h" and 
 action_registry_value_name contains "$env" and 
 action_registry_value_name contains "explorer.exe" and 
 action_registry_value_name contains "Start-Process") or 
 (action_registry_data contains "-nop -w h" and 
 action_registry_data contains "$env" and 
 action_registry_data contains "explorer.exe" and 
 action_registry_data contains "Start-Process"))))
view Sigma YAML
title: Potential KamiKakaBot Activity - Winlogon Shell Persistence
id: c9b86500-1ec2-4de6-9120-d744c8fb5caf
status: test
description: |
    Detects changes to the "Winlogon" registry key where a process will set the value of the "Shell" to a value that was observed being used by KamiKakaBot samples in order to achieve persistence.
references:
    - https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/
author: Nasreddine Bencherchali (Nextron Systems), X__Junior
date: 2024-03-22
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
    - detection.emerging-threats
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell'
        Details|contains|all:
            - '-nop -w h'
            - '$env'
            - 'explorer.exe'
            - 'Start-Process'
    condition: selection
falsepositives:
    - Unlikely
level: high
high Moderate Medium FP
Potential Kapeka Decrypted Backdoor Indicator
Detects the presence of a file that is the decrypted backdoor binary dropped by the Kapeka dropper. The dropper writes it as a hidden file under a folder named "Microsoft" within "CSIDL_COMMON_APPDATA" or "CSIDL_LOCAL_APPDATA", depending on the process privileges. The file name is typically 5-6 characters long, a random combination of consonants and vowels, followed by a ".wll" extension to pose as a legitimate file and evade detection.
status: test · author: Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems) · ATT&CK: tactic-only · id: 20228d05-dd68-435d-8b4e-e7e64938880c
cortex_xdr query
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (((action_file_name in ("*:\ProgramData\*", "*\AppData\Local\*")) and 
 action_file_name ~= "\\[a-zA-Z]{5,6}\.wll") or 
 (action_file_name in ("*\win32log.exe", "*\crdss.exe"))))
view Sigma YAML
title: Potential Kapeka Decrypted Backdoor Indicator
id: 20228d05-dd68-435d-8b4e-e7e64938880c
status: test
description: |
    Detects the presence of a file that is the decrypted backdoor binary dropped by the Kapeka dropper. The dropper writes it as a hidden file under a folder named "Microsoft" within "CSIDL_COMMON_APPDATA" or "CSIDL_LOCAL_APPDATA", depending on the process privileges.
    The file name is typically 5-6 characters long, a random combination of consonants and vowels, followed by a ".wll" extension to pose as a legitimate file and evade detection.
references:
    - https://labs.withsecure.com/publications/kapeka
    - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
author: Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
date: 2024-07-03
tags:
    - detection.emerging-threats
    - attack.stealth
logsource:
    category: file_event
    product: windows
detection:
    selection_generic:
        TargetFilename|contains:
            - ':\ProgramData\'
            - '\AppData\Local\'
        TargetFilename|re: '\\[a-zA-Z]{5,6}\.wll'
    selection_specific:
        TargetFilename|endswith:
            - '\win32log.exe'
            - '\crdss.exe'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high
high Moderate High FP
Potential Ke3chang/TidePool Malware Activity
Detects registry modifications potentially related to the Ke3chang/TidePool malware as seen in campaigns running in 2019 and 2020
status: test · author: Markus Neis, Swisscom · ATT&CK: technique · id: 7b544661-69fc-419f-9a59-82ccc328f205
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_command_line in ("*-Property DWORD -name DisableFirstRunCustomize -value 2 -Force*", "*-Property String -name Check_Associations -value*", "*-Property DWORD -name IEHarden -value 0 -Force*")))
view Sigma YAML
title: Potential Ke3chang/TidePool Malware Activity
id: 7b544661-69fc-419f-9a59-82ccc328f205
status: test
description: Detects registry modifications potentially related to the Ke3chang/TidePool malware as seen in campaigns running in 2019 and 2020
references:
    - https://web.archive.org/web/20200618080300/https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf
    - https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/
author: Markus Neis, Swisscom
date: 2020-06-18
modified: 2023-03-10
tags:
    - attack.defense-impairment
    - attack.g0004
    - attack.t1685
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Ke3chang and TidePool both modify the IEHarden registry key, as well as the following list of keys.
        # Setting these registry keys is unique to the Ke3chang and TidePool malware families.
        # HKCU\Software\Microsoft\Internet Explorer\Main\Check_Associations
        # HKCU\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize
        # HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IEharden
        CommandLine|contains:
            - '-Property DWORD -name DisableFirstRunCustomize -value 2 -Force'
            - '-Property String -name Check_Associations -value'
            - '-Property DWORD -name IEHarden -value 0 -Force'
    condition: selection
falsepositives:
    - Unknown
level: high
high Strong High FP
Potential LSASS Process Dump Via Procdump
Detects potential credential harvesting attempts through LSASS memory dumps using ProcDump. This rule identifies suspicious command-line patterns that combine memory dump flags (-ma, -mm, -mp) with LSASS-related process markers. LSASS (Local Security Authority Subsystem Service) contains sensitive authentication data including plaintext passwords, NTLM hashes, and Kerberos tickets in memory. Attackers commonly dump LSASS memory to extract credentials for lateral movement and privilege escalation.
status: stable · author: Florian Roth (Nextron Systems) · ATT&CK: sub-technique · id: 5afee48e-67dd-4e03-a783-f74259dcf998
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_command_line contains " -ma " or 
 action_process_image_command_line contains " /ma " or 
 action_process_image_command_line contains " –ma " or 
 action_process_image_command_line contains " —ma " or 
 action_process_image_command_line contains " ―ma " or 
 action_process_image_command_line contains " -mm " or 
 action_process_image_command_line contains " /mm " or 
 action_process_image_command_line contains " –mm " or 
 action_process_image_command_line contains " —mm " or 
 action_process_image_command_line contains " ―mm " or 
 action_process_image_command_line contains " -mp " or 
 action_process_image_command_line contains " /mp " or 
 action_process_image_command_line contains " –mp " or 
 action_process_image_command_line contains " —mp " or 
 action_process_image_command_line contains " ―mp ") and 
 (action_process_image_command_line in ("* ls*", "* keyiso*", "* samss*"))))
view Sigma YAML
title: Potential LSASS Process Dump Via Procdump
id: 5afee48e-67dd-4e03-a783-f74259dcf998
status: stable
description: |
    Detects potential credential harvesting attempts through LSASS memory dumps using ProcDump.
    This rule identifies suspicious command-line patterns that combine memory dump flags (-ma, -mm, -mp) with LSASS-related process markers.
    LSASS (Local Security Authority Subsystem Service) contains sensitive authentication data including plaintext passwords, NTLM hashes, and Kerberos tickets in memory.
    Attackers commonly dump LSASS memory to extract credentials for lateral movement and privilege escalation.
references:
    - https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
    - https://research.splunk.com/endpoint/3742ebfe-64c2-11eb-ae93-0242ac130002
    - https://x.com/wietze/status/1958302556033065292?s=12
author: Florian Roth (Nextron Systems)
date: 2018-10-30
modified: 2025-10-19
tags:
    - attack.stealth
    - attack.t1036
    - attack.credential-access
    - attack.t1003.001
    - car.2013-05-009
logsource:
    category: process_creation
    product: windows
detection:
    selection_flags:
        CommandLine|contains|windash:
            - ' -ma '
            - ' -mm ' # Mini dump
            - ' -mp ' # Miniplus dump
    selection_process:
        CommandLine|contains:
            - ' ls' # Short for lsass
            - ' keyiso'
            - ' samss'
    condition: all of selection_*
falsepositives:
    - Unlikely, because no one should legitimately dump LSASS process memory
    - Another tool that uses command line flags similar to ProcDump
level: high
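The fifteen `contains` clauses in the rendered query above come from one Sigma modifier: `windash` expands each `-` flag into the slash and three Unicode dash look-alikes (en dash, em dash, horizontal bar), which is how a flag pasted from a "prettified" document still matches. The following is an added example, not code from SigmaHQ or from the Cortex XDR rendering, that re-implements the rule's condition in Python and runs it over constructed command lines; the event shape (`{"CommandLine": ...}`) and the sample command lines are assumptions. It also shows two properties of the rule worth knowing before trusting it: a dump by PID (`-ma 624`) is missed because no LSASS marker is present, and the `' ls'` marker fires on any space-prefixed token starting with `ls`, an output file name included.

```python
"""Added example (not SigmaHQ or Cortex XDR code): the 'Potential LSASS Process
Dump Via Procdump' rule re-implemented in Python and run over constructed
process-creation events.  The event shape ({"CommandLine": ...}) and the sample
command lines are assumptions made for this example."""
from __future__ import annotations

# The |windash modifier: '-' in the pattern also matches '/', en dash (U+2013),
# em dash (U+2014) and horizontal bar (U+2015).
WINDASH_CHARS = ("-", "/", "\u2013", "\u2014", "\u2015")


def windash_variants(pattern: str) -> list[str]:
    """Expand one pattern into the five variants the rendered XQL query spells out."""
    return [pattern.replace("-", dash) for dash in WINDASH_CHARS]


# selection_flags: full (-ma), mini (-mm) and miniplus (-mp) dumps, windash-expanded.
DUMP_FLAGS = [v for flag in (" -ma ", " -mm ", " -mp ") for v in windash_variants(flag)]
# selection_process: ' ls' is a deliberate catch-all for 'lsass' / 'lsass.exe';
# 'keyiso' and 'samss' are service names hosted by LSASS.  A bare PID matches nothing.
LSASS_MARKERS = (" ls", " keyiso", " samss")


def contains_any(haystack: str, needles) -> bool:
    """Sigma string matching is case-insensitive unless a modifier says otherwise."""
    h = haystack.lower()
    return any(n.lower() in h for n in needles)


def procdump_lsass_match(event: dict) -> bool:
    """condition: all of selection_* -> a dump flag AND an LSASS marker must both be present."""
    cmd = event.get("CommandLine", "")
    return contains_any(cmd, DUMP_FLAGS) and contains_any(cmd, LSASS_MARKERS)


# Constructed sample command lines; none come from a real incident.
SAMPLE_EVENTS = {
    "classic":     "procdump.exe -accepteula -ma lsass.exe C:\\Temp\\l.dmp",
    "slash_flag":  "procdump64.exe /mm ls C:\\Temp\\1.dmp",
    "en_dash":     "procdump.exe \u2013ma keyiso C:\\Temp\\k.dmp",       # flag pasted from a document
    "by_pid":      "procdump.exe -ma 624 C:\\Temp\\624.dmp",             # LSASS by PID: no marker, missed
    "benign":      "procdump.exe -ma notepad.exe C:\\Temp\\n.dmp",
    "fp_filename": "procdump.exe -ma chrome.exe lsdump.dmp",             # ' ls' hits the output file name
}


def evaluate(events: dict[str, str]) -> dict[str, bool]:
    """Run the rule over a name -> CommandLine mapping and report which ones alert."""
    return {name: procdump_lsass_match({"CommandLine": cmd}) for name, cmd in events.items()}


if __name__ == "__main__":
    for name, hit in evaluate(SAMPLE_EVENTS).items():
        print(f"{name:12s} {'ALERT' if hit else '-'}")
```

The two misses are the tuning points: if your environment launches ProcDump by PID, pair this rule with an LSASS process-access rule rather than widening the `' ls'` marker further, which would only add false positives of the `lsdump.dmp` kind.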
high Moderate Medium FP
Potential LethalHTA Technique Execution
Detects potential LethalHTA technique where the "mshta.exe" is spawned by an "svchost.exe" process
status: test · author: Markus Neis · ATT&CK: sub-technique · id: ed5d72a6-f8f4-479d-ba79-02f6a80d7471
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (actor_process_image_path contains "\svchost.exe" and 
 action_process_image_path contains "\mshta.exe"))
view Sigma YAML
title: Potential LethalHTA Technique Execution
id: ed5d72a6-f8f4-479d-ba79-02f6a80d7471
status: test
description: Detects potential LethalHTA technique where the "mshta.exe" is spawned by an "svchost.exe" process
references:
    - https://codewhitesec.blogspot.com/2018/07/lethalhta.html
author: Markus Neis
date: 2018-06-07
modified: 2023-02-07
tags:
    - attack.stealth
    - attack.t1218.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\svchost.exe'
        Image|endswith: '\mshta.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
high Moderate High FP
Potential MSTSC Shadowing Activity
Detects potential RDP session hijacking via mstsc.exe shadowing, i.e. a "/shadow:<session id>" connection combined with "/noconsentprompt"
status: test · author: Florian Roth (Nextron Systems) · ATT&CK: sub-technique · id: 6ba5a05f-b095-4f0a-8654-b825f4f16334
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_command_line contains "noconsentprompt" and 
 action_process_image_command_line contains "shadow:"))
view Sigma YAML
title: Potential MSTSC Shadowing Activity
id: 6ba5a05f-b095-4f0a-8654-b825f4f16334
status: test
description: Detects potential RDP session hijacking via mstsc.exe shadowing ("/shadow:<session id>" combined with "/noconsentprompt")
references:
    - https://twitter.com/kmkz_security/status/1220694202301976576
    - https://github.com/kmkz/Pentesting/blob/47592e5e160d3b86c2024f09ef04ceb87d204995/Post-Exploitation-Cheat-Sheet
author: Florian Roth (Nextron Systems)
date: 2020-01-24
modified: 2023-02-05
tags:
    - attack.lateral-movement
    - attack.t1563.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'noconsentprompt'
            - 'shadow:'
    condition: selection
falsepositives:
    - Unknown
level: high
high Strong Medium FP
Potential Meterpreter/CobaltStrike Activity
Detects use of the Meterpreter/Cobalt Strike "getsystem" command by matching the named-pipe impersonation or rundll32 service command it makes services.exe start
status: test · author: Teymur Kheirkhabarov, Ecco, Florian Roth · ATT&CK: sub-technique · id: 15619216-e993-4721-b590-4c520615a67d
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (actor_process_image_path contains "\services.exe" and 
 (((action_process_image_command_line contains "/c" and 
 action_process_image_command_line contains "echo" and 
 action_process_image_command_line contains "\pipe\") and 
 (action_process_image_command_line in ("*cmd*", "*%COMSPEC%*"))) or 
 (action_process_image_command_line contains "rundll32" and 
 action_process_image_command_line contains ".dll,a" and 
 action_process_image_command_line contains "/p:")) and 
 (not 
 action_process_image_command_line contains "MpCmdRun")))
view Sigma YAML
title: Potential Meterpreter/CobaltStrike Activity
id: 15619216-e993-4721-b590-4c520615a67d
status: test
description: Detects use of the Meterpreter/Cobalt Strike "getsystem" command by matching the named-pipe impersonation or rundll32 service command it makes services.exe start
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
    - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
author: Teymur Kheirkhabarov, Ecco, Florian Roth
date: 2019-10-26
modified: 2023-02-05
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1134.001
    - attack.t1134.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        ParentImage|endswith: '\services.exe'
    selection_technique_1:
        # Examples:
        #   Meterpreter  getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
        #   CobaltStrike getsystem technique 1b (expanded env var): %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
        #   CobaltStrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
        CommandLine|contains|all:
            - '/c'
            - 'echo'
            - '\pipe\'
        CommandLine|contains:
            - 'cmd'
            - '%COMSPEC%'
    selection_technique_2:
        # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn
        CommandLine|contains|all:
            - 'rundll32'
            - '.dll,a'
            - '/p:'
    filter_defender:
        CommandLine|contains: 'MpCmdRun'
    condition: selection_img and 1 of selection_technique_* and not 1 of filter_*
falsepositives:
    - Commandlines containing components like cmd accidentally
    - Jobs and services started with cmd
level: high
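The condition `selection_img and 1 of selection_technique_* and not 1 of filter_*` combines a parent check, two alternative technique signatures and a string exclusion. As an added example (not SigmaHQ or Cortex XDR code), here it is in Python, run over the three command lines quoted in the rule's own comments plus constructed events that exercise the other branches; field names follow the Sigma taxonomy used on this page and the sample events are assumptions. Note what `filter_defender` actually is: a substring test for `MpCmdRun` anywhere in the command line, so any command line that merely contains that string is dropped, which the last sample shows.

```python
"""Added example (not SigmaHQ or Cortex XDR code): the 'Potential
Meterpreter/CobaltStrike Activity' rule as plain Python, run over constructed
process-creation events.  Field names follow the Sigma taxonomy used on this
page; the sample events are assumptions made for this example."""
from __future__ import annotations


def _all(cmd: str, needles: tuple[str, ...]) -> bool:
    return all(n in cmd for n in needles)


def _any(cmd: str, needles: tuple[str, ...]) -> bool:
    return any(n in cmd for n in needles)


def getsystem_match(event: dict) -> bool:
    """condition: selection_img and 1 of selection_technique_* and not 1 of filter_*"""
    parent = event.get("ParentImage", "").lower()     # Sigma matching is case-insensitive
    cmd = event.get("CommandLine", "").lower()
    # selection_img: the impersonation service is started by the SCM, so the parent is services.exe
    selection_img = parent.endswith("\\services.exe")
    # technique 1: named-pipe impersonation, 'cmd /c echo <token> > \\.\pipe\<name>'
    technique_1 = _all(cmd, ("/c", "echo", "\\pipe\\")) and _any(cmd, ("cmd", "%comspec%"))
    # technique 2: a dropped DLL started via 'rundll32 <path>.dll,a /p:<pipe name>'
    technique_2 = _all(cmd, ("rundll32", ".dll,a", "/p:"))
    # filter_defender: a plain substring test on the whole command line
    filter_defender = "mpcmdrun" in cmd
    return selection_img and (technique_1 or technique_2) and not filter_defender


SERVICES = "C:\\Windows\\System32\\services.exe"

# Constructed sample events.  The first three command lines are the ones quoted in
# the rule's comments; the others exercise the remaining branches of the condition.
SAMPLE_EVENTS = {
    "msf_t1":       (SERVICES, "cmd.exe /c echo 559891bb017 > \\\\.\\pipe\\5e120a"),
    "cs_t1":        (SERVICES, "%COMSPEC% /c echo 559891bb017 > \\\\.\\pipe\\5e120a"),
    "msf_t2":       (SERVICES, "rundll32.exe C:\\Users\\test\\AppData\\Local\\Temp\\tmexsn.dll,a /p:tmexsn"),
    "wrong_parent": ("C:\\Windows\\explorer.exe", "cmd.exe /c echo hi > \\\\.\\pipe\\test"),
    "cmd_service":  (SERVICES, "cmd.exe /c C:\\Scripts\\backup.bat"),   # documented FP shape: no pipe, no alert
    "filter_hole":  (SERVICES, "cmd.exe /c echo 559891bb017 > \\\\.\\pipe\\5e120a & rem MpCmdRun"),
}


def evaluate(events: dict[str, tuple[str, str]]) -> dict[str, bool]:
    """Run the rule over name -> (ParentImage, CommandLine) pairs."""
    return {
        name: getsystem_match({"ParentImage": parent, "CommandLine": cmd})
        for name, (parent, cmd) in events.items()
    }


if __name__ == "__main__":
    for name, hit in evaluate(SAMPLE_EVENTS).items():
        print(f"{name:13s} {'ALERT' if hit else '-'}")
```

If the Defender exclusion matters in your environment, tighten it to the image path of the spawned process rather than a substring of the command line, so that the exclusion cannot be satisfied by a trailing argument.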
high Moderate Medium FP
Potential Mpclient.DLL Sideloading
Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") running from a non-default directory.
status: test · author: Bhabesh Raj · ATT&CK: sub-technique · id: 418dc89a-9808-4b87-b1d7-e5ae0cb6effc
cortex_xdr query
config case_sensitive = false | preset=xdr_image_load | filter event_type = ENUM.LOAD_IMAGE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_module_path contains "\mpclient.dll" and 
 (actor_process_image_path in ("*\MpCmdRun.exe", "*\NisSrv.exe"))) and 
 (not 
 (actor_process_image_path in ("C:\Program Files (x86)\Windows Defender\*", "C:\Program Files\Microsoft Security Client\*", "C:\Program Files\Windows Defender\*", "C:\ProgramData\Microsoft\Windows Defender\Platform\*", "C:\Windows\WinSxS\*")))))
view Sigma YAML
title: Potential Mpclient.DLL Sideloading
id: 418dc89a-9808-4b87-b1d7-e5ae0cb6effc
related:
    - id: 7002aa10-b8d4-47ae-b5ba-51ab07e228b9
      type: similar
status: test
description: Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") running from a non-default directory.
references:
    - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool
author: Bhabesh Raj
date: 2022-08-02
modified: 2023-08-04
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded|endswith: '\mpclient.dll'
        Image|endswith:
            - '\MpCmdRun.exe'
            - '\NisSrv.exe'
    filter_main_known_locations:
        Image|startswith:
            - 'C:\Program Files (x86)\Windows Defender\'
            - 'C:\Program Files\Microsoft Security Client\'
            - 'C:\Program Files\Windows Defender\'
            - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
            - 'C:\Windows\WinSxS\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high
high Moderate High FP
Potential Mpclient.DLL Sideloading Via Defender Binaries
Detects Windows Defender binaries ("MpCmdRun.exe" and "NisSrv.exe") executing from a non-default directory, the setup used to sideload a malicious "mpclient.dll" placed next to them.
status: test · author: Bhabesh Raj · ATT&CK: sub-technique · id: 7002aa10-b8d4-47ae-b5ba-51ab07e228b9
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_path in ("*\MpCmdRun.exe", "*\NisSrv.exe")) and 
 (not 
 (action_process_image_path in ("C:\Program Files (x86)\Windows Defender\*", "C:\Program Files\Microsoft Security Client\*", "C:\Program Files\Windows Defender\*", "C:\ProgramData\Microsoft\Windows Defender\Platform\*", "C:\Windows\WinSxS\*")))))
view Sigma YAML
title: Potential Mpclient.DLL Sideloading Via Defender Binaries
id: 7002aa10-b8d4-47ae-b5ba-51ab07e228b9
related:
    - id: 418dc89a-9808-4b87-b1d7-e5ae0cb6effc
      type: similar
status: test
description: Detects Windows Defender binaries ("MpCmdRun.exe" and "NisSrv.exe") executing from a non-default directory, the setup used to sideload a malicious "mpclient.dll" placed next to them.
references:
    - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool
author: Bhabesh Raj
date: 2022-08-01
modified: 2023-08-04
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '\MpCmdRun.exe'
            - '\NisSrv.exe'
    filter_main_known_locations:
        Image|startswith:
            - 'C:\Program Files (x86)\Windows Defender\'
            - 'C:\Program Files\Microsoft Security Client\'
            - 'C:\Program Files\Windows Defender\'
            - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
            - 'C:\Windows\WinSxS\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high
high Moderate Medium FP
Potential MuddyWater APT Activity
Detects potential Muddywater APT activity
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK: tactic-only · id: 36222790-0d43-4fe8-86e4-674b27809543
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_command_line contains "vbscript:Close(Execute(\"CreateObject(" and 
 action_process_image_command_line contains "powershell" and 
 action_process_image_command_line contains "-w 1 -exec Bypass" and 
 action_process_image_command_line contains "\ProgramData\") or 
 (action_process_image_command_line contains "Win32_OperatingSystem" and 
 action_process_image_command_line contains "Win32_NetworkAdapterConfiguration" and 
 action_process_image_command_line contains "root\SecurityCenter2" and 
 action_process_image_command_line contains "[System.Net.DNS]") or 
 (action_process_image_command_line contains "[Convert]::ToBase64String" and 
 action_process_image_command_line contains "[System.Text.Encoding]::UTF8.GetString]" and 
 action_process_image_command_line contains "GetResponse().GetResponseStream()" and 
 action_process_image_command_line contains "[System.Net.HttpWebRequest]::Create(" and 
 action_process_image_command_line contains "-bxor ")))
view Sigma YAML
title: Potential MuddyWater APT Activity
id: 36222790-0d43-4fe8-86e4-674b27809543
status: test
description: Detects potential Muddywater APT activity
references:
    - https://www.mandiant.com/resources/blog/iranian-threat-group-updates-ttps-in-spear-phishing-campaign
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-10
tags:
    - attack.execution
    - attack.stealth
    - attack.g0069
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_mshta:
        CommandLine|contains|all:
            - 'vbscript:Close(Execute("CreateObject('
            - 'powershell'
            - '-w 1 -exec Bypass'
            - '\ProgramData\'
    selection_survey:
        CommandLine|contains|all:
            - 'Win32_OperatingSystem'
            - 'Win32_NetworkAdapterConfiguration'
            - 'root\SecurityCenter2'
            - '[System.Net.DNS]'
    selection_pwsh_backdoor:
        CommandLine|contains|all:
            - '[Convert]::ToBase64String'
            - '[System.Text.Encoding]::UTF8.GetString]'
            - 'GetResponse().GetResponseStream()'
            - '[System.Net.HttpWebRequest]::Create('
            - '-bxor '
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high
high Moderate High FP
Potential NetWire RAT Activity - Registry
Detects registry keys related to NetWire RAT
status: test · author: Christopher Peacock · ATT&CK: technique · id: 1d218616-71b0-4c40-855b-9dbe75510f7f
cortex_xdr query
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_CREATE_KEY) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 action_registry_key_name contains "\software\NetWire")
view Sigma YAML
title: Potential NetWire RAT Activity - Registry
id: 1d218616-71b0-4c40-855b-9dbe75510f7f
status: test
description: Detects registry keys related to NetWire RAT
references:
    - https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing
    - https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/
    - https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/
    - https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line
    - https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/
author: Christopher Peacock
date: 2021-10-07
modified: 2025-11-03
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
    - detection.emerging-threats
logsource:
    product: windows
    category: registry_add
detection:
    selection:
        # The configuration information is usually stored under HKCU:\Software\Netwire - RedCanary
        TargetObject|contains: '\software\NetWire'
    condition: selection
falsepositives:
    - Unknown
level: high
high Strong Medium FP
Potential Netcat Reverse Shell Execution
Detects execution of netcat with the "-e" or "-c" flag followed by a common shell. This could be a sign of a reverse shell setup.
status: test · author: @d4ns4n_, Nasreddine Bencherchali (Nextron Systems) · ATT&CK: technique · id: 7f734ed0-4f47-46c0-837f-6ee62505abd9
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_LINUX and 
 ((action_process_image_path in ("*/nc", "*/ncat")) and 
 (action_process_image_command_line in ("* -c *", "* -e *")) and 
 (action_process_image_command_line in ("* ash*", "* bash*", "* bsh*", "* csh*", "* ksh*", "* pdksh*", "* sh*", "* tcsh*", "*/bin/ash*", "*/bin/bash*", "*/bin/bsh*", "*/bin/csh*", "*/bin/ksh*", "*/bin/pdksh*", "*/bin/sh*", "*/bin/tcsh*", "*/bin/zsh*", "*$IFSash*", "*$IFSbash*", "*$IFSbsh*", "*$IFScsh*", "*$IFSksh*", "*$IFSpdksh*", "*$IFSsh*", "*$IFStcsh*", "*$IFSzsh*"))))
view Sigma YAML
title: Potential Netcat Reverse Shell Execution
id: 7f734ed0-4f47-46c0-837f-6ee62505abd9
status: test
description: Detects execution of netcat with the "-e" or "-c" flag followed by a common shell. This could be a sign of a reverse shell setup.
references:
    - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
    - https://www.revshells.com/
    - https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/
    - https://www.infosecademy.com/netcat-reverse-shells/
    - https://man7.org/linux/man-pages/man1/ncat.1.html
author: '@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)'
date: 2023-04-07
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: linux
detection:
    selection_nc:
        Image|endswith:
            - '/nc'
            - '/ncat'
    selection_flags:
        CommandLine|contains:
            - ' -c '
            - ' -e '
    selection_shell:
        CommandLine|contains:
            - ' ash'
            - ' bash'
            - ' bsh'
            - ' csh'
            - ' ksh'
            - ' pdksh'
            - ' sh'
            - ' tcsh'
            - '/bin/ash'
            - '/bin/bash'
            - '/bin/bsh'
            - '/bin/csh'
            - '/bin/ksh'
            - '/bin/pdksh'
            - '/bin/sh'
            - '/bin/tcsh'
            - '/bin/zsh'
            - '$IFSash'
            - '$IFSbash'
            - '$IFSbsh'
            - '$IFScsh'
            - '$IFSksh'
            - '$IFSpdksh'
            - '$IFSsh'
            - '$IFStcsh'
            - '$IFSzsh'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
high Moderate Medium FP
Potential Notepad++ CVE-2025-49144 Exploitation
Detects potential exploitation of CVE-2025-49144, a local privilege escalation vulnerability in Notepad++ installers (v8.8.1 and prior) where the installer calls regsvr32.exe without specifying its full path. This allows an attacker to execute arbitrary code with elevated privileges by placing a malicious regsvr32.exe alongside the legitimate Notepad++ installer. The vulnerability is triggered when the installer registers NppShell.dll, a component of Notepad++.
status: experimental · author: Swachchhanda Shrawan Poudel (Nextron Systems) · ATT&CK: sub-technique · id: 933f0bb5-0681-4fe7-8a17-4e6cccbaac44
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_path contains "\regsvr32.exe" and 
 action_process_image_command_line contains "regsvr32 /s" and 
 action_process_image_command_line contains "\contextMenu\NppShell.dll") and 
 (not 
 (action_process_image_path in ("C:\Windows\System32\regsvr32.exe", "C:\Windows\SysWOW64\regsvr32.exe")))))
view Sigma YAML
title: Potential Notepad++ CVE-2025-49144 Exploitation
id: 933f0bb5-0681-4fe7-8a17-4e6cccbaac44
status: experimental
description: |
    Detects potential exploitation of CVE-2025-49144, a local privilege escalation vulnerability in Notepad++ installers (v8.8.1 and prior) where the installer calls regsvr32.exe without specifying the full path.
    This allows an attacker to execute arbitrary code with elevated privileges by placing a malicious regsvr32.exe alongside the legitimate Notepad++ installer.
    The vulnerability is triggered when the installer attempts to register the NppShell.dll file, which is a component of Notepad++.
references:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-49144
    - https://x.com/NullSecurityX/status/1937444064867029179
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-06-26
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.008
    - cve.2025-49144
    - detection.emerging-threats
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith: '\regsvr32.exe'
        CommandLine|startswith: 'regsvr32 /s'
        CommandLine|contains: '\contextMenu\NppShell.dll'
    filter_main_legit_regsvr32:
        Image:
            - 'C:\Windows\System32\regsvr32.exe'
            - 'C:\Windows\SysWOW64\regsvr32.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
high Moderate High FP
Potential PHP Reverse Shell
Detects usage of the PHP CLI with the "-r" flag which allows it to run inline PHP code. The rule looks for calls to the "fsockopen" function which allows the creation of sockets. Attackers often leverage this in combination with functions such as "exec" or "fopen" to initiate a reverse shell connection.
status test author @d4ns4n_ ATT&CK tactic-only id c6714a24-d7d5-4283-a36b-3ffd091d5f7e
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_LINUX and 
 (action_process_image_path contains "/php" and 
 (action_process_image_command_line contains " -r " and 
 action_process_image_command_line contains "fsockopen") and 
 (action_process_image_command_line in ("*ash*", "*bash*", "*bsh*", "*csh*", "*ksh*", "*pdksh*", "*sh*", "*tcsh*", "*zsh*"))))
view Sigma YAML
title: Potential PHP Reverse Shell
id: c6714a24-d7d5-4283-a36b-3ffd091d5f7e
status: test
description: |
    Detects usage of the PHP CLI with the "-r" flag which allows it to run inline PHP code. The rule looks for calls to the "fsockopen" function which allows the creation of sockets.
    Attackers often leverage this in combination with functions such as "exec" or "fopen" to initiate a reverse shell connection.
references:
    - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
    - https://www.revshells.com/
author: '@d4ns4n_'
date: 2023-04-07
tags:
    - attack.execution
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|contains: '/php'
        CommandLine|contains|all:
            - ' -r '
            - 'fsockopen'
        CommandLine|contains:
            - 'ash'
            - 'bash'
            - 'bsh'
            - 'csh'
            - 'ksh'
            - 'pdksh'
            - 'sh'
            - 'tcsh'
            - 'zsh'
    condition: selection
falsepositives:
    - Unknown
level: high
level: high · quality: Moderate · alert volume: Medium FP
Potential PSFactoryBuffer COM Hijacking
Detects changes to the PSFactory COM InProcServer32 registry. This technique was used by RomCom to create persistence storing a malicious DLL.
status: test · author: BlackBerry Threat Research and Intelligence Team - @Joseliyo_Jstnk · ATT&CK mapping: sub-technique · id: 243380fa-11eb-4141-af92-e14925e77c1b
cortex_xdr query
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_registry_key_name contains "\CLSID\{c90250f3-4d7d-4991-9b69-a5c5bc1c2ae6}\InProcServer32\(Default)" and 
 (not 
 ((action_registry_value_name in ("%windir%\System32\ActXPrxy.dll", "C:\Windows\System32\ActXPrxy.dll")) or 
 (action_registry_data in ("%windir%\System32\ActXPrxy.dll", "C:\Windows\System32\ActXPrxy.dll"))))))
view Sigma YAML
title: Potential PSFactoryBuffer COM Hijacking
id: 243380fa-11eb-4141-af92-e14925e77c1b
status: test
description: Detects changes to the PSFactory COM InProcServer32 registry. This technique was used by RomCom to create persistence storing a malicious DLL.
references:
    - https://blogs.blackberry.com/en/2023/06/romcom-resurfaces-targeting-ukraine
    - https://strontic.github.io/xcyclopedia/library/clsid_C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6.html
    - https://www.virustotal.com/gui/file/6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d/detection
    - https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html
author: BlackBerry Threat Research and Intelligence Team - @Joseliyo_Jstnk
date: 2023-06-07
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.015
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\CLSID\{c90250f3-4d7d-4991-9b69-a5c5bc1c2ae6}\InProcServer32\(Default)'
    filter_main:
        Details:
            - '%windir%\System32\ActXPrxy.dll'
            - 'C:\Windows\System32\ActXPrxy.dll'
    condition: selection and not filter_main
falsepositives:
    - Unknown
level: high
level: high · quality: Moderate · alert volume: High FP
Potential Perl Reverse Shell Execution
Detects execution of the perl binary with the "-e" flag and common strings related to potential reverse shell activity
status: test · author: @d4ns4n_, Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: tactic-only · id: 259df6bc-003f-4306-9f54-4ff1a08fa38e
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_LINUX and 
 ((action_process_image_path contains "/perl" and 
 action_process_image_command_line contains " -e ") and 
 ((action_process_image_command_line contains "fdopen(" and 
 action_process_image_command_line contains "::Socket::INET") or 
 (action_process_image_command_line contains "Socket" and 
 action_process_image_command_line contains "connect" and 
 action_process_image_command_line contains "open" and 
 action_process_image_command_line contains "exec"))))
view Sigma YAML
title: Potential Perl Reverse Shell Execution
id: 259df6bc-003f-4306-9f54-4ff1a08fa38e
status: test
description: Detects execution of the perl binary with the "-e" flag and common strings related to potential reverse shell activity
references:
    - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
    - https://www.revshells.com/
author: '@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)'
date: 2023-04-07
tags:
    - attack.execution
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith: '/perl'
        CommandLine|contains: ' -e '
    selection_content:
        - CommandLine|contains|all:
              - 'fdopen('
              - '::Socket::INET'
        - CommandLine|contains|all:
              - 'Socket'
              - 'connect'
              - 'open'
              - 'exec'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
level: high · quality: Strong · alert volume: High FP
Potential Persistence Via App Paths Default Property
Detects changes to the "Default" property for keys located in the \Software\Microsoft\Windows\CurrentVersion\App Paths\ registry, which might be used as a method of persistence. The entries found under App Paths are used primarily for the following purposes: first, to map an application's executable file name to that file's fully qualified path; second, to prepend information to the PATH environment variable on a per-application, per-process basis.
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: sub-technique · id: 707e097c-e20f-4f67-8807-1f72ff4500d6
cortex_xdr query
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_registry_key_name contains "\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths" and 
 (action_registry_key_name in ("*(Default)", "*Path")) and 
 ((action_registry_value_name in ("*\Users\Public*", "*\AppData\Local\Temp\*", "*\Windows\Temp\*", "*\Desktop\*", "*\Downloads\*", "*%temp%*", "*%tmp%*", "*iex*", "*Invoke-*", "*rundll32*", "*regsvr32*", "*mshta*", "*cscript*", "*wscript*", "*.bat*", "*.hta*", "*.dll*", "*.ps1*")) or 
 (action_registry_data in ("*\Users\Public*", "*\AppData\Local\Temp\*", "*\Windows\Temp\*", "*\Desktop\*", "*\Downloads\*", "*%temp%*", "*%tmp%*", "*iex*", "*Invoke-*", "*rundll32*", "*regsvr32*", "*mshta*", "*cscript*", "*wscript*", "*.bat*", "*.hta*", "*.dll*", "*.ps1*")))))
view Sigma YAML
title: Potential Persistence Via App Paths Default Property
id: 707e097c-e20f-4f67-8807-1f72ff4500d6
status: test
description: |
    Detects changes to the "Default" property for keys located in the \Software\Microsoft\Windows\CurrentVersion\App Paths\ registry, which might be used as a method of persistence.
    The entries found under App Paths are used primarily for the following purposes.
    First, to map an application's executable file name to that file's fully qualified path.
    Second, to prepend information to the PATH environment variable on a per-application, per-process basis.
references:
    - https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
    - https://learn.microsoft.com/en-us/windows/win32/shell/app-registration
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-10
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.012
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths'
        TargetObject|endswith:
            - '(Default)'
            - 'Path'
        Details|contains:
            # Add more suspicious paths or binaries as you see fit.
            - '\Users\Public'
            - '\AppData\Local\Temp\'
            - '\Windows\Temp\'
            - '\Desktop\'
            - '\Downloads\'
            - '%temp%'
            - '%tmp%'
            - 'iex'
            - 'Invoke-'
            - 'rundll32'
            - 'regsvr32'
            - 'mshta'
            - 'cscript'
            - 'wscript'
            - '.bat'
            - '.hta'
            - '.dll'
            - '.ps1'
    condition: selection
falsepositives:
    - Legitimate applications registering their binary from one of the suspicious locations mentioned above (tune it)
level: high
level: high · quality: Moderate · alert volume: High FP
Potential Persistence Via AutodialDLL
Detects changes to the "AutodialDLL" key, which could be used as a persistence method to load a custom DLL via the "ws2_32" library
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: tactic-only · id: e6fe26ee-d063-4f5b-b007-39e90aaf50e3
cortex_xdr query
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 action_registry_key_name contains "\Services\WinSock2\Parameters\AutodialDLL")
view Sigma YAML
title: Potential Persistence Via AutodialDLL
id: e6fe26ee-d063-4f5b-b007-39e90aaf50e3
status: test
description: Detects changes to the "AutodialDLL" key, which could be used as a persistence method to load a custom DLL via the "ws2_32" library
references:
    - https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/
    - https://persistence-info.github.io/Data/autodialdll.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-10
modified: 2023-08-17
tags:
    - attack.persistence
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\Services\WinSock2\Parameters\AutodialDLL'
    condition: selection
falsepositives:
    - Unlikely
level: high
level: high · quality: Moderate · alert volume: High FP
Potential Persistence Via CHM Helper DLL
Detects when an attacker modifies the registry key "HtmlHelp Author" to achieve persistence
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: tactic-only · id: 976dd1f2-a484-45ec-aa1d-0e87e882262b
cortex_xdr query
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_registry_key_name in ("*\Software\Microsoft\HtmlHelp Author\Location*", "*\Software\WOW6432Node\Microsoft\HtmlHelp Author\Location*")))
view Sigma YAML
title: Potential Persistence Via CHM Helper DLL
id: 976dd1f2-a484-45ec-aa1d-0e87e882262b
status: test
description: Detects when an attacker modifies the registry key "HtmlHelp Author" to achieve persistence
references:
    - https://persistence-info.github.io/Data/htmlhelpauthor.html
    - https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-21
modified: 2023-08-17
tags:
    - attack.persistence
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\Software\Microsoft\HtmlHelp Author\Location'
            - '\Software\WOW6432Node\Microsoft\HtmlHelp Author\Location'
    condition: selection
falsepositives:
    - Unknown
level: high
level: high · quality: Moderate · alert volume: High FP
Potential Persistence Via DLLPathOverride
Detects when an attacker adds a new "DLLPathOverride" value to the "Natural Language" key in order to achieve persistence; the DLL will then be invoked by the "SearchIndexer.exe" process
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: tactic-only · id: a1b1fd53-9c4a-444c-bae0-34a330fc7aa8
cortex_xdr query
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_registry_key_name contains "\SYSTEM\CurrentControlSet\Control\ContentIndex\Language\" and 
 (action_registry_key_name in ("*\StemmerDLLPathOverride*", "*\WBDLLPathOverride*", "*\StemmerClass*", "*\WBreakerClass*"))))
view Sigma YAML
title: Potential Persistence Via DLLPathOverride
id: a1b1fd53-9c4a-444c-bae0-34a330fc7aa8
status: test
description: Detects when an attacker adds a new "DLLPathOverride" value to the "Natural Language" key in order to achieve persistence; the DLL will then be invoked by the "SearchIndexer.exe" process
references:
    - https://persistence-info.github.io/Data/naturallanguage6.html
    - https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-21
modified: 2023-08-17
tags:
    - attack.persistence
logsource:
    category: registry_set
    product: windows
detection:
    selection_root:
        # The path can be for multiple languages
        # Example:  HKLM\System\CurrentControlSet\Control\ContentIndex\Language\English_UK
        #           HKLM\System\CurrentControlSet\Control\ContentIndex\Language\English_US
        #           HKLM\System\CurrentControlSet\Control\ContentIndex\Language\Neutral
        TargetObject|contains: '\SYSTEM\CurrentControlSet\Control\ContentIndex\Language\'
    selection_values:
        TargetObject|contains:
            - '\StemmerDLLPathOverride'
            - '\WBDLLPathOverride'
            - '\StemmerClass'
            - '\WBreakerClass'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
level: high · quality: Moderate · alert volume: Medium FP
Potential Persistence Via Excel Add-in - Registry
Detects potential persistence via the creation of an Excel add-in (XLL) file to make it run automatically when Excel is started.
status: test · author: frack113 · ATT&CK mapping: sub-technique · id: 961e33d1-4f86-4fcf-80ab-930a708b2f82
cortex_xdr query
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_registry_key_name contains "Software\Microsoft\Office\" and 
 action_registry_key_name contains "\Excel\Options" and 
 (action_registry_value_name contains "/R " or 
 action_registry_data contains "/R ") and 
 (action_registry_value_name contains ".xll" or 
 action_registry_data contains ".xll")))
view Sigma YAML
title: Potential Persistence Via Excel Add-in - Registry
id: 961e33d1-4f86-4fcf-80ab-930a708b2f82
status: test
description: Detects potential persistence via the creation of an Excel add-in (XLL) file to make it run automatically when Excel is started.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md
    - https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence
author: frack113
date: 2023-01-15
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.t1137.006
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains: 'Software\Microsoft\Office\'
        TargetObject|endswith: '\Excel\Options'
        Details|startswith: '/R '
        Details|endswith: '.xll'
    condition: selection
falsepositives:
    - Unknown
level: high
level: high · quality: Moderate · alert volume: Medium FP
Potential Persistence Via GlobalFlags
Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys
status: test · author: Karneades, Jonhnathan Ribeiro, Florian Roth · ATT&CK mapping: sub-technique · id: 36803969-5421-41ec-b92f-8500f79c23b0
cortex_xdr query
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_registry_key_name contains "\Microsoft\Windows NT\CurrentVersion\" and 
 action_registry_key_name contains "\Image File Execution Options\" and 
 action_registry_key_name contains "\GlobalFlag") or 
 ((action_registry_key_name contains "\Microsoft\Windows NT\CurrentVersion\" and 
 action_registry_key_name contains "\SilentProcessExit\") and 
 (action_registry_key_name in ("*\ReportingMode*", "*\MonitorProcess*")))))
view Sigma YAML
title: Potential Persistence Via GlobalFlags
id: 36803969-5421-41ec-b92f-8500f79c23b0
related:
    - id: c81fe886-cac0-4913-a511-2822d72ff505
      type: obsolete
status: test
description: Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys
references:
    - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
    - https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/
author: Karneades, Jonhnathan Ribeiro, Florian Roth
date: 2018-04-11
modified: 2023-06-05
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.012
    - car.2013-01-002
logsource:
    category: registry_set
    product: windows
detection:
    selection_global_flag:
        TargetObject|contains|all:
            - '\Microsoft\Windows NT\CurrentVersion\'
            - '\Image File Execution Options\'
            - '\GlobalFlag'
    selection_silent_process:
        TargetObject|contains|all:
            - '\Microsoft\Windows NT\CurrentVersion\'
            - '\SilentProcessExit\'
        TargetObject|contains:
            - '\ReportingMode'
            - '\MonitorProcess'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high
level: high · quality: Moderate · alert volume: High FP
Potential Persistence Via LSA Extensions
Detects when an attacker modifies the "REG_MULTI_SZ" value named "Extensions" to include a custom DLL to achieve persistence via lsass. The "Extensions" list contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading.
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: tactic-only · id: 41f6531d-af6e-4c6e-918f-b946f2b85a36
cortex_xdr query
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 action_registry_key_name contains "\SYSTEM\CurrentControlSet\Control\LsaExtensionConfig\LsaSrv\Extensions")
view Sigma YAML
title: Potential Persistence Via LSA Extensions
id: 41f6531d-af6e-4c6e-918f-b946f2b85a36
status: test
description: |
    Detects when an attacker modifies the "REG_MULTI_SZ" value named "Extensions" to include a custom DLL to achieve persistence via lsass.
    The "Extensions" list contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading.
references:
    - https://persistence-info.github.io/Data/lsaaextension.html
    - https://twitter.com/0gtweet/status/1476286368385019906
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-21
modified: 2023-08-17
tags:
    - attack.persistence
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SYSTEM\CurrentControlSet\Control\LsaExtensionConfig\LsaSrv\Extensions'
    condition: selection
falsepositives:
    - Unlikely
level: high
level: high · quality: Moderate · alert volume: High FP
Potential Persistence Via Logon Scripts - CommandLine
Detects the addition of a new LogonScript to the registry value "UserInitMprLogonScript" for potential persistence
status: test · author: Tom Ueltschi (@c_APT_ure) · ATT&CK mapping: sub-technique · id: 21d856f9-9281-4ded-9377-51a1a6e2a432
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 action_process_image_command_line contains "UserInitMprLogonScript")
view Sigma YAML
title: Potential Persistence Via Logon Scripts - CommandLine
id: 21d856f9-9281-4ded-9377-51a1a6e2a432
related:
    - id: 0a98a10c-685d-4ab0-bddc-b6bdd1d48458
      type: derived
status: test
description: Detects the addition of a new LogonScript to the registry value "UserInitMprLogonScript" for potential persistence
references:
    - https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html
author: Tom Ueltschi (@c_APT_ure)
date: 2019-01-12
modified: 2023-06-09
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1037.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: 'UserInitMprLogonScript'
    condition: selection
falsepositives:
    - Legitimate addition of Logon Scripts via the command line by administrators or third party tools
level: high
level: high · quality: Strong · alert volume: Medium FP
Potential Persistence Via Microsoft Office Add-In
Detects potential persistence activity via startup add-ins that load when Microsoft Office starts (.wll/.xll are simply .dll fit for Word or Excel).
status: test · author: NVISO · ATT&CK mapping: sub-technique · id: 8e1cb247-6cf6-42fa-b440-3f27d57e9936
cortex_xdr query
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_file_name contains "\Microsoft\Word\Startup\" and 
 action_file_name contains ".wll") or 
 (action_file_name contains "\Microsoft\Excel\Startup\" and 
 action_file_name contains ".xll") or 
 (action_file_name contains "Microsoft\Excel\XLSTART\" and 
 action_file_name contains ".xlam") or 
 (action_file_name contains "\Microsoft\Addins\" and 
 (action_file_name in ("*.xlam", "*.xla", "*.ppam")))))
view Sigma YAML
title: Potential Persistence Via Microsoft Office Add-In
id: 8e1cb247-6cf6-42fa-b440-3f27d57e9936
status: test
description: Detects potential persistence activity via startup add-ins that load when Microsoft Office starts (.wll/.xll are simply .dll fit for Word or Excel).
references:
    - Internal Research
    - https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence
    - https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md
author: NVISO
date: 2020-05-11
modified: 2023-02-08
tags:
    - attack.persistence
    - attack.t1137.006
logsource:
    category: file_event
    product: windows
detection:
    selection_wlldropped:
        TargetFilename|contains: '\Microsoft\Word\Startup\'
        TargetFilename|endswith: '.wll'
    selection_xlldropped:
        TargetFilename|contains: '\Microsoft\Excel\Startup\'
        TargetFilename|endswith: '.xll'
    selection_xladropped:
        TargetFilename|contains: 'Microsoft\Excel\XLSTART\'
        TargetFilename|endswith: '.xlam'
    selection_generic:
        TargetFilename|contains: '\Microsoft\Addins\'
        TargetFilename|endswith:
            - '.xlam'
            - '.xla'
            - '.ppam'
    condition: 1 of selection_*
falsepositives:
    - Legitimate add-ins
level: high
level: high · quality: Strong · alert volume: Medium FP
Potential Persistence Via Microsoft Office Startup Folder
Detects creation of Microsoft Office files inside of one of the default startup folders in order to achieve persistence.
status: test · author: Max Altgelt (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: technique · id: 0e20c89d-2264-44ae-8238-aeeaba609ece
cortex_xdr query
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((((action_file_name contains "\Microsoft\Word\STARTUP" or 
 (action_file_name contains "\Office" and 
 action_file_name contains "\Program Files" and 
 action_file_name contains "\STARTUP")) and 
 (action_file_name in ("*.doc", "*.docm", "*.docx", "*.dot", "*.dotm", "*.rtf"))) or 
 ((action_file_name contains "\Microsoft\Excel\XLSTART" or 
 (action_file_name contains "\Office" and 
 action_file_name contains "\Program Files" and 
 action_file_name contains "\XLSTART")) and 
 (action_file_name in ("*.xls", "*.xlsm", "*.xlsx", "*.xlt", "*.xltm")))) and 
 (not 
 (actor_process_image_path in ("*\WINWORD.exe", "*\EXCEL.exe")))))
view Sigma YAML
title: Potential Persistence Via Microsoft Office Startup Folder
id: 0e20c89d-2264-44ae-8238-aeeaba609ece
status: test
description: Detects creation of Microsoft Office files inside of one of the default startup folders in order to achieve persistence.
references:
    - https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies
    - https://learn.microsoft.com/en-us/office/troubleshoot/excel/use-startup-folders
author: Max Altgelt (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-02
modified: 2023-06-22
tags:
    - attack.persistence
    - attack.t1137
logsource:
    category: file_event
    product: windows
detection:
    selection_word_paths:
        - TargetFilename|contains: '\Microsoft\Word\STARTUP'
        - TargetFilename|contains|all:
              - '\Office'
              - '\Program Files'
              - '\STARTUP'
    selection_word_extension:
        TargetFilename|endswith:
            - '.doc'
            - '.docm'
            - '.docx'
            - '.dot'
            - '.dotm'
            - '.rtf'
    selection_excel_paths:
        - TargetFilename|contains: '\Microsoft\Excel\XLSTART'
        - TargetFilename|contains|all:
              - '\Office'
              - '\Program Files'
              - '\XLSTART'
    selection_excel_extension:
        TargetFilename|endswith:
            - '.xls'
            - '.xlsm'
            - '.xlsx'
            - '.xlt'
            - '.xltm'
    filter_main_office:
        Image|endswith:
            - '\WINWORD.exe'
            - '\EXCEL.exe'
    condition: (all of selection_word_* or all of selection_excel_*) and not filter_main_office
falsepositives:
    - Loading a user environment from a backup or a domain controller
    - Synchronization of templates
level: high
level: high · quality: Moderate · alert volume: High FP
Potential Persistence Via Mpnotify
Detects when an attacker registers a new SIP provider for persistence and defense evasion
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: tactic-only · id: 92772523-d9c1-4c93-9547-b0ca500baba3
cortex_xdr query
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 action_registry_key_name contains "\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\mpnotify")
view Sigma YAML
title: Potential Persistence Via Mpnotify
id: 92772523-d9c1-4c93-9547-b0ca500baba3
status: test
description: Detects when an attacker registers a new SIP provider for persistence and defense evasion
references:
    - https://persistence-info.github.io/Data/mpnotify.html
    - https://www.youtube.com/watch?v=ggY3srD9dYs&ab_channel=GrzegorzTworek
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-21
modified: 2023-08-17
tags:
    - attack.persistence
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\mpnotify'
    condition: selection
falsepositives:
    - Might trigger if a legitimate new SIP provider is registered. But this is not a common occurrence in an environment and should be investigated either way
level: high
level: high · quality: Strong · alert volume: Medium FP
Potential Persistence Via MyComputer Registry Keys
Detects modification to the "Default" value of the "MyComputer" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example)
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: tactic-only · id: 8fbe98a8-8f9d-44f8-aa71-8c572e29ef06
cortex_xdr query
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_registry_key_name contains "\Microsoft\Windows\CurrentVersion\Explorer\MyComputer" and 
 action_registry_key_name contains "(Default)"))
view Sigma YAML
title: Potential Persistence Via MyComputer Registry Keys
id: 8fbe98a8-8f9d-44f8-aa71-8c572e29ef06
status: test
description: Detects modification to the "Default" value of the "MyComputer" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example)
references:
    - https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-09
modified: 2024-01-11
tags:
    - attack.persistence
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\Explorer\MyComputer'
        TargetObject|endswith: '(Default)'
    condition: selection
falsepositives:
    - Unlikely but if you experience FPs add specific processes and locations you would like to monitor for
level: high
level: high · quality: Strong · alert volume: Medium FP
Potential Persistence Via Outlook Form
Detects the creation of a new Outlook form which can contain malicious code
status: test · author: Tobias Michalski (Nextron Systems) · ATT&CK mapping: sub-technique · id: c3edc6a5-d9d4-48d8-930e-aab518390917
cortex_xdr query
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (actor_process_image_path contains "\outlook.exe" and 
 (action_file_name in ("*\AppData\Local\Microsoft\FORMS\IPM*", "*\Local Settings\Application Data\Microsoft\Forms*"))))
view Sigma YAML
title: Potential Persistence Via Outlook Form
id: c3edc6a5-d9d4-48d8-930e-aab518390917
status: test
description: Detects the creation of a new Outlook form which can contain malicious code
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=76
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=79
    - https://learn.microsoft.com/en-us/office/vba/outlook/concepts/outlook-forms/create-an-outlook-form
    - https://www.slipstick.com/developer/custom-form/clean-outlooks-forms-cache/
author: Tobias Michalski (Nextron Systems)
date: 2021-06-10
modified: 2023-02-22
tags:
    - attack.persistence
    - attack.t1137.003
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith: '\outlook.exe'
        TargetFilename|contains:
            - '\AppData\Local\Microsoft\FORMS\IPM'
            - '\Local Settings\Application Data\Microsoft\Forms' # Windows XP
    condition: selection
falsepositives:
    - Legitimate use of outlook forms
level: high
level: high · quality: Moderate · alert volume: High FP
Potential Persistence Via Outlook Home Page
Detects potential persistence activity via the Outlook home page. An attacker can set a home page to achieve code execution and persistence by editing the WebView registry keys.
status: test · author: Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Sveen (@0xSV1), Storebrand · ATT&CK mapping: technique · id: ddd171b5-2cc6-4975-9e78-f0eccd08cc76
cortex_xdr query
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_registry_key_name contains "\Software\Microsoft\Office\" and 
 action_registry_key_name contains "\Outlook\WebView\") and 
 action_registry_key_name contains "\URL"))
view Sigma YAML
title: Potential Persistence Via Outlook Home Page
id: ddd171b5-2cc6-4975-9e78-f0eccd08cc76
related:
    - id: 487bb375-12ef-41f6-baae-c6a1572b4dd1
      type: similar
status: test
description: |
    Detects potential persistence activity via the Outlook home page.
    An attacker can set a home page to achieve code execution and persistence by editing the WebView registry keys.
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70
    - https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us
    - https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change
author: Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Sveen (@0xSV1), Storebrand
date: 2021-06-09
modified: 2024-08-07
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains|all:
            - '\Software\Microsoft\Office\'
            - '\Outlook\WebView\'
        TargetObject|endswith: '\URL'
    condition: selection
falsepositives:
    - Unknown
level: high
high Moderate Medium FP
Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting
Detects the modification of the Outlook setting "LoadMacroProviderOnBoot", which, if enabled, allows the automatic loading of any configured VBA project/module
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK technique id 396ae3eb-4174-4b9b-880e-dc0364d78a19
cortex_xdr query
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_registry_key_name contains "\Outlook\LoadMacroProviderOnBoot" and 
 (action_registry_value_name contains "0x00000001" or 
 action_registry_data contains "0x00000001")))
view Sigma YAML
title: Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting
id: 396ae3eb-4174-4b9b-880e-dc0364d78a19
status: test
description: Detects the modification of the Outlook setting "LoadMacroProviderOnBoot", which, if enabled, allows the automatic loading of any configured VBA project/module
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53
    - https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2021-04-05
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.command-and-control
    - attack.t1137
    - attack.t1008
    - attack.t1546
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Outlook\LoadMacroProviderOnBoot'
        Details|contains: '0x00000001'
    condition: selection
falsepositives:
    - Unknown
level: high
high Strong Medium FP
Potential Persistence Via Outlook Today Page
Detects potential persistence activity via the Outlook Today page. An attacker can set a custom page to execute arbitrary code and link to it via the registry values "URL" and "UserDefinedUrl".
status test author Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Sveen (@0xSV1), Storebrand ATT&CK technique id 487bb375-12ef-41f6-baae-c6a1572b4dd1
cortex_xdr query
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_registry_key_name contains "Software\Microsoft\Office\" and 
 action_registry_key_name contains "\Outlook\Today\") and 
 ((action_registry_key_name contains "\Stamp" and 
 (action_registry_value_name = "DWORD (0x00000001)" or 
 action_registry_data = "DWORD (0x00000001)")) or 
 (action_registry_key_name in ("*\URL", "*\UserDefinedUrl"))) and 
 (not 
 ((actor_process_image_path in ("C:\Program Files\Common Files\Microsoft Shared\ClickToRun\*", "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\*")) and 
 actor_process_image_path contains "\OfficeClickToRun.exe"))))
view Sigma YAML
title: Potential Persistence Via Outlook Today Page
id: 487bb375-12ef-41f6-baae-c6a1572b4dd1
related:
    - id: ddd171b5-2cc6-4975-9e78-f0eccd08cc76
      type: similar
status: test
description: |
    Detects potential persistence activity via the Outlook Today page.
    An attacker can set a custom page to execute arbitrary code and link to it via the registry values "URL" and "UserDefinedUrl".
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=74
    - https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change
author: Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Sveen (@0xSV1), Storebrand
date: 2021-06-10
modified: 2024-08-07
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    product: windows
    category: registry_set
detection:
    selection_main:
        TargetObject|contains|all:
            - 'Software\Microsoft\Office\'
            - '\Outlook\Today\'
    selection_value_stamp:
        TargetObject|endswith: '\Stamp'
        Details: 'DWORD (0x00000001)'
    selection_value_url:
        TargetObject|endswith:
            - '\URL'
            - '\UserDefinedUrl'
    filter_main_office:
        Image|startswith:
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
        Image|endswith: '\OfficeClickToRun.exe'
    condition: selection_main and 1 of selection_value_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
high Moderate High FP
Potential Persistence Via PlistBuddy
Detects potential persistence activity using LaunchAgents or LaunchDaemons via the PlistBuddy utility
status test author Sohan G (D4rkCiph3r) ATT&CK sub-technique id 65d506d3-fcfe-4071-b4b2-bcefe721bbbb
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_MAC and 
 (action_process_image_path contains "/PlistBuddy" and 
 (action_process_image_command_line contains "RunAtLoad" and 
 action_process_image_command_line contains "true") and 
 (action_process_image_command_line in ("*LaunchAgents*", "*LaunchDaemons*"))))
view Sigma YAML
title: Potential Persistence Via PlistBuddy
id: 65d506d3-fcfe-4071-b4b2-bcefe721bbbb
status: test
description: Detects potential persistence activity using LaunchAgents or LaunchDaemons via the PlistBuddy utility
references:
    - https://redcanary.com/blog/clipping-silver-sparrows-wings/
    - https://www.manpagez.com/man/8/PlistBuddy/
author: Sohan G (D4rkCiph3r)
date: 2023-02-18
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1543.001
    - attack.t1543.004
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        Image|endswith: '/PlistBuddy'
        CommandLine|contains|all:
            - 'RunAtLoad'
            - 'true'
        CommandLine|contains:
            - 'LaunchAgents'
            - 'LaunchDaemons'
    condition: selection
falsepositives:
    - Unknown
level: high
high Moderate High FP
Potential Persistence Via Powershell Search Order Hijacking - Task
Detects suspicious PowerShell execution via a scheduled task where the command line ends with suspicious flags that hide the PowerShell instance instead of executing scripts or commands. This could be a sign of persistence via the PowerShell "Get-Variable" technique, as seen being used in Colibri Loader
status test author pH-T (Nextron Systems), Florian Roth (Nextron Systems) ATT&CK sub-technique id b66474aa-bd92-4333-a16c-298155b120df
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (actor_process_image_path = "C:\WINDOWS\System32\svchost.exe" and 
 (actor_process_command_line contains "-k netsvcs" and 
 actor_process_command_line contains "-s Schedule") and 
 (action_process_image_command_line in ("* -windowstyle hidden", "* -w hidden", "* -ep bypass", "* -noni"))))
view Sigma YAML
title: Potential Persistence Via Powershell Search Order Hijacking - Task
id: b66474aa-bd92-4333-a16c-298155b120df
related:
    - id: 6e8811ee-90ba-441e-8486-5653e68b2299
      type: similar
status: test
description: Detects suspicious PowerShell execution via a scheduled task where the command line ends with suspicious flags that hide the PowerShell instance instead of executing scripts or commands. This could be a sign of persistence via the PowerShell "Get-Variable" technique, as seen being used in Colibri Loader
references:
    - https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/
author: pH-T (Nextron Systems), Florian Roth (Nextron Systems)
date: 2022-04-08
modified: 2023-02-03
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1053.005
    - attack.t1059.001
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage: 'C:\WINDOWS\System32\svchost.exe'
        ParentCommandLine|contains|all:
            - '-k netsvcs'
            - '-s Schedule'
        CommandLine|endswith:
            - ' -windowstyle hidden'
            - ' -w hidden'
            - ' -ep bypass'
            - ' -noni'
    condition: selection
falsepositives:
    - Unknown
level: high
high Moderate High FP
Potential Persistence Via Shim Database In Uncommon Location
Detects the installation of a new shim database where the file is located in a non-default location
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK sub-technique id 6b6976a3-b0e6-4723-ac24-ae38a737af41
cortex_xdr query
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_registry_key_name contains "\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\" and 
 action_registry_key_name contains "\DatabasePath") and 
 (not 
 (action_registry_value_name contains ":\Windows\AppPatch\Custom" or 
 action_registry_data contains ":\Windows\AppPatch\Custom"))))
view Sigma YAML
title: Potential Persistence Via Shim Database In Uncommon Location
id: 6b6976a3-b0e6-4723-ac24-ae38a737af41
status: test
description: Detects the installation of a new shim database where the file is located in a non-default location
references:
    - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
    - https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/
    - https://www.blackhat.com/docs/asia-14/materials/Erickson/Asia-14-Erickson-Persist-It-Using-And-Abusing-Microsofts-Fix-It-Patches.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-01
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.011
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains|all:
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\'
            - '\DatabasePath'
    filter_main_known_locations:
        Details|contains: ':\Windows\AppPatch\Custom'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
high Moderate Medium FP
Potential Persistence Via TypedPaths
Detects a modification of or addition to the 'TypedPaths' key in the user or admin registry hive by a non-standard application, which might indicate a persistence attempt
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK tactic-only id 086ae989-9ca6-4fe7-895a-759c5544f247
cortex_xdr query
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_registry_key_name contains "\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths\" and 
 (not 
 (actor_process_image_path in ("C:\Windows\explorer.exe", "C:\Windows\SysWOW64\explorer.exe")))))
view Sigma YAML
title: Potential Persistence Via TypedPaths
id: 086ae989-9ca6-4fe7-895a-759c5544f247
status: test
description: Detects a modification of or addition to the 'TypedPaths' key in the user or admin registry hive by a non-standard application, which might indicate a persistence attempt
references:
    - https://twitter.com/dez_/status/1560101453150257154
    - https://forensafe.com/blogs/typedpaths.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-22
modified: 2023-08-17
tags:
    - attack.persistence
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths\'
    filter:
        Image:
            - 'C:\Windows\explorer.exe'
            - 'C:\Windows\SysWOW64\explorer.exe'
    condition: selection and not filter
falsepositives:
    - Unlikely
level: high
Showing 351-400 of 763