Palo Alto Cortex XDR detection rules

Home/Detection rules/Palo Alto Cortex XDR

Tool

EDR / XDR

Palo Alto Cortex XDR

559 rules · Sigma detections in Palo Alto Cortex XDR syntax

The same Sigma detection corpus, machine-rendered into Palo Alto Cortex XDR query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.

Download all 1,524 rules (.zip, 675 KB) Every Palo Alto Cortex XDR query in this view, packaged to deploy.

Severity critical high medium low all severities Export CSV Export .zip

Filter by techniquepick techniques from the ATT&CK matrix

Using these Sigma rules

Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.

Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.

Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.

Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.

◈

Detection rules

9 shown of 559

medium Moderate Medium FP

Windows Recall Feature Enabled - Registry

Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by setting the value of "DisableAIDataAnalysis" to "0". Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.

status test author Sajid Nawaz Khan ATT&CK technique id 75180c5f-4ea1-461a-a4f6-6e4700c065d4

cortex_xdr query

config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_registry_key_name contains "\Software\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis" and 
 (action_registry_value_name = "DWORD (0x00000000)" or 
 action_registry_data = "DWORD (0x00000000)")))

view Sigma YAML

title: Windows Recall Feature Enabled - Registry
id: 75180c5f-4ea1-461a-a4f6-6e4700c065d4
related:
    - id: 5dfc1465-8f65-4fde-8eb5-6194380c6a62
      type: similar
    - id: 817f252c-5143-4dae-b418-48c3e9f63728
      type: similar
status: test
description: |
    Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by setting the value of "DisableAIDataAnalysis" to "0".
    Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.
    This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
references:
    - https://learn.microsoft.com/en-us/windows/client-management/manage-recall
    - https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis
author: Sajid Nawaz Khan
date: 2024-06-02
tags:
    - attack.collection
    - attack.t1113
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        # HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis
        # HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis
        TargetObject|endswith: '\Software\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Legitimate use/activation of Windows Recall
level: medium

Convert to SIEM query

medium Moderate High FP

Windows Registry Trust Record Modification

Alerts on trust record modification within the registry, indicating usage of macros

status test author Antonlovesdnb, Trent Liffick (@tliffick) ATT&CK sub-technique id 295a59c1-7b79-4b47-a930-df12c15fc9c2

cortex_xdr query

config case_sensitive = false | preset=xdr_registry | filter event_type = ENUM.REGISTRY and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 action_registry_key_name contains "\Security\Trusted Documents\TrustRecords")

view Sigma YAML

title: Windows Registry Trust Record Modification
id: 295a59c1-7b79-4b47-a930-df12c15fc9c2
related:
    - id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd
      type: similar
status: test
description: Alerts on trust record modification within the registry, indicating usage of macros
references:
    - https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/
    - http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html
    - https://twitter.com/inversecos/status/1494174785621819397
author: Antonlovesdnb, Trent Liffick (@tliffick)
date: 2020-02-19
modified: 2023-06-21
tags:
    - attack.initial-access
    - attack.t1566.001
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|contains: '\Security\Trusted Documents\TrustRecords'
    condition: selection
falsepositives:
    - This will alert on legitimate macro usage as well, additional tuning is required
level: medium

Convert to SIEM query

medium Moderate Medium FP

Windows Terminal Profile Settings Modification By Uncommon Process

Detects the creation or modification of the Windows Terminal Profile settings file "settings.json" by an uncommon process.

status test author frack113, Nasreddine Bencherchali (Nextron Systems) ATT&CK sub-technique id 9b64de98-9db3-4033-bd7a-f51430105f00

cortex_xdr query

config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((actor_process_image_path in ("*\cmd.exe", "*\cscript.exe", "*\mshta.exe", "*\powershell.exe", "*\pwsh.exe", "*\wscript.exe")) and 
 action_file_name contains "\AppData\Local\Packages\Microsoft.WindowsTerminal_8wekyb3d8bbwe\LocalState\settings.json"))

view Sigma YAML

title: Windows Terminal Profile Settings Modification By Uncommon Process
id: 9b64de98-9db3-4033-bd7a-f51430105f00
status: test
description: Detects the creation or modification of the Windows Terminal Profile settings file "settings.json" by an uncommon process.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1547.015/T1547.015.md#atomic-test-1---persistence-by-modifying-windows-terminal-profile
    - https://twitter.com/nas_bench/status/1550836225652686848
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-22
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.015
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            # Note: Add other potential common applications
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wscript.exe'
        TargetFilename|endswith: '\AppData\Local\Packages\Microsoft.WindowsTerminal_8wekyb3d8bbwe\LocalState\settings.json'
    condition: selection
falsepositives:
    - Some false positives may occur with admin scripts that set WT settings.
level: medium

Convert to SIEM query

medium Moderate Medium FP

Winlogon AllowMultipleTSSessions Enable

Detects when the 'AllowMultipleTSSessions' value is enabled. Which allows for multiple Remote Desktop connection sessions to be opened at once. This is often used by attacker as a way to connect to an RDP session without disconnecting the other users

status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK technique id f7997770-92c3-4ec9-b112-774c4ef96f96

cortex_xdr query

config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_registry_key_name contains "\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions" and 
 (action_registry_value_name contains "DWORD (0x00000001)" or 
 action_registry_data contains "DWORD (0x00000001)")))

view Sigma YAML

title: Winlogon AllowMultipleTSSessions Enable
id: f7997770-92c3-4ec9-b112-774c4ef96f96
status: test
description: |
  Detects when the 'AllowMultipleTSSessions' value is enabled.
  Which allows for multiple Remote Desktop connection sessions to be opened at once.
  This is often used by attacker as a way to connect to an RDP session without disconnecting the other users
references:
    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-09
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions'
        Details|endswith: DWORD (0x00000001)
    condition: selection
falsepositives:
    - Legitimate use of the multi session functionality
level: medium

Convert to SIEM query

medium Strong Medium FP

Wow6432Node Classes Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

status test author Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) ATT&CK sub-technique id 18f2065c-d36c-464a-a748-bcf909acb2e3

cortex_xdr query

config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_registry_key_name contains "\Software\Wow6432Node\Classes" and 
 (action_registry_key_name in ("*\Folder\ShellEx\ExtShellFolderViews*", "*\Folder\ShellEx\DragDropHandlers*", "*\Folder\ShellEx\ColumnHandlers*", "*\Directory\Shellex\DragDropHandlers*", "*\Directory\Shellex\CopyHookHandlers*", "*\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance*", "*\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance*", "*\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance*", "*\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance*", "*\AllFileSystemObjects\ShellEx\DragDropHandlers*", "*\ShellEx\PropertySheetHandlers*", "*\ShellEx\ContextMenuHandlers*")) and 
 (not 
 (action_registry_value_name = "(Empty)" or 
 action_registry_data = "(Empty)"))))

view Sigma YAML

title: Wow6432Node Classes Autorun Keys Modification
id: 18f2065c-d36c-464a-a748-bcf909acb2e3
related:
    - id: 17f878b8-9968-4578-b814-c4217fc5768c
      type: obsolete
status: test
description: Detects modification of autostart extensibility point (ASEP) in registry.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    wow_classes_base:
        TargetObject|contains: '\Software\Wow6432Node\Classes'
    wow_classes:
        TargetObject|contains:
            - '\Folder\ShellEx\ExtShellFolderViews'
            - '\Folder\ShellEx\DragDropHandlers'
            - '\Folder\ShellEx\ColumnHandlers'
            - '\Directory\Shellex\DragDropHandlers'
            - '\Directory\Shellex\CopyHookHandlers'
            - '\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance'
            - '\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance'
            - '\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance'
            - '\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance'
            - '\AllFileSystemObjects\ShellEx\DragDropHandlers'
            - '\ShellEx\PropertySheetHandlers'
            - '\ShellEx\ContextMenuHandlers'
    filter:
        Details: '(Empty)'
    condition: wow_classes_base and wow_classes and not filter
falsepositives:
    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
    - Legitimate administrator sets up autorun keys for legitimate reason
level: medium

Convert to SIEM query

medium Moderate High FP

Write Protect For Storage Disabled

Detects applications trying to modify the registry in order to disable any write-protect property for storage devices. This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.

status test author Sreeman ATT&CK technique id 75f7a0e2-7154-4c4d-9eae-5cdb4e0a5c13

cortex_xdr query

config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_command_line contains "\System\CurrentControlSet\Control" and 
 action_process_image_command_line contains "Write Protection" and 
 action_process_image_command_line contains "0" and 
 action_process_image_command_line contains "storage"))

view Sigma YAML

title: Write Protect For Storage Disabled
id: 75f7a0e2-7154-4c4d-9eae-5cdb4e0a5c13
status: test
description: |
    Detects applications trying to modify the registry in order to disable any write-protect property for storage devices.
    This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.
references:
    - https://www.manageengine.com/products/desktop-central/os-imaging-deployment/media-is-write-protected.html
author: Sreeman
date: 2021-06-11
modified: 2024-01-18
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains|all:
            - '\System\CurrentControlSet\Control'
            - 'Write Protection'
            - '0'
            - 'storage'
    condition: selection
falsepositives:
    - Unknown
level: medium

Convert to SIEM query

medium Moderate High FP

Writing Local Admin Share

Aversaries may use to interact with a remote network share using Server Message Block (SMB). This technique is used by post-exploitation frameworks.

status test author frack113 ATT&CK sub-technique id 4aafb0fa-bff5-4b9d-b99e-8093e659c65f

cortex_xdr query

config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_file_name contains "\\127.0.0" and 
 action_file_name contains "\ADMIN$\"))

view Sigma YAML

title: Writing Local Admin Share
id: 4aafb0fa-bff5-4b9d-b99e-8093e659c65f
status: test
description: |
    Aversaries may use to interact with a remote network share using Server Message Block (SMB).
    This technique is used by post-exploitation frameworks.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-4---execute-command-writing-output-to-local-admin-share
author: frack113
date: 2022-01-01
modified: 2022-08-13
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.lateral-movement
    - attack.t1546.002
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains|all:
            - '\\\\127.0.0'
            - '\ADMIN$\'
    condition: selection
falsepositives:
    - Unknown
level: medium

Convert to SIEM query

medium Moderate Medium FP

Writing Of Malicious Files To The Fonts Folder

Monitors for the hiding possible malicious files in the C:\Windows\Fonts\ location. This folder doesn't require admin privillege to be written and executed from.

status test author Sreeman ATT&CK technique id ae9b0bd7-8888-4606-b444-0ed7410cb728

cortex_xdr query

config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_command_line in ("*echo*", "*copy*", "*type*", "*file createnew*", "*cacls*")) and 
 action_process_image_command_line contains "C:\Windows\Fonts\" and 
 (action_process_image_command_line in ("*.sh*", "*.exe*", "*.dll*", "*.bin*", "*.bat*", "*.cmd*", "*.js*", "*.msh*", "*.reg*", "*.scr*", "*.ps*", "*.vb*", "*.jar*", "*.pl*", "*.inf*", "*.cpl*", "*.hta*", "*.msi*", "*.vbs*"))))

view Sigma YAML

title: Writing Of Malicious Files To The Fonts Folder
id: ae9b0bd7-8888-4606-b444-0ed7410cb728
status: test
description: Monitors for the hiding possible malicious files in the C:\Windows\Fonts\ location. This folder doesn't require admin privillege to be written and executed from.
references:
    - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/
author: Sreeman
date: 2020-04-21
modified: 2022-03-08
tags:
    - attack.stealth
    - attack.t1211
    - attack.t1059
    - attack.persistence
    - attack.execution
logsource:
    product: windows
    category: process_creation
detection:
    selection_1:
        CommandLine|contains:
            - 'echo'
            - 'copy'
            - 'type'
            - 'file createnew'
            - 'cacls'
    selection_2:
        CommandLine|contains: 'C:\Windows\Fonts\'
    selection_3:
        CommandLine|contains:
            - '.sh'
            - '.exe'
            - '.dll'
            - '.bin'
            - '.bat'
            - '.cmd'
            - '.js'
            - '.msh'
            - '.reg'
            - '.scr'
            - '.ps'
            - '.vb'
            - '.jar'
            - '.pl'
            - '.inf'
            - '.cpl'
            - '.hta'
            - '.msi'
            - '.vbs'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

Convert to SIEM query

medium Moderate High FP

Wscript Shell Run In CommandLine

Detects the presence of the keywords "Wscript", "Shell" and "Run" in the command, which could indicate a suspicious activity

status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK technique id 2c28c248-7f50-417a-9186-a85b223010ee

cortex_xdr query

config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_command_line contains "Wscript." and 
 action_process_image_command_line contains ".Shell" and 
 action_process_image_command_line contains ".Run"))

view Sigma YAML

title: Wscript Shell Run In CommandLine
id: 2c28c248-7f50-417a-9186-a85b223010ee
status: test
description: Detects the presence of the keywords "Wscript", "Shell" and "Run" in the command, which could indicate a suspicious activity
references:
    - https://web.archive.org/web/20220830122045/http://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html
    - https://blog.talosintelligence.com/modernloader-delivers-multiple-stealers-cryptominers-and-rats/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-31
modified: 2023-05-15
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'Wscript.'
            - '.Shell'
            - '.Run'
    condition: selection
falsepositives:
    - Inline scripting can be used by some rare third party applications or administrators. Investigate and apply additional filters accordingly
level: medium

Convert to SIEM query

Showing 551-559 of 559

Prev 12 Next